diff --git a/crypto/external/bsd/openssl/dist/CHANGES b/crypto/external/bsd/openssl/dist/CHANGES index 3ef3fa28cfa8..1e2d651b7514 100644 --- a/crypto/external/bsd/openssl/dist/CHANGES +++ b/crypto/external/bsd/openssl/dist/CHANGES @@ -7,6 +7,178 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1s and 1.1.1t [7 Feb 2023] + + *) Fixed X.400 address type confusion in X.509 GeneralName. + + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING + but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This + vulnerability may allow an attacker who can provide a certificate chain and + CRL (neither of which need have a valid signature) to pass arbitrary + pointers to a memcmp call, creating a possible read primitive, subject to + some constraints. Refer to the advisory for more information. Thanks to + David Benjamin for discovering this issue. (CVE-2023-0286) + + This issue has been fixed by changing the public header file definition of + GENERAL_NAME so that x400Address reflects the implementation. It was not + possible for any existing application to successfully use the existing + definition; however, if any application references the x400Address field + (e.g. in dead code), note that the type of this field has changed. There is + no ABI change. + [Hugo Landau] + + *) Fixed Use-after-free following BIO_new_NDEF. + + The public API function BIO_new_NDEF is a helper function used for + streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL + to support the SMIME, CMS and PKCS7 streaming capabilities, but may also + be called directly by end user applications. + + The function receives a BIO from the caller, prepends a new BIO_f_asn1 + filter BIO onto the front of it to form a BIO chain, and then returns + the new head of the BIO chain to the caller. Under certain conditions, + for example if a CMS recipient public key is invalid, the new filter BIO + is freed and the function returns a NULL result indicating a failure. + However, in this case, the BIO chain is not properly cleaned up and the + BIO passed by the caller still retains internal pointers to the previously + freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO + then a use-after-free will occur. This will most likely result in a crash. + (CVE-2023-0215) + [Viktor Dukhovni, Matt Caswell] + + *) Fixed Double free after calling PEM_read_bio_ex. + + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload + data. If the function succeeds then the "name_out", "header" and "data" + arguments are populated with pointers to buffers containing the relevant + decoded data. The caller is responsible for freeing those buffers. It is + possible to construct a PEM file that results in 0 bytes of payload data. + In this case PEM_read_bio_ex() will return a failure code but will populate + the header argument with a pointer to a buffer that has already been freed. + If the caller also frees this buffer then a double free will occur. This + will most likely lead to a crash. + + The functions PEM_read_bio() and PEM_read() are simple wrappers around + PEM_read_bio_ex() and therefore these functions are also directly affected. + + These functions are also called indirectly by a number of other OpenSSL + functions including PEM_X509_INFO_read_bio_ex() and + SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL + internal uses of these functions are not vulnerable because the caller does + not free the header argument if PEM_read_bio_ex() returns a failure code. + (CVE-2022-4450) + [Kurt Roeckx, Matt Caswell] + + *) Fixed Timing Oracle in RSA Decryption. + + A timing based side channel exists in the OpenSSL RSA Decryption + implementation which could be sufficient to recover a plaintext across + a network in a Bleichenbacher style attack. To achieve a successful + decryption an attacker would have to be able to send a very large number + of trial messages for decryption. The vulnerability affects all RSA padding + modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + (CVE-2022-4304) + [Dmitry Belyavsky, Hubert Kario] + + Changes between 1.1.1r and 1.1.1s [1 Nov 2022] + + *) Fixed a regression introduced in 1.1.1r version not refreshing the + certificate data to be signed before signing the certificate. + [Gibeom Gwon] + + Changes between 1.1.1q and 1.1.1r [11 Oct 2022] + + *) Fixed the linux-mips64 Configure target which was missing the + SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that + platform. + [Adam Joseph] + + *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was + causing incorrect results in some cases as a result. + [Paul Dale] + + *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to + report correct results in some cases + [Matt Caswell] + + *) Fixed a regression introduced in 1.1.1o for re-signing certificates with + different key sizes + [Todd Short] + + *) Added the loongarch64 target + [Shi Pujin] + + *) Fixed a DRBG seed propagation thread safety issue + [Bernd Edlinger] + + *) Fixed a memory leak in tls13_generate_secret + [Bernd Edlinger] + + *) Fixed reported performance degradation on aarch64. Restored the + implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid + 32-bit lane assignment in CTR mode") for 64bit targets only, since it is + reportedly 2-17% slower and the silicon errata only affects 32bit targets. + The new algorithm is still used for 32 bit targets. + [Bernd Edlinger] + + *) Added a missing header for memcmp that caused compilation failure on some + platforms + [Gregor Jasny] + + Changes between 1.1.1p and 1.1.1q [5 Jul 2022] + + *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised + implementation would not encrypt the entirety of the data under some + circumstances. This could reveal sixteen bytes of data that was + preexisting in the memory that wasn't written. In the special case of + "in place" encryption, sixteen bytes of the plaintext would be revealed. + + Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, + they are both unaffected. + (CVE-2022-2097) + [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño] + + Changes between 1.1.1o and 1.1.1p [21 Jun 2022] + + *) In addition to the c_rehash shell command injection identified in + CVE-2022-1292, further bugs where the c_rehash script does not + properly sanitise shell metacharacters to prevent command injection have been + fixed. + + When the CVE-2022-1292 was fixed it was not discovered that there + are other places in the script where the file names of certificates + being hashed were possibly passed to a command executed through the shell. + + This script is distributed by some operating systems in a manner where + it is automatically executed. On such operating systems, an attacker + could execute arbitrary commands with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-2068) + [Daniel Fiala, Tomáš Mráz] + + *) When OpenSSL TLS client is connecting without any supported elliptic + curves and TLS-1.3 protocol is disabled the connection will no longer fail + if a ciphersuite that does not use a key exchange based on elliptic + curves can be negotiated. + [Tomáš Mráz] + + Changes between 1.1.1n and 1.1.1o [3 May 2022] + + *) Fixed a bug in the c_rehash script which was not properly sanitising shell + metacharacters to prevent command injection. This script is distributed + by some operating systems in a manner where it is automatically executed. + On such operating systems, an attacker could execute arbitrary commands + with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-1292) + [Tomáš Mráz] + Changes between 1.1.1m and 1.1.1n [15 Mar 2022] *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever diff --git a/crypto/external/bsd/openssl/dist/Configurations/10-main.conf b/crypto/external/bsd/openssl/dist/Configurations/10-main.conf index 8ca8235ed566..f815a09b2321 100644 --- a/crypto/external/bsd/openssl/dist/Configurations/10-main.conf +++ b/crypto/external/bsd/openssl/dist/Configurations/10-main.conf @@ -742,7 +742,7 @@ my %targets = ( inherit_from => [ "linux-generic32", asm("mips64_asm") ], cflags => add("-mabi=n32"), cxxflags => add("-mabi=n32"), - bn_ops => "RC4_CHAR", + bn_ops => "RC4_CHAR SIXTY_FOUR_BIT", perlasm_scheme => "n32", multilib => "32", }, @@ -761,6 +761,13 @@ my %targets = ( perlasm_scheme => "linux64", }, + # loongarch64 below refers to contemporary LoongArch Architecture + # specifications, + "linux64-loongarch64" => { + inherit_from => [ "linux-generic64"], + perlasm_scheme => "linux64", + }, + #### IA-32 targets... #### These two targets are a bit aged and are to be used on older Linux #### machines where gcc doesn't understand -m32 and -m64 @@ -995,6 +1002,13 @@ my %targets = ( perlasm_scheme => "linux64", }, + "BSD-aarch64" => { + inherit_from => [ "BSD-generic64", asm("aarch64_asm") ], + lib_cppflags => add("-DL_ENDIAN"), + bn_ops => "SIXTY_FOUR_BIT_LONG", + perlasm_scheme => "linux64", + }, + "bsdi-elf-gcc" => { inherit_from => [ "BASE_unix", asm("x86_elf_asm") ], CC => "gcc", diff --git a/crypto/external/bsd/openssl/dist/Configure b/crypto/external/bsd/openssl/dist/Configure index 4bea49d7da76..6cb1a84f4b7f 100755 --- a/crypto/external/bsd/openssl/dist/Configure +++ b/crypto/external/bsd/openssl/dist/Configure @@ -1,6 +1,6 @@ #! /usr/bin/env perl # -*- mode: perl; -*- -# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1215,7 +1215,7 @@ $target{build_scheme} = [ $target{build_scheme} ] my ($builder, $builder_platform, @builder_opts) = @{$target{build_scheme}}; -foreach my $checker (($builder_platform."-".$target{build_file}."-checker.pm", +foreach my $checker (($builder_platform."-".$config{build_file}."-checker.pm", $builder_platform."-checker.pm")) { my $checker_path = catfile($srcdir, "Configurations", $checker); if (-f $checker_path) { @@ -1712,8 +1712,8 @@ if ($builder eq "unified") { # Store the name of the template file we will build the build file from # in %config. This may be useful for the build file itself. my @build_file_template_names = - ( $builder_platform."-".$target{build_file}.".tmpl", - $target{build_file}.".tmpl" ); + ( $builder_platform."-".$config{build_file}.".tmpl", + $config{build_file}.".tmpl" ); my @build_file_templates = (); # First, look in the user provided directory, if given @@ -1937,8 +1937,8 @@ if ($builder eq "unified") { } next if @skip && $skip[$#skip] <= 0; push @rawlines, $_ - if ($target_kind eq $target{build_file} - || $target_kind eq $target{build_file}."(".$builder_platform.")"); + if ($target_kind eq $config{build_file} + || $target_kind eq $config{build_file}."(".$builder_platform.")"); } }, qr/^\s*(?:#.*)?$/ => sub { }, @@ -2813,8 +2813,8 @@ if ($builder_platform eq 'unix') { my %builders = ( unified => sub { - print 'Creating ',$target{build_file},"\n"; - run_dofile(catfile($blddir, $target{build_file}), + print 'Creating ',$config{build_file},"\n"; + run_dofile(catfile($blddir, $config{build_file}), @{$config{build_file_templates}}); }, ); @@ -2868,7 +2868,7 @@ exit(0); # sub death_handler { die @_ if $^S; # To prevent the added message in eval blocks - my $build_file = $target{build_file} // "build file"; + my $build_file = $config{build_file} // "build file"; my @message = ( <<"_____", @_ ); Failure! $build_file wasn't produced. diff --git a/crypto/external/bsd/openssl/dist/NEWS b/crypto/external/bsd/openssl/dist/NEWS index f4ac262888ad..2724fc4d85ba 100644 --- a/crypto/external/bsd/openssl/dist/NEWS +++ b/crypto/external/bsd/openssl/dist/NEWS @@ -5,10 +5,43 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023] + + o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) + o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215) + o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450) + o Fixed Timing Oracle in RSA Decryption (CVE-2022-4304) + + Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022] + + o Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the + certificate data to be signed before signing the certificate. + + Major changes between OpenSSL 1.1.1q and OpenSSL 1.1.1r [11 Oct 2022] + + o Added a missing header for memcmp that caused compilation failure on + some platforms + + Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022] + + o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms + (CVE-2022-2097) + + Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022] + + o Fixed additional bugs in the c_rehash script which was not properly + sanitising shell metacharacters to prevent command injection + (CVE-2022-2068) + + Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022] + + o Fixed a bug in the c_rehash script which was not properly sanitising + shell metacharacters to prevent command injection (CVE-2022-1292) + Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022] o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop - forever for non-prime moduli ([CVE-2022-0778]) + forever for non-prime moduli (CVE-2022-0778) Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021] diff --git a/crypto/external/bsd/openssl/dist/README b/crypto/external/bsd/openssl/dist/README index 3e100933f388..b2f806be3a44 100644 --- a/crypto/external/bsd/openssl/dist/README +++ b/crypto/external/bsd/openssl/dist/README @@ -1,7 +1,7 @@ - OpenSSL 1.1.1n 15 Mar 2022 + OpenSSL 1.1.1t 7 Feb 2023 - Copyright (c) 1998-2021 The OpenSSL Project + Copyright (c) 1998-2022 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/crypto/external/bsd/openssl/dist/apps/apps.c b/crypto/external/bsd/openssl/dist/apps/apps.c index 1a92271595f1..f2447fb0bef8 100644 --- a/crypto/external/bsd/openssl/dist/apps/apps.c +++ b/crypto/external/bsd/openssl/dist/apps/apps.c @@ -307,6 +307,8 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) if (cb_data != NULL && cb_data->password != NULL && *(const char*)cb_data->password != '\0') pw_min_len = 1; + else if (!verify) + pw_min_len = 0; prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); if (!prompt) { BIO_printf(bio_err, "Out of memory\n"); @@ -1374,7 +1376,8 @@ static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING) static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING) #undef BSIZE #define BSIZE 256 -BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai) +BIGNUM *load_serial(const char *serialfile, int *exists, int create, + ASN1_INTEGER **retai) { BIO *in = NULL; BIGNUM *ret = NULL; @@ -1386,6 +1389,8 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai) goto err; in = BIO_new_file(serialfile, "r"); + if (exists != NULL) + *exists = in != NULL; if (in == NULL) { if (!create) { perror(serialfile); @@ -1393,8 +1398,14 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai) } ERR_clear_error(); ret = BN_new(); - if (ret == NULL || !rand_serial(ret, ai)) + if (ret == NULL) { BIO_printf(bio_err, "Out of memory\n"); + } else if (!rand_serial(ret, ai)) { + BIO_printf(bio_err, "Error creating random number to store in %s\n", + serialfile); + BN_free(ret); + ret = NULL; + } } else { if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) { BIO_printf(bio_err, "unable to load number from %s\n", @@ -1414,6 +1425,8 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai) ai = NULL; } err: + if (ret == NULL) + ERR_print_errors(bio_err); BIO_free(in); ASN1_INTEGER_free(ai); return ret; diff --git a/crypto/external/bsd/openssl/dist/apps/apps.h b/crypto/external/bsd/openssl/dist/apps/apps.h index 34c3fd8633c1..3e8f50fda87b 100644 --- a/crypto/external/bsd/openssl/dist/apps/apps.h +++ b/crypto/external/bsd/openssl/dist/apps/apps.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -527,9 +527,12 @@ typedef struct ca_db_st { } CA_DB; void* app_malloc(int sz, const char *what); -BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai); -int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial, - ASN1_INTEGER **retai); + +/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */ +BIGNUM *load_serial(const char *serialfile, int *exists, int create, + ASN1_INTEGER **retai); +int save_serial(const char *serialfile, const char *suffix, + const BIGNUM *serial, ASN1_INTEGER **retai); int rotate_serial(const char *serialfile, const char *new_suffix, const char *old_suffix); int rand_serial(BIGNUM *b, ASN1_INTEGER *ai); diff --git a/crypto/external/bsd/openssl/dist/apps/ca.c b/crypto/external/bsd/openssl/dist/apps/ca.c index 390ac37493c8..ea375ca0b1d3 100644 --- a/crypto/external/bsd/openssl/dist/apps/ca.c +++ b/crypto/external/bsd/openssl/dist/apps/ca.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -842,7 +842,8 @@ end_of_options: goto end; } } else { - if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) { + serial = load_serial(serialfile, NULL, create_ser, NULL); + if (serial == NULL) { BIO_printf(bio_err, "error while loading serial number\n"); goto end; } @@ -1078,7 +1079,8 @@ end_of_options: if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER)) != NULL) - if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) { + if ((crlnumber = load_serial(crlnumberfile, NULL, 0, NULL)) + == NULL) { BIO_printf(bio_err, "error while loading CRL number\n"); goto end; } diff --git a/crypto/external/bsd/openssl/dist/apps/ocsp.c b/crypto/external/bsd/openssl/dist/apps/ocsp.c index 27ec94fa6b8d..8f20864cea51 100644 --- a/crypto/external/bsd/openssl/dist/apps/ocsp.c +++ b/crypto/external/bsd/openssl/dist/apps/ocsp.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -176,7 +176,7 @@ const OPTIONS ocsp_options[] = { {"no_intern", OPT_NO_INTERN, '-', "Don't search certificates contained in response for signer"}, {"badsig", OPT_BADSIG, '-', - "Corrupt last byte of loaded OSCP response signature (for test)"}, + "Corrupt last byte of loaded OCSP response signature (for test)"}, {"text", OPT_TEXT, '-', "Print text form of request and response"}, {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"}, {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"}, diff --git a/crypto/external/bsd/openssl/dist/apps/s_cb.c b/crypto/external/bsd/openssl/dist/apps/s_cb.c index d066a423dee8..2f94c13393a5 100644 --- a/crypto/external/bsd/openssl/dist/apps/s_cb.c +++ b/crypto/external/bsd/openssl/dist/apps/s_cb.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -74,22 +74,28 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) } switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - BIO_puts(bio_err, "issuer= "); - X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), - 0, get_nameopt()); - BIO_puts(bio_err, "\n"); + if (err_cert != NULL) { + BIO_puts(bio_err, "issuer= "); + X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), + 0, get_nameopt()); + BIO_puts(bio_err, "\n"); + } break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - BIO_printf(bio_err, "notBefore="); - ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert)); - BIO_printf(bio_err, "\n"); + if (err_cert != NULL) { + BIO_printf(bio_err, "notBefore="); + ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert)); + BIO_printf(bio_err, "\n"); + } break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - BIO_printf(bio_err, "notAfter="); - ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert)); - BIO_printf(bio_err, "\n"); + if (err_cert != NULL) { + BIO_printf(bio_err, "notAfter="); + ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert)); + BIO_printf(bio_err, "\n"); + } break; case X509_V_ERR_NO_EXPLICIT_POLICY: if (!verify_args.quiet) diff --git a/crypto/external/bsd/openssl/dist/apps/s_server.c b/crypto/external/bsd/openssl/dist/apps/s_server.c index 6ee2af8e468c..b8e2e66747f6 100644 --- a/crypto/external/bsd/openssl/dist/apps/s_server.c +++ b/crypto/external/bsd/openssl/dist/apps/s_server.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -2236,6 +2236,30 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) SSL_CTX_sess_get_cache_size(ssl_ctx)); } +static long int count_reads_callback(BIO *bio, int cmd, const char *argp, + int argi, long int argl, long int ret) +{ + unsigned int *p_counter = (unsigned int *)BIO_get_callback_arg(bio); + + switch (cmd) { + case BIO_CB_READ: /* No break here */ + case BIO_CB_GETS: + if (p_counter != NULL) + ++*p_counter; + break; + default: + break; + } + + if (s_debug) { + BIO_set_callback_arg(bio, (char *)bio_s_out); + ret = bio_dump_callback(bio, cmd, argp, argi, argl, ret); + BIO_set_callback_arg(bio, (char *)p_counter); + } + + return ret; +} + static int sv_body(int s, int stype, int prot, unsigned char *context) { char *buf = NULL; @@ -2353,10 +2377,7 @@ static int sv_body(int s, int stype, int prot, unsigned char *context) SSL_set_accept_state(con); /* SSL_set_fd(con,s); */ - if (s_debug) { - BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); - BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out); - } + BIO_set_callback(SSL_get_rbio(con), count_reads_callback); if (s_msg) { #ifndef OPENSSL_NO_SSL_TRACE if (s_msg == 2) @@ -2653,7 +2674,25 @@ static int sv_body(int s, int stype, int prot, unsigned char *context) */ if ((!async || !SSL_waiting_for_async(con)) && !SSL_is_init_finished(con)) { + /* + * Count number of reads during init_ssl_connection. + * It helps us to distinguish configuration errors from errors + * caused by a client. + */ + unsigned int read_counter = 0; + + BIO_set_callback_arg(SSL_get_rbio(con), (char *)&read_counter); i = init_ssl_connection(con); + BIO_set_callback_arg(SSL_get_rbio(con), NULL); + + /* + * If initialization fails without reads, then + * there was a fatal error in configuration. + */ + if (i <= 0 && read_counter == 0) { + ret = -1; + goto err; + } if (i < 0) { ret = 0; diff --git a/crypto/external/bsd/openssl/dist/apps/x509.c b/crypto/external/bsd/openssl/dist/apps/x509.c index 1043eba0c8a0..8d4bf71a03ee 100644 --- a/crypto/external/bsd/openssl/dist/apps/x509.c +++ b/crypto/external/bsd/openssl/dist/apps/x509.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -400,7 +400,7 @@ int x509_main(int argc, char **argv) aliasout = ++num; break; case OPT_CACREATESERIAL: - CA_createserial = ++num; + CA_createserial = 1; break; case OPT_CLREXT: clrext = 1; @@ -590,6 +590,8 @@ int x509_main(int argc, char **argv) xca = load_cert(CAfile, CAformat, "CA Certificate"); if (xca == NULL) goto end; + if (reqfile && !X509_set_issuer_name(x, X509_get_subject_name(xca))) + goto end; } out = bio_open_default(outfile, 'w', outformat); @@ -914,6 +916,7 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile, char *buf = NULL; ASN1_INTEGER *bs = NULL; BIGNUM *serial = NULL; + int defaultfile = 0, file_exists; if (serialfile == NULL) { const char *p = strrchr(CAfile, '.'); @@ -923,9 +926,10 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile, memcpy(buf, CAfile, len); memcpy(buf + len, POSTFIX, sizeof(POSTFIX)); serialfile = buf; + defaultfile = 1; } - serial = load_serial(serialfile, create, NULL); + serial = load_serial(serialfile, &file_exists, create || defaultfile, NULL); if (serial == NULL) goto end; @@ -934,8 +938,10 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile, goto end; } - if (!save_serial(serialfile, NULL, serial, &bs)) - goto end; + if (file_exists || create) + save_serial(serialfile, NULL, serial, &bs); + else + bs = BN_to_ASN1_INTEGER(serial, NULL); end: OPENSSL_free(buf); diff --git a/crypto/external/bsd/openssl/dist/config b/crypto/external/bsd/openssl/dist/config index 49422981ae84..c7b035a0c57c 100755 --- a/crypto/external/bsd/openssl/dist/config +++ b/crypto/external/bsd/openssl/dist/config @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -709,6 +709,7 @@ case "$GUESSOS" in ia64-*-*bsd*) OUT="BSD-ia64" ;; x86_64-*-dragonfly*) OUT="BSD-x86_64" ;; amd64-*-*bsd*) OUT="BSD-x86_64" ;; + arm64-*-*bsd*) OUT="BSD-aarch64" ;; *86*-*-*bsd*) # mimic ld behaviour when it's looking for libc... if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD libc=/usr/lib/libc.so diff --git a/crypto/external/bsd/openssl/dist/crypto/aes/asm/aesni-x86.pl b/crypto/external/bsd/openssl/dist/crypto/aes/asm/aesni-x86.pl index fe2b26542ab6..3502940d5233 100644 --- a/crypto/external/bsd/openssl/dist/crypto/aes/asm/aesni-x86.pl +++ b/crypto/external/bsd/openssl/dist/crypto/aes/asm/aesni-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); &movdqu (&QWP(-16*2,$out,$inp),$inout4); &movdqu (&QWP(-16*1,$out,$inp),$inout5); &cmp ($inp,$len); # done yet? - &jb (&label("grandloop")); + &jbe (&label("grandloop")); &set_label("short"); &add ($len,16*6); @@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); &pxor ($rndkey1,$inout5); &movdqu (&QWP(-16*1,$out,$inp),$inout5); &cmp ($inp,$len); # done yet? - &jb (&label("grandloop")); + &jbe (&label("grandloop")); &set_label("short"); &add ($len,16*6); diff --git a/crypto/external/bsd/openssl/dist/crypto/aes/asm/aesv8-armx.pl b/crypto/external/bsd/openssl/dist/crypto/aes/asm/aesv8-armx.pl index 2b0e982996d1..7edc436a53ca 100755 --- a/crypto/external/bsd/openssl/dist/crypto/aes/asm/aesv8-armx.pl +++ b/crypto/external/bsd/openssl/dist/crypto/aes/asm/aesv8-armx.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -740,6 +740,21 @@ $code.=<<___; #ifndef __ARMEB__ rev $ctr, $ctr #endif +___ +$code.=<<___ if ($flavour =~ /64/); + vorr $dat1,$dat0,$dat0 + add $tctr1, $ctr, #1 + vorr $dat2,$dat0,$dat0 + add $ctr, $ctr, #2 + vorr $ivec,$dat0,$dat0 + rev $tctr1, $tctr1 + vmov.32 ${dat1}[3],$tctr1 + b.ls .Lctr32_tail + rev $tctr2, $ctr + sub $len,$len,#3 // bias + vmov.32 ${dat2}[3],$tctr2 +___ +$code.=<<___ if ($flavour !~ /64/); add $tctr1, $ctr, #1 vorr $ivec,$dat0,$dat0 rev $tctr1, $tctr1 @@ -751,6 +766,8 @@ $code.=<<___; vmov.32 ${ivec}[3],$tctr2 sub $len,$len,#3 // bias vorr $dat2,$ivec,$ivec +___ +$code.=<<___; b .Loop3x_ctr32 .align 4 @@ -777,11 +794,25 @@ $code.=<<___; aese $dat1,q8 aesmc $tmp1,$dat1 vld1.8 {$in0},[$inp],#16 +___ +$code.=<<___ if ($flavour =~ /64/); + vorr $dat0,$ivec,$ivec +___ +$code.=<<___ if ($flavour !~ /64/); add $tctr0,$ctr,#1 +___ +$code.=<<___; aese $dat2,q8 aesmc $dat2,$dat2 vld1.8 {$in1},[$inp],#16 +___ +$code.=<<___ if ($flavour =~ /64/); + vorr $dat1,$ivec,$ivec +___ +$code.=<<___ if ($flavour !~ /64/); rev $tctr0,$tctr0 +___ +$code.=<<___; aese $tmp0,q9 aesmc $tmp0,$tmp0 aese $tmp1,q9 @@ -790,6 +821,12 @@ $code.=<<___; mov $key_,$key aese $dat2,q9 aesmc $tmp2,$dat2 +___ +$code.=<<___ if ($flavour =~ /64/); + vorr $dat2,$ivec,$ivec + add $tctr0,$ctr,#1 +___ +$code.=<<___; aese $tmp0,q12 aesmc $tmp0,$tmp0 aese $tmp1,q12 @@ -805,22 +842,47 @@ $code.=<<___; aese $tmp1,q13 aesmc $tmp1,$tmp1 veor $in2,$in2,$rndlast +___ +$code.=<<___ if ($flavour =~ /64/); + rev $tctr0,$tctr0 + aese $tmp2,q13 + aesmc $tmp2,$tmp2 + vmov.32 ${dat0}[3], $tctr0 +___ +$code.=<<___ if ($flavour !~ /64/); vmov.32 ${ivec}[3], $tctr0 aese $tmp2,q13 aesmc $tmp2,$tmp2 vorr $dat0,$ivec,$ivec +___ +$code.=<<___; rev $tctr1,$tctr1 aese $tmp0,q14 aesmc $tmp0,$tmp0 +___ +$code.=<<___ if ($flavour !~ /64/); vmov.32 ${ivec}[3], $tctr1 rev $tctr2,$ctr +___ +$code.=<<___; aese $tmp1,q14 aesmc $tmp1,$tmp1 +___ +$code.=<<___ if ($flavour =~ /64/); + vmov.32 ${dat1}[3], $tctr1 + rev $tctr2,$ctr + aese $tmp2,q14 + aesmc $tmp2,$tmp2 + vmov.32 ${dat2}[3], $tctr2 +___ +$code.=<<___ if ($flavour !~ /64/); vorr $dat1,$ivec,$ivec vmov.32 ${ivec}[3], $tctr2 aese $tmp2,q14 aesmc $tmp2,$tmp2 vorr $dat2,$ivec,$ivec +___ +$code.=<<___; subs $len,$len,#3 aese $tmp0,q15 aese $tmp1,q15 diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c b/crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c index 38735cd86f3e..36853612b69c 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c @@ -489,6 +489,7 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags) char eol; int len; char linebuf[MAX_SMLEN]; + int ret; /* * Buffer output so we don't write one line at a time. This is useful * when streaming as we don't end up with one OCTET STRING per line. @@ -523,9 +524,12 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags) BIO_write(out, "\r\n", 2); } } - (void)BIO_flush(out); + ret = BIO_flush(out); BIO_pop(out); BIO_free(bf); + if (ret <= 0) + return 0; + return 1; } diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/bio_asn1.c b/crypto/external/bsd/openssl/dist/crypto/asn1/bio_asn1.c index 914d77c866c6..17b0d1aa6cad 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/bio_asn1.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/bio_asn1.c @@ -172,7 +172,7 @@ static int asn1_bio_write(BIO *b, const char *in, int inl) case ASN1_STATE_START: if (!asn1_bio_setup_ex(b, ctx, ctx->prefix, ASN1_STATE_PRE_COPY, ASN1_STATE_HEADER)) - return 0; + return -1; break; /* Copy any pre data first */ @@ -189,7 +189,7 @@ static int asn1_bio_write(BIO *b, const char *in, int inl) case ASN1_STATE_HEADER: ctx->buflen = ASN1_object_size(0, inl, ctx->asn1_tag) - inl; if (!ossl_assert(ctx->buflen <= ctx->bufsize)) - return 0; + return -1; p = ctx->buf; ASN1_put_object(&p, 0, inl, ctx->asn1_tag, ctx->asn1_class); ctx->copylen = inl; diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/bio_ndef.c b/crypto/external/bsd/openssl/dist/crypto/asn1/bio_ndef.c index 760e4846a474..c8a776b482d0 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/bio_ndef.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/bio_ndef.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, void *parg); +/* + * On success, the returned BIO owns the input BIO as part of its BIO chain. + * On failure, NULL is returned and the input BIO is owned by the caller. + * + * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() + */ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) { NDEF_SUPPORT *ndef_aux = NULL; BIO *asn_bio = NULL; const ASN1_AUX *aux = it->funcs; ASN1_STREAM_ARG sarg; + BIO *pop_bio = NULL; if (!aux || !aux->asn1_cb) { ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED); @@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) out = BIO_push(asn_bio, out); if (out == NULL) goto err; + pop_bio = asn_bio; - BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); - BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); + if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 + || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 + || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) + goto err; /* - * Now let callback prepends any digest, cipher etc BIOs ASN1 structure - * needs. + * Now let the callback prepend any digest, cipher, etc., that the BIO's + * ASN1 structure needs. */ sarg.out = out; sarg.ndef_bio = NULL; sarg.boundary = NULL; - if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) + /* + * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the + * middle of some partially built, but not returned BIO chain. + */ + if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { + /* + * ndef_aux is now owned by asn_bio so we must not free it in the err + * clean up block + */ + ndef_aux = NULL; goto err; + } + + /* + * We must not fail now because the callback has prepended additional + * BIOs to the chain + */ ndef_aux->val = val; ndef_aux->it = it; @@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) ndef_aux->boundary = sarg.boundary; ndef_aux->out = out; - BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); - return sarg.ndef_bio; err: + /* BIO_pop() is NULL safe */ + (void)BIO_pop(pop_bio); BIO_free(asn_bio); OPENSSL_free(ndef_aux); return NULL; diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/charmap.pl b/crypto/external/bsd/openssl/dist/crypto/asn1/charmap.pl index dadd8df7749d..52fa5a7900ca 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/charmap.pl +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/charmap.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -7,6 +7,9 @@ # https://www.openssl.org/source/license.html use strict; +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; my ($i, @arr); @@ -82,8 +85,8 @@ $arr[ord("?")] |= $PSTRING_CHAR; # Now generate the C code -# Output year depends on the year of the script. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; +# Year the file was generated. +my $YEAR = OpenSSL::copyright::year_of($0); print < +#include /* * Copyright Patrick Powell 1995 @@ -31,8 +32,10 @@ static int fmtstr(char **, char **, size_t *, size_t *, const char *, int, int, int); static int fmtint(char **, char **, size_t *, size_t *, int64_t, int, int, int, int); +#ifndef OPENSSL_SYS_UEFI static int fmtfp(char **, char **, size_t *, size_t *, LDOUBLE, int, int, int, int); +#endif static int doapr_outch(char **, char **, size_t *, size_t *, int); static int _dopr(char **sbuffer, char **buffer, size_t *maxlen, size_t *retlen, int *truncated, @@ -88,7 +91,9 @@ _dopr(char **sbuffer, { char ch; int64_t value; +#ifndef OPENSSL_SYS_UEFI LDOUBLE fvalue; +#endif char *strvalue; int min; int max; @@ -259,6 +264,7 @@ _dopr(char **sbuffer, min, max, flags)) return 0; break; +#ifndef OPENSSL_SYS_UEFI case 'f': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); @@ -292,6 +298,16 @@ _dopr(char **sbuffer, flags, G_FORMAT)) return 0; break; +#else + case 'f': + case 'E': + case 'e': + case 'G': + case 'g': + /* not implemented for UEFI */ + ERR_raise(ERR_LIB_BIO, ERR_R_UNSUPPORTED); + return 0; +#endif case 'c': if (!doapr_outch(sbuffer, buffer, &currlen, maxlen, va_arg(args, int))) @@ -512,6 +528,8 @@ fmtint(char **sbuffer, return 1; } +#ifndef OPENSSL_SYS_UEFI + static LDOUBLE abs_val(LDOUBLE value) { LDOUBLE result = value; @@ -803,6 +821,8 @@ fmtfp(char **sbuffer, return 1; } +#endif /* OPENSSL_SYS_UEFI */ + #define BUFFER_INC 1024 static int diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl index 8c37d132e476..33cb769c36d5 100755 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -2101,193 +2101,6 @@ __bn_post4x_internal: .size __bn_post4x_internal,.-__bn_post4x_internal ___ } -{ -$code.=<<___; -.globl bn_from_montgomery -.type bn_from_montgomery,\@abi-omnipotent -.align 32 -bn_from_montgomery: -.cfi_startproc - testl \$7,`($win64?"48(%rsp)":"%r9d")` - jz bn_from_mont8x - xor %eax,%eax - ret -.cfi_endproc -.size bn_from_montgomery,.-bn_from_montgomery - -.type bn_from_mont8x,\@function,6 -.align 32 -bn_from_mont8x: -.cfi_startproc - .byte 0x67 - mov %rsp,%rax -.cfi_def_cfa_register %rax - push %rbx -.cfi_push %rbx - push %rbp -.cfi_push %rbp - push %r12 -.cfi_push %r12 - push %r13 -.cfi_push %r13 - push %r14 -.cfi_push %r14 - push %r15 -.cfi_push %r15 -.Lfrom_prologue: - - shl \$3,${num}d # convert $num to bytes - lea ($num,$num,2),%r10 # 3*$num in bytes - neg $num - mov ($n0),$n0 # *n0 - - ############################################################## - # Ensure that stack frame doesn't alias with $rptr+3*$num - # modulo 4096, which covers ret[num], am[num] and n[num] - # (see bn_exp.c). The stack is allocated to aligned with - # bn_power5's frame, and as bn_from_montgomery happens to be - # last operation, we use the opportunity to cleanse it. - # - lea -320(%rsp,$num,2),%r11 - mov %rsp,%rbp - sub $rptr,%r11 - and \$4095,%r11 - cmp %r11,%r10 - jb .Lfrom_sp_alt - sub %r11,%rbp # align with $aptr - lea -320(%rbp,$num,2),%rbp # future alloca(frame+2*$num*8+256) - jmp .Lfrom_sp_done - -.align 32 -.Lfrom_sp_alt: - lea 4096-320(,$num,2),%r10 - lea -320(%rbp,$num,2),%rbp # future alloca(frame+2*$num*8+256) - sub %r10,%r11 - mov \$0,%r10 - cmovc %r10,%r11 - sub %r11,%rbp -.Lfrom_sp_done: - and \$-64,%rbp - mov %rsp,%r11 - sub %rbp,%r11 - and \$-4096,%r11 - lea (%rbp,%r11),%rsp - mov (%rsp),%r10 - cmp %rbp,%rsp - ja .Lfrom_page_walk - jmp .Lfrom_page_walk_done - -.Lfrom_page_walk: - lea -4096(%rsp),%rsp - mov (%rsp),%r10 - cmp %rbp,%rsp - ja .Lfrom_page_walk -.Lfrom_page_walk_done: - - mov $num,%r10 - neg $num - - ############################################################## - # Stack layout - # - # +0 saved $num, used in reduction section - # +8 &t[2*$num], used in reduction section - # +32 saved *n0 - # +40 saved %rsp - # +48 t[2*$num] - # - mov $n0, 32(%rsp) - mov %rax, 40(%rsp) # save original %rsp -.cfi_cfa_expression %rsp+40,deref,+8 -.Lfrom_body: - mov $num,%r11 - lea 48(%rsp),%rax - pxor %xmm0,%xmm0 - jmp .Lmul_by_1 - -.align 32 -.Lmul_by_1: - movdqu ($aptr),%xmm1 - movdqu 16($aptr),%xmm2 - movdqu 32($aptr),%xmm3 - movdqa %xmm0,(%rax,$num) - movdqu 48($aptr),%xmm4 - movdqa %xmm0,16(%rax,$num) - .byte 0x48,0x8d,0xb6,0x40,0x00,0x00,0x00 # lea 64($aptr),$aptr - movdqa %xmm1,(%rax) - movdqa %xmm0,32(%rax,$num) - movdqa %xmm2,16(%rax) - movdqa %xmm0,48(%rax,$num) - movdqa %xmm3,32(%rax) - movdqa %xmm4,48(%rax) - lea 64(%rax),%rax - sub \$64,%r11 - jnz .Lmul_by_1 - - movq $rptr,%xmm1 - movq $nptr,%xmm2 - .byte 0x67 - mov $nptr,%rbp - movq %r10, %xmm3 # -num -___ -$code.=<<___ if ($addx); - mov OPENSSL_ia32cap_P+8(%rip),%r11d - and \$0x80108,%r11d - cmp \$0x80108,%r11d # check for AD*X+BMI2+BMI1 - jne .Lfrom_mont_nox - - lea (%rax,$num),$rptr - call __bn_sqrx8x_reduction - call __bn_postx4x_internal - - pxor %xmm0,%xmm0 - lea 48(%rsp),%rax - jmp .Lfrom_mont_zero - -.align 32 -.Lfrom_mont_nox: -___ -$code.=<<___; - call __bn_sqr8x_reduction - call __bn_post4x_internal - - pxor %xmm0,%xmm0 - lea 48(%rsp),%rax - jmp .Lfrom_mont_zero - -.align 32 -.Lfrom_mont_zero: - mov 40(%rsp),%rsi # restore %rsp -.cfi_def_cfa %rsi,8 - movdqa %xmm0,16*0(%rax) - movdqa %xmm0,16*1(%rax) - movdqa %xmm0,16*2(%rax) - movdqa %xmm0,16*3(%rax) - lea 16*4(%rax),%rax - sub \$32,$num - jnz .Lfrom_mont_zero - - mov \$1,%rax - mov -48(%rsi),%r15 -.cfi_restore %r15 - mov -40(%rsi),%r14 -.cfi_restore %r14 - mov -32(%rsi),%r13 -.cfi_restore %r13 - mov -24(%rsi),%r12 -.cfi_restore %r12 - mov -16(%rsi),%rbp -.cfi_restore %rbp - mov -8(%rsi),%rbx -.cfi_restore %rbx - lea (%rsi),%rsp -.cfi_def_cfa_register %rsp -.Lfrom_epilogue: - ret -.cfi_endproc -.size bn_from_mont8x,.-bn_from_mont8x -___ -} }}} if ($addx) {{{ @@ -3894,10 +3707,6 @@ mul_handler: .rva .LSEH_begin_bn_power5 .rva .LSEH_end_bn_power5 .rva .LSEH_info_bn_power5 - - .rva .LSEH_begin_bn_from_mont8x - .rva .LSEH_end_bn_from_mont8x - .rva .LSEH_info_bn_from_mont8x ___ $code.=<<___ if ($addx); .rva .LSEH_begin_bn_mulx4x_mont_gather5 @@ -3929,11 +3738,6 @@ $code.=<<___; .byte 9,0,0,0 .rva mul_handler .rva .Lpower5_prologue,.Lpower5_body,.Lpower5_epilogue # HandlerData[] -.align 8 -.LSEH_info_bn_from_mont8x: - .byte 9,0,0,0 - .rva mul_handler - .rva .Lfrom_prologue,.Lfrom_body,.Lfrom_epilogue # HandlerData[] ___ $code.=<<___ if ($addx); .align 8 diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_blind.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_blind.c index 76fc7ebcffc0..dd5beea7c93e 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_blind.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_blind.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,20 +13,6 @@ #define BN_BLINDING_COUNTER 32 -struct bn_blinding_st { - BIGNUM *A; - BIGNUM *Ai; - BIGNUM *e; - BIGNUM *mod; /* just a reference */ - CRYPTO_THREAD_ID tid; - int counter; - unsigned long flags; - BN_MONT_CTX *m_ctx; - int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); - CRYPTO_RWLOCK *lock; -}; - BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) { BN_BLINDING *ret = NULL; diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_div.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_div.c index 0da9f39b31a9..4273618825cc 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_div.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_div.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -446,8 +446,10 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, snum->neg = num_neg; snum->top = div_n; snum->flags |= BN_FLG_FIXED_TOP; - if (rm != NULL) - bn_rshift_fixed_top(rm, snum, norm_shift); + + if (rm != NULL && bn_rshift_fixed_top(rm, snum, norm_shift) == 0) + goto err; + BN_CTX_end(ctx); return 1; err: diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_err.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_err.c index dd87c152cf37..6f5464b54054 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_err.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = { {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"}, {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"}, {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"}, + {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0), + "ossl_bn_rsa_do_unblind"}, {0, NULL} }; diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c index ef6a8f346d0d..9e9cd107bb4a 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,6 +41,15 @@ extern unsigned int OPENSSL_sparcv9cap_P[]; /* maximum precomputation table size for *variable* sliding windows */ #define TABLE_SIZE 32 +/* + * Beyond this limit the constant time code is disabled due to + * the possible overflow in the computation of powerbufLen in + * BN_mod_exp_mont_consttime. + * When this limit is exceeded, the computation will be done using + * non-constant time code, but it will take very long. + */ +#define BN_CONSTTIME_SIZE_LIMIT (INT_MAX / BN_BYTES / 256) + /* this one works - simple but works */ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { @@ -192,13 +201,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, return ret; } + BN_RECP_CTX_init(&recp); + BN_CTX_start(ctx); aa = BN_CTX_get(ctx); val[0] = BN_CTX_get(ctx); if (val[0] == NULL) goto err; - BN_RECP_CTX_init(&recp); if (m->neg) { /* ignore sign of 'm' */ if (!BN_copy(aa, m)) @@ -308,12 +318,6 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, BIGNUM *val[TABLE_SIZE]; BN_MONT_CTX *mont = NULL; - if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0 - || BN_get_flags(a, BN_FLG_CONSTTIME) != 0 - || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) { - return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); - } - bn_check_top(a); bn_check_top(p); bn_check_top(m); @@ -322,6 +326,14 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, BNerr(BN_F_BN_MOD_EXP_MONT, BN_R_CALLED_WITH_EVEN_MODULUS); return 0; } + + if (m->top <= BN_CONSTTIME_SIZE_LIMIT + && (BN_get_flags(p, BN_FLG_CONSTTIME) != 0 + || BN_get_flags(a, BN_FLG_CONSTTIME) != 0 + || BN_get_flags(m, BN_FLG_CONSTTIME) != 0)) { + return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); + } + bits = BN_num_bits(p); if (bits == 0) { /* x**0 mod 1, or x**0 mod -1 is still zero. */ @@ -621,6 +633,11 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, top = m->top; + if (top > BN_CONSTTIME_SIZE_LIMIT) { + /* Prevent overflowing the powerbufLen computation below */ + return BN_mod_exp_mont(rr, a, p, m, ctx, in_mont); + } + /* * Use all bits stored in |p|, rather than |BN_num_bits|, so we do not leak * whether the top bits are zero. @@ -700,7 +717,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, else #endif #if defined(OPENSSL_BN_ASM_MONT5) - if (window >= 5) { + if (window >= 5 && top <= BN_SOFT_LIMIT) { window = 5; /* ~5% improvement for RSA2048 sign, and even * for RSA4096 */ /* reserve space for mont->N.d[] copy */ @@ -761,6 +778,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, if (!bn_to_mont_fixed_top(&am, a, mont, ctx)) goto err; + if (top > BN_SOFT_LIMIT) + goto fallback; + #if defined(SPARC_T4_MONT) if (t4) { typedef int (*bn_pwr5_mont_f) (BN_ULONG *tp, const BN_ULONG *np, @@ -903,14 +923,21 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, #if defined(OPENSSL_BN_ASM_MONT5) if (window == 5 && top > 1) { /* - * This optimization uses ideas from http://eprint.iacr.org/2011/239, - * specifically optimization of cache-timing attack countermeasures - * and pre-computation optimization. - */ - - /* - * Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as - * 512-bit RSA is hardly relevant, we omit it to spare size... + * This optimization uses ideas from https://eprint.iacr.org/2011/239, + * specifically optimization of cache-timing attack countermeasures, + * pre-computation optimization, and Almost Montgomery Multiplication. + * + * The paper discusses a 4-bit window to optimize 512-bit modular + * exponentiation, used in RSA-1024 with CRT, but RSA-1024 is no longer + * important. + * + * |bn_mul_mont_gather5| and |bn_power5| implement the "almost" + * reduction variant, so the values here may not be fully reduced. + * They are bounded by R (i.e. they fit in |top| words), not |m|. + * Additionally, we pass these "almost" reduced inputs into + * |bn_mul_mont|, which implements the normal reduction variant. + * Given those inputs, |bn_mul_mont| may not give reduced + * output, but it will still produce "almost" reduced output. */ void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap, const void *table, const BN_ULONG *np, @@ -922,9 +949,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const void *table, const BN_ULONG *np, const BN_ULONG *n0, int num, int power); int bn_get_bits5(const BN_ULONG *ap, int off); - int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap, - const BN_ULONG *not_used, const BN_ULONG *np, - const BN_ULONG *n0, int num); BN_ULONG *n0 = mont->n0, *np; @@ -1013,17 +1037,22 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } } - ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np, n0, top); tmp.top = top; - bn_correct_top(&tmp); - if (ret) { - if (!BN_copy(rr, &tmp)) - ret = 0; - goto err; /* non-zero ret means it's not error */ - } + /* + * The result is now in |tmp| in Montgomery form, but it may not be + * fully reduced. This is within bounds for |BN_from_montgomery| + * (tmp < R <= m*R) so it will, when converting from Montgomery form, + * produce a fully reduced result. + * + * This differs from Figure 2 of the paper, which uses AMM(h, 1) to + * convert from Montgomery form with unreduced output, followed by an + * extra reduction step. In the paper's terminology, we replace + * steps 9 and 10 with MM(h, 1). + */ } else #endif { + fallback: if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window)) diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_gcd.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_gcd.c index 0941f7b97f3f..6190bf1eddb0 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_gcd.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_gcd.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -47,7 +47,8 @@ BIGNUM *bn_mod_inverse_no_branch(BIGNUM *in, if (R == NULL) goto err; - BN_one(X); + if (!BN_one(X)) + goto err; BN_zero(Y); if (BN_copy(B, a) == NULL) goto err; @@ -235,7 +236,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in, if (R == NULL) goto err; - BN_one(X); + if (!BN_one(X)) + goto err; BN_zero(Y); if (BN_copy(B, a) == NULL) goto err; diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_local.h b/crypto/external/bsd/openssl/dist/crypto/bn/bn_local.h index 8ad69ccd3639..30b7614fdbb2 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_local.h +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -35,6 +35,26 @@ /* #define BN_DEBUG */ /* #define BN_DEBUG_RAND */ +/* + * This should limit the stack usage due to alloca to about 4K. + * BN_SOFT_LIMIT is a soft limit equivalent to 2*OPENSSL_RSA_MAX_MODULUS_BITS. + * Beyond that size bn_mul_mont is no longer used, and the constant time + * assembler code is disabled, due to the blatant alloca and bn_mul_mont usage. + * Note that bn_mul_mont does an alloca that is hidden away in assembly. + * It is not recommended to do computations with numbers exceeding this limit, + * since the result will be highly version dependent: + * While the current OpenSSL version will use non-optimized, but safe code, + * previous versions will use optimized code, that may crash due to unexpected + * stack overflow, and future versions may very well turn this into a hard + * limit. + * Note however, that it is possible to override the size limit using + * "./config -DBN_SOFT_LIMIT=" if necessary, and the O/S specific + * stack limit is known and taken into consideration. + */ +# ifndef BN_SOFT_LIMIT +# define BN_SOFT_LIMIT (4096 / BN_BYTES) +# endif + # ifndef OPENSSL_SMALL_FOOTPRINT # define BN_MUL_COMBA # define BN_SQR_COMBA @@ -263,6 +283,20 @@ struct bn_gencb_st { } cb; }; +struct bn_blinding_st { + BIGNUM *A; + BIGNUM *Ai; + BIGNUM *e; + BIGNUM *mod; /* just a reference */ + CRYPTO_THREAD_ID tid; + int counter; + unsigned long flags; + BN_MONT_CTX *m_ctx; + int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); + CRYPTO_RWLOCK *lock; +}; + /*- * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions * diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c index 1e5045a010bb..7617b0df5e70 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -42,7 +42,7 @@ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int num = mont->N.top; #if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) - if (num > 1 && a->top == num && b->top == num) { + if (num > 1 && num <= BN_SOFT_LIMIT && a->top == num && b->top == num) { if (bn_wexpand(r, num) == NULL) return 0; if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) { diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c index 325dc228490a..c29e62ed3fef 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -249,17 +249,28 @@ const BIGNUM *BN_get0_nist_prime_521(void) return &_bignum_nist_p_521; } -static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max) -{ - int i; - -#ifdef BN_DEBUG - (void)ossl_assert(top <= max); -#endif - for (i = 0; i < top; i++) - dst[i] = src[i]; - for (; i < max; i++) - dst[i] = 0; +/* + * To avoid more recent compilers (specifically clang-14) from treating this + * code as a violation of the strict aliasing conditions and omiting it, this + * cannot be declared as a function. Moreover, the dst parameter cannot be + * cached in a local since this no longer references the union and again falls + * foul of the strict aliasing criteria. Refer to #18225 for the initial + * diagnostics and llvm/llvm-project#55255 for the later discussions with the + * LLVM developers. The problem boils down to if an array in the union is + * converted to a pointer or if it is used directly. + * + * This function was inlined regardless, so there is no space cost to be + * paid for making it a macro. + */ +#define nist_cp_bn_0(dst, src_in, top, max) \ +{ \ + int ii; \ + const BN_ULONG *src = src_in; \ + \ + for (ii = 0; ii < top; ii++) \ + (dst)[ii] = src[ii]; \ + for (; ii < max; ii++) \ + (dst)[ii] = 0; \ } static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top) diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_prime.pl b/crypto/external/bsd/openssl/dist/crypto/bn/bn_prime.pl index b0b16087429b..d2eaac6564f8 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_prime.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_prime.pl @@ -1,13 +1,16 @@ #! /usr/bin/env perl -# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; -# Output year depends on the year of the script. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; +# The year the output file is generated. +my $YEAR = OpenSSL::copyright::year_of($0); print <<"EOF"; /* * WARNING: do not edit! diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/build.info b/crypto/external/bsd/openssl/dist/crypto/bn/build.info index b9ed5322fa68..c9fe2fdada69 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/build.info +++ b/crypto/external/bsd/openssl/dist/crypto/bn/build.info @@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \ {- $target{bn_asm_src} -} \ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ - bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c + bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \ + rsa_sup_mul.c INCLUDE[bn_exp.o]=.. diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/rsa_sup_mul.c b/crypto/external/bsd/openssl/dist/crypto/bn/rsa_sup_mul.c new file mode 100644 index 000000000000..acafefd5febf --- /dev/null +++ b/crypto/external/bsd/openssl/dist/crypto/bn/rsa_sup_mul.c @@ -0,0 +1,614 @@ +#include +#include +#include +#include +#include +#include +#include +#include "internal/numbers.h" +#include "internal/constant_time.h" +#include "bn_local.h" + +# if BN_BYTES == 8 +typedef uint64_t limb_t; +# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 +/* nonstandard; implemented by gcc on 64-bit platforms */ +typedef __uint128_t limb2_t; +# define HAVE_LIMB2_T +# endif +# define LIMB_BIT_SIZE 64 +# define LIMB_BYTE_SIZE 8 +# elif BN_BYTES == 4 +typedef uint32_t limb_t; +typedef uint64_t limb2_t; +# define LIMB_BIT_SIZE 32 +# define LIMB_BYTE_SIZE 4 +# define HAVE_LIMB2_T +# else +# error "Not supported" +# endif + +/* + * For multiplication we're using schoolbook multiplication, + * so if we have two numbers, each with 6 "digits" (words) + * the multiplication is calculated as follows: + * A B C D E F + * x I J K L M N + * -------------- + * N*F + * N*E + * N*D + * N*C + * N*B + * N*A + * M*F + * M*E + * M*D + * M*C + * M*B + * M*A + * L*F + * L*E + * L*D + * L*C + * L*B + * L*A + * K*F + * K*E + * K*D + * K*C + * K*B + * K*A + * J*F + * J*E + * J*D + * J*C + * J*B + * J*A + * I*F + * I*E + * I*D + * I*C + * I*B + * + I*A + * ========================== + * N*B N*D N*F + * + N*A N*C N*E + * + M*B M*D M*F + * + M*A M*C M*E + * + L*B L*D L*F + * + L*A L*C L*E + * + K*B K*D K*F + * + K*A K*C K*E + * + J*B J*D J*F + * + J*A J*C J*E + * + I*B I*D I*F + * + I*A I*C I*E + * + * 1+1 1+3 1+5 + * 1+0 1+2 1+4 + * 0+1 0+3 0+5 + * 0+0 0+2 0+4 + * + * 0 1 2 3 4 5 6 + * which requires n^2 multiplications and 2n full length additions + * as we can keep every other result of limb multiplication in two separate + * limbs + */ + +#if defined HAVE_LIMB2_T +static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) +{ + limb2_t t; + /* + * this is idiomatic code to tell compiler to use the native mul + * those three lines will actually compile to single instruction + */ + + t = (limb2_t)a * b; + *hi = t >> LIMB_BIT_SIZE; + *lo = (limb_t)t; +} +#elif (BN_BYTES == 8) && (defined _MSC_VER) +/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ +#pragma intrinsic(_umul128) +static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) +{ + *lo = _umul128(a, b, hi); +} +#else +/* + * if the compiler doesn't have either a 128bit data type nor a "return + * high 64 bits of multiplication" + */ +static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) +{ + limb_t a_low = (limb_t)(uint32_t)a; + limb_t a_hi = a >> 32; + limb_t b_low = (limb_t)(uint32_t)b; + limb_t b_hi = b >> 32; + + limb_t p0 = a_low * b_low; + limb_t p1 = a_low * b_hi; + limb_t p2 = a_hi * b_low; + limb_t p3 = a_hi * b_hi; + + uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); + + *lo = p0 + (p1 << 32) + (p2 << 32); + *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; +} +#endif + +/* add two limbs with carry in, return carry out */ +static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) +{ + limb_t carry1, carry2, t; + /* + * `c = a + b; if (c < a)` is idiomatic code that makes compilers + * use add with carry on assembly level + */ + + *ret = a + carry; + if (*ret < a) + carry1 = 1; + else + carry1 = 0; + + t = *ret; + *ret = t + b; + if (*ret < t) + carry2 = 1; + else + carry2 = 0; + + return carry1 + carry2; +} + +/* + * add two numbers of the same size, return overflow + * + * add a to b, place result in ret; all arrays need to be n limbs long + * return overflow from addition (0 or 1) + */ +static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) +{ + limb_t c = 0; + ossl_ssize_t i; + + for(i = n - 1; i > -1; i--) + c = _add_limb(&ret[i], a[i], b[i], c); + + return c; +} + +/* + * return number of limbs necessary for temporary values + * when multiplying numbers n limbs large + */ +static ossl_inline size_t mul_limb_numb(size_t n) +{ + return 2 * n * 2; +} + +/* + * multiply two numbers of the same size + * + * multiply a by b, place result in ret; a and b need to be n limbs long + * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs + * long + */ +static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) +{ + limb_t *r_odd, *r_even; + size_t i, j, k; + + r_odd = tmp; + r_even = &tmp[2 * n]; + + memset(ret, 0, 2 * n * sizeof(limb_t)); + + for (i = 0; i < n; i++) { + for (k = 0; k < i + n + 1; k++) { + r_even[k] = 0; + r_odd[k] = 0; + } + for (j = 0; j < n; j++) { + /* + * place results from even and odd limbs in separate arrays so that + * we don't have to calculate overflow every time we get individual + * limb multiplication result + */ + if (j % 2 == 0) + _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); + else + _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); + } + /* + * skip the least significant limbs when adding multiples of + * more significant limbs (they're zero anyway) + */ + add(ret, ret, r_even, n + i + 1); + add(ret, ret, r_odd, n + i + 1); + } +} + +/* modifies the value in place by performing a right shift by one bit */ +static ossl_inline void rshift1(limb_t *val, size_t n) +{ + limb_t shift_in = 0, shift_out = 0; + size_t i; + + for (i = 0; i < n; i++) { + shift_out = val[i] & 1; + val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); + shift_in = shift_out; + } +} + +/* extend the LSB of flag to all bits of limb */ +static ossl_inline limb_t mk_mask(limb_t flag) +{ + flag |= flag << 1; + flag |= flag << 2; + flag |= flag << 4; + flag |= flag << 8; + flag |= flag << 16; +#if (LIMB_BYTE_SIZE == 8) + flag |= flag << 32; +#endif + return flag; +} + +/* + * copy from either a or b to ret based on flag + * when flag == 0, then copies from b + * when flag == 1, then copies from a + */ +static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) +{ + /* + * would be more efficient with non volatile mask, but then gcc + * generates code with jumps + */ + volatile limb_t mask; + size_t i; + + mask = mk_mask(flag); + for (i = 0; i < n; i++) { +#if (LIMB_BYTE_SIZE == 8) + ret[i] = constant_time_select_64(mask, a[i], b[i]); +#else + ret[i] = constant_time_select_32(mask, a[i], b[i]); +#endif + } +} + +static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) +{ + limb_t borrow1, borrow2, t; + /* + * while it doesn't look constant-time, this is idiomatic code + * to tell compilers to use the carry bit from subtraction + */ + + *ret = a - borrow; + if (*ret > a) + borrow1 = 1; + else + borrow1 = 0; + + t = *ret; + *ret = t - b; + if (*ret > t) + borrow2 = 1; + else + borrow2 = 0; + + return borrow1 + borrow2; +} + +/* + * place the result of a - b into ret, return the borrow bit. + * All arrays need to be n limbs long + */ +static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) +{ + limb_t borrow = 0; + ossl_ssize_t i; + + for (i = n - 1; i > -1; i--) + borrow = _sub_limb(&ret[i], a[i], b[i], borrow); + + return borrow; +} + +/* return the number of limbs necessary to allocate for the mod() tmp operand */ +static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) +{ + return (anum + modnum) * 3; +} + +/* + * calculate a % mod, place the result in ret + * size of a is defined by anum, size of ret and mod is modnum, + * size of tmp is returned by mod_limb_numb() + */ +static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, + size_t modnum, limb_t *tmp) +{ + limb_t *atmp, *modtmp, *rettmp; + limb_t res; + size_t i; + + memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); + + atmp = tmp; + modtmp = &tmp[anum + modnum]; + rettmp = &tmp[(anum + modnum) * 2]; + + for (i = modnum; i 0; i--, rp--) { + v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2); + v = v + carry + rp[-1]; + carry |= (v != rp[-1]); + carry &= (v <= rp[-1]); + rp[-1] = v; + } + + /* perform the final reduction by mod... */ + carry -= sub(ret, rp, mod, modnum); + + /* ...conditionally */ + cselect(carry, ret, rp, ret, modnum); +} + +/* allocated buffer should be freed afterwards */ +static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) +{ + int i; + int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; + limb_t *ptr = buf + (limbs - real_limbs); + + for (i = 0; i < real_limbs; i++) + ptr[i] = bn->d[real_limbs - i - 1]; +} + +#if LIMB_BYTE_SIZE == 8 +static ossl_inline uint64_t be64(uint64_t host) +{ + const union { + long one; + char little; + } is_endian = { 1 }; + + if (is_endian.little) { + uint64_t big = 0; + + big |= (host & 0xff00000000000000) >> 56; + big |= (host & 0x00ff000000000000) >> 40; + big |= (host & 0x0000ff0000000000) >> 24; + big |= (host & 0x000000ff00000000) >> 8; + big |= (host & 0x00000000ff000000) << 8; + big |= (host & 0x0000000000ff0000) << 24; + big |= (host & 0x000000000000ff00) << 40; + big |= (host & 0x00000000000000ff) << 56; + return big; + } else { + return host; + } +} + +#else +/* Not all platforms have htobe32(). */ +static ossl_inline uint32_t be32(uint32_t host) +{ + const union { + long one; + char little; + } is_endian = { 1 }; + + if (is_endian.little) { + uint32_t big = 0; + + big |= (host & 0xff000000) >> 24; + big |= (host & 0x00ff0000) >> 8; + big |= (host & 0x0000ff00) << 8; + big |= (host & 0x000000ff) << 24; + return big; + } else { + return host; + } +} +#endif + +/* + * We assume that intermediate, possible_arg2, blinding, and ctx are used + * similar to BN_BLINDING_invert_ex() arguments. + * to_mod is RSA modulus. + * buf and num is the serialization buffer and its length. + * + * Here we use classic/Montgomery multiplication and modulo. After the calculation finished + * we serialize the new structure instead of BIGNUMs taking endianness into account. + */ +int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, + const BN_BLINDING *blinding, + const BIGNUM *possible_arg2, + const BIGNUM *to_mod, BN_CTX *ctx, + unsigned char *buf, int num) +{ + limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; + limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; + size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; + size_t l_tmp_count = 0; + int ret = 0; + size_t i; + unsigned char *tmp; + const BIGNUM *arg1 = intermediate; + const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; + + l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; + l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; + l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; + + l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; + l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); + l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); + l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); + + if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) + goto err; + + BN_to_limb(arg1, l_im, l_size); + BN_to_limb(arg2, l_mul, l_size); + BN_to_limb(to_mod, l_mod, l_mod_count); + + l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); + + if (blinding->m_ctx != NULL) { + l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? + mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); + l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); + } else { + l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? + mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); + l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); + } + + if ((l_ret == NULL) || (l_tmp == NULL)) + goto err; + + if (blinding->m_ctx != NULL) { + limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); + mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, + blinding->m_ctx->n0[0], l_tmp); + } else { + limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); + mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); + } + + /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ + if (num < BN_num_bytes(to_mod)) { + BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT); + goto err; + } + + memset(buf, 0, num); + tmp = buf + num - BN_num_bytes(to_mod); + for (i = 0; i < l_mod_count; i++) { +#if LIMB_BYTE_SIZE == 8 + l_buf = be64(l_ret[i]); +#else + l_buf = be32(l_ret[i]); +#endif + if (i == 0) { + int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); + + memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); + tmp += delta; + } else { + memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); + tmp += LIMB_BYTE_SIZE; + } + } + ret = num; + + err: + OPENSSL_free(l_im); + OPENSSL_free(l_mul); + OPENSSL_free(l_mod); + OPENSSL_free(l_tmp); + OPENSSL_free(l_ret); + + return ret; +} diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/rsaz_exp.c b/crypto/external/bsd/openssl/dist/crypto/bn/rsaz_exp.c index 22455b8a6374..a2ab58bbeb4c 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/rsaz_exp.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/rsaz_exp.c @@ -1,5 +1,5 @@ /* - * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2012, Intel Corporation. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -66,6 +66,7 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16], unsigned char *R2 = table_s; /* borrow */ int index; int wvalue; + BN_ULONG tmp[16]; if ((((size_t)p_str & 4095) + 320) >> 12) { result = p_str; @@ -237,7 +238,10 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16], rsaz_1024_red2norm_avx2(result_norm, result); + bn_reduce_once_in_place(result_norm, /*carry=*/0, m_norm, tmp, 16); + OPENSSL_cleanse(storage, sizeof(storage)); + OPENSSL_cleanse(tmp, sizeof(tmp)); } /* @@ -266,6 +270,7 @@ void RSAZ_512_mod_exp(BN_ULONG result[8], unsigned char *p_str = (unsigned char *)exponent; int index; unsigned int wvalue; + BN_ULONG tmp[8]; /* table[0] = 1_inv */ temp[0] = 0 - m[0]; @@ -309,7 +314,10 @@ void RSAZ_512_mod_exp(BN_ULONG result[8], /* from Montgomery */ rsaz_512_mul_by_one(result, temp, m, k0); + bn_reduce_once_in_place(result, /*carry=*/0, m, tmp, 8); + OPENSSL_cleanse(storage, sizeof(storage)); + OPENSSL_cleanse(tmp, sizeof(tmp)); } #endif diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/rsaz_exp.h b/crypto/external/bsd/openssl/dist/crypto/bn/rsaz_exp.h index 88f65a4bae46..1532a7e07179 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/rsaz_exp.h +++ b/crypto/external/bsd/openssl/dist/crypto/bn/rsaz_exp.h @@ -1,5 +1,5 @@ /* - * Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2012, Intel Corporation. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -22,6 +22,8 @@ # define RSAZ_ENABLED # include +# include "internal/constant_time.h" +# include "bn_local.h" void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16], const BN_ULONG base_norm[16], @@ -35,6 +37,27 @@ void RSAZ_512_mod_exp(BN_ULONG result[8], const BN_ULONG m_norm[8], BN_ULONG k0, const BN_ULONG RR[8]); +static ossl_inline void bn_select_words(BN_ULONG *r, BN_ULONG mask, + const BN_ULONG *a, + const BN_ULONG *b, size_t num) +{ + size_t i; + + for (i = 0; i < num; i++) { + r[i] = constant_time_select_64(mask, a[i], b[i]); + } +} + +static ossl_inline BN_ULONG bn_reduce_once_in_place(BN_ULONG *r, + BN_ULONG carry, + const BN_ULONG *m, + BN_ULONG *tmp, size_t num) +{ + carry -= bn_sub_words(tmp, r, m, num); + bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num); + return carry; +} + # endif #endif diff --git a/crypto/external/bsd/openssl/dist/crypto/cms/cms_enc.c b/crypto/external/bsd/openssl/dist/crypto/cms/cms_enc.c index fc490303d4c6..6f077b339a87 100644 --- a/crypto/external/bsd/openssl/dist/crypto/cms/cms_enc.c +++ b/crypto/external/bsd/openssl/dist/crypto/cms/cms_enc.c @@ -68,7 +68,12 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) if (enc) { int ivlen; + calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx)); + if (calg->algorithm == NULL) { + CMSerr(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM); + goto err; + } /* Generate a random IV if we need one */ ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { diff --git a/crypto/external/bsd/openssl/dist/crypto/cms/cms_err.c b/crypto/external/bsd/openssl/dist/crypto/cms/cms_err.c index a211f4954ce1..408fe13b87d9 100644 --- a/crypto/external/bsd/openssl/dist/crypto/cms/cms_err.c +++ b/crypto/external/bsd/openssl/dist/crypto/cms/cms_err.c @@ -264,6 +264,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = { {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_ID), "unknown id"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM), "unsupported compression algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM), + "unsupported content encryption algorithm"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_TYPE), "unsupported content type"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEK_ALGORITHM), diff --git a/crypto/external/bsd/openssl/dist/crypto/conf/keysets.pl b/crypto/external/bsd/openssl/dist/crypto/conf/keysets.pl index 27a7214cc519..9c9a00dea8d7 100644 --- a/crypto/external/bsd/openssl/dist/crypto/conf/keysets.pl +++ b/crypto/external/bsd/openssl/dist/crypto/conf/keysets.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -8,6 +8,9 @@ use strict; use warnings; +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; my $NUMBER = 0x0001; my $UPPER = 0x0002; @@ -54,9 +57,8 @@ foreach (0 .. 127) { push(@V_w32, $v); } -# Output year depends on the year of the script. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; - +# The year the output file is generated. +my $YEAR = OpenSSL::copyright::year_of($0); print <<"EOF"; /* * WARNING: do not edit! diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/curve448/curve448.c b/crypto/external/bsd/openssl/dist/crypto/ec/curve448/curve448.c index 12d97f06795b..3d4db44564e9 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/curve448/curve448.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/curve448/curve448.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2015-2016 Cryptography Research, Inc. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -577,6 +577,7 @@ static int recode_wnaf(struct smvt_control *control, int32_t delta = odd & mask; assert(position >= 0); + assert(pos < 32); /* can't fail since current & 0xFFFF != 0 */ if (odd & (1 << (table_bits + 1))) delta -= (1 << (table_bits + 1)); current -= delta * (1 << pos); diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c b/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c index 4335b3da1a54..1acbbde3d37b 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -751,6 +751,16 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) /* extract seed (optional) */ if (params->curve->seed != NULL) { + /* + * This happens for instance with + * fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a + * and causes the OPENSSL_malloc below to choke on the + * zero length allocation request. + */ + if (params->curve->seed->length == 0) { + ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR); + goto err; + } OPENSSL_free(ret->seed); if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) { ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE); @@ -784,7 +794,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) } /* extract the order */ - if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) { + if (ASN1_INTEGER_to_BN(params->order, a) == NULL) { ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB); goto err; } @@ -801,7 +811,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) if (params->cofactor == NULL) { BN_free(b); b = NULL; - } else if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) { + } else if (ASN1_INTEGER_to_BN(params->cofactor, b) == NULL) { ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB); goto err; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ec_key.c b/crypto/external/bsd/openssl/dist/crypto/ec/ec_key.c index 23efbd015ca4..63799002bc98 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ec_key.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ec_key.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -443,6 +443,16 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) && key->meth->set_private(key, priv_key) == 0) return 0; + /* + * Return `0` to comply with legacy behavior for this function, see + * https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696 + */ + if (priv_key == NULL) { + BN_clear_free(key->priv_key); + key->priv_key = NULL; + return 0; /* intentional for legacy compatibility */ + } + /* * We should never leak the bit length of the secret scalar in the key, * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM` @@ -657,8 +667,7 @@ int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len) ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_MALLOC_FAILURE); return 0; } - eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key); - if (eckey->priv_key == NULL) { + if (BN_bin2bn(buf, len, eckey->priv_key) == NULL) { ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB); return 0; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistz256.c b/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistz256.c index 5005249b05ea..cfad3e15b0bf 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistz256.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistz256.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2014, Intel Corporation. All Rights Reserved. * Copyright (c) 2015, CloudFlare, Inc. * @@ -973,6 +973,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group, return 0; } + memset(&p, 0, sizeof(p)); BN_CTX_start(ctx); if (scalar) { diff --git a/crypto/external/bsd/openssl/dist/crypto/engine/eng_dyn.c b/crypto/external/bsd/openssl/dist/crypto/engine/eng_dyn.c index 6a0ddc162d00..27d7b893cdad 100644 --- a/crypto/external/bsd/openssl/dist/crypto/engine/eng_dyn.c +++ b/crypto/external/bsd/openssl/dist/crypto/engine/eng_dyn.c @@ -393,6 +393,26 @@ static int int_load(dynamic_data_ctx *ctx) return 0; } +/* + * Unfortunately the version checker does not distinguish between + * engines built for openssl 1.1.x and openssl 3.x, but loading + * an engine that is built for openssl 3.x will cause a fatal + * error. Detect such engines, since EVP_PKEY_get_base_id is exported + * as a function in openssl 3.x, while it is named EVP_PKEY_base_id + * in openssl 1.1.x. Therefore we take the presence of that symbol + * as an indication that the engine will be incompatible. + */ +static int using_libcrypto_3(dynamic_data_ctx *ctx) +{ + int ret; + + ERR_set_mark(); + ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_get_base_id") != NULL; + ERR_pop_to_mark(); + + return ret; +} + static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx) { ENGINE cpy; @@ -442,18 +462,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx) /* * We fail if the version checker veto'd the load *or* if it is * deferring to us (by returning its version) and we think it is too - * old. - * Unfortunately the version checker does not distinguish between - * engines built for openssl 1.1.x and openssl 3.x, but loading - * an engine that is built for openssl 3.x will cause a fatal - * error. Detect such engines, since EVP_PKEY_get_base_id is exported - * as a function in openssl 3.x, while it is named EVP_PKEY_base_id - * in openssl 1.1.x. Therefore we take the presence of that symbol - * as an indication that the engine will be incompatible. + * old. Also fail if this is engine for openssl 3.x. */ - if (vcheck_res < OSSL_DYNAMIC_OLDEST - || DSO_bind_func(ctx->dynamic_dso, - "EVP_PKEY_get_base_id") != NULL) { + if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_3(ctx)) { /* Fail */ ctx->bind_engine = NULL; ctx->v_check = NULL; diff --git a/crypto/external/bsd/openssl/dist/crypto/err/err.c b/crypto/external/bsd/openssl/dist/crypto/err/err.c index bd116e249acb..239a3cea9cc2 100644 --- a/crypto/external/bsd/openssl/dist/crypto/err/err.c +++ b/crypto/external/bsd/openssl/dist/crypto/err/err.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,7 +23,9 @@ #include "internal/constant_time.h" #include "e_os.h" +#ifndef OPENSSL_NO_ERR static int err_load_strings(const ERR_STRING_DATA *str); +#endif static void ERR_STATE_free(ERR_STATE *s); #ifndef OPENSSL_NO_ERR @@ -76,9 +78,9 @@ static ERR_STRING_DATA ERR_str_functs[] = { {ERR_PACK(0, SYS_F_BIND, 0), "bind"}, {ERR_PACK(0, SYS_F_LISTEN, 0), "listen"}, {ERR_PACK(0, SYS_F_ACCEPT, 0), "accept"}, -# ifdef OPENSSL_SYS_WINDOWS +#ifdef OPENSSL_SYS_WINDOWS {ERR_PACK(0, SYS_F_WSASTARTUP, 0), "WSAstartup"}, -# endif +#endif {ERR_PACK(0, SYS_F_OPENDIR, 0), "opendir"}, {ERR_PACK(0, SYS_F_FREAD, 0), "fread"}, {ERR_PACK(0, SYS_F_GETADDRINFO, 0), "getaddrinfo"}, @@ -141,21 +143,26 @@ static int set_err_thread_local; static CRYPTO_THREAD_LOCAL err_thread_local; static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT; -static CRYPTO_RWLOCK *err_string_lock; +static CRYPTO_RWLOCK *err_string_lock = NULL; +#ifndef OPENSSL_NO_ERR static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *); +#endif /* * The internal state */ +#ifndef OPENSSL_NO_ERR static LHASH_OF(ERR_STRING_DATA) *int_error_hash = NULL; +#endif static int int_err_library_number = ERR_LIB_USER; static unsigned long get_error_values(int inc, int top, const char **file, int *line, const char **data, int *flags); +#ifndef OPENSSL_NO_ERR static unsigned long err_string_data_hash(const ERR_STRING_DATA *a) { unsigned long ret, l; @@ -184,7 +191,6 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d) return p; } -#ifndef OPENSSL_NO_ERR /* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */ # define SPACE_SYS_STR_REASONS 8 * 1024 # define NUM_SYS_STR_REASONS 127 @@ -299,6 +305,7 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init) err_string_lock = CRYPTO_THREAD_lock_new(); if (err_string_lock == NULL) return 0; +#ifndef OPENSSL_NO_ERR int_error_hash = lh_ERR_STRING_DATA_new(err_string_data_hash, err_string_data_cmp); if (int_error_hash == NULL) { @@ -306,6 +313,7 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init) err_string_lock = NULL; return 0; } +#endif return 1; } @@ -315,10 +323,13 @@ void err_cleanup(void) CRYPTO_THREAD_cleanup_local(&err_thread_local); CRYPTO_THREAD_lock_free(err_string_lock); err_string_lock = NULL; +#ifndef OPENSSL_NO_ERR lh_ERR_STRING_DATA_free(int_error_hash); int_error_hash = NULL; +#endif } +#ifndef OPENSSL_NO_ERR /* * Legacy; pack in the library. */ @@ -342,6 +353,7 @@ static int err_load_strings(const ERR_STRING_DATA *str) CRYPTO_THREAD_unlock(err_string_lock); return 1; } +#endif int ERR_load_ERR_strings(void) { @@ -360,24 +372,31 @@ int ERR_load_ERR_strings(void) int ERR_load_strings(int lib, ERR_STRING_DATA *str) { +#ifndef OPENSSL_NO_ERR if (ERR_load_ERR_strings() == 0) return 0; err_patch(lib, str); err_load_strings(str); +#endif + return 1; } int ERR_load_strings_const(const ERR_STRING_DATA *str) { +#ifndef OPENSSL_NO_ERR if (ERR_load_ERR_strings() == 0) return 0; err_load_strings(str); +#endif + return 1; } int ERR_unload_strings(int lib, ERR_STRING_DATA *str) { +#ifndef OPENSSL_NO_ERR if (!RUN_ONCE(&err_string_init, do_err_strings_init)) return 0; @@ -389,14 +408,14 @@ int ERR_unload_strings(int lib, ERR_STRING_DATA *str) for (; str->error; str++) (void)lh_ERR_STRING_DATA_delete(int_error_hash, str); CRYPTO_THREAD_unlock(err_string_lock); +#endif return 1; } void err_free_strings_int(void) { - if (!RUN_ONCE(&err_string_init, do_err_strings_init)) - return; + /* obsolete */ } /********************************************************/ @@ -636,6 +655,7 @@ char *ERR_error_string(unsigned long e, char *ret) const char *ERR_lib_error_string(unsigned long e) { +#ifndef OPENSSL_NO_ERR ERR_STRING_DATA d, *p; unsigned long l; @@ -647,10 +667,14 @@ const char *ERR_lib_error_string(unsigned long e) d.error = ERR_PACK(l, 0, 0); p = int_err_get_item(&d); return ((p == NULL) ? NULL : p->string); +#else + return NULL; +#endif } const char *ERR_func_error_string(unsigned long e) { +#ifndef OPENSSL_NO_ERR ERR_STRING_DATA d, *p; unsigned long l, f; @@ -663,10 +687,14 @@ const char *ERR_func_error_string(unsigned long e) d.error = ERR_PACK(l, f, 0); p = int_err_get_item(&d); return ((p == NULL) ? NULL : p->string); +#else + return NULL; +#endif } const char *ERR_reason_error_string(unsigned long e) { +#ifndef OPENSSL_NO_ERR ERR_STRING_DATA d, *p = NULL; unsigned long l, r; @@ -683,6 +711,9 @@ const char *ERR_reason_error_string(unsigned long e) p = int_err_get_item(&d); } return ((p == NULL) ? NULL : p->string); +#else + return NULL; +#endif } void err_delete_thread_state(void) diff --git a/crypto/external/bsd/openssl/dist/crypto/err/openssl.txt b/crypto/external/bsd/openssl/dist/crypto/err/openssl.txt index 902e97b84355..ba3a46d5b988 100644 --- a/crypto/external/bsd/openssl/dist/crypto/err/openssl.txt +++ b/crypto/external/bsd/openssl/dist/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift BN_F_BN_SET_WORDS:144:bn_set_words BN_F_BN_STACK_PUSH:148:BN_STACK_push BN_F_BN_USUB:115:BN_usub +BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean BUF_F_BUF_MEM_NEW:101:BUF_MEM_new @@ -2023,6 +2024,8 @@ CMS_R_UNKNOWN_CIPHER:148:unknown cipher CMS_R_UNKNOWN_DIGEST_ALGORITHM:149:unknown digest algorithm CMS_R_UNKNOWN_ID:150:unknown id CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM:151:unsupported compression algorithm +CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM:194:\ + unsupported content encryption algorithm CMS_R_UNSUPPORTED_CONTENT_TYPE:152:unsupported content type CMS_R_UNSUPPORTED_KEK_ALGORITHM:153:unsupported kek algorithm CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM:179:\ diff --git a/crypto/external/bsd/openssl/dist/crypto/evp/bio_enc.c b/crypto/external/bsd/openssl/dist/crypto/evp/bio_enc.c index 6639061eae9a..9afce7c08409 100644 --- a/crypto/external/bsd/openssl/dist/crypto/evp/bio_enc.c +++ b/crypto/external/bsd/openssl/dist/crypto/evp/bio_enc.c @@ -299,6 +299,7 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr) int i; EVP_CIPHER_CTX **c_ctx; BIO *next; + int pend; ctx = BIO_get_data(b); next = BIO_next(b); @@ -334,8 +335,14 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr) /* do a final write */ again: while (ctx->buf_len != ctx->buf_off) { + pend = ctx->buf_len - ctx->buf_off; i = enc_write(b, NULL, 0); - if (i < 0) + /* + * i should never be > 0 here because we didn't ask to write any + * new data. We stop if we get an error or we failed to make any + * progress writing pending data. + */ + if (i < 0 || (ctx->buf_len - ctx->buf_off) == pend) return i; } diff --git a/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c b/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c index d835968f253c..e756624b2cdf 100644 --- a/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c +++ b/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -281,7 +281,7 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, # define PTRDIFF_T size_t #endif -int is_partially_overlapping(const void *ptr1, const void *ptr2, int len) +int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len) { PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2; /* @@ -299,7 +299,8 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { - int i, j, bl, cmpl = inl; + int i, j, bl; + size_t cmpl = (size_t)inl; if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) cmpl = (cmpl + 7) / 8; @@ -464,8 +465,9 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { - int fix_len, cmpl = inl; + int fix_len; unsigned int b; + size_t cmpl = (size_t)inl; /* Prevent accidental use of encryption context when decrypting */ if (ctx->encrypt) { diff --git a/crypto/external/bsd/openssl/dist/crypto/evp/evp_local.h b/crypto/external/bsd/openssl/dist/crypto/evp/evp_local.h index f1589d682894..b59beee49fa8 100644 --- a/crypto/external/bsd/openssl/dist/crypto/evp/evp_local.h +++ b/crypto/external/bsd/openssl/dist/crypto/evp/evp_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -65,4 +65,4 @@ struct evp_Encode_Ctx_st { typedef struct evp_pbe_st EVP_PBE_CTL; DEFINE_STACK_OF(EVP_PBE_CTL) -int is_partially_overlapping(const void *ptr1, const void *ptr2, int len); +int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len); diff --git a/crypto/external/bsd/openssl/dist/crypto/init.c b/crypto/external/bsd/openssl/dist/crypto/init.c index 1b0d523beae0..b23af7977cd2 100644 --- a/crypto/external/bsd/openssl/dist/crypto/init.c +++ b/crypto/external/bsd/openssl/dist/crypto/init.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -211,7 +211,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete) } static CRYPTO_ONCE load_crypto_strings = CRYPTO_ONCE_STATIC_INIT; -static int load_crypto_strings_inited = 0; + DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings) { int ret = 1; @@ -225,7 +225,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings) "err_load_crypto_strings_int()\n"); # endif ret = err_load_crypto_strings_int(); - load_crypto_strings_inited = 1; #endif return ret; } @@ -549,14 +548,6 @@ void OPENSSL_cleanup(void) async_deinit(); } - if (load_crypto_strings_inited) { -#ifdef OPENSSL_INIT_DEBUG - fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: " - "err_free_strings_int()\n"); -#endif - err_free_strings_int(); - } - key = destructor_key.value; destructor_key.sane = -1; CRYPTO_THREAD_cleanup_local(&key); diff --git a/crypto/external/bsd/openssl/dist/crypto/objects/obj_dat.pl b/crypto/external/bsd/openssl/dist/crypto/objects/obj_dat.pl index e5d38147eccf..e1b4a02f288f 100644 --- a/crypto/external/bsd/openssl/dist/crypto/objects/obj_dat.pl +++ b/crypto/external/bsd/openssl/dist/crypto/objects/obj_dat.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -9,6 +9,9 @@ use integer; use strict; use warnings; +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; # Generate the DER encoding for the given OID. sub der_it @@ -36,10 +39,8 @@ sub der_it return $ret; } -# Output year depends on the year of the script and the input file. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; -my $iYEAR = [localtime([stat($ARGV[0])]->[9])]->[5] + 1900; -$YEAR = $iYEAR if $iYEAR > $YEAR; +# The year the output file is generated. +my $YEAR = OpenSSL::copyright::latest(($0, $ARGV[0])); # Read input, parse all #define's into OID name and value. # Populate %ln and %sn with long and short names (%dupln and %dupsn) diff --git a/crypto/external/bsd/openssl/dist/crypto/objects/objects.pl b/crypto/external/bsd/openssl/dist/crypto/objects/objects.pl index d7d1962c9999..8b258d4df509 100644 --- a/crypto/external/bsd/openssl/dist/crypto/objects/objects.pl +++ b/crypto/external/bsd/openssl/dist/crypto/objects/objects.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -7,16 +7,15 @@ # https://www.openssl.org/source/license.html use Getopt::Std; +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; our($opt_n); getopts('n'); -# Output year depends on the year of the script and the input file. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; -my $iYEAR = [localtime([stat($ARGV[0])]->[9])]->[5] + 1900; -$YEAR = $iYEAR if $iYEAR > $YEAR; -$iYEAR = [localtime([stat($ARGV[1])]->[9])]->[5] + 1900; -$YEAR = $iYEAR if $iYEAR > $YEAR; +# The year the output file is generated. +my $YEAR = OpenSSL::copyright::latest(($0, $ARGV[1], $ARGV[0])); open (NUMIN,"$ARGV[1]") || die "Can't open number file $ARGV[1]"; $max_nid=0; diff --git a/crypto/external/bsd/openssl/dist/crypto/objects/objxref.pl b/crypto/external/bsd/openssl/dist/crypto/objects/objxref.pl index ce76cadae31c..4d4b9074fc26 100644 --- a/crypto/external/bsd/openssl/dist/crypto/objects/objxref.pl +++ b/crypto/external/bsd/openssl/dist/crypto/objects/objxref.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -8,18 +8,17 @@ use strict; +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; my %xref_tbl; my %oid_tbl; my ($mac_file, $xref_file) = @ARGV; -# Output year depends on the year of the script and the input file. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; -my $iYEAR = [localtime([stat($mac_file)]->[9])]->[5] + 1900; -$YEAR = $iYEAR if $iYEAR > $YEAR; -$iYEAR = [localtime([stat($xref_file)]->[9])]->[5] + 1900; -$YEAR = $iYEAR if $iYEAR > $YEAR; +# The year the output file is generated. +my $YEAR = OpenSSL::copyright::latest(($0, $mac_file, $xref_file)); open(IN, $mac_file) || die "Can't open $mac_file, $!\n"; diff --git a/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c b/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c index 2de093595d0d..14f9ca4aa4d6 100644 --- a/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -621,7 +621,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header, (BIO_write(bp, "-----\n", 6) != 6)) goto err; - i = strlen(header); + i = header != NULL ? strlen(header) : 0; if (i > 0) { if ((BIO_write(bp, header, i) != i) || (BIO_write(bp, "\n", 1) != 1)) goto err; @@ -791,7 +791,7 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, { BIO *tmp = *header; char *linebuf, *p; - int len, line, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0; + int len, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0; /* 0 if not seen (yet), 1 if reading header, 2 if finished header */ enum header_status got_header = MAYBE_HEADER; unsigned int flags_mask; @@ -805,7 +805,7 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, return 0; } - for (line = 0; ; line++) { + for (;;) { flags_mask = ~0u; len = BIO_gets(bp, linebuf, LINESIZE); if (len <= 0) { @@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, *data = pem_malloc(len, flags); if (*header == NULL || *data == NULL) { pem_free(*header, flags, 0); + *header = NULL; pem_free(*data, flags, 0); + *data = NULL; goto end; } BIO_read(headerB, *header, headerlen); diff --git a/crypto/external/bsd/openssl/dist/crypto/rand/drbg_lib.c b/crypto/external/bsd/openssl/dist/crypto/rand/drbg_lib.c index 8c7c28c9703a..d32fa80cf89d 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rand/drbg_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/rand/drbg_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -354,13 +354,8 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, drbg->state = DRBG_READY; drbg->generate_counter = 1; drbg->reseed_time = time(NULL); - if (drbg->enable_reseed_propagation) { - if (drbg->parent == NULL) - tsan_counter(&drbg->reseed_counter); - else - tsan_store(&drbg->reseed_counter, - tsan_load(&drbg->parent->reseed_counter)); - } + if (drbg->enable_reseed_propagation && drbg->parent == NULL) + tsan_counter(&drbg->reseed_counter); end: if (entropy != NULL && drbg->cleanup_entropy != NULL) @@ -444,13 +439,8 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg, drbg->state = DRBG_READY; drbg->generate_counter = 1; drbg->reseed_time = time(NULL); - if (drbg->enable_reseed_propagation) { - if (drbg->parent == NULL) - tsan_counter(&drbg->reseed_counter); - else - tsan_store(&drbg->reseed_counter, - tsan_load(&drbg->parent->reseed_counter)); - } + if (drbg->enable_reseed_propagation && drbg->parent == NULL) + tsan_counter(&drbg->reseed_counter); end: if (entropy != NULL && drbg->cleanup_entropy != NULL) diff --git a/crypto/external/bsd/openssl/dist/crypto/rand/rand_lib.c b/crypto/external/bsd/openssl/dist/crypto/rand/rand_lib.c index 5c72fad8ca26..3fdb56cb0024 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rand/rand_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/rand/rand_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -172,8 +172,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, if (RAND_DRBG_generate(drbg->parent, buffer, bytes_needed, prediction_resistance, - (unsigned char *)&drbg, sizeof(drbg)) != 0) + (unsigned char *)&drbg, sizeof(drbg)) != 0) { bytes = bytes_needed; + if (drbg->enable_reseed_propagation) + tsan_store(&drbg->reseed_counter, + tsan_load(&drbg->parent->reseed_counter)); + } rand_drbg_unlock(drbg->parent); rand_pool_add_end(pool, bytes, 8 * bytes); diff --git a/crypto/external/bsd/openssl/dist/crypto/rand/rand_vms.c b/crypto/external/bsd/openssl/dist/crypto/rand/rand_vms.c index a00f83bcc491..969473730903 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rand/rand_vms.c +++ b/crypto/external/bsd/openssl/dist/crypto/rand/rand_vms.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -479,31 +479,6 @@ size_t data_collect_method(RAND_POOL *pool) return rand_pool_entropy_available(pool); } -int rand_pool_add_nonce_data(RAND_POOL *pool) -{ - struct { - pid_t pid; - CRYPTO_THREAD_ID tid; - unsigned __int64 time; - } data = { 0 }; - - /* - * Add process id, thread id, and a high resolution timestamp - * (where available, which is OpenVMS v8.4 and up) to ensure that - * the nonce is unique with high probability for different process - * instances. - */ - data.pid = getpid(); - data.tid = CRYPTO_THREAD_get_current_id(); -#if __CRTL_VER >= 80400000 - sys$gettim_prec(&data.time); -#else - sys$gettim((void*)&data.time); -#endif - - return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); -} - /* * SYS$GET_ENTROPY METHOD * ====================== @@ -577,6 +552,59 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool) return data_collect_method(pool); } +int rand_pool_add_nonce_data(RAND_POOL *pool) +{ + /* + * Two variables to ensure that two nonces won't ever be the same + */ + static unsigned __int64 last_time = 0; + static unsigned __int32 last_seq = 0; + + struct { + pid_t pid; + CRYPTO_THREAD_ID tid; + unsigned __int64 time; + unsigned __int32 seq; + } data; + + /* Erase the entire structure including any padding */ + memset(&data, 0, sizeof(data)); + + /* + * Add process id, thread id, a timestamp, and a sequence number in case + * the same time stamp is repeated, to ensure that the nonce is unique + * with high probability for different process instances. + * + * The normal OpenVMS time is specified to be high granularity (100ns), + * but the time update granularity given by sys$gettim() may be lower. + * + * OpenVMS version 8.4 (which is the latest for Alpha and Itanium) and + * on have sys$gettim_prec() as well, which is supposedly having a better + * time update granularity, but tests on Itanium (and even Alpha) have + * shown that compared with sys$gettim(), the difference is marginal, + * so of very little significance in terms of entropy. + * Given that, and that it's a high ask to expect everyone to have + * upgraded to OpenVMS version 8.4, only sys$gettim() is used, and a + * sequence number is added as well, in case sys$gettim() returns the + * same time value more than once. + * + * This function is assumed to be called under thread lock, and does + * therefore not take concurrency into account. + */ + data.pid = getpid(); + data.tid = CRYPTO_THREAD_get_current_id(); + data.seq = 0; + sys$gettim((void*)&data.time); + + if (data.time == last_time) { + data.seq = ++last_seq; + } else { + last_time = data.time; + last_seq = 0; + } + + return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); +} int rand_pool_add_additional_data(RAND_POOL *pool) { @@ -586,16 +614,12 @@ int rand_pool_add_additional_data(RAND_POOL *pool) } data = { 0 }; /* - * Add some noise from the thread id and a high resolution timer. - * The thread id adds a little randomness if the drbg is accessed - * concurrently (which is the case for the drbg). + * Add some noise from the thread id and a timer. The thread id adds a + * little randomness if the drbg is accessed concurrently (which is the + * case for the drbg). */ data.tid = CRYPTO_THREAD_get_current_id(); -#if __CRTL_VER >= 80400000 - sys$gettim_prec(&data.time); -#else sys$gettim((void*)&data.time); -#endif return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); } diff --git a/crypto/external/bsd/openssl/dist/crypto/rand/rand_win.c b/crypto/external/bsd/openssl/dist/crypto/rand/rand_win.c index 903654600858..cdcd70103d98 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rand/rand_win.c +++ b/crypto/external/bsd/openssl/dist/crypto/rand/rand_win.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,7 +26,9 @@ # ifdef USE_BCRYPTGENRANDOM # include -# pragma comment(lib, "bcrypt.lib") +# ifdef _MSC_VER +# pragma comment(lib, "bcrypt.lib") +# endif # ifndef STATUS_SUCCESS # define STATUS_SUCCESS ((NTSTATUS)0x00000000L) # endif diff --git a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ameth.c b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ameth.c index fb045544a832..2c9c46ea53c8 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ameth.c +++ b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ameth.c @@ -172,6 +172,7 @@ static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) strtype, str, rk, rklen)) { RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); ASN1_STRING_free(str); + OPENSSL_clear_free(rk, rklen); return 0; } diff --git a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ossl.c b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ossl.c index b52a66f6a628..2e3ee4ab33dc 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ossl.c +++ b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, BN_free(d); } - if (blinding) - if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) + if (blinding) { + /* + * ossl_bn_rsa_do_unblind() combines blinding inversion and + * 0-padded BN BE serialization + */ + j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, + buf, num); + if (j == 0) goto err; - - j = BN_bn2binpad(ret, buf, num); + } else { + j = BN_bn2binpad(ret, buf, num); + if (j < 0) + goto err; + } switch (padding) { case RSA_PKCS1_PADDING: diff --git a/crypto/external/bsd/openssl/dist/crypto/s390x_arch.h b/crypto/external/bsd/openssl/dist/crypto/s390x_arch.h index 4d2cc02eb3d3..64e7ebb5662e 100644 --- a/crypto/external/bsd/openssl/dist/crypto/s390x_arch.h +++ b/crypto/external/bsd/openssl/dist/crypto/s390x_arch.h @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -47,6 +47,9 @@ struct OPENSSL_s390xcap_st { unsigned long long kma[2]; }; +#if defined(__GNUC__) && defined(__linux) +__attribute__ ((visibility("hidden"))) +#endif extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; /* convert facility bit number or function code to bit mask */ diff --git a/crypto/external/bsd/openssl/dist/crypto/s390xcap.c b/crypto/external/bsd/openssl/dist/crypto/s390xcap.c index 5d58b2d807b4..1097c703b4fb 100644 --- a/crypto/external/bsd/openssl/dist/crypto/s390xcap.c +++ b/crypto/external/bsd/openssl/dist/crypto/s390xcap.c @@ -1,5 +1,5 @@ /* - * Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,6 +26,9 @@ void OPENSSL_vx_probe(void); struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; +#if defined(__GNUC__) && defined(__linux) +__attribute__ ((visibility("hidden"))) +#endif void OPENSSL_cpuid_setup(void) { sigset_t oset; diff --git a/crypto/external/bsd/openssl/dist/crypto/txt_db/txt_db.c b/crypto/external/bsd/openssl/dist/crypto/txt_db/txt_db.c index c4e1782514d8..cbb81905ac81 100644 --- a/crypto/external/bsd/openssl/dist/crypto/txt_db/txt_db.c +++ b/crypto/external/bsd/openssl/dist/crypto/txt_db/txt_db.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -21,7 +21,6 @@ TXT_DB *TXT_DB_read(BIO *in, int num) { TXT_DB *ret = NULL; int esc = 0; - long ln = 0; int i, add, n; int size = BUFSIZE; int offset = 0; @@ -61,7 +60,6 @@ TXT_DB *TXT_DB_read(BIO *in, int num) } buf->data[offset] = '\0'; BIO_gets(in, &(buf->data[offset]), size - offset); - ln++; if (buf->data[offset] == '\0') break; if ((offset == 0) && (buf->data[0] == '#')) diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c b/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c index 238c2519a6e2..46a861e90de0 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -332,9 +332,13 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type, tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j); X509_STORE_unlock(xl->store_ctx); - /* If a CRL, update the last file suffix added for this */ - - if (type == X509_LU_CRL) { + /* + * If a CRL, update the last file suffix added for this. + * We don't need to add an entry if k is 0 as this is the initial value. + * This avoids the need for a write lock and sort operation in the + * simple case where no CRL is present for a hash. + */ + if (type == X509_LU_CRL && k > 0) { CRYPTO_THREAD_write_lock(ctx->lock); /* * Look for entry again in case another thread added an entry @@ -362,6 +366,12 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type, ok = 0; goto finish; } + + /* + * Ensure stack is sorted so that subsequent sk_BY_DIR_HASH_find + * will not mutate the stack and therefore require a write lock. + */ + sk_BY_DIR_HASH_sort(ent->hashes); } else if (hent->suffix < k) { hent->suffix = k; } diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c b/crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c index 1d8d2d7b28e9..3724a118f343 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -34,7 +34,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) unsigned long ret = 0; EVP_MD_CTX *ctx = EVP_MD_CTX_new(); unsigned char md[16]; - char *f; + char *f = NULL; if (ctx == NULL) goto err; @@ -45,7 +45,6 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) goto err; if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f))) goto err; - OPENSSL_free(f); if (!EVP_DigestUpdate (ctx, (unsigned char *)a->cert_info.serialNumber.data, (unsigned long)a->cert_info.serialNumber.length)) @@ -56,6 +55,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) ) & 0xffffffffL; err: + OPENSSL_free(f); EVP_MD_CTX_free(ctx); return ret; } diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509_req.c b/crypto/external/bsd/openssl/dist/crypto/x509/x509_req.c index dd674926ddb5..c2b8cb9f3e2d 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_req.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_req.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -167,7 +167,9 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) ext = X509_ATTRIBUTE_get0_type(attr, 0); break; } - if (!ext || (ext->type != V_ASN1_SEQUENCE)) + if (ext == NULL) /* no extensions is not an error */ + return sk_X509_EXTENSION_new_null(); + if (ext->type != V_ASN1_SEQUENCE) return NULL; p = ext->value.sequence->data; return (STACK_OF(X509_EXTENSION) *) @@ -227,44 +229,52 @@ X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc) X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc) { - return X509at_delete_attr(req->req_info.attributes, loc); + X509_ATTRIBUTE *attr = X509at_delete_attr(req->req_info.attributes, loc); + + if (attr != NULL) + req->req_info.enc.modified = 1; + return attr; } int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr) { - if (X509at_add1_attr(&req->req_info.attributes, attr)) - return 1; - return 0; + if (!X509at_add1_attr(&req->req_info.attributes, attr)) + return 0; + req->req_info.enc.modified = 1; + return 1; } int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, const ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len) { - if (X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj, - type, bytes, len)) - return 1; - return 0; + if (!X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj, + type, bytes, len)) + return 0; + req->req_info.enc.modified = 1; + return 1; } int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, int type, const unsigned char *bytes, int len) { - if (X509at_add1_attr_by_NID(&req->req_info.attributes, nid, - type, bytes, len)) - return 1; - return 0; + if (!X509at_add1_attr_by_NID(&req->req_info.attributes, nid, + type, bytes, len)) + return 0; + req->req_info.enc.modified = 1; + return 1; } int X509_REQ_add1_attr_by_txt(X509_REQ *req, const char *attrname, int type, const unsigned char *bytes, int len) { - if (X509at_add1_attr_by_txt(&req->req_info.attributes, attrname, - type, bytes, len)) - return 1; - return 0; + if (!X509at_add1_attr_by_txt(&req->req_info.attributes, attrname, + type, bytes, len)) + return 0; + req->req_info.enc.modified = 1; + return 1; } long X509_REQ_get_version(const X509_REQ *req) diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c b/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c index b18489f67f6e..925fbb541258 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c @@ -973,14 +973,14 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) time_t *ptime; int i; - if (notify) - ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) return 1; else ptime = NULL; + if (notify) + ctx->current_crl = crl; i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime); if (i == 0) { diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x_all.c b/crypto/external/bsd/openssl/dist/crypto/x509/x_all.c index a4e9cdaee837..fcf6b5ba3780 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x_all.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x_all.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,6 +41,13 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { + /* + * Setting the modified flag before signing it. This makes the cached + * encoding to be ignored, so even if the certificate fields have changed, + * they are signed correctly. + * The X509_sign_ctx, X509_REQ_sign{,_ctx}, X509_CRL_sign{,_ctx} functions + * which exist below are the same. + */ x->cert_info.enc.modified = 1; return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature, &x->sig_alg, &x->signature, &x->cert_info, pkey, @@ -65,12 +72,14 @@ int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert) int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) { + x->req_info.enc.modified = 1; return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL, x->signature, &x->req_info, pkey, md)); } int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) { + x->req_info.enc.modified = 1; return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL, x->signature, &x->req_info, ctx); diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x_crl.c b/crypto/external/bsd/openssl/dist/crypto/x509/x_crl.c index c9762f9e2394..df0041c0108c 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x_crl.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x_crl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -103,13 +103,17 @@ static int crl_set_issuers(X509_CRL *crl) if (gtmp) { gens = gtmp; - if (!crl->issuers) { + if (crl->issuers == NULL) { crl->issuers = sk_GENERAL_NAMES_new_null(); - if (!crl->issuers) + if (crl->issuers == NULL) { + GENERAL_NAMES_free(gtmp); return 0; + } } - if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) + if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) { + GENERAL_NAMES_free(gtmp); return 0; + } } rev->issuer = gens; @@ -255,7 +259,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, break; case ASN1_OP_FREE_POST: - if (crl->meth->crl_free) { + if (crl->meth != NULL && crl->meth->crl_free != NULL) { if (!crl->meth->crl_free(crl)) return 0; } diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x_name.c b/crypto/external/bsd/openssl/dist/crypto/x509/x_name.c index 59ac6895bc26..dc4a494fb543 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x_name.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x_name.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -493,9 +493,7 @@ int X509_NAME_set(X509_NAME **xn, X509_NAME *name) int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) { char *s, *c, *b; - int l, i; - - l = 80 - 2 - obase; + int i; b = X509_NAME_oneline(name, NULL, 0); if (!b) @@ -521,12 +519,10 @@ int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) if (BIO_write(bp, ", ", 2) != 2) goto err; } - l--; } if (*s == '\0') break; s++; - l--; } OPENSSL_free(b); diff --git a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c index 4258dbc40c0f..f9c368bea405 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,6 +13,8 @@ #include #include +#include +#include #include "internal/cryptlib.h" #include @@ -342,8 +344,13 @@ static int range_should_be_prefix(const unsigned char *min, unsigned char mask; int i, j; - if (memcmp(min, max, length) <= 0) - return -1; + /* + * It is the responsibility of the caller to confirm min <= max. We don't + * use ossl_assert() here since we have no way of signalling an error from + * this function - so we just use a plain assert instead. + */ + assert(memcmp(min, max, length) <= 0); + for (i = 0; i < length && min[i] == max[i]; i++) ; for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ; if (i < j) @@ -385,12 +392,14 @@ static int range_should_be_prefix(const unsigned char *min, /* * Construct a prefix. */ -static int make_addressPrefix(IPAddressOrRange **result, - unsigned char *addr, const int prefixlen) +static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr, + const int prefixlen, const int afilen) { int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; IPAddressOrRange *aor = IPAddressOrRange_new(); + if (prefixlen < 0 || prefixlen > (afilen * 8)) + return 0; if (aor == NULL) return 0; aor->type = IPAddressOrRange_addressPrefix; @@ -426,8 +435,11 @@ static int make_addressRange(IPAddressOrRange **result, IPAddressOrRange *aor; int i, prefixlen; + if (memcmp(min, max, length) > 0) + return 0; + if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) - return make_addressPrefix(result, min, prefixlen); + return make_addressPrefix(result, min, prefixlen, length); if ((aor = IPAddressOrRange_new()) == NULL) return 0; @@ -589,7 +601,9 @@ int X509v3_addr_add_prefix(IPAddrBlocks *addr, { IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); IPAddressOrRange *aor; - if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) + + if (aors == NULL + || !make_addressPrefix(&aor, a, prefixlen, length_from_afi(afi))) return 0; if (sk_IPAddressOrRange_push(aors, aor)) return 1; @@ -986,7 +1000,10 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, switch (delim) { case '/': prefixlen = (int)strtoul(s + i2, &t, 10); - if (t == s + i2 || *t != '\0') { + if (t == s + i2 + || *t != '\0' + || prefixlen > (length * 8) + || prefixlen < 0) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); X509V3_conf_err(val); diff --git a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_asid.c b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_asid.c index ac6857267291..8e9e919804d0 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_asid.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_asid.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -700,15 +700,28 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) */ int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) { - return (a == NULL || - a == b || - (b != NULL && - !X509v3_asid_inherits(a) && - !X509v3_asid_inherits(b) && - asid_contains(b->asnum->u.asIdsOrRanges, - a->asnum->u.asIdsOrRanges) && - asid_contains(b->rdi->u.asIdsOrRanges, - a->rdi->u.asIdsOrRanges))); + int subset; + + if (a == NULL || a == b) + return 1; + + if (b == NULL) + return 0; + + if (X509v3_asid_inherits(a) || X509v3_asid_inherits(b)) + return 0; + + subset = a->asnum == NULL + || (b->asnum != NULL + && asid_contains(b->asnum->u.asIdsOrRanges, + a->asnum->u.asIdsOrRanges)); + if (!subset) + return 0; + + return a->rdi == NULL + || (b->rdi != NULL + && asid_contains(b->rdi->u.asIdsOrRanges, + a->rdi->u.asIdsOrRanges)); } /* diff --git a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_genn.c b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_genn.c index 87a5eff47cd9..fd307c43cf20 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_genn.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_genn.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) return -1; switch (a->type) { case GEN_X400: - result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); break; case GEN_EDIPARTY: diff --git a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_lib.c b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_lib.c index 97c1cbc20fed..ea88ff2acd22 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -242,8 +242,10 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, } /* If delete, just delete it */ if (ext_op == X509V3_ADD_DELETE) { - if (!sk_X509_EXTENSION_delete(*x, extidx)) + extmp = sk_X509_EXTENSION_delete(*x, extidx); + if (extmp == NULL) return -1; + X509_EXTENSION_free(extmp); return 1; } } else { diff --git a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_sxnet.c b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_sxnet.c index 89cda01be2a5..3c5508f9416c 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_sxnet.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_sxnet.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -57,15 +57,29 @@ IMPLEMENT_ASN1_FUNCTIONS(SXNET) static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent) { - long v; + int64_t v; char *tmp; SXNETID *id; int i; - v = ASN1_INTEGER_get(sx->version); - BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v); + + /* + * Since we add 1 to the version number to display it, we don't support + * LONG_MAX since that would cause on overflow. + */ + if (!ASN1_INTEGER_get_int64(&v, sx->version) + || v >= LONG_MAX + || v < LONG_MIN) { + BIO_printf(out, "%*sVersion: ", indent, ""); + } else { + long vl = (long)v; + + BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", vl + 1, vl); + } for (i = 0; i < sk_SXNETID_num(sx->ids); i++) { id = sk_SXNETID_value(sx->ids, i); tmp = i2s_ASN1_INTEGER(NULL, id->zone); + if (tmp == NULL) + return 0; BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp); OPENSSL_free(tmp); ASN1_STRING_print(out, id->user); diff --git a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_utl.c b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_utl.c index a7ff4b4fb4d3..eac78259fc82 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_utl.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_utl.c @@ -1087,12 +1087,17 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc) static int ipv4_from_asc(unsigned char *v4, const char *in) { - int a0, a1, a2, a3; - if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4) + const char *p; + int a0, a1, a2, a3, n; + + if (sscanf(in, "%d.%d.%d.%d%n", &a0, &a1, &a2, &a3, &n) != 4) return 0; if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255)) return 0; + p = in + n; + if (!(*p == '\0' || ossl_isspace(*p))) + return 0; v4[0] = a0; v4[1] = a1; v4[2] = a2; diff --git a/crypto/external/bsd/openssl/dist/doc/fingerprints.txt b/crypto/external/bsd/openssl/dist/doc/fingerprints.txt index 51e76c8f71b9..3604fbdc658c 100644 --- a/crypto/external/bsd/openssl/dist/doc/fingerprints.txt +++ b/crypto/external/bsd/openssl/dist/doc/fingerprints.txt @@ -22,3 +22,13 @@ pub 2048R/0E604491 2013-04-30 Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 uid Matt Caswell uid Matt Caswell + +pub rsa4096 2021-02-14 + B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45 +uid Paul Dale + +pub rsa4096 2021-07-16 + A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C +uid Tomáš Mráz +uid Tomáš Mráz +uid Tomáš Mráz diff --git a/crypto/external/bsd/openssl/dist/doc/man1/x509.pod b/crypto/external/bsd/openssl/dist/doc/man1/x509.pod index 3c9b2f2263e3..a94f099b3565 100644 --- a/crypto/external/bsd/openssl/dist/doc/man1/x509.pod +++ b/crypto/external/bsd/openssl/dist/doc/man1/x509.pod @@ -434,22 +434,26 @@ the CA certificate file. Sets the CA serial number file to use. -When the B<-CA> option is used to sign a certificate it uses a serial -number specified in a file. This file consists of one line containing -an even number of hex digits with the serial number to use. After each -use the serial number is incremented and written out to the file again. +When creating a certificate with this option, and with the B<-CA> option, +the certificate serial number is stored in the given file. +This file consists of one line containing +an even number of hex digits with the serial number used last time. +After reading this number, it is incremented and used, and the file is updated. The default filename consists of the CA certificate file base name with ".srl" appended. For example if the CA certificate file is called "mycacert.pem" it expects to find a serial number file called "mycacert.srl". +If the B<-CA> option is specified and neither <-CAserial> or <-CAcreateserial> +is given and the default serial number file does not exist, +a random number is generated; this is the recommended practice. + =item B<-CAcreateserial> -With this option the CA serial number file is created if it does not exist: -it will contain the serial number "02" and the certificate being signed will -have the 1 as its serial number. If the B<-CA> option is specified -and the serial number file does not exist a random number is generated; -this is the recommended practice. +With this option and the B<-CA> option +the CA serial number file is created if it does not exist. +A random number is generated, used for the certificate, +and saved into the serial number file determined as described above. =item B<-extfile filename> @@ -932,7 +936,7 @@ the old form must have their links rebuilt using B or similar. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/BIO_f_base64.pod b/crypto/external/bsd/openssl/dist/doc/man3/BIO_f_base64.pod index c2c5309a6017..55ca5d4de30f 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/BIO_f_base64.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/BIO_f_base64.pod @@ -38,9 +38,8 @@ to flush the final block through the BIO. The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags(). For writing, it causes all data to be written on one line without newline at the end. -For reading, it forces the decoder to process the data regardless -of newlines. All newlines are ignored and the input does not need -to contain any newline at all. +For reading, it expects the data to be all on one line (with or +without a trailing newline). =head1 NOTES diff --git a/crypto/external/bsd/openssl/dist/doc/man3/CMS_add0_cert.pod b/crypto/external/bsd/openssl/dist/doc/man3/CMS_add0_cert.pod index 9fbbe9d86048..944f998746a4 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/CMS_add0_cert.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/CMS_add0_cert.pod @@ -19,25 +19,33 @@ CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_add1_crl, CMS_ge =head1 DESCRIPTION -CMS_add0_cert() and CMS_add1_cert() add certificate B to B. -must be of type signed data or enveloped data. +CMS_add0_cert() and CMS_add1_cert() add certificate I to I. +I must be of type signed data or (authenticated) enveloped data. +For signed data, such a certificate can be used when signing or verifying +to fill in the signer certificate or to provide an extra CA certificate +that may be needed for chain building in certificate validation. -CMS_get1_certs() returns all certificates in B. +CMS_get1_certs() returns all certificates in I. -CMS_add0_crl() and CMS_add1_crl() add CRL B to B. CMS_get1_crls() -returns any CRLs in B. +CMS_add0_crl() and CMS_add1_crl() add CRL I to I. +I must be of type signed data or (authenticated) enveloped data. +For signed data, such a CRL may be used in certificate validation. +It may be given both for inclusion when signing a CMS message +and when verifying a signed CMS message. + +CMS_get1_crls() returns all CRLs in I. =head1 NOTES -The CMS_ContentInfo structure B must be of type signed data or enveloped +The CMS_ContentInfo structure I must be of type signed data or enveloped data or an error will be returned. -For signed data certificates and CRLs are added to the B and -B fields of SignedData structure. For enveloped data they are added to +For signed data certificates and CRLs are added to the I and +I fields of SignedData structure. For enveloped data they are added to B. -As the B<0> implies CMS_add0_cert() adds B internally to B and it -must not be freed up after the call as opposed to CMS_add1_cert() where B +As the I<0> implies CMS_add0_cert() adds I internally to I and it +must not be freed up after the call as opposed to CMS_add1_cert() where I must be freed up. The same certificate or CRL must not be added to the same cms structure more @@ -50,7 +58,7 @@ CMS_add0_cert(), CMS_add1_cert() and CMS_add0_crl() and CMS_add1_crl() return CMS_get1_certs() and CMS_get1_crls() return the STACK of certificates or CRLs or NULL if there are none or an error occurs. The only error which will occur -in practice is if the B type is invalid. +in practice is if the I type is invalid. =head1 SEE ALSO @@ -60,7 +68,7 @@ L =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/CMS_verify.pod b/crypto/external/bsd/openssl/dist/doc/man3/CMS_verify.pod index c7dbb6b6c275..d7a423c30b29 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/CMS_verify.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/CMS_verify.pod @@ -15,50 +15,58 @@ CMS_verify, CMS_get0_signers - verify a CMS SignedData structure =head1 DESCRIPTION -CMS_verify() verifies a CMS SignedData structure. B is the CMS_ContentInfo -structure to verify. B is a set of certificates in which to search for -the signing certificate(s). B is a trusted certificate store used for -chain verification. B is the detached content if the content is not -present in B. The content is written to B if it is not NULL. - -B is an optional set of flags, which can be used to modify the verify -operation. - -CMS_get0_signers() retrieves the signing certificate(s) from B, it may only +CMS_verify() is very similar to L. It verifies a +B structure contained in a structure of type B. +I points to the B structure to verify. +The optional I parameter refers to a set of certificates +in which to search for signing certificates. +I may contain extra untrusted CA certificates that may be used for +chain building as well as CRLs that may be used for certificate validation. +I may be NULL or point to +the trusted certificate store to use for chain verification. +I refers to the signed data if the content is detached from I. +Otherwise I should be NULL and the signed data must be in I. +The content is written to the BIO I unless it is NULL. +I is an optional set of flags, which can be used to modify the operation. + +CMS_get0_signers() retrieves the signing certificate(s) from I, it may only be called after a successful CMS_verify() operation. =head1 VERIFY PROCESS Normally the verify process proceeds as follows. -Initially some sanity checks are performed on B. The type of B must +Initially some sanity checks are performed on I. The type of I must be SignedData. There must be at least one signature on the data and if -the content is detached B cannot be B. +the content is detached I cannot be NULL. An attempt is made to locate all the signing certificate(s), first looking in -the B parameter (if it is not NULL) and then looking in any -certificates contained in the B structure itself. If any signing -certificate cannot be located the operation fails. +the I parameter (if it is not NULL) and then looking in any +certificates contained in the I structure unless B is set. +If any signing certificate cannot be located the operation fails. -Each signing certificate is chain verified using the B purpose and -the supplied trusted certificate store. Any internal certificates in the message -are used as untrusted CAs. If CRL checking is enabled in B any internal -CRLs are used in addition to attempting to look them up in B. If any -chain verify fails an error code is returned. +Each signing certificate is chain verified using the I purpose and +using the trusted certificate store I if supplied. +Any internal certificates in the message, which may have been added using +L, are used as untrusted CAs. +If CRL checking is enabled in I and B is not set, +any internal CRLs, which may have been added using L, +are used in addition to attempting to look them up in I. +If I is not NULL and any chain verify fails an error code is returned. -Finally the signed content is read (and written to B if it is not NULL) -and the signature's checked. +Finally the signed content is read (and written to I unless it is NULL) +and the signature is checked. -If all signature's verify correctly then the function is successful. +If all signatures verify correctly then the function is successful. -Any of the following flags (ored together) can be passed in the B +Any of the following flags (ored together) can be passed in the I parameter to change the default verify behaviour. If B is set the certificates in the message itself are not -searched when locating the signing certificate(s). This means that all the -signing certificates must be in the B parameter. +searched when locating the signing certificate(s). +This means that all the signing certificates must be in the I parameter. -If B is set and CRL checking is enabled in B then any +If B is set and CRL checking is enabled in I then any CRLs in the message itself are ignored. If the B flag is set MIME headers for type B are deleted @@ -66,7 +74,7 @@ from the content. If the content is not of type B then an error is returned. If B is set the signing certificates are not -verified. +chain verified. If B is set the signed attributes signature is not verified. @@ -77,20 +85,20 @@ If B is set then the content digest is not checked. One application of B is to only accept messages signed by a small number of certificates. The acceptable certificates would be passed -in the B parameter. In this case if the signer is not one of the -certificates supplied in B then the verify will fail because the +in the I parameter. In this case if the signer certificate is not one +of the certificates supplied in I then the verify will fail because the signer cannot be found. In some cases the standard techniques for looking up and validating certificates are not appropriate: for example an application may wish to lookup certificates in a database or perform customised verification. This -can be achieved by setting and verifying the signers certificates manually +can be achieved by setting and verifying the signer certificates manually using the signed data utility functions. Care should be taken when modifying the default verify behaviour, for example setting B will totally disable all content verification and any modified content will be considered valid. This combination is however -useful if one merely wishes to write the content to B and its validity +useful if one merely wishes to write the content to I and its validity is not considered important. Chain verification should arguably be performed using the signing time rather @@ -100,8 +108,7 @@ timestamp). =head1 RETURN VALUES -CMS_verify() returns 1 for a successful verification and zero if an error -occurred. +CMS_verify() returns 1 for a successful verification and 0 if an error occurred. CMS_get0_signers() returns all signers or NULL if an error occurred. @@ -109,8 +116,8 @@ The error can be obtained from L =head1 BUGS -The trusted certificate store is not searched for the signing certificate, -this is primarily due to the inadequacies of the current B +The trusted certificate store is not searched for the signing certificate. +This is primarily due to the inadequacies of the current B functionality. The lack of single pass processing means that the signed content must all @@ -118,11 +125,13 @@ be held in memory if it is not detached. =head1 SEE ALSO +L, L, L, +L, L, L =head1 COPYRIGHT -Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/EC_KEY_new.pod b/crypto/external/bsd/openssl/dist/doc/man3/EC_KEY_new.pod index 6507dc95cdff..2fdb4659b673 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/EC_KEY_new.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/EC_KEY_new.pod @@ -33,7 +33,7 @@ EC_KEY objects const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key); int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group); const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key); - int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv); + int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key); const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key); int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub); point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key); @@ -102,7 +102,9 @@ that it is valid. The functions EC_KEY_get0_group(), EC_KEY_set_group(), EC_KEY_get0_private_key(), EC_KEY_set_private_key(), EC_KEY_get0_public_key(), and EC_KEY_set_public_key() get and set the EC_GROUP object, the private key, -and the EC_POINT public key for the B respectively. +and the EC_POINT public key for the B respectively. The function +EC_KEY_set_private_key() accepts NULL as the priv_key argument to securely clear +the private key component from the EC_KEY. The functions EC_KEY_get_conv_form() and EC_KEY_set_conv_form() get and set the point_conversion_form for the B. For a description of @@ -160,10 +162,14 @@ EC_KEY_copy() returns a pointer to the destination key, or NULL on error. EC_KEY_get0_engine() returns a pointer to an ENGINE, or NULL if it wasn't set. -EC_KEY_up_ref(), EC_KEY_set_group(), EC_KEY_set_private_key(), -EC_KEY_set_public_key(), EC_KEY_precompute_mult(), EC_KEY_generate_key(), -EC_KEY_check_key(), EC_KEY_set_public_key_affine_coordinates(), -EC_KEY_oct2key() and EC_KEY_oct2priv() return 1 on success or 0 on error. +EC_KEY_up_ref(), EC_KEY_set_group(), EC_KEY_set_public_key(), +EC_KEY_precompute_mult(), EC_KEY_generate_key(), EC_KEY_check_key(), +EC_KEY_set_public_key_affine_coordinates(), EC_KEY_oct2key() and +EC_KEY_oct2priv() return 1 on success or 0 on error. + +EC_KEY_set_private_key() returns 1 on success or 0 on error except when the +priv_key argument is NULL, in that case it returns 0, for legacy compatibility, +and should not be treated as an error. EC_KEY_get0_group() returns the EC_GROUP associated with the EC_KEY. @@ -184,7 +190,7 @@ L =head1 COPYRIGHT -Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/EVP_EncryptInit.pod b/crypto/external/bsd/openssl/dist/doc/man3/EVP_EncryptInit.pod index 392ce5dbc579..a17459a06e03 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/EVP_EncryptInit.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/EVP_EncryptInit.pod @@ -313,7 +313,7 @@ length. EVP_CIPHER_CTX_set_padding() always returns 1. EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV -length or zero if the cipher does not use an IV. +length, zero if the cipher does not use an IV and a negative value on error. EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER. @@ -661,7 +661,7 @@ EVP_CIPHER_CTX_reset(). =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_LH_COMPFUNC.pod b/crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_LH_COMPFUNC.pod index ae0a4bbf978b..29702aa0b586 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_LH_COMPFUNC.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_LH_COMPFUNC.pod @@ -23,7 +23,7 @@ lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error - dynamic hash table TYPE *lh_TYPE_insert(LHASH_OF(TYPE) *table, TYPE *data); TYPE *lh_TYPE_delete(LHASH_OF(TYPE) *table, TYPE *data); - TYPE *lh_retrieve(LHASH_OF(TYPE) *table, TYPE *data); + TYPE *lh_TYPE_retrieve(LHASH_OF(TYPE) *table, TYPE *data); void lh_TYPE_doall(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNC func); void lh_TYPE_doall_arg(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNCARG func, @@ -229,7 +229,7 @@ type checking. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_init_crypto.pod b/crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_init_crypto.pod index 3447f5f1138f..d01dba3d29dd 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_init_crypto.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_init_crypto.pod @@ -81,7 +81,7 @@ B will be ignored. With this option the library will automatically load and make available all libcrypto digests. This option is a default option. Once selected subsequent calls to OPENSSL_init_crypto() with the option -B will be ignored. +B will be ignored. =item OPENSSL_INIT_NO_ADD_ALL_CIPHERS @@ -264,7 +264,7 @@ and OPENSSL_INIT_free() functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_sign.pod b/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_sign.pod index 6fd54777d1f1..11b626191038 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_sign.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_sign.pod @@ -13,29 +13,26 @@ PKCS7_sign - create a PKCS#7 signedData structure =head1 DESCRIPTION -PKCS7_sign() creates and returns a PKCS#7 signedData structure. B is -the certificate to sign with, B is the corresponding private key. -B is an optional additional set of certificates to include in the PKCS#7 -structure (for example any intermediate CAs in the chain). +PKCS7_sign() creates and returns a PKCS#7 signedData structure. +I is the certificate to sign with, I is the corresponding +private key. I is an optional set of extra certificates to include +in the PKCS#7 structure (for example any intermediate CAs in the chain). -The data to be signed is read from BIO B. +The data to be signed is read from BIO I. -B is an optional set of flags. +I is an optional set of flags. -=head1 NOTES - -Any of the following flags (ored together) can be passed in the B -parameter. +Any of the following flags (ored together) can be passed in the I Many S/MIME clients expect the signed content to include valid MIME headers. If -the B flag is set MIME headers for type B are prepended +the B flag is set MIME headers for type C are prepended to the data. -If B is set the signer's certificate will not be included in the -PKCS7 structure, the signer's certificate must still be supplied in the -B parameter though. This can reduce the size of the signature if the -signers certificate can be obtained by other means: for example a previously -signed message. +If B is set the signer's certificate and the extra I +will not be included in the PKCS7 structure. +The signer's certificate must still be supplied in the I parameter +though. This can reduce the size of the signatures if the signer's certificates +can be obtained by other means: for example a previously signed message. The data being signed is included in the PKCS7 structure, unless B is set in which case it is omitted. This is used for PKCS7 @@ -59,7 +56,7 @@ these algorithms is disabled then it will not be included. If the flags B is set then the returned B structure is just initialized ready to perform the signing operation. The signing is however -B performed and the data to be signed is not read from the B +B performed and the data to be signed is not read from the I parameter. Signing is deferred until after the data has been written. In this way data can be signed in a single pass. @@ -80,17 +77,17 @@ BIO_new_PKCS7(). If a signer is specified it will use the default digest for the signing algorithm. This is B for both RSA and DSA keys. -The B, B and B parameters can all be -B if the B flag is set. One or more signers can be added +The I, I and I parameters can all be +NULL if the B flag is set. One or more signers can be added using the function PKCS7_sign_add_signer(). PKCS7_final() must also be called to finalize the structure if streaming is not enabled. Alternative signing digests can also be specified using this method. -If B and B are NULL then a certificates only +If I and I are NULL then a certificates only PKCS#7 structure is output. -In versions of OpenSSL before 1.0.0 the B and B parameters must -B be NULL. +In versions of OpenSSL before 1.0.0 the I and I parameters must +not be NULL. =head1 BUGS @@ -107,14 +104,14 @@ L, L =head1 HISTORY -The B flag, and the ability for B, B, -and B parameters to be B were added in OpenSSL 1.0.0. +The B flag, and the ability for I, I, +and I parameters to be NULL were added in OpenSSL 1.0.0. The B flag was added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_sign_add_signer.pod b/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_sign_add_signer.pod index d4a27a2f6194..0bbd6d8dca7c 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_sign_add_signer.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_sign_add_signer.pod @@ -2,7 +2,8 @@ =head1 NAME -PKCS7_sign_add_signer - add a signer PKCS7 signed data structure +PKCS7_sign_add_signer, +PKCS7_add_certificate, PKCS7_add_crl - add information to PKCS7 structure =head1 SYNOPSIS @@ -10,22 +11,22 @@ PKCS7_sign_add_signer - add a signer PKCS7 signed data structure PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, int flags); - + int PKCS7_add_certificate(PKCS7 *p7, X509 *cert); + int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl); =head1 DESCRIPTION -PKCS7_sign_add_signer() adds a signer with certificate B and private -key B using message digest B to a PKCS7 signed data structure -B. +PKCS7_sign_add_signer() adds a signer with certificate I and private +key I using message digest I to a PKCS7 signed data structure I. -The PKCS7 structure should be obtained from an initial call to PKCS7_sign() -with the flag B set or in the case or re-signing a valid PKCS7 +The B structure should be obtained from an initial call to PKCS7_sign() +with the flag B set or in the case or re-signing a valid PKCS#7 signed data structure. -If the B parameter is B then the default digest for the public +If the I parameter is NULL then the default digest for the public key algorithm will be used. -Unless the B flag is set the returned PKCS7 structure +Unless the B flag is set the returned B structure is not complete and must be finalized either by streaming (if applicable) or a call to PKCS7_final(). @@ -37,13 +38,13 @@ signed data structure where the simpler PKCS7_sign() function defaults are not appropriate. For example if multiple signers or non default digest algorithms are needed. -Any of the following flags (ored together) can be passed in the B +Any of the following flags (ored together) can be passed in the I parameter. If B is set then an attempt is made to copy the content -digest value from the PKCS7 structure: to add a signer to an existing structure. +digest value from the B structure: to add a signer to an existing structure. An error occurs if a matching digest value cannot be found to copy. The -returned PKCS7 structure will be valid and finalized when this flag is set. +returned B structure will be valid and finalized when this flag is set. If B is set in addition to B then the B structure will not be finalized so additional attributes @@ -51,8 +52,8 @@ can be added. In this case an explicit call to PKCS7_SIGNER_INFO_sign() is needed to finalize it. If B is set the signer's certificate will not be included in the -PKCS7 structure, the signer's certificate must still be supplied in the -B parameter though. This can reduce the size of the signature if the +B structure, the signer's certificate must still be supplied in the +I parameter though. This can reduce the size of the signature if the signers certificate can be obtained by other means: for example a previously signed message. @@ -66,20 +67,32 @@ If present the SMIMECapabilities attribute indicates support for the following algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of these algorithms is disabled then it will not be included. - -PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO -structure just added, this can be used to set additional attributes +PKCS7_sign_add_signers() returns an internal pointer to the B +structure just added, which can be used to set additional attributes before it is finalized. +PKCS7_add_certificate() adds to the B structure I the certificate +I, which may be an end-entity (signer) certificate +or a CA certificate useful for chain building. +This is done internally by L and similar signing functions. +It may have to be used before calling L +in order to provide any missing certificate(s) needed for verification. + +PKCS7_add_crl() adds the CRL I to the B structure I. +This may be called to provide certificate status information +to be included when signing or to use when verifying the B structure. + =head1 RETURN VALUES -PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO +PKCS7_sign_add_signers() returns an internal pointer to the B structure just added or NULL if an error occurs. +PKCS7_add_certificate() and PKCS7_add_crl() return 1 on success, 0 on error. + =head1 SEE ALSO -L, L, -L, +L, L, +L, L =head1 HISTORY @@ -87,7 +100,7 @@ The PPKCS7_sign_add_signer() function was added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_verify.pod b/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_verify.pod index 9e238c565952..4418e5489c9f 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_verify.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/PKCS7_verify.pod @@ -15,64 +15,76 @@ PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure =head1 DESCRIPTION -PKCS7_verify() verifies a PKCS#7 signedData structure. B is the PKCS7 -structure to verify. B is a set of certificates in which to search for -the signer's certificate. B is a trusted certificate store (used for -chain verification). B is the signed data if the content is not -present in B (that is it is detached). The content is written to B -if it is not NULL. - -B is an optional set of flags, which can be used to modify the verify -operation. - -PKCS7_get0_signers() retrieves the signer's certificates from B, it does -B check their validity or whether any signatures are valid. The B -and B parameters have the same meanings as in PKCS7_verify(). +PKCS7_verify() is very similar to L. +It verifies a PKCS#7 signedData structure given in I. +The optional I parameter refers to a set of certificates +in which to search for signer's certificates. +I may contain extra untrusted CA certificates that may be used for +chain building as well as CRLs that may be used for certificate validation. +I may be NULL or point to +the trusted certificate store to use for chain verification. +I refers to the signed data if the content is detached from I. +Otherwise I should be NULL, and then the signed data must be in I. +The content is written to the BIO I unless it is NULL. +I is an optional set of flags, which can be used to modify the operation. + +PKCS7_get0_signers() retrieves the signer's certificates from I, it does +B check their validity or whether any signatures are valid. The I +and I parameters have the same meanings as in PKCS7_verify(). =head1 VERIFY PROCESS Normally the verify process proceeds as follows. -Initially some sanity checks are performed on B. The type of B must -be signedData. There must be at least one signature on the data and if -the content is detached B cannot be B. If the content is -not detached and B is not B, then the structure has both +Initially some sanity checks are performed on I. The type of I must +be SignedData. There must be at least one signature on the data and if +the content is detached I cannot be NULL. If the content is +not detached and I is not NULL then the structure has both embedded and external content. To treat this as an error, use the flag B. The default behavior allows this, for compatibility with older versions of OpenSSL. An attempt is made to locate all the signer's certificates, first looking in -the B parameter (if it is not B) and then looking in any certificates -contained in the B structure itself. If any signer's certificates cannot be -located the operation fails. +the I parameter (if it is not NULL). Then they are looked up in any +certificates contained in the I structure unless B is set. +If any signer's certificates cannot be located the operation fails. Each signer's certificate is chain verified using the B purpose and -the supplied trusted certificate store. Any internal certificates in the message -are used as untrusted CAs. If any chain verify fails an error code is returned. +using the trusted certificate store I if supplied. +Any internal certificates in the message, which may have been added using +L, are used as untrusted CAs unless B +is set. +If CRL checking is enabled in I and B is not set, +any internal CRLs, which may have been added using L, +are used in addition to attempting to look them up in I. +If I is not NULL and any chain verify fails an error code is returned. -Finally the signed content is read (and written to B is it is not NULL) and -the signature's checked. +Finally the signed content is read (and written to I unless it is NULL) +and the signature is checked. -If all signature's verify correctly then the function is successful. +If all signatures verify correctly then the function is successful. -Any of the following flags (ored together) can be passed in the B parameter -to change the default verify behaviour. Only the flag B is -meaningful to PKCS7_get0_signers(). +Any of the following flags (ored together) can be passed in the I +parameter to change the default verify behaviour. +Only the flag B is meaningful to PKCS7_get0_signers(). If B is set the certificates in the message itself are not -searched when locating the signer's certificate. This means that all the signers -certificates must be in the B parameter. +searched when locating the signer's certificates. +This means that all the signer's certificates must be in the I parameter. + +If B is set and CRL checking is enabled in I then any +CRLs in the message itself are ignored. -If the B flag is set MIME headers for type B are deleted -from the content. If the content is not of type B then an error is +If the B flag is set MIME headers for type C are deleted +from the content. If the content is not of type C then an error is returned. If B is set the signer's certificates are not chain verified. If B is set then the certificates contained in the message are not used as untrusted CAs. This means that the whole verify chain (apart from -the signer's certificate) must be contained in the trusted store. +the signer's certificates) must be contained in the trusted store. If B is set then the signatures on the data are not checked. @@ -80,46 +92,46 @@ If B is set then the signatures on the data are not checked. One application of B is to only accept messages signed by a small number of certificates. The acceptable certificates would be passed -in the B parameter. In this case if the signer is not one of the -certificates supplied in B then the verify will fail because the +in the I parameter. In this case if the signer's certificate is not one +of the certificates supplied in I then the verify will fail because the signer cannot be found. Care should be taken when modifying the default verify behaviour, for example setting B will totally disable all verification and any signed message will be considered valid. This combination is however -useful if one merely wishes to write the content to B and its validity +useful if one merely wishes to write the content to I and its validity is not considered important. -Chain verification should arguably be performed using the signing time rather +Chain verification should arguably be performed using the signing time rather than the current time. However, since the signing time is supplied by the signer it cannot be trusted without additional evidence (such as a trusted timestamp). =head1 RETURN VALUES -PKCS7_verify() returns one for a successful verification and zero -if an error occurs. +PKCS7_verify() returns 1 for a successful verification and 0 if an error occurs. -PKCS7_get0_signers() returns all signers or B if an error occurred. +PKCS7_get0_signers() returns all signers or NULL if an error occurred. -The error can be obtained from L +The error can be obtained from L. =head1 BUGS -The trusted certificate store is not searched for the signers certificate, -this is primarily due to the inadequacies of the current B +The trusted certificate store is not searched for the signer's certificates. +This is primarily due to the inadequacies of the current B functionality. -The lack of single pass processing and need to hold all data in memory as -mentioned in PKCS7_sign() also applies to PKCS7_verify(). +The lack of single pass processing means that the signed content must all +be held in memory if it is not detached. =head1 SEE ALSO +L, L, L, L, L =head1 COPYRIGHT -Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set1_verify_cert_store.pod b/crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set1_verify_cert_store.pod index b42f2a499f13..a7f2a53a80af 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set1_verify_cert_store.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set1_verify_cert_store.pod @@ -5,7 +5,9 @@ SSL_CTX_set0_verify_cert_store, SSL_CTX_set1_verify_cert_store, SSL_CTX_set0_chain_cert_store, SSL_CTX_set1_chain_cert_store, SSL_set0_verify_cert_store, SSL_set1_verify_cert_store, -SSL_set0_chain_cert_store, SSL_set1_chain_cert_store - set certificate +SSL_set0_chain_cert_store, SSL_set1_chain_cert_store, +SSL_CTX_get0_verify_cert_store, SSL_CTX_get0_chain_cert_store, +SSL_get0_verify_cert_store, SSL_get0_chain_cert_store - set certificate verification or chain store =head1 SYNOPSIS @@ -16,11 +18,15 @@ verification or chain store int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st); int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); + int SSL_CTX_get0_verify_cert_store(SSL_CTX *ctx, X509_STORE **st); + int SSL_CTX_get0_chain_cert_store(SSL_CTX *ctx, X509_STORE **st); int SSL_set0_verify_cert_store(SSL *ctx, X509_STORE *st); int SSL_set1_verify_cert_store(SSL *ctx, X509_STORE *st); int SSL_set0_chain_cert_store(SSL *ctx, X509_STORE *st); int SSL_set1_chain_cert_store(SSL *ctx, X509_STORE *st); + int SSL_get0_verify_cert_store(SSL *ctx, X509_STORE **st); + int SSL_get0_chain_cert_store(SSL *ctx, X509_STORE **st); =head1 DESCRIPTION @@ -34,6 +40,11 @@ SSL_set0_verify_cert_store(), SSL_set1_verify_cert_store(), SSL_set0_chain_cert_store() and SSL_set1_chain_cert_store() are similar except they apply to SSL structure B. +SSL_CTX_get0_verify_chain_store(), SSL_get0_verify_chain_store(), +SSL_CTX_get0_chain_cert_store() and SSL_get0_chain_cert_store() retrieve the +objects previously set via the above calls. A pointer to the object (or NULL if +no such object has been set) is written to B<*st>. + All these functions are implemented as macros. Those containing a B<1> increment the reference count of the supplied store so it must be freed at some point after the operation. Those containing a B<0> do @@ -90,7 +101,7 @@ These functions were added in OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_timeout.pod b/crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_timeout.pod index c32585e45f92..e76353cfd4b9 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_timeout.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_timeout.pod @@ -42,6 +42,16 @@ basis, see L. All currently supported protocols have the same default timeout value of 300 seconds. +This timeout value is used as the ticket lifetime hint for stateless session +tickets. It is also used as the timeout value within the ticket itself. + +For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800 +seconds). + +For TLSv1.2, tickets generated during an initial handshake use the value +as specified. Tickets generated during a resumed handshake have a value +of 0 for the ticket lifetime hint. + =head1 RETURN VALUES SSL_CTX_set_timeout() returns the previously set timeout value. @@ -58,7 +68,7 @@ L =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/SSL_get_current_cipher.pod b/crypto/external/bsd/openssl/dist/doc/man3/SSL_get_current_cipher.pod index 64ca819b0e1c..4ed555aa4972 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/SSL_get_current_cipher.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/SSL_get_current_cipher.pod @@ -10,8 +10,8 @@ SSL_get_pending_cipher - get SSL_CIPHER of a connection #include - SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl); - SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl); + const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl); + const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl); const char *SSL_get_cipher_name(const SSL *s); const char *SSL_get_cipher(const SSL *s); @@ -61,7 +61,7 @@ L, L =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/man3/X509_STORE_CTX_new.pod b/crypto/external/bsd/openssl/dist/doc/man3/X509_STORE_CTX_new.pod index b8024dc4af66..bf16c1eced29 100644 --- a/crypto/external/bsd/openssl/dist/doc/man3/X509_STORE_CTX_new.pod +++ b/crypto/external/bsd/openssl/dist/doc/man3/X509_STORE_CTX_new.pod @@ -175,14 +175,18 @@ It should not normally be necessary for end user applications to call X509_STORE_CTX_purpose_inherit() directly. Typically applications should call X509_STORE_CTX_set_purpose() or X509_STORE_CTX_set_trust() instead. Using this function it is possible to set the purpose and trust values for the I at -the same time. The I and I arguments can have the same +the same time. +Both I and its internal verification parameter pointer must not be NULL. +The I and I arguments can have the same purpose values as described for X509_STORE_CTX_set_purpose() above. The I argument can have the same trust values as described in X509_STORE_CTX_set_trust() above. Any of the I, I or I values may also have the value 0 to indicate that the supplied parameter should be ignored. After calling this function the purpose to be used -for verification is set from the I argument, and the trust is set from -the I argument. If I is 0 then the trust value will be set from +for verification is set from the I argument unless the purpose was +already set in I before, and the trust is set from the I argument +unless the trust was already set in I before. +If I is 0 then the trust value will be set from the default trust value for I. If the default trust value for the purpose is I and I is 0 then the default trust value associated with the I value is used for the trust setting instead. diff --git a/crypto/external/bsd/openssl/dist/engines/asm/e_padlock-x86.pl b/crypto/external/bsd/openssl/dist/engines/asm/e_padlock-x86.pl index 5b097ce3ef9b..7d5c92d98ce3 100644 --- a/crypto/external/bsd/openssl/dist/engines/asm/e_padlock-x86.pl +++ b/crypto/external/bsd/openssl/dist/engines/asm/e_padlock-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -116,6 +116,8 @@ $chunk="ebx"; &function_begin_B("padlock_key_bswap"); &mov ("edx",&wparam(0)); &mov ("ecx",&DWP(240,"edx")); + &inc ("ecx"); + &shl ("ecx",2); &set_label("bswap_loop"); &mov ("eax",&DWP(0,"edx")); &bswap ("eax"); diff --git a/crypto/external/bsd/openssl/dist/engines/asm/e_padlock-x86_64.pl b/crypto/external/bsd/openssl/dist/engines/asm/e_padlock-x86_64.pl index 09b0aaa48dfe..f60bec1e7d5d 100644 --- a/crypto/external/bsd/openssl/dist/engines/asm/e_padlock-x86_64.pl +++ b/crypto/external/bsd/openssl/dist/engines/asm/e_padlock-x86_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -92,6 +92,8 @@ padlock_capability: .align 16 padlock_key_bswap: mov 240($arg1),%edx + inc %edx + shl \$2,%edx .Lbswap_loop: mov ($arg1),%eax bswap %eax diff --git a/crypto/external/bsd/openssl/dist/include/crypto/bn.h b/crypto/external/bsd/openssl/dist/include/crypto/bn.h index 60afda1dadee..9f866ed71abf 100644 --- a/crypto/external/bsd/openssl/dist/include/crypto/bn.h +++ b/crypto/external/bsd/openssl/dist/include/crypto/bn.h @@ -1,5 +1,5 @@ /* - * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx); +int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, + const BN_BLINDING *blinding, + const BIGNUM *possible_arg2, + const BIGNUM *to_mod, BN_CTX *ctx, + unsigned char *buf, int num); #endif diff --git a/crypto/external/bsd/openssl/dist/include/openssl/bnerr.h b/crypto/external/bsd/openssl/dist/include/openssl/bnerr.h index 9f3c7cfaab67..5c83777f9f06 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/bnerr.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/bnerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -72,6 +72,7 @@ int ERR_load_BN_strings(void); # define BN_F_BN_SET_WORDS 144 # define BN_F_BN_STACK_PUSH 148 # define BN_F_BN_USUB 115 +# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 /* * BN reason codes. diff --git a/crypto/external/bsd/openssl/dist/include/openssl/cmserr.h b/crypto/external/bsd/openssl/dist/include/openssl/cmserr.h index 7dbc13dc939e..d589f592c805 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/cmserr.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/cmserr.h @@ -187,6 +187,7 @@ int ERR_load_CMS_strings(void); # define CMS_R_UNKNOWN_DIGEST_ALGORITHM 149 # define CMS_R_UNKNOWN_ID 150 # define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM 151 +# define CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM 194 # define CMS_R_UNSUPPORTED_CONTENT_TYPE 152 # define CMS_R_UNSUPPORTED_KEK_ALGORITHM 153 # define CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM 179 diff --git a/crypto/external/bsd/openssl/dist/include/openssl/opensslv.h b/crypto/external/bsd/openssl/dist/include/openssl/opensslv.h index c48626447036..7b6c212fa097 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/opensslv.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/opensslv.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,8 +39,8 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x101010efL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1n 15 Mar 2022" +# define OPENSSL_VERSION_NUMBER 0x1010114fL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1t 7 Feb 2023" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/crypto/external/bsd/openssl/dist/include/openssl/ssl.h b/crypto/external/bsd/openssl/dist/include/openssl/ssl.h index fd0c5a99967f..9af0c8995ecc 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/ssl.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/ssl.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1305,6 +1305,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTRL_GET_MAX_PROTO_VERSION 131 # define SSL_CTRL_GET_SIGNATURE_NID 132 # define SSL_CTRL_GET_TMP_KEY 133 +# define SSL_CTRL_GET_VERIFY_CERT_STORE 137 +# define SSL_CTRL_GET_CHAIN_CERT_STORE 138 # define SSL_CERT_SET_FIRST 1 # define SSL_CERT_SET_NEXT 2 # define SSL_CERT_SET_SERVER 3 @@ -1360,10 +1362,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st)) # define SSL_CTX_set1_verify_cert_store(ctx,st) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st)) +# define SSL_CTX_get0_verify_cert_store(ctx,st) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st)) # define SSL_CTX_set0_chain_cert_store(ctx,st) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st)) # define SSL_CTX_set1_chain_cert_store(ctx,st) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st)) +# define SSL_CTX_get0_chain_cert_store(ctx,st) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st)) # define SSL_set0_chain(s,sk) \ SSL_ctrl(s,SSL_CTRL_CHAIN,0,(char *)(sk)) # define SSL_set1_chain(s,sk) \ @@ -1386,10 +1392,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st)) # define SSL_set1_verify_cert_store(s,st) \ SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st)) +#define SSL_get0_verify_cert_store(s,st) \ + SSL_ctrl(s,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st)) # define SSL_set0_chain_cert_store(s,st) \ SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st)) # define SSL_set1_chain_cert_store(s,st) \ SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st)) +#define SSL_get0_chain_cert_store(s,st) \ + SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st)) # define SSL_get1_groups(s, glist) \ SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist)) # define SSL_CTX_set1_groups(ctx, glist, glistlen) \ diff --git a/crypto/external/bsd/openssl/dist/include/openssl/x509v3.h b/crypto/external/bsd/openssl/dist/include/openssl/x509v3.h index 90fa3592ce58..3a4f04c183e9 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/x509v3.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/x509v3.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st { OTHERNAME *otherName; /* otherName */ ASN1_IA5STRING *rfc822Name; ASN1_IA5STRING *dNSName; - ASN1_TYPE *x400Address; + ASN1_STRING *x400Address; X509_NAME *directoryName; EDIPARTYNAME *ediPartyName; ASN1_IA5STRING *uniformResourceIdentifier; diff --git a/crypto/external/bsd/openssl/dist/ssl/packet.c b/crypto/external/bsd/openssl/dist/ssl/packet.c index 1ddde969f3b2..d6357495f53e 100644 --- a/crypto/external/bsd/openssl/dist/ssl/packet.c +++ b/crypto/external/bsd/openssl/dist/ssl/packet.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -161,7 +161,7 @@ int WPACKET_set_flags(WPACKET *pkt, unsigned int flags) } /* Store the |value| of length |len| at location |data| */ -static int put_value(unsigned char *data, size_t value, size_t len) +static int put_value(unsigned char *data, uint64_t value, size_t len) { for (data += len - 1; len > 0; len--) { *data = (unsigned char)(value & 0xff); @@ -306,12 +306,12 @@ int WPACKET_start_sub_packet(WPACKET *pkt) return WPACKET_start_sub_packet_len__(pkt, 0); } -int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t size) +int WPACKET_put_bytes__(WPACKET *pkt, uint64_t val, size_t size) { unsigned char *data; /* Internal API, so should not fail */ - if (!ossl_assert(size <= sizeof(unsigned int)) + if (!ossl_assert(size <= sizeof(uint64_t)) || !WPACKET_allocate_bytes(pkt, size, &data) || !put_value(data, val, size)) return 0; diff --git a/crypto/external/bsd/openssl/dist/ssl/packet_local.h b/crypto/external/bsd/openssl/dist/ssl/packet_local.h index 1b6c2fb9bc3f..5b1d3fe56edb 100644 --- a/crypto/external/bsd/openssl/dist/ssl/packet_local.h +++ b/crypto/external/bsd/openssl/dist/ssl/packet_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -227,6 +227,28 @@ __owur static ossl_inline int PACKET_peek_net_4(const PACKET *pkt, return 1; } +/* + * Peek ahead at 8 bytes in network order from |pkt| and store the value in + * |*data| + */ +__owur static ossl_inline int PACKET_peek_net_8(const PACKET *pkt, + uint64_t *data) +{ + if (PACKET_remaining(pkt) < 8) + return 0; + + *data = ((uint64_t)(*pkt->curr)) << 56; + *data |= ((uint64_t)(*(pkt->curr + 1))) << 48; + *data |= ((uint64_t)(*(pkt->curr + 2))) << 40; + *data |= ((uint64_t)(*(pkt->curr + 3))) << 32; + *data |= ((uint64_t)(*(pkt->curr + 4))) << 24; + *data |= ((uint64_t)(*(pkt->curr + 5))) << 16; + *data |= ((uint64_t)(*(pkt->curr + 6))) << 8; + *data |= *(pkt->curr + 7); + + return 1; +} + /* Equivalent of n2l */ /* Get 4 bytes in network order from |pkt| and store the value in |*data| */ __owur static ossl_inline int PACKET_get_net_4(PACKET *pkt, unsigned long *data) @@ -250,6 +272,17 @@ __owur static ossl_inline int PACKET_get_net_4_len(PACKET *pkt, size_t *data) return ret; } + +/* Get 8 bytes in network order from |pkt| and store the value in |*data| */ +__owur static ossl_inline int PACKET_get_net_8(PACKET *pkt, uint64_t *data) +{ + if (!PACKET_peek_net_8(pkt, data)) + return 0; + + packet_forward(pkt, 8); + + return 1; +} /* Peek ahead at 1 byte from |pkt| and store the value in |*data| */ __owur static ossl_inline int PACKET_peek_1(const PACKET *pkt, @@ -808,7 +841,7 @@ int WPACKET_sub_reserve_bytes__(WPACKET *pkt, size_t len, * 1 byte will fail. Don't call this directly. Use the convenience macros below * instead. */ -int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes); +int WPACKET_put_bytes__(WPACKET *pkt, uint64_t val, size_t bytes); /* * Convenience macros for calling WPACKET_put_bytes with different @@ -822,6 +855,8 @@ int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes); WPACKET_put_bytes__((pkt), (val), 3) #define WPACKET_put_bytes_u32(pkt, val) \ WPACKET_put_bytes__((pkt), (val), 4) +#define WPACKET_put_bytes_u64(pkt, val) \ + WPACKET_put_bytes__((pkt), (val), 8) /* Set a maximum size that we will not allow the WPACKET to grow beyond */ int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize); diff --git a/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_s3.c b/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_s3.c index 8249b4ace9cd..1db1712a0986 100644 --- a/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_s3.c +++ b/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_s3.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,7 @@ #include #include "record_local.h" #include "../packet_local.h" +#include "internal/cryptlib.h" #if defined(OPENSSL_SMALL_FOOTPRINT) || \ !( defined(AESNI_ASM) && ( \ @@ -115,10 +116,22 @@ size_t ssl3_pending(const SSL *s) if (s->rlayer.rstate == SSL_ST_READ_BODY) return 0; + /* Take into account DTLS buffered app data */ + if (SSL_IS_DTLS(s)) { + DTLS1_RECORD_DATA *rdata; + pitem *item, *iter; + + iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q); + while ((item = pqueue_next(&iter)) != NULL) { + rdata = item->data; + num += rdata->rrec.length; + } + } + for (i = 0; i < RECORD_LAYER_get_numrpipes(&s->rlayer); i++) { if (SSL3_RECORD_get_type(&s->rlayer.rrec[i]) != SSL3_RT_APPLICATION_DATA) - return 0; + return num; num += SSL3_RECORD_get_length(&s->rlayer.rrec[i]); } @@ -971,11 +984,14 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, } /* - * Reserve some bytes for any growth that may occur during encryption. - * This will be at most one cipher block or the tag length if using - * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case. - */ - if (!WPACKET_reserve_bytes(thispkt, SSL_RT_MAX_CIPHER_BLOCK_SIZE, + * Reserve some bytes for any growth that may occur during encryption. If + * we are adding the MAC independently of the cipher algorithm, then the + * max encrypted overhead does not need to include an allocation for that + * MAC + */ + if (!WPACKET_reserve_bytes(thispkt, + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + - mac_size, NULL) /* * We also need next the amount of bytes written to this @@ -1025,6 +1041,9 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, /* Allocate bytes for the encryption overhead */ if (!WPACKET_get_length(thispkt, &origlen) + /* Check we allowed enough room for the encryption growth */ + || !ossl_assert(origlen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + - mac_size >= thiswr->length) /* Encryption should never shrink the data! */ || origlen > thiswr->length || (thiswr->length > origlen diff --git a/crypto/external/bsd/openssl/dist/ssl/record/ssl3_buffer.c b/crypto/external/bsd/openssl/dist/ssl/record/ssl3_buffer.c index b9ba25e0c3f8..fa597c274671 100644 --- a/crypto/external/bsd/openssl/dist/ssl/record/ssl3_buffer.c +++ b/crypto/external/bsd/openssl/dist/ssl/record/ssl3_buffer.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -97,11 +97,16 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) #endif len = ssl_get_max_send_fragment(s) - + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; + + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align + + SSL_RT_MAX_CIPHER_BLOCK_SIZE /* Explicit IV allowance */; #ifndef OPENSSL_NO_COMP if (ssl_allow_compression(s)) len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif + /* + * We don't need to add an allowance for eivlen here since empty + * fragments only occur when we don't have an explicit IV + */ if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; } diff --git a/crypto/external/bsd/openssl/dist/ssl/record/ssl3_record.c b/crypto/external/bsd/openssl/dist/ssl/record/ssl3_record.c index f158544789bb..47c7369ed549 100644 --- a/crypto/external/bsd/openssl/dist/ssl/record/ssl3_record.c +++ b/crypto/external/bsd/openssl/dist/ssl/record/ssl3_record.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1532,6 +1532,7 @@ int ssl3_cbc_copy_mac(unsigned char *out, #if defined(CBC_MAC_ROTATE_IN_PLACE) unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; unsigned char *rotated_mac; + char aux1, aux2, aux3, mask; #else unsigned char rotated_mac[EVP_MAX_MD_SIZE]; #endif @@ -1581,9 +1582,16 @@ int ssl3_cbc_copy_mac(unsigned char *out, #if defined(CBC_MAC_ROTATE_IN_PLACE) j = 0; for (i = 0; i < md_size; i++) { - /* in case cache-line is 32 bytes, touch second line */ - ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32]; - out[j++] = rotated_mac[rotate_offset++]; + /* + * in case cache-line is 32 bytes, + * load from both lines and select appropriately + */ + aux1 = rotated_mac[rotate_offset & ~32]; + aux2 = rotated_mac[rotate_offset | 32]; + mask = constant_time_eq_8(rotate_offset & ~32, rotate_offset); + aux3 = constant_time_select_8(mask, aux1, aux2); + out[j++] = aux3; + rotate_offset++; rotate_offset &= constant_time_lt_s(rotate_offset, md_size); } #else diff --git a/crypto/external/bsd/openssl/dist/ssl/s3_enc.c b/crypto/external/bsd/openssl/dist/ssl/s3_enc.c index 8a89f512fe60..7b119b452fd7 100644 --- a/crypto/external/bsd/openssl/dist/ssl/s3_enc.c +++ b/crypto/external/bsd/openssl/dist/ssl/s3_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -589,6 +589,8 @@ int ssl3_alert_code(int code) return TLS1_AD_NO_APPLICATION_PROTOCOL; case SSL_AD_CERTIFICATE_REQUIRED: return SSL_AD_HANDSHAKE_FAILURE; + case SSL_AD_MISSING_EXTENSION: + return SSL_AD_HANDSHAKE_FAILURE; default: return -1; } diff --git a/crypto/external/bsd/openssl/dist/ssl/s3_lib.c b/crypto/external/bsd/openssl/dist/ssl/s3_lib.c index e4cf007f82a5..32f9b257106b 100644 --- a/crypto/external/bsd/openssl/dist/ssl/s3_lib.c +++ b/crypto/external/bsd/openssl/dist/ssl/s3_lib.c @@ -3676,6 +3676,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_CHAIN_CERT_STORE: return ssl_cert_set_cert_store(s->cert, parg, 1, larg); + case SSL_CTRL_GET_VERIFY_CERT_STORE: + return ssl_cert_get_cert_store(s->cert, parg, 0); + + case SSL_CTRL_GET_CHAIN_CERT_STORE: + return ssl_cert_get_cert_store(s->cert, parg, 1); + case SSL_CTRL_GET_PEER_SIGNATURE_NID: if (s->s3->tmp.peer_sigalg == NULL) return 0; @@ -3949,6 +3955,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_CHAIN_CERT_STORE: return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg); + case SSL_CTRL_GET_VERIFY_CERT_STORE: + return ssl_cert_get_cert_store(ctx->cert, parg, 0); + + case SSL_CTRL_GET_CHAIN_CERT_STORE: + return ssl_cert_get_cert_store(ctx->cert, parg, 1); + /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: if (ctx->extra_certs == NULL) { diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_cert.c b/crypto/external/bsd/openssl/dist/ssl/ssl_cert.c index eba96b207eee..b615e7048da4 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_cert.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_cert.c @@ -876,6 +876,12 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) return 1; } +int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain) +{ + *pstore = (chain ? c->chain_store : c->verify_store); + return 1; +} + int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp) { int level; diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c b/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c index 91fda9f061d5..a3ca5294be2e 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1026,7 +1026,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, * alphanumeric, so we call this an error. */ SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND); - return 0; + return 0; } if (rule == CIPHER_SPECIAL) { diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_init.c b/crypto/external/bsd/openssl/dist/ssl/ssl_init.c index d083d9597091..a5d45480c9e0 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_init.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_init.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -116,7 +116,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base) } static CRYPTO_ONCE ssl_strings = CRYPTO_ONCE_STATIC_INIT; -static int ssl_strings_inited = 0; + DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings) { /* @@ -129,7 +129,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings) "ERR_load_SSL_strings()\n"); # endif ERR_load_SSL_strings(); - ssl_strings_inited = 1; #endif return 1; } @@ -157,20 +156,6 @@ static void ssl_library_stop(void) ssl_comp_free_compression_methods_int(); #endif } - - if (ssl_strings_inited) { -#ifdef OPENSSL_INIT_DEBUG - fprintf(stderr, "OPENSSL_INIT: ssl_library_stop: " - "err_free_strings_int()\n"); -#endif - /* - * If both crypto and ssl error strings are inited we will end up - * calling err_free_strings_int() twice - but that's ok. The second - * time will be a no-op. It's easier to do that than to try and track - * between the two libraries whether they have both been inited. - */ - err_free_strings_int(); - } } /* diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c b/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c index 9c411a329396..47adc3211c85 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1510,12 +1510,26 @@ int SSL_has_pending(const SSL *s) { /* * Similar to SSL_pending() but returns a 1 to indicate that we have - * unprocessed data available or 0 otherwise (as opposed to the number of - * bytes available). Unlike SSL_pending() this will take into account - * read_ahead data. A 1 return simply indicates that we have unprocessed - * data. That data may not result in any application data, or we may fail - * to parse the records for some reason. + * processed or unprocessed data available or 0 otherwise (as opposed to the + * number of bytes available). Unlike SSL_pending() this will take into + * account read_ahead data. A 1 return simply indicates that we have data. + * That data may not result in any application data, or we may fail to parse + * the records for some reason. */ + + /* Check buffered app data if any first */ + if (SSL_IS_DTLS(s)) { + DTLS1_RECORD_DATA *rdata; + pitem *item, *iter; + + iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q); + while ((item = pqueue_next(&iter)) != NULL) { + rdata = item->data; + if (rdata->rrec.length > 0) + return 1; + } + } + if (RECORD_LAYER_processed_read_pending(&s->rlayer)) return 1; @@ -2084,6 +2098,7 @@ int SSL_shutdown(SSL *s) if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; + memset(&args, 0, sizeof(args)); args.s = s; args.type = OTHERFUNC; args.f.func_other = s->method->ssl_shutdown; @@ -3709,6 +3724,7 @@ int SSL_do_handshake(SSL *s) if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; + memset(&args, 0, sizeof(args)); args.s = s; ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern); diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_local.h b/crypto/external/bsd/openssl/dist/ssl/ssl_local.h index 9f346e30e8f4..5c7921542310 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_local.h +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -2301,6 +2301,7 @@ __owur int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk); __owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags); __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref); +__owur int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain); __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other); __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_rsa.c b/crypto/external/bsd/openssl/dist/ssl/ssl_rsa.c index 6457c0c0efa3..2df07bea6782 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_rsa.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_rsa.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -727,6 +727,34 @@ static int serverinfoex_srv_parse_cb(SSL *s, unsigned int ext_type, return 1; } +static size_t extension_contextoff(unsigned int version) +{ + return version == SSL_SERVERINFOV1 ? 4 : 0; +} + +static size_t extension_append_length(unsigned int version, size_t extension_length) +{ + return extension_length + extension_contextoff(version); +} + +static void extension_append(unsigned int version, + const unsigned char *extension, + const size_t extension_length, + unsigned char *serverinfo) +{ + const size_t contextoff = extension_contextoff(version); + + if (contextoff > 0) { + /* We know this only uses the last 2 bytes */ + serverinfo[0] = 0; + serverinfo[1] = 0; + serverinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff; + serverinfo[3] = SYNTHV1CONTEXT & 0xff; + } + + memcpy(serverinfo + contextoff, extension, extension_length); +} + static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, int *al, void *arg) @@ -842,12 +870,36 @@ int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version, const unsigned char *serverinfo, size_t serverinfo_length) { - unsigned char *new_serverinfo; + unsigned char *new_serverinfo = NULL; if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_PASSED_NULL_PARAMETER); return 0; } + if (version == SSL_SERVERINFOV1) { + /* + * Convert serverinfo version v1 to v2 and call yourself recursively + * over the converted serverinfo. + */ + const size_t sinfo_length = extension_append_length(SSL_SERVERINFOV1, + serverinfo_length); + unsigned char *sinfo; + int ret; + + sinfo = OPENSSL_malloc(sinfo_length); + if (sinfo == NULL) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_MALLOC_FAILURE); + return 0; + } + + extension_append(SSL_SERVERINFOV1, serverinfo, serverinfo_length, sinfo); + + ret = SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV2, sinfo, + sinfo_length); + + OPENSSL_free(sinfo); + return ret; + } if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length, NULL)) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA); @@ -899,7 +951,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) char namePrefix2[] = "SERVERINFOV2 FOR "; int ret = 0; BIO *bin = NULL; - size_t num_extensions = 0, contextoff = 0; + size_t num_extensions = 0; if (ctx == NULL || file == NULL) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER); @@ -918,6 +970,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) for (num_extensions = 0;; num_extensions++) { unsigned int version; + size_t append_length; if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) == 0) { @@ -962,11 +1015,6 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); goto end; } - /* - * File does not have a context value so we must take account of - * this later. - */ - contextoff = 4; } else { /* 8 byte header: 4 bytes context, 2 bytes type, 2 bytes len */ if (extension_length < 8 @@ -977,25 +1025,16 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) } } /* Append the decoded extension to the serverinfo buffer */ - tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length - + contextoff); + append_length = extension_append_length(version, extension_length); + tmp = OPENSSL_realloc(serverinfo, serverinfo_length + append_length); if (tmp == NULL) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE); goto end; } serverinfo = tmp; - if (contextoff > 0) { - unsigned char *sinfo = serverinfo + serverinfo_length; - - /* We know this only uses the last 2 bytes */ - sinfo[0] = 0; - sinfo[1] = 0; - sinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff; - sinfo[3] = SYNTHV1CONTEXT & 0xff; - } - memcpy(serverinfo + serverinfo_length + contextoff, - extension, extension_length); - serverinfo_length += extension_length + contextoff; + extension_append(version, extension, extension_length, + serverinfo + serverinfo_length); + serverinfo_length += append_length; OPENSSL_free(name); name = NULL; diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_txt.c b/crypto/external/bsd/openssl/dist/ssl/ssl_txt.c index 457bc8b3c20a..759e1873e6b1 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_txt.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_txt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -130,11 +130,11 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) } #endif if (x->time != 0L) { - if (BIO_printf(bp, "\n Start Time: %ld", x->time) <= 0) + if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0) goto err; } if (x->timeout != 0L) { - if (BIO_printf(bp, "\n Timeout : %ld (sec)", x->timeout) <= 0) + if (BIO_printf(bp, "\n Timeout : %lld (sec)", (long long)x->timeout) <= 0) goto err; } if (BIO_puts(bp, "\n") <= 0) diff --git a/crypto/external/bsd/openssl/dist/ssl/statem/extensions_clnt.c b/crypto/external/bsd/openssl/dist/ssl/statem/extensions_clnt.c index 9d38ac23b5f0..1cbaefa9f123 100644 --- a/crypto/external/bsd/openssl/dist/ssl/statem/extensions_clnt.c +++ b/crypto/external/bsd/openssl/dist/ssl/statem/extensions_clnt.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -118,6 +118,8 @@ static int use_ecc(SSL *s) int i, end, ret = 0; unsigned long alg_k, alg_a; STACK_OF(SSL_CIPHER) *cipher_stack = NULL; + const uint16_t *pgroups = NULL; + size_t num_groups, j; /* See if we support any ECC ciphersuites */ if (s->version == SSL3_VERSION) @@ -139,7 +141,19 @@ static int use_ecc(SSL *s) } sk_SSL_CIPHER_free(cipher_stack); - return ret; + if (!ret) + return 0; + + /* Check we have at least one EC supported group */ + tls1_get_supported_groups(s, &pgroups, &num_groups); + for (j = 0; j < num_groups; j++) { + uint16_t ctmp = pgroups[j]; + + if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) + return 1; + } + + return 0; } EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, @@ -988,7 +1002,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { #ifndef OPENSSL_NO_TLS1_3 - uint32_t now, agesec, agems = 0; + uint32_t agesec, agems = 0; size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen; unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; @@ -1045,8 +1059,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, * this in multiple places in the code, so portability shouldn't be an * issue. */ - now = (uint32_t)time(NULL); - agesec = now - (uint32_t)s->session->time; + agesec = (uint32_t)(time(NULL) - s->session->time); /* * We calculate the age in seconds but the server may work in ms. Due to * rounding errors we could overestimate the age by up to 1s. It is diff --git a/crypto/external/bsd/openssl/dist/ssl/statem/extensions_srvr.c b/crypto/external/bsd/openssl/dist/ssl/statem/extensions_srvr.c index 04f64f810640..47541101db50 100644 --- a/crypto/external/bsd/openssl/dist/ssl/statem/extensions_srvr.c +++ b/crypto/external/bsd/openssl/dist/ssl/statem/extensions_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,16 +12,16 @@ #include "statem_local.h" #include "internal/cryptlib.h" -#define COOKIE_STATE_FORMAT_VERSION 0 +#define COOKIE_STATE_FORMAT_VERSION 1 /* * 2 bytes for packet length, 2 bytes for format version, 2 bytes for * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for - * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen, + * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen, * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing. */ -#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \ +#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \ + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH) /* @@ -741,7 +741,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, unsigned char hmac[SHA256_DIGEST_LENGTH]; unsigned char hrr[MAX_HRR_SIZE]; size_t rawlen, hmaclen, hrrlen, ciphlen; - unsigned long tm, now; + uint64_t tm, now; /* Ignore any cookie if we're not set up to verify it */ if (s->ctx->verify_stateless_cookie_cb == NULL @@ -851,7 +851,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, } if (!PACKET_get_1(&cookie, &key_share) - || !PACKET_get_net_4(&cookie, &tm) + || !PACKET_get_net_8(&cookie, &tm) || !PACKET_get_length_prefixed_2(&cookie, &chhash) || !PACKET_get_length_prefixed_1(&cookie, &appcookie) || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) { @@ -861,7 +861,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, } /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */ - now = (unsigned long)time(NULL); + now = time(NULL); if (tm > now || (now - tm) > 600) { /* Cookie is stale. Ignore it */ return 1; @@ -1167,7 +1167,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, s->ext.early_data_ok = 1; s->ext.ticket_expected = 1; } else { - uint32_t ticket_age = 0, now, agesec, agems; + uint32_t ticket_age = 0, agesec, agems; int ret; /* @@ -1209,8 +1209,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, } ticket_age = (uint32_t)ticket_agel; - now = (uint32_t)time(NULL); - agesec = now - (uint32_t)sess->time; + agesec = (uint32_t)(time(NULL) - sess->time); agems = agesec * (uint32_t)1000; ticket_age -= sess->ext.tick_age_add; @@ -1800,7 +1799,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context, &ciphlen) /* Is there a key_share extension present in this HRR? */ || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL) - || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL)) + || !WPACKET_put_bytes_u64(pkt, time(NULL)) || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, diff --git a/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c b/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c index d1a39698124b..d19c44e8d984 100644 --- a/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c +++ b/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1422,6 +1422,11 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) && sversion == TLS1_2_VERSION && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { + if (s->hello_retry_request != SSL_HRR_NONE) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNEXPECTED_MESSAGE); + goto err; + } s->hello_retry_request = SSL_HRR_PENDING; hrr = 1; if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { diff --git a/crypto/external/bsd/openssl/dist/ssl/statem/statem_dtls.c b/crypto/external/bsd/openssl/dist/ssl/statem/statem_dtls.c index 8e3fb686ee27..8fe6cea72359 100644 --- a/crypto/external/bsd/openssl/dist/ssl/statem/statem_dtls.c +++ b/crypto/external/bsd/openssl/dist/ssl/statem/statem_dtls.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -218,8 +218,8 @@ int dtls1_do_write(SSL *s, int type) else len = s->init_num; - if (len > s->max_send_fragment) - len = s->max_send_fragment; + if (len > ssl_get_max_send_fragment(s)) + len = ssl_get_max_send_fragment(s); /* * XDTLS: this function is too long. split out the CCS part @@ -241,7 +241,7 @@ int dtls1_do_write(SSL *s, int type) ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len, &written); - if (ret < 0) { + if (ret <= 0) { /* * might need to update MTU here, but we don't know which * previous packet caused the failure -- so can't really diff --git a/crypto/external/bsd/openssl/dist/ssl/statem/statem_srvr.c b/crypto/external/bsd/openssl/dist/ssl/statem/statem_srvr.c index d701c46b43b5..43f77a58992f 100644 --- a/crypto/external/bsd/openssl/dist/ssl/statem/statem_srvr.c +++ b/crypto/external/bsd/openssl/dist/ssl/statem/statem_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -3820,15 +3820,24 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt) static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add, unsigned char *tick_nonce) { + uint32_t timeout = (uint32_t)s->session->timeout; + /* - * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this - * unspecified for resumed session (for simplicity). + * Ticket lifetime hint: * In TLSv1.3 we reset the "time" field above, and always specify the - * timeout. + * timeout, limited to a 1 week period per RFC8446. + * For TLSv1.2 this is advisory only and we leave this unspecified for + * resumed session (for simplicity). */ - if (!WPACKET_put_bytes_u32(pkt, - (s->hit && !SSL_IS_TLS13(s)) - ? 0 : s->session->timeout)) { +#define ONE_WEEK_SEC (7 * 24 * 60 * 60) + + if (SSL_IS_TLS13(s)) { + if (s->session->timeout > ONE_WEEK_SEC) + timeout = ONE_WEEK_SEC; + } else if (s->hit) + timeout = 0; + + if (!WPACKET_put_bytes_u32(pkt, timeout)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL, ERR_R_INTERNAL_ERROR); return 0; diff --git a/crypto/external/bsd/openssl/dist/ssl/t1_enc.c b/crypto/external/bsd/openssl/dist/ssl/t1_enc.c index c85c0b0310e1..f8e53d4efc79 100644 --- a/crypto/external/bsd/openssl/dist/ssl/t1_enc.c +++ b/crypto/external/bsd/openssl/dist/ssl/t1_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -672,6 +672,8 @@ int tls1_alert_code(int code) return TLS1_AD_NO_APPLICATION_PROTOCOL; case SSL_AD_CERTIFICATE_REQUIRED: return SSL_AD_HANDSHAKE_FAILURE; + case SSL_AD_MISSING_EXTENSION: + return SSL_AD_HANDSHAKE_FAILURE; default: return -1; } diff --git a/crypto/external/bsd/openssl/dist/ssl/t1_lib.c b/crypto/external/bsd/openssl/dist/ssl/t1_lib.c index b1d3add18743..5f657f888e0d 100644 --- a/crypto/external/bsd/openssl/dist/ssl/t1_lib.c +++ b/crypto/external/bsd/openssl/dist/ssl/t1_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -2369,22 +2369,20 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, ca_dn = s->s3->tmp.peer_ca_names; - if (!sk_X509_NAME_num(ca_dn)) + if (ca_dn == NULL + || sk_X509_NAME_num(ca_dn) == 0 + || ssl_check_ca_name(ca_dn, x)) rv |= CERT_PKEY_ISSUER_NAME; - - if (!(rv & CERT_PKEY_ISSUER_NAME)) { - if (ssl_check_ca_name(ca_dn, x)) - rv |= CERT_PKEY_ISSUER_NAME; - } - if (!(rv & CERT_PKEY_ISSUER_NAME)) { + else for (i = 0; i < sk_X509_num(chain); i++) { X509 *xtmp = sk_X509_value(chain, i); + if (ssl_check_ca_name(ca_dn, xtmp)) { rv |= CERT_PKEY_ISSUER_NAME; break; } } - } + if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) goto end; } else @@ -2555,6 +2553,8 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) int rv, start_idx, i; if (x == NULL) { x = sk_X509_value(sk, 0); + if (x == NULL) + return ERR_R_INTERNAL_ERROR; start_idx = 1; } else start_idx = 0; diff --git a/crypto/external/bsd/openssl/dist/ssl/tls13_enc.c b/crypto/external/bsd/openssl/dist/ssl/tls13_enc.c index b8fb07f210ef..ff85df4483f7 100644 --- a/crypto/external/bsd/openssl/dist/ssl/tls13_enc.c +++ b/crypto/external/bsd/openssl/dist/ssl/tls13_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -190,6 +190,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, if (!ossl_assert(mdleni >= 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, ERR_R_INTERNAL_ERROR); + EVP_PKEY_CTX_free(pctx); return 0; } mdlen = (size_t)mdleni; diff --git a/crypto/external/bsd/openssl/dist/test/certs/ee-ed25519.pem b/crypto/external/bsd/openssl/dist/test/certs/ee-ed25519.pem index 3f4b5b2ac79d..559179d018f7 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/ee-ed25519.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/ee-ed25519.pem @@ -1,9 +1,38 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6197312946105598768 (0x5601474a2a8dc330) + Signature Algorithm: ED25519 + Issuer: CN = IETF Test Demo + Validity + Not Before: Aug 1 12:19:24 2016 GMT + Not After : Nov 11 16:34:03 2121 GMT + Subject: CN = IETF Test Demo + Subject Public Key Info: + Public Key Algorithm: X25519 + X25519 Public-Key: + pub: + 85:20:f0:09:89:30:a7:54:74:8b:7d:dc:b4:3e:f7: + 5a:0d:bf:3a:0d:26:38:1a:f4:eb:a4:a9:8e:aa:9b: + 4e:6a + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: + Key Agreement + X509v3 Subject Key Identifier: + 9B:1F:5E:ED:ED:04:33:85:E4:F7:BC:62:3C:59:75:B9:0B:C8:BB:3B + Signature Algorithm: ED25519 + 72:b4:22:9c:d5:7b:85:10:ff:7c:28:59:e5:bb:1e:e8:b6:5f: + 74:39:94:dd:2f:8a:3d:6c:f3:23:28:d1:5e:3c:d1:56:e7:0a: + ea:99:ff:62:5c:48:0f:1c:24:24:35:98:1a:bb:ae:96:b9:93: + b3:cb:8e:45:e3:c0:ef:2e:5c:07 -----BEGIN CERTIFICATE----- -MIIBLDCB36ADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBUZX -N0IERlbW8wHhcNMTYwODAxMTIxOTI0WhcNNDAxMjMxMjM1OTU5WjAZMRcwFQYDVQQD -DA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlbgMhAIUg8AmJMKdUdIt93LQ+91oNvzoNJj -ga9OukqY6qm05qo0UwQzAPBgNVHRMBAf8EBTADAQEAMA4GA1UdDwEBAAQEAwIDCDAg -BgNVHQ4BAQAEFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBQYDK2VwA0EAryMB/t3J5v -/BzKc9dNZIpDmAgs3babFOTQbs+BolzlDUwsPrdGxO3YNGhW7Ibz3OGhhlxXrCe1Cg -w1AH9efZBw== +MIIBLjCB4aADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBU +ZXN0IERlbW8wIBcNMTYwODAxMTIxOTI0WhgPMjEyMTExMTExNjM0MDNaMBkxFzAV +BgNVBAMMDklFVEYgVGVzdCBEZW1vMCowBQYDK2VuAyEAhSDwCYkwp1R0i33ctD73 +Wg2/Og0mOBr066SpjqqbTmqjRTBDMA8GA1UdEwEB/wQFMAMBAQAwDgYDVR0PAQEA +BAQDAgMIMCAGA1UdDgEBAAQWBBSbH17t7QQzheT3vGI8WXW5C8i7OzAFBgMrZXAD +QQBytCKc1XuFEP98KFnlux7otl90OZTdL4o9bPMjKNFePNFW5wrqmf9iXEgPHCQk +NZgau66WuZOzy45F48DvLlwH -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1-key.pem b/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1-key.pem index e3e66d55c510..28dd206dbe8d 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1-key.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1-key.pem @@ -1,15 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k -WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X -EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB -AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g -PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf -flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU -X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ -pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA -b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt -9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR -83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs -n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ -1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ== +MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw +XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT +48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ +b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L +eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG +a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm +tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf +3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r +zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF +nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ +XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw +ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ +S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi +BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3 +2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn +MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU +JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn +j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA +jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu +ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk +3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P +o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI +fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1 +5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP +RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4= -----END RSA PRIVATE KEY----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1.pem b/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1.pem index d1e85120a043..d2a111fb8235 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1.pem @@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk +MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX -YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw -MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu -c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G -CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/ -BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk -EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw -FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q -Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD -VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w -DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK -BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L -vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw -KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG -SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE -oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr -5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg +YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy +NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK +/RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE +FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI +0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I +QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S +wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB +CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I +Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD +ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI +/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB +u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ +BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR +RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1 +IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W +YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw== -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1.sct b/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1.sct index 59362dcee1f4..35c9eb9e3bed 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1.sct +++ b/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1.sct @@ -2,11 +2,11 @@ Signed Certificate Timestamp: Version : v1 (0x0) Log ID : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C: 79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64 - Timestamp : Apr 5 17:04:16.275 2013 GMT + Timestamp : Jan 1 00:00:00.000 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 - 30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F: - D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3: - E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2: - F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1: - 05:51:9D:89:ED:BF:08 \ No newline at end of file + 30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A: + D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4: + BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F: + 02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7: + 60:EB:A8:AF:03:5E:C3 \ No newline at end of file diff --git a/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1_issuer-key.pem b/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1_issuer-key.pem new file mode 100644 index 000000000000..9326e38b1eb7 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1_issuer-key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7jHbrkVfT0PtLO1FuzsvR +yY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjPKDHM5nugSlojgZ88ujfm +JNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnLsvfP34b7arnRsQIDAQAB +AoGAJLR6xEJp+5IXRFlLn7WTkFvO0ddtxJ7bXhiIkTctyruyfqp7LF9Jv1G2m3PK +QPUtBc73w/GYkfnwIwdfJbOmPHL7XyEGHZYmEXgIgEtw6LXvAv0G5JpUnNwsSBfL +GfSQqI5Z5ytyzlJXkMcTGA2kTgNAYc73h4EnU+pwUnDPdAECQQD2aj+4LtYk1XPq +r3gjgI6MoGvgYJfPmAtZhxxVbhXQKciFUCAcBiwlQdHIdLWE9j65ctmZRWidKifr +4O4nz+TBAkEA3djNW/rTQq5fKZy+mCF1WYnIU/3yhJaptzRqLm7AHqe7+hdrGXJw ++mCtU8T3L/Ms8bH1yFBZhmkp1PbR8gl48QJAQo70YyWThiN5yfxXcQ96cZWrTdIJ +b3NcLXSHPLQdhDqlBQ1dfvRT3ERpC8IqfZ2d162kBPhwh3MpkVcSPQK0gQJAC/dY +xGBYKt2a9nSk9zG+0bCT5Kvq++ngh6hFHfINXNnxUsEWns3EeEzkrIMQTj7QqszN +lBt5aL2dawZRNrv6EQJBAOo4STF9KEwQG0HLC/ryh1FeB0OBA5yIepXze+eJVKei +T0cCECOQJKfWHEzYJYDJhyEFF/sYp9TXwKSDjOifrsU= +-----END RSA PRIVATE KEY----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1_issuer.pem b/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1_issuer.pem index 1fa449d5a098..6aa9455f09ed 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1_issuer.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/embeddedSCTs1_issuer.pem @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk +MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX -YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw -MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu -c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf -MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7 -jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP -KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL -svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk -tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG -A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO -MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB -/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt -OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy -f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP -OwqULg== +YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw +ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy +YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w +gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG +0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4 +SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG +acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw +wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw +CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB +MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq ++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo +2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c +Doud4XrO -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/root-ed25519.pem b/crypto/external/bsd/openssl/dist/test/certs/root-ed25519.pem index e509d540110f..44077801ed3d 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/root-ed25519.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/root-ed25519.pem @@ -1,9 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 84:f1:08:3d:1c:e3:2d:95 + Signature Algorithm: ED25519 + Issuer: CN = IETF Test Demo + Validity + Not Before: Apr 19 21:36:39 2017 GMT + Not After : Nov 11 15:37:05 2122 GMT + Subject: CN = IETF Test Demo + Subject Public Key Info: + Public Key Algorithm: ED25519 + ED25519 Public-Key: + pub: + 19:bf:44:09:69:84:cd:fe:85:41:ba:c1:67:dc:3b: + 96:c8:50:86:aa:30:b6:b6:cb:0c:5c:38:ad:70:31: + 66:e1 + X509v3 extensions: + X509v3 Subject Key Identifier: + A2:8C:C1:F8:6E:59:60:D3:E0:3A:E7:5C:96:2C:97:A8:D4:48:29:3C + X509v3 Authority Key Identifier: + keyid:A2:8C:C1:F8:6E:59:60:D3:E0:3A:E7:5C:96:2C:97:A8:D4:48:29:3C + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: ED25519 + 08:f9:fc:49:37:0c:03:64:ed:90:70:89:eb:f1:69:ca:75:3b: + 71:15:8f:eb:80:45:00:db:88:9b:66:46:9c:a4:e1:50:c5:59: + 43:98:66:37:6d:b7:59:51:5d:b4:9d:1d:89:25:b4:f6:87:43: + b7:d3:3b:85:b9:8e:e1:a8:46:04 -----BEGIN CERTIFICATE----- -MIIBODCB66ADAgECAgkAhPEIPRzjLZUwBQYDK2VwMBkxFzAVBgNVBAMMDklFVEYg -VGVzdCBEZW1vMB4XDTE3MDQxOTIxMzYzOVoXDTQxMDIxMjIxMzYzOVowGTEXMBUG -A1UEAwwOSUVURiBUZXN0IERlbW8wKjAFBgMrZXADIQAZv0QJaYTN/oVBusFn3DuW -yFCGqjC2tssMXDitcDFm4aNQME4wHQYDVR0OBBYEFKKMwfhuWWDT4DrnXJYsl6jU -SCk8MB8GA1UdIwQYMBaAFKKMwfhuWWDT4DrnXJYsl6jUSCk8MAwGA1UdEwQFMAMB -Af8wBQYDK2VwA0EAa6iEoQZBWB1MhCzASv5HuFM7fR5Nz2/KM7GxYjQWsfvK2Ds1 -jaPSG7Lx4uywIndMafp5CoPoFr6yLBkt+NZLAg== +MIIBOjCB7aADAgECAgkAhPEIPRzjLZUwBQYDK2VwMBkxFzAVBgNVBAMMDklFVEYg +VGVzdCBEZW1vMCAXDTE3MDQxOTIxMzYzOVoYDzIxMjIxMTExMTUzNzA1WjAZMRcw +FQYDVQQDDA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlcAMhABm/RAlphM3+hUG6wWfc +O5bIUIaqMLa2ywxcOK1wMWbho1AwTjAdBgNVHQ4EFgQUoozB+G5ZYNPgOudcliyX +qNRIKTwwHwYDVR0jBBgwFoAUoozB+G5ZYNPgOudcliyXqNRIKTwwDAYDVR0TBAUw +AwEB/zAFBgMrZXADQQAI+fxJNwwDZO2QcInr8WnKdTtxFY/rgEUA24ibZkacpOFQ +xVlDmGY3bbdZUV20nR2JJbT2h0O30zuFuY7hqEYE -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/rootCA.pem b/crypto/external/bsd/openssl/dist/test/certs/rootCA.pem index ef73d001b677..c2abbf8a58a5 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/rootCA.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/rootCA.pem @@ -1,21 +1,79 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 88:43:29:cb:c2:eb:15:9a + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = rootCA + Validity + Not Before: Jul 2 13:15:11 2015 GMT + Not After : Jul 2 17:50:05 2122 GMT + Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = rootCA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c0:f1:6b:77:88:ac:35:df:fb:73:53:2f:92:80: + 2f:74:16:32:4d:f5:10:20:6f:6c:3a:8e:d1:dc:6b: + e1:2e:3e:c3:04:0f:bf:9b:c4:c9:12:d1:e4:0b:45: + 97:e5:06:cd:66:3a:e1:e0:e2:2b:df:a2:c4:ec:7b: + d3:3d:3c:8a:ff:5e:74:a0:ab:a7:03:6a:16:5b:5e: + 92:c4:7e:5b:79:8a:69:d4:bc:83:5e:ae:42:92:74: + a5:2b:e7:00:c1:a9:dc:d5:b1:53:07:0f:73:f7:8e: + ad:14:3e:25:9e:e5:1e:e6:cc:91:cd:95:0c:80:44: + 20:c3:fd:17:cf:91:3d:63:10:1c:14:5b:fb:c3:a8: + c1:88:b2:77:ff:9c:db:fc:6a:44:44:44:f7:85:ec: + 08:2c:d4:df:81:a3:79:c9:fe:1e:9b:93:16:53:b7: + 97:ab:be:4f:1a:a5:e2:fa:46:05:e4:0d:9c:2a:a4: + cc:b9:1e:21:a0:6c:c4:ab:59:b0:40:39:bb:f9:88: + ad:fd:df:8d:b4:0b:af:7e:41:e0:21:3c:c8:33:45: + 49:84:2f:93:06:ee:fd:4f:ed:4f:f3:bc:9b:de:fc: + 25:5e:55:d5:75:d4:c5:7b:3a:40:35:06:9f:c4:84: + b4:6c:93:0c:af:37:5a:af:b6:41:4d:26:23:1c:b8: + 02:b3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 85:56:89:35:E2:9F:00:1A:E1:86:03:0B:4B:AF:76:12:6B:33:6D:FD + X509v3 Authority Key Identifier: + keyid:85:56:89:35:E2:9F:00:1A:E1:86:03:0B:4B:AF:76:12:6B:33:6D:FD + + Signature Algorithm: sha256WithRSAEncryption + b9:5c:c3:39:31:e9:c1:63:f9:f1:29:2c:c6:84:80:ed:33:e5: + 72:3c:2c:e8:93:1f:07:03:65:cd:bb:04:ed:10:29:00:5f:ea: + 91:08:19:df:10:88:e9:00:5c:2e:eb:b5:af:98:70:c8:c4:8b: + 53:c4:26:c5:a1:d8:46:b9:9f:7d:48:e0:26:74:2c:61:b8:c1: + 89:06:b6:e5:b5:ba:6b:75:2b:16:ad:ca:88:26:25:73:9b:15: + 22:59:6a:94:dc:61:34:88:28:58:9f:de:fd:71:1e:37:af:90: + 74:7b:cf:bb:93:1c:73:24:15:26:7a:33:8c:5d:5b:81:97:14: + 62:01:7e:17:76:fb:aa:7a:4d:ed:81:2b:bd:d9:f3:12:69:86: + 01:b3:91:0a:8d:6b:bd:71:41:a9:93:63:c2:a1:ab:0d:48:05: + 99:7d:9e:a2:a4:ac:9f:73:0d:5b:5c:05:3a:52:64:fe:17:79: + 2a:27:51:d7:5b:af:dc:10:d5:23:6b:2c:62:51:00:c9:67:17: + 2d:29:a3:21:88:fd:14:48:0d:99:8c:d8:f8:c8:c7:ec:d2:83: + 3d:ba:d4:94:7b:df:39:61:4b:e3:7c:b9:ea:77:09:01:bc:ec: + db:1c:fa:42:1b:6d:1d:b1:51:5f:e4:87:dd:41:24:00:a2:52: + e0:1a:c0:1c -----BEGIN CERTIFICATE----- -MIIDfzCCAmegAwIBAgIJAIhDKcvC6xWaMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +MIIDgTCCAmmgAwIBAgIJAIhDKcvC6xWaMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX -aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE1MTFa -Fw0zNTA3MDIxMzE1MTFaMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0 -YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMM -BnJvb3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMDxa3eIrDXf -+3NTL5KAL3QWMk31ECBvbDqO0dxr4S4+wwQPv5vEyRLR5AtFl+UGzWY64eDiK9+i -xOx70z08iv9edKCrpwNqFlteksR+W3mKadS8g16uQpJ0pSvnAMGp3NWxUwcPc/eO -rRQ+JZ7lHubMkc2VDIBEIMP9F8+RPWMQHBRb+8OowYiyd/+c2/xqRERE94XsCCzU -34Gjecn+HpuTFlO3l6u+Txql4vpGBeQNnCqkzLkeIaBsxKtZsEA5u/mIrf3fjbQL -r35B4CE8yDNFSYQvkwbu/U/tT/O8m978JV5V1XXUxXs6QDUGn8SEtGyTDK83Wq+2 -QU0mIxy4ArMCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUhVaJNeKf -ABrhhgMLS692Emszbf0wHwYDVR0jBBgwFoAUhVaJNeKfABrhhgMLS692Emszbf0w -DQYJKoZIhvcNAQELBQADggEBADIKvyoK4rtPQ86I2lo5EDeAuzctXi2I3SZpnOe0 -mCCxJeZhWW0S7JuHvlfhEgXFBPEXzhS4HJLUlZUsWyiJ+3KcINMygaiF7MgIe6hZ -WzpsMatS4mbNFElc89M+YryRFrQc9d1Uqjxhl3ms5MhDNcMP/PNwHa/wnIoqkpNI -qtDoR741wcZ7bdr6XVdF8+pBjzbBPPRSf24x3bqavHBWcTjcSVcM/ZEXxeqH5SN0 -GbK2mQxrogX4UWjtl+DfYvl+ejpEcYNXKEmIabUUHtpG42544cuPtZizLW5bt/aT -JBQfpPZpvf9MUlACxUONFOLQdZ8SXpSJ0e93iX2J2Z52mSQ= +aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAgFw0xNTA3MDIxMzE1MTFa +GA8yMTIyMDcwMjE3NTAwNVowVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUt +U3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UE +AwwGcm9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPFrd4is +Nd/7c1MvkoAvdBYyTfUQIG9sOo7R3GvhLj7DBA+/m8TJEtHkC0WX5QbNZjrh4OIr +36LE7HvTPTyK/150oKunA2oWW16SxH5beYpp1LyDXq5CknSlK+cAwanc1bFTBw9z +946tFD4lnuUe5syRzZUMgEQgw/0Xz5E9YxAcFFv7w6jBiLJ3/5zb/GpERET3hewI +LNTfgaN5yf4em5MWU7eXq75PGqXi+kYF5A2cKqTMuR4hoGzEq1mwQDm7+Yit/d+N +tAuvfkHgITzIM0VJhC+TBu79T+1P87yb3vwlXlXVddTFezpANQafxIS0bJMMrzda +r7ZBTSYjHLgCswIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBSFVok1 +4p8AGuGGAwtLr3YSazNt/TAfBgNVHSMEGDAWgBSFVok14p8AGuGGAwtLr3YSazNt +/TANBgkqhkiG9w0BAQsFAAOCAQEAuVzDOTHpwWP58SksxoSA7TPlcjws6JMfBwNl +zbsE7RApAF/qkQgZ3xCI6QBcLuu1r5hwyMSLU8QmxaHYRrmffUjgJnQsYbjBiQa2 +5bW6a3UrFq3KiCYlc5sVIllqlNxhNIgoWJ/e/XEeN6+QdHvPu5MccyQVJnozjF1b +gZcUYgF+F3b7qnpN7YErvdnzEmmGAbORCo1rvXFBqZNjwqGrDUgFmX2eoqSsn3MN +W1wFOlJk/hd5KidR11uv3BDVI2ssYlEAyWcXLSmjIYj9FEgNmYzY+MjH7NKDPbrU +lHvfOWFL43y56ncJAbzs2xz6QhttHbFRX+SH3UEkAKJS4BrAHA== -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/ct_test.c b/crypto/external/bsd/openssl/dist/test/ct_test.c index 78d11ca98cf7..84f6bedddc83 100644 --- a/crypto/external/bsd/openssl/dist/test/ct_test.c +++ b/crypto/external/bsd/openssl/dist/test/ct_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -63,7 +63,7 @@ static CT_TEST_FIXTURE *set_up(const char *const test_case_name) if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) goto end; fixture->test_case_name = test_case_name; - fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */ + fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */ if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new()) || !TEST_int_eq( CTLOG_STORE_load_default_file(fixture->ctlog_store), 1)) diff --git a/crypto/external/bsd/openssl/dist/test/dtls_mtu_test.c b/crypto/external/bsd/openssl/dist/test/dtls_mtu_test.c index f20edf02d2f5..62b44be74297 100644 --- a/crypto/external/bsd/openssl/dist/test/dtls_mtu_test.c +++ b/crypto/external/bsd/openssl/dist/test/dtls_mtu_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -185,12 +185,58 @@ static int run_mtu_tests(void) end: SSL_CTX_free(ctx); - bio_s_mempacket_test_free(); return ret; } +static int test_server_mtu_larger_than_max_fragment_length(void) +{ + SSL_CTX *ctx = NULL; + SSL *srvr_ssl = NULL, *clnt_ssl = NULL; + int rv = 0; + + if (!TEST_ptr(ctx = SSL_CTX_new(DTLS_method()))) + goto end; + + SSL_CTX_set_psk_server_callback(ctx, srvr_psk_callback); + SSL_CTX_set_psk_client_callback(ctx, clnt_psk_callback); + +#ifndef OPENSSL_NO_DH + if (!TEST_true(SSL_CTX_set_dh_auto(ctx, 1))) + goto end; +#endif + + if (!TEST_true(create_ssl_objects(ctx, ctx, &srvr_ssl, &clnt_ssl, + NULL, NULL))) + goto end; + + SSL_set_options(srvr_ssl, SSL_OP_NO_QUERY_MTU); + if (!TEST_true(DTLS_set_link_mtu(srvr_ssl, 1500))) + goto end; + + SSL_set_tlsext_max_fragment_length(clnt_ssl, + TLSEXT_max_fragment_length_512); + + if (!TEST_true(create_ssl_connection(srvr_ssl, clnt_ssl, + SSL_ERROR_NONE))) + goto end; + + rv = 1; + + end: + SSL_free(clnt_ssl); + SSL_free(srvr_ssl); + SSL_CTX_free(ctx); + return rv; +} + int setup_tests(void) { ADD_TEST(run_mtu_tests); + ADD_TEST(test_server_mtu_larger_than_max_fragment_length); return 1; } + +void cleanup_tests(void) +{ + bio_s_mempacket_test_free(); +} diff --git a/crypto/external/bsd/openssl/dist/test/dtlstest.c b/crypto/external/bsd/openssl/dist/test/dtlstest.c index 1d7b105fb6ac..59b257db368c 100644 --- a/crypto/external/bsd/openssl/dist/test/dtlstest.c +++ b/crypto/external/bsd/openssl/dist/test/dtlstest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -328,6 +328,93 @@ static int test_dtls_duplicate_records(void) return testresult; } +/* + * Test that swapping an app data record so that it is received before the + * Finished message still works. + */ +static int test_swap_app_data(void) +{ + SSL_CTX *sctx = NULL, *cctx = NULL; + SSL *sssl = NULL, *cssl = NULL; + int testresult = 0; + BIO *bio; + char msg[] = { 0x00, 0x01, 0x02, 0x03 }; + char buf[10]; + + if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), + DTLS_client_method(), + DTLS1_VERSION, 0, + &sctx, &cctx, cert, privkey))) + return 0; + +#ifndef OPENSSL_NO_DTLS1_2 + if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA"))) + goto end; +#else + /* Default sigalgs are SHA1 based in priv_key), 1)) + goto err; + + /* Test compliance with legacy behavior for NULL private keys */ + if (!TEST_int_eq(EC_KEY_set_private_key(key, NULL), 0) + || !TEST_ptr_null(key->priv_key)) + goto err; + + testresult = 1; + + err: + EC_KEY_free(key); + EC_KEY_free(aux_key); + return testresult; +} + /* * Tests behavior of the decoded_from_explicit_params flag and API */ @@ -337,6 +370,7 @@ int setup_tests(void) ADD_TEST(field_tests_ec2_simple); #endif ADD_ALL_TESTS(field_tests_default, crv_len); + ADD_TEST(set_private_key); ADD_TEST(decoded_flag_test); ADD_ALL_TESTS(ecpkparams_i2d2i_test, crv_len); diff --git a/crypto/external/bsd/openssl/dist/test/exptest.c b/crypto/external/bsd/openssl/dist/test/exptest.c index cde4d6bc4548..b7098713470e 100644 --- a/crypto/external/bsd/openssl/dist/test/exptest.c +++ b/crypto/external/bsd/openssl/dist/test/exptest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -49,7 +49,8 @@ static int test_mod_exp_zero(void) BIGNUM *r = NULL; BN_ULONG one_word = 1; BN_CTX *ctx = BN_CTX_new(); - int ret = 1, failed = 0; + int ret = 0, failed = 0; + BN_MONT_CTX *mont = NULL; if (!TEST_ptr(m = BN_new()) || !TEST_ptr(a = BN_new()) @@ -94,6 +95,33 @@ static int test_mod_exp_zero(void) if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a))) failed = 1; + if (!TEST_ptr(mont = BN_MONT_CTX_new())) + goto err; + + ERR_set_mark(); + /* mont is not set but passed in */ + if (!TEST_false(BN_mod_exp_mont_consttime(r, p, a, m, ctx, mont))) + goto err; + if (!TEST_false(BN_mod_exp_mont(r, p, a, m, ctx, mont))) + goto err; + ERR_pop_to_mark(); + + if (!TEST_true(BN_MONT_CTX_set(mont, m, ctx))) + goto err; + + /* we compute 0 ** a mod 1 here, to execute code that uses mont */ + if (!TEST_true(BN_mod_exp_mont_consttime(r, p, a, m, ctx, mont))) + goto err; + + if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a))) + failed = 1; + + if (!TEST_true(BN_mod_exp_mont(r, p, a, m, ctx, mont))) + goto err; + + if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont", r, a))) + failed = 1; + /* * A different codepath exists for single word multiplication * in non-constant-time only. @@ -114,6 +142,7 @@ static int test_mod_exp_zero(void) BN_free(a); BN_free(p); BN_free(m); + BN_MONT_CTX_free(mont); BN_CTX_free(ctx); return ret; diff --git a/crypto/external/bsd/openssl/dist/test/pemtest.c b/crypto/external/bsd/openssl/dist/test/pemtest.c index 3203d976be76..ba10824bf94b 100644 --- a/crypto/external/bsd/openssl/dist/test/pemtest.c +++ b/crypto/external/bsd/openssl/dist/test/pemtest.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -83,9 +83,39 @@ static int test_invalid(void) return 1; } +static int test_empty_payload(void) +{ + BIO *b; + static char *emptypay = + "-----BEGIN CERTIFICATE-----\n" + "-\n" /* Base64 EOF character */ + "-----END CERTIFICATE-----"; + char *name = NULL, *header = NULL; + unsigned char *data = NULL; + long len; + int ret = 0; + + b = BIO_new_mem_buf(emptypay, strlen(emptypay)); + if (!TEST_ptr(b)) + return 0; + + /* Expected to fail because the payload is empty */ + if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0))) + goto err; + + ret = 1; + err: + OPENSSL_free(name); + OPENSSL_free(header); + OPENSSL_free(data); + BIO_free(b); + return ret; +} + int setup_tests(void) { ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data)); ADD_TEST(test_invalid); + ADD_TEST(test_empty_payload); return 1; } diff --git a/crypto/external/bsd/openssl/dist/test/recipes/10-test_bn_data/bnmod.txt b/crypto/external/bsd/openssl/dist/test/recipes/10-test_bn_data/bnmod.txt index 6c94a0f02524..edde03bd6294 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/10-test_bn_data/bnmod.txt +++ b/crypto/external/bsd/openssl/dist/test/recipes/10-test_bn_data/bnmod.txt @@ -2474,6 +2474,71 @@ A = 9025e6183706105e948b1b0edf922f9011b9e11887d70adb00b26f272b9e76a38f3099084d9c E = d7e6df5d755284929b986cd9b61c9c2c8843f24c711fbdbae1a468edcae159400943725570726cdc92b3ea94f9f206729516fdda83e31d815b0c7720e7598a91d992273e3bd8ac413b441d8f1dfe5aa7c3bf3ef573adc38292676217467731e6cf440a59611b8110af88d3e62f60209b513b01fbb69a097458ad02096b5e38f0 M = e4e784aa1fa88625a43ba0185a153a929663920be7fe674a4d33c943d3b898cff051482e7050a070cede53be5e89f31515772c7aea637576f99f82708f89d9e244f6ad3a24a02cbe5c0ff7bcf2dad5491f53db7c3f2698a7c41b44f086652f17bb05fe4c5c0a92433c34086b49d7e1825b28bab6c5a9bd0bc95b53d659afa0d7 +# The following inputs trigger an edge case between Montgomery reduction and the +# "almost" reduction variant from https://eprint.iacr.org/2011/239 +ModExp = 00 +A = 19c7bc9b97c6083cd7b8d1cd001452c9b67983247169c6532047eb7fc8933014dbf69fee7a358769f1429802c8ea89d4f9ca6ba6f368fbdb1fa5717b4a00 +E = bbc7e09147408571050e8d0c634682c5863b7e8a573626648902cff12e590c74f5a23ecce39732266bc15b8afbd6c48a48c83fbdc33947515cc0b6e4fb98ae2cd730e58f951fec8be7e2e3c74f4506c7fd7e29bdb28675fe8a59789ab1148e931a2ebd2d36f78bc241682a3d8083d8ff538858cd240c5a693936e5a391dc9d77118062a3f868c058440a4192267faaaba91112f45eee5842060febbf9353a6d3e7f7996573209136a5506062ea23d74067f08c613f3ff74bade25f8c3368e6dba84eae672eac11be1137fc514924fcab8c82e46d092bd047dcbadaa48c67a096ec1a04f392a8511e6acbad9954949b703e71ff837337b594055ae6f3c0fc154447a687c9ac8a2cdfd64a2e680c6ff21254735af7f5eb6b43f0bce86bda55a04143a991711081435ed4f4a89b23fc3a588022b7a8543db4bf5c8ac93603367c750ff2191f59a716340fab49bb7544759c8d846465eec1438e76395f73e7b5e945f31f1b87fefa854a0d208846eaab5fa27144fd039911608bab0eaee80f1d3553dfa2d9ba95268479b97a059613660df5ad79796e0b272244aca90ccc13449ec15c206eeed7b60405a4c5cfdf5da5d136c27fa9385d810ad198dfe794ffce9955e10520efea1e2eb794e379401b9affd863b9566ce941c4726755574a1b1946acf0090bfb93f37dd55f524485bbba7fa84b53addfde01ae1de9c57fe50d4b708dd0fa45d02af398b3d05c6d17f84c11e9aacdbe0b146cad6ddbd877731e26a17f3ebed459560d12ed7a6abc2ea6fe922e69d2622ef11b6b245b9ba8f0940faaa671a4beb727be5393a94dafaeff7221b29183e7418f4c5bb95a6a586c93dbc8ce0236d9dbe26c40513611b4141fed66599adbfb20fc30e09a4815e4159f65a6708f34584a7a77b3843941cd61a6917dcc3d07a3dfb5a2cb108bacea7e782f2111b4d22ecaaeff469ecd0da371df1ac5e9bf6df6ccba2d3a9f393d597499eaca2c206bfb81c3426c5fe45bcf16e38aecd246a319a1f37041c638b75a4839517e43a6d01bee7d85eaeedbce13cd15699d3ee42c7414cfed576590e4fb6ddb6edd3e1957efaf039bfe8b9dc75869b1f93abff15cae8b234161070fa3542303c2ed35ca66083d0ac299b81182317a2a3985269602b1fa1e822fcbda48e686d80b273f06b0a702ca7f42cbbbd2fc2b3601422c8bff6302eda3c61b293049636002649b16f3c1f0be2b6599d66493a4497cd795b10a2ab8220fafad24fa90e1bfcf39ecce337e705695c7a224bf9f445a287d6aab221341659ca4be7861f6ac4c9d33dac811e6 +M = 519b6e57781d40d897ec0c1b648d195526726b295438c9a70928ac25979563d72db91c8c42298a33b572edecdf40904c68a23337aa5341b56e92b0da5041 + +# To fully exercise BN_mod_exp_mont_consttime codepaths, we generate inputs at +# different bitwidths. rsaz-avx2.pl only runs at 1024-bit moduli, and +# x86_64-mont5.pl unrolls 8 64-bit words at a time, so we want to capture both +# multiples of 512- and non-multiples. Also include moduli that are not quite a +# full word. +# 512-bit +ModExp = 00 +A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 8f42c9e9e351ba9b32ab0cf69da43f4acf7028d19cff6e5059ea0e3fcc97c97f36a31470044737d4c0c933ac441ecb29e32c81401523afdac7de9c3fd8493c97 + +# 1024-bit +ModExp = 00 +A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 9da8dc26fdf4d2e49833b240ee552beb7a6e251caa91bfb5d6cafaf8ed9461877fda8f6ac299036d35806bc1ae7872e54eaac1ec6bee6d02c6621a9cf8883b3abc33c49b3e601203e0e86ef8f0562412cc689ee2670704583909ca6d7774c9f9f9f4d77d37fedef9cb51d207cb629ec02fa03b526fd6594bfa8f2da71238a0b7 + +# 1025-bit +ModExp = 00 +A = 010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011 +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 010223abfdda02e84e11cec8ee7fc784fa135733935f7b9054bb70f1f06d234d76dcf3beed55c7f39e955dc1fef2b65009240fd02f7a1b27a78fc2867144bf666efb929856db9f671c356c4c67a068a70fe83c52eebda03668872fd270d0794f0771d217fb6b93b12529a944f7f0496a9158757c55b8ee14f803f1d2d887e2f561 + +# 1088-bit +ModExp = 00 +A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003d +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = e91f6d748773cb212a23aa348125615123b1800c9ea222c9374c757702ae4140fa333790ed8f6bf60a1d7dda65c2767cc5f33e32e333d19fbfb5a2b85795757c9ca070268763a618e9d33873d28a89bf88acd209efbb15b80cd33b92a6b3a682e1c91782fc24fb86ddff4f809219c977b54b99359094bbcc51dfe17b992ab24b74a17950ad754281 + +# 1472-bit +ModExp = 00 +A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = a8770362f4bfe4fc1ab0e52705c11a9b6ba235d5a5f22197c2d68e27ed18426ede3316af706aa79bcf943dbd51459eb15ae1f9386216b3f3a847f94440a65b97659bc5ba2adb67173714ecaa886c0b926d7a64ea45576f9d2171784ce7e801724d5b0abfd93357d538ea7ad3ad89a74f4660bdb66dfb5f684dcf00402e3cdf0ab58afd867c943c8f47b80268a789456aa7c50a619dd2f9f5e3f74b5d810f0f8dadbf4ad5b917cdcb156c4c132611c8b3b035118a9e03551f + +# 1536-bit +ModExp = 00 +A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002 +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 878cd000778f927b2f1a4b8bac86efd282079a7ac0d25e09ffd2f72fbc282e65e233929d2457c7b1d63c56fb706cdfa04fb87e654c578c98d7cf59c2293dc5641086b68db4867105981daaf147a0ee91f6932ef064deae4142c19e58d50c0686f0eaf778be72450f89a98b4680bbc5ffab942195e44dd20616150fd1deca058068ca31ab2f861e99082588f17a2025bf5e536150142fca3187a259c791fc721430f24d7e338f8dc02e693a7e694d42775e80f7f7c03600b6ae86b4aba2b0e991 + +# 2048-bit +ModExp = 00 +A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 9f40a7535c561208ecb38e17c9336d9bc8484d335901b2cd42759cf03689227f6992f10cb6b586d767fbcdf30e9d82a0eda60d2694ccd0194fa96b50b56e0cdeec1951ea9e58b07e334a7f108841a0ab28256917fecea561388807ed124a17386a7a7b501f9cbf3404247a76948d0561e48137d3f9669e36f175731796aeaf78851f7d866917f661422186a4814aa35c066b5a90b9cfc918af769a9f0bb30c12581027df64ac328a0f07dbd20adb704479f6d0f233a131828c71bab19c3c34795ea4fb68aa632c6f688e5b3b84413c9031d8dc251003a590dec0dd09bfa6109ed4570701439b6f265b84ac2170c317357b5fbe5535e2bbdd93c1aacfdaa28c85 + +# 3072-bit +ModExp = 00 +A = 80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = c23dfd244a58a668d514498a705c8f8f548311b24f0f98b023d2d33632534c2ae948d6641d41fd7a29fbbd594bfc7fdd6e8162cbb3056af3075347b6fc8876458d33a9d0ffdbcdf482de0c73d1310fd8fa8f9f92dd0dbb0e2034e98a30f6c11b482f7476c5b593f673a322b1130daa4314e9074270dce1076436f0d56cf196afcbb235a9a7b3ac85b9062e85fc0e63a12c468c787019f6805f9faab64fc6a0babc80785d88740243f11366bffb40ccbe8b2bb7a99a2c8238a6f656bb0117d7b2602aa400f4d77de5f93c673f13264ca70de949454e3e3f261993c1aa427e8ef4f507af744f71f3b4aaf3c981d44cc1bfb1eb1151168762b242b740573df698e500d99612e17dc760f7b3bf7c235e39e81ad7edbe6c07dbb8b139745bb394d61cb799bcafec5de074932b0b2d74797e779ac8d81f63a2b2e9baa229dfaa7f90f34ffade1d2ad022a3407d35eb2d7477c6ae8ad100f6e95c05b4f947c1fabfb11a17add384e6b4cd3a02fd9b43f46805c6c74e366b74aa3b766be7a5fbbd67fa81 + +# 4096-bit +ModExp = 00 +A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 8030411ecbddcb0fe4e76fd6b5bf542e8b015d1610cf96130ded12ba2cda0641bd9692080f218ea8b0d751845b519d95b843542ec8d2a07f1f93afe3189b69a4f35c983011c7f7928c3df458cc3eae85c36e6934a4b1bc0a67c8a521de336642c49e10a7ffa8d0af911aacc19e3900449161940f139220e099a150dcaf0ff96ffff6e726c1ac139969103cf6a828ac3adf0301506aa02787b4f570d5dde53a34acab8fec6fa94760abf16ee99954371ad65a6e899daab87b95811d069404991de9abe064ebbddf886e970f10d260c899dda940191a82d4c8bd36651363aff5493f4f59e700007dcadf37ebea7fcfd7600d16617ffea0d9ae659446d851d93c564e50e558f734c894d735fa273770703dab62844d9f01badf632f3d14a00f739c022c9be95f54e9cea46ec6da7cb11f4602e06962951c48204726b7f120ddbd0eb3566dc8d1e6f195a9196e96db33322d088b43aecffe9b4df182dd016aca0bd14f1c56cd1a18b89165c027029862b09ffd78e92ab614349c4fd67f49cb12cd33d0728930d0538bda57acef1365a73cc8fbac7d463b9e3c3bae0bb6224b080cdb8b5cd47d546d53111fdc22b7ff679bcfe27192920ee163b2be337d8cccc93b4de7d2d31934b9c0e97af291dcc1135b4a473bd37114eec3ba75c411887b57799d3188e7353f33a4d31735ebfc9fcfc044985148dd96da3876a5ab7ea7a404b411 # These test vectors satisfy (ModSqrt * ModSqrt) mod P = A mod P with P a prime. # ModSqrt is in [0, (P-1)/2]. diff --git a/crypto/external/bsd/openssl/dist/test/recipes/25-test_x509.t b/crypto/external/bsd/openssl/dist/test/recipes/25-test_x509.t index f5ef0f996324..853d30c8ba39 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/25-test_x509.t +++ b/crypto/external/bsd/openssl/dist/test/recipes/25-test_x509.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -15,7 +15,11 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_x509"); -plan tests => 9; +plan tests => 16; + +# Prevent MSys2 filename munging for arguments that look like file paths but +# aren't +$ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; require_ok(srctop_file('test','recipes','tconversion.pl')); @@ -46,4 +50,59 @@ subtest 'x509 -- second x.509 v3 certificate' => sub { subtest 'x509 -- pathlen' => sub { ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")]))); +}; + +# extracts issuer from a -text formatted-output +sub get_issuer { + my $f = shift(@_); + my $issuer = ""; + open my $fh, $f or die; + while (my $line = <$fh>) { + if ($line =~ /Issuer:/) { + $issuer = $line; + } + } + close $fh; + return $issuer; } + +# Tests for signing certs (broken in 1.1.1o) +my $a_key = "a-key.pem"; +my $a_cert = "a-cert.pem"; +my $a2_cert = "a2-cert.pem"; +my $ca_key = "ca-key.pem"; +my $ca_cert = "ca-cert.pem"; +my $cnf = srctop_file('apps', 'openssl.cnf'); + +# Create cert A +ok(run(app(["openssl", "req", "-x509", "-newkey", "rsa:2048", + "-config", $cnf, + "-keyout", $a_key, "-out", $a_cert, "-days", "365", + "-nodes", "-subj", "/CN=test.example.com"]))); +# Create cert CA - note key size +ok(run(app(["openssl", "req", "-x509", "-newkey", "rsa:4096", + "-config", $cnf, + "-keyout", $ca_key, "-out", $ca_cert, "-days", "3650", + "-nodes", "-subj", "/CN=ca.example.com"]))); +# Sign cert A with CA (errors on 1.1.1o) +ok(run(app(["openssl", "x509", "-in", $a_cert, "-CA", $ca_cert, + "-CAkey", $ca_key, "-set_serial", "1234567890", + "-preserve_dates", "-sha256", "-text", "-out", $a2_cert]))); +# verify issuer is CA +ok (get_issuer($a2_cert) =~ /CN = ca.example.com/); + +# Tests for issue #16080 (fixed in 1.1.1o) +my $b_key = "b-key.pem"; +my $b_csr = "b-cert.csr"; +my $b_cert = "b-cert.pem"; +# Create the CSR +ok(run(app(["openssl", "req", "-new", "-newkey", "rsa:4096", + "-keyout", $b_key, "-out", $b_csr, "-nodes", + "-config", $cnf, + "-subj", "/CN=b.example.com"]))); +# Sign it - position of "-text" matters! +ok(run(app(["openssl", "x509", "-req", "-text", "-CAcreateserial", + "-CA", $ca_cert, "-CAkey", $ca_key, + "-in", $b_csr, "-out", $b_cert]))); +# Verify issuer is CA +ok(get_issuer($b_cert) =~ /CN = ca.example.com/); diff --git a/crypto/external/bsd/openssl/dist/test/recipes/30-test_evp_data/evpciph.txt b/crypto/external/bsd/openssl/dist/test/recipes/30-test_evp_data/evpciph.txt index 1c02ea1e9c2d..8480ddee0b63 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/30-test_evp_data/evpciph.txt +++ b/crypto/external/bsd/openssl/dist/test/recipes/30-test_evp_data/evpciph.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21 Operation = DECRYPT Result = CIPHERFINAL_ERROR +#Test vectors generated to validate aesni_ocb_encrypt on x86 +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = C14DFF7D62A13C4A3422456207453190 +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333 + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = D47D84F6FF912C79B6A4223AB9BE2DB8 +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204 + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = 41970D13737B7BD1B5FBF49ED4412CA5 +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91 + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = BE0228651ED4E48A11BDED68D953F3A0 +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = 17BC6E10B16E5FDC52836E7D589518C7 +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = E84AAC18666116990A3A37B3A5FC55BD +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = 3E5EA7EE064FE83B313E28D411E91EAD +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C + Title = AES XTS test vectors from IEEE Std 1619-2007 # Using the same key twice for encryption is always banned. diff --git a/crypto/external/bsd/openssl/dist/test/recipes/70-test_tls13hrr.t b/crypto/external/bsd/openssl/dist/test/recipes/70-test_tls13hrr.t index e0b47ed359d8..0092a9d747ab 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/70-test_tls13hrr.t +++ b/crypto/external/bsd/openssl/dist/test/recipes/70-test_tls13hrr.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -37,7 +37,8 @@ my $proxy = TLSProxy::Proxy->new( use constant { CHANGE_HRR_CIPHERSUITE => 0, - CHANGE_CH1_CIPHERSUITE => 1 + CHANGE_CH1_CIPHERSUITE => 1, + DUPLICATE_HRR => 2 }; #Test 1: A client should fail if the server changes the ciphersuite between the @@ -46,7 +47,7 @@ $proxy->filter(\&hrr_filter); $proxy->serverflags("-curves P-256"); my $testtype = CHANGE_HRR_CIPHERSUITE; $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 2; +plan tests => 3; ok(TLSProxy::Message->fail(), "Server ciphersuite changes"); #Test 2: It is an error if the client changes the offered ciphersuites so that @@ -58,6 +59,19 @@ $testtype = CHANGE_CH1_CIPHERSUITE; $proxy->start(); ok(TLSProxy::Message->fail(), "Client ciphersuite changes"); +#Test 3: A client should fail with unexpected_message alert if the server +# sends more than 1 HRR +my $fatal_alert = 0; +$proxy->clear(); +if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); +} else { + $proxy->serverflags("-curves P-256"); +} +$testtype = DUPLICATE_HRR; +$proxy->start(); +ok($fatal_alert, "Server duplicated HRR"); + sub hrr_filter { my $proxy = shift; @@ -78,6 +92,39 @@ sub hrr_filter return; } + if ($testtype == DUPLICATE_HRR) { + # We're only interested in the HRR + # and the unexpected_message alert from client + if ($proxy->flight == 4) { + $fatal_alert = 1 + if @{$proxy->record_list}[-1]->is_fatal_alert(0) == 10; + return; + } + if ($proxy->flight != 3) { + return; + } + + # Find ServerHello record (HRR actually) and insert after that + my $i; + for ($i = 0; ${$proxy->record_list}[$i]->flight() < 1; $i++) { + next; + } + my $hrr_record = ${$proxy->record_list}[$i]; + my $dup_hrr = TLSProxy::Record->new(3, + $hrr_record->content_type(), + $hrr_record->version(), + $hrr_record->len(), + $hrr_record->sslv2(), + $hrr_record->len_real(), + $hrr_record->decrypt_len(), + $hrr_record->data(), + $hrr_record->decrypt_data()); + + $i++; + splice @{$proxy->record_list}, $i, 0, $dup_hrr; + return; + } + # CHANGE_CH1_CIPHERSUITE if ($proxy->flight != 0) { return; diff --git a/crypto/external/bsd/openssl/dist/test/recipes/80-test_cms.t b/crypto/external/bsd/openssl/dist/test/recipes/80-test_cms.t index 5dc6a3aebe01..79ae1308eccd 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/80-test_cms.t +++ b/crypto/external/bsd/openssl/dist/test/recipes/80-test_cms.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -13,7 +13,7 @@ use warnings; use POSIX; use File::Spec::Functions qw/catfile/; use File::Compare qw/compare_text/; -use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; +use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/; use OpenSSL::Test::Utils; setup("test_cms"); @@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt"); my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) = disabled qw/des dh dsa ec ec2m rc2 zlib/; -plan tests => 6; +plan tests => 7; my @smime_pkcs7_tests = ( @@ -584,3 +584,14 @@ sub check_availability { return ""; } + +# Check that we get the expected failure return code +with({ exit_checker => sub { return shift == 6; } }, + sub { + ok(run(app(['openssl', 'cms', '-encrypt', + '-in', srctop_file("test", "smcont.txt"), + '-stream', '-recip', + srctop_file("test/smime-certs", "badrsa.pem"), + ])), + "Check failure during BIO setup with -stream is handled correctly"); + }); diff --git a/crypto/external/bsd/openssl/dist/test/recipes/80-test_ssl_new.t b/crypto/external/bsd/openssl/dist/test/recipes/80-test_ssl_new.t index 81d8f59a70b4..3d281091d15e 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/80-test_ssl_new.t +++ b/crypto/external/bsd/openssl/dist/test/recipes/80-test_ssl_new.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -28,7 +28,7 @@ map { s/\^// } @conf_files if $^O eq "VMS"; # We hard-code the number of tests to double-check that the globbing above # finds all files as expected. -plan tests => 29; # = scalar @conf_srcs +plan tests => 30; # = scalar @conf_srcs # Some test results depend on the configuration of enabled protocols. We only # verify generated sources in the default configuration. @@ -70,6 +70,8 @@ my %conf_dependent_tests = ( "25-cipher.conf" => disabled("poly1305") || disabled("chacha"), "27-ticket-appdata.conf" => !$is_default_tls, "28-seclevel.conf" => disabled("tls1_2") || $no_ec, + "30-supported-groups.conf" => disabled("tls1_2") || disabled("tls1_3") + || $no_ec || $no_ec2m ); # Add your test here if it should be skipped for some compile-time diff --git a/crypto/external/bsd/openssl/dist/test/recipes/95-test_external_pyca_data/cryptography.sh b/crypto/external/bsd/openssl/dist/test/recipes/95-test_external_pyca_data/cryptography.sh index e1616914a77f..4ca3cae1170f 100755 --- a/crypto/external/bsd/openssl/dist/test/recipes/95-test_external_pyca_data/cryptography.sh +++ b/crypto/external/bsd/openssl/dist/test/recipes/95-test_external_pyca_data/cryptography.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. # Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. # # Licensed under the OpenSSL license (the "License"). You may not use @@ -12,6 +12,7 @@ # OpenSSL external testing using the Python Cryptography module # set -e +set -x O_EXE=`pwd`/$BLDTOP/apps O_BINC=`pwd`/$BLDTOP/include @@ -35,30 +36,27 @@ echo "------------------------------------------------------------------" cd $SRCTOP # Create a python virtual env and activate -rm -rf venv-pycrypto -virtualenv venv-pycrypto -. ./venv-pycrypto/bin/activate +rm -rf venv-cryptography +python -m venv venv-cryptography +. ./venv-cryptography/bin/activate cd pyca-cryptography -pip install .[test] - echo "------------------------------------------------------------------" echo "Building cryptography" echo "------------------------------------------------------------------" -python ./setup.py clean - -CFLAGS="-I$O_BINC -I$O_SINC -L$O_LIB" python ./setup.py build +LDFLAGS="-L$O_LIB" CFLAGS="-I$O_BINC -I$O_SINC" pip install .[test] +pip install -e vectors echo "------------------------------------------------------------------" echo "Running tests" echo "------------------------------------------------------------------" -CFLAGS="-I$O_BINC -I$O_SINC -L$O_LIB" python ./setup.py test +pytest -n auto tests --wycheproof-root=../wycheproof cd ../ deactivate -rm -rf venv-pycrypto +rm -rf venv-cryptography exit 0 diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/badrsa.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/badrsa.pem new file mode 100644 index 000000000000..f824fc226732 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/badrsa.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD +VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY +DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw +I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A +/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s +yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 +zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB +lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww +CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm +ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW +eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt +5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d +rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv +yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ +j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= +-----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/mksmime-certs.sh b/crypto/external/bsd/openssl/dist/test/smime-certs/mksmime-certs.sh index c98e164b1871..e33fac97bc39 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/mksmime-certs.sh +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/mksmime-certs.sh @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -15,23 +15,23 @@ export OPENSSL_CONF # Root CA: create certificate directly CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -nodes \ - -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650 + -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501 # EE RSA certificates: create request first CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -nodes \ -keyout smrsa1.pem -out req.pem -newkey rsa:2048 # Sign request: end entity extensions -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -nodes \ -keyout smrsa2.pem -out req.pem -newkey rsa:2048 -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -nodes \ -keyout smrsa3.pem -out req.pem -newkey rsa:2048 -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem # Create DSA parameters @@ -40,15 +40,15 @@ $OPENSSL dsaparam -out dsap.pem 2048 CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -nodes \ -keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -nodes \ -keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -nodes \ -keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem # Create EC parameters @@ -58,15 +58,15 @@ $OPENSSL ecparam -out ecp2.pem -name K-283 CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -nodes \ -keyout smec1.pem -out req.pem -newkey ec:ecp.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -nodes \ -keyout smec2.pem -out req.pem -newkey ec:ecp2.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -nodes \ -keyout smec3.pem -out req.pem -newkey ec:ecp.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem # Create X9.42 DH parameters. $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_type:2 \ @@ -78,7 +78,7 @@ $OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -nodes \ -keyout smtmp.pem -out req.pem -newkey rsa:2048 # Sign request but force public key to DH -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -force_pubkey dhpub.pem \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem # Remove temp files. diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/smdh.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/smdh.pem index f831b0713b95..273dfca5e05c 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/smdh.pem +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/smdh.pem @@ -1,33 +1,47 @@ -----BEGIN PRIVATE KEY----- -MIIBSgIBADCCASsGByqGSM4+AgEwggEeAoGBANQMSgwEcnEZ31kZxa9Ef8qOK/AJ -9dMlsXMWVYnf/QevGdN/0Aei/j9a8QHG+CvvTm0DOEKhN9QUtABKsYZag865CA7B -mSdHjQuFqILtzA25sDJ+3+jk9vbss+56ETRll/wasJVLGbmmHNkBMvc1fC1d/sGF -cEn4zJnQvvFaeMgDAoGAaQD9ZvL8FYsJuNxN6qp5VfnfRqYvyi2PWSqtRKPGGC+V -thYg49PRjwPOcXzvOsdEOQ7iH9jTiSvnUdwSSEwYTZkSBuQXAgOMJAWOpoXyaRvh -atziBDoBnWS+/kX5RBhxvS0+em9yfRqAQleuGG+R1mEDihyJc8dWQQPT+O1l4oUC -FQCJlKsQZ0VBrWPGcUCNa54ZW6TH9QQWAhRR2NMZrQSfWthXDO8Lj5WZ34zQrA== +MIICXAIBADCCAjUGByqGSM4+AgEwggIoAoIBAQCB6AUA/1eXRh+iLWHXe+lUl6e+ ++460tAIIpsQ1jw1ZaTmlH9SlrWSBNVRVHwDuBW7vA+lKgBvDpCIjmhRbgrZIGwcZ +6ruCYy5KF/B3AW5MApC9QCDaVrG6Hb7NfpMgwuUIKvvvOMrrvn4r5Oxtsx9rORTE +bdS33MuZCOIbodjs5u+e/2hhssOwgUTMASDwXppJTyeMwAAZ+p78ByrSULP6yYdP +PTh8sK1begDG6YTSKE3VqYNg1yaE5tQvCQ0U2L4qZ8JqexAVHbR8LA8MNhtA1pma +Zj4q2WNAEevpprIIRXgJEZY278nPlvVeoKfOef9RBHgQ6ZTnZ1Et5iLMCwYHAoIB +AFVgJaHfnBVJYfaQh1NyoVZJ5xX6UvvL5xEKUwwEMgs8JSOzp2UI+KRDpy9KbNH7 +93Kwa2d8Q7ynciDiCmd1ygF4CJKb4ZOwjWjpZ4DedHr0XokGhyBCyjaBxOi3i4tP +EFO8YHs5B/yOZHzcpTfs2VxJqIm3KF8q0Ify9PWDAsgo+d21/+eye60FHjF9o2/D +l3NRlOhUhHNGykfqFgKEEEof3/3c6r5BS0oRXdsu6dx/y2/v8j9aJoHfyGHkswxr +ULSBxJENOBB89C+GET6yhbxV1e4SFwzHnXgG8bWXwk7bea6ZqXbHq0pT3kUiQeKe +assXKqRBAG9NLbQ3mmx8RFkCHQDIVBWPf6VwBa2s1CAcsIziVJ8qr/KAKx9DZ3h5 +BB4CHAF3VZBAC/TB85J4PzsLJ+VrOWr0c8kQlYUR9rw= -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIID/zCCAuegAwIBAgIJANv1TSKgememMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA4MDIxNDQ5MjlaFw0yMzA2MTExNDQ5MjlaMEQx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU -ZXN0IFMvTUlNRSBFRSBESCAjMTCCAbYwggErBgcqhkjOPgIBMIIBHgKBgQDUDEoM -BHJxGd9ZGcWvRH/KjivwCfXTJbFzFlWJ3/0HrxnTf9AHov4/WvEBxvgr705tAzhC -oTfUFLQASrGGWoPOuQgOwZknR40LhaiC7cwNubAyft/o5Pb27LPuehE0ZZf8GrCV -Sxm5phzZATL3NXwtXf7BhXBJ+MyZ0L7xWnjIAwKBgGkA/Wby/BWLCbjcTeqqeVX5 -30amL8otj1kqrUSjxhgvlbYWIOPT0Y8DznF87zrHRDkO4h/Y04kr51HcEkhMGE2Z -EgbkFwIDjCQFjqaF8mkb4Wrc4gQ6AZ1kvv5F+UQYcb0tPnpvcn0agEJXrhhvkdZh -A4ociXPHVkED0/jtZeKFAhUAiZSrEGdFQa1jxnFAjWueGVukx/UDgYQAAoGAL1ve -cgI2awBeJH8ULBhSQpdL224VUDxFPiXzt8Vu5VLnxPv0pfA5En+8VByTuV7u6RSw -3/78NuTyr/sTyN8YlB1AuXHdTJynA1ICte1xgD4j2ijlq+dv8goOAFt9xkvXx7LD -umJ/cCignXETcNGfMi8+0s0bpMZyoHRdce8DQ26jYDBeMAwGA1UdEwEB/wQCMAAw -DgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQLWk1ffSXH8p3Bqrdjgi/6jzLnwDAf -BgNVHSMEGDAWgBTffl6IBSQzCN0igQKXzJq3sTMnMDANBgkqhkiG9w0BAQUFAAOC -AQEAWvJj79MW1/Wq3RIANgAhonsI1jufYqxTH+1M0RU0ZXHulgem77Le2Ls1bizi -0SbvfpTiiFGkbKonKtO2wvfqwwuptSg3omMI5IjAGxYbyv2KBzIpp1O1LTDk9RbD -48JMMF01gByi2+NLUQ1MYF+5RqyoRqcyp5x2+Om1GeIM4Q/GRuI4p4dybWy8iC+d -LeXQfR7HXfh+tAum+WzjfLJwbnWbHmPhTbKB01U4lBp6+r8BGHAtNdPjEHqap4/z -vVZVXti9ThZ20EhM+VFU3y2wyapeQjhQvw/A2YRES0Ik7BSj3hHfWH/CTbLVQnhu -Uj6tw18ExOYxqoEGixNLPA5qsQ== +MIIFmDCCBICgAwIBAgIUWlJkHZZ2eZgkGCHFtcMAjlLdDH8wDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgREggIzEwggNCMIICNQYHKoZIzj4C +ATCCAigCggEBAIHoBQD/V5dGH6ItYdd76VSXp777jrS0AgimxDWPDVlpOaUf1KWt +ZIE1VFUfAO4Fbu8D6UqAG8OkIiOaFFuCtkgbBxnqu4JjLkoX8HcBbkwCkL1AINpW +sbodvs1+kyDC5Qgq++84yuu+fivk7G2zH2s5FMRt1Lfcy5kI4huh2Ozm757/aGGy +w7CBRMwBIPBemklPJ4zAABn6nvwHKtJQs/rJh089OHywrVt6AMbphNIoTdWpg2DX +JoTm1C8JDRTYvipnwmp7EBUdtHwsDww2G0DWmZpmPirZY0AR6+mmsghFeAkRljbv +yc+W9V6gp855/1EEeBDplOdnUS3mIswLBgcCggEAVWAlod+cFUlh9pCHU3KhVknn +FfpS+8vnEQpTDAQyCzwlI7OnZQj4pEOnL0ps0fv3crBrZ3xDvKdyIOIKZ3XKAXgI +kpvhk7CNaOlngN50evReiQaHIELKNoHE6LeLi08QU7xgezkH/I5kfNylN+zZXEmo +ibcoXyrQh/L09YMCyCj53bX/57J7rQUeMX2jb8OXc1GU6FSEc0bKR+oWAoQQSh/f +/dzqvkFLShFd2y7p3H/Lb+/yP1omgd/IYeSzDGtQtIHEkQ04EHz0L4YRPrKFvFXV +7hIXDMedeAbxtZfCTtt5rpmpdserSlPeRSJB4p5qyxcqpEEAb00ttDeabHxEWQId +AMhUFY9/pXAFrazUIBywjOJUnyqv8oArH0NneHkDggEFAAKCAQBigH0Mp4jUMSfK +yOhKlEfyZ/hj/EImsUYW4+u8xjBN+ruOJUTJ06Mtgw3g2iLkhQoO9NROqvC9rdLj ++j3e+1QWm9EDNKQAa4nUp8/W+XZ5KkQWudmtaojEXD1+kd44ieNLtPGuVnPtDGO4 +zPf04IUq7tDGbMDMMn6YXvW6f28lR3gF5vvVIsnjsd/Lau6orzmNSrymXegsEsFR +Q7hT+/tPoAtro6Hx9rBrYb/0OCiRe4YuYrFKkC0aaJfUQepVyuVMSTxxKTzq8T06 +M8SBITlmkPFZJHyGzV/+a72hpJsAa0BaDnpxH3cFpEMzeYG1XQK461zexoIYN3ub +i3xNPUzPo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4E +FgQULayIqKcWHtUH4pFolI6dKxycIG8wHwYDVR0jBBgwFoAUFcETIWviVV+nah1X +INbP86lzZFkwDQYJKoZIhvcNAQELBQADggEBAKjKvvJ6Vc9HiQXACqqRZnekz2gO +ue71nsXXDr2+y4PPpgcDzgtO3vhQc7Akv6Uyca9LY7w/X+temP63yxdLpKXTV19w +Or0p4VEvTZ8AttMjFh4Hl8caVYk/J4TIudSXLIfKROP6sFu5GOw7W3xpBkL5Zio6 +3dqe6xAYK0woNQPDfj5yOAlqj1Ohth81JywW5h2g8GfLtNe62coAqwjMJT+ExHfU +EkF/beSqRGOvXwyhSxFpe7HVjUMgrgdfoZnNsoPmpH3eTiF4BjamGWI1+Z0o+RHa +oPwN+cCzbDsi9uTQJO1D5S697heX00zzzU/KSW7djNzKv55vm24znuFkXTM= -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa1.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa1.pem index b424f6704ed9..0104e207cb27 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa1.pem +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa1.pem @@ -1,47 +1,47 @@ -----BEGIN PRIVATE KEY----- -MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6 -k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou -zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO -wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK -v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC -0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA -rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM -zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx -DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy -xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9 -ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h -Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ -TQMsxQQjAiEAkolGvb/76X3vm5Ov09ezqyBYt9cdj/FLH7DyMkxO7X0= +MIICXQIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1 +i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t +4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa +kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg +c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S +8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A +mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw +V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7 +ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR +CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL +5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL +QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX +ygQeAhwE9yuqObvNXzUTN+PY2rg00PzdyJw3XJAUrmlY -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 -uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS -7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS -wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 -+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 -Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D -AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb -0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu -g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 -0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv -yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf -7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P -aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAGXSQADbuRIZBjiQ6NikwZl+x -EDEffIE0RWbvwf1tfWxw4ZvanO/djyz5FePO0AIJDBCLUjr9D32nkmIG1Hu3dWgV -86knQsM6uFiMSzY9nkJGZOlH3w4NHLE78pk75xR1sg1MEZr4x/t+a/ea9Y4AXklE -DCcaHtpMGeAx3ZAqSKec+zQOOA73JWP1/gYHGdYyTQpQtwRTsh0Gi5mOOdpoJ0vp -O83xYbFCZ+ZZKX1RWOjJe2OQBRtw739q1nRga1VMLAT/LFSQsSE3IOp8hiWbjnit -1SE6q3II2a/aHZH/x4OzszfmtQfmerty3eQSq3bgajfxCsccnRjSbLeNiazRSKNg -MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFNHQYTOO -xaZ/N68OpxqjHKuatw6sMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs -MA0GCSqGSIb3DQEBBQUAA4IBAQAAiLociMMXcLkO/uKjAjCIQMrsghrOrxn4ZGBx -d/mCTeqPxhcrX2UorwxVCKI2+Dmz5dTC2xKprtvkiIadJamJmxYYzeF1pgRriFN3 -MkmMMkTbe/ekSvSeMtHQ2nHDCAJIaA/k9akWfA0+26Ec25/JKMrl3LttllsJMK1z -Xj7TcQpAIWORKWSNxY/ezM34+9ABHDZB2waubFqS+irlZsn38aZRuUI0K67fuuIt -17vMUBqQpe2hfNAjpZ8dIpEdAGjQ6izV2uwP1lXbiaK9U4dvUqmwyCIPniX7Hpaf -0VnX0mEViXMT6vWZTjLBUv0oKmO7xBkWHIaaX6oyF32pK5AO +MIIFmjCCBIKgAwIBAgIUUoOmJmXAY29/2rWY0wJphQ5/pzUwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMxMIIDQzCCAjYGByqGSM44 +BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL +J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5 +LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd +62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt +MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l +aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK +3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b +bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ +9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2 +DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B +E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV +hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBACGS7hCpTL0g +lx9C1Bwz5xfVd0mwCqx9UGiH8Bf4lRsSagL0Irwvnjz++WH1vecZa2bWsYsPhQ+D +KDzaCo20CYln4IFEPgY0fSE+KTF1icFj/mD+MgxWgsgKoTI120ENPGHqHpKkv0Uv +OlwTImU4BxxkctZ5273XEv3VPQE8COGnXgqt7NBazU/O7vibFm0iaEsVjHFHYcoo ++sMcm3F2E/gvR9IJGaGPeCk0sMW8qloPzErWIugx/OGqM7fni2cIcZwGdju52O+l +cLV0tZdgC7eTbVDMLspyuiYME+zvEzRwCQF/GqcCDSn68zxJv/zSNZ9XxOgZaBfs +Na7e8YGATiujYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud +DgQWBBSFVrWPZrHzhHUg0MMEAAKwQIfsazAfBgNVHSMEGDAWgBQVwRMha+JVX6dq +HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAbm49FB+eyeX7OBUC/akhnkFw +cDXqw7Fl2OibRK+g/08zp4CruwJdb72j5+pTmG+9SF7tGyQBfHFf1+epa3ZiIc+0 +UzFf2xQBMyHjesL19cTe4i176dHz8pCxx9OEow0GlZVV85+Anev101NskKVNNVA7 +YnB2xKQWgf8HORh66XVCk54xMcd99ng8xQ8vhZC6KckVbheQgdPp7gUAcDgxH2Yo +JF8jHQlsWNcCGURDldP6FQ49TGWHj24IGjnjGapWxMUjvCz+kV6sGW/OIYu+MM9w +FMIOyEdUUtKowWT6eXwrITup3T6pspPTicbK61ZCPuxMvP2JBFGZsqat+F5g+w== -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa2.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa2.pem index 648447fc89a1..7d5b969dc3b3 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa2.pem +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa2.pem @@ -1,47 +1,47 @@ -----BEGIN PRIVATE KEY----- -MIICZAIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6 -k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou -zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO -wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK -v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC -0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA -rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM -zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx -DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy -xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9 -ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h -Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ -TQMsxQQiAiAdCUJ5n2Q9hIynN8BMpnRcdfH696BKejGx+2Mr2kfnnA== +MIICXQIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1 +i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t +4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa +kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg +c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S +8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A +mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw +V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7 +ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR +CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL +5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL +QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX +ygQeAhwmRauZi+nQ3kQ+GSKD7JCwv8XkD9NObMGlW018 -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 -uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS -7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS -wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 -+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 -Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D -AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb -0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu -g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 -0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv -yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf -7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P -aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E -h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt -tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa -LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn -3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0 -KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg -MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k -qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs -MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp -VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb -uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV -6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD -2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96 -GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I +MIIFmjCCBIKgAwIBAgIUHGKu2FMhT1wCiJTK3uAnklo55uowDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMyMIIDQzCCAjYGByqGSM44 +BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL +J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5 +LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd +62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt +MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l +aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK +3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b +bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ +9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2 +DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B +E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV +hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBAE0+OYS0s8/o +HwuuiPsBZTlRynqdwF6FHdE0Ei2uVTxnJouPYB2HvaMioG2inbISzPtEcnLF9Pyx +4hsXz7D49yqyMFjE3G8ObBOs/Vdno6E9ZZshWiRDwPf8JmoYp551UuJDoVaOTnhx +pEs30nuidtqd54PMdWUQPfp58kTu6bXvcRxdUj5CK/PyjavJCnGfppq/6j8jtrji +mOjIIeLZIbWp7hTVS/ffmfqZ8Lx/ShOcUzDa0VS3lfO28XqXpeqbyHdojsYlG2oA +shKJL7/scq3ab8cI5QuHEIGSbxinKfjCX4OEQ04CNsgUwMY9emPSaNdYDZOPqq/K +3bGk2PLcRsyjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud +DgQWBBTQAQyUCqYWGo5RuwGCtHNgXgzEQzAfBgNVHSMEGDAWgBQVwRMha+JVX6dq +HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAc3rayE2FGgG1RhLXAHYAs1Ky +4fcVcrzaPaz5jjWbpBCStkx+gNcUiBf+aSxNrRvUoPOSwMDLpMhbNBj2cjJqQ0W1 +oq4RUQth11qH89uPtBqiOqRTdlWAGZJbUTtVfrlc58DsDxFCwdcktSDYZwlO2lGO +vMCOn9N7oqEEuwRa++xVnYc8ZbY8lGwJD3bGR6iC7NkYk+2LSqPS52m8e0GO8dpf +RUrndbhmtsYa925dj2LlI218F3XwVcAUPW67dbpeEVw5OG8OCHRHqrwBEJj2PMV3 +tHeNXDEhjTzI3wiFia4kDBAKIsrC/XQ4tEiFzq0V00BiVY0ykhy+v/qNPskTsg== -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa3.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa3.pem index 77acc5e46ffc..6df4699450f0 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa3.pem +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa3.pem @@ -1,47 +1,47 @@ -----BEGIN PRIVATE KEY----- -MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6 -k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou -zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO -wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK -v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC -0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA -rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM -zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx -DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy -xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9 -ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h -Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ -TQMsxQQjAiEArJr6p2zTbhRppQurHGTdmdYHqrDdZH4MCsD9tQCw1xY= +MIICXgIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1 +i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t +4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa +kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg +c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S +8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A +mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw +V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7 +ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR +CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL +5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL +QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX +ygQfAh0AkfI6533W5nBIVrDPcp2DCXC8u2SIwBob6OoK5A== -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 -uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS -7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS -wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 -+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 -Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D -AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb -0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu -g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 -0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv -yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf -7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P -aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAcXvtfiJfIZ0wgGpN72ZeGrJ9 -msUXOxow7w3fDbP8r8nfVkBNbfha8rx0eY6fURFVZzIOd8EHGKypcH1gS6eZNucf -zgsH1g5r5cRahMZmgGXBEBsWrh2IaDG7VSKt+9ghz27EKgjAQCzyHQL5FCJgR2p7 -cv0V4SRqgiAGYlJ191k2WtLOsVd8kX//jj1l8TUgE7TqpuSEpaSyQ4nzJROpZWZp -N1RwFmCURReykABU/Nzin/+rZnvZrp8WoXSXEqxeB4mShRSaH57xFnJCpRwKJ4qS -2uhATzJaKH7vu63k3DjftbSBVh+32YXwtHc+BGjs8S2aDtCW3FtDA7Z6J8BIxaNg -MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFMJxatDE -FCEFGl4uoiQQ1050Ju9RMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs -MA0GCSqGSIb3DQEBBQUAA4IBAQBGZD1JnMep39KMOhD0iBTmyjhtcnRemckvRask -pS/CqPwo+M+lPNdxpLU2w9b0QhPnj0yAS/BS1yBjsLGY4DP156k4Q3QOhwsrTmrK -YOxg0w7DOpkv5g11YLJpHsjSOwg5uIMoefL8mjQK6XOFOmQXHJrUtGulu+fs6FlM -khGJcW4xYVPK0x/mHvTT8tQaTTkgTdVHObHF5Dyx/F9NMpB3RFguQPk2kT4lJc4i -Up8T9mLzaxz6xc4wwh8h70Zw81lkGYhX+LRk3sfd/REq9x4QXQNP9t9qU1CgrBzv -4orzt9cda4r+rleSg2XjWnXzMydE6DuwPVPZlqnLbSYUy660 +MIIFmjCCBIKgAwIBAgIUO2QHMd9V/S6KlrFDIPd7asRP4FAwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMzMIIDQzCCAjYGByqGSM44 +BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL +J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5 +LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd +62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt +MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l +aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK +3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b +bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ +9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2 +DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B +E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV +hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBAEj25Os9f57G +TaxsP8NzdCRBThCLqZWqLADh6S/aFOQQFpRRk3vGkvrOK/5La8KGKIDyzCEQo7Kg +sPwI1o4N5GKx15Cer2ekDWLtP4hA2CChs4tWJzEa8VxIDTg4EUnASFCbfDUY/Yt0 +5NM4nxtBhnr6PT7XmRehEFaTAgmsQFJ29jKx4tJkr+Gmj9J4i10CPd9DvIgIEnNt +rYMAlfbGovaZVCgKp5INVA4IkDfCcbzDeNiOGaACeV+4QuEbgIbUhMq9vbw3Vvqe +jwozPdrTYjd7oNxx/tY7gqxFRFxdDPXPno230afsAJsHmNF7lpj9Q4vBhy8w/EI1 +jGzuiXjei9qjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud +DgQWBBTwbCT+wSR9cvTg70jA2yIWgQSDZjAfBgNVHSMEGDAWgBQVwRMha+JVX6dq +HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAe5t9oi8K76y+wnV6I21vKgEh +M6DEe3+XTq10kAgYbcbMm+a6n86beaID7FANGET+3bsShxFeAX9g4Qsdw+Z3PF3P +wvqiBD8MaXczj28zP6j9TxsjGzpAsV3xo1n7aQ+hHzpopJUxAyx4hLBqSSwdj/xe +azELeVKoXY/nlokXnONWC5AvtfR7m7mKFPOmUghbeGCJH7+FXnC58eiF7BEpSbQl +SniAdQFis+Dne6/kwZnQQaSDg55ELfaZOLhaLcRtqqgU+kv24mXGGEBhs9bBKMz5 +ZNiKLafE3tCGRA5iMRwzdeSgrdnkQDHFiYXh3JHk5oKwGOdxusgt3DTHAFej1A== -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/smec1.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/smec1.pem index 75a862666b25..a94f65c60042 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/smec1.pem +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/smec1.pem @@ -1,22 +1,22 @@ -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgXzBRX9Z5Ib4LAVAS -DMlYvkj0SmLmYvWULe2LfyXRmpWhRANCAAS+SIj2FY2DouPRuNDp9WVpsqef58tV -3gIwV0EOV/xyYTzZhufZi/aBcXugWR1x758x4nHus2uEuEFi3Mr3K3+x +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgdOomk0EB/oWMnTZB +Qm5XMjlKnZNF4PMpwgov0Tj3u8OhRANCAATbG6XprSqHiD9AxWJiXRFgS+y38DGZ +7hpSjs4bd95L+Lli+O91/lUy7Tb8aJ6VU2CoyWQjV4sQjbdVqeD+y4Ky -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIICoDCCAYigAwIBAgIJANk5lu6mSyBGMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU -ZXN0IFMvTUlNRSBFRSBFQyAjMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL5I -iPYVjYOi49G40On1ZWmyp5/ny1XeAjBXQQ5X/HJhPNmG59mL9oFxe6BZHXHvnzHi -ce6za4S4QWLcyvcrf7GjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg -MB0GA1UdDgQWBBR/ybxC2DI+Jydhx1FMgPbMTmLzRzAfBgNVHSMEGDAWgBTJkVMK -Y3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEAdk9si83JjtgHHHGy -WcgWDfM0jzlWBsgFNQ9DwAuB7gJd/LG+5Ocajg5XdA5FXAdKkfwI6be3PdcVs3Bt -7f/fdKfBxfr9/SvFHnK7PVAX2x1wwS4HglX1lfoyq1boSvsiJOnAX3jsqXJ9TJiV -FlgRVnhnrw6zz3Xs/9ZDMTENUrqDHPNsDkKEi+9SqIsqDXpMCrGHP4ic+S8Rov1y -S+0XioMxVyXDp6XcL4PQ/NgHbw5/+UcS0me0atZ6pW68C0vi6xeU5vxojyuZxMI1 -DXXwMhOXWaKff7KNhXDUN0g58iWlnyaCz4XQwFsbbFs88TQ1+e/aj3bbwTxUeyN7 -qtcHJA== +MIICrTCCAZWgAwIBAgIUdLT4B443vbxt0B8Mzy0sR4+6AyowDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgRUMgIzEwWTATBgcqhkjOPQIBBggq +hkjOPQMBBwNCAATbG6XprSqHiD9AxWJiXRFgS+y38DGZ7hpSjs4bd95L+Lli+O91 +/lUy7Tb8aJ6VU2CoyWQjV4sQjbdVqeD+y4Kyo2AwXjAMBgNVHRMBAf8EAjAAMA4G +A1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUOia9H7l0qw3ftsDgEEeSBrHwQrwwHwYD +VR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZIhvcNAQELBQADggEB +AC7h/QkMocYANPqMQAO2okygG+OaE4qpKnlzHPUFMYedJGCvAWrwxu4hWL9T+hZo +qilM7Fwaxw/P4Zaaa15SOOhXkIdn9Fu2ROmBQtEiklmWGMjiZ6F+9NCZPk0cTAXK +2WQZOy41YNuvts+20osD4X/8x3fiARlokufj/TVyE73wG8pSSDh4KxWDfKv5Pi1F +PC5IJh8XVELnFkeY3xjtoux5AYT+1xIQHO4eBua02Y1oPiWG7l/sK3grVlxrupd9 +pXowwFlezWZP9q12VlWkcqwNb9hF9PkZge9bpiOJipSYgyobtAnms/CRHu3e6izl +LJRua7p4Wt/8GQENDrVkHqU= -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/smec2.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/smec2.pem index 457297a760f1..3fe14b3a1193 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/smec2.pem +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/smec2.pem @@ -1,23 +1,23 @@ -----BEGIN PRIVATE KEY----- -MIGPAgEAMBAGByqGSM49AgEGBSuBBAAQBHgwdgIBAQQjhHaq507MOBznelrLG/pl -brnnJi/iEJUUp+Pm3PEiteXqckmhTANKAAQF2zs6vobmoT+M+P2+9LZ7asvFBNi7 -uCzLYF/8j1Scn/spczoC9vNzVhNw+Lg7dnjNL4EDIyYZLl7E0v69luzbvy+q44/8 -6bQ= +MIGQAgEAMBAGByqGSM49AgEGBSuBBAAQBHkwdwIBAQQkAEkuzLBwx5bIw3Q2PMNQ +HzaY8yL3QLjzaJ8tCHrI/JTb9Q7VoUwDSgAEAu8b2HvLzKd0qhPtIw65Lh3OgF3X +IN5874qHwt9zPSvokijSAH3v9tcBJPdRLD3Lweh2ZPn5hMwVwVorHqSgASk5vnjp +HqER -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIICpTCCAY2gAwIBAgIJANk5lu6mSyBHMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU -ZXN0IFMvTUlNRSBFRSBFQyAjMjBeMBAGByqGSM49AgEGBSuBBAAQA0oABAXbOzq+ -huahP4z4/b70tntqy8UE2Lu4LMtgX/yPVJyf+ylzOgL283NWE3D4uDt2eM0vgQMj -JhkuXsTS/r2W7Nu/L6rjj/zptKNgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E -BAMCBeAwHQYDVR0OBBYEFGf+QSQlkN20PsNN7x+jmQIJBDcXMB8GA1UdIwQYMBaA -FMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBBQUAA4IBAQBaBBryl2Ez -ftBrGENXMKQP3bBEw4n9ely6HvYQi9IC7HyK0ktz7B2FcJ4z96q38JN3cLxV0DhK -xT/72pFmQwZVJngvRaol0k1B+bdmM03llxCw/uNNZejixDjHUI9gEfbigehd7QY0 -uYDu4k4O35/z/XPQ6O5Kzw+J2vdzU8GXlMBbWeZWAmEfLGbk3Ux0ouITnSz0ty5P -rkHTo0uprlFcZAsrsNY5v5iuomYT7ZXAR3sqGZL1zPOKBnyfXeNFUfnKsZW7Fnlq -IlYBQIjqR1HGxxgCSy66f1oplhxSch4PUpk5tqrs6LeOqc2+xROy1T5YrB3yjVs0 -4ZdCllHZkhop +MIICsjCCAZqgAwIBAgIUFMjrNKt+D8tzvn7jtjZ5HrLcUlswDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgRUMgIzIwXjAQBgcqhkjOPQIBBgUr +gQQAEANKAAQC7xvYe8vMp3SqE+0jDrkuHc6AXdcg3nzviofC33M9K+iSKNIAfe/2 +1wEk91EsPcvB6HZk+fmEzBXBWisepKABKTm+eOkeoRGjYDBeMAwGA1UdEwEB/wQC +MAAwDgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBSqWRYUy2syIUwfSR31e19LeNXK +9TAfBgNVHSMEGDAWgBQVwRMha+JVX6dqHVcg1s/zqXNkWTANBgkqhkiG9w0BAQsF +AAOCAQEASbh+sI03xUMMzPT8bRbWNF5gG3ab8IUzqm05rTa54NCPRSn+ZdMXcCFz +5fSU0T1dgEjeD+cCRVAZxskTZF7FWmRLc2weJMf7x+nPE5KaWyRAoD7FIKGP2m6m +IMCVOmiafuzmHASBYOz6RwjgWS0AWES48DJX6o0KpuT4bsknz+H7Xo+4+NYGCRao +enqIMZmWesGVXJ63pl32jUlXeAg59W6PpV2L9XRWLzDW1t1q2Uji7coCWtNjkojZ +rv0yRMc1czkT+mAJRAJ8D9MoTnRXm1dH4bOxte4BGUHNQ2P1HeV01vkd1RTL0g0R +lPyDAlBASvMn7RZ9nX8G3UOOL6gtVA== -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/smroot.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/smroot.pem index d1a253f40958..9af38d310b4f 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/smroot.pem +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/smroot.pem @@ -1,49 +1,49 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyQXED5HyVWwq -nXyzmY317yMUJrIfsKvREG2C691dJNHgNg+oq5sjt/fzkyS84AvdOiicAsao4cYL -DulthaLpbC7msEBhvwAil0FNb5g3ERupe1KuTdUV1UuD/i6S2VoaNXUBBn1rD9Wc -BBc0lnx/4Wt92eQTI6925pt7ZHPQw2Olp7TQDElyi5qPxCem4uT0g3zbZsWqmmsI -MXbu+K3dEprzqA1ucKXbxUmZNkMwVs2XCmlLxrRUj8C3/zENtH17HWCznhR/IVcV -kgIuklkeiDsEhbWvUQumVXR7oPh/CPZAbjGqq5mVueHSHrp7brBVZKHZvoUka28Q -LWitq1W5AgMBAAECggEASkRnOMKfBeOmQy2Yl6K57eeg0sYgSDnDpd0FINWJ5x9c -b58FcjOXBodtYKlHIY6QXx3BsM0WaSEge4d+QBi7S+u8r+eXVwNYswXSArDQsk9R -Bl5MQkvisGciL3pvLmFLpIeASyS/BLJXMbAhU58PqK+jT2wr6idwxBuXivJ3ichu -ISdT1s2aMmnD86ulCD2DruZ4g0mmk5ffV+Cdj+WWkyvEaJW2GRYov2qdaqwSOxV4 -Yve9qStvEIWAf2cISQjbnw2Ww6Z5ebrqlOz9etkmwIly6DTbrIneBnoqJlFFWGlF -ghuzc5RE2w1GbcKSOt0qXH44MTf/j0r86dlu7UIxgQKBgQDq0pEaiZuXHi9OQAOp -PsDEIznCU1bcTDJewANHag5DPEnMKLltTNyLaBRulMypI+CrDbou0nDr29VOzfXx -mNvi/c7RttOBOx7kXKvu0JUFKe2oIWRsg0KsyMX7UFMVaHFgrW+8DhQc7HK7URiw -nitOnA7YwIHRF9BMmcWcLFEYBQKBgQDC6LPbXV8COKO0YCfGXPnE7EZGD/p0Q92Z -8CoSefphEScSdO1IpxFXG7fOZ4x2GQb9q7D3IvaeKAqNjUjkuyxdB30lIWDBwSWw -fFgsa2SZwD5P60G/ar50YJr6LiF333aUMDVmC9swFfZERAEmGUz2NTrPWQdIx/lu -PyDtUR75JQKBgHaoCCJ8vl5SJl1IA5GV4Bo8IoeLTSzsY9d09zMy6BoZcMD1Ix2T -5S2cXhayoegl9PT6bsYSGHVWFCdJ86ktMI826TcXRzDaCvYhzc9THroJQcnfdbtP -aHWezkv7fsAmkoPjn75K7ubeo+r7Q5qbkg6a1PW58N8TRXIvkackzaVxAoGBALAq -qh3U+AHG9dgbrPeyo6KkuCOtX39ks8/mbfCDRZYkbb9V5f5r2tVz3R93IlK/7jyr -yWimtmde46Lrl33922w+T5OW5qBZllo9GWkUrDn3s5qClcuQjJIdmxYTSfbSCJiK -NkmE39lHkG5FVRB9f71tgTlWS6ox7TYDYxx83NTtAoGAUJPAkGt4yGAN4Pdebv53 -bSEpAAULBHntiqDEOu3lVColHuZIucml/gbTpQDruE4ww4wE7dOhY8Q4wEBVYbRI -vHkSiWpJUvZCuKG8Foh5pm9hU0qb+rbQV7NhLJ02qn1AMGO3F/WKrHPPY8/b9YhQ -KfvPCYimQwBjVrEnSntLPR0= +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDZLSl8LdU54OUA +T8ctFuKLShJul2IMzaEDkFLoL4agccajgvsRxW+8vbc2Re0y1mVMvfNz7Cg5a7Ke +iSuFJOrQtvDt+HkU5c706YDmw15mBpDSHapkXr80G/ABFbstWafOfagVW45wv65K +H4cnpcqwrLhagmC8QG0KfWbf+Z2efOxaGu/dTNA3Cnq/BQGTdlkQ28xbrvd+Ubzg +cY4Y/hJ7Fw1/IeEhgr/iVJhQIUAklp9B+xqDfWuxIt5mNwWWh/Lfk+UxqE99EhQR +0YZWyIKfKzbeJLBzDqY2hQzVL6kAvY9cR1WbBItTA0G2F5qZ9B/3EHEFWZMBvobt ++UTEkuBdAgMBAAECggEAF3Eagz7nPyIZVdlGpIVN2r8aEjng6YTglmPjrxBCNdtS +F6AxvY9UKklIF2Gg4tXlhU0TlDWvedM4Koif2/VKK1Ez3FvvpePQXPs/YKlB7T1U +MHnnRII9nUBOva88zv5YcJ97nyKM03q9M18H1a29nShnlc1w56EEpBc5HX/yFYMv +kMYydvB5j0DQkJlkQNFn4yRag0wIIPeyXwwh5l98SMlr40hO10OYTOQPrrgP/ham +AOZ//DvGo5gF8hGJYoqG4vcYbxRfTqbc2lQ4XRknOT182l9gRum52ahkBY6LKb4r +IZXPStS6fCAR5S0lcdBb3uN/ap9SUfb9w/Dhj5DZAQKBgQDr06DcsBpoGV2dK9ib +YL5MxC5JL7G79IBPi3ThRiOSttKXv3oDAFB0AlJvFKwYmVz8SxXqQ2JUA4BfvMGF +TNrbhukzo0ou5boExnQW/RjLN3fWVq1JM7iLbNU9YYpPCIG5LXrt4ZDOwITeGe8f +bmZK9zxWxc6BBJtc3mTFS5tm4QKBgQDrwRyEn6oZ9TPbR69fPgWvDqQwKs+6TtYn +0otMG9UejbSMcyU4sI+bZouoca2CzoNi2qZVIvI9aOygUHQAP7Dyq1KhsvYtzJub +KEua379WnzBMMjJ56Q/e4aKTq229QvOk+ZEYl6aklZX7xnYetYNZQrp4QzUyOQTG +gfxgxKi0/QKBgQCy1esAUJ/F366JOS3rLqNBjehX4c5T7ae8KtJ433qskO4E29TI +H93jC7u9txyHDw5f2QUGgRE5Cuq4L2lGEDFMFvQUD7l69QVrB6ATqt25hhffuB1z +DMDfIqpXAPgk1Rui9SVq7gqlb4OS9nHLESqLoQ/l8d2XI4o6FACxSZPQoQKBgQCR +8AvwSUoqIXDFaB22jpVEJYMb0hSfFxhYtGvIZF5MOJowa0L6UcnD//mp/xzSoXYR +pppaj3R28VGxd7wnP0YRIl7XfAoKleMpbAtJRwKR458pO9WlQ9GwPeq/ENqw0xYx +5M+d8pqUvYiHv/X00pYJllYKBkiS21sKawLJAFQTHQKBgQCJCwVHxvxkdQ8G0sU2 +Vtv2W38hWOSg5+cxa+g1W6My2LhX34RkgKzuaUpYMlWGHzILpxIxhPrVLk1ZIjil +GIP969XJ1BjB/kFtLWdxXG8tH1If3JgzfSHUofPHF3CENoJYEZ1ugEfIPzWPZJDI +DL5zP8gmBL9ZAOO/J9YacxWYMQ== -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDbjCCAlagAwIBAgIJAMc+8VKBJ/S9MA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MjlaFw0yMzA3MTUxNzI4MjlaMEQx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU -ZXN0IFMvTUlNRSBSU0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBALLJBcQPkfJVbCqdfLOZjfXvIxQmsh+wq9EQbYLr3V0k0eA2D6irmyO39/OT -JLzgC906KJwCxqjhxgsO6W2FoulsLuawQGG/ACKXQU1vmDcRG6l7Uq5N1RXVS4P+ -LpLZWho1dQEGfWsP1ZwEFzSWfH/ha33Z5BMjr3bmm3tkc9DDY6WntNAMSXKLmo/E -J6bi5PSDfNtmxaqaawgxdu74rd0SmvOoDW5wpdvFSZk2QzBWzZcKaUvGtFSPwLf/ -MQ20fXsdYLOeFH8hVxWSAi6SWR6IOwSFta9RC6ZVdHug+H8I9kBuMaqrmZW54dIe -untusFVkodm+hSRrbxAtaK2rVbkCAwEAAaNjMGEwHQYDVR0OBBYEFMmRUwpjexZb -i71E8HaIqSTm5bZsMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA8G -A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IB -AQAwpIVWQey2u/XoQSMSu0jd0EZvU+lhLaFrDy/AHQeG3yX1+SAOM6f6w+efPvyb -Op1NPI9UkMPb4PCg9YC7jgYokBkvAcI7J4FcuDKMVhyCD3cljp0ouuKruvEf4FBl -zyQ9pLqA97TuG8g1hLTl8G90NzTRcmKpmhs18BmCxiqHcTfoIpb3QvPkDX8R7LVt -9BUGgPY+8ELCgw868TuHh/Cnc67gBtRjBp0sCYVzGZmKsO5f1XdHrAZKYN5mEp0C -7/OqcDoFqORTquLeycg1At/9GqhDEgxNrqA+YEsPbLGAfsNuXUsXs2ubpGsOZxKt -Emsny2ah6fU2z7PztrUy/A80 +MIIDezCCAmOgAwIBAgIUBxh2L3ItsVPuBogDI0WfUX1lFnMwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw +NTEwMTUzMzEzWjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgUlNBIFJvb3QwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDZLSl8LdU54OUAT8ctFuKLShJul2IMzaEDkFLoL4ag +ccajgvsRxW+8vbc2Re0y1mVMvfNz7Cg5a7KeiSuFJOrQtvDt+HkU5c706YDmw15m +BpDSHapkXr80G/ABFbstWafOfagVW45wv65KH4cnpcqwrLhagmC8QG0KfWbf+Z2e +fOxaGu/dTNA3Cnq/BQGTdlkQ28xbrvd+UbzgcY4Y/hJ7Fw1/IeEhgr/iVJhQIUAk +lp9B+xqDfWuxIt5mNwWWh/Lfk+UxqE99EhQR0YZWyIKfKzbeJLBzDqY2hQzVL6kA +vY9cR1WbBItTA0G2F5qZ9B/3EHEFWZMBvobt+UTEkuBdAgMBAAGjYzBhMB0GA1Ud +DgQWBBQVwRMha+JVX6dqHVcg1s/zqXNkWTAfBgNVHSMEGDAWgBQVwRMha+JVX6dq +HVcg1s/zqXNkWTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq +hkiG9w0BAQsFAAOCAQEAvdAmpDPi1Wt7Hk30dXKF7Ug6MUKETi+uoO1Suo9JhNko +/cpvoi8fbo/dnWVDfHVoItEn644Svver5UJdKJY62DvhilpCtAywYfCpgxkpKoKE +dnpjnRBSMcbVDImsqvf1YjzFKiOiD7kcVvz4V0NZY91ZWwu3vgaSvcTJQkpWN0a+ +LWanpVKqigl8nskttnBeiHDHGebxj3hawlIdtVlkbQwLLwlVkX99x1F73uS33IzB +Y6+ZJ2is7mD839B8fOVd9pvPvBBgahIrw5tzJ/Q+gITuVQd9E6RVXh10/Aw+i/8S +7tHpEUgP3hBk1P+wRQBWDxbHB28lE+41jvh3JObQWQ== -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa1.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa1.pem index d0d0b9e66b01..d32d88904788 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa1.pem +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa1.pem @@ -1,49 +1,49 @@ -----BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXr9uzB/20QXKC -xhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK2bcj54XB26i1kXuOrxID -3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt+W6lSd6Hmfrk4GmE9LTU -/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JFYg4c7qt5RCk/w8kwrQ0D -orQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSebvt0APeqgRxSpCxqYnHs -CoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxMkjpJSv3/ekDG2CHYxXSH -XxpJstxZAgMBAAECggEASY4xsJaTEPwY3zxLqPdag2/yibBBW7ivz/9p80HQTlXp -KnbxXj8nNXLjCytAZ8A3P2t316PrrTdLP4ML5lGwkM4MNPhek00GY79syhozTa0i -cPHVJt+5Kwee/aVI9JmCiGAczh0yHyOM3+6ttIZvvXMVaSl4BUHvJ0ikQBc5YdzL -s6VM2gCOR6K6n+39QHDI/T7WwO9FFSNnpWFOCHwAWtyBMlleVj+xeZX8OZ/aT+35 -27yjsGNBftWKku29VDineiQC+o+fZGJs6w4JZHoBSP8TfxP8fRCFVNA281G78Xak -cEnKXwZ54bpoSa3ThKl+56J6NHkkfRGb8Rgt/ipJYQKBgQD5DKb82mLw85iReqsT -8bkp408nPOBGz7KYnQsZqAVNGfehM02+dcN5z+w0jOj6GMPLPg5whlEo/O+rt9ze -j6c2+8/+B4Bt5oqCKoOCIndH68jl65+oUxFkcHYxa3zYKGC9Uvb+x2BtBmYgvDRG -ew6I2Q3Zyd2ThZhJygUZpsjsbQKBgQDdtNiGTkgWOm+WuqBI1LT5cQfoPfgI7/da -ZA+37NBUQRe0cM7ddEcNqx7E3uUa1JJOoOYv65VyGI33Ul+evI8h5WE5bupcCEFk -LolzbMc4YQUlsySY9eUXM8jQtfVtaWhuQaABt97l+9oADkrhA+YNdEu2yiz3T6W+ -msI5AnvkHQKBgDEjuPMdF/aY6dqSjJzjzfgg3KZOUaZHJuML4XvPdjRPUlfhKo7Q -55/qUZ3Qy8tFBaTderXjGrJurc+A+LiFOaYUq2ZhDosguOWUA9yydjyfnkUXZ6or -sbvSoM+BeOGhnezdKNT+e90nLRF6cQoTD7war6vwM6L+8hxlGvqDuRNFAoGAD4K8 -d0D4yB1Uez4ZQp8m/iCLRhM3zCBFtNw1QU/fD1Xye5w8zL96zRkAsRNLAgKHLdsR -355iuTXAkOIBcJCOjveGQsdgvAmT0Zdz5FBi663V91o+IDlryqDD1t40CnCKbtRG -hng/ruVczg4x7OYh7SUKuwIP/UlkNh6LogNreX0CgYBQF9troLex6X94VTi1V5hu -iCwzDT6AJj63cS3VRO2ait3ZiLdpKdSNNW2WrlZs8FZr/mVutGEcWho8BugGMWST -1iZkYwly9Xfjnpd0I00ZIlr2/B3+ZsK8w5cOW5Lpb7frol6+BkDnBjbNZI5kQndn -zQpuMJliRlrq/5JkIbH6SA== +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDax3T7alefZcbm +CcdN0kEoBLwV8H25vre43RYjuPo64TBjeKUy27ayC1TXydF1eYm3HPrFYfkS0fZ6 +YK0xvwyxiQnesvcfnVe2fpXFPsl5RQvu1JKM7rJAuLC+YTRLez07IHhQnHQ25ZkR ++B4SL5mIhuOSJ9yyFJYJQ3Kdw/aX/jtnWVR8p3FyghJptWIm90ufW4xWFY0yNSW1 +KmkZuOWF7VPh5RC1C7woB/RHhyD2gOP7tF+eDJ/QbX4iki4gPRFHuNrSV8ZpvDkI +qqyF5BW8tyJneDkoWW8IuEpmNIzfbOCHvI6y7roeAmRrwH4/o5WxaEIsnQ/3pNvj +n6+vA+nfAgMBAAECggEAFR5MHQQYCYjDXoDoI7YdgwA+AFIoGLjKYZu5yjX4tZv3 +gJ/si7sTaMlY5cGTU1HUPirxIVeCjv4Eha31BJ3KsGJ9jj6Gm0nOuzd/O+ctKeRv +2/HaDvpFlk4dsCrlkjmxteuS9u5l9hygniWYutcBwjY0cRnMScZcm0VO+DVVMDj0 +9yNrFzhlmqV+ckawjK/J91r0uvnCVIsGA6akhlc5K0gwvFb/CC1WuceEeGx/38k3 +4OuiHtLyJfIlgyGD8C3QfJlMOBHeQ/DCo6GMqrOAad/chtcO7JklcJ+k2qylP2gu +e25NJCQVh+L32b9WrH3quH6fbLIg8a8MmUWl6te3FQKBgQDddu0Dp8R8fe2WnAE5 +oXdASAf2BpthRNqUdYpkkO7gOV0MXCKIEiGZ+WuWEYmNlsXZCJRABprqLw9O/5Td +2q+rCbdG9mSW2x82t/Ia4zd3r0RSHZyKbtOLtgmWfQkwVHy+rED8Juie5bNzHbjS +1mYtFP2KDQ5yZA95yFg8ZtXOawKBgQD85VOPnfXGOJ783JHepAn4J2x1Edi+ZDQ+ +Ml9g2LwetI46dQ0bF6V8RtcyWp0+6+ydX5U4JKhERFDivolD7Z1KFmlNLPs0cqSX +5g5kzTD+R+zpr9FRragYKyLdHsLP0ur75Rh5FQkUl2DmeKCMvMKAkio0cduVpVXT +SvWUBtkHXQKBgBy4VoZZ1GZcolocwx/pK6DfdoDWXIIhvsLv91GRZhkX91QqAqRo +zYi9StF8Vr1Q5zl9HlSrRp3GGpMhG/olaRCiQu1l+KeDpSmgczo/aysPRKntgyaE +ttRweA/XCUEGQ+MqTYcluJcarMnp+dUFztxb04F6rfvxs/wUGjVDFMkfAoGBAK+F +wx9UtPZk6gP6Wsu58qlnQ2Flh5dtGM1qTMR86OQu0OBFyVjaaqL8z/NE7Qp02H7J +jlmvJ5JqD/Gv6Llau+Zl86P66kcWoqJCrA7OU4jJBueSfadA7gAIQGRUK0Xuz+UQ +tpGjRfAiuMB9TIEhqaVuzRglRhBw9kZ2KkgZEJyJAoGBANrEpEwOhCv8Vt1Yiw6o +co96wYj+0LARJXw6rIfEuLkthBRRoHqQMKqwIGMrwjHlHXPnQmajONzIJd+u+OS4 +psCGetAIGegd3xNVpK2uZv9QBWBpQbuofOh/c2Ctmm2phL2sVwCZ0qwIeXuBwJEc +NOlOojKDO+dELErpShJgFIaU -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBSU0EgIzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQDXr9uzB/20QXKCxhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK -2bcj54XB26i1kXuOrxID3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt -+W6lSd6Hmfrk4GmE9LTU/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JF -Yg4c7qt5RCk/w8kwrQ0DorQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSe -bvt0APeqgRxSpCxqYnHsCoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxM -kjpJSv3/ekDG2CHYxXSHXxpJstxZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD -VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBTmjc+lrTQuYx/VBOBGjMvufajvhDAfBgNV -HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA -dr2IRXcFtlF16kKWs1VTaFIHHNQrfSVHBkhKblPX3f/0s/i3eXgwKUu7Hnb6T3/o -E8L+e4ioQNhahTLt9ruJNHWA/QDwOfkqM3tshCs2xOD1Cpy7Bd3Dn0YBrHKyNXRK -WelGp+HetSXJGW4IZJP7iES7Um0DGktLabhZbe25EnthRDBjNnaAmcofHECWESZp -lEHczGZfS9tRbzOCofxvgLbF64H7wYSyjAe6R8aain0VRbIusiD4tCHX/lOMh9xT -GNBW8zTL+tV9H1unjPMORLnT0YQ3oAyEND0jCu0ACA1qGl+rzxhF6bQcTUNEbRMu -9Hjq6s316fk4Ne0EUF3PbA== +MIIDeTCCAmGgAwIBAgIUM6U1Peo3wzfAJIrzINejJJfmRzkwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw +NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMxMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA2sd0+2pXn2XG5gnHTdJBKAS8FfB9ub63uN0WI7j6 +OuEwY3ilMtu2sgtU18nRdXmJtxz6xWH5EtH2emCtMb8MsYkJ3rL3H51Xtn6VxT7J +eUUL7tSSjO6yQLiwvmE0S3s9OyB4UJx0NuWZEfgeEi+ZiIbjkifcshSWCUNyncP2 +l/47Z1lUfKdxcoISabViJvdLn1uMVhWNMjUltSppGbjlhe1T4eUQtQu8KAf0R4cg +9oDj+7Rfngyf0G1+IpIuID0RR7ja0lfGabw5CKqsheQVvLciZ3g5KFlvCLhKZjSM +32zgh7yOsu66HgJka8B+P6OVsWhCLJ0P96Tb45+vrwPp3wIDAQABo2AwXjAMBgNV +HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUHw4Us7FXwgLtZ1JB +MOAHSkNYfEkwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI +hvcNAQELBQADggEBAAMAXEjTNo7evn6BvfEaG2q21q9xfFear/M0zxc5xcTj+WP+ +BKrlxXg5RlVFyvmzGhwZBERsDMJYa54aw8scDJsy/0zPdWST39dNev7xH13pP8nF +QF4MGPKIqBzX8iDCqhz70p1w2ndLjz1dvsAqn6z9/Sh3T2kj6DfZY3jA49pMEim1 +vYd4lWa5AezU3+cLtBbo2c2iyG2W7SFpnNTjLX823f9rbVPnUb93ZI/tDXDIf5hL +0hocZs+MWdC7Ly1Ru4PXa6+DeOM0z673me/Q27e24OBbG2eq5g7eW5euxJinGkpI +XGGKTKrBCPxSdTtwSNHU9HsggT8a0wXL2QocZ3w= -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa2.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa2.pem index 2f17cb2978f4..a7a21fc80fac 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa2.pem +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa2.pem @@ -1,49 +1,49 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcYC4tS2Uvn1Z2 -iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iFAzAnwqR/UB1R67ETrsWq -V8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFpcXepPWQacpuBq2VvcKRD -lDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS0PZ9EZB63T1gmwaK1Rd5 -U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1NcojhptIWyI0r7dgn5J3 -NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0EFWyQf7iDxGaA93Y9ePB -Jv5iFZVZAgMBAAECggEBAILIPX856EHb0KclbhlpfY4grFcdg9LS04grrcTISQW1 -J3p9nBpZ+snKe6I8Yx6lf5PiipPsSLlCliHiWpIzJZVQCkAQiSPiHttpEYgP2IYI -dH8dtznkdVbLRthZs0bnnPmpHCpW+iqpcYJ9eqkz0cvUNUGOjjWmwWmoRqwp/8CW -3S1qbkQiCh0Mk2fQeGar76R06kXQ9MKDEj14zyS3rJX+cokjEoMSlH8Sbmdh2mJz -XlNZcvqmeGJZwQWgbVVHOMUuZaKJiFa+lqvOdppbqSx0AsCRq6vjmjEYQEoOefYK -3IJM9IvqW5UNx0Cy4kQdjhZFFwMO/ALD3QyF21iP4gECgYEA+isQiaWdaY4UYxwK -Dg+pnSCKD7UGZUaCUIv9ds3CbntMOONFe0FxPsgcc4jRYQYj1rpQiFB8F11+qXGa -P/IHcnjr2+mTrNY4I9Bt1Lg+pHSS8QCgzeueFybYMLaSsXUo7tGwpvw6UUb6/YWI -LNCzZbrCLg1KZjGODhhxtvN45ZkCgYEA4YNSe+GMZlxgsvxbLs86WOm6DzJUPvxN -bWmni0+Oe0cbevgGEUjDVc895uMFnpvlgO49/C0AYJ+VVbStjIMgAeMnWj6OZoSX -q49rI8KmKUxKgORZiiaMqGWQ7Rxv68+4S8WANsjFxoUrE6dNV3uYDIUsiSLbZeI8 -38KVTcLohcECgYEAiOdyWHGq0G4xl/9rPUCzCMsa4velNV09yYiiwBZgVgfhsawm -hQpOSBZJA60XMGqkyEkT81VgY4UF4QLLcD0qeCnWoXWVHFvrQyY4RNZDacpl87/t -QGO2E2NtolL3umesa+2TJ/8Whw46Iu2llSjtVDm9NGiPk5eA7xPPf1iEi9kCgYAb -0EmVE91wJoaarLtGS7LDkpgrFacEWbPnAbfzW62UENIX2Y1OBm5pH/Vfi7J+vHWS -8E9e0eIRCL2vY2hgQy/oa67H151SkZnvQ/IP6Ar8Xvd1bDSK8HQ6tMQqKm63Y9g0 -KDjHCP4znOsSMnk8h/bZ3HcAtvbeWwftBR/LBnYNQQKBgA1leIXLLHRoX0VtS/7e -y7Xmn7gepj+gDbSuCs5wGtgw0RB/1z/S3QoS2TCbZzKPBo20+ivoRP7gcuFhduFR -hT8V87esr/QzLVpjLedQDW8Xb7GiO3BsU/gVC9VcngenbL7JObl3NgvdreIYo6+n -yrLyf+8hjm6H6zkjqiOkHAl+ +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkoMi4sqj2mN8j +SaFAibXEfeYYrzBHIdCm/uaXWit81fXOSFVw1rbeAppxz7bOcSEN50lpdP2UX3/b +FYFD3exHXjvch9NPNgQaNkCqTNTuYa2L9wrpltXnon7tH3W/zZfF+/qpUSu1f6rk +GyxjVXxLwjIawCX0rbLcdFCVVy+EyvQkvSxXjafrDMzshWzPDbtjUv3SH6avqrPn +4NX0fv3BdBwTfDLAw/m8nN+9B9Mg0V7UNM1IJY/Vo5pLhv+MrEf8SnAS+1Wt43rT +3PY9iMZMMWUswdgmPY0yCN95ggwNrSMGV60yvEDxINWuJoR8s0lybDdFa+AB5v4T +hqKpspFNAgMBAAECggEAZmWu0K5QJ7Y7Rlo9ayLicsFyk36vUESQZ6MF0ybzEEPi +BkR2ZAX+vDuNQckm1pprlAcRZbactl35bT3Z+fQE1cgaZoC8/x6xwq2m0796pNPB +v0zjqdBBOLAaSgjLm56wyd88GqZ8vZsTBnw3KrxIYcP13e5OcaJ0V/GOf/yfD0lg +Tq9i7V5Iq++Fpo2KvJA8FMgqcfhvhdo40rRykoBfzEZpBk4Ia/Yijsbx5sE15pFZ +DfmsMbD+vViuM8IavHo61mBNyYeydwlgIMqUgP/6xbYUov/XSUojrLG+IQuvDx9D +xzTHGM+IBJxQZMza/mDVcjUAcDEjWt/Mve8ibTQCbwKBgQDyaiGsURtlf/8xmmvT +RQQFFFsJ8SXHNYmnceNULIjfDxpLk1yC4kBNUD+liAJscoVlOcByHmXQRtnY1PHq +AwyrwplGd82773mtriDVFSjhD+GB7I0Hv2j+uiFZury0jR/6/AsWKCtTqd0opyuB +8rGZjguiwZIjeyxd8mL1dncUHwKBgQDxcNxHUvIeDBvAmtK65xWUuLcqtK9BblBH +YVA7p93RqX4E+w3J0OCvQRQ3r1GCMMzFEO0oOvNfMucU4rbQmx1pbzF8aQU+8iEW +kYpaWUbPUQ2hmBblhjGYHsigt/BrzaW0QveVIWcGiyVVX9wiCzJH5moJlCRK2oHR +B36hdlmNEwKBgQCSlWSpOx4y4RQiHXtn9Eq6+5UVTPGIJTKIwxAwnQFiyFIhMwl0 +x3UUixsBcF3uz80j6akaGJF+QOmH+TQTSibGUdS3TMhmBSfxwuJtlu7yMNUu6Chb +b/4AUfLKvGVRVCjrbq8Rhda1L3jhFTz0xhlofgFBOIWy2M96O5BlV24oBwKBgQDs +cf93ZfawkGEZVUXsPeQ3mlHe48YCCPtbfCSr13B3JErCq+5L52AyoUQgaHQlUI8o +qrPmQx0V7O662G/6iP3bxEYtNVgq1cqrpGpeorGi1BjKWPyLWMj21abbJmev21xc +1XxLMsQHd3tfSZp2SIq8OR09NjP4jla1k2Ziz1lRuwKBgQCUJXjhW4dPoOzC7DJK +u4PsxcKkJDwwtfNudVDaHcbvvaHELTAkE2639vawH0TRwP6TDwmlbTQJP4EW+/0q +13VcNXVAZSruA9dvxlh4vNUH3PzTDdFIJzGVbYbV9p5t++EQ7gRLuLZqs99BOzM9 +k6W9F60mEFz1Owh+lQv7WfSIVA== -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBSU0EgIzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQDcYC4tS2Uvn1Z2iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iF -AzAnwqR/UB1R67ETrsWqV8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFp -cXepPWQacpuBq2VvcKRDlDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS -0PZ9EZB63T1gmwaK1Rd5U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1 -NcojhptIWyI0r7dgn5J3NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0 -EFWyQf7iDxGaA93Y9ePBJv5iFZVZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD -VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBT0arpyYMHXDPVL7MvzE+lx71L7sjAfBgNV -HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA -I8nM42am3aImkZyrw8iGkaGhKyi/dfajSWx6B9izBUh+3FleBnUxxOA+mn7M8C47 -Ne18iaaWK8vEux9KYTIY8BzXQZL1AuZ896cXEc6bGKsME37JSsocfuB5BIGWlYLv -/ON5/SJ0iVFj4fAp8z7Vn5qxRJj9BhZDxaO1Raa6cz6pm0imJy9v8y01TI6HsK8c -XJQLs7/U4Qb91K+IDNX/lgW3hzWjifNpIpT5JyY3DUgbkD595LFV5DDMZd0UOqcv -6cyN42zkX8a0TWr3i5wu7pw4k1oD19RbUyljyleEp0DBauIct4GARdBGgi5y1H2i -NzYzLAPBkHCMY0Is3KKIBw== +MIIDeTCCAmGgAwIBAgIUTMQXiTcI/rpzqO91NyFWpjLE3KkwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw +NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMyMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA5KDIuLKo9pjfI0mhQIm1xH3mGK8wRyHQpv7ml1or +fNX1zkhVcNa23gKacc+2znEhDedJaXT9lF9/2xWBQ93sR1473IfTTzYEGjZAqkzU +7mGti/cK6ZbV56J+7R91v82Xxfv6qVErtX+q5BssY1V8S8IyGsAl9K2y3HRQlVcv +hMr0JL0sV42n6wzM7IVszw27Y1L90h+mr6qz5+DV9H79wXQcE3wywMP5vJzfvQfT +INFe1DTNSCWP1aOaS4b/jKxH/EpwEvtVreN609z2PYjGTDFlLMHYJj2NMgjfeYIM +Da0jBletMrxA8SDVriaEfLNJcmw3RWvgAeb+E4aiqbKRTQIDAQABo2AwXjAMBgNV +HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUSJ0v3SKahe6eKssR +rBvYLBprFTgwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI +hvcNAQELBQADggEBAKoyszyZ3DfCOIVzeJrnScXuMvRkVqO5aGmgZxtY9r6gPk8v +gXaEFXDKqRbGqEnuwEjpew+SVZO8nrVpdIP7fydpufy7Cu91Ev4YL1ui5Vc66+IK +7dXV7eZYcH/dDJBPZddHx9vGhcr0w8B1W9nldM3aQE/RQjOmMRDc7/Hnk0f0RzJp +LA0adW3ry27z2s4qeCwkV9DNSh1KoGfcLwydBiXmJ1XINMFH/scD4pk9UeJpUL+5 +zvTaDzUmzLsI1gH3j/rlzJuNJ7EMfggKlfQdit9Qn6+6Gjk6T5jkZfzcq3LszuEA +EFtkxWyBmmEgh4EmvZGAyrUvne1hIIksKe3iJ+E= -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa3.pem b/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa3.pem index 14c27f64aa90..980d3af3b4c9 100644 --- a/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa3.pem +++ b/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa3.pem @@ -1,49 +1,49 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyK+BTAOJKJjji -OhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVCFoVBz5doMf3M6QIS2jL3 -Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsFSTxytUVpfcByrubWiLKX -63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuWm/gavozkK103gQ+dUq4H -XamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enhav2sXDfOmZp/DYf9IqS7l -vFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p1diWRpaSn62bbkRN49j6 -L2dVb+DfAgMBAAECggEAciwDl6zdVT6g/PbT/+SMA+7qgYHSN+1koEQaJpgjzGEP -lUUfj8TewCtzXaIoyj9IepBuXryBg6snNXpT/w3bqgYon/7zFBvxkUpDj4A5tvKf -BuY2fZFlpBvUu1Ju1eKrFCptBBBoA9mc+BUB/ze4ktrAdJFcxZoMlVScjqGB3GdR -OHw2x9BdWGCJBhiu9VHhAAb/LVWi6xgDumYSWZwN2yovg+7J91t5bsENeBRHycK+ -i5dNFh1umIK9N0SH6bpHPnLHrCRchrQ6ZRRxL4ZBKA9jFRDeI7OOsJuCvhGyJ1se -snsLjr/Ahg00aiHCcC1SPQ6pmXAVBCG7hf4AX82V4QKBgQDaFDE+Fcpv84mFo4s9 -wn4CZ8ymoNIaf5zPl/gpH7MGots4NT5+Ns+6zzJQ6TEpDjTPx+vDaabP7QGXwVZn -8NAHYvCQK37b+u9HrOt256YYRDOmnJFSbsJdmqzMEzpTNmQ8GuI37cZCS9CmSMv+ -ab/plcwuv0cJRSC83NN2AFyu1QKBgQDRJzKIBQlpprF9rA0D5ZjLVW4OH18A0Mmm -oanw7qVutBaM4taFN4M851WnNIROyYIlkk2fNgW57Y4M8LER4zLrjU5HY4lB0BMX -LQWDbyz4Y7L4lVnnEKfQxWFt9avNZwiCxCxEKy/n/icmVCzc91j9uwKcupdzrN6E -yzPd1s5y4wKBgQCkJvzmAdsOp9/Fg1RFWcgmIWHvrzBXl+U+ceLveZf1j9K5nYJ7 -2OBGer4iH1XM1I+2M4No5XcWHg3L4FEdDixY0wXHT6Y/CcThS+015Kqmq3fBmyrc -RNjzQoF9X5/QkSmkAIx1kvpgXtcgw70htRIrToGSUpKzDKDW6NYXhbA+PQKBgDJK -KH5IJ8E9kYPUMLT1Kc4KVpISvPcnPLVSPdhuqVx69MkfadFSTb4BKbkwiXegQCjk -isFzbeEM25EE9q6EYKP+sAm+RyyJ6W0zKBY4TynSXyAiWSGUAaXTL+AOqCaVVZiL -rtEdSUGQ/LzclIT0/HLV2oTw4KWxtTdc3LXEhpNdAoGBAM3LckiHENqtoeK2gVNw -IPeEuruEqoN4n+XltbEEv6Ymhxrs6T6HSKsEsLhqsUiIvIzH43KMm45SNYTn5eZh -yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF -RvOAi5wVkYylDxV4238MAZIq +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD5A/t3norj/167 +toKG1Ygtg3G+pZ4Nwl5a9flnm8JdSMW5TEEP1TSvDVIEuAVi7xqoAn6heypoaMkB +GJ+AoSo9R7umdhhq2vnmWFNsdH6oDzynVXixyURo81YrN3sn9Xd55ivTiSpZXldi +ECr2T0BYvOw0h497bPs6gY9LqgrBHNYVF3lFhdOmYWv+2qSdti+1gV3t24pv1CrK +2AdX5Epdd5jR+eNnt+suZqoPC0hTcNjszJLcfDYFXHva9BcE0DfrgcYSmoSBU53M +jt63TClK6ZoVcPJ7vXjFRHncvs1/d+nc9BdL9FsGI1ezspSwcJHqex2wgo76yDrq +DE4s23rPAgMBAAECggEAEDi+VWD5VUpjD5zWOoPQiRDGBJBhtMAKkl6okxEmXvWb +Xz3STFnjHgA1JFHW3bRU9BHI9k8vSHmnlnkfKb3V/ZX5IHNcKCHb/x9NBak+QLVQ +0zLtfE9vxiTC0B/oac+MPaiD4hYFQ81pFwK6VS0Poi8ZCBJtOkRqfUvsyV8zZrgh +/6cs4mwOVyZPFRgF9eWXYv7PJz8pNRizhII0iv9H/r2I3DzsZLPCg7c29mP+I/SG +A7Pl82UXjtOc0KurGY2M5VheZjxJT/k/FLMkWY2GS5n6dfcyzsVSKb25HoeuvQsI +vs1mKs+Onbobdc17hCcKVJzbi3DwXs5XDhrEzfHccQKBgQD88uBxVCRV31PsCN6I +pKxQDGgz+1BqPqe7KMRiZI7HgDUK0eCM3/oG089/jsBtJcSxnScLSVNBjQ+xGiFi +YCD4icQoJSzpqJyR6gDq5lTHASAe+9LWRW771MrtyACQWNXowYEyu8AjekrZkCUS +wIKVpw57oWykzIoS7ixZsJ8gxwKBgQD8BPWqJEsLiQvOlS5E/g88eV1KTpxm9Xs+ +BbwsDXZ7m4Iw5lYaUu5CwBB/2jkGGRl8Q/EfAdUT7gXv3t6x5b1qMXaIczmRGYto +NuI3AH2MPxAa7lg5TgBgie1r7PKwyPMfG3CtDx6n8W5sexgJpbIy5u7E+U6d8s1o +c7EcsefduQKBgCkHJAx9v18GWFBip+W2ABUDzisQSlzRSNd8p03mTZpiWzgkDq4K +7j0JQhDIkMGjbKH6gYi9Hfn17WOmf1+7g92MSvrP/NbxeGPadsejEIEu14zu/6Wt +oXDLdRbYZ+8B2cBlEpWuCl42yck8Lic6fnPTou++oSah3otvglYR5d2lAoGACd8L +3FE1m0sP6lSPjmZBJIZAcDOqDqJY5HIHD9arKGZL8CxlfPx4lqa9PrTGfQWoqORk +YmmI9hHhq6aYJHGyPKGZWfjhbVyJyFg1/h+Hy2GA+P0S+ZOjkiR050BNtTz5wOMr +Q6wO8FcVkywzIdWaqEHBYne9a5RiFVBKxKv3QAkCgYBxmCBKajFkMVb4Uc55WqJs +Add0mctGgmZ1l5vq81eWe3wjM8wgfJgaD3Q3gwx2ABUX/R+OsVWSh4o5ZR86sYoz +TviknBHF8GeDLjpT49+04fEaz336J2JOptF9zIpz7ZK1nrOEjzaZGtumReVjUP7X +fNcb5iDYqZRzD8ixBbLxUw== -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBSU0EgIzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQCyK+BTAOJKJjjiOhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVC -FoVBz5doMf3M6QIS2jL3Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsF -STxytUVpfcByrubWiLKX63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuW -m/gavozkK103gQ+dUq4HXamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enha -v2sXDfOmZp/DYf9IqS7lvFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p -1diWRpaSn62bbkRN49j6L2dVb+DfAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD -VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQ6CkW5sa6HrBsWvuPOvMjyL5AnsDAfBgNV -HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA -JhcrD7AKafVzlncA3cZ6epAruj1xwcfiE+EbuAaeWEGjoSltmevcjgoIxvijRVcp -sCbNmHJZ/siQlqzWjjf3yoERvLDqngJZZpQeocMIbLRQf4wgLAuiBcvT52wTE+sa -VexeETDy5J1OW3wE4A3rkdBp6hLaymlijFNnd5z/bP6w3AcIMWm45yPm0skM8RVr -O3UstEFYD/iy+p+Y/YZDoxYQSW5Vl+NkpGmc5bzet8gQz4JeXtH3z5zUGoDM4XK7 -tXP3yUi2eecCbyjh/wgaQiVdylr1Kv3mxXcTl+cFO22asDkh0R/y72nTCu5fSILY -CscFo2Z2pYROGtZDmYqhRw== +MIIDeTCCAmGgAwIBAgIUIDyc//j/LoNDesZTGbPBoVarv4EwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw +NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMzMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA+QP7d56K4/9eu7aChtWILYNxvqWeDcJeWvX5Z5vC +XUjFuUxBD9U0rw1SBLgFYu8aqAJ+oXsqaGjJARifgKEqPUe7pnYYatr55lhTbHR+ +qA88p1V4sclEaPNWKzd7J/V3eeYr04kqWV5XYhAq9k9AWLzsNIePe2z7OoGPS6oK +wRzWFRd5RYXTpmFr/tqknbYvtYFd7duKb9QqytgHV+RKXXeY0fnjZ7frLmaqDwtI +U3DY7MyS3Hw2BVx72vQXBNA364HGEpqEgVOdzI7et0wpSumaFXDye714xUR53L7N +f3fp3PQXS/RbBiNXs7KUsHCR6nsdsIKO+sg66gxOLNt6zwIDAQABo2AwXjAMBgNV +HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUN9pGq/UFS3o50rTi +V+AYgAk+3R4wHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI +hvcNAQELBQADggEBAGcOh380/6aJqMpYBssuf2CB3DX/hGKdvEF7fF8iNSfl5HHq +112kHl3MhbL9Th/safJq9sLDJqjXRNdVCUJJbU4YI2P2gsi04paC0qxWxMLtzQLd +CE7ki2xH94Fuu/dThbpzZBABROO1RrdI24GDGt9t4Gf0WVkobmT/zNlwGppKTIB2 +iV/Ug30iKr/C49UzwUIa+XXXujkjPTmGSnrKwVQNxQh81rb+iTL7GEnNuqDsatHW +ZyLS2SaVdG5tMqDkITPMDGjehUzJcAbVc8Bv4m8Ukuov3uDj2Doc6MxlvrVkV0AE +BcSCb/bWQJJ/X4LQZlx9cMk4NINxV9UeFPZOefg= -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/ssl-tests/10-resumption.conf b/crypto/external/bsd/openssl/dist/test/ssl-tests/10-resumption.conf index 73de974ab013..a33a1d80e4d5 100644 --- a/crypto/external/bsd/openssl/dist/test/ssl-tests/10-resumption.conf +++ b/crypto/external/bsd/openssl/dist/test/ssl-tests/10-resumption.conf @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 65 +num_tests = 68 test-0 = 0-resumption test-1 = 1-resumption @@ -67,6 +67,9 @@ test-61 = 61-resumption test-62 = 62-resumption test-63 = 63-resumption test-64 = 64-resumption-with-hrr +test-65 = 65-resumption-when-mfl-ext-is-missing +test-66 = 66-resumption-when-mfl-ext-is-different +test-67 = 67-resumption-when-mfl-ext-is-correct # =========================================================== [0-resumption] @@ -2437,3 +2440,119 @@ Method = TLS ResumptionExpected = Yes +# =========================================================== + +[65-resumption-when-mfl-ext-is-missing] +ssl_conf = 65-resumption-when-mfl-ext-is-missing-ssl + +[65-resumption-when-mfl-ext-is-missing-ssl] +server = 65-resumption-when-mfl-ext-is-missing-server +client = 65-resumption-when-mfl-ext-is-missing-client +resume-server = 65-resumption-when-mfl-ext-is-missing-server +resume-client = 65-resumption-when-mfl-ext-is-missing-resume-client + +[65-resumption-when-mfl-ext-is-missing-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[65-resumption-when-mfl-ext-is-missing-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[65-resumption-when-mfl-ext-is-missing-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-65] +ExpectedResult = ServerFail +HandshakeMode = Resume +ResumptionExpected = No +client = 65-resumption-when-mfl-ext-is-missing-client-extra + +[65-resumption-when-mfl-ext-is-missing-client-extra] +MaxFragmentLenExt = 512 + + +# =========================================================== + +[66-resumption-when-mfl-ext-is-different] +ssl_conf = 66-resumption-when-mfl-ext-is-different-ssl + +[66-resumption-when-mfl-ext-is-different-ssl] +server = 66-resumption-when-mfl-ext-is-different-server +client = 66-resumption-when-mfl-ext-is-different-client +resume-server = 66-resumption-when-mfl-ext-is-different-server +resume-client = 66-resumption-when-mfl-ext-is-different-resume-client + +[66-resumption-when-mfl-ext-is-different-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[66-resumption-when-mfl-ext-is-different-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[66-resumption-when-mfl-ext-is-different-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-66] +ExpectedResult = ServerFail +HandshakeMode = Resume +ResumptionExpected = No +client = 66-resumption-when-mfl-ext-is-different-client-extra +resume-client = 66-resumption-when-mfl-ext-is-different-resume-client-extra + +[66-resumption-when-mfl-ext-is-different-client-extra] +MaxFragmentLenExt = 512 + +[66-resumption-when-mfl-ext-is-different-resume-client-extra] +MaxFragmentLenExt = 1024 + + +# =========================================================== + +[67-resumption-when-mfl-ext-is-correct] +ssl_conf = 67-resumption-when-mfl-ext-is-correct-ssl + +[67-resumption-when-mfl-ext-is-correct-ssl] +server = 67-resumption-when-mfl-ext-is-correct-server +client = 67-resumption-when-mfl-ext-is-correct-client +resume-server = 67-resumption-when-mfl-ext-is-correct-server +resume-client = 67-resumption-when-mfl-ext-is-correct-resume-client + +[67-resumption-when-mfl-ext-is-correct-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[67-resumption-when-mfl-ext-is-correct-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[67-resumption-when-mfl-ext-is-correct-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-67] +ExpectedResult = Success +HandshakeMode = Resume +ResumptionExpected = Yes +client = 67-resumption-when-mfl-ext-is-correct-client-extra +resume-client = 67-resumption-when-mfl-ext-is-correct-resume-client-extra + +[67-resumption-when-mfl-ext-is-correct-client-extra] +MaxFragmentLenExt = 512 + +[67-resumption-when-mfl-ext-is-correct-resume-client-extra] +MaxFragmentLenExt = 512 + + diff --git a/crypto/external/bsd/openssl/dist/test/ssl-tests/11-dtls_resumption.conf b/crypto/external/bsd/openssl/dist/test/ssl-tests/11-dtls_resumption.conf index a981fa51dfdf..635279a30f37 100644 --- a/crypto/external/bsd/openssl/dist/test/ssl-tests/11-dtls_resumption.conf +++ b/crypto/external/bsd/openssl/dist/test/ssl-tests/11-dtls_resumption.conf @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 16 +num_tests = 19 test-0 = 0-resumption test-1 = 1-resumption @@ -18,6 +18,9 @@ test-12 = 12-resumption test-13 = 13-resumption test-14 = 14-resumption test-15 = 15-resumption +test-16 = 16-resumption-when-mfl-ext-is-missing +test-17 = 17-resumption-when-mfl-ext-is-different +test-18 = 18-resumption-when-mfl-ext-is-correct # =========================================================== [0-resumption] @@ -618,3 +621,122 @@ Method = DTLS ResumptionExpected = Yes +# =========================================================== + +[16-resumption-when-mfl-ext-is-missing] +ssl_conf = 16-resumption-when-mfl-ext-is-missing-ssl + +[16-resumption-when-mfl-ext-is-missing-ssl] +server = 16-resumption-when-mfl-ext-is-missing-server +client = 16-resumption-when-mfl-ext-is-missing-client +resume-server = 16-resumption-when-mfl-ext-is-missing-server +resume-client = 16-resumption-when-mfl-ext-is-missing-resume-client + +[16-resumption-when-mfl-ext-is-missing-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[16-resumption-when-mfl-ext-is-missing-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[16-resumption-when-mfl-ext-is-missing-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-16] +ExpectedResult = ServerFail +HandshakeMode = Resume +Method = DTLS +ResumptionExpected = No +client = 16-resumption-when-mfl-ext-is-missing-client-extra + +[16-resumption-when-mfl-ext-is-missing-client-extra] +MaxFragmentLenExt = 512 + + +# =========================================================== + +[17-resumption-when-mfl-ext-is-different] +ssl_conf = 17-resumption-when-mfl-ext-is-different-ssl + +[17-resumption-when-mfl-ext-is-different-ssl] +server = 17-resumption-when-mfl-ext-is-different-server +client = 17-resumption-when-mfl-ext-is-different-client +resume-server = 17-resumption-when-mfl-ext-is-different-server +resume-client = 17-resumption-when-mfl-ext-is-different-resume-client + +[17-resumption-when-mfl-ext-is-different-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[17-resumption-when-mfl-ext-is-different-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[17-resumption-when-mfl-ext-is-different-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-17] +ExpectedResult = ServerFail +HandshakeMode = Resume +Method = DTLS +ResumptionExpected = No +client = 17-resumption-when-mfl-ext-is-different-client-extra +resume-client = 17-resumption-when-mfl-ext-is-different-resume-client-extra + +[17-resumption-when-mfl-ext-is-different-client-extra] +MaxFragmentLenExt = 512 + +[17-resumption-when-mfl-ext-is-different-resume-client-extra] +MaxFragmentLenExt = 1024 + + +# =========================================================== + +[18-resumption-when-mfl-ext-is-correct] +ssl_conf = 18-resumption-when-mfl-ext-is-correct-ssl + +[18-resumption-when-mfl-ext-is-correct-ssl] +server = 18-resumption-when-mfl-ext-is-correct-server +client = 18-resumption-when-mfl-ext-is-correct-client +resume-server = 18-resumption-when-mfl-ext-is-correct-server +resume-client = 18-resumption-when-mfl-ext-is-correct-resume-client + +[18-resumption-when-mfl-ext-is-correct-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[18-resumption-when-mfl-ext-is-correct-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[18-resumption-when-mfl-ext-is-correct-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-18] +ExpectedResult = Success +HandshakeMode = Resume +Method = DTLS +ResumptionExpected = Yes +client = 18-resumption-when-mfl-ext-is-correct-client-extra +resume-client = 18-resumption-when-mfl-ext-is-correct-resume-client-extra + +[18-resumption-when-mfl-ext-is-correct-client-extra] +MaxFragmentLenExt = 512 + +[18-resumption-when-mfl-ext-is-correct-resume-client-extra] +MaxFragmentLenExt = 512 + + diff --git a/crypto/external/bsd/openssl/dist/test/ssl-tests/16-certstatus.conf b/crypto/external/bsd/openssl/dist/test/ssl-tests/16-certstatus.conf deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/crypto/external/bsd/openssl/dist/test/ssl-tests/30-supported-groups.conf b/crypto/external/bsd/openssl/dist/test/ssl-tests/30-supported-groups.conf new file mode 100644 index 000000000000..4280db7114d6 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/ssl-tests/30-supported-groups.conf @@ -0,0 +1,54 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 2 + +test-0 = 0-Just a sanity test case +test-1 = 1-Pass with empty groups with TLS1.2 +# =========================================================== + +[0-Just a sanity test case] +ssl_conf = 0-Just a sanity test case-ssl + +[0-Just a sanity test case-ssl] +server = 0-Just a sanity test case-server +client = 0-Just a sanity test case-client + +[0-Just a sanity test case-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[0-Just a sanity test case-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-0] +ExpectedResult = Success + + +# =========================================================== + +[1-Pass with empty groups with TLS1.2] +ssl_conf = 1-Pass with empty groups with TLS1.2-ssl + +[1-Pass with empty groups with TLS1.2-ssl] +server = 1-Pass with empty groups with TLS1.2-server +client = 1-Pass with empty groups with TLS1.2-client + +[1-Pass with empty groups with TLS1.2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[1-Pass with empty groups with TLS1.2-client] +CipherString = DEFAULT +Groups = sect163k1 +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-1] +ExpectedResult = Success + + diff --git a/crypto/external/bsd/openssl/dist/test/ssl-tests/30-supported-groups.conf.in b/crypto/external/bsd/openssl/dist/test/ssl-tests/30-supported-groups.conf.in new file mode 100644 index 000000000000..edffc0ffc92b --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/ssl-tests/30-supported-groups.conf.in @@ -0,0 +1,45 @@ +# -*- mode: perl; -*- +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +## SSL test configurations + +package ssltests; +use OpenSSL::Test::Utils; + +our @tests = ( + { + name => "Just a sanity test case", + server => { }, + client => { }, + test => { "ExpectedResult" => "Success" }, + }, +); + +our @tests_tls1_3 = ( + { + name => "Fail empty groups with TLS1.3", + server => { }, + client => { "Groups" => "sect163k1" }, + test => { "ExpectedResult" => "ClientFail" }, + }, +); + +our @tests_tls1_2 = ( + { + name => "Pass with empty groups with TLS1.2", + server => { }, + client => { "Groups" => "sect163k1", + "MaxProtocol" => "TLSv1.2" }, + test => { "ExpectedResult" => "Success" }, + }, +); + +push @tests, @tests_tls1_3 unless disabled("tls1_3") + || !disabled("ec2m") || disabled("ec"); +push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec"); diff --git a/crypto/external/bsd/openssl/dist/test/ssl-tests/protocol_version.pm b/crypto/external/bsd/openssl/dist/test/ssl-tests/protocol_version.pm index 943719e84add..bca0f0ba03e4 100644 --- a/crypto/external/bsd/openssl/dist/test/ssl-tests/protocol_version.pm +++ b/crypto/external/bsd/openssl/dist/test/ssl-tests/protocol_version.pm @@ -1,5 +1,5 @@ # -*- mode: perl; -*- -# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -265,6 +265,69 @@ sub generate_resumption_tests { }; } + push @client_tests, { + "name" => "resumption-when-mfl-ext-is-missing", + "server" => { + }, + "client" => { + "extra" => { + "MaxFragmentLenExt" => 512, + }, + }, + "resume_client" => { + }, + "test" => { + "Method" => $method, + "HandshakeMode" => "Resume", + "ResumptionExpected" => "No", + "ExpectedResult" => "ServerFail", + } + }; + + push @client_tests, { + "name" => "resumption-when-mfl-ext-is-different", + "server" => { + }, + "client" => { + "extra" => { + "MaxFragmentLenExt" => 512, + }, + }, + "resume_client" => { + "extra" => { + "MaxFragmentLenExt" => 1024, + }, + }, + "test" => { + "Method" => $method, + "HandshakeMode" => "Resume", + "ResumptionExpected" => "No", + "ExpectedResult" => "ServerFail", + } + }; + + push @client_tests, { + "name" => "resumption-when-mfl-ext-is-correct", + "server" => { + }, + "client" => { + "extra" => { + "MaxFragmentLenExt" => 512, + }, + }, + "resume_client" => { + "extra" => { + "MaxFragmentLenExt" => 512, + }, + }, + "test" => { + "Method" => $method, + "HandshakeMode" => "Resume", + "ResumptionExpected" => "Yes", + "ExpectedResult" => "Success", + } + }; + return (@server_tests, @client_tests); } diff --git a/crypto/external/bsd/openssl/dist/test/sslapitest.c b/crypto/external/bsd/openssl/dist/test/sslapitest.c index 21322ceec5e4..5ee982ab06cf 100644 --- a/crypto/external/bsd/openssl/dist/test/sslapitest.c +++ b/crypto/external/bsd/openssl/dist/test/sslapitest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -85,20 +85,6 @@ struct sslapitest_log_counts { }; -static unsigned char serverinfov1[] = { - 0xff, 0xff, /* Dummy extension type */ - 0x00, 0x01, /* Extension length is 1 byte */ - 0xff /* Dummy extension data */ -}; - -static unsigned char serverinfov2[] = { - 0x00, 0x00, 0x00, - (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */ - 0xff, 0xff, /* Dummy extension type */ - 0x00, 0x01, /* Extension length is 1 byte */ - 0xff /* Dummy extension data */ -}; - static int hostname_cb(SSL *s, int *al, void *arg) { const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); @@ -808,6 +794,157 @@ static int test_large_message_dtls(void) } #endif +/* + * Test we can successfully send the maximum amount of application data. We + * test each protocol version individually, each with and without EtM enabled. + * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is + * simpler this way. We also test all combinations with and without the + * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the + * underlying buffer. + */ +static int test_large_app_data(int tst) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0, prot; + unsigned char *msg, *buf = NULL; + size_t written, readbytes; + const SSL_METHOD *smeth = TLS_server_method(); + const SSL_METHOD *cmeth = TLS_client_method(); + + switch (tst >> 2) { + case 0: +#ifndef OPENSSL_NO_TLS1_3 + prot = TLS1_3_VERSION; + break; +#else + return 1; +#endif + + case 1: +#ifndef OPENSSL_NO_TLS1_2 + prot = TLS1_2_VERSION; + break; +#else + return 1; +#endif + + case 2: +#ifndef OPENSSL_NO_TLS1_1 + prot = TLS1_1_VERSION; + break; +#else + return 1; +#endif + + case 3: +#ifndef OPENSSL_NO_TLS1 + prot = TLS1_VERSION; + break; +#else + return 1; +#endif + + case 4: +#ifndef OPENSSL_NO_SSL3 + prot = SSL3_VERSION; + break; +#else + return 1; +#endif + + case 5: +#ifndef OPENSSL_NO_DTLS1_2 + prot = DTLS1_2_VERSION; + smeth = DTLS_server_method(); + cmeth = DTLS_client_method(); + break; +#else + return 1; +#endif + + case 6: +#ifndef OPENSSL_NO_DTLS1 + prot = DTLS1_VERSION; + smeth = DTLS_server_method(); + cmeth = DTLS_client_method(); + break; +#else + return 1; +#endif + + default: + /* Shouldn't happen */ + return 0; + } + + /* Maximal sized message of zeros */ + msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH); + if (!TEST_ptr(msg)) + goto end; + + buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1); + if (!TEST_ptr(buf)) + goto end; + /* Set whole buffer to all bits set */ + memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1); + + if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, prot, prot, &sctx, &cctx, + cert, privkey))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL))) + goto end; + + if ((tst & 1) != 0) { + /* Setting this option gives us a minimally sized underlying buffer */ + if (!TEST_true(SSL_set_options(serverssl, + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + || !TEST_true(SSL_set_options(clientssl, + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))) + goto end; + } + + if ((tst & 2) != 0) { + /* + * Setting this option means the MAC is added before encryption + * giving us a larger record for the encryption process + */ + if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC)) + || !TEST_true(SSL_set_options(clientssl, + SSL_OP_NO_ENCRYPT_THEN_MAC))) + goto end; + } + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH, + &written)) + || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH)) + goto end; + + /* We provide a buffer slightly larger than what we are actually expecting */ + if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1, + &readbytes))) + goto end; + + if (!TEST_mem_eq(msg, written, buf, readbytes)) + goto end; + + testresult = 1; +end: + OPENSSL_free(msg); + OPENSSL_free(buf); + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} + + #ifndef OPENSSL_NO_OCSP static int ocsp_server_cb(SSL *s, void *arg) { @@ -4349,62 +4486,137 @@ end: return testresult; } -/* - * Test loading of serverinfo data in various formats. test_sslmessages actually - * tests to make sure the extensions appear in the handshake - */ -static int test_serverinfo(int tst) +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3) + +#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \ + | SSL_EXT_CLIENT_HELLO \ + | SSL_EXT_TLS1_2_SERVER_HELLO \ + | SSL_EXT_IGNORE_ON_RESUMPTION) + +#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \ + | SSL_EXT_TLS1_2_SERVER_HELLO \ + | SSL_EXT_CLIENT_HELLO) + +#define SERVERINFO_CUSTOM \ + 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \ + 0x00, 0x03, \ + 0x04, 0x05, 0x06 \ + +static const unsigned char serverinfo_custom_tls13[] = { + 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff, + SERVERINFO_CUSTOM +}; +static const unsigned char serverinfo_custom_v2[] = { + 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff, + SERVERINFO_CUSTOM +}; +static const unsigned char serverinfo_custom_v1[] = { + SERVERINFO_CUSTOM +}; +static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13); +static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2); +static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1); + +static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type, + unsigned int context, + const unsigned char *in, + size_t inlen, X509 *x, + size_t chainidx, int *al, + void *parse_arg) { - unsigned int version; - unsigned char *sibuf; - size_t sibuflen; - int ret, expected, testresult = 0; - SSL_CTX *ctx; + const size_t len = serverinfo_custom_v1_len; + const unsigned char *si = &serverinfo_custom_v1[len - 3]; + int *p_cb_result = (int*)parse_arg; + *p_cb_result = TEST_mem_eq(in, inlen, si, 3); + return 1; +} - ctx = SSL_CTX_new(TLS_method()); - if (!TEST_ptr(ctx)) - goto end; +static int test_serverinfo_custom(const int idx) +{ + SSL_CTX *sctx = NULL, *cctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + int cb_result = 0; - if ((tst & 0x01) == 0x01) - version = SSL_SERVERINFOV2; - else - version = SSL_SERVERINFOV1; + /* + * Following variables are set in the switch statement + * according to the test iteration. + * Default values do not make much sense: test would fail with them. + */ + int serverinfo_version = 0; + int protocol_version = 0; + unsigned int extension_context = 0; + const unsigned char *si = NULL; + size_t si_len = 0; - if ((tst & 0x02) == 0x02) { - sibuf = serverinfov2; - sibuflen = sizeof(serverinfov2); - expected = (version == SSL_SERVERINFOV2); - } else { - sibuf = serverinfov1; - sibuflen = sizeof(serverinfov1); - expected = (version == SSL_SERVERINFOV1); + const int call_use_serverinfo_ex = idx > 0; + switch (idx) { + case 0: /* FALLTHROUGH */ + case 1: + serverinfo_version = SSL_SERVERINFOV1; + protocol_version = TLS1_2_VERSION; + extension_context = SYNTHV1CONTEXT; + si = serverinfo_custom_v1; + si_len = serverinfo_custom_v1_len; + break; + case 2: + serverinfo_version = SSL_SERVERINFOV2; + protocol_version = TLS1_2_VERSION; + extension_context = SYNTHV1CONTEXT; + si = serverinfo_custom_v2; + si_len = serverinfo_custom_v2_len; + break; + case 3: + serverinfo_version = SSL_SERVERINFOV2; + protocol_version = TLS1_3_VERSION; + extension_context = TLS13CONTEXT; + si = serverinfo_custom_tls13; + si_len = serverinfo_custom_tls13_len; + break; } - if ((tst & 0x04) == 0x04) { - ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen); - } else { - ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen); + if (!TEST_true(create_ssl_ctx_pair(TLS_method(), + TLS_method(), + protocol_version, + protocol_version, + &sctx, &cctx, cert, privkey))) + goto end; - /* - * The version variable is irrelevant in this case - it's what is in the - * buffer that matters - */ - if ((tst & 0x02) == 0x02) - expected = 0; - else - expected = 1; + if (call_use_serverinfo_ex) { + if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version, + si, si_len))) + goto end; + } else { + if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len))) + goto end; } - if (!TEST_true(ret == expected)) + if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp, + extension_context, + NULL, NULL, NULL, + serverinfo_custom_parse_cb, + &cb_result)) + || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE)) + || !TEST_int_eq(SSL_do_handshake(clientssl), 1)) + goto end; + + if (!TEST_true(cb_result)) goto end; testresult = 1; end: - SSL_CTX_free(ctx); + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); return testresult; } +#endif /* * Test that SSL_export_keying_material() produces expected results. There are @@ -6734,6 +6946,69 @@ end: SSL_CTX_free(cctx); return testresult; } + +/* + * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week + * 0 = TLSv1.2 + * 1 = TLSv1.3 + */ +static int test_ticket_lifetime(int idx) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + int version = TLS1_3_VERSION; + +#define ONE_WEEK_SEC (7 * 24 * 60 * 60) +#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC) + + if (idx == 0) { +#ifdef OPENSSL_NO_TLS1_2 + TEST_info("Skipping: TLS 1.2 is disabled."); + return 1; +#else + version = TLS1_2_VERSION; +#endif + } + + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), version, version, + &sctx, &cctx, cert, privkey))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL))) + goto end; + + /* + * Set the timeout to be more than 1 week + * make sure the returned value is the default + */ + if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC), + SSL_get_default_timeout(serverssl))) + goto end; + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + if (idx == 0) { + /* TLSv1.2 uses the set value */ + if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC)) + goto end; + } else { + /* TLSv1.3 uses the limited value */ + if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC)) + goto end; + } + testresult = 1; + +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} #endif /* * Test that setting an ALPN does not violate RFC @@ -6807,6 +7082,171 @@ end: return testresult; } +/* + * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store. + */ +static int test_set_verify_cert_store_ssl_ctx(void) +{ + SSL_CTX *ctx = NULL; + int testresult = 0; + X509_STORE *store = NULL, *new_store = NULL, + *cstore = NULL, *new_cstore = NULL; + + /* Create an initial SSL_CTX. */ + ctx = SSL_CTX_new(TLS_server_method()); + if (!TEST_ptr(ctx)) + goto end; + + /* Retrieve verify store pointer. */ + if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) + goto end; + + /* Retrieve chain store pointer. */ + if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) + goto end; + + /* We haven't set any yet, so this should be NULL. */ + if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) + goto end; + + /* Create stores. We use separate stores so pointers are different. */ + new_store = X509_STORE_new(); + if (!TEST_ptr(new_store)) + goto end; + + new_cstore = X509_STORE_new(); + if (!TEST_ptr(new_cstore)) + goto end; + + /* Set stores. */ + if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store))) + goto end; + + if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore))) + goto end; + + /* Should be able to retrieve the same pointer. */ + if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) + goto end; + + if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) + goto end; + + if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore)) + goto end; + + /* Should be able to unset again. */ + if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL))) + goto end; + + if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL))) + goto end; + + /* Should now be NULL. */ + if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) + goto end; + + if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) + goto end; + + if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) + goto end; + + testresult = 1; + +end: + X509_STORE_free(new_store); + X509_STORE_free(new_cstore); + SSL_CTX_free(ctx); + return testresult; +} + +/* + * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store. + */ +static int test_set_verify_cert_store_ssl(void) +{ + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + int testresult = 0; + X509_STORE *store = NULL, *new_store = NULL, + *cstore = NULL, *new_cstore = NULL; + + /* Create an initial SSL_CTX. */ + ctx = SSL_CTX_new(TLS_server_method()); + if (!TEST_ptr(ctx)) + goto end; + + /* Create an SSL object. */ + ssl = SSL_new(ctx); + if (!TEST_ptr(ssl)) + goto end; + + /* Retrieve verify store pointer. */ + if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) + goto end; + + /* Retrieve chain store pointer. */ + if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) + goto end; + + /* We haven't set any yet, so this should be NULL. */ + if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) + goto end; + + /* Create stores. We use separate stores so pointers are different. */ + new_store = X509_STORE_new(); + if (!TEST_ptr(new_store)) + goto end; + + new_cstore = X509_STORE_new(); + if (!TEST_ptr(new_cstore)) + goto end; + + /* Set stores. */ + if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store))) + goto end; + + if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore))) + goto end; + + /* Should be able to retrieve the same pointer. */ + if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) + goto end; + + if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) + goto end; + + if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore)) + goto end; + + /* Should be able to unset again. */ + if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL))) + goto end; + + if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL))) + goto end; + + /* Should now be NULL. */ + if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) + goto end; + + if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) + goto end; + + if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) + goto end; + + testresult = 1; + +end: + X509_STORE_free(new_store); + X509_STORE_free(new_cstore); + SSL_free(ssl); + SSL_CTX_free(ctx); + return testresult; +} + static int test_inherit_verify_param(void) { int testresult = 0; @@ -6886,6 +7326,7 @@ int setup_tests(void) #ifndef OPENSSL_NO_DTLS ADD_TEST(test_large_message_dtls); #endif + ADD_ALL_TESTS(test_large_app_data, 28); #ifndef OPENSSL_NO_OCSP ADD_TEST(test_tlsext_status_type); #endif @@ -6947,7 +7388,6 @@ int setup_tests(void) #else ADD_ALL_TESTS(test_custom_exts, 3); #endif - ADD_ALL_TESTS(test_serverinfo, 8); ADD_ALL_TESTS(test_export_key_mat, 6); #ifndef OPENSSL_NO_TLS1_3 ADD_ALL_TESTS(test_export_key_mat_early, 3); @@ -6973,9 +7413,15 @@ int setup_tests(void) #endif #ifndef OPENSSL_NO_TLS1_3 ADD_TEST(test_sni_tls13); + ADD_ALL_TESTS(test_ticket_lifetime, 2); #endif ADD_TEST(test_set_alpn); + ADD_TEST(test_set_verify_cert_store_ssl_ctx); + ADD_TEST(test_set_verify_cert_store_ssl); ADD_TEST(test_inherit_verify_param); +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3) + ADD_ALL_TESTS(test_serverinfo_custom, 4); +#endif return 1; } diff --git a/crypto/external/bsd/openssl/dist/test/ssltestlib.c b/crypto/external/bsd/openssl/dist/test/ssltestlib.c index 456afdf4716e..422787b0f582 100644 --- a/crypto/external/bsd/openssl/dist/test/ssltestlib.c +++ b/crypto/external/bsd/openssl/dist/test/ssltestlib.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -435,6 +435,39 @@ static int mempacket_test_read(BIO *bio, char *out, int outl) return outl; } +/* Take the last and penultimate packets and swap them around */ +int mempacket_swap_recent(BIO *bio) +{ + MEMPACKET_TEST_CTX *ctx = BIO_get_data(bio); + MEMPACKET *thispkt; + int numpkts = sk_MEMPACKET_num(ctx->pkts); + + /* We need at least 2 packets to be able to swap them */ + if (numpkts <= 1) + return 0; + + /* Get the penultimate packet */ + thispkt = sk_MEMPACKET_value(ctx->pkts, numpkts - 2); + if (thispkt == NULL) + return 0; + + if (sk_MEMPACKET_delete(ctx->pkts, numpkts - 2) != thispkt) + return 0; + + /* Re-add it to the end of the list */ + thispkt->num++; + if (sk_MEMPACKET_insert(ctx->pkts, thispkt, numpkts - 1) <= 0) + return 0; + + /* We also have to adjust the packet number of the other packet */ + thispkt = sk_MEMPACKET_value(ctx->pkts, numpkts - 2); + if (thispkt == NULL) + return 0; + thispkt->num--; + + return 1; +} + int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, int type) { diff --git a/crypto/external/bsd/openssl/dist/test/ssltestlib.h b/crypto/external/bsd/openssl/dist/test/ssltestlib.h index 17b278219a6e..8f0a1b5308c3 100644 --- a/crypto/external/bsd/openssl/dist/test/ssltestlib.h +++ b/crypto/external/bsd/openssl/dist/test/ssltestlib.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -46,6 +46,7 @@ void bio_s_always_retry_free(void); #define MEMPACKET_CTRL_GET_DROP_REC (3 << 15) #define MEMPACKET_CTRL_SET_DUPLICATE_REC (4 << 15) +int mempacket_swap_recent(BIO *bio); int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, int type); diff --git a/crypto/external/bsd/openssl/dist/test/test_test.c b/crypto/external/bsd/openssl/dist/test/test_test.c index 74a230c1966b..cec0368648cb 100644 --- a/crypto/external/bsd/openssl/dist/test/test_test.c +++ b/crypto/external/bsd/openssl/dist/test/test_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -33,19 +33,19 @@ static int test_case(int expected, const char *test, int result) static int test_int(void) { if (!TEST(1, TEST_int_eq(1, 1)) - | !TEST(0, TEST_int_eq(1, -1)) - | !TEST(1, TEST_int_ne(1, 2)) - | !TEST(0, TEST_int_ne(3, 3)) - | !TEST(1, TEST_int_lt(4, 9)) - | !TEST(0, TEST_int_lt(9, 4)) - | !TEST(1, TEST_int_le(4, 9)) - | !TEST(1, TEST_int_le(5, 5)) - | !TEST(0, TEST_int_le(9, 4)) - | !TEST(1, TEST_int_gt(8, 5)) - | !TEST(0, TEST_int_gt(5, 8)) - | !TEST(1, TEST_int_ge(8, 5)) - | !TEST(1, TEST_int_ge(6, 6)) - | !TEST(0, TEST_int_ge(5, 8))) + || !TEST(0, TEST_int_eq(1, -1)) + || !TEST(1, TEST_int_ne(1, 2)) + || !TEST(0, TEST_int_ne(3, 3)) + || !TEST(1, TEST_int_lt(4, 9)) + || !TEST(0, TEST_int_lt(9, 4)) + || !TEST(1, TEST_int_le(4, 9)) + || !TEST(1, TEST_int_le(5, 5)) + || !TEST(0, TEST_int_le(9, 4)) + || !TEST(1, TEST_int_gt(8, 5)) + || !TEST(0, TEST_int_gt(5, 8)) + || !TEST(1, TEST_int_ge(8, 5)) + || !TEST(1, TEST_int_ge(6, 6)) + || !TEST(0, TEST_int_ge(5, 8))) goto err; return 1; @@ -56,19 +56,19 @@ err: static int test_uint(void) { if (!TEST(1, TEST_uint_eq(3u, 3u)) - | !TEST(0, TEST_uint_eq(3u, 5u)) - | !TEST(1, TEST_uint_ne(4u, 2u)) - | !TEST(0, TEST_uint_ne(6u, 6u)) - | !TEST(1, TEST_uint_lt(5u, 9u)) - | !TEST(0, TEST_uint_lt(9u, 5u)) - | !TEST(1, TEST_uint_le(5u, 9u)) - | !TEST(1, TEST_uint_le(7u, 7u)) - | !TEST(0, TEST_uint_le(9u, 5u)) - | !TEST(1, TEST_uint_gt(11u, 1u)) - | !TEST(0, TEST_uint_gt(1u, 11u)) - | !TEST(1, TEST_uint_ge(11u, 1u)) - | !TEST(1, TEST_uint_ge(6u, 6u)) - | !TEST(0, TEST_uint_ge(1u, 11u))) + || !TEST(0, TEST_uint_eq(3u, 5u)) + || !TEST(1, TEST_uint_ne(4u, 2u)) + || !TEST(0, TEST_uint_ne(6u, 6u)) + || !TEST(1, TEST_uint_lt(5u, 9u)) + || !TEST(0, TEST_uint_lt(9u, 5u)) + || !TEST(1, TEST_uint_le(5u, 9u)) + || !TEST(1, TEST_uint_le(7u, 7u)) + || !TEST(0, TEST_uint_le(9u, 5u)) + || !TEST(1, TEST_uint_gt(11u, 1u)) + || !TEST(0, TEST_uint_gt(1u, 11u)) + || !TEST(1, TEST_uint_ge(11u, 1u)) + || !TEST(1, TEST_uint_ge(6u, 6u)) + || !TEST(0, TEST_uint_ge(1u, 11u))) goto err; return 1; @@ -79,19 +79,19 @@ err: static int test_char(void) { if (!TEST(1, TEST_char_eq('a', 'a')) - | !TEST(0, TEST_char_eq('a', 'A')) - | !TEST(1, TEST_char_ne('a', 'c')) - | !TEST(0, TEST_char_ne('e', 'e')) - | !TEST(1, TEST_char_lt('i', 'x')) - | !TEST(0, TEST_char_lt('x', 'i')) - | !TEST(1, TEST_char_le('i', 'x')) - | !TEST(1, TEST_char_le('n', 'n')) - | !TEST(0, TEST_char_le('x', 'i')) - | !TEST(1, TEST_char_gt('w', 'n')) - | !TEST(0, TEST_char_gt('n', 'w')) - | !TEST(1, TEST_char_ge('w', 'n')) - | !TEST(1, TEST_char_ge('p', 'p')) - | !TEST(0, TEST_char_ge('n', 'w'))) + || !TEST(0, TEST_char_eq('a', 'A')) + || !TEST(1, TEST_char_ne('a', 'c')) + || !TEST(0, TEST_char_ne('e', 'e')) + || !TEST(1, TEST_char_lt('i', 'x')) + || !TEST(0, TEST_char_lt('x', 'i')) + || !TEST(1, TEST_char_le('i', 'x')) + || !TEST(1, TEST_char_le('n', 'n')) + || !TEST(0, TEST_char_le('x', 'i')) + || !TEST(1, TEST_char_gt('w', 'n')) + || !TEST(0, TEST_char_gt('n', 'w')) + || !TEST(1, TEST_char_ge('w', 'n')) + || !TEST(1, TEST_char_ge('p', 'p')) + || !TEST(0, TEST_char_ge('n', 'w'))) goto err; return 1; @@ -102,19 +102,19 @@ err: static int test_uchar(void) { if (!TEST(1, TEST_uchar_eq(49, 49)) - | !TEST(0, TEST_uchar_eq(49, 60)) - | !TEST(1, TEST_uchar_ne(50, 2)) - | !TEST(0, TEST_uchar_ne(66, 66)) - | !TEST(1, TEST_uchar_lt(60, 80)) - | !TEST(0, TEST_uchar_lt(80, 60)) - | !TEST(1, TEST_uchar_le(60, 80)) - | !TEST(1, TEST_uchar_le(78, 78)) - | !TEST(0, TEST_uchar_le(80, 60)) - | !TEST(1, TEST_uchar_gt(88, 37)) - | !TEST(0, TEST_uchar_gt(37, 88)) - | !TEST(1, TEST_uchar_ge(88, 37)) - | !TEST(1, TEST_uchar_ge(66, 66)) - | !TEST(0, TEST_uchar_ge(37, 88))) + || !TEST(0, TEST_uchar_eq(49, 60)) + || !TEST(1, TEST_uchar_ne(50, 2)) + || !TEST(0, TEST_uchar_ne(66, 66)) + || !TEST(1, TEST_uchar_lt(60, 80)) + || !TEST(0, TEST_uchar_lt(80, 60)) + || !TEST(1, TEST_uchar_le(60, 80)) + || !TEST(1, TEST_uchar_le(78, 78)) + || !TEST(0, TEST_uchar_le(80, 60)) + || !TEST(1, TEST_uchar_gt(88, 37)) + || !TEST(0, TEST_uchar_gt(37, 88)) + || !TEST(1, TEST_uchar_ge(88, 37)) + || !TEST(1, TEST_uchar_ge(66, 66)) + || !TEST(0, TEST_uchar_ge(37, 88))) goto err; return 1; @@ -125,19 +125,19 @@ err: static int test_long(void) { if (!TEST(1, TEST_long_eq(123l, 123l)) - | !TEST(0, TEST_long_eq(123l, -123l)) - | !TEST(1, TEST_long_ne(123l, 500l)) - | !TEST(0, TEST_long_ne(1000l, 1000l)) - | !TEST(1, TEST_long_lt(-8923l, 102934563l)) - | !TEST(0, TEST_long_lt(102934563l, -8923l)) - | !TEST(1, TEST_long_le(-8923l, 102934563l)) - | !TEST(1, TEST_long_le(12345l, 12345l)) - | !TEST(0, TEST_long_le(102934563l, -8923l)) - | !TEST(1, TEST_long_gt(84325677l, 12345l)) - | !TEST(0, TEST_long_gt(12345l, 84325677l)) - | !TEST(1, TEST_long_ge(84325677l, 12345l)) - | !TEST(1, TEST_long_ge(465869l, 465869l)) - | !TEST(0, TEST_long_ge(12345l, 84325677l))) + || !TEST(0, TEST_long_eq(123l, -123l)) + || !TEST(1, TEST_long_ne(123l, 500l)) + || !TEST(0, TEST_long_ne(1000l, 1000l)) + || !TEST(1, TEST_long_lt(-8923l, 102934563l)) + || !TEST(0, TEST_long_lt(102934563l, -8923l)) + || !TEST(1, TEST_long_le(-8923l, 102934563l)) + || !TEST(1, TEST_long_le(12345l, 12345l)) + || !TEST(0, TEST_long_le(102934563l, -8923l)) + || !TEST(1, TEST_long_gt(84325677l, 12345l)) + || !TEST(0, TEST_long_gt(12345l, 84325677l)) + || !TEST(1, TEST_long_ge(84325677l, 12345l)) + || !TEST(1, TEST_long_ge(465869l, 465869l)) + || !TEST(0, TEST_long_ge(12345l, 84325677l))) goto err; return 1; @@ -148,19 +148,19 @@ err: static int test_ulong(void) { if (!TEST(1, TEST_ulong_eq(919ul, 919ul)) - | !TEST(0, TEST_ulong_eq(919ul, 10234ul)) - | !TEST(1, TEST_ulong_ne(8190ul, 66ul)) - | !TEST(0, TEST_ulong_ne(10555ul, 10555ul)) - | !TEST(1, TEST_ulong_lt(10234ul, 1000000ul)) - | !TEST(0, TEST_ulong_lt(1000000ul, 10234ul)) - | !TEST(1, TEST_ulong_le(10234ul, 1000000ul)) - | !TEST(1, TEST_ulong_le(100000ul, 100000ul)) - | !TEST(0, TEST_ulong_le(1000000ul, 10234ul)) - | !TEST(1, TEST_ulong_gt(100000000ul, 22ul)) - | !TEST(0, TEST_ulong_gt(22ul, 100000000ul)) - | !TEST(1, TEST_ulong_ge(100000000ul, 22ul)) - | !TEST(1, TEST_ulong_ge(10555ul, 10555ul)) - | !TEST(0, TEST_ulong_ge(22ul, 100000000ul))) + || !TEST(0, TEST_ulong_eq(919ul, 10234ul)) + || !TEST(1, TEST_ulong_ne(8190ul, 66ul)) + || !TEST(0, TEST_ulong_ne(10555ul, 10555ul)) + || !TEST(1, TEST_ulong_lt(10234ul, 1000000ul)) + || !TEST(0, TEST_ulong_lt(1000000ul, 10234ul)) + || !TEST(1, TEST_ulong_le(10234ul, 1000000ul)) + || !TEST(1, TEST_ulong_le(100000ul, 100000ul)) + || !TEST(0, TEST_ulong_le(1000000ul, 10234ul)) + || !TEST(1, TEST_ulong_gt(100000000ul, 22ul)) + || !TEST(0, TEST_ulong_gt(22ul, 100000000ul)) + || !TEST(1, TEST_ulong_ge(100000000ul, 22ul)) + || !TEST(1, TEST_ulong_ge(10555ul, 10555ul)) + || !TEST(0, TEST_ulong_ge(22ul, 100000000ul))) goto err; return 1; @@ -171,19 +171,19 @@ err: static int test_size_t(void) { if (!TEST(1, TEST_size_t_eq((size_t)10, (size_t)10)) - | !TEST(0, TEST_size_t_eq((size_t)10, (size_t)12)) - | !TEST(1, TEST_size_t_ne((size_t)10, (size_t)12)) - | !TEST(0, TEST_size_t_ne((size_t)24, (size_t)24)) - | !TEST(1, TEST_size_t_lt((size_t)30, (size_t)88)) - | !TEST(0, TEST_size_t_lt((size_t)88, (size_t)30)) - | !TEST(1, TEST_size_t_le((size_t)30, (size_t)88)) - | !TEST(1, TEST_size_t_le((size_t)33, (size_t)33)) - | !TEST(0, TEST_size_t_le((size_t)88, (size_t)30)) - | !TEST(1, TEST_size_t_gt((size_t)52, (size_t)33)) - | !TEST(0, TEST_size_t_gt((size_t)33, (size_t)52)) - | !TEST(1, TEST_size_t_ge((size_t)52, (size_t)33)) - | !TEST(1, TEST_size_t_ge((size_t)38, (size_t)38)) - | !TEST(0, TEST_size_t_ge((size_t)33, (size_t)52))) + || !TEST(0, TEST_size_t_eq((size_t)10, (size_t)12)) + || !TEST(1, TEST_size_t_ne((size_t)10, (size_t)12)) + || !TEST(0, TEST_size_t_ne((size_t)24, (size_t)24)) + || !TEST(1, TEST_size_t_lt((size_t)30, (size_t)88)) + || !TEST(0, TEST_size_t_lt((size_t)88, (size_t)30)) + || !TEST(1, TEST_size_t_le((size_t)30, (size_t)88)) + || !TEST(1, TEST_size_t_le((size_t)33, (size_t)33)) + || !TEST(0, TEST_size_t_le((size_t)88, (size_t)30)) + || !TEST(1, TEST_size_t_gt((size_t)52, (size_t)33)) + || !TEST(0, TEST_size_t_gt((size_t)33, (size_t)52)) + || !TEST(1, TEST_size_t_ge((size_t)52, (size_t)33)) + || !TEST(1, TEST_size_t_ge((size_t)38, (size_t)38)) + || !TEST(0, TEST_size_t_ge((size_t)33, (size_t)52))) goto err; return 1; @@ -194,19 +194,19 @@ err: static int test_time_t(void) { if (!TEST(1, TEST_time_t_eq((time_t)10, (time_t)10)) - | !TEST(0, TEST_time_t_eq((time_t)10, (time_t)12)) - | !TEST(1, TEST_time_t_ne((time_t)10, (time_t)12)) - | !TEST(0, TEST_time_t_ne((time_t)24, (time_t)24)) - | !TEST(1, TEST_time_t_lt((time_t)30, (time_t)88)) - | !TEST(0, TEST_time_t_lt((time_t)88, (time_t)30)) - | !TEST(1, TEST_time_t_le((time_t)30, (time_t)88)) - | !TEST(1, TEST_time_t_le((time_t)33, (time_t)33)) - | !TEST(0, TEST_time_t_le((time_t)88, (time_t)30)) - | !TEST(1, TEST_time_t_gt((time_t)52, (time_t)33)) - | !TEST(0, TEST_time_t_gt((time_t)33, (time_t)52)) - | !TEST(1, TEST_time_t_ge((time_t)52, (time_t)33)) - | !TEST(1, TEST_time_t_ge((time_t)38, (time_t)38)) - | !TEST(0, TEST_time_t_ge((time_t)33, (time_t)52))) + || !TEST(0, TEST_time_t_eq((time_t)10, (time_t)12)) + || !TEST(1, TEST_time_t_ne((time_t)10, (time_t)12)) + || !TEST(0, TEST_time_t_ne((time_t)24, (time_t)24)) + || !TEST(1, TEST_time_t_lt((time_t)30, (time_t)88)) + || !TEST(0, TEST_time_t_lt((time_t)88, (time_t)30)) + || !TEST(1, TEST_time_t_le((time_t)30, (time_t)88)) + || !TEST(1, TEST_time_t_le((time_t)33, (time_t)33)) + || !TEST(0, TEST_time_t_le((time_t)88, (time_t)30)) + || !TEST(1, TEST_time_t_gt((time_t)52, (time_t)33)) + || !TEST(0, TEST_time_t_gt((time_t)33, (time_t)52)) + || !TEST(1, TEST_time_t_ge((time_t)52, (time_t)33)) + || !TEST(1, TEST_time_t_ge((time_t)38, (time_t)38)) + || !TEST(0, TEST_time_t_ge((time_t)33, (time_t)52))) goto err; return 1; @@ -220,19 +220,19 @@ static int test_pointer(void) char y = 1; if (!TEST(1, TEST_ptr(&y)) - | !TEST(0, TEST_ptr(NULL)) - | !TEST(0, TEST_ptr_null(&y)) - | !TEST(1, TEST_ptr_null(NULL)) - | !TEST(1, TEST_ptr_eq(NULL, NULL)) - | !TEST(0, TEST_ptr_eq(NULL, &y)) - | !TEST(0, TEST_ptr_eq(&y, NULL)) - | !TEST(0, TEST_ptr_eq(&y, &x)) - | !TEST(1, TEST_ptr_eq(&x, &x)) - | !TEST(0, TEST_ptr_ne(NULL, NULL)) - | !TEST(1, TEST_ptr_ne(NULL, &y)) - | !TEST(1, TEST_ptr_ne(&y, NULL)) - | !TEST(1, TEST_ptr_ne(&y, &x)) - | !TEST(0, TEST_ptr_ne(&x, &x))) + || !TEST(0, TEST_ptr(NULL)) + || !TEST(0, TEST_ptr_null(&y)) + || !TEST(1, TEST_ptr_null(NULL)) + || !TEST(1, TEST_ptr_eq(NULL, NULL)) + || !TEST(0, TEST_ptr_eq(NULL, &y)) + || !TEST(0, TEST_ptr_eq(&y, NULL)) + || !TEST(0, TEST_ptr_eq(&y, &x)) + || !TEST(1, TEST_ptr_eq(&x, &x)) + || !TEST(0, TEST_ptr_ne(NULL, NULL)) + || !TEST(1, TEST_ptr_ne(NULL, &y)) + || !TEST(1, TEST_ptr_ne(&y, NULL)) + || !TEST(1, TEST_ptr_ne(&y, &x)) + || !TEST(0, TEST_ptr_ne(&x, &x))) goto err; return 1; @@ -243,9 +243,9 @@ err: static int test_bool(void) { if (!TEST(0, TEST_true(0)) - | !TEST(1, TEST_true(1)) - | !TEST(1, TEST_false(0)) - | !TEST(0, TEST_false(1))) + || !TEST(1, TEST_true(1)) + || !TEST(1, TEST_false(0)) + || !TEST(0, TEST_false(1))) goto err; return 1; @@ -258,19 +258,19 @@ static int test_string(void) static char buf[] = "abc"; if (!TEST(1, TEST_str_eq(NULL, NULL)) - | !TEST(1, TEST_str_eq("abc", buf)) - | !TEST(0, TEST_str_eq("abc", NULL)) - | !TEST(0, TEST_str_eq("abc", "")) - | !TEST(0, TEST_str_eq(NULL, buf)) - | !TEST(0, TEST_str_ne(NULL, NULL)) - | !TEST(0, TEST_str_eq("", NULL)) - | !TEST(0, TEST_str_eq(NULL, "")) - | !TEST(0, TEST_str_ne("", "")) - | !TEST(0, TEST_str_eq("\1\2\3\4\5", "\1x\3\6\5")) - | !TEST(0, TEST_str_ne("abc", buf)) - | !TEST(1, TEST_str_ne("abc", NULL)) - | !TEST(1, TEST_str_ne(NULL, buf)) - | !TEST(0, TEST_str_eq("abcdef", "abcdefghijk"))) + || !TEST(1, TEST_str_eq("abc", buf)) + || !TEST(0, TEST_str_eq("abc", NULL)) + || !TEST(0, TEST_str_eq("abc", "")) + || !TEST(0, TEST_str_eq(NULL, buf)) + || !TEST(0, TEST_str_ne(NULL, NULL)) + || !TEST(0, TEST_str_eq("", NULL)) + || !TEST(0, TEST_str_eq(NULL, "")) + || !TEST(0, TEST_str_ne("", "")) + || !TEST(0, TEST_str_eq("\1\2\3\4\5", "\1x\3\6\5")) + || !TEST(0, TEST_str_ne("abc", buf)) + || !TEST(1, TEST_str_ne("abc", NULL)) + || !TEST(1, TEST_str_ne(NULL, buf)) + || !TEST(0, TEST_str_eq("abcdef", "abcdefghijk"))) goto err; return 1; @@ -283,16 +283,16 @@ static int test_memory(void) static char buf[] = "xyz"; if (!TEST(1, TEST_mem_eq(NULL, 0, NULL, 0)) - | !TEST(1, TEST_mem_eq(NULL, 1, NULL, 2)) - | !TEST(0, TEST_mem_eq(NULL, 0, "xyz", 3)) - | !TEST(0, TEST_mem_eq(NULL, 7, "abc", 3)) - | !TEST(0, TEST_mem_ne(NULL, 0, NULL, 0)) - | !TEST(0, TEST_mem_eq(NULL, 0, "", 0)) - | !TEST(0, TEST_mem_eq("", 0, NULL, 0)) - | !TEST(0, TEST_mem_ne("", 0, "", 0)) - | !TEST(0, TEST_mem_eq("xyz", 3, NULL, 0)) - | !TEST(0, TEST_mem_eq("xyz", 3, buf, sizeof(buf))) - | !TEST(1, TEST_mem_eq("xyz", 4, buf, sizeof(buf)))) + || !TEST(1, TEST_mem_eq(NULL, 1, NULL, 2)) + || !TEST(0, TEST_mem_eq(NULL, 0, "xyz", 3)) + || !TEST(0, TEST_mem_eq(NULL, 7, "abc", 3)) + || !TEST(0, TEST_mem_ne(NULL, 0, NULL, 0)) + || !TEST(0, TEST_mem_eq(NULL, 0, "", 0)) + || !TEST(0, TEST_mem_eq("", 0, NULL, 0)) + || !TEST(0, TEST_mem_ne("", 0, "", 0)) + || !TEST(0, TEST_mem_eq("xyz", 3, NULL, 0)) + || !TEST(0, TEST_mem_eq("xyz", 3, buf, sizeof(buf))) + || !TEST(1, TEST_mem_eq("xyz", 4, buf, sizeof(buf)))) goto err; return 1; @@ -315,61 +315,61 @@ static int test_bignum(void) int r = 0; if (!TEST(1, TEST_int_eq(BN_dec2bn(&a, "0"), 1)) - | !TEST(1, TEST_BN_eq_word(a, 0)) - | !TEST(0, TEST_BN_eq_word(a, 30)) - | !TEST(1, TEST_BN_abs_eq_word(a, 0)) - | !TEST(0, TEST_BN_eq_one(a)) - | !TEST(1, TEST_BN_eq_zero(a)) - | !TEST(0, TEST_BN_ne_zero(a)) - | !TEST(1, TEST_BN_le_zero(a)) - | !TEST(0, TEST_BN_lt_zero(a)) - | !TEST(1, TEST_BN_ge_zero(a)) - | !TEST(0, TEST_BN_gt_zero(a)) - | !TEST(1, TEST_BN_even(a)) - | !TEST(0, TEST_BN_odd(a)) - | !TEST(1, TEST_BN_eq(b, c)) - | !TEST(0, TEST_BN_eq(a, b)) - | !TEST(0, TEST_BN_ne(NULL, c)) - | !TEST(1, TEST_int_eq(BN_dec2bn(&b, "1"), 1)) - | !TEST(1, TEST_BN_eq_word(b, 1)) - | !TEST(1, TEST_BN_eq_one(b)) - | !TEST(0, TEST_BN_abs_eq_word(b, 0)) - | !TEST(1, TEST_BN_abs_eq_word(b, 1)) - | !TEST(0, TEST_BN_eq_zero(b)) - | !TEST(1, TEST_BN_ne_zero(b)) - | !TEST(0, TEST_BN_le_zero(b)) - | !TEST(0, TEST_BN_lt_zero(b)) - | !TEST(1, TEST_BN_ge_zero(b)) - | !TEST(1, TEST_BN_gt_zero(b)) - | !TEST(0, TEST_BN_even(b)) - | !TEST(1, TEST_BN_odd(b)) - | !TEST(1, TEST_int_eq(BN_dec2bn(&c, "-334739439"), 10)) - | !TEST(0, TEST_BN_eq_word(c, 334739439)) - | !TEST(1, TEST_BN_abs_eq_word(c, 334739439)) - | !TEST(0, TEST_BN_eq_zero(c)) - | !TEST(1, TEST_BN_ne_zero(c)) - | !TEST(1, TEST_BN_le_zero(c)) - | !TEST(1, TEST_BN_lt_zero(c)) - | !TEST(0, TEST_BN_ge_zero(c)) - | !TEST(0, TEST_BN_gt_zero(c)) - | !TEST(0, TEST_BN_even(c)) - | !TEST(1, TEST_BN_odd(c)) - | !TEST(1, TEST_BN_eq(a, a)) - | !TEST(0, TEST_BN_ne(a, a)) - | !TEST(0, TEST_BN_eq(a, b)) - | !TEST(1, TEST_BN_ne(a, b)) - | !TEST(0, TEST_BN_lt(a, c)) - | !TEST(1, TEST_BN_lt(c, b)) - | !TEST(0, TEST_BN_lt(b, c)) - | !TEST(0, TEST_BN_le(a, c)) - | !TEST(1, TEST_BN_le(c, b)) - | !TEST(0, TEST_BN_le(b, c)) - | !TEST(1, TEST_BN_gt(a, c)) - | !TEST(0, TEST_BN_gt(c, b)) - | !TEST(1, TEST_BN_gt(b, c)) - | !TEST(1, TEST_BN_ge(a, c)) - | !TEST(0, TEST_BN_ge(c, b)) - | !TEST(1, TEST_BN_ge(b, c))) + || !TEST(1, TEST_BN_eq_word(a, 0)) + || !TEST(0, TEST_BN_eq_word(a, 30)) + || !TEST(1, TEST_BN_abs_eq_word(a, 0)) + || !TEST(0, TEST_BN_eq_one(a)) + || !TEST(1, TEST_BN_eq_zero(a)) + || !TEST(0, TEST_BN_ne_zero(a)) + || !TEST(1, TEST_BN_le_zero(a)) + || !TEST(0, TEST_BN_lt_zero(a)) + || !TEST(1, TEST_BN_ge_zero(a)) + || !TEST(0, TEST_BN_gt_zero(a)) + || !TEST(1, TEST_BN_even(a)) + || !TEST(0, TEST_BN_odd(a)) + || !TEST(1, TEST_BN_eq(b, c)) + || !TEST(0, TEST_BN_eq(a, b)) + || !TEST(0, TEST_BN_ne(NULL, c)) + || !TEST(1, TEST_int_eq(BN_dec2bn(&b, "1"), 1)) + || !TEST(1, TEST_BN_eq_word(b, 1)) + || !TEST(1, TEST_BN_eq_one(b)) + || !TEST(0, TEST_BN_abs_eq_word(b, 0)) + || !TEST(1, TEST_BN_abs_eq_word(b, 1)) + || !TEST(0, TEST_BN_eq_zero(b)) + || !TEST(1, TEST_BN_ne_zero(b)) + || !TEST(0, TEST_BN_le_zero(b)) + || !TEST(0, TEST_BN_lt_zero(b)) + || !TEST(1, TEST_BN_ge_zero(b)) + || !TEST(1, TEST_BN_gt_zero(b)) + || !TEST(0, TEST_BN_even(b)) + || !TEST(1, TEST_BN_odd(b)) + || !TEST(1, TEST_int_eq(BN_dec2bn(&c, "-334739439"), 10)) + || !TEST(0, TEST_BN_eq_word(c, 334739439)) + || !TEST(1, TEST_BN_abs_eq_word(c, 334739439)) + || !TEST(0, TEST_BN_eq_zero(c)) + || !TEST(1, TEST_BN_ne_zero(c)) + || !TEST(1, TEST_BN_le_zero(c)) + || !TEST(1, TEST_BN_lt_zero(c)) + || !TEST(0, TEST_BN_ge_zero(c)) + || !TEST(0, TEST_BN_gt_zero(c)) + || !TEST(0, TEST_BN_even(c)) + || !TEST(1, TEST_BN_odd(c)) + || !TEST(1, TEST_BN_eq(a, a)) + || !TEST(0, TEST_BN_ne(a, a)) + || !TEST(0, TEST_BN_eq(a, b)) + || !TEST(1, TEST_BN_ne(a, b)) + || !TEST(0, TEST_BN_lt(a, c)) + || !TEST(1, TEST_BN_lt(c, b)) + || !TEST(0, TEST_BN_lt(b, c)) + || !TEST(0, TEST_BN_le(a, c)) + || !TEST(1, TEST_BN_le(c, b)) + || !TEST(0, TEST_BN_le(b, c)) + || !TEST(1, TEST_BN_gt(a, c)) + || !TEST(0, TEST_BN_gt(c, b)) + || !TEST(1, TEST_BN_gt(b, c)) + || !TEST(1, TEST_BN_ge(a, c)) + || !TEST(0, TEST_BN_ge(c, b)) + || !TEST(1, TEST_BN_ge(b, c))) goto err; r = 1; diff --git a/crypto/external/bsd/openssl/dist/test/testutil/driver.c b/crypto/external/bsd/openssl/dist/test/testutil/driver.c index f0517d7ff5ef..094e2a3fc01e 100644 --- a/crypto/external/bsd/openssl/dist/test/testutil/driver.c +++ b/crypto/external/bsd/openssl/dist/test/testutil/driver.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/test/v3ext.c b/crypto/external/bsd/openssl/dist/test/v3ext.c index 14ae49969d07..2bc0f866e2b1 100644 --- a/crypto/external/bsd/openssl/dist/test/v3ext.c +++ b/crypto/external/bsd/openssl/dist/test/v3ext.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,10 +8,12 @@ */ #include +#include #include #include #include #include +#include "internal/nelem.h" #include "testutil.h" @@ -37,11 +39,302 @@ end: return ret; } +#ifndef OPENSSL_NO_RFC3779 +static int test_asid(void) +{ + ASN1_INTEGER *val1 = NULL, *val2 = NULL; + ASIdentifiers *asid1 = ASIdentifiers_new(), *asid2 = ASIdentifiers_new(), + *asid3 = ASIdentifiers_new(), *asid4 = ASIdentifiers_new(); + int testresult = 0; + + if (!TEST_ptr(asid1) + || !TEST_ptr(asid2) + || !TEST_ptr(asid3)) + goto err; + + if (!TEST_ptr(val1 = ASN1_INTEGER_new()) + || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496))) + goto err; + + if (!TEST_true(X509v3_asid_add_id_or_range(asid1, V3_ASID_ASNUM, val1, NULL))) + goto err; + + val1 = NULL; + if (!TEST_ptr(val2 = ASN1_INTEGER_new()) + || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497))) + goto err; + + if (!TEST_true(X509v3_asid_add_id_or_range(asid2, V3_ASID_ASNUM, val2, NULL))) + goto err; + + val2 = NULL; + if (!TEST_ptr(val1 = ASN1_INTEGER_new()) + || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496)) + || !TEST_ptr(val2 = ASN1_INTEGER_new()) + || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497))) + goto err; + + /* + * Just tests V3_ASID_ASNUM for now. Could be extended at some point to also + * test V3_ASID_RDI if we think it is worth it. + */ + if (!TEST_true(X509v3_asid_add_id_or_range(asid3, V3_ASID_ASNUM, val1, val2))) + goto err; + val1 = val2 = NULL; + + /* Actual subsets */ + if (!TEST_true(X509v3_asid_subset(NULL, NULL)) + || !TEST_true(X509v3_asid_subset(NULL, asid1)) + || !TEST_true(X509v3_asid_subset(asid1, asid1)) + || !TEST_true(X509v3_asid_subset(asid2, asid2)) + || !TEST_true(X509v3_asid_subset(asid1, asid3)) + || !TEST_true(X509v3_asid_subset(asid2, asid3)) + || !TEST_true(X509v3_asid_subset(asid3, asid3)) + || !TEST_true(X509v3_asid_subset(asid4, asid1)) + || !TEST_true(X509v3_asid_subset(asid4, asid2)) + || !TEST_true(X509v3_asid_subset(asid4, asid3))) + goto err; + + /* Not subsets */ + if (!TEST_false(X509v3_asid_subset(asid1, NULL)) + || !TEST_false(X509v3_asid_subset(asid1, asid2)) + || !TEST_false(X509v3_asid_subset(asid2, asid1)) + || !TEST_false(X509v3_asid_subset(asid3, asid1)) + || !TEST_false(X509v3_asid_subset(asid3, asid2)) + || !TEST_false(X509v3_asid_subset(asid1, asid4)) + || !TEST_false(X509v3_asid_subset(asid2, asid4)) + || !TEST_false(X509v3_asid_subset(asid3, asid4))) + goto err; + + testresult = 1; + err: + ASN1_INTEGER_free(val1); + ASN1_INTEGER_free(val2); + ASIdentifiers_free(asid1); + ASIdentifiers_free(asid2); + ASIdentifiers_free(asid3); + ASIdentifiers_free(asid4); + return testresult; +} + +static struct ip_ranges_st { + const unsigned int afi; + const char *ip1; + const char *ip2; + int rorp; +} ranges[] = { + { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.1", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.2", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.3", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.254", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.255", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV4, "192.168.0.1", "192.168.0.255", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV4, "192.168.0.1", "192.168.0.1", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV4, "192.168.0.0", "192.168.255.255", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV4, "192.168.1.0", "192.168.255.255", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::1", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::2", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::3", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::fffe", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::ffff", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV6, "2001:0db8::1", "2001:0db8::ffff", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV6, "2001:0db8::1", "2001:0db8::1", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV6, "2001:0db8::0:0", "2001:0db8::ffff:ffff", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV6, "2001:0db8::1:0", "2001:0db8::ffff:ffff", IPAddressOrRange_addressRange} +}; + +static int check_addr(IPAddrBlocks *addr, int type) +{ + IPAddressFamily *fam; + IPAddressOrRange *aorr; + + if (!TEST_int_eq(sk_IPAddressFamily_num(addr), 1)) + return 0; + + fam = sk_IPAddressFamily_value(addr, 0); + if (!TEST_ptr(fam)) + return 0; + + if (!TEST_int_eq(fam->ipAddressChoice->type, IPAddressChoice_addressesOrRanges)) + return 0; + + if (!TEST_int_eq(sk_IPAddressOrRange_num(fam->ipAddressChoice->u.addressesOrRanges), 1)) + return 0; + + aorr = sk_IPAddressOrRange_value(fam->ipAddressChoice->u.addressesOrRanges, 0); + if (!TEST_ptr(aorr)) + return 0; + + if (!TEST_int_eq(aorr->type, type)) + return 0; + + return 1; +} + +static int test_addr_ranges(void) +{ + IPAddrBlocks *addr = NULL; + ASN1_OCTET_STRING *ip1 = NULL, *ip2 = NULL; + size_t i; + int testresult = 0; + + for (i = 0; i < OSSL_NELEM(ranges); i++) { + addr = sk_IPAddressFamily_new_null(); + if (!TEST_ptr(addr)) + goto end; + /* + * Has the side effect of installing the comparison function onto the + * stack. + */ + if (!TEST_true(X509v3_addr_canonize(addr))) + goto end; + + ip1 = a2i_IPADDRESS(ranges[i].ip1); + if (!TEST_ptr(ip1)) + goto end; + if (!TEST_true(ip1->length == 4 || ip1->length == 16)) + goto end; + ip2 = a2i_IPADDRESS(ranges[i].ip2); + if (!TEST_ptr(ip2)) + goto end; + if (!TEST_int_eq(ip2->length, ip1->length)) + goto end; + if (!TEST_true(memcmp(ip1->data, ip2->data, ip1->length) <= 0)) + goto end; + + if (!TEST_true(X509v3_addr_add_range(addr, ranges[i].afi, NULL, ip1->data, ip2->data))) + goto end; + + if (!TEST_true(X509v3_addr_is_canonical(addr))) + goto end; + + if (!check_addr(addr, ranges[i].rorp)) + goto end; + + sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); + addr = NULL; + ASN1_OCTET_STRING_free(ip1); + ASN1_OCTET_STRING_free(ip2); + ip1 = ip2 = NULL; + } + + testresult = 1; + end: + sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); + ASN1_OCTET_STRING_free(ip1); + ASN1_OCTET_STRING_free(ip2); + return testresult; +} + +static struct extvalues_st { + const char *value; + int pass; +} extvalues[] = { + /* No prefix is ok */ + { "sbgp-ipAddrBlock = IPv4:192.0.0.1\n", 1 }, + { "sbgp-ipAddrBlock = IPv4:192.0.0.0/0\n", 1 }, + { "sbgp-ipAddrBlock = IPv4:192.0.0.0/1\n", 1 }, + { "sbgp-ipAddrBlock = IPv4:192.0.0.0/32\n", 1 }, + /* Prefix is too long */ + { "sbgp-ipAddrBlock = IPv4:192.0.0.0/33\n", 0 }, + /* Unreasonably large prefix */ + { "sbgp-ipAddrBlock = IPv4:192.0.0.0/12341234\n", 0 }, + /* Invalid IP addresses */ + { "sbgp-ipAddrBlock = IPv4:192.0.0\n", 0 }, + { "sbgp-ipAddrBlock = IPv4:256.0.0.0\n", 0 }, + { "sbgp-ipAddrBlock = IPv4:-1.0.0.0\n", 0 }, + { "sbgp-ipAddrBlock = IPv4:192.0.0.0.0\n", 0 }, + { "sbgp-ipAddrBlock = IPv3:192.0.0.0\n", 0 }, + + /* IPv6 */ + /* No prefix is ok */ + { "sbgp-ipAddrBlock = IPv6:2001:db8::\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001::db8\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:db8::/0\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:db8::/1\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:db8::/32\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000/32\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:db8::/128\n", 1 }, + /* Prefix is too long */ + { "sbgp-ipAddrBlock = IPv6:2001:db8::/129\n", 0 }, + /* Unreasonably large prefix */ + { "sbgp-ipAddrBlock = IPv6:2001:db8::/12341234\n", 0 }, + /* Invalid IP addresses */ + /* Not enough blocks of numbers */ + { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000\n", 0 }, + /* Too many blocks of numbers */ + { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000:0000\n", 0 }, + /* First value too large */ + { "sbgp-ipAddrBlock = IPv6:1ffff:0db8:0000:0000:0000:0000:0000:0000\n", 0 }, + /* First value with invalid characters */ + { "sbgp-ipAddrBlock = IPv6:fffg:0db8:0000:0000:0000:0000:0000:0000\n", 0 }, + /* First value is negative */ + { "sbgp-ipAddrBlock = IPv6:-1:0db8:0000:0000:0000:0000:0000:0000\n", 0 } +}; + +static int test_ext_syntax(void) +{ + size_t i; + int testresult = 1; + + for (i = 0; i < OSSL_NELEM(extvalues); i++) { + X509V3_CTX ctx; + BIO *extbio = BIO_new_mem_buf(extvalues[i].value, + strlen(extvalues[i].value)); + CONF *conf; + long eline; + + if (!TEST_ptr(extbio)) + return 0 ; + + conf = NCONF_new(NULL); + if (!TEST_ptr(conf)) { + BIO_free(extbio); + return 0; + } + if (!TEST_long_gt(NCONF_load_bio(conf, extbio, &eline), 0)) { + testresult = 0; + } else { + X509V3_set_ctx_test(&ctx); + X509V3_set_nconf(&ctx, conf); + + if (extvalues[i].pass) { + if (!TEST_true(X509V3_EXT_add_nconf(conf, &ctx, "default", + NULL))) { + TEST_info("Value: %s", extvalues[i].value); + testresult = 0; + } + } else { + ERR_set_mark(); + if (!TEST_false(X509V3_EXT_add_nconf(conf, &ctx, "default", + NULL))) { + testresult = 0; + TEST_info("Value: %s", extvalues[i].value); + ERR_clear_last_mark(); + } else { + ERR_pop_to_mark(); + } + } + } + BIO_free(extbio); + NCONF_free(conf); + } + + return testresult; +} +#endif /* OPENSSL_NO_RFC3779 */ + int setup_tests(void) { if (!TEST_ptr(infile = test_get_argument(0))) return 0; ADD_TEST(test_pathlen); +#ifndef OPENSSL_NO_RFC3779 + ADD_TEST(test_asid); + ADD_TEST(test_addr_ranges); + ADD_TEST(test_ext_syntax); +#endif /* OPENSSL_NO_RFC3779 */ return 1; } diff --git a/crypto/external/bsd/openssl/dist/test/v3nametest.c b/crypto/external/bsd/openssl/dist/test/v3nametest.c index d1852190b84e..566472ab9667 100644 --- a/crypto/external/bsd/openssl/dist/test/v3nametest.c +++ b/crypto/external/bsd/openssl/dist/test/v3nametest.c @@ -1,5 +1,5 @@ /* - * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -646,6 +646,14 @@ static struct gennamedata { 0xb7, 0x09, 0x02, 0x02 }, 15 + }, { + /* + * Regression test for CVE-2023-0286. + */ + { + 0xa3, 0x00 + }, + 2 } }; diff --git a/crypto/external/bsd/openssl/dist/test/x509_internal_test.c b/crypto/external/bsd/openssl/dist/test/x509_internal_test.c index d2f41d708509..bbfaadcfb91f 100644 --- a/crypto/external/bsd/openssl/dist/test/x509_internal_test.c +++ b/crypto/external/bsd/openssl/dist/test/x509_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -57,8 +57,63 @@ static int test_standard_exts(void) return good; } +typedef struct { + const char *ipasc; + const char *data; + int length; +} IP_TESTDATA; + +static IP_TESTDATA a2i_ipaddress_tests[] = { + {"127.0.0.1", "\x7f\x00\x00\x01", 4}, + {"1.2.3.4", "\x01\x02\x03\x04", 4}, + {"1.2.3.255", "\x01\x02\x03\xff", 4}, + {"1.2.3", NULL, 0}, + {"1.2.3 .4", NULL, 0}, + + {"::1", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16}, + {"1:1:1:1:1:1:1:1", "\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01", 16}, + {"2001:db8::ff00:42:8329", "\x20\x01\x0d\xb8\x00\x00\x00\x00\x00\x00\xff\x00\x00\x42\x83\x29", 16}, + {"1:1:1:1:1:1:1:1.test", NULL, 0}, + {":::1", NULL, 0}, + {"2001::123g", NULL, 0}, + + {"example.test", NULL, 0}, + {"", NULL, 0}, + + {"1.2.3.4 ", "\x01\x02\x03\x04", 4}, + {" 1.2.3.4", "\x01\x02\x03\x04", 4}, + {" 1.2.3.4 ", "\x01\x02\x03\x04", 4}, + {"1.2.3.4.example.test", NULL, 0}, +}; + + +static int test_a2i_ipaddress(int idx) +{ + int good = 1; + ASN1_OCTET_STRING *ip; + int len = a2i_ipaddress_tests[idx].length; + + ip = a2i_IPADDRESS(a2i_ipaddress_tests[idx].ipasc); + if (len == 0) { + if (!TEST_ptr_null(ip)) { + good = 0; + TEST_note("'%s' should not be parsed as IP address", a2i_ipaddress_tests[idx].ipasc); + } + } else { + if (!TEST_ptr(ip) + || !TEST_int_eq(ASN1_STRING_length(ip), len) + || !TEST_mem_eq(ASN1_STRING_get0_data(ip), len, + a2i_ipaddress_tests[idx].data, len)) { + good = 0; + } + } + ASN1_OCTET_STRING_free(ip); + return good; +} + int setup_tests(void) { ADD_TEST(test_standard_exts); + ADD_ALL_TESTS(test_a2i_ipaddress, OSSL_NELEM(a2i_ipaddress_tests)); return 1; } diff --git a/crypto/external/bsd/openssl/dist/tools/c_rehash.in b/crypto/external/bsd/openssl/dist/tools/c_rehash.in index fa7c6c9fef91..9d2a6f6db73b 100644 --- a/crypto/external/bsd/openssl/dist/tools/c_rehash.in +++ b/crypto/external/bsd/openssl/dist/tools/c_rehash.in @@ -1,7 +1,7 @@ #!{- $config{HASHBANGPERL} -} # {- join("\n# ", @autowarntext) -} -# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -104,54 +104,97 @@ foreach (@dirlist) { } exit($errorcount); +sub copy_file { + my ($src_fname, $dst_fname) = @_; + + if (open(my $in, "<", $src_fname)) { + if (open(my $out, ">", $dst_fname)) { + print $out $_ while (<$in>); + close $out; + } else { + warn "Cannot open $dst_fname for write, $!"; + } + close $in; + } else { + warn "Cannot open $src_fname for read, $!"; + } +} + sub hash_dir { - my %hashlist; - print "Doing $_[0]\n"; - chdir $_[0]; - opendir(DIR, "."); - my @flist = sort readdir(DIR); - closedir DIR; - if ( $removelinks ) { - # Delete any existing symbolic links - foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if (-l $_) { - print "unlink $_" if $verbose; - unlink $_ || warn "Can't unlink $_, $!\n"; - } - } - } - FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { - # Check to see if certificates and/or CRLs present. - my ($cert, $crl) = check_file($fname); - if (!$cert && !$crl) { - print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; - next; - } - link_hash_cert($fname) if ($cert); - link_hash_crl($fname) if ($crl); - } + my $dir = shift; + my %hashlist; + + print "Doing $dir\n"; + + if (!chdir $dir) { + print STDERR "WARNING: Cannot chdir to '$dir', $!\n"; + return; + } + + opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n"; + my @flist = sort readdir(DIR); + closedir DIR; + if ( $removelinks ) { + # Delete any existing symbolic links + foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { + if (-l $_) { + print "unlink $_\n" if $verbose; + unlink $_ || warn "Can't unlink $_, $!\n"; + } + } + } + FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { + # Check to see if certificates and/or CRLs present. + my ($cert, $crl) = check_file($fname); + if (!$cert && !$crl) { + print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; + next; + } + link_hash_cert($fname) if ($cert); + link_hash_crl($fname) if ($crl); + } + + chdir $pwd; } sub check_file { - my ($is_cert, $is_crl) = (0,0); - my $fname = $_[0]; - open IN, $fname; - while() { - if (/^-----BEGIN (.*)-----/) { - my $hdr = $1; - if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { - $is_cert = 1; - last if ($is_crl); - } elsif ($hdr eq "X509 CRL") { - $is_crl = 1; - last if ($is_cert); - } - } - } - close IN; - return ($is_cert, $is_crl); + my ($is_cert, $is_crl) = (0,0); + my $fname = $_[0]; + + open(my $in, "<", $fname); + while(<$in>) { + if (/^-----BEGIN (.*)-----/) { + my $hdr = $1; + if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { + $is_cert = 1; + last if ($is_crl); + } elsif ($hdr eq "X509 CRL") { + $is_crl = 1; + last if ($is_cert); + } + } + } + close $in; + return ($is_cert, $is_crl); } +sub compute_hash { + my $fh; + if ( $^O eq "VMS" ) { + # VMS uses the open through shell + # The file names are safe there and list form is unsupported + if (!open($fh, "-|", join(' ', @_))) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } else { + if (!open($fh, "-|", @_)) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } + return (<$fh>, <$fh>); +} # Link a certificate to its subject name hash value, each hash is of # the form . where n is an integer. If the hash value already exists @@ -160,72 +203,48 @@ sub check_file { # certificate fingerprints sub link_hash_cert { - my $fname = $_[0]; - $fname =~ s/\"/\\\"/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate certificate $fname\n"; - return; - } - $suffix++; - } - $hash .= ".$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "copy $fname -> $hash\n" if $verbose; - if (open($in, "<", $fname)) { - if (open($out,">", $hash)) { - print $out $_ while (<$in>); - close $out; - } else { - warn "can't open $hash for write, $!"; - } - close $in; - } else { - warn "can't open $fname for read, $!"; - } - } - $hashlist{$hash} = $fprint; + link_hash($_[0], 'cert'); } # Same as above except for a CRL. CRL links are of the form .r sub link_hash_crl { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.r$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.r$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate CRL $fname\n"; - return; - } - $suffix++; - } - $hash .= ".r$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "cp $fname -> $hash\n" if $verbose; - system ("cp", $fname, $hash); - warn "Can't copy, $!" if ($? >> 8) != 0; - } - $hashlist{$hash} = $fprint; + link_hash($_[0], 'crl'); +} + +sub link_hash { + my ($fname, $type) = @_; + my $is_cert = $type eq 'cert'; + + my ($hash, $fprint) = compute_hash($openssl, + $is_cert ? "x509" : "crl", + $is_cert ? $x509hash : $crlhash, + "-fingerprint", "-noout", + "-in", $fname); + chomp $hash; + chomp $fprint; + return if !$hash; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; + # Search for an unused hash filename + my $crlmark = $is_cert ? "" : "r"; + while(exists $hashlist{"$hash.$crlmark$suffix"}) { + # Hash matches: if fingerprint matches its a duplicate cert + if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) { + my $what = $is_cert ? 'certificate' : 'CRL'; + print STDERR "WARNING: Skipping duplicate $what $fname\n"; + return; + } + $suffix++; + } + $hash .= ".$crlmark$suffix"; + if ($symlink_exists) { + print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; + } else { + print "copy $fname -> $hash\n" if $verbose; + copy_file($fname, $hash); + } + $hashlist{$hash} = $fprint; } diff --git a/crypto/external/bsd/openssl/dist/util/perl/OpenSSL/copyright.pm b/crypto/external/bsd/openssl/dist/util/perl/OpenSSL/copyright.pm new file mode 100644 index 000000000000..f560f9d9dc88 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/util/perl/OpenSSL/copyright.pm @@ -0,0 +1,41 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use warnings; + +package OpenSSL::copyright; + +sub year_of { + my $file = shift; + + return $ENV{'OSSL_COPYRIGHT_YEAR'} if defined $ENV{'OSSL_COPYRIGHT_YEAR'}; + + # Use the file date for backward compatibility. + my $YEAR = [localtime([stat($file)]->[9])]->[5] + 1900; + + # See if git's available + open my $FH, + "git log -1 --date=short --format=format:%cd $file 2>/dev/null|" + or return $YEAR; + my $LINE = <$FH>; + close $FH; + $LINE =~ s/^([0-9]*)-.*/$1/ if $LINE; + $YEAR = $LINE if $LINE; + return $YEAR; +} + +sub latest { + my $l = 0; + foreach my $f (@_ ) { + my $y = year_of($f); + $l = $y if $y > $l; + } + return $l +} +1; diff --git a/crypto/external/bsd/openssl/dist/util/private.num b/crypto/external/bsd/openssl/dist/util/private.num index bc7d967b5d14..27790ab8a7ad 100644 --- a/crypto/external/bsd/openssl/dist/util/private.num +++ b/crypto/external/bsd/openssl/dist/util/private.num @@ -323,6 +323,8 @@ SSL_CTX_decrypt_session_ticket_fn define SSL_CTX_disable_ct define SSL_CTX_generate_session_ticket_fn define SSL_CTX_get0_chain_certs define +SSL_CTX_get0_chain_cert_store define +SSL_CTX_get0_verify_cert_store define SSL_CTX_get_default_read_ahead define SSL_CTX_get_max_cert_list define SSL_CTX_get_max_proto_version define @@ -388,6 +390,8 @@ SSL_clear_mode define SSL_disable_ct define SSL_get0_chain_certs define SSL_get0_session define +SSL_get0_chain_cert_store define +SSL_get0_verify_cert_store define SSL_get1_curves define SSL_get1_groups define SSL_get_cipher define diff --git a/crypto/external/bsd/openssl/lib/libcrypto/bn.inc b/crypto/external/bsd/openssl/lib/libcrypto/bn.inc index 88effe6d81a1..b8b4c1467652 100644 --- a/crypto/external/bsd/openssl/lib/libcrypto/bn.inc +++ b/crypto/external/bsd/openssl/lib/libcrypto/bn.inc @@ -1,4 +1,4 @@ -# $NetBSD: bn.inc,v 1.6 2021/08/15 13:32:43 rillig Exp $ +# $NetBSD: bn.inc,v 1.8 2023/02/08 15:51:36 christos Exp $ # # @(#) Copyright (c) 1995 Simon J. Gerraty # @@ -40,6 +40,7 @@ bn_sqrt.c \ bn_srp.c \ bn_word.c \ bn_x931p.c \ +rsa_sup_mul.c \ rsaz_exp.c SRCS += ${BN_SRCS} diff --git a/crypto/external/bsd/openssl/lib/libcrypto/shlib_version b/crypto/external/bsd/openssl/lib/libcrypto/shlib_version index 16f32fad1ee4..2ae684841d21 100644 --- a/crypto/external/bsd/openssl/lib/libcrypto/shlib_version +++ b/crypto/external/bsd/openssl/lib/libcrypto/shlib_version @@ -1,5 +1,5 @@ -# $NetBSD: shlib_version,v 1.14 2018/09/23 13:33:04 christos Exp $ +# $NetBSD: shlib_version,v 1.15 2023/02/08 15:51:36 christos Exp $ # Remember to update distrib/sets/lists/base/shl.* when changing # major=14 -minor=0 +minor=1