author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:06:44 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:06:44 +0000 |
commit | ed5640d8b587fbcfed7dd7967f3de04b37a76f26 (patch) | |
tree | 7a5f7c6c9d02226d7471cb3cc8fbbf631b415303 /external/openssl | |
parent | Initial commit. (diff) | |
download | libreoffice-ed5640d8b587fbcfed7dd7967f3de04b37a76f26.tar.xz libreoffice-ed5640d8b587fbcfed7dd7967f3de04b37a76f26.zip |
Adding upstream version 4:7.4.7.upstream/4%7.4.7upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'external/openssl')
-rw-r--r-- | external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1 | 222 | ||||
-rw-r--r-- | external/openssl/ExternalPackage_openssl.mk | 29 | ||||
-rw-r--r-- | external/openssl/ExternalProject_openssl.mk | 97 | ||||
-rw-r--r-- | external/openssl/Makefile | 7 | ||||
-rw-r--r-- | external/openssl/Module_openssl.mk | 18 | ||||
-rw-r--r-- | external/openssl/README | 7 | ||||
-rw-r--r-- | external/openssl/UnpackedTarball_openssl.mk | 21 | ||||
-rw-r--r-- | external/openssl/configurable-z-option.patch.0 | 34 | ||||
-rw-r--r-- | external/openssl/openssl-no-_umul128-on-aarch64.patch.1 | 58 | ||||
-rw-r--r-- | external/openssl/openssl-no-multilib.patch.0 | 38 |
10 files changed, 531 insertions, 0 deletions
diff --git a/external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1 b/external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1
new file mode 100644
index 000000000..f87f8f588
--- /dev/null
+++ b/external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1
@@ -0,0 +1,222 @@
+From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001
+From: Pauli <pauli@openssl.org>
+Date: Wed, 8 Mar 2023 15:28:20 +1100
+Subject: [PATCH] x509: excessive resource use verifying policy constraints
+
+A security vulnerability has been identified in all supported versions
+of OpenSSL related to the verification of X.509 certificate chains
+that include policy constraints. Attackers may be able to exploit this
+vulnerability by creating a malicious certificate chain that triggers
+exponential use of computational resources, leading to a denial-of-service
+(DoS) attack on affected systems.
+
+Fixes CVE-2023-0464
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/20569)
+---
+ crypto/x509v3/pcy_local.h | 8 +++++++-
+ crypto/x509v3/pcy_node.c | 12 +++++++++---
+ crypto/x509v3/pcy_tree.c | 37 +++++++++++++++++++++++++++----------
+ 3 files changed, 43 insertions(+), 14 deletions(-)
+
+diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
+index 5daf78de45..344aa06765 100644
+--- a/crypto/x509v3/pcy_local.h
++++ b/crypto/x509v3/pcy_local.h
+@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+
+ struct X509_POLICY_TREE_st {
++ /* The number of nodes in the tree */
++ size_t node_count;
++ /* The maximum number of nodes in the tree */
++ size_t node_maximum;
++
+ /* This is the tree 'level' data */
+ X509_POLICY_LEVEL *levels;
+ int nlevel;
+@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ X509_POLICY_DATA *data,
+ X509_POLICY_NODE *parent,
+- X509_POLICY_TREE *tree);
++ X509_POLICY_TREE *tree,
++ int extra_data);
+ void policy_node_free(X509_POLICY_NODE *node);
+ int policy_node_match(const X509_POLICY_LEVEL *lvl,
+ const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
+index e2d7b15322..d574fb9d66 100644
+--- a/crypto/x509v3/pcy_node.c
++++ b/crypto/x509v3/pcy_node.c
+@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ X509_POLICY_DATA *data,
+ X509_POLICY_NODE *parent,
+- X509_POLICY_TREE *tree)
++ X509_POLICY_TREE *tree,
++ int extra_data)
+ {
+ X509_POLICY_NODE *node;
+
++ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
++ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
++ return NULL;
++
+ node = OPENSSL_zalloc(sizeof(*node));
+ if (node == NULL) {
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
+@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ }
+ node->data = data;
+ node->parent = parent;
+- if (level) {
++ if (level != NULL) {
+ if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+ if (level->anyPolicy)
+ goto node_error;
+@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ }
+ }
+
+- if (tree) {
++ if (extra_data) {
+ if (tree->extra_data == NULL)
+ tree->extra_data = sk_X509_POLICY_DATA_new_null();
+ if (tree->extra_data == NULL){
+@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ }
+ }
+
++ tree->node_count++;
+ if (parent)
+ parent->nchild++;
+
+diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
+index 6e8322cbc5..6c7fd35405 100644
+--- a/crypto/x509v3/pcy_tree.c
++++ b/crypto/x509v3/pcy_tree.c
+@@ -13,6 +13,18 @@
+
+ #include "pcy_local.h"
+
++/*
++ * If the maximum number of nodes in the policy tree isn't defined, set it to
++ * a generous default of 1000 nodes.
++ *
++ * Defining this to be zero means unlimited policy tree growth which opens the
++ * door on CVE-2023-0464.
++ */
++
++#ifndef OPENSSL_POLICY_TREE_NODES_MAX
++# define OPENSSL_POLICY_TREE_NODES_MAX 1000
++#endif
++
+ /*
+ * Enable this to print out the complete policy tree at various point during
+ * evaluation.
+@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+ return X509_PCY_TREE_INTERNAL;
+ }
+
++ /* Limit the growth of the tree to mitigate CVE-2023-0464 */
++ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
++
+ /*
+ * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
+ *
+@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+ level = tree->levels;
+ if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
+ goto bad_tree;
+- if (level_add_node(level, data, NULL, tree) == NULL) {
++ if (level_add_node(level, data, NULL, tree, 1) == NULL) {
+ policy_data_free(data);
+ goto bad_tree;
+ }
+@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+ * Return value: 1 on success, 0 otherwise
+ */
+ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+- X509_POLICY_DATA *data)
++ X509_POLICY_DATA *data,
++ X509_POLICY_TREE *tree)
+ {
+ X509_POLICY_LEVEL *last = curr - 1;
+ int i, matched = 0;
+@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+ X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
+
+ if (policy_node_match(last, node, data->valid_policy)) {
+- if (level_add_node(curr, data, node, NULL) == NULL)
++ if (level_add_node(curr, data, node, tree, 0) == NULL)
+ return 0;
+ matched = 1;
+ }
+ }
+ if (!matched && last->anyPolicy) {
+- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
++ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
+ return 0;
+ }
+ return 1;
+@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+ * Return value: 1 on success, 0 otherwise.
+ */
+ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+- const X509_POLICY_CACHE *cache)
++ const X509_POLICY_CACHE *cache,
++ X509_POLICY_TREE *tree)
+ {
+ int i;
+
+@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+ X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
+
+ /* Look for matching nodes in previous level */
+- if (!tree_link_matching_nodes(curr, data))
++ if (!tree_link_matching_nodes(curr, data, tree))
+ return 0;
+ }
+ return 1;
+@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
+ /* Curr may not have anyPolicy */
+ data->qualifier_set = cache->anyPolicy->qualifier_set;
+ data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+- if (level_add_node(curr, data, node, tree) == NULL) {
++ if (level_add_node(curr, data, node, tree, 1) == NULL) {
+ policy_data_free(data);
+ return 0;
+ }
+@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
+ }
+ /* Finally add link to anyPolicy */
+ if (last->anyPolicy &&
+- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
++ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)
+ return 0;
+ return 1;
+ }
+@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+ extra->qualifier_set = anyPolicy->data->qualifier_set;
+ extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+ | POLICY_DATA_FLAG_EXTRA_NODE;
+- node = level_add_node(NULL, extra, anyPolicy->parent, tree);
++ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
+ }
+ if (!tree->user_policies) {
+ tree->user_policies = sk_X509_POLICY_NODE_new_null();
+@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
+
+ for (i = 1; i < tree->nlevel; i++, curr++) {
+ cache = policy_cache_set(curr->cert);
+- if (!tree_link_nodes(curr, cache))
++ if (!tree_link_nodes(curr, cache, tree))
+ return X509_PCY_TREE_INTERNAL;
+
+ if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
+--
+2.34.1
+
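Review bot: In `level_add_node` (pcy_node.c) the new cap check and `tree->node_count++` dereference `tree` unconditionally, whereas the old body tolerated a NULL tree (`if (tree)`), so a non-NULL tree is now an undocumented precondition of a function declared in pcy_local.h. Every call site visible in this patch passes `tree`, but a comment on the prototype such as `/* tree must not be NULL; returns NULL on allocation failure or once node_maximum is reached */` would make the contract explicit. The cap also returns NULL without raising an error, so callers cannot tell a refused oversized chain from a malloc failure; both appear to surface as X509_PCY_TREE_INTERNAL. In `tree_calculate_user_set` the visible context shows no NULL check on `node` directly after the call, which is worth confirming now that certificate content can trigger a NULL return. The function bodies continue outside the hunks.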
diff --git a/external/openssl/ExternalPackage_openssl.mk b/external/openssl/ExternalPackage_openssl.mk
new file mode 100644
index 000000000..d0c0dbaab
--- /dev/null
+++ b/external/openssl/ExternalPackage_openssl.mk
@@ -0,0 +1,29 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_ExternalPackage_ExternalPackage,openssl,openssl))
+
+$(eval $(call gb_ExternalPackage_use_external_project,openssl,openssl))
+
+ifeq ($(COM),MSC)
+$(eval $(call gb_ExternalPackage_add_files,openssl,$(LIBO_LIB_FOLDER),\
+ libcrypto-1_1.dll \
+ libssl-1_1.dll \
+))
+ifneq ($(DISABLE_PYTHON),TRUE)
+ifneq ($(SYSTEM_PYTHON),TRUE)
+$(eval $(call gb_ExternalPackage_add_files,openssl,$(LIBO_LIB_FOLDER)/python-core-$(PYTHON_VERSION)/lib, \
+ libcrypto-1_1.dll \
+ libssl-1_1.dll \
+))
+endif
+endif
+endif
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/openssl/ExternalProject_openssl.mk b/external/openssl/ExternalProject_openssl.mk
new file mode 100644
index 000000000..e44ccf5f3
--- /dev/null
+++ b/external/openssl/ExternalProject_openssl.mk
@@ -0,0 +1,97 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_ExternalProject_ExternalProject,openssl))
+
+$(eval $(call gb_ExternalProject_register_targets,openssl,\
+ build \
+))
+
+# For multi-line conditionals, align the $(if and the corresponding ),
+# putting the latter on a line of its own. Also put the "else" comma
+# on a line of its own. Hopefully should make the logic more clear.
+
+OPENSSL_PLATFORM := \
+ $(if $(filter LINUX FREEBSD ANDROID,$(OS)),\
+ $(if $(filter INTEL,$(CPUNAME)),\
+ $(if $(filter GNU/kFreeBSD,$(shell uname)),debian-kfreebsd-i386,linux-elf)\
+ ,\
+ $(if $(filter X86_64,$(CPUNAME)),\
+ $(if $(filter GNU/kFreeBSD,$(shell uname)),\
+ debian-kfreebsd-amd64\
+ ,\
+ $(if $(filter TRUE, $(ENABLE_DBGUTIL)), debug-linux-generic64, linux-generic64) no-asm\
+ )\
+ ,\
+ $(if $(filter TRUE, $(ENABLE_DBGUTIL)), debug-linux-generic32, linux-generic32)\
+ )\
+ )\
+ ,\
+ $(if $(filter SOLARIS,$(OS)),\
+ $(if $(filter INTEL,$(CPUNAME)),solaris-x86-cc,\
+ $(if $(filter X86_64,$(CPUNAME)),solaris64-x86_64-cc,solaris-sparcv9-cc)\
+ )\
+ ,\
+ $(if $(filter iOS,$(OS)),\
+ ios-aarch64\
+ ,\
+ $(if $(filter WNT,$(OS)),\
+ $(if $(filter INTEL,$(CPUNAME)),VC-WIN32)\
+ $(if $(filter X86_64,$(CPUNAME)),VC-WIN64A)\
+ $(if $(filter AARCH64,$(CPUNAME)),VC-WIN64-ARM)\
+ ,\
+ $(if $(filter MACOSX,$(OS)),\
+ $(if $(filter X86_64,$(CPUNAME)),darwin64-x86_64-cc)\
+ $(if $(filter AARCH64,$(CPUNAME)),darwin64-arm64-cc)\
+ ,\
+ $(if $(filter EMSCRIPTEN,$(OS)),no-engine no-dso no-dgram no-srtp no-err no-ocsp no-psk no-ts no-asm) \
+ )\
+ )\
+ )\
+ )\
+ )
+
+ifeq ($(COM),MSC)
+$(eval $(call gb_ExternalProject_use_nmake,openssl,build))
+
+$(call gb_ExternalProject_get_state_target,openssl,build):
+ $(call gb_Trace_StartRange,openssl,EXTERNAL)
+ $(call gb_ExternalProject_run,build,\
+ CONFIGURE_INSIST=1 $(PERL) Configure $(OPENSSL_PLATFORM) no-tests no-multilib \
+ && export PERL="$(shell cygpath -w $(PERL))" \
+ && nmake -f makefile \
+ $(if $(call gb_Module__symbols_enabled,openssl),DEBUG_FLAGS_VALUE="$(gb_DEBUGINFO_FLAGS)") \
+ )
+ $(call gb_Trace_EndRange,openssl,EXTERNAL)
+
+else
+$(call gb_ExternalProject_get_state_target,openssl,build):
+ $(call gb_Trace_StartRange,openssl,EXTERNAL)
+ $(call gb_ExternalProject_run,build,\
+ unset MAKEFLAGS && \
+ $(if $(filter LINUX MACOSX FREEBSD ANDROID SOLARIS iOS,$(OS)), \
+ ./Configure, \
+ $(if $(filter WNT,$(OS)), \
+ $(PERL) Configure, \
+ ./config)) \
+ $(OPENSSL_PLATFORM) no-dso no-shared no-tests no-multilib threads \
+ $(if $(filter-out ANDROID iOS WNT,$(OS)), \
+ $(if $(SYSBASE),-I$(SYSBASE)/usr/include -L$(SYSBASE)/usr/lib)) \
+ $(if $(filter MACOSX,$(OS)),--prefix=/@.__________________________________________________OOO) \
+ && $(MAKE) build_libs \
+ CC="$(CC) -fPIC \
+ $(if $(filter TRUE, $(ENABLE_DBGUTIL)), -DPURIFY,) \
+ $(if $(filter-out WNT MACOSX,$(OS)),-fvisibility=hidden)" \
+ && ln -s . lib \
+ )
+ $(call gb_Trace_EndRange,openssl,EXTERNAL)
+# symlink lib dir for python3
+endif
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/openssl/Makefile b/external/openssl/Makefile
new file mode 100644
index 000000000..e4968cf85
--- /dev/null
+++ b/external/openssl/Makefile
@@ -0,0 +1,7 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+
+module_directory:=$(dir $(realpath $(firstword $(MAKEFILE_LIST))))
+
+include $(module_directory)/../../solenv/gbuild/partial_build.mk
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/openssl/Module_openssl.mk b/external/openssl/Module_openssl.mk
new file mode 100644
index 000000000..7a03fe536
--- /dev/null
+++ b/external/openssl/Module_openssl.mk
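Review bot: In ExternalProject_openssl.mk, `OPENSSL_PLATFORM` resolves to `linux-generic64 no-asm` (or the `debug-` variant) for X86_64 on Linux/FreeBSD/Android, and nothing in the file says why the assembler paths are switched off. With `no-asm` OpenSSL falls back to its portable C implementations, which are slower and, for some primitives such as AES, may not offer the constant-time behaviour of the optimised paths, so the choice deserves a rationale beside it, e.g. `# no-asm: <reason>; note this also drops the hardware-accelerated code paths`. The WNT and MACOSX branches also expand to an empty target when `$(CPUNAME)` matches none of the listed values, so Configure is invoked without an explicit platform; a `$(error unsupported CPUNAME for openssl)` fallback would fail earlier and more clearly. The comment `# symlink lib dir for python3` would read better directly above `ln -s . lib` than after the recipe.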
@@ -0,0 +1,18 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_Module_Module,openssl))
+
+$(eval $(call gb_Module_add_targets,openssl,\
+ UnpackedTarball_openssl \
+ ExternalPackage_openssl \
+ ExternalProject_openssl \
+))
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/openssl/README b/external/openssl/README
new file mode 100644
index 000000000..399bdd56f
--- /dev/null
+++ b/external/openssl/README
@@ -0,0 +1,7 @@
+Open Source toolkit implementing SSL and TLS.
+
+From [http://www.openssl.org/].
+
+SSL = Secure Sockets Layer (SSL v2/v3) protocol.
+TLS = Transport Layer Security (TLS v1) protocol.
+
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
new file mode 100644
index 000000000..650ca154d
--- /dev/null
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -0,0 +1,21 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_UnpackedTarball_UnpackedTarball,openssl))
+
+$(eval $(call gb_UnpackedTarball_set_tarball,openssl,$(OPENSSL_TARBALL),,openssl))
+
+$(eval $(call gb_UnpackedTarball_add_patches,openssl,\
+ external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1 \
+ external/openssl/openssl-no-multilib.patch.0 \
+ external/openssl/configurable-z-option.patch.0 \
+ external/openssl/openssl-no-_umul128-on-aarch64.patch.1 \
+))
+
+# vim: set noet sw=4 ts=4:
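Review bot: The `gb_UnpackedTarball_add_patches` list in UnpackedTarball_openssl.mk carries one security backport (the CVE-2023-0464 patch) with no indication of which OpenSSL release `$(OPENSSL_TARBALL)` is or when each patch can be dropped. The tarball version is defined outside this file, so whether other fixes from the same branch are already included cannot be checked from here. A short comment per entry, e.g. `# CVE-2023-0464 backport (upstream PR 20569); drop once the tarball includes it`, would let the next tarball bump verify the list rather than guess.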
diff --git a/external/openssl/configurable-z-option.patch.0 b/external/openssl/configurable-z-option.patch.0
new file mode 100644
index 000000000..99d46f754
--- /dev/null
+++ b/external/openssl/configurable-z-option.patch.0
@@ -0,0 +1,34 @@
+--- Configurations/10-main.conf.sav 2021-08-24 13:38:47.000000000 +0000
++++ Configurations/10-main.conf 2021-11-02 22:20:44.377653700 +0000
+@@ -13,7 +13,7 @@
+ } elsif ($disabled{asm}) {
+ # assembler is still used to compile uplink shim
+ $vc_win64a_info = { AS => "ml64",
+- ASFLAGS => "/nologo /Zi",
++ ASFLAGS => "/nologo $$(DEBUG_FLAGS_VALUE)",
+ asflags => "/c /Cp /Cx",
+ asoutflag => "/Fo" };
+ } else {
+@@ -41,7 +41,7 @@
+ } elsif ($disabled{asm}) {
+ # not actually used, uplink shim is inlined into C code
+ $vc_win32_info = { AS => "ml",
+- ASFLAGS => "/nologo /Zi",
++ ASFLAGS => "/nologo $$(DEBUG_FLAGS_VALUE)",
+ asflags => "/Cp /coff /c /Cx",
+ asoutflag => "/Fo",
+ perlasm_scheme => "win32" };
+@@ -1252,10 +1252,10 @@
+ "UNICODE", "_UNICODE",
+ "_CRT_SECURE_NO_DEPRECATE",
+ "_WINSOCK_DEPRECATED_NO_WARNINGS"),
+- lib_cflags => add("/Zi /Fdossl_static.pdb"),
++ lib_cflags => add("\$(DEBUG_FLAGS_VALUE)"),
+ lib_defines => add("L_ENDIAN"),
+- dso_cflags => "/Zi /Fddso.pdb",
+- bin_cflags => "/Zi /Fdapp.pdb",
++ dso_cflags => "\$(DEBUG_FLAGS_VALUE)",
++ bin_cflags => "\$(DEBUG_FLAGS_VALUE)",
+ shared_ldflag => "/dll",
+ shared_target => "win-shared", # meaningless except it gives Configure a hint
+ thread_scheme => "winthreads",
diff --git a/external/openssl/openssl-no-_umul128-on-aarch64.patch.1 b/external/openssl/openssl-no-_umul128-on-aarch64.patch.1
new file mode 100644
index 000000000..c7ca53bc5
--- /dev/null
+++ b/external/openssl/openssl-no-_umul128-on-aarch64.patch.1
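Review bot: The two `ASFLAGS` replacements in the `$disabled{asm}` branches of configurable-z-option.patch.0 are written `"/nologo $$(DEBUG_FLAGS_VALUE)"`, while the three cflags lines in the third hunk use `"\$(DEBUG_FLAGS_VALUE)"`. Inside a double-quoted Perl string `$$` is the process-ID variable rather than an escaped dollar, so the ASFLAGS values most likely do not come out as the literal `$(DEBUG_FLAGS_VALUE)` that nmake is meant to expand. Writing both as `ASFLAGS => "/nologo \$(DEBUG_FLAGS_VALUE)",` would match the other lines. The effect looks latent here, since the MSC recipe in ExternalProject_openssl.mk does not pass `no-asm`, but it is worth fixing before a no-asm Windows build hits it.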
@@ -0,0 +1,58 @@
+From 98f9a401c3964c7ff0e6ca048685e28a2a6401d4 Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hkario@redhat.com>
+Date: Wed, 8 Feb 2023 14:13:24 +0100
+Subject: [PATCH] rsa: add msvc intrinsic for non x64 platforms
+
+_umul128() is x86_64 (x64) only, while __umulh() works everywhere, but
+doesn't generate optimal code on x64
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20244)
+
+(cherry picked from commit 075652f224479dad2e64b92e791b296177af8705)
+---
+ crypto/bn/rsa_sup_mul.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
+index 0e0d02e1946e..3b57161b4589 100644
+--- a/crypto/bn/rsa_sup_mul.c
++++ b/crypto/bn/rsa_sup_mul.c
+@@ -110,12 +110,34 @@ static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
+ *lo = (limb_t)t;
+ }
+ #elif (BN_BYTES == 8) && (defined _MSC_VER)
+-/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
++# if defined(_M_X64)
++/*
++ * on x86_64 (x64) we can use the _umul128 intrinsic to get one `mul`
++ * instruction to get both high and low 64 bits of the multiplication.
++ * https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-140
++ */
++#include <intrin.h>
+ #pragma intrinsic(_umul128)
+ static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
+ {
+ *lo = _umul128(a, b, hi);
+ }
++# elif defined(_M_ARM64) || defined (_M_IA64)
++/*
++ * We can't use the __umulh() on x86_64 as then msvc generates two `mul`
++ * instructions; so use this more portable intrinsic on platforms that
++ * don't support _umul128 (like aarch64 (ARM64) or ia64)
++ * https://learn.microsoft.com/en-us/cpp/intrinsics/umulh?view=msvc-140
++ */
++#include <intrin.h>
++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
++{
++ *lo = a * b;
++ *hi = __umulh(a, b);
++}
++# else
++# error Only x64, ARM64 and IA64 supported.
++# endif /* defined(_M_X64) */
+ #else
+ /*
+ * if the compiler doesn't have either a 128bit data type nor a "return
diff --git a/external/openssl/openssl-no-multilib.patch.0 b/external/openssl/openssl-no-multilib.patch.0
new file mode 100644
index 000000000..3d0083ed4
--- /dev/null
+++ b/external/openssl/openssl-no-multilib.patch.0
@@ -0,0 +1,38 @@
+--- Configure.orig 2020-04-21 14:22:39.000000000 +0200
++++ Configure 2020-07-07 17:25:19.256297500 +0200
+@@ -24,7 +24,7 @@
+ my $orig_death_handler = $SIG{__DIE__};
+ $SIG{__DIE__} = \&death_handler;
+
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [no-multilib] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+
+ # Options:
+ #
+@@ -59,6 +59,7 @@
+ # If disabled, it also disables shared and dynamic-engine.
+ # no-asm do not use assembler
+ # no-egd do not compile support for the entropy-gathering daemon APIs
++# no-multilib exclude multilib identifier from library name
+ # [no-]zlib [don't] compile support for zlib compression.
+ # zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
+ # library and will be loaded in run-time by the OpenSSL library.
+@@ -393,6 +394,7 @@
+ "mdc2",
+ "msan",
+ "multiblock",
++ "multilib",
+ "nextprotoneg",
+ "pinshared",
+ "ocb",
+@@ -1770,6 +1772,10 @@
+ if (-f catfile($srcdir, "test", $_, "build.info"));
+ }
+
++ if ($disabled{"multilib"}) {
++ $target{"multilib"} = "";
++ }
++
+ $config{build_infos} = [ ];
+
+ my %ordinals = (); |