diff --git a/debian/apertis/copyright b/debian/apertis/copyright
index 2832e6d47d0a94a9d98893f21c7d3e257512ece6..ae078dd1d1a5d88c3acb68998d0f14ff8306aa70 100644
--- a/debian/apertis/copyright
+++ b/debian/apertis/copyright
@@ -1,7 +1,8 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 
 Files: *
-Copyright: no-info-found
+Copyright: 1998-2019, The OpenSSL Project.
+ 1995-1998, Eric A. Young, Tim J. Hudson
 License: Apache-1.0 and/or BSD-4-clause or OpenSSL
 
 Files: ACKNOWLEDGEMENTS
@@ -38,18 +39,19 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: Configurations/shared-info.pl
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: Configure
  config
  config.com
  e_os.h
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: README
-Copyright: no-info-found
+Copyright: 1998-2021, The OpenSSL Project
+ 1995-1998, Eric A. Young, Tim J. Hudson
 License: OpenSSL
 
 Files: VMS/*
@@ -58,11 +60,11 @@ License: OpenSSL
 
 Files: VMS/VMSify-conf.pl
  VMS/translatesyms.pl
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: apps/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: apps/build.info
@@ -104,31 +106,39 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: apps/ecparam.c
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: apps/rehash.c
-Copyright: no-info-found
+Copyright: 2015-2020, The OpenSSL Project Authors.
+ 2013, 2014, Timo Teräs <timo.teras@gmail.com>
 License: OpenSSL
 
 Files: apps/s_client.c
-Copyright: no-info-found
+Copyright: 2005, Nokia.
+ 1995-2021, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: apps/s_server.c
-Copyright: no-info-found
+Copyright: 2005, Nokia.
+ 2002, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: apps/speed.c
-Copyright: no-info-found
+Copyright: 2002, 2017, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: apps/srp.c
-Copyright: no-info-found
+Copyright: 2004-2021, The OpenSSL Project Authors.
+ 2004, EdelKey Project.
 License: OpenSSL
 
 Files: apps/tsget.in
-Copyright: no-info-found
+Copyright: 2002-2018, The OpenSSL Project Authors.
+ 2002, The OpenTSA Project.
 License: OpenSSL
 
 Files: apps/vms_decc_argv.c
@@ -137,11 +147,12 @@ License: Apache-2.0
 
 Files: apps/vms_term_sock.c
  apps/vms_term_sock.h
-Copyright: no-info-found
+Copyright: 2016, VMS Software, Inc.
+ 2016, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/LPdir_nyi.c
@@ -171,7 +182,8 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/aria/aria.c
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: crypto/asn1/build.info
@@ -199,12 +211,13 @@ Copyright: Copyright 2000-2016, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/bn/asm/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/bn/asm/rsaz-avx2.pl
  crypto/bn/asm/rsaz-x86_64.pl
-Copyright: no-info-found
+Copyright: 2013-2020, The OpenSSL Project Authors.
+ 2012, Intel Corporation.
 License: OpenSSL
 
 Files: crypto/bn/asm/sparct4-mont.pl
@@ -244,20 +257,23 @@ Files: crypto/bn/bn_add.c
  crypto/bn/bn_srp.c
  crypto/bn/bn_word.c
  crypto/bn/bn_x931p.c
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/bn/bn_gf2m.c
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: crypto/bn/build.info
+ crypto/bn/rsa_sup_mul.c
 Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/bn/rsaz_exp.c
  crypto/bn/rsaz_exp.h
-Copyright: no-info-found
+Copyright: 2013-2020, The OpenSSL Project Authors.
+ 2012, Intel Corporation.
 License: OpenSSL
 
 Files: crypto/buffer/build.info
@@ -305,7 +321,8 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/cryptlib.c
-Copyright: no-info-found
+Copyright: 2002, 2017, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/ct/build.info
@@ -338,7 +355,9 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/ec/asm/ecp_nistz256-x86_64.pl
-Copyright: no-info-found
+Copyright: 2015, CloudFlare, Inc.
+ 2014-2020, The OpenSSL Project Authors.
+ 2014, Intel Corporation.
 License: OpenSSL
 
 Files: crypto/ec/build.info
@@ -346,11 +365,12 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/ec/curve448/*
-Copyright: no-info-found
+Copyright: 2017-2021, The OpenSSL Project Authors.
+ 2014-2016, Cryptography Research, Inc.
 License: OpenSSL
 
 Files: crypto/ec/curve448/curve448_local.h
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/ec/ec2_oct.c
@@ -361,7 +381,8 @@ Files: crypto/ec/ec2_oct.c
  crypto/ec/ecdh_ossl.c
  crypto/ec/eck_prn.c
  crypto/ec/ecp_oct.c
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: crypto/ec/ec_cvt.c
@@ -371,7 +392,8 @@ Files: crypto/ec/ec_cvt.c
  crypto/ec/ecp_mont.c
  crypto/ec/ecp_nist.c
  crypto/ec/ecp_smpl.c
-Copyright: no-info-found
+Copyright: 2002, 2017, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/ec/ecp_nistp224.c
@@ -382,7 +404,9 @@ Copyright: 2010-2020, The OpenSSL Project Authors.
 License: Apache-2.0 and/or OpenSSL
 
 Files: crypto/ec/ecp_nistz256.c
-Copyright: no-info-found
+Copyright: 2015, CloudFlare, Inc.
+ 2014-2020, The OpenSSL Project Authors.
+ 2014, Intel Corporation.
 License: OpenSSL
 
 Files: crypto/engine/*
@@ -409,14 +433,15 @@ Files: crypto/engine/eng_all.c
  crypto/engine/tb_pkmeth.c
  crypto/engine/tb_rand.c
  crypto/engine/tb_rsa.c
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/engine/eng_fat.c
  crypto/engine/eng_list.c
  crypto/engine/eng_local.h
  crypto/engine/eng_openssl.c
-Copyright: no-info-found
+Copyright: 2002, 2017, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/err/*
@@ -427,7 +452,7 @@ Files: crypto/err/err.c
  crypto/err/err_all.c
  crypto/err/err_prn.c
  crypto/err/openssl.txt
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/evp/build.info
@@ -435,11 +460,13 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/evp/e_aria.c
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: crypto/evp/e_sm4.c
-Copyright: no-info-found
+Copyright: 2017-2021, The OpenSSL Project Authors.
+ 2017, Ribose Inc.
 License: OpenSSL
 
 Files: crypto/hmac/build.info
@@ -475,7 +502,8 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/mem_sec.c
-Copyright: no-info-found
+Copyright: 2015-2020, The OpenSSL Project Authors.
+ 2004-2014, Akamai Technologies.
 License: OpenSSL
 
 Files: crypto/modes/build.info
@@ -497,7 +525,7 @@ Files: crypto/objects/o_names.c
  crypto/objects/obj_xref.h
  crypto/objects/objects.pl
  crypto/objects/objxref.pl
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/ocsp/build.info
@@ -521,7 +549,7 @@ Files: crypto/perlasm/arm-xlate.pl
  crypto/perlasm/x86gas.pl
  crypto/perlasm/x86masm.pl
  crypto/perlasm/x86nasm.pl
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/pkcs12/build.info
@@ -561,7 +589,8 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/rsa/rsa_mp.c
-Copyright: no-info-found
+Copyright: 2017, BaishanCloud.
+ 2017, 2018, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/seed/build.info
@@ -582,11 +611,13 @@ License: OpenSSL
 
 Files: crypto/sm2/sm2_crypt.c
  crypto/sm2/sm2_sign.c
-Copyright: no-info-found
+Copyright: 2017-2021, The OpenSSL Project Authors.
+ 2017, Ribose Inc.
 License: OpenSSL
 
 Files: crypto/sm3/*
-Copyright: no-info-found
+Copyright: 2017-2021, The OpenSSL Project Authors.
+ 2017, Ribose Inc.
 License: OpenSSL
 
 Files: crypto/sm3/build.info
@@ -598,11 +629,13 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/sm4/sm4.c
-Copyright: no-info-found
+Copyright: 2017-2021, The OpenSSL Project Authors.
+ 2017, Ribose Inc.
 License: OpenSSL
 
 Files: crypto/srp/*
-Copyright: no-info-found
+Copyright: 2004-2021, The OpenSSL Project Authors.
+ 2004, EdelKey Project.
 License: OpenSSL
 
 Files: crypto/srp/build.info
@@ -614,7 +647,7 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/stack/stack.c
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/store/build.info
@@ -630,7 +663,7 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: crypto/txt_db/txt_db.c
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: crypto/ui/build.info
@@ -659,8 +692,9 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: debian/patches/Disable-failing-test-test-recipes-80-test_ssl_new.t.patch
+ debian/patches/Fix-Timing-Oracle-in-RSA-decryption.patch
  debian/patches/Fix-file-operations-in-c_rehash.patch
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: debian/rules
@@ -668,11 +702,11 @@ Copyright: Designs and Patents Act 1988.) / 1994-1995, Ian Jackson.
 License: OpenSSL
 
 Files: debian/tests/25-test_verify.t
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: debian/tests/OpenSSL/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: demos/*
@@ -686,11 +720,11 @@ Files: demos/bio/client-arg.c
  demos/bio/server-arg.c
  demos/bio/server-cmod.c
  demos/bio/server-conf.c
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: demos/cms/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: demos/cms/cacert.pem
@@ -704,7 +738,7 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: demos/evp/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: demos/evp/Makefile
@@ -712,7 +746,7 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: demos/pkcs12/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: demos/smime/smdec.c
@@ -720,7 +754,7 @@ Files: demos/smime/smdec.c
  demos/smime/smsign.c
  demos/smime/smsign2.c
  demos/smime/smver.c
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: doc/*
@@ -1022,7 +1056,7 @@ Files: doc/man3/BIO_find_type.pod
  doc/man3/SSL_CTX_set_ssl_version.pod
  doc/man3/SSL_pending.pod
  doc/man3/SSL_set_session.pod
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: doc/man3/BIO_meth_new.pod
@@ -1552,7 +1586,7 @@ Copyright: Copyright 2003-2021, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: engines/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: engines/build.info
@@ -1596,7 +1630,7 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: external/perl/transfer/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: fuzz/*
@@ -1620,25 +1654,28 @@ Files: fuzz/asn1.c
  fuzz/server.c
  fuzz/test-corpus.c
  fuzz/x509.c
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: include/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: include/crypto/aria.h
-Copyright: no-info-found
+Copyright: 2002, 2017, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: include/crypto/sha.h
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: include/crypto/sm2.h
  include/crypto/sm3.h
  include/crypto/sm4.h
-Copyright: no-info-found
+Copyright: 2017-2021, The OpenSSL Project Authors.
+ 2017, Ribose Inc.
 License: OpenSSL
 
 Files: include/internal/o_dir.h
@@ -1650,24 +1687,29 @@ Files: include/openssl/bn.h
  include/openssl/engine.h
  include/openssl/ssl3.h
  include/openssl/x509.h
-Copyright: no-info-found
+Copyright: 2002, 2017, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: include/openssl/ec.h
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: include/openssl/srp.h
-Copyright: no-info-found
+Copyright: 2004-2021, The OpenSSL Project Authors.
+ 2004, EdelKey Project.
 License: OpenSSL
 
 Files: include/openssl/ssl.h
  include/openssl/tls1.h
-Copyright: no-info-found
+Copyright: 2005, Nokia.
+ 2002, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: ms/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: os-dep/*
@@ -1675,7 +1717,7 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: ssl/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: ssl/build.info
@@ -1694,7 +1736,7 @@ Files: ssl/record/dtls1_bitmap.c
  ssl/record/ssl3_buffer.c
  ssl/record/ssl3_record.c
  ssl/record/ssl3_record_tls13.c
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: ssl/s3_enc.c
@@ -1703,18 +1745,22 @@ Files: ssl/s3_enc.c
  ssl/ssl_stat.c
  ssl/ssl_txt.c
  ssl/t1_enc.c
-Copyright: no-info-found
+Copyright: 2005, Nokia.
+ 1995-2021, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: ssl/s3_lib.c
  ssl/ssl_ciph.c
  ssl/ssl_lib.c
  ssl/ssl_local.h
-Copyright: no-info-found
+Copyright: 2005, Nokia.
+ 2002, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: ssl/ssl_cert.c
-Copyright: no-info-found
+Copyright: 2002, 2017, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: ssl/statem/*
@@ -1729,20 +1775,24 @@ Files: ssl/statem/extensions.c
  ssl/statem/statem.h
  ssl/statem/statem_dtls.c
  ssl/statem/statem_local.h
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: ssl/statem/statem_clnt.c
  ssl/statem/statem_srvr.c
-Copyright: no-info-found
+Copyright: 2005, Nokia.
+ 2002, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: ssl/statem/statem_lib.c
-Copyright: no-info-found
+Copyright: 2002, 2017, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: ssl/tls_srp.c
-Copyright: no-info-found
+Copyright: 2004-2021, The OpenSSL Project Authors.
+ 2004, EdelKey Project.
 License: OpenSSL
 
 Files: test/*
@@ -1868,17 +1918,19 @@ Files: test/aborttest.c
  test/x509_internal_test.c
  test/x509_time_test.c
  test/x509aux.c
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/certs/mkcert.sh
-Copyright: no-info-found
+Copyright: 2016-2021, The OpenSSL Project Authors.
+ 2016, Viktor Dukhovni <openssl-users@dukhovni.org>.
 License: OpenSSL
 
 Files: test/ciphername_test.c
  test/rsa_mp_test.c
  test/servername_test.c
-Copyright: no-info-found
+Copyright: 2017-2019, The OpenSSL Project Authors.
+ 2017, BaishanCloud.
 License: OpenSSL
 
 Files: test/cmactest.c
@@ -1899,16 +1951,18 @@ Files: test/ecdsatest.c
  test/lhash_test.c
  test/stack_test.c
  test/x509_dup_cert_test.c
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: test/ectest.c
  test/test_test.c
-Copyright: no-info-found
+Copyright: 2002, 2017, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/ossl_shim/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/ossl_shim/build.info
@@ -1917,7 +1971,7 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: test/recipes/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/recipes/01-test_test.t
@@ -1925,11 +1979,13 @@ Files: test/recipes/01-test_test.t
  test/recipes/02-test_stack.t
  test/recipes/20-test_enc_more.t
  test/recipes/60-test_x509_dup_cert.t
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: test/recipes/02-test_internal_ctype.t
-Copyright: no-info-found
+Copyright: 2002, 2017, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/recipes/03-test_internal_ec.t
@@ -1940,7 +1996,8 @@ Copyright: 1995-2022, The OpenSSL Project Authors.
 License: Apache-2.0
 
 Files: test/recipes/03-test_internal_sm4.t
-Copyright: no-info-found
+Copyright: 2017, [Ribose Inc.](https:www.ribose.com).
+ 2017, 2018, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/recipes/04-test_pem_data/*
@@ -1957,7 +2014,8 @@ License: OpenSSL
 
 Files: test/recipes/15-test_mp_rsa.t
  test/recipes/80-test_ciphername.t
-Copyright: no-info-found
+Copyright: 2017-2019, The OpenSSL Project Authors.
+ 2017, BaishanCloud.
 License: OpenSSL
 
 Files: test/recipes/15-test_mp_rsa_data/*
@@ -1973,7 +2031,8 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: test/recipes/70-test_servername.t
-Copyright: no-info-found
+Copyright: 2017, BaishanCloud.
+ 2017, 2018, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/recipes/80-test_cms_data/*
@@ -2017,7 +2076,8 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: test/recipes/95-test_external_pyca_data/*
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: test/recipes/ocsp-response.der
@@ -2029,11 +2089,12 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: test/sm4_internal_test.c
-Copyright: no-info-found
+Copyright: 2017-2021, The OpenSSL Project Authors.
+ 2017, Ribose Inc.
 License: OpenSSL
 
 Files: test/smime-certs/mksmime-certs.sh
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/ssl-tests/01-simple.conf.in
@@ -2063,7 +2124,7 @@ Files: test/ssl-tests/01-simple.conf.in
  test/ssl-tests/28-seclevel.conf.in
  test/ssl-tests/protocol_version.pm
  test/ssl-tests/ssltests_base.pm
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/ssl-tests/29-dtls-sctp-label-bug.conf.in
@@ -2071,7 +2132,9 @@ Copyright: 1995-2022, The OpenSSL Project Authors.
 License: Apache-2.0
 
 Files: test/ssltest_old.c
-Copyright: no-info-found
+Copyright: 2005, Nokia.
+ 2002, Oracle and/or its affiliates.
+ 1995-2022, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/testrsa_withattrs.der
@@ -2079,7 +2142,7 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: test/testutil/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: test/testutil/random.c
@@ -2087,7 +2150,8 @@ Copyright: 1995-2022, The OpenSSL Project Authors.
 License: Apache-2.0
 
 Files: test/testutil/tap_bio.c
-Copyright: no-info-found
+Copyright: 2002-2021, The OpenSSL Project Authors.
+ 2002, 2017, 2018, Oracle and/or its affiliates.
 License: OpenSSL
 
 Files: tools/*
@@ -2095,11 +2159,11 @@ Copyright: no-info-found
 License: OpenSSL
 
 Files: tools/c_rehash.in
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: util/*
-Copyright: 1995-2022, The OpenSSL Project Authors.
+Copyright: 1995-2023, The OpenSSL Project Authors.
 License: OpenSSL
 
 Files: util/build.info
diff --git a/debian/changelog b/debian/changelog
index 596f78ed2d1820a76ef896f731d479ef86611974..d1e5762ab1caef3e3f7a4e4d73a5d7144e1e40f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+openssl (1.1.1n-0+deb11u4+apertis1) apertis; urgency=medium
+
+  * Sync updates from Debian Bullseye Security
+
+ -- Apertis CI <devel@lists.apertis.org>  Wed, 08 Feb 2023 08:47:27 +0000
+
+openssl (1.1.1n-0+deb11u4) bullseye-security; urgency=medium
+
+  * CVE-2022-4450 (Double free after calling PEM_read_bio_ex).
+  * CVE-2023-0286 (X.400 address type confusion in X.509 GeneralName).
+  * CVE-2023-0215 (Use-after-free following BIO_new_NDEF).
+  * CVE-2022-4304 (Timing Oracle in RSA Decryption).
+  * CVE-2022-2097 (AES OCB fails to encrypt some bytes).
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 05 Feb 2023 22:23:17 +0100
+
 openssl (1.1.1n-0+deb11u3+apertis1) apertis; urgency=medium
 
   * Sync updates from Debian Bullseye Security
diff --git a/debian/patches/AES-OCB-test-vectors.patch b/debian/patches/AES-OCB-test-vectors.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f7dabfb7b437073bb806de92e3015f6d2a737f82
--- /dev/null
+++ b/debian/patches/AES-OCB-test-vectors.patch
@@ -0,0 +1,79 @@
+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:02:37 +1000
+Subject: AES OCB test vectors
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
+index 1c02ea1e9c2d..e12670d9a4b4 100644
+--- a/test/recipes/30-test_evp_data/evpciph.txt
++++ b/test/recipes/30-test_evp_data/evpciph.txt
+@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
+ Operation = DECRYPT
+ Result = CIPHERFINAL_ERROR
+ 
++#Test vectors generated to validate aesni_ocb_encrypt on x86
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = C14DFF7D62A13C4A3422456207453190
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 41970D13737B7BD1B5FBF49ED4412CA5
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = BE0228651ED4E48A11BDED68D953F3A0
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 17BC6E10B16E5FDC52836E7D589518C7
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = E84AAC18666116990A3A37B3A5FC55BD
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 3E5EA7EE064FE83B313E28D411E91EAD
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
++
+ Title = AES XTS test vectors from IEEE Std 1619-2007
+ 
+ # Using the same key twice for encryption is always banned.
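Review bot: Nothing in this patch header names a CVE or an upstream commit, although debian/changelog lists CVE-2022-2097 (AES OCB fails to encrypt some bytes) for this upload, which is presumably the issue these vectors cover. The Add-a-test-for-CVE-2022-4450 and Avoid-dangling-ptrs patches later in this diff have the same gap. A DEP-3 style field before the `---` line, for example `Origin: upstream, <upstream commit URL>`, would let an auditor compare each backport with the upstream change. This patch adds test vectors only, and its own comment scopes them to `aesni_ocb_encrypt` on x86, so they do not show on their own that the encryption fix is applied; it is worth confirming that the series carries that change as well.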
diff --git a/debian/patches/Add-a-test-for-CVE-2022-4450.patch b/debian/patches/Add-a-test-for-CVE-2022-4450.patch
new file mode 100644
index 0000000000000000000000000000000000000000..94871c71f5f17eb428d0c60f2799d3e685e0c809
--- /dev/null
+++ b/debian/patches/Add-a-test-for-CVE-2022-4450.patch
@@ -0,0 +1,55 @@
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 13 Dec 2022 15:02:26 +0000
+Subject: Add a test for CVE-2022-4450
+
+Call PEM_read_bio_ex() and expect a failure. There should be no dangling
+ptrs and therefore there should be no double free if we free the ptrs on
+error.
+---
+ test/pemtest.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/test/pemtest.c b/test/pemtest.c
+index 3203d976be76..edeb0a12059e 100644
+--- a/test/pemtest.c
++++ b/test/pemtest.c
+@@ -83,9 +83,39 @@ static int test_invalid(void)
+     return 1;
+ }
+ 
++static int test_empty_payload(void)
++{
++    BIO *b;
++    static char *emptypay =
++        "-----BEGIN CERTIFICATE-----\n"
++        "-\n" /* Base64 EOF character */
++        "-----END CERTIFICATE-----";
++    char *name = NULL, *header = NULL;
++    unsigned char *data = NULL;
++    long len;
++    int ret = 0;
++
++    b = BIO_new_mem_buf(emptypay, strlen(emptypay));
++    if (!TEST_ptr(b))
++        return 0;
++
++    /* Expected to fail because the payload is empty */
++    if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
++        goto err;
++
++    ret = 1;
++ err:
++    OPENSSL_free(name);
++    OPENSSL_free(header);
++    OPENSSL_free(data);
++    BIO_free(b);
++    return ret;
++}
++
+ int setup_tests(void)
+ {
+     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
+     ADD_TEST(test_invalid);
++    ADD_TEST(test_empty_payload);
+     return 1;
+ }
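Review bot: test_empty_payload() only asserts that PEM_read_bio_ex() fails, so the double free it guards against is caught only if the allocator or a sanitizer happens to notice the second free in the `err:` cleanup. Checking the out-parameters right after the call makes the regression test deterministic: `if (!TEST_ptr_null(header) || !TEST_ptr_null(data)) goto err;`. Separately, `emptypay` points at a string literal and is never written through, so `static const char *emptypay` would be the safer declaration.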
diff --git a/debian/patches/Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch b/debian/patches/Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0b7eb70bb5197d79df2c10901100f76013228f37
--- /dev/null
+++ b/debian/patches/Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch
@@ -0,0 +1,33 @@
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 13 Dec 2022 14:54:55 +0000
+Subject: Avoid dangling ptrs in header and data params for PEM_read_bio_ex
+
+In the event of a failure in PEM_read_bio_ex() we free the buffers we
+allocated for the header and data buffers. However we were not clearing
+the ptrs stored in *header and *data. Since, on success, the caller is
+responsible for freeing these ptrs this can potentially lead to a double
+free if the caller frees them even on failure.
+
+Thanks to Dawei Wang for reporting this issue.
+
+Based on a proposed patch by Kurt Roeckx.
+
+CVE-2022-4450
+---
+ crypto/pem/pem_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
+index 2de093595d0d..173045be21ea 100644
+--- a/crypto/pem/pem_lib.c
++++ b/crypto/pem/pem_lib.c
+@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
+     *data = pem_malloc(len, flags);
+     if (*header == NULL || *data == NULL) {
+         pem_free(*header, flags, 0);
++        *header = NULL;
+         pem_free(*data, flags, 0);
++        *data = NULL;
+         goto end;
+     }
+     BIO_read(headerB, *header, headerlen);
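Review bot: The two added `= NULL` assignments carry no comment saying why they matter, so a later cleanup could mistake them for redundant stores before `goto end`. A line such as `/* Clear the out-params: callers may free them even on failure */` above `pem_free(*header, flags, 0);` would record the contract that the commit message describes. PEM_read_bio_ex starts and ends outside this hunk, so whether any other error path can leave `*header` or `*data` pointing at freed memory cannot be confirmed from here and is worth checking when reviewing the backport.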
diff --git a/debian/patches/CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch b/debian/patches/CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0a4337b74432b7a5ff905987a3986cc030c3980a
--- /dev/null
+++ b/debian/patches/CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch
@@ -0,0 +1,87 @@
+From: Hugo Landau <hlandau@openssl.org>
+Date: Tue, 17 Jan 2023 17:45:42 +0000
+Subject: CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
+
+---
+ CHANGES                  | 20 ++++++++++++++++++++
+ crypto/x509v3/v3_genn.c  |  2 +-
+ include/openssl/x509v3.h |  2 +-
+ test/v3nametest.c        |  8 ++++++++
+ 4 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 3ef3fa28cfa8..265555ab95c5 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -7,6 +7,26 @@
+  https://github.com/openssl/openssl/commits/ and pick the appropriate
+  release branch.
+ 
++ Changes between 1.1.1s and 1.1.1t [xx XXX xxxx]
++
++  *) Fixed a type confusion vulnerability relating to X.400 address processing
++     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
++     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
++     vulnerability may allow an attacker who can provide a certificate chain and
++     CRL (neither of which need have a valid signature) to pass arbitrary
++     pointers to a memcmp call, creating a possible read primitive, subject to
++     some constraints. Refer to the advisory for more information. Thanks to
++     David Benjamin for discovering this issue. (CVE-2023-0286)
++
++     This issue has been fixed by changing the public header file definition of
++     GENERAL_NAME so that x400Address reflects the implementation. It was not
++     possible for any existing application to successfully use the existing
++     definition; however, if any application references the x400Address field
++     (e.g. in dead code), note that the type of this field has changed. There is
++     no ABI change.
++
++     [Hugo Landau]
++
+  Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
+ 
+   *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
+index 87a5eff47cd9..e54ddc55c957 100644
+--- a/crypto/x509v3/v3_genn.c
++++ b/crypto/x509v3/v3_genn.c
+@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+         return -1;
+     switch (a->type) {
+     case GEN_X400:
+-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+         break;
+ 
+     case GEN_EDIPARTY:
+diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
+index 90fa3592ce58..e61c0f29d4b4 100644
+--- a/include/openssl/x509v3.h
++++ b/include/openssl/x509v3.h
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+         OTHERNAME *otherName;   /* otherName */
+         ASN1_IA5STRING *rfc822Name;
+         ASN1_IA5STRING *dNSName;
+-        ASN1_TYPE *x400Address;
++        ASN1_STRING *x400Address;
+         X509_NAME *directoryName;
+         EDIPARTYNAME *ediPartyName;
+         ASN1_IA5STRING *uniformResourceIdentifier;
+diff --git a/test/v3nametest.c b/test/v3nametest.c
+index d1852190b84e..37819da8fd78 100644
+--- a/test/v3nametest.c
++++ b/test/v3nametest.c
+@@ -646,6 +646,14 @@ static struct gennamedata {
+             0xb7, 0x09, 0x02, 0x02
+         },
+         15
++    }, {
++        /*
++         * Regression test for CVE-2023-0286.
++         */
++        {
++            0xa3, 0x00
++        },
++        2
+     }
+ };
+ 
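Review bot: The new `gennamedata` entry in test/v3nametest.c is documented only as "Regression test for CVE-2023-0286", which does not say what the two bytes encode or why they exercise the bug. I would extend the comment to something like `* Regression test for CVE-2023-0286: empty x400Address (context tag [3], constructed), which must be handled as an ASN1_STRING.` The array declaration and the code that consumes it are outside the hunk, so how the entry is exercised is inferred from the CHANGES text rather than seen here.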
diff --git a/debian/patches/Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch b/debian/patches/Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d09d7a50e89787825d14c08c385f726297fdf5e1
--- /dev/null
+++ b/debian/patches/Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch
@@ -0,0 +1,72 @@
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 14 Dec 2022 17:15:18 +0000
+Subject: Check CMS failure during BIO setup with -stream is handled correctly
+
+Test for the issue fixed in the previous commit
+---
+ test/recipes/80-test_cms.t  | 15 +++++++++++++--
+ test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+ create mode 100644 test/smime-certs/badrsa.pem
+
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 5dc6a3aebe01..ec11bfc2538b 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -13,7 +13,7 @@ use warnings;
+ use POSIX;
+ use File::Spec::Functions qw/catfile/;
+ use File::Compare qw/compare_text/;
+-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
+ use OpenSSL::Test::Utils;
+ 
+ setup("test_cms");
+@@ -27,7 +27,7 @@ my $smcont   = srctop_file("test", "smcont.txt");
+ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
+     = disabled qw/des dh dsa ec ec2m rc2 zlib/;
+ 
+-plan tests => 6;
++plan tests => 7;
+ 
+ my @smime_pkcs7_tests = (
+ 
+@@ -584,3 +584,14 @@ sub check_availability {
+ 
+     return "";
+ }
++
++# Check that we get the expected failure return code
++with({ exit_checker => sub { return shift == 6; } },
++    sub {
++        ok(run(app(['openssl', 'cms', '-encrypt',
++                    '-in', srctop_file("test", "smcont.txt"),
++                    '-stream', '-recip',
++                    srctop_file("test/smime-certs", "badrsa.pem"),
++                   ])),
++            "Check failure during BIO setup with -stream is handled correctly");
++    });
+diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
+new file mode 100644
+index 000000000000..f824fc226732
+--- /dev/null
++++ b/test/smime-certs/badrsa.pem
+@@ -0,0 +1,18 @@
++-----BEGIN CERTIFICATE-----
++MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
++VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
++DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
++AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
++I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
++/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
++yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
++zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
++lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
++CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
++ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
++eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
++5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
++rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
++yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
++j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
++-----END CERTIFICATE-----
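Review bot: The exit status `6` in the new `exit_checker` is a bare magic number; the comment above it says an expected failure code is checked but not which failure 6 stands for in `openssl cms`. A short comment naming that failure would let a reader tell the intended error from an unrelated one that happens to share the code. The call also rebuilds `srctop_file("test", "smcont.txt")`, although the file appears to define `my $smcont` with the same value (visible in the second hunk header), so `'-in', $smcont,` would avoid the duplication if that variable is in scope at this point.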
diff --git a/debian/patches/Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch b/debian/patches/Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7696a9525281a23f77520423e6a32149564c3861
--- /dev/null
+++ b/debian/patches/Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
@@ -0,0 +1,69 @@
+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:00:22 +1000
+Subject: Fix AES OCB encrypt/decrypt for x86 AES-NI
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
+that performs operations on 6 16-byte blocks concurrently (the
+"grandloop") and then proceeds to handle the "short" tail (which can
+be anywhere from 0 to 5 blocks) that remain.
+
+As part of initialization, the assembly initializes $len to the true
+length, less 96 bytes and converts it to a pointer so that the $inp
+can be compared to it. Each iteration of "grandloop" checks to see if
+there's a full 96-byte chunk to process, and if so, continues. Once
+this has been exhausted, it falls through to "short", which handles
+the remaining zero to five blocks.
+
+Unfortunately, the jump at the end of "grandloop" had a fencepost
+error, doing a `jb` ("jump below") rather than `jbe` (jump below or
+equal). This should be `jbe`, as $inp is pointing to the *end* of the
+chunk currently being handled. If $inp == $len, that means that
+there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
+then there's 5 or fewer 16-byte blocks left to be handled, and the
+fall-through is intended.
+
+The net effect of `jb` instead of `jbe` is that the last 16-byte block
+of the last 96-byte chunk was completely omitted. The contents of
+`out` in this position were never written to. Additionally, since
+those bytes were never processed, the authentication tag generated is
+also incorrect.
+
+The same fencepost error, and identical logic, exists in both
+aesni_ocb_encrypt and aesni_ocb_decrypt.
+
+This addresses CVE-2022-2097.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ crypto/aes/asm/aesni-x86.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
+index fe2b26542ab6..812758e02e04 100644
+--- a/crypto/aes/asm/aesni-x86.pl
++++ b/crypto/aes/asm/aesni-x86.pl
+@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
+ 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
+ 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
+ 	&cmp		($inp,$len);			# done yet?
+-	&jb		(&label("grandloop"));
++	&jbe		(&label("grandloop"));
+ 
+ &set_label("short");
+ 	&add		($len,16*6);
+@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
+ 	&pxor		($rndkey1,$inout5);
+ 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
+ 	&cmp		($inp,$len);			# done yet?
+-	&jb		(&label("grandloop"));
++	&jbe		(&label("grandloop"));
+ 
+ &set_label("short");
+ 	&add		($len,16*6);
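Review bot: Both changed branches keep the comment `# done yet?` on the `&cmp` line, which does not capture the boundary condition that the commit message takes several paragraphs to explain. Something like `# $inp <= $len: a full 96-byte chunk remains` in both places would help keep the fencepost error from being reintroduced. The patch also carries no test vector; a case that reaches the loop check with `$inp == $len`, verifying both the output and the tag for encrypt and decrypt, would pin the fix, unless another patch in the series already adds one.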
diff --git a/debian/patches/Fix-Timing-Oracle-in-RSA-decryption.patch b/debian/patches/Fix-Timing-Oracle-in-RSA-decryption.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a1e35449d97781036d5b04891cec555af256ed17
--- /dev/null
+++ b/debian/patches/Fix-Timing-Oracle-in-RSA-decryption.patch
@@ -0,0 +1,798 @@
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 20 Jan 2023 15:26:54 +0000
+Subject: Fix Timing Oracle in RSA decryption
+
+A timing based side channel exists in the OpenSSL RSA Decryption
+implementation which could be sufficient to recover a plaintext across
+a network in a Bleichenbacher style attack. To achieve a successful
+decryption an attacker would have to be able to send a very large number
+of trial messages for decryption. The vulnerability affects all RSA
+padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
+
+Patch written by Dmitry Belyavsky and Hubert Kario
+
+CVE-2022-4304
+---
+ crypto/bn/bn_blind.c    |  14 --
+ crypto/bn/bn_err.c      |   2 +
+ crypto/bn/bn_local.h    |  14 ++
+ crypto/bn/build.info    |   3 +-
+ crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++++++++++++++++++++++++++++++++
+ crypto/err/openssl.txt  |   3 +-
+ crypto/rsa/rsa_ossl.c   |  17 +-
+ include/crypto/bn.h     |   5 +
+ include/openssl/bnerr.h |   1 +
+ 9 files changed, 653 insertions(+), 20 deletions(-)
+ create mode 100644 crypto/bn/rsa_sup_mul.c
+
+diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
+index 76fc7ebcffc0..6e9d23932119 100644
+--- a/crypto/bn/bn_blind.c
++++ b/crypto/bn/bn_blind.c
+@@ -13,20 +13,6 @@
+ 
+ #define BN_BLINDING_COUNTER     32
+ 
+-struct bn_blinding_st {
+-    BIGNUM *A;
+-    BIGNUM *Ai;
+-    BIGNUM *e;
+-    BIGNUM *mod;                /* just a reference */
+-    CRYPTO_THREAD_ID tid;
+-    int counter;
+-    unsigned long flags;
+-    BN_MONT_CTX *m_ctx;
+-    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+-                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+-    CRYPTO_RWLOCK *lock;
+-};
+-
+ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
+ {
+     BN_BLINDING *ret = NULL;
+diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c
+index dd87c152cf37..3dd8d9a5682b 100644
+--- a/crypto/bn/bn_err.c
++++ b/crypto/bn/bn_err.c
+@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = {
+     {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"},
+     {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"},
+     {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"},
++    {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0),
++    "ossl_bn_rsa_do_unblind"},
+     {0, NULL}
+ };
+ 
+diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
+index 8ad69ccd3639..096513533b70 100644
+--- a/crypto/bn/bn_local.h
++++ b/crypto/bn/bn_local.h
+@@ -263,6 +263,20 @@ struct bn_gencb_st {
+     } cb;
+ };
+ 
++struct bn_blinding_st {
++    BIGNUM *A;
++    BIGNUM *Ai;
++    BIGNUM *e;
++    BIGNUM *mod;                /* just a reference */
++    CRYPTO_THREAD_ID tid;
++    int counter;
++    unsigned long flags;
++    BN_MONT_CTX *m_ctx;
++    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
++                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
++    CRYPTO_RWLOCK *lock;
++};
++
+ /*-
+  * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
+  *
+diff --git a/crypto/bn/build.info b/crypto/bn/build.info
+index b9ed5322fa68..c9fe2fdada69 100644
+--- a/crypto/bn/build.info
++++ b/crypto/bn/build.info
+@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\
+         bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \
+         {- $target{bn_asm_src} -} \
+         bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
+-        bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c
++        bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \
++        rsa_sup_mul.c
+ 
+ INCLUDE[bn_exp.o]=..
+ 
+diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
+new file mode 100644
+index 000000000000..acafefd5febf
+--- /dev/null
++++ b/crypto/bn/rsa_sup_mul.c
+@@ -0,0 +1,614 @@
++#include <openssl/e_os2.h>
++#include <stddef.h>
++#include <sys/types.h>
++#include <string.h>
++#include <openssl/bn.h>
++#include <openssl/err.h>
++#include <openssl/rsaerr.h>
++#include "internal/numbers.h"
++#include "internal/constant_time.h"
++#include "bn_local.h"
++
++# if BN_BYTES == 8
++typedef uint64_t limb_t;
++#  if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
++/* nonstandard; implemented by gcc on 64-bit platforms */
++typedef __uint128_t limb2_t;
++#   define HAVE_LIMB2_T
++#  endif
++#  define LIMB_BIT_SIZE 64
++#  define LIMB_BYTE_SIZE 8
++# elif BN_BYTES == 4
++typedef uint32_t limb_t;
++typedef uint64_t limb2_t;
++#  define LIMB_BIT_SIZE 32
++#  define LIMB_BYTE_SIZE 4
++#  define HAVE_LIMB2_T
++# else
++#  error "Not supported"
++# endif
++
++/*
++ * For multiplication we're using schoolbook multiplication,
++ * so if we have two numbers, each with 6 "digits" (words)
++ * the multiplication is calculated as follows:
++ *                        A B C D E F
++ *                     x  I J K L M N
++ *                     --------------
++ *                                N*F
++ *                              N*E
++ *                            N*D
++ *                          N*C
++ *                        N*B
++ *                      N*A
++ *                              M*F
++ *                            M*E
++ *                          M*D
++ *                        M*C
++ *                      M*B
++ *                    M*A
++ *                            L*F
++ *                          L*E
++ *                        L*D
++ *                      L*C
++ *                    L*B
++ *                  L*A
++ *                          K*F
++ *                        K*E
++ *                      K*D
++ *                    K*C
++ *                  K*B
++ *                K*A
++ *                        J*F
++ *                      J*E
++ *                    J*D
++ *                  J*C
++ *                J*B
++ *              J*A
++ *                      I*F
++ *                    I*E
++ *                  I*D
++ *                I*C
++ *              I*B
++ *         +  I*A
++ *         ==========================
++ *                        N*B N*D N*F
++ *                    + N*A N*C N*E
++ *                    + M*B M*D M*F
++ *                  + M*A M*C M*E
++ *                  + L*B L*D L*F
++ *                + L*A L*C L*E
++ *                + K*B K*D K*F
++ *              + K*A K*C K*E
++ *              + J*B J*D J*F
++ *            + J*A J*C J*E
++ *            + I*B I*D I*F
++ *          + I*A I*C I*E
++ *
++ *                1+1 1+3 1+5
++ *              1+0 1+2 1+4
++ *              0+1 0+3 0+5
++ *            0+0 0+2 0+4
++ *
++ *            0 1 2 3 4 5 6
++ * which requires n^2 multiplications and 2n full length additions
++ * as we can keep every other result of limb multiplication in two separate
++ * limbs
++ */
++
++#if defined HAVE_LIMB2_T
++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
++{
++    limb2_t t;
++    /*
++     * this is idiomatic code to tell compiler to use the native mul
++     * those three lines will actually compile to single instruction
++     */
++
++    t = (limb2_t)a * b;
++    *hi = t >> LIMB_BIT_SIZE;
++    *lo = (limb_t)t;
++}
++#elif (BN_BYTES == 8) && (defined _MSC_VER)
++/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
++#pragma intrinsic(_umul128)
++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
++{
++    *lo = _umul128(a, b, hi);
++}
++#else
++/*
++ * if the compiler doesn't have either a 128bit data type nor a "return
++ * high 64 bits of multiplication"
++ */
++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
++{
++    limb_t a_low = (limb_t)(uint32_t)a;
++    limb_t a_hi = a >> 32;
++    limb_t b_low = (limb_t)(uint32_t)b;
++    limb_t b_hi = b >> 32;
++
++    limb_t p0 = a_low * b_low;
++    limb_t p1 = a_low * b_hi;
++    limb_t p2 = a_hi * b_low;
++    limb_t p3 = a_hi * b_hi;
++
++    uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
++
++    *lo = p0 + (p1 << 32) + (p2 << 32);
++    *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
++}
++#endif
++
++/* add two limbs with carry in, return carry out */
++static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
++{
++    limb_t carry1, carry2, t;
++    /*
++     * `c = a + b; if (c < a)` is idiomatic code that makes compilers
++     * use add with carry on assembly level
++     */
++
++    *ret = a + carry;
++    if (*ret < a)
++        carry1 = 1;
++    else
++        carry1 = 0;
++
++    t = *ret;
++    *ret = t + b;
++    if (*ret < t)
++        carry2 = 1;
++    else
++        carry2 = 0;
++
++    return carry1 + carry2;
++}
++
++/*
++ * add two numbers of the same size, return overflow
++ *
++ * add a to b, place result in ret; all arrays need to be n limbs long
++ * return overflow from addition (0 or 1)
++ */
++static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
++{
++    limb_t c = 0;
++    ossl_ssize_t i;
++
++    for(i = n - 1; i > -1; i--)
++        c = _add_limb(&ret[i], a[i], b[i], c);
++
++    return c;
++}
++
++/*
++ * return number of limbs necessary for temporary values
++ * when multiplying numbers n limbs large
++ */
++static ossl_inline size_t mul_limb_numb(size_t n)
++{
++    return  2 * n * 2;
++}
++
++/*
++ * multiply two numbers of the same size
++ *
++ * multiply a by b, place result in ret; a and b need to be n limbs long
++ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
++ * long
++ */
++static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
++{
++    limb_t *r_odd, *r_even;
++    size_t i, j, k;
++
++    r_odd = tmp;
++    r_even = &tmp[2 * n];
++
++    memset(ret, 0, 2 * n * sizeof(limb_t));
++
++    for (i = 0; i < n; i++) {
++        for (k = 0; k < i + n + 1; k++) {
++            r_even[k] = 0;
++            r_odd[k] = 0;
++        }
++        for (j = 0; j < n; j++) {
++            /*
++             * place results from even and odd limbs in separate arrays so that
++             * we don't have to calculate overflow every time we get individual
++             * limb multiplication result
++             */
++            if (j % 2 == 0)
++                _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
++            else
++                _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
++        }
++        /*
++         * skip the least significant limbs when adding multiples of
++         * more significant limbs (they're zero anyway)
++         */
++        add(ret, ret, r_even, n + i + 1);
++        add(ret, ret, r_odd, n + i + 1);
++    }
++}
++
++/* modifies the value in place by performing a right shift by one bit */
++static ossl_inline void rshift1(limb_t *val, size_t n)
++{
++    limb_t shift_in = 0, shift_out = 0;
++    size_t i;
++
++    for (i = 0; i < n; i++) {
++        shift_out = val[i] & 1;
++        val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
++        shift_in = shift_out;
++    }
++}
++
++/* extend the LSB of flag to all bits of limb */
++static ossl_inline limb_t mk_mask(limb_t flag)
++{
++    flag |= flag << 1;
++    flag |= flag << 2;
++    flag |= flag << 4;
++    flag |= flag << 8;
++    flag |= flag << 16;
++#if (LIMB_BYTE_SIZE == 8)
++    flag |= flag << 32;
++#endif
++    return flag;
++}
++
++/*
++ * copy from either a or b to ret based on flag
++ * when flag == 0, then copies from b
++ * when flag == 1, then copies from a
++ */
++static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
++{
++    /*
++     * would be more efficient with non volatile mask, but then gcc
++     * generates code with jumps
++     */
++    volatile limb_t mask;
++    size_t i;
++
++    mask = mk_mask(flag);
++    for (i = 0; i < n; i++) {
++#if (LIMB_BYTE_SIZE == 8)
++        ret[i] = constant_time_select_64(mask, a[i], b[i]);
++#else
++        ret[i] = constant_time_select_32(mask, a[i], b[i]);
++#endif
++    }
++}
++
++static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
++{
++    limb_t borrow1, borrow2, t;
++    /*
++     * while it doesn't look constant-time, this is idiomatic code
++     * to tell compilers to use the carry bit from subtraction
++     */
++
++    *ret = a - borrow;
++    if (*ret > a)
++        borrow1 = 1;
++    else
++        borrow1 = 0;
++
++    t = *ret;
++    *ret = t - b;
++    if (*ret > t)
++        borrow2 = 1;
++    else
++        borrow2 = 0;
++
++    return borrow1 + borrow2;
++}
++
++/*
++ * place the result of a - b into ret, return the borrow bit.
++ * All arrays need to be n limbs long
++ */
++static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
++{
++    limb_t borrow = 0;
++    ossl_ssize_t i;
++
++    for (i = n - 1; i > -1; i--)
++        borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
++
++    return borrow;
++}
++
++/* return the number of limbs necessary to allocate for the mod() tmp operand */
++static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
++{
++    return (anum + modnum) * 3;
++}
++
++/*
++ * calculate a % mod, place the result in ret
++ * size of a is defined by anum, size of ret and mod is modnum,
++ * size of tmp is returned by mod_limb_numb()
++ */
++static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
++               size_t modnum, limb_t *tmp)
++{
++    limb_t *atmp, *modtmp, *rettmp;
++    limb_t res;
++    size_t i;
++
++    memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
++
++    atmp = tmp;
++    modtmp = &tmp[anum + modnum];
++    rettmp = &tmp[(anum + modnum) * 2];
++
++    for (i = modnum; i <modnum + anum; i++)
++        atmp[i] = a[i-modnum];
++
++    for (i = 0; i < modnum; i++)
++        modtmp[i] = mod[i];
++
++    for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
++        rshift1(modtmp, anum + modnum);
++        res = sub(rettmp, atmp, modtmp, anum+modnum);
++        cselect(res, atmp, atmp, rettmp, anum+modnum);
++    }
++
++    memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
++}
++
++/* necessary size of tmp for a _mul_add_limb() call with provided anum */
++static ossl_inline size_t _mul_add_limb_numb(size_t anum)
++{
++    return 2 * (anum + 1);
++}
++
++/* multiply a by m, add to ret, return carry */
++static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
++                           limb_t m, limb_t *tmp)
++{
++    limb_t carry = 0;
++    limb_t *r_odd, *r_even;
++    size_t i;
++
++    memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
++
++    r_odd = tmp;
++    r_even = &tmp[anum + 1];
++
++    for (i = 0; i < anum; i++) {
++        /*
++         * place the results from even and odd limbs in separate arrays
++         * so that we have to worry about carry just once
++         */
++        if (i % 2 == 0)
++            _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
++        else
++            _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
++    }
++    /* assert: add() carry here will be equal zero */
++    add(r_even, r_even, r_odd, anum + 1);
++    /*
++     * while here it will not overflow as the max value from multiplication
++     * is -2 while max overflow from addition is 1, so the max value of
++     * carry is -1 (i.e. max int)
++     */
++    carry = add(ret, ret, &r_even[1], anum) + r_even[0];
++
++    return carry;
++}
++
++static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
++{
++    return modnum * 2 + _mul_add_limb_numb(modnum);
++}
++
++/*
++ * calculate a % mod, place result in ret
++ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
++ * smallest power of two big enough to fit mod and that's also a power
++ * of the count of number of bits in limb_t (B).
++ * For calculation, we also need n', such that mod * n' == -1 mod B.
++ * anum must be <= 2 * modnum
++ * ret needs to be modnum words long
++ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
++ */
++static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
++                          size_t modnum, limb_t ni0, limb_t *tmp)
++{
++    limb_t carry, v;
++    limb_t *res, *rp, *tmp2;
++    ossl_ssize_t i;
++
++    res = tmp;
++    /*
++     * for intermediate result we need an integer twice as long as modulus
++     * but keep the input in the least significant limbs
++     */
++    memset(res, 0, sizeof(limb_t) * (modnum * 2));
++    memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
++    rp = &res[modnum];
++    tmp2 = &res[modnum * 2];
++
++    carry = 0;
++
++    /* add multiples of the modulus to the value until R divides it cleanly */
++    for (i = modnum; i > 0; i--, rp--) {
++        v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2);
++        v = v + carry + rp[-1];
++        carry |= (v != rp[-1]);
++        carry &= (v <= rp[-1]);
++        rp[-1] = v;
++    }
++
++    /* perform the final reduction by mod... */
++    carry -= sub(ret, rp, mod, modnum);
++
++    /* ...conditionally */
++    cselect(carry, ret, rp, ret, modnum);
++}
++
++/* allocated buffer should be freed afterwards */
++static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
++{
++    int i;
++    int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
++    limb_t *ptr = buf + (limbs - real_limbs);
++
++    for (i = 0; i < real_limbs; i++)
++         ptr[i] = bn->d[real_limbs - i - 1];
++}
++
++#if LIMB_BYTE_SIZE == 8
++static ossl_inline uint64_t be64(uint64_t host)
++{
++    const union {
++        long one;
++        char little;
++    } is_endian = { 1 };
++
++    if (is_endian.little) {
++        uint64_t big = 0;
++
++        big |= (host & 0xff00000000000000) >> 56;
++        big |= (host & 0x00ff000000000000) >> 40;
++        big |= (host & 0x0000ff0000000000) >> 24;
++        big |= (host & 0x000000ff00000000) >>  8;
++        big |= (host & 0x00000000ff000000) <<  8;
++        big |= (host & 0x0000000000ff0000) << 24;
++        big |= (host & 0x000000000000ff00) << 40;
++        big |= (host & 0x00000000000000ff) << 56;
++        return big;
++    } else {
++        return host;
++    }
++}
++
++#else
++/* Not all platforms have htobe32(). */
++static ossl_inline uint32_t be32(uint32_t host)
++{
++    const union {
++        long one;
++        char little;
++    } is_endian = { 1 };
++
++    if (is_endian.little) {
++        uint32_t big = 0;
++
++        big |= (host & 0xff000000) >> 24;
++        big |= (host & 0x00ff0000) >> 8;
++        big |= (host & 0x0000ff00) << 8;
++        big |= (host & 0x000000ff) << 24;
++        return big;
++    } else {
++        return host;
++    }
++}
++#endif
++
++/*
++ * We assume that intermediate, possible_arg2, blinding, and ctx are used
++ * similar to BN_BLINDING_invert_ex() arguments.
++ * to_mod is RSA modulus.
++ * buf and num is the serialization buffer and its length.
++ *
++ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
++ * we serialize the new structure instead of BIGNUMs taking endianness into account.
++ */
++int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
++                           const BN_BLINDING *blinding,
++                           const BIGNUM *possible_arg2,
++                           const BIGNUM *to_mod, BN_CTX *ctx,
++                           unsigned char *buf, int num)
++{
++    limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
++    limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
++    size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
++    size_t l_tmp_count = 0;
++    int ret = 0;
++    size_t i;
++    unsigned char *tmp;
++    const BIGNUM *arg1 = intermediate;
++    const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
++
++    l_im_count  = (BN_num_bytes(arg1)   + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
++    l_mul_count = (BN_num_bytes(arg2)   + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
++    l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
++
++    l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
++    l_im  = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
++    l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
++    l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
++
++    if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
++        goto err;
++
++    BN_to_limb(arg1,   l_im,  l_size);
++    BN_to_limb(arg2,   l_mul, l_size);
++    BN_to_limb(to_mod, l_mod, l_mod_count);
++
++    l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
++
++    if (blinding->m_ctx != NULL) {
++        l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
++                      mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
++        l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
++    } else {
++        l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
++                      mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
++        l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
++    }
++
++    if ((l_ret == NULL) || (l_tmp == NULL))
++        goto err;
++
++    if (blinding->m_ctx != NULL) {
++        limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
++        mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
++                       blinding->m_ctx->n0[0], l_tmp);
++    } else {
++        limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
++        mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
++    }
++
++    /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
++    if (num < BN_num_bytes(to_mod)) {
++        BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT);
++        goto err;
++    }
++
++    memset(buf, 0, num);
++    tmp = buf + num - BN_num_bytes(to_mod);
++    for (i = 0; i < l_mod_count; i++) {
++#if LIMB_BYTE_SIZE == 8
++        l_buf = be64(l_ret[i]);
++#else
++        l_buf = be32(l_ret[i]);
++#endif
++        if (i == 0) {
++            int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
++
++            memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
++            tmp += delta;
++        } else {
++            memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
++            tmp += LIMB_BYTE_SIZE;
++        }
++    }
++    ret = num;
++
++ err:
++    OPENSSL_free(l_im);
++    OPENSSL_free(l_mul);
++    OPENSSL_free(l_mod);
++    OPENSSL_free(l_tmp);
++    OPENSSL_free(l_ret);
++
++    return ret;
++}
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index 902e97b84355..e0f0ab7c76f8 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -1,4 +1,4 @@
+-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
++# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
+ #
+ # Licensed under the OpenSSL license (the "License").  You may not use
+ # this file except in compliance with the License.  You can obtain a copy
+@@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift
+ BN_F_BN_SET_WORDS:144:bn_set_words
+ BN_F_BN_STACK_PUSH:148:BN_STACK_push
+ BN_F_BN_USUB:115:BN_usub
++BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind
+ BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow
+ BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean
+ BUF_F_BUF_MEM_NEW:101:BUF_MEM_new
+diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
+index b52a66f6a628..6c3c0cf78d30 100644
+--- a/crypto/rsa/rsa_ossl.c
++++ b/crypto/rsa/rsa_ossl.c
+@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+         BN_free(d);
+     }
+ 
+-    if (blinding)
+-        if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
++    if (blinding) {
++        /*
++         * ossl_bn_rsa_do_unblind() combines blinding inversion and
++         * 0-padded BN BE serialization
++         */
++        j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
++                                   buf, num);
++        if (j == 0)
+             goto err;
+-
+-    j = BN_bn2binpad(ret, buf, num);
++    } else {
++        j = BN_bn2binpad(ret, buf, num);
++        if (j < 0)
++            goto err;
++    }
+ 
+     switch (padding) {
+     case RSA_PKCS1_PADDING:
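Review bot: The new call `ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, buf, num)` is only safe when `num` equals `BN_num_bytes(rsa->n)`, and nothing in the helper added by this same patch enforces that. The helper rejects `num < BN_num_bytes(to_mod)` but then places the output at `buf + num - BN_num_bytes(to_mod)` while sizing the first copy from `num`, so a larger `num` would push `delta` past `LIMB_BYTE_SIZE` and the copies would read outside `l_buf` and write beyond `buf + num`. Deriving the first-limb length from the modulus instead, `int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - BN_num_bytes(to_mod));`, keeps the write inside the zero-padded buffer for any `num` that passes the check. Where `num` is set in `rsa_ossl_private_decrypt` is outside this hunk, so the current caller may well satisfy the precondition already.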
+diff --git a/include/crypto/bn.h b/include/crypto/bn.h
+index 60afda1dadee..b5f36fb25aa2 100644
+--- a/include/crypto/bn.h
++++ b/include/crypto/bn.h
+@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+ int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+                      const BIGNUM *d, BN_CTX *ctx);
++int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
++                           const BN_BLINDING *blinding,
++                           const BIGNUM *possible_arg2,
++                           const BIGNUM *to_mod, BN_CTX *ctx,
++                           unsigned char *buf, int num);
+ 
+ #endif
+diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h
+index 9f3c7cfaab67..a0752cea52d7 100644
+--- a/include/openssl/bnerr.h
++++ b/include/openssl/bnerr.h
+@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void);
+ # define BN_F_BN_SET_WORDS                                144
+ # define BN_F_BN_STACK_PUSH                               148
+ # define BN_F_BN_USUB                                     115
++# define BN_F_OSSL_BN_RSA_DO_UNBLIND                      151
+ 
+ /*
+  * BN reason codes.
diff --git a/debian/patches/Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch b/debian/patches/Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
new file mode 100644
index 0000000000000000000000000000000000000000..09f876939e6687fe9046bd2aa86fb75d41dff6a5
--- /dev/null
+++ b/debian/patches/Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
@@ -0,0 +1,99 @@
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 14 Dec 2022 16:18:14 +0000
+Subject: Fix a UAF resulting from a bug in BIO_new_NDEF
+
+If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
+be part of an invalid BIO chain. This causes a "use after free" when the
+BIO is eventually freed.
+
+Based on an original patch by Viktor Dukhovni and an idea from Theo
+Buehler.
+
+Thanks to Octavio Galland for reporting this issue.
+---
+ crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
+index 760e4846a474..f8d4b1b9aa67 100644
+--- a/crypto/asn1/bio_ndef.c
++++ b/crypto/asn1/bio_ndef.c
+@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
+ static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
+                             void *parg);
+ 
++/*
++ * On success, the returned BIO owns the input BIO as part of its BIO chain.
++ * On failure, NULL is returned and the input BIO is owned by the caller.
++ *
++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
++ */
+ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ {
+     NDEF_SUPPORT *ndef_aux = NULL;
+     BIO *asn_bio = NULL;
+     const ASN1_AUX *aux = it->funcs;
+     ASN1_STREAM_ARG sarg;
++    BIO *pop_bio = NULL;
+ 
+     if (!aux || !aux->asn1_cb) {
+         ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
+@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+     out = BIO_push(asn_bio, out);
+     if (out == NULL)
+         goto err;
++    pop_bio = asn_bio;
+ 
+-    BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
+-    BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
++    if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
++            || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
++            || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
++        goto err;
+ 
+     /*
+-     * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
+-     * needs.
++     * Now let the callback prepend any digest, cipher, etc., that the BIO's
++     * ASN1 structure needs.
+      */
+ 
+     sarg.out = out;
+     sarg.ndef_bio = NULL;
+     sarg.boundary = NULL;
+ 
+-    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
++    /*
++     * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
++     * middle of some partially built, but not returned BIO chain.
++     */
++    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
++        /*
++         * ndef_aux is now owned by asn_bio so we must not free it in the err
++         * clean up block
++         */
++        ndef_aux = NULL;
+         goto err;
++    }
++
++    /*
++     * We must not fail now because the callback has prepended additional
++     * BIOs to the chain
++     */
+ 
+     ndef_aux->val = val;
+     ndef_aux->it = it;
+@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+     ndef_aux->boundary = sarg.boundary;
+     ndef_aux->out = out;
+ 
+-    BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
+-
+     return sarg.ndef_bio;
+ 
+  err:
++    /* BIO_pop() is NULL safe */
++    (void)BIO_pop(pop_bio);
+     BIO_free(asn_bio);
+     OPENSSL_free(ndef_aux);
+     return NULL;
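Review bot: The `err:` block still calls `OPENSSL_free(ndef_aux)`, and the only thing preventing a double release is the `ndef_aux = NULL` in the `asn1_cb()` failure branch of the previous hunk. That is a long way from the `BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux)` call where the pointer is actually handed over. A failure path added later between those two points would free memory that `asn_bio` still references. I would add a comment at the `BIO_ctrl` condition, e.g. `/* once BIO_C_SET_EX_ARG succeeds asn_bio holds ndef_aux: clear ndef_aux before any later goto err */`. Whether `BIO_free(asn_bio)` then releases it depends on the prefix/suffix free callbacks, which are outside these hunks, so that should be confirmed against them.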
diff --git a/debian/patches/series b/debian/patches/series
index dc58b02ed225430f65eac8d7f7be3baa0657d932..6b210450003c6fcc249c9a79f73c0cb4370ad5cd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,11 @@ Fix-file-operations-in-c_rehash.patch
 Update-expired-SCT-certificates.patch
 ct_test.c-Update-the-epoch-time.patch
 Update-further-expiring-certificates-that-affect-tests.patch
+Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch
+Add-a-test-for-CVE-2022-4450.patch
+CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch
+Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
+Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch
+Fix-Timing-Oracle-in-RSA-decryption.patch
+Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
+AES-OCB-test-vectors.patch