Date: Tue, 20 Nov 2018 18:59:42 +0000 (UTC) From: Jung-uk Kim <jkim@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r340690 - in vendor-crypto/openssl/dist: . apps crypto crypto/async/arch crypto/bio crypto/bn crypto/bn/asm crypto/conf crypto/ct crypto/dsa crypto/ec crypto/engine crypto/err crypto/ev... Message-ID: <201811201859.wAKIxgXI060663@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jkim Date: Tue Nov 20 18:59:41 2018 New Revision: 340690 URL: https://svnweb.freebsd.org/changeset/base/340690 Log: Import OpenSSL 1.1.1a. Added: vendor-crypto/openssl/dist/crypto/getenv.c (contents, props changed) vendor-crypto/openssl/dist/doc/man3/SSL_get_peer_tmp_key.pod Deleted: vendor-crypto/openssl/dist/doc/man3/SSL_CTX_set_client_CA_list.pod vendor-crypto/openssl/dist/doc/man3/SSL_get_client_CA_list.pod vendor-crypto/openssl/dist/doc/man3/SSL_get_server_tmp_key.pod Modified: vendor-crypto/openssl/dist/CHANGES vendor-crypto/openssl/dist/Configure vendor-crypto/openssl/dist/INSTALL vendor-crypto/openssl/dist/NEWS vendor-crypto/openssl/dist/README vendor-crypto/openssl/dist/apps/app_rand.c vendor-crypto/openssl/dist/apps/apps.c vendor-crypto/openssl/dist/apps/apps.h vendor-crypto/openssl/dist/apps/ca.c vendor-crypto/openssl/dist/apps/ocsp.c vendor-crypto/openssl/dist/apps/openssl.cnf vendor-crypto/openssl/dist/apps/opt.c vendor-crypto/openssl/dist/apps/rehash.c vendor-crypto/openssl/dist/apps/rsa.c vendor-crypto/openssl/dist/apps/s_cb.c vendor-crypto/openssl/dist/apps/s_server.c vendor-crypto/openssl/dist/apps/speed.c vendor-crypto/openssl/dist/apps/x509.c vendor-crypto/openssl/dist/crypto/LPdir_unix.c vendor-crypto/openssl/dist/crypto/async/arch/async_posix.h vendor-crypto/openssl/dist/crypto/bio/b_sock2.c vendor-crypto/openssl/dist/crypto/bio/bio_lib.c vendor-crypto/openssl/dist/crypto/bio/bss_log.c vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c vendor-crypto/openssl/dist/crypto/bn/bn_exp.c vendor-crypto/openssl/dist/crypto/bn/bn_lib.c vendor-crypto/openssl/dist/crypto/build.info vendor-crypto/openssl/dist/crypto/conf/conf_api.c vendor-crypto/openssl/dist/crypto/conf/conf_mod.c vendor-crypto/openssl/dist/crypto/cryptlib.c vendor-crypto/openssl/dist/crypto/ct/ct_log.c vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c vendor-crypto/openssl/dist/crypto/dsa/dsa_ossl.c vendor-crypto/openssl/dist/crypto/ec/ec_ameth.c vendor-crypto/openssl/dist/crypto/ec/ec_mult.c vendor-crypto/openssl/dist/crypto/ec/ec_pmeth.c vendor-crypto/openssl/dist/crypto/ec/ecdh_kdf.c vendor-crypto/openssl/dist/crypto/engine/eng_devcrypto.c vendor-crypto/openssl/dist/crypto/engine/eng_list.c vendor-crypto/openssl/dist/crypto/err/openssl.txt vendor-crypto/openssl/dist/crypto/evp/e_aes.c vendor-crypto/openssl/dist/crypto/evp/e_rc2.c vendor-crypto/openssl/dist/crypto/evp/pmeth_lib.c vendor-crypto/openssl/dist/crypto/include/internal/ec_int.h vendor-crypto/openssl/dist/crypto/include/internal/rand_int.h vendor-crypto/openssl/dist/crypto/kdf/hkdf.c vendor-crypto/openssl/dist/crypto/mem_sec.c vendor-crypto/openssl/dist/crypto/o_fopen.c vendor-crypto/openssl/dist/crypto/pkcs12/p12_mutl.c vendor-crypto/openssl/dist/crypto/poly1305/poly1305_ieee754.c vendor-crypto/openssl/dist/crypto/rand/drbg_ctr.c vendor-crypto/openssl/dist/crypto/rand/drbg_lib.c vendor-crypto/openssl/dist/crypto/rand/rand_err.c vendor-crypto/openssl/dist/crypto/rand/rand_lcl.h vendor-crypto/openssl/dist/crypto/rand/rand_lib.c vendor-crypto/openssl/dist/crypto/rand/rand_unix.c vendor-crypto/openssl/dist/crypto/rand/randfile.c vendor-crypto/openssl/dist/crypto/rsa/rsa_lib.c vendor-crypto/openssl/dist/crypto/rsa/rsa_meth.c vendor-crypto/openssl/dist/crypto/rsa/rsa_ossl.c vendor-crypto/openssl/dist/crypto/sha/asm/keccak1600-s390x.pl vendor-crypto/openssl/dist/crypto/sha/asm/sha512p8-ppc.pl vendor-crypto/openssl/dist/crypto/siphash/siphash.c vendor-crypto/openssl/dist/crypto/sm2/sm2_crypt.c vendor-crypto/openssl/dist/crypto/sm2/sm2_sign.c vendor-crypto/openssl/dist/crypto/ui/ui_openssl.c vendor-crypto/openssl/dist/crypto/x509/by_dir.c vendor-crypto/openssl/dist/crypto/x509/by_file.c vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c vendor-crypto/openssl/dist/doc/man1/ca.pod vendor-crypto/openssl/dist/doc/man1/enc.pod vendor-crypto/openssl/dist/doc/man1/openssl.pod vendor-crypto/openssl/dist/doc/man1/req.pod vendor-crypto/openssl/dist/doc/man1/rsa.pod vendor-crypto/openssl/dist/doc/man1/s_server.pod vendor-crypto/openssl/dist/doc/man1/storeutl.pod vendor-crypto/openssl/dist/doc/man1/x509.pod vendor-crypto/openssl/dist/doc/man3/DES_random_key.pod vendor-crypto/openssl/dist/doc/man3/EVP_DigestInit.pod vendor-crypto/openssl/dist/doc/man3/EVP_PKEY_CTX_ctrl.pod vendor-crypto/openssl/dist/doc/man3/EVP_PKEY_CTX_set_hkdf_md.pod vendor-crypto/openssl/dist/doc/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod vendor-crypto/openssl/dist/doc/man3/EVP_PKEY_set1_RSA.pod vendor-crypto/openssl/dist/doc/man3/EVP_aes.pod vendor-crypto/openssl/dist/doc/man3/EVP_aria.pod vendor-crypto/openssl/dist/doc/man3/EVP_bf_cbc.pod vendor-crypto/openssl/dist/doc/man3/EVP_camellia.pod vendor-crypto/openssl/dist/doc/man3/EVP_cast5_cbc.pod vendor-crypto/openssl/dist/doc/man3/EVP_des.pod vendor-crypto/openssl/dist/doc/man3/EVP_idea_cbc.pod vendor-crypto/openssl/dist/doc/man3/EVP_md5.pod vendor-crypto/openssl/dist/doc/man3/EVP_rc2_cbc.pod vendor-crypto/openssl/dist/doc/man3/EVP_rc5_32_12_16_cbc.pod vendor-crypto/openssl/dist/doc/man3/EVP_seed_cbc.pod vendor-crypto/openssl/dist/doc/man3/EVP_sm4_cbc.pod vendor-crypto/openssl/dist/doc/man3/OPENSSL_VERSION_NUMBER.pod vendor-crypto/openssl/dist/doc/man3/RSA_meth_new.pod vendor-crypto/openssl/dist/doc/man3/SSL_CTX_set0_CA_list.pod vendor-crypto/openssl/dist/doc/man3/SSL_CTX_set1_curves.pod vendor-crypto/openssl/dist/doc/man3/SSL_CTX_set_quiet_shutdown.pod vendor-crypto/openssl/dist/doc/man3/SSL_get_error.pod vendor-crypto/openssl/dist/doc/man3/SSL_get_peer_signature_nid.pod vendor-crypto/openssl/dist/doc/man3/SSL_set_bio.pod vendor-crypto/openssl/dist/doc/man3/SSL_set_shutdown.pod vendor-crypto/openssl/dist/doc/man3/SSL_shutdown.pod vendor-crypto/openssl/dist/doc/man7/RAND_DRBG.pod vendor-crypto/openssl/dist/e_os.h vendor-crypto/openssl/dist/include/internal/cryptlib.h vendor-crypto/openssl/dist/include/internal/tsan_assist.h vendor-crypto/openssl/dist/include/openssl/cryptoerr.h vendor-crypto/openssl/dist/include/openssl/ec.h vendor-crypto/openssl/dist/include/openssl/ocsp.h vendor-crypto/openssl/dist/include/openssl/opensslv.h vendor-crypto/openssl/dist/include/openssl/rand_drbg.h vendor-crypto/openssl/dist/include/openssl/randerr.h vendor-crypto/openssl/dist/include/openssl/rsa.h vendor-crypto/openssl/dist/include/openssl/ssl.h vendor-crypto/openssl/dist/include/openssl/symhacks.h vendor-crypto/openssl/dist/include/openssl/tls1.h vendor-crypto/openssl/dist/ssl/d1_lib.c vendor-crypto/openssl/dist/ssl/record/rec_layer_d1.c vendor-crypto/openssl/dist/ssl/record/record.h vendor-crypto/openssl/dist/ssl/record/record_locl.h vendor-crypto/openssl/dist/ssl/record/ssl3_record.c vendor-crypto/openssl/dist/ssl/s3_cbc.c vendor-crypto/openssl/dist/ssl/s3_enc.c vendor-crypto/openssl/dist/ssl/s3_lib.c vendor-crypto/openssl/dist/ssl/ssl_cert.c vendor-crypto/openssl/dist/ssl/ssl_ciph.c vendor-crypto/openssl/dist/ssl/ssl_lib.c vendor-crypto/openssl/dist/ssl/ssl_locl.h vendor-crypto/openssl/dist/ssl/statem/extensions.c vendor-crypto/openssl/dist/ssl/statem/extensions_clnt.c vendor-crypto/openssl/dist/ssl/statem/statem.c vendor-crypto/openssl/dist/ssl/statem/statem_clnt.c vendor-crypto/openssl/dist/ssl/statem/statem_lib.c vendor-crypto/openssl/dist/ssl/statem/statem_locl.h vendor-crypto/openssl/dist/ssl/statem/statem_srvr.c vendor-crypto/openssl/dist/ssl/t1_lib.c vendor-crypto/openssl/dist/ssl/tls13_enc.c Modified: vendor-crypto/openssl/dist/CHANGES ============================================================================== --- vendor-crypto/openssl/dist/CHANGES Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/CHANGES Tue Nov 20 18:59:41 2018 (r340690) @@ -7,6 +7,42 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1 and 1.1.1a [20 Nov 2018] + + *) Timing vulnerability in DSA signature generation + + The OpenSSL DSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. + (CVE-2018-0734) + [Paul Dale] + + *) Timing vulnerability in ECDSA signature generation + + The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser. + (CVE-2018-0735) + [Paul Dale] + + *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for + the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names + are retained for backwards compatibility. + [Antoine Salon] + + *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input + if its length exceeds 4096 bytes. The limit has been raised to a buffer size + of two gigabytes and the error handling improved. + + This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been + categorized as a normal bug, not a security issue, because the DRBG reseeds + automatically and is fully functional even without additional randomness + provided by the application. + Changes between 1.1.0i and 1.1.1 [11 Sep 2018] *) Add a new ClientHello callback. Provides a callback interface that gives @@ -13103,4 +13139,3 @@ des-cbc 3624.96k 5258.21k 5530.91k *) A minor bug in ssl/s3_clnt.c where there would always be 4 0 bytes sent in the client random. [Edward Bishop <ebishop@spyglass.com>] - Modified: vendor-crypto/openssl/dist/Configure ============================================================================== --- vendor-crypto/openssl/dist/Configure Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/Configure Tue Nov 20 18:59:41 2018 (r340690) @@ -1013,13 +1013,18 @@ if (scalar(@seed_sources) == 0) { if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) { die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1; warn <<_____ if scalar(@seed_sources) == 1; -You have selected the --with-rand-seed=none option, which effectively disables -automatic reseeding of the OpenSSL random generator. All operations depending -on the random generator such as creating keys will not work unless the random -generator is seeded manually by the application. -Please read the 'Note on random number generation' section in the INSTALL -instructions and the RAND_DRBG(7) manual page for more details. +============================== WARNING =============================== +You have selected the --with-rand-seed=none option, which effectively +disables automatic reseeding of the OpenSSL random generator. +All operations depending on the random generator such as creating keys +will not work unless the random generator is seeded manually by the +application. + +Please read the 'Note on random number generation' section in the +INSTALL instructions and the RAND_DRBG(7) manual page for more details. +============================== WARNING =============================== + _____ } push @{$config{openssl_other_defines}}, @@ -2174,6 +2179,16 @@ EOF # Massage the result + # If the user configured no-shared, we allow no shared sources + if ($disabled{shared}) { + foreach (keys %{$unified_info{shared_sources}}) { + foreach (keys %{$unified_info{shared_sources}->{$_}}) { + delete $unified_info{sources}->{$_}; + } + } + $unified_info{shared_sources} = {}; + } + # If we depend on a header file or a perl module, add an inclusion of # its directory to allow smoothe inclusion foreach my $dest (keys %{$unified_info{depends}}) { @@ -2198,8 +2213,8 @@ EOF next unless defined($unified_info{includes}->{$dest}->{$k}); my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}}; foreach my $obj (grep /\.o$/, - (keys %{$unified_info{sources}->{$dest}}, - keys %{$unified_info{shared_sources}->{$dest}})) { + (keys %{$unified_info{sources}->{$dest} // {}}, + keys %{$unified_info{shared_sources}->{$dest} // {}})) { foreach my $inc (@incs) { unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}}; @@ -2238,6 +2253,42 @@ EOF [ @{$unified_info{includes}->{$dest}->{source}} ]; } } + + # For convenience collect information regarding directories where + # files are generated, those generated files and the end product + # they end up in where applicable. Then, add build rules for those + # directories + my %loopinfo = ( "lib" => [ @{$unified_info{libraries}} ], + "dso" => [ @{$unified_info{engines}} ], + "bin" => [ @{$unified_info{programs}} ], + "script" => [ @{$unified_info{scripts}} ] ); + foreach my $type (keys %loopinfo) { + foreach my $product (@{$loopinfo{$type}}) { + my %dirs = (); + my $pd = dirname($product); + + foreach (@{$unified_info{sources}->{$product} // []}, + @{$unified_info{shared_sources}->{$product} // []}) { + my $d = dirname($_); + + # We don't want to create targets for source directories + # when building out of source + next if ($config{sourcedir} ne $config{builddir} + && $d =~ m|^\Q$config{sourcedir}\E|); + # We already have a "test" target, and the current directory + # is just silly to make a target for + next if $d eq "test" || $d eq "."; + + $dirs{$d} = 1; + push @{$unified_info{dirinfo}->{$d}->{deps}}, $_ + if $d ne $pd; + } + foreach (keys %dirs) { + push @{$unified_info{dirinfo}->{$_}->{products}->{$type}}, + $product; + } + } + } } # For the schemes that need it, we provide the old *_obj configs @@ -2712,10 +2763,16 @@ print <<"EOF"; ********************************************************************** *** *** -*** If you want to report a building issue, please include the *** -*** output from this command: *** +*** OpenSSL has been successfully configured *** *** *** -*** perl configdata.pm --dump *** +*** If you encounter a problem while building, please open an *** +*** issue on GitHub <https://github.com/openssl/openssl/issues> *** +*** and include the output from the following command: *** +*** *** +*** perl configdata.pm --dump *** +*** *** +*** (If you are new to OpenSSL, you might want to consult the *** +*** 'Troubleshooting' section in the INSTALL file first) *** *** *** ********************************************************************** EOF Modified: vendor-crypto/openssl/dist/INSTALL ============================================================================== --- vendor-crypto/openssl/dist/INSTALL Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/INSTALL Tue Nov 20 18:59:41 2018 (r340690) @@ -614,8 +614,8 @@ Windows, and as a comma separated list of libraries on VMS. RANLIB The library archive indexer. - RC The Windows resources manipulator. - RCFLAGS Flags for the Windows reources manipulator. + RC The Windows resource compiler. + RCFLAGS Flags for the Windows resource compiler. RM The command to remove files and directories. These cannot be mixed with compiling / linking flags given @@ -969,7 +969,7 @@ BUILDFILE Use a different build file name than the platform default - ("Makefile" on Unixly platforms, "makefile" on native Windows, + ("Makefile" on Unix-like platforms, "makefile" on native Windows, "descrip.mms" on OpenVMS). This requires that there is a corresponding build file template. See Configurations/README for further information. @@ -1171,7 +1171,7 @@ part of the file name, i.e. for OpenSSL 1.1.x, 1.1 is somehow part of the name. - On most POSIXly platforms, shared libraries are named libcrypto.so.1.1 + On most POSIX platforms, shared libraries are named libcrypto.so.1.1 and libssl.so.1.1. on Cygwin, shared libraries are named cygcrypto-1.1.dll and cygssl-1.1.dll @@ -1202,7 +1202,7 @@ The seeding method can be configured using the --with-rand-seed option, which can be used to specify a comma separated list of seed methods. However in most cases OpenSSL will choose a suitable default method, - so it is not necessary to explicitely provide this option. Note also + so it is not necessary to explicitly provide this option. Note also that not all methods are available on all platforms. I) On operating systems which provide a suitable randomness source (in Modified: vendor-crypto/openssl/dist/NEWS ============================================================================== --- vendor-crypto/openssl/dist/NEWS Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/NEWS Tue Nov 20 18:59:41 2018 (r340690) @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018] + + o Timing vulnerability in DSA signature generation (CVE-2018-0734) + o Timing vulnerability in ECDSA signature generation (CVE-2018-0735) + Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018] o Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3 Modified: vendor-crypto/openssl/dist/README ============================================================================== --- vendor-crypto/openssl/dist/README Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/README Tue Nov 20 18:59:41 2018 (r340690) @@ -1,5 +1,5 @@ - OpenSSL 1.1.1 11 Sep 2018 + OpenSSL 1.1.1a 20 Nov 2018 Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: vendor-crypto/openssl/dist/apps/app_rand.c ============================================================================== --- vendor-crypto/openssl/dist/apps/app_rand.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/app_rand.c Tue Nov 20 18:59:41 2018 (r340690) @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,7 +26,6 @@ void app_RAND_load_conf(CONF *c, const char *section) if (RAND_load_file(randfile, -1) < 0) { BIO_printf(bio_err, "Can't load %s into RNG\n", randfile); ERR_print_errors(bio_err); - return; } if (save_rand_file == NULL) save_rand_file = OPENSSL_strdup(randfile); Modified: vendor-crypto/openssl/dist/apps/apps.c ============================================================================== --- vendor-crypto/openssl/dist/apps/apps.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/apps.c Tue Nov 20 18:59:41 2018 (r340690) @@ -1831,6 +1831,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int opt_getprog(), typestr); continue; } + if (*valstr == '\0') { + BIO_printf(bio_err, + "%s: No value provided for Subject Attribute %s, skipped\n", + opt_getprog(), typestr); + continue; + } if (!X509_NAME_add_entry_by_NID(n, nid, chtype, valstr, strlen((char *)valstr), -1, ismulti ? -1 : 0)) Modified: vendor-crypto/openssl/dist/apps/apps.h ============================================================================== --- vendor-crypto/openssl/dist/apps/apps.h Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/apps.h Tue Nov 20 18:59:41 2018 (r340690) @@ -369,7 +369,7 @@ typedef struct string_int_pair_st { # define OPT_FMT_SMIME (1L << 3) # define OPT_FMT_ENGINE (1L << 4) # define OPT_FMT_MSBLOB (1L << 5) -# define OPT_FMT_NETSCAPE (1L << 6) +/* (1L << 6) was OPT_FMT_NETSCAPE, but wasn't used */ # define OPT_FMT_NSS (1L << 7) # define OPT_FMT_TEXT (1L << 8) # define OPT_FMT_HTTP (1L << 9) @@ -378,8 +378,8 @@ typedef struct string_int_pair_st { # define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME) # define OPT_FMT_ANY ( \ OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \ - OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \ - OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) + OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \ + OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) char *opt_progname(const char *argv0); char *opt_getprog(void); Modified: vendor-crypto/openssl/dist/apps/ca.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ca.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/ca.c Tue Nov 20 18:59:41 2018 (r340690) @@ -605,7 +605,7 @@ end_of_options: /* * outdir is a directory spec, but access() for VMS demands a * filename. We could use the DEC C routine to convert the - * directory syntax to Unixly, and give that to app_isdir, + * directory syntax to Unix, and give that to app_isdir, * but for now the fopen will catch the error if it's not a * directory */ @@ -976,7 +976,7 @@ end_of_options: BIO_printf(bio_err, "Write out database with %d new entries\n", sk_X509_num(cert_sk)); - if (!rand_ser + if (serialfile != NULL && !save_serial(serialfile, "new", serial, NULL)) goto end; @@ -1044,7 +1044,8 @@ end_of_options: if (sk_X509_num(cert_sk)) { /* Rename the database and the serial file */ - if (!rotate_serial(serialfile, "new", "old")) + if (serialfile != NULL + && !rotate_serial(serialfile, "new", "old")) goto end; if (!rotate_index(dbfile, "new", "old")) @@ -1177,10 +1178,9 @@ end_of_options: } /* we have a CRL number that need updating */ - if (crlnumberfile != NULL) - if (!rand_ser - && !save_serial(crlnumberfile, "new", crlnumber, NULL)) - goto end; + if (crlnumberfile != NULL + && !save_serial(crlnumberfile, "new", crlnumber, NULL)) + goto end; BN_free(crlnumber); crlnumber = NULL; @@ -1195,9 +1195,10 @@ end_of_options: PEM_write_bio_X509_CRL(Sout, crl); - if (crlnumberfile != NULL) /* Rename the crlnumber file */ - if (!rotate_serial(crlnumberfile, "new", "old")) - goto end; + /* Rename the crlnumber file */ + if (crlnumberfile != NULL + && !rotate_serial(crlnumberfile, "new", "old")) + goto end; } /*****************************************************************/ Modified: vendor-crypto/openssl/dist/apps/ocsp.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ocsp.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/ocsp.c Tue Nov 20 18:59:41 2018 (r340690) @@ -950,6 +950,7 @@ static void spawn_loop(void) sleep(30); break; case 0: /* child */ + OPENSSL_free(kidpids); signal(SIGINT, SIG_DFL); signal(SIGTERM, SIG_DFL); if (termsig) @@ -976,6 +977,7 @@ static void spawn_loop(void) } /* The loop above can only break on termsig */ + OPENSSL_free(kidpids); syslog(LOG_INFO, "terminating on signal: %d", termsig); killall(0, kidpids); } Modified: vendor-crypto/openssl/dist/apps/openssl.cnf ============================================================================== --- vendor-crypto/openssl/dist/apps/openssl.cnf Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/openssl.cnf Tue Nov 20 18:59:41 2018 (r340690) @@ -10,7 +10,6 @@ # This definition stops the following lines choking if HOME isn't # defined. HOME = . -RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid @@ -57,7 +56,6 @@ crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extensions to add to the cert Modified: vendor-crypto/openssl/dist/apps/opt.c ============================================================================== --- vendor-crypto/openssl/dist/apps/opt.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/opt.c Tue Nov 20 18:59:41 2018 (r340690) @@ -168,7 +168,6 @@ static OPT_PAIR formats[] = { {"smime", OPT_FMT_SMIME}, {"engine", OPT_FMT_ENGINE}, {"msblob", OPT_FMT_MSBLOB}, - {"netscape", OPT_FMT_NETSCAPE}, {"nss", OPT_FMT_NSS}, {"text", OPT_FMT_TEXT}, {"http", OPT_FMT_HTTP}, Modified: vendor-crypto/openssl/dist/apps/rehash.c ============================================================================== --- vendor-crypto/openssl/dist/apps/rehash.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/rehash.c Tue Nov 20 18:59:41 2018 (r340690) @@ -1,6 +1,6 @@ /* * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. - * Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com> + * Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com> * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy Modified: vendor-crypto/openssl/dist/apps/rsa.c ============================================================================== --- vendor-crypto/openssl/dist/apps/rsa.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/rsa.c Tue Nov 20 18:59:41 2018 (r340690) @@ -38,8 +38,8 @@ typedef enum OPTION_choice { const OPTIONS rsa_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"}, - {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"}, + {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"}, + {"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"}, {"in", OPT_IN, 's', "Input file"}, {"out", OPT_OUT, '>', "Output file"}, {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, @@ -269,6 +269,9 @@ int rsa_main(int argc, char **argv) } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { EVP_PKEY *pk; pk = EVP_PKEY_new(); + if (pk == NULL) + goto end; + EVP_PKEY_set1_RSA(pk, rsa); if (outformat == FORMAT_PVK) { if (pubin) { Modified: vendor-crypto/openssl/dist/apps/s_cb.c ============================================================================== --- vendor-crypto/openssl/dist/apps/s_cb.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/s_cb.c Tue Nov 20 18:59:41 2018 (r340690) @@ -394,7 +394,8 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) int ssl_print_tmp_key(BIO *out, SSL *s) { EVP_PKEY *key; - if (!SSL_get_server_tmp_key(s, &key)) + + if (!SSL_get_peer_tmp_key(s, &key)) return 1; BIO_puts(out, "Server Temp Key: "); switch (EVP_PKEY_id(key)) { Modified: vendor-crypto/openssl/dist/apps/s_server.c ============================================================================== --- vendor-crypto/openssl/dist/apps/s_server.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/s_server.c Tue Nov 20 18:59:41 2018 (r340690) @@ -193,9 +193,8 @@ static int psk_find_session_cb(SSL *ssl, const unsigne if (strlen(psk_identity) != identity_len || memcmp(psk_identity, identity, identity_len) != 0) { - BIO_printf(bio_s_out, - "PSK warning: client identity not what we expected" - " (got '%s' expected '%s')\n", identity, psk_identity); + *sess = NULL; + return 1; } if (psksess != NULL) { @@ -1622,6 +1621,11 @@ int s_server_main(int argc, char *argv[]) goto end; } #endif + if (early_data && (www > 0 || rev)) { + BIO_printf(bio_err, + "Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n"); + goto end; + } #ifndef OPENSSL_NO_SCTP if (protocol == IPPROTO_SCTP) { Modified: vendor-crypto/openssl/dist/apps/speed.c ============================================================================== --- vendor-crypto/openssl/dist/apps/speed.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/speed.c Tue Nov 20 18:59:41 2018 (r340690) @@ -2896,7 +2896,7 @@ int speed_main(int argc, char **argv) if (rsa_count <= 1) { /* if longer than 10s, don't do any more */ - for (testnum++; testnum < EC_NUM; testnum++) + for (testnum++; testnum < ECDSA_NUM; testnum++) ecdsa_doit[testnum] = 0; } } Modified: vendor-crypto/openssl/dist/apps/x509.c ============================================================================== --- vendor-crypto/openssl/dist/apps/x509.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/apps/x509.c Tue Nov 20 18:59:41 2018 (r340690) @@ -67,10 +67,10 @@ typedef enum OPTION_choice { const OPTIONS x509_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"inform", OPT_INFORM, 'f', - "Input format - default PEM (one of DER, NET or PEM)"}, + "Input format - default PEM (one of DER or PEM)"}, {"in", OPT_IN, '<', "Input file - default stdin"}, {"outform", OPT_OUTFORM, 'f', - "Output format - default PEM (one of DER, NET or PEM)"}, + "Output format - default PEM (one of DER or PEM)"}, {"out", OPT_OUT, '>', "Output file - default stdout"}, {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"}, {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"}, Modified: vendor-crypto/openssl/dist/crypto/LPdir_unix.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/LPdir_unix.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/LPdir_unix.c Tue Nov 20 18:59:41 2018 (r340690) @@ -51,7 +51,7 @@ #endif /* - * The POSIXly macro for the maximum number of characters in a file path is + * The POSIX macro for the maximum number of characters in a file path is * NAME_MAX. However, some operating systems use PATH_MAX instead. * Therefore, it seems natural to first check for PATH_MAX and use that, and * if it doesn't exist, use NAME_MAX. Modified: vendor-crypto/openssl/dist/crypto/async/arch/async_posix.h ============================================================================== --- vendor-crypto/openssl/dist/crypto/async/arch/async_posix.h Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/async/arch/async_posix.h Tue Nov 20 18:59:41 2018 (r340690) @@ -17,7 +17,8 @@ # include <unistd.h> -# if _POSIX_VERSION >= 200112L +# if _POSIX_VERSION >= 200112L \ + && (_POSIX_VERSION < 200809L || defined(__GLIBC__)) # include <pthread.h> Modified: vendor-crypto/openssl/dist/crypto/bio/b_sock2.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/bio/b_sock2.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/bio/b_sock2.c Tue Nov 20 18:59:41 2018 (r340690) @@ -133,7 +133,9 @@ int BIO_connect(int sock, const BIO_ADDR *addr, int op */ int BIO_bind(int sock, const BIO_ADDR *addr, int options) { +# ifndef OPENSSL_SYS_WINDOWS int on = 1; +# endif if (sock == -1) { BIOerr(BIO_F_BIO_BIND, BIO_R_INVALID_SOCKET); Modified: vendor-crypto/openssl/dist/crypto/bio/bio_lib.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/bio/bio_lib.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/bio/bio_lib.c Tue Nov 20 18:59:41 2018 (r340690) @@ -52,7 +52,7 @@ static long bio_call_callback(BIO *b, int oper, const argi = (int)len; } - if (inret && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) { + if (inret > 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) { if (*processed > INT_MAX) return -1; inret = *processed; @@ -60,7 +60,7 @@ static long bio_call_callback(BIO *b, int oper, const ret = b->callback(b, oper, argp, argi, argl, inret); - if (ret >= 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) { + if (ret > 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) { *processed = (size_t)ret; ret = 1; } Modified: vendor-crypto/openssl/dist/crypto/bio/bss_log.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/bio/bss_log.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/bio/bss_log.c Tue Nov 20 18:59:41 2018 (r340690) @@ -408,4 +408,9 @@ static void xcloselog(BIO *bp) # endif /* Unix */ +#else /* NO_SYSLOG */ +const BIO_METHOD *BIO_s_log(void) +{ + return NULL; +} #endif /* NO_SYSLOG */ Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c Tue Nov 20 18:59:41 2018 (r340690) @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -63,12 +63,6 @@ * very much like 64-bit code compiled with no-asm on the same * machine. */ - -# if defined(_WIN64) || !defined(__LP64__) -# define BN_ULONG unsigned long long -# else -# define BN_ULONG unsigned long -# endif # undef mul # undef mul_add Modified: vendor-crypto/openssl/dist/crypto/bn/bn_exp.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/bn/bn_exp.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/bn/bn_exp.c Tue Nov 20 18:59:41 2018 (r340690) @@ -1077,7 +1077,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM * is not only slower but also makes each bit vulnerable to * EM (and likely other) side-channel attacks like One&Done * (for details see "One&Done: A Single-Decryption EM-Based - * Attack on OpenSSL’s Constant-Time Blinded RSA" by M. Alam, + * Attack on OpenSSL's Constant-Time Blinded RSA" by M. Alam, * H. Khan, M. Dey, N. Sinha, R. Callan, A. Zajic, and * M. Prvulovic, in USENIX Security'18) */ Modified: vendor-crypto/openssl/dist/crypto/bn/bn_lib.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/bn/bn_lib.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/bn/bn_lib.c Tue Nov 20 18:59:41 2018 (r340690) @@ -767,26 +767,30 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, b->neg ^= t; /*- - * Idea behind BN_FLG_STATIC_DATA is actually to - * indicate that data may not be written to. - * Intention is actually to treat it as it's - * read-only data, and some (if not most) of it does - * reside in read-only segment. In other words - * observation of BN_FLG_STATIC_DATA in - * BN_consttime_swap should be treated as fatal - * condition. It would either cause SEGV or - * effectively cause data corruption. - * BN_FLG_MALLOCED refers to BN structure itself, - * and hence must be preserved. Remaining flags are - * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be - * preserved, because it determines how x->d was - * allocated and hence how to free it. This leaves - * BN_FLG_CONSTTIME that one can do something about. - * To summarize it's sufficient to mask and swap - * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should - * be treated as fatal. + * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention + * is actually to treat it as it's read-only data, and some (if not most) + * of it does reside in read-only segment. In other words observation of + * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or effectively cause data + * corruption. + * + * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be + * preserved. + * + * BN_FLG_SECURE: must be preserved, because it determines how x->d was + * allocated and hence how to free it. + * + * BN_FLG_CONSTTIME: sufficient to mask and swap + * + * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on + * the data, so the d array may be padded with additional 0 values (i.e. + * top could be greater than the minimal value that it could be). We should + * be swapping it */ - t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; + +#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) + + t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; a->flags ^= t; b->flags ^= t; Modified: vendor-crypto/openssl/dist/crypto/build.info ============================================================================== --- vendor-crypto/openssl/dist/crypto/build.info Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/build.info Tue Nov 20 18:59:41 2018 (r340690) @@ -2,7 +2,7 @@ LIBS=../libcrypto SOURCE[../libcrypto]=\ cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fopen.c ctype.c \ - threads_pthread.c threads_win.c threads_none.c \ + threads_pthread.c threads_win.c threads_none.c getenv.c \ o_init.c o_fips.c mem_sec.c init.c {- $target{cpuid_asm_src} -} \ {- $target{uplink_aux_src} -} EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ Modified: vendor-crypto/openssl/dist/crypto/conf/conf_api.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/conf/conf_api.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/conf/conf_api.c Tue Nov 20 18:59:41 2018 (r340690) @@ -10,6 +10,7 @@ /* Part of the code in here was originally in conf.c, which is now removed */ #include "e_os.h" +#include "internal/cryptlib.h" #include <stdlib.h> #include <string.h> #include <openssl/conf.h> @@ -82,7 +83,7 @@ char *_CONF_get_string(const CONF *conf, const char *s if (v != NULL) return v->value; if (strcmp(section, "ENV") == 0) { - p = getenv(name); + p = ossl_safe_getenv(name); if (p != NULL) return p; } @@ -95,7 +96,7 @@ char *_CONF_get_string(const CONF *conf, const char *s else return NULL; } else - return getenv(name); + return ossl_safe_getenv(name); } static unsigned long conf_value_hash(const CONF_VALUE *v) Modified: vendor-crypto/openssl/dist/crypto/conf/conf_mod.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/conf/conf_mod.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/conf/conf_mod.c Tue Nov 20 18:59:41 2018 (r340690) @@ -480,11 +480,8 @@ char *CONF_get1_default_config_file(void) char *file, *sep = ""; int len; - if (!OPENSSL_issetugid()) { - file = getenv("OPENSSL_CONF"); - if (file) - return OPENSSL_strdup(file); - } + if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL) + return OPENSSL_strdup(file); len = strlen(X509_get_default_cert_area()); #ifndef OPENSSL_SYS_VMS Modified: vendor-crypto/openssl/dist/crypto/cryptlib.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/cryptlib.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/cryptlib.c Tue Nov 20 18:59:41 2018 (r340690) @@ -204,7 +204,7 @@ int OPENSSL_isservice(void) if (_OPENSSL_isservice.p == NULL) { HANDLE mod = GetModuleHandle(NULL); - FARPROC f; + FARPROC f = NULL; if (mod != NULL) f = GetProcAddress(mod, "_OPENSSL_isservice"); Modified: vendor-crypto/openssl/dist/crypto/ct/ct_log.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/ct/ct_log.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/ct/ct_log.c Tue Nov 20 18:59:41 2018 (r340690) @@ -137,7 +137,7 @@ static int ctlog_new_from_conf(CTLOG **ct_log, const C int CTLOG_STORE_load_default_file(CTLOG_STORE *store) { - const char *fpath = getenv(CTLOG_FILE_EVP); + const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP); if (fpath == NULL) fpath = CTLOG_FILE; Modified: vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c Tue Nov 20 18:59:41 2018 (r340690) @@ -327,6 +327,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N if (mctx == NULL) goto err; + /* make sure L > N, otherwise we'll get trapped in an infinite loop */ + if (L <= N) { + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS); + goto err; + } + if (evpmd == NULL) { if (N == 160) evpmd = EVP_sha1(); Modified: vendor-crypto/openssl/dist/crypto/dsa/dsa_ossl.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/dsa/dsa_ossl.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/dsa/dsa_ossl.c Tue Nov 20 18:59:41 2018 (r340690) @@ -9,6 +9,7 @@ #include <stdio.h> #include "internal/cryptlib.h" +#include "internal/bn_int.h" #include <openssl/bn.h> #include <openssl/sha.h> #include "dsa_locl.h" @@ -23,6 +24,8 @@ static int dsa_do_verify(const unsigned char *dgst, in DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", @@ -178,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, { BN_CTX *ctx = NULL; BIGNUM *k, *kinv = NULL, *r = *rp; - BIGNUM *l, *m; + BIGNUM *l; int ret = 0; - int q_bits; + int q_bits, q_words; if (!dsa->p || !dsa->q || !dsa->g) { DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS); @@ -189,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, k = BN_new(); l = BN_new(); - m = BN_new(); - if (k == NULL || l == NULL || m == NULL) + if (k == NULL || l == NULL) goto err; if (ctx_in == NULL) { @@ -201,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* Preallocate space */ q_bits = BN_num_bits(dsa->q); - if (!BN_set_bit(k, q_bits) - || !BN_set_bit(l, q_bits) - || !BN_set_bit(m, q_bits)) + q_words = bn_get_top(dsa->q); + if (!bn_wexpand(k, q_words + 2) + || !bn_wexpand(l, q_words + 2)) goto err; /* Get random k */ @@ -221,6 +223,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, } while (BN_is_zero(k)); BN_set_flags(k, BN_FLG_CONSTTIME); + BN_set_flags(l, BN_FLG_CONSTTIME); if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, @@ -238,14 +241,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, * small timing information leakage. We then choose the sum that is * one bit longer than the modulus. * - * TODO: revisit the BN_copy aiming for a memory access agnostic - * conditional copy. + * There are some concerns about the efficacy of doing this. More + * specificly refer to the discussion starting with: + * https://github.com/openssl/openssl/pull/7486#discussion_r228323705 + * The fix is to rework BN so these gymnastics aren't required. */ if (!BN_add(l, k, dsa->q) - || !BN_add(m, l, dsa->q) - || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m)) + || !BN_add(k, l, dsa->q)) goto err; + BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2); + if ((dsa)->meth->bn_mod_exp != NULL) { if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p)) @@ -258,8 +264,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, if (!BN_mod(r, r, dsa->q, ctx)) goto err; - /* Compute part of 's = inv(k) (m + xr) mod q' */ - if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL) + /* Compute part of 's = inv(k) (m + xr) mod q' */ + if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL) goto err; BN_clear_free(*kinvp); @@ -273,7 +279,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BN_CTX_free(ctx); BN_clear_free(k); BN_clear_free(l); - BN_clear_free(m); return ret; } @@ -392,4 +397,32 @@ static int dsa_finish(DSA *dsa) { BN_MONT_CTX_free(dsa->method_mont_p); return 1; +} + +/* + * Compute the inverse of k modulo q. + * Since q is prime, Fermat's Little Theorem applies, which reduces this to + * mod-exp operation. Both the exponent and modulus are public information + * so a mod-exp that doesn't leak the base is sufficient. A newly allocated + * BIGNUM is returned which the caller must free. + */ +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx) +{ + BIGNUM *res = NULL; + BIGNUM *r, *e; + + if ((r = BN_new()) == NULL) + return NULL; + + BN_CTX_start(ctx); + if ((e = BN_CTX_get(ctx)) != NULL + && BN_set_word(r, 2) + && BN_sub(e, q, r) + && BN_mod_exp_mont(r, k, e, q, ctx, NULL)) + res = r; + else + BN_free(r); + BN_CTX_end(ctx); + return res; } Modified: vendor-crypto/openssl/dist/crypto/ec/ec_ameth.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/ec/ec_ameth.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/ec/ec_ameth.c Tue Nov 20 18:59:41 2018 (r340690) @@ -699,7 +699,7 @@ static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0) return 0; - if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_62) <= 0) + if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0) return 0; kdf_md = EVP_get_digestbynid(kdfmd_nid); @@ -864,7 +864,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) ecdh_nid = NID_dh_cofactor_kdf; if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) { - kdf_type = EVP_PKEY_ECDH_KDF_X9_62; + kdf_type = EVP_PKEY_ECDH_KDF_X9_63; if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0) goto err; } else Modified: vendor-crypto/openssl/dist/crypto/ec/ec_mult.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/ec/ec_mult.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/ec/ec_mult.c Tue Nov 20 18:59:41 2018 (r340690) @@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POI */ cardinality_bits = BN_num_bits(cardinality); group_top = bn_get_top(cardinality); - if ((bn_wexpand(k, group_top + 1) == NULL) - || (bn_wexpand(lambda, group_top + 1) == NULL)) { + if ((bn_wexpand(k, group_top + 2) == NULL) + || (bn_wexpand(lambda, group_top + 2) == NULL)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } @@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POI * k := scalar + 2*cardinality */ kbit = BN_is_bit_set(lambda, cardinality_bits); - BN_consttime_swap(kbit, k, lambda, group_top + 1); + BN_consttime_swap(kbit, k, lambda, group_top + 2); group_top = bn_get_top(group->field); if ((bn_wexpand(s->X, group_top) == NULL) Modified: vendor-crypto/openssl/dist/crypto/ec/ec_pmeth.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/ec/ec_pmeth.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/ec/ec_pmeth.c Tue Nov 20 18:59:41 2018 (r340690) @@ -209,7 +209,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx, if (!pkey_ec_derive(ctx, ktmp, &ktmplen)) goto err; /* Do KDF stuff */ - if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen, + if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen, dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md)) goto err; rv = 1; @@ -281,7 +281,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, i case EVP_PKEY_CTRL_EC_KDF_TYPE: if (p1 == -2) return dctx->kdf_type; - if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62) + if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63) return -2; dctx->kdf_type = p1; return 1; Modified: vendor-crypto/openssl/dist/crypto/ec/ecdh_kdf.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/ec/ecdh_kdf.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/ec/ecdh_kdf.c Tue Nov 20 18:59:41 2018 (r340690) @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,12 +10,13 @@ #include <string.h> #include <openssl/ec.h> #include <openssl/evp.h> +#include "ec_lcl.h" -/* Key derivation function from X9.62/SECG */ +/* Key derivation function from X9.63/SECG */ /* Way more than we will ever need */ #define ECDH_KDF_MAX (1 << 30) -int ECDH_KDF_X9_62(unsigned char *out, size_t outlen, +int ecdh_KDF_X9_63(unsigned char *out, size_t outlen, const unsigned char *Z, size_t Zlen, const unsigned char *sinfo, size_t sinfolen, const EVP_MD *md) @@ -65,4 +66,16 @@ int ECDH_KDF_X9_62(unsigned char *out, size_t outlen, err: EVP_MD_CTX_free(mctx); return rv; +} + +/*- + * The old name for ecdh_KDF_X9_63 + * Retained for ABI compatibility + */ +int ECDH_KDF_X9_62(unsigned char *out, size_t outlen, + const unsigned char *Z, size_t Zlen, + const unsigned char *sinfo, size_t sinfolen, + const EVP_MD *md) +{ + return ecdh_KDF_X9_63(out, outlen, Z, Zlen, sinfo, sinfolen, md); } Modified: vendor-crypto/openssl/dist/crypto/engine/eng_devcrypto.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/engine/eng_devcrypto.c Tue Nov 20 18:38:28 2018 (r340689) +++ vendor-crypto/openssl/dist/crypto/engine/eng_devcrypto.c Tue Nov 20 18:59:41 2018 (r340690) @@ -28,6 +28,13 @@ # define CHECK_BSD_STYLE_MACROS #endif +/* + * ONE global file descriptor for all sessions. This allows operations + * such as digest session data copying (see digest_copy()), but is also + * saner... why re-open /dev/crypto for every session? + */ +static int cfd; + /****************************************************************************** * * Ciphers @@ -39,7 +46,6 @@ *****/ struct cipher_ctx { - int cfd; struct session_op sess; /* to pass from init to do_cipher */ @@ -69,7 +75,7 @@ static const struct cipher_data_st { { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, #ifndef OPENSSL_NO_RC4 - { NID_rc4, 1, 16, 0, CRYPTO_ARC4 }, + { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 }, *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201811201859.wAKIxgXI060663>