diff -up openssl-1.1.1b/apps/asn1pars.c.sync openssl-1.1.1b/apps/asn1pars.c --- openssl-1.1.1b/apps/asn1pars.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/apps/asn1pars.c 2019-05-03 08:55:51.532407003 +0200 @@ -170,17 +170,17 @@ int asn1parse_main(int argc, char **argv if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL) goto end; + if ((buf = BUF_MEM_new()) == NULL) + goto end; if (strictpem) { - if (PEM_read_bio(in, &name, &header, &str, &num) != - 1) { + if (PEM_read_bio(in, &name, &header, &str, &num) != 1) { BIO_printf(bio_err, "Error reading PEM file\n"); ERR_print_errors(bio_err); goto end; } + buf->data = (char *)str; + buf->length = buf->max = num; } else { - - if ((buf = BUF_MEM_new()) == NULL) - goto end; if (!BUF_MEM_grow(buf, BUFSIZ * 8)) goto end; /* Pre-allocate :-) */ @@ -303,8 +303,6 @@ int asn1parse_main(int argc, char **argv BUF_MEM_free(buf); OPENSSL_free(name); OPENSSL_free(header); - if (strictpem) - OPENSSL_free(str); ASN1_TYPE_free(at); sk_OPENSSL_STRING_free(osk); return ret; diff -up openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl --- openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl 2019-05-03 08:55:51.551406676 +0200 @@ -1829,7 +1829,7 @@ Lctr32_enc8x_three: stvx_u $out1,$x10,$out stvx_u $out2,$x20,$out addi $out,$out,0x30 - b Lcbc_dec8x_done + b Lctr32_enc8x_done .align 5 Lctr32_enc8x_two: @@ -1841,7 +1841,7 @@ Lctr32_enc8x_two: stvx_u $out0,$x00,$out stvx_u $out1,$x10,$out addi $out,$out,0x20 - b Lcbc_dec8x_done + b Lctr32_enc8x_done .align 5 Lctr32_enc8x_one: diff -up openssl-1.1.1b/crypto/bio/b_addr.c.sync openssl-1.1.1b/crypto/bio/b_addr.c --- openssl-1.1.1b/crypto/bio/b_addr.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/bio/b_addr.c 2019-05-03 08:55:51.555406608 +0200 @@ -683,6 +683,12 @@ int BIO_lookup_ex(const char *host, cons hints.ai_family = family; hints.ai_socktype = socktype; hints.ai_protocol = protocol; +#ifdef AI_ADDRCONFIG +#ifdef AF_UNSPEC + if (family == AF_UNSPEC) +#endif + hints.ai_flags |= AI_ADDRCONFIG; +#endif if (lookup_type == BIO_LOOKUP_SERVER) hints.ai_flags |= AI_PASSIVE; diff -up openssl-1.1.1b/crypto/bio/bss_mem.c.sync openssl-1.1.1b/crypto/bio/bss_mem.c --- openssl-1.1.1b/crypto/bio/bss_mem.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/bio/bss_mem.c 2019-05-03 08:55:51.556406591 +0200 @@ -57,7 +57,12 @@ static const BIO_METHOD secmem_method = NULL, /* mem_callback_ctrl */ }; -/* BIO memory stores buffer and read pointer */ +/* + * BIO memory stores buffer and read pointer + * however the roles are different for read only BIOs. + * In that case the readp just stores the original state + * to be used for reset. + */ typedef struct bio_buf_mem_st { struct buf_mem_st *buf; /* allocated buffer */ struct buf_mem_st *readp; /* read pointer */ @@ -192,11 +197,14 @@ static int mem_read(BIO *b, char *out, i BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; BUF_MEM *bm = bbm->readp; + if (b->flags & BIO_FLAGS_MEM_RDONLY) + bm = bbm->buf; BIO_clear_retry_flags(b); ret = (outl >= 0 && (size_t)outl > bm->length) ? (int)bm->length : outl; if ((out != NULL) && (ret > 0)) { memcpy(out, bm->data, ret); bm->length -= ret; + bm->max -= ret; bm->data += ret; } else if (bm->length == 0) { ret = b->num; @@ -241,29 +249,36 @@ static long mem_ctrl(BIO *b, int cmd, lo BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; BUF_MEM *bm; + if (b->flags & BIO_FLAGS_MEM_RDONLY) + bm = bbm->buf; + else + bm = bbm->readp; + switch (cmd) { case BIO_CTRL_RESET: bm = bbm->buf; if (bm->data != NULL) { - /* For read only case reset to the start again */ - if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & BIO_FLAGS_NONCLEAR_RST)) { - bm->length = bm->max; + if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) { + if (b->flags & BIO_FLAGS_NONCLEAR_RST) { + bm->length = bm->max; + } else { + memset(bm->data, 0, bm->max); + bm->length = 0; + } + *bbm->readp = *bbm->buf; } else { - memset(bm->data, 0, bm->max); - bm->length = 0; + /* For read only case just reset to the start again */ + *bbm->buf = *bbm->readp; } - *bbm->readp = *bbm->buf; } break; case BIO_CTRL_EOF: - bm = bbm->readp; ret = (long)(bm->length == 0); break; case BIO_C_SET_BUF_MEM_EOF_RETURN: b->num = (int)num; break; case BIO_CTRL_INFO: - bm = bbm->readp; ret = (long)bm->length; if (ptr != NULL) { pptr = (char **)ptr; @@ -278,8 +293,9 @@ static long mem_ctrl(BIO *b, int cmd, lo break; case BIO_C_GET_BUF_MEM_PTR: if (ptr != NULL) { - mem_buf_sync(b); - bm = bbm->readp; + if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) + mem_buf_sync(b); + bm = bbm->buf; pptr = (char **)ptr; *pptr = (char *)bm; } @@ -294,7 +310,6 @@ static long mem_ctrl(BIO *b, int cmd, lo ret = 0L; break; case BIO_CTRL_PENDING: - bm = bbm->readp; ret = (long)bm->length; break; case BIO_CTRL_DUP: @@ -318,6 +333,8 @@ static int mem_gets(BIO *bp, char *buf, BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)bp->ptr; BUF_MEM *bm = bbm->readp; + if (bp->flags & BIO_FLAGS_MEM_RDONLY) + bm = bbm->buf; BIO_clear_retry_flags(bp); j = bm->length; if ((size - 1) < j) diff -up openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync openssl-1.1.1b/crypto/bn/asm/ppc.pl --- openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/bn/asm/ppc.pl 2019-05-03 08:55:51.530407037 +0200 @@ -258,6 +258,7 @@ $data=<err_stack) ctx->err_stack--; diff -up openssl-1.1.1b/crypto/bn/bn_lib.c.sync openssl-1.1.1b/crypto/bn/bn_lib.c --- openssl-1.1.1b/crypto/bn/bn_lib.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/bn/bn_lib.c 2019-05-03 08:55:51.525407123 +0200 @@ -338,6 +338,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b) void BN_clear(BIGNUM *a) { + if (a == NULL) + return; bn_check_top(a); if (a->d != NULL) OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax); diff -up openssl-1.1.1b/crypto/bn/bn_prime.c.sync openssl-1.1.1b/crypto/bn/bn_prime.c --- openssl-1.1.1b/crypto/bn/bn_prime.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/bn/bn_prime.c 2019-05-03 08:55:51.525407123 +0200 @@ -135,8 +135,7 @@ int BN_generate_prime_ex(BIGNUM *ret, in found = 1; err: OPENSSL_free(mods); - if (ctx != NULL) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(ctx); bn_check_top(ret); return found; diff -up openssl-1.1.1b/crypto/chacha/build.info.sync openssl-1.1.1b/crypto/chacha/build.info --- openssl-1.1.1b/crypto/chacha/build.info.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/chacha/build.info 2019-05-03 08:55:51.538406900 +0200 @@ -9,6 +9,8 @@ GENERATE[chacha-armv4.S]=asm/chacha-armv INCLUDE[chacha-armv4.o]=.. GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl $(PERLASM_SCHEME) INCLUDE[chacha-armv8.o]=.. +GENERATE[chacha-s390x.S]=asm/chacha-s390x.pl $(PERLASM_SCHEME) +INCLUDE[chacha-s390x.o]=.. BEGINRAW[Makefile(unix)] ##### CHACHA assembler implementations diff -up openssl-1.1.1b/crypto/conf/conf_sap.c.sync openssl-1.1.1b/crypto/conf/conf_sap.c --- openssl-1.1.1b/crypto/conf/conf_sap.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/conf/conf_sap.c 2019-05-03 08:55:51.550406694 +0200 @@ -35,6 +35,7 @@ void OPENSSL_config(const char *appname) memset(&settings, 0, sizeof(settings)); if (appname != NULL) settings.appname = strdup(appname); + settings.flags = DEFAULT_CONF_MFLAGS; OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings); } #endif diff -up openssl-1.1.1b/crypto/dh/dh_check.c.sync openssl-1.1.1b/crypto/dh/dh_check.c --- openssl-1.1.1b/crypto/dh/dh_check.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dh/dh_check.c 2019-05-03 08:55:51.525407123 +0200 @@ -58,10 +58,8 @@ int DH_check_params(const DH *dh, int *r ok = 1; err: - if (ctx != NULL) { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } + BN_CTX_end(ctx); + BN_CTX_free(ctx); return ok; } @@ -171,10 +169,8 @@ int DH_check(const DH *dh, int *ret) } ok = 1; err: - if (ctx != NULL) { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } + BN_CTX_end(ctx); + BN_CTX_free(ctx); return ok; } @@ -225,9 +221,7 @@ int DH_check_pub_key(const DH *dh, const ok = 1; err: - if (ctx != NULL) { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } + BN_CTX_end(ctx); + BN_CTX_free(ctx); return ok; } diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.sync openssl-1.1.1b/crypto/dh/dh_gen.c --- openssl-1.1.1b/crypto/dh/dh_gen.c.sync 2019-05-03 08:55:45.170516224 +0200 +++ openssl-1.1.1b/crypto/dh/dh_gen.c 2019-05-03 08:55:51.525407123 +0200 @@ -144,9 +144,7 @@ static int dh_builtin_genparams(DH *ret, ok = 0; } - if (ctx != NULL) { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } + BN_CTX_end(ctx); + BN_CTX_free(ctx); return ok; } diff -up openssl-1.1.1b/crypto/dh/dh_key.c.sync openssl-1.1.1b/crypto/dh/dh_key.c --- openssl-1.1.1b/crypto/dh/dh_key.c.sync 2019-05-03 08:55:45.170516224 +0200 +++ openssl-1.1.1b/crypto/dh/dh_key.c 2019-05-03 08:55:51.526407106 +0200 @@ -237,10 +237,8 @@ static int compute_key(unsigned char *ke ret = BN_bn2bin(tmp, key); err: - if (ctx != NULL) { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } + BN_CTX_end(ctx); + BN_CTX_free(ctx); return ret; } diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync openssl-1.1.1b/crypto/dsa/dsa_gen.c --- openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync 2019-05-03 08:55:45.171516207 +0200 +++ openssl-1.1.1b/crypto/dsa/dsa_gen.c 2019-05-03 08:55:51.526407106 +0200 @@ -308,8 +308,7 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (seed_out) memcpy(seed_out, seed, qsize); } - if (ctx) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(ctx); BN_MONT_CTX_free(mont); return ok; @@ -641,8 +640,7 @@ int dsa_builtin_paramgen2(DSA *ret, size OPENSSL_free(seed); if (seed_out != seed_tmp) OPENSSL_free(seed_tmp); - if (ctx) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(ctx); BN_MONT_CTX_free(mont); EVP_MD_CTX_free(mctx); diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync openssl-1.1.1b/crypto/ec/ecdh_ossl.c --- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync 2019-05-03 08:55:45.171516207 +0200 +++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-05-03 08:55:51.556406591 +0200 @@ -123,7 +123,7 @@ int ecdh_simple_compute_key(unsigned cha ret = 1; err: - EC_POINT_free(tmp); + EC_POINT_clear_free(tmp); if (ctx) BN_CTX_end(ctx); BN_CTX_free(ctx); diff -up openssl-1.1.1b/crypto/ec/ec_lib.c.sync openssl-1.1.1b/crypto/ec/ec_lib.c --- openssl-1.1.1b/crypto/ec/ec_lib.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/ec/ec_lib.c 2019-05-03 08:55:51.527407088 +0200 @@ -1074,8 +1074,7 @@ static int ec_field_inverse_mod_ord(cons ret = 1; err: - if (ctx != NULL) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; } diff -up openssl-1.1.1b/crypto/ec/ec_mult.c.sync openssl-1.1.1b/crypto/ec/ec_mult.c --- openssl-1.1.1b/crypto/ec/ec_mult.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/ec/ec_mult.c 2019-05-03 08:55:51.540406865 +0200 @@ -378,7 +378,7 @@ int ec_scalar_mul_ladder(const EC_GROUP err: EC_POINT_free(p); - EC_POINT_free(s); + EC_POINT_clear_free(s); BN_CTX_end(ctx); return ret; @@ -441,7 +441,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E * scalar multiplication implementation based on a Montgomery ladder, * with various timing attack defenses. */ - if ((scalar != NULL) && (num == 0)) { + if ((scalar != group->order) && (scalar != NULL) && (num == 0)) { /*- * In this case we want to compute scalar * GeneratorPoint: this * codepath is reached most prominently by (ephemeral) key @@ -452,7 +452,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E */ return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx); } - if ((scalar == NULL) && (num == 1)) { + if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) { /*- * In this case we want to compute scalar * VariablePoint: this * codepath is reached most prominently by the second half of ECDH, @@ -948,8 +948,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *gr ret = 1; err: - if (ctx != NULL) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(new_ctx); EC_ec_pre_comp_free(pre_comp); if (points) { diff -up openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync openssl-1.1.1b/crypto/ec/ecp_nistp521.c --- openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/ec/ecp_nistp521.c 2019-05-03 08:55:51.532407003 +0200 @@ -357,10 +357,15 @@ static void felem_diff64(felem out, cons static void felem_diff_128_64(largefelem out, const felem in) { /* - * In order to prevent underflow, we add 0 mod p before subtracting. + * In order to prevent underflow, we add 64p mod p (which is equivalent + * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521 + * digit number with all bits set to 1. See "The representation of field + * elements" comment above for a description of how limbs are used to + * represent a number. 64p is represented with 8 limbs containing a number + * with 58 bits set and one limb with a number with 57 bits set. */ - static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5); - static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4); + static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6); + static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5); out[0] += two63m6 - in[0]; out[1] += two63m5 - in[1]; diff -up openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync openssl-1.1.1b/crypto/ec/ecp_nistz256.c --- openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/ec/ecp_nistz256.c 2019-05-03 08:55:51.528407071 +0200 @@ -888,8 +888,7 @@ __owur static int ecp_nistz256_mult_prec ret = 1; err: - if (ctx != NULL) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(new_ctx); EC_nistz256_pre_comp_free(pre_comp); diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync openssl-1.1.1b/crypto/ec/ecp_smpl.c --- openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync 2019-05-03 08:55:45.152516533 +0200 +++ openssl-1.1.1b/crypto/ec/ecp_smpl.c 2019-05-03 08:55:51.528407071 +0200 @@ -312,8 +312,7 @@ int ec_GFp_simple_group_check_discrimina ret = 1; err: - if (ctx != NULL) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; } @@ -792,8 +791,7 @@ int ec_GFp_simple_add(const EC_GROUP *gr ret = 1; end: - if (ctx) /* otherwise we already called BN_CTX_end */ - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; } diff -up openssl-1.1.1b/crypto/err/err.c.sync openssl-1.1.1b/crypto/err/err.c --- openssl-1.1.1b/crypto/err/err.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/err/err.c 2019-05-03 08:55:51.548406728 +0200 @@ -523,8 +523,24 @@ static unsigned long get_error_values(in return ERR_R_INTERNAL_ERROR; } + while (es->bottom != es->top) { + if (es->err_flags[es->top] & ERR_FLAG_CLEAR) { + err_clear(es, es->top); + es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1; + continue; + } + i = (es->bottom + 1) % ERR_NUM_ERRORS; + if (es->err_flags[i] & ERR_FLAG_CLEAR) { + es->bottom = i; + err_clear(es, es->bottom); + continue; + } + break; + } + if (es->bottom == es->top) return 0; + if (top) i = es->top; /* last error */ else @@ -913,25 +929,6 @@ int ERR_clear_last_mark(void) return 1; } -#ifdef UINTPTR_T -# undef UINTPTR_T -#endif -/* - * uintptr_t is the answer, but unfortunately C89, current "least common - * denominator" doesn't define it. Most legacy platforms typedef it anyway, - * so that attempt to fill the gaps means that one would have to identify - * that track these gaps, which would be undesirable. Macro it is... - */ -#if defined(__VMS) && __INITIAL_POINTER_SIZE==64 -/* - * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 - * even in 64-bit builds, which means that it won't work as mask. - */ -# define UINTPTR_T unsigned long long -#else -# define UINTPTR_T size_t -#endif - void err_clear_last_constant_time(int clear) { ERR_STATE *es; @@ -943,11 +940,11 @@ void err_clear_last_constant_time(int cl top = es->top; - es->err_flags[top] &= ~(0 - clear); - es->err_buffer[top] &= ~(0UL - clear); - es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & - ~((UINTPTR_T)0 - clear)); - es->err_line[top] |= 0 - clear; - - es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; + /* + * Flag error as cleared but remove it elsewhere to avoid two errors + * accessing the same error stack location, revealing timing information. + */ + clear = constant_time_select_int(constant_time_eq_int(clear, 0), + 0, ERR_FLAG_CLEAR); + es->err_flags[top] |= clear; } diff -up openssl-1.1.1b/crypto/evp/digest.c.sync openssl-1.1.1b/crypto/evp/digest.c --- openssl-1.1.1b/crypto/evp/digest.c.sync 2019-05-03 08:55:51.553406642 +0200 +++ openssl-1.1.1b/crypto/evp/digest.c 2019-05-03 08:56:40.800561168 +0200 @@ -171,6 +171,9 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, co #ifdef OPENSSL_FIPS FIPS_selftest_check(); #endif + if (count == 0) + return 1; + return ctx->update(ctx, data, count); } diff -up openssl-1.1.1b/crypto/evp/e_aria.c.sync openssl-1.1.1b/crypto/evp/e_aria.c --- openssl-1.1.1b/crypto/evp/e_aria.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/e_aria.c 2019-05-03 08:55:51.545406779 +0200 @@ -486,6 +486,16 @@ static int aria_gcm_cipher(EVP_CIPHER_CT return 0; } +static int aria_gcm_cleanup(EVP_CIPHER_CTX *ctx) +{ + EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, ctx); + + if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(ctx)) + OPENSSL_free(gctx->iv); + + return 1; +} + static int aria_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { @@ -727,6 +737,8 @@ static int aria_ccm_cipher(EVP_CIPHER_CT } } +#define aria_ccm_cleanup NULL + #define ARIA_AUTH_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ @@ -739,7 +751,7 @@ static const EVP_CIPHER aria_##keylen##_ ARIA_AUTH_FLAGS|EVP_CIPH_##MODE##_MODE, \ aria_##mode##_init_key, \ aria_##mode##_cipher, \ - NULL, \ + aria_##mode##_cleanup, \ sizeof(EVP_ARIA_##MODE##_CTX), \ NULL,NULL,aria_##mode##_ctrl,NULL }; \ const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c --- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync 2019-05-03 08:55:45.216515434 +0200 +++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-05-03 08:55:51.551406676 +0200 @@ -30,6 +30,8 @@ typedef struct { #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data) +#define CHACHA20_POLY1305_MAX_IVLEN 12 + static int chacha_init_key(EVP_CIPHER_CTX *ctx, const unsigned char user_key[CHACHA_KEY_SIZE], const unsigned char iv[CHACHA_CTR_SIZE], int enc) @@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CI return 1; case EVP_CTRL_AEAD_SET_IVLEN: - if (arg <= 0 || arg > CHACHA_CTR_SIZE) + if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN) return 0; actx->nonce_len = arg; return 1; diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.sync openssl-1.1.1b/crypto/evp/evp_enc.c --- openssl-1.1.1b/crypto/evp/evp_enc.c.sync 2019-05-03 08:55:45.174516155 +0200 +++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-05-03 08:55:51.544406797 +0200 @@ -338,6 +338,11 @@ static int evp_EncryptDecryptUpdate(EVP_ bl = ctx->cipher->block_size; + if (inl <= 0) { + *outl = 0; + return inl == 0; + } + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { /* If block size > 1 then the cipher will have to do this check */ if (bl == 1 && is_partially_overlapping(out, in, cmpl)) { @@ -353,10 +358,6 @@ static int evp_EncryptDecryptUpdate(EVP_ return 1; } - if (inl <= 0) { - *outl = 0; - return inl == 0; - } if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) { EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING); return 0; @@ -490,6 +491,11 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) cmpl = (cmpl + 7) / 8; + if (inl <= 0) { + *outl = 0; + return inl == 0; + } + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { if (b == 1 && is_partially_overlapping(out, in, cmpl)) { EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING); @@ -505,11 +511,6 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct return 1; } - if (inl <= 0) { - *outl = 0; - return inl == 0; - } - if (ctx->flags & EVP_CIPH_NO_PADDING) return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); diff -up openssl-1.1.1b/crypto/hmac/hmac.c.sync openssl-1.1.1b/crypto/hmac/hmac.c --- openssl-1.1.1b/crypto/hmac/hmac.c.sync 2019-05-03 08:55:45.189515898 +0200 +++ openssl-1.1.1b/crypto/hmac/hmac.c 2019-05-03 08:55:51.538406900 +0200 @@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo return 0; } + /* + * The HMAC construction is not allowed to be used with the + * extendable-output functions (XOF) shake128 and shake256. + */ + if ((EVP_MD_meth_get_flags(md) & EVP_MD_FLAG_XOF) != 0) + return 0; + if (key != NULL) { #ifdef OPENSSL_FIPS if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS) diff -up openssl-1.1.1b/crypto/init.c.sync openssl-1.1.1b/crypto/init.c --- openssl-1.1.1b/crypto/init.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/init.c 2019-05-03 08:55:51.550406694 +0200 @@ -702,7 +702,7 @@ int OPENSSL_init_crypto(uint64_t opts, c ret = RUN_ONCE(&config, ossl_init_config); conf_settings = NULL; CRYPTO_THREAD_unlock(init_lock); - if (!ret) + if (ret <= 0) return 0; } diff -up openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl --- openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl 2019-05-03 08:55:51.534406969 +0200 @@ -1155,6 +1155,7 @@ ___ } else { $code.=<<___; jmp .L_init_clmul +.cfi_endproc .size gcm_init_avx,.-gcm_init_avx ___ } @@ -1594,6 +1595,7 @@ ___ } else { $code.=<<___; jmp .L_ghash_clmul +.cfi_endproc .size gcm_ghash_avx,.-gcm_ghash_avx ___ } diff -up openssl-1.1.1b/crypto/modes/ccm128.c.sync openssl-1.1.1b/crypto/modes/ccm128.c --- openssl-1.1.1b/crypto/modes/ccm128.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/modes/ccm128.c 2019-05-03 08:55:51.543406814 +0200 @@ -425,7 +425,7 @@ size_t CRYPTO_ccm128_tag(CCM128_CONTEXT M *= 2; M += 2; - if (len < M) + if (len != M) return 0; memcpy(tag, ctx->cmac.c, M); return M; diff -up openssl-1.1.1b/crypto/o_str.c.sync openssl-1.1.1b/crypto/o_str.c --- openssl-1.1.1b/crypto/o_str.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/o_str.c 2019-05-03 08:55:51.550406694 +0200 @@ -223,7 +223,26 @@ int openssl_strerror_r(int errnum, char #if defined(_MSC_VER) && _MSC_VER>=1400 return !strerror_s(buf, buflen, errnum); #elif defined(_GNU_SOURCE) - return strerror_r(errnum, buf, buflen) != NULL; + char *err; + + /* + * GNU strerror_r may not actually set buf. + * It can return a pointer to some (immutable) static string in which case + * buf is left unused. + */ + err = strerror_r(errnum, buf, buflen); + if (err == NULL) + return 0; + /* + * If err is statically allocated, err != buf and we need to copy the data. + * If err points somewhere inside buf, OPENSSL_strlcpy can handle this, + * since src and dest are not annotated with __restrict and the function + * reads src byte for byte and writes to dest. + * If err == buf we do not have to copy anything. + */ + if (err != buf) + OPENSSL_strlcpy(buf, err, buflen); + return 1; #elif (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) || \ (defined(_XOPEN_SOURCE) && _XOPEN_SOURCE >= 600) /* @@ -234,6 +253,7 @@ int openssl_strerror_r(int errnum, char return !strerror_r(errnum, buf, buflen); #else char *err; + /* Fall back to non-thread safe strerror()...its all we can do */ if (buflen < 2) return 0; @@ -241,8 +261,7 @@ int openssl_strerror_r(int errnum, char /* Can this ever happen? */ if (err == NULL) return 0; - strncpy(buf, err, buflen - 1); - buf[buflen - 1] = '\0'; + OPENSSL_strlcpy(buf, err, buflen); return 1; #endif } diff -up openssl-1.1.1b/crypto/poly1305/build.info.sync openssl-1.1.1b/crypto/poly1305/build.info --- openssl-1.1.1b/crypto/poly1305/build.info.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/poly1305/build.info 2019-05-03 08:55:51.538406900 +0200 @@ -17,6 +17,7 @@ GENERATE[poly1305-armv8.S]=asm/poly1305- INCLUDE[poly1305-armv8.o]=.. GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME) INCLUDE[poly1305-mips.o]=.. +GENERATE[poly1305-s390x.S]=asm/poly1305-s390x.pl $(PERLASM_SCHEME) BEGINRAW[Makefile(unix)] {- $builddir -}/poly1305-%.S: {- $sourcedir -}/asm/poly1305-%.pl diff -up openssl-1.1.1b/crypto/rc4/build.info.sync openssl-1.1.1b/crypto/rc4/build.info --- openssl-1.1.1b/crypto/rc4/build.info.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rc4/build.info 2019-05-03 08:55:51.538406900 +0200 @@ -11,6 +11,8 @@ GENERATE[rc4-md5-x86_64.s]=asm/rc4-md5-x GENERATE[rc4-parisc.s]=asm/rc4-parisc.pl $(PERLASM_SCHEME) +GENERATE[rc4-s390x.s]=asm/rc4-s390x.pl $(PERLASM_SCHEME) + BEGINRAW[Makefile] # GNU make "catch all" {- $builddir -}/rc4-%.s: {- $sourcedir -}/asm/rc4-%.pl diff -up openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync openssl-1.1.1b/crypto/rsa/rsa_ameth.c --- openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_ameth.c 2019-05-03 08:55:51.533406986 +0200 @@ -583,10 +583,12 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EV return NULL; if (saltlen == -1) { saltlen = EVP_MD_size(sigmd); - } else if (saltlen == -2) { + } else if (saltlen == -2 || saltlen == -3) { saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; if ((EVP_PKEY_bits(pk) & 0x7) == 1) saltlen--; + if (saltlen < 0) + return NULL; } return rsa_pss_params_create(sigmd, mgf1md, saltlen); diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync openssl-1.1.1b/crypto/rsa/rsa_gen.c --- openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync 2019-05-03 08:55:45.191515864 +0200 +++ openssl-1.1.1b/crypto/rsa/rsa_gen.c 2019-05-03 08:55:51.528407071 +0200 @@ -746,8 +746,7 @@ static int rsa_builtin_keygen(RSA *rsa, RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); ok = 0; } - if (ctx != NULL) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(ctx); return ok; } diff -up openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync openssl-1.1.1b/crypto/rsa/rsa_oaep.c --- openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_oaep.c 2019-05-03 08:55:51.549406711 +0200 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un * |num| is the length of the modulus; |flen| is the length of the * encoded message. Therefore, for any |from| that was obtained by * decrypting a ciphertext, we must have |flen| <= |num|. Similarly, - * num < 2 * mdlen + 2 must hold for the modulus irrespective of + * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of * the ciphertext, see PKCS #1 v2.2, section 7.1.2. * This does not leak any side-channel information. */ @@ -179,17 +179,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un from -= 1 & mask; *--em = *from & mask; } - from = em; /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ - good = constant_time_is_zero(from[0]); + good = constant_time_is_zero(em[0]); - maskedseed = from + 1; - maskeddb = from + 1 + mdlen; + maskedseed = em + 1; + maskeddb = em + 1 + mdlen; if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) goto cleanup; @@ -230,29 +229,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un mlen = dblen - msg_index; /* - * For good measure, do this check in constant tine as well. + * For good measure, do this check in constant time as well. */ good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); - msg_index = constant_time_select_int(good, msg_index, dblen - tlen); - mlen = dblen - msg_index; - for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= dblen & equals; /* if (i == dblen) rewind */ - mask &= mask ^ equals; /* if (i == dblen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen), + dblen - mdlen - 1, tlen); + for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0); + for (i = mdlen + 1; i < dblen - msg_index; i++) + db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]); + } + for (i = 0; i < tlen; i++) { + mask = good & constant_time_lt(i, mlen); + to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]); } /* diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ossl.c --- openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync 2019-05-03 08:55:45.191515864 +0200 +++ openssl-1.1.1b/crypto/rsa/rsa_ossl.c 2019-05-03 08:55:51.548406728 +0200 @@ -174,8 +174,7 @@ static int rsa_ossl_public_encrypt(int f */ r = BN_bn2binpad(ret, to, num); err: - if (ctx != NULL) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(ctx); OPENSSL_clear_free(buf, num); return r; @@ -396,8 +395,7 @@ static int rsa_ossl_private_encrypt(int */ r = BN_bn2binpad(res, to, num); err: - if (ctx != NULL) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(ctx); OPENSSL_clear_free(buf, num); return r; @@ -539,11 +537,10 @@ static int rsa_ossl_private_decrypt(int goto err; } RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); - err_clear_last_constant_time(r >= 0); + err_clear_last_constant_time(1 & ~constant_time_msb(r)); err: - if (ctx != NULL) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(ctx); OPENSSL_clear_free(buf, num); return r; @@ -655,8 +652,7 @@ static int rsa_ossl_public_decrypt(int f RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); err: - if (ctx != NULL) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(ctx); OPENSSL_clear_free(buf, num); return r; diff -up openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync openssl-1.1.1b/crypto/rsa/rsa_pk1.c --- openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_pk1.c 2019-05-03 08:55:51.549406711 +0200 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -192,15 +192,14 @@ int RSA_padding_check_PKCS1_type_2(unsig from -= 1 & mask; *--em = *from & mask; } - from = em; - good = constant_time_is_zero(from[0]); - good &= constant_time_eq(from[1], 2); + good = constant_time_is_zero(em[0]); + good &= constant_time_eq(em[1], 2); /* scan over padding data */ found_zero_byte = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(from[i]); + unsigned int equals0 = constant_time_is_zero(em[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); @@ -208,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsig } /* - * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * PS must be at least 8 bytes long, and it starts two bytes into |em|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -227,24 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsig good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. - */ - tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); - msg_index = constant_time_select_int(good, msg_index, num - tlen); - mlen = num - msg_index; - for (from += msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= tlen & equals; /* if (i == mlen) rewind */ - mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). + */ + tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), + num - 11, tlen); + for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); + for (i = 11; i < num - msg_index; i++) + em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); + } + for (i = 0; i < tlen; i++) { + mask = good & constant_time_lt(i, mlen); + to[i] = constant_time_select_8(mask, em[i + 11], to[i]); } OPENSSL_clear_free(em, num); diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync openssl-1.1.1b/crypto/rsa/rsa_pmeth.c --- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-03 08:55:51.543406814 +0200 @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,6 +7,8 @@ * https://www.openssl.org/source/license.html */ +#include "internal/constant_time_locl.h" + #include #include "internal/cryptlib.h" #include @@ -340,10 +342,9 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, rctx->pad_mode); } - if (ret < 0) - return ret; - *outlen = ret; - return 1; + *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); + ret = constant_time_select_int(constant_time_msb(ret), ret, 1); + return ret; } static int check_padding_md(const EVP_MD *md, int padding) diff -up openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ssl.c --- openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_ssl.c 2019-05-03 08:55:51.550406694 +0200 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -55,7 +55,7 @@ int RSA_padding_add_SSLv23(unsigned char /* * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding - * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also + * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also * preserves error code reporting for backward compatibility. */ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, @@ -67,7 +67,10 @@ int RSA_padding_check_SSLv23(unsigned ch unsigned int good, found_zero_byte, mask, threes_in_row; int zero_index = 0, msg_index, mlen = -1, err; - if (flen < 10) { + if (tlen <= 0 || flen <= 0) + return -1; + + if (flen > num || num < 11) { RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); return -1; } @@ -89,10 +92,9 @@ int RSA_padding_check_SSLv23(unsigned ch from -= 1 & mask; *--em = *from & mask; } - from = em; - good = constant_time_is_zero(from[0]); - good &= constant_time_eq(from[1], 2); + good = constant_time_is_zero(em[0]); + good &= constant_time_eq(em[1], 2); err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02); mask = ~good; @@ -100,18 +102,18 @@ int RSA_padding_check_SSLv23(unsigned ch found_zero_byte = 0; threes_in_row = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(from[i]); + unsigned int equals0 = constant_time_is_zero(em[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); found_zero_byte |= equals0; threes_in_row += 1 & ~found_zero_byte; - threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3); + threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3); } /* - * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * PS must be at least 8 bytes long, and it starts two bytes into |em|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -120,7 +122,7 @@ int RSA_padding_check_SSLv23(unsigned ch RSA_R_NULL_BEFORE_BLOCK_MISSING); mask = ~good; - good &= constant_time_lt(threes_in_row, 8); + good &= constant_time_ge(threes_in_row, 8); err = constant_time_select_int(mask | good, err, RSA_R_SSLV3_ROLLBACK_ATTACK); mask = ~good; @@ -139,24 +141,25 @@ int RSA_padding_check_SSLv23(unsigned ch err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); - msg_index = constant_time_select_int(good, msg_index, num - tlen); - mlen = num - msg_index; - for (from += msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= tlen & equals; /* if (i == mlen) rewind */ - mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), + num - 11, tlen); + for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); + for (i = 11; i < num - msg_index; i++) + em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); + } + for (i = 0; i < tlen; i++) { + mask = good & constant_time_lt(i, mlen); + to[i] = constant_time_select_8(mask, em[i + 11], to[i]); } OPENSSL_clear_free(em, num); diff -up openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync openssl-1.1.1b/crypto/rsa/rsa_x931g.c --- openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_x931g.c 2019-05-03 08:55:51.530407037 +0200 @@ -133,8 +133,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM ret = 1; err: - if (ctx) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(ctx); BN_CTX_free(ctx2); @@ -188,8 +187,7 @@ int RSA_X931_generate_key_ex(RSA *rsa, i ok = 1; error: - if (ctx) - BN_CTX_end(ctx); + BN_CTX_end(ctx); BN_CTX_free(ctx); if (ok) diff -up openssl-1.1.1b/crypto/x509/x509_lu.c.sync openssl-1.1.1b/crypto/x509/x509_lu.c --- openssl-1.1.1b/crypto/x509/x509_lu.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/x509/x509_lu.c 2019-05-03 08:55:51.546406762 +0200 @@ -297,6 +297,9 @@ int X509_STORE_CTX_get_by_subject(X509_S if (ctx == NULL) return 0; + stmp.type = X509_LU_NONE; + stmp.data.ptr = NULL; + CRYPTO_THREAD_write_lock(ctx->lock); tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); CRYPTO_THREAD_unlock(ctx->lock); diff -up openssl-1.1.1b/doc/man1/pkeyutl.pod.sync openssl-1.1.1b/doc/man1/pkeyutl.pod --- openssl-1.1.1b/doc/man1/pkeyutl.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man1/pkeyutl.pod 2019-05-03 08:55:51.555406608 +0200 @@ -272,20 +272,19 @@ value less than the minimum restriction. =head1 DSA ALGORITHM The DSA algorithm supports signing and verification operations only. Currently -there are no additional options other than B. Only the SHA1 -digest can be used and this digest is assumed by default. +there are no additional B<-pkeyopt> options other than B. The SHA1 +digest is assumed by default. =head1 DH ALGORITHM The DH algorithm only supports the derivation operation and no additional -options. +B<-pkeyopt> options. =head1 EC ALGORITHM The EC algorithm supports sign, verify and derive operations. The sign and -verify operations use ECDSA and derive uses ECDH. Currently there are no -additional options other than B. Only the SHA1 digest can be used and -this digest is assumed by default. +verify operations use ECDSA and derive uses ECDH. SHA1 is assumed by default for +the B<-pkeyopt> B option. =head1 X25519 and X448 ALGORITHMS diff -up openssl-1.1.1b/doc/man1/ts.pod.sync openssl-1.1.1b/doc/man1/ts.pod --- openssl-1.1.1b/doc/man1/ts.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man1/ts.pod 2019-05-03 08:55:51.554406625 +0200 @@ -262,7 +262,7 @@ specified, the argument is given to the =item B<-I> Signing digest to use. Overrides the B config file -option. (Optional) +option. (Mandatory unless specified in the config file) =item B<-chain> certs_file.pem @@ -460,7 +460,8 @@ command line option. (Optional) =item B Signing digest to use. The same as the -B<-I> command line option. (Optional) +B<-I> command line option. (Mandatory unless specified on the command +line) =item B diff -up openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync openssl-1.1.1b/doc/man3/BIO_s_mem.pod --- openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/BIO_s_mem.pod 2019-05-03 08:55:51.556406591 +0200 @@ -88,6 +88,22 @@ a buffering BIO to the chain will speed Calling BIO_set_mem_buf() on a BIO created with BIO_new_secmem() will give undefined results, including perhaps a program crash. +Switching the memory BIO from read write to read only is not supported and +can give undefined results including a program crash. There are two notable +exceptions to the rule. The first one is to assign a static memory buffer +immediately after BIO creation and set the BIO as read only. + +The other supported sequence is to start with read write BIO then temporarily +switch it to read only and call BIO_reset() on the read only BIO immediately +before switching it back to read write. Before the BIO is freed it must be +switched back to the read write mode. + +Calling BIO_get_mem_ptr() on read only BIO will return a BUF_MEM that +contains only the remaining data to be read. If the close status of the +BIO is set to BIO_NOCLOSE, before freeing the BUF_MEM the data pointer +in it must be set to NULL as the data pointer does not point to an +allocated memory. + =head1 BUGS There should be an option to set the maximum size of a memory BIO. diff -up openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync openssl-1.1.1b/doc/man3/BN_CTX_start.pod --- openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/BN_CTX_start.pod 2019-05-03 08:55:51.554406625 +0200 @@ -27,6 +27,7 @@ calls must be made before calling any ot B as an argument. Finally, BN_CTX_end() must be called before returning from the function. +If B is NULL, nothing is done. When BN_CTX_end() is called, the B pointers obtained from BN_CTX_get() become invalid. diff -up openssl-1.1.1b/doc/man3/BN_new.pod.sync openssl-1.1.1b/doc/man3/BN_new.pod --- openssl-1.1.1b/doc/man3/BN_new.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/BN_new.pod 2019-05-03 08:55:51.554406625 +0200 @@ -27,6 +27,7 @@ OPENSSL_secure_malloc(3) is used to stor BN_clear() is used to destroy sensitive data such as keys when they are no longer needed. It erases the memory used by B and sets it to the value 0. +If B is NULL, nothing is done. BN_free() frees the components of the B, and if it was created by BN_new(), also the structure itself. BN_clear_free() additionally diff -up openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync openssl-1.1.1b/doc/man3/EVP_chacha20.pod --- openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/EVP_chacha20.pod 2019-05-03 08:55:51.536406934 +0200 @@ -21,7 +21,15 @@ The ChaCha20 stream cipher for EVP. =item EVP_chacha20() -The ChaCha20 stream cipher. The key length is 256 bits, the IV is 96 bits long. +The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long. +The first 32 bits consists of a counter in little-endian order followed by a 96 +bit nonce. For example a nonce of: + +000000000000000000000002 + +With an initial counter of 42 (2a in hex) would be expressed as: + +2a000000000000000000000000000002 =item EVP_chacha20_poly1305() diff -up openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod --- openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod 2019-05-03 08:55:51.554406625 +0200 @@ -436,7 +436,9 @@ The following Is are supported for Sets the nonce length. This call can only be made before specifying the nonce. If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum -nonce length is 16 (B, i.e. 128-bits). +nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set +then the nonce is automatically padded with leading 0 bytes to make it 12 bytes +in length. =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag) diff -up openssl-1.1.1b/doc/man3/HMAC.pod.sync openssl-1.1.1b/doc/man3/HMAC.pod --- openssl-1.1.1b/doc/man3/HMAC.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/HMAC.pod 2019-05-03 08:55:51.539406883 +0200 @@ -63,7 +63,9 @@ If B is NULL, the digest is placed i the output is placed in B, unless it is B. Note: passing a NULL value for B to use the static array is not thread safe. -B can be EVP_sha1(), EVP_ripemd160() etc. +B is a message digest such as EVP_sha1(), EVP_ripemd160() etc. HMAC does +not support variable output length digests such as EVP_shake128() and +EVP_shake256(). HMAC_CTX_new() creates a new HMAC_CTX in heap memory. diff -up openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod --- openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod 2019-05-03 08:55:51.555406608 +0200 @@ -5,6 +5,7 @@ RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1, RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2, RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP, +RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1, RSA_padding_add_SSLv23, RSA_padding_check_SSLv23, RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption padding @@ -14,35 +15,46 @@ padding #include int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, - unsigned char *f, int fl); + const unsigned char *f, int fl); int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, - unsigned char *f, int fl, int rsa_len); + const unsigned char *f, int fl, int rsa_len); int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, - unsigned char *f, int fl); + const unsigned char *f, int fl); int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, - unsigned char *f, int fl, int rsa_len); + const unsigned char *f, int fl, int rsa_len); int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, - unsigned char *f, int fl, unsigned char *p, int pl); + const unsigned char *f, int fl, + const unsigned char *p, int pl); int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, - unsigned char *f, int fl, int rsa_len, - unsigned char *p, int pl); + const unsigned char *f, int fl, int rsa_len, + const unsigned char *p, int pl); + + int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *f, int fl, + const unsigned char *p, int pl, + const EVP_MD *md, const EVP_MD *mgf1md); + + int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *f, int fl, int rsa_len, + const unsigned char *p, int pl, + const EVP_MD *md, const EVP_MD *mgf1md); int RSA_padding_add_SSLv23(unsigned char *to, int tlen, - unsigned char *f, int fl); + const unsigned char *f, int fl); int RSA_padding_check_SSLv23(unsigned char *to, int tlen, - unsigned char *f, int fl, int rsa_len); + const unsigned char *f, int fl, int rsa_len); int RSA_padding_add_none(unsigned char *to, int tlen, - unsigned char *f, int fl); + const unsigned char *f, int fl); int RSA_padding_check_none(unsigned char *to, int tlen, - unsigned char *f, int fl, int rsa_len); + const unsigned char *f, int fl, int rsa_len); =head1 DESCRIPTION @@ -98,6 +110,10 @@ at B. For RSA_padding_xxx_OAEP(), B

points to the encoding parameter of length B. B

may be B if B is 0. +For RSA_padding_xxx_OAEP_mgf1(), B points to the md hash, +if B is B that means md=sha1, and B points to +the mgf1 hash, if B is B that means mgf1md=md. + =head1 RETURN VALUES The RSA_padding_add_xxx() functions return 1 on success, 0 on error. @@ -107,15 +123,21 @@ L. =head1 WARNING -The RSA_padding_check_PKCS1_type_2() padding check leaks timing +The result of RSA_padding_check_PKCS1_type_2() is a very sensitive information which can potentially be used to mount a Bleichenbacher padding oracle attack. This is an inherent weakness in the PKCS #1 -v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can -be recommended to pass zero-padded B, so that B equals to -B, and if fixed by protocol, B being set to the -expected length. In such case leakage would be minimal, it would -take attacker's ability to observe memory access pattern with byte -granilarity as it occurs, post-factum timing analysis won't do. +v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not +possible, the result of RSA_padding_check_PKCS1_type_2() should be +checked in constant time if it matches the expected length of the +plaintext and additionally some application specific consistency +checks on the plaintext need to be performed in constant time. +If the plaintext is rejected it must be kept secret which of the +checks caused the application to reject the message. +Do not remove the zero-padding from the decrypted raw RSA data +which was computed by RSA_private_decrypt() with B, +as this would create a small timing side channel which could be +used to mount a Bleichenbacher attack against any padding mode +including PKCS1_OAEP. =head1 SEE ALSO @@ -125,7 +147,7 @@ L, L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -up openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod --- openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod 2019-05-03 08:55:51.555406608 +0200 @@ -8,10 +8,10 @@ RSA_public_encrypt, RSA_private_decrypt #include - int RSA_public_encrypt(int flen, unsigned char *from, + int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); - int RSA_private_decrypt(int flen, unsigned char *from, + int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); =head1 DESCRIPTION @@ -27,6 +27,8 @@ B denotes one of the following =item RSA_PKCS1_PADDING PKCS #1 v1.5 padding. This currently is the most widely used mode. +However, it is highly recommended to use RSA_PKCS1_OAEP_PADDING in +new applications. SEE WARNING BELOW. =item RSA_PKCS1_OAEP_PADDING @@ -46,23 +48,35 @@ Encrypting user data directly with RSA i =back -B must be less than RSA_size(B) - 11 for the PKCS #1 v1.5 -based padding modes, less than RSA_size(B) - 41 for +B must not be more than RSA_size(B) - 11 for the PKCS #1 v1.5 +based padding modes, not more than RSA_size(B) - 42 for RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. -The random number generator must be seeded prior to calling -RSA_public_encrypt(). +When a padding mode other than RSA_NO_PADDING is in use, then +RSA_public_encrypt() will include some random bytes into the ciphertext +and therefore the ciphertext will be different each time, even if the +plaintext and the public key are exactly identical. +The returned ciphertext in B will always be zero padded to exactly +RSA_size(B) bytes. +B and B may overlap. RSA_private_decrypt() decrypts the B bytes at B using the -private key B and stores the plaintext in B. B must point -to a memory section large enough to hold the decrypted data (which is -smaller than RSA_size(B)). B is the padding mode that -was used to encrypt the data. +private key B and stores the plaintext in B. B should +be equal to RSA_size(B) but may be smaller, when leading zero +bytes are in the ciphertext. Those are not important and may be removed, +but RSA_public_encrypt() does not do that. B must point +to a memory section large enough to hold the maximal possible decrypted +data (which is equal to RSA_size(B) for RSA_NO_PADDING, +RSA_size(B) - 11 for the PKCS #1 v1.5 based padding modes and +RSA_size(B) - 42 for RSA_PKCS1_OAEP_PADDING). +B is the padding mode that was used to encrypt the data. +B and B may overlap. =head1 RETURN VALUES RSA_public_encrypt() returns the size of the encrypted data (i.e., RSA_size(B)). RSA_private_decrypt() returns the size of the -recovered plaintext. +recovered plaintext. A return value of 0 is not an error and +means only that the plaintext was empty. On error, -1 is returned; the error codes can be obtained by L. @@ -85,7 +99,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -up openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod --- openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod 2019-05-03 08:55:51.537406917 +0200 @@ -124,7 +124,10 @@ Textual representation of the cipher nam =item -Protocol version, such as B, when the cipher was first defined. +The minimum protocol version that the ciphersuite supports, such as B. +Note that this is not always the same as the protocol version in which the +ciphersuite was first defined because some ciphersuites are backwards compatible +with earlier protocol versions. =item Kx= diff -up openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod --- openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod 2019-05-03 08:55:51.534406969 +0200 @@ -65,6 +65,8 @@ both required, and on success the caller B<*out> using OPENSSL_free(). The contents of B<*out> is an array of integers holding the numerical value of the TLS extension types in the order they appear in the ClientHello. B<*outlen> contains the number of elements in the array. +In situations when the ClientHello has no extensions, the function will return +success with B<*out> set to NULL and B<*outlen> set to 0. =head1 NOTES diff -up openssl-1.1.1b/include/openssl/err.h.sync openssl-1.1.1b/include/openssl/err.h --- openssl-1.1.1b/include/openssl/err.h.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/err.h 2019-05-03 08:55:51.548406728 +0200 @@ -37,6 +37,7 @@ extern "C" { # define ERR_TXT_STRING 0x02 # define ERR_FLAG_MARK 0x01 +# define ERR_FLAG_CLEAR 0x02 # define ERR_NUM_ERRORS 16 typedef struct err_state_st { diff -up openssl-1.1.1b/ssl/ssl_lib.c.sync openssl-1.1.1b/ssl/ssl_lib.c --- openssl-1.1.1b/ssl/ssl_lib.c.sync 2019-05-03 08:55:45.196515778 +0200 +++ openssl-1.1.1b/ssl/ssl_lib.c 2019-05-03 08:55:51.535406951 +0200 @@ -5089,6 +5089,11 @@ int SSL_client_hello_get1_extensions_pre if (ext->present) num++; } + if (num == 0) { + *out = NULL; + *outlen = 0; + return 1; + } if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) { SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT, ERR_R_MALLOC_FAILURE); diff -up openssl-1.1.1b/ssl/ssl_locl.h.sync openssl-1.1.1b/ssl/ssl_locl.h --- openssl-1.1.1b/ssl/ssl_locl.h.sync 2019-05-03 08:55:45.011518954 +0200 +++ openssl-1.1.1b/ssl/ssl_locl.h 2019-05-03 08:55:51.541406848 +0200 @@ -574,7 +574,6 @@ struct ssl_session_st { /* Session lifetime hint in seconds */ unsigned long tick_lifetime_hint; uint32_t tick_age_add; - int tick_identity; /* Max number of bytes that can be sent as early data */ uint32_t max_early_data; /* The ALPN protocol selected for this session */ @@ -1356,6 +1355,13 @@ struct ssl_st { * as this extension is optional on server side. */ uint8_t max_fragment_len_mode; + + /* + * On the client side the number of ticket identities we sent in the + * ClientHello. On the server side the identity of the ticket we + * selected. + */ + int tick_identity; } ext; /* @@ -2052,9 +2058,6 @@ typedef enum downgrade_en { #define TLSEXT_KEX_MODE_FLAG_KE 1 #define TLSEXT_KEX_MODE_FLAG_KE_DHE 2 -/* An invalid index into the TLSv1.3 PSK identities */ -#define TLSEXT_PSK_BAD_IDENTITY -1 - #define SSL_USE_PSS(s) (s->s3->tmp.peer_sigalg != NULL && \ s->s3->tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS) diff -up openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync openssl-1.1.1b/ssl/statem/extensions_clnt.c --- openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/ssl/statem/extensions_clnt.c 2019-05-03 08:55:51.542406831 +0200 @@ -993,7 +993,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; int dores = 0; - s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY; + s->ext.tick_identity = 0; /* * Note: At this stage of the code we only support adding a single @@ -1083,6 +1083,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s agems += s->session->ext.tick_age_add; reshashsize = EVP_MD_size(mdres); + s->ext.tick_identity++; dores = 1; } @@ -1142,6 +1143,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } + s->ext.tick_identity++; } if (!WPACKET_close(pkt) @@ -1180,11 +1182,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s return EXT_RETURN_FAIL; } - if (dores) - s->session->ext.tick_identity = 0; - if (s->psksession != NULL) - s->psksession->ext.tick_identity = (dores ? 1 : 0); - return EXT_RETURN_SENT; #else return EXT_RETURN_NOT_SENT; @@ -1927,8 +1924,7 @@ int tls_parse_stoc_early_data(SSL *s, PA } if (!s->ext.early_data_ok - || !s->hit - || s->session->ext.tick_identity != 0) { + || !s->hit) { /* * If we get here then we didn't send early data, or we didn't resume * using the first identity, or the SNI/ALPN is not consistent so the @@ -1956,17 +1952,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p return 0; } - if (s->session->ext.tick_identity == (int)identity) { + if (identity >= (unsigned int)s->ext.tick_identity) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, + SSL_R_BAD_PSK_IDENTITY); + return 0; + } + + /* + * Session resumption tickets are always sent before PSK tickets. If the + * ticket index is 0 then it must be for a session resumption ticket if we + * sent two tickets, or if we didn't send a PSK ticket. + */ + if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { s->hit = 1; SSL_SESSION_free(s->psksession); s->psksession = NULL; return 1; } - if (s->psksession == NULL - || s->psksession->ext.tick_identity != (int)identity) { - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, - SSL_R_BAD_PSK_IDENTITY); + if (s->psksession == NULL) { + /* Should never happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK, + ERR_R_INTERNAL_ERROR); return 0; } @@ -1985,6 +1992,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p s->session = s->psksession; s->psksession = NULL; s->hit = 1; + /* Early data is only allowed if we used the first ticket */ + if (identity != 0) + s->ext.early_data_ok = 0; #endif return 1; diff -up openssl-1.1.1b/ssl/statem/extensions.c.sync openssl-1.1.1b/ssl/statem/extensions.c --- openssl-1.1.1b/ssl/statem/extensions.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/ssl/statem/extensions.c 2019-05-03 08:55:51.541406848 +0200 @@ -989,7 +989,6 @@ static int final_server_name(SSL *s, uns ss->ext.ticklen = 0; ss->ext.tick_lifetime_hint = 0; ss->ext.tick_age_add = 0; - ss->ext.tick_identity = 0; if (!ssl_generate_session_id(s, ss)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, ERR_R_INTERNAL_ERROR); @@ -1646,7 +1645,6 @@ static int final_early_data(SSL *s, unsi if (s->max_early_data == 0 || !s->hit - || s->session->ext.tick_identity != 0 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING || !s->ext.early_data_ok || s->hello_retry_request != SSL_HRR_NONE diff -up openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync openssl-1.1.1b/ssl/statem/extensions_srvr.c --- openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/ssl/statem/extensions_srvr.c 2019-05-03 08:55:51.542406831 +0200 @@ -1274,7 +1274,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *p goto err; } - sess->ext.tick_identity = id; + s->ext.tick_identity = id; SSL_SESSION_free(s->session); s->session = sess; @@ -1948,7 +1948,7 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) || !WPACKET_start_sub_packet_u16(pkt) - || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity) + || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity) || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR); diff -up openssl-1.1.1b/ssl/statem/statem_clnt.c.sync openssl-1.1.1b/ssl/statem/statem_clnt.c --- openssl-1.1.1b/ssl/statem/statem_clnt.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/ssl/statem/statem_clnt.c 2019-05-03 08:55:51.543406814 +0200 @@ -1613,10 +1613,7 @@ MSG_PROCESS_RETURN tls_process_server_he * so the PAC-based session secret is always preserved. It'll be * overwritten if the server refuses resumption. */ - if (s->session->session_id_length > 0 - || (SSL_IS_TLS13(s) - && s->session->ext.tick_identity - != TLSEXT_PSK_BAD_IDENTITY)) { + if (s->session->session_id_length > 0) { tsan_counter(&s->session_ctx->stats.sess_miss); if (!ssl_get_new_session(s, 0)) { /* SSLfatal() already called */ diff -up openssl-1.1.1b/test/bio_memleak_test.c.sync openssl-1.1.1b/test/bio_memleak_test.c --- openssl-1.1.1b/test/bio_memleak_test.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/test/bio_memleak_test.c 2019-05-03 08:55:51.556406591 +0200 @@ -18,28 +18,170 @@ static int test_bio_memleak(void) int ok = 0; BIO *bio; BUF_MEM bufmem; - const char *str = "BIO test\n"; + static const char str[] = "BIO test\n"; char buf[100]; bio = BIO_new(BIO_s_mem()); - if (bio == NULL) + if (!TEST_ptr(bio)) goto finish; - bufmem.length = strlen(str) + 1; + bufmem.length = sizeof(str); bufmem.data = (char *) str; bufmem.max = bufmem.length; BIO_set_mem_buf(bio, &bufmem, BIO_NOCLOSE); BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY); + if (!TEST_int_eq(BIO_read(bio, buf, sizeof(buf)), sizeof(str))) + goto finish; + if (!TEST_mem_eq(buf, sizeof(str), str, sizeof(str))) + goto finish; + ok = 1; - if (BIO_read(bio, buf, sizeof(buf)) <= 0) - goto finish; +finish: + BIO_free(bio); + return ok; +} - ok = strcmp(buf, str) == 0; +static int test_bio_get_mem(void) +{ + int ok = 0; + BIO *bio = NULL; + BUF_MEM *bufmem = NULL; + + bio = BIO_new(BIO_s_mem()); + if (!TEST_ptr(bio)) + goto finish; + if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12)) + goto finish; + BIO_get_mem_ptr(bio, &bufmem); + if (!TEST_ptr(bufmem)) + goto finish; + if (!TEST_int_gt(BIO_set_close(bio, BIO_NOCLOSE), 0)) + goto finish; + BIO_free(bio); + bio = NULL; + if (!TEST_mem_eq(bufmem->data, bufmem->length, "Hello World\n", 12)) + goto finish; + ok = 1; finish: BIO_free(bio); + BUF_MEM_free(bufmem); return ok; } +static int test_bio_new_mem_buf(void) +{ + int ok = 0; + BIO *bio; + BUF_MEM *bufmem; + char data[16]; + + bio = BIO_new_mem_buf("Hello World\n", 12); + if (!TEST_ptr(bio)) + goto finish; + if (!TEST_int_eq(BIO_read(bio, data, 5), 5)) + goto finish; + if (!TEST_mem_eq(data, 5, "Hello", 5)) + goto finish; + if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0)) + goto finish; + if (!TEST_int_lt(BIO_write(bio, "test", 4), 0)) + goto finish; + if (!TEST_int_eq(BIO_read(bio, data, 16), 7)) + goto finish; + if (!TEST_mem_eq(data, 7, " World\n", 7)) + goto finish; + if (!TEST_int_gt(BIO_reset(bio), 0)) + goto finish; + if (!TEST_int_eq(BIO_read(bio, data, 16), 12)) + goto finish; + if (!TEST_mem_eq(data, 12, "Hello World\n", 12)) + goto finish; + ok = 1; + +finish: + BIO_free(bio); + return ok; +} + +static int test_bio_rdonly_mem_buf(void) +{ + int ok = 0; + BIO *bio, *bio2 = NULL; + BUF_MEM *bufmem; + char data[16]; + + bio = BIO_new_mem_buf("Hello World\n", 12); + if (!TEST_ptr(bio)) + goto finish; + if (!TEST_int_eq(BIO_read(bio, data, 5), 5)) + goto finish; + if (!TEST_mem_eq(data, 5, "Hello", 5)) + goto finish; + if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0)) + goto finish; + (void)BIO_set_close(bio, BIO_NOCLOSE); + + bio2 = BIO_new(BIO_s_mem()); + if (!TEST_ptr(bio2)) + goto finish; + BIO_set_mem_buf(bio2, bufmem, BIO_CLOSE); + BIO_set_flags(bio2, BIO_FLAGS_MEM_RDONLY); + + if (!TEST_int_eq(BIO_read(bio2, data, 16), 7)) + goto finish; + if (!TEST_mem_eq(data, 7, " World\n", 7)) + goto finish; + if (!TEST_int_gt(BIO_reset(bio2), 0)) + goto finish; + if (!TEST_int_eq(BIO_read(bio2, data, 16), 7)) + goto finish; + if (!TEST_mem_eq(data, 7, " World\n", 7)) + goto finish; + ok = 1; + +finish: + BIO_free(bio); + BIO_free(bio2); + return ok; +} + +static int test_bio_rdwr_rdonly(void) +{ + int ok = 0; + BIO *bio = NULL; + char data[16]; + + bio = BIO_new(BIO_s_mem()); + if (!TEST_ptr(bio)) + goto finish; + if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12)) + goto finish; + + BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY); + if (!TEST_int_eq(BIO_read(bio, data, 16), 12)) + goto finish; + if (!TEST_mem_eq(data, 12, "Hello World\n", 12)) + goto finish; + if (!TEST_int_gt(BIO_reset(bio), 0)) + goto finish; + + BIO_clear_flags(bio, BIO_FLAGS_MEM_RDONLY); + if (!TEST_int_eq(BIO_puts(bio, "Hi!\n"), 4)) + goto finish; + if (!TEST_int_eq(BIO_read(bio, data, 16), 16)) + goto finish; + + if (!TEST_mem_eq(data, 16, "Hello World\nHi!\n", 16)) + goto finish; + + ok = 1; + +finish: + BIO_free(bio); + return ok; +} + + int global_init(void) { CRYPTO_set_mem_debug(1); @@ -50,5 +192,9 @@ int global_init(void) int setup_tests(void) { ADD_TEST(test_bio_memleak); + ADD_TEST(test_bio_get_mem); + ADD_TEST(test_bio_new_mem_buf); + ADD_TEST(test_bio_rdonly_mem_buf); + ADD_TEST(test_bio_rdwr_rdonly); return 1; } diff -up openssl-1.1.1b/test/ectest.c.sync openssl-1.1.1b/test/ectest.c --- openssl-1.1.1b/test/ectest.c.sync 2019-05-03 08:55:45.127516962 +0200 +++ openssl-1.1.1b/test/ectest.c 2019-05-03 08:55:51.524407140 +0200 @@ -728,6 +728,74 @@ err: BN_CTX_free(ctx); return r; } + +/* + * Tests a point known to cause an incorrect underflow in an old version of + * ecp_nist521.c + */ +static int underflow_test(void) +{ + BN_CTX *ctx = NULL; + EC_GROUP *grp = NULL; + EC_POINT *P = NULL, *Q = NULL, *R = NULL; + BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL; + BIGNUM *k = NULL; + int testresult = 0; + const char *x1str = + "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4" + "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004"; + const char *p521m1 = + "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"; + + ctx = BN_CTX_new(); + if (!TEST_ptr(ctx)) + return 0; + + BN_CTX_start(ctx); + x1 = BN_CTX_get(ctx); + y1 = BN_CTX_get(ctx); + z1 = BN_CTX_get(ctx); + x2 = BN_CTX_get(ctx); + y2 = BN_CTX_get(ctx); + k = BN_CTX_get(ctx); + if (!TEST_ptr(k)) + goto err; + + grp = EC_GROUP_new_by_curve_name(NID_secp521r1); + P = EC_POINT_new(grp); + Q = EC_POINT_new(grp); + R = EC_POINT_new(grp); + if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R)) + goto err; + + if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0) + || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0) + || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0) + || !TEST_int_gt(BN_hex2bn(&k, "02"), 0) + || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1, + y1, z1, ctx)) + || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx)) + || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx)) + || !TEST_true(EC_POINT_dbl(grp, R, P, ctx)) + || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx))) + goto err; + + if (!TEST_int_eq(BN_cmp(x1, x2), 0) + || !TEST_int_eq(BN_cmp(y1, y2), 0)) + goto err; + + testresult = 1; + + err: + BN_CTX_end(ctx); + EC_POINT_free(P); + EC_POINT_free(Q); + EC_GROUP_free(grp); + BN_CTX_free(ctx); + + return testresult; +} # endif static const unsigned char p521_named[] = { @@ -835,6 +903,7 @@ int setup_tests(void) # endif # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params)); + ADD_TEST(underflow_test); # endif ADD_ALL_TESTS(internal_curve_test, crv_len); ADD_ALL_TESTS(internal_curve_test_method, crv_len); diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt --- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-03 08:55:51.552406659 +0200 @@ -2232,7 +2232,7 @@ IV = 00000000000000000000000000000000 Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd Ciphertext = 30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd -Title = ARIA GCM test vectors from IETF draft-ietf-avtcore-aria-srtp-10 +Title = ARIA GCM test vectors from RFC8269 Cipher = ARIA-128-GCM Key = e91e5e75da65554a48181f3846349562 @@ -2250,6 +2250,36 @@ Tag = e210d6ced2cf430ff841472915e7ef48 Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 Ciphertext = 6f9e4bcbc8c85fc0128fb1e4a0a20cb9932ff74581f54fc013dd054b19f99371425b352d97d3f337b90b63d1b082adeeea9d2d7391897d591b985e55fb50cb5350cf7d38dc27dda127c078a149c8eb98083d66363a46e3726af217d3a00275ad5bf772c7610ea4c23006878f0ee69a8397703169a419303f40b72e4573714d19e2697df61e7c7252e5abc6bade876ac4961bfac4d5e867afca351a48aed52822 +Title = ARIA GCM self-generated test vectors + +Cipher = ARIA-128-GCM +Key = e91e5e75da65554a48181f3846349562 +# Shorter than default IV +IV = 0001020304 +AAD = 8008315ebf2e6fe020e8f5eb +Tag = ebaa2645bb154542117ee46031aa176e +Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 +Ciphertext = 1723ccfc0ed44a12520473cfeb63bc933cd450a943f5f1cba78e19d72f80cc102acc51f2459a06cf6435182b8ddd451f83e13479efe5ec7dfbf16229f4017920fb41457a9b6fe1a401b30b2f332d827ae2f86e962326927c1ed8bfedac1f7a00ddde63bd392a8f28a488ba5974689f8d15b9b1739fb50aae0ff244026ec72064003c621b33ffc8086b0a97eefb70604a2826f6499f6eb12d67a0da03fc8e1482 + +Cipher = ARIA-128-GCM +Key = e91e5e75da65554a48181f3846349562 +# Longer than default IV +IV = 000102030405060708090a0b0c0d0e0f +AAD = 8008315ebf2e6fe020e8f5eb +Tag = 61f7f44c7da3c60195b29ae0b46051a4 +Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 +Ciphertext = 0d3e98fcaf7a2c4fe9198d66add90d113e5e0ff47598c40a4bf501960d935a4156c9a4d46c9358a608e10a16479a4247c9ab9bb4a02809e3eac3571b832590fe2ca3e2d545741e36282d96c041fc7d39a46ed60214c2c0ec70f27768dfea4f9563b5d5c2ac33b1368a78f2908f5daf942433fec6ab588f09e908e95cc8dfa85d1a0dfd5835dc14e148323230c63eedc99a9ce942214cb3768b97b821d613629f + +Cipher = ARIA-128-GCM +Key = e91e5e75da65554a48181f3846349562 +# Extra long IV +IV = 000102030405060708090a0b0c0d0e0f1011 +AAD = 8008315ebf2e6fe020e8f5eb +Tag = c8b31ab6c2ddccab06b76af4e56e664e +Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5 +Ciphertext = 616a7bce24206501082cef7267c09a4affa54f8f82eb7fb2cdebdcaab4b6ab05c37e891c2d0fc90d15c5fb684247625c8bc0befad86896ae1c8f5a8506954caba4e13df0a0eb23853d4474e7f3b2c57bb398456a24d198e14566bce8a5f8d3bcdb12994d2fdc0f5cf19aeff990c1fe119e01f9fcc86757b1d43a9accf7b2f913c2208a46c1967f403867f89b46ffe96864c63f042265806ea5270e0dddd0e8dd + + Title = ARIA CCM test vectors from IETF draft-ietf-avtcore-aria-srtp-02 # 16-byte Tag @@ -2357,14 +2387,41 @@ Operation = ENCRYPT Plaintext = B41E6BE2EBA84A148E2EED84593C5EC7 Ciphertext = 9B9B7BFCD1813CB95D0B3618F40F5122 -Title = Chacha20 +Title = Chacha20 test vectors from RFC7539 +# A.1 Test Vector 1 Cipher = chacha20 Key = 0000000000000000000000000000000000000000000000000000000000000000 IV = 00000000000000000000000000000000 Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Ciphertext = 76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586 +# A.1 Test Vector 2 +Cipher = chacha20 +Key = 0000000000000000000000000000000000000000000000000000000000000000 +IV = 01000000000000000000000000000000 +Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +Ciphertext = 9f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29b721769ce64e43d57133b074d839d531ed1f28510afb45ace10a1f4b794d6f + +# A.2 Test Vector 1 is the same as A.1 Test Vector 1 +# A.2 Test Vector 2 +Cipher = chacha20 +Key = 0000000000000000000000000000000000000000000000000000000000000001 +#Counter (first 4 bytes) expressed in little-endian order +IV = 01000000000000000000000000000002 +Plaintext = 416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f +Ciphertext = a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221 + +# A.2 Test Vector 3 +Cipher = chacha20 +Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 +#Counter (first 4 bytes) expressed in little-endian order +IV = 2a000000000000000000000000000002 +Plaintext = 2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e +Ciphertext = 62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1 + +Title = Chacha20 + Cipher = chacha20 Key = 0000000000000000000000000000000000000000000000000000000000000001 IV = 00000000000000000000000000000000 @@ -2506,3 +2563,12 @@ AAD = f33388860000000000004e91 Tag = e0723bce23528ce6ccb10ff9627038bf Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140 + +Cipher = chacha20-poly1305 +Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 +IV = ff000000000102030405060708 +AAD = f33388860000000000004e91 +Tag = e0723bce23528ce6ccb10ff9627038bf +Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d +Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140 +Result = INVALID_IV_LENGTH diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt --- openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt 2019-05-03 08:55:51.539406883 +0200 @@ -351,6 +351,14 @@ Input = "Sample message for keylen>block Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687 Output = 5f464f5e5b7848e3885e49b2c385f0694985d0e38966242dc4a5fe3fea4b37d46b65ceced5dcf59438dd840bab22269f0ba7febdb9fcf74602a35666b2a32915 +Title = HMAC self generated tests + +MAC = HMAC +Algorithm = SHAKE128 +Input = "Test that SHAKE128 fails" +Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f +Result = DIGESTSIGNINIT_ERROR + Title = CMAC tests (from FIPS module) diff -up openssl-1.1.1b/test/recipes/80-test_cms.t.sync openssl-1.1.1b/test/recipes/80-test_cms.t --- openssl-1.1.1b/test/recipes/80-test_cms.t.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/test/recipes/80-test_cms.t 2019-05-03 08:55:51.533406986 +0200 @@ -308,6 +308,14 @@ my @smime_cms_param_tests = ( "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] ], + [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=-3", + [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", + "-keyopt", "rsa_pss_saltlen:-3", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "PEM", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes", [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr", "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", diff -up openssl-1.1.1b/test/rsa_test.c.sync openssl-1.1.1b/test/rsa_test.c --- openssl-1.1.1b/test/rsa_test.c.sync 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/test/rsa_test.c 2019-05-03 08:55:51.523407157 +0200 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -268,6 +268,36 @@ err: return ret; } +static int test_rsa_sslv23(int idx) +{ + int ret = 0; + RSA *key; + unsigned char ptext[256]; + unsigned char ctext[256]; + static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; + unsigned char ctext_ex[256]; + int plen; + int clen = 0; + int num; + + plen = sizeof(ptext_ex) - 1; + clen = rsa_setkey(&key, ctext_ex, idx); + + num = RSA_public_encrypt(plen, ptext_ex, ctext, key, + RSA_SSLV23_PADDING); + if (!TEST_int_eq(num, clen)) + goto err; + + num = RSA_private_decrypt(num, ctext, ptext, key, RSA_SSLV23_PADDING); + if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) + goto err; + + ret = 1; +err: + RSA_free(key); + return ret; +} + static int test_rsa_oaep(int idx) { int ret = 0; @@ -332,6 +362,7 @@ err: int setup_tests(void) { ADD_ALL_TESTS(test_rsa_pkcs1, 3); + ADD_ALL_TESTS(test_rsa_sslv23, 3); ADD_ALL_TESTS(test_rsa_oaep, 3); return 1; }