Version in base suite: 1.1.1n-0+deb11u4 Version in overlay suite: 1.1.1n-0+deb11u5 Base version: openssl_1.1.1n-0+deb11u5 Target version: openssl_1.1.1v-0~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssl/openssl_1.1.1n-0+deb11u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssl/openssl_1.1.1v-0~deb11u1.dsc CHANGES | 265 ++ Configurations/10-main.conf | 16 Configurations/descrip.mms.tmpl | 10 Configurations/windows-makefile.tmpl | 3 Configure | 20 NEWS | 49 README | 4 apps/apps.c | 17 apps/apps.h | 11 apps/ca.c | 8 apps/ocsp.c | 4 apps/s_cb.c | 28 apps/s_server.c | 49 apps/x509.c | 16 config | 3 crypto/aes/asm/aesni-x86.pl | 6 crypto/aes/asm/aesv8-armx.pl | 64 crypto/aes/asm/bsaes-armv7.pl | 4 crypto/asn1/a_bitstr.c | 8 crypto/asn1/asn_mime.c | 6 crypto/asn1/bio_asn1.c | 4 crypto/asn1/bio_ndef.c | 41 crypto/asn1/charmap.pl | 9 crypto/bio/b_print.c | 21 crypto/bn/asm/x86_64-mont5.pl | 198 -- crypto/bn/bn_asm.c | 108 - crypto/bn/bn_blind.c | 5 crypto/bn/bn_div.c | 8 crypto/bn/bn_err.c | 2 crypto/bn/bn_exp.c | 83 crypto/bn/bn_gcd.c | 8 crypto/bn/bn_lib.c | 24 crypto/bn/bn_local.h | 48 crypto/bn/bn_mont.c | 4 crypto/bn/bn_nist.c | 35 crypto/bn/bn_prime.pl | 9 crypto/bn/rsaz_exp.c | 10 crypto/bn/rsaz_exp.h | 25 crypto/cms/cms_enc.c | 5 crypto/cms/cms_err.c | 2 crypto/conf/conf_sap.c | 7 crypto/conf/keysets.pl | 10 crypto/dh/dh_check.c | 20 crypto/dh/dh_err.c | 3 crypto/ec/curve448/curve448.c | 3 crypto/ec/ec_asn1.c | 16 crypto/ec/ec_key.c | 15 crypto/ec/ecp_nistz256.c | 3 crypto/engine/eng_dyn.c | 33 crypto/err/err.c | 45 crypto/err/openssl.txt | 5 crypto/evp/bio_enc.c | 9 crypto/evp/evp_enc.c | 10 crypto/evp/evp_local.h | 4 crypto/init.c | 13 crypto/objects/obj_dat.c | 21 crypto/objects/obj_dat.pl | 11 crypto/objects/objects.pl | 13 crypto/objects/objxref.pl | 13 crypto/pem/pem_lib.c | 10 crypto/rand/drbg_lib.c | 20 crypto/rand/rand_lib.c | 8 crypto/rand/rand_vms.c | 90 crypto/rand/rand_win.c | 6 crypto/rsa/rsa_ameth.c | 1 crypto/rsa/rsa_ossl.c | 15 crypto/s390x_arch.h | 5 crypto/s390xcap.c | 5 crypto/txt_db/txt_db.c | 4 crypto/ui/ui_lib.c | 6 crypto/ui/ui_util.c | 6 crypto/x509/by_dir.c | 18 crypto/x509/x509_cmp.c | 6 crypto/x509/x509_req.c | 46 crypto/x509/x509_vfy.c | 17 crypto/x509/x_all.c | 11 crypto/x509/x_crl.c | 14 crypto/x509/x_name.c | 8 crypto/x509v3/pcy_local.h | 10 crypto/x509v3/pcy_node.c | 26 crypto/x509v3/pcy_tree.c | 56 crypto/x509v3/v3_addr.c | 33 crypto/x509v3/v3_asid.c | 33 crypto/x509v3/v3_genn.c | 4 crypto/x509v3/v3_lib.c | 6 crypto/x509v3/v3_sxnet.c | 22 crypto/x509v3/v3_utl.c | 9 debian/changelog | 9 debian/patches/AES-OCB-test-vectors.patch | 79 debian/patches/Add-a-Certificate-Policies-Test.patch | 45 debian/patches/Add-a-test-for-CVE-2022-4450.patch | 55 debian/patches/Alternative-fix-for-CVE-2022-4304.patch | 454 ---- debian/patches/Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch | 33 debian/patches/CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch | 87 debian/patches/Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch | 72 debian/patches/Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in-leaf.patch | 49 debian/patches/Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch | 69 debian/patches/Fix-Timing-Oracle-in-RSA-decryption.patch | 798 -------- debian/patches/Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch | 99 - debian/patches/Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch | 42 debian/patches/Fix-file-operations-in-c_rehash.patch | 216 -- debian/patches/Generate-some-certificates-with-the-certificatePolicies-e.patch | 141 - debian/patches/Re-add-BN_F_OSSL_BN_RSA_DO_UNBLIND-which-was-incorrectly-.patch | 24 debian/patches/Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj2txt-.patch | 57 debian/patches/Revert-Fix-Timing-Oracle-in-RSA-decryption.patch | 789 -------- debian/patches/Update-expired-SCT-certificates.patch | 187 - debian/patches/Update-further-expiring-certificates-that-affect-tests.patch | 959 ---------- debian/patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch | 72 debian/patches/c_rehash-compat.patch | 61 debian/patches/ct_test.c-Update-the-epoch-time.patch | 24 debian/patches/series | 22 debian/patches/x509-excessive-resource-use-verifying-policy-constraints.patch | 218 -- debian/upstream/signing-key.asc | 768 +++----- doc/fingerprints.txt | 15 doc/man1/x509.pod | 24 doc/man3/BIO_f_base64.pod | 5 doc/man3/CMS_add0_cert.pod | 34 doc/man3/CMS_verify.pod | 83 doc/man3/EC_KEY_new.pod | 20 doc/man3/EVP_EncryptInit.pod | 4 doc/man3/OPENSSL_LH_COMPFUNC.pod | 4 doc/man3/OPENSSL_init_crypto.pod | 4 doc/man3/PKCS7_sign.pod | 47 doc/man3/PKCS7_sign_add_signer.pod | 55 doc/man3/PKCS7_verify.pod | 110 - doc/man3/SSL_CTX_set1_verify_cert_store.pod | 15 doc/man3/SSL_CTX_set_timeout.pod | 12 doc/man3/SSL_get_current_cipher.pod | 6 doc/man3/X509_STORE_CTX_new.pod | 10 doc/man3/X509_VERIFY_PARAM_set_flags.pod | 11 engines/asm/e_padlock-x86.pl | 4 engines/asm/e_padlock-x86_64.pl | 4 engines/e_padlock.c | 17 include/crypto/bn.h | 2 include/openssl/bnerr.h | 3 include/openssl/cmserr.h | 1 include/openssl/dh.h | 5 include/openssl/dherr.h | 3 include/openssl/opensslv.h | 6 include/openssl/ssl.h | 12 include/openssl/x509v3.h | 4 ssl/packet.c | 8 ssl/packet_local.h | 39 ssl/record/rec_layer_s3.c | 33 ssl/record/ssl3_buffer.c | 9 ssl/record/ssl3_record.c | 16 ssl/s3_enc.c | 4 ssl/s3_lib.c | 12 ssl/ssl_cert.c | 6 ssl/ssl_ciph.c | 6 ssl/ssl_init.c | 19 ssl/ssl_lib.c | 30 ssl/ssl_local.h | 3 ssl/ssl_rsa.c | 83 ssl/ssl_txt.c | 6 ssl/statem/extensions_clnt.c | 23 ssl/statem/extensions_srvr.c | 21 ssl/statem/statem_clnt.c | 7 ssl/statem/statem_dtls.c | 8 ssl/statem/statem_srvr.c | 23 ssl/t1_enc.c | 4 ssl/t1_lib.c | 18 ssl/tls13_enc.c | 3 test/certs/ca-pol-cert.pem | 19 test/certs/ee-cert-policies-bad.pem | 20 test/certs/ee-cert-policies.pem | 20 test/certs/ee-ed25519.pem | 43 test/certs/embeddedSCTs1-key.pem | 38 test/certs/embeddedSCTs1.pem | 35 test/certs/embeddedSCTs1.sct | 12 test/certs/embeddedSCTs1_issuer-key.pem | 15 test/certs/embeddedSCTs1_issuer.pem | 30 test/certs/mkcert.sh | 11 test/certs/root-ed25519.pem | 45 test/certs/rootCA.pem | 94 test/certs/setup.sh | 6 test/ct_test.c | 4 test/dhtest.c | 29 test/dtls_mtu_test.c | 50 test/dtlstest.c | 90 test/ec_internal_test.c | 36 test/exptest.c | 33 test/pemtest.c | 32 test/recipes/10-test_bn_data/bnmod.txt | 65 test/recipes/25-test_verify.t | 15 test/recipes/25-test_x509.t | 63 test/recipes/30-test_evp_data/evpciph.txt | 52 test/recipes/70-test_tls13hrr.t | 53 test/recipes/80-test_cms.t | 17 test/recipes/80-test_policy_tree.t | 43 test/recipes/80-test_policy_tree_data/large_leaf.pem | 11 test/recipes/80-test_policy_tree_data/large_policy_tree.pem | 434 ++++ test/recipes/80-test_policy_tree_data/small_leaf.pem | 11 test/recipes/80-test_policy_tree_data/small_policy_tree.pem | 70 test/recipes/80-test_ssl_new.t | 6 test/recipes/95-test_external_pyca_data/cryptography.sh | 20 test/smime-certs/badrsa.pem | 18 test/smime-certs/mksmime-certs.sh | 24 test/smime-certs/smdh.pem | 72 test/smime-certs/smdsa1.pem | 86 test/smime-certs/smdsa2.pem | 86 test/smime-certs/smdsa3.pem | 86 test/smime-certs/smec1.pem | 36 test/smime-certs/smec2.pem | 38 test/smime-certs/smroot.pem | 90 test/smime-certs/smrsa1.pem | 90 test/smime-certs/smrsa2.pem | 90 test/smime-certs/smrsa3.pem | 90 test/ssl-tests/10-resumption.conf | 121 + test/ssl-tests/11-dtls_resumption.conf | 124 + test/ssl-tests/30-supported-groups.conf | 54 test/ssl-tests/30-supported-groups.conf.in | 45 test/ssl-tests/protocol_version.pm | 65 test/sslapitest.c | 558 +++++ test/ssltestlib.c | 35 test/ssltestlib.h | 3 test/test_test.c | 398 ++-- test/testutil/driver.c | 4 test/v3ext.c | 295 +++ test/v3nametest.c | 10 test/x509_internal_test.c | 57 tools/c_rehash.in | 231 +- util/mkdef.pl | 3 util/perl/OpenSSL/copyright.pm | 41 util/private.num | 4 225 files changed, 5851 insertions(+), 6844 deletions(-) diff -Nru openssl-1.1.1n/CHANGES openssl-1.1.1v/CHANGES --- openssl-1.1.1n/CHANGES 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/CHANGES 2023-08-01 13:51:35.000000000 +0000 @@ -7,6 +7,271 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1u and 1.1.1v [1 Aug 2023] + + *) Fix excessive time spent checking DH q parameter value. + + The function DH_check() performs various checks on DH parameters. After + fixing CVE-2023-3446 it was discovered that a large q parameter value can + also trigger an overly long computation during some of these checks. + A correct q value, if present, cannot be larger than the modulus p + parameter, thus it is unnecessary to perform these checks if q is larger + than p. + + If DH_check() is called with such q parameter value, + DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally + intensive checks are skipped. + + (CVE-2023-3817) + [Tomáš Mráz] + + *) Fix DH_check() excessive time with over sized modulus + + The function DH_check() performs various checks on DH parameters. One of + those checks confirms that the modulus ("p" parameter) is not too large. + Trying to use a very large modulus is slow and OpenSSL will not normally use + a modulus which is over 10,000 bits in length. + + However the DH_check() function checks numerous aspects of the key or + parameters that have been supplied. Some of those checks use the supplied + modulus value even if it has already been found to be too large. + + A new limit has been added to DH_check of 32,768 bits. Supplying a + key/parameters with a modulus over this size will simply cause DH_check() + to fail. + (CVE-2023-3446) + [Matt Caswell] + + Changes between 1.1.1t and 1.1.1u [30 May 2023] + + *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. + + OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical + numeric text form. For gigantic sub-identifiers, this would take a very + long time, the time complexity being O(n^2) where n is the size of that + sub-identifier. (CVE-2023-2650) + + To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT + IDENTIFIER to canonical numeric text form if the size of that OBJECT + IDENTIFIER is 586 bytes or less, and fail otherwise. + + The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT + IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at + most 128 sub-identifiers, and that the maximum value that each sub- + identifier may have is 2^32-1 (4294967295 decimal). + + For each byte of every sub-identifier, only the 7 lower bits are part of + the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with + these restrictions may occupy is 32 * 128 / 7, which is approximately 586 + bytes. + + Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + + [Richard Levitte] + + *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304). + The previous fix for this timing side channel turned out to cause + a severe 2-3x performance regression in the typical use case + compared to 1.1.1s. The new fix uses existing constant time + code paths, and restores the previous performance level while + fully eliminating all existing timing side channels. + The fix was developed by Bernd Edlinger with testing support + by Hubert Kario. + [Bernd Edlinger] + + *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention + that it does not enable policy checking. Thanks to + David Benjamin for discovering this issue. (CVE-2023-0466) + [Tomas Mraz] + + *) Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are skipped + for that certificate. A malicious CA could use this to deliberately assert + invalid certificate policies in order to circumvent policy checking on the + certificate altogether. (CVE-2023-0465) + [Matt Caswell] + + *) Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build + time define to a desired maximum number of nodes or zero to allow + unlimited growth. (CVE-2023-0464) + [Paul Dale] + + Changes between 1.1.1s and 1.1.1t [7 Feb 2023] + + *) Fixed X.400 address type confusion in X.509 GeneralName. + + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING + but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This + vulnerability may allow an attacker who can provide a certificate chain and + CRL (neither of which need have a valid signature) to pass arbitrary + pointers to a memcmp call, creating a possible read primitive, subject to + some constraints. Refer to the advisory for more information. Thanks to + David Benjamin for discovering this issue. (CVE-2023-0286) + + This issue has been fixed by changing the public header file definition of + GENERAL_NAME so that x400Address reflects the implementation. It was not + possible for any existing application to successfully use the existing + definition; however, if any application references the x400Address field + (e.g. in dead code), note that the type of this field has changed. There is + no ABI change. + [Hugo Landau] + + *) Fixed Use-after-free following BIO_new_NDEF. + + The public API function BIO_new_NDEF is a helper function used for + streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL + to support the SMIME, CMS and PKCS7 streaming capabilities, but may also + be called directly by end user applications. + + The function receives a BIO from the caller, prepends a new BIO_f_asn1 + filter BIO onto the front of it to form a BIO chain, and then returns + the new head of the BIO chain to the caller. Under certain conditions, + for example if a CMS recipient public key is invalid, the new filter BIO + is freed and the function returns a NULL result indicating a failure. + However, in this case, the BIO chain is not properly cleaned up and the + BIO passed by the caller still retains internal pointers to the previously + freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO + then a use-after-free will occur. This will most likely result in a crash. + (CVE-2023-0215) + [Viktor Dukhovni, Matt Caswell] + + *) Fixed Double free after calling PEM_read_bio_ex. + + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload + data. If the function succeeds then the "name_out", "header" and "data" + arguments are populated with pointers to buffers containing the relevant + decoded data. The caller is responsible for freeing those buffers. It is + possible to construct a PEM file that results in 0 bytes of payload data. + In this case PEM_read_bio_ex() will return a failure code but will populate + the header argument with a pointer to a buffer that has already been freed. + If the caller also frees this buffer then a double free will occur. This + will most likely lead to a crash. + + The functions PEM_read_bio() and PEM_read() are simple wrappers around + PEM_read_bio_ex() and therefore these functions are also directly affected. + + These functions are also called indirectly by a number of other OpenSSL + functions including PEM_X509_INFO_read_bio_ex() and + SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL + internal uses of these functions are not vulnerable because the caller does + not free the header argument if PEM_read_bio_ex() returns a failure code. + (CVE-2022-4450) + [Kurt Roeckx, Matt Caswell] + + *) Fixed Timing Oracle in RSA Decryption. + + A timing based side channel exists in the OpenSSL RSA Decryption + implementation which could be sufficient to recover a plaintext across + a network in a Bleichenbacher style attack. To achieve a successful + decryption an attacker would have to be able to send a very large number + of trial messages for decryption. The vulnerability affects all RSA padding + modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + (CVE-2022-4304) + [Dmitry Belyavsky, Hubert Kario] + + Changes between 1.1.1r and 1.1.1s [1 Nov 2022] + + *) Fixed a regression introduced in 1.1.1r version not refreshing the + certificate data to be signed before signing the certificate. + [Gibeom Gwon] + + Changes between 1.1.1q and 1.1.1r [11 Oct 2022] + + *) Fixed the linux-mips64 Configure target which was missing the + SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that + platform. + [Adam Joseph] + + *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was + causing incorrect results in some cases as a result. + [Paul Dale] + + *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to + report correct results in some cases + [Matt Caswell] + + *) Fixed a regression introduced in 1.1.1o for re-signing certificates with + different key sizes + [Todd Short] + + *) Added the loongarch64 target + [Shi Pujin] + + *) Fixed a DRBG seed propagation thread safety issue + [Bernd Edlinger] + + *) Fixed a memory leak in tls13_generate_secret + [Bernd Edlinger] + + *) Fixed reported performance degradation on aarch64. Restored the + implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid + 32-bit lane assignment in CTR mode") for 64bit targets only, since it is + reportedly 2-17% slower and the silicon errata only affects 32bit targets. + The new algorithm is still used for 32 bit targets. + [Bernd Edlinger] + + *) Added a missing header for memcmp that caused compilation failure on some + platforms + [Gregor Jasny] + + Changes between 1.1.1p and 1.1.1q [5 Jul 2022] + + *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised + implementation would not encrypt the entirety of the data under some + circumstances. This could reveal sixteen bytes of data that was + preexisting in the memory that wasn't written. In the special case of + "in place" encryption, sixteen bytes of the plaintext would be revealed. + + Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, + they are both unaffected. + (CVE-2022-2097) + [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño] + + Changes between 1.1.1o and 1.1.1p [21 Jun 2022] + + *) In addition to the c_rehash shell command injection identified in + CVE-2022-1292, further bugs where the c_rehash script does not + properly sanitise shell metacharacters to prevent command injection have been + fixed. + + When the CVE-2022-1292 was fixed it was not discovered that there + are other places in the script where the file names of certificates + being hashed were possibly passed to a command executed through the shell. + + This script is distributed by some operating systems in a manner where + it is automatically executed. On such operating systems, an attacker + could execute arbitrary commands with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-2068) + [Daniel Fiala, Tomáš Mráz] + + *) When OpenSSL TLS client is connecting without any supported elliptic + curves and TLS-1.3 protocol is disabled the connection will no longer fail + if a ciphersuite that does not use a key exchange based on elliptic + curves can be negotiated. + [Tomáš Mráz] + + Changes between 1.1.1n and 1.1.1o [3 May 2022] + + *) Fixed a bug in the c_rehash script which was not properly sanitising shell + metacharacters to prevent command injection. This script is distributed + by some operating systems in a manner where it is automatically executed. + On such operating systems, an attacker could execute arbitrary commands + with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-1292) + [Tomáš Mráz] + Changes between 1.1.1m and 1.1.1n [15 Mar 2022] *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever diff -Nru openssl-1.1.1n/Configurations/10-main.conf openssl-1.1.1v/Configurations/10-main.conf --- openssl-1.1.1n/Configurations/10-main.conf 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/Configurations/10-main.conf 2023-08-01 13:51:35.000000000 +0000 @@ -742,7 +742,7 @@ inherit_from => [ "linux-generic32", asm("mips64_asm") ], cflags => add("-mabi=n32"), cxxflags => add("-mabi=n32"), - bn_ops => "RC4_CHAR", + bn_ops => "RC4_CHAR SIXTY_FOUR_BIT", perlasm_scheme => "n32", multilib => "32", }, @@ -761,6 +761,13 @@ perlasm_scheme => "linux64", }, + # loongarch64 below refers to contemporary LoongArch Architecture + # specifications, + "linux64-loongarch64" => { + inherit_from => [ "linux-generic64"], + perlasm_scheme => "linux64", + }, + #### IA-32 targets... #### These two targets are a bit aged and are to be used on older Linux #### machines where gcc doesn't understand -m32 and -m64 @@ -995,6 +1002,13 @@ perlasm_scheme => "linux64", }, + "BSD-aarch64" => { + inherit_from => [ "BSD-generic64", asm("aarch64_asm") ], + lib_cppflags => add("-DL_ENDIAN"), + bn_ops => "SIXTY_FOUR_BIT_LONG", + perlasm_scheme => "linux64", + }, + "bsdi-elf-gcc" => { inherit_from => [ "BASE_unix", asm("x86_elf_asm") ], CC => "gcc", diff -Nru openssl-1.1.1n/Configurations/descrip.mms.tmpl openssl-1.1.1v/Configurations/descrip.mms.tmpl --- openssl-1.1.1n/Configurations/descrip.mms.tmpl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/Configurations/descrip.mms.tmpl 2023-08-01 13:51:35.000000000 +0000 @@ -13,6 +13,8 @@ our $sover_dirname = sprintf "%02d%02d", split(/\./, $config{shlib_version_number}); our $osslver = sprintf "%02d%02d", split(/\./, $config{version}); + our $shlibvariant = $target{shlib_variant} || ""; + our $sourcedir = $config{sourcedir}; our $builddir = $config{builddir}; sub sourcefile { @@ -47,13 +49,13 @@ map { (my $x = $_) =~ s/\.a$//; $x } @{$unified_info{libraries}}; our @shlibs = - map { $unified_info{sharednames}->{$_} || () } + map { $unified_info{sharednames}->{$_}.$shlibvariant || () } grep(!/\.a$/, @{$unified_info{libraries}}); our @install_libs = map { (my $x = $_) =~ s/\.a$//; $x } @{$unified_info{install}->{libraries}}; our @install_shlibs = - map { $unified_info{sharednames}->{$_} || () } + map { $unified_info{sharednames}->{$_}.$shlibvariant || () } grep(!/\.a$/, @{$unified_info{install}->{libraries}}); # This is a horrible hack, but is needed because recursive inclusion of files @@ -695,7 +697,7 @@ } return map { $_ =~ /\.a$/ ? $`.".OLB" - : $unified_info{sharednames}->{$_}.".EXE" } @_; + : $unified_info{sharednames}->{$_}.$shlibvariant.".EXE" } @_; } # Helper function to deal with inclusion directory specs. @@ -912,7 +914,7 @@ sub libobj2shlib { my %args = @_; my $lib = $args{lib}; - my $shlib = $args{shlib}; + my $shlib = $args{shlib}.$shlibvariant; my $libd = dirname($lib); my $libn = basename($lib); my @objs = map { (my $x = $_) =~ s|\.o$|.OBJ|; $x } diff -Nru openssl-1.1.1n/Configurations/windows-makefile.tmpl openssl-1.1.1v/Configurations/windows-makefile.tmpl --- openssl-1.1.1n/Configurations/windows-makefile.tmpl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/Configurations/windows-makefile.tmpl 2023-08-01 13:51:35.000000000 +0000 @@ -9,6 +9,7 @@ our $exeext = $target{exe_extension} || ".exe"; our $libext = $target{lib_extension} || ".lib"; our $shlibext = $target{shared_extension} || ".dll"; + our $shlibvariant = $target{shlib_variant} || ""; our $shlibextimport = $target{shared_import_extension} || ".lib"; our $dsoext = $target{dso_extension} || ".dll"; @@ -35,7 +36,7 @@ my $lib = shift; return () if $disabled{shared} || $lib =~ /\.a$/; return () unless defined $unified_info{sharednames}->{$lib}; - return $unified_info{sharednames}->{$lib} . $shlibext; + return $unified_info{sharednames}->{$lib} . $shlibvariant . $shlibext; } sub lib { diff -Nru openssl-1.1.1n/Configure openssl-1.1.1v/Configure --- openssl-1.1.1n/Configure 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/Configure 2023-08-01 13:51:35.000000000 +0000 @@ -1,6 +1,6 @@ #! /usr/bin/env perl # -*- mode: perl; -*- -# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1215,7 +1215,7 @@ my ($builder, $builder_platform, @builder_opts) = @{$target{build_scheme}}; -foreach my $checker (($builder_platform."-".$target{build_file}."-checker.pm", +foreach my $checker (($builder_platform."-".$config{build_file}."-checker.pm", $builder_platform."-checker.pm")) { my $checker_path = catfile($srcdir, "Configurations", $checker); if (-f $checker_path) { @@ -1244,7 +1244,7 @@ } if ($target =~ /linux.*-mips/ && !$disabled{asm} - && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { + && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { # minimally required architecture flags for assembly modules my $value; $value = '-mips2' if ($target =~ /mips32/); @@ -1712,8 +1712,8 @@ # Store the name of the template file we will build the build file from # in %config. This may be useful for the build file itself. my @build_file_template_names = - ( $builder_platform."-".$target{build_file}.".tmpl", - $target{build_file}.".tmpl" ); + ( $builder_platform."-".$config{build_file}.".tmpl", + $config{build_file}.".tmpl" ); my @build_file_templates = (); # First, look in the user provided directory, if given @@ -1937,8 +1937,8 @@ } next if @skip && $skip[$#skip] <= 0; push @rawlines, $_ - if ($target_kind eq $target{build_file} - || $target_kind eq $target{build_file}."(".$builder_platform.")"); + if ($target_kind eq $config{build_file} + || $target_kind eq $config{build_file}."(".$builder_platform.")"); } }, qr/^\s*(?:#.*)?$/ => sub { }, @@ -2813,8 +2813,8 @@ my %builders = ( unified => sub { - print 'Creating ',$target{build_file},"\n"; - run_dofile(catfile($blddir, $target{build_file}), + print 'Creating ',$config{build_file},"\n"; + run_dofile(catfile($blddir, $config{build_file}), @{$config{build_file_templates}}); }, ); @@ -2868,7 +2868,7 @@ # sub death_handler { die @_ if $^S; # To prevent the added message in eval blocks - my $build_file = $target{build_file} // "build file"; + my $build_file = $config{build_file} // "build file"; my @message = ( <<"_____", @_ ); Failure! $build_file wasn't produced. diff -Nru openssl-1.1.1n/NEWS openssl-1.1.1v/NEWS --- openssl-1.1.1n/NEWS 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/NEWS 2023-08-01 13:51:35.000000000 +0000 @@ -5,10 +5,57 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] + + o Fix excessive time spent checking DH q parameter value (CVE-2023-3817) + o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) + + Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023] + + o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic + OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) + o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) + o Fixed handling of invalid certificate policies in leaf certificates + (CVE-2023-0465) + o Limited the number of nodes created in a policy tree ([CVE-2023-0464]) + + Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023] + + o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) + o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215) + o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450) + o Fixed Timing Oracle in RSA Decryption (CVE-2022-4304) + + Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022] + + o Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the + certificate data to be signed before signing the certificate. + + Major changes between OpenSSL 1.1.1q and OpenSSL 1.1.1r [11 Oct 2022] + + o Added a missing header for memcmp that caused compilation failure on + some platforms + + Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022] + + o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms + (CVE-2022-2097) + + Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022] + + o Fixed additional bugs in the c_rehash script which was not properly + sanitising shell metacharacters to prevent command injection + (CVE-2022-2068) + + Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022] + + o Fixed a bug in the c_rehash script which was not properly sanitising + shell metacharacters to prevent command injection (CVE-2022-1292) + Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022] o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop - forever for non-prime moduli ([CVE-2022-0778]) + forever for non-prime moduli (CVE-2022-0778) Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021] diff -Nru openssl-1.1.1n/README openssl-1.1.1v/README --- openssl-1.1.1n/README 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/README 2023-08-01 13:51:35.000000000 +0000 @@ -1,7 +1,7 @@ - OpenSSL 1.1.1n 15 Mar 2022 + OpenSSL 1.1.1v 1 Aug 2023 - Copyright (c) 1998-2021 The OpenSSL Project + Copyright (c) 1998-2023 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff -Nru openssl-1.1.1n/apps/apps.c openssl-1.1.1v/apps/apps.c --- openssl-1.1.1n/apps/apps.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/apps/apps.c 2023-08-01 13:51:35.000000000 +0000 @@ -307,6 +307,8 @@ if (cb_data != NULL && cb_data->password != NULL && *(const char*)cb_data->password != '\0') pw_min_len = 1; + else if (!verify) + pw_min_len = 0; prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); if (!prompt) { BIO_printf(bio_err, "Out of memory\n"); @@ -1374,7 +1376,8 @@ static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING) #undef BSIZE #define BSIZE 256 -BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai) +BIGNUM *load_serial(const char *serialfile, int *exists, int create, + ASN1_INTEGER **retai) { BIO *in = NULL; BIGNUM *ret = NULL; @@ -1386,6 +1389,8 @@ goto err; in = BIO_new_file(serialfile, "r"); + if (exists != NULL) + *exists = in != NULL; if (in == NULL) { if (!create) { perror(serialfile); @@ -1393,8 +1398,14 @@ } ERR_clear_error(); ret = BN_new(); - if (ret == NULL || !rand_serial(ret, ai)) + if (ret == NULL) { BIO_printf(bio_err, "Out of memory\n"); + } else if (!rand_serial(ret, ai)) { + BIO_printf(bio_err, "Error creating random number to store in %s\n", + serialfile); + BN_free(ret); + ret = NULL; + } } else { if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) { BIO_printf(bio_err, "unable to load number from %s\n", @@ -1414,6 +1425,8 @@ ai = NULL; } err: + if (ret == NULL) + ERR_print_errors(bio_err); BIO_free(in); ASN1_INTEGER_free(ai); return ret; diff -Nru openssl-1.1.1n/apps/apps.h openssl-1.1.1v/apps/apps.h --- openssl-1.1.1n/apps/apps.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/apps/apps.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -527,9 +527,12 @@ } CA_DB; void* app_malloc(int sz, const char *what); -BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai); -int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial, - ASN1_INTEGER **retai); + +/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */ +BIGNUM *load_serial(const char *serialfile, int *exists, int create, + ASN1_INTEGER **retai); +int save_serial(const char *serialfile, const char *suffix, + const BIGNUM *serial, ASN1_INTEGER **retai); int rotate_serial(const char *serialfile, const char *new_suffix, const char *old_suffix); int rand_serial(BIGNUM *b, ASN1_INTEGER *ai); diff -Nru openssl-1.1.1n/apps/ca.c openssl-1.1.1v/apps/ca.c --- openssl-1.1.1n/apps/ca.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/apps/ca.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -842,7 +842,8 @@ goto end; } } else { - if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) { + serial = load_serial(serialfile, NULL, create_ser, NULL); + if (serial == NULL) { BIO_printf(bio_err, "error while loading serial number\n"); goto end; } @@ -1078,7 +1079,8 @@ if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER)) != NULL) - if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) { + if ((crlnumber = load_serial(crlnumberfile, NULL, 0, NULL)) + == NULL) { BIO_printf(bio_err, "error while loading CRL number\n"); goto end; } diff -Nru openssl-1.1.1n/apps/ocsp.c openssl-1.1.1v/apps/ocsp.c --- openssl-1.1.1n/apps/ocsp.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/apps/ocsp.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -176,7 +176,7 @@ {"no_intern", OPT_NO_INTERN, '-', "Don't search certificates contained in response for signer"}, {"badsig", OPT_BADSIG, '-', - "Corrupt last byte of loaded OSCP response signature (for test)"}, + "Corrupt last byte of loaded OCSP response signature (for test)"}, {"text", OPT_TEXT, '-', "Print text form of request and response"}, {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"}, {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"}, diff -Nru openssl-1.1.1n/apps/s_cb.c openssl-1.1.1v/apps/s_cb.c --- openssl-1.1.1n/apps/s_cb.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/apps/s_cb.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -74,22 +74,28 @@ } switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - BIO_puts(bio_err, "issuer= "); - X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), - 0, get_nameopt()); - BIO_puts(bio_err, "\n"); + if (err_cert != NULL) { + BIO_puts(bio_err, "issuer= "); + X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), + 0, get_nameopt()); + BIO_puts(bio_err, "\n"); + } break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - BIO_printf(bio_err, "notBefore="); - ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert)); - BIO_printf(bio_err, "\n"); + if (err_cert != NULL) { + BIO_printf(bio_err, "notBefore="); + ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert)); + BIO_printf(bio_err, "\n"); + } break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - BIO_printf(bio_err, "notAfter="); - ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert)); - BIO_printf(bio_err, "\n"); + if (err_cert != NULL) { + BIO_printf(bio_err, "notAfter="); + ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert)); + BIO_printf(bio_err, "\n"); + } break; case X509_V_ERR_NO_EXPLICIT_POLICY: if (!verify_args.quiet) diff -Nru openssl-1.1.1n/apps/s_server.c openssl-1.1.1v/apps/s_server.c --- openssl-1.1.1n/apps/s_server.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/apps/s_server.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -2236,6 +2236,30 @@ SSL_CTX_sess_get_cache_size(ssl_ctx)); } +static long int count_reads_callback(BIO *bio, int cmd, const char *argp, + int argi, long int argl, long int ret) +{ + unsigned int *p_counter = (unsigned int *)BIO_get_callback_arg(bio); + + switch (cmd) { + case BIO_CB_READ: /* No break here */ + case BIO_CB_GETS: + if (p_counter != NULL) + ++*p_counter; + break; + default: + break; + } + + if (s_debug) { + BIO_set_callback_arg(bio, (char *)bio_s_out); + ret = bio_dump_callback(bio, cmd, argp, argi, argl, ret); + BIO_set_callback_arg(bio, (char *)p_counter); + } + + return ret; +} + static int sv_body(int s, int stype, int prot, unsigned char *context) { char *buf = NULL; @@ -2353,10 +2377,7 @@ SSL_set_accept_state(con); /* SSL_set_fd(con,s); */ - if (s_debug) { - BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); - BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out); - } + BIO_set_callback(SSL_get_rbio(con), count_reads_callback); if (s_msg) { #ifndef OPENSSL_NO_SSL_TRACE if (s_msg == 2) @@ -2648,7 +2669,25 @@ */ if ((!async || !SSL_waiting_for_async(con)) && !SSL_is_init_finished(con)) { + /* + * Count number of reads during init_ssl_connection. + * It helps us to distinguish configuration errors from errors + * caused by a client. + */ + unsigned int read_counter = 0; + + BIO_set_callback_arg(SSL_get_rbio(con), (char *)&read_counter); i = init_ssl_connection(con); + BIO_set_callback_arg(SSL_get_rbio(con), NULL); + + /* + * If initialization fails without reads, then + * there was a fatal error in configuration. + */ + if (i <= 0 && read_counter == 0) { + ret = -1; + goto err; + } if (i < 0) { ret = 0; diff -Nru openssl-1.1.1n/apps/x509.c openssl-1.1.1v/apps/x509.c --- openssl-1.1.1n/apps/x509.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/apps/x509.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -400,7 +400,7 @@ aliasout = ++num; break; case OPT_CACREATESERIAL: - CA_createserial = ++num; + CA_createserial = 1; break; case OPT_CLREXT: clrext = 1; @@ -590,6 +590,8 @@ xca = load_cert(CAfile, CAformat, "CA Certificate"); if (xca == NULL) goto end; + if (reqfile && !X509_set_issuer_name(x, X509_get_subject_name(xca))) + goto end; } out = bio_open_default(outfile, 'w', outformat); @@ -914,6 +916,7 @@ char *buf = NULL; ASN1_INTEGER *bs = NULL; BIGNUM *serial = NULL; + int defaultfile = 0, file_exists; if (serialfile == NULL) { const char *p = strrchr(CAfile, '.'); @@ -923,9 +926,10 @@ memcpy(buf, CAfile, len); memcpy(buf + len, POSTFIX, sizeof(POSTFIX)); serialfile = buf; + defaultfile = 1; } - serial = load_serial(serialfile, create, NULL); + serial = load_serial(serialfile, &file_exists, create || defaultfile, NULL); if (serial == NULL) goto end; @@ -934,8 +938,10 @@ goto end; } - if (!save_serial(serialfile, NULL, serial, &bs)) - goto end; + if (file_exists || create) + save_serial(serialfile, NULL, serial, &bs); + else + bs = BN_to_ASN1_INTEGER(serial, NULL); end: OPENSSL_free(buf); diff -Nru openssl-1.1.1n/config openssl-1.1.1v/config --- openssl-1.1.1n/config 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/config 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -709,6 +709,7 @@ ia64-*-*bsd*) OUT="BSD-ia64" ;; x86_64-*-dragonfly*) OUT="BSD-x86_64" ;; amd64-*-*bsd*) OUT="BSD-x86_64" ;; + arm64-*-*bsd*) OUT="BSD-aarch64" ;; *86*-*-*bsd*) # mimic ld behaviour when it's looking for libc... if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD libc=/usr/lib/libc.so diff -Nru openssl-1.1.1n/crypto/aes/asm/aesni-x86.pl openssl-1.1.1v/crypto/aes/asm/aesni-x86.pl --- openssl-1.1.1n/crypto/aes/asm/aesni-x86.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/aes/asm/aesni-x86.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -2027,7 +2027,7 @@ &movdqu (&QWP(-16*2,$out,$inp),$inout4); &movdqu (&QWP(-16*1,$out,$inp),$inout5); &cmp ($inp,$len); # done yet? - &jb (&label("grandloop")); + &jbe (&label("grandloop")); &set_label("short"); &add ($len,16*6); @@ -2453,7 +2453,7 @@ &pxor ($rndkey1,$inout5); &movdqu (&QWP(-16*1,$out,$inp),$inout5); &cmp ($inp,$len); # done yet? - &jb (&label("grandloop")); + &jbe (&label("grandloop")); &set_label("short"); &add ($len,16*6); diff -Nru openssl-1.1.1n/crypto/aes/asm/aesv8-armx.pl openssl-1.1.1v/crypto/aes/asm/aesv8-armx.pl --- openssl-1.1.1n/crypto/aes/asm/aesv8-armx.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/aes/asm/aesv8-armx.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -740,6 +740,21 @@ #ifndef __ARMEB__ rev $ctr, $ctr #endif +___ +$code.=<<___ if ($flavour =~ /64/); + vorr $dat1,$dat0,$dat0 + add $tctr1, $ctr, #1 + vorr $dat2,$dat0,$dat0 + add $ctr, $ctr, #2 + vorr $ivec,$dat0,$dat0 + rev $tctr1, $tctr1 + vmov.32 ${dat1}[3],$tctr1 + b.ls .Lctr32_tail + rev $tctr2, $ctr + sub $len,$len,#3 // bias + vmov.32 ${dat2}[3],$tctr2 +___ +$code.=<<___ if ($flavour !~ /64/); add $tctr1, $ctr, #1 vorr $ivec,$dat0,$dat0 rev $tctr1, $tctr1 @@ -751,6 +766,8 @@ vmov.32 ${ivec}[3],$tctr2 sub $len,$len,#3 // bias vorr $dat2,$ivec,$ivec +___ +$code.=<<___; b .Loop3x_ctr32 .align 4 @@ -777,11 +794,25 @@ aese $dat1,q8 aesmc $tmp1,$dat1 vld1.8 {$in0},[$inp],#16 +___ +$code.=<<___ if ($flavour =~ /64/); + vorr $dat0,$ivec,$ivec +___ +$code.=<<___ if ($flavour !~ /64/); add $tctr0,$ctr,#1 +___ +$code.=<<___; aese $dat2,q8 aesmc $dat2,$dat2 vld1.8 {$in1},[$inp],#16 +___ +$code.=<<___ if ($flavour =~ /64/); + vorr $dat1,$ivec,$ivec +___ +$code.=<<___ if ($flavour !~ /64/); rev $tctr0,$tctr0 +___ +$code.=<<___; aese $tmp0,q9 aesmc $tmp0,$tmp0 aese $tmp1,q9 @@ -790,6 +821,12 @@ mov $key_,$key aese $dat2,q9 aesmc $tmp2,$dat2 +___ +$code.=<<___ if ($flavour =~ /64/); + vorr $dat2,$ivec,$ivec + add $tctr0,$ctr,#1 +___ +$code.=<<___; aese $tmp0,q12 aesmc $tmp0,$tmp0 aese $tmp1,q12 @@ -805,22 +842,47 @@ aese $tmp1,q13 aesmc $tmp1,$tmp1 veor $in2,$in2,$rndlast +___ +$code.=<<___ if ($flavour =~ /64/); + rev $tctr0,$tctr0 + aese $tmp2,q13 + aesmc $tmp2,$tmp2 + vmov.32 ${dat0}[3], $tctr0 +___ +$code.=<<___ if ($flavour !~ /64/); vmov.32 ${ivec}[3], $tctr0 aese $tmp2,q13 aesmc $tmp2,$tmp2 vorr $dat0,$ivec,$ivec +___ +$code.=<<___; rev $tctr1,$tctr1 aese $tmp0,q14 aesmc $tmp0,$tmp0 +___ +$code.=<<___ if ($flavour !~ /64/); vmov.32 ${ivec}[3], $tctr1 rev $tctr2,$ctr +___ +$code.=<<___; aese $tmp1,q14 aesmc $tmp1,$tmp1 +___ +$code.=<<___ if ($flavour =~ /64/); + vmov.32 ${dat1}[3], $tctr1 + rev $tctr2,$ctr + aese $tmp2,q14 + aesmc $tmp2,$tmp2 + vmov.32 ${dat2}[3], $tctr2 +___ +$code.=<<___ if ($flavour !~ /64/); vorr $dat1,$ivec,$ivec vmov.32 ${ivec}[3], $tctr2 aese $tmp2,q14 aesmc $tmp2,$tmp2 vorr $dat2,$ivec,$ivec +___ +$code.=<<___; subs $len,$len,#3 aese $tmp0,q15 aese $tmp1,q15 diff -Nru openssl-1.1.1n/crypto/aes/asm/bsaes-armv7.pl openssl-1.1.1v/crypto/aes/asm/bsaes-armv7.pl --- openssl-1.1.1n/crypto/aes/asm/bsaes-armv7.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/aes/asm/bsaes-armv7.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -14,7 +14,7 @@ # details see http://www.openssl.org/~appro/cryptogams/. # # Specific modes and adaptation for Linux kernel by Ard Biesheuvel -# of Linaro. Permission to use under GPL terms is granted. +# of Linaro. # ==================================================================== # Bit-sliced AES for ARM NEON diff -Nru openssl-1.1.1n/crypto/asn1/a_bitstr.c openssl-1.1.1v/crypto/asn1/a_bitstr.c --- openssl-1.1.1n/crypto/asn1/a_bitstr.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/asn1/a_bitstr.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -148,6 +148,9 @@ int w, v, iv; unsigned char *c; + if (n < 0) + return 0; + w = n / 8; v = 1 << (7 - (n & 0x07)); iv = ~v; @@ -182,6 +185,9 @@ { int w, v; + if (n < 0) + return 0; + w = n / 8; v = 1 << (7 - (n & 0x07)); if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL)) diff -Nru openssl-1.1.1n/crypto/asn1/asn_mime.c openssl-1.1.1v/crypto/asn1/asn_mime.c --- openssl-1.1.1n/crypto/asn1/asn_mime.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/asn1/asn_mime.c 2023-08-01 13:51:35.000000000 +0000 @@ -489,6 +489,7 @@ char eol; int len; char linebuf[MAX_SMLEN]; + int ret; /* * Buffer output so we don't write one line at a time. This is useful * when streaming as we don't end up with one OCTET STRING per line. @@ -523,9 +524,12 @@ BIO_write(out, "\r\n", 2); } } - (void)BIO_flush(out); + ret = BIO_flush(out); BIO_pop(out); BIO_free(bf); + if (ret <= 0) + return 0; + return 1; } diff -Nru openssl-1.1.1n/crypto/asn1/bio_asn1.c openssl-1.1.1v/crypto/asn1/bio_asn1.c --- openssl-1.1.1n/crypto/asn1/bio_asn1.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/asn1/bio_asn1.c 2023-08-01 13:51:35.000000000 +0000 @@ -172,7 +172,7 @@ case ASN1_STATE_START: if (!asn1_bio_setup_ex(b, ctx, ctx->prefix, ASN1_STATE_PRE_COPY, ASN1_STATE_HEADER)) - return 0; + return -1; break; /* Copy any pre data first */ @@ -189,7 +189,7 @@ case ASN1_STATE_HEADER: ctx->buflen = ASN1_object_size(0, inl, ctx->asn1_tag) - inl; if (!ossl_assert(ctx->buflen <= ctx->bufsize)) - return 0; + return -1; p = ctx->buf; ASN1_put_object(&p, 0, inl, ctx->asn1_tag, ctx->asn1_class); ctx->copylen = inl; diff -Nru openssl-1.1.1n/crypto/asn1/bio_ndef.c openssl-1.1.1v/crypto/asn1/bio_ndef.c --- openssl-1.1.1n/crypto/asn1/bio_ndef.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/asn1/bio_ndef.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -49,12 +49,19 @@ static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, void *parg); +/* + * On success, the returned BIO owns the input BIO as part of its BIO chain. + * On failure, NULL is returned and the input BIO is owned by the caller. + * + * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() + */ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) { NDEF_SUPPORT *ndef_aux = NULL; BIO *asn_bio = NULL; const ASN1_AUX *aux = it->funcs; ASN1_STREAM_ARG sarg; + BIO *pop_bio = NULL; if (!aux || !aux->asn1_cb) { ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED); @@ -69,21 +76,39 @@ out = BIO_push(asn_bio, out); if (out == NULL) goto err; + pop_bio = asn_bio; - BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); - BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); + if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 + || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 + || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) + goto err; /* - * Now let callback prepends any digest, cipher etc BIOs ASN1 structure - * needs. + * Now let the callback prepend any digest, cipher, etc., that the BIO's + * ASN1 structure needs. */ sarg.out = out; sarg.ndef_bio = NULL; sarg.boundary = NULL; - if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) + /* + * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the + * middle of some partially built, but not returned BIO chain. + */ + if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { + /* + * ndef_aux is now owned by asn_bio so we must not free it in the err + * clean up block + */ + ndef_aux = NULL; goto err; + } + + /* + * We must not fail now because the callback has prepended additional + * BIOs to the chain + */ ndef_aux->val = val; ndef_aux->it = it; @@ -91,11 +116,11 @@ ndef_aux->boundary = sarg.boundary; ndef_aux->out = out; - BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); - return sarg.ndef_bio; err: + /* BIO_pop() is NULL safe */ + (void)BIO_pop(pop_bio); BIO_free(asn_bio); OPENSSL_free(ndef_aux); return NULL; diff -Nru openssl-1.1.1n/crypto/asn1/charmap.pl openssl-1.1.1v/crypto/asn1/charmap.pl --- openssl-1.1.1n/crypto/asn1/charmap.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/asn1/charmap.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -7,6 +7,9 @@ # https://www.openssl.org/source/license.html use strict; +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; my ($i, @arr); @@ -82,8 +85,8 @@ # Now generate the C code -# Output year depends on the year of the script. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; +# Year the file was generated. +my $YEAR = OpenSSL::copyright::year_of($0); print < +#include /* * Copyright Patrick Powell 1995 @@ -31,8 +32,10 @@ const char *, int, int, int); static int fmtint(char **, char **, size_t *, size_t *, int64_t, int, int, int, int); +#ifndef OPENSSL_SYS_UEFI static int fmtfp(char **, char **, size_t *, size_t *, LDOUBLE, int, int, int, int); +#endif static int doapr_outch(char **, char **, size_t *, size_t *, int); static int _dopr(char **sbuffer, char **buffer, size_t *maxlen, size_t *retlen, int *truncated, @@ -88,7 +91,9 @@ { char ch; int64_t value; +#ifndef OPENSSL_SYS_UEFI LDOUBLE fvalue; +#endif char *strvalue; int min; int max; @@ -259,6 +264,7 @@ min, max, flags)) return 0; break; +#ifndef OPENSSL_SYS_UEFI case 'f': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); @@ -292,6 +298,15 @@ flags, G_FORMAT)) return 0; break; +#else + case 'f': + case 'E': + case 'e': + case 'G': + case 'g': + /* not implemented for UEFI */ + return 0; +#endif case 'c': if (!doapr_outch(sbuffer, buffer, &currlen, maxlen, va_arg(args, int))) @@ -512,6 +527,8 @@ return 1; } +#ifndef OPENSSL_SYS_UEFI + static LDOUBLE abs_val(LDOUBLE value) { LDOUBLE result = value; @@ -803,6 +820,8 @@ return 1; } +#endif /* OPENSSL_SYS_UEFI */ + #define BUFFER_INC 1024 static int diff -Nru openssl-1.1.1n/crypto/bn/asm/x86_64-mont5.pl openssl-1.1.1v/crypto/bn/asm/x86_64-mont5.pl --- openssl-1.1.1n/crypto/bn/asm/x86_64-mont5.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/asm/x86_64-mont5.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -2101,193 +2101,6 @@ .size __bn_post4x_internal,.-__bn_post4x_internal ___ } -{ -$code.=<<___; -.globl bn_from_montgomery -.type bn_from_montgomery,\@abi-omnipotent -.align 32 -bn_from_montgomery: -.cfi_startproc - testl \$7,`($win64?"48(%rsp)":"%r9d")` - jz bn_from_mont8x - xor %eax,%eax - ret -.cfi_endproc -.size bn_from_montgomery,.-bn_from_montgomery - -.type bn_from_mont8x,\@function,6 -.align 32 -bn_from_mont8x: -.cfi_startproc - .byte 0x67 - mov %rsp,%rax -.cfi_def_cfa_register %rax - push %rbx -.cfi_push %rbx - push %rbp -.cfi_push %rbp - push %r12 -.cfi_push %r12 - push %r13 -.cfi_push %r13 - push %r14 -.cfi_push %r14 - push %r15 -.cfi_push %r15 -.Lfrom_prologue: - - shl \$3,${num}d # convert $num to bytes - lea ($num,$num,2),%r10 # 3*$num in bytes - neg $num - mov ($n0),$n0 # *n0 - - ############################################################## - # Ensure that stack frame doesn't alias with $rptr+3*$num - # modulo 4096, which covers ret[num], am[num] and n[num] - # (see bn_exp.c). The stack is allocated to aligned with - # bn_power5's frame, and as bn_from_montgomery happens to be - # last operation, we use the opportunity to cleanse it. - # - lea -320(%rsp,$num,2),%r11 - mov %rsp,%rbp - sub $rptr,%r11 - and \$4095,%r11 - cmp %r11,%r10 - jb .Lfrom_sp_alt - sub %r11,%rbp # align with $aptr - lea -320(%rbp,$num,2),%rbp # future alloca(frame+2*$num*8+256) - jmp .Lfrom_sp_done - -.align 32 -.Lfrom_sp_alt: - lea 4096-320(,$num,2),%r10 - lea -320(%rbp,$num,2),%rbp # future alloca(frame+2*$num*8+256) - sub %r10,%r11 - mov \$0,%r10 - cmovc %r10,%r11 - sub %r11,%rbp -.Lfrom_sp_done: - and \$-64,%rbp - mov %rsp,%r11 - sub %rbp,%r11 - and \$-4096,%r11 - lea (%rbp,%r11),%rsp - mov (%rsp),%r10 - cmp %rbp,%rsp - ja .Lfrom_page_walk - jmp .Lfrom_page_walk_done - -.Lfrom_page_walk: - lea -4096(%rsp),%rsp - mov (%rsp),%r10 - cmp %rbp,%rsp - ja .Lfrom_page_walk -.Lfrom_page_walk_done: - - mov $num,%r10 - neg $num - - ############################################################## - # Stack layout - # - # +0 saved $num, used in reduction section - # +8 &t[2*$num], used in reduction section - # +32 saved *n0 - # +40 saved %rsp - # +48 t[2*$num] - # - mov $n0, 32(%rsp) - mov %rax, 40(%rsp) # save original %rsp -.cfi_cfa_expression %rsp+40,deref,+8 -.Lfrom_body: - mov $num,%r11 - lea 48(%rsp),%rax - pxor %xmm0,%xmm0 - jmp .Lmul_by_1 - -.align 32 -.Lmul_by_1: - movdqu ($aptr),%xmm1 - movdqu 16($aptr),%xmm2 - movdqu 32($aptr),%xmm3 - movdqa %xmm0,(%rax,$num) - movdqu 48($aptr),%xmm4 - movdqa %xmm0,16(%rax,$num) - .byte 0x48,0x8d,0xb6,0x40,0x00,0x00,0x00 # lea 64($aptr),$aptr - movdqa %xmm1,(%rax) - movdqa %xmm0,32(%rax,$num) - movdqa %xmm2,16(%rax) - movdqa %xmm0,48(%rax,$num) - movdqa %xmm3,32(%rax) - movdqa %xmm4,48(%rax) - lea 64(%rax),%rax - sub \$64,%r11 - jnz .Lmul_by_1 - - movq $rptr,%xmm1 - movq $nptr,%xmm2 - .byte 0x67 - mov $nptr,%rbp - movq %r10, %xmm3 # -num -___ -$code.=<<___ if ($addx); - mov OPENSSL_ia32cap_P+8(%rip),%r11d - and \$0x80108,%r11d - cmp \$0x80108,%r11d # check for AD*X+BMI2+BMI1 - jne .Lfrom_mont_nox - - lea (%rax,$num),$rptr - call __bn_sqrx8x_reduction - call __bn_postx4x_internal - - pxor %xmm0,%xmm0 - lea 48(%rsp),%rax - jmp .Lfrom_mont_zero - -.align 32 -.Lfrom_mont_nox: -___ -$code.=<<___; - call __bn_sqr8x_reduction - call __bn_post4x_internal - - pxor %xmm0,%xmm0 - lea 48(%rsp),%rax - jmp .Lfrom_mont_zero - -.align 32 -.Lfrom_mont_zero: - mov 40(%rsp),%rsi # restore %rsp -.cfi_def_cfa %rsi,8 - movdqa %xmm0,16*0(%rax) - movdqa %xmm0,16*1(%rax) - movdqa %xmm0,16*2(%rax) - movdqa %xmm0,16*3(%rax) - lea 16*4(%rax),%rax - sub \$32,$num - jnz .Lfrom_mont_zero - - mov \$1,%rax - mov -48(%rsi),%r15 -.cfi_restore %r15 - mov -40(%rsi),%r14 -.cfi_restore %r14 - mov -32(%rsi),%r13 -.cfi_restore %r13 - mov -24(%rsi),%r12 -.cfi_restore %r12 - mov -16(%rsi),%rbp -.cfi_restore %rbp - mov -8(%rsi),%rbx -.cfi_restore %rbx - lea (%rsi),%rsp -.cfi_def_cfa_register %rsp -.Lfrom_epilogue: - ret -.cfi_endproc -.size bn_from_mont8x,.-bn_from_mont8x -___ -} }}} if ($addx) {{{ @@ -3894,10 +3707,6 @@ .rva .LSEH_begin_bn_power5 .rva .LSEH_end_bn_power5 .rva .LSEH_info_bn_power5 - - .rva .LSEH_begin_bn_from_mont8x - .rva .LSEH_end_bn_from_mont8x - .rva .LSEH_info_bn_from_mont8x ___ $code.=<<___ if ($addx); .rva .LSEH_begin_bn_mulx4x_mont_gather5 @@ -3929,11 +3738,6 @@ .byte 9,0,0,0 .rva mul_handler .rva .Lpower5_prologue,.Lpower5_body,.Lpower5_epilogue # HandlerData[] -.align 8 -.LSEH_info_bn_from_mont8x: - .byte 9,0,0,0 - .rva mul_handler - .rva .Lfrom_prologue,.Lfrom_body,.Lfrom_epilogue # HandlerData[] ___ $code.=<<___ if ($addx); .align 8 diff -Nru openssl-1.1.1n/crypto/bn/bn_asm.c openssl-1.1.1v/crypto/bn/bn_asm.c --- openssl-1.1.1n/crypto/bn/bn_asm.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/bn_asm.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -381,25 +381,33 @@ #ifndef OPENSSL_SMALL_FOOTPRINT while (n & ~3) { t1 = a[0]; - t2 = b[0]; - r[0] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[0]; + t1 = (t2 - t1) & BN_MASK2; + r[0] = t1; + c += (t1 > t2); t1 = a[1]; - t2 = b[1]; - r[1] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[1]; + t1 = (t2 - t1) & BN_MASK2; + r[1] = t1; + c += (t1 > t2); t1 = a[2]; - t2 = b[2]; - r[2] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[2]; + t1 = (t2 - t1) & BN_MASK2; + r[2] = t1; + c += (t1 > t2); t1 = a[3]; - t2 = b[3]; - r[3] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[3]; + t1 = (t2 - t1) & BN_MASK2; + r[3] = t1; + c += (t1 > t2); a += 4; b += 4; r += 4; @@ -408,10 +416,12 @@ #endif while (n) { t1 = a[0]; - t2 = b[0]; - r[0] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[0]; + t1 = (t2 - t1) & BN_MASK2; + r[0] = t1; + c += (t1 > t2); a++; b++; r++; @@ -446,7 +456,7 @@ t += c0; /* no carry */ \ c0 = (BN_ULONG)Lw(t); \ hi = (BN_ULONG)Hw(t); \ - c1 = (c1+hi)&BN_MASK2; if (c1top = (int)(rtop & ~mask) | (ntop & mask); n->flags |= (BN_FLG_FIXED_TOP & ~mask); } - ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx); + ret = bn_mul_mont_fixed_top(n, n, r, b->m_ctx, ctx); + bn_correct_top_consttime(n); } else { ret = BN_mod_mul(n, n, r, b->mod, ctx); } diff -Nru openssl-1.1.1n/crypto/bn/bn_div.c openssl-1.1.1v/crypto/bn/bn_div.c --- openssl-1.1.1n/crypto/bn/bn_div.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/bn_div.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -446,8 +446,10 @@ snum->neg = num_neg; snum->top = div_n; snum->flags |= BN_FLG_FIXED_TOP; - if (rm != NULL) - bn_rshift_fixed_top(rm, snum, norm_shift); + + if (rm != NULL && bn_rshift_fixed_top(rm, snum, norm_shift) == 0) + goto err; + BN_CTX_end(ctx); return 1; err: diff -Nru openssl-1.1.1n/crypto/bn/bn_err.c openssl-1.1.1v/crypto/bn/bn_err.c --- openssl-1.1.1n/crypto/bn/bn_err.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/bn_err.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/crypto/bn/bn_exp.c openssl-1.1.1v/crypto/bn/bn_exp.c --- openssl-1.1.1n/crypto/bn/bn_exp.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/bn_exp.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -37,6 +37,15 @@ /* maximum precomputation table size for *variable* sliding windows */ #define TABLE_SIZE 32 +/* + * Beyond this limit the constant time code is disabled due to + * the possible overflow in the computation of powerbufLen in + * BN_mod_exp_mont_consttime. + * When this limit is exceeded, the computation will be done using + * non-constant time code, but it will take very long. + */ +#define BN_CONSTTIME_SIZE_LIMIT (INT_MAX / BN_BYTES / 256) + /* this one works - simple but works */ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { @@ -188,13 +197,14 @@ return ret; } + BN_RECP_CTX_init(&recp); + BN_CTX_start(ctx); aa = BN_CTX_get(ctx); val[0] = BN_CTX_get(ctx); if (val[0] == NULL) goto err; - BN_RECP_CTX_init(&recp); if (m->neg) { /* ignore sign of 'm' */ if (!BN_copy(aa, m)) @@ -304,12 +314,6 @@ BIGNUM *val[TABLE_SIZE]; BN_MONT_CTX *mont = NULL; - if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0 - || BN_get_flags(a, BN_FLG_CONSTTIME) != 0 - || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) { - return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); - } - bn_check_top(a); bn_check_top(p); bn_check_top(m); @@ -318,6 +322,14 @@ BNerr(BN_F_BN_MOD_EXP_MONT, BN_R_CALLED_WITH_EVEN_MODULUS); return 0; } + + if (m->top <= BN_CONSTTIME_SIZE_LIMIT + && (BN_get_flags(p, BN_FLG_CONSTTIME) != 0 + || BN_get_flags(a, BN_FLG_CONSTTIME) != 0 + || BN_get_flags(m, BN_FLG_CONSTTIME) != 0)) { + return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); + } + bits = BN_num_bits(p); if (bits == 0) { /* x**0 mod 1, or x**0 mod -1 is still zero. */ @@ -617,6 +629,11 @@ top = m->top; + if (top > BN_CONSTTIME_SIZE_LIMIT) { + /* Prevent overflowing the powerbufLen computation below */ + return BN_mod_exp_mont(rr, a, p, m, ctx, in_mont); + } + /* * Use all bits stored in |p|, rather than |BN_num_bits|, so we do not leak * whether the top bits are zero. @@ -696,7 +713,7 @@ else #endif #if defined(OPENSSL_BN_ASM_MONT5) - if (window >= 5) { + if (window >= 5 && top <= BN_SOFT_LIMIT) { window = 5; /* ~5% improvement for RSA2048 sign, and even * for RSA4096 */ /* reserve space for mont->N.d[] copy */ @@ -757,6 +774,9 @@ if (!bn_to_mont_fixed_top(&am, a, mont, ctx)) goto err; + if (top > BN_SOFT_LIMIT) + goto fallback; + #if defined(SPARC_T4_MONT) if (t4) { typedef int (*bn_pwr5_mont_f) (BN_ULONG *tp, const BN_ULONG *np, @@ -899,14 +919,21 @@ #if defined(OPENSSL_BN_ASM_MONT5) if (window == 5 && top > 1) { /* - * This optimization uses ideas from http://eprint.iacr.org/2011/239, - * specifically optimization of cache-timing attack countermeasures - * and pre-computation optimization. - */ - - /* - * Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as - * 512-bit RSA is hardly relevant, we omit it to spare size... + * This optimization uses ideas from https://eprint.iacr.org/2011/239, + * specifically optimization of cache-timing attack countermeasures, + * pre-computation optimization, and Almost Montgomery Multiplication. + * + * The paper discusses a 4-bit window to optimize 512-bit modular + * exponentiation, used in RSA-1024 with CRT, but RSA-1024 is no longer + * important. + * + * |bn_mul_mont_gather5| and |bn_power5| implement the "almost" + * reduction variant, so the values here may not be fully reduced. + * They are bounded by R (i.e. they fit in |top| words), not |m|. + * Additionally, we pass these "almost" reduced inputs into + * |bn_mul_mont|, which implements the normal reduction variant. + * Given those inputs, |bn_mul_mont| may not give reduced + * output, but it will still produce "almost" reduced output. */ void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap, const void *table, const BN_ULONG *np, @@ -918,9 +945,6 @@ const void *table, const BN_ULONG *np, const BN_ULONG *n0, int num, int power); int bn_get_bits5(const BN_ULONG *ap, int off); - int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap, - const BN_ULONG *not_used, const BN_ULONG *np, - const BN_ULONG *n0, int num); BN_ULONG *n0 = mont->n0, *np; @@ -1009,17 +1033,22 @@ } } - ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np, n0, top); tmp.top = top; - bn_correct_top(&tmp); - if (ret) { - if (!BN_copy(rr, &tmp)) - ret = 0; - goto err; /* non-zero ret means it's not error */ - } + /* + * The result is now in |tmp| in Montgomery form, but it may not be + * fully reduced. This is within bounds for |BN_from_montgomery| + * (tmp < R <= m*R) so it will, when converting from Montgomery form, + * produce a fully reduced result. + * + * This differs from Figure 2 of the paper, which uses AMM(h, 1) to + * convert from Montgomery form with unreduced output, followed by an + * extra reduction step. In the paper's terminology, we replace + * steps 9 and 10 with MM(h, 1). + */ } else #endif { + fallback: if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window)) diff -Nru openssl-1.1.1n/crypto/bn/bn_gcd.c openssl-1.1.1v/crypto/bn/bn_gcd.c --- openssl-1.1.1n/crypto/bn/bn_gcd.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/bn_gcd.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -47,7 +47,8 @@ if (R == NULL) goto err; - BN_one(X); + if (!BN_one(X)) + goto err; BN_zero(Y); if (BN_copy(B, a) == NULL) goto err; @@ -235,7 +236,8 @@ if (R == NULL) goto err; - BN_one(X); + if (!BN_one(X)) + goto err; BN_zero(Y); if (BN_copy(B, a) == NULL) goto err; diff -Nru openssl-1.1.1n/crypto/bn/bn_lib.c openssl-1.1.1v/crypto/bn/bn_lib.c --- openssl-1.1.1n/crypto/bn/bn_lib.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/bn_lib.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1001,6 +1001,28 @@ return (words <= a->dmax) ? a : bn_expand2(a, words); } +void bn_correct_top_consttime(BIGNUM *a) +{ + int j, atop; + BN_ULONG limb; + unsigned int mask; + + for (j = 0, atop = 0; j < a->dmax; j++) { + limb = a->d[j]; + limb |= 0 - limb; + limb >>= BN_BITS2 - 1; + limb = 0 - limb; + mask = (unsigned int)limb; + mask &= constant_time_msb(j - a->top); + atop = constant_time_select_int(mask, j + 1, atop); + } + + mask = constant_time_eq_int(atop, 0); + a->top = atop; + a->neg = constant_time_select_int(mask, 0, a->neg); + a->flags &= ~BN_FLG_FIXED_TOP; +} + void bn_correct_top(BIGNUM *a) { BN_ULONG *ftl; diff -Nru openssl-1.1.1n/crypto/bn/bn_local.h openssl-1.1.1v/crypto/bn/bn_local.h --- openssl-1.1.1n/crypto/bn/bn_local.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/bn_local.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -35,6 +35,26 @@ /* #define BN_DEBUG */ /* #define BN_DEBUG_RAND */ +/* + * This should limit the stack usage due to alloca to about 4K. + * BN_SOFT_LIMIT is a soft limit equivalent to 2*OPENSSL_RSA_MAX_MODULUS_BITS. + * Beyond that size bn_mul_mont is no longer used, and the constant time + * assembler code is disabled, due to the blatant alloca and bn_mul_mont usage. + * Note that bn_mul_mont does an alloca that is hidden away in assembly. + * It is not recommended to do computations with numbers exceeding this limit, + * since the result will be highly version dependent: + * While the current OpenSSL version will use non-optimized, but safe code, + * previous versions will use optimized code, that may crash due to unexpected + * stack overflow, and future versions may very well turn this into a hard + * limit. + * Note however, that it is possible to override the size limit using + * "./config -DBN_SOFT_LIMIT=" if necessary, and the O/S specific + * stack limit is known and taken into consideration. + */ +# ifndef BN_SOFT_LIMIT +# define BN_SOFT_LIMIT (4096 / BN_BYTES) +# endif + # ifndef OPENSSL_SMALL_FOOTPRINT # define BN_MUL_COMBA # define BN_SQR_COMBA @@ -495,10 +515,10 @@ ret = (r); \ BN_UMULT_LOHI(low,high,w,tmp); \ ret += (c); \ - (c) = (ret<(c))?1:0; \ + (c) = (ret<(c)); \ (c) += high; \ ret += low; \ - (c) += (ret>(BN_BITS4-1); \ m =(m&BN_MASK2l)<<(BN_BITS4+1); \ - l=(l+m)&BN_MASK2; if (l < m) h++; \ + l=(l+m)&BN_MASK2; h += (l < m); \ (lo)=l; \ (ho)=h; \ } @@ -603,9 +623,9 @@ mul64(l,h,(bl),(bh)); \ \ /* non-multiply part */ \ - l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ + l=(l+(c))&BN_MASK2; h += (l < (c)); \ (c)=(r); \ - l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ + l=(l+(c))&BN_MASK2; h += (l < (c)); \ (c)=h&BN_MASK2; \ (r)=l; \ } @@ -619,7 +639,7 @@ mul64(l,h,(bl),(bh)); \ \ /* non-multiply part */ \ - l+=(c); if ((l&BN_MASK2) < (c)) h++; \ + l+=(c); h += ((l&BN_MASK2) < (c)); \ (c)=h&BN_MASK2; \ (r)=l&BN_MASK2; \ } @@ -649,7 +669,7 @@ int cl, int dl); int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); - +void bn_correct_top_consttime(BIGNUM *a); BIGNUM *int_bn_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, int *noinv); diff -Nru openssl-1.1.1n/crypto/bn/bn_mont.c openssl-1.1.1v/crypto/bn/bn_mont.c --- openssl-1.1.1n/crypto/bn/bn_mont.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/bn_mont.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -42,7 +42,7 @@ int num = mont->N.top; #if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) - if (num > 1 && a->top == num && b->top == num) { + if (num > 1 && num <= BN_SOFT_LIMIT && a->top == num && b->top == num) { if (bn_wexpand(r, num) == NULL) return 0; if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) { diff -Nru openssl-1.1.1n/crypto/bn/bn_nist.c openssl-1.1.1v/crypto/bn/bn_nist.c --- openssl-1.1.1n/crypto/bn/bn_nist.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/bn_nist.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -249,17 +249,28 @@ return &_bignum_nist_p_521; } -static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max) -{ - int i; - -#ifdef BN_DEBUG - (void)ossl_assert(top <= max); -#endif - for (i = 0; i < top; i++) - dst[i] = src[i]; - for (; i < max; i++) - dst[i] = 0; +/* + * To avoid more recent compilers (specifically clang-14) from treating this + * code as a violation of the strict aliasing conditions and omiting it, this + * cannot be declared as a function. Moreover, the dst parameter cannot be + * cached in a local since this no longer references the union and again falls + * foul of the strict aliasing criteria. Refer to #18225 for the initial + * diagnostics and llvm/llvm-project#55255 for the later discussions with the + * LLVM developers. The problem boils down to if an array in the union is + * converted to a pointer or if it is used directly. + * + * This function was inlined regardless, so there is no space cost to be + * paid for making it a macro. + */ +#define nist_cp_bn_0(dst, src_in, top, max) \ +{ \ + int ii; \ + const BN_ULONG *src = src_in; \ + \ + for (ii = 0; ii < top; ii++) \ + (dst)[ii] = src[ii]; \ + for (; ii < max; ii++) \ + (dst)[ii] = 0; \ } static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top) diff -Nru openssl-1.1.1n/crypto/bn/bn_prime.pl openssl-1.1.1v/crypto/bn/bn_prime.pl --- openssl-1.1.1n/crypto/bn/bn_prime.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/bn_prime.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,13 +1,16 @@ #! /usr/bin/env perl -# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; -# Output year depends on the year of the script. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; +# The year the output file is generated. +my $YEAR = OpenSSL::copyright::year_of($0); print <<"EOF"; /* * WARNING: do not edit! diff -Nru openssl-1.1.1n/crypto/bn/rsaz_exp.c openssl-1.1.1v/crypto/bn/rsaz_exp.c --- openssl-1.1.1n/crypto/bn/rsaz_exp.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/rsaz_exp.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2012, Intel Corporation. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -66,6 +66,7 @@ unsigned char *R2 = table_s; /* borrow */ int index; int wvalue; + BN_ULONG tmp[16]; if ((((size_t)p_str & 4095) + 320) >> 12) { result = p_str; @@ -237,7 +238,10 @@ rsaz_1024_red2norm_avx2(result_norm, result); + bn_reduce_once_in_place(result_norm, /*carry=*/0, m_norm, tmp, 16); + OPENSSL_cleanse(storage, sizeof(storage)); + OPENSSL_cleanse(tmp, sizeof(tmp)); } /* @@ -266,6 +270,7 @@ unsigned char *p_str = (unsigned char *)exponent; int index; unsigned int wvalue; + BN_ULONG tmp[8]; /* table[0] = 1_inv */ temp[0] = 0 - m[0]; @@ -309,7 +314,10 @@ /* from Montgomery */ rsaz_512_mul_by_one(result, temp, m, k0); + bn_reduce_once_in_place(result, /*carry=*/0, m, tmp, 8); + OPENSSL_cleanse(storage, sizeof(storage)); + OPENSSL_cleanse(tmp, sizeof(tmp)); } #endif diff -Nru openssl-1.1.1n/crypto/bn/rsaz_exp.h openssl-1.1.1v/crypto/bn/rsaz_exp.h --- openssl-1.1.1n/crypto/bn/rsaz_exp.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/bn/rsaz_exp.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2012, Intel Corporation. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -22,6 +22,8 @@ # define RSAZ_ENABLED # include +# include "internal/constant_time.h" +# include "bn_local.h" void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16], const BN_ULONG base_norm[16], @@ -35,6 +37,27 @@ const BN_ULONG m_norm[8], BN_ULONG k0, const BN_ULONG RR[8]); +static ossl_inline void bn_select_words(BN_ULONG *r, BN_ULONG mask, + const BN_ULONG *a, + const BN_ULONG *b, size_t num) +{ + size_t i; + + for (i = 0; i < num; i++) { + r[i] = constant_time_select_64(mask, a[i], b[i]); + } +} + +static ossl_inline BN_ULONG bn_reduce_once_in_place(BN_ULONG *r, + BN_ULONG carry, + const BN_ULONG *m, + BN_ULONG *tmp, size_t num) +{ + carry -= bn_sub_words(tmp, r, m, num); + bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num); + return carry; +} + # endif #endif diff -Nru openssl-1.1.1n/crypto/cms/cms_enc.c openssl-1.1.1v/crypto/cms/cms_enc.c --- openssl-1.1.1n/crypto/cms/cms_enc.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/cms/cms_enc.c 2023-08-01 13:51:35.000000000 +0000 @@ -68,7 +68,12 @@ if (enc) { int ivlen; + calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx)); + if (calg->algorithm == NULL) { + CMSerr(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM); + goto err; + } /* Generate a random IV if we need one */ ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { diff -Nru openssl-1.1.1n/crypto/cms/cms_err.c openssl-1.1.1v/crypto/cms/cms_err.c --- openssl-1.1.1n/crypto/cms/cms_err.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/cms/cms_err.c 2023-08-01 13:51:35.000000000 +0000 @@ -264,6 +264,8 @@ {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_ID), "unknown id"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM), "unsupported compression algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM), + "unsupported content encryption algorithm"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_TYPE), "unsupported content type"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEK_ALGORITHM), diff -Nru openssl-1.1.1n/crypto/conf/conf_sap.c openssl-1.1.1v/crypto/conf/conf_sap.c --- openssl-1.1.1n/crypto/conf/conf_sap.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/conf/conf_sap.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -43,16 +43,19 @@ int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings) { int ret = 0; +#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI) const char *filename; const char *appname; unsigned long flags; +#endif if (openssl_configured) return 1; - +#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI) filename = settings ? settings->filename : NULL; appname = settings ? settings->appname : NULL; flags = settings ? settings->flags : DEFAULT_CONF_MFLAGS; +#endif #ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: openssl_config_int(%s, %s, %lu)\n", diff -Nru openssl-1.1.1n/crypto/conf/keysets.pl openssl-1.1.1v/crypto/conf/keysets.pl --- openssl-1.1.1n/crypto/conf/keysets.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/conf/keysets.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -8,6 +8,9 @@ use strict; use warnings; +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; my $NUMBER = 0x0001; my $UPPER = 0x0002; @@ -54,9 +57,8 @@ push(@V_w32, $v); } -# Output year depends on the year of the script. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; - +# The year the output file is generated. +my $YEAR = OpenSSL::copyright::year_of($0); print <<"EOF"; /* * WARNING: do not edit! diff -Nru openssl-1.1.1n/crypto/dh/dh_check.c openssl-1.1.1v/crypto/dh/dh_check.c --- openssl-1.1.1n/crypto/dh/dh_check.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/dh/dh_check.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -97,10 +97,17 @@ int DH_check(const DH *dh, int *ret) { - int ok = 0, r; + int ok = 0, r, q_good = 0; BN_CTX *ctx = NULL; BIGNUM *t1 = NULL, *t2 = NULL; + /* Don't do any checks at all with an excessively large modulus */ + if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { + DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE); + *ret = DH_CHECK_P_NOT_PRIME; + return 0; + } + if (!DH_check_params(dh, ret)) return 0; @@ -113,7 +120,14 @@ if (t2 == NULL) goto err; - if (dh->q) { + if (dh->q != NULL) { + if (BN_ucmp(dh->p, dh->q) > 0) + q_good = 1; + else + *ret |= DH_CHECK_INVALID_Q_VALUE; + } + + if (q_good) { if (BN_cmp(dh->g, BN_value_one()) <= 0) *ret |= DH_NOT_SUITABLE_GENERATOR; else if (BN_cmp(dh->g, dh->p) >= 0) diff -Nru openssl-1.1.1n/crypto/dh/dh_err.c openssl-1.1.1v/crypto/dh/dh_err.c --- openssl-1.1.1n/crypto/dh/dh_err.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/dh/dh_err.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,6 +18,7 @@ {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0), "dh_builtin_genparams"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"}, diff -Nru openssl-1.1.1n/crypto/ec/curve448/curve448.c openssl-1.1.1v/crypto/ec/curve448/curve448.c --- openssl-1.1.1n/crypto/ec/curve448/curve448.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/ec/curve448/curve448.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2015-2016 Cryptography Research, Inc. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -577,6 +577,7 @@ int32_t delta = odd & mask; assert(position >= 0); + assert(pos < 32); /* can't fail since current & 0xFFFF != 0 */ if (odd & (1 << (table_bits + 1))) delta -= (1 << (table_bits + 1)); current -= delta * (1 << pos); diff -Nru openssl-1.1.1n/crypto/ec/ec_asn1.c openssl-1.1.1v/crypto/ec/ec_asn1.c --- openssl-1.1.1n/crypto/ec/ec_asn1.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/ec/ec_asn1.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -751,6 +751,16 @@ /* extract seed (optional) */ if (params->curve->seed != NULL) { + /* + * This happens for instance with + * fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a + * and causes the OPENSSL_malloc below to choke on the + * zero length allocation request. + */ + if (params->curve->seed->length == 0) { + ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR); + goto err; + } OPENSSL_free(ret->seed); if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) { ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE); @@ -784,7 +794,7 @@ } /* extract the order */ - if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) { + if (ASN1_INTEGER_to_BN(params->order, a) == NULL) { ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB); goto err; } @@ -801,7 +811,7 @@ if (params->cofactor == NULL) { BN_free(b); b = NULL; - } else if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) { + } else if (ASN1_INTEGER_to_BN(params->cofactor, b) == NULL) { ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB); goto err; } diff -Nru openssl-1.1.1n/crypto/ec/ec_key.c openssl-1.1.1v/crypto/ec/ec_key.c --- openssl-1.1.1n/crypto/ec/ec_key.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/ec/ec_key.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -444,6 +444,16 @@ return 0; /* + * Return `0` to comply with legacy behavior for this function, see + * https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696 + */ + if (priv_key == NULL) { + BN_clear_free(key->priv_key); + key->priv_key = NULL; + return 0; /* intentional for legacy compatibility */ + } + + /* * We should never leak the bit length of the secret scalar in the key, * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM` * holding the secret scalar. @@ -657,8 +667,7 @@ ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_MALLOC_FAILURE); return 0; } - eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key); - if (eckey->priv_key == NULL) { + if (BN_bin2bn(buf, len, eckey->priv_key) == NULL) { ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB); return 0; } diff -Nru openssl-1.1.1n/crypto/ec/ecp_nistz256.c openssl-1.1.1v/crypto/ec/ecp_nistz256.c --- openssl-1.1.1n/crypto/ec/ecp_nistz256.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/ec/ecp_nistz256.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2014, Intel Corporation. All Rights Reserved. * Copyright (c) 2015, CloudFlare, Inc. * @@ -973,6 +973,7 @@ return 0; } + memset(&p, 0, sizeof(p)); BN_CTX_start(ctx); if (scalar) { diff -Nru openssl-1.1.1n/crypto/engine/eng_dyn.c openssl-1.1.1v/crypto/engine/eng_dyn.c --- openssl-1.1.1n/crypto/engine/eng_dyn.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/engine/eng_dyn.c 2023-08-01 13:51:35.000000000 +0000 @@ -393,6 +393,26 @@ return 0; } +/* + * Unfortunately the version checker does not distinguish between + * engines built for openssl 1.1.x and openssl 3.x, but loading + * an engine that is built for openssl 3.x will cause a fatal + * error. Detect such engines, since EVP_PKEY_get_base_id is exported + * as a function in openssl 3.x, while it is named EVP_PKEY_base_id + * in openssl 1.1.x. Therefore we take the presence of that symbol + * as an indication that the engine will be incompatible. + */ +static int using_libcrypto_3(dynamic_data_ctx *ctx) +{ + int ret; + + ERR_set_mark(); + ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_get_base_id") != NULL; + ERR_pop_to_mark(); + + return ret; +} + static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx) { ENGINE cpy; @@ -442,18 +462,9 @@ /* * We fail if the version checker veto'd the load *or* if it is * deferring to us (by returning its version) and we think it is too - * old. - * Unfortunately the version checker does not distinguish between - * engines built for openssl 1.1.x and openssl 3.x, but loading - * an engine that is built for openssl 3.x will cause a fatal - * error. Detect such engines, since EVP_PKEY_get_base_id is exported - * as a function in openssl 3.x, while it is named EVP_PKEY_base_id - * in openssl 1.1.x. Therefore we take the presence of that symbol - * as an indication that the engine will be incompatible. + * old. Also fail if this is engine for openssl 3.x. */ - if (vcheck_res < OSSL_DYNAMIC_OLDEST - || DSO_bind_func(ctx->dynamic_dso, - "EVP_PKEY_get_base_id") != NULL) { + if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_3(ctx)) { /* Fail */ ctx->bind_engine = NULL; ctx->v_check = NULL; diff -Nru openssl-1.1.1n/crypto/err/err.c openssl-1.1.1v/crypto/err/err.c --- openssl-1.1.1n/crypto/err/err.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/err/err.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,7 +23,9 @@ #include "internal/constant_time.h" #include "e_os.h" +#ifndef OPENSSL_NO_ERR static int err_load_strings(const ERR_STRING_DATA *str); +#endif static void ERR_STATE_free(ERR_STATE *s); #ifndef OPENSSL_NO_ERR @@ -76,9 +78,9 @@ {ERR_PACK(0, SYS_F_BIND, 0), "bind"}, {ERR_PACK(0, SYS_F_LISTEN, 0), "listen"}, {ERR_PACK(0, SYS_F_ACCEPT, 0), "accept"}, -# ifdef OPENSSL_SYS_WINDOWS +#ifdef OPENSSL_SYS_WINDOWS {ERR_PACK(0, SYS_F_WSASTARTUP, 0), "WSAstartup"}, -# endif +#endif {ERR_PACK(0, SYS_F_OPENDIR, 0), "opendir"}, {ERR_PACK(0, SYS_F_FREAD, 0), "fread"}, {ERR_PACK(0, SYS_F_GETADDRINFO, 0), "getaddrinfo"}, @@ -141,21 +143,26 @@ static CRYPTO_THREAD_LOCAL err_thread_local; static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT; -static CRYPTO_RWLOCK *err_string_lock; +static CRYPTO_RWLOCK *err_string_lock = NULL; +#ifndef OPENSSL_NO_ERR static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *); +#endif /* * The internal state */ +#ifndef OPENSSL_NO_ERR static LHASH_OF(ERR_STRING_DATA) *int_error_hash = NULL; +#endif static int int_err_library_number = ERR_LIB_USER; static unsigned long get_error_values(int inc, int top, const char **file, int *line, const char **data, int *flags); +#ifndef OPENSSL_NO_ERR static unsigned long err_string_data_hash(const ERR_STRING_DATA *a) { unsigned long ret, l; @@ -184,7 +191,6 @@ return p; } -#ifndef OPENSSL_NO_ERR /* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */ # define SPACE_SYS_STR_REASONS 8 * 1024 # define NUM_SYS_STR_REASONS 127 @@ -299,6 +305,7 @@ err_string_lock = CRYPTO_THREAD_lock_new(); if (err_string_lock == NULL) return 0; +#ifndef OPENSSL_NO_ERR int_error_hash = lh_ERR_STRING_DATA_new(err_string_data_hash, err_string_data_cmp); if (int_error_hash == NULL) { @@ -306,6 +313,7 @@ err_string_lock = NULL; return 0; } +#endif return 1; } @@ -315,10 +323,13 @@ CRYPTO_THREAD_cleanup_local(&err_thread_local); CRYPTO_THREAD_lock_free(err_string_lock); err_string_lock = NULL; +#ifndef OPENSSL_NO_ERR lh_ERR_STRING_DATA_free(int_error_hash); int_error_hash = NULL; +#endif } +#ifndef OPENSSL_NO_ERR /* * Legacy; pack in the library. */ @@ -342,6 +353,7 @@ CRYPTO_THREAD_unlock(err_string_lock); return 1; } +#endif int ERR_load_ERR_strings(void) { @@ -360,24 +372,31 @@ int ERR_load_strings(int lib, ERR_STRING_DATA *str) { +#ifndef OPENSSL_NO_ERR if (ERR_load_ERR_strings() == 0) return 0; err_patch(lib, str); err_load_strings(str); +#endif + return 1; } int ERR_load_strings_const(const ERR_STRING_DATA *str) { +#ifndef OPENSSL_NO_ERR if (ERR_load_ERR_strings() == 0) return 0; err_load_strings(str); +#endif + return 1; } int ERR_unload_strings(int lib, ERR_STRING_DATA *str) { +#ifndef OPENSSL_NO_ERR if (!RUN_ONCE(&err_string_init, do_err_strings_init)) return 0; @@ -389,14 +408,14 @@ for (; str->error; str++) (void)lh_ERR_STRING_DATA_delete(int_error_hash, str); CRYPTO_THREAD_unlock(err_string_lock); +#endif return 1; } void err_free_strings_int(void) { - if (!RUN_ONCE(&err_string_init, do_err_strings_init)) - return; + /* obsolete */ } /********************************************************/ @@ -636,6 +655,7 @@ const char *ERR_lib_error_string(unsigned long e) { +#ifndef OPENSSL_NO_ERR ERR_STRING_DATA d, *p; unsigned long l; @@ -647,10 +667,14 @@ d.error = ERR_PACK(l, 0, 0); p = int_err_get_item(&d); return ((p == NULL) ? NULL : p->string); +#else + return NULL; +#endif } const char *ERR_func_error_string(unsigned long e) { +#ifndef OPENSSL_NO_ERR ERR_STRING_DATA d, *p; unsigned long l, f; @@ -663,10 +687,14 @@ d.error = ERR_PACK(l, f, 0); p = int_err_get_item(&d); return ((p == NULL) ? NULL : p->string); +#else + return NULL; +#endif } const char *ERR_reason_error_string(unsigned long e) { +#ifndef OPENSSL_NO_ERR ERR_STRING_DATA d, *p = NULL; unsigned long l, r; @@ -683,6 +711,9 @@ p = int_err_get_item(&d); } return ((p == NULL) ? NULL : p->string); +#else + return NULL; +#endif } void err_delete_thread_state(void) diff -Nru openssl-1.1.1n/crypto/err/openssl.txt openssl-1.1.1v/crypto/err/openssl.txt --- openssl-1.1.1n/crypto/err/openssl.txt 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/err/openssl.txt 2023-08-01 13:51:35.000000000 +0000 @@ -1,4 +1,4 @@ -# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -401,6 +401,7 @@ DH_F_COMPUTE_KEY:102:compute_key DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams +DH_F_DH_CHECK:126:DH_check DH_F_DH_CHECK_EX:121:DH_check_ex DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex @@ -2023,6 +2024,8 @@ CMS_R_UNKNOWN_DIGEST_ALGORITHM:149:unknown digest algorithm CMS_R_UNKNOWN_ID:150:unknown id CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM:151:unsupported compression algorithm +CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM:194:\ + unsupported content encryption algorithm CMS_R_UNSUPPORTED_CONTENT_TYPE:152:unsupported content type CMS_R_UNSUPPORTED_KEK_ALGORITHM:153:unsupported kek algorithm CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM:179:\ diff -Nru openssl-1.1.1n/crypto/evp/bio_enc.c openssl-1.1.1v/crypto/evp/bio_enc.c --- openssl-1.1.1n/crypto/evp/bio_enc.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/evp/bio_enc.c 2023-08-01 13:51:35.000000000 +0000 @@ -299,6 +299,7 @@ int i; EVP_CIPHER_CTX **c_ctx; BIO *next; + int pend; ctx = BIO_get_data(b); next = BIO_next(b); @@ -334,8 +335,14 @@ /* do a final write */ again: while (ctx->buf_len != ctx->buf_off) { + pend = ctx->buf_len - ctx->buf_off; i = enc_write(b, NULL, 0); - if (i < 0) + /* + * i should never be > 0 here because we didn't ask to write any + * new data. We stop if we get an error or we failed to make any + * progress writing pending data. + */ + if (i < 0 || (ctx->buf_len - ctx->buf_off) == pend) return i; } diff -Nru openssl-1.1.1n/crypto/evp/evp_enc.c openssl-1.1.1v/crypto/evp/evp_enc.c --- openssl-1.1.1n/crypto/evp/evp_enc.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/evp/evp_enc.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -281,7 +281,7 @@ # define PTRDIFF_T size_t #endif -int is_partially_overlapping(const void *ptr1, const void *ptr2, int len) +int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len) { PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2; /* @@ -299,7 +299,8 @@ unsigned char *out, int *outl, const unsigned char *in, int inl) { - int i, j, bl, cmpl = inl; + int i, j, bl; + size_t cmpl = (size_t)inl; if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) cmpl = (cmpl + 7) / 8; @@ -464,8 +465,9 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { - int fix_len, cmpl = inl; + int fix_len; unsigned int b; + size_t cmpl = (size_t)inl; /* Prevent accidental use of encryption context when decrypting */ if (ctx->encrypt) { diff -Nru openssl-1.1.1n/crypto/evp/evp_local.h openssl-1.1.1v/crypto/evp/evp_local.h --- openssl-1.1.1n/crypto/evp/evp_local.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/evp/evp_local.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -65,4 +65,4 @@ typedef struct evp_pbe_st EVP_PBE_CTL; DEFINE_STACK_OF(EVP_PBE_CTL) -int is_partially_overlapping(const void *ptr1, const void *ptr2, int len); +int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len); diff -Nru openssl-1.1.1n/crypto/init.c openssl-1.1.1v/crypto/init.c --- openssl-1.1.1n/crypto/init.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/init.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -211,7 +211,7 @@ } static CRYPTO_ONCE load_crypto_strings = CRYPTO_ONCE_STATIC_INIT; -static int load_crypto_strings_inited = 0; + DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings) { int ret = 1; @@ -225,7 +225,6 @@ "err_load_crypto_strings_int()\n"); # endif ret = err_load_crypto_strings_int(); - load_crypto_strings_inited = 1; #endif return ret; } @@ -549,14 +548,6 @@ async_deinit(); } - if (load_crypto_strings_inited) { -#ifdef OPENSSL_INIT_DEBUG - fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: " - "err_free_strings_int()\n"); -#endif - err_free_strings_int(); - } - key = destructor_key.value; destructor_key.sane = -1; CRYPTO_THREAD_cleanup_local(&key); diff -Nru openssl-1.1.1n/crypto/objects/obj_dat.c openssl-1.1.1v/crypto/objects/obj_dat.c --- openssl-1.1.1n/crypto/objects/obj_dat.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/objects/obj_dat.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -428,6 +428,25 @@ first = 1; bl = NULL; + /* + * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: + * + * > 3.5. OBJECT IDENTIFIER values + * > + * > An OBJECT IDENTIFIER value is an ordered list of non-negative + * > numbers. For the SMIv2, each number in the list is referred to as a + * > sub-identifier, there are at most 128 sub-identifiers in a value, + * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 + * > decimal). + * + * So a legitimate OID according to this RFC is at most (32 * 128 / 7), + * i.e. 586 bytes long. + * + * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + */ + if (len > 586) + goto err; + while (len > 0) { l = 0; use_bn = 0; diff -Nru openssl-1.1.1n/crypto/objects/obj_dat.pl openssl-1.1.1v/crypto/objects/obj_dat.pl --- openssl-1.1.1n/crypto/objects/obj_dat.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/objects/obj_dat.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -9,6 +9,9 @@ use integer; use strict; use warnings; +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; # Generate the DER encoding for the given OID. sub der_it @@ -36,10 +39,8 @@ return $ret; } -# Output year depends on the year of the script and the input file. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; -my $iYEAR = [localtime([stat($ARGV[0])]->[9])]->[5] + 1900; -$YEAR = $iYEAR if $iYEAR > $YEAR; +# The year the output file is generated. +my $YEAR = OpenSSL::copyright::latest(($0, $ARGV[0])); # Read input, parse all #define's into OID name and value. # Populate %ln and %sn with long and short names (%dupln and %dupsn) diff -Nru openssl-1.1.1n/crypto/objects/objects.pl openssl-1.1.1v/crypto/objects/objects.pl --- openssl-1.1.1n/crypto/objects/objects.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/objects/objects.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -7,16 +7,15 @@ # https://www.openssl.org/source/license.html use Getopt::Std; +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; our($opt_n); getopts('n'); -# Output year depends on the year of the script and the input file. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; -my $iYEAR = [localtime([stat($ARGV[0])]->[9])]->[5] + 1900; -$YEAR = $iYEAR if $iYEAR > $YEAR; -$iYEAR = [localtime([stat($ARGV[1])]->[9])]->[5] + 1900; -$YEAR = $iYEAR if $iYEAR > $YEAR; +# The year the output file is generated. +my $YEAR = OpenSSL::copyright::latest(($0, $ARGV[1], $ARGV[0])); open (NUMIN,"$ARGV[1]") || die "Can't open number file $ARGV[1]"; $max_nid=0; diff -Nru openssl-1.1.1n/crypto/objects/objxref.pl openssl-1.1.1v/crypto/objects/objxref.pl --- openssl-1.1.1n/crypto/objects/objxref.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/objects/objxref.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -8,18 +8,17 @@ use strict; +use FindBin; +use lib "$FindBin::Bin/../../util/perl"; +use OpenSSL::copyright; my %xref_tbl; my %oid_tbl; my ($mac_file, $xref_file) = @ARGV; -# Output year depends on the year of the script and the input file. -my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900; -my $iYEAR = [localtime([stat($mac_file)]->[9])]->[5] + 1900; -$YEAR = $iYEAR if $iYEAR > $YEAR; -$iYEAR = [localtime([stat($xref_file)]->[9])]->[5] + 1900; -$YEAR = $iYEAR if $iYEAR > $YEAR; +# The year the output file is generated. +my $YEAR = OpenSSL::copyright::latest(($0, $mac_file, $xref_file)); open(IN, $mac_file) || die "Can't open $mac_file, $!\n"; diff -Nru openssl-1.1.1n/crypto/pem/pem_lib.c openssl-1.1.1v/crypto/pem/pem_lib.c --- openssl-1.1.1n/crypto/pem/pem_lib.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/pem/pem_lib.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -621,7 +621,7 @@ (BIO_write(bp, "-----\n", 6) != 6)) goto err; - i = strlen(header); + i = header != NULL ? strlen(header) : 0; if (i > 0) { if ((BIO_write(bp, header, i) != i) || (BIO_write(bp, "\n", 1) != 1)) goto err; @@ -791,7 +791,7 @@ { BIO *tmp = *header; char *linebuf, *p; - int len, line, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0; + int len, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0; /* 0 if not seen (yet), 1 if reading header, 2 if finished header */ enum header_status got_header = MAYBE_HEADER; unsigned int flags_mask; @@ -805,7 +805,7 @@ return 0; } - for (line = 0; ; line++) { + for (;;) { flags_mask = ~0u; len = BIO_gets(bp, linebuf, LINESIZE); if (len <= 0) { @@ -957,7 +957,9 @@ *data = pem_malloc(len, flags); if (*header == NULL || *data == NULL) { pem_free(*header, flags, 0); + *header = NULL; pem_free(*data, flags, 0); + *data = NULL; goto end; } BIO_read(headerB, *header, headerlen); diff -Nru openssl-1.1.1n/crypto/rand/drbg_lib.c openssl-1.1.1v/crypto/rand/drbg_lib.c --- openssl-1.1.1n/crypto/rand/drbg_lib.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/rand/drbg_lib.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -354,13 +354,8 @@ drbg->state = DRBG_READY; drbg->generate_counter = 1; drbg->reseed_time = time(NULL); - if (drbg->enable_reseed_propagation) { - if (drbg->parent == NULL) - tsan_counter(&drbg->reseed_counter); - else - tsan_store(&drbg->reseed_counter, - tsan_load(&drbg->parent->reseed_counter)); - } + if (drbg->enable_reseed_propagation && drbg->parent == NULL) + tsan_counter(&drbg->reseed_counter); end: if (entropy != NULL && drbg->cleanup_entropy != NULL) @@ -444,13 +439,8 @@ drbg->state = DRBG_READY; drbg->generate_counter = 1; drbg->reseed_time = time(NULL); - if (drbg->enable_reseed_propagation) { - if (drbg->parent == NULL) - tsan_counter(&drbg->reseed_counter); - else - tsan_store(&drbg->reseed_counter, - tsan_load(&drbg->parent->reseed_counter)); - } + if (drbg->enable_reseed_propagation && drbg->parent == NULL) + tsan_counter(&drbg->reseed_counter); end: if (entropy != NULL && drbg->cleanup_entropy != NULL) diff -Nru openssl-1.1.1n/crypto/rand/rand_lib.c openssl-1.1.1v/crypto/rand/rand_lib.c --- openssl-1.1.1n/crypto/rand/rand_lib.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/rand/rand_lib.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -172,8 +172,12 @@ if (RAND_DRBG_generate(drbg->parent, buffer, bytes_needed, prediction_resistance, - (unsigned char *)&drbg, sizeof(drbg)) != 0) + (unsigned char *)&drbg, sizeof(drbg)) != 0) { bytes = bytes_needed; + if (drbg->enable_reseed_propagation) + tsan_store(&drbg->reseed_counter, + tsan_load(&drbg->parent->reseed_counter)); + } rand_drbg_unlock(drbg->parent); rand_pool_add_end(pool, bytes, 8 * bytes); diff -Nru openssl-1.1.1n/crypto/rand/rand_vms.c openssl-1.1.1v/crypto/rand/rand_vms.c --- openssl-1.1.1n/crypto/rand/rand_vms.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/rand/rand_vms.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -479,31 +479,6 @@ return rand_pool_entropy_available(pool); } -int rand_pool_add_nonce_data(RAND_POOL *pool) -{ - struct { - pid_t pid; - CRYPTO_THREAD_ID tid; - unsigned __int64 time; - } data = { 0 }; - - /* - * Add process id, thread id, and a high resolution timestamp - * (where available, which is OpenVMS v8.4 and up) to ensure that - * the nonce is unique with high probability for different process - * instances. - */ - data.pid = getpid(); - data.tid = CRYPTO_THREAD_get_current_id(); -#if __CRTL_VER >= 80400000 - sys$gettim_prec(&data.time); -#else - sys$gettim((void*)&data.time); -#endif - - return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); -} - /* * SYS$GET_ENTROPY METHOD * ====================== @@ -577,6 +552,59 @@ return data_collect_method(pool); } +int rand_pool_add_nonce_data(RAND_POOL *pool) +{ + /* + * Two variables to ensure that two nonces won't ever be the same + */ + static unsigned __int64 last_time = 0; + static unsigned __int32 last_seq = 0; + + struct { + pid_t pid; + CRYPTO_THREAD_ID tid; + unsigned __int64 time; + unsigned __int32 seq; + } data; + + /* Erase the entire structure including any padding */ + memset(&data, 0, sizeof(data)); + + /* + * Add process id, thread id, a timestamp, and a sequence number in case + * the same time stamp is repeated, to ensure that the nonce is unique + * with high probability for different process instances. + * + * The normal OpenVMS time is specified to be high granularity (100ns), + * but the time update granularity given by sys$gettim() may be lower. + * + * OpenVMS version 8.4 (which is the latest for Alpha and Itanium) and + * on have sys$gettim_prec() as well, which is supposedly having a better + * time update granularity, but tests on Itanium (and even Alpha) have + * shown that compared with sys$gettim(), the difference is marginal, + * so of very little significance in terms of entropy. + * Given that, and that it's a high ask to expect everyone to have + * upgraded to OpenVMS version 8.4, only sys$gettim() is used, and a + * sequence number is added as well, in case sys$gettim() returns the + * same time value more than once. + * + * This function is assumed to be called under thread lock, and does + * therefore not take concurrency into account. + */ + data.pid = getpid(); + data.tid = CRYPTO_THREAD_get_current_id(); + data.seq = 0; + sys$gettim((void*)&data.time); + + if (data.time == last_time) { + data.seq = ++last_seq; + } else { + last_time = data.time; + last_seq = 0; + } + + return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); +} int rand_pool_add_additional_data(RAND_POOL *pool) { @@ -586,16 +614,12 @@ } data = { 0 }; /* - * Add some noise from the thread id and a high resolution timer. - * The thread id adds a little randomness if the drbg is accessed - * concurrently (which is the case for the drbg). + * Add some noise from the thread id and a timer. The thread id adds a + * little randomness if the drbg is accessed concurrently (which is the + * case for the drbg). */ data.tid = CRYPTO_THREAD_get_current_id(); -#if __CRTL_VER >= 80400000 - sys$gettim_prec(&data.time); -#else sys$gettim((void*)&data.time); -#endif return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); } diff -Nru openssl-1.1.1n/crypto/rand/rand_win.c openssl-1.1.1v/crypto/rand/rand_win.c --- openssl-1.1.1n/crypto/rand/rand_win.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/rand/rand_win.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,7 +26,9 @@ # ifdef USE_BCRYPTGENRANDOM # include -# pragma comment(lib, "bcrypt.lib") +# ifdef _MSC_VER +# pragma comment(lib, "bcrypt.lib") +# endif # ifndef STATUS_SUCCESS # define STATUS_SUCCESS ((NTSTATUS)0x00000000L) # endif diff -Nru openssl-1.1.1n/crypto/rsa/rsa_ameth.c openssl-1.1.1v/crypto/rsa/rsa_ameth.c --- openssl-1.1.1n/crypto/rsa/rsa_ameth.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/rsa/rsa_ameth.c 2023-08-01 13:51:35.000000000 +0000 @@ -172,6 +172,7 @@ strtype, str, rk, rklen)) { RSAerr(RSA_F_RSA_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); ASN1_STRING_free(str); + OPENSSL_clear_free(rk, rklen); return 0; } diff -Nru openssl-1.1.1n/crypto/rsa/rsa_ossl.c openssl-1.1.1v/crypto/rsa/rsa_ossl.c --- openssl-1.1.1n/crypto/rsa/rsa_ossl.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/rsa/rsa_ossl.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -226,6 +226,7 @@ * will only read the modulus from BN_BLINDING. In both cases it's safe * to access the blinding without a lock. */ + BN_set_flags(f, BN_FLG_CONSTTIME); return BN_BLINDING_invert_ex(f, unblind, b, ctx); } @@ -412,6 +413,11 @@ goto err; } + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, + rsa->n, ctx)) + goto err; + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { blinding = rsa_get_blinding(rsa, &local_blinding, ctx); if (blinding == NULL) { @@ -449,13 +455,6 @@ goto err; } BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, - rsa->n, ctx)) { - BN_free(d); - goto err; - } if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) { BN_free(d); diff -Nru openssl-1.1.1n/crypto/s390x_arch.h openssl-1.1.1v/crypto/s390x_arch.h --- openssl-1.1.1n/crypto/s390x_arch.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/s390x_arch.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -47,6 +47,9 @@ unsigned long long kma[2]; }; +#if defined(__GNUC__) && defined(__linux) +__attribute__ ((visibility("hidden"))) +#endif extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; /* convert facility bit number or function code to bit mask */ diff -Nru openssl-1.1.1n/crypto/s390xcap.c openssl-1.1.1v/crypto/s390xcap.c --- openssl-1.1.1n/crypto/s390xcap.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/s390xcap.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,6 +26,9 @@ struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; +#if defined(__GNUC__) && defined(__linux) +__attribute__ ((visibility("hidden"))) +#endif void OPENSSL_cpuid_setup(void) { sigset_t oset; diff -Nru openssl-1.1.1n/crypto/txt_db/txt_db.c openssl-1.1.1v/crypto/txt_db/txt_db.c --- openssl-1.1.1n/crypto/txt_db/txt_db.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/txt_db/txt_db.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -21,7 +21,6 @@ { TXT_DB *ret = NULL; int esc = 0; - long ln = 0; int i, add, n; int size = BUFSIZE; int offset = 0; @@ -61,7 +60,6 @@ } buf->data[offset] = '\0'; BIO_gets(in, &(buf->data[offset]), size - offset); - ln++; if (buf->data[offset] == '\0') break; if ((offset == 0) && (buf->data[0] == '#')) diff -Nru openssl-1.1.1n/crypto/ui/ui_lib.c openssl-1.1.1v/crypto/ui/ui_lib.c --- openssl-1.1.1n/crypto/ui/ui_lib.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/ui/ui_lib.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -529,6 +529,10 @@ ok = 0; break; } + } else { + ui->flags &= ~UI_FLAG_REDOABLE; + ok = -2; + goto err; } } diff -Nru openssl-1.1.1n/crypto/ui/ui_util.c openssl-1.1.1v/crypto/ui/ui_util.c --- openssl-1.1.1n/crypto/ui/ui_util.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/ui/ui_util.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -32,7 +32,7 @@ int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, int verify) { - int ok = 0; + int ok = -2; UI *ui; if (size < 1) @@ -47,8 +47,6 @@ ok = UI_process(ui); UI_free(ui); } - if (ok > 0) - ok = 0; return ok; } diff -Nru openssl-1.1.1n/crypto/x509/by_dir.c openssl-1.1.1v/crypto/x509/by_dir.c --- openssl-1.1.1n/crypto/x509/by_dir.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509/by_dir.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -332,9 +332,13 @@ tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j); X509_STORE_unlock(xl->store_ctx); - /* If a CRL, update the last file suffix added for this */ - - if (type == X509_LU_CRL) { + /* + * If a CRL, update the last file suffix added for this. + * We don't need to add an entry if k is 0 as this is the initial value. + * This avoids the need for a write lock and sort operation in the + * simple case where no CRL is present for a hash. + */ + if (type == X509_LU_CRL && k > 0) { CRYPTO_THREAD_write_lock(ctx->lock); /* * Look for entry again in case another thread added an entry @@ -362,6 +366,12 @@ ok = 0; goto finish; } + + /* + * Ensure stack is sorted so that subsequent sk_BY_DIR_HASH_find + * will not mutate the stack and therefore require a write lock. + */ + sk_BY_DIR_HASH_sort(ent->hashes); } else if (hent->suffix < k) { hent->suffix = k; } diff -Nru openssl-1.1.1n/crypto/x509/x509_cmp.c openssl-1.1.1v/crypto/x509/x509_cmp.c --- openssl-1.1.1n/crypto/x509/x509_cmp.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509/x509_cmp.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -34,7 +34,7 @@ unsigned long ret = 0; EVP_MD_CTX *ctx = EVP_MD_CTX_new(); unsigned char md[16]; - char *f; + char *f = NULL; if (ctx == NULL) goto err; @@ -45,7 +45,6 @@ goto err; if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f))) goto err; - OPENSSL_free(f); if (!EVP_DigestUpdate (ctx, (unsigned char *)a->cert_info.serialNumber.data, (unsigned long)a->cert_info.serialNumber.length)) @@ -56,6 +55,7 @@ ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) ) & 0xffffffffL; err: + OPENSSL_free(f); EVP_MD_CTX_free(ctx); return ret; } diff -Nru openssl-1.1.1n/crypto/x509/x509_req.c openssl-1.1.1v/crypto/x509/x509_req.c --- openssl-1.1.1n/crypto/x509/x509_req.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509/x509_req.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -167,7 +167,9 @@ ext = X509_ATTRIBUTE_get0_type(attr, 0); break; } - if (!ext || (ext->type != V_ASN1_SEQUENCE)) + if (ext == NULL) /* no extensions is not an error */ + return sk_X509_EXTENSION_new_null(); + if (ext->type != V_ASN1_SEQUENCE) return NULL; p = ext->value.sequence->data; return (STACK_OF(X509_EXTENSION) *) @@ -227,44 +229,52 @@ X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc) { - return X509at_delete_attr(req->req_info.attributes, loc); + X509_ATTRIBUTE *attr = X509at_delete_attr(req->req_info.attributes, loc); + + if (attr != NULL) + req->req_info.enc.modified = 1; + return attr; } int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr) { - if (X509at_add1_attr(&req->req_info.attributes, attr)) - return 1; - return 0; + if (!X509at_add1_attr(&req->req_info.attributes, attr)) + return 0; + req->req_info.enc.modified = 1; + return 1; } int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, const ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len) { - if (X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj, - type, bytes, len)) - return 1; - return 0; + if (!X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj, + type, bytes, len)) + return 0; + req->req_info.enc.modified = 1; + return 1; } int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, int type, const unsigned char *bytes, int len) { - if (X509at_add1_attr_by_NID(&req->req_info.attributes, nid, - type, bytes, len)) - return 1; - return 0; + if (!X509at_add1_attr_by_NID(&req->req_info.attributes, nid, + type, bytes, len)) + return 0; + req->req_info.enc.modified = 1; + return 1; } int X509_REQ_add1_attr_by_txt(X509_REQ *req, const char *attrname, int type, const unsigned char *bytes, int len) { - if (X509at_add1_attr_by_txt(&req->req_info.attributes, attrname, - type, bytes, len)) - return 1; - return 0; + if (!X509at_add1_attr_by_txt(&req->req_info.attributes, attrname, + type, bytes, len)) + return 0; + req->req_info.enc.modified = 1; + return 1; } long X509_REQ_get_version(const X509_REQ *req) diff -Nru openssl-1.1.1n/crypto/x509/x509_vfy.c openssl-1.1.1v/crypto/x509/x509_vfy.c --- openssl-1.1.1n/crypto/x509/x509_vfy.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509/x509_vfy.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -973,14 +973,14 @@ time_t *ptime; int i; - if (notify) - ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) return 1; else ptime = NULL; + if (notify) + ctx->current_crl = crl; i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime); if (i == 0) { @@ -1649,18 +1649,25 @@ } /* Invalid or inconsistent extensions */ if (ret == X509_PCY_TREE_INVALID) { - int i; + int i, cbcalled = 0; /* Locate certificates with bad extensions and notify callback. */ - for (i = 1; i < sk_X509_num(ctx->chain); i++) { + for (i = 0; i < sk_X509_num(ctx->chain); i++) { X509 *x = sk_X509_value(ctx->chain, i); if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) continue; + cbcalled = 1; if (!verify_cb_cert(ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION)) return 0; } + if (!cbcalled) { + /* Should not be able to get here */ + X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); + return 0; + } + /* The callback ignored the error so we return success */ return 1; } if (ret == X509_PCY_TREE_FAILURE) { diff -Nru openssl-1.1.1n/crypto/x509/x_all.c openssl-1.1.1v/crypto/x509/x_all.c --- openssl-1.1.1n/crypto/x509/x_all.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509/x_all.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,6 +41,13 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { + /* + * Setting the modified flag before signing it. This makes the cached + * encoding to be ignored, so even if the certificate fields have changed, + * they are signed correctly. + * The X509_sign_ctx, X509_REQ_sign{,_ctx}, X509_CRL_sign{,_ctx} functions + * which exist below are the same. + */ x->cert_info.enc.modified = 1; return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature, &x->sig_alg, &x->signature, &x->cert_info, pkey, @@ -65,12 +72,14 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) { + x->req_info.enc.modified = 1; return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL, x->signature, &x->req_info, pkey, md)); } int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) { + x->req_info.enc.modified = 1; return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL, x->signature, &x->req_info, ctx); diff -Nru openssl-1.1.1n/crypto/x509/x_crl.c openssl-1.1.1v/crypto/x509/x_crl.c --- openssl-1.1.1n/crypto/x509/x_crl.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509/x_crl.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -103,13 +103,17 @@ if (gtmp) { gens = gtmp; - if (!crl->issuers) { + if (crl->issuers == NULL) { crl->issuers = sk_GENERAL_NAMES_new_null(); - if (!crl->issuers) + if (crl->issuers == NULL) { + GENERAL_NAMES_free(gtmp); return 0; + } } - if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) + if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) { + GENERAL_NAMES_free(gtmp); return 0; + } } rev->issuer = gens; @@ -255,7 +259,7 @@ break; case ASN1_OP_FREE_POST: - if (crl->meth->crl_free) { + if (crl->meth != NULL && crl->meth->crl_free != NULL) { if (!crl->meth->crl_free(crl)) return 0; } diff -Nru openssl-1.1.1n/crypto/x509/x_name.c openssl-1.1.1v/crypto/x509/x_name.c --- openssl-1.1.1n/crypto/x509/x_name.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509/x_name.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -493,9 +493,7 @@ int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) { char *s, *c, *b; - int l, i; - - l = 80 - 2 - obase; + int i; b = X509_NAME_oneline(name, NULL, 0); if (!b) @@ -521,12 +519,10 @@ if (BIO_write(bp, ", ", 2) != 2) goto err; } - l--; } if (*s == '\0') break; s++; - l--; } OPENSSL_free(b); diff -Nru openssl-1.1.1n/crypto/x509v3/pcy_local.h openssl-1.1.1v/crypto/x509v3/pcy_local.h --- openssl-1.1.1n/crypto/x509v3/pcy_local.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509v3/pcy_local.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -111,6 +111,11 @@ }; struct X509_POLICY_TREE_st { + /* The number of nodes in the tree */ + size_t node_count; + /* The maximum number of nodes in the tree */ + size_t node_maximum; + /* This is the tree 'level' data */ X509_POLICY_LEVEL *levels; int nlevel; @@ -159,7 +164,8 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, X509_POLICY_DATA *data, X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree); + X509_POLICY_TREE *tree, + int extra_data); void policy_node_free(X509_POLICY_NODE *node); int policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); diff -Nru openssl-1.1.1n/crypto/x509v3/pcy_node.c openssl-1.1.1v/crypto/x509v3/pcy_node.c --- openssl-1.1.1n/crypto/x509v3/pcy_node.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509v3/pcy_node.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -59,10 +59,15 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, X509_POLICY_DATA *data, X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree) + X509_POLICY_TREE *tree, + int extra_data) { X509_POLICY_NODE *node; + /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ + if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) + return NULL; + node = OPENSSL_zalloc(sizeof(*node)); if (node == NULL) { X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); @@ -70,7 +75,7 @@ } node->data = data; node->parent = parent; - if (level) { + if (level != NULL) { if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { if (level->anyPolicy) goto node_error; @@ -90,24 +95,33 @@ } } - if (tree) { + if (extra_data) { if (tree->extra_data == NULL) tree->extra_data = sk_X509_POLICY_DATA_new_null(); if (tree->extra_data == NULL){ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); - goto node_error; + goto extra_data_error; } if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) { X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); - goto node_error; + goto extra_data_error; } } + tree->node_count++; if (parent) parent->nchild++; return node; + extra_data_error: + if (level != NULL) { + if (level->anyPolicy == node) + level->anyPolicy = NULL; + else + (void) sk_X509_POLICY_NODE_pop(level->nodes); + } + node_error: policy_node_free(node); return NULL; diff -Nru openssl-1.1.1n/crypto/x509v3/pcy_tree.c openssl-1.1.1v/crypto/x509v3/pcy_tree.c --- openssl-1.1.1n/crypto/x509v3/pcy_tree.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509v3/pcy_tree.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,6 +14,20 @@ #include "pcy_local.h" /* + * If the maximum number of nodes in the policy tree isn't defined, set it to + * a generous default of 1000 nodes. + * + * Defining this to be zero means unlimited policy tree growth which opens the + * door on CVE-2023-0464. + */ + +#ifndef OPENSSL_POLICY_TREE_NODES_MAX +# define OPENSSL_POLICY_TREE_NODES_MAX 1000 +#endif + +static void exnode_free(X509_POLICY_NODE *node); + +/* * Enable this to print out the complete policy tree at various point during * evaluation. */ @@ -168,6 +182,9 @@ return X509_PCY_TREE_INTERNAL; } + /* Limit the growth of the tree to mitigate CVE-2023-0464 */ + tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; + /* * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. * @@ -184,7 +201,7 @@ level = tree->levels; if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL) goto bad_tree; - if (level_add_node(level, data, NULL, tree) == NULL) { + if (level_add_node(level, data, NULL, tree, 1) == NULL) { policy_data_free(data); goto bad_tree; } @@ -243,7 +260,8 @@ * Return value: 1 on success, 0 otherwise */ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data) + X509_POLICY_DATA *data, + X509_POLICY_TREE *tree) { X509_POLICY_LEVEL *last = curr - 1; int i, matched = 0; @@ -253,13 +271,13 @@ X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); if (policy_node_match(last, node, data->valid_policy)) { - if (level_add_node(curr, data, node, NULL) == NULL) + if (level_add_node(curr, data, node, tree, 0) == NULL) return 0; matched = 1; } } if (!matched && last->anyPolicy) { - if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL) + if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) return 0; } return 1; @@ -272,7 +290,8 @@ * Return value: 1 on success, 0 otherwise. */ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache) + const X509_POLICY_CACHE *cache, + X509_POLICY_TREE *tree) { int i; @@ -280,7 +299,7 @@ X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); /* Look for matching nodes in previous level */ - if (!tree_link_matching_nodes(curr, data)) + if (!tree_link_matching_nodes(curr, data, tree)) return 0; } return 1; @@ -311,7 +330,7 @@ /* Curr may not have anyPolicy */ data->qualifier_set = cache->anyPolicy->qualifier_set; data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; - if (level_add_node(curr, data, node, tree) == NULL) { + if (level_add_node(curr, data, node, tree, 1) == NULL) { policy_data_free(data); return 0; } @@ -373,7 +392,7 @@ } /* Finally add link to anyPolicy */ if (last->anyPolicy && - level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL) + level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL) return 0; return 1; } @@ -555,15 +574,24 @@ extra->qualifier_set = anyPolicy->data->qualifier_set; extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS | POLICY_DATA_FLAG_EXTRA_NODE; - node = level_add_node(NULL, extra, anyPolicy->parent, tree); + node = level_add_node(NULL, extra, anyPolicy->parent, + tree, 1); + if (node == NULL) { + policy_data_free(extra); + return 0; + } } if (!tree->user_policies) { tree->user_policies = sk_X509_POLICY_NODE_new_null(); - if (!tree->user_policies) - return 1; + if (!tree->user_policies) { + exnode_free(node); + return 0; + } } - if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) + if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) { + exnode_free(node); return 0; + } } return 1; } @@ -582,7 +610,7 @@ for (i = 1; i < tree->nlevel; i++, curr++) { cache = policy_cache_set(curr->cert); - if (!tree_link_nodes(curr, cache)) + if (!tree_link_nodes(curr, cache, tree)) return X509_PCY_TREE_INTERNAL; if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) diff -Nru openssl-1.1.1n/crypto/x509v3/v3_addr.c openssl-1.1.1v/crypto/x509v3/v3_addr.c --- openssl-1.1.1n/crypto/x509v3/v3_addr.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509v3/v3_addr.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,6 +13,8 @@ #include #include +#include +#include #include "internal/cryptlib.h" #include @@ -342,8 +344,13 @@ unsigned char mask; int i, j; - if (memcmp(min, max, length) <= 0) - return -1; + /* + * It is the responsibility of the caller to confirm min <= max. We don't + * use ossl_assert() here since we have no way of signalling an error from + * this function - so we just use a plain assert instead. + */ + assert(memcmp(min, max, length) <= 0); + for (i = 0; i < length && min[i] == max[i]; i++) ; for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ; if (i < j) @@ -385,12 +392,14 @@ /* * Construct a prefix. */ -static int make_addressPrefix(IPAddressOrRange **result, - unsigned char *addr, const int prefixlen) +static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr, + const int prefixlen, const int afilen) { int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; IPAddressOrRange *aor = IPAddressOrRange_new(); + if (prefixlen < 0 || prefixlen > (afilen * 8)) + return 0; if (aor == NULL) return 0; aor->type = IPAddressOrRange_addressPrefix; @@ -426,8 +435,11 @@ IPAddressOrRange *aor; int i, prefixlen; + if (memcmp(min, max, length) > 0) + return 0; + if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) - return make_addressPrefix(result, min, prefixlen); + return make_addressPrefix(result, min, prefixlen, length); if ((aor = IPAddressOrRange_new()) == NULL) return 0; @@ -589,7 +601,9 @@ { IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); IPAddressOrRange *aor; - if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) + + if (aors == NULL + || !make_addressPrefix(&aor, a, prefixlen, length_from_afi(afi))) return 0; if (sk_IPAddressOrRange_push(aors, aor)) return 1; @@ -986,7 +1000,10 @@ switch (delim) { case '/': prefixlen = (int)strtoul(s + i2, &t, 10); - if (t == s + i2 || *t != '\0') { + if (t == s + i2 + || *t != '\0' + || prefixlen > (length * 8) + || prefixlen < 0) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); X509V3_conf_err(val); diff -Nru openssl-1.1.1n/crypto/x509v3/v3_asid.c openssl-1.1.1v/crypto/x509v3/v3_asid.c --- openssl-1.1.1n/crypto/x509v3/v3_asid.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509v3/v3_asid.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -700,15 +700,28 @@ */ int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) { - return (a == NULL || - a == b || - (b != NULL && - !X509v3_asid_inherits(a) && - !X509v3_asid_inherits(b) && - asid_contains(b->asnum->u.asIdsOrRanges, - a->asnum->u.asIdsOrRanges) && - asid_contains(b->rdi->u.asIdsOrRanges, - a->rdi->u.asIdsOrRanges))); + int subset; + + if (a == NULL || a == b) + return 1; + + if (b == NULL) + return 0; + + if (X509v3_asid_inherits(a) || X509v3_asid_inherits(b)) + return 0; + + subset = a->asnum == NULL + || (b->asnum != NULL + && asid_contains(b->asnum->u.asIdsOrRanges, + a->asnum->u.asIdsOrRanges)); + if (!subset) + return 0; + + return a->rdi == NULL + || (b->rdi != NULL + && asid_contains(b->rdi->u.asIdsOrRanges, + a->rdi->u.asIdsOrRanges)); } /* diff -Nru openssl-1.1.1n/crypto/x509v3/v3_genn.c openssl-1.1.1v/crypto/x509v3/v3_genn.c --- openssl-1.1.1n/crypto/x509v3/v3_genn.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509v3/v3_genn.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -98,7 +98,7 @@ return -1; switch (a->type) { case GEN_X400: - result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); break; case GEN_EDIPARTY: diff -Nru openssl-1.1.1n/crypto/x509v3/v3_lib.c openssl-1.1.1v/crypto/x509v3/v3_lib.c --- openssl-1.1.1n/crypto/x509v3/v3_lib.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509v3/v3_lib.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -242,8 +242,10 @@ } /* If delete, just delete it */ if (ext_op == X509V3_ADD_DELETE) { - if (!sk_X509_EXTENSION_delete(*x, extidx)) + extmp = sk_X509_EXTENSION_delete(*x, extidx); + if (extmp == NULL) return -1; + X509_EXTENSION_free(extmp); return 1; } } else { diff -Nru openssl-1.1.1n/crypto/x509v3/v3_sxnet.c openssl-1.1.1v/crypto/x509v3/v3_sxnet.c --- openssl-1.1.1n/crypto/x509v3/v3_sxnet.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509v3/v3_sxnet.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -57,15 +57,29 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent) { - long v; + int64_t v; char *tmp; SXNETID *id; int i; - v = ASN1_INTEGER_get(sx->version); - BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v); + + /* + * Since we add 1 to the version number to display it, we don't support + * LONG_MAX since that would cause on overflow. + */ + if (!ASN1_INTEGER_get_int64(&v, sx->version) + || v >= LONG_MAX + || v < LONG_MIN) { + BIO_printf(out, "%*sVersion: ", indent, ""); + } else { + long vl = (long)v; + + BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", vl + 1, vl); + } for (i = 0; i < sk_SXNETID_num(sx->ids); i++) { id = sk_SXNETID_value(sx->ids, i); tmp = i2s_ASN1_INTEGER(NULL, id->zone); + if (tmp == NULL) + return 0; BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp); OPENSSL_free(tmp); ASN1_STRING_print(out, id->user); diff -Nru openssl-1.1.1n/crypto/x509v3/v3_utl.c openssl-1.1.1v/crypto/x509v3/v3_utl.c --- openssl-1.1.1n/crypto/x509v3/v3_utl.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/crypto/x509v3/v3_utl.c 2023-08-01 13:51:35.000000000 +0000 @@ -1087,12 +1087,17 @@ static int ipv4_from_asc(unsigned char *v4, const char *in) { - int a0, a1, a2, a3; - if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4) + const char *p; + int a0, a1, a2, a3, n; + + if (sscanf(in, "%d.%d.%d.%d%n", &a0, &a1, &a2, &a3, &n) != 4) return 0; if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255)) return 0; + p = in + n; + if (!(*p == '\0' || ossl_isspace(*p))) + return 0; v4[0] = a0; v4[1] = a1; v4[2] = a2; diff -Nru openssl-1.1.1n/debian/changelog openssl-1.1.1v/debian/changelog --- openssl-1.1.1n/debian/changelog 2023-05-26 21:30:44.000000000 +0000 +++ openssl-1.1.1v/debian/changelog 2023-08-26 11:17:12.000000000 +0000 @@ -1,3 +1,12 @@ +openssl (1.1.1v-0~deb11u1) bullseye; urgency=medium + + * Import 1.1.1v + - CVE-2023-3446 (Excessive time spent checking DH keys and parameters). + (Closes: #1041817). + - CVE-2023-3817 (Excessive time spent checking DH q parameter value). + + -- Sebastian Andrzej Siewior Sat, 26 Aug 2023 13:17:12 +0200 + openssl (1.1.1n-0+deb11u5) bullseye-security; urgency=medium * CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy diff -Nru openssl-1.1.1n/debian/patches/AES-OCB-test-vectors.patch openssl-1.1.1v/debian/patches/AES-OCB-test-vectors.patch --- openssl-1.1.1n/debian/patches/AES-OCB-test-vectors.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/AES-OCB-test-vectors.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,79 +0,0 @@ -From: Alex Chernyakhovsky -Date: Thu, 16 Jun 2022 12:02:37 +1000 -Subject: AES OCB test vectors -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 8bit - -Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue. - -Co-authored-by: Alejandro Sedeño -Co-authored-by: David Benjamin - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz ---- - test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++++++++++ - 1 file changed, 50 insertions(+) - -diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt -index 1c02ea1e9c2d..e12670d9a4b4 100644 ---- a/test/recipes/30-test_evp_data/evpciph.txt -+++ b/test/recipes/30-test_evp_data/evpciph.txt -@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21 - Operation = DECRYPT - Result = CIPHERFINAL_ERROR - -+#Test vectors generated to validate aesni_ocb_encrypt on x86 -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = C14DFF7D62A13C4A3422456207453190 -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333 -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8 -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204 -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = 41970D13737B7BD1B5FBF49ED4412CA5 -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91 -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = BE0228651ED4E48A11BDED68D953F3A0 -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = 17BC6E10B16E5FDC52836E7D589518C7 -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = E84AAC18666116990A3A37B3A5FC55BD -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = 3E5EA7EE064FE83B313E28D411E91EAD -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C -+ - Title = AES XTS test vectors from IEEE Std 1619-2007 - - # Using the same key twice for encryption is always banned. diff -Nru openssl-1.1.1n/debian/patches/Add-a-Certificate-Policies-Test.patch openssl-1.1.1v/debian/patches/Add-a-Certificate-Policies-Test.patch --- openssl-1.1.1n/debian/patches/Add-a-Certificate-Policies-Test.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Add-a-Certificate-Policies-Test.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,45 +0,0 @@ -From: Matt Caswell -Date: Tue, 7 Mar 2023 17:07:57 +0000 -Subject: Add a Certificate Policies Test - -Test that a valid certificate policy is accepted and that an invalid -certificate policy is rejected. Specifically we are checking that a -leaf certificate with an invalid policy is detected. - -Related-to: CVE-2023-0465 - -Reviewed-by: Hugo Landau -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/20588) ---- - test/recipes/25-test_verify.t | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t -index ffa48ed20bbf..e7e352df0bf5 100644 ---- a/test/recipes/25-test_verify.t -+++ b/test/recipes/25-test_verify.t -@@ -27,7 +27,7 @@ sub verify { - run(app([@args])); - } - --plan tests => 146; -+plan tests => 148; - - # Canonical success - ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), -@@ -409,3 +409,14 @@ SKIP: { - "ED25519 signature"); - - } -+ -+# Certificate Policies -+ok(verify("ee-cert-policies", "sslserver", ["root-cert"], ["ca-pol-cert"], -+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", -+ "-explicit_policy"), -+ "Certificate policy"); -+ -+ok(!verify("ee-cert-policies-bad", "sslserver", ["root-cert"], ["ca-pol-cert"], -+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", -+ "-explicit_policy"), -+ "Bad certificate policy"); diff -Nru openssl-1.1.1n/debian/patches/Add-a-test-for-CVE-2022-4450.patch openssl-1.1.1v/debian/patches/Add-a-test-for-CVE-2022-4450.patch --- openssl-1.1.1n/debian/patches/Add-a-test-for-CVE-2022-4450.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Add-a-test-for-CVE-2022-4450.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,55 +0,0 @@ -From: Matt Caswell -Date: Tue, 13 Dec 2022 15:02:26 +0000 -Subject: Add a test for CVE-2022-4450 - -Call PEM_read_bio_ex() and expect a failure. There should be no dangling -ptrs and therefore there should be no double free if we free the ptrs on -error. ---- - test/pemtest.c | 30 ++++++++++++++++++++++++++++++ - 1 file changed, 30 insertions(+) - -diff --git a/test/pemtest.c b/test/pemtest.c -index 3203d976be76..edeb0a12059e 100644 ---- a/test/pemtest.c -+++ b/test/pemtest.c -@@ -83,9 +83,39 @@ static int test_invalid(void) - return 1; - } - -+static int test_empty_payload(void) -+{ -+ BIO *b; -+ static char *emptypay = -+ "-----BEGIN CERTIFICATE-----\n" -+ "-\n" /* Base64 EOF character */ -+ "-----END CERTIFICATE-----"; -+ char *name = NULL, *header = NULL; -+ unsigned char *data = NULL; -+ long len; -+ int ret = 0; -+ -+ b = BIO_new_mem_buf(emptypay, strlen(emptypay)); -+ if (!TEST_ptr(b)) -+ return 0; -+ -+ /* Expected to fail because the payload is empty */ -+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0))) -+ goto err; -+ -+ ret = 1; -+ err: -+ OPENSSL_free(name); -+ OPENSSL_free(header); -+ OPENSSL_free(data); -+ BIO_free(b); -+ return ret; -+} -+ - int setup_tests(void) - { - ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data)); - ADD_TEST(test_invalid); -+ ADD_TEST(test_empty_payload); - return 1; - } diff -Nru openssl-1.1.1n/debian/patches/Alternative-fix-for-CVE-2022-4304.patch openssl-1.1.1v/debian/patches/Alternative-fix-for-CVE-2022-4304.patch --- openssl-1.1.1n/debian/patches/Alternative-fix-for-CVE-2022-4304.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Alternative-fix-for-CVE-2022-4304.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,454 +0,0 @@ -From: Bernd Edlinger -Date: Mon, 13 Feb 2023 17:46:41 +0100 -Subject: Alternative fix for CVE-2022-4304 - -This is about a timing leak in the topmost limb -of the internal result of RSA_private_decrypt, -before the padding check. - -There are in fact at least three bugs together that -caused the timing leak: - -First and probably most important is the fact that -the blinding did not use the constant time code path -at all when the RSA object was used for a private -decrypt, due to the fact that the Montgomery context -rsa->_method_mod_n was not set up early enough in -rsa_ossl_private_decrypt, when BN_BLINDING_create_param -needed it, and that was persisted as blinding->m_ctx, -although the RSA object creates the Montgomery context -just a bit later. - -Then the infamous bn_correct_top was used on the -secret value right after the blinding was removed. - -And finally the function BN_bn2binpad did not use -the constant-time code path since the BN_FLG_CONSTTIME -was not set on the secret value. - -In order to address the first problem, this patch -makes sure that the rsa->_method_mod_n is initialized -right before the blinding context. - -And to fix the second problem, we add a new utility -function bn_correct_top_consttime, a const-time -variant of bn_correct_top. - -Together with the fact, that BN_bn2binpad is already -constant time if the flag BN_FLG_CONSTTIME is set, -this should eliminate the timing oracle completely. - -In addition the no-asm variant may also have -branches that depend on secret values, because the last -invocation of bn_sub_words in bn_from_montgomery_word -had branches when the function is compiled by certain -gcc compiler versions, due to the clumsy coding style. - -So additionally this patch stream-lined the no-asm -C-code in order to avoid branches where possible and -improve the resulting code quality. - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/20284) ---- - crypto/bn/bn_asm.c | 106 +++++++++++++++++++++++++++----------------------- - crypto/bn/bn_blind.c | 3 +- - crypto/bn/bn_lib.c | 22 +++++++++++ - crypto/bn/bn_local.h | 26 ++++++------- - crypto/rsa/rsa_ossl.c | 13 +++---- - 5 files changed, 101 insertions(+), 69 deletions(-) - -diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c -index 4d83a8cf1115..177558c6477f 100644 ---- a/crypto/bn/bn_asm.c -+++ b/crypto/bn/bn_asm.c -@@ -381,25 +381,33 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, - #ifndef OPENSSL_SMALL_FOOTPRINT - while (n & ~3) { - t1 = a[0]; -- t2 = b[0]; -- r[0] = (t1 - t2 - c) & BN_MASK2; -- if (t1 != t2) -- c = (t1 < t2); -+ t2 = (t1 - c) & BN_MASK2; -+ c = (t2 > t1); -+ t1 = b[0]; -+ t1 = (t2 - t1) & BN_MASK2; -+ r[0] = t1; -+ c += (t1 > t2); - t1 = a[1]; -- t2 = b[1]; -- r[1] = (t1 - t2 - c) & BN_MASK2; -- if (t1 != t2) -- c = (t1 < t2); -+ t2 = (t1 - c) & BN_MASK2; -+ c = (t2 > t1); -+ t1 = b[1]; -+ t1 = (t2 - t1) & BN_MASK2; -+ r[1] = t1; -+ c += (t1 > t2); - t1 = a[2]; -- t2 = b[2]; -- r[2] = (t1 - t2 - c) & BN_MASK2; -- if (t1 != t2) -- c = (t1 < t2); -+ t2 = (t1 - c) & BN_MASK2; -+ c = (t2 > t1); -+ t1 = b[2]; -+ t1 = (t2 - t1) & BN_MASK2; -+ r[2] = t1; -+ c += (t1 > t2); - t1 = a[3]; -- t2 = b[3]; -- r[3] = (t1 - t2 - c) & BN_MASK2; -- if (t1 != t2) -- c = (t1 < t2); -+ t2 = (t1 - c) & BN_MASK2; -+ c = (t2 > t1); -+ t1 = b[3]; -+ t1 = (t2 - t1) & BN_MASK2; -+ r[3] = t1; -+ c += (t1 > t2); - a += 4; - b += 4; - r += 4; -@@ -408,10 +416,12 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, - #endif - while (n) { - t1 = a[0]; -- t2 = b[0]; -- r[0] = (t1 - t2 - c) & BN_MASK2; -- if (t1 != t2) -- c = (t1 < t2); -+ t2 = (t1 - c) & BN_MASK2; -+ c = (t2 > t1); -+ t1 = b[0]; -+ t1 = (t2 - t1) & BN_MASK2; -+ r[0] = t1; -+ c += (t1 > t2); - a++; - b++; - r++; -@@ -446,7 +456,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, - t += c0; /* no carry */ \ - c0 = (BN_ULONG)Lw(t); \ - hi = (BN_ULONG)Hw(t); \ -- c1 = (c1+hi)&BN_MASK2; if (c1top = (int)(rtop & ~mask) | (ntop & mask); - n->flags |= (BN_FLG_FIXED_TOP & ~mask); - } -- ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx); -+ ret = bn_mul_mont_fixed_top(n, n, r, b->m_ctx, ctx); -+ bn_correct_top_consttime(n); - } else { - ret = BN_mod_mul(n, n, r, b->mod, ctx); - } -diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c -index eb4a31849bef..fe6fb0e40fbb 100644 ---- a/crypto/bn/bn_lib.c -+++ b/crypto/bn/bn_lib.c -@@ -1001,6 +1001,28 @@ BIGNUM *bn_wexpand(BIGNUM *a, int words) - return (words <= a->dmax) ? a : bn_expand2(a, words); - } - -+void bn_correct_top_consttime(BIGNUM *a) -+{ -+ int j, atop; -+ BN_ULONG limb; -+ unsigned int mask; -+ -+ for (j = 0, atop = 0; j < a->dmax; j++) { -+ limb = a->d[j]; -+ limb |= 0 - limb; -+ limb >>= BN_BITS2 - 1; -+ limb = 0 - limb; -+ mask = (unsigned int)limb; -+ mask &= constant_time_msb(j - a->top); -+ atop = constant_time_select_int(mask, j + 1, atop); -+ } -+ -+ mask = constant_time_eq_int(atop, 0); -+ a->top = atop; -+ a->neg = constant_time_select_int(mask, 0, a->neg); -+ a->flags &= ~BN_FLG_FIXED_TOP; -+} -+ - void bn_correct_top(BIGNUM *a) - { - BN_ULONG *ftl; -diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h -index 8ad69ccd3639..80b89e632d31 100644 ---- a/crypto/bn/bn_local.h -+++ b/crypto/bn/bn_local.h -@@ -495,10 +495,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, - ret = (r); \ - BN_UMULT_LOHI(low,high,w,tmp); \ - ret += (c); \ -- (c) = (ret<(c))?1:0; \ -+ (c) = (ret<(c)); \ - (c) += high; \ - ret += low; \ -- (c) += (ret>(BN_BITS4-1); \ - m =(m&BN_MASK2l)<<(BN_BITS4+1); \ -- l=(l+m)&BN_MASK2; if (l < m) h++; \ -+ l=(l+m)&BN_MASK2; h += (l < m); \ - (lo)=l; \ - (ho)=h; \ - } -@@ -603,9 +603,9 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, - mul64(l,h,(bl),(bh)); \ - \ - /* non-multiply part */ \ -- l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ -+ l=(l+(c))&BN_MASK2; h += (l < (c)); \ - (c)=(r); \ -- l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ -+ l=(l+(c))&BN_MASK2; h += (l < (c)); \ - (c)=h&BN_MASK2; \ - (r)=l; \ - } -@@ -619,7 +619,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, - mul64(l,h,(bl),(bh)); \ - \ - /* non-multiply part */ \ -- l+=(c); if ((l&BN_MASK2) < (c)) h++; \ -+ l+=(c); h += ((l&BN_MASK2) < (c)); \ - (c)=h&BN_MASK2; \ - (r)=l&BN_MASK2; \ - } -@@ -649,7 +649,7 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, - int cl, int dl); - int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); -- -+void bn_correct_top_consttime(BIGNUM *a); - BIGNUM *int_bn_mod_inverse(BIGNUM *in, - const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, - int *noinv); -diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c -index b52a66f6a628..88371b1dbe16 100644 ---- a/crypto/rsa/rsa_ossl.c -+++ b/crypto/rsa/rsa_ossl.c -@@ -226,6 +226,7 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, - * will only read the modulus from BN_BLINDING. In both cases it's safe - * to access the blinding without a lock. - */ -+ BN_set_flags(f, BN_FLG_CONSTTIME); - return BN_BLINDING_invert_ex(f, unblind, b, ctx); - } - -@@ -412,6 +413,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - goto err; - } - -+ if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) -+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, -+ rsa->n, ctx)) -+ goto err; -+ - if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { - blinding = rsa_get_blinding(rsa, &local_blinding, ctx); - if (blinding == NULL) { -@@ -449,13 +455,6 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - goto err; - } - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -- -- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) -- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, -- rsa->n, ctx)) { -- BN_free(d); -- goto err; -- } - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, - rsa->_method_mod_n)) { - BN_free(d); diff -Nru openssl-1.1.1n/debian/patches/Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch openssl-1.1.1v/debian/patches/Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch --- openssl-1.1.1n/debian/patches/Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,33 +0,0 @@ -From: Matt Caswell -Date: Tue, 13 Dec 2022 14:54:55 +0000 -Subject: Avoid dangling ptrs in header and data params for PEM_read_bio_ex - -In the event of a failure in PEM_read_bio_ex() we free the buffers we -allocated for the header and data buffers. However we were not clearing -the ptrs stored in *header and *data. Since, on success, the caller is -responsible for freeing these ptrs this can potentially lead to a double -free if the caller frees them even on failure. - -Thanks to Dawei Wang for reporting this issue. - -Based on a proposed patch by Kurt Roeckx. - -CVE-2022-4450 ---- - crypto/pem/pem_lib.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c -index 2de093595d0d..173045be21ea 100644 ---- a/crypto/pem/pem_lib.c -+++ b/crypto/pem/pem_lib.c -@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, - *data = pem_malloc(len, flags); - if (*header == NULL || *data == NULL) { - pem_free(*header, flags, 0); -+ *header = NULL; - pem_free(*data, flags, 0); -+ *data = NULL; - goto end; - } - BIO_read(headerB, *header, headerlen); diff -Nru openssl-1.1.1n/debian/patches/CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch openssl-1.1.1v/debian/patches/CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch --- openssl-1.1.1n/debian/patches/CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,87 +0,0 @@ -From: Hugo Landau -Date: Tue, 17 Jan 2023 17:45:42 +0000 -Subject: CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1) - ---- - CHANGES | 20 ++++++++++++++++++++ - crypto/x509v3/v3_genn.c | 2 +- - include/openssl/x509v3.h | 2 +- - test/v3nametest.c | 8 ++++++++ - 4 files changed, 30 insertions(+), 2 deletions(-) - -diff --git a/CHANGES b/CHANGES -index 3ef3fa28cfa8..265555ab95c5 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -7,6 +7,26 @@ - https://github.com/openssl/openssl/commits/ and pick the appropriate - release branch. - -+ Changes between 1.1.1s and 1.1.1t [xx XXX xxxx] -+ -+ *) Fixed a type confusion vulnerability relating to X.400 address processing -+ inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING -+ but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This -+ vulnerability may allow an attacker who can provide a certificate chain and -+ CRL (neither of which need have a valid signature) to pass arbitrary -+ pointers to a memcmp call, creating a possible read primitive, subject to -+ some constraints. Refer to the advisory for more information. Thanks to -+ David Benjamin for discovering this issue. (CVE-2023-0286) -+ -+ This issue has been fixed by changing the public header file definition of -+ GENERAL_NAME so that x400Address reflects the implementation. It was not -+ possible for any existing application to successfully use the existing -+ definition; however, if any application references the x400Address field -+ (e.g. in dead code), note that the type of this field has changed. There is -+ no ABI change. -+ -+ [Hugo Landau] -+ - Changes between 1.1.1m and 1.1.1n [15 Mar 2022] - - *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever -diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c -index 87a5eff47cd9..e54ddc55c957 100644 ---- a/crypto/x509v3/v3_genn.c -+++ b/crypto/x509v3/v3_genn.c -@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) - return -1; - switch (a->type) { - case GEN_X400: -- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); -+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); - break; - - case GEN_EDIPARTY: -diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h -index 90fa3592ce58..e61c0f29d4b4 100644 ---- a/include/openssl/x509v3.h -+++ b/include/openssl/x509v3.h -@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st { - OTHERNAME *otherName; /* otherName */ - ASN1_IA5STRING *rfc822Name; - ASN1_IA5STRING *dNSName; -- ASN1_TYPE *x400Address; -+ ASN1_STRING *x400Address; - X509_NAME *directoryName; - EDIPARTYNAME *ediPartyName; - ASN1_IA5STRING *uniformResourceIdentifier; -diff --git a/test/v3nametest.c b/test/v3nametest.c -index d1852190b84e..37819da8fd78 100644 ---- a/test/v3nametest.c -+++ b/test/v3nametest.c -@@ -646,6 +646,14 @@ static struct gennamedata { - 0xb7, 0x09, 0x02, 0x02 - }, - 15 -+ }, { -+ /* -+ * Regression test for CVE-2023-0286. -+ */ -+ { -+ 0xa3, 0x00 -+ }, -+ 2 - } - }; - diff -Nru openssl-1.1.1n/debian/patches/Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch openssl-1.1.1v/debian/patches/Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch --- openssl-1.1.1n/debian/patches/Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,72 +0,0 @@ -From: Matt Caswell -Date: Wed, 14 Dec 2022 17:15:18 +0000 -Subject: Check CMS failure during BIO setup with -stream is handled correctly - -Test for the issue fixed in the previous commit ---- - test/recipes/80-test_cms.t | 15 +++++++++++++-- - test/smime-certs/badrsa.pem | 18 ++++++++++++++++++ - 2 files changed, 31 insertions(+), 2 deletions(-) - create mode 100644 test/smime-certs/badrsa.pem - -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 5dc6a3aebe01..ec11bfc2538b 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -13,7 +13,7 @@ use warnings; - use POSIX; - use File::Spec::Functions qw/catfile/; - use File::Compare qw/compare_text/; --use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; -+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/; - use OpenSSL::Test::Utils; - - setup("test_cms"); -@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt"); - my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) - = disabled qw/des dh dsa ec ec2m rc2 zlib/; - --plan tests => 6; -+plan tests => 7; - - my @smime_pkcs7_tests = ( - -@@ -584,3 +584,14 @@ sub check_availability { - - return ""; - } -+ -+# Check that we get the expected failure return code -+with({ exit_checker => sub { return shift == 6; } }, -+ sub { -+ ok(run(app(['openssl', 'cms', '-encrypt', -+ '-in', srctop_file("test", "smcont.txt"), -+ '-stream', '-recip', -+ srctop_file("test/smime-certs", "badrsa.pem"), -+ ])), -+ "Check failure during BIO setup with -stream is handled correctly"); -+ }); -diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem -new file mode 100644 -index 000000000000..f824fc226732 ---- /dev/null -+++ b/test/smime-certs/badrsa.pem -@@ -0,0 +1,18 @@ -+-----BEGIN CERTIFICATE----- -+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD -+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY -+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN -+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw -+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A -+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s -+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 -+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB -+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww -+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm -+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW -+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt -+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d -+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv -+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ -+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= -+-----END CERTIFICATE----- diff -Nru openssl-1.1.1n/debian/patches/Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in-leaf.patch openssl-1.1.1v/debian/patches/Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in-leaf.patch --- openssl-1.1.1n/debian/patches/Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in-leaf.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in-leaf.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,49 +0,0 @@ -From: Matt Caswell -Date: Tue, 7 Mar 2023 16:52:55 +0000 -Subject: Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs - -Even though we check the leaf cert to confirm it is valid, we -later ignored the invalid flag and did not notice that the leaf -cert was bad. - -Fixes: CVE-2023-0465 - -Reviewed-by: Hugo Landau -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/20588) ---- - crypto/x509/x509_vfy.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index b18489f67f6e..861a1ae732c9 100644 ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx) - } - /* Invalid or inconsistent extensions */ - if (ret == X509_PCY_TREE_INVALID) { -- int i; -+ int i, cbcalled = 0; - - /* Locate certificates with bad extensions and notify callback. */ -- for (i = 1; i < sk_X509_num(ctx->chain); i++) { -+ for (i = 0; i < sk_X509_num(ctx->chain); i++) { - X509 *x = sk_X509_value(ctx->chain, i); - - if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) - continue; -+ cbcalled = 1; - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_INVALID_POLICY_EXTENSION)) - return 0; - } -+ if (!cbcalled) { -+ /* Should not be able to get here */ -+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ /* The callback ignored the error so we return success */ - return 1; - } - if (ret == X509_PCY_TREE_FAILURE) { diff -Nru openssl-1.1.1n/debian/patches/Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch openssl-1.1.1v/debian/patches/Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch --- openssl-1.1.1n/debian/patches/Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,69 +0,0 @@ -From: Alex Chernyakhovsky -Date: Thu, 16 Jun 2022 12:00:22 +1000 -Subject: Fix AES OCB encrypt/decrypt for x86 AES-NI -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 8bit - -aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path -that performs operations on 6 16-byte blocks concurrently (the -"grandloop") and then proceeds to handle the "short" tail (which can -be anywhere from 0 to 5 blocks) that remain. - -As part of initialization, the assembly initializes $len to the true -length, less 96 bytes and converts it to a pointer so that the $inp -can be compared to it. Each iteration of "grandloop" checks to see if -there's a full 96-byte chunk to process, and if so, continues. Once -this has been exhausted, it falls through to "short", which handles -the remaining zero to five blocks. - -Unfortunately, the jump at the end of "grandloop" had a fencepost -error, doing a `jb` ("jump below") rather than `jbe` (jump below or -equal). This should be `jbe`, as $inp is pointing to the *end* of the -chunk currently being handled. If $inp == $len, that means that -there's a whole 96-byte chunk waiting to be handled. If $inp > $len, -then there's 5 or fewer 16-byte blocks left to be handled, and the -fall-through is intended. - -The net effect of `jb` instead of `jbe` is that the last 16-byte block -of the last 96-byte chunk was completely omitted. The contents of -`out` in this position were never written to. Additionally, since -those bytes were never processed, the authentication tag generated is -also incorrect. - -The same fencepost error, and identical logic, exists in both -aesni_ocb_encrypt and aesni_ocb_decrypt. - -This addresses CVE-2022-2097. - -Co-authored-by: Alejandro Sedeño -Co-authored-by: David Benjamin - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz ---- - crypto/aes/asm/aesni-x86.pl | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl -index fe2b26542ab6..812758e02e04 100644 ---- a/crypto/aes/asm/aesni-x86.pl -+++ b/crypto/aes/asm/aesni-x86.pl -@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); - &movdqu (&QWP(-16*2,$out,$inp),$inout4); - &movdqu (&QWP(-16*1,$out,$inp),$inout5); - &cmp ($inp,$len); # done yet? -- &jb (&label("grandloop")); -+ &jbe (&label("grandloop")); - - &set_label("short"); - &add ($len,16*6); -@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); - &pxor ($rndkey1,$inout5); - &movdqu (&QWP(-16*1,$out,$inp),$inout5); - &cmp ($inp,$len); # done yet? -- &jb (&label("grandloop")); -+ &jbe (&label("grandloop")); - - &set_label("short"); - &add ($len,16*6); diff -Nru openssl-1.1.1n/debian/patches/Fix-Timing-Oracle-in-RSA-decryption.patch openssl-1.1.1v/debian/patches/Fix-Timing-Oracle-in-RSA-decryption.patch --- openssl-1.1.1n/debian/patches/Fix-Timing-Oracle-in-RSA-decryption.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Fix-Timing-Oracle-in-RSA-decryption.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,798 +0,0 @@ -From: Matt Caswell -Date: Fri, 20 Jan 2023 15:26:54 +0000 -Subject: Fix Timing Oracle in RSA decryption - -A timing based side channel exists in the OpenSSL RSA Decryption -implementation which could be sufficient to recover a plaintext across -a network in a Bleichenbacher style attack. To achieve a successful -decryption an attacker would have to be able to send a very large number -of trial messages for decryption. The vulnerability affects all RSA -padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. - -Patch written by Dmitry Belyavsky and Hubert Kario - -CVE-2022-4304 ---- - crypto/bn/bn_blind.c | 14 -- - crypto/bn/bn_err.c | 2 + - crypto/bn/bn_local.h | 14 ++ - crypto/bn/build.info | 3 +- - crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++++++++++++++++++++++++++++++++ - crypto/err/openssl.txt | 3 +- - crypto/rsa/rsa_ossl.c | 17 +- - include/crypto/bn.h | 5 + - include/openssl/bnerr.h | 1 + - 9 files changed, 653 insertions(+), 20 deletions(-) - create mode 100644 crypto/bn/rsa_sup_mul.c - -diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c -index 76fc7ebcffc0..6e9d23932119 100644 ---- a/crypto/bn/bn_blind.c -+++ b/crypto/bn/bn_blind.c -@@ -13,20 +13,6 @@ - - #define BN_BLINDING_COUNTER 32 - --struct bn_blinding_st { -- BIGNUM *A; -- BIGNUM *Ai; -- BIGNUM *e; -- BIGNUM *mod; /* just a reference */ -- CRYPTO_THREAD_ID tid; -- int counter; -- unsigned long flags; -- BN_MONT_CTX *m_ctx; -- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -- CRYPTO_RWLOCK *lock; --}; -- - BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) - { - BN_BLINDING *ret = NULL; -diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c -index dd87c152cf37..3dd8d9a5682b 100644 ---- a/crypto/bn/bn_err.c -+++ b/crypto/bn/bn_err.c -@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = { - {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"}, - {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"}, - {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"}, -+ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0), -+ "ossl_bn_rsa_do_unblind"}, - {0, NULL} - }; - -diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h -index 8ad69ccd3639..096513533b70 100644 ---- a/crypto/bn/bn_local.h -+++ b/crypto/bn/bn_local.h -@@ -263,6 +263,20 @@ struct bn_gencb_st { - } cb; - }; - -+struct bn_blinding_st { -+ BIGNUM *A; -+ BIGNUM *Ai; -+ BIGNUM *e; -+ BIGNUM *mod; /* just a reference */ -+ CRYPTO_THREAD_ID tid; -+ int counter; -+ unsigned long flags; -+ BN_MONT_CTX *m_ctx; -+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -+ CRYPTO_RWLOCK *lock; -+}; -+ - /*- - * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions - * -diff --git a/crypto/bn/build.info b/crypto/bn/build.info -index b9ed5322fa68..c9fe2fdada69 100644 ---- a/crypto/bn/build.info -+++ b/crypto/bn/build.info -@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\ - bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \ - {- $target{bn_asm_src} -} \ - bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ -- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c -+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \ -+ rsa_sup_mul.c - - INCLUDE[bn_exp.o]=.. - -diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c -new file mode 100644 -index 000000000000..acafefd5febf ---- /dev/null -+++ b/crypto/bn/rsa_sup_mul.c -@@ -0,0 +1,614 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "internal/numbers.h" -+#include "internal/constant_time.h" -+#include "bn_local.h" -+ -+# if BN_BYTES == 8 -+typedef uint64_t limb_t; -+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 -+/* nonstandard; implemented by gcc on 64-bit platforms */ -+typedef __uint128_t limb2_t; -+# define HAVE_LIMB2_T -+# endif -+# define LIMB_BIT_SIZE 64 -+# define LIMB_BYTE_SIZE 8 -+# elif BN_BYTES == 4 -+typedef uint32_t limb_t; -+typedef uint64_t limb2_t; -+# define LIMB_BIT_SIZE 32 -+# define LIMB_BYTE_SIZE 4 -+# define HAVE_LIMB2_T -+# else -+# error "Not supported" -+# endif -+ -+/* -+ * For multiplication we're using schoolbook multiplication, -+ * so if we have two numbers, each with 6 "digits" (words) -+ * the multiplication is calculated as follows: -+ * A B C D E F -+ * x I J K L M N -+ * -------------- -+ * N*F -+ * N*E -+ * N*D -+ * N*C -+ * N*B -+ * N*A -+ * M*F -+ * M*E -+ * M*D -+ * M*C -+ * M*B -+ * M*A -+ * L*F -+ * L*E -+ * L*D -+ * L*C -+ * L*B -+ * L*A -+ * K*F -+ * K*E -+ * K*D -+ * K*C -+ * K*B -+ * K*A -+ * J*F -+ * J*E -+ * J*D -+ * J*C -+ * J*B -+ * J*A -+ * I*F -+ * I*E -+ * I*D -+ * I*C -+ * I*B -+ * + I*A -+ * ========================== -+ * N*B N*D N*F -+ * + N*A N*C N*E -+ * + M*B M*D M*F -+ * + M*A M*C M*E -+ * + L*B L*D L*F -+ * + L*A L*C L*E -+ * + K*B K*D K*F -+ * + K*A K*C K*E -+ * + J*B J*D J*F -+ * + J*A J*C J*E -+ * + I*B I*D I*F -+ * + I*A I*C I*E -+ * -+ * 1+1 1+3 1+5 -+ * 1+0 1+2 1+4 -+ * 0+1 0+3 0+5 -+ * 0+0 0+2 0+4 -+ * -+ * 0 1 2 3 4 5 6 -+ * which requires n^2 multiplications and 2n full length additions -+ * as we can keep every other result of limb multiplication in two separate -+ * limbs -+ */ -+ -+#if defined HAVE_LIMB2_T -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb2_t t; -+ /* -+ * this is idiomatic code to tell compiler to use the native mul -+ * those three lines will actually compile to single instruction -+ */ -+ -+ t = (limb2_t)a * b; -+ *hi = t >> LIMB_BIT_SIZE; -+ *lo = (limb_t)t; -+} -+#elif (BN_BYTES == 8) && (defined _MSC_VER) -+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ -+#pragma intrinsic(_umul128) -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ *lo = _umul128(a, b, hi); -+} -+#else -+/* -+ * if the compiler doesn't have either a 128bit data type nor a "return -+ * high 64 bits of multiplication" -+ */ -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb_t a_low = (limb_t)(uint32_t)a; -+ limb_t a_hi = a >> 32; -+ limb_t b_low = (limb_t)(uint32_t)b; -+ limb_t b_hi = b >> 32; -+ -+ limb_t p0 = a_low * b_low; -+ limb_t p1 = a_low * b_hi; -+ limb_t p2 = a_hi * b_low; -+ limb_t p3 = a_hi * b_hi; -+ -+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); -+ -+ *lo = p0 + (p1 << 32) + (p2 << 32); -+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; -+} -+#endif -+ -+/* add two limbs with carry in, return carry out */ -+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) -+{ -+ limb_t carry1, carry2, t; -+ /* -+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers -+ * use add with carry on assembly level -+ */ -+ -+ *ret = a + carry; -+ if (*ret < a) -+ carry1 = 1; -+ else -+ carry1 = 0; -+ -+ t = *ret; -+ *ret = t + b; -+ if (*ret < t) -+ carry2 = 1; -+ else -+ carry2 = 0; -+ -+ return carry1 + carry2; -+} -+ -+/* -+ * add two numbers of the same size, return overflow -+ * -+ * add a to b, place result in ret; all arrays need to be n limbs long -+ * return overflow from addition (0 or 1) -+ */ -+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t c = 0; -+ ossl_ssize_t i; -+ -+ for(i = n - 1; i > -1; i--) -+ c = _add_limb(&ret[i], a[i], b[i], c); -+ -+ return c; -+} -+ -+/* -+ * return number of limbs necessary for temporary values -+ * when multiplying numbers n limbs large -+ */ -+static ossl_inline size_t mul_limb_numb(size_t n) -+{ -+ return 2 * n * 2; -+} -+ -+/* -+ * multiply two numbers of the same size -+ * -+ * multiply a by b, place result in ret; a and b need to be n limbs long -+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs -+ * long -+ */ -+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) -+{ -+ limb_t *r_odd, *r_even; -+ size_t i, j, k; -+ -+ r_odd = tmp; -+ r_even = &tmp[2 * n]; -+ -+ memset(ret, 0, 2 * n * sizeof(limb_t)); -+ -+ for (i = 0; i < n; i++) { -+ for (k = 0; k < i + n + 1; k++) { -+ r_even[k] = 0; -+ r_odd[k] = 0; -+ } -+ for (j = 0; j < n; j++) { -+ /* -+ * place results from even and odd limbs in separate arrays so that -+ * we don't have to calculate overflow every time we get individual -+ * limb multiplication result -+ */ -+ if (j % 2 == 0) -+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); -+ else -+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); -+ } -+ /* -+ * skip the least significant limbs when adding multiples of -+ * more significant limbs (they're zero anyway) -+ */ -+ add(ret, ret, r_even, n + i + 1); -+ add(ret, ret, r_odd, n + i + 1); -+ } -+} -+ -+/* modifies the value in place by performing a right shift by one bit */ -+static ossl_inline void rshift1(limb_t *val, size_t n) -+{ -+ limb_t shift_in = 0, shift_out = 0; -+ size_t i; -+ -+ for (i = 0; i < n; i++) { -+ shift_out = val[i] & 1; -+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); -+ shift_in = shift_out; -+ } -+} -+ -+/* extend the LSB of flag to all bits of limb */ -+static ossl_inline limb_t mk_mask(limb_t flag) -+{ -+ flag |= flag << 1; -+ flag |= flag << 2; -+ flag |= flag << 4; -+ flag |= flag << 8; -+ flag |= flag << 16; -+#if (LIMB_BYTE_SIZE == 8) -+ flag |= flag << 32; -+#endif -+ return flag; -+} -+ -+/* -+ * copy from either a or b to ret based on flag -+ * when flag == 0, then copies from b -+ * when flag == 1, then copies from a -+ */ -+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ /* -+ * would be more efficient with non volatile mask, but then gcc -+ * generates code with jumps -+ */ -+ volatile limb_t mask; -+ size_t i; -+ -+ mask = mk_mask(flag); -+ for (i = 0; i < n; i++) { -+#if (LIMB_BYTE_SIZE == 8) -+ ret[i] = constant_time_select_64(mask, a[i], b[i]); -+#else -+ ret[i] = constant_time_select_32(mask, a[i], b[i]); -+#endif -+ } -+} -+ -+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) -+{ -+ limb_t borrow1, borrow2, t; -+ /* -+ * while it doesn't look constant-time, this is idiomatic code -+ * to tell compilers to use the carry bit from subtraction -+ */ -+ -+ *ret = a - borrow; -+ if (*ret > a) -+ borrow1 = 1; -+ else -+ borrow1 = 0; -+ -+ t = *ret; -+ *ret = t - b; -+ if (*ret > t) -+ borrow2 = 1; -+ else -+ borrow2 = 0; -+ -+ return borrow1 + borrow2; -+} -+ -+/* -+ * place the result of a - b into ret, return the borrow bit. -+ * All arrays need to be n limbs long -+ */ -+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t borrow = 0; -+ ossl_ssize_t i; -+ -+ for (i = n - 1; i > -1; i--) -+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow); -+ -+ return borrow; -+} -+ -+/* return the number of limbs necessary to allocate for the mod() tmp operand */ -+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) -+{ -+ return (anum + modnum) * 3; -+} -+ -+/* -+ * calculate a % mod, place the result in ret -+ * size of a is defined by anum, size of ret and mod is modnum, -+ * size of tmp is returned by mod_limb_numb() -+ */ -+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, -+ size_t modnum, limb_t *tmp) -+{ -+ limb_t *atmp, *modtmp, *rettmp; -+ limb_t res; -+ size_t i; -+ -+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); -+ -+ atmp = tmp; -+ modtmp = &tmp[anum + modnum]; -+ rettmp = &tmp[(anum + modnum) * 2]; -+ -+ for (i = modnum; i 0; i--, rp--) { -+ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2); -+ v = v + carry + rp[-1]; -+ carry |= (v != rp[-1]); -+ carry &= (v <= rp[-1]); -+ rp[-1] = v; -+ } -+ -+ /* perform the final reduction by mod... */ -+ carry -= sub(ret, rp, mod, modnum); -+ -+ /* ...conditionally */ -+ cselect(carry, ret, rp, ret, modnum); -+} -+ -+/* allocated buffer should be freed afterwards */ -+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) -+{ -+ int i; -+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ limb_t *ptr = buf + (limbs - real_limbs); -+ -+ for (i = 0; i < real_limbs; i++) -+ ptr[i] = bn->d[real_limbs - i - 1]; -+} -+ -+#if LIMB_BYTE_SIZE == 8 -+static ossl_inline uint64_t be64(uint64_t host) -+{ -+ const union { -+ long one; -+ char little; -+ } is_endian = { 1 }; -+ -+ if (is_endian.little) { -+ uint64_t big = 0; -+ -+ big |= (host & 0xff00000000000000) >> 56; -+ big |= (host & 0x00ff000000000000) >> 40; -+ big |= (host & 0x0000ff0000000000) >> 24; -+ big |= (host & 0x000000ff00000000) >> 8; -+ big |= (host & 0x00000000ff000000) << 8; -+ big |= (host & 0x0000000000ff0000) << 24; -+ big |= (host & 0x000000000000ff00) << 40; -+ big |= (host & 0x00000000000000ff) << 56; -+ return big; -+ } else { -+ return host; -+ } -+} -+ -+#else -+/* Not all platforms have htobe32(). */ -+static ossl_inline uint32_t be32(uint32_t host) -+{ -+ const union { -+ long one; -+ char little; -+ } is_endian = { 1 }; -+ -+ if (is_endian.little) { -+ uint32_t big = 0; -+ -+ big |= (host & 0xff000000) >> 24; -+ big |= (host & 0x00ff0000) >> 8; -+ big |= (host & 0x0000ff00) << 8; -+ big |= (host & 0x000000ff) << 24; -+ return big; -+ } else { -+ return host; -+ } -+} -+#endif -+ -+/* -+ * We assume that intermediate, possible_arg2, blinding, and ctx are used -+ * similar to BN_BLINDING_invert_ex() arguments. -+ * to_mod is RSA modulus. -+ * buf and num is the serialization buffer and its length. -+ * -+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished -+ * we serialize the new structure instead of BIGNUMs taking endianness into account. -+ */ -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num) -+{ -+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; -+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; -+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; -+ size_t l_tmp_count = 0; -+ int ret = 0; -+ size_t i; -+ unsigned char *tmp; -+ const BIGNUM *arg1 = intermediate; -+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; -+ -+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ -+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; -+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); -+ -+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) -+ goto err; -+ -+ BN_to_limb(arg1, l_im, l_size); -+ BN_to_limb(arg2, l_mul, l_size); -+ BN_to_limb(to_mod, l_mod, l_mod_count); -+ -+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); -+ -+ if (blinding->m_ctx != NULL) { -+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? -+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } else { -+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? -+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } -+ -+ if ((l_ret == NULL) || (l_tmp == NULL)) -+ goto err; -+ -+ if (blinding->m_ctx != NULL) { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, -+ blinding->m_ctx->n0[0], l_tmp); -+ } else { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); -+ } -+ -+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ -+ if (num < BN_num_bytes(to_mod)) { -+ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT); -+ goto err; -+ } -+ -+ memset(buf, 0, num); -+ tmp = buf + num - BN_num_bytes(to_mod); -+ for (i = 0; i < l_mod_count; i++) { -+#if LIMB_BYTE_SIZE == 8 -+ l_buf = be64(l_ret[i]); -+#else -+ l_buf = be32(l_ret[i]); -+#endif -+ if (i == 0) { -+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); -+ -+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); -+ tmp += delta; -+ } else { -+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); -+ tmp += LIMB_BYTE_SIZE; -+ } -+ } -+ ret = num; -+ -+ err: -+ OPENSSL_free(l_im); -+ OPENSSL_free(l_mul); -+ OPENSSL_free(l_mod); -+ OPENSSL_free(l_tmp); -+ OPENSSL_free(l_ret); -+ -+ return ret; -+} -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index 902e97b84355..e0f0ab7c76f8 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -1,4 +1,4 @@ --# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. - # - # Licensed under the OpenSSL license (the "License"). You may not use - # this file except in compliance with the License. You can obtain a copy -@@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift - BN_F_BN_SET_WORDS:144:bn_set_words - BN_F_BN_STACK_PUSH:148:BN_STACK_push - BN_F_BN_USUB:115:BN_usub -+BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind - BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow - BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean - BUF_F_BUF_MEM_NEW:101:BUF_MEM_new -diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c -index b52a66f6a628..6c3c0cf78d30 100644 ---- a/crypto/rsa/rsa_ossl.c -+++ b/crypto/rsa/rsa_ossl.c -@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BN_free(d); - } - -- if (blinding) -- if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) -+ if (blinding) { -+ /* -+ * ossl_bn_rsa_do_unblind() combines blinding inversion and -+ * 0-padded BN BE serialization -+ */ -+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, -+ buf, num); -+ if (j == 0) - goto err; -- -- j = BN_bn2binpad(ret, buf, num); -+ } else { -+ j = BN_bn2binpad(ret, buf, num); -+ if (j < 0) -+ goto err; -+ } - - switch (padding) { - case RSA_PKCS1_PADDING: -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index 60afda1dadee..b5f36fb25aa2 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, - const BIGNUM *d, BN_CTX *ctx); -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num); - - #endif -diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h -index 9f3c7cfaab67..a0752cea52d7 100644 ---- a/include/openssl/bnerr.h -+++ b/include/openssl/bnerr.h -@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void); - # define BN_F_BN_SET_WORDS 144 - # define BN_F_BN_STACK_PUSH 148 - # define BN_F_BN_USUB 115 -+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 - - /* - * BN reason codes. diff -Nru openssl-1.1.1n/debian/patches/Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch openssl-1.1.1v/debian/patches/Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch --- openssl-1.1.1n/debian/patches/Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,99 +0,0 @@ -From: Matt Caswell -Date: Wed, 14 Dec 2022 16:18:14 +0000 -Subject: Fix a UAF resulting from a bug in BIO_new_NDEF - -If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will -be part of an invalid BIO chain. This causes a "use after free" when the -BIO is eventually freed. - -Based on an original patch by Viktor Dukhovni and an idea from Theo -Buehler. - -Thanks to Octavio Galland for reporting this issue. ---- - crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++------- - 1 file changed, 32 insertions(+), 7 deletions(-) - -diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c -index 760e4846a474..f8d4b1b9aa67 100644 ---- a/crypto/asn1/bio_ndef.c -+++ b/crypto/asn1/bio_ndef.c -@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); - static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, - void *parg); - -+/* -+ * On success, the returned BIO owns the input BIO as part of its BIO chain. -+ * On failure, NULL is returned and the input BIO is owned by the caller. -+ * -+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() -+ */ - BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - { - NDEF_SUPPORT *ndef_aux = NULL; - BIO *asn_bio = NULL; - const ASN1_AUX *aux = it->funcs; - ASN1_STREAM_ARG sarg; -+ BIO *pop_bio = NULL; - - if (!aux || !aux->asn1_cb) { - ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED); -@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - out = BIO_push(asn_bio, out); - if (out == NULL) - goto err; -+ pop_bio = asn_bio; - -- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); -- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); -+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 -+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 -+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) -+ goto err; - - /* -- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure -- * needs. -+ * Now let the callback prepend any digest, cipher, etc., that the BIO's -+ * ASN1 structure needs. - */ - - sarg.out = out; - sarg.ndef_bio = NULL; - sarg.boundary = NULL; - -- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) -+ /* -+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the -+ * middle of some partially built, but not returned BIO chain. -+ */ -+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { -+ /* -+ * ndef_aux is now owned by asn_bio so we must not free it in the err -+ * clean up block -+ */ -+ ndef_aux = NULL; - goto err; -+ } -+ -+ /* -+ * We must not fail now because the callback has prepended additional -+ * BIOs to the chain -+ */ - - ndef_aux->val = val; - ndef_aux->it = it; -@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - ndef_aux->boundary = sarg.boundary; - ndef_aux->out = out; - -- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); -- - return sarg.ndef_bio; - - err: -+ /* BIO_pop() is NULL safe */ -+ (void)BIO_pop(pop_bio); - BIO_free(asn_bio); - OPENSSL_free(ndef_aux); - return NULL; diff -Nru openssl-1.1.1n/debian/patches/Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch openssl-1.1.1v/debian/patches/Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch --- openssl-1.1.1n/debian/patches/Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,42 +0,0 @@ -From: Tomas Mraz -Date: Tue, 21 Mar 2023 16:15:47 +0100 -Subject: Fix documentation of X509_VERIFY_PARAM_add0_policy() - -The function was incorrectly documented as enabling policy checking. - -Fixes: CVE-2023-0466 - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/20564) ---- - doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod -index f6f304bf7bd0..aa292f9336fc 100644 ---- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod -+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod -@@ -92,8 +92,9 @@ B. - X509_VERIFY_PARAM_set_time() sets the verification time in B to - B. Normally the current time is used. - --X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled --by default) and adds B to the acceptable policy set. -+X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. -+Contrary to preexisting documentation of this function it does not enable -+policy checking. - - X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled - by default) and sets the acceptable policy set to B. Any existing -@@ -377,6 +378,10 @@ and has no effect. - - The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. - -+The function X509_VERIFY_PARAM_add0_policy() was historically documented as -+enabling policy checking however the implementation has never done this. -+The documentation was changed to align with the implementation. -+ - =head1 COPYRIGHT - - Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. diff -Nru openssl-1.1.1n/debian/patches/Fix-file-operations-in-c_rehash.patch openssl-1.1.1v/debian/patches/Fix-file-operations-in-c_rehash.patch --- openssl-1.1.1n/debian/patches/Fix-file-operations-in-c_rehash.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Fix-file-operations-in-c_rehash.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,216 +0,0 @@ -From: Daniel Fiala -Date: Sun, 29 May 2022 20:11:24 +0200 -Subject: Fix file operations in c_rehash. - -CVE-2022-2068 - -Reviewed-by: Matt Caswell -Reviewed-by: Richard Levitte - -[bigeasy: ported from the 3.0 branch with the compat patch] ---- - tools/c_rehash.in | 131 ++++++++++++++++++++++++------------------------------ - 1 file changed, 59 insertions(+), 72 deletions(-) - -diff --git a/tools/c_rehash.in b/tools/c_rehash.in -index 914be03da14f..a8511ac816d8 100644 ---- a/tools/c_rehash.in -+++ b/tools/c_rehash.in -@@ -1,7 +1,7 @@ - #!{- $config{HASHBANGPERL} -} - - # {- join("\n# ", @autowarntext) -} --# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. - # - # Licensed under the OpenSSL license (the "License"). You may not use - # this file except in compliance with the License. You can obtain a copy -@@ -99,18 +99,41 @@ foreach (@dirlist) { - } - exit($errorcount); - -+sub copy_file { -+ my ($src_fname, $dst_fname) = @_; -+ -+ if (open(my $in, "<", $src_fname)) { -+ if (open(my $out, ">", $dst_fname)) { -+ print $out $_ while (<$in>); -+ close $out; -+ } else { -+ warn "Cannot open $dst_fname for write, $!"; -+ } -+ close $in; -+ } else { -+ warn "Cannot open $src_fname for read, $!"; -+ } -+} -+ - sub hash_dir { -+ my $dir = shift; - my %hashlist; -- print "Doing $_[0]\n"; -- chdir $_[0]; -- opendir(DIR, "."); -+ -+ print "Doing $dir\n"; -+ -+ if (!chdir $dir) { -+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n"; -+ return; -+ } -+ -+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n"; - my @flist = sort readdir(DIR); - closedir DIR; - if ( $removelinks ) { - # Delete any existing symbolic links - foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if (-l $_) { -- print "unlink $_" if $verbose; -+ print "unlink $_\n" if $verbose; - unlink $_ || warn "Can't unlink $_, $!\n"; - } - } -@@ -123,17 +146,18 @@ sub hash_dir { - next; - } - link_hash_cert($fname) if ($cert); -- link_hash_cert_old($fname) if ($cert); - link_hash_crl($fname) if ($crl); -- link_hash_crl_old($fname) if ($crl); - } -+ -+ chdir $pwd; - } - - sub check_file { - my ($is_cert, $is_crl) = (0,0); - my $fname = $_[0]; -- open IN, $fname; -- while() { -+ -+ open(my $in, "<", $fname); -+ while(<$in>) { - if (/^-----BEGIN (.*)-----/) { - my $hdr = $1; - if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { -@@ -145,7 +169,7 @@ sub check_file { - } - } - } -- close IN; -+ close $in; - return ($is_cert, $is_crl); - } - -@@ -174,9 +198,24 @@ sub compute_hash { - # certificate fingerprints - - sub link_hash_cert { -- my $fname = $_[0]; -- my $x509hash = $_[1] || '-subject_hash'; -- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, -+ link_hash($_[0], 'cert', '-subject_hash'); -+ link_hash($_[0], 'cert', '-subject_hash_old'); -+} -+ -+# Same as above except for a CRL. CRL links are of the form .r -+ -+sub link_hash_crl { -+ link_hash($_[0], 'crl', '-hash'); -+ link_hash($_[0], 'crl', '-hash_old'); -+} -+ -+sub link_hash { -+ my ($fname, $type, $hash_name) = @_; -+ my $is_cert = $type eq 'cert' or $type eq 'cert_old'; -+ -+ my ($hash, $fprint) = compute_hash($openssl, -+ $is_cert ? "x509" : "crl", -+ $hash_name, - "-fingerprint", "-noout", - "-in", $fname); - chomp $hash; -@@ -186,75 +225,23 @@ sub link_hash_cert { - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename -- while(exists $hashlist{"$hash.$suffix"}) { -+ my $crlmark = $is_cert ? "" : "r"; -+ while(exists $hashlist{"$hash.$crlmark$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert -- if ($hashlist{"$hash.$suffix"} eq $fprint) { -- print STDERR "WARNING: Skipping duplicate certificate $fname\n"; -+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) { -+ my $what = $is_cert ? 'certificate' : 'CRL'; -+ print STDERR "WARNING: Skipping duplicate $what $fname\n"; - return; - } - $suffix++; - } -- $hash .= ".$suffix"; -+ $hash .= ".$crlmark$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "copy $fname -> $hash\n" if $verbose; -- if (open($in, "<", $fname)) { -- if (open($out,">", $hash)) { -- print $out $_ while (<$in>); -- close $out; -- } else { -- warn "can't open $hash for write, $!"; -- } -- close $in; -- } else { -- warn "can't open $fname for read, $!"; -- } -- } -- $hashlist{$hash} = $fprint; --} -- --sub link_hash_cert_old { -- link_hash_cert($_[0], '-subject_hash_old'); --} -- --sub link_hash_crl_old { -- link_hash_crl($_[0], '-hash_old'); --} -- -- --# Same as above except for a CRL. CRL links are of the form .r -- --sub link_hash_crl { -- my $fname = $_[0]; -- my $crlhash = $_[1] || "-hash"; -- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, -- "-fingerprint", "-noout", -- "-in", $fname); -- chomp $hash; -- chomp $fprint; -- return if !$hash; -- $fprint =~ s/^.*=//; -- $fprint =~ tr/://d; -- my $suffix = 0; -- # Search for an unused hash filename -- while(exists $hashlist{"$hash.r$suffix"}) { -- # Hash matches: if fingerprint matches its a duplicate cert -- if ($hashlist{"$hash.r$suffix"} eq $fprint) { -- print STDERR "WARNING: Skipping duplicate CRL $fname\n"; -- return; -- } -- $suffix++; -- } -- $hash .= ".r$suffix"; -- if ($symlink_exists) { -- print "link $fname -> $hash\n" if $verbose; -- symlink $fname, $hash || warn "Can't symlink, $!"; -- } else { -- print "cp $fname -> $hash\n" if $verbose; -- system ("cp", $fname, $hash); -- warn "Can't copy, $!" if ($? >> 8) != 0; -+ copy_file($fname, $hash); - } - $hashlist{$hash} = $fprint; - } diff -Nru openssl-1.1.1n/debian/patches/Generate-some-certificates-with-the-certificatePolicies-e.patch openssl-1.1.1v/debian/patches/Generate-some-certificates-with-the-certificatePolicies-e.patch --- openssl-1.1.1n/debian/patches/Generate-some-certificates-with-the-certificatePolicies-e.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Generate-some-certificates-with-the-certificatePolicies-e.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,141 +0,0 @@ -From: Matt Caswell -Date: Tue, 7 Mar 2023 15:22:40 +0000 -Subject: Generate some certificates with the certificatePolicies extension - -Related-to: CVE-2023-0465 - -Reviewed-by: Hugo Landau -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/20588) ---- - test/certs/ca-pol-cert.pem | 19 +++++++++++++++++++ - test/certs/ee-cert-policies-bad.pem | 20 ++++++++++++++++++++ - test/certs/ee-cert-policies.pem | 20 ++++++++++++++++++++ - test/certs/mkcert.sh | 9 +++++++-- - test/certs/setup.sh | 6 ++++++ - 5 files changed, 72 insertions(+), 2 deletions(-) - create mode 100644 test/certs/ca-pol-cert.pem - create mode 100644 test/certs/ee-cert-policies-bad.pem - create mode 100644 test/certs/ee-cert-policies.pem - -diff --git a/test/certs/ca-pol-cert.pem b/test/certs/ca-pol-cert.pem -new file mode 100644 -index 000000000000..244af3292b21 ---- /dev/null -+++ b/test/certs/ca-pol-cert.pem -@@ -0,0 +1,19 @@ -+-----BEGIN CERTIFICATE----- -+MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -+IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD -+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd -+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz -+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W -+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l -+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc -+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -+CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD -+VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE -+PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3 -+DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7 -+Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H -+unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ -+7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g -+DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C -+9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx -+-----END CERTIFICATE----- -diff --git a/test/certs/ee-cert-policies-bad.pem b/test/certs/ee-cert-policies-bad.pem -new file mode 100644 -index 000000000000..0fcd6372b317 ---- /dev/null -+++ b/test/certs/ee-cert-policies-bad.pem -@@ -0,0 +1,20 @@ -+-----BEGIN CERTIFICATE----- -+MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg -+Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy -+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY -+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT -+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l -+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 -+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 -+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn -+iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H -+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC -+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w -+bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G -+CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ -+P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs -+YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N -+XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa -+QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx -+wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF -+-----END CERTIFICATE----- -diff --git a/test/certs/ee-cert-policies.pem b/test/certs/ee-cert-policies.pem -new file mode 100644 -index 000000000000..2f06d7433fd9 ---- /dev/null -+++ b/test/certs/ee-cert-policies.pem -@@ -0,0 +1,20 @@ -+-----BEGIN CERTIFICATE----- -+MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg -+Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy -+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY -+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT -+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l -+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 -+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 -+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn -+iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H -+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC -+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w -+bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB -+AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D -+QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl -+CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa -+dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK -+NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk -+D3brBn24UISaFRZoB7jsjok= -+-----END CERTIFICATE----- -diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh -index d8e70423911f..dd04aee48d23 100755 ---- a/test/certs/mkcert.sh -+++ b/test/certs/mkcert.sh -@@ -117,11 +117,12 @@ genca() { - local OPTIND=1 - local purpose= - -- while getopts p: o -+ while getopts p:c: o - do - case $o in - p) purpose="$OPTARG";; -- *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2 -+ c) certpol="$OPTARG";; -+ *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2 - return 1;; - esac - done -@@ -142,6 +143,10 @@ genca() { - if [ -n "$NC" ]; then - exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC") - fi -+ if [ -n "$certpol" ]; then -+ exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol") -+ fi -+ - csr=$(req "$key" "CN = $cn") || return 1 - echo "$csr" | - cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ -diff --git a/test/certs/setup.sh b/test/certs/setup.sh -index 020f6ce97342..1cbef67ae00f 100755 ---- a/test/certs/setup.sh -+++ b/test/certs/setup.sh -@@ -405,3 +405,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \ - root-ed448-key root-ed448-cert - OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ - server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert -+ -+# certificatePolicies extension -+./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert -+./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1" -+# We can create a cert with a duplicate policy oid - but its actually invalid! -+./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1" diff -Nru openssl-1.1.1n/debian/patches/Re-add-BN_F_OSSL_BN_RSA_DO_UNBLIND-which-was-incorrectly-.patch openssl-1.1.1v/debian/patches/Re-add-BN_F_OSSL_BN_RSA_DO_UNBLIND-which-was-incorrectly-.patch --- openssl-1.1.1n/debian/patches/Re-add-BN_F_OSSL_BN_RSA_DO_UNBLIND-which-was-incorrectly-.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Re-add-BN_F_OSSL_BN_RSA_DO_UNBLIND-which-was-incorrectly-.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,24 +0,0 @@ -From: Tomas Mraz -Date: Thu, 20 Apr 2023 10:24:38 +0200 -Subject: Re-add BN_F_OSSL_BN_RSA_DO_UNBLIND which was incorrectly removed - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/20784) ---- - include/openssl/bnerr.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h -index 9f3c7cfaab67..a0752cea52d7 100644 ---- a/include/openssl/bnerr.h -+++ b/include/openssl/bnerr.h -@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void); - # define BN_F_BN_SET_WORDS 144 - # define BN_F_BN_STACK_PUSH 148 - # define BN_F_BN_USUB 115 -+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 - - /* - * BN reason codes. diff -Nru openssl-1.1.1n/debian/patches/Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj2txt-.patch openssl-1.1.1v/debian/patches/Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj2txt-.patch --- openssl-1.1.1n/debian/patches/Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj2txt-.patch 2023-05-26 21:30:44.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj2txt-.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,57 +0,0 @@ -From: Richard Levitte -Date: Fri, 12 May 2023 10:00:13 +0200 -Subject: Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will - translate - -OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical -numeric text form. For gigantic sub-identifiers, this would take a very -long time, the time complexity being O(n^2) where n is the size of that -sub-identifier. - -To mitigate this, a restriction on the size that OBJ_obj2txt() will -translate to canonical numeric text form is added, based on RFC 2578 -(STD 58), which says this: - -> 3.5. OBJECT IDENTIFIER values -> -> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers. -> For the SMIv2, each number in the list is referred to as a sub-identifier, -> there are at most 128 sub-identifiers in a value, and each sub-identifier -> has a maximum value of 2^32-1 (4294967295 decimal). - -Fixes otc/security#96 -Fixes CVE-2023-2650 ---- - crypto/objects/obj_dat.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c -index 7e8de727f310..d699915b20e7 100644 ---- a/crypto/objects/obj_dat.c -+++ b/crypto/objects/obj_dat.c -@@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) - first = 1; - bl = NULL; - -+ /* -+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: -+ * -+ * > 3.5. OBJECT IDENTIFIER values -+ * > -+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative -+ * > numbers. For the SMIv2, each number in the list is referred to as a -+ * > sub-identifier, there are at most 128 sub-identifiers in a value, -+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 -+ * > decimal). -+ * -+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7), -+ * i.e. 586 bytes long. -+ * -+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 -+ */ -+ if (len > 586) -+ goto err; -+ - while (len > 0) { - l = 0; - use_bn = 0; diff -Nru openssl-1.1.1n/debian/patches/Revert-Fix-Timing-Oracle-in-RSA-decryption.patch openssl-1.1.1v/debian/patches/Revert-Fix-Timing-Oracle-in-RSA-decryption.patch --- openssl-1.1.1n/debian/patches/Revert-Fix-Timing-Oracle-in-RSA-decryption.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Revert-Fix-Timing-Oracle-in-RSA-decryption.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,789 +0,0 @@ -From: Sebastian Andrzej Siewior -Date: Fri, 26 May 2023 23:12:04 +0200 -Subject: Revert "Fix Timing Oracle in RSA decryption" - -This reverts commit ce888cab5b576f53bfe6aebe374efdba5e74e519. ---- - crypto/bn/bn_blind.c | 14 ++ - crypto/bn/bn_err.c | 2 - - crypto/bn/bn_local.h | 14 -- - crypto/bn/build.info | 3 +- - crypto/bn/rsa_sup_mul.c | 614 ------------------------------------------------ - crypto/err/openssl.txt | 3 +- - crypto/rsa/rsa_ossl.c | 17 +- - include/crypto/bn.h | 5 - - include/openssl/bnerr.h | 1 - - 9 files changed, 20 insertions(+), 653 deletions(-) - delete mode 100644 crypto/bn/rsa_sup_mul.c - -diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c -index 6e9d23932119..76fc7ebcffc0 100644 ---- a/crypto/bn/bn_blind.c -+++ b/crypto/bn/bn_blind.c -@@ -13,6 +13,20 @@ - - #define BN_BLINDING_COUNTER 32 - -+struct bn_blinding_st { -+ BIGNUM *A; -+ BIGNUM *Ai; -+ BIGNUM *e; -+ BIGNUM *mod; /* just a reference */ -+ CRYPTO_THREAD_ID tid; -+ int counter; -+ unsigned long flags; -+ BN_MONT_CTX *m_ctx; -+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -+ CRYPTO_RWLOCK *lock; -+}; -+ - BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) - { - BN_BLINDING *ret = NULL; -diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c -index 3dd8d9a5682b..dd87c152cf37 100644 ---- a/crypto/bn/bn_err.c -+++ b/crypto/bn/bn_err.c -@@ -73,8 +73,6 @@ static const ERR_STRING_DATA BN_str_functs[] = { - {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"}, - {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"}, - {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"}, -- {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0), -- "ossl_bn_rsa_do_unblind"}, - {0, NULL} - }; - -diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h -index 096513533b70..8ad69ccd3639 100644 ---- a/crypto/bn/bn_local.h -+++ b/crypto/bn/bn_local.h -@@ -263,20 +263,6 @@ struct bn_gencb_st { - } cb; - }; - --struct bn_blinding_st { -- BIGNUM *A; -- BIGNUM *Ai; -- BIGNUM *e; -- BIGNUM *mod; /* just a reference */ -- CRYPTO_THREAD_ID tid; -- int counter; -- unsigned long flags; -- BN_MONT_CTX *m_ctx; -- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -- CRYPTO_RWLOCK *lock; --}; -- - /*- - * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions - * -diff --git a/crypto/bn/build.info b/crypto/bn/build.info -index c9fe2fdada69..b9ed5322fa68 100644 ---- a/crypto/bn/build.info -+++ b/crypto/bn/build.info -@@ -5,8 +5,7 @@ SOURCE[../../libcrypto]=\ - bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \ - {- $target{bn_asm_src} -} \ - bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ -- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \ -- rsa_sup_mul.c -+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c - - INCLUDE[bn_exp.o]=.. - -diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c -deleted file mode 100644 -index acafefd5febf..000000000000 ---- a/crypto/bn/rsa_sup_mul.c -+++ /dev/null -@@ -1,614 +0,0 @@ --#include --#include --#include --#include --#include --#include --#include --#include "internal/numbers.h" --#include "internal/constant_time.h" --#include "bn_local.h" -- --# if BN_BYTES == 8 --typedef uint64_t limb_t; --# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 --/* nonstandard; implemented by gcc on 64-bit platforms */ --typedef __uint128_t limb2_t; --# define HAVE_LIMB2_T --# endif --# define LIMB_BIT_SIZE 64 --# define LIMB_BYTE_SIZE 8 --# elif BN_BYTES == 4 --typedef uint32_t limb_t; --typedef uint64_t limb2_t; --# define LIMB_BIT_SIZE 32 --# define LIMB_BYTE_SIZE 4 --# define HAVE_LIMB2_T --# else --# error "Not supported" --# endif -- --/* -- * For multiplication we're using schoolbook multiplication, -- * so if we have two numbers, each with 6 "digits" (words) -- * the multiplication is calculated as follows: -- * A B C D E F -- * x I J K L M N -- * -------------- -- * N*F -- * N*E -- * N*D -- * N*C -- * N*B -- * N*A -- * M*F -- * M*E -- * M*D -- * M*C -- * M*B -- * M*A -- * L*F -- * L*E -- * L*D -- * L*C -- * L*B -- * L*A -- * K*F -- * K*E -- * K*D -- * K*C -- * K*B -- * K*A -- * J*F -- * J*E -- * J*D -- * J*C -- * J*B -- * J*A -- * I*F -- * I*E -- * I*D -- * I*C -- * I*B -- * + I*A -- * ========================== -- * N*B N*D N*F -- * + N*A N*C N*E -- * + M*B M*D M*F -- * + M*A M*C M*E -- * + L*B L*D L*F -- * + L*A L*C L*E -- * + K*B K*D K*F -- * + K*A K*C K*E -- * + J*B J*D J*F -- * + J*A J*C J*E -- * + I*B I*D I*F -- * + I*A I*C I*E -- * -- * 1+1 1+3 1+5 -- * 1+0 1+2 1+4 -- * 0+1 0+3 0+5 -- * 0+0 0+2 0+4 -- * -- * 0 1 2 3 4 5 6 -- * which requires n^2 multiplications and 2n full length additions -- * as we can keep every other result of limb multiplication in two separate -- * limbs -- */ -- --#if defined HAVE_LIMB2_T --static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) --{ -- limb2_t t; -- /* -- * this is idiomatic code to tell compiler to use the native mul -- * those three lines will actually compile to single instruction -- */ -- -- t = (limb2_t)a * b; -- *hi = t >> LIMB_BIT_SIZE; -- *lo = (limb_t)t; --} --#elif (BN_BYTES == 8) && (defined _MSC_VER) --/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ --#pragma intrinsic(_umul128) --static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) --{ -- *lo = _umul128(a, b, hi); --} --#else --/* -- * if the compiler doesn't have either a 128bit data type nor a "return -- * high 64 bits of multiplication" -- */ --static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) --{ -- limb_t a_low = (limb_t)(uint32_t)a; -- limb_t a_hi = a >> 32; -- limb_t b_low = (limb_t)(uint32_t)b; -- limb_t b_hi = b >> 32; -- -- limb_t p0 = a_low * b_low; -- limb_t p1 = a_low * b_hi; -- limb_t p2 = a_hi * b_low; -- limb_t p3 = a_hi * b_hi; -- -- uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); -- -- *lo = p0 + (p1 << 32) + (p2 << 32); -- *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; --} --#endif -- --/* add two limbs with carry in, return carry out */ --static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) --{ -- limb_t carry1, carry2, t; -- /* -- * `c = a + b; if (c < a)` is idiomatic code that makes compilers -- * use add with carry on assembly level -- */ -- -- *ret = a + carry; -- if (*ret < a) -- carry1 = 1; -- else -- carry1 = 0; -- -- t = *ret; -- *ret = t + b; -- if (*ret < t) -- carry2 = 1; -- else -- carry2 = 0; -- -- return carry1 + carry2; --} -- --/* -- * add two numbers of the same size, return overflow -- * -- * add a to b, place result in ret; all arrays need to be n limbs long -- * return overflow from addition (0 or 1) -- */ --static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) --{ -- limb_t c = 0; -- ossl_ssize_t i; -- -- for(i = n - 1; i > -1; i--) -- c = _add_limb(&ret[i], a[i], b[i], c); -- -- return c; --} -- --/* -- * return number of limbs necessary for temporary values -- * when multiplying numbers n limbs large -- */ --static ossl_inline size_t mul_limb_numb(size_t n) --{ -- return 2 * n * 2; --} -- --/* -- * multiply two numbers of the same size -- * -- * multiply a by b, place result in ret; a and b need to be n limbs long -- * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs -- * long -- */ --static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) --{ -- limb_t *r_odd, *r_even; -- size_t i, j, k; -- -- r_odd = tmp; -- r_even = &tmp[2 * n]; -- -- memset(ret, 0, 2 * n * sizeof(limb_t)); -- -- for (i = 0; i < n; i++) { -- for (k = 0; k < i + n + 1; k++) { -- r_even[k] = 0; -- r_odd[k] = 0; -- } -- for (j = 0; j < n; j++) { -- /* -- * place results from even and odd limbs in separate arrays so that -- * we don't have to calculate overflow every time we get individual -- * limb multiplication result -- */ -- if (j % 2 == 0) -- _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); -- else -- _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); -- } -- /* -- * skip the least significant limbs when adding multiples of -- * more significant limbs (they're zero anyway) -- */ -- add(ret, ret, r_even, n + i + 1); -- add(ret, ret, r_odd, n + i + 1); -- } --} -- --/* modifies the value in place by performing a right shift by one bit */ --static ossl_inline void rshift1(limb_t *val, size_t n) --{ -- limb_t shift_in = 0, shift_out = 0; -- size_t i; -- -- for (i = 0; i < n; i++) { -- shift_out = val[i] & 1; -- val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); -- shift_in = shift_out; -- } --} -- --/* extend the LSB of flag to all bits of limb */ --static ossl_inline limb_t mk_mask(limb_t flag) --{ -- flag |= flag << 1; -- flag |= flag << 2; -- flag |= flag << 4; -- flag |= flag << 8; -- flag |= flag << 16; --#if (LIMB_BYTE_SIZE == 8) -- flag |= flag << 32; --#endif -- return flag; --} -- --/* -- * copy from either a or b to ret based on flag -- * when flag == 0, then copies from b -- * when flag == 1, then copies from a -- */ --static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) --{ -- /* -- * would be more efficient with non volatile mask, but then gcc -- * generates code with jumps -- */ -- volatile limb_t mask; -- size_t i; -- -- mask = mk_mask(flag); -- for (i = 0; i < n; i++) { --#if (LIMB_BYTE_SIZE == 8) -- ret[i] = constant_time_select_64(mask, a[i], b[i]); --#else -- ret[i] = constant_time_select_32(mask, a[i], b[i]); --#endif -- } --} -- --static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) --{ -- limb_t borrow1, borrow2, t; -- /* -- * while it doesn't look constant-time, this is idiomatic code -- * to tell compilers to use the carry bit from subtraction -- */ -- -- *ret = a - borrow; -- if (*ret > a) -- borrow1 = 1; -- else -- borrow1 = 0; -- -- t = *ret; -- *ret = t - b; -- if (*ret > t) -- borrow2 = 1; -- else -- borrow2 = 0; -- -- return borrow1 + borrow2; --} -- --/* -- * place the result of a - b into ret, return the borrow bit. -- * All arrays need to be n limbs long -- */ --static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) --{ -- limb_t borrow = 0; -- ossl_ssize_t i; -- -- for (i = n - 1; i > -1; i--) -- borrow = _sub_limb(&ret[i], a[i], b[i], borrow); -- -- return borrow; --} -- --/* return the number of limbs necessary to allocate for the mod() tmp operand */ --static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) --{ -- return (anum + modnum) * 3; --} -- --/* -- * calculate a % mod, place the result in ret -- * size of a is defined by anum, size of ret and mod is modnum, -- * size of tmp is returned by mod_limb_numb() -- */ --static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, -- size_t modnum, limb_t *tmp) --{ -- limb_t *atmp, *modtmp, *rettmp; -- limb_t res; -- size_t i; -- -- memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); -- -- atmp = tmp; -- modtmp = &tmp[anum + modnum]; -- rettmp = &tmp[(anum + modnum) * 2]; -- -- for (i = modnum; i 0; i--, rp--) { -- v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2); -- v = v + carry + rp[-1]; -- carry |= (v != rp[-1]); -- carry &= (v <= rp[-1]); -- rp[-1] = v; -- } -- -- /* perform the final reduction by mod... */ -- carry -= sub(ret, rp, mod, modnum); -- -- /* ...conditionally */ -- cselect(carry, ret, rp, ret, modnum); --} -- --/* allocated buffer should be freed afterwards */ --static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) --{ -- int i; -- int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -- limb_t *ptr = buf + (limbs - real_limbs); -- -- for (i = 0; i < real_limbs; i++) -- ptr[i] = bn->d[real_limbs - i - 1]; --} -- --#if LIMB_BYTE_SIZE == 8 --static ossl_inline uint64_t be64(uint64_t host) --{ -- const union { -- long one; -- char little; -- } is_endian = { 1 }; -- -- if (is_endian.little) { -- uint64_t big = 0; -- -- big |= (host & 0xff00000000000000) >> 56; -- big |= (host & 0x00ff000000000000) >> 40; -- big |= (host & 0x0000ff0000000000) >> 24; -- big |= (host & 0x000000ff00000000) >> 8; -- big |= (host & 0x00000000ff000000) << 8; -- big |= (host & 0x0000000000ff0000) << 24; -- big |= (host & 0x000000000000ff00) << 40; -- big |= (host & 0x00000000000000ff) << 56; -- return big; -- } else { -- return host; -- } --} -- --#else --/* Not all platforms have htobe32(). */ --static ossl_inline uint32_t be32(uint32_t host) --{ -- const union { -- long one; -- char little; -- } is_endian = { 1 }; -- -- if (is_endian.little) { -- uint32_t big = 0; -- -- big |= (host & 0xff000000) >> 24; -- big |= (host & 0x00ff0000) >> 8; -- big |= (host & 0x0000ff00) << 8; -- big |= (host & 0x000000ff) << 24; -- return big; -- } else { -- return host; -- } --} --#endif -- --/* -- * We assume that intermediate, possible_arg2, blinding, and ctx are used -- * similar to BN_BLINDING_invert_ex() arguments. -- * to_mod is RSA modulus. -- * buf and num is the serialization buffer and its length. -- * -- * Here we use classic/Montgomery multiplication and modulo. After the calculation finished -- * we serialize the new structure instead of BIGNUMs taking endianness into account. -- */ --int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -- const BN_BLINDING *blinding, -- const BIGNUM *possible_arg2, -- const BIGNUM *to_mod, BN_CTX *ctx, -- unsigned char *buf, int num) --{ -- limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; -- limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; -- size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; -- size_t l_tmp_count = 0; -- int ret = 0; -- size_t i; -- unsigned char *tmp; -- const BIGNUM *arg1 = intermediate; -- const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; -- -- l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -- l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -- l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -- -- l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; -- l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -- l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -- l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); -- -- if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) -- goto err; -- -- BN_to_limb(arg1, l_im, l_size); -- BN_to_limb(arg2, l_mul, l_size); -- BN_to_limb(to_mod, l_mod, l_mod_count); -- -- l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); -- -- if (blinding->m_ctx != NULL) { -- l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? -- mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); -- l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -- } else { -- l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? -- mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); -- l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -- } -- -- if ((l_ret == NULL) || (l_tmp == NULL)) -- goto err; -- -- if (blinding->m_ctx != NULL) { -- limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -- mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, -- blinding->m_ctx->n0[0], l_tmp); -- } else { -- limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -- mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); -- } -- -- /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ -- if (num < BN_num_bytes(to_mod)) { -- BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT); -- goto err; -- } -- -- memset(buf, 0, num); -- tmp = buf + num - BN_num_bytes(to_mod); -- for (i = 0; i < l_mod_count; i++) { --#if LIMB_BYTE_SIZE == 8 -- l_buf = be64(l_ret[i]); --#else -- l_buf = be32(l_ret[i]); --#endif -- if (i == 0) { -- int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); -- -- memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); -- tmp += delta; -- } else { -- memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); -- tmp += LIMB_BYTE_SIZE; -- } -- } -- ret = num; -- -- err: -- OPENSSL_free(l_im); -- OPENSSL_free(l_mul); -- OPENSSL_free(l_mod); -- OPENSSL_free(l_tmp); -- OPENSSL_free(l_ret); -- -- return ret; --} -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index e0f0ab7c76f8..902e97b84355 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -1,4 +1,4 @@ --# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. - # - # Licensed under the OpenSSL license (the "License"). You may not use - # this file except in compliance with the License. You can obtain a copy -@@ -232,7 +232,6 @@ BN_F_BN_RSHIFT:146:BN_rshift - BN_F_BN_SET_WORDS:144:bn_set_words - BN_F_BN_STACK_PUSH:148:BN_STACK_push - BN_F_BN_USUB:115:BN_usub --BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind - BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow - BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean - BUF_F_BUF_MEM_NEW:101:BUF_MEM_new -diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c -index 6c3c0cf78d30..b52a66f6a628 100644 ---- a/crypto/rsa/rsa_ossl.c -+++ b/crypto/rsa/rsa_ossl.c -@@ -465,20 +465,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BN_free(d); - } - -- if (blinding) { -- /* -- * ossl_bn_rsa_do_unblind() combines blinding inversion and -- * 0-padded BN BE serialization -- */ -- j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, -- buf, num); -- if (j == 0) -+ if (blinding) -+ if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) - goto err; -- } else { -- j = BN_bn2binpad(ret, buf, num); -- if (j < 0) -- goto err; -- } -+ -+ j = BN_bn2binpad(ret, buf, num); - - switch (padding) { - case RSA_PKCS1_PADDING: -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index b5f36fb25aa2..60afda1dadee 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -86,10 +86,5 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, - const BIGNUM *d, BN_CTX *ctx); --int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -- const BN_BLINDING *blinding, -- const BIGNUM *possible_arg2, -- const BIGNUM *to_mod, BN_CTX *ctx, -- unsigned char *buf, int num); - - #endif -diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h -index a0752cea52d7..9f3c7cfaab67 100644 ---- a/include/openssl/bnerr.h -+++ b/include/openssl/bnerr.h -@@ -72,7 +72,6 @@ int ERR_load_BN_strings(void); - # define BN_F_BN_SET_WORDS 144 - # define BN_F_BN_STACK_PUSH 148 - # define BN_F_BN_USUB 115 --# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 - - /* - * BN reason codes. diff -Nru openssl-1.1.1n/debian/patches/Update-expired-SCT-certificates.patch openssl-1.1.1v/debian/patches/Update-expired-SCT-certificates.patch --- openssl-1.1.1n/debian/patches/Update-expired-SCT-certificates.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Update-expired-SCT-certificates.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,187 +0,0 @@ -From: Tomas Mraz -Date: Wed, 1 Jun 2022 12:47:44 +0200 -Subject: Update expired SCT certificates - -Reviewed-by: Matt Caswell -Reviewed-by: Dmitry Belyavskiy -(Merged from https://github.com/openssl/openssl/pull/18446) ---- - test/certs/embeddedSCTs1-key.pem | 38 ++++++++++++++++++++++----------- - test/certs/embeddedSCTs1.pem | 35 +++++++++++++++--------------- - test/certs/embeddedSCTs1.sct | 12 +++++------ - test/certs/embeddedSCTs1_issuer-key.pem | 15 +++++++++++++ - test/certs/embeddedSCTs1_issuer.pem | 30 +++++++++++++------------- - 5 files changed, 79 insertions(+), 51 deletions(-) - create mode 100644 test/certs/embeddedSCTs1_issuer-key.pem - -diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem -index e3e66d55c510..28dd206dbe8d 100644 ---- a/test/certs/embeddedSCTs1-key.pem -+++ b/test/certs/embeddedSCTs1-key.pem -@@ -1,15 +1,27 @@ - -----BEGIN RSA PRIVATE KEY----- --MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k --WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X --EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB --AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g --PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf --flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU --X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ --pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA --b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt --9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR --83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs --n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ --1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ== -+MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw -+XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT -+48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ -+b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L -+eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG -+a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm -+tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf -+3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r -+zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF -+nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ -+XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw -+ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ -+S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi -+BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3 -+2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn -+MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU -+JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn -+j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA -+jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu -+ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk -+3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P -+o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI -+fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1 -+5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP -+RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4= - -----END RSA PRIVATE KEY----- -diff --git a/test/certs/embeddedSCTs1.pem b/test/certs/embeddedSCTs1.pem -index d1e85120a043..d2a111fb8235 100644 ---- a/test/certs/embeddedSCTs1.pem -+++ b/test/certs/embeddedSCTs1.pem -@@ -1,20 +1,21 @@ - -----BEGIN CERTIFICATE----- --MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk -+MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk - MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX --YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw --MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu --c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G --CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/ --BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk --EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw --FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q --Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD --VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w --DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK --BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L --vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw --KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG --SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE --oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr --5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg -+YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy -+NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3 -+DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK -+/RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE -+FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI -+0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I -+QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S -+wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB -+CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I -+Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD -+ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI -+/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB -+u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ -+BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR -+RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1 -+IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W -+YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw== - -----END CERTIFICATE----- -diff --git a/test/certs/embeddedSCTs1.sct b/test/certs/embeddedSCTs1.sct -index 59362dcee1f4..35c9eb9e3bed 100644 ---- a/test/certs/embeddedSCTs1.sct -+++ b/test/certs/embeddedSCTs1.sct -@@ -2,11 +2,11 @@ - Version : v1 (0x0) - Log ID : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C: - 79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64 -- Timestamp : Apr 5 17:04:16.275 2013 GMT -+ Timestamp : Jan 1 00:00:00.000 2020 GMT - Extensions: none - Signature : ecdsa-with-SHA256 -- 30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F: -- D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3: -- E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2: -- F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1: -- 05:51:9D:89:ED:BF:08 -\ No newline at end of file -+ 30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A: -+ D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4: -+ BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F: -+ 02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7: -+ 60:EB:A8:AF:03:5E:C3 -\ No newline at end of file -diff --git a/test/certs/embeddedSCTs1_issuer-key.pem b/test/certs/embeddedSCTs1_issuer-key.pem -new file mode 100644 -index 000000000000..9326e38b1eb7 ---- /dev/null -+++ b/test/certs/embeddedSCTs1_issuer-key.pem -@@ -0,0 +1,15 @@ -+-----BEGIN RSA PRIVATE KEY----- -+MIICXAIBAAKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7jHbrkVfT0PtLO1FuzsvR -+yY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjPKDHM5nugSlojgZ88ujfm -+JNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnLsvfP34b7arnRsQIDAQAB -+AoGAJLR6xEJp+5IXRFlLn7WTkFvO0ddtxJ7bXhiIkTctyruyfqp7LF9Jv1G2m3PK -+QPUtBc73w/GYkfnwIwdfJbOmPHL7XyEGHZYmEXgIgEtw6LXvAv0G5JpUnNwsSBfL -+GfSQqI5Z5ytyzlJXkMcTGA2kTgNAYc73h4EnU+pwUnDPdAECQQD2aj+4LtYk1XPq -+r3gjgI6MoGvgYJfPmAtZhxxVbhXQKciFUCAcBiwlQdHIdLWE9j65ctmZRWidKifr -+4O4nz+TBAkEA3djNW/rTQq5fKZy+mCF1WYnIU/3yhJaptzRqLm7AHqe7+hdrGXJw -++mCtU8T3L/Ms8bH1yFBZhmkp1PbR8gl48QJAQo70YyWThiN5yfxXcQ96cZWrTdIJ -+b3NcLXSHPLQdhDqlBQ1dfvRT3ERpC8IqfZ2d162kBPhwh3MpkVcSPQK0gQJAC/dY -+xGBYKt2a9nSk9zG+0bCT5Kvq++ngh6hFHfINXNnxUsEWns3EeEzkrIMQTj7QqszN -+lBt5aL2dawZRNrv6EQJBAOo4STF9KEwQG0HLC/ryh1FeB0OBA5yIepXze+eJVKei -+T0cCECOQJKfWHEzYJYDJhyEFF/sYp9TXwKSDjOifrsU= -+-----END RSA PRIVATE KEY----- -diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem -index 1fa449d5a098..6aa9455f09ed 100644 ---- a/test/certs/embeddedSCTs1_issuer.pem -+++ b/test/certs/embeddedSCTs1_issuer.pem -@@ -1,18 +1,18 @@ - -----BEGIN CERTIFICATE----- --MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk -+MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk - MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX --YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw --MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu --c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf --MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7 --jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP --KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL --svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk --tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG --A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO --MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB --/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt --OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy --f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP --OwqULg== -+YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw -+ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy -+YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w -+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG -+0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4 -+SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG -+acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw -+wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw -+CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB -+MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD -+AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq -++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo -+2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c -+Doud4XrO - -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/debian/patches/Update-further-expiring-certificates-that-affect-tests.patch openssl-1.1.1v/debian/patches/Update-further-expiring-certificates-that-affect-tests.patch --- openssl-1.1.1n/debian/patches/Update-further-expiring-certificates-that-affect-tests.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/Update-further-expiring-certificates-that-affect-tests.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,959 +0,0 @@ -From: Tomas Mraz -Date: Thu, 2 Jun 2022 18:12:05 +0200 -Subject: Update further expiring certificates that affect tests - -Namely the smime certificates used in test_cms -will expire soon and affect tests. - -Fixes #15179 - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/18481) ---- - test/smime-certs/mksmime-certs.sh | 22 +++++----- - test/smime-certs/smdh.pem | 72 ++++++++++++++++++------------- - test/smime-certs/smdsa1.pem | 86 ++++++++++++++++++------------------- - test/smime-certs/smdsa2.pem | 86 ++++++++++++++++++------------------- - test/smime-certs/smdsa3.pem | 86 ++++++++++++++++++------------------- - test/smime-certs/smec1.pem | 36 ++++++++-------- - test/smime-certs/smec2.pem | 38 ++++++++--------- - test/smime-certs/smroot.pem | 90 +++++++++++++++++++-------------------- - test/smime-certs/smrsa1.pem | 90 +++++++++++++++++++-------------------- - test/smime-certs/smrsa2.pem | 90 +++++++++++++++++++-------------------- - test/smime-certs/smrsa3.pem | 90 +++++++++++++++++++-------------------- - 11 files changed, 400 insertions(+), 386 deletions(-) - -diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh -index c98e164b1871..caa191ed770c 100644 ---- a/test/smime-certs/mksmime-certs.sh -+++ b/test/smime-certs/mksmime-certs.sh -@@ -15,23 +15,23 @@ export OPENSSL_CONF - - # Root CA: create certificate directly - CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -nodes \ -- -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650 -+ -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501 - - # EE RSA certificates: create request first - CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -nodes \ - -keyout smrsa1.pem -out req.pem -newkey rsa:2048 - # Sign request: end entity extensions --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem - - CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -nodes \ - -keyout smrsa2.pem -out req.pem -newkey rsa:2048 --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem - - CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -nodes \ - -keyout smrsa3.pem -out req.pem -newkey rsa:2048 --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem - - # Create DSA parameters -@@ -40,15 +40,15 @@ $OPENSSL dsaparam -out dsap.pem 2048 - - CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -nodes \ - -keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem - CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -nodes \ - -keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem - CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -nodes \ - -keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem - - # Create EC parameters -@@ -58,15 +58,15 @@ $OPENSSL ecparam -out ecp2.pem -name K-283 - - CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -nodes \ - -keyout smec1.pem -out req.pem -newkey ec:ecp.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem - CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -nodes \ - -keyout smec2.pem -out req.pem -newkey ec:ecp2.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem - CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -nodes \ - -keyout smec3.pem -out req.pem -newkey ec:ecp.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem - # Create X9.42 DH parameters. - $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_type:2 \ -@@ -78,7 +78,7 @@ $OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem - CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -nodes \ - -keyout smtmp.pem -out req.pem -newkey rsa:2048 - # Sign request but force public key to DH --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -force_pubkey dhpub.pem \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem - # Remove temp files. -diff --git a/test/smime-certs/smdh.pem b/test/smime-certs/smdh.pem -index f831b0713b95..273dfca5e05c 100644 ---- a/test/smime-certs/smdh.pem -+++ b/test/smime-certs/smdh.pem -@@ -1,33 +1,47 @@ - -----BEGIN PRIVATE KEY----- --MIIBSgIBADCCASsGByqGSM4+AgEwggEeAoGBANQMSgwEcnEZ31kZxa9Ef8qOK/AJ --9dMlsXMWVYnf/QevGdN/0Aei/j9a8QHG+CvvTm0DOEKhN9QUtABKsYZag865CA7B --mSdHjQuFqILtzA25sDJ+3+jk9vbss+56ETRll/wasJVLGbmmHNkBMvc1fC1d/sGF --cEn4zJnQvvFaeMgDAoGAaQD9ZvL8FYsJuNxN6qp5VfnfRqYvyi2PWSqtRKPGGC+V --thYg49PRjwPOcXzvOsdEOQ7iH9jTiSvnUdwSSEwYTZkSBuQXAgOMJAWOpoXyaRvh --atziBDoBnWS+/kX5RBhxvS0+em9yfRqAQleuGG+R1mEDihyJc8dWQQPT+O1l4oUC --FQCJlKsQZ0VBrWPGcUCNa54ZW6TH9QQWAhRR2NMZrQSfWthXDO8Lj5WZ34zQrA== -+MIICXAIBADCCAjUGByqGSM4+AgEwggIoAoIBAQCB6AUA/1eXRh+iLWHXe+lUl6e+ -++460tAIIpsQ1jw1ZaTmlH9SlrWSBNVRVHwDuBW7vA+lKgBvDpCIjmhRbgrZIGwcZ -+6ruCYy5KF/B3AW5MApC9QCDaVrG6Hb7NfpMgwuUIKvvvOMrrvn4r5Oxtsx9rORTE -+bdS33MuZCOIbodjs5u+e/2hhssOwgUTMASDwXppJTyeMwAAZ+p78ByrSULP6yYdP -+PTh8sK1begDG6YTSKE3VqYNg1yaE5tQvCQ0U2L4qZ8JqexAVHbR8LA8MNhtA1pma -+Zj4q2WNAEevpprIIRXgJEZY278nPlvVeoKfOef9RBHgQ6ZTnZ1Et5iLMCwYHAoIB -+AFVgJaHfnBVJYfaQh1NyoVZJ5xX6UvvL5xEKUwwEMgs8JSOzp2UI+KRDpy9KbNH7 -+93Kwa2d8Q7ynciDiCmd1ygF4CJKb4ZOwjWjpZ4DedHr0XokGhyBCyjaBxOi3i4tP -+EFO8YHs5B/yOZHzcpTfs2VxJqIm3KF8q0Ify9PWDAsgo+d21/+eye60FHjF9o2/D -+l3NRlOhUhHNGykfqFgKEEEof3/3c6r5BS0oRXdsu6dx/y2/v8j9aJoHfyGHkswxr -+ULSBxJENOBB89C+GET6yhbxV1e4SFwzHnXgG8bWXwk7bea6ZqXbHq0pT3kUiQeKe -+assXKqRBAG9NLbQ3mmx8RFkCHQDIVBWPf6VwBa2s1CAcsIziVJ8qr/KAKx9DZ3h5 -+BB4CHAF3VZBAC/TB85J4PzsLJ+VrOWr0c8kQlYUR9rw= - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIID/zCCAuegAwIBAgIJANv1TSKgememMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA4MDIxNDQ5MjlaFw0yMzA2MTExNDQ5MjlaMEQx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU --ZXN0IFMvTUlNRSBFRSBESCAjMTCCAbYwggErBgcqhkjOPgIBMIIBHgKBgQDUDEoM --BHJxGd9ZGcWvRH/KjivwCfXTJbFzFlWJ3/0HrxnTf9AHov4/WvEBxvgr705tAzhC --oTfUFLQASrGGWoPOuQgOwZknR40LhaiC7cwNubAyft/o5Pb27LPuehE0ZZf8GrCV --Sxm5phzZATL3NXwtXf7BhXBJ+MyZ0L7xWnjIAwKBgGkA/Wby/BWLCbjcTeqqeVX5 --30amL8otj1kqrUSjxhgvlbYWIOPT0Y8DznF87zrHRDkO4h/Y04kr51HcEkhMGE2Z --EgbkFwIDjCQFjqaF8mkb4Wrc4gQ6AZ1kvv5F+UQYcb0tPnpvcn0agEJXrhhvkdZh --A4ociXPHVkED0/jtZeKFAhUAiZSrEGdFQa1jxnFAjWueGVukx/UDgYQAAoGAL1ve --cgI2awBeJH8ULBhSQpdL224VUDxFPiXzt8Vu5VLnxPv0pfA5En+8VByTuV7u6RSw --3/78NuTyr/sTyN8YlB1AuXHdTJynA1ICte1xgD4j2ijlq+dv8goOAFt9xkvXx7LD --umJ/cCignXETcNGfMi8+0s0bpMZyoHRdce8DQ26jYDBeMAwGA1UdEwEB/wQCMAAw --DgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQLWk1ffSXH8p3Bqrdjgi/6jzLnwDAf --BgNVHSMEGDAWgBTffl6IBSQzCN0igQKXzJq3sTMnMDANBgkqhkiG9w0BAQUFAAOC --AQEAWvJj79MW1/Wq3RIANgAhonsI1jufYqxTH+1M0RU0ZXHulgem77Le2Ls1bizi --0SbvfpTiiFGkbKonKtO2wvfqwwuptSg3omMI5IjAGxYbyv2KBzIpp1O1LTDk9RbD --48JMMF01gByi2+NLUQ1MYF+5RqyoRqcyp5x2+Om1GeIM4Q/GRuI4p4dybWy8iC+d --LeXQfR7HXfh+tAum+WzjfLJwbnWbHmPhTbKB01U4lBp6+r8BGHAtNdPjEHqap4/z --vVZVXti9ThZ20EhM+VFU3y2wyapeQjhQvw/A2YRES0Ik7BSj3hHfWH/CTbLVQnhu --Uj6tw18ExOYxqoEGixNLPA5qsQ== -+MIIFmDCCBICgAwIBAgIUWlJkHZZ2eZgkGCHFtcMAjlLdDH8wDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw -+NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 -+cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgREggIzEwggNCMIICNQYHKoZIzj4C -+ATCCAigCggEBAIHoBQD/V5dGH6ItYdd76VSXp777jrS0AgimxDWPDVlpOaUf1KWt -+ZIE1VFUfAO4Fbu8D6UqAG8OkIiOaFFuCtkgbBxnqu4JjLkoX8HcBbkwCkL1AINpW -+sbodvs1+kyDC5Qgq++84yuu+fivk7G2zH2s5FMRt1Lfcy5kI4huh2Ozm757/aGGy -+w7CBRMwBIPBemklPJ4zAABn6nvwHKtJQs/rJh089OHywrVt6AMbphNIoTdWpg2DX -+JoTm1C8JDRTYvipnwmp7EBUdtHwsDww2G0DWmZpmPirZY0AR6+mmsghFeAkRljbv -+yc+W9V6gp855/1EEeBDplOdnUS3mIswLBgcCggEAVWAlod+cFUlh9pCHU3KhVknn -+FfpS+8vnEQpTDAQyCzwlI7OnZQj4pEOnL0ps0fv3crBrZ3xDvKdyIOIKZ3XKAXgI -+kpvhk7CNaOlngN50evReiQaHIELKNoHE6LeLi08QU7xgezkH/I5kfNylN+zZXEmo -+ibcoXyrQh/L09YMCyCj53bX/57J7rQUeMX2jb8OXc1GU6FSEc0bKR+oWAoQQSh/f -+/dzqvkFLShFd2y7p3H/Lb+/yP1omgd/IYeSzDGtQtIHEkQ04EHz0L4YRPrKFvFXV -+7hIXDMedeAbxtZfCTtt5rpmpdserSlPeRSJB4p5qyxcqpEEAb00ttDeabHxEWQId -+AMhUFY9/pXAFrazUIBywjOJUnyqv8oArH0NneHkDggEFAAKCAQBigH0Mp4jUMSfK -+yOhKlEfyZ/hj/EImsUYW4+u8xjBN+ruOJUTJ06Mtgw3g2iLkhQoO9NROqvC9rdLj -++j3e+1QWm9EDNKQAa4nUp8/W+XZ5KkQWudmtaojEXD1+kd44ieNLtPGuVnPtDGO4 -+zPf04IUq7tDGbMDMMn6YXvW6f28lR3gF5vvVIsnjsd/Lau6orzmNSrymXegsEsFR -+Q7hT+/tPoAtro6Hx9rBrYb/0OCiRe4YuYrFKkC0aaJfUQepVyuVMSTxxKTzq8T06 -+M8SBITlmkPFZJHyGzV/+a72hpJsAa0BaDnpxH3cFpEMzeYG1XQK461zexoIYN3ub -+i3xNPUzPo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4E -+FgQULayIqKcWHtUH4pFolI6dKxycIG8wHwYDVR0jBBgwFoAUFcETIWviVV+nah1X -+INbP86lzZFkwDQYJKoZIhvcNAQELBQADggEBAKjKvvJ6Vc9HiQXACqqRZnekz2gO -+ue71nsXXDr2+y4PPpgcDzgtO3vhQc7Akv6Uyca9LY7w/X+temP63yxdLpKXTV19w -+Or0p4VEvTZ8AttMjFh4Hl8caVYk/J4TIudSXLIfKROP6sFu5GOw7W3xpBkL5Zio6 -+3dqe6xAYK0woNQPDfj5yOAlqj1Ohth81JywW5h2g8GfLtNe62coAqwjMJT+ExHfU -+EkF/beSqRGOvXwyhSxFpe7HVjUMgrgdfoZnNsoPmpH3eTiF4BjamGWI1+Z0o+RHa -+oPwN+cCzbDsi9uTQJO1D5S697heX00zzzU/KSW7djNzKv55vm24znuFkXTM= - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smdsa1.pem b/test/smime-certs/smdsa1.pem -index b424f6704ed9..0104e207cb27 100644 ---- a/test/smime-certs/smdsa1.pem -+++ b/test/smime-certs/smdsa1.pem -@@ -1,47 +1,47 @@ - -----BEGIN PRIVATE KEY----- --MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6 --k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou --zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO --wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK --v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC --0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA --rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM --zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx --DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy --xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9 --ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h --Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ --TQMsxQQjAiEAkolGvb/76X3vm5Ov09ezqyBYt9cdj/FLH7DyMkxO7X0= -+MIICXQIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1 -+i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t -+4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa -+kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg -+c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S -+8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A -+mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw -+V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7 -+ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR -+CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL -+5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL -+QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX -+ygQeAhwE9yuqObvNXzUTN+PY2rg00PzdyJw3XJAUrmlY - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 --uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS --7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS --wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 --+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 --Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D --AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb --0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu --g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 --0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv --yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf --7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P --aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAGXSQADbuRIZBjiQ6NikwZl+x --EDEffIE0RWbvwf1tfWxw4ZvanO/djyz5FePO0AIJDBCLUjr9D32nkmIG1Hu3dWgV --86knQsM6uFiMSzY9nkJGZOlH3w4NHLE78pk75xR1sg1MEZr4x/t+a/ea9Y4AXklE --DCcaHtpMGeAx3ZAqSKec+zQOOA73JWP1/gYHGdYyTQpQtwRTsh0Gi5mOOdpoJ0vp --O83xYbFCZ+ZZKX1RWOjJe2OQBRtw739q1nRga1VMLAT/LFSQsSE3IOp8hiWbjnit --1SE6q3II2a/aHZH/x4OzszfmtQfmerty3eQSq3bgajfxCsccnRjSbLeNiazRSKNg --MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFNHQYTOO --xaZ/N68OpxqjHKuatw6sMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs --MA0GCSqGSIb3DQEBBQUAA4IBAQAAiLociMMXcLkO/uKjAjCIQMrsghrOrxn4ZGBx --d/mCTeqPxhcrX2UorwxVCKI2+Dmz5dTC2xKprtvkiIadJamJmxYYzeF1pgRriFN3 --MkmMMkTbe/ekSvSeMtHQ2nHDCAJIaA/k9akWfA0+26Ec25/JKMrl3LttllsJMK1z --Xj7TcQpAIWORKWSNxY/ezM34+9ABHDZB2waubFqS+irlZsn38aZRuUI0K67fuuIt --17vMUBqQpe2hfNAjpZ8dIpEdAGjQ6izV2uwP1lXbiaK9U4dvUqmwyCIPniX7Hpaf --0VnX0mEViXMT6vWZTjLBUv0oKmO7xBkWHIaaX6oyF32pK5AO -+MIIFmjCCBIKgAwIBAgIUUoOmJmXAY29/2rWY0wJphQ5/pzUwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw -+NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 -+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMxMIIDQzCCAjYGByqGSM44 -+BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL -+J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5 -+LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd -+62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt -+MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l -+aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK -+3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b -+bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ -+9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2 -+DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B -+E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV -+hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBACGS7hCpTL0g -+lx9C1Bwz5xfVd0mwCqx9UGiH8Bf4lRsSagL0Irwvnjz++WH1vecZa2bWsYsPhQ+D -+KDzaCo20CYln4IFEPgY0fSE+KTF1icFj/mD+MgxWgsgKoTI120ENPGHqHpKkv0Uv -+OlwTImU4BxxkctZ5273XEv3VPQE8COGnXgqt7NBazU/O7vibFm0iaEsVjHFHYcoo -++sMcm3F2E/gvR9IJGaGPeCk0sMW8qloPzErWIugx/OGqM7fni2cIcZwGdju52O+l -+cLV0tZdgC7eTbVDMLspyuiYME+zvEzRwCQF/GqcCDSn68zxJv/zSNZ9XxOgZaBfs -+Na7e8YGATiujYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud -+DgQWBBSFVrWPZrHzhHUg0MMEAAKwQIfsazAfBgNVHSMEGDAWgBQVwRMha+JVX6dq -+HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAbm49FB+eyeX7OBUC/akhnkFw -+cDXqw7Fl2OibRK+g/08zp4CruwJdb72j5+pTmG+9SF7tGyQBfHFf1+epa3ZiIc+0 -+UzFf2xQBMyHjesL19cTe4i176dHz8pCxx9OEow0GlZVV85+Anev101NskKVNNVA7 -+YnB2xKQWgf8HORh66XVCk54xMcd99ng8xQ8vhZC6KckVbheQgdPp7gUAcDgxH2Yo -+JF8jHQlsWNcCGURDldP6FQ49TGWHj24IGjnjGapWxMUjvCz+kV6sGW/OIYu+MM9w -+FMIOyEdUUtKowWT6eXwrITup3T6pspPTicbK61ZCPuxMvP2JBFGZsqat+F5g+w== - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smdsa2.pem b/test/smime-certs/smdsa2.pem -index 648447fc89a1..7d5b969dc3b3 100644 ---- a/test/smime-certs/smdsa2.pem -+++ b/test/smime-certs/smdsa2.pem -@@ -1,47 +1,47 @@ - -----BEGIN PRIVATE KEY----- --MIICZAIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6 --k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou --zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO --wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK --v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC --0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA --rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM --zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx --DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy --xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9 --ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h --Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ --TQMsxQQiAiAdCUJ5n2Q9hIynN8BMpnRcdfH696BKejGx+2Mr2kfnnA== -+MIICXQIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1 -+i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t -+4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa -+kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg -+c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S -+8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A -+mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw -+V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7 -+ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR -+CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL -+5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL -+QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX -+ygQeAhwmRauZi+nQ3kQ+GSKD7JCwv8XkD9NObMGlW018 - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 --uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS --7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS --wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 --+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 --Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D --AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb --0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu --g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 --0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv --yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf --7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P --aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E --h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt --tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa --LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn --3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0 --KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg --MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k --qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs --MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp --VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb --uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV --6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD --2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96 --GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I -+MIIFmjCCBIKgAwIBAgIUHGKu2FMhT1wCiJTK3uAnklo55uowDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw -+NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 -+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMyMIIDQzCCAjYGByqGSM44 -+BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL -+J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5 -+LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd -+62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt -+MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l -+aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK -+3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b -+bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ -+9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2 -+DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B -+E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV -+hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBAE0+OYS0s8/o -+HwuuiPsBZTlRynqdwF6FHdE0Ei2uVTxnJouPYB2HvaMioG2inbISzPtEcnLF9Pyx -+4hsXz7D49yqyMFjE3G8ObBOs/Vdno6E9ZZshWiRDwPf8JmoYp551UuJDoVaOTnhx -+pEs30nuidtqd54PMdWUQPfp58kTu6bXvcRxdUj5CK/PyjavJCnGfppq/6j8jtrji -+mOjIIeLZIbWp7hTVS/ffmfqZ8Lx/ShOcUzDa0VS3lfO28XqXpeqbyHdojsYlG2oA -+shKJL7/scq3ab8cI5QuHEIGSbxinKfjCX4OEQ04CNsgUwMY9emPSaNdYDZOPqq/K -+3bGk2PLcRsyjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud -+DgQWBBTQAQyUCqYWGo5RuwGCtHNgXgzEQzAfBgNVHSMEGDAWgBQVwRMha+JVX6dq -+HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAc3rayE2FGgG1RhLXAHYAs1Ky -+4fcVcrzaPaz5jjWbpBCStkx+gNcUiBf+aSxNrRvUoPOSwMDLpMhbNBj2cjJqQ0W1 -+oq4RUQth11qH89uPtBqiOqRTdlWAGZJbUTtVfrlc58DsDxFCwdcktSDYZwlO2lGO -+vMCOn9N7oqEEuwRa++xVnYc8ZbY8lGwJD3bGR6iC7NkYk+2LSqPS52m8e0GO8dpf -+RUrndbhmtsYa925dj2LlI218F3XwVcAUPW67dbpeEVw5OG8OCHRHqrwBEJj2PMV3 -+tHeNXDEhjTzI3wiFia4kDBAKIsrC/XQ4tEiFzq0V00BiVY0ykhy+v/qNPskTsg== - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smdsa3.pem b/test/smime-certs/smdsa3.pem -index 77acc5e46ffc..6df4699450f0 100644 ---- a/test/smime-certs/smdsa3.pem -+++ b/test/smime-certs/smdsa3.pem -@@ -1,47 +1,47 @@ - -----BEGIN PRIVATE KEY----- --MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6 --k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou --zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO --wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK --v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC --0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA --rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM --zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx --DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy --xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9 --ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h --Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ --TQMsxQQjAiEArJr6p2zTbhRppQurHGTdmdYHqrDdZH4MCsD9tQCw1xY= -+MIICXgIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1 -+i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t -+4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa -+kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg -+c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S -+8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A -+mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw -+V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7 -+ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR -+CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL -+5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL -+QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX -+ygQfAh0AkfI6533W5nBIVrDPcp2DCXC8u2SIwBob6OoK5A== - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 --uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS --7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS --wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 --+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 --Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D --AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb --0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu --g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 --0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv --yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf --7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P --aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAcXvtfiJfIZ0wgGpN72ZeGrJ9 --msUXOxow7w3fDbP8r8nfVkBNbfha8rx0eY6fURFVZzIOd8EHGKypcH1gS6eZNucf --zgsH1g5r5cRahMZmgGXBEBsWrh2IaDG7VSKt+9ghz27EKgjAQCzyHQL5FCJgR2p7 --cv0V4SRqgiAGYlJ191k2WtLOsVd8kX//jj1l8TUgE7TqpuSEpaSyQ4nzJROpZWZp --N1RwFmCURReykABU/Nzin/+rZnvZrp8WoXSXEqxeB4mShRSaH57xFnJCpRwKJ4qS --2uhATzJaKH7vu63k3DjftbSBVh+32YXwtHc+BGjs8S2aDtCW3FtDA7Z6J8BIxaNg --MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFMJxatDE --FCEFGl4uoiQQ1050Ju9RMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs --MA0GCSqGSIb3DQEBBQUAA4IBAQBGZD1JnMep39KMOhD0iBTmyjhtcnRemckvRask --pS/CqPwo+M+lPNdxpLU2w9b0QhPnj0yAS/BS1yBjsLGY4DP156k4Q3QOhwsrTmrK --YOxg0w7DOpkv5g11YLJpHsjSOwg5uIMoefL8mjQK6XOFOmQXHJrUtGulu+fs6FlM --khGJcW4xYVPK0x/mHvTT8tQaTTkgTdVHObHF5Dyx/F9NMpB3RFguQPk2kT4lJc4i --Up8T9mLzaxz6xc4wwh8h70Zw81lkGYhX+LRk3sfd/REq9x4QXQNP9t9qU1CgrBzv --4orzt9cda4r+rleSg2XjWnXzMydE6DuwPVPZlqnLbSYUy660 -+MIIFmjCCBIKgAwIBAgIUO2QHMd9V/S6KlrFDIPd7asRP4FAwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw -+NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 -+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMzMIIDQzCCAjYGByqGSM44 -+BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL -+J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5 -+LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd -+62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt -+MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l -+aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK -+3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b -+bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ -+9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2 -+DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B -+E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV -+hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBAEj25Os9f57G -+TaxsP8NzdCRBThCLqZWqLADh6S/aFOQQFpRRk3vGkvrOK/5La8KGKIDyzCEQo7Kg -+sPwI1o4N5GKx15Cer2ekDWLtP4hA2CChs4tWJzEa8VxIDTg4EUnASFCbfDUY/Yt0 -+5NM4nxtBhnr6PT7XmRehEFaTAgmsQFJ29jKx4tJkr+Gmj9J4i10CPd9DvIgIEnNt -+rYMAlfbGovaZVCgKp5INVA4IkDfCcbzDeNiOGaACeV+4QuEbgIbUhMq9vbw3Vvqe -+jwozPdrTYjd7oNxx/tY7gqxFRFxdDPXPno230afsAJsHmNF7lpj9Q4vBhy8w/EI1 -+jGzuiXjei9qjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud -+DgQWBBTwbCT+wSR9cvTg70jA2yIWgQSDZjAfBgNVHSMEGDAWgBQVwRMha+JVX6dq -+HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAe5t9oi8K76y+wnV6I21vKgEh -+M6DEe3+XTq10kAgYbcbMm+a6n86beaID7FANGET+3bsShxFeAX9g4Qsdw+Z3PF3P -+wvqiBD8MaXczj28zP6j9TxsjGzpAsV3xo1n7aQ+hHzpopJUxAyx4hLBqSSwdj/xe -+azELeVKoXY/nlokXnONWC5AvtfR7m7mKFPOmUghbeGCJH7+FXnC58eiF7BEpSbQl -+SniAdQFis+Dne6/kwZnQQaSDg55ELfaZOLhaLcRtqqgU+kv24mXGGEBhs9bBKMz5 -+ZNiKLafE3tCGRA5iMRwzdeSgrdnkQDHFiYXh3JHk5oKwGOdxusgt3DTHAFej1A== - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smec1.pem b/test/smime-certs/smec1.pem -index 75a862666b25..a94f65c60042 100644 ---- a/test/smime-certs/smec1.pem -+++ b/test/smime-certs/smec1.pem -@@ -1,22 +1,22 @@ - -----BEGIN PRIVATE KEY----- --MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgXzBRX9Z5Ib4LAVAS --DMlYvkj0SmLmYvWULe2LfyXRmpWhRANCAAS+SIj2FY2DouPRuNDp9WVpsqef58tV --3gIwV0EOV/xyYTzZhufZi/aBcXugWR1x758x4nHus2uEuEFi3Mr3K3+x -+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgdOomk0EB/oWMnTZB -+Qm5XMjlKnZNF4PMpwgov0Tj3u8OhRANCAATbG6XprSqHiD9AxWJiXRFgS+y38DGZ -+7hpSjs4bd95L+Lli+O91/lUy7Tb8aJ6VU2CoyWQjV4sQjbdVqeD+y4Ky - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIICoDCCAYigAwIBAgIJANk5lu6mSyBGMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU --ZXN0IFMvTUlNRSBFRSBFQyAjMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL5I --iPYVjYOi49G40On1ZWmyp5/ny1XeAjBXQQ5X/HJhPNmG59mL9oFxe6BZHXHvnzHi --ce6za4S4QWLcyvcrf7GjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg --MB0GA1UdDgQWBBR/ybxC2DI+Jydhx1FMgPbMTmLzRzAfBgNVHSMEGDAWgBTJkVMK --Y3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEAdk9si83JjtgHHHGy --WcgWDfM0jzlWBsgFNQ9DwAuB7gJd/LG+5Ocajg5XdA5FXAdKkfwI6be3PdcVs3Bt --7f/fdKfBxfr9/SvFHnK7PVAX2x1wwS4HglX1lfoyq1boSvsiJOnAX3jsqXJ9TJiV --FlgRVnhnrw6zz3Xs/9ZDMTENUrqDHPNsDkKEi+9SqIsqDXpMCrGHP4ic+S8Rov1y --S+0XioMxVyXDp6XcL4PQ/NgHbw5/+UcS0me0atZ6pW68C0vi6xeU5vxojyuZxMI1 --DXXwMhOXWaKff7KNhXDUN0g58iWlnyaCz4XQwFsbbFs88TQ1+e/aj3bbwTxUeyN7 --qtcHJA== -+MIICrTCCAZWgAwIBAgIUdLT4B443vbxt0B8Mzy0sR4+6AyowDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw -+NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 -+cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgRUMgIzEwWTATBgcqhkjOPQIBBggq -+hkjOPQMBBwNCAATbG6XprSqHiD9AxWJiXRFgS+y38DGZ7hpSjs4bd95L+Lli+O91 -+/lUy7Tb8aJ6VU2CoyWQjV4sQjbdVqeD+y4Kyo2AwXjAMBgNVHRMBAf8EAjAAMA4G -+A1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUOia9H7l0qw3ftsDgEEeSBrHwQrwwHwYD -+VR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZIhvcNAQELBQADggEB -+AC7h/QkMocYANPqMQAO2okygG+OaE4qpKnlzHPUFMYedJGCvAWrwxu4hWL9T+hZo -+qilM7Fwaxw/P4Zaaa15SOOhXkIdn9Fu2ROmBQtEiklmWGMjiZ6F+9NCZPk0cTAXK -+2WQZOy41YNuvts+20osD4X/8x3fiARlokufj/TVyE73wG8pSSDh4KxWDfKv5Pi1F -+PC5IJh8XVELnFkeY3xjtoux5AYT+1xIQHO4eBua02Y1oPiWG7l/sK3grVlxrupd9 -+pXowwFlezWZP9q12VlWkcqwNb9hF9PkZge9bpiOJipSYgyobtAnms/CRHu3e6izl -+LJRua7p4Wt/8GQENDrVkHqU= - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smec2.pem b/test/smime-certs/smec2.pem -index 457297a760f1..3fe14b3a1193 100644 ---- a/test/smime-certs/smec2.pem -+++ b/test/smime-certs/smec2.pem -@@ -1,23 +1,23 @@ - -----BEGIN PRIVATE KEY----- --MIGPAgEAMBAGByqGSM49AgEGBSuBBAAQBHgwdgIBAQQjhHaq507MOBznelrLG/pl --brnnJi/iEJUUp+Pm3PEiteXqckmhTANKAAQF2zs6vobmoT+M+P2+9LZ7asvFBNi7 --uCzLYF/8j1Scn/spczoC9vNzVhNw+Lg7dnjNL4EDIyYZLl7E0v69luzbvy+q44/8 --6bQ= -+MIGQAgEAMBAGByqGSM49AgEGBSuBBAAQBHkwdwIBAQQkAEkuzLBwx5bIw3Q2PMNQ -+HzaY8yL3QLjzaJ8tCHrI/JTb9Q7VoUwDSgAEAu8b2HvLzKd0qhPtIw65Lh3OgF3X -+IN5874qHwt9zPSvokijSAH3v9tcBJPdRLD3Lweh2ZPn5hMwVwVorHqSgASk5vnjp -+HqER - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIICpTCCAY2gAwIBAgIJANk5lu6mSyBHMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU --ZXN0IFMvTUlNRSBFRSBFQyAjMjBeMBAGByqGSM49AgEGBSuBBAAQA0oABAXbOzq+ --huahP4z4/b70tntqy8UE2Lu4LMtgX/yPVJyf+ylzOgL283NWE3D4uDt2eM0vgQMj --JhkuXsTS/r2W7Nu/L6rjj/zptKNgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E --BAMCBeAwHQYDVR0OBBYEFGf+QSQlkN20PsNN7x+jmQIJBDcXMB8GA1UdIwQYMBaA --FMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBBQUAA4IBAQBaBBryl2Ez --ftBrGENXMKQP3bBEw4n9ely6HvYQi9IC7HyK0ktz7B2FcJ4z96q38JN3cLxV0DhK --xT/72pFmQwZVJngvRaol0k1B+bdmM03llxCw/uNNZejixDjHUI9gEfbigehd7QY0 --uYDu4k4O35/z/XPQ6O5Kzw+J2vdzU8GXlMBbWeZWAmEfLGbk3Ux0ouITnSz0ty5P --rkHTo0uprlFcZAsrsNY5v5iuomYT7ZXAR3sqGZL1zPOKBnyfXeNFUfnKsZW7Fnlq --IlYBQIjqR1HGxxgCSy66f1oplhxSch4PUpk5tqrs6LeOqc2+xROy1T5YrB3yjVs0 --4ZdCllHZkhop -+MIICsjCCAZqgAwIBAgIUFMjrNKt+D8tzvn7jtjZ5HrLcUlswDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw -+NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 -+cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgRUMgIzIwXjAQBgcqhkjOPQIBBgUr -+gQQAEANKAAQC7xvYe8vMp3SqE+0jDrkuHc6AXdcg3nzviofC33M9K+iSKNIAfe/2 -+1wEk91EsPcvB6HZk+fmEzBXBWisepKABKTm+eOkeoRGjYDBeMAwGA1UdEwEB/wQC -+MAAwDgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBSqWRYUy2syIUwfSR31e19LeNXK -+9TAfBgNVHSMEGDAWgBQVwRMha+JVX6dqHVcg1s/zqXNkWTANBgkqhkiG9w0BAQsF -+AAOCAQEASbh+sI03xUMMzPT8bRbWNF5gG3ab8IUzqm05rTa54NCPRSn+ZdMXcCFz -+5fSU0T1dgEjeD+cCRVAZxskTZF7FWmRLc2weJMf7x+nPE5KaWyRAoD7FIKGP2m6m -+IMCVOmiafuzmHASBYOz6RwjgWS0AWES48DJX6o0KpuT4bsknz+H7Xo+4+NYGCRao -+enqIMZmWesGVXJ63pl32jUlXeAg59W6PpV2L9XRWLzDW1t1q2Uji7coCWtNjkojZ -+rv0yRMc1czkT+mAJRAJ8D9MoTnRXm1dH4bOxte4BGUHNQ2P1HeV01vkd1RTL0g0R -+lPyDAlBASvMn7RZ9nX8G3UOOL6gtVA== - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smroot.pem b/test/smime-certs/smroot.pem -index d1a253f40958..9af38d310b4f 100644 ---- a/test/smime-certs/smroot.pem -+++ b/test/smime-certs/smroot.pem -@@ -1,49 +1,49 @@ - -----BEGIN PRIVATE KEY----- --MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyQXED5HyVWwq --nXyzmY317yMUJrIfsKvREG2C691dJNHgNg+oq5sjt/fzkyS84AvdOiicAsao4cYL --DulthaLpbC7msEBhvwAil0FNb5g3ERupe1KuTdUV1UuD/i6S2VoaNXUBBn1rD9Wc --BBc0lnx/4Wt92eQTI6925pt7ZHPQw2Olp7TQDElyi5qPxCem4uT0g3zbZsWqmmsI --MXbu+K3dEprzqA1ucKXbxUmZNkMwVs2XCmlLxrRUj8C3/zENtH17HWCznhR/IVcV --kgIuklkeiDsEhbWvUQumVXR7oPh/CPZAbjGqq5mVueHSHrp7brBVZKHZvoUka28Q --LWitq1W5AgMBAAECggEASkRnOMKfBeOmQy2Yl6K57eeg0sYgSDnDpd0FINWJ5x9c --b58FcjOXBodtYKlHIY6QXx3BsM0WaSEge4d+QBi7S+u8r+eXVwNYswXSArDQsk9R --Bl5MQkvisGciL3pvLmFLpIeASyS/BLJXMbAhU58PqK+jT2wr6idwxBuXivJ3ichu --ISdT1s2aMmnD86ulCD2DruZ4g0mmk5ffV+Cdj+WWkyvEaJW2GRYov2qdaqwSOxV4 --Yve9qStvEIWAf2cISQjbnw2Ww6Z5ebrqlOz9etkmwIly6DTbrIneBnoqJlFFWGlF --ghuzc5RE2w1GbcKSOt0qXH44MTf/j0r86dlu7UIxgQKBgQDq0pEaiZuXHi9OQAOp --PsDEIznCU1bcTDJewANHag5DPEnMKLltTNyLaBRulMypI+CrDbou0nDr29VOzfXx --mNvi/c7RttOBOx7kXKvu0JUFKe2oIWRsg0KsyMX7UFMVaHFgrW+8DhQc7HK7URiw --nitOnA7YwIHRF9BMmcWcLFEYBQKBgQDC6LPbXV8COKO0YCfGXPnE7EZGD/p0Q92Z --8CoSefphEScSdO1IpxFXG7fOZ4x2GQb9q7D3IvaeKAqNjUjkuyxdB30lIWDBwSWw --fFgsa2SZwD5P60G/ar50YJr6LiF333aUMDVmC9swFfZERAEmGUz2NTrPWQdIx/lu --PyDtUR75JQKBgHaoCCJ8vl5SJl1IA5GV4Bo8IoeLTSzsY9d09zMy6BoZcMD1Ix2T --5S2cXhayoegl9PT6bsYSGHVWFCdJ86ktMI826TcXRzDaCvYhzc9THroJQcnfdbtP --aHWezkv7fsAmkoPjn75K7ubeo+r7Q5qbkg6a1PW58N8TRXIvkackzaVxAoGBALAq --qh3U+AHG9dgbrPeyo6KkuCOtX39ks8/mbfCDRZYkbb9V5f5r2tVz3R93IlK/7jyr --yWimtmde46Lrl33922w+T5OW5qBZllo9GWkUrDn3s5qClcuQjJIdmxYTSfbSCJiK --NkmE39lHkG5FVRB9f71tgTlWS6ox7TYDYxx83NTtAoGAUJPAkGt4yGAN4Pdebv53 --bSEpAAULBHntiqDEOu3lVColHuZIucml/gbTpQDruE4ww4wE7dOhY8Q4wEBVYbRI --vHkSiWpJUvZCuKG8Foh5pm9hU0qb+rbQV7NhLJ02qn1AMGO3F/WKrHPPY8/b9YhQ --KfvPCYimQwBjVrEnSntLPR0= -+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDZLSl8LdU54OUA -+T8ctFuKLShJul2IMzaEDkFLoL4agccajgvsRxW+8vbc2Re0y1mVMvfNz7Cg5a7Ke -+iSuFJOrQtvDt+HkU5c706YDmw15mBpDSHapkXr80G/ABFbstWafOfagVW45wv65K -+H4cnpcqwrLhagmC8QG0KfWbf+Z2efOxaGu/dTNA3Cnq/BQGTdlkQ28xbrvd+Ubzg -+cY4Y/hJ7Fw1/IeEhgr/iVJhQIUAklp9B+xqDfWuxIt5mNwWWh/Lfk+UxqE99EhQR -+0YZWyIKfKzbeJLBzDqY2hQzVL6kAvY9cR1WbBItTA0G2F5qZ9B/3EHEFWZMBvobt -++UTEkuBdAgMBAAECggEAF3Eagz7nPyIZVdlGpIVN2r8aEjng6YTglmPjrxBCNdtS -+F6AxvY9UKklIF2Gg4tXlhU0TlDWvedM4Koif2/VKK1Ez3FvvpePQXPs/YKlB7T1U -+MHnnRII9nUBOva88zv5YcJ97nyKM03q9M18H1a29nShnlc1w56EEpBc5HX/yFYMv -+kMYydvB5j0DQkJlkQNFn4yRag0wIIPeyXwwh5l98SMlr40hO10OYTOQPrrgP/ham -+AOZ//DvGo5gF8hGJYoqG4vcYbxRfTqbc2lQ4XRknOT182l9gRum52ahkBY6LKb4r -+IZXPStS6fCAR5S0lcdBb3uN/ap9SUfb9w/Dhj5DZAQKBgQDr06DcsBpoGV2dK9ib -+YL5MxC5JL7G79IBPi3ThRiOSttKXv3oDAFB0AlJvFKwYmVz8SxXqQ2JUA4BfvMGF -+TNrbhukzo0ou5boExnQW/RjLN3fWVq1JM7iLbNU9YYpPCIG5LXrt4ZDOwITeGe8f -+bmZK9zxWxc6BBJtc3mTFS5tm4QKBgQDrwRyEn6oZ9TPbR69fPgWvDqQwKs+6TtYn -+0otMG9UejbSMcyU4sI+bZouoca2CzoNi2qZVIvI9aOygUHQAP7Dyq1KhsvYtzJub -+KEua379WnzBMMjJ56Q/e4aKTq229QvOk+ZEYl6aklZX7xnYetYNZQrp4QzUyOQTG -+gfxgxKi0/QKBgQCy1esAUJ/F366JOS3rLqNBjehX4c5T7ae8KtJ433qskO4E29TI -+H93jC7u9txyHDw5f2QUGgRE5Cuq4L2lGEDFMFvQUD7l69QVrB6ATqt25hhffuB1z -+DMDfIqpXAPgk1Rui9SVq7gqlb4OS9nHLESqLoQ/l8d2XI4o6FACxSZPQoQKBgQCR -+8AvwSUoqIXDFaB22jpVEJYMb0hSfFxhYtGvIZF5MOJowa0L6UcnD//mp/xzSoXYR -+pppaj3R28VGxd7wnP0YRIl7XfAoKleMpbAtJRwKR458pO9WlQ9GwPeq/ENqw0xYx -+5M+d8pqUvYiHv/X00pYJllYKBkiS21sKawLJAFQTHQKBgQCJCwVHxvxkdQ8G0sU2 -+Vtv2W38hWOSg5+cxa+g1W6My2LhX34RkgKzuaUpYMlWGHzILpxIxhPrVLk1ZIjil -+GIP969XJ1BjB/kFtLWdxXG8tH1If3JgzfSHUofPHF3CENoJYEZ1ugEfIPzWPZJDI -+DL5zP8gmBL9ZAOO/J9YacxWYMQ== - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIDbjCCAlagAwIBAgIJAMc+8VKBJ/S9MA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MjlaFw0yMzA3MTUxNzI4MjlaMEQx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU --ZXN0IFMvTUlNRSBSU0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC --ggEBALLJBcQPkfJVbCqdfLOZjfXvIxQmsh+wq9EQbYLr3V0k0eA2D6irmyO39/OT --JLzgC906KJwCxqjhxgsO6W2FoulsLuawQGG/ACKXQU1vmDcRG6l7Uq5N1RXVS4P+ --LpLZWho1dQEGfWsP1ZwEFzSWfH/ha33Z5BMjr3bmm3tkc9DDY6WntNAMSXKLmo/E --J6bi5PSDfNtmxaqaawgxdu74rd0SmvOoDW5wpdvFSZk2QzBWzZcKaUvGtFSPwLf/ --MQ20fXsdYLOeFH8hVxWSAi6SWR6IOwSFta9RC6ZVdHug+H8I9kBuMaqrmZW54dIe --untusFVkodm+hSRrbxAtaK2rVbkCAwEAAaNjMGEwHQYDVR0OBBYEFMmRUwpjexZb --i71E8HaIqSTm5bZsMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA8G --A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IB --AQAwpIVWQey2u/XoQSMSu0jd0EZvU+lhLaFrDy/AHQeG3yX1+SAOM6f6w+efPvyb --Op1NPI9UkMPb4PCg9YC7jgYokBkvAcI7J4FcuDKMVhyCD3cljp0ouuKruvEf4FBl --zyQ9pLqA97TuG8g1hLTl8G90NzTRcmKpmhs18BmCxiqHcTfoIpb3QvPkDX8R7LVt --9BUGgPY+8ELCgw868TuHh/Cnc67gBtRjBp0sCYVzGZmKsO5f1XdHrAZKYN5mEp0C --7/OqcDoFqORTquLeycg1At/9GqhDEgxNrqA+YEsPbLGAfsNuXUsXs2ubpGsOZxKt --Emsny2ah6fU2z7PztrUy/A80 -+MIIDezCCAmOgAwIBAgIUBxh2L3ItsVPuBogDI0WfUX1lFnMwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw -+NTEwMTUzMzEzWjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 -+cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgUlNBIFJvb3QwggEiMA0GCSqGSIb3DQEB -+AQUAA4IBDwAwggEKAoIBAQDZLSl8LdU54OUAT8ctFuKLShJul2IMzaEDkFLoL4ag -+ccajgvsRxW+8vbc2Re0y1mVMvfNz7Cg5a7KeiSuFJOrQtvDt+HkU5c706YDmw15m -+BpDSHapkXr80G/ABFbstWafOfagVW45wv65KH4cnpcqwrLhagmC8QG0KfWbf+Z2e -+fOxaGu/dTNA3Cnq/BQGTdlkQ28xbrvd+UbzgcY4Y/hJ7Fw1/IeEhgr/iVJhQIUAk -+lp9B+xqDfWuxIt5mNwWWh/Lfk+UxqE99EhQR0YZWyIKfKzbeJLBzDqY2hQzVL6kA -+vY9cR1WbBItTA0G2F5qZ9B/3EHEFWZMBvobt+UTEkuBdAgMBAAGjYzBhMB0GA1Ud -+DgQWBBQVwRMha+JVX6dqHVcg1s/zqXNkWTAfBgNVHSMEGDAWgBQVwRMha+JVX6dq -+HVcg1s/zqXNkWTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq -+hkiG9w0BAQsFAAOCAQEAvdAmpDPi1Wt7Hk30dXKF7Ug6MUKETi+uoO1Suo9JhNko -+/cpvoi8fbo/dnWVDfHVoItEn644Svver5UJdKJY62DvhilpCtAywYfCpgxkpKoKE -+dnpjnRBSMcbVDImsqvf1YjzFKiOiD7kcVvz4V0NZY91ZWwu3vgaSvcTJQkpWN0a+ -+LWanpVKqigl8nskttnBeiHDHGebxj3hawlIdtVlkbQwLLwlVkX99x1F73uS33IzB -+Y6+ZJ2is7mD839B8fOVd9pvPvBBgahIrw5tzJ/Q+gITuVQd9E6RVXh10/Aw+i/8S -+7tHpEUgP3hBk1P+wRQBWDxbHB28lE+41jvh3JObQWQ== - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smrsa1.pem b/test/smime-certs/smrsa1.pem -index d0d0b9e66b01..d32d88904788 100644 ---- a/test/smime-certs/smrsa1.pem -+++ b/test/smime-certs/smrsa1.pem -@@ -1,49 +1,49 @@ - -----BEGIN PRIVATE KEY----- --MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXr9uzB/20QXKC --xhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK2bcj54XB26i1kXuOrxID --3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt+W6lSd6Hmfrk4GmE9LTU --/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JFYg4c7qt5RCk/w8kwrQ0D --orQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSebvt0APeqgRxSpCxqYnHs --CoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxMkjpJSv3/ekDG2CHYxXSH --XxpJstxZAgMBAAECggEASY4xsJaTEPwY3zxLqPdag2/yibBBW7ivz/9p80HQTlXp --KnbxXj8nNXLjCytAZ8A3P2t316PrrTdLP4ML5lGwkM4MNPhek00GY79syhozTa0i --cPHVJt+5Kwee/aVI9JmCiGAczh0yHyOM3+6ttIZvvXMVaSl4BUHvJ0ikQBc5YdzL --s6VM2gCOR6K6n+39QHDI/T7WwO9FFSNnpWFOCHwAWtyBMlleVj+xeZX8OZ/aT+35 --27yjsGNBftWKku29VDineiQC+o+fZGJs6w4JZHoBSP8TfxP8fRCFVNA281G78Xak --cEnKXwZ54bpoSa3ThKl+56J6NHkkfRGb8Rgt/ipJYQKBgQD5DKb82mLw85iReqsT --8bkp408nPOBGz7KYnQsZqAVNGfehM02+dcN5z+w0jOj6GMPLPg5whlEo/O+rt9ze --j6c2+8/+B4Bt5oqCKoOCIndH68jl65+oUxFkcHYxa3zYKGC9Uvb+x2BtBmYgvDRG --ew6I2Q3Zyd2ThZhJygUZpsjsbQKBgQDdtNiGTkgWOm+WuqBI1LT5cQfoPfgI7/da --ZA+37NBUQRe0cM7ddEcNqx7E3uUa1JJOoOYv65VyGI33Ul+evI8h5WE5bupcCEFk --LolzbMc4YQUlsySY9eUXM8jQtfVtaWhuQaABt97l+9oADkrhA+YNdEu2yiz3T6W+ --msI5AnvkHQKBgDEjuPMdF/aY6dqSjJzjzfgg3KZOUaZHJuML4XvPdjRPUlfhKo7Q --55/qUZ3Qy8tFBaTderXjGrJurc+A+LiFOaYUq2ZhDosguOWUA9yydjyfnkUXZ6or --sbvSoM+BeOGhnezdKNT+e90nLRF6cQoTD7war6vwM6L+8hxlGvqDuRNFAoGAD4K8 --d0D4yB1Uez4ZQp8m/iCLRhM3zCBFtNw1QU/fD1Xye5w8zL96zRkAsRNLAgKHLdsR --355iuTXAkOIBcJCOjveGQsdgvAmT0Zdz5FBi663V91o+IDlryqDD1t40CnCKbtRG --hng/ruVczg4x7OYh7SUKuwIP/UlkNh6LogNreX0CgYBQF9troLex6X94VTi1V5hu --iCwzDT6AJj63cS3VRO2ait3ZiLdpKdSNNW2WrlZs8FZr/mVutGEcWho8BugGMWST --1iZkYwly9Xfjnpd0I00ZIlr2/B3+ZsK8w5cOW5Lpb7frol6+BkDnBjbNZI5kQndn --zQpuMJliRlrq/5JkIbH6SA== -+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDax3T7alefZcbm -+CcdN0kEoBLwV8H25vre43RYjuPo64TBjeKUy27ayC1TXydF1eYm3HPrFYfkS0fZ6 -+YK0xvwyxiQnesvcfnVe2fpXFPsl5RQvu1JKM7rJAuLC+YTRLez07IHhQnHQ25ZkR -++B4SL5mIhuOSJ9yyFJYJQ3Kdw/aX/jtnWVR8p3FyghJptWIm90ufW4xWFY0yNSW1 -+KmkZuOWF7VPh5RC1C7woB/RHhyD2gOP7tF+eDJ/QbX4iki4gPRFHuNrSV8ZpvDkI -+qqyF5BW8tyJneDkoWW8IuEpmNIzfbOCHvI6y7roeAmRrwH4/o5WxaEIsnQ/3pNvj -+n6+vA+nfAgMBAAECggEAFR5MHQQYCYjDXoDoI7YdgwA+AFIoGLjKYZu5yjX4tZv3 -+gJ/si7sTaMlY5cGTU1HUPirxIVeCjv4Eha31BJ3KsGJ9jj6Gm0nOuzd/O+ctKeRv -+2/HaDvpFlk4dsCrlkjmxteuS9u5l9hygniWYutcBwjY0cRnMScZcm0VO+DVVMDj0 -+9yNrFzhlmqV+ckawjK/J91r0uvnCVIsGA6akhlc5K0gwvFb/CC1WuceEeGx/38k3 -+4OuiHtLyJfIlgyGD8C3QfJlMOBHeQ/DCo6GMqrOAad/chtcO7JklcJ+k2qylP2gu -+e25NJCQVh+L32b9WrH3quH6fbLIg8a8MmUWl6te3FQKBgQDddu0Dp8R8fe2WnAE5 -+oXdASAf2BpthRNqUdYpkkO7gOV0MXCKIEiGZ+WuWEYmNlsXZCJRABprqLw9O/5Td -+2q+rCbdG9mSW2x82t/Ia4zd3r0RSHZyKbtOLtgmWfQkwVHy+rED8Juie5bNzHbjS -+1mYtFP2KDQ5yZA95yFg8ZtXOawKBgQD85VOPnfXGOJ783JHepAn4J2x1Edi+ZDQ+ -+Ml9g2LwetI46dQ0bF6V8RtcyWp0+6+ydX5U4JKhERFDivolD7Z1KFmlNLPs0cqSX -+5g5kzTD+R+zpr9FRragYKyLdHsLP0ur75Rh5FQkUl2DmeKCMvMKAkio0cduVpVXT -+SvWUBtkHXQKBgBy4VoZZ1GZcolocwx/pK6DfdoDWXIIhvsLv91GRZhkX91QqAqRo -+zYi9StF8Vr1Q5zl9HlSrRp3GGpMhG/olaRCiQu1l+KeDpSmgczo/aysPRKntgyaE -+ttRweA/XCUEGQ+MqTYcluJcarMnp+dUFztxb04F6rfvxs/wUGjVDFMkfAoGBAK+F -+wx9UtPZk6gP6Wsu58qlnQ2Flh5dtGM1qTMR86OQu0OBFyVjaaqL8z/NE7Qp02H7J -+jlmvJ5JqD/Gv6Llau+Zl86P66kcWoqJCrA7OU4jJBueSfadA7gAIQGRUK0Xuz+UQ -+tpGjRfAiuMB9TIEhqaVuzRglRhBw9kZ2KkgZEJyJAoGBANrEpEwOhCv8Vt1Yiw6o -+co96wYj+0LARJXw6rIfEuLkthBRRoHqQMKqwIGMrwjHlHXPnQmajONzIJd+u+OS4 -+psCGetAIGegd3xNVpK2uZv9QBWBpQbuofOh/c2Ctmm2phL2sVwCZ0qwIeXuBwJEc -+NOlOojKDO+dELErpShJgFIaU - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBSU0EgIzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK --AoIBAQDXr9uzB/20QXKCxhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK --2bcj54XB26i1kXuOrxID3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt --+W6lSd6Hmfrk4GmE9LTU/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JF --Yg4c7qt5RCk/w8kwrQ0DorQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSe --bvt0APeqgRxSpCxqYnHsCoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxM --kjpJSv3/ekDG2CHYxXSHXxpJstxZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD --VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBTmjc+lrTQuYx/VBOBGjMvufajvhDAfBgNV --HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA --dr2IRXcFtlF16kKWs1VTaFIHHNQrfSVHBkhKblPX3f/0s/i3eXgwKUu7Hnb6T3/o --E8L+e4ioQNhahTLt9ruJNHWA/QDwOfkqM3tshCs2xOD1Cpy7Bd3Dn0YBrHKyNXRK --WelGp+HetSXJGW4IZJP7iES7Um0DGktLabhZbe25EnthRDBjNnaAmcofHECWESZp --lEHczGZfS9tRbzOCofxvgLbF64H7wYSyjAe6R8aain0VRbIusiD4tCHX/lOMh9xT --GNBW8zTL+tV9H1unjPMORLnT0YQ3oAyEND0jCu0ACA1qGl+rzxhF6bQcTUNEbRMu --9Hjq6s316fk4Ne0EUF3PbA== -+MIIDeTCCAmGgAwIBAgIUM6U1Peo3wzfAJIrzINejJJfmRzkwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw -+NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 -+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMxMIIBIjANBgkqhkiG9w0B -+AQEFAAOCAQ8AMIIBCgKCAQEA2sd0+2pXn2XG5gnHTdJBKAS8FfB9ub63uN0WI7j6 -+OuEwY3ilMtu2sgtU18nRdXmJtxz6xWH5EtH2emCtMb8MsYkJ3rL3H51Xtn6VxT7J -+eUUL7tSSjO6yQLiwvmE0S3s9OyB4UJx0NuWZEfgeEi+ZiIbjkifcshSWCUNyncP2 -+l/47Z1lUfKdxcoISabViJvdLn1uMVhWNMjUltSppGbjlhe1T4eUQtQu8KAf0R4cg -+9oDj+7Rfngyf0G1+IpIuID0RR7ja0lfGabw5CKqsheQVvLciZ3g5KFlvCLhKZjSM -+32zgh7yOsu66HgJka8B+P6OVsWhCLJ0P96Tb45+vrwPp3wIDAQABo2AwXjAMBgNV -+HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUHw4Us7FXwgLtZ1JB -+MOAHSkNYfEkwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI -+hvcNAQELBQADggEBAAMAXEjTNo7evn6BvfEaG2q21q9xfFear/M0zxc5xcTj+WP+ -+BKrlxXg5RlVFyvmzGhwZBERsDMJYa54aw8scDJsy/0zPdWST39dNev7xH13pP8nF -+QF4MGPKIqBzX8iDCqhz70p1w2ndLjz1dvsAqn6z9/Sh3T2kj6DfZY3jA49pMEim1 -+vYd4lWa5AezU3+cLtBbo2c2iyG2W7SFpnNTjLX823f9rbVPnUb93ZI/tDXDIf5hL -+0hocZs+MWdC7Ly1Ru4PXa6+DeOM0z673me/Q27e24OBbG2eq5g7eW5euxJinGkpI -+XGGKTKrBCPxSdTtwSNHU9HsggT8a0wXL2QocZ3w= - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smrsa2.pem b/test/smime-certs/smrsa2.pem -index 2f17cb2978f4..a7a21fc80fac 100644 ---- a/test/smime-certs/smrsa2.pem -+++ b/test/smime-certs/smrsa2.pem -@@ -1,49 +1,49 @@ - -----BEGIN PRIVATE KEY----- --MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcYC4tS2Uvn1Z2 --iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iFAzAnwqR/UB1R67ETrsWq --V8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFpcXepPWQacpuBq2VvcKRD --lDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS0PZ9EZB63T1gmwaK1Rd5 --U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1NcojhptIWyI0r7dgn5J3 --NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0EFWyQf7iDxGaA93Y9ePB --Jv5iFZVZAgMBAAECggEBAILIPX856EHb0KclbhlpfY4grFcdg9LS04grrcTISQW1 --J3p9nBpZ+snKe6I8Yx6lf5PiipPsSLlCliHiWpIzJZVQCkAQiSPiHttpEYgP2IYI --dH8dtznkdVbLRthZs0bnnPmpHCpW+iqpcYJ9eqkz0cvUNUGOjjWmwWmoRqwp/8CW --3S1qbkQiCh0Mk2fQeGar76R06kXQ9MKDEj14zyS3rJX+cokjEoMSlH8Sbmdh2mJz --XlNZcvqmeGJZwQWgbVVHOMUuZaKJiFa+lqvOdppbqSx0AsCRq6vjmjEYQEoOefYK --3IJM9IvqW5UNx0Cy4kQdjhZFFwMO/ALD3QyF21iP4gECgYEA+isQiaWdaY4UYxwK --Dg+pnSCKD7UGZUaCUIv9ds3CbntMOONFe0FxPsgcc4jRYQYj1rpQiFB8F11+qXGa --P/IHcnjr2+mTrNY4I9Bt1Lg+pHSS8QCgzeueFybYMLaSsXUo7tGwpvw6UUb6/YWI --LNCzZbrCLg1KZjGODhhxtvN45ZkCgYEA4YNSe+GMZlxgsvxbLs86WOm6DzJUPvxN --bWmni0+Oe0cbevgGEUjDVc895uMFnpvlgO49/C0AYJ+VVbStjIMgAeMnWj6OZoSX --q49rI8KmKUxKgORZiiaMqGWQ7Rxv68+4S8WANsjFxoUrE6dNV3uYDIUsiSLbZeI8 --38KVTcLohcECgYEAiOdyWHGq0G4xl/9rPUCzCMsa4velNV09yYiiwBZgVgfhsawm --hQpOSBZJA60XMGqkyEkT81VgY4UF4QLLcD0qeCnWoXWVHFvrQyY4RNZDacpl87/t --QGO2E2NtolL3umesa+2TJ/8Whw46Iu2llSjtVDm9NGiPk5eA7xPPf1iEi9kCgYAb --0EmVE91wJoaarLtGS7LDkpgrFacEWbPnAbfzW62UENIX2Y1OBm5pH/Vfi7J+vHWS --8E9e0eIRCL2vY2hgQy/oa67H151SkZnvQ/IP6Ar8Xvd1bDSK8HQ6tMQqKm63Y9g0 --KDjHCP4znOsSMnk8h/bZ3HcAtvbeWwftBR/LBnYNQQKBgA1leIXLLHRoX0VtS/7e --y7Xmn7gepj+gDbSuCs5wGtgw0RB/1z/S3QoS2TCbZzKPBo20+ivoRP7gcuFhduFR --hT8V87esr/QzLVpjLedQDW8Xb7GiO3BsU/gVC9VcngenbL7JObl3NgvdreIYo6+n --yrLyf+8hjm6H6zkjqiOkHAl+ -+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkoMi4sqj2mN8j -+SaFAibXEfeYYrzBHIdCm/uaXWit81fXOSFVw1rbeAppxz7bOcSEN50lpdP2UX3/b -+FYFD3exHXjvch9NPNgQaNkCqTNTuYa2L9wrpltXnon7tH3W/zZfF+/qpUSu1f6rk -+GyxjVXxLwjIawCX0rbLcdFCVVy+EyvQkvSxXjafrDMzshWzPDbtjUv3SH6avqrPn -+4NX0fv3BdBwTfDLAw/m8nN+9B9Mg0V7UNM1IJY/Vo5pLhv+MrEf8SnAS+1Wt43rT -+3PY9iMZMMWUswdgmPY0yCN95ggwNrSMGV60yvEDxINWuJoR8s0lybDdFa+AB5v4T -+hqKpspFNAgMBAAECggEAZmWu0K5QJ7Y7Rlo9ayLicsFyk36vUESQZ6MF0ybzEEPi -+BkR2ZAX+vDuNQckm1pprlAcRZbactl35bT3Z+fQE1cgaZoC8/x6xwq2m0796pNPB -+v0zjqdBBOLAaSgjLm56wyd88GqZ8vZsTBnw3KrxIYcP13e5OcaJ0V/GOf/yfD0lg -+Tq9i7V5Iq++Fpo2KvJA8FMgqcfhvhdo40rRykoBfzEZpBk4Ia/Yijsbx5sE15pFZ -+DfmsMbD+vViuM8IavHo61mBNyYeydwlgIMqUgP/6xbYUov/XSUojrLG+IQuvDx9D -+xzTHGM+IBJxQZMza/mDVcjUAcDEjWt/Mve8ibTQCbwKBgQDyaiGsURtlf/8xmmvT -+RQQFFFsJ8SXHNYmnceNULIjfDxpLk1yC4kBNUD+liAJscoVlOcByHmXQRtnY1PHq -+AwyrwplGd82773mtriDVFSjhD+GB7I0Hv2j+uiFZury0jR/6/AsWKCtTqd0opyuB -+8rGZjguiwZIjeyxd8mL1dncUHwKBgQDxcNxHUvIeDBvAmtK65xWUuLcqtK9BblBH -+YVA7p93RqX4E+w3J0OCvQRQ3r1GCMMzFEO0oOvNfMucU4rbQmx1pbzF8aQU+8iEW -+kYpaWUbPUQ2hmBblhjGYHsigt/BrzaW0QveVIWcGiyVVX9wiCzJH5moJlCRK2oHR -+B36hdlmNEwKBgQCSlWSpOx4y4RQiHXtn9Eq6+5UVTPGIJTKIwxAwnQFiyFIhMwl0 -+x3UUixsBcF3uz80j6akaGJF+QOmH+TQTSibGUdS3TMhmBSfxwuJtlu7yMNUu6Chb -+b/4AUfLKvGVRVCjrbq8Rhda1L3jhFTz0xhlofgFBOIWy2M96O5BlV24oBwKBgQDs -+cf93ZfawkGEZVUXsPeQ3mlHe48YCCPtbfCSr13B3JErCq+5L52AyoUQgaHQlUI8o -+qrPmQx0V7O662G/6iP3bxEYtNVgq1cqrpGpeorGi1BjKWPyLWMj21abbJmev21xc -+1XxLMsQHd3tfSZp2SIq8OR09NjP4jla1k2Ziz1lRuwKBgQCUJXjhW4dPoOzC7DJK -+u4PsxcKkJDwwtfNudVDaHcbvvaHELTAkE2639vawH0TRwP6TDwmlbTQJP4EW+/0q -+13VcNXVAZSruA9dvxlh4vNUH3PzTDdFIJzGVbYbV9p5t++EQ7gRLuLZqs99BOzM9 -+k6W9F60mEFz1Owh+lQv7WfSIVA== - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBSU0EgIzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK --AoIBAQDcYC4tS2Uvn1Z2iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iF --AzAnwqR/UB1R67ETrsWqV8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFp --cXepPWQacpuBq2VvcKRDlDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS --0PZ9EZB63T1gmwaK1Rd5U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1 --NcojhptIWyI0r7dgn5J3NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0 --EFWyQf7iDxGaA93Y9ePBJv5iFZVZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD --VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBT0arpyYMHXDPVL7MvzE+lx71L7sjAfBgNV --HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA --I8nM42am3aImkZyrw8iGkaGhKyi/dfajSWx6B9izBUh+3FleBnUxxOA+mn7M8C47 --Ne18iaaWK8vEux9KYTIY8BzXQZL1AuZ896cXEc6bGKsME37JSsocfuB5BIGWlYLv --/ON5/SJ0iVFj4fAp8z7Vn5qxRJj9BhZDxaO1Raa6cz6pm0imJy9v8y01TI6HsK8c --XJQLs7/U4Qb91K+IDNX/lgW3hzWjifNpIpT5JyY3DUgbkD595LFV5DDMZd0UOqcv --6cyN42zkX8a0TWr3i5wu7pw4k1oD19RbUyljyleEp0DBauIct4GARdBGgi5y1H2i --NzYzLAPBkHCMY0Is3KKIBw== -+MIIDeTCCAmGgAwIBAgIUTMQXiTcI/rpzqO91NyFWpjLE3KkwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw -+NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 -+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMyMIIBIjANBgkqhkiG9w0B -+AQEFAAOCAQ8AMIIBCgKCAQEA5KDIuLKo9pjfI0mhQIm1xH3mGK8wRyHQpv7ml1or -+fNX1zkhVcNa23gKacc+2znEhDedJaXT9lF9/2xWBQ93sR1473IfTTzYEGjZAqkzU -+7mGti/cK6ZbV56J+7R91v82Xxfv6qVErtX+q5BssY1V8S8IyGsAl9K2y3HRQlVcv -+hMr0JL0sV42n6wzM7IVszw27Y1L90h+mr6qz5+DV9H79wXQcE3wywMP5vJzfvQfT -+INFe1DTNSCWP1aOaS4b/jKxH/EpwEvtVreN609z2PYjGTDFlLMHYJj2NMgjfeYIM -+Da0jBletMrxA8SDVriaEfLNJcmw3RWvgAeb+E4aiqbKRTQIDAQABo2AwXjAMBgNV -+HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUSJ0v3SKahe6eKssR -+rBvYLBprFTgwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI -+hvcNAQELBQADggEBAKoyszyZ3DfCOIVzeJrnScXuMvRkVqO5aGmgZxtY9r6gPk8v -+gXaEFXDKqRbGqEnuwEjpew+SVZO8nrVpdIP7fydpufy7Cu91Ev4YL1ui5Vc66+IK -+7dXV7eZYcH/dDJBPZddHx9vGhcr0w8B1W9nldM3aQE/RQjOmMRDc7/Hnk0f0RzJp -+LA0adW3ry27z2s4qeCwkV9DNSh1KoGfcLwydBiXmJ1XINMFH/scD4pk9UeJpUL+5 -+zvTaDzUmzLsI1gH3j/rlzJuNJ7EMfggKlfQdit9Qn6+6Gjk6T5jkZfzcq3LszuEA -+EFtkxWyBmmEgh4EmvZGAyrUvne1hIIksKe3iJ+E= - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smrsa3.pem b/test/smime-certs/smrsa3.pem -index 14c27f64aa90..980d3af3b4c9 100644 ---- a/test/smime-certs/smrsa3.pem -+++ b/test/smime-certs/smrsa3.pem -@@ -1,49 +1,49 @@ - -----BEGIN PRIVATE KEY----- --MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyK+BTAOJKJjji --OhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVCFoVBz5doMf3M6QIS2jL3 --Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsFSTxytUVpfcByrubWiLKX --63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuWm/gavozkK103gQ+dUq4H --XamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enhav2sXDfOmZp/DYf9IqS7l --vFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p1diWRpaSn62bbkRN49j6 --L2dVb+DfAgMBAAECggEAciwDl6zdVT6g/PbT/+SMA+7qgYHSN+1koEQaJpgjzGEP --lUUfj8TewCtzXaIoyj9IepBuXryBg6snNXpT/w3bqgYon/7zFBvxkUpDj4A5tvKf --BuY2fZFlpBvUu1Ju1eKrFCptBBBoA9mc+BUB/ze4ktrAdJFcxZoMlVScjqGB3GdR --OHw2x9BdWGCJBhiu9VHhAAb/LVWi6xgDumYSWZwN2yovg+7J91t5bsENeBRHycK+ --i5dNFh1umIK9N0SH6bpHPnLHrCRchrQ6ZRRxL4ZBKA9jFRDeI7OOsJuCvhGyJ1se --snsLjr/Ahg00aiHCcC1SPQ6pmXAVBCG7hf4AX82V4QKBgQDaFDE+Fcpv84mFo4s9 --wn4CZ8ymoNIaf5zPl/gpH7MGots4NT5+Ns+6zzJQ6TEpDjTPx+vDaabP7QGXwVZn --8NAHYvCQK37b+u9HrOt256YYRDOmnJFSbsJdmqzMEzpTNmQ8GuI37cZCS9CmSMv+ --ab/plcwuv0cJRSC83NN2AFyu1QKBgQDRJzKIBQlpprF9rA0D5ZjLVW4OH18A0Mmm --oanw7qVutBaM4taFN4M851WnNIROyYIlkk2fNgW57Y4M8LER4zLrjU5HY4lB0BMX --LQWDbyz4Y7L4lVnnEKfQxWFt9avNZwiCxCxEKy/n/icmVCzc91j9uwKcupdzrN6E --yzPd1s5y4wKBgQCkJvzmAdsOp9/Fg1RFWcgmIWHvrzBXl+U+ceLveZf1j9K5nYJ7 --2OBGer4iH1XM1I+2M4No5XcWHg3L4FEdDixY0wXHT6Y/CcThS+015Kqmq3fBmyrc --RNjzQoF9X5/QkSmkAIx1kvpgXtcgw70htRIrToGSUpKzDKDW6NYXhbA+PQKBgDJK --KH5IJ8E9kYPUMLT1Kc4KVpISvPcnPLVSPdhuqVx69MkfadFSTb4BKbkwiXegQCjk --isFzbeEM25EE9q6EYKP+sAm+RyyJ6W0zKBY4TynSXyAiWSGUAaXTL+AOqCaVVZiL --rtEdSUGQ/LzclIT0/HLV2oTw4KWxtTdc3LXEhpNdAoGBAM3LckiHENqtoeK2gVNw --IPeEuruEqoN4n+XltbEEv6Ymhxrs6T6HSKsEsLhqsUiIvIzH43KMm45SNYTn5eZh --yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF --RvOAi5wVkYylDxV4238MAZIq -+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD5A/t3norj/167 -+toKG1Ygtg3G+pZ4Nwl5a9flnm8JdSMW5TEEP1TSvDVIEuAVi7xqoAn6heypoaMkB -+GJ+AoSo9R7umdhhq2vnmWFNsdH6oDzynVXixyURo81YrN3sn9Xd55ivTiSpZXldi -+ECr2T0BYvOw0h497bPs6gY9LqgrBHNYVF3lFhdOmYWv+2qSdti+1gV3t24pv1CrK -+2AdX5Epdd5jR+eNnt+suZqoPC0hTcNjszJLcfDYFXHva9BcE0DfrgcYSmoSBU53M -+jt63TClK6ZoVcPJ7vXjFRHncvs1/d+nc9BdL9FsGI1ezspSwcJHqex2wgo76yDrq -+DE4s23rPAgMBAAECggEAEDi+VWD5VUpjD5zWOoPQiRDGBJBhtMAKkl6okxEmXvWb -+Xz3STFnjHgA1JFHW3bRU9BHI9k8vSHmnlnkfKb3V/ZX5IHNcKCHb/x9NBak+QLVQ -+0zLtfE9vxiTC0B/oac+MPaiD4hYFQ81pFwK6VS0Poi8ZCBJtOkRqfUvsyV8zZrgh -+/6cs4mwOVyZPFRgF9eWXYv7PJz8pNRizhII0iv9H/r2I3DzsZLPCg7c29mP+I/SG -+A7Pl82UXjtOc0KurGY2M5VheZjxJT/k/FLMkWY2GS5n6dfcyzsVSKb25HoeuvQsI -+vs1mKs+Onbobdc17hCcKVJzbi3DwXs5XDhrEzfHccQKBgQD88uBxVCRV31PsCN6I -+pKxQDGgz+1BqPqe7KMRiZI7HgDUK0eCM3/oG089/jsBtJcSxnScLSVNBjQ+xGiFi -+YCD4icQoJSzpqJyR6gDq5lTHASAe+9LWRW771MrtyACQWNXowYEyu8AjekrZkCUS -+wIKVpw57oWykzIoS7ixZsJ8gxwKBgQD8BPWqJEsLiQvOlS5E/g88eV1KTpxm9Xs+ -+BbwsDXZ7m4Iw5lYaUu5CwBB/2jkGGRl8Q/EfAdUT7gXv3t6x5b1qMXaIczmRGYto -+NuI3AH2MPxAa7lg5TgBgie1r7PKwyPMfG3CtDx6n8W5sexgJpbIy5u7E+U6d8s1o -+c7EcsefduQKBgCkHJAx9v18GWFBip+W2ABUDzisQSlzRSNd8p03mTZpiWzgkDq4K -+7j0JQhDIkMGjbKH6gYi9Hfn17WOmf1+7g92MSvrP/NbxeGPadsejEIEu14zu/6Wt -+oXDLdRbYZ+8B2cBlEpWuCl42yck8Lic6fnPTou++oSah3otvglYR5d2lAoGACd8L -+3FE1m0sP6lSPjmZBJIZAcDOqDqJY5HIHD9arKGZL8CxlfPx4lqa9PrTGfQWoqORk -+YmmI9hHhq6aYJHGyPKGZWfjhbVyJyFg1/h+Hy2GA+P0S+ZOjkiR050BNtTz5wOMr -+Q6wO8FcVkywzIdWaqEHBYne9a5RiFVBKxKv3QAkCgYBxmCBKajFkMVb4Uc55WqJs -+Add0mctGgmZ1l5vq81eWe3wjM8wgfJgaD3Q3gwx2ABUX/R+OsVWSh4o5ZR86sYoz -+TviknBHF8GeDLjpT49+04fEaz336J2JOptF9zIpz7ZK1nrOEjzaZGtumReVjUP7X -+fNcb5iDYqZRzD8ixBbLxUw== - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBSU0EgIzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK --AoIBAQCyK+BTAOJKJjjiOhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVC --FoVBz5doMf3M6QIS2jL3Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsF --STxytUVpfcByrubWiLKX63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuW --m/gavozkK103gQ+dUq4HXamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enha --v2sXDfOmZp/DYf9IqS7lvFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p --1diWRpaSn62bbkRN49j6L2dVb+DfAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD --VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQ6CkW5sa6HrBsWvuPOvMjyL5AnsDAfBgNV --HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA --JhcrD7AKafVzlncA3cZ6epAruj1xwcfiE+EbuAaeWEGjoSltmevcjgoIxvijRVcp --sCbNmHJZ/siQlqzWjjf3yoERvLDqngJZZpQeocMIbLRQf4wgLAuiBcvT52wTE+sa --VexeETDy5J1OW3wE4A3rkdBp6hLaymlijFNnd5z/bP6w3AcIMWm45yPm0skM8RVr --O3UstEFYD/iy+p+Y/YZDoxYQSW5Vl+NkpGmc5bzet8gQz4JeXtH3z5zUGoDM4XK7 --tXP3yUi2eecCbyjh/wgaQiVdylr1Kv3mxXcTl+cFO22asDkh0R/y72nTCu5fSILY --CscFo2Z2pYROGtZDmYqhRw== -+MIIDeTCCAmGgAwIBAgIUIDyc//j/LoNDesZTGbPBoVarv4EwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw -+NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 -+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMzMIIBIjANBgkqhkiG9w0B -+AQEFAAOCAQ8AMIIBCgKCAQEA+QP7d56K4/9eu7aChtWILYNxvqWeDcJeWvX5Z5vC -+XUjFuUxBD9U0rw1SBLgFYu8aqAJ+oXsqaGjJARifgKEqPUe7pnYYatr55lhTbHR+ -+qA88p1V4sclEaPNWKzd7J/V3eeYr04kqWV5XYhAq9k9AWLzsNIePe2z7OoGPS6oK -+wRzWFRd5RYXTpmFr/tqknbYvtYFd7duKb9QqytgHV+RKXXeY0fnjZ7frLmaqDwtI -+U3DY7MyS3Hw2BVx72vQXBNA364HGEpqEgVOdzI7et0wpSumaFXDye714xUR53L7N -+f3fp3PQXS/RbBiNXs7KUsHCR6nsdsIKO+sg66gxOLNt6zwIDAQABo2AwXjAMBgNV -+HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUN9pGq/UFS3o50rTi -+V+AYgAk+3R4wHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI -+hvcNAQELBQADggEBAGcOh380/6aJqMpYBssuf2CB3DX/hGKdvEF7fF8iNSfl5HHq -+112kHl3MhbL9Th/safJq9sLDJqjXRNdVCUJJbU4YI2P2gsi04paC0qxWxMLtzQLd -+CE7ki2xH94Fuu/dThbpzZBABROO1RrdI24GDGt9t4Gf0WVkobmT/zNlwGppKTIB2 -+iV/Ug30iKr/C49UzwUIa+XXXujkjPTmGSnrKwVQNxQh81rb+iTL7GEnNuqDsatHW -+ZyLS2SaVdG5tMqDkITPMDGjehUzJcAbVc8Bv4m8Ukuov3uDj2Doc6MxlvrVkV0AE -+BcSCb/bWQJJ/X4LQZlx9cMk4NINxV9UeFPZOefg= - -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/debian/patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch openssl-1.1.1v/debian/patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch --- openssl-1.1.1n/debian/patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,72 +0,0 @@ -From: Tomas Mraz -Date: Tue, 26 Apr 2022 12:40:24 +0200 -Subject: c_rehash: Do not use shell to invoke openssl - -Except on VMS where it is safe. - -This fixes CVE-2022-1292. - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Matt Caswell ---- - tools/c_rehash.in | 29 +++++++++++++++++++++++++---- - 1 file changed, 25 insertions(+), 4 deletions(-) - -diff --git a/tools/c_rehash.in b/tools/c_rehash.in -index a7e538a72d7d..914be03da14f 100644 ---- a/tools/c_rehash.in -+++ b/tools/c_rehash.in -@@ -149,6 +149,23 @@ sub check_file { - return ($is_cert, $is_crl); - } - -+sub compute_hash { -+ my $fh; -+ if ( $^O eq "VMS" ) { -+ # VMS uses the open through shell -+ # The file names are safe there and list form is unsupported -+ if (!open($fh, "-|", join(' ', @_))) { -+ print STDERR "Cannot compute hash on '$fname'\n"; -+ return; -+ } -+ } else { -+ if (!open($fh, "-|", @_)) { -+ print STDERR "Cannot compute hash on '$fname'\n"; -+ return; -+ } -+ } -+ return (<$fh>, <$fh>); -+} - - # Link a certificate to its subject name hash value, each hash is of - # the form . where n is an integer. If the hash value already exists -@@ -159,10 +176,12 @@ sub check_file { - sub link_hash_cert { - my $fname = $_[0]; - my $x509hash = $_[1] || '-subject_hash'; -- $fname =~ s/\"/\\\"/g; -- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; -+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, -+ "-fingerprint", "-noout", -+ "-in", $fname); - chomp $hash; - chomp $fprint; -+ return if !$hash; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; -@@ -210,10 +229,12 @@ sub link_hash_crl_old { - sub link_hash_crl { - my $fname = $_[0]; - my $crlhash = $_[1] || "-hash"; -- $fname =~ s/'/'\\''/g; -- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; -+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, -+ "-fingerprint", "-noout", -+ "-in", $fname); - chomp $hash; - chomp $fprint; -+ return if !$hash; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; diff -Nru openssl-1.1.1n/debian/patches/c_rehash-compat.patch openssl-1.1.1v/debian/patches/c_rehash-compat.patch --- openssl-1.1.1n/debian/patches/c_rehash-compat.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/c_rehash-compat.patch 2023-08-26 11:01:19.000000000 +0000 @@ -3,11 +3,11 @@ Subject: [PATCH] also create old hash for compatibility --- - tools/c_rehash.in | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) + tools/c_rehash.in | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/tools/c_rehash.in b/tools/c_rehash.in -index fa7c6c9fef91..a7e538a72d7d 100644 +index 9d2a6f6db73b..d5673a3fa6e4 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -17,8 +17,6 @@ my $prefix = {- quotify1($config{prefix}) -}; @@ -31,42 +31,33 @@ help(); } elsif ( $flag eq '-n' ) { $removelinks = 0; -@@ -128,7 +123,9 @@ sub hash_dir { - next; - } - link_hash_cert($fname) if ($cert); -+ link_hash_cert_old($fname) if ($cert); - link_hash_crl($fname) if ($crl); -+ link_hash_crl_old($fname) if ($crl); - } - } - -@@ -161,6 +158,7 @@ sub check_file { +@@ -203,22 +198,24 @@ sub compute_hash { + # certificate fingerprints sub link_hash_cert { - my $fname = $_[0]; -+ my $x509hash = $_[1] || '-subject_hash'; - $fname =~ s/\"/\\\"/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; - chomp $hash; -@@ -198,10 +196,20 @@ sub link_hash_cert { - $hashlist{$hash} = $fprint; +- link_hash($_[0], 'cert'); ++ link_hash($_[0], 'cert', '-subject_hash'); ++ link_hash($_[0], 'cert', '-subject_hash_old'); } -+sub link_hash_cert_old { -+ link_hash_cert($_[0], '-subject_hash_old'); -+} -+ -+sub link_hash_crl_old { -+ link_hash_crl($_[0], '-hash_old'); -+} -+ -+ # Same as above except for a CRL. CRL links are of the form .r sub link_hash_crl { - my $fname = $_[0]; -+ my $crlhash = $_[1] || "-hash"; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; - chomp $hash; +- link_hash($_[0], 'crl'); ++ link_hash($_[0], 'crl', '-hash'); ++ link_hash($_[0], 'crl', '-hash_old'); + } + + sub link_hash { +- my ($fname, $type) = @_; +- my $is_cert = $type eq 'cert'; ++ my ($fname, $type, $hash_name) = @_; ++ my $is_cert = $type eq 'cert' or $type eq 'cert_old'; + + my ($hash, $fprint) = compute_hash($openssl, + $is_cert ? "x509" : "crl", +- $is_cert ? $x509hash : $crlhash, ++ $hash_name, + "-fingerprint", "-noout", + "-in", $fname); + chomp $hash; diff -Nru openssl-1.1.1n/debian/patches/ct_test.c-Update-the-epoch-time.patch openssl-1.1.1v/debian/patches/ct_test.c-Update-the-epoch-time.patch --- openssl-1.1.1n/debian/patches/ct_test.c-Update-the-epoch-time.patch 2023-05-26 21:28:41.000000000 +0000 +++ openssl-1.1.1v/debian/patches/ct_test.c-Update-the-epoch-time.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,24 +0,0 @@ -From: Tomas Mraz -Date: Wed, 1 Jun 2022 13:06:46 +0200 -Subject: ct_test.c: Update the epoch time - -Reviewed-by: Matt Caswell -Reviewed-by: Dmitry Belyavskiy -(Merged from https://github.com/openssl/openssl/pull/18446) ---- - test/ct_test.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/test/ct_test.c b/test/ct_test.c -index 78d11ca98cf7..535897d09a77 100644 ---- a/test/ct_test.c -+++ b/test/ct_test.c -@@ -63,7 +63,7 @@ static CT_TEST_FIXTURE *set_up(const char *const test_case_name) - if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) - goto end; - fixture->test_case_name = test_case_name; -- fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */ -+ fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */ - if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new()) - || !TEST_int_eq( - CTLOG_STORE_load_default_file(fixture->ctlog_store), 1)) diff -Nru openssl-1.1.1n/debian/patches/series openssl-1.1.1v/debian/patches/series --- openssl-1.1.1n/debian/patches/series 2023-05-26 21:30:44.000000000 +0000 +++ openssl-1.1.1v/debian/patches/series 2023-08-26 11:01:19.000000000 +0000 @@ -4,25 +4,3 @@ pic.patch c_rehash-compat.patch Set-systemwide-default-settings-for-libssl-users.patch -c_rehash-Do-not-use-shell-to-invoke-openssl.patch -Fix-file-operations-in-c_rehash.patch -Update-expired-SCT-certificates.patch -ct_test.c-Update-the-epoch-time.patch -Update-further-expiring-certificates-that-affect-tests.patch -Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch -Add-a-test-for-CVE-2022-4450.patch -CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch -Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch -Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch -Fix-Timing-Oracle-in-RSA-decryption.patch -Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch -AES-OCB-test-vectors.patch -x509-excessive-resource-use-verifying-policy-constraints.patch -Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in-leaf.patch -Generate-some-certificates-with-the-certificatePolicies-e.patch -Add-a-Certificate-Policies-Test.patch -Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch -Revert-Fix-Timing-Oracle-in-RSA-decryption.patch -Alternative-fix-for-CVE-2022-4304.patch -Re-add-BN_F_OSSL_BN_RSA_DO_UNBLIND-which-was-incorrectly-.patch -Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj2txt-.patch diff -Nru openssl-1.1.1n/debian/patches/x509-excessive-resource-use-verifying-policy-constraints.patch openssl-1.1.1v/debian/patches/x509-excessive-resource-use-verifying-policy-constraints.patch --- openssl-1.1.1n/debian/patches/x509-excessive-resource-use-verifying-policy-constraints.patch 2023-05-26 21:28:42.000000000 +0000 +++ openssl-1.1.1v/debian/patches/x509-excessive-resource-use-verifying-policy-constraints.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,218 +0,0 @@ -From: Pauli -Date: Wed, 8 Mar 2023 15:28:20 +1100 -Subject: x509: excessive resource use verifying policy constraints - -A security vulnerability has been identified in all supported versions -of OpenSSL related to the verification of X.509 certificate chains -that include policy constraints. Attackers may be able to exploit this -vulnerability by creating a malicious certificate chain that triggers -exponential use of computational resources, leading to a denial-of-service -(DoS) attack on affected systems. - -Fixes CVE-2023-0464 - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -(Merged from https://github.com/openssl/openssl/pull/20569) ---- - crypto/x509v3/pcy_local.h | 8 +++++++- - crypto/x509v3/pcy_node.c | 12 +++++++++--- - crypto/x509v3/pcy_tree.c | 37 +++++++++++++++++++++++++++---------- - 3 files changed, 43 insertions(+), 14 deletions(-) - -diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h -index 5daf78de4585..344aa067659c 100644 ---- a/crypto/x509v3/pcy_local.h -+++ b/crypto/x509v3/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+ /* The number of nodes in the tree */ -+ size_t node_count; -+ /* The maximum number of nodes in the tree */ -+ size_t node_maximum; -+ - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; -@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree); -+ X509_POLICY_TREE *tree, -+ int extra_data); - void policy_node_free(X509_POLICY_NODE *node); - int policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); -diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c -index e2d7b1532236..d574fb9d665d 100644 ---- a/crypto/x509v3/pcy_node.c -+++ b/crypto/x509v3/pcy_node.c -@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, - X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree) -+ X509_POLICY_TREE *tree, -+ int extra_data) - { - X509_POLICY_NODE *node; - -+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ -+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) -+ return NULL; -+ - node = OPENSSL_zalloc(sizeof(*node)); - if (node == NULL) { - X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); -@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - node->data = data; - node->parent = parent; -- if (level) { -+ if (level != NULL) { - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { - if (level->anyPolicy) - goto node_error; -@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - } - -- if (tree) { -+ if (extra_data) { - if (tree->extra_data == NULL) - tree->extra_data = sk_X509_POLICY_DATA_new_null(); - if (tree->extra_data == NULL){ -@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - } - -+ tree->node_count++; - if (parent) - parent->nchild++; - -diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c -index 6e8322cbc5e3..6c7fd3540500 100644 ---- a/crypto/x509v3/pcy_tree.c -+++ b/crypto/x509v3/pcy_tree.c -@@ -13,6 +13,18 @@ - - #include "pcy_local.h" - -+/* -+ * If the maximum number of nodes in the policy tree isn't defined, set it to -+ * a generous default of 1000 nodes. -+ * -+ * Defining this to be zero means unlimited policy tree growth which opens the -+ * door on CVE-2023-0464. -+ */ -+ -+#ifndef OPENSSL_POLICY_TREE_NODES_MAX -+# define OPENSSL_POLICY_TREE_NODES_MAX 1000 -+#endif -+ - /* - * Enable this to print out the complete policy tree at various point during - * evaluation. -@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - return X509_PCY_TREE_INTERNAL; - } - -+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ -+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; -+ - /* - * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. - * -@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - level = tree->levels; - if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL) - goto bad_tree; -- if (level_add_node(level, data, NULL, tree) == NULL) { -+ if (level_add_node(level, data, NULL, tree, 1) == NULL) { - policy_data_free(data); - goto bad_tree; - } -@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - * Return value: 1 on success, 0 otherwise - */ - static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, -- X509_POLICY_DATA *data) -+ X509_POLICY_DATA *data, -+ X509_POLICY_TREE *tree) - { - X509_POLICY_LEVEL *last = curr - 1; - int i, matched = 0; -@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); - - if (policy_node_match(last, node, data->valid_policy)) { -- if (level_add_node(curr, data, node, NULL) == NULL) -+ if (level_add_node(curr, data, node, tree, 0) == NULL) - return 0; - matched = 1; - } - } - if (!matched && last->anyPolicy) { -- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL) -+ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) - return 0; - } - return 1; -@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - * Return value: 1 on success, 0 otherwise. - */ - static int tree_link_nodes(X509_POLICY_LEVEL *curr, -- const X509_POLICY_CACHE *cache) -+ const X509_POLICY_CACHE *cache, -+ X509_POLICY_TREE *tree) - { - int i; - -@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); - - /* Look for matching nodes in previous level */ -- if (!tree_link_matching_nodes(curr, data)) -+ if (!tree_link_matching_nodes(curr, data, tree)) - return 0; - } - return 1; -@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; -- if (level_add_node(curr, data, node, tree) == NULL) { -+ if (level_add_node(curr, data, node, tree, 1) == NULL) { - policy_data_free(data); - return 0; - } -@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, - } - /* Finally add link to anyPolicy */ - if (last->anyPolicy && -- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL) -+ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL) - return 0; - return 1; - } -@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, - extra->qualifier_set = anyPolicy->data->qualifier_set; - extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS - | POLICY_DATA_FLAG_EXTRA_NODE; -- node = level_add_node(NULL, extra, anyPolicy->parent, tree); -+ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1); - } - if (!tree->user_policies) { - tree->user_policies = sk_X509_POLICY_NODE_new_null(); -@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) - - for (i = 1; i < tree->nlevel; i++, curr++) { - cache = policy_cache_set(curr->cert); -- if (!tree_link_nodes(curr, cache)) -+ if (!tree_link_nodes(curr, cache, tree)) - return X509_PCY_TREE_INTERNAL; - - if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) diff -Nru openssl-1.1.1n/debian/upstream/signing-key.asc openssl-1.1.1v/debian/upstream/signing-key.asc --- openssl-1.1.1n/debian/upstream/signing-key.asc 2023-05-26 20:37:29.000000000 +0000 +++ openssl-1.1.1v/debian/upstream/signing-key.asc 2023-08-26 10:26:44.000000000 +0000 @@ -1,398 +1,376 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mQINBFAAbq4BEACzaRctf1/dafs2TQtOrMebzky4TGw1BrWFWn/xdc9HLm61+Y9c -GkEFquLwvDDds/cSt+J6U+6vqPpWVt0pqmvo7bXF5w62QGA88c5R/2owB6fw54rx -GvdJneRtHbsqPuBtW+/8EiAjpCvShw5/YB/VT/zbBguwH4JRzNY3yRrpFJ0cwRD7 -lo1wntACMFPG5eMu8flU/yXhP6Hp92pnNukBjxgayuvivYpCl3lmJrE2QBIvaIES -2W9XBq8Madx/JlN7TvnGhAz2Gn1Z4h8Y/EPtuy7OXV7mtQfW0ByPdv4FmXO+dfKv -hyrTJg+KQlpnoyIVcS6gOALUOLYlPIBEmwZTDpx5A5ZRsfUzxquwvsvvDVDBikuQ -Al261hO5P5Xxy5ZaLo8fi+xMA8j8HfVVgsgFPAvAy8iM/pNt3BFUulVxjZBxrq9p -d5PXdxLxtqpAEZ+Xnzw5QgjJe3MMWX85eE2nQTLyevzERKFWi6M9dBpCEM34uKF5 -9ZUQ/i6GSOkoxpokNVWnOnpiOgp6AAEOtC8G9+Z+pjQlPCf9LU5Xmb/1Kx/DRkmL -us4nHY9qtaiV1XUSAP1WZSrXUlVQMOwiJgvewWJqFivy82lM7n4Wkk1wfjI8bR8r -QAKBiHiwVDnpXgr9bDDWu3OSZ7CU5bizAoGgIliwgXcigZqrPUBNkjY2CwARAQAB -tBxLdXJ0IFJvZWNreCA8a3VydEByb2Vja3guYmU+iQI3BBMBCgAhBQJQAG6uAhsD -BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJECBkxTZBwl5dzCQP+gOSp8Xz63jE -ZGmsUPElufn6OLARL9pKZnCruzdcOOWsir1xRZhZunsrJ0qCMaqQZUxK4tXluMq6 -t7qdsIylpI67WoE39obc///eQhnRT7T1pHwR1Ehg5Um6j4/jnGtegtLzSugkCtFJ -xaQ8aDqaT3FbY654xWwtKV2HXMoMBv9TMWhks+l6QrzOfbs1XSReoUxXGNhGAp9y -g2PRTtnqrZ6OLUegjCX3UR23pOaNubAw7N6EuPnqS8U/WHXammKbf7LPmuvFejxn -W6erUanFdj+/QKIE1kAEdfWprTz2wmSKUSsunHkbhELxVAX4ofRPiTo/sQ//hIO7 -xYOXM2he09VZh3em2KpThSB6ApX8CyKCdR4fhTagx3KLV+7pbKXEYEmPqJRci27Z -WjXJzAID4Hyxz84iLLpvgbrsvRWCyKWk5sB8z5issawv4EvJ7khh6V5Efp/4UnIM -4yHHNyalDd7vtUx5Y8Sqp2sY3I5CoNZ1CIM8pem3CSdKs7KYV+FiqjCF2kDwKpEK -CewHvGNENCRbaDFs1463UP9+10rhmeED5u65eLtVXohITDLDrkLoJWOvxhFsMmC4 -dCUpOFWoBIrnOx7nIb5s3sccXGSoJitsXANG5tBMADe2z2Mq+yHL9fpG9hegmFFc -mbl+7GTJ6WfqQkc7SoqN1Zjc4qfU0oStuDMEVaub5RYJKwYBBAHaRw8BAQdAHp9Y -bPAXkR2TsdnPFLmhQf9C2mY0XO37TPS1IEMmeT6JAn8EGAEKAAkFAlWrm+UCGwIA -agkQIGTFNkHCXl1fIAQZFgoABgUCVaub5QAKCRAIbqUF3KLT8/MxAP9ISev0B/SM -Qv0UZJArqEDvpGlvxIQ7EijvPSDez/flQQEA3cw/RVGItC2FZIlX+WAguY3kwCh2 -fCfOpm+TGnfyCQgAIRAAhwwrwXR3Gaf1L7E0ttaYq1fnUUhp8SO86RXvJLXzm6d5 -CwjqR9eTind36F92Xvxc+h+CazSkAR0aLvOUxYEcFimO164bHaVN4BPH14xxqYyr -60DHi6kv95q5a/8xw9VFMc9tSaXgJxPRUHNMFM6MjlgFW+5SW4BuAq+c5wnLY2VD -YuMbM7wqB25xw4iKSWy4sYkm8G/NeltBjhDUjhhEpSInoTqnkgZMyPWnLH3XnI07 -6SQ+6nMeR9QHHrZn+32ZcGOLsfK9qcxoFa1gVQxvT6pit/jm9G45S+kGSn+Gb0h1 -PwyZ00b/Ay5ALsWAx0TnuX0MET5AFV7+bfngnwnzKAYs5ScMuSCMzxn1aVxfq+Og -mHdCO4tD2FUuOS2WCmtJ3H0bu1IMbYufp9A/0XY9ZrYgWtXBJlp7B9LYjJJ0HOEw -dH4+Ciss1zayI6eBGIDv/GwX6Bm7k5+lnaU2zb5xbIyaen+xCTJmC0sVQdb/CE0k -eo9LlC08S2HbHiEkCbz1VxVzlTpxhke7crpYptKnKsZ/pe35pdQK5BZHbb+WBrI+ -7pHI2Xpazv2oLhu2vhQsdntqTqBbI6CPD87pkMSk/PYXP+WMhG9Zqsc5jBDWIrgf -rU8/Cfx5zU3Dlz3wjsH+eCOrLOc/UD3nFnOCwLbgrdC3IZh3bznBCOluynlgaKy5 -Ag0EUABurgEQAPBbF7My7232h0PktP61YzyCJx8ZNDYARe5ugGXndfxOBFN4Oxnj -x7ZIKymFmQ6Gw8orJaROxvh2ggxzVkm3T05BHJuNBQpTFR3Ye3HFat5gPI6Cr3h5 -/U9lP5LNqRf9RX0DR/D7ske+0Tp0DepIi/aPIb2eS4tj4APUG1kQRdWfhg9EBPu9 -jhvYBN8ZGu74tU+ypFFwDAP+MsWdMMBWEp/OeEfBAQ6GK3UsUtmOw3ObG8JZ5qMZ -1kU8KwM3e3BiLdQbvYLg8VHYkK6noYsAaijX8udlyUe9dkQ8eoFX0mz8ZriOKurR -Tbsx6yYMNPiq+aO1J+jnKsnhM4nI8qgyJk/DKy530ITvgwhcCDdP9vtahzrWXGEt -QUrR/lm1ZmbN/TJUjyCS6SmF6BVnPPvezmiT1woaxp3Ucvn0KCOayuBfs2fGeGyo -WH14QHKYrDdn17uHIvu1+ZjftfiZZWmji/ibKBq7SzstunSkAeMLApV7x9do/nVX -wiXFVEVBFFRToHTL6902P/EPq7LitsmWPyA89EXPBn2t27BlqWW9GxXvfiVZEYqq -rn82nr+D/R9S5wVL3+bnfLmwEFDrLwcruRziaSCClcaD6aMzlPJgIUauKnyJFF5s -NCUFzlTnk5KfOYi2VRXUkN+teVLustJoesZO54HUjmo/1cZhW+zNlDxLABEBAAGJ -Ah8EGAEKAAkFAlAAbq4CGwwACgkQIGTFNkHCXl2HiA//Zo6g+mb7d716LnhWMyzr -TnB4wmCZZwSRlX77DY3aQ8oWibVwGtFbWEvJG+YT/iRAl2EzrDWGYTRSBDnbdPAx -Ev7gUtQA8sXuRuVUp9KuTjIXRyBp4oZH8HpTw+JInErliHNs9IPMMEu0HiDa/aVA -vnG5M8LvAy+ysE2759sm8YJ3j3/oQ0Tu2doCl2BSzU0t6NYQQ5nBXvXuVSufjng3 -LEk033Cy9LQw4Qp0NizRBYYcg0/Q/g5tWIb1gR+/inPj2Tzk9EvV4YaoqJR5zZHp -+J479oRU+GF8VxnjAGI+461tvpsQ6/Q5f8v8jgRuT6YzBzMVwaTnlq3w/DaFwOZk -BRcWYXZXlfyVIEwbbq+xa+YMM+R0uyxM2B2+jTbiX4aZAkG6ezfwMTCprSBPvm2G -Zupv/vcGyAgFpN6OGnp8DK2RErG0uvOPy49lI04nrel17h79JgKIWBnMh0ZxrWTc -Y9EFsxEbdOFACC/028FaW8c8GBE0CbbziRw1CCXJq6Tyz2cPXmZ8Lg5m9yo1Bco4 -laE0oqqdWIepzDaVp/bPlbwcmbBo7PVWqbAW0J3s3vPj1r7a7sjxILkqG5hXAWGS -77cv2tGfnG5I1r9Y7jxJsFzJVwjTWJ9dyQ0045RlD+4kbPFd6fLghjUQo7FrGxuQ -JMeog4NgWTChpQSDcCTgv4K5Ag0EUADi4gEQALnZQB3RhzQwM8SmVGvUzEBpGlQL -PbImzQhRUPIpat7cyLP78QpBY6TakiaQwKut82rIlApq1BnwzUFvyGEar//SQWQb -/OM9SPSH2I2pe7iomqi+cQAxSDUuX58SBLhYrSleI0oqJ8G1LpiVqFg6xWLQYUSA -AkmfySMWZe4QcE5Xx+iozr+531ihjEBfljocvqbG6YTTVpVMa6pg1emkb0kOBg5Y -XgxD/dw56sGC73yd0252xWn7qd1Q3dg9d7+mS06lzfA5pA7lNyPaB29pCm98ZE9r -UVBprt4NIVPy1n/eZvMlqf8iLqUkNW3PqvRv0MpzvfAuaePRPA5jkxwAD+8SuJ/R -+RGwJtlFX1PErYLMNwSfeqJYQRyPjCoYi6I+8iNX/WwKkXYphtDjp75nTa/KS6O0 -lak8H19ZvHgP97YMQyFvbTW/m3xeD8xGQuhjoAKUTHmAlqYzG31pnzcaqtrIgUp+ -u3OQaTMZdX/r4nm3+p1RHhZXKF2zQPbfVEy/RXhK2v0oQFOMpm46wwb3eXax9dhH -98/X5Up3R8xXg1n3vuPj1YonAsBLmIZtxb+9n0II6xDNhwu9/vVG/B5+Ufk0CJ7d -VHjxVnWGN7ghA6Pj0hshn/4qssi8a6idXaj2bxVCu6C3kU/fMiSr0aPpXWHfdL99 -TU0enPWoSr+kSw7hABEBAAGJBD4EGAEKAAkFAlAA4uICGwICKQkQIGTFNkHCXl3B -XSAEGQEKAAYFAlAA4uIACgkQoZ8sMBpVIt0CCw/9H2+XvbVfdJGO7g2xvy99Rpag -KgsQ+S9FcRbLb2ch//EUTGfMN8jID+92RhevH5nZgls7rQDUMWPU4MU4rL7ocF22 -lrHptGB9vUJPFwCADKoc7OfQxVkrtIqDAmMVYsoYcs1VX2dJtw78z45G7I13yVkj -xwK82u43OwWR8BKgNX4uGqiu77vgT/whpY110Fh1ceMhUQFV84XGjW0OnK9L6snn -KLXhiR5seVt40KhmuvHYIM89V5o0uCbl7r8PGOxs5xsMIPWdKLXBzaPpAbQ5tyoX -1zXk4yBwYPlOOTKr1xNL+ZoQkr5zymL/ClPJIbyMX9QLh6/dk4ndq0/TZoEEI783 -QisB5xqYftI2jFlcHE/79Ud0vY0NEI/zXKIu3d+qLuXzbXI11LPuw6g/uqTonHmk -EYPMoCYrjFWGFcwVopPqYQJUzXNU34D7MLyPTwUBJyYGV32o2fWFyU1TerBSC/7U -8lLJB2di4GUG5kg7kdx07CXb7Twm5GCvkSHFACHAS9JVtqiW7ZMJRk+zay2QyRWE -tB0jc7+tha+QjuWfRwyplNogfKZ3MYJQ3LI0+PD7oX1mtgk+qKEtCcrlpjwLzIeV -ZWLy9325g/s0x3cQuJiqSHTD1WkMlSnO7lOZ3VvNz0Wek4SMQLSwEc4ts9KivlPd -tyu9xOoJyPCdMhC4cdj+8BAAgNqdDtS+YLcgJ3wkxrZ9DSwg19qNEipUFRAXajAW -Io4n0duMUdvb/QjPcoNhlZs/sYi2kXWds3CXCUPx+R0ZVwkSwVNPq+KVrdZO3hr6 -7YeWPjIp6kR6hs/NwUA2B3/snGYZK+WQou5Mnh6WTcjw7gFeBoffuQge+SUq/oMQ -Xa4yg0dAbl1eGlVM4ZoQXRX4mYX88CWh/8gK532/P/viA3/1J2lYI+vtkGlHMHCI -+k0r3XMz84Lp74xAeWM7mYYcICRtiM1yoo1nCYcv3ZexsRTQioAKS11EhuW9eMDQ -jDLms1AaMLMfbS/YLT8JkfDOz0h49m+wfxvY4fqP5PDirnpU9tpkOOp3LlDK0zXr -f552sM3PTHGlvEpKqrl52LCMU/MJjaKx5DycR+fPQC3GZnzb++M10G3OHlQjhVW+ -NTSMKyp4vE3lRMOz4C2jM4zIo4dfHnxJxv3VQYHdNWf1+fbq3BHWbx+981dytwFV -zIUQ68GKhndn3QoZW4B6edsWIZ63EGOoBUh/wQ2k6ncMXBz13ou/vLhg+crwBXAC -31I3rvkZLC0FnFxsJVXzZf7TSSRaNE3VsUUA+nl8FYvxHdlTYHnU5NVWKCJSKL4x -CgnOpvonSXTDY3RRJk5uHZKmoYgrgx+eicIH/tM7f3FfbOXkAsx/lJXHjEqqwJ7T -BX25Ag0EVH8XxQEQALTvIQg6VEY5u49MCR8OxmfEllnypF0ZTLX/tXbRbF8Y1Rs8 -brf3H43cXSGJvsRvMrtJDl4iz6DaoF7Oy8gj+KrpB7wNBYuO4wlhR/sat9NfFUB+ -tMLO5SZU7CgBPjZ+4x7yfdb+h752g52BqkertVSG2YMqFSI8mie3W6elsdnx5ZxW -8ol2ZLGZKYQS7uK2eWomYKyYKdunuIXz3wEJZT9seeh8pNWmV0/n9kyoqZ+25EOd -oA//Wov3Q8nwCmuv9UhoHOetRDNrAVfS4tvaHIzleTc73BQz1anXjI7v1nDzbJti -umOJCW/ACJPDz7nCfkyR3Z4BI3ROFl2qp+TWqaX8XDirwvjoNYB5jSbqgK/Yve9e -dYVZfM0QNXoqmFPzUEBMs/czA/0Y66bWkS9JGRmiITWpQooujOpLY1pizb91iv+6 -dBsZRSvvsDMJjZ84AI1nSPhIusHijEvvezlFiObZL8/TreEzqIuO+sYvK8zFVx/a -vnqaOBXceyiLti3ZWjwHFyyfSLfmIlYtlt//pg7bFdyAGKepixPvnVe5eCPmsg50 -x3et2x6MPc1EEH1wbsJ7b4UgT88lrFMlaCYHJuKoHvI+l/lLUn0zUvLR5cZNwtLV -zyvDqTTwIbkKY5URQ2eL1yWb6NoaugigDPaQIecUQxD0POY31qs7vrMxSNghABEB -AAGJBD4EGAEKAAkFAlR/F8UCGwICKQkQIGTFNkHCXl3BXSAEGQEKAAYFAlR/F8UA -CgkQ48TdzR5MEkTHLA//fXUEdBCTH/9HXnrJgfpaSAJRwOEX1UxSoJlrRmRESxXN -FHPZd5a3Ff99VISd5BQJeT1EJoQGZToATbI6F6742Uv2mkeEz/iBbYEPTnJvcVux -E8zEGY4RdTiBYEUVunRTXizF7mh3kswIVZc3jya5JsBLe2NSDv6TLoBdjz/OsLmc -YD+eiE4vT47SfofDI2TMxq6JH7ezMBrVciibcXH3MSyacDbmgj2DzisrWnkdDvAP -Ry4+0dg5bo0KKo2e1cm0aOZZyE467ynO7+y+QrFRIZrvZozgvHtyAqstWVrM5gAV -xyJtPCpY4k3+UmwQ61wqGM2lPqlnskyCA+VeO7LyYiUop4GmEi/z99jg7RtiY0mQ -Tq19mAZd5dBwxjCRI7Zb7Pw8sMqzEpbmu9etmdmJvzODlSqi100EYCG44fPbUfss -/6Uj6k0YQ7NFEqLezUYQcZRT8l3REx8J7HQwcQ5vYZfP/OBxp94xPuBqpOLgWQb0 -WR5V4QzCNpRpn0AKt4NrFB4v1su0nuQlMdvjLL2T222tPpxDkFmlfI/TyzsIO4s/ -54gBbZkbF324OwFTNL4Gbbqf2Uun1cGgt16k7HvX/YtOiUidS6emhakVmxpZe11j -og7rwP1LInm95gPPZ/AhS2focWzXSbg9BxB1GxQaUxGiz1zHZ67WuzKtRXB1Rsn6 -ahAAmm1+BUUVmtf0+e5ITls9fff7Gc1Hhxfa99Eloz3J32YMXjusqZQyRoU1IRfx -F7wKbEM/I9S95KEcXIFT1HyRpUjd02+uJTakWg95S2Rw29hFe/q0qQrjH6sCK6Vt -unDg4bLjnw4wxiCeAUVzzGwiYsx9rbNDJVYepM/0kcX0elztgJbZhFfWwDdl+JN2 -ezWrDNJ64EV3nb5MMky990COFFXAOB4KhDY0Qtw7pRVODViz51w0PpFbzdmr2n9L -7noG+rzGjN64tLcLwB4ngqr3ypqv2GyoPg+t+iDWMv0e/7WOYRT0kmznk/Dc+0sN -2i2NQ9taNnjvZlH/WD9AYM0fMS5r0eTTEvFLZC3ilik5zGfGGf3EPfuB9GUzvNj+ -FvjgG8oBZwjUuXfSGli3l/iOFDY9UkzEXGUqm9lXE0U8f4hST7Med/ifum/GBEFP -rudn/i0xgmZi2wLqm7gBRwRSpGmQAmnk/Eap/quN6/7QnHfYJIwF9mJqGlEO2tq7 -XUTiC81d42Ys8tu9/zqQS6Y2wND4rbCJ4Z/yD7ercyDrL+9OKDmbOgLo09dJ0QQF -fKwjKnST3x2RZsuN1Be7fd+lUXHqF2IpV6UiFDLmsT0F0qouNnEj/2+HzPyVj+Qq -d/1OlzNpIX81R4Xm7XXyjuvIoAeJl/JLXqb88HAyikF06OeZAQ0EUYAuwgEIAMGS -HrN/Ft7BbYomNoxqKyFKunG6JVpTK9aCl7oyhp7sk0JbxrKElvAC2xDr1IYDiBST -KtHo8G8MxVgSJipnBcH/cgStK0RKNy76CRuaxrRdzAemQTeI3sjxpTrrIy3vXScY -SZytHkTi7g242ge2c4EoSH5EIsanmajqHBtRhTMbd5Qj/OLaEsCk+loBNecPdmSG -C0dXeWfdnXqdRZAB0hVOjFiG9WejYRCyp7xDeJ+XZR/Rilo3X0EMGvEzdY84Apsm -TQBvVuOARp1q+sUEI6X0KttOF7BEaaQ53ElZpWQRFcxKGXNTOMm8o5QRQY7EkKad -9CKY9CgJ1DJUUuAd9EUAEQEAAbQfTWF0dCBDYXN3ZWxsIDxtYXR0QG9wZW5zc2wu -b3JnPokBOAQTAQIAIgUCU96+vAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA -CgkQ2cTSbQ5gRJGgPQf/WUQld+vrqt2+yTI6LTNTQBG9RceNuaZiRnsROR1eHtVr -9OOfzVPenCavcXghwsY0sPPgSDrvFur9PyuuwQ87HmdX+ZGdRP3tSaxC4udHbAsZ -tEG7bgUozuhfcpC+Ah0lZ3EccmyOkYJWITWYgUBEDOU37qne09udDMA2NHLuL89h -T+eIZ2pVwyFydkJfkXtgfrDq3RmZgfebVB5ESdap/G7t7Iewi95syApMj9swbxns -qUtmFr0fCsVdAA8hJPqx9zVuUon0g1QMz2IroNH+6WTDt7SGYcuqNapizk/PJd6g -2ew9cm3r3CIANiqPgo0Mh02nVGgX2p9vWcT4MzquBrQgTWF0dCBDYXN3ZWxsIDxm -cm9kb0BiYWdnaW5zLm9yZz6JATgEEwECACIFAlGALsICGwMGCwkIBwMCBhUIAgkK -CwQWAgMBAh4BAheAAAoJENnE0m0OYESRY/4H/RKxZJ4saj6+Khvz3flSKt6LgW+f -MY5RXXD92AMtLNq+bKxXFvir2mynW+PUoS2bXy/Nk7v0B4BEbBZNBgaYWas1FZnY -OBuMbIngtLmQsGpD0VoXu9QW2aXpHTjLH5FOBBODrTVewCN5Ty5JquZ5mAZUwAie -x0ytRzviUl5YpKei+vggU52CJT96e/X20rfnlux9O9vSSwTlDvCeehFd0vI163QB -Z/h52dYMSdFvpwhUMXbxRGPEfrIh+oBV7tWe4MHhJ+5yThHiBgVL/EZ9OChw9QNn -itTPzCV4YvAMiJTsamKWa1lOXUVM+QVr+aptwmB1VMmotk7m8hImRm+oTlS5AQ0E -UYAuwgEIAM9nUJAEpsVBYwK92PP9Mlo1/etXp6JgBI68sOCJxTwzBrbTzIlevVQX -qW9zdODD6ObKcgGNuG+G6Nwn54P6McRpd2dxor9YA+yaI0yT6CVnhxsXjwc/vuQ4 -tBAL6tfuMAXRVIeEVk22cKk4HJB68ImXCCRdyRi9HIE5iTrZHsHC4sjAsirhlc0o -8hU3gqkKh2Ehwa6+U8lzNx06hoFEZxIVRteoz1jzCHImF7EXztEcDIamO8uckVKA -uKbJgFGkU3bkvNgWlc8Pgx4tRUNJGC1LE4nYqaSEwee1SpA/VewiDObj97PozCTF -zRCUBCnSvaAlTnpA90TnODH7ar+L5aEAEQEAAYkBHwQYAQIACQUCUYAuwgIbDAAK -CRDZxNJtDmBEkQs2B/96XB9hyFpX/bhu41YNr7nSA65dDi9d+PkMqvLppickG3VR -4xXWywzEJTw6W2DNMyFO6mOtdXWgNdgDF7HKZYvHBr6pyttLAMP7BfWBvU7YY59u -KmUSc5vl0NzsaSbx5PDSQEkSICLI+/hIwuEXOb6Z7gOrX7F1uy83TmHFOOjD2mLl -5isUzFhaLVk0fZSY+mCgg3/inbwb8g3191Ybk2LfXmndaEsdEzMLrT0g6wIgmybz -6UdVuVPfSPGly0VWVAG1sNPOCpAuJpNV6+VxrdViAx3vQPbx3XzqDFS1ISlnd0qS -/7RXwMuFDpVH/BDvzQcoikWnpRY/loPGkSg4TB7amQENBFIOPE4BCAC65kaDpN/H -2OawMMUjPE4OR0dq9o0/qf6ZEEX3NVFIRZR6FUI0f6LsobNB4gf5iC1aUMPSGky5 -BIY+AtTmVKM/3py8+pg2+lSvrHmuhkAFJlQfhjrvGz8dd9zO4Sfd7M6xEFJIYfaL -ia9tq4tNkGeoO5q7zJBJJKK1og+Is3pvJLELp4LGFDx8zbhRPgMU0vOFJMgyXuGX -fWVoqDtOKZlw073hasHiEGFhwU/9hS5yabbz29LHehCILryxtNQwOWmhJFVl1fui -AYRenKjezgYxRKSZM/npyNayTN+9dCdOacuT4y2kCSrzNQAuzytYiysnCIouBOE1 -u5icWbgxKi/7ABEBAAG0HFJpY2ggU2FseiA8cnNhbHpAYWthbWFpLmNvbT6JAVUE -EwECAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE0JloTcfCHgLhSor+ -8jR5RVxRsnwFAlogQlsFCQvVvoUACgkQ8jR5RVxRsnxKcAf/arP6yZ8tin2yieuN -Ov2Hj2FGdzeFBbEVrlDRiXVnwGw6Yb6FNBZCjrXRTtVzmIeDZgiTN06WjBIQpYXZ -Ff8bbayxu2LQjhg3NZt66iqRrBYbMu4CLMQDK+XPHWqJLFjSjjThE8LWktYNWaTW -kkVrSQLcCdJgm04ZnpOUygU6+m93HKvbv3D8kUAUzivoRBU58lr2hox6W7kS46PU -tV31H7IKrihkLrodXeNnKCWB45LJ3NykwH2ldqxQmXRJksIOeMoRGrEWNtJCie9o -I+PJxIv0YoPmn2P8nPF9+JeC0uyfSZaMFW3B4ZLLyMDvh+3W6p4dpqDWV2oe3GJ/ -gSZzCLQdUmljaCBTYWx6IDxyc2FsekBvcGVuc3NsLm9yZz6JAVUEEwECAD8CGwMG -CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE0JloTcfCHgLhSor+8jR5RVxRsnwF -AlogQlsFCQvVvoUACgkQ8jR5RVxRsnx70gf9Gw1vdnDihY/ZyW7L9mSr+bqnANpH -BKjJPSLyjMmBsW0ac3Es9Q+hsucE1QFNp9SJ9WXwy7bynGUE66PbeDaQd//4uDmi -uos358pAkGZVoNAMTNRbHSEIwPiiyB5/qNN14R4WorDhGdmOdz64vwnMBEKen+WR -iqrNiHLiUQG4AGSDapkBrki83Z4ZnZ5vQPgLAnUN/IEVVrTyZQaeDMBZztui0IuE -mmNlykoLPCv6h2ImjH3Ox76yTOt1BAzzMRMZZrOl5TLqRFulBtsqvtJ6nyDYtfTI -FTDvhMzKn4n5yUcWvbtutnAQG6JuX0EhwDta/UooEffDjsVCwqT6H+o/vbQfUmlj -aCBTYWx6IDxyaWNoLnNhbHpAZ21haWwuY29tPokBVQQTAQIAPwIbAwYLCQgHAwIG -FQgCCQoLBBYCAwECHgECF4AWIQTQmWhNx8IeAuFKiv7yNHlFXFGyfAUCWiBCUwUJ -C9W+hQAKCRDyNHlFXFGyfJsXB/9dJApKTorE1QHzy/G2+mHIBRkjnlfEB369Axaw -XwLPmBOlpnmmuv7mESiEmTj4oDVvslSpaEkmvzZiEw0qcwZ7ejbYbKY9q9qUDUKl -tNDWowW+nvPZ/XmySIxSxRhNvNYNwqld3x77Yjar7j08dzPbcxDblIL21wegvPz8 -gfePYPT14roK+FSm1RdJ5AmAzSnmzM/31le2/z1QcY+PYeNzO/uCiKNs9D5Qp6WA -Y2NYcoM/12/M+an2OZlVQxoQzoCxMbHB8Vm9GH86qKfHG+ZZSryADqENo41fdSnS -N0XLuozsE94T9q1NrGcZnMovISAYIT9XXZbxDxsCh/UGZVgtuQENBFIOPE4BCADE -H2XYHa+Hk8EisPQzpDuTNDHUw2lFOY3QiRFx1PKRVUyYCzNlWIWtOh3cYf8tamc/ -nfZ/tDXTKyXxe/pmPQO6gJWzl1Yvws6vc710vqNt/7KJDJfiWPdIlW0x3+8O3rtE -gFT6asywj+WuG7LHODByysbvVOVq2vYStz+Pn3tEdoTTCnJS/IFyJq5yeU7rUPHH -d2xgOMycPtYxAigesS3C3IPYbWPV5+3ELpemkJPHc3GlWwOGw9vt6tUmurcPVKtw -hh9lso217e+5Dhn8PLUO2Dm98KLTUZxEOTvfww3i5nphuEDTu15nGNF+QWra+jv6 -08AQBEv5GHfs9JUV32WvABEBAAGJATwEGAECACYCGwwWIQTQmWhNx8IeAuFKiv7y -NHlFXFGyfAUCWiBDlgUJC9W/yAAKCRDyNHlFXFGyfDUFB/4/pRvFCXse+GDcYa9c -G9nfB+hwL3OSQCHnmmHkKTQiV3JF+swZtmhkm/8l5gQQ2K/F3pNkj1Sr8DddX+w2 -aORGWtv6Xsq+6a9SrlMb25frVlkdcSqffqWbtUHcvxUUJC6IGe5WVlyxAsFhNegL -54bh6Ic4FotB++0Yfu5lQ71pzifEqBbvi5lBySErFcNrOpFxx8CBjc63btqwUPBp -DrKpvH+3pzMKJzybg/KJy6P6dd9g8R7dbv2zY9avO+IQkYRasL4pJKxUp+4tX/yo -a/aXP1vazrpAyCAYXNBtq3gPCw4VS2pDTCbxIwDWs6pW+NPy2Gng4IaF93QCY5gE -7tbXmQINBFQwazYBEAC01v949yFYzwbn0UkEkM3MHTrDqWbp+erhXqdVD5ymG/pX -vmqx5KlxL1TZMuWEFuaq9EVkW8Wm5glk4D14IalIVKARAMDwqgNrPnw0GCAmNIf+ -OmvlG7gdsSR93eALJp1vvKZpeEVZj0M0gQ1i4QIIR8PMqs+2jaYyed4HhRYzUbGK -ZMnr94Onby8FIAYq0B79VqBv5NfMc2KEKrLXwuDSjtZd2TGB7qeLF7sCczyFoi5X -Tj+BiVfdxCzoYEa1Rjp5hGllVj85w2DdfKED/BW7VCel4H+WTZGqTFQ1e3kPo1Kd -qlwDF+Ci2JFU6myPy0LpHrNhn6FsdQGOuRKgYPycol7VzJHKtcGNMDkUFGV2Dsgl -jQuWSj5TNNX5umFCIIN94eLvHtV9bXP98yKB/5pr2JhagL6kdU7OE0c/mugA05gG -QTUJDeLNsRq54YC+CLyM9dxMvH7yB43yMfUvgKcSRt0sHUo8g5aOYdFq0SXQUr8+ -t/iH3t5/JxhqBik8FBiu0aISsTDUbvbxQQQe/LhfR+FWDZRFwHOL0VELapfw1whi -tGG+y+F9fQIJfa5yzEiC9AWYZjHRaFB7q6LAvF0V8vP+pkT157fTK63W53mt1+VP -Mt2L732i+/Cqy/6HzwOdnNnNyfEdvm2Jojs8KXN20vChnfUGifvTjxuiFib9sQAR -AQABtB9SaWNoYXJkIExldml0dGUgPGxldml0dGVAbHAuc2U+iQI4BBMBAgAiBQJU -MGwdAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV6eQ/ffnujKu0D/4j -YQRAyWEU62HOiQJkSIOmMoio3jsfJF7VQnvfqgswvmPXocmQeQ8pdGG3o/YzSXRA -ycwxys1cFODa33n3E1qlDkAzW6QpRrV3EB5VLYY0RD1qcgBB9ToQ+TQ00jCOWGCm -QxH4jeqBKVpXO1itJl2bmOZhzqNAd8jQ31fOOfuwhjyvc7hOev3/Ui5gmhbApDTB -m71eMmy0aAX2XZwuTTzisiV0NExtAm8RjICDeXDqwaYVPmaz2GPqeIxKA+a7xboE -JePqEbL8coKSVebfKXtYoTTIZs7twqUbTI5kQHcyvtu2fKe5vATkbqAvjW11aXJo -yLnlw5GHcT/tPalMsPMRN/fLQLhF6WwlaEOvG+jQwgaaMIL1Lt+M8Q59MCnbdmBh -wes+ype2/EcnFht2PLvx7PpekHoRJosulCl5e81tzyIt9fdlsxJVIu07Rv27agum -D7NFN0kDJDVs8JI2yjPWwuIDxTCtOWvEBDXOujPlElozYNE4gJBj/Tw5aWMobY4n -Ak4C+dZQ5vCwV6/XG8712r+yXOjVYe2W8vPa9Q7Dxc3w5HHDl+p0p6mDCEpr0VBq -xn4K5HnjNDDbvd2j067PtH8avhySGRIV/2AskDeI6jPoUBofWzsDOwWnGj/Rfb56 -toQytliF5VgoV/UO9MQK1YiasyPP++j4dYpz242yXLQlUmljaGFyZCBMZXZpdHRl -IDxsZXZpdHRlQG9wZW5zc2wub3JnPokCOAQTAQIAIgUCVDBsCgIbAwYLCQgHAwIG -FQgCCQoLBBYCAwECHgECF4AACgkQ1enkP3357ozVsA//RvKgkyIyyzBqlsHKlAJP -+9CZqheNnM1xTioAqUHkQyUeTGXVPzK0RfGY0x397SW1X0cAt4GpfV5gdLuhMbes -xcq5hVhM7X14zbAuIJbrrgRS06wH3MCemnpf7xRYyg0SlaUQeCR2UANDTEiusfem -3b1IBt3HRCy/CRY9rASgoyhSIY+dVjiEC3tfH2AOZYRrZPq0TF32ygEFMi4ilMfc -xsAQey+cFt3Jqs2W0YX+ldgYyYZpiZTRa6OorOqkGnLfPB3RHHUqazl7RlzKlXOr -HdeBy55bx9sw9Nlsb5n3bYZQUMnXf1aMADYWwwn0RLtcgigmH/id8HCT49dyPb1O -J4OeXat3jHtjGeqnhXNq74gBHP1WvU4gVWVBtpJ1d+YMWL9+9V/0IlmdbBxLCSqn -imTnRnKcQD7xPMRCPTyN2PT7Ksk29tHGpshp/NKahTvtsA2ziBzRY51NOm+/iGid -RBE4BGkb8lPjuETsBNUY10XtuZY0TIRgW1kx0Y/TEP4rTESCyKvrlqu5WLFWs0rE -5f3CrHokbMdNJOC0BVgC8wixYlMu4JdlsxGaaaa5t/JVowCKzPlQhgP5MI+dy4nV -0xRb1Yi4s0UYtNEYeuLTURZ7Z6lodlYDRYHRxBlp4alzsL3zpayQOL1ID1nMIgZb -ihAgFBeVEmONjEgEKePG1Ra0JVJpY2hhcmQgTGV2aXR0ZSA8cmljaGFyZEBsZXZp -dHRlLm9yZz6JAjsEEwECACUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJU -MG0mAhkBAAoJENXp5D99+e6MmN0P/AmpB8DasBnjh9fAlBM8kEZ23MHVdEguPWX8 -KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh4V86hIYgLK9tisZyby+5NT4d -El6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvdooy/4ThXNS16HcsJRckan6oF -jCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1C3I+oL3+qWwiqAG9hp/zedsI -sNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6MZPiFBRGsARRRFfTRGkzI9W1 -M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFAnwf5MeO3MqzvjocoUyoZNc4t -7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4+1WmLxwcF0n3xaB04KCvXTaB -Z5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbYk81XfXBuBKv7Vxk0fRYf9+HJ -7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9fyZn/sv+UCLrMR6fyD/5Etzg -zW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W3mDDxJoaYe5bE2p0ca+mwEHZ -QpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlFIEUgucXLOLQHyEl+kEkCLEmS -bn71WsM8tCVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAb3BlbnNzbC5jb20+iQI4 -BBMBAgAiBQJUO42DAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV6eQ/ -ffnujLPhD/4n7Jl5/FIKKNPIDJDAYmq/Z36t1m+m0IvSL0yuZh2WSCDo+xurZWVL -PQIrP14ORvWJJzZTmRLUWTxQPDF0z3S4kkopMyqTeHl++to/4eTQPF0QkpLcDXVK -zRe5jzRUTYC8x7mtJHdgKjmWqbgqm63RJg2PphRSbFqoPkfoZ0/kNdzG3bkELlpW -8YphA4guQBlU3N7p52KOavVny03UDLN1jVE/QmD641g4E7iNNxyXNs15iRi884Ox -4+EjBZOQFygx7RtrWXVokOS4Ba4fp3yDnkAdqhN3DtjKGPv7oqMcJuJpuBP6F1Rm -d7eJPS6+nIfJac0EnhDu25k5m248mUAgvtX8PR9n6OB39G6UEKnBoBFpmDpUCJKe -OLwGjvkpB04gAVdIbWJVXVkYVUyX6i2VRQiVEEmEsTNRZKrjyWtHyAzfSg0oEKUT -xijtVbkHZk33SuCSATq+8qKMXDDJHhcpX8/K3zgVOMDTRexY5Zpe47IiL0/CbK3M -N+SnBfgZzsw/TNasJ0a/AUw+FDGIq71UNysVL7dKHeKQX3nRRvHp7blpdCf0bOlB -c4Ni5Rk/QYMAR1zVHgXHOrANzTim1dUHensnlquYGx3sdws2d7G3p0VX5Ke+Drea -l5NraRhMYk0hJTgOy34vf+z1UGejbViVkEgts1X2nRmBInJhZOSyP7QvUmljaGFy -ZCBMZXZpdHRlIDxyaWNoYXJkQG9wZW5zc2xmb3VuZGF0aW9uLmNvbT6JAjgEEwEC -ACIFAlQwa/UCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENXp5D99+e6M -3KkP/izg32cHPYfDZaWDVbzV1V1EcyMM1hpsQm4C3bo2UY/06NtLescn/6kUwAlh -Bnn9jfqbhoPzqJXc/kbNxtVRc5JvZxhulBj+UdgoB3wiyrY8tM0+eYMWB4Tej483 -0s4c5rUenM2OrUNrpaLVL5pFm1M7k4m5xaMIkKUVQB0PaCms9NB4yplSIEcL9c3M -5UFm/ipQYML6qp07qknd/NTbNNPUfZreLYQiAr/kZxsjZR4mcCMaal8rcRZVhzkG -wX78aReu0xIdkPaNfJAvrO7NMCz7U3yntwbXmRi1jw4PAXvZjAfgRbOv7ug1xPcV -dbr7YbhL3miyYXH8H72muLvslOvba2CBAE4x6wZi7IEx3VNG9aklOx09PDZy29ty -Px4AhMLPj9GnGROUcMzC3+ZvOPmteaQjdA1MmR2PEAdm1OZLJ1Lb78FcGoWBXdWm -I0XFM09YxAAD1YNvVijPnS193jtTqesKtu57D4PEqLPUupHZZpic9X9T17veSjbI -6B1VCi46HHF4MEbQt7pTsGiNMKS2i/YVTap29Fj8x+cTxAmV2Fb8BWPjdLee5VGy -H8dwDYtMXK7fE6hQFZX3Vn7RXInv4onouolcyq7aPvxYPVnGdijNSMDtHdFx78vS -t9kMx75s8jyJ0ILojuAqB7C2G/ScybtQNYBXAIZtFZWLiPuEuQINBFQwazYBEADP -NcBdaXTUwkG81K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpjU45kx/wO -5KiTVj+bM+scSzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV9qT3i0eS -Spa1Kpx8eAHKcVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdkHsEoMSVU -6Jy86E908OLaJbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHMel8ZcEgT -ah7huS6lUA4seQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1nbMQ/dEv -MQpFxLCOBNQP0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAtc/+iwMUk -QQXJRw7Vlp9Fp9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQJe31m7se -zA3cLnFR86ol2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+sjauCZQW -3KYx31Il5bO3ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbhddJBHsd7 -GNkwzb1QivcqnYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz5JTjMkj1 -s9cppQ8tdqiV4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABiQIfBBgBAgAJBQJU -MGs2AhsMAAoJENXp5D99+e6M69gP/2MzECejKPv0lN9vHTnqLHiP7BcqbivPNqT4 -V3yal/JfB9c8h2ylsuZSy4r9TKDTgv/KVm6b9kJVsjdzyqwerKwpZ6T8ohyDt+/5 -UAXKY7wH8vR1qZdtRQ8Z/UbsZ2vyDGMKutBIxOYfDcpzZ+e78nRd6k3E6pIbR1ut -S972wQHM/VTEmsvUFZtX+qszOVm2y8adbHzY0FikqN/NZI7NVY+8gkwaybpd6knl -9ArEQe1heVWDGpaTUxz0SKglqc0zHDtxOUkhiCcvgKsAGWbxYspRq0rLsek51RFS -dO7NJ59co96uyIu2r/sGhpk3+/QdAMmb9CGeI+DVFhTZxobBtWxLphS5EJeyHfzO -tZNMijrrB3cw3GWws3nMsMNcN1g/o+MLxpHwcuJkEai4so7rbDf3acUUZFCwEzBP -kx/SeXjatAObEUWmshIgNUw3AFnxdD7QOLJjctRsiGq6GwvsZ/ABDYuHnmGQW3w3 -4fKEYRLCAkOq7NPfMImM/I7Wf6Tq7s24g+2Sg8vr4yrWKoIxp4qB0GpSQmayk1J0 -RKR9dNqYNQsOr9jnI4l7KlOS+2K4b9Y0CJbiCNOdVSCf0AVnubk+2IiTrDCzEBlr -5Dmz1xGC5XdlBeoSujB+HqZMFf8Nbjap5byHhBYB0ypkh738JQBeuJVIgwlHVhMV -8mypBNjWmQENBE76Z9YBCAClJEJJTPrqEX9P84lgfWoeAz6MqIgDxxmIjFMeJZ+s -p47tHnPaam0t4+8v+63RpsIlepNZtsufUyeIVq104YB+2pLWlTLCG0vQRmA5D6Ri -D7PeadLnAZtBMzhTNRyx0gD2hLM9HN19KftTa9ar4SfIVd2e/N6vgSSJKsI12x9M -4G3Zd0poEnz897HGftxg5APVsJoBw7tSQKHmKxLgJWAmxFV7bMxquF8tGSgaEeV+ -AceRKQmVWFWBb2JIa2qihptuJOfIlSke6h09oVa1jZ6kI3ATWCbzAWUjcT9nHCmE -VzT/Fha7JNW5JT8tyO08B5b82HyL+83n+87FVbOkncULABEBAAG0HFRpbSBIdWRz -b24gPHRqaEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlOctAQCGyMGCwkIBwMCBhUI -AgkKCwQWAgMBAh4BAheAAAoJEJGVxIJB+/fdlikH/RLnyBDNaQuyPkl09ZDKYiYq -g0uL/BtjEdzZzGzfV5uk9RctMd5UMU5Lh6phdc/Jei0d/VpQnSxhSoWmQHn6reYf -q9SabApzZzQcscBxL9g0P4mMj4PzYGmhYCkkh1GOTtDtm5wleTaoIKz8KTHzvc7b -LP5XIwrzwrtiRAiAfCCdmKz9hVqllM7yV9HZZzXnd5lAqoxV9wt6eiGfB4ORVJFa -sQsPAA0/+YoWhc8Zta819MRABKw+egfWoRm+DVAEVl+5hPBOJGzrFpZdPVPiGt16 -QgmHVKVh9z46OBup/CfhvXWHY7J7X28c0/zHgI1dFJBOlgGxAzvBGmXkYNLXXMG0 -JlRpbSBIdWRzb24gPHRqaEBvcGVuc3NsZm91bmRhdGlvbi5jb20+iQE4BBMBAgAi -BQJO+mfWAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCRlcSCQfv33cdH -CACS9HhOWAyEAGNhCPjOhYsJRY0iQk57Ekxh2kWTO66NLfX6HwnmOv+6z2uMo6Xx -IDqLtCMFYoURkOUuoYNhZBhbLNNCqBY47382zuivs4X4RUNuewQGCmQd5ASzbCxt -Z6eqMG6qJpnn8lsAbI9yGQ8ofwqSs98CTbRsv4P1DVacwXFqGDeu4qKQ2liIdbQm -CP9mkl7dkwJ2BJrc5X8msu226WVeT7z3lPWlmEWnYtJLnjaLeGjP4wEcaUDm6Lub -RWxUAZ7gqRWqP8dX37Y9VSZvKHOmUINrvLAmhhYlZvt8z32PUA+hICJ7AMwB3V4H -oNy/qJfAtkWqODvnG2HT00BduQENBE76Z9YBCAC5xpa7smrlstM6q6gnBkjTs1Tb -68mtEXTGPpc8ds6T/79sApVbyIq3xXCinqtSwYeH/kkYnB3+kBQDgDsSFos8XpxB -Lqr9mrVk2Bu4Pz/c5/vF9L2uhf1p8nt/V+HlC9p7Q7ZCf/TRFQj+3WFafHbBjzDZ -w6kkJm7gBtzNj6FTHNUxv1t3NzbPSeW7tQbo6ptrclLk+S7rgEnG5t8VOYbo60I6 -bniGUvUVYMVVR49BsZ5tW7jrLToZf5wQEE2C6iud46poPpcDNiBiPi/LBFHCr71K -zGnAWsfHu8lt7v9MarEuXDPoC045DLQyWSKHGP9/uSuesEOpnb63J9gDlgaPABEB -AAGJAR8EGAECAAkFAk76Z9YCGwwACgkQkZXEgkH7990gaAf9FD6fsKERbpB5aSiy -CyXWm4vgIla4U2WE8ttGRNOVX646XHN/lA3W9r84HOsFgK4JvbLomiwZLQS+bvSj -9qplO+s5OqzfWyZpdpjZNhAeb4GsfaYThrT0mCngb6gVnAEpvtf/6+4KIQSxqvbe -GXJyaHtWhhXtqd8qzV6RbXDc5kCDJQMSZiwTxHUo7UmWR3fPJDTfhyyLlD+fjI/H -hHwR140q1xnP2L/4wWF8pNqxX3qcMkXm6uDfRgY0eCdT/BlrJAQ0lfa09h6fsMkH -soHd5Pvpz+TkGHUI7TNMj3oOSrSKSu+qI6kJnOUY9PFNwTq4ljvTdbNLymjJiugL -yosU15kBDQRVlEpGAQgAmdVZaxAD6wKTiQ/VUd6EIuOocLXUuU4v9yRooArbbpLN -lgTyzlDRcNYFpvW5gZ/KXt7sfE72pbDWV2HVFfcf8zyTMygz+2tzDL9ldWTAEqYe -is4NYIH9yQToZGoc1oEkgBYwKoEQUnpq2A4IMggRaD4KSc/7W98raf63IrBOK2u9 -tfg6CZDgKHRsv6d5AHSZTFrJR7vh9EIg33z/qzaebZ5lO7woV0q69yqUdzBsdFEc -20fUUIEv2PsWcfNKx+BzKmbddlfwSWVv6xua7KDFge6uDrg3ISWQWCwd8iz3jOUs -eeiaLYk5QOUJapWyKBqYJiOAbbQSTzkVuQMMB4QSmQARAQABtBdNYXJrIENveCA8 -bWFya0Bhd2UuY29tPokBOgQTAQIAJAIbLwIeAQIXgAULCQgHAwUVCgkICwUWAwIB -AAUCVZUDDgIZAQAKCRA2zuTesAz+MyFiB/99TL4ML2eevVmxbtcN3f70VZtteoKv -wIcZ6hDw3sG8DVAjFlyiwtXtDG/mNOBxuW78o9dCceCI/ngbH4qHbCuiKUXpkh6L -Bw3VnS6eORHWJOk4xPwktHHl9YPf4DO4sraq8OeJyooSqcRO++eCMR1JQiUcG59q -oL93c9zibpanh8K7aoHe5P3bsACJED4kqis4sEa5oDA6JVu4LPccic2LTpOF9LDd -Zxn92Ii6MHdyia3E8tkJiFOXurOw2JNHZHbFBHZaARLES4GLAP28VEfuEZirPECI -w9tJ+jecmxMIYj0SdvMp/bOEdlH1ot/JGMhWEsAlZUG4OEj9V9UDkHP5tBlNYXJr -IENveCA8bWpjQGFwYWNoZS5vcmc+iQE3BBMBAgAhAhsvAh4BAheABQJVlQLqBQsJ -CAcDBRUKCQgLBRYDAgEAAAoJEDbO5N6wDP4zohwH/jOC5HbMlwaMbPHRVkDz5wdV -9qivHXuV1PxNKjCPEv9dEdOq8CcyQqTBfZoc2mUFLrulvZAUxpl3ki6afSL3yjl3 -VlXD8VtFmaAmdBgtLQvQ/PvovW2xnc2alM2iY3e/MXdyRCEx1b6zHYUWJALtZXyQ -a20UE6g9oTePNzaValNnup24ymmPDHy8YWdeHuDTL8dh6ji6v58nwAQkZ3NlYJgp -bUBj4TJfk38fm0h1BRnKCMgOxYp69lwLmC7EbvbgauzYn0Elwl68t02njv0Yga+8 -cHvo84nRQHnn7aVWBaJWwwYKMzMlXndJWsj52gPKXyO51X2Su4jAvGxM59m2VcG0 -GU1hcmsgQ294IDxtamNAcmVkaGF0LmNvbT6JATcEEwECACECGy8CHgECF4AFAlWV -Au4FCwkIBwMFFQoJCAsFFgMCAQAACgkQNs7k3rAM/jODoQf7BTBbQ7v7nJ8CxSr4 -P3Yqsr4jXgaY2O3M0ilodmeo0EgxhK384O1JZ4NV86YVzsGI//+6quGcYGt4fcsk -Rf/9cE4LhhnbP6N2Z4XyyyXVlwJNR6oDyH1zqpZTCtQNmou8hxm1MvmpM67ue2sm -LVg/p1g+h1NWbfjoo4L0UyRUlDlELun6Y737pg6usNK2IOcv6G9gv+QVi3DVGpmU -2+z2SK6Rxh/5Dk5sDoT4oM0e5DL7KTt5Po+dWrUyo+nUtm/3L3ugNHl48vA/Fvy2 -HBH4zxs+Y5kCyiotePiTww49l5QQDYPdFylab8Jd44wpwiJEV93cqxVuzIABFM3R -eFqU5bQbTWFyayBDb3ggPG1hcmtAb3BlbnNzbC5vcmc+iQE3BBMBAgAhAhsvAh4B -AheABQJVlQLuBQsJCAcDBRUKCQgLBRYDAgEAAAoJEDbO5N6wDP4zu7UH/0Y42wgW -GcVzDJu9zFlMX/XPMXJYbSENOsSyq+LUhGKLK7xPjXAl4eWVrUWsGFQTO+syA4fi -pMw1XbTPpXDaNxacfjSwayeTV25H3KmgnQgKQXH3Kkfze9Zxe10vG+knssaOkf5E -YEVtthbBL/k6qKC2zIrixzfS5MOpSK3sAepn1mNBFjtPSikaNwHtxcBXdIbikhuT -pImu/PfGlOaeYwgUm7Sx9BmfGnZLvTz8MGDtqziXld0NxO0lXTh5Y2+Ojv0yWisU -oXA44blslYYWC8aRR3FCWCxMmKfkDb9ztM5KQbQXS/nyYra6/Nsh/Acvgg4GBPOI -enT+uE82YZfpPWG5AQ0EVZT51AEIAO91fZyiPkiioZURT8zZfUtpQxLJOHnovp0h -1yo1xfX7okpq2nM1hytWu3ICZ0CpZw2kv+bmbRdD11xbobFnl/QWb42KThqDL7T/ -+chZz/uMzrHNFgzRCRiTJlkTcI+Q4jK71eyVzMWoiv0xnLRNf46x66AxieXYTkn0 -e7KPC2sUppfIbpRA2BshXuJqCzjaHH/z4+QI7JTAoROayyApVcGgO7njWKVAk+JO -d3iThS+wjnzU0sBIg12yT6q4w/M6MSMOBsqcwOMtx/iXmEHCWCuYzubhOL6Bv3k1 -1pkkBgArD+wZGA5JuFYfTSAnKsCWbDxVmJzGTkqwY9DgIAOpQgUAEQEAAYkCPgQY -AQIACQUCVZT51AIbAgEpCRA2zuTesAz+M8BdIAQZAQIABgUCVZT51AAKCRABClBA -fEyMvSc6B/9tpCI1LeZx9TxpYo8PLw1QcZdwpxQU9hanlg55ZeyL2j104cz/7fzE -qHd4zNlzS5J1fs2xiuDl3pLP+tPz3uOBxiergyAOcprXMCZOjAksvUpwuX/Ek8NI -HjUAk6iCbFB0awUrrXMQq7WY+yYfCP7dUxVkXP6dHOQGs2B94TMUYkJs7/QVYYE0 -qGb4XkgwENH07Wywt/oejBn9UXFo80pv7Rz6jdELoPF60hMT14ZuDu7f9Jxn2of9 -4QJGNlA3OuueQR4W25iaJQe4P4alr3PCTmyuoaFI5K0yHByB489JO4eSPLOer4pf -tNESsDyBwc8A4Fx8ro88xLuufYnoPwrTAkcH/3d/MGABEEmqDwRDXzH/cLh0h9/O -inNEgilOCc+zK+6+7bi7x/jUw+aAIN+bmO/6+EEnl1GQuUj7F2ZxXU9tPRvbYF0u -Coyd+ZMayHbuMc8etThWqvMNlbNeZegLHbNO7NsoDxPmDb/rPlc7tvKdxUVGKfZS -WT78tQAb4JeJUR4G1Rm+3jlkCNoiaFCV02C9HGXu3Amqkz33FJKjCnEv61tmwYZv -kLc9bYQzqXt8rvb3nlZbvbFYlf3oNU7YFV43a4W0y07NtxiXzPhC+E4FIAdiaBbJ -mv9EEXzrMRyXuZFOUZx9wGAC77dHcJ8cw7+MUxpJ5ja8aoFS7ly7sk442gK5AQ0E -VZT5+AEIALH40GSCbgSuXVHjhUYYLeo0TNBevlZD7Po1OEyhi2eEhrWYg/3cAwr0 -/neLXXD6xiAlOXcN01H+OjY4ZAmKzm290LCRBuo9WPsRvHIECAY9XZBeL+tu69bi -SXv07vhvqmMG8yZ6Hi8Q5wUHJvISo6MC6fbq2RUVnkscgqp4jlBVjRNo97Ngi+WE -co+znvu7pio7uXYGPT9UorIPX7cQ2kpbiYM4UU4i/ezbAELc8Ttq4IXzz5zi/Rea -/r7HR7aSpapzVB56Wwg87F3c4zcwK9bdxxgdpRfHnBJ84mrBZlSGwKN6a1ksN/zk -s6R6eNVhO9UbozzVqgl1Riz/aXlv2tsAEQEAAYkBHwQYAQIACQUCVZT5+AIbDAAK -CRA2zuTesAz+M2u5B/997Q3sXvQo3J2ZB/gSXYVIjh76pzabO9NIlhW2fX3Z41Vs -gZKX6tpTGlqUn9Q14EkntzpGBtX/3PtoycH+Ta0E+IfpoINwSy/7SQfWmPhYxjMn -u3LH0ho1mkGMuxXf/dMoapovKY3d//ud6KcPruq+W+8ZXD8CT4zay6z/5JIgFAP1 -viRNtyVmFh6NfZTIsKGyS+jaHniAR9N3cRa1Y7gutwT6cNV1zpTOAOBx0L75xLxG -y6WuyBLaaZIhk0f3ONryFQslIsVGGs/d2QJm2xxywvaq4JrSor+TPJxXu3JrumME -E9U0zENea7N8dQxWQBmXnChX88eRPHOIAdXEWrOj -=YY/2 +mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay +hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3 +iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi +2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa +N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz +UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0H01hdHQgQ2Fzd2VsbCA8 +bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkK +CwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0zU0ARvUXH +jbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR +nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p +3tPbnQzANjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyH +sIvebMgKTI/bMG8Z7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0 +hmHLqjWqYs5PzyXeoNnsPXJt69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga0IE1h +dHQgQ2Fzd2VsbCA8ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsD +BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+ +viob8935Uirei4FvnzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeA +RGwWTQYGmFmrNRWZ2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAj +eU8uSarmeZgGVMAInsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE +5Q7wnnoRXdLyNet0AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R +4gYFS/xGfTgocPUDZ4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO +5vISJkZvqE5UuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg +icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM +k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6 +2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex +F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ +P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC +AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v +Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb +SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x +dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL +HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2 +8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2pkCDQRg +8UwlARAAotCdQIMF8Y6wFfxmpuaOGmUlXDxQXDtG31jC+Zk/GVHN8TtXK+eQ7HG5 +F29uzivxUna6tWD+/qQrUmTrLTT2P+5OFczUtaPFaDMyWdywIlyOVgfyxxfF0ssx +rhRHKP1U9YY072/BFtipXAQkemNts+Vpta1S6ru0PG/339fjP5GljOgRYlCqnwWX +aibgwzRURqha9CYwqJdA9b9b6JZZutdjgESqc7lEjhEXXNdbrYnZBooWoKSQ8j+W +vqh2eBjc2ZGfgQXbrmQzFHRCoCtvD4tD9DZte10c19Tn9bl6IzL66KL+yvwZG6b/ +rr2aIkhAHg/hv/k8pPVS4Zso4vT/tJcGMh29wAoEt8BJc+wmcBYAd5IybzF/dzpQ +gDK7hYbf/uoULtM8dSj8cfueY/8O6Elcx/GZmDQ+ZDOM5RlZycSZOmgbvJWjgEWc +OxBDc93PoXYKPgvpF6LLTbG4rkE0J5RRWiDO1MtNvcFp5QikhJshJVvWQR5z4XIo +YvFm36EXU3HXzK2sQhCFNRv6FcWCn81dpKGU0pMD6aiWHJMox7O2Xs+QN81ZQFzx +RFSxAhK9NhEqVsRWm5PIrQM9KDGUp+bW95QR7NVxag7yWqjBNbp2rI49OmFLg4Ch +8QlmS8aP3HyUa1cZUXLA4Gd7OD48SpAJs1F7ecm+ytxFVg0K4tMAEQEAAbQbVG9t +w6HFoSBNcsOheiA8dG1AdDhtLmluZm8+iQJUBBMBCAA+FiEEoh+rdLAIiqNhFSWG +uO8aa6naLVwFAmDxTJECGwMFCRLMAwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA +CgkQuO8aa6naLVxBqA//QskRTPLc3HULEAXkHsChkxnSbz8fbGgyzuhFclPZRMvL +yyjB55gJPvZslQX9FB8Qo1WW5b1xC+lP3giDVvEwbvWR+egDJD0IL32ZBCq6QaD9 +sn5APf9q3woXnO45BVMAK1igAfIciz4gAV3Zt70WTIYgQLBU7/a3a6/PVpwL3HfT +lz8axDO5jZJAg1JUZH0cHcUns0rZif9fGzOZa5UeA4/TGFDonmCArLv54dbvQvkA +zhq7qP8ZLuwfO6lUpyjODMtvP0bUnho0wTcN0DxJrpgKyDTVAzWW3t3viJtt5erc +j+55rS26NMD3EQfauCtRpZnnKs0oC7HX/GAjmSmsfQy2gNn1lSQsqdtlI5Aph5FY +Hl5gcp3VlXX2MiTuCxiYTOwX5lhmv8iESkSmRpSWr0WPlAJH6pFwm84RQyDMkU1N +86iXyXF61Q7JbwdZjGwRiEe4Ji9h0k6DbzeRNsYhGph20jr9M3tFcOQNTPEu9Yvo +y1Enpxk4Iy3budviu0hi7coRv5AOTabzMgiwTmGfuBz4GyMCi5XJuUkSes+LCi0m +ZlOxyzKevY13xkKo2GyaFBB7ArCznlTBojlWaqGVkFnDB8vVbzgNBVceNca6XQy3 +7fWnfnDP6GomFxFoamEZwTOXiB9AdxzpP5Ji2enKzRPl+cRtaoaGYALqzDK4jxW0 +H1RvbcOhxaEgTXLDoXogPHRvbWFzQGFybGV0by5jej6JAlQEEwEIAD4WIQSiH6t0 +sAiKo2EVJYa47xprqdotXAUCYPFMagIbAwUJEswDAAULCQgHAgYVCgkICwIEFgID +AQIeAQIXgAAKCRC47xprqdotXHrLD/4xu3Rb/2BCJ+6eO8APqvuNyqK45PCy6XW/ +mIVRKV4Cyt8lDTnIIbPnvlMUpUuIw1fU4aSoARIEwp+lfLxFnuXY7y1XDlDRv8Md +95LGSgzq2bdqhs8/VQXdrq9dNB4wN4mxgpTI3ITEAnLZQBwQiP41e4PUrxSB6/6h +Ag56+dJYeJDXgWR/+oGBJwdVKpHPu8v9IKKZN5BHMTtNKio/XfED2rbKFhTgVujk +9JXV+ZtfRC/seCrtv2sgcJqG7EMo93A1fHCTfUMScQdQKiwClyt16REPEFBEaK+m +doELvWwkaEApd17vpX6odoJn6F6FomRYp6AcxBE7SCxFHTWtjLCYXjblck3/lv76 +38gClZew4D5Pp9+tH68ZkfJ+6ZEqQ6tdrPSeHopl+2lJW4Q19l4jKP5BktqKNrpQ +dPN6CatPVIniNmnMESJ+nxQDl8eAq/SEQJyrbxsU9185AyfFpAv/kBO8FpI7Q/fe +JA9iX9RgqhSFj8fifPFV6eVG6GzhDWARlr3OT5IueNWhSpF3uZryvZ9hZk93zngZ +8oU9uye/VGEpDoPWZNKO5XCyr4F906jsEa8DDhqsgSKx5C6ayG3l+SjgSMr7aL8k +7qt6YhejnHzmLmSTnFeC551ujpPbIImtVoKjcifhUnUperS2m83DOrGdSPLZlweA +XKBxQfTdALQhVG9tw6HFoSBNcsOheiA8dG9tYXNAb3BlbnNzbC5vcmc+iQJUBBMB +CAA+FiEEoh+rdLAIiqNhFSWGuO8aa6naLVwFAmDxTCUCGwMFCRLMAwAFCwkIBwIG +FQoJCAsCBBYCAwECHgECF4AACgkQuO8aa6naLVyVHw//ahSVEV68q/P1ISiSAGEG +sHN64EgnjGkoutH4D4bXgX/VTwOcPODii7Z2RXD3KbxqWh7kcY/pnITkqNh5GM+3 +rHk7Fm34Lg4gTX9bANCFuv1nyI6nxpYsP4pC5/5gPBoC84DzxIhG2R/oGfidbbcb +9eRPHVlUmCCyXJ+1S1/BIGHPd7moj23HOsBt6gc+VA+xVuqYOgIxIc+o+MkAav3Q +FFC/Z3668fKeuePGrJQEeQO3tZFj0jJK1w+hAnZSfC0Xmj44lq7ywrX9THJgECZF +1/Tyx7T7ZF830/exnXBFrTxd6qbvZPICt0Av3T6AAiLA1FNfprmqpUQdwKMy1RW0 +idpANAapx74Qfu3CAf2ZAGrIiNYyfVz8CSZ82RpURRiZ1IOjEV//xSL5clYvoRbd +Q0NrVjKOqXrtbDQwzjWCi+/zYRXnSYSEaGFIkLXBLlqrU4zlJ+xK5GgtsqvIc1oG +Antmn8tbFL8g7VI7pXVUzc1dYnODDwvkGeWRMNrh3z9qBC5Sts1JS2SKbQcL4M6s +OanMY9JwR6Gg00ciV61w1n/w7Mkug39bfFInaHOlt8zRISm2m702+ILVo4Yf0Hsy +TbckUoOEmdmcfhMYAJ4BXYSlJNNV8rS3BKmB4zozumR6T9P/hO0/Mme7CMOQJwQv +5pE26qeTbG5P7KaDdFpez2W5Ag0EYPFMqAEQAKYlkax43RLvRadsneyvd1abbbAF +hnmaOmnQO5Cq3QfgxcMkHUECBhdTKMcym963DtrMaFP0p2P06cXVW0jtu9TC1HKq +BHORfrsbl7KeE8ebOol2PcU8EHgYvKQFEEi5VnP8qGpBeLGoRvuftDVA6XYwhHr0 +cNpx1WzG8swAoAdFURK4aWOoDgSuy5B8FwBF4daTfN+j9bNwyyyJ46DOdCBkCSyd +/P3QXln/Zaiaw4n95WfQa+4dsR1YWo/tPIlihV2/jA5FupVzrk/gPKcxym89U1Ya +KYnfTTnMPMLNNFZ6vUdP3YZPhU/NVyQuhpqAYtho4yqSzTM3wROiJCY4Z4DGPVs+ +bEn14cndMe2RnUt8PUoiF16McN+cKAtf1HukFWrJv5XQjUjR+t8vBuW+8DQPOP34 +VWvf07oPM8s0Y/aeRnu29cjG7VcvUXrfHtcQd8jiR/K48Jndd6HDQaxWIQ+G9fj9 +A0nK+E27q0d0uIMM2sAdo7iE6BC0BrHkfJ0IPJOhZOb2fDGmLJTFNs2ux2t+/QvP +gPYdAtpqG6rcOxqvDcwx9h+AYKctAnvAclp0RxCK2XCuL2Q08wX1vpWCQRxZTXNJ +oXldooer45s/eNHGpMy7xheuVAOvbbEvEP97Fh9kCxU8sHXBFGTYGUVp3JwGiziP +58NcnXoMPBfrNQCxABEBAAGJBHIEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdot +XAUCYPFMqAIbAgUJC0c1AAJACRC47xprqdotXMF0IAQZAQgAHRYhBNxwMmYq+IXi +9H8kP1J0ZqIcp55tBQJg8UyoAAoJEFJ0ZqIcp55t7/kP/jaWELjvtGue/qLcL7jd +8aDLDpoop4J3eruX3n4vKgox4GCcZ2UIYoZODDsomOOgsSSJhSiOjNdx+UpbLmhj +G5de3+VfHRO61Aw/Q/bQ+PoVXudOFLAHamihxYRPMcliduIrfS5iF2N+fHEO4Jvx +MwP8AihHs9WfyFJceoaxugZwLhOhWIS00LeVnAhmwNeyO9jNR+dK1/H2tPKjoOK8 +8jRDnrM9WriN6bdVTsv1SaO1fqDtss+DTRgaowjdZjDpgZdbwZXWc+KGSb6qAhYM +eAY+IfCx4pcoNjlmVeF4e31Bh9v0SHXwGIQk8+PeTdbHQx3sPUHNzz9L1cs8KAiW +NpqAomdeitKNtea4GACXGNiggorYY8PpLR2fxNdPHJiSRNGVxvbBVXRegBxBKH2m +EYFxL8BTsBAZ8rQKtpdXj5pU3unruf4UjGJWp/d2KbBdraJfo8OxfmrKYCtiT1qg +eBbLqcZ77wL8xga00xnwi+M+yvP+kJmKyQQcsdFv5ZBbHmxHzs9EmP0b7GhkNyxJ +kJG5/gs9nNj8JiLmCYrLpxzQtax+pRdWtfQ9paXvNhId07FxLII7ctvrIbh7Cgl/ +7J0mvs8kqjG7BOqP/AKrrk+7ZHRzta2H69337yHl/B1Y+jSptXspOrsghHG9PI6g +VjhvLc6TbejyL4sq0Eayvp3Ei48P/Rk+C4WSp3yzOaVQBVdI1an9vZVYZERw3ojZ +naa6qb1t+XAEuyx9sL9sRo+PsBmiZpLK7oiY9irTQFmvu1L3eMb57ay9xfZBuagt +OIk8fZ54OKpYmQCNcBsU/3wCkteuS+bHU10b3MsKJLIcbbD4Al3B/ydr/yQugRp+ +OKPKqPwixiGkwZOlfDX2OGKjRcjGjEQEEkPT5NCl0MbMHcQEmmM002/d4JrqDu16 +yLu2ntZaaXi9xweYUNP8xdXFcwqy1337BGTVVv9f/VWponEzlj/HVf8pTfOnezb3 +yZPC+zvmCLBCmIShA3wlyGaxe2J7vUglokfCwKsWaQcdv+paJpkCe0ZSqxwZFlBs +gvFh2K/7MTkctLsUnrxhXHytrBTJ6SyYQugvN9DtOQekhU1k6w/XPzQtkgw1kAq9 +U7ndxmet+AaME5UEYCaRiXNrOMDjGgEZ4Vba/xmUIXwszoXGhwFTAV9BRHHvi5LY +oRJ8xCSYHP280x/rd3yFvG0uHOuWJcAszAidaGMgC5Q9QZWesIRUlVGa6LmFbvHY +ieAJX/foXGDlPxp28ot2xW0RoQVc/JQd03BHj9NvoEkhQ+4g4tlrd4ZJmGGk+5N2 +BjNpLF3UNuUhjNWluHa8WqgI+bGePDl0zDU/Yq2t0y/6P16ehkYVRPIjpSSmxqKg +vsHIR5jiuQINBGDxTCUBEADfyegcqR2Ls6sFQx/IawkCdLPSNXxXYrutLmni00D3 +gdiVcFeLfVmbDOplTBFGSRiKG5NmORRcy7B7Wz5UrOzF7S4ZS2tOYojF6qGbEuxG +CPhgzTujj9Y/IfTp9iJORJyv9HVhkIJUmP68sPuUoXQIx0neIQkbwcX1+xSRja7y +JCKfAMZU7zQUMrkeK5bjp30tS1xQ5Wk1sUQGQSXQfxsgGwqippH25F2WzGRQPdxN +rJKyyeugj4GivN6/g1IuvhMrzik5GcNDlOktJO8U+GdX9AG0vzjeRvMIy78Srvk5 +ndixyzFEzIkkO/ytIsOPqZrNfjDgVhQ1/Gkv6aEXtDUu+/USJPh8uDhu/ovUaX+M +FPmdkB21GK7p+oe/kckr/hNu0FgoDbgHZthfHCLMUNwdJgGqan9hAiJDWz37Q5b/ +4g6swMQKGzSc5bCkK3EZhDyDqjcYt0z/h/OXpMB03cMHT2+bvKYHoaQ7pnIsh32G +ewN3jZekbm0DCFkIEM8VG63lCZCox8C6KpExw2nyXiiO/tpyCOK96XkHxDdI2eR0 +lx0x7uOdtBVARzbrb7h6gstJ0K4b6FxHw+MKGJNuzjsEih7tWXRBWuoiR3gFtH+q +UjjJBDA0bRVr9P4VaTQ24QPowLMMw+Pl2A5PsWXQzjbmvYpzvd9DBiNgbC0NZKLR +UwARAQABiQI8BBgBCAAmFiEEoh+rdLAIiqNhFSWGuO8aa6naLVwFAmDxTCUCGwwF +CRLMAwAACgkQuO8aa6naLVwVNg/+Lxf+Ra5D8+/I0pe2De+4HP7E6QRjIUMYWcSq +X/vMRP6IoPfxfdATCmhQH5QoYhDD3Pg49FawhsD9sTE1TuCe5cO20690QbhE7lav +Et14LZk5V8KEUC/dV7aBowI4X4KV24vwxMmevt+EMDGK+O+K7CojLAXDEp1kw7qk +apBWAGheC0Ww+kZFnJPgu5OKbPyiH5RCokhLr6Y5NU6Ym8KErfsyHmSOrrEi1mxn +AA6p1x3tBgpVKnDGGyIC81cl0EM1L368AM4vF731vvEIT/geaGU+svGAQzR0A3CE +wuDmGlR2J2VkvrT7T0GSuHbgJWUXf5QcSj2zVnnubnz4eQCxQCDaQVj9ApxylY/z +93wXAq89mWGh+YkJqoUmyd5chSiaEEIK3J1m5zliPdQ3YZrxNhiMp9SSRBU9mEKk +R+dnQ1+YDpeTnME+z8VdY3NN24WbDgspQaKtWHfYg91NG4IqiO9XRma12amkM7oo +AkcZb/Jxfe0lBiwwrr6guXo5nnEAWJiwq4CIkXCPhV0lZ2YVGJHgW4PbFwpWvJgo +MRdUYR9kvc/W5ayxH9q/pf/D9PiFppmk7wm2e5CK1LGxr+xTQrm1QN1F3Mz6w0e4 +UAv8TQF9UVzBjZj67vcFbYJ5+9lJ3qA/3S2GOuVP2RSzXkAJ6vXN1SSkNkyHY7xm +yf5OKseZAg0EYCmvuwEQAKjJzMcw2BaJWDiMyO12RvmPtywo90XHwHsUk0wWsv9n +8jUGPAxNDt/Eq8M3rPeaMAwqFT7AIv29RJIxS3LN79+jHT2fziNgPA3effujOSuF +wMHTWJqIoIJ5E0RbqZ5Ozf9ok8YLOcg6T+QweWdmdA9xKmEh7Gj9lTIHn2HqybPY +u+hNmDRp5l4nB7Rx9pWdZgDVr3Cv5AkNDBGQSp3LvvZwzTc+Gz+xFZ3j6cGo/VfF +aVffRiNUaMOxjeAf0ADLihSdvu06aTlL0Ugq4x2SRZ5TQBubz/fo59nIwVtkMAxs +7yLe6fh4hA6Dm2PKdJdh6XeeUn9/ChId58+Bq8KQF2SeTzjYsz3Gvba34gqbL325 +bsUOq+PBs+gyDrPYlquXQWq7caEiMKYox7pMF+RjAHh+nkq3NHCtKMOjXq+Qygzr +2ZeoDvB/UlX4Eq8TpBN4823yLHiJvlzqY86sWdgbVfe2Q05zj+ropwZu9LXExrHX +arb/NJk+agm/NZOtIXyVANkqMydeeGtkxjyHuW79ATgNDUz1TU8V1/q/Aus1ocd+ +L+tYpN5+ysanZMipTiWbjmnR8OuhioMwv6CnxExRkFTwzjAbCGW50SIKg4WNe7YQ +K++CsHskeuH4W0y65E/HirZ5E7vk16kN9mqanjw8iqS3ZvdWOKw1x4HvS5iJRDZ5 +ABEBAAG0HVBhdWwgRGFsZSA8cGF1bGlAb3BlbnNzbC5vcmc+iQJOBBMBCgA4FiEE +t8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sCGwMFCwkIBwIGFQoJCAsCBBYCAwEC +HgECF4AACgkQIxyEzdzGnEVrRhAAgCec16Tf5Rdkv+7hHqGz+UmikL2n8wVsKcvR +vXNmdvMptu9rXQ8Dc8S/6zOHKUMp4MhsMoXXISMjgFM0ItLywsoRlZItMxbUxmGb +FablN0V5uGiPpOON/GZ7gRPKTf6/eELdiWbSOKoccSu61EA8hbVUMVBXEpk9qy/X +KPdg2IFKS1NIfUyNlm2UNiOn3PdVNzO+s7cEEklLFDkJjvj2kTC2PB0tOo5W2gkv +y2Fncn2NKdIOyAVWn+k81XHFX3xh3z0mozfgy864PeNhI4S0xQImAwVc1n9zb4Gl +atf6yw+qtj28Guruj3Ur45AdtvhnWmMr93MOrXzcTfa5M5htyjuBr8moTtz33vNj +R+BCwjOF0S94LigzJ3PAdD1bMdRhHsC1OAX2QqxMfLwfrJ7e5okwgxIR0C8jibEb ++T/Mb9Aqsi3WdQmH8zu67YhP18z4ChH7ZVXW7W+KbGkKk5elMHiZMhHlh+JpF9ec +ebnmKr+h3FWP/JWoVRy6PL5gL1ICgpEYlFBXQpm6vXEA4myDBQnWJclnDKmjCQjn +2OnCXapYJ9khLVmukh5uJWThkFocN7W/Xvy4s7chqxlHscu9wPsRJfxTzyeDwnWd +cer5RzviPkNzoIxN3lZhOQW+GM7fcmIedwrwItg4Wyd0gZe2z84SGnTw3kkQscJ5 +K67hQhu5Ag0EYCmvuwEQAM1DrDqNA2rFbEcOMnNxdyVAkU8HaqVP/l4xrtB45iIn +kOZjZVA/QyW2SatzxP8j019EWloHtn7zMTmWaNKLc3l9haOGhmn2g/RZh9It5/gq +kPsp8QRNoGiGfxzDQq36eYQ33TjD2SksT5YC8PSpEqeKVwJRYTkSzvX1bx0yH/xw +HoWIIjnybIi9XrfINXUOI3IRwo15qwgUXyfcUJ3SBY9ddL0V7ua5CkgngtvanfKW +pxj1RpTyf4tABvUsvWQLjrwxTQsGGGQKdnYFpxacm7smvNDU2KGT4lHJe3RABFyC +whO3z7etB1kNvqjqNOLEKU1c4nYsZkwAjY2tCml+fe4GfLTq97J172XeuLC05jCo +R8RO3o413LSA53jN6U86d8y3PAN48LSbRvmJs2wwZVga7lua7hcVmuTyK9wCISDh +Mkdxi1SZ443K6GZoJtwbyKfQZm9SBv9gtwGksGEUVRR3UAsF+LpxeW8WVJTQcdCg +1EgDIW0LUNBoA5ZD2/bUpIXrMUb1CDfIcrL7EGNeN+nQhk6o3mOuZfFt+X/4tapQ +cPni2ZKIetR/UKJbqej7hYEj1/r/5AJUsUGhK2U2ChG385whearVxMnalNI+XdLT +4ehsIRqWUQYQNeqwbGZXaQ2bGxSSz+ScQYUSWn9e0yuHKSJwh1Bie0xpF5uWOumL +ABEBAAGJAjYEGAEKACAWIQS3wcFDYPNTo2hi5NUjHITN3MacRQUCYCmvuwIbDAAK +CRAjHITN3MacRbZ7D/4jMZVeAHfg14edotUNO2JReCs2g5XjEVNL6S9lesYLmL6Y +yFp709yC8DKOywnt1U/ZEkFI2R93GtF3YPgcVx/d2f+frjoc2JOKeKt++hR/hUgD +WN0On2qLGL/+07t+w/Kffl3rvY4D0ALdxwGCOLpX1cDnxESicX5qnZsTQkElhMlm +sRP1afIE8SN592k5FIdpeqKZ8c3n1BXmBcQVngKLWMK32fpYRvSij6RBORRvzPsX +0/7uiOND7gquC2Vdv2KPELAx8ZE80iee6arIonQ+FNXCEzUk12LnefBVj3w4YRld +aIo8VDqUAbIstfBo5LO0oZJ2wU8r+2nJWKHCioeMkJTlK389WWm9EqFu2rbgV8O7 +tjIM7ZAOnb8X5Ah1WdQU7YjXF5vaT79PH7ed8pg26L4AVq505uWthDM+uWzAnMKa +YH85OS3C46qvae9CvYlTCZJpG90IB7wQj8cBr+6OUDztPr0vhProrAFa4GQhhlDE +W0KIL4GaSw8Jh71MFNmbb7zGTpSJIwq6vARJOQOP+5Qaa0YeLdxIk9JDnHjUI5IR +z7/JnSR5BNKeeRWsHvVwyvbJV71ZaJSpSgduTCKLL1gAeSnvqMdtNGwKOzw7ai2K +gBbTphvuvWJanq3CH+CIHOxUmd14/lKz/zlNB+uXzHzImO/U5CIhGtNPPoZ1TZkC +DQRUMGs2ARAAtNb/ePchWM8G59FJBJDNzB06w6lm6fnq4V6nVQ+cphv6V75qseSp +cS9U2TLlhBbmqvRFZFvFpuYJZOA9eCGpSFSgEQDA8KoDaz58NBggJjSH/jpr5Ru4 +HbEkfd3gCyadb7ymaXhFWY9DNIENYuECCEfDzKrPto2mMnneB4UWM1GximTJ6/eD +p28vBSAGKtAe/Vagb+TXzHNihCqy18Lg0o7WXdkxge6nixe7AnM8haIuV04/gYlX +3cQs6GBGtUY6eYRpZVY/OcNg3XyhA/wVu1QnpeB/lk2RqkxUNXt5D6NSnapcAxfg +otiRVOpsj8tC6R6zYZ+hbHUBjrkSoGD8nKJe1cyRyrXBjTA5FBRldg7IJY0Llko+ +UzTV+bphQiCDfeHi7x7VfW1z/fMigf+aa9iYWoC+pHVOzhNHP5roANOYBkE1CQ3i +zbEaueGAvgi8jPXcTLx+8geN8jH1L4CnEkbdLB1KPIOWjmHRatEl0FK/Prf4h97e +fycYagYpPBQYrtGiErEw1G728UEEHvy4X0fhVg2URcBzi9FRC2qX8NcIYrRhvsvh +fX0CCX2ucsxIgvQFmGYx0WhQe6uiwLxdFfLz/qZE9ee30yut1ud5rdflTzLdi+99 +ovvwqsv+h88DnZzZzcnxHb5tiaI7PClzdtLwoZ31Bon7048bohYm/bEAEQEAAbQf +UmljaGFyZCBMZXZpdHRlIDxsZXZpdHRlQGxwLnNlPokCOAQTAQIAIgUCVDBsHQIb +AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ1enkP3357oyrtA/+I2EEQMlh +FOthzokCZEiDpjKIqN47HyRe1UJ736oLML5j16HJkHkPKXRht6P2M0l0QMnMMcrN +XBTg2t959xNapQ5AM1ukKUa1dxAeVS2GNEQ9anIAQfU6EPk0NNIwjlhgpkMR+I3q +gSlaVztYrSZdm5jmYc6jQHfI0N9Xzjn7sIY8r3O4Tnr9/1IuYJoWwKQ0wZu9XjJs +tGgF9l2cLk084rIldDRMbQJvEYyAg3lw6sGmFT5ms9hj6niMSgPmu8W6BCXj6hGy +/HKCklXm3yl7WKE0yGbO7cKlG0yOZEB3Mr7btnynubwE5G6gL41tdWlyaMi55cOR +h3E/7T2pTLDzETf3y0C4RelsJWhDrxvo0MIGmjCC9S7fjPEOfTAp23ZgYcHrPsqX +tvxHJxYbdjy78ez6XpB6ESaLLpQpeXvNbc8iLfX3ZbMSVSLtO0b9u2oLpg+zRTdJ +AyQ1bPCSNsoz1sLiA8UwrTlrxAQ1zroz5RJaM2DROICQY/08OWljKG2OJwJOAvnW +UObwsFev1xvO9dq/slzo1WHtlvLz2vUOw8XN8ORxw5fqdKepgwhKa9FQasZ+CuR5 +4zQw273do9Ouz7R/Gr4ckhkSFf9gLJA3iOoz6FAaH1s7AzsFpxo/0X2+eraEMrZY +heVYKFf1DvTECtWImrMjz/vo+HWKc9uNsly0JVJpY2hhcmQgTGV2aXR0ZSA8bGV2 +aXR0ZUBvcGVuc3NsLm9yZz6JAjgEEwECACIFAlQwbAoCGwMGCwkIBwMCBhUIAgkK +CwQWAgMBAh4BAheAAAoJENXp5D99+e6M1bAP/0byoJMiMsswapbBypQCT/vQmaoX +jZzNcU4qAKlB5EMlHkxl1T8ytEXxmNMd/e0ltV9HALeBqX1eYHS7oTG3rMXKuYVY +TO19eM2wLiCW664EUtOsB9zAnpp6X+8UWMoNEpWlEHgkdlADQ0xIrrH3pt29SAbd +x0QsvwkWPawEoKMoUiGPnVY4hAt7Xx9gDmWEa2T6tExd9soBBTIuIpTH3MbAEHsv +nBbdyarNltGF/pXYGMmGaYmU0WujqKzqpBpy3zwd0Rx1Kms5e0ZcypVzqx3Xgcue +W8fbMPTZbG+Z922GUFDJ139WjAA2FsMJ9ES7XIIoJh/4nfBwk+PXcj29TieDnl2r +d4x7Yxnqp4Vzau+IARz9Vr1OIFVlQbaSdXfmDFi/fvVf9CJZnWwcSwkqp4pk50Zy +nEA+8TzEQj08jdj0+yrJNvbRxqbIafzSmoU77bANs4gc0WOdTTpvv4honUQROARp +G/JT47hE7ATVGNdF7bmWNEyEYFtZMdGP0xD+K0xEgsir65aruVixVrNKxOX9wqx6 +JGzHTSTgtAVYAvMIsWJTLuCXZbMRmmmmubfyVaMAisz5UIYD+TCPncuJ1dMUW9WI +uLNFGLTRGHri01EWe2epaHZWA0WB0cQZaeGpc7C986WskDi9SA9ZzCIGW4oQIBQX +lRJjjYxIBCnjxtUWtCVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAbGV2aXR0ZS5v +cmc+iQI7BBMBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVDBtJgIZ +AQAKCRDV6eQ/ffnujJjdD/wJqQfA2rAZ44fXwJQTPJBGdtzB1XRILj1l/CgTC+C+ +nlZVkZ+4XX6bzkvdC5eS03bVjwELPJQ2IeFfOoSGICyvbYrGcm8vuTU+HRJegl4B +20Y3Q26dMSnxnORfY1sz2aRvGXQ8+mW73aKMv+E4VzUteh3LCUXJGp+qBYwjQFkj +aVw2HC7QO/vZ3IpqwvwvpBmJcj1iRmGbtQtyPqC9/qlsIqgBvYaf83nbCLDT+6Nu +MG9EoA9HU86YZjgD8E0Xxktgx4aWwB/T+jGT4hQURrAEUURX00RpMyPVtTOG7/Zf +y/LOkk6Yw/PuNH/mlBPHMlHDY9cnMkRhQJ8H+THjtzKs746HKFMqGTXOLe/+q4er +HHhY4DLfwxRWW4t5L8/XCQXGjek1lpLXePtVpi8cHBdJ98WgdOCgr102gWeX/x8+ +Q+DvB8mLEuhpVusiFIrgDr2r/Fos2kzG2JPNV31wbgSr+1cZNH0WH/fhye38lsiJ +SDfRaq0ooqKQNyUfvID/LnhXMnJi55dg/X8mZ/7L/lAi6zEen8g/+RLc4M1tACfA +QycOZ+3LZmelIbmrA2WTDwtrgfS1YaUPFt5gw8SaGmHuWxNqdHGvpsBB2UKW6Y5r +U/9seaxhWWMQVDobhp//eMxGEqiyw4q5RSBFILnFyzi0B8hJfpBJAixJkm5+9VrD +PLQlUmljaGFyZCBMZXZpdHRlIDxyaWNoYXJkQG9wZW5zc2wuY29tPokCOAQTAQIA +IgUCVDuNgwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ1enkP3357oyz +4Q/+J+yZefxSCijTyAyQwGJqv2d+rdZvptCL0i9MrmYdlkgg6Psbq2VlSz0CKz9e +Dkb1iSc2U5kS1Fk8UDwxdM90uJJKKTMqk3h5fvraP+Hk0DxdEJKS3A11Ss0XuY80 +VE2AvMe5rSR3YCo5lqm4Kput0SYNj6YUUmxaqD5H6GdP5DXcxt25BC5aVvGKYQOI +LkAZVNze6edijmr1Z8tN1AyzdY1RP0Jg+uNYOBO4jTcclzbNeYkYvPODsePhIwWT +kBcoMe0ba1l1aJDkuAWuH6d8g55AHaoTdw7Yyhj7+6KjHCbiabgT+hdUZne3iT0u +vpyHyWnNBJ4Q7tuZOZtuPJlAIL7V/D0fZ+jgd/RulBCpwaARaZg6VAiSnji8Bo75 +KQdOIAFXSG1iVV1ZGFVMl+otlUUIlRBJhLEzUWSq48lrR8gM30oNKBClE8Yo7VW5 +B2ZN90rgkgE6vvKijFwwyR4XKV/Pyt84FTjA00XsWOWaXuOyIi9PwmytzDfkpwX4 +Gc7MP0zWrCdGvwFMPhQxiKu9VDcrFS+3Sh3ikF950Ubx6e25aXQn9GzpQXODYuUZ +P0GDAEdc1R4FxzqwDc04ptXVB3p7J5armBsd7HcLNnext6dFV+Snvg63mpeTa2kY +TGJNISU4Dst+L3/s9VBno21YlZBILbNV9p0ZgSJyYWTksj+0L1JpY2hhcmQgTGV2 +aXR0ZSA8cmljaGFyZEBvcGVuc3NsZm91bmRhdGlvbi5jb20+iQI4BBMBAgAiBQJU +MGv1AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV6eQ/ffnujNypD/4s +4N9nBz2Hw2Wlg1W81dVdRHMjDNYabEJuAt26NlGP9OjbS3rHJ/+pFMAJYQZ5/Y36 +m4aD86iV3P5GzcbVUXOSb2cYbpQY/lHYKAd8Isq2PLTNPnmDFgeE3o+PN9LOHOa1 +HpzNjq1Da6Wi1S+aRZtTO5OJucWjCJClFUAdD2gprPTQeMqZUiBHC/XNzOVBZv4q +UGDC+qqdO6pJ3fzU2zTT1H2a3i2EIgK/5GcbI2UeJnAjGmpfK3EWVYc5BsF+/GkX +rtMSHZD2jXyQL6zuzTAs+1N8p7cG15kYtY8ODwF72YwH4EWzr+7oNcT3FXW6+2G4 +S95osmFx/B+9pri77JTr22tggQBOMesGYuyBMd1TRvWpJTsdPTw2ctvbcj8eAITC +z4/RpxkTlHDMwt/mbzj5rXmkI3QNTJkdjxAHZtTmSydS2+/BXBqFgV3VpiNFxTNP +WMQAA9WDb1Yoz50tfd47U6nrCrbuew+DxKiz1LqR2WaYnPV/U9e73ko2yOgdVQou +OhxxeDBG0Le6U7BojTCktov2FU2qdvRY/MfnE8QJldhW/AVj43S3nuVRsh/HcA2L +TFyu3xOoUBWV91Z+0VyJ7+KJ6LqJXMqu2j78WD1ZxnYozUjA7R3Rce/L0rfZDMe+ +bPI8idCC6I7gKgewthv0nMm7UDWAVwCGbRWVi4j7hLQvUmljaGFyZCBMZXZpdHRl +IDxyaWNoYXJkQG9wZW5zc2xmb3VuZGF0aW9uLm9yZz6JAjgEEwECACIFAlbPAe0C +GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENXp5D99+e6M0mkP/3mgwmAw +TgX1pC3JMF457JF0wEWmnIkm1yfLVI5xBH8X0i0J9y3IeyYWcGm5Kwj5PEpI00BM +i4Xa4tJNK3rnusTFqcg98pmCYw6t7baujhj8IA+jVyZALD3rYBwQYa60Ax6QuULJ +vBz/h1GFajah+2py6VS4JodBLD2MBWGIyoVmnTwsXBet+zNvugnb34uTsGM7I5Vz +icUu6966lze9Lp7WkEF2GmHq+ZIE0B/ttP4uNhkCuxGZJtEFGk3GgwRUlfxWyyeJ +x0os1yUjk4GEPkx9Yl/Aah03BUgLbRBFiGYm/DnUIq96sVNa31X4CcZyQSGmeat8 +oBkGM46Irn8xqItgO7oF2U3abPucHd6c81zM0TWyXztsK+VGiHQ23Dsn36ThZ1o4 +lqboHKQ8JFtGdukC4XmgOS+IKShxWPN6g4Mqs0xkXyqey8+Lrwwg0b51gDoZtVn0 +jxQwQk25NM36FUXDPNKNCYhFNSmB0WAZ8LKumeAd0eVgCantCdY4PR5WgRWbv3eQ +62l+V6oH2VsT1xQgd13vTXxfz7HhleJClwvx/QHLjtKD1L1vUbF+GF/tc0/nwMPV +7cJO2OnbV6iIjfRGxslI4t+rhYbj5JajGOszat2aPySso5MkF4WTfdn2jPeah8as +1W8A+DAkqBGFltJBTD8VYqfu3F52MkCjShaiuQINBFQwazYBEADPNcBdaXTUwkG8 +1K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpjU45kx/wO5KiTVj+bM+sc +SzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV9qT3i0eSSpa1Kpx8eAHK +cVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdkHsEoMSVU6Jy86E908OLa +JbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHMel8ZcEgTah7huS6lUA4s +eQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1nbMQ/dEvMQpFxLCOBNQP +0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAtc/+iwMUkQQXJRw7Vlp9F +p9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQJe31m7sezA3cLnFR86ol +2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+sjauCZQW3KYx31Il5bO3 +ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbhddJBHsd7GNkwzb1Qivcq +nYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz5JTjMkj1s9cppQ8tdqiV +4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABiQIfBBgBAgAJBQJUMGs2AhsMAAoJ +ENXp5D99+e6M69gP/2MzECejKPv0lN9vHTnqLHiP7BcqbivPNqT4V3yal/JfB9c8 +h2ylsuZSy4r9TKDTgv/KVm6b9kJVsjdzyqwerKwpZ6T8ohyDt+/5UAXKY7wH8vR1 +qZdtRQ8Z/UbsZ2vyDGMKutBIxOYfDcpzZ+e78nRd6k3E6pIbR1utS972wQHM/VTE +msvUFZtX+qszOVm2y8adbHzY0FikqN/NZI7NVY+8gkwaybpd6knl9ArEQe1heVWD +GpaTUxz0SKglqc0zHDtxOUkhiCcvgKsAGWbxYspRq0rLsek51RFSdO7NJ59co96u +yIu2r/sGhpk3+/QdAMmb9CGeI+DVFhTZxobBtWxLphS5EJeyHfzOtZNMijrrB3cw +3GWws3nMsMNcN1g/o+MLxpHwcuJkEai4so7rbDf3acUUZFCwEzBPkx/SeXjatAOb +EUWmshIgNUw3AFnxdD7QOLJjctRsiGq6GwvsZ/ABDYuHnmGQW3w34fKEYRLCAkOq +7NPfMImM/I7Wf6Tq7s24g+2Sg8vr4yrWKoIxp4qB0GpSQmayk1J0RKR9dNqYNQsO +r9jnI4l7KlOS+2K4b9Y0CJbiCNOdVSCf0AVnubk+2IiTrDCzEBlr5Dmz1xGC5Xdl +BeoSujB+HqZMFf8Nbjap5byHhBYB0ypkh738JQBeuJVIgwlHVhMV8mypBNjWmQIN +BFQv6Z8BEACuJwJkw/Iniec6U1RzocYHBFKl1eE0WBu1vthYmcn0D/GJKvWMkRhx +9GSlWMqj9mgSFUOsFWrpPIm3Jzh4bLweUjH5I7R0Frh39dDFh1hhwHEholByyUGF +Tb8TppptXnzzDoNz4yUQcRP2oeG1vC/ePXPWHKgtp+0hmM3MQ3WIN+gSmpdt4vMI +oWKKCq+E1tYcsFk9URBWWEwBw+OJ37o7TrernyxwtXwdPOjYhA4mLtnKHs+5Qivu +OvK7gNf5hggyv6fp6d2ixvJZ9CdUYFdlOwaHA97B694RcAMxaMtzUpfkiJ/Q2zR8 +3QG4az6COKK38W6Kp7bLveMF6Rb4Y+gOjV4KvHKpzNAP2sNkmCIohlmoPhT9Ce9t +Wq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO3GLc +yTJW4enmTUFxy0d24Bfdgu7FpH1vHIisDkON3QO4TMwCJoLWGULqpJKP7kUf5HCn +afDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWczYY6 +spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfKeCOV +NtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQABtCVP +cGVuU1NMIE9NQyA8b3BlbnNzbC1vbWNAb3BlbnNzbC5vcmc+iQJUBBMBCgA+AhsD +BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78CkZ9YTy4PH7W0w2JTizos9efUF +AmPX/O0FCRGJRs4ACgkQ2JTizos9efVwcw//SJ1HcktYXQu39rhGw+QPuVBVMMvY +as8vLFy6xn1DLSQt1K/ggEaqR8OiwvaKhZQDIXUqSCDc7MC76WKmClJZUFsNG0ra +lnnesLqJwu50JOHyYWloUzBMlTQu4KctRXBUGGWf68FcX7b1ehHrDiC/nDPU4NiC +r3aybLhbZoXKxJqwFaz7jlZCAWzo8pVOYh27N4VteQ6jF4rurPcC5cUiballnBk+ +F6d0o1Mtl0c7FsBT63bJ2XI9YdQtaJ4JSKTbqu8kBeq6wZilHcuxQpV7MBIPh3uq +lesy4WaOm0QGTtm/4OGjVzVToeQUvWaUHbORXox8d5Wuhs3zzP7MwtFiUdq/+kak +f3Ys6z5YbCV94OSPn0ZzRpjq1Gu0vzq0d0JVshOab8rSk56NFLz7iEwOzBrUH98+ +J+FGzO22Mi5giFRJA0JfSmsdb7RGCyise7FS5iVEFaqPEZpo6LbUWevgeVFjgfnV +77d2fpiSx7fdsujS5OIjl6t24DvXjD4JPhnS144LYHru0t9wTRPfOP9Afowy6oYB +IytrKQOdLj1wVLQ5vgLvrNc33jyVX0MXWqCmNNIjpbbo0UurKhNT7W3m0x4A2pMZ +6/TApc05kc+spgIJcaO9qIJNDiQjRC3XJCtBx3eYRixCgZUlRmEsdiffOaO1RP62 +ga+/2FC5uJNC1yW0L09wZW5TU0wgU2VjdXJpdHkgPG9wZW5zc2wtc2VjdXJpdHlA +b3BlbnNzbC5vcmc+iQJVBBMBCgA/AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX +gBYhBO/ApGfWE8uDx+1tMNiU4s6LPXn1BQJiKerwBQkXYALFAAoJENiU4s6LPXn1 +m8gP/3MOYfZM6oxzT61slJ6nIUgPwQMRgH7/CFub01yiBqLv72xftnleKRnvHI2B +K34hDCNlxKoFtzarQfCHtSabx2/yQEQ6V0QHjtJwM+vFGYr9LPgWBtXC9DCYMUps +CxKNVyMcfjWEET2iD4ViHYHSZoTspRh0W2T31LtILF9ybxWGCb6km2WCceOycy4L +7GkbWNOqDrfPYalTqfYHkuB7cHGYiKIatROBcvPk2Ee4jL+tpQQBtMTqCwsuFMzN +6VWwoc3H5iy7R+GWwztpLL4Wn3nOpVHrcTCbr6gpaeKGA6fbnK3GRd6SQNH3khhe +hFzpmKNyjIlWxt+Q6nyayPIL2ukD0xaPFkbE2e4VK5/wYqF8ezq65rZefviDwFO3 +P9CTxwlaK3cYpw/1w3XBVbNiCH+Yi/dePwmiPAF5njOB9JvZLmkvTdFCPPt4CAYT +tfXD9VSQcPxFncI8B7VJX3epjgG8LlQIzxFkJnH9IyMaFEfbft4nmYz3XB7rOXff +8R9oji3RB2EER0Yi5Shbbj4VoKsu1IKVkcnv+tvGreQvZuU3xkAZXUqDpFMz0Bhq +Vd6VIh3iZUDwQGJdQALwCvPmNk/YkmV1LjF4jKd5aZQxM1yh41Gl11JIBbhrPy/G +AfgQTQUhPxktO/JEK3Olrsu5ppxNtmhX+xtDf4Yp/vUHiFiatDRPcGVuU1NMIHNl +Y3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNzbC5vcmc+iQJUBBMB +CgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78CkZ9YTy4PH7W0w2JTi +zos9efUFAmPX/PkFCRGJRs4ACgkQ2JTizos9efWXgg/+Negna1HZIWs18LDktjV4 +9a3IeKhjJV+UrTvQnFpSNXbwpnKa6iVX9PlE+3nLkIrkz6HJuBl1MZElcmrqIsVC +KHcrbcJSgZM4fV0AgEEm5gNfK19gbJjs1qdbtwTYccDiHwGl4EeTkPsOCo20QEC8 +jvkdHvMsvoD11c57NprQVVsOyuyz7B7LwV+6hZ2MAv6BZrNEXBjzqxHGKcq4iyOK +TGwRAufiXdq2+kV7GVjihH41YjV08f/b7O2uAm4k/IbULtvY3Y/9rVvtU/Na044F +QBGObH7/DbEOc8uFAH8Vy7M32rZmQet7pO8M5BrBMAaU2OAzZQ5CqauGvjTJ4GXi ++pBoCVafPvsGkB1W6IxnPPJZsFw9kxOKSV1Md4jh90OdaIGeHW4qagRaLDtDRtkF +nIkbtc38HC/e30ANoNS3Enws7XSNvQ+O7HfeSsATsM/2cjL8c281Nv9o+xaNI4TN +3KsfRswcQtnsN2cCkPZWKgTJcjpdANkX9CK7mYNS8bu6YsAVnRF2iAB25Vjcz/92 +Dd28/nPI2CkKkOMhDtnFty8B2LZ2tbfoU1DsNzg+b3ejaXLZjhnZdL3b3F4iKpyz +DhTpDHo4P/yxrtV8LOmHJN63oc1JljqgkU+RcxndSZ/LDHqtVH02VwVHMVt4no62 +mZj2UNT2+Ci5p+tze4Rhfl65Ag0EVC/pnwEQAMB3s+8dq5T8fW+b3OcGujEcbhyg +uc6D5shlNWsuCV3W7+izsVUe+0hD1YwD30C6zj2+CJrMxPQ/BB3u3SbyHMDP5fKL +7GQiA/n192hX2DuHxvQwnDNkHxYghtrFKOlXAyte2awA0fC+e0o8lHa1Yd2ZZNql +DC23qJtLMJH8bX8CIr59KckNyv64bF+hVPIN3evnh1Ajn4A85848EZMQcjedg72M +sA3TW2D4omayY7eXE5uut7FYcY6SM4pThIB2X9DM39Rgy3qC4ObvEkEfaWnJfHxy +XiA8XF+FZukXc/iM68P0VS/sMml9QPsYMWnMHcGlOcuzQJRAalqZJwuK0ZIvobh/ +Y9rYLxrHtNCgSjaFuSN9K/YhpAxs80H6lVa7GCSASTRrS3OvmY++fTsUPzSOvit0 +kqQfimziYx7QcJIagG92mvUmuf2PEfzvSi6iaIqMhaTaJq5qxOR0q430KakQktNP +X53HflWL7YenDPYw1rEyQFxGqjaBY1X8NtuzZ0P4cahgsBFc8HgYu2u3Ysd5wmvS +TsOXld8Qsns1KIUOpzgWw56AJ6dxS3lK4QSUFwjzbZW9H0jJ49eBMAaA+hCjv8c/ +4BFuZq9Gvsafn425Lx1V/3PFJlPu55V+7qWjeOkSzNctMlmCqPQVetbZ/pHLAJO5 +IUO3SoTs5kl6bARzABEBAAGJAjwEGAEKACYCGwwWIQTvwKRn1hPLg8ftbTDYlOLO +iz159QUCY9f9DQUJEYlG7gAKCRDYlOLOiz159f5RD/9Dhv5+muyWX9U4wNH7Dt7K +HOtFyQ6+YrlLGj6WgZlFQD3sz1hVabJsHwFuiaIjnZmQwiUJm72jCMUncL3OsWrQ +Xm6SU60aG20XeQl1oXWmSD9D/len23hOYo/3WsC3o1AIkLA9cJ3h/oo3I7RE30sk +w4MwQ4oCFlmidmOLvkz3TD22qxf+WaK7KO0vJRVHQIVl1ZdsBSSULcr8BcupKXaK +SBJQDya2TkEh6OUf1B/7EIk811oeNSaL9eJXS9VGDytVyjGGXSbudBw2XAV0/oiP +PDKYElbOZH66d6marGwCCdc29cNono/7zf0+/hyunzY3m1PkYGyzUmfWq4WNulJ9 +GEAz0O1rss/4hxnGqn/m3gue+aQx4hji/K/vAV+531YT9MEp6m6e3074a7Hvn2l/ +tsBoL1Xseb6J9ZGL8fnZiuG6RF4sP1LzsQXmyjgr1yTlCShgNQCYXAgprWXPCwv1 +76kL0WxkGhcI+GmSe3kNWr3HYoeTfBQ/G8GWaIZ2qJRY/d/P9bgWu3oztWcVqEDo +rK3Pbu5/VeIeEfIkc717EgvdZU4EB70vE/jnY1V9GLFzdPcygy7bz5aA4IA/Y12V +FdhQ9/E7HFvEv0KUa294rQiH86lRyCJIaEUqeymypLjoU2oeR4Cujkne+5spQHBf +n2/RWGqH28v+vqHysb/8GA== +=BQaf -----END PGP PUBLIC KEY BLOCK----- diff -Nru openssl-1.1.1n/doc/fingerprints.txt openssl-1.1.1v/doc/fingerprints.txt --- openssl-1.1.1n/doc/fingerprints.txt 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/fingerprints.txt 2023-08-01 13:51:35.000000000 +0000 @@ -12,6 +12,11 @@ The following is the list of fingerprints for the keys that are currently in use to sign OpenSSL distributions: +pub rsa4096 2014-10-04 + Key fingerprint = EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 +uid OpenSSL OMC +uid OpenSSL Security + pub 4096R/7DF9EE8C 2014-10-04 Key fingerprint = 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C uid Richard Levitte @@ -22,3 +27,13 @@ Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 uid Matt Caswell uid Matt Caswell + +pub rsa4096 2021-02-14 + B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45 +uid Paul Dale + +pub rsa4096 2021-07-16 + A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C +uid Tomáš Mráz +uid Tomáš Mráz +uid Tomáš Mráz diff -Nru openssl-1.1.1n/doc/man1/x509.pod openssl-1.1.1v/doc/man1/x509.pod --- openssl-1.1.1n/doc/man1/x509.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man1/x509.pod 2023-08-01 13:51:35.000000000 +0000 @@ -434,22 +434,26 @@ Sets the CA serial number file to use. -When the B<-CA> option is used to sign a certificate it uses a serial -number specified in a file. This file consists of one line containing -an even number of hex digits with the serial number to use. After each -use the serial number is incremented and written out to the file again. +When creating a certificate with this option, and with the B<-CA> option, +the certificate serial number is stored in the given file. +This file consists of one line containing +an even number of hex digits with the serial number used last time. +After reading this number, it is incremented and used, and the file is updated. The default filename consists of the CA certificate file base name with ".srl" appended. For example if the CA certificate file is called "mycacert.pem" it expects to find a serial number file called "mycacert.srl". +If the B<-CA> option is specified and neither <-CAserial> or <-CAcreateserial> +is given and the default serial number file does not exist, +a random number is generated; this is the recommended practice. + =item B<-CAcreateserial> -With this option the CA serial number file is created if it does not exist: -it will contain the serial number "02" and the certificate being signed will -have the 1 as its serial number. If the B<-CA> option is specified -and the serial number file does not exist a random number is generated; -this is the recommended practice. +With this option and the B<-CA> option +the CA serial number file is created if it does not exist. +A random number is generated, used for the certificate, +and saved into the serial number file determined as described above. =item B<-extfile filename> @@ -932,7 +936,7 @@ =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/BIO_f_base64.pod openssl-1.1.1v/doc/man3/BIO_f_base64.pod --- openssl-1.1.1n/doc/man3/BIO_f_base64.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/BIO_f_base64.pod 2023-08-01 13:51:35.000000000 +0000 @@ -38,9 +38,8 @@ The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags(). For writing, it causes all data to be written on one line without newline at the end. -For reading, it forces the decoder to process the data regardless -of newlines. All newlines are ignored and the input does not need -to contain any newline at all. +For reading, it expects the data to be all on one line (with or +without a trailing newline). =head1 NOTES diff -Nru openssl-1.1.1n/doc/man3/CMS_add0_cert.pod openssl-1.1.1v/doc/man3/CMS_add0_cert.pod --- openssl-1.1.1n/doc/man3/CMS_add0_cert.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/CMS_add0_cert.pod 2023-08-01 13:51:35.000000000 +0000 @@ -19,25 +19,33 @@ =head1 DESCRIPTION -CMS_add0_cert() and CMS_add1_cert() add certificate B to B. -must be of type signed data or enveloped data. +CMS_add0_cert() and CMS_add1_cert() add certificate I to I. +I must be of type signed data or (authenticated) enveloped data. +For signed data, such a certificate can be used when signing or verifying +to fill in the signer certificate or to provide an extra CA certificate +that may be needed for chain building in certificate validation. + +CMS_get1_certs() returns all certificates in I. + +CMS_add0_crl() and CMS_add1_crl() add CRL I to I. +I must be of type signed data or (authenticated) enveloped data. +For signed data, such a CRL may be used in certificate validation. +It may be given both for inclusion when signing a CMS message +and when verifying a signed CMS message. -CMS_get1_certs() returns all certificates in B. - -CMS_add0_crl() and CMS_add1_crl() add CRL B to B. CMS_get1_crls() -returns any CRLs in B. +CMS_get1_crls() returns all CRLs in I. =head1 NOTES -The CMS_ContentInfo structure B must be of type signed data or enveloped +The CMS_ContentInfo structure I must be of type signed data or enveloped data or an error will be returned. -For signed data certificates and CRLs are added to the B and -B fields of SignedData structure. For enveloped data they are added to +For signed data certificates and CRLs are added to the I and +I fields of SignedData structure. For enveloped data they are added to B. -As the B<0> implies CMS_add0_cert() adds B internally to B and it -must not be freed up after the call as opposed to CMS_add1_cert() where B +As the I<0> implies CMS_add0_cert() adds I internally to I and it +must not be freed up after the call as opposed to CMS_add1_cert() where I must be freed up. The same certificate or CRL must not be added to the same cms structure more @@ -50,7 +58,7 @@ CMS_get1_certs() and CMS_get1_crls() return the STACK of certificates or CRLs or NULL if there are none or an error occurs. The only error which will occur -in practice is if the B type is invalid. +in practice is if the I type is invalid. =head1 SEE ALSO @@ -60,7 +68,7 @@ =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/CMS_verify.pod openssl-1.1.1v/doc/man3/CMS_verify.pod --- openssl-1.1.1n/doc/man3/CMS_verify.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/CMS_verify.pod 2023-08-01 13:51:35.000000000 +0000 @@ -15,50 +15,58 @@ =head1 DESCRIPTION -CMS_verify() verifies a CMS SignedData structure. B is the CMS_ContentInfo -structure to verify. B is a set of certificates in which to search for -the signing certificate(s). B is a trusted certificate store used for -chain verification. B is the detached content if the content is not -present in B. The content is written to B if it is not NULL. +CMS_verify() is very similar to L. It verifies a +B structure contained in a structure of type B. +I points to the B structure to verify. +The optional I parameter refers to a set of certificates +in which to search for signing certificates. +I may contain extra untrusted CA certificates that may be used for +chain building as well as CRLs that may be used for certificate validation. +I may be NULL or point to +the trusted certificate store to use for chain verification. +I refers to the signed data if the content is detached from I. +Otherwise I should be NULL and the signed data must be in I. +The content is written to the BIO I unless it is NULL. +I is an optional set of flags, which can be used to modify the operation. -B is an optional set of flags, which can be used to modify the verify -operation. - -CMS_get0_signers() retrieves the signing certificate(s) from B, it may only +CMS_get0_signers() retrieves the signing certificate(s) from I, it may only be called after a successful CMS_verify() operation. =head1 VERIFY PROCESS Normally the verify process proceeds as follows. -Initially some sanity checks are performed on B. The type of B must +Initially some sanity checks are performed on I. The type of I must be SignedData. There must be at least one signature on the data and if -the content is detached B cannot be B. +the content is detached I cannot be NULL. An attempt is made to locate all the signing certificate(s), first looking in -the B parameter (if it is not NULL) and then looking in any -certificates contained in the B structure itself. If any signing -certificate cannot be located the operation fails. - -Each signing certificate is chain verified using the B purpose and -the supplied trusted certificate store. Any internal certificates in the message -are used as untrusted CAs. If CRL checking is enabled in B any internal -CRLs are used in addition to attempting to look them up in B. If any -chain verify fails an error code is returned. +the I parameter (if it is not NULL) and then looking in any +certificates contained in the I structure unless B is set. +If any signing certificate cannot be located the operation fails. + +Each signing certificate is chain verified using the I purpose and +using the trusted certificate store I if supplied. +Any internal certificates in the message, which may have been added using +L, are used as untrusted CAs. +If CRL checking is enabled in I and B is not set, +any internal CRLs, which may have been added using L, +are used in addition to attempting to look them up in I. +If I is not NULL and any chain verify fails an error code is returned. -Finally the signed content is read (and written to B if it is not NULL) -and the signature's checked. +Finally the signed content is read (and written to I unless it is NULL) +and the signature is checked. -If all signature's verify correctly then the function is successful. +If all signatures verify correctly then the function is successful. -Any of the following flags (ored together) can be passed in the B +Any of the following flags (ored together) can be passed in the I parameter to change the default verify behaviour. If B is set the certificates in the message itself are not -searched when locating the signing certificate(s). This means that all the -signing certificates must be in the B parameter. +searched when locating the signing certificate(s). +This means that all the signing certificates must be in the I parameter. -If B is set and CRL checking is enabled in B then any +If B is set and CRL checking is enabled in I then any CRLs in the message itself are ignored. If the B flag is set MIME headers for type B are deleted @@ -66,7 +74,7 @@ returned. If B is set the signing certificates are not -verified. +chain verified. If B is set the signed attributes signature is not verified. @@ -77,20 +85,20 @@ One application of B is to only accept messages signed by a small number of certificates. The acceptable certificates would be passed -in the B parameter. In this case if the signer is not one of the -certificates supplied in B then the verify will fail because the +in the I parameter. In this case if the signer certificate is not one +of the certificates supplied in I then the verify will fail because the signer cannot be found. In some cases the standard techniques for looking up and validating certificates are not appropriate: for example an application may wish to lookup certificates in a database or perform customised verification. This -can be achieved by setting and verifying the signers certificates manually +can be achieved by setting and verifying the signer certificates manually using the signed data utility functions. Care should be taken when modifying the default verify behaviour, for example setting B will totally disable all content verification and any modified content will be considered valid. This combination is however -useful if one merely wishes to write the content to B and its validity +useful if one merely wishes to write the content to I and its validity is not considered important. Chain verification should arguably be performed using the signing time rather @@ -100,8 +108,7 @@ =head1 RETURN VALUES -CMS_verify() returns 1 for a successful verification and zero if an error -occurred. +CMS_verify() returns 1 for a successful verification and 0 if an error occurred. CMS_get0_signers() returns all signers or NULL if an error occurred. @@ -109,8 +116,8 @@ =head1 BUGS -The trusted certificate store is not searched for the signing certificate, -this is primarily due to the inadequacies of the current B +The trusted certificate store is not searched for the signing certificate. +This is primarily due to the inadequacies of the current B functionality. The lack of single pass processing means that the signed content must all @@ -118,11 +125,13 @@ =head1 SEE ALSO +L, L, L, +L, L, L =head1 COPYRIGHT -Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/EC_KEY_new.pod openssl-1.1.1v/doc/man3/EC_KEY_new.pod --- openssl-1.1.1n/doc/man3/EC_KEY_new.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/EC_KEY_new.pod 2023-08-01 13:51:35.000000000 +0000 @@ -33,7 +33,7 @@ const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key); int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group); const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key); - int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv); + int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key); const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key); int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub); point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key); @@ -102,7 +102,9 @@ The functions EC_KEY_get0_group(), EC_KEY_set_group(), EC_KEY_get0_private_key(), EC_KEY_set_private_key(), EC_KEY_get0_public_key(), and EC_KEY_set_public_key() get and set the EC_GROUP object, the private key, -and the EC_POINT public key for the B respectively. +and the EC_POINT public key for the B respectively. The function +EC_KEY_set_private_key() accepts NULL as the priv_key argument to securely clear +the private key component from the EC_KEY. The functions EC_KEY_get_conv_form() and EC_KEY_set_conv_form() get and set the point_conversion_form for the B. For a description of @@ -160,10 +162,14 @@ EC_KEY_get0_engine() returns a pointer to an ENGINE, or NULL if it wasn't set. -EC_KEY_up_ref(), EC_KEY_set_group(), EC_KEY_set_private_key(), -EC_KEY_set_public_key(), EC_KEY_precompute_mult(), EC_KEY_generate_key(), -EC_KEY_check_key(), EC_KEY_set_public_key_affine_coordinates(), -EC_KEY_oct2key() and EC_KEY_oct2priv() return 1 on success or 0 on error. +EC_KEY_up_ref(), EC_KEY_set_group(), EC_KEY_set_public_key(), +EC_KEY_precompute_mult(), EC_KEY_generate_key(), EC_KEY_check_key(), +EC_KEY_set_public_key_affine_coordinates(), EC_KEY_oct2key() and +EC_KEY_oct2priv() return 1 on success or 0 on error. + +EC_KEY_set_private_key() returns 1 on success or 0 on error except when the +priv_key argument is NULL, in that case it returns 0, for legacy compatibility, +and should not be treated as an error. EC_KEY_get0_group() returns the EC_GROUP associated with the EC_KEY. @@ -184,7 +190,7 @@ =head1 COPYRIGHT -Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/EVP_EncryptInit.pod openssl-1.1.1v/doc/man3/EVP_EncryptInit.pod --- openssl-1.1.1n/doc/man3/EVP_EncryptInit.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/EVP_EncryptInit.pod 2023-08-01 13:51:35.000000000 +0000 @@ -313,7 +313,7 @@ EVP_CIPHER_CTX_set_padding() always returns 1. EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV -length or zero if the cipher does not use an IV. +length, zero if the cipher does not use an IV and a negative value on error. EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER. @@ -661,7 +661,7 @@ =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/OPENSSL_LH_COMPFUNC.pod openssl-1.1.1v/doc/man3/OPENSSL_LH_COMPFUNC.pod --- openssl-1.1.1n/doc/man3/OPENSSL_LH_COMPFUNC.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/OPENSSL_LH_COMPFUNC.pod 2023-08-01 13:51:35.000000000 +0000 @@ -23,7 +23,7 @@ TYPE *lh_TYPE_insert(LHASH_OF(TYPE) *table, TYPE *data); TYPE *lh_TYPE_delete(LHASH_OF(TYPE) *table, TYPE *data); - TYPE *lh_retrieve(LHASH_OF(TYPE) *table, TYPE *data); + TYPE *lh_TYPE_retrieve(LHASH_OF(TYPE) *table, TYPE *data); void lh_TYPE_doall(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNC func); void lh_TYPE_doall_arg(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNCARG func, @@ -229,7 +229,7 @@ =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/OPENSSL_init_crypto.pod openssl-1.1.1v/doc/man3/OPENSSL_init_crypto.pod --- openssl-1.1.1n/doc/man3/OPENSSL_init_crypto.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/OPENSSL_init_crypto.pod 2023-08-01 13:51:35.000000000 +0000 @@ -81,7 +81,7 @@ With this option the library will automatically load and make available all libcrypto digests. This option is a default option. Once selected subsequent calls to OPENSSL_init_crypto() with the option -B will be ignored. +B will be ignored. =item OPENSSL_INIT_NO_ADD_ALL_CIPHERS @@ -264,7 +264,7 @@ =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/PKCS7_sign.pod openssl-1.1.1v/doc/man3/PKCS7_sign.pod --- openssl-1.1.1n/doc/man3/PKCS7_sign.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/PKCS7_sign.pod 2023-08-01 13:51:35.000000000 +0000 @@ -13,29 +13,26 @@ =head1 DESCRIPTION -PKCS7_sign() creates and returns a PKCS#7 signedData structure. B is -the certificate to sign with, B is the corresponding private key. -B is an optional additional set of certificates to include in the PKCS#7 -structure (for example any intermediate CAs in the chain). +PKCS7_sign() creates and returns a PKCS#7 signedData structure. +I is the certificate to sign with, I is the corresponding +private key. I is an optional set of extra certificates to include +in the PKCS#7 structure (for example any intermediate CAs in the chain). -The data to be signed is read from BIO B. +The data to be signed is read from BIO I. -B is an optional set of flags. +I is an optional set of flags. -=head1 NOTES - -Any of the following flags (ored together) can be passed in the B -parameter. +Any of the following flags (ored together) can be passed in the I Many S/MIME clients expect the signed content to include valid MIME headers. If -the B flag is set MIME headers for type B are prepended +the B flag is set MIME headers for type C are prepended to the data. -If B is set the signer's certificate will not be included in the -PKCS7 structure, the signer's certificate must still be supplied in the -B parameter though. This can reduce the size of the signature if the -signers certificate can be obtained by other means: for example a previously -signed message. +If B is set the signer's certificate and the extra I +will not be included in the PKCS7 structure. +The signer's certificate must still be supplied in the I parameter +though. This can reduce the size of the signatures if the signer's certificates +can be obtained by other means: for example a previously signed message. The data being signed is included in the PKCS7 structure, unless B is set in which case it is omitted. This is used for PKCS7 @@ -59,7 +56,7 @@ If the flags B is set then the returned B structure is just initialized ready to perform the signing operation. The signing is however -B performed and the data to be signed is not read from the B +B performed and the data to be signed is not read from the I parameter. Signing is deferred until after the data has been written. In this way data can be signed in a single pass. @@ -80,17 +77,17 @@ If a signer is specified it will use the default digest for the signing algorithm. This is B for both RSA and DSA keys. -The B, B and B parameters can all be -B if the B flag is set. One or more signers can be added +The I, I and I parameters can all be +NULL if the B flag is set. One or more signers can be added using the function PKCS7_sign_add_signer(). PKCS7_final() must also be called to finalize the structure if streaming is not enabled. Alternative signing digests can also be specified using this method. -If B and B are NULL then a certificates only +If I and I are NULL then a certificates only PKCS#7 structure is output. -In versions of OpenSSL before 1.0.0 the B and B parameters must -B be NULL. +In versions of OpenSSL before 1.0.0 the I and I parameters must +not be NULL. =head1 BUGS @@ -107,14 +104,14 @@ =head1 HISTORY -The B flag, and the ability for B, B, -and B parameters to be B were added in OpenSSL 1.0.0. +The B flag, and the ability for I, I, +and I parameters to be NULL were added in OpenSSL 1.0.0. The B flag was added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/PKCS7_sign_add_signer.pod openssl-1.1.1v/doc/man3/PKCS7_sign_add_signer.pod --- openssl-1.1.1n/doc/man3/PKCS7_sign_add_signer.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/PKCS7_sign_add_signer.pod 2023-08-01 13:51:35.000000000 +0000 @@ -2,7 +2,8 @@ =head1 NAME -PKCS7_sign_add_signer - add a signer PKCS7 signed data structure +PKCS7_sign_add_signer, +PKCS7_add_certificate, PKCS7_add_crl - add information to PKCS7 structure =head1 SYNOPSIS @@ -10,22 +11,22 @@ PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, int flags); - + int PKCS7_add_certificate(PKCS7 *p7, X509 *cert); + int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl); =head1 DESCRIPTION -PKCS7_sign_add_signer() adds a signer with certificate B and private -key B using message digest B to a PKCS7 signed data structure -B. +PKCS7_sign_add_signer() adds a signer with certificate I and private +key I using message digest I to a PKCS7 signed data structure I. -The PKCS7 structure should be obtained from an initial call to PKCS7_sign() -with the flag B set or in the case or re-signing a valid PKCS7 +The B structure should be obtained from an initial call to PKCS7_sign() +with the flag B set or in the case or re-signing a valid PKCS#7 signed data structure. -If the B parameter is B then the default digest for the public +If the I parameter is NULL then the default digest for the public key algorithm will be used. -Unless the B flag is set the returned PKCS7 structure +Unless the B flag is set the returned B structure is not complete and must be finalized either by streaming (if applicable) or a call to PKCS7_final(). @@ -37,13 +38,13 @@ not appropriate. For example if multiple signers or non default digest algorithms are needed. -Any of the following flags (ored together) can be passed in the B +Any of the following flags (ored together) can be passed in the I parameter. If B is set then an attempt is made to copy the content -digest value from the PKCS7 structure: to add a signer to an existing structure. +digest value from the B structure: to add a signer to an existing structure. An error occurs if a matching digest value cannot be found to copy. The -returned PKCS7 structure will be valid and finalized when this flag is set. +returned B structure will be valid and finalized when this flag is set. If B is set in addition to B then the B structure will not be finalized so additional attributes @@ -51,8 +52,8 @@ needed to finalize it. If B is set the signer's certificate will not be included in the -PKCS7 structure, the signer's certificate must still be supplied in the -B parameter though. This can reduce the size of the signature if the +B structure, the signer's certificate must still be supplied in the +I parameter though. This can reduce the size of the signature if the signers certificate can be obtained by other means: for example a previously signed message. @@ -66,20 +67,32 @@ algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of these algorithms is disabled then it will not be included. - -PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO -structure just added, this can be used to set additional attributes +PKCS7_sign_add_signers() returns an internal pointer to the B +structure just added, which can be used to set additional attributes before it is finalized. +PKCS7_add_certificate() adds to the B structure I the certificate +I, which may be an end-entity (signer) certificate +or a CA certificate useful for chain building. +This is done internally by L and similar signing functions. +It may have to be used before calling L +in order to provide any missing certificate(s) needed for verification. + +PKCS7_add_crl() adds the CRL I to the B structure I. +This may be called to provide certificate status information +to be included when signing or to use when verifying the B structure. + =head1 RETURN VALUES -PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO +PKCS7_sign_add_signers() returns an internal pointer to the B structure just added or NULL if an error occurs. +PKCS7_add_certificate() and PKCS7_add_crl() return 1 on success, 0 on error. + =head1 SEE ALSO -L, L, -L, +L, L, +L, L =head1 HISTORY @@ -87,7 +100,7 @@ =head1 COPYRIGHT -Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/PKCS7_verify.pod openssl-1.1.1v/doc/man3/PKCS7_verify.pod --- openssl-1.1.1n/doc/man3/PKCS7_verify.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/PKCS7_verify.pod 2023-08-01 13:51:35.000000000 +0000 @@ -15,64 +15,76 @@ =head1 DESCRIPTION -PKCS7_verify() verifies a PKCS#7 signedData structure. B is the PKCS7 -structure to verify. B is a set of certificates in which to search for -the signer's certificate. B is a trusted certificate store (used for -chain verification). B is the signed data if the content is not -present in B (that is it is detached). The content is written to B -if it is not NULL. - -B is an optional set of flags, which can be used to modify the verify -operation. - -PKCS7_get0_signers() retrieves the signer's certificates from B, it does -B check their validity or whether any signatures are valid. The B -and B parameters have the same meanings as in PKCS7_verify(). +PKCS7_verify() is very similar to L. +It verifies a PKCS#7 signedData structure given in I. +The optional I parameter refers to a set of certificates +in which to search for signer's certificates. +I may contain extra untrusted CA certificates that may be used for +chain building as well as CRLs that may be used for certificate validation. +I may be NULL or point to +the trusted certificate store to use for chain verification. +I refers to the signed data if the content is detached from I. +Otherwise I should be NULL, and then the signed data must be in I. +The content is written to the BIO I unless it is NULL. +I is an optional set of flags, which can be used to modify the operation. + +PKCS7_get0_signers() retrieves the signer's certificates from I, it does +B check their validity or whether any signatures are valid. The I +and I parameters have the same meanings as in PKCS7_verify(). =head1 VERIFY PROCESS Normally the verify process proceeds as follows. -Initially some sanity checks are performed on B. The type of B must -be signedData. There must be at least one signature on the data and if -the content is detached B cannot be B. If the content is -not detached and B is not B, then the structure has both +Initially some sanity checks are performed on I. The type of I must +be SignedData. There must be at least one signature on the data and if +the content is detached I cannot be NULL. If the content is +not detached and I is not NULL then the structure has both embedded and external content. To treat this as an error, use the flag B. The default behavior allows this, for compatibility with older versions of OpenSSL. An attempt is made to locate all the signer's certificates, first looking in -the B parameter (if it is not B) and then looking in any certificates -contained in the B structure itself. If any signer's certificates cannot be -located the operation fails. +the I parameter (if it is not NULL). Then they are looked up in any +certificates contained in the I structure unless B is set. +If any signer's certificates cannot be located the operation fails. Each signer's certificate is chain verified using the B purpose and -the supplied trusted certificate store. Any internal certificates in the message -are used as untrusted CAs. If any chain verify fails an error code is returned. - -Finally the signed content is read (and written to B is it is not NULL) and -the signature's checked. - -If all signature's verify correctly then the function is successful. - -Any of the following flags (ored together) can be passed in the B parameter -to change the default verify behaviour. Only the flag B is -meaningful to PKCS7_get0_signers(). +using the trusted certificate store I if supplied. +Any internal certificates in the message, which may have been added using +L, are used as untrusted CAs unless B +is set. +If CRL checking is enabled in I and B is not set, +any internal CRLs, which may have been added using L, +are used in addition to attempting to look them up in I. +If I is not NULL and any chain verify fails an error code is returned. + +Finally the signed content is read (and written to I unless it is NULL) +and the signature is checked. + +If all signatures verify correctly then the function is successful. + +Any of the following flags (ored together) can be passed in the I +parameter to change the default verify behaviour. +Only the flag B is meaningful to PKCS7_get0_signers(). If B is set the certificates in the message itself are not -searched when locating the signer's certificate. This means that all the signers -certificates must be in the B parameter. +searched when locating the signer's certificates. +This means that all the signer's certificates must be in the I parameter. + +If B is set and CRL checking is enabled in I then any +CRLs in the message itself are ignored. -If the B flag is set MIME headers for type B are deleted -from the content. If the content is not of type B then an error is +If the B flag is set MIME headers for type C are deleted +from the content. If the content is not of type C then an error is returned. If B is set the signer's certificates are not chain verified. If B is set then the certificates contained in the message are not used as untrusted CAs. This means that the whole verify chain (apart from -the signer's certificate) must be contained in the trusted store. +the signer's certificates) must be contained in the trusted store. If B is set then the signatures on the data are not checked. @@ -80,46 +92,46 @@ One application of B is to only accept messages signed by a small number of certificates. The acceptable certificates would be passed -in the B parameter. In this case if the signer is not one of the -certificates supplied in B then the verify will fail because the +in the I parameter. In this case if the signer's certificate is not one +of the certificates supplied in I then the verify will fail because the signer cannot be found. Care should be taken when modifying the default verify behaviour, for example setting B will totally disable all verification and any signed message will be considered valid. This combination is however -useful if one merely wishes to write the content to B and its validity +useful if one merely wishes to write the content to I and its validity is not considered important. -Chain verification should arguably be performed using the signing time rather +Chain verification should arguably be performed using the signing time rather than the current time. However, since the signing time is supplied by the signer it cannot be trusted without additional evidence (such as a trusted timestamp). =head1 RETURN VALUES -PKCS7_verify() returns one for a successful verification and zero -if an error occurs. +PKCS7_verify() returns 1 for a successful verification and 0 if an error occurs. -PKCS7_get0_signers() returns all signers or B if an error occurred. +PKCS7_get0_signers() returns all signers or NULL if an error occurred. -The error can be obtained from L +The error can be obtained from L. =head1 BUGS -The trusted certificate store is not searched for the signers certificate, -this is primarily due to the inadequacies of the current B +The trusted certificate store is not searched for the signer's certificates. +This is primarily due to the inadequacies of the current B functionality. -The lack of single pass processing and need to hold all data in memory as -mentioned in PKCS7_sign() also applies to PKCS7_verify(). +The lack of single pass processing means that the signed content must all +be held in memory if it is not detached. =head1 SEE ALSO +L, L, L, L, L =head1 COPYRIGHT -Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/SSL_CTX_set1_verify_cert_store.pod openssl-1.1.1v/doc/man3/SSL_CTX_set1_verify_cert_store.pod --- openssl-1.1.1n/doc/man3/SSL_CTX_set1_verify_cert_store.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/SSL_CTX_set1_verify_cert_store.pod 2023-08-01 13:51:35.000000000 +0000 @@ -5,7 +5,9 @@ SSL_CTX_set0_verify_cert_store, SSL_CTX_set1_verify_cert_store, SSL_CTX_set0_chain_cert_store, SSL_CTX_set1_chain_cert_store, SSL_set0_verify_cert_store, SSL_set1_verify_cert_store, -SSL_set0_chain_cert_store, SSL_set1_chain_cert_store - set certificate +SSL_set0_chain_cert_store, SSL_set1_chain_cert_store, +SSL_CTX_get0_verify_cert_store, SSL_CTX_get0_chain_cert_store, +SSL_get0_verify_cert_store, SSL_get0_chain_cert_store - set certificate verification or chain store =head1 SYNOPSIS @@ -16,11 +18,15 @@ int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st); int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); + int SSL_CTX_get0_verify_cert_store(SSL_CTX *ctx, X509_STORE **st); + int SSL_CTX_get0_chain_cert_store(SSL_CTX *ctx, X509_STORE **st); int SSL_set0_verify_cert_store(SSL *ctx, X509_STORE *st); int SSL_set1_verify_cert_store(SSL *ctx, X509_STORE *st); int SSL_set0_chain_cert_store(SSL *ctx, X509_STORE *st); int SSL_set1_chain_cert_store(SSL *ctx, X509_STORE *st); + int SSL_get0_verify_cert_store(SSL *ctx, X509_STORE **st); + int SSL_get0_chain_cert_store(SSL *ctx, X509_STORE **st); =head1 DESCRIPTION @@ -34,6 +40,11 @@ SSL_set0_chain_cert_store() and SSL_set1_chain_cert_store() are similar except they apply to SSL structure B. +SSL_CTX_get0_verify_chain_store(), SSL_get0_verify_chain_store(), +SSL_CTX_get0_chain_cert_store() and SSL_get0_chain_cert_store() retrieve the +objects previously set via the above calls. A pointer to the object (or NULL if +no such object has been set) is written to B<*st>. + All these functions are implemented as macros. Those containing a B<1> increment the reference count of the supplied store so it must be freed at some point after the operation. Those containing a B<0> do @@ -90,7 +101,7 @@ =head1 COPYRIGHT -Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/SSL_CTX_set_timeout.pod openssl-1.1.1v/doc/man3/SSL_CTX_set_timeout.pod --- openssl-1.1.1n/doc/man3/SSL_CTX_set_timeout.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/SSL_CTX_set_timeout.pod 2023-08-01 13:51:35.000000000 +0000 @@ -42,6 +42,16 @@ All currently supported protocols have the same default timeout value of 300 seconds. +This timeout value is used as the ticket lifetime hint for stateless session +tickets. It is also used as the timeout value within the ticket itself. + +For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800 +seconds). + +For TLSv1.2, tickets generated during an initial handshake use the value +as specified. Tickets generated during a resumed handshake have a value +of 0 for the ticket lifetime hint. + =head1 RETURN VALUES SSL_CTX_set_timeout() returns the previously set timeout value. @@ -58,7 +68,7 @@ =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/SSL_get_current_cipher.pod openssl-1.1.1v/doc/man3/SSL_get_current_cipher.pod --- openssl-1.1.1n/doc/man3/SSL_get_current_cipher.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/SSL_get_current_cipher.pod 2023-08-01 13:51:35.000000000 +0000 @@ -10,8 +10,8 @@ #include - SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl); - SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl); + const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl); + const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl); const char *SSL_get_cipher_name(const SSL *s); const char *SSL_get_cipher(const SSL *s); @@ -61,7 +61,7 @@ =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/doc/man3/X509_STORE_CTX_new.pod openssl-1.1.1v/doc/man3/X509_STORE_CTX_new.pod --- openssl-1.1.1n/doc/man3/X509_STORE_CTX_new.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/X509_STORE_CTX_new.pod 2023-08-01 13:51:35.000000000 +0000 @@ -175,14 +175,18 @@ X509_STORE_CTX_purpose_inherit() directly. Typically applications should call X509_STORE_CTX_set_purpose() or X509_STORE_CTX_set_trust() instead. Using this function it is possible to set the purpose and trust values for the I at -the same time. The I and I arguments can have the same +the same time. +Both I and its internal verification parameter pointer must not be NULL. +The I and I arguments can have the same purpose values as described for X509_STORE_CTX_set_purpose() above. The I argument can have the same trust values as described in X509_STORE_CTX_set_trust() above. Any of the I, I or I values may also have the value 0 to indicate that the supplied parameter should be ignored. After calling this function the purpose to be used -for verification is set from the I argument, and the trust is set from -the I argument. If I is 0 then the trust value will be set from +for verification is set from the I argument unless the purpose was +already set in I before, and the trust is set from the I argument +unless the trust was already set in I before. +If I is 0 then the trust value will be set from the default trust value for I. If the default trust value for the purpose is I and I is 0 then the default trust value associated with the I value is used for the trust setting instead. diff -Nru openssl-1.1.1n/doc/man3/X509_VERIFY_PARAM_set_flags.pod openssl-1.1.1v/doc/man3/X509_VERIFY_PARAM_set_flags.pod --- openssl-1.1.1n/doc/man3/X509_VERIFY_PARAM_set_flags.pod 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/doc/man3/X509_VERIFY_PARAM_set_flags.pod 2023-08-01 13:51:35.000000000 +0000 @@ -92,8 +92,9 @@ X509_VERIFY_PARAM_set_time() sets the verification time in B to B. Normally the current time is used. -X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled -by default) and adds B to the acceptable policy set. +X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. +Contrary to preexisting documentation of this function it does not enable +policy checking. X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled by default) and sets the acceptable policy set to B. Any existing @@ -377,9 +378,13 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. +The function X509_VERIFY_PARAM_add0_policy() was historically documented as +enabling policy checking however the implementation has never done this. +The documentation was changed to align with the implementation. + =head1 COPYRIGHT -Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/engines/asm/e_padlock-x86.pl openssl-1.1.1v/engines/asm/e_padlock-x86.pl --- openssl-1.1.1n/engines/asm/e_padlock-x86.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/engines/asm/e_padlock-x86.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -116,6 +116,8 @@ &function_begin_B("padlock_key_bswap"); &mov ("edx",&wparam(0)); &mov ("ecx",&DWP(240,"edx")); + &inc ("ecx"); + &shl ("ecx",2); &set_label("bswap_loop"); &mov ("eax",&DWP(0,"edx")); &bswap ("eax"); diff -Nru openssl-1.1.1n/engines/asm/e_padlock-x86_64.pl openssl-1.1.1v/engines/asm/e_padlock-x86_64.pl --- openssl-1.1.1n/engines/asm/e_padlock-x86_64.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/engines/asm/e_padlock-x86_64.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -92,6 +92,8 @@ .align 16 padlock_key_bswap: mov 240($arg1),%edx + inc %edx + shl \$2,%edx .Lbswap_loop: mov ($arg1),%eax bswap %eax diff -Nru openssl-1.1.1n/engines/e_padlock.c openssl-1.1.1v/engines/e_padlock.c --- openssl-1.1.1n/engines/e_padlock.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/engines/e_padlock.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -144,6 +144,19 @@ return (padlock_use_rng || padlock_use_ace); } +# ifndef AES_ASM +static int padlock_aes_set_encrypt_key(const unsigned char *userKey, + const int bits, + AES_KEY *key); +static int padlock_aes_set_decrypt_key(const unsigned char *userKey, + const int bits, + AES_KEY *key); +# define AES_ASM +# define AES_set_encrypt_key padlock_aes_set_encrypt_key +# define AES_set_decrypt_key padlock_aes_set_decrypt_key +# include "../crypto/aes/aes_core.c" +# endif + /* * This stuff is needed if this ENGINE is being compiled into a * self-contained shared-library. @@ -639,12 +652,10 @@ AES_set_decrypt_key(key, key_len, &cdata->ks); else AES_set_encrypt_key(key, key_len, &cdata->ks); -# ifndef AES_ASM /* * OpenSSL C functions use byte-swapped extended key. */ padlock_key_bswap(&cdata->ks); -# endif cdata->cword.b.keygen = 1; break; diff -Nru openssl-1.1.1n/include/crypto/bn.h openssl-1.1.1v/include/crypto/bn.h --- openssl-1.1.1n/include/crypto/bn.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/include/crypto/bn.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1n/include/openssl/bnerr.h openssl-1.1.1v/include/openssl/bnerr.h --- openssl-1.1.1n/include/openssl/bnerr.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/include/openssl/bnerr.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -72,6 +72,7 @@ # define BN_F_BN_SET_WORDS 144 # define BN_F_BN_STACK_PUSH 148 # define BN_F_BN_USUB 115 +# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 /* * BN reason codes. diff -Nru openssl-1.1.1n/include/openssl/cmserr.h openssl-1.1.1v/include/openssl/cmserr.h --- openssl-1.1.1n/include/openssl/cmserr.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/include/openssl/cmserr.h 2023-08-01 13:51:35.000000000 +0000 @@ -187,6 +187,7 @@ # define CMS_R_UNKNOWN_DIGEST_ALGORITHM 149 # define CMS_R_UNKNOWN_ID 150 # define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM 151 +# define CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM 194 # define CMS_R_UNSUPPORTED_CONTENT_TYPE 152 # define CMS_R_UNSUPPORTED_KEK_ALGORITHM 153 # define CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM 179 diff -Nru openssl-1.1.1n/include/openssl/dh.h openssl-1.1.1v/include/openssl/dh.h --- openssl-1.1.1n/include/openssl/dh.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/include/openssl/dh.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -29,6 +29,9 @@ # ifndef OPENSSL_DH_MAX_MODULUS_BITS # define OPENSSL_DH_MAX_MODULUS_BITS 10000 # endif +# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS +# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 +# endif # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 diff -Nru openssl-1.1.1n/include/openssl/dherr.h openssl-1.1.1v/include/openssl/dherr.h --- openssl-1.1.1n/include/openssl/dherr.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/include/openssl/dherr.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -30,6 +30,7 @@ # define DH_F_COMPUTE_KEY 102 # define DH_F_DHPARAMS_PRINT_FP 101 # define DH_F_DH_BUILTIN_GENPARAMS 106 +# define DH_F_DH_CHECK 126 # define DH_F_DH_CHECK_EX 121 # define DH_F_DH_CHECK_PARAMS_EX 122 # define DH_F_DH_CHECK_PUB_KEY_EX 123 diff -Nru openssl-1.1.1n/include/openssl/opensslv.h openssl-1.1.1v/include/openssl/opensslv.h --- openssl-1.1.1n/include/openssl/opensslv.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/include/openssl/opensslv.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,8 +39,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x101010efL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1n 15 Mar 2022" +# define OPENSSL_VERSION_NUMBER 0x1010116fL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1v 1 Aug 2023" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff -Nru openssl-1.1.1n/include/openssl/ssl.h openssl-1.1.1v/include/openssl/ssl.h --- openssl-1.1.1n/include/openssl/ssl.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/include/openssl/ssl.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1305,6 +1305,8 @@ # define SSL_CTRL_GET_MAX_PROTO_VERSION 131 # define SSL_CTRL_GET_SIGNATURE_NID 132 # define SSL_CTRL_GET_TMP_KEY 133 +# define SSL_CTRL_GET_VERIFY_CERT_STORE 137 +# define SSL_CTRL_GET_CHAIN_CERT_STORE 138 # define SSL_CERT_SET_FIRST 1 # define SSL_CERT_SET_NEXT 2 # define SSL_CERT_SET_SERVER 3 @@ -1360,10 +1362,14 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st)) # define SSL_CTX_set1_verify_cert_store(ctx,st) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st)) +# define SSL_CTX_get0_verify_cert_store(ctx,st) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st)) # define SSL_CTX_set0_chain_cert_store(ctx,st) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st)) # define SSL_CTX_set1_chain_cert_store(ctx,st) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st)) +# define SSL_CTX_get0_chain_cert_store(ctx,st) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st)) # define SSL_set0_chain(s,sk) \ SSL_ctrl(s,SSL_CTRL_CHAIN,0,(char *)(sk)) # define SSL_set1_chain(s,sk) \ @@ -1386,10 +1392,14 @@ SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st)) # define SSL_set1_verify_cert_store(s,st) \ SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st)) +#define SSL_get0_verify_cert_store(s,st) \ + SSL_ctrl(s,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st)) # define SSL_set0_chain_cert_store(s,st) \ SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st)) # define SSL_set1_chain_cert_store(s,st) \ SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st)) +#define SSL_get0_chain_cert_store(s,st) \ + SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st)) # define SSL_get1_groups(s, glist) \ SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist)) # define SSL_CTX_set1_groups(ctx, glist, glistlen) \ diff -Nru openssl-1.1.1n/include/openssl/x509v3.h openssl-1.1.1v/include/openssl/x509v3.h --- openssl-1.1.1n/include/openssl/x509v3.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/include/openssl/x509v3.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -136,7 +136,7 @@ OTHERNAME *otherName; /* otherName */ ASN1_IA5STRING *rfc822Name; ASN1_IA5STRING *dNSName; - ASN1_TYPE *x400Address; + ASN1_STRING *x400Address; X509_NAME *directoryName; EDIPARTYNAME *ediPartyName; ASN1_IA5STRING *uniformResourceIdentifier; diff -Nru openssl-1.1.1n/ssl/packet.c openssl-1.1.1v/ssl/packet.c --- openssl-1.1.1n/ssl/packet.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/packet.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -161,7 +161,7 @@ } /* Store the |value| of length |len| at location |data| */ -static int put_value(unsigned char *data, size_t value, size_t len) +static int put_value(unsigned char *data, uint64_t value, size_t len) { for (data += len - 1; len > 0; len--) { *data = (unsigned char)(value & 0xff); @@ -306,12 +306,12 @@ return WPACKET_start_sub_packet_len__(pkt, 0); } -int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t size) +int WPACKET_put_bytes__(WPACKET *pkt, uint64_t val, size_t size) { unsigned char *data; /* Internal API, so should not fail */ - if (!ossl_assert(size <= sizeof(unsigned int)) + if (!ossl_assert(size <= sizeof(uint64_t)) || !WPACKET_allocate_bytes(pkt, size, &data) || !put_value(data, val, size)) return 0; diff -Nru openssl-1.1.1n/ssl/packet_local.h openssl-1.1.1v/ssl/packet_local.h --- openssl-1.1.1n/ssl/packet_local.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/packet_local.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -227,6 +227,28 @@ return 1; } +/* + * Peek ahead at 8 bytes in network order from |pkt| and store the value in + * |*data| + */ +__owur static ossl_inline int PACKET_peek_net_8(const PACKET *pkt, + uint64_t *data) +{ + if (PACKET_remaining(pkt) < 8) + return 0; + + *data = ((uint64_t)(*pkt->curr)) << 56; + *data |= ((uint64_t)(*(pkt->curr + 1))) << 48; + *data |= ((uint64_t)(*(pkt->curr + 2))) << 40; + *data |= ((uint64_t)(*(pkt->curr + 3))) << 32; + *data |= ((uint64_t)(*(pkt->curr + 4))) << 24; + *data |= ((uint64_t)(*(pkt->curr + 5))) << 16; + *data |= ((uint64_t)(*(pkt->curr + 6))) << 8; + *data |= *(pkt->curr + 7); + + return 1; +} + /* Equivalent of n2l */ /* Get 4 bytes in network order from |pkt| and store the value in |*data| */ __owur static ossl_inline int PACKET_get_net_4(PACKET *pkt, unsigned long *data) @@ -250,6 +272,17 @@ return ret; } + +/* Get 8 bytes in network order from |pkt| and store the value in |*data| */ +__owur static ossl_inline int PACKET_get_net_8(PACKET *pkt, uint64_t *data) +{ + if (!PACKET_peek_net_8(pkt, data)) + return 0; + + packet_forward(pkt, 8); + + return 1; +} /* Peek ahead at 1 byte from |pkt| and store the value in |*data| */ __owur static ossl_inline int PACKET_peek_1(const PACKET *pkt, @@ -808,7 +841,7 @@ * 1 byte will fail. Don't call this directly. Use the convenience macros below * instead. */ -int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes); +int WPACKET_put_bytes__(WPACKET *pkt, uint64_t val, size_t bytes); /* * Convenience macros for calling WPACKET_put_bytes with different @@ -822,6 +855,8 @@ WPACKET_put_bytes__((pkt), (val), 3) #define WPACKET_put_bytes_u32(pkt, val) \ WPACKET_put_bytes__((pkt), (val), 4) +#define WPACKET_put_bytes_u64(pkt, val) \ + WPACKET_put_bytes__((pkt), (val), 8) /* Set a maximum size that we will not allow the WPACKET to grow beyond */ int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize); diff -Nru openssl-1.1.1n/ssl/record/rec_layer_s3.c openssl-1.1.1v/ssl/record/rec_layer_s3.c --- openssl-1.1.1n/ssl/record/rec_layer_s3.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/record/rec_layer_s3.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,7 @@ #include #include "record_local.h" #include "../packet_local.h" +#include "internal/cryptlib.h" #if defined(OPENSSL_SMALL_FOOTPRINT) || \ !( defined(AESNI_ASM) && ( \ @@ -115,10 +116,22 @@ if (s->rlayer.rstate == SSL_ST_READ_BODY) return 0; + /* Take into account DTLS buffered app data */ + if (SSL_IS_DTLS(s)) { + DTLS1_RECORD_DATA *rdata; + pitem *item, *iter; + + iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q); + while ((item = pqueue_next(&iter)) != NULL) { + rdata = item->data; + num += rdata->rrec.length; + } + } + for (i = 0; i < RECORD_LAYER_get_numrpipes(&s->rlayer); i++) { if (SSL3_RECORD_get_type(&s->rlayer.rrec[i]) != SSL3_RT_APPLICATION_DATA) - return 0; + return num; num += SSL3_RECORD_get_length(&s->rlayer.rrec[i]); } @@ -971,11 +984,14 @@ } /* - * Reserve some bytes for any growth that may occur during encryption. - * This will be at most one cipher block or the tag length if using - * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case. - */ - if (!WPACKET_reserve_bytes(thispkt, SSL_RT_MAX_CIPHER_BLOCK_SIZE, + * Reserve some bytes for any growth that may occur during encryption. If + * we are adding the MAC independently of the cipher algorithm, then the + * max encrypted overhead does not need to include an allocation for that + * MAC + */ + if (!WPACKET_reserve_bytes(thispkt, + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + - mac_size, NULL) /* * We also need next the amount of bytes written to this @@ -1025,6 +1041,9 @@ /* Allocate bytes for the encryption overhead */ if (!WPACKET_get_length(thispkt, &origlen) + /* Check we allowed enough room for the encryption growth */ + || !ossl_assert(origlen + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + - mac_size >= thiswr->length) /* Encryption should never shrink the data! */ || origlen > thiswr->length || (thiswr->length > origlen diff -Nru openssl-1.1.1n/ssl/record/ssl3_buffer.c openssl-1.1.1v/ssl/record/ssl3_buffer.c --- openssl-1.1.1n/ssl/record/ssl3_buffer.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/record/ssl3_buffer.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -97,11 +97,16 @@ #endif len = ssl_get_max_send_fragment(s) - + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; + + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align + + SSL_RT_MAX_CIPHER_BLOCK_SIZE /* Explicit IV allowance */; #ifndef OPENSSL_NO_COMP if (ssl_allow_compression(s)) len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif + /* + * We don't need to add an allowance for eivlen here since empty + * fragments only occur when we don't have an explicit IV + */ if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; } diff -Nru openssl-1.1.1n/ssl/record/ssl3_record.c openssl-1.1.1v/ssl/record/ssl3_record.c --- openssl-1.1.1n/ssl/record/ssl3_record.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/record/ssl3_record.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1532,6 +1532,7 @@ #if defined(CBC_MAC_ROTATE_IN_PLACE) unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; unsigned char *rotated_mac; + char aux1, aux2, aux3, mask; #else unsigned char rotated_mac[EVP_MAX_MD_SIZE]; #endif @@ -1581,9 +1582,16 @@ #if defined(CBC_MAC_ROTATE_IN_PLACE) j = 0; for (i = 0; i < md_size; i++) { - /* in case cache-line is 32 bytes, touch second line */ - ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32]; - out[j++] = rotated_mac[rotate_offset++]; + /* + * in case cache-line is 32 bytes, + * load from both lines and select appropriately + */ + aux1 = rotated_mac[rotate_offset & ~32]; + aux2 = rotated_mac[rotate_offset | 32]; + mask = constant_time_eq_8(rotate_offset & ~32, rotate_offset); + aux3 = constant_time_select_8(mask, aux1, aux2); + out[j++] = aux3; + rotate_offset++; rotate_offset &= constant_time_lt_s(rotate_offset, md_size); } #else diff -Nru openssl-1.1.1n/ssl/s3_enc.c openssl-1.1.1v/ssl/s3_enc.c --- openssl-1.1.1n/ssl/s3_enc.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/s3_enc.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -589,6 +589,8 @@ return TLS1_AD_NO_APPLICATION_PROTOCOL; case SSL_AD_CERTIFICATE_REQUIRED: return SSL_AD_HANDSHAKE_FAILURE; + case SSL_AD_MISSING_EXTENSION: + return SSL_AD_HANDSHAKE_FAILURE; default: return -1; } diff -Nru openssl-1.1.1n/ssl/s3_lib.c openssl-1.1.1v/ssl/s3_lib.c --- openssl-1.1.1n/ssl/s3_lib.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/s3_lib.c 2023-08-01 13:51:35.000000000 +0000 @@ -3676,6 +3676,12 @@ case SSL_CTRL_SET_CHAIN_CERT_STORE: return ssl_cert_set_cert_store(s->cert, parg, 1, larg); + case SSL_CTRL_GET_VERIFY_CERT_STORE: + return ssl_cert_get_cert_store(s->cert, parg, 0); + + case SSL_CTRL_GET_CHAIN_CERT_STORE: + return ssl_cert_get_cert_store(s->cert, parg, 1); + case SSL_CTRL_GET_PEER_SIGNATURE_NID: if (s->s3->tmp.peer_sigalg == NULL) return 0; @@ -3949,6 +3955,12 @@ case SSL_CTRL_SET_CHAIN_CERT_STORE: return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg); + case SSL_CTRL_GET_VERIFY_CERT_STORE: + return ssl_cert_get_cert_store(ctx->cert, parg, 0); + + case SSL_CTRL_GET_CHAIN_CERT_STORE: + return ssl_cert_get_cert_store(ctx->cert, parg, 1); + /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: if (ctx->extra_certs == NULL) { diff -Nru openssl-1.1.1n/ssl/ssl_cert.c openssl-1.1.1v/ssl/ssl_cert.c --- openssl-1.1.1n/ssl/ssl_cert.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/ssl_cert.c 2023-08-01 13:51:35.000000000 +0000 @@ -876,6 +876,12 @@ return 1; } +int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain) +{ + *pstore = (chain ? c->chain_store : c->verify_store); + return 1; +} + int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp) { int level; diff -Nru openssl-1.1.1n/ssl/ssl_ciph.c openssl-1.1.1v/ssl/ssl_ciph.c --- openssl-1.1.1n/ssl/ssl_ciph.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/ssl_ciph.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1026,9 +1026,7 @@ * alphanumeric, so we call this an error. */ SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND); - retval = found = 0; - l++; - break; + return 0; } if (rule == CIPHER_SPECIAL) { diff -Nru openssl-1.1.1n/ssl/ssl_init.c openssl-1.1.1v/ssl/ssl_init.c --- openssl-1.1.1n/ssl/ssl_init.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/ssl_init.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -116,7 +116,7 @@ } static CRYPTO_ONCE ssl_strings = CRYPTO_ONCE_STATIC_INIT; -static int ssl_strings_inited = 0; + DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings) { /* @@ -129,7 +129,6 @@ "ERR_load_SSL_strings()\n"); # endif ERR_load_SSL_strings(); - ssl_strings_inited = 1; #endif return 1; } @@ -157,20 +156,6 @@ ssl_comp_free_compression_methods_int(); #endif } - - if (ssl_strings_inited) { -#ifdef OPENSSL_INIT_DEBUG - fprintf(stderr, "OPENSSL_INIT: ssl_library_stop: " - "err_free_strings_int()\n"); -#endif - /* - * If both crypto and ssl error strings are inited we will end up - * calling err_free_strings_int() twice - but that's ok. The second - * time will be a no-op. It's easier to do that than to try and track - * between the two libraries whether they have both been inited. - */ - err_free_strings_int(); - } } /* diff -Nru openssl-1.1.1n/ssl/ssl_lib.c openssl-1.1.1v/ssl/ssl_lib.c --- openssl-1.1.1n/ssl/ssl_lib.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/ssl_lib.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1510,12 +1510,26 @@ { /* * Similar to SSL_pending() but returns a 1 to indicate that we have - * unprocessed data available or 0 otherwise (as opposed to the number of - * bytes available). Unlike SSL_pending() this will take into account - * read_ahead data. A 1 return simply indicates that we have unprocessed - * data. That data may not result in any application data, or we may fail - * to parse the records for some reason. - */ + * processed or unprocessed data available or 0 otherwise (as opposed to the + * number of bytes available). Unlike SSL_pending() this will take into + * account read_ahead data. A 1 return simply indicates that we have data. + * That data may not result in any application data, or we may fail to parse + * the records for some reason. + */ + + /* Check buffered app data if any first */ + if (SSL_IS_DTLS(s)) { + DTLS1_RECORD_DATA *rdata; + pitem *item, *iter; + + iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q); + while ((item = pqueue_next(&iter)) != NULL) { + rdata = item->data; + if (rdata->rrec.length > 0) + return 1; + } + } + if (RECORD_LAYER_processed_read_pending(&s->rlayer)) return 1; @@ -2084,6 +2098,7 @@ if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; + memset(&args, 0, sizeof(args)); args.s = s; args.type = OTHERFUNC; args.f.func_other = s->method->ssl_shutdown; @@ -3709,6 +3724,7 @@ if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; + memset(&args, 0, sizeof(args)); args.s = s; ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern); diff -Nru openssl-1.1.1n/ssl/ssl_local.h openssl-1.1.1v/ssl/ssl_local.h --- openssl-1.1.1n/ssl/ssl_local.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/ssl_local.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -2301,6 +2301,7 @@ __owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags); __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref); +__owur int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain); __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other); __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, diff -Nru openssl-1.1.1n/ssl/ssl_rsa.c openssl-1.1.1v/ssl/ssl_rsa.c --- openssl-1.1.1n/ssl/ssl_rsa.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/ssl_rsa.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -727,6 +727,34 @@ return 1; } +static size_t extension_contextoff(unsigned int version) +{ + return version == SSL_SERVERINFOV1 ? 4 : 0; +} + +static size_t extension_append_length(unsigned int version, size_t extension_length) +{ + return extension_length + extension_contextoff(version); +} + +static void extension_append(unsigned int version, + const unsigned char *extension, + const size_t extension_length, + unsigned char *serverinfo) +{ + const size_t contextoff = extension_contextoff(version); + + if (contextoff > 0) { + /* We know this only uses the last 2 bytes */ + serverinfo[0] = 0; + serverinfo[1] = 0; + serverinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff; + serverinfo[3] = SYNTHV1CONTEXT & 0xff; + } + + memcpy(serverinfo + contextoff, extension, extension_length); +} + static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, int *al, void *arg) @@ -842,12 +870,36 @@ const unsigned char *serverinfo, size_t serverinfo_length) { - unsigned char *new_serverinfo; + unsigned char *new_serverinfo = NULL; if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_PASSED_NULL_PARAMETER); return 0; } + if (version == SSL_SERVERINFOV1) { + /* + * Convert serverinfo version v1 to v2 and call yourself recursively + * over the converted serverinfo. + */ + const size_t sinfo_length = extension_append_length(SSL_SERVERINFOV1, + serverinfo_length); + unsigned char *sinfo; + int ret; + + sinfo = OPENSSL_malloc(sinfo_length); + if (sinfo == NULL) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_MALLOC_FAILURE); + return 0; + } + + extension_append(SSL_SERVERINFOV1, serverinfo, serverinfo_length, sinfo); + + ret = SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV2, sinfo, + sinfo_length); + + OPENSSL_free(sinfo); + return ret; + } if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length, NULL)) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA); @@ -899,7 +951,7 @@ char namePrefix2[] = "SERVERINFOV2 FOR "; int ret = 0; BIO *bin = NULL; - size_t num_extensions = 0, contextoff = 0; + size_t num_extensions = 0; if (ctx == NULL || file == NULL) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER); @@ -918,6 +970,7 @@ for (num_extensions = 0;; num_extensions++) { unsigned int version; + size_t append_length; if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) == 0) { @@ -962,11 +1015,6 @@ SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); goto end; } - /* - * File does not have a context value so we must take account of - * this later. - */ - contextoff = 4; } else { /* 8 byte header: 4 bytes context, 2 bytes type, 2 bytes len */ if (extension_length < 8 @@ -977,25 +1025,16 @@ } } /* Append the decoded extension to the serverinfo buffer */ - tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length - + contextoff); + append_length = extension_append_length(version, extension_length); + tmp = OPENSSL_realloc(serverinfo, serverinfo_length + append_length); if (tmp == NULL) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE); goto end; } serverinfo = tmp; - if (contextoff > 0) { - unsigned char *sinfo = serverinfo + serverinfo_length; - - /* We know this only uses the last 2 bytes */ - sinfo[0] = 0; - sinfo[1] = 0; - sinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff; - sinfo[3] = SYNTHV1CONTEXT & 0xff; - } - memcpy(serverinfo + serverinfo_length + contextoff, - extension, extension_length); - serverinfo_length += extension_length + contextoff; + extension_append(version, extension, extension_length, + serverinfo + serverinfo_length); + serverinfo_length += append_length; OPENSSL_free(name); name = NULL; diff -Nru openssl-1.1.1n/ssl/ssl_txt.c openssl-1.1.1v/ssl/ssl_txt.c --- openssl-1.1.1n/ssl/ssl_txt.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/ssl_txt.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -130,11 +130,11 @@ } #endif if (x->time != 0L) { - if (BIO_printf(bp, "\n Start Time: %ld", x->time) <= 0) + if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0) goto err; } if (x->timeout != 0L) { - if (BIO_printf(bp, "\n Timeout : %ld (sec)", x->timeout) <= 0) + if (BIO_printf(bp, "\n Timeout : %lld (sec)", (long long)x->timeout) <= 0) goto err; } if (BIO_puts(bp, "\n") <= 0) diff -Nru openssl-1.1.1n/ssl/statem/extensions_clnt.c openssl-1.1.1v/ssl/statem/extensions_clnt.c --- openssl-1.1.1n/ssl/statem/extensions_clnt.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/statem/extensions_clnt.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -118,6 +118,8 @@ int i, end, ret = 0; unsigned long alg_k, alg_a; STACK_OF(SSL_CIPHER) *cipher_stack = NULL; + const uint16_t *pgroups = NULL; + size_t num_groups, j; /* See if we support any ECC ciphersuites */ if (s->version == SSL3_VERSION) @@ -139,7 +141,19 @@ } sk_SSL_CIPHER_free(cipher_stack); - return ret; + if (!ret) + return 0; + + /* Check we have at least one EC supported group */ + tls1_get_supported_groups(s, &pgroups, &num_groups); + for (j = 0; j < num_groups; j++) { + uint16_t ctmp = pgroups[j]; + + if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) + return 1; + } + + return 0; } EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, @@ -988,7 +1002,7 @@ X509 *x, size_t chainidx) { #ifndef OPENSSL_NO_TLS1_3 - uint32_t now, agesec, agems = 0; + uint32_t agesec, agems = 0; size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen; unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; @@ -1045,8 +1059,7 @@ * this in multiple places in the code, so portability shouldn't be an * issue. */ - now = (uint32_t)time(NULL); - agesec = now - (uint32_t)s->session->time; + agesec = (uint32_t)(time(NULL) - s->session->time); /* * We calculate the age in seconds but the server may work in ms. Due to * rounding errors we could overestimate the age by up to 1s. It is diff -Nru openssl-1.1.1n/ssl/statem/extensions_srvr.c openssl-1.1.1v/ssl/statem/extensions_srvr.c --- openssl-1.1.1n/ssl/statem/extensions_srvr.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/statem/extensions_srvr.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,16 +12,16 @@ #include "statem_local.h" #include "internal/cryptlib.h" -#define COOKIE_STATE_FORMAT_VERSION 0 +#define COOKIE_STATE_FORMAT_VERSION 1 /* * 2 bytes for packet length, 2 bytes for format version, 2 bytes for * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for - * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen, + * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen, * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing. */ -#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \ +#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \ + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH) /* @@ -741,7 +741,7 @@ unsigned char hmac[SHA256_DIGEST_LENGTH]; unsigned char hrr[MAX_HRR_SIZE]; size_t rawlen, hmaclen, hrrlen, ciphlen; - unsigned long tm, now; + uint64_t tm, now; /* Ignore any cookie if we're not set up to verify it */ if (s->ctx->verify_stateless_cookie_cb == NULL @@ -851,7 +851,7 @@ } if (!PACKET_get_1(&cookie, &key_share) - || !PACKET_get_net_4(&cookie, &tm) + || !PACKET_get_net_8(&cookie, &tm) || !PACKET_get_length_prefixed_2(&cookie, &chhash) || !PACKET_get_length_prefixed_1(&cookie, &appcookie) || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) { @@ -861,7 +861,7 @@ } /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */ - now = (unsigned long)time(NULL); + now = time(NULL); if (tm > now || (now - tm) > 600) { /* Cookie is stale. Ignore it */ return 1; @@ -1167,7 +1167,7 @@ s->ext.early_data_ok = 1; s->ext.ticket_expected = 1; } else { - uint32_t ticket_age = 0, now, agesec, agems; + uint32_t ticket_age = 0, agesec, agems; int ret; /* @@ -1209,8 +1209,7 @@ } ticket_age = (uint32_t)ticket_agel; - now = (uint32_t)time(NULL); - agesec = now - (uint32_t)sess->time; + agesec = (uint32_t)(time(NULL) - sess->time); agems = agesec * (uint32_t)1000; ticket_age -= sess->ext.tick_age_add; @@ -1800,7 +1799,7 @@ &ciphlen) /* Is there a key_share extension present in this HRR? */ || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL) - || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL)) + || !WPACKET_put_bytes_u64(pkt, time(NULL)) || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, diff -Nru openssl-1.1.1n/ssl/statem/statem_clnt.c openssl-1.1.1v/ssl/statem/statem_clnt.c --- openssl-1.1.1n/ssl/statem/statem_clnt.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/statem/statem_clnt.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1422,6 +1422,11 @@ && sversion == TLS1_2_VERSION && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { + if (s->hello_retry_request != SSL_HRR_NONE) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNEXPECTED_MESSAGE); + goto err; + } s->hello_retry_request = SSL_HRR_PENDING; hrr = 1; if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { diff -Nru openssl-1.1.1n/ssl/statem/statem_dtls.c openssl-1.1.1v/ssl/statem/statem_dtls.c --- openssl-1.1.1n/ssl/statem/statem_dtls.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/statem/statem_dtls.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -218,8 +218,8 @@ else len = s->init_num; - if (len > s->max_send_fragment) - len = s->max_send_fragment; + if (len > ssl_get_max_send_fragment(s)) + len = ssl_get_max_send_fragment(s); /* * XDTLS: this function is too long. split out the CCS part @@ -241,7 +241,7 @@ ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len, &written); - if (ret < 0) { + if (ret <= 0) { /* * might need to update MTU here, but we don't know which * previous packet caused the failure -- so can't really diff -Nru openssl-1.1.1n/ssl/statem/statem_srvr.c openssl-1.1.1v/ssl/statem/statem_srvr.c --- openssl-1.1.1n/ssl/statem/statem_srvr.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/statem/statem_srvr.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -3820,15 +3820,24 @@ static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add, unsigned char *tick_nonce) { + uint32_t timeout = (uint32_t)s->session->timeout; + /* - * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this - * unspecified for resumed session (for simplicity). + * Ticket lifetime hint: * In TLSv1.3 we reset the "time" field above, and always specify the - * timeout. + * timeout, limited to a 1 week period per RFC8446. + * For TLSv1.2 this is advisory only and we leave this unspecified for + * resumed session (for simplicity). */ - if (!WPACKET_put_bytes_u32(pkt, - (s->hit && !SSL_IS_TLS13(s)) - ? 0 : s->session->timeout)) { +#define ONE_WEEK_SEC (7 * 24 * 60 * 60) + + if (SSL_IS_TLS13(s)) { + if (s->session->timeout > ONE_WEEK_SEC) + timeout = ONE_WEEK_SEC; + } else if (s->hit) + timeout = 0; + + if (!WPACKET_put_bytes_u32(pkt, timeout)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL, ERR_R_INTERNAL_ERROR); return 0; diff -Nru openssl-1.1.1n/ssl/t1_enc.c openssl-1.1.1v/ssl/t1_enc.c --- openssl-1.1.1n/ssl/t1_enc.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/t1_enc.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -672,6 +672,8 @@ return TLS1_AD_NO_APPLICATION_PROTOCOL; case SSL_AD_CERTIFICATE_REQUIRED: return SSL_AD_HANDSHAKE_FAILURE; + case SSL_AD_MISSING_EXTENSION: + return SSL_AD_HANDSHAKE_FAILURE; default: return -1; } diff -Nru openssl-1.1.1n/ssl/t1_lib.c openssl-1.1.1v/ssl/t1_lib.c --- openssl-1.1.1n/ssl/t1_lib.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/t1_lib.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -2369,22 +2369,20 @@ ca_dn = s->s3->tmp.peer_ca_names; - if (!sk_X509_NAME_num(ca_dn)) + if (ca_dn == NULL + || sk_X509_NAME_num(ca_dn) == 0 + || ssl_check_ca_name(ca_dn, x)) rv |= CERT_PKEY_ISSUER_NAME; - - if (!(rv & CERT_PKEY_ISSUER_NAME)) { - if (ssl_check_ca_name(ca_dn, x)) - rv |= CERT_PKEY_ISSUER_NAME; - } - if (!(rv & CERT_PKEY_ISSUER_NAME)) { + else for (i = 0; i < sk_X509_num(chain); i++) { X509 *xtmp = sk_X509_value(chain, i); + if (ssl_check_ca_name(ca_dn, xtmp)) { rv |= CERT_PKEY_ISSUER_NAME; break; } } - } + if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) goto end; } else @@ -2555,6 +2553,8 @@ int rv, start_idx, i; if (x == NULL) { x = sk_X509_value(sk, 0); + if (x == NULL) + return ERR_R_INTERNAL_ERROR; start_idx = 1; } else start_idx = 0; diff -Nru openssl-1.1.1n/ssl/tls13_enc.c openssl-1.1.1v/ssl/tls13_enc.c --- openssl-1.1.1n/ssl/tls13_enc.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/ssl/tls13_enc.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -190,6 +190,7 @@ if (!ossl_assert(mdleni >= 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, ERR_R_INTERNAL_ERROR); + EVP_PKEY_CTX_free(pctx); return 0; } mdlen = (size_t)mdleni; diff -Nru openssl-1.1.1n/test/certs/ca-pol-cert.pem openssl-1.1.1v/test/certs/ca-pol-cert.pem --- openssl-1.1.1n/test/certs/ca-pol-cert.pem 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/certs/ca-pol-cert.pem 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3 +DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7 +Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H +unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ +7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g +DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C +9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx +-----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/certs/ee-cert-policies-bad.pem openssl-1.1.1v/test/certs/ee-cert-policies-bad.pem --- openssl-1.1.1n/test/certs/ee-cert-policies-bad.pem 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/certs/ee-cert-policies-bad.pem 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H +mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC +MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w +bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G +CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ +P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs +YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N +XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa +QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx +wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF +-----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/certs/ee-cert-policies.pem openssl-1.1.1v/test/certs/ee-cert-policies.pem --- openssl-1.1.1n/test/certs/ee-cert-policies.pem 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/certs/ee-cert-policies.pem 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H +mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC +MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w +bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB +AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D +QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl +CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa +dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK +NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk +D3brBn24UISaFRZoB7jsjok= +-----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/certs/ee-ed25519.pem openssl-1.1.1v/test/certs/ee-ed25519.pem --- openssl-1.1.1n/test/certs/ee-ed25519.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/certs/ee-ed25519.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,9 +1,38 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6197312946105598768 (0x5601474a2a8dc330) + Signature Algorithm: ED25519 + Issuer: CN = IETF Test Demo + Validity + Not Before: Aug 1 12:19:24 2016 GMT + Not After : Nov 11 16:34:03 2121 GMT + Subject: CN = IETF Test Demo + Subject Public Key Info: + Public Key Algorithm: X25519 + X25519 Public-Key: + pub: + 85:20:f0:09:89:30:a7:54:74:8b:7d:dc:b4:3e:f7: + 5a:0d:bf:3a:0d:26:38:1a:f4:eb:a4:a9:8e:aa:9b: + 4e:6a + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: + Key Agreement + X509v3 Subject Key Identifier: + 9B:1F:5E:ED:ED:04:33:85:E4:F7:BC:62:3C:59:75:B9:0B:C8:BB:3B + Signature Algorithm: ED25519 + 72:b4:22:9c:d5:7b:85:10:ff:7c:28:59:e5:bb:1e:e8:b6:5f: + 74:39:94:dd:2f:8a:3d:6c:f3:23:28:d1:5e:3c:d1:56:e7:0a: + ea:99:ff:62:5c:48:0f:1c:24:24:35:98:1a:bb:ae:96:b9:93: + b3:cb:8e:45:e3:c0:ef:2e:5c:07 -----BEGIN CERTIFICATE----- -MIIBLDCB36ADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBUZX -N0IERlbW8wHhcNMTYwODAxMTIxOTI0WhcNNDAxMjMxMjM1OTU5WjAZMRcwFQYDVQQD -DA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlbgMhAIUg8AmJMKdUdIt93LQ+91oNvzoNJj -ga9OukqY6qm05qo0UwQzAPBgNVHRMBAf8EBTADAQEAMA4GA1UdDwEBAAQEAwIDCDAg -BgNVHQ4BAQAEFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBQYDK2VwA0EAryMB/t3J5v -/BzKc9dNZIpDmAgs3babFOTQbs+BolzlDUwsPrdGxO3YNGhW7Ibz3OGhhlxXrCe1Cg -w1AH9efZBw== +MIIBLjCB4aADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBU +ZXN0IERlbW8wIBcNMTYwODAxMTIxOTI0WhgPMjEyMTExMTExNjM0MDNaMBkxFzAV +BgNVBAMMDklFVEYgVGVzdCBEZW1vMCowBQYDK2VuAyEAhSDwCYkwp1R0i33ctD73 +Wg2/Og0mOBr066SpjqqbTmqjRTBDMA8GA1UdEwEB/wQFMAMBAQAwDgYDVR0PAQEA +BAQDAgMIMCAGA1UdDgEBAAQWBBSbH17t7QQzheT3vGI8WXW5C8i7OzAFBgMrZXAD +QQBytCKc1XuFEP98KFnlux7otl90OZTdL4o9bPMjKNFePNFW5wrqmf9iXEgPHCQk +NZgau66WuZOzy45F48DvLlwH -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/certs/embeddedSCTs1-key.pem openssl-1.1.1v/test/certs/embeddedSCTs1-key.pem --- openssl-1.1.1n/test/certs/embeddedSCTs1-key.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/certs/embeddedSCTs1-key.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,15 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k -WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X -EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB -AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g -PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf -flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU -X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ -pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA -b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt -9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR -83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs -n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ -1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ== +MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw +XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT +48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ +b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L +eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG +a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm +tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf +3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r +zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF +nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ +XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw +ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ +S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi +BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3 +2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn +MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU +JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn +j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA +jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu +ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk +3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P +o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI +fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1 +5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP +RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4= -----END RSA PRIVATE KEY----- diff -Nru openssl-1.1.1n/test/certs/embeddedSCTs1.pem openssl-1.1.1v/test/certs/embeddedSCTs1.pem --- openssl-1.1.1n/test/certs/embeddedSCTs1.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/certs/embeddedSCTs1.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk +MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX -YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw -MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu -c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G -CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/ -BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk -EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw -FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q -Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD -VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w -DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK -BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L -vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw -KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG -SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE -oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr -5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg +YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy +NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK +/RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE +FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI +0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I +QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S +wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB +CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I +Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD +ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI +/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB +u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ +BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR +RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1 +IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W +YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw== -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/certs/embeddedSCTs1.sct openssl-1.1.1v/test/certs/embeddedSCTs1.sct --- openssl-1.1.1n/test/certs/embeddedSCTs1.sct 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/certs/embeddedSCTs1.sct 2023-08-01 13:51:35.000000000 +0000 @@ -2,11 +2,11 @@ Version : v1 (0x0) Log ID : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C: 79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64 - Timestamp : Apr 5 17:04:16.275 2013 GMT + Timestamp : Jan 1 00:00:00.000 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 - 30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F: - D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3: - E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2: - F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1: - 05:51:9D:89:ED:BF:08 \ No newline at end of file + 30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A: + D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4: + BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F: + 02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7: + 60:EB:A8:AF:03:5E:C3 \ No newline at end of file diff -Nru openssl-1.1.1n/test/certs/embeddedSCTs1_issuer-key.pem openssl-1.1.1v/test/certs/embeddedSCTs1_issuer-key.pem --- openssl-1.1.1n/test/certs/embeddedSCTs1_issuer-key.pem 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/certs/embeddedSCTs1_issuer-key.pem 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7jHbrkVfT0PtLO1FuzsvR +yY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjPKDHM5nugSlojgZ88ujfm +JNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnLsvfP34b7arnRsQIDAQAB +AoGAJLR6xEJp+5IXRFlLn7WTkFvO0ddtxJ7bXhiIkTctyruyfqp7LF9Jv1G2m3PK +QPUtBc73w/GYkfnwIwdfJbOmPHL7XyEGHZYmEXgIgEtw6LXvAv0G5JpUnNwsSBfL +GfSQqI5Z5ytyzlJXkMcTGA2kTgNAYc73h4EnU+pwUnDPdAECQQD2aj+4LtYk1XPq +r3gjgI6MoGvgYJfPmAtZhxxVbhXQKciFUCAcBiwlQdHIdLWE9j65ctmZRWidKifr +4O4nz+TBAkEA3djNW/rTQq5fKZy+mCF1WYnIU/3yhJaptzRqLm7AHqe7+hdrGXJw ++mCtU8T3L/Ms8bH1yFBZhmkp1PbR8gl48QJAQo70YyWThiN5yfxXcQ96cZWrTdIJ +b3NcLXSHPLQdhDqlBQ1dfvRT3ERpC8IqfZ2d162kBPhwh3MpkVcSPQK0gQJAC/dY +xGBYKt2a9nSk9zG+0bCT5Kvq++ngh6hFHfINXNnxUsEWns3EeEzkrIMQTj7QqszN +lBt5aL2dawZRNrv6EQJBAOo4STF9KEwQG0HLC/ryh1FeB0OBA5yIepXze+eJVKei +T0cCECOQJKfWHEzYJYDJhyEFF/sYp9TXwKSDjOifrsU= +-----END RSA PRIVATE KEY----- diff -Nru openssl-1.1.1n/test/certs/embeddedSCTs1_issuer.pem openssl-1.1.1v/test/certs/embeddedSCTs1_issuer.pem --- openssl-1.1.1n/test/certs/embeddedSCTs1_issuer.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/certs/embeddedSCTs1_issuer.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk +MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX -YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw -MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu -c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf -MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7 -jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP -KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL -svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk -tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG -A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO -MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB -/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt -OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy -f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP -OwqULg== +YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw +ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy +YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w +gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG +0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4 +SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG +acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw +wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw +CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB +MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq ++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo +2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c +Doud4XrO -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/certs/mkcert.sh openssl-1.1.1v/test/certs/mkcert.sh --- openssl-1.1.1n/test/certs/mkcert.sh 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/certs/mkcert.sh 2023-08-01 13:51:35.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/bash # -# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # Copyright (c) 2016 Viktor Dukhovni . # All rights reserved. # @@ -117,11 +117,12 @@ local OPTIND=1 local purpose= - while getopts p: o + while getopts p:c: o do case $o in p) purpose="$OPTARG";; - *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2 + c) certpol="$OPTARG";; + *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2 return 1;; esac done @@ -142,6 +143,10 @@ if [ -n "$NC" ]; then exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC") fi + if [ -n "$certpol" ]; then + exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol") + fi + csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ diff -Nru openssl-1.1.1n/test/certs/root-ed25519.pem openssl-1.1.1v/test/certs/root-ed25519.pem --- openssl-1.1.1n/test/certs/root-ed25519.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/certs/root-ed25519.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,9 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 84:f1:08:3d:1c:e3:2d:95 + Signature Algorithm: ED25519 + Issuer: CN = IETF Test Demo + Validity + Not Before: Apr 19 21:36:39 2017 GMT + Not After : Nov 11 15:37:05 2122 GMT + Subject: CN = IETF Test Demo + Subject Public Key Info: + Public Key Algorithm: ED25519 + ED25519 Public-Key: + pub: + 19:bf:44:09:69:84:cd:fe:85:41:ba:c1:67:dc:3b: + 96:c8:50:86:aa:30:b6:b6:cb:0c:5c:38:ad:70:31: + 66:e1 + X509v3 extensions: + X509v3 Subject Key Identifier: + A2:8C:C1:F8:6E:59:60:D3:E0:3A:E7:5C:96:2C:97:A8:D4:48:29:3C + X509v3 Authority Key Identifier: + keyid:A2:8C:C1:F8:6E:59:60:D3:E0:3A:E7:5C:96:2C:97:A8:D4:48:29:3C + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: ED25519 + 08:f9:fc:49:37:0c:03:64:ed:90:70:89:eb:f1:69:ca:75:3b: + 71:15:8f:eb:80:45:00:db:88:9b:66:46:9c:a4:e1:50:c5:59: + 43:98:66:37:6d:b7:59:51:5d:b4:9d:1d:89:25:b4:f6:87:43: + b7:d3:3b:85:b9:8e:e1:a8:46:04 -----BEGIN CERTIFICATE----- -MIIBODCB66ADAgECAgkAhPEIPRzjLZUwBQYDK2VwMBkxFzAVBgNVBAMMDklFVEYg -VGVzdCBEZW1vMB4XDTE3MDQxOTIxMzYzOVoXDTQxMDIxMjIxMzYzOVowGTEXMBUG -A1UEAwwOSUVURiBUZXN0IERlbW8wKjAFBgMrZXADIQAZv0QJaYTN/oVBusFn3DuW -yFCGqjC2tssMXDitcDFm4aNQME4wHQYDVR0OBBYEFKKMwfhuWWDT4DrnXJYsl6jU -SCk8MB8GA1UdIwQYMBaAFKKMwfhuWWDT4DrnXJYsl6jUSCk8MAwGA1UdEwQFMAMB -Af8wBQYDK2VwA0EAa6iEoQZBWB1MhCzASv5HuFM7fR5Nz2/KM7GxYjQWsfvK2Ds1 -jaPSG7Lx4uywIndMafp5CoPoFr6yLBkt+NZLAg== +MIIBOjCB7aADAgECAgkAhPEIPRzjLZUwBQYDK2VwMBkxFzAVBgNVBAMMDklFVEYg +VGVzdCBEZW1vMCAXDTE3MDQxOTIxMzYzOVoYDzIxMjIxMTExMTUzNzA1WjAZMRcw +FQYDVQQDDA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlcAMhABm/RAlphM3+hUG6wWfc +O5bIUIaqMLa2ywxcOK1wMWbho1AwTjAdBgNVHQ4EFgQUoozB+G5ZYNPgOudcliyX +qNRIKTwwHwYDVR0jBBgwFoAUoozB+G5ZYNPgOudcliyXqNRIKTwwDAYDVR0TBAUw +AwEB/zAFBgMrZXADQQAI+fxJNwwDZO2QcInr8WnKdTtxFY/rgEUA24ibZkacpOFQ +xVlDmGY3bbdZUV20nR2JJbT2h0O30zuFuY7hqEYE -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/certs/rootCA.pem openssl-1.1.1v/test/certs/rootCA.pem --- openssl-1.1.1n/test/certs/rootCA.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/certs/rootCA.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,21 +1,79 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 88:43:29:cb:c2:eb:15:9a + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = rootCA + Validity + Not Before: Jul 2 13:15:11 2015 GMT + Not After : Jul 2 17:50:05 2122 GMT + Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = rootCA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c0:f1:6b:77:88:ac:35:df:fb:73:53:2f:92:80: + 2f:74:16:32:4d:f5:10:20:6f:6c:3a:8e:d1:dc:6b: + e1:2e:3e:c3:04:0f:bf:9b:c4:c9:12:d1:e4:0b:45: + 97:e5:06:cd:66:3a:e1:e0:e2:2b:df:a2:c4:ec:7b: + d3:3d:3c:8a:ff:5e:74:a0:ab:a7:03:6a:16:5b:5e: + 92:c4:7e:5b:79:8a:69:d4:bc:83:5e:ae:42:92:74: + a5:2b:e7:00:c1:a9:dc:d5:b1:53:07:0f:73:f7:8e: + ad:14:3e:25:9e:e5:1e:e6:cc:91:cd:95:0c:80:44: + 20:c3:fd:17:cf:91:3d:63:10:1c:14:5b:fb:c3:a8: + c1:88:b2:77:ff:9c:db:fc:6a:44:44:44:f7:85:ec: + 08:2c:d4:df:81:a3:79:c9:fe:1e:9b:93:16:53:b7: + 97:ab:be:4f:1a:a5:e2:fa:46:05:e4:0d:9c:2a:a4: + cc:b9:1e:21:a0:6c:c4:ab:59:b0:40:39:bb:f9:88: + ad:fd:df:8d:b4:0b:af:7e:41:e0:21:3c:c8:33:45: + 49:84:2f:93:06:ee:fd:4f:ed:4f:f3:bc:9b:de:fc: + 25:5e:55:d5:75:d4:c5:7b:3a:40:35:06:9f:c4:84: + b4:6c:93:0c:af:37:5a:af:b6:41:4d:26:23:1c:b8: + 02:b3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 85:56:89:35:E2:9F:00:1A:E1:86:03:0B:4B:AF:76:12:6B:33:6D:FD + X509v3 Authority Key Identifier: + keyid:85:56:89:35:E2:9F:00:1A:E1:86:03:0B:4B:AF:76:12:6B:33:6D:FD + + Signature Algorithm: sha256WithRSAEncryption + b9:5c:c3:39:31:e9:c1:63:f9:f1:29:2c:c6:84:80:ed:33:e5: + 72:3c:2c:e8:93:1f:07:03:65:cd:bb:04:ed:10:29:00:5f:ea: + 91:08:19:df:10:88:e9:00:5c:2e:eb:b5:af:98:70:c8:c4:8b: + 53:c4:26:c5:a1:d8:46:b9:9f:7d:48:e0:26:74:2c:61:b8:c1: + 89:06:b6:e5:b5:ba:6b:75:2b:16:ad:ca:88:26:25:73:9b:15: + 22:59:6a:94:dc:61:34:88:28:58:9f:de:fd:71:1e:37:af:90: + 74:7b:cf:bb:93:1c:73:24:15:26:7a:33:8c:5d:5b:81:97:14: + 62:01:7e:17:76:fb:aa:7a:4d:ed:81:2b:bd:d9:f3:12:69:86: + 01:b3:91:0a:8d:6b:bd:71:41:a9:93:63:c2:a1:ab:0d:48:05: + 99:7d:9e:a2:a4:ac:9f:73:0d:5b:5c:05:3a:52:64:fe:17:79: + 2a:27:51:d7:5b:af:dc:10:d5:23:6b:2c:62:51:00:c9:67:17: + 2d:29:a3:21:88:fd:14:48:0d:99:8c:d8:f8:c8:c7:ec:d2:83: + 3d:ba:d4:94:7b:df:39:61:4b:e3:7c:b9:ea:77:09:01:bc:ec: + db:1c:fa:42:1b:6d:1d:b1:51:5f:e4:87:dd:41:24:00:a2:52: + e0:1a:c0:1c -----BEGIN CERTIFICATE----- -MIIDfzCCAmegAwIBAgIJAIhDKcvC6xWaMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +MIIDgTCCAmmgAwIBAgIJAIhDKcvC6xWaMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX -aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE1MTFa -Fw0zNTA3MDIxMzE1MTFaMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0 -YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMM -BnJvb3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMDxa3eIrDXf -+3NTL5KAL3QWMk31ECBvbDqO0dxr4S4+wwQPv5vEyRLR5AtFl+UGzWY64eDiK9+i -xOx70z08iv9edKCrpwNqFlteksR+W3mKadS8g16uQpJ0pSvnAMGp3NWxUwcPc/eO -rRQ+JZ7lHubMkc2VDIBEIMP9F8+RPWMQHBRb+8OowYiyd/+c2/xqRERE94XsCCzU -34Gjecn+HpuTFlO3l6u+Txql4vpGBeQNnCqkzLkeIaBsxKtZsEA5u/mIrf3fjbQL -r35B4CE8yDNFSYQvkwbu/U/tT/O8m978JV5V1XXUxXs6QDUGn8SEtGyTDK83Wq+2 -QU0mIxy4ArMCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUhVaJNeKf -ABrhhgMLS692Emszbf0wHwYDVR0jBBgwFoAUhVaJNeKfABrhhgMLS692Emszbf0w -DQYJKoZIhvcNAQELBQADggEBADIKvyoK4rtPQ86I2lo5EDeAuzctXi2I3SZpnOe0 -mCCxJeZhWW0S7JuHvlfhEgXFBPEXzhS4HJLUlZUsWyiJ+3KcINMygaiF7MgIe6hZ -WzpsMatS4mbNFElc89M+YryRFrQc9d1Uqjxhl3ms5MhDNcMP/PNwHa/wnIoqkpNI -qtDoR741wcZ7bdr6XVdF8+pBjzbBPPRSf24x3bqavHBWcTjcSVcM/ZEXxeqH5SN0 -GbK2mQxrogX4UWjtl+DfYvl+ejpEcYNXKEmIabUUHtpG42544cuPtZizLW5bt/aT -JBQfpPZpvf9MUlACxUONFOLQdZ8SXpSJ0e93iX2J2Z52mSQ= +aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAgFw0xNTA3MDIxMzE1MTFa +GA8yMTIyMDcwMjE3NTAwNVowVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUt +U3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UE +AwwGcm9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwPFrd4is +Nd/7c1MvkoAvdBYyTfUQIG9sOo7R3GvhLj7DBA+/m8TJEtHkC0WX5QbNZjrh4OIr +36LE7HvTPTyK/150oKunA2oWW16SxH5beYpp1LyDXq5CknSlK+cAwanc1bFTBw9z +946tFD4lnuUe5syRzZUMgEQgw/0Xz5E9YxAcFFv7w6jBiLJ3/5zb/GpERET3hewI +LNTfgaN5yf4em5MWU7eXq75PGqXi+kYF5A2cKqTMuR4hoGzEq1mwQDm7+Yit/d+N +tAuvfkHgITzIM0VJhC+TBu79T+1P87yb3vwlXlXVddTFezpANQafxIS0bJMMrzda +r7ZBTSYjHLgCswIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBSFVok1 +4p8AGuGGAwtLr3YSazNt/TAfBgNVHSMEGDAWgBSFVok14p8AGuGGAwtLr3YSazNt +/TANBgkqhkiG9w0BAQsFAAOCAQEAuVzDOTHpwWP58SksxoSA7TPlcjws6JMfBwNl +zbsE7RApAF/qkQgZ3xCI6QBcLuu1r5hwyMSLU8QmxaHYRrmffUjgJnQsYbjBiQa2 +5bW6a3UrFq3KiCYlc5sVIllqlNxhNIgoWJ/e/XEeN6+QdHvPu5MccyQVJnozjF1b +gZcUYgF+F3b7qnpN7YErvdnzEmmGAbORCo1rvXFBqZNjwqGrDUgFmX2eoqSsn3MN +W1wFOlJk/hd5KidR11uv3BDVI2ssYlEAyWcXLSmjIYj9FEgNmYzY+MjH7NKDPbrU +lHvfOWFL43y56ncJAbzs2xz6QhttHbFRX+SH3UEkAKJS4BrAHA== -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/certs/setup.sh openssl-1.1.1v/test/certs/setup.sh --- openssl-1.1.1n/test/certs/setup.sh 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/certs/setup.sh 2023-08-01 13:51:35.000000000 +0000 @@ -405,3 +405,9 @@ root-ed448-key root-ed448-cert OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert + +# certificatePolicies extension +./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert +./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1" +# We can create a cert with a duplicate policy oid - but its actually invalid! +./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1" diff -Nru openssl-1.1.1n/test/ct_test.c openssl-1.1.1v/test/ct_test.c --- openssl-1.1.1n/test/ct_test.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/ct_test.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -63,7 +63,7 @@ if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) goto end; fixture->test_case_name = test_case_name; - fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */ + fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */ if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new()) || !TEST_int_eq( CTLOG_STORE_load_default_file(fixture->ctlog_store), 1)) diff -Nru openssl-1.1.1n/test/dhtest.c openssl-1.1.1v/test/dhtest.c --- openssl-1.1.1n/test/dhtest.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/dhtest.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -63,7 +63,7 @@ || !TEST_true(DH_set0_pqg(dh, p, q, g))) goto err1; - if (!DH_check(dh, &i)) + if (!TEST_true(DH_check(dh, &i))) goto err2; if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME) @@ -123,6 +123,29 @@ /* check whether the public key was calculated correctly */ TEST_uint_eq(BN_get_word(pub_key2), 3331L); + if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one()))) + goto err3; + + if (!TEST_true(DH_check(dh, &i))) + goto err3; + if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE) + || !TEST_false(i & DH_CHECK_Q_NOT_PRIME)) + goto err3; + + /* Modulus of size: dh check max modulus bits + 1 */ + if (!TEST_true(BN_set_word(p, 1)) + || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) + goto err3; + + /* + * We expect no checks at all for an excessively large modulus + */ + if (!TEST_false(DH_check(dh, &i))) + goto err3; + + /* We'll have a stale error on the queue from the above test so clear it */ + ERR_clear_error(); + /* * II) key generation */ @@ -137,7 +160,7 @@ goto err3; /* ... and check whether it is valid */ - if (!DH_check(a, &i)) + if (!TEST_true(DH_check(a, &i))) goto err3; if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME) diff -Nru openssl-1.1.1n/test/dtls_mtu_test.c openssl-1.1.1v/test/dtls_mtu_test.c --- openssl-1.1.1n/test/dtls_mtu_test.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/dtls_mtu_test.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -185,12 +185,58 @@ end: SSL_CTX_free(ctx); - bio_s_mempacket_test_free(); return ret; } +static int test_server_mtu_larger_than_max_fragment_length(void) +{ + SSL_CTX *ctx = NULL; + SSL *srvr_ssl = NULL, *clnt_ssl = NULL; + int rv = 0; + + if (!TEST_ptr(ctx = SSL_CTX_new(DTLS_method()))) + goto end; + + SSL_CTX_set_psk_server_callback(ctx, srvr_psk_callback); + SSL_CTX_set_psk_client_callback(ctx, clnt_psk_callback); + +#ifndef OPENSSL_NO_DH + if (!TEST_true(SSL_CTX_set_dh_auto(ctx, 1))) + goto end; +#endif + + if (!TEST_true(create_ssl_objects(ctx, ctx, &srvr_ssl, &clnt_ssl, + NULL, NULL))) + goto end; + + SSL_set_options(srvr_ssl, SSL_OP_NO_QUERY_MTU); + if (!TEST_true(DTLS_set_link_mtu(srvr_ssl, 1500))) + goto end; + + SSL_set_tlsext_max_fragment_length(clnt_ssl, + TLSEXT_max_fragment_length_512); + + if (!TEST_true(create_ssl_connection(srvr_ssl, clnt_ssl, + SSL_ERROR_NONE))) + goto end; + + rv = 1; + + end: + SSL_free(clnt_ssl); + SSL_free(srvr_ssl); + SSL_CTX_free(ctx); + return rv; +} + int setup_tests(void) { ADD_TEST(run_mtu_tests); + ADD_TEST(test_server_mtu_larger_than_max_fragment_length); return 1; } + +void cleanup_tests(void) +{ + bio_s_mempacket_test_free(); +} diff -Nru openssl-1.1.1n/test/dtlstest.c openssl-1.1.1v/test/dtlstest.c --- openssl-1.1.1n/test/dtlstest.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/dtlstest.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -328,6 +328,93 @@ return testresult; } +/* + * Test that swapping an app data record so that it is received before the + * Finished message still works. + */ +static int test_swap_app_data(void) +{ + SSL_CTX *sctx = NULL, *cctx = NULL; + SSL *sssl = NULL, *cssl = NULL; + int testresult = 0; + BIO *bio; + char msg[] = { 0x00, 0x01, 0x02, 0x03 }; + char buf[10]; + + if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), + DTLS_client_method(), + DTLS1_VERSION, 0, + &sctx, &cctx, cert, privkey))) + return 0; + +#ifndef OPENSSL_NO_DTLS1_2 + if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA"))) + goto end; +#else + /* Default sigalgs are SHA1 based in priv_key), 1)) + goto err; + + /* Test compliance with legacy behavior for NULL private keys */ + if (!TEST_int_eq(EC_KEY_set_private_key(key, NULL), 0) + || !TEST_ptr_null(key->priv_key)) + goto err; + + testresult = 1; + + err: + EC_KEY_free(key); + EC_KEY_free(aux_key); + return testresult; +} + +/* * Tests behavior of the decoded_from_explicit_params flag and API */ static int decoded_flag_test(void) @@ -337,6 +370,7 @@ ADD_TEST(field_tests_ec2_simple); #endif ADD_ALL_TESTS(field_tests_default, crv_len); + ADD_TEST(set_private_key); ADD_TEST(decoded_flag_test); ADD_ALL_TESTS(ecpkparams_i2d2i_test, crv_len); diff -Nru openssl-1.1.1n/test/exptest.c openssl-1.1.1v/test/exptest.c --- openssl-1.1.1n/test/exptest.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/exptest.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -49,7 +49,8 @@ BIGNUM *r = NULL; BN_ULONG one_word = 1; BN_CTX *ctx = BN_CTX_new(); - int ret = 1, failed = 0; + int ret = 0, failed = 0; + BN_MONT_CTX *mont = NULL; if (!TEST_ptr(m = BN_new()) || !TEST_ptr(a = BN_new()) @@ -94,6 +95,33 @@ if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a))) failed = 1; + if (!TEST_ptr(mont = BN_MONT_CTX_new())) + goto err; + + ERR_set_mark(); + /* mont is not set but passed in */ + if (!TEST_false(BN_mod_exp_mont_consttime(r, p, a, m, ctx, mont))) + goto err; + if (!TEST_false(BN_mod_exp_mont(r, p, a, m, ctx, mont))) + goto err; + ERR_pop_to_mark(); + + if (!TEST_true(BN_MONT_CTX_set(mont, m, ctx))) + goto err; + + /* we compute 0 ** a mod 1 here, to execute code that uses mont */ + if (!TEST_true(BN_mod_exp_mont_consttime(r, p, a, m, ctx, mont))) + goto err; + + if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a))) + failed = 1; + + if (!TEST_true(BN_mod_exp_mont(r, p, a, m, ctx, mont))) + goto err; + + if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont", r, a))) + failed = 1; + /* * A different codepath exists for single word multiplication * in non-constant-time only. @@ -114,6 +142,7 @@ BN_free(a); BN_free(p); BN_free(m); + BN_MONT_CTX_free(mont); BN_CTX_free(ctx); return ret; diff -Nru openssl-1.1.1n/test/pemtest.c openssl-1.1.1v/test/pemtest.c --- openssl-1.1.1n/test/pemtest.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/pemtest.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -83,9 +83,39 @@ return 1; } +static int test_empty_payload(void) +{ + BIO *b; + static char *emptypay = + "-----BEGIN CERTIFICATE-----\n" + "-\n" /* Base64 EOF character */ + "-----END CERTIFICATE-----"; + char *name = NULL, *header = NULL; + unsigned char *data = NULL; + long len; + int ret = 0; + + b = BIO_new_mem_buf(emptypay, strlen(emptypay)); + if (!TEST_ptr(b)) + return 0; + + /* Expected to fail because the payload is empty */ + if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0))) + goto err; + + ret = 1; + err: + OPENSSL_free(name); + OPENSSL_free(header); + OPENSSL_free(data); + BIO_free(b); + return ret; +} + int setup_tests(void) { ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data)); ADD_TEST(test_invalid); + ADD_TEST(test_empty_payload); return 1; } diff -Nru openssl-1.1.1n/test/recipes/10-test_bn_data/bnmod.txt openssl-1.1.1v/test/recipes/10-test_bn_data/bnmod.txt --- openssl-1.1.1n/test/recipes/10-test_bn_data/bnmod.txt 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/recipes/10-test_bn_data/bnmod.txt 2023-08-01 13:51:35.000000000 +0000 @@ -2474,6 +2474,71 @@ E = d7e6df5d755284929b986cd9b61c9c2c8843f24c711fbdbae1a468edcae159400943725570726cdc92b3ea94f9f206729516fdda83e31d815b0c7720e7598a91d992273e3bd8ac413b441d8f1dfe5aa7c3bf3ef573adc38292676217467731e6cf440a59611b8110af88d3e62f60209b513b01fbb69a097458ad02096b5e38f0 M = e4e784aa1fa88625a43ba0185a153a929663920be7fe674a4d33c943d3b898cff051482e7050a070cede53be5e89f31515772c7aea637576f99f82708f89d9e244f6ad3a24a02cbe5c0ff7bcf2dad5491f53db7c3f2698a7c41b44f086652f17bb05fe4c5c0a92433c34086b49d7e1825b28bab6c5a9bd0bc95b53d659afa0d7 +# The following inputs trigger an edge case between Montgomery reduction and the +# "almost" reduction variant from https://eprint.iacr.org/2011/239 +ModExp = 00 +A = 19c7bc9b97c6083cd7b8d1cd001452c9b67983247169c6532047eb7fc8933014dbf69fee7a358769f1429802c8ea89d4f9ca6ba6f368fbdb1fa5717b4a00 +E = bbc7e09147408571050e8d0c634682c5863b7e8a573626648902cff12e590c74f5a23ecce39732266bc15b8afbd6c48a48c83fbdc33947515cc0b6e4fb98ae2cd730e58f951fec8be7e2e3c74f4506c7fd7e29bdb28675fe8a59789ab1148e931a2ebd2d36f78bc241682a3d8083d8ff538858cd240c5a693936e5a391dc9d77118062a3f868c058440a4192267faaaba91112f45eee5842060febbf9353a6d3e7f7996573209136a5506062ea23d74067f08c613f3ff74bade25f8c3368e6dba84eae672eac11be1137fc514924fcab8c82e46d092bd047dcbadaa48c67a096ec1a04f392a8511e6acbad9954949b703e71ff837337b594055ae6f3c0fc154447a687c9ac8a2cdfd64a2e680c6ff21254735af7f5eb6b43f0bce86bda55a04143a991711081435ed4f4a89b23fc3a588022b7a8543db4bf5c8ac93603367c750ff2191f59a716340fab49bb7544759c8d846465eec1438e76395f73e7b5e945f31f1b87fefa854a0d208846eaab5fa27144fd039911608bab0eaee80f1d3553dfa2d9ba95268479b97a059613660df5ad79796e0b272244aca90ccc13449ec15c206eeed7b60405a4c5cfdf5da5d136c27fa9385d810ad198dfe794ffce9955e10520efea1e2eb794e379401b9affd863b9566ce941c4726755574a1b1946acf0090bfb93f37dd55f524485bbba7fa84b53addfde01ae1de9c57fe50d4b708dd0fa45d02af398b3d05c6d17f84c11e9aacdbe0b146cad6ddbd877731e26a17f3ebed459560d12ed7a6abc2ea6fe922e69d2622ef11b6b245b9ba8f0940faaa671a4beb727be5393a94dafaeff7221b29183e7418f4c5bb95a6a586c93dbc8ce0236d9dbe26c40513611b4141fed66599adbfb20fc30e09a4815e4159f65a6708f34584a7a77b3843941cd61a6917dcc3d07a3dfb5a2cb108bacea7e782f2111b4d22ecaaeff469ecd0da371df1ac5e9bf6df6ccba2d3a9f393d597499eaca2c206bfb81c3426c5fe45bcf16e38aecd246a319a1f37041c638b75a4839517e43a6d01bee7d85eaeedbce13cd15699d3ee42c7414cfed576590e4fb6ddb6edd3e1957efaf039bfe8b9dc75869b1f93abff15cae8b234161070fa3542303c2ed35ca66083d0ac299b81182317a2a3985269602b1fa1e822fcbda48e686d80b273f06b0a702ca7f42cbbbd2fc2b3601422c8bff6302eda3c61b293049636002649b16f3c1f0be2b6599d66493a4497cd795b10a2ab8220fafad24fa90e1bfcf39ecce337e705695c7a224bf9f445a287d6aab221341659ca4be7861f6ac4c9d33dac811e6 +M = 519b6e57781d40d897ec0c1b648d195526726b295438c9a70928ac25979563d72db91c8c42298a33b572edecdf40904c68a23337aa5341b56e92b0da5041 + +# To fully exercise BN_mod_exp_mont_consttime codepaths, we generate inputs at +# different bitwidths. rsaz-avx2.pl only runs at 1024-bit moduli, and +# x86_64-mont5.pl unrolls 8 64-bit words at a time, so we want to capture both +# multiples of 512- and non-multiples. Also include moduli that are not quite a +# full word. +# 512-bit +ModExp = 00 +A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 8f42c9e9e351ba9b32ab0cf69da43f4acf7028d19cff6e5059ea0e3fcc97c97f36a31470044737d4c0c933ac441ecb29e32c81401523afdac7de9c3fd8493c97 + +# 1024-bit +ModExp = 00 +A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 9da8dc26fdf4d2e49833b240ee552beb7a6e251caa91bfb5d6cafaf8ed9461877fda8f6ac299036d35806bc1ae7872e54eaac1ec6bee6d02c6621a9cf8883b3abc33c49b3e601203e0e86ef8f0562412cc689ee2670704583909ca6d7774c9f9f9f4d77d37fedef9cb51d207cb629ec02fa03b526fd6594bfa8f2da71238a0b7 + +# 1025-bit +ModExp = 00 +A = 010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011 +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 010223abfdda02e84e11cec8ee7fc784fa135733935f7b9054bb70f1f06d234d76dcf3beed55c7f39e955dc1fef2b65009240fd02f7a1b27a78fc2867144bf666efb929856db9f671c356c4c67a068a70fe83c52eebda03668872fd270d0794f0771d217fb6b93b12529a944f7f0496a9158757c55b8ee14f803f1d2d887e2f561 + +# 1088-bit +ModExp = 00 +A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003d +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = e91f6d748773cb212a23aa348125615123b1800c9ea222c9374c757702ae4140fa333790ed8f6bf60a1d7dda65c2767cc5f33e32e333d19fbfb5a2b85795757c9ca070268763a618e9d33873d28a89bf88acd209efbb15b80cd33b92a6b3a682e1c91782fc24fb86ddff4f809219c977b54b99359094bbcc51dfe17b992ab24b74a17950ad754281 + +# 1472-bit +ModExp = 00 +A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = a8770362f4bfe4fc1ab0e52705c11a9b6ba235d5a5f22197c2d68e27ed18426ede3316af706aa79bcf943dbd51459eb15ae1f9386216b3f3a847f94440a65b97659bc5ba2adb67173714ecaa886c0b926d7a64ea45576f9d2171784ce7e801724d5b0abfd93357d538ea7ad3ad89a74f4660bdb66dfb5f684dcf00402e3cdf0ab58afd867c943c8f47b80268a789456aa7c50a619dd2f9f5e3f74b5d810f0f8dadbf4ad5b917cdcb156c4c132611c8b3b035118a9e03551f + +# 1536-bit +ModExp = 00 +A = 800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002 +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 878cd000778f927b2f1a4b8bac86efd282079a7ac0d25e09ffd2f72fbc282e65e233929d2457c7b1d63c56fb706cdfa04fb87e654c578c98d7cf59c2293dc5641086b68db4867105981daaf147a0ee91f6932ef064deae4142c19e58d50c0686f0eaf778be72450f89a98b4680bbc5ffab942195e44dd20616150fd1deca058068ca31ab2f861e99082588f17a2025bf5e536150142fca3187a259c791fc721430f24d7e338f8dc02e693a7e694d42775e80f7f7c03600b6ae86b4aba2b0e991 + +# 2048-bit +ModExp = 00 +A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 9f40a7535c561208ecb38e17c9336d9bc8484d335901b2cd42759cf03689227f6992f10cb6b586d767fbcdf30e9d82a0eda60d2694ccd0194fa96b50b56e0cdeec1951ea9e58b07e334a7f108841a0ab28256917fecea561388807ed124a17386a7a7b501f9cbf3404247a76948d0561e48137d3f9669e36f175731796aeaf78851f7d866917f661422186a4814aa35c066b5a90b9cfc918af769a9f0bb30c12581027df64ac328a0f07dbd20adb704479f6d0f233a131828c71bab19c3c34795ea4fb68aa632c6f688e5b3b84413c9031d8dc251003a590dec0dd09bfa6109ed4570701439b6f265b84ac2170c317357b5fbe5535e2bbdd93c1aacfdaa28c85 + +# 3072-bit +ModExp = 00 +A = 80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = c23dfd244a58a668d514498a705c8f8f548311b24f0f98b023d2d33632534c2ae948d6641d41fd7a29fbbd594bfc7fdd6e8162cbb3056af3075347b6fc8876458d33a9d0ffdbcdf482de0c73d1310fd8fa8f9f92dd0dbb0e2034e98a30f6c11b482f7476c5b593f673a322b1130daa4314e9074270dce1076436f0d56cf196afcbb235a9a7b3ac85b9062e85fc0e63a12c468c787019f6805f9faab64fc6a0babc80785d88740243f11366bffb40ccbe8b2bb7a99a2c8238a6f656bb0117d7b2602aa400f4d77de5f93c673f13264ca70de949454e3e3f261993c1aa427e8ef4f507af744f71f3b4aaf3c981d44cc1bfb1eb1151168762b242b740573df698e500d99612e17dc760f7b3bf7c235e39e81ad7edbe6c07dbb8b139745bb394d61cb799bcafec5de074932b0b2d74797e779ac8d81f63a2b2e9baa229dfaa7f90f34ffade1d2ad022a3407d35eb2d7477c6ae8ad100f6e95c05b4f947c1fabfb11a17add384e6b4cd3a02fd9b43f46805c6c74e366b74aa3b766be7a5fbbd67fa81 + +# 4096-bit +ModExp = 00 +A = 8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 +E = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +M = 8030411ecbddcb0fe4e76fd6b5bf542e8b015d1610cf96130ded12ba2cda0641bd9692080f218ea8b0d751845b519d95b843542ec8d2a07f1f93afe3189b69a4f35c983011c7f7928c3df458cc3eae85c36e6934a4b1bc0a67c8a521de336642c49e10a7ffa8d0af911aacc19e3900449161940f139220e099a150dcaf0ff96ffff6e726c1ac139969103cf6a828ac3adf0301506aa02787b4f570d5dde53a34acab8fec6fa94760abf16ee99954371ad65a6e899daab87b95811d069404991de9abe064ebbddf886e970f10d260c899dda940191a82d4c8bd36651363aff5493f4f59e700007dcadf37ebea7fcfd7600d16617ffea0d9ae659446d851d93c564e50e558f734c894d735fa273770703dab62844d9f01badf632f3d14a00f739c022c9be95f54e9cea46ec6da7cb11f4602e06962951c48204726b7f120ddbd0eb3566dc8d1e6f195a9196e96db33322d088b43aecffe9b4df182dd016aca0bd14f1c56cd1a18b89165c027029862b09ffd78e92ab614349c4fd67f49cb12cd33d0728930d0538bda57acef1365a73cc8fbac7d463b9e3c3bae0bb6224b080cdb8b5cd47d546d53111fdc22b7ff679bcfe27192920ee163b2be337d8cccc93b4de7d2d31934b9c0e97af291dcc1135b4a473bd37114eec3ba75c411887b57799d3188e7353f33a4d31735ebfc9fcfc044985148dd96da3876a5ab7ea7a404b411 # These test vectors satisfy (ModSqrt * ModSqrt) mod P = A mod P with P a prime. # ModSqrt is in [0, (P-1)/2]. diff -Nru openssl-1.1.1n/test/recipes/25-test_verify.t openssl-1.1.1v/test/recipes/25-test_verify.t --- openssl-1.1.1n/test/recipes/25-test_verify.t 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/recipes/25-test_verify.t 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -27,7 +27,7 @@ run(app([@args])); } -plan tests => 146; +plan tests => 148; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -409,3 +409,14 @@ "ED25519 signature"); } + +# Certificate Policies +ok(verify("ee-cert-policies", "sslserver", ["root-cert"], ["ca-pol-cert"], + "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", + "-explicit_policy"), + "Certificate policy"); + +ok(!verify("ee-cert-policies-bad", "sslserver", ["root-cert"], ["ca-pol-cert"], + "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", + "-explicit_policy"), + "Bad certificate policy"); diff -Nru openssl-1.1.1n/test/recipes/25-test_x509.t openssl-1.1.1v/test/recipes/25-test_x509.t --- openssl-1.1.1n/test/recipes/25-test_x509.t 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/recipes/25-test_x509.t 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -15,7 +15,11 @@ setup("test_x509"); -plan tests => 9; +plan tests => 16; + +# Prevent MSys2 filename munging for arguments that look like file paths but +# aren't +$ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; require_ok(srctop_file('test','recipes','tconversion.pl')); @@ -46,4 +50,59 @@ subtest 'x509 -- pathlen' => sub { ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")]))); +}; + +# extracts issuer from a -text formatted-output +sub get_issuer { + my $f = shift(@_); + my $issuer = ""; + open my $fh, $f or die; + while (my $line = <$fh>) { + if ($line =~ /Issuer:/) { + $issuer = $line; + } + } + close $fh; + return $issuer; } + +# Tests for signing certs (broken in 1.1.1o) +my $a_key = "a-key.pem"; +my $a_cert = "a-cert.pem"; +my $a2_cert = "a2-cert.pem"; +my $ca_key = "ca-key.pem"; +my $ca_cert = "ca-cert.pem"; +my $cnf = srctop_file('apps', 'openssl.cnf'); + +# Create cert A +ok(run(app(["openssl", "req", "-x509", "-newkey", "rsa:2048", + "-config", $cnf, + "-keyout", $a_key, "-out", $a_cert, "-days", "365", + "-nodes", "-subj", "/CN=test.example.com"]))); +# Create cert CA - note key size +ok(run(app(["openssl", "req", "-x509", "-newkey", "rsa:4096", + "-config", $cnf, + "-keyout", $ca_key, "-out", $ca_cert, "-days", "3650", + "-nodes", "-subj", "/CN=ca.example.com"]))); +# Sign cert A with CA (errors on 1.1.1o) +ok(run(app(["openssl", "x509", "-in", $a_cert, "-CA", $ca_cert, + "-CAkey", $ca_key, "-set_serial", "1234567890", + "-preserve_dates", "-sha256", "-text", "-out", $a2_cert]))); +# verify issuer is CA +ok (get_issuer($a2_cert) =~ /CN = ca.example.com/); + +# Tests for issue #16080 (fixed in 1.1.1o) +my $b_key = "b-key.pem"; +my $b_csr = "b-cert.csr"; +my $b_cert = "b-cert.pem"; +# Create the CSR +ok(run(app(["openssl", "req", "-new", "-newkey", "rsa:4096", + "-keyout", $b_key, "-out", $b_csr, "-nodes", + "-config", $cnf, + "-subj", "/CN=b.example.com"]))); +# Sign it - position of "-text" matters! +ok(run(app(["openssl", "x509", "-req", "-text", "-CAcreateserial", + "-CA", $ca_cert, "-CAkey", $ca_key, + "-in", $b_csr, "-out", $b_cert]))); +# Verify issuer is CA +ok(get_issuer($b_cert) =~ /CN = ca.example.com/); diff -Nru openssl-1.1.1n/test/recipes/30-test_evp_data/evpciph.txt openssl-1.1.1v/test/recipes/30-test_evp_data/evpciph.txt --- openssl-1.1.1n/test/recipes/30-test_evp_data/evpciph.txt 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/recipes/30-test_evp_data/evpciph.txt 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ # -# Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1188,6 +1188,56 @@ Operation = DECRYPT Result = CIPHERFINAL_ERROR +#Test vectors generated to validate aesni_ocb_encrypt on x86 +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = C14DFF7D62A13C4A3422456207453190 +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333 + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = D47D84F6FF912C79B6A4223AB9BE2DB8 +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204 + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = 41970D13737B7BD1B5FBF49ED4412CA5 +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91 + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = BE0228651ED4E48A11BDED68D953F3A0 +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = 17BC6E10B16E5FDC52836E7D589518C7 +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = E84AAC18666116990A3A37B3A5FC55BD +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED + +Cipher = aes-128-ocb +Key = 000102030405060708090A0B0C0D0E0F +IV = 000000000001020304050607 +Tag = 3E5EA7EE064FE83B313E28D411E91EAD +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D +Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C + Title = AES XTS test vectors from IEEE Std 1619-2007 # Using the same key twice for encryption is always banned. diff -Nru openssl-1.1.1n/test/recipes/70-test_tls13hrr.t openssl-1.1.1v/test/recipes/70-test_tls13hrr.t --- openssl-1.1.1n/test/recipes/70-test_tls13hrr.t 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/recipes/70-test_tls13hrr.t 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -37,7 +37,8 @@ use constant { CHANGE_HRR_CIPHERSUITE => 0, - CHANGE_CH1_CIPHERSUITE => 1 + CHANGE_CH1_CIPHERSUITE => 1, + DUPLICATE_HRR => 2 }; #Test 1: A client should fail if the server changes the ciphersuite between the @@ -46,7 +47,7 @@ $proxy->serverflags("-curves P-256"); my $testtype = CHANGE_HRR_CIPHERSUITE; $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 2; +plan tests => 3; ok(TLSProxy::Message->fail(), "Server ciphersuite changes"); #Test 2: It is an error if the client changes the offered ciphersuites so that @@ -58,6 +59,19 @@ $proxy->start(); ok(TLSProxy::Message->fail(), "Client ciphersuite changes"); +#Test 3: A client should fail with unexpected_message alert if the server +# sends more than 1 HRR +my $fatal_alert = 0; +$proxy->clear(); +if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); +} else { + $proxy->serverflags("-curves P-256"); +} +$testtype = DUPLICATE_HRR; +$proxy->start(); +ok($fatal_alert, "Server duplicated HRR"); + sub hrr_filter { my $proxy = shift; @@ -78,6 +92,39 @@ return; } + if ($testtype == DUPLICATE_HRR) { + # We're only interested in the HRR + # and the unexpected_message alert from client + if ($proxy->flight == 4) { + $fatal_alert = 1 + if @{$proxy->record_list}[-1]->is_fatal_alert(0) == 10; + return; + } + if ($proxy->flight != 3) { + return; + } + + # Find ServerHello record (HRR actually) and insert after that + my $i; + for ($i = 0; ${$proxy->record_list}[$i]->flight() < 1; $i++) { + next; + } + my $hrr_record = ${$proxy->record_list}[$i]; + my $dup_hrr = TLSProxy::Record->new(3, + $hrr_record->content_type(), + $hrr_record->version(), + $hrr_record->len(), + $hrr_record->sslv2(), + $hrr_record->len_real(), + $hrr_record->decrypt_len(), + $hrr_record->data(), + $hrr_record->decrypt_data()); + + $i++; + splice @{$proxy->record_list}, $i, 0, $dup_hrr; + return; + } + # CHANGE_CH1_CIPHERSUITE if ($proxy->flight != 0) { return; diff -Nru openssl-1.1.1n/test/recipes/80-test_cms.t openssl-1.1.1v/test/recipes/80-test_cms.t --- openssl-1.1.1n/test/recipes/80-test_cms.t 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/recipes/80-test_cms.t 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -13,7 +13,7 @@ use POSIX; use File::Spec::Functions qw/catfile/; use File::Compare qw/compare_text/; -use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; +use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/; use OpenSSL::Test::Utils; setup("test_cms"); @@ -27,7 +27,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) = disabled qw/des dh dsa ec ec2m rc2 zlib/; -plan tests => 6; +plan tests => 7; my @smime_pkcs7_tests = ( @@ -584,3 +584,14 @@ return ""; } + +# Check that we get the expected failure return code +with({ exit_checker => sub { return shift == 6; } }, + sub { + ok(run(app(['openssl', 'cms', '-encrypt', + '-in', srctop_file("test", "smcont.txt"), + '-aes128', '-stream', '-recip', + srctop_file("test/smime-certs", "badrsa.pem"), + ])), + "Check failure during BIO setup with -stream is handled correctly"); + }); diff -Nru openssl-1.1.1n/test/recipes/80-test_policy_tree.t openssl-1.1.1v/test/recipes/80-test_policy_tree.t --- openssl-1.1.1n/test/recipes/80-test_policy_tree.t 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/recipes/80-test_policy_tree.t 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,43 @@ +#! /usr/bin/env perl +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use POSIX; +use OpenSSL::Test qw/:DEFAULT srctop_file with data_file/; + +use OpenSSL::Test::Utils; +use OpenSSL::Glob; + +setup("test_policy_tree"); + +plan skip_all => "No EC support" if disabled("ec"); + +plan tests => 2; + +# The small pathological tree is expected to work +my $small_chain = srctop_file("test", "recipes", "80-test_policy_tree_data", + "small_policy_tree.pem"); +my $small_leaf = srctop_file("test", "recipes", "80-test_policy_tree_data", + "small_leaf.pem"); + +ok(run(app(["openssl", "verify", "-CAfile", $small_chain, + "-policy_check", $small_leaf])), + "test small policy tree"); + +# The large pathological tree is expected to fail +my $large_chain = srctop_file("test", "recipes", "80-test_policy_tree_data", + "large_policy_tree.pem"); +my $large_leaf = srctop_file("test", "recipes", "80-test_policy_tree_data", + "large_leaf.pem"); + +ok(!run(app(["openssl", "verify", "-CAfile", $large_chain, + "-policy_check", $large_leaf])), + "test large policy tree"); diff -Nru openssl-1.1.1n/test/recipes/80-test_policy_tree_data/large_leaf.pem openssl-1.1.1v/test/recipes/80-test_policy_tree_data/large_leaf.pem --- openssl-1.1.1n/test/recipes/80-test_policy_tree_data/large_leaf.pem 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/recipes/80-test_policy_tree_data/large_leaf.pem 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmTCCAT+gAwIBAgIBADAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgMTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE +AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp6Qe +jrN6A0ZjqaFbX/zO01aVYXH5kthBDTEO/fU4H0CdwqrfyMsFrObwssrTJcsmSFKP +x1FYr8wT2wCACs19lqN4MHYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t +MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMAoGCCqGSM49 +BAMCA0gAMEUCIDGT8SVBkWJEZ2EzXm8M895NrNRmfc8uoheP0KKv+ndHAiEA2Onr +20J+zTaR7vONY/1DleMm7fGY3UxTobSHSvOKbfY= +-----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/recipes/80-test_policy_tree_data/large_policy_tree.pem openssl-1.1.1v/test/recipes/80-test_policy_tree_data/large_policy_tree.pem --- openssl-1.1.1n/test/recipes/80-test_policy_tree_data/large_policy_tree.pem 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/recipes/80-test_policy_tree_data/large_policy_tree.pem 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,434 @@ +-----BEGIN CERTIFICATE----- +MIICEDCCAbagAwIBAgIBATAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgMjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATgyLz1C0dD +ib5J/QmoE4d+Nf5yvvlzjVZHWIu7iCMEqK67cnA1RtMp1d0xdiNQS6si3ExNPBF+ +ELdkP0E6x26Jo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSs+ml5upH1h25oUB0Ep4vd +SUdZ/DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAOME8j1/cMogNnuNCb0O +RIOE9pLP4je78KJiP8CZm0iOAiALr8NI67orD/VpfRptkjCmOd7rTWMVOOJfBr6N +VJFLjw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICDzCCAbagAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgMzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASIdzU/FF3Y +rTsTX04fRIN2yrZwxvOAfZ6DuEgKRxEimJx1nCyETuMmfDowm52mx/Cyk08xorp8 +PhGEbacMd9kio4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSwok/8RfJbVGTzyF5jhWLc +hO7pcDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDRwAwRAIgYVF7bXxUuOzAZF6SmeIJ +s+iL15bLSQ2rW7QDc6QYp9MCIAup6YokIcr8JaGttHmLaKbASQLxYDGHhfFIVZuI +BDvT +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEDCCAbagAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgNDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ38Llxxj32 +H3NN4Z1V8IuRKXLNhdU4z+NbT1rahusEyAHF+z9VTjim+HHfqFKV1QyNOJZ4rMA9 +J/gODWsNCT4po4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS11YgFNKTx3a6kssIijnA9 +DiOhoTAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAJXNZHMpvlnMfxhcG6EF +Vw1pEXJ+iZnWT+Yu02a2zhamAiAiOKNhALBw/iKhQrwLo0cdx6UEfUKbaqTSGiax +tHUylA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEDCCAbagAwIBAgIBBDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATo81HWQ/we +egmoO/LMntQK1VQ9YzU627nblv/XWoOjEd/tBeE8+Un4jUnhZqNrP2TAzy48jEaT +1DShCQNQGek7o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS6/F38QgbZSHib0W1XtMfs +4O5DTDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIgXMYCQWi5/6iQw+zqyEav +CE7kOfTpm9GN4bZX5Eau5AACIQD0rDZwsjWf6hI2Hn8IlpwYVVC9bpxrAM/JmYuu +79V/uw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEDCCAbagAwIBAgIBBTAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgNjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARsPMjOkmzJ +2jwT30mKUvAFYVgOlgcoXxYr61p54mbQMmmH49ABmJQMu5rjwjwYlYA3UzbEN9ki +hMsJz/4JIrJGo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQeflZRWUze+7jne9MkYYy5 +iWFgJDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAIN6BjMnPlixl3i6Z1Xa +pZQt52MOCHPm0XzXDn2XlC9+AiAn146u8rbppdEGMFr21vfFZaktwEb0cZkC9fBp +S1uKwQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEDCCAbagAwIBAgIBBjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgNzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVmpozZzxX +f6rFinkqS0y8sfbOwcM0gNuR0x83mmZH5+a8W4ug5W80QiBaS3rHtwTsFHpCeQKq +eJvfb/esgJu8o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQPuF2sXR0vOHJynh57qefK ++h7RGDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIgDX0jHPq1alZoMbPDmbZp +QYuM9UQagQ5KJgVU1B0Mh2ECIQCtdyfT2h5jZvz3lLKkQ9a6LddIuqsyNKDAxbpb +PlBOOA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEDCCAbagAwIBAgIBBzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgODAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASb+9fN9RLe +SHGynsKXhLWGhIS/kZ6Yl97+h23xpjLaZUOzhn5VafXdmLrQ4BmqSMHqIKzcc8IB +STV3NwO4NxPBo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTBF9x+MrsyqoCaTQ2kB7Bn +tpK2qDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAI37Di/5MrSj2clr+2pX +iXzeDIvlaxzVetyH3ibUZZBSAiA41aPIssHi9evv2mZonEvXY8g+DKbh/3L2mSub +/AyLoA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICETCCAbagAwIBAgIBCDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgOTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrRS12/zEP +RUNye9SLadN4xK+xfTwyXfxeC+jam+J98lOMcHz6abnLpk5tJ7wab4Pkygsbj1V2 +STxeW+YH23dto4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQYpYFLhosbir7KoyYdehsQ +6DdLfzAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhAPTCN+zWFG2cFzJ+nlfg +JMY4U2e3vqTQmFeBXYlBASb9AiEA0KvsyNwloF1YeeaYcP5iHoRGRo8UMD3QWKEE +vWI14Uk= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEDCCAbegAwIBAgIBCTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMTAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBYxFDASBgNV +BAMTC1BvbGljeSBDQSA5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoR4udEgt +usb9f946+Xznm7Q3OaW4DTZjO7wqX1I+27zDp0JrUbCZwtm0Cw+pYkG5kPpNcFTK +7yG3YgqM1sT+6aOB8jCB7zAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUjgtOHvFBcUQ03AKUbvuJ +IWO5lzUwJQYDVR0gBB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFlAwIBMAIwcQYD +VR0hBGowaDAYBgpghkgBZQMCATABBgpghkgBZQMCATABMBgGCmCGSAFlAwIBMAEG +CmCGSAFlAwIBMAIwGAYKYIZIAWUDAgEwAgYKYIZIAWUDAgEwATAYBgpghkgBZQMC +ATACBgpghkgBZQMCATACMAoGCCqGSM49BAMCA0cAMEQCICIboTAzG1DvCY/0tA/o +l18zrW9qKVnt4mxih5JQe4fOAiBOF2ZeUT2/ZtdFhZmg+zl/fGrQ1xEx09/S956k +Ig4S9Q== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbigAwIBAgIBCjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMTEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAxMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLxetqJp +VR6apJytboxFCCooQ7jVcc7yoHhjlH8HsaJS3GrWpyMgiqOfyWt4KFMynKkgCU1K +1QcU9aC5BfRQpyWjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFD6etMtD6Qpa7TjVQBgV +/4PhZP4DMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA+5uiOjJoq5nU7lKN +rZtBdYNqUKvHuYB+jiNEfWvxx2cCIFZEJCGw8fzqkAyGWkLe10w8PUzPM64nh757 +pEtxCzZh +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbigAwIBAgIBCzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMTIwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAxMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPQuXEeo +BrbyENdz9HqAoWMSQx1BErsUcQaneq3L0/VHHJBPKihb8s4nB/2yZaEarr8LFAvi +ofx+4egydkP0mJ+jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIoC4qL79Uy3+m26Y+ch ++sE6gCOMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAx/vMDhaH4EYTM2v9 +GeM1xTP9pNRgak69JQLKLu1VM1YCIF1RYC8Fma5Bc0cZAYY+Gj7dEf9qHj1TODA5 +C9es2CPY +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICETCCAbigAwIBAgIBDDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMTMwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAxMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDlEv73o +ej8Xvc3UodhSHkech80DbuBKdeldOTrRp6ZaVUP3vMgjNUJkh4WkvP3UVTe5SV4D +zQXDIiwAEJu+zdmjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCAn0wYXyRdliJOBFvvJ +eZoGTiyOMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiAo2PPmLBZpcT0bst/C +SXvnl3gztIZu89O1MKsNwFcM9QIgIzqZx/o9MF/fP7zbLWErVcUQViOGiCRBLVh7 +ppb7CoA= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEzCCAbigAwIBAgIBDTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMTQwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAxMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8mgAoN +rmFo937IBKXKuxHedUjOL7y3cpDYD1H3C4HRDBQDVOL31lC5kJUhS4HBLvJQwebR +2kW35E3AnhbY/oKjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBGbO20Xp/q0fPChjLHL +WuJwSNc1MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA3qGzdevdYfmiSBj9 +t9oE8hfEP+APqGiStlOLKD6xVK0CIQDq9cVa2KXMEz7YwmMO3lxoQFDPEXftbRaC +edFB7q/YXg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEzCCAbigAwIBAgIBDjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMTUwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAxNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHDiOMtx +5sfJs/WDnw0xS5NYlkbgy2eOZHAmC/jhRp6cjShZrr2/S4IJsH8B2VMcYAHgum6a +eMjqWFIMxIjN5xyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOWtYUeAPk66m0o6Z7ax +1RN42wmkMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA+AcazVKKPfqkpcJw +rkXWIyZrTe+1PNETQzaJCooGNGkCIQDdfHf1I78e+ogaDcjkDe0s3R9VhkvjCty6 +uKKFtNGHMQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbigAwIBAgIBDzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMTYwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAxNTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKCkdSYz ++zyHItG2rQSyCh018b4bu9Zrw8nzkCBgkT2IyycNtpabYkWhxcEL29ZFqBnB+l7N +5fYmHl5CmflJPh+jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNanrmjMEN3PndPGeucm +mST9ucNWMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiAFt48yhTTv0rP29N8H +yRhAQGfnV4t1b8JucixLSfe32QIhAOef6iiwLxbBOMUn5ZN/WAK5TERem6DLSzWN +/PTXHAAt +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICETCCAbigAwIBAgIBEDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMTcwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAxNjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH5txyDp +DfRsIyYPTAQ+fuxk08E3/tpChVWoog4XQvod61wcUO1/nhoTGNKZZOhN5uhKWJWb +1futz+XxV2QxTCyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHSlcxgh3gxgVag1JvAk +zbHlgMbEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiA9Ee47PnxqW0QmELB+ +dd90Fz8wcQFZlNmkPW4Oq2xr/wIgGlxfutQq7l3TU5hyyO0Lh01AHn2DC5KPFPwE +l8S9VeY= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEzCCAbigAwIBAgIBETAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMTgwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAxNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJvlQKB +gJZ+Tysa6iwhllPXCeJrkan6WUm+oqOIY02/SpI5Mba1Kwg73Fsswx3Eywt8sxA2 +4fiaqwg+xZoil06jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM/udZ1ib8qDfShdfdfX +8gL6w7VMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA6kK7vAYF2TPXzywn ++SDLsiGbU6Sj8aTtsJZf9DmhKr4CIQCt4FfI7IWinqNlURXe4HSBPsekcQkOpwjK +PuJRx3fuFw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEzCCAbigAwIBAgIBEjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMTkwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAxODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEerejCw +gAy7GecLVbQw6eL8k1cGWwLt+wl3sn8he8fA0I+KoFfcOCgtvOF59RMXnjZ1+7OC +kz3mNDVSbKY6KO2jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM0OUOtOKTcTMRXGQwbw +GOoLCOEYMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAziPsm2dArB/3ILqm +04mZl8/DX6dB4EmU+FPF2UpAeLwCIQCofc27tisg3L1mPNeiwZ26+rDe5SdixiUc +S3KWOJ1cTg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbigAwIBAgIBEzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMjAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAxOTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPmB5spr +C64/21ssufcbshGnQtAWbk2o2l+ej6pMMPIZhmNyvM450L3dFX12UBNcaERCABmr +BEJL7IubGWE9CVOjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJCh/1mh0Hl2+LE0osUv +OJCmV3IYMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAtxMIkO4xCRSQCU6d +0jt+Go4xj/R4bQFWbZrlS9+fYUECICuWAgT3evhoo34o04pU84UaYOvO5V0GJsTt +hrS1v3hT +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEzCCAbigAwIBAgIBFDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMjEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAyMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHdvTDYo +M/padIV3LdTnrzwMy1HSTeJ2aTUalkVV17uL2i3C51rWM2pl+qlRordq6W2GboMz +/+78HhKMcCrMWKCjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAbZN0eSPw3MyvWIEix6 +GnYRIiFkMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAlaapLXHwGNkeEwc0 +jsY2XhuR3RlVhD4T2k/QyJRQ0s0CIQD5E+e+5QTe5s+534Lwcxe2iFb3oFm+8g81 +OBVtfmSMGg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbigAwIBAgIBFTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMjIwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAyMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLTu8R5Y +7Po4W05hWperfod6mXezwWgAVk2RW2EG2vy4NeZeML2EFhg2geNc6N5Goep9t7pn +d+BtORRvR75oCDijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNs0d2vXsRj3YYsBrWDo +jrvcEA+eMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiBB603Ui+L60FcUWPrB +Ch06hmgle2u0P07Go/XjTk00ZQIhALGhNArJFEY0gu+XUtyKEZt7BZ0/sh5dtLDP +xkRgR6Wh +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEzCCAbigAwIBAgIBFjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMjMwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAyMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPXpzC9/ +KGblQyjhdcS0a8KBPAiS7c0n+V0i9JItbyze38Ncrctp0wIGHZLjRoB4DZYX1I8e +K5C7KVeUPEE9eOGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFISsw9orkX/cBVWcK5KA +//kldz8HMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA1gazdApLS91ql8Am +4gb4Ku7Lgll4jV+BrLkbABE2cI0CIQCEH1GUJ6ARJB1GdcHrPyaLgeZ5jV2p63UW +UV2QL6aETA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbigAwIBAgIBFzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMjQwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAyMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKdweprb +RZmuUk4og1Xa9Skb1vu7jsLozlm9CtDhKLbJ+cDX/VeKj/b8FuvakBO3L1QV5XU0 +iFswsIVBVZ3m+TyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPgcEbHfKHt0o/PCS0kD +XWW9XkqMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA9XDj0w5qMS/tLlr9 +Z2j8JtVR4M7pF/Wx2U43vmPFJEACIBAlAiUnCm1Nfj16t2cojrW+m2t1cU80ihmj +Ld1U+dRD +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICETCCAbigAwIBAgIBGDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMjUwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAyNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAq2PphK +4oVsc+ml3zskBLiMa+dz64k+PrrfKIGSG2Ri5Du/orj0dO9639LeCkkMwWpXAfSx +wxHHQX0I1KwsudGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEqcfkso+ynKq2eFaJy8 +mzNBdN2PMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiBZ71jDD33HFFqMkLAW +gTAGMmzh9b/vZ8jAclPDKHRghQIgf2GBOF1eEF8Ino9F1n1ia5c3EryvXnvVoklw +cjMIQ5g= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbigAwIBAgIBGTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMjYwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAyNTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJRoDkj7 +iDlIygt4YmMgw4pizu2sx4436MGtw5fFHhjy7T+pPMGjYFg3dixxUOu1NHORpdJq +8Y7SN8p8Y0XsDpijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOutMoKSOv5lEGZaqYZM +zNFwpX3KMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAks62lsAHmN6xkZsF +6ocGONpH/XmHLpoO6RfMoRCnWkICIFNFD+W6pSSvdDB96sn8jnZ7W/Y0hyLzscBO +WtkzqqJJ +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEzCCAbigAwIBAgIBGjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMjcwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAyNjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE3seRj5 +LVNKi9sZk7qv5cBVUG8BLXXfDRUhCUzT10YAU1J0yd2wmLTbwPyYm65GaecvAHSR +SExOzX6bC35nNt6jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNx5XhDdoflDgPrW/HyU +tCokuJ0AMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEApAQVb0KQedyAw1SJ +J8At4uxxm2b8W13s6ENapxw+lwwCIQC7326NFPsDjbfBKhFDQhCIMkAkYq2wzRJ7 +ubTwkdT19g== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEzCCAbigAwIBAgIBGzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMjgwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAyNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC+FQF2E +TrZ4YGNyxFxzpTQBjlu9QUrwgHzabAn47toqRkWUGAS68jBfSdR+j2c7/oehQHhO +relHcbQilhZnh4ijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIOlwsa4FjZWhzQYTAY3 +c2TSYhsEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAwxNBi+8baAU76yng ++XvMpY62aqPO4bAe/uedaxBb2jMCIQDJHXqibgIAm1T4/YHimllVlLQudQL5OkbF +Krj3uVHtBg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbigAwIBAgIBHDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMjkwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAyODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBmhjGvk +C3QfSVdY5zuHEY4Rf3eKVro6vcKymgdBPFjjDggZNktR3OMnayCabJB51g2VL7Fg +MegdwzJWzPvQreyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEvevGIfitXek0IStYIR +5ne2SkJwMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiBzlv0TggDJWUWx0UHl +cqxuMpoNdy+ifizQIlcjWcrzvgIhAJdQfkPaZdc4/j/HfGaVNN9InJuBWGrPYU6A +iwsSB0jY +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEzCCAbigAwIBAgIBHTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMzAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAyOTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCrC5p+Z +ywMukm1LRuXeJ5V1M6V+8A8PjqB3tgHVeEn973HOfia8lt2/7EoKaLKzP8A7D3eC +aBJUmTgHauaolYOjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGG5D5h1FRA+aZMbSXfZ +Mp8pjYUEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAnI2IhyXtBCRiv+Xs +EzsO497oVf1U8SJiVR8SaEx0gzgCIQC0+un/Hcb0OWvpvoeHKcRi7e8SZkX+vn2i +u+KsPqlfzA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbigAwIBAgIBHjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMzEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAzMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHg1qbhT +bpV0agLQkk6di7EdwrrqIn7yCiBCfPwoDI7czY1bHwkR2E8EdrG4ZLBHHFXYNHau +kEo9nueljxbA6MGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGXSqDk/Zov8a62kkXDr +8YhtqdkTMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA1D2Fm3D8REQtj8o4 +ZrnDyWam0Rx6cEMsvmeoafOBUeUCIBW0IoUYmF46faRQWKN7R8wnvbjUw0bxztzy +okUR5Pma +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEjCCAbigAwIBAgIBHzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg +Q0EgMzEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV +BAMTDFBvbGljeSBDQSAzMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIwGMmHl +/QJSpu6KHakSe4gkf3L+NpsrtQpxu6sNfmSjO++dGv6sj2v3+DZNeyagVUJRVHaD +IZzpoyVVrBBO6vijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFA+f9g1sP2kM5sOT/8Ge +IDKq5FcUMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG +A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB +BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD +AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAvQlbAmF3pS041Zo2 +eHrxMO3j8thB+XqHU8RatCZ60WACIG1vUFPH7UwzTTann7Sgp4s+Gd/jLOkrJnEk +W3De9dSX +-----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/recipes/80-test_policy_tree_data/small_leaf.pem openssl-1.1.1v/test/recipes/80-test_policy_tree_data/small_leaf.pem --- openssl-1.1.1n/test/recipes/80-test_policy_tree_data/small_leaf.pem 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/recipes/80-test_policy_tree_data/small_leaf.pem 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmjCCAT+gAwIBAgIBADAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgMTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE +AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAER7oh +z+MnwilNhyEB2bZTuYBpeiwW4QlpYZU6b/8uWOldyMXCaPmaXwY60nrMznfFJX6F +h8dC6XIzvQmjUMdSoqN4MHYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t +MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMAoGCCqGSM49 +BAMCA0kAMEYCIQC2km5juUULIRYsRgHuLFEiABBR0pDAyTbl9LRjlkSeEQIhAO9b +ye60dMNbhY1OOzrr4mDRv0tuNmbGBErcFs61YZkC +-----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/recipes/80-test_policy_tree_data/small_policy_tree.pem openssl-1.1.1v/test/recipes/80-test_policy_tree_data/small_policy_tree.pem --- openssl-1.1.1n/test/recipes/80-test_policy_tree_data/small_policy_tree.pem 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/recipes/80-test_policy_tree_data/small_policy_tree.pem 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,70 @@ +-----BEGIN CERTIFICATE----- +MIICETCCAbagAwIBAgIBATAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgMjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQu7GyNFjN6 +Sqwk1CZAt+lzTC/Us6ZkO5nsmb8yAuPb6RJ0A2LvUbsmZea+UyBFq3VuEbbuCoeE +KRbKkS6wefAzo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQkJvfn8gFHIXVTBJ4hrtP +ypA9QTAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhALn6/b3H+jLusJE5QiaS +PiwrLcl+NDguWCnxo0c6AfduAiEApkXUN+7vRfXeFFd9CfA1BnTW3eUzBOsukZoN +zaj+utk= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICDzCCAbagAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgMzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+p+A+K6MI +R3eVP/+2O7lam32HU10frEKpyQslZAabYJwkc9iq5WatMbTMPQibuOIWHFl02uJ8 +cxGKy/Hke8P5o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSSOt6HCXw+L/4uzJsInqqA +XrWt8DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDRwAwRAIgS/vh3osFy+q1MLuVnAdg +gMINfiIJw1+3zbYsJYlNhWgCICu6Qgzee4NwIrJagcdVA0RAfnCOo6wfvikpl0ts +EepA +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEDCCAbagAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgNDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQONHKgpAJ6 +vE41FYBekpLzybpBQp/gUmgRPKrcL0z4lLTDjCG3j6yIbZma8u2bPM1MBXw5otZ7 +xVFhQ1AkZIOco4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ69465BL89BXORf4sSnneU +exkm0jAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAPK9PqPxgme9x6TPFh2z +vv+qVEM2WxOTdRKOPgUYzCp9AiBl8qO3szv5jNDzb0fRIqVp37v9yBjWcgO9Wl02 +QDCpGw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICETCCAbagAwIBAgIBBDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASLrUP7BFi7 ++LE2uDVCZ2Z2HK6BpL/kjBbwKkLxlJe+LqNolzu53b8+WtHwrvPPVkD9t3KMdWXU +K7NtHYgXUz07o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS0kaY2oJVEBLtjkqI8pXsv +eqm3VDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhAJuTMvMUda4Y29V1Tm5O +jCqBThR2NwdQfnET1sjch3Q7AiEA7nEudfXKMljjz608aWtafTkw5V5I2/SbuUKr +vjprfIo= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICEDCCAbagAwIBAgIBBTAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg +Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE +AxMLUG9saWN5IENBIDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ9RuYVzUGB +FkAEM9kHe9xynDo/NcsiaAO3+E2u7jJQQN50d6hVEDHf9961omldhKhP4HTNfhqj +VMIHKGMhXCgKo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTVrjWaVjkfMpilq5tGZ4zZ +iJtaSDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV +HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK +YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB +MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAPVgPpACX2ylQMEMSntw +izxKHTSPhXuF6IHhNHRz7KFnAiB8y/QcF7N2iXNZEqffWSkVted/XOw3Xrck0sJ6 +4eXNcw== +-----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/recipes/80-test_ssl_new.t openssl-1.1.1v/test/recipes/80-test_ssl_new.t --- openssl-1.1.1n/test/recipes/80-test_ssl_new.t 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/recipes/80-test_ssl_new.t 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -28,7 +28,7 @@ # We hard-code the number of tests to double-check that the globbing above # finds all files as expected. -plan tests => 29; # = scalar @conf_srcs +plan tests => 30; # = scalar @conf_srcs # Some test results depend on the configuration of enabled protocols. We only # verify generated sources in the default configuration. @@ -70,6 +70,8 @@ "25-cipher.conf" => disabled("poly1305") || disabled("chacha"), "27-ticket-appdata.conf" => !$is_default_tls, "28-seclevel.conf" => disabled("tls1_2") || $no_ec, + "30-supported-groups.conf" => disabled("tls1_2") || disabled("tls1_3") + || $no_ec || $no_ec2m ); # Add your test here if it should be skipped for some compile-time diff -Nru openssl-1.1.1n/test/recipes/95-test_external_pyca_data/cryptography.sh openssl-1.1.1v/test/recipes/95-test_external_pyca_data/cryptography.sh --- openssl-1.1.1n/test/recipes/95-test_external_pyca_data/cryptography.sh 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/recipes/95-test_external_pyca_data/cryptography.sh 2023-08-01 13:51:35.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. # Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. # # Licensed under the OpenSSL license (the "License"). You may not use @@ -12,6 +12,7 @@ # OpenSSL external testing using the Python Cryptography module # set -e +set -x O_EXE=`pwd`/$BLDTOP/apps O_BINC=`pwd`/$BLDTOP/include @@ -35,30 +36,27 @@ cd $SRCTOP # Create a python virtual env and activate -rm -rf venv-pycrypto -virtualenv venv-pycrypto -. ./venv-pycrypto/bin/activate +rm -rf venv-cryptography +python -m venv venv-cryptography +. ./venv-cryptography/bin/activate cd pyca-cryptography -pip install .[test] - echo "------------------------------------------------------------------" echo "Building cryptography" echo "------------------------------------------------------------------" -python ./setup.py clean - -CFLAGS="-I$O_BINC -I$O_SINC -L$O_LIB" python ./setup.py build +LDFLAGS="-L$O_LIB" CFLAGS="-I$O_BINC -I$O_SINC" pip install .[test] +pip install -e vectors echo "------------------------------------------------------------------" echo "Running tests" echo "------------------------------------------------------------------" -CFLAGS="-I$O_BINC -I$O_SINC -L$O_LIB" python ./setup.py test +pytest -n auto tests --wycheproof-root=../wycheproof cd ../ deactivate -rm -rf venv-pycrypto +rm -rf venv-cryptography exit 0 diff -Nru openssl-1.1.1n/test/smime-certs/badrsa.pem openssl-1.1.1v/test/smime-certs/badrsa.pem --- openssl-1.1.1n/test/smime-certs/badrsa.pem 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/badrsa.pem 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD +VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY +DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw +I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A +/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s +yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 +zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB +lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww +CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm +ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW +eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt +5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d +rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv +yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ +j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= +-----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/smime-certs/mksmime-certs.sh openssl-1.1.1v/test/smime-certs/mksmime-certs.sh --- openssl-1.1.1n/test/smime-certs/mksmime-certs.sh 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/mksmime-certs.sh 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -15,23 +15,23 @@ # Root CA: create certificate directly CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -nodes \ - -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650 + -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501 # EE RSA certificates: create request first CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -nodes \ -keyout smrsa1.pem -out req.pem -newkey rsa:2048 # Sign request: end entity extensions -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -nodes \ -keyout smrsa2.pem -out req.pem -newkey rsa:2048 -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -nodes \ -keyout smrsa3.pem -out req.pem -newkey rsa:2048 -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem # Create DSA parameters @@ -40,15 +40,15 @@ CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -nodes \ -keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -nodes \ -keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -nodes \ -keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem # Create EC parameters @@ -58,15 +58,15 @@ CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -nodes \ -keyout smec1.pem -out req.pem -newkey ec:ecp.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -nodes \ -keyout smec2.pem -out req.pem -newkey ec:ecp2.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -nodes \ -keyout smec3.pem -out req.pem -newkey ec:ecp.pem -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem # Create X9.42 DH parameters. $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_type:2 \ @@ -78,7 +78,7 @@ CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -nodes \ -keyout smtmp.pem -out req.pem -newkey rsa:2048 # Sign request but force public key to DH -$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -force_pubkey dhpub.pem \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem # Remove temp files. diff -Nru openssl-1.1.1n/test/smime-certs/smdh.pem openssl-1.1.1v/test/smime-certs/smdh.pem --- openssl-1.1.1n/test/smime-certs/smdh.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/smdh.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,33 +1,47 @@ -----BEGIN PRIVATE KEY----- -MIIBSgIBADCCASsGByqGSM4+AgEwggEeAoGBANQMSgwEcnEZ31kZxa9Ef8qOK/AJ -9dMlsXMWVYnf/QevGdN/0Aei/j9a8QHG+CvvTm0DOEKhN9QUtABKsYZag865CA7B -mSdHjQuFqILtzA25sDJ+3+jk9vbss+56ETRll/wasJVLGbmmHNkBMvc1fC1d/sGF -cEn4zJnQvvFaeMgDAoGAaQD9ZvL8FYsJuNxN6qp5VfnfRqYvyi2PWSqtRKPGGC+V -thYg49PRjwPOcXzvOsdEOQ7iH9jTiSvnUdwSSEwYTZkSBuQXAgOMJAWOpoXyaRvh -atziBDoBnWS+/kX5RBhxvS0+em9yfRqAQleuGG+R1mEDihyJc8dWQQPT+O1l4oUC -FQCJlKsQZ0VBrWPGcUCNa54ZW6TH9QQWAhRR2NMZrQSfWthXDO8Lj5WZ34zQrA== +MIICXAIBADCCAjUGByqGSM4+AgEwggIoAoIBAQCB6AUA/1eXRh+iLWHXe+lUl6e+ ++460tAIIpsQ1jw1ZaTmlH9SlrWSBNVRVHwDuBW7vA+lKgBvDpCIjmhRbgrZIGwcZ +6ruCYy5KF/B3AW5MApC9QCDaVrG6Hb7NfpMgwuUIKvvvOMrrvn4r5Oxtsx9rORTE +bdS33MuZCOIbodjs5u+e/2hhssOwgUTMASDwXppJTyeMwAAZ+p78ByrSULP6yYdP +PTh8sK1begDG6YTSKE3VqYNg1yaE5tQvCQ0U2L4qZ8JqexAVHbR8LA8MNhtA1pma +Zj4q2WNAEevpprIIRXgJEZY278nPlvVeoKfOef9RBHgQ6ZTnZ1Et5iLMCwYHAoIB +AFVgJaHfnBVJYfaQh1NyoVZJ5xX6UvvL5xEKUwwEMgs8JSOzp2UI+KRDpy9KbNH7 +93Kwa2d8Q7ynciDiCmd1ygF4CJKb4ZOwjWjpZ4DedHr0XokGhyBCyjaBxOi3i4tP +EFO8YHs5B/yOZHzcpTfs2VxJqIm3KF8q0Ify9PWDAsgo+d21/+eye60FHjF9o2/D +l3NRlOhUhHNGykfqFgKEEEof3/3c6r5BS0oRXdsu6dx/y2/v8j9aJoHfyGHkswxr +ULSBxJENOBB89C+GET6yhbxV1e4SFwzHnXgG8bWXwk7bea6ZqXbHq0pT3kUiQeKe +assXKqRBAG9NLbQ3mmx8RFkCHQDIVBWPf6VwBa2s1CAcsIziVJ8qr/KAKx9DZ3h5 +BB4CHAF3VZBAC/TB85J4PzsLJ+VrOWr0c8kQlYUR9rw= -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIID/zCCAuegAwIBAgIJANv1TSKgememMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA4MDIxNDQ5MjlaFw0yMzA2MTExNDQ5MjlaMEQx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU -ZXN0IFMvTUlNRSBFRSBESCAjMTCCAbYwggErBgcqhkjOPgIBMIIBHgKBgQDUDEoM -BHJxGd9ZGcWvRH/KjivwCfXTJbFzFlWJ3/0HrxnTf9AHov4/WvEBxvgr705tAzhC -oTfUFLQASrGGWoPOuQgOwZknR40LhaiC7cwNubAyft/o5Pb27LPuehE0ZZf8GrCV -Sxm5phzZATL3NXwtXf7BhXBJ+MyZ0L7xWnjIAwKBgGkA/Wby/BWLCbjcTeqqeVX5 -30amL8otj1kqrUSjxhgvlbYWIOPT0Y8DznF87zrHRDkO4h/Y04kr51HcEkhMGE2Z -EgbkFwIDjCQFjqaF8mkb4Wrc4gQ6AZ1kvv5F+UQYcb0tPnpvcn0agEJXrhhvkdZh -A4ociXPHVkED0/jtZeKFAhUAiZSrEGdFQa1jxnFAjWueGVukx/UDgYQAAoGAL1ve -cgI2awBeJH8ULBhSQpdL224VUDxFPiXzt8Vu5VLnxPv0pfA5En+8VByTuV7u6RSw -3/78NuTyr/sTyN8YlB1AuXHdTJynA1ICte1xgD4j2ijlq+dv8goOAFt9xkvXx7LD -umJ/cCignXETcNGfMi8+0s0bpMZyoHRdce8DQ26jYDBeMAwGA1UdEwEB/wQCMAAw -DgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQLWk1ffSXH8p3Bqrdjgi/6jzLnwDAf -BgNVHSMEGDAWgBTffl6IBSQzCN0igQKXzJq3sTMnMDANBgkqhkiG9w0BAQUFAAOC -AQEAWvJj79MW1/Wq3RIANgAhonsI1jufYqxTH+1M0RU0ZXHulgem77Le2Ls1bizi -0SbvfpTiiFGkbKonKtO2wvfqwwuptSg3omMI5IjAGxYbyv2KBzIpp1O1LTDk9RbD -48JMMF01gByi2+NLUQ1MYF+5RqyoRqcyp5x2+Om1GeIM4Q/GRuI4p4dybWy8iC+d -LeXQfR7HXfh+tAum+WzjfLJwbnWbHmPhTbKB01U4lBp6+r8BGHAtNdPjEHqap4/z -vVZVXti9ThZ20EhM+VFU3y2wyapeQjhQvw/A2YRES0Ik7BSj3hHfWH/CTbLVQnhu -Uj6tw18ExOYxqoEGixNLPA5qsQ== +MIIFmDCCBICgAwIBAgIUWlJkHZZ2eZgkGCHFtcMAjlLdDH8wDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgREggIzEwggNCMIICNQYHKoZIzj4C +ATCCAigCggEBAIHoBQD/V5dGH6ItYdd76VSXp777jrS0AgimxDWPDVlpOaUf1KWt +ZIE1VFUfAO4Fbu8D6UqAG8OkIiOaFFuCtkgbBxnqu4JjLkoX8HcBbkwCkL1AINpW +sbodvs1+kyDC5Qgq++84yuu+fivk7G2zH2s5FMRt1Lfcy5kI4huh2Ozm757/aGGy +w7CBRMwBIPBemklPJ4zAABn6nvwHKtJQs/rJh089OHywrVt6AMbphNIoTdWpg2DX +JoTm1C8JDRTYvipnwmp7EBUdtHwsDww2G0DWmZpmPirZY0AR6+mmsghFeAkRljbv +yc+W9V6gp855/1EEeBDplOdnUS3mIswLBgcCggEAVWAlod+cFUlh9pCHU3KhVknn +FfpS+8vnEQpTDAQyCzwlI7OnZQj4pEOnL0ps0fv3crBrZ3xDvKdyIOIKZ3XKAXgI +kpvhk7CNaOlngN50evReiQaHIELKNoHE6LeLi08QU7xgezkH/I5kfNylN+zZXEmo +ibcoXyrQh/L09YMCyCj53bX/57J7rQUeMX2jb8OXc1GU6FSEc0bKR+oWAoQQSh/f +/dzqvkFLShFd2y7p3H/Lb+/yP1omgd/IYeSzDGtQtIHEkQ04EHz0L4YRPrKFvFXV +7hIXDMedeAbxtZfCTtt5rpmpdserSlPeRSJB4p5qyxcqpEEAb00ttDeabHxEWQId +AMhUFY9/pXAFrazUIBywjOJUnyqv8oArH0NneHkDggEFAAKCAQBigH0Mp4jUMSfK +yOhKlEfyZ/hj/EImsUYW4+u8xjBN+ruOJUTJ06Mtgw3g2iLkhQoO9NROqvC9rdLj ++j3e+1QWm9EDNKQAa4nUp8/W+XZ5KkQWudmtaojEXD1+kd44ieNLtPGuVnPtDGO4 +zPf04IUq7tDGbMDMMn6YXvW6f28lR3gF5vvVIsnjsd/Lau6orzmNSrymXegsEsFR +Q7hT+/tPoAtro6Hx9rBrYb/0OCiRe4YuYrFKkC0aaJfUQepVyuVMSTxxKTzq8T06 +M8SBITlmkPFZJHyGzV/+a72hpJsAa0BaDnpxH3cFpEMzeYG1XQK461zexoIYN3ub +i3xNPUzPo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4E +FgQULayIqKcWHtUH4pFolI6dKxycIG8wHwYDVR0jBBgwFoAUFcETIWviVV+nah1X +INbP86lzZFkwDQYJKoZIhvcNAQELBQADggEBAKjKvvJ6Vc9HiQXACqqRZnekz2gO +ue71nsXXDr2+y4PPpgcDzgtO3vhQc7Akv6Uyca9LY7w/X+temP63yxdLpKXTV19w +Or0p4VEvTZ8AttMjFh4Hl8caVYk/J4TIudSXLIfKROP6sFu5GOw7W3xpBkL5Zio6 +3dqe6xAYK0woNQPDfj5yOAlqj1Ohth81JywW5h2g8GfLtNe62coAqwjMJT+ExHfU +EkF/beSqRGOvXwyhSxFpe7HVjUMgrgdfoZnNsoPmpH3eTiF4BjamGWI1+Z0o+RHa +oPwN+cCzbDsi9uTQJO1D5S697heX00zzzU/KSW7djNzKv55vm24znuFkXTM= -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/smime-certs/smdsa1.pem openssl-1.1.1v/test/smime-certs/smdsa1.pem --- openssl-1.1.1n/test/smime-certs/smdsa1.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/smdsa1.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,47 +1,47 @@ -----BEGIN PRIVATE KEY----- -MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6 -k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou -zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO -wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK -v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC -0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA -rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM -zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx -DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy -xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9 -ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h -Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ -TQMsxQQjAiEAkolGvb/76X3vm5Ov09ezqyBYt9cdj/FLH7DyMkxO7X0= +MIICXQIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1 +i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t +4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa +kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg +c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S +8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A +mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw +V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7 +ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR +CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL +5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL +QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX +ygQeAhwE9yuqObvNXzUTN+PY2rg00PzdyJw3XJAUrmlY -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 -uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS -7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS -wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 -+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 -Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D -AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb -0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu -g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 -0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv -yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf -7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P -aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAGXSQADbuRIZBjiQ6NikwZl+x -EDEffIE0RWbvwf1tfWxw4ZvanO/djyz5FePO0AIJDBCLUjr9D32nkmIG1Hu3dWgV -86knQsM6uFiMSzY9nkJGZOlH3w4NHLE78pk75xR1sg1MEZr4x/t+a/ea9Y4AXklE -DCcaHtpMGeAx3ZAqSKec+zQOOA73JWP1/gYHGdYyTQpQtwRTsh0Gi5mOOdpoJ0vp -O83xYbFCZ+ZZKX1RWOjJe2OQBRtw739q1nRga1VMLAT/LFSQsSE3IOp8hiWbjnit -1SE6q3II2a/aHZH/x4OzszfmtQfmerty3eQSq3bgajfxCsccnRjSbLeNiazRSKNg -MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFNHQYTOO -xaZ/N68OpxqjHKuatw6sMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs -MA0GCSqGSIb3DQEBBQUAA4IBAQAAiLociMMXcLkO/uKjAjCIQMrsghrOrxn4ZGBx -d/mCTeqPxhcrX2UorwxVCKI2+Dmz5dTC2xKprtvkiIadJamJmxYYzeF1pgRriFN3 -MkmMMkTbe/ekSvSeMtHQ2nHDCAJIaA/k9akWfA0+26Ec25/JKMrl3LttllsJMK1z -Xj7TcQpAIWORKWSNxY/ezM34+9ABHDZB2waubFqS+irlZsn38aZRuUI0K67fuuIt -17vMUBqQpe2hfNAjpZ8dIpEdAGjQ6izV2uwP1lXbiaK9U4dvUqmwyCIPniX7Hpaf -0VnX0mEViXMT6vWZTjLBUv0oKmO7xBkWHIaaX6oyF32pK5AO +MIIFmjCCBIKgAwIBAgIUUoOmJmXAY29/2rWY0wJphQ5/pzUwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMxMIIDQzCCAjYGByqGSM44 +BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL +J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5 +LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd +62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt +MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l +aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK +3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b +bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ +9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2 +DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B +E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV +hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBACGS7hCpTL0g +lx9C1Bwz5xfVd0mwCqx9UGiH8Bf4lRsSagL0Irwvnjz++WH1vecZa2bWsYsPhQ+D +KDzaCo20CYln4IFEPgY0fSE+KTF1icFj/mD+MgxWgsgKoTI120ENPGHqHpKkv0Uv +OlwTImU4BxxkctZ5273XEv3VPQE8COGnXgqt7NBazU/O7vibFm0iaEsVjHFHYcoo ++sMcm3F2E/gvR9IJGaGPeCk0sMW8qloPzErWIugx/OGqM7fni2cIcZwGdju52O+l +cLV0tZdgC7eTbVDMLspyuiYME+zvEzRwCQF/GqcCDSn68zxJv/zSNZ9XxOgZaBfs +Na7e8YGATiujYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud +DgQWBBSFVrWPZrHzhHUg0MMEAAKwQIfsazAfBgNVHSMEGDAWgBQVwRMha+JVX6dq +HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAbm49FB+eyeX7OBUC/akhnkFw +cDXqw7Fl2OibRK+g/08zp4CruwJdb72j5+pTmG+9SF7tGyQBfHFf1+epa3ZiIc+0 +UzFf2xQBMyHjesL19cTe4i176dHz8pCxx9OEow0GlZVV85+Anev101NskKVNNVA7 +YnB2xKQWgf8HORh66XVCk54xMcd99ng8xQ8vhZC6KckVbheQgdPp7gUAcDgxH2Yo +JF8jHQlsWNcCGURDldP6FQ49TGWHj24IGjnjGapWxMUjvCz+kV6sGW/OIYu+MM9w +FMIOyEdUUtKowWT6eXwrITup3T6pspPTicbK61ZCPuxMvP2JBFGZsqat+F5g+w== -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/smime-certs/smdsa2.pem openssl-1.1.1v/test/smime-certs/smdsa2.pem --- openssl-1.1.1n/test/smime-certs/smdsa2.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/smdsa2.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,47 +1,47 @@ -----BEGIN PRIVATE KEY----- -MIICZAIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6 -k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou -zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO -wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK -v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC -0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA -rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM -zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx -DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy -xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9 -ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h -Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ -TQMsxQQiAiAdCUJ5n2Q9hIynN8BMpnRcdfH696BKejGx+2Mr2kfnnA== +MIICXQIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1 +i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t +4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa +kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg +c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S +8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A +mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw +V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7 +ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR +CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL +5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL +QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX +ygQeAhwmRauZi+nQ3kQ+GSKD7JCwv8XkD9NObMGlW018 -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 -uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS -7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS -wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 -+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 -Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D -AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb -0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu -g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 -0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv -yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf -7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P -aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E -h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt -tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa -LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn -3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0 -KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg -MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k -qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs -MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp -VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb -uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV -6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD -2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96 -GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I +MIIFmjCCBIKgAwIBAgIUHGKu2FMhT1wCiJTK3uAnklo55uowDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMyMIIDQzCCAjYGByqGSM44 +BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL +J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5 +LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd +62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt +MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l +aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK +3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b +bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ +9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2 +DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B +E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV +hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBAE0+OYS0s8/o +HwuuiPsBZTlRynqdwF6FHdE0Ei2uVTxnJouPYB2HvaMioG2inbISzPtEcnLF9Pyx +4hsXz7D49yqyMFjE3G8ObBOs/Vdno6E9ZZshWiRDwPf8JmoYp551UuJDoVaOTnhx +pEs30nuidtqd54PMdWUQPfp58kTu6bXvcRxdUj5CK/PyjavJCnGfppq/6j8jtrji +mOjIIeLZIbWp7hTVS/ffmfqZ8Lx/ShOcUzDa0VS3lfO28XqXpeqbyHdojsYlG2oA +shKJL7/scq3ab8cI5QuHEIGSbxinKfjCX4OEQ04CNsgUwMY9emPSaNdYDZOPqq/K +3bGk2PLcRsyjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud +DgQWBBTQAQyUCqYWGo5RuwGCtHNgXgzEQzAfBgNVHSMEGDAWgBQVwRMha+JVX6dq +HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAc3rayE2FGgG1RhLXAHYAs1Ky +4fcVcrzaPaz5jjWbpBCStkx+gNcUiBf+aSxNrRvUoPOSwMDLpMhbNBj2cjJqQ0W1 +oq4RUQth11qH89uPtBqiOqRTdlWAGZJbUTtVfrlc58DsDxFCwdcktSDYZwlO2lGO +vMCOn9N7oqEEuwRa++xVnYc8ZbY8lGwJD3bGR6iC7NkYk+2LSqPS52m8e0GO8dpf +RUrndbhmtsYa925dj2LlI218F3XwVcAUPW67dbpeEVw5OG8OCHRHqrwBEJj2PMV3 +tHeNXDEhjTzI3wiFia4kDBAKIsrC/XQ4tEiFzq0V00BiVY0ykhy+v/qNPskTsg== -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/smime-certs/smdsa3.pem openssl-1.1.1v/test/smime-certs/smdsa3.pem --- openssl-1.1.1n/test/smime-certs/smdsa3.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/smdsa3.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,47 +1,47 @@ -----BEGIN PRIVATE KEY----- -MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6 -k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou -zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO -wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK -v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC -0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA -rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM -zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx -DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy -xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9 -ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h -Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ -TQMsxQQjAiEArJr6p2zTbhRppQurHGTdmdYHqrDdZH4MCsD9tQCw1xY= +MIICXgIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1 +i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t +4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa +kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg +c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S +8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A +mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw +V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7 +ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR +CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL +5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL +QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX +ygQfAh0AkfI6533W5nBIVrDPcp2DCXC8u2SIwBob6OoK5A== -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 -uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS -7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS -wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 -+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 -Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D -AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb -0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu -g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 -0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv -yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf -7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P -aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAcXvtfiJfIZ0wgGpN72ZeGrJ9 -msUXOxow7w3fDbP8r8nfVkBNbfha8rx0eY6fURFVZzIOd8EHGKypcH1gS6eZNucf -zgsH1g5r5cRahMZmgGXBEBsWrh2IaDG7VSKt+9ghz27EKgjAQCzyHQL5FCJgR2p7 -cv0V4SRqgiAGYlJ191k2WtLOsVd8kX//jj1l8TUgE7TqpuSEpaSyQ4nzJROpZWZp -N1RwFmCURReykABU/Nzin/+rZnvZrp8WoXSXEqxeB4mShRSaH57xFnJCpRwKJ4qS -2uhATzJaKH7vu63k3DjftbSBVh+32YXwtHc+BGjs8S2aDtCW3FtDA7Z6J8BIxaNg -MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFMJxatDE -FCEFGl4uoiQQ1050Ju9RMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs -MA0GCSqGSIb3DQEBBQUAA4IBAQBGZD1JnMep39KMOhD0iBTmyjhtcnRemckvRask -pS/CqPwo+M+lPNdxpLU2w9b0QhPnj0yAS/BS1yBjsLGY4DP156k4Q3QOhwsrTmrK -YOxg0w7DOpkv5g11YLJpHsjSOwg5uIMoefL8mjQK6XOFOmQXHJrUtGulu+fs6FlM -khGJcW4xYVPK0x/mHvTT8tQaTTkgTdVHObHF5Dyx/F9NMpB3RFguQPk2kT4lJc4i -Up8T9mLzaxz6xc4wwh8h70Zw81lkGYhX+LRk3sfd/REq9x4QXQNP9t9qU1CgrBzv -4orzt9cda4r+rleSg2XjWnXzMydE6DuwPVPZlqnLbSYUy660 +MIIFmjCCBIKgAwIBAgIUO2QHMd9V/S6KlrFDIPd7asRP4FAwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMzMIIDQzCCAjYGByqGSM44 +BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL +J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5 +LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd +62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt +MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l +aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK +3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b +bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ +9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2 +DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B +E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV +hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBAEj25Os9f57G +TaxsP8NzdCRBThCLqZWqLADh6S/aFOQQFpRRk3vGkvrOK/5La8KGKIDyzCEQo7Kg +sPwI1o4N5GKx15Cer2ekDWLtP4hA2CChs4tWJzEa8VxIDTg4EUnASFCbfDUY/Yt0 +5NM4nxtBhnr6PT7XmRehEFaTAgmsQFJ29jKx4tJkr+Gmj9J4i10CPd9DvIgIEnNt +rYMAlfbGovaZVCgKp5INVA4IkDfCcbzDeNiOGaACeV+4QuEbgIbUhMq9vbw3Vvqe +jwozPdrTYjd7oNxx/tY7gqxFRFxdDPXPno230afsAJsHmNF7lpj9Q4vBhy8w/EI1 +jGzuiXjei9qjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud +DgQWBBTwbCT+wSR9cvTg70jA2yIWgQSDZjAfBgNVHSMEGDAWgBQVwRMha+JVX6dq +HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAe5t9oi8K76y+wnV6I21vKgEh +M6DEe3+XTq10kAgYbcbMm+a6n86beaID7FANGET+3bsShxFeAX9g4Qsdw+Z3PF3P +wvqiBD8MaXczj28zP6j9TxsjGzpAsV3xo1n7aQ+hHzpopJUxAyx4hLBqSSwdj/xe +azELeVKoXY/nlokXnONWC5AvtfR7m7mKFPOmUghbeGCJH7+FXnC58eiF7BEpSbQl +SniAdQFis+Dne6/kwZnQQaSDg55ELfaZOLhaLcRtqqgU+kv24mXGGEBhs9bBKMz5 +ZNiKLafE3tCGRA5iMRwzdeSgrdnkQDHFiYXh3JHk5oKwGOdxusgt3DTHAFej1A== -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/smime-certs/smec1.pem openssl-1.1.1v/test/smime-certs/smec1.pem --- openssl-1.1.1n/test/smime-certs/smec1.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/smec1.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,22 +1,22 @@ -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgXzBRX9Z5Ib4LAVAS -DMlYvkj0SmLmYvWULe2LfyXRmpWhRANCAAS+SIj2FY2DouPRuNDp9WVpsqef58tV -3gIwV0EOV/xyYTzZhufZi/aBcXugWR1x758x4nHus2uEuEFi3Mr3K3+x +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgdOomk0EB/oWMnTZB +Qm5XMjlKnZNF4PMpwgov0Tj3u8OhRANCAATbG6XprSqHiD9AxWJiXRFgS+y38DGZ +7hpSjs4bd95L+Lli+O91/lUy7Tb8aJ6VU2CoyWQjV4sQjbdVqeD+y4Ky -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIICoDCCAYigAwIBAgIJANk5lu6mSyBGMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU -ZXN0IFMvTUlNRSBFRSBFQyAjMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL5I -iPYVjYOi49G40On1ZWmyp5/ny1XeAjBXQQ5X/HJhPNmG59mL9oFxe6BZHXHvnzHi -ce6za4S4QWLcyvcrf7GjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg -MB0GA1UdDgQWBBR/ybxC2DI+Jydhx1FMgPbMTmLzRzAfBgNVHSMEGDAWgBTJkVMK -Y3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEAdk9si83JjtgHHHGy -WcgWDfM0jzlWBsgFNQ9DwAuB7gJd/LG+5Ocajg5XdA5FXAdKkfwI6be3PdcVs3Bt -7f/fdKfBxfr9/SvFHnK7PVAX2x1wwS4HglX1lfoyq1boSvsiJOnAX3jsqXJ9TJiV -FlgRVnhnrw6zz3Xs/9ZDMTENUrqDHPNsDkKEi+9SqIsqDXpMCrGHP4ic+S8Rov1y -S+0XioMxVyXDp6XcL4PQ/NgHbw5/+UcS0me0atZ6pW68C0vi6xeU5vxojyuZxMI1 -DXXwMhOXWaKff7KNhXDUN0g58iWlnyaCz4XQwFsbbFs88TQ1+e/aj3bbwTxUeyN7 -qtcHJA== +MIICrTCCAZWgAwIBAgIUdLT4B443vbxt0B8Mzy0sR4+6AyowDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgRUMgIzEwWTATBgcqhkjOPQIBBggq +hkjOPQMBBwNCAATbG6XprSqHiD9AxWJiXRFgS+y38DGZ7hpSjs4bd95L+Lli+O91 +/lUy7Tb8aJ6VU2CoyWQjV4sQjbdVqeD+y4Kyo2AwXjAMBgNVHRMBAf8EAjAAMA4G +A1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUOia9H7l0qw3ftsDgEEeSBrHwQrwwHwYD +VR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZIhvcNAQELBQADggEB +AC7h/QkMocYANPqMQAO2okygG+OaE4qpKnlzHPUFMYedJGCvAWrwxu4hWL9T+hZo +qilM7Fwaxw/P4Zaaa15SOOhXkIdn9Fu2ROmBQtEiklmWGMjiZ6F+9NCZPk0cTAXK +2WQZOy41YNuvts+20osD4X/8x3fiARlokufj/TVyE73wG8pSSDh4KxWDfKv5Pi1F +PC5IJh8XVELnFkeY3xjtoux5AYT+1xIQHO4eBua02Y1oPiWG7l/sK3grVlxrupd9 +pXowwFlezWZP9q12VlWkcqwNb9hF9PkZge9bpiOJipSYgyobtAnms/CRHu3e6izl +LJRua7p4Wt/8GQENDrVkHqU= -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/smime-certs/smec2.pem openssl-1.1.1v/test/smime-certs/smec2.pem --- openssl-1.1.1n/test/smime-certs/smec2.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/smec2.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,23 +1,23 @@ -----BEGIN PRIVATE KEY----- -MIGPAgEAMBAGByqGSM49AgEGBSuBBAAQBHgwdgIBAQQjhHaq507MOBznelrLG/pl -brnnJi/iEJUUp+Pm3PEiteXqckmhTANKAAQF2zs6vobmoT+M+P2+9LZ7asvFBNi7 -uCzLYF/8j1Scn/spczoC9vNzVhNw+Lg7dnjNL4EDIyYZLl7E0v69luzbvy+q44/8 -6bQ= +MIGQAgEAMBAGByqGSM49AgEGBSuBBAAQBHkwdwIBAQQkAEkuzLBwx5bIw3Q2PMNQ +HzaY8yL3QLjzaJ8tCHrI/JTb9Q7VoUwDSgAEAu8b2HvLzKd0qhPtIw65Lh3OgF3X +IN5874qHwt9zPSvokijSAH3v9tcBJPdRLD3Lweh2ZPn5hMwVwVorHqSgASk5vnjp +HqER -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIICpTCCAY2gAwIBAgIJANk5lu6mSyBHMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU -ZXN0IFMvTUlNRSBFRSBFQyAjMjBeMBAGByqGSM49AgEGBSuBBAAQA0oABAXbOzq+ -huahP4z4/b70tntqy8UE2Lu4LMtgX/yPVJyf+ylzOgL283NWE3D4uDt2eM0vgQMj -JhkuXsTS/r2W7Nu/L6rjj/zptKNgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E -BAMCBeAwHQYDVR0OBBYEFGf+QSQlkN20PsNN7x+jmQIJBDcXMB8GA1UdIwQYMBaA -FMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBBQUAA4IBAQBaBBryl2Ez -ftBrGENXMKQP3bBEw4n9ely6HvYQi9IC7HyK0ktz7B2FcJ4z96q38JN3cLxV0DhK -xT/72pFmQwZVJngvRaol0k1B+bdmM03llxCw/uNNZejixDjHUI9gEfbigehd7QY0 -uYDu4k4O35/z/XPQ6O5Kzw+J2vdzU8GXlMBbWeZWAmEfLGbk3Ux0ouITnSz0ty5P -rkHTo0uprlFcZAsrsNY5v5iuomYT7ZXAR3sqGZL1zPOKBnyfXeNFUfnKsZW7Fnlq -IlYBQIjqR1HGxxgCSy66f1oplhxSch4PUpk5tqrs6LeOqc2+xROy1T5YrB3yjVs0 -4ZdCllHZkhop +MIICsjCCAZqgAwIBAgIUFMjrNKt+D8tzvn7jtjZ5HrLcUlswDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw +NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgRUMgIzIwXjAQBgcqhkjOPQIBBgUr +gQQAEANKAAQC7xvYe8vMp3SqE+0jDrkuHc6AXdcg3nzviofC33M9K+iSKNIAfe/2 +1wEk91EsPcvB6HZk+fmEzBXBWisepKABKTm+eOkeoRGjYDBeMAwGA1UdEwEB/wQC +MAAwDgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBSqWRYUy2syIUwfSR31e19LeNXK +9TAfBgNVHSMEGDAWgBQVwRMha+JVX6dqHVcg1s/zqXNkWTANBgkqhkiG9w0BAQsF +AAOCAQEASbh+sI03xUMMzPT8bRbWNF5gG3ab8IUzqm05rTa54NCPRSn+ZdMXcCFz +5fSU0T1dgEjeD+cCRVAZxskTZF7FWmRLc2weJMf7x+nPE5KaWyRAoD7FIKGP2m6m +IMCVOmiafuzmHASBYOz6RwjgWS0AWES48DJX6o0KpuT4bsknz+H7Xo+4+NYGCRao +enqIMZmWesGVXJ63pl32jUlXeAg59W6PpV2L9XRWLzDW1t1q2Uji7coCWtNjkojZ +rv0yRMc1czkT+mAJRAJ8D9MoTnRXm1dH4bOxte4BGUHNQ2P1HeV01vkd1RTL0g0R +lPyDAlBASvMn7RZ9nX8G3UOOL6gtVA== -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/smime-certs/smroot.pem openssl-1.1.1v/test/smime-certs/smroot.pem --- openssl-1.1.1n/test/smime-certs/smroot.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/smroot.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,49 +1,49 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyQXED5HyVWwq -nXyzmY317yMUJrIfsKvREG2C691dJNHgNg+oq5sjt/fzkyS84AvdOiicAsao4cYL -DulthaLpbC7msEBhvwAil0FNb5g3ERupe1KuTdUV1UuD/i6S2VoaNXUBBn1rD9Wc -BBc0lnx/4Wt92eQTI6925pt7ZHPQw2Olp7TQDElyi5qPxCem4uT0g3zbZsWqmmsI -MXbu+K3dEprzqA1ucKXbxUmZNkMwVs2XCmlLxrRUj8C3/zENtH17HWCznhR/IVcV -kgIuklkeiDsEhbWvUQumVXR7oPh/CPZAbjGqq5mVueHSHrp7brBVZKHZvoUka28Q -LWitq1W5AgMBAAECggEASkRnOMKfBeOmQy2Yl6K57eeg0sYgSDnDpd0FINWJ5x9c -b58FcjOXBodtYKlHIY6QXx3BsM0WaSEge4d+QBi7S+u8r+eXVwNYswXSArDQsk9R -Bl5MQkvisGciL3pvLmFLpIeASyS/BLJXMbAhU58PqK+jT2wr6idwxBuXivJ3ichu -ISdT1s2aMmnD86ulCD2DruZ4g0mmk5ffV+Cdj+WWkyvEaJW2GRYov2qdaqwSOxV4 -Yve9qStvEIWAf2cISQjbnw2Ww6Z5ebrqlOz9etkmwIly6DTbrIneBnoqJlFFWGlF -ghuzc5RE2w1GbcKSOt0qXH44MTf/j0r86dlu7UIxgQKBgQDq0pEaiZuXHi9OQAOp -PsDEIznCU1bcTDJewANHag5DPEnMKLltTNyLaBRulMypI+CrDbou0nDr29VOzfXx -mNvi/c7RttOBOx7kXKvu0JUFKe2oIWRsg0KsyMX7UFMVaHFgrW+8DhQc7HK7URiw -nitOnA7YwIHRF9BMmcWcLFEYBQKBgQDC6LPbXV8COKO0YCfGXPnE7EZGD/p0Q92Z -8CoSefphEScSdO1IpxFXG7fOZ4x2GQb9q7D3IvaeKAqNjUjkuyxdB30lIWDBwSWw -fFgsa2SZwD5P60G/ar50YJr6LiF333aUMDVmC9swFfZERAEmGUz2NTrPWQdIx/lu -PyDtUR75JQKBgHaoCCJ8vl5SJl1IA5GV4Bo8IoeLTSzsY9d09zMy6BoZcMD1Ix2T -5S2cXhayoegl9PT6bsYSGHVWFCdJ86ktMI826TcXRzDaCvYhzc9THroJQcnfdbtP -aHWezkv7fsAmkoPjn75K7ubeo+r7Q5qbkg6a1PW58N8TRXIvkackzaVxAoGBALAq -qh3U+AHG9dgbrPeyo6KkuCOtX39ks8/mbfCDRZYkbb9V5f5r2tVz3R93IlK/7jyr -yWimtmde46Lrl33922w+T5OW5qBZllo9GWkUrDn3s5qClcuQjJIdmxYTSfbSCJiK -NkmE39lHkG5FVRB9f71tgTlWS6ox7TYDYxx83NTtAoGAUJPAkGt4yGAN4Pdebv53 -bSEpAAULBHntiqDEOu3lVColHuZIucml/gbTpQDruE4ww4wE7dOhY8Q4wEBVYbRI -vHkSiWpJUvZCuKG8Foh5pm9hU0qb+rbQV7NhLJ02qn1AMGO3F/WKrHPPY8/b9YhQ -KfvPCYimQwBjVrEnSntLPR0= +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDZLSl8LdU54OUA +T8ctFuKLShJul2IMzaEDkFLoL4agccajgvsRxW+8vbc2Re0y1mVMvfNz7Cg5a7Ke +iSuFJOrQtvDt+HkU5c706YDmw15mBpDSHapkXr80G/ABFbstWafOfagVW45wv65K +H4cnpcqwrLhagmC8QG0KfWbf+Z2efOxaGu/dTNA3Cnq/BQGTdlkQ28xbrvd+Ubzg +cY4Y/hJ7Fw1/IeEhgr/iVJhQIUAklp9B+xqDfWuxIt5mNwWWh/Lfk+UxqE99EhQR +0YZWyIKfKzbeJLBzDqY2hQzVL6kAvY9cR1WbBItTA0G2F5qZ9B/3EHEFWZMBvobt ++UTEkuBdAgMBAAECggEAF3Eagz7nPyIZVdlGpIVN2r8aEjng6YTglmPjrxBCNdtS +F6AxvY9UKklIF2Gg4tXlhU0TlDWvedM4Koif2/VKK1Ez3FvvpePQXPs/YKlB7T1U +MHnnRII9nUBOva88zv5YcJ97nyKM03q9M18H1a29nShnlc1w56EEpBc5HX/yFYMv +kMYydvB5j0DQkJlkQNFn4yRag0wIIPeyXwwh5l98SMlr40hO10OYTOQPrrgP/ham +AOZ//DvGo5gF8hGJYoqG4vcYbxRfTqbc2lQ4XRknOT182l9gRum52ahkBY6LKb4r +IZXPStS6fCAR5S0lcdBb3uN/ap9SUfb9w/Dhj5DZAQKBgQDr06DcsBpoGV2dK9ib +YL5MxC5JL7G79IBPi3ThRiOSttKXv3oDAFB0AlJvFKwYmVz8SxXqQ2JUA4BfvMGF +TNrbhukzo0ou5boExnQW/RjLN3fWVq1JM7iLbNU9YYpPCIG5LXrt4ZDOwITeGe8f +bmZK9zxWxc6BBJtc3mTFS5tm4QKBgQDrwRyEn6oZ9TPbR69fPgWvDqQwKs+6TtYn +0otMG9UejbSMcyU4sI+bZouoca2CzoNi2qZVIvI9aOygUHQAP7Dyq1KhsvYtzJub +KEua379WnzBMMjJ56Q/e4aKTq229QvOk+ZEYl6aklZX7xnYetYNZQrp4QzUyOQTG +gfxgxKi0/QKBgQCy1esAUJ/F366JOS3rLqNBjehX4c5T7ae8KtJ433qskO4E29TI +H93jC7u9txyHDw5f2QUGgRE5Cuq4L2lGEDFMFvQUD7l69QVrB6ATqt25hhffuB1z +DMDfIqpXAPgk1Rui9SVq7gqlb4OS9nHLESqLoQ/l8d2XI4o6FACxSZPQoQKBgQCR +8AvwSUoqIXDFaB22jpVEJYMb0hSfFxhYtGvIZF5MOJowa0L6UcnD//mp/xzSoXYR +pppaj3R28VGxd7wnP0YRIl7XfAoKleMpbAtJRwKR458pO9WlQ9GwPeq/ENqw0xYx +5M+d8pqUvYiHv/X00pYJllYKBkiS21sKawLJAFQTHQKBgQCJCwVHxvxkdQ8G0sU2 +Vtv2W38hWOSg5+cxa+g1W6My2LhX34RkgKzuaUpYMlWGHzILpxIxhPrVLk1ZIjil +GIP969XJ1BjB/kFtLWdxXG8tH1If3JgzfSHUofPHF3CENoJYEZ1ugEfIPzWPZJDI +DL5zP8gmBL9ZAOO/J9YacxWYMQ== -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDbjCCAlagAwIBAgIJAMc+8VKBJ/S9MA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MjlaFw0yMzA3MTUxNzI4MjlaMEQx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU -ZXN0IFMvTUlNRSBSU0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBALLJBcQPkfJVbCqdfLOZjfXvIxQmsh+wq9EQbYLr3V0k0eA2D6irmyO39/OT -JLzgC906KJwCxqjhxgsO6W2FoulsLuawQGG/ACKXQU1vmDcRG6l7Uq5N1RXVS4P+ -LpLZWho1dQEGfWsP1ZwEFzSWfH/ha33Z5BMjr3bmm3tkc9DDY6WntNAMSXKLmo/E -J6bi5PSDfNtmxaqaawgxdu74rd0SmvOoDW5wpdvFSZk2QzBWzZcKaUvGtFSPwLf/ -MQ20fXsdYLOeFH8hVxWSAi6SWR6IOwSFta9RC6ZVdHug+H8I9kBuMaqrmZW54dIe -untusFVkodm+hSRrbxAtaK2rVbkCAwEAAaNjMGEwHQYDVR0OBBYEFMmRUwpjexZb -i71E8HaIqSTm5bZsMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA8G -A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IB -AQAwpIVWQey2u/XoQSMSu0jd0EZvU+lhLaFrDy/AHQeG3yX1+SAOM6f6w+efPvyb -Op1NPI9UkMPb4PCg9YC7jgYokBkvAcI7J4FcuDKMVhyCD3cljp0ouuKruvEf4FBl -zyQ9pLqA97TuG8g1hLTl8G90NzTRcmKpmhs18BmCxiqHcTfoIpb3QvPkDX8R7LVt -9BUGgPY+8ELCgw868TuHh/Cnc67gBtRjBp0sCYVzGZmKsO5f1XdHrAZKYN5mEp0C -7/OqcDoFqORTquLeycg1At/9GqhDEgxNrqA+YEsPbLGAfsNuXUsXs2ubpGsOZxKt -Emsny2ah6fU2z7PztrUy/A80 +MIIDezCCAmOgAwIBAgIUBxh2L3ItsVPuBogDI0WfUX1lFnMwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw +NTEwMTUzMzEzWjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgUlNBIFJvb3QwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDZLSl8LdU54OUAT8ctFuKLShJul2IMzaEDkFLoL4ag +ccajgvsRxW+8vbc2Re0y1mVMvfNz7Cg5a7KeiSuFJOrQtvDt+HkU5c706YDmw15m +BpDSHapkXr80G/ABFbstWafOfagVW45wv65KH4cnpcqwrLhagmC8QG0KfWbf+Z2e +fOxaGu/dTNA3Cnq/BQGTdlkQ28xbrvd+UbzgcY4Y/hJ7Fw1/IeEhgr/iVJhQIUAk +lp9B+xqDfWuxIt5mNwWWh/Lfk+UxqE99EhQR0YZWyIKfKzbeJLBzDqY2hQzVL6kA +vY9cR1WbBItTA0G2F5qZ9B/3EHEFWZMBvobt+UTEkuBdAgMBAAGjYzBhMB0GA1Ud +DgQWBBQVwRMha+JVX6dqHVcg1s/zqXNkWTAfBgNVHSMEGDAWgBQVwRMha+JVX6dq +HVcg1s/zqXNkWTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq +hkiG9w0BAQsFAAOCAQEAvdAmpDPi1Wt7Hk30dXKF7Ug6MUKETi+uoO1Suo9JhNko +/cpvoi8fbo/dnWVDfHVoItEn644Svver5UJdKJY62DvhilpCtAywYfCpgxkpKoKE +dnpjnRBSMcbVDImsqvf1YjzFKiOiD7kcVvz4V0NZY91ZWwu3vgaSvcTJQkpWN0a+ +LWanpVKqigl8nskttnBeiHDHGebxj3hawlIdtVlkbQwLLwlVkX99x1F73uS33IzB +Y6+ZJ2is7mD839B8fOVd9pvPvBBgahIrw5tzJ/Q+gITuVQd9E6RVXh10/Aw+i/8S +7tHpEUgP3hBk1P+wRQBWDxbHB28lE+41jvh3JObQWQ== -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/smime-certs/smrsa1.pem openssl-1.1.1v/test/smime-certs/smrsa1.pem --- openssl-1.1.1n/test/smime-certs/smrsa1.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/smrsa1.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,49 +1,49 @@ -----BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXr9uzB/20QXKC -xhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK2bcj54XB26i1kXuOrxID -3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt+W6lSd6Hmfrk4GmE9LTU -/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JFYg4c7qt5RCk/w8kwrQ0D -orQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSebvt0APeqgRxSpCxqYnHs -CoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxMkjpJSv3/ekDG2CHYxXSH -XxpJstxZAgMBAAECggEASY4xsJaTEPwY3zxLqPdag2/yibBBW7ivz/9p80HQTlXp -KnbxXj8nNXLjCytAZ8A3P2t316PrrTdLP4ML5lGwkM4MNPhek00GY79syhozTa0i -cPHVJt+5Kwee/aVI9JmCiGAczh0yHyOM3+6ttIZvvXMVaSl4BUHvJ0ikQBc5YdzL -s6VM2gCOR6K6n+39QHDI/T7WwO9FFSNnpWFOCHwAWtyBMlleVj+xeZX8OZ/aT+35 -27yjsGNBftWKku29VDineiQC+o+fZGJs6w4JZHoBSP8TfxP8fRCFVNA281G78Xak -cEnKXwZ54bpoSa3ThKl+56J6NHkkfRGb8Rgt/ipJYQKBgQD5DKb82mLw85iReqsT -8bkp408nPOBGz7KYnQsZqAVNGfehM02+dcN5z+w0jOj6GMPLPg5whlEo/O+rt9ze -j6c2+8/+B4Bt5oqCKoOCIndH68jl65+oUxFkcHYxa3zYKGC9Uvb+x2BtBmYgvDRG -ew6I2Q3Zyd2ThZhJygUZpsjsbQKBgQDdtNiGTkgWOm+WuqBI1LT5cQfoPfgI7/da -ZA+37NBUQRe0cM7ddEcNqx7E3uUa1JJOoOYv65VyGI33Ul+evI8h5WE5bupcCEFk -LolzbMc4YQUlsySY9eUXM8jQtfVtaWhuQaABt97l+9oADkrhA+YNdEu2yiz3T6W+ -msI5AnvkHQKBgDEjuPMdF/aY6dqSjJzjzfgg3KZOUaZHJuML4XvPdjRPUlfhKo7Q -55/qUZ3Qy8tFBaTderXjGrJurc+A+LiFOaYUq2ZhDosguOWUA9yydjyfnkUXZ6or -sbvSoM+BeOGhnezdKNT+e90nLRF6cQoTD7war6vwM6L+8hxlGvqDuRNFAoGAD4K8 -d0D4yB1Uez4ZQp8m/iCLRhM3zCBFtNw1QU/fD1Xye5w8zL96zRkAsRNLAgKHLdsR -355iuTXAkOIBcJCOjveGQsdgvAmT0Zdz5FBi663V91o+IDlryqDD1t40CnCKbtRG -hng/ruVczg4x7OYh7SUKuwIP/UlkNh6LogNreX0CgYBQF9troLex6X94VTi1V5hu -iCwzDT6AJj63cS3VRO2ait3ZiLdpKdSNNW2WrlZs8FZr/mVutGEcWho8BugGMWST -1iZkYwly9Xfjnpd0I00ZIlr2/B3+ZsK8w5cOW5Lpb7frol6+BkDnBjbNZI5kQndn -zQpuMJliRlrq/5JkIbH6SA== +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDax3T7alefZcbm +CcdN0kEoBLwV8H25vre43RYjuPo64TBjeKUy27ayC1TXydF1eYm3HPrFYfkS0fZ6 +YK0xvwyxiQnesvcfnVe2fpXFPsl5RQvu1JKM7rJAuLC+YTRLez07IHhQnHQ25ZkR ++B4SL5mIhuOSJ9yyFJYJQ3Kdw/aX/jtnWVR8p3FyghJptWIm90ufW4xWFY0yNSW1 +KmkZuOWF7VPh5RC1C7woB/RHhyD2gOP7tF+eDJ/QbX4iki4gPRFHuNrSV8ZpvDkI +qqyF5BW8tyJneDkoWW8IuEpmNIzfbOCHvI6y7roeAmRrwH4/o5WxaEIsnQ/3pNvj +n6+vA+nfAgMBAAECggEAFR5MHQQYCYjDXoDoI7YdgwA+AFIoGLjKYZu5yjX4tZv3 +gJ/si7sTaMlY5cGTU1HUPirxIVeCjv4Eha31BJ3KsGJ9jj6Gm0nOuzd/O+ctKeRv +2/HaDvpFlk4dsCrlkjmxteuS9u5l9hygniWYutcBwjY0cRnMScZcm0VO+DVVMDj0 +9yNrFzhlmqV+ckawjK/J91r0uvnCVIsGA6akhlc5K0gwvFb/CC1WuceEeGx/38k3 +4OuiHtLyJfIlgyGD8C3QfJlMOBHeQ/DCo6GMqrOAad/chtcO7JklcJ+k2qylP2gu +e25NJCQVh+L32b9WrH3quH6fbLIg8a8MmUWl6te3FQKBgQDddu0Dp8R8fe2WnAE5 +oXdASAf2BpthRNqUdYpkkO7gOV0MXCKIEiGZ+WuWEYmNlsXZCJRABprqLw9O/5Td +2q+rCbdG9mSW2x82t/Ia4zd3r0RSHZyKbtOLtgmWfQkwVHy+rED8Juie5bNzHbjS +1mYtFP2KDQ5yZA95yFg8ZtXOawKBgQD85VOPnfXGOJ783JHepAn4J2x1Edi+ZDQ+ +Ml9g2LwetI46dQ0bF6V8RtcyWp0+6+ydX5U4JKhERFDivolD7Z1KFmlNLPs0cqSX +5g5kzTD+R+zpr9FRragYKyLdHsLP0ur75Rh5FQkUl2DmeKCMvMKAkio0cduVpVXT +SvWUBtkHXQKBgBy4VoZZ1GZcolocwx/pK6DfdoDWXIIhvsLv91GRZhkX91QqAqRo +zYi9StF8Vr1Q5zl9HlSrRp3GGpMhG/olaRCiQu1l+KeDpSmgczo/aysPRKntgyaE +ttRweA/XCUEGQ+MqTYcluJcarMnp+dUFztxb04F6rfvxs/wUGjVDFMkfAoGBAK+F +wx9UtPZk6gP6Wsu58qlnQ2Flh5dtGM1qTMR86OQu0OBFyVjaaqL8z/NE7Qp02H7J +jlmvJ5JqD/Gv6Llau+Zl86P66kcWoqJCrA7OU4jJBueSfadA7gAIQGRUK0Xuz+UQ +tpGjRfAiuMB9TIEhqaVuzRglRhBw9kZ2KkgZEJyJAoGBANrEpEwOhCv8Vt1Yiw6o +co96wYj+0LARJXw6rIfEuLkthBRRoHqQMKqwIGMrwjHlHXPnQmajONzIJd+u+OS4 +psCGetAIGegd3xNVpK2uZv9QBWBpQbuofOh/c2Ctmm2phL2sVwCZ0qwIeXuBwJEc +NOlOojKDO+dELErpShJgFIaU -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBSU0EgIzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQDXr9uzB/20QXKCxhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK -2bcj54XB26i1kXuOrxID3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt -+W6lSd6Hmfrk4GmE9LTU/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JF -Yg4c7qt5RCk/w8kwrQ0DorQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSe -bvt0APeqgRxSpCxqYnHsCoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxM -kjpJSv3/ekDG2CHYxXSHXxpJstxZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD -VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBTmjc+lrTQuYx/VBOBGjMvufajvhDAfBgNV -HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA -dr2IRXcFtlF16kKWs1VTaFIHHNQrfSVHBkhKblPX3f/0s/i3eXgwKUu7Hnb6T3/o -E8L+e4ioQNhahTLt9ruJNHWA/QDwOfkqM3tshCs2xOD1Cpy7Bd3Dn0YBrHKyNXRK -WelGp+HetSXJGW4IZJP7iES7Um0DGktLabhZbe25EnthRDBjNnaAmcofHECWESZp -lEHczGZfS9tRbzOCofxvgLbF64H7wYSyjAe6R8aain0VRbIusiD4tCHX/lOMh9xT -GNBW8zTL+tV9H1unjPMORLnT0YQ3oAyEND0jCu0ACA1qGl+rzxhF6bQcTUNEbRMu -9Hjq6s316fk4Ne0EUF3PbA== +MIIDeTCCAmGgAwIBAgIUM6U1Peo3wzfAJIrzINejJJfmRzkwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw +NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMxMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA2sd0+2pXn2XG5gnHTdJBKAS8FfB9ub63uN0WI7j6 +OuEwY3ilMtu2sgtU18nRdXmJtxz6xWH5EtH2emCtMb8MsYkJ3rL3H51Xtn6VxT7J +eUUL7tSSjO6yQLiwvmE0S3s9OyB4UJx0NuWZEfgeEi+ZiIbjkifcshSWCUNyncP2 +l/47Z1lUfKdxcoISabViJvdLn1uMVhWNMjUltSppGbjlhe1T4eUQtQu8KAf0R4cg +9oDj+7Rfngyf0G1+IpIuID0RR7ja0lfGabw5CKqsheQVvLciZ3g5KFlvCLhKZjSM +32zgh7yOsu66HgJka8B+P6OVsWhCLJ0P96Tb45+vrwPp3wIDAQABo2AwXjAMBgNV +HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUHw4Us7FXwgLtZ1JB +MOAHSkNYfEkwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI +hvcNAQELBQADggEBAAMAXEjTNo7evn6BvfEaG2q21q9xfFear/M0zxc5xcTj+WP+ +BKrlxXg5RlVFyvmzGhwZBERsDMJYa54aw8scDJsy/0zPdWST39dNev7xH13pP8nF +QF4MGPKIqBzX8iDCqhz70p1w2ndLjz1dvsAqn6z9/Sh3T2kj6DfZY3jA49pMEim1 +vYd4lWa5AezU3+cLtBbo2c2iyG2W7SFpnNTjLX823f9rbVPnUb93ZI/tDXDIf5hL +0hocZs+MWdC7Ly1Ru4PXa6+DeOM0z673me/Q27e24OBbG2eq5g7eW5euxJinGkpI +XGGKTKrBCPxSdTtwSNHU9HsggT8a0wXL2QocZ3w= -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/smime-certs/smrsa2.pem openssl-1.1.1v/test/smime-certs/smrsa2.pem --- openssl-1.1.1n/test/smime-certs/smrsa2.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/smrsa2.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,49 +1,49 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcYC4tS2Uvn1Z2 -iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iFAzAnwqR/UB1R67ETrsWq -V8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFpcXepPWQacpuBq2VvcKRD -lDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS0PZ9EZB63T1gmwaK1Rd5 -U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1NcojhptIWyI0r7dgn5J3 -NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0EFWyQf7iDxGaA93Y9ePB -Jv5iFZVZAgMBAAECggEBAILIPX856EHb0KclbhlpfY4grFcdg9LS04grrcTISQW1 -J3p9nBpZ+snKe6I8Yx6lf5PiipPsSLlCliHiWpIzJZVQCkAQiSPiHttpEYgP2IYI -dH8dtznkdVbLRthZs0bnnPmpHCpW+iqpcYJ9eqkz0cvUNUGOjjWmwWmoRqwp/8CW -3S1qbkQiCh0Mk2fQeGar76R06kXQ9MKDEj14zyS3rJX+cokjEoMSlH8Sbmdh2mJz -XlNZcvqmeGJZwQWgbVVHOMUuZaKJiFa+lqvOdppbqSx0AsCRq6vjmjEYQEoOefYK -3IJM9IvqW5UNx0Cy4kQdjhZFFwMO/ALD3QyF21iP4gECgYEA+isQiaWdaY4UYxwK -Dg+pnSCKD7UGZUaCUIv9ds3CbntMOONFe0FxPsgcc4jRYQYj1rpQiFB8F11+qXGa -P/IHcnjr2+mTrNY4I9Bt1Lg+pHSS8QCgzeueFybYMLaSsXUo7tGwpvw6UUb6/YWI -LNCzZbrCLg1KZjGODhhxtvN45ZkCgYEA4YNSe+GMZlxgsvxbLs86WOm6DzJUPvxN -bWmni0+Oe0cbevgGEUjDVc895uMFnpvlgO49/C0AYJ+VVbStjIMgAeMnWj6OZoSX -q49rI8KmKUxKgORZiiaMqGWQ7Rxv68+4S8WANsjFxoUrE6dNV3uYDIUsiSLbZeI8 -38KVTcLohcECgYEAiOdyWHGq0G4xl/9rPUCzCMsa4velNV09yYiiwBZgVgfhsawm -hQpOSBZJA60XMGqkyEkT81VgY4UF4QLLcD0qeCnWoXWVHFvrQyY4RNZDacpl87/t -QGO2E2NtolL3umesa+2TJ/8Whw46Iu2llSjtVDm9NGiPk5eA7xPPf1iEi9kCgYAb -0EmVE91wJoaarLtGS7LDkpgrFacEWbPnAbfzW62UENIX2Y1OBm5pH/Vfi7J+vHWS -8E9e0eIRCL2vY2hgQy/oa67H151SkZnvQ/IP6Ar8Xvd1bDSK8HQ6tMQqKm63Y9g0 -KDjHCP4znOsSMnk8h/bZ3HcAtvbeWwftBR/LBnYNQQKBgA1leIXLLHRoX0VtS/7e -y7Xmn7gepj+gDbSuCs5wGtgw0RB/1z/S3QoS2TCbZzKPBo20+ivoRP7gcuFhduFR -hT8V87esr/QzLVpjLedQDW8Xb7GiO3BsU/gVC9VcngenbL7JObl3NgvdreIYo6+n -yrLyf+8hjm6H6zkjqiOkHAl+ +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkoMi4sqj2mN8j +SaFAibXEfeYYrzBHIdCm/uaXWit81fXOSFVw1rbeAppxz7bOcSEN50lpdP2UX3/b +FYFD3exHXjvch9NPNgQaNkCqTNTuYa2L9wrpltXnon7tH3W/zZfF+/qpUSu1f6rk +GyxjVXxLwjIawCX0rbLcdFCVVy+EyvQkvSxXjafrDMzshWzPDbtjUv3SH6avqrPn +4NX0fv3BdBwTfDLAw/m8nN+9B9Mg0V7UNM1IJY/Vo5pLhv+MrEf8SnAS+1Wt43rT +3PY9iMZMMWUswdgmPY0yCN95ggwNrSMGV60yvEDxINWuJoR8s0lybDdFa+AB5v4T +hqKpspFNAgMBAAECggEAZmWu0K5QJ7Y7Rlo9ayLicsFyk36vUESQZ6MF0ybzEEPi +BkR2ZAX+vDuNQckm1pprlAcRZbactl35bT3Z+fQE1cgaZoC8/x6xwq2m0796pNPB +v0zjqdBBOLAaSgjLm56wyd88GqZ8vZsTBnw3KrxIYcP13e5OcaJ0V/GOf/yfD0lg +Tq9i7V5Iq++Fpo2KvJA8FMgqcfhvhdo40rRykoBfzEZpBk4Ia/Yijsbx5sE15pFZ +DfmsMbD+vViuM8IavHo61mBNyYeydwlgIMqUgP/6xbYUov/XSUojrLG+IQuvDx9D +xzTHGM+IBJxQZMza/mDVcjUAcDEjWt/Mve8ibTQCbwKBgQDyaiGsURtlf/8xmmvT +RQQFFFsJ8SXHNYmnceNULIjfDxpLk1yC4kBNUD+liAJscoVlOcByHmXQRtnY1PHq +AwyrwplGd82773mtriDVFSjhD+GB7I0Hv2j+uiFZury0jR/6/AsWKCtTqd0opyuB +8rGZjguiwZIjeyxd8mL1dncUHwKBgQDxcNxHUvIeDBvAmtK65xWUuLcqtK9BblBH +YVA7p93RqX4E+w3J0OCvQRQ3r1GCMMzFEO0oOvNfMucU4rbQmx1pbzF8aQU+8iEW +kYpaWUbPUQ2hmBblhjGYHsigt/BrzaW0QveVIWcGiyVVX9wiCzJH5moJlCRK2oHR +B36hdlmNEwKBgQCSlWSpOx4y4RQiHXtn9Eq6+5UVTPGIJTKIwxAwnQFiyFIhMwl0 +x3UUixsBcF3uz80j6akaGJF+QOmH+TQTSibGUdS3TMhmBSfxwuJtlu7yMNUu6Chb +b/4AUfLKvGVRVCjrbq8Rhda1L3jhFTz0xhlofgFBOIWy2M96O5BlV24oBwKBgQDs +cf93ZfawkGEZVUXsPeQ3mlHe48YCCPtbfCSr13B3JErCq+5L52AyoUQgaHQlUI8o +qrPmQx0V7O662G/6iP3bxEYtNVgq1cqrpGpeorGi1BjKWPyLWMj21abbJmev21xc +1XxLMsQHd3tfSZp2SIq8OR09NjP4jla1k2Ziz1lRuwKBgQCUJXjhW4dPoOzC7DJK +u4PsxcKkJDwwtfNudVDaHcbvvaHELTAkE2639vawH0TRwP6TDwmlbTQJP4EW+/0q +13VcNXVAZSruA9dvxlh4vNUH3PzTDdFIJzGVbYbV9p5t++EQ7gRLuLZqs99BOzM9 +k6W9F60mEFz1Owh+lQv7WfSIVA== -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBSU0EgIzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQDcYC4tS2Uvn1Z2iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iF -AzAnwqR/UB1R67ETrsWqV8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFp -cXepPWQacpuBq2VvcKRDlDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS -0PZ9EZB63T1gmwaK1Rd5U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1 -NcojhptIWyI0r7dgn5J3NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0 -EFWyQf7iDxGaA93Y9ePBJv5iFZVZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD -VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBT0arpyYMHXDPVL7MvzE+lx71L7sjAfBgNV -HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA -I8nM42am3aImkZyrw8iGkaGhKyi/dfajSWx6B9izBUh+3FleBnUxxOA+mn7M8C47 -Ne18iaaWK8vEux9KYTIY8BzXQZL1AuZ896cXEc6bGKsME37JSsocfuB5BIGWlYLv -/ON5/SJ0iVFj4fAp8z7Vn5qxRJj9BhZDxaO1Raa6cz6pm0imJy9v8y01TI6HsK8c -XJQLs7/U4Qb91K+IDNX/lgW3hzWjifNpIpT5JyY3DUgbkD595LFV5DDMZd0UOqcv -6cyN42zkX8a0TWr3i5wu7pw4k1oD19RbUyljyleEp0DBauIct4GARdBGgi5y1H2i -NzYzLAPBkHCMY0Is3KKIBw== +MIIDeTCCAmGgAwIBAgIUTMQXiTcI/rpzqO91NyFWpjLE3KkwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw +NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMyMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA5KDIuLKo9pjfI0mhQIm1xH3mGK8wRyHQpv7ml1or +fNX1zkhVcNa23gKacc+2znEhDedJaXT9lF9/2xWBQ93sR1473IfTTzYEGjZAqkzU +7mGti/cK6ZbV56J+7R91v82Xxfv6qVErtX+q5BssY1V8S8IyGsAl9K2y3HRQlVcv +hMr0JL0sV42n6wzM7IVszw27Y1L90h+mr6qz5+DV9H79wXQcE3wywMP5vJzfvQfT +INFe1DTNSCWP1aOaS4b/jKxH/EpwEvtVreN609z2PYjGTDFlLMHYJj2NMgjfeYIM +Da0jBletMrxA8SDVriaEfLNJcmw3RWvgAeb+E4aiqbKRTQIDAQABo2AwXjAMBgNV +HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUSJ0v3SKahe6eKssR +rBvYLBprFTgwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI +hvcNAQELBQADggEBAKoyszyZ3DfCOIVzeJrnScXuMvRkVqO5aGmgZxtY9r6gPk8v +gXaEFXDKqRbGqEnuwEjpew+SVZO8nrVpdIP7fydpufy7Cu91Ev4YL1ui5Vc66+IK +7dXV7eZYcH/dDJBPZddHx9vGhcr0w8B1W9nldM3aQE/RQjOmMRDc7/Hnk0f0RzJp +LA0adW3ry27z2s4qeCwkV9DNSh1KoGfcLwydBiXmJ1XINMFH/scD4pk9UeJpUL+5 +zvTaDzUmzLsI1gH3j/rlzJuNJ7EMfggKlfQdit9Qn6+6Gjk6T5jkZfzcq3LszuEA +EFtkxWyBmmEgh4EmvZGAyrUvne1hIIksKe3iJ+E= -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/smime-certs/smrsa3.pem openssl-1.1.1v/test/smime-certs/smrsa3.pem --- openssl-1.1.1n/test/smime-certs/smrsa3.pem 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/smime-certs/smrsa3.pem 2023-08-01 13:51:35.000000000 +0000 @@ -1,49 +1,49 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyK+BTAOJKJjji -OhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVCFoVBz5doMf3M6QIS2jL3 -Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsFSTxytUVpfcByrubWiLKX -63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuWm/gavozkK103gQ+dUq4H -XamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enhav2sXDfOmZp/DYf9IqS7l -vFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p1diWRpaSn62bbkRN49j6 -L2dVb+DfAgMBAAECggEAciwDl6zdVT6g/PbT/+SMA+7qgYHSN+1koEQaJpgjzGEP -lUUfj8TewCtzXaIoyj9IepBuXryBg6snNXpT/w3bqgYon/7zFBvxkUpDj4A5tvKf -BuY2fZFlpBvUu1Ju1eKrFCptBBBoA9mc+BUB/ze4ktrAdJFcxZoMlVScjqGB3GdR -OHw2x9BdWGCJBhiu9VHhAAb/LVWi6xgDumYSWZwN2yovg+7J91t5bsENeBRHycK+ -i5dNFh1umIK9N0SH6bpHPnLHrCRchrQ6ZRRxL4ZBKA9jFRDeI7OOsJuCvhGyJ1se -snsLjr/Ahg00aiHCcC1SPQ6pmXAVBCG7hf4AX82V4QKBgQDaFDE+Fcpv84mFo4s9 -wn4CZ8ymoNIaf5zPl/gpH7MGots4NT5+Ns+6zzJQ6TEpDjTPx+vDaabP7QGXwVZn -8NAHYvCQK37b+u9HrOt256YYRDOmnJFSbsJdmqzMEzpTNmQ8GuI37cZCS9CmSMv+ -ab/plcwuv0cJRSC83NN2AFyu1QKBgQDRJzKIBQlpprF9rA0D5ZjLVW4OH18A0Mmm -oanw7qVutBaM4taFN4M851WnNIROyYIlkk2fNgW57Y4M8LER4zLrjU5HY4lB0BMX -LQWDbyz4Y7L4lVnnEKfQxWFt9avNZwiCxCxEKy/n/icmVCzc91j9uwKcupdzrN6E -yzPd1s5y4wKBgQCkJvzmAdsOp9/Fg1RFWcgmIWHvrzBXl+U+ceLveZf1j9K5nYJ7 -2OBGer4iH1XM1I+2M4No5XcWHg3L4FEdDixY0wXHT6Y/CcThS+015Kqmq3fBmyrc -RNjzQoF9X5/QkSmkAIx1kvpgXtcgw70htRIrToGSUpKzDKDW6NYXhbA+PQKBgDJK -KH5IJ8E9kYPUMLT1Kc4KVpISvPcnPLVSPdhuqVx69MkfadFSTb4BKbkwiXegQCjk -isFzbeEM25EE9q6EYKP+sAm+RyyJ6W0zKBY4TynSXyAiWSGUAaXTL+AOqCaVVZiL -rtEdSUGQ/LzclIT0/HLV2oTw4KWxtTdc3LXEhpNdAoGBAM3LckiHENqtoeK2gVNw -IPeEuruEqoN4n+XltbEEv6Ymhxrs6T6HSKsEsLhqsUiIvIzH43KMm45SNYTn5eZh -yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF -RvOAi5wVkYylDxV4238MAZIq +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD5A/t3norj/167 +toKG1Ygtg3G+pZ4Nwl5a9flnm8JdSMW5TEEP1TSvDVIEuAVi7xqoAn6heypoaMkB +GJ+AoSo9R7umdhhq2vnmWFNsdH6oDzynVXixyURo81YrN3sn9Xd55ivTiSpZXldi +ECr2T0BYvOw0h497bPs6gY9LqgrBHNYVF3lFhdOmYWv+2qSdti+1gV3t24pv1CrK +2AdX5Epdd5jR+eNnt+suZqoPC0hTcNjszJLcfDYFXHva9BcE0DfrgcYSmoSBU53M +jt63TClK6ZoVcPJ7vXjFRHncvs1/d+nc9BdL9FsGI1ezspSwcJHqex2wgo76yDrq +DE4s23rPAgMBAAECggEAEDi+VWD5VUpjD5zWOoPQiRDGBJBhtMAKkl6okxEmXvWb +Xz3STFnjHgA1JFHW3bRU9BHI9k8vSHmnlnkfKb3V/ZX5IHNcKCHb/x9NBak+QLVQ +0zLtfE9vxiTC0B/oac+MPaiD4hYFQ81pFwK6VS0Poi8ZCBJtOkRqfUvsyV8zZrgh +/6cs4mwOVyZPFRgF9eWXYv7PJz8pNRizhII0iv9H/r2I3DzsZLPCg7c29mP+I/SG +A7Pl82UXjtOc0KurGY2M5VheZjxJT/k/FLMkWY2GS5n6dfcyzsVSKb25HoeuvQsI +vs1mKs+Onbobdc17hCcKVJzbi3DwXs5XDhrEzfHccQKBgQD88uBxVCRV31PsCN6I +pKxQDGgz+1BqPqe7KMRiZI7HgDUK0eCM3/oG089/jsBtJcSxnScLSVNBjQ+xGiFi +YCD4icQoJSzpqJyR6gDq5lTHASAe+9LWRW771MrtyACQWNXowYEyu8AjekrZkCUS +wIKVpw57oWykzIoS7ixZsJ8gxwKBgQD8BPWqJEsLiQvOlS5E/g88eV1KTpxm9Xs+ +BbwsDXZ7m4Iw5lYaUu5CwBB/2jkGGRl8Q/EfAdUT7gXv3t6x5b1qMXaIczmRGYto +NuI3AH2MPxAa7lg5TgBgie1r7PKwyPMfG3CtDx6n8W5sexgJpbIy5u7E+U6d8s1o +c7EcsefduQKBgCkHJAx9v18GWFBip+W2ABUDzisQSlzRSNd8p03mTZpiWzgkDq4K +7j0JQhDIkMGjbKH6gYi9Hfn17WOmf1+7g92MSvrP/NbxeGPadsejEIEu14zu/6Wt +oXDLdRbYZ+8B2cBlEpWuCl42yck8Lic6fnPTou++oSah3otvglYR5d2lAoGACd8L +3FE1m0sP6lSPjmZBJIZAcDOqDqJY5HIHD9arKGZL8CxlfPx4lqa9PrTGfQWoqORk +YmmI9hHhq6aYJHGyPKGZWfjhbVyJyFg1/h+Hy2GA+P0S+ZOjkiR050BNtTz5wOMr +Q6wO8FcVkywzIdWaqEHBYne9a5RiFVBKxKv3QAkCgYBxmCBKajFkMVb4Uc55WqJs +Add0mctGgmZ1l5vq81eWe3wjM8wgfJgaD3Q3gwx2ABUX/R+OsVWSh4o5ZR86sYoz +TviknBHF8GeDLjpT49+04fEaz336J2JOptF9zIpz7ZK1nrOEjzaZGtumReVjUP7X +fNcb5iDYqZRzD8ixBbLxUw== -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU -ZXN0IFMvTUlNRSBFRSBSU0EgIzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQCyK+BTAOJKJjjiOhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVC -FoVBz5doMf3M6QIS2jL3Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsF -STxytUVpfcByrubWiLKX63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuW -m/gavozkK103gQ+dUq4HXamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enha -v2sXDfOmZp/DYf9IqS7lvFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p -1diWRpaSn62bbkRN49j6L2dVb+DfAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD -VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQ6CkW5sa6HrBsWvuPOvMjyL5AnsDAfBgNV -HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA -JhcrD7AKafVzlncA3cZ6epAruj1xwcfiE+EbuAaeWEGjoSltmevcjgoIxvijRVcp -sCbNmHJZ/siQlqzWjjf3yoERvLDqngJZZpQeocMIbLRQf4wgLAuiBcvT52wTE+sa -VexeETDy5J1OW3wE4A3rkdBp6hLaymlijFNnd5z/bP6w3AcIMWm45yPm0skM8RVr -O3UstEFYD/iy+p+Y/YZDoxYQSW5Vl+NkpGmc5bzet8gQz4JeXtH3z5zUGoDM4XK7 -tXP3yUi2eecCbyjh/wgaQiVdylr1Kv3mxXcTl+cFO22asDkh0R/y72nTCu5fSILY -CscFo2Z2pYROGtZDmYqhRw== +MIIDeTCCAmGgAwIBAgIUIDyc//j/LoNDesZTGbPBoVarv4EwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw +NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMzMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA+QP7d56K4/9eu7aChtWILYNxvqWeDcJeWvX5Z5vC +XUjFuUxBD9U0rw1SBLgFYu8aqAJ+oXsqaGjJARifgKEqPUe7pnYYatr55lhTbHR+ +qA88p1V4sclEaPNWKzd7J/V3eeYr04kqWV5XYhAq9k9AWLzsNIePe2z7OoGPS6oK +wRzWFRd5RYXTpmFr/tqknbYvtYFd7duKb9QqytgHV+RKXXeY0fnjZ7frLmaqDwtI +U3DY7MyS3Hw2BVx72vQXBNA364HGEpqEgVOdzI7et0wpSumaFXDye714xUR53L7N +f3fp3PQXS/RbBiNXs7KUsHCR6nsdsIKO+sg66gxOLNt6zwIDAQABo2AwXjAMBgNV +HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUN9pGq/UFS3o50rTi +V+AYgAk+3R4wHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI +hvcNAQELBQADggEBAGcOh380/6aJqMpYBssuf2CB3DX/hGKdvEF7fF8iNSfl5HHq +112kHl3MhbL9Th/safJq9sLDJqjXRNdVCUJJbU4YI2P2gsi04paC0qxWxMLtzQLd +CE7ki2xH94Fuu/dThbpzZBABROO1RrdI24GDGt9t4Gf0WVkobmT/zNlwGppKTIB2 +iV/Ug30iKr/C49UzwUIa+XXXujkjPTmGSnrKwVQNxQh81rb+iTL7GEnNuqDsatHW +ZyLS2SaVdG5tMqDkITPMDGjehUzJcAbVc8Bv4m8Ukuov3uDj2Doc6MxlvrVkV0AE +BcSCb/bWQJJ/X4LQZlx9cMk4NINxV9UeFPZOefg= -----END CERTIFICATE----- diff -Nru openssl-1.1.1n/test/ssl-tests/10-resumption.conf openssl-1.1.1v/test/ssl-tests/10-resumption.conf --- openssl-1.1.1n/test/ssl-tests/10-resumption.conf 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/ssl-tests/10-resumption.conf 2023-08-01 13:51:35.000000000 +0000 @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 65 +num_tests = 68 test-0 = 0-resumption test-1 = 1-resumption @@ -67,6 +67,9 @@ test-62 = 62-resumption test-63 = 63-resumption test-64 = 64-resumption-with-hrr +test-65 = 65-resumption-when-mfl-ext-is-missing +test-66 = 66-resumption-when-mfl-ext-is-different +test-67 = 67-resumption-when-mfl-ext-is-correct # =========================================================== [0-resumption] @@ -2437,3 +2440,119 @@ ResumptionExpected = Yes +# =========================================================== + +[65-resumption-when-mfl-ext-is-missing] +ssl_conf = 65-resumption-when-mfl-ext-is-missing-ssl + +[65-resumption-when-mfl-ext-is-missing-ssl] +server = 65-resumption-when-mfl-ext-is-missing-server +client = 65-resumption-when-mfl-ext-is-missing-client +resume-server = 65-resumption-when-mfl-ext-is-missing-server +resume-client = 65-resumption-when-mfl-ext-is-missing-resume-client + +[65-resumption-when-mfl-ext-is-missing-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[65-resumption-when-mfl-ext-is-missing-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[65-resumption-when-mfl-ext-is-missing-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-65] +ExpectedResult = ServerFail +HandshakeMode = Resume +ResumptionExpected = No +client = 65-resumption-when-mfl-ext-is-missing-client-extra + +[65-resumption-when-mfl-ext-is-missing-client-extra] +MaxFragmentLenExt = 512 + + +# =========================================================== + +[66-resumption-when-mfl-ext-is-different] +ssl_conf = 66-resumption-when-mfl-ext-is-different-ssl + +[66-resumption-when-mfl-ext-is-different-ssl] +server = 66-resumption-when-mfl-ext-is-different-server +client = 66-resumption-when-mfl-ext-is-different-client +resume-server = 66-resumption-when-mfl-ext-is-different-server +resume-client = 66-resumption-when-mfl-ext-is-different-resume-client + +[66-resumption-when-mfl-ext-is-different-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[66-resumption-when-mfl-ext-is-different-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[66-resumption-when-mfl-ext-is-different-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-66] +ExpectedResult = ServerFail +HandshakeMode = Resume +ResumptionExpected = No +client = 66-resumption-when-mfl-ext-is-different-client-extra +resume-client = 66-resumption-when-mfl-ext-is-different-resume-client-extra + +[66-resumption-when-mfl-ext-is-different-client-extra] +MaxFragmentLenExt = 512 + +[66-resumption-when-mfl-ext-is-different-resume-client-extra] +MaxFragmentLenExt = 1024 + + +# =========================================================== + +[67-resumption-when-mfl-ext-is-correct] +ssl_conf = 67-resumption-when-mfl-ext-is-correct-ssl + +[67-resumption-when-mfl-ext-is-correct-ssl] +server = 67-resumption-when-mfl-ext-is-correct-server +client = 67-resumption-when-mfl-ext-is-correct-client +resume-server = 67-resumption-when-mfl-ext-is-correct-server +resume-client = 67-resumption-when-mfl-ext-is-correct-resume-client + +[67-resumption-when-mfl-ext-is-correct-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[67-resumption-when-mfl-ext-is-correct-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[67-resumption-when-mfl-ext-is-correct-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-67] +ExpectedResult = Success +HandshakeMode = Resume +ResumptionExpected = Yes +client = 67-resumption-when-mfl-ext-is-correct-client-extra +resume-client = 67-resumption-when-mfl-ext-is-correct-resume-client-extra + +[67-resumption-when-mfl-ext-is-correct-client-extra] +MaxFragmentLenExt = 512 + +[67-resumption-when-mfl-ext-is-correct-resume-client-extra] +MaxFragmentLenExt = 512 + + diff -Nru openssl-1.1.1n/test/ssl-tests/11-dtls_resumption.conf openssl-1.1.1v/test/ssl-tests/11-dtls_resumption.conf --- openssl-1.1.1n/test/ssl-tests/11-dtls_resumption.conf 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/ssl-tests/11-dtls_resumption.conf 2023-08-01 13:51:35.000000000 +0000 @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 16 +num_tests = 19 test-0 = 0-resumption test-1 = 1-resumption @@ -18,6 +18,9 @@ test-13 = 13-resumption test-14 = 14-resumption test-15 = 15-resumption +test-16 = 16-resumption-when-mfl-ext-is-missing +test-17 = 17-resumption-when-mfl-ext-is-different +test-18 = 18-resumption-when-mfl-ext-is-correct # =========================================================== [0-resumption] @@ -618,3 +621,122 @@ ResumptionExpected = Yes +# =========================================================== + +[16-resumption-when-mfl-ext-is-missing] +ssl_conf = 16-resumption-when-mfl-ext-is-missing-ssl + +[16-resumption-when-mfl-ext-is-missing-ssl] +server = 16-resumption-when-mfl-ext-is-missing-server +client = 16-resumption-when-mfl-ext-is-missing-client +resume-server = 16-resumption-when-mfl-ext-is-missing-server +resume-client = 16-resumption-when-mfl-ext-is-missing-resume-client + +[16-resumption-when-mfl-ext-is-missing-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[16-resumption-when-mfl-ext-is-missing-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[16-resumption-when-mfl-ext-is-missing-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-16] +ExpectedResult = ServerFail +HandshakeMode = Resume +Method = DTLS +ResumptionExpected = No +client = 16-resumption-when-mfl-ext-is-missing-client-extra + +[16-resumption-when-mfl-ext-is-missing-client-extra] +MaxFragmentLenExt = 512 + + +# =========================================================== + +[17-resumption-when-mfl-ext-is-different] +ssl_conf = 17-resumption-when-mfl-ext-is-different-ssl + +[17-resumption-when-mfl-ext-is-different-ssl] +server = 17-resumption-when-mfl-ext-is-different-server +client = 17-resumption-when-mfl-ext-is-different-client +resume-server = 17-resumption-when-mfl-ext-is-different-server +resume-client = 17-resumption-when-mfl-ext-is-different-resume-client + +[17-resumption-when-mfl-ext-is-different-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[17-resumption-when-mfl-ext-is-different-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[17-resumption-when-mfl-ext-is-different-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-17] +ExpectedResult = ServerFail +HandshakeMode = Resume +Method = DTLS +ResumptionExpected = No +client = 17-resumption-when-mfl-ext-is-different-client-extra +resume-client = 17-resumption-when-mfl-ext-is-different-resume-client-extra + +[17-resumption-when-mfl-ext-is-different-client-extra] +MaxFragmentLenExt = 512 + +[17-resumption-when-mfl-ext-is-different-resume-client-extra] +MaxFragmentLenExt = 1024 + + +# =========================================================== + +[18-resumption-when-mfl-ext-is-correct] +ssl_conf = 18-resumption-when-mfl-ext-is-correct-ssl + +[18-resumption-when-mfl-ext-is-correct-ssl] +server = 18-resumption-when-mfl-ext-is-correct-server +client = 18-resumption-when-mfl-ext-is-correct-client +resume-server = 18-resumption-when-mfl-ext-is-correct-server +resume-client = 18-resumption-when-mfl-ext-is-correct-resume-client + +[18-resumption-when-mfl-ext-is-correct-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[18-resumption-when-mfl-ext-is-correct-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[18-resumption-when-mfl-ext-is-correct-resume-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-18] +ExpectedResult = Success +HandshakeMode = Resume +Method = DTLS +ResumptionExpected = Yes +client = 18-resumption-when-mfl-ext-is-correct-client-extra +resume-client = 18-resumption-when-mfl-ext-is-correct-resume-client-extra + +[18-resumption-when-mfl-ext-is-correct-client-extra] +MaxFragmentLenExt = 512 + +[18-resumption-when-mfl-ext-is-correct-resume-client-extra] +MaxFragmentLenExt = 512 + + diff -Nru openssl-1.1.1n/test/ssl-tests/30-supported-groups.conf openssl-1.1.1v/test/ssl-tests/30-supported-groups.conf --- openssl-1.1.1n/test/ssl-tests/30-supported-groups.conf 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/ssl-tests/30-supported-groups.conf 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,54 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 2 + +test-0 = 0-Just a sanity test case +test-1 = 1-Pass with empty groups with TLS1.2 +# =========================================================== + +[0-Just a sanity test case] +ssl_conf = 0-Just a sanity test case-ssl + +[0-Just a sanity test case-ssl] +server = 0-Just a sanity test case-server +client = 0-Just a sanity test case-client + +[0-Just a sanity test case-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[0-Just a sanity test case-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-0] +ExpectedResult = Success + + +# =========================================================== + +[1-Pass with empty groups with TLS1.2] +ssl_conf = 1-Pass with empty groups with TLS1.2-ssl + +[1-Pass with empty groups with TLS1.2-ssl] +server = 1-Pass with empty groups with TLS1.2-server +client = 1-Pass with empty groups with TLS1.2-client + +[1-Pass with empty groups with TLS1.2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[1-Pass with empty groups with TLS1.2-client] +CipherString = DEFAULT +Groups = sect163k1 +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-1] +ExpectedResult = Success + + diff -Nru openssl-1.1.1n/test/ssl-tests/30-supported-groups.conf.in openssl-1.1.1v/test/ssl-tests/30-supported-groups.conf.in --- openssl-1.1.1n/test/ssl-tests/30-supported-groups.conf.in 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/test/ssl-tests/30-supported-groups.conf.in 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,45 @@ +# -*- mode: perl; -*- +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +## SSL test configurations + +package ssltests; +use OpenSSL::Test::Utils; + +our @tests = ( + { + name => "Just a sanity test case", + server => { }, + client => { }, + test => { "ExpectedResult" => "Success" }, + }, +); + +our @tests_tls1_3 = ( + { + name => "Fail empty groups with TLS1.3", + server => { }, + client => { "Groups" => "sect163k1" }, + test => { "ExpectedResult" => "ClientFail" }, + }, +); + +our @tests_tls1_2 = ( + { + name => "Pass with empty groups with TLS1.2", + server => { }, + client => { "Groups" => "sect163k1", + "MaxProtocol" => "TLSv1.2" }, + test => { "ExpectedResult" => "Success" }, + }, +); + +push @tests, @tests_tls1_3 unless disabled("tls1_3") + || !disabled("ec2m") || disabled("ec"); +push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec"); diff -Nru openssl-1.1.1n/test/ssl-tests/protocol_version.pm openssl-1.1.1v/test/ssl-tests/protocol_version.pm --- openssl-1.1.1n/test/ssl-tests/protocol_version.pm 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/ssl-tests/protocol_version.pm 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ # -*- mode: perl; -*- -# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -265,6 +265,69 @@ }; } + push @client_tests, { + "name" => "resumption-when-mfl-ext-is-missing", + "server" => { + }, + "client" => { + "extra" => { + "MaxFragmentLenExt" => 512, + }, + }, + "resume_client" => { + }, + "test" => { + "Method" => $method, + "HandshakeMode" => "Resume", + "ResumptionExpected" => "No", + "ExpectedResult" => "ServerFail", + } + }; + + push @client_tests, { + "name" => "resumption-when-mfl-ext-is-different", + "server" => { + }, + "client" => { + "extra" => { + "MaxFragmentLenExt" => 512, + }, + }, + "resume_client" => { + "extra" => { + "MaxFragmentLenExt" => 1024, + }, + }, + "test" => { + "Method" => $method, + "HandshakeMode" => "Resume", + "ResumptionExpected" => "No", + "ExpectedResult" => "ServerFail", + } + }; + + push @client_tests, { + "name" => "resumption-when-mfl-ext-is-correct", + "server" => { + }, + "client" => { + "extra" => { + "MaxFragmentLenExt" => 512, + }, + }, + "resume_client" => { + "extra" => { + "MaxFragmentLenExt" => 512, + }, + }, + "test" => { + "Method" => $method, + "HandshakeMode" => "Resume", + "ResumptionExpected" => "Yes", + "ExpectedResult" => "Success", + } + }; + return (@server_tests, @client_tests); } diff -Nru openssl-1.1.1n/test/sslapitest.c openssl-1.1.1v/test/sslapitest.c --- openssl-1.1.1n/test/sslapitest.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/sslapitest.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -85,20 +85,6 @@ }; -static unsigned char serverinfov1[] = { - 0xff, 0xff, /* Dummy extension type */ - 0x00, 0x01, /* Extension length is 1 byte */ - 0xff /* Dummy extension data */ -}; - -static unsigned char serverinfov2[] = { - 0x00, 0x00, 0x00, - (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */ - 0xff, 0xff, /* Dummy extension type */ - 0x00, 0x01, /* Extension length is 1 byte */ - 0xff /* Dummy extension data */ -}; - static int hostname_cb(SSL *s, int *al, void *arg) { const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); @@ -808,6 +794,157 @@ } #endif +/* + * Test we can successfully send the maximum amount of application data. We + * test each protocol version individually, each with and without EtM enabled. + * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is + * simpler this way. We also test all combinations with and without the + * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the + * underlying buffer. + */ +static int test_large_app_data(int tst) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0, prot; + unsigned char *msg, *buf = NULL; + size_t written, readbytes; + const SSL_METHOD *smeth = TLS_server_method(); + const SSL_METHOD *cmeth = TLS_client_method(); + + switch (tst >> 2) { + case 0: +#ifndef OPENSSL_NO_TLS1_3 + prot = TLS1_3_VERSION; + break; +#else + return 1; +#endif + + case 1: +#ifndef OPENSSL_NO_TLS1_2 + prot = TLS1_2_VERSION; + break; +#else + return 1; +#endif + + case 2: +#ifndef OPENSSL_NO_TLS1_1 + prot = TLS1_1_VERSION; + break; +#else + return 1; +#endif + + case 3: +#ifndef OPENSSL_NO_TLS1 + prot = TLS1_VERSION; + break; +#else + return 1; +#endif + + case 4: +#ifndef OPENSSL_NO_SSL3 + prot = SSL3_VERSION; + break; +#else + return 1; +#endif + + case 5: +#ifndef OPENSSL_NO_DTLS1_2 + prot = DTLS1_2_VERSION; + smeth = DTLS_server_method(); + cmeth = DTLS_client_method(); + break; +#else + return 1; +#endif + + case 6: +#ifndef OPENSSL_NO_DTLS1 + prot = DTLS1_VERSION; + smeth = DTLS_server_method(); + cmeth = DTLS_client_method(); + break; +#else + return 1; +#endif + + default: + /* Shouldn't happen */ + return 0; + } + + /* Maximal sized message of zeros */ + msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH); + if (!TEST_ptr(msg)) + goto end; + + buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1); + if (!TEST_ptr(buf)) + goto end; + /* Set whole buffer to all bits set */ + memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1); + + if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, prot, prot, &sctx, &cctx, + cert, privkey))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL))) + goto end; + + if ((tst & 1) != 0) { + /* Setting this option gives us a minimally sized underlying buffer */ + if (!TEST_true(SSL_set_options(serverssl, + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + || !TEST_true(SSL_set_options(clientssl, + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))) + goto end; + } + + if ((tst & 2) != 0) { + /* + * Setting this option means the MAC is added before encryption + * giving us a larger record for the encryption process + */ + if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC)) + || !TEST_true(SSL_set_options(clientssl, + SSL_OP_NO_ENCRYPT_THEN_MAC))) + goto end; + } + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH, + &written)) + || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH)) + goto end; + + /* We provide a buffer slightly larger than what we are actually expecting */ + if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1, + &readbytes))) + goto end; + + if (!TEST_mem_eq(msg, written, buf, readbytes)) + goto end; + + testresult = 1; +end: + OPENSSL_free(msg); + OPENSSL_free(buf); + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} + + #ifndef OPENSSL_NO_OCSP static int ocsp_server_cb(SSL *s, void *arg) { @@ -4349,62 +4486,137 @@ return testresult; } -/* - * Test loading of serverinfo data in various formats. test_sslmessages actually - * tests to make sure the extensions appear in the handshake - */ -static int test_serverinfo(int tst) -{ - unsigned int version; - unsigned char *sibuf; - size_t sibuflen; - int ret, expected, testresult = 0; - SSL_CTX *ctx; +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3) - ctx = SSL_CTX_new(TLS_method()); - if (!TEST_ptr(ctx)) - goto end; +#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \ + | SSL_EXT_CLIENT_HELLO \ + | SSL_EXT_TLS1_2_SERVER_HELLO \ + | SSL_EXT_IGNORE_ON_RESUMPTION) + +#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \ + | SSL_EXT_TLS1_2_SERVER_HELLO \ + | SSL_EXT_CLIENT_HELLO) + +#define SERVERINFO_CUSTOM \ + 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \ + 0x00, 0x03, \ + 0x04, 0x05, 0x06 \ + +static const unsigned char serverinfo_custom_tls13[] = { + 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff, + SERVERINFO_CUSTOM +}; +static const unsigned char serverinfo_custom_v2[] = { + 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff, + SERVERINFO_CUSTOM +}; +static const unsigned char serverinfo_custom_v1[] = { + SERVERINFO_CUSTOM +}; +static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13); +static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2); +static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1); + +static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type, + unsigned int context, + const unsigned char *in, + size_t inlen, X509 *x, + size_t chainidx, int *al, + void *parse_arg) +{ + const size_t len = serverinfo_custom_v1_len; + const unsigned char *si = &serverinfo_custom_v1[len - 3]; + int *p_cb_result = (int*)parse_arg; + *p_cb_result = TEST_mem_eq(in, inlen, si, 3); + return 1; +} - if ((tst & 0x01) == 0x01) - version = SSL_SERVERINFOV2; - else - version = SSL_SERVERINFOV1; +static int test_serverinfo_custom(const int idx) +{ + SSL_CTX *sctx = NULL, *cctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + int cb_result = 0; - if ((tst & 0x02) == 0x02) { - sibuf = serverinfov2; - sibuflen = sizeof(serverinfov2); - expected = (version == SSL_SERVERINFOV2); - } else { - sibuf = serverinfov1; - sibuflen = sizeof(serverinfov1); - expected = (version == SSL_SERVERINFOV1); + /* + * Following variables are set in the switch statement + * according to the test iteration. + * Default values do not make much sense: test would fail with them. + */ + int serverinfo_version = 0; + int protocol_version = 0; + unsigned int extension_context = 0; + const unsigned char *si = NULL; + size_t si_len = 0; + + const int call_use_serverinfo_ex = idx > 0; + switch (idx) { + case 0: /* FALLTHROUGH */ + case 1: + serverinfo_version = SSL_SERVERINFOV1; + protocol_version = TLS1_2_VERSION; + extension_context = SYNTHV1CONTEXT; + si = serverinfo_custom_v1; + si_len = serverinfo_custom_v1_len; + break; + case 2: + serverinfo_version = SSL_SERVERINFOV2; + protocol_version = TLS1_2_VERSION; + extension_context = SYNTHV1CONTEXT; + si = serverinfo_custom_v2; + si_len = serverinfo_custom_v2_len; + break; + case 3: + serverinfo_version = SSL_SERVERINFOV2; + protocol_version = TLS1_3_VERSION; + extension_context = TLS13CONTEXT; + si = serverinfo_custom_tls13; + si_len = serverinfo_custom_tls13_len; + break; } - if ((tst & 0x04) == 0x04) { - ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen); - } else { - ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen); + if (!TEST_true(create_ssl_ctx_pair(TLS_method(), + TLS_method(), + protocol_version, + protocol_version, + &sctx, &cctx, cert, privkey))) + goto end; - /* - * The version variable is irrelevant in this case - it's what is in the - * buffer that matters - */ - if ((tst & 0x02) == 0x02) - expected = 0; - else - expected = 1; + if (call_use_serverinfo_ex) { + if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version, + si, si_len))) + goto end; + } else { + if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len))) + goto end; } - if (!TEST_true(ret == expected)) + if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp, + extension_context, + NULL, NULL, NULL, + serverinfo_custom_parse_cb, + &cb_result)) + || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE)) + || !TEST_int_eq(SSL_do_handshake(clientssl), 1)) + goto end; + + if (!TEST_true(cb_result)) goto end; testresult = 1; end: - SSL_CTX_free(ctx); + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); return testresult; } +#endif /* * Test that SSL_export_keying_material() produces expected results. There are @@ -6734,6 +6946,69 @@ SSL_CTX_free(cctx); return testresult; } + +/* + * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week + * 0 = TLSv1.2 + * 1 = TLSv1.3 + */ +static int test_ticket_lifetime(int idx) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + int version = TLS1_3_VERSION; + +#define ONE_WEEK_SEC (7 * 24 * 60 * 60) +#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC) + + if (idx == 0) { +#ifdef OPENSSL_NO_TLS1_2 + TEST_info("Skipping: TLS 1.2 is disabled."); + return 1; +#else + version = TLS1_2_VERSION; +#endif + } + + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), version, version, + &sctx, &cctx, cert, privkey))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL))) + goto end; + + /* + * Set the timeout to be more than 1 week + * make sure the returned value is the default + */ + if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC), + SSL_get_default_timeout(serverssl))) + goto end; + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + if (idx == 0) { + /* TLSv1.2 uses the set value */ + if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC)) + goto end; + } else { + /* TLSv1.3 uses the limited value */ + if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC)) + goto end; + } + testresult = 1; + +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} #endif /* * Test that setting an ALPN does not violate RFC @@ -6807,6 +7082,171 @@ return testresult; } +/* + * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store. + */ +static int test_set_verify_cert_store_ssl_ctx(void) +{ + SSL_CTX *ctx = NULL; + int testresult = 0; + X509_STORE *store = NULL, *new_store = NULL, + *cstore = NULL, *new_cstore = NULL; + + /* Create an initial SSL_CTX. */ + ctx = SSL_CTX_new(TLS_server_method()); + if (!TEST_ptr(ctx)) + goto end; + + /* Retrieve verify store pointer. */ + if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) + goto end; + + /* Retrieve chain store pointer. */ + if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) + goto end; + + /* We haven't set any yet, so this should be NULL. */ + if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) + goto end; + + /* Create stores. We use separate stores so pointers are different. */ + new_store = X509_STORE_new(); + if (!TEST_ptr(new_store)) + goto end; + + new_cstore = X509_STORE_new(); + if (!TEST_ptr(new_cstore)) + goto end; + + /* Set stores. */ + if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store))) + goto end; + + if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore))) + goto end; + + /* Should be able to retrieve the same pointer. */ + if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) + goto end; + + if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) + goto end; + + if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore)) + goto end; + + /* Should be able to unset again. */ + if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL))) + goto end; + + if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL))) + goto end; + + /* Should now be NULL. */ + if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) + goto end; + + if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) + goto end; + + if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) + goto end; + + testresult = 1; + +end: + X509_STORE_free(new_store); + X509_STORE_free(new_cstore); + SSL_CTX_free(ctx); + return testresult; +} + +/* + * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store. + */ +static int test_set_verify_cert_store_ssl(void) +{ + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + int testresult = 0; + X509_STORE *store = NULL, *new_store = NULL, + *cstore = NULL, *new_cstore = NULL; + + /* Create an initial SSL_CTX. */ + ctx = SSL_CTX_new(TLS_server_method()); + if (!TEST_ptr(ctx)) + goto end; + + /* Create an SSL object. */ + ssl = SSL_new(ctx); + if (!TEST_ptr(ssl)) + goto end; + + /* Retrieve verify store pointer. */ + if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) + goto end; + + /* Retrieve chain store pointer. */ + if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) + goto end; + + /* We haven't set any yet, so this should be NULL. */ + if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) + goto end; + + /* Create stores. We use separate stores so pointers are different. */ + new_store = X509_STORE_new(); + if (!TEST_ptr(new_store)) + goto end; + + new_cstore = X509_STORE_new(); + if (!TEST_ptr(new_cstore)) + goto end; + + /* Set stores. */ + if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store))) + goto end; + + if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore))) + goto end; + + /* Should be able to retrieve the same pointer. */ + if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) + goto end; + + if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) + goto end; + + if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore)) + goto end; + + /* Should be able to unset again. */ + if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL))) + goto end; + + if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL))) + goto end; + + /* Should now be NULL. */ + if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) + goto end; + + if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) + goto end; + + if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) + goto end; + + testresult = 1; + +end: + X509_STORE_free(new_store); + X509_STORE_free(new_cstore); + SSL_free(ssl); + SSL_CTX_free(ctx); + return testresult; +} + static int test_inherit_verify_param(void) { int testresult = 0; @@ -6886,6 +7326,7 @@ #ifndef OPENSSL_NO_DTLS ADD_TEST(test_large_message_dtls); #endif + ADD_ALL_TESTS(test_large_app_data, 28); #ifndef OPENSSL_NO_OCSP ADD_TEST(test_tlsext_status_type); #endif @@ -6947,7 +7388,6 @@ #else ADD_ALL_TESTS(test_custom_exts, 3); #endif - ADD_ALL_TESTS(test_serverinfo, 8); ADD_ALL_TESTS(test_export_key_mat, 6); #ifndef OPENSSL_NO_TLS1_3 ADD_ALL_TESTS(test_export_key_mat_early, 3); @@ -6973,9 +7413,15 @@ #endif #ifndef OPENSSL_NO_TLS1_3 ADD_TEST(test_sni_tls13); + ADD_ALL_TESTS(test_ticket_lifetime, 2); #endif ADD_TEST(test_set_alpn); + ADD_TEST(test_set_verify_cert_store_ssl_ctx); + ADD_TEST(test_set_verify_cert_store_ssl); ADD_TEST(test_inherit_verify_param); +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3) + ADD_ALL_TESTS(test_serverinfo_custom, 4); +#endif return 1; } diff -Nru openssl-1.1.1n/test/ssltestlib.c openssl-1.1.1v/test/ssltestlib.c --- openssl-1.1.1n/test/ssltestlib.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/ssltestlib.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -435,6 +435,39 @@ return outl; } +/* Take the last and penultimate packets and swap them around */ +int mempacket_swap_recent(BIO *bio) +{ + MEMPACKET_TEST_CTX *ctx = BIO_get_data(bio); + MEMPACKET *thispkt; + int numpkts = sk_MEMPACKET_num(ctx->pkts); + + /* We need at least 2 packets to be able to swap them */ + if (numpkts <= 1) + return 0; + + /* Get the penultimate packet */ + thispkt = sk_MEMPACKET_value(ctx->pkts, numpkts - 2); + if (thispkt == NULL) + return 0; + + if (sk_MEMPACKET_delete(ctx->pkts, numpkts - 2) != thispkt) + return 0; + + /* Re-add it to the end of the list */ + thispkt->num++; + if (sk_MEMPACKET_insert(ctx->pkts, thispkt, numpkts - 1) <= 0) + return 0; + + /* We also have to adjust the packet number of the other packet */ + thispkt = sk_MEMPACKET_value(ctx->pkts, numpkts - 2); + if (thispkt == NULL) + return 0; + thispkt->num--; + + return 1; +} + int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, int type) { diff -Nru openssl-1.1.1n/test/ssltestlib.h openssl-1.1.1v/test/ssltestlib.h --- openssl-1.1.1n/test/ssltestlib.h 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/ssltestlib.h 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -46,6 +46,7 @@ #define MEMPACKET_CTRL_GET_DROP_REC (3 << 15) #define MEMPACKET_CTRL_SET_DUPLICATE_REC (4 << 15) +int mempacket_swap_recent(BIO *bio); int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, int type); diff -Nru openssl-1.1.1n/test/test_test.c openssl-1.1.1v/test/test_test.c --- openssl-1.1.1n/test/test_test.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/test_test.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -33,19 +33,19 @@ static int test_int(void) { if (!TEST(1, TEST_int_eq(1, 1)) - | !TEST(0, TEST_int_eq(1, -1)) - | !TEST(1, TEST_int_ne(1, 2)) - | !TEST(0, TEST_int_ne(3, 3)) - | !TEST(1, TEST_int_lt(4, 9)) - | !TEST(0, TEST_int_lt(9, 4)) - | !TEST(1, TEST_int_le(4, 9)) - | !TEST(1, TEST_int_le(5, 5)) - | !TEST(0, TEST_int_le(9, 4)) - | !TEST(1, TEST_int_gt(8, 5)) - | !TEST(0, TEST_int_gt(5, 8)) - | !TEST(1, TEST_int_ge(8, 5)) - | !TEST(1, TEST_int_ge(6, 6)) - | !TEST(0, TEST_int_ge(5, 8))) + || !TEST(0, TEST_int_eq(1, -1)) + || !TEST(1, TEST_int_ne(1, 2)) + || !TEST(0, TEST_int_ne(3, 3)) + || !TEST(1, TEST_int_lt(4, 9)) + || !TEST(0, TEST_int_lt(9, 4)) + || !TEST(1, TEST_int_le(4, 9)) + || !TEST(1, TEST_int_le(5, 5)) + || !TEST(0, TEST_int_le(9, 4)) + || !TEST(1, TEST_int_gt(8, 5)) + || !TEST(0, TEST_int_gt(5, 8)) + || !TEST(1, TEST_int_ge(8, 5)) + || !TEST(1, TEST_int_ge(6, 6)) + || !TEST(0, TEST_int_ge(5, 8))) goto err; return 1; @@ -56,19 +56,19 @@ static int test_uint(void) { if (!TEST(1, TEST_uint_eq(3u, 3u)) - | !TEST(0, TEST_uint_eq(3u, 5u)) - | !TEST(1, TEST_uint_ne(4u, 2u)) - | !TEST(0, TEST_uint_ne(6u, 6u)) - | !TEST(1, TEST_uint_lt(5u, 9u)) - | !TEST(0, TEST_uint_lt(9u, 5u)) - | !TEST(1, TEST_uint_le(5u, 9u)) - | !TEST(1, TEST_uint_le(7u, 7u)) - | !TEST(0, TEST_uint_le(9u, 5u)) - | !TEST(1, TEST_uint_gt(11u, 1u)) - | !TEST(0, TEST_uint_gt(1u, 11u)) - | !TEST(1, TEST_uint_ge(11u, 1u)) - | !TEST(1, TEST_uint_ge(6u, 6u)) - | !TEST(0, TEST_uint_ge(1u, 11u))) + || !TEST(0, TEST_uint_eq(3u, 5u)) + || !TEST(1, TEST_uint_ne(4u, 2u)) + || !TEST(0, TEST_uint_ne(6u, 6u)) + || !TEST(1, TEST_uint_lt(5u, 9u)) + || !TEST(0, TEST_uint_lt(9u, 5u)) + || !TEST(1, TEST_uint_le(5u, 9u)) + || !TEST(1, TEST_uint_le(7u, 7u)) + || !TEST(0, TEST_uint_le(9u, 5u)) + || !TEST(1, TEST_uint_gt(11u, 1u)) + || !TEST(0, TEST_uint_gt(1u, 11u)) + || !TEST(1, TEST_uint_ge(11u, 1u)) + || !TEST(1, TEST_uint_ge(6u, 6u)) + || !TEST(0, TEST_uint_ge(1u, 11u))) goto err; return 1; @@ -79,19 +79,19 @@ static int test_char(void) { if (!TEST(1, TEST_char_eq('a', 'a')) - | !TEST(0, TEST_char_eq('a', 'A')) - | !TEST(1, TEST_char_ne('a', 'c')) - | !TEST(0, TEST_char_ne('e', 'e')) - | !TEST(1, TEST_char_lt('i', 'x')) - | !TEST(0, TEST_char_lt('x', 'i')) - | !TEST(1, TEST_char_le('i', 'x')) - | !TEST(1, TEST_char_le('n', 'n')) - | !TEST(0, TEST_char_le('x', 'i')) - | !TEST(1, TEST_char_gt('w', 'n')) - | !TEST(0, TEST_char_gt('n', 'w')) - | !TEST(1, TEST_char_ge('w', 'n')) - | !TEST(1, TEST_char_ge('p', 'p')) - | !TEST(0, TEST_char_ge('n', 'w'))) + || !TEST(0, TEST_char_eq('a', 'A')) + || !TEST(1, TEST_char_ne('a', 'c')) + || !TEST(0, TEST_char_ne('e', 'e')) + || !TEST(1, TEST_char_lt('i', 'x')) + || !TEST(0, TEST_char_lt('x', 'i')) + || !TEST(1, TEST_char_le('i', 'x')) + || !TEST(1, TEST_char_le('n', 'n')) + || !TEST(0, TEST_char_le('x', 'i')) + || !TEST(1, TEST_char_gt('w', 'n')) + || !TEST(0, TEST_char_gt('n', 'w')) + || !TEST(1, TEST_char_ge('w', 'n')) + || !TEST(1, TEST_char_ge('p', 'p')) + || !TEST(0, TEST_char_ge('n', 'w'))) goto err; return 1; @@ -102,19 +102,19 @@ static int test_uchar(void) { if (!TEST(1, TEST_uchar_eq(49, 49)) - | !TEST(0, TEST_uchar_eq(49, 60)) - | !TEST(1, TEST_uchar_ne(50, 2)) - | !TEST(0, TEST_uchar_ne(66, 66)) - | !TEST(1, TEST_uchar_lt(60, 80)) - | !TEST(0, TEST_uchar_lt(80, 60)) - | !TEST(1, TEST_uchar_le(60, 80)) - | !TEST(1, TEST_uchar_le(78, 78)) - | !TEST(0, TEST_uchar_le(80, 60)) - | !TEST(1, TEST_uchar_gt(88, 37)) - | !TEST(0, TEST_uchar_gt(37, 88)) - | !TEST(1, TEST_uchar_ge(88, 37)) - | !TEST(1, TEST_uchar_ge(66, 66)) - | !TEST(0, TEST_uchar_ge(37, 88))) + || !TEST(0, TEST_uchar_eq(49, 60)) + || !TEST(1, TEST_uchar_ne(50, 2)) + || !TEST(0, TEST_uchar_ne(66, 66)) + || !TEST(1, TEST_uchar_lt(60, 80)) + || !TEST(0, TEST_uchar_lt(80, 60)) + || !TEST(1, TEST_uchar_le(60, 80)) + || !TEST(1, TEST_uchar_le(78, 78)) + || !TEST(0, TEST_uchar_le(80, 60)) + || !TEST(1, TEST_uchar_gt(88, 37)) + || !TEST(0, TEST_uchar_gt(37, 88)) + || !TEST(1, TEST_uchar_ge(88, 37)) + || !TEST(1, TEST_uchar_ge(66, 66)) + || !TEST(0, TEST_uchar_ge(37, 88))) goto err; return 1; @@ -125,19 +125,19 @@ static int test_long(void) { if (!TEST(1, TEST_long_eq(123l, 123l)) - | !TEST(0, TEST_long_eq(123l, -123l)) - | !TEST(1, TEST_long_ne(123l, 500l)) - | !TEST(0, TEST_long_ne(1000l, 1000l)) - | !TEST(1, TEST_long_lt(-8923l, 102934563l)) - | !TEST(0, TEST_long_lt(102934563l, -8923l)) - | !TEST(1, TEST_long_le(-8923l, 102934563l)) - | !TEST(1, TEST_long_le(12345l, 12345l)) - | !TEST(0, TEST_long_le(102934563l, -8923l)) - | !TEST(1, TEST_long_gt(84325677l, 12345l)) - | !TEST(0, TEST_long_gt(12345l, 84325677l)) - | !TEST(1, TEST_long_ge(84325677l, 12345l)) - | !TEST(1, TEST_long_ge(465869l, 465869l)) - | !TEST(0, TEST_long_ge(12345l, 84325677l))) + || !TEST(0, TEST_long_eq(123l, -123l)) + || !TEST(1, TEST_long_ne(123l, 500l)) + || !TEST(0, TEST_long_ne(1000l, 1000l)) + || !TEST(1, TEST_long_lt(-8923l, 102934563l)) + || !TEST(0, TEST_long_lt(102934563l, -8923l)) + || !TEST(1, TEST_long_le(-8923l, 102934563l)) + || !TEST(1, TEST_long_le(12345l, 12345l)) + || !TEST(0, TEST_long_le(102934563l, -8923l)) + || !TEST(1, TEST_long_gt(84325677l, 12345l)) + || !TEST(0, TEST_long_gt(12345l, 84325677l)) + || !TEST(1, TEST_long_ge(84325677l, 12345l)) + || !TEST(1, TEST_long_ge(465869l, 465869l)) + || !TEST(0, TEST_long_ge(12345l, 84325677l))) goto err; return 1; @@ -148,19 +148,19 @@ static int test_ulong(void) { if (!TEST(1, TEST_ulong_eq(919ul, 919ul)) - | !TEST(0, TEST_ulong_eq(919ul, 10234ul)) - | !TEST(1, TEST_ulong_ne(8190ul, 66ul)) - | !TEST(0, TEST_ulong_ne(10555ul, 10555ul)) - | !TEST(1, TEST_ulong_lt(10234ul, 1000000ul)) - | !TEST(0, TEST_ulong_lt(1000000ul, 10234ul)) - | !TEST(1, TEST_ulong_le(10234ul, 1000000ul)) - | !TEST(1, TEST_ulong_le(100000ul, 100000ul)) - | !TEST(0, TEST_ulong_le(1000000ul, 10234ul)) - | !TEST(1, TEST_ulong_gt(100000000ul, 22ul)) - | !TEST(0, TEST_ulong_gt(22ul, 100000000ul)) - | !TEST(1, TEST_ulong_ge(100000000ul, 22ul)) - | !TEST(1, TEST_ulong_ge(10555ul, 10555ul)) - | !TEST(0, TEST_ulong_ge(22ul, 100000000ul))) + || !TEST(0, TEST_ulong_eq(919ul, 10234ul)) + || !TEST(1, TEST_ulong_ne(8190ul, 66ul)) + || !TEST(0, TEST_ulong_ne(10555ul, 10555ul)) + || !TEST(1, TEST_ulong_lt(10234ul, 1000000ul)) + || !TEST(0, TEST_ulong_lt(1000000ul, 10234ul)) + || !TEST(1, TEST_ulong_le(10234ul, 1000000ul)) + || !TEST(1, TEST_ulong_le(100000ul, 100000ul)) + || !TEST(0, TEST_ulong_le(1000000ul, 10234ul)) + || !TEST(1, TEST_ulong_gt(100000000ul, 22ul)) + || !TEST(0, TEST_ulong_gt(22ul, 100000000ul)) + || !TEST(1, TEST_ulong_ge(100000000ul, 22ul)) + || !TEST(1, TEST_ulong_ge(10555ul, 10555ul)) + || !TEST(0, TEST_ulong_ge(22ul, 100000000ul))) goto err; return 1; @@ -171,19 +171,19 @@ static int test_size_t(void) { if (!TEST(1, TEST_size_t_eq((size_t)10, (size_t)10)) - | !TEST(0, TEST_size_t_eq((size_t)10, (size_t)12)) - | !TEST(1, TEST_size_t_ne((size_t)10, (size_t)12)) - | !TEST(0, TEST_size_t_ne((size_t)24, (size_t)24)) - | !TEST(1, TEST_size_t_lt((size_t)30, (size_t)88)) - | !TEST(0, TEST_size_t_lt((size_t)88, (size_t)30)) - | !TEST(1, TEST_size_t_le((size_t)30, (size_t)88)) - | !TEST(1, TEST_size_t_le((size_t)33, (size_t)33)) - | !TEST(0, TEST_size_t_le((size_t)88, (size_t)30)) - | !TEST(1, TEST_size_t_gt((size_t)52, (size_t)33)) - | !TEST(0, TEST_size_t_gt((size_t)33, (size_t)52)) - | !TEST(1, TEST_size_t_ge((size_t)52, (size_t)33)) - | !TEST(1, TEST_size_t_ge((size_t)38, (size_t)38)) - | !TEST(0, TEST_size_t_ge((size_t)33, (size_t)52))) + || !TEST(0, TEST_size_t_eq((size_t)10, (size_t)12)) + || !TEST(1, TEST_size_t_ne((size_t)10, (size_t)12)) + || !TEST(0, TEST_size_t_ne((size_t)24, (size_t)24)) + || !TEST(1, TEST_size_t_lt((size_t)30, (size_t)88)) + || !TEST(0, TEST_size_t_lt((size_t)88, (size_t)30)) + || !TEST(1, TEST_size_t_le((size_t)30, (size_t)88)) + || !TEST(1, TEST_size_t_le((size_t)33, (size_t)33)) + || !TEST(0, TEST_size_t_le((size_t)88, (size_t)30)) + || !TEST(1, TEST_size_t_gt((size_t)52, (size_t)33)) + || !TEST(0, TEST_size_t_gt((size_t)33, (size_t)52)) + || !TEST(1, TEST_size_t_ge((size_t)52, (size_t)33)) + || !TEST(1, TEST_size_t_ge((size_t)38, (size_t)38)) + || !TEST(0, TEST_size_t_ge((size_t)33, (size_t)52))) goto err; return 1; @@ -194,19 +194,19 @@ static int test_time_t(void) { if (!TEST(1, TEST_time_t_eq((time_t)10, (time_t)10)) - | !TEST(0, TEST_time_t_eq((time_t)10, (time_t)12)) - | !TEST(1, TEST_time_t_ne((time_t)10, (time_t)12)) - | !TEST(0, TEST_time_t_ne((time_t)24, (time_t)24)) - | !TEST(1, TEST_time_t_lt((time_t)30, (time_t)88)) - | !TEST(0, TEST_time_t_lt((time_t)88, (time_t)30)) - | !TEST(1, TEST_time_t_le((time_t)30, (time_t)88)) - | !TEST(1, TEST_time_t_le((time_t)33, (time_t)33)) - | !TEST(0, TEST_time_t_le((time_t)88, (time_t)30)) - | !TEST(1, TEST_time_t_gt((time_t)52, (time_t)33)) - | !TEST(0, TEST_time_t_gt((time_t)33, (time_t)52)) - | !TEST(1, TEST_time_t_ge((time_t)52, (time_t)33)) - | !TEST(1, TEST_time_t_ge((time_t)38, (time_t)38)) - | !TEST(0, TEST_time_t_ge((time_t)33, (time_t)52))) + || !TEST(0, TEST_time_t_eq((time_t)10, (time_t)12)) + || !TEST(1, TEST_time_t_ne((time_t)10, (time_t)12)) + || !TEST(0, TEST_time_t_ne((time_t)24, (time_t)24)) + || !TEST(1, TEST_time_t_lt((time_t)30, (time_t)88)) + || !TEST(0, TEST_time_t_lt((time_t)88, (time_t)30)) + || !TEST(1, TEST_time_t_le((time_t)30, (time_t)88)) + || !TEST(1, TEST_time_t_le((time_t)33, (time_t)33)) + || !TEST(0, TEST_time_t_le((time_t)88, (time_t)30)) + || !TEST(1, TEST_time_t_gt((time_t)52, (time_t)33)) + || !TEST(0, TEST_time_t_gt((time_t)33, (time_t)52)) + || !TEST(1, TEST_time_t_ge((time_t)52, (time_t)33)) + || !TEST(1, TEST_time_t_ge((time_t)38, (time_t)38)) + || !TEST(0, TEST_time_t_ge((time_t)33, (time_t)52))) goto err; return 1; @@ -220,19 +220,19 @@ char y = 1; if (!TEST(1, TEST_ptr(&y)) - | !TEST(0, TEST_ptr(NULL)) - | !TEST(0, TEST_ptr_null(&y)) - | !TEST(1, TEST_ptr_null(NULL)) - | !TEST(1, TEST_ptr_eq(NULL, NULL)) - | !TEST(0, TEST_ptr_eq(NULL, &y)) - | !TEST(0, TEST_ptr_eq(&y, NULL)) - | !TEST(0, TEST_ptr_eq(&y, &x)) - | !TEST(1, TEST_ptr_eq(&x, &x)) - | !TEST(0, TEST_ptr_ne(NULL, NULL)) - | !TEST(1, TEST_ptr_ne(NULL, &y)) - | !TEST(1, TEST_ptr_ne(&y, NULL)) - | !TEST(1, TEST_ptr_ne(&y, &x)) - | !TEST(0, TEST_ptr_ne(&x, &x))) + || !TEST(0, TEST_ptr(NULL)) + || !TEST(0, TEST_ptr_null(&y)) + || !TEST(1, TEST_ptr_null(NULL)) + || !TEST(1, TEST_ptr_eq(NULL, NULL)) + || !TEST(0, TEST_ptr_eq(NULL, &y)) + || !TEST(0, TEST_ptr_eq(&y, NULL)) + || !TEST(0, TEST_ptr_eq(&y, &x)) + || !TEST(1, TEST_ptr_eq(&x, &x)) + || !TEST(0, TEST_ptr_ne(NULL, NULL)) + || !TEST(1, TEST_ptr_ne(NULL, &y)) + || !TEST(1, TEST_ptr_ne(&y, NULL)) + || !TEST(1, TEST_ptr_ne(&y, &x)) + || !TEST(0, TEST_ptr_ne(&x, &x))) goto err; return 1; @@ -243,9 +243,9 @@ static int test_bool(void) { if (!TEST(0, TEST_true(0)) - | !TEST(1, TEST_true(1)) - | !TEST(1, TEST_false(0)) - | !TEST(0, TEST_false(1))) + || !TEST(1, TEST_true(1)) + || !TEST(1, TEST_false(0)) + || !TEST(0, TEST_false(1))) goto err; return 1; @@ -258,19 +258,19 @@ static char buf[] = "abc"; if (!TEST(1, TEST_str_eq(NULL, NULL)) - | !TEST(1, TEST_str_eq("abc", buf)) - | !TEST(0, TEST_str_eq("abc", NULL)) - | !TEST(0, TEST_str_eq("abc", "")) - | !TEST(0, TEST_str_eq(NULL, buf)) - | !TEST(0, TEST_str_ne(NULL, NULL)) - | !TEST(0, TEST_str_eq("", NULL)) - | !TEST(0, TEST_str_eq(NULL, "")) - | !TEST(0, TEST_str_ne("", "")) - | !TEST(0, TEST_str_eq("\1\2\3\4\5", "\1x\3\6\5")) - | !TEST(0, TEST_str_ne("abc", buf)) - | !TEST(1, TEST_str_ne("abc", NULL)) - | !TEST(1, TEST_str_ne(NULL, buf)) - | !TEST(0, TEST_str_eq("abcdef", "abcdefghijk"))) + || !TEST(1, TEST_str_eq("abc", buf)) + || !TEST(0, TEST_str_eq("abc", NULL)) + || !TEST(0, TEST_str_eq("abc", "")) + || !TEST(0, TEST_str_eq(NULL, buf)) + || !TEST(0, TEST_str_ne(NULL, NULL)) + || !TEST(0, TEST_str_eq("", NULL)) + || !TEST(0, TEST_str_eq(NULL, "")) + || !TEST(0, TEST_str_ne("", "")) + || !TEST(0, TEST_str_eq("\1\2\3\4\5", "\1x\3\6\5")) + || !TEST(0, TEST_str_ne("abc", buf)) + || !TEST(1, TEST_str_ne("abc", NULL)) + || !TEST(1, TEST_str_ne(NULL, buf)) + || !TEST(0, TEST_str_eq("abcdef", "abcdefghijk"))) goto err; return 1; @@ -283,16 +283,16 @@ static char buf[] = "xyz"; if (!TEST(1, TEST_mem_eq(NULL, 0, NULL, 0)) - | !TEST(1, TEST_mem_eq(NULL, 1, NULL, 2)) - | !TEST(0, TEST_mem_eq(NULL, 0, "xyz", 3)) - | !TEST(0, TEST_mem_eq(NULL, 7, "abc", 3)) - | !TEST(0, TEST_mem_ne(NULL, 0, NULL, 0)) - | !TEST(0, TEST_mem_eq(NULL, 0, "", 0)) - | !TEST(0, TEST_mem_eq("", 0, NULL, 0)) - | !TEST(0, TEST_mem_ne("", 0, "", 0)) - | !TEST(0, TEST_mem_eq("xyz", 3, NULL, 0)) - | !TEST(0, TEST_mem_eq("xyz", 3, buf, sizeof(buf))) - | !TEST(1, TEST_mem_eq("xyz", 4, buf, sizeof(buf)))) + || !TEST(1, TEST_mem_eq(NULL, 1, NULL, 2)) + || !TEST(0, TEST_mem_eq(NULL, 0, "xyz", 3)) + || !TEST(0, TEST_mem_eq(NULL, 7, "abc", 3)) + || !TEST(0, TEST_mem_ne(NULL, 0, NULL, 0)) + || !TEST(0, TEST_mem_eq(NULL, 0, "", 0)) + || !TEST(0, TEST_mem_eq("", 0, NULL, 0)) + || !TEST(0, TEST_mem_ne("", 0, "", 0)) + || !TEST(0, TEST_mem_eq("xyz", 3, NULL, 0)) + || !TEST(0, TEST_mem_eq("xyz", 3, buf, sizeof(buf))) + || !TEST(1, TEST_mem_eq("xyz", 4, buf, sizeof(buf)))) goto err; return 1; @@ -315,61 +315,61 @@ int r = 0; if (!TEST(1, TEST_int_eq(BN_dec2bn(&a, "0"), 1)) - | !TEST(1, TEST_BN_eq_word(a, 0)) - | !TEST(0, TEST_BN_eq_word(a, 30)) - | !TEST(1, TEST_BN_abs_eq_word(a, 0)) - | !TEST(0, TEST_BN_eq_one(a)) - | !TEST(1, TEST_BN_eq_zero(a)) - | !TEST(0, TEST_BN_ne_zero(a)) - | !TEST(1, TEST_BN_le_zero(a)) - | !TEST(0, TEST_BN_lt_zero(a)) - | !TEST(1, TEST_BN_ge_zero(a)) - | !TEST(0, TEST_BN_gt_zero(a)) - | !TEST(1, TEST_BN_even(a)) - | !TEST(0, TEST_BN_odd(a)) - | !TEST(1, TEST_BN_eq(b, c)) - | !TEST(0, TEST_BN_eq(a, b)) - | !TEST(0, TEST_BN_ne(NULL, c)) - | !TEST(1, TEST_int_eq(BN_dec2bn(&b, "1"), 1)) - | !TEST(1, TEST_BN_eq_word(b, 1)) - | !TEST(1, TEST_BN_eq_one(b)) - | !TEST(0, TEST_BN_abs_eq_word(b, 0)) - | !TEST(1, TEST_BN_abs_eq_word(b, 1)) - | !TEST(0, TEST_BN_eq_zero(b)) - | !TEST(1, TEST_BN_ne_zero(b)) - | !TEST(0, TEST_BN_le_zero(b)) - | !TEST(0, TEST_BN_lt_zero(b)) - | !TEST(1, TEST_BN_ge_zero(b)) - | !TEST(1, TEST_BN_gt_zero(b)) - | !TEST(0, TEST_BN_even(b)) - | !TEST(1, TEST_BN_odd(b)) - | !TEST(1, TEST_int_eq(BN_dec2bn(&c, "-334739439"), 10)) - | !TEST(0, TEST_BN_eq_word(c, 334739439)) - | !TEST(1, TEST_BN_abs_eq_word(c, 334739439)) - | !TEST(0, TEST_BN_eq_zero(c)) - | !TEST(1, TEST_BN_ne_zero(c)) - | !TEST(1, TEST_BN_le_zero(c)) - | !TEST(1, TEST_BN_lt_zero(c)) - | !TEST(0, TEST_BN_ge_zero(c)) - | !TEST(0, TEST_BN_gt_zero(c)) - | !TEST(0, TEST_BN_even(c)) - | !TEST(1, TEST_BN_odd(c)) - | !TEST(1, TEST_BN_eq(a, a)) - | !TEST(0, TEST_BN_ne(a, a)) - | !TEST(0, TEST_BN_eq(a, b)) - | !TEST(1, TEST_BN_ne(a, b)) - | !TEST(0, TEST_BN_lt(a, c)) - | !TEST(1, TEST_BN_lt(c, b)) - | !TEST(0, TEST_BN_lt(b, c)) - | !TEST(0, TEST_BN_le(a, c)) - | !TEST(1, TEST_BN_le(c, b)) - | !TEST(0, TEST_BN_le(b, c)) - | !TEST(1, TEST_BN_gt(a, c)) - | !TEST(0, TEST_BN_gt(c, b)) - | !TEST(1, TEST_BN_gt(b, c)) - | !TEST(1, TEST_BN_ge(a, c)) - | !TEST(0, TEST_BN_ge(c, b)) - | !TEST(1, TEST_BN_ge(b, c))) + || !TEST(1, TEST_BN_eq_word(a, 0)) + || !TEST(0, TEST_BN_eq_word(a, 30)) + || !TEST(1, TEST_BN_abs_eq_word(a, 0)) + || !TEST(0, TEST_BN_eq_one(a)) + || !TEST(1, TEST_BN_eq_zero(a)) + || !TEST(0, TEST_BN_ne_zero(a)) + || !TEST(1, TEST_BN_le_zero(a)) + || !TEST(0, TEST_BN_lt_zero(a)) + || !TEST(1, TEST_BN_ge_zero(a)) + || !TEST(0, TEST_BN_gt_zero(a)) + || !TEST(1, TEST_BN_even(a)) + || !TEST(0, TEST_BN_odd(a)) + || !TEST(1, TEST_BN_eq(b, c)) + || !TEST(0, TEST_BN_eq(a, b)) + || !TEST(0, TEST_BN_ne(NULL, c)) + || !TEST(1, TEST_int_eq(BN_dec2bn(&b, "1"), 1)) + || !TEST(1, TEST_BN_eq_word(b, 1)) + || !TEST(1, TEST_BN_eq_one(b)) + || !TEST(0, TEST_BN_abs_eq_word(b, 0)) + || !TEST(1, TEST_BN_abs_eq_word(b, 1)) + || !TEST(0, TEST_BN_eq_zero(b)) + || !TEST(1, TEST_BN_ne_zero(b)) + || !TEST(0, TEST_BN_le_zero(b)) + || !TEST(0, TEST_BN_lt_zero(b)) + || !TEST(1, TEST_BN_ge_zero(b)) + || !TEST(1, TEST_BN_gt_zero(b)) + || !TEST(0, TEST_BN_even(b)) + || !TEST(1, TEST_BN_odd(b)) + || !TEST(1, TEST_int_eq(BN_dec2bn(&c, "-334739439"), 10)) + || !TEST(0, TEST_BN_eq_word(c, 334739439)) + || !TEST(1, TEST_BN_abs_eq_word(c, 334739439)) + || !TEST(0, TEST_BN_eq_zero(c)) + || !TEST(1, TEST_BN_ne_zero(c)) + || !TEST(1, TEST_BN_le_zero(c)) + || !TEST(1, TEST_BN_lt_zero(c)) + || !TEST(0, TEST_BN_ge_zero(c)) + || !TEST(0, TEST_BN_gt_zero(c)) + || !TEST(0, TEST_BN_even(c)) + || !TEST(1, TEST_BN_odd(c)) + || !TEST(1, TEST_BN_eq(a, a)) + || !TEST(0, TEST_BN_ne(a, a)) + || !TEST(0, TEST_BN_eq(a, b)) + || !TEST(1, TEST_BN_ne(a, b)) + || !TEST(0, TEST_BN_lt(a, c)) + || !TEST(1, TEST_BN_lt(c, b)) + || !TEST(0, TEST_BN_lt(b, c)) + || !TEST(0, TEST_BN_le(a, c)) + || !TEST(1, TEST_BN_le(c, b)) + || !TEST(0, TEST_BN_le(b, c)) + || !TEST(1, TEST_BN_gt(a, c)) + || !TEST(0, TEST_BN_gt(c, b)) + || !TEST(1, TEST_BN_gt(b, c)) + || !TEST(1, TEST_BN_ge(a, c)) + || !TEST(0, TEST_BN_ge(c, b)) + || !TEST(1, TEST_BN_ge(b, c))) goto err; r = 1; diff -Nru openssl-1.1.1n/test/testutil/driver.c openssl-1.1.1v/test/testutil/driver.c --- openssl-1.1.1n/test/testutil/driver.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/testutil/driver.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -99,7 +99,7 @@ return a; } -void setup_test_framework() +void setup_test_framework(void) { char *TAP_levels = getenv("HARNESS_OSSL_LEVEL"); char *test_seed = getenv("OPENSSL_TEST_RAND_ORDER"); diff -Nru openssl-1.1.1n/test/v3ext.c openssl-1.1.1v/test/v3ext.c --- openssl-1.1.1n/test/v3ext.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/v3ext.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,10 +8,12 @@ */ #include +#include #include #include #include #include +#include "internal/nelem.h" #include "testutil.h" @@ -37,11 +39,302 @@ return ret; } +#ifndef OPENSSL_NO_RFC3779 +static int test_asid(void) +{ + ASN1_INTEGER *val1 = NULL, *val2 = NULL; + ASIdentifiers *asid1 = ASIdentifiers_new(), *asid2 = ASIdentifiers_new(), + *asid3 = ASIdentifiers_new(), *asid4 = ASIdentifiers_new(); + int testresult = 0; + + if (!TEST_ptr(asid1) + || !TEST_ptr(asid2) + || !TEST_ptr(asid3)) + goto err; + + if (!TEST_ptr(val1 = ASN1_INTEGER_new()) + || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496))) + goto err; + + if (!TEST_true(X509v3_asid_add_id_or_range(asid1, V3_ASID_ASNUM, val1, NULL))) + goto err; + + val1 = NULL; + if (!TEST_ptr(val2 = ASN1_INTEGER_new()) + || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497))) + goto err; + + if (!TEST_true(X509v3_asid_add_id_or_range(asid2, V3_ASID_ASNUM, val2, NULL))) + goto err; + + val2 = NULL; + if (!TEST_ptr(val1 = ASN1_INTEGER_new()) + || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496)) + || !TEST_ptr(val2 = ASN1_INTEGER_new()) + || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497))) + goto err; + + /* + * Just tests V3_ASID_ASNUM for now. Could be extended at some point to also + * test V3_ASID_RDI if we think it is worth it. + */ + if (!TEST_true(X509v3_asid_add_id_or_range(asid3, V3_ASID_ASNUM, val1, val2))) + goto err; + val1 = val2 = NULL; + + /* Actual subsets */ + if (!TEST_true(X509v3_asid_subset(NULL, NULL)) + || !TEST_true(X509v3_asid_subset(NULL, asid1)) + || !TEST_true(X509v3_asid_subset(asid1, asid1)) + || !TEST_true(X509v3_asid_subset(asid2, asid2)) + || !TEST_true(X509v3_asid_subset(asid1, asid3)) + || !TEST_true(X509v3_asid_subset(asid2, asid3)) + || !TEST_true(X509v3_asid_subset(asid3, asid3)) + || !TEST_true(X509v3_asid_subset(asid4, asid1)) + || !TEST_true(X509v3_asid_subset(asid4, asid2)) + || !TEST_true(X509v3_asid_subset(asid4, asid3))) + goto err; + + /* Not subsets */ + if (!TEST_false(X509v3_asid_subset(asid1, NULL)) + || !TEST_false(X509v3_asid_subset(asid1, asid2)) + || !TEST_false(X509v3_asid_subset(asid2, asid1)) + || !TEST_false(X509v3_asid_subset(asid3, asid1)) + || !TEST_false(X509v3_asid_subset(asid3, asid2)) + || !TEST_false(X509v3_asid_subset(asid1, asid4)) + || !TEST_false(X509v3_asid_subset(asid2, asid4)) + || !TEST_false(X509v3_asid_subset(asid3, asid4))) + goto err; + + testresult = 1; + err: + ASN1_INTEGER_free(val1); + ASN1_INTEGER_free(val2); + ASIdentifiers_free(asid1); + ASIdentifiers_free(asid2); + ASIdentifiers_free(asid3); + ASIdentifiers_free(asid4); + return testresult; +} + +static struct ip_ranges_st { + const unsigned int afi; + const char *ip1; + const char *ip2; + int rorp; +} ranges[] = { + { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.1", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.2", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.3", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.254", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.255", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV4, "192.168.0.1", "192.168.0.255", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV4, "192.168.0.1", "192.168.0.1", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV4, "192.168.0.0", "192.168.255.255", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV4, "192.168.1.0", "192.168.255.255", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::1", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::2", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::3", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::fffe", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::ffff", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV6, "2001:0db8::1", "2001:0db8::ffff", IPAddressOrRange_addressRange}, + { IANA_AFI_IPV6, "2001:0db8::1", "2001:0db8::1", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV6, "2001:0db8::0:0", "2001:0db8::ffff:ffff", IPAddressOrRange_addressPrefix}, + { IANA_AFI_IPV6, "2001:0db8::1:0", "2001:0db8::ffff:ffff", IPAddressOrRange_addressRange} +}; + +static int check_addr(IPAddrBlocks *addr, int type) +{ + IPAddressFamily *fam; + IPAddressOrRange *aorr; + + if (!TEST_int_eq(sk_IPAddressFamily_num(addr), 1)) + return 0; + + fam = sk_IPAddressFamily_value(addr, 0); + if (!TEST_ptr(fam)) + return 0; + + if (!TEST_int_eq(fam->ipAddressChoice->type, IPAddressChoice_addressesOrRanges)) + return 0; + + if (!TEST_int_eq(sk_IPAddressOrRange_num(fam->ipAddressChoice->u.addressesOrRanges), 1)) + return 0; + + aorr = sk_IPAddressOrRange_value(fam->ipAddressChoice->u.addressesOrRanges, 0); + if (!TEST_ptr(aorr)) + return 0; + + if (!TEST_int_eq(aorr->type, type)) + return 0; + + return 1; +} + +static int test_addr_ranges(void) +{ + IPAddrBlocks *addr = NULL; + ASN1_OCTET_STRING *ip1 = NULL, *ip2 = NULL; + size_t i; + int testresult = 0; + + for (i = 0; i < OSSL_NELEM(ranges); i++) { + addr = sk_IPAddressFamily_new_null(); + if (!TEST_ptr(addr)) + goto end; + /* + * Has the side effect of installing the comparison function onto the + * stack. + */ + if (!TEST_true(X509v3_addr_canonize(addr))) + goto end; + + ip1 = a2i_IPADDRESS(ranges[i].ip1); + if (!TEST_ptr(ip1)) + goto end; + if (!TEST_true(ip1->length == 4 || ip1->length == 16)) + goto end; + ip2 = a2i_IPADDRESS(ranges[i].ip2); + if (!TEST_ptr(ip2)) + goto end; + if (!TEST_int_eq(ip2->length, ip1->length)) + goto end; + if (!TEST_true(memcmp(ip1->data, ip2->data, ip1->length) <= 0)) + goto end; + + if (!TEST_true(X509v3_addr_add_range(addr, ranges[i].afi, NULL, ip1->data, ip2->data))) + goto end; + + if (!TEST_true(X509v3_addr_is_canonical(addr))) + goto end; + + if (!check_addr(addr, ranges[i].rorp)) + goto end; + + sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); + addr = NULL; + ASN1_OCTET_STRING_free(ip1); + ASN1_OCTET_STRING_free(ip2); + ip1 = ip2 = NULL; + } + + testresult = 1; + end: + sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); + ASN1_OCTET_STRING_free(ip1); + ASN1_OCTET_STRING_free(ip2); + return testresult; +} + +static struct extvalues_st { + const char *value; + int pass; +} extvalues[] = { + /* No prefix is ok */ + { "sbgp-ipAddrBlock = IPv4:192.0.0.1\n", 1 }, + { "sbgp-ipAddrBlock = IPv4:192.0.0.0/0\n", 1 }, + { "sbgp-ipAddrBlock = IPv4:192.0.0.0/1\n", 1 }, + { "sbgp-ipAddrBlock = IPv4:192.0.0.0/32\n", 1 }, + /* Prefix is too long */ + { "sbgp-ipAddrBlock = IPv4:192.0.0.0/33\n", 0 }, + /* Unreasonably large prefix */ + { "sbgp-ipAddrBlock = IPv4:192.0.0.0/12341234\n", 0 }, + /* Invalid IP addresses */ + { "sbgp-ipAddrBlock = IPv4:192.0.0\n", 0 }, + { "sbgp-ipAddrBlock = IPv4:256.0.0.0\n", 0 }, + { "sbgp-ipAddrBlock = IPv4:-1.0.0.0\n", 0 }, + { "sbgp-ipAddrBlock = IPv4:192.0.0.0.0\n", 0 }, + { "sbgp-ipAddrBlock = IPv3:192.0.0.0\n", 0 }, + + /* IPv6 */ + /* No prefix is ok */ + { "sbgp-ipAddrBlock = IPv6:2001:db8::\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001::db8\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:db8::/0\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:db8::/1\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:db8::/32\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000/32\n", 1 }, + { "sbgp-ipAddrBlock = IPv6:2001:db8::/128\n", 1 }, + /* Prefix is too long */ + { "sbgp-ipAddrBlock = IPv6:2001:db8::/129\n", 0 }, + /* Unreasonably large prefix */ + { "sbgp-ipAddrBlock = IPv6:2001:db8::/12341234\n", 0 }, + /* Invalid IP addresses */ + /* Not enough blocks of numbers */ + { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000\n", 0 }, + /* Too many blocks of numbers */ + { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000:0000\n", 0 }, + /* First value too large */ + { "sbgp-ipAddrBlock = IPv6:1ffff:0db8:0000:0000:0000:0000:0000:0000\n", 0 }, + /* First value with invalid characters */ + { "sbgp-ipAddrBlock = IPv6:fffg:0db8:0000:0000:0000:0000:0000:0000\n", 0 }, + /* First value is negative */ + { "sbgp-ipAddrBlock = IPv6:-1:0db8:0000:0000:0000:0000:0000:0000\n", 0 } +}; + +static int test_ext_syntax(void) +{ + size_t i; + int testresult = 1; + + for (i = 0; i < OSSL_NELEM(extvalues); i++) { + X509V3_CTX ctx; + BIO *extbio = BIO_new_mem_buf(extvalues[i].value, + strlen(extvalues[i].value)); + CONF *conf; + long eline; + + if (!TEST_ptr(extbio)) + return 0 ; + + conf = NCONF_new(NULL); + if (!TEST_ptr(conf)) { + BIO_free(extbio); + return 0; + } + if (!TEST_long_gt(NCONF_load_bio(conf, extbio, &eline), 0)) { + testresult = 0; + } else { + X509V3_set_ctx_test(&ctx); + X509V3_set_nconf(&ctx, conf); + + if (extvalues[i].pass) { + if (!TEST_true(X509V3_EXT_add_nconf(conf, &ctx, "default", + NULL))) { + TEST_info("Value: %s", extvalues[i].value); + testresult = 0; + } + } else { + ERR_set_mark(); + if (!TEST_false(X509V3_EXT_add_nconf(conf, &ctx, "default", + NULL))) { + testresult = 0; + TEST_info("Value: %s", extvalues[i].value); + ERR_clear_last_mark(); + } else { + ERR_pop_to_mark(); + } + } + } + BIO_free(extbio); + NCONF_free(conf); + } + + return testresult; +} +#endif /* OPENSSL_NO_RFC3779 */ + int setup_tests(void) { if (!TEST_ptr(infile = test_get_argument(0))) return 0; ADD_TEST(test_pathlen); +#ifndef OPENSSL_NO_RFC3779 + ADD_TEST(test_asid); + ADD_TEST(test_addr_ranges); + ADD_TEST(test_ext_syntax); +#endif /* OPENSSL_NO_RFC3779 */ return 1; } diff -Nru openssl-1.1.1n/test/v3nametest.c openssl-1.1.1v/test/v3nametest.c --- openssl-1.1.1n/test/v3nametest.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/v3nametest.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -646,6 +646,14 @@ 0xb7, 0x09, 0x02, 0x02 }, 15 + }, { + /* + * Regression test for CVE-2023-0286. + */ + { + 0xa3, 0x00 + }, + 2 } }; diff -Nru openssl-1.1.1n/test/x509_internal_test.c openssl-1.1.1v/test/x509_internal_test.c --- openssl-1.1.1n/test/x509_internal_test.c 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/test/x509_internal_test.c 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -57,8 +57,63 @@ return good; } +typedef struct { + const char *ipasc; + const char *data; + int length; +} IP_TESTDATA; + +static IP_TESTDATA a2i_ipaddress_tests[] = { + {"127.0.0.1", "\x7f\x00\x00\x01", 4}, + {"1.2.3.4", "\x01\x02\x03\x04", 4}, + {"1.2.3.255", "\x01\x02\x03\xff", 4}, + {"1.2.3", NULL, 0}, + {"1.2.3 .4", NULL, 0}, + + {"::1", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16}, + {"1:1:1:1:1:1:1:1", "\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01", 16}, + {"2001:db8::ff00:42:8329", "\x20\x01\x0d\xb8\x00\x00\x00\x00\x00\x00\xff\x00\x00\x42\x83\x29", 16}, + {"1:1:1:1:1:1:1:1.test", NULL, 0}, + {":::1", NULL, 0}, + {"2001::123g", NULL, 0}, + + {"example.test", NULL, 0}, + {"", NULL, 0}, + + {"1.2.3.4 ", "\x01\x02\x03\x04", 4}, + {" 1.2.3.4", "\x01\x02\x03\x04", 4}, + {" 1.2.3.4 ", "\x01\x02\x03\x04", 4}, + {"1.2.3.4.example.test", NULL, 0}, +}; + + +static int test_a2i_ipaddress(int idx) +{ + int good = 1; + ASN1_OCTET_STRING *ip; + int len = a2i_ipaddress_tests[idx].length; + + ip = a2i_IPADDRESS(a2i_ipaddress_tests[idx].ipasc); + if (len == 0) { + if (!TEST_ptr_null(ip)) { + good = 0; + TEST_note("'%s' should not be parsed as IP address", a2i_ipaddress_tests[idx].ipasc); + } + } else { + if (!TEST_ptr(ip) + || !TEST_int_eq(ASN1_STRING_length(ip), len) + || !TEST_mem_eq(ASN1_STRING_get0_data(ip), len, + a2i_ipaddress_tests[idx].data, len)) { + good = 0; + } + } + ASN1_OCTET_STRING_free(ip); + return good; +} + int setup_tests(void) { ADD_TEST(test_standard_exts); + ADD_ALL_TESTS(test_a2i_ipaddress, OSSL_NELEM(a2i_ipaddress_tests)); return 1; } diff -Nru openssl-1.1.1n/tools/c_rehash.in openssl-1.1.1v/tools/c_rehash.in --- openssl-1.1.1n/tools/c_rehash.in 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/tools/c_rehash.in 2023-08-01 13:51:35.000000000 +0000 @@ -1,7 +1,7 @@ #!{- $config{HASHBANGPERL} -} # {- join("\n# ", @autowarntext) -} -# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -104,54 +104,97 @@ } exit($errorcount); +sub copy_file { + my ($src_fname, $dst_fname) = @_; + + if (open(my $in, "<", $src_fname)) { + if (open(my $out, ">", $dst_fname)) { + print $out $_ while (<$in>); + close $out; + } else { + warn "Cannot open $dst_fname for write, $!"; + } + close $in; + } else { + warn "Cannot open $src_fname for read, $!"; + } +} + sub hash_dir { - my %hashlist; - print "Doing $_[0]\n"; - chdir $_[0]; - opendir(DIR, "."); - my @flist = sort readdir(DIR); - closedir DIR; - if ( $removelinks ) { - # Delete any existing symbolic links - foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if (-l $_) { - print "unlink $_" if $verbose; - unlink $_ || warn "Can't unlink $_, $!\n"; - } - } - } - FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { - # Check to see if certificates and/or CRLs present. - my ($cert, $crl) = check_file($fname); - if (!$cert && !$crl) { - print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; - next; - } - link_hash_cert($fname) if ($cert); - link_hash_crl($fname) if ($crl); - } + my $dir = shift; + my %hashlist; + + print "Doing $dir\n"; + + if (!chdir $dir) { + print STDERR "WARNING: Cannot chdir to '$dir', $!\n"; + return; + } + + opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n"; + my @flist = sort readdir(DIR); + closedir DIR; + if ( $removelinks ) { + # Delete any existing symbolic links + foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { + if (-l $_) { + print "unlink $_\n" if $verbose; + unlink $_ || warn "Can't unlink $_, $!\n"; + } + } + } + FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { + # Check to see if certificates and/or CRLs present. + my ($cert, $crl) = check_file($fname); + if (!$cert && !$crl) { + print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; + next; + } + link_hash_cert($fname) if ($cert); + link_hash_crl($fname) if ($crl); + } + + chdir $pwd; } sub check_file { - my ($is_cert, $is_crl) = (0,0); - my $fname = $_[0]; - open IN, $fname; - while() { - if (/^-----BEGIN (.*)-----/) { - my $hdr = $1; - if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { - $is_cert = 1; - last if ($is_crl); - } elsif ($hdr eq "X509 CRL") { - $is_crl = 1; - last if ($is_cert); - } - } - } - close IN; - return ($is_cert, $is_crl); + my ($is_cert, $is_crl) = (0,0); + my $fname = $_[0]; + + open(my $in, "<", $fname); + while(<$in>) { + if (/^-----BEGIN (.*)-----/) { + my $hdr = $1; + if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { + $is_cert = 1; + last if ($is_crl); + } elsif ($hdr eq "X509 CRL") { + $is_crl = 1; + last if ($is_cert); + } + } + } + close $in; + return ($is_cert, $is_crl); } +sub compute_hash { + my $fh; + if ( $^O eq "VMS" ) { + # VMS uses the open through shell + # The file names are safe there and list form is unsupported + if (!open($fh, "-|", join(' ', @_))) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } else { + if (!open($fh, "-|", @_)) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } + return (<$fh>, <$fh>); +} # Link a certificate to its subject name hash value, each hash is of # the form . where n is an integer. If the hash value already exists @@ -160,72 +203,48 @@ # certificate fingerprints sub link_hash_cert { - my $fname = $_[0]; - $fname =~ s/\"/\\\"/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate certificate $fname\n"; - return; - } - $suffix++; - } - $hash .= ".$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "copy $fname -> $hash\n" if $verbose; - if (open($in, "<", $fname)) { - if (open($out,">", $hash)) { - print $out $_ while (<$in>); - close $out; - } else { - warn "can't open $hash for write, $!"; - } - close $in; - } else { - warn "can't open $fname for read, $!"; - } - } - $hashlist{$hash} = $fprint; + link_hash($_[0], 'cert'); } # Same as above except for a CRL. CRL links are of the form .r sub link_hash_crl { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.r$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.r$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate CRL $fname\n"; - return; - } - $suffix++; - } - $hash .= ".r$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "cp $fname -> $hash\n" if $verbose; - system ("cp", $fname, $hash); - warn "Can't copy, $!" if ($? >> 8) != 0; - } - $hashlist{$hash} = $fprint; + link_hash($_[0], 'crl'); +} + +sub link_hash { + my ($fname, $type) = @_; + my $is_cert = $type eq 'cert'; + + my ($hash, $fprint) = compute_hash($openssl, + $is_cert ? "x509" : "crl", + $is_cert ? $x509hash : $crlhash, + "-fingerprint", "-noout", + "-in", $fname); + chomp $hash; + chomp $fprint; + return if !$hash; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; + # Search for an unused hash filename + my $crlmark = $is_cert ? "" : "r"; + while(exists $hashlist{"$hash.$crlmark$suffix"}) { + # Hash matches: if fingerprint matches its a duplicate cert + if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) { + my $what = $is_cert ? 'certificate' : 'CRL'; + print STDERR "WARNING: Skipping duplicate $what $fname\n"; + return; + } + $suffix++; + } + $hash .= ".$crlmark$suffix"; + if ($symlink_exists) { + print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; + } else { + print "copy $fname -> $hash\n" if $verbose; + copy_file($fname, $hash); + } + $hashlist{$hash} = $fprint; } diff -Nru openssl-1.1.1n/util/mkdef.pl openssl-1.1.1v/util/mkdef.pl --- openssl-1.1.1n/util/mkdef.pl 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/util/mkdef.pl 2023-08-01 13:51:35.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -197,6 +197,7 @@ } $libname = $unified_info{sharednames}->{libcrypto} if $do_crypto; $libname = $unified_info{sharednames}->{libssl} if $do_ssl; +$libname .= $target{shlib_variant} || ""; if (!$libname) { if ($do_ssl) { diff -Nru openssl-1.1.1n/util/perl/OpenSSL/copyright.pm openssl-1.1.1v/util/perl/OpenSSL/copyright.pm --- openssl-1.1.1n/util/perl/OpenSSL/copyright.pm 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1v/util/perl/OpenSSL/copyright.pm 2023-08-01 13:51:35.000000000 +0000 @@ -0,0 +1,41 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use warnings; + +package OpenSSL::copyright; + +sub year_of { + my $file = shift; + + return $ENV{'OSSL_COPYRIGHT_YEAR'} if defined $ENV{'OSSL_COPYRIGHT_YEAR'}; + + # Use the file date for backward compatibility. + my $YEAR = [localtime([stat($file)]->[9])]->[5] + 1900; + + # See if git's available + open my $FH, + "git log -1 --date=short --format=format:%cd $file 2>/dev/null|" + or return $YEAR; + my $LINE = <$FH>; + close $FH; + $LINE =~ s/^([0-9]*)-.*/$1/ if $LINE; + $YEAR = $LINE if $LINE; + return $YEAR; +} + +sub latest { + my $l = 0; + foreach my $f (@_ ) { + my $y = year_of($f); + $l = $y if $y > $l; + } + return $l +} +1; diff -Nru openssl-1.1.1n/util/private.num openssl-1.1.1v/util/private.num --- openssl-1.1.1n/util/private.num 2022-03-15 14:37:47.000000000 +0000 +++ openssl-1.1.1v/util/private.num 2023-08-01 13:51:35.000000000 +0000 @@ -323,6 +323,8 @@ SSL_CTX_disable_ct define SSL_CTX_generate_session_ticket_fn define SSL_CTX_get0_chain_certs define +SSL_CTX_get0_chain_cert_store define +SSL_CTX_get0_verify_cert_store define SSL_CTX_get_default_read_ahead define SSL_CTX_get_max_cert_list define SSL_CTX_get_max_proto_version define @@ -388,6 +390,8 @@ SSL_disable_ct define SSL_get0_chain_certs define SSL_get0_session define +SSL_get0_chain_cert_store define +SSL_get0_verify_cert_store define SSL_get1_curves define SSL_get1_groups define SSL_get_cipher define