| author | Pierre Pronchery <pierre@freebsdfoundation.org> | 2023-09-22 14:52:58 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2023-09-22 15:55:26 +0000 |
| commit | 315108b81694de474bbc273c0050b195047f5eed (patch) | |
| tree | e3f2a313c74d0ae64bb2f0da5ecd9edb258e361f /providers | |
| parent | cf2fc1b0f5ce501f5a29d307294e5637e0f5aba6 (diff) | |
Diffstat (limited to 'providers')
| -rw-r--r-- | providers/fips-sources.checksums | 14 | ||||
| -rw-r--r-- | providers/fips.checksum | 2 | ||||
| -rw-r--r-- | providers/implementations/ciphers/cipher_chacha20.c | 23 | ||||
| -rw-r--r-- | providers/implementations/encode_decode/decode_der2key.c | 6 | ||||
| -rw-r--r-- | providers/implementations/encode_decode/decode_msblob2key.c | 22 | ||||
| -rw-r--r-- | providers/implementations/encode_decode/decode_pvk2key.c | 21 | ||||
| -rw-r--r-- | providers/implementations/encode_decode/encode_key2any.c | 7 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/dh_kmgmt.c | 3 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/dsa_kmgmt.c | 3 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/ecx_kmgmt.c | 5 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/mac_legacy_kmgmt.c | 5 |
11 files changed, 93 insertions, 18 deletions
diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index 42785c33a0d2..f55fa914be7f 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -259,12 +259,12 @@ a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_ 97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c 3ca43596a7528dec8ff9d1a3cd0d68b62640f84b1d6a8b5e4842cfd0be1133ad crypto/ppccpuid.pl b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c -7da6ae864beb1a4daa4be31eb41d48141a3a7eb7a263a4937a6889e05656a595 crypto/property/property.c +3c4ade2fed4605e374d85ec1134a98da34e7124f89f44b81a754e8cfe81f14ba crypto/property/property.c 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h 921305e62749aec22da4843738bee3448b61e7e30d5309beddc7141ad07a8004 crypto/property/property_parse.c a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c 065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d crypto/property/property_string.c -9653ec9c1476350a94b9cc7f8be3d99961fd803870c9ac03315298d2909a6a8e crypto/provider_core.c +0ba5d0297837940c972224c97cbbf3ea4a723c1eed9ce1112538c9bb26208639 crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c a5a4472636b8b0095ad8d4acd37e275ad79da1a67ecff7b7b5c3e46c9ebc65b7 crypto/rand/rand_lib.c 
@@ -344,7 +344,7 @@ c50c584c55e56347bb43aca4b796b5344d70daece3061f586b79c871c21f5d1a crypto/sparse_ 8da78169fa8c09dc3c29c9bf1602b22e88c5eac4815e274ba1864c166e31584b crypto/stack/stack.c 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c -2637a8727dee790812b000f2e02b336f7907949df633dda72938bbaafdb204fe crypto/threads_pthread.c +3729e2bd36f945808b578e0d89fac0fcb3114e4fc9381614bcbd8a9869991716 crypto/threads_pthread.c 88423960f0414f6fd41fba4f4c67f9f7260c2741e4788adcd52493e895ec8027 crypto/threads_win.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl 
@@ -567,13 +567,13 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl 589f6133799da80760e8bc3ab0191a341ab6d4d2706e92e6eb4a24b0250fefa6 providers/implementations/kdfs/tls1_prf.c 4d4a6d9a562d2dcfec941d3f113a544663b5ac2fbe4accd89ec70c1cc11751d0 providers/implementations/kdfs/x942kdf.c 6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43 providers/implementations/kem/rsa_kem.c -37120f8a420de0e44b7dc1f31b50d59520e5318cf546e83684e0c3de5c7b76c5 providers/implementations/keymgmt/dh_kmgmt.c -2a4493c9e68f41d37d7ec69c272005c6df7b1a34db2d49663f52e836e4fd888c providers/implementations/keymgmt/dsa_kmgmt.c +9d5eb7e056e790b1b4292ec7af03fbf0b26e34625c70eb36643451965bcfc696 providers/implementations/keymgmt/dh_kmgmt.c +a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304 providers/implementations/keymgmt/dsa_kmgmt.c 9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc -d77ece2494e6b12a6201a2806ee5fb24a6dc2fa3e1891a46012a870e0b781ab1 providers/implementations/keymgmt/ecx_kmgmt.c +011c36aad6834729043f23eacab417732541ee23916d9afa5bb9164862be00bb providers/implementations/keymgmt/ecx_kmgmt.c 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c -e30357311e4a3e1c78266af6315fd1fc99584bfb09f4a7cd0ddc7261cf1e17e1 providers/implementations/keymgmt/mac_legacy_kmgmt.c +1646b477fa231dd0f6c22444c99098f9b447cab0d39ff69b811262469d4dbe09 providers/implementations/keymgmt/mac_legacy_kmgmt.c 19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75 providers/implementations/keymgmt/rsa_kmgmt.c aeb42590728ca87b916b8a3d337351b1c82ee0747213e5ce740c2350b3db7185 providers/implementations/macs/cmac_prov.c e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe 
providers/implementations/macs/gmac_prov.c diff --git a/providers/fips.checksum b/providers/fips.checksum index ec1978c7fede..db5ddc6cb7c6 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -f07990ec634ec6ea3c8c42a664768debcf92a1b0c39bde7041c24df33dd7f052 providers/fips-sources.checksums +8d97c837eeb1288f74788f0e48cb0cbc8498d4cf7ddc25c89344df7d5309ffc8 providers/fips-sources.checksums diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index 386c865d832e..ef80a515d756 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -21,6 +21,7 @@ static OSSL_FUNC_cipher_newctx_fn chacha20_newctx; static OSSL_FUNC_cipher_freectx_fn chacha20_freectx; +static OSSL_FUNC_cipher_dupctx_fn chacha20_dupctx; static OSSL_FUNC_cipher_get_params_fn chacha20_get_params; static OSSL_FUNC_cipher_get_ctx_params_fn chacha20_get_ctx_params; static OSSL_FUNC_cipher_set_ctx_params_fn chacha20_set_ctx_params; 
@@ -64,6 +65,25 @@ static void chacha20_freectx(void *vctx) } } +static void *chacha20_dupctx(void *vctx) +{ + PROV_CHACHA20_CTX *ctx = (PROV_CHACHA20_CTX *)vctx; + PROV_CHACHA20_CTX *dupctx = NULL; + + if (ctx != NULL) { + dupctx = OPENSSL_memdup(ctx, sizeof(*dupctx)); + if (dupctx != NULL && dupctx->base.tlsmac != NULL && dupctx->base.alloced) { + dupctx->base.tlsmac = OPENSSL_memdup(dupctx->base.tlsmac, + dupctx->base.tlsmacsize); + if (dupctx->base.tlsmac == NULL) { + OPENSSL_free(dupctx); + dupctx = NULL; + } + } + } + return dupctx; +} + static int chacha20_get_params(OSSL_PARAM params[]) { return ossl_cipher_generic_get_params(params, 0, CHACHA20_FLAGS, @@ -187,6 +207,7 @@ int ossl_chacha20_dinit(void *vctx, const unsigned char *key, size_t keylen, const OSSL_DISPATCH ossl_chacha20_functions[] = { { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))chacha20_newctx }, { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))chacha20_freectx }, + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))chacha20_dupctx }, { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_chacha20_einit }, { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_chacha20_dinit }, { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))chacha20_update }, diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index b9cee2571bf3..d598f7eba1ac 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -316,10 +316,14 @@ static int der2key_export_object(void *vctx, void *keydata; if (reference_sz == sizeof(keydata) && export != NULL) { + int selection = ctx->selection; + + if (selection == 0) + selection = OSSL_KEYMGMT_SELECT_ALL; /* The contents of the reference is the address to our object */ keydata = *(void **)reference; - return export(keydata, ctx->selection, export_cb, export_cbarg); + return export(keydata, selection, export_cb, export_cbarg); } return 0; } 
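Review bot: In `chacha20_dupctx`, the failure branch after the second `OPENSSL_memdup` releases the copy with `OPENSSL_free(dupctx)`, so a byte-for-byte copy of the cipher context goes back to the heap uncleansed. That copy presumably carries the ChaCha20 key and counter state (the struct definition is outside the hunk), so the branch should read `OPENSSL_clear_free(dupctx, sizeof(*dupctx));`. A one-line comment would also help, noting that `tlsmac` is deep-copied only when `base.alloced` is set and otherwise keeps the pointer value copied from the source context.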
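Review bot: The new fallback in `der2key_export_object` turns `selection == 0` into `OSSL_KEYMGMT_SELECT_ALL` without a comment, and that is the widest export available. An unset selection now hands every component the key holds, private ones included where present, to `export_cb`. Please state the intent above the test, for example `/* 0 means the caller made no selection; export everything the key holds */`. The same uncommented fallback is added to `msblob2key_export_object` and `pvk2key_export_object`, so the comment belongs in all three. The function starts outside the hunk, so how `ctx->selection` comes to be 0 is not visible here.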
diff --git a/providers/implementations/encode_decode/decode_msblob2key.c b/providers/implementations/encode_decode/decode_msblob2key.c index 501957faba01..b9d0cabadae2 100644 --- a/providers/implementations/encode_decode/decode_msblob2key.c +++ b/providers/implementations/encode_decode/decode_msblob2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -79,6 +79,18 @@ static void msblob2key_freectx(void *vctx) OPENSSL_free(ctx); } +static int msblob2key_does_selection(void *provctx, int selection) +{ + if (selection == 0) + return 1; + + if ((selection & (OSSL_KEYMGMT_SELECT_PRIVATE_KEY + | OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) != 0) + return 1; + + return 0; +} + static int msblob2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, OSSL_CALLBACK *data_cb, void *data_cbarg, OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) @@ -211,10 +223,14 @@ msblob2key_export_object(void *vctx, void *keydata; if (reference_sz == sizeof(keydata) && export != NULL) { + int selection = ctx->selection; + + if (selection == 0) + selection = OSSL_KEYMGMT_SELECT_ALL; /* The contents of the reference is the address to our object */ keydata = *(void **)reference; - return export(keydata, ctx->selection, export_cb, export_cbarg); + return export(keydata, selection, export_cb, export_cbarg); } return 0; } @@ -260,6 +276,8 @@ static void rsa_adjust(void *key, struct msblob2key_ctx_st *ctx) (void (*)(void))msblob2##keytype##_newctx }, \ { OSSL_FUNC_DECODER_FREECTX, \ (void (*)(void))msblob2key_freectx }, \ + { OSSL_FUNC_DECODER_DOES_SELECTION, \ + (void (*)(void))msblob2key_does_selection }, \ { OSSL_FUNC_DECODER_DECODE, \ (void (*)(void))msblob2key_decode }, \ { OSSL_FUNC_DECODER_EXPORT_OBJECT, \ 
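Review bot: `msblob2key_does_selection` has no comment saying why `selection == 0` is accepted or why only the private-key and public-key bits are tested. A short header such as `/* 0 = caller has no preference; otherwise only a public or private key selection is served */` would document the contract, provided that matches the format's intent. `pvk2key_does_selection` in decode_pvk2key.c needs the equivalent comment for its private-key-only test.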
diff --git a/providers/implementations/encode_decode/decode_pvk2key.c b/providers/implementations/encode_decode/decode_pvk2key.c index c6424165b03b..2d7cb15e53e0 100644 --- a/providers/implementations/encode_decode/decode_pvk2key.c +++ b/providers/implementations/encode_decode/decode_pvk2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -79,6 +79,17 @@ static void pvk2key_freectx(void *vctx) OPENSSL_free(ctx); } +static int pvk2key_does_selection(void *provctx, int selection) +{ + if (selection == 0) + return 1; + + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) + return 1; + + return 0; +} + static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, OSSL_CALLBACK *data_cb, void *data_cbarg, OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) @@ -179,10 +190,14 @@ static int pvk2key_export_object(void *vctx, void *keydata; if (reference_sz == sizeof(keydata) && export != NULL) { + int selection = ctx->selection; + + if (selection == 0) + selection = OSSL_KEYMGMT_SELECT_ALL; /* The contents of the reference is the address to our object */ keydata = *(void **)reference; - return export(keydata, ctx->selection, export_cb, export_cbarg); + return export(keydata, selection, export_cb, export_cbarg); } return 0; } @@ -226,6 +241,8 @@ static void rsa_adjust(void *key, struct pvk2key_ctx_st *ctx) (void (*)(void))pvk2##keytype##_newctx }, \ { OSSL_FUNC_DECODER_FREECTX, \ (void (*)(void))pvk2key_freectx }, \ + { OSSL_FUNC_DECODER_DOES_SELECTION, \ + (void (*)(void))pvk2key_does_selection }, \ { OSSL_FUNC_DECODER_DECODE, \ (void (*)(void))pvk2key_decode }, \ { OSSL_FUNC_DECODER_EXPORT_OBJECT, \ 
diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index c7b01cb2b3e5..0f4c62962ddc 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -858,14 +858,17 @@ static int prepare_rsa_params(const void *rsa, int nid, int save, case 1: if ((str = OPENSSL_malloc(str_sz)) == NULL || !WPACKET_init_der(&pkt, str, str_sz)) { + WPACKET_cleanup(&pkt); goto err; } break; } if (!ossl_DER_w_RSASSA_PSS_params(&pkt, -1, pss) || !WPACKET_finish(&pkt) - || !WPACKET_get_total_written(&pkt, &str_sz)) + || !WPACKET_get_total_written(&pkt, &str_sz)) { + WPACKET_cleanup(&pkt); goto err; + } WPACKET_cleanup(&pkt); /* diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index 9a7dde7c6627..4ca9c1a3fad8 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -222,6 +222,9 @@ static int dh_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, if (!ossl_prov_is_running() || dh == NULL) return 0; + if ((selection & DH_POSSIBLE_SELECTIONS) == 0) + return 0; + tmpl = OSSL_PARAM_BLD_new(); if (tmpl == NULL) return 0; diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c index cd8b4410b0db..2f5742cfcc07 100644 --- a/providers/implementations/keymgmt/dsa_kmgmt.c +++ b/providers/implementations/keymgmt/dsa_kmgmt.c 
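Review bot: In the `case 1:` branch of `prepare_rsa_params`, the added `WPACKET_cleanup(&pkt)` also runs when `OPENSSL_malloc` failed, in which case `WPACKET_init_der` was short-circuited and never touched `pkt` on this pass. That is safe only if `pkt` is still in the cleaned state left by an earlier pass, which the hunk does not show because the loop and the preceding case start above it. A comment such as `/* pkt was cleaned at the end of the previous pass, so cleanup is safe even if malloc failed */` would make the assumption explicit, if it holds.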
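Review bot: The new guard in `dh_export` returns 0 when none of the `DH_POSSIBLE_SELECTIONS` bits are set, with no comment and, as far as the hunk shows, no error queued, which presumably changes the result for a caller passing `selection == 0`. The decoders in this commit were given a fallback to `OSSL_KEYMGMT_SELECT_ALL`, but any other caller of the export function that still passes 0 would now see a bare failure. Consider a comment like `/* Nothing exportable was selected; callers must pass an explicit selection */`. The same applies to the guards added in `dsa_export`, `ecx_export` and `mac_export`, which test different masks (`DSA_POSSIBLE_SELECTIONS`, `OSSL_KEYMGMT_SELECT_KEYPAIR`, `OSSL_KEYMGMT_SELECT_PRIVATE_KEY`) and would benefit from a word on why.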
@@ -223,6 +223,9 @@ static int dsa_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, if (!ossl_prov_is_running() || dsa == NULL) return 0; + if ((selection & DSA_POSSIBLE_SELECTIONS) == 0) + return 0; + tmpl = OSSL_PARAM_BLD_new(); if (tmpl == NULL) return 0; diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index 2a7f867aa56b..987d38456fba 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -238,6 +238,9 @@ static int ecx_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, if (!ossl_prov_is_running() || key == NULL) return 0; + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) + return 0; + tmpl = OSSL_PARAM_BLD_new(); if (tmpl == NULL) return 0; diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c index c934ff164094..1fae4407fca6 100644 --- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c +++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -281,6 +281,9 @@ static int mac_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, if (!ossl_prov_is_running() || key == NULL) return 0; + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) == 0) + return 0; + tmpl = OSSL_PARAM_BLD_new(); if (tmpl == NULL) return 0; |
