sync code with last improvements from OpenBSD

lib/libcrypto/cms/cms_sd.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_sd.c,v 1.26 2023/07/08 08:26:26 beck Exp $ */
+/* $OpenBSD: cms_sd.c,v 1.28 2023/09/11 09:29:30 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -256,16 +256,16 @@ static int
 cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd)
 {
 	EVP_PKEY *pkey = si->pkey;
-	int i;
+	int ret;
 
-	if (!pkey->ameth || !pkey->ameth->pkey_ctrl)
+	if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL)
 		return 1;
-	i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_SIGN, cmd, si);
-	if (i == -2) {
+	ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_SIGN, cmd, si);
+	if (ret == -2) {
 		CMSerror(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
 		return 0;
 	}
-	if (i <= 0) {
+	if (ret <= 0) {
 		CMSerror(CMS_R_CTRL_FAILURE);
 		return 0;
 	}
@@ -721,119 +721,113 @@ cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain)
 int
 CMS_SignerInfo_sign(CMS_SignerInfo *si)
 {
-	EVP_MD_CTX *mctx = si->mctx;
-	EVP_PKEY_CTX *pctx = NULL;
-	unsigned char *abuf = NULL;
-	int alen;
-	size_t siglen;
-	const EVP_MD *md = NULL;
+	const EVP_MD *md;
+	unsigned char *buf = NULL, *sig = NULL;
+	int buf_len = 0;
+	size_t sig_len = 0;
+	int ret = 0;
 
-	md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
-	if (md == NULL)
-		return 0;
+	if ((md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm)) == NULL)
+		goto err;
 
 	if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
 		if (!cms_add1_signingTime(si, NULL))
 			goto err;
 	}
 
-	if (si->pctx)
-		pctx = si->pctx;
-	else {
-		EVP_MD_CTX_reset(mctx);
-		if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0)
+	if (si->pctx == NULL) {
+		EVP_MD_CTX_reset(si->mctx);
+		if (!EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, si->pkey))
 			goto err;
-		si->pctx = pctx;
 	}
 
-	if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
+	if (EVP_PKEY_CTX_ctrl(si->pctx, -1, EVP_PKEY_OP_SIGN,
 	    EVP_PKEY_CTRL_CMS_SIGN, 0, si) <= 0) {
 		CMSerror(CMS_R_CTRL_ERROR);
 		goto err;
 	}
 
-	alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf,
-	    &CMS_Attributes_Sign_it);
-	if (!abuf)
+	if ((buf_len = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &buf,
+	    &CMS_Attributes_Sign_it)) <= 0) {
+		buf_len = 0;
 		goto err;
-	if (EVP_DigestSignUpdate(mctx, abuf, alen) <= 0)
+	}
+	if (!EVP_DigestSign(si->mctx, NULL, &sig_len, buf, buf_len))
 		goto err;
-	if (EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0)
+	if ((sig = calloc(1, sig_len)) == NULL)
 		goto err;
-	free(abuf);
-	abuf = malloc(siglen);
-	if (abuf == NULL)
-		goto err;
-	if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0)
+	if (!EVP_DigestSign(si->mctx, sig, &sig_len, buf, buf_len))
 		goto err;
 
-	if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
+	if (EVP_PKEY_CTX_ctrl(si->pctx, -1, EVP_PKEY_OP_SIGN,
 	    EVP_PKEY_CTRL_CMS_SIGN, 1, si) <= 0) {
 		CMSerror(CMS_R_CTRL_ERROR);
 		goto err;
 	}
 
-	EVP_MD_CTX_reset(mctx);
+	ASN1_STRING_set0(si->signature, sig, sig_len);
+	sig = NULL;
 
-	ASN1_STRING_set0(si->signature, abuf, siglen);
-
-	return 1;
+	ret = 1;
 
  err:
-	free(abuf);
-	EVP_MD_CTX_reset(mctx);
+	if (si->mctx != NULL)
+		EVP_MD_CTX_reset(si->mctx);
+	freezero(buf, buf_len);
+	freezero(sig, sig_len);
 
-	return 0;
+	return ret;
 }
 LCRYPTO_ALIAS(CMS_SignerInfo_sign);
 
 int
 CMS_SignerInfo_verify(CMS_SignerInfo *si)
 {
-	EVP_MD_CTX *mctx = NULL;
-	unsigned char *abuf = NULL;
-	int alen, r = -1;
-	const EVP_MD *md = NULL;
+	const EVP_MD *md;
+	unsigned char *buf = NULL;
+	int buf_len = 0;
+	int ret = -1;
 
-	if (!si->pkey) {
+	if ((md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm)) == NULL)
+		goto err;
+
+	if (si->pkey == NULL) {
 		CMSerror(CMS_R_NO_PUBLIC_KEY);
-		return -1;
+		goto err;
 	}
 
-	md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
-	if (md == NULL)
-		return -1;
-	if (si->mctx == NULL && (si->mctx = EVP_MD_CTX_new()) == NULL) {
+	if (si->mctx == NULL)
+		si->mctx = EVP_MD_CTX_new();
+	if (si->mctx == NULL) {
 		CMSerror(ERR_R_MALLOC_FAILURE);
-		return -1;
+		goto err;
 	}
-	mctx = si->mctx;
-	if (EVP_DigestVerifyInit(mctx, &si->pctx, md, NULL, si->pkey) <= 0)
+
+	if (EVP_DigestVerifyInit(si->mctx, &si->pctx, md, NULL, si->pkey) <= 0)
 		goto err;
 
 	if (!cms_sd_asn1_ctrl(si, 1))
 		goto err;
 
-	alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf,
-	    &CMS_Attributes_Verify_it);
-	if (!abuf)
-		goto err;
-	r = EVP_DigestVerifyUpdate(mctx, abuf, alen);
-	free(abuf);
-	if (r <= 0) {
-		r = -1;
+	if ((buf_len = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &buf,
+	    &CMS_Attributes_Verify_it)) <= 0) {
+		buf_len = 0;
 		goto err;
 	}
 
-	r = EVP_DigestVerifyFinal(mctx, si->signature->data,
-	    si->signature->length);
-	if (r <= 0)
+	ret = EVP_DigestVerify(si->mctx, si->signature->data, si->signature->length,
+	    buf, buf_len);
+	if (ret <= 0) {
 		CMSerror(CMS_R_VERIFICATION_FAILURE);
+		goto err;
+	}
 
  err:
-	EVP_MD_CTX_reset(mctx);
+	if (si->mctx != NULL)
+		EVP_MD_CTX_reset(si->mctx);
+	freezero(buf, buf_len);
 
-	return r;
+	return ret;
 }
 LCRYPTO_ALIAS(CMS_SignerInfo_verify);
 

lib/libcrypto/evp/evp_enc.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.52 2023/07/07 19:37:53 beck Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.53 2023/09/10 16:53:56 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -78,8 +78,8 @@ int
 EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
     const unsigned char *key, const unsigned char *iv, int enc)
 {
-	if (cipher)
-		EVP_CIPHER_CTX_init(ctx);
+	if (cipher != NULL)
+		EVP_CIPHER_CTX_cleanup(ctx);
 	return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc);
 }
 

lib/libcrypto/evp/p_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: p_lib.c,v 1.36 2023/09/02 04:15:39 tb Exp $ */
+/* $OpenBSD: p_lib.c,v 1.37 2023/09/10 17:32:17 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -449,13 +449,14 @@ EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
 RSA *
 EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
 {
-	if (pkey->type == EVP_PKEY_RSA || pkey->type == EVP_PKEY_RSA_PSS) {
-		RSA_up_ref(pkey->pkey.rsa);
-		return pkey->pkey.rsa;
-	}
+	RSA *rsa;
 
-	EVPerror(EVP_R_EXPECTING_AN_RSA_KEY);
-	return NULL;
+	if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL)
+		return NULL;
+
+	RSA_up_ref(rsa);
+
+	return rsa;
 }
 
 int
@@ -482,12 +483,14 @@ EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
 DSA *
 EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
 {
-	if (pkey->type != EVP_PKEY_DSA) {
-		EVPerror(EVP_R_EXPECTING_A_DSA_KEY);
+	DSA *dsa;
+
+	if ((dsa = EVP_PKEY_get0_DSA(pkey)) == NULL)
 		return NULL;
-	}
-	DSA_up_ref(pkey->pkey.dsa);
-	return pkey->pkey.dsa;
+
+	DSA_up_ref(dsa);
+
+	return dsa;
 }
 
 int
@@ -514,12 +517,14 @@ EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
 EC_KEY *
 EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
 {
-	if (pkey->type != EVP_PKEY_EC) {
-		EVPerror(EVP_R_EXPECTING_A_EC_KEY);
+	EC_KEY *key;
+
+	if ((key = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
 		return NULL;
-	}
-	EC_KEY_up_ref(pkey->pkey.ec);
-	return pkey->pkey.ec;
+
+	EC_KEY_up_ref(key);
+
+	return key;
 }
 
 int
@@ -547,12 +552,14 @@ EVP_PKEY_get0_DH(EVP_PKEY *pkey)
 DH *
 EVP_PKEY_get1_DH(EVP_PKEY *pkey)
 {
-	if (pkey->type != EVP_PKEY_DH) {
-		EVPerror(EVP_R_EXPECTING_A_DH_KEY);
+	DH *dh;
+
+	if ((dh = EVP_PKEY_get0_DH(pkey)) == NULL)
 		return NULL;
-	}
-	DH_up_ref(pkey->pkey.dh);
-	return pkey->pkey.dh;
+
+	DH_up_ref(dh);
+
+	return dh;
 }
 
 int

lib/libcrypto/man/BIO_f_base64.3

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: BIO_f_base64.3,v 1.14 2023/09/10 11:20:52 schwarze Exp $
+.\"	$OpenBSD: BIO_f_base64.3,v 1.15 2023/09/11 04:00:40 jsg Exp $
 .\"	OpenSSL fc1d88f0 Wed Jul 2 22:42:40 2014 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,14 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 10 2023 $
+.Dd $Mdocdate: September 11 2023 $
 .Dt BIO_F_BASE64 3
 .Os
 .Sh NAME
 .Nm BIO_f_base64
 .\" .Nm EVP_ENCODE_LENGTH and
 .\" .Nm EVP_DECODE_LENGTH are intentionally undocumented
-.\" because they are internal implemention details of BIO_f_base64(3)
+.\" because they are internal implementation details of BIO_f_base64(3)
 .\" and practically unused outside evp/bio_b64.c.
 .Nd base64 BIO filter
 .Sh SYNOPSIS

lib/libcrypto/x509/x509_addr.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_addr.c,v 1.88 2023/09/06 15:53:07 job Exp $ */
+/*	$OpenBSD: x509_addr.c,v 1.89 2023/09/11 00:50:47 job Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -676,10 +676,9 @@ i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
 {
 	const IPAddrBlocks *addr = ext;
 	IPAddressFamily *af;
-	uint16_t afi = 0;
-	uint8_t safi = 0;
-	int safi_is_set = 0;
-	int i;
+	uint16_t afi;
+	uint8_t safi;
+	int i, safi_is_set;
 
 	for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
 		af = sk_IPAddressFamily_value(addr, i);