10 files changed, 54 insertions, 67 deletions
diff --git a/src/lib/libcrypto/cms/cms_dd.c b/src/lib/libcrypto/cms/cms_dd.c
index 0a357094c5..daccbcd988 100644
--- a/src/lib/libcrypto/cms/cms_dd.c
+++ b/src/lib/libcrypto/cms/cms_dd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_dd.c,v 1.17 2023/10/26 09:08:57 tb Exp $ */
+/* $OpenBSD: cms_dd.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -56,11 +56,11 @@
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "cms_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 /* CMS DigestedData Utilities */
diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c
index ef6925dbd6..928b396815 100644
--- a/src/lib/libcrypto/cms/cms_enc.c
+++ b/src/lib/libcrypto/cms/cms_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_enc.c,v 1.25 2024/11/01 18:34:06 tb Exp $ */
+/* $OpenBSD: cms_enc.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -58,12 +58,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 /* CMS EncryptedData Utilities */
diff --git a/src/lib/libcrypto/cms/cms_env.c b/src/lib/libcrypto/cms/cms_env.c
index 629d23215e..7fa578466d 100644
--- a/src/lib/libcrypto/cms/cms_env.c
+++ b/src/lib/libcrypto/cms/cms_env.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_env.c,v 1.28 2024/11/01 18:42:10 tb Exp $ */
+/* $OpenBSD: cms_env.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -59,12 +59,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 /* CMS EnvelopedData Utilities */
diff --git a/src/lib/libcrypto/cms/cms_ess.c b/src/lib/libcrypto/cms/cms_ess.c
index f01dcf73ed..5435fa404c 100644
--- a/src/lib/libcrypto/cms/cms_ess.c
+++ b/src/lib/libcrypto/cms/cms_ess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_ess.c,v 1.26 2024/11/01 18:53:35 tb Exp $ */
+/* $OpenBSD: cms_ess.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -57,13 +57,13 @@
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include "cms_local.h"
+#include "err_local.h"
 CMS_ReceiptRequest *
 d2i_CMS_ReceiptRequest(CMS_ReceiptRequest **a, const unsigned char **in, long len)
diff --git a/src/lib/libcrypto/cms/cms_io.c b/src/lib/libcrypto/cms/cms_io.c
index 84ada47c49..a9be5461a3 100644
--- a/src/lib/libcrypto/cms/cms_io.c
+++ b/src/lib/libcrypto/cms/cms_io.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_io.c,v 1.21 2024/03/30 01:53:05 joshua Exp $ */
+/* $OpenBSD: cms_io.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -54,12 +54,12 @@
 #include <openssl/asn1t.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
 #include "cms_local.h"
+#include "err_local.h"
 int
 CMS_stream(unsigned char ***boundary, CMS_ContentInfo *cms)
diff --git a/src/lib/libcrypto/cms/cms_kari.c b/src/lib/libcrypto/cms/cms_kari.c
index 86b1ad9e83..c23da18058 100644
--- a/src/lib/libcrypto/cms/cms_kari.c
+++ b/src/lib/libcrypto/cms/cms_kari.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_kari.c,v 1.17 2024/11/01 18:34:06 tb Exp $ */
+/* $OpenBSD: cms_kari.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -57,10 +57,10 @@
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include "cms_local.h"
+#include "err_local.h"
 /* Key Agreement Recipient Info (KARI) routines */
diff --git a/src/lib/libcrypto/cms/cms_lib.c b/src/lib/libcrypto/cms/cms_lib.c
index 2d7a8d9f21..b9fc5c21c7 100644
--- a/src/lib/libcrypto/cms/cms_lib.c
+++ b/src/lib/libcrypto/cms/cms_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_lib.c,v 1.26 2024/11/01 18:53:35 tb Exp $ */
+/* $OpenBSD: cms_lib.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -57,13 +57,13 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include "cms_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 CMS_ContentInfo *
diff --git a/src/lib/libcrypto/cms/cms_pwri.c b/src/lib/libcrypto/cms/cms_pwri.c
index b6fe5df961..f64f4ab68c 100644
--- a/src/lib/libcrypto/cms/cms_pwri.c
+++ b/src/lib/libcrypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.31 2024/01/14 18:40:24 tb Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.35 2025/09/30 12:51:16 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -58,13 +58,13 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/cms.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
@@ -267,7 +267,7 @@ kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
                /* Check byte failure */
                goto err;
        }
-        if (inlen < (size_t)(tmp[0] - 4)) {
+        if (inlen < 4 + (size_t)tmp[0]) {
                /* Invalid length value */
                goto err;
        }
@@ -368,13 +368,13 @@ cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
        kekcipher = EVP_get_cipherbyobj(kekalg->algorithm);
        if (!kekcipher) {
                CMSerror(CMS_R_UNKNOWN_CIPHER);
-                return 0;
+                goto err;
        }
        kekctx = EVP_CIPHER_CTX_new();
        if (kekctx == NULL) {
                CMSerror(ERR_R_MALLOC_FAILURE);
-                return 0;
+                goto err;
        }
        /* Fixup cipher based on AlgorithmIdentifier to set IV etc */
        if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de))
@@ -389,8 +389,8 @@ cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
        /* Finish password based key derivation to setup key in "ctx" */
-        if (EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass,
+        if (!EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass,
-            pwri->passlen, algtmp->parameter, kekctx, en_de) < 0) {
+            pwri->passlen, algtmp->parameter, kekctx, en_de)) {
                CMSerror(ERR_R_EVP_LIB);
                goto err;
        }
diff --git a/src/lib/libcrypto/cms/cms_sd.c b/src/lib/libcrypto/cms/cms_sd.c
index 9cdd4ce143..abcac83e47 100644
--- a/src/lib/libcrypto/cms/cms_sd.c
+++ b/src/lib/libcrypto/cms/cms_sd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_sd.c,v 1.33 2024/04/20 10:11:55 tb Exp $ */
+/* $OpenBSD: cms_sd.c,v 1.36 2025/07/31 02:24:21 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -57,7 +57,6 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/cms.h>
 #include <openssl/objects.h>
@@ -66,6 +65,7 @@
 #include "asn1_local.h"
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
@@ -484,35 +484,6 @@ CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk,
 }
 LCRYPTO_ALIAS(CMS_add1_signer);
-static int
-cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t)
-{
-        ASN1_TIME *tt;
-        int r = 0;
-        if (t)
-                tt = t;
-        else
-                tt = X509_gmtime_adj(NULL, 0);
-        if (!tt)
-                goto merr;
-        if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
-                                                tt->type, tt, -1) <= 0)
-                goto merr;
-        r = 1;
- merr:
-        if (!t)
-                ASN1_TIME_free(tt);
-        if (!r)
-                CMSerror(ERR_R_MALLOC_FAILURE);
-        return r;
-}
 EVP_PKEY_CTX *
 CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si)
 {
@@ -778,6 +749,7 @@ cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain)
 int
 CMS_SignerInfo_sign(CMS_SignerInfo *si)
 {
+        ASN1_TIME *at = NULL;
        const EVP_MD *md;
        unsigned char *buf = NULL, *sig = NULL;
        int buf_len = 0;
@@ -788,7 +760,12 @@ CMS_SignerInfo_sign(CMS_SignerInfo *si)
                goto err;
        if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
-                if (!cms_add1_signingTime(si, NULL))
+                if ((at = X509_gmtime_adj(NULL, 0)) == NULL) {
+                        CMSerror(ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
+                    at->type, at, -1))
                        goto err;
        }
@@ -828,6 +805,7 @@ CMS_SignerInfo_sign(CMS_SignerInfo *si)
        ret = 1;
 err:
+        ASN1_TIME_free(at);
        (void)EVP_MD_CTX_reset(si->mctx);
        freezero(buf, buf_len);
        freezero(sig, sig_len);
@@ -1012,6 +990,8 @@ LCRYPTO_ALIAS(CMS_add_smimecap);
 * Add AlgorithmIdentifier OID of type |nid| to the SMIMECapability attribute
 * set |*out_algs| (see RFC 3851, section 2.5.2). If keysize > 0, the OID has
 * an integer parameter of value |keysize|, otherwise parameters are omitted.
+ *
+ * See also PKCS7_simple_smimecap().
 */
 int
 CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **out_algs, int nid, int keysize)
diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c
index 5a194748d9..a4918643d2 100644
--- a/src/lib/libcrypto/cms/cms_smime.c
+++ b/src/lib/libcrypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.28 2023/12/22 10:23:11 tb Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.31 2025/11/28 06:07:09 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -59,7 +59,6 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
@@ -67,6 +66,7 @@
 #include <openssl/x509_vfy.h>
 #include "cms_local.h"
+#include "err_local.h"
 static BIO *
 cms_get_text_bio(BIO *out, unsigned int flags)
@@ -277,25 +277,32 @@ CMS_ContentInfo *
 CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher,
    const unsigned char *key, size_t keylen, unsigned int flags)
 {
-        CMS_ContentInfo *cms;
+        CMS_ContentInfo *cms = NULL;
-        if (!cipher) {
+        if (cipher == NULL) {
                CMSerror(CMS_R_NO_CIPHER);
-                return NULL;
+                goto err;
        }
-        cms = CMS_ContentInfo_new();
-        if (cms == NULL)
+        if ((cms = CMS_ContentInfo_new()) == NULL)
-                return NULL;
+                goto err;
        if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen))
-                return NULL;
+                goto err;
-        if (!(flags & CMS_DETACHED))
+        if ((flags & CMS_DETACHED) == 0) {
-                CMS_set_detached(cms, 0);
+                if (!CMS_set_detached(cms, 0))
+                        goto err;
+        }
-        if ((flags & (CMS_STREAM | CMS_PARTIAL)) ||
+        if ((flags & (CMS_STREAM | CMS_PARTIAL)) == 0) {
-            CMS_final(cms, in, NULL, flags))
+                if (!CMS_final(cms, in, NULL, flags))
-                return cms;
+                        goto err;
+        }
+        return cms;
+ err:
        CMS_ContentInfo_free(cms);
        return NULL;

diff --git a/src/lib/libcrypto/cms/cms_dd.c b/src/lib/libcrypto/cms/cms_dd.c index 0a357094c5..daccbcd988 100644 --- a/src/lib/libcrypto/cms/cms_dd.c +++ b/src/lib/libcrypto/cms/cms_dd.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_dd.c,v 1.17 2023/10/26 09:08:57 tb Exp $ */	1	/* $OpenBSD: cms_dd.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -56,11 +56,11 @@
56		56
57	#include <openssl/asn1.h>	57	#include <openssl/asn1.h>
58	#include <openssl/cms.h>	58	#include <openssl/cms.h>
59	#include <openssl/err.h>
60	#include <openssl/evp.h>	59	#include <openssl/evp.h>
61	#include <openssl/objects.h>	60	#include <openssl/objects.h>
62		61
63	#include "cms_local.h"	62	#include "cms_local.h"
		63	#include "err_local.h"
64	#include "x509_local.h"	64	#include "x509_local.h"
65		65
66	/* CMS DigestedData Utilities */	66	/* CMS DigestedData Utilities */


diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c index ef6925dbd6..928b396815 100644 --- a/src/lib/libcrypto/cms/cms_enc.c +++ b/src/lib/libcrypto/cms/cms_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_enc.c,v 1.25 2024/11/01 18:34:06 tb Exp $ */	1	/* $OpenBSD: cms_enc.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -58,12 +58,12 @@
58	#include <openssl/asn1.h>	58	#include <openssl/asn1.h>
59	#include <openssl/bio.h>	59	#include <openssl/bio.h>
60	#include <openssl/cms.h>	60	#include <openssl/cms.h>
61	#include <openssl/err.h>
62	#include <openssl/evp.h>	61	#include <openssl/evp.h>
63	#include <openssl/objects.h>	62	#include <openssl/objects.h>
64	#include <openssl/x509.h>	63	#include <openssl/x509.h>
65		64
66	#include "cms_local.h"	65	#include "cms_local.h"
		66	#include "err_local.h"
67	#include "evp_local.h"	67	#include "evp_local.h"
68		68
69	/* CMS EncryptedData Utilities */	69	/* CMS EncryptedData Utilities */


diff --git a/src/lib/libcrypto/cms/cms_env.c b/src/lib/libcrypto/cms/cms_env.c index 629d23215e..7fa578466d 100644 --- a/src/lib/libcrypto/cms/cms_env.c +++ b/src/lib/libcrypto/cms/cms_env.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_env.c,v 1.28 2024/11/01 18:42:10 tb Exp $ */	1	/* $OpenBSD: cms_env.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -59,12 +59,12 @@
59	#include <openssl/asn1.h>	59	#include <openssl/asn1.h>
60	#include <openssl/bio.h>	60	#include <openssl/bio.h>
61	#include <openssl/cms.h>	61	#include <openssl/cms.h>
62	#include <openssl/err.h>
63	#include <openssl/evp.h>	62	#include <openssl/evp.h>
64	#include <openssl/objects.h>	63	#include <openssl/objects.h>
65	#include <openssl/x509.h>	64	#include <openssl/x509.h>
66		65
67	#include "cms_local.h"	66	#include "cms_local.h"
		67	#include "err_local.h"
68	#include "evp_local.h"	68	#include "evp_local.h"
69		69
70	/* CMS EnvelopedData Utilities */	70	/* CMS EnvelopedData Utilities */


diff --git a/src/lib/libcrypto/cms/cms_ess.c b/src/lib/libcrypto/cms/cms_ess.c index f01dcf73ed..5435fa404c 100644 --- a/src/lib/libcrypto/cms/cms_ess.c +++ b/src/lib/libcrypto/cms/cms_ess.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_ess.c,v 1.26 2024/11/01 18:53:35 tb Exp $ */	1	/* $OpenBSD: cms_ess.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -57,13 +57,13 @@
57		57
58	#include <openssl/asn1.h>	58	#include <openssl/asn1.h>
59	#include <openssl/cms.h>	59	#include <openssl/cms.h>
60	#include <openssl/err.h>
61	#include <openssl/evp.h>	60	#include <openssl/evp.h>
62	#include <openssl/objects.h>	61	#include <openssl/objects.h>
63	#include <openssl/x509.h>	62	#include <openssl/x509.h>
64	#include <openssl/x509v3.h>	63	#include <openssl/x509v3.h>
65		64
66	#include "cms_local.h"	65	#include "cms_local.h"
		66	#include "err_local.h"
67		67
68	CMS_ReceiptRequest *	68	CMS_ReceiptRequest *
69	d2i_CMS_ReceiptRequest(CMS_ReceiptRequest a, const unsigned char in, long len)	69	d2i_CMS_ReceiptRequest(CMS_ReceiptRequest a, const unsigned char in, long len)


diff --git a/src/lib/libcrypto/cms/cms_io.c b/src/lib/libcrypto/cms/cms_io.c index 84ada47c49..a9be5461a3 100644 --- a/src/lib/libcrypto/cms/cms_io.c +++ b/src/lib/libcrypto/cms/cms_io.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_io.c,v 1.21 2024/03/30 01:53:05 joshua Exp $ */	1	/* $OpenBSD: cms_io.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -54,12 +54,12 @@
54		54
55	#include <openssl/asn1t.h>	55	#include <openssl/asn1t.h>
56	#include <openssl/cms.h>	56	#include <openssl/cms.h>
57	#include <openssl/err.h>
58	#include <openssl/pem.h>	57	#include <openssl/pem.h>
59	#include <openssl/x509.h>	58	#include <openssl/x509.h>
60		59
61	#include "asn1_local.h"	60	#include "asn1_local.h"
62	#include "cms_local.h"	61	#include "cms_local.h"
		62	#include "err_local.h"
63		63
64	int	64	int
65	CMS_stream(unsigned char **boundary, CMS_ContentInfo cms)	65	CMS_stream(unsigned char **boundary, CMS_ContentInfo cms)


diff --git a/src/lib/libcrypto/cms/cms_kari.c b/src/lib/libcrypto/cms/cms_kari.c index 86b1ad9e83..c23da18058 100644 --- a/src/lib/libcrypto/cms/cms_kari.c +++ b/src/lib/libcrypto/cms/cms_kari.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_kari.c,v 1.17 2024/11/01 18:34:06 tb Exp $ */	1	/* $OpenBSD: cms_kari.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -57,10 +57,10 @@
57		57
58	#include <openssl/asn1.h>	58	#include <openssl/asn1.h>
59	#include <openssl/cms.h>	59	#include <openssl/cms.h>
60	#include <openssl/err.h>
61	#include <openssl/evp.h>	60	#include <openssl/evp.h>
62		61
63	#include "cms_local.h"	62	#include "cms_local.h"
		63	#include "err_local.h"
64		64
65	/* Key Agreement Recipient Info (KARI) routines */	65	/* Key Agreement Recipient Info (KARI) routines */
66		66


diff --git a/src/lib/libcrypto/cms/cms_lib.c b/src/lib/libcrypto/cms/cms_lib.c index 2d7a8d9f21..b9fc5c21c7 100644 --- a/src/lib/libcrypto/cms/cms_lib.c +++ b/src/lib/libcrypto/cms/cms_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_lib.c,v 1.26 2024/11/01 18:53:35 tb Exp $ */	1	/* $OpenBSD: cms_lib.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -57,13 +57,13 @@
57	#include <openssl/asn1.h>	57	#include <openssl/asn1.h>
58	#include <openssl/bio.h>	58	#include <openssl/bio.h>
59	#include <openssl/cms.h>	59	#include <openssl/cms.h>
60	#include <openssl/err.h>
61	#include <openssl/evp.h>	60	#include <openssl/evp.h>
62	#include <openssl/objects.h>	61	#include <openssl/objects.h>
63	#include <openssl/x509.h>	62	#include <openssl/x509.h>
64	#include <openssl/x509v3.h>	63	#include <openssl/x509v3.h>
65		64
66	#include "cms_local.h"	65	#include "cms_local.h"
		66	#include "err_local.h"
67	#include "x509_local.h"	67	#include "x509_local.h"
68		68
69	CMS_ContentInfo *	69	CMS_ContentInfo *


diff --git a/src/lib/libcrypto/cms/cms_pwri.c b/src/lib/libcrypto/cms/cms_pwri.c index b6fe5df961..f64f4ab68c 100644 --- a/src/lib/libcrypto/cms/cms_pwri.c +++ b/src/lib/libcrypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_pwri.c,v 1.31 2024/01/14 18:40:24 tb Exp $ */	1	/* $OpenBSD: cms_pwri.c,v 1.35 2025/09/30 12:51:16 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -58,13 +58,13 @@
58	#include <string.h>	58	#include <string.h>
59		59
60	#include <openssl/asn1.h>	60	#include <openssl/asn1.h>
61	#include <openssl/err.h>
62	#include <openssl/evp.h>	61	#include <openssl/evp.h>
63	#include <openssl/cms.h>	62	#include <openssl/cms.h>
64	#include <openssl/objects.h>	63	#include <openssl/objects.h>
65	#include <openssl/x509.h>	64	#include <openssl/x509.h>
66		65
67	#include "cms_local.h"	66	#include "cms_local.h"
		67	#include "err_local.h"
68	#include "evp_local.h"	68	#include "evp_local.h"
69	#include "x509_local.h"	69	#include "x509_local.h"
70		70
@@ -267,7 +267,7 @@ kek_unwrap_key(unsigned char out, size_t outlen, const unsigned char *in,
267	/* Check byte failure */	267	/* Check byte failure */
268	goto err;	268	goto err;
269	}	269	}
270	if (inlen < (size_t)(tmp[0] - 4)) {	270	if (inlen < 4 + (size_t)tmp[0]) {
271	/* Invalid length value */	271	/* Invalid length value */
272	goto err;	272	goto err;
273	}	273	}
@@ -368,13 +368,13 @@ cms_RecipientInfo_pwri_crypt(CMS_ContentInfo cms, CMS_RecipientInfo ri,
368	kekcipher = EVP_get_cipherbyobj(kekalg->algorithm);	368	kekcipher = EVP_get_cipherbyobj(kekalg->algorithm);
369	if (!kekcipher) {	369	if (!kekcipher) {
370	CMSerror(CMS_R_UNKNOWN_CIPHER);	370	CMSerror(CMS_R_UNKNOWN_CIPHER);
371	return 0;	371	goto err;
372	}	372	}
373		373
374	kekctx = EVP_CIPHER_CTX_new();	374	kekctx = EVP_CIPHER_CTX_new();
375	if (kekctx == NULL) {	375	if (kekctx == NULL) {
376	CMSerror(ERR_R_MALLOC_FAILURE);	376	CMSerror(ERR_R_MALLOC_FAILURE);
377	return 0;	377	goto err;
378	}	378	}
379	/* Fixup cipher based on AlgorithmIdentifier to set IV etc */	379	/* Fixup cipher based on AlgorithmIdentifier to set IV etc */
380	if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de))	380	if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de))
@@ -389,8 +389,8 @@ cms_RecipientInfo_pwri_crypt(CMS_ContentInfo cms, CMS_RecipientInfo ri,
389		389
390	/* Finish password based key derivation to setup key in "ctx" */	390	/* Finish password based key derivation to setup key in "ctx" */
391		391
392	if (EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass,	392	if (!EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass,
393	pwri->passlen, algtmp->parameter, kekctx, en_de) < 0) {	393	pwri->passlen, algtmp->parameter, kekctx, en_de)) {
394	CMSerror(ERR_R_EVP_LIB);	394	CMSerror(ERR_R_EVP_LIB);
395	goto err;	395	goto err;
396	}	396	}


diff --git a/src/lib/libcrypto/cms/cms_sd.c b/src/lib/libcrypto/cms/cms_sd.c index 9cdd4ce143..abcac83e47 100644 --- a/src/lib/libcrypto/cms/cms_sd.c +++ b/src/lib/libcrypto/cms/cms_sd.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_sd.c,v 1.33 2024/04/20 10:11:55 tb Exp $ */	1	/* $OpenBSD: cms_sd.c,v 1.36 2025/07/31 02:24:21 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -57,7 +57,6 @@
57		57
58	#include <openssl/asn1.h>	58	#include <openssl/asn1.h>
59	#include <openssl/bio.h>	59	#include <openssl/bio.h>
60	#include <openssl/err.h>
61	#include <openssl/evp.h>	60	#include <openssl/evp.h>
62	#include <openssl/cms.h>	61	#include <openssl/cms.h>
63	#include <openssl/objects.h>	62	#include <openssl/objects.h>
@@ -66,6 +65,7 @@
66		65
67	#include "asn1_local.h"	66	#include "asn1_local.h"
68	#include "cms_local.h"	67	#include "cms_local.h"
		68	#include "err_local.h"
69	#include "evp_local.h"	69	#include "evp_local.h"
70	#include "x509_local.h"	70	#include "x509_local.h"
71		71
@@ -484,35 +484,6 @@ CMS_add1_signer(CMS_ContentInfo cms, X509 signer, EVP_PKEY *pk,
484	}	484	}
485	LCRYPTO_ALIAS(CMS_add1_signer);	485	LCRYPTO_ALIAS(CMS_add1_signer);
486		486
487	static int
488	cms_add1_signingTime(CMS_SignerInfo si, ASN1_TIME t)
489	{
490	ASN1_TIME *tt;
491	int r = 0;
492
493	if (t)
494	tt = t;
495	else
496	tt = X509_gmtime_adj(NULL, 0);
497
498	if (!tt)
499	goto merr;
500
501	if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
502	tt->type, tt, -1) <= 0)
503	goto merr;
504
505	r = 1;
506
507	merr:
508	if (!t)
509	ASN1_TIME_free(tt);
510	if (!r)
511	CMSerror(ERR_R_MALLOC_FAILURE);
512
513	return r;
514	}
515
516	EVP_PKEY_CTX *	487	EVP_PKEY_CTX *
517	CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si)	488	CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si)
518	{	489	{
@@ -778,6 +749,7 @@ cms_SignedData_final(CMS_ContentInfo cms, BIO chain)
778	int	749	int
779	CMS_SignerInfo_sign(CMS_SignerInfo *si)	750	CMS_SignerInfo_sign(CMS_SignerInfo *si)
780	{	751	{
		752	ASN1_TIME *at = NULL;
781	const EVP_MD *md;	753	const EVP_MD *md;
782	unsigned char buf = NULL, sig = NULL;	754	unsigned char buf = NULL, sig = NULL;
783	int buf_len = 0;	755	int buf_len = 0;
@@ -788,7 +760,12 @@ CMS_SignerInfo_sign(CMS_SignerInfo *si)
788	goto err;	760	goto err;
789		761
790	if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {	762	if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
791	if (!cms_add1_signingTime(si, NULL))	763	if ((at = X509_gmtime_adj(NULL, 0)) == NULL) {
		764	CMSerror(ERR_R_MALLOC_FAILURE);
		765	goto err;
		766	}
		767	if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
		768	at->type, at, -1))
792	goto err;	769	goto err;
793	}	770	}
794		771
@@ -828,6 +805,7 @@ CMS_SignerInfo_sign(CMS_SignerInfo *si)
828	ret = 1;	805	ret = 1;
829		806
830	err:	807	err:
		808	ASN1_TIME_free(at);
831	(void)EVP_MD_CTX_reset(si->mctx);	809	(void)EVP_MD_CTX_reset(si->mctx);
832	freezero(buf, buf_len);	810	freezero(buf, buf_len);
833	freezero(sig, sig_len);	811	freezero(sig, sig_len);
@@ -1012,6 +990,8 @@ LCRYPTO_ALIAS(CMS_add_smimecap);
1012	* Add AlgorithmIdentifier OID of type \|nid\| to the SMIMECapability attribute	990	* Add AlgorithmIdentifier OID of type \|nid\| to the SMIMECapability attribute
1013	* set \|*out_algs\| (see RFC 3851, section 2.5.2). If keysize > 0, the OID has	991	* set \|*out_algs\| (see RFC 3851, section 2.5.2). If keysize > 0, the OID has
1014	* an integer parameter of value \|keysize\|, otherwise parameters are omitted.	992	* an integer parameter of value \|keysize\|, otherwise parameters are omitted.
		993	*
		994	* See also PKCS7_simple_smimecap().
1015	*/	995	*/
1016	int	996	int
1017	CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **out_algs, int nid, int keysize)	997	CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **out_algs, int nid, int keysize)


diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c index 5a194748d9..a4918643d2 100644 --- a/src/lib/libcrypto/cms/cms_smime.c +++ b/src/lib/libcrypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cms_smime.c,v 1.28 2023/12/22 10:23:11 tb Exp $ */	1	/* $OpenBSD: cms_smime.c,v 1.31 2025/11/28 06:07:09 tb Exp $ */
2	/*	2	/*
3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	3	* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4	* project.	4	* project.
@@ -59,7 +59,6 @@
59	#include <openssl/asn1.h>	59	#include <openssl/asn1.h>
60	#include <openssl/bio.h>	60	#include <openssl/bio.h>
61	#include <openssl/cms.h>	61	#include <openssl/cms.h>
62	#include <openssl/err.h>
63	#include <openssl/evp.h>	62	#include <openssl/evp.h>
64	#include <openssl/objects.h>	63	#include <openssl/objects.h>
65	#include <openssl/pkcs7.h>	64	#include <openssl/pkcs7.h>
@@ -67,6 +66,7 @@
67	#include <openssl/x509_vfy.h>	66	#include <openssl/x509_vfy.h>
68		67
69	#include "cms_local.h"	68	#include "cms_local.h"
		69	#include "err_local.h"
70		70
71	static BIO *	71	static BIO *
72	cms_get_text_bio(BIO *out, unsigned int flags)	72	cms_get_text_bio(BIO *out, unsigned int flags)
@@ -277,25 +277,32 @@ CMS_ContentInfo *
277	CMS_EncryptedData_encrypt(BIO in, const EVP_CIPHER cipher,	277	CMS_EncryptedData_encrypt(BIO in, const EVP_CIPHER cipher,
278	const unsigned char *key, size_t keylen, unsigned int flags)	278	const unsigned char *key, size_t keylen, unsigned int flags)
279	{	279	{
280	CMS_ContentInfo *cms;	280	CMS_ContentInfo *cms = NULL;
281		281
282	if (!cipher) {	282	if (cipher == NULL) {
283	CMSerror(CMS_R_NO_CIPHER);	283	CMSerror(CMS_R_NO_CIPHER);
284	return NULL;	284	goto err;
285	}	285	}
286	cms = CMS_ContentInfo_new();	286
287	if (cms == NULL)	287	if ((cms = CMS_ContentInfo_new()) == NULL)
288	return NULL;	288	goto err;
		289
289	if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen))	290	if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen))
290	return NULL;	291	goto err;
291		292
292	if (!(flags & CMS_DETACHED))	293	if ((flags & CMS_DETACHED) == 0) {
293	CMS_set_detached(cms, 0);	294	if (!CMS_set_detached(cms, 0))
		295	goto err;
		296	}
294		297
295	if ((flags & (CMS_STREAM \| CMS_PARTIAL)) \|\|	298	if ((flags & (CMS_STREAM \| CMS_PARTIAL)) == 0) {
296	CMS_final(cms, in, NULL, flags))	299	if (!CMS_final(cms, in, NULL, flags))
297	return cms;	300	goto err;
		301	}
298		302
		303	return cms;
		304
		305	err:
299	CMS_ContentInfo_free(cms);	306	CMS_ContentInfo_free(cms);
300		307
301	return NULL;	308	return NULL;