diff --git a/CHANGES.md b/CHANGES.md --- a/CHANGES.md +++ b/CHANGES.md 
@@ -28,6 +28,80 @@ [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod +### Changes between 3.0.8 and 3.0.9 [30 May 2023] + + * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. + + OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical + numeric text form. For gigantic sub-identifiers, this would take a very + long time, the time complexity being O(n^2) where n is the size of that + sub-identifier. ([CVE-2023-2650]) + + To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT + IDENTIFIER to canonical numeric text form if the size of that OBJECT + IDENTIFIER is 586 bytes or less, and fail otherwise. + + The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT + IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at + most 128 sub-identifiers, and that the maximum value that each sub- + identifier may have is 2^32-1 (4294967295 decimal). + + For each byte of every sub-identifier, only the 7 lower bits are part of + the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with + these restrictions may occupy is 32 * 128 / 7, which is approximately 586 + bytes. + + Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + + *Richard Levitte* + + * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which + happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can + trigger a crash of an application using AES-XTS decryption if the memory + just after the buffer being decrypted is not mapped. + Thanks to Anton Romanov (Amazon) for discovering the issue. + ([CVE-2023-1255]) + + *Nevine Ebeid* + + * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]). + The previous fix for this timing side channel turned out to cause + a severe 2-3x performance regression in the typical use case + compared to 3.0.7. 
The new fix uses existing constant time + code paths, and restores the previous performance level while + fully eliminating all existing timing side channels. + The fix was developed by Bernd Edlinger with testing support + by Hubert Kario. + + *Bernd Edlinger* + + * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention + that it does not enable policy checking. Thanks to David Benjamin for + discovering this issue. + ([CVE-2023-0466]) + + *Tomáš Mráz* + + * Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are skipped + for that certificate. A malicious CA could use this to deliberately assert + invalid certificate policies in order to circumvent policy checking on the + certificate altogether. + ([CVE-2023-0465]) + + *Matt Caswell* + + * Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build + time define to a desired maximum number of nodes or zero to allow + unlimited growth. + ([CVE-2023-0464]) + + *Paul Dale* + ### Changes between 3.0.7 and 3.0.8 [7 Feb 2023] * Fixed NULL dereference during PKCS7 data verification. 
@@ -19578,6 +19652,11 @@ +[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 +[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 +[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 +[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 +[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 @@ -19588,7 +19667,7 @@ [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 -[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 +[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563 diff --git a/Configure b/Configure --- a/Configure +++ b/Configure @@ -1423,7 +1423,7 @@ } if ($target =~ /linux.*-mips/ && !$disabled{asm} - && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { + && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { # minimally required architecture flags for assembly modules my $value; $value = '-mips2' if ($target =~ /mips32/); diff --git a/NEWS.md b/NEWS.md --- a/NEWS.md +++ b/NEWS.md 
@@ -18,6 +18,17 @@ OpenSSL 3.0 ----------- +### Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023] + + * Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT + IDENTIFIER sub-identities. ([CVE-2023-2650]) + * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms + ([CVE-2023-1255]) + * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466]) + * Fixed handling of invalid certificate policies in leaf certificates + ([CVE-2023-0465]) + * Limited the number of nodes created in a policy tree ([CVE-2023-0464]) + ### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023] * Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401]) @@ -1430,6 +1441,12 @@ * Support for various new platforms + +[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 +[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 +[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 +[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 +[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 
@@ -1440,7 +1457,7 @@ [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 -[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 +[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563 diff --git a/NOTES-NONSTOP.md b/NOTES-NONSTOP.md --- a/NOTES-NONSTOP.md +++ b/NOTES-NONSTOP.md @@ -44,6 +44,20 @@ You cannot build for TNS/E for FIPS, so you must specify the `no-fips` option to `./Configure`. +Linking and Loading Considerations +---------------------------------- + +Because of how the NonStop Common Runtime Environment (CRE) works, there are +restrictions on how programs can link and load with OpenSSL libraries. +On current NonStop platforms, programs cannot both statically link OpenSSL +libraries and dynamically load OpenSSL shared libraries concurrently. If this +is done, there is a high probability of encountering a SIGSEGV condition +relating to `atexit()` processing when a shared library is unloaded and when +the program terminates. This limitation applies to all OpenSSL shared library +components. + +A resolution to this situation is under investigation. + About Prefix and OpenSSLDir --------------------------- diff --git a/NOTES-VMS.md b/NOTES-VMS.md --- a/NOTES-VMS.md +++ b/NOTES-VMS.md 
@@ -83,6 +83,23 @@ $ set image /flag=nocall_debug [.test]evp_test.exe +About assembler acceleration +---------------------------- + +OpenSSL has assembler acceleration for a number of BIGNUM and crypto +routines. The VMS config targets tries to look for a selection of +assemblers and will use what they find. If none of the assemblers are +found, OpenSSL will be built as if `no-asm` was configured. + +### For Itanium / IA64 / I64 + +- There is only one assembler, a port of Intel's `ias`, found in the + HP Open Source Tools CD, available through [DECUSlib](http://www.decuslib.com). + It's assumed to be set up as per the instructions, where `disk` and + `dir` are expected to be adapted to local conditions: + + $ ias :== $disk:[dir]iasi64.exe + Checking the distribution ------------------------- diff --git a/VERSION.dat b/VERSION.dat --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 -PATCH=8 +PATCH=9 PRE_RELEASE_TAG= BUILD_METADATA= -RELEASE_DATE="7 Feb 2023" +RELEASE_DATE="30 May 2023" SHLIB_VERSION=3 diff --git a/apps/cmp.c b/apps/cmp.c --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -158,6 +158,7 @@ static int opt_reqin_new_tid = 0; static char *opt_reqout = NULL; static char *opt_rspin = NULL; +static int rspin_in_use = 0; static char *opt_rspout = NULL; static int opt_use_mock_srv = 0; @@ -371,7 +372,7 @@ OPT_SECTION("Server authentication"), {"trusted", OPT_TRUSTED, 's', - "Certificates to trust as chain roots when verifying signed CMP responses"}, + "Certificates to use as trust anchors when verifying signed CMP responses"}, {OPT_MORE_STR, 0, 0, "unless -srvcert is given"}, {"untrusted", OPT_UNTRUSTED, 's', "Intermediate CA certs for chain construction for CMP/TLS/enrolled certs"}, 
@@ -417,7 +418,7 @@ {OPT_MORE_STR, 0, 0, "This can be used as the default CMP signer cert chain to include"}, {"unprotected_requests", OPT_UNPROTECTED_REQUESTS, '-', - "Send messages without CMP-level protection"}, + "Send request messages without CMP-level protection"}, OPT_SECTION("Credentials format"), {"certform", OPT_CERTFORM, 's', @@ -462,13 +463,16 @@ "Do not interactively prompt for input when a password is required etc."}, {"repeat", OPT_REPEAT, 'p', "Invoke the transaction the given positive number of times. Default 1"}, - {"reqin", OPT_REQIN, 's', "Take sequence of CMP requests from file(s)"}, + {"reqin", OPT_REQIN, 's', + "Take sequence of CMP requests to send to server from file(s)"}, {"reqin_new_tid", OPT_REQIN_NEW_TID, '-', "Use fresh transactionID for CMP requests read from -reqin"}, - {"reqout", OPT_REQOUT, 's', "Save sequence of CMP requests to file(s)"}, + {"reqout", OPT_REQOUT, 's', + "Save sequence of CMP requests created by the client to file(s)"}, {"rspin", OPT_RSPIN, 's', "Process sequence of CMP responses provided in file(s), skipping server"}, - {"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"}, + {"rspout", OPT_RSPOUT, 's', + "Save sequence of actually used CMP responses to file(s)"}, {"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use internal mock server at API level, bypassing socket-based HTTP"}, @@ -754,12 +758,12 @@ } /* read DER-encoded OSSL_CMP_MSG from the specified file name item */ -static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames) +static OSSL_CMP_MSG *read_PKIMESSAGE(const char *desc, char **filenames) { char *file; OSSL_CMP_MSG *ret; - if (filenames == NULL) { + if (filenames == NULL || desc == NULL) { CMP_err("NULL arg to read_PKIMESSAGE"); return NULL; } @@ -774,6 +778,8 @@ ret = OSSL_CMP_MSG_read(file, app_get0_libctx(), app_get0_propq()); if (ret == NULL) CMP_err1("cannot read PKIMessage from file '%s'", file); + else + CMP_info2("%s %s", desc, file); return ret; } 
@@ -795,7 +801,7 @@ && !write_PKIMESSAGE(req, &opt_reqout)) goto err; if (opt_reqin != NULL && opt_rspin == NULL) { - if ((req_new = read_PKIMESSAGE(&opt_reqin)) == NULL) + if ((req_new = read_PKIMESSAGE("actually sending", &opt_reqin)) == NULL) goto err; /*- * The transaction ID in req_new read from opt_reqin may not be fresh. 
@@ -805,22 +811,44 @@ if (opt_reqin_new_tid && !OSSL_CMP_MSG_update_transactionID(ctx, req_new)) goto err; + + /* + * Except for first request, need to satisfy recipNonce check by server. + * Unfortunately requires re-protection if protection is required. + */ + if (!OSSL_CMP_MSG_update_recipNonce(ctx, req_new)) + goto err; } if (opt_rspin != NULL) { - res = read_PKIMESSAGE(&opt_rspin); + res = read_PKIMESSAGE("actually using", &opt_rspin); } else { - const OSSL_CMP_MSG *actual_req = opt_reqin != NULL ? req_new : req; + const OSSL_CMP_MSG *actual_req = req_new != NULL ? req_new : req; - res = opt_use_mock_srv - ? OSSL_CMP_CTX_server_perform(ctx, actual_req) - : OSSL_CMP_MSG_http_perform(ctx, actual_req); + if (opt_use_mock_srv) { + if (rspin_in_use) + CMP_warn("too few -rspin filename arguments; resorting to using mock server"); + res = OSSL_CMP_CTX_server_perform(ctx, actual_req); + } else { +#ifndef OPENSSL_NO_SOCK + if (opt_server == NULL) { + CMP_err("missing -server or -use_mock_srv option, or too few -rspin filename arguments"); + goto err; + } + if (rspin_in_use) + CMP_warn("too few -rspin filename arguments; resorting to contacting server"); + res = OSSL_CMP_MSG_http_perform(ctx, actual_req); +#else + CMP_err("-server not supported on no-sock build; missing -use_mock_srv option or too few -rspin filename arguments"); +#endif + } + rspin_in_use = 0; } if (res == NULL) goto err; - if (opt_reqin != NULL || prev_opt_rspin != NULL) { - /* need to satisfy nonce and transactionID checks */ + if (req_new != NULL || prev_opt_rspin != NULL) { + /* need to satisfy nonce and transactionID checks by client */ ASN1_OCTET_STRING *nonce; ASN1_OCTET_STRING *tid; 
@@ -1024,10 +1052,10 @@ goto err; } } else if (opt_srv_cert == NULL) { - CMP_err("mock server credentials must be given if -use_mock_srv or -port is used"); + CMP_err("server credentials (-srv_secret or -srv_cert) must be given if -use_mock_srv or -port is used"); goto err; } else { - CMP_warn("mock server will not be able to handle PBM-protected requests since -srv_secret is not given"); + CMP_warn("server will not be able to handle PBM-protected requests since -srv_secret is not given"); } if (opt_srv_secret == NULL @@ -1121,7 +1149,7 @@ goto err; if (opt_send_error) - (void)ossl_cmp_mock_srv_set_send_error(srv_ctx, 1); + (void)ossl_cmp_mock_srv_set_sendError(srv_ctx, 1); if (opt_send_unprotected) (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1); @@ -1283,7 +1311,9 @@ /* disable any cert status/revocation checking etc. */ X509_VERIFY_PARAM_clear_flags(tls_vpm, ~(X509_V_FLAG_USE_CHECK_TIME - | X509_V_FLAG_NO_CHECK_TIME)); + | X509_V_FLAG_NO_CHECK_TIME + | X509_V_FLAG_PARTIAL_CHAIN + | X509_V_FLAG_POLICY_CHECK)); } CMP_debug("trying to build cert chain for own TLS cert"); if (SSL_CTX_build_cert_chain(ssl_ctx, 
@@ -1498,10 +1528,25 @@ CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback"); if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) { - if (opt_newkey == NULL && opt_key == NULL && opt_csr == NULL) { - CMP_err("missing -newkey (or -key) to be certified and no -csr given"); + if (opt_newkey == NULL + && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) { + CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key"); return 0; } + if (opt_newkey == NULL + && opt_popo != OSSL_CRMF_POPO_NONE + && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) { + if (opt_csr != NULL) { + CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s", + opt_key == NULL ? "" : + ", and -key option superseded by by -csr"); + return 0; + } + if (opt_key == NULL) { + CMP_err("missing -newkey (or -key) option for POPO"); + return 0; + } + } if (opt_certout == NULL) { CMP_err("-certout not given, nowhere to save newly enrolled certificate"); return 0; @@ -1897,8 +1942,11 @@ (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_TOTAL_TIMEOUT, opt_total_timeout); - if (opt_reqin != NULL && opt_rspin != NULL) - CMP_warn("-reqin is ignored since -rspin is present"); + if (opt_rspin != NULL) { + rspin_in_use = 1; + if (opt_reqin != NULL) + CMP_warn("-reqin is ignored since -rspin is present"); + } if (opt_reqin_new_tid && opt_reqin == NULL) CMP_warn("-reqin_new_tid is ignored since -reqin is not present"); if (opt_reqin != NULL || opt_reqout != NULL 
@@ -1923,12 +1971,14 @@ if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL) goto err; (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info); - info->server = opt_server; - info->port = server_port; + info->ssl_ctx = setup_ssl_ctx(ctx, host, engine); + info->server = host; + host = NULL; /* prevent deallocation */ + if ((info->port = OPENSSL_strdup(server_port)) == NULL) + goto err; /* workaround for callback design flaw, see #17088: */ info->use_proxy = proxy_host != NULL; info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT); - info->ssl_ctx = setup_ssl_ctx(ctx, host, engine); if (info->ssl_ctx == NULL) goto err; @@ -1952,7 +2002,9 @@ /* not printing earlier, to minimize confusion in case setup fails before */ if (opt_rspin != NULL) - CMP_info("will not contact any server since -rspin is given"); + CMP_info2("will contact %s%s " + "only if -rspin argument gives too few filenames", + server_buf, proxy_buf); else CMP_info2("will contact %s%s", server_buf, proxy_buf); @@ -2847,8 +2899,16 @@ CMP_err("-tls_used option not supported with -port option"); goto err; } - if (opt_use_mock_srv || opt_server != NULL || opt_rspin != NULL) { - CMP_err("cannot use -port with -use_mock_srv, -server, or -rspin options"); + if (opt_server != NULL || opt_use_mock_srv) { + CMP_err("The -port option excludes -server and -use_mock_srv"); + goto err; + } + if (opt_reqin != NULL || opt_reqout != NULL) { + CMP_err("The -port option does not support -reqin and -reqout"); + goto err; + } + if (opt_rspin != NULL || opt_rspout != NULL) { + CMP_err("The -port option does not support -rspin and -rspout"); goto err; } } @@ -2857,10 +2917,6 @@ goto err; } #endif - if (opt_rspin != NULL && opt_use_mock_srv) { - CMP_err("cannot use both -rspin and -use_mock_srv options"); - goto err; - } if (opt_use_mock_srv #ifndef OPENSSL_NO_SOCK 
@@ -2881,8 +2937,8 @@ } #ifndef OPENSSL_NO_SOCK - if (opt_tls_used && (opt_use_mock_srv || opt_rspin != NULL)) { - CMP_warn("ignoring -tls_used option since -use_mock_srv or -rspin is given"); + if (opt_tls_used && (opt_use_mock_srv || opt_server == NULL)) { + CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given"); opt_tls_used = 0; } @@ -2893,11 +2949,11 @@ /* act as CMP client, possibly using internal mock server */ - if (opt_server != NULL) { - if (opt_rspin != NULL) { - CMP_warn("ignoring -server option since -rspin is given"); - opt_server = NULL; - } + if (opt_rspin != NULL) { + if (opt_server != NULL) + CMP_warn("-server option is not used if enough filenames given for -rspin"); + if (opt_use_mock_srv) + CMP_warn("-use_mock_srv option is not used if enough filenames given for -rspin"); } #endif @@ -3010,7 +3066,11 @@ /* cannot free info already here, as it may be used indirectly by: */ OSSL_CMP_CTX_free(cmp_ctx); #ifndef OPENSSL_NO_SOCK - APP_HTTP_TLS_INFO_free(info); + if (info != NULL) { + OPENSSL_free((char *)info->server); + OPENSSL_free((char *)info->port); + APP_HTTP_TLS_INFO_free(info); + } #endif } X509_VERIFY_PARAM_free(vpm); diff --git a/apps/dgst.c b/apps/dgst.c --- a/apps/dgst.c +++ b/apps/dgst.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -487,8 +487,11 @@ /* Filter out message digests that we cannot use */ md = EVP_MD_fetch(app_get0_libctx(), name->name, app_get0_propq()); - if (md == NULL) - return; + if (md == NULL) { + md = EVP_get_digestbyname(name->name); + if (md == NULL) + return; + } BIO_printf(dec->bio, "-%-25s", name->name); if (++dec->n == 3) { diff --git a/apps/enc.c b/apps/enc.c --- a/apps/enc.c +++ b/apps/enc.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -30,6 +30,10 @@ #define SIZE (512) #define BSIZE (8*1024) +#define PBKDF2_ITER_DEFAULT 10000 +#define STR(a) XSTR(a) +#define XSTR(a) #a + static int set_hex(const char *in, unsigned char *out, int size); static void show_ciphers(const OBJ_NAME *name, void *bio_); @@ -88,8 +92,13 @@ {"S", OPT_UPPER_S, 's', "Salt, in hex"}, {"iv", OPT_IV, 's', "IV in hex"}, {"md", OPT_MD, 's', "Use specified digest to create a key from the passphrase"}, - {"iter", OPT_ITER, 'p', "Specify the iteration count and force use of PBKDF2"}, - {"pbkdf2", OPT_PBKDF2, '-', "Use password-based key derivation function 2"}, + {"iter", OPT_ITER, 'p', + "Specify the iteration count and force the use of PBKDF2"}, + {OPT_MORE_STR, 0, 0, "Default: " STR(PBKDF2_ITER_DEFAULT)}, + {"pbkdf2", OPT_PBKDF2, '-', + "Use password-based key derivation function 2 (PBKDF2)"}, + {OPT_MORE_STR, 0, 0, + "Use -iter to change the iteration count from " STR(PBKDF2_ITER_DEFAULT)}, {"none", OPT_NONE, '-', "Don't encrypt"}, #ifdef ZLIB {"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"}, @@ -272,7 +281,7 @@ case OPT_PBKDF2: pbkdf2 = 1; if (iter == 0) /* do not overwrite a chosen value */ - iter = 10000; + iter = PBKDF2_ITER_DEFAULT; break; case OPT_NONE: cipher = NULL; diff --git a/apps/include/cmp_mock_srv.h b/apps/include/cmp_mock_srv.h --- a/apps/include/cmp_mock_srv.h +++ b/apps/include/cmp_mock_srv.h @@ -1,5 +1,5 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Siemens AG 2018-2020 * * Licensed under the Apache License 2.0 (the "License"). You may not use 
@@ -27,7 +27,7 @@ STACK_OF(X509) *caPubs); int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status, int fail_info, const char *text); -int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val); +int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype); int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count); int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec); diff --git a/apps/lib/apps.c b/apps/lib/apps.c --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -2474,6 +2474,10 @@ if (connect) { SSL *ssl; BIO *sbio = NULL; + X509_STORE *ts = SSL_CTX_get_cert_store(ssl_ctx); + X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + const char *host = vpm == NULL ? NULL : + X509_VERIFY_PARAM_get0_host(vpm, 0 /* first hostname */); /* adapt after fixing callback design flaw, see #17088 */ if ((info->use_proxy @@ -2488,8 +2492,8 @@ return NULL; } - /* adapt after fixing callback design flaw, see #17088 */ - SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */ + if (vpm != NULL) + SSL_set_tlsext_host_name(ssl, host /* may be NULL */); SSL_set_connect_state(ssl); BIO_set_ssl(sbio, ssl, BIO_CLOSE); diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Siemens AG 2018-2020 * * Licensed under the Apache License 2.0 (the "License"). You may not use 
@@ -14,7 +14,7 @@ #include #include #include - + /* the context for the CMP mock server */ typedef struct { @@ -22,9 +22,8 @@ STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */ STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */ OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */ - int sendError; /* send error response also on valid requests */ + int sendError; /* send error response on given request type */ OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */ - int certReqId; /* id of last ir/cr/kur, used for polling */ int pollCount; /* number of polls before actual cert response */ int curr_pollCount; /* number of polls so far for current request */ int checkAfterTime; /* time the client should wait between polling */ @@ -54,7 +53,7 @@ if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL) goto err; - ctx->certReqId = -1; + ctx->sendError = -1; /* all other elements are initialized to 0 or NULL, respectively */ return ctx; @@ -130,7 +129,7 @@ return 1; } -int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val) +int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype) { mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); @@ -138,7 +137,8 @@ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } - ctx->sendError = val != 0; + /* might check bodytype, but this would require exporting all body types */ + ctx->sendError = bodytype; return 1; } @@ -172,7 +172,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *cert_req, - int certReqId, + ossl_unused int certReqId, const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr, X509 **certOut, @@ -187,7 +187,8 @@ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return NULL; } - if (ctx->sendError) { + if (ctx->sendError == 1 + || ctx->sendError == OSSL_CMP_MSG_get_bodytype(cert_req)) { ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return NULL; } 
@@ -195,7 +196,6 @@ *certOut = NULL; *chainOut = NULL; *caPubs = NULL; - ctx->certReqId = certReqId; if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) { /* start polling */ @@ -270,7 +270,8 @@ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return NULL; } - if (ctx->sendError || ctx->certOut == NULL) { + if (ctx->certOut == NULL || ctx->sendError == 1 + || ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) { ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return NULL; } @@ -301,7 +302,9 @@ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } - if (sk_OSSL_CMP_ITAV_num(in) > 1 || ctx->sendError) { + if (ctx->sendError == 1 + || ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm) + || sk_OSSL_CMP_ITAV_num(in) > 1) { ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return 0; } @@ -358,7 +361,8 @@ } static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *certConf, int certReqId, + const OSSL_CMP_MSG *certConf, + ossl_unused int certReqId, const ASN1_OCTET_STRING *certHash, const OSSL_CMP_PKISI *si) { @@ -369,17 +373,13 @@ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } - if (ctx->sendError || ctx->certOut == NULL) { + if (ctx->sendError == 1 + || ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf) + || ctx->certOut == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return 0; } - if (certReqId != ctx->certReqId) { - /* in case of error, invalid reqId -1 */ - ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); - return 0; - } - if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL) return 0; if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) { @@ -392,7 +392,8 @@ } static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *pollReq, int certReqId, + const OSSL_CMP_MSG *pollReq, + ossl_unused int certReqId, OSSL_CMP_MSG **certReq, int64_t *check_after) { mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 
@@ -402,7 +403,8 @@ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } - if (ctx->sendError) { + if (ctx->sendError == 1 + || ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) { *certReq = NULL; ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return 0; diff --git a/apps/openssl.cnf b/apps/openssl.cnf --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -356,7 +356,7 @@ # Certificate enrollment subject = "/CN=openssl-cmp-test" newkey = insta.priv.pem -out_trusted = insta.ca.crt +out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature certout = insta.cert.pem [pbm] # Password-based protection for Insta CA @@ -366,7 +366,7 @@ [signature] # Signature-based protection for Insta CA # Server authentication -trusted = insta.ca.crt # does not include keyUsage digitalSignature +trusted = $insta::out_trusted # apps/insta.ca.crt # Client authentication secret = # disable PBM diff --git a/apps/rehash.c b/apps/rehash.c --- a/apps/rehash.c +++ b/apps/rehash.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2013-2014 Timo Teräs * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -340,6 +340,11 @@ return *path == '/'; } +static int sk_strcmp(const char * const *a, const char * const *b) +{ + return strcmp(*a, *b); +} + /* * Process a directory; return number of errors found. */ @@ -369,7 +374,7 @@ if (verbose) BIO_printf(bio_out, "Doing %s\n", dirname); - if ((files = sk_OPENSSL_STRING_new_null()) == NULL) { + if ((files = sk_OPENSSL_STRING_new(sk_strcmp)) == NULL) { BIO_printf(bio_err, "Skipping %s, out of memory\n", dirname); errs = 1; goto err; diff --git a/apps/s_server.c b/apps/s_server.c --- a/apps/s_server.c +++ b/apps/s_server.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -229,6 +229,7 @@ || !SSL_SESSION_set_cipher(tmpsess, cipher) || !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) { OPENSSL_free(key); + SSL_SESSION_free(tmpsess); return 0; } OPENSSL_free(key); diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl --- a/crypto/aes/asm/aesv8-armx.pl +++ b/crypto/aes/asm/aesv8-armx.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -2261,10 +2261,10 @@ b.ne .Lxts_enc_big_size // Encrypt the iv with key2, as the first XEX iv. ldr $rounds,[$key2,#240] - vld1.8 {$dat},[$key2],#16 + vld1.32 {$dat},[$key2],#16 vld1.8 {$iv0},[$ivp] sub $rounds,$rounds,#2 - vld1.8 {$dat1},[$key2],#16 + vld1.32 {$dat1},[$key2],#16 .Loop_enc_iv_enc: aese $iv0,$dat @@ -2866,9 +2866,9 @@ // Encrypt the composite block to get the last second encrypted text block ldr $rounds,[$key1,#240] // load key schedule... - vld1.8 {$dat},[$key1],#16 + vld1.32 {$dat},[$key1],#16 sub $rounds,$rounds,#2 - vld1.8 {$dat1},[$key1],#16 // load key schedule... + vld1.32 {$dat1},[$key1],#16 // load key schedule... .Loop_final_enc: aese $tmpin,$dat0 aesmc $tmpin,$tmpin @@ -2937,10 +2937,10 @@ b.ne .Lxts_dec_big_size // Encrypt the iv with key2, as the first XEX iv. ldr $rounds,[$key2,#240] - vld1.8 {$dat},[$key2],#16 + vld1.32 {$dat},[$key2],#16 vld1.8 {$iv0},[$ivp] sub $rounds,$rounds,#2 - vld1.8 {$dat1},[$key2],#16 + vld1.32 {$dat1},[$key2],#16 .Loop_dec_small_iv_enc: aese $iv0,$dat 
@@ -3020,10 +3020,10 @@ // Encrypt the iv with key2, as the first XEX iv ldr $rounds,[$key2,#240] - vld1.8 {$dat},[$key2],#16 + vld1.32 {$dat},[$key2],#16 vld1.8 {$iv0},[$ivp] sub $rounds,$rounds,#2 - vld1.8 {$dat1},[$key2],#16 + vld1.32 {$dat1},[$key2],#16 .Loop_dec_iv_enc: aese $iv0,$dat @@ -3353,7 +3353,7 @@ .align 4 .Lxts_dec_tail4x: add $inp,$inp,#16 - vld1.32 {$dat0},[$inp],#16 + tst $tailcnt,#0xf veor $tmp1,$dat1,$tmp0 vst1.8 {$tmp1},[$out],#16 veor $tmp2,$dat2,$tmp2 @@ -3362,6 +3362,8 @@ veor $tmp4,$dat4,$tmp4 vst1.8 {$tmp3-$tmp4},[$out],#32 + b.eq .Lxts_dec_abort + vld1.8 {$dat0},[$inp],#16 b .Lxts_done .align 4 .Lxts_outer_dec_tail: @@ -3539,7 +3541,7 @@ // Processing the last two blocks with cipher stealing. mov x7,x3 cbnz x2,.Lxts_dec_1st_done - vld1.32 {$dat0},[$inp],#16 + vld1.8 {$dat0},[$inp],#16 // Decrypt the last secod block to get the last plain text block .Lxts_dec_1st_done: @@ -3584,9 +3586,9 @@ // Decrypt the composite block to get the last second plain text block ldr $rounds,[$key_,#240] - vld1.8 {$dat},[$key_],#16 + vld1.32 {$dat},[$key_],#16 sub $rounds,$rounds,#2 - vld1.8 {$dat1},[$key_],#16 + vld1.32 {$dat1},[$key_],#16 .Loop_final_dec: aesd $tmpin,$dat0 aesimc $tmpin,$tmpin diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl --- a/crypto/aes/asm/bsaes-armv7.pl +++ b/crypto/aes/asm/bsaes-armv7.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -14,7 +14,7 @@ # details see http://www.openssl.org/~appro/cryptogams/. # # Specific modes and adaptation for Linux kernel by Ard Biesheuvel -# of Linaro. Permission to use under GPL terms is granted. +# of Linaro. # ==================================================================== # Bit-sliced AES for ARM NEON @@ -1447,7 +1447,7 @@ .align 2 0: add r12, $key, #248 vld1.8 {@XMM[0]}, [$ctr] @ load counter - adrl $ctr, .LREVM0SR @ borrow $ctr + add $ctr, $const, #.LREVM0SR-.LM0 @ borrow $ctr vldmia r12, {@XMM[4]} @ load round0 key sub sp, #0x10 @ place for adjusted round0 key #endif diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -148,6 +148,9 @@ int w, v, iv; unsigned char *c; + if (n < 0) + return 0; + w = n / 8; v = 1 << (7 - (n & 0x07)); iv = ~v; @@ -182,6 +185,9 @@ { int w, v; + if (n < 0) + return 0; + w = n / 8; v = 1 << (7 - (n & 0x07)); if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL)) diff --git a/crypto/asn1/asn1_parse.c b/crypto/asn1/asn1_parse.c --- a/crypto/asn1/asn1_parse.c +++ b/crypto/asn1/asn1_parse.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -50,7 +50,7 @@ pop_f_prefix = 1; } saved_indent = BIO_get_indent(bp); - if (BIO_set_prefix(bp, str) <= 0 || BIO_set_indent(bp, indent) < 0) + if (BIO_set_prefix(bp, str) <= 0 || BIO_set_indent(bp, indent) <= 0) goto err; } 
diff --git a/crypto/asn1/asn_pack.c b/crypto/asn1/asn_pack.c --- a/crypto/asn1/asn_pack.c +++ b/crypto/asn1/asn_pack.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -29,7 +29,7 @@ OPENSSL_free(octmp->data); octmp->data = NULL; - if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) == 0) { + if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) <= 0) { ERR_raise(ERR_LIB_ASN1, ASN1_R_ENCODE_ERROR); goto err; } diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -784,7 +784,7 @@ /* This will let SSL_s_sock() work with stdin/stdout */ new_bio->num = bio->num; - if (!BIO_dup_state(bio, (char *)new_bio)) { + if (BIO_dup_state(bio, (char *)new_bio) <= 0) { BIO_free(new_bio); goto err; } diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c --- a/crypto/bio/bss_acpt.c +++ b/crypto/bio/bss_acpt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -566,7 +566,7 @@ ret = BIO_new(BIO_s_accept()); if (ret == NULL) return NULL; - if (BIO_set_accept_name(ret, str)) + if (BIO_set_accept_name(ret, str) > 0) return ret; BIO_free(ret); return NULL; 
diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c --- a/crypto/bn/bn_asm.c +++ b/crypto/bn/bn_asm.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -381,25 +381,33 @@ #ifndef OPENSSL_SMALL_FOOTPRINT while (n & ~3) { t1 = a[0]; - t2 = b[0]; - r[0] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[0]; + t1 = (t2 - t1) & BN_MASK2; + r[0] = t1; + c += (t1 > t2); t1 = a[1]; - t2 = b[1]; - r[1] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[1]; + t1 = (t2 - t1) & BN_MASK2; + r[1] = t1; + c += (t1 > t2); t1 = a[2]; - t2 = b[2]; - r[2] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[2]; + t1 = (t2 - t1) & BN_MASK2; + r[2] = t1; + c += (t1 > t2); t1 = a[3]; - t2 = b[3]; - r[3] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[3]; + t1 = (t2 - t1) & BN_MASK2; + r[3] = t1; + c += (t1 > t2); a += 4; b += 4; r += 4; @@ -408,10 +416,12 @@ #endif while (n) { t1 = a[0]; - t2 = b[0]; - r[0] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[0]; + t1 = (t2 - t1) & BN_MASK2; + r[0] = t1; + c += (t1 > t2); a++; b++; r++; 
@@ -446,7 +456,7 @@ t += c0; /* no carry */ \ c0 = (BN_ULONG)Lw(t); \ hi = (BN_ULONG)Hw(t); \ - c1 = (c1+hi)&BN_MASK2; if (c1top = (int)(rtop & ~mask) | (ntop & mask); n->flags |= (BN_FLG_FIXED_TOP & ~mask); } - ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx); + ret = bn_mul_mont_fixed_top(n, n, r, b->m_ctx, ctx); + bn_correct_top_consttime(n); } else { ret = BN_mod_mul(n, n, r, b->mod, ctx); } diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1021,6 +1021,28 @@ return (words <= a->dmax) ? a : bn_expand2(a, words); } +void bn_correct_top_consttime(BIGNUM *a) +{ + int j, atop; + BN_ULONG limb; + unsigned int mask; + + for (j = 0, atop = 0; j < a->dmax; j++) { + limb = a->d[j]; + limb |= 0 - limb; + limb >>= BN_BITS2 - 1; + limb = 0 - limb; + mask = (unsigned int)limb; + mask &= constant_time_msb(j - a->top); + atop = constant_time_select_int(mask, j + 1, atop); + } + + mask = constant_time_eq_int(atop, 0); + a->top = atop; + a->neg = constant_time_select_int(mask, 0, a->neg); + a->flags &= ~BN_FLG_FIXED_TOP; +} + void bn_correct_top(BIGNUM *a) { BN_ULONG *ftl; diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h --- a/crypto/bn/bn_local.h +++ b/crypto/bn/bn_local.h 
@@ -290,20 +290,6 @@ } cb; }; -struct bn_blinding_st { - BIGNUM *A; - BIGNUM *Ai; - BIGNUM *e; - BIGNUM *mod; /* just a reference */ - CRYPTO_THREAD_ID tid; - int counter; - unsigned long flags; - BN_MONT_CTX *m_ctx; - int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); - CRYPTO_RWLOCK *lock; -}; - /*- * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions * @@ -378,24 +364,6 @@ # define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32)/* 32 */ # define BN_MONT_CTX_SET_SIZE_WORD (64)/* 32 */ -/* - * 2011-02-22 SMS. In various places, a size_t variable or a type cast to - * size_t was used to perform integer-only operations on pointers. This - * failed on VMS with 64-bit pointers (CC /POINTER_SIZE = 64) because size_t - * is still only 32 bits. What's needed in these cases is an integer type - * with the same size as a pointer, which size_t is not certain to be. The - * only fix here is VMS-specific. - */ -# if defined(OPENSSL_SYS_VMS) -# if __INITIAL_POINTER_SIZE == 64 -# define PTR_SIZE_INT long long -# else /* __INITIAL_POINTER_SIZE == 64 */ -# define PTR_SIZE_INT int -# endif /* __INITIAL_POINTER_SIZE == 64 [else] */ -# elif !defined(PTR_SIZE_INT) /* defined(OPENSSL_SYS_VMS) */ -# define PTR_SIZE_INT size_t -# endif /* defined(OPENSSL_SYS_VMS) [else] */ - # if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC) /* * BN_UMULT_HIGH section. @@ -536,10 +504,10 @@ ret = (r); \ BN_UMULT_LOHI(low,high,w,tmp); \ ret += (c); \ - (c) = (ret<(c))?1:0; \ + (c) = (ret<(c)); \ (c) += high; \ ret += low; \ - (c) += (ret>(BN_BITS4-1); \ m =(m&BN_MASK2l)<<(BN_BITS4+1); \ - l=(l+m)&BN_MASK2; if (l < m) h++; \ + l=(l+m)&BN_MASK2; h += (l < m); \ (lo)=l; \ (ho)=h; \ } 
@@ -644,9 +612,9 @@ mul64(l,h,(bl),(bh)); \ \ /* non-multiply part */ \ - l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ + l=(l+(c))&BN_MASK2; h += (l < (c)); \ (c)=(r); \ - l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ + l=(l+(c))&BN_MASK2; h += (l < (c)); \ (c)=h&BN_MASK2; \ (r)=l; \ } @@ -660,7 +628,7 @@ mul64(l,h,(bl),(bh)); \ \ /* non-multiply part */ \ - l+=(c); if ((l&BN_MASK2) < (c)) h++; \ + l+=(c); h += ((l&BN_MASK2) < (c)); \ (c)=h&BN_MASK2; \ (r)=l&BN_MASK2; \ } @@ -690,7 +658,7 @@ int cl, int dl); int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); - +void bn_correct_top_consttime(BIGNUM *a); BIGNUM *int_bn_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, int *noinv); diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -338,7 +338,6 @@ sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_192_TOP], *res; - PTR_SIZE_INT mask; static const BIGNUM ossl_bignum_nist_p_192_sqr = { (BN_ULONG *)_nist_p_192_sqr, OSSL_NELEM(_nist_p_192_sqr), @@ -439,13 +438,9 @@ * 'tmp=result-modulus; if (!carry || !borrow) result=tmp;' * this is what happens below, but without explicit if:-) a. */ - mask = - 0 - (PTR_SIZE_INT) bn_sub_words(c_d, r_d, _nist_p_192[0], - BN_NIST_192_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *) - (((PTR_SIZE_INT) res & ~mask) | ((PTR_SIZE_INT) r_d & mask)); + res = (bn_sub_words(c_d, r_d, _nist_p_192[0], BN_NIST_192_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_192_TOP); r->top = BN_NIST_192_TOP; bn_correct_top(r); 
@@ -479,11 +474,7 @@ sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_224_TOP], *res; - PTR_SIZE_INT mask; - union { - bn_addsub_f f; - PTR_SIZE_INT p; - } u; + bn_addsub_f adjust; static const BIGNUM ossl_bignum_nist_p_224_sqr = { (BN_ULONG *)_nist_p_224_sqr, OSSL_NELEM(_nist_p_224_sqr), @@ -597,7 +588,7 @@ # endif } #endif - u.f = bn_sub_words; + adjust = bn_sub_words; if (carry > 0) { carry = (int)bn_sub_words(r_d, r_d, _nist_p_224[carry - 1], @@ -616,19 +607,14 @@ carry = (int)bn_add_words(r_d, r_d, _nist_p_224[-carry - 1], BN_NIST_224_TOP); - mask = 0 - (PTR_SIZE_INT) carry; - u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | - ((PTR_SIZE_INT) bn_add_words & ~mask); + adjust = carry ? bn_sub_words : bn_add_words; } else carry = 1; /* otherwise it's effectively same as in BN_nist_mod_192... */ - mask = - 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = ((*adjust) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_224_TOP); r->top = BN_NIST_224_TOP; bn_correct_top(r); @@ -660,11 +646,7 @@ sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_256_TOP], *res; - PTR_SIZE_INT mask; - union { - bn_addsub_f f; - PTR_SIZE_INT p; - } u; + bn_addsub_f adjust; static const BIGNUM ossl_bignum_nist_p_256_sqr = { (BN_ULONG *)_nist_p_256_sqr, OSSL_NELEM(_nist_p_256_sqr), @@ -850,7 +832,7 @@ } #endif /* see BN_nist_mod_224 for explanation */ - u.f = bn_sub_words; + adjust = bn_sub_words; if (carry > 0) carry = (int)bn_sub_words(r_d, r_d, _nist_p_256[carry - 1], 
@@ -859,18 +841,13 @@ carry = (int)bn_add_words(r_d, r_d, _nist_p_256[-carry - 1], BN_NIST_256_TOP); - mask = 0 - (PTR_SIZE_INT) carry; - u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | - ((PTR_SIZE_INT) bn_add_words & ~mask); + adjust = carry ? bn_sub_words : bn_add_words; } else carry = 1; - mask = - 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = ((*adjust) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_256_TOP); r->top = BN_NIST_256_TOP; bn_correct_top(r); @@ -906,11 +883,7 @@ sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_384_TOP], *res; - PTR_SIZE_INT mask; - union { - bn_addsub_f f; - PTR_SIZE_INT p; - } u; + bn_addsub_f adjust; static const BIGNUM ossl_bignum_nist_p_384_sqr = { (BN_ULONG *)_nist_p_384_sqr, OSSL_NELEM(_nist_p_384_sqr), @@ -1131,7 +1104,7 @@ } #endif /* see BN_nist_mod_224 for explanation */ - u.f = bn_sub_words; + adjust = bn_sub_words; if (carry > 0) carry = (int)bn_sub_words(r_d, r_d, _nist_p_384[carry - 1], @@ -1140,18 +1113,13 @@ carry = (int)bn_add_words(r_d, r_d, _nist_p_384[-carry - 1], BN_NIST_384_TOP); - mask = 0 - (PTR_SIZE_INT) carry; - u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | - ((PTR_SIZE_INT) bn_add_words & ~mask); + adjust = carry ? bn_sub_words : bn_add_words; } else carry = 1; - mask = - 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = ((*adjust) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_384_TOP); r->top = BN_NIST_384_TOP; bn_correct_top(r); 
@@ -1168,7 +1136,6 @@ { int top = a->top, i; BN_ULONG *r_d, *a_d = a->d, t_d[BN_NIST_521_TOP], val, tmp, *res; - PTR_SIZE_INT mask; static const BIGNUM ossl_bignum_nist_p_521_sqr = { (BN_ULONG *)_nist_p_521_sqr, OSSL_NELEM(_nist_p_521_sqr), @@ -1221,12 +1188,10 @@ r_d[i] &= BN_NIST_521_TOP_MASK; bn_add_words(r_d, r_d, t_d, BN_NIST_521_TOP); - mask = - 0 - (PTR_SIZE_INT) bn_sub_words(t_d, r_d, _nist_p_521, - BN_NIST_521_TOP); - res = t_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = bn_sub_words(t_d, r_d, _nist_p_521, + BN_NIST_521_TOP) + ? r_d + : t_d; nist_cp_bn(r_d, res, BN_NIST_521_TOP); r->top = BN_NIST_521_TOP; bn_correct_top(r); diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c --- a/crypto/bn/bn_rsa_fips186_4.c +++ b/crypto/bn/bn_rsa_fips186_4.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -318,7 +318,7 @@ * sqrt(2) * 2^(nlen/2-1) <= Random X <= (2^(nlen/2)) - 1. */ if (!BN_priv_rand_range_ex(X, range, 0, ctx) || !BN_add(X, X, base)) - goto end; + goto err; } /* (Step 4) Y = X + ((R - X) mod 2r1r2) */ if (!BN_mod_sub(Y, R, X, r1r2x2, ctx) || !BN_add(Y, Y, X)) diff --git a/crypto/bn/build.info b/crypto/bn/build.info --- a/crypto/bn/build.info +++ b/crypto/bn/build.info @@ -105,7 +105,7 @@ bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ - bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c rsa_sup_mul.c + bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c DEFINE[../../libcrypto]=$BNDEF IF[{- !$disabled{'deprecated-0.9.8'} -}] 
diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c deleted file mode 100644 --- a/crypto/bn/rsa_sup_mul.c +++ /dev/null 
@@ -1,604 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include -#include "internal/endian.h" -#include "internal/numbers.h" -#include "internal/constant_time.h" -#include "bn_local.h" - -# if BN_BYTES == 8 -typedef uint64_t limb_t; -# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 -typedef uint128_t limb2_t; -# define HAVE_LIMB2_T -# endif -# define LIMB_BIT_SIZE 64 -# define LIMB_BYTE_SIZE 8 -# elif BN_BYTES == 4 -typedef uint32_t limb_t; -typedef uint64_t limb2_t; -# define LIMB_BIT_SIZE 32 -# define LIMB_BYTE_SIZE 4 -# define HAVE_LIMB2_T -# else -# error "Not supported" -# endif - -/* - * For multiplication we're using schoolbook multiplication, - * so if we have two numbers, each with 6 "digits" (words) - * the multiplication is calculated as follows: - * A B C D E F - * x I J K L M N - * -------------- - * N*F - * N*E - * N*D - * N*C - * N*B - * N*A - * M*F - * M*E - * M*D - * M*C - * M*B - * M*A - * L*F - * L*E - * L*D - * L*C - * L*B - * L*A - * K*F - * K*E - * K*D - * K*C - * K*B - * K*A - * J*F - * J*E - * J*D - * J*C - * J*B - * J*A - * I*F - * I*E - * I*D - * I*C - * I*B - * + I*A - * ========================== - * N*B N*D N*F - * + N*A N*C N*E - * + M*B M*D M*F - * + M*A M*C M*E - * + L*B L*D L*F - * + L*A L*C L*E - * + K*B K*D K*F - * + K*A K*C K*E - * + J*B J*D J*F - * + J*A J*C J*E - * + I*B I*D I*F - * + I*A I*C I*E - * - * 1+1 1+3 1+5 - * 1+0 1+2 1+4 - * 0+1 0+3 0+5 - * 0+0 0+2 0+4 - * - * 0 1 2 3 4 5 6 - * which requires n^2 multiplications and 2n full length additions - * as we can keep every other result of limb multiplication in two separate - * limbs - */ - -#if defined HAVE_LIMB2_T -static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -{ - limb2_t t; - /* - * this is idiomatic code to tell compiler to use the native mul - * those three lines will actually compile to single instruction - */ - - t = (limb2_t)a * b; - *hi = t >> LIMB_BIT_SIZE; - *lo = (limb_t)t; -} -#elif (BN_BYTES == 
8) && (defined _MSC_VER) -/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ -#pragma intrinsic(_umul128) -static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -{ - *lo = _umul128(a, b, hi); -} -#else -/* - * if the compiler doesn't have either a 128bit data type nor a "return - * high 64 bits of multiplication" - */ -static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -{ - limb_t a_low = (limb_t)(uint32_t)a; - limb_t a_hi = a >> 32; - limb_t b_low = (limb_t)(uint32_t)b; - limb_t b_hi = b >> 32; - - limb_t p0 = a_low * b_low; - limb_t p1 = a_low * b_hi; - limb_t p2 = a_hi * b_low; - limb_t p3 = a_hi * b_hi; - - uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); - - *lo = p0 + (p1 << 32) + (p2 << 32); - *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; -} -#endif - -/* add two limbs with carry in, return carry out */ -static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) -{ - limb_t carry1, carry2, t; - /* - * `c = a + b; if (c < a)` is idiomatic code that makes compilers - * use add with carry on assembly level - */ - - *ret = a + carry; - if (*ret < a) - carry1 = 1; - else - carry1 = 0; - - t = *ret; - *ret = t + b; - if (*ret < t) - carry2 = 1; - else - carry2 = 0; - - return carry1 + carry2; -} - -/* - * add two numbers of the same size, return overflow - * - * add a to b, place result in ret; all arrays need to be n limbs long - * return overflow from addition (0 or 1) - */ -static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) -{ - limb_t c = 0; - ossl_ssize_t i; - - for(i = n - 1; i > -1; i--) - c = _add_limb(&ret[i], a[i], b[i], c); - - return c; -} - -/* - * return number of limbs necessary for temporary values - * when multiplying numbers n limbs large - */ -static ossl_inline size_t mul_limb_numb(size_t n) -{ - return 2 * n * 2; -} - -/* - * multiply two numbers of the same size - * - * multiply a by b, place 
result in ret; a and b need to be n limbs long - * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs - * long - */ -static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) -{ - limb_t *r_odd, *r_even; - size_t i, j, k; - - r_odd = tmp; - r_even = &tmp[2 * n]; - - memset(ret, 0, 2 * n * sizeof(limb_t)); - - for (i = 0; i < n; i++) { - for (k = 0; k < i + n + 1; k++) { - r_even[k] = 0; - r_odd[k] = 0; - } - for (j = 0; j < n; j++) { - /* - * place results from even and odd limbs in separate arrays so that - * we don't have to calculate overflow every time we get individual - * limb multiplication result - */ - if (j % 2 == 0) - _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); - else - _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); - } - /* - * skip the least significant limbs when adding multiples of - * more significant limbs (they're zero anyway) - */ - add(ret, ret, r_even, n + i + 1); - add(ret, ret, r_odd, n + i + 1); - } -} - -/* modifies the value in place by performing a right shift by one bit */ -static ossl_inline void rshift1(limb_t *val, size_t n) -{ - limb_t shift_in = 0, shift_out = 0; - size_t i; - - for (i = 0; i < n; i++) { - shift_out = val[i] & 1; - val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); - shift_in = shift_out; - } -} - -/* extend the LSB of flag to all bits of limb */ -static ossl_inline limb_t mk_mask(limb_t flag) -{ - flag |= flag << 1; - flag |= flag << 2; - flag |= flag << 4; - flag |= flag << 8; - flag |= flag << 16; -#if (LIMB_BYTE_SIZE == 8) - flag |= flag << 32; -#endif - return flag; -} - -/* - * copy from either a or b to ret based on flag - * when flag == 0, then copies from b - * when flag == 1, then copies from a - */ -static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) -{ - /* - * would be more efficient with non volatile mask, but then gcc - * generates code with jumps - */ - volatile limb_t mask; - size_t i; - - 
mask = mk_mask(flag); - for (i = 0; i < n; i++) { -#if (LIMB_BYTE_SIZE == 8) - ret[i] = constant_time_select_64(mask, a[i], b[i]); -#else - ret[i] = constant_time_select_32(mask, a[i], b[i]); -#endif - } -} - -static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) -{ - limb_t borrow1, borrow2, t; - /* - * while it doesn't look constant-time, this is idiomatic code - * to tell compilers to use the carry bit from subtraction - */ - - *ret = a - borrow; - if (*ret > a) - borrow1 = 1; - else - borrow1 = 0; - - t = *ret; - *ret = t - b; - if (*ret > t) - borrow2 = 1; - else - borrow2 = 0; - - return borrow1 + borrow2; -} - -/* - * place the result of a - b into ret, return the borrow bit. - * All arrays need to be n limbs long - */ -static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) -{ - limb_t borrow = 0; - ossl_ssize_t i; - - for (i = n - 1; i > -1; i--) - borrow = _sub_limb(&ret[i], a[i], b[i], borrow); - - return borrow; -} - -/* return the number of limbs necessary to allocate for the mod() tmp operand */ -static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) -{ - return (anum + modnum) * 3; -} - -/* - * calculate a % mod, place the result in ret - * size of a is defined by anum, size of ret and mod is modnum, - * size of tmp is returned by mod_limb_numb() - */ -static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, - size_t modnum, limb_t *tmp) -{ - limb_t *atmp, *modtmp, *rettmp; - limb_t res; - size_t i; - - memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); - - atmp = tmp; - modtmp = &tmp[anum + modnum]; - rettmp = &tmp[(anum + modnum) * 2]; - - for (i = modnum; i 0; i--, rp--) { - v = _mul_add_limb(rp, mod, modnum, rp[modnum-1] * ni0, tmp2); - v = v + carry + rp[-1]; - carry |= (v != rp[-1]); - carry &= (v <= rp[-1]); - rp[-1] = v; - } - - /* perform the final reduction by mod... 
*/ - carry -= sub(ret, rp, mod, modnum); - - /* ...conditionally */ - cselect(carry, ret, rp, ret, modnum); -} - -/* allocated buffer should be freed afterwards */ -static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) -{ - int i; - int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - limb_t *ptr = buf + (limbs - real_limbs); - - for (i = 0; i < real_limbs; i++) - ptr[i] = bn->d[real_limbs - i - 1]; -} - -#if LIMB_BYTE_SIZE == 8 -static ossl_inline uint64_t be64(uint64_t host) -{ - uint64_t big = 0; - DECLARE_IS_ENDIAN; - - if (!IS_LITTLE_ENDIAN) - return host; - - big |= (host & 0xff00000000000000) >> 56; - big |= (host & 0x00ff000000000000) >> 40; - big |= (host & 0x0000ff0000000000) >> 24; - big |= (host & 0x000000ff00000000) >> 8; - big |= (host & 0x00000000ff000000) << 8; - big |= (host & 0x0000000000ff0000) << 24; - big |= (host & 0x000000000000ff00) << 40; - big |= (host & 0x00000000000000ff) << 56; - return big; -} - -#else -/* Not all platforms have htobe32(). */ -static ossl_inline uint32_t be32(uint32_t host) -{ - uint32_t big = 0; - DECLARE_IS_ENDIAN; - - if (!IS_LITTLE_ENDIAN) - return host; - - big |= (host & 0xff000000) >> 24; - big |= (host & 0x00ff0000) >> 8; - big |= (host & 0x0000ff00) << 8; - big |= (host & 0x000000ff) << 24; - return big; -} -#endif - -/* - * We assume that intermediate, possible_arg2, blinding, and ctx are used - * similar to BN_BLINDING_invert_ex() arguments. - * to_mod is RSA modulus. - * buf and num is the serialization buffer and its length. - * - * Here we use classic/Montgomery multiplication and modulo. After the calculation finished - * we serialize the new structure instead of BIGNUMs taking endianness into account. 
- */ -int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, - const BN_BLINDING *blinding, - const BIGNUM *possible_arg2, - const BIGNUM *to_mod, BN_CTX *ctx, - unsigned char *buf, int num) -{ - limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; - limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; - size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; - size_t l_tmp_count = 0; - int ret = 0; - size_t i; - unsigned char *tmp; - const BIGNUM *arg1 = intermediate; - const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; - - l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - - l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; - l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); - l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); - l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); - - if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) - goto err; - - BN_to_limb(arg1, l_im, l_size); - BN_to_limb(arg2, l_mul, l_size); - BN_to_limb(to_mod, l_mod, l_mod_count); - - l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); - - if (blinding->m_ctx != NULL) { - l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? - mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); - l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); - } else { - l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? 
- mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); - l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); - } - - if ((l_ret == NULL) || (l_tmp == NULL)) - goto err; - - if (blinding->m_ctx != NULL) { - limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); - mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, - blinding->m_ctx->n0[0], l_tmp); - } else { - limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); - mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); - } - - /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ - if (num < BN_num_bytes(to_mod)) { - ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); - goto err; - } - - memset(buf, 0, num); - tmp = buf + num - BN_num_bytes(to_mod); - for (i = 0; i < l_mod_count; i++) { -#if LIMB_BYTE_SIZE == 8 - l_buf = be64(l_ret[i]); -#else - l_buf = be32(l_ret[i]); -#endif - if (i == 0) { - int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); - - memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); - tmp += delta; - } else { - memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); - tmp += LIMB_BYTE_SIZE; - } - } - ret = num; - - err: - OPENSSL_free(l_im); - OPENSSL_free(l_mul); - OPENSSL_free(l_mod); - OPENSSL_free(l_tmp); - OPENSSL_free(l_ret); - - return ret; -} diff --git a/crypto/build.info b/crypto/build.info --- a/crypto/build.info +++ b/crypto/build.info @@ -97,9 +97,7 @@ context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ param_build_set.c der_writer.c threads_lib.c params_dup.c -IF[{- !$disabled{shared} -}] - SOURCE[../libssl]=sparse_array.c -ENDIF +SHARED_SOURCE[../libssl]=sparse_array.c SOURCE[../libcrypto]=$UTIL_COMMON \ mem.c mem_sec.c \ diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c 
@@ -64,10 +64,10 @@ break; default: if (IS_CREP(rcvd_type)) { + int any_rid = OSSL_CMP_CERTREQID_NONE; OSSL_CMP_CERTREPMESSAGE *crepmsg = rep->body->value.ip; OSSL_CMP_CERTRESPONSE *crep = - ossl_cmp_certrepmessage_get0_certresponse(crepmsg, - -1 /* any rid */); + ossl_cmp_certrepmessage_get0_certresponse(crepmsg, any_rid); if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) return -1; @@ -357,15 +357,16 @@ * Send certConf for IR, CR or KUR sequences and check response, * not modifying ctx->status during the certConf exchange */ -int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info, - const char *txt) +int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, + int fail_info, const char *txt) { OSSL_CMP_MSG *certConf; OSSL_CMP_MSG *PKIconf = NULL; int res = 0; /* OSSL_CMP_certConf_new() also checks if all necessary options are set */ - if ((certConf = ossl_cmp_certConf_new(ctx, fail_info, txt)) == NULL) + certConf = ossl_cmp_certConf_new(ctx, certReqId, fail_info, txt); + if (certConf == NULL) goto err; res = send_receive_check(ctx, certConf, &PKIconf, OSSL_CMP_PKIBODY_PKICONF); @@ -411,12 +412,10 @@ { char buf[OSSL_CMP_PKISI_BUFLEN]; X509 *crt = NULL; - EVP_PKEY *privkey; if (!ossl_assert(ctx != NULL && crep != NULL)) return NULL; - privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); switch (ossl_cmp_pkisi_get_status(crep->status)) { case OSSL_CMP_PKISTATUS_waiting: ossl_cmp_err(ctx, @@ -454,7 +453,7 @@ ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS); goto err; } - crt = ossl_cmp_certresponse_get1_cert(crep, ctx, privkey); + crt = ossl_cmp_certresponse_get1_cert(ctx, crep); if (crt == NULL) /* according to PKIStatus, we can expect a cert */ ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND); 
@@ -493,18 +492,46 @@ if (fail_info != 0) /* accept any error flagged by CMP core library */ return fail_info; - ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); - chain = X509_build_chain(cert, ctx->untrusted, out_trusted /* maybe NULL */, - 0, ctx->libctx, ctx->propq); + if (out_trusted == NULL) { + ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); + chain = X509_build_chain(cert, ctx->untrusted, out_trusted, + 0, ctx->libctx, ctx->propq); + } else { + X509_STORE_CTX *csc = X509_STORE_CTX_new_ex(ctx->libctx, ctx->propq); + + ossl_cmp_debug(ctx, "validating newly enrolled cert"); + if (csc == NULL) + goto err; + if (!X509_STORE_CTX_init(csc, out_trusted, cert, ctx->untrusted)) + goto err; + /* disable any cert status/revocation checking etc. */ + X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(csc), + ~(X509_V_FLAG_USE_CHECK_TIME + | X509_V_FLAG_NO_CHECK_TIME + | X509_V_FLAG_PARTIAL_CHAIN + | X509_V_FLAG_POLICY_CHECK)); + if (X509_verify_cert(csc) <= 0) + goto err; + + if (!ossl_x509_add_certs_new(&chain, X509_STORE_CTX_get0_chain(csc), + X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP + | X509_ADD_FLAG_NO_SS)) { + sk_X509_free(chain); + chain = NULL; + } + err: + X509_STORE_CTX_free(csc); + } + if (sk_X509_num(chain) > 0) X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */ if (out_trusted != NULL) { if (chain == NULL) { - ossl_cmp_err(ctx, "failed building chain for newly enrolled cert"); + ossl_cmp_err(ctx, "failed to validate newly enrolled cert"); fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; } else { ossl_cmp_debug(ctx, - "succeeded building proper chain for newly enrolled cert"); + "success validating newly enrolled cert"); } } else if (chain == NULL) { ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts"); 
@@ -521,6 +548,7 @@ /*- * Perform the generic handling of certificate responses for IR/CR/KUR/P10CR. + * |rid| must be OSSL_CMP_CERTREQID_NONE if not available, namely for p10cr * Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value. * Returns 1 on success and provides the received PKIMESSAGE in *resp. * Returns 0 on error (which includes the case that timeout has been reached). @@ -530,7 +558,7 @@ OSSL_CMP_MSG **resp, int *checkAfter, int req_type, int expected_type) { - EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx /* may be NULL */, 0); + EVP_PKEY *rkey = ossl_cmp_ctx_get0_newPubkey(ctx); int fail_info = 0; /* no failure */ const char *txt = NULL; OSSL_CMP_CERTREPMESSAGE *crepmsg; @@ -554,10 +582,9 @@ return 0; if (!save_statusInfo(ctx, crep->status)) return 0; - if (rid == -1) { - /* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */ + if (rid == OSSL_CMP_CERTREQID_NONE) { /* used for OSSL_CMP_PKIBODY_P10CR */ rid = ossl_cmp_asn1_get_int(crep->certReqId); - if (rid == -1) { + if (rid != OSSL_CMP_CERTREQID_NONE) { ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); return 0; } @@ -621,7 +648,7 @@ "rejecting newly enrolled cert with subject: %s", subj); if (!ctx->disableConfirm && !ossl_cmp_hdr_has_implicitConfirm((*resp)->header)) { - if (!ossl_cmp_exchange_certConf(ctx, fail_info, txt)) + if (!ossl_cmp_exchange_certConf(ctx, rid, fail_info, txt)) ret = 0; } @@ -630,6 +657,7 @@ ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED, "rejecting newly enrolled cert with subject: %s; %s", subj, txt); + ctx->status = OSSL_CMP_PKISTATUS_rejection; ret = 0; } OPENSSL_free(subj); @@ -662,7 +690,7 @@ { OSSL_CMP_MSG *rep = NULL; int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; - int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID; + int rid = is_p10 ? OSSL_CMP_CERTREQID_NONE : OSSL_CMP_CERTREQID; int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; int res = 0; 
@@ -704,7 +732,7 @@ OSSL_CMP_MSG *rep = NULL; int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; - int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID; + int rid = is_p10 ? OSSL_CMP_CERTREQID_NONE : OSSL_CMP_CERTREQID; int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; X509 *result = NULL; diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -457,8 +457,8 @@ } /* Set or clear the password to be used for protecting messages with PBMAC */ -int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, - const int len) +int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, + const unsigned char *sec, int len) { ASN1_OCTET_STRING *secretValue = NULL; if (ctx == NULL) { @@ -669,13 +669,13 @@ */ DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509) -/* Set the X509 name of the recipient. Set in the PKIHeader */ +/* Set the X509 name of the recipient to be placed in the PKIHeader */ DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME) /* Store the X509 name of the expected sender in the PKIHeader of responses */ DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME) -/* Set the X509 name of the issuer. Set in the PKIHeader */ +/* Set the X509 name of the issuer to be placed in the certTemplate */ DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME) /* @@ -834,6 +834,7 @@ } /* Get the private/public key to use for cert enrollment, or NULL on error */ +/* In case |priv| == 0, better use ossl_cmp_ctx_get0_newPubkey() below */ EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv) { if (ctx == NULL) { 
@@ -848,6 +849,21 @@ return ctx->pkey; /* may be NULL */ } +EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx) +{ + if (!ossl_assert(ctx != NULL)) + return NULL; + if (ctx->newPkey != NULL) + return ctx->newPkey; + if (ctx->p10CSR != NULL) + return X509_REQ_get0_pubkey(ctx->p10CSR); + if (ctx->oldCert != NULL) + return X509_get0_pubkey(ctx->oldCert); + if (ctx->cert != NULL) + return X509_get0_pubkey(ctx->cert); + return ctx->pkey; +} + /* Set the given transactionID to the context */ int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *id) diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c --- a/crypto/cmp/cmp_err.c +++ b/crypto/cmp/cmp_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -95,7 +95,10 @@ {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PBM_SECRET), "missing pbm secret"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PRIVATE_KEY), "missing private key"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO), + "missing private key for popo"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PROTECTION), "missing protection"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PUBLIC_KEY), "missing public key"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_REFERENCE_CERT), "missing reference cert"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_SECRET), "missing secret"}, diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * 
@@ -789,6 +789,7 @@ STACK_OF(X509) *extraCertsIn); int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *nonce); +EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx); /* from cmp_status.c */ int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si); @@ -852,7 +853,9 @@ # define OSSL_CMP_PKIBODY_POLLREP 26 # define OSSL_CMP_PKIBODY_TYPE_MAX OSSL_CMP_PKIBODY_POLLREP /* certReqId for the first - and so far only - certificate request */ -# define OSSL_CMP_CERTREQID 0 +# define OSSL_CMP_CERTREQID 0 +# define OSSL_CMP_CERTREQID_NONE -1 +# define OSSL_CMP_CERTREQID_INVALID -2 /* sequence id for the first - and so far only - revocation request */ # define OSSL_CMP_REVREQSID 0 int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx, @@ -885,8 +888,8 @@ int unprotected); int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus, ASN1_OCTET_STRING *hash); -OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, - const char *text); +OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId, + int fail_info, const char *text); OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid); OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, int64_t poll_after); @@ -900,8 +903,8 @@ OSSL_CMP_CERTRESPONSE * ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm, int rid); -X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep, - const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); +X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, + const OSSL_CMP_CERTRESPONSE *crep); OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file); /* from cmp_protect.c */ 
@@ -922,8 +925,8 @@ const OSSL_CMP_MSG *msg, int accept_RAVerified); /* from cmp_client.c */ -int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info, - const char *txt); +int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, + int fail_info, const char *txt); int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, const char *txt, int errorCode, const char *detail); diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -274,7 +274,7 @@ OSSL_CRMF_MSG *crm = NULL; X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert; /* refcert defaults to current client cert */ - EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0); + EVP_PKEY *rkey = ossl_cmp_ctx_get0_newPubkey(ctx); STACK_OF(GENERAL_NAME) *default_sans = NULL; const X509_NAME *ref_subj = refcert != NULL ? X509_get_subject_name(refcert) : NULL; @@ -286,15 +286,9 @@ /* RFC5280: subjectAltName MUST be critical if subject is null */ X509_EXTENSIONS *exts = NULL; - if (rkey == NULL && ctx->p10CSR != NULL) - rkey = X509_REQ_get0_pubkey(ctx->p10CSR); - if (rkey == NULL && refcert != NULL) - rkey = X509_get0_pubkey(refcert); - if (rkey == NULL) - rkey = ctx->pkey; /* default is independent of ctx->oldCert */ if (rkey == NULL) { #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION - ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); + ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PUBLIC_KEY); return NULL; #endif } 
@@ -411,15 +405,9 @@ if (type != OSSL_CMP_PKIBODY_P10CR) { EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); - /* - * privkey is NULL in case ctx->newPkey does not include a private key. - * We then may try to use ctx->pkey as fallback/default, but only - * if ctx-> newPkey does not include a (non-matching) public key: - */ - if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL) - privkey = ctx->pkey; /* default is independent of ctx->oldCert */ - if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) { - ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); + /* privkey is ctx->newPkey (if private, else NULL) or ctx->pkey */ + if (ctx->popoMethod >= OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO); goto err; } if (crm == NULL) { @@ -794,15 +782,17 @@ return 1; } -OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, - const char *text) +OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId, + int fail_info, const char *text) { OSSL_CMP_MSG *msg = NULL; OSSL_CMP_CERTSTATUS *certStatus = NULL; ASN1_OCTET_STRING *certHash = NULL; OSSL_CMP_PKISI *sinfo; - if (!ossl_assert(ctx != NULL && ctx->newCert != NULL)) + if (!ossl_assert(ctx != NULL && ctx->newCert != NULL + && (certReqId == OSSL_CMP_CERTREQID + || certReqId == OSSL_CMP_CERTREQID_NONE))) return NULL; if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) { 
@@ -816,10 +806,13 @@ if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL) goto err; /* consume certStatus into msg right away so it gets deallocated with msg */ - if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus)) + if (sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus) < 1) { + OSSL_CMP_CERTSTATUS_free(certStatus); goto err; + } + /* set the ID of the certReq */ - if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID)) + if (!ASN1_INTEGER_set(certStatus->certReqId, certReqId)) goto err; /* * The hash of the certificate, using the same hash algorithm @@ -965,12 +958,12 @@ { int trid; - if (rid == -1) + if (rid == OSSL_CMP_CERTREQID_NONE) return 1; trid = ossl_cmp_asn1_get_int(certReqId); - if (trid == -1) { + if (trid == OSSL_CMP_CERTREQID_NONE) { ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); return 0; } @@ -1031,14 +1024,15 @@ /*- * Retrieve the newly enrolled certificate from the given certResponse crep. - * In case of indirect POPO uses the libctx and propq from ctx and private key. + * Uses libctx and propq from ctx, in case of indirect POPO also private key. * Returns a pointer to a copy of the found certificate, or NULL if not found. */ -X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep, - const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey) +X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, + const OSSL_CMP_CERTRESPONSE *crep) { OSSL_CMP_CERTORENCCERT *coec; X509 *crt = NULL; + EVP_PKEY *pkey; if (!ossl_assert(crep != NULL && ctx != NULL)) return NULL; @@ -1051,6 +1045,8 @@ break; case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT: /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */ + pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); + /* pkey is ctx->newPkey (if private, else NULL) or ctx->pkey */ if (pkey == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); return NULL; 
@@ -1084,6 +1080,20 @@ || ossl_cmp_msg_protect(ctx, msg); } +int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) +{ + if (ctx == NULL || msg == NULL || msg->header == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); + return 0; + } + if (ctx->recipNonce == NULL) /* nothing to do for 1st msg in transaction */ + return 1; + if (!ossl_cmp_asn1_octet_string_set1(&msg->header->recipNonce, + ctx->recipNonce)) + return 0; + return msg->header->protectionAlg == NULL || ossl_cmp_msg_protect(ctx, msg); +} + OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq) { diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c --- a/crypto/cmp/cmp_protect.c +++ b/crypto/cmp/cmp_protect.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -129,6 +129,7 @@ } } +/* ctx is not const just because ctx->chain may get adapted */ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) { if (!ossl_assert(ctx != NULL && msg != NULL)) @@ -251,6 +252,7 @@ return id == NULL || ossl_cmp_hdr_set1_senderKID(msg->header, id); } +/* ctx is not const just because ctx->chain may get adapted */ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) { if (!ossl_assert(ctx != NULL && msg != NULL)) diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * 
@@ -22,8 +22,9 @@ /* the context for the generic CMP server */ struct ossl_cmp_srv_ctx_st { - OSSL_CMP_CTX *ctx; /* Client CMP context, partly reused for srv */ - void *custom_ctx; /* pointer to specific server context */ + void *custom_ctx; /* pointer to application-specific server context */ + OSSL_CMP_CTX *ctx; /* Client CMP context, reusing transactionID etc. */ + int certReqId; /* id of last ir/cr/kur, OSSL_CMP_CERTREQID_NONE for p10cr */ OSSL_CMP_SRV_cert_request_cb_t process_cert_request; OSSL_CMP_SRV_rr_cb_t process_rr; @@ -57,6 +58,7 @@ if ((ctx->ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL) goto err; + ctx->certReqId = OSSL_CMP_CERTREQID_INVALID; /* all other elements are initialized to 0 or NULL, respectively */ return ctx; @@ -184,7 +186,7 @@ } if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) { - certReqId = OSSL_CMP_CERTREQID; + certReqId = OSSL_CMP_CERTREQID_NONE; /* p10cr does not include an Id */ p10cr = req->body->value.p10cr; } else { OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */ @@ -199,7 +201,12 @@ return NULL; } certReqId = OSSL_CRMF_MSG_get_certReqId(crm); + if (certReqId != OSSL_CMP_CERTREQID) { + ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); + return 0; + } } + srv_ctx->certReqId = certReqId; if (!ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) { /* Proof of possession could not be verified */ @@ -356,6 +363,10 @@ ASN1_OCTET_STRING *certHash = status->certHash; OSSL_CMP_PKISI *si = status->statusInfo; + if (certReqId != srv_ctx->certReqId) { + ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); + return NULL; + } if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si)) return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */ 
@@ -394,8 +405,12 @@ return NULL; } - pr = sk_OSSL_CMP_POLLREQ_value(prc, 0); + pr = sk_OSSL_CMP_POLLREQ_value(prc, OSSL_CMP_CERTREQID); certReqId = ossl_cmp_asn1_get_int(pr->certReqId); + if (certReqId != srv_ctx->certReqId) { + ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); + return NULL; + } if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId, &certReq, &check_after)) return NULL; @@ -446,7 +461,7 @@ ASN1_OCTET_STRING *backup_secret; OSSL_CMP_PKIHEADER *hdr; int req_type, rsp_type; - int res; + int req_verified = 0; OSSL_CMP_MSG *rsp = NULL; if (srv_ctx == NULL || srv_ctx->ctx == NULL @@ -506,12 +521,12 @@ } } - res = ossl_cmp_msg_check_update(ctx, req, unprotected_exception, - srv_ctx->acceptUnprotected); + req_verified = ossl_cmp_msg_check_update(ctx, req, unprotected_exception, + srv_ctx->acceptUnprotected); if (ctx->secretValue != NULL && ctx->pkey != NULL && ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC) ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */ - if (!res) + if (!req_verified) goto err; switch (req_type) { @@ -568,9 +583,15 @@ int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest; OSSL_CMP_PKISI *si = NULL; - if (ctx->transactionID == NULL) { - /* ignore any (extra) error in next two function calls: */ - (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID); + if (!req_verified) { + /* + * Above ossl_cmp_msg_check_update() was not successfully executed, + * which normally would set ctx->transactionID and ctx->recipNonce. + * So anyway try to provide the right transactionID and recipNonce, + * while ignoring any (extra) error in next two function calls. + */ + if (ctx->transactionID == NULL) + (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID); (void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce); } diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2020 * Copyright Siemens AG 2015-2020 * @@ -323,11 +323,11 @@ * verify that the newly enrolled certificate (which assumed rid == * OSSL_CMP_CERTREQID) can also be validated with the same trusted store */ - EVP_PKEY *pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); OSSL_CMP_CERTRESPONSE *crep = ossl_cmp_certrepmessage_get0_certresponse(msg->body->value.ip, OSSL_CMP_CERTREQID); - X509 *newcrt = ossl_cmp_certresponse_get1_cert(crep, ctx, pkey); + X509 *newcrt = ossl_cmp_certresponse_get1_cert(ctx, crep); + /* * maybe better use get_cert_status() from cmp_client.c, which catches * errors @@ -642,7 +642,6 @@ return 0; } - /*- * Check received message (i.e., response by server or request from client) * Any msg->extraCerts are prepended to ctx->untrusted. @@ -765,6 +764,11 @@ #endif } + /* if not yet present, learn transactionID */ + if (ctx->transactionID == NULL + && !OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID)) + return 0; + /* * RFC 4210 section 5.1.1 states: the recipNonce is copied from * the senderNonce of the previous message in the transaction. @@ -773,11 +777,6 @@ if (!ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce)) return 0; - /* if not yet present, learn transactionID */ - if (ctx->transactionID == NULL - && !OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID)) - return -1; - /* * Store any provided extraCerts in ctx for future use, * such that they are available to ctx->certConf_cb and @@ -788,7 +787,7 @@ /* this allows self-signed certs */ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP | X509_ADD_FLAG_PREPEND)) - return -1; + return 0; if (ossl_cmp_hdr_get_protection_nid(hdr) == NID_id_PasswordBasedMAC) { /* diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c --- a/crypto/cms/cms_dh.c +++ b/crypto/cms/cms_dh.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -309,7 +309,7 @@ */ penc = NULL; penclen = i2d_X509_ALGOR(wrap_alg, &penc); - if (penc == NULL || penclen == 0) + if (penclen <= 0) goto err; wrap_str = ASN1_STRING_new(); if (wrap_str == NULL) diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c --- a/crypto/cms/cms_ec.c +++ b/crypto/cms/cms_ec.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,6 +8,7 @@ */ #include +#include #include #include #include @@ -257,7 +258,7 @@ ASN1_STRING *wrap_str; ASN1_OCTET_STRING *ukm; unsigned char *penc = NULL; - size_t penclen; + int penclen; int rv = 0; int ecdh_nid, kdf_type, kdf_nid, wrap_nid; const EVP_MD *kdf_md; @@ -274,15 +275,18 @@ /* Is everything uninitialised? */ if (aoid == OBJ_nid2obj(NID_undef)) { /* Set the key */ + size_t enckeylen; - penclen = EVP_PKEY_get1_encoded_public_key(pkey, &penc); - ASN1_STRING_set0(pubkey, penc, penclen); + enckeylen = EVP_PKEY_get1_encoded_public_key(pkey, &penc); + if (enckeylen > INT_MAX || enckeylen == 0) + goto err; + ASN1_STRING_set0(pubkey, penc, (int)enckeylen); pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT; penc = NULL; - X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), - V_ASN1_UNDEF, NULL); + (void)X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), + V_ASN1_UNDEF, NULL); /* cannot fail */ } /* See if custom parameters set */ 
@@ -346,7 +350,7 @@ penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen); - if (penclen == 0) + if (penclen <= 0) goto err; if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0) @@ -358,7 +362,7 @@ * of another AlgorithmIdentifier. */ penclen = i2d_X509_ALGOR(wrap_alg, &penc); - if (penc == NULL || penclen == 0) + if (penclen <= 0) goto err; wrap_str = ASN1_STRING_new(); if (wrap_str == NULL) diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -138,7 +138,7 @@ return 1; } -CMS_EncryptedContentInfo* ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms) +CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms) { switch (cms_get_enveloped_type(cms)) { case CMS_ENVELOPED_STANDARD: diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -432,7 +432,7 @@ (void)ERR_pop_to_mark(); mdbio = BIO_new(BIO_f_md()); - if (mdbio == NULL || !BIO_set_md(mdbio, digest)) { + if (mdbio == NULL || BIO_set_md(mdbio, digest) <= 0) { ERR_raise(ERR_LIB_CMS, CMS_R_MD_BIO_INIT_ERROR); goto err; } 
@@ -615,11 +615,12 @@ int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl) { - int r; - r = CMS_add0_crl(cms, crl); - if (r > 0) - X509_CRL_up_ref(crl); - return r; + if (!X509_CRL_up_ref(crl)) + return 0; + if (CMS_add0_crl(cms, crl)) + return 1; + X509_CRL_free(crl); + return 0; } STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms) diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -701,14 +701,21 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer) { - STACK_OF(CMS_RecipientInfo) *ris; + STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms); CMS_RecipientInfo *ri; int i, r, cms_pkey_ri_type; int debug = 0, match_ri = 0; + CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms); - ris = CMS_get0_RecipientInfos(cms); - if (ris != NULL) - debug = ossl_cms_get0_env_enc_content(cms)->debug; + /* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */ + if (ec != NULL) { + OPENSSL_clear_free(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; + } + + if (ris != NULL && ec != NULL) + debug = ec->debug; cms_pkey_ri_type = ossl_cms_pkey_get_ri_type(pk); if (cms_pkey_ri_type == CMS_RECIPINFO_NONE) { 
@@ -731,11 +738,8 @@ if (r < 0) return 0; } - /* - * If we have a cert try matching RecipientInfo otherwise try them - * all. - */ - else if (cert == NULL|| !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { + /* If we have a cert, try matching RecipientInfo, else try them all */ + else if (cert == NULL || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { EVP_PKEY_up_ref(pk); CMS_RecipientInfo_set0_pkey(ri, pk); r = CMS_RecipientInfo_decrypt(cms, ri); @@ -772,7 +776,8 @@ return 1; } - ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); + if (!match_ri) + ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); return 0; } @@ -783,7 +788,7 @@ { STACK_OF(CMS_RecipientInfo) *ris; CMS_RecipientInfo *ri; - int i, r; + int i, r, match_ri = 0; ris = CMS_get0_RecipientInfos(cms); for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { @@ -791,11 +796,10 @@ if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_KEK) continue; - /* - * If we have an id try matching RecipientInfo otherwise try them - * all. - */ - if (id == NULL || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) { + /* If we have an id, try matching RecipientInfo, else try them all */ + if (id == NULL + || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) { + match_ri = 1; CMS_RecipientInfo_set0_key(ri, key, keylen); r = CMS_RecipientInfo_decrypt(cms, ri); CMS_RecipientInfo_set0_key(ri, NULL, 0); @@ -809,7 +813,8 @@ } } - ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); + if (!match_ri) + ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); return 0; } 
@@ -817,15 +822,25 @@ int CMS_decrypt_set1_password(CMS_ContentInfo *cms, unsigned char *pass, ossl_ssize_t passlen) { - STACK_OF(CMS_RecipientInfo) *ris; + STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms); CMS_RecipientInfo *ri; - int i, r; + int i, r, match_ri = 0; + CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms); + + /* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */ + if (ec != NULL) { + OPENSSL_clear_free(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; + } - ris = CMS_get0_RecipientInfos(cms); for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { ri = sk_CMS_RecipientInfo_value(ris, i); if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_PASS) continue; + + /* Must try each PasswordRecipientInfo */ + match_ri = 1; CMS_RecipientInfo_set0_password(ri, pass, passlen); r = CMS_RecipientInfo_decrypt(cms, ri); CMS_RecipientInfo_set0_password(ri, NULL, 0); @@ -833,7 +848,8 @@ return 1; } - ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); + if (!match_ri) + ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); return 0; } @@ -843,7 +859,7 @@ { int r; BIO *cont; - + CMS_EncryptedContentInfo *ec; int nid = OBJ_obj2nid(CMS_get0_type(cms)); if (nid != NID_pkcs7_enveloped @@ -853,14 +869,9 @@ } if (dcont == NULL && !check_content(cms)) return 0; - if (flags & CMS_DEBUG_DECRYPT) - ossl_cms_get0_env_enc_content(cms)->debug = 1; - else - ossl_cms_get0_env_enc_content(cms)->debug = 0; - if (cert == NULL) - ossl_cms_get0_env_enc_content(cms)->havenocert = 1; - else - ossl_cms_get0_env_enc_content(cms)->havenocert = 0; + ec = ossl_cms_get0_env_enc_content(cms); + ec->debug = (flags & CMS_DEBUG_DECRYPT) != 0; + ec->havenocert = cert == NULL; if (pk == NULL && cert == NULL && dcont == NULL && out == NULL) return 1; if (pk != NULL && !CMS_decrypt_set1_pkey(cms, pk, cert)) diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -226,6 +226,9 @@ char *dirpath = NULL; OPENSSL_DIR_CTX *dirctx = NULL; #endif +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + int numincludes = 0; +#endif if ((buff = BUF_MEM_new()) == NULL) { ERR_raise(ERR_LIB_CONF, ERR_R_BUF_LIB); @@ -442,6 +445,20 @@ const char *include_dir = ossl_safe_getenv("OPENSSL_CONF_INCLUDE"); char *include_path = NULL; +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + /* + * The include processing below can cause the "conf" fuzzer to + * timeout due to the fuzzer inserting large and complicated + * includes - with a large amount of time spent in + * OPENSSL_strlcat/OPENSSL_strcpy. This is not a security + * concern because config files should never come from untrusted + * sources. We just set an arbitrary limit on the allowed + * number of includes when fuzzing to prevent this timeout. + */ + if (numincludes++ > 10) + goto err; +#endif + if (include_dir == NULL) include_dir = conf->includedir; diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c --- a/crypto/dsa/dsa_backend.c +++ b/crypto/dsa/dsa_backend.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -173,7 +173,10 @@ ERR_raise(ERR_LIB_DSA, DSA_R_BN_ERROR); goto dsaerr; } - DSA_set0_key(dsa, dsa_pubkey, dsa_privkey); + if (!DSA_set0_key(dsa, dsa_pubkey, dsa_privkey)) { + ERR_raise(ERR_LIB_DSA, ERR_R_INTERNAL_ERROR); + goto dsaerr; + } goto done; 
diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c --- a/crypto/dsa/dsa_err.c +++ b/crypto/dsa/dsa_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -36,6 +36,7 @@ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_SEED_LEN_SMALL), "seed_len is less than the length of q"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_TOO_MANY_RETRIES), "too many retries"}, {0, NULL} }; diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -21,6 +21,9 @@ #include "dsa_local.h" #include +#define MIN_DSA_SIGN_QBITS 128 +#define MAX_DSA_SIGN_RETRIES 8 + static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); @@ -75,6 +78,7 @@ int reason = ERR_R_BN_LIB; DSA_SIG *ret = NULL; int rv = 0; + int retries = 0; if (dsa->params.p == NULL || dsa->params.q == NULL @@ -129,7 +133,10 @@ * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q */ - /* Generate a blinding value */ + /* + * Generate a blinding value + * The size of q is tested in dsa_sign_setup() so there should not be an infinite loop here. + */ do { if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->params.q) - 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, ctx)) 
@@ -164,14 +171,19 @@ goto err; /* - * Redo if r or s is zero as required by FIPS 186-3: this is very - * unlikely. + * Redo if r or s is zero as required by FIPS 186-4: Section 4.6 + * This is very unlikely. + * Limit the retries so there is no possibility of an infinite + * loop for bad domain parameter values. */ - if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) + if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) { + if (retries++ > MAX_DSA_SIGN_RETRIES) { + reason = DSA_R_TOO_MANY_RETRIES; + goto err; + } goto redo; - + } rv = 1; - err: if (rv == 0) { ERR_raise(ERR_LIB_DSA, reason); @@ -212,7 +224,10 @@ /* Reject obviously invalid parameters */ if (BN_is_zero(dsa->params.p) || BN_is_zero(dsa->params.q) - || BN_is_zero(dsa->params.g)) { + || BN_is_zero(dsa->params.g) + || BN_is_negative(dsa->params.p) + || BN_is_negative(dsa->params.q) + || BN_is_negative(dsa->params.g)) { ERR_raise(ERR_LIB_DSA, DSA_R_INVALID_PARAMETERS); return 0; } @@ -220,7 +235,6 @@ ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PRIVATE_KEY); return 0; } - k = BN_new(); l = BN_new(); if (k == NULL || l == NULL) @@ -236,7 +250,8 @@ /* Preallocate space */ q_bits = BN_num_bits(dsa->params.q); q_words = bn_get_top(dsa->params.q); - if (!bn_wexpand(k, q_words + 2) + if (q_bits < MIN_DSA_SIGN_QBITS + || !bn_wexpand(k, q_words + 2) || !bn_wexpand(l, q_words + 2)) goto err; diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -165,7 +165,7 @@ *siglen = 0; return 0; } - *siglen = i2d_DSA_SIG(s, &sig); + *siglen = i2d_DSA_SIG(s, sig != NULL ? &sig : NULL); DSA_SIG_free(s); return 1; } 
diff --git a/crypto/ec/asm/ecp_nistp521-ppc64.pl b/crypto/ec/asm/ecp_nistp521-ppc64.pl --- a/crypto/ec/asm/ecp_nistp521-ppc64.pl +++ b/crypto/ec/asm/ecp_nistp521-ppc64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -140,6 +140,7 @@ } $code.=<<___; +.machine "any" .text ___ diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c --- a/crypto/ec/ec_err.c +++ b/crypto/ec/ec_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -108,6 +108,7 @@ "random number generation failed"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_SHARED_INFO_ERROR), "shared info error"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_SLOT_FULL), "slot full"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_TOO_MANY_RETRIES), "too many retries"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNDEFINED_GENERATOR), "undefined generator"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNDEFINED_ORDER), "undefined order"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNKNOWN_COFACTOR), "unknown cofactor"}, diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c --- a/crypto/ec/ecdsa_ossl.c +++ b/crypto/ec/ecdsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -20,6 +20,15 @@ #include "crypto/bn.h" #include "ec_local.h" +#define MIN_ECDSA_SIGN_ORDERBITS 64 +/* + * It is highly unlikely that a retry will happen, + * Multiple retries would indicate that something is wrong + * with the group parameters (which would normally only happen + * with a bad custom group). + */ +#define MAX_ECDSA_SIGN_RETRIES 8 + int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { @@ -66,7 +75,7 @@ *siglen = 0; return 0; } - *siglen = i2d_ECDSA_SIG(s, &sig); + *siglen = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL); ECDSA_SIG_free(s); return 1; } @@ -120,7 +129,9 @@ /* Preallocate space */ order_bits = BN_num_bits(order); - if (!BN_set_bit(k, order_bits) + /* Check the number of bits here so that an infinite loop is not possible */ + if (order_bits < MIN_ECDSA_SIGN_ORDERBITS + || !BN_set_bit(k, order_bits) || !BN_set_bit(r, order_bits) || !BN_set_bit(X, order_bits)) goto err; @@ -195,6 +206,7 @@ EC_KEY *eckey) { int ok = 0, i; + int retries = 0; BIGNUM *kinv = NULL, *s, *m = NULL; const BIGNUM *order, *ckinv; BN_CTX *ctx = NULL; @@ -304,6 +316,11 @@ ERR_raise(ERR_LIB_EC, EC_R_NEED_NEW_SETUP_VALUES); goto err; } + /* Avoid infinite loops cause by invalid group parameters */ + if (retries++ > MAX_ECDSA_SIGN_RETRIES) { + ERR_raise(ERR_LIB_EC, EC_R_TOO_MANY_RETRIES); + goto err; + } } else { /* s != 0 => we have a valid signature */ break; diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -712,7 +712,7 @@ static int pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { ECX_KEY *ecx = ossl_ecx_key_op(NULL, NULL, 0, ctx->pmeth->pkey_id, - KEY_OP_PUBLIC, NULL, NULL); + KEY_OP_KEYGEN, NULL, NULL); if (ecx != NULL) { EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, ecx); diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -140,8 +140,9 @@ if (!int_cleanup_check(1)) return; item = int_cleanup_item(cb); - if (item) - sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0); + if (item != NULL) + if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0) + OPENSSL_free(item); } void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -233,7 +233,9 @@ CMP_R_MISSING_P10CSR:121:missing p10csr CMP_R_MISSING_PBM_SECRET:166:missing pbm secret CMP_R_MISSING_PRIVATE_KEY:131:missing private key +CMP_R_MISSING_PRIVATE_KEY_FOR_POPO:190:missing private key for popo CMP_R_MISSING_PROTECTION:143:missing protection +CMP_R_MISSING_PUBLIC_KEY:183:missing public key CMP_R_MISSING_REFERENCE_CERT:168:missing reference cert CMP_R_MISSING_SECRET:178:missing secret CMP_R_MISSING_SENDER_IDENTIFICATION:111:missing sender identification 
@@ -514,6 +516,7 @@ DSA_R_P_NOT_PRIME:115:p not prime DSA_R_Q_NOT_PRIME:113:q not prime DSA_R_SEED_LEN_SMALL:110:seed_len is less than the length of q +DSA_R_TOO_MANY_RETRIES:116:too many retries DSO_R_CTRL_FAILED:100:control command failed DSO_R_DSO_ALREADY_LOADED:110:dso already loaded DSO_R_EMPTY_FILE_STRUCTURE:113:empty file structure @@ -597,6 +600,7 @@ EC_R_RANDOM_NUMBER_GENERATION_FAILED:158:random number generation failed EC_R_SHARED_INFO_ERROR:150:shared info error EC_R_SLOT_FULL:108:slot full +EC_R_TOO_MANY_RETRIES:176:too many retries EC_R_UNDEFINED_GENERATOR:113:undefined generator EC_R_UNDEFINED_ORDER:128:undefined order EC_R_UNKNOWN_COFACTOR:164:unknown cofactor diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -1,5 +1,5 @@ /* - * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -387,7 +387,7 @@ { int ret; - if ((ret = default_check(state, translation, ctx)) < 0) + if ((ret = default_check(state, translation, ctx)) <= 0) return ret; switch (state) { @@ -1136,6 +1136,7 @@ const struct translation_st *translation, struct translation_ctx_st *ctx) { + char *p2 = NULL; int ret; if ((ret = default_check(state, translation, ctx)) <= 0) 
@@ -1148,13 +1149,25 @@ if (state == PRE_CTRL_TO_PARAMS) { ctx->p2 = (char *)OBJ_nid2sn(ctx->p1); ctx->p1 = 0; + } else if (state == PRE_PARAMS_TO_CTRL) { + /* + * We're translating from params to ctrl and setting the curve name. + * The ctrl function needs it to be a NID, but meanwhile, we need + * space to get the curve name from the param. |ctx->name_buf| is + * sufficient for that. + * The double indirection is necessary for default_fixup_args()'s + * call of OSSL_PARAM_get_utf8_string() to be done correctly. + */ + p2 = ctx->name_buf; + ctx->p2 = &p2; + ctx->sz = sizeof(ctx->name_buf); } if ((ret = default_fixup_args(state, translation, ctx)) <= 0) return ret; if (state == PRE_PARAMS_TO_CTRL) { - ctx->p1 = OBJ_sn2nid(ctx->p2); + ctx->p1 = OBJ_sn2nid(p2); ctx->p2 = NULL; } 
@@ -2140,6 +2153,46 @@ EVP_PKEY_CTRL_GET_EC_KDF_UKM, NULL, NULL, OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR, NULL }, + /*- + * SM2 + * == + */ + { SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_EC_PARAM_ENC, "ec_param_enc", NULL, + OSSL_PKEY_PARAM_EC_ENCODING, OSSL_PARAM_UTF8_STRING, fix_ec_param_enc }, + { SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, "ec_paramgen_curve", NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, + fix_ec_paramgen_curve_nid }, + /* + * EVP_PKEY_CTRL_EC_ECDH_COFACTOR and EVP_PKEY_CTRL_EC_KDF_TYPE are used + * both for setting and getting. The fixup function has to handle this... + */ + { NONE, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_ECDH_COFACTOR, "ecdh_cofactor_mode", NULL, + OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, OSSL_PARAM_INTEGER, + fix_ecdh_cofactor }, + { NONE, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_TYPE, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_TYPE, OSSL_PARAM_UTF8_STRING, fix_ec_kdf_type }, + { SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_MD, "ecdh_kdf_md", NULL, + OSSL_EXCHANGE_PARAM_KDF_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { GET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_EC_KDF_MD, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_OUTLEN, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_OUTLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { GET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_OUTLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_UKM, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_STRING, NULL }, + { GET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_EC_KDF_UKM, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_UKM, 
OSSL_PARAM_OCTET_PTR, NULL }, /*- * RSA * === @@ -2307,8 +2360,12 @@ */ { SET, EVP_PKEY_X25519, EVP_PKEY_X25519, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL, OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx }, + { SET, EVP_PKEY_X25519, EVP_PKEY_X25519, EVP_PKEY_OP_PARAMGEN, -1, NULL, NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx }, { SET, EVP_PKEY_X448, EVP_PKEY_X448, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL, OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx }, + { SET, EVP_PKEY_X448, EVP_PKEY_X448, EVP_PKEY_OP_PARAMGEN, -1, NULL, NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx }, }; static const struct translation_st evp_pkey_translations[] = { @@ -2721,6 +2778,7 @@ if (translation->fixup_args != NULL) fixup = translation->fixup_args; ctx.action_type = translation->action_type; + ctx.ctrl_cmd = translation->ctrl_num; } ctx.pctx = pctx; ctx.params = params; diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -447,7 +447,7 @@ if (isize != NULL) { if (size <= UINT_MAX) { - *isize = (int)size; + *isize = (unsigned int)size; } else { ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); ret = 0; @@ -762,7 +762,7 @@ return pctx->op.sig.signature->get_ctx_md_params(pctx->op.sig.algctx, params); - if (ctx->digest != NULL && ctx->digest->get_params != NULL) + if (ctx->digest != NULL && ctx->digest->get_ctx_params != NULL) return ctx->digest->get_ctx_params(ctx->algctx, params); return 0; diff --git a/crypto/evp/ec_ctrl.c b/crypto/evp/ec_ctrl.c --- a/crypto/evp/ec_ctrl.c +++ b/crypto/evp/ec_ctrl.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -283,7 +283,9 @@ */ int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid) { - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_TYPE_GEN, + int keytype = nid == EVP_PKEY_SM2 ? EVP_PKEY_SM2 : EVP_PKEY_EC; + + return EVP_PKEY_CTX_ctrl(ctx, keytype, EVP_PKEY_OP_TYPE_GEN, EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL); } diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -136,7 +136,7 @@ md = md_fetch = EVP_MD_fetch(libctx, OBJ_nid2sn(md_nid), propq); /* Fallback to legacy method */ if (md == NULL) - EVP_get_digestbynid(md_nid); + md = EVP_get_digestbynid(md_nid); if (md == NULL) { (void)ERR_clear_last_mark(); diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c --- a/crypto/evp/keymgmt_meth.c +++ b/crypto/evp/keymgmt_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -378,7 +378,7 @@ void evp_keymgmt_gen_cleanup(const EVP_KEYMGMT *keymgmt, void *genctx) { - if (keymgmt->gen != NULL) + if (keymgmt->gen_cleanup != NULL) keymgmt->gen_cleanup(genctx); } 
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1324,6 +1324,8 @@ int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid) { + if (pkey == NULL) + return 0; return evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_DEFAULT_MD_NID, 0, pnid); } @@ -1374,7 +1376,9 @@ int EVP_PKEY_set1_encoded_public_key(EVP_PKEY *pkey, const unsigned char *pub, size_t publen) { - if (pkey != NULL && evp_pkey_is_provided(pkey)) + if (pkey == NULL) + return 0; + if (evp_pkey_is_provided(pkey)) return EVP_PKEY_set_octet_string_param(pkey, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, @@ -1393,7 +1397,9 @@ { int rv; - if (pkey != NULL && evp_pkey_is_provided(pkey)) { + if (pkey == NULL) + return 0; + if (evp_pkey_is_provided(pkey)) { size_t return_size = OSSL_PARAM_UNMODIFIED; unsigned char *buf; @@ -2172,7 +2178,14 @@ goto err; ret = OSSL_PARAM_get_BN(params, bn); err: - OPENSSL_free(buf); + if (buf != NULL) { + if (OSSL_PARAM_modified(params)) + OPENSSL_clear_free(buf, buf_sz); + else + OPENSSL_free(buf); + } else if (OSSL_PARAM_modified(params)) { + OPENSSL_cleanse(buffer, params[0].data_size); + } return ret; } diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -509,8 +509,11 @@ if (pctx->op.kex.algctx != NULL) { if (!ossl_assert(pctx->op.kex.exchange != NULL)) goto err; - rctx->op.kex.algctx - = pctx->op.kex.exchange->dupctx(pctx->op.kex.algctx); + + if (pctx->op.kex.exchange->dupctx != NULL) + rctx->op.kex.algctx + = pctx->op.kex.exchange->dupctx(pctx->op.kex.algctx); + if (rctx->op.kex.algctx == NULL) { EVP_KEYEXCH_free(rctx->op.kex.exchange); rctx->op.kex.exchange = NULL; @@ -527,8 +530,11 @@ if (pctx->op.sig.algctx != NULL) { if (!ossl_assert(pctx->op.sig.signature != NULL)) goto err; - rctx->op.sig.algctx - = pctx->op.sig.signature->dupctx(pctx->op.sig.algctx); + + if (pctx->op.sig.signature->dupctx != NULL) + rctx->op.sig.algctx + = pctx->op.sig.signature->dupctx(pctx->op.sig.algctx); + if (rctx->op.sig.algctx == NULL) { EVP_SIGNATURE_free(rctx->op.sig.signature); rctx->op.sig.signature = NULL; @@ -545,8 +551,11 @@ if (pctx->op.ciph.algctx != NULL) { if (!ossl_assert(pctx->op.ciph.cipher != NULL)) goto err; - rctx->op.ciph.algctx - = pctx->op.ciph.cipher->dupctx(pctx->op.ciph.algctx); + + if (pctx->op.ciph.cipher->dupctx != NULL) + rctx->op.ciph.algctx + = pctx->op.ciph.cipher->dupctx(pctx->op.ciph.algctx); + if (rctx->op.ciph.algctx == NULL) { EVP_ASYM_CIPHER_free(rctx->op.ciph.cipher); rctx->op.ciph.cipher = NULL; @@ -563,8 +572,11 @@ if (pctx->op.encap.algctx != NULL) { if (!ossl_assert(pctx->op.encap.kem != NULL)) goto err; - rctx->op.encap.algctx - = pctx->op.encap.kem->dupctx(pctx->op.encap.algctx); + + if (pctx->op.encap.kem->dupctx != NULL) + rctx->op.encap.algctx + = pctx->op.encap.kem->dupctx(pctx->op.encap.algctx); + if (rctx->op.encap.algctx == NULL) { EVP_KEM_free(rctx->op.encap.kem); rctx->op.encap.kem = NULL; diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c --- a/crypto/ffc/ffc_backend.c +++ b/crypto/ffc/ffc_backend.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -111,6 +111,7 @@ if (p1 != NULL) { if (p1->data_type != OSSL_PARAM_UTF8_STRING) goto err; + props = p1->data; } if (!ossl_ffc_set_digest(ffc, prm->data, props)) goto err; diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c --- a/crypto/ffc/ffc_params.c +++ b/crypto/ffc/ffc_params.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -182,6 +182,8 @@ || !ffc_bn_cpy(&dst->j, src->j)) return 0; + dst->mdname = src->mdname; + dst->mdprops = src->mdprops; OPENSSL_free(dst->seed); dst->seedlen = src->seedlen; if (src->seed != NULL) { diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Siemens AG 2018-2020 * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -1122,7 +1122,7 @@ char *port; char *path; int use_ssl; - OSSL_HTTP_REQ_CTX *rctx; + OSSL_HTTP_REQ_CTX *rctx = NULL; BIO *resp = NULL; time_t max_time = timeout > 0 ? time(NULL) + timeout : 0; 
@@ -1148,10 +1148,12 @@ NULL /* req */, expected_ct, expect_asn1, max_resp_len, -1 /* use same max time (timeout) */, - 0 /* no keep_alive */)) + 0 /* no keep_alive */)) { OSSL_HTTP_REQ_CTX_free(rctx); - else + rctx = NULL; + } else { resp = OSSL_HTTP_exchange(rctx, &redirection_url); + } } OPENSSL_free(path); if (resp == NULL && redirection_url != NULL) { @@ -1166,6 +1168,7 @@ OPENSSL_free(host); OPENSSL_free(port); (void)OSSL_HTTP_close(rctx, 1); + rctx = NULL; BIO_free(resp); OPENSSL_free(current_url); return NULL; @@ -1175,6 +1178,7 @@ OPENSSL_free(host); OPENSSL_free(port); (void)OSSL_HTTP_close(rctx, 1); + rctx = NULL; continue; } /* if redirection not allowed, ignore it */ @@ -1184,6 +1188,7 @@ OPENSSL_free(port); if (!OSSL_HTTP_close(rctx, resp != NULL)) { BIO_free(resp); + rctx = NULL; resp = NULL; } break; diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c --- a/crypto/http/http_lib.c +++ b/crypto/http/http_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -253,9 +253,9 @@ * compatible with other HTTP client implementations like wget, curl and git */ if (no_proxy == NULL) - no_proxy = getenv("no_proxy"); + no_proxy = ossl_safe_getenv("no_proxy"); if (no_proxy == NULL) - no_proxy = getenv(OPENSSL_NO_PROXY); + no_proxy = ossl_safe_getenv(OPENSSL_NO_PROXY); if (no_proxy != NULL) found = strstr(no_proxy, server); 
@@ -275,10 +275,9 @@ * compatible with other HTTP client implementations like wget, curl and git */ if (proxy == NULL) - proxy = getenv(use_ssl ? "https_proxy" : "http_proxy"); + proxy = ossl_safe_getenv(use_ssl ? "https_proxy" : "http_proxy"); if (proxy == NULL) - proxy = getenv(use_ssl ? OPENSSL_HTTP_PROXY : - OPENSSL_HTTPS_PROXY); + proxy = ossl_safe_getenv(use_ssl ? OPENSSL_HTTP_PROXY : OPENSSL_HTTPS_PROXY); if (proxy == NULL || *proxy == '\0' || !use_proxy(no_proxy, server)) return NULL; diff --git a/crypto/modes/asm/aes-gcm-armv8_64.pl b/crypto/modes/asm/aes-gcm-armv8_64.pl --- a/crypto/modes/asm/aes-gcm-armv8_64.pl +++ b/crypto/modes/asm/aes-gcm-armv8_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -217,6 +217,7 @@ my $mod_t="v31"; my ($rk0,$rk1,$rk2,$rk3,$rk4,$rk5,$rk6,$rk7,$rk8,$rk9)=map("v$_.16b",(18..27)); +my ($rk0s,$rk1s,$rk2s,$rk3s,$rk4s,$rk5s,$rk6s,$rk7s,$rk8s,$rk9s)=map("v$_.4s",(18..27)); my ($rk0q,$rk1q,$rk2q,$rk3q,$rk4q,$rk5q,$rk6q,$rk7q,$rk8q,$rk9q)=map("q$_",(18..27)); my $rk2q1="v20.1q"; my $rk3q1="v21.1q"; 
@@ -268,28 +269,36 @@ stp d14, d15, [sp, #96] ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif ldp $rk10_l, $rk10_h, [$cc, #160] @ load rk10 - +#ifdef __AARCH64EB__ + ror $rk10_l, $rk10_l, #32 + ror $rk10_h, $rk10_h, #32 +#endif ld1 {$acc_lb}, [$current_tag] ext $acc_lb, $acc_lb, $acc_lb, #8 rev64 $acc_lb, $acc_lb lsr $main_end_input_ptr, $bit_length, #3 @ byte_len mov $len, $main_end_input_ptr - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk0s}, [$cc], #16 @ load rk0 add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 lsr $rctr32x, $ctr96_t32x, #32 ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 - +#endif fmov $ctr1d, $ctr96_b64x @ CTR block 1 rev $rctr32w, $rctr32w @ rev_ctr32 add $rctr32w, $rctr32w, #1 @ increment rev_ctr32 orr $ctr96_t32w, $ctr96_t32w, $ctr96_t32w - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk1s}, [$cc], #16 @ load rk1 rev $ctr32w, $rctr32w @ CTR block 1 add $rctr32w, $rctr32w, #1 @ CTR block 1 
@@ -309,45 +318,50 @@ rev $ctr32w, $rctr32w @ CTR block 3 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 3 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk2s}, [$cc], #16 @ load rk2 add $rctr32w, $rctr32w, #1 @ CTR block 3 fmov $ctr3.d[1], $ctr32x @ CTR block 3 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 - +#endif aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk3s}, [$cc], #16 @ load rk3 aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 +#endif aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 - ldr $rk8q, [$cc, #128] @ load rk8 + ld1 {$rk4s}, [$cc], #16 @ load rk4 aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 - ldr $rk3q, [$cc, #48] @ load rk3 + ld1 {$rk5s}, [$cc], #16 @ load rk5 aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 trn2 $h34k.2d, $h3.2d, $h4.2d @ h4l | h3l aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk6s}, [$cc], #16 @ load rk6 aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk7s}, [$cc], #16 @ load rk7 aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 trn1 $acc_h.2d, $h3.2d, $h4.2d @ h4h | h3h aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 - ldr $rk5q, [$cc, #80] @ load rk5 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 +#endif aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 
@@ -359,7 +373,7 @@ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 @@ -421,13 +435,25 @@ b.ge .L128_enc_tail @ handle tail ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 0 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 2 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 1 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 3 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif eor $input_l0, $input_l0, $rk10_l @ AES block 0 - round 10 low eor $input_h0, $input_h0, $rk10_h @ AES block 0 - round 10 high @@ -492,6 +518,10 @@ .L128_enc_main_loop: @ main loop start ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 4k+3 - load plaintext +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif rev64 $res0b, $res0b @ GHASH block 4k (only t0 is free) rev64 $res2b, $res2b @ GHASH block 4k+2 (t0, t1, and t2 free) @@ -520,7 +550,10 @@ pmull2 $t1.1q, $res1.2d, $h3.2d @ GHASH block 4k+1 - high eor $t6.8b, $t6.8b, $res2.8b @ GHASH block 4k+2 - mid ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 1 rev $ctr32w, $rctr32w @ CTR block 4k+8 
@@ -590,13 +623,19 @@ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 5 ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 4k+5 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 3 eor $acc_mb, $acc_mb, $t6.16b @ GHASH block 4k+2 - mid aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 5 ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 4k+6 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif pmull $mod_t.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid eor $acc_lb, $acc_lb, $t8.16b @ GHASH block 4k+3 - low @@ -853,7 +892,10 @@ sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif cmp $main_end_input_ptr, #48 ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag @@ -891,7 +933,10 @@ st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-2 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif rev64 $res0b, $res1b @ GHASH final-3 block eor $res0b, $res0b, $t0.16b @ feed in partial tag @@ -920,7 +965,10 @@ rev64 $res0b, $res1b @ GHASH final-2 block ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-1 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $res0b, $res0b, $t0.16b @ feed in partial tag eor $input_l0, $input_l0, $rk10_l @ AES final-1 block - round 10 low 
@@ -954,7 +1002,10 @@ rev64 $res0b, $res1b @ GHASH final-1 block ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $res0b, $res0b, $t0.16b @ feed in partial tag eor $input_h0, $input_h0, $rk10_h @ AES final block - round 10 high @@ -1017,9 +1068,11 @@ ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid - +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w - +#else + mov $ctr32w, $rctr32w +#endif pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid @@ -1103,20 +1156,29 @@ lsr $main_end_input_ptr, $bit_length, #3 @ byte_len mov $len, $main_end_input_ptr ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 - +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif + ldp $rk10_l, $rk10_h, [$cc, #160] @ load rk10 +#ifdef __AARCH64EB__ + ror $rk10_h, $rk10_h, 32 + ror $rk10_l, $rk10_l, 32 +#endif sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk0s}, [$cc], #16 @ load rk0 and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffffc0 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) ld1 { $ctr0b}, [$counter] @ special case vector load initial counter so we can start first AES block as quickly as possible ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 - +#endif lsr $rctr32x, $ctr96_t32x, #32 fmov $ctr2d, $ctr96_b64x @ CTR block 2 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk1s}, [$cc], #16 @ load rk1 orr $ctr96_t32w, $ctr96_t32w, $ctr96_t32w rev $rctr32w, $rctr32w @ rev_ctr32 
@@ -1127,7 +1189,7 @@ rev $ctr32w, $rctr32w @ CTR block 1 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 1 - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk2s}, [$cc], #16 @ load rk2 add $rctr32w, $rctr32w, #1 @ CTR block 1 fmov $ctr1.d[1], $ctr32x @ CTR block 1 @@ -1148,23 +1210,22 @@ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 - ldr $rk3q, [$cc, #48] @ load rk3 + ld1 {$rk3s}, [$cc], #16 @ load rk3 aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk4s}, [$cc], #16 @ load rk4 aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk5s}, [$cc], #16 @ load rk5 aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk6s}, [$cc], #16 @ load rk6 aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 - ldp $rk10_l, $rk10_h, [$cc, #160] @ load rk10 aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ld1 { $acc_lb}, [$current_tag] @@ -1172,14 +1233,14 @@ rev64 $acc_lb, $acc_lb aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 - ldr $rk5q, [$cc, #80] @ load rk5 + ld1 {$rk7s}, [$cc], #16 @ load rk7 aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 
@@ -1187,10 +1248,11 @@ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 - +#endif aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 - ldr $rk8q, [$cc, #128] @ load rk8 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 @@ -1202,8 +1264,9 @@ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 - +#endif aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 @@ -1216,7 +1279,9 @@ trn1 $t0.2d, $h1.2d, $h2.2d @ h2h | h1h ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 +#endif trn2 $h12k.2d, $h1.2d, $h2.2d @ h2l | h1l add $main_end_input_ptr, $main_end_input_ptr, $input_ptr @@ -1250,12 +1315,10 @@ eor $h34k.16b, $h34k.16b, $acc_h.16b @ h4k | h3k b.ge .L128_dec_tail @ handle tail - ldr $res1q, [$input_ptr, #16] @ AES block 1 - load ciphertext - - ldr $res0q, [$input_ptr, #0] @ AES block 0 - load ciphertext + ld1 {$res0b, $res1b}, [$input_ptr], #32 @ AES block 0 - load ciphertext; AES block 1 - load ciphertext eor $ctr1b, $res1b, $ctr1b @ AES block 1 - result - ldr $res2q, [$input_ptr, #32] @ AES block 2 - load ciphertext + ld1 {$res2b}, [$input_ptr], #16 @ AES block 2 - load ciphertext eor $ctr0b, $res0b, $ctr0b @ AES block 0 - result rev64 $res0b, $res0b @ GHASH block 0 
@@ -1263,10 +1326,9 @@ orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 4 add $rctr32w, $rctr32w, #1 @ CTR block 4 - ldr $res3q, [$input_ptr, #48] @ AES block 3 - load ciphertext + ld1 {$res3b}, [$input_ptr], #16 @ AES block 3 - load ciphertext rev64 $res1b, $res1b @ GHASH block 1 - add $input_ptr, $input_ptr, #64 @ AES input_ptr update mov $output_l1, $ctr1.d[0] @ AES block 1 - mov low mov $output_h1, $ctr1.d[1] @ AES block 1 - mov high @@ -1281,7 +1343,9 @@ fmov $ctr0.d[1], $ctr32x @ CTR block 4 rev $ctr32w, $rctr32w @ CTR block 5 eor $output_l1, $output_l1, $rk10_l @ AES block 1 - round 10 low - +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif fmov $ctr1d, $ctr96_b64x @ CTR block 5 add $rctr32w, $rctr32w, #1 @ CTR block 5 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 5 @@ -1293,10 +1357,19 @@ orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 6 eor $output_h1, $output_h1, $rk10_h @ AES block 1 - round 10 high +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif eor $output_l0, $output_l0, $rk10_l @ AES block 0 - round 10 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $ctr2b, $res2b, $ctr2b @ AES block 2 - result eor $output_h0, $output_h0, $rk10_h @ AES block 0 - round 10 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 0 - store result stp $output_l1, $output_h1, [$output_ptr], #16 @ AES block 1 - store result @@ -1356,9 +1429,14 @@ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 1 eor $output_l3, $output_l3, $rk10_l @ AES block 4k+3 - round 10 low - +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif pmull $t3.1q, $t3.1d, $h34k.1d @ GHASH block 4k+1 - mid eor $output_h2, $output_h2, $rk10_h @ AES block 4k+2 - round 10 high +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif mov $t6d, $res2.d[1] @ GHASH block 4k+2 - mid aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 1 
@@ -1389,13 +1467,17 @@ pmull2 $t6.1q, $t6.2d, $h12k.2d @ GHASH block 4k+2 - mid eor $output_h3, $output_h3, $rk10_h @ AES block 4k+3 - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 2 eor $t9.8b, $t9.8b, $res3.8b @ GHASH block 4k+3 - mid aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 5 eor $output_l2, $output_l2, $rk10_l @ AES block 4k+2 - round 10 low - +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 5 movi $mod_constant.8b, #0xc2 @@ -1412,7 +1494,7 @@ pmull $t9.1q, $t9.1d, $h12k.1d @ GHASH block 4k+3 - mid eor $acc_hb, $acc_hb, $t7.16b @ GHASH block 4k+3 - high - ldr $res0q, [$input_ptr, #0] @ AES block 4k+4 - load ciphertext + ld1 {$res0b}, [$input_ptr], #16 @ AES block 4k+3 - load ciphertext aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 7 add $rctr32w, $rctr32w, #1 @ CTR block 4k+7 @@ -1433,7 +1515,7 @@ rev $ctr32w, $rctr32w @ CTR block 4k+8 pmull $mod_t.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid - ldr $res1q, [$input_ptr, #16] @ AES block 4k+5 - load ciphertext + ld1 {$res1b}, [$input_ptr], #16 @ AES block 4k+4 - load ciphertext ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment aese $ctr0b, $rk9 @ AES block 4k+4 - round 9 
@@ -1448,17 +1530,16 @@ eor $ctr0b, $res0b, $ctr0b @ AES block 4k+4 - result aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 5 - ldr $res2q, [$input_ptr, #32] @ AES block 4k+6 - load ciphertext + ld1 {$res2b}, [$input_ptr], #16 @ AES block 4k+5 - load ciphertext add $rctr32w, $rctr32w, #1 @ CTR block 4k+8 eor $acc_mb, $acc_mb, $mod_t.16b @ MODULO - fold into mid eor $ctr1b, $res1b, $ctr1b @ AES block 4k+5 - result aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 7 - ldr $res3q, [$input_ptr, #48] @ AES block 4k+3 - load ciphertext + ld1 {$res3b}, [$input_ptr], #16 @ AES block 4k+6 - load ciphertext aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 6 - add $input_ptr, $input_ptr, #64 @ AES input_ptr update rev64 $res1b, $res1b @ GHASH block 4k+5 eor $acc_mb, $acc_mb, $acc_hb @ MODULO - fold into mid @@ -1480,11 +1561,15 @@ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 8 eor $output_h0, $output_h0, $rk10_h @ AES block 4k+4 - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $acc_lb, $acc_lb, $mod_constant.16b @ MODULO - fold into low mov $output_h1, $ctr1.d[1] @ AES block 4k+5 - mov high eor $output_l0, $output_l0, $rk10_l @ AES block 4k+4 - round 10 low - +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $ctr2b, $res2b, $ctr2b @ AES block 4k+6 - result mov $output_l1, $ctr1.d[0] @ AES block 4k+5 - mov low add $rctr32w, $rctr32w, #1 @ CTR block 4k+9 
@@ -1501,9 +1586,15 @@ add $rctr32w, $rctr32w, #1 @ CTR block 4k+10 eor $output_h1, $output_h1, $rk10_h @ AES block 4k+5 - round 10 high +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 4k+4 - store result eor $output_l1, $output_l1, $rk10_l @ AES block 4k+5 - round 10 low +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif stp $output_l1, $output_h1, [$output_ptr], #16 @ AES block 4k+5 - store result orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 4k+10 @@ -1596,9 +1687,14 @@ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 2 eor $output_l3, $output_l3, $rk10_l @ AES block 4k+3 - round 10 low - +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif pmull $t9.1q, $t9.1d, $h12k.1d @ GHASH block 4k+3 - mid eor $output_l2, $output_l2, $rk10_l @ AES block 4k+2 - round 10 low +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif eor $acc_lb, $acc_lb, $t8.16b @ GHASH block 4k+3 - low aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 3 @@ -1652,7 +1748,9 @@ pmull $mod_constant.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low eor $output_h3, $output_h3, $rk10_h @ AES block 4k+3 - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 7 ext $acc_mb, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment @@ -1665,7 +1763,9 @@ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 8 eor $output_h2, $output_h2, $rk10_h @ AES block 4k+2 - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif aese $ctr0b, $rk9 @ AES block 4k+4 - round 9 stp $output_l2, $output_h2, [$output_ptr], #16 @ AES block 4k+2 - store result 
@@ -1689,9 +1789,14 @@ cmp $main_end_input_ptr, #48 eor $output_h0, $output_h0, $rk10_h @ AES block 4k+4 - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag eor $output_l0, $output_l0, $rk10_l @ AES block 4k+4 - round 10 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif b.gt .L128_dec_blocks_more_than_3 mov $ctr3b, $ctr2b @@ -1735,9 +1840,14 @@ movi $t0.8b, #0 @ suppress further partial tag feed in eor $output_h0, $output_h0, $rk10_h @ AES final-2 block - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-3 block - mid eor $output_l0, $output_l0, $rk10_l @ AES final-2 block - round 10 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif .L128_dec_blocks_more_than_2: @ blocks left > 2 rev64 $res0b, $res1b @ GHASH final-2 block @@ -1763,12 +1873,18 @@ pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid eor $output_l0, $output_l0, $rk10_l @ AES final-1 block - round 10 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid eor $output_h0, $output_h0, $rk10_h @ AES final-1 block - round 10 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif .L128_dec_blocks_more_than_1: @ blocks left > 1 rev64 $res0b, $res1b @ GHASH final-1 block @@ -1799,8 +1915,13 @@ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high eor $output_h0, $output_h0, $rk10_h @ AES final block - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $output_l0, $output_l0, $rk10_l @ AES final block - round 10 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid .L128_dec_blocks_less_than_1: @ blocks left <= 1 
@@ -1846,7 +1967,11 @@ bic $end_input_ptr, $end_input_ptr, $ctr32x @ mask out low existing bytes and $output_l0, $output_l0, $ctr32x +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w +#else + mov $ctr32w, $rctr32w +#endif eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid movi $mod_constant.8b, #0xc2 @@ -1955,6 +2080,7 @@ my ($rk0,$rk1,$rk2,$rk3,$rk4,$rk5,$rk6,$rk7,$rk8,$rk9,$rk10,$rk11)=map("v$_.16b",(18..29)); my ($rk0q,$rk1q,$rk2q,$rk3q,$rk4q,$rk5q,$rk6q,$rk7q,$rk8q,$rk9q,$rk10q,$rk11q)=map("q$_",(18..29)); +my ($rk0s,$rk1s,$rk2s,$rk3s,$rk4s,$rk5s,$rk6s,$rk7s,$rk8s,$rk9s,$rk10s,$rk11s)=map("v$_.4s",(18..29)); my $rk2q1="v20.1q"; my $rk3q1="v21.1q"; my $rk4v="v22"; @@ -1985,18 +2111,26 @@ stp d14, d15, [sp, #96] ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif + ldp $rk12_l, $rk12_h, [$cc, #192] @ load rk12 +#ifdef __AARCH64EB__ + ror $rk12_l, $rk12_l, #32 + ror $rk12_h, $rk12_h, #32 +#endif + ld1 {$rk0s}, [$cc], #16 @ load rk0 - ldr $rk5q, [$cc, #80] @ load rk5 - - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk1s}, [$cc], #16 @ load rk1 - ldr $rk8q, [$cc, #128] @ load rk8 + ld1 {$rk2s}, [$cc], #16 @ load rk2 lsr $rctr32x, $ctr96_t32x, #32 - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk3s}, [$cc], #16 @ load rk3 orr $ctr96_t32w, $ctr96_t32w, $ctr96_t32w - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk4s}, [$cc], #16 @ load rk4 rev $rctr32w, $rctr32w @ rev_ctr32 add $rctr32w, $rctr32w, #1 @ increment rev_ctr32 
@@ -2020,15 +2154,13 @@ rev $ctr32w, $rctr32w @ CTR block 3 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 3 - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk5s}, [$cc], #16 @ load rk5 fmov $ctr3.d[1], $ctr32x @ CTR block 3 - ldr $rk3q, [$cc, #48] @ load rk3 - - ldp $rk12_l, $rk12_h, [$cc, #192] @ load rk12 + ld1 {$rk6s}, [$cc], #16 @ load rk6 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk7s}, [$cc], #16 @ load rk7 aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 ld1 { $acc_lb}, [$current_tag] @@ -2036,29 +2168,32 @@ rev64 $acc_lb, $acc_lb aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 - ldr $rk11q, [$cc, #176] @ load rk11 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 - +#endif aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 - ldr $rk10q, [$cc, #160] @ load rk10 + ld1 {$rk10s}, [$cc], #16 @ load rk10 aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 - +#endif aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk11s}, [$cc], #16 @ load rk11 aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 - +#endif aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 
@@ -2097,8 +2232,9 @@ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 - +#endif aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 @@ -2160,13 +2296,26 @@ rev $ctr32w, $rctr32w @ CTR block 4 ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 0 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 4 ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 2 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 3 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 1 - load plaintext +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif add $input_ptr, $input_ptr, #64 @ AES input_ptr update cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks @@ -2236,7 +2385,10 @@ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 0 ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 4k+5 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 fmov $ctr3d, $ctr96_b64x @ CTR block 4k+3 rev64 $res0b, $res0b @ GHASH block 4k (only t0 is free) 
@@ -2247,10 +2399,16 @@ pmull2 $t1.1q, $res1.2d, $h3.2d @ GHASH block 4k+1 - high rev64 $res3b, $res3b @ GHASH block 4k+3 (t0, t1, t2 and t3 free) ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 4k+6 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 0 ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 4k+3 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif pmull $t2.1q, $res1.1d, $h3.1d @ GHASH block 4k+1 - low eor $res0b, $res0b, $acc_lb @ PRE 1 @@ -2327,7 +2485,10 @@ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 4 ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 6 eor $acc_lb, $acc_lb, $t5.16b @ GHASH block 4k+2 - low @@ -2624,7 +2785,10 @@ sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $input_l0, $input_l0, $rk12_l @ AES block 4k+4 - round 12 low eor $input_h0, $input_h0, $rk12_h @ AES block 4k+4 - round 12 high @@ -2661,7 +2825,10 @@ st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-2 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif rev64 $res0b, $res1b @ GHASH final-3 block eor $input_l0, $input_l0, $rk12_l @ AES final-2 block - round 12 low 
@@ -2692,7 +2859,10 @@ rev64 $res0b, $res1b @ GHASH final-2 block ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-1 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $res0b, $res0b, $t0.16b @ feed in partial tag eor $input_h0, $input_h0, $rk12_h @ AES final-1 block - round 12 high @@ -2723,7 +2893,10 @@ st1 { $res1b}, [$output_ptr], #16 @ AES final-1 block - store result ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif rev64 $res0b, $res1b @ GHASH final-1 block eor $input_l0, $input_l0, $rk12_l @ AES final block - round 12 low @@ -2755,7 +2928,11 @@ .L192_enc_blocks_less_than_1: @ blocks left <= 1 ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w +#else + mov $ctr32w, $rctr32w +#endif and $bit_length, $bit_length, #127 @ bit_length %= 128 sub $bit_length, $bit_length, #128 @ bit_length -= 128 @@ -2871,14 +3048,22 @@ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 - +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif + ldp $rk12_l, $rk12_h, [$cc, #192] @ load rk12 +#ifdef __AARCH64EB__ + ror $rk12_l, $rk12_l, #32 + ror $rk12_h, $rk12_h, #32 +#endif ld1 { $ctr0b}, [$counter] @ special case vector load initial counter so we can start first AES block as quickly as possible - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk0s}, [$cc], #16 @ load rk0 lsr $main_end_input_ptr, $bit_length, #3 @ byte_len mov $len, $main_end_input_ptr - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk1s}, [$cc], #16 @ load rk1 lsr $rctr32x, $ctr96_t32x, #32 orr $ctr96_t32w, $ctr96_t32w, $ctr96_t32w 
@@ -2888,14 +3073,14 @@ fmov $ctr1d, $ctr96_b64x @ CTR block 1 add $rctr32w, $rctr32w, #1 @ increment rev_ctr32 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk2s}, [$cc], #16 @ load rk2 aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 rev $ctr32w, $rctr32w @ CTR block 1 add $rctr32w, $rctr32w, #1 @ CTR block 1 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 1 - ldr $rk3q, [$cc, #48] @ load rk3 + ld1 {$rk3s}, [$cc], #16 @ load rk3 fmov $ctr1.d[1], $ctr32x @ CTR block 1 rev $ctr32w, $rctr32w @ CTR block 2 
@@ -2912,43 +3097,46 @@ fmov $ctr3.d[1], $ctr32x @ CTR block 3 - ldr $rk8q, [$cc, #128] @ load rk8 + ld1 {$rk4s}, [$cc], #16 @ load rk4 aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 - ldr $rk11q, [$cc, #176] @ load rk11 + ld1 {$rk5s}, [$cc], #16 @ load rk5 aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 - +#endif aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 - +#endif aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 - +#endif aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 - ldp $rk12_l, $rk12_h, [$cc, #192] @ load rk12 aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 - +#endif aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 - ldr $rk10q, [$cc, #160] @ load rk10 + ld1 {$rk6s}, [$cc], #16 @ load rk6 aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk7s}, [$cc], #16 @ load rk7 aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 ld1 { $acc_lb}, [$current_tag] 
@@ -2962,7 +3150,7 @@ trn1 $acc_h.2d, $h3.2d, $h4.2d @ h4h | h3h aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 - ldr $rk5q, [$cc, #80] @ load rk5 + ld1 {$rk10s}, [$cc], #16 @ load rk10 aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 trn2 $h34k.2d, $h3.2d, $h4.2d @ h4l | h3l @@ -2973,7 +3161,7 @@ trn2 $h12k.2d, $h1.2d, $h2.2d @ h2l | h1l aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk11s}, [$cc], #16 @ load rk11 aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 @@ -3037,17 +3225,13 @@ aese $ctr0b, $rk11 @ AES block 0 - round 11 b.ge .L192_dec_tail @ handle tail - ldr $res1q, [$input_ptr, #16] @ AES block 1 - load ciphertext - - ldr $res0q, [$input_ptr, #0] @ AES block 0 - load ciphertext + ld1 {$res0b, $res1b}, [$input_ptr], #32 @ AES block 0,1 - load ciphertext eor $ctr1b, $res1b, $ctr1b @ AES block 1 - result eor $ctr0b, $res0b, $ctr0b @ AES block 0 - result rev $ctr32w, $rctr32w @ CTR block 4 - ldr $res3q, [$input_ptr, #48] @ AES block 3 - load ciphertext - - ldr $res2q, [$input_ptr, #32] @ AES block 2 - load ciphertext + ld1 {$res2b, $res3b}, [$input_ptr], #32 @ AES block 2,3 - load ciphertext mov $output_l1, $ctr1.d[0] @ AES block 1 - mov low 
@@ -3059,27 +3243,35 @@ mov $output_h0, $ctr0.d[1] @ AES block 0 - mov high rev64 $res0b, $res0b @ GHASH block 0 - add $input_ptr, $input_ptr, #64 @ AES input_ptr update fmov $ctr0d, $ctr96_b64x @ CTR block 4 rev64 $res1b, $res1b @ GHASH block 1 cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks eor $output_l1, $output_l1, $rk12_l @ AES block 1 - round 12 low +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif fmov $ctr0.d[1], $ctr32x @ CTR block 4 rev $ctr32w, $rctr32w @ CTR block 5 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 5 fmov $ctr1d, $ctr96_b64x @ CTR block 5 eor $output_h1, $output_h1, $rk12_h @ AES block 1 - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif add $rctr32w, $rctr32w, #1 @ CTR block 5 fmov $ctr1.d[1], $ctr32x @ CTR block 5 eor $output_l0, $output_l0, $rk12_l @ AES block 0 - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif rev $ctr32w, $rctr32w @ CTR block 6 eor $output_h0, $output_h0, $rk12_h @ AES block 0 - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 0 - store result orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 6 @@ -3134,7 +3326,9 @@ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 2 eor $output_h2, $output_h2, $rk12_h @ AES block 4k+2 - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 1 eor $t3.8b, $t3.8b, $res1.8b @ GHASH block 4k+1 - mid @@ -3148,7 +3342,9 @@ pmull $t3.1q, $t3.1d, $h34k.1d @ GHASH block 4k+1 - mid eor $acc_lb, $acc_lb, $t2.16b @ GHASH block 4k+1 - low eor $output_l2, $output_l2, $rk12_l @ AES block 4k+2 - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 4 aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 3 
@@ -3226,15 +3422,17 @@ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 10 aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 6 - ldr $res2q, [$input_ptr, #32] @ AES block 4k+6 - load ciphertext + ld1 {$res0b}, [$input_ptr], #16 @ AES block 4k+4 - load ciphertext aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 6 eor $acc_mb, $acc_mb, $t9.16b @ MODULO - karatsuba tidy up pmull $mod_t.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid - ldr $res3q, [$input_ptr, #48] @ AES block 4k+7 - load ciphertext + ld1 {$res1b}, [$input_ptr], #16 @ AES block 4k+5 - load ciphertext eor $output_l3, $output_l3, $rk12_l @ AES block 4k+3 - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 7 ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment @@ -3245,10 +3443,10 @@ eor $acc_mb, $acc_mb, $mod_t.16b @ MODULO - fold into mid aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 8 - ldr $res0q, [$input_ptr, #0] @ AES block 4k+4 - load ciphertext + ld1 {$res2b}, [$input_ptr], #16 @ AES block 4k+6 - load ciphertext aese $ctr1b, $rk11 @ AES block 4k+5 - round 11 - ldr $res1q, [$input_ptr, #16] @ AES block 4k+5 - load ciphertext + ld1 {$res3b}, [$input_ptr], #16 @ AES block 4k+7 - load ciphertext rev $ctr32w, $rctr32w @ CTR block 4k+8 aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 8 
@@ -3257,11 +3455,13 @@ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 9 eor $acc_mb, $acc_mb, $acc_hb @ MODULO - fold into mid - add $input_ptr, $input_ptr, #64 @ AES input_ptr update cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL eor $ctr0b, $res0b, $ctr0b @ AES block 4k+4 - result eor $output_h3, $output_h3, $rk12_h @ AES block 4k+3 - round 12 high +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif eor $ctr1b, $res1b, $ctr1b @ AES block 4k+5 - result aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 10 @@ -3291,18 +3491,28 @@ rev $ctr32w, $rctr32w @ CTR block 4k+9 eor $output_l0, $output_l0, $rk12_l @ AES block 4k+4 - round 12 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 4k+9 eor $acc_lb, $acc_lb, $mod_constant.16b @ MODULO - fold into low fmov $ctr1d, $ctr96_b64x @ CTR block 4k+9 add $rctr32w, $rctr32w, #1 @ CTR block 4k+9 eor $output_l1, $output_l1, $rk12_l @ AES block 4k+5 - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif fmov $ctr1.d[1], $ctr32x @ CTR block 4k+9 rev $ctr32w, $rctr32w @ CTR block 4k+10 eor $output_h1, $output_h1, $rk12_h @ AES block 4k+5 - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif eor $output_h0, $output_h0, $rk12_h @ AES block 4k+4 - round 12 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 4k+4 - store result eor $acc_lb, $acc_lb, $acc_mb @ MODULO - fold into low 
@@ -3351,17 +3561,28 @@ pmull $t2.1q, $res1.1d, $h3.1d @ GHASH block 4k+1 - low eor $output_h3, $output_h3, $rk12_h @ AES block 4k+3 - round 12 high +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif fmov $ctr3.d[1], $ctr32x @ CTR block 4k+7 aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 2 eor $output_l2, $output_l2, $rk12_l @ AES block 4k+2 - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif pmull2 $t1.1q, $res1.2d, $h3.2d @ GHASH block 4k+1 - high eor $output_h2, $output_h2, $rk12_h @ AES block 4k+2 - round 12 high +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif eor $t3.8b, $t3.8b, $res1.8b @ GHASH block 4k+1 - mid pmull $acc_m.1q, $t0.1d, $acc_m.1d @ GHASH block 4k - mid eor $output_l3, $output_l3, $rk12_l @ AES block 4k+3 - round 12 low +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif stp $output_l2, $output_h2, [$output_ptr], #16 @ AES block 4k+2 - store result rev64 $res3b, $res3b @ GHASH block 4k+3 @@ -3513,8 +3734,13 @@ cmp $main_end_input_ptr, #48 eor $output_h0, $output_h0, $rk12_h @ AES block 4k+4 - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $output_l0, $output_l0, $rk12_l @ AES block 4k+4 - round 12 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif b.gt .L192_dec_blocks_more_than_3 movi $acc_l.8b, #0 @@ -3558,10 +3784,16 @@ pmull2 $acc_h.1q, $res0.2d, $h4.2d @ GHASH final-3 block - high eor $output_l0, $output_l0, $rk12_l @ AES final-2 block - round 12 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif movi $t0.8b, #0 @ suppress further partial tag feed in pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-3 block - mid eor $output_h0, $output_h0, $rk12_h @ AES final-2 block - round 12 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif .L192_dec_blocks_more_than_2: @ blocks left > 2 rev64 $res0b, $res1b @ GHASH final-2 block 
@@ -3591,8 +3823,13 @@ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high eor $output_h0, $output_h0, $rk12_h @ AES final-1 block - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $output_l0, $output_l0, $rk12_l @ AES final-1 block - round 12 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid .L192_dec_blocks_more_than_1: @ blocks left > 1 @@ -3623,9 +3860,13 @@ movi $t0.8b, #0 @ suppress further partial tag feed in eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low eor $output_h0, $output_h0, $rk12_h @ AES final block - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $output_l0, $output_l0, $rk12_l @ AES final block - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid .L192_dec_blocks_less_than_1: @ blocks left <= 1 @@ -3652,8 +3893,11 @@ orr $output_l0, $output_l0, $end_input_ptr mov $ctr0.d[1], $ctr96_b64x - +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w +#else + mov $ctr32w, $rctr32w +#endif and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits str $ctr32w, [$counter, #12] @ store the updated counter @@ -3778,6 +4022,7 @@ my $mod_t="v7"; my ($rk0,$rk1,$rk2,$rk3,$rk4,$rk5,$rk6,$rk7,$rk8,$rk9,$rk10,$rk11,$rk12,$rk13)=map("v$_.16b",(18..31)); +my ($rk0s,$rk1s,$rk2s,$rk3s,$rk4s,$rk5s,$rk6s,$rk7s,$rk8s,$rk9s,$rk10s,$rk11s,$rk12s,$rk13s)=map("v$_.4s",(18..31)); my ($rk0q,$rk1q,$rk2q,$rk3q,$rk4q,$rk5q,$rk6q,$rk7q,$rk8q,$rk9q,$rk10q,$rk11q,$rk12q,$rk13q)=map("q$_",(18..31)); my $rk2q1="v20.1q"; my $rk3q1="v21.1q"; 
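Review bot: The counter write-back at -3652 (`#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w` / `#else mov $ctr32w, $rctr32w`) needs a one-line comment saying that the counter is kept in big-endian byte order in memory, so little-endian needs the byte swap before `str $ctr32w, [$counter, #12]` and big-endian needs only a register move; without it the asymmetric guard reads like a missing `rev`.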
@@ -3812,14 +4057,22 @@ lsr $main_end_input_ptr, $bit_length, #3 @ byte_len mov $len, $main_end_input_ptr ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 - +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif + ldp $rk14_l, $rk14_h, [$cc, #224] @ load rk14 +#ifdef __AARCH64EB__ + ror $rk14_l, $rk14_l, #32 + ror $rk14_h, $rk14_h, #32 +#endif ld1 { $ctr0b}, [$counter] @ special case vector load initial counter so we can start first AES block as quickly as possible sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk0s}, [$cc], #16 @ load rk0 and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffffc0 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk1s}, [$cc], #16 @ load rk1 add $main_end_input_ptr, $main_end_input_ptr, $input_ptr lsr $rctr32x, $ctr96_t32x, #32 @@ -3838,14 +4091,14 @@ orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 1 add $rctr32w, $rctr32w, #1 @ CTR block 1 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk2s}, [$cc], #16 @ load rk2 fmov $ctr1.d[1], $ctr32x @ CTR block 1 rev $ctr32w, $rctr32w @ CTR block 2 add $rctr32w, $rctr32w, #1 @ CTR block 2 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 2 - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk3s}, [$cc], #16 @ load rk3 fmov $ctr2.d[1], $ctr32x @ CTR block 2 rev $ctr32w, $rctr32w @ CTR block 3 
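Review bot: Once the round keys are loaded with post-increment `ld1 {$rk0s}, [$cc], #16`, `$cc` no longer points at the key-schedule base, so every remaining fixed-offset `[$cc, #N]` load in the function is wrong; this hunk correctly hoists `ldp $rk14_l, $rk14_h, [$cc, #224]` ahead of the first `ld1`, and the old `ldp ... [$cc, #224]` further down must go (the following hunk removes it), so please confirm no other fixed-offset `$cc` reference survives after the first post-increment. The `ror #32` on the rk14 halves and the `rev` on `$ctr96_b64x`/`$ctr96_t32x` under `__AARCH64EB__` also deserve a comment: the scalar `ldp` sees the two 32-bit words inside each 64-bit half in the opposite order on big-endian, whereas `ld1 {..}.4s` loads lanes in element order, which is the reason the vector round keys move from `ldr q` to `ld1 .4s`.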
@@ -3856,46 +4109,48 @@ fmov $ctr3.d[1], $ctr32x @ CTR block 3 aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 - ldr $rk3q, [$cc, #48] @ load rk3 + ld1 {$rk4s}, [$cc], #16 @ load rk4 aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk5s}, [$cc], #16 @ load rk5 aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 - ldr $rk5q, [$cc, #80] @ load rk5 + ld1 {$rk6s}, [$cc], #16 @ load rk6 aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 - +#endif aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 - ldr $rk13q, [$cc, #208] @ load rk13 + ld1 {$rk7s}, [$cc], #16 @ load rk7 aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 - +#endif aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 - ldr $rk12q, [$cc, #192] @ load rk12 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 - +#endif aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 - ldr $rk11q, [$cc, #176] @ load rk11 + ld1 {$rk10s}, [$cc], #16 @ load rk10 aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 - ldr $rk8q, [$cc, #128] @ load rk8 + ld1 {$rk11s}, [$cc], #16 @ load rk11 aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 add $rctr32w, $rctr32w, #1 @ CTR block 3 aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 - ldp $rk14_l, $rk14_h, [$cc, #224] @ load rk14 aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 ld1 { $acc_lb}, 
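Review bot: Guarding `ext $h3b, $h3b, $h3b, #8` (and the h2/h4 ones) with `#ifndef __AARCH64EB__` silently relies on `ldr $h3q, [$current_tag, #80]` delivering the two halves already swapped on big-endian; state that in a comment next to the first guarded `ext`, otherwise the asymmetry looks like an omission on the big-endian path.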
[$current_tag] @@ -3922,14 +4177,15 @@ trn2 $h34k.2d, $h3.2d, $h4.2d @ h4l | h3l aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk12s}, [$cc], #16 @ load rk12 aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 - +#endif aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 - ldr $rk10q, [$cc, #160] @ load rk10 + ld1 {$rk13s}, [$cc], #16 @ load rk13 aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 trn1 $acc_h.2d, $h3.2d, $h4.2d @ h4h | h3h @@ -3994,13 +4250,26 @@ b.ge .L256_enc_tail @ handle tail ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 1 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif rev $ctr32w, $rctr32w @ CTR block 4 ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 0 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 3 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 2 - load plaintext +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif add $input_ptr, $input_ptr, #64 @ AES input_ptr update eor $input_l1, $input_l1, $rk14_l @ AES block 1 - round 14 low 
@@ -4078,10 +4347,16 @@ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 1 ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 4k+7 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 1 ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 4k+6 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 2 eor $res0b, $res0b, $acc_lb @ PRE 1 @@ -4167,7 +4442,10 @@ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 6 ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 4k+5 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 8 mov $t9d, $res3.d[1] @ GHASH block 4k+3 - mid @@ -4197,7 +4475,10 @@ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 8 ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 10 shl $mod_constantd, $mod_constantd, #56 @ mod_constant @@ -4492,7 +4773,10 @@ ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $input_l0, $input_l0, $rk14_l @ AES block 4k+4 - round 14 low eor $input_h0, $input_h0, $rk14_h @ AES block 4k+4 - round 14 high 
@@ -4527,7 +4811,10 @@ st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-2 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif rev64 $res0b, $res1b @ GHASH final-3 block eor $input_l0, $input_l0, $rk14_l @ AES final-2 block - round 14 low @@ -4556,7 +4843,10 @@ st1 { $res1b}, [$output_ptr], #16 @ AES final-2 block - store result ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-1 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif rev64 $res0b, $res1b @ GHASH final-2 block eor $input_l0, $input_l0, $rk14_l @ AES final-1 block - round 14 low @@ -4592,7 +4882,10 @@ rev64 $res0b, $res1b @ GHASH final-1 block ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $res0b, $res0b, $t0.16b @ feed in partial tag movi $t0.8b, #0 @ suppress further partial tag feed in @@ -4653,7 +4946,11 @@ pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high mov $t0d, $res0.d[1] @ GHASH final block - mid +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w +#else + mov $ctr32w, $rctr32w +#endif pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low 
@@ -4743,21 +5040,29 @@ lsr $main_end_input_ptr, $bit_length, #3 @ byte_len mov $len, $main_end_input_ptr ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 - - ldr $rk8q, [$cc, #128] @ load rk8 +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif + ldp $rk14_l, $rk14_h, [$cc, #224] @ load rk14 +#ifdef __AARCH64EB__ + ror $rk14_h, $rk14_h, #32 + ror $rk14_l, $rk14_l, #32 +#endif + ld1 {$rk0s}, [$cc], #16 @ load rk0 sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk1s}, [$cc], #16 @ load rk1 and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffffc0 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk2s}, [$cc], #16 @ load rk2 lsr $rctr32x, $ctr96_t32x, #32 - ldr $rk5q, [$cc, #80] @ load rk5 + ld1 {$rk3s}, [$cc], #16 @ load rk3 orr $ctr96_t32w, $ctr96_t32w, $ctr96_t32w - ldr $rk3q, [$cc, #48] @ load rk3 + ld1 {$rk4s}, [$cc], #16 @ load rk4 add $main_end_input_ptr, $main_end_input_ptr, $input_ptr rev $rctr32w, $rctr32w @ rev_ctr32 
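Review bot: The `ror $rk14_h` / `ror $rk14_l` pair here is emitted in the opposite order from the encrypt prologue at -3812 (`rk14_l` first there); harmless, but keeping the two prologues textually identical makes diffing the enc and dec paths, which is how a missed endian fix is most likely to be found, much easier.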
@@ -4782,34 +5087,39 @@ rev $ctr32w, $rctr32w @ CTR block 3 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 3 - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk5s}, [$cc], #16 @ load rk5 fmov $ctr3.d[1], $ctr32x @ CTR block 3 add $rctr32w, $rctr32w, #1 @ CTR block 3 - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk6s}, [$cc], #16 @ load rk6 - ldr $rk13q, [$cc, #208] @ load rk13 + ld1 {$rk7s}, [$cc], #16 @ load rk7 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 +#endif aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 +#endif aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 +#endif aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 - ldp $rk14_l, $rk14_h, [$cc, #224] @ load rk14 aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ld1 { $acc_lb}, [$current_tag] 
@@ -4817,17 +5127,18 @@ rev64 $acc_lb, $acc_lb aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk10s}, [$cc], #16 @ load rk10 aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 - ldr $rk12q, [$cc, #192] @ load rk12 + ld1 {$rk11s}, [$cc], #16 @ load rk11 aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 - +#endif aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 - ldr $rk10q, [$cc, #160] @ load rk10 + ld1 {$rk12s}, [$cc], #16 @ load rk12 aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 @@ -4883,7 +5194,7 @@ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 9 aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8 - ldr $rk11q, [$cc, #176] @ load rk11 + ld1 {$rk13s}, [$cc], #16 @ load rk13 aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 9 @@ -4933,9 +5244,7 @@ aese $ctr0b, $rk13 @ AES block 0 - round 13 b.ge .L256_dec_tail @ handle tail - ldr $res0q, [$input_ptr, #0] @ AES block 0 - load ciphertext - - ldr $res1q, [$input_ptr, #16] @ AES block 1 - load ciphertext + ld1 {$res0b, $res1b}, [$input_ptr], #32 @ AES block 0,1 - load ciphertext rev $ctr32w, $rctr32w @ CTR block 4 @@ -4943,7 +5252,7 @@ eor $ctr1b, $res1b, $ctr1b @ AES block 1 - result rev64 $res1b, $res1b @ GHASH block 1 - ldr $res3q, [$input_ptr, #48] @ AES block 3 - load ciphertext + ld1 {$res2b}, [$input_ptr], #16 @ AES block 2 - load ciphertext mov $output_h0, $ctr0.d[1] @ AES block 0 - mov high 
@@ -4963,22 +5272,32 @@ orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 5 mov $output_h1, $ctr1.d[1] @ AES block 1 - mov high eor $output_h0, $output_h0, $rk14_h @ AES block 0 - round 14 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $output_l0, $output_l0, $rk14_l @ AES block 0 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 0 - store result fmov $ctr1d, $ctr96_b64x @ CTR block 5 - ldr $res2q, [$input_ptr, #32] @ AES block 2 - load ciphertext - add $input_ptr, $input_ptr, #64 @ AES input_ptr update + ld1 {$res3b}, [$input_ptr], #16 @ AES block 3 - load ciphertext fmov $ctr1.d[1], $ctr32x @ CTR block 5 rev $ctr32w, $rctr32w @ CTR block 6 add $rctr32w, $rctr32w, #1 @ CTR block 6 eor $output_l1, $output_l1, $rk14_l @ AES block 1 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 6 eor $output_h1, $output_h1, $rk14_h @ AES block 1 - round 14 high +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif stp $output_l1, $output_h1, [$output_ptr], #16 @ AES block 1 - store result eor $ctr2b, $res2b, $ctr2b @ AES block 2 - result @@ -5021,7 +5340,9 @@ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 3 eor $output_h2, $output_h2, $rk14_h @ AES block 4k+2 - round 14 high - +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 1 mov $acc_md, $h34k.d[1] @ GHASH block 4k - mid @@ -5030,7 +5351,9 @@ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 0 eor $output_l2, $output_l2, $rk14_l @ AES block 4k+2 - round 14 low - +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 2 stp $output_l2, $output_h2, [$output_ptr], #16 @ AES block 4k+2 - store result 
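Review bot: The post-increment ciphertext loads that replace the fixed-offset `ldr`s must advance `$input_ptr` by exactly the 64 bytes the removed `add $input_ptr, $input_ptr, #64` used to supply: `ld1 {$res0b, $res1b}, [$input_ptr], #32` plus `ld1 {$res2b}, [$input_ptr], #16` at -4933/-4943 and `ld1 {$res3b}, [$input_ptr], #16` here do sum to 64. Note that the load order also changes from blocks 0,1,3,2 to 0,1,2,3, which is required once the pointer advances sequentially; a comment near the first `ld1` saying the loads are now order-dependent would stop a later scheduling tweak from reordering them.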
@@ -5043,9 +5366,14 @@ pmull $acc_m.1q, $t0.1d, $acc_m.1d @ GHASH block 4k - mid eor $output_l3, $output_l3, $rk14_l @ AES block 4k+3 - round 14 low - +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif pmull $t2.1q, $res1.1d, $h3.1d @ GHASH block 4k+1 - low eor $output_h3, $output_h3, $rk14_h @ AES block 4k+3 - round 14 high +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif eor $acc_hb, $acc_hb, $t1.16b @ GHASH block 4k+1 - high aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 4 @@ -5139,7 +5467,7 @@ eor $t9.16b, $acc_lb, $acc_hb @ MODULO - karatsuba tidy up aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 9 - ldr $res0q, [$input_ptr, #0] @ AES block 4k+4 - load ciphertext + ld1 {$res0b}, [$input_ptr], #16 @ AES block 4k+4 - load ciphertext aese $ctr0b, $rk13 @ AES block 4k+4 - round 13 ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment @@ -5148,7 +5476,7 @@ eor $acc_mb, $acc_mb, $t9.16b @ MODULO - karatsuba tidy up aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 9 - ldr $res1q, [$input_ptr, #16] @ AES block 4k+5 - load ciphertext + ld1 {$res1b}, [$input_ptr], #16 @ AES block 4k+5 - load ciphertext aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 8 eor $ctr0b, $res0b, $ctr0b @ AES block 4k+4 - result @@ -5160,10 +5488,10 @@ eor $acc_mb, $acc_mb, $mod_t.16b @ MODULO - fold into mid aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 9 - ldr $res3q, [$input_ptr, #48] @ AES block 4k+7 - load ciphertext + ld1 {$res2b}, [$input_ptr], #16 @ AES block 4k+6 - load ciphertext aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 12 - ldr $res2q, [$input_ptr, #32] @ AES block 4k+6 - load ciphertext + ld1 {$res3b}, [$input_ptr], #16 @ AES block 4k+7 - load ciphertext aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 11 mov $output_h0, $ctr0.d[1] @ AES block 4k+4 - mov high 
@@ -5172,7 +5500,6 @@ eor $acc_mb, $acc_mb, $acc_hb @ MODULO - fold into mid aese $ctr1b, $rk13 @ AES block 4k+5 - round 13 - add $input_ptr, $input_ptr, #64 @ AES input_ptr update mov $output_l0, $ctr0.d[0] @ AES block 4k+4 - mov low aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 12 @@ -5192,8 +5519,13 @@ add $rctr32w, $rctr32w, #1 @ CTR block 4k+9 eor $output_l0, $output_l0, $rk14_l @ AES block 4k+4 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $output_h0, $output_h0, $rk14_h @ AES block 4k+4 - round 14 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif mov $output_h1, $ctr1.d[1] @ AES block 4k+5 - mov high eor $ctr2b, $res2b, $ctr2b @ AES block 4k+6 - result eor $acc_lb, $acc_lb, $mod_constant.16b @ MODULO - fold into low @@ -5213,9 +5545,15 @@ rev64 $res1b, $res1b @ GHASH block 4k+5 eor $output_h1, $output_h1, $rk14_h @ AES block 4k+5 - round 14 high +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 4k+4 - store result eor $output_l1, $output_l1, $rk14_l @ AES block 4k+5 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif stp $output_l1, $output_h1, [$output_ptr], #16 @ AES block 4k+5 - store result rev64 $res0b, $res0b @ GHASH block 4k+4 @@ -5379,10 +5717,14 @@ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 10 eor $output_h2, $output_h2, $rk14_h @ AES block 4k+2 - round 14 high - +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 10 eor $output_l3, $output_l3, $rk14_l @ AES block 4k+3 - round 14 low - +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 11 eor $acc_mb, $acc_mb, $acc_hb @ MODULO - fold into mid 
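Review bot: Same check for the main decrypt loop: the four `ld1 {$resNb}, [$input_ptr], #16` at -5139, -5148 and -5160 add up to the 64 bytes of the `add $input_ptr, $input_ptr, #64` removed at -5172, and the 4k+6/4k+7 loads are swapped into sequential order for the same reason; flag these loads as order-dependent in a comment so the instruction interleaving is not changed blindly later.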
@@ -5391,11 +5733,17 @@ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 11 eor $output_l2, $output_l2, $rk14_l @ AES block 4k+2 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 12 pmull $mod_constant.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low eor $output_h3, $output_h3, $rk14_h @ AES block 4k+3 - round 14 high +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 11 stp $output_l2, $output_h2, [$output_ptr], #16 @ AES block 4k+2 - store result @@ -5432,8 +5780,14 @@ cmp $main_end_input_ptr, #48 eor $output_l0, $output_l0, $rk14_l @ AES block 4k+4 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $output_h0, $output_h0, $rk14_h @ AES block 4k+4 - round 14 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif b.gt .L256_dec_blocks_more_than_3 sub $rctr32w, $rctr32w, #1 @@ -5481,9 +5835,15 @@ pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-3 block - mid eor $output_l0, $output_l0, $rk14_l @ AES final-2 block - round 14 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif pmull $acc_l.1q, $res0.1d, $h4.1d @ GHASH final-3 block - low eor $output_h0, $output_h0, $rk14_h @ AES final-2 block - round 14 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif .L256_dec_blocks_more_than_2: @ blocks left > 2 rev64 $res0b, $res1b @ GHASH final-2 block 
@@ -5511,9 +5871,15 @@ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high eor $output_l0, $output_l0, $rk14_l @ AES final-1 block - round 14 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid eor $output_h0, $output_h0, $rk14_h @ AES final-1 block - round 14 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif .L256_dec_blocks_more_than_1: @ blocks left > 1 stp $output_l0, $output_h0, [$output_ptr], #16 @ AES final-1 block - store result @@ -5541,13 +5907,18 @@ pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid eor $output_l0, $output_l0, $rk14_l @ AES final block - round 14 low - +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid eor $output_h0, $output_h0, $rk14_h @ AES final block - round 14 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif .L256_dec_blocks_less_than_1: @ blocks left <= 1 and $bit_length, $bit_length, #127 @ bit_length %= 128 @@ -5573,7 +5944,11 @@ mov $ctr0.d[1], $ctr96_b64x bic $end_input_ptr, $end_input_ptr, $ctr32x @ mask out low existing bytes +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w +#else + mov $ctr32w, $rctr32w +#endif bic $main_end_input_ptr, $main_end_input_ptr, $ctr96_b64x @ mask out high existing bytes @@ -5714,7 +6089,7 @@ if (s/^(\s+)mov\.([a-z]+)/$1mov$2/) { print " it $2\n"; } - + s/__AARCH64E([BL])__/__ARME$1__/go; print $_,"\n"; } } diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -443,6 +443,25 @@ first = 1; bl = NULL; + /* + * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: + * + * > 3.5. OBJECT IDENTIFIER values + * > + * > An OBJECT IDENTIFIER value is an ordered list of non-negative + * > numbers. For the SMIv2, each number in the list is referred to as a + * > sub-identifier, there are at most 128 sub-identifiers in a value, + * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 + * > decimal). + * + * So a legitimate OID according to this RFC is at most (32 * 128 / 7), + * i.e. 586 bytes long. + * + * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + */ + if (len > 586) + goto err; + while (len > 0) { l = 0; use_bn = 0; diff --git a/crypto/property/property.c b/crypto/property/property.c --- a/crypto/property/property.c +++ b/crypto/property/property.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -510,13 +510,14 @@ int ret = 0; int j, best = -1, score, optional; -#ifndef FIPS_MODULE - if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) + if (nid <= 0 || method == NULL || store == NULL) return 0; -#endif - if (nid <= 0 || method == NULL || store == NULL) +#ifndef FIPS_MODULE + if (ossl_lib_ctx_is_default(store->ctx) + && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) return 0; +#endif /* This only needs to be a read lock, because the query won't create anything */ if (!ossl_property_read_lock(store)) 
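Review bot: In obj_dat.c the `if (len > 586) goto err;` fires without an `ERR_raise()`, so a caller gets a failure with no reason code and no way to tell an oversized OID from any other error; raise a dedicated reason. The arithmetic in the comment is right (32 * 128 / 7 is 585.14, rounded up to 586, applied to `len`, the encoded content length), but RFC 2578 is the SMIv2 profile and is narrower than X.690, so the comment should say plainly that this is a deliberate mitigation that rejects some OIDs that are otherwise valid encodings, not a claim that such OIDs are malformed.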
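Review bot: In property.c, `ossl_lib_ctx_is_default(store->ctx)` dereferences `store`, which is why the `nid <= 0 || method == NULL || store == NULL` check has to move ahead of the `#ifndef FIPS_MODULE` block; add a comment saying why implicit config loading is now restricted to the default library context (a non-default context loads its config explicitly), otherwise the next reader may move the init call back to the top.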
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -272,7 +272,13 @@ # endif drbg = RAND_get0_primary(NULL); if (drbg != NULL && num > 0) +# ifdef OPENSSL_RAND_SEED_NONE + /* Without an entropy source, we have to rely on the user */ + EVP_RAND_reseed(drbg, 0, buf, num, NULL, 0); +# else + /* With an entropy source, we downgrade this to additional input */ EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num); +# endif } # if !defined(OPENSSL_NO_DEPRECATED_1_1_0) diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c --- a/crypto/rsa/rsa_chk.c +++ b/crypto/rsa/rsa_chk.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -124,13 +124,17 @@ ret = -1; goto err; } + if (!BN_div(m, NULL, l, m, ctx)) { /* remainder is 0 */ + ret = -1; + goto err; + } for (idx = 0; idx < ex_primes; idx++) { pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); if (!BN_sub(k, pinfo->r, BN_value_one())) { ret = -1; goto err; } - if (!BN_mul(l, l, k, ctx)) { + if (!BN_mul(l, m, k, ctx)) { ret = -1; goto err; } @@ -138,12 +142,12 @@ ret = -1; goto err; } + if (!BN_div(m, NULL, l, m, ctx)) { /* remainder is 0 */ + ret = -1; + goto err; + } } - if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */ - ret = -1; - goto err; - } - if (!BN_mod_mul(i, key->d, key->e, k, ctx)) { + if (!BN_mod_mul(i, key->d, key->e, m, ctx)) { ret = -1; goto err; } 
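Review bot: In rand_lib.c, placing `# ifdef OPENSSL_RAND_SEED_NONE` / `# else` inside the brace-less body of `if (drbg != NULL && num > 0)` is fragile: both branches are a single statement today, but adding a second statement to either would silently change control flow, so wrap the body in braces. The comment "we have to rely on the user" should also state what the change does: the caller's bytes are now passed as the DRBG's entropy input (third argument of `EVP_RAND_reseed()`) with no entropy estimate attached, so under `OPENSSL_RAND_SEED_NONE` the seed quality rests entirely on the caller.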
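Review bot: In rsa_chk.c, `m` now does double duty as the gcd scratch value and the running lcm: after each `BN_div(m, NULL, l, m, ctx)` it holds the lcm so far, `BN_mul(l, m, k, ctx)` multiplies that by the next `r - 1`, and the final `BN_mod_mul(i, key->d, key->e, m, ctx)` reduces modulo the lcm. The duplicated `/* remainder is 0 */` comment should be extended to say `m = lcm(...)` at both sites, since with `k` no longer used for the quotient the reuse of `m` is easy to misread.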
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -234,6 +234,7 @@ * will only read the modulus from BN_BLINDING. In both cases it's safe * to access the blinding without a lock. */ + BN_set_flags(f, BN_FLG_CONSTTIME); return BN_BLINDING_invert_ex(f, unblind, b, ctx); } @@ -416,6 +417,11 @@ goto err; } + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, + rsa->n, ctx)) + goto err; + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { blinding = rsa_get_blinding(rsa, &local_blinding, ctx); if (blinding == NULL) { @@ -453,13 +459,6 @@ goto err; } BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, - rsa->n, ctx)) { - BN_free(d); - goto err; - } if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) { BN_free(d); @@ -469,20 +468,13 @@ BN_free(d); } - if (blinding) { - /* - * ossl_bn_rsa_do_unblind() combines blinding inversion and - * 0-padded BN BE serialization - */ - j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, - buf, num); - if (j == 0) - goto err; - } else { - j = BN_bn2binpad(ret, buf, num); - if (j < 0) + if (blinding) + if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) goto err; - } + + j = BN_bn2binpad(ret, buf, num); + if (j < 0) + goto err; switch (padding) { case RSA_PKCS1_PADDING: diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c --- a/crypto/rsa/rsa_sp800_56b_gen.c +++ b/crypto/rsa/rsa_sp800_56b_gen.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use 
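Review bot: In the -469 hunk, `ossl_bn_rsa_do_unblind()`, which combined blinding inversion with 0-padded serialisation, is replaced by `rsa_blinding_invert()` followed by a plain `BN_bn2binpad()`. Whether this keeps the CVE-2022-4304 timing fix intact depends entirely on `BN_BLINDING_invert_ex()` and `BN_bn2binpad()` running in time independent of the value of `ret`; the `BN_set_flags(f, BN_FLG_CONSTTIME)` added at -234 covers the inversion, but nothing in this diff shows `BN_bn2binpad()` being constant time, so the commit message should say where that guarantee comes from (or the padding change should land in the same commit). The moved `BN_MONT_CTX_set_locked()` block correctly drops the `BN_free(d)` on failure, since `d` is not allocated yet at its new position.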
@@ -361,6 +361,7 @@ BN_CTX *ctx = NULL; BIGNUM *e = NULL; RSA_ACVP_TEST *info = NULL; + BIGNUM *tmp; #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) info = rsa->acvp_test; @@ -392,6 +393,14 @@ /* (Step 2) Generate prime factors */ if (!ossl_rsa_fips186_4_gen_prob_primes(rsa, info, nbits, e, ctx, cb)) goto err; + + /* p>q check and skipping in case of acvp test */ + if (info == NULL && BN_cmp(rsa->p, rsa->q) < 0) { + tmp = rsa->p; + rsa->p = rsa->q; + rsa->q = tmp; + } + /* (Steps 3-5) Compute params d, n, dP, dQ, qInv */ ok = ossl_rsa_sp800_56b_derive_params_from_pq(rsa, nbits, e, ctx); if (ok < 0) diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c --- a/crypto/sm2/sm2_sign.c +++ b/crypto/sm2/sm2_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. * @@ -454,7 +454,7 @@ goto done; } - sigleni = i2d_ECDSA_SIG(s, &sig); + sigleni = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL); if (sigleni < 0) { ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); goto done; diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c --- a/crypto/ui/ui_lib.c +++ b/crypto/ui/ui_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -528,6 +528,10 @@ ok = 0; break; } + } else { + ui->flags &= ~UI_FLAG_REDOABLE; + ok = -2; + goto err; } } diff --git a/crypto/ui/ui_util.c b/crypto/ui/ui_util.c --- a/crypto/ui/ui_util.c +++ b/crypto/ui/ui_util.c 
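Review bot: In rsa_sp800_56b_gen.c, `BIGNUM *tmp` is declared at the top of the function but only used for the swap; declaring it inside the `if` block keeps its scope minimal. The comment "p>q check and skipping in case of acvp test" should say what is actually done: p and q are swapped so that p > q, except when ACVP test vectors supply fixed p and q (`info != NULL`), and the swap is safe here only because `ossl_rsa_sp800_56b_derive_params_from_pq()` recomputes every derived parameter from p and q afterwards.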
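Review bot: In sm2_sign.c, calling `i2d_ECDSA_SIG(s, &sig)` with `sig == NULL` tells i2d to allocate an output buffer, so the length-only call path (`sig == NULL`) was allocating memory that, as far as this hunk shows, was never freed; passing `NULL` for the pointer-to-pointer in that case turns it into a pure length query. A one-line comment at the call site would save the next reader from re-deriving why the ternary is there.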
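Review bot: In ui_lib.c the new `else` branch clears `UI_FLAG_REDOABLE`, sets `ok = -2` and jumps to `err`, but nothing says what condition it handles or what -2 signals to the caller; add a comment and make sure `UI_process()`'s documented return values cover this outcome, since the companion ui_util.c change now lets it propagate out of `UI_UTIL_read_pw()` unchanged.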
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -32,7 +32,7 @@ int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, int verify) { - int ok = 0; + int ok = -2; UI *ui; if (size < 1) @@ -47,8 +47,6 @@ ok = UI_process(ui); UI_free(ui); } - if (ok > 0) - ok = 0; return ok; } diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h --- a/crypto/x509/pcy_local.h +++ b/crypto/x509/pcy_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -111,6 +111,11 @@ }; struct X509_POLICY_TREE_st { + /* The number of nodes in the tree */ + size_t node_count; + /* The maximum number of nodes in the tree */ + size_t node_maximum; + /* This is the tree 'level' data */ X509_POLICY_LEVEL *levels; int nlevel; @@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, X509_POLICY_DATA *data, X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree); + X509_POLICY_TREE *tree, + int extra_data); void ossl_policy_node_free(X509_POLICY_NODE *node); int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c --- a/crypto/x509/pcy_node.c +++ b/crypto/x509/pcy_node.c 
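Review bot: In ui_util.c, initialising `ok` to -2 fixes a real bug: when the block containing `ok = UI_process(ui)` is skipped (UI creation failed), `ok` previously stayed 0 and `UI_UTIL_read_pw()` reported success with `buf` untouched. Dropping `if (ok > 0) ok = 0;` also changes the return contract for any positive `UI_process()` result, so the documented return values of `UI_UTIL_read_pw()` need to be checked against the new behaviour and updated to mention -2.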
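Review bot: In pcy_local.h the new `int extra_data` parameter of `ossl_policy_level_add_node()` needs a comment describing what it controls (whether `data` is also pushed onto `tree->extra_data` and therefore freed with the tree); the prototype alone does not convey that, and call sites pass bare `1`/`0` literals. The `node_count` comment should also say whether the count is ever decremented, since that decides whether `node_maximum` bounds live nodes or nodes ever added.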
@@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, X509_POLICY_DATA *data, X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree) + X509_POLICY_TREE *tree, + int extra_data) { X509_POLICY_NODE *node; + /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ + if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) + return NULL; + node = OPENSSL_zalloc(sizeof(*node)); if (node == NULL) { ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); @@ -70,7 +75,7 @@ } node->data = data; node->parent = parent; - if (level) { + if (level != NULL) { if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { if (level->anyPolicy) goto node_error; @@ -90,24 +95,33 @@ } } - if (tree) { + if (extra_data) { if (tree->extra_data == NULL) tree->extra_data = sk_X509_POLICY_DATA_new_null(); if (tree->extra_data == NULL){ ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); - goto node_error; + goto extra_data_error; } if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) { ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); - goto node_error; + goto extra_data_error; } } + tree->node_count++; if (parent) parent->nchild++; return node; + extra_data_error: + if (level != NULL) { + if (level->anyPolicy == node) + level->anyPolicy = NULL; + else + (void) sk_X509_POLICY_NODE_pop(level->nodes); + } + node_error: ossl_policy_node_free(node); return NULL; diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c --- a/crypto/x509/pcy_tree.c +++ b/crypto/x509/pcy_tree.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,6 +14,19 @@ #include "pcy_local.h" +/* + * If the maximum number of nodes in the policy tree isn't defined, set it to + * a generous default of 1000 nodes. + * + * Defining this to be zero means unlimited policy tree growth which opens the + * door on CVE-2023-0464. + */ +#ifndef OPENSSL_POLICY_TREE_NODES_MAX +# define OPENSSL_POLICY_TREE_NODES_MAX 1000 +#endif + +static void exnode_free(X509_POLICY_NODE *node); + static void expected_print(BIO *channel, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, int indent) @@ -163,6 +176,9 @@ return X509_PCY_TREE_INTERNAL; } + /* Limit the growth of the tree to mitigate CVE-2023-0464 */ + tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; + /* * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. * @@ -180,7 +196,7 @@ if ((data = ossl_policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL) goto bad_tree; - if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { + if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { ossl_policy_data_free(data); goto bad_tree; } @@ -239,7 +255,8 @@ * Return value: 1 on success, 0 otherwise */ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data) + X509_POLICY_DATA *data, + X509_POLICY_TREE *tree) { X509_POLICY_LEVEL *last = curr - 1; int i, matched = 0; 
@@ -249,13 +266,13 @@ X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); if (ossl_policy_node_match(last, node, data->valid_policy)) { - if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) + if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) return 0; matched = 1; } } if (!matched && last->anyPolicy) { - if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) + if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) return 0; } return 1; @@ -268,7 +285,8 @@ * Return value: 1 on success, 0 otherwise. */ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache) + const X509_POLICY_CACHE *cache, + X509_POLICY_TREE *tree) { int i; @@ -276,7 +294,7 @@ X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); /* Look for matching nodes in previous level */ - if (!tree_link_matching_nodes(curr, data)) + if (!tree_link_matching_nodes(curr, data, tree)) return 0; } return 1; @@ -307,7 +325,7 @@ /* Curr may not have anyPolicy */ data->qualifier_set = cache->anyPolicy->qualifier_set; data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; - if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { + if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { ossl_policy_data_free(data); return 0; } @@ -370,7 +388,7 @@ /* Finally add link to anyPolicy */ if (last->anyPolicy && ossl_policy_level_add_node(curr, cache->anyPolicy, - last->anyPolicy, NULL) == NULL) + last->anyPolicy, tree, 0) == NULL) return 0; return 1; } 
@@ -553,15 +571,23 @@ extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS | POLICY_DATA_FLAG_EXTRA_NODE; node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, - tree); + tree, 1); + if (node == NULL) { + ossl_policy_data_free(extra); + return 0; + } } if (!tree->user_policies) { tree->user_policies = sk_X509_POLICY_NODE_new_null(); - if (!tree->user_policies) - return 1; + if (!tree->user_policies) { + exnode_free(node); + return 0; + } } - if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) + if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) { + exnode_free(node); return 0; + } } return 1; } @@ -580,7 +606,7 @@ for (i = 1; i < tree->nlevel; i++, curr++) { cache = ossl_policy_cache_set(curr->cert); - if (!tree_link_nodes(curr, cache)) + if (!tree_link_nodes(curr, cache, tree)) return X509_PCY_TREE_INTERNAL; if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -179,7 +179,7 @@ case X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH: return "subject signature algorithm and issuer public key algorithm mismatch"; case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY: - return "cert info siganature and signature algorithm mismatch"; + return "cert info signature and signature algorithm mismatch"; case X509_V_ERR_INVALID_CA: return "invalid CA certificate"; case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA: @@ -213,6 +213,11 @@ case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS: return "Certificate public key has explicit ECC parameters"; + /* + * Entries must be kept consistent with include/openssl/x509_vfy.h.in + * and with doc/man3/X509_STORE_CTX_get_error.pod + */ + default: /* Printing an error number into a static buffer is not thread-safe */ return "unknown certificate verification error"; diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1654,15 +1654,23 @@ goto memerr; /* Invalid or inconsistent extensions */ if (ret == X509_PCY_TREE_INVALID) { - int i; + int i, cbcalled = 0; /* Locate certificates with bad extensions and notify callback. */ - for (i = 1; i < sk_X509_num(ctx->chain); i++) { + for (i = 0; i < sk_X509_num(ctx->chain); i++) { X509 *x = sk_X509_value(ctx->chain, i); + if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) + cbcalled = 1; CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); } + if (!cbcalled) { + /* Should not be able to get here */ + ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); + return 0; + } + /* The callback ignored the error so we return success */ return 1; } if (ret == X509_PCY_TREE_FAILURE) { @@ -3413,7 +3421,7 @@ ret = EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, &val); - return ret < 0 ? ret : !val; + return ret == 1 ? !val : -1; } return 1; diff --git a/doc/build.info b/doc/build.info --- a/doc/build.info +++ b/doc/build.info @@ -4145,6 +4145,10 @@ GENERATE[html/man7/EVP_CIPHER-IDEA.html]=man7/EVP_CIPHER-IDEA.pod DEPEND[man/man7/EVP_CIPHER-IDEA.7]=man7/EVP_CIPHER-IDEA.pod GENERATE[man/man7/EVP_CIPHER-IDEA.7]=man7/EVP_CIPHER-IDEA.pod +DEPEND[html/man7/EVP_CIPHER-NULL.html]=man7/EVP_CIPHER-NULL.pod +GENERATE[html/man7/EVP_CIPHER-NULL.html]=man7/EVP_CIPHER-NULL.pod +DEPEND[man/man7/EVP_CIPHER-NULL.7]=man7/EVP_CIPHER-NULL.pod +GENERATE[man/man7/EVP_CIPHER-NULL.7]=man7/EVP_CIPHER-NULL.pod DEPEND[html/man7/EVP_CIPHER-RC2.html]=man7/EVP_CIPHER-RC2.pod GENERATE[html/man7/EVP_CIPHER-RC2.html]=man7/EVP_CIPHER-RC2.pod DEPEND[man/man7/EVP_CIPHER-RC2.7]=man7/EVP_CIPHER-RC2.pod 
@@ -4289,6 +4293,10 @@ GENERATE[html/man7/EVP_MD-MDC2.html]=man7/EVP_MD-MDC2.pod DEPEND[man/man7/EVP_MD-MDC2.7]=man7/EVP_MD-MDC2.pod GENERATE[man/man7/EVP_MD-MDC2.7]=man7/EVP_MD-MDC2.pod +DEPEND[html/man7/EVP_MD-NULL.html]=man7/EVP_MD-NULL.pod +GENERATE[html/man7/EVP_MD-NULL.html]=man7/EVP_MD-NULL.pod +DEPEND[man/man7/EVP_MD-NULL.7]=man7/EVP_MD-NULL.pod +GENERATE[man/man7/EVP_MD-NULL.7]=man7/EVP_MD-NULL.pod DEPEND[html/man7/EVP_MD-RIPEMD160.html]=man7/EVP_MD-RIPEMD160.pod GENERATE[html/man7/EVP_MD-RIPEMD160.html]=man7/EVP_MD-RIPEMD160.pod DEPEND[man/man7/EVP_MD-RIPEMD160.7]=man7/EVP_MD-RIPEMD160.pod @@ -4619,6 +4627,7 @@ html/man7/EVP_CIPHER-CHACHA.html \ html/man7/EVP_CIPHER-DES.html \ html/man7/EVP_CIPHER-IDEA.html \ +html/man7/EVP_CIPHER-NULL.html \ html/man7/EVP_CIPHER-RC2.html \ html/man7/EVP_CIPHER-RC4.html \ html/man7/EVP_CIPHER-RC5.html \ @@ -4655,6 +4664,7 @@ html/man7/EVP_MD-MD5-SHA1.html \ html/man7/EVP_MD-MD5.html \ html/man7/EVP_MD-MDC2.html \ +html/man7/EVP_MD-NULL.html \ html/man7/EVP_MD-RIPEMD160.html \ html/man7/EVP_MD-SHA1.html \ html/man7/EVP_MD-SHA2.html \ @@ -4743,6 +4753,7 @@ man/man7/EVP_CIPHER-CHACHA.7 \ man/man7/EVP_CIPHER-DES.7 \ man/man7/EVP_CIPHER-IDEA.7 \ +man/man7/EVP_CIPHER-NULL.7 \ man/man7/EVP_CIPHER-RC2.7 \ man/man7/EVP_CIPHER-RC4.7 \ man/man7/EVP_CIPHER-RC5.7 \ @@ -4779,6 +4790,7 @@ man/man7/EVP_MD-MD5-SHA1.7 \ man/man7/EVP_MD-MD5.7 \ man/man7/EVP_MD-MDC2.7 \ +man/man7/EVP_MD-NULL.7 \ man/man7/EVP_MD-RIPEMD160.7 \ man/man7/EVP_MD-SHA1.7 \ man/man7/EVP_MD-SHA2.7 \ diff --git a/doc/fingerprints.txt b/doc/fingerprints.txt --- a/doc/fingerprints.txt +++ b/doc/fingerprints.txt @@ -12,6 +12,9 @@ The following is the list of fingerprints for the keys that are currently in use to sign OpenSSL distributions: +OpenSSL OMC: +EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 + Richard Levitte: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C diff --git a/doc/internal/man3/ossl_cmp_certreq_new.pod b/doc/internal/man3/ossl_cmp_certreq_new.pod 
--- a/doc/internal/man3/ossl_cmp_certreq_new.pod +++ b/doc/internal/man3/ossl_cmp_certreq_new.pod @@ -30,8 +30,8 @@ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, const OSSL_CRMF_CERTID *cid, int unprotectedErrors); - OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, - const char *text); + OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId, + int fail_info, const char *text); OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx); OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid); OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, int poll_after); @@ -124,8 +124,9 @@ and I is nonzero. ossl_cmp_certConf_new() creates a Certificate Confirmation message for the last -received certificate. PKIStatus defaults to B if the I bit -field is 0. Else it is taken as the failInfo of the PKIStatusInfo, PKIStatus is +received certificate with the given I. +The PKIStatus defaults to B if the I bit field is 0. +Otherwise it is taken as the failInfo of the PKIStatusInfo, PKIStatus is set to B, and I is copied to statusString unless it is NULL. ossl_cmp_pkiconf_new() creates a PKI Confirmation message. @@ -167,7 +168,7 @@ =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_mock_srv_new.pod b/doc/internal/man3/ossl_cmp_mock_srv_new.pod --- a/doc/internal/man3/ossl_cmp_mock_srv_new.pod +++ b/doc/internal/man3/ossl_cmp_mock_srv_new.pod 
@@ -8,7 +8,7 @@ ossl_cmp_mock_srv_set1_chainOut, ossl_cmp_mock_srv_set1_caPubsOut, ossl_cmp_mock_srv_set_statusInfo, -ossl_cmp_mock_srv_set_send_error, +ossl_cmp_mock_srv_set_sendError, ossl_cmp_mock_srv_set_pollCount, ossl_cmp_mock_srv_set_checkAfterTime - functions used for testing with CMP mock server @@ -27,7 +27,7 @@ STACK_OF(X509) *caPubs); int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status, int fail_info, const char *text); - int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val); + int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype); int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count); int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec); 
@@ -39,25 +39,27 @@ ossl_cmp_mock_srv_free() deallocates the contexts for the CMP mock server. -OSSL_CMP_SRV_CTX_set1_certOut() sets the certificate to be returned in +ossl_cmp_mock_srv_set1_certOut() sets the certificate to be returned in cp/ip/kup. -OSSL_CMP_SRV_CTX_set1_chainOut() sets the certificate chain to be added to +ossl_cmp_mock_srv_set1_chainOut() sets the certificate chain to be added to the extraCerts in a cp/ip/kup. -It should to useful to validate B. +It should be useful for the validation of the certificate given via +ossl_cmp_mock_srv_set1_certOut(). -OSSL_CMP_SRV_CTX_set1_caPubsOut() sets the caPubs to be returned in an ip. +ossl_cmp_mock_srv_set1_caPubsOut() sets the caPubs to be returned in an ip. -OSSL_CMP_SRV_CTX_set_statusInfo() sets the status info to be returned. +ossl_cmp_mock_srv_set_statusInfo() sets the status info to be returned. -OSSL_CMP_SRV_CTX_set_send_error() enables enforcement of error responses. +ossl_cmp_mock_srv_set_sendError() enables enforcement of error responses +for requests of the given I, or for all requests if I is 1. +A I of -1 can be used to disable this feature, which is the default. -OSSL_CMP_SRV_CTX_set_pollCount() sets the number of polls before cert response. +ossl_cmp_mock_srv_set_pollCount() sets the number of polls before cert response. -OSSL_CMP_SRV_CTX_set_checkAfterTime() sets the number of seconds +ossl_cmp_mock_srv_set_checkAfterTime() sets the number of seconds the client should wait for the next poll. - =head1 NOTES CMP is defined in RFC 4210 (and CRMF in RFC 4211). @@ -77,7 +79,7 @@ =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod 
--- a/doc/internal/man3/ossl_cmp_msg_protect.pod +++ b/doc/internal/man3/ossl_cmp_msg_protect.pod @@ -25,7 +25,7 @@ ossl_cmp_msg_protect() (re-)protects the given message I using an algorithm depending on the available context information given in the I. If there is a secretValue it selects PBMAC, else if there is a protection cert -it selects Signature and uses L. +it selects Signature and uses ossl_cmp_msg_add_extraCerts (see below). It also sets the protectionAlg field in the message header accordingly. ossl_cmp_msg_add_extraCerts() adds elements to the extraCerts field in I. @@ -40,6 +40,10 @@ CMP is defined in RFC 4210 (and CRMF in RFC 4211). +The I parameter of ossl_cmp_msg_add_extraCerts() +and thus also of ossl_cmp_msg_protect() cannot be made I +because Ichain> may get adapted to cache the chain of the CMP signer cert. + =head1 RETURN VALUES ossl_cmp_calc_protection() returns the protection on success, else NULL. @@ -52,7 +56,7 @@ =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_pkisi_get_status.pod b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod --- a/doc/internal/man3/ossl_cmp_pkisi_get_status.pod +++ b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod @@ -43,8 +43,8 @@ # define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26 # define OSSL_CMP_PKIFAILUREINFO_MAX 26 - X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep, - const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); + X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, + const OSSL_CMP_CERTRESPONSE *crep); int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si); const char *ossl_cmp_PKIStatus_to_string(int status); OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *si); 
@@ -55,7 +55,7 @@ ossl_cmp_certresponse_get1_cert() returns a pointer to a copy of the newly enrolled certificate from the given certResponse I, or NULL on error. -In case of indirect POPO uses data from the I and the private key I. +Uses data from I, which in case of indirect POPO includes the private key. ossl_cmp_pkisi_get_status() returns the PKIStatus of I, or -1 on error. @@ -89,7 +89,7 @@ =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -248,12 +248,16 @@ =item B<-newkey> I|I -The source of the private or public key for the certificate requested -in Initialization Request (IR), Certification Request(CR), or -Key Update Request (KUR). +The source of the private or public key for the certificate being requested. Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option, the public key of the reference certificate, or the current client key. +The public portion of the key is placed in the certification request. + +Unless B<-cmd> I, B<-popo> I<-1>, or B<-popo> I<0> is given, the +private key will be needed as well to provide the proof of possession (POPO), +where the B<-key> option may provide a fallback. + =item B<-newkeypass> I Pass phrase source for the key given with the B<-newkey> option. @@ -344,7 +348,7 @@ =item B<-popo> I -Proof-of-Possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where +Proof-of-possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where C<-1> = NONE, C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC. Note that a signature-based POPO can only be produced if a private key 
@@ -354,15 +358,22 @@ PKCS#10 CSR in PEM or DER format containing a certificate request. With B<-cmd> I it is used directly in a legacy P10CR message. + When used with B<-cmd> I, I, or I, -it is transformed into the respective regular CMP request, -while its public key is ignored if I<-newkey> is given. -It may also be used with B<-cmd> I to specify the certificate to be revoked +it is transformed into the respective regular CMP request. +In this case, a private key must be provided (with B<-newkey> or B<-key>) +for the proof of possession (unless B<-popo> I<-1> or B<-popo> I<0> is used) +and the respective public key is placed in the certification request +(rather than taking over the public key contained in the PKCS#10 CSR). + +PKCS#10 CSR input may also be used with B<-cmd> I +to specify the certificate to be revoked via the included subject name and public key. =item B<-out_trusted> I|I Trusted certificate(s) to use for validating the newly enrolled certificate. +During this verification, any certificate status checking is disabled. Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). @@ -408,6 +419,7 @@ The reference certificate, if any, is also used for deriving default subject DN and Subject Alternative Names and the default issuer entry in the requested certificate template of an IR/CR/KUR. +Its public key is used as a fallback in the template of certification requests. Its subject is used as sender of outgoing messages if B<-cert> is not given. Its issuer is used as default recipient in CMP message headers if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given. 
@@ -443,7 +455,8 @@ The DNS hostname or IP address and optionally port of the CMP server to connect to using HTTP(S). -This excludes I<-port> and I<-use_mock_srv> and is ignored with I<-rspin>. +This option excludes I<-port> and I<-use_mock_srv>. +It is ignored if I<-rspin> is given with enough filename arguments. The scheme C may be given only if the B<-tls_used> option is used. In this case the default port is 443, else 80. @@ -523,15 +536,15 @@ =item B<-trusted> I|I -When validating signature-based protection of CMP response messages, -these are the CA certificate(s) to trust while checking certificate chains -during CMP server authentication. -This option gives more flexibility than the B<-srvcert> option because the -server-side CMP signer certificate is not pinned but may be any certificate -for which a chain to one of the given trusted certificates can be constructed. +The certificate(s), typically of root CAs, the client shall use as trust anchors +when validating signature-based protection of CMP response messages. +This option is ignored if the B<-srvcert> option is given as well. +It provides more flexibility than B<-srvcert> because the CMP protection +certificate of the server is not pinned but may be any certificate +from which a chain to one of the given trust anchors can be constructed. -If no B<-trusted>, B<-srvcert>, and B<-secret> option is given -then protected response messages from the server are not authenticated. +If none of B<-trusted>, B<-srvcert>, and B<-secret> is given, message validation +errors will be thrown unless B<-unprotected_errors> permits an exception. Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). 
@@ -546,24 +559,24 @@ Non-trusted intermediate CA certificate(s). Any extra certificates given with the B<-cert> option are appended to it. All these certificates may be useful for cert path construction -for the CMP client certificate (to include in the extraCerts field of outgoing -messages) and for the TLS client certificate (if TLS is enabled) +for the own CMP signer certificate (to include in the extraCerts field of +request messages) and for the TLS client certificate (if TLS is enabled) as well as for chain building -when validating the CMP server certificate (checking signature-based +when validating server certificates (checking signature-based CMP message protection) and when validating newly enrolled certificates. -Multiple sources may be given, separated by commas and/or whitespace. -Each file may contain multiple certificates. +Multiple filenames or URLs may be given, separated by commas and/or whitespace. +Each source may contain multiple certificates. =item B<-srvcert> I|I The specific CMP server certificate to expect and directly trust (even if it is -expired) when validating signature-based protection of CMP response messages. -May be set alternatively to the B<-trusted> option to pin the accepted server. +expired) when verifying signature-based protection of CMP response messages. +This pins the accepted server and results in ignoring the B<-trusted> option. If set, the subject of the certificate is also used as default value for the recipient of CMP requests -and as default value for the expected sender of incoming CMP messages. +and as default value for the expected sender of CMP responses. =item B<-expect_sender> I 
@@ -583,8 +596,8 @@ =item B<-ignore_keyusage> Ignore key usage restrictions in CMP signer certificates when validating -signature-based protection of incoming CMP messages, -else C must be allowed for signer certificate. +signature-based protection of incoming CMP messages. +By default, C must be allowed by CMP signer certificates. =item B<-unprotected_errors> @@ -659,17 +672,25 @@ The client's current CMP signer certificate. Requires the corresponding key to be given with B<-key>. + +The subject and the public key contained in this certificate +serve as fallback values in the certificate template of IR/CR/KUR messages. + The subject of this certificate will be used as sender of outgoing CMP messages, while the subject of B<-oldcert> or B<-subjectName> may provide fallback values. + The issuer of this certificate is used as one of the recipient fallback values -and as fallback issuer entry in the certificate template of IR/CR/KUR. +and as fallback issuer entry in the certificate template of IR/CR/KUR messages. + When using signature-based message protection, this "protection certificate" will be included first in the extraCerts field of outgoing messages and the signature is done with the corresponding key. In Initialization Request (IR) messages this can be used for authenticating using an external entity certificate as defined in appendix E.7 of RFC 4210. + For Key Update Request (KUR) messages this is also used as the certificate to be updated if the B<-oldcert> option is not given. + If the file includes further certs, they are appended to the untrusted certs because they typically constitute the chain of the client certificate, which is included in the extraCerts field in signature-protected request messages. 
@@ -695,6 +716,8 @@ This will be used for signature-based message protection unless the B<-secret> option indicating PBM or B<-unprotected_requests> is given. +It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages. + =item B<-keypass> I Pass phrase source for the private key given with the B<-key> option. @@ -709,7 +732,7 @@ Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG and as the one-way function (OWF) in MSG_MAC_ALG. If applicable, this is used for message protection and -Proof-of-Possession (POPO) signatures. +proof-of-possession (POPO) signatures. To see the list of supported digests, use C. Defaults to C. @@ -732,7 +755,7 @@ =item B<-unprotected_requests> -Send messages without CMP-level protection. +Send request messages without CMP-level protection. =back @@ -801,11 +824,14 @@ =item B<-tls_used> -Enable using TLS (even when other TLS_related options are not set) -when connecting to CMP server via HTTP. -This option is not supported with the I<-port> option -and is ignored with the I<-use_mock_srv> and I<-rspin> options -or if the I<-server> option is not given. +Enable using TLS (even when other TLS-related options are not set) +for message exchange with CMP server via HTTP. +This option is not supported with the I<-port> option. +It is ignored if the I<-server> option is not given or I<-use_mock_srv> is given +or I<-rspin> is given with enough filename arguments. + +The following TLS-related options are ignored +if B<-tls_used> is not given or does not take effect. =item B<-tls_cert> I|I 
@@ -867,46 +893,71 @@ =item B<-reqin> I -Take sequence of CMP requests from file(s). +Take the sequence of CMP requests to send to the server from the given file(s) +rather than from the sequence of requests produced internally. + +This option is ignored if the B<-rspin> option is given +because in the latter case no requests are actually sent. Multiple filenames may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). -As many files are read as needed for a complete transaction. + +The files are read as far as needed to complete the transaction +and filenames have been provided. If more requests are needed, +the remaining ones are taken from the items at the respective position +in the sequence of requests produced internally. + +The client needs to update the recipNonce field in the given requests (except +for the first one) in order to satisfy the checks to be performed by the server. +This causes re-protection (if protecting requests is required). =item B<-reqin_new_tid> Use a fresh transactionID for CMP request messages read using B<-reqin>, -which requires re-protecting them as far as they were protected before. +which causes their reprotection (if protecting requests is required). This may be needed in case the sequence of requests is reused and the CMP server complains that the transaction ID has already been used. =item B<-reqout> I -Save sequence of CMP requests to file(s). +Save the sequence of CMP requests created by the client to the given file(s). +These requests are not sent to the server if the B<-reqin> option is used, too. Multiple filenames may be given, separated by commas and/or whitespace. -As many files are written as needed to store the complete transaction. + +Files are written as far as needed to save the transaction +and filenames have been provided. +If the transaction contains more requests, the remaining ones are not saved. 
=item B<-rspin> I -Process sequence of CMP responses provided in file(s), skipping server. -This excludes I<-server>, I<-port>, and I<-use_mock_srv>. +Process the sequence of CMP responses provided in the given file(s), +not contacting any given server, +as long as enough filenames are provided to complete the transaction. Multiple filenames may be given, separated by commas and/or whitespace. -As many files are read as needed for the complete transaction. + +Any server specified via the I<-server> or I<-use_mock_srv> options is contacted +only if more responses are needed to complete the transaction. +In this case the transaction will fail +unless the server has been prepared to continue the already started transaction. =item B<-rspout> I -Save sequence of CMP responses to file(s). +Save the sequence of actually used CMP responses to the given file(s). +These have been received from the server unless B<-rspin> takes effect. Multiple filenames may be given, separated by commas and/or whitespace. -As many files are written as needed to store the complete transaction. + +Files are written as far as needed to save the responses +contained in the transaction and filenames have been provided. +If the transaction contains more responses, the remaining ones are not saved. =item B<-use_mock_srv> Test the client using the internal CMP server mock-up at API level, bypassing socket-based transfer via HTTP. -This excludes I<-server>, I<-port>, and I<-rspin>. +This excludes the B<-server> and B<-port> options. =back @@ -917,7 +968,9 @@ =item B<-port> I Act as HTTP-based CMP server mock-up listening on the given port. -This excludes I<-server>, I<-rspin>, and I<-use_mock_srv>. +This excludes the B<-server> and B<-use_mock_srv> options. +The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options +so far are not supported in this mode. =item B<-max_msgs> I 
@@ -1022,10 +1075,11 @@ =item B<-accept_unprot_err> Accept unprotected error messages from client. +So far this has no effect because the server does not accept any error messages. =item B<-accept_raverified> -Accept RAVERIFED as proof-of-possession (POPO). +Accept RAVERIFED as proof of possession (POPO). =back diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in --- a/doc/man1/openssl-enc.pod.in +++ b/doc/man1/openssl-enc.pod.in @@ -129,7 +129,8 @@ =item B<-pbkdf2> -Use PBKDF2 algorithm with default iteration count unless otherwise specified. +Use PBKDF2 algorithm with a default iteration count of 10000 +unless otherwise specified by the B<-iter> command line option. =item B<-nosalt> diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -568,10 +568,12 @@ accepted. Only one specific protocol can be given and it cannot be combined with any of the B options. +The B options do not work with B and B commands but work with +B and B commands. =item B<-dtls>, B<-dtls1>, B<-dtls1_2> -These options specify to use DTLS instead of DLTS. +These options specify to use DTLS instead of TLS. With B<-dtls>, clients will negotiate any supported DTLS protocol version. Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2, respectively. @@ -831,7 +833,7 @@ =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/ASN1_STRING_new.pod b/doc/man3/ASN1_STRING_new.pod --- a/doc/man3/ASN1_STRING_new.pod +++ b/doc/man3/ASN1_STRING_new.pod 
@@ -27,7 +27,7 @@ =head1 NOTES Other string types call the B functions. For example -ASN1_OCTET_STRING_new() calls ASN1_STRING_type(V_ASN1_OCTET_STRING). +ASN1_OCTET_STRING_new() calls ASN1_STRING_type_new(V_ASN1_OCTET_STRING). =head1 RETURN VALUES @@ -42,7 +42,7 @@ =head1 COPYRIGHT -Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_EncryptedData_decrypt.pod b/doc/man3/CMS_EncryptedData_decrypt.pod --- a/doc/man3/CMS_EncryptedData_decrypt.pod +++ b/doc/man3/CMS_EncryptedData_decrypt.pod @@ -21,10 +21,10 @@ I is used in the rare case where the encrypted content is detached. It will normally be set to NULL. -The following flags can be passed in the B parameter. +The following flags can be passed in the I parameter. -If the B flag is set MIME headers for type B are deleted -from the content. If the content is not of type B then an error is +If the B flag is set MIME headers for type C are deleted +from the content. If the content is not of type C then an error is returned. =head1 RETURN VALUES @@ -39,7 +39,7 @@ =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_add0_cert.pod b/doc/man3/CMS_add0_cert.pod --- a/doc/man3/CMS_add0_cert.pod +++ b/doc/man3/CMS_add0_cert.pod 
@@ -20,6 +20,8 @@ =head1 DESCRIPTION CMS_add0_cert() and CMS_add1_cert() add certificate I to I. +This is used by L and L and may be used before +calling L to help chain building in certificate validation. I must be of type signed data or (authenticated) enveloped data. For signed data, such a certificate can be used when signing or verifying to fill in the signer certificate or to provide an extra CA certificate @@ -29,7 +31,8 @@ CMS_add0_crl() and CMS_add1_crl() add CRL I to I. I must be of type signed data or (authenticated) enveloped data. -For signed data, such a CRL may be used in certificate validation. +For signed data, such a CRL may be used in certificate validation +with L. It may be given both for inclusion when signing a CMS message and when verifying a signed CMS message. @@ -48,8 +51,7 @@ must not be freed up after the call as opposed to CMS_add1_cert() where I must be freed up. -The same certificate or CRL must not be added to the same cms structure more -than once. +The same certificate must not be added to the same cms structure more than once. =head1 RETURN VALUES @@ -63,12 +65,12 @@ =head1 SEE ALSO L, -L, +L, L, L, L =head1 COPYRIGHT -Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_decrypt.pod b/doc/man3/CMS_decrypt.pod --- a/doc/man3/CMS_decrypt.pod +++ b/doc/man3/CMS_decrypt.pod @@ -2,8 +2,9 @@ =head1 NAME -CMS_decrypt, CMS_decrypt_set1_pkey_and_peer, CMS_decrypt_set1_pkey - decrypt -content from a CMS envelopedData structure +CMS_decrypt, CMS_decrypt_set1_pkey_and_peer, +CMS_decrypt_set1_pkey, CMS_decrypt_set1_password +- decrypt content from a CMS envelopedData structure =head1 SYNOPSIS 
@@ -14,23 +15,41 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer); int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert); + int CMS_decrypt_set1_password(CMS_ContentInfo *cms, + unsigned char *pass, ossl_ssize_t passlen); =head1 DESCRIPTION -CMS_decrypt() extracts and decrypts the content from a CMS EnvelopedData -or AuthEnvelopedData structure. B is the private key of the recipient, -B is the recipient's certificate, B is a BIO to write the content to -and B is an optional set of flags. - -The B parameter is used in the rare case where the encrypted content +CMS_decrypt() extracts the decrypted content from a CMS EnvelopedData +or AuthEnvelopedData structure. +It uses CMS_decrypt_set1_pkey() to decrypt the content +with the recipient private key I if I is not NULL. +In this case, it is recommended to provide the associated certificate +in I - see the NOTES below. +I is a BIO to write the content to and +I is an optional set of flags. +If I is NULL the function assumes that decryption was already done +(e.g., using CMS_decrypt_set1_pkey() or CMS_decrypt_set1_password()) and just +provides the content unless I, I, and I are NULL as well. +The I parameter is used in the rare case where the encrypted content is detached. It will normally be set to NULL. -CMS_decrypt_set1_pkey_and_peer() associates the private key B, the -corresponding certificate B and the originator certificate B with -the CMS_ContentInfo structure B. +CMS_decrypt_set1_pkey_and_peer() decrypts the CMS_ContentInfo structure I +using the private key I, the corresponding certificate I, which is +recommended to be supplied but may be NULL, +and the (optional) originator certificate I. +On success, it also records in I the decryption key I, and this +should be followed by C. +This call deallocates any decryption key stored in I. + +CMS_decrypt_set1_pkey() is the same as +CMS_decrypt_set1_pkey_and_peer() with I being NULL. 
-CMS_decrypt_set1_pkey() associates the private key B, corresponding -certificate B with the CMS_ContentInfo structure B. +CMS_decrypt_set1_password() decrypts the CMS_ContentInfo structure I +using the secret I of length I. +On success, it also records in I the decryption key used, and this +should be followed by C. +This call deallocates any decryption key stored in I. =head1 NOTES @@ -38,7 +57,7 @@ needed to locate the appropriate (of possible several) recipients in the CMS structure. -If B is set to NULL all possible recipients are tried. This case however +If I is set to NULL all possible recipients are tried. This case however is problematic. To thwart the MMA attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or not. If no recipient succeeds then a random symmetric key is used to decrypt 
@@ -54,26 +73,32 @@ It is possible to determine the correct recipient key by other means (for example looking them up in a database) and setting them in the CMS structure -in advance using the CMS utility functions such as CMS_set1_pkey(). In this -case both B and B should be set to NULL. +in advance using the CMS utility functions such as CMS_set1_pkey(), +or use CMS_decrypt_set1_password() if the recipient has a symmetric key. +In these cases both I and I should be set to NULL. To process KEKRecipientInfo types CMS_set1_key() or CMS_RecipientInfo_set0_key() and CMS_RecipientInfo_decrypt() should be called before CMS_decrypt() and -B and B set to NULL. +I and I set to NULL. -The following flags can be passed in the B parameter. +The following flags can be passed in the I parameter. -If the B flag is set MIME headers for type B are deleted -from the content. If the content is not of type B then an error is +If the B flag is set MIME headers for type C are deleted +from the content. If the content is not of type C then an error is returned. =head1 RETURN VALUES -CMS_decrypt() returns either 1 for success or 0 for failure. -The error can be obtained from ERR_get_error(3) +CMS_decrypt(), CMS_decrypt_set1_pkey_and_peer(), +CMS_decrypt_set1_pkey(), and CMS_decrypt_set1_password() +return either 1 for success or 0 for failure. +The error can be obtained from ERR_get_error(3). =head1 BUGS +The B part of these function names is misleading +and should better read: B. + The lack of single pass processing and the need to hold all data in memory as mentioned in CMS_verify() also applies to CMS_decrypt(). 
@@ -83,11 +108,12 @@ =head1 HISTORY -B was added in OpenSSL 3.0. +CMS_decrypt_set1_pkey_and_peer() and CMS_decrypt_set1_password() +were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EC_GROUP_copy.pod b/doc/man3/EC_GROUP_copy.pod --- a/doc/man3/EC_GROUP_copy.pod +++ b/doc/man3/EC_GROUP_copy.pod @@ -129,7 +129,7 @@ For POINT_CONVERSION_UNCOMPRESSED the point is encoded as an octet signifying the UNCOMPRESSED form has been used followed by the octets for x, followed by the octets for y. -For any given x co-ordinate for a point on a curve it is possible to derive two possible y values. For +For any given x coordinate for a point on a curve it is possible to derive two possible y values. For POINT_CONVERSION_COMPRESSED the point is encoded as an octet signifying that the COMPRESSED form has been used AND which of the two possible solutions for y has been used, followed by the octets for x. diff --git a/doc/man3/EC_KEY_new.pod b/doc/man3/EC_KEY_new.pod --- a/doc/man3/EC_KEY_new.pod +++ b/doc/man3/EC_KEY_new.pod @@ -128,7 +128,7 @@ confirm that it is valid. EC_KEY_set_public_key_affine_coordinates() sets the public key for I based -on its affine co-ordinates; i.e., it constructs an EC_POINT object based on +on its affine coordinates; i.e., it constructs an EC_POINT object based on the supplied I and I values and sets the public key to be this EC_POINT. It also performs certain sanity checks on the key to confirm that it is valid. 
@@ -235,7 +235,7 @@ =head1 COPYRIGHT -Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EC_POINT_add.pod b/doc/man3/EC_POINT_add.pod --- a/doc/man3/EC_POINT_add.pod +++ b/doc/man3/EC_POINT_add.pod @@ -44,7 +44,7 @@ EC_POINT_cmp compares the two supplied points and tests whether or not they are equal. The functions EC_POINT_make_affine and EC_POINTs_make_affine force the internal representation of the EC_POINT(s) into the affine -co-ordinate system. In the case of EC_POINTs_make_affine the value B provides the number of points in the array B to be +coordinate system. In the case of EC_POINTs_make_affine the value B provides the number of points in the array B to be forced. These functions were deprecated in OpenSSL 3.0 and should no longer be used. Modern versions automatically perform this conversion when needed. @@ -90,7 +90,7 @@ =head1 COPYRIGHT -Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EC_POINT_new.pod b/doc/man3/EC_POINT_new.pod --- a/doc/man3/EC_POINT_new.pod +++ b/doc/man3/EC_POINT_new.pod @@ -124,9 +124,9 @@ A valid point on a curve is the special point at infinity. A point is set to be at infinity by calling EC_POINT_set_to_infinity(). -The affine co-ordinates for a point describe a point in terms of its x and y +The affine coordinates for a point describe a point in terms of its x and y position. The function EC_POINT_set_affine_coordinates() sets the B and B -co-ordinates for the point B

defined over the curve given in B. The +coordinates for the point B

defined over the curve given in B. The function EC_POINT_get_affine_coordinates() sets B and B, either of which may be NULL, to the corresponding coordinates of B

. 
@@ -140,27 +140,27 @@ EC_POINT_get_affine_coordinates(). They are defined for backwards compatibility only and should not be used. -As well as the affine co-ordinates, a point can alternatively be described in -terms of its Jacobian projective co-ordinates (for Fp curves only). Jacobian -projective co-ordinates are expressed as three values x, y and z. Working in -this co-ordinate system provides more efficient point multiplication -operations. A mapping exists between Jacobian projective co-ordinates and -affine co-ordinates. A Jacobian projective co-ordinate (x, y, z) can be written -as an affine co-ordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian -projective from affine co-ordinates is simple. The co-ordinate (x, y) is mapped +As well as the affine coordinates, a point can alternatively be described in +terms of its Jacobian projective coordinates (for Fp curves only). Jacobian +projective coordinates are expressed as three values x, y and z. Working in +this coordinate system provides more efficient point multiplication +operations. A mapping exists between Jacobian projective coordinates and +affine coordinates. A Jacobian projective coordinate (x, y, z) can be written +as an affine coordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian +projective from affine coordinates is simple. The coordinate (x, y) is mapped to (x, y, 1). Although deprecated in OpenSSL 3.0 and should no longer be used, -to set or get the projective co-ordinates in older versions use +to set or get the projective coordinates in older versions use EC_POINT_set_Jprojective_coordinates_GFp() and EC_POINT_get_Jprojective_coordinates_GFp() respectively. Modern versions should instead use EC_POINT_set_affine_coordinates() and EC_POINT_get_affine_coordinates(), performing the conversion manually using the above maps in such rare circumstances. -Points can also be described in terms of their compressed co-ordinates. 
For a +Points can also be described in terms of their compressed coordinates. For a point (x, y), for any given value for x such that the point is on the curve there will only ever be two possible values for y. Therefore, a point can be set using the EC_POINT_set_compressed_coordinates() function where B is the x -co-ordinate and B is a value 0 or 1 to identify which of the two +coordinate and B is a value 0 or 1 to identify which of the two possible values for y should be used. The functions EC_POINT_set_compressed_coordinates_GFp() and @@ -269,7 +269,7 @@ =head1 COPYRIGHT -Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -1065,7 +1065,7 @@ When used with a fetched B, EVP_CIPHER_CTX_set_params() get called with an L item with the key -"tlsaadpad" (B) +"tlsaad" (B) followed by EVP_CIPHER_CTX_get_params() with a key of "tlsaadpad" (B). diff --git a/doc/man3/EVP_PKEY_set1_RSA.pod b/doc/man3/EVP_PKEY_set1_RSA.pod --- a/doc/man3/EVP_PKEY_set1_RSA.pod +++ b/doc/man3/EVP_PKEY_set1_RSA.pod 
@@ -62,13 +62,16 @@ EVP_PKEY_get_base_id() returns the type of I. For example an RSA key will return B. -EVP_PKEY_get_id() returns the actual OID associated with I. -Historically keys using the same algorithm could use different OIDs. -For example an RSA key could use the OIDs corresponding to +EVP_PKEY_get_id() returns the actual NID associated with I +only if the I type isn't implemented just in a L. +Historically keys using the same algorithm could use different NIDs. +For example an RSA key could use the NIDs corresponding to the NIDs B (equivalent to B) or B (equivalent to B). The use of -alternative non-standard OIDs is now rare so B et al are not +alternative non-standard NIDs is now rare so B et al are not often seen in practice. +EVP_PKEY_get_id() returns -1 (B) if the I is +only implemented in a L. EVP_PKEY_type() returns the underlying type of the NID I. For example EVP_PKEY_type(EVP_PKEY_RSA2) will return B. @@ -142,6 +145,9 @@ For EVP_PKEY key type checking purposes, L is more generic. +For purposes of retrieving the name of the B the function +L is more generally useful. + The keys returned from the functions EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH() and EVP_PKEY_get0_EC_KEY() were changed to have a "const" return type in OpenSSL 3.0. As described above the keys returned may be cached @@ -222,7 +228,7 @@ =head1 COPYRIGHT -Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_RAND.pod b/doc/man3/EVP_RAND.pod --- a/doc/man3/EVP_RAND.pod +++ b/doc/man3/EVP_RAND.pod 
@@ -332,6 +332,18 @@ =head1 NOTES +The use of a nonzero value for the I argument to +EVP_RAND_instantiate(), EVP_RAND_generate() or EVP_RAND_reseed() should +be used sparingly. In the default setup, this will cause all public and +private DRBGs to be reseeded on next use. Since, by default, public and +private DRBGs are allocated on a per thread basis, this can result in +significant overhead for highly multi-threaded applications. For normal +use-cases, the default "reseed_requests" and "reseed_time_interval" +thresholds ensure sufficient prediction resistance over time and you +can reduce those values if you think they are too high. Explicitly +requesting prediction resistance is intended for more special use-cases +like generating long-term secrets. + An B needs to have locking enabled if it acts as the parent of more than one child and the children can be accessed concurrently. This must be done by explicitly calling EVP_RAND_enable_locking(). @@ -394,7 +406,7 @@ =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_aes_128_gcm.pod b/doc/man3/EVP_aes_128_gcm.pod --- a/doc/man3/EVP_aes_128_gcm.pod +++ b/doc/man3/EVP_aes_128_gcm.pod @@ -169,6 +169,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the 
@@ -183,7 +190,7 @@ =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_aria_128_gcm.pod b/doc/man3/EVP_aria_128_gcm.pod --- a/doc/man3/EVP_aria_128_gcm.pod +++ b/doc/man3/EVP_aria_128_gcm.pod @@ -92,6 +92,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the @@ -106,7 +113,7 @@ =head1 COPYRIGHT -Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_bf_cbc.pod b/doc/man3/EVP_bf_cbc.pod --- a/doc/man3/EVP_bf_cbc.pod +++ b/doc/man3/EVP_bf_cbc.pod @@ -37,6 +37,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the @@ -51,7 +58,7 @@ =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_blake2b512.pod b/doc/man3/EVP_blake2b512.pod --- a/doc/man3/EVP_blake2b512.pod +++ b/doc/man3/EVP_blake2b512.pod 
@@ -31,6 +31,17 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + +While the BLAKE2b and BLAKE2s algorithms supports a variable length digest, +this implementation outputs a digest of a fixed length (the maximum length +supported), which is 512-bits for BLAKE2b and 256-bits for BLAKE2s. + =head1 RETURN VALUES These functions return a B structure that contains the @@ -41,12 +52,6 @@ RFC 7693. -=head1 NOTES - -While the BLAKE2b and BLAKE2s algorithms supports a variable length digest, -this implementation outputs a digest of a fixed length (the maximum length -supported), which is 512-bits for BLAKE2b and 256-bits for BLAKE2s. - =head1 SEE ALSO L, @@ -54,7 +59,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_camellia_128_ecb.pod b/doc/man3/EVP_camellia_128_ecb.pod --- a/doc/man3/EVP_camellia_128_ecb.pod +++ b/doc/man3/EVP_camellia_128_ecb.pod @@ -75,6 +75,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the @@ -89,7 +96,7 @@ =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_cast5_cbc.pod b/doc/man3/EVP_cast5_cbc.pod 
--- a/doc/man3/EVP_cast5_cbc.pod +++ b/doc/man3/EVP_cast5_cbc.pod @@ -37,6 +37,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the @@ -51,7 +58,7 @@ =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_chacha20.pod b/doc/man3/EVP_chacha20.pod --- a/doc/man3/EVP_chacha20.pod +++ b/doc/man3/EVP_chacha20.pod @@ -40,6 +40,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the @@ -54,7 +61,7 @@ =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_des_cbc.pod b/doc/man3/EVP_des_cbc.pod --- a/doc/man3/EVP_des_cbc.pod +++ b/doc/man3/EVP_des_cbc.pod @@ -85,6 +85,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the 
@@ -99,7 +106,7 @@ =head1 COPYRIGHT -Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_desx_cbc.pod b/doc/man3/EVP_desx_cbc.pod --- a/doc/man3/EVP_desx_cbc.pod +++ b/doc/man3/EVP_desx_cbc.pod @@ -29,6 +29,11 @@ =back +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the @@ -43,7 +48,7 @@ =head1 COPYRIGHT -Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_idea_cbc.pod b/doc/man3/EVP_idea_cbc.pod --- a/doc/man3/EVP_idea_cbc.pod +++ b/doc/man3/EVP_idea_cbc.pod @@ -35,6 +35,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the @@ -49,7 +56,7 @@ =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_md2.pod b/doc/man3/EVP_md2.pod --- a/doc/man3/EVP_md2.pod +++ b/doc/man3/EVP_md2.pod 
@@ -24,6 +24,12 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L instead. +See L for further information. =head1 RETURN VALUES @@ -43,7 +49,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_md4.pod b/doc/man3/EVP_md4.pod --- a/doc/man3/EVP_md4.pod +++ b/doc/man3/EVP_md4.pod @@ -25,6 +25,12 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L instead. +See L for further information. =head1 RETURN VALUES @@ -44,7 +50,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_md5.pod b/doc/man3/EVP_md5.pod --- a/doc/man3/EVP_md5.pod +++ b/doc/man3/EVP_md5.pod @@ -36,6 +36,12 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. =head1 RETURN VALUES @@ -54,7 +60,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_mdc2.pod b/doc/man3/EVP_mdc2.pod --- a/doc/man3/EVP_mdc2.pod 
+++ b/doc/man3/EVP_mdc2.pod @@ -26,6 +26,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return a B structure that contains the @@ -44,7 +51,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_rc2_cbc.pod b/doc/man3/EVP_rc2_cbc.pod --- a/doc/man3/EVP_rc2_cbc.pod +++ b/doc/man3/EVP_rc2_cbc.pod @@ -51,6 +51,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the @@ -65,7 +72,7 @@ =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_rc4.pod b/doc/man3/EVP_rc4.pod --- a/doc/man3/EVP_rc4.pod +++ b/doc/man3/EVP_rc4.pod @@ -43,6 +43,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the 
@@ -57,7 +64,7 @@ =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_rc5_32_12_16_cbc.pod b/doc/man3/EVP_rc5_32_12_16_cbc.pod --- a/doc/man3/EVP_rc5_32_12_16_cbc.pod +++ b/doc/man3/EVP_rc5_32_12_16_cbc.pod @@ -56,6 +56,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the @@ -71,7 +78,7 @@ =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_ripemd160.pod b/doc/man3/EVP_ripemd160.pod --- a/doc/man3/EVP_ripemd160.pod +++ b/doc/man3/EVP_ripemd160.pod @@ -25,6 +25,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return a B structure that contains the @@ -43,7 +50,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_seed_cbc.pod b/doc/man3/EVP_seed_cbc.pod --- a/doc/man3/EVP_seed_cbc.pod +++ b/doc/man3/EVP_seed_cbc.pod 
@@ -37,6 +37,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return an B structure that contains the @@ -51,7 +58,7 @@ =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sha1.pod b/doc/man3/EVP_sha1.pod --- a/doc/man3/EVP_sha1.pod +++ b/doc/man3/EVP_sha1.pod @@ -25,6 +25,12 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L instead. +See L for further information. =head1 RETURN VALUES @@ -43,7 +49,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sha224.pod b/doc/man3/EVP_sha224.pod --- a/doc/man3/EVP_sha224.pod +++ b/doc/man3/EVP_sha224.pod @@ -45,6 +45,12 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. =head1 RETURN VALUES @@ -63,7 +69,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/EVP_sha3_224.pod b/doc/man3/EVP_sha3_224.pod --- a/doc/man3/EVP_sha3_224.pod +++ b/doc/man3/EVP_sha3_224.pod @@ -50,6 +50,12 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. =head1 RETURN VALUES @@ -68,7 +74,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sm3.pod b/doc/man3/EVP_sm3.pod --- a/doc/man3/EVP_sm3.pod +++ b/doc/man3/EVP_sm3.pod @@ -24,6 +24,12 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L instead. +See L for further information. =head1 RETURN VALUES @@ -42,7 +48,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2017 Ribose Inc. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/doc/man3/EVP_sm4_cbc.pod b/doc/man3/EVP_sm4_cbc.pod --- a/doc/man3/EVP_sm4_cbc.pod +++ b/doc/man3/EVP_sm4_cbc.pod @@ -41,6 +41,13 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L instead. +See L for further information. + =head1 RETURN VALUES These functions return a B structure that contains the 
@@ -55,7 +62,7 @@ =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2017 Ribose Inc. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/doc/man3/EVP_whirlpool.pod b/doc/man3/EVP_whirlpool.pod --- a/doc/man3/EVP_whirlpool.pod +++ b/doc/man3/EVP_whirlpool.pod @@ -26,6 +26,12 @@ =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L instead. +See L for further information. =head1 RETURN VALUES @@ -45,7 +51,7 @@ =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -111,8 +111,8 @@ int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, const unsigned char *ref, int len); - int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, - const int len); + int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, + const unsigned char *sec, int len); /* CMP message header and extra certificates: */ int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name); @@ -290,7 +290,7 @@ =item B - Send messages without CMP-level protection. + Send request or response messages without CMP-level protection. =item B 
@@ -410,8 +410,8 @@ OSSL_CMP_CTX_set1_srvCert() sets the expected server cert in I and trusts it directly (even if it is expired) when verifying signed response messages. -May be used alternatively to OSSL_CMP_CTX_set0_trustedStore() -to pin the accepted server. +This pins the accepted CMP server and +results in ignoring whatever may be set using OSSL_CMP_CTX_set0_trustedStore(). Any previously set value is freed. The I argument may be NULL to clear the entry. If set, the subject of the certificate is also used @@ -419,7 +419,7 @@ and as default value for the expected sender of CMP responses. OSSL_CMP_CTX_set1_expected_sender() sets the Distinguished Name (DN) -expected in the sender field of CMP response messages. +expected in the sender field of incoming CMP messages. Defaults to the subject of the pinned server certificate, if any. This can be used to make sure that only a particular entity is accepted as CMP message signer, and attackers are not able to use arbitrary certificates 
@@ -428,27 +428,30 @@ which pins the server to the holder of a particular certificate, while the expected sender name will continue to match after updates of the server cert. -OSSL_CMP_CTX_set0_trustedStore() sets the certificate store of type X509_STORE -containing trusted (root) CA certificates. -The store may also hold CRLs and -a certificate verification callback function used for CMP server authentication. +OSSL_CMP_CTX_set0_trustedStore() +sets in the CMP context I the certificate store of type X509_STORE +containing trusted certificates, typically of root CAs. +This is ignored when a certificate is pinned using OSSL_CMP_CTX_set1_srvCert(). +The store may also hold CRLs and a certificate verification callback function +used for signature-based peer authentication. Any store entry already set before is freed. When given a NULL parameter the entry is cleared. -OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the currently set -certificate store containing trusted cert etc., or an empty store if unset. +OSSL_CMP_CTX_get0_trustedStore() +extracts from the CMP context I the pointer to the currently set +certificate store containing trust anchors etc., or an empty store if unset. OSSL_CMP_CTX_set1_untrusted() sets up a list of non-trusted certificates -of intermediate CAs that may be useful for path construction for the CMP client -certificate, for the TLS client certificate (if any), when verifying -the CMP server certificate, and when verifying newly enrolled certificates. +of intermediate CAs that may be useful for path construction for the own CMP +signer certificate, for the own TLS certificate (if any), when verifying peer +CMP protection certificates, and when verifying newly enrolled certificates. The reference counts of those certificates handled successfully are increased. OSSL_CMP_CTX_get0_untrusted(OSSL_CMP_CTX *ctx) returns a pointer to the list of untrusted certs, which may be empty if unset. 
-OSSL_CMP_CTX_set1_cert() sets the certificate related to the client's private key -used for CMP message protection. +OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate +related to the private key used for CMP message protection. Therefore the public key of this I must correspond to the private key set before or thereafter via OSSL_CMP_CTX_set1_pkey(). When using signature-based protection of CMP request messages @@ -464,7 +467,7 @@ certificate previously set in the I. It adds the optional I, a list of intermediate CA certs that may already constitute the targeted chain, to the untrusted certs that may already exist in the I. -Then the function uses this augumented set of certs for chain construction. +Then the function uses this augmented set of certs for chain construction. If I is NULL it builds the chain as far down as possible and ignores any verification errors. Else the CMP signer certificate must be verifiable where the chain reaches a trust anchor contained in I. @@ -587,6 +590,7 @@ In this case the function checks that the newly enrolled certificate can be verified using this trust store and untrusted certificates from the I, which have been augmented by the list of extraCerts received. +During this verification, any certificate status checking is disabled. If the callback argument is NULL the function tries building an approximate chain as far as possible using the same untrusted certificates from the I, and if this fails it takes the received extraCerts as fallback. diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod --- a/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod @@ -5,6 +5,7 @@ OSSL_CMP_MSG_get0_header, OSSL_CMP_MSG_get_bodytype, OSSL_CMP_MSG_update_transactionID, +OSSL_CMP_MSG_update_recipNonce, OSSL_CMP_CTX_setup_CRM, OSSL_CMP_MSG_read, OSSL_CMP_MSG_write, 
@@ -19,6 +20,7 @@ OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); + int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid); OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq); int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg); @@ -33,7 +35,12 @@ OSSL_CMP_MSG_update_transactionID() updates the transactionID field in the header of the given message according to the CMP_CTX. -This requires re-protecting the message (if it was protected). +If I does not contain a transaction ID, a fresh one is created before. +The message gets re-protected (if protecting requests is required). + +OSSL_CMP_MSG_update_recipNonce() updates the recipNonce field +in the header of the given message according to the CMP_CTX. +The message gets re-protected (if protecting requests is required). OSSL_CMP_CTX_setup_CRM() creates a CRMF certificate request message from various information provided in the CMP context argument I @@ -65,7 +72,8 @@ =item the public key of any PKCS#10 CSR given in I, -=item the public key of any reference certificate given in I, +=item the public key of any reference certificate given in I +(see L), =item the public key derived from any client's private key set via L. @@ -121,8 +129,9 @@ OSSL_CMP_MSG_write() returns the number of bytes successfully encoded or a negative value if an error occurs. -i2d_OSSL_CMP_MSG_bio() and OSSL_CMP_MSG_update_transactionID() return 1 on -success, 0 on error. +i2d_OSSL_CMP_MSG_bio(), OSSL_CMP_MSG_update_transactionID(), +and OSSL_CMP_MSG_update_recipNonce() +return 1 on success, 0 on error. =head1 SEE ALSO 
@@ -135,9 +144,11 @@ The OpenSSL CMP support was added in OpenSSL 3.0. +OSSL_CMP_MSG_update_recipNonce() was added in OpenSSL 3.0.9. + =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod --- a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod +++ b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod @@ -68,7 +68,7 @@ In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated using the private key I and the digest method I, where the I argument is ignored if I is of a type (such as -Ed25519 and Ed448) that is implicitly associated with a digest alorithm. +Ed25519 and Ed448) that is implicitly associated with a digest algorithm. I can be one of the following: @@ -110,7 +110,7 @@ =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_DECODER_from_bio.pod b/doc/man3/OSSL_DECODER_from_bio.pod --- a/doc/man3/OSSL_DECODER_from_bio.pod +++ b/doc/man3/OSSL_DECODER_from_bio.pod @@ -42,8 +42,8 @@ =head1 RETURN VALUES -OSSL_DECODER_from_bio() and OSSL_DECODER_from_fp() return 1 on success, or 0 -on failure. +OSSL_DECODER_from_bio(), OSSL_DECODER_from_data() and OSSL_DECODER_from_fp() +return 1 on success, or 0 on failure. =head1 EXAMPLES 
@@ -110,7 +110,7 @@ =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_PARAM.pod b/doc/man3/OSSL_PARAM.pod --- a/doc/man3/OSSL_PARAM.pod +++ b/doc/man3/OSSL_PARAM.pod @@ -40,11 +40,11 @@ =item * Request parameters of some object -The caller (the I) sets up the B array and +The caller (the I) sets up the B array and calls some function (the I) that has intimate knowledge about the object, which can take the internal data of the object and copy (possibly convert) that to the memory prepared by the -I and pointed at with the B I. +I and pointed at with the B I. =item * Request parameter descriptors @@ -111,7 +111,7 @@ should accomodate enough space for a terminating NUL byte. When I, it's acceptable for I to be NULL. -This can be used by the I to figure out dynamically exactly +This can be used by the I to figure out dynamically exactly how much buffer space is needed to store the parameter data. In this case, I is ignored. @@ -267,6 +267,14 @@ =item * +If I for a B or a +B is NULL, the I should +set I to the size of the item to be returned +and return success. Later the responder will be called again +with I pointing at the place for the value to be put. + +=item * + If a I finds that some data sizes are too small for the requested data, it must set I for each such B item to the minimum required size, and eventually return @@ -356,7 +364,7 @@ =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod --- a/doc/man3/OSSL_PARAM_int.pod +++ b/doc/man3/OSSL_PARAM_int.pod @@ -368,7 +368,7 @@ =head2 Example 2 This example is for requesting parameters on some object, and also -demonstrates that the requestor isn't obligated to request all +demonstrates that the requester isn't obligated to request all available parameters: const char *foo = NULL; @@ -403,7 +403,7 @@ =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PEM_read_CMS.pod b/doc/man3/PEM_read_CMS.pod --- a/doc/man3/PEM_read_CMS.pod +++ b/doc/man3/PEM_read_CMS.pod @@ -122,8 +122,7 @@ allocated object, which should be released by calling B_free>(), or NULL on error. -B>() and B>() return the number of bytes -written or zero on error. +B>() and B>() return 1 for success or 0 for failure. =head1 SEE ALSO @@ -143,7 +142,7 @@ =head1 COPYRIGHT -Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS7_sign.pod b/doc/man3/PKCS7_sign.pod --- a/doc/man3/PKCS7_sign.pod +++ b/doc/man3/PKCS7_sign.pod @@ -96,7 +96,7 @@ PKCS7_sign() is like PKCS7_sign_ex() except that it uses default values of NULL for the library context I and the property query I. -This is retained for API backward compatibiliy. +This is retained for API backward compatibility. =head1 BUGS 
@@ -122,7 +122,7 @@ =head1 COPYRIGHT -Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -211,7 +211,7 @@ to comply with the TLSv1.3 specification. Some applications may be able to mitigate the replay risks in other ways and in such cases the built in OpenSSL functionality is not required. Those applications can turn this feature off by -setting this option. This is a server-side opton only. It is ignored by +setting this option. This is a server-side option only. It is ignored by clients. =item SSL_OP_NO_COMPRESSION @@ -352,6 +352,10 @@ =item SSL_OP_EPHEMERAL_RSA +=item SSL_OP_NETSCAPE_CA_DN_BUG + +=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + =back =head1 SECURE RENEGOTIATION @@ -452,7 +456,7 @@ =head1 COPYRIGHT -Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_split_send_fragment.pod b/doc/man3/SSL_CTX_set_split_send_fragment.pod --- a/doc/man3/SSL_CTX_set_split_send_fragment.pod +++ b/doc/man3/SSL_CTX_set_split_send_fragment.pod 
@@ -56,7 +56,7 @@ used (i.e. normal non-parallel operation). The number of pipelines set must be in the range 1 - SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also automatically turn on "read_ahead" (see L). This is -explained further below. OpenSSL will only every use more than one pipeline if +explained further below. OpenSSL will only ever use more than one pipeline if a cipher suite is negotiated that uses a pipeline capable cipher provided by an engine. @@ -96,7 +96,10 @@ at a time. The more data that can be read, the more opportunity there is for parallelising the processing at the cost of increased memory overhead per connection. Setting B can impact the behaviour of the SSL_pending() -function (see L). +function (see L). In addition the default size of the internal +read buffer is multiplied by the number of pipelines available to ensure that we +can read multiple records in one go. This can therefore have a significant +impact on memory usage. The SSL_CTX_set_default_read_buffer_len() and SSL_set_default_read_buffer_len() functions control the size of the read buffer that will be used. The B @@ -179,7 +182,7 @@ =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_SESSION_free.pod b/doc/man3/SSL_SESSION_free.pod --- a/doc/man3/SSL_SESSION_free.pod +++ b/doc/man3/SSL_SESSION_free.pod 
@@ -21,8 +21,8 @@ SSL_SESSION_new() creates a new SSL_SESSION structure and returns a pointer to it. -SSL_SESSION_dup() copies the contents of the SSL_SESSION structure in B -and returns a pointer to it. +SSL_SESSION_dup() creates a new SSL_SESSION structure that is a copy of B. +The copy is not owned by any cache that B may have been in. SSL_SESSION_up_ref() increments the reference count on the given SSL_SESSION structure. @@ -62,6 +62,8 @@ SSL_SESSION_new returns a pointer to the newly allocated SSL_SESSION structure or NULL on error. +SSL_SESSION_dup returns a pointer to the new copy or NULL on error. + SSL_SESSION_up_ref returns 1 on success or 0 on error. =head1 SEE ALSO @@ -77,7 +79,7 @@ =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod --- a/doc/man3/X509_STORE_CTX_get_error.pod +++ b/doc/man3/X509_STORE_CTX_get_error.pod @@ -220,10 +220,10 @@ The certificate has been revoked. -=item B +=item B -A CA certificate is invalid. Either it is not a CA or its extensions are not -consistent with the supplied purpose. +The issuer certificate does not have a public key. =item B 
@@ -266,6 +266,44 @@ The current candidate issuer certificate was rejected because its C extension does not permit certificate signing. +=item B + +Unable to get CRL issuer certificate. + +=item B + +Unhandled critical extension. + +=item B + +Key usage does not include CRL signing. + +=item B + +Unhandled critical CRL extension. + +=item B + +Invalid non-CA certificate has CA markings. + +=item B + +Proxy path length constraint exceeded. + +=item B + +Key usage does not include digital signature, and therefore cannot sign +certificates. + +=item B + +Proxy certificates not allowed unless the B flag +is set. + =item B @@ -288,10 +326,14 @@ The only CRLs that could be found did not match the scope of the certificate. -=item B +=item B Some feature of a certificate extension is not supported. Unused. +=item B + +See RFC 3779 for details. + =item B A name constraint violation occurred in the permitted subtrees. @@ -306,6 +348,11 @@ A certificate name constraints extension included a minimum or maximum field: this is not supported. +=item B + +An application specific error. This will never be returned unless explicitly +set by an application callback. + =item B 
@@ -319,58 +366,15 @@ address format of a form not mentioned in RFC3280. This could be caused by a garbage extension or some new feature not currently supported. +=item B + +Unsupported or invalid name syntax. + =item B An error occurred when attempting to verify the CRL path. This error can only happen if extended CRL checking is enabled. -=item B - -An application specific error. This will never be returned unless explicitly -set by an application callback. - -=item B - -Unable to get CRL issuer certificate. - -=item B - -Unhandled critical extension. - -=item B - -Key usage does not include CRL signing. - -=item B - -Unhandled critical CRL extension. - -=item B - -Invalid non-CA certificate has CA markings. - -=item B - -Proxy path length constraint exceeded. - -=item B - -Key usage does not include digital signature, and therefore cannot sign -certificates. - -=item B - -Proxy certificates not allowed unless the B flag -is set. - -=item B - -See RFC 3779 for details. - -=item B - -Unsupported or invalid name syntax. - =item B Path loop. @@ -434,15 +438,28 @@ Returned by the verify callback to indicate that the certificate is not recognized by the OCSP responder. -=item B +=item B -The issuer certificate does not have a public key. +Cannot find certificate signature algorithm. -=item B +=item B The issuer's public key is not of the type required by the signature in the subject's certificate. +=item B + +The algorithm given in the certificate info is inconsistent + with the one used for the certificate signature. + +=item B + +A CA certificate is invalid. Either it is not a CA or its extensions are not +consistent with the supplied purpose. + =back =head1 NOTES diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod 
@@ -98,8 +98,9 @@ X509_VERIFY_PARAM_set_time() sets the verification time in B to B. Normally the current time is used. -X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled -by default) and adds B to the acceptable policy set. +X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. +Contrary to preexisting documentation of this function it does not enable +policy checking. X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled by default) and sets the acceptable policy set to B. Any existing @@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. +The function X509_VERIFY_PARAM_add0_policy() was historically documented as +enabling policy checking however the implementation has never done this. +The documentation was changed to align with the implementation. + =head1 COPYRIGHT Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man5/config.pod b/doc/man5/config.pod --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -73,7 +73,7 @@ The default behavior, where the B is B or B, is to treat the dollarsign as indicating a variable name; C is interpreted as C followed by the expansion of the variable C. If B is -B or B, then C is a single seven-character name nad +B or B, then C is a single seven-character name and variable expansions must be specified using braces or parentheses. .pragma [=] includedir:value @@ -575,7 +575,7 @@ =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_CIPHER-NULL.pod b/doc/man7/EVP_CIPHER-NULL.pod new file mode 100644 --- /dev/null +++ b/doc/man7/EVP_CIPHER-NULL.pod 
@@ -0,0 +1,72 @@ +=pod + +=head1 NAME + +EVP_CIPHER-NULL - The NULL EVP_CIPHER implementation + +=head1 DESCRIPTION + +Support for a NULL symmetric encryption using the B API. +This is used when the TLS cipher suite is TLS_NULL_WITH_NULL_NULL. +This does no encryption (just copies the data) and has a mac size of zero. + +=head2 Algorithm Name + +The following algorithm is available in the default provider: + +=over 4 + +=item "NULL" + +=back + +=head2 Parameters + +This implementation supports the following parameters: + +=head3 Gettable EVP_CIPHER parameters + +See L + +=head3 Gettable EVP_CIPHER_CTX parameters + +=over 4 + +=item "keylen" (B) + +=item "ivlen" (B and ) + +=item "tls-mac" (B) + +=back + +See L for further information. + +=head3 Settable EVP_CIPHER_CTX parameters + +=over 4 + +=item "tls-mac-size" (B) + +=back + +See L for further information. + +=head1 CONFORMING TO + +RFC 5246 section-6.2.3.1 + +=head1 SEE ALSO + +L, L + +=head1 COPYRIGHT + +Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man7/EVP_MD-NULL.pod b/doc/man7/EVP_MD-NULL.pod new file mode 100644 --- /dev/null +++ b/doc/man7/EVP_MD-NULL.pod 
@@ -0,0 +1,42 @@ +=pod + +=head1 NAME + +EVP_MD-NULL - The NULL EVP_MD implementation + +=head1 DESCRIPTION + +Support for a NULL digest through the B API. +This algorithm does nothing and returns 1 for its init, +update and final methods. + +=head2 Algorithm Name + +The following algorithm is available in the default provider: + +=over 4 + +=item "NULL" + +=back + +=head2 Gettable Parameters + +This implementation supports the common gettable parameters described +in L. + +=head1 SEE ALSO + +L, L, +L + +=head1 COPYRIGHT + +Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod --- a/doc/man7/EVP_PKEY-EC.pod +++ b/doc/man7/EVP_PKEY-EC.pod @@ -142,7 +142,7 @@ Used for getting the EC public key Y component. -=item (B) +=item "default-digest" (B) Getter that returns the default digest name. (Currently returns "SHA256" as of OpenSSL 3.0). @@ -272,7 +272,7 @@ =head1 COPYRIGHT -Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -172,6 +172,22 @@ =back +=head2 Random Number Generation + +=over 4 + +=item CTR-DRBG, see L + +=item HASH-DRBG, see L + +=item HMAC-DRBG, see L + +=item TEST-RAND, see L + +TEST-RAND is an unapproved algorithm. + +=back + =head1 SELF TESTING One of the requirements for the FIPS module is self testing. An optional callback 
@@ -409,7 +425,7 @@ =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod --- a/doc/man7/OSSL_PROVIDER-default.pod +++ b/doc/man7/OSSL_PROVIDER-default.pod @@ -71,6 +71,8 @@ =item RIPEMD160, see L +=item NULL, see L + =back =head2 Symmetric Ciphers @@ -93,6 +95,8 @@ =item ChaCha20-Poly1305, see L +=item NULL, see L + =back =head2 Message Authentication Code (MAC) @@ -216,6 +220,22 @@ =back +=head2 Random Number Generation + +=over 4 + +=item CTR-DRBG, see L + +=item HASH-DRBG, see L + +=item HMAC-DRBG, see L + +=item SEED-SRC, see L + +=item TEST-RAND, see L + +=back + =head2 Asymmetric Key Encoder The default provider also includes all of the encoding algorithms @@ -251,7 +271,7 @@ =head1 COPYRIGHT -Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/crypto.pod b/doc/man7/crypto.pod --- a/doc/man7/crypto.pod +++ b/doc/man7/crypto.pod @@ -116,7 +116,8 @@ Property query strings can be specified explicitly as an argument to a function. It is also possible to specify a default property query string for the whole -library context using the L function. Where both +library context using the L or +L functions. Where both default properties and function specific properties are specified then they are combined. Function specific properties will override default properties where there is a conflict. 
@@ -164,7 +165,7 @@ as a parameter an B object which may have been returned from an earlier call to L. -=head2 Implicit fetch +=head2 Implicit fetching OpenSSL has a number of functions that return an algorithm object with no associated implementation, such as L, L, @@ -210,6 +211,69 @@ =back +=head2 Performance + +If you perform the same operation many times then it is recommended to use +L to prefetch an algorithm once initially, +and then pass this created object to any operations that are currently +using L. +See an example of Explicit fetching in L. + +Prior to OpenSSL 3.0, constant method tables (such as EVP_sha256()) were used +directly to access methods. If you pass one of these convenience functions +to an operation the fixed methods are ignored, and only the name is used to +internally fetch methods from a provider. + +If the prefetched object is not passed to operations, then any implicit +fetch will use the internally cached prefetched object, but it will +still be slower than passing the prefetched object directly. + +Fetching via a provider offers more flexibility, but it is slower than the +old method, since it must search for the algorithm in all loaded providers, +and then populate the method table using provider supplied methods. +Internally OpenSSL caches similar algorithms on the first fetch +(so loading a digest caches all digests). + +The following methods can be used for prefetching: + +=over 4 + +=item L + +=item L + +=item L + +=item L + +=item L + +=item L + +=item L + +=item L + +=back + +The following methods are used internally when performing operations: + +=over 4 + +=item L + +=item L + +=item L + +=item L + +=back + +See L, and +for a list of algorithm names that +can be fetched. + =head1 FETCHING EXAMPLES The following section provides a series of examples of fetching algorithm 
@@ -404,6 +468,8 @@ * we're not supplying any particular search criteria for our SHA256 * implementation (second NULL parameter). Any SHA256 implementation will * do. + * In a larger application this fetch would just be done once, and could + * be used for multiple calls to other operations such as EVP_DigestInit_ex(). */ sha256 = EVP_MD_fetch(NULL, "SHA256", NULL); if (sha256 == NULL) @@ -504,7 +570,7 @@ =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -189,6 +189,15 @@ See also L and L. +=head4 Algorithm Fetching + +Using calls to convenience functions such as EVP_sha256() and EVP_aes_256_gcm() may +incur a performance penalty when using providers. +Retrieving algorithms from providers involves searching for an algorithm by name. +This is much slower than directly accessing a method table. +It is recommended to prefetch algorithms if an algorithm is used many times. +See L, L and L. + =head4 Support for Linux Kernel TLS In order to use KTLS, support for it must be compiled in using the 
@@ -2213,6 +2222,28 @@ =back +=head3 NID handling for provided keys and algorithms + +The following functions for NID (numeric id) handling have changed semantics. + +=over 4 + +=item * + +EVP_PKEY_id(), EVP_PKEY_get_id() + +This function was previously used to reliably return the NID of +an EVP_PKEY object, e.g., to look up the name of the algorithm of +such EVP_PKEY by calling L. With the introduction +of Ls EVP_PKEY_id() or its new equivalent +L might now also return the value -1 +(B) indicating the use of a provider to +implement the EVP_PKEY object. Therefore, the use of +L is recommended for retrieving +the name of the EVP_PKEY algorithm. + +=back + =head2 Using the FIPS Module in applications See L and L for details. diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod --- a/doc/man7/provider-asym_cipher.pod +++ b/doc/man7/provider-asym_cipher.pod @@ -127,8 +127,7 @@ The I, if not NULL, should be set on the context in a manner similar to using OSSL_FUNC_asym_cipher_set_ctx_params(). The key object should have been previously generated, loaded or imported into -the provider using the key management (OSSL_OP_KEYMGMT) operation (see -provider-keymgmt(7)>. +the provider using the key management (OSSL_OP_KEYMGMT) operation (see L). OSSL_FUNC_asym_cipher_encrypt() performs the actual encryption itself. A previously initialised asymmetric cipher context is passed in the I parameter. @@ -150,7 +149,7 @@ using OSSL_FUNC_asym_cipher_set_ctx_params(). The key object should have been previously generated, loaded or imported into the provider using the key management (OSSL_OP_KEYMGMT) operation (see -provider-keymgmt(7)>. +L). OSSL_FUNC_asym_cipher_decrypt() performs the actual decryption itself. A previously initialised asymmetric cipher context is passed in the I 
@@ -259,7 +258,7 @@ =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -312,7 +312,7 @@ of length I and operating system specific information. The I should contain uniquely identifying information and this is included, in an unspecified manner, as part of the output. -The output is stored in a buffer which contrains at least I and at +The output is stored in a buffer which contains at least I and at most I bytes. The buffer address is stored in I<*pout> and the buffer length returned to the caller. On error, zero is returned. @@ -779,7 +779,7 @@ #define OSSL_FUNC_BAR_FREECTX 2 typedef void (OSSL_FUNC_bar_freectx_fn)(void *ctx); - static ossl_inline OSSL_FUNC_bar_newctx(const OSSL_DISPATCH *opf) + static ossl_inline OSSL_FUNC_bar_freectx(const OSSL_DISPATCH *opf) { return (OSSL_FUNC_bar_freectx_fn *)opf->function; } #define OSSL_FUNC_BAR_INIT 3 @@ -809,7 +809,7 @@ =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod --- a/doc/man7/provider-cipher.pod +++ b/doc/man7/provider-cipher.pod @@ -228,7 +228,7 @@ L, L, L, L, L, L, L, L, L, -L, +L, L, L, L =head1 HISTORY 
@@ -237,7 +237,7 @@ =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-decoder.pod b/doc/man7/provider-decoder.pod --- a/doc/man7/provider-decoder.pod +++ b/doc/man7/provider-decoder.pod @@ -34,7 +34,7 @@ OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg); /* Functions to export a decoded object */ - void *OSSL_FUNC_decoder_export_object(void *ctx, + int OSSL_FUNC_decoder_export_object(void *ctx, const void *objref, size_t objref_sz, OSSL_CALLBACK *export_cb, void *export_cbarg); @@ -83,7 +83,7 @@ int selection, OSSL_CALLBACK *data_cb, void *data_cbarg, OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg); - static ossl_inline OSSL_FUNC_decoder_decode_fn + static ossl_inline OSSL_FUNC_decoder_decode_fn* OSSL_FUNC_decoder_decode(const OSSL_DISPATCH *opf); L arrays are indexed by numbers that are provided as @@ -302,7 +302,7 @@ =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-digest.pod b/doc/man7/provider-digest.pod --- a/doc/man7/provider-digest.pod +++ b/doc/man7/provider-digest.pod @@ -268,6 +268,7 @@ L, L, L, L, L, L, L, L, +L, L, L =head1 HISTORY @@ -276,7 +277,7 @@ =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -374,6 +374,36 @@ The value should be the number of security bits of the given key. Bits of security is defined in SP800-57. +=item "mandatory-digest" (B) + +If there is a mandatory digest for performing a signature operation with +keys from this keymgmt, this parameter should get its name as value. + +When EVP_PKEY_get_default_digest_name() queries this parameter and it's +filled in by the implementation, its return value will be 2. + +If the keymgmt implementation fills in the value C<""> or C<"UNDEF">, +L will place the string C<"UNDEF"> into +its argument I. This signifies that no digest should be specified +with the corresponding signature operation. + +=item "default-digest" (B) + +If there is a default digest for performing a signature operation with +keys from this keymgmt, this parameter should get its name as value. + +When L queries this parameter and it's +filled in by the implementation, its return value will be 1. Note that if +B is responded to as well, +L ignores the response to this +parameter. + +If the keymgmt implementation fills in the value C<""> or C<"UNDEF">, +L will place the string C<"UNDEF"> into +its argument I. This signifies that no digest has to be specified +with the corresponding signature operation, but may be specified as an +option. + =back =head1 RETURN VALUES @@ -412,7 +442,7 @@ =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod --- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod 
@@ -155,7 +155,7 @@ =item OSSL_FUNC_signature_verify_init and OSSL_FUNC_signature_verify -=item OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_init +=item OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_recover =item OSSL_FUNC_signature_digest_sign_init, OSSL_FUNC_signature_digest_sign_update and OSSL_FUNC_signature_digest_sign_final @@ -411,7 +411,7 @@ =head1 RETURN VALUES OSSL_FUNC_signature_newctx() and OSSL_FUNC_signature_dupctx() should return the newly created -provider side signature, or NULL on failure. +provider side signature context, or NULL on failure. OSSL_FUNC_signature_gettable_ctx_params(), OSSL_FUNC_signature_settable_ctx_params(), OSSL_FUNC_signature_gettable_md_ctx_params() and OSSL_FUNC_signature_settable_md_ctx_params(), @@ -429,7 +429,7 @@ =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_padlock.c b/engines/e_padlock.c --- a/engines/e_padlock.c +++ b/engines/e_padlock.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -146,6 +146,19 @@ return (padlock_use_rng || padlock_use_ace); } +# ifndef AES_ASM +static int padlock_aes_set_encrypt_key(const unsigned char *userKey, + const int bits, + AES_KEY *key); +static int padlock_aes_set_decrypt_key(const unsigned char *userKey, + const int bits, + AES_KEY *key); +# define AES_ASM +# define AES_set_encrypt_key padlock_aes_set_encrypt_key +# define AES_set_decrypt_key padlock_aes_set_decrypt_key +# include "../crypto/aes/aes_core.c" +# endif + /* * This stuff is needed if this ENGINE is being compiled into a * self-contained shared-library. @@ -646,12 +659,10 @@ AES_set_decrypt_key(key, key_len, &cdata->ks); else AES_set_encrypt_key(key, key_len, &cdata->ks); -# ifndef AES_ASM /* * OpenSSL C functions use byte-swapped extended key. */ padlock_key_bswap(&cdata->ks); -# endif cdata->cword.b.keygen = 1; break; diff --git a/include/crypto/bn.h b/include/crypto/bn.h --- a/include/crypto/bn.h +++ b/include/crypto/bn.h @@ -114,10 +114,4 @@ extern const BIGNUM ossl_bn_inv_sqrt_2; -int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, - const BN_BLINDING *blinding, - const BIGNUM *possible_arg2, - const BIGNUM *to_mod, BN_CTX *ctx, - unsigned char *buf, int num); - #endif diff --git a/include/crypto/cmperr.h b/include/crypto/cmperr.h --- a/include/crypto/cmperr.h +++ b/include/crypto/cmperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/dsaerr.h b/include/crypto/dsaerr.h --- a/include/crypto/dsaerr.h +++ b/include/crypto/dsaerr.h 
@@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/ecerr.h b/include/crypto/ecerr.h --- a/include/crypto/ecerr.h +++ b/include/crypto/ecerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/refcount.h b/include/internal/refcount.h --- a/include/internal/refcount.h +++ b/include/internal/refcount.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,7 +13,7 @@ # include # include -# ifndef OPENSSL_DEV_NO_ATOMICS +# if defined(OPENSSL_THREADS) && !defined(OPENSSL_DEV_NO_ATOMICS) # if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L \ && !defined(__STDC_NO_ATOMICS__) # include diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * 
@@ -323,8 +323,8 @@ int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, const unsigned char *ref, int len); -int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, - const int len); +int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, + const unsigned char *sec, int len); /* CMP message header and extra certificates: */ int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name); int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); @@ -384,6 +384,7 @@ OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); +int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid); OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq); diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h --- a/include/openssl/cmperr.h +++ b/include/openssl/cmperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -67,7 +67,9 @@ # define CMP_R_MISSING_P10CSR 121 # define CMP_R_MISSING_PBM_SECRET 166 # define CMP_R_MISSING_PRIVATE_KEY 131 +# define CMP_R_MISSING_PRIVATE_KEY_FOR_POPO 190 # define CMP_R_MISSING_PROTECTION 143 +# define CMP_R_MISSING_PUBLIC_KEY 183 # define CMP_R_MISSING_REFERENCE_CERT 168 # define CMP_R_MISSING_SECRET 178 # define CMP_R_MISSING_SENDER_IDENTIFICATION 111 diff --git a/include/openssl/dsaerr.h b/include/openssl/dsaerr.h --- a/include/openssl/dsaerr.h 
+++ b/include/openssl/dsaerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,6 +38,7 @@ # define DSA_R_P_NOT_PRIME 115 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 +# define DSA_R_TOO_MANY_RETRIES 116 # endif #endif diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h --- a/include/openssl/ecerr.h +++ b/include/openssl/ecerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -90,6 +90,7 @@ # define EC_R_RANDOM_NUMBER_GENERATION_FAILED 158 # define EC_R_SHARED_INFO_ERROR 150 # define EC_R_SLOT_FULL 108 +# define EC_R_TOO_MANY_RETRIES 176 # define EC_R_UNDEFINED_GENERATOR 113 # define EC_R_UNDEFINED_ORDER 128 # define EC_R_UNKNOWN_COFACTOR 164 diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums 
@@ -21,13 +21,17 @@ c7c6694480bb5319690f94826139a93f5c460ebea6dba101b520a76cb956ec93 crypto/aes/asm/aesni-x86_64.pl f3a8f3c960c0f47aaa8fc2633d18b14e7c7feeccc536b0115a08bc58333122b6 crypto/aes/asm/aesp8-ppc.pl e397a5781893e97dd90a5a52049633be12a43f379ec5751bca2a6350c39444c8 crypto/aes/asm/aest4-sparcv9.pl -90d53250761de35280f57463855b1a41403c68dfe22771b2f622c5c9b3418eb4 crypto/aes/asm/aesv8-armx.pl -15cf92ba0ea6fb216c75bb0c134fa1e1b4159a3f9d3c571b2a8319252c4ae633 crypto/aes/asm/bsaes-armv7.pl +a097f9d71de7cefa8e93629033ff1986fb01128623ec051d9b5afef55c0e5ebb crypto/aes/asm/aesv8-armx.pl +5e8005fdb6641df465bdda20c3476f7176e6bcd63d5073044a0c02a327c7f172 crypto/aes/asm/bsaes-armv7.pl 0726a2c4c15c27a12b2f7d5e16863df4a1b1daa7b7d9b728f621b2b224d290e6 crypto/aes/asm/bsaes-x86_64.pl 1ff94d6bf6c8ae4809f64657eb89260fe3cb22137f649d3c73f72cb190258196 crypto/aes/asm/vpaes-armv8.pl c3541865cd02d81101cdbab4877ed82772e6980d2c677b9008b38fa1b26d36d4 crypto/aes/asm/vpaes-ppc.pl 3ec24185750a995377516bc2fb2eae8b1c52094c6fff093bff591837fc12d6c3 crypto/aes/asm/vpaes-x86.pl 060bb6620f50af9afecdf97df051b45b9a50be9daf343dfec1cbb29693ce00a4 crypto/aes/asm/vpaes-x86_64.pl +2bc67270155e2d6c7da87d9070e005ee79cea18311004907edfd6a078003532a crypto/alphacpuid.pl +0255a480b78bdcc71f76676f496962a9828eb900f53b7be13be96ae3f67fe6db crypto/arm64cpuid.pl +e0daf54f72dd8fd1bc537d93f34e2a6a887a9ed6027bb33e15a327ef5ff37a42 crypto/armcap.c +a43f2c1eef16146943745f684f2add7d186924932a47abf7fb0760cba02804e6 crypto/armv4cpuid.pl 16739d54200fb81ca7835b5814f965022a2ab41589c7787e2697e3ea72d4fafa crypto/asn1_dsa.c 819c9fd2b0cae9aab81c3cbd1815c2e22949d75f132f649b5883812d0bbaa39a crypto/bn/asm/alpha-mont.pl 0070595128b250b9ebdebe48ce53d2d27ca16ec4f7c6c8bd169ab2e4a913b2d1 crypto/bn/asm/armv4-gf2m.pl 
@@ -66,8 +70,8 @@ da7f7780d27eed164797e5334cd45b35d9c113e86afaca051463aef9a8fd787c crypto/bn/asm/x86_64-mont.pl 259fb8d7f40c0dba46920b1f169d5b37de03b0fda645463d19e3ae2b56de851d crypto/bn/asm/x86_64-mont5.pl 0ea8185a037a2951bb3d1e590bbbdeac305176d5e618f3e43a04c09733a9de34 crypto/bn/bn_add.c -3962dfaa0142e67115ab84f7809d46d59bd122758be09a081b08b2e0d4743b2e crypto/bn/bn_asm.c -01a35f971062b97b4953604151d3b6a411be439743b5540aa25b638d2186db6f crypto/bn/bn_blind.c +759c2b9df808b3562fe8b0c7778dbadbf35f261e14fc2d5090d18c35b4181760 crypto/bn/bn_asm.c +14bd5a35c05fcf454854b92fb30b356d7ac618c1eb699dd798f6ad2936d1f5ee crypto/bn/bn_blind.c 7b761d541e3b7f6a3f2b14a09b2b3836a079a845cf67a54db4853e3fd38277c6 crypto/bn/bn_const.c 58b587e20404efa408b31a88ba9c357059ced709bea78c07deb91df7b687db81 crypto/bn/bn_conv.c 2893b6d03d4850d09c15959941b0759bbb50d8c20e873bed088e7cde4e15a65a crypto/bn/bn_ctx.c 
@@ -79,28 +83,28 @@ 4d6cc7ed36978247a191df1eea0120f8ee97b639ba228793dabe5a8355a1a609 crypto/bn/bn_gf2m.c 081e8a6abc23599307dab3b1a92113a65e0bf8717cbc40c970c7469350bc4581 crypto/bn/bn_intern.c 602ed46fbfe12c899dfb7d9d99ff0dbfff96b454fce3cd02817f3e2488dd9192 crypto/bn/bn_kron.c -b33295765dc6d3843e3571007e2d6dbe75564645ebf181191a91464706d9fadb crypto/bn/bn_lib.c -0567e3881c4577f25eb7b93070ac1914251d5ef98e3ac4ebacec09a65a12868c crypto/bn/bn_local.h +bf73a1788a92142963177fb698bc518af9981bbf0ad9784701fbb2462ca10607 crypto/bn/bn_lib.c +d5beb9fbac2ff5dc3ccbdfa4d1aabca7225c778cff4e3b05b6d6c63e182637f5 crypto/bn/bn_local.h 07247dc2ccc55f3be525baed92fd20031bbaa80fd0bc56155e80ee0da3fc943d crypto/bn/bn_mod.c f60f3d49b183b04bcdf9b82f7c961b8c1bcb00e68a2c1166fe9edd95a783356e crypto/bn/bn_mont.c 2da73a76b746a47d8cf8ec8b3e0708c2a34e810abde4b4f1241a49e7f5bb2b60 crypto/bn/bn_mpi.c 76982b18b0803d59b33168b260677e7412970757d3b9513de5c80025290f211d crypto/bn/bn_mul.c -4e3bf49a788ec36cd1d919475bc410a743931aa144e7c60d603e9c0b448faab4 crypto/bn/bn_nist.c +1f65ad369352d51af1a75eccf598cb497b400ebd86252f5ca8aac54bbb3cc7bd crypto/bn/bn_nist.c c6760a724d696b7209f0a71f8483fabcf4f081f7e93e2628284c32ef78f69365 crypto/bn/bn_prime.c c56ad3073108a0de21c5820a48beae2bccdbf5aa8075ec21738878222eb9adc3 crypto/bn/bn_prime.h 628419eabdb88b265823e43a7a1c88fdfecef79771180836f6089050dc9eadb1 crypto/bn/bn_rand.c 1f6e13da1d9965b341f81bc0842a987a7db9b7de0fa7f7040d49be01b92d282b crypto/bn/bn_recp.c -626226d4dae8e19530a60d8a94b270b262740550787fc46f686b301a043c705b crypto/bn/bn_rsa_fips186_4.c +a5c5c9f99961a5a7f22a3dcdce964c8a330f822be17f08652223a20fed747d0a crypto/bn/bn_rsa_fips186_4.c 704b0b4723e5c9e9bae5f3e35f9ae8ae8dca3383929e954de9e5169845abfdb2 crypto/bn/bn_shift.c 622e90766b29e0d25f46474429aebda8eba2246835b9e85dc26da7cdbd49334f crypto/bn/bn_sqr.c 42c8ce944c889abcfcf089d0ad2744b7587696d8d7785efa91b3f7ec53dc062a crypto/bn/bn_sqrt.c 24e62baa56e02f2db6454e10168b7c7fa7638db9221b9acda1803d43f38f36e0 
crypto/bn/bn_word.c -2e69544977adab07422acab5cbb32f4efb7ab68bc160dde711e3f7a8e755b43d crypto/bn/rsa_sup_mul.c be27115efd36f0077a3ec26b1ff1f586b0b8969ba05d8ffa34b2ff4badf227bf crypto/bn/rsaz_exp.c c4d64da1cdc732ea918fccd6a7bb2746b03365dd26f7ba1e74e08c307ca4c58e crypto/bn/rsaz_exp.h 5b82cb8dbf3087c2e671871cb0a92e4039223a51af533a2ee996f3bfd47453a7 crypto/bn/rsaz_exp_x2.c 834db8ff36006e5cb53e09ca6c44290124bd23692f4341ea6563b66fcade4cea crypto/bsearch.c c39334b70e1394e43f378ae8d31b6e6dc125e4d9181e6536d38e649c4eaadb75 crypto/buffer/buffer.c +5f43844b5d8665de9ab895f93599150a327d73ec2674bbf7d7c512d30163022d crypto/c64xpluscpuid.pl 0e1a41a2d81b5765bca3df448f60bf1fad91e485fe89dd65a7300ffc419e316d crypto/cmac/cmac.c ff9be205d6d7ff00b0e64508f0eb8d9ec0415fbabc0948d26e308212b3f7b2d8 crypto/context.c c309d81ea991ddf5be4337afad2fd132169f7443c76f863349d3f3c82f3374e4 crypto/core_algorithm.c 
@@ -131,10 +135,10 @@ b1de1624e590dbf76f76953802ff162cc8de7c5e2eaba897313c866424d6902b crypto/dsa/dsa_key.c 9e436a2e0867920c3a5ac58bc14300cad4ab2c4c8fe5e40b355dfd21bfdfe146 crypto/dsa/dsa_lib.c f4d52d3897219786c6046bf76abb2f174655c584caa50272bf5d281720df5022 crypto/dsa/dsa_local.h -f88db9fd73a78e66967e56df442b55230f405b4cd804f31f8696324f0b702f15 crypto/dsa/dsa_ossl.c -6222aa8f60d7451d974dd87c66995033919f36d7f858cbe609cf731ad1eee34e crypto/dsa/dsa_sign.c +38062c6eebdb2f88fa0c6592837a96a49de2ae520d3ad483a3e02921c8adb094 crypto/dsa/dsa_ossl.c +d612fd05ff98816ba6cf37f84c0e31443ad9d840ed587a7ab2066027da390325 crypto/dsa/dsa_sign.c 53fa10cc87ac63e35df661882852dc46ae68e6fee83b842f1aeefe00b8900ee1 crypto/dsa/dsa_vrf.c -0a206e4c4de4702808cba7c9304bedb66abcbc33e513bc25574a795cd5fa3db0 crypto/ec/asm/ecp_nistp521-ppc64.pl +d9722ad8c6b6e209865a921f3cda831d09bf54a55cacd1edd9802edb6559190a crypto/ec/asm/ecp_nistp521-ppc64.pl 78ad06b88fcc8689a3a846b82f9ee01546e5734acd1bccf2494e523b71dc74d1 crypto/ec/asm/ecp_nistz256-armv4.pl 4617351d2de4d0b2abfd358c58050cee00702d0b4c1acca09312ec870e351c7d crypto/ec/asm/ecp_nistz256-armv8.pl 3715ddd921425f3018741037f01455ed26a840ace08691a800708170a66cf4d2 crypto/ec/asm/ecp_nistz256-ppc64.pl @@ -174,7 +178,7 @@ 129c6b42417bfcf582f4a959cfd65433e6f85b158274f4fa38f9c62615ac9166 crypto/ec/ec_oct.c c7fba2f2c33f67dafa23caef8c3abd12f5336274a9a07d412b83be0366969ee6 crypto/ec/ecdh_kdf.c b2cf8f052a5716137da7b0e857ed7a5df5fb513b6d14534199a05e32f2b5a866 crypto/ec/ecdh_ossl.c -c3750d77c287500884a1ab01def8a6a8500c345d5de1c0f6a70e614fff1b9755 crypto/ec/ecdsa_ossl.c +099f7836a31643c58bda3829090ea81fe3d5acaa4c6f7b145d8355a4293d0ccc crypto/ec/ecdsa_ossl.c b6baa42b16e8df69a12e0ab101033100cddc808ec2682ba1574373e6ec86ae93 crypto/ec/ecdsa_sign.c f686cea8c8a3259d95c1e6142813d9da47b6d624c62f26c7e4a16d5607cddb35 crypto/ec/ecdsa_vrf.c 141cfc1459214555b623517a054a9e8d5e4065a11301237b7247be2c6f397a0a crypto/ec/ecp_mont.c 
@@ -187,7 +191,7 @@ 22c44f561ab42d1bd7fd3a3c538ebaba375a704f98056b035e7949d73963c580 crypto/ec/ecx_key.c 28abc295dad8888b5482eb61d31cd78dd80545ecb67dc6f9446a36deb8c40a5e crypto/evp/asymcipher.c 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b crypto/evp/dh_support.c -59d514629005748901718e82f2646ecb1d7fbedbc872726749ce9a5af0d205f2 crypto/evp/digest.c +1af3872164b4a4757bc7896a24b4d2f8eb2cfb4cba0d872a93db69975693e0a6 crypto/evp/digest.c 838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55 crypto/evp/ec_support.c 1c3d1b1f800b1f1f5adb1fdbdd67cdf37ca7ea93b264d1468c72a63c140873ce crypto/evp/evp_enc.c 7f10367f9b6191c4a8c01784130d26b2d778485a41cdac5fa17c9a1c4096f132 crypto/evp/evp_fetch.c 
@@ -200,30 +204,31 @@ 1d72f5506984df1df8606e8c7045f041cf517223e2e1b50c4da8ba8bf1c6c186 crypto/evp/kdf_meth.c 5179624b8e03615dc9caedc9ec16d094fa081495613dd552d71c2c39475bcd83 crypto/evp/kem.c 5016dd7ef8b4cf7e9ea8465c18d1daa4c8808cb589261cf236058ee75bc868d7 crypto/evp/keymgmt_lib.c -a976cf4e7bfb61e06a147360b748238010d23efb069d191fd023abc38d9a2af9 crypto/evp/keymgmt_meth.c +46ffdc73f8a7fc314dc8988f2751a6e9f9784719f4f162dc4be2450b65b55261 crypto/evp/keymgmt_meth.c e1a052839b8b70dca20dbac1282d61abd1c415bf4fb6afb56b811e8770d8a2e1 crypto/evp/m_sigver.c 4290c95f63b43688a8da57690d122add5161a6811f9753da1444d28f46739961 crypto/evp/mac_lib.c e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3 crypto/evp/mac_meth.c -b3eebfe75d050bef62a2ce6c13399a2b72bdf60bb540666d01a47691f68931b3 crypto/evp/p_lib.c +546d83abecf8973e2d872102a03bde5a46552909fa9e7d1402e1464a27453801 crypto/evp/p_lib.c 3b4228b92eebd04616ecc3ee58684095313dd5ffd1b43cf698a7d6c202cb4622 crypto/evp/pmeth_check.c 1f0e9e94e9b0ad322956521b438b78d44cfcd8eb974e8921d05f9e21ba1c05cf crypto/evp/pmeth_gn.c 76511fba789089a50ef87774817a5482c33633a76a94ecf7b6e8eb915585575d crypto/evp/pmeth_lib.c 4b2dbddf0f9ceed34c3822347138be754fb194febca1c21c46bcc3a5cce33674 crypto/evp/signature.c b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data.c -709d40d5096497349b8b9e2917e949a0a75e6065df62798d1816866ca7e7b4ca crypto/ffc/ffc_backend.c +1c8389c5d49616d491978f0f2b2a54ba82d805ec41c8f75c67853216953cf46a crypto/ffc/ffc_backend.c a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc_dh.c 854378f57707e31ad02cca6eec94369f91f327288d3665713e249c12f7b13211 crypto/ffc/ffc_key_generate.c 2695c9c8ad9193a8c1ab53d5d09712d50d12c91eb8d62e8a15cbc78f327afe84 crypto/ffc/ffc_key_validate.c -b18d5d7cfc95163defea41f5a081e90f6a7163a6b81c6cfadb8b470ef2e83fc5 crypto/ffc/ffc_params.c +8b72d5a7452b2c15aec6d20027053a83f7df89d49a3b6cfedd77e2b1a29e9fc1 crypto/ffc/ffc_params.c 
1a1d227f9a0f427d2ec93bc646c726c9cd49a84a343b4aff0c9c744fa6df05a9 crypto/ffc/ffc_params_generate.c 73dac805abab36cd9df53a421221c71d06a366a4ce479fa788be777f11b47159 crypto/ffc/ffc_params_validate.c 0a4fc92e408b0562cf95c480df93a9907a318a2c92356642903a5d50ed04fd88 crypto/hmac/hmac.c 0395c1b0834f2f4a0ca1756385f4dc1a4ef6fb925b2db3743df7f57256c5166f crypto/hmac/hmac_local.h +0e2d6129504d15ffaf5baa63158ccec0e4b6193a8275333956d8f868ef35127e crypto/ia64cpuid.S f897493b50f4e9dd4cacb2a7accda6683c10ece602641874cdff1dac7128a751 crypto/initthread.c 5482c47c266523129980302426d25839fda662f1544f4b684707e6b272a952c9 crypto/lhash/lhash.c 5d49ce00fc06df1b64cbc139ef45c71e0faf08a33f966bc608c82d574521a49e crypto/lhash/lhash_local.h f866aafae928db1b439ac950dc90744a2397dfe222672fe68b3798396190c8b0 crypto/mem_clr.c -183bdca6f855182d7d2c78a5c961b34283f85ea69ac828b700605ee82546397d crypto/modes/asm/aes-gcm-armv8_64.pl +e14f48d4112c0efe3826b4aa390cc24045a85298cc551ec7f3f36ac4236d7d81 crypto/modes/asm/aes-gcm-armv8_64.pl 1d686af304f94743038f916125effcb51790c025f3165d8d37b526bbeee781f0 crypto/modes/asm/aesni-gcm-x86_64.pl c2e874a8deb418b5d8c935b2e256370566a5150e040c9fa008cdb5b463c26904 crypto/modes/asm/ghash-alpha.pl 6bc7d63569c73d7020ede481f2de05221ac92403c7cc11e7263ada7644f6aa9b crypto/modes/asm/ghash-armv4.pl 
@@ -251,6 +256,8 @@ 06e67fdd2a308bf355c8dae2e0acd9af94f6e53d428a7d31966311eb5c0aebc1 crypto/params.c 4fda13f6af05d80b0ab89ec4f5813c274a21a9b4565be958a02d006236cef05c crypto/params_dup.c a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_from_text.c +97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c +3ca43596a7528dec8ff9d1a3cd0d68b62640f84b1d6a8b5e4842cfd0be1133ad crypto/ppccpuid.pl b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c 7da6ae864beb1a4daa4be31eb41d48141a3a7eb7a263a4937a6889e05656a595 crypto/property/property.c 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h 
@@ -272,14 +279,16 @@ cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c 5c60f6e05db82e13178d805deb1947b8eee4a905e6e77523d3b288da70a46bb5 crypto/rsa/rsa_none.c 33de2accc3af530fd0a4758eb83d5e1d994bf49bac4512b01387dbae656e1a7d crypto/rsa/rsa_oaep.c -178c98421b54ec50ee55470a7b1acb771ed22efef2c2c0e059544baa7e6d387e crypto/rsa/rsa_ossl.c +e05fcad237b7e4e7842ad6e142789fe25d060247283c337c78703be6ecc31ed9 crypto/rsa/rsa_ossl.c be3f39c1fcb777d6c0122061f9ef735d10a6bee95d67fcc1ca6ae2a664022d2b crypto/rsa/rsa_pk1.c 174a42e156be48927fe6d6bf0d95575619b8e643a99761275bff933bc3449722 crypto/rsa/rsa_pss.c bf6d300b7e7e9e512a47c5bd1f8713806ae3033a140d83dfae4a16ad58d11170 crypto/rsa/rsa_schemes.c f01af62704dbf9457e2669c3e7c1d4d740f0388faa49df93611b987a8aa2bf11 crypto/rsa/rsa_sign.c 740c022caff3b2487c5838b581cdddcc7de2ceabb504aad72dc0dd70a67bf7cf crypto/rsa/rsa_sp800_56b_check.c -20e54cf2a8fd23ced0962c5f358cedd8ec0c398a87d33b34f1a4326d11e4892e crypto/rsa/rsa_sp800_56b_gen.c +3aba73dacebb046faf8d09dc279149b52c629004b524ec33e6d81c8ad0bc31a8 crypto/rsa/rsa_sp800_56b_gen.c 1c1c2aeeb18bf1d69e8f134315b7e50d8f43d30eb1aa5bf42983eec9136a2fdc crypto/rsa/rsa_x931.c +0acbebed48f6242d595c21e3c1ad69da0daa960d62062e8970209deda144f337 crypto/s390xcap.c +22205848cfb55116ebf999dced8331b575886a609ce29e6886e6267b2310c337 crypto/s390xcpuid.pl 5fa59240ca885cbc0c1cd026934b226d44fc9c3fdf0c2e7e3a7bd7f4963ca2e5 crypto/self_test_core.c 05c533fde7fdba0c76103e97d881b7224c8427451b453e2f6413552996063e31 crypto/sha/asm/keccak1600-armv4.pl ca3b2b654f9a8c4bc2fa2538c1f19d17acd4a6b9e0df6a4b81df04efa697e67e crypto/sha/asm/keccak1600-armv8.pl 
@@ -329,17 +338,20 @@ 3d972a11be18bfbfcd45790028635d63548bfe0a2e45d2fc56b6051b759d22f0 crypto/sha/sha3.c 8038a5a97f826f519424db634be5b082b3f7eca3ccb89875ca40fa6bd7dfdcfd crypto/sha/sha512.c 6c6f0e6069ac98e407a5810b84deace2d1396d252c584703bcd154d1a015c3ea crypto/sha/sha_local.h +9ef5a01caccc2eb15f72e367d0424737040ac8018479bbbbce3d216c655765c2 crypto/sparccpuid.S +5056b14a55665ffa342a9a1bb32c1c36886add5d0819869193427f33cee028f7 crypto/sparcv9cap.c c50c584c55e56347bb43aca4b796b5344d70daece3061f586b79c871c21f5d1a crypto/sparse_array.c 8da78169fa8c09dc3c29c9bf1602b22e88c5eac4815e274ba1864c166e31584b crypto/stack/stack.c 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c 2637a8727dee790812b000f2e02b336f7907949df633dda72938bbaafdb204fe crypto/threads_pthread.c -7959c65c27280cdb1166a30a27c931befd6cfa4ed109094c40eb5a6d253c790c crypto/threads_win.c +88423960f0414f6fd41fba4f4c67f9f7260c2741e4788adcd52493e895ec8027 crypto/threads_win.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl +bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl 0a9c484f640d96e918921f57f592e82e99ccdbe35d3138d64b10c7af839e9a07 e_os.h 6f353dc7c8c4d8f24f7ffbf920668ccb224ebb5810805a7c80d96770cd858005 include/crypto/aes_platform.h 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h -f49a26fc4348f3b79507dc4a04fade82cf870f7c22e6c977f402c859fdd1b98b include/crypto/bn.h +8ce1b35c6924555ef316c7c51d6c27656869e6da7f513f45b7a7051579e3e54d include/crypto/bn.h 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in 7a43a4898fcc8446065e6c99249bcc14e475716e8c1d40d50408c0ab179520e6 include/crypto/bn_dh.h e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h 
@@ -378,7 +390,7 @@ d4ac19b28ea61f03383364cfad1e941cac44fc36787d80882c5b76ecc9d34e29 include/internal/property.h 727326afb3d33fdffdf26471e313f27892708318c0934089369e4b28267e2635 include/internal/propertyerr.h 6a899ef3e360c7144d84d3c3dbbd14aa457f5d38b83b13c0be7ec7f372076595 include/internal/provider.h -5af9a40c44def13576fe2c0eb082fb73c3565c5e00f902d51b1ed1593d481ccb include/internal/refcount.h +80d7d12b8b3d9945bde3991cb0d1413d120a58a04b17ac673549789e3f37b18a include/internal/refcount.h 11ee9893f7774c83fcfdee6e0ca593af3d28b779107883553facdbfdae3a68f5 include/internal/sha3.h 494ab5c802716bf38032986674fb094dde927a21752fe395d82e6044d81801d1 include/internal/sizes.h 24f41a1985fa305833c3f58030c494d2563d15fc922cdf3eeb6a7ea8c135a880 include/internal/symhacks.h @@ -410,11 +422,11 @@ 3a57eceec58ab781d79cb0458c2251a233f45ba0ef8f414d148c55ac2dff1bc8 include/openssl/dh.h 836130f5a32bbdce51b97b34758ed1b03a9d06065c187418eaf323dca6adfc6d include/openssl/dherr.h 92ae2c907fd56859e3ae28a085071611be5c9245879305cdf8bad027219e64b6 include/openssl/dsa.h -335eb40a33cd1e95e7783bda2d031ec2bcf02cff8aa804ba3484d1354452b7ea include/openssl/dsaerr.h +276d1f6e111ba933bc708e6a0670047cbe0d0b67aabe31807abbbc231de4d8cf include/openssl/dsaerr.h 41bf49e64e1c341a8c17778147ddeba35e88dfd7ff131db6210e801ef25a8fd5 include/openssl/e_os2.h bc9ec2be442a4f49980ba2c63c8f0da701de1f6e23d7db35d781658f833dd7b9 include/openssl/ebcdic.h 33b6321d1c6b7b1621198346946401bb81472054aa236b03c6f22f247248d2ad include/openssl/ec.h -dad1943d309aaadb800be4a3056096abec611d81982b83c601b482405e11d5c0 include/openssl/ecerr.h +7aa8c5bee779af59d4733f6a50f7f6be39f1eb43409e5b3357440f9a7d0ca115 include/openssl/ecerr.h 61c76ee3f12ed0e42503a56421ca00f1cb9a0f4caa5f9c4421c374bcd45917d7 include/openssl/encoder.h 69dd983f45b8ccd551f084796519446552963a18c52b70470d978b597c81b2dc include/openssl/encodererr.h c6ee8f17d7252bdd0807a124dc6d50a95c32c04e17688b7c2e061998570b7028 include/openssl/err.h.in 
@@ -488,7 +500,7 @@ f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h d3c95c9c6cc4e3b1a5e4b2bfb2ae735a4109d763bcda7b1e9b8f9eb253f79820 providers/fips/self_test_data.inc 629f619ad055723e42624230c08430a3ef53e17ab405dc0fd35499e9ca4e389c providers/fips/self_test_kats.c -6b082c1af446ef9a2bfe68a9ee4362dfa4f1f09f975f11f9ba2e5010493039c6 providers/implementations/asymciphers/rsa_enc.c +cd784a44a01a8a30a6be63381344a7f5432e74d40b02ea471c5b0dc943a7ac9d providers/implementations/asymciphers/rsa_enc.c 4db1826ecce8b60cb641bcd7a61430ec8cef73d2fe3cbc06aa33526afe1c954a providers/implementations/ciphers/cipher_aes.c f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/implementations/ciphers/cipher_aes.h 89378cce6d31e8c2f221f9f29d0b17622624eb83e4ecec8465f7641f68352917 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -518,7 +530,7 @@ 74640ce402acc704af72e055fb7f27e6aa8efd417babc56f710478e571d8631c providers/implementations/ciphers/cipher_cts.h fcc3bb0637864252402aaa9d543209909df9a39611127f777b168bc888498dc0 providers/implementations/ciphers/cipher_tdes.c 77709f7fc3f7c08986cd4f0ebf2ef6e44bacb975c1483ef444b3cf5e5071f9d6 providers/implementations/ciphers/cipher_tdes.h -9e07260067083c76d26eb0dd8a8bb4a8dac678812644ff88951a0661be70d9fd providers/implementations/ciphers/cipher_tdes_common.c +6fc41326c5f464f27b7d31c16d5ad7116d6244b99e242893f6c96d0c61f3639a providers/implementations/ciphers/cipher_tdes_common.c 50645122f08ef4891cd96cace833bd550be7f5278ab785515fd61fe8993c8c25 providers/implementations/ciphers/cipher_tdes_hw.c 6bb3c24bfd872e3b4c779b29e9f962348f6ae3effeb4f243c8ea66abefe8a4fa providers/implementations/ciphers/ciphercommon.c dd72ea861edf70b94197821ceb00e07165d550934a2e851d62afa5034b79f468 providers/implementations/ciphers/ciphercommon_block.c 
@@ -545,7 +557,7 @@ c95ce5498e724b9b3d58e3c2f4723e7e3e4beb07f9bea9422e43182cbadb43af providers/implementations/include/prov/macsignature.h 29d1a112b799e1f45fdf8bcee8361c2ed67428c250c1cdf408a9fbb7ebf4cce1 providers/implementations/include/prov/names.h 2187713b446d8b6d24ee986748b941ac3e24292c71e07ff9fb53a33021decdda providers/implementations/include/prov/seeding.h -04f22d6afbad5a6e806cf3af9a25843ccfefb748e24d97a09830a1677706acd5 providers/implementations/kdfs/hkdf.c +4e71ffd329f1715d14b54e14036b4b2618deb2fd81675287ce5eeb6c76a31d54 providers/implementations/kdfs/hkdf.c a62e3af09f5af84dcf36f951ba4ac90ca1694adaf3747126186020b155f94186 providers/implementations/kdfs/kbkdf.c e0644e727aacfea4da3cf2c4d2602d7ef0626ebb760b6467432ffd54d5fbb24d providers/implementations/kdfs/pbkdf2.c c0778565abff112c0c5257329a7750ec4605e62f26cc36851fa1fbee6e03c70c providers/implementations/kdfs/pbkdf2.h 
@@ -557,18 +569,18 @@ 6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43 providers/implementations/kem/rsa_kem.c 37120f8a420de0e44b7dc1f31b50d59520e5318cf546e83684e0c3de5c7b76c5 providers/implementations/keymgmt/dh_kmgmt.c 2a4493c9e68f41d37d7ec69c272005c6df7b1a34db2d49663f52e836e4fd888c providers/implementations/keymgmt/dsa_kmgmt.c -ed6825fb92d0ab30f9f858ee29dfa403caa22430cccf493f850f993fd03a975e providers/implementations/keymgmt/ec_kmgmt.c +9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc d77ece2494e6b12a6201a2806ee5fb24a6dc2fa3e1891a46012a870e0b781ab1 providers/implementations/keymgmt/ecx_kmgmt.c 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c e30357311e4a3e1c78266af6315fd1fc99584bfb09f4a7cd0ddc7261cf1e17e1 providers/implementations/keymgmt/mac_legacy_kmgmt.c -96b47ba54dcbc05f7ee98c7f78df04e9671b6dbddbc85e3ea53e74ad04663e7a providers/implementations/keymgmt/rsa_kmgmt.c +19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75 providers/implementations/keymgmt/rsa_kmgmt.c aeb42590728ca87b916b8a3d337351b1c82ee0747213e5ce740c2350b3db7185 providers/implementations/macs/cmac_prov.c e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c 895c8dc7235b9ad5ff893be0293cbc245a5455e8850195ac7d446646e4ea71d0 providers/implementations/macs/hmac_prov.c f75fbfe5348f93ad610da7d310f4e8fecf18c0549f27605da25d393c33e0edc2 providers/implementations/macs/kmac_prov.c bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c providers/implementations/rands/crngt.c -c7236e6e2e8adce14f8206da0ceef63c7974d4ba1a7dd71b94fa100cac6b46ba providers/implementations/rands/drbg.c +9d23df7f99beec7392c9d4ed813407050bc2d150098888fe802e2c9705fc33fa 
providers/implementations/rands/drbg.c bb5f8161a80d0d1a7ee919af2b167972b00afd62e326252ca6aa93101f315f19 providers/implementations/rands/drbg_ctr.c a05adc3f6d9d6f948e5ead75f0522ed3164cb5b2d301169242f3cb97c4a7fac3 providers/implementations/rands/drbg_hash.c 0876dfae991028c569631938946e458e6829cacf4cfb673d2b144ae50a3160bb providers/implementations/rands/drbg_hmac.c @@ -578,6 +590,6 @@ a30dc6308de0ca33406e7ce909f3bcf7580fb84d863b0976b275839f866258df providers/implementations/signature/ecdsa_sig.c 02e833a767afbe98247d6f09dfb1eb5a5cf7304a93f2c5427a9f6af9c8a3b549 providers/implementations/signature/eddsa_sig.c 3bb0f342b4cc1b4594ed0986adc47791c0a7b5c1ae7b1888c1fb5edb268a78d9 providers/implementations/signature/mac_legacy_sig.c -2334c8bba705032b8c1db5dd28e024a45a73b72cae82a2d815fe855445a49d10 providers/implementations/signature/rsa_sig.c +5b5e51acce1f6e86581de9ee870e64772f69562362b34079ac65c5d6fffaddef providers/implementations/signature/rsa_sig.c a14e901b02fe095713624db4080b3aa3ca685d43f9ebec03041f992240973346 ssl/record/tls_pad.c 3f2e01a98d9e3fda6cc5cb4b44dd43f6cae4ec34994e8f734d11b1e643e58636 ssl/s3_cbc.c diff --git a/providers/fips.checksum b/providers/fips.checksum --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -fd6bce79efec94a99e40c919e0a5ee392514b81cac01d4d46b5c76f27fb1b839 providers/fips-sources.checksums +d4b8aaf04173ffd7bdd7d64e823002a988146d85c193a4bb8217dc8225583169 providers/fips-sources.checksums diff --git a/providers/fips.module.sources b/providers/fips.module.sources --- a/providers/fips.module.sources +++ b/providers/fips.module.sources @@ -28,6 +28,10 @@ crypto/aes/asm/vpaes-ppc.pl crypto/aes/asm/vpaes-x86.pl crypto/aes/asm/vpaes-x86_64.pl +crypto/alphacpuid.pl +crypto/arm64cpuid.pl +crypto/armcap.c +crypto/armv4cpuid.pl crypto/asn1_dsa.c crypto/bn/asm/alpha-mont.pl crypto/bn/asm/armv4-gf2m.pl 
@@ -95,12 +99,12 @@ crypto/bn/bn_sqr.c crypto/bn/bn_sqrt.c crypto/bn/bn_word.c -crypto/bn/rsa_sup_mul.c crypto/bn/rsaz_exp.c crypto/bn/rsaz_exp.h crypto/bn/rsaz_exp_x2.c crypto/bsearch.c crypto/buffer/buffer.c +crypto/c64xpluscpuid.pl crypto/cmac/cmac.c crypto/context.c crypto/core_algorithm.c @@ -219,6 +223,7 @@ crypto/ffc/ffc_params_validate.c crypto/hmac/hmac.c crypto/hmac/hmac_local.h +crypto/ia64cpuid.S crypto/initthread.c crypto/lhash/lhash.c crypto/lhash/lhash_local.h @@ -251,6 +256,8 @@ crypto/params.c crypto/params_dup.c crypto/params_from_text.c +crypto/ppccap.c +crypto/ppccpuid.pl crypto/property/defn_cache.c crypto/property/property.c crypto/property/property_local.h @@ -280,6 +287,8 @@ crypto/rsa/rsa_sp800_56b_check.c crypto/rsa/rsa_sp800_56b_gen.c crypto/rsa/rsa_x931.c +crypto/s390xcap.c +crypto/s390xcpuid.pl crypto/self_test_core.c crypto/sha/asm/keccak1600-armv4.pl crypto/sha/asm/keccak1600-armv8.pl @@ -329,6 +338,8 @@ crypto/sha/sha3.c crypto/sha/sha512.c crypto/sha/sha_local.h +crypto/sparccpuid.S +crypto/sparcv9cap.c crypto/sparse_array.c crypto/stack/stack.c crypto/threads_lib.c @@ -336,6 +347,7 @@ crypto/threads_pthread.c crypto/threads_win.c crypto/x86_64cpuid.pl +crypto/x86cpuid.pl e_os.h include/crypto/aes_platform.h include/crypto/asn1_dsa.h diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -161,10 +161,12 @@ return 0; } if (prsactx->oaep_md == NULL) { - OPENSSL_free(tbuf); prsactx->oaep_md = EVP_MD_fetch(prsactx->libctx, "SHA-1", NULL); - ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); - return 0; + if (prsactx->oaep_md == NULL) { + OPENSSL_free(tbuf); + ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); + return 0; + } } ret = ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c --- a/providers/implementations/ciphers/cipher_tdes_common.c +++ b/providers/implementations/ciphers/cipher_tdes_common.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -123,13 +123,12 @@ if (kl == 0 || RAND_priv_bytes_ex(ctx->libctx, ptr, kl, 0) <= 0) return 0; DES_set_odd_parity(deskey); - if (kl >= 16) + if (kl >= 16) { DES_set_odd_parity(deskey + 1); - if (kl >= 24) { - DES_set_odd_parity(deskey + 2); - return 1; + if (kl >= 24) + DES_set_odd_parity(deskey + 2); } - return 0; + return 1; } int ossl_tdes_get_ctx_params(void *vctx, OSSL_PARAM params[]) diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -554,7 +554,7 @@ if (!HMAC_Final(hmac, prev, NULL)) goto err; - copy_len = (done_len + dig_len > okm_len) ? + copy_len = (dig_len > okm_len - done_len) ? okm_len - done_len : dig_len; diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -745,7 +745,7 @@ } p->return_size = EC_POINT_point2oct(ecg, ecp, POINT_CONVERSION_UNCOMPRESSED, - p->data, p->return_size, bnctx); + p->data, p->data_size, bnctx); if (p->return_size == 0) goto err; } diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -124,9 +124,9 @@ /* OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS are always available even if empty */ if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && (RSA_get0_e(rsa) != NULL); - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) ok = ok && (RSA_get0_n(rsa) != NULL); + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) + ok = ok && (RSA_get0_e(rsa) != NULL); if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && (RSA_get0_d(rsa) != NULL); return ok; diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -256,7 +256,7 @@ } else if (drbg->parent_clear_seed != NULL) { if (!ossl_drbg_lock_parent(drbg)) return; - drbg->parent_clear_seed(drbg, out, outlen); + drbg->parent_clear_seed(drbg->parent, out, outlen); ossl_drbg_unlock_parent(drbg); } } diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -823,14 +823,17 @@ return 0; } } else { + int ret; + if (!setup_tbuf(prsactx)) return 0; - rslen = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, - prsactx->pad_mode); - if (rslen == 0) { + ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, + prsactx->pad_mode); + if (ret <= 0) { ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } + rslen = (size_t)ret; } if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen)) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -1011,13 +1011,11 @@ return &s->rlayer.d->bitmap; /* - * Only HM and ALERT messages can be from the next epoch and only if we - * have already processed all of the unprocessed records from the last - * epoch + * We can only handle messages from the next epoch if we have already + * processed all of the unprocessed records from the previous epoch */ - else if (rr->epoch == (unsigned long)(s->rlayer.d->r_epoch + 1) && - s->rlayer.d->unprocessed_rcds.epoch != s->rlayer.d->r_epoch && - (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { + else if (rr->epoch == (unsigned long)(s->rlayer.d->r_epoch + 1) + && s->rlayer.d->unprocessed_rcds.epoch != s->rlayer.d->r_epoch) { *is_next_epoch = 1; return &s->rlayer.d->next_bitmap; } diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -215,25 +215,7 @@ /* start with empty packet ... */ if (left == 0) rb->offset = align; - else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) { - /* - * check if next packet length is large enough to justify payload - * alignment... - */ - pkt = rb->buf + rb->offset; - if (pkt[0] == SSL3_RT_APPLICATION_DATA - && (pkt[3] << 8 | pkt[4]) >= 128) { - /* - * Note that even if packet is corrupted and its length field - * is insane, we can only be led to wrong decision about - * whether memmove will occur or not. Header values has no - * effect on memmove arguments and therefore no buffer - * overrun can be triggered. - */ - memmove(rb->buf + align, pkt, left); - rb->offset = align; - } - } + s->rlayer.packet = rb->buf + rb->offset; s->rlayer.packet_length = 0; /* ... now we can act as if 'extend' was set */ @@ -626,14 +608,13 @@ if (numpipes > maxpipes) numpipes = maxpipes; - if (n / numpipes >= max_send_fragment) { + if (n / numpipes >= split_send_fragment) { /* * We have enough data to completely fill all available * pipelines */ - for (j = 0; j < numpipes; j++) { - pipelens[j] = max_send_fragment; - } + for (j = 0; j < numpipes; j++) + pipelens[j] = split_send_fragment; } else { /* We can partially fill all available pipelines */ tmppipelen = n / numpipes; diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -58,6 +58,11 @@ if (ssl_allow_compression(s)) len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif + + /* Ensure our buffer is large enough to support all our pipelines */ + if (s->max_pipelines > 1) + len *= s->max_pipelines; + if (b->default_len > len) len = b->default_len; if ((p = OPENSSL_malloc(len)) == NULL) { diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -576,6 +576,7 @@ } } + ERR_set_mark(); enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0, macbufs, mac_size); /*- 
@@ -587,6 +588,7 @@ if (enc_err == 0) { if (ossl_statem_in_error(s)) { /* SSLfatal() already got called */ + ERR_clear_last_mark(); goto end; } if (num_recs == 1 && ossl_statem_skip_early_data(s)) { @@ -595,6 +597,12 @@ * it like an empty record. */ + /* + * Remove any errors from the stack. Decryption failures are normal + * behaviour. + */ + ERR_pop_to_mark(); + thisrr = &rr[0]; if (!early_data_count_ok(s, thisrr->length, @@ -610,9 +618,12 @@ ret = 1; goto end; } + ERR_clear_last_mark(); SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); goto end; + } else { + ERR_clear_last_mark(); } OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length); @@ -964,6 +975,7 @@ EVP_CIPHER_CTX *ds; size_t reclen[SSL_MAX_PIPELINES]; unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN]; + unsigned char *data[SSL_MAX_PIPELINES]; int i, pad = 0, tmpr; size_t bs, ctr, padnum, loop; unsigned char padval; @@ -1123,8 +1135,6 @@ } } if (n_recs > 1) { - unsigned char *data[SSL_MAX_PIPELINES]; - /* Set the output buffers */ for (ctr = 0; ctr < n_recs; ctr++) { data[ctr] = recs[ctr].data; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -24,6 +24,16 @@ #include "ssl_local.h" #include "ssl_cert_table.h" #include "internal/thread_once.h" +#ifndef OPENSSL_NO_POSIX_IO +# include +# ifdef _WIN32 +# define stat _stat +# endif +# ifndef S_ISDIR +# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) +# endif +#endif + static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, void *other, 
@@ -751,7 +761,14 @@ while ((filename = OPENSSL_DIR_read(&d, dir))) { char buf[1024]; int r; +#ifndef OPENSSL_NO_POSIX_IO + struct stat st; +#else + /* Cannot use stat so just skip current and parent directories */ + if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0) + continue; +#endif if (strlen(dir) + strlen(filename) + 2 > sizeof(buf)) { ERR_raise(ERR_LIB_SSL, SSL_R_PATH_TOO_LONG); goto err; @@ -760,6 +777,11 @@ r = BIO_snprintf(buf, sizeof(buf), "%s%s", dir, filename); #else r = BIO_snprintf(buf, sizeof(buf), "%s/%s", dir, filename); +#endif +#ifndef OPENSSL_NO_POSIX_IO + /* Skip subdirectories */ + if (!stat(buf, &st) && S_ISDIR(st.st_mode)) + continue; #endif if (r <= 0 || r >= (int)sizeof(buf)) goto err; diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -190,9 +190,10 @@ dest->ticket_appdata = NULL; memset(&dest->ex_data, 0, sizeof(dest->ex_data)); - /* We deliberately don't copy the prev and next pointers */ + /* As the copy is not in the cache, we remove the associated pointers */ dest->prev = NULL; dest->next = NULL; + dest->owner = NULL; dest->references = 1; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -765,6 +765,7 @@ tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); if (tmparr == NULL) goto end; + OPENSSL_free(*pext); *pext = tmparr; *pextlen = gcb.gidcnt; ret = 1;
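Review bot: the fips.module.sources hunk at `@@ -95,12 +99,12 @@` drops `crypto/bn/rsa_sup_mul.c` from the module source list, but none of the fips-sources.checksums hunks visible here removes the matching checksum entry; confirm that line is dropped as well (and that both lists were regenerated rather than hand-edited), otherwise the checksum file references a source that is no longer part of the module. The new platform capability sources added to fips.module.sources (`crypto/ppccap.c`, `crypto/ppccpuid.pl`, `crypto/s390xcap.c`, `crypto/s390xcpuid.pl`, `crypto/sparccpuid.S`, `crypto/sparcv9cap.c`, `crypto/x86cpuid.pl`) do have matching new checksum lines, so the removal is the one entry to double-check.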
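Review bot: the rsa_enc.c hunk at `@@ -161,10 +161,12 @@` is a correct fix: before it, the `prsactx->oaep_md == NULL` branch freed `tbuf`, raised `ERR_R_INTERNAL_ERROR` and returned 0 unconditionally, so the SHA-1 fallback fetched on the line in between could never be used and any OAEP operation without an explicitly set digest failed. One thing to check: the fallback `EVP_MD_fetch(prsactx->libctx, "SHA-1", NULL)` passes NULL as the property query, so it ignores any property string the caller configured on this context; if the context carries one, it should be passed here too.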
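Review bot: the return value changes in the cipher_tdes_common.c hunk at `@@ -123,13 +123,12 @@`, not only the brace structure: previously the function returned 1 only when `kl >= 24` and 0 for a 16-byte (two-key) or 8-byte key even though the key material had already been generated and parity-adjusted; now every `kl != 0` path returns 1. That is the sensible behaviour, but it is a behavioural change for any caller that relied on the old failure, so a test that generates a 16-byte key and checks the return value is worth adding. Also, `DES_set_odd_parity(deskey)` still runs for every non-zero `kl`, including sizes that are not a multiple of 8; unless the caller already rejects those, validating `kl` against the allowed key sizes before the `RAND_priv_bytes_ex` call would be cleaner.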
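Review bot: rewriting the `copy_len` condition in hkdf.c (`@@ -554,7 +554,7 @@`) as `dig_len > okm_len - done_len` removes a possible unsigned wrap in `done_len + dig_len`, but it is only safe if `done_len <= okm_len` holds at this point; if `done_len` could ever exceed `okm_len`, the subtraction wraps to a huge value, `copy_len` becomes `dig_len`, and the copy writes past the output. The expansion loop presumably maintains that invariant, but a one-line comment at the site stating it would stop the next reader from "fixing" the expression back.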
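Review bot: good catch in the ec_kmgmt.c hunk at `@@ -745,7 +745,7 @@`: the old `EC_POINT_point2oct()` call passed `p->return_size`, an output field holding whatever value it had at the time, as the capacity of `p->data` instead of the caller-supplied `p->data_size`, so the caller's buffer size was never actually honoured. A regression test that requests the public point into an `OSSL_PARAM` buffer smaller than the encoded point and checks that the call fails (`return_size == 0` path) rather than writing past the buffer would pin the fix down.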
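Review bot: the swap in the rsa_kmgmt.c hunk at `@@ -124,9 +124,9 @@` changes which component each selection requires: `n` is now required whenever any part of the keypair is selected and `e` only when the public key is selected, instead of the reverse. Since a private key always needs the modulus, that is the correct ordering, but the commit message should state which selection combination was failing under the old one so the change can be tested rather than inferred.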
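Review bot: the drbg.c hunk at `@@ -256,7 +256,7 @@` passed the child `drbg` where `parent_clear_seed` expects the parent; the fix to `drbg->parent` matches the surrounding `ossl_drbg_lock_parent(drbg)` / `ossl_drbg_unlock_parent(drbg)` bracket, which locks the parent, not the child. If there are other `parent_*` callback invocations in this file, they are worth checking for the same slip, and a test where a child DRBG clears its parent's seed and then verifies the parent's state changed would catch a regression.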
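Review bot: the old check `if (rslen == 0)` in the rsa_sig.c hunk at `@@ -823,14 +823,17 @@` missed the error case: `RSA_public_decrypt()` returns an `int` that is negative on failure, and storing it straight into the `size_t rslen` turned -1 into a huge value that only the later `rslen != tbslen` comparison happened to reject. Keeping the result in an `int ret`, testing `ret <= 0` and casting to `size_t` only afterwards is the right shape; the same int-to-size_t pattern should be applied wherever else in this file an RSA primitive's result is stored in a `size_t`.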
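Review bot: the condition change in rec_layer_d1.c (`@@ -1011,13 +1011,11 @@`) drops the `rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT` restriction, so any record type from epoch `r_epoch + 1`, application data included, is now accepted into `next_bitmap` once the previous epoch's unprocessed records are drained. The rewritten comment describes the new rule accurately, but the rationale for admitting non-handshake records from the next epoch is not visible here; the commit message should state the case that was being mishandled, and a DTLS test that delivers a next-epoch record should accompany the change.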
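Review bot: with the alignment `memmove` block removed in the rec_layer_s3.c hunk at `@@ -215,25 +215,7 @@`, the local `pkt` is no longer assigned in this region; if it is not used elsewhere in the function its declaration should go too, or builds that treat unused-variable warnings as errors will break. It would also help for the commit message to say why the realignment optimisation was dropped, since the removed comment argued it was safe.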
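Review bot: switching the pipelining threshold and per-pipeline length from `max_send_fragment` to `split_send_fragment` in the rec_layer_s3.c hunk at `@@ -626,14 +608,13 @@` fills pipelines to the configured split size rather than the maximum fragment size, which looks like the intended semantics, but it silently depends on `split_send_fragment <= max_send_fragment` holding wherever those values are set, otherwise `pipelens[j]` can exceed what the record layer is prepared to send. The unchanged `else` branch (`tmppipelen = n / numpipes`) is the path hit when data is scarce; a test that sends exactly `numpipes * split_send_fragment` bytes with `split_send_fragment < max_send_fragment` would cover the new boundary.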
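Review bot: multiplying `len` by `s->max_pipelines` in the ssl3_buffer.c hunk at `@@ -58,6 +58,11 @@` before the `default_len` comparison is the right order (the default cannot shrink a multi-pipeline buffer), and it pairs with the `split_send_fragment` change in rec_layer_s3.c: once each pipeline can carry a full fragment, a single-fragment buffer is too small. Assuming `max_pipelines` is capped at `SSL_MAX_PIPELINES`, overflow of the `size_t` product is not a concern, but the comment could state that the buffer must hold `max_pipelines` records plus their per-record overhead.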
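Review bot: every path out of the region opened by `ERR_set_mark()` in ssl3_record.c (`@@ -576,6 +576,7 @@`) must end in exactly one `ERR_pop_to_mark()` or `ERR_clear_last_mark()`, and the paths visible across the hunks up to `@@ -610,9 +618,12 @@` do: the `ossl_statem_in_error(s)` exit, the early-data path (`ERR_pop_to_mark()`, which also removes the mark, so the `early_data_count_ok()` failure that follows is handled correctly), the `SSLfatal(... SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC)` path and the new `else` for successful decryption. Anyone adding a new exit between `ERR_set_mark()` and these sites will leak a mark, so a short comment at the `ERR_set_mark()` site naming the matching pops would help. Discarding the decryption errors only for the early-data case is the right call: a bad record MAC on 0-RTT data is expected, while the ordinary failure path keeps the underlying errors on the stack for diagnosis.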
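Review bot: the `# include` line inside the new `#ifndef OPENSSL_NO_POSIX_IO` block in ssl_cert.c (`@@ -24,6 +24,16 @@`) names no header as shown; the code added later uses `struct stat`, `stat()`, `S_IFMT` and `S_IFDIR`, which on POSIX come from `<sys/stat.h>`, so that is what the line needs to carry (if the name was lost in rendering, the patch itself is fine, but the hunk as displayed is misleading). The `# define stat _stat` for `_WIN32` relies on the same macro rewriting both the `struct stat` type and the `stat()` call to their `_stat` counterparts, which is subtle enough to deserve a comment.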
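Review bot: in the ssl_cert.c hunk at `@@ -760,6 +777,11 @@` the new `stat(buf, &st)` runs before the existing `if (r <= 0 || r >= (int)sizeof(buf)) goto err;` check of the `BIO_snprintf` result, so on a failed or truncated path construction `buf` is stat'ed before it has been validated. Move the `#ifndef OPENSSL_NO_POSIX_IO` stat block below the `r` check; the earlier `strlen(dir) + strlen(filename) + 2 > sizeof(buf)` test covers the common truncation case, but the order is still wrong in principle. In the `#else` branch (`@@ -751,7 +761,14 @@`), skipping `.` and `..` by name is a reasonable fallback, and the POSIX branch skips them via `S_ISDIR` as well, so the two builds behave the same.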
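Review bot: `OPENSSL_free(*pext)` before `*pext = tmparr` in the t1_lib.c hunk at `@@ -765,6 +765,7 @@` fixes a leak when the extension array is set more than once, but it assumes `*pext` is always either NULL or a heap allocation owned by this code; if any caller passes a pointer into memory it did not obtain from `OPENSSL_malloc`/`OPENSSL_memdup`, this becomes a bad free. A comment on the function contract, and a pass over the callers, would make the assumption explicit.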