Blob Blame Raw
diff -up openssl-1.1.1b/apps/asn1pars.c.sync openssl-1.1.1b/apps/asn1pars.c
--- openssl-1.1.1b/apps/asn1pars.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/apps/asn1pars.c	2019-05-03 08:55:51.532407003 +0200
@@ -170,17 +170,17 @@ int asn1parse_main(int argc, char **argv
     if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL)
         goto end;
 
+    if ((buf = BUF_MEM_new()) == NULL)
+        goto end;
     if (strictpem) {
-        if (PEM_read_bio(in, &name, &header, &str, &num) !=
-            1) {
+        if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
             BIO_printf(bio_err, "Error reading PEM file\n");
             ERR_print_errors(bio_err);
             goto end;
         }
+        buf->data = (char *)str;
+        buf->length = buf->max = num;
     } else {
-
-        if ((buf = BUF_MEM_new()) == NULL)
-            goto end;
         if (!BUF_MEM_grow(buf, BUFSIZ * 8))
             goto end;           /* Pre-allocate :-) */
 
@@ -303,8 +303,6 @@ int asn1parse_main(int argc, char **argv
     BUF_MEM_free(buf);
     OPENSSL_free(name);
     OPENSSL_free(header);
-    if (strictpem)
-        OPENSSL_free(str);
     ASN1_TYPE_free(at);
     sk_OPENSSL_STRING_free(osk);
     return ret;
diff -up openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl
--- openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl	2019-05-03 08:55:51.551406676 +0200
@@ -1829,7 +1829,7 @@ Lctr32_enc8x_three:
 	stvx_u		$out1,$x10,$out
 	stvx_u		$out2,$x20,$out
 	addi		$out,$out,0x30
-	b		Lcbc_dec8x_done
+	b		Lctr32_enc8x_done
 
 .align	5
 Lctr32_enc8x_two:
@@ -1841,7 +1841,7 @@ Lctr32_enc8x_two:
 	stvx_u		$out0,$x00,$out
 	stvx_u		$out1,$x10,$out
 	addi		$out,$out,0x20
-	b		Lcbc_dec8x_done
+	b		Lctr32_enc8x_done
 
 .align	5
 Lctr32_enc8x_one:
diff -up openssl-1.1.1b/crypto/bio/b_addr.c.sync openssl-1.1.1b/crypto/bio/b_addr.c
--- openssl-1.1.1b/crypto/bio/b_addr.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bio/b_addr.c	2019-05-03 08:55:51.555406608 +0200
@@ -683,6 +683,12 @@ int BIO_lookup_ex(const char *host, cons
         hints.ai_family = family;
         hints.ai_socktype = socktype;
         hints.ai_protocol = protocol;
+#ifdef AI_ADDRCONFIG
+#ifdef AF_UNSPEC
+        if (family == AF_UNSPEC)
+#endif
+            hints.ai_flags |= AI_ADDRCONFIG;
+#endif
 
         if (lookup_type == BIO_LOOKUP_SERVER)
             hints.ai_flags |= AI_PASSIVE;
diff -up openssl-1.1.1b/crypto/bio/bss_mem.c.sync openssl-1.1.1b/crypto/bio/bss_mem.c
--- openssl-1.1.1b/crypto/bio/bss_mem.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bio/bss_mem.c	2019-05-03 08:55:51.556406591 +0200
@@ -57,7 +57,12 @@ static const BIO_METHOD secmem_method =
     NULL,                      /* mem_callback_ctrl */
 };
 
-/* BIO memory stores buffer and read pointer  */
+/*
+ * BIO memory stores buffer and read pointer
+ * however the roles are different for read only BIOs.
+ * In that case the readp just stores the original state
+ * to be used for reset.
+ */
 typedef struct bio_buf_mem_st {
     struct buf_mem_st *buf;   /* allocated buffer */
     struct buf_mem_st *readp; /* read pointer */
@@ -192,11 +197,14 @@ static int mem_read(BIO *b, char *out, i
     BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
     BUF_MEM *bm = bbm->readp;
 
+    if (b->flags & BIO_FLAGS_MEM_RDONLY)
+        bm = bbm->buf;
     BIO_clear_retry_flags(b);
     ret = (outl >= 0 && (size_t)outl > bm->length) ? (int)bm->length : outl;
     if ((out != NULL) && (ret > 0)) {
         memcpy(out, bm->data, ret);
         bm->length -= ret;
+        bm->max -= ret;
         bm->data += ret;
     } else if (bm->length == 0) {
         ret = b->num;
@@ -241,29 +249,36 @@ static long mem_ctrl(BIO *b, int cmd, lo
     BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
     BUF_MEM *bm;
 
+    if (b->flags & BIO_FLAGS_MEM_RDONLY)
+        bm = bbm->buf;
+    else
+        bm = bbm->readp;
+
     switch (cmd) {
     case BIO_CTRL_RESET:
         bm = bbm->buf;
         if (bm->data != NULL) {
-            /* For read only case reset to the start again */
-            if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & BIO_FLAGS_NONCLEAR_RST)) {
-                bm->length = bm->max;
+            if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) {
+                if (b->flags & BIO_FLAGS_NONCLEAR_RST) {
+                    bm->length = bm->max;
+                } else {
+                    memset(bm->data, 0, bm->max);
+                    bm->length = 0;
+                }
+                *bbm->readp = *bbm->buf;
             } else {
-                memset(bm->data, 0, bm->max);
-                bm->length = 0;
+                /* For read only case just reset to the start again */
+                *bbm->buf = *bbm->readp;
             }
-            *bbm->readp = *bbm->buf;
         }
         break;
     case BIO_CTRL_EOF:
-        bm = bbm->readp;
         ret = (long)(bm->length == 0);
         break;
     case BIO_C_SET_BUF_MEM_EOF_RETURN:
         b->num = (int)num;
         break;
     case BIO_CTRL_INFO:
-        bm = bbm->readp;
         ret = (long)bm->length;
         if (ptr != NULL) {
             pptr = (char **)ptr;
@@ -278,8 +293,9 @@ static long mem_ctrl(BIO *b, int cmd, lo
         break;
     case BIO_C_GET_BUF_MEM_PTR:
         if (ptr != NULL) {
-            mem_buf_sync(b);
-            bm = bbm->readp;
+            if (!(b->flags & BIO_FLAGS_MEM_RDONLY))
+                mem_buf_sync(b);
+            bm = bbm->buf;
             pptr = (char **)ptr;
             *pptr = (char *)bm;
         }
@@ -294,7 +310,6 @@ static long mem_ctrl(BIO *b, int cmd, lo
         ret = 0L;
         break;
     case BIO_CTRL_PENDING:
-        bm = bbm->readp;
         ret = (long)bm->length;
         break;
     case BIO_CTRL_DUP:
@@ -318,6 +333,8 @@ static int mem_gets(BIO *bp, char *buf,
     BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)bp->ptr;
     BUF_MEM *bm = bbm->readp;
 
+    if (bp->flags & BIO_FLAGS_MEM_RDONLY)
+        bm = bbm->buf;
     BIO_clear_retry_flags(bp);
     j = bm->length;
     if ((size - 1) < j)
diff -up openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync openssl-1.1.1b/crypto/bn/asm/ppc.pl
--- openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bn/asm/ppc.pl	2019-05-03 08:55:51.530407037 +0200
@@ -258,6 +258,7 @@ $data=<<EOF;
 # .text section
 
 	.machine	"any"
+	.text
 
 #
 #	NOTE:	The following label name should be changed to
diff -up openssl-1.1.1b/crypto/bn/bn_ctx.c.sync openssl-1.1.1b/crypto/bn/bn_ctx.c
--- openssl-1.1.1b/crypto/bn/bn_ctx.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bn/bn_ctx.c	2019-05-03 08:55:51.524407140 +0200
@@ -194,6 +194,8 @@ void BN_CTX_start(BN_CTX *ctx)
 
 void BN_CTX_end(BN_CTX *ctx)
 {
+    if (ctx == NULL)
+        return;
     CTXDBG_ENTRY("BN_CTX_end", ctx);
     if (ctx->err_stack)
         ctx->err_stack--;
diff -up openssl-1.1.1b/crypto/bn/bn_lib.c.sync openssl-1.1.1b/crypto/bn/bn_lib.c
--- openssl-1.1.1b/crypto/bn/bn_lib.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bn/bn_lib.c	2019-05-03 08:55:51.525407123 +0200
@@ -338,6 +338,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b)
 
 void BN_clear(BIGNUM *a)
 {
+    if (a == NULL)
+        return;
     bn_check_top(a);
     if (a->d != NULL)
         OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax);
diff -up openssl-1.1.1b/crypto/bn/bn_prime.c.sync openssl-1.1.1b/crypto/bn/bn_prime.c
--- openssl-1.1.1b/crypto/bn/bn_prime.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/bn/bn_prime.c	2019-05-03 08:55:51.525407123 +0200
@@ -135,8 +135,7 @@ int BN_generate_prime_ex(BIGNUM *ret, in
     found = 1;
  err:
     OPENSSL_free(mods);
-    if (ctx != NULL)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     bn_check_top(ret);
     return found;
diff -up openssl-1.1.1b/crypto/chacha/build.info.sync openssl-1.1.1b/crypto/chacha/build.info
--- openssl-1.1.1b/crypto/chacha/build.info.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/chacha/build.info	2019-05-03 08:55:51.538406900 +0200
@@ -9,6 +9,8 @@ GENERATE[chacha-armv4.S]=asm/chacha-armv
 INCLUDE[chacha-armv4.o]=..
 GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl $(PERLASM_SCHEME)
 INCLUDE[chacha-armv8.o]=..
+GENERATE[chacha-s390x.S]=asm/chacha-s390x.pl $(PERLASM_SCHEME)
+INCLUDE[chacha-s390x.o]=..
 
 BEGINRAW[Makefile(unix)]
 ##### CHACHA assembler implementations
diff -up openssl-1.1.1b/crypto/conf/conf_sap.c.sync openssl-1.1.1b/crypto/conf/conf_sap.c
--- openssl-1.1.1b/crypto/conf/conf_sap.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/conf/conf_sap.c	2019-05-03 08:55:51.550406694 +0200
@@ -35,6 +35,7 @@ void OPENSSL_config(const char *appname)
     memset(&settings, 0, sizeof(settings));
     if (appname != NULL)
         settings.appname = strdup(appname);
+    settings.flags = DEFAULT_CONF_MFLAGS;
     OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings);
 }
 #endif
diff -up openssl-1.1.1b/crypto/dh/dh_check.c.sync openssl-1.1.1b/crypto/dh/dh_check.c
--- openssl-1.1.1b/crypto/dh/dh_check.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/dh/dh_check.c	2019-05-03 08:55:51.525407123 +0200
@@ -58,10 +58,8 @@ int DH_check_params(const DH *dh, int *r
 
     ok = 1;
  err:
-    if (ctx != NULL) {
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-    }
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
     return ok;
 }
 
@@ -171,10 +169,8 @@ int DH_check(const DH *dh, int *ret)
     }
     ok = 1;
  err:
-    if (ctx != NULL) {
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-    }
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
     return ok;
 }
 
@@ -225,9 +221,7 @@ int DH_check_pub_key(const DH *dh, const
 
     ok = 1;
  err:
-    if (ctx != NULL) {
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-    }
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
     return ok;
 }
diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.sync openssl-1.1.1b/crypto/dh/dh_gen.c
--- openssl-1.1.1b/crypto/dh/dh_gen.c.sync	2019-05-03 08:55:45.170516224 +0200
+++ openssl-1.1.1b/crypto/dh/dh_gen.c	2019-05-03 08:55:51.525407123 +0200
@@ -144,9 +144,7 @@ static int dh_builtin_genparams(DH *ret,
         ok = 0;
     }
 
-    if (ctx != NULL) {
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-    }
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
     return ok;
 }
diff -up openssl-1.1.1b/crypto/dh/dh_key.c.sync openssl-1.1.1b/crypto/dh/dh_key.c
--- openssl-1.1.1b/crypto/dh/dh_key.c.sync	2019-05-03 08:55:45.170516224 +0200
+++ openssl-1.1.1b/crypto/dh/dh_key.c	2019-05-03 08:55:51.526407106 +0200
@@ -237,10 +237,8 @@ static int compute_key(unsigned char *ke
 
     ret = BN_bn2bin(tmp, key);
  err:
-    if (ctx != NULL) {
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-    }
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
     return ret;
 }
 
diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync openssl-1.1.1b/crypto/dsa/dsa_gen.c
--- openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync	2019-05-03 08:55:45.171516207 +0200
+++ openssl-1.1.1b/crypto/dsa/dsa_gen.c	2019-05-03 08:55:51.526407106 +0200
@@ -308,8 +308,7 @@ int dsa_builtin_paramgen(DSA *ret, size_
         if (seed_out)
             memcpy(seed_out, seed, qsize);
     }
-    if (ctx)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     BN_MONT_CTX_free(mont);
     return ok;
@@ -641,8 +640,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
     OPENSSL_free(seed);
     if (seed_out != seed_tmp)
         OPENSSL_free(seed_tmp);
-    if (ctx)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     BN_MONT_CTX_free(mont);
     EVP_MD_CTX_free(mctx);
diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync openssl-1.1.1b/crypto/ec/ecdh_ossl.c
--- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync	2019-05-03 08:55:45.171516207 +0200
+++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c	2019-05-03 08:55:51.556406591 +0200
@@ -123,7 +123,7 @@ int ecdh_simple_compute_key(unsigned cha
     ret = 1;
 
  err:
-    EC_POINT_free(tmp);
+    EC_POINT_clear_free(tmp);
     if (ctx)
         BN_CTX_end(ctx);
     BN_CTX_free(ctx);
diff -up openssl-1.1.1b/crypto/ec/ec_lib.c.sync openssl-1.1.1b/crypto/ec/ec_lib.c
--- openssl-1.1.1b/crypto/ec/ec_lib.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/ec/ec_lib.c	2019-05-03 08:55:51.527407088 +0200
@@ -1074,8 +1074,7 @@ static int ec_field_inverse_mod_ord(cons
     ret = 1;
 
  err:
-    if (ctx != NULL)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(new_ctx);
     return ret;
 }
diff -up openssl-1.1.1b/crypto/ec/ec_mult.c.sync openssl-1.1.1b/crypto/ec/ec_mult.c
--- openssl-1.1.1b/crypto/ec/ec_mult.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/ec/ec_mult.c	2019-05-03 08:55:51.540406865 +0200
@@ -378,7 +378,7 @@ int ec_scalar_mul_ladder(const EC_GROUP
 
  err:
     EC_POINT_free(p);
-    EC_POINT_free(s);
+    EC_POINT_clear_free(s);
     BN_CTX_end(ctx);
 
     return ret;
@@ -441,7 +441,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E
          * scalar multiplication implementation based on a Montgomery ladder,
          * with various timing attack defenses.
          */
-        if ((scalar != NULL) && (num == 0)) {
+        if ((scalar != group->order) && (scalar != NULL) && (num == 0)) {
             /*-
              * In this case we want to compute scalar * GeneratorPoint: this
              * codepath is reached most prominently by (ephemeral) key
@@ -452,7 +452,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E
              */
             return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx);
         }
-        if ((scalar == NULL) && (num == 1)) {
+        if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) {
             /*-
              * In this case we want to compute scalar * VariablePoint: this
              * codepath is reached most prominently by the second half of ECDH,
@@ -948,8 +948,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *gr
     ret = 1;
 
  err:
-    if (ctx != NULL)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(new_ctx);
     EC_ec_pre_comp_free(pre_comp);
     if (points) {
diff -up openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync openssl-1.1.1b/crypto/ec/ecp_nistp521.c
--- openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/ec/ecp_nistp521.c	2019-05-03 08:55:51.532407003 +0200
@@ -357,10 +357,15 @@ static void felem_diff64(felem out, cons
 static void felem_diff_128_64(largefelem out, const felem in)
 {
     /*
-     * In order to prevent underflow, we add 0 mod p before subtracting.
+     * In order to prevent underflow, we add 64p mod p (which is equivalent
+     * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521
+     * digit number with all bits set to 1. See "The representation of field
+     * elements" comment above for a description of how limbs are used to
+     * represent a number. 64p is represented with 8 limbs containing a number
+     * with 58 bits set and one limb with a number with 57 bits set.
      */
-    static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5);
-    static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4);
+    static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6);
+    static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5);
 
     out[0] += two63m6 - in[0];
     out[1] += two63m5 - in[1];
diff -up openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync openssl-1.1.1b/crypto/ec/ecp_nistz256.c
--- openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/ec/ecp_nistz256.c	2019-05-03 08:55:51.528407071 +0200
@@ -888,8 +888,7 @@ __owur static int ecp_nistz256_mult_prec
     ret = 1;
 
  err:
-    if (ctx != NULL)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(new_ctx);
 
     EC_nistz256_pre_comp_free(pre_comp);
diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync openssl-1.1.1b/crypto/ec/ecp_smpl.c
--- openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync	2019-05-03 08:55:45.152516533 +0200
+++ openssl-1.1.1b/crypto/ec/ecp_smpl.c	2019-05-03 08:55:51.528407071 +0200
@@ -312,8 +312,7 @@ int ec_GFp_simple_group_check_discrimina
     ret = 1;
 
  err:
-    if (ctx != NULL)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(new_ctx);
     return ret;
 }
@@ -792,8 +791,7 @@ int ec_GFp_simple_add(const EC_GROUP *gr
     ret = 1;
 
  end:
-    if (ctx)                    /* otherwise we already called BN_CTX_end */
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(new_ctx);
     return ret;
 }
diff -up openssl-1.1.1b/crypto/err/err.c.sync openssl-1.1.1b/crypto/err/err.c
--- openssl-1.1.1b/crypto/err/err.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/err/err.c	2019-05-03 08:55:51.548406728 +0200
@@ -523,8 +523,24 @@ static unsigned long get_error_values(in
         return ERR_R_INTERNAL_ERROR;
     }
 
+    while (es->bottom != es->top) {
+        if (es->err_flags[es->top] & ERR_FLAG_CLEAR) {
+            err_clear(es, es->top);
+            es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1;
+            continue;
+        }
+        i = (es->bottom + 1) % ERR_NUM_ERRORS;
+        if (es->err_flags[i] & ERR_FLAG_CLEAR) {
+            es->bottom = i;
+            err_clear(es, es->bottom);
+            continue;
+        }
+        break;
+    }
+
     if (es->bottom == es->top)
         return 0;
+
     if (top)
         i = es->top;            /* last error */
     else
@@ -913,25 +929,6 @@ int ERR_clear_last_mark(void)
     return 1;
 }
 
-#ifdef UINTPTR_T
-# undef UINTPTR_T
-#endif
-/*
- * uintptr_t is the answer, but unfortunately C89, current "least common
- * denominator" doesn't define it. Most legacy platforms typedef it anyway,
- * so that attempt to fill the gaps means that one would have to identify
- * that track these gaps, which would be undesirable. Macro it is...
- */
-#if defined(__VMS) && __INITIAL_POINTER_SIZE==64
-/*
- * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
- * even in 64-bit builds, which means that it won't work as mask.
- */
-# define UINTPTR_T unsigned long long
-#else
-# define UINTPTR_T size_t
-#endif
-
 void err_clear_last_constant_time(int clear)
 {
     ERR_STATE *es;
@@ -943,11 +940,11 @@ void err_clear_last_constant_time(int cl
 
     top = es->top;
 
-    es->err_flags[top] &= ~(0 - clear);
-    es->err_buffer[top] &= ~(0UL - clear);
-    es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
-                                       ~((UINTPTR_T)0 - clear));
-    es->err_line[top] |= 0 - clear;
-
-    es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+    /*
+     * Flag error as cleared but remove it elsewhere to avoid two errors
+     * accessing the same error stack location, revealing timing information.
+     */
+    clear = constant_time_select_int(constant_time_eq_int(clear, 0),
+                                     0, ERR_FLAG_CLEAR);
+    es->err_flags[top] |= clear;
 }
diff -up openssl-1.1.1b/crypto/evp/digest.c.sync openssl-1.1.1b/crypto/evp/digest.c
--- openssl-1.1.1b/crypto/evp/digest.c.sync	2019-05-03 08:55:51.553406642 +0200
+++ openssl-1.1.1b/crypto/evp/digest.c	2019-05-03 08:56:40.800561168 +0200
@@ -171,6 +171,9 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, co
 #ifdef OPENSSL_FIPS
     FIPS_selftest_check();
 #endif
+    if (count == 0)
+        return 1;
+
     return ctx->update(ctx, data, count);
 }
 
diff -up openssl-1.1.1b/crypto/evp/e_aria.c.sync openssl-1.1.1b/crypto/evp/e_aria.c
--- openssl-1.1.1b/crypto/evp/e_aria.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/evp/e_aria.c	2019-05-03 08:55:51.545406779 +0200
@@ -486,6 +486,16 @@ static int aria_gcm_cipher(EVP_CIPHER_CT
     return 0;
 }
 
+static int aria_gcm_cleanup(EVP_CIPHER_CTX *ctx)
+{
+    EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, ctx);
+
+    if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(ctx))
+        OPENSSL_free(gctx->iv);
+
+    return 1;
+}
+
 static int aria_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv, int enc)
 {
@@ -727,6 +737,8 @@ static int aria_ccm_cipher(EVP_CIPHER_CT
     }
 }
 
+#define aria_ccm_cleanup    NULL
+
 #define ARIA_AUTH_FLAGS  (EVP_CIPH_FLAG_DEFAULT_ASN1 \
                           | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
                           | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
@@ -739,7 +751,7 @@ static const EVP_CIPHER aria_##keylen##_
         ARIA_AUTH_FLAGS|EVP_CIPH_##MODE##_MODE,    \
         aria_##mode##_init_key,                    \
         aria_##mode##_cipher,                      \
-        NULL,                                      \
+        aria_##mode##_cleanup,                     \
         sizeof(EVP_ARIA_##MODE##_CTX),             \
         NULL,NULL,aria_##mode##_ctrl,NULL };       \
 const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \
diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c
--- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync	2019-05-03 08:55:45.216515434 +0200
+++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c	2019-05-03 08:55:51.551406676 +0200
@@ -30,6 +30,8 @@ typedef struct {
 
 #define data(ctx)   ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
 
+#define CHACHA20_POLY1305_MAX_IVLEN     12
+
 static int chacha_init_key(EVP_CIPHER_CTX *ctx,
                            const unsigned char user_key[CHACHA_KEY_SIZE],
                            const unsigned char iv[CHACHA_CTR_SIZE], int enc)
@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CI
         return 1;
 
     case EVP_CTRL_AEAD_SET_IVLEN:
-        if (arg <= 0 || arg > CHACHA_CTR_SIZE)
+        if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
             return 0;
         actx->nonce_len = arg;
         return 1;
diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.sync openssl-1.1.1b/crypto/evp/evp_enc.c
--- openssl-1.1.1b/crypto/evp/evp_enc.c.sync	2019-05-03 08:55:45.174516155 +0200
+++ openssl-1.1.1b/crypto/evp/evp_enc.c	2019-05-03 08:55:51.544406797 +0200
@@ -338,6 +338,11 @@ static int evp_EncryptDecryptUpdate(EVP_
 
     bl = ctx->cipher->block_size;
 
+    if (inl <= 0) {
+        *outl = 0;
+        return inl == 0;
+    }
+
     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
         /* If block size > 1 then the cipher will have to do this check */
         if (bl == 1 && is_partially_overlapping(out, in, cmpl)) {
@@ -353,10 +358,6 @@ static int evp_EncryptDecryptUpdate(EVP_
         return 1;
     }
 
-    if (inl <= 0) {
-        *outl = 0;
-        return inl == 0;
-    }
     if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
         EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
         return 0;
@@ -490,6 +491,11 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
     if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
         cmpl = (cmpl + 7) / 8;
 
+    if (inl <= 0) {
+        *outl = 0;
+        return inl == 0;
+    }
+
     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
         if (b == 1 && is_partially_overlapping(out, in, cmpl)) {
             EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
@@ -505,11 +511,6 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
         return 1;
     }
 
-    if (inl <= 0) {
-        *outl = 0;
-        return inl == 0;
-    }
-
     if (ctx->flags & EVP_CIPH_NO_PADDING)
         return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
 
diff -up openssl-1.1.1b/crypto/hmac/hmac.c.sync openssl-1.1.1b/crypto/hmac/hmac.c
--- openssl-1.1.1b/crypto/hmac/hmac.c.sync	2019-05-03 08:55:45.189515898 +0200
+++ openssl-1.1.1b/crypto/hmac/hmac.c	2019-05-03 08:55:51.538406900 +0200
@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
         return 0;
     }
 
+    /*
+     * The HMAC construction is not allowed  to be used with the
+     * extendable-output functions (XOF) shake128 and shake256.
+     */
+    if ((EVP_MD_meth_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
+        return 0;
+
     if (key != NULL) {
 #ifdef OPENSSL_FIPS
         if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS)
diff -up openssl-1.1.1b/crypto/init.c.sync openssl-1.1.1b/crypto/init.c
--- openssl-1.1.1b/crypto/init.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/init.c	2019-05-03 08:55:51.550406694 +0200
@@ -702,7 +702,7 @@ int OPENSSL_init_crypto(uint64_t opts, c
         ret = RUN_ONCE(&config, ossl_init_config);
         conf_settings = NULL;
         CRYPTO_THREAD_unlock(init_lock);
-        if (!ret)
+        if (ret <= 0)
             return 0;
     }
 
diff -up openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl
--- openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl	2019-05-03 08:55:51.534406969 +0200
@@ -1155,6 +1155,7 @@ ___
 } else {
 $code.=<<___;
 	jmp	.L_init_clmul
+.cfi_endproc
 .size	gcm_init_avx,.-gcm_init_avx
 ___
 }
@@ -1594,6 +1595,7 @@ ___
 } else {
 $code.=<<___;
 	jmp	.L_ghash_clmul
+.cfi_endproc
 .size	gcm_ghash_avx,.-gcm_ghash_avx
 ___
 }
diff -up openssl-1.1.1b/crypto/modes/ccm128.c.sync openssl-1.1.1b/crypto/modes/ccm128.c
--- openssl-1.1.1b/crypto/modes/ccm128.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/modes/ccm128.c	2019-05-03 08:55:51.543406814 +0200
@@ -425,7 +425,7 @@ size_t CRYPTO_ccm128_tag(CCM128_CONTEXT
 
     M *= 2;
     M += 2;
-    if (len < M)
+    if (len != M)
         return 0;
     memcpy(tag, ctx->cmac.c, M);
     return M;
diff -up openssl-1.1.1b/crypto/o_str.c.sync openssl-1.1.1b/crypto/o_str.c
--- openssl-1.1.1b/crypto/o_str.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/o_str.c	2019-05-03 08:55:51.550406694 +0200
@@ -223,7 +223,26 @@ int openssl_strerror_r(int errnum, char
 #if defined(_MSC_VER) && _MSC_VER>=1400
     return !strerror_s(buf, buflen, errnum);
 #elif defined(_GNU_SOURCE)
-    return strerror_r(errnum, buf, buflen) != NULL;
+    char *err;
+
+    /*
+     * GNU strerror_r may not actually set buf.
+     * It can return a pointer to some (immutable) static string in which case
+     * buf is left unused.
+     */
+    err = strerror_r(errnum, buf, buflen);
+    if (err == NULL)
+        return 0;
+    /*
+     * If err is statically allocated, err != buf and we need to copy the data.
+     * If err points somewhere inside buf, OPENSSL_strlcpy can handle this,
+     * since src and dest are not annotated with __restrict and the function
+     * reads src byte for byte and writes to dest.
+     * If err == buf we do not have to copy anything.
+     */
+    if (err != buf)
+        OPENSSL_strlcpy(buf, err, buflen);
+    return 1;
 #elif (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) || \
       (defined(_XOPEN_SOURCE) && _XOPEN_SOURCE >= 600)
     /*
@@ -234,6 +253,7 @@ int openssl_strerror_r(int errnum, char
     return !strerror_r(errnum, buf, buflen);
 #else
     char *err;
+
     /* Fall back to non-thread safe strerror()...its all we can do */
     if (buflen < 2)
         return 0;
@@ -241,8 +261,7 @@ int openssl_strerror_r(int errnum, char
     /* Can this ever happen? */
     if (err == NULL)
         return 0;
-    strncpy(buf, err, buflen - 1);
-    buf[buflen - 1] = '\0';
+    OPENSSL_strlcpy(buf, err, buflen);
     return 1;
 #endif
 }
diff -up openssl-1.1.1b/crypto/poly1305/build.info.sync openssl-1.1.1b/crypto/poly1305/build.info
--- openssl-1.1.1b/crypto/poly1305/build.info.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/poly1305/build.info	2019-05-03 08:55:51.538406900 +0200
@@ -17,6 +17,7 @@ GENERATE[poly1305-armv8.S]=asm/poly1305-
 INCLUDE[poly1305-armv8.o]=..
 GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME)
 INCLUDE[poly1305-mips.o]=..
+GENERATE[poly1305-s390x.S]=asm/poly1305-s390x.pl $(PERLASM_SCHEME)
 
 BEGINRAW[Makefile(unix)]
 {- $builddir -}/poly1305-%.S:	{- $sourcedir -}/asm/poly1305-%.pl
diff -up openssl-1.1.1b/crypto/rc4/build.info.sync openssl-1.1.1b/crypto/rc4/build.info
--- openssl-1.1.1b/crypto/rc4/build.info.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rc4/build.info	2019-05-03 08:55:51.538406900 +0200
@@ -11,6 +11,8 @@ GENERATE[rc4-md5-x86_64.s]=asm/rc4-md5-x
 
 GENERATE[rc4-parisc.s]=asm/rc4-parisc.pl $(PERLASM_SCHEME)
 
+GENERATE[rc4-s390x.s]=asm/rc4-s390x.pl $(PERLASM_SCHEME)
+
 BEGINRAW[Makefile]
 # GNU make "catch all"
 {- $builddir -}/rc4-%.s:	{- $sourcedir -}/asm/rc4-%.pl
diff -up openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync openssl-1.1.1b/crypto/rsa/rsa_ameth.c
--- openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_ameth.c	2019-05-03 08:55:51.533406986 +0200
@@ -583,10 +583,12 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EV
         return NULL;
     if (saltlen == -1) {
         saltlen = EVP_MD_size(sigmd);
-    } else if (saltlen == -2) {
+    } else if (saltlen == -2 || saltlen == -3) {
         saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
         if ((EVP_PKEY_bits(pk) & 0x7) == 1)
             saltlen--;
+        if (saltlen < 0)
+            return NULL;
     }
 
     return rsa_pss_params_create(sigmd, mgf1md, saltlen);
diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync openssl-1.1.1b/crypto/rsa/rsa_gen.c
--- openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync	2019-05-03 08:55:45.191515864 +0200
+++ openssl-1.1.1b/crypto/rsa/rsa_gen.c	2019-05-03 08:55:51.528407071 +0200
@@ -746,8 +746,7 @@ static int rsa_builtin_keygen(RSA *rsa,
         RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
         ok = 0;
     }
-    if (ctx != NULL)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     return ok;
 }
diff -up openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync openssl-1.1.1b/crypto/rsa/rsa_oaep.c
--- openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_oaep.c	2019-05-03 08:55:51.549406711 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
      * |num| is the length of the modulus; |flen| is the length of the
      * encoded message. Therefore, for any |from| that was obtained by
      * decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
-     * num < 2 * mdlen + 2 must hold for the modulus irrespective of
+     * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of
      * the ciphertext, see PKCS #1 v2.2, section 7.1.2.
      * This does not leak any side-channel information.
      */
@@ -179,17 +179,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
         from -= 1 & mask;
         *--em = *from & mask;
     }
-    from = em;
 
     /*
      * The first byte must be zero, however we must not leak if this is
      * true. See James H. Manger, "A Chosen Ciphertext  Attack on RSA
      * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
      */
-    good = constant_time_is_zero(from[0]);
+    good = constant_time_is_zero(em[0]);
 
-    maskedseed = from + 1;
-    maskeddb = from + 1 + mdlen;
+    maskedseed = em + 1;
+    maskeddb = em + 1 + mdlen;
 
     if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
         goto cleanup;
@@ -230,29 +229,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
     mlen = dblen - msg_index;
 
     /*
-     * For good measure, do this check in constant tine as well.
+     * For good measure, do this check in constant time as well.
      */
     good &= constant_time_ge(tlen, mlen);
 
     /*
-     * Even though we can't fake result's length, we can pretend copying
-     * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
-     * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
-     * where |mlen'| is "saturated" |mlen| value. Deducing information
-     * about failure or |mlen| would take attacker's ability to observe
-     * memory access pattern with byte granularity *as it occurs*. It
-     * should be noted that failure is indistinguishable from normal
-     * operation if |tlen| is fixed by protocol.
+     * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
+     * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
+     * Otherwise leave |to| unchanged.
+     * Copy the memory back in a way that does not reveal the size of
+     * the data being copied via a timing side channel. This requires copying
+     * parts of the buffer multiple times based on the bits set in the real
+     * length. Clear bits do a non-copy with identical access pattern.
+     * The loop below has overall complexity of O(N*log(N)).
      */
-    tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
-    msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
-    mlen = dblen - msg_index;
-    for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
-        unsigned int equals = constant_time_eq(i, mlen);
-
-        from -= dblen & equals; /* if (i == dblen) rewind   */
-        mask &= mask ^ equals;  /* if (i == dblen) mask = 0 */
-        to[i] = constant_time_select_8(mask, from[i], to[i]);
+    tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
+                                    dblen - mdlen - 1, tlen);
+    for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
+        mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
+        for (i = mdlen + 1; i < dblen - msg_index; i++)
+            db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
+    }
+    for (i = 0; i < tlen; i++) {
+        mask = good & constant_time_lt(i, mlen);
+        to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
     }
 
     /*
diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ossl.c
--- openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync	2019-05-03 08:55:45.191515864 +0200
+++ openssl-1.1.1b/crypto/rsa/rsa_ossl.c	2019-05-03 08:55:51.548406728 +0200
@@ -174,8 +174,7 @@ static int rsa_ossl_public_encrypt(int f
      */
     r = BN_bn2binpad(ret, to, num);
  err:
-    if (ctx != NULL)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     OPENSSL_clear_free(buf, num);
     return r;
@@ -396,8 +395,7 @@ static int rsa_ossl_private_encrypt(int
      */
     r = BN_bn2binpad(res, to, num);
  err:
-    if (ctx != NULL)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     OPENSSL_clear_free(buf, num);
     return r;
@@ -539,11 +537,10 @@ static int rsa_ossl_private_decrypt(int
         goto err;
     }
     RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
-    err_clear_last_constant_time(r >= 0);
+    err_clear_last_constant_time(1 & ~constant_time_msb(r));
 
  err:
-    if (ctx != NULL)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     OPENSSL_clear_free(buf, num);
     return r;
@@ -655,8 +652,7 @@ static int rsa_ossl_public_decrypt(int f
         RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
 
  err:
-    if (ctx != NULL)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     OPENSSL_clear_free(buf, num);
     return r;
diff -up openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync openssl-1.1.1b/crypto/rsa/rsa_pk1.c
--- openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_pk1.c	2019-05-03 08:55:51.549406711 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -192,15 +192,14 @@ int RSA_padding_check_PKCS1_type_2(unsig
         from -= 1 & mask;
         *--em = *from & mask;
     }
-    from = em;
 
-    good = constant_time_is_zero(from[0]);
-    good &= constant_time_eq(from[1], 2);
+    good = constant_time_is_zero(em[0]);
+    good &= constant_time_eq(em[1], 2);
 
     /* scan over padding data */
     found_zero_byte = 0;
     for (i = 2; i < num; i++) {
-        unsigned int equals0 = constant_time_is_zero(from[i]);
+        unsigned int equals0 = constant_time_is_zero(em[i]);
 
         zero_index = constant_time_select_int(~found_zero_byte & equals0,
                                               i, zero_index);
@@ -208,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsig
     }
 
     /*
-     * PS must be at least 8 bytes long, and it starts two bytes into |from|.
+     * PS must be at least 8 bytes long, and it starts two bytes into |em|.
      * If we never found a 0-byte, then |zero_index| is 0 and the check
      * also fails.
      */
@@ -227,24 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsig
     good &= constant_time_ge(tlen, mlen);
 
     /*
-     * Even though we can't fake result's length, we can pretend copying
-     * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
-     * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
-     * where |mlen'| is "saturated" |mlen| value. Deducing information
-     * about failure or |mlen| would take attacker's ability to observe
-     * memory access pattern with byte granularity *as it occurs*. It
-     * should be noted that failure is indistinguishable from normal
-     * operation if |tlen| is fixed by protocol.
-     */
-    tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
-    msg_index = constant_time_select_int(good, msg_index, num - tlen);
-    mlen = num - msg_index;
-    for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
-        unsigned int equals = constant_time_eq(i, mlen);
-
-        from -= tlen & equals;  /* if (i == mlen) rewind   */
-        mask &= mask ^ equals;  /* if (i == mlen) mask = 0 */
-        to[i] = constant_time_select_8(mask, from[i], to[i]);
+     * Move the result in-place by |num|-11-|mlen| bytes to the left.
+     * Then if |good| move |mlen| bytes from |em|+11 to |to|.
+     * Otherwise leave |to| unchanged.
+     * Copy the memory back in a way that does not reveal the size of
+     * the data being copied via a timing side channel. This requires copying
+     * parts of the buffer multiple times based on the bits set in the real
+     * length. Clear bits do a non-copy with identical access pattern.
+     * The loop below has overall complexity of O(N*log(N)).
+     */
+    tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
+                                    num - 11, tlen);
+    for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) {
+        mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0);
+        for (i = 11; i < num - msg_index; i++)
+            em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
+    }
+    for (i = 0; i < tlen; i++) {
+        mask = good & constant_time_lt(i, mlen);
+        to[i] = constant_time_select_8(mask, em[i + 11], to[i]);
     }
 
     OPENSSL_clear_free(em, num);
diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync openssl-1.1.1b/crypto/rsa/rsa_pmeth.c
--- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c	2019-05-03 08:55:51.543406814 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "internal/constant_time_locl.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
@@ -340,10 +342,9 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX
         ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
                                   rctx->pad_mode);
     }
-    if (ret < 0)
-        return ret;
-    *outlen = ret;
-    return 1;
+    *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
+    ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
+    return ret;
 }
 
 static int check_padding_md(const EVP_MD *md, int padding)
diff -up openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ssl.c
--- openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_ssl.c	2019-05-03 08:55:51.550406694 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -55,7 +55,7 @@ int RSA_padding_add_SSLv23(unsigned char
 
 /*
  * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
- * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
+ * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
  * preserves error code reporting for backward compatibility.
  */
 int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
@@ -67,7 +67,10 @@ int RSA_padding_check_SSLv23(unsigned ch
     unsigned int good, found_zero_byte, mask, threes_in_row;
     int zero_index = 0, msg_index, mlen = -1, err;
 
-    if (flen < 10) {
+    if (tlen <= 0 || flen <= 0)
+        return -1;
+
+    if (flen > num || num < 11) {
         RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
         return -1;
     }
@@ -89,10 +92,9 @@ int RSA_padding_check_SSLv23(unsigned ch
         from -= 1 & mask;
         *--em = *from & mask;
     }
-    from = em;
 
-    good = constant_time_is_zero(from[0]);
-    good &= constant_time_eq(from[1], 2);
+    good = constant_time_is_zero(em[0]);
+    good &= constant_time_eq(em[1], 2);
     err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
     mask = ~good;
 
@@ -100,18 +102,18 @@ int RSA_padding_check_SSLv23(unsigned ch
     found_zero_byte = 0;
     threes_in_row = 0;
     for (i = 2; i < num; i++) {
-        unsigned int equals0 = constant_time_is_zero(from[i]);
+        unsigned int equals0 = constant_time_is_zero(em[i]);
 
         zero_index = constant_time_select_int(~found_zero_byte & equals0,
                                               i, zero_index);
         found_zero_byte |= equals0;
 
         threes_in_row += 1 & ~found_zero_byte;
-        threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3);
+        threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3);
     }
 
     /*
-     * PS must be at least 8 bytes long, and it starts two bytes into |from|.
+     * PS must be at least 8 bytes long, and it starts two bytes into |em|.
      * If we never found a 0-byte, then |zero_index| is 0 and the check
      * also fails.
      */
@@ -120,7 +122,7 @@ int RSA_padding_check_SSLv23(unsigned ch
                                    RSA_R_NULL_BEFORE_BLOCK_MISSING);
     mask = ~good;
 
-    good &= constant_time_lt(threes_in_row, 8);
+    good &= constant_time_ge(threes_in_row, 8);
     err = constant_time_select_int(mask | good, err,
                                    RSA_R_SSLV3_ROLLBACK_ATTACK);
     mask = ~good;
@@ -139,24 +141,25 @@ int RSA_padding_check_SSLv23(unsigned ch
     err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE);
 
     /*
-     * Even though we can't fake result's length, we can pretend copying
-     * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
-     * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
-     * where |mlen'| is "saturated" |mlen| value. Deducing information
-     * about failure or |mlen| would take attacker's ability to observe
-     * memory access pattern with byte granularity *as it occurs*. It
-     * should be noted that failure is indistinguishable from normal
-     * operation if |tlen| is fixed by protocol.
+     * Move the result in-place by |num|-11-|mlen| bytes to the left.
+     * Then if |good| move |mlen| bytes from |em|+11 to |to|.
+     * Otherwise leave |to| unchanged.
+     * Copy the memory back in a way that does not reveal the size of
+     * the data being copied via a timing side channel. This requires copying
+     * parts of the buffer multiple times based on the bits set in the real
+     * length. Clear bits do a non-copy with identical access pattern.
+     * The loop below has overall complexity of O(N*log(N)).
      */
-    tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
-    msg_index = constant_time_select_int(good, msg_index, num - tlen);
-    mlen = num - msg_index;
-    for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
-        unsigned int equals = constant_time_eq(i, mlen);
-
-        from -= tlen & equals;  /* if (i == mlen) rewind   */
-        mask &= mask ^ equals;  /* if (i == mlen) mask = 0 */
-        to[i] = constant_time_select_8(mask, from[i], to[i]);
+    tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
+                                    num - 11, tlen);
+    for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) {
+        mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0);
+        for (i = 11; i < num - msg_index; i++)
+            em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
+    }
+    for (i = 0; i < tlen; i++) {
+        mask = good & constant_time_lt(i, mlen);
+        to[i] = constant_time_select_8(mask, em[i + 11], to[i]);
     }
 
     OPENSSL_clear_free(em, num);
diff -up openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync openssl-1.1.1b/crypto/rsa/rsa_x931g.c
--- openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_x931g.c	2019-05-03 08:55:51.530407037 +0200
@@ -133,8 +133,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM
 
     ret = 1;
  err:
-    if (ctx)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     BN_CTX_free(ctx2);
 
@@ -188,8 +187,7 @@ int RSA_X931_generate_key_ex(RSA *rsa, i
     ok = 1;
 
  error:
-    if (ctx)
-        BN_CTX_end(ctx);
+    BN_CTX_end(ctx);
     BN_CTX_free(ctx);
 
     if (ok)
diff -up openssl-1.1.1b/crypto/x509/x509_lu.c.sync openssl-1.1.1b/crypto/x509/x509_lu.c
--- openssl-1.1.1b/crypto/x509/x509_lu.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/x509/x509_lu.c	2019-05-03 08:55:51.546406762 +0200
@@ -297,6 +297,9 @@ int X509_STORE_CTX_get_by_subject(X509_S
     if (ctx == NULL)
         return 0;
 
+    stmp.type = X509_LU_NONE;
+    stmp.data.ptr = NULL;
+
     CRYPTO_THREAD_write_lock(ctx->lock);
     tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
     CRYPTO_THREAD_unlock(ctx->lock);
diff -up openssl-1.1.1b/doc/man1/pkeyutl.pod.sync openssl-1.1.1b/doc/man1/pkeyutl.pod
--- openssl-1.1.1b/doc/man1/pkeyutl.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man1/pkeyutl.pod	2019-05-03 08:55:51.555406608 +0200
@@ -272,20 +272,19 @@ value less than the minimum restriction.
 =head1 DSA ALGORITHM
 
 The DSA algorithm supports signing and verification operations only. Currently
-there are no additional options other than B<digest>. Only the SHA1
-digest can be used and this digest is assumed by default.
+there are no additional B<-pkeyopt> options other than B<digest>. The SHA1
+digest is assumed by default.
 
 =head1 DH ALGORITHM
 
 The DH algorithm only supports the derivation operation and no additional
-options.
+B<-pkeyopt> options.
 
 =head1 EC ALGORITHM
 
 The EC algorithm supports sign, verify and derive operations. The sign and
-verify operations use ECDSA and derive uses ECDH. Currently there are no
-additional options other than B<digest>. Only the SHA1 digest can be used and
-this digest is assumed by default.
+verify operations use ECDSA and derive uses ECDH. SHA1 is assumed by default for
+the B<-pkeyopt> B<digest> option.
 
 =head1 X25519 and X448 ALGORITHMS
 
diff -up openssl-1.1.1b/doc/man1/ts.pod.sync openssl-1.1.1b/doc/man1/ts.pod
--- openssl-1.1.1b/doc/man1/ts.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man1/ts.pod	2019-05-03 08:55:51.554406625 +0200
@@ -262,7 +262,7 @@ specified, the argument is given to the
 =item B<-I<digest>>
 
 Signing digest to use. Overrides the B<signer_digest> config file
-option. (Optional)
+option. (Mandatory unless specified in the config file)
 
 =item B<-chain> certs_file.pem
 
@@ -460,7 +460,8 @@ command line option. (Optional)
 =item B<signer_digest>
 
 Signing digest to use. The same as the
-B<-I<digest>> command line option. (Optional)
+B<-I<digest>> command line option. (Mandatory unless specified on the command
+line)
 
 =item B<default_policy>
 
diff -up openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync openssl-1.1.1b/doc/man3/BIO_s_mem.pod
--- openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/BIO_s_mem.pod	2019-05-03 08:55:51.556406591 +0200
@@ -88,6 +88,22 @@ a buffering BIO to the chain will speed
 Calling BIO_set_mem_buf() on a BIO created with BIO_new_secmem() will
 give undefined results, including perhaps a program crash.
 
+Switching the memory BIO from read write to read only is not supported and
+can give undefined results including a program crash. There are two notable
+exceptions to the rule. The first one is to assign a static memory buffer
+immediately after BIO creation and set the BIO as read only.
+
+The other supported sequence is to start with read write BIO then temporarily
+switch it to read only and call BIO_reset() on the read only BIO immediately
+before switching it back to read write. Before the BIO is freed it must be
+switched back to the read write mode.
+
+Calling BIO_get_mem_ptr() on read only BIO will return a BUF_MEM that
+contains only the remaining data to be read. If the close status of the
+BIO is set to BIO_NOCLOSE, before freeing the BUF_MEM the data pointer
+in it must be set to NULL as the data pointer does not point to an
+allocated memory.
+
 =head1 BUGS
 
 There should be an option to set the maximum size of a memory BIO.
diff -up openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync openssl-1.1.1b/doc/man3/BN_CTX_start.pod
--- openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/BN_CTX_start.pod	2019-05-03 08:55:51.554406625 +0200
@@ -27,6 +27,7 @@ calls must be made before calling any ot
 B<ctx> as an argument.
 
 Finally, BN_CTX_end() must be called before returning from the function.
+If B<ctx> is NULL, nothing is done.
 When BN_CTX_end() is called, the B<BIGNUM> pointers obtained from
 BN_CTX_get() become invalid.
 
diff -up openssl-1.1.1b/doc/man3/BN_new.pod.sync openssl-1.1.1b/doc/man3/BN_new.pod
--- openssl-1.1.1b/doc/man3/BN_new.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/BN_new.pod	2019-05-03 08:55:51.554406625 +0200
@@ -27,6 +27,7 @@ OPENSSL_secure_malloc(3) is used to stor
 BN_clear() is used to destroy sensitive data such as keys when they
 are no longer needed. It erases the memory used by B<a> and sets it
 to the value 0.
+If B<a> is NULL, nothing is done.
 
 BN_free() frees the components of the B<BIGNUM>, and if it was created
 by BN_new(), also the structure itself. BN_clear_free() additionally
diff -up openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync openssl-1.1.1b/doc/man3/EVP_chacha20.pod
--- openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/EVP_chacha20.pod	2019-05-03 08:55:51.536406934 +0200
@@ -21,7 +21,15 @@ The ChaCha20 stream cipher for EVP.
 
 =item EVP_chacha20()
 
-The ChaCha20 stream cipher. The key length is 256 bits, the IV is 96 bits long.
+The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long.
+The first 32 bits consists of a counter in little-endian order followed by a 96
+bit nonce. For example a nonce of:
+
+000000000000000000000002
+
+With an initial counter of 42 (2a in hex) would be expressed as:
+
+2a000000000000000000000000000002
 
 =item EVP_chacha20_poly1305()
 
diff -up openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod
--- openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod	2019-05-03 08:55:51.554406625 +0200
@@ -436,7 +436,9 @@ The following I<ctrl>s are supported for
 
 Sets the nonce length. This call can only be made before specifying the nonce.
 If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum
-nonce length is 16 (B<CHACHA_CTR_SIZE>, i.e. 128-bits).
+nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set
+then the nonce is automatically padded with leading 0 bytes to make it 12 bytes
+in length.
 
 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
 
diff -up openssl-1.1.1b/doc/man3/HMAC.pod.sync openssl-1.1.1b/doc/man3/HMAC.pod
--- openssl-1.1.1b/doc/man3/HMAC.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/HMAC.pod	2019-05-03 08:55:51.539406883 +0200
@@ -63,7 +63,9 @@ If B<md> is NULL, the digest is placed i
 the output is placed in B<md_len>, unless it is B<NULL>. Note: passing a NULL
 value for B<md>  to use the static array is not thread safe.
 
-B<evp_md> can be EVP_sha1(), EVP_ripemd160() etc.
+B<evp_md> is a message digest such as EVP_sha1(), EVP_ripemd160() etc. HMAC does
+not support variable output length digests such as EVP_shake128() and
+EVP_shake256().
 
 HMAC_CTX_new() creates a new HMAC_CTX in heap memory.
 
diff -up openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
--- openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod	2019-05-03 08:55:51.555406608 +0200
@@ -5,6 +5,7 @@
 RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
 RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
 RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
+RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1,
 RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
 RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption
 padding
@@ -14,35 +15,46 @@ padding
  #include <openssl/rsa.h>
 
  int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
-                                  unsigned char *f, int fl);
+                                  const unsigned char *f, int fl);
 
  int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
-                                    unsigned char *f, int fl, int rsa_len);
+                                    const unsigned char *f, int fl, int rsa_len);
 
  int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
-                                  unsigned char *f, int fl);
+                                  const unsigned char *f, int fl);
 
  int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
-                                    unsigned char *f, int fl, int rsa_len);
+                                    const unsigned char *f, int fl, int rsa_len);
 
  int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
-                                unsigned char *f, int fl, unsigned char *p, int pl);
+                                const unsigned char *f, int fl,
+                                const unsigned char *p, int pl);
 
  int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
-                                  unsigned char *f, int fl, int rsa_len,
-                                  unsigned char *p, int pl);
+                                  const unsigned char *f, int fl, int rsa_len,
+                                  const unsigned char *p, int pl);
+
+ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+                                     const unsigned char *f, int fl,
+                                     const unsigned char *p, int pl,
+                                     const EVP_MD *md, const EVP_MD *mgf1md);
+
+ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+                                       const unsigned char *f, int fl, int rsa_len,
+                                       const unsigned char *p, int pl,
+                                       const EVP_MD *md, const EVP_MD *mgf1md);
 
  int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
-                            unsigned char *f, int fl);
+                            const unsigned char *f, int fl);
 
  int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
-                              unsigned char *f, int fl, int rsa_len);
+                              const unsigned char *f, int fl, int rsa_len);
 
  int RSA_padding_add_none(unsigned char *to, int tlen,
-                          unsigned char *f, int fl);
+                          const unsigned char *f, int fl);
 
  int RSA_padding_check_none(unsigned char *to, int tlen,
-                            unsigned char *f, int fl, int rsa_len);
+                            const unsigned char *f, int fl, int rsa_len);
 
 =head1 DESCRIPTION
 
@@ -98,6 +110,10 @@ at B<to>.
 For RSA_padding_xxx_OAEP(), B<p> points to the encoding parameter
 of length B<pl>. B<p> may be B<NULL> if B<pl> is 0.
 
+For RSA_padding_xxx_OAEP_mgf1(), B<md> points to the md hash,
+if B<md> is B<NULL> that means md=sha1, and B<mgf1md> points to
+the mgf1 hash, if B<mgf1md> is B<NULL> that means mgf1md=md.
+
 =head1 RETURN VALUES
 
 The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
@@ -107,15 +123,21 @@ L<ERR_get_error(3)>.
 
 =head1 WARNING
 
-The RSA_padding_check_PKCS1_type_2() padding check leaks timing
+The result of RSA_padding_check_PKCS1_type_2() is a very sensitive
 information which can potentially be used to mount a Bleichenbacher
 padding oracle attack. This is an inherent weakness in the PKCS #1
-v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
-be recommended to pass zero-padded B<f>, so that B<fl> equals to
-B<rsa_len>, and if fixed by protocol, B<tlen> being set to the
-expected length. In such case leakage would be minimal, it would
-take attacker's ability to observe memory access pattern with byte
-granilarity as it occurs, post-factum timing analysis won't do.
+v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not
+possible, the result of RSA_padding_check_PKCS1_type_2() should be
+checked in constant time if it matches the expected length of the
+plaintext and additionally some application specific consistency
+checks on the plaintext need to be performed in constant time.
+If the plaintext is rejected it must be kept secret which of the
+checks caused the application to reject the message.
+Do not remove the zero-padding from the decrypted raw RSA data
+which was computed by RSA_private_decrypt() with B<RSA_NO_PADDING>,
+as this would create a small timing side channel which could be
+used to mount a Bleichenbacher attack against any padding mode
+including PKCS1_OAEP.
 
 =head1 SEE ALSO
 
@@ -125,7 +147,7 @@ L<RSA_sign(3)>, L<RSA_verify(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -up openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod
--- openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod	2019-05-03 08:55:51.555406608 +0200
@@ -8,10 +8,10 @@ RSA_public_encrypt, RSA_private_decrypt
 
  #include <openssl/rsa.h>
 
- int RSA_public_encrypt(int flen, unsigned char *from,
+ int RSA_public_encrypt(int flen, const unsigned char *from,
                         unsigned char *to, RSA *rsa, int padding);
 
- int RSA_private_decrypt(int flen, unsigned char *from,
+ int RSA_private_decrypt(int flen, const unsigned char *from,
                          unsigned char *to, RSA *rsa, int padding);
 
 =head1 DESCRIPTION
@@ -27,6 +27,8 @@ B<padding> denotes one of the following
 =item RSA_PKCS1_PADDING
 
 PKCS #1 v1.5 padding. This currently is the most widely used mode.
+However, it is highly recommended to use RSA_PKCS1_OAEP_PADDING in
+new applications. SEE WARNING BELOW.
 
 =item RSA_PKCS1_OAEP_PADDING
 
@@ -46,23 +48,35 @@ Encrypting user data directly with RSA i
 
 =back
 
-B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
-based padding modes, less than RSA_size(B<rsa>) - 41 for
+B<flen> must not be more than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
+based padding modes, not more than RSA_size(B<rsa>) - 42 for
 RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
-The random number generator must be seeded prior to calling
-RSA_public_encrypt().
+When a padding mode other than RSA_NO_PADDING is in use, then
+RSA_public_encrypt() will include some random bytes into the ciphertext
+and therefore the ciphertext will be different each time, even if the
+plaintext and the public key are exactly identical.
+The returned ciphertext in B<to> will always be zero padded to exactly
+RSA_size(B<rsa>) bytes.
+B<to> and B<from> may overlap.
 
 RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
-private key B<rsa> and stores the plaintext in B<to>. B<to> must point
-to a memory section large enough to hold the decrypted data (which is
-smaller than RSA_size(B<rsa>)). B<padding> is the padding mode that
-was used to encrypt the data.
+private key B<rsa> and stores the plaintext in B<to>. B<flen> should
+be equal to RSA_size(B<rsa>) but may be smaller, when leading zero
+bytes are in the ciphertext. Those are not important and may be removed,
+but RSA_public_encrypt() does not do that. B<to> must point
+to a memory section large enough to hold the maximal possible decrypted
+data (which is equal to RSA_size(B<rsa>) for RSA_NO_PADDING,
+RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5 based padding modes and
+RSA_size(B<rsa>) - 42 for RSA_PKCS1_OAEP_PADDING).
+B<padding> is the padding mode that was used to encrypt the data.
+B<to> and B<from> may overlap.
 
 =head1 RETURN VALUES
 
 RSA_public_encrypt() returns the size of the encrypted data (i.e.,
 RSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the
-recovered plaintext.
+recovered plaintext. A return value of 0 is not an error and
+means only that the plaintext was empty.
 
 On error, -1 is returned; the error codes can be
 obtained by L<ERR_get_error(3)>.
@@ -85,7 +99,7 @@ L<RSA_size(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff -up openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod
--- openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod	2019-05-03 08:55:51.537406917 +0200
@@ -124,7 +124,10 @@ Textual representation of the cipher nam
 
 =item <protocol version>
 
-Protocol version, such as B<TLSv1.2>, when the cipher was first defined.
+The minimum protocol version that the ciphersuite supports, such as B<TLSv1.2>.
+Note that this is not always the same as the protocol version in which the
+ciphersuite was first defined because some ciphersuites are backwards compatible
+with earlier protocol versions.
 
 =item Kx=<key exchange>
 
diff -up openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod
--- openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod	2019-05-03 08:55:51.534406969 +0200
@@ -65,6 +65,8 @@ both required, and on success the caller
 B<*out> using OPENSSL_free().  The contents of B<*out> is an array of integers
 holding the numerical value of the TLS extension types in the order they appear
 in the ClientHello.  B<*outlen> contains the number of elements in the array.
+In situations when the ClientHello has no extensions, the function will return
+success with B<*out> set to NULL and B<*outlen> set to 0.
 
 =head1 NOTES
 
diff -up openssl-1.1.1b/include/openssl/err.h.sync openssl-1.1.1b/include/openssl/err.h
--- openssl-1.1.1b/include/openssl/err.h.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/include/openssl/err.h	2019-05-03 08:55:51.548406728 +0200
@@ -37,6 +37,7 @@ extern "C" {
 # define ERR_TXT_STRING          0x02
 
 # define ERR_FLAG_MARK           0x01
+# define ERR_FLAG_CLEAR          0x02
 
 # define ERR_NUM_ERRORS  16
 typedef struct err_state_st {
diff -up openssl-1.1.1b/ssl/ssl_lib.c.sync openssl-1.1.1b/ssl/ssl_lib.c
--- openssl-1.1.1b/ssl/ssl_lib.c.sync	2019-05-03 08:55:45.196515778 +0200
+++ openssl-1.1.1b/ssl/ssl_lib.c	2019-05-03 08:55:51.535406951 +0200
@@ -5089,6 +5089,11 @@ int SSL_client_hello_get1_extensions_pre
         if (ext->present)
             num++;
     }
+    if (num == 0) {
+        *out = NULL;
+        *outlen = 0;
+        return 1;
+    }
     if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) {
         SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT,
                ERR_R_MALLOC_FAILURE);
diff -up openssl-1.1.1b/ssl/ssl_locl.h.sync openssl-1.1.1b/ssl/ssl_locl.h
--- openssl-1.1.1b/ssl/ssl_locl.h.sync	2019-05-03 08:55:45.011518954 +0200
+++ openssl-1.1.1b/ssl/ssl_locl.h	2019-05-03 08:55:51.541406848 +0200
@@ -574,7 +574,6 @@ struct ssl_session_st {
         /* Session lifetime hint in seconds */
         unsigned long tick_lifetime_hint;
         uint32_t tick_age_add;
-        int tick_identity;
         /* Max number of bytes that can be sent as early data */
         uint32_t max_early_data;
         /* The ALPN protocol selected for this session */
@@ -1356,6 +1355,13 @@ struct ssl_st {
          * as this extension is optional on server side.
          */
         uint8_t max_fragment_len_mode;
+
+        /*
+         * On the client side the number of ticket identities we sent in the
+         * ClientHello. On the server side the identity of the ticket we
+         * selected.
+         */
+        int tick_identity;
     } ext;
 
     /*
@@ -2052,9 +2058,6 @@ typedef enum downgrade_en {
 #define TLSEXT_KEX_MODE_FLAG_KE                                 1
 #define TLSEXT_KEX_MODE_FLAG_KE_DHE                             2
 
-/* An invalid index into the TLSv1.3 PSK identities */
-#define TLSEXT_PSK_BAD_IDENTITY                                 -1
-
 #define SSL_USE_PSS(s) (s->s3->tmp.peer_sigalg != NULL && \
                         s->s3->tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS)
 
diff -up openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync openssl-1.1.1b/ssl/statem/extensions_clnt.c
--- openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/ssl/statem/extensions_clnt.c	2019-05-03 08:55:51.542406831 +0200
@@ -993,7 +993,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
     const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
     int dores = 0;
 
-    s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
+    s->ext.tick_identity = 0;
 
     /*
      * Note: At this stage of the code we only support adding a single
@@ -1083,6 +1083,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
         agems += s->session->ext.tick_age_add;
 
         reshashsize = EVP_MD_size(mdres);
+        s->ext.tick_identity++;
         dores = 1;
     }
 
@@ -1142,6 +1143,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
                      ERR_R_INTERNAL_ERROR);
             return EXT_RETURN_FAIL;
         }
+        s->ext.tick_identity++;
     }
 
     if (!WPACKET_close(pkt)
@@ -1180,11 +1182,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
         return EXT_RETURN_FAIL;
     }
 
-    if (dores)
-        s->session->ext.tick_identity = 0;
-    if (s->psksession != NULL)
-        s->psksession->ext.tick_identity = (dores ? 1 : 0);
-
     return EXT_RETURN_SENT;
 #else
     return EXT_RETURN_NOT_SENT;
@@ -1927,8 +1924,7 @@ int tls_parse_stoc_early_data(SSL *s, PA
     }
 
     if (!s->ext.early_data_ok
-            || !s->hit
-            || s->session->ext.tick_identity != 0) {
+            || !s->hit) {
         /*
          * If we get here then we didn't send early data, or we didn't resume
          * using the first identity, or the SNI/ALPN is not consistent so the
@@ -1956,17 +1952,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
         return 0;
     }
 
-    if (s->session->ext.tick_identity == (int)identity) {
+    if (identity >= (unsigned int)s->ext.tick_identity) {
+        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
+                 SSL_R_BAD_PSK_IDENTITY);
+        return 0;
+    }
+
+    /*
+     * Session resumption tickets are always sent before PSK tickets. If the
+     * ticket index is 0 then it must be for a session resumption ticket if we
+     * sent two tickets, or if we didn't send a PSK ticket.
+     */
+    if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
         s->hit = 1;
         SSL_SESSION_free(s->psksession);
         s->psksession = NULL;
         return 1;
     }
 
-    if (s->psksession == NULL
-            || s->psksession->ext.tick_identity != (int)identity) {
-        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
-                 SSL_R_BAD_PSK_IDENTITY);
+    if (s->psksession == NULL) {
+        /* Should never happen */
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
+                 ERR_R_INTERNAL_ERROR);
         return 0;
     }
 
@@ -1985,6 +1992,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
     s->session = s->psksession;
     s->psksession = NULL;
     s->hit = 1;
+    /* Early data is only allowed if we used the first ticket */
+    if (identity != 0)
+        s->ext.early_data_ok = 0;
 #endif
 
     return 1;
diff -up openssl-1.1.1b/ssl/statem/extensions.c.sync openssl-1.1.1b/ssl/statem/extensions.c
--- openssl-1.1.1b/ssl/statem/extensions.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/ssl/statem/extensions.c	2019-05-03 08:55:51.541406848 +0200
@@ -989,7 +989,6 @@ static int final_server_name(SSL *s, uns
                 ss->ext.ticklen = 0;
                 ss->ext.tick_lifetime_hint = 0;
                 ss->ext.tick_age_add = 0;
-                ss->ext.tick_identity = 0;
                 if (!ssl_generate_session_id(s, ss)) {
                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
                              ERR_R_INTERNAL_ERROR);
@@ -1646,7 +1645,6 @@ static int final_early_data(SSL *s, unsi
 
     if (s->max_early_data == 0
             || !s->hit
-            || s->session->ext.tick_identity != 0
             || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
             || !s->ext.early_data_ok
             || s->hello_retry_request != SSL_HRR_NONE
diff -up openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync openssl-1.1.1b/ssl/statem/extensions_srvr.c
--- openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/ssl/statem/extensions_srvr.c	2019-05-03 08:55:51.542406831 +0200
@@ -1274,7 +1274,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *p
         goto err;
     }
 
-    sess->ext.tick_identity = id;
+    s->ext.tick_identity = id;
 
     SSL_SESSION_free(s->session);
     s->session = sess;
@@ -1948,7 +1948,7 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s
 
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
             || !WPACKET_start_sub_packet_u16(pkt)
-            || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
+            || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
             || !WPACKET_close(pkt)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                  SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
diff -up openssl-1.1.1b/ssl/statem/statem_clnt.c.sync openssl-1.1.1b/ssl/statem/statem_clnt.c
--- openssl-1.1.1b/ssl/statem/statem_clnt.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/ssl/statem/statem_clnt.c	2019-05-03 08:55:51.543406814 +0200
@@ -1613,10 +1613,7 @@ MSG_PROCESS_RETURN tls_process_server_he
          * so the PAC-based session secret is always preserved. It'll be
          * overwritten if the server refuses resumption.
          */
-        if (s->session->session_id_length > 0
-                || (SSL_IS_TLS13(s)
-                    && s->session->ext.tick_identity
-                       != TLSEXT_PSK_BAD_IDENTITY)) {
+        if (s->session->session_id_length > 0) {
             tsan_counter(&s->session_ctx->stats.sess_miss);
             if (!ssl_get_new_session(s, 0)) {
                 /* SSLfatal() already called */
diff -up openssl-1.1.1b/test/bio_memleak_test.c.sync openssl-1.1.1b/test/bio_memleak_test.c
--- openssl-1.1.1b/test/bio_memleak_test.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/bio_memleak_test.c	2019-05-03 08:55:51.556406591 +0200
@@ -18,28 +18,170 @@ static int test_bio_memleak(void)
     int ok = 0;
     BIO *bio;
     BUF_MEM bufmem;
-    const char *str = "BIO test\n";
+    static const char str[] = "BIO test\n";
     char buf[100];
 
     bio = BIO_new(BIO_s_mem());
-    if (bio == NULL)
+    if (!TEST_ptr(bio))
         goto finish;
-    bufmem.length = strlen(str) + 1;
+    bufmem.length = sizeof(str);
     bufmem.data = (char *) str;
     bufmem.max = bufmem.length;
     BIO_set_mem_buf(bio, &bufmem, BIO_NOCLOSE);
     BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY);
+    if (!TEST_int_eq(BIO_read(bio, buf, sizeof(buf)), sizeof(str)))
+        goto finish;
+    if (!TEST_mem_eq(buf, sizeof(str), str, sizeof(str)))
+        goto finish;
+    ok = 1;
 
-    if (BIO_read(bio, buf, sizeof(buf)) <= 0)
-	goto finish;
+finish:
+    BIO_free(bio);
+    return ok;
+}
 
-    ok = strcmp(buf, str) == 0;
+static int test_bio_get_mem(void)
+{
+    int ok = 0;
+    BIO *bio = NULL;
+    BUF_MEM *bufmem = NULL;
+
+    bio = BIO_new(BIO_s_mem());
+    if (!TEST_ptr(bio))
+        goto finish;
+    if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12))
+        goto finish;
+    BIO_get_mem_ptr(bio, &bufmem);
+    if (!TEST_ptr(bufmem))
+        goto finish;
+    if (!TEST_int_gt(BIO_set_close(bio, BIO_NOCLOSE), 0))
+        goto finish;
+    BIO_free(bio);
+    bio = NULL;
+    if (!TEST_mem_eq(bufmem->data, bufmem->length, "Hello World\n", 12))
+        goto finish;
+    ok = 1;
 
 finish:
     BIO_free(bio);
+    BUF_MEM_free(bufmem);
     return ok;
 }
 
+static int test_bio_new_mem_buf(void)
+{
+    int ok = 0;
+    BIO *bio;
+    BUF_MEM *bufmem;
+    char data[16];
+
+    bio = BIO_new_mem_buf("Hello World\n", 12);
+    if (!TEST_ptr(bio))
+        goto finish;
+    if (!TEST_int_eq(BIO_read(bio, data, 5), 5))
+        goto finish;
+    if (!TEST_mem_eq(data, 5, "Hello", 5))
+        goto finish;
+    if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0))
+        goto finish;
+    if (!TEST_int_lt(BIO_write(bio, "test", 4), 0))
+        goto finish;
+    if (!TEST_int_eq(BIO_read(bio, data, 16), 7))
+        goto finish;
+    if (!TEST_mem_eq(data, 7, " World\n", 7))
+        goto finish;
+    if (!TEST_int_gt(BIO_reset(bio), 0))
+        goto finish;
+    if (!TEST_int_eq(BIO_read(bio, data, 16), 12))
+        goto finish;
+    if (!TEST_mem_eq(data, 12, "Hello World\n", 12))
+        goto finish;
+    ok = 1;
+
+finish:
+    BIO_free(bio);
+    return ok;
+}
+
+static int test_bio_rdonly_mem_buf(void)
+{
+    int ok = 0;
+    BIO *bio, *bio2 = NULL;
+    BUF_MEM *bufmem;
+    char data[16];
+
+    bio = BIO_new_mem_buf("Hello World\n", 12);
+    if (!TEST_ptr(bio))
+        goto finish;
+    if (!TEST_int_eq(BIO_read(bio, data, 5), 5))
+        goto finish;
+    if (!TEST_mem_eq(data, 5, "Hello", 5))
+        goto finish;
+    if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0))
+        goto finish;
+    (void)BIO_set_close(bio, BIO_NOCLOSE);
+
+    bio2 = BIO_new(BIO_s_mem());
+    if (!TEST_ptr(bio2))
+        goto finish;
+    BIO_set_mem_buf(bio2, bufmem, BIO_CLOSE);
+    BIO_set_flags(bio2, BIO_FLAGS_MEM_RDONLY);
+
+    if (!TEST_int_eq(BIO_read(bio2, data, 16), 7))
+        goto finish;
+    if (!TEST_mem_eq(data, 7, " World\n", 7))
+        goto finish;
+    if (!TEST_int_gt(BIO_reset(bio2), 0))
+        goto finish;
+    if (!TEST_int_eq(BIO_read(bio2, data, 16), 7))
+        goto finish;
+    if (!TEST_mem_eq(data, 7, " World\n", 7))
+        goto finish;
+    ok = 1;
+
+finish:
+    BIO_free(bio);
+    BIO_free(bio2);
+    return ok;
+}
+
+static int test_bio_rdwr_rdonly(void)
+{
+    int ok = 0;
+    BIO *bio = NULL;
+    char data[16];
+
+    bio = BIO_new(BIO_s_mem());
+    if (!TEST_ptr(bio))
+        goto finish;
+    if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12))
+        goto finish;
+
+    BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY);
+    if (!TEST_int_eq(BIO_read(bio, data, 16), 12))
+        goto finish;
+    if (!TEST_mem_eq(data, 12, "Hello World\n", 12))
+        goto finish;
+    if (!TEST_int_gt(BIO_reset(bio), 0))
+        goto finish;
+
+    BIO_clear_flags(bio, BIO_FLAGS_MEM_RDONLY);
+    if (!TEST_int_eq(BIO_puts(bio, "Hi!\n"), 4))
+        goto finish;
+    if (!TEST_int_eq(BIO_read(bio, data, 16), 16))
+        goto finish;
+
+    if (!TEST_mem_eq(data, 16, "Hello World\nHi!\n", 16))
+        goto finish;
+
+    ok = 1;
+
+finish:
+    BIO_free(bio);
+    return ok;
+}
+
+
 int global_init(void)
 {
     CRYPTO_set_mem_debug(1);
@@ -50,5 +192,9 @@ int global_init(void)
 int setup_tests(void)
 {
     ADD_TEST(test_bio_memleak);
+    ADD_TEST(test_bio_get_mem);
+    ADD_TEST(test_bio_new_mem_buf);
+    ADD_TEST(test_bio_rdonly_mem_buf);
+    ADD_TEST(test_bio_rdwr_rdonly);
     return 1;
 }
diff -up openssl-1.1.1b/test/ectest.c.sync openssl-1.1.1b/test/ectest.c
--- openssl-1.1.1b/test/ectest.c.sync	2019-05-03 08:55:45.127516962 +0200
+++ openssl-1.1.1b/test/ectest.c	2019-05-03 08:55:51.524407140 +0200
@@ -728,6 +728,74 @@ err:
     BN_CTX_free(ctx);
     return r;
 }
+
+/*
+ * Tests a point known to cause an incorrect underflow in an old version of
+ * ecp_nist521.c
+ */
+static int underflow_test(void)
+{
+    BN_CTX *ctx = NULL;
+    EC_GROUP *grp = NULL;
+    EC_POINT *P = NULL, *Q = NULL, *R = NULL;
+    BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL;
+    BIGNUM *k = NULL;
+    int testresult = 0;
+    const char *x1str =
+        "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4"
+        "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004";
+    const char *p521m1 =
+        "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+        "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe";
+
+    ctx = BN_CTX_new();
+    if (!TEST_ptr(ctx))
+        return 0;
+
+    BN_CTX_start(ctx);
+    x1 = BN_CTX_get(ctx);
+    y1 = BN_CTX_get(ctx);
+    z1 = BN_CTX_get(ctx);
+    x2 = BN_CTX_get(ctx);
+    y2 = BN_CTX_get(ctx);
+    k = BN_CTX_get(ctx);
+    if (!TEST_ptr(k))
+        goto err;
+
+    grp = EC_GROUP_new_by_curve_name(NID_secp521r1);
+    P = EC_POINT_new(grp);
+    Q = EC_POINT_new(grp);
+    R = EC_POINT_new(grp);
+    if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R))
+        goto err;
+
+    if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0)
+            || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0)
+            || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0)
+            || !TEST_int_gt(BN_hex2bn(&k, "02"), 0)
+            || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1,
+                                                                   y1, z1, ctx))
+            || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx))
+            || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx))
+            || !TEST_true(EC_POINT_dbl(grp, R, P, ctx))
+            || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx)))
+        goto err;
+
+    if (!TEST_int_eq(BN_cmp(x1, x2), 0)
+            || !TEST_int_eq(BN_cmp(y1, y2), 0))
+        goto err;
+
+    testresult = 1;
+
+ err:
+    BN_CTX_end(ctx);
+    EC_POINT_free(P);
+    EC_POINT_free(Q);
+    EC_GROUP_free(grp);
+    BN_CTX_free(ctx);
+
+    return testresult;
+}
 # endif
 
 static const unsigned char p521_named[] = {
@@ -835,6 +903,7 @@ int setup_tests(void)
 # endif
 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
     ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
+    ADD_TEST(underflow_test);
 # endif
     ADD_ALL_TESTS(internal_curve_test, crv_len);
     ADD_ALL_TESTS(internal_curve_test_method, crv_len);
diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt
--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt	2019-05-03 08:55:51.552406659 +0200
@@ -2232,7 +2232,7 @@ IV = 00000000000000000000000000000000
 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
 Ciphertext = 30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd
 
-Title = ARIA GCM test vectors from IETF draft-ietf-avtcore-aria-srtp-10
+Title = ARIA GCM test vectors from RFC8269
 
 Cipher = ARIA-128-GCM
 Key = e91e5e75da65554a48181f3846349562
@@ -2250,6 +2250,36 @@ Tag = e210d6ced2cf430ff841472915e7ef48
 Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
 Ciphertext = 6f9e4bcbc8c85fc0128fb1e4a0a20cb9932ff74581f54fc013dd054b19f99371425b352d97d3f337b90b63d1b082adeeea9d2d7391897d591b985e55fb50cb5350cf7d38dc27dda127c078a149c8eb98083d66363a46e3726af217d3a00275ad5bf772c7610ea4c23006878f0ee69a8397703169a419303f40b72e4573714d19e2697df61e7c7252e5abc6bade876ac4961bfac4d5e867afca351a48aed52822
 
+Title = ARIA GCM self-generated test vectors
+
+Cipher = ARIA-128-GCM
+Key = e91e5e75da65554a48181f3846349562
+# Shorter than default IV
+IV = 0001020304
+AAD = 8008315ebf2e6fe020e8f5eb
+Tag = ebaa2645bb154542117ee46031aa176e
+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
+Ciphertext = 1723ccfc0ed44a12520473cfeb63bc933cd450a943f5f1cba78e19d72f80cc102acc51f2459a06cf6435182b8ddd451f83e13479efe5ec7dfbf16229f4017920fb41457a9b6fe1a401b30b2f332d827ae2f86e962326927c1ed8bfedac1f7a00ddde63bd392a8f28a488ba5974689f8d15b9b1739fb50aae0ff244026ec72064003c621b33ffc8086b0a97eefb70604a2826f6499f6eb12d67a0da03fc8e1482
+
+Cipher = ARIA-128-GCM
+Key = e91e5e75da65554a48181f3846349562
+# Longer than default IV
+IV = 000102030405060708090a0b0c0d0e0f
+AAD = 8008315ebf2e6fe020e8f5eb
+Tag = 61f7f44c7da3c60195b29ae0b46051a4
+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
+Ciphertext = 0d3e98fcaf7a2c4fe9198d66add90d113e5e0ff47598c40a4bf501960d935a4156c9a4d46c9358a608e10a16479a4247c9ab9bb4a02809e3eac3571b832590fe2ca3e2d545741e36282d96c041fc7d39a46ed60214c2c0ec70f27768dfea4f9563b5d5c2ac33b1368a78f2908f5daf942433fec6ab588f09e908e95cc8dfa85d1a0dfd5835dc14e148323230c63eedc99a9ce942214cb3768b97b821d613629f
+
+Cipher = ARIA-128-GCM
+Key = e91e5e75da65554a48181f3846349562
+# Extra long IV
+IV = 000102030405060708090a0b0c0d0e0f1011
+AAD = 8008315ebf2e6fe020e8f5eb
+Tag = c8b31ab6c2ddccab06b76af4e56e664e
+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
+Ciphertext = 616a7bce24206501082cef7267c09a4affa54f8f82eb7fb2cdebdcaab4b6ab05c37e891c2d0fc90d15c5fb684247625c8bc0befad86896ae1c8f5a8506954caba4e13df0a0eb23853d4474e7f3b2c57bb398456a24d198e14566bce8a5f8d3bcdb12994d2fdc0f5cf19aeff990c1fe119e01f9fcc86757b1d43a9accf7b2f913c2208a46c1967f403867f89b46ffe96864c63f042265806ea5270e0dddd0e8dd
+
+
 Title = ARIA CCM test vectors from IETF draft-ietf-avtcore-aria-srtp-02
 
 # 16-byte Tag
@@ -2357,14 +2387,41 @@ Operation = ENCRYPT
 Plaintext = B41E6BE2EBA84A148E2EED84593C5EC7
 Ciphertext = 9B9B7BFCD1813CB95D0B3618F40F5122
 
-Title = Chacha20
+Title = Chacha20 test vectors from RFC7539
 
+# A.1 Test Vector 1
 Cipher = chacha20
 Key = 0000000000000000000000000000000000000000000000000000000000000000
 IV = 00000000000000000000000000000000
 Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 Ciphertext = 76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586
 
+# A.1 Test Vector 2
+Cipher = chacha20
+Key = 0000000000000000000000000000000000000000000000000000000000000000
+IV = 01000000000000000000000000000000
+Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Ciphertext = 9f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29b721769ce64e43d57133b074d839d531ed1f28510afb45ace10a1f4b794d6f
+
+# A.2 Test Vector 1 is the same as A.1 Test Vector 1
+# A.2 Test Vector 2
+Cipher = chacha20
+Key = 0000000000000000000000000000000000000000000000000000000000000001
+#Counter (first 4 bytes) expressed in little-endian order
+IV = 01000000000000000000000000000002
+Plaintext = 416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f
+Ciphertext = a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221
+
+# A.2 Test Vector 3
+Cipher = chacha20
+Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0
+#Counter (first 4 bytes) expressed in little-endian order
+IV = 2a000000000000000000000000000002
+Plaintext = 2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e
+Ciphertext = 62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1
+
+Title = Chacha20
+
 Cipher = chacha20
 Key = 0000000000000000000000000000000000000000000000000000000000000001
 IV = 00000000000000000000000000000000
@@ -2506,3 +2563,12 @@ AAD = f33388860000000000004e91
 Tag = e0723bce23528ce6ccb10ff9627038bf
 Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d
 Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
+
+Cipher = chacha20-poly1305
+Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0
+IV = ff000000000102030405060708
+AAD = f33388860000000000004e91
+Tag = e0723bce23528ce6ccb10ff9627038bf
+Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d
+Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
+Result = INVALID_IV_LENGTH
diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt
--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt	2019-05-03 08:55:51.539406883 +0200
@@ -351,6 +351,14 @@ Input = "Sample message for keylen>block
 Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687
 Output = 5f464f5e5b7848e3885e49b2c385f0694985d0e38966242dc4a5fe3fea4b37d46b65ceced5dcf59438dd840bab22269f0ba7febdb9fcf74602a35666b2a32915
 
+Title = HMAC self generated tests
+
+MAC = HMAC
+Algorithm = SHAKE128
+Input = "Test that SHAKE128 fails"
+Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+Result = DIGESTSIGNINIT_ERROR
+
 
 Title = CMAC tests (from FIPS module)
 
diff -up openssl-1.1.1b/test/recipes/80-test_cms.t.sync openssl-1.1.1b/test/recipes/80-test_cms.t
--- openssl-1.1.1b/test/recipes/80-test_cms.t.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/recipes/80-test_cms.t	2019-05-03 08:55:51.533406986 +0200
@@ -308,6 +308,14 @@ my @smime_cms_param_tests = (
 	"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
     ],
 
+    [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=-3",
+      [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+	"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
+	"-keyopt", "rsa_pss_saltlen:-3", "-out", "test.cms" ],
+      [ "-verify", "-in", "test.cms", "-inform", "PEM",
+	"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+    ],
+
     [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
       [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr",
 	"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
diff -up openssl-1.1.1b/test/rsa_test.c.sync openssl-1.1.1b/test/rsa_test.c
--- openssl-1.1.1b/test/rsa_test.c.sync	2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/rsa_test.c	2019-05-03 08:55:51.523407157 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -268,6 +268,36 @@ err:
     return ret;
 }
 
+static int test_rsa_sslv23(int idx)
+{
+    int ret = 0;
+    RSA *key;
+    unsigned char ptext[256];
+    unsigned char ctext[256];
+    static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
+    unsigned char ctext_ex[256];
+    int plen;
+    int clen = 0;
+    int num;
+
+    plen = sizeof(ptext_ex) - 1;
+    clen = rsa_setkey(&key, ctext_ex, idx);
+
+    num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
+                             RSA_SSLV23_PADDING);
+    if (!TEST_int_eq(num, clen))
+        goto err;
+
+    num = RSA_private_decrypt(num, ctext, ptext, key, RSA_SSLV23_PADDING);
+    if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
+        goto err;
+
+    ret = 1;
+err:
+    RSA_free(key);
+    return ret;
+}
+
 static int test_rsa_oaep(int idx)
 {
     int ret = 0;
@@ -332,6 +362,7 @@ err:
 int setup_tests(void)
 {
     ADD_ALL_TESTS(test_rsa_pkcs1, 3);
+    ADD_ALL_TESTS(test_rsa_sslv23, 3);
     ADD_ALL_TESTS(test_rsa_oaep, 3);
     return 1;
 }