diff -up openssl-1.1.1b/apps/asn1pars.c.sync openssl-1.1.1b/apps/asn1pars.c
--- openssl-1.1.1b/apps/asn1pars.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/apps/asn1pars.c 2019-05-03 08:55:51.532407003 +0200
@@ -170,17 +170,17 @@ int asn1parse_main(int argc, char **argv
if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL)
goto end;
+ if ((buf = BUF_MEM_new()) == NULL)
+ goto end;
if (strictpem) {
- if (PEM_read_bio(in, &name, &header, &str, &num) !=
- 1) {
+ if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
BIO_printf(bio_err, "Error reading PEM file\n");
ERR_print_errors(bio_err);
goto end;
}
+ buf->data = (char *)str;
+ buf->length = buf->max = num;
} else {
-
- if ((buf = BUF_MEM_new()) == NULL)
- goto end;
if (!BUF_MEM_grow(buf, BUFSIZ * 8))
goto end; /* Pre-allocate :-) */
@@ -303,8 +303,6 @@ int asn1parse_main(int argc, char **argv
BUF_MEM_free(buf);
OPENSSL_free(name);
OPENSSL_free(header);
- if (strictpem)
- OPENSSL_free(str);
ASN1_TYPE_free(at);
sk_OPENSSL_STRING_free(osk);
return ret;
diff -up openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl
--- openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl 2019-05-03 08:55:51.551406676 +0200
@@ -1829,7 +1829,7 @@ Lctr32_enc8x_three:
stvx_u $out1,$x10,$out
stvx_u $out2,$x20,$out
addi $out,$out,0x30
- b Lcbc_dec8x_done
+ b Lctr32_enc8x_done
.align 5
Lctr32_enc8x_two:
@@ -1841,7 +1841,7 @@ Lctr32_enc8x_two:
stvx_u $out0,$x00,$out
stvx_u $out1,$x10,$out
addi $out,$out,0x20
- b Lcbc_dec8x_done
+ b Lctr32_enc8x_done
.align 5
Lctr32_enc8x_one:
diff -up openssl-1.1.1b/crypto/bio/b_addr.c.sync openssl-1.1.1b/crypto/bio/b_addr.c
--- openssl-1.1.1b/crypto/bio/b_addr.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bio/b_addr.c 2019-05-03 08:55:51.555406608 +0200
@@ -683,6 +683,12 @@ int BIO_lookup_ex(const char *host, cons
hints.ai_family = family;
hints.ai_socktype = socktype;
hints.ai_protocol = protocol;
+#ifdef AI_ADDRCONFIG
+#ifdef AF_UNSPEC
+ if (family == AF_UNSPEC)
+#endif
+ hints.ai_flags |= AI_ADDRCONFIG;
+#endif
if (lookup_type == BIO_LOOKUP_SERVER)
hints.ai_flags |= AI_PASSIVE;
diff -up openssl-1.1.1b/crypto/bio/bss_mem.c.sync openssl-1.1.1b/crypto/bio/bss_mem.c
--- openssl-1.1.1b/crypto/bio/bss_mem.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bio/bss_mem.c 2019-05-03 08:55:51.556406591 +0200
@@ -57,7 +57,12 @@ static const BIO_METHOD secmem_method =
NULL, /* mem_callback_ctrl */
};
-/* BIO memory stores buffer and read pointer */
+/*
+ * BIO memory stores buffer and read pointer
+ * however the roles are different for read only BIOs.
+ * In that case the readp just stores the original state
+ * to be used for reset.
+ */
typedef struct bio_buf_mem_st {
struct buf_mem_st *buf; /* allocated buffer */
struct buf_mem_st *readp; /* read pointer */
@@ -192,11 +197,14 @@ static int mem_read(BIO *b, char *out, i
BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
BUF_MEM *bm = bbm->readp;
+ if (b->flags & BIO_FLAGS_MEM_RDONLY)
+ bm = bbm->buf;
BIO_clear_retry_flags(b);
ret = (outl >= 0 && (size_t)outl > bm->length) ? (int)bm->length : outl;
if ((out != NULL) && (ret > 0)) {
memcpy(out, bm->data, ret);
bm->length -= ret;
+ bm->max -= ret;
bm->data += ret;
} else if (bm->length == 0) {
ret = b->num;
@@ -241,29 +249,36 @@ static long mem_ctrl(BIO *b, int cmd, lo
BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
BUF_MEM *bm;
+ if (b->flags & BIO_FLAGS_MEM_RDONLY)
+ bm = bbm->buf;
+ else
+ bm = bbm->readp;
+
switch (cmd) {
case BIO_CTRL_RESET:
bm = bbm->buf;
if (bm->data != NULL) {
- /* For read only case reset to the start again */
- if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & BIO_FLAGS_NONCLEAR_RST)) {
- bm->length = bm->max;
+ if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) {
+ if (b->flags & BIO_FLAGS_NONCLEAR_RST) {
+ bm->length = bm->max;
+ } else {
+ memset(bm->data, 0, bm->max);
+ bm->length = 0;
+ }
+ *bbm->readp = *bbm->buf;
} else {
- memset(bm->data, 0, bm->max);
- bm->length = 0;
+ /* For read only case just reset to the start again */
+ *bbm->buf = *bbm->readp;
}
- *bbm->readp = *bbm->buf;
}
break;
case BIO_CTRL_EOF:
- bm = bbm->readp;
ret = (long)(bm->length == 0);
break;
case BIO_C_SET_BUF_MEM_EOF_RETURN:
b->num = (int)num;
break;
case BIO_CTRL_INFO:
- bm = bbm->readp;
ret = (long)bm->length;
if (ptr != NULL) {
pptr = (char **)ptr;
@@ -278,8 +293,9 @@ static long mem_ctrl(BIO *b, int cmd, lo
break;
case BIO_C_GET_BUF_MEM_PTR:
if (ptr != NULL) {
- mem_buf_sync(b);
- bm = bbm->readp;
+ if (!(b->flags & BIO_FLAGS_MEM_RDONLY))
+ mem_buf_sync(b);
+ bm = bbm->buf;
pptr = (char **)ptr;
*pptr = (char *)bm;
}
@@ -294,7 +310,6 @@ static long mem_ctrl(BIO *b, int cmd, lo
ret = 0L;
break;
case BIO_CTRL_PENDING:
- bm = bbm->readp;
ret = (long)bm->length;
break;
case BIO_CTRL_DUP:
@@ -318,6 +333,8 @@ static int mem_gets(BIO *bp, char *buf,
BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)bp->ptr;
BUF_MEM *bm = bbm->readp;
+ if (bp->flags & BIO_FLAGS_MEM_RDONLY)
+ bm = bbm->buf;
BIO_clear_retry_flags(bp);
j = bm->length;
if ((size - 1) < j)
diff -up openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync openssl-1.1.1b/crypto/bn/asm/ppc.pl
--- openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bn/asm/ppc.pl 2019-05-03 08:55:51.530407037 +0200
@@ -258,6 +258,7 @@ $data=<<EOF;
# .text section
.machine "any"
+ .text
#
# NOTE: The following label name should be changed to
diff -up openssl-1.1.1b/crypto/bn/bn_ctx.c.sync openssl-1.1.1b/crypto/bn/bn_ctx.c
--- openssl-1.1.1b/crypto/bn/bn_ctx.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bn/bn_ctx.c 2019-05-03 08:55:51.524407140 +0200
@@ -194,6 +194,8 @@ void BN_CTX_start(BN_CTX *ctx)
void BN_CTX_end(BN_CTX *ctx)
{
+ if (ctx == NULL)
+ return;
CTXDBG_ENTRY("BN_CTX_end", ctx);
if (ctx->err_stack)
ctx->err_stack--;
diff -up openssl-1.1.1b/crypto/bn/bn_lib.c.sync openssl-1.1.1b/crypto/bn/bn_lib.c
--- openssl-1.1.1b/crypto/bn/bn_lib.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bn/bn_lib.c 2019-05-03 08:55:51.525407123 +0200
@@ -338,6 +338,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b)
void BN_clear(BIGNUM *a)
{
+ if (a == NULL)
+ return;
bn_check_top(a);
if (a->d != NULL)
OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax);
diff -up openssl-1.1.1b/crypto/bn/bn_prime.c.sync openssl-1.1.1b/crypto/bn/bn_prime.c
--- openssl-1.1.1b/crypto/bn/bn_prime.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bn/bn_prime.c 2019-05-03 08:55:51.525407123 +0200
@@ -135,8 +135,7 @@ int BN_generate_prime_ex(BIGNUM *ret, in
found = 1;
err:
OPENSSL_free(mods);
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
bn_check_top(ret);
return found;
diff -up openssl-1.1.1b/crypto/chacha/build.info.sync openssl-1.1.1b/crypto/chacha/build.info
--- openssl-1.1.1b/crypto/chacha/build.info.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/chacha/build.info 2019-05-03 08:55:51.538406900 +0200
@@ -9,6 +9,8 @@ GENERATE[chacha-armv4.S]=asm/chacha-armv
INCLUDE[chacha-armv4.o]=..
GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl $(PERLASM_SCHEME)
INCLUDE[chacha-armv8.o]=..
+GENERATE[chacha-s390x.S]=asm/chacha-s390x.pl $(PERLASM_SCHEME)
+INCLUDE[chacha-s390x.o]=..
BEGINRAW[Makefile(unix)]
##### CHACHA assembler implementations
diff -up openssl-1.1.1b/crypto/conf/conf_sap.c.sync openssl-1.1.1b/crypto/conf/conf_sap.c
--- openssl-1.1.1b/crypto/conf/conf_sap.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/conf/conf_sap.c 2019-05-03 08:55:51.550406694 +0200
@@ -35,6 +35,7 @@ void OPENSSL_config(const char *appname)
memset(&settings, 0, sizeof(settings));
if (appname != NULL)
settings.appname = strdup(appname);
+ settings.flags = DEFAULT_CONF_MFLAGS;
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings);
}
#endif
diff -up openssl-1.1.1b/crypto/dh/dh_check.c.sync openssl-1.1.1b/crypto/dh/dh_check.c
--- openssl-1.1.1b/crypto/dh/dh_check.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/dh/dh_check.c 2019-05-03 08:55:51.525407123 +0200
@@ -58,10 +58,8 @@ int DH_check_params(const DH *dh, int *r
ok = 1;
err:
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
return ok;
}
@@ -171,10 +169,8 @@ int DH_check(const DH *dh, int *ret)
}
ok = 1;
err:
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
return ok;
}
@@ -225,9 +221,7 @@ int DH_check_pub_key(const DH *dh, const
ok = 1;
err:
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
return ok;
}
diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.sync openssl-1.1.1b/crypto/dh/dh_gen.c
--- openssl-1.1.1b/crypto/dh/dh_gen.c.sync 2019-05-03 08:55:45.170516224 +0200
+++ openssl-1.1.1b/crypto/dh/dh_gen.c 2019-05-03 08:55:51.525407123 +0200
@@ -144,9 +144,7 @@ static int dh_builtin_genparams(DH *ret,
ok = 0;
}
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
return ok;
}
diff -up openssl-1.1.1b/crypto/dh/dh_key.c.sync openssl-1.1.1b/crypto/dh/dh_key.c
--- openssl-1.1.1b/crypto/dh/dh_key.c.sync 2019-05-03 08:55:45.170516224 +0200
+++ openssl-1.1.1b/crypto/dh/dh_key.c 2019-05-03 08:55:51.526407106 +0200
@@ -237,10 +237,8 @@ static int compute_key(unsigned char *ke
ret = BN_bn2bin(tmp, key);
err:
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
return ret;
}
diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync openssl-1.1.1b/crypto/dsa/dsa_gen.c
--- openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync 2019-05-03 08:55:45.171516207 +0200
+++ openssl-1.1.1b/crypto/dsa/dsa_gen.c 2019-05-03 08:55:51.526407106 +0200
@@ -308,8 +308,7 @@ int dsa_builtin_paramgen(DSA *ret, size_
if (seed_out)
memcpy(seed_out, seed, qsize);
}
- if (ctx)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
BN_MONT_CTX_free(mont);
return ok;
@@ -641,8 +640,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
OPENSSL_free(seed);
if (seed_out != seed_tmp)
OPENSSL_free(seed_tmp);
- if (ctx)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
BN_MONT_CTX_free(mont);
EVP_MD_CTX_free(mctx);
diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync openssl-1.1.1b/crypto/ec/ecdh_ossl.c
--- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync 2019-05-03 08:55:45.171516207 +0200
+++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-05-03 08:55:51.556406591 +0200
@@ -123,7 +123,7 @@ int ecdh_simple_compute_key(unsigned cha
ret = 1;
err:
- EC_POINT_free(tmp);
+ EC_POINT_clear_free(tmp);
if (ctx)
BN_CTX_end(ctx);
BN_CTX_free(ctx);
diff -up openssl-1.1.1b/crypto/ec/ec_lib.c.sync openssl-1.1.1b/crypto/ec/ec_lib.c
--- openssl-1.1.1b/crypto/ec/ec_lib.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/ec/ec_lib.c 2019-05-03 08:55:51.527407088 +0200
@@ -1074,8 +1074,7 @@ static int ec_field_inverse_mod_ord(cons
ret = 1;
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
diff -up openssl-1.1.1b/crypto/ec/ec_mult.c.sync openssl-1.1.1b/crypto/ec/ec_mult.c
--- openssl-1.1.1b/crypto/ec/ec_mult.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/ec/ec_mult.c 2019-05-03 08:55:51.540406865 +0200
@@ -378,7 +378,7 @@ int ec_scalar_mul_ladder(const EC_GROUP
err:
EC_POINT_free(p);
- EC_POINT_free(s);
+ EC_POINT_clear_free(s);
BN_CTX_end(ctx);
return ret;
@@ -441,7 +441,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E
* scalar multiplication implementation based on a Montgomery ladder,
* with various timing attack defenses.
*/
- if ((scalar != NULL) && (num == 0)) {
+ if ((scalar != group->order) && (scalar != NULL) && (num == 0)) {
/*-
* In this case we want to compute scalar * GeneratorPoint: this
* codepath is reached most prominently by (ephemeral) key
@@ -452,7 +452,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E
*/
return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx);
}
- if ((scalar == NULL) && (num == 1)) {
+ if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) {
/*-
* In this case we want to compute scalar * VariablePoint: this
* codepath is reached most prominently by the second half of ECDH,
@@ -948,8 +948,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *gr
ret = 1;
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
EC_ec_pre_comp_free(pre_comp);
if (points) {
diff -up openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync openssl-1.1.1b/crypto/ec/ecp_nistp521.c
--- openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/ec/ecp_nistp521.c 2019-05-03 08:55:51.532407003 +0200
@@ -357,10 +357,15 @@ static void felem_diff64(felem out, cons
static void felem_diff_128_64(largefelem out, const felem in)
{
/*
- * In order to prevent underflow, we add 0 mod p before subtracting.
+ * In order to prevent underflow, we add 64p mod p (which is equivalent
+ * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521
+ * digit number with all bits set to 1. See "The representation of field
+ * elements" comment above for a description of how limbs are used to
+ * represent a number. 64p is represented with 8 limbs containing a number
+ * with 58 bits set and one limb with a number with 57 bits set.
*/
- static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5);
- static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4);
+ static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6);
+ static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5);
out[0] += two63m6 - in[0];
out[1] += two63m5 - in[1];
diff -up openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync openssl-1.1.1b/crypto/ec/ecp_nistz256.c
--- openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/ec/ecp_nistz256.c 2019-05-03 08:55:51.528407071 +0200
@@ -888,8 +888,7 @@ __owur static int ecp_nistz256_mult_prec
ret = 1;
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
EC_nistz256_pre_comp_free(pre_comp);
diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync openssl-1.1.1b/crypto/ec/ecp_smpl.c
--- openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync 2019-05-03 08:55:45.152516533 +0200
+++ openssl-1.1.1b/crypto/ec/ecp_smpl.c 2019-05-03 08:55:51.528407071 +0200
@@ -312,8 +312,7 @@ int ec_GFp_simple_group_check_discrimina
ret = 1;
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
@@ -792,8 +791,7 @@ int ec_GFp_simple_add(const EC_GROUP *gr
ret = 1;
end:
- if (ctx) /* otherwise we already called BN_CTX_end */
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
diff -up openssl-1.1.1b/crypto/err/err.c.sync openssl-1.1.1b/crypto/err/err.c
--- openssl-1.1.1b/crypto/err/err.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/err/err.c 2019-05-03 08:55:51.548406728 +0200
@@ -523,8 +523,24 @@ static unsigned long get_error_values(in
return ERR_R_INTERNAL_ERROR;
}
+ while (es->bottom != es->top) {
+ if (es->err_flags[es->top] & ERR_FLAG_CLEAR) {
+ err_clear(es, es->top);
+ es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1;
+ continue;
+ }
+ i = (es->bottom + 1) % ERR_NUM_ERRORS;
+ if (es->err_flags[i] & ERR_FLAG_CLEAR) {
+ es->bottom = i;
+ err_clear(es, es->bottom);
+ continue;
+ }
+ break;
+ }
+
if (es->bottom == es->top)
return 0;
+
if (top)
i = es->top; /* last error */
else
@@ -913,25 +929,6 @@ int ERR_clear_last_mark(void)
return 1;
}
-#ifdef UINTPTR_T
-# undef UINTPTR_T
-#endif
-/*
- * uintptr_t is the answer, but unfortunately C89, current "least common
- * denominator" doesn't define it. Most legacy platforms typedef it anyway,
- * so that attempt to fill the gaps means that one would have to identify
- * that track these gaps, which would be undesirable. Macro it is...
- */
-#if defined(__VMS) && __INITIAL_POINTER_SIZE==64
-/*
- * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
- * even in 64-bit builds, which means that it won't work as mask.
- */
-# define UINTPTR_T unsigned long long
-#else
-# define UINTPTR_T size_t
-#endif
-
void err_clear_last_constant_time(int clear)
{
ERR_STATE *es;
@@ -943,11 +940,11 @@ void err_clear_last_constant_time(int cl
top = es->top;
- es->err_flags[top] &= ~(0 - clear);
- es->err_buffer[top] &= ~(0UL - clear);
- es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
- ~((UINTPTR_T)0 - clear));
- es->err_line[top] |= 0 - clear;
-
- es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+ /*
+ * Flag error as cleared but remove it elsewhere to avoid two errors
+ * accessing the same error stack location, revealing timing information.
+ */
+ clear = constant_time_select_int(constant_time_eq_int(clear, 0),
+ 0, ERR_FLAG_CLEAR);
+ es->err_flags[top] |= clear;
}
diff -up openssl-1.1.1b/crypto/evp/digest.c.sync openssl-1.1.1b/crypto/evp/digest.c
--- openssl-1.1.1b/crypto/evp/digest.c.sync 2019-05-03 08:55:51.553406642 +0200
+++ openssl-1.1.1b/crypto/evp/digest.c 2019-05-03 08:56:40.800561168 +0200
@@ -171,6 +171,9 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, co
#ifdef OPENSSL_FIPS
FIPS_selftest_check();
#endif
+ if (count == 0)
+ return 1;
+
return ctx->update(ctx, data, count);
}
diff -up openssl-1.1.1b/crypto/evp/e_aria.c.sync openssl-1.1.1b/crypto/evp/e_aria.c
--- openssl-1.1.1b/crypto/evp/e_aria.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/evp/e_aria.c 2019-05-03 08:55:51.545406779 +0200
@@ -486,6 +486,16 @@ static int aria_gcm_cipher(EVP_CIPHER_CT
return 0;
}
+static int aria_gcm_cleanup(EVP_CIPHER_CTX *ctx)
+{
+ EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, ctx);
+
+ if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(ctx))
+ OPENSSL_free(gctx->iv);
+
+ return 1;
+}
+
static int aria_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
@@ -727,6 +737,8 @@ static int aria_ccm_cipher(EVP_CIPHER_CT
}
}
+#define aria_ccm_cleanup NULL
+
#define ARIA_AUTH_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
@@ -739,7 +751,7 @@ static const EVP_CIPHER aria_##keylen##_
ARIA_AUTH_FLAGS|EVP_CIPH_##MODE##_MODE, \
aria_##mode##_init_key, \
aria_##mode##_cipher, \
- NULL, \
+ aria_##mode##_cleanup, \
sizeof(EVP_ARIA_##MODE##_CTX), \
NULL,NULL,aria_##mode##_ctrl,NULL }; \
const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \
diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c
--- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync 2019-05-03 08:55:45.216515434 +0200
+++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-05-03 08:55:51.551406676 +0200
@@ -30,6 +30,8 @@ typedef struct {
#define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
+#define CHACHA20_POLY1305_MAX_IVLEN 12
+
static int chacha_init_key(EVP_CIPHER_CTX *ctx,
const unsigned char user_key[CHACHA_KEY_SIZE],
const unsigned char iv[CHACHA_CTR_SIZE], int enc)
@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CI
return 1;
case EVP_CTRL_AEAD_SET_IVLEN:
- if (arg <= 0 || arg > CHACHA_CTR_SIZE)
+ if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
return 0;
actx->nonce_len = arg;
return 1;
diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.sync openssl-1.1.1b/crypto/evp/evp_enc.c
--- openssl-1.1.1b/crypto/evp/evp_enc.c.sync 2019-05-03 08:55:45.174516155 +0200
+++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-05-03 08:55:51.544406797 +0200
@@ -338,6 +338,11 @@ static int evp_EncryptDecryptUpdate(EVP_
bl = ctx->cipher->block_size;
+ if (inl <= 0) {
+ *outl = 0;
+ return inl == 0;
+ }
+
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
/* If block size > 1 then the cipher will have to do this check */
if (bl == 1 && is_partially_overlapping(out, in, cmpl)) {
@@ -353,10 +358,6 @@ static int evp_EncryptDecryptUpdate(EVP_
return 1;
}
- if (inl <= 0) {
- *outl = 0;
- return inl == 0;
- }
if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
return 0;
@@ -490,6 +491,11 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
cmpl = (cmpl + 7) / 8;
+ if (inl <= 0) {
+ *outl = 0;
+ return inl == 0;
+ }
+
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
if (b == 1 && is_partially_overlapping(out, in, cmpl)) {
EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
@@ -505,11 +511,6 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
return 1;
}
- if (inl <= 0) {
- *outl = 0;
- return inl == 0;
- }
-
if (ctx->flags & EVP_CIPH_NO_PADDING)
return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
diff -up openssl-1.1.1b/crypto/hmac/hmac.c.sync openssl-1.1.1b/crypto/hmac/hmac.c
--- openssl-1.1.1b/crypto/hmac/hmac.c.sync 2019-05-03 08:55:45.189515898 +0200
+++ openssl-1.1.1b/crypto/hmac/hmac.c 2019-05-03 08:55:51.538406900 +0200
@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
return 0;
}
+ /*
+ * The HMAC construction is not allowed to be used with the
+ * extendable-output functions (XOF) shake128 and shake256.
+ */
+ if ((EVP_MD_meth_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
+ return 0;
+
if (key != NULL) {
#ifdef OPENSSL_FIPS
if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS)
diff -up openssl-1.1.1b/crypto/init.c.sync openssl-1.1.1b/crypto/init.c
--- openssl-1.1.1b/crypto/init.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/init.c 2019-05-03 08:55:51.550406694 +0200
@@ -702,7 +702,7 @@ int OPENSSL_init_crypto(uint64_t opts, c
ret = RUN_ONCE(&config, ossl_init_config);
conf_settings = NULL;
CRYPTO_THREAD_unlock(init_lock);
- if (!ret)
+ if (ret <= 0)
return 0;
}
diff -up openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl
--- openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl 2019-05-03 08:55:51.534406969 +0200
@@ -1155,6 +1155,7 @@ ___
} else {
$code.=<<___;
jmp .L_init_clmul
+.cfi_endproc
.size gcm_init_avx,.-gcm_init_avx
___
}
@@ -1594,6 +1595,7 @@ ___
} else {
$code.=<<___;
jmp .L_ghash_clmul
+.cfi_endproc
.size gcm_ghash_avx,.-gcm_ghash_avx
___
}
diff -up openssl-1.1.1b/crypto/modes/ccm128.c.sync openssl-1.1.1b/crypto/modes/ccm128.c
--- openssl-1.1.1b/crypto/modes/ccm128.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/modes/ccm128.c 2019-05-03 08:55:51.543406814 +0200
@@ -425,7 +425,7 @@ size_t CRYPTO_ccm128_tag(CCM128_CONTEXT
M *= 2;
M += 2;
- if (len < M)
+ if (len != M)
return 0;
memcpy(tag, ctx->cmac.c, M);
return M;
diff -up openssl-1.1.1b/crypto/o_str.c.sync openssl-1.1.1b/crypto/o_str.c
--- openssl-1.1.1b/crypto/o_str.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/o_str.c 2019-05-03 08:55:51.550406694 +0200
@@ -223,7 +223,26 @@ int openssl_strerror_r(int errnum, char
#if defined(_MSC_VER) && _MSC_VER>=1400
return !strerror_s(buf, buflen, errnum);
#elif defined(_GNU_SOURCE)
- return strerror_r(errnum, buf, buflen) != NULL;
+ char *err;
+
+ /*
+ * GNU strerror_r may not actually set buf.
+ * It can return a pointer to some (immutable) static string in which case
+ * buf is left unused.
+ */
+ err = strerror_r(errnum, buf, buflen);
+ if (err == NULL)
+ return 0;
+ /*
+ * If err is statically allocated, err != buf and we need to copy the data.
+ * If err points somewhere inside buf, OPENSSL_strlcpy can handle this,
+ * since src and dest are not annotated with __restrict and the function
+ * reads src byte for byte and writes to dest.
+ * If err == buf we do not have to copy anything.
+ */
+ if (err != buf)
+ OPENSSL_strlcpy(buf, err, buflen);
+ return 1;
#elif (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) || \
(defined(_XOPEN_SOURCE) && _XOPEN_SOURCE >= 600)
/*
@@ -234,6 +253,7 @@ int openssl_strerror_r(int errnum, char
return !strerror_r(errnum, buf, buflen);
#else
char *err;
+
/* Fall back to non-thread safe strerror()...its all we can do */
if (buflen < 2)
return 0;
@@ -241,8 +261,7 @@ int openssl_strerror_r(int errnum, char
/* Can this ever happen? */
if (err == NULL)
return 0;
- strncpy(buf, err, buflen - 1);
- buf[buflen - 1] = '\0';
+ OPENSSL_strlcpy(buf, err, buflen);
return 1;
#endif
}
diff -up openssl-1.1.1b/crypto/poly1305/build.info.sync openssl-1.1.1b/crypto/poly1305/build.info
--- openssl-1.1.1b/crypto/poly1305/build.info.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/poly1305/build.info 2019-05-03 08:55:51.538406900 +0200
@@ -17,6 +17,7 @@ GENERATE[poly1305-armv8.S]=asm/poly1305-
INCLUDE[poly1305-armv8.o]=..
GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME)
INCLUDE[poly1305-mips.o]=..
+GENERATE[poly1305-s390x.S]=asm/poly1305-s390x.pl $(PERLASM_SCHEME)
BEGINRAW[Makefile(unix)]
{- $builddir -}/poly1305-%.S: {- $sourcedir -}/asm/poly1305-%.pl
diff -up openssl-1.1.1b/crypto/rc4/build.info.sync openssl-1.1.1b/crypto/rc4/build.info
--- openssl-1.1.1b/crypto/rc4/build.info.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rc4/build.info 2019-05-03 08:55:51.538406900 +0200
@@ -11,6 +11,8 @@ GENERATE[rc4-md5-x86_64.s]=asm/rc4-md5-x
GENERATE[rc4-parisc.s]=asm/rc4-parisc.pl $(PERLASM_SCHEME)
+GENERATE[rc4-s390x.s]=asm/rc4-s390x.pl $(PERLASM_SCHEME)
+
BEGINRAW[Makefile]
# GNU make "catch all"
{- $builddir -}/rc4-%.s: {- $sourcedir -}/asm/rc4-%.pl
diff -up openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync openssl-1.1.1b/crypto/rsa/rsa_ameth.c
--- openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_ameth.c 2019-05-03 08:55:51.533406986 +0200
@@ -583,10 +583,12 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EV
return NULL;
if (saltlen == -1) {
saltlen = EVP_MD_size(sigmd);
- } else if (saltlen == -2) {
+ } else if (saltlen == -2 || saltlen == -3) {
saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
if ((EVP_PKEY_bits(pk) & 0x7) == 1)
saltlen--;
+ if (saltlen < 0)
+ return NULL;
}
return rsa_pss_params_create(sigmd, mgf1md, saltlen);
diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync openssl-1.1.1b/crypto/rsa/rsa_gen.c
--- openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync 2019-05-03 08:55:45.191515864 +0200
+++ openssl-1.1.1b/crypto/rsa/rsa_gen.c 2019-05-03 08:55:51.528407071 +0200
@@ -746,8 +746,7 @@ static int rsa_builtin_keygen(RSA *rsa,
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
ok = 0;
}
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ok;
}
diff -up openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync openssl-1.1.1b/crypto/rsa/rsa_oaep.c
--- openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_oaep.c 2019-05-03 08:55:51.549406711 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
* |num| is the length of the modulus; |flen| is the length of the
* encoded message. Therefore, for any |from| that was obtained by
* decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
- * num < 2 * mdlen + 2 must hold for the modulus irrespective of
+ * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of
* the ciphertext, see PKCS #1 v2.2, section 7.1.2.
* This does not leak any side-channel information.
*/
@@ -179,17 +179,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
from -= 1 & mask;
*--em = *from & mask;
}
- from = em;
/*
* The first byte must be zero, however we must not leak if this is
* true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
* Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
*/
- good = constant_time_is_zero(from[0]);
+ good = constant_time_is_zero(em[0]);
- maskedseed = from + 1;
- maskeddb = from + 1 + mdlen;
+ maskedseed = em + 1;
+ maskeddb = em + 1 + mdlen;
if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
goto cleanup;
@@ -230,29 +229,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
mlen = dblen - msg_index;
/*
- * For good measure, do this check in constant tine as well.
+ * For good measure, do this check in constant time as well.
*/
good &= constant_time_ge(tlen, mlen);
/*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
*/
- tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
- msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
- mlen = dblen - msg_index;
- for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
- unsigned int equals = constant_time_eq(i, mlen);
-
- from -= dblen & equals; /* if (i == dblen) rewind */
- mask &= mask ^ equals; /* if (i == dblen) mask = 0 */
- to[i] = constant_time_select_8(mask, from[i], to[i]);
+ tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
+ dblen - mdlen - 1, tlen);
+ for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
+ mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
+ for (i = mdlen + 1; i < dblen - msg_index; i++)
+ db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
+ }
+ for (i = 0; i < tlen; i++) {
+ mask = good & constant_time_lt(i, mlen);
+ to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
}
/*
diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ossl.c
--- openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync 2019-05-03 08:55:45.191515864 +0200
+++ openssl-1.1.1b/crypto/rsa/rsa_ossl.c 2019-05-03 08:55:51.548406728 +0200
@@ -174,8 +174,7 @@ static int rsa_ossl_public_encrypt(int f
*/
r = BN_bn2binpad(ret, to, num);
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
@@ -396,8 +395,7 @@ static int rsa_ossl_private_encrypt(int
*/
r = BN_bn2binpad(res, to, num);
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
@@ -539,11 +537,10 @@ static int rsa_ossl_private_decrypt(int
goto err;
}
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
- err_clear_last_constant_time(r >= 0);
+ err_clear_last_constant_time(1 & ~constant_time_msb(r));
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
@@ -655,8 +652,7 @@ static int rsa_ossl_public_decrypt(int f
RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
err:
- if (ctx != NULL)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
diff -up openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync openssl-1.1.1b/crypto/rsa/rsa_pk1.c
--- openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_pk1.c 2019-05-03 08:55:51.549406711 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -192,15 +192,14 @@ int RSA_padding_check_PKCS1_type_2(unsig
from -= 1 & mask;
*--em = *from & mask;
}
- from = em;
- good = constant_time_is_zero(from[0]);
- good &= constant_time_eq(from[1], 2);
+ good = constant_time_is_zero(em[0]);
+ good &= constant_time_eq(em[1], 2);
/* scan over padding data */
found_zero_byte = 0;
for (i = 2; i < num; i++) {
- unsigned int equals0 = constant_time_is_zero(from[i]);
+ unsigned int equals0 = constant_time_is_zero(em[i]);
zero_index = constant_time_select_int(~found_zero_byte & equals0,
i, zero_index);
@@ -208,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsig
}
/*
- * PS must be at least 8 bytes long, and it starts two bytes into |from|.
+ * PS must be at least 8 bytes long, and it starts two bytes into |em|.
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
@@ -227,24 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsig
good &= constant_time_ge(tlen, mlen);
/*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
- */
- tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
- msg_index = constant_time_select_int(good, msg_index, num - tlen);
- mlen = num - msg_index;
- for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
- unsigned int equals = constant_time_eq(i, mlen);
-
- from -= tlen & equals; /* if (i == mlen) rewind */
- mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
- to[i] = constant_time_select_8(mask, from[i], to[i]);
+ * Move the result in-place by |num|-11-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |em|+11 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
+ */
+ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
+ num - 11, tlen);
+ for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) {
+ mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0);
+ for (i = 11; i < num - msg_index; i++)
+ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
+ }
+ for (i = 0; i < tlen; i++) {
+ mask = good & constant_time_lt(i, mlen);
+ to[i] = constant_time_select_8(mask, em[i + 11], to[i]);
}
OPENSSL_clear_free(em, num);
diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync openssl-1.1.1b/crypto/rsa/rsa_pmeth.c
--- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-03 08:55:51.543406814 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
+#include "internal/constant_time_locl.h"
+
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
@@ -340,10 +342,9 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX
ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
rctx->pad_mode);
}
- if (ret < 0)
- return ret;
- *outlen = ret;
- return 1;
+ *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
+ ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
+ return ret;
}
static int check_padding_md(const EVP_MD *md, int padding)
diff -up openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ssl.c
--- openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_ssl.c 2019-05-03 08:55:51.550406694 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -55,7 +55,7 @@ int RSA_padding_add_SSLv23(unsigned char
/*
* Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
- * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
+ * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
* preserves error code reporting for backward compatibility.
*/
int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
@@ -67,7 +67,10 @@ int RSA_padding_check_SSLv23(unsigned ch
unsigned int good, found_zero_byte, mask, threes_in_row;
int zero_index = 0, msg_index, mlen = -1, err;
- if (flen < 10) {
+ if (tlen <= 0 || flen <= 0)
+ return -1;
+
+ if (flen > num || num < 11) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
return -1;
}
@@ -89,10 +92,9 @@ int RSA_padding_check_SSLv23(unsigned ch
from -= 1 & mask;
*--em = *from & mask;
}
- from = em;
- good = constant_time_is_zero(from[0]);
- good &= constant_time_eq(from[1], 2);
+ good = constant_time_is_zero(em[0]);
+ good &= constant_time_eq(em[1], 2);
err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
mask = ~good;
@@ -100,18 +102,18 @@ int RSA_padding_check_SSLv23(unsigned ch
found_zero_byte = 0;
threes_in_row = 0;
for (i = 2; i < num; i++) {
- unsigned int equals0 = constant_time_is_zero(from[i]);
+ unsigned int equals0 = constant_time_is_zero(em[i]);
zero_index = constant_time_select_int(~found_zero_byte & equals0,
i, zero_index);
found_zero_byte |= equals0;
threes_in_row += 1 & ~found_zero_byte;
- threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3);
+ threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3);
}
/*
- * PS must be at least 8 bytes long, and it starts two bytes into |from|.
+ * PS must be at least 8 bytes long, and it starts two bytes into |em|.
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
@@ -120,7 +122,7 @@ int RSA_padding_check_SSLv23(unsigned ch
RSA_R_NULL_BEFORE_BLOCK_MISSING);
mask = ~good;
- good &= constant_time_lt(threes_in_row, 8);
+ good &= constant_time_ge(threes_in_row, 8);
err = constant_time_select_int(mask | good, err,
RSA_R_SSLV3_ROLLBACK_ATTACK);
mask = ~good;
@@ -139,24 +141,25 @@ int RSA_padding_check_SSLv23(unsigned ch
err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE);
/*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |num|-11-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |em|+11 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
*/
- tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
- msg_index = constant_time_select_int(good, msg_index, num - tlen);
- mlen = num - msg_index;
- for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
- unsigned int equals = constant_time_eq(i, mlen);
-
- from -= tlen & equals; /* if (i == mlen) rewind */
- mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
- to[i] = constant_time_select_8(mask, from[i], to[i]);
+ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
+ num - 11, tlen);
+ for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) {
+ mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0);
+ for (i = 11; i < num - msg_index; i++)
+ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
+ }
+ for (i = 0; i < tlen; i++) {
+ mask = good & constant_time_lt(i, mlen);
+ to[i] = constant_time_select_8(mask, em[i + 11], to[i]);
}
OPENSSL_clear_free(em, num);
diff -up openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync openssl-1.1.1b/crypto/rsa/rsa_x931g.c
--- openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_x931g.c 2019-05-03 08:55:51.530407037 +0200
@@ -133,8 +133,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM
ret = 1;
err:
- if (ctx)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
BN_CTX_free(ctx2);
@@ -188,8 +187,7 @@ int RSA_X931_generate_key_ex(RSA *rsa, i
ok = 1;
error:
- if (ctx)
- BN_CTX_end(ctx);
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (ok)
diff -up openssl-1.1.1b/crypto/x509/x509_lu.c.sync openssl-1.1.1b/crypto/x509/x509_lu.c
--- openssl-1.1.1b/crypto/x509/x509_lu.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/x509/x509_lu.c 2019-05-03 08:55:51.546406762 +0200
@@ -297,6 +297,9 @@ int X509_STORE_CTX_get_by_subject(X509_S
if (ctx == NULL)
return 0;
+ stmp.type = X509_LU_NONE;
+ stmp.data.ptr = NULL;
+
CRYPTO_THREAD_write_lock(ctx->lock);
tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
CRYPTO_THREAD_unlock(ctx->lock);
diff -up openssl-1.1.1b/doc/man1/pkeyutl.pod.sync openssl-1.1.1b/doc/man1/pkeyutl.pod
--- openssl-1.1.1b/doc/man1/pkeyutl.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man1/pkeyutl.pod 2019-05-03 08:55:51.555406608 +0200
@@ -272,20 +272,19 @@ value less than the minimum restriction.
=head1 DSA ALGORITHM
The DSA algorithm supports signing and verification operations only. Currently
-there are no additional options other than B<digest>. Only the SHA1
-digest can be used and this digest is assumed by default.
+there are no additional B<-pkeyopt> options other than B<digest>. The SHA1
+digest is assumed by default.
=head1 DH ALGORITHM
The DH algorithm only supports the derivation operation and no additional
-options.
+B<-pkeyopt> options.
=head1 EC ALGORITHM
The EC algorithm supports sign, verify and derive operations. The sign and
-verify operations use ECDSA and derive uses ECDH. Currently there are no
-additional options other than B<digest>. Only the SHA1 digest can be used and
-this digest is assumed by default.
+verify operations use ECDSA and derive uses ECDH. SHA1 is assumed by default for
+the B<-pkeyopt> B<digest> option.
=head1 X25519 and X448 ALGORITHMS
diff -up openssl-1.1.1b/doc/man1/ts.pod.sync openssl-1.1.1b/doc/man1/ts.pod
--- openssl-1.1.1b/doc/man1/ts.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man1/ts.pod 2019-05-03 08:55:51.554406625 +0200
@@ -262,7 +262,7 @@ specified, the argument is given to the
=item B<-I<digest>>
Signing digest to use. Overrides the B<signer_digest> config file
-option. (Optional)
+option. (Mandatory unless specified in the config file)
=item B<-chain> certs_file.pem
@@ -460,7 +460,8 @@ command line option. (Optional)
=item B<signer_digest>
Signing digest to use. The same as the
-B<-I<digest>> command line option. (Optional)
+B<-I<digest>> command line option. (Mandatory unless specified on the command
+line)
=item B<default_policy>
diff -up openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync openssl-1.1.1b/doc/man3/BIO_s_mem.pod
--- openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/BIO_s_mem.pod 2019-05-03 08:55:51.556406591 +0200
@@ -88,6 +88,22 @@ a buffering BIO to the chain will speed
Calling BIO_set_mem_buf() on a BIO created with BIO_new_secmem() will
give undefined results, including perhaps a program crash.
+Switching the memory BIO from read write to read only is not supported and
+can give undefined results including a program crash. There are two notable
+exceptions to the rule. The first one is to assign a static memory buffer
+immediately after BIO creation and set the BIO as read only.
+
+The other supported sequence is to start with read write BIO then temporarily
+switch it to read only and call BIO_reset() on the read only BIO immediately
+before switching it back to read write. Before the BIO is freed it must be
+switched back to the read write mode.
+
+Calling BIO_get_mem_ptr() on read only BIO will return a BUF_MEM that
+contains only the remaining data to be read. If the close status of the
+BIO is set to BIO_NOCLOSE, before freeing the BUF_MEM the data pointer
+in it must be set to NULL as the data pointer does not point to an
+allocated memory.
+
=head1 BUGS
There should be an option to set the maximum size of a memory BIO.
diff -up openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync openssl-1.1.1b/doc/man3/BN_CTX_start.pod
--- openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/BN_CTX_start.pod 2019-05-03 08:55:51.554406625 +0200
@@ -27,6 +27,7 @@ calls must be made before calling any ot
B<ctx> as an argument.
Finally, BN_CTX_end() must be called before returning from the function.
+If B<ctx> is NULL, nothing is done.
When BN_CTX_end() is called, the B<BIGNUM> pointers obtained from
BN_CTX_get() become invalid.
diff -up openssl-1.1.1b/doc/man3/BN_new.pod.sync openssl-1.1.1b/doc/man3/BN_new.pod
--- openssl-1.1.1b/doc/man3/BN_new.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/BN_new.pod 2019-05-03 08:55:51.554406625 +0200
@@ -27,6 +27,7 @@ OPENSSL_secure_malloc(3) is used to stor
BN_clear() is used to destroy sensitive data such as keys when they
are no longer needed. It erases the memory used by B<a> and sets it
to the value 0.
+If B<a> is NULL, nothing is done.
BN_free() frees the components of the B<BIGNUM>, and if it was created
by BN_new(), also the structure itself. BN_clear_free() additionally
diff -up openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync openssl-1.1.1b/doc/man3/EVP_chacha20.pod
--- openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/EVP_chacha20.pod 2019-05-03 08:55:51.536406934 +0200
@@ -21,7 +21,15 @@ The ChaCha20 stream cipher for EVP.
=item EVP_chacha20()
-The ChaCha20 stream cipher. The key length is 256 bits, the IV is 96 bits long.
+The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long.
+The first 32 bits consists of a counter in little-endian order followed by a 96
+bit nonce. For example a nonce of:
+
+000000000000000000000002
+
+With an initial counter of 42 (2a in hex) would be expressed as:
+
+2a000000000000000000000000000002
=item EVP_chacha20_poly1305()
diff -up openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod
--- openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod 2019-05-03 08:55:51.554406625 +0200
@@ -436,7 +436,9 @@ The following I<ctrl>s are supported for
Sets the nonce length. This call can only be made before specifying the nonce.
If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum
-nonce length is 16 (B<CHACHA_CTR_SIZE>, i.e. 128-bits).
+nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set
+then the nonce is automatically padded with leading 0 bytes to make it 12 bytes
+in length.
=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
diff -up openssl-1.1.1b/doc/man3/HMAC.pod.sync openssl-1.1.1b/doc/man3/HMAC.pod
--- openssl-1.1.1b/doc/man3/HMAC.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/HMAC.pod 2019-05-03 08:55:51.539406883 +0200
@@ -63,7 +63,9 @@ If B<md> is NULL, the digest is placed i
the output is placed in B<md_len>, unless it is B<NULL>. Note: passing a NULL
value for B<md> to use the static array is not thread safe.
-B<evp_md> can be EVP_sha1(), EVP_ripemd160() etc.
+B<evp_md> is a message digest such as EVP_sha1(), EVP_ripemd160() etc. HMAC does
+not support variable output length digests such as EVP_shake128() and
+EVP_shake256().
HMAC_CTX_new() creates a new HMAC_CTX in heap memory.
diff -up openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
--- openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod 2019-05-03 08:55:51.555406608 +0200
@@ -5,6 +5,7 @@
RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
+RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1,
RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption
padding
@@ -14,35 +15,46 @@ padding
#include <openssl/rsa.h>
int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- unsigned char *f, int fl);
+ const unsigned char *f, int fl);
int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
+ const unsigned char *f, int fl, int rsa_len);
int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
- unsigned char *f, int fl);
+ const unsigned char *f, int fl);
int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
+ const unsigned char *f, int fl, int rsa_len);
int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
- unsigned char *f, int fl, unsigned char *p, int pl);
+ const unsigned char *f, int fl,
+ const unsigned char *p, int pl);
int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len,
- unsigned char *p, int pl);
+ const unsigned char *f, int fl, int rsa_len,
+ const unsigned char *p, int pl);
+
+ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+ const unsigned char *f, int fl,
+ const unsigned char *p, int pl,
+ const EVP_MD *md, const EVP_MD *mgf1md);
+
+ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+ const unsigned char *f, int fl, int rsa_len,
+ const unsigned char *p, int pl,
+ const EVP_MD *md, const EVP_MD *mgf1md);
int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
- unsigned char *f, int fl);
+ const unsigned char *f, int fl);
int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
+ const unsigned char *f, int fl, int rsa_len);
int RSA_padding_add_none(unsigned char *to, int tlen,
- unsigned char *f, int fl);
+ const unsigned char *f, int fl);
int RSA_padding_check_none(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
+ const unsigned char *f, int fl, int rsa_len);
=head1 DESCRIPTION
@@ -98,6 +110,10 @@ at B<to>.
For RSA_padding_xxx_OAEP(), B<p> points to the encoding parameter
of length B<pl>. B<p> may be B<NULL> if B<pl> is 0.
+For RSA_padding_xxx_OAEP_mgf1(), B<md> points to the md hash,
+if B<md> is B<NULL> that means md=sha1, and B<mgf1md> points to
+the mgf1 hash, if B<mgf1md> is B<NULL> that means mgf1md=md.
+
=head1 RETURN VALUES
The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
@@ -107,15 +123,21 @@ L<ERR_get_error(3)>.
=head1 WARNING
-The RSA_padding_check_PKCS1_type_2() padding check leaks timing
+The result of RSA_padding_check_PKCS1_type_2() is a very sensitive
information which can potentially be used to mount a Bleichenbacher
padding oracle attack. This is an inherent weakness in the PKCS #1
-v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
-be recommended to pass zero-padded B<f>, so that B<fl> equals to
-B<rsa_len>, and if fixed by protocol, B<tlen> being set to the
-expected length. In such case leakage would be minimal, it would
-take attacker's ability to observe memory access pattern with byte
-granilarity as it occurs, post-factum timing analysis won't do.
+v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not
+possible, the result of RSA_padding_check_PKCS1_type_2() should be
+checked in constant time if it matches the expected length of the
+plaintext and additionally some application specific consistency
+checks on the plaintext need to be performed in constant time.
+If the plaintext is rejected it must be kept secret which of the
+checks caused the application to reject the message.
+Do not remove the zero-padding from the decrypted raw RSA data
+which was computed by RSA_private_decrypt() with B<RSA_NO_PADDING>,
+as this would create a small timing side channel which could be
+used to mount a Bleichenbacher attack against any padding mode
+including PKCS1_OAEP.
=head1 SEE ALSO
@@ -125,7 +147,7 @@ L<RSA_sign(3)>, L<RSA_verify(3)>
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -up openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod
--- openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod 2019-05-03 08:55:51.555406608 +0200
@@ -8,10 +8,10 @@ RSA_public_encrypt, RSA_private_decrypt
#include <openssl/rsa.h>
- int RSA_public_encrypt(int flen, unsigned char *from,
+ int RSA_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
- int RSA_private_decrypt(int flen, unsigned char *from,
+ int RSA_private_decrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
=head1 DESCRIPTION
@@ -27,6 +27,8 @@ B<padding> denotes one of the following
=item RSA_PKCS1_PADDING
PKCS #1 v1.5 padding. This currently is the most widely used mode.
+However, it is highly recommended to use RSA_PKCS1_OAEP_PADDING in
+new applications. SEE WARNING BELOW.
=item RSA_PKCS1_OAEP_PADDING
@@ -46,23 +48,35 @@ Encrypting user data directly with RSA i
=back
-B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
-based padding modes, less than RSA_size(B<rsa>) - 41 for
+B<flen> must not be more than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
+based padding modes, not more than RSA_size(B<rsa>) - 42 for
RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
-The random number generator must be seeded prior to calling
-RSA_public_encrypt().
+When a padding mode other than RSA_NO_PADDING is in use, then
+RSA_public_encrypt() will include some random bytes into the ciphertext
+and therefore the ciphertext will be different each time, even if the
+plaintext and the public key are exactly identical.
+The returned ciphertext in B<to> will always be zero padded to exactly
+RSA_size(B<rsa>) bytes.
+B<to> and B<from> may overlap.
RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
-private key B<rsa> and stores the plaintext in B<to>. B<to> must point
-to a memory section large enough to hold the decrypted data (which is
-smaller than RSA_size(B<rsa>)). B<padding> is the padding mode that
-was used to encrypt the data.
+private key B<rsa> and stores the plaintext in B<to>. B<flen> should
+be equal to RSA_size(B<rsa>) but may be smaller, when leading zero
+bytes are in the ciphertext. Those are not important and may be removed,
+but RSA_public_encrypt() does not do that. B<to> must point
+to a memory section large enough to hold the maximal possible decrypted
+data (which is equal to RSA_size(B<rsa>) for RSA_NO_PADDING,
+RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5 based padding modes and
+RSA_size(B<rsa>) - 42 for RSA_PKCS1_OAEP_PADDING).
+B<padding> is the padding mode that was used to encrypt the data.
+B<to> and B<from> may overlap.
=head1 RETURN VALUES
RSA_public_encrypt() returns the size of the encrypted data (i.e.,
RSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the
-recovered plaintext.
+recovered plaintext. A return value of 0 is not an error and
+means only that the plaintext was empty.
On error, -1 is returned; the error codes can be
obtained by L<ERR_get_error(3)>.
@@ -85,7 +99,7 @@ L<RSA_size(3)>
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -up openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod
--- openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod 2019-05-03 08:55:51.537406917 +0200
@@ -124,7 +124,10 @@ Textual representation of the cipher nam
=item <protocol version>
-Protocol version, such as B<TLSv1.2>, when the cipher was first defined.
+The minimum protocol version that the ciphersuite supports, such as B<TLSv1.2>.
+Note that this is not always the same as the protocol version in which the
+ciphersuite was first defined because some ciphersuites are backwards compatible
+with earlier protocol versions.
=item Kx=<key exchange>
diff -up openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod
--- openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod 2019-05-03 08:55:51.534406969 +0200
@@ -65,6 +65,8 @@ both required, and on success the caller
B<*out> using OPENSSL_free(). The contents of B<*out> is an array of integers
holding the numerical value of the TLS extension types in the order they appear
in the ClientHello. B<*outlen> contains the number of elements in the array.
+In situations when the ClientHello has no extensions, the function will return
+success with B<*out> set to NULL and B<*outlen> set to 0.
=head1 NOTES
diff -up openssl-1.1.1b/include/openssl/err.h.sync openssl-1.1.1b/include/openssl/err.h
--- openssl-1.1.1b/include/openssl/err.h.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/include/openssl/err.h 2019-05-03 08:55:51.548406728 +0200
@@ -37,6 +37,7 @@ extern "C" {
# define ERR_TXT_STRING 0x02
# define ERR_FLAG_MARK 0x01
+# define ERR_FLAG_CLEAR 0x02
# define ERR_NUM_ERRORS 16
typedef struct err_state_st {
diff -up openssl-1.1.1b/ssl/ssl_lib.c.sync openssl-1.1.1b/ssl/ssl_lib.c
--- openssl-1.1.1b/ssl/ssl_lib.c.sync 2019-05-03 08:55:45.196515778 +0200
+++ openssl-1.1.1b/ssl/ssl_lib.c 2019-05-03 08:55:51.535406951 +0200
@@ -5089,6 +5089,11 @@ int SSL_client_hello_get1_extensions_pre
if (ext->present)
num++;
}
+ if (num == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return 1;
+ }
if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) {
SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT,
ERR_R_MALLOC_FAILURE);
diff -up openssl-1.1.1b/ssl/ssl_locl.h.sync openssl-1.1.1b/ssl/ssl_locl.h
--- openssl-1.1.1b/ssl/ssl_locl.h.sync 2019-05-03 08:55:45.011518954 +0200
+++ openssl-1.1.1b/ssl/ssl_locl.h 2019-05-03 08:55:51.541406848 +0200
@@ -574,7 +574,6 @@ struct ssl_session_st {
/* Session lifetime hint in seconds */
unsigned long tick_lifetime_hint;
uint32_t tick_age_add;
- int tick_identity;
/* Max number of bytes that can be sent as early data */
uint32_t max_early_data;
/* The ALPN protocol selected for this session */
@@ -1356,6 +1355,13 @@ struct ssl_st {
* as this extension is optional on server side.
*/
uint8_t max_fragment_len_mode;
+
+ /*
+ * On the client side the number of ticket identities we sent in the
+ * ClientHello. On the server side the identity of the ticket we
+ * selected.
+ */
+ int tick_identity;
} ext;
/*
@@ -2052,9 +2058,6 @@ typedef enum downgrade_en {
#define TLSEXT_KEX_MODE_FLAG_KE 1
#define TLSEXT_KEX_MODE_FLAG_KE_DHE 2
-/* An invalid index into the TLSv1.3 PSK identities */
-#define TLSEXT_PSK_BAD_IDENTITY -1
-
#define SSL_USE_PSS(s) (s->s3->tmp.peer_sigalg != NULL && \
s->s3->tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS)
diff -up openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync openssl-1.1.1b/ssl/statem/extensions_clnt.c
--- openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/ssl/statem/extensions_clnt.c 2019-05-03 08:55:51.542406831 +0200
@@ -993,7 +993,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
int dores = 0;
- s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
+ s->ext.tick_identity = 0;
/*
* Note: At this stage of the code we only support adding a single
@@ -1083,6 +1083,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
agems += s->session->ext.tick_age_add;
reshashsize = EVP_MD_size(mdres);
+ s->ext.tick_identity++;
dores = 1;
}
@@ -1142,6 +1143,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
}
+ s->ext.tick_identity++;
}
if (!WPACKET_close(pkt)
@@ -1180,11 +1182,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
return EXT_RETURN_FAIL;
}
- if (dores)
- s->session->ext.tick_identity = 0;
- if (s->psksession != NULL)
- s->psksession->ext.tick_identity = (dores ? 1 : 0);
-
return EXT_RETURN_SENT;
#else
return EXT_RETURN_NOT_SENT;
@@ -1927,8 +1924,7 @@ int tls_parse_stoc_early_data(SSL *s, PA
}
if (!s->ext.early_data_ok
- || !s->hit
- || s->session->ext.tick_identity != 0) {
+ || !s->hit) {
/*
* If we get here then we didn't send early data, or we didn't resume
* using the first identity, or the SNI/ALPN is not consistent so the
@@ -1956,17 +1952,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
return 0;
}
- if (s->session->ext.tick_identity == (int)identity) {
+ if (identity >= (unsigned int)s->ext.tick_identity) {
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
+ SSL_R_BAD_PSK_IDENTITY);
+ return 0;
+ }
+
+ /*
+ * Session resumption tickets are always sent before PSK tickets. If the
+ * ticket index is 0 then it must be for a session resumption ticket if we
+ * sent two tickets, or if we didn't send a PSK ticket.
+ */
+ if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
s->hit = 1;
SSL_SESSION_free(s->psksession);
s->psksession = NULL;
return 1;
}
- if (s->psksession == NULL
- || s->psksession->ext.tick_identity != (int)identity) {
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
- SSL_R_BAD_PSK_IDENTITY);
+ if (s->psksession == NULL) {
+ /* Should never happen */
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
+ ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -1985,6 +1992,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
s->session = s->psksession;
s->psksession = NULL;
s->hit = 1;
+ /* Early data is only allowed if we used the first ticket */
+ if (identity != 0)
+ s->ext.early_data_ok = 0;
#endif
return 1;
diff -up openssl-1.1.1b/ssl/statem/extensions.c.sync openssl-1.1.1b/ssl/statem/extensions.c
--- openssl-1.1.1b/ssl/statem/extensions.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/ssl/statem/extensions.c 2019-05-03 08:55:51.541406848 +0200
@@ -989,7 +989,6 @@ static int final_server_name(SSL *s, uns
ss->ext.ticklen = 0;
ss->ext.tick_lifetime_hint = 0;
ss->ext.tick_age_add = 0;
- ss->ext.tick_identity = 0;
if (!ssl_generate_session_id(s, ss)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
ERR_R_INTERNAL_ERROR);
@@ -1646,7 +1645,6 @@ static int final_early_data(SSL *s, unsi
if (s->max_early_data == 0
|| !s->hit
- || s->session->ext.tick_identity != 0
|| s->early_data_state != SSL_EARLY_DATA_ACCEPTING
|| !s->ext.early_data_ok
|| s->hello_retry_request != SSL_HRR_NONE
diff -up openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync openssl-1.1.1b/ssl/statem/extensions_srvr.c
--- openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/ssl/statem/extensions_srvr.c 2019-05-03 08:55:51.542406831 +0200
@@ -1274,7 +1274,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *p
goto err;
}
- sess->ext.tick_identity = id;
+ s->ext.tick_identity = id;
SSL_SESSION_free(s->session);
s->session = sess;
@@ -1948,7 +1948,7 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
|| !WPACKET_start_sub_packet_u16(pkt)
- || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
+ || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
|| !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
diff -up openssl-1.1.1b/ssl/statem/statem_clnt.c.sync openssl-1.1.1b/ssl/statem/statem_clnt.c
--- openssl-1.1.1b/ssl/statem/statem_clnt.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/ssl/statem/statem_clnt.c 2019-05-03 08:55:51.543406814 +0200
@@ -1613,10 +1613,7 @@ MSG_PROCESS_RETURN tls_process_server_he
* so the PAC-based session secret is always preserved. It'll be
* overwritten if the server refuses resumption.
*/
- if (s->session->session_id_length > 0
- || (SSL_IS_TLS13(s)
- && s->session->ext.tick_identity
- != TLSEXT_PSK_BAD_IDENTITY)) {
+ if (s->session->session_id_length > 0) {
tsan_counter(&s->session_ctx->stats.sess_miss);
if (!ssl_get_new_session(s, 0)) {
/* SSLfatal() already called */
diff -up openssl-1.1.1b/test/bio_memleak_test.c.sync openssl-1.1.1b/test/bio_memleak_test.c
--- openssl-1.1.1b/test/bio_memleak_test.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/bio_memleak_test.c 2019-05-03 08:55:51.556406591 +0200
@@ -18,28 +18,170 @@ static int test_bio_memleak(void)
int ok = 0;
BIO *bio;
BUF_MEM bufmem;
- const char *str = "BIO test\n";
+ static const char str[] = "BIO test\n";
char buf[100];
bio = BIO_new(BIO_s_mem());
- if (bio == NULL)
+ if (!TEST_ptr(bio))
goto finish;
- bufmem.length = strlen(str) + 1;
+ bufmem.length = sizeof(str);
bufmem.data = (char *) str;
bufmem.max = bufmem.length;
BIO_set_mem_buf(bio, &bufmem, BIO_NOCLOSE);
BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY);
+ if (!TEST_int_eq(BIO_read(bio, buf, sizeof(buf)), sizeof(str)))
+ goto finish;
+ if (!TEST_mem_eq(buf, sizeof(str), str, sizeof(str)))
+ goto finish;
+ ok = 1;
- if (BIO_read(bio, buf, sizeof(buf)) <= 0)
- goto finish;
+finish:
+ BIO_free(bio);
+ return ok;
+}
- ok = strcmp(buf, str) == 0;
+static int test_bio_get_mem(void)
+{
+ int ok = 0;
+ BIO *bio = NULL;
+ BUF_MEM *bufmem = NULL;
+
+ bio = BIO_new(BIO_s_mem());
+ if (!TEST_ptr(bio))
+ goto finish;
+ if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12))
+ goto finish;
+ BIO_get_mem_ptr(bio, &bufmem);
+ if (!TEST_ptr(bufmem))
+ goto finish;
+ if (!TEST_int_gt(BIO_set_close(bio, BIO_NOCLOSE), 0))
+ goto finish;
+ BIO_free(bio);
+ bio = NULL;
+ if (!TEST_mem_eq(bufmem->data, bufmem->length, "Hello World\n", 12))
+ goto finish;
+ ok = 1;
finish:
BIO_free(bio);
+ BUF_MEM_free(bufmem);
return ok;
}
+static int test_bio_new_mem_buf(void)
+{
+ int ok = 0;
+ BIO *bio;
+ BUF_MEM *bufmem;
+ char data[16];
+
+ bio = BIO_new_mem_buf("Hello World\n", 12);
+ if (!TEST_ptr(bio))
+ goto finish;
+ if (!TEST_int_eq(BIO_read(bio, data, 5), 5))
+ goto finish;
+ if (!TEST_mem_eq(data, 5, "Hello", 5))
+ goto finish;
+ if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0))
+ goto finish;
+ if (!TEST_int_lt(BIO_write(bio, "test", 4), 0))
+ goto finish;
+ if (!TEST_int_eq(BIO_read(bio, data, 16), 7))
+ goto finish;
+ if (!TEST_mem_eq(data, 7, " World\n", 7))
+ goto finish;
+ if (!TEST_int_gt(BIO_reset(bio), 0))
+ goto finish;
+ if (!TEST_int_eq(BIO_read(bio, data, 16), 12))
+ goto finish;
+ if (!TEST_mem_eq(data, 12, "Hello World\n", 12))
+ goto finish;
+ ok = 1;
+
+finish:
+ BIO_free(bio);
+ return ok;
+}
+
+static int test_bio_rdonly_mem_buf(void)
+{
+ int ok = 0;
+ BIO *bio, *bio2 = NULL;
+ BUF_MEM *bufmem;
+ char data[16];
+
+ bio = BIO_new_mem_buf("Hello World\n", 12);
+ if (!TEST_ptr(bio))
+ goto finish;
+ if (!TEST_int_eq(BIO_read(bio, data, 5), 5))
+ goto finish;
+ if (!TEST_mem_eq(data, 5, "Hello", 5))
+ goto finish;
+ if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0))
+ goto finish;
+ (void)BIO_set_close(bio, BIO_NOCLOSE);
+
+ bio2 = BIO_new(BIO_s_mem());
+ if (!TEST_ptr(bio2))
+ goto finish;
+ BIO_set_mem_buf(bio2, bufmem, BIO_CLOSE);
+ BIO_set_flags(bio2, BIO_FLAGS_MEM_RDONLY);
+
+ if (!TEST_int_eq(BIO_read(bio2, data, 16), 7))
+ goto finish;
+ if (!TEST_mem_eq(data, 7, " World\n", 7))
+ goto finish;
+ if (!TEST_int_gt(BIO_reset(bio2), 0))
+ goto finish;
+ if (!TEST_int_eq(BIO_read(bio2, data, 16), 7))
+ goto finish;
+ if (!TEST_mem_eq(data, 7, " World\n", 7))
+ goto finish;
+ ok = 1;
+
+finish:
+ BIO_free(bio);
+ BIO_free(bio2);
+ return ok;
+}
+
+static int test_bio_rdwr_rdonly(void)
+{
+ int ok = 0;
+ BIO *bio = NULL;
+ char data[16];
+
+ bio = BIO_new(BIO_s_mem());
+ if (!TEST_ptr(bio))
+ goto finish;
+ if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12))
+ goto finish;
+
+ BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY);
+ if (!TEST_int_eq(BIO_read(bio, data, 16), 12))
+ goto finish;
+ if (!TEST_mem_eq(data, 12, "Hello World\n", 12))
+ goto finish;
+ if (!TEST_int_gt(BIO_reset(bio), 0))
+ goto finish;
+
+ BIO_clear_flags(bio, BIO_FLAGS_MEM_RDONLY);
+ if (!TEST_int_eq(BIO_puts(bio, "Hi!\n"), 4))
+ goto finish;
+ if (!TEST_int_eq(BIO_read(bio, data, 16), 16))
+ goto finish;
+
+ if (!TEST_mem_eq(data, 16, "Hello World\nHi!\n", 16))
+ goto finish;
+
+ ok = 1;
+
+finish:
+ BIO_free(bio);
+ return ok;
+}
+
+
int global_init(void)
{
CRYPTO_set_mem_debug(1);
@@ -50,5 +192,9 @@ int global_init(void)
int setup_tests(void)
{
ADD_TEST(test_bio_memleak);
+ ADD_TEST(test_bio_get_mem);
+ ADD_TEST(test_bio_new_mem_buf);
+ ADD_TEST(test_bio_rdonly_mem_buf);
+ ADD_TEST(test_bio_rdwr_rdonly);
return 1;
}
diff -up openssl-1.1.1b/test/ectest.c.sync openssl-1.1.1b/test/ectest.c
--- openssl-1.1.1b/test/ectest.c.sync 2019-05-03 08:55:45.127516962 +0200
+++ openssl-1.1.1b/test/ectest.c 2019-05-03 08:55:51.524407140 +0200
@@ -728,6 +728,74 @@ err:
BN_CTX_free(ctx);
return r;
}
+
+/*
+ * Tests a point known to cause an incorrect underflow in an old version of
+ * ecp_nist521.c
+ */
+static int underflow_test(void)
+{
+ BN_CTX *ctx = NULL;
+ EC_GROUP *grp = NULL;
+ EC_POINT *P = NULL, *Q = NULL, *R = NULL;
+ BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL;
+ BIGNUM *k = NULL;
+ int testresult = 0;
+ const char *x1str =
+ "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4"
+ "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004";
+ const char *p521m1 =
+ "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe";
+
+ ctx = BN_CTX_new();
+ if (!TEST_ptr(ctx))
+ return 0;
+
+ BN_CTX_start(ctx);
+ x1 = BN_CTX_get(ctx);
+ y1 = BN_CTX_get(ctx);
+ z1 = BN_CTX_get(ctx);
+ x2 = BN_CTX_get(ctx);
+ y2 = BN_CTX_get(ctx);
+ k = BN_CTX_get(ctx);
+ if (!TEST_ptr(k))
+ goto err;
+
+ grp = EC_GROUP_new_by_curve_name(NID_secp521r1);
+ P = EC_POINT_new(grp);
+ Q = EC_POINT_new(grp);
+ R = EC_POINT_new(grp);
+ if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R))
+ goto err;
+
+ if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0)
+ || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0)
+ || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0)
+ || !TEST_int_gt(BN_hex2bn(&k, "02"), 0)
+ || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1,
+ y1, z1, ctx))
+ || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx))
+ || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx))
+ || !TEST_true(EC_POINT_dbl(grp, R, P, ctx))
+ || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx)))
+ goto err;
+
+ if (!TEST_int_eq(BN_cmp(x1, x2), 0)
+ || !TEST_int_eq(BN_cmp(y1, y2), 0))
+ goto err;
+
+ testresult = 1;
+
+ err:
+ BN_CTX_end(ctx);
+ EC_POINT_free(P);
+ EC_POINT_free(Q);
+ EC_GROUP_free(grp);
+ BN_CTX_free(ctx);
+
+ return testresult;
+}
# endif
static const unsigned char p521_named[] = {
@@ -835,6 +903,7 @@ int setup_tests(void)
# endif
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
+ ADD_TEST(underflow_test);
# endif
ADD_ALL_TESTS(internal_curve_test, crv_len);
ADD_ALL_TESTS(internal_curve_test_method, crv_len);
diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt
--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-03 08:55:51.552406659 +0200
@@ -2232,7 +2232,7 @@ IV = 00000000000000000000000000000000
Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
Ciphertext = 30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd
-Title = ARIA GCM test vectors from IETF draft-ietf-avtcore-aria-srtp-10
+Title = ARIA GCM test vectors from RFC8269
Cipher = ARIA-128-GCM
Key = e91e5e75da65554a48181f3846349562
@@ -2250,6 +2250,36 @@ Tag = e210d6ced2cf430ff841472915e7ef48
Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
Ciphertext = 6f9e4bcbc8c85fc0128fb1e4a0a20cb9932ff74581f54fc013dd054b19f99371425b352d97d3f337b90b63d1b082adeeea9d2d7391897d591b985e55fb50cb5350cf7d38dc27dda127c078a149c8eb98083d66363a46e3726af217d3a00275ad5bf772c7610ea4c23006878f0ee69a8397703169a419303f40b72e4573714d19e2697df61e7c7252e5abc6bade876ac4961bfac4d5e867afca351a48aed52822
+Title = ARIA GCM self-generated test vectors
+
+Cipher = ARIA-128-GCM
+Key = e91e5e75da65554a48181f3846349562
+# Shorter than default IV
+IV = 0001020304
+AAD = 8008315ebf2e6fe020e8f5eb
+Tag = ebaa2645bb154542117ee46031aa176e
+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
+Ciphertext = 1723ccfc0ed44a12520473cfeb63bc933cd450a943f5f1cba78e19d72f80cc102acc51f2459a06cf6435182b8ddd451f83e13479efe5ec7dfbf16229f4017920fb41457a9b6fe1a401b30b2f332d827ae2f86e962326927c1ed8bfedac1f7a00ddde63bd392a8f28a488ba5974689f8d15b9b1739fb50aae0ff244026ec72064003c621b33ffc8086b0a97eefb70604a2826f6499f6eb12d67a0da03fc8e1482
+
+Cipher = ARIA-128-GCM
+Key = e91e5e75da65554a48181f3846349562
+# Longer than default IV
+IV = 000102030405060708090a0b0c0d0e0f
+AAD = 8008315ebf2e6fe020e8f5eb
+Tag = 61f7f44c7da3c60195b29ae0b46051a4
+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
+Ciphertext = 0d3e98fcaf7a2c4fe9198d66add90d113e5e0ff47598c40a4bf501960d935a4156c9a4d46c9358a608e10a16479a4247c9ab9bb4a02809e3eac3571b832590fe2ca3e2d545741e36282d96c041fc7d39a46ed60214c2c0ec70f27768dfea4f9563b5d5c2ac33b1368a78f2908f5daf942433fec6ab588f09e908e95cc8dfa85d1a0dfd5835dc14e148323230c63eedc99a9ce942214cb3768b97b821d613629f
+
+Cipher = ARIA-128-GCM
+Key = e91e5e75da65554a48181f3846349562
+# Extra long IV
+IV = 000102030405060708090a0b0c0d0e0f1011
+AAD = 8008315ebf2e6fe020e8f5eb
+Tag = c8b31ab6c2ddccab06b76af4e56e664e
+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
+Ciphertext = 616a7bce24206501082cef7267c09a4affa54f8f82eb7fb2cdebdcaab4b6ab05c37e891c2d0fc90d15c5fb684247625c8bc0befad86896ae1c8f5a8506954caba4e13df0a0eb23853d4474e7f3b2c57bb398456a24d198e14566bce8a5f8d3bcdb12994d2fdc0f5cf19aeff990c1fe119e01f9fcc86757b1d43a9accf7b2f913c2208a46c1967f403867f89b46ffe96864c63f042265806ea5270e0dddd0e8dd
+
+
Title = ARIA CCM test vectors from IETF draft-ietf-avtcore-aria-srtp-02
# 16-byte Tag
@@ -2357,14 +2387,41 @@ Operation = ENCRYPT
Plaintext = B41E6BE2EBA84A148E2EED84593C5EC7
Ciphertext = 9B9B7BFCD1813CB95D0B3618F40F5122
-Title = Chacha20
+Title = Chacha20 test vectors from RFC7539
+# A.1 Test Vector 1
Cipher = chacha20
Key = 0000000000000000000000000000000000000000000000000000000000000000
IV = 00000000000000000000000000000000
Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Ciphertext = 76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586
+# A.1 Test Vector 2
+Cipher = chacha20
+Key = 0000000000000000000000000000000000000000000000000000000000000000
+IV = 01000000000000000000000000000000
+Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Ciphertext = 9f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29b721769ce64e43d57133b074d839d531ed1f28510afb45ace10a1f4b794d6f
+
+# A.2 Test Vector 1 is the same as A.1 Test Vector 1
+# A.2 Test Vector 2
+Cipher = chacha20
+Key = 0000000000000000000000000000000000000000000000000000000000000001
+#Counter (first 4 bytes) expressed in little-endian order
+IV = 01000000000000000000000000000002
+Plaintext = 416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f
+Ciphertext = a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221
+
+# A.2 Test Vector 3
+Cipher = chacha20
+Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0
+#Counter (first 4 bytes) expressed in little-endian order
+IV = 2a000000000000000000000000000002
+Plaintext = 2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e
+Ciphertext = 62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1
+
+Title = Chacha20
+
Cipher = chacha20
Key = 0000000000000000000000000000000000000000000000000000000000000001
IV = 00000000000000000000000000000000
@@ -2506,3 +2563,12 @@ AAD = f33388860000000000004e91
Tag = e0723bce23528ce6ccb10ff9627038bf
Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d
Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
+
+Cipher = chacha20-poly1305
+Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0
+IV = ff000000000102030405060708
+AAD = f33388860000000000004e91
+Tag = e0723bce23528ce6ccb10ff9627038bf
+Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d
+Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
+Result = INVALID_IV_LENGTH
diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt
--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt 2019-05-03 08:55:51.539406883 +0200
@@ -351,6 +351,14 @@ Input = "Sample message for keylen>block
Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687
Output = 5f464f5e5b7848e3885e49b2c385f0694985d0e38966242dc4a5fe3fea4b37d46b65ceced5dcf59438dd840bab22269f0ba7febdb9fcf74602a35666b2a32915
+Title = HMAC self generated tests
+
+MAC = HMAC
+Algorithm = SHAKE128
+Input = "Test that SHAKE128 fails"
+Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+Result = DIGESTSIGNINIT_ERROR
+
Title = CMAC tests (from FIPS module)
diff -up openssl-1.1.1b/test/recipes/80-test_cms.t.sync openssl-1.1.1b/test/recipes/80-test_cms.t
--- openssl-1.1.1b/test/recipes/80-test_cms.t.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/recipes/80-test_cms.t 2019-05-03 08:55:51.533406986 +0200
@@ -308,6 +308,14 @@ my @smime_cms_param_tests = (
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
+ [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=-3",
+ [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+ "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
+ "-keyopt", "rsa_pss_saltlen:-3", "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms", "-inform", "PEM",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
[ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr",
"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
diff -up openssl-1.1.1b/test/rsa_test.c.sync openssl-1.1.1b/test/rsa_test.c
--- openssl-1.1.1b/test/rsa_test.c.sync 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/rsa_test.c 2019-05-03 08:55:51.523407157 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -268,6 +268,36 @@ err:
return ret;
}
+static int test_rsa_sslv23(int idx)
+{
+ int ret = 0;
+ RSA *key;
+ unsigned char ptext[256];
+ unsigned char ctext[256];
+ static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
+ unsigned char ctext_ex[256];
+ int plen;
+ int clen = 0;
+ int num;
+
+ plen = sizeof(ptext_ex) - 1;
+ clen = rsa_setkey(&key, ctext_ex, idx);
+
+ num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
+ RSA_SSLV23_PADDING);
+ if (!TEST_int_eq(num, clen))
+ goto err;
+
+ num = RSA_private_decrypt(num, ctext, ptext, key, RSA_SSLV23_PADDING);
+ if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
+ goto err;
+
+ ret = 1;
+err:
+ RSA_free(key);
+ return ret;
+}
+
static int test_rsa_oaep(int idx)
{
int ret = 0;
@@ -332,6 +362,7 @@ err:
int setup_tests(void)
{
ADD_ALL_TESTS(test_rsa_pkcs1, 3);
+ ADD_ALL_TESTS(test_rsa_sslv23, 3);
ADD_ALL_TESTS(test_rsa_oaep, 3);
return 1;
}