authorPierre Pronchery <pierre@freebsdfoundation.org>2023-09-22 14:52:58 +0000
committerEd Maste <emaste@FreeBSD.org>2023-09-22 15:55:26 +0000
commit315108b81694de474bbc273c0050b195047f5eed (patch)
treee3f2a313c74d0ae64bb2f0da5ecd9edb258e361f /crypto
parentcf2fc1b0f5ce501f5a29d307294e5637e0f5aba6 (diff)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/asn1/a_strnid.c4
-rw-r--r--crypto/asn1/asn1_gen.c11
-rw-r--r--crypto/chacha/asm/chacha-ia64.pl2
-rw-r--r--crypto/cmp/cmp_asn.c10
-rw-r--r--crypto/cmp/cmp_client.c2
-rw-r--r--crypto/cmp/cmp_status.c7
-rw-r--r--crypto/cms/cms_env.c21
-rw-r--r--crypto/cms/cms_lib.c5
-rw-r--r--crypto/cms/cms_local.h3
-rw-r--r--crypto/cms/cms_sd.c6
-rw-r--r--crypto/conf/conf_sap.c3
-rw-r--r--crypto/encode_decode/decoder_lib.c7
-rw-r--r--crypto/encode_decode/decoder_pkey.c8
-rw-r--r--crypto/engine/eng_lib.c24
-rw-r--r--crypto/engine/eng_list.c11
-rw-r--r--crypto/engine/eng_local.h6
-rw-r--r--crypto/engine/eng_table.c12
-rw-r--r--crypto/evp/ctrl_params_translate.c22
-rw-r--r--crypto/evp/p_lib.c2
-rw-r--r--crypto/http/http_client.c15
-rw-r--r--crypto/mem.c5
-rw-r--r--crypto/pem/pem_pkey.c13
-rwxr-xr-xcrypto/perlasm/arm-xlate.pl7
-rw-r--r--crypto/pkcs12/p12_crt.c64
-rwxr-xr-xcrypto/poly1305/asm/poly1305-x86_64.pl6
-rw-r--r--crypto/property/property.c6
-rw-r--r--crypto/provider_core.c8
-rw-r--r--crypto/rsa/rsa_ameth.c5
-rw-r--r--crypto/srp/srp_vfy.c3
-rw-r--r--crypto/store/store_lib.c6
-rw-r--r--crypto/threads_pthread.c4
-rw-r--r--crypto/x509/v3_ist.c8
-rw-r--r--crypto/x509/x509_cmp.c9
33 files changed, 209 insertions, 116 deletions
diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c
index 9e54db929282..d052935661d3 100644
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -129,8 +129,10 @@ ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
int idx;
ASN1_STRING_TABLE fnd;
+#ifndef OPENSSL_NO_AUTOLOAD_CONFIG
/* "stable" can be impacted by config, so load the config file first */
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
fnd.nid = nid;
if (stable) {
diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c
index 64620a4f28a7..402ab34e6a46 100644
--- a/crypto/asn1/asn1_gen.c
+++ b/crypto/asn1/asn1_gen.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -698,9 +698,12 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
atmp->value.asn1_string->data = rdata;
atmp->value.asn1_string->length = rdlen;
atmp->value.asn1_string->type = utype;
- } else if (format == ASN1_GEN_FORMAT_ASCII)
- ASN1_STRING_set(atmp->value.asn1_string, str, -1);
- else if ((format == ASN1_GEN_FORMAT_BITLIST)
+ } else if (format == ASN1_GEN_FORMAT_ASCII) {
+ if (!ASN1_STRING_set(atmp->value.asn1_string, str, -1)) {
+ ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
+ goto bad_str;
+ }
+ } else if ((format == ASN1_GEN_FORMAT_BITLIST)
&& (utype == V_ASN1_BIT_STRING)) {
if (!CONF_parse_list
(str, ',', 1, bitstr_cb, atmp->value.bit_string)) {
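Review bot: The new failure branch for `ASN1_STRING_set()` always raises `ERR_R_MALLOC_FAILURE`, which mislabels the error if the call can fail for another reason, such as an over-long input string. If `ASN1_STRING_set()` already queues its own error, the extra `ERR_raise` could be dropped, leaving only `goto bad_str;`. Otherwise a short comment such as `/* ASN1_STRING_set() only fails on allocation here */` would record the assumption. The body of asn1_str2type() starts and ends outside this hunk, so what `bad_str` cleans up is not visible here.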
diff --git a/crypto/chacha/asm/chacha-ia64.pl b/crypto/chacha/asm/chacha-ia64.pl
index b13d97285575..78201649d550 100644
--- a/crypto/chacha/asm/chacha-ia64.pl
+++ b/crypto/chacha/asm/chacha-ia64.pl
@@ -46,6 +46,8 @@ ChaCha20_ctr32:
ADDP @k[11]=4,$key
.save ar.lc,r3
mov r3=ar.lc }
+{ .mmi; ADDP $out=0,$out
+ ADDP $inp=0,$inp }
{ .mmi; ADDP $key=0,$key
ADDP $counter=0,$counter
.save pr,r14
diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
index 0ca107554c96..a8de73ad979b 100644
--- a/crypto/cmp/cmp_asn.c
+++ b/crypto/cmp/cmp_asn.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@@ -188,22 +188,22 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
return 0;
}
-/* get ASN.1 encoded integer, return -1 on error */
+/* get ASN.1 encoded integer, return -2 on error; -1 is valid for certReqId */
int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
{
int64_t res;
if (!ASN1_INTEGER_get_int64(&res, a)) {
ERR_raise(ERR_LIB_CMP, ASN1_R_INVALID_NUMBER);
- return -1;
+ return -2;
}
if (res < INT_MIN) {
ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_SMALL);
- return -1;
+ return -2;
}
if (res > INT_MAX) {
ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_LARGE);
- return -1;
+ return -2;
}
return (int)res;
}
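Review bot: The error sentinel of ossl_cmp_asn1_get_int() is now a bare `-2` that other files have to know about. In this commit cmp_status.c maps `res == -2` back to `-1`, and cert_response() in cmp_client.c relies on `rid < OSSL_CMP_CERTREQID_NONE` to catch it. A named constant defined next to `OSSL_CMP_CERTREQID_NONE` (for example `#define OSSL_CMP_CERTREQID_INVALID -2`, name illustrative) would keep those sites in step. Because `-2` is also a value a peer can encode in an ASN1_INTEGER, the function comment should add that callers must treat `-2` as invalid rather than as data. Any caller outside this diff that still tests the result against `-1` needs the same audit.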
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index dc41f4c3b7d9..df334cc00198 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -584,7 +584,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
return 0;
if (rid == OSSL_CMP_CERTREQID_NONE) { /* used for OSSL_CMP_PKIBODY_P10CR */
rid = ossl_cmp_asn1_get_int(crep->certReqId);
- if (rid != OSSL_CMP_CERTREQID_NONE) {
+ if (rid < OSSL_CMP_CERTREQID_NONE) {
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
return 0;
}
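Review bot: The relaxed test `rid < OSSL_CMP_CERTREQID_NONE` has no comment saying that it now does two jobs. It rejects the parse-error return of ossl_cmp_asn1_get_int(), and it accepts any certReqId of -1 or above that the server sends in reply to a p10cr. I would add `/* accept any certReqId >= -1 from the server; smaller values include the -2 parse-error return */` above the `if`. On the parse-error path `CMP_R_BAD_REQUEST_ID` is raised on top of the more specific error already queued by ossl_cmp_asn1_get_int(), which may be worth avoiding. The rest of cert_response() is outside this hunk, so whether the accepted `rid` is validated further cannot be seen here.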
diff --git a/crypto/cmp/cmp_status.c b/crypto/cmp/cmp_status.c
index bfe6cd9906b8..68144aa4fed8 100644
--- a/crypto/cmp/cmp_status.c
+++ b/crypto/cmp/cmp_status.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@@ -30,9 +30,12 @@
int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si)
{
+ int res ;
+
if (!ossl_assert(si != NULL && si->status != NULL))
return -1;
- return ossl_cmp_asn1_get_int(si->status);
+ res = ossl_cmp_asn1_get_int(si->status);
+ return res == -2 ? -1 : res;
}
const char *ossl_cmp_PKIStatus_to_string(int status)
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index bd1f3e7345d4..99cf1dcb396c 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -26,7 +26,7 @@ static void cms_env_set_version(CMS_EnvelopedData *env);
#define CMS_ENVELOPED_STANDARD 1
#define CMS_ENVELOPED_AUTH 2
-static int cms_get_enveloped_type(const CMS_ContentInfo *cms)
+static int cms_get_enveloped_type_simple(const CMS_ContentInfo *cms)
{
int nid = OBJ_obj2nid(cms->contentType);
@@ -38,11 +38,28 @@ static int cms_get_enveloped_type(const CMS_ContentInfo *cms)
return CMS_ENVELOPED_AUTH;
default:
- ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
return 0;
}
}
+static int cms_get_enveloped_type(const CMS_ContentInfo *cms)
+{
+ int ret = cms_get_enveloped_type_simple(cms);
+
+ if (ret == 0)
+ ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
+ return ret;
+}
+
+void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf)
+{
+ if (cms_get_enveloped_type_simple(cinf) != 0) {
+ CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cinf);
+ if (ec != NULL)
+ OPENSSL_clear_free(ec->key, ec->keylen);
+ }
+}
+
CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms)
{
if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) {
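Review bot: In the new `ossl_cms_env_enc_content_free()`, `ec->key` is left pointing at freed memory after `OPENSSL_clear_free(ec->key, ec->keylen);`. That was harmless while the code lived only inside CMS_ContentInfo_free(), but the helper is now exported through cms_local.h and takes a `const CMS_ContentInfo *`, so a second call or a later read of `ec->key` would touch freed key material. Adding `ec->key = NULL;` and `ec->keylen = 0;` after the free makes it safe to call more than once. A blank line after the `CMS_EncryptedContentInfo *ec = ...` declaration would also match the surrounding style.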
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
index 1d2c5bc42288..8b135e95aacc 100644
--- a/crypto/cms/cms_lib.c
+++ b/crypto/cms/cms_lib.c
@@ -76,10 +76,7 @@ CMS_ContentInfo *CMS_ContentInfo_new(void)
void CMS_ContentInfo_free(CMS_ContentInfo *cms)
{
if (cms != NULL) {
- CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms);
-
- if (ec != NULL)
- OPENSSL_clear_free(ec->key, ec->keylen);
+ ossl_cms_env_enc_content_free(cms);
OPENSSL_free(cms->ctx.propq);
ASN1_item_free((ASN1_VALUE *)cms, ASN1_ITEM_rptr(CMS_ContentInfo));
}
diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h
index 15b4a29ce03d..253f6819e435 100644
--- a/crypto/cms/cms_local.h
+++ b/crypto/cms/cms_local.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -444,6 +444,7 @@ BIO *ossl_cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain);
BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms);
int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio);
+void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf);
CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms);
CMS_AuthEnvelopedData *ossl_cms_get0_auth_enveloped(CMS_ContentInfo *cms);
CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms);
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 34c021bba64a..53c8e378f318 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -233,9 +233,9 @@ static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd)
int i;
if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC"))
- return ossl_cms_ecdsa_dsa_sign(si, cmd);
+ return ossl_cms_ecdsa_dsa_sign(si, cmd) > 0;
else if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS"))
- return ossl_cms_rsa_sign(si, cmd);
+ return ossl_cms_rsa_sign(si, cmd) > 0;
/* Something else? We'll give engines etc a chance to handle this */
if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL)
diff --git a/crypto/conf/conf_sap.c b/crypto/conf/conf_sap.c
index 513f8bfc1fb9..3019bcf31af8 100644
--- a/crypto/conf/conf_sap.c
+++ b/crypto/conf/conf_sap.c
@@ -65,7 +65,8 @@ int ossl_config_int(const OPENSSL_INIT_SETTINGS *settings)
#endif
#ifndef OPENSSL_SYS_UEFI
- ret = CONF_modules_load_file(filename, appname, flags);
+ ret = CONF_modules_load_file_ex(OSSL_LIB_CTX_get0_global_default(),
+ filename, appname, flags);
#else
ret = 1;
#endif
diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c
index e24d2c6cd588..2e4b7ed60b9c 100644
--- a/crypto/encode_decode/decoder_lib.c
+++ b/crypto/encode_decode/decoder_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -743,10 +743,11 @@ static int decoder_process(const OSSL_PARAM params[], void *arg)
(void *)new_data.ctx, LEVEL, rv);
} OSSL_TRACE_END(DECODER);
- data->flag_construct_called = 1;
ok = (rv > 0);
- if (ok)
+ if (ok) {
+ data->flag_construct_called = 1;
goto end;
+ }
}
/* The constructor didn't return success */
diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c
index ed10bb1cee03..ad5e2805319b 100644
--- a/crypto/encode_decode/decoder_pkey.c
+++ b/crypto/encode_decode/decoder_pkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -150,7 +150,11 @@ static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst,
import_data.keymgmt = keymgmt;
import_data.keydata = NULL;
- import_data.selection = data->selection;
+ if (data->selection == 0)
+ /* import/export functions do not tolerate 0 selection */
+ import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
+ else
+ import_data.selection = data->selection;
/*
* No need to check for errors here, the value of
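Review bot: The new `if`/`else` puts a comment plus a statement in an unbraced branch, and the comment does not say what widening a zero selection implies. Judging by its name, `OSSL_KEYMGMT_SELECT_ALL` covers private key components as well, so a decoder context with no selection now imports everything the keymgmt offers; if that is intended, say so. A single expression reads more safely: `import_data.selection = data->selection != 0 ? data->selection : OSSL_KEYMGMT_SELECT_ALL;`. It could carry the comment `/* import/export reject a 0 selection; fall back to all components, private ones included */`. decoder_construct_pkey() continues outside this hunk.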
diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c
index dfd53a433195..cfdb5a50f481 100644
--- a/crypto/engine/eng_lib.c
+++ b/crypto/engine/eng_lib.c
@@ -133,28 +133,34 @@ static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb)
return item;
}
-void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb)
+int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb)
{
ENGINE_CLEANUP_ITEM *item;
if (!int_cleanup_check(1))
- return;
+ return 0;
item = int_cleanup_item(cb);
- if (item != NULL)
- if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0)
- OPENSSL_free(item);
+ if (item != NULL) {
+ if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0))
+ return 1;
+ OPENSSL_free(item);
+ }
+ return 0;
}
-void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
+int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
{
ENGINE_CLEANUP_ITEM *item;
+
if (!int_cleanup_check(1))
- return;
+ return 0;
item = int_cleanup_item(cb);
if (item != NULL) {
- if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0)
- OPENSSL_free(item);
+ if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) > 0)
+ return 1;
+ OPENSSL_free(item);
}
+ return 0;
}
/* The API function that performs all cleanup */
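Review bot: The two functions now test stack insertion differently: engine_cleanup_add_first() uses `if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0))` while engine_cleanup_add_last() uses `> 0`, and the removed code treated `<= 0` as failure in both. If the stack call can ever return a negative value, add_first would report success for an item that was never stored, so it would be neither run at cleanup nor freed. Using `if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) > 0)` keeps the pair consistent with each other and with the old check. add_first also lacks the blank line after the `item` declaration that this commit adds to add_last.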
diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c
index 04c73c762864..f2eed3b07174 100644
--- a/crypto/engine/eng_list.c
+++ b/crypto/engine/eng_list.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -78,12 +78,15 @@ static int engine_list_add(ENGINE *e)
ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR);
return 0;
}
- engine_list_head = e;
- e->prev = NULL;
/*
* The first time the list allocates, we should register the cleanup.
*/
- engine_cleanup_add_last(engine_list_cleanup);
+ if (!engine_cleanup_add_last(engine_list_cleanup)) {
+ ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR);
+ return 0;
+ }
+ engine_list_head = e;
+ e->prev = NULL;
} else {
/* We are adding to the tail of an existing list. */
if ((engine_list_tail == NULL) || (engine_list_tail->next != NULL)) {
diff --git a/crypto/engine/eng_local.h b/crypto/engine/eng_local.h
index 03a86299cf88..75bc9e6f1675 100644
--- a/crypto/engine/eng_local.h
+++ b/crypto/engine/eng_local.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -46,8 +46,8 @@ typedef struct st_engine_cleanup_item {
ENGINE_CLEANUP_CB *cb;
} ENGINE_CLEANUP_ITEM;
DEFINE_STACK_OF(ENGINE_CLEANUP_ITEM)
-void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb);
-void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb);
+int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb);
+int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb);
/* We need stacks of ENGINEs for use in eng_table.c */
DEFINE_STACK_OF(ENGINE)
diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c
index a8209d9e7176..3138a1526002 100644
--- a/crypto/engine/eng_table.c
+++ b/crypto/engine/eng_table.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -93,9 +93,11 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
added = 1;
if (!int_table_check(table, 1))
goto end;
- if (added)
- /* The cleanup callback needs to be added */
- engine_cleanup_add_first(cleanup);
+ /* The cleanup callback needs to be added */
+ if (added && !engine_cleanup_add_first(cleanup)) {
+ lh_ENGINE_PILE_free(&(*table)->piles);
+ *table = NULL;
+ }
while (num_nids--) {
tmplate.nid = *nids;
fnd = lh_ENGINE_PILE_retrieve(&(*table)->piles, &tmplate);
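Review bot: The new failure path for engine_cleanup_add_first() is missing a `goto end;`. After `*table = NULL;` control falls straight into the `while (num_nids--)` loop, where `lh_ENGINE_PILE_retrieve(&(*table)->piles, &tmplate)` is evaluated on the now-NULL `*table`. The block should end with `goto end;` after `*table = NULL;`, so that a failed cleanup registration aborts the whole registration. The value of `ret` on that path is set outside this hunk, so confirm it is still the failure value when `end` is reached.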
@@ -201,8 +203,10 @@ ENGINE *ossl_engine_table_select(ENGINE_TABLE **table, int nid,
ENGINE_PILE tmplate, *fnd = NULL;
int initres, loop = 0;
+#ifndef OPENSSL_NO_AUTOLOAD_CONFIG
/* Load the config before trying to check if engines are available */
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
if (!(*table)) {
OSSL_TRACE3(ENGINE_TABLE,
diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
index b28875037c72..dcd53b43f92b 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@@ -1786,7 +1786,8 @@ static int get_rsa_payload_n(enum state state,
{
const BIGNUM *bn = NULL;
- if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)
+ if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA
+ && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)
return 0;
bn = RSA_get0_n(EVP_PKEY_get0_RSA(ctx->p2));
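Review bot: The RSA/RSA-PSS test is written out as two separate `EVP_PKEY_get_base_id(ctx->p2)` calls here, and the same pair is repeated in get_rsa_payload_e, get_rsa_payload_d and the three macro bodies changed in the later hunks of this file. Reading the id once keeps the six sites short and makes it harder for one of them to drift: `int id = EVP_PKEY_get_base_id(ctx->p2);` followed by `if (id != EVP_PKEY_RSA && id != EVP_PKEY_RSA_PSS)`. A one-line comment saying that RSA-PSS keys share the same `RSA` payload accessors would explain why both ids are accepted. The function bodies continue outside the hunks.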
@@ -1799,7 +1800,8 @@ static int get_rsa_payload_e(enum state state,
{
const BIGNUM *bn = NULL;
- if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)
+ if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA
+ && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)
return 0;
bn = RSA_get0_e(EVP_PKEY_get0_RSA(ctx->p2));
@@ -1812,7 +1814,8 @@ static int get_rsa_payload_d(enum state state,
{
const BIGNUM *bn = NULL;
- if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)
+ if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA
+ && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)
return 0;
bn = RSA_get0_d(EVP_PKEY_get0_RSA(ctx->p2));
@@ -1912,7 +1915,8 @@ static int get_rsa_payload_coefficient(enum state state,
const struct translation_st *translation, \
struct translation_ctx_st *ctx) \
{ \
- if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA) \
+ if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA \
+ && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS) \
return 0; \
return get_rsa_payload_factor(state, translation, ctx, n - 1); \
}
@@ -1923,7 +1927,8 @@ static int get_rsa_payload_coefficient(enum state state,
const struct translation_st *translation, \
struct translation_ctx_st *ctx) \
{ \
- if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA) \
+ if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA \
+ && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS) \
return 0; \
return get_rsa_payload_exponent(state, translation, ctx, \
n - 1); \
@@ -1935,7 +1940,8 @@ static int get_rsa_payload_coefficient(enum state state,
const struct translation_st *translation, \
struct translation_ctx_st *ctx) \
{ \
- if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA) \
+ if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA \
+ && EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS) \
return 0; \
return get_rsa_payload_coefficient(state, translation, ctx, \
n - 1); \
@@ -2271,10 +2277,10 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
{ SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
EVP_PKEY_CTRL_RSA_KEYGEN_BITS, "rsa_keygen_bits", NULL,
OSSL_PKEY_PARAM_RSA_BITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
- { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_KEYGEN,
+ { SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, "rsa_keygen_pubexp", NULL,
OSSL_PKEY_PARAM_RSA_E, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
- { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_KEYGEN,
+ { SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES, "rsa_keygen_primes", NULL,
OSSL_PKEY_PARAM_RSA_PRIMES, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index aa6ec31dab6e..59a7a867ecbb 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -717,6 +717,7 @@ static void detect_foreign_key(EVP_PKEY *pkey)
{
switch (pkey->type) {
case EVP_PKEY_RSA:
+ case EVP_PKEY_RSA_PSS:
pkey->foreign = pkey->pkey.rsa != NULL
&& ossl_rsa_is_foreign(pkey->pkey.rsa);
break;
@@ -1075,6 +1076,7 @@ int EVP_PKEY_can_sign(const EVP_PKEY *pkey)
if (pkey->keymgmt == NULL) {
switch (EVP_PKEY_get_base_id(pkey)) {
case EVP_PKEY_RSA:
+ case EVP_PKEY_RSA_PSS:
return 1;
# ifndef OPENSSL_NO_DSA
case EVP_PKEY_DSA:
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index ee41c03103e5..e3ccc6c4cc2f 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -164,7 +164,8 @@ void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx,
/*
* Create request line using |rctx| and |path| (or "/" in case |path| is NULL).
- * Server name (and port) must be given if and only if plain HTTP proxy is used.
+ * Server name (and optional port) must be given if and only if
+ * a plain HTTP proxy is used and |path| does not begin with 'http://'.
*/
int OSSL_HTTP_REQ_CTX_set_request_line(OSSL_HTTP_REQ_CTX *rctx, int method_POST,
const char *server, const char *port,
@@ -193,11 +194,17 @@ int OSSL_HTTP_REQ_CTX_set_request_line(OSSL_HTTP_REQ_CTX *rctx, int method_POST,
return 0;
}
- /* Make sure path includes a forward slash */
- if (path == NULL)
+ /* Make sure path includes a forward slash (abs_path) */
+ if (path == NULL) {
path = "/";
- if (path[0] != '/' && BIO_printf(rctx->mem, "/") <= 0)
+ } else if (HAS_PREFIX(path, "http://")) { /* absoluteURI for proxy use */
+ if (server != NULL) {
+ ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_INVALID_ARGUMENT);
+ return 0;
+ }
+ } else if (path[0] != '/' && BIO_printf(rctx->mem, "/") <= 0) {
return 0;
+ }
/*
* Add (the rest of) the path and the HTTP version,
* which is fixed to 1.0 for straightforward implementation of keep-alive
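Review bot: The absoluteURI test `HAS_PREFIX(path, "http://")` appears to be case-sensitive (assuming HAS_PREFIX is the usual strncmp-based macro), whereas URI schemes are case-insensitive. A path such as `HTTP://host/x` would therefore take the last branch and be sent with a leading `/` instead of being treated as a proxy URI. Either compare the scheme without regard to case or state in the function comment that only the lowercase form is recognised. In the accepted branch the whole caller-supplied string becomes the request target, so it is worth confirming that the code after this hunk rejects spaces and control characters in |path|; that part is not visible here.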
diff --git a/crypto/mem.c b/crypto/mem.c
index f6cdcf5a423e..bc9dc111676f 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -195,7 +195,6 @@ void *CRYPTO_zalloc(size_t num, const char *file, int line)
void *ret;
ret = CRYPTO_malloc(num, file, line);
- FAILTEST();
if (ret != NULL)
memset(ret, 0, num);
@@ -208,7 +207,6 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line)
if (realloc_impl != CRYPTO_realloc)
return realloc_impl(str, num, file, line);
- FAILTEST();
if (str == NULL)
return CRYPTO_malloc(num, file, line);
@@ -217,6 +215,7 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line)
return NULL;
}
+ FAILTEST();
return realloc(str, num);
}
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 3e76852c67a4..4deee46ce550 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -366,10 +366,19 @@ int PEM_write_bio_PrivateKey_traditional(BIO *bp, const EVP_PKEY *x,
return ret;
}
+static int no_password_cb(char *buf, int num, int rwflag, void *userdata)
+{
+ return -1;
+}
+
EVP_PKEY *PEM_read_bio_Parameters_ex(BIO *bp, EVP_PKEY **x,
OSSL_LIB_CTX *libctx, const char *propq)
{
- return pem_read_bio_key(bp, x, NULL, NULL, libctx, propq,
+ /*
+ * PEM_read_bio_Parameters(_ex) should never ask for a password. Any attempt
+ * to get a password just fails.
+ */
+ return pem_read_bio_key(bp, x, no_password_cb, NULL, libctx, propq,
EVP_PKEY_KEY_PARAMETERS);
}
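Review bot: `no_password_cb()` has no comment of its own and leaves all four parameters unused, which can trip unused-parameter warnings. Elsewhere this commit marks such parameters with `ossl_unused` (property.c, provider_core.c), and the same could be done here. A header comment such as `/* Password callback that always fails, so a read never prompts for a passphrase */` would also let the function be understood without reading its only caller. PEM_read_bio_Parameters_ex() is fully visible and otherwise reads fine.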
diff --git a/crypto/perlasm/arm-xlate.pl b/crypto/perlasm/arm-xlate.pl
index a90885905c0f..38d570c79017 100755
--- a/crypto/perlasm/arm-xlate.pl
+++ b/crypto/perlasm/arm-xlate.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -159,9 +159,8 @@ while(my $line=<>) {
}
{
- $line =~ s|(^[\.\w]+)\:\s*||;
- my $label = $1;
- if ($label) {
+ if ($line =~ s|(^[\.\w]+)\:\s*||) {
+ my $label = $1;
printf "%s:",($GLOBALS{$label} or $label);
}
}
diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c
index 00c71297463d..26a444f868b0 100644
--- a/crypto/pkcs12/p12_crt.c
+++ b/crypto/pkcs12/p12_crt.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -14,6 +14,12 @@
static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
PKCS12_SAFEBAG *bag);
+static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
+ X509 *cert,
+ const char *name,
+ int namelen,
+ unsigned char *keyid,
+ int keyidlen);
static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
{
@@ -40,6 +46,9 @@ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey,
int i;
unsigned char keyid[EVP_MAX_MD_SIZE];
unsigned int keyidlen = 0;
+ int namelen = -1;
+ unsigned char *pkeyid = NULL;
+ int pkeyidlen = -1;
/* Set defaults */
if (nid_cert == NID_undef)
@@ -64,11 +73,16 @@ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey,
}
if (cert) {
- bag = PKCS12_add_cert(&bags, cert);
- if (name && !PKCS12_add_friendlyname(bag, name, -1))
- goto err;
- if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
- goto err;
+ if (name == NULL)
+ name = (char *)X509_alias_get0(cert, &namelen);
+ if (keyidlen > 0) {
+ pkeyid = keyid;
+ pkeyidlen = keyidlen;
+ } else {
+ pkeyid = X509_keyid_get0(cert, &pkeyidlen);
+ }
+
+ bag = pkcs12_add_cert_bag(&bags, cert, name, namelen, pkeyid, pkeyidlen);
}
/* Add all other certificates */
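Review bot: The result of `pkcs12_add_cert_bag()` is stored in `bag` but never checked before the code moves on to "Add all other certificates". If creating or adding the bag fails, PKCS12_create_ex() carries on and can return a PKCS12 that lacks the user certificate. Adding `if (bag == NULL)` and `goto err;` directly after the call restores a hard failure; the removed code reached `err` only through the friendlyName and localKeyID calls. Note also that `name` is now overwritten with the certificate alias when the caller passed NULL, so any later use of `name` in this function (outside the hunk) will see the alias with no length attached; please confirm that is intended.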
@@ -139,30 +153,23 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *
iter, mac_iter, keytype, NULL, NULL);
}
-PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
+static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
+ X509 *cert,
+ const char *name,
+ int namelen,
+ unsigned char *keyid,
+ int keyidlen)
{
PKCS12_SAFEBAG *bag = NULL;
- char *name;
- int namelen = -1;
- unsigned char *keyid;
- int keyidlen = -1;
/* Add user certificate */
if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL)
goto err;
- /*
- * Use friendlyName and localKeyID in certificate. (if present)
- */
-
- name = (char *)X509_alias_get0(cert, &namelen);
-
- if (name && !PKCS12_add_friendlyname(bag, name, namelen))
+ if (name != NULL && !PKCS12_add_friendlyname(bag, name, namelen))
goto err;
- keyid = X509_keyid_get0(cert, &keyidlen);
-
- if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+ if (keyid != NULL && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
goto err;
if (!pkcs12_add_bag(pbags, bag))
@@ -173,7 +180,22 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
err:
PKCS12_SAFEBAG_free(bag);
return NULL;
+}
+
+PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
+{
+ char *name = NULL;
+ int namelen = -1;
+ unsigned char *keyid = NULL;
+ int keyidlen = -1;
+
+ /*
+ * Use friendlyName and localKeyID in certificate. (if present)
+ */
+ name = (char *)X509_alias_get0(cert, &namelen);
+ keyid = X509_keyid_get0(cert, &keyidlen);
+ return pkcs12_add_cert_bag(pbags, cert, name, namelen, keyid, keyidlen);
}
PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags,
diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl
index fa9bfb7a7b81..4cddca1c514c 100755
--- a/crypto/poly1305/asm/poly1305-x86_64.pl
+++ b/crypto/poly1305/asm/poly1305-x86_64.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -195,7 +195,7 @@ $code.=<<___ if ($avx>1);
bt \$`5+32`,%r9 # AVX2?
cmovc %rax,%r10
___
-$code.=<<___ if ($avx>3);
+$code.=<<___ if ($avx>3 && !$win64);
mov \$`(1<<31|1<<21|1<<16)`,%rax
shr \$32,%r9
and %rax,%r9
@@ -2724,7 +2724,7 @@ $code.=<<___;
.cfi_endproc
.size poly1305_blocks_avx512,.-poly1305_blocks_avx512
___
-if ($avx>3) {
+if ($avx>3 && !$win64) {
########################################################################
# VPMADD52 version using 2^44 radix.
#
diff --git a/crypto/property/property.c b/crypto/property/property.c
index b97861d4862f..602db0f3ff54 100644
--- a/crypto/property/property.c
+++ b/crypto/property/property.c
@@ -129,11 +129,11 @@ static const OSSL_LIB_CTX_METHOD ossl_ctx_global_properties_method = {
};
OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *libctx,
- int loadconfig)
+ ossl_unused int loadconfig)
{
OSSL_GLOBAL_PROPERTIES *globp;
-#ifndef FIPS_MODULE
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
return NULL;
#endif
@@ -513,7 +513,7 @@ int ossl_method_store_fetch(OSSL_METHOD_STORE *store,
if (nid <= 0 || method == NULL || store == NULL)
return 0;
-#ifndef FIPS_MODULE
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
if (ossl_lib_ctx_is_default(store->ctx)
&& !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
return 0;
diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index 7a1232812162..92cce32c5bbf 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -408,7 +408,7 @@ int ossl_provider_info_add_to_store(OSSL_LIB_CTX *libctx,
}
OSSL_PROVIDER *ossl_provider_find(OSSL_LIB_CTX *libctx, const char *name,
- int noconfig)
+ ossl_unused int noconfig)
{
struct provider_store_st *store = NULL;
OSSL_PROVIDER *prov = NULL;
@@ -417,7 +417,7 @@ OSSL_PROVIDER *ossl_provider_find(OSSL_LIB_CTX *libctx, const char *name,
OSSL_PROVIDER tmpl = { 0, };
int i;
-#ifndef FIPS_MODULE
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
/*
* Make sure any providers are loaded from config before we try to find
* them.
@@ -1356,7 +1356,7 @@ int ossl_provider_doall_activated(OSSL_LIB_CTX *ctx,
struct provider_store_st *store = get_provider_store(ctx);
STACK_OF(OSSL_PROVIDER) *provs = NULL;
-#ifndef FIPS_MODULE
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
/*
* Make sure any providers are loaded from config before we try to use
* them.
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index e819780e7d94..07734077e322 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -60,13 +60,16 @@ static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
if (!rsa_param_encode(pkey, &str, &strtype))
return 0;
penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
- if (penclen <= 0)
+ if (penclen <= 0) {
+ ASN1_STRING_free(str);
return 0;
+ }
if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
strtype, str, penc, penclen))
return 1;
OPENSSL_free(penc);
+ ASN1_STRING_free(str);
return 0;
}
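Review bot: Nothing in `rsa_pub_encode` states the ownership rule that makes the two added `ASN1_STRING_free(str)` calls correct on the failure paths and absent on the success path. As the `set0` name suggests, `X509_PUBKEY_set0_param` keeps `str` and `penc` when it succeeds. A comment above that call would spell it out, e.g. `/* set0: pk owns str and penc on success; both are freed below on failure */`. The cleanup is also now repeated in two places, so a single `err:` label freeing `penc` and `str` would keep the paths from drifting apart. The function starts outside the hunk.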
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index e8beb60d278a..96d511ffe636 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -283,6 +283,7 @@ SRP_VBASE *SRP_VBASE_new(char *seed_key)
return NULL;
if ((vb->users_pwd = sk_SRP_user_pwd_new_null()) == NULL
|| (vb->gN_cache = sk_SRP_gN_cache_new_null()) == NULL) {
+ sk_SRP_user_pwd_free(vb->users_pwd);
OPENSSL_free(vb);
return NULL;
}
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index 5ff927862916..bc12d8dd13a2 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -424,14 +424,14 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)
load_data.v = NULL;
load_data.ctx = ctx;
+ ctx->error_flag = 0;
if (!ctx->fetched_loader->p_load(ctx->loader_ctx,
ossl_store_handle_load_result,
&load_data,
ossl_pw_passphrase_callback_dec,
&ctx->pwdata)) {
- if (!OSSL_STORE_eof(ctx))
- ctx->error_flag = 1;
+ ctx->error_flag = 1;
return NULL;
}
v = load_data.v;
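Review bot: The added `ctx->error_flag = 0;` before the `p_load` call makes the flag describe only the most recent call, and the hunk does not document that. A caller that loops over `OSSL_STORE_load()` and checks the error state once after the loop could then miss an earlier failure; whether any caller does this is not visible here. The failure branch also now sets the flag without consulting `OSSL_STORE_eof(ctx)`, so a loader that returns 0 at end of input is reported as an error. I would add a comment at the reset, e.g. `/* error_flag reflects this call only; any p_load failure sets it, including at EOF */`. `OSSL_STORE_load` begins and continues outside the hunk.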
diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c
index bfc05a4e878c..801855c9306e 100644
--- a/crypto/threads_pthread.c
+++ b/crypto/threads_pthread.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -72,8 +72,6 @@ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
# if !defined (__TANDEM) && !defined (_SPT_MODEL_)
# if !defined(NDEBUG) && !defined(OPENSSL_NO_MUTEX_ERRORCHECK)
pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
-# else
- pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
# endif
# else
/* The SPT Thread Library does not define MUTEX attributes. */
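Review bot: With the `# else` branch removed, builds with `NDEBUG` or `OPENSSL_NO_MUTEX_ERRORCHECK` defined create the mutex with the platform's default type, and nothing in the code says this is deliberate. POSIX leaves relocking a default-type mutex undefined, whereas `PTHREAD_MUTEX_NORMAL` deadlocks, so a later reader may well put the call back. A short comment after the `# endif` would record the intent, e.g. `/* Otherwise keep the default mutex type; do not set PTHREAD_MUTEX_NORMAL explicitly. */`. The retained `pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);` line still ignores its return value. `CRYPTO_THREAD_lock_new` starts and ends outside the hunk.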
diff --git a/crypto/x509/v3_ist.c b/crypto/x509/v3_ist.c
index e6fef0153c8e..4a3cfa12a471 100644
--- a/crypto/x509/v3_ist.c
+++ b/crypto/x509/v3_ist.c
@@ -51,25 +51,25 @@ static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_
if (strcmp(cnf->name, "signTool") == 0) {
ist->signTool = ASN1_UTF8STRING_new();
if (ist->signTool == NULL || !ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value))) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+ ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto err;
}
} else if (strcmp(cnf->name, "cATool") == 0) {
ist->cATool = ASN1_UTF8STRING_new();
if (ist->cATool == NULL || !ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value))) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+ ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto err;
}
} else if (strcmp(cnf->name, "signToolCert") == 0) {
ist->signToolCert = ASN1_UTF8STRING_new();
if (ist->signToolCert == NULL || !ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value))) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+ ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto err;
}
} else if (strcmp(cnf->name, "cAToolCert") == 0) {
ist->cAToolCert = ASN1_UTF8STRING_new();
if (ist->cAToolCert == NULL || !ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value))) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+ ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto err;
}
} else {
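Review bot: All four branches call `strlen(cnf->value)` with no visible check that `cnf->value` is non-NULL. A configuration entry that gives the name without a value would then reach `strlen(NULL)`, unless this is validated earlier, outside the hunk. Each condition should reject that case first, e.g. `if (ist->signTool == NULL || cnf->value == NULL || !ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value))) {`, and likewise for `cATool`, `signToolCert` and `cAToolCert`. A missing value should also get its own reason code, since the new `ERR_R_MALLOC_FAILURE` would be misleading for it. The enclosing loop and the `err` label are outside the hunk.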
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 1027bed82e69..989fb8faa9f4 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -292,12 +292,13 @@ unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx,
unsigned long ret = 0;
unsigned char md[SHA_DIGEST_LENGTH];
EVP_MD *sha1 = EVP_MD_fetch(libctx, "SHA1", propq);
+ int i2d_ret;
/* Make sure X509_NAME structure contains valid cached encoding */
- i2d_X509_NAME(x, NULL);
+ i2d_ret = i2d_X509_NAME(x, NULL);
if (ok != NULL)
*ok = 0;
- if (sha1 != NULL
+ if (i2d_ret >= 0 && sha1 != NULL
&& EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, sha1, NULL)) {
ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
@@ -325,7 +326,9 @@ unsigned long X509_NAME_hash_old(const X509_NAME *x)
goto end;
/* Make sure X509_NAME structure contains valid cached encoding */
- i2d_X509_NAME(x, NULL);
+ if (i2d_X509_NAME(x, NULL) < 0)
+ goto end;
+
if (EVP_DigestInit_ex(md_ctx, md5, NULL)
&& EVP_DigestUpdate(md_ctx, x->bytes->data, x->bytes->length)
&& EVP_DigestFinal_ex(md_ctx, md, NULL))