openssl: Vendor import of OpenSSL-3.0.9

Summary:

Release notes can be found at
https://www.openssl.org/news/openssl-3.0-notes.html .

Obtained from:  https://www.openssl.org/source/openssl-3.0.9.tar.gz

Test Plan:
```
$ git status
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.

nothing to commit, working tree clean
$ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.9.tar.gz                                    14 MB   74 MBps    01s
openssl-3.0.9.tar.gz.asc                               833  B   10 MBps    00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.9
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/khorben/.gnupg/pubring.kbx
--------------------------------
pub   rsa4096 2021-07-16 [SC] [expires: 2031-07-14]
      A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C
uid           [ unknown] Tomáš Mráz <tm@t8m.info>
uid           [ unknown] Tomáš Mráz <tomas@arleto.cz>
uid           [ unknown] Tomáš Mráz <tomas@openssl.org>
sub   rsa4096 2021-07-16 [S] [expires: 2027-07-15]
sub   rsa4096 2021-07-16 [E] [expires: 2031-07-14]

$ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue May 30 14:32:24 2023 CEST
gpg:                using RSA key DC7032662AF885E2F47F243F527466A21CA79E6D
gpg: Good signature from "Tomáš Mráz <tm@t8m.info>" [unknown]
gpg:                 aka "Tomáš Mráz <tomas@arleto.cz>" [unknown]
gpg:                 aka "Tomáš Mráz <tomas@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A21F AB74 B008 8AA3 6115  2586 B8EF 1A6B A9DA 2D5C
     Subkey fingerprint: DC70 3266 2AF8 85E2 F47F  243F 5274 66A2 1CA7 9E6D

$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
[...]
$ diff -arq ../openssl-${OSSLVER}  .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.

nothing to commit, working tree clean
```
This commit is contained in:
Pierre Pronchery
2023-06-01 00:06:50 +02:00
committed by Ed Maste
parent e4520c8bd1
commit b84c4564ef
181 changed files with 2746 additions and 1762 deletions
+8 -2
View File
@@ -1,5 +1,5 @@
/*
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
};
struct X509_POLICY_TREE_st {
/* The number of nodes in the tree */
size_t node_count;
/* The maximum number of nodes in the tree */
size_t node_maximum;
/* This is the tree 'level' data */
X509_POLICY_LEVEL *levels;
int nlevel;
@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
X509_POLICY_TREE *tree);
X509_POLICY_TREE *tree,
int extra_data);
void ossl_policy_node_free(X509_POLICY_NODE *node);
int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+20 -6
View File
@@ -1,5 +1,5 @@
/*
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
X509_POLICY_TREE *tree)
X509_POLICY_TREE *tree,
int extra_data)
{
X509_POLICY_NODE *node;
/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
return NULL;
node = OPENSSL_zalloc(sizeof(*node));
if (node == NULL) {
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
}
node->data = data;
node->parent = parent;
if (level) {
if (level != NULL) {
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
if (level->anyPolicy)
goto node_error;
@@ -90,24 +95,33 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
}
}
if (tree) {
if (extra_data) {
if (tree->extra_data == NULL)
tree->extra_data = sk_X509_POLICY_DATA_new_null();
if (tree->extra_data == NULL){
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto node_error;
goto extra_data_error;
}
if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto node_error;
goto extra_data_error;
}
}
tree->node_count++;
if (parent)
parent->nchild++;
return node;
extra_data_error:
if (level != NULL) {
if (level->anyPolicy == node)
level->anyPolicy = NULL;
else
(void) sk_X509_POLICY_NODE_pop(level->nodes);
}
node_error:
ossl_policy_node_free(node);
return NULL;
+40 -14
View File
@@ -1,5 +1,5 @@
/*
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -14,6 +14,19 @@
#include "pcy_local.h"
/*
* If the maximum number of nodes in the policy tree isn't defined, set it to
* a generous default of 1000 nodes.
*
* Defining this to be zero means unlimited policy tree growth which opens the
* door on CVE-2023-0464.
*/
#ifndef OPENSSL_POLICY_TREE_NODES_MAX
# define OPENSSL_POLICY_TREE_NODES_MAX 1000
#endif
static void exnode_free(X509_POLICY_NODE *node);
static void expected_print(BIO *channel,
X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
int indent)
@@ -163,6 +176,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
return X509_PCY_TREE_INTERNAL;
}
/* Limit the growth of the tree to mitigate CVE-2023-0464 */
tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
/*
* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
*
@@ -180,7 +196,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
if ((data = ossl_policy_data_new(NULL,
OBJ_nid2obj(NID_any_policy), 0)) == NULL)
goto bad_tree;
if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
ossl_policy_data_free(data);
goto bad_tree;
}
@@ -239,7 +255,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
* Return value: 1 on success, 0 otherwise
*/
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_DATA *data)
X509_POLICY_DATA *data,
X509_POLICY_TREE *tree)
{
X509_POLICY_LEVEL *last = curr - 1;
int i, matched = 0;
@@ -249,13 +266,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
if (ossl_policy_node_match(last, node, data->valid_policy)) {
if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
return 0;
matched = 1;
}
}
if (!matched && last->anyPolicy) {
if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
return 0;
}
return 1;
@@ -268,7 +285,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
* Return value: 1 on success, 0 otherwise.
*/
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
const X509_POLICY_CACHE *cache)
const X509_POLICY_CACHE *cache,
X509_POLICY_TREE *tree)
{
int i;
@@ -276,7 +294,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
/* Look for matching nodes in previous level */
if (!tree_link_matching_nodes(curr, data))
if (!tree_link_matching_nodes(curr, data, tree))
return 0;
}
return 1;
@@ -307,7 +325,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
/* Curr may not have anyPolicy */
data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
ossl_policy_data_free(data);
return 0;
}
@@ -370,7 +388,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
/* Finally add link to anyPolicy */
if (last->anyPolicy &&
ossl_policy_level_add_node(curr, cache->anyPolicy,
last->anyPolicy, NULL) == NULL)
last->anyPolicy, tree, 0) == NULL)
return 0;
return 1;
}
@@ -553,15 +571,23 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
| POLICY_DATA_FLAG_EXTRA_NODE;
node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
tree);
tree, 1);
if (node == NULL) {
ossl_policy_data_free(extra);
return 0;
}
}
if (!tree->user_policies) {
tree->user_policies = sk_X509_POLICY_NODE_new_null();
if (!tree->user_policies)
return 1;
if (!tree->user_policies) {
exnode_free(node);
return 0;
}
}
if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
exnode_free(node);
return 0;
}
}
return 1;
}
@@ -580,7 +606,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
for (i = 1; i < tree->nlevel; i++, curr++) {
cache = ossl_policy_cache_set(curr->cert);
if (!tree_link_nodes(curr, cache))
if (!tree_link_nodes(curr, cache, tree))
return X509_PCY_TREE_INTERNAL;
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
+6 -1
View File
@@ -179,7 +179,7 @@ const char *X509_verify_cert_error_string(long n)
case X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH:
return "subject signature algorithm and issuer public key algorithm mismatch";
case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY:
return "cert info siganature and signature algorithm mismatch";
return "cert info signature and signature algorithm mismatch";
case X509_V_ERR_INVALID_CA:
return "invalid CA certificate";
case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA:
@@ -213,6 +213,11 @@ const char *X509_verify_cert_error_string(long n)
case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS:
return "Certificate public key has explicit ECC parameters";
/*
* Entries must be kept consistent with include/openssl/x509_vfy.h.in
* and with doc/man3/X509_STORE_CTX_get_error.pod
*/
default:
/* Printing an error number into a static buffer is not thread-safe */
return "unknown certificate verification error";
+12 -4
View File
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
goto memerr;
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
int i;
int i, cbcalled = 0;
/* Locate certificates with bad extensions and notify callback. */
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
cbcalled = 1;
CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
}
if (!cbcalled) {
/* Should not be able to get here */
ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
return 0;
}
/* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {
@@ -3413,7 +3421,7 @@ static int check_curve(X509 *cert)
ret = EVP_PKEY_get_int_param(pkey,
OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS,
&val);
return ret < 0 ? ret : !val;
return ret == 1 ? !val : -1;
}
return 1;