diff --git a/openssl-1.1.1-ssh-kdf.patch b/openssl-1.1.1-ssh-kdf.patch index 9e23443..08f02ac 100644 --- a/openssl-1.1.1-ssh-kdf.patch +++ b/openssl-1.1.1-ssh-kdf.patch @@ -5580,3 +5580,33 @@ index 285c4311a6..7f2dcd2291 100644 +Ctrl.type = type:A +Output = FF +Result = KDF_MISMATCH +From 148cc5ee246e108b1e7332035037bab53574b0a9 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 18 Apr 2019 08:26:29 -0400 +Subject: [PATCH] Change the digest string from "md" to "digest" + +Conform to other modules which were changed at the last minute and this +discrepancy was not noticed. +Retain "md" as an alias so not to break 3rd party backports/tests scripts. + +Signed-off-by: Simo Sorce +--- + crypto/kdf/sshkdf.c | 3 +++ + test/recipes/20-test_kdf.t | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + mode change 100644 => 100755 test/recipes/20-test_kdf.t + +diff --git a/crypto/kdf/sshkdf.c b/crypto/kdf/sshkdf.c +index 300e1adbb23..f585e8a0d6d 100644 +--- a/crypto/kdf/sshkdf.c ++++ b/crypto/kdf/sshkdf.c +@@ -125,6 +125,9 @@ static int kdf_sshkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type, + return 0; + } + ++ if (strcmp(type, "digest") == 0) ++ return kdf_md2ctrl(impl, kdf_sshkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ /* alias, for historical reasons */ + if (strcmp(type, "md") == 0) + return kdf_md2ctrl(impl, kdf_sshkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); + diff --git a/openssl-1.1.1-upstream-sync.patch b/openssl-1.1.1-upstream-sync.patch new file mode 100644 index 0000000..2cf849f --- /dev/null +++ b/openssl-1.1.1-upstream-sync.patch @@ -0,0 +1,2282 @@ +diff -up openssl-1.1.1b/apps/asn1pars.c.sync openssl-1.1.1b/apps/asn1pars.c +--- openssl-1.1.1b/apps/asn1pars.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/apps/asn1pars.c 2019-05-03 08:55:51.532407003 +0200 +@@ -170,17 +170,17 @@ int asn1parse_main(int argc, char **argv + if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL) + goto end; + ++ if ((buf = BUF_MEM_new()) == NULL) ++ goto end; + if (strictpem) { +- if (PEM_read_bio(in, &name, &header, &str, &num) != +- 1) { ++ if (PEM_read_bio(in, &name, &header, &str, &num) != 1) { + BIO_printf(bio_err, "Error reading PEM file\n"); + ERR_print_errors(bio_err); + goto end; + } ++ buf->data = (char *)str; ++ buf->length = buf->max = num; + } else { +- +- if ((buf = BUF_MEM_new()) == NULL) +- goto end; + if (!BUF_MEM_grow(buf, BUFSIZ * 8)) + goto end; /* Pre-allocate :-) */ + +@@ -303,8 +303,6 @@ int asn1parse_main(int argc, char **argv + BUF_MEM_free(buf); + OPENSSL_free(name); + OPENSSL_free(header); +- if (strictpem) +- OPENSSL_free(str); + ASN1_TYPE_free(at); + sk_OPENSSL_STRING_free(osk); + return ret; +diff -up openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl +--- openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl 2019-05-03 08:55:51.551406676 +0200 +@@ -1829,7 +1829,7 @@ Lctr32_enc8x_three: + stvx_u $out1,$x10,$out + stvx_u $out2,$x20,$out + addi $out,$out,0x30 +- b Lcbc_dec8x_done ++ b Lctr32_enc8x_done + + .align 5 + Lctr32_enc8x_two: +@@ -1841,7 +1841,7 @@ Lctr32_enc8x_two: + stvx_u $out0,$x00,$out + stvx_u $out1,$x10,$out + addi $out,$out,0x20 +- b Lcbc_dec8x_done ++ b Lctr32_enc8x_done + + .align 5 + Lctr32_enc8x_one: +diff -up openssl-1.1.1b/crypto/bio/b_addr.c.sync openssl-1.1.1b/crypto/bio/b_addr.c +--- openssl-1.1.1b/crypto/bio/b_addr.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/bio/b_addr.c 2019-05-03 08:55:51.555406608 +0200 +@@ -683,6 +683,12 @@ int BIO_lookup_ex(const char *host, cons + hints.ai_family = family; + hints.ai_socktype = socktype; + hints.ai_protocol = protocol; ++#ifdef AI_ADDRCONFIG ++#ifdef AF_UNSPEC ++ if (family == AF_UNSPEC) ++#endif ++ hints.ai_flags |= AI_ADDRCONFIG; ++#endif + + if (lookup_type == BIO_LOOKUP_SERVER) + hints.ai_flags |= AI_PASSIVE; +diff -up openssl-1.1.1b/crypto/bio/bss_mem.c.sync openssl-1.1.1b/crypto/bio/bss_mem.c +--- openssl-1.1.1b/crypto/bio/bss_mem.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/bio/bss_mem.c 2019-05-03 08:55:51.556406591 +0200 +@@ -57,7 +57,12 @@ static const BIO_METHOD secmem_method = + NULL, /* mem_callback_ctrl */ + }; + +-/* BIO memory stores buffer and read pointer */ ++/* ++ * BIO memory stores buffer and read pointer ++ * however the roles are different for read only BIOs. ++ * In that case the readp just stores the original state ++ * to be used for reset. ++ */ + typedef struct bio_buf_mem_st { + struct buf_mem_st *buf; /* allocated buffer */ + struct buf_mem_st *readp; /* read pointer */ +@@ -192,11 +197,14 @@ static int mem_read(BIO *b, char *out, i + BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; + BUF_MEM *bm = bbm->readp; + ++ if (b->flags & BIO_FLAGS_MEM_RDONLY) ++ bm = bbm->buf; + BIO_clear_retry_flags(b); + ret = (outl >= 0 && (size_t)outl > bm->length) ? (int)bm->length : outl; + if ((out != NULL) && (ret > 0)) { + memcpy(out, bm->data, ret); + bm->length -= ret; ++ bm->max -= ret; + bm->data += ret; + } else if (bm->length == 0) { + ret = b->num; +@@ -241,29 +249,36 @@ static long mem_ctrl(BIO *b, int cmd, lo + BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; + BUF_MEM *bm; + ++ if (b->flags & BIO_FLAGS_MEM_RDONLY) ++ bm = bbm->buf; ++ else ++ bm = bbm->readp; ++ + switch (cmd) { + case BIO_CTRL_RESET: + bm = bbm->buf; + if (bm->data != NULL) { +- /* For read only case reset to the start again */ +- if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & BIO_FLAGS_NONCLEAR_RST)) { +- bm->length = bm->max; ++ if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) { ++ if (b->flags & BIO_FLAGS_NONCLEAR_RST) { ++ bm->length = bm->max; ++ } else { ++ memset(bm->data, 0, bm->max); ++ bm->length = 0; ++ } ++ *bbm->readp = *bbm->buf; + } else { +- memset(bm->data, 0, bm->max); +- bm->length = 0; ++ /* For read only case just reset to the start again */ ++ *bbm->buf = *bbm->readp; + } +- *bbm->readp = *bbm->buf; + } + break; + case BIO_CTRL_EOF: +- bm = bbm->readp; + ret = (long)(bm->length == 0); + break; + case BIO_C_SET_BUF_MEM_EOF_RETURN: + b->num = (int)num; + break; + case BIO_CTRL_INFO: +- bm = bbm->readp; + ret = (long)bm->length; + if (ptr != NULL) { + pptr = (char **)ptr; +@@ -278,8 +293,9 @@ static long mem_ctrl(BIO *b, int cmd, lo + break; + case BIO_C_GET_BUF_MEM_PTR: + if (ptr != NULL) { +- mem_buf_sync(b); +- bm = bbm->readp; ++ if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) ++ mem_buf_sync(b); ++ bm = bbm->buf; + pptr = (char **)ptr; + *pptr = (char *)bm; + } +@@ -294,7 +310,6 @@ static long mem_ctrl(BIO *b, int cmd, lo + ret = 0L; + break; + case BIO_CTRL_PENDING: +- bm = bbm->readp; + ret = (long)bm->length; + break; + case BIO_CTRL_DUP: +@@ -318,6 +333,8 @@ static int mem_gets(BIO *bp, char *buf, + BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)bp->ptr; + BUF_MEM *bm = bbm->readp; + ++ if (bp->flags & BIO_FLAGS_MEM_RDONLY) ++ bm = bbm->buf; + BIO_clear_retry_flags(bp); + j = bm->length; + if ((size - 1) < j) +diff -up openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync openssl-1.1.1b/crypto/bn/asm/ppc.pl +--- openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/bn/asm/ppc.pl 2019-05-03 08:55:51.530407037 +0200 +@@ -258,6 +258,7 @@ $data=<err_stack) + ctx->err_stack--; +diff -up openssl-1.1.1b/crypto/bn/bn_lib.c.sync openssl-1.1.1b/crypto/bn/bn_lib.c +--- openssl-1.1.1b/crypto/bn/bn_lib.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/bn/bn_lib.c 2019-05-03 08:55:51.525407123 +0200 +@@ -338,6 +338,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b) + + void BN_clear(BIGNUM *a) + { ++ if (a == NULL) ++ return; + bn_check_top(a); + if (a->d != NULL) + OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax); +diff -up openssl-1.1.1b/crypto/bn/bn_prime.c.sync openssl-1.1.1b/crypto/bn/bn_prime.c +--- openssl-1.1.1b/crypto/bn/bn_prime.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/bn/bn_prime.c 2019-05-03 08:55:51.525407123 +0200 +@@ -135,8 +135,7 @@ int BN_generate_prime_ex(BIGNUM *ret, in + found = 1; + err: + OPENSSL_free(mods); +- if (ctx != NULL) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); + bn_check_top(ret); + return found; +diff -up openssl-1.1.1b/crypto/chacha/build.info.sync openssl-1.1.1b/crypto/chacha/build.info +--- openssl-1.1.1b/crypto/chacha/build.info.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/chacha/build.info 2019-05-03 08:55:51.538406900 +0200 +@@ -9,6 +9,8 @@ GENERATE[chacha-armv4.S]=asm/chacha-armv + INCLUDE[chacha-armv4.o]=.. + GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl $(PERLASM_SCHEME) + INCLUDE[chacha-armv8.o]=.. ++GENERATE[chacha-s390x.S]=asm/chacha-s390x.pl $(PERLASM_SCHEME) ++INCLUDE[chacha-s390x.o]=.. + + BEGINRAW[Makefile(unix)] + ##### CHACHA assembler implementations +diff -up openssl-1.1.1b/crypto/conf/conf_sap.c.sync openssl-1.1.1b/crypto/conf/conf_sap.c +--- openssl-1.1.1b/crypto/conf/conf_sap.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/conf/conf_sap.c 2019-05-03 08:55:51.550406694 +0200 +@@ -35,6 +35,7 @@ void OPENSSL_config(const char *appname) + memset(&settings, 0, sizeof(settings)); + if (appname != NULL) + settings.appname = strdup(appname); ++ settings.flags = DEFAULT_CONF_MFLAGS; + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings); + } + #endif +diff -up openssl-1.1.1b/crypto/dh/dh_check.c.sync openssl-1.1.1b/crypto/dh/dh_check.c +--- openssl-1.1.1b/crypto/dh/dh_check.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/dh/dh_check.c 2019-05-03 08:55:51.525407123 +0200 +@@ -58,10 +58,8 @@ int DH_check_params(const DH *dh, int *r + + ok = 1; + err: +- if (ctx != NULL) { +- BN_CTX_end(ctx); +- BN_CTX_free(ctx); +- } ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); + return ok; + } + +@@ -171,10 +169,8 @@ int DH_check(const DH *dh, int *ret) + } + ok = 1; + err: +- if (ctx != NULL) { +- BN_CTX_end(ctx); +- BN_CTX_free(ctx); +- } ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); + return ok; + } + +@@ -225,9 +221,7 @@ int DH_check_pub_key(const DH *dh, const + + ok = 1; + err: +- if (ctx != NULL) { +- BN_CTX_end(ctx); +- BN_CTX_free(ctx); +- } ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); + return ok; + } +diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.sync openssl-1.1.1b/crypto/dh/dh_gen.c +--- openssl-1.1.1b/crypto/dh/dh_gen.c.sync 2019-05-03 08:55:45.170516224 +0200 ++++ openssl-1.1.1b/crypto/dh/dh_gen.c 2019-05-03 08:55:51.525407123 +0200 +@@ -144,9 +144,7 @@ static int dh_builtin_genparams(DH *ret, + ok = 0; + } + +- if (ctx != NULL) { +- BN_CTX_end(ctx); +- BN_CTX_free(ctx); +- } ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); + return ok; + } +diff -up openssl-1.1.1b/crypto/dh/dh_key.c.sync openssl-1.1.1b/crypto/dh/dh_key.c +--- openssl-1.1.1b/crypto/dh/dh_key.c.sync 2019-05-03 08:55:45.170516224 +0200 ++++ openssl-1.1.1b/crypto/dh/dh_key.c 2019-05-03 08:55:51.526407106 +0200 +@@ -237,10 +237,8 @@ static int compute_key(unsigned char *ke + + ret = BN_bn2bin(tmp, key); + err: +- if (ctx != NULL) { +- BN_CTX_end(ctx); +- BN_CTX_free(ctx); +- } ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); + return ret; + } + +diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync openssl-1.1.1b/crypto/dsa/dsa_gen.c +--- openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync 2019-05-03 08:55:45.171516207 +0200 ++++ openssl-1.1.1b/crypto/dsa/dsa_gen.c 2019-05-03 08:55:51.526407106 +0200 +@@ -308,8 +308,7 @@ int dsa_builtin_paramgen(DSA *ret, size_ + if (seed_out) + memcpy(seed_out, seed, qsize); + } +- if (ctx) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); + BN_MONT_CTX_free(mont); + return ok; +@@ -641,8 +640,7 @@ int dsa_builtin_paramgen2(DSA *ret, size + OPENSSL_free(seed); + if (seed_out != seed_tmp) + OPENSSL_free(seed_tmp); +- if (ctx) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); + BN_MONT_CTX_free(mont); + EVP_MD_CTX_free(mctx); +diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync openssl-1.1.1b/crypto/ec/ecdh_ossl.c +--- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync 2019-05-03 08:55:45.171516207 +0200 ++++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-05-03 08:55:51.556406591 +0200 +@@ -123,7 +123,7 @@ int ecdh_simple_compute_key(unsigned cha + ret = 1; + + err: +- EC_POINT_free(tmp); ++ EC_POINT_clear_free(tmp); + if (ctx) + BN_CTX_end(ctx); + BN_CTX_free(ctx); +diff -up openssl-1.1.1b/crypto/ec/ec_lib.c.sync openssl-1.1.1b/crypto/ec/ec_lib.c +--- openssl-1.1.1b/crypto/ec/ec_lib.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/ec/ec_lib.c 2019-05-03 08:55:51.527407088 +0200 +@@ -1074,8 +1074,7 @@ static int ec_field_inverse_mod_ord(cons + ret = 1; + + err: +- if (ctx != NULL) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + return ret; + } +diff -up openssl-1.1.1b/crypto/ec/ec_mult.c.sync openssl-1.1.1b/crypto/ec/ec_mult.c +--- openssl-1.1.1b/crypto/ec/ec_mult.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/ec/ec_mult.c 2019-05-03 08:55:51.540406865 +0200 +@@ -378,7 +378,7 @@ int ec_scalar_mul_ladder(const EC_GROUP + + err: + EC_POINT_free(p); +- EC_POINT_free(s); ++ EC_POINT_clear_free(s); + BN_CTX_end(ctx); + + return ret; +@@ -441,7 +441,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E + * scalar multiplication implementation based on a Montgomery ladder, + * with various timing attack defenses. + */ +- if ((scalar != NULL) && (num == 0)) { ++ if ((scalar != group->order) && (scalar != NULL) && (num == 0)) { + /*- + * In this case we want to compute scalar * GeneratorPoint: this + * codepath is reached most prominently by (ephemeral) key +@@ -452,7 +452,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E + */ + return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx); + } +- if ((scalar == NULL) && (num == 1)) { ++ if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) { + /*- + * In this case we want to compute scalar * VariablePoint: this + * codepath is reached most prominently by the second half of ECDH, +@@ -948,8 +948,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *gr + ret = 1; + + err: +- if (ctx != NULL) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + EC_ec_pre_comp_free(pre_comp); + if (points) { +diff -up openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync openssl-1.1.1b/crypto/ec/ecp_nistp521.c +--- openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/ec/ecp_nistp521.c 2019-05-03 08:55:51.532407003 +0200 +@@ -357,10 +357,15 @@ static void felem_diff64(felem out, cons + static void felem_diff_128_64(largefelem out, const felem in) + { + /* +- * In order to prevent underflow, we add 0 mod p before subtracting. ++ * In order to prevent underflow, we add 64p mod p (which is equivalent ++ * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521 ++ * digit number with all bits set to 1. See "The representation of field ++ * elements" comment above for a description of how limbs are used to ++ * represent a number. 64p is represented with 8 limbs containing a number ++ * with 58 bits set and one limb with a number with 57 bits set. + */ +- static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5); +- static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4); ++ static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6); ++ static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5); + + out[0] += two63m6 - in[0]; + out[1] += two63m5 - in[1]; +diff -up openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync openssl-1.1.1b/crypto/ec/ecp_nistz256.c +--- openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/ec/ecp_nistz256.c 2019-05-03 08:55:51.528407071 +0200 +@@ -888,8 +888,7 @@ __owur static int ecp_nistz256_mult_prec + ret = 1; + + err: +- if (ctx != NULL) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + + EC_nistz256_pre_comp_free(pre_comp); +diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync openssl-1.1.1b/crypto/ec/ecp_smpl.c +--- openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync 2019-05-03 08:55:45.152516533 +0200 ++++ openssl-1.1.1b/crypto/ec/ecp_smpl.c 2019-05-03 08:55:51.528407071 +0200 +@@ -312,8 +312,7 @@ int ec_GFp_simple_group_check_discrimina + ret = 1; + + err: +- if (ctx != NULL) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + return ret; + } +@@ -792,8 +791,7 @@ int ec_GFp_simple_add(const EC_GROUP *gr + ret = 1; + + end: +- if (ctx) /* otherwise we already called BN_CTX_end */ +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + return ret; + } +diff -up openssl-1.1.1b/crypto/err/err.c.sync openssl-1.1.1b/crypto/err/err.c +--- openssl-1.1.1b/crypto/err/err.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/err/err.c 2019-05-03 08:55:51.548406728 +0200 +@@ -523,8 +523,24 @@ static unsigned long get_error_values(in + return ERR_R_INTERNAL_ERROR; + } + ++ while (es->bottom != es->top) { ++ if (es->err_flags[es->top] & ERR_FLAG_CLEAR) { ++ err_clear(es, es->top); ++ es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1; ++ continue; ++ } ++ i = (es->bottom + 1) % ERR_NUM_ERRORS; ++ if (es->err_flags[i] & ERR_FLAG_CLEAR) { ++ es->bottom = i; ++ err_clear(es, es->bottom); ++ continue; ++ } ++ break; ++ } ++ + if (es->bottom == es->top) + return 0; ++ + if (top) + i = es->top; /* last error */ + else +@@ -913,25 +929,6 @@ int ERR_clear_last_mark(void) + return 1; + } + +-#ifdef UINTPTR_T +-# undef UINTPTR_T +-#endif +-/* +- * uintptr_t is the answer, but unfortunately C89, current "least common +- * denominator" doesn't define it. Most legacy platforms typedef it anyway, +- * so that attempt to fill the gaps means that one would have to identify +- * that track these gaps, which would be undesirable. Macro it is... +- */ +-#if defined(__VMS) && __INITIAL_POINTER_SIZE==64 +-/* +- * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 +- * even in 64-bit builds, which means that it won't work as mask. +- */ +-# define UINTPTR_T unsigned long long +-#else +-# define UINTPTR_T size_t +-#endif +- + void err_clear_last_constant_time(int clear) + { + ERR_STATE *es; +@@ -943,11 +940,11 @@ void err_clear_last_constant_time(int cl + + top = es->top; + +- es->err_flags[top] &= ~(0 - clear); +- es->err_buffer[top] &= ~(0UL - clear); +- es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & +- ~((UINTPTR_T)0 - clear)); +- es->err_line[top] |= 0 - clear; +- +- es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; ++ /* ++ * Flag error as cleared but remove it elsewhere to avoid two errors ++ * accessing the same error stack location, revealing timing information. ++ */ ++ clear = constant_time_select_int(constant_time_eq_int(clear, 0), ++ 0, ERR_FLAG_CLEAR); ++ es->err_flags[top] |= clear; + } +diff -up openssl-1.1.1b/crypto/evp/digest.c.sync openssl-1.1.1b/crypto/evp/digest.c +--- openssl-1.1.1b/crypto/evp/digest.c.sync 2019-05-03 08:55:51.553406642 +0200 ++++ openssl-1.1.1b/crypto/evp/digest.c 2019-05-03 08:56:40.800561168 +0200 +@@ -171,6 +171,9 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, co + #ifdef OPENSSL_FIPS + FIPS_selftest_check(); + #endif ++ if (count == 0) ++ return 1; ++ + return ctx->update(ctx, data, count); + } + +diff -up openssl-1.1.1b/crypto/evp/e_aria.c.sync openssl-1.1.1b/crypto/evp/e_aria.c +--- openssl-1.1.1b/crypto/evp/e_aria.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/evp/e_aria.c 2019-05-03 08:55:51.545406779 +0200 +@@ -486,6 +486,16 @@ static int aria_gcm_cipher(EVP_CIPHER_CT + return 0; + } + ++static int aria_gcm_cleanup(EVP_CIPHER_CTX *ctx) ++{ ++ EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, ctx); ++ ++ if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(ctx)) ++ OPENSSL_free(gctx->iv); ++ ++ return 1; ++} ++ + static int aria_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) + { +@@ -727,6 +737,8 @@ static int aria_ccm_cipher(EVP_CIPHER_CT + } + } + ++#define aria_ccm_cleanup NULL ++ + #define ARIA_AUTH_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ + | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ + | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ +@@ -739,7 +751,7 @@ static const EVP_CIPHER aria_##keylen##_ + ARIA_AUTH_FLAGS|EVP_CIPH_##MODE##_MODE, \ + aria_##mode##_init_key, \ + aria_##mode##_cipher, \ +- NULL, \ ++ aria_##mode##_cleanup, \ + sizeof(EVP_ARIA_##MODE##_CTX), \ + NULL,NULL,aria_##mode##_ctrl,NULL }; \ + const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ +diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c +--- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync 2019-05-03 08:55:45.216515434 +0200 ++++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-05-03 08:55:51.551406676 +0200 +@@ -30,6 +30,8 @@ typedef struct { + + #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data) + ++#define CHACHA20_POLY1305_MAX_IVLEN 12 ++ + static int chacha_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char user_key[CHACHA_KEY_SIZE], + const unsigned char iv[CHACHA_CTR_SIZE], int enc) +@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CI + return 1; + + case EVP_CTRL_AEAD_SET_IVLEN: +- if (arg <= 0 || arg > CHACHA_CTR_SIZE) ++ if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN) + return 0; + actx->nonce_len = arg; + return 1; +diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.sync openssl-1.1.1b/crypto/evp/evp_enc.c +--- openssl-1.1.1b/crypto/evp/evp_enc.c.sync 2019-05-03 08:55:45.174516155 +0200 ++++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-05-03 08:55:51.544406797 +0200 +@@ -338,6 +338,11 @@ static int evp_EncryptDecryptUpdate(EVP_ + + bl = ctx->cipher->block_size; + ++ if (inl <= 0) { ++ *outl = 0; ++ return inl == 0; ++ } ++ + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { + /* If block size > 1 then the cipher will have to do this check */ + if (bl == 1 && is_partially_overlapping(out, in, cmpl)) { +@@ -353,10 +358,6 @@ static int evp_EncryptDecryptUpdate(EVP_ + return 1; + } + +- if (inl <= 0) { +- *outl = 0; +- return inl == 0; +- } + if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) { + EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING); + return 0; +@@ -490,6 +491,11 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct + if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) + cmpl = (cmpl + 7) / 8; + ++ if (inl <= 0) { ++ *outl = 0; ++ return inl == 0; ++ } ++ + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { + if (b == 1 && is_partially_overlapping(out, in, cmpl)) { + EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING); +@@ -505,11 +511,6 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct + return 1; + } + +- if (inl <= 0) { +- *outl = 0; +- return inl == 0; +- } +- + if (ctx->flags & EVP_CIPH_NO_PADDING) + return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); + +diff -up openssl-1.1.1b/crypto/hmac/hmac.c.sync openssl-1.1.1b/crypto/hmac/hmac.c +--- openssl-1.1.1b/crypto/hmac/hmac.c.sync 2019-05-03 08:55:45.189515898 +0200 ++++ openssl-1.1.1b/crypto/hmac/hmac.c 2019-05-03 08:55:51.538406900 +0200 +@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + return 0; + } + ++ /* ++ * The HMAC construction is not allowed to be used with the ++ * extendable-output functions (XOF) shake128 and shake256. ++ */ ++ if ((EVP_MD_meth_get_flags(md) & EVP_MD_FLAG_XOF) != 0) ++ return 0; ++ + if (key != NULL) { + #ifdef OPENSSL_FIPS + if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS) +diff -up openssl-1.1.1b/crypto/init.c.sync openssl-1.1.1b/crypto/init.c +--- openssl-1.1.1b/crypto/init.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/init.c 2019-05-03 08:55:51.550406694 +0200 +@@ -702,7 +702,7 @@ int OPENSSL_init_crypto(uint64_t opts, c + ret = RUN_ONCE(&config, ossl_init_config); + conf_settings = NULL; + CRYPTO_THREAD_unlock(init_lock); +- if (!ret) ++ if (ret <= 0) + return 0; + } + +diff -up openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl +--- openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl 2019-05-03 08:55:51.534406969 +0200 +@@ -1155,6 +1155,7 @@ ___ + } else { + $code.=<<___; + jmp .L_init_clmul ++.cfi_endproc + .size gcm_init_avx,.-gcm_init_avx + ___ + } +@@ -1594,6 +1595,7 @@ ___ + } else { + $code.=<<___; + jmp .L_ghash_clmul ++.cfi_endproc + .size gcm_ghash_avx,.-gcm_ghash_avx + ___ + } +diff -up openssl-1.1.1b/crypto/modes/ccm128.c.sync openssl-1.1.1b/crypto/modes/ccm128.c +--- openssl-1.1.1b/crypto/modes/ccm128.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/modes/ccm128.c 2019-05-03 08:55:51.543406814 +0200 +@@ -425,7 +425,7 @@ size_t CRYPTO_ccm128_tag(CCM128_CONTEXT + + M *= 2; + M += 2; +- if (len < M) ++ if (len != M) + return 0; + memcpy(tag, ctx->cmac.c, M); + return M; +diff -up openssl-1.1.1b/crypto/o_str.c.sync openssl-1.1.1b/crypto/o_str.c +--- openssl-1.1.1b/crypto/o_str.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/o_str.c 2019-05-03 08:55:51.550406694 +0200 +@@ -223,7 +223,26 @@ int openssl_strerror_r(int errnum, char + #if defined(_MSC_VER) && _MSC_VER>=1400 + return !strerror_s(buf, buflen, errnum); + #elif defined(_GNU_SOURCE) +- return strerror_r(errnum, buf, buflen) != NULL; ++ char *err; ++ ++ /* ++ * GNU strerror_r may not actually set buf. ++ * It can return a pointer to some (immutable) static string in which case ++ * buf is left unused. ++ */ ++ err = strerror_r(errnum, buf, buflen); ++ if (err == NULL) ++ return 0; ++ /* ++ * If err is statically allocated, err != buf and we need to copy the data. ++ * If err points somewhere inside buf, OPENSSL_strlcpy can handle this, ++ * since src and dest are not annotated with __restrict and the function ++ * reads src byte for byte and writes to dest. ++ * If err == buf we do not have to copy anything. ++ */ ++ if (err != buf) ++ OPENSSL_strlcpy(buf, err, buflen); ++ return 1; + #elif (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) || \ + (defined(_XOPEN_SOURCE) && _XOPEN_SOURCE >= 600) + /* +@@ -234,6 +253,7 @@ int openssl_strerror_r(int errnum, char + return !strerror_r(errnum, buf, buflen); + #else + char *err; ++ + /* Fall back to non-thread safe strerror()...its all we can do */ + if (buflen < 2) + return 0; +@@ -241,8 +261,7 @@ int openssl_strerror_r(int errnum, char + /* Can this ever happen? */ + if (err == NULL) + return 0; +- strncpy(buf, err, buflen - 1); +- buf[buflen - 1] = '\0'; ++ OPENSSL_strlcpy(buf, err, buflen); + return 1; + #endif + } +diff -up openssl-1.1.1b/crypto/poly1305/build.info.sync openssl-1.1.1b/crypto/poly1305/build.info +--- openssl-1.1.1b/crypto/poly1305/build.info.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/poly1305/build.info 2019-05-03 08:55:51.538406900 +0200 +@@ -17,6 +17,7 @@ GENERATE[poly1305-armv8.S]=asm/poly1305- + INCLUDE[poly1305-armv8.o]=.. + GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME) + INCLUDE[poly1305-mips.o]=.. ++GENERATE[poly1305-s390x.S]=asm/poly1305-s390x.pl $(PERLASM_SCHEME) + + BEGINRAW[Makefile(unix)] + {- $builddir -}/poly1305-%.S: {- $sourcedir -}/asm/poly1305-%.pl +diff -up openssl-1.1.1b/crypto/rc4/build.info.sync openssl-1.1.1b/crypto/rc4/build.info +--- openssl-1.1.1b/crypto/rc4/build.info.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/rc4/build.info 2019-05-03 08:55:51.538406900 +0200 +@@ -11,6 +11,8 @@ GENERATE[rc4-md5-x86_64.s]=asm/rc4-md5-x + + GENERATE[rc4-parisc.s]=asm/rc4-parisc.pl $(PERLASM_SCHEME) + ++GENERATE[rc4-s390x.s]=asm/rc4-s390x.pl $(PERLASM_SCHEME) ++ + BEGINRAW[Makefile] + # GNU make "catch all" + {- $builddir -}/rc4-%.s: {- $sourcedir -}/asm/rc4-%.pl +diff -up openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync openssl-1.1.1b/crypto/rsa/rsa_ameth.c +--- openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/rsa/rsa_ameth.c 2019-05-03 08:55:51.533406986 +0200 +@@ -583,10 +583,12 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EV + return NULL; + if (saltlen == -1) { + saltlen = EVP_MD_size(sigmd); +- } else if (saltlen == -2) { ++ } else if (saltlen == -2 || saltlen == -3) { + saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; + if ((EVP_PKEY_bits(pk) & 0x7) == 1) + saltlen--; ++ if (saltlen < 0) ++ return NULL; + } + + return rsa_pss_params_create(sigmd, mgf1md, saltlen); +diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync openssl-1.1.1b/crypto/rsa/rsa_gen.c +--- openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync 2019-05-03 08:55:45.191515864 +0200 ++++ openssl-1.1.1b/crypto/rsa/rsa_gen.c 2019-05-03 08:55:51.528407071 +0200 +@@ -746,8 +746,7 @@ static int rsa_builtin_keygen(RSA *rsa, + RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); + ok = 0; + } +- if (ctx != NULL) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); + return ok; + } +diff -up openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync openssl-1.1.1b/crypto/rsa/rsa_oaep.c +--- openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/rsa/rsa_oaep.c 2019-05-03 08:55:51.549406711 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un + * |num| is the length of the modulus; |flen| is the length of the + * encoded message. Therefore, for any |from| that was obtained by + * decrypting a ciphertext, we must have |flen| <= |num|. Similarly, +- * num < 2 * mdlen + 2 must hold for the modulus irrespective of ++ * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of + * the ciphertext, see PKCS #1 v2.2, section 7.1.2. + * This does not leak any side-channel information. + */ +@@ -179,17 +179,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un + from -= 1 & mask; + *--em = *from & mask; + } +- from = em; + + /* + * The first byte must be zero, however we must not leak if this is + * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA + * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). + */ +- good = constant_time_is_zero(from[0]); ++ good = constant_time_is_zero(em[0]); + +- maskedseed = from + 1; +- maskeddb = from + 1 + mdlen; ++ maskedseed = em + 1; ++ maskeddb = em + 1 + mdlen; + + if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) + goto cleanup; +@@ -230,29 +229,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un + mlen = dblen - msg_index; + + /* +- * For good measure, do this check in constant tine as well. ++ * For good measure, do this check in constant time as well. + */ + good &= constant_time_ge(tlen, mlen); + + /* +- * Even though we can't fake result's length, we can pretend copying +- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen| +- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, +- * where |mlen'| is "saturated" |mlen| value. Deducing information +- * about failure or |mlen| would take attacker's ability to observe +- * memory access pattern with byte granularity *as it occurs*. It +- * should be noted that failure is indistinguishable from normal +- * operation if |tlen| is fixed by protocol. ++ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left. ++ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|. ++ * Otherwise leave |to| unchanged. ++ * Copy the memory back in a way that does not reveal the size of ++ * the data being copied via a timing side channel. This requires copying ++ * parts of the buffer multiple times based on the bits set in the real ++ * length. Clear bits do a non-copy with identical access pattern. ++ * The loop below has overall complexity of O(N*log(N)). + */ +- tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); +- msg_index = constant_time_select_int(good, msg_index, dblen - tlen); +- mlen = dblen - msg_index; +- for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { +- unsigned int equals = constant_time_eq(i, mlen); +- +- from -= dblen & equals; /* if (i == dblen) rewind */ +- mask &= mask ^ equals; /* if (i == dblen) mask = 0 */ +- to[i] = constant_time_select_8(mask, from[i], to[i]); ++ tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen), ++ dblen - mdlen - 1, tlen); ++ for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) { ++ mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0); ++ for (i = mdlen + 1; i < dblen - msg_index; i++) ++ db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]); ++ } ++ for (i = 0; i < tlen; i++) { ++ mask = good & constant_time_lt(i, mlen); ++ to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]); + } + + /* +diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ossl.c +--- openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync 2019-05-03 08:55:45.191515864 +0200 ++++ openssl-1.1.1b/crypto/rsa/rsa_ossl.c 2019-05-03 08:55:51.548406728 +0200 +@@ -174,8 +174,7 @@ static int rsa_ossl_public_encrypt(int f + */ + r = BN_bn2binpad(ret, to, num); + err: +- if (ctx != NULL) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); + OPENSSL_clear_free(buf, num); + return r; +@@ -396,8 +395,7 @@ static int rsa_ossl_private_encrypt(int + */ + r = BN_bn2binpad(res, to, num); + err: +- if (ctx != NULL) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); + OPENSSL_clear_free(buf, num); + return r; +@@ -539,11 +537,10 @@ static int rsa_ossl_private_decrypt(int + goto err; + } + RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); +- err_clear_last_constant_time(r >= 0); ++ err_clear_last_constant_time(1 & ~constant_time_msb(r)); + + err: +- if (ctx != NULL) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); + OPENSSL_clear_free(buf, num); + return r; +@@ -655,8 +652,7 @@ static int rsa_ossl_public_decrypt(int f + RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); + + err: +- if (ctx != NULL) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); + OPENSSL_clear_free(buf, num); + return r; +diff -up openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync openssl-1.1.1b/crypto/rsa/rsa_pk1.c +--- openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/rsa/rsa_pk1.c 2019-05-03 08:55:51.549406711 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -192,15 +192,14 @@ int RSA_padding_check_PKCS1_type_2(unsig + from -= 1 & mask; + *--em = *from & mask; + } +- from = em; + +- good = constant_time_is_zero(from[0]); +- good &= constant_time_eq(from[1], 2); ++ good = constant_time_is_zero(em[0]); ++ good &= constant_time_eq(em[1], 2); + + /* scan over padding data */ + found_zero_byte = 0; + for (i = 2; i < num; i++) { +- unsigned int equals0 = constant_time_is_zero(from[i]); ++ unsigned int equals0 = constant_time_is_zero(em[i]); + + zero_index = constant_time_select_int(~found_zero_byte & equals0, + i, zero_index); +@@ -208,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsig + } + + /* +- * PS must be at least 8 bytes long, and it starts two bytes into |from|. ++ * PS must be at least 8 bytes long, and it starts two bytes into |em|. + * If we never found a 0-byte, then |zero_index| is 0 and the check + * also fails. + */ +@@ -227,24 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsig + good &= constant_time_ge(tlen, mlen); + + /* +- * Even though we can't fake result's length, we can pretend copying +- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| +- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, +- * where |mlen'| is "saturated" |mlen| value. Deducing information +- * about failure or |mlen| would take attacker's ability to observe +- * memory access pattern with byte granularity *as it occurs*. It +- * should be noted that failure is indistinguishable from normal +- * operation if |tlen| is fixed by protocol. +- */ +- tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); +- msg_index = constant_time_select_int(good, msg_index, num - tlen); +- mlen = num - msg_index; +- for (from += msg_index, mask = good, i = 0; i < tlen; i++) { +- unsigned int equals = constant_time_eq(i, mlen); +- +- from -= tlen & equals; /* if (i == mlen) rewind */ +- mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ +- to[i] = constant_time_select_8(mask, from[i], to[i]); ++ * Move the result in-place by |num|-11-|mlen| bytes to the left. ++ * Then if |good| move |mlen| bytes from |em|+11 to |to|. ++ * Otherwise leave |to| unchanged. ++ * Copy the memory back in a way that does not reveal the size of ++ * the data being copied via a timing side channel. This requires copying ++ * parts of the buffer multiple times based on the bits set in the real ++ * length. Clear bits do a non-copy with identical access pattern. ++ * The loop below has overall complexity of O(N*log(N)). ++ */ ++ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), ++ num - 11, tlen); ++ for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { ++ mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); ++ for (i = 11; i < num - msg_index; i++) ++ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); ++ } ++ for (i = 0; i < tlen; i++) { ++ mask = good & constant_time_lt(i, mlen); ++ to[i] = constant_time_select_8(mask, em[i + 11], to[i]); + } + + OPENSSL_clear_free(em, num); +diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync openssl-1.1.1b/crypto/rsa/rsa_pmeth.c +--- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-03 08:55:51.543406814 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++#include "internal/constant_time_locl.h" ++ + #include + #include "internal/cryptlib.h" + #include +@@ -340,10 +342,9 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX + ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } +- if (ret < 0) +- return ret; +- *outlen = ret; +- return 1; ++ *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); ++ ret = constant_time_select_int(constant_time_msb(ret), ret, 1); ++ return ret; + } + + static int check_padding_md(const EVP_MD *md, int padding) +diff -up openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ssl.c +--- openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/rsa/rsa_ssl.c 2019-05-03 08:55:51.550406694 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -55,7 +55,7 @@ int RSA_padding_add_SSLv23(unsigned char + + /* + * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding +- * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also ++ * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also + * preserves error code reporting for backward compatibility. + */ + int RSA_padding_check_SSLv23(unsigned char *to, int tlen, +@@ -67,7 +67,10 @@ int RSA_padding_check_SSLv23(unsigned ch + unsigned int good, found_zero_byte, mask, threes_in_row; + int zero_index = 0, msg_index, mlen = -1, err; + +- if (flen < 10) { ++ if (tlen <= 0 || flen <= 0) ++ return -1; ++ ++ if (flen > num || num < 11) { + RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); + return -1; + } +@@ -89,10 +92,9 @@ int RSA_padding_check_SSLv23(unsigned ch + from -= 1 & mask; + *--em = *from & mask; + } +- from = em; + +- good = constant_time_is_zero(from[0]); +- good &= constant_time_eq(from[1], 2); ++ good = constant_time_is_zero(em[0]); ++ good &= constant_time_eq(em[1], 2); + err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02); + mask = ~good; + +@@ -100,18 +102,18 @@ int RSA_padding_check_SSLv23(unsigned ch + found_zero_byte = 0; + threes_in_row = 0; + for (i = 2; i < num; i++) { +- unsigned int equals0 = constant_time_is_zero(from[i]); ++ unsigned int equals0 = constant_time_is_zero(em[i]); + + zero_index = constant_time_select_int(~found_zero_byte & equals0, + i, zero_index); + found_zero_byte |= equals0; + + threes_in_row += 1 & ~found_zero_byte; +- threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3); ++ threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3); + } + + /* +- * PS must be at least 8 bytes long, and it starts two bytes into |from|. ++ * PS must be at least 8 bytes long, and it starts two bytes into |em|. + * If we never found a 0-byte, then |zero_index| is 0 and the check + * also fails. + */ +@@ -120,7 +122,7 @@ int RSA_padding_check_SSLv23(unsigned ch + RSA_R_NULL_BEFORE_BLOCK_MISSING); + mask = ~good; + +- good &= constant_time_lt(threes_in_row, 8); ++ good &= constant_time_ge(threes_in_row, 8); + err = constant_time_select_int(mask | good, err, + RSA_R_SSLV3_ROLLBACK_ATTACK); + mask = ~good; +@@ -139,24 +141,25 @@ int RSA_padding_check_SSLv23(unsigned ch + err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE); + + /* +- * Even though we can't fake result's length, we can pretend copying +- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| +- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, +- * where |mlen'| is "saturated" |mlen| value. Deducing information +- * about failure or |mlen| would take attacker's ability to observe +- * memory access pattern with byte granularity *as it occurs*. It +- * should be noted that failure is indistinguishable from normal +- * operation if |tlen| is fixed by protocol. ++ * Move the result in-place by |num|-11-|mlen| bytes to the left. ++ * Then if |good| move |mlen| bytes from |em|+11 to |to|. ++ * Otherwise leave |to| unchanged. ++ * Copy the memory back in a way that does not reveal the size of ++ * the data being copied via a timing side channel. This requires copying ++ * parts of the buffer multiple times based on the bits set in the real ++ * length. Clear bits do a non-copy with identical access pattern. ++ * The loop below has overall complexity of O(N*log(N)). + */ +- tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); +- msg_index = constant_time_select_int(good, msg_index, num - tlen); +- mlen = num - msg_index; +- for (from += msg_index, mask = good, i = 0; i < tlen; i++) { +- unsigned int equals = constant_time_eq(i, mlen); +- +- from -= tlen & equals; /* if (i == mlen) rewind */ +- mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ +- to[i] = constant_time_select_8(mask, from[i], to[i]); ++ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), ++ num - 11, tlen); ++ for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { ++ mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); ++ for (i = 11; i < num - msg_index; i++) ++ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); ++ } ++ for (i = 0; i < tlen; i++) { ++ mask = good & constant_time_lt(i, mlen); ++ to[i] = constant_time_select_8(mask, em[i + 11], to[i]); + } + + OPENSSL_clear_free(em, num); +diff -up openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync openssl-1.1.1b/crypto/rsa/rsa_x931g.c +--- openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/rsa/rsa_x931g.c 2019-05-03 08:55:51.530407037 +0200 +@@ -133,8 +133,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM + + ret = 1; + err: +- if (ctx) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); + BN_CTX_free(ctx2); + +@@ -188,8 +187,7 @@ int RSA_X931_generate_key_ex(RSA *rsa, i + ok = 1; + + error: +- if (ctx) +- BN_CTX_end(ctx); ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); + + if (ok) +diff -up openssl-1.1.1b/crypto/x509/x509_lu.c.sync openssl-1.1.1b/crypto/x509/x509_lu.c +--- openssl-1.1.1b/crypto/x509/x509_lu.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/x509/x509_lu.c 2019-05-03 08:55:51.546406762 +0200 +@@ -297,6 +297,9 @@ int X509_STORE_CTX_get_by_subject(X509_S + if (ctx == NULL) + return 0; + ++ stmp.type = X509_LU_NONE; ++ stmp.data.ptr = NULL; ++ + CRYPTO_THREAD_write_lock(ctx->lock); + tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); + CRYPTO_THREAD_unlock(ctx->lock); +diff -up openssl-1.1.1b/doc/man1/pkeyutl.pod.sync openssl-1.1.1b/doc/man1/pkeyutl.pod +--- openssl-1.1.1b/doc/man1/pkeyutl.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man1/pkeyutl.pod 2019-05-03 08:55:51.555406608 +0200 +@@ -272,20 +272,19 @@ value less than the minimum restriction. + =head1 DSA ALGORITHM + + The DSA algorithm supports signing and verification operations only. Currently +-there are no additional options other than B. Only the SHA1 +-digest can be used and this digest is assumed by default. ++there are no additional B<-pkeyopt> options other than B. The SHA1 ++digest is assumed by default. + + =head1 DH ALGORITHM + + The DH algorithm only supports the derivation operation and no additional +-options. ++B<-pkeyopt> options. + + =head1 EC ALGORITHM + + The EC algorithm supports sign, verify and derive operations. The sign and +-verify operations use ECDSA and derive uses ECDH. Currently there are no +-additional options other than B. Only the SHA1 digest can be used and +-this digest is assumed by default. ++verify operations use ECDSA and derive uses ECDH. SHA1 is assumed by default for ++the B<-pkeyopt> B option. + + =head1 X25519 and X448 ALGORITHMS + +diff -up openssl-1.1.1b/doc/man1/ts.pod.sync openssl-1.1.1b/doc/man1/ts.pod +--- openssl-1.1.1b/doc/man1/ts.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man1/ts.pod 2019-05-03 08:55:51.554406625 +0200 +@@ -262,7 +262,7 @@ specified, the argument is given to the + =item B<-I> + + Signing digest to use. Overrides the B config file +-option. (Optional) ++option. (Mandatory unless specified in the config file) + + =item B<-chain> certs_file.pem + +@@ -460,7 +460,8 @@ command line option. (Optional) + =item B + + Signing digest to use. The same as the +-B<-I> command line option. (Optional) ++B<-I> command line option. (Mandatory unless specified on the command ++line) + + =item B + +diff -up openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync openssl-1.1.1b/doc/man3/BIO_s_mem.pod +--- openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man3/BIO_s_mem.pod 2019-05-03 08:55:51.556406591 +0200 +@@ -88,6 +88,22 @@ a buffering BIO to the chain will speed + Calling BIO_set_mem_buf() on a BIO created with BIO_new_secmem() will + give undefined results, including perhaps a program crash. + ++Switching the memory BIO from read write to read only is not supported and ++can give undefined results including a program crash. There are two notable ++exceptions to the rule. The first one is to assign a static memory buffer ++immediately after BIO creation and set the BIO as read only. ++ ++The other supported sequence is to start with read write BIO then temporarily ++switch it to read only and call BIO_reset() on the read only BIO immediately ++before switching it back to read write. Before the BIO is freed it must be ++switched back to the read write mode. ++ ++Calling BIO_get_mem_ptr() on read only BIO will return a BUF_MEM that ++contains only the remaining data to be read. If the close status of the ++BIO is set to BIO_NOCLOSE, before freeing the BUF_MEM the data pointer ++in it must be set to NULL as the data pointer does not point to an ++allocated memory. ++ + =head1 BUGS + + There should be an option to set the maximum size of a memory BIO. +diff -up openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync openssl-1.1.1b/doc/man3/BN_CTX_start.pod +--- openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man3/BN_CTX_start.pod 2019-05-03 08:55:51.554406625 +0200 +@@ -27,6 +27,7 @@ calls must be made before calling any ot + B as an argument. + + Finally, BN_CTX_end() must be called before returning from the function. ++If B is NULL, nothing is done. + When BN_CTX_end() is called, the B pointers obtained from + BN_CTX_get() become invalid. + +diff -up openssl-1.1.1b/doc/man3/BN_new.pod.sync openssl-1.1.1b/doc/man3/BN_new.pod +--- openssl-1.1.1b/doc/man3/BN_new.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man3/BN_new.pod 2019-05-03 08:55:51.554406625 +0200 +@@ -27,6 +27,7 @@ OPENSSL_secure_malloc(3) is used to stor + BN_clear() is used to destroy sensitive data such as keys when they + are no longer needed. It erases the memory used by B and sets it + to the value 0. ++If B is NULL, nothing is done. + + BN_free() frees the components of the B, and if it was created + by BN_new(), also the structure itself. BN_clear_free() additionally +diff -up openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync openssl-1.1.1b/doc/man3/EVP_chacha20.pod +--- openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man3/EVP_chacha20.pod 2019-05-03 08:55:51.536406934 +0200 +@@ -21,7 +21,15 @@ The ChaCha20 stream cipher for EVP. + + =item EVP_chacha20() + +-The ChaCha20 stream cipher. The key length is 256 bits, the IV is 96 bits long. ++The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long. ++The first 32 bits consists of a counter in little-endian order followed by a 96 ++bit nonce. For example a nonce of: ++ ++000000000000000000000002 ++ ++With an initial counter of 42 (2a in hex) would be expressed as: ++ ++2a000000000000000000000000000002 + + =item EVP_chacha20_poly1305() + +diff -up openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod +--- openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod 2019-05-03 08:55:51.554406625 +0200 +@@ -436,7 +436,9 @@ The following Is are supported for + + Sets the nonce length. This call can only be made before specifying the nonce. + If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum +-nonce length is 16 (B, i.e. 128-bits). ++nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set ++then the nonce is automatically padded with leading 0 bytes to make it 12 bytes ++in length. + + =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag) + +diff -up openssl-1.1.1b/doc/man3/HMAC.pod.sync openssl-1.1.1b/doc/man3/HMAC.pod +--- openssl-1.1.1b/doc/man3/HMAC.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man3/HMAC.pod 2019-05-03 08:55:51.539406883 +0200 +@@ -63,7 +63,9 @@ If B is NULL, the digest is placed i + the output is placed in B, unless it is B. Note: passing a NULL + value for B to use the static array is not thread safe. + +-B can be EVP_sha1(), EVP_ripemd160() etc. ++B is a message digest such as EVP_sha1(), EVP_ripemd160() etc. HMAC does ++not support variable output length digests such as EVP_shake128() and ++EVP_shake256(). + + HMAC_CTX_new() creates a new HMAC_CTX in heap memory. + +diff -up openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod +--- openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod 2019-05-03 08:55:51.555406608 +0200 +@@ -5,6 +5,7 @@ + RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1, + RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2, + RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP, ++RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1, + RSA_padding_add_SSLv23, RSA_padding_check_SSLv23, + RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption + padding +@@ -14,35 +15,46 @@ padding + #include + + int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, +- unsigned char *f, int fl); ++ const unsigned char *f, int fl); + + int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, +- unsigned char *f, int fl, int rsa_len); ++ const unsigned char *f, int fl, int rsa_len); + + int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, +- unsigned char *f, int fl); ++ const unsigned char *f, int fl); + + int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, +- unsigned char *f, int fl, int rsa_len); ++ const unsigned char *f, int fl, int rsa_len); + + int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, +- unsigned char *f, int fl, unsigned char *p, int pl); ++ const unsigned char *f, int fl, ++ const unsigned char *p, int pl); + + int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, +- unsigned char *f, int fl, int rsa_len, +- unsigned char *p, int pl); ++ const unsigned char *f, int fl, int rsa_len, ++ const unsigned char *p, int pl); ++ ++ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, ++ const unsigned char *f, int fl, ++ const unsigned char *p, int pl, ++ const EVP_MD *md, const EVP_MD *mgf1md); ++ ++ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, ++ const unsigned char *f, int fl, int rsa_len, ++ const unsigned char *p, int pl, ++ const EVP_MD *md, const EVP_MD *mgf1md); + + int RSA_padding_add_SSLv23(unsigned char *to, int tlen, +- unsigned char *f, int fl); ++ const unsigned char *f, int fl); + + int RSA_padding_check_SSLv23(unsigned char *to, int tlen, +- unsigned char *f, int fl, int rsa_len); ++ const unsigned char *f, int fl, int rsa_len); + + int RSA_padding_add_none(unsigned char *to, int tlen, +- unsigned char *f, int fl); ++ const unsigned char *f, int fl); + + int RSA_padding_check_none(unsigned char *to, int tlen, +- unsigned char *f, int fl, int rsa_len); ++ const unsigned char *f, int fl, int rsa_len); + + =head1 DESCRIPTION + +@@ -98,6 +110,10 @@ at B. + For RSA_padding_xxx_OAEP(), B

points to the encoding parameter + of length B. B

may be B if B is 0. + ++For RSA_padding_xxx_OAEP_mgf1(), B points to the md hash, ++if B is B that means md=sha1, and B points to ++the mgf1 hash, if B is B that means mgf1md=md. ++ + =head1 RETURN VALUES + + The RSA_padding_add_xxx() functions return 1 on success, 0 on error. +@@ -107,15 +123,21 @@ L. + + =head1 WARNING + +-The RSA_padding_check_PKCS1_type_2() padding check leaks timing ++The result of RSA_padding_check_PKCS1_type_2() is a very sensitive + information which can potentially be used to mount a Bleichenbacher + padding oracle attack. This is an inherent weakness in the PKCS #1 +-v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can +-be recommended to pass zero-padded B, so that B equals to +-B, and if fixed by protocol, B being set to the +-expected length. In such case leakage would be minimal, it would +-take attacker's ability to observe memory access pattern with byte +-granilarity as it occurs, post-factum timing analysis won't do. ++v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not ++possible, the result of RSA_padding_check_PKCS1_type_2() should be ++checked in constant time if it matches the expected length of the ++plaintext and additionally some application specific consistency ++checks on the plaintext need to be performed in constant time. ++If the plaintext is rejected it must be kept secret which of the ++checks caused the application to reject the message. ++Do not remove the zero-padding from the decrypted raw RSA data ++which was computed by RSA_private_decrypt() with B, ++as this would create a small timing side channel which could be ++used to mount a Bleichenbacher attack against any padding mode ++including PKCS1_OAEP. + + =head1 SEE ALSO + +@@ -125,7 +147,7 @@ L, L + + =head1 COPYRIGHT + +-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the OpenSSL license (the "License"). You may not use + this file except in compliance with the License. You can obtain a copy +diff -up openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod +--- openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod 2019-05-03 08:55:51.555406608 +0200 +@@ -8,10 +8,10 @@ RSA_public_encrypt, RSA_private_decrypt + + #include + +- int RSA_public_encrypt(int flen, unsigned char *from, ++ int RSA_public_encrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding); + +- int RSA_private_decrypt(int flen, unsigned char *from, ++ int RSA_private_decrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding); + + =head1 DESCRIPTION +@@ -27,6 +27,8 @@ B denotes one of the following + =item RSA_PKCS1_PADDING + + PKCS #1 v1.5 padding. This currently is the most widely used mode. ++However, it is highly recommended to use RSA_PKCS1_OAEP_PADDING in ++new applications. SEE WARNING BELOW. + + =item RSA_PKCS1_OAEP_PADDING + +@@ -46,23 +48,35 @@ Encrypting user data directly with RSA i + + =back + +-B must be less than RSA_size(B) - 11 for the PKCS #1 v1.5 +-based padding modes, less than RSA_size(B) - 41 for ++B must not be more than RSA_size(B) - 11 for the PKCS #1 v1.5 ++based padding modes, not more than RSA_size(B) - 42 for + RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. +-The random number generator must be seeded prior to calling +-RSA_public_encrypt(). ++When a padding mode other than RSA_NO_PADDING is in use, then ++RSA_public_encrypt() will include some random bytes into the ciphertext ++and therefore the ciphertext will be different each time, even if the ++plaintext and the public key are exactly identical. ++The returned ciphertext in B will always be zero padded to exactly ++RSA_size(B) bytes. ++B and B may overlap. + + RSA_private_decrypt() decrypts the B bytes at B using the +-private key B and stores the plaintext in B. B must point +-to a memory section large enough to hold the decrypted data (which is +-smaller than RSA_size(B)). B is the padding mode that +-was used to encrypt the data. ++private key B and stores the plaintext in B. B should ++be equal to RSA_size(B) but may be smaller, when leading zero ++bytes are in the ciphertext. Those are not important and may be removed, ++but RSA_public_encrypt() does not do that. B must point ++to a memory section large enough to hold the maximal possible decrypted ++data (which is equal to RSA_size(B) for RSA_NO_PADDING, ++RSA_size(B) - 11 for the PKCS #1 v1.5 based padding modes and ++RSA_size(B) - 42 for RSA_PKCS1_OAEP_PADDING). ++B is the padding mode that was used to encrypt the data. ++B and B may overlap. + + =head1 RETURN VALUES + + RSA_public_encrypt() returns the size of the encrypted data (i.e., + RSA_size(B)). RSA_private_decrypt() returns the size of the +-recovered plaintext. ++recovered plaintext. A return value of 0 is not an error and ++means only that the plaintext was empty. + + On error, -1 is returned; the error codes can be + obtained by L. +@@ -85,7 +99,7 @@ L + + =head1 COPYRIGHT + +-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the OpenSSL license (the "License"). You may not use + this file except in compliance with the License. You can obtain a copy +diff -up openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod +--- openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod 2019-05-03 08:55:51.537406917 +0200 +@@ -124,7 +124,10 @@ Textual representation of the cipher nam + + =item + +-Protocol version, such as B, when the cipher was first defined. ++The minimum protocol version that the ciphersuite supports, such as B. ++Note that this is not always the same as the protocol version in which the ++ciphersuite was first defined because some ciphersuites are backwards compatible ++with earlier protocol versions. + + =item Kx= + +diff -up openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod +--- openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod 2019-05-03 08:55:51.534406969 +0200 +@@ -65,6 +65,8 @@ both required, and on success the caller + B<*out> using OPENSSL_free(). The contents of B<*out> is an array of integers + holding the numerical value of the TLS extension types in the order they appear + in the ClientHello. B<*outlen> contains the number of elements in the array. ++In situations when the ClientHello has no extensions, the function will return ++success with B<*out> set to NULL and B<*outlen> set to 0. + + =head1 NOTES + +diff -up openssl-1.1.1b/include/openssl/err.h.sync openssl-1.1.1b/include/openssl/err.h +--- openssl-1.1.1b/include/openssl/err.h.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/include/openssl/err.h 2019-05-03 08:55:51.548406728 +0200 +@@ -37,6 +37,7 @@ extern "C" { + # define ERR_TXT_STRING 0x02 + + # define ERR_FLAG_MARK 0x01 ++# define ERR_FLAG_CLEAR 0x02 + + # define ERR_NUM_ERRORS 16 + typedef struct err_state_st { +diff -up openssl-1.1.1b/ssl/ssl_lib.c.sync openssl-1.1.1b/ssl/ssl_lib.c +--- openssl-1.1.1b/ssl/ssl_lib.c.sync 2019-05-03 08:55:45.196515778 +0200 ++++ openssl-1.1.1b/ssl/ssl_lib.c 2019-05-03 08:55:51.535406951 +0200 +@@ -5089,6 +5089,11 @@ int SSL_client_hello_get1_extensions_pre + if (ext->present) + num++; + } ++ if (num == 0) { ++ *out = NULL; ++ *outlen = 0; ++ return 1; ++ } + if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) { + SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT, + ERR_R_MALLOC_FAILURE); +diff -up openssl-1.1.1b/ssl/ssl_locl.h.sync openssl-1.1.1b/ssl/ssl_locl.h +--- openssl-1.1.1b/ssl/ssl_locl.h.sync 2019-05-03 08:55:45.011518954 +0200 ++++ openssl-1.1.1b/ssl/ssl_locl.h 2019-05-03 08:55:51.541406848 +0200 +@@ -574,7 +574,6 @@ struct ssl_session_st { + /* Session lifetime hint in seconds */ + unsigned long tick_lifetime_hint; + uint32_t tick_age_add; +- int tick_identity; + /* Max number of bytes that can be sent as early data */ + uint32_t max_early_data; + /* The ALPN protocol selected for this session */ +@@ -1356,6 +1355,13 @@ struct ssl_st { + * as this extension is optional on server side. + */ + uint8_t max_fragment_len_mode; ++ ++ /* ++ * On the client side the number of ticket identities we sent in the ++ * ClientHello. On the server side the identity of the ticket we ++ * selected. ++ */ ++ int tick_identity; + } ext; + + /* +@@ -2052,9 +2058,6 @@ typedef enum downgrade_en { + #define TLSEXT_KEX_MODE_FLAG_KE 1 + #define TLSEXT_KEX_MODE_FLAG_KE_DHE 2 + +-/* An invalid index into the TLSv1.3 PSK identities */ +-#define TLSEXT_PSK_BAD_IDENTITY -1 +- + #define SSL_USE_PSS(s) (s->s3->tmp.peer_sigalg != NULL && \ + s->s3->tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS) + +diff -up openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync openssl-1.1.1b/ssl/statem/extensions_clnt.c +--- openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/ssl/statem/extensions_clnt.c 2019-05-03 08:55:51.542406831 +0200 +@@ -993,7 +993,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s + const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; + int dores = 0; + +- s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY; ++ s->ext.tick_identity = 0; + + /* + * Note: At this stage of the code we only support adding a single +@@ -1083,6 +1083,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s + agems += s->session->ext.tick_age_add; + + reshashsize = EVP_MD_size(mdres); ++ s->ext.tick_identity++; + dores = 1; + } + +@@ -1142,6 +1143,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } ++ s->ext.tick_identity++; + } + + if (!WPACKET_close(pkt) +@@ -1180,11 +1182,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s + return EXT_RETURN_FAIL; + } + +- if (dores) +- s->session->ext.tick_identity = 0; +- if (s->psksession != NULL) +- s->psksession->ext.tick_identity = (dores ? 1 : 0); +- + return EXT_RETURN_SENT; + #else + return EXT_RETURN_NOT_SENT; +@@ -1927,8 +1924,7 @@ int tls_parse_stoc_early_data(SSL *s, PA + } + + if (!s->ext.early_data_ok +- || !s->hit +- || s->session->ext.tick_identity != 0) { ++ || !s->hit) { + /* + * If we get here then we didn't send early data, or we didn't resume + * using the first identity, or the SNI/ALPN is not consistent so the +@@ -1956,17 +1952,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p + return 0; + } + +- if (s->session->ext.tick_identity == (int)identity) { ++ if (identity >= (unsigned int)s->ext.tick_identity) { ++ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, ++ SSL_R_BAD_PSK_IDENTITY); ++ return 0; ++ } ++ ++ /* ++ * Session resumption tickets are always sent before PSK tickets. If the ++ * ticket index is 0 then it must be for a session resumption ticket if we ++ * sent two tickets, or if we didn't send a PSK ticket. ++ */ ++ if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { + s->hit = 1; + SSL_SESSION_free(s->psksession); + s->psksession = NULL; + return 1; + } + +- if (s->psksession == NULL +- || s->psksession->ext.tick_identity != (int)identity) { +- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, +- SSL_R_BAD_PSK_IDENTITY); ++ if (s->psksession == NULL) { ++ /* Should never happen */ ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK, ++ ERR_R_INTERNAL_ERROR); + return 0; + } + +@@ -1985,6 +1992,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p + s->session = s->psksession; + s->psksession = NULL; + s->hit = 1; ++ /* Early data is only allowed if we used the first ticket */ ++ if (identity != 0) ++ s->ext.early_data_ok = 0; + #endif + + return 1; +diff -up openssl-1.1.1b/ssl/statem/extensions.c.sync openssl-1.1.1b/ssl/statem/extensions.c +--- openssl-1.1.1b/ssl/statem/extensions.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/ssl/statem/extensions.c 2019-05-03 08:55:51.541406848 +0200 +@@ -989,7 +989,6 @@ static int final_server_name(SSL *s, uns + ss->ext.ticklen = 0; + ss->ext.tick_lifetime_hint = 0; + ss->ext.tick_age_add = 0; +- ss->ext.tick_identity = 0; + if (!ssl_generate_session_id(s, ss)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, + ERR_R_INTERNAL_ERROR); +@@ -1646,7 +1645,6 @@ static int final_early_data(SSL *s, unsi + + if (s->max_early_data == 0 + || !s->hit +- || s->session->ext.tick_identity != 0 + || s->early_data_state != SSL_EARLY_DATA_ACCEPTING + || !s->ext.early_data_ok + || s->hello_retry_request != SSL_HRR_NONE +diff -up openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync openssl-1.1.1b/ssl/statem/extensions_srvr.c +--- openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/ssl/statem/extensions_srvr.c 2019-05-03 08:55:51.542406831 +0200 +@@ -1274,7 +1274,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *p + goto err; + } + +- sess->ext.tick_identity = id; ++ s->ext.tick_identity = id; + + SSL_SESSION_free(s->session); + s->session = sess; +@@ -1948,7 +1948,7 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) + || !WPACKET_start_sub_packet_u16(pkt) +- || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity) ++ || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR); +diff -up openssl-1.1.1b/ssl/statem/statem_clnt.c.sync openssl-1.1.1b/ssl/statem/statem_clnt.c +--- openssl-1.1.1b/ssl/statem/statem_clnt.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/ssl/statem/statem_clnt.c 2019-05-03 08:55:51.543406814 +0200 +@@ -1613,10 +1613,7 @@ MSG_PROCESS_RETURN tls_process_server_he + * so the PAC-based session secret is always preserved. It'll be + * overwritten if the server refuses resumption. + */ +- if (s->session->session_id_length > 0 +- || (SSL_IS_TLS13(s) +- && s->session->ext.tick_identity +- != TLSEXT_PSK_BAD_IDENTITY)) { ++ if (s->session->session_id_length > 0) { + tsan_counter(&s->session_ctx->stats.sess_miss); + if (!ssl_get_new_session(s, 0)) { + /* SSLfatal() already called */ +diff -up openssl-1.1.1b/test/bio_memleak_test.c.sync openssl-1.1.1b/test/bio_memleak_test.c +--- openssl-1.1.1b/test/bio_memleak_test.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/test/bio_memleak_test.c 2019-05-03 08:55:51.556406591 +0200 +@@ -18,28 +18,170 @@ static int test_bio_memleak(void) + int ok = 0; + BIO *bio; + BUF_MEM bufmem; +- const char *str = "BIO test\n"; ++ static const char str[] = "BIO test\n"; + char buf[100]; + + bio = BIO_new(BIO_s_mem()); +- if (bio == NULL) ++ if (!TEST_ptr(bio)) + goto finish; +- bufmem.length = strlen(str) + 1; ++ bufmem.length = sizeof(str); + bufmem.data = (char *) str; + bufmem.max = bufmem.length; + BIO_set_mem_buf(bio, &bufmem, BIO_NOCLOSE); + BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY); ++ if (!TEST_int_eq(BIO_read(bio, buf, sizeof(buf)), sizeof(str))) ++ goto finish; ++ if (!TEST_mem_eq(buf, sizeof(str), str, sizeof(str))) ++ goto finish; ++ ok = 1; + +- if (BIO_read(bio, buf, sizeof(buf)) <= 0) +- goto finish; ++finish: ++ BIO_free(bio); ++ return ok; ++} + +- ok = strcmp(buf, str) == 0; ++static int test_bio_get_mem(void) ++{ ++ int ok = 0; ++ BIO *bio = NULL; ++ BUF_MEM *bufmem = NULL; ++ ++ bio = BIO_new(BIO_s_mem()); ++ if (!TEST_ptr(bio)) ++ goto finish; ++ if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12)) ++ goto finish; ++ BIO_get_mem_ptr(bio, &bufmem); ++ if (!TEST_ptr(bufmem)) ++ goto finish; ++ if (!TEST_int_gt(BIO_set_close(bio, BIO_NOCLOSE), 0)) ++ goto finish; ++ BIO_free(bio); ++ bio = NULL; ++ if (!TEST_mem_eq(bufmem->data, bufmem->length, "Hello World\n", 12)) ++ goto finish; ++ ok = 1; + + finish: + BIO_free(bio); ++ BUF_MEM_free(bufmem); + return ok; + } + ++static int test_bio_new_mem_buf(void) ++{ ++ int ok = 0; ++ BIO *bio; ++ BUF_MEM *bufmem; ++ char data[16]; ++ ++ bio = BIO_new_mem_buf("Hello World\n", 12); ++ if (!TEST_ptr(bio)) ++ goto finish; ++ if (!TEST_int_eq(BIO_read(bio, data, 5), 5)) ++ goto finish; ++ if (!TEST_mem_eq(data, 5, "Hello", 5)) ++ goto finish; ++ if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0)) ++ goto finish; ++ if (!TEST_int_lt(BIO_write(bio, "test", 4), 0)) ++ goto finish; ++ if (!TEST_int_eq(BIO_read(bio, data, 16), 7)) ++ goto finish; ++ if (!TEST_mem_eq(data, 7, " World\n", 7)) ++ goto finish; ++ if (!TEST_int_gt(BIO_reset(bio), 0)) ++ goto finish; ++ if (!TEST_int_eq(BIO_read(bio, data, 16), 12)) ++ goto finish; ++ if (!TEST_mem_eq(data, 12, "Hello World\n", 12)) ++ goto finish; ++ ok = 1; ++ ++finish: ++ BIO_free(bio); ++ return ok; ++} ++ ++static int test_bio_rdonly_mem_buf(void) ++{ ++ int ok = 0; ++ BIO *bio, *bio2 = NULL; ++ BUF_MEM *bufmem; ++ char data[16]; ++ ++ bio = BIO_new_mem_buf("Hello World\n", 12); ++ if (!TEST_ptr(bio)) ++ goto finish; ++ if (!TEST_int_eq(BIO_read(bio, data, 5), 5)) ++ goto finish; ++ if (!TEST_mem_eq(data, 5, "Hello", 5)) ++ goto finish; ++ if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0)) ++ goto finish; ++ (void)BIO_set_close(bio, BIO_NOCLOSE); ++ ++ bio2 = BIO_new(BIO_s_mem()); ++ if (!TEST_ptr(bio2)) ++ goto finish; ++ BIO_set_mem_buf(bio2, bufmem, BIO_CLOSE); ++ BIO_set_flags(bio2, BIO_FLAGS_MEM_RDONLY); ++ ++ if (!TEST_int_eq(BIO_read(bio2, data, 16), 7)) ++ goto finish; ++ if (!TEST_mem_eq(data, 7, " World\n", 7)) ++ goto finish; ++ if (!TEST_int_gt(BIO_reset(bio2), 0)) ++ goto finish; ++ if (!TEST_int_eq(BIO_read(bio2, data, 16), 7)) ++ goto finish; ++ if (!TEST_mem_eq(data, 7, " World\n", 7)) ++ goto finish; ++ ok = 1; ++ ++finish: ++ BIO_free(bio); ++ BIO_free(bio2); ++ return ok; ++} ++ ++static int test_bio_rdwr_rdonly(void) ++{ ++ int ok = 0; ++ BIO *bio = NULL; ++ char data[16]; ++ ++ bio = BIO_new(BIO_s_mem()); ++ if (!TEST_ptr(bio)) ++ goto finish; ++ if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12)) ++ goto finish; ++ ++ BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY); ++ if (!TEST_int_eq(BIO_read(bio, data, 16), 12)) ++ goto finish; ++ if (!TEST_mem_eq(data, 12, "Hello World\n", 12)) ++ goto finish; ++ if (!TEST_int_gt(BIO_reset(bio), 0)) ++ goto finish; ++ ++ BIO_clear_flags(bio, BIO_FLAGS_MEM_RDONLY); ++ if (!TEST_int_eq(BIO_puts(bio, "Hi!\n"), 4)) ++ goto finish; ++ if (!TEST_int_eq(BIO_read(bio, data, 16), 16)) ++ goto finish; ++ ++ if (!TEST_mem_eq(data, 16, "Hello World\nHi!\n", 16)) ++ goto finish; ++ ++ ok = 1; ++ ++finish: ++ BIO_free(bio); ++ return ok; ++} ++ ++ + int global_init(void) + { + CRYPTO_set_mem_debug(1); +@@ -50,5 +192,9 @@ int global_init(void) + int setup_tests(void) + { + ADD_TEST(test_bio_memleak); ++ ADD_TEST(test_bio_get_mem); ++ ADD_TEST(test_bio_new_mem_buf); ++ ADD_TEST(test_bio_rdonly_mem_buf); ++ ADD_TEST(test_bio_rdwr_rdonly); + return 1; + } +diff -up openssl-1.1.1b/test/ectest.c.sync openssl-1.1.1b/test/ectest.c +--- openssl-1.1.1b/test/ectest.c.sync 2019-05-03 08:55:45.127516962 +0200 ++++ openssl-1.1.1b/test/ectest.c 2019-05-03 08:55:51.524407140 +0200 +@@ -728,6 +728,74 @@ err: + BN_CTX_free(ctx); + return r; + } ++ ++/* ++ * Tests a point known to cause an incorrect underflow in an old version of ++ * ecp_nist521.c ++ */ ++static int underflow_test(void) ++{ ++ BN_CTX *ctx = NULL; ++ EC_GROUP *grp = NULL; ++ EC_POINT *P = NULL, *Q = NULL, *R = NULL; ++ BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL; ++ BIGNUM *k = NULL; ++ int testresult = 0; ++ const char *x1str = ++ "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4" ++ "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004"; ++ const char *p521m1 = ++ "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" ++ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"; ++ ++ ctx = BN_CTX_new(); ++ if (!TEST_ptr(ctx)) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ x1 = BN_CTX_get(ctx); ++ y1 = BN_CTX_get(ctx); ++ z1 = BN_CTX_get(ctx); ++ x2 = BN_CTX_get(ctx); ++ y2 = BN_CTX_get(ctx); ++ k = BN_CTX_get(ctx); ++ if (!TEST_ptr(k)) ++ goto err; ++ ++ grp = EC_GROUP_new_by_curve_name(NID_secp521r1); ++ P = EC_POINT_new(grp); ++ Q = EC_POINT_new(grp); ++ R = EC_POINT_new(grp); ++ if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R)) ++ goto err; ++ ++ if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0) ++ || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0) ++ || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0) ++ || !TEST_int_gt(BN_hex2bn(&k, "02"), 0) ++ || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1, ++ y1, z1, ctx)) ++ || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx)) ++ || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx)) ++ || !TEST_true(EC_POINT_dbl(grp, R, P, ctx)) ++ || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx))) ++ goto err; ++ ++ if (!TEST_int_eq(BN_cmp(x1, x2), 0) ++ || !TEST_int_eq(BN_cmp(y1, y2), 0)) ++ goto err; ++ ++ testresult = 1; ++ ++ err: ++ BN_CTX_end(ctx); ++ EC_POINT_free(P); ++ EC_POINT_free(Q); ++ EC_GROUP_free(grp); ++ BN_CTX_free(ctx); ++ ++ return testresult; ++} + # endif + + static const unsigned char p521_named[] = { +@@ -835,6 +903,7 @@ int setup_tests(void) + # endif + # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params)); ++ ADD_TEST(underflow_test); + # endif + ADD_ALL_TESTS(internal_curve_test, crv_len); + ADD_ALL_TESTS(internal_curve_test_method, crv_len); +diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt +--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-03 08:55:51.552406659 +0200 +@@ -2232,7 +2232,7 @@ IV = 00000000000000000000000000000000 + Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd + Ciphertext = 30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd + +-Title = ARIA GCM test vectors from IETF draft-ietf-avtcore-aria-srtp-10 ++Title = ARIA GCM test vectors from RFC8269 + + Cipher = ARIA-128-GCM + Key = e91e5e75da65554a48181f3846349562 +@@ -2250,6 +2250,36 @@ Tag = e210d6ced2cf430ff841472915e7ef48 + Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 + Ciphertext = 6f9e4bcbc8c85fc0128fb1e4a0a20cb9932ff74581f54fc013dd054b19f99371425b352d97d3f337b90b63d1b082adeeea9d2d7391897d591b985e55fb50cb5350cf7d38dc27dda127c078a149c8eb98083d66363a46e3726af217d3a00275ad5bf772c7610ea4c23006878f0ee69a8397703169a419303f40b72e4573714d19e2697df61e7c7252e5abc6bade876ac4961bfac4d5e867afca351a48aed52822 + ++Title = ARIA GCM self-generated test vectors ++ ++Cipher = ARIA-128-GCM ++Key = e91e5e75da65554a48181f3846349562 ++# Shorter than default IV ++IV = 0001020304 ++AAD = 8008315ebf2e6fe020e8f5eb ++Tag = ebaa2645bb154542117ee46031aa176e ++Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 ++Ciphertext = 1723ccfc0ed44a12520473cfeb63bc933cd450a943f5f1cba78e19d72f80cc102acc51f2459a06cf6435182b8ddd451f83e13479efe5ec7dfbf16229f4017920fb41457a9b6fe1a401b30b2f332d827ae2f86e962326927c1ed8bfedac1f7a00ddde63bd392a8f28a488ba5974689f8d15b9b1739fb50aae0ff244026ec72064003c621b33ffc8086b0a97eefb70604a2826f6499f6eb12d67a0da03fc8e1482 ++ ++Cipher = ARIA-128-GCM ++Key = e91e5e75da65554a48181f3846349562 ++# Longer than default IV ++IV = 000102030405060708090a0b0c0d0e0f ++AAD = 8008315ebf2e6fe020e8f5eb ++Tag = 61f7f44c7da3c60195b29ae0b46051a4 ++Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 ++Ciphertext = 0d3e98fcaf7a2c4fe9198d66add90d113e5e0ff47598c40a4bf501960d935a4156c9a4d46c9358a608e10a16479a4247c9ab9bb4a02809e3eac3571b832590fe2ca3e2d545741e36282d96c041fc7d39a46ed60214c2c0ec70f27768dfea4f9563b5d5c2ac33b1368a78f2908f5daf942433fec6ab588f09e908e95cc8dfa85d1a0dfd5835dc14e148323230c63eedc99a9ce942214cb3768b97b821d613629f ++ ++Cipher = ARIA-128-GCM ++Key = e91e5e75da65554a48181f3846349562 ++# Extra long IV ++IV = 000102030405060708090a0b0c0d0e0f1011 ++AAD = 8008315ebf2e6fe020e8f5eb ++Tag = c8b31ab6c2ddccab06b76af4e56e664e ++Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 ++Ciphertext = 616a7bce24206501082cef7267c09a4affa54f8f82eb7fb2cdebdcaab4b6ab05c37e891c2d0fc90d15c5fb684247625c8bc0befad86896ae1c8f5a8506954caba4e13df0a0eb23853d4474e7f3b2c57bb398456a24d198e14566bce8a5f8d3bcdb12994d2fdc0f5cf19aeff990c1fe119e01f9fcc86757b1d43a9accf7b2f913c2208a46c1967f403867f89b46ffe96864c63f042265806ea5270e0dddd0e8dd ++ ++ + Title = ARIA CCM test vectors from IETF draft-ietf-avtcore-aria-srtp-02 + + # 16-byte Tag +@@ -2357,14 +2387,41 @@ Operation = ENCRYPT + Plaintext = B41E6BE2EBA84A148E2EED84593C5EC7 + Ciphertext = 9B9B7BFCD1813CB95D0B3618F40F5122 + +-Title = Chacha20 ++Title = Chacha20 test vectors from RFC7539 + ++# A.1 Test Vector 1 + Cipher = chacha20 + Key = 0000000000000000000000000000000000000000000000000000000000000000 + IV = 00000000000000000000000000000000 + Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + Ciphertext = 76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586 + ++# A.1 Test Vector 2 ++Cipher = chacha20 ++Key = 0000000000000000000000000000000000000000000000000000000000000000 ++IV = 01000000000000000000000000000000 ++Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ++Ciphertext = 9f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29b721769ce64e43d57133b074d839d531ed1f28510afb45ace10a1f4b794d6f ++ ++# A.2 Test Vector 1 is the same as A.1 Test Vector 1 ++# A.2 Test Vector 2 ++Cipher = chacha20 ++Key = 0000000000000000000000000000000000000000000000000000000000000001 ++#Counter (first 4 bytes) expressed in little-endian order ++IV = 01000000000000000000000000000002 ++Plaintext = 416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f ++Ciphertext = a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221 ++ ++# A.2 Test Vector 3 ++Cipher = chacha20 ++Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 ++#Counter (first 4 bytes) expressed in little-endian order ++IV = 2a000000000000000000000000000002 ++Plaintext = 2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e ++Ciphertext = 62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1 ++ ++Title = Chacha20 ++ + Cipher = chacha20 + Key = 0000000000000000000000000000000000000000000000000000000000000001 + IV = 00000000000000000000000000000000 +@@ -2506,3 +2563,12 @@ AAD = f33388860000000000004e91 + Tag = e0723bce23528ce6ccb10ff9627038bf + Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d + Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140 ++ ++Cipher = chacha20-poly1305 ++Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 ++IV = ff000000000102030405060708 ++AAD = f33388860000000000004e91 ++Tag = e0723bce23528ce6ccb10ff9627038bf ++Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d ++Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140 ++Result = INVALID_IV_LENGTH +diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt +--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt 2019-05-03 08:55:51.539406883 +0200 +@@ -351,6 +351,14 @@ Input = "Sample message for keylen>block + Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687 + Output = 5f464f5e5b7848e3885e49b2c385f0694985d0e38966242dc4a5fe3fea4b37d46b65ceced5dcf59438dd840bab22269f0ba7febdb9fcf74602a35666b2a32915 + ++Title = HMAC self generated tests ++ ++MAC = HMAC ++Algorithm = SHAKE128 ++Input = "Test that SHAKE128 fails" ++Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f ++Result = DIGESTSIGNINIT_ERROR ++ + + Title = CMAC tests (from FIPS module) + +diff -up openssl-1.1.1b/test/recipes/80-test_cms.t.sync openssl-1.1.1b/test/recipes/80-test_cms.t +--- openssl-1.1.1b/test/recipes/80-test_cms.t.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/test/recipes/80-test_cms.t 2019-05-03 08:55:51.533406986 +0200 +@@ -308,6 +308,14 @@ my @smime_cms_param_tests = ( + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + ++ [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=-3", ++ [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", ++ "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", ++ "-keyopt", "rsa_pss_saltlen:-3", "-out", "test.cms" ], ++ [ "-verify", "-in", "test.cms", "-inform", "PEM", ++ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] ++ ], ++ + [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes", + [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr", + "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", +diff -up openssl-1.1.1b/test/rsa_test.c.sync openssl-1.1.1b/test/rsa_test.c +--- openssl-1.1.1b/test/rsa_test.c.sync 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/test/rsa_test.c 2019-05-03 08:55:51.523407157 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -268,6 +268,36 @@ err: + return ret; + } + ++static int test_rsa_sslv23(int idx) ++{ ++ int ret = 0; ++ RSA *key; ++ unsigned char ptext[256]; ++ unsigned char ctext[256]; ++ static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; ++ unsigned char ctext_ex[256]; ++ int plen; ++ int clen = 0; ++ int num; ++ ++ plen = sizeof(ptext_ex) - 1; ++ clen = rsa_setkey(&key, ctext_ex, idx); ++ ++ num = RSA_public_encrypt(plen, ptext_ex, ctext, key, ++ RSA_SSLV23_PADDING); ++ if (!TEST_int_eq(num, clen)) ++ goto err; ++ ++ num = RSA_private_decrypt(num, ctext, ptext, key, RSA_SSLV23_PADDING); ++ if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) ++ goto err; ++ ++ ret = 1; ++err: ++ RSA_free(key); ++ return ret; ++} ++ + static int test_rsa_oaep(int idx) + { + int ret = 0; +@@ -332,6 +362,7 @@ err: + int setup_tests(void) + { + ADD_ALL_TESTS(test_rsa_pkcs1, 3); ++ ADD_ALL_TESTS(test_rsa_sslv23, 3); + ADD_ALL_TESTS(test_rsa_oaep, 3); + return 1; + } diff --git a/openssl.spec b/openssl.spec index ff4fa05..5c0c014 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1b -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -62,7 +62,7 @@ Patch48: openssl-1.1.1-fips-post-rand.patch Patch49: openssl-1.1.1-evp-kdf.patch Patch50: openssl-1.1.1-ssh-kdf.patch # Backported fixes including security fixes -Patch51: openssl-1.1.1-bio-mem-ptr.patch +Patch51: openssl-1.1.1-upstream-sync.patch License: OpenSSL URL: http://www.openssl.org/ @@ -159,7 +159,7 @@ cp %{SOURCE13} test/ %patch48 -p1 -b .fips-post-rand %patch49 -p1 -b .evp-kdf %patch50 -p1 -b .ssh-kdf -%patch51 -p1 -b .bio-mem-ptr +%patch51 -p1 -b .upstream-sync %build @@ -446,6 +446,9 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Fri May 3 2019 Tomáš Mráz 1.1.1b-6 +- apply new bugfixes from upstream 1.1.1 branch + * Tue Apr 16 2019 Tomáš Mráz 1.1.1b-5 - fix for BIO_get_mem_ptr() regression in 1.1.1b (#1691853)