From d2a5432d1c9a4d3b8a1db3607a3dc592d2c036eb Mon Sep 17 00:00:00 2001 
From: qiuleilei Date: Thu, 30 Oct 2025 21:24:25 +0800 Subject: [PATCH] [mslite][feature] update openssl version 1.1.1k to 3.5.4 --- cmake/external_libs/openssl.cmake | 122 +-- .../python_api/test_encrypt_and_decrypt.py | 58 ++ .../st/scripts/ascend/run_cloud_arm_a2.sh | 3 + third_party/patch/openssl/CVE-2021-3711.patch | 81 -- third_party/patch/openssl/CVE-2021-3712.patch | 17 - third_party/patch/openssl/CVE-2021-4160.patch | 78 -- third_party/patch/openssl/CVE-2022-0778.patch | 49 -- third_party/patch/openssl/CVE-2022-1292.patch | 58 -- third_party/patch/openssl/CVE-2022-2068.patch | 241 ------ third_party/patch/openssl/CVE-2022-2097.patch | 22 - third_party/patch/openssl/CVE-2022-4304.patch | 771 ------------------ third_party/patch/openssl/CVE-2022-4450.patch | 14 - third_party/patch/openssl/CVE-2023-0215.patch | 144 ---- third_party/patch/openssl/CVE-2023-0286.patch | 44 - third_party/patch/openssl/CVE-2023-0464.patch | 222 ----- third_party/patch/openssl/CVE-2023-0465.patch | 54 -- third_party/patch/openssl/CVE-2023-0466.patch | 27 - third_party/patch/openssl/CVE-2023-2650.patch | 63 -- third_party/patch/openssl/CVE-2023-3446.patch | 124 --- third_party/patch/openssl/CVE-2023-3817.patch | 57 -- third_party/patch/openssl/CVE-2023-4807.patch | 47 -- third_party/patch/openssl/CVE-2023-5678.patch | 113 --- third_party/patch/openssl/CVE-2024-0727.patch | 109 --- .../patch/openssl/CVE-2024-13176.patch | 525 ------------ third_party/patch/openssl/CVE-2024-2511.patch | 487 ----------- third_party/patch/openssl/CVE-2024-4741.patch | 71 -- third_party/patch/openssl/CVE-2024-5535.patch | 169 ---- third_party/patch/openssl/CVE-2024-9143.patch | 201 ----- 28 files changed, 69 insertions(+), 3902 deletions(-) create mode 100644 mindspore-lite/test/st/python/python_api/test_encrypt_and_decrypt.py delete mode 100644 third_party/patch/openssl/CVE-2021-3711.patch delete mode 100644 third_party/patch/openssl/CVE-2021-3712.patch delete mode 100644 
third_party/patch/openssl/CVE-2021-4160.patch delete mode 100644 third_party/patch/openssl/CVE-2022-0778.patch delete mode 100644 third_party/patch/openssl/CVE-2022-1292.patch delete mode 100644 third_party/patch/openssl/CVE-2022-2068.patch delete mode 100644 third_party/patch/openssl/CVE-2022-2097.patch delete mode 100644 third_party/patch/openssl/CVE-2022-4304.patch delete mode 100644 third_party/patch/openssl/CVE-2022-4450.patch delete mode 100644 third_party/patch/openssl/CVE-2023-0215.patch delete mode 100644 third_party/patch/openssl/CVE-2023-0286.patch delete mode 100644 third_party/patch/openssl/CVE-2023-0464.patch delete mode 100644 third_party/patch/openssl/CVE-2023-0465.patch delete mode 100644 third_party/patch/openssl/CVE-2023-0466.patch delete mode 100644 third_party/patch/openssl/CVE-2023-2650.patch delete mode 100644 third_party/patch/openssl/CVE-2023-3446.patch delete mode 100644 third_party/patch/openssl/CVE-2023-3817.patch delete mode 100644 third_party/patch/openssl/CVE-2023-4807.patch delete mode 100644 third_party/patch/openssl/CVE-2023-5678.patch delete mode 100644 third_party/patch/openssl/CVE-2024-0727.patch delete mode 100644 third_party/patch/openssl/CVE-2024-13176.patch delete mode 100644 third_party/patch/openssl/CVE-2024-2511.patch delete mode 100644 third_party/patch/openssl/CVE-2024-4741.patch delete mode 100644 third_party/patch/openssl/CVE-2024-5535.patch delete mode 100644 third_party/patch/openssl/CVE-2024-9143.patch
diff --git a/cmake/external_libs/openssl.cmake b/cmake/external_libs/openssl.cmake
index 09e6069a..580bc659 100644
--- a/cmake/external_libs/openssl.cmake
+++ b/cmake/external_libs/openssl.cmake
@@ -1,15 +1,9 @@
 if(ENABLE_GITEE OR ENABLE_GITEE_EULER) # Channel GITEE_EULER is NOT supported now, use GITEE instead.
- set(REQ_URL "https://gitee.com/mirrors/openssl/repository/archive/OpenSSL_1_1_1k.tar.gz")
- set(SHA256 "b92f9d3d12043c02860e5e602e50a73ed21a69947bcc74d391f41148e9f6aa95")
+ set(REQ_URL "https://gitee.com/mirrors/openssl/repository/archive/openssl-3.5.4.tar.gz")
+ set(SHA256 "758b69feed5787dc12d34b0eb29b60d3c9d73d5a64760c62d93a6d26b344d65d")
 else()
- set(REQ_URL "https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_1_1_1k.tar.gz")
- set(SHA256 "b92f9d3d12043c02860e5e602e50a73ed21a69947bcc74d391f41148e9f6aa95")
-endif()
-
-if(BUILD_LITE)
- set(OPENSSL_PATCH_ROOT ${TOP_DIR}/third_party/patch/openssl)
-else()
- set(OPENSSL_PATCH_ROOT ${CMAKE_SOURCE_DIR}/third_party/patch/openssl)
+ set(REQ_URL "https://github.com/openssl/openssl/archive/refs/tags/openssl-3.5.4.tar.gz")
+ set(SHA256 "758b69feed5787dc12d34b0eb29b60d3c9d73d5a64760c62d93a6d26b344d65d")
 endif()
 
 if(BUILD_LITE)
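Review bot: Nothing in this file records why the `OPENSSL_PATCH_ROOT` block and the 25 `third_party/patch/openssl/CVE-*.patch` backports disappear, so the next reader who notices the missing CVE list has to dig through history; a one-line comment above `if(ENABLE_GITEE OR ENABLE_GITEE_EULER)` such as `# OpenSSL 3.5.4 already contains the fixes formerly carried as third_party/patch/openssl/CVE-*.patch for 1.1.1k; security updates are now taken as version bumps` would settle that. All of the dropped CVEs predate the 3.5 series, so they should be fixed upstream, but a quick check of the 3.5.4 CHANGES list before merging would make the comment a verified statement rather than an assumption. The same digest `758b69fe…` is assigned to both the Gitee mirror archive and the GitHub tag tarball, which mirrors how the 1.1.1k lines were written but only holds if the mirror serves a byte-identical archive; since this SHA256 is the only integrity check on the downloaded source, it is worth confirming against the upstream release digest. As the two branches now differ only in `REQ_URL`, the `set(SHA256 ...)` could be hoisted out of the if/else into a single line.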
@@ -21,36 +15,11 @@ if(BUILD_LITE)
 ${ANDROID_NDK_ROOT}/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:
 $ENV{PATH})
 mindspore_add_pkg(openssl
- VER 1.1.1k
+ VER 3.5.4
 LIBS ssl crypto
 URL ${REQ_URL}
 SHA256 ${SHA256}
 CONFIGURE_COMMAND ./Configure android-arm64 -D__ANDROID_API__=29 no-zlib no-afalgeng
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-4304.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-4450.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0215.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0286.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0464.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0465.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0466.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-2650.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-3446.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-3817.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-4807.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-5678.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-0727.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-2511.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-5535.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-9143.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-4741.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-13176.patch
 )
 elseif(PLATFORM_ARM32 AND ANDROID_NDK_TOOLCHAIN_INCLUDED)
 set(openssl_USE_STATIC_LIBS OFF)
@@ -60,70 +29,20 @@ if(BUILD_LITE)
 ${ANDROID_NDK_ROOT}/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:
 $ENV{PATH})
 mindspore_add_pkg(openssl
- VER 1.1.1k
+ VER 3.5.4
 LIBS ssl crypto
 URL ${REQ_URL}
 SHA256 ${SHA256}
 CONFIGURE_COMMAND ./Configure android-arm -D__ANDROID_API__=19 no-zlib no-afalgeng
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-4304.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-4450.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0215.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0286.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0464.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0465.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0466.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-2650.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-3446.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-3817.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-4807.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-5678.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-0727.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-2511.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-5535.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-9143.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-4741.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-13176.patch
 )
 elseif(${CMAKE_SYSTEM_NAME} MATCHES "Linux" OR APPLE)
 set(openssl_CFLAGS -fvisibility=hidden)
 mindspore_add_pkg(openssl
- VER 1.1.1k
+ VER 3.5.4
 LIBS ssl crypto
 URL ${REQ_URL}
 SHA256 ${SHA256}
 CONFIGURE_COMMAND ./config no-zlib no-shared no-afalgeng
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-4304.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-4450.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0215.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0286.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0464.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0465.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0466.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-2650.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-3446.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-3817.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-4807.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-5678.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-0727.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-2511.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-5535.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-9143.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-4741.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-13176.patch
 )
 else()
 MESSAGE(FATAL_ERROR "openssl does not support compilation for the current environment.")
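Review bot: The Linux/APPLE line `CONFIGURE_COMMAND ./config no-zlib no-shared no-afalgeng` is carried over from 1.1.1k unchanged, but OpenSSL 3.x defaults its install `libdir` to `lib64` on 64-bit Linux targets where 1.1.1 used `lib`, so if `mindspore_add_pkg` resolves `LIBS ssl crypto` under `<prefix>/lib` the static libraries may not be found after this bump; `mindspore_add_pkg` is outside the diff, so please verify, or pin the layout explicitly with `./config --libdir=lib no-zlib no-shared no-afalgeng`. The identical `./config` line in the next hunk (`@@ -135,36 +54,11 @@`) has the same exposure; the Android `./Configure android-arm*` lines do not, as far as I know. Engines are deprecated in 3.x but `no-afalgeng` is still an accepted Configure option, so that part needs no change.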
@@ -135,36 +54,11 @@ else()
 if(${CMAKE_SYSTEM_NAME} MATCHES "Linux" OR APPLE)
 set(openssl_CFLAGS -fvisibility=hidden)
 mindspore_add_pkg(openssl
- VER 1.1.1k
+ VER 3.5.4
 LIBS ssl crypto
 URL ${REQ_URL}
 SHA256 ${SHA256}
 CONFIGURE_COMMAND ./config no-zlib no-shared no-afalgeng
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-4304.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-4450.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0215.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0286.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0464.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0465.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-0466.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-2650.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-3446.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-3817.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-4807.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2023-5678.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-0727.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-2511.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-5535.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-9143.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-4741.patch
- PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2024-13176.patch
 )
 include_directories(${openssl_INC})
 add_library(mindspore::ssl ALIAS openssl::ssl)
diff --git a/mindspore-lite/test/st/python/python_api/test_encrypt_and_decrypt.py b/mindspore-lite/test/st/python/python_api/test_encrypt_and_decrypt.py
new file mode 100644
index 00000000..ca3a19c0
--- /dev/null
+++ b/mindspore-lite/test/st/python/python_api/test_encrypt_and_decrypt.py
@@ -0,0 +1,58 @@
+# Copyright 2025 Huawei Technologies Co., Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============================================================================
+"""
+Test for MindSpore Lite encrypt_and_decrypt
+"""
+
+import mindspore_lite as mslite
+import numpy as np
+
+MODEL_FILE = "./single_matmul_model.onnx"
+ENCRYPT_MINDIR_MODEL_FILE = "encrypt_single_matmul_model"
+DECRYPT_KEY = "30313233343637383939414243444546"
+DECRYPT_MODE = "AES-GCM"
+ENCRYPT_KEY = "30313233343637383939414243444546"
+DEC_NUM_PARALLEL = 64
+def test_convert_encrypt_and_infer_decrypt_model():
+ """
+ test convert encrypt and infer decrypt model
+ """
+ # convert and encrypt model
+ converter = mslite.Converter()
+ converter.input_shape = {"input": [1, 4]}
+ converter.input_data_type = mslite.DataType.FLOAT32
+ converter.output_data_type = mslite.DataType.FLOAT32
+ converter.save_type = mslite.ModelType.MINDIR
+ converter.enable_encryption = True
+ converter.encrypt_key = ENCRYPT_KEY
+ converter.infer = True
+ converter.optimize = "general"
+ converter.save_type = mslite.ModelType.MINDIR
+ converter.convert(mslite.FmkType.ONNX, MODEL_FILE, ENCRYPT_MINDIR_MODEL_FILE)
+ # decrypt and predict model
+ model = mslite.Model()
+ context = mslite.Context()
+ context.target = ["cpu"]
+ dec_key = bytes.fromhex(DECRYPT_KEY)
+ model.build_from_file(model_path = ENCRYPT_MINDIR_MODEL_FILE + ".mindir",
+ model_type = mslite.ModelType.MINDIR, context = context,
+ dec_key = dec_key, dec_mode = DECRYPT_MODE,
+ dec_num_parallel = DEC_NUM_PARALLEL)
+ np_input = np.ones((1, 4), dtype=np.float32)
+ ms_inputs = model.get_inputs()
+ ms_inputs[0].set_data_from_numpy(np_input)
+ out = model.predict(ms_inputs)
+ assert out[0].shape == [1, 4]
diff --git a/mindspore-lite/test/st/scripts/ascend/run_cloud_arm_a2.sh b/mindspore-lite/test/st/scripts/ascend/run_cloud_arm_a2.sh
index 2a21c3d1..e0e199d9 100644
--- a/mindspore-lite/test/st/scripts/ascend/run_cloud_arm_a2.sh
+++ b/mindspore-lite/test/st/scripts/ascend/run_cloud_arm_a2.sh
@@ -389,6 +389,7 @@ cd ${basepath}/python/python_api/ || exit 1
 cp -r ${ms_models_path}/sd1.5_unet.onnx* . || exit 1 # for Model Predict ST
 cp -r ${ms_models_path}/single_matmul_model.onnx.mindir . || exit 1 # for Update weights ST
 cp -r ${basepath}/../${config_folder}/ascend/prof.json . || exit 1 # for test profiling
+cp -r ${models_path}/single_matmul_model.onnx . || exit 1 # for Encrypt And Decrypt ST
 #for code coverage in A2
 if [[ "${MSLITE_ENABLE_COVERAGE}" == "on" || "${MSLITE_ENABLE_COVERAGE}" == "ON" ]]; then
 echo "MSLITE_ENABLE_COVERAGE: ${MSLITE_ENABLE_COVERAGE}, MSLITE_COVERAGE_FILE: ${MSLITE_COVERAGE_FILE}"
@@ -398,6 +399,7 @@ if [[ "${MSLITE_ENABLE_COVERAGE}" == "on" || "${MSLITE_ENABLE_COVERAGE}" == "ON"
 python3 -m coverage run --rcfile=${MSLITE_COVERAGE_FILE} -m pytest test_model_info.py || exit 1
 python3 -m coverage run --rcfile=${MSLITE_COVERAGE_FILE} -m pytest test_update_weight.py || exit 1
 python3 -m coverage run --rcfile=${MSLITE_COVERAGE_FILE} -m pytest test_acl_profiling.py || exit 1
+ python3 -m coverage run --rcfile=${MSLITE_COVERAGE_FILE} -m pytest test_encrypt_and_decrypt.py || exit 1
 else
 pytest test_tensor.py || exit 1
 pytest test_model.py || exit 1
@@ -405,6 +407,7 @@ else
 pytest test_model_info.py || exit 1
 pytest test_update_weight.py || exit 1
 pytest test_acl_profiling.py || exit 1
+ pytest test_encrypt_and_decrypt.py || exit 1
 fi
 echo "---------- Run MindSpore Lite API SUCCESS ----------"
 #---------------------------------------------------------
diff --git a/third_party/patch/openssl/CVE-2021-3711.patch b/third_party/patch/openssl/CVE-2021-3711.patch
deleted file mode 100644
index 790e10f8..00000000
--- a/third_party/patch/openssl/CVE-2021-3711.patch
+++ /dev/null
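Review bot: `converter.save_type = mslite.ModelType.MINDIR` is assigned twice in `test_convert_encrypt_and_infer_decrypt_model`, once before `enable_encryption` and again after `optimize`; the second assignment is dead and should be dropped. `ENCRYPT_KEY` and `DECRYPT_KEY` hold the same literal, which is the whole point of the round-trip, so a single constant (or a one-line comment stating that the two must match for `build_from_file` to succeed) would make the intent clearer than two identically valued names. The test also leaves `encrypt_single_matmul_model.mindir` in the working directory after it runs; removing it in a `finally:` block with `os.remove` keeps a later rerun from silently exercising a stale artifact from a previous build.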
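Review bot: The added copy line reads `cp -r ${models_path}/single_matmul_model.onnx . || exit 1`, while the three lines above it take their fixtures from `${ms_models_path}` and `${basepath}`; if `models_path` is not set in this script the copy fails and the whole API run exits at `|| exit 1` before any test starts. The `.onnx.mindir` copied two lines earlier comes from `ms_models_path`, so the split may be deliberate, but please confirm `models_path` is defined and points at the directory holding the raw `.onnx`. The enclosing script section starts outside the hunk.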
@@ -1,81 +0,0 @@ -diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c -index ef505f6441..1188abfc6b 100644 ---- a/crypto/sm2/sm2_crypt.c -+++ b/crypto/sm2/sm2_crypt.c -@@ -61,29 +61,20 @@ static size_t ec_field_size(const EC_GROUP *group) - return field_size; - } - --int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, -- size_t *pt_size) -+int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size) - { -- const size_t field_size = ec_field_size(EC_KEY_get0_group(key)); -- const int md_size = EVP_MD_size(digest); -- size_t overhead; -+ struct SM2_Ciphertext_st *sm2_ctext = NULL; - -- if (md_size < 0) { -- SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_DIGEST); -- return 0; -- } -- if (field_size == 0) { -- SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_FIELD); -- return 0; -- } -+ sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size); - -- overhead = 10 + 2 * field_size + (size_t)md_size; -- if (msg_len <= overhead) { -+ if (sm2_ctext == NULL) { - SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_ENCODING); - return 0; - } - -- *pt_size = msg_len - overhead; -+ *pt_size = sm2_ctext->C2->length; -+ SM2_Ciphertext_free(sm2_ctext); -+ - return 1; - } - -diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c -index b42a14c32f..27025fbf3a 100644 ---- a/crypto/sm2/sm2_pmeth.c -+++ b/crypto/sm2/sm2_pmeth.c -@@ -151,7 +151,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx, - const EVP_MD *md = (dctx->md == NULL) ? 
EVP_sm3() : dctx->md; - - if (out == NULL) { -- if (!sm2_plaintext_size(ec, md, inlen, outlen)) -+ if (!sm2_plaintext_size(in, inlen, outlen)) - return -1; - else - return 1; -diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h -index 76ee80baff..50851a83ce 100644 ---- a/include/crypto/sm2.h -+++ b/include/crypto/sm2.h -@@ -60,8 +60,7 @@ int sm2_verify(const unsigned char *dgst, int dgstlen, - int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, - size_t *ct_size); - --int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, -- size_t *pt_size); -+int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size); - - int sm2_encrypt(const EC_KEY *key, - const EVP_MD *digest, -diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c -index 2bb73947ff..41827bb82f 100644 ---- a/test/sm2_internal_test.c -+++ b/test/sm2_internal_test.c -@@ -185,7 +185,7 @@ static int test_sm2_crypt(const EC_GROUP *group, - if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len)) - goto done; - -- if (!TEST_true(sm2_plaintext_size(key, digest, ctext_len, &ptext_len)) -+ if (!TEST_true(sm2_plaintext_size(ctext, ctext_len, &ptext_len)) - || !TEST_int_eq(ptext_len, msg_len)) - goto done; - diff --git a/third_party/patch/openssl/CVE-2021-3712.patch b/third_party/patch/openssl/CVE-2021-3712.patch deleted file mode 100644 index 1e07534d..00000000 --- a/third_party/patch/openssl/CVE-2021-3712.patch +++ /dev/null 
@@ -1,17 +0,0 @@ -diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c -index 7b7c75ce84..e497a25909 100644 ---- a/crypto/ec/ec_asn1.c -+++ b/crypto/ec/ec_asn1.c -@@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) - ret->seed_len = params->curve->seed->length; - } - -- if (!params->order || !params->base || !params->base->data) { -+ if (params->order == NULL -+ || params->base == NULL -+ || params->base->data == NULL -+ || params->base->length == 0) { - ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR); - goto err; - } - diff --git a/third_party/patch/openssl/CVE-2021-4160.patch b/third_party/patch/openssl/CVE-2021-4160.patch deleted file mode 100644 index c5773f5b..00000000 --- a/third_party/patch/openssl/CVE-2021-4160.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl -index 95cb227dc5..91b7aac6e7 100644 ---- a/crypto/bn/asm/mips.pl -+++ b/crypto/bn/asm/mips.pl -@@ -1986,6 +1986,8 @@ $code.=<<___; - sltu $at,$c_2,$t_1 - $ADDU $c_3,$t_2,$at - $ST $c_2,$BNSZ($a0) -+ sltu $at,$c_3,$t_2 -+ $ADDU $c_1,$at - mflo ($t_1,$a_2,$a_0) - mfhi ($t_2,$a_2,$a_0) - ___ -@@ -2196,6 +2198,8 @@ $code.=<<___; - sltu $at,$c_2,$t_1 - $ADDU $c_3,$t_2,$at - $ST $c_2,$BNSZ($a0) -+ sltu $at,$c_3,$t_2 -+ $ADDU $c_1,$at - mflo ($t_1,$a_2,$a_0) - mfhi ($t_2,$a_2,$a_0) - ___ -diff --git a/test/bntest.c b/test/bntest.c -index 87e5c4065b..fa9fc07cef 100644 ---- a/test/bntest.c -+++ b/test/bntest.c -@@ -630,6 +630,51 @@ static int test_modexp_mont5(void) - if (!TEST_BN_eq(c, d)) - goto err; - -+ /* -+ * Regression test for overflow bug in bn_sqr_comba4/8 for -+ * mips-linux-gnu and mipsel-linux-gnu 32bit targets. -+ */ -+ { -+ static const char *ehex[] = { -+ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee", -+ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5", -+ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a", -+ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985", -+ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1", -+ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680", -+ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e", -+ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465", -+ NULL}; -+ static const char *phex[] = { -+ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241", -+ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31", -+ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053", -+ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439", -+ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5", -+ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813", -+ 
"ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4", -+ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5", -+ NULL}; -+ static const char *mhex[] = { -+ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f", -+ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3", -+ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900", -+ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b", -+ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc", -+ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647", -+ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c", -+ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b", -+ NULL}; -+ -+ if (!TEST_true(parse_bigBN(&e, ehex)) -+ || !TEST_true(parse_bigBN(&p, phex)) -+ || !TEST_true(parse_bigBN(&m, mhex)) -+ || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL)) -+ || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx)) -+ || !TEST_BN_eq(a, d)) -+ goto err; -+ } -+ - /* Zero input */ - if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0))) - goto err; \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2022-0778.patch b/third_party/patch/openssl/CVE-2022-0778.patch deleted file mode 100644 index e384dac2..00000000 --- a/third_party/patch/openssl/CVE-2022-0778.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c -index 1723d5ded5..53b0f55985 100644 ---- a/crypto/bn/bn_sqrt.c -+++ b/crypto/bn/bn_sqrt.c -@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) - /* - * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks - * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number -- * Theory", algorithm 1.5.1). 'p' must be prime! -+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or -+ * an incorrect "result" will be returned. - */ - { - BIGNUM *ret = in; -@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) - goto vrfy; - } - -- /* find smallest i such that b^(2^i) = 1 */ -- i = 1; -- if (!BN_mod_sqr(t, b, p, ctx)) -- goto end; -- while (!BN_is_one(t)) { -- i++; -- if (i == e) { -- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); -- goto end; -+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ -+ for (i = 1; i < e; i++) { -+ if (i == 1) { -+ if (!BN_mod_sqr(t, b, p, ctx)) -+ goto end; -+ -+ } else { -+ if (!BN_mod_mul(t, t, t, p, ctx)) -+ goto end; - } -- if (!BN_mod_mul(t, t, t, p, ctx)) -- goto end; -+ if (BN_is_one(t)) -+ break; -+ } -+ /* If not found, a is not a square or p is not prime. */ -+ if (i >= e) { -+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); -+ goto end; - } - - /* t := y^2^(e - i - 1) */ \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2022-1292.patch b/third_party/patch/openssl/CVE-2022-1292.patch deleted file mode 100644 index d0716222..00000000 --- a/third_party/patch/openssl/CVE-2022-1292.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -diff --git a/tools/c_rehash.in b/tools/c_rehash.in -index fa7c6c9fef..83c1cc80e0 100644 ---- a/tools/c_rehash.in -+++ b/tools/c_rehash.in -@@ -152,6 +152,23 @@ sub check_file { - return ($is_cert, $is_crl); - } - -+sub compute_hash { -+ my $fh; -+ if ( $^O eq "VMS" ) { -+ # VMS uses the open through shell -+ # The file names are safe there and list form is unsupported -+ if (!open($fh, "-|", join(' ', @_))) { -+ print STDERR "Cannot compute hash on '$fname'\n"; -+ return; -+ } -+ } else { -+ if (!open($fh, "-|", @_)) { -+ print STDERR "Cannot compute hash on '$fname'\n"; -+ return; -+ } -+ } -+ return (<$fh>, <$fh>); -+} - - # Link a certificate to its subject name hash value, each hash is of - # the form . where n is an integer. If the hash value already exists -@@ -161,10 +178,12 @@ sub check_file { - - sub link_hash_cert { - my $fname = $_[0]; -- $fname =~ s/\"/\\\"/g; -- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; -+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, -+ "-fingerprint", "-noout", -+ "-in", $fname); - chomp $hash; - chomp $fprint; -+ return if !$hash; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; -@@ -202,10 +221,12 @@ sub link_hash_cert { - - sub link_hash_crl { - my $fname = $_[0]; -- $fname =~ s/'/'\\''/g; -- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; -+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, -+ "-fingerprint", "-noout", -+ "-in", $fname); - chomp $hash; - chomp $fprint; -+ return if !$hash; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2022-2068.patch b/third_party/patch/openssl/CVE-2022-2068.patch deleted file mode 100644 index fde78b92..00000000 --- a/third_party/patch/openssl/CVE-2022-2068.patch +++ /dev/null 
@@ -1,241 +0,0 @@ -diff --git a/tools/c_rehash.in b/tools/c_rehash.in -index cfd18f5da1..9d2a6f6db7 100644 ---- a/tools/c_rehash.in -+++ b/tools/c_rehash.in -@@ -104,52 +104,78 @@ foreach (@dirlist) { - } - exit($errorcount); - -+sub copy_file { -+ my ($src_fname, $dst_fname) = @_; -+ -+ if (open(my $in, "<", $src_fname)) { -+ if (open(my $out, ">", $dst_fname)) { -+ print $out $_ while (<$in>); -+ close $out; -+ } else { -+ warn "Cannot open $dst_fname for write, $!"; -+ } -+ close $in; -+ } else { -+ warn "Cannot open $src_fname for read, $!"; -+ } -+} -+ - sub hash_dir { -- my %hashlist; -- print "Doing $_[0]\n"; -- chdir $_[0]; -- opendir(DIR, "."); -- my @flist = sort readdir(DIR); -- closedir DIR; -- if ( $removelinks ) { -- # Delete any existing symbolic links -- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { -- if (-l $_) { -- print "unlink $_" if $verbose; -- unlink $_ || warn "Can't unlink $_, $!\n"; -- } -- } -- } -- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { -- # Check to see if certificates and/or CRLs present. -- my ($cert, $crl) = check_file($fname); -- if (!$cert && !$crl) { -- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; -- next; -- } -- link_hash_cert($fname) if ($cert); -- link_hash_crl($fname) if ($crl); -- } -+ my $dir = shift; -+ my %hashlist; -+ -+ print "Doing $dir\n"; -+ -+ if (!chdir $dir) { -+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n"; -+ return; -+ } -+ -+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n"; -+ my @flist = sort readdir(DIR); -+ closedir DIR; -+ if ( $removelinks ) { -+ # Delete any existing symbolic links -+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { -+ if (-l $_) { -+ print "unlink $_\n" if $verbose; -+ unlink $_ || warn "Can't unlink $_, $!\n"; -+ } -+ } -+ } -+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { -+ # Check to see if certificates and/or CRLs present. 
-+ my ($cert, $crl) = check_file($fname); -+ if (!$cert && !$crl) { -+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; -+ next; -+ } -+ link_hash_cert($fname) if ($cert); -+ link_hash_crl($fname) if ($crl); -+ } -+ -+ chdir $pwd; - } - - sub check_file { -- my ($is_cert, $is_crl) = (0,0); -- my $fname = $_[0]; -- open IN, $fname; -- while() { -- if (/^-----BEGIN (.*)-----/) { -- my $hdr = $1; -- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { -- $is_cert = 1; -- last if ($is_crl); -- } elsif ($hdr eq "X509 CRL") { -- $is_crl = 1; -- last if ($is_cert); -- } -- } -- } -- close IN; -- return ($is_cert, $is_crl); -+ my ($is_cert, $is_crl) = (0,0); -+ my $fname = $_[0]; -+ -+ open(my $in, "<", $fname); -+ while(<$in>) { -+ if (/^-----BEGIN (.*)-----/) { -+ my $hdr = $1; -+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { -+ $is_cert = 1; -+ last if ($is_crl); -+ } elsif ($hdr eq "X509 CRL") { -+ $is_crl = 1; -+ last if ($is_cert); -+ } -+ } -+ } -+ close $in; -+ return ($is_cert, $is_crl); - } - - sub compute_hash { -@@ -177,76 +203,48 @@ sub compute_hash { - # certificate fingerprints - - sub link_hash_cert { -- my $fname = $_[0]; -- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, -- "-fingerprint", "-noout", -- "-in", $fname); -- chomp $hash; -- chomp $fprint; -- return if !$hash; -- $fprint =~ s/^.*=//; -- $fprint =~ tr/://d; -- my $suffix = 0; -- # Search for an unused hash filename -- while(exists $hashlist{"$hash.$suffix"}) { -- # Hash matches: if fingerprint matches its a duplicate cert -- if ($hashlist{"$hash.$suffix"} eq $fprint) { -- print STDERR "WARNING: Skipping duplicate certificate $fname\n"; -- return; -- } -- $suffix++; -- } -- $hash .= ".$suffix"; -- if ($symlink_exists) { -- print "link $fname -> $hash\n" if $verbose; -- symlink $fname, $hash || warn "Can't symlink, $!"; -- } else { -- print "copy $fname -> $hash\n" if $verbose; -- if (open($in, "<", $fname)) { -- if (open($out,">", $hash)) { -- print 
$out $_ while (<$in>); -- close $out; -- } else { -- warn "can't open $hash for write, $!"; -- } -- close $in; -- } else { -- warn "can't open $fname for read, $!"; -- } -- } -- $hashlist{$hash} = $fprint; -+ link_hash($_[0], 'cert'); - } - - # Same as above except for a CRL. CRL links are of the form .r - - sub link_hash_crl { -- my $fname = $_[0]; -- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, -- "-fingerprint", "-noout", -- "-in", $fname); -- chomp $hash; -- chomp $fprint; -- return if !$hash; -- $fprint =~ s/^.*=//; -- $fprint =~ tr/://d; -- my $suffix = 0; -- # Search for an unused hash filename -- while(exists $hashlist{"$hash.r$suffix"}) { -- # Hash matches: if fingerprint matches its a duplicate cert -- if ($hashlist{"$hash.r$suffix"} eq $fprint) { -- print STDERR "WARNING: Skipping duplicate CRL $fname\n"; -- return; -- } -- $suffix++; -- } -- $hash .= ".r$suffix"; -- if ($symlink_exists) { -- print "link $fname -> $hash\n" if $verbose; -- symlink $fname, $hash || warn "Can't symlink, $!"; -- } else { -- print "cp $fname -> $hash\n" if $verbose; -- system ("cp", $fname, $hash); -- warn "Can't copy, $!" if ($? >> 8) != 0; -- } -- $hashlist{$hash} = $fprint; -+ link_hash($_[0], 'crl'); -+} -+ -+sub link_hash { -+ my ($fname, $type) = @_; -+ my $is_cert = $type eq 'cert'; -+ -+ my ($hash, $fprint) = compute_hash($openssl, -+ $is_cert ? "x509" : "crl", -+ $is_cert ? $x509hash : $crlhash, -+ "-fingerprint", "-noout", -+ "-in", $fname); -+ chomp $hash; -+ chomp $fprint; -+ return if !$hash; -+ $fprint =~ s/^.*=//; -+ $fprint =~ tr/://d; -+ my $suffix = 0; -+ # Search for an unused hash filename -+ my $crlmark = $is_cert ? "" : "r"; -+ while(exists $hashlist{"$hash.$crlmark$suffix"}) { -+ # Hash matches: if fingerprint matches its a duplicate cert -+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) { -+ my $what = $is_cert ? 
'certificate' : 'CRL'; -+ print STDERR "WARNING: Skipping duplicate $what $fname\n"; -+ return; -+ } -+ $suffix++; -+ } -+ $hash .= ".$crlmark$suffix"; -+ if ($symlink_exists) { -+ print "link $fname -> $hash\n" if $verbose; -+ symlink $fname, $hash || warn "Can't symlink, $!"; -+ } else { -+ print "copy $fname -> $hash\n" if $verbose; -+ copy_file($fname, $hash); -+ } -+ $hashlist{$hash} = $fprint; - } \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2022-2097.patch b/third_party/patch/openssl/CVE-2022-2097.patch deleted file mode 100644 index 0bc4a3ab..00000000 --- a/third_party/patch/openssl/CVE-2022-2097.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl -index fe2b26542a..812758e02e 100644 ---- a/crypto/aes/asm/aesni-x86.pl -+++ b/crypto/aes/asm/aesni-x86.pl -@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); - &movdqu (&QWP(-16*2,$out,$inp),$inout4); - &movdqu (&QWP(-16*1,$out,$inp),$inout5); - &cmp ($inp,$len); # done yet? -- &jb (&label("grandloop")); -+ &jbe (&label("grandloop")); - - &set_label("short"); - &add ($len,16*6); -@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); - &pxor ($rndkey1,$inout5); - &movdqu (&QWP(-16*1,$out,$inp),$inout5); - &cmp ($inp,$len); # done yet? -- &jb (&label("grandloop")); -+ &jbe (&label("grandloop")); - - &set_label("short"); - &add ($len,16*6); \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2022-4304.patch b/third_party/patch/openssl/CVE-2022-4304.patch deleted file mode 100644 index b898a507..00000000 --- a/third_party/patch/openssl/CVE-2022-4304.patch +++ /dev/null 
@@ -1,771 +0,0 @@ -diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c -index 76fc7ebcff..6e9d239321 100644 ---- a/crypto/bn/bn_blind.c -+++ b/crypto/bn/bn_blind.c -@@ -13,20 +13,6 @@ - - #define BN_BLINDING_COUNTER 32 - --struct bn_blinding_st { -- BIGNUM *A; -- BIGNUM *Ai; -- BIGNUM *e; -- BIGNUM *mod; /* just a reference */ -- CRYPTO_THREAD_ID tid; -- int counter; -- unsigned long flags; -- BN_MONT_CTX *m_ctx; -- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -- CRYPTO_RWLOCK *lock; --}; -- - BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) - { - BN_BLINDING *ret = NULL; -diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c -index dd87c152cf..3dd8d9a568 100644 ---- a/crypto/bn/bn_err.c -+++ b/crypto/bn/bn_err.c -@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = { - {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"}, - {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"}, - {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"}, -+ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0), -+ "ossl_bn_rsa_do_unblind"}, - {0, NULL} - }; - -diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h -index 62a969b134..4d8cb64675 100644 ---- a/crypto/bn/bn_local.h -+++ b/crypto/bn/bn_local.h -@@ -283,6 +283,20 @@ struct bn_gencb_st { - } cb; - }; - -+struct bn_blinding_st { -+ BIGNUM *A; -+ BIGNUM *Ai; -+ BIGNUM *e; -+ BIGNUM *mod; /* just a reference */ -+ CRYPTO_THREAD_ID tid; -+ int counter; -+ unsigned long flags; -+ BN_MONT_CTX *m_ctx; -+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -+ CRYPTO_RWLOCK *lock; -+}; -+ - /*- - * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions - * -diff --git a/crypto/bn/build.info b/crypto/bn/build.info -index b9ed5322fa..c9fe2fdada 100644 ---- a/crypto/bn/build.info -+++ b/crypto/bn/build.info -@@ -5,7 
+5,8 @@ SOURCE[../../libcrypto]=\ - bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \ - {- $target{bn_asm_src} -} \ - bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ -- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c -+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \ -+ rsa_sup_mul.c - - INCLUDE[bn_exp.o]=.. - -diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c -new file mode 100644 -index 0000000000..acafefd5fe ---- /dev/null -+++ b/crypto/bn/rsa_sup_mul.c -@@ -0,0 +1,614 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "internal/numbers.h" -+#include "internal/constant_time.h" -+#include "bn_local.h" -+ -+# if BN_BYTES == 8 -+typedef uint64_t limb_t; -+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 -+/* nonstandard; implemented by gcc on 64-bit platforms */ -+typedef __uint128_t limb2_t; -+# define HAVE_LIMB2_T -+# endif -+# define LIMB_BIT_SIZE 64 -+# define LIMB_BYTE_SIZE 8 -+# elif BN_BYTES == 4 -+typedef uint32_t limb_t; -+typedef uint64_t limb2_t; -+# define LIMB_BIT_SIZE 32 -+# define LIMB_BYTE_SIZE 4 -+# define HAVE_LIMB2_T -+# else -+# error "Not supported" -+# endif -+ -+/* -+ * For multiplication we're using schoolbook multiplication, -+ * so if we have two numbers, each with 6 "digits" (words) -+ * the multiplication is calculated as follows: -+ * A B C D E F -+ * x I J K L M N -+ * -------------- -+ * N*F -+ * N*E -+ * N*D -+ * N*C -+ * N*B -+ * N*A -+ * M*F -+ * M*E -+ * M*D -+ * M*C -+ * M*B -+ * M*A -+ * L*F -+ * L*E -+ * L*D -+ * L*C -+ * L*B -+ * L*A -+ * K*F -+ * K*E -+ * K*D -+ * K*C -+ * K*B -+ * K*A -+ * J*F -+ * J*E -+ * J*D -+ * J*C -+ * J*B -+ * J*A -+ * I*F -+ * I*E -+ * I*D -+ * I*C -+ * I*B -+ * + I*A -+ * ========================== -+ * N*B N*D N*F -+ * + N*A N*C N*E -+ * + M*B M*D M*F -+ * + M*A M*C M*E -+ * + L*B L*D L*F -+ * + L*A L*C L*E -+ * + K*B K*D K*F -+ * + K*A K*C K*E -+ * + J*B J*D J*F -+ * + J*A J*C J*E -+ * 
+ I*B I*D I*F -+ * + I*A I*C I*E -+ * -+ * 1+1 1+3 1+5 -+ * 1+0 1+2 1+4 -+ * 0+1 0+3 0+5 -+ * 0+0 0+2 0+4 -+ * -+ * 0 1 2 3 4 5 6 -+ * which requires n^2 multiplications and 2n full length additions -+ * as we can keep every other result of limb multiplication in two separate -+ * limbs -+ */ -+ -+#if defined HAVE_LIMB2_T -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb2_t t; -+ /* -+ * this is idiomatic code to tell compiler to use the native mul -+ * those three lines will actually compile to single instruction -+ */ -+ -+ t = (limb2_t)a * b; -+ *hi = t >> LIMB_BIT_SIZE; -+ *lo = (limb_t)t; -+} -+#elif (BN_BYTES == 8) && (defined _MSC_VER) -+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ -+#pragma intrinsic(_umul128) -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ *lo = _umul128(a, b, hi); -+} -+#else -+/* -+ * if the compiler doesn't have either a 128bit data type nor a "return -+ * high 64 bits of multiplication" -+ */ -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb_t a_low = (limb_t)(uint32_t)a; -+ limb_t a_hi = a >> 32; -+ limb_t b_low = (limb_t)(uint32_t)b; -+ limb_t b_hi = b >> 32; -+ -+ limb_t p0 = a_low * b_low; -+ limb_t p1 = a_low * b_hi; -+ limb_t p2 = a_hi * b_low; -+ limb_t p3 = a_hi * b_hi; -+ -+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); -+ -+ *lo = p0 + (p1 << 32) + (p2 << 32); -+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; -+} -+#endif -+ -+/* add two limbs with carry in, return carry out */ -+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) -+{ -+ limb_t carry1, carry2, t; -+ /* -+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers -+ * use add with carry on assembly level -+ */ -+ -+ *ret = a + carry; -+ if (*ret < a) -+ carry1 = 1; -+ else -+ carry1 = 0; -+ -+ t = *ret; -+ *ret = t + b; -+ if (*ret < t) -+ carry2 
= 1; -+ else -+ carry2 = 0; -+ -+ return carry1 + carry2; -+} -+ -+/* -+ * add two numbers of the same size, return overflow -+ * -+ * add a to b, place result in ret; all arrays need to be n limbs long -+ * return overflow from addition (0 or 1) -+ */ -+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t c = 0; -+ ossl_ssize_t i; -+ -+ for(i = n - 1; i > -1; i--) -+ c = _add_limb(&ret[i], a[i], b[i], c); -+ -+ return c; -+} -+ -+/* -+ * return number of limbs necessary for temporary values -+ * when multiplying numbers n limbs large -+ */ -+static ossl_inline size_t mul_limb_numb(size_t n) -+{ -+ return 2 * n * 2; -+} -+ -+/* -+ * multiply two numbers of the same size -+ * -+ * multiply a by b, place result in ret; a and b need to be n limbs long -+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs -+ * long -+ */ -+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) -+{ -+ limb_t *r_odd, *r_even; -+ size_t i, j, k; -+ -+ r_odd = tmp; -+ r_even = &tmp[2 * n]; -+ -+ memset(ret, 0, 2 * n * sizeof(limb_t)); -+ -+ for (i = 0; i < n; i++) { -+ for (k = 0; k < i + n + 1; k++) { -+ r_even[k] = 0; -+ r_odd[k] = 0; -+ } -+ for (j = 0; j < n; j++) { -+ /* -+ * place results from even and odd limbs in separate arrays so that -+ * we don't have to calculate overflow every time we get individual -+ * limb multiplication result -+ */ -+ if (j % 2 == 0) -+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); -+ else -+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); -+ } -+ /* -+ * skip the least significant limbs when adding multiples of -+ * more significant limbs (they're zero anyway) -+ */ -+ add(ret, ret, r_even, n + i + 1); -+ add(ret, ret, r_odd, n + i + 1); -+ } -+} -+ -+/* modifies the value in place by performing a right shift by one bit */ -+static ossl_inline void rshift1(limb_t *val, size_t n) -+{ -+ limb_t shift_in = 0, shift_out = 0; -+ size_t i; -+ -+ for (i = 0; 
i < n; i++) { -+ shift_out = val[i] & 1; -+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); -+ shift_in = shift_out; -+ } -+} -+ -+/* extend the LSB of flag to all bits of limb */ -+static ossl_inline limb_t mk_mask(limb_t flag) -+{ -+ flag |= flag << 1; -+ flag |= flag << 2; -+ flag |= flag << 4; -+ flag |= flag << 8; -+ flag |= flag << 16; -+#if (LIMB_BYTE_SIZE == 8) -+ flag |= flag << 32; -+#endif -+ return flag; -+} -+ -+/* -+ * copy from either a or b to ret based on flag -+ * when flag == 0, then copies from b -+ * when flag == 1, then copies from a -+ */ -+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ /* -+ * would be more efficient with non volatile mask, but then gcc -+ * generates code with jumps -+ */ -+ volatile limb_t mask; -+ size_t i; -+ -+ mask = mk_mask(flag); -+ for (i = 0; i < n; i++) { -+#if (LIMB_BYTE_SIZE == 8) -+ ret[i] = constant_time_select_64(mask, a[i], b[i]); -+#else -+ ret[i] = constant_time_select_32(mask, a[i], b[i]); -+#endif -+ } -+} -+ -+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) -+{ -+ limb_t borrow1, borrow2, t; -+ /* -+ * while it doesn't look constant-time, this is idiomatic code -+ * to tell compilers to use the carry bit from subtraction -+ */ -+ -+ *ret = a - borrow; -+ if (*ret > a) -+ borrow1 = 1; -+ else -+ borrow1 = 0; -+ -+ t = *ret; -+ *ret = t - b; -+ if (*ret > t) -+ borrow2 = 1; -+ else -+ borrow2 = 0; -+ -+ return borrow1 + borrow2; -+} -+ -+/* -+ * place the result of a - b into ret, return the borrow bit. 
-+ * All arrays need to be n limbs long -+ */ -+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t borrow = 0; -+ ossl_ssize_t i; -+ -+ for (i = n - 1; i > -1; i--) -+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow); -+ -+ return borrow; -+} -+ -+/* return the number of limbs necessary to allocate for the mod() tmp operand */ -+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) -+{ -+ return (anum + modnum) * 3; -+} -+ -+/* -+ * calculate a % mod, place the result in ret -+ * size of a is defined by anum, size of ret and mod is modnum, -+ * size of tmp is returned by mod_limb_numb() -+ */ -+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, -+ size_t modnum, limb_t *tmp) -+{ -+ limb_t *atmp, *modtmp, *rettmp; -+ limb_t res; -+ size_t i; -+ -+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); -+ -+ atmp = tmp; -+ modtmp = &tmp[anum + modnum]; -+ rettmp = &tmp[(anum + modnum) * 2]; -+ -+ for (i = modnum; i 0; i--, rp--) { -+ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2); -+ v = v + carry + rp[-1]; -+ carry |= (v != rp[-1]); -+ carry &= (v <= rp[-1]); -+ rp[-1] = v; -+ } -+ -+ /* perform the final reduction by mod... 
*/ -+ carry -= sub(ret, rp, mod, modnum); -+ -+ /* ...conditionally */ -+ cselect(carry, ret, rp, ret, modnum); -+} -+ -+/* allocated buffer should be freed afterwards */ -+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) -+{ -+ int i; -+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ limb_t *ptr = buf + (limbs - real_limbs); -+ -+ for (i = 0; i < real_limbs; i++) -+ ptr[i] = bn->d[real_limbs - i - 1]; -+} -+ -+#if LIMB_BYTE_SIZE == 8 -+static ossl_inline uint64_t be64(uint64_t host) -+{ -+ const union { -+ long one; -+ char little; -+ } is_endian = { 1 }; -+ -+ if (is_endian.little) { -+ uint64_t big = 0; -+ -+ big |= (host & 0xff00000000000000) >> 56; -+ big |= (host & 0x00ff000000000000) >> 40; -+ big |= (host & 0x0000ff0000000000) >> 24; -+ big |= (host & 0x000000ff00000000) >> 8; -+ big |= (host & 0x00000000ff000000) << 8; -+ big |= (host & 0x0000000000ff0000) << 24; -+ big |= (host & 0x000000000000ff00) << 40; -+ big |= (host & 0x00000000000000ff) << 56; -+ return big; -+ } else { -+ return host; -+ } -+} -+ -+#else -+/* Not all platforms have htobe32(). */ -+static ossl_inline uint32_t be32(uint32_t host) -+{ -+ const union { -+ long one; -+ char little; -+ } is_endian = { 1 }; -+ -+ if (is_endian.little) { -+ uint32_t big = 0; -+ -+ big |= (host & 0xff000000) >> 24; -+ big |= (host & 0x00ff0000) >> 8; -+ big |= (host & 0x0000ff00) << 8; -+ big |= (host & 0x000000ff) << 24; -+ return big; -+ } else { -+ return host; -+ } -+} -+#endif -+ -+/* -+ * We assume that intermediate, possible_arg2, blinding, and ctx are used -+ * similar to BN_BLINDING_invert_ex() arguments. -+ * to_mod is RSA modulus. -+ * buf and num is the serialization buffer and its length. -+ * -+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished -+ * we serialize the new structure instead of BIGNUMs taking endianness into account. 
-+ */ -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num) -+{ -+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; -+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; -+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; -+ size_t l_tmp_count = 0; -+ int ret = 0; -+ size_t i; -+ unsigned char *tmp; -+ const BIGNUM *arg1 = intermediate; -+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; -+ -+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ -+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; -+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); -+ -+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) -+ goto err; -+ -+ BN_to_limb(arg1, l_im, l_size); -+ BN_to_limb(arg2, l_mul, l_size); -+ BN_to_limb(to_mod, l_mod, l_mod_count); -+ -+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); -+ -+ if (blinding->m_ctx != NULL) { -+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? -+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } else { -+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? 
-+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } -+ -+ if ((l_ret == NULL) || (l_tmp == NULL)) -+ goto err; -+ -+ if (blinding->m_ctx != NULL) { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, -+ blinding->m_ctx->n0[0], l_tmp); -+ } else { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); -+ } -+ -+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ -+ if (num < BN_num_bytes(to_mod)) { -+ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT); -+ goto err; -+ } -+ -+ memset(buf, 0, num); -+ tmp = buf + num - BN_num_bytes(to_mod); -+ for (i = 0; i < l_mod_count; i++) { -+#if LIMB_BYTE_SIZE == 8 -+ l_buf = be64(l_ret[i]); -+#else -+ l_buf = be32(l_ret[i]); -+#endif -+ if (i == 0) { -+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); -+ -+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); -+ tmp += delta; -+ } else { -+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); -+ tmp += LIMB_BYTE_SIZE; -+ } -+ } -+ ret = num; -+ -+ err: -+ OPENSSL_free(l_im); -+ OPENSSL_free(l_mul); -+ OPENSSL_free(l_mod); -+ OPENSSL_free(l_tmp); -+ OPENSSL_free(l_ret); -+ -+ return ret; -+} -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index 9f91a4a811..ba3a46d5b9 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -1,4 +1,4 @@ --# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. - # - # Licensed under the OpenSSL license (the "License"). You may not use - # this file except in compliance with the License. 
You can obtain a copy -@@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift - BN_F_BN_SET_WORDS:144:bn_set_words - BN_F_BN_STACK_PUSH:148:BN_STACK_push - BN_F_BN_USUB:115:BN_usub -+BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind - BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow - BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean - BUF_F_BUF_MEM_NEW:101:BUF_MEM_new -diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c -index b52a66f6a6..6c3c0cf78d 100644 ---- a/crypto/rsa/rsa_ossl.c -+++ b/crypto/rsa/rsa_ossl.c -@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BN_free(d); - } - -- if (blinding) -- if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) -+ if (blinding) { -+ /* -+ * ossl_bn_rsa_do_unblind() combines blinding inversion and -+ * 0-padded BN BE serialization -+ */ -+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, -+ buf, num); -+ if (j == 0) - goto err; -- -- j = BN_bn2binpad(ret, buf, num); -+ } else { -+ j = BN_bn2binpad(ret, buf, num); -+ if (j < 0) -+ goto err; -+ } - - switch (padding) { - case RSA_PKCS1_PADDING: -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index 60afda1dad..b5f36fb25a 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, - const BIGNUM *d, BN_CTX *ctx); -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num); - - #endif -diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h -index 9f3c7cfaab..a0752cea52 100644 ---- a/include/openssl/bnerr.h -+++ b/include/openssl/bnerr.h -@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void); - # define BN_F_BN_SET_WORDS 144 - # define BN_F_BN_STACK_PUSH 148 - # define BN_F_BN_USUB 
115 -+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 - - /* - * BN reason codes. \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2022-4450.patch b/third_party/patch/openssl/CVE-2022-4450.patch deleted file mode 100644 index 3364ea75..00000000 --- a/third_party/patch/openssl/CVE-2022-4450.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c -index d416d939ea..328c30cdbb 100644 ---- a/crypto/pem/pem_lib.c -+++ b/crypto/pem/pem_lib.c -@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, - *data = pem_malloc(len, flags); - if (*header == NULL || *data == NULL) { - pem_free(*header, flags, 0); -+ *header = NULL; - pem_free(*data, flags, 0); -+ *data = NULL; - goto end; - } - BIO_read(headerB, *header, headerlen); \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2023-0215.patch b/third_party/patch/openssl/CVE-2023-0215.patch deleted file mode 100644 index 26b5cde0..00000000 --- a/third_party/patch/openssl/CVE-2023-0215.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c -index 760e4846a4..f8d4b1b9aa 100644 ---- a/crypto/asn1/bio_ndef.c -+++ b/crypto/asn1/bio_ndef.c -@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); - static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, - void *parg); - -+/* -+ * On success, the returned BIO owns the input BIO as part of its BIO chain. -+ * On failure, NULL is returned and the input BIO is owned by the caller. -+ * -+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() -+ */ - BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - { - NDEF_SUPPORT *ndef_aux = NULL; - BIO *asn_bio = NULL; - const ASN1_AUX *aux = it->funcs; - ASN1_STREAM_ARG sarg; -+ BIO *pop_bio = NULL; - - if (!aux || !aux->asn1_cb) { - ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED); -@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - out = BIO_push(asn_bio, out); - if (out == NULL) - goto err; -+ pop_bio = asn_bio; - -- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); -- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); -+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 -+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 -+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) -+ goto err; - - /* -- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure -- * needs. -+ * Now let the callback prepend any digest, cipher, etc., that the BIO's -+ * ASN1 structure needs. - */ - - sarg.out = out; - sarg.ndef_bio = NULL; - sarg.boundary = NULL; - -- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) -+ /* -+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the -+ * middle of some partially built, but not returned BIO chain. 
-+ */ -+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { -+ /* -+ * ndef_aux is now owned by asn_bio so we must not free it in the err -+ * clean up block -+ */ -+ ndef_aux = NULL; - goto err; -+ } -+ -+ /* -+ * We must not fail now because the callback has prepended additional -+ * BIOs to the chain -+ */ - - ndef_aux->val = val; - ndef_aux->it = it; -@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - ndef_aux->boundary = sarg.boundary; - ndef_aux->out = out; - -- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); -- - return sarg.ndef_bio; - - err: -+ /* BIO_pop() is NULL safe */ -+ (void)BIO_pop(pop_bio); - BIO_free(asn_bio); - OPENSSL_free(ndef_aux); - return NULL; -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 5dc6a3aebe..ec11bfc253 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -13,7 +13,7 @@ use warnings; - use POSIX; - use File::Spec::Functions qw/catfile/; - use File::Compare qw/compare_text/; --use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; -+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/; - use OpenSSL::Test::Utils; - - setup("test_cms"); -@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt"); - my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) - = disabled qw/des dh dsa ec ec2m rc2 zlib/; - --plan tests => 6; -+plan tests => 7; - - my @smime_pkcs7_tests = ( - -@@ -584,3 +584,14 @@ sub check_availability { - - return ""; - } -+ -+# Check that we get the expected failure return code -+with({ exit_checker => sub { return shift == 6; } }, -+ sub { -+ ok(run(app(['openssl', 'cms', '-encrypt', -+ '-in', srctop_file("test", "smcont.txt"), -+ '-stream', '-recip', -+ srctop_file("test/smime-certs", "badrsa.pem"), -+ ])), -+ "Check failure during BIO setup with -stream is handled correctly"); -+ }); -diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem -new file mode 100644 -index 
0000000000..f824fc2267 ---- /dev/null -+++ b/test/smime-certs/badrsa.pem -@@ -0,0 +1,18 @@ -+-----BEGIN CERTIFICATE----- -+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD -+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY -+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN -+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw -+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A -+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s -+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 -+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB -+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww -+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm -+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW -+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt -+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d -+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv -+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ -+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= -+-----END CERTIFICATE----- \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2023-0286.patch b/third_party/patch/openssl/CVE-2023-0286.patch deleted file mode 100644 index c3915edf..00000000 --- a/third_party/patch/openssl/CVE-2023-0286.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c -index 87a5eff47c..e54ddc55c9 100644 ---- a/crypto/x509v3/v3_genn.c -+++ b/crypto/x509v3/v3_genn.c -@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) - return -1; - switch (a->type) { - case GEN_X400: -- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); -+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); - break; - - case GEN_EDIPARTY: -diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h -index 90fa3592ce..e61c0f29d4 100644 ---- a/include/openssl/x509v3.h -+++ b/include/openssl/x509v3.h -@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st { - OTHERNAME *otherName; /* otherName */ - ASN1_IA5STRING *rfc822Name; - ASN1_IA5STRING *dNSName; -- ASN1_TYPE *x400Address; -+ ASN1_STRING *x400Address; - X509_NAME *directoryName; - EDIPARTYNAME *ediPartyName; - ASN1_IA5STRING *uniformResourceIdentifier; -diff --git a/test/v3nametest.c b/test/v3nametest.c -index d1852190b8..37819da8fd 100644 ---- a/test/v3nametest.c -+++ b/test/v3nametest.c -@@ -646,6 +646,14 @@ static struct gennamedata { - 0xb7, 0x09, 0x02, 0x02 - }, - 15 -+ }, { -+ /* -+ * Regression test for CVE-2023-0286. -+ */ -+ { -+ 0xa3, 0x00 -+ }, -+ 2 - } - }; diff --git a/third_party/patch/openssl/CVE-2023-0464.patch b/third_party/patch/openssl/CVE-2023-0464.patch deleted file mode 100644 index f87f8f58..00000000 --- a/third_party/patch/openssl/CVE-2023-0464.patch +++ /dev/null 
@@ -1,222 +0,0 @@ -From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001 -From: Pauli -Date: Wed, 8 Mar 2023 15:28:20 +1100 -Subject: [PATCH] x509: excessive resource use verifying policy constraints - -A security vulnerability has been identified in all supported versions -of OpenSSL related to the verification of X.509 certificate chains -that include policy constraints. Attackers may be able to exploit this -vulnerability by creating a malicious certificate chain that triggers -exponential use of computational resources, leading to a denial-of-service -(DoS) attack on affected systems. - -Fixes CVE-2023-0464 - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -(Merged from https://github.com/openssl/openssl/pull/20569) ---- - crypto/x509v3/pcy_local.h | 8 +++++++- - crypto/x509v3/pcy_node.c | 12 +++++++++--- - crypto/x509v3/pcy_tree.c | 37 +++++++++++++++++++++++++++---------- - 3 files changed, 43 insertions(+), 14 deletions(-) - -diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h -index 5daf78de45..344aa06765 100644 ---- a/crypto/x509v3/pcy_local.h -+++ b/crypto/x509v3/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+ /* The number of nodes in the tree */ -+ size_t node_count; -+ /* The maximum number of nodes in the tree */ -+ size_t node_maximum; -+ - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; -@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree); -+ X509_POLICY_TREE *tree, -+ int extra_data); - void policy_node_free(X509_POLICY_NODE *node); - int policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); -diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c -index e2d7b15322..d574fb9d66 100644 ---- 
a/crypto/x509v3/pcy_node.c -+++ b/crypto/x509v3/pcy_node.c -@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, - X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree) -+ X509_POLICY_TREE *tree, -+ int extra_data) - { - X509_POLICY_NODE *node; - -+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ -+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) -+ return NULL; -+ - node = OPENSSL_zalloc(sizeof(*node)); - if (node == NULL) { - X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); -@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - node->data = data; - node->parent = parent; -- if (level) { -+ if (level != NULL) { - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { - if (level->anyPolicy) - goto node_error; -@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - } - -- if (tree) { -+ if (extra_data) { - if (tree->extra_data == NULL) - tree->extra_data = sk_X509_POLICY_DATA_new_null(); - if (tree->extra_data == NULL){ -@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - } - -+ tree->node_count++; - if (parent) - parent->nchild++; - -diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c -index 6e8322cbc5..6c7fd35405 100644 ---- a/crypto/x509v3/pcy_tree.c -+++ b/crypto/x509v3/pcy_tree.c -@@ -13,6 +13,18 @@ - - #include "pcy_local.h" - -+/* -+ * If the maximum number of nodes in the policy tree isn't defined, set it to -+ * a generous default of 1000 nodes. -+ * -+ * Defining this to be zero means unlimited policy tree growth which opens the -+ * door on CVE-2023-0464. -+ */ -+ -+#ifndef OPENSSL_POLICY_TREE_NODES_MAX -+# define OPENSSL_POLICY_TREE_NODES_MAX 1000 -+#endif -+ - /* - * Enable this to print out the complete policy tree at various point during - * evaluation. 
-@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - return X509_PCY_TREE_INTERNAL; - } - -+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ -+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; -+ - /* - * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. - * -@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - level = tree->levels; - if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL) - goto bad_tree; -- if (level_add_node(level, data, NULL, tree) == NULL) { -+ if (level_add_node(level, data, NULL, tree, 1) == NULL) { - policy_data_free(data); - goto bad_tree; - } -@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - * Return value: 1 on success, 0 otherwise - */ - static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, -- X509_POLICY_DATA *data) -+ X509_POLICY_DATA *data, -+ X509_POLICY_TREE *tree) - { - X509_POLICY_LEVEL *last = curr - 1; - int i, matched = 0; -@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); - - if (policy_node_match(last, node, data->valid_policy)) { -- if (level_add_node(curr, data, node, NULL) == NULL) -+ if (level_add_node(curr, data, node, tree, 0) == NULL) - return 0; - matched = 1; - } - } - if (!matched && last->anyPolicy) { -- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL) -+ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) - return 0; - } - return 1; -@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - * Return value: 1 on success, 0 otherwise. 
- */ - static int tree_link_nodes(X509_POLICY_LEVEL *curr, -- const X509_POLICY_CACHE *cache) -+ const X509_POLICY_CACHE *cache, -+ X509_POLICY_TREE *tree) - { - int i; - -@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); - - /* Look for matching nodes in previous level */ -- if (!tree_link_matching_nodes(curr, data)) -+ if (!tree_link_matching_nodes(curr, data, tree)) - return 0; - } - return 1; -@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; -- if (level_add_node(curr, data, node, tree) == NULL) { -+ if (level_add_node(curr, data, node, tree, 1) == NULL) { - policy_data_free(data); - return 0; - } -@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, - } - /* Finally add link to anyPolicy */ - if (last->anyPolicy && -- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL) -+ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL) - return 0; - return 1; - } -@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, - extra->qualifier_set = anyPolicy->data->qualifier_set; - extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS - | POLICY_DATA_FLAG_EXTRA_NODE; -- node = level_add_node(NULL, extra, anyPolicy->parent, tree); -+ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1); - } - if (!tree->user_policies) { - tree->user_policies = sk_X509_POLICY_NODE_new_null(); -@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) - - for (i = 1; i < tree->nlevel; i++, curr++) { - cache = policy_cache_set(curr->cert); -- if (!tree_link_nodes(curr, cache)) -+ if (!tree_link_nodes(curr, cache, tree)) - return X509_PCY_TREE_INTERNAL; - - if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) --- -2.34.1 - 
diff --git a/third_party/patch/openssl/CVE-2023-0465.patch b/third_party/patch/openssl/CVE-2023-0465.patch deleted file mode 100644 index 441e1d7b..00000000 --- a/third_party/patch/openssl/CVE-2023-0465.patch +++ /dev/null @@ -1,54 +0,0 @@ -From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 7 Mar 2023 16:52:55 +0000 -Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf - certs - -Even though we check the leaf cert to confirm it is valid, we -later ignored the invalid flag and did not notice that the leaf -cert was bad. - -Fixes: CVE-2023-0465 - -Reviewed-by: Hugo Landau -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/20588) ---- - crypto/x509/x509_vfy.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 925fbb5412..1dfe4f9f31 100644 ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx) - } - /* Invalid or inconsistent extensions */ - if (ret == X509_PCY_TREE_INVALID) { -- int i; -+ int i, cbcalled = 0; - - /* Locate certificates with bad extensions and notify callback. */ -- for (i = 1; i < sk_X509_num(ctx->chain); i++) { -+ for (i = 0; i < sk_X509_num(ctx->chain); i++) { - X509 *x = sk_X509_value(ctx->chain, i); - - if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) - continue; -+ cbcalled = 1; - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_INVALID_POLICY_EXTENSION)) - return 0; - } -+ if (!cbcalled) { -+ /* Should not be able to get here */ -+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ /* The callback ignored the error so we return success */ - return 1; - } - if (ret == X509_PCY_TREE_FAILURE) { --- -2.34.1 - diff --git a/third_party/patch/openssl/CVE-2023-0466.patch b/third_party/patch/openssl/CVE-2023-0466.patch deleted file mode 100644 index 81de1dcf..00000000 
--- a/third_party/patch/openssl/CVE-2023-0466.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod -index f6f304bf7b..aa292f9336 100644 ---- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod -+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod -@@ -92,8 +92,9 @@ B. - X509_VERIFY_PARAM_set_time() sets the verification time in B to - B. Normally the current time is used. - --X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled --by default) and adds B to the acceptable policy set. -+X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. -+Contrary to preexisting documentation of this function it does not enable -+policy checking. - - X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled - by default) and sets the acceptable policy set to B. Any existing -@@ -377,6 +378,10 @@ and has no effect. - - The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. - -+The function X509_VERIFY_PARAM_add0_policy() was historically documented as -+enabling policy checking however the implementation has never done this. -+The documentation was changed to align with the implementation. -+ - =head1 COPYRIGHT - - Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/third_party/patch/openssl/CVE-2023-2650.patch b/third_party/patch/openssl/CVE-2023-2650.patch deleted file mode 100644 index aef8f9ea..00000000 --- a/third_party/patch/openssl/CVE-2023-2650.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 9e209944b35cf82368071f160a744b6178f9b098 Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Fri, 12 May 2023 10:00:13 +0200 -Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will - translate - -OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical -numeric text form. For gigantic sub-identifiers, this would take a very -long time, the time complexity being O(n^2) where n is the size of that -sub-identifier. - -To mitigate this, a restriction on the size that OBJ_obj2txt() will -translate to canonical numeric text form is added, based on RFC 2578 -(STD 58), which says this: - -> 3.5. OBJECT IDENTIFIER values -> -> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers. -> For the SMIv2, each number in the list is referred to as a sub-identifier, -> there are at most 128 sub-identifiers in a value, and each sub-identifier -> has a maximum value of 2^32-1 (4294967295 decimal). - -Fixes otc/security#96 -Fixes CVE-2023-2650 - -Reviewed-by: Matt Caswell -Reviewed-by: Tomas Mraz ---- - crypto/objects/obj_dat.c | 19 +++++++++++++++++++ - -diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c -index 7e8de727f3..d699915b20 100644 ---- a/crypto/objects/obj_dat.c -+++ b/crypto/objects/obj_dat.c -@@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) - first = 1; - bl = NULL; - -+ /* -+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: -+ * -+ * > 3.5. OBJECT IDENTIFIER values -+ * > -+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative -+ * > numbers. For the SMIv2, each number in the list is referred to as a -+ * > sub-identifier, there are at most 128 sub-identifiers in a value, -+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 -+ * > decimal). -+ * -+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7), -+ * i.e. 586 bytes long. 
-+ * -+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 -+ */ -+ if (len > 586) -+ goto err; -+ - while (len > 0) { - l = 0; - use_bn = 0; --- -2.34.1 - diff --git a/third_party/patch/openssl/CVE-2023-3446.patch b/third_party/patch/openssl/CVE-2023-3446.patch deleted file mode 100644 index 6804e674..00000000 --- a/third_party/patch/openssl/CVE-2023-3446.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Thu, 6 Jul 2023 16:36:35 +0100 -Subject: [PATCH] Fix DH_check() excessive time with over sized modulus - -The DH_check() function checks numerous aspects of the key or parameters -that have been supplied. Some of those checks use the supplied modulus -value even if it is excessively large. - -There is already a maximum DH modulus size (10,000 bits) over which -OpenSSL will not generate or derive keys. DH_check() will however still -perform various tests for validity on such a large modulus. We introduce a -new maximum (32,768) over which DH_check() will just fail. - -An application that calls DH_check() and supplies a key or parameters -obtained from an untrusted source could be vulnerable to a Denial of -Service attack. - -The function DH_check() is itself called by a number of other OpenSSL -functions. An application calling any of those other functions may -similarly be affected. The other functions affected by this are -DH_check_ex() and EVP_PKEY_param_check(). 
- -CVE-2023-3446 - -Reviewed-by: Paul Dale -Reviewed-by: Tom Cosgrove -Reviewed-by: Bernd Edlinger -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/21452) ---- - crypto/dh/dh_check.c | 6 ++++++ - crypto/dh/dh_err.c | 3 ++- - crypto/err/openssl.txt | 1 + - include/openssl/dh.h | 3 +++ - include/openssl/dherr.h | 3 ++- - 5 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 4ac169e75c..e5f9dd5030 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret) - BN_CTX *ctx = NULL; - BIGNUM *t1 = NULL, *t2 = NULL; - -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - if (!DH_check_params(dh, ret)) - return 0; - -diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c -index 7285587b4a..92800d3fcc 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy -@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = { - {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0), - "dh_builtin_genparams"}, -+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"}, -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index 9f91a4a811..c0a3cd720b 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version - DH_F_COMPUTE_KEY:102:compute_key - DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp - DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams -+DH_F_DH_CHECK:126:DH_check - DH_F_DH_CHECK_EX:121:DH_check_ex - DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex - DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 3527540cdd..892e31559d 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -29,6 +29,9 @@ extern "C" { - # ifndef OPENSSL_DH_MAX_MODULUS_BITS - # define OPENSSL_DH_MAX_MODULUS_BITS 10000 - # endif -+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS -+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 -+# endif - - # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 - -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 916b3bed0b..528c819856 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy -@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void); - # define DH_F_COMPUTE_KEY 102 - # define DH_F_DHPARAMS_PRINT_FP 101 - # define DH_F_DH_BUILTIN_GENPARAMS 106 -+# define DH_F_DH_CHECK 126 - # define DH_F_DH_CHECK_EX 121 - # define DH_F_DH_CHECK_PARAMS_EX 122 - # define DH_F_DH_CHECK_PUB_KEY_EX 123 --- -2.34.1 - diff --git a/third_party/patch/openssl/CVE-2023-3817.patch b/third_party/patch/openssl/CVE-2023-3817.patch deleted file mode 100644 index 9d6ab499..00000000 --- a/third_party/patch/openssl/CVE-2023-3817.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 21 Jul 2023 11:39:41 +0200 -Subject: [PATCH] DH_check(): Do not try checking q properties if it is - obviously invalid - -If |q| >= |p| then the q value is obviously wrong as q -is supposed to be a prime divisor of p-1. - -We check if p is overly large so this added test implies that -q is not large either when performing subsequent tests using that -q value. - -Otherwise if it is too large these additional checks of the q value -such as the primality test can then trigger DoS by doing overly long -computations. - -Fixes CVE-2023-3817 - -Reviewed-by: Paul Dale -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/21551) ---- - crypto/dh/dh_check.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 2001d2e7cb..9ae96991eb 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -97,7 +97,7 @@ int DH_check_ex(const DH *dh) - - int DH_check(const DH *dh, int *ret) - { -- int ok = 0, r; -+ int ok = 0, r, q_good = 0; - BN_CTX *ctx = NULL; - BIGNUM *t1 = NULL, *t2 = NULL; - -@@ -120,7 +120,14 @@ int DH_check(const DH *dh, int *ret) - if (t2 == NULL) - goto err; - -- if (dh->q) { -+ if (dh->q != NULL) { -+ if (BN_ucmp(dh->p, dh->q) > 0) -+ q_good = 1; -+ else -+ *ret |= DH_CHECK_INVALID_Q_VALUE; -+ } -+ -+ if (q_good) { - if (BN_cmp(dh->g, BN_value_one()) <= 0) - *ret |= DH_NOT_SUITABLE_GENERATOR; - else if (BN_cmp(dh->g, dh->p) >= 0) --- -2.34.1 \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2023-4807.patch b/third_party/patch/openssl/CVE-2023-4807.patch deleted file mode 100644 index 8e5791cd..00000000 --- a/third_party/patch/openssl/CVE-2023-4807.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From a632d534c73eeb3e3db8c7540d811194ef7c79ff Mon Sep 17 00:00:00 2001 -From: Bernd Edlinger -Date: Tue, 22 Aug 2023 16:07:30 +0200 -Subject: [PATCH] Avoid clobbering non-volatile XMM registers - -This affects some Poly1305 assembler functions -which are only used for certain CPU types. - -Remove those functions for Windows targets, -as a simple interim solution. - -Fixes #21522 - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/21808) - -(cherry picked from commit 7b8e27bc2e02238986d89ef0ece067ec1b48e165) ---- - crypto/poly1305/asm/poly1305-x86_64.pl | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl -index 5f834d8faf..801455c639 100755 ---- a/crypto/poly1305/asm/poly1305-x86_64.pl -+++ b/crypto/poly1305/asm/poly1305-x86_64.pl -@@ -193,7 +193,7 @@ $code.=<<___ if ($avx>1); - bt \$`5+32`,%r9 # AVX2? - cmovc %rax,%r10 - ___ --$code.=<<___ if ($avx>3); -+$code.=<<___ if ($avx>3 && !$win64); - mov \$`(1<<31|1<<21|1<<16)`,%rax - shr \$32,%r9 - and %rax,%r9 -@@ -2722,7 +2722,7 @@ $code.=<<___; - .cfi_endproc - .size poly1305_blocks_avx512,.-poly1305_blocks_avx512 - ___ --if ($avx>3) { -+if ($avx>3 && !$win64) { - ######################################################################## - # VPMADD52 version using 2^44 radix. - # --- -2.34.1 - diff --git a/third_party/patch/openssl/CVE-2023-5678.patch b/third_party/patch/openssl/CVE-2023-5678.patch deleted file mode 100644 index 02f8761e..00000000 --- a/third_party/patch/openssl/CVE-2023-5678.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 4ac169e..9cb4482 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -184,6 +184,20 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) - BN_CTX *ctx = NULL; - - *ret = 0; -+ -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ DHerr(DH_F_DH_CHECK_EX, DH_R_MODULUS_TOO_LARGE); -+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; -+ return 0; -+ } -+ -+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) { -+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; -+ return 1; -+ } -+ -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; -diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c -index 7285587..85f1e51 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -81,6 +81,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 117f2fa..b4c789d 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -109,6 +109,12 @@ static int generate_key(DH *dh) - BN_MONT_CTX *mont = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+ if (dh->q != NULL -+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE); -+ return 0; -+ } -+ - if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { - DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); - return 0; -@@ -202,6 +208,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - int ret = -1; - int 
check_result; - -+ if (dh->q != NULL -+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE); -+ goto err; -+ } -+ - if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { - DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); - goto err; -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index 7e17763..405c116 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -2100,6 +2100,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set - DH_R_NO_PRIVATE_VALUE:100:no private value - DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error - DH_R_PEER_KEY_ERROR:111:peer key error -+DH_R_Q_TOO_LARGE:130:q too large - DH_R_SHARED_INFO_ERROR:113:shared info error - DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator - DSA_R_BAD_Q_VALUE:102:bad q value -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 3527540..a50ad96 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -68,14 +68,15 @@ DECLARE_ASN1_ITEM(DHparams) - /* #define DH_GENERATOR_3 3 */ - # define DH_GENERATOR_5 5 - --/* DH_check error codes */ -+/* DH_check error codes, some of them shared with DH_check_pub_key */ - # define DH_CHECK_P_NOT_PRIME 0x01 - # define DH_CHECK_P_NOT_SAFE_PRIME 0x02 - # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 - # define DH_NOT_SUITABLE_GENERATOR 0x08 - # define DH_CHECK_Q_NOT_PRIME 0x10 --# define DH_CHECK_INVALID_Q_VALUE 0x20 -+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ - # define DH_CHECK_INVALID_J_VALUE 0x40 -+# define DH_MODULUS_TOO_LARGE 0x100 - - /* DH_check_pub_key error codes */ - # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 916b3be..88c3a6c 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -81,6 +81,7 @@ int ERR_load_DH_strings(void); - # define DH_R_NO_PRIVATE_VALUE 100 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 -+# define 
DH_R_Q_TOO_LARGE 130 - # define DH_R_SHARED_INFO_ERROR 113 - # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - diff --git a/third_party/patch/openssl/CVE-2024-0727.patch b/third_party/patch/openssl/CVE-2024-0727.patch deleted file mode 100644 index c17bbfa4..00000000 --- a/third_party/patch/openssl/CVE-2024-0727.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 09015a582baa980dc04f635504b16fe95dc3790b Mon Sep 17 00:00:00 2001 -From: l00511027 -Date: Fri, 26 Jan 2024 18:45:28 +0800 -Subject: [PATCH 1/2] fix CVE-2024-0727 - -Add NULL checks where ContentInfo data can be NULL ---- - crypto/pkcs12/p12_add.c | 16 ++++++++++++++ - crypto/pkcs12/p12_mutl.c | 5 +++++ - crypto/pkcs12/p12_npas.c | 5 +++-- - crypto/pkcs7/pk7_mime.c | 8 +++++-- - 4 files changed, 53 insertions(+), 6 deletions(-) - -diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c -index af184c86af..9b40e5384e 100644 ---- a/crypto/pkcs12/p12_add.c -+++ b/crypto/pkcs12/p12_add.c -@@ -76,6 +76,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) - PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p7->d.data == NULL) { -+ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); - } - -@@ -132,6 +138,11 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, - { - if (!PKCS7_type_is_encrypted(p7)) - return NULL; -+ -+ if (p7->d.encrypted == NULL) { -+ return NULL; -+ } -+ - return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, - ASN1_ITEM_rptr(PKCS12_SAFEBAGS), - pass, passlen, -@@ -159,6 +170,11 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) - PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ if (p12->authsafes->d.data == NULL) { -+ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return ASN1_item_unpack(p12->authsafes->d.data, - ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); - } -diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c -index 3658003fe5..766c9c1e9d 100644 ---- a/crypto/pkcs12/p12_mutl.c -+++ b/crypto/pkcs12/p12_mutl.c -@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, - return 0; - } - -+ if (p12->authsafes->d.data == NULL) { -+ 
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); -+ return 0; -+ } -+ - salt = p12->mac->salt->data; - saltlen = p12->mac->salt->length; - if (!p12->mac->iter) -diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c -index 0334289a89..130337638d 100644 ---- a/crypto/pkcs12/p12_npas.c -+++ b/crypto/pkcs12/p12_npas.c -@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) - bags = PKCS12_unpack_p7data(p7); - } else if (bagnid == NID_pkcs7_encrypted) { - bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); -- if (!alg_get(p7->d.encrypted->enc_data->algorithm, -- &pbe_nid, &pbe_iter, &pbe_saltlen)) -+ if (p7->d.encrypted == NULL -+ || !alg_get(p7->d.encrypted->enc_data->algorithm, -+ &pbe_nid, &pbe_iter, &pbe_saltlen)) - goto err; - } else { - continue; -diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c -index 19e6868148..b457108c94 100644 ---- a/crypto/pkcs7/pk7_mime.c -+++ b/crypto/pkcs7/pk7_mime.c -@@ -30,10 +30,14 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) - { - STACK_OF(X509_ALGOR) *mdalgs; - int ctype_nid = OBJ_obj2nid(p7->type); -- if (ctype_nid == NID_pkcs7_signed) -+ -+ if (ctype_nid == NID_pkcs7_signed) { -+ if (p7->d.sign == NULL) -+ return 0; - mdalgs = p7->d.sign->md_algs; -- else -+ } else { - mdalgs = NULL; -+ } - - flags ^= SMIME_OLDMIME; - --- -2.17.1 diff --git a/third_party/patch/openssl/CVE-2024-13176.patch b/third_party/patch/openssl/CVE-2024-13176.patch deleted file mode 100644 index 9be1707f..00000000 --- a/third_party/patch/openssl/CVE-2024-13176.patch +++ /dev/null 
@@ -1,525 +0,0 @@ -diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c -index 9531acfc3c..ea36875891 100644 ---- a/crypto/bn/bn_exp.c -+++ b/crypto/bn/bn_exp.c -@@ -589,7 +589,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, - * out by Colin Percival, - * http://www.daemonology.net/hyperthreading-considered-harmful/) - */ --int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, -+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *in_mont) - { -@@ -606,12 +606,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, - unsigned int t4 = 0; - #endif - -- bn_check_top(a); -- bn_check_top(p); -- bn_check_top(m); -- - if (!BN_is_odd(m)) { -- BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS); -+ BNerr(BN_F_BN_MOD_EXP_MONT_FIXED_TOP, BN_R_CALLED_WITH_EVEN_MODULUS); - return 0; - } - -@@ -1112,7 +1108,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, - goto err; - } else - #endif -- if (!BN_from_montgomery(rr, &tmp, mont, ctx)) -+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx)) - goto err; - ret = 1; - err: -@@ -1126,6 +1122,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, - return ret; - } - -+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, -+ BN_MONT_CTX *in_mont) -+{ -+ bn_check_top(a); -+ bn_check_top(p); -+ bn_check_top(m); -+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont)) -+ return 0; -+ bn_correct_top(rr); -+ return 1; -+} -+ - int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) - { -diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c -index fe6fb0e40f..64674f27d0 100644 ---- a/crypto/bn/bn_lib.c -+++ b/crypto/bn/bn_lib.c -@@ -598,14 +598,29 @@ int BN_ucmp(const BIGNUM *a, const BIGNUM *b) - int i; - BN_ULONG 
t1, t2, *ap, *bp; - -+ ap = a->d; -+ bp = b->d; -+ -+ if (BN_get_flags(a, BN_FLG_CONSTTIME) -+ && a->top == b->top) { -+ int res = 0; -+ -+ for (i = 0; i < b->top; i++) { -+ res = constant_time_select_int(constant_time_lt_bn(ap[i], bp[i]), -+ -1, res); -+ res = constant_time_select_int(constant_time_lt_bn(bp[i], ap[i]), -+ 1, res); -+ } -+ return res; -+ } -+ - bn_check_top(a); - bn_check_top(b); - - i = a->top - b->top; - if (i != 0) - return i; -- ap = a->d; -- bp = b->d; -+ - for (i = a->top - 1; i >= 0; i--) { - t1 = ap[i]; - t2 = bp[i]; -@@ -717,11 +732,10 @@ int BN_is_bit_set(const BIGNUM *a, int n) - return (int)(((a->d[i]) >> j) & ((BN_ULONG)1)); - } - --int BN_mask_bits(BIGNUM *a, int n) -+int bn_mask_bits_fixed_top(BIGNUM *a, int n) - { - int b, w; - -- bn_check_top(a); - if (n < 0) - return 0; - -@@ -735,10 +749,21 @@ int BN_mask_bits(BIGNUM *a, int n) - a->top = w + 1; - a->d[w] &= ~(BN_MASK2 << b); - } -- bn_correct_top(a); -+ a->flags |= BN_FLG_FIXED_TOP; - return 1; - } - -+int BN_mask_bits(BIGNUM *a, int n) -+{ -+ int ret; -+ -+ bn_check_top(a); -+ ret = bn_mask_bits_fixed_top(a, n); -+ if (ret) -+ bn_correct_top(a); -+ return ret; -+} -+ - void BN_set_negative(BIGNUM *a, int b) - { - if (b && !BN_is_zero(a)) -@@ -915,6 +940,22 @@ int BN_is_word(const BIGNUM *a, const BN_ULONG w) - return BN_abs_is_word(a, w) && (!w || !a->neg); - } - -+int bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w) -+{ -+ int res, i; -+ const BN_ULONG *ap = a->d; -+ -+ if (a->neg || a->top == 0) -+ return 0; -+ -+ res = constant_time_select_int(constant_time_eq_bn(ap[0], w), 1, 0); -+ -+ for (i = 1; i < a->top; i++) -+ res = constant_time_select_int(constant_time_is_zero_bn(ap[i]), -+ res, 0); -+ return res; -+} -+ - int BN_is_odd(const BIGNUM *a) - { - return (a->top > 0) && (a->d[0] & 1); -diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c -index 6b4b50a068..46d4d5a82a 100644 ---- a/crypto/bn/bn_rand.c -+++ b/crypto/bn/bn_rand.c -@@ -194,17 +194,61 @@ int 
BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) - return BN_rand_range(r, range); - } - -+int bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range) -+{ -+ int n; -+ int count = 100; -+ -+ if (r == NULL) { -+ BNerr(BN_F_BN_PRIV_RAND_RANGE_FIXED_TOP, ERR_R_PASSED_NULL_PARAMETER); -+ return 0; -+ } -+ -+ if (range->neg || BN_is_zero(range)) { -+ BNerr(BN_F_BN_PRIV_RAND_RANGE_FIXED_TOP, BN_R_INVALID_RANGE); -+ return 0; -+ } -+ -+ n = BN_num_bits(range); /* n > 0 */ -+ -+ /* BN_is_bit_set(range, n - 1) always holds */ -+ -+ if (n == 1) { -+ BN_zero(r); -+ } else { -+ BN_set_flags(r, BN_FLG_CONSTTIME); -+ do { -+ if (!bnrand(PRIVATE, r, n + 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) -+ return 0; -+ -+ if (!--count) { -+ BNerr(BN_F_BN_PRIV_RAND_RANGE_FIXED_TOP, BN_R_TOO_MANY_ITERATIONS); -+ return 0; -+ } -+ bn_mask_bits_fixed_top(r, n); -+ } -+ while (BN_ucmp(r, range) >= 0); -+#ifdef BN_DEBUG -+ /* With BN_DEBUG on a fixed top number cannot be returned */ -+ bn_correct_top(r); -+#endif -+ } -+ -+ return 1; -+} -+ - /* -- * BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike -- * BN_rand_range, it also includes the contents of |priv| and |message| in -- * the generation so that an RNG failure isn't fatal as long as |priv| -+ * bn_gen_dsa_nonce_fixed_top generates a random number 0 <= out < range. -+ * Unlike BN_rand_range, it also includes the contents of |priv| and |message| -+ * in the generation so that an RNG failure isn't fatal as long as |priv| - * remains secret. This is intended for use in DSA and ECDSA where an RNG - * weakness leads directly to private key exposure unless this function is - * used. 
- */ --int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, -- const BIGNUM *priv, const unsigned char *message, -- size_t message_len, BN_CTX *ctx) -+int bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range, -+ const BIGNUM *priv, -+ const unsigned char *message, -+ size_t message_len, BN_CTX *ctx) - { - SHA512_CTX sha; - /* -@@ -214,15 +258,19 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, - unsigned char random_bytes[64]; - unsigned char digest[SHA512_DIGEST_LENGTH]; - unsigned done, todo; -- /* We generate |range|+8 bytes of random output. */ -- const unsigned num_k_bytes = BN_num_bytes(range) + 8; -+ /* We generate |range|+1 bytes of random output. */ -+ const unsigned num_k_bytes = BN_num_bytes(range) + 1; - unsigned char private_bytes[96]; -- unsigned char *k_bytes; -+ unsigned char *k_bytes = NULL; -+ const int max_n = 64; /* Pr(failure to generate) < 2^max_n */ -+ int n; - int ret = 0; - - k_bytes = OPENSSL_malloc(num_k_bytes); - if (k_bytes == NULL) -- goto err; -+ goto end; -+ /* Ensure top byte is set to avoid non-constant time in bin2bn */ -+ k_bytes[0] = 0xff; - - /* We copy |priv| into a local buffer to avoid exposing its length. */ - if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { -@@ -231,35 +279,70 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, - * large and we don't handle this case in order to avoid leaking the - * length of the private key. 
- */ -- BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE); -- goto err; -+ BNerr(BN_F_BN_GEN_DSA_NONCE_FIXED_TOP, BN_R_PRIVATE_KEY_TOO_LARGE); -+ goto end; - } -+ for (n = 0; n < max_n; n++) { -+ unsigned char i = 0; -+ -+ for (done = 0; done < num_k_bytes;) { -+ if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1) -+ goto end; -+ SHA512_Init(&sha); -+ SHA512_Update(&sha, &i, sizeof(i)); -+ SHA512_Update(&sha, private_bytes, sizeof(private_bytes)); -+ SHA512_Update(&sha, message, message_len); -+ SHA512_Update(&sha, random_bytes, sizeof(random_bytes)); -+ SHA512_Final(digest, &sha); -+ -+ todo = num_k_bytes - done; -+ if (todo > SHA512_DIGEST_LENGTH) -+ todo = SHA512_DIGEST_LENGTH; -+ memcpy(k_bytes + done, digest, todo); -+ done += todo; -+ ++i; -+ } - -- for (done = 0; done < num_k_bytes;) { -- if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1) -- goto err; -- SHA512_Init(&sha); -- SHA512_Update(&sha, &done, sizeof(done)); -- SHA512_Update(&sha, private_bytes, sizeof(private_bytes)); -- SHA512_Update(&sha, message, message_len); -- SHA512_Update(&sha, random_bytes, sizeof(random_bytes)); -- SHA512_Final(digest, &sha); -- -- todo = num_k_bytes - done; -- if (todo > SHA512_DIGEST_LENGTH) -- todo = SHA512_DIGEST_LENGTH; -- memcpy(k_bytes + done, digest, todo); -- done += todo; -- } -+ if (!BN_bin2bn(k_bytes, num_k_bytes, out)) -+ goto end; - -- if (!BN_bin2bn(k_bytes, num_k_bytes, out)) -- goto err; -- if (BN_mod(out, out, range, ctx) != 1) -- goto err; -- ret = 1; -+ /* Clear out the top bits and rejection filter into range */ -+ BN_set_flags(out, BN_FLG_CONSTTIME); -+ bn_mask_bits_fixed_top(out, BN_num_bits(range)); - -- err: -- OPENSSL_free(k_bytes); -+ if (BN_ucmp(out, range) < 0) { -+ ret = 1; -+#ifdef BN_DEBUG -+ /* With BN_DEBUG on a fixed top number cannot be returned */ -+ bn_correct_top(out); -+#endif -+ goto end; -+ } -+ } -+ /* Failed to generate anything */ -+ BNerr(BN_F_BN_GEN_DSA_NONCE_FIXED_TOP, ERR_R_INTERNAL_ERROR); 
-+ -+ end: -+ OPENSSL_clear_free(k_bytes, num_k_bytes); -+ OPENSSL_cleanse(digest, sizeof(digest)); -+ OPENSSL_cleanse(random_bytes, sizeof(random_bytes)); - OPENSSL_cleanse(private_bytes, sizeof(private_bytes)); - return ret; - } -+ -+int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, -+ const BIGNUM *priv, const unsigned char *message, -+ size_t message_len, BN_CTX *ctx) -+{ -+ int ret; -+ -+ ret = bn_gen_dsa_nonce_fixed_top(out, range, priv, message, -+ message_len, ctx); -+ /* -+ * This call makes the BN_generate_dsa_nonce non-const-time, thus we -+ * do not use it internally. But fixed_top BNs currently cannot be returned -+ * from public API calls. -+ */ -+ bn_correct_top(out); -+ return ret; -+} -diff --git a/crypto/bn/bn_shift.c b/crypto/bn/bn_shift.c -index 210a83f586..4018ad9e68 100644 ---- a/crypto/bn/bn_shift.c -+++ b/crypto/bn/bn_shift.c -@@ -156,6 +156,9 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n) - return 0; - } - -+ bn_check_top(r); -+ bn_check_top(a); -+ - ret = bn_rshift_fixed_top(r, a, n); - - bn_correct_top(r); -@@ -177,9 +180,6 @@ int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n) - BN_ULONG *t, *f; - BN_ULONG l, m, mask; - -- bn_check_top(r); -- bn_check_top(a); -- - assert(n >= 0); - - nw = n / BN_BITS2; -diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c -index a983def64e..cd74b0100a 100644 ---- a/crypto/dsa/dsa_ossl.c -+++ b/crypto/dsa/dsa_ossl.c -@@ -229,12 +229,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, - * We calculate k from SHA512(private_key + H(message) + random). - * This protects the private key from a weak PRNG. 
- */ -- if (!BN_generate_dsa_nonce(k, dsa->q, dsa->priv_key, dgst, -- dlen, ctx)) -+ if (!bn_gen_dsa_nonce_fixed_top(k, dsa->q, -+ dsa->priv_key, dgst, -+ dlen, ctx)) - goto err; -- } else if (!BN_priv_rand_range(k, dsa->q)) -+ } else if (!bn_priv_rand_range_fixed_top(k, dsa->q)) - goto err; -- } while (BN_is_zero(k)); -+ } while (bn_is_word_fixed_top(k, 0)); - - BN_set_flags(k, BN_FLG_CONSTTIME); - BN_set_flags(l, BN_FLG_CONSTTIME); -diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c -index 08db89fcee..9f0b480705 100644 ---- a/crypto/ec/ec_lib.c -+++ b/crypto/ec/ec_lib.c -@@ -12,8 +12,8 @@ - - #include - #include -- - #include "ec_local.h" -+#include "crypto/bn.h" - - /* functions for EC_GROUP objects */ - -@@ -1155,10 +1155,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, - if (!BN_sub(e, group->order, e)) - goto err; - /*- -- * Exponent e is public. -- * No need for scatter-gather or BN_FLG_CONSTTIME. -+ * Although the exponent is public we want the result to be -+ * fixed top. 
- */ -- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data)) -+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data)) - goto err; - - ret = 1; -diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c -index 1da87bfb5e..b17731e945 100644 ---- a/crypto/ec/ecdsa_ossl.c -+++ b/crypto/ec/ecdsa_ossl.c -@@ -88,20 +88,20 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, - /* get random k */ - do { - if (dgst != NULL) { -- if (!BN_generate_dsa_nonce(k, order, priv_key, -- dgst, dlen, ctx)) { -+ if (!bn_gen_dsa_nonce_fixed_top(k, order, priv_key, -+ dgst, dlen, ctx)) { - ECerr(EC_F_ECDSA_SIGN_SETUP, - EC_R_RANDOM_NUMBER_GENERATION_FAILED); - goto err; - } - } else { -- if (!BN_priv_rand_range(k, order)) { -+ if (!bn_priv_rand_range_fixed_top(k, order)) { - ECerr(EC_F_ECDSA_SIGN_SETUP, - EC_R_RANDOM_NUMBER_GENERATION_FAILED); - goto err; - } - } -- } while (BN_is_zero(k)); -+ } while (bn_is_word_fixed_top(k, 0)); - - /* compute r the x-coordinate of generator * k */ - if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index 60afda1dad..8e7a965551 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -72,6 +72,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words); - */ - int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - BN_MONT_CTX *mont, BN_CTX *ctx); -+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, -+ BN_MONT_CTX *in_mont); - int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, - BN_CTX *ctx); - int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, -@@ -87,4 +90,16 @@ int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, - const BIGNUM *d, BN_CTX *ctx); - -+ -+ -+ -+ -+ -+int bn_mask_bits_fixed_top(BIGNUM *a, int n); -+int 
bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w); -+int bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range); -+int bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range, -+ const BIGNUM *priv, -+ const unsigned char *message, -+ size_t message_len, BN_CTX *ctx); - #endif -diff --git a/include/internal/constant_time.h b/include/internal/constant_time.h -index 6600a1d72a..9f4034b921 100644 ---- a/include/internal/constant_time.h -+++ b/include/internal/constant_time.h -@@ -139,6 +139,29 @@ static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b) - return constant_time_msb_64(a ^ ((a ^ b) | ((a - b) ^ b))); - } - -+#ifdef BN_ULONG -+static ossl_inline BN_ULONG constant_time_msb_bn(BN_ULONG a) -+{ -+ return 0 - (a >> (sizeof(a) * 8 - 1)); -+} -+ -+static ossl_inline BN_ULONG constant_time_lt_bn(BN_ULONG a, BN_ULONG b) -+{ -+ return constant_time_msb_bn(a ^ ((a ^ b) | ((a - b) ^ b))); -+} -+ -+static ossl_inline BN_ULONG constant_time_is_zero_bn(BN_ULONG a) -+{ -+ return constant_time_msb_bn(~a & (a - 1)); -+} -+ -+static ossl_inline BN_ULONG constant_time_eq_bn(BN_ULONG a, -+ BN_ULONG b) -+{ -+ return constant_time_is_zero_bn(a ^ b); -+} -+#endif -+ - static ossl_inline unsigned int constant_time_ge(unsigned int a, - unsigned int b) - { -diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h -index a0752cea52..8941ddbd2a 100644 ---- a/include/openssl/bnerr.h -+++ b/include/openssl/bnerr.h -@@ -73,6 +73,9 @@ int ERR_load_BN_strings(void); - # define BN_F_BN_STACK_PUSH 148 - # define BN_F_BN_USUB 115 - # define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 -+# define BN_F_BN_MOD_EXP_MONT_FIXED_TOP 152 -+# define BN_F_BN_PRIV_RAND_RANGE_FIXED_TOP 153 -+# define BN_F_BN_GEN_DSA_NONCE_FIXED_TOP 154 - - /* - * BN reason codes. diff --git a/third_party/patch/openssl/CVE-2024-2511.patch b/third_party/patch/openssl/CVE-2024-2511.patch deleted file mode 100644 index 8be177e5..00000000 --- a/third_party/patch/openssl/CVE-2024-2511.patch +++ /dev/null 
@@ -1,487 +0,0 @@ -From fc43b2b1abae58c1b261962299d2bbeee770810a Mon Sep 17 00:00:00 2001 -From: jxlang910 -Date: Thu, 11 Apr 2024 17:24:44 +0800 -Subject: [PATCH] fix CVE-2024-2511 - ---- - include/openssl/sslerr.h | 4 +- - ssl/ssl_err.c | 5 +- - ssl/ssl_lib.c | 5 +- - ssl/ssl_sess.c | 36 ++++- - ssl/statem/statem_srvr.c | 5 +- - test/sslapitest.c | 300 +++++++++++++++++++++++++++++++++++++++ - 6 files changed, 339 insertions(+), 16 deletions(-) - -diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h -index aa5f56a482..3e99ffc27f 100644 ---- a/include/openssl/sslerr.h -+++ b/include/openssl/sslerr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -224,7 +224,7 @@ int ERR_load_SSL_strings(void); - # define SSL_F_SSL_RENEGOTIATE_ABBREVIATED 546 - # define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT 320 - # define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT 321 --# define SSL_F_SSL_SESSION_DUP 348 -+# define SSL_F_SSL_SESSION_DUP_INTERN 668 - # define SSL_F_SSL_SESSION_NEW 189 - # define SSL_F_SSL_SESSION_PRINT_FP 190 - # define SSL_F_SSL_SESSION_SET1_ID 423 -diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c -index 5a7c42a88c..c4144bb8b4 100644 ---- a/ssl/ssl_err.c -+++ b/ssl/ssl_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy -@@ -325,7 +325,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = { - "SSL_renegotiate_abbreviated"}, - {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, 0), ""}, - {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, 0), ""}, -- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_DUP, 0), "ssl_session_dup"}, -+ {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_DUP_INTERN, 0), -+ "ssl_session_dup_intern"}, - {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_NEW, 0), "SSL_SESSION_new"}, - {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_PRINT_FP, 0), - "SSL_SESSION_print_fp"}, -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 618549a2ca..2a44960fac 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -3541,9 +3541,10 @@ void ssl_update_cache(SSL *s, int mode) - - /* - * If the session_id_length is 0, we are not supposed to cache it, and it -- * would be rather hard to do anyway :-) -+ * would be rather hard to do anyway :-). Also if the session has already -+ * been marked as not_resumable we should not cache it for later reuse. - */ -- if (s->session->session_id_length == 0) -+ if (s->session->session_id_length == 0 || s->session->not_resumable) - return; - - /* -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index 1b4c85b60c..5cc816b0fc 100644 ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void) - return ss; - } - --SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src) --{ -- return ssl_session_dup(src, 1); --} -- - /* - * Create a new SSL_SESSION and duplicate the contents of |src| into it. If - * ticket == 0 then no ticket information is duplicated, otherwise it is. 
- */ --SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) -+static SSL_SESSION *ssl_session_dup_intern(SSL_SESSION *src, int ticket) - { - SSL_SESSION *dest; - -@@ -221,11 +216,32 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) - - return dest; - err: -- SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE); -+ SSLerr(SSL_F_SSL_SESSION_DUP_INTERN, ERR_R_MALLOC_FAILURE); - SSL_SESSION_free(dest); - return NULL; - } - -+SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src) -+{ -+ return ssl_session_dup_intern(src, 1); -+} -+ -+/* -+ * Used internally when duplicating a session which might be already shared. -+ * We will have resumed the original session. Subsequently we might have marked -+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to -+ * resume from. -+ */ -+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) -+{ -+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket); -+ -+ if (sess != NULL) -+ sess->not_resumable = 0; -+ -+ return sess; -+} -+ - const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) - { - if (len) -@@ -455,6 +471,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id, - ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©); - - if (ret != NULL) { -+ if (ret->not_resumable) { -+ /* If its not resumable then ignore this session */ -+ if (!copy) -+ SSL_SESSION_free(ret); -+ return NULL; -+ } - tsan_counter(&s->session_ctx->stats.sess_cb_hit); - - /* -diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c -index 1b3b8002ee..d242e98024 100644 ---- a/ssl/statem/statem_srvr.c -+++ b/ssl/statem/statem_srvr.c -@@ -2418,9 +2418,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) - * so the following won't overwrite an ID that we're supposed - * to send back. 
- */ -- if (s->session->not_resumable || -- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) -- && !s->hit)) -+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) -+ && !s->hit) - s->session->session_id_length = 0; - - if (usetls13) { -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 5ee982ab06..395b1e5457 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -6669,6 +6669,128 @@ static int test_ca_names(int tst) - return testresult; - } - -+/* -+ * Test that a session cache overflow works as expected -+ * Test 0: TLSv1.3, timeout on new session later than old session -+ * Test 1: TLSv1.2, timeout on new session later than old session -+ * Test 2: TLSv1.3, timeout on new session earlier than old session -+ * Test 3: TLSv1.2, timeout on new session earlier than old session -+ */ -+#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) -+static int test_session_cache_overflow(int idx) -+{ -+ SSL_CTX *sctx = NULL, *cctx = NULL; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ int testresult = 0; -+ SSL_SESSION *sess = NULL; -+ -+#ifdef OPENSSL_NO_TLS1_3 -+ /* If no TLSv1.3 available then do nothing in this case */ -+ if (idx % 2 == 0) -+ TEST_info("No TLSv1.3 available"); -+ return 1; -+#endif -+#ifdef OPENSSL_NO_TLS1_2 -+ /* If no TLSv1.2 available then do nothing in this case */ -+ if (idx % 2 == 1) -+ TEST_info("No TLSv1.2 available"); -+ return 1; -+#endif -+ -+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), -+ TLS_client_method(), TLS1_VERSION, -+ (idx % 2 == 0) ? 
TLS1_3_VERSION -+ : TLS1_2_VERSION, -+ &sctx, &cctx, cert, privkey)) -+ || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))) -+ goto end; -+ -+ SSL_CTX_sess_set_get_cb(sctx, get_session_cb); -+ get_sess_val = NULL; -+ -+ SSL_CTX_sess_set_cache_size(sctx, 1); -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, -+ NULL, NULL))) -+ goto end; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) -+ goto end; -+ -+ if (idx > 1) { -+ sess = SSL_get_session(serverssl); -+ if (!TEST_ptr(sess)) -+ goto end; -+ -+ /* -+ * Cause this session to have a longer timeout than the next session to -+ * be added. -+ */ -+ if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) { -+ sess = NULL; -+ goto end; -+ } -+ sess = NULL; -+ } -+ -+ SSL_shutdown(serverssl); -+ SSL_shutdown(clientssl); -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ serverssl = clientssl = NULL; -+ -+ /* -+ * Session cache size is 1 and we already populated the cache with a session -+ * so the next connection should cause an overflow. -+ */ -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, -+ NULL, NULL))) -+ goto end; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) -+ goto end; -+ -+ /* -+ * The session we just negotiated may have been already removed from the -+ * internal cache - but we will return it anyway from our external cache. 
-+ */ -+ get_sess_val = SSL_get_session(serverssl); -+ if (!TEST_ptr(get_sess_val)) -+ goto end; -+ sess = SSL_get1_session(clientssl); -+ if (!TEST_ptr(sess)) -+ goto end; -+ -+ SSL_shutdown(serverssl); -+ SSL_shutdown(clientssl); -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ serverssl = clientssl = NULL; -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, -+ NULL, NULL))) -+ goto end; -+ -+ if (!TEST_true(SSL_set_session(clientssl, sess))) -+ goto end; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) -+ goto end; -+ -+ testresult = 1; -+ -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ SSL_SESSION_free(sess); -+ -+ return testresult; -+} -+#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ -+ - /* - * Test 0: Client sets servername and server acknowledges it (TLSv1.2) - * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2) -@@ -7288,6 +7410,180 @@ static int test_inherit_verify_param(void) - return testresult; - } - -+struct resume_servername_cb_data { -+ int i; -+ SSL_CTX *cctx; -+ SSL_CTX *sctx; -+ SSL_SESSION *sess; -+ int recurse; -+}; -+ -+/* -+ * Servername callback. 
We use it here to run another complete handshake using -+ * the same session - and mark the session as not_resuamble at the end -+ */ -+static int resume_servername_cb(SSL *s, int *ad, void *arg) -+{ -+ struct resume_servername_cb_data *cbdata = arg; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ int ret = SSL_TLSEXT_ERR_ALERT_FATAL; -+ -+ if (cbdata->recurse) -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ -+ if ((cbdata->i % 3) != 1) -+ return SSL_TLSEXT_ERR_OK; -+ -+ cbdata->recurse = 1; -+ -+ if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl, -+ &clientssl, NULL, NULL)) -+ || !TEST_true(SSL_set_session(clientssl, cbdata->sess))) -+ goto end; -+ -+ ERR_set_mark(); -+ /* -+ * We expect this to fail - because the servername cb will fail. This will -+ * mark the session as not_resumable. -+ */ -+ if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) { -+ ERR_clear_last_mark(); -+ goto end; -+ } -+ ERR_pop_to_mark(); -+ -+ ret = SSL_TLSEXT_ERR_OK; -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ cbdata->recurse = 0; -+ return ret; -+} -+ -+/* -+ * Test multiple resumptions and cache size handling -+ * Test 0: TLSv1.3 (max_early_data set) -+ * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set) -+ * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set) -+ * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes) -+ * Test 4: TLSv1.2 -+ */ -+static int test_multi_resume(int idx) -+{ -+ SSL_CTX *sctx = NULL, *cctx = NULL; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ SSL_SESSION *sess = NULL; -+ int max_version = TLS1_3_VERSION; -+ int i, testresult = 0; -+ struct resume_servername_cb_data cbdata; -+ -+#if defined(OPENSSL_NO_TLS1_2) -+ if (idx == 4) -+ TEST_info("TLSv1.2 is disabled in this build"); -+ return 1; -+#else -+ if (idx == 4) -+ max_version = TLS1_2_VERSION; -+#endif -+#if defined(OPENSSL_NO_TLS1_3) -+ if (idx != 4) -+ TEST_info("No usable TLSv1.3 in this build"); -+ return 1; -+#endif -+ -+ if 
(!TEST_true(create_ssl_ctx_pair(TLS_server_method(), -+ TLS_client_method(), TLS1_VERSION, -+ max_version, &sctx, &cctx, cert, -+ privkey))) -+ goto end; -+ -+ /* -+ * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for -+ * replay protection), or if SSL_OP_NO_TICKET is in use -+ */ -+ if (idx == 0 || idx == 2) { -+ if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024))) -+ goto end; -+ } -+ if (idx == 1 || idx == 2 || idx == 3) -+ SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); -+ -+ SSL_CTX_sess_set_cache_size(sctx, 5); -+ -+ if (idx == 3) { -+ SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb); -+ SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata); -+ cbdata.cctx = cctx; -+ cbdata.sctx = sctx; -+ cbdata.recurse = 0; -+ } -+ -+ for (i = 0; i < 30; i++) { -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, -+ NULL, NULL)) -+ || !TEST_true(SSL_set_session(clientssl, sess))) -+ goto end; -+ -+ /* -+ * Check simultaneous resumes. We pause the connection part way through -+ * the handshake by (mis)using the servername_cb. The pause occurs after -+ * session resumption has already occurred, but before any session -+ * tickets have been issued. While paused we run another complete -+ * handshake resuming the same session. -+ */ -+ if (idx == 3) { -+ cbdata.i = i; -+ cbdata.sess = sess; -+ } -+ -+ /* -+ * Recreate a bug where dynamically changing the max_early_data value -+ * can cause sessions in the session cache which cannot be deleted. 
-+ */ -+ if ((idx == 0 || idx == 2) && (i % 3) == 2) -+ SSL_set_max_early_data(serverssl, 0); -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) -+ goto end; -+ -+ if (sess == NULL || (idx == 0 && (i % 3) == 2)) { -+ if (!TEST_false(SSL_session_reused(clientssl))) -+ goto end; -+ } else { -+ if (!TEST_true(SSL_session_reused(clientssl))) -+ goto end; -+ } -+ SSL_SESSION_free(sess); -+ -+ /* Do a full handshake, followed by two resumptions */ -+ if ((i % 3) == 2) { -+ sess = NULL; -+ } else { -+ if (!TEST_ptr((sess = SSL_get1_session(clientssl)))) -+ goto end; -+ } -+ -+ SSL_shutdown(clientssl); -+ SSL_shutdown(serverssl); -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ serverssl = clientssl = NULL; -+ } -+ -+ /* We should never exceed the session cache size limit */ -+ if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5)) -+ goto end; -+ -+ testresult = 1; -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ SSL_SESSION_free(sess); -+ return testresult; -+} -+ - int setup_tests(void) - { - if (!TEST_ptr(certsdir = test_get_argument(0)) -@@ -7422,6 +7718,10 @@ int setup_tests(void) - #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3) - ADD_ALL_TESTS(test_serverinfo_custom, 4); - #endif -+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) -+ ADD_ALL_TESTS(test_session_cache_overflow, 4); -+#endif -+ ADD_ALL_TESTS(test_multi_resume, 5); - return 1; - } - --- -2.43.0.windows.1 - diff --git a/third_party/patch/openssl/CVE-2024-4741.patch b/third_party/patch/openssl/CVE-2024-4741.patch deleted file mode 100644 index a4fc6fa5..00000000 --- a/third_party/patch/openssl/CVE-2024-4741.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001 -From: Watson Ladd -Date: Wed, 24 Apr 2024 11:26:56 +0100 -Subject: [PATCH] Only free the read buffers if we're not using them - -If we're part way through processing a record, or the application has -not released all the records then we should not free our buffer because -they are still needed. - -CVE-2024-4741 - -Reviewed-by: Tomas Mraz -Reviewed-by: Neil Horman -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/24395) - -(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177) -Reference:https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d -Conflict:NA ---- - ssl/record/rec_layer_s3.c | 9 +++++++++ - ssl/record/record.h | 1 + - ssl/ssl_lib.c | 3 +++ - 3 files changed, 13 insertions(+) - -diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c -index 4bcffcc41e364..1569997bea2d3 100644 ---- a/ssl/record/rec_layer_s3.c -+++ b/ssl/record/rec_layer_s3.c -@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) - return SSL3_BUFFER_get_left(&rl->rbuf) != 0; - } - -+int RECORD_LAYER_data_present(const RECORD_LAYER *rl) -+{ -+ if (rl->rstate == SSL_ST_READ_BODY) -+ return 1; -+ if (RECORD_LAYER_processed_read_pending(rl)) -+ return 1; -+ return 0; -+} -+ - /* Checks if we have decrypted unread record data pending */ - int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) - { -diff --git a/ssl/record/record.h b/ssl/record/record.h -index 234656bf93942..b60f71c8cb23b 100644 ---- a/ssl/record/record.h -+++ b/ssl/record/record.h -@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); - int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); - int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); - int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); -+int RECORD_LAYER_data_present(const RECORD_LAYER *rl); - void 
RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); - void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); - int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index eed649c6fdee9..d14c55ae557bc 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -5492,6 +5492,9 @@ int SSL_free_buffers(SSL *ssl) - if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) - return 0; - -+ if (RECORD_LAYER_data_present(rl)) -+ return 0; -+ - RECORD_LAYER_release(rl); - return 1; - } diff --git a/third_party/patch/openssl/CVE-2024-5535.patch b/third_party/patch/openssl/CVE-2024-5535.patch deleted file mode 100644 index 327711ae..00000000 --- a/third_party/patch/openssl/CVE-2024-5535.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From d7afe8e89ced1f4d5f1e5aab474dd9c069115b6e Mon Sep 17 00:00:00 2001 -From: xuhuiyue -Date: Fri, 28 Jun 2024 17:31:29 +0800 -Subject: [PATCH 2/2] Fix SSL_select_next_proto and add ALPN validation in the - client - -Fix CVE-2024-5535. - -Signed-off-by: xuhuiyue ---- - ssl/ssl_lib.c | 63 +++++++++++++++++++++++------------- - ssl/statem/extensions_clnt.c | 27 +++++++++++++++- - ssl/statem/extensions_srvr.c | 3 +- - 3 files changed, 68 insertions(+), 25 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 00410a7385..cb2dca4247 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -2767,37 +2767,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, - unsigned int server_len, - const unsigned char *client, unsigned int client_len) - { -- unsigned int i, j; -- const unsigned char *result; -- int status = OPENSSL_NPN_UNSUPPORTED; -+ PACKET cpkt, csubpkt, spkt, ssubpkt; -+ -+ if (!PACKET_buf_init(&cpkt, client, client_len) -+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) -+ || PACKET_remaining(&csubpkt) == 0) { -+ *out = NULL; -+ *outlen = 0; -+ return OPENSSL_NPN_NO_OVERLAP; -+ } -+ -+ /* -+ * Set the default opportunistic protocol. Will be overwritten if we find -+ * a match. -+ */ -+ *out = (unsigned char *)PACKET_data(&csubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&csubpkt); - - /* - * For each protocol in server preference order, see if we support it. 
- */ -- for (i = 0; i < server_len;) { -- for (j = 0; j < client_len;) { -- if (server[i] == client[j] && -- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { -- /* We found a match */ -- result = &server[i]; -- status = OPENSSL_NPN_NEGOTIATED; -- goto found; -+ if (PACKET_buf_init(&spkt, server, server_len)) { -+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { -+ if (PACKET_remaining(&ssubpkt) == 0) -+ continue; /* Invalid - ignore it */ -+ if (PACKET_buf_init(&cpkt, client, client_len)) { -+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { -+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), -+ PACKET_remaining(&ssubpkt))) { -+ /* We found a match */ -+ *out = (unsigned char *)PACKET_data(&ssubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); -+ return OPENSSL_NPN_NEGOTIATED; -+ } -+ } -+ /* Ignore spurious trailing bytes in the client list */ -+ } else { -+ /* This should never happen */ -+ return OPENSSL_NPN_NO_OVERLAP; - } -- j += client[j]; -- j++; - } -- i += server[i]; -- i++; -+ /* Ignore spurious trailing bytes in the server list */ - } - -- /* There's no overlap between our protocols and the server's list. */ -- result = client; -- status = OPENSSL_NPN_NO_OVERLAP; -- -- found: -- *out = (unsigned char *)result + 1; -- *outlen = result[0]; -- return status; -+ /* -+ * There's no overlap between our protocols and the server's list. 
We use -+ * the default opportunistic protocol selected earlier -+ */ -+ return OPENSSL_NPN_NO_OVERLAP; - } - - #ifndef OPENSSL_NO_NEXTPROTONEG -diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c -index c641ae7351..4ad75c8e2d 100644 ---- a/ssl/statem/extensions_clnt.c -+++ b/ssl/statem/extensions_clnt.c -@@ -1602,7 +1602,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - PACKET_data(pkt), - PACKET_remaining(pkt), - s->ctx->ext.npn_select_cb_arg) != -- SSL_TLSEXT_ERR_OK) { -+ SSL_TLSEXT_ERR_OK -+ || selected_len == 0) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN, - SSL_R_BAD_EXTENSION); - return 0; -@@ -1633,6 +1634,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - size_t chainidx) - { - size_t len; -+ PACKET confpkt, protpkt; -+ int valid = 0; - - /* We must have requested it. */ - if (!s->s3->alpn_sent) { -@@ -1653,6 +1656,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - SSL_R_BAD_EXTENSION); - return 0; - } -+ -+ /* It must be a protocol that we sent */ -+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { -+ if (PACKET_remaining(&protpkt) != len) -+ continue; -+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { -+ /* Valid protocol found */ -+ valid = 1; -+ break; -+ } -+ } -+ -+ if (!valid) { -+ /* The protocol sent from the server does not match one we advertised */ -+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, SSL_R_BAD_EXTENSION); -+ return 0; -+ } -+ - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = OPENSSL_malloc(len); - if (s->s3->alpn_selected == NULL) { -diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c -index 775d9a7444..a08027fd6d 100644 ---- 
a/ssl/statem/extensions_srvr.c -+++ b/ssl/statem/extensions_srvr.c -@@ -1562,9 +1562,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, - return EXT_RETURN_FAIL; - } - s->s3->npn_seen = 1; -+ return EXT_RETURN_SENT; - } - -- return EXT_RETURN_SENT; -+ return EXT_RETURN_NOT_SENT; - } - #endif - --- -2.33.0 - - diff --git a/third_party/patch/openssl/CVE-2024-9143.patch b/third_party/patch/openssl/CVE-2024-9143.patch deleted file mode 100644 index cc3c363c..00000000 --- a/third_party/patch/openssl/CVE-2024-9143.patch +++ /dev/null 
@@ -1,201 +0,0 @@
-From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni
-Date: Thu, 19 Sep 2024 01:02:40 +1000
-Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
-
-The BN_GF2m_poly2arr() function converts characteristic-2 field
-(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
-to a compact array with just the exponents of the non-zero terms.
-
-These polynomials are then used in BN_GF2m_mod_arr() to perform modular
-reduction. A precondition of calling BN_GF2m_mod_arr() is that the
-polynomial must have a non-zero constant term (i.e. the array has `0` as
-its final element).
-
-Internally, callers of BN_GF2m_poly2arr() did not verify that
-precondition, and binary EC curve parameters with an invalid polynomial
-could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
-
-The precondition is always true for polynomials that arise from the
-standard form of EC parameters for characteristic-two fields (X9.62).
-See the "Finite Field Identification" section of:
-
- https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
-
-The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
-basis X9.62 forms.
-
-This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
-the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
-
-Additionally, the return value is made unambiguous when there is not
-enough space to also pad the array with a final `-1` sentinel value.
-The return value is now always the number of elements (including the
-final `-1`) that would be filled when the output array is sufficiently
-large. Previously the same count was returned both when the array has
-just enough room for the final `-1` and when it had only enough space
-for non-sentinel values.
-
-Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
-degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
-CPU exhausition attacks via excessively large inputs.
-
-The above issues do not arise in processing X.509 certificates. These
-generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
-disallows explicit EC parameters. The TLS code in OpenSSL enforces this
-constraint only after the certificate is decoded, but, even if explicit
-parameters are specified, they are in X9.62 form, which cannot represent
-problem values as noted above.
-
-Initially reported as oss-fuzz issue 71623.
-
-A closely related issue was earlier reported in
-.
-
-Severity: Low, CVE-2024-9143
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Bernd Edlinger
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/25639)
-
-(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
----
- crypto/bn/bn_gf2m.c | 28 +++++++++++++++-------
- test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 71 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
-index c811ae82d6..bcc66613cc 100644
---- a/crypto/bn/bn_gf2m.c
-+++ b/crypto/bn/bn_gf2m.c
-@@ -15,6 +15,7 @@
- #include "bn_local.h"
-
- #ifndef OPENSSL_NO_EC2M
-+# include
-
- /*
- * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
-@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- /*
- * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
- * x^i) into an array of integers corresponding to the bits with non-zero
-- * coefficient. Array is terminated with -1. Up to max elements of the array
-- * will be filled. Return value is total number of array elements that would
-- * be filled if array was large enough.
-+ * coefficient. The array is intended to be suitable for use with
-+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
-+ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
-+ *
-+ * Given sufficient room, the array is terminated with -1. Up to max elements
-+ * of the array will be filled.
-+ *
-+ * The return value is total number of array elements that would be filled if
-+ * array was large enough, including the terminating `-1`. It is `0` when `a`
-+ * is not odd or the constant term is zero contrary to requirement.
-+ *
-+ * The return value is also `0` when the leading exponent exceeds
-+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
- */
- int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
- {
- int i, j, k = 0;
- BN_ULONG mask;
-
-- if (BN_is_zero(a))
-+ if (!BN_is_odd(a))
- return 0;
-
- for (i = a->top - 1; i >= 0; i--) {
-@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
- }
- }
-
-- if (k < max) {
-+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
-+ return 0;
-+
-+ if (k < max)
- p[k] = -1;
-- k++;
-- }
-
-- return k;
-+ return k + 1;
- }
-
- /*
-diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
-index 8c2cd05631..02cfd4e9d8 100644
---- a/test/ec_internal_test.c
-+++ b/test/ec_internal_test.c
-@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
- }
-
- #ifndef OPENSSL_NO_EC2M
-+/* Test that decoding of invalid GF2m field parameters fails. */
-+static int ec2m_field_sanity(void)
-+{
-+ int ret = 0;
-+ BN_CTX *ctx = BN_CTX_new();
-+ BIGNUM *p, *a, *b;
-+ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
-+
-+ TEST_info("Testing GF2m hardening\n");
-+
-+ BN_CTX_start(ctx);
-+ p = BN_CTX_get(ctx);
-+ a = BN_CTX_get(ctx);
-+ if (!TEST_ptr(b = BN_CTX_get(ctx))
-+ || !TEST_true(BN_one(a))
-+ || !TEST_true(BN_one(b)))
-+ goto out;
-+
-+ /* Even pentanomial value should be rejected */
-+ if (!TEST_true(BN_set_word(p, 0xf2)))
-+ goto out;
-+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+ TEST_error("Zero constant term accepted in GF2m polynomial");
-+
-+ /* Odd hexanomial should also be rejected */
-+ if (!TEST_true(BN_set_word(p, 0xf3)))
-+ goto out;
-+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+ TEST_error("Hexanomial accepted as GF2m polynomial");
-+
-+ /* Excessive polynomial degree should also be rejected */
-+ if (!TEST_true(BN_set_word(p, 0x71))
-+ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
-+ goto out;
-+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+ TEST_error("GF2m polynomial degree > %d accepted",
-+ OPENSSL_ECC_MAX_FIELD_BITS);
-+
-+ ret = group1 == NULL && group2 == NULL && group3 == NULL;
-+
-+ out:
-+ EC_GROUP_free(group1);
-+ EC_GROUP_free(group2);
-+ EC_GROUP_free(group3);
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+
-+ return ret;
-+}
-+
- /* test EC_GF2m_simple_method directly */
- static int field_tests_ec2_simple(void)
- {
-@@ -443,6 +493,7 @@ int setup_tests(void)
- ADD_TEST(field_tests_ecp_simple);
- ADD_TEST(field_tests_ecp_mont);
- #ifndef OPENSSL_NO_EC2M
-+ ADD_TEST(ec2m_field_sanity);
- ADD_TEST(field_tests_ec2_simple);
- #endif
- ADD_ALL_TESTS(field_tests_default, crv_len);
---
-2.43.0.windows.1
-
--
Gitee