sync

lib/libcrypto/crypto_init.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: crypto_init.c,v 1.8 2023/05/08 13:53:26 tb Exp $ */
+/*	$OpenBSD: crypto_init.c,v 1.9 2023/06/19 18:32:05 tb Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  *
@@ -21,7 +21,9 @@
 #include <stdio.h>
 
 #include <openssl/conf.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
@@ -79,7 +81,9 @@ OPENSSL_cleanup(void)
 	ERR_free_strings();
 
 	CRYPTO_cleanup_all_ex_data();
+#ifndef OPENSSL_NO_ENGINE
 	ENGINE_cleanup();
+#endif
 	EVP_cleanup();
 	x509_issuer_cache_free();
 

lib/libcrypto/ec/ec_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.57 2023/05/04 13:51:59 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.58 2023/06/20 14:37:15 tb Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -236,7 +236,8 @@ EC_METHOD_get_field_type(const EC_METHOD *meth)
 }
 
 /*
- * Try computing the cofactor from generator order n and field cardinality q.
+ * If there is a user-provided cofactor, sanity check and use it. Otherwise
+ * try computing the cofactor from generator order n and field cardinality q.
  * This works for all curves of cryptographic interest.
  *
  * Hasse's theorem: | h * n - (q + 1) | <= 2 * sqrt(q)
@@ -250,38 +251,43 @@ EC_METHOD_get_field_type(const EC_METHOD *meth)
  * Otherwise, zero cofactor and return success.
  */
 static int
-ec_guess_cofactor(EC_GROUP *group)
+ec_set_cofactor(EC_GROUP *group, const BIGNUM *in_cofactor)
 {
 	BN_CTX *ctx = NULL;
-	BIGNUM *q = NULL;
+	BIGNUM *cofactor;
 	int ret = 0;
 
+	BN_zero(&group->cofactor);
+
+	if ((ctx = BN_CTX_new()) == NULL)
+		goto err;
+
+	BN_CTX_start(ctx);
+	if ((cofactor = BN_CTX_get(ctx)) == NULL)
+		goto err;
+
+	/*
+	 * Unfortunately, the cofactor is an optional field in many standards.
+	 * Internally, the library uses a 0 cofactor as a marker for "unknown
+	 * cofactor".  So accept in_cofactor == NULL or in_cofactor >= 0.
+	 */
+	if (in_cofactor != NULL && !BN_is_zero(in_cofactor)) {
+		if (BN_is_negative(in_cofactor)) {
+			ECerror(EC_R_UNKNOWN_COFACTOR);
+			goto err;
+		}
+		if (!bn_copy(cofactor, in_cofactor))
+			goto err;
+		goto done;
+	}
+
 	/*
 	 * If the cofactor is too large, we cannot guess it and default to zero.
 	 * The RHS of below is a strict overestimate of log(4 * sqrt(q)).
 	 */
 	if (BN_num_bits(&group->order) <=
-	    (BN_num_bits(&group->field) + 1) / 2 + 3) {
-		BN_zero(&group->cofactor);
-		return 1;
-	}
-
-	if ((ctx = BN_CTX_new()) == NULL)
-		goto err;
-
-	BN_CTX_start(ctx);
-	if ((q = BN_CTX_get(ctx)) == NULL)
-		goto err;
-
-	/* Set q = 2**m for binary fields; q = p otherwise. */
-	if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
-		BN_zero(q);
-		if (!BN_set_bit(q, BN_num_bits(&group->field) - 1))
-			goto err;
-	} else {
-		if (!bn_copy(q, &group->field))
-			goto err;
-	}
+	    (BN_num_bits(&group->field) + 1) / 2 + 3)
+		goto done;
 
 	/*
 	 * Compute
@@ -289,17 +295,26 @@ ec_guess_cofactor(EC_GROUP *group)
 	 */
 
 	/* h = n/2 */
-	if (!BN_rshift1(&group->cofactor, &group->order))
+	if (!BN_rshift1(cofactor, &group->order))
 		goto err;
 	/* h = 1 + n/2 */
-	if (!BN_add(&group->cofactor, &group->cofactor, BN_value_one()))
+	if (!BN_add_word(cofactor, 1))
 		goto err;
 	/* h = q + 1 + n/2 */
-	if (!BN_add(&group->cofactor, &group->cofactor, q))
+	if (!BN_add(cofactor, cofactor, &group->field))
 		goto err;
 	/* h = (q + 1 + n/2) / n */
-	if (!BN_div_ct(&group->cofactor, NULL, &group->cofactor, &group->order,
-	    ctx))
+	if (!BN_div_ct(cofactor, NULL, cofactor, &group->order, ctx))
+		goto err;
+
+ done:
+	/* Use Hasse's theorem to bound the cofactor. */
+	if (BN_num_bits(cofactor) > BN_num_bits(&group->field) + 1) {
+		ECerror(EC_R_INVALID_GROUP_ORDER);
+		goto err;
+	}
+
+	if (!bn_copy(&group->cofactor, cofactor))
 		goto err;
 
 	ret = 1;
@@ -308,9 +323,6 @@ ec_guess_cofactor(EC_GROUP *group)
 	BN_CTX_end(ctx);
 	BN_CTX_free(ctx);
 
-	if (ret != 1)
-		BN_zero(&group->cofactor);
-
 	return ret;
 }
 
@@ -339,16 +351,6 @@ EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
 		return 0;
 	}
 
-	/*
-	 * Unfortunately, the cofactor is an optional field in many standards.
-	 * Internally, the library uses a 0 cofactor as a marker for "unknown
-	 * cofactor".  So accept cofactor == NULL or cofactor >= 0.
-	 */
-	if (cofactor != NULL && BN_is_negative(cofactor)) {
-		ECerror(EC_R_UNKNOWN_COFACTOR);
-		return 0;
-	}
-
 	if (group->generator == NULL) {
 		group->generator = EC_POINT_new(group);
 		if (group->generator == NULL)
@@ -360,19 +362,9 @@ EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
 	if (!bn_copy(&group->order, order))
 		return 0;
 
-	/* Either take the provided positive cofactor, or try to compute it. */
-	if (cofactor != NULL && !BN_is_zero(cofactor)) {
-		if (!bn_copy(&group->cofactor, cofactor))
-			return 0;
-	} else if (!ec_guess_cofactor(group))
+	if (!ec_set_cofactor(group, cofactor))
 		return 0;
 
-	/* Use Hasse's theorem to bound the cofactor. */
-	if (BN_num_bits(&group->cofactor) > BN_num_bits(&group->field) + 1) {
-		ECerror(EC_R_INVALID_GROUP_ORDER);
-		return 0;
-	}
-
 	return 1;
 }
 

lib/libcrypto/evp/pmeth_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_lib.c,v 1.27 2022/12/26 07:18:52 jmc Exp $ */
+/* $OpenBSD: pmeth_lib.c,v 1.31 2023/06/20 14:14:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -151,69 +151,65 @@ EVP_PKEY_meth_find(int type)
 }
 
 static EVP_PKEY_CTX *
-int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
+evp_pkey_ctx_new(EVP_PKEY *pkey, ENGINE *engine, int id)
 {
-	EVP_PKEY_CTX *ret;
+	EVP_PKEY_CTX *pkey_ctx = NULL;
 	const EVP_PKEY_METHOD *pmeth;
 
 	if (id == -1) {
-		if (!pkey || !pkey->ameth)
+		if (pkey == NULL || pkey->ameth == NULL)
 			return NULL;
 		id = pkey->ameth->pkey_id;
 	}
 #ifndef OPENSSL_NO_ENGINE
-	if (pkey && pkey->engine)
-		e = pkey->engine;
-	/* Try to find an ENGINE which implements this method */
-	if (e) {
-		if (!ENGINE_init(e)) {
+	if (pkey != NULL && pkey->engine != NULL)
+		engine = pkey->engine;
+	/* Try to find an ENGINE which implements this method. */
+	if (engine != NULL) {
+		if (!ENGINE_init(engine)) {
 			EVPerror(ERR_R_ENGINE_LIB);
 			return NULL;
 		}
 	} else
-		e = ENGINE_get_pkey_meth_engine(id);
+		engine = ENGINE_get_pkey_meth_engine(id);
 
-	/* If an ENGINE handled this method look it up. Otherwise
-	 * use internal tables.
-	 */
-
-	if (e)
-		pmeth = ENGINE_get_pkey_meth(e, id);
+	/* Look up method handler in ENGINE or use internal tables. */
+	if (engine != NULL)
+		pmeth = ENGINE_get_pkey_meth(engine, id);
 	else
 #endif
 		pmeth = EVP_PKEY_meth_find(id);
 
 	if (pmeth == NULL) {
 		EVPerror(EVP_R_UNSUPPORTED_ALGORITHM);
-		return NULL;
+		goto err;
 	}
 
-	ret = malloc(sizeof(EVP_PKEY_CTX));
-	if (ret == NULL) {
-#ifndef OPENSSL_NO_ENGINE
-		ENGINE_finish(e);
-#endif
+	if ((pkey_ctx = calloc(1, sizeof(*pkey_ctx))) == NULL) {
 		EVPerror(ERR_R_MALLOC_FAILURE);
-		return NULL;
+		goto err;
 	}
-	ret->engine = e;
-	ret->pmeth = pmeth;
-	ret->operation = EVP_PKEY_OP_UNDEFINED;
-	ret->pkey = pkey;
-	ret->peerkey = NULL;
-	ret->pkey_gencb = 0;
-	if (pkey)
-		CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
-	ret->data = NULL;
+	pkey_ctx->engine = engine;
+	engine = NULL;
+	pkey_ctx->pmeth = pmeth;
+	pkey_ctx->operation = EVP_PKEY_OP_UNDEFINED;
+	if ((pkey_ctx->pkey = pkey) != NULL)
+		EVP_PKEY_up_ref(pkey_ctx->pkey);
 
-	if (pmeth->init) {
-		if (pmeth->init(ret) <= 0) {
-			EVP_PKEY_CTX_free(ret);
-			return NULL;
-		}
+	if (pmeth->init != NULL) {
+		if (pmeth->init(pkey_ctx) <= 0)
+			goto err;
 	}
 
-	return ret;
+	return pkey_ctx;
+
+ err:
+	EVP_PKEY_CTX_free(pkey_ctx);
+#ifndef OPENSSL_NO_ENGINE
+	ENGINE_finish(engine);
+#endif
+
+	return NULL;
 }
 
 EVP_PKEY_METHOD*
@@ -261,57 +257,54 @@ EVP_PKEY_meth_free(EVP_PKEY_METHOD *pmeth)
 }
 
 EVP_PKEY_CTX *
-EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e)
+EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *engine)
 {
-	return int_ctx_new(pkey, e, -1);
+	return evp_pkey_ctx_new(pkey, engine, -1);
 }
 
 EVP_PKEY_CTX *
-EVP_PKEY_CTX_new_id(int id, ENGINE *e)
+EVP_PKEY_CTX_new_id(int id, ENGINE *engine)
 {
-	return int_ctx_new(NULL, e, id);
+	return evp_pkey_ctx_new(NULL, engine, id);
 }
 
 EVP_PKEY_CTX *
 EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx)
 {
-	EVP_PKEY_CTX *rctx;
+	EVP_PKEY_CTX *rctx = NULL;
 
-	if (!pctx->pmeth || !pctx->pmeth->copy)
-		return NULL;
+	if (pctx->pmeth == NULL || pctx->pmeth->copy == NULL)
+		goto err;
 #ifndef OPENSSL_NO_ENGINE
 	/* Make sure it's safe to copy a pkey context using an ENGINE */
-	if (pctx->engine && !ENGINE_init(pctx->engine)) {
+	if (pctx->engine != NULL && !ENGINE_init(pctx->engine)) {
 		EVPerror(ERR_R_ENGINE_LIB);
-		return 0;
+		goto err;
 	}
 #endif
-	rctx = malloc(sizeof(EVP_PKEY_CTX));
-	if (!rctx)
-		return NULL;
+	if ((rctx = calloc(1, sizeof(*rctx))) == NULL) {
+		EVPerror(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
 
 	rctx->pmeth = pctx->pmeth;
 #ifndef OPENSSL_NO_ENGINE
 	rctx->engine = pctx->engine;
 #endif
 
-	if (pctx->pkey)
-		CRYPTO_add(&pctx->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+	if ((rctx->pkey = pctx->pkey) != NULL)
+		EVP_PKEY_up_ref(rctx->pkey);
+	if ((rctx->peerkey = pctx->peerkey) != NULL)
+		EVP_PKEY_up_ref(rctx->peerkey);
 
-	rctx->pkey = pctx->pkey;
-
-	if (pctx->peerkey)
-		CRYPTO_add(&pctx->peerkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
-
-	rctx->peerkey = pctx->peerkey;
-
-	rctx->data = NULL;
-	rctx->app_data = NULL;
 	rctx->operation = pctx->operation;
 
-	if (pctx->pmeth->copy(rctx, pctx) > 0)
-		return rctx;
+	if (pctx->pmeth->copy(rctx, pctx) <= 0)
+		goto err;
 
+	return rctx;
+
+ err:
 	EVP_PKEY_CTX_free(rctx);
 	return NULL;
 }

lib/libcrypto/x509/x509_purp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.25 2023/04/23 21:49:15 job Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.26 2023/06/20 14:21:19 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -449,6 +449,7 @@ x509v3_cache_extensions_internal(X509 *x)
 	ASN1_BIT_STRING *ns;
 	EXTENDED_KEY_USAGE *extusage;
 	X509_EXTENSION *ex;
+	long version;
 	int i;
 
 	if (x->ex_flags & EXFLAG_SET)
@@ -456,12 +457,18 @@ x509v3_cache_extensions_internal(X509 *x)
 
 	X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL);
 
-	/* V1 should mean no extensions ... */
-	if (X509_get_version(x) == 0) {
+	version = X509_get_version(x);
+	if (version < 0 || version > 2)
+		x->ex_flags |= EXFLAG_INVALID;
+	if (version == 0) {
 		x->ex_flags |= EXFLAG_V1;
-		if (X509_get_ext_count(x) != 0)
+		/* UIDs may only appear in v2 or v3 certs */
+		if (x->cert_info->issuerUID != NULL ||
+		    x->cert_info->subjectUID != NULL)
 			x->ex_flags |= EXFLAG_INVALID;
 	}
+	if (version != 2 && X509_get_ext_count(x) != 0)
+		x->ex_flags |= EXFLAG_INVALID;
 
 	/* Handle basic constraints */
 	if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) {