Upstream merge 2024 04 11

crypto/CMakeLists.txt

@@ -460,7 +460,42 @@ add_library(
  x509/t_req.c
  x509/t_x509.c
  x509/t_x509a.c
- x509/x509.c
+ x509/v3_akey.c
+ x509/v3_akeya.c
+ x509/v3_alt.c
+ x509/v3_bcons.c
+ x509/v3_bitst.c
+ x509/v3_conf.c
+ x509/v3_cpols.c
+ x509/v3_crld.c
+ x509/v3_enum.c
+ x509/v3_extku.c
+ x509/v3_genn.c
+ x509/v3_ia5.c
+ x509/v3_info.c
+ x509/v3_int.c
+ x509/v3_lib.c
+ x509/v3_ncons.c
+ x509/v3_ocsp.c
+ x509/v3_pcons.c
+ x509/v3_pmaps.c
+ x509/v3_prn.c
+ x509/v3_purp.c
+ x509/v3_skey.c
+ x509/v3_utl.c
+ x509/x_algor.c
+ x509/x_all.c
+ x509/x_attrib.c
+ x509/x_crl.c
+ x509/x_exten.c
+ x509/x_name.c
+ x509/x_pubkey.c
+ x509/x_req.c
+ x509/x_sig.c
+ x509/x_spki.c
+ x509/x_val.c
+ x509/x_x509.c
+ x509/x_x509a.c
  x509/x509_att.c
  x509/x509_cmp.c
  x509/x509_d2.c
@@ -475,46 +510,11 @@ add_library(
  x509/x509_v3.c
  x509/x509_vfy.c
  x509/x509_vpm.c
+ x509/x509.c
  x509/x509cset.c
  x509/x509name.c
  x509/x509rset.c
  x509/x509spki.c
- x509/x_algor.c
- x509/x_all.c
- x509/x_attrib.c
- x509/x_crl.c
- x509/x_exten.c
- x509/x_name.c
- x509/x_pubkey.c
- x509/x_req.c
- x509/x_sig.c
- x509/x_spki.c
- x509/x_val.c
- x509/x_x509.c
- x509/x_x509a.c
- x509v3/v3_akey.c
- x509v3/v3_akeya.c
- x509v3/v3_alt.c
- x509v3/v3_bcons.c
- x509v3/v3_bitst.c
- x509v3/v3_conf.c
- x509v3/v3_cpols.c
- x509v3/v3_crld.c
- x509v3/v3_enum.c
- x509v3/v3_extku.c
- x509v3/v3_genn.c
- x509v3/v3_ia5.c
- x509v3/v3_info.c
- x509v3/v3_int.c
- x509v3/v3_lib.c
- x509v3/v3_ncons.c
- x509v3/v3_ocsp.c
- x509v3/v3_pcons.c
- x509v3/v3_pmaps.c
- x509v3/v3_prn.c
- x509v3/v3_purp.c
- x509v3/v3_skey.c
- x509v3/v3_utl.c
  decrepit/bio/base64_bio.c
  decrepit/blowfish/blowfish.c
  decrepit/cast/cast.c
@@ -765,9 +765,9 @@ if(BUILD_TESTING)
  test/file_test_gtest.cc
  thread_test.cc
  trust_token/trust_token_test.cc
+ x509/tab_test.cc
  x509/x509_test.cc
  x509/x509_time_test.cc
- x509v3/tab_test.cc
  decrepit/blowfish/blowfish_test.cc
  decrepit/cast/cast_test.cc
  decrepit/cfb/cfb_test.cc

crypto/decrepit/x509/x509_decrepit.c

@@ -12,7 +12,7 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
-#include <openssl/x509v3.h>
+#include <openssl/x509.h>
 
 #include <assert.h>
 

crypto/fipsmodule/bn/add.c

@@ -117,10 +117,7 @@ int bn_uadd_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {
 
  BN_ULONG carry = bn_add_words(r->d, a->d, b->d, min);
  for (int i = min; i < max; i++) {
- // |r| and |a| may alias, so use a temporary.
- BN_ULONG tmp = carry + a->d[i];
- carry = tmp < a->d[i];
- r->d[i] = tmp;
+ r->d[i] = CRYPTO_addc_w(a->d[i], 0, carry, &carry);
  }
 
  r->d[max] = carry;
@@ -241,10 +238,7 @@ int bn_usub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {
 
  BN_ULONG borrow = bn_sub_words(r->d, a->d, b->d, b_width);
  for (int i = b_width; i < a->width; i++) {
- // |r| and |a| may alias, so use a temporary.
- BN_ULONG tmp = a->d[i];
- r->d[i] = a->d[i] - borrow;
- borrow = tmp < r->d[i];
+ r->d[i] = CRYPTO_subc_w(a->d[i], 0, borrow, &borrow);
  }
 
  if (borrow) {

crypto/fipsmodule/bn/generic.c

@@ -567,37 +567,6 @@ void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]) {
 
 #if !defined(BN_ADD_ASM)
 
-// bn_add_with_carry returns |x + y + carry|, and sets |*out_carry| to the
-// carry bit. |carry| must be zero or one.
-static inline BN_ULONG bn_add_with_carry(BN_ULONG x, BN_ULONG y, BN_ULONG carry,
- BN_ULONG *out_carry) {
- assert(carry == 0 || carry == 1);
-#if defined(BN_ULLONG)
- BN_ULLONG ret = carry;
- ret += (BN_ULLONG)x + y;
- *out_carry = (BN_ULONG)(ret >> BN_BITS2);
- return (BN_ULONG)ret;
-#else
- x += carry;
- carry = x < carry;
- BN_ULONG ret = x + y;
- carry += ret < x;
- *out_carry = carry;
- return ret;
-#endif
-}
-
-// bn_sub_with_borrow returns |x - y - borrow|, and sets |*out_borrow| to the
-// borrow bit. |borrow| must be zero or one.
-static inline BN_ULONG bn_sub_with_borrow(BN_ULONG x, BN_ULONG y,
- BN_ULONG borrow,
- BN_ULONG *out_borrow) {
- assert(borrow == 0 || borrow == 1);
- BN_ULONG ret = x - y - borrow;
- *out_borrow = (x < y) | ((x == y) & borrow);
- return ret;
-}
-
 BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
  size_t n) {
  if (n == 0) {
@@ -606,17 +575,17 @@ BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 
  BN_ULONG carry = 0;
  while (n & ~3) {
- r[0] = bn_add_with_carry(a[0], b[0], carry, &carry);
- r[1] = bn_add_with_carry(a[1], b[1], carry, &carry);
- r[2] = bn_add_with_carry(a[2], b[2], carry, &carry);
- r[3] = bn_add_with_carry(a[3], b[3], carry, &carry);
+ r[0] = CRYPTO_addc_w(a[0], b[0], carry, &carry);
+ r[1] = CRYPTO_addc_w(a[1], b[1], carry, &carry);
+ r[2] = CRYPTO_addc_w(a[2], b[2], carry, &carry);
+ r[3] = CRYPTO_addc_w(a[3], b[3], carry, &carry);
  a += 4;
  b += 4;
  r += 4;
  n -= 4;
  }
  while (n) {
- r[0] = bn_add_with_carry(a[0], b[0], carry, &carry);
+ r[0] = CRYPTO_addc_w(a[0], b[0], carry, &carry);
  a++;
  b++;
  r++;
@@ -633,17 +602,17 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 
  BN_ULONG borrow = 0;
  while (n & ~3) {
- r[0] = bn_sub_with_borrow(a[0], b[0], borrow, &borrow);
- r[1] = bn_sub_with_borrow(a[1], b[1], borrow, &borrow);
- r[2] = bn_sub_with_borrow(a[2], b[2], borrow, &borrow);
- r[3] = bn_sub_with_borrow(a[3], b[3], borrow, &borrow);
+ r[0] = CRYPTO_subc_w(a[0], b[0], borrow, &borrow);
+ r[1] = CRYPTO_subc_w(a[1], b[1], borrow, &borrow);
+ r[2] = CRYPTO_subc_w(a[2], b[2], borrow, &borrow);
+ r[3] = CRYPTO_subc_w(a[3], b[3], borrow, &borrow);
  a += 4;
  b += 4;
  r += 4;
  n -= 4;
  }
  while (n) {
- r[0] = bn_sub_with_borrow(a[0], b[0], borrow, &borrow);
+ r[0] = CRYPTO_subc_w(a[0], b[0], borrow, &borrow);
  a++;
  b++;
  r++;

crypto/fipsmodule/bn/mul.c

@@ -144,17 +144,13 @@ static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
  // in |a| were zeros.
  dl = -dl;
  for (int i = 0; i < dl; i++) {
- r[i] = 0u - b[i] - borrow;
- borrow |= r[i] != 0;
+ r[i] = CRYPTO_subc_w(0, b[i], borrow, &borrow);
  }
  } else {
  // |b| is shorter than |a|. Complete the subtraction as if the excess words
  // in |b| were zeros.
  for (int i = 0; i < dl; i++) {
- // |r| and |a| may alias, so use a temporary.
- BN_ULONG tmp = a[i];
- r[i] = a[i] - borrow;
- borrow = tmp < r[i];
+ r[i] = CRYPTO_subc_w(a[i], 0, borrow, &borrow);
  }
  }
 

crypto/fipsmodule/ec/p224-64.c

@@ -23,6 +23,7 @@
 #include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
+#include <openssl/type_check.h>
 
 #include <string.h>
 
@@ -836,12 +837,12 @@ static void p224_select_point(const uint64_t idx, size_t size,
 
  for (size_t i = 0; i < size; i++) {
  const p224_limb *inlimbs = &pre_comp[i][0][0];
- uint64_t mask = i ^ idx;
- mask |= mask >> 4;
- mask |= mask >> 2;
- mask |= mask >> 1;
- mask &= 1;
- mask--;
+ OPENSSL_STATIC_ASSERT(sizeof(uint64_t) <= sizeof(crypto_word_t),
+  crypto_word_t_is_too_small);
+ OPENSSL_STATIC_ASSERT(sizeof(size_t) <= sizeof(crypto_word_t),
+  crypto_word_t_is_too_small);
+ // Without a value barrier, Clang adds a branch here.
+ uint64_t mask = value_barrier_w(constant_time_eq_w(i, idx));
  for (size_t j = 0; j < 4 * 3; j++) {
  outlimbs[j] |= inlimbs[j] & mask;
  }

crypto/internal.h

@@ -210,6 +210,12 @@ typedef __uint128_t uint128_t;
 #define OPENSSL_ATTR_PURE
 #endif
 
+#if defined(__has_builtin)
+#define OPENSSL_HAS_BUILTIN(x) __has_builtin(x)
+#else
+#define OPENSSL_HAS_BUILTIN(x) 0
+#endif
+
 
 // Pointer utility functions.
 
@@ -1078,6 +1084,110 @@ static inline uint64_t CRYPTO_rotr_u64(uint64_t value, int shift) {
 }
 
 
+// Arithmetic functions.
+
+// CRYPTO_addc_* returns |x + y + carry|, and sets |*out_carry| to the carry
+// bit. |carry| must be zero or one.
+#if OPENSSL_HAS_BUILTIN(__builtin_addc)
+
+#define CRYPTO_GENERIC_ADDC(x, y, carry, out_carry) \
+ (_Generic((x), \
+ unsigned: __builtin_addc, \
+ unsigned long: __builtin_addcl, \
+ unsigned long long: __builtin_addcll))((x), (y), (carry), (out_carry))
+
+static inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry,
+ uint32_t *out_carry) {
+ assert(carry <= 1);
+ return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry);
+}
+
+static inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry,
+ uint64_t *out_carry) {
+ assert(carry <= 1);
+ return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry);
+}
+
+#else
+
+static inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry,
+ uint32_t *out_carry) {
+ assert(carry <= 1);
+ uint64_t ret = carry;
+ ret += (uint64_t)x + y;
+ *out_carry = (uint32_t)(ret >> 32);
+ return (uint32_t)ret;
+}
+
+static inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry,
+ uint64_t *out_carry) {
+ assert(carry <= 1);
+#if defined(BORINGSSL_HAS_UINT128)
+ uint128_t ret = carry;
+ ret += (uint128_t)x + y;
+ *out_carry = (uint64_t)(ret >> 64);
+ return (uint64_t)ret;
+#else
+ x += carry;
+ carry = x < carry;
+ uint64_t ret = x + y;
+ carry += ret < x;
+ *out_carry = carry;
+ return ret;
+#endif
+}
+#endif
+
+// CRYPTO_subc_* returns |x - y - borrow|, and sets |*out_borrow| to the borrow
+// bit. |borrow| must be zero or one.
+#if OPENSSL_HAS_BUILTIN(__builtin_subc)
+
+#define CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow) \
+ (_Generic((x), \
+ unsigned: __builtin_subc, \
+ unsigned long: __builtin_subcl, \
+ unsigned long long: __builtin_subcll))((x), (y), (borrow), (out_borrow))
+
+static inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow,
+ uint32_t *out_borrow) {
+ assert(borrow <= 1);
+ return CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow);
+}
+
+static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,
+ uint64_t *out_borrow) {
+ assert(borrow <= 1);
+ return CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow);
+}
+
+#else
+
+static inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow,
+ uint32_t *out_borrow) {
+ assert(borrow <= 1);
+ uint32_t ret = x - y - borrow;
+ *out_borrow = (x < y) | ((x == y) & borrow);
+ return ret;
+}
+
+static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,
+ uint64_t *out_borrow) {
+ assert(borrow <= 1);
+ uint64_t ret = x - y - borrow;
+ *out_borrow = (x < y) | ((x == y) & borrow);
+ return ret;
+}
+#endif
+
+#if defined(OPENSSL_64_BIT)
+#define CRYPTO_addc_w CRYPTO_addc_u64
+#define CRYPTO_subc_w CRYPTO_subc_u64
+#else
+#define CRYPTO_addc_w CRYPTO_addc_u32
+#define CRYPTO_subc_w CRYPTO_subc_u32
+#endif
+
+
 // FIPS functions.
 
 #if defined(AWSLC_FIPS)