deps: upgrade openssl sources to quictls/openssl-3.0.14+quic1

PR-URL: https://github.com/nodejs/node/pull/54336
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Node.js GitHub Bot 2024-08-12 15:14:08 +00:00
parent 53c5322c6a
commit 94d062bc78
158 changed files with 2301 additions and 798 deletions


@ -28,12 +28,78 @@ breaking changes, and mappings for the large list of deprecated functions.
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
### Changes between 3.0.13 and 3.0.13+quic [30 Jan 2024] ### Changes between 3.0.14 and 3.0.14+quic [7 Jun 2024]
* Add QUIC API support from BoringSSL * Add QUIC API support from BoringSSL
*Todd Short* *Todd Short*
### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called.
The SSL_free_buffers function is used to free the internal OpenSSL
buffer used when processing an incoming record from the network.
The call is only expected to succeed if the buffer is not currently
in use. However, two scenarios have been identified where the buffer
is freed even when still in use.
The first scenario occurs where a record header has been received
from the network and processed by OpenSSL, but the full record body
has not yet arrived. In this case calling SSL_free_buffers will succeed
even though a record has only been partially processed and the buffer
is still in use.
The second scenario occurs where a full record containing application
data has been received and processed by OpenSSL but the application has
only read part of this data. Again a call to SSL_free_buffers will
succeed even though the buffer is still in use.
([CVE-2024-4741])
*Matt Caswell*
* Fixed an issue where checking excessively long DSA keys or parameters may
be very slow.
Applications that use the functions EVP_PKEY_param_check() or
EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
experience long delays. Where the key or parameters that are being checked
have been obtained from an untrusted source this may lead to a Denial of
Service.
To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
reason.
([CVE-2024-4603])
*Tomáš Mráz*
* Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
exploit certain server configurations to trigger unbounded memory growth that
would lead to a Denial of Service
This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
is being used (but not if early_data is also configured and the default
anti-replay protection is in use). In this case, under certain conditions,
the session cache can get into an incorrect state and it will fail to flush
properly as it fills. The session cache will continue to grow in an unbounded
manner. A malicious client could deliberately create the scenario for this
failure to force a Denial of Service. It may also happen by accident in
normal operation.
([CVE-2024-2511])
*Matt Caswell*
* New atexit configuration switch, which controls whether the OPENSSL_cleanup
is registered when libcrypto is unloaded. This can be used on platforms
where using atexit() from shared libraries causes crashes on exit.
*Randall S. Becker*
### Changes between 3.0.12 and 3.0.13 [30 Jan 2024] ### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]
* A file in PKCS12 format can contain certificates and keys and may come from * A file in PKCS12 format can contain certificates and keys and may come from
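Review bot: two upstream text nits in the new 3.0.14 section: the CVE-2024-2511 entry drops the full stop after "would lead to a Denial of Service", so that sentence runs straight into "This problem can occur in TLSv1.3 ...", and the atexit entry describes a "New atexit configuration switch" without naming the actual Configure option, `no-atexit`, that INSTALL.md documents further down in this patch. Both are vendored upstream text, so they belong in an upstream fix rather than a local edit of deps/openssl.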
@ -19830,6 +19896,9 @@ ndif
<!-- Links --> <!-- Links -->
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129


@ -9,7 +9,7 @@ Development is done on GitHub in the [openssl/openssl] repository.
[openssl/openssl]: <https://github.com/openssl/openssl> [openssl/openssl]: <https://github.com/openssl/openssl>
To request new a feature, ask a question, or report a bug, To request a new feature, ask a question, or report a bug,
please open an [issue on GitHub](https://github.com/openssl/openssl/issues). please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
To submit a patch or implement a new feature, please open a To submit a patch or implement a new feature, please open a
@ -67,7 +67,8 @@ guidelines:
often. We do not accept merge commits, you will have to remove them often. We do not accept merge commits, you will have to remove them
(usually by rebasing) before it will be acceptable. (usually by rebasing) before it will be acceptable.
4. Code provided should follow our [coding style] and compile without warnings. 4. Code provided should follow our [coding style] and [documentation policy]
and compile without warnings.
There is a [Perl tool](util/check-format.pl) that helps There is a [Perl tool](util/check-format.pl) that helps
finding code formatting mistakes and other coding style nits. finding code formatting mistakes and other coding style nits.
Where `gcc` or `clang` is available, you should use the Where `gcc` or `clang` is available, you should use the
@ -77,6 +78,7 @@ guidelines:
whenever a PR is created or updated by committers. whenever a PR is created or updated by committers.
[coding style]: https://www.openssl.org/policies/technical/coding-style.html [coding style]: https://www.openssl.org/policies/technical/coding-style.html
[documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
5. When at all possible, code contributions should include tests. These can 5. When at all possible, code contributions should include tests. These can
either be added to an existing test, or completely new. Please see either be added to an existing test, or completely new. Please see


@ -784,7 +784,14 @@ my %targets = (
asm_arch => 'aarch64', asm_arch => 'aarch64',
perlasm_scheme => "linux64", perlasm_scheme => "linux64",
}, },
"linux-arm64ilp32-clang" => { # clang config abi by --target
inherit_from => [ "linux-generic32" ],
CC => "clang",
CXX => "clang++",
bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
asm_arch => 'aarch64',
perlasm_scheme => "linux64",
},
"linux-mips32" => { "linux-mips32" => {
# Configure script adds minimally required -march for assembly # Configure script adds minimally required -march for assembly
# support, if no -march was specified at command line. # support, if no -march was specified at command line.
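Review bot: the new `linux-arm64ilp32-clang` target inherits `linux-generic32` yet sets `bn_ops => "SIXTY_FOUR_BIT RC4_CHAR"` with aarch64 assembly, and the only explanation is the terse `# clang config abi by --target`. Since the entry sets no `cflags` of its own, the ILP32 ABI must come from a `--target` flag the user supplies; spell that out in the comment so nobody reads the 32/64 mix as a mistake.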


@ -49,16 +49,16 @@ my %targets = (
# #
"iphoneos-cross" => { "iphoneos-cross" => {
inherit_from => [ "ios-common" ], inherit_from => [ "ios-common" ],
cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"), cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\" -fno-common"),
}, },
"ios-cross" => { "ios-cross" => {
inherit_from => [ "ios-xcrun" ], inherit_from => [ "ios-xcrun" ],
CC => "cc", CC => "cc",
cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"), cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
}, },
"ios64-cross" => { "ios64-cross" => {
inherit_from => [ "ios64-xcrun" ], inherit_from => [ "ios64-xcrun" ],
CC => "cc", CC => "cc",
cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"), cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
}, },
); );


@ -21,7 +21,7 @@
sub dependmagic { sub dependmagic {
my $target = shift; my $target = shift;
return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target"; return "$target: build_generated\n\t\"\$(MAKE)\" depend && \"\$(MAKE)\" _$target\n_$target";
} }
our $COLUMNS = $ENV{COLUMNS}; our $COLUMNS = $ENV{COLUMNS};
@ -527,7 +527,7 @@ all: build_sw build_docs
test: tests test: tests
{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils {- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils
$(MAKE) run_tests "$(MAKE)" run_tests
run_tests: FORCE run_tests: FORCE
@ : {- output_off() if $disabled{tests}; "" -} @ : {- output_off() if $disabled{tests}; "" -}
( SRCTOP=$(SRCDIR) \ ( SRCTOP=$(SRCDIR) \
@ -542,7 +542,7 @@ run_tests: FORCE
list-tests: list-tests:
@ : {- output_off() if $disabled{tests}; "" -} @ : {- output_off() if $disabled{tests}; "" -}
$(MAKE) run_tests TESTS=list "$(MAKE)" run_tests TESTS=list
@ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} @ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
@echo "Tests are not supported with your chosen Configure options" @echo "Tests are not supported with your chosen Configure options"
@ : {- output_on() if !$disabled{tests}; "" -} @ : {- output_on() if !$disabled{tests}; "" -}
@ -1193,12 +1193,12 @@ providers/fips.module.sources.new: configdata.pm
cd sources-tmp \ cd sources-tmp \
&& $$srcdir/Configure --banner=Configured enable-fips -O0 \ && $$srcdir/Configure --banner=Configured enable-fips -O0 \
&& ./configdata.pm --query 'get_sources("providers/fips")' > sources1 \ && ./configdata.pm --query 'get_sources("providers/fips")' > sources1 \
&& $(MAKE) -sj 4 build_generated providers/fips.so \ && "$(MAKE)" -sj 4 build_generated providers/fips.so \
&& find . -name '*.d' | xargs cat > dep1 \ && find . -name '*.d' | xargs cat > dep1 \
&& $(MAKE) distclean \ && "$(MAKE)" distclean \
&& $$srcdir/Configure --banner=Configured enable-fips no-asm -O0 \ && $$srcdir/Configure --banner=Configured enable-fips no-asm -O0 \
&& ./configdata.pm --query 'get_sources("providers/fips")' > sources2 \ && ./configdata.pm --query 'get_sources("providers/fips")' > sources2 \
&& $(MAKE) -sj 4 build_generated providers/fips.so \ && "$(MAKE)" -sj 4 build_generated providers/fips.so \
&& find . -name '*.d' | xargs cat > dep2 \ && find . -name '*.d' | xargs cat > dep2 \
&& cat sources1 sources2 \ && cat sources1 sources2 \
| grep -v ' : \\$$' | grep -v util/providers.num \ | grep -v ' : \\$$' | grep -v util/providers.num \
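Review bot: `$(MAKE)` is now consistently quoted as `"$(MAKE)"`, but in the same recipe `$$srcdir/Configure` (both `&& $$srcdir/Configure --banner=Configured enable-fips ...` lines) stays unquoted. If the point of the quoting is to survive MAKE values or paths containing spaces, `$$srcdir` needs the same treatment; if it is only about `$(MAKE)` being something like `make -j4`, a short comment in `dependmagic` saying so would prevent the inconsistency being "fixed" either way later.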
@ -1332,7 +1332,7 @@ ordinals: build_generated
$(SSLHEADERS) $(SSLHEADERS)
test_ordinals: test_ordinals:
$(MAKE) run_tests TESTS=test_ordinals "$(MAKE)" run_tests TESTS=test_ordinals
tags TAGS: FORCE tags TAGS: FORCE
rm -f TAGS tags rm -f TAGS tags


@ -1,6 +1,6 @@
#! /usr/bin/env perl #! /usr/bin/env perl
# -*- mode: perl; -*- # -*- mode: perl; -*-
# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
# #
# Licensed under the Apache License 2.0 (the "License"). You may not use # Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy # this file except in compliance with the License. You can obtain a copy
@ -405,6 +405,7 @@ my @disablables = (
"asan", "asan",
"asm", "asm",
"async", "async",
"atexit",
"autoalginit", "autoalginit",
"autoerrinit", "autoerrinit",
"autoload-config", "autoload-config",


@ -1,6 +0,0 @@
Frequently Asked Questions (FAQ)
================================
The [Frequently Asked Questions][FAQ] are now maintained on the OpenSSL homepage.
[FAQ]: https://www.openssl.org/docs/faq.html
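Review bot: FAQ.md is deleted outright rather than reduced, so any remaining reference to it (README, doc index, Node's own deps documentation) would now be a dangling link. Nothing in this diff shows such a reference, but a quick grep of the vendored tree before landing is cheap.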


@ -480,7 +480,7 @@ Setting the FIPS HMAC key
As part of its self-test validation, the FIPS module must verify itself As part of its self-test validation, the FIPS module must verify itself
by performing a SHA-256 HMAC computation on itself. The default key is by performing a SHA-256 HMAC computation on itself. The default key is
the SHA256 value of "the holy handgrenade of antioch" and is sufficient the SHA256 value of "holy hand grenade of antioch" and is sufficient
for meeting the FIPS requirements. for meeting the FIPS requirements.
To change the key to a different value, use this flag. The value should To change the key to a different value, use this flag. The value should
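Review bot: the documented default FIPS HMAC key string changes from "the holy handgrenade of antioch" to "holy hand grenade of antioch". The module integrity check is keyed on the SHA-256 of that exact string, so this can only be a documentation correction to match the constant compiled into the module, not a change of the key; the hunk does not show the source constant, so confirm which it is before anyone copies the string from the docs into a custom build.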
@ -546,6 +546,13 @@ be used even with this option.
Do not build support for async operations. Do not build support for async operations.
### no-atexit
Do not use `atexit()` in libcrypto builds.
`atexit()` has varied semantics between platforms and can cause SIGSEGV in some
circumstances. This option disables the atexit registration of OPENSSL_cleanup.
### no-autoalginit ### no-autoalginit
Don't automatically load all supported ciphers and digests. Don't automatically load all supported ciphers and digests.
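Review bot: the `no-atexit` section says what the option disables but not what the application must then do: with `OPENSSL_cleanup` no longer registered via `atexit()`, nothing frees OpenSSL's global state at exit unless the program calls `OPENSSL_cleanup()` itself. One sentence stating that (and that skipping the call is safe, merely leaky) would make the option self-explanatory instead of sending readers to the platform NOTES file.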


@ -18,6 +18,18 @@ OpenSSL Releases
OpenSSL 3.0 OpenSSL 3.0
----------- -----------
### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called
([CVE-2024-4741])
* Fixed an issue where checking excessively long DSA keys or parameters may
be very slow
([CVE-2024-4603])
* Fixed unbounded memory growth with session handling in TLSv1.3
([CVE-2024-2511])
### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024] ### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]
* Fixed PKCS12 Decoding crashes * Fixed PKCS12 Decoding crashes
@ -1470,6 +1482,9 @@ OpenSSL 0.9.x
<!-- Links --> <!-- Links -->
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129


@ -56,7 +56,10 @@ relating to `atexit()` processing when a shared library is unloaded and when
the program terminates. This limitation applies to all OpenSSL shared library the program terminates. This limitation applies to all OpenSSL shared library
components. components.
A resolution to this situation is under investigation. It is possible to configure the build with `no-atexit` to avoid the SIGSEGV.
Preferably, you can explicitly call `OPENSSL_cleanup()` from your application.
It is not mandatory as it just deallocates various global data structures
OpenSSL allocated.
About Prefix and OpenSSLDir About Prefix and OpenSSLDir
--------------------------- ---------------------------
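Review bot: the new text presents "explicitly call `OPENSSL_cleanup()` from your application" as the preferable alternative to building with `no-atexit`, but an explicit call does not unregister the `atexit()` handler; if the SIGSEGV described above comes from that handler running after the shared library is unloaded, only `no-atexit` removes the cause. Reword to say the explicit call is recommended in addition to `no-atexit`, or explain why calling it early makes the later handler invocation harmless.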


@ -1,7 +1,7 @@
MAJOR=3 MAJOR=3
MINOR=0 MINOR=0
PATCH=13 PATCH=14
PRE_RELEASE_TAG= PRE_RELEASE_TAG=
BUILD_METADATA=quic BUILD_METADATA=quic
RELEASE_DATE="30 Jan 2024" RELEASE_DATE="4 Jun 2024"
SHLIB_VERSION=81.3 SHLIB_VERSION=81.3
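Review bot: `PATCH` and `RELEASE_DATE` move to 14 / "4 Jun 2024" while `BUILD_METADATA=quic` and `SHLIB_VERSION=81.3` are unchanged. An unchanged SHLIB_VERSION is expected for an ABI-compatible patch release, but the generated version header takes its string from this file, so double-check these values against the quictls `openssl-3.0.14+quic1` tag named in the commit title rather than trusting the tarball.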


@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -1318,7 +1318,8 @@ int ssl_load_stores(SSL_CTX *ctx,
if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore)) if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore))
goto err; goto err;
add_crls_store(vfy, crls); add_crls_store(vfy, crls);
SSL_CTX_set1_verify_cert_store(ctx, vfy); if (SSL_CTX_set1_verify_cert_store(ctx, vfy) == 0)
goto err;
if (crl_download) if (crl_download)
store_setup_crl_download(vfy); store_setup_crl_download(vfy);
} }
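Review bot: checking the return of `SSL_CTX_set1_verify_cert_store()` is the right fix, but the new `goto err` path relies on the `err:` block (not in the hunk) to release `vfy`: `set1` only takes a reference, so on failure the locally created store is still owned here and leaks unless `X509_STORE_free(vfy)` runs on that path. The same question applies to `SSL_CTX_set1_chain_cert_store()` and `ch` in the next hunk.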
@ -1332,7 +1333,8 @@ int ssl_load_stores(SSL_CTX *ctx,
goto err; goto err;
if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore)) if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore))
goto err; goto err;
SSL_CTX_set1_chain_cert_store(ctx, ch); if (SSL_CTX_set1_chain_cert_store(ctx, ch) == 0)
goto err;
} }
rv = 1; rv = 1;
err: err:


@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -1230,6 +1230,7 @@ static void list_provider_info(void)
} }
if (OSSL_PROVIDER_do_all(NULL, &collect_providers, providers) != 1) { if (OSSL_PROVIDER_do_all(NULL, &collect_providers, providers) != 1) {
sk_OSSL_PROVIDER_free(providers);
BIO_printf(bio_err, "ERROR: Memory allocation\n"); BIO_printf(bio_err, "ERROR: Memory allocation\n");
return; return;
} }


@ -1,5 +1,5 @@
/* /*
* Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -11,7 +11,7 @@
#ifdef OPENSSL_SYS_VMS #ifdef OPENSSL_SYS_VMS
/* So fd_set and friends get properly defined on OpenVMS */ /* So fd_set and friends get properly defined on OpenVMS */
# define _XOPEN_SOURCE_EXTENDED # define _XOPEN_SOURCE_EXTENDED 1
#endif #endif
#include <stdio.h> #include <stdio.h>


@ -1,5 +1,5 @@
/* /*
* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -712,9 +712,6 @@ int pkcs12_main(int argc, char **argv)
in = bio_open_default(infile, 'r', FORMAT_PKCS12); in = bio_open_default(infile, 'r', FORMAT_PKCS12);
if (in == NULL) if (in == NULL)
goto end; goto end;
out = bio_open_owner(outfile, FORMAT_PEM, private);
if (out == NULL)
goto end;
p12 = PKCS12_init_ex(NID_pkcs7_data, app_get0_libctx(), app_get0_propq()); p12 = PKCS12_init_ex(NID_pkcs7_data, app_get0_libctx(), app_get0_propq());
if (p12 == NULL) { if (p12 == NULL) {
@ -814,6 +811,11 @@ int pkcs12_main(int argc, char **argv)
dump: dump:
assert(private); assert(private);
out = bio_open_owner(outfile, FORMAT_PEM, private);
if (out == NULL)
goto end;
if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout, enc)) { if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout, enc)) {
BIO_printf(bio_err, "Error outputting keys and certificates\n"); BIO_printf(bio_err, "Error outputting keys and certificates\n");
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
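Review bot: opening `out` only after `dump:` means a PKCS12 file that fails to parse no longer creates or truncates `outfile`, which is the behaviour you want when the input is untrusted; but the previous hunk removed the only unconditional `bio_open_owner()` call, so the export (non-dump) branch must now open `out` on its own. That branch is not visible here; confirm it does, otherwise export writes to a NULL BIO.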
@ -855,7 +857,11 @@ int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
} else if (bagnid == NID_pkcs7_encrypted) { } else if (bagnid == NID_pkcs7_encrypted) {
if (options & INFO) { if (options & INFO) {
BIO_printf(bio_err, "PKCS7 Encrypted data: "); BIO_printf(bio_err, "PKCS7 Encrypted data: ");
alg_print(p7->d.encrypted->enc_data->algorithm); if (p7->d.encrypted == NULL) {
BIO_printf(bio_err, "<no data>\n");
} else {
alg_print(p7->d.encrypted->enc_data->algorithm);
}
} }
bags = PKCS12_unpack_p7encdata(p7, pass, passlen); bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
} else { } else {
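Review bot: the `p7->d.encrypted == NULL` guard only protects the `alg_print()` call inside `if (options & INFO)`; two lines later `PKCS12_unpack_p7encdata(p7, pass, passlen)` still receives the same `p7`. It should fail cleanly on a NULL `encrypted` member, but a matching check (or an early `continue`) at this level would make the malformed-input handling explicit instead of relying on the callee.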


@ -569,7 +569,7 @@ int req_main(int argc, char **argv)
X509V3_CTX ctx; X509V3_CTX ctx;
X509V3_set_ctx_test(&ctx); X509V3_set_ctx_test(&ctx);
X509V3_set_nconf(&ctx, addext_conf); X509V3_set_nconf(&ctx, req_conf);
if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) { if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) {
BIO_printf(bio_err, "Error checking extensions defined using -addext\n"); BIO_printf(bio_err, "Error checking extensions defined using -addext\n");
goto end; goto end;
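Review bot: switching to `X509V3_set_nconf(&ctx, req_conf)` changes which configuration the `-addext` pre-check resolves section references against: extension values of the form `@section` now look up `req_conf` instead of the synthesized `addext_conf`. That presumably matches what the real certificate-generation path does, so the check no longer rejects extensions that would later succeed; a one-line comment saying so would stop someone reverting it as a typo.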


@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
@ -727,8 +727,12 @@ static int EVP_Update_loop(void *args)
unsigned char *buf = tempargs->buf; unsigned char *buf = tempargs->buf;
EVP_CIPHER_CTX *ctx = tempargs->ctx; EVP_CIPHER_CTX *ctx = tempargs->ctx;
int outl, count, rc; int outl, count, rc;
unsigned char faketag[16] = { 0xcc };
if (decrypt) { if (decrypt) {
if (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) {
(void)EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(faketag), faketag);
}
for (count = 0; COND(c[D_EVP][testnum]); count++) { for (count = 0; COND(c[D_EVP][testnum]); count++) {
rc = EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); rc = EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]);
if (rc != 1) { if (rc != 1) {
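Review bot: `unsigned char faketag[16] = { 0xcc };` sets only the first byte to 0xcc; the remaining fifteen are zero-initialised. For a placeholder handed to `EVP_CTRL_AEAD_SET_TAG` that is harmless, but if a recognisable fill pattern was intended use `memset`, and add a comment that the tag is deliberately bogus and exists only so AEAD decrypt contexts accept `EVP_DecryptUpdate()` in the benchmark loop.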


@ -1,5 +1,5 @@
/* /*
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -535,15 +535,18 @@ static int create_digest(BIO *input, const char *digest, const EVP_MD *md,
*md_value = OPENSSL_hexstr2buf(digest, &digest_len); *md_value = OPENSSL_hexstr2buf(digest, &digest_len);
if (*md_value == NULL || md_value_len != digest_len) { if (*md_value == NULL || md_value_len != digest_len) {
OPENSSL_free(*md_value);
*md_value = NULL;
BIO_printf(bio_err, "bad digest, %d bytes " BIO_printf(bio_err, "bad digest, %d bytes "
"must be specified\n", md_value_len); "must be specified\n", md_value_len);
return 0; goto err;
} }
} }
rv = md_value_len; rv = md_value_len;
err: err:
if (rv <= 0) {
OPENSSL_free(*md_value);
*md_value = NULL;
rv = 0;
}
EVP_MD_CTX_free(md_ctx); EVP_MD_CTX_free(md_ctx);
return rv; return rv;
} }
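Review bot: the consolidated `err:` cleanup frees `*md_value` whenever `rv <= 0`, which is correct for the new `goto err` at the "bad digest" branch (`OPENSSL_free(NULL)` is fine). It does depend on `rv` being initialised to 0 or negative at function entry, which this hunk does not show; if any earlier failure path reaches `err:` with `rv` unset, the free is skipped and the caller receives a garbage length.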


@ -76,7 +76,7 @@ DEFINE[../../providers/libdefault.a]=$AESDEF
# already gets everything that the static libcrypto.a has, and doesn't need it # already gets everything that the static libcrypto.a has, and doesn't need it
# added again. # added again.
IF[{- !$disabled{module} && !$disabled{shared} -}] IF[{- !$disabled{module} && !$disabled{shared} -}]
DEFINE[../providers/liblegacy.a]=$AESDEF DEFINE[../../providers/liblegacy.a]=$AESDEF
ENDIF ENDIF
GENERATE[aes-ia64.s]=asm/aes-ia64.S GENERATE[aes-ia64.s]=asm/aes-ia64.S


@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -869,8 +869,12 @@ static int bio_wait(BIO *bio, time_t max_time, unsigned int nap_milliseconds)
return 1; return 1;
#ifndef OPENSSL_NO_SOCK #ifndef OPENSSL_NO_SOCK
if (BIO_get_fd(bio, &fd) > 0 && fd < FD_SETSIZE) if (BIO_get_fd(bio, &fd) > 0) {
return BIO_socket_wait(fd, BIO_should_read(bio), max_time); int ret = BIO_socket_wait(fd, BIO_should_read(bio), max_time);
if (ret != -1)
return ret;
}
#endif #endif
/* fall back to polling since no sockets are available */ /* fall back to polling since no sockets are available */
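Review bot: dropping the `fd < FD_SETSIZE` test here and treating `BIO_socket_wait() == -1` as "use the polling fallback" is fine as long as -1 means only "fd not usable with select", which is what the bio_sock.c hunk returns for out-of-range descriptors. If `BIO_socket_wait()` also returns -1 when `select()` itself fails, that error is now silently downgraded to polling; a comment stating the contract either way would keep the two files in step.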


@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -396,7 +396,11 @@ int BIO_socket_wait(int fd, int for_read, time_t max_time)
struct timeval tv; struct timeval tv;
time_t now; time_t now;
#ifdef _WIN32
if ((SOCKET)fd == INVALID_SOCKET)
#else
if (fd < 0 || fd >= FD_SETSIZE) if (fd < 0 || fd >= FD_SETSIZE)
#endif
return -1; return -1;
if (max_time == 0) if (max_time == 0)
return 1; return 1;
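Review bot: the `#ifdef _WIN32` split is right in substance (WinSock's `fd_set` is an array of SOCKET values, so `FD_SETSIZE` bounds the count, not the handle value), but the hunk gives no hint why the two platforms differ, and `(SOCKET)fd` silently widens an `int`-stored handle. A one-line comment above the `#ifdef` would save the next reader from re-deriving this.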


@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -618,14 +618,29 @@ int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
int i; int i;
BN_ULONG t1, t2, *ap, *bp; BN_ULONG t1, t2, *ap, *bp;
ap = a->d;
bp = b->d;
if (BN_get_flags(a, BN_FLG_CONSTTIME)
&& a->top == b->top) {
int res = 0;
for (i = 0; i < b->top; i++) {
res = constant_time_select_int(constant_time_lt_bn(ap[i], bp[i]),
-1, res);
res = constant_time_select_int(constant_time_lt_bn(bp[i], ap[i]),
1, res);
}
return res;
}
bn_check_top(a); bn_check_top(a);
bn_check_top(b); bn_check_top(b);
i = a->top - b->top; i = a->top - b->top;
if (i != 0) if (i != 0)
return i; return i;
ap = a->d;
bp = b->d;
for (i = a->top - 1; i >= 0; i--) { for (i = a->top - 1; i >= 0; i--) {
t1 = ap[i]; t1 = ap[i];
t2 = bp[i]; t2 = bp[i];
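Review bot: the constant-time branch is taken only when `a` carries `BN_FLG_CONSTTIME` and `a->top == b->top`; a flagged `b` with an unflagged `a`, or any width mismatch, falls through to the variable-time loop below and leaks the comparison. That is acceptable if every caller guarantees fixed-top operands of equal width, but the precondition should be documented at the function. Also, the loop scans from `i = 0` upward so the most significant differing word wins through the last `constant_time_select_int`; correct, but non-obvious enough to deserve a comment.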
@ -737,11 +752,10 @@ int BN_is_bit_set(const BIGNUM *a, int n)
return (int)(((a->d[i]) >> j) & ((BN_ULONG)1)); return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
} }
int BN_mask_bits(BIGNUM *a, int n) int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n)
{ {
int b, w; int b, w;
bn_check_top(a);
if (n < 0) if (n < 0)
return 0; return 0;
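Review bot: `ossl_bn_mask_bits_fixed_top()` drops the `bn_check_top(a)` call because a fixed-top input would legitimately fail it, but nothing at the definition says so. Add a comment stating the fixed-top contract (the result's `top` is not normalised and callers must not assume it is) and that `BN_mask_bits()` remains the normalising public wrapper.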
@ -755,10 +769,21 @@ int BN_mask_bits(BIGNUM *a, int n)
a->top = w + 1; a->top = w + 1;
a->d[w] &= ~(BN_MASK2 << b); a->d[w] &= ~(BN_MASK2 << b);
} }
bn_correct_top(a); a->flags |= BN_FLG_FIXED_TOP;
return 1; return 1;
} }
int BN_mask_bits(BIGNUM *a, int n)
{
int ret;
bn_check_top(a);
ret = ossl_bn_mask_bits_fixed_top(a, n);
if (ret)
bn_correct_top(a);
return ret;
}
void BN_set_negative(BIGNUM *a, int b) void BN_set_negative(BIGNUM *a, int b)
{ {
if (b && !BN_is_zero(a)) if (b && !BN_is_zero(a))
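Review bot: `BN_mask_bits()` now calls `ossl_bn_mask_bits_fixed_top()`, which sets `BN_FLG_FIXED_TOP`, and then `bn_correct_top()`. This is only correct if `bn_correct_top()` clears `BN_FLG_FIXED_TOP` again; otherwise the public, normalised result is mislabelled as fixed-top. Confirm against `bn_correct_top()` (not in the hunk) or clear the flag explicitly in the wrapper.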
@ -935,6 +960,22 @@ int BN_is_word(const BIGNUM *a, const BN_ULONG w)
return BN_abs_is_word(a, w) && (!w || !a->neg); return BN_abs_is_word(a, w) && (!w || !a->neg);
} }
int ossl_bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w)
{
int res, i;
const BN_ULONG *ap = a->d;
if (a->neg || a->top == 0)
return 0;
res = constant_time_select_int(constant_time_eq_bn(ap[0], w), 1, 0);
for (i = 1; i < a->top; i++)
res = constant_time_select_int(constant_time_is_zero_bn(ap[i]),
res, 0);
return res;
}
int BN_is_odd(const BIGNUM *a) int BN_is_odd(const BIGNUM *a)
{ {
return (a->top > 0) && (a->d[0] & 1); return (a->top > 0) && (a->d[0] & 1);
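Review bot: `ossl_bn_is_word_fixed_top()` returns 0 early when `a->top == 0`, so a zero `BIGNUM` with no words compares unequal even for `w == 0`, whereas `BN_is_word()` just above treats that as true. Fixed-top values normally have `top >= 1`, so this may be fine, but the divergence should be stated in a comment or the `w == 0` case handled. The `a->neg || a->top == 0` early return is also variable-time, which is acceptable only if neither is secret.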


@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -186,8 +186,8 @@ static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range,
} else { } else {
do { do {
/* range = 11..._2 or range = 101..._2 */ /* range = 11..._2 or range = 101..._2 */
if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY,
ctx)) strength, ctx))
return 0; return 0;
if (!--count) { if (!--count) {
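Review bot: passing `strength` instead of the literal 0 to `bnrand()` in the `range = 11..._2 / 101..._2` branch fixes a path where the caller's requested strength was silently dropped; check that the other branch of `bnrand_range()` (`range = 100..._2`, not shown) already forwards `strength` so both branches request the same quality of randomness.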
@ -240,17 +240,63 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range)
# endif # endif
#endif #endif
int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range,
unsigned int strength, BN_CTX *ctx)
{
int n;
int count = 100;
if (r == NULL) {
ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (range->neg || BN_is_zero(range)) {
ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE);
return 0;
}
n = BN_num_bits(range); /* n > 0 */
/* BN_is_bit_set(range, n - 1) always holds */
if (n == 1) {
BN_zero(r);
} else {
BN_set_flags(r, BN_FLG_CONSTTIME);
do {
if (!bnrand(PRIVATE, r, n + 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY,
strength, ctx))
return 0;
if (!--count) {
ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS);
return 0;
}
ossl_bn_mask_bits_fixed_top(r, n);
}
while (BN_ucmp(r, range) >= 0);
#ifdef BN_DEBUG
/* With BN_DEBUG on a fixed top number cannot be returned */
bn_correct_top(r);
#endif
}
return 1;
}
/* /*
* BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike * ossl_bn_gen_dsa_nonce_fixed_top generates a random number 0 <= out < range.
* BN_rand_range, it also includes the contents of |priv| and |message| in * Unlike BN_rand_range, it also includes the contents of |priv| and |message|
* the generation so that an RNG failure isn't fatal as long as |priv| * in the generation so that an RNG failure isn't fatal as long as |priv|
* remains secret. This is intended for use in DSA and ECDSA where an RNG * remains secret. This is intended for use in DSA and ECDSA where an RNG
* weakness leads directly to private key exposure unless this function is * weakness leads directly to private key exposure unless this function is
* used. * used.
*/ */
int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range,
const BIGNUM *priv, const unsigned char *message, const BIGNUM *priv,
size_t message_len, BN_CTX *ctx) const unsigned char *message,
size_t message_len, BN_CTX *ctx)
{ {
EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
/* /*
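Review bot: `ossl_bn_priv_rand_range_fixed_top()` sets `BN_FLG_CONSTTIME` on the caller's `r` and never clears it, so the flag outlives the call; callers must expect a CONSTTIME, fixed-top result, and under `BN_DEBUG` the fixed-top shape is deliberately discarded by `bn_correct_top(r)`, so debug and release builds return differently shaped numbers. Also, the `BN_ucmp(r, range)` rejection test only hits the new constant-time path when `r->top == range->top`; masking to `n` bits with `ossl_bn_mask_bits_fixed_top(r, n)` gives exactly that, but the dependency between the two functions deserves a comment here.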
@ -260,20 +306,24 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
unsigned char random_bytes[64]; unsigned char random_bytes[64];
unsigned char digest[SHA512_DIGEST_LENGTH]; unsigned char digest[SHA512_DIGEST_LENGTH];
unsigned done, todo; unsigned done, todo;
/* We generate |range|+8 bytes of random output. */ /* We generate |range|+1 bytes of random output. */
const unsigned num_k_bytes = BN_num_bytes(range) + 8; const unsigned num_k_bytes = BN_num_bytes(range) + 1;
unsigned char private_bytes[96]; unsigned char private_bytes[96];
unsigned char *k_bytes = NULL; unsigned char *k_bytes = NULL;
const int max_n = 64; /* Pr(failure to generate) < 2^max_n */
int n;
int ret = 0; int ret = 0;
EVP_MD *md = NULL; EVP_MD *md = NULL;
OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx);
if (mdctx == NULL) if (mdctx == NULL)
goto err; goto end;
k_bytes = OPENSSL_malloc(num_k_bytes); k_bytes = OPENSSL_malloc(num_k_bytes);
if (k_bytes == NULL) if (k_bytes == NULL)
goto err; goto end;
/* Ensure top byte is set to avoid non-constant time in bin2bn */
k_bytes[0] = 0xff;
/* We copy |priv| into a local buffer to avoid exposing its length. */ /* We copy |priv| into a local buffer to avoid exposing its length. */
if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
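Review bot: the comment `/* We generate |range|+1 bytes of random output. */` is misleading once `k_bytes[0] = 0xff` pins the first byte; only BN_num_bytes(range) bytes are derived from the digest loop, and the extra byte exists purely so that BN_bin2bn sees a non-zero top word. Say that in the comment. Also `/* Pr(failure to generate) < 2^max_n */` should read 2^-max_n: a candidate masked to BN_num_bits(range) bits is below range with probability at least 1/2, so 64 rejections happen with probability below 2^-64, not 2^64.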
@ -283,41 +333,60 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
* length of the private key. * length of the private key.
*/ */
ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE); ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE);
goto err; goto end;
} }
md = EVP_MD_fetch(libctx, "SHA512", NULL); md = EVP_MD_fetch(libctx, "SHA512", NULL);
if (md == NULL) { if (md == NULL) {
ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST); ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST);
goto err; goto end;
} }
for (done = 0; done < num_k_bytes;) { for (n = 0; n < max_n; n++) {
if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 0) <= 0) unsigned char i = 0;
goto err;
if (!EVP_DigestInit_ex(mdctx, md, NULL) for (done = 1; done < num_k_bytes;) {
|| !EVP_DigestUpdate(mdctx, &done, sizeof(done)) if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes),
|| !EVP_DigestUpdate(mdctx, private_bytes, 0) <= 0)
sizeof(private_bytes)) goto end;
|| !EVP_DigestUpdate(mdctx, message, message_len)
|| !EVP_DigestUpdate(mdctx, random_bytes, sizeof(random_bytes))
|| !EVP_DigestFinal_ex(mdctx, digest, NULL))
goto err;
todo = num_k_bytes - done; if (!EVP_DigestInit_ex(mdctx, md, NULL)
if (todo > SHA512_DIGEST_LENGTH) || !EVP_DigestUpdate(mdctx, &i, sizeof(i))
todo = SHA512_DIGEST_LENGTH; || !EVP_DigestUpdate(mdctx, private_bytes,
memcpy(k_bytes + done, digest, todo); sizeof(private_bytes))
done += todo; || !EVP_DigestUpdate(mdctx, message, message_len)
|| !EVP_DigestUpdate(mdctx, random_bytes,
sizeof(random_bytes))
|| !EVP_DigestFinal_ex(mdctx, digest, NULL))
goto end;
todo = num_k_bytes - done;
if (todo > SHA512_DIGEST_LENGTH)
todo = SHA512_DIGEST_LENGTH;
memcpy(k_bytes + done, digest, todo);
done += todo;
++i;
}
if (!BN_bin2bn(k_bytes, num_k_bytes, out))
goto end;
/* Clear out the top bits and rejection filter into range */
BN_set_flags(out, BN_FLG_CONSTTIME);
ossl_bn_mask_bits_fixed_top(out, BN_num_bits(range));
if (BN_ucmp(out, range) < 0) {
ret = 1;
#ifdef BN_DEBUG
/* With BN_DEBUG on a fixed top number cannot be returned */
bn_correct_top(out);
#endif
goto end;
}
} }
/* Failed to generate anything */
ERR_raise(ERR_LIB_BN, ERR_R_INTERNAL_ERROR);
if (!BN_bin2bn(k_bytes, num_k_bytes, out)) end:
goto err;
if (BN_mod(out, out, range, ctx) != 1)
goto err;
ret = 1;
err:
EVP_MD_CTX_free(mdctx); EVP_MD_CTX_free(mdctx);
EVP_MD_free(md); EVP_MD_free(md);
OPENSSL_clear_free(k_bytes, num_k_bytes); OPENSSL_clear_free(k_bytes, num_k_bytes);
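Review bot: the per-block counter `unsigned char i` (`++i` after every 64-byte digest) wraps silently after 256 blocks; random_bytes is redrawn on each pass so the counter is belt-and-braces rather than the sole domain separation, and num_k_bytes = BN_num_bytes(range)+1 means a range above 16 KiB is needed to reach the wrap, but nothing here bounds num_k_bytes. Either widen the counter or add an explicit limit on num_k_bytes with a comment. The substantive change is good: mask-and-reject against BN_num_bits(range) removes the modular bias of the old `BN_mod(out, out, range, ctx)`, and BN_FLG_CONSTTIME is set on |out| before the comparison.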
@ -326,3 +395,20 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
OPENSSL_cleanse(private_bytes, sizeof(private_bytes)); OPENSSL_cleanse(private_bytes, sizeof(private_bytes));
return ret; return ret;
} }
int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
const BIGNUM *priv, const unsigned char *message,
size_t message_len, BN_CTX *ctx)
{
int ret;
ret = ossl_bn_gen_dsa_nonce_fixed_top(out, range, priv, message,
message_len, ctx);
/*
* This call makes the BN_generate_dsa_nonce non-const-time, thus we
* do not use it internally. But fixed_top BNs currently cannot be returned
* from public API calls.
*/
bn_correct_top(out);
return ret;
}
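Review bot: `bn_correct_top(out)` runs even when ossl_bn_gen_dsa_nonce_fixed_top() returned 0, i.e. on a BIGNUM that may hold a partially written candidate; harmless, but wrapping it in `if (ret)` makes the success/failure contract obvious. The comment explaining why the public BN_generate_dsa_nonce is not constant time also belongs in its man page, since external callers cannot see this source.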

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -156,6 +156,9 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
return 0; return 0;
} }
bn_check_top(r);
bn_check_top(a);
ret = bn_rshift_fixed_top(r, a, n); ret = bn_rshift_fixed_top(r, a, n);
bn_correct_top(r); bn_correct_top(r);
@ -177,9 +180,6 @@ int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n)
BN_ULONG *t, *f; BN_ULONG *t, *f;
BN_ULONG l, m, mask; BN_ULONG l, m, mask;
bn_check_top(r);
bn_check_top(a);
assert(n >= 0); assert(n >= 0);
nw = n / BN_BITS2; nw = n / BN_BITS2;
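Review bot: moving `bn_check_top(r); bn_check_top(a);` from bn_rshift_fixed_top up into BN_rshift means the fixed-top variant no longer asserts on its inputs in BN_DEBUG builds; that is the intent (a fixed-top |a| would trip the check), but add a comment on bn_rshift_fixed_top stating that |a| may be fixed-top and that |r| is returned fixed-top, so the checks are not "restored" by a later cleanup.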

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -19,8 +19,34 @@
#include "dsa_local.h" #include "dsa_local.h"
#include "crypto/dsa.h" #include "crypto/dsa.h"
static int dsa_precheck_params(const DSA *dsa, int *ret)
{
if (dsa->params.p == NULL || dsa->params.q == NULL) {
ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
*ret = FFC_CHECK_INVALID_PQ;
return 0;
}
if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
*ret = FFC_CHECK_INVALID_PQ;
return 0;
}
if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
*ret = FFC_CHECK_INVALID_PQ;
return 0;
}
return 1;
}
int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
{ {
if (!dsa_precheck_params(dsa, ret))
return 0;
if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params, return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
FFC_PARAM_TYPE_DSA, ret); FFC_PARAM_TYPE_DSA, ret);
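Review bot: dsa_precheck_params() bounds p by OPENSSL_DSA_MAX_MODULUS_BITS but only requires `BN_num_bits(q) < BN_num_bits(p)`, so a q of thousands of bits still reaches ossl_ffc_params_simple_validate and the full validation path; if the purpose of the precheck is to fail fast on oversized parameters, consider an explicit upper bound on q as well. The three failures all report FFC_CHECK_INVALID_PQ in *ret while raising different reasons (DSA_R_BAD_FFC_PARAMETERS, DSA_R_MODULUS_TOO_LARGE, DSA_R_BAD_Q_VALUE), which is reasonable but worth a one-line comment.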
@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
*/ */
int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{ {
if (!dsa_precheck_params(dsa, ret))
return 0;
return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret) return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
&& *ret == 0; && *ret == 0;
} }
@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
*/ */
int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret) int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{ {
if (!dsa_precheck_params(dsa, ret))
return 0;
return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret) return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
&& *ret == 0; && *ret == 0;
} }
@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
{ {
*ret = 0; *ret = 0;
return (dsa->params.q != NULL if (!dsa_precheck_params(dsa, ret))
&& ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret)); return 0;
return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
} }
/* /*
@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL; BIGNUM *pub_key = NULL;
if (dsa->params.p == NULL if (!dsa_precheck_params(dsa, &ret))
|| dsa->params.g == NULL return 0;
if (dsa->params.g == NULL
|| dsa->priv_key == NULL || dsa->priv_key == NULL
|| dsa->pub_key == NULL) || dsa->pub_key == NULL)
return 0; return 0;
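Review bot: `dsa_precheck_params(dsa, &ret)` writes an FFC_CHECK_* status code into `ret`, which this function otherwise uses as its own result; the path returns 0 directly so no wrong value escapes, but a scratch `int status` for the out-parameter would stop the two meanings of `ret` being conflated by a later edit.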

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -262,12 +262,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
* We calculate k from SHA512(private_key + H(message) + random). * We calculate k from SHA512(private_key + H(message) + random).
* This protects the private key from a weak PRNG. * This protects the private key from a weak PRNG.
*/ */
if (!BN_generate_dsa_nonce(k, dsa->params.q, dsa->priv_key, dgst, if (!ossl_bn_gen_dsa_nonce_fixed_top(k, dsa->params.q,
dlen, ctx)) dsa->priv_key, dgst,
dlen, ctx))
goto err; goto err;
} else if (!BN_priv_rand_range_ex(k, dsa->params.q, 0, ctx)) } else if (!ossl_bn_priv_rand_range_fixed_top(k, dsa->params.q, 0, ctx))
goto err; goto err;
} while (BN_is_zero(k)); } while (ossl_bn_is_word_fixed_top(k, 0));
BN_set_flags(k, BN_FLG_CONSTTIME); BN_set_flags(k, BN_FLG_CONSTTIME);
BN_set_flags(l, BN_FLG_CONSTTIME); BN_set_flags(l, BN_FLG_CONSTTIME);
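Review bot: k now leaves this loop fixed-top (`ossl_bn_is_word_fixed_top(k, 0)` replaces `BN_is_zero(k)`), and the arithmetic that consumes k later in dsa_sign_setup is outside the hunk; confirm every consumer tolerates an un-normalised top, in particular anything that calls bn_check_top on it (an abort under BN_DEBUG) or derives a loop bound from BN_num_bits(k).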

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -156,6 +156,11 @@ int ossl_dsa_sign_int(int type, const unsigned char *dgst, int dlen,
{ {
DSA_SIG *s; DSA_SIG *s;
if (sig == NULL) {
*siglen = DSA_size(dsa);
return 1;
}
/* legacy case uses the method table */ /* legacy case uses the method table */
if (dsa->libctx == NULL || dsa->meth != DSA_get_default_method()) if (dsa->libctx == NULL || dsa->meth != DSA_get_default_method())
s = DSA_do_sign(dgst, dlen, dsa); s = DSA_do_sign(dgst, dlen, dsa);
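Review bot: the early return sets `*siglen = DSA_size(dsa)` and returns 1 without checking that DSA_size() produced a positive size; DSA_size() reports failure for a key without q, and storing that into an unsigned *siglen turns it into a huge value reported as success. Check the result and `return 0` on a non-positive size.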
@ -165,7 +170,7 @@ int ossl_dsa_sign_int(int type, const unsigned char *dgst, int dlen,
*siglen = 0; *siglen = 0;
return 0; return 0;
} }
*siglen = i2d_DSA_SIG(s, sig != NULL ? &sig : NULL); *siglen = i2d_DSA_SIG(s, &sig);
DSA_SIG_free(s); DSA_SIG_free(s);
return 1; return 1;
} }
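Review bot: `*siglen = i2d_DSA_SIG(s, &sig)` stores the i2d result without checking for a negative return and the function returns 1 regardless; now that the sig == NULL query is handled above, an encoding failure should take the same `*siglen = 0; return 0;` path as the DSA_do_sign failure a few lines earlier.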

View File

@ -77,7 +77,7 @@ DEFINE[../../providers/libdefault.a]=$ECDEF
# Otherwise, it already gets everything that the static libcrypto.a # Otherwise, it already gets everything that the static libcrypto.a
# has, and doesn't need it added again. # has, and doesn't need it added again.
IF[{- !$disabled{module} && !$disabled{shared} -}] IF[{- !$disabled{module} && !$disabled{shared} -}]
DEFINE[../providers/liblegacy.a]=$ECDEF DEFINE[../../providers/liblegacy.a]=$ECDEF
ENDIF ENDIF
GENERATE[ecp_nistz256-x86.S]=asm/ecp_nistz256-x86.pl GENERATE[ecp_nistz256-x86.S]=asm/ecp_nistz256-x86.pl

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2014 Cryptography Research, Inc. * Copyright 2014 Cryptography Research, Inc.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
@ -45,9 +45,9 @@ void gf_mul(gf_s * RESTRICT cs, const gf as, const gf bs)
accum0 += widemul(a[j + 4], b[i - j + 4]); accum0 += widemul(a[j + 4], b[i - j + 4]);
} }
for (; j < 4; j++) { for (; j < 4; j++) {
accum2 += widemul(a[j], b[i - j + 8]); accum2 += widemul(a[j], b[i + 8 - j]);
accum1 += widemul(aa[j], bbb[i - j + 4]); accum1 += widemul(aa[j], bbb[i + 4 - j]);
accum0 += widemul(a[j + 4], bb[i - j + 4]); accum0 += widemul(a[j + 4], bb[i + 4 - j]);
} }
accum1 -= accum2; accum1 -= accum2;
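Review bot: rewriting `b[i - j + 8]` as `b[i + 8 - j]` only changes evaluation order, which matters when i < j with unsigned operands (the intermediate `i - j` wraps before the +8 brings it back in range); the result is the same, so leave a one-line comment that the order is deliberate or the next tidy-up will fold it back.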

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -70,6 +70,11 @@ int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
{ {
ECDSA_SIG *s; ECDSA_SIG *s;
if (sig == NULL && (kinv == NULL || r == NULL)) {
*siglen = ECDSA_size(eckey);
return 1;
}
s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey); s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
if (s == NULL) { if (s == NULL) {
*siglen = 0; *siglen = 0;
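Review bot: the early return fires only when `sig == NULL && (kinv == NULL || r == NULL)`, so a size query with precomputed kinv/r still runs ECDSA_do_sign_ex and produces a full signature; the DSA counterpart in this patch returns early whenever sig is NULL. If the asymmetry is deliberate, comment it. Also check ECDSA_size() for a zero result (no group) before returning 1.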
@ -140,18 +145,18 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
/* get random k */ /* get random k */
do { do {
if (dgst != NULL) { if (dgst != NULL) {
if (!BN_generate_dsa_nonce(k, order, priv_key, if (!ossl_bn_gen_dsa_nonce_fixed_top(k, order, priv_key,
dgst, dlen, ctx)) { dgst, dlen, ctx)) {
ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED); ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err; goto err;
} }
} else { } else {
if (!BN_priv_rand_range_ex(k, order, 0, ctx)) { if (!ossl_bn_priv_rand_range_fixed_top(k, order, 0, ctx)) {
ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED); ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err; goto err;
} }
} }
} while (BN_is_zero(k)); } while (ossl_bn_is_word_fixed_top(k, 0));
/* compute r the x-coordinate of generator * k */ /* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
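Review bot: k reaches `EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)` fixed-top now that the loop condition is `ossl_bn_is_word_fixed_top(k, 0)`; EC_POINT_mul and the group's scalar-multiplication methods are outside this hunk, so confirm they accept an un-normalised scalar (no bn_check_top, and no ladder length derived from BN_num_bits(k), which over-reports on a fixed-top value with zero high words).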

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -59,6 +59,11 @@ int OSSL_ENCODER_to_bio(OSSL_ENCODER_CTX *ctx, BIO *out)
return 0; return 0;
} }
if (ctx->cleanup == NULL || ctx->construct == NULL) {
ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_INIT_FAIL);
return 0;
}
return encoder_process(&data) > 0; return encoder_process(&data) > 0;
} }

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY); ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
return NULL; return NULL;
} }
/* We enforce check for legacy key */
switch (EVP_PKEY_get_id(pkey)) {
case EVP_PKEY_RSA:
{
RSA *rsa = EVP_PKEY_get1_RSA(pkey);
EVP_PKEY_set1_RSA(pkey, rsa);
RSA_free(rsa);
}
break;
# ifndef OPENSSL_NO_EC
case EVP_PKEY_SM2:
case EVP_PKEY_EC:
{
EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
EVP_PKEY_set1_EC_KEY(pkey, ec);
EC_KEY_free(ec);
}
break;
# endif
# ifndef OPENSSL_NO_DSA
case EVP_PKEY_DSA:
{
DSA *dsa = EVP_PKEY_get1_DSA(pkey);
EVP_PKEY_set1_DSA(pkey, dsa);
DSA_free(dsa);
}
break;
#endif
# ifndef OPENSSL_NO_DH
case EVP_PKEY_DH:
{
DH *dh = EVP_PKEY_get1_DH(pkey);
EVP_PKEY_set1_DH(pkey, dh);
DH_free(dh);
}
break;
#endif
default:
/*Do nothing */
break;
}
return pkey; return pkey;
} }
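Review bot: the deleted block's own comment, `/* We enforce check for legacy key */`, says the get1/set1 round-trip existed as a sanity check on engine-loaded keys; removing it changes what ENGINE_load_private_key() guarantees, so the man page and CHANGES should state that the key is now returned as the engine produced it and that callers wanting validation must run EVP_PKEY_check() or EVP_PKEY_private_check() themselves.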

View File

@ -76,6 +76,6 @@ R SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
R SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 R SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
R SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 R SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
R SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 R SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
R TLS1_AD_UNKNOWN_PSK_IDENTITY 1115 R SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY 1115
R SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116 R SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116
R TLS1_AD_NO_APPLICATION_PROTOCOL 1120 R SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL 1120
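Review bot: the two entries switch from the TLS1_AD_* alert-code names to SSL_R_TLSV1_ALERT_* reason names at the same numeric values (1115, 1120), so error numbers are stable but the generated reason-string table changes; regenerate the derived error files (make errors) in the same commit so the string table and this source do not diverge.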

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -293,7 +293,7 @@ int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
int i, ret; int i, ret;
if (require_signing_cert && ss == NULL && ssv2 == NULL) { if (require_signing_cert && ss == NULL && ssv2 == NULL) {
ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE); ERR_raise(ERR_LIB_ESS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);
return -1; return -1;
} }
if (n_v1 == 0 || n_v2 == 0) { if (n_v1 == 0 || n_v2 == 0) {

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -243,10 +243,15 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
/* /*
* A comparison and sk_P_CACHE_ELEM_find() are avoided to not cause * A comparison and sk_P_CACHE_ELEM_find() are avoided to not cause
* problems when we've only a read lock. * problems when we've only a read lock.
* A keymgmt is a match if the |keymgmt| pointers are identical or if the
* provider and the name ID match
*/ */
for (i = 0; i < end; i++) { for (i = 0; i < end; i++) {
p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i); p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i);
if (keymgmt == p->keymgmt && (p->selection & selection) == selection) if ((p->selection & selection) == selection
&& (keymgmt == p->keymgmt
|| (keymgmt->name_id == p->keymgmt->name_id
&& keymgmt->prov == p->keymgmt->prov)))
return p; return p;
} }
return NULL; return NULL;
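Review bot: the new match expression dereferences `keymgmt->name_id` and `keymgmt->prov` unconditionally; before this change a NULL keymgmt simply never matched, now it crashes unless every caller guarantees non-NULL. Either prefix the condition with `keymgmt != NULL` or document the precondition on evp_keymgmt_util_find_operation_cache.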

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -1902,7 +1902,15 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
* If |tmp_keymgmt| is present in the operation cache, it means * If |tmp_keymgmt| is present in the operation cache, it means
* that export doesn't need to be redone. In that case, we take * that export doesn't need to be redone. In that case, we take
* token copies of the cached pointers, to have token success * token copies of the cached pointers, to have token success
* values to return. * values to return. It is possible (e.g. in a no-cached-fetch
* build), for op->keymgmt to be a different pointer to tmp_keymgmt
* even though the name/provider must be the same. In other words
* the keymgmt instance may be different but still equivalent, i.e.
* same algorithm/provider instance - but we make the simplifying
* assumption that the keydata can be used with either keymgmt
* instance. Not doing so introduces significant complexity and
* probably requires refactoring - since we would have to ripple
* the change in keymgmt instance up the call chain.
*/ */
if (op != NULL && op->keymgmt != NULL) { if (op != NULL && op->keymgmt != NULL) {
keydata = op->keydata; keydata = op->keydata;
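Review bot: the expanded comment records the assumption that keydata is usable with any keymgmt instance of the same name and provider; state that as a provider requirement in the provider documentation, or assert on `prov`/`name_id` equality at this point, rather than leaving it only in a comment, since a provider keeping per-instance state in keydata would break it silently. Minor: "a different pointer to tmp_keymgmt" should read "from".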

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -1028,6 +1028,71 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
return EVP_PKEY_CTX_set_params(ctx, octet_string_params); return EVP_PKEY_CTX_set_params(ctx, octet_string_params);
} }
static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
const char *param, int op, int ctrl,
const unsigned char *data,
int datalen)
{
OSSL_PARAM os_params[2];
unsigned char *info = NULL;
size_t info_len = 0;
size_t info_alloc = 0;
int ret = 0;
if (ctx == NULL || (ctx->operation & op) == 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
/* Uses the same return values as EVP_PKEY_CTX_ctrl */
return -2;
}
/* Code below to be removed when legacy support is dropped. */
if (fallback)
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data));
/* end of legacy support */
if (datalen < 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
return 0;
} else if (datalen == 0) {
return 1;
}
/* Get the original value length */
os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
os_params[1] = OSSL_PARAM_construct_end();
if (!EVP_PKEY_CTX_get_params(ctx, os_params))
return 0;
/* Older provider that doesn't support getting this parameter */
if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
info_alloc = os_params[0].return_size + datalen;
if (info_alloc == 0)
return 0;
info = OPENSSL_zalloc(info_alloc);
if (info == NULL)
return 0;
info_len = os_params[0].return_size;
os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc);
/* if we have data, then go get it */
if (info_len > 0) {
if (!EVP_PKEY_CTX_get_params(ctx, os_params))
goto error;
}
/* Copy the input data */
memcpy(&info[info_len], data, datalen);
ret = EVP_PKEY_CTX_set_params(ctx, os_params);
error:
OPENSSL_clear_free(info, info_alloc);
return ret;
}
int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx, int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx,
const unsigned char *sec, int seclen) const unsigned char *sec, int seclen)
{ {
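Review bot: in evp_pkey_ctx_add1_octet_string the guard `if (info_alloc == 0) return 0;` cannot trigger as written, since datalen > 0 at that point and info_alloc = return_size + datalen; the only way it is zero is size_t wrap-around, which the check does not express. Replace it with an explicit overflow test (return_size against SIZE_MAX - datalen) and raise an error. Also note in the function comment that the OSSL_PARAM_UNMODIFIED fallback to evp_pkey_ctx_set1_octet_string replaces rather than appends, so against an older provider add1 silently behaves like set1.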
@ -1078,7 +1143,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx,
int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx, int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx,
const unsigned char *info, int infolen) const unsigned char *info, int infolen)
{ {
return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL, return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL,
OSSL_KDF_PARAM_INFO, OSSL_KDF_PARAM_INFO,
EVP_PKEY_OP_DERIVE, EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_HKDF_INFO, EVP_PKEY_CTRL_HKDF_INFO,
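Review bot: EVP_PKEY_CTX_add1_hkdf_info now appends to the existing info through evp_pkey_ctx_add1_octet_string instead of overwriting it; that matches the "add1" name, but the man page and CHANGES should call out the behaviour change for callers of earlier 3.0.x releases that relied on the overwrite.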

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -403,8 +403,8 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation,
int iter; int iter;
if (ctx == NULL) { if (ctx == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
return -2; return -1;
} }
evp_pkey_ctx_free_old_ops(ctx); evp_pkey_ctx_free_old_ops(ctx);
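Review bot: a NULL ctx now yields ERR_R_PASSED_NULL_PARAMETER and -1 instead of EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE and -2; since -2 is the documented "operation not supported" value, -1 is the right code for a programming error, but the EVP_PKEY_sign(3) family man pages list return values and need the same update (the same change is made in EVP_PKEY_sign, EVP_PKEY_verify and EVP_PKEY_verify_recover below).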
@ -634,8 +634,8 @@ int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
int ret; int ret;
if (ctx == NULL) { if (ctx == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
return -2; return -1;
} }
if (ctx->operation != EVP_PKEY_OP_SIGN) { if (ctx->operation != EVP_PKEY_OP_SIGN) {
@ -646,6 +646,11 @@ int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
if (ctx->op.sig.algctx == NULL) if (ctx->op.sig.algctx == NULL)
goto legacy; goto legacy;
if (ctx->op.sig.signature->sign == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
ret = ctx->op.sig.signature->sign(ctx->op.sig.algctx, sig, siglen, ret = ctx->op.sig.signature->sign(ctx->op.sig.algctx, sig, siglen,
(sig == NULL) ? 0 : *siglen, tbs, tbslen); (sig == NULL) ? 0 : *siglen, tbs, tbslen);
@ -678,8 +683,8 @@ int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
int ret; int ret;
if (ctx == NULL) { if (ctx == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
return -2; return -1;
} }
if (ctx->operation != EVP_PKEY_OP_VERIFY) { if (ctx->operation != EVP_PKEY_OP_VERIFY) {
@ -690,6 +695,11 @@ int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
if (ctx->op.sig.algctx == NULL) if (ctx->op.sig.algctx == NULL)
goto legacy; goto legacy;
if (ctx->op.sig.signature->verify == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
ret = ctx->op.sig.signature->verify(ctx->op.sig.algctx, sig, siglen, ret = ctx->op.sig.signature->verify(ctx->op.sig.algctx, sig, siglen,
tbs, tbslen); tbs, tbslen);
@ -721,8 +731,8 @@ int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
int ret; int ret;
if (ctx == NULL) { if (ctx == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
return -2; return -1;
} }
if (ctx->operation != EVP_PKEY_OP_VERIFYRECOVER) { if (ctx->operation != EVP_PKEY_OP_VERIFYRECOVER) {
@ -733,6 +743,11 @@ int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
if (ctx->op.sig.algctx == NULL) if (ctx->op.sig.algctx == NULL)
goto legacy; goto legacy;
if (ctx->op.sig.signature->verify_recover == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
ret = ctx->op.sig.signature->verify_recover(ctx->op.sig.algctx, rout, ret = ctx->op.sig.signature->verify_recover(ctx->op.sig.algctx, rout,
routlen, routlen,
(rout == NULL ? 0 : *routlen), (rout == NULL ? 0 : *routlen),

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -97,17 +97,19 @@ static int win32atexit(void)
DEFINE_RUN_ONCE_STATIC(ossl_init_register_atexit) DEFINE_RUN_ONCE_STATIC(ossl_init_register_atexit)
{ {
#ifdef OPENSSL_INIT_DEBUG #ifndef OPENSSL_NO_ATEXIT
# ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: ossl_init_register_atexit()\n"); fprintf(stderr, "OPENSSL_INIT: ossl_init_register_atexit()\n");
#endif # endif
#ifndef OPENSSL_SYS_UEFI # ifndef OPENSSL_SYS_UEFI
# if defined(_WIN32) && !defined(__BORLANDC__) # if defined(_WIN32) && !defined(__BORLANDC__)
/* We use _onexit() in preference because it gets called on DLL unload */ /* We use _onexit() in preference because it gets called on DLL unload */
if (_onexit(win32atexit) == NULL) if (_onexit(win32atexit) == NULL)
return 0; return 0;
# else # else
if (atexit(OPENSSL_cleanup) != 0) if (atexit(OPENSSL_cleanup) != 0)
return 0; return 0;
# endif
# endif # endif
#endif #endif

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2003-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2003-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -251,7 +251,7 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlength,
*q = CH_ZERO; *q = CH_ZERO;
#ifdef CHARSET_EBCDIC #ifdef CHARSET_EBCDIC
ebcdic2ascii(str, str, q - str - 1); ebcdic2ascii(str, str, q - str);
#endif #endif
return 1; return 1;
} }
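Review bot: the new length is correct: q points at the terminator just written by `*q = CH_ZERO`, so `q - str` is exactly the number of hex and separator characters and the old `q - str - 1` left the final character untranslated on EBCDIC platforms. Worth a regression test that checks the last character of buf2hexstr output, since the bug was invisible on ASCII builds.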

View File

@ -174,9 +174,9 @@ sub ::vprotd
sub ::endbranch sub ::endbranch
{ {
&::generic("%ifdef __CET__\n"); &::generic("#ifdef __CET__\n");
&::data_byte(0xf3,0x0f,0x1e,0xfb); &::data_byte(0xf3,0x0f,0x1e,0xfb);
&::generic("%endif\n"); &::generic("#endif\n");
} }
# label management # label management
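Review bot: `%ifdef` is NASM/MASM preprocessor syntax while `#ifdef __CET__` is what the C preprocessor (and so gas assembly run through cpp) understands; confirm this generator only ever emits gas-style output, otherwise the NASM flavour needs its own endbranch conditional.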

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
@ -14,6 +14,7 @@
#include <openssl/err.h> #include <openssl/err.h>
#include "internal/propertyerr.h" #include "internal/propertyerr.h"
#include "internal/property.h" #include "internal/property.h"
#include "internal/numbers.h"
#include "crypto/ctype.h" #include "crypto/ctype.h"
#include "internal/nelem.h" #include "internal/nelem.h"
#include "property_local.h" #include "property_local.h"

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -567,9 +567,16 @@ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name,
} }
/* provider_new() generates an error, so no need here */ /* provider_new() generates an error, so no need here */
if ((prov = provider_new(name, template.init, template.parameters)) == NULL) prov = provider_new(name, template.init, template.parameters);
if (prov == NULL)
return NULL; return NULL;
if (!ossl_provider_set_module_path(prov, template.path)) {
ossl_provider_free(prov);
return NULL;
}
prov->libctx = libctx; prov->libctx = libctx;
#ifndef FIPS_MODULE #ifndef FIPS_MODULE
prov->error_lib = ERR_get_next_error_library(); prov->error_lib = ERR_get_next_error_library();
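Review bot: on the new failure path ossl_provider_free(prov) runs before `prov->libctx = libctx` and error_lib are set, i.e. on a partially initialised provider; check that ossl_provider_free tolerates a NULL libctx in every field it tears down, or move the ossl_provider_set_module_path call below the libctx assignment.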

View File

@ -88,7 +88,7 @@ DEFINE[../../providers/libdefault.a]=$SHA1DEF $KECCAK1600DEF
# linked with libcrypto. Otherwise, it already gets everything that # linked with libcrypto. Otherwise, it already gets everything that
# the static libcrypto.a has, and doesn't need it added again. # the static libcrypto.a has, and doesn't need it added again.
IF[{- !$disabled{module} && !$disabled{shared} -}] IF[{- !$disabled{module} && !$disabled{shared} -}]
DEFINE[../providers/liblegacy.a]=$SHA1DEF $KECCAK1600DEF DEFINE[../../providers/liblegacy.a]=$SHA1DEF $KECCAK1600DEF
ENDIF ENDIF
GENERATE[sha1-586.S]=asm/sha1-586.pl GENERATE[sha1-586.S]=asm/sha1-586.pl

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017 Ribose Inc. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved.
* Ported from Ribose contributions from Botan. * Ported from Ribose contributions from Botan.
* *
@ -67,6 +67,18 @@ static size_t ec_field_size(const EC_GROUP *group)
return field_size; return field_size;
} }
static int is_all_zeros(const unsigned char *msg, size_t msglen)
{
unsigned char re = 0;
size_t i;
for (i = 0; i < msglen; i++) {
re |= msg[i];
}
return re == 0 ? 1 : 0;
}
int ossl_sm2_plaintext_size(const unsigned char *ct, size_t ct_size, int ossl_sm2_plaintext_size(const unsigned char *ct, size_t ct_size,
size_t *pt_size) size_t *pt_size)
{ {
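Review bot: is_all_zeros() accumulates with `re |= msg[i]` over the whole buffer rather than returning at the first non-zero byte, so its running time does not depend on the KDF output it inspects; that is the right choice for a key-derived mask and should be kept if anyone later "optimises" it. As a style point, `return re == 0 ? 1 : 0;` can simply be `return re == 0;`.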
@ -179,6 +191,13 @@ int ossl_sm2_encrypt(const EC_KEY *key,
memset(ciphertext_buf, 0, *ciphertext_len); memset(ciphertext_buf, 0, *ciphertext_len);
msg_mask = OPENSSL_zalloc(msg_len);
if (msg_mask == NULL) {
ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE);
goto done;
}
again:
if (!BN_priv_rand_range_ex(k, order, 0, ctx)) { if (!BN_priv_rand_range_ex(k, order, 0, ctx)) {
ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
goto done; goto done;
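Review bot: Moving the msg_mask allocation above the `again:` label is what makes the retry loop leak-free, since a zalloc inside the loop would be repeated on every `goto again`; with the allocation now preceding the BN_priv_rand_range_ex() failure path, confirm that the `done:` cleanup frees msg_mask unconditionally (it previously only needed to when the later allocation had run).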
@ -198,12 +217,6 @@ int ossl_sm2_encrypt(const EC_KEY *key,
goto done; goto done;
} }
msg_mask = OPENSSL_zalloc(msg_len);
if (msg_mask == NULL) {
ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE);
goto done;
}
/* X9.63 with no salt happens to match the KDF used in SM2 */ /* X9.63 with no salt happens to match the KDF used in SM2 */
if (!ossl_ecdh_kdf_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0, if (!ossl_ecdh_kdf_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0,
digest, libctx, propq)) { digest, libctx, propq)) {
@ -211,6 +224,11 @@ int ossl_sm2_encrypt(const EC_KEY *key,
goto done; goto done;
} }
if (is_all_zeros(msg_mask, msg_len)) {
memset(x2y2, 0, 2 * field_size);
goto again;
}
for (i = 0; i != msg_len; ++i) for (i = 0; i != msg_len; ++i)
msg_mask[i] ^= msg[i]; msg_mask[i] ^= msg[i];
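Review bot: Anything allocated or reference-counted between the `again:` label and this check would be repeated on every retry, so please confirm that only k, C1 and the x2y2 derivation are recomputed inside the loop. Clearing x2y2 before jumping back is good hygiene since it holds the shared secret; the loop has no iteration bound, which is acceptable only because an all-zero KDF output of msg_len bytes is a negligible-probability event, and a short comment saying so would help the next reader.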
@ -364,6 +382,11 @@ int ossl_sm2_decrypt(const EC_KEY *key,
goto done; goto done;
} }
if (is_all_zeros(msg_mask, msg_len)) {
ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
goto done;
}
for (i = 0; i != msg_len; ++i) for (i = 0; i != msg_len; ++i)
ptext_buf[i] = C2[i] ^ msg_mask[i]; ptext_buf[i] = C2[i] ^ msg_mask[i];
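Review bot: Rejecting an all-zero mask with SM2_R_INVALID_ENCODING is the correct mirror of the encrypt-side retry (an all-zero t would make the XOR a no-op and return C2 verbatim as plaintext); note that this is reached after the shared-secret derivation, so the error path must still clear and free the buffers that hold x2y2 and msg_mask, which the shared `done:` label presumably does.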

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017 Ribose Inc. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved.
* Ported from Ribose contributions from Botan. * Ported from Ribose contributions from Botan.
* *
@ -29,6 +29,7 @@ int ossl_sm2_compute_z_digest(uint8_t *out,
{ {
int rc = 0; int rc = 0;
const EC_GROUP *group = EC_KEY_get0_group(key); const EC_GROUP *group = EC_KEY_get0_group(key);
const EC_POINT *pubkey = EC_KEY_get0_public_key(key);
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
EVP_MD_CTX *hash = NULL; EVP_MD_CTX *hash = NULL;
BIGNUM *p = NULL; BIGNUM *p = NULL;
@ -43,6 +44,12 @@ int ossl_sm2_compute_z_digest(uint8_t *out,
uint16_t entl = 0; uint16_t entl = 0;
uint8_t e_byte = 0; uint8_t e_byte = 0;
/* SM2 Signatures require a public key, check for it */
if (pubkey == NULL) {
ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER);
goto done;
}
hash = EVP_MD_CTX_new(); hash = EVP_MD_CTX_new();
ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key)); ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key));
if (hash == NULL || ctx == NULL) { if (hash == NULL || ctx == NULL) {
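Review bot: Hoisting EC_KEY_get0_public_key() into a local and checking it for NULL up front turns what was a NULL dereference inside EC_POINT_get_affine_coordinates() (when an EC_KEY carrying only a private key is used for SM2 signing) into a clean ERR_R_PASSED_NULL_PARAMETER; the `goto done` before hash and ctx are allocated is safe only if `done:` tolerates both being NULL, which EVP_MD_CTX_free() and BN_CTX_free() do.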
@ -118,7 +125,7 @@ int ossl_sm2_compute_z_digest(uint8_t *out,
|| BN_bn2binpad(yG, buf, p_bytes) < 0 || BN_bn2binpad(yG, buf, p_bytes) < 0
|| !EVP_DigestUpdate(hash, buf, p_bytes) || !EVP_DigestUpdate(hash, buf, p_bytes)
|| !EC_POINT_get_affine_coordinates(group, || !EC_POINT_get_affine_coordinates(group,
EC_KEY_get0_public_key(key), pubkey,
xA, yA, ctx) xA, yA, ctx)
|| BN_bn2binpad(xA, buf, p_bytes) < 0 || BN_bn2binpad(xA, buf, p_bytes) < 0
|| !EVP_DigestUpdate(hash, buf, p_bytes) || !EVP_DigestUpdate(hash, buf, p_bytes)
@ -442,6 +449,11 @@ int ossl_sm2_internal_sign(const unsigned char *dgst, int dgstlen,
int sigleni; int sigleni;
int ret = -1; int ret = -1;
if (sig == NULL) {
ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER);
goto done;
}
e = BN_bin2bn(dgst, dgstlen, NULL); e = BN_bin2bn(dgst, dgstlen, NULL);
if (e == NULL) { if (e == NULL) {
ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB); ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
@ -454,7 +466,7 @@ int ossl_sm2_internal_sign(const unsigned char *dgst, int dgstlen,
goto done; goto done;
} }
sigleni = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL); sigleni = i2d_ECDSA_SIG(s, &sig);
if (sigleni < 0) { if (sigleni < 0) {
ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
goto done; goto done;
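Review bot: Changing `i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL)` to `i2d_ECDSA_SIG(s, &sig)` together with the new `sig == NULL` check at the top of ossl_sm2_internal_sign() removes the length-query idiom, where a NULL output buffer made i2d return the encoded size without writing; any caller that relied on calling this function with sig == NULL to size its buffer will now get -1 with ERR_R_PASSED_NULL_PARAMETER, so please confirm the provider signature layer sizes the buffer another way (for example from the group order) before this lands.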

View File

@ -397,11 +397,11 @@ static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
const int prefixlen, const int afilen) const int prefixlen, const int afilen)
{ {
int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
IPAddressOrRange *aor = IPAddressOrRange_new(); IPAddressOrRange *aor;
if (prefixlen < 0 || prefixlen > (afilen * 8)) if (prefixlen < 0 || prefixlen > (afilen * 8))
return 0; return 0;
if (aor == NULL) if ((aor = IPAddressOrRange_new()) == NULL)
return 0; return 0;
aor->type = IPAddressOrRange_addressPrefix; aor->type = IPAddressOrRange_addressPrefix;
if (aor->u.addressPrefix == NULL && if (aor->u.addressPrefix == NULL &&
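Review bot: Moving IPAddressOrRange_new() below the prefixlen range check fixes a memory leak: previously an out-of-range prefixlen (negative, or larger than afilen * 8) returned 0 after aor had already been allocated and without freeing it, which an attacker-controlled RFC 3779 extension could trigger repeatedly. The reordering is the whole fix; bytelen and bitlen are still computed before the check but are plain integer arithmetic with no side effects.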

View File

@ -1,5 +1,5 @@
/*- /*-
* Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -83,7 +83,7 @@ int demonstrate_digest(void)
const char *option_properties = NULL; const char *option_properties = NULL;
EVP_MD *message_digest = NULL; EVP_MD *message_digest = NULL;
EVP_MD_CTX *digest_context = NULL; EVP_MD_CTX *digest_context = NULL;
unsigned int digest_length; int digest_length;
unsigned char *digest_value = NULL; unsigned char *digest_value = NULL;
int j; int j;

View File

@ -1,5 +1,5 @@
/*- /*-
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -38,7 +38,7 @@ int demonstrate_digest(BIO *input)
const char * option_properties = NULL; const char * option_properties = NULL;
EVP_MD *message_digest = NULL; EVP_MD *message_digest = NULL;
EVP_MD_CTX *digest_context = NULL; EVP_MD_CTX *digest_context = NULL;
unsigned int digest_length; int digest_length;
unsigned char *digest_value = NULL; unsigned char *digest_value = NULL;
unsigned char buffer[512]; unsigned char buffer[512];
int ii; int ii;

View File

@ -15,6 +15,9 @@ currently in use to sign OpenSSL distributions:
OpenSSL OMC: OpenSSL OMC:
EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
OpenSSL:
BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF
Richard Levitte: Richard Levitte:
7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C

View File

@ -155,7 +155,7 @@ on multiple lines; each entry should use B<OPT_MORE_STR>, like this:
{OPT_MORE_STR, 0, 0, {OPT_MORE_STR, 0, 0,
"This flag is not really needed on Unix systems"}, "This flag is not really needed on Unix systems"},
{OPT_MORE_STR, 0, 0, {OPT_MORE_STR, 0, 0,
"(Unix and descendents for ths win!)"} "(Unix and descendents for the win!)"}
Each subsequent line will be indented the correct amount. Each subsequent line will be indented the correct amount.
@ -333,7 +333,7 @@ things very differently.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this Licensed under the Apache License 2.0 (the "License"). You may not use this
file except in compliance with the License. You can obtain a copy in the file file except in compliance with the License. You can obtain a copy in the file

View File

@ -93,7 +93,7 @@ This default store should be stored in the library context I<libctx>.
The method to be looked up should be identified with data found in I<data> The method to be looked up should be identified with data found in I<data>
(which is the I<mcm_data> that was passed to ossl_construct_method()). (which is the I<mcm_data> that was passed to ossl_construct_method()).
In other words, the ossl_method_construct() caller is entirely responsible In other words, the ossl_method_construct() caller is entirely responsible
for ensuring the necesssary data is made available. for ensuring the necessary data is made available.
Optionally, I<prov> may be given as a search criterion, to narrow down the Optionally, I<prov> may be given as a search criterion, to narrow down the
search of a method belonging to just one provider. search of a method belonging to just one provider.
@ -148,7 +148,7 @@ This functionality was added to OpenSSL 3.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this Licensed under the Apache License 2.0 (the "License"). You may not use this
file except in compliance with the License. You can obtain a copy in the file file except in compliance with the License. You can obtain a copy in the file

View File

@ -297,7 +297,7 @@ in a bitstring that's internal to I<provider>.
ossl_provider_test_operation_bit() checks if the bit operation I<bitnum> ossl_provider_test_operation_bit() checks if the bit operation I<bitnum>
is set (1) or not (0) in the internal I<provider> bitstring, and sets is set (1) or not (0) in the internal I<provider> bitstring, and sets
I<*result> to 1 or 0 accorddingly. I<*result> to 1 or 0 accordingly.
ossl_provider_init_as_child() stores in the library context I<ctx> references to ossl_provider_init_as_child() stores in the library context I<ctx> references to
the necessary upcalls for managing child providers. The I<handle> and I<in> the necessary upcalls for managing child providers. The I<handle> and I<in>
@ -390,7 +390,7 @@ The functions described here were all added in OpenSSL 3.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -15,7 +15,7 @@ ossl_random_add_conf_module - internal random configuration module
ossl_random_add_conf_module() adds the random configuration module ossl_random_add_conf_module() adds the random configuration module
for providers. for providers.
This allows the type and parameters of the stardard setup of random number This allows the type and parameters of the standard setup of random number
generators to be configured with an OpenSSL L<config(5)> file. generators to be configured with an OpenSSL L<config(5)> file.
=head1 RETURN VALUES =head1 RETURN VALUES
@ -32,7 +32,7 @@ The functions described here were all added in OpenSSL 3.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -19,7 +19,7 @@ private/public key pairs, but has had other uses as well.
=for comment "uses" could as well be "abuses"... =for comment "uses" could as well be "abuses"...
The private/public key pair that an B<EVP_PKEY> contains is refered to The private/public key pair that an B<EVP_PKEY> contains is referred to
as its "internal key" or "origin" (the reason for "origin" is as its "internal key" or "origin" (the reason for "origin" is
explained further down, in L</Export cache for provider operations>), explained further down, in L</Export cache for provider operations>),
and it can take one of the following forms: and it can take one of the following forms:
@ -202,7 +202,7 @@ L<provider-keymgmt(7)>
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -95,6 +95,9 @@ Print out the CRL in text form.
Verify the signature in the CRL. Verify the signature in the CRL.
This option is implicitly enabled if any of B<-CApath>, B<-CAfile>
or B<-CAstore> is specified.
=item B<-noout> =item B<-noout>
Don't output the encoded version of the CRL. Don't output the encoded version of the CRL.
@ -162,7 +165,7 @@ L<ossl_store-file(7)>
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -123,26 +123,31 @@ To see the list of supported MAC's use the command C<openssl list
=head1 EXAMPLES =head1 EXAMPLES
To create a hex-encoded HMAC-SHA1 MAC of a file and write to stdout: \ To create a hex-encoded HMAC-SHA1 MAC of a file and write to stdout:
openssl mac -digest SHA1 \ openssl mac -digest SHA1 \
-macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 \ -macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 \
-in msg.bin HMAC -in msg.bin HMAC
To create a SipHash MAC from a file with a binary file output: \ To create a SipHash MAC from a file with a binary file output:
openssl mac -macopt hexkey:000102030405060708090A0B0C0D0E0F \ openssl mac -macopt hexkey:000102030405060708090A0B0C0D0E0F \
-in msg.bin -out out.bin -binary SipHash -in msg.bin -out out.bin -binary SipHash
To create a hex-encoded CMAC-AES-128-CBC MAC from a file:\ To create a hex-encoded CMAC-AES-128-CBC MAC from a file:
openssl mac -cipher AES-128-CBC \ openssl mac -cipher AES-128-CBC \
-macopt hexkey:77A77FAF290C1FA30C683DF16BA7A77B \ -macopt hexkey:77A77FAF290C1FA30C683DF16BA7A77B \
-in msg.bin CMAC -in msg.bin CMAC
To create a hex-encoded KMAC128 MAC from a file with a Customisation String To create a hex-encoded KMAC128 MAC from a file with a Customisation String
'Tag' and output length of 16: \ 'Tag' and output length of 16:
openssl mac -macopt custom:Tag -macopt hexkey:40414243444546 \ openssl mac -macopt custom:Tag -macopt hexkey:40414243444546 \
-macopt size:16 -in msg.bin KMAC128 -macopt size:16 -in msg.bin KMAC128
To create a hex-encoded GMAC-AES-128-GCM with a IV from a file: \ To create a hex-encoded GMAC-AES-128-GCM with a IV from a file:
openssl mac -cipher AES-128-GCM -macopt hexiv:E0E00F19FED7BA0136A797F3 \ openssl mac -cipher AES-128-GCM -macopt hexiv:E0E00F19FED7BA0136A797F3 \
-macopt hexkey:77A77FAF290C1FA30C683DF16BA7A77B -in msg.bin GMAC -macopt hexkey:77A77FAF290C1FA30C683DF16BA7A77B -in msg.bin GMAC
@ -165,7 +170,7 @@ L<EVP_MAC-Poly1305(7)>
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -472,16 +472,29 @@ any digest that has been set.
=item B<string_mask> =item B<string_mask>
This option masks out the use of certain string types in certain This option masks out the use of certain string types in certain
fields. Most users will not need to change this option. fields. Most users will not need to change this option. It can be set to
several values:
It can be set to several values B<default> which is also the default =over 4
option uses PrintableStrings, T61Strings and BMPStrings if the
B<pkix> value is used then only PrintableStrings and BMPStrings will =item B<utf8only>
be used. This follows the PKIX recommendation in RFC2459. If the - only UTF8Strings are used (this is the default value)
B<utf8only> option is used then only UTF8Strings will be used: this
is the PKIX recommendation in RFC2459 after 2003. Finally the B<nombstr> =item B<pkix>
option just uses PrintableStrings and T61Strings: certain software has - any string type except T61Strings
problems with BMPStrings and UTF8Strings: in particular Netscape.
=item B<nombstr>
- any string type except BMPStrings and UTF8Strings
=item B<default>
- any kind of string type
=back
Note that B<utf8only> is the PKIX recommendation in RFC2459 after 2003, and the
default B<string_mask>; B<default> is not the default option. The B<nombstr>
value is a workaround for some software that has problems with variable-sized
BMPStrings and UTF8Strings.
=item B<req_extensions> =item B<req_extensions>
@ -765,7 +778,7 @@ The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -195,14 +195,14 @@ Don't try to verify the signatures on the message.
=item B<-nocerts> =item B<-nocerts>
When signing a message the signer's certificate is normally included When signing a message, the signer's certificate is normally included.
with this option it is excluded. This will reduce the size of the With this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate signed message, but the verifier must have a copy of the signers certificate
available locally (passed using the B<-certfile> option for example). available locally (passed using the B<-certfile> option for example).
=item B<-noattr> =item B<-noattr>
Normally when a message is signed a set of attributes are included which Normally, when a message is signed, a set of attributes are included which
include the signing time and supported symmetric algorithms. With this include the signing time and supported symmetric algorithms. With this
option they are not included. option they are not included.
@ -243,14 +243,6 @@ used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the verified then the signers certificates will be written to this file if the
verification was successful. verification was successful.
=item B<-nocerts>
Don't include signers certificate when signing.
=item B<-noattr>
Don't include any signed attributes when signing.
=item B<-recip> I<file> =item B<-recip> I<file>
The recipients certificate when decrypting a message. This certificate The recipients certificate when decrypting a message. This certificate
@ -482,7 +474,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -79,6 +79,9 @@ returned.
Note that all options must be given before the I<uri> argument. Note that all options must be given before the I<uri> argument.
Otherwise they are ignored. Otherwise they are ignored.
Note I<-keys> selects exclusively private keys, there is no selector for public
keys only.
=item B<-subject> I<arg> =item B<-subject> I<arg>
Search for an object having the subject name I<arg>. Search for an object having the subject name I<arg>.
@ -137,7 +140,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -163,9 +163,9 @@ use its own default policy. (Optional)
=item B<-no_nonce> =item B<-no_nonce>
No nonce is specified in the request if this option is No nonce is specified in the request if this option is
given. Otherwise a 64 bit long pseudo-random none is given. Otherwise, a 64-bit long pseudo-random nonce is
included in the request. It is recommended to use nonce to included in the request. It is recommended to use a nonce to
protect against replay-attacks. (Optional) protect against replay attacks. (Optional)
=item B<-cert> =item B<-cert>
@ -652,7 +652,7 @@ L<ossl_store-file(7)>
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -41,8 +41,8 @@ OPENSSL_sk_unshift, OPENSSL_sk_value, OPENSSL_sk_zero
STACK_OF(TYPE) *sk_TYPE_new(sk_TYPE_compfunc compare); STACK_OF(TYPE) *sk_TYPE_new(sk_TYPE_compfunc compare);
STACK_OF(TYPE) *sk_TYPE_new_null(void); STACK_OF(TYPE) *sk_TYPE_new_null(void);
int sk_TYPE_reserve(STACK_OF(TYPE) *sk, int n); int sk_TYPE_reserve(STACK_OF(TYPE) *sk, int n);
void sk_TYPE_free(const STACK_OF(TYPE) *sk); void sk_TYPE_free(STACK_OF(TYPE) *sk);
void sk_TYPE_zero(const STACK_OF(TYPE) *sk); void sk_TYPE_zero(STACK_OF(TYPE) *sk);
TYPE *sk_TYPE_delete(STACK_OF(TYPE) *sk, int i); TYPE *sk_TYPE_delete(STACK_OF(TYPE) *sk, int i);
TYPE *sk_TYPE_delete_ptr(STACK_OF(TYPE) *sk, TYPE *ptr); TYPE *sk_TYPE_delete_ptr(STACK_OF(TYPE) *sk, TYPE *ptr);
int sk_TYPE_push(STACK_OF(TYPE) *sk, const TYPE *ptr); int sk_TYPE_push(STACK_OF(TYPE) *sk, const TYPE *ptr);
@ -297,7 +297,7 @@ B<sk_I<TYPE>_reserve>() and B<sk_I<TYPE>_new_reserve>() were added in OpenSSL
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -483,7 +483,7 @@ EVP_MD_CTX_get_params() can be used with the following OSSL_PARAM keys:
=over 4 =over 4
=item "micalg" (B<OSSL_PARAM_DIGEST_KEY_MICALG>) <UTF8 string>. =item "micalg" (B<OSSL_DIGEST_PARAM_MICALG>) <UTF8 string>.
Gets the digest Message Integrity Check algorithm string. This is used when Gets the digest Message Integrity Check algorithm string. This is used when
creating S/MIME multipart/signed messages, as specified in RFC 3851. creating S/MIME multipart/signed messages, as specified in RFC 3851.
@ -784,7 +784,7 @@ in OpenSSL 3.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -20,7 +20,7 @@ EVP_KDF_CTX_gettable_params, EVP_KDF_CTX_settable_params - EVP KDF routines
typedef struct evp_kdf_st EVP_KDF; typedef struct evp_kdf_st EVP_KDF;
typedef struct evp_kdf_ctx_st EVP_KDF_CTX; typedef struct evp_kdf_ctx_st EVP_KDF_CTX;
EVP_KDF_CTX *EVP_KDF_CTX_new(const EVP_KDF *kdf); EVP_KDF_CTX *EVP_KDF_CTX_new(EVP_KDF *kdf);
const EVP_KDF *EVP_KDF_CTX_kdf(EVP_KDF_CTX *ctx); const EVP_KDF *EVP_KDF_CTX_kdf(EVP_KDF_CTX *ctx);
void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
EVP_KDF_CTX *EVP_KDF_CTX_dup(const EVP_KDF_CTX *src); EVP_KDF_CTX *EVP_KDF_CTX_dup(const EVP_KDF_CTX *src);
@ -304,7 +304,7 @@ This functionality was added in OpenSSL 3.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -23,7 +23,9 @@ The EVP_PKEY_CTX_get_params() and EVP_PKEY_CTX_set_params() functions allow
transfer of arbitrary key parameters to and from providers. transfer of arbitrary key parameters to and from providers.
Not all parameters may be supported by all providers. Not all parameters may be supported by all providers.
See L<OSSL_PROVIDER(3)> for more information on providers. See L<OSSL_PROVIDER(3)> for more information on providers.
See L<OSSL_PARAM(3)> for more information on parameters. The I<params> field is a pointer to a list of B<OSSL_PARAM> structures,
terminated with a L<OSSL_PARAM_END(3)> struct.
See L<OSSL_PARAM(3)> for information about passing parameters.
These functions must only be called after the EVP_PKEY_CTX has been initialised These functions must only be called after the EVP_PKEY_CTX has been initialised
for use in an operation. for use in an operation.
These methods replace the EVP_PKEY_CTX_ctrl() mechanism. (EVP_PKEY_CTX_ctrl now These methods replace the EVP_PKEY_CTX_ctrl() mechanism. (EVP_PKEY_CTX_ctrl now
@ -84,7 +86,7 @@ All functions were added in OpenSSL 3.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -61,6 +61,11 @@ It is not necessary to call these functions after locally calling an approved ke
generation method, but may be required for assurance purposes when receiving generation method, but may be required for assurance purposes when receiving
keys from a third party. keys from a third party.
The EVP_PKEY_pairwise_check() and EVP_PKEY_private_check() might not be bounded
by any key size limits as private keys are not expected to be supplied by
attackers. For that reason they might take an unbounded time if run on
arbitrarily large keys.
=head1 RETURN VALUES =head1 RETURN VALUES
All functions return 1 for success or others for failure. All functions return 1 for success or others for failure.
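Review bot: The new paragraph documents that EVP_PKEY_private_check() and EVP_PKEY_pairwise_check() are not protected by the key-size limits that bound the public-key checks, on the assumption that private keys are trusted input. It would help readers if the text also stated the consequence plainly: an application that does accept private-key material from untrusted sources (uploaded PKCS#8 or PKCS#12 files, for instance) must enforce its own size limit before calling these functions, since the library will not cut the computation short.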
@ -86,7 +91,7 @@ EVP_PKEY_private_check() and EVP_PKEY_pairwise_check() were added in OpenSSL 3.0
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -120,7 +120,7 @@ cipher B<c>.
SSL_CIPHER_description() returns a textual description of the cipher used SSL_CIPHER_description() returns a textual description of the cipher used
into the buffer B<buf> of length B<len> provided. If B<buf> is provided, it into the buffer B<buf> of length B<len> provided. If B<buf> is provided, it
must be at least 128 bytes, otherwise a buffer will be allocated using must be at least 128 bytes. If B<buf> is NULL it will be allocated using
OPENSSL_malloc(). If the provided buffer is too small, or the allocation fails, OPENSSL_malloc(). If the provided buffer is too small, or the allocation fails,
B<NULL> is returned. B<NULL> is returned.
@ -216,7 +216,7 @@ The SSL_CIPHER_get_prf_nid() function was added in OpenSSL 3.0.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

View File

@ -16,7 +16,9 @@ SSL_CTX_set_cert_store, SSL_CTX_set1_cert_store, SSL_CTX_get_cert_store - manipu
SSL_CTX_set_cert_store() sets/replaces the certificate verification storage SSL_CTX_set_cert_store() sets/replaces the certificate verification storage
of B<ctx> to/with B<store>. If another X509_STORE object is currently of B<ctx> to/with B<store>. If another X509_STORE object is currently
set in B<ctx>, it will be X509_STORE_free()ed. set in B<ctx>, it will be X509_STORE_free()ed. SSL_CTX_set_cert_store() will
take ownership of the B<store>, i.e., the call C<X509_STORE_free(store)> is no
longer needed.
SSL_CTX_set1_cert_store() sets/replaces the certificate verification storage SSL_CTX_set1_cert_store() sets/replaces the certificate verification storage
of B<ctx> to/with B<store>. The B<store>'s reference count is incremented. of B<ctx> to/with B<store>. The B<store>'s reference count is incremented.
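Review bot: "the call C<X509_STORE_free(store)> is no longer needed" understates the consequence; because SSL_CTX_set_cert_store() takes ownership of B<store>, a caller that still calls X509_STORE_free(store) drops a reference it no longer holds, so the text should say it must not be called. Suggested wording: "SSL_CTX_set_cert_store() takes ownership of B<store>; the caller must not call C<X509_STORE_free(store)> afterwards. Use SSL_CTX_set1_cert_store() if the caller needs to keep its own reference."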
@ -79,7 +81,7 @@ L<SSL_CTX_set_verify(3)>
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

@ -144,6 +144,9 @@ B<Client mode:> ignored (see BUGS)
If the B<mode> is SSL_VERIFY_NONE none of the other flags may be set. If the B<mode> is SSL_VERIFY_NONE none of the other flags may be set.
If verification flags are not modified explicitly by C<SSL_CTX_set_verify()>
or C<SSL_set_verify()>, the default value will be SSL_VERIFY_NONE.
The actual verification procedure is performed either using the built-in The actual verification procedure is performed either using the built-in
verification procedure or using another application provided verification verification procedure or using another application provided verification
function set with function set with
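Review bot: the added sentence says "verification flags" while the paragraph it follows talks about the B<mode> argument; use the same term so readers do not go looking for a separate flags setter, e.g. "If the verification mode is not set explicitly with SSL_CTX_set_verify() or SSL_set_verify(), it defaults to SSL_VERIFY_NONE." Since that default means the peer certificate is not checked at all, a one-line reminder that clients need SSL_VERIFY_PEER to get certificate verification would fit here.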
@ -363,7 +366,7 @@ and SSL_set_post_handshake_auth() functions were added in OpenSSL 1.1.1.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

@ -68,7 +68,7 @@ SSL_use_certificate() loads B<x> into B<ssl>. The rest of the
certificates needed to form the complete certificate chain can be certificates needed to form the complete certificate chain can be
specified using the specified using the
L<SSL_CTX_add_extra_chain_cert(3)> L<SSL_CTX_add_extra_chain_cert(3)>
function. function. On success the reference counter of the B<x> is incremented.
SSL_CTX_use_certificate_ASN1() loads the ASN1 encoded certificate from SSL_CTX_use_certificate_ASN1() loads the ASN1 encoded certificate from
the memory location B<d> (with length B<len>) into B<ctx>, the memory location B<d> (with length B<len>) into B<ctx>,
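Review bot: the new sentence "On success the reference counter of the B<x> is incremented." is appended to the sentence that ends with SSL_CTX_add_extra_chain_cert(3), so it reads as if it described that function rather than SSL_use_certificate()/SSL_CTX_use_certificate(). Either start a new paragraph or name the functions: "On success, SSL_use_certificate() and SSL_CTX_use_certificate() increment the reference count of B<x>." Also drop the article in "of the B<x>".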
@ -97,6 +97,7 @@ to the certificate an error is returned. To change a [certificate/private-key]
pair, the new certificate needs to be set first with SSL_use_certificate() or pair, the new certificate needs to be set first with SSL_use_certificate() or
SSL_CTX_use_certificate() before setting the private key with SSL_CTX_use_certificate() before setting the private key with
SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey(). SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey().
On success the reference counter of the B<pkey>/B<rsa> is incremented.
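Review bot: "the reference counter of the B<pkey>/B<rsa>" should read "the reference count of B<pkey> or B<rsa>"; naming the functions this applies to (the SSL_use_PrivateKey()/SSL_CTX_use_PrivateKey() family from the preceding sentence) would also stop the sentence from floating at the end of the paragraph about key/certificate ordering.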
SSL_CTX_use_cert_and_key() and SSL_use_cert_and_key() assign the X.509 SSL_CTX_use_cert_and_key() and SSL_use_cert_and_key() assign the X.509
certificate B<x>, private key B<key>, and certificate B<chain> onto the certificate B<x>, private key B<key>, and certificate B<chain> onto the
@ -195,7 +196,7 @@ L<SSL_CTX_add_extra_chain_cert(3)>
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

@ -54,7 +54,8 @@ it is not limited to CA certificates.
=head1 RETURN VALUES =head1 RETURN VALUES
The following return values can occur: The following return values can occur for SSL_load_client_CA_file_ex(), and
SSL_load_client_CA_file():
=over 4 =over 4
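Review bot: "for SSL_load_client_CA_file_ex(), and SSL_load_client_CA_file():" has a stray comma before "and" with only two items; "for SSL_load_client_CA_file_ex() and SSL_load_client_CA_file():" is the form used elsewhere in these pages.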
@ -68,6 +69,21 @@ Pointer to the subject names of the successfully read certificates.
=back =back
The following return values can occur for SSL_add_file_cert_subjects_to_stack(),
SSL_add_dir_cert_subjects_to_stack(), and SSL_add_store_cert_subjects_to_stack():
=over 4
=item 0 (Failure)
The operation failed.
=item 1 (Success)
The operation succeeded.
=back
=head1 EXAMPLES =head1 EXAMPLES
Load names of CAs from file and use it as a client CA list: Load names of CAs from file and use it as a client CA list:
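Review bot: the new 0/1 return-value list for SSL_add_file_cert_subjects_to_stack(), SSL_add_dir_cert_subjects_to_stack() and SSL_add_store_cert_subjects_to_stack() says only "The operation failed." for 0; since these functions push names onto a caller-supplied stack, it should state whether B<stack> may already have been partially modified when 0 is returned, which is what a caller deciding whether to reuse the stack needs to know.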
@ -96,7 +112,7 @@ were added in OpenSSL 3.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

@ -38,6 +38,9 @@ Getter that returns the default digest name.
B<SM2> signatures can be generated by using the 'DigestSign' series of APIs, for B<SM2> signatures can be generated by using the 'DigestSign' series of APIs, for
instance, EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal(). instance, EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal().
Ditto for the verification process by calling the 'DigestVerify' series of APIs. Ditto for the verification process by calling the 'DigestVerify' series of APIs.
Note that the SM2 algorithm requires the presence of the public key for signatures,
as such the B<OSSL_PKEY_PARAM_PUB_KEY> option must be set on any key used in signature
generation.
Before computing an B<SM2> signature, an B<EVP_PKEY_CTX> needs to be created, Before computing an B<SM2> signature, an B<EVP_PKEY_CTX> needs to be created,
and an B<SM2> ID must be set for it, like this: and an B<SM2> ID must be set for it, like this:
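Review bot: the note says B<OSSL_PKEY_PARAM_PUB_KEY> must be set on any key used for signing but not what happens otherwise; stating that the DigestSign call fails for a key carrying only the private component would make the requirement actionable for readers who load keys from raw private scalars. Also "as such" reads better as "so".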
@ -84,7 +87,7 @@ L<EVP_MD_CTX_set_pkey_ctx(3)>
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

@ -136,6 +136,14 @@ To ensure the future compatibility, the engines should be turned to providers.
To prefer the provider-based hardware offload, you can specify the default To prefer the provider-based hardware offload, you can specify the default
properties to prefer your provider. properties to prefer your provider.
Setting engine-based or application-based default low-level crypto method such
as B<RSA_METHOD> or B<EC_KEY_METHOD> is still possible and keys inside the
default provider will use the engine-based implementation for the crypto
operations. However B<EVP_PKEY>s created by decoding by using B<OSSL_DECODER>,
B<PEM_> or B<d2i_> APIs will be provider-based. To create a fully legacy
B<EVP_PKEY>s L<EVP_PKEY_set1_RSA(3)>, L<EVP_PKEY_set1_EC_KEY(3)> or similar
functions must be used.
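Review bot: two grammar slips in the new paragraph: "Setting engine-based or application-based default low-level crypto method such as" should be "methods such as", and "To create a fully legacy B<EVP_PKEY>s L<EVP_PKEY_set1_RSA(3)>, ... must be used" should drop the article and add the comma: "To create fully legacy B<EVP_PKEY>s, L<EVP_PKEY_set1_RSA(3)>, L<EVP_PKEY_set1_EC_KEY(3)> or similar functions must be used."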
=head3 Versioning Scheme =head3 Versioning Scheme
The OpenSSL versioning scheme has changed with the OpenSSL 3.0 release. The new The OpenSSL versioning scheme has changed with the OpenSSL 3.0 release. The new
@ -1298,7 +1306,7 @@ d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(),
d2i_DSA_PUBKEY_bio(), d2i_DSA_PUBKEY_fp(), d2i_DSAPublicKey(), d2i_DSA_PUBKEY_bio(), d2i_DSA_PUBKEY_fp(), d2i_DSAPublicKey(),
d2i_ECParameters(), d2i_ECPrivateKey(), d2i_ECPrivateKey_bio(), d2i_ECParameters(), d2i_ECPrivateKey(), d2i_ECPrivateKey_bio(),
d2i_ECPrivateKey_fp(), d2i_EC_PUBKEY(), d2i_EC_PUBKEY_bio(), d2i_ECPrivateKey_fp(), d2i_EC_PUBKEY(), d2i_EC_PUBKEY_bio(),
d2i_EC_PUBKEY_fp(), o2i_ECPublicKey(), d2i_RSAPrivateKey(), d2i_EC_PUBKEY_fp(), d2i_RSAPrivateKey(),
d2i_RSAPrivateKey_bio(), d2i_RSAPrivateKey_fp(), d2i_RSA_PUBKEY(), d2i_RSAPrivateKey_bio(), d2i_RSAPrivateKey_fp(), d2i_RSA_PUBKEY(),
d2i_RSA_PUBKEY_bio(), d2i_RSA_PUBKEY_fp(), d2i_RSAPublicKey(), d2i_RSA_PUBKEY_bio(), d2i_RSA_PUBKEY_fp(), d2i_RSAPublicKey(),
d2i_RSAPublicKey_bio(), d2i_RSAPublicKey_fp() d2i_RSAPublicKey_bio(), d2i_RSAPublicKey_fp()
@ -1307,6 +1315,13 @@ See L</Deprecated i2d and d2i functions for low-level key types>
=item * =item *
o2i_ECPublicKey()
Use L<EVP_PKEY_set1_encoded_public_key(3)>.
See L</Deprecated low-level key parameter setters>
=item *
DES_crypt(), DES_fcrypt(), DES_encrypt1(), DES_encrypt2(), DES_encrypt3(), DES_crypt(), DES_fcrypt(), DES_encrypt1(), DES_encrypt2(), DES_encrypt3(),
DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(), DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(),
DES_ede3_cfb_encrypt(),DES_ede3_ofb64_encrypt(), DES_ede3_cfb_encrypt(),DES_ede3_ofb64_encrypt(),
@ -1857,13 +1872,20 @@ and L<d2i_RSAPrivateKey(3)/Migration>
i2d_ECParameters(), i2d_ECPrivateKey(), i2d_ECPrivateKey_bio(), i2d_ECParameters(), i2d_ECPrivateKey(), i2d_ECPrivateKey_bio(),
i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(), i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(),
i2d_EC_PUBKEY_fp(), i2o_ECPublicKey() i2d_EC_PUBKEY_fp()
See L</Deprecated low-level key reading and writing functions> See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration> and L<d2i_RSAPrivateKey(3)/Migration>
=item * =item *
i2o_ECPublicKey()
Use L<EVP_PKEY_get1_encoded_public_key(3)>.
See L</Deprecated low-level key parameter getters>
=item *
i2d_RSAPrivateKey(), i2d_RSAPrivateKey_bio(), i2d_RSAPrivateKey_fp(), i2d_RSAPrivateKey(), i2d_RSAPrivateKey_bio(), i2d_RSAPrivateKey_fp(),
i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(), i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(),
i2d_RSAPublicKey(), i2d_RSAPublicKey_bio(), i2d_RSAPublicKey_fp() i2d_RSAPublicKey(), i2d_RSAPublicKey_bio(), i2d_RSAPublicKey_fp()
@ -2462,7 +2484,7 @@ The migration guide was created for OpenSSL 3.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -296,20 +296,18 @@ static ossl_inline void ossl_sleep(unsigned long millis)
ts.tv_sec = (long int) (millis / 1000); ts.tv_sec = (long int) (millis / 1000);
ts.tv_nsec = (long int) (millis % 1000) * 1000000ul; ts.tv_nsec = (long int) (millis % 1000) * 1000000ul;
nanosleep(&ts, NULL); nanosleep(&ts, NULL);
# elif defined(__TANDEM) # elif defined(__TANDEM) && !defined(_REENTRANT)
# if !defined(_REENTRANT)
# include <cextdecs.h(PROCESS_DELAY_)> # include <cextdecs.h(PROCESS_DELAY_)>
/* HPNS does not support usleep for non threaded apps */ /* HPNS does not support usleep for non threaded apps */
PROCESS_DELAY_(millis * 1000); PROCESS_DELAY_(millis * 1000);
# elif defined(_SPT_MODEL_)
# include <spthread.h>
# include <spt_extensions.h>
usleep(millis * 1000);
# else
usleep(millis * 1000);
# endif
# else # else
usleep(millis * 1000); unsigned int s = (unsigned int)(millis / 1000);
unsigned int us = (unsigned int)((millis % 1000) * 1000);
if (s > 0)
sleep(s);
usleep(us);
# endif # endif
} }
#elif defined(_WIN32) #elif defined(_WIN32)
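Review bot: the new generic branch splits the delay into sleep(s) followed by usleep(us), which avoids passing a value of 1000000 or more to usleep(), but it ignores the return value of sleep() (the unslept seconds when a signal interrupts it) and any early return from usleep(), so an interrupted ossl_sleep() still returns before the requested time has elapsed; acceptable for a best-effort delay, but worth a comment. Also confirm that dropping the `_SPT_MODEL_` branch together with its `# include <spthread.h>` and `# include <spt_extensions.h>` is intentional, since those includes may have been what declared usleep() for that configuration.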

@ -1,5 +1,5 @@
/* /*
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -811,8 +811,10 @@ static int bind_helper(ENGINE *e, const char *id)
if (!afalg_chk_platform()) if (!afalg_chk_platform())
return 0; return 0;
if (!bind_afalg(e)) if (!bind_afalg(e)) {
afalg_destroy(e);
return 0; return 0;
}
return 1; return 1;
} }
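Review bot: calling afalg_destroy(e) when bind_afalg() fails is the right cleanup, but bind_afalg() can fail at any step of registration, so check that afalg_destroy() tolerates a partially initialised engine (fields it releases may still be NULL or never registered). A short comment on why the destroy is needed here, to release whatever bind_afalg() allocated before failing, would help the next reader.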

@ -1,5 +1,5 @@
/* /*
* Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -985,7 +985,7 @@ static int dasync_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
size_t inlen); size_t inlen);
if (pdecrypt == NULL) if (pdecrypt == NULL)
EVP_PKEY_meth_get_encrypt(dasync_rsa_orig, NULL, &pdecrypt); EVP_PKEY_meth_get_decrypt(dasync_rsa_orig, NULL, &pdecrypt);
return pdecrypt(ctx, out, outlen, in, inlen); return pdecrypt(ctx, out, outlen, in, inlen);
} }
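Review bot: this is a genuine bug fix, not a cosmetic one: dasync_rsa_decrypt() was looking up the original method's encrypt callback with EVP_PKEY_meth_get_encrypt() and then calling it through pdecrypt with the decrypt arguments, so a decrypt routed through the dasync engine would have run the encrypt operation instead. The compiler does not flag this, so a regression test that decrypts through the engine and compares the plaintext with the default provider's result would keep it from recurring.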

@ -1,5 +1,5 @@
/* /*
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"); * Licensed under the Apache License 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -312,10 +312,16 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, i); ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, i);
if (o != NULL) { if (o != NULL) {
BIO *bio = BIO_new(BIO_s_null()); /*
if (bio != NULL) { * Don't print excessively long output to prevent spurious fuzzer
ASN1_item_print(bio, o, 4, i, pctx); * timeouts.
BIO_free(bio); */
if (b - buf < 10000) {
BIO *bio = BIO_new(BIO_s_null());
if (bio != NULL) {
ASN1_item_print(bio, o, 4, i, pctx);
BIO_free(bio);
}
} }
if (ASN1_item_i2d(o, &der, i) > 0) { if (ASN1_item_i2d(o, &der, i) > 0) {
OPENSSL_free(der); OPENSSL_free(der);
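Review bot: `b - buf < 10000` uses `b` after ASN1_item_d2i() has advanced it, so it bounds the number of input bytes consumed, not the size of what ASN1_item_print() would emit; the comment says "excessively long output", so either say that consumed-input length is used as a proxy for output size or adjust the wording. The bare `10000` should also be a named constant next to the function rather than a magic literal.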

@ -1,5 +1,5 @@
/* /*
* Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2014-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -87,6 +87,14 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
const BIGNUM *d, BN_CTX *ctx); const BIGNUM *d, BN_CTX *ctx);
int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n);
int ossl_bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w);
int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range,
unsigned int strength, BN_CTX *ctx);
int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range,
const BIGNUM *priv,
const unsigned char *message,
size_t message_len, BN_CTX *ctx);
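Review bot: the four new `ossl_bn_*_fixed_top` declarations carry no comment on the fixed-top contract (the result's `top` is kept fixed rather than normalised to the highest non-zero word, so callers must not hand the BIGNUM to code that assumes normalisation). The existing bn_*_fixed_top prototypes above have the same gap, but since ossl_bn_priv_rand_range_fixed_top() and ossl_bn_gen_dsa_nonce_fixed_top() take secret inputs (B<priv>, the nonce range), a one-line comment that the fixed-top variants exist to keep the operand length independent of the secret value would explain why the public BN_* functions are not used here.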
#define BN_PRIMETEST_COMPOSITE 0 #define BN_PRIMETEST_COMPOSITE 0
#define BN_PRIMETEST_COMPOSITE_WITH_FACTOR 1 #define BN_PRIMETEST_COMPOSITE_WITH_FACTOR 1

@ -1 +0,0 @@
#include "../../../config/bn_conf.h"
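Review bot: this and the following single-line deletions remove forwarding headers whose only content was `#include "../../../config/<name>.h"`; fine as a cleanup, but nothing in the diff shows where the build now finds those headers, so confirm the include paths in the build configuration were updated in the same change, otherwise any consumer still including the old relative location fails at compile time.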

@ -1 +0,0 @@
#include "../../../config/dso_conf.h"

@ -1,5 +1,5 @@
/* /*
* Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2014-2024 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the Apache License 2.0 (the "License"). You may not use * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -140,6 +140,29 @@ static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b)
return constant_time_msb_64(a ^ ((a ^ b) | ((a - b) ^ b))); return constant_time_msb_64(a ^ ((a ^ b) | ((a - b) ^ b)));
} }
#ifdef BN_ULONG
static ossl_inline BN_ULONG constant_time_msb_bn(BN_ULONG a)
{
return 0 - (a >> (sizeof(a) * 8 - 1));
}
static ossl_inline BN_ULONG constant_time_lt_bn(BN_ULONG a, BN_ULONG b)
{
return constant_time_msb_bn(a ^ ((a ^ b) | ((a - b) ^ b)));
}
static ossl_inline BN_ULONG constant_time_is_zero_bn(BN_ULONG a)
{
return constant_time_msb_bn(~a & (a - 1));
}
static ossl_inline BN_ULONG constant_time_eq_bn(BN_ULONG a,
BN_ULONG b)
{
return constant_time_is_zero_bn(a ^ b);
}
#endif
static ossl_inline unsigned int constant_time_ge(unsigned int a, static ossl_inline unsigned int constant_time_ge(unsigned int a,
unsigned int b) unsigned int b)
{ {
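Review bot: wrapping the new helpers in `#ifdef BN_ULONG` makes their availability depend on include order (the header defining BN_ULONG must be seen before this one), and the failure is silent: a translation unit that includes this header first simply does not see constant_time_lt_bn() and friends and gets an implicit-declaration or link error far from the cause. A comment stating that requirement, or including the header that defines BN_ULONG here, would make it explicit. `sizeof(a) * 8` in constant_time_msb_bn() matches the existing helpers above, so it is fine for consistency, though CHAR_BIT is the strictly portable form.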

@ -1 +0,0 @@
#include "../../../config/asn1.h"

@ -1 +0,0 @@
#include "../../../config/asn1t.h"

@ -1 +0,0 @@
#include "../../../config/bio.h"

@ -1 +0,0 @@
#include "../../../config/cmp.h"

@ -1 +0,0 @@
#include "../../../config/cms.h"

@ -1 +0,0 @@
#include "../../../config/conf.h"

@ -1 +0,0 @@
#include "../../../config/configuration.h"

@ -1 +0,0 @@
#include "../../../config/crmf.h"

@ -1 +0,0 @@
#include "../../../config/crypto.h"

@ -1 +0,0 @@
#include "../../../config/ct.h"

@ -1 +0,0 @@
#include "../../../config/err.h"

@ -1 +0,0 @@
#include "../../../config/ess.h"

@ -1 +0,0 @@
#include "../../../config/fipskey.h"

@ -1 +0,0 @@
#include "../../../config/lhash.h"

@ -1 +0,0 @@
#include "../../../config/ocsp.h"

@ -1 +0,0 @@
#include "../../../config/opensslv.h"

@ -1 +0,0 @@
#include "../../../config/pkcs12.h"

@ -1 +0,0 @@
#include "../../../config/pkcs7.h"

@ -1 +0,0 @@
#include "../../../config/safestack.h"

Some files were not shown because too many files have changed in this diff.