SecBSD/src
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sync with OpenBSD -current

Browse source
This commit is contained in:
purplerain 2023-11-13 23:00:18 +00:00
parent 62d64fa864
commit 4574748555
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
13806 changed files with 1142078 additions and 937084 deletions
Download patch file Download diff file Expand all files Collapse all files

6
lib/libcrypto/Makefile
View file

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.155 2023/08/09 09:32:22 tb Exp $
# $OpenBSD: Makefile,v 1.156 2023/11/12 10:49:27 robert Exp $
LIB= crypto
LIBREBUILD=y
@ -52,6 +52,10 @@ VERSION_SCRIPT= Symbols.map
SYMBOL_LIST= ${.CURDIR}/Symbols.list
SYMBOL_NAMESPACE= ${.CURDIR}/Symbols.namespace
.if (${MACHINE_CPU} == "amd64") || (${MACHINE_CPU} == "i386")
SYMBOL_LIST+= ${.CURDIR}/arch/${MACHINE_CPU}/Symbols.list
.endif
# crypto/
SRCS+= cpt_err.c
SRCS+= cryptlib.c

1
lib/libcrypto/Symbols.list
View file

@ -1893,7 +1893,6 @@ OPENSSL_cleanup
OPENSSL_config
OPENSSL_cpu_caps
OPENSSL_cpuid_setup
OPENSSL_ia32cap_P
OPENSSL_init
OPENSSL_init_crypto
OPENSSL_load_builtin_modules

1
lib/libcrypto/arch/amd64/Symbols.list Normal file
View file

@ -0,0 +1 @@
OPENSSL_ia32cap_P

1
lib/libcrypto/arch/i386/Symbols.list Normal file
View file

@ -0,0 +1 @@
OPENSSL_ia32cap_P

18
lib/libcrypto/asn1/a_time_posix.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: a_time_posix.c,v 1.3 2023/01/01 16:58:23 miod Exp $ */
/* $OpenBSD: a_time_posix.c,v 1.4 2023/11/13 12:46:07 beck Exp $ */
/*
* Copyright (c) 2022, Google Inc.
* Copyright (c) 2022, Bob Beck <beck@obtuse.com>
@ -26,6 +26,8 @@
#include <string.h>
#include <time.h>
#include <openssl/asn1.h>
#define SECS_PER_HOUR (int64_t)(60 * 60)
#define SECS_PER_DAY (int64_t)(24 * SECS_PER_HOUR)
@ -220,6 +222,20 @@ asn1_time_time_t_to_tm(const time_t *time, struct tm *out_tm)
return asn1_time_posix_to_tm(posix_time, out_tm);
}
int
OPENSSL_timegm(const struct tm *tm, time_t *out) {
return asn1_time_tm_to_time_t(tm, out);
}
LCRYPTO_ALIAS(OPENSSL_timegm);
struct tm *
OPENSSL_gmtime(const time_t *time, struct tm *out_tm) {
if (!asn1_time_time_t_to_tm(time, out_tm))
return NULL;
return out_tm;
}
LCRYPTO_ALIAS(OPENSSL_gmtime);
int
OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec)
{

7
lib/libcrypto/asn1/asn1.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: asn1.h,v 1.80 2023/07/28 10:33:13 tb Exp $ */
/* $OpenBSD: asn1.h,v 1.81 2023/11/13 12:46:07 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -914,6 +914,11 @@ int SMIME_text(BIO *in, BIO *out);
void ERR_load_ASN1_strings(void);
#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API)
int OPENSSL_timegm(const struct tm *tm, time_t *out);
struct tm *OPENSSL_gmtime(const time_t *time, struct tm *out_tm);
#endif
/* Error codes for the ASN1 functions. */
/* Function codes. */

4
lib/libcrypto/hidden/openssl/asn1.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: asn1.h,v 1.6 2023/07/28 10:33:13 tb Exp $ */
/* $OpenBSD: asn1.h,v 1.7 2023/11/13 12:46:07 beck Exp $ */
/*
* Copyright (c) 2023 Bob Beck <beck@openbsd.org>
*
@ -249,5 +249,7 @@ LCRYPTO_USED(SMIME_text);
LCRYPTO_USED(ERR_load_ASN1_strings);
LCRYPTO_USED(ASN1_time_parse);
LCRYPTO_USED(ASN1_time_tm_cmp);
LCRYPTO_USED(OPENSSL_gmtime);
LCRYPTO_USED(OPENSSL_timegm);
#endif /* _LIBCRYPTO_ASN1_H */

44
lib/libcrypto/man/ASN1_TIME_set.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: ASN1_TIME_set.3,v 1.19 2022/11/13 22:11:44 schwarze Exp $
.\" $OpenBSD: ASN1_TIME_set.3,v 1.20 2023/11/13 12:46:07 beck Exp $
.\" full merge up to: OpenSSL 3d0f1cb9 Jul 11 03:01:24 2017 +0800
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\"
@ -68,7 +68,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: November 13 2022 $
.Dd $Mdocdate: November 13 2023 $
.Dt ASN1_TIME_SET 3
.Os
.Sh NAME
@ -95,6 +95,8 @@
.Nm ASN1_UTCTIME_cmp_time_t ,
.Nm ASN1_TIME_compare ,
.Nm ASN1_TIME_to_generalizedtime
.Nm OPENSSL_gmtime,
.Nm OPENSSL_timegm,
.Nd ASN.1 Time functions
.Sh SYNOPSIS
.In openssl/asn1.h
@ -217,6 +219,16 @@
.Fa "const ASN1_TIME *t"
.Fa "ASN1_GENERALIZEDTIME **out"
.Fc
.Ft struct tm *
.Fo OPENSSL_gmtime
.Fa "const time_t *time"
.Fa "struct tm *out_tm"
.Fc
.Ft int
.Fo OPENSSL_timegm
.Fa "const struct tm *tm"
.Fa "time_t *out_time"
.Fc
.Sh DESCRIPTION
An
.Vt ASN1_TIME
@ -562,6 +574,28 @@ is earlier than
is later than
.Fa t ,
or \-2 on error.
.Pp
.Fn OPENSSL_timegm
converts a time structure in UTC time in
.Fa tm
to a time_t value in
.Fa out_time
.Fn OPENSSL_timegm
returns 1 for success or 0 for failure.
It can fail if the time is not representable in a time_t,
or falls outside the range allowed in RFC 5280 times.
.Pp
.Fn OPENSSL_gmtime
converts a time_t value in
.Fa time
to a struct tm in
.Fa out_tm
.Fn OPENSSL_gmtime
returns
.Fa out_tm
on success or NULL for failure.
It can fail if the time is not representable in a struct tm,
or falls outside the range allowed in RFC 5280 times.
.Sh EXAMPLES
Set a time object to one hour after the current time and print it
out:
@ -651,6 +685,12 @@ and
.Fn ASN1_TIME_compare
first appeared in OpenSSL 1.1.1 and have been available since
.Ox 7.2 .
.Pp
.Fn OPENSSL_gmtime
and
.Fn OPENSSL_timegm
first appeared in BoringSSL and have been available since
.Ox 7.5 .
.Sh CAVEATS
Some applications add offset times directly to a
.Vt time_t

142
lib/libcrypto/x509/x509_asid.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_asid.c,v 1.40 2023/04/19 12:30:09 jsg Exp $ */
/* $OpenBSD: x509_asid.c,v 1.41 2023/11/11 09:35:21 tb Exp $ */
/*
* Contributed to the OpenSSL Project by the American Registry for
* Internet Numbers ("ARIN").
@ -406,8 +406,12 @@ int
X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
{
ASIdentifierChoice **choice;
ASIdentifierChoice *aic = NULL;
int ret = 0;
if (asid == NULL)
return 0;
goto err;
switch (which) {
case V3_ASID_ASNUM:
choice = &asid->asnum;
@ -416,19 +420,76 @@ X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
choice = &asid->rdi;
break;
default:
return 0;
goto err;
}
if (*choice == NULL) {
if ((*choice = ASIdentifierChoice_new()) == NULL)
return 0;
if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
return 0;
(*choice)->type = ASIdentifierChoice_inherit;
if (*choice != NULL) {
if ((*choice)->type != ASIdentifierChoice_inherit)
goto err;
} else {
if ((aic = ASIdentifierChoice_new()) == NULL)
goto err;
if ((aic->u.inherit = ASN1_NULL_new()) == NULL)
goto err;
aic->type = ASIdentifierChoice_inherit;
*choice = aic;
aic = NULL;
}
return (*choice)->type == ASIdentifierChoice_inherit;
ret = 1;
err:
ASIdentifierChoice_free(aic);
return ret;
}
LCRYPTO_ALIAS(X509v3_asid_add_inherit);
static int
ASIdOrRanges_add_id_or_range(ASIdOrRanges *aors, ASN1_INTEGER *min,
ASN1_INTEGER *max)
{
ASIdOrRange *aor = NULL;
ASRange *asr = NULL;
int ret = 0;
/* Preallocate since we must not fail after sk_ASIdOrRange_push(). */
if (max != NULL) {
if ((asr = ASRange_new()) == NULL)
goto err;
}
if ((aor = ASIdOrRange_new()) == NULL)
goto err;
if (sk_ASIdOrRange_push(aors, aor) <= 0)
goto err;
if (max == NULL) {
aor->type = ASIdOrRange_id;
aor->u.id = min;
} else {
ASN1_INTEGER_free(asr->min);
asr->min = min;
ASN1_INTEGER_free(asr->max);
asr->max = max;
aor->type = ASIdOrRange_range;
aor->u.range = asr;
asr = NULL;
}
aor = NULL;
ret = 1;
err:
ASIdOrRange_free(aor);
ASRange_free(asr);
return ret;
}
/*
* Add an ID or range to an ASIdentifierChoice.
*/
@ -437,9 +498,12 @@ X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min,
ASN1_INTEGER *max)
{
ASIdentifierChoice **choice;
ASIdOrRange *aor;
ASIdentifierChoice *aic = NULL, *new_aic = NULL;
int ret = 0;
if (asid == NULL)
return 0;
goto err;
switch (which) {
case V3_ASID_ASNUM:
choice = &asid->asnum;
@ -448,39 +512,33 @@ X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min,
choice = &asid->rdi;
break;
default:
return 0;
}
if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
return 0;
if (*choice == NULL) {
if ((*choice = ASIdentifierChoice_new()) == NULL)
return 0;
(*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
if ((*choice)->u.asIdsOrRanges == NULL)
return 0;
(*choice)->type = ASIdentifierChoice_asIdsOrRanges;
}
if ((aor = ASIdOrRange_new()) == NULL)
return 0;
if (max == NULL) {
aor->type = ASIdOrRange_id;
aor->u.id = min;
} else {
aor->type = ASIdOrRange_range;
if ((aor->u.range = ASRange_new()) == NULL)
goto err;
ASN1_INTEGER_free(aor->u.range->min);
aor->u.range->min = min;
ASN1_INTEGER_free(aor->u.range->max);
aor->u.range->max = max;
}
if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
goto err;
return 1;
}
if ((aic = *choice) != NULL) {
if (aic->type != ASIdentifierChoice_asIdsOrRanges)
goto err;
} else {
if ((aic = new_aic = ASIdentifierChoice_new()) == NULL)
goto err;
aic->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
if (aic->u.asIdsOrRanges == NULL)
goto err;
aic->type = ASIdentifierChoice_asIdsOrRanges;
}
if (!ASIdOrRanges_add_id_or_range(aic->u.asIdsOrRanges, min, max))
goto err;
*choice = aic;
aic = new_aic = NULL;
ret = 1;
err:
ASIdOrRange_free(aor);
return 0;
ASIdentifierChoice_free(new_aic);
return ret;
}
LCRYPTO_ALIAS(X509v3_asid_add_id_or_range);

7
lib/libcrypto/x509/x509_internal.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_internal.h,v 1.26 2023/09/29 15:53:59 beck Exp $ */
/* $OpenBSD: x509_internal.h,v 1.27 2023/11/13 10:33:00 tb Exp $ */
/*
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
*
@ -96,7 +96,8 @@ int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx);
int x509v3_cache_extensions(X509 *x);
X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x);
time_t x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter);
int x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter,
time_t *out);
struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc);
@ -133,7 +134,7 @@ int x509_constraints_check(struct x509_constraints_names *names,
struct x509_constraints_names *excluded, int *error);
int x509_constraints_chain(STACK_OF(X509) *chain, int *error,
int *depth);
void x509_verify_cert_info_populate(X509 *cert);
int x509_verify_cert_info_populate(X509 *cert);
int x509_vfy_check_security_level(X509_STORE_CTX *ctx);
__END_HIDDEN_DECLS

5
lib/libcrypto/x509/x509_purp.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_purp.c,v 1.29 2023/08/18 08:42:41 tb Exp $ */
/* $OpenBSD: x509_purp.c,v 1.30 2023/11/13 10:33:00 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
@ -711,7 +711,8 @@ x509v3_cache_extensions_internal(X509 *x)
if (!x509_extension_oids_are_unique(x))
x->ex_flags |= EXFLAG_INVALID;
x509_verify_cert_info_populate(x);
if (!x509_verify_cert_info_populate(x))
x->ex_flags |= EXFLAG_INVALID;
x->ex_flags |= EXFLAG_SET;
}

38
lib/libcrypto/x509/x509_verify.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_verify.c,v 1.66 2023/05/07 07:11:50 tb Exp $ */
/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
@ -27,6 +27,7 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "asn1_local.h"
#include "x509_internal.h"
#include "x509_issuer_cache.h"
@ -44,21 +45,22 @@ static void x509_verify_chain_free(struct x509_verify_chain *chain);
* Parse an asn1 to a representable time_t as per RFC 5280 rules.
* Returns -1 if that can't be done for any reason.
*/
time_t
x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
int
x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
time_t *out)
{
struct tm tm = { 0 };
int type;
type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
if (type == -1)
return -1;
return 0;
/* RFC 5280 section 4.1.2.5 */
if (tm.tm_year < 150 && type != V_ASN1_UTCTIME)
return -1;
return 0;
if (tm.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)
return -1;
return 0;
if (notAfter) {
/*
@ -67,7 +69,7 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
* date, limit the date to a 32 bit representable value.
*/
if (!ASN1_time_tm_clamp_notafter(&tm))
return -1;
return 0;
}
/*
@ -75,22 +77,36 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
* a time_t. A time_t must be sane if you care about times after
* Jan 19 2038.
*/
return timegm(&tm);
return asn1_time_tm_to_time_t(&tm, out);
}
/*
* Cache certificate hash, and values parsed out of an X509.
* called from cache_extensions()
*/
void
int
x509_verify_cert_info_populate(X509 *cert)
{
const ASN1_TIME *notBefore, *notAfter;
/*
* Parse and save the cert times, or remember that they
* are unacceptable/unparsable.
*/
cert->not_before = x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0);
cert->not_after = x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1);
cert->not_before = cert->not_after = -1;
if ((notBefore = X509_get_notBefore(cert)) == NULL)
return 0;
if ((notAfter = X509_get_notAfter(cert)) == NULL)
return 0;
if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before))
return 0;
if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after))
return 0;
return 1;
}
struct x509_verify_chain *

5
lib/libcrypto/x509/x509_vfy.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_vfy.c,v 1.125 2023/06/08 22:02:40 beck Exp $ */
/* $OpenBSD: x509_vfy.c,v 1.126 2023/11/13 10:33:00 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -1969,8 +1969,7 @@ X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int is_notafter)
else
compare = *cmp_time;
if ((cert_time = x509_verify_asn1_time_to_time_t(ctm, is_notafter)) ==
-1)
if (!x509_verify_asn1_time_to_time_t(ctm, is_notafter, &cert_time))
return 0; /* invalid time */
if (cert_time <= compare)

62
lib/libcrypto/x509/x509type.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509type.c,v 1.19 2023/06/15 18:30:09 tb Exp $ */
/* $OpenBSD: x509type.c,v 1.24 2023/11/13 16:16:14 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -69,20 +69,24 @@ int
X509_certificate_type(const X509 *x, const EVP_PKEY *pkey)
{
const EVP_PKEY *pk = pkey;
int ret = 0, i;
int nid;
int ret = 0;
if (x == NULL)
return (0);
goto done;
if (pk == NULL) {
if ((pk = X509_get0_pubkey(x)) == NULL)
return (0);
}
if (pk == NULL)
pk = X509_get0_pubkey(x);
if (pk == NULL)
goto done;
switch (pk->type) {
case EVP_PKEY_RSA:
ret = EVP_PK_RSA|EVP_PKT_SIGN|EVP_PKT_ENC;
break;
case EVP_PKEY_RSA_PSS:
ret = EVP_PK_RSA|EVP_PKT_SIGN;
break;
case EVP_PKEY_DSA:
ret = EVP_PK_DSA|EVP_PKT_SIGN;
break;
@ -103,28 +107,30 @@ X509_certificate_type(const X509 *x, const EVP_PKEY *pkey)
break;
}
i = OBJ_obj2nid(x->sig_alg->algorithm);
if (i && OBJ_find_sigid_algs(i, NULL, &i)) {
switch (i) {
case NID_rsaEncryption:
case NID_rsa:
ret |= EVP_PKS_RSA;
break;
case NID_dsa:
case NID_dsa_2:
ret |= EVP_PKS_DSA;
break;
case NID_X9_62_id_ecPublicKey:
ret |= EVP_PKS_EC;
break;
default:
break;
}
if ((nid = X509_get_signature_nid(x)) == NID_undef)
goto done;
if (!OBJ_find_sigid_algs(nid, NULL, &nid))
goto done;
switch (nid) {
case NID_rsaEncryption:
case NID_rsa:
ret |= EVP_PKS_RSA;
break;
case NID_dsa:
case NID_dsa_2:
ret |= EVP_PKS_DSA;
break;
case NID_X9_62_id_ecPublicKey:
ret |= EVP_PKS_EC;
break;
default:
break;
}
/* /8 because it's 1024 bits we look for, not bytes */
if (EVP_PKEY_size(pk) <= 1024 / 8)
ret |= EVP_PKT_EXP;
return (ret);
done:
return ret;
}
LCRYPTO_ALIAS(X509_certificate_type);