Date:      Tue, 20 Nov 2018 18:59:42 +0000 (UTC)
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject:   svn commit: r340690 - in vendor-crypto/openssl/dist: . apps crypto crypto/async/arch crypto/bio crypto/bn crypto/bn/asm crypto/conf crypto/ct crypto/dsa crypto/ec crypto/engine crypto/err crypto/ev...
Message-ID:  <201811201859.wAKIxgXI060663@repo.freebsd.org>

Author: jkim
Date: Tue Nov 20 18:59:41 2018
New Revision: 340690
URL: https://svnweb.freebsd.org/changeset/base/340690

Log:
  Import OpenSSL 1.1.1a.

Added:
  vendor-crypto/openssl/dist/crypto/getenv.c   (contents, props changed)
  vendor-crypto/openssl/dist/doc/man3/SSL_get_peer_tmp_key.pod
Deleted:
  vendor-crypto/openssl/dist/doc/man3/SSL_CTX_set_client_CA_list.pod
  vendor-crypto/openssl/dist/doc/man3/SSL_get_client_CA_list.pod
  vendor-crypto/openssl/dist/doc/man3/SSL_get_server_tmp_key.pod
Modified:
  vendor-crypto/openssl/dist/CHANGES
  vendor-crypto/openssl/dist/Configure
  vendor-crypto/openssl/dist/INSTALL
  vendor-crypto/openssl/dist/NEWS
  vendor-crypto/openssl/dist/README
  vendor-crypto/openssl/dist/apps/app_rand.c
  vendor-crypto/openssl/dist/apps/apps.c
  vendor-crypto/openssl/dist/apps/apps.h
  vendor-crypto/openssl/dist/apps/ca.c
  vendor-crypto/openssl/dist/apps/ocsp.c
  vendor-crypto/openssl/dist/apps/openssl.cnf
  vendor-crypto/openssl/dist/apps/opt.c
  vendor-crypto/openssl/dist/apps/rehash.c
  vendor-crypto/openssl/dist/apps/rsa.c
  vendor-crypto/openssl/dist/apps/s_cb.c
  vendor-crypto/openssl/dist/apps/s_server.c
  vendor-crypto/openssl/dist/apps/speed.c
  vendor-crypto/openssl/dist/apps/x509.c
  vendor-crypto/openssl/dist/crypto/LPdir_unix.c
  vendor-crypto/openssl/dist/crypto/async/arch/async_posix.h
  vendor-crypto/openssl/dist/crypto/bio/b_sock2.c
  vendor-crypto/openssl/dist/crypto/bio/bio_lib.c
  vendor-crypto/openssl/dist/crypto/bio/bss_log.c
  vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c
  vendor-crypto/openssl/dist/crypto/bn/bn_exp.c
  vendor-crypto/openssl/dist/crypto/bn/bn_lib.c
  vendor-crypto/openssl/dist/crypto/build.info
  vendor-crypto/openssl/dist/crypto/conf/conf_api.c
  vendor-crypto/openssl/dist/crypto/conf/conf_mod.c
  vendor-crypto/openssl/dist/crypto/cryptlib.c
  vendor-crypto/openssl/dist/crypto/ct/ct_log.c
  vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c
  vendor-crypto/openssl/dist/crypto/dsa/dsa_ossl.c
  vendor-crypto/openssl/dist/crypto/ec/ec_ameth.c
  vendor-crypto/openssl/dist/crypto/ec/ec_mult.c
  vendor-crypto/openssl/dist/crypto/ec/ec_pmeth.c
  vendor-crypto/openssl/dist/crypto/ec/ecdh_kdf.c
  vendor-crypto/openssl/dist/crypto/engine/eng_devcrypto.c
  vendor-crypto/openssl/dist/crypto/engine/eng_list.c
  vendor-crypto/openssl/dist/crypto/err/openssl.txt
  vendor-crypto/openssl/dist/crypto/evp/e_aes.c
  vendor-crypto/openssl/dist/crypto/evp/e_rc2.c
  vendor-crypto/openssl/dist/crypto/evp/pmeth_lib.c
  vendor-crypto/openssl/dist/crypto/include/internal/ec_int.h
  vendor-crypto/openssl/dist/crypto/include/internal/rand_int.h
  vendor-crypto/openssl/dist/crypto/kdf/hkdf.c
  vendor-crypto/openssl/dist/crypto/mem_sec.c
  vendor-crypto/openssl/dist/crypto/o_fopen.c
  vendor-crypto/openssl/dist/crypto/pkcs12/p12_mutl.c
  vendor-crypto/openssl/dist/crypto/poly1305/poly1305_ieee754.c
  vendor-crypto/openssl/dist/crypto/rand/drbg_ctr.c
  vendor-crypto/openssl/dist/crypto/rand/drbg_lib.c
  vendor-crypto/openssl/dist/crypto/rand/rand_err.c
  vendor-crypto/openssl/dist/crypto/rand/rand_lcl.h
  vendor-crypto/openssl/dist/crypto/rand/rand_lib.c
  vendor-crypto/openssl/dist/crypto/rand/rand_unix.c
  vendor-crypto/openssl/dist/crypto/rand/randfile.c
  vendor-crypto/openssl/dist/crypto/rsa/rsa_lib.c
  vendor-crypto/openssl/dist/crypto/rsa/rsa_meth.c
  vendor-crypto/openssl/dist/crypto/rsa/rsa_ossl.c
  vendor-crypto/openssl/dist/crypto/sha/asm/keccak1600-s390x.pl
  vendor-crypto/openssl/dist/crypto/sha/asm/sha512p8-ppc.pl
  vendor-crypto/openssl/dist/crypto/siphash/siphash.c
  vendor-crypto/openssl/dist/crypto/sm2/sm2_crypt.c
  vendor-crypto/openssl/dist/crypto/sm2/sm2_sign.c
  vendor-crypto/openssl/dist/crypto/ui/ui_openssl.c
  vendor-crypto/openssl/dist/crypto/x509/by_dir.c
  vendor-crypto/openssl/dist/crypto/x509/by_file.c
  vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c
  vendor-crypto/openssl/dist/doc/man1/ca.pod
  vendor-crypto/openssl/dist/doc/man1/enc.pod
  vendor-crypto/openssl/dist/doc/man1/openssl.pod
  vendor-crypto/openssl/dist/doc/man1/req.pod
  vendor-crypto/openssl/dist/doc/man1/rsa.pod
  vendor-crypto/openssl/dist/doc/man1/s_server.pod
  vendor-crypto/openssl/dist/doc/man1/storeutl.pod
  vendor-crypto/openssl/dist/doc/man1/x509.pod
  vendor-crypto/openssl/dist/doc/man3/DES_random_key.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_DigestInit.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_PKEY_CTX_ctrl.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_PKEY_CTX_set_hkdf_md.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_PKEY_set1_RSA.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_aes.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_aria.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_bf_cbc.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_camellia.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_cast5_cbc.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_des.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_idea_cbc.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_md5.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_rc2_cbc.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_rc5_32_12_16_cbc.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_seed_cbc.pod
  vendor-crypto/openssl/dist/doc/man3/EVP_sm4_cbc.pod
  vendor-crypto/openssl/dist/doc/man3/OPENSSL_VERSION_NUMBER.pod
  vendor-crypto/openssl/dist/doc/man3/RSA_meth_new.pod
  vendor-crypto/openssl/dist/doc/man3/SSL_CTX_set0_CA_list.pod
  vendor-crypto/openssl/dist/doc/man3/SSL_CTX_set1_curves.pod
  vendor-crypto/openssl/dist/doc/man3/SSL_CTX_set_quiet_shutdown.pod
  vendor-crypto/openssl/dist/doc/man3/SSL_get_error.pod
  vendor-crypto/openssl/dist/doc/man3/SSL_get_peer_signature_nid.pod
  vendor-crypto/openssl/dist/doc/man3/SSL_set_bio.pod
  vendor-crypto/openssl/dist/doc/man3/SSL_set_shutdown.pod
  vendor-crypto/openssl/dist/doc/man3/SSL_shutdown.pod
  vendor-crypto/openssl/dist/doc/man7/RAND_DRBG.pod
  vendor-crypto/openssl/dist/e_os.h
  vendor-crypto/openssl/dist/include/internal/cryptlib.h
  vendor-crypto/openssl/dist/include/internal/tsan_assist.h
  vendor-crypto/openssl/dist/include/openssl/cryptoerr.h
  vendor-crypto/openssl/dist/include/openssl/ec.h
  vendor-crypto/openssl/dist/include/openssl/ocsp.h
  vendor-crypto/openssl/dist/include/openssl/opensslv.h
  vendor-crypto/openssl/dist/include/openssl/rand_drbg.h
  vendor-crypto/openssl/dist/include/openssl/randerr.h
  vendor-crypto/openssl/dist/include/openssl/rsa.h
  vendor-crypto/openssl/dist/include/openssl/ssl.h
  vendor-crypto/openssl/dist/include/openssl/symhacks.h
  vendor-crypto/openssl/dist/include/openssl/tls1.h
  vendor-crypto/openssl/dist/ssl/d1_lib.c
  vendor-crypto/openssl/dist/ssl/record/rec_layer_d1.c
  vendor-crypto/openssl/dist/ssl/record/record.h
  vendor-crypto/openssl/dist/ssl/record/record_locl.h
  vendor-crypto/openssl/dist/ssl/record/ssl3_record.c
  vendor-crypto/openssl/dist/ssl/s3_cbc.c
  vendor-crypto/openssl/dist/ssl/s3_enc.c
  vendor-crypto/openssl/dist/ssl/s3_lib.c
  vendor-crypto/openssl/dist/ssl/ssl_cert.c
  vendor-crypto/openssl/dist/ssl/ssl_ciph.c
  vendor-crypto/openssl/dist/ssl/ssl_lib.c
  vendor-crypto/openssl/dist/ssl/ssl_locl.h
  vendor-crypto/openssl/dist/ssl/statem/extensions.c
  vendor-crypto/openssl/dist/ssl/statem/extensions_clnt.c
  vendor-crypto/openssl/dist/ssl/statem/statem.c
  vendor-crypto/openssl/dist/ssl/statem/statem_clnt.c
  vendor-crypto/openssl/dist/ssl/statem/statem_lib.c
  vendor-crypto/openssl/dist/ssl/statem/statem_locl.h
  vendor-crypto/openssl/dist/ssl/statem/statem_srvr.c
  vendor-crypto/openssl/dist/ssl/t1_lib.c
  vendor-crypto/openssl/dist/ssl/tls13_enc.c

Modified: vendor-crypto/openssl/dist/CHANGES
==============================================================================
--- vendor-crypto/openssl/dist/CHANGES	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/CHANGES	Tue Nov 20 18:59:41 2018	(r340690)
@@ -7,6 +7,42 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
+
+  *) Timing vulnerability in DSA signature generation
+
+     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+     (CVE-2018-0734)
+     [Paul Dale]
+
+  *) Timing vulnerability in ECDSA signature generation
+
+     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+     (CVE-2018-0735)
+     [Paul Dale]
+
+  *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
+     the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
+     are retained for backwards compatibility.
+     [Antoine Salon]
+
+  *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
+     if its length exceeds 4096 bytes. The limit has been raised to a buffer size
+     of two gigabytes and the error handling improved.
+
+     This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
+     categorized as a normal bug, not a security issue, because the DRBG reseeds
+     automatically and is fully functional even without additional randomness
+     provided by the application.
+
  Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
 
   *) Add a new ClientHello callback. Provides a callback interface that gives
@@ -13103,4 +13139,3 @@ des-cbc           3624.96k     5258.21k     5530.91k  
   *) A minor bug in ssl/s3_clnt.c where there would always be 4 0
      bytes sent in the client random.
      [Edward Bishop <ebishop@spyglass.com>]
-

Modified: vendor-crypto/openssl/dist/Configure
==============================================================================
--- vendor-crypto/openssl/dist/Configure	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/Configure	Tue Nov 20 18:59:41 2018	(r340690)
@@ -1013,13 +1013,18 @@ if (scalar(@seed_sources) == 0) {
 if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
     die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
     warn <<_____ if scalar(@seed_sources) == 1;
-You have selected the --with-rand-seed=none option, which effectively disables
-automatic reseeding of the OpenSSL random generator. All operations depending
-on the random generator such as creating keys will not work unless the random
-generator is seeded manually by the application.
 
-Please read the 'Note on random number generation' section in the INSTALL
-instructions and the RAND_DRBG(7) manual page for more details.
+============================== WARNING ===============================
+You have selected the --with-rand-seed=none option, which effectively
+disables automatic reseeding of the OpenSSL random generator.
+All operations depending on the random generator such as creating keys
+will not work unless the random generator is seeded manually by the
+application.
+
+Please read the 'Note on random number generation' section in the
+INSTALL instructions and the RAND_DRBG(7) manual page for more details.
+============================== WARNING ===============================
+
 _____
 }
 push @{$config{openssl_other_defines}},
@@ -2174,6 +2179,16 @@ EOF
 
     # Massage the result
 
+    # If the user configured no-shared, we allow no shared sources
+    if ($disabled{shared}) {
+        foreach (keys %{$unified_info{shared_sources}}) {
+            foreach (keys %{$unified_info{shared_sources}->{$_}}) {
+                delete $unified_info{sources}->{$_};
+            }
+        }
+        $unified_info{shared_sources} = {};
+    }
+
     # If we depend on a header file or a perl module, add an inclusion of
     # its directory to allow smoothe inclusion
     foreach my $dest (keys %{$unified_info{depends}}) {
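Review bot: The two nested `foreach` loops in the new no-shared block both bind `$_`, so the inner loop shadows the product name the outer loop is iterating; the code is correct only because the inner list `keys %{$unified_info{shared_sources}->{$_}}` is evaluated with the outer `$_` before the inner loop rebinds it. Naming the loop variables removes the subtlety: `foreach my $prod (keys %{$unified_info{shared_sources}}) {` and `foreach my $src (keys %{$unified_info{shared_sources}->{$prod}}) { delete $unified_info{sources}->{$src}; }`. A one-line comment saying that shared-only sources are dropped from the plain source list, not just from shared_sources, would also help, since the deletion target is `sources`, not `shared_sources`.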
@@ -2198,8 +2213,8 @@ EOF
             next unless defined($unified_info{includes}->{$dest}->{$k});
             my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}};
             foreach my $obj (grep /\.o$/,
-                             (keys %{$unified_info{sources}->{$dest}},
-                              keys %{$unified_info{shared_sources}->{$dest}})) {
+                             (keys %{$unified_info{sources}->{$dest} // {}},
+                              keys %{$unified_info{shared_sources}->{$dest} // {}})) {
                 foreach my $inc (@incs) {
                     unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc
                         unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}};
@@ -2238,6 +2253,42 @@ EOF
                 [ @{$unified_info{includes}->{$dest}->{source}} ];
         }
     }
+
+    # For convenience collect information regarding directories where
+    # files are generated, those generated files and the end product
+    # they end up in where applicable.  Then, add build rules for those
+    # directories
+    my %loopinfo = ( "lib" => [ @{$unified_info{libraries}} ],
+                     "dso" => [ @{$unified_info{engines}} ],
+                     "bin" => [ @{$unified_info{programs}} ],
+                     "script" => [ @{$unified_info{scripts}} ] );
+    foreach my $type (keys %loopinfo) {
+        foreach my $product (@{$loopinfo{$type}}) {
+            my %dirs = ();
+            my $pd = dirname($product);
+
+            foreach (@{$unified_info{sources}->{$product} // []},
+                     @{$unified_info{shared_sources}->{$product} // []}) {
+                my $d = dirname($_);
+
+                # We don't want to create targets for source directories
+                # when building out of source
+                next if ($config{sourcedir} ne $config{builddir}
+                             && $d =~ m|^\Q$config{sourcedir}\E|);
+                # We already have a "test" target, and the current directory
+                # is just silly to make a target for
+                next if $d eq "test" || $d eq ".";
+
+                $dirs{$d} = 1;
+                push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
+                    if $d ne $pd;
+            }
+            foreach (keys %dirs) {
+                push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
+                    $product;
+            }
+        }
+    }
 }
 
 # For the schemes that need it, we provide the old *_obj configs
@@ -2712,10 +2763,16 @@ print <<"EOF";
 
 **********************************************************************
 ***                                                                ***
-***   If you want to report a building issue, please include the   ***
-***   output from this command:                                    ***
+***   OpenSSL has been successfully configured                     ***
 ***                                                                ***
-***     perl configdata.pm --dump                                  ***
+***   If you encounter a problem while building, please open an    ***
+***   issue on GitHub <https://github.com/openssl/openssl/issues>;  ***
+***   and include the output from the following command:           ***
+***                                                                ***
+***       perl configdata.pm --dump                                ***
+***                                                                ***
+***   (If you are new to OpenSSL, you might want to consult the    ***
+***   'Troubleshooting' section in the INSTALL file first)         ***
 ***                                                                ***
 **********************************************************************
 EOF

Modified: vendor-crypto/openssl/dist/INSTALL
==============================================================================
--- vendor-crypto/openssl/dist/INSTALL	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/INSTALL	Tue Nov 20 18:59:41 2018	(r340690)
@@ -614,8 +614,8 @@
                                    Windows, and as a comma separated list of
                                    libraries on VMS.
                    RANLIB          The library archive indexer.
-                   RC              The Windows resources manipulator.
-                   RCFLAGS         Flags for the Windows reources manipulator.
+                   RC              The Windows resource compiler.
+                   RCFLAGS         Flags for the Windows resource compiler.
                    RM              The command to remove files and directories.
 
                    These cannot be mixed with compiling / linking flags given
@@ -969,7 +969,7 @@
 
  BUILDFILE
                 Use a different build file name than the platform default
-                ("Makefile" on Unixly platforms, "makefile" on native Windows,
+                ("Makefile" on Unix-like platforms, "makefile" on native Windows,
                 "descrip.mms" on OpenVMS).  This requires that there is a
                 corresponding build file template.  See Configurations/README
                 for further information.
@@ -1171,7 +1171,7 @@
  part of the file name, i.e. for OpenSSL 1.1.x, 1.1 is somehow part of
  the name.
 
- On most POSIXly platforms, shared libraries are named libcrypto.so.1.1
+ On most POSIX platforms, shared libraries are named libcrypto.so.1.1
  and libssl.so.1.1.
 
  on Cygwin, shared libraries are named cygcrypto-1.1.dll and cygssl-1.1.dll
@@ -1202,7 +1202,7 @@
  The seeding method can be configured using the --with-rand-seed option,
  which can be used to specify a comma separated list of seed methods.
  However in most cases OpenSSL will choose a suitable default method,
- so it is not necessary to explicitely provide this option. Note also
+ so it is not necessary to explicitly provide this option. Note also
  that not all methods are available on all platforms.
 
  I) On operating systems which provide a suitable randomness source (in

Modified: vendor-crypto/openssl/dist/NEWS
==============================================================================
--- vendor-crypto/openssl/dist/NEWS	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/NEWS	Tue Nov 20 18:59:41 2018	(r340690)
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
+
+      o Timing vulnerability in DSA signature generation (CVE-2018-0734)
+      o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
+
   Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]
 
       o Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3

Modified: vendor-crypto/openssl/dist/README
==============================================================================
--- vendor-crypto/openssl/dist/README	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/README	Tue Nov 20 18:59:41 2018	(r340690)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1 11 Sep 2018
+ OpenSSL 1.1.1a 20 Nov 2018
 
  Copyright (c) 1998-2018 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

Modified: vendor-crypto/openssl/dist/apps/app_rand.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/app_rand.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/app_rand.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -26,7 +26,6 @@ void app_RAND_load_conf(CONF *c, const char *section)
     if (RAND_load_file(randfile, -1) < 0) {
         BIO_printf(bio_err, "Can't load %s into RNG\n", randfile);
         ERR_print_errors(bio_err);
-        return;
     }
     if (save_rand_file == NULL)
         save_rand_file = OPENSSL_strdup(randfile);
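Review bot: With the `return` removed, a failing RAND_load_file() no longer aborts app_RAND_load_conf(), so `save_rand_file` is still set from `randfile` and the file will presumably be written out later even though it could not be read; nothing in the hunk says this is deliberate. A comment on the failure branch would stop the next reader from putting the return back, e.g. `/* Not fatal: the DRBG reseeds itself, and we still want the file written later */`. Note also that ERR_print_errors() drains the error queue, so after this point the caller has no trace that loading failed. app_RAND_load_conf() starts outside this hunk.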

Modified: vendor-crypto/openssl/dist/apps/apps.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/apps.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/apps.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -1831,6 +1831,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int
                       opt_getprog(), typestr);
             continue;
         }
+        if (*valstr == '\0') {
+            BIO_printf(bio_err,
+                       "%s: No value provided for Subject Attribute %s, skipped\n",
+                       opt_getprog(), typestr);
+            continue;
+        }
         if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
                                         valstr, strlen((char *)valstr),
                                         -1, ismulti ? -1 : 0))

Modified: vendor-crypto/openssl/dist/apps/apps.h
==============================================================================
--- vendor-crypto/openssl/dist/apps/apps.h	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/apps.h	Tue Nov 20 18:59:41 2018	(r340690)
@@ -369,7 +369,7 @@ typedef struct string_int_pair_st {
 # define OPT_FMT_SMIME           (1L <<  3)
 # define OPT_FMT_ENGINE          (1L <<  4)
 # define OPT_FMT_MSBLOB          (1L <<  5)
-# define OPT_FMT_NETSCAPE        (1L <<  6)
+/* (1L <<  6) was OPT_FMT_NETSCAPE, but wasn't used */
 # define OPT_FMT_NSS             (1L <<  7)
 # define OPT_FMT_TEXT            (1L <<  8)
 # define OPT_FMT_HTTP            (1L <<  9)
@@ -378,8 +378,8 @@ typedef struct string_int_pair_st {
 # define OPT_FMT_PDS     (OPT_FMT_PEMDER | OPT_FMT_SMIME)
 # define OPT_FMT_ANY     ( \
         OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
-        OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \
-        OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
+        OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS   | \
+        OPT_FMT_TEXT   | OPT_FMT_HTTP   | OPT_FMT_PVK)
 
 char *opt_progname(const char *argv0);
 char *opt_getprog(void);

Modified: vendor-crypto/openssl/dist/apps/ca.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/ca.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/ca.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -605,7 +605,7 @@ end_of_options:
         /*
          * outdir is a directory spec, but access() for VMS demands a
          * filename.  We could use the DEC C routine to convert the
-         * directory syntax to Unixly, and give that to app_isdir,
+         * directory syntax to Unix, and give that to app_isdir,
          * but for now the fopen will catch the error if it's not a
          * directory
          */
@@ -976,7 +976,7 @@ end_of_options:
             BIO_printf(bio_err, "Write out database with %d new entries\n",
                        sk_X509_num(cert_sk));
 
-            if (!rand_ser
+            if (serialfile != NULL
                     && !save_serial(serialfile, "new", serial, NULL))
                 goto end;
 
@@ -1044,7 +1044,8 @@ end_of_options:
 
         if (sk_X509_num(cert_sk)) {
             /* Rename the database and the serial file */
-            if (!rotate_serial(serialfile, "new", "old"))
+            if (serialfile != NULL
+                    && !rotate_serial(serialfile, "new", "old"))
                 goto end;
 
             if (!rotate_index(dbfile, "new", "old"))
@@ -1177,10 +1178,9 @@ end_of_options:
         }
 
         /* we have a CRL number that need updating */
-        if (crlnumberfile != NULL)
-            if (!rand_ser
-                    && !save_serial(crlnumberfile, "new", crlnumber, NULL))
-                goto end;
+        if (crlnumberfile != NULL
+                && !save_serial(crlnumberfile, "new", crlnumber, NULL))
+            goto end;
 
         BN_free(crlnumber);
         crlnumber = NULL;
@@ -1195,9 +1195,10 @@ end_of_options:
 
         PEM_write_bio_X509_CRL(Sout, crl);
 
-        if (crlnumberfile != NULL) /* Rename the crlnumber file */
-            if (!rotate_serial(crlnumberfile, "new", "old"))
-                goto end;
+        /* Rename the crlnumber file */
+        if (crlnumberfile != NULL
+                && !rotate_serial(crlnumberfile, "new", "old"))
+            goto end;
 
     }
     /*****************************************************************/

Modified: vendor-crypto/openssl/dist/apps/ocsp.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/ocsp.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/ocsp.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -950,6 +950,7 @@ static void spawn_loop(void)
             sleep(30);
             break;
         case 0:             /* child */
+            OPENSSL_free(kidpids);
             signal(SIGINT, SIG_DFL);
             signal(SIGTERM, SIG_DFL);
             if (termsig)
@@ -976,6 +977,7 @@ static void spawn_loop(void)
     }
 
     /* The loop above can only break on termsig */
+    OPENSSL_free(kidpids);
     syslog(LOG_INFO, "terminating on signal: %d", termsig);
     killall(0, kidpids);
 }
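Review bot: The second added `OPENSSL_free(kidpids)` frees the pid array and, one line later, `killall(0, kidpids)` reads it to signal the children, so the parent's shutdown path now runs on freed memory (a use-after-free). The free belongs after the children have been signalled: keep `killall(0, kidpids);` and move `OPENSSL_free(kidpids);` to the line after it. The child-side free in the previous hunk is fine as far as the hunk shows, provided the child never touches `kidpids` afterwards; spawn_loop()'s body continues outside this hunk.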

Modified: vendor-crypto/openssl/dist/apps/openssl.cnf
==============================================================================
--- vendor-crypto/openssl/dist/apps/openssl.cnf	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/openssl.cnf	Tue Nov 20 18:59:41 2018	(r340690)
@@ -10,7 +10,6 @@
 # This definition stops the following lines choking if HOME isn't
 # defined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 
 # Extra OBJECT IDENTIFIER info:
 #oid_file		= $ENV::HOME/.oid
@@ -57,7 +56,6 @@ crlnumber	= $dir/crlnumber	# the current crl number
 					# must be commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 x509_extensions	= usr_cert		# The extensions to add to the cert
 

Modified: vendor-crypto/openssl/dist/apps/opt.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/opt.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/opt.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -168,7 +168,6 @@ static OPT_PAIR formats[] = {
     {"smime", OPT_FMT_SMIME},
     {"engine", OPT_FMT_ENGINE},
     {"msblob", OPT_FMT_MSBLOB},
-    {"netscape", OPT_FMT_NETSCAPE},
     {"nss", OPT_FMT_NSS},
     {"text", OPT_FMT_TEXT},
     {"http", OPT_FMT_HTTP},

Modified: vendor-crypto/openssl/dist/apps/rehash.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/rehash.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/rehash.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -1,6 +1,6 @@
 /*
  * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com>
+ * Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com>
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

Modified: vendor-crypto/openssl/dist/apps/rsa.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/rsa.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/rsa.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -38,8 +38,8 @@ typedef enum OPTION_choice {
 
 const OPTIONS rsa_options[] = {
     {"help", OPT_HELP, '-', "Display this summary"},
-    {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"},
-    {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"},
+    {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"},
+    {"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"},
     {"in", OPT_IN, 's', "Input file"},
     {"out", OPT_OUT, '>', "Output file"},
     {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
@@ -269,6 +269,9 @@ int rsa_main(int argc, char **argv)
     } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
         EVP_PKEY *pk;
         pk = EVP_PKEY_new();
+        if (pk == NULL)
+            goto end;
+
         EVP_PKEY_set1_RSA(pk, rsa);
         if (outformat == FORMAT_PVK) {
             if (pubin) {
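Review bot: The new `pk == NULL` check jumps to `end` without recording why, and the very next line, `EVP_PKEY_set1_RSA(pk, rsa)`, is still unchecked in this hunk, so a failure there proceeds to write out an empty key. Suggest checking it and releasing the freshly allocated key on that path, since `pk` is local to this block and the cleanup at `end` (outside the hunk) presumably does not know about it: `if (!EVP_PKEY_set1_RSA(pk, rsa)) { EVP_PKEY_free(pk); goto end; }`. A `BIO_printf(bio_err, ...)` on both error branches would also tell the user what went wrong rather than exiting silently; rsa_main() continues outside this hunk.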

Modified: vendor-crypto/openssl/dist/apps/s_cb.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/s_cb.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/s_cb.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -394,7 +394,8 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)
 int ssl_print_tmp_key(BIO *out, SSL *s)
 {
     EVP_PKEY *key;
-    if (!SSL_get_server_tmp_key(s, &key))
+
+    if (!SSL_get_peer_tmp_key(s, &key))
         return 1;
     BIO_puts(out, "Server Temp Key: ");
     switch (EVP_PKEY_id(key)) {
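Review bot: Switching from SSL_get_server_tmp_key() to SSL_get_peer_tmp_key() changes which side's ephemeral key is retrieved, but the literal on the following line still prints `Server Temp Key: `; if ssl_print_tmp_key() is also reached from the server side, that label would describe a client key. Consider `BIO_puts(out, SSL_is_server(s) ? "Client Temp Key: " : "Server Temp Key: ");`, or, if the function is only ever called by the client, a comment saying so above the call. The switch body continues outside the hunk.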

Modified: vendor-crypto/openssl/dist/apps/s_server.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/s_server.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/s_server.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -193,9 +193,8 @@ static int psk_find_session_cb(SSL *ssl, const unsigne
 
     if (strlen(psk_identity) != identity_len
             || memcmp(psk_identity, identity, identity_len) != 0) {
-        BIO_printf(bio_s_out,
-                   "PSK warning: client identity not what we expected"
-                   " (got '%s' expected '%s')\n", identity, psk_identity);
+        *sess = NULL;
+        return 1;
     }
 
     if (psksess != NULL) {
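Review bot: The identity-mismatch branch now declines the PSK silently (`*sess = NULL; return 1;`), and the BIO_printf that used to report the mismatch is gone, so an operator running s_server gets no hint why a configured PSK was not used. If the silence is deliberate, presumably because this callback also sees identities that are not the configured one and the old message was noise, a comment on the branch would keep the next reader from restoring it: `/* Not the configured identity: decline the PSK and let the handshake continue */`. psk_find_session_cb() starts outside this hunk.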
@@ -1622,6 +1621,11 @@ int s_server_main(int argc, char *argv[])
         goto end;
     }
 #endif
+    if (early_data && (www > 0 || rev)) {
+        BIO_printf(bio_err,
+                   "Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n");
+        goto end;
+    }
 
 #ifndef OPENSSL_NO_SCTP
     if (protocol == IPPROTO_SCTP) {

Modified: vendor-crypto/openssl/dist/apps/speed.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/speed.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/speed.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -2896,7 +2896,7 @@ int speed_main(int argc, char **argv)
 
             if (rsa_count <= 1) {
                 /* if longer than 10s, don't do any more */
-                for (testnum++; testnum < EC_NUM; testnum++)
+                for (testnum++; testnum < ECDSA_NUM; testnum++)
                     ecdsa_doit[testnum] = 0;
             }
         }

Modified: vendor-crypto/openssl/dist/apps/x509.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/x509.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/apps/x509.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -67,10 +67,10 @@ typedef enum OPTION_choice {
 const OPTIONS x509_options[] = {
     {"help", OPT_HELP, '-', "Display this summary"},
     {"inform", OPT_INFORM, 'f',
-     "Input format - default PEM (one of DER, NET or PEM)"},
+     "Input format - default PEM (one of DER or PEM)"},
     {"in", OPT_IN, '<', "Input file - default stdin"},
     {"outform", OPT_OUTFORM, 'f',
-     "Output format - default PEM (one of DER, NET or PEM)"},
+     "Output format - default PEM (one of DER or PEM)"},
     {"out", OPT_OUT, '>', "Output file - default stdout"},
     {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
     {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},

Modified: vendor-crypto/openssl/dist/crypto/LPdir_unix.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/LPdir_unix.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/LPdir_unix.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -51,7 +51,7 @@
 #endif
 
 /*
- * The POSIXly macro for the maximum number of characters in a file path is
+ * The POSIX macro for the maximum number of characters in a file path is
  * NAME_MAX.  However, some operating systems use PATH_MAX instead.
  * Therefore, it seems natural to first check for PATH_MAX and use that, and
  * if it doesn't exist, use NAME_MAX.

Modified: vendor-crypto/openssl/dist/crypto/async/arch/async_posix.h
==============================================================================
--- vendor-crypto/openssl/dist/crypto/async/arch/async_posix.h	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/async/arch/async_posix.h	Tue Nov 20 18:59:41 2018	(r340690)
@@ -17,7 +17,8 @@
 
 # include <unistd.h>
 
-# if _POSIX_VERSION >= 200112L
+# if _POSIX_VERSION >= 200112L \
+     && (_POSIX_VERSION < 200809L || defined(__GLIBC__))
 
 # include <pthread.h>
 
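Review bot: The new condition silently disables the ucontext-based async path on non-glibc systems that report POSIX.1-2008, and nothing in the header says why; the likely reason is that makecontext()/swapcontext() were withdrawn from POSIX.1-2008 and glibc is the libc known to still ship them, but that should be written down rather than left for the next reader to rediscover. A comment above the `#if`, e.g. `/* ucontext functions were dropped from POSIX.1-2008; only rely on them on older POSIX or where glibc still provides them. */`, would do. What the excluded platforms fall back to is outside the hunk.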

Modified: vendor-crypto/openssl/dist/crypto/bio/b_sock2.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bio/b_sock2.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/bio/b_sock2.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -133,7 +133,9 @@ int BIO_connect(int sock, const BIO_ADDR *addr, int op
  */
 int BIO_bind(int sock, const BIO_ADDR *addr, int options)
 {
+# ifndef OPENSSL_SYS_WINDOWS
     int on = 1;
+# endif
 
     if (sock == -1) {
         BIOerr(BIO_F_BIO_BIND, BIO_R_INVALID_SOCKET);

Modified: vendor-crypto/openssl/dist/crypto/bio/bio_lib.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bio/bio_lib.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/bio/bio_lib.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -52,7 +52,7 @@ static long bio_call_callback(BIO *b, int oper, const 
         argi = (int)len;
     }
 
-    if (inret && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
+    if (inret > 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
         if (*processed > INT_MAX)
             return -1;
         inret = *processed;
@@ -60,7 +60,7 @@ static long bio_call_callback(BIO *b, int oper, const 
 
     ret = b->callback(b, oper, argp, argi, argl, inret);
 
-    if (ret >= 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
+    if (ret > 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
         *processed = (size_t)ret;
         ret = 1;
     }
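Review bot: With `ret > 0` instead of `ret >= 0`, a callback that returns 0 no longer rewrites `*processed` to 0 and its result is handed back as-is, so 0 and negative callback results now mean "not a length, pass it through" while only a positive value is treated as a byte count; that reads as the intent, but nothing in the function states the rule. A comment above the `if` would pin it down: `/* A positive callback result is a byte count; 0 or negative is returned to the caller unchanged. */`. The same convention is applied to `inret` in the previous hunk and deserves the same comment there. bio_call_callback begins before this hunk and its return lies outside it.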

Modified: vendor-crypto/openssl/dist/crypto/bio/bss_log.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bio/bss_log.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/bio/bss_log.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -408,4 +408,9 @@ static void xcloselog(BIO *bp)
 
 # endif                         /* Unix */
 
+#else                           /* NO_SYSLOG */
+const BIO_METHOD *BIO_s_log(void)
+{
+    return NULL;
+}
 #endif                          /* NO_SYSLOG */
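Review bot: The NO_SYSLOG stub makes `BIO_s_log()` return NULL, and callers that pass the result straight to `BIO_new()` get whatever that function does with a NULL method, which is not visible here and may be a less helpful failure than an explicit error. At minimum the stub should carry a comment so the contract is explicit: `/* No syslog on this platform: callers must treat a NULL method as "log BIO unavailable". */`. If an ERR reason exists for an unsupported BIO method, raising it here before returning NULL would give callers a diagnostic instead of a bare NULL.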

Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -63,12 +63,6 @@
  *    very much like 64-bit code compiled with no-asm on the same
  *    machine.
  */
-
-# if defined(_WIN64) || !defined(__LP64__)
-#  define BN_ULONG unsigned long long
-# else
-#  define BN_ULONG unsigned long
-# endif
 
 # undef mul
 # undef mul_add

Modified: vendor-crypto/openssl/dist/crypto/bn/bn_exp.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bn/bn_exp.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/bn/bn_exp.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -1077,7 +1077,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM
              * is not only slower but also makes each bit vulnerable to
              * EM (and likely other) side-channel attacks like One&Done
              * (for details see "One&Done: A Single-Decryption EM-Based
-             *  Attack on OpenSSL’s Constant-Time Blinded RSA" by M. Alam,
+             *  Attack on OpenSSL's Constant-Time Blinded RSA" by M. Alam,
              *  H. Khan, M. Dey, N. Sinha, R. Callan, A. Zajic, and
              *  M. Prvulovic, in USENIX Security'18)
              */

Modified: vendor-crypto/openssl/dist/crypto/bn/bn_lib.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bn/bn_lib.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/bn/bn_lib.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -767,26 +767,30 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, 
     b->neg ^= t;
 
     /*-
-     * Idea behind BN_FLG_STATIC_DATA is actually to
-     * indicate that data may not be written to.
-     * Intention is actually to treat it as it's
-     * read-only data, and some (if not most) of it does
-     * reside in read-only segment. In other words
-     * observation of BN_FLG_STATIC_DATA in
-     * BN_consttime_swap should be treated as fatal
-     * condition. It would either cause SEGV or
-     * effectively cause data corruption.
-     * BN_FLG_MALLOCED refers to BN structure itself,
-     * and hence must be preserved. Remaining flags are
-     * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be
-     * preserved, because it determines how x->d was
-     * allocated and hence how to free it. This leaves
-     * BN_FLG_CONSTTIME that one can do something about.
-     * To summarize it's sufficient to mask and swap
-     * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should
-     * be treated as fatal.
+     * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
+     * is actually to treat it as it's read-only data, and some (if not most)
+     * of it does reside in read-only segment. In other words observation of
+     * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
+     * condition. It would either cause SEGV or effectively cause data
+     * corruption.
+     *
+     * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
+     * preserved.
+     *
+     * BN_FLG_SECURE: must be preserved, because it determines how x->d was
+     * allocated and hence how to free it.
+     *
+     * BN_FLG_CONSTTIME: sufficient to mask and swap
+     *
+     * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
+     * the data, so the d array may be padded with additional 0 values (i.e.
+     * top could be greater than the minimal value that it could be). We should
+     * be swapping it
      */
-    t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition;
+
+#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
+
+    t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition;
     a->flags ^= t;
     b->flags ^= t;
 
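Review bot: `#define BN_CONSTTIME_SWAP_FLAGS` is placed in the middle of the function body, so the macro stays defined for the rest of the translation unit and reads like a statement at first glance; since it is used only on the following line, either inline it (`t = ((a->flags ^ b->flags) & (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)) & condition;`), move it to file scope, or `#undef` it after the swap. The rewritten comment also still calls observing BN_FLG_STATIC_DATA a fatal condition while the visible lines do not check for it; if such a check exists earlier in the function a pointer to it would help, otherwise the wording overstates what the code enforces. BN_consttime_swap begins and ends outside the hunk.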

Modified: vendor-crypto/openssl/dist/crypto/build.info
==============================================================================
--- vendor-crypto/openssl/dist/crypto/build.info	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/build.info	Tue Nov 20 18:59:41 2018	(r340690)
@@ -2,7 +2,7 @@ LIBS=../libcrypto
 SOURCE[../libcrypto]=\
         cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
         ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fopen.c ctype.c \
-        threads_pthread.c threads_win.c threads_none.c \
+        threads_pthread.c threads_win.c threads_none.c getenv.c \
         o_init.c o_fips.c mem_sec.c init.c {- $target{cpuid_asm_src} -} \
         {- $target{uplink_aux_src} -}
 EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \

Modified: vendor-crypto/openssl/dist/crypto/conf/conf_api.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/conf/conf_api.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/conf/conf_api.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -10,6 +10,7 @@
 /* Part of the code in here was originally in conf.c, which is now removed */
 
 #include "e_os.h"
+#include "internal/cryptlib.h"
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/conf.h>
@@ -82,7 +83,7 @@ char *_CONF_get_string(const CONF *conf, const char *s
             if (v != NULL)
                 return v->value;
             if (strcmp(section, "ENV") == 0) {
-                p = getenv(name);
+                p = ossl_safe_getenv(name);
                 if (p != NULL)
                     return p;
             }
@@ -95,7 +96,7 @@ char *_CONF_get_string(const CONF *conf, const char *s
         else
             return NULL;
     } else
-        return getenv(name);
+        return ossl_safe_getenv(name);
 }
 
 static unsigned long conf_value_hash(const CONF_VALUE *v)

Modified: vendor-crypto/openssl/dist/crypto/conf/conf_mod.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/conf/conf_mod.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/conf/conf_mod.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -480,11 +480,8 @@ char *CONF_get1_default_config_file(void)
     char *file, *sep = "";
     int len;
 
-    if (!OPENSSL_issetugid()) {
-        file = getenv("OPENSSL_CONF");
-        if (file)
-            return OPENSSL_strdup(file);
-    }
+    if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL)
+        return OPENSSL_strdup(file);
 
     len = strlen(X509_get_default_cert_area());
 #ifndef OPENSSL_SYS_VMS
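Review bot: The explicit `OPENSSL_issetugid()` guard around the `OPENSSL_CONF` lookup is gone, so the protection against a caller-controlled config path in set-uid/set-gid processes now rests entirely on `ossl_safe_getenv()`, whose definition is not in view. That is fine if it refuses the lookup in privileged processes, but a reader of this function can no longer see that the environment is deliberately ignored there; a comment preserves the intent: `/* ossl_safe_getenv() returns NULL in set-uid/set-gid processes, so a caller-controlled OPENSSL_CONF cannot redirect config loading there. */`. CONF_get1_default_config_file continues past the hunk.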

Modified: vendor-crypto/openssl/dist/crypto/cryptlib.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/cryptlib.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/cryptlib.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -204,7 +204,7 @@ int OPENSSL_isservice(void)
 
     if (_OPENSSL_isservice.p == NULL) {
         HANDLE mod = GetModuleHandle(NULL);
-        FARPROC f;
+        FARPROC f = NULL;
 
         if (mod != NULL)
             f = GetProcAddress(mod, "_OPENSSL_isservice");

Modified: vendor-crypto/openssl/dist/crypto/ct/ct_log.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/ct/ct_log.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/ct/ct_log.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -137,7 +137,7 @@ static int ctlog_new_from_conf(CTLOG **ct_log, const C
 
 int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
 {
-    const char *fpath = getenv(CTLOG_FILE_EVP);
+    const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP);
 
     if (fpath == NULL)
       fpath = CTLOG_FILE;

Modified: vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -327,6 +327,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N
     if (mctx == NULL)
         goto err;
 
+    /* make sure L > N, otherwise we'll get trapped in an infinite loop */
+    if (L <= N) {
+        DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
+        goto err;
+    }
+
     if (evpmd == NULL) {
         if (N == 160)
             evpmd = EVP_sha1();
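Review bot: The new `L <= N` check runs after the `mctx` allocation just above it, so an invalid size pair allocates a digest context and then unwinds through `err` rather than failing before any work; moving the check ahead of `EVP_MD_CTX_new()`, alongside the other parameter validation, is cheaper and keeps input checks together. The comment explains the infinite-loop hazard well and should stay with the check wherever it lands. dsa_builtin_paramgen2 begins and ends outside the hunk.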

Modified: vendor-crypto/openssl/dist/crypto/dsa/dsa_ossl.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/dsa/dsa_ossl.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/dsa/dsa_ossl.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -9,6 +9,7 @@
 
 #include <stdio.h>
 #include "internal/cryptlib.h"
+#include "internal/bn_int.h"
 #include <openssl/bn.h>
 #include <openssl/sha.h>
 #include "dsa_locl.h"
@@ -23,6 +24,8 @@ static int dsa_do_verify(const unsigned char *dgst, in
                          DSA_SIG *sig, DSA *dsa);
 static int dsa_init(DSA *dsa);
 static int dsa_finish(DSA *dsa);
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+                                      BN_CTX *ctx);
 
 static DSA_METHOD openssl_dsa_meth = {
     "OpenSSL DSA method",
@@ -178,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 {
     BN_CTX *ctx = NULL;
     BIGNUM *k, *kinv = NULL, *r = *rp;
-    BIGNUM *l, *m;
+    BIGNUM *l;
     int ret = 0;
-    int q_bits;
+    int q_bits, q_words;
 
     if (!dsa->p || !dsa->q || !dsa->g) {
         DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
@@ -189,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 
     k = BN_new();
     l = BN_new();
-    m = BN_new();
-    if (k == NULL || l == NULL || m == NULL)
+    if (k == NULL || l == NULL)
         goto err;
 
     if (ctx_in == NULL) {
@@ -201,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 
     /* Preallocate space */
     q_bits = BN_num_bits(dsa->q);
-    if (!BN_set_bit(k, q_bits)
-        || !BN_set_bit(l, q_bits)
-        || !BN_set_bit(m, q_bits))
+    q_words = bn_get_top(dsa->q);
+    if (!bn_wexpand(k, q_words + 2)
+        || !bn_wexpand(l, q_words + 2))
         goto err;
 
     /* Get random k */
@@ -221,6 +223,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
     } while (BN_is_zero(k));
 
     BN_set_flags(k, BN_FLG_CONSTTIME);
+    BN_set_flags(l, BN_FLG_CONSTTIME);
 
     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
@@ -238,14 +241,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
      * small timing information leakage.  We then choose the sum that is
      * one bit longer than the modulus.
      *
-     * TODO: revisit the BN_copy aiming for a memory access agnostic
-     * conditional copy.
+     * There are some concerns about the efficacy of doing this.  More
+     * specificly refer to the discussion starting with:
+     *     https://github.com/openssl/openssl/pull/7486#discussion_r228323705
+     * The fix is to rework BN so these gymnastics aren't required.
      */
     if (!BN_add(l, k, dsa->q)
-        || !BN_add(m, l, dsa->q)
-        || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
+        || !BN_add(k, l, dsa->q))
         goto err;
 
+    BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
+
     if ((dsa)->meth->bn_mod_exp != NULL) {
             if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
                                        dsa->method_mont_p))
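Review bot: The `q_words + 2` passed to `BN_consttime_swap()` must equal the width that `k` and `l` were expanded to by the `bn_wexpand()` calls in an earlier hunk, and nothing at this call site records that coupling, so the two can drift apart in a later edit. A single local used in both places, `const int swap_words = q_words + 2;`, or at least a comment here (`/* width must match the bn_wexpand() above */`) makes the invariant visible. The swap also relies on BN_FLG_FIXED_TOP now being exchanged by BN_consttime_swap (changed elsewhere in this import), which is worth a mention since the correctness of the "one bit longer" trick depends on it. dsa_sign_setup continues outside the hunk.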
@@ -258,8 +264,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
     if (!BN_mod(r, r, dsa->q, ctx))
         goto err;
 
-    /* Compute  part of 's = inv(k) (m + xr) mod q' */
-    if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
+    /* Compute part of 's = inv(k) (m + xr) mod q' */
+    if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
         goto err;
 
     BN_clear_free(*kinvp);
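Review bot: `dsa_mod_inverse_fermat()` only yields an inverse when `dsa->q` is prime; unlike `BN_mod_inverse()`, it does not fail for a composite `q`, it returns a value that is simply not `k^-1`, which would surface as invalid signatures rather than an error. `q` is a trusted parameter here, but that assumption now matters at this call site and should be stated: `/* Fermat inverse assumes q is prime; a composite q gives a wrong result, not an error. */`. dsa_sign_setup continues outside the hunk.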
@@ -273,7 +279,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
         BN_CTX_free(ctx);
     BN_clear_free(k);
     BN_clear_free(l);
-    BN_clear_free(m);
     return ret;
 }
 
@@ -392,4 +397,32 @@ static int dsa_finish(DSA *dsa)
 {
     BN_MONT_CTX_free(dsa->method_mont_p);
     return 1;
+}
+
+/*
+ * Compute the inverse of k modulo q.
+ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
+ * mod-exp operation.  Both the exponent and modulus are public information
+ * so a mod-exp that doesn't leak the base is sufficient.  A newly allocated
+ * BIGNUM is returned which the caller must free.
+ */
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+                                      BN_CTX *ctx)
+{
+    BIGNUM *res = NULL;
+    BIGNUM *r, *e;
+
+    if ((r = BN_new()) == NULL)
+        return NULL;
+
+    BN_CTX_start(ctx);
+    if ((e = BN_CTX_get(ctx)) != NULL
+            && BN_set_word(r, 2)
+            && BN_sub(e, q, r)
+            && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
+        res = r;
+    else
+        BN_free(r);
+    BN_CTX_end(ctx);
+    return res;
 }
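Review bot: The header comment says a mod-exp that does not leak the base is sufficient, but `dsa_mod_inverse_fermat()` does not request constant-time behaviour itself; it depends on the caller having set `BN_FLG_CONSTTIME` on `k` (done in dsa_sign_setup in an earlier hunk) so that `BN_mod_exp_mont()` takes its constant-time path, and that dispatch is not in view. The precondition should be part of the comment, e.g. `/* k must carry BN_FLG_CONSTTIME so that BN_mod_exp_mont() uses its constant-time path. */`, or the function could set the flag on a local copy of `k` so it no longer relies on the caller. A second precondition worth noting is that `k` must be non-zero mod q, since the result is then 0 rather than an inverse; the caller's `while (BN_is_zero(k))` loop covers that today but the helper does not say so.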

Modified: vendor-crypto/openssl/dist/crypto/ec/ec_ameth.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/ec/ec_ameth.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/ec/ec_ameth.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -699,7 +699,7 @@ static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, 
     if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
         return 0;
 
-    if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_62) <= 0)
+    if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
         return 0;
 
     kdf_md = EVP_get_digestbynid(kdfmd_nid);
@@ -864,7 +864,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
         ecdh_nid = NID_dh_cofactor_kdf;
 
     if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
-        kdf_type = EVP_PKEY_ECDH_KDF_X9_62;
+        kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
         if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
             goto err;
     } else

Modified: vendor-crypto/openssl/dist/crypto/ec/ec_mult.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/ec/ec_mult.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/ec/ec_mult.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POI
      */
     cardinality_bits = BN_num_bits(cardinality);
     group_top = bn_get_top(cardinality);
-    if ((bn_wexpand(k, group_top + 1) == NULL)
-        || (bn_wexpand(lambda, group_top + 1) == NULL)) {
+    if ((bn_wexpand(k, group_top + 2) == NULL)
+        || (bn_wexpand(lambda, group_top + 2) == NULL)) {
         ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
         goto err;
     }
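Review bot: `group_top + 2` is now a magic number that has to agree with the width passed to `BN_consttime_swap()` in the next hunk; the bump from `+ 1` to `+ 2` had to be applied in both places, which is exactly the drift a named local avoids. Suggest `const int kwords = group_top + 2;` used in both `bn_wexpand()` calls and in the swap, with a comment on why two extra words are needed: the arithmetic alone (`scalar + 2*cardinality` is at most two bits longer than `cardinality`) would seem to need one, so the second is presumably tied to BN_FLG_FIXED_TOP padding and should be stated. ec_scalar_mul_ladder continues outside the hunk.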
@@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POI
      * k := scalar + 2*cardinality
      */
     kbit = BN_is_bit_set(lambda, cardinality_bits);
-    BN_consttime_swap(kbit, k, lambda, group_top + 1);
+    BN_consttime_swap(kbit, k, lambda, group_top + 2);
 
     group_top = bn_get_top(group->field);
     if ((bn_wexpand(s->X, group_top) == NULL)

Modified: vendor-crypto/openssl/dist/crypto/ec/ec_pmeth.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/ec/ec_pmeth.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/ec/ec_pmeth.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -209,7 +209,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
     if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
         goto err;
     /* Do KDF stuff */
-    if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen,
+    if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen,
                         dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
         goto err;
     rv = 1;
@@ -281,7 +281,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, i
     case EVP_PKEY_CTRL_EC_KDF_TYPE:
         if (p1 == -2)
             return dctx->kdf_type;
-        if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62)
+        if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63)
             return -2;
         dctx->kdf_type = p1;
         return 1;

Modified: vendor-crypto/openssl/dist/crypto/ec/ecdh_kdf.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/ec/ecdh_kdf.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/ec/ecdh_kdf.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -10,12 +10,13 @@
 #include <string.h>
 #include <openssl/ec.h>
 #include <openssl/evp.h>
+#include "ec_lcl.h"
 
-/* Key derivation function from X9.62/SECG */
+/* Key derivation function from X9.63/SECG */
 /* Way more than we will ever need */
 #define ECDH_KDF_MAX    (1 << 30)
 
-int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
+int ecdh_KDF_X9_63(unsigned char *out, size_t outlen,
                    const unsigned char *Z, size_t Zlen,
                    const unsigned char *sinfo, size_t sinfolen,
                    const EVP_MD *md)
@@ -65,4 +66,16 @@ int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
  err:
     EVP_MD_CTX_free(mctx);
     return rv;
+}
+
+/*-
+ * The old name for ecdh_KDF_X9_63
+ * Retained for ABI compatibility
+ */
+int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
+                   const unsigned char *Z, size_t Zlen,
+                   const unsigned char *sinfo, size_t sinfolen,
+                   const EVP_MD *md)
+{
+    return ecdh_KDF_X9_63(out, outlen, Z, Zlen, sinfo, sinfolen, md);
 }

Modified: vendor-crypto/openssl/dist/crypto/engine/eng_devcrypto.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/engine/eng_devcrypto.c	Tue Nov 20 18:38:28 2018	(r340689)
+++ vendor-crypto/openssl/dist/crypto/engine/eng_devcrypto.c	Tue Nov 20 18:59:41 2018	(r340690)
@@ -28,6 +28,13 @@
 # define CHECK_BSD_STYLE_MACROS
 #endif
 
+/*
+ * ONE global file descriptor for all sessions.  This allows operations
+ * such as digest session data copying (see digest_copy()), but is also
+ * saner...  why re-open /dev/crypto for every session?
+ */
+static int cfd;
+
 /******************************************************************************
  *
  * Ciphers
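Review bot: `static int cfd;` is zero-initialised, and 0 is a valid descriptor (normally stdin), so any path that issues an ioctl before the engine has opened /dev/crypto, or after it has closed it, would target a real descriptor instead of failing cleanly; `static int cfd = -1;` makes the unopened state unmistakable and lets open/close paths test `cfd >= 0`. The comment should also say who opens and closes the shared descriptor and whether concurrent sessions and fork() are safe with a single process-wide fd, since it now backs every cipher and digest context; where it is opened is outside this hunk.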
@@ -39,7 +46,6 @@
  *****/
 
 struct cipher_ctx {
-    int cfd;
     struct session_op sess;
 
     /* to pass from init to do_cipher */
@@ -69,7 +75,7 @@ static const struct cipher_data_st {
     { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
     { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
 #ifndef OPENSSL_NO_RC4
-    { NID_rc4, 1, 16, 0, CRYPTO_ARC4 },
+    { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 },

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


