From 31d61b19d554907fbc9d34f30c96c68c7e6c8e73 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 29 May 2019 17:23:31 +0200 Subject: [PATCH] update to the 1.1.1c release --- .gitignore | 1 + ectest.c | 72 +- openssl-1.1.1-ec-curves.patch | 154 +- openssl-1.1.1-evp-kdf.patch | 13 +- openssl-1.1.1-fips-post-rand.patch | 42 +- openssl-1.1.1-fips.patch | 47 +- openssl-1.1.1-regression-fixes.patch | 21 - openssl-1.1.1-system-cipherlist.patch | 80 +- openssl-1.1.1-upstream-sync.patch | 2331 +------------------------ openssl-1.1.1-version-override.patch | 12 +- openssl.spec | 7 +- sources | 2 +- 12 files changed, 319 insertions(+), 2463 deletions(-) diff --git a/.gitignore b/.gitignore index 3b8aa45..a3a6054 100644 --- a/.gitignore +++ b/.gitignore @@ -43,3 +43,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.1.1-hobbled.tar.xz /openssl-1.1.1a-hobbled.tar.xz /openssl-1.1.1b-hobbled.tar.xz +/openssl-1.1.1c-hobbled.tar.xz diff --git a/ectest.c b/ectest.c index 5c20ac3..53adf88 100644 --- a/ectest.c +++ b/ectest.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -728,6 +728,75 @@ err: BN_CTX_free(ctx); return r; } + +/* + * Tests a point known to cause an incorrect underflow in an old version of + * ecp_nist521.c + */ +static int underflow_test(void) +{ + BN_CTX *ctx = NULL; + EC_GROUP *grp = NULL; + EC_POINT *P = NULL, *Q = NULL, *R = NULL; + BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL; + BIGNUM *k = NULL; + int testresult = 0; + const char *x1str = + "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4" + "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004"; + const char *p521m1 = + "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"; + + ctx = BN_CTX_new(); + if (!TEST_ptr(ctx)) + return 0; + + BN_CTX_start(ctx); + x1 = BN_CTX_get(ctx); + y1 = BN_CTX_get(ctx); + z1 = BN_CTX_get(ctx); + x2 = BN_CTX_get(ctx); + y2 = BN_CTX_get(ctx); + k = BN_CTX_get(ctx); + if (!TEST_ptr(k)) + goto err; + + grp = EC_GROUP_new_by_curve_name(NID_secp521r1); + P = EC_POINT_new(grp); + Q = EC_POINT_new(grp); + R = EC_POINT_new(grp); + if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R)) + goto err; + + if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0) + || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0) + || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0) + || !TEST_int_gt(BN_hex2bn(&k, "02"), 0) + || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1, + y1, z1, ctx)) + || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx)) + || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx)) + || !TEST_true(EC_POINT_dbl(grp, R, P, ctx)) + || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx))) + goto err; + + if (!TEST_int_eq(BN_cmp(x1, x2), 0) + || !TEST_int_eq(BN_cmp(y1, y2), 0)) + goto err; + + testresult = 1; + + err: + BN_CTX_end(ctx); + EC_POINT_free(P); + EC_POINT_free(Q); + EC_POINT_free(R); + EC_GROUP_free(grp); + BN_CTX_free(ctx); + + return testresult; +} # endif static const unsigned char p521_named[] = { @@ -835,6 +904,7 @@ int setup_tests(void) # endif # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params)); + ADD_TEST(underflow_test); # endif ADD_ALL_TESTS(internal_curve_test, crv_len); ADD_ALL_TESTS(internal_curve_test_method, crv_len); diff --git a/openssl-1.1.1-ec-curves.patch b/openssl-1.1.1-ec-curves.patch index 368f544..a83a331 100644 --- a/openssl-1.1.1-ec-curves.patch +++ b/openssl-1.1.1-ec-curves.patch @@ -1,40 +1,38 @@ -diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c ---- openssl-1.1.1b/apps/speed.c.curves 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/apps/speed.c 2019-02-28 11:20:42.347170167 +0100 -@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = { - static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */ +diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c +--- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200 +@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2]; #endif /* OPENSSL_NO_RSA */ --#define R_EC_P160 0 --#define R_EC_P192 1 --#define R_EC_P224 2 --#define R_EC_P256 3 --#define R_EC_P384 4 --#define R_EC_P521 5 --#define R_EC_K163 6 --#define R_EC_K233 7 --#define R_EC_K283 8 --#define R_EC_K409 9 --#define R_EC_K571 10 --#define R_EC_B163 11 --#define R_EC_B233 12 --#define R_EC_B283 13 --#define R_EC_B409 14 --#define R_EC_B571 15 --#define R_EC_BRP256R1 16 --#define R_EC_BRP256T1 17 --#define R_EC_BRP384R1 18 --#define R_EC_BRP384T1 19 --#define R_EC_BRP512R1 20 --#define R_EC_BRP512T1 21 --#define R_EC_X25519 22 --#define R_EC_X448 23 -+#define R_EC_P224 0 -+#define R_EC_P256 1 -+#define R_EC_P384 2 -+#define R_EC_P521 3 -+#define R_EC_X25519 4 -+#define R_EC_X448 5 + enum { +- R_EC_P160, +- R_EC_P192, + R_EC_P224, + R_EC_P256, + R_EC_P384, + R_EC_P521, +-#ifndef OPENSSL_NO_EC2M +- R_EC_K163, +- R_EC_K233, +- R_EC_K283, +- R_EC_K409, +- R_EC_K571, +- R_EC_B163, +- R_EC_B233, +- R_EC_B283, +- R_EC_B409, +- R_EC_B571, +-#endif +- R_EC_BRP256R1, +- R_EC_BRP256T1, +- R_EC_BRP384R1, +- R_EC_BRP384T1, +- R_EC_BRP512R1, +- R_EC_BRP512T1, + R_EC_X25519, + R_EC_X448 + }; + #ifndef OPENSSL_NO_EC static OPT_PAIR ecdsa_choices[] = { - {"ecdsap160", R_EC_P160}, @@ -43,6 +41,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c {"ecdsap256", R_EC_P256}, {"ecdsap384", R_EC_P384}, {"ecdsap521", R_EC_P521}, +-# ifndef OPENSSL_NO_EC2M - {"ecdsak163", R_EC_K163}, - {"ecdsak233", R_EC_K233}, - {"ecdsak283", R_EC_K283}, @@ -53,6 +52,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c - {"ecdsab283", R_EC_B283}, - {"ecdsab409", R_EC_B409}, - {"ecdsab571", R_EC_B571}, +-# endif - {"ecdsabrp256r1", R_EC_BRP256R1}, - {"ecdsabrp256t1", R_EC_BRP256T1}, - {"ecdsabrp384r1", R_EC_BRP384R1}, @@ -71,6 +71,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c {"ecdhp256", R_EC_P256}, {"ecdhp384", R_EC_P384}, {"ecdhp521", R_EC_P521}, +-# ifndef OPENSSL_NO_EC2M - {"ecdhk163", R_EC_K163}, - {"ecdhk233", R_EC_K233}, - {"ecdhk283", R_EC_K283}, @@ -81,6 +82,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c - {"ecdhb283", R_EC_B283}, - {"ecdhb409", R_EC_B409}, - {"ecdhb571", R_EC_B571}, +-# endif - {"ecdhbrp256r1", R_EC_BRP256R1}, - {"ecdhbrp256t1", R_EC_BRP256T1}, - {"ecdhbrp384r1", R_EC_BRP384R1}, @@ -90,7 +92,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c {"ecdhx25519", R_EC_X25519}, {"ecdhx448", R_EC_X448} }; -@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv) +@@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv) unsigned int bits; } test_curves[] = { /* Prime Curves */ @@ -100,6 +102,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c {"nistp256", NID_X9_62_prime256v1, 256}, {"nistp384", NID_secp384r1, 384}, {"nistp521", NID_secp521r1, 521}, +-# ifndef OPENSSL_NO_EC2M - /* Binary Curves */ - {"nistk163", NID_sect163k1, 163}, - {"nistk233", NID_sect233k1, 233}, @@ -111,6 +114,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c - {"nistb283", NID_sect283r1, 283}, - {"nistb409", NID_sect409r1, 409}, - {"nistb571", NID_sect571r1, 571}, +-# endif - {"brainpoolP256r1", NID_brainpoolP256r1, 256}, - {"brainpoolP256t1", NID_brainpoolP256t1, 256}, - {"brainpoolP384r1", NID_brainpoolP384r1, 384}, @@ -120,7 +124,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c /* Other and ECDH only ones */ {"X25519", NID_X25519, 253}, {"X448", NID_X448, 448} -@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv) +@@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv) # endif # ifndef OPENSSL_NO_EC @@ -133,46 +137,38 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) -@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv) +@@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv) } } } -+#if 0 +-# ifndef OPENSSL_NO_EC2M ++# if 0 ecdsa_c[R_EC_K163][0] = count / 1000; ecdsa_c[R_EC_K163][1] = count / 1000 / 2; for (i = R_EC_K233; i <= R_EC_K571; i++) { -@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv) - } - } +@@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv) } -- + # endif + - ecdh_c[R_EC_P160][0] = count / 1000; - for (i = R_EC_P192; i <= R_EC_P521; i++) { -+#endif + ecdh_c[R_EC_P224][0] = count / 1000; + for (i = R_EC_P256; i <= R_EC_P521; i++) { ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) ecdh_doit[i] = 0; -@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv) +@@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv) } } } -+#if 0 +-# ifndef OPENSSL_NO_EC2M ++# if 0 ecdh_c[R_EC_K163][0] = count / 1000; for (i = R_EC_K233; i <= R_EC_K571; i++) { ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; -@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv) - } - } - } -+#endif - /* default iteration count for the last two EC Curves */ - ecdh_c[R_EC_X25519][0] = count / 1800; - ecdh_c[R_EC_X448][0] = count / 7200; -diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves openssl-1.1.1b/crypto/ec/ecp_smpl.c ---- openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ecp_smpl.c 2019-02-28 11:19:30.628479300 +0100 +diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c +--- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200 @@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO return 0; } @@ -185,22 +181,30 @@ diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves openssl-1.1.1b/crypto/ec/ecp if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) -diff -up openssl-1.1.1b/test/ecdsatest.c.curves openssl-1.1.1b/test/ecdsatest.c ---- openssl-1.1.1b/test/ecdsatest.c.curves 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/ecdsatest.c 2019-02-28 11:19:30.628479300 +0100 -@@ -176,6 +176,7 @@ static int x9_62_tests(void) - if (!change_rand()) - goto x962_err; +diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h +--- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200 ++++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200 +@@ -32,23 +32,6 @@ typedef struct { + } ecdsa_cavs_kat_t; -+#if 0 - if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1, - "3342403536405981729393488334694600415596881826869351677613", - "5735822328888155254683894997897571951568553642892029982342"))) -@@ -186,6 +187,7 @@ static int x9_62_tests(void) - "3238135532097973577080787768312505059318910517550078427819" - "78505179448783"))) - goto x962_err; -+#endif - - # ifndef OPENSSL_NO_EC2M - if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1, + static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { +- /* prime KATs from X9.62 */ +- {NID_X9_62_prime192v1, NID_sha1, +- "616263", /* "abc" */ +- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", +- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" +- "5ca5c0d69716dfcb3474373902", +- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", +- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", +- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, +- {NID_X9_62_prime239v1, NID_sha1, +- "616263", /* "abc" */ +- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", +- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" +- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", +- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", +- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", +- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, + /* prime KATs from NIST CAVP */ + {NID_secp224r1, NID_sha224, + "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch index cb10eba..6a73a61 100644 --- a/openssl-1.1.1-evp-kdf.patch +++ b/openssl-1.1.1-evp-kdf.patch @@ -5221,17 +5221,16 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/te +use OpenSSL::Test::Simple; + +simple_test("test_evp_kdf", "evp_kdf_test"); -diff -up openssl-1.1.1b/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp.t ---- openssl-1.1.1b/test/recipes/30-test_evp.t.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/recipes/30-test_evp.t 2019-02-28 13:05:05.659521326 +0100 -@@ -15,8 +15,8 @@ use OpenSSL::Test qw/:DEFAULT data_file/ +diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/recipes/30-test_evp.t +--- openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf 2019-05-29 16:55:38.236960543 +0200 ++++ openssl-1.1.1c/test/recipes/30-test_evp.t 2019-05-29 16:57:46.348718012 +0200 +@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/ setup("test_evp"); my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt", - "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt", -- "evpcase.txt" ); -+ "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt", -+ "evppkey_ecc.txt", "evpcase.txt" ); ++ "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt", + "evpcase.txt", "evpccmcavs.txt" ); plan tests => scalar(@files); diff --git a/openssl-1.1.1-fips-post-rand.patch b/openssl-1.1.1-fips-post-rand.patch index 6e714bc..fc60e33 100644 --- a/openssl-1.1.1-fips-post-rand.patch +++ b/openssl-1.1.1-fips-post-rand.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand openssl-1.1.1a/crypto/fips/fips.c ---- openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand 2019-01-15 14:14:07.813360637 +0100 -+++ openssl-1.1.1a/crypto/fips/fips.c 2019-01-15 14:14:07.838360173 +0100 +diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/fips/fips.c +--- openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand 2019-05-29 15:53:56.328216002 +0200 ++++ openssl-1.1.1c/crypto/fips/fips.c 2019-05-29 15:53:56.359215457 +0200 @@ -68,6 +68,7 @@ # include @@ -51,10 +51,10 @@ diff -up openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand openssl-1.1.1a/crypto/ ret = 1; goto end; } -diff -up openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1a/crypto/include/internal/fips_int.h ---- openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand 2019-01-15 14:14:07.821360489 +0100 -+++ openssl-1.1.1a/crypto/include/internal/fips_int.h 2019-01-15 14:14:07.838360173 +0100 -@@ -76,6 +76,8 @@ int FIPS_selftest_hmac(void); +diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1c/crypto/include/internal/fips_int.h +--- openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand 2019-05-29 15:53:56.337215844 +0200 ++++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-05-29 15:53:56.359215457 +0200 +@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); int FIPS_selftest_drbg(void); int FIPS_selftest_cmac(void); @@ -63,9 +63,9 @@ diff -up openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand openss int fips_pkey_signature_test(EVP_PKEY *pkey, const unsigned char *tbs, int tbslen, const unsigned char *kat, -diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/crypto/rand/rand_unix.c ---- openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand 2018-11-20 14:35:38.000000000 +0100 -+++ openssl-1.1.1a/crypto/rand/rand_unix.c 2019-01-15 14:17:22.416748544 +0100 +diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/crypto/rand/rand_unix.c +--- openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-05-29 16:54:16.471391802 +0200 @@ -16,10 +16,12 @@ #include #include "rand_lcl.h" @@ -74,12 +74,13 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr #include #include "internal/dso.h" #if defined(__linux) - # include +-# include ++# include +# include #endif #if defined(__FreeBSD__) # include -@@ -258,7 +260,7 @@ static ssize_t sysctl_random(char *buf, +@@ -279,7 +281,7 @@ static ssize_t sysctl_random(char *buf, * syscall_random(): Try to get random data using a system call * returns the number of bytes returned in buf, or < 0 on error. */ @@ -88,7 +89,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr { /* * Note: 'buflen' equals the size of the buffer which is used by the -@@ -280,6 +282,7 @@ static ssize_t syscall_random(void *buf, +@@ -301,6 +303,7 @@ static ssize_t syscall_random(void *buf, * - Linux since 3.17 with glibc 2.25 * - FreeBSD since 12.0 (1200061) */ @@ -96,20 +97,21 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) extern int getentropy(void *buffer, size_t length) __attribute__((weak)); -@@ -301,10 +304,10 @@ static ssize_t syscall_random(void *buf, +@@ -322,10 +325,10 @@ static ssize_t syscall_random(void *buf, if (p_getentropy.p != NULL) return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; # endif - +# endif /* Linux supports this since version 3.17 */ - # if defined(__linux) && defined(SYS_getrandom) -- return syscall(SYS_getrandom, buf, buflen, 0); +-# if defined(__linux) && defined(__NR_getrandom) +- return syscall(__NR_getrandom, buf, buflen, 0); ++# if defined(__linux) && defined(SYS_getrandom) + return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0); # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) return sysctl_random(buf, buflen); # else -@@ -454,8 +457,10 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -475,8 +478,10 @@ size_t rand_pool_acquire_entropy(RAND_PO size_t bytes_needed; size_t entropy_available = 0; unsigned char *buffer; @@ -121,7 +123,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr { ssize_t bytes; /* Maximum allowed number of consecutive unsuccessful attempts */ -@@ -464,7 +469,7 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -485,7 +490,7 @@ size_t rand_pool_acquire_entropy(RAND_PO bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); @@ -130,7 +132,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr if (bytes > 0) { rand_pool_add_end(pool, bytes, 8 * bytes); bytes_needed -= bytes; -@@ -496,8 +501,10 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -540,8 +545,10 @@ size_t rand_pool_acquire_entropy(RAND_PO int attempts = 3; const int fd = get_random_device(i); @@ -142,7 +144,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); -@@ -557,7 +564,9 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -601,7 +608,9 @@ size_t rand_pool_acquire_entropy(RAND_PO } } # endif diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 09d8692..d59c440 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -1,3 +1,15 @@ +diff -up openssl-1.1.1b/apps/pkcs12.c.fips openssl-1.1.1b/apps/pkcs12.c +--- openssl-1.1.1b/apps/pkcs12.c.fips 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/apps/pkcs12.c 2019-05-24 12:08:40.524523735 +0200 +@@ -126,7 +126,7 @@ int pkcs12_main(int argc, char **argv) + int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; + int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; + # ifndef OPENSSL_NO_RC2 +- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; ++ int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC; + # else + int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + # endif diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c --- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 11:52:35.887597899 +0200 +++ openssl-1.1.1b/apps/speed.c 2019-05-07 16:51:36.946350159 +0200 @@ -985,9 +997,9 @@ diff -up openssl-1.1.1b/crypto/evp/c_alld.c.fips openssl-1.1.1b/crypto/evp/c_all + } +#endif } -diff -up openssl-1.1.1b/crypto/evp/digest.c.fips openssl-1.1.1b/crypto/evp/digest.c ---- openssl-1.1.1b/crypto/evp/digest.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/digest.c 2019-02-28 11:30:06.803745726 +0100 +diff -up openssl-1.1.1c/crypto/evp/digest.c.fips openssl-1.1.1c/crypto/evp/digest.c +--- openssl-1.1.1c/crypto/evp/digest.c.fips 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/crypto/evp/digest.c 2019-05-29 15:47:59.220499971 +0200 @@ -14,6 +14,9 @@ #include #include "internal/evp_int.h" @@ -1027,17 +1039,18 @@ diff -up openssl-1.1.1b/crypto/evp/digest.c.fips openssl-1.1.1b/crypto/evp/diges if (ctx->digest && ctx->digest->ctx_size) { OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); ctx->md_data = NULL; -@@ -150,6 +168,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c +@@ -150,6 +168,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { +#ifdef OPENSSL_FIPS + FIPS_selftest_check(); +#endif - return ctx->update(ctx, data, count); - } ++ + if (count == 0) + return 1; -@@ -167,6 +188,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, +@@ -170,6 +192,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, { int ret; @@ -9869,11 +9882,11 @@ diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/c +#endif + return 0; +} -diff -up openssl-1.1.1b/crypto/hmac/hmac.c.fips openssl-1.1.1b/crypto/hmac/hmac.c ---- openssl-1.1.1b/crypto/hmac/hmac.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/hmac/hmac.c 2019-02-28 11:30:06.817745466 +0100 -@@ -36,6 +36,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo - } +diff -up openssl-1.1.1c/crypto/hmac/hmac.c.fips openssl-1.1.1c/crypto/hmac/hmac.c +--- openssl-1.1.1c/crypto/hmac/hmac.c.fips 2019-05-29 15:46:19.138261106 +0200 ++++ openssl-1.1.1c/crypto/hmac/hmac.c 2019-05-29 15:49:09.508263133 +0200 +@@ -43,6 +43,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + return 0; if (key != NULL) { +#ifdef OPENSSL_FIPS @@ -11756,13 +11769,13 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1 Cipher = aes-128-xts Key = 1111111111111111111111111111111122222222222222222222222222222222 -diff -up openssl-1.1.1b/util/libcrypto.num.fips openssl-1.1.1b/util/libcrypto.num ---- openssl-1.1.1b/util/libcrypto.num.fips 2019-02-28 11:30:06.824745335 +0100 -+++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 11:33:54.284516991 +0100 -@@ -4579,3 +4579,38 @@ EVP_PKEY_meth_set_digest_custom - EVP_PKEY_meth_get_digest_custom 4533 1_1_1 EXIST::FUNCTION: +diff -up openssl-1.1.1c/util/libcrypto.num.fips openssl-1.1.1c/util/libcrypto.num +--- openssl-1.1.1c/util/libcrypto.num.fips 2019-05-29 15:46:19.154260824 +0200 ++++ openssl-1.1.1c/util/libcrypto.num 2019-05-29 15:50:10.390191805 +0200 +@@ -4580,3 +4580,38 @@ EVP_PKEY_meth_get_digest_custom OPENSSL_INIT_set_config_filename 4534 1_1_1b EXIST::FUNCTION:STDIO OPENSSL_INIT_set_config_file_flags 4535 1_1_1b EXIST::FUNCTION:STDIO + EVP_PKEY_get0_engine 4536 1_1_1c EXIST::FUNCTION:ENGINE +FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION: +FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION: +FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION: diff --git a/openssl-1.1.1-regression-fixes.patch b/openssl-1.1.1-regression-fixes.patch index 4e8c388..11099a1 100644 --- a/openssl-1.1.1-regression-fixes.patch +++ b/openssl-1.1.1-regression-fixes.patch @@ -14,24 +14,3 @@ diff -up openssl-1.1.1b/crypto/conf/conf_lib.c.regression openssl-1.1.1b/crypto/ ret->flags = DEFAULT_CONF_MFLAGS; return ret; -diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.regression openssl-1.1.1b/crypto/evp/evp_enc.c ---- openssl-1.1.1b/crypto/evp/evp_enc.c.regression 2019-05-07 11:52:35.982596242 +0200 -+++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-05-10 14:30:42.269243383 +0200 -@@ -338,7 +338,7 @@ static int evp_EncryptDecryptUpdate(EVP_ - - bl = ctx->cipher->block_size; - -- if (inl <= 0) { -+ if (out != NULL && in == NULL && inl <= 0) { - *outl = 0; - return inl == 0; - } -@@ -491,7 +491,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct - if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) - cmpl = (cmpl + 7) / 8; - -- if (inl <= 0) { -+ if (out != NULL && in == NULL && inl <= 0) { - *outl = 0; - return inl == 0; - } diff --git a/openssl-1.1.1-system-cipherlist.patch b/openssl-1.1.1-system-cipherlist.patch index 08ac8e6..a70f20b 100644 --- a/openssl-1.1.1-system-cipherlist.patch +++ b/openssl-1.1.1-system-cipherlist.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl ---- openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist 2018-08-22 12:15:54.520742678 +0200 -+++ openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl 2018-08-22 12:15:54.554743511 +0200 +diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1c/Configurations/unix-Makefile.tmpl +--- openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist 2019-05-29 15:42:27.951329271 +0200 ++++ openssl-1.1.1c/Configurations/unix-Makefile.tmpl 2019-05-29 15:42:27.974328867 +0200 @@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html @@ -20,15 +20,15 @@ diff -up openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist (map { "-I".$_} @{$config{CPPINCLUDES}}), @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} -diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Configure ---- openssl-1.1.1-pre9/Configure.system-cipherlist 2018-08-21 14:14:11.000000000 +0200 -+++ openssl-1.1.1-pre9/Configure 2018-08-22 12:16:46.600018343 +0200 +diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure +--- openssl-1.1.1c/Configure.system-cipherlist 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/Configure 2019-05-29 15:45:10.465469533 +0200 @@ -24,7 +24,7 @@ use OpenSSL::Glob; my $orig_death_handler = $SIG{__DIE__}; $SIG{__DIE__} = \&death_handler; --my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; -+my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; # Options: # @@ -50,18 +50,18 @@ diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Confi my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -@@ -817,6 +821,10 @@ while (@argvcopy) - push @seed_sources, $x; - } +@@ -824,6 +828,10 @@ while (@argvcopy) + push @seed_sources, $x; + } } + elsif (/^--system-ciphers-file=(.*)$/) + { + $config{system_ciphers_file}=$1; + } - elsif (/^--cross-compile-prefix=(.*)$/) - { - $user{CROSS_COMPILE}=$1; -@@ -1003,6 +1011,8 @@ if ($target eq "HASH") { + elsif (/^--cross-compile-prefix=(.*)$/) + { + $user{CROSS_COMPILE}=$1; +@@ -1016,6 +1024,8 @@ if ($target eq "HASH") { exit 0; } @@ -70,9 +70,9 @@ diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Confi print "Configuring OpenSSL version $config{version} ($config{version_num}) "; print "for $target\n"; -diff -up openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre9/doc/man1/ciphers.pod ---- openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist 2018-08-21 14:14:13.000000000 +0200 -+++ openssl-1.1.1-pre9/doc/man1/ciphers.pod 2018-08-22 12:15:54.555743536 +0200 +diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/doc/man1/ciphers.pod +--- openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/doc/man1/ciphers.pod 2019-05-29 15:42:27.975328849 +0200 @@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B cipher s The cipher suites not enabled by B, currently B. @@ -89,9 +89,9 @@ diff -up openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1 =item B "High" encryption cipher suites. This currently means those with key lengths -diff -up openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre9/include/openssl/ssl.h ---- openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist 2018-08-21 14:14:15.000000000 +0200 -+++ openssl-1.1.1-pre9/include/openssl/ssl.h 2018-08-22 12:15:54.557743585 +0200 +diff -up openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist openssl-1.1.1c/include/openssl/ssl.h +--- openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/include/openssl/ssl.h 2019-05-29 15:42:27.975328849 +0200 @@ -186,6 +186,11 @@ extern "C" { * throwing out anonymous and unencrypted ciphersuites! (The latter are not * actually enabled by ALL, but "ALL:RSA" would enable some of them.) @@ -104,9 +104,9 @@ diff -up openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist openssl-1.1. /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ # define SSL_SENT_SHUTDOWN 1 -diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_ciph.c ---- openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist 2018-08-21 14:14:15.000000000 +0200 -+++ openssl-1.1.1-pre9/ssl/ssl_ciph.c 2018-08-22 12:15:54.557743585 +0200 +diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ciph.c +--- openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/ssl/ssl_ciph.c 2019-05-29 15:42:27.976328831 +0200 @@ -9,6 +9,8 @@ * https://www.openssl.org/source/license.html */ @@ -116,7 +116,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ #include #include #include -@@ -1397,6 +1399,53 @@ int SSL_set_ciphersuites(SSL *s, const c +@@ -1399,6 +1401,53 @@ int SSL_set_ciphersuites(SSL *s, const c return ret; } @@ -170,7 +170,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, -@@ -1410,15 +1459,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1412,15 +1461,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; @@ -198,7 +198,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ #endif /* -@@ -1441,7 +1500,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1443,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); if (co_list == NULL) { SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); @@ -207,7 +207,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1507,8 +1566,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1509,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * in force within each class */ if (!ssl_cipher_strength_sort(&head, &tail)) { @@ -217,7 +217,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ } /* -@@ -1553,9 +1611,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1555,9 +1613,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { @@ -228,7 +228,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1581,8 +1638,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1583,8 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ @@ -238,7 +238,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ } /* -@@ -1590,14 +1646,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { @@ -259,7 +259,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ sk_SSL_CIPHER_free(cipherstack); return NULL; } -@@ -1629,6 +1689,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ *cipher_list = cipherstack; return cipherstack; @@ -274,10 +274,10 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ } char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) -diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_lib.c ---- openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist 2018-08-22 12:15:54.552743462 +0200 -+++ openssl-1.1.1-pre9/ssl/ssl_lib.c 2018-08-22 12:15:54.558743609 +0200 -@@ -658,7 +658,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx +diff -up openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1c/ssl/ssl_lib.c +--- openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist 2019-05-29 15:42:27.970328937 +0200 ++++ openssl-1.1.1c/ssl/ssl_lib.c 2019-05-29 15:42:27.977328814 +0200 +@@ -662,7 +662,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx ctx->tls13_ciphersuites, &(ctx->cipher_list), &(ctx->cipher_list_by_id), @@ -286,7 +286,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/s if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -2933,7 +2933,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +@@ -2954,7 +2954,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (!ssl_create_cipher_list(ret->method, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, @@ -295,9 +295,9 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/s || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; -diff -up openssl-1.1.1b/test/cipherlist_test.c.system-cipherlist openssl-1.1.1b/test/cipherlist_test.c ---- openssl-1.1.1b/test/cipherlist_test.c.system-cipherlist 2019-02-28 11:27:15.181936081 +0100 -+++ openssl-1.1.1b/test/cipherlist_test.c 2019-02-28 11:28:53.357111055 +0100 +diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/test/cipherlist_test.c +--- openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/test/cipherlist_test.c 2019-05-29 15:42:27.977328814 +0200 @@ -251,7 +251,9 @@ end: int setup_tests(void) diff --git a/openssl-1.1.1-upstream-sync.patch b/openssl-1.1.1-upstream-sync.patch index 2cf849f..6735e6a 100644 --- a/openssl-1.1.1-upstream-sync.patch +++ b/openssl-1.1.1-upstream-sync.patch @@ -1,2282 +1,67 @@ -diff -up openssl-1.1.1b/apps/asn1pars.c.sync openssl-1.1.1b/apps/asn1pars.c ---- openssl-1.1.1b/apps/asn1pars.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/apps/asn1pars.c 2019-05-03 08:55:51.532407003 +0200 -@@ -170,17 +170,17 @@ int asn1parse_main(int argc, char **argv - if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL) - goto end; +diff -up openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync openssl-1.1.1c/crypto/dsa/dsa_ameth.c +--- openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/crypto/dsa/dsa_ameth.c 2019-05-29 17:10:39.768187283 +0200 +@@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, -+ if ((buf = BUF_MEM_new()) == NULL) -+ goto end; - if (strictpem) { -- if (PEM_read_bio(in, &name, &header, &str, &num) != -- 1) { -+ if (PEM_read_bio(in, &name, &header, &str, &num) != 1) { - BIO_printf(bio_err, "Error reading PEM file\n"); - ERR_print_errors(bio_err); - goto end; - } -+ buf->data = (char *)str; -+ buf->length = buf->max = num; - } else { -- -- if ((buf = BUF_MEM_new()) == NULL) -- goto end; - if (!BUF_MEM_grow(buf, BUFSIZ * 8)) - goto end; /* Pre-allocate :-) */ - -@@ -303,8 +303,6 @@ int asn1parse_main(int argc, char **argv - BUF_MEM_free(buf); - OPENSSL_free(name); - OPENSSL_free(header); -- if (strictpem) -- OPENSSL_free(str); - ASN1_TYPE_free(at); - sk_OPENSSL_STRING_free(osk); - return ret; -diff -up openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl ---- openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl 2019-05-03 08:55:51.551406676 +0200 -@@ -1829,7 +1829,7 @@ Lctr32_enc8x_three: - stvx_u $out1,$x10,$out - stvx_u $out2,$x20,$out - addi $out,$out,0x30 -- b Lcbc_dec8x_done -+ b Lctr32_enc8x_done - - .align 5 - Lctr32_enc8x_two: -@@ -1841,7 +1841,7 @@ Lctr32_enc8x_two: - stvx_u $out0,$x00,$out - stvx_u $out1,$x10,$out - addi $out,$out,0x20 -- b Lcbc_dec8x_done -+ b Lctr32_enc8x_done - - .align 5 - Lctr32_enc8x_one: -diff -up openssl-1.1.1b/crypto/bio/b_addr.c.sync openssl-1.1.1b/crypto/bio/b_addr.c ---- openssl-1.1.1b/crypto/bio/b_addr.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/bio/b_addr.c 2019-05-03 08:55:51.555406608 +0200 -@@ -683,6 +683,12 @@ int BIO_lookup_ex(const char *host, cons - hints.ai_family = family; - hints.ai_socktype = socktype; - hints.ai_protocol = protocol; -+#ifdef AI_ADDRCONFIG -+#ifdef AF_UNSPEC -+ if (family == AF_UNSPEC) -+#endif -+ hints.ai_flags |= AI_ADDRCONFIG; -+#endif - - if (lookup_type == BIO_LOOKUP_SERVER) - hints.ai_flags |= AI_PASSIVE; -diff -up openssl-1.1.1b/crypto/bio/bss_mem.c.sync openssl-1.1.1b/crypto/bio/bss_mem.c ---- openssl-1.1.1b/crypto/bio/bss_mem.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/bio/bss_mem.c 2019-05-03 08:55:51.556406591 +0200 -@@ -57,7 +57,12 @@ static const BIO_METHOD secmem_method = - NULL, /* mem_callback_ctrl */ - }; - --/* BIO memory stores buffer and read pointer */ -+/* -+ * BIO memory stores buffer and read pointer -+ * however the roles are different for read only BIOs. -+ * In that case the readp just stores the original state -+ * to be used for reset. -+ */ - typedef struct bio_buf_mem_st { - struct buf_mem_st *buf; /* allocated buffer */ - struct buf_mem_st *readp; /* read pointer */ -@@ -192,11 +197,14 @@ static int mem_read(BIO *b, char *out, i - BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; - BUF_MEM *bm = bbm->readp; - -+ if (b->flags & BIO_FLAGS_MEM_RDONLY) -+ bm = bbm->buf; - BIO_clear_retry_flags(b); - ret = (outl >= 0 && (size_t)outl > bm->length) ? (int)bm->length : outl; - if ((out != NULL) && (ret > 0)) { - memcpy(out, bm->data, ret); - bm->length -= ret; -+ bm->max -= ret; - bm->data += ret; - } else if (bm->length == 0) { - ret = b->num; -@@ -241,29 +249,36 @@ static long mem_ctrl(BIO *b, int cmd, lo - BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; - BUF_MEM *bm; - -+ if (b->flags & BIO_FLAGS_MEM_RDONLY) -+ bm = bbm->buf; -+ else -+ bm = bbm->readp; -+ - switch (cmd) { - case BIO_CTRL_RESET: - bm = bbm->buf; - if (bm->data != NULL) { -- /* For read only case reset to the start again */ -- if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & BIO_FLAGS_NONCLEAR_RST)) { -- bm->length = bm->max; -+ if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) { -+ if (b->flags & BIO_FLAGS_NONCLEAR_RST) { -+ bm->length = bm->max; -+ } else { -+ memset(bm->data, 0, bm->max); -+ bm->length = 0; -+ } -+ *bbm->readp = *bbm->buf; - } else { -- memset(bm->data, 0, bm->max); -- bm->length = 0; -+ /* For read only case just reset to the start again */ -+ *bbm->buf = *bbm->readp; - } -- *bbm->readp = *bbm->buf; - } - break; - case BIO_CTRL_EOF: -- bm = bbm->readp; - ret = (long)(bm->length == 0); - break; - case BIO_C_SET_BUF_MEM_EOF_RETURN: - b->num = (int)num; - break; - case BIO_CTRL_INFO: -- bm = bbm->readp; - ret = (long)bm->length; - if (ptr != NULL) { - pptr = (char **)ptr; -@@ -278,8 +293,9 @@ static long mem_ctrl(BIO *b, int cmd, lo - break; - case BIO_C_GET_BUF_MEM_PTR: - if (ptr != NULL) { -- mem_buf_sync(b); -- bm = bbm->readp; -+ if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) -+ mem_buf_sync(b); -+ bm = bbm->buf; - pptr = (char **)ptr; - *pptr = (char *)bm; - } -@@ -294,7 +310,6 @@ static long mem_ctrl(BIO *b, int cmd, lo - ret = 0L; - break; - case BIO_CTRL_PENDING: -- bm = bbm->readp; - ret = (long)bm->length; - break; - case BIO_CTRL_DUP: -@@ -318,6 +333,8 @@ static int mem_gets(BIO *bp, char *buf, - BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)bp->ptr; - BUF_MEM *bm = bbm->readp; - -+ if (bp->flags & BIO_FLAGS_MEM_RDONLY) -+ bm = bbm->buf; - BIO_clear_retry_flags(bp); - j = bm->length; - if ((size - 1) < j) -diff -up openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync openssl-1.1.1b/crypto/bn/asm/ppc.pl ---- openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/bn/asm/ppc.pl 2019-05-03 08:55:51.530407037 +0200 -@@ -258,6 +258,7 @@ $data=<err_stack) - ctx->err_stack--; -diff -up openssl-1.1.1b/crypto/bn/bn_lib.c.sync openssl-1.1.1b/crypto/bn/bn_lib.c ---- openssl-1.1.1b/crypto/bn/bn_lib.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/bn/bn_lib.c 2019-05-03 08:55:51.525407123 +0200 -@@ -338,6 +338,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b) - - void BN_clear(BIGNUM *a) - { -+ if (a == NULL) -+ return; - bn_check_top(a); - if (a->d != NULL) - OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax); -diff -up openssl-1.1.1b/crypto/bn/bn_prime.c.sync openssl-1.1.1b/crypto/bn/bn_prime.c ---- openssl-1.1.1b/crypto/bn/bn_prime.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/bn/bn_prime.c 2019-05-03 08:55:51.525407123 +0200 -@@ -135,8 +135,7 @@ int BN_generate_prime_ex(BIGNUM *ret, in - found = 1; - err: - OPENSSL_free(mods); -- if (ctx != NULL) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); - bn_check_top(ret); - return found; -diff -up openssl-1.1.1b/crypto/chacha/build.info.sync openssl-1.1.1b/crypto/chacha/build.info ---- openssl-1.1.1b/crypto/chacha/build.info.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/chacha/build.info 2019-05-03 08:55:51.538406900 +0200 -@@ -9,6 +9,8 @@ GENERATE[chacha-armv4.S]=asm/chacha-armv - INCLUDE[chacha-armv4.o]=.. - GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl $(PERLASM_SCHEME) - INCLUDE[chacha-armv8.o]=.. -+GENERATE[chacha-s390x.S]=asm/chacha-s390x.pl $(PERLASM_SCHEME) -+INCLUDE[chacha-s390x.o]=.. - - BEGINRAW[Makefile(unix)] - ##### CHACHA assembler implementations -diff -up openssl-1.1.1b/crypto/conf/conf_sap.c.sync openssl-1.1.1b/crypto/conf/conf_sap.c ---- openssl-1.1.1b/crypto/conf/conf_sap.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/conf/conf_sap.c 2019-05-03 08:55:51.550406694 +0200 -@@ -35,6 +35,7 @@ void OPENSSL_config(const char *appname) - memset(&settings, 0, sizeof(settings)); - if (appname != NULL) - settings.appname = strdup(appname); -+ settings.flags = DEFAULT_CONF_MFLAGS; - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings); - } - #endif -diff -up openssl-1.1.1b/crypto/dh/dh_check.c.sync openssl-1.1.1b/crypto/dh/dh_check.c ---- openssl-1.1.1b/crypto/dh/dh_check.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dh/dh_check.c 2019-05-03 08:55:51.525407123 +0200 -@@ -58,10 +58,8 @@ int DH_check_params(const DH *dh, int *r - - ok = 1; - err: -- if (ctx != NULL) { -- BN_CTX_end(ctx); -- BN_CTX_free(ctx); -- } -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); - return ok; - } - -@@ -171,10 +169,8 @@ int DH_check(const DH *dh, int *ret) - } - ok = 1; - err: -- if (ctx != NULL) { -- BN_CTX_end(ctx); -- BN_CTX_free(ctx); -- } -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); - return ok; - } - -@@ -225,9 +221,7 @@ int DH_check_pub_key(const DH *dh, const - - ok = 1; - err: -- if (ctx != NULL) { -- BN_CTX_end(ctx); -- BN_CTX_free(ctx); -- } -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); - return ok; - } -diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.sync openssl-1.1.1b/crypto/dh/dh_gen.c ---- openssl-1.1.1b/crypto/dh/dh_gen.c.sync 2019-05-03 08:55:45.170516224 +0200 -+++ openssl-1.1.1b/crypto/dh/dh_gen.c 2019-05-03 08:55:51.525407123 +0200 -@@ -144,9 +144,7 @@ static int dh_builtin_genparams(DH *ret, - ok = 0; - } - -- if (ctx != NULL) { -- BN_CTX_end(ctx); -- BN_CTX_free(ctx); -- } -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); - return ok; - } -diff -up openssl-1.1.1b/crypto/dh/dh_key.c.sync openssl-1.1.1b/crypto/dh/dh_key.c ---- openssl-1.1.1b/crypto/dh/dh_key.c.sync 2019-05-03 08:55:45.170516224 +0200 -+++ openssl-1.1.1b/crypto/dh/dh_key.c 2019-05-03 08:55:51.526407106 +0200 -@@ -237,10 +237,8 @@ static int compute_key(unsigned char *ke - - ret = BN_bn2bin(tmp, key); - err: -- if (ctx != NULL) { -- BN_CTX_end(ctx); -- BN_CTX_free(ctx); -- } -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); - return ret; - } - -diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync openssl-1.1.1b/crypto/dsa/dsa_gen.c ---- openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync 2019-05-03 08:55:45.171516207 +0200 -+++ openssl-1.1.1b/crypto/dsa/dsa_gen.c 2019-05-03 08:55:51.526407106 +0200 -@@ -308,8 +308,7 @@ int dsa_builtin_paramgen(DSA *ret, size_ - if (seed_out) - memcpy(seed_out, seed, qsize); - } -- if (ctx) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); - BN_MONT_CTX_free(mont); - return ok; -@@ -641,8 +640,7 @@ int dsa_builtin_paramgen2(DSA *ret, size - OPENSSL_free(seed); - if (seed_out != seed_tmp) - OPENSSL_free(seed_tmp); -- if (ctx) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); - BN_MONT_CTX_free(mont); - EVP_MD_CTX_free(mctx); -diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync openssl-1.1.1b/crypto/ec/ecdh_ossl.c ---- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync 2019-05-03 08:55:45.171516207 +0200 -+++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-05-03 08:55:51.556406591 +0200 -@@ -123,7 +123,7 @@ int ecdh_simple_compute_key(unsigned cha - ret = 1; - - err: -- EC_POINT_free(tmp); -+ EC_POINT_clear_free(tmp); - if (ctx) - BN_CTX_end(ctx); - BN_CTX_free(ctx); -diff -up openssl-1.1.1b/crypto/ec/ec_lib.c.sync openssl-1.1.1b/crypto/ec/ec_lib.c ---- openssl-1.1.1b/crypto/ec/ec_lib.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ec_lib.c 2019-05-03 08:55:51.527407088 +0200 -@@ -1074,8 +1074,7 @@ static int ec_field_inverse_mod_ord(cons - ret = 1; - - err: -- if (ctx != NULL) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; - } -diff -up openssl-1.1.1b/crypto/ec/ec_mult.c.sync openssl-1.1.1b/crypto/ec/ec_mult.c ---- openssl-1.1.1b/crypto/ec/ec_mult.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ec_mult.c 2019-05-03 08:55:51.540406865 +0200 -@@ -378,7 +378,7 @@ int ec_scalar_mul_ladder(const EC_GROUP - - err: - EC_POINT_free(p); -- EC_POINT_free(s); -+ EC_POINT_clear_free(s); - BN_CTX_end(ctx); - - return ret; -@@ -441,7 +441,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E - * scalar multiplication implementation based on a Montgomery ladder, - * with various timing attack defenses. - */ -- if ((scalar != NULL) && (num == 0)) { -+ if ((scalar != group->order) && (scalar != NULL) && (num == 0)) { - /*- - * In this case we want to compute scalar * GeneratorPoint: this - * codepath is reached most prominently by (ephemeral) key -@@ -452,7 +452,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E - */ - return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx); - } -- if ((scalar == NULL) && (num == 1)) { -+ if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) { - /*- - * In this case we want to compute scalar * VariablePoint: this - * codepath is reached most prominently by the second half of ECDH, -@@ -948,8 +948,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *gr - ret = 1; - - err: -- if (ctx != NULL) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - EC_ec_pre_comp_free(pre_comp); - if (points) { -diff -up openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync openssl-1.1.1b/crypto/ec/ecp_nistp521.c ---- openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ecp_nistp521.c 2019-05-03 08:55:51.532407003 +0200 -@@ -357,10 +357,15 @@ static void felem_diff64(felem out, cons - static void felem_diff_128_64(largefelem out, const felem in) - { - /* -- * In order to prevent underflow, we add 0 mod p before subtracting. -+ * In order to prevent underflow, we add 64p mod p (which is equivalent -+ * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521 -+ * digit number with all bits set to 1. See "The representation of field -+ * elements" comment above for a description of how limbs are used to -+ * represent a number. 64p is represented with 8 limbs containing a number -+ * with 58 bits set and one limb with a number with 57 bits set. - */ -- static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5); -- static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4); -+ static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6); -+ static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5); - - out[0] += two63m6 - in[0]; - out[1] += two63m5 - in[1]; -diff -up openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync openssl-1.1.1b/crypto/ec/ecp_nistz256.c ---- openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ecp_nistz256.c 2019-05-03 08:55:51.528407071 +0200 -@@ -888,8 +888,7 @@ __owur static int ecp_nistz256_mult_prec - ret = 1; - - err: -- if (ctx != NULL) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - - EC_nistz256_pre_comp_free(pre_comp); -diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync openssl-1.1.1b/crypto/ec/ecp_smpl.c ---- openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync 2019-05-03 08:55:45.152516533 +0200 -+++ openssl-1.1.1b/crypto/ec/ecp_smpl.c 2019-05-03 08:55:51.528407071 +0200 -@@ -312,8 +312,7 @@ int ec_GFp_simple_group_check_discrimina - ret = 1; - - err: -- if (ctx != NULL) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; - } -@@ -792,8 +791,7 @@ int ec_GFp_simple_add(const EC_GROUP *gr - ret = 1; - - end: -- if (ctx) /* otherwise we already called BN_CTX_end */ -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; - } -diff -up openssl-1.1.1b/crypto/err/err.c.sync openssl-1.1.1b/crypto/err/err.c ---- openssl-1.1.1b/crypto/err/err.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/err/err.c 2019-05-03 08:55:51.548406728 +0200 -@@ -523,8 +523,24 @@ static unsigned long get_error_values(in - return ERR_R_INTERNAL_ERROR; - } - -+ while (es->bottom != es->top) { -+ if (es->err_flags[es->top] & ERR_FLAG_CLEAR) { -+ err_clear(es, es->top); -+ es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1; -+ continue; -+ } -+ i = (es->bottom + 1) % ERR_NUM_ERRORS; -+ if (es->err_flags[i] & ERR_FLAG_CLEAR) { -+ es->bottom = i; -+ err_clear(es, es->bottom); -+ continue; -+ } -+ break; -+ } -+ - if (es->bottom == es->top) - return 0; -+ - if (top) - i = es->top; /* last error */ - else -@@ -913,25 +929,6 @@ int ERR_clear_last_mark(void) - return 1; - } - --#ifdef UINTPTR_T --# undef UINTPTR_T --#endif --/* -- * uintptr_t is the answer, but unfortunately C89, current "least common -- * denominator" doesn't define it. Most legacy platforms typedef it anyway, -- * so that attempt to fill the gaps means that one would have to identify -- * that track these gaps, which would be undesirable. Macro it is... -- */ --#if defined(__VMS) && __INITIAL_POINTER_SIZE==64 --/* -- * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 -- * even in 64-bit builds, which means that it won't work as mask. -- */ --# define UINTPTR_T unsigned long long --#else --# define UINTPTR_T size_t --#endif -- - void err_clear_last_constant_time(int clear) - { - ERR_STATE *es; -@@ -943,11 +940,11 @@ void err_clear_last_constant_time(int cl - - top = es->top; - -- es->err_flags[top] &= ~(0 - clear); -- es->err_buffer[top] &= ~(0UL - clear); -- es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & -- ~((UINTPTR_T)0 - clear)); -- es->err_line[top] |= 0 - clear; -- -- es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; -+ /* -+ * Flag error as cleared but remove it elsewhere to avoid two errors -+ * accessing the same error stack location, revealing timing information. -+ */ -+ clear = constant_time_select_int(constant_time_eq_int(clear, 0), -+ 0, ERR_FLAG_CLEAR); -+ es->err_flags[top] |= clear; - } -diff -up openssl-1.1.1b/crypto/evp/digest.c.sync openssl-1.1.1b/crypto/evp/digest.c ---- openssl-1.1.1b/crypto/evp/digest.c.sync 2019-05-03 08:55:51.553406642 +0200 -+++ openssl-1.1.1b/crypto/evp/digest.c 2019-05-03 08:56:40.800561168 +0200 -@@ -171,6 +171,9 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, co - #ifdef OPENSSL_FIPS - FIPS_selftest_check(); - #endif -+ if (count == 0) + case ASN1_PKEY_CTRL_DEFAULT_MD_NID: + *(int *)arg2 = NID_sha256; +- return 2; + return 1; -+ - return ctx->update(ctx, data, count); + + default: + return -2; +diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c +--- openssl-1.1.1c/crypto/err/err.c.sync 2019-05-28 15:12:21.000000000 +0200 ++++ openssl-1.1.1c/crypto/err/err.c 2019-05-29 17:07:13.345793792 +0200 +@@ -184,8 +184,8 @@ static ERR_STRING_DATA *int_err_get_item } -diff -up openssl-1.1.1b/crypto/evp/e_aria.c.sync openssl-1.1.1b/crypto/evp/e_aria.c ---- openssl-1.1.1b/crypto/evp/e_aria.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/e_aria.c 2019-05-03 08:55:51.545406779 +0200 -@@ -486,6 +486,16 @@ static int aria_gcm_cipher(EVP_CIPHER_CT - return 0; - } - -+static int aria_gcm_cleanup(EVP_CIPHER_CTX *ctx) -+{ -+ EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, ctx); -+ -+ if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(ctx)) -+ OPENSSL_free(gctx->iv); -+ -+ return 1; -+} -+ - static int aria_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) - { -@@ -727,6 +737,8 @@ static int aria_ccm_cipher(EVP_CIPHER_CT - } - } - -+#define aria_ccm_cleanup NULL -+ - #define ARIA_AUTH_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ - | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ - | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ -@@ -739,7 +751,7 @@ static const EVP_CIPHER aria_##keylen##_ - ARIA_AUTH_FLAGS|EVP_CIPH_##MODE##_MODE, \ - aria_##mode##_init_key, \ - aria_##mode##_cipher, \ -- NULL, \ -+ aria_##mode##_cleanup, \ - sizeof(EVP_ARIA_##MODE##_CTX), \ - NULL,NULL,aria_##mode##_ctrl,NULL }; \ - const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ -diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c ---- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync 2019-05-03 08:55:45.216515434 +0200 -+++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-05-03 08:55:51.551406676 +0200 -@@ -30,6 +30,8 @@ typedef struct { - - #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data) - -+#define CHACHA20_POLY1305_MAX_IVLEN 12 -+ - static int chacha_init_key(EVP_CIPHER_CTX *ctx, - const unsigned char user_key[CHACHA_KEY_SIZE], - const unsigned char iv[CHACHA_CTR_SIZE], int enc) -@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CI - return 1; - - case EVP_CTRL_AEAD_SET_IVLEN: -- if (arg <= 0 || arg > CHACHA_CTR_SIZE) -+ if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN) - return 0; - actx->nonce_len = arg; - return 1; -diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.sync openssl-1.1.1b/crypto/evp/evp_enc.c ---- openssl-1.1.1b/crypto/evp/evp_enc.c.sync 2019-05-03 08:55:45.174516155 +0200 -+++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-05-03 08:55:51.544406797 +0200 -@@ -338,6 +338,11 @@ static int evp_EncryptDecryptUpdate(EVP_ - - bl = ctx->cipher->block_size; - -+ if (inl <= 0) { -+ *outl = 0; -+ return inl == 0; -+ } -+ - if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { - /* If block size > 1 then the cipher will have to do this check */ - if (bl == 1 && is_partially_overlapping(out, in, cmpl)) { -@@ -353,10 +358,6 @@ static int evp_EncryptDecryptUpdate(EVP_ - return 1; - } - -- if (inl <= 0) { -- *outl = 0; -- return inl == 0; -- } - if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) { - EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING); - return 0; -@@ -490,6 +491,11 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct - if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) - cmpl = (cmpl + 7) / 8; - -+ if (inl <= 0) { -+ *outl = 0; -+ return inl == 0; -+ } -+ - if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { - if (b == 1 && is_partially_overlapping(out, in, cmpl)) { - EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING); -@@ -505,11 +511,6 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct - return 1; - } - -- if (inl <= 0) { -- *outl = 0; -- return inl == 0; -- } -- - if (ctx->flags & EVP_CIPH_NO_PADDING) - return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); - -diff -up openssl-1.1.1b/crypto/hmac/hmac.c.sync openssl-1.1.1b/crypto/hmac/hmac.c ---- openssl-1.1.1b/crypto/hmac/hmac.c.sync 2019-05-03 08:55:45.189515898 +0200 -+++ openssl-1.1.1b/crypto/hmac/hmac.c 2019-05-03 08:55:51.538406900 +0200 -@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo - return 0; - } - -+ /* -+ * The HMAC construction is not allowed to be used with the -+ * extendable-output functions (XOF) shake128 and shake256. -+ */ -+ if ((EVP_MD_meth_get_flags(md) & EVP_MD_FLAG_XOF) != 0) -+ return 0; -+ - if (key != NULL) { - #ifdef OPENSSL_FIPS - if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS) -diff -up openssl-1.1.1b/crypto/init.c.sync openssl-1.1.1b/crypto/init.c ---- openssl-1.1.1b/crypto/init.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/init.c 2019-05-03 08:55:51.550406694 +0200 -@@ -702,7 +702,7 @@ int OPENSSL_init_crypto(uint64_t opts, c - ret = RUN_ONCE(&config, ossl_init_config); - conf_settings = NULL; - CRYPTO_THREAD_unlock(init_lock); -- if (!ret) -+ if (ret <= 0) - return 0; - } - -diff -up openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl ---- openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl 2019-05-03 08:55:51.534406969 +0200 -@@ -1155,6 +1155,7 @@ ___ - } else { - $code.=<<___; - jmp .L_init_clmul -+.cfi_endproc - .size gcm_init_avx,.-gcm_init_avx - ___ - } -@@ -1594,6 +1595,7 @@ ___ - } else { - $code.=<<___; - jmp .L_ghash_clmul -+.cfi_endproc - .size gcm_ghash_avx,.-gcm_ghash_avx - ___ - } -diff -up openssl-1.1.1b/crypto/modes/ccm128.c.sync openssl-1.1.1b/crypto/modes/ccm128.c ---- openssl-1.1.1b/crypto/modes/ccm128.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/modes/ccm128.c 2019-05-03 08:55:51.543406814 +0200 -@@ -425,7 +425,7 @@ size_t CRYPTO_ccm128_tag(CCM128_CONTEXT - - M *= 2; - M += 2; -- if (len < M) -+ if (len != M) - return 0; - memcpy(tag, ctx->cmac.c, M); - return M; -diff -up openssl-1.1.1b/crypto/o_str.c.sync openssl-1.1.1b/crypto/o_str.c ---- openssl-1.1.1b/crypto/o_str.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/o_str.c 2019-05-03 08:55:51.550406694 +0200 -@@ -223,7 +223,26 @@ int openssl_strerror_r(int errnum, char - #if defined(_MSC_VER) && _MSC_VER>=1400 - return !strerror_s(buf, buflen, errnum); - #elif defined(_GNU_SOURCE) -- return strerror_r(errnum, buf, buflen) != NULL; -+ char *err; -+ -+ /* -+ * GNU strerror_r may not actually set buf. -+ * It can return a pointer to some (immutable) static string in which case -+ * buf is left unused. -+ */ -+ err = strerror_r(errnum, buf, buflen); -+ if (err == NULL) -+ return 0; -+ /* -+ * If err is statically allocated, err != buf and we need to copy the data. -+ * If err points somewhere inside buf, OPENSSL_strlcpy can handle this, -+ * since src and dest are not annotated with __restrict and the function -+ * reads src byte for byte and writes to dest. -+ * If err == buf we do not have to copy anything. -+ */ -+ if (err != buf) -+ OPENSSL_strlcpy(buf, err, buflen); -+ return 1; - #elif (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) || \ - (defined(_XOPEN_SOURCE) && _XOPEN_SOURCE >= 600) - /* -@@ -234,6 +253,7 @@ int openssl_strerror_r(int errnum, char - return !strerror_r(errnum, buf, buflen); - #else - char *err; -+ - /* Fall back to non-thread safe strerror()...its all we can do */ - if (buflen < 2) - return 0; -@@ -241,8 +261,7 @@ int openssl_strerror_r(int errnum, char - /* Can this ever happen? */ - if (err == NULL) - return 0; -- strncpy(buf, err, buflen - 1); -- buf[buflen - 1] = '\0'; -+ OPENSSL_strlcpy(buf, err, buflen); - return 1; - #endif - } -diff -up openssl-1.1.1b/crypto/poly1305/build.info.sync openssl-1.1.1b/crypto/poly1305/build.info ---- openssl-1.1.1b/crypto/poly1305/build.info.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/poly1305/build.info 2019-05-03 08:55:51.538406900 +0200 -@@ -17,6 +17,7 @@ GENERATE[poly1305-armv8.S]=asm/poly1305- - INCLUDE[poly1305-armv8.o]=.. - GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME) - INCLUDE[poly1305-mips.o]=.. -+GENERATE[poly1305-s390x.S]=asm/poly1305-s390x.pl $(PERLASM_SCHEME) - - BEGINRAW[Makefile(unix)] - {- $builddir -}/poly1305-%.S: {- $sourcedir -}/asm/poly1305-%.pl -diff -up openssl-1.1.1b/crypto/rc4/build.info.sync openssl-1.1.1b/crypto/rc4/build.info ---- openssl-1.1.1b/crypto/rc4/build.info.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rc4/build.info 2019-05-03 08:55:51.538406900 +0200 -@@ -11,6 +11,8 @@ GENERATE[rc4-md5-x86_64.s]=asm/rc4-md5-x - - GENERATE[rc4-parisc.s]=asm/rc4-parisc.pl $(PERLASM_SCHEME) - -+GENERATE[rc4-s390x.s]=asm/rc4-s390x.pl $(PERLASM_SCHEME) -+ - BEGINRAW[Makefile] - # GNU make "catch all" - {- $builddir -}/rc4-%.s: {- $sourcedir -}/asm/rc4-%.pl -diff -up openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync openssl-1.1.1b/crypto/rsa/rsa_ameth.c ---- openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_ameth.c 2019-05-03 08:55:51.533406986 +0200 -@@ -583,10 +583,12 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EV - return NULL; - if (saltlen == -1) { - saltlen = EVP_MD_size(sigmd); -- } else if (saltlen == -2) { -+ } else if (saltlen == -2 || saltlen == -3) { - saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; - if ((EVP_PKEY_bits(pk) & 0x7) == 1) - saltlen--; -+ if (saltlen < 0) -+ return NULL; - } - - return rsa_pss_params_create(sigmd, mgf1md, saltlen); -diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync openssl-1.1.1b/crypto/rsa/rsa_gen.c ---- openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync 2019-05-03 08:55:45.191515864 +0200 -+++ openssl-1.1.1b/crypto/rsa/rsa_gen.c 2019-05-03 08:55:51.528407071 +0200 -@@ -746,8 +746,7 @@ static int rsa_builtin_keygen(RSA *rsa, - RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); - ok = 0; - } -- if (ctx != NULL) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); - return ok; - } -diff -up openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync openssl-1.1.1b/crypto/rsa/rsa_oaep.c ---- openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_oaep.c 2019-05-03 08:55:51.549406711 +0200 -@@ -1,5 +1,5 @@ - /* -- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un - * |num| is the length of the modulus; |flen| is the length of the - * encoded message. Therefore, for any |from| that was obtained by - * decrypting a ciphertext, we must have |flen| <= |num|. Similarly, -- * num < 2 * mdlen + 2 must hold for the modulus irrespective of -+ * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of - * the ciphertext, see PKCS #1 v2.2, section 7.1.2. - * This does not leak any side-channel information. - */ -@@ -179,17 +179,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un - from -= 1 & mask; - *--em = *from & mask; - } -- from = em; - - /* - * The first byte must be zero, however we must not leak if this is - * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA - * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). - */ -- good = constant_time_is_zero(from[0]); -+ good = constant_time_is_zero(em[0]); - -- maskedseed = from + 1; -- maskeddb = from + 1 + mdlen; -+ maskedseed = em + 1; -+ maskeddb = em + 1 + mdlen; - - if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) - goto cleanup; -@@ -230,29 +229,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un - mlen = dblen - msg_index; - - /* -- * For good measure, do this check in constant tine as well. -+ * For good measure, do this check in constant time as well. - */ - good &= constant_time_ge(tlen, mlen); - - /* -- * Even though we can't fake result's length, we can pretend copying -- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen| -- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, -- * where |mlen'| is "saturated" |mlen| value. Deducing information -- * about failure or |mlen| would take attacker's ability to observe -- * memory access pattern with byte granularity *as it occurs*. It -- * should be noted that failure is indistinguishable from normal -- * operation if |tlen| is fixed by protocol. -+ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left. -+ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|. -+ * Otherwise leave |to| unchanged. -+ * Copy the memory back in a way that does not reveal the size of -+ * the data being copied via a timing side channel. This requires copying -+ * parts of the buffer multiple times based on the bits set in the real -+ * length. Clear bits do a non-copy with identical access pattern. -+ * The loop below has overall complexity of O(N*log(N)). - */ -- tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); -- msg_index = constant_time_select_int(good, msg_index, dblen - tlen); -- mlen = dblen - msg_index; -- for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { -- unsigned int equals = constant_time_eq(i, mlen); -- -- from -= dblen & equals; /* if (i == dblen) rewind */ -- mask &= mask ^ equals; /* if (i == dblen) mask = 0 */ -- to[i] = constant_time_select_8(mask, from[i], to[i]); -+ tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen), -+ dblen - mdlen - 1, tlen); -+ for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) { -+ mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0); -+ for (i = mdlen + 1; i < dblen - msg_index; i++) -+ db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]); -+ } -+ for (i = 0; i < tlen; i++) { -+ mask = good & constant_time_lt(i, mlen); -+ to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]); - } - - /* -diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ossl.c ---- openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync 2019-05-03 08:55:45.191515864 +0200 -+++ openssl-1.1.1b/crypto/rsa/rsa_ossl.c 2019-05-03 08:55:51.548406728 +0200 -@@ -174,8 +174,7 @@ static int rsa_ossl_public_encrypt(int f - */ - r = BN_bn2binpad(ret, to, num); - err: -- if (ctx != NULL) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); - OPENSSL_clear_free(buf, num); - return r; -@@ -396,8 +395,7 @@ static int rsa_ossl_private_encrypt(int - */ - r = BN_bn2binpad(res, to, num); - err: -- if (ctx != NULL) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); - OPENSSL_clear_free(buf, num); - return r; -@@ -539,11 +537,10 @@ static int rsa_ossl_private_decrypt(int - goto err; - } - RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); -- err_clear_last_constant_time(r >= 0); -+ err_clear_last_constant_time(1 & ~constant_time_msb(r)); - - err: -- if (ctx != NULL) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); - OPENSSL_clear_free(buf, num); - return r; -@@ -655,8 +652,7 @@ static int rsa_ossl_public_decrypt(int f - RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); - - err: -- if (ctx != NULL) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); - OPENSSL_clear_free(buf, num); - return r; -diff -up openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync openssl-1.1.1b/crypto/rsa/rsa_pk1.c ---- openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_pk1.c 2019-05-03 08:55:51.549406711 +0200 -@@ -1,5 +1,5 @@ - /* -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -192,15 +192,14 @@ int RSA_padding_check_PKCS1_type_2(unsig - from -= 1 & mask; - *--em = *from & mask; - } -- from = em; - -- good = constant_time_is_zero(from[0]); -- good &= constant_time_eq(from[1], 2); -+ good = constant_time_is_zero(em[0]); -+ good &= constant_time_eq(em[1], 2); - - /* scan over padding data */ - found_zero_byte = 0; - for (i = 2; i < num; i++) { -- unsigned int equals0 = constant_time_is_zero(from[i]); -+ unsigned int equals0 = constant_time_is_zero(em[i]); - - zero_index = constant_time_select_int(~found_zero_byte & equals0, - i, zero_index); -@@ -208,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsig - } - - /* -- * PS must be at least 8 bytes long, and it starts two bytes into |from|. -+ * PS must be at least 8 bytes long, and it starts two bytes into |em|. - * If we never found a 0-byte, then |zero_index| is 0 and the check - * also fails. - */ -@@ -227,24 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsig - good &= constant_time_ge(tlen, mlen); - - /* -- * Even though we can't fake result's length, we can pretend copying -- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| -- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, -- * where |mlen'| is "saturated" |mlen| value. Deducing information -- * about failure or |mlen| would take attacker's ability to observe -- * memory access pattern with byte granularity *as it occurs*. It -- * should be noted that failure is indistinguishable from normal -- * operation if |tlen| is fixed by protocol. -- */ -- tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); -- msg_index = constant_time_select_int(good, msg_index, num - tlen); -- mlen = num - msg_index; -- for (from += msg_index, mask = good, i = 0; i < tlen; i++) { -- unsigned int equals = constant_time_eq(i, mlen); -- -- from -= tlen & equals; /* if (i == mlen) rewind */ -- mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ -- to[i] = constant_time_select_8(mask, from[i], to[i]); -+ * Move the result in-place by |num|-11-|mlen| bytes to the left. -+ * Then if |good| move |mlen| bytes from |em|+11 to |to|. -+ * Otherwise leave |to| unchanged. -+ * Copy the memory back in a way that does not reveal the size of -+ * the data being copied via a timing side channel. This requires copying -+ * parts of the buffer multiple times based on the bits set in the real -+ * length. Clear bits do a non-copy with identical access pattern. -+ * The loop below has overall complexity of O(N*log(N)). -+ */ -+ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), -+ num - 11, tlen); -+ for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { -+ mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); -+ for (i = 11; i < num - msg_index; i++) -+ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); -+ } -+ for (i = 0; i < tlen; i++) { -+ mask = good & constant_time_lt(i, mlen); -+ to[i] = constant_time_select_8(mask, em[i + 11], to[i]); - } - - OPENSSL_clear_free(em, num); -diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync openssl-1.1.1b/crypto/rsa/rsa_pmeth.c ---- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-03 08:55:51.543406814 +0200 -@@ -1,5 +1,5 @@ - /* -- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+#include "internal/constant_time_locl.h" -+ - #include - #include "internal/cryptlib.h" - #include -@@ -340,10 +342,9 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX - ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, - rctx->pad_mode); - } -- if (ret < 0) -- return ret; -- *outlen = ret; -- return 1; -+ *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); -+ ret = constant_time_select_int(constant_time_msb(ret), ret, 1); -+ return ret; - } - - static int check_padding_md(const EVP_MD *md, int padding) -diff -up openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ssl.c ---- openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_ssl.c 2019-05-03 08:55:51.550406694 +0200 -@@ -1,5 +1,5 @@ - /* -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -55,7 +55,7 @@ int RSA_padding_add_SSLv23(unsigned char - - /* - * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding -- * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also -+ * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also - * preserves error code reporting for backward compatibility. - */ - int RSA_padding_check_SSLv23(unsigned char *to, int tlen, -@@ -67,7 +67,10 @@ int RSA_padding_check_SSLv23(unsigned ch - unsigned int good, found_zero_byte, mask, threes_in_row; - int zero_index = 0, msg_index, mlen = -1, err; - -- if (flen < 10) { -+ if (tlen <= 0 || flen <= 0) -+ return -1; -+ -+ if (flen > num || num < 11) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); - return -1; - } -@@ -89,10 +92,9 @@ int RSA_padding_check_SSLv23(unsigned ch - from -= 1 & mask; - *--em = *from & mask; - } -- from = em; - -- good = constant_time_is_zero(from[0]); -- good &= constant_time_eq(from[1], 2); -+ good = constant_time_is_zero(em[0]); -+ good &= constant_time_eq(em[1], 2); - err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02); - mask = ~good; - -@@ -100,18 +102,18 @@ int RSA_padding_check_SSLv23(unsigned ch - found_zero_byte = 0; - threes_in_row = 0; - for (i = 2; i < num; i++) { -- unsigned int equals0 = constant_time_is_zero(from[i]); -+ unsigned int equals0 = constant_time_is_zero(em[i]); - - zero_index = constant_time_select_int(~found_zero_byte & equals0, - i, zero_index); - found_zero_byte |= equals0; - - threes_in_row += 1 & ~found_zero_byte; -- threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3); -+ threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3); - } - - /* -- * PS must be at least 8 bytes long, and it starts two bytes into |from|. -+ * PS must be at least 8 bytes long, and it starts two bytes into |em|. - * If we never found a 0-byte, then |zero_index| is 0 and the check - * also fails. - */ -@@ -120,7 +122,7 @@ int RSA_padding_check_SSLv23(unsigned ch - RSA_R_NULL_BEFORE_BLOCK_MISSING); - mask = ~good; - -- good &= constant_time_lt(threes_in_row, 8); -+ good &= constant_time_ge(threes_in_row, 8); - err = constant_time_select_int(mask | good, err, - RSA_R_SSLV3_ROLLBACK_ATTACK); - mask = ~good; -@@ -139,24 +141,25 @@ int RSA_padding_check_SSLv23(unsigned ch - err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE); - - /* -- * Even though we can't fake result's length, we can pretend copying -- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| -- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, -- * where |mlen'| is "saturated" |mlen| value. Deducing information -- * about failure or |mlen| would take attacker's ability to observe -- * memory access pattern with byte granularity *as it occurs*. It -- * should be noted that failure is indistinguishable from normal -- * operation if |tlen| is fixed by protocol. -+ * Move the result in-place by |num|-11-|mlen| bytes to the left. -+ * Then if |good| move |mlen| bytes from |em|+11 to |to|. -+ * Otherwise leave |to| unchanged. -+ * Copy the memory back in a way that does not reveal the size of -+ * the data being copied via a timing side channel. This requires copying -+ * parts of the buffer multiple times based on the bits set in the real -+ * length. Clear bits do a non-copy with identical access pattern. -+ * The loop below has overall complexity of O(N*log(N)). - */ -- tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); -- msg_index = constant_time_select_int(good, msg_index, num - tlen); -- mlen = num - msg_index; -- for (from += msg_index, mask = good, i = 0; i < tlen; i++) { -- unsigned int equals = constant_time_eq(i, mlen); -- -- from -= tlen & equals; /* if (i == mlen) rewind */ -- mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ -- to[i] = constant_time_select_8(mask, from[i], to[i]); -+ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), -+ num - 11, tlen); -+ for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { -+ mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); -+ for (i = 11; i < num - msg_index; i++) -+ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); -+ } -+ for (i = 0; i < tlen; i++) { -+ mask = good & constant_time_lt(i, mlen); -+ to[i] = constant_time_select_8(mask, em[i + 11], to[i]); - } - - OPENSSL_clear_free(em, num); -diff -up openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync openssl-1.1.1b/crypto/rsa/rsa_x931g.c ---- openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_x931g.c 2019-05-03 08:55:51.530407037 +0200 -@@ -133,8 +133,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM - - ret = 1; - err: -- if (ctx) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); - BN_CTX_free(ctx2); - -@@ -188,8 +187,7 @@ int RSA_X931_generate_key_ex(RSA *rsa, i - ok = 1; - - error: -- if (ctx) -- BN_CTX_end(ctx); -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); - - if (ok) -diff -up openssl-1.1.1b/crypto/x509/x509_lu.c.sync openssl-1.1.1b/crypto/x509/x509_lu.c ---- openssl-1.1.1b/crypto/x509/x509_lu.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/x509/x509_lu.c 2019-05-03 08:55:51.546406762 +0200 -@@ -297,6 +297,9 @@ int X509_STORE_CTX_get_by_subject(X509_S - if (ctx == NULL) - return 0; - -+ stmp.type = X509_LU_NONE; -+ stmp.data.ptr = NULL; -+ - CRYPTO_THREAD_write_lock(ctx->lock); - tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); - CRYPTO_THREAD_unlock(ctx->lock); -diff -up openssl-1.1.1b/doc/man1/pkeyutl.pod.sync openssl-1.1.1b/doc/man1/pkeyutl.pod ---- openssl-1.1.1b/doc/man1/pkeyutl.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man1/pkeyutl.pod 2019-05-03 08:55:51.555406608 +0200 -@@ -272,20 +272,19 @@ value less than the minimum restriction. - =head1 DSA ALGORITHM - - The DSA algorithm supports signing and verification operations only. Currently --there are no additional options other than B. Only the SHA1 --digest can be used and this digest is assumed by default. -+there are no additional B<-pkeyopt> options other than B. The SHA1 -+digest is assumed by default. - - =head1 DH ALGORITHM - - The DH algorithm only supports the derivation operation and no additional --options. -+B<-pkeyopt> options. - - =head1 EC ALGORITHM - - The EC algorithm supports sign, verify and derive operations. The sign and --verify operations use ECDSA and derive uses ECDH. Currently there are no --additional options other than B. Only the SHA1 digest can be used and --this digest is assumed by default. -+verify operations use ECDSA and derive uses ECDH. SHA1 is assumed by default for -+the B<-pkeyopt> B option. - - =head1 X25519 and X448 ALGORITHMS - -diff -up openssl-1.1.1b/doc/man1/ts.pod.sync openssl-1.1.1b/doc/man1/ts.pod ---- openssl-1.1.1b/doc/man1/ts.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man1/ts.pod 2019-05-03 08:55:51.554406625 +0200 -@@ -262,7 +262,7 @@ specified, the argument is given to the - =item B<-I> - - Signing digest to use. Overrides the B config file --option. (Optional) -+option. (Mandatory unless specified in the config file) - - =item B<-chain> certs_file.pem - -@@ -460,7 +460,8 @@ command line option. (Optional) - =item B - - Signing digest to use. The same as the --B<-I> command line option. (Optional) -+B<-I> command line option. (Mandatory unless specified on the command -+line) - - =item B - -diff -up openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync openssl-1.1.1b/doc/man3/BIO_s_mem.pod ---- openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/BIO_s_mem.pod 2019-05-03 08:55:51.556406591 +0200 -@@ -88,6 +88,22 @@ a buffering BIO to the chain will speed - Calling BIO_set_mem_buf() on a BIO created with BIO_new_secmem() will - give undefined results, including perhaps a program crash. - -+Switching the memory BIO from read write to read only is not supported and -+can give undefined results including a program crash. There are two notable -+exceptions to the rule. The first one is to assign a static memory buffer -+immediately after BIO creation and set the BIO as read only. -+ -+The other supported sequence is to start with read write BIO then temporarily -+switch it to read only and call BIO_reset() on the read only BIO immediately -+before switching it back to read write. Before the BIO is freed it must be -+switched back to the read write mode. -+ -+Calling BIO_get_mem_ptr() on read only BIO will return a BUF_MEM that -+contains only the remaining data to be read. If the close status of the -+BIO is set to BIO_NOCLOSE, before freeing the BUF_MEM the data pointer -+in it must be set to NULL as the data pointer does not point to an -+allocated memory. -+ - =head1 BUGS - - There should be an option to set the maximum size of a memory BIO. -diff -up openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync openssl-1.1.1b/doc/man3/BN_CTX_start.pod ---- openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/BN_CTX_start.pod 2019-05-03 08:55:51.554406625 +0200 -@@ -27,6 +27,7 @@ calls must be made before calling any ot - B as an argument. - - Finally, BN_CTX_end() must be called before returning from the function. -+If B is NULL, nothing is done. - When BN_CTX_end() is called, the B pointers obtained from - BN_CTX_get() become invalid. - -diff -up openssl-1.1.1b/doc/man3/BN_new.pod.sync openssl-1.1.1b/doc/man3/BN_new.pod ---- openssl-1.1.1b/doc/man3/BN_new.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/BN_new.pod 2019-05-03 08:55:51.554406625 +0200 -@@ -27,6 +27,7 @@ OPENSSL_secure_malloc(3) is used to stor - BN_clear() is used to destroy sensitive data such as keys when they - are no longer needed. It erases the memory used by B and sets it - to the value 0. -+If B is NULL, nothing is done. - - BN_free() frees the components of the B, and if it was created - by BN_new(), also the structure itself. BN_clear_free() additionally -diff -up openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync openssl-1.1.1b/doc/man3/EVP_chacha20.pod ---- openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/EVP_chacha20.pod 2019-05-03 08:55:51.536406934 +0200 -@@ -21,7 +21,15 @@ The ChaCha20 stream cipher for EVP. - - =item EVP_chacha20() - --The ChaCha20 stream cipher. The key length is 256 bits, the IV is 96 bits long. -+The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long. -+The first 32 bits consists of a counter in little-endian order followed by a 96 -+bit nonce. For example a nonce of: -+ -+000000000000000000000002 -+ -+With an initial counter of 42 (2a in hex) would be expressed as: -+ -+2a000000000000000000000000000002 - - =item EVP_chacha20_poly1305() - -diff -up openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod ---- openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod 2019-05-03 08:55:51.554406625 +0200 -@@ -436,7 +436,9 @@ The following Is are supported for - - Sets the nonce length. This call can only be made before specifying the nonce. - If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum --nonce length is 16 (B, i.e. 128-bits). -+nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set -+then the nonce is automatically padded with leading 0 bytes to make it 12 bytes -+in length. - - =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag) - -diff -up openssl-1.1.1b/doc/man3/HMAC.pod.sync openssl-1.1.1b/doc/man3/HMAC.pod ---- openssl-1.1.1b/doc/man3/HMAC.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/HMAC.pod 2019-05-03 08:55:51.539406883 +0200 -@@ -63,7 +63,9 @@ If B is NULL, the digest is placed i - the output is placed in B, unless it is B. Note: passing a NULL - value for B to use the static array is not thread safe. - --B can be EVP_sha1(), EVP_ripemd160() etc. -+B is a message digest such as EVP_sha1(), EVP_ripemd160() etc. HMAC does -+not support variable output length digests such as EVP_shake128() and -+EVP_shake256(). - - HMAC_CTX_new() creates a new HMAC_CTX in heap memory. - -diff -up openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod ---- openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod 2019-05-03 08:55:51.555406608 +0200 -@@ -5,6 +5,7 @@ - RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1, - RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2, - RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP, -+RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1, - RSA_padding_add_SSLv23, RSA_padding_check_SSLv23, - RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption - padding -@@ -14,35 +15,46 @@ padding - #include - - int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, -- unsigned char *f, int fl); -+ const unsigned char *f, int fl); - - int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, -- unsigned char *f, int fl, int rsa_len); -+ const unsigned char *f, int fl, int rsa_len); - - int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, -- unsigned char *f, int fl); -+ const unsigned char *f, int fl); - - int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, -- unsigned char *f, int fl, int rsa_len); -+ const unsigned char *f, int fl, int rsa_len); - - int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, -- unsigned char *f, int fl, unsigned char *p, int pl); -+ const unsigned char *f, int fl, -+ const unsigned char *p, int pl); - - int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, -- unsigned char *f, int fl, int rsa_len, -- unsigned char *p, int pl); -+ const unsigned char *f, int fl, int rsa_len, -+ const unsigned char *p, int pl); -+ -+ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, -+ const unsigned char *f, int fl, -+ const unsigned char *p, int pl, -+ const EVP_MD *md, const EVP_MD *mgf1md); -+ -+ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, -+ const unsigned char *f, int fl, int rsa_len, -+ const unsigned char *p, int pl, -+ const EVP_MD *md, const EVP_MD *mgf1md); - - int RSA_padding_add_SSLv23(unsigned char *to, int tlen, -- unsigned char *f, int fl); -+ const unsigned char *f, int fl); - - int RSA_padding_check_SSLv23(unsigned char *to, int tlen, -- unsigned char *f, int fl, int rsa_len); -+ const unsigned char *f, int fl, int rsa_len); - - int RSA_padding_add_none(unsigned char *to, int tlen, -- unsigned char *f, int fl); -+ const unsigned char *f, int fl); - - int RSA_padding_check_none(unsigned char *to, int tlen, -- unsigned char *f, int fl, int rsa_len); -+ const unsigned char *f, int fl, int rsa_len); - - =head1 DESCRIPTION - -@@ -98,6 +110,10 @@ at B. - For RSA_padding_xxx_OAEP(), B

points to the encoding parameter - of length B. B

may be B if B is 0. - -+For RSA_padding_xxx_OAEP_mgf1(), B points to the md hash, -+if B is B that means md=sha1, and B points to -+the mgf1 hash, if B is B that means mgf1md=md. -+ - =head1 RETURN VALUES - - The RSA_padding_add_xxx() functions return 1 on success, 0 on error. -@@ -107,15 +123,21 @@ L. - - =head1 WARNING - --The RSA_padding_check_PKCS1_type_2() padding check leaks timing -+The result of RSA_padding_check_PKCS1_type_2() is a very sensitive - information which can potentially be used to mount a Bleichenbacher - padding oracle attack. This is an inherent weakness in the PKCS #1 --v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can --be recommended to pass zero-padded B, so that B equals to --B, and if fixed by protocol, B being set to the --expected length. In such case leakage would be minimal, it would --take attacker's ability to observe memory access pattern with byte --granilarity as it occurs, post-factum timing analysis won't do. -+v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not -+possible, the result of RSA_padding_check_PKCS1_type_2() should be -+checked in constant time if it matches the expected length of the -+plaintext and additionally some application specific consistency -+checks on the plaintext need to be performed in constant time. -+If the plaintext is rejected it must be kept secret which of the -+checks caused the application to reject the message. -+Do not remove the zero-padding from the decrypted raw RSA data -+which was computed by RSA_private_decrypt() with B, -+as this would create a small timing side channel which could be -+used to mount a Bleichenbacher attack against any padding mode -+including PKCS1_OAEP. - - =head1 SEE ALSO - -@@ -125,7 +147,7 @@ L, L - - =head1 COPYRIGHT - --Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. - - Licensed under the OpenSSL license (the "License"). You may not use - this file except in compliance with the License. You can obtain a copy -diff -up openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod ---- openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod 2019-05-03 08:55:51.555406608 +0200 -@@ -8,10 +8,10 @@ RSA_public_encrypt, RSA_private_decrypt - - #include - -- int RSA_public_encrypt(int flen, unsigned char *from, -+ int RSA_public_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); - -- int RSA_private_decrypt(int flen, unsigned char *from, -+ int RSA_private_decrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); - - =head1 DESCRIPTION -@@ -27,6 +27,8 @@ B denotes one of the following - =item RSA_PKCS1_PADDING - - PKCS #1 v1.5 padding. This currently is the most widely used mode. -+However, it is highly recommended to use RSA_PKCS1_OAEP_PADDING in -+new applications. SEE WARNING BELOW. - - =item RSA_PKCS1_OAEP_PADDING - -@@ -46,23 +48,35 @@ Encrypting user data directly with RSA i - - =back - --B must be less than RSA_size(B) - 11 for the PKCS #1 v1.5 --based padding modes, less than RSA_size(B) - 41 for -+B must not be more than RSA_size(B) - 11 for the PKCS #1 v1.5 -+based padding modes, not more than RSA_size(B) - 42 for - RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. --The random number generator must be seeded prior to calling --RSA_public_encrypt(). -+When a padding mode other than RSA_NO_PADDING is in use, then -+RSA_public_encrypt() will include some random bytes into the ciphertext -+and therefore the ciphertext will be different each time, even if the -+plaintext and the public key are exactly identical. -+The returned ciphertext in B will always be zero padded to exactly -+RSA_size(B) bytes. -+B and B may overlap. - - RSA_private_decrypt() decrypts the B bytes at B using the --private key B and stores the plaintext in B. B must point --to a memory section large enough to hold the decrypted data (which is --smaller than RSA_size(B)). B is the padding mode that --was used to encrypt the data. -+private key B and stores the plaintext in B. B should -+be equal to RSA_size(B) but may be smaller, when leading zero -+bytes are in the ciphertext. Those are not important and may be removed, -+but RSA_public_encrypt() does not do that. B must point -+to a memory section large enough to hold the maximal possible decrypted -+data (which is equal to RSA_size(B) for RSA_NO_PADDING, -+RSA_size(B) - 11 for the PKCS #1 v1.5 based padding modes and -+RSA_size(B) - 42 for RSA_PKCS1_OAEP_PADDING). -+B is the padding mode that was used to encrypt the data. -+B and B may overlap. - - =head1 RETURN VALUES - - RSA_public_encrypt() returns the size of the encrypted data (i.e., - RSA_size(B)). RSA_private_decrypt() returns the size of the --recovered plaintext. -+recovered plaintext. A return value of 0 is not an error and -+means only that the plaintext was empty. - - On error, -1 is returned; the error codes can be - obtained by L. -@@ -85,7 +99,7 @@ L - - =head1 COPYRIGHT - --Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. -+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. - - Licensed under the OpenSSL license (the "License"). You may not use - this file except in compliance with the License. You can obtain a copy -diff -up openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod ---- openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod 2019-05-03 08:55:51.537406917 +0200 -@@ -124,7 +124,10 @@ Textual representation of the cipher nam - - =item - --Protocol version, such as B, when the cipher was first defined. -+The minimum protocol version that the ciphersuite supports, such as B. -+Note that this is not always the same as the protocol version in which the -+ciphersuite was first defined because some ciphersuites are backwards compatible -+with earlier protocol versions. - - =item Kx= - -diff -up openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod ---- openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod 2019-05-03 08:55:51.534406969 +0200 -@@ -65,6 +65,8 @@ both required, and on success the caller - B<*out> using OPENSSL_free(). The contents of B<*out> is an array of integers - holding the numerical value of the TLS extension types in the order they appear - in the ClientHello. B<*outlen> contains the number of elements in the array. -+In situations when the ClientHello has no extensions, the function will return -+success with B<*out> set to NULL and B<*outlen> set to 0. - - =head1 NOTES - -diff -up openssl-1.1.1b/include/openssl/err.h.sync openssl-1.1.1b/include/openssl/err.h ---- openssl-1.1.1b/include/openssl/err.h.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/err.h 2019-05-03 08:55:51.548406728 +0200 -@@ -37,6 +37,7 @@ extern "C" { - # define ERR_TXT_STRING 0x02 - - # define ERR_FLAG_MARK 0x01 -+# define ERR_FLAG_CLEAR 0x02 - - # define ERR_NUM_ERRORS 16 - typedef struct err_state_st { -diff -up openssl-1.1.1b/ssl/ssl_lib.c.sync openssl-1.1.1b/ssl/ssl_lib.c ---- openssl-1.1.1b/ssl/ssl_lib.c.sync 2019-05-03 08:55:45.196515778 +0200 -+++ openssl-1.1.1b/ssl/ssl_lib.c 2019-05-03 08:55:51.535406951 +0200 -@@ -5089,6 +5089,11 @@ int SSL_client_hello_get1_extensions_pre - if (ext->present) - num++; - } -+ if (num == 0) { -+ *out = NULL; -+ *outlen = 0; -+ return 1; -+ } - if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) { - SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT, - ERR_R_MALLOC_FAILURE); -diff -up openssl-1.1.1b/ssl/ssl_locl.h.sync openssl-1.1.1b/ssl/ssl_locl.h ---- openssl-1.1.1b/ssl/ssl_locl.h.sync 2019-05-03 08:55:45.011518954 +0200 -+++ openssl-1.1.1b/ssl/ssl_locl.h 2019-05-03 08:55:51.541406848 +0200 -@@ -574,7 +574,6 @@ struct ssl_session_st { - /* Session lifetime hint in seconds */ - unsigned long tick_lifetime_hint; - uint32_t tick_age_add; -- int tick_identity; - /* Max number of bytes that can be sent as early data */ - uint32_t max_early_data; - /* The ALPN protocol selected for this session */ -@@ -1356,6 +1355,13 @@ struct ssl_st { - * as this extension is optional on server side. - */ - uint8_t max_fragment_len_mode; -+ + #ifndef OPENSSL_NO_ERR +-/* A measurement on Linux 2018-11-21 showed about 3.5kib */ +-# define SPACE_SYS_STR_REASONS 4 * 1024 ++/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */ ++# define SPACE_SYS_STR_REASONS 8 * 1024 + # define NUM_SYS_STR_REASONS 127 + + static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1]; +@@ -219,26 +219,30 @@ static void build_SYS_str_reasons(void) + ERR_STRING_DATA *str = &SYS_str_reasons[i - 1]; + + str->error = ERR_PACK(ERR_LIB_SYS, 0, i); +- if (str->string == NULL) { + /* -+ * On the client side the number of ticket identities we sent in the -+ * ClientHello. On the server side the identity of the ticket we -+ * selected. ++ * If we have used up all the space in strerror_pool, ++ * there's no point in calling openssl_strerror_r() + */ -+ int tick_identity; - } ext; ++ if (str->string == NULL && cnt < sizeof(strerror_pool)) { + if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) { +- size_t l = strlen(cur); ++ size_t l = strlen(cur) + 1; - /* -@@ -2052,9 +2058,6 @@ typedef enum downgrade_en { - #define TLSEXT_KEX_MODE_FLAG_KE 1 - #define TLSEXT_KEX_MODE_FLAG_KE_DHE 2 + str->string = cur; + cnt += l; +- if (cnt > sizeof(strerror_pool)) +- cnt = sizeof(strerror_pool); + cur += l; --/* An invalid index into the TLSv1.3 PSK identities */ --#define TLSEXT_PSK_BAD_IDENTITY -1 -- - #define SSL_USE_PSS(s) (s->s3->tmp.peer_sigalg != NULL && \ - s->s3->tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS) - -diff -up openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync openssl-1.1.1b/ssl/statem/extensions_clnt.c ---- openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/ssl/statem/extensions_clnt.c 2019-05-03 08:55:51.542406831 +0200 -@@ -993,7 +993,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s - const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; - int dores = 0; - -- s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY; -+ s->ext.tick_identity = 0; - - /* - * Note: At this stage of the code we only support adding a single -@@ -1083,6 +1083,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s - agems += s->session->ext.tick_age_add; - - reshashsize = EVP_MD_size(mdres); -+ s->ext.tick_identity++; - dores = 1; - } - -@@ -1142,6 +1143,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s - ERR_R_INTERNAL_ERROR); - return EXT_RETURN_FAIL; + /* + * VMS has an unusual quirk of adding spaces at the end of +- * some (most? all?) messages. Lets trim them off. ++ * some (most? all?) messages. Lets trim them off. + */ +- while (ossl_isspace(cur[-1])) { +- cur--; +- cnt--; ++ if (cur > strerror_pool && ossl_isspace(cur[-1])) { ++ while (cur > strerror_pool && ossl_isspace(cur[-1])) { ++ cur--; ++ cnt--; ++ } ++ *cur++ = '\0'; ++ cnt++; + } +- *cur++ = '\0'; +- cnt++; + } } -+ s->ext.tick_identity++; - } - - if (!WPACKET_close(pkt) -@@ -1180,11 +1182,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s - return EXT_RETURN_FAIL; - } - -- if (dores) -- s->session->ext.tick_identity = 0; -- if (s->psksession != NULL) -- s->psksession->ext.tick_identity = (dores ? 1 : 0); -- - return EXT_RETURN_SENT; - #else - return EXT_RETURN_NOT_SENT; -@@ -1927,8 +1924,7 @@ int tls_parse_stoc_early_data(SSL *s, PA - } - - if (!s->ext.early_data_ok -- || !s->hit -- || s->session->ext.tick_identity != 0) { -+ || !s->hit) { - /* - * If we get here then we didn't send early data, or we didn't resume - * using the first identity, or the SNI/ALPN is not consistent so the -@@ -1956,17 +1952,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p - return 0; - } - -- if (s->session->ext.tick_identity == (int)identity) { -+ if (identity >= (unsigned int)s->ext.tick_identity) { -+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, -+ SSL_R_BAD_PSK_IDENTITY); -+ return 0; -+ } -+ -+ /* -+ * Session resumption tickets are always sent before PSK tickets. If the -+ * ticket index is 0 then it must be for a session resumption ticket if we -+ * sent two tickets, or if we didn't send a PSK ticket. -+ */ -+ if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { - s->hit = 1; - SSL_SESSION_free(s->psksession); - s->psksession = NULL; - return 1; - } - -- if (s->psksession == NULL -- || s->psksession->ext.tick_identity != (int)identity) { -- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, -- SSL_R_BAD_PSK_IDENTITY); -+ if (s->psksession == NULL) { -+ /* Should never happen */ -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK, -+ ERR_R_INTERNAL_ERROR); - return 0; - } - -@@ -1985,6 +1992,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p - s->session = s->psksession; - s->psksession = NULL; - s->hit = 1; -+ /* Early data is only allowed if we used the first ticket */ -+ if (identity != 0) -+ s->ext.early_data_ok = 0; - #endif - - return 1; -diff -up openssl-1.1.1b/ssl/statem/extensions.c.sync openssl-1.1.1b/ssl/statem/extensions.c ---- openssl-1.1.1b/ssl/statem/extensions.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/ssl/statem/extensions.c 2019-05-03 08:55:51.541406848 +0200 -@@ -989,7 +989,6 @@ static int final_server_name(SSL *s, uns - ss->ext.ticklen = 0; - ss->ext.tick_lifetime_hint = 0; - ss->ext.tick_age_add = 0; -- ss->ext.tick_identity = 0; - if (!ssl_generate_session_id(s, ss)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, - ERR_R_INTERNAL_ERROR); -@@ -1646,7 +1645,6 @@ static int final_early_data(SSL *s, unsi - - if (s->max_early_data == 0 - || !s->hit -- || s->session->ext.tick_identity != 0 - || s->early_data_state != SSL_EARLY_DATA_ACCEPTING - || !s->ext.early_data_ok - || s->hello_retry_request != SSL_HRR_NONE -diff -up openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync openssl-1.1.1b/ssl/statem/extensions_srvr.c ---- openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/ssl/statem/extensions_srvr.c 2019-05-03 08:55:51.542406831 +0200 -@@ -1274,7 +1274,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *p - goto err; - } - -- sess->ext.tick_identity = id; -+ s->ext.tick_identity = id; - - SSL_SESSION_free(s->session); - s->session = sess; -@@ -1948,7 +1948,7 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s - - if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) - || !WPACKET_start_sub_packet_u16(pkt) -- || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity) -+ || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity) - || !WPACKET_close(pkt)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR); -diff -up openssl-1.1.1b/ssl/statem/statem_clnt.c.sync openssl-1.1.1b/ssl/statem/statem_clnt.c ---- openssl-1.1.1b/ssl/statem/statem_clnt.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/ssl/statem/statem_clnt.c 2019-05-03 08:55:51.543406814 +0200 -@@ -1613,10 +1613,7 @@ MSG_PROCESS_RETURN tls_process_server_he - * so the PAC-based session secret is always preserved. It'll be - * overwritten if the server refuses resumption. - */ -- if (s->session->session_id_length > 0 -- || (SSL_IS_TLS13(s) -- && s->session->ext.tick_identity -- != TLSEXT_PSK_BAD_IDENTITY)) { -+ if (s->session->session_id_length > 0) { - tsan_counter(&s->session_ctx->stats.sess_miss); - if (!ssl_get_new_session(s, 0)) { - /* SSLfatal() already called */ -diff -up openssl-1.1.1b/test/bio_memleak_test.c.sync openssl-1.1.1b/test/bio_memleak_test.c ---- openssl-1.1.1b/test/bio_memleak_test.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/bio_memleak_test.c 2019-05-03 08:55:51.556406591 +0200 -@@ -18,28 +18,170 @@ static int test_bio_memleak(void) - int ok = 0; - BIO *bio; - BUF_MEM bufmem; -- const char *str = "BIO test\n"; -+ static const char str[] = "BIO test\n"; - char buf[100]; - - bio = BIO_new(BIO_s_mem()); -- if (bio == NULL) -+ if (!TEST_ptr(bio)) - goto finish; -- bufmem.length = strlen(str) + 1; -+ bufmem.length = sizeof(str); - bufmem.data = (char *) str; - bufmem.max = bufmem.length; - BIO_set_mem_buf(bio, &bufmem, BIO_NOCLOSE); - BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY); -+ if (!TEST_int_eq(BIO_read(bio, buf, sizeof(buf)), sizeof(str))) -+ goto finish; -+ if (!TEST_mem_eq(buf, sizeof(str), str, sizeof(str))) -+ goto finish; -+ ok = 1; - -- if (BIO_read(bio, buf, sizeof(buf)) <= 0) -- goto finish; -+finish: -+ BIO_free(bio); -+ return ok; -+} - -- ok = strcmp(buf, str) == 0; -+static int test_bio_get_mem(void) -+{ -+ int ok = 0; -+ BIO *bio = NULL; -+ BUF_MEM *bufmem = NULL; -+ -+ bio = BIO_new(BIO_s_mem()); -+ if (!TEST_ptr(bio)) -+ goto finish; -+ if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12)) -+ goto finish; -+ BIO_get_mem_ptr(bio, &bufmem); -+ if (!TEST_ptr(bufmem)) -+ goto finish; -+ if (!TEST_int_gt(BIO_set_close(bio, BIO_NOCLOSE), 0)) -+ goto finish; -+ BIO_free(bio); -+ bio = NULL; -+ if (!TEST_mem_eq(bufmem->data, bufmem->length, "Hello World\n", 12)) -+ goto finish; -+ ok = 1; - - finish: - BIO_free(bio); -+ BUF_MEM_free(bufmem); - return ok; - } - -+static int test_bio_new_mem_buf(void) -+{ -+ int ok = 0; -+ BIO *bio; -+ BUF_MEM *bufmem; -+ char data[16]; -+ -+ bio = BIO_new_mem_buf("Hello World\n", 12); -+ if (!TEST_ptr(bio)) -+ goto finish; -+ if (!TEST_int_eq(BIO_read(bio, data, 5), 5)) -+ goto finish; -+ if (!TEST_mem_eq(data, 5, "Hello", 5)) -+ goto finish; -+ if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0)) -+ goto finish; -+ if (!TEST_int_lt(BIO_write(bio, "test", 4), 0)) -+ goto finish; -+ if (!TEST_int_eq(BIO_read(bio, data, 16), 7)) -+ goto finish; -+ if (!TEST_mem_eq(data, 7, " World\n", 7)) -+ goto finish; -+ if (!TEST_int_gt(BIO_reset(bio), 0)) -+ goto finish; -+ if (!TEST_int_eq(BIO_read(bio, data, 16), 12)) -+ goto finish; -+ if (!TEST_mem_eq(data, 12, "Hello World\n", 12)) -+ goto finish; -+ ok = 1; -+ -+finish: -+ BIO_free(bio); -+ return ok; -+} -+ -+static int test_bio_rdonly_mem_buf(void) -+{ -+ int ok = 0; -+ BIO *bio, *bio2 = NULL; -+ BUF_MEM *bufmem; -+ char data[16]; -+ -+ bio = BIO_new_mem_buf("Hello World\n", 12); -+ if (!TEST_ptr(bio)) -+ goto finish; -+ if (!TEST_int_eq(BIO_read(bio, data, 5), 5)) -+ goto finish; -+ if (!TEST_mem_eq(data, 5, "Hello", 5)) -+ goto finish; -+ if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0)) -+ goto finish; -+ (void)BIO_set_close(bio, BIO_NOCLOSE); -+ -+ bio2 = BIO_new(BIO_s_mem()); -+ if (!TEST_ptr(bio2)) -+ goto finish; -+ BIO_set_mem_buf(bio2, bufmem, BIO_CLOSE); -+ BIO_set_flags(bio2, BIO_FLAGS_MEM_RDONLY); -+ -+ if (!TEST_int_eq(BIO_read(bio2, data, 16), 7)) -+ goto finish; -+ if (!TEST_mem_eq(data, 7, " World\n", 7)) -+ goto finish; -+ if (!TEST_int_gt(BIO_reset(bio2), 0)) -+ goto finish; -+ if (!TEST_int_eq(BIO_read(bio2, data, 16), 7)) -+ goto finish; -+ if (!TEST_mem_eq(data, 7, " World\n", 7)) -+ goto finish; -+ ok = 1; -+ -+finish: -+ BIO_free(bio); -+ BIO_free(bio2); -+ return ok; -+} -+ -+static int test_bio_rdwr_rdonly(void) -+{ -+ int ok = 0; -+ BIO *bio = NULL; -+ char data[16]; -+ -+ bio = BIO_new(BIO_s_mem()); -+ if (!TEST_ptr(bio)) -+ goto finish; -+ if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12)) -+ goto finish; -+ -+ BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY); -+ if (!TEST_int_eq(BIO_read(bio, data, 16), 12)) -+ goto finish; -+ if (!TEST_mem_eq(data, 12, "Hello World\n", 12)) -+ goto finish; -+ if (!TEST_int_gt(BIO_reset(bio), 0)) -+ goto finish; -+ -+ BIO_clear_flags(bio, BIO_FLAGS_MEM_RDONLY); -+ if (!TEST_int_eq(BIO_puts(bio, "Hi!\n"), 4)) -+ goto finish; -+ if (!TEST_int_eq(BIO_read(bio, data, 16), 16)) -+ goto finish; -+ -+ if (!TEST_mem_eq(data, 16, "Hello World\nHi!\n", 16)) -+ goto finish; -+ -+ ok = 1; -+ -+finish: -+ BIO_free(bio); -+ return ok; -+} -+ -+ - int global_init(void) - { - CRYPTO_set_mem_debug(1); -@@ -50,5 +192,9 @@ int global_init(void) - int setup_tests(void) - { - ADD_TEST(test_bio_memleak); -+ ADD_TEST(test_bio_get_mem); -+ ADD_TEST(test_bio_new_mem_buf); -+ ADD_TEST(test_bio_rdonly_mem_buf); -+ ADD_TEST(test_bio_rdwr_rdonly); - return 1; - } -diff -up openssl-1.1.1b/test/ectest.c.sync openssl-1.1.1b/test/ectest.c ---- openssl-1.1.1b/test/ectest.c.sync 2019-05-03 08:55:45.127516962 +0200 -+++ openssl-1.1.1b/test/ectest.c 2019-05-03 08:55:51.524407140 +0200 -@@ -728,6 +728,74 @@ err: - BN_CTX_free(ctx); - return r; - } -+ -+/* -+ * Tests a point known to cause an incorrect underflow in an old version of -+ * ecp_nist521.c -+ */ -+static int underflow_test(void) -+{ -+ BN_CTX *ctx = NULL; -+ EC_GROUP *grp = NULL; -+ EC_POINT *P = NULL, *Q = NULL, *R = NULL; -+ BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL; -+ BIGNUM *k = NULL; -+ int testresult = 0; -+ const char *x1str = -+ "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4" -+ "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004"; -+ const char *p521m1 = -+ "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" -+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"; -+ -+ ctx = BN_CTX_new(); -+ if (!TEST_ptr(ctx)) -+ return 0; -+ -+ BN_CTX_start(ctx); -+ x1 = BN_CTX_get(ctx); -+ y1 = BN_CTX_get(ctx); -+ z1 = BN_CTX_get(ctx); -+ x2 = BN_CTX_get(ctx); -+ y2 = BN_CTX_get(ctx); -+ k = BN_CTX_get(ctx); -+ if (!TEST_ptr(k)) -+ goto err; -+ -+ grp = EC_GROUP_new_by_curve_name(NID_secp521r1); -+ P = EC_POINT_new(grp); -+ Q = EC_POINT_new(grp); -+ R = EC_POINT_new(grp); -+ if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R)) -+ goto err; -+ -+ if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0) -+ || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0) -+ || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0) -+ || !TEST_int_gt(BN_hex2bn(&k, "02"), 0) -+ || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1, -+ y1, z1, ctx)) -+ || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx)) -+ || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx)) -+ || !TEST_true(EC_POINT_dbl(grp, R, P, ctx)) -+ || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx))) -+ goto err; -+ -+ if (!TEST_int_eq(BN_cmp(x1, x2), 0) -+ || !TEST_int_eq(BN_cmp(y1, y2), 0)) -+ goto err; -+ -+ testresult = 1; -+ -+ err: -+ BN_CTX_end(ctx); -+ EC_POINT_free(P); -+ EC_POINT_free(Q); -+ EC_GROUP_free(grp); -+ BN_CTX_free(ctx); -+ -+ return testresult; -+} - # endif - - static const unsigned char p521_named[] = { -@@ -835,6 +903,7 @@ int setup_tests(void) - # endif - # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 - ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params)); -+ ADD_TEST(underflow_test); - # endif - ADD_ALL_TESTS(internal_curve_test, crv_len); - ADD_ALL_TESTS(internal_curve_test_method, crv_len); -diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt ---- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-03 08:55:51.552406659 +0200 -@@ -2232,7 +2232,7 @@ IV = 00000000000000000000000000000000 - Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd - Ciphertext = 30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd - --Title = ARIA GCM test vectors from IETF draft-ietf-avtcore-aria-srtp-10 -+Title = ARIA GCM test vectors from RFC8269 - - Cipher = ARIA-128-GCM - Key = e91e5e75da65554a48181f3846349562 -@@ -2250,6 +2250,36 @@ Tag = e210d6ced2cf430ff841472915e7ef48 - Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 - Ciphertext = 6f9e4bcbc8c85fc0128fb1e4a0a20cb9932ff74581f54fc013dd054b19f99371425b352d97d3f337b90b63d1b082adeeea9d2d7391897d591b985e55fb50cb5350cf7d38dc27dda127c078a149c8eb98083d66363a46e3726af217d3a00275ad5bf772c7610ea4c23006878f0ee69a8397703169a419303f40b72e4573714d19e2697df61e7c7252e5abc6bade876ac4961bfac4d5e867afca351a48aed52822 - -+Title = ARIA GCM self-generated test vectors -+ -+Cipher = ARIA-128-GCM -+Key = e91e5e75da65554a48181f3846349562 -+# Shorter than default IV -+IV = 0001020304 -+AAD = 8008315ebf2e6fe020e8f5eb -+Tag = ebaa2645bb154542117ee46031aa176e -+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 -+Ciphertext = 1723ccfc0ed44a12520473cfeb63bc933cd450a943f5f1cba78e19d72f80cc102acc51f2459a06cf6435182b8ddd451f83e13479efe5ec7dfbf16229f4017920fb41457a9b6fe1a401b30b2f332d827ae2f86e962326927c1ed8bfedac1f7a00ddde63bd392a8f28a488ba5974689f8d15b9b1739fb50aae0ff244026ec72064003c621b33ffc8086b0a97eefb70604a2826f6499f6eb12d67a0da03fc8e1482 -+ -+Cipher = ARIA-128-GCM -+Key = e91e5e75da65554a48181f3846349562 -+# Longer than default IV -+IV = 000102030405060708090a0b0c0d0e0f -+AAD = 8008315ebf2e6fe020e8f5eb -+Tag = 61f7f44c7da3c60195b29ae0b46051a4 -+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 -+Ciphertext = 0d3e98fcaf7a2c4fe9198d66add90d113e5e0ff47598c40a4bf501960d935a4156c9a4d46c9358a608e10a16479a4247c9ab9bb4a02809e3eac3571b832590fe2ca3e2d545741e36282d96c041fc7d39a46ed60214c2c0ec70f27768dfea4f9563b5d5c2ac33b1368a78f2908f5daf942433fec6ab588f09e908e95cc8dfa85d1a0dfd5835dc14e148323230c63eedc99a9ce942214cb3768b97b821d613629f -+ -+Cipher = ARIA-128-GCM -+Key = e91e5e75da65554a48181f3846349562 -+# Extra long IV -+IV = 000102030405060708090a0b0c0d0e0f1011 -+AAD = 8008315ebf2e6fe020e8f5eb -+Tag = c8b31ab6c2ddccab06b76af4e56e664e -+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 -+Ciphertext = 616a7bce24206501082cef7267c09a4affa54f8f82eb7fb2cdebdcaab4b6ab05c37e891c2d0fc90d15c5fb684247625c8bc0befad86896ae1c8f5a8506954caba4e13df0a0eb23853d4474e7f3b2c57bb398456a24d198e14566bce8a5f8d3bcdb12994d2fdc0f5cf19aeff990c1fe119e01f9fcc86757b1d43a9accf7b2f913c2208a46c1967f403867f89b46ffe96864c63f042265806ea5270e0dddd0e8dd -+ -+ - Title = ARIA CCM test vectors from IETF draft-ietf-avtcore-aria-srtp-02 - - # 16-byte Tag -@@ -2357,14 +2387,41 @@ Operation = ENCRYPT - Plaintext = B41E6BE2EBA84A148E2EED84593C5EC7 - Ciphertext = 9B9B7BFCD1813CB95D0B3618F40F5122 - --Title = Chacha20 -+Title = Chacha20 test vectors from RFC7539 - -+# A.1 Test Vector 1 - Cipher = chacha20 - Key = 0000000000000000000000000000000000000000000000000000000000000000 - IV = 00000000000000000000000000000000 - Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 - Ciphertext = 76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586 - -+# A.1 Test Vector 2 -+Cipher = chacha20 -+Key = 0000000000000000000000000000000000000000000000000000000000000000 -+IV = 01000000000000000000000000000000 -+Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -+Ciphertext = 9f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29b721769ce64e43d57133b074d839d531ed1f28510afb45ace10a1f4b794d6f -+ -+# A.2 Test Vector 1 is the same as A.1 Test Vector 1 -+# A.2 Test Vector 2 -+Cipher = chacha20 -+Key = 0000000000000000000000000000000000000000000000000000000000000001 -+#Counter (first 4 bytes) expressed in little-endian order -+IV = 01000000000000000000000000000002 -+Plaintext = 416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f -+Ciphertext = a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221 -+ -+# A.2 Test Vector 3 -+Cipher = chacha20 -+Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 -+#Counter (first 4 bytes) expressed in little-endian order -+IV = 2a000000000000000000000000000002 -+Plaintext = 2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e -+Ciphertext = 62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1 -+ -+Title = Chacha20 -+ - Cipher = chacha20 - Key = 0000000000000000000000000000000000000000000000000000000000000001 - IV = 00000000000000000000000000000000 -@@ -2506,3 +2563,12 @@ AAD = f33388860000000000004e91 - Tag = e0723bce23528ce6ccb10ff9627038bf - Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d - Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140 -+ -+Cipher = chacha20-poly1305 -+Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 -+IV = ff000000000102030405060708 -+AAD = f33388860000000000004e91 -+Tag = e0723bce23528ce6ccb10ff9627038bf -+Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d -+Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140 -+Result = INVALID_IV_LENGTH -diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt ---- openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt 2019-05-03 08:55:51.539406883 +0200 -@@ -351,6 +351,14 @@ Input = "Sample message for keylen>block - Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687 - Output = 5f464f5e5b7848e3885e49b2c385f0694985d0e38966242dc4a5fe3fea4b37d46b65ceced5dcf59438dd840bab22269f0ba7febdb9fcf74602a35666b2a32915 - -+Title = HMAC self generated tests -+ -+MAC = HMAC -+Algorithm = SHAKE128 -+Input = "Test that SHAKE128 fails" -+Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f -+Result = DIGESTSIGNINIT_ERROR -+ - - Title = CMAC tests (from FIPS module) - -diff -up openssl-1.1.1b/test/recipes/80-test_cms.t.sync openssl-1.1.1b/test/recipes/80-test_cms.t ---- openssl-1.1.1b/test/recipes/80-test_cms.t.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/recipes/80-test_cms.t 2019-05-03 08:55:51.533406986 +0200 -@@ -308,6 +308,14 @@ my @smime_cms_param_tests = ( - "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] - ], - -+ [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=-3", -+ [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", -+ "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", -+ "-keyopt", "rsa_pss_saltlen:-3", "-out", "test.cms" ], -+ [ "-verify", "-in", "test.cms", "-inform", "PEM", -+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] -+ ], -+ - [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes", - [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr", - "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", -diff -up openssl-1.1.1b/test/rsa_test.c.sync openssl-1.1.1b/test/rsa_test.c ---- openssl-1.1.1b/test/rsa_test.c.sync 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/rsa_test.c 2019-05-03 08:55:51.523407157 +0200 -@@ -1,5 +1,5 @@ - /* -- * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -268,6 +268,36 @@ err: - return ret; - } - -+static int test_rsa_sslv23(int idx) -+{ -+ int ret = 0; -+ RSA *key; -+ unsigned char ptext[256]; -+ unsigned char ctext[256]; -+ static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; -+ unsigned char ctext_ex[256]; -+ int plen; -+ int clen = 0; -+ int num; -+ -+ plen = sizeof(ptext_ex) - 1; -+ clen = rsa_setkey(&key, ctext_ex, idx); -+ -+ num = RSA_public_encrypt(plen, ptext_ex, ctext, key, -+ RSA_SSLV23_PADDING); -+ if (!TEST_int_eq(num, clen)) -+ goto err; -+ -+ num = RSA_private_decrypt(num, ctext, ptext, key, RSA_SSLV23_PADDING); -+ if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) -+ goto err; -+ -+ ret = 1; -+err: -+ RSA_free(key); -+ return ret; -+} -+ - static int test_rsa_oaep(int idx) - { - int ret = 0; -@@ -332,6 +362,7 @@ err: - int setup_tests(void) - { - ADD_ALL_TESTS(test_rsa_pkcs1, 3); -+ ADD_ALL_TESTS(test_rsa_sslv23, 3); - ADD_ALL_TESTS(test_rsa_oaep, 3); - return 1; - } + if (str->string == NULL) diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch index 2d1df0a..7970b84 100644 --- a/openssl-1.1.1-version-override.patch +++ b/openssl-1.1.1-version-override.patch @@ -1,12 +1,12 @@ -diff -up openssl-1.1.1b/include/openssl/opensslv.h.version-override openssl-1.1.1b/include/openssl/opensslv.h ---- openssl-1.1.1b/include/openssl/opensslv.h.version-override 2019-02-28 11:34:56.427361796 +0100 -+++ openssl-1.1.1b/include/openssl/opensslv.h 2019-02-28 11:35:40.487542747 +0100 +diff -up openssl-1.1.1c/include/openssl/opensslv.h.version-override openssl-1.1.1c/include/openssl/opensslv.h +--- openssl-1.1.1c/include/openssl/opensslv.h.version-override 2019-05-29 15:52:30.014734859 +0200 ++++ openssl-1.1.1c/include/openssl/opensslv.h 2019-05-29 15:53:23.093800831 +0200 @@ -40,7 +40,7 @@ extern "C" { * major minor fix final patch/beta) */ - # define OPENSSL_VERSION_NUMBER 0x1010102fL --# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1b 26 Feb 2019" -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1b FIPS 26 Feb 2019" + # define OPENSSL_VERSION_NUMBER 0x1010103fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c 28 May 2019" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c FIPS 28 May 2019" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/openssl.spec b/openssl.spec index 04bb83f..4de014a 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,8 +21,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.1.1b -Release: 10%{?dist} +Version: 1.1.1c +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -454,6 +454,9 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Wed May 29 2019 Tomáš Mráz 1.1.1c-1 +- update to the 1.1.1c release + * Fri May 10 2019 Tomáš Mráz 1.1.1b-10 - Another attempt at the AES-CCM regression fix diff --git a/sources b/sources index 6456faf..1c013a4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-1.1.1b-hobbled.tar.xz) = 8055b19bfeec41fe0607c04d468d2f16a1e5fe02642c8deb67b00878be7e28ab266d13da41b9576800cba0b9448253f26f72ab8889d666f5d23103648f80bea1 +SHA512 (openssl-1.1.1c-hobbled.tar.xz) = e6476209366d284bd02dca7e59a7ba2562aa7c58c91f0063b1e2b0f1a7f96fcff000e26d9c6f59b944e047b3305d237ed442f702ddd2e8c6c7a4d5b12e23c8db