diff --git a/.gitignore b/.gitignore
index d7d7167..f42fbf0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,3 +46,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1c-hobbled.tar.xz
 /openssl-1.1.1d-hobbled.tar.xz
 /openssl-1.1.1e-hobbled.tar.xz
+/openssl-1.1.1f-hobbled.tar.xz
diff --git a/openssl-1.1.1-build.patch b/openssl-1.1.1-build.patch
index cfe20f6..c0ef62b 100644
--- a/openssl-1.1.1-build.patch
+++ b/openssl-1.1.1-build.patch
@@ -1,28 +1,7 @@
-diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build 2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-16 17:15:38.108831031 +0200
-@@ -680,7 +680,7 @@ uninstall_runtime:
- install_man_docs:
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(ECHO) "*** Installing manpages"
-- $(PERL) $(SRCDIR)/util/process_docs.pl \
-+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
- 
- uninstall_man_docs:
-@@ -692,7 +692,7 @@ uninstall_man_docs:
- install_html_docs:
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(ECHO) "*** Installing HTML manpages"
-- $(PERL) $(SRCDIR)/util/process_docs.pl \
-+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- --destdir=$(DESTDIR)$(HTMLDIR) --type=html
- 
- uninstall_html_docs:
-diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf
---- openssl-1.1.1-pre8/Configurations/10-main.conf.build 2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/Configurations/10-main.conf 2018-07-16 17:17:10.312045203 +0200
-@@ -693,6 +693,7 @@ my %targets = (
+diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
+--- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200
++++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200
+@@ -678,6 +678,7 @@ my %targets = (
 cxxflags => add("-m64"),
 lib_cppflags => add("-DL_ENDIAN"),
 perlasm_scheme => "linux64le",
@@ -30,7 +9,7 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
 },
 "linux-armv4" => {
-@@ -733,6 +734,7 @@ my %targets = (
+@@ -718,6 +719,7 @@ my %targets = (
 "linux-aarch64" => {
 inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
 perlasm_scheme => "linux64",
@@ -38,3 +17,24 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
 },
 "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
 inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
+diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200
++++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200
+@@ -823,7 +823,7 @@ uninstall_runtime_libs:
+ install_man_docs:
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(ECHO) "*** Installing manpages"
+- $(PERL) $(SRCDIR)/util/process_docs.pl \
++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ "--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
+ 
+ uninstall_man_docs:
+@@ -835,7 +835,7 @@ uninstall_man_docs:
+ install_html_docs:
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(ECHO) "*** Installing HTML manpages"
+- $(PERL) $(SRCDIR)/util/process_docs.pl \
++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ "--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
+ 
+ uninstall_html_docs:
diff --git a/openssl-1.1.1-eof-error-revert.patch b/openssl-1.1.1-eof-error-revert.patch
deleted file mode 100644
index cfb0d6d..0000000
--- a/openssl-1.1.1-eof-error-revert.patch
+++ /dev/null
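Review bot: The `TZ=UTC` prefix added on the two `process_docs.pl` recipe lines only pins the timezone that is folded into whatever date the manpage generator (presumably pod2man underneath) stamps into its output; if the intent is reproducible manpages, the date itself still comes from the build host clock or file mtimes unless the generator also honours `SOURCE_DATE_EPOCH`, which is neither set nor mentioned in this patch. Nothing in the hunk records why the variable is there, so the next rebase is likely to treat it as noise; I would put a comment line directly above the `install_man_docs:` target in the patched template, e.g. `# TZ=UTC: keep the date embedded in generated manpages independent of the build host timezone`, and confirm that SOURCE_DATE_EPOCH is exported by the RPM build environment so the two together give a deterministic stamp. The two recipes are complete within the hunk, but the surrounding Makefile template and the spec file that applies this patch are not visible here.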
@@ -1,101 +0,0 @@
-diff -up openssl-1.1.1e/CHANGES.eof-revert openssl-1.1.1e/CHANGES
---- openssl-1.1.1e/CHANGES.eof-revert 2020-03-26 15:07:42.123628736 +0100
-+++ openssl-1.1.1e/CHANGES 2020-03-26 15:10:13.309733024 +0100
-@@ -8,7 +8,8 @@
- release branch.
- 
- Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
-- *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
-+ *) **** REVERTED on 1.1.1 branch after 1.1.1e release ****
-+ Properly detect EOF while reading in libssl. Previously if we hit an EOF
- while reading in libssl then we would report an error back to the
- application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
- an error to the stack (which means we instead return SSL_ERROR_SSL) and
-diff -up openssl-1.1.1e/crypto/err/openssl.txt.eof-revert openssl-1.1.1e/crypto/err/openssl.txt
---- openssl-1.1.1e/crypto/err/openssl.txt.eof-revert 2020-03-26 15:07:42.085629464 +0100
-+++ openssl-1.1.1e/crypto/err/openssl.txt 2020-03-26 15:07:42.124628717 +0100
-@@ -2901,7 +2901,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:2
- SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
- SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
- SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
--SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading
- SSL_R_UNEXPECTED_MESSAGE:244:unexpected message
- SSL_R_UNEXPECTED_RECORD:245:unexpected record
- SSL_R_UNINITIALIZED:276:uninitialized
-diff -up openssl-1.1.1e/doc/man3/SSL_get_error.pod.eof-revert openssl-1.1.1e/doc/man3/SSL_get_error.pod
---- openssl-1.1.1e/doc/man3/SSL_get_error.pod.eof-revert 2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/doc/man3/SSL_get_error.pod 2020-03-26 15:07:42.125628698 +0100
-@@ -155,6 +155,18 @@ connection and SSL_shutdown() must not b
- 
- =back
- 
-+=head1 BUGS
-+
-+The B with B value of 0 indicates unexpected EOF from
-+the peer. This will be properly reported as B with reason
-+code B in the OpenSSL 3.0 release because
-+it is truly a TLS protocol error to terminate the connection without
-+a SSL_shutdown().
-+
-+The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications
-+which choose to ignore this protocol error depend on the existing way of
-+reporting the error.
-+
- =head1 SEE ALSO
- 
- L
-diff -up openssl-1.1.1e/include/openssl/sslerr.h.eof-revert openssl-1.1.1e/include/openssl/sslerr.h
---- openssl-1.1.1e/include/openssl/sslerr.h.eof-revert 2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/include/openssl/sslerr.h 2020-03-26 15:07:42.125628698 +0100
-@@ -1,6 +1,6 @@
- /*
- * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void);
- # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
- # define SSL_R_UNEXPECTED_CCS_MESSAGE 262
- # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
--# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294
- # define SSL_R_UNEXPECTED_MESSAGE 244
- # define SSL_R_UNEXPECTED_RECORD 245
- # define SSL_R_UNINITIALIZED 276
-diff -up openssl-1.1.1e/ssl/record/rec_layer_s3.c.eof-revert openssl-1.1.1e/ssl/record/rec_layer_s3.c
---- openssl-1.1.1e/ssl/record/rec_layer_s3.c.eof-revert 2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/ssl/record/rec_layer_s3.c 2020-03-26 15:07:42.125628698 +0100
-@@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t
- ret = BIO_read(s->rbio, pkt + len + left, max - left);
- if (ret >= 0)
- bioread = ret;
-- if (ret <= 0
-- && !BIO_should_retry(s->rbio)
-- && BIO_eof(s->rbio)) {
-- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N,
-- SSL_R_UNEXPECTED_EOF_WHILE_READING);
-- }
- } else {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,
- SSL_R_READ_BIO_NOT_SET);
-diff -up openssl-1.1.1e/ssl/ssl_err.c.eof-revert openssl-1.1.1e/ssl/ssl_err.c
---- openssl-1.1.1e/ssl/ssl_err.c.eof-revert 2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/ssl/ssl_err.c 2020-03-26 15:07:42.126628679 +0100
-@@ -1,6 +1,6 @@
- /*
- * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_rea
- "unexpected ccs message"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
- "unexpected end of early data"},
-- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING),
-- "unexpected eof while reading"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
diff --git a/openssl-1.1.1-no-html.patch b/openssl-1.1.1-no-html.patch
index 6688d1c..d0e335e 100644
--- a/openssl-1.1.1-no-html.patch
+++ b/openssl-1.1.1-no-html.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1d/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1d/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1d/Configurations/unix-Makefile.tmpl.no-html 2019-09-13 15:00:32.976774673 +0200
-+++ openssl-1.1.1d/Configurations/unix-Makefile.tmpl 2019-09-13 15:02:22.283864321 +0200
+diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1f/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html 2020-04-07 16:45:21.904083989 +0200
++++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:45:56.218461895 +0200
 @@ -544,7 +544,7 @@ install_sw: install_dev install_engines
 uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
@@ -9,4 +9,4 @@ diff -up openssl-1.1.1d/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1d
 +install_docs: install_man_docs
 uninstall_docs: uninstall_man_docs uninstall_html_docs
- $(RM) -r $(DESTDIR)$(DOCDIR)
+ $(RM) -r "$(DESTDIR)$(DOCDIR)"
diff --git a/openssl-1.1.1-regression-fixes.patch b/openssl-1.1.1-regression-fixes.patch
deleted file mode 100644
index 11099a1..0000000
--- a/openssl-1.1.1-regression-fixes.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -up openssl-1.1.1b/crypto/conf/conf_lib.c.regression openssl-1.1.1b/crypto/conf/conf_lib.c
---- openssl-1.1.1b/crypto/conf/conf_lib.c.regression 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/conf/conf_lib.c 2019-05-10 14:28:57.718049429 +0200
-@@ -356,8 +356,10 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(
- {
- OPENSSL_INIT_SETTINGS *ret = malloc(sizeof(*ret));
- 
-- if (ret != NULL)
-- memset(ret, 0, sizeof(*ret));
-+ if (ret == NULL)
-+ return NULL;
-+
-+ memset(ret, 0, sizeof(*ret));
- ret->flags = DEFAULT_CONF_MFLAGS;
- 
- return ret;
diff --git a/openssl-1.1.1-upstream-sync.patch b/openssl-1.1.1-upstream-sync.patch
new file mode 100644
index 0000000..6904a03
--- /dev/null
+++ b/openssl-1.1.1-upstream-sync.patch
@@ -0,0 +1,671 @@
+diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
+index 336afc989d..831b74ce6c 100644
+--- a/crypto/ec/ec_asn1.c
++++ b/crypto/ec/ec_asn1.c
+@@ -1297,5 +1297,7 @@ int ECDSA_size(const EC_KEY *r)
+ i = i2d_ASN1_INTEGER(&bs, NULL);
+ i += i; /* r and s */
+ ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE);
++ if (ret < 0)
++ return 0;
+ return ret;
+ }
+diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
+index 3554ada827..22b00e203d 100644
+--- a/crypto/ec/ec_lib.c
++++ b/crypto/ec/ec_lib.c
+@@ -1007,14 +1007,14 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+ size_t i = 0;
+ BN_CTX *new_ctx = NULL;
+ 
+- if ((scalar == NULL) && (num == 0)) {
+- return EC_POINT_set_to_infinity(group, r);
+- }
+-
+ if (!ec_point_is_compat(r, group)) {
+ ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
+ return 0;
+ }
++
++ if (scalar == NULL && num == 0)
++ return EC_POINT_set_to_infinity(group, r);
++
+ for (i = 0; i < num; i++) {
+ if (!ec_point_is_compat(points[i], group)) {
+ ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
+diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
+index 7980a67282..d2e4773270 100644
+--- a/crypto/ec/ec_mult.c
++++ b/crypto/ec/ec_mult.c
+@@ -260,17 +260,10 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
+ goto err;
+ }
+ 
+- /*-
+- * Apply coordinate blinding for EC_POINT.
+- *
+- * The underlying EC_METHOD can optionally implement this function:
+- * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
+- * success or if coordinate blinding is not implemented for this
+- * group.
+- */
+- if (!ec_point_blind_coordinates(group, p, ctx)) {
+- ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_POINT_COORDINATES_BLIND_FAILURE);
+- goto err;
++ /* ensure input point is in affine coords for ladder step efficiency */
++ if (!p->Z_is_one && !EC_POINT_make_affine(group, p, ctx)) {
++ ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB);
++ goto err;
+ }
+ 
+ /* Initialize the Montgomery ladder */
+@@ -747,6 +740,20 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+ if (r_is_at_infinity) {
+ if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
+ goto err;
++
++ /*-
++ * Apply coordinate blinding for EC_POINT.
++ *
++ * The underlying EC_METHOD can optionally implement this function:
++ * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
++ * success or if coordinate blinding is not implemented for this
++ * group.
++ */
++ if (!ec_point_blind_coordinates(group, r, ctx)) {
++ ECerr(EC_F_EC_WNAF_MUL, EC_R_POINT_COORDINATES_BLIND_FAILURE);
++ goto err;
++ }
++
+ r_is_at_infinity = 0;
+ } else {
+ if (!EC_POINT_add
+diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c
+index b354bfe9ce..6903db58ff 100644
+--- a/crypto/ec/ecp_smpl.c
++++ b/crypto/ec/ecp_smpl.c
+@@ -1372,6 +1372,7 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+ * Computes the multiplicative inverse of a in GF(p), storing the result in r.
+ * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
+ * Since we don't have a Mont structure here, SCA hardening is with blinding.
++ * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.)
+ */
+ int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *ctx)
+@@ -1431,112 +1432,133 @@ int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
+ temp = BN_CTX_get(ctx);
+ if (temp == NULL) {
+ ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
+- goto err;
++ goto end;
+ }
+ 
+- /* make sure lambda is not zero */
++ /*-
++ * Make sure lambda is not zero.
++ * If the RNG fails, we cannot blind but nevertheless want
++ * code to continue smoothly and not clobber the error stack.
++ */
+ do {
+- if (!BN_priv_rand_range(lambda, group->field)) {
+- ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_BN_LIB);
+- goto err;
++ ERR_set_mark();
++ ret = BN_priv_rand_range(lambda, group->field);
++ ERR_pop_to_mark();
++ if (ret == 0) {
++ ret = 1;
++ goto end;
+ }
+ } while (BN_is_zero(lambda));
+ 
+ /* if field_encode defined convert between representations */
+- if (group->meth->field_encode != NULL
+- && !group->meth->field_encode(group, lambda, lambda, ctx))
+- goto err;
+- if (!group->meth->field_mul(group, p->Z, p->Z, lambda, ctx))
+- goto err;
+- if (!group->meth->field_sqr(group, temp, lambda, ctx))
+- goto err;
+- if (!group->meth->field_mul(group, p->X, p->X, temp, ctx))
+- goto err;
+- if (!group->meth->field_mul(group, temp, temp, lambda, ctx))
+- goto err;
+- if (!group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
+- goto err;
+- p->Z_is_one = 0;
++ if ((group->meth->field_encode != NULL
++ && !group->meth->field_encode(group, lambda, lambda, ctx))
++ || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
++ || !group->meth->field_sqr(group, temp, lambda, ctx)
++ || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
++ || !group->meth->field_mul(group, temp, temp, lambda, ctx)
++ || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
++ goto end;
+ 
++ p->Z_is_one = 0;
+ ret = 1;
+ 
+- err:
++ end:
+ BN_CTX_end(ctx);
+ return ret;
+ }
+ 
+ /*-
+- * Set s := p, r := 2p.
++ * Input:
++ * - p: affine coordinates
++ *
++ * Output:
++ * - s := p, r := 2p: blinded projective (homogeneous) coordinates
+ *
+ * For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve
+- * multiplication resistant against side channel attacks" appendix, as described
+- * at
++ * multiplication resistant against side channel attacks" appendix, described at
+ * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
++ * simplified for Z1=1.
+ *
+- * The input point p will be in randomized Jacobian projective coords:
+- * x = X/Z**2, y=Y/Z**3
+- *
+- * The output points p, s, and r are converted to standard (homogeneous)
+- * projective coords:
+- * x = X/Z, y=Y/Z
++ * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z)
++ * for any non-zero \lambda that holds for projective (homogeneous) coords.
+ */
+ int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx)
+ {
+- BIGNUM *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
++ BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL;
+ 
+- t1 = r->Z;
+- t2 = r->Y;
++ t1 = s->Z;
++ t2 = r->Z;
+ t3 = s->X;
+ t4 = r->X;
+ t5 = s->Y;
+- t6 = s->Z;
+-
+- /* convert p: (X,Y,Z) -> (XZ,Y,Z**3) */
+- if (!group->meth->field_mul(group, p->X, p->X, p->Z, ctx)
+- || !group->meth->field_sqr(group, t1, p->Z, ctx)
+- || !group->meth->field_mul(group, p->Z, p->Z, t1, ctx)
+- /* r := 2p */
+- || !group->meth->field_sqr(group, t2, p->X, ctx)
+- || !group->meth->field_sqr(group, t3, p->Z, ctx)
+- || !group->meth->field_mul(group, t4, t3, group->a, ctx)
+- || !BN_mod_sub_quick(t5, t2, t4, group->field)
+- || !BN_mod_add_quick(t2, t2, t4, group->field)
+- || !group->meth->field_sqr(group, t5, t5, ctx)
+- || !group->meth->field_mul(group, t6, t3, group->b, ctx)
+- || !group->meth->field_mul(group, t1, p->X, p->Z, ctx)
+- || !group->meth->field_mul(group, t4, t1, t6, ctx)
+- || !BN_mod_lshift_quick(t4, t4, 3, group->field)
++
++ if (!p->Z_is_one /* r := 2p */
++ || !group->meth->field_sqr(group, t3, p->X, ctx)
++ || !BN_mod_sub_quick(t4, t3, group->a, group->field)
++ || !group->meth->field_sqr(group, t4, t4, ctx)
++ || !group->meth->field_mul(group, t5, p->X, group->b, ctx)
++ || !BN_mod_lshift_quick(t5, t5, 3, group->field)
+ /* r->X coord output */
+- || !BN_mod_sub_quick(r->X, t5, t4, group->field)
+- || !group->meth->field_mul(group, t1, t1, t2, ctx)
+- || !group->meth->field_mul(group, t2, t3, t6, ctx)
+- || !BN_mod_add_quick(t1, t1, t2, group->field)
++ || !BN_mod_sub_quick(r->X, t4, t5, group->field)
++ || !BN_mod_add_quick(t1, t3, group->a, group->field)
++ || !group->meth->field_mul(group, t2, p->X, t1, ctx)
++ || !BN_mod_add_quick(t2, group->b, t2, group->field)
+ /* r->Z coord output */
+- || !BN_mod_lshift_quick(r->Z, t1, 2, group->field)
+- || !EC_POINT_copy(s, p))
++ || !BN_mod_lshift_quick(r->Z, t2, 2, group->field))
++ return 0;
++
++ /* make sure lambda (r->Y here for storage) is not zero */
++ do {
++ if (!BN_priv_rand_range(r->Y, group->field))
++ return 0;
++ } while (BN_is_zero(r->Y));
++
++ /* make sure lambda (s->Z here for storage) is not zero */
++ do {
++ if (!BN_priv_rand_range(s->Z, group->field))
++ return 0;
++ } while (BN_is_zero(s->Z));
++
++ /* if field_encode defined convert between representations */
++ if (group->meth->field_encode != NULL
++ && (!group->meth->field_encode(group, r->Y, r->Y, ctx)
++ || !group->meth->field_encode(group, s->Z, s->Z, ctx)))
++ return 0;
++
++ /* blind r and s independently */
++ if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
++ || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx)
++ || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */
+ return 0;
+ 
+ r->Z_is_one = 0;
+ s->Z_is_one = 0;
+- p->Z_is_one = 0;
+ 
+ return 1;
+ }
+ 
+ /*-
+- * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
++ * Input:
++ * - s, r: projective (homogeneous) coordinates
++ * - p: affine coordinates
++ *
++ * Output:
++ * - s := r + s, r := 2r: projective (homogeneous) coordinates
++ *
++ * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
+ * "A fast parallel elliptic curve multiplication resistant against side channel
+ * attacks", as described at
+- * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
++ * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4
+ */
+ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx)
+ {
+ int ret = 0;
+- BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6, *t7 = NULL;
++ BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
+ 
+ BN_CTX_start(ctx);
+ t0 = BN_CTX_get(ctx);
+@@ -1546,50 +1568,47 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
+ t4 = BN_CTX_get(ctx);
+ t5 = BN_CTX_get(ctx);
+ t6 = BN_CTX_get(ctx);
+- t7 = BN_CTX_get(ctx);
+ 
+- if (t7 == NULL
+- || !group->meth->field_mul(group, t0, r->X, s->X, ctx)
+- || !group->meth->field_mul(group, t1, r->Z, s->Z, ctx)
+- || !group->meth->field_mul(group, t2, r->X, s->Z, ctx)
++ if (t6 == NULL
++ || !group->meth->field_mul(group, t6, r->X, s->X, ctx)
++ || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
++ || !group->meth->field_mul(group, t4, r->X, s->Z, ctx)
+ || !group->meth->field_mul(group, t3, r->Z, s->X, ctx)
+- || !group->meth->field_mul(group, t4, group->a, t1, ctx)
+- || !BN_mod_add_quick(t0, t0, t4, group->field)
+- || !BN_mod_add_quick(t4, t3, t2, group->field)
+- || !group->meth->field_mul(group, t0, t4, t0, ctx)
+- || !group->meth->field_sqr(group, t1, t1, ctx)
+- || !BN_mod_lshift_quick(t7, group->b, 2, group->field)
+- || !group->meth->field_mul(group, t1, t7, t1, ctx)
+- || !BN_mod_lshift1_quick(t0, t0, group->field)
+- || !BN_mod_add_quick(t0, t1, t0, group->field)
+- || !BN_mod_sub_quick(t1, t2, t3, group->field)
+- || !group->meth->field_sqr(group, t1, t1, ctx)
+- || !group->meth->field_mul(group, t3, t1, p->X, ctx)
+- || !group->meth->field_mul(group, t0, p->Z, t0, ctx)
+- /* s->X coord output */
+- || !BN_mod_sub_quick(s->X, t0, t3, group->field)
+- /* s->Z coord output */
+- || !group->meth->field_mul(group, s->Z, p->Z, t1, ctx)
+- || !group->meth->field_sqr(group, t3, r->X, ctx)
+- || !group->meth->field_sqr(group, t2, r->Z, ctx)
+- || !group->meth->field_mul(group, t4, t2, group->a, ctx)
+- || !BN_mod_add_quick(t5, r->X, r->Z, group->field)
+- || !group->meth->field_sqr(group, t5, t5, ctx)
+- || !BN_mod_sub_quick(t5, t5, t3, group->field)
+- || !BN_mod_sub_quick(t5, t5, t2, group->field)
+- || !BN_mod_sub_quick(t6, t3, t4, group->field)
+- || !group->meth->field_sqr(group, t6, t6, ctx)
+- || !group->meth->field_mul(group, t0, t2, t5, ctx)
+- || !group->meth->field_mul(group, t0, t7, t0, ctx)
+- /* r->X coord output */
+- || !BN_mod_sub_quick(r->X, t6, t0, group->field)
++ || !group->meth->field_mul(group, t5, group->a, t0, ctx)
++ || !BN_mod_add_quick(t5, t6, t5, group->field)
+ || !BN_mod_add_quick(t6, t3, t4, group->field)
+- || !group->meth->field_sqr(group, t3, t2, ctx)
+- || !group->meth->field_mul(group, t7, t3, t7, ctx)
+- || !group->meth->field_mul(group, t5, t5, t6, ctx)
++ || !group->meth->field_mul(group, t5, t6, t5, ctx)
++ || !group->meth->field_sqr(group, t0, t0, ctx)
++ || !BN_mod_lshift_quick(t2, group->b, 2, group->field)
++ || !group->meth->field_mul(group, t0, t2, t0, ctx)
+ || !BN_mod_lshift1_quick(t5, t5, group->field)
++ || !BN_mod_sub_quick(t3, t4, t3, group->field)
++ /* s->Z coord output */
++ || !group->meth->field_sqr(group, s->Z, t3, ctx)
++ || !group->meth->field_mul(group, t4, s->Z, p->X, ctx)
++ || !BN_mod_add_quick(t0, t0, t5, group->field)
++ /* s->X coord output */
++ || !BN_mod_sub_quick(s->X, t0, t4, group->field)
++ || !group->meth->field_sqr(group, t4, r->X, ctx)
++ || !group->meth->field_sqr(group, t5, r->Z, ctx)
++ || !group->meth->field_mul(group, t6, t5, group->a, ctx)
++ || !BN_mod_add_quick(t1, r->X, r->Z, group->field)
++ || !group->meth->field_sqr(group, t1, t1, ctx)
++ || !BN_mod_sub_quick(t1, t1, t4, group->field)
++ || !BN_mod_sub_quick(t1, t1, t5, group->field)
++ || !BN_mod_sub_quick(t3, t4, t6, group->field)
++ || !group->meth->field_sqr(group, t3, t3, ctx)
++ || !group->meth->field_mul(group, t0, t5, t1, ctx)
++ || !group->meth->field_mul(group, t0, t2, t0, ctx)
++ /* r->X coord output */
++ || !BN_mod_sub_quick(r->X, t3, t0, group->field)
++ || !BN_mod_add_quick(t3, t4, t6, group->field)
++ || !group->meth->field_sqr(group, t4, t5, ctx)
++ || !group->meth->field_mul(group, t4, t4, t2, ctx)
++ || !group->meth->field_mul(group, t1, t1, t3, ctx)
++ || !BN_mod_lshift1_quick(t1, t1, group->field)
+ /* r->Z coord output */
+- || !BN_mod_add_quick(r->Z, t7, t5, group->field))
++ || !BN_mod_add_quick(r->Z, t4, t1, group->field))
+ goto err;
+ 
+ ret = 1;
+@@ -1600,17 +1619,23 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
+ }
+ 
+ /*-
++ * Input:
++ * - s, r: projective (homogeneous) coordinates
++ * - p: affine coordinates
++ *
++ * Output:
++ * - r := (x,y): affine coordinates
++ *
+ * Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass
+- * Elliptic Curves and Side-Channel Attacks", modified to work in projective
+- * coordinates and return r in Jacobian projective coordinates.
++ * Elliptic Curves and Side-Channel Attacks", modified to work in mixed
++ * projective coords, i.e. p is affine and (r,s) in projective (homogeneous)
++ * coords, and return r in affine coordinates.
+ *
+- * X4 = two*Y1*X2*Z3*Z2*Z1;
+- * Y4 = two*b*Z3*SQR(Z2*Z1) + Z3*(a*Z2*Z1+X1*X2)*(X1*Z2+X2*Z1) - X3*SQR(X1*Z2-X2*Z1);
+- * Z4 = two*Y1*Z3*SQR(Z2)*Z1;
++ * X4 = two*Y1*X2*Z3*Z2;
++ * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2);
++ * Z4 = two*Y1*Z3*SQR(Z2);
+ *
+ * Z4 != 0 because:
+- * - Z1==0 implies p is at infinity, which would have caused an early exit in
+- * the caller;
+ * - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch);
+ * - Z3==0 implies s is at infinity (handled by the BN_is_zero(s->Z) branch);
+ * - Y1==0 implies p has order 2, so either r or s are infinity and handled by
+@@ -1627,11 +1652,7 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group,
+ return EC_POINT_set_to_infinity(group, r);
+ 
+ if (BN_is_zero(s->Z)) {
+- /* (X,Y,Z) -> (XZ,YZ**2,Z) */
+- if (!group->meth->field_mul(group, r->X, p->X, p->Z, ctx)
+- || !group->meth->field_sqr(group, r->Z, p->Z, ctx)
+- || !group->meth->field_mul(group, r->Y, p->Y, r->Z, ctx)
+- || !BN_copy(r->Z, p->Z)
++ if (!EC_POINT_copy(r, p)
+ || !EC_POINT_invert(group, r, ctx))
+ return 0;
+ return 1;
+@@ -1647,38 +1668,46 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group,
+ t6 = BN_CTX_get(ctx);
+ 
+ if (t6 == NULL
+- || !BN_mod_lshift1_quick(t0, p->Y, group->field)
+- || !group->meth->field_mul(group, t1, r->X, p->Z, ctx)
+- || !group->meth->field_mul(group, t2, r->Z, s->Z, ctx)
+- || !group->meth->field_mul(group, t2, t1, t2, ctx)
+- || !group->meth->field_mul(group, t3, t2, t0, ctx)
+- || !group->meth->field_mul(group, t2, r->Z, p->Z, ctx)
+- || !group->meth->field_sqr(group, t4, t2, ctx)
+- || !BN_mod_lshift1_quick(t5, group->b, group->field)
+- || !group->meth->field_mul(group, t4, t4, t5, ctx)
+- || !group->meth->field_mul(group, t6, t2, group->a, ctx)
+- || !group->meth->field_mul(group, t5, r->X, p->X, ctx)
+- || !BN_mod_add_quick(t5, t6, t5, group->field)
+- || !group->meth->field_mul(group, t6, r->Z, p->X, ctx)
+- || !BN_mod_add_quick(t2, t6, t1, group->field)
+- || !group->meth->field_mul(group, t5, t5, t2, ctx)
+- || !BN_mod_sub_quick(t6, t6, t1, group->field)
+- || !group->meth->field_sqr(group, t6, t6, ctx)
+- || !group->meth->field_mul(group, t6, t6, s->X, ctx)
+- || !BN_mod_add_quick(t4, t5, t4, group->field)
+- || !group->meth->field_mul(group, t4, t4, s->Z, ctx)
+- || !BN_mod_sub_quick(t4, t4, t6, group->field)
+- || !group->meth->field_sqr(group, t5, r->Z, ctx)
+- || !group->meth->field_mul(group, r->Z, p->Z, s->Z, ctx)
+- || !group->meth->field_mul(group, r->Z, t5, r->Z, ctx)
+- || !group->meth->field_mul(group, r->Z, r->Z, t0, ctx)
+- /* t3 := X, t4 := Y */
+- /* (X,Y,Z) -> (XZ,YZ**2,Z) */
+- || !group->meth->field_mul(group, r->X, t3, r->Z, ctx)
++ || !BN_mod_lshift1_quick(t4, p->Y, group->field)
++ || !group->meth->field_mul(group, t6, r->X, t4, ctx)
++ || !group->meth->field_mul(group, t6, s->Z, t6, ctx)
++ || !group->meth->field_mul(group, t5, r->Z, t6, ctx)
++ || !BN_mod_lshift1_quick(t1, group->b, group->field)
++ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
+ || !group->meth->field_sqr(group, t3, r->Z, ctx)
+- || !group->meth->field_mul(group, r->Y, t4, t3, ctx))
++ || !group->meth->field_mul(group, t2, t3, t1, ctx)
++ || !group->meth->field_mul(group, t6, r->Z, group->a, ctx)
++ || !group->meth->field_mul(group, t1, p->X, r->X, ctx)
++ || !BN_mod_add_quick(t1, t1, t6, group->field)
++ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
++ || !group->meth->field_mul(group, t0, p->X, r->Z, ctx)
++ || !BN_mod_add_quick(t6, r->X, t0, group->field)
++ || !group->meth->field_mul(group, t6, t6, t1, ctx)
++ || !BN_mod_add_quick(t6, t6, t2, group->field)
++ || !BN_mod_sub_quick(t0, t0, r->X, group->field)
++ || !group->meth->field_sqr(group, t0, t0, ctx)
++ || !group->meth->field_mul(group, t0, t0, s->X, ctx)
++ || !BN_mod_sub_quick(t0, t6, t0, group->field)
++ || !group->meth->field_mul(group, t1, s->Z, t4, ctx)
++ || !group->meth->field_mul(group, t1, t3, t1, ctx)
++ || (group->meth->field_decode != NULL
++ && !group->meth->field_decode(group, t1, t1, ctx))
++ || !group->meth->field_inv(group, t1, t1, ctx)
++ || (group->meth->field_encode != NULL
++ && !group->meth->field_encode(group, t1, t1, ctx))
++ || !group->meth->field_mul(group, r->X, t5, t1, ctx)
++ || !group->meth->field_mul(group, r->Y, t0, t1, ctx))
+ goto err;
+ 
++ if (group->meth->field_set_to_one != NULL) {
++ if (!group->meth->field_set_to_one(group, r->Z, ctx))
++ goto err;
++ } else {
++ if (!BN_one(r->Z))
++ goto err;
++ }
++
++ r->Z_is_one = 1;
+ ret = 1;
+ 
+ err:
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index f28f2d2610..41625e75ad 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -508,6 +508,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
+ ret = 1;
+ break;
+ }
++ if ((x->ex_flags & EXFLAG_CA) == 0
++ && x->ex_pathlen != -1
++ && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
++ ctx->error = X509_V_ERR_INVALID_EXTENSION;
++ ret = 0;
++ }
+ if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
+ return 0;
+ /* check_purpose() makes the callback as needed */
+diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
+index 2bc8253d2d..2eaad1a763 100644
+--- a/crypto/x509v3/v3_purp.c
++++ b/crypto/x509v3/v3_purp.c
+@@ -384,12 +384,16 @@ static void x509v3_cache_extensions(X509 *x)
+ if (bs->ca)
+ x->ex_flags |= EXFLAG_CA;
+ if (bs->pathlen) {
+- if ((bs->pathlen->type == V_ASN1_NEG_INTEGER)
+- || !bs->ca) {
++ if (bs->pathlen->type == V_ASN1_NEG_INTEGER) {
+ x->ex_flags |= EXFLAG_INVALID;
+ x->ex_pathlen = 0;
+- } else
++ } else {
+ x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
++ if (!bs->ca && x->ex_pathlen != 0) {
++ x->ex_flags |= EXFLAG_INVALID;
++ x->ex_pathlen = 0;
++ }
++ }
+ } else
+ x->ex_pathlen = -1;
+ BASIC_CONSTRAINTS_free(bs);
+diff --git a/doc/man3/EVP_aes.pod b/doc/man3/EVP_aes.pod
+index 4192a9ec36..7db48a427f 100644
+--- a/doc/man3/EVP_aes.pod
++++ b/doc/man3/EVP_aes.pod
+@@ -160,6 +160,13 @@ In particular, XTS-AES-128 (B) takes input of a 256-bit key to
+ achieve AES 128-bit security, and XTS-AES-256 (B) takes input
+ of a 512-bit key to achieve AES 256-bit security.
+ 
++The XTS implementation in OpenSSL does not support streaming. That is there must
++only be one L call per L call (and
++similarly with the "Decrypt" functions).
++
++The I parameter to L or L is
++the XTS "tweak" value.
++
+ =back
+ 
+ =head1 RETURN VALUES
+diff --git a/test/certs/ee-pathlen.pem b/test/certs/ee-pathlen.pem
+new file mode 100644
+index 0000000000..0bcae1d7bd
+--- /dev/null
++++ b/test/certs/ee-pathlen.pem
+@@ -0,0 +1,17 @@
++-----BEGIN CERTIFICATE-----
++MIICszCCAZugAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
++Fw0yMDA0MDMwODA0MTVaGA8yMTIwMDQwNDA4MDQxNVowGTEXMBUGA1UEAwwOc2Vy
++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
++iIQPYf55NB9KiR+3AgMBAAGjEDAOMAwGA1UdEwQFMAMCAQAwDQYJKoZIhvcNAQEL
++BQADggEBAApOUnWWd09I0ts3xa1oK7eakc+fKTF4d7pbGznFNONaCR3KFRgnBVlG
++Bm8/oehrrQ28Ad3XPSug34DQQ5kM6JIuaddx50/n4Xkgj8/fgXVA0HXizOJ3QpKC
++IojLVajXlQHhpo72VUQuNOha0UxG9daYjS20iXRhanTm9rUz7qQZEugVQCiR0z/f
++9NgM7FU9UaSidzH3gZu/Ufc4Ggn6nZV7LM9sf4IUV+KszS1VpcK+9phAmsB6BaAi
++cFXvVXZjTNualQgPyPwOD8c+vVCIfIemfF5TZ6fyqpOjprWQAphwrTtfNDSmqRTz
++FRhDf+vJERQclgUtg37EgWGKtnNQeRY=
++-----END CERTIFICATE-----
+diff --git a/test/certs/setup.sh b/test/certs/setup.sh
+index 2d53ea5b08..bbe4842a51 100755
+--- a/test/certs/setup.sh
++++ b/test/certs/setup.sh
+@@ -154,7 +154,7 @@ openssl x509 -in sca-cert.pem -trustout \
+ -addtrust anyExtendedKeyUsage -out sca+anyEKU.pem
+ 
+ # Primary leaf cert: ee-cert
+-# ee variants: expired, issuer-key2, issuer-name2
++# ee variants: expired, issuer-key2, issuer-name2, bad-pathlen
+ # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
+ # purpose variants: client
+ #
+@@ -163,6 +163,8 @@ openssl x509 -in sca-cert.pem -trustout \
+ ./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
+ ./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
+ ./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
++./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
++ -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")
+ #
+ openssl x509 -in ee-cert.pem -trustout \
+ -addtrust serverAuth -out ee+serverAuth.pem
+diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
+index b80a1cde3e..0e0f5dca21 100644
+--- a/test/recipes/25-test_verify.t
++++ b/test/recipes/25-test_verify.t
+@@ -27,7 +27,7 @@ sub verify {
+ run(app([@args]));
+ }
+ 
+-plan tests => 135;
++plan tests => 137;
+ 
+ # Canonical success
+ ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
+@@ -222,6 +222,10 @@ ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
+ "accept direct match with client trust");
+ ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
+ "reject direct match with client mistrust");
++ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
++ "accept non-ca with pathlen:0 by default");
++ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"),
++ "reject non-ca with pathlen:0 with strict flag");
+ 
+ # Proxy certificates
+ ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
+diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c
+index 952f688e8b..f7e4e38d03 100644
+--- a/test/sm2_internal_test.c
++++ b/test/sm2_internal_test.c
+@@ -32,17 +32,18 @@ static size_t fake_rand_size = 0;
+ 
+ static int get_faked_bytes(unsigned char *buf, int num)
{ +- int i; +- + if (fake_rand_bytes == NULL) + return saved_rand->bytes(buf, num); + +- if (!TEST_size_t_le(fake_rand_bytes_offset + num, fake_rand_size)) ++ if (!TEST_size_t_gt(fake_rand_size, 0)) + return 0; + +- for (i = 0; i != num; ++i) +- buf[i] = fake_rand_bytes[fake_rand_bytes_offset + i]; +- fake_rand_bytes_offset += num; ++ while (num-- > 0) { ++ if (fake_rand_bytes_offset >= fake_rand_size) ++ fake_rand_bytes_offset = 0; ++ *buf++ = fake_rand_bytes[fake_rand_bytes_offset++]; ++ } ++ + return 1; + } + +@@ -175,8 +176,7 @@ static int test_sm2_crypt(const EC_GROUP *group, + + start_fake_rand(k_hex); + if (!TEST_true(sm2_encrypt(key, digest, (const uint8_t *)message, msg_len, +- ctext, &ctext_len)) +- || !TEST_size_t_eq(fake_rand_bytes_offset, fake_rand_size)) { ++ ctext, &ctext_len))) { + restore_rand(); + goto done; + } +@@ -296,8 +296,7 @@ static int test_sm2_sign(const EC_GROUP *group, + start_fake_rand(k_hex); + sig = sm2_do_sign(key, EVP_sm3(), (const uint8_t *)userid, strlen(userid), + (const uint8_t *)message, msg_len); +- if (!TEST_ptr(sig) +- || !TEST_size_t_eq(fake_rand_bytes_offset, fake_rand_size)) { ++ if (!TEST_ptr(sig)) { + restore_rand(); + goto done; + } diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch index 8404d7f..48d25a7 100644 --- a/openssl-1.1.1-version-override.patch +++ b/openssl-1.1.1-version-override.patch 
@@ -1,12 +1,12 @@ -diff -up openssl-1.1.1e/include/openssl/opensslv.h.version-override openssl-1.1.1e/include/openssl/opensslv.h ---- openssl-1.1.1e/include/openssl/opensslv.h.version-override 2020-03-17 18:05:00.750749987 +0100 -+++ openssl-1.1.1e/include/openssl/opensslv.h 2020-03-17 18:05:41.404038619 +0100 +diff -up openssl-1.1.1f/include/openssl/opensslv.h.version-override openssl-1.1.1f/include/openssl/opensslv.h +--- openssl-1.1.1f/include/openssl/opensslv.h.version-override 2020-04-07 16:46:21.792998242 +0200 ++++ openssl-1.1.1f/include/openssl/opensslv.h 2020-04-07 16:47:18.919962564 +0200 @@ -40,7 +40,7 @@ extern "C" { * major minor fix final patch/beta) */ - # define OPENSSL_VERSION_NUMBER 0x1010105fL --# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1e 17 Mar 2020" -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1e FIPS 17 Mar 2020" + # define OPENSSL_VERSION_NUMBER 0x1010106fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1f 31 Mar 2020" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1f FIPS 31 Mar 2020" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/openssl.spec b/openssl.spec index 06667b6..065432d 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,8 +21,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.1.1e -Release: 2%{?dist} +Version: 1.1.1f +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -68,8 +68,7 @@ Patch65: openssl-1.1.1-fips-drbg-selftest.patch # Backported fixes including security fixes Patch52: openssl-1.1.1-s390x-update.patch Patch53: openssl-1.1.1-fips-crng-test.patch -Patch54: openssl-1.1.1-regression-fixes.patch -Patch55: openssl-1.1.1-eof-error-revert.patch +Patch54: openssl-1.1.1-upstream-sync.patch License: OpenSSL URL: http://www.openssl.org/ 
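Review bot: The changelog entry added in the `@@ -461,6 +459,9 @@` hunk records only `- update to the 1.1.1f release`, while this hunk drops `openssl-1.1.1-regression-fixes.patch` and `openssl-1.1.1-eof-error-revert.patch` and introduces `openssl-1.1.1-upstream-sync.patch`, so the patch consolidation is left undocumented in the spec itself. Dropping the EOF revert is presumably fine because 1.1.1f carries that revert upstream, but the new upstream-sync patch is not behaviour-neutral: as visible earlier on this page it changes certificate verification so that a non-CA certificate with `pathlen:0` is no longer flagged invalid by default and is rejected only when X509_V_FLAG_X509_STRICT is set, which callers relying on `-x509_strict` or on the previous unconditional rejection may notice. Add a second changelog line such as `- replace the regression-fixes and eof-error-revert patches with a sync to the upstream 1.1.1 branch (changes handling of pathlen on non-CA certificates)`. It would also help to say next to `Patch54:` which upstream commit range the sync was cut from, since the existing `# Backported fixes including security fixes` comment no longer identifies the fixes.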
@@ -170,11 +169,10 @@ cp %{SOURCE13} test/ %patch50 -p1 -b .ssh-kdf %patch52 -p1 -b .s390x-update %patch53 -p1 -b .crng-test -%patch54 -p1 -b .regression %patch60 -p1 -b .krb5-kdf %patch61 -p1 -b .intel-cet %patch65 -p1 -b .drbg-selftest -%patch55 -p1 -b .eof-revert +%patch54 -p1 -b .upstream-sync %build @@ -461,6 +459,9 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Tue Apr 7 2020 Tomáš Mráz 1.1.1f-1 +- update to the 1.1.1f release + * Thu Mar 26 2020 Tomáš Mráz 1.1.1e-2 - revert the unexpected EOF error reporting change as it is too disruptive for the stable release branch diff --git a/sources b/sources index 323aa7a..9c30e55 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-1.1.1e-hobbled.tar.xz) = b0b415b376e12d7a74eeb915315741a9d4d3cef953969edb632d4683ea088e607ebeba37c4be0c781ca839ec20c108166faf5e228d7642217f86f7ab1a3ef15a +SHA512 (openssl-1.1.1f-hobbled.tar.xz) = 551feb19c8606e86d03b05ef47294cc47048e1e2e33e0474b2e309984e034c72e04b120740e3b1aeca275fa4c52138830a724d09a861d51c133b6baa754e23d2