Date:      Tue, 10 Sep 2019 21:14:56 +0000 (UTC)
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r352193 - in stable/11: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/bn crypto/openssl/crypto/cms crypto/openssl/crypto/ec crypto/openssl/crypto/pem cr...
Message-ID:  <201909102114.x8ALEuML088421@repo.freebsd.org>

Author: jkim
Date: Tue Sep 10 21:14:56 2019
New Revision: 352193
URL: https://svnweb.freebsd.org/changeset/base/352193

Log:
  Merge OpenSSL 1.0.2t.

Modified:
  stable/11/crypto/openssl/CHANGES
  stable/11/crypto/openssl/Configure
  stable/11/crypto/openssl/Makefile
  stable/11/crypto/openssl/NEWS
  stable/11/crypto/openssl/README
  stable/11/crypto/openssl/apps/CA.pl
  stable/11/crypto/openssl/crypto/arm_arch.h
  stable/11/crypto/openssl/crypto/armcap.c
  stable/11/crypto/openssl/crypto/bn/Makefile
  stable/11/crypto/openssl/crypto/bn/bn_lib.c
  stable/11/crypto/openssl/crypto/bn_int.h
  stable/11/crypto/openssl/crypto/cms/cms_env.c
  stable/11/crypto/openssl/crypto/cms/cms_lcl.h
  stable/11/crypto/openssl/crypto/cms/cms_smime.c
  stable/11/crypto/openssl/crypto/constant_time_locl.h
  stable/11/crypto/openssl/crypto/cryptlib.h
  stable/11/crypto/openssl/crypto/ec/Makefile
  stable/11/crypto/openssl/crypto/ec/ec.h
  stable/11/crypto/openssl/crypto/ec/ec_asn1.c
  stable/11/crypto/openssl/crypto/ec/ec_curve.c
  stable/11/crypto/openssl/crypto/ec/ec_err.c
  stable/11/crypto/openssl/crypto/ec/ec_lcl.h
  stable/11/crypto/openssl/crypto/ec/ec_lib.c
  stable/11/crypto/openssl/crypto/ec/ecp_nistp224.c
  stable/11/crypto/openssl/crypto/ec/ecp_nistp256.c
  stable/11/crypto/openssl/crypto/ec/ecp_nistp521.c
  stable/11/crypto/openssl/crypto/opensslv.h
  stable/11/crypto/openssl/crypto/pem/pvkfmt.c
  stable/11/crypto/openssl/crypto/pkcs7/pk7_doit.c
  stable/11/crypto/openssl/crypto/rsa/rsa_chk.c
  stable/11/crypto/openssl/crypto/x509/x509_cmp.c
  stable/11/crypto/openssl/crypto/x509v3/v3_alt.c
  stable/11/crypto/openssl/util/libeay.num
  stable/11/secure/lib/libcrypto/Makefile.inc
  stable/11/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
  stable/11/secure/lib/libcrypto/man/ASN1_STRING_length.3
  stable/11/secure/lib/libcrypto/man/ASN1_STRING_new.3
  stable/11/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
  stable/11/secure/lib/libcrypto/man/ASN1_TIME_set.3
  stable/11/secure/lib/libcrypto/man/ASN1_generate_nconf.3
  stable/11/secure/lib/libcrypto/man/BIO_ctrl.3
  stable/11/secure/lib/libcrypto/man/BIO_f_base64.3
  stable/11/secure/lib/libcrypto/man/BIO_f_buffer.3
  stable/11/secure/lib/libcrypto/man/BIO_f_cipher.3
  stable/11/secure/lib/libcrypto/man/BIO_f_md.3
  stable/11/secure/lib/libcrypto/man/BIO_f_null.3
  stable/11/secure/lib/libcrypto/man/BIO_f_ssl.3
  stable/11/secure/lib/libcrypto/man/BIO_find_type.3
  stable/11/secure/lib/libcrypto/man/BIO_new.3
  stable/11/secure/lib/libcrypto/man/BIO_new_CMS.3
  stable/11/secure/lib/libcrypto/man/BIO_push.3
  stable/11/secure/lib/libcrypto/man/BIO_read.3
  stable/11/secure/lib/libcrypto/man/BIO_s_accept.3
  stable/11/secure/lib/libcrypto/man/BIO_s_bio.3
  stable/11/secure/lib/libcrypto/man/BIO_s_connect.3
  stable/11/secure/lib/libcrypto/man/BIO_s_fd.3
  stable/11/secure/lib/libcrypto/man/BIO_s_file.3
  stable/11/secure/lib/libcrypto/man/BIO_s_mem.3
  stable/11/secure/lib/libcrypto/man/BIO_s_null.3
  stable/11/secure/lib/libcrypto/man/BIO_s_socket.3
  stable/11/secure/lib/libcrypto/man/BIO_set_callback.3
  stable/11/secure/lib/libcrypto/man/BIO_should_retry.3
  stable/11/secure/lib/libcrypto/man/BN_BLINDING_new.3
  stable/11/secure/lib/libcrypto/man/BN_CTX_new.3
  stable/11/secure/lib/libcrypto/man/BN_CTX_start.3
  stable/11/secure/lib/libcrypto/man/BN_add.3
  stable/11/secure/lib/libcrypto/man/BN_add_word.3
  stable/11/secure/lib/libcrypto/man/BN_bn2bin.3
  stable/11/secure/lib/libcrypto/man/BN_cmp.3
  stable/11/secure/lib/libcrypto/man/BN_copy.3
  stable/11/secure/lib/libcrypto/man/BN_generate_prime.3
  stable/11/secure/lib/libcrypto/man/BN_mod_inverse.3
  stable/11/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
  stable/11/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
  stable/11/secure/lib/libcrypto/man/BN_new.3
  stable/11/secure/lib/libcrypto/man/BN_num_bytes.3
  stable/11/secure/lib/libcrypto/man/BN_rand.3
  stable/11/secure/lib/libcrypto/man/BN_set_bit.3
  stable/11/secure/lib/libcrypto/man/BN_swap.3
  stable/11/secure/lib/libcrypto/man/BN_zero.3
  stable/11/secure/lib/libcrypto/man/CMS_add0_cert.3
  stable/11/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
  stable/11/secure/lib/libcrypto/man/CMS_add1_signer.3
  stable/11/secure/lib/libcrypto/man/CMS_compress.3
  stable/11/secure/lib/libcrypto/man/CMS_decrypt.3
  stable/11/secure/lib/libcrypto/man/CMS_encrypt.3
  stable/11/secure/lib/libcrypto/man/CMS_final.3
  stable/11/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
  stable/11/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
  stable/11/secure/lib/libcrypto/man/CMS_get0_type.3
  stable/11/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
  stable/11/secure/lib/libcrypto/man/CMS_sign.3
  stable/11/secure/lib/libcrypto/man/CMS_sign_receipt.3
  stable/11/secure/lib/libcrypto/man/CMS_uncompress.3
  stable/11/secure/lib/libcrypto/man/CMS_verify.3
  stable/11/secure/lib/libcrypto/man/CMS_verify_receipt.3
  stable/11/secure/lib/libcrypto/man/CONF_modules_free.3
  stable/11/secure/lib/libcrypto/man/CONF_modules_load_file.3
  stable/11/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
  stable/11/secure/lib/libcrypto/man/DH_generate_key.3
  stable/11/secure/lib/libcrypto/man/DH_generate_parameters.3
  stable/11/secure/lib/libcrypto/man/DH_get_ex_new_index.3
  stable/11/secure/lib/libcrypto/man/DH_new.3
  stable/11/secure/lib/libcrypto/man/DH_set_method.3
  stable/11/secure/lib/libcrypto/man/DH_size.3
  stable/11/secure/lib/libcrypto/man/DSA_SIG_new.3
  stable/11/secure/lib/libcrypto/man/DSA_do_sign.3
  stable/11/secure/lib/libcrypto/man/DSA_dup_DH.3
  stable/11/secure/lib/libcrypto/man/DSA_generate_key.3
  stable/11/secure/lib/libcrypto/man/DSA_generate_parameters.3
  stable/11/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
  stable/11/secure/lib/libcrypto/man/DSA_new.3
  stable/11/secure/lib/libcrypto/man/DSA_set_method.3
  stable/11/secure/lib/libcrypto/man/DSA_sign.3
  stable/11/secure/lib/libcrypto/man/DSA_size.3
  stable/11/secure/lib/libcrypto/man/EC_GFp_simple_method.3
  stable/11/secure/lib/libcrypto/man/EC_GROUP_copy.3
  stable/11/secure/lib/libcrypto/man/EC_GROUP_new.3
  stable/11/secure/lib/libcrypto/man/EC_KEY_new.3
  stable/11/secure/lib/libcrypto/man/EC_POINT_add.3
  stable/11/secure/lib/libcrypto/man/EC_POINT_new.3
  stable/11/secure/lib/libcrypto/man/ERR_GET_LIB.3
  stable/11/secure/lib/libcrypto/man/ERR_clear_error.3
  stable/11/secure/lib/libcrypto/man/ERR_error_string.3
  stable/11/secure/lib/libcrypto/man/ERR_get_error.3
  stable/11/secure/lib/libcrypto/man/ERR_load_crypto_strings.3
  stable/11/secure/lib/libcrypto/man/ERR_load_strings.3
  stable/11/secure/lib/libcrypto/man/ERR_print_errors.3
  stable/11/secure/lib/libcrypto/man/ERR_put_error.3
  stable/11/secure/lib/libcrypto/man/ERR_remove_state.3
  stable/11/secure/lib/libcrypto/man/ERR_set_mark.3
  stable/11/secure/lib/libcrypto/man/EVP_BytesToKey.3
  stable/11/secure/lib/libcrypto/man/EVP_DigestInit.3
  stable/11/secure/lib/libcrypto/man/EVP_DigestSignInit.3
  stable/11/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3
  stable/11/secure/lib/libcrypto/man/EVP_EncodeInit.3
  stable/11/secure/lib/libcrypto/man/EVP_EncryptInit.3
  stable/11/secure/lib/libcrypto/man/EVP_OpenInit.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_cmp.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_derive.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_keygen.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_meth_new.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_new.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_print_private.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_sign.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_verify.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3
  stable/11/secure/lib/libcrypto/man/EVP_SealInit.3
  stable/11/secure/lib/libcrypto/man/EVP_SignInit.3
  stable/11/secure/lib/libcrypto/man/EVP_VerifyInit.3
  stable/11/secure/lib/libcrypto/man/OBJ_nid2obj.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_Applink.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_config.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_ia32cap.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
  stable/11/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
  stable/11/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
  stable/11/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
  stable/11/secure/lib/libcrypto/man/PKCS12_create.3
  stable/11/secure/lib/libcrypto/man/PKCS12_parse.3
  stable/11/secure/lib/libcrypto/man/PKCS7_decrypt.3
  stable/11/secure/lib/libcrypto/man/PKCS7_encrypt.3
  stable/11/secure/lib/libcrypto/man/PKCS7_sign.3
  stable/11/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3
  stable/11/secure/lib/libcrypto/man/PKCS7_verify.3
  stable/11/secure/lib/libcrypto/man/RAND_add.3
  stable/11/secure/lib/libcrypto/man/RAND_bytes.3
  stable/11/secure/lib/libcrypto/man/RAND_cleanup.3
  stable/11/secure/lib/libcrypto/man/RAND_egd.3
  stable/11/secure/lib/libcrypto/man/RAND_load_file.3
  stable/11/secure/lib/libcrypto/man/RAND_set_rand_method.3
  stable/11/secure/lib/libcrypto/man/RSA_blinding_on.3
  stable/11/secure/lib/libcrypto/man/RSA_check_key.3
  stable/11/secure/lib/libcrypto/man/RSA_generate_key.3
  stable/11/secure/lib/libcrypto/man/RSA_get_ex_new_index.3
  stable/11/secure/lib/libcrypto/man/RSA_new.3
  stable/11/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
  stable/11/secure/lib/libcrypto/man/RSA_print.3
  stable/11/secure/lib/libcrypto/man/RSA_private_encrypt.3
  stable/11/secure/lib/libcrypto/man/RSA_public_encrypt.3
  stable/11/secure/lib/libcrypto/man/RSA_set_method.3
  stable/11/secure/lib/libcrypto/man/RSA_sign.3
  stable/11/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
  stable/11/secure/lib/libcrypto/man/RSA_size.3
  stable/11/secure/lib/libcrypto/man/SMIME_read_CMS.3
  stable/11/secure/lib/libcrypto/man/SMIME_read_PKCS7.3
  stable/11/secure/lib/libcrypto/man/SMIME_write_CMS.3
  stable/11/secure/lib/libcrypto/man/SMIME_write_PKCS7.3
  stable/11/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
  stable/11/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
  stable/11/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
  stable/11/secure/lib/libcrypto/man/X509_NAME_print_ex.3
  stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3
  stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
  stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_new.3
  stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
  stable/11/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
  stable/11/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
  stable/11/secure/lib/libcrypto/man/X509_check_host.3
  stable/11/secure/lib/libcrypto/man/X509_check_private_key.3
  stable/11/secure/lib/libcrypto/man/X509_cmp_time.3
  stable/11/secure/lib/libcrypto/man/X509_new.3
  stable/11/secure/lib/libcrypto/man/X509_verify_cert.3
  stable/11/secure/lib/libcrypto/man/bio.3
  stable/11/secure/lib/libcrypto/man/blowfish.3
  stable/11/secure/lib/libcrypto/man/bn.3
  stable/11/secure/lib/libcrypto/man/bn_internal.3
  stable/11/secure/lib/libcrypto/man/buffer.3
  stable/11/secure/lib/libcrypto/man/crypto.3
  stable/11/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3
  stable/11/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3
  stable/11/secure/lib/libcrypto/man/d2i_DHparams.3
  stable/11/secure/lib/libcrypto/man/d2i_DSAPublicKey.3
  stable/11/secure/lib/libcrypto/man/d2i_ECPKParameters.3
  stable/11/secure/lib/libcrypto/man/d2i_ECPrivateKey.3
  stable/11/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3
  stable/11/secure/lib/libcrypto/man/d2i_PrivateKey.3
  stable/11/secure/lib/libcrypto/man/d2i_RSAPublicKey.3
  stable/11/secure/lib/libcrypto/man/d2i_X509.3
  stable/11/secure/lib/libcrypto/man/d2i_X509_ALGOR.3
  stable/11/secure/lib/libcrypto/man/d2i_X509_CRL.3
  stable/11/secure/lib/libcrypto/man/d2i_X509_NAME.3
  stable/11/secure/lib/libcrypto/man/d2i_X509_REQ.3
  stable/11/secure/lib/libcrypto/man/d2i_X509_SIG.3
  stable/11/secure/lib/libcrypto/man/des.3
  stable/11/secure/lib/libcrypto/man/dh.3
  stable/11/secure/lib/libcrypto/man/dsa.3
  stable/11/secure/lib/libcrypto/man/ec.3
  stable/11/secure/lib/libcrypto/man/ecdsa.3
  stable/11/secure/lib/libcrypto/man/engine.3
  stable/11/secure/lib/libcrypto/man/err.3
  stable/11/secure/lib/libcrypto/man/evp.3
  stable/11/secure/lib/libcrypto/man/hmac.3
  stable/11/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3
  stable/11/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
  stable/11/secure/lib/libcrypto/man/lh_stats.3
  stable/11/secure/lib/libcrypto/man/lhash.3
  stable/11/secure/lib/libcrypto/man/md5.3
  stable/11/secure/lib/libcrypto/man/mdc2.3
  stable/11/secure/lib/libcrypto/man/pem.3
  stable/11/secure/lib/libcrypto/man/rand.3
  stable/11/secure/lib/libcrypto/man/rc4.3
  stable/11/secure/lib/libcrypto/man/ripemd.3
  stable/11/secure/lib/libcrypto/man/rsa.3
  stable/11/secure/lib/libcrypto/man/sha.3
  stable/11/secure/lib/libcrypto/man/threads.3
  stable/11/secure/lib/libcrypto/man/ui.3
  stable/11/secure/lib/libcrypto/man/ui_compat.3
  stable/11/secure/lib/libcrypto/man/x509.3
  stable/11/secure/lib/libssl/man/SSL_CIPHER_get_name.3
  stable/11/secure/lib/libssl/man/SSL_COMP_add_compression_method.3
  stable/11/secure/lib/libssl/man/SSL_CONF_CTX_new.3
  stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set1_prefix.3
  stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set_flags.3
  stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set_ssl_ctx.3
  stable/11/secure/lib/libssl/man/SSL_CONF_cmd.3
  stable/11/secure/lib/libssl/man/SSL_CONF_cmd_argv.3
  stable/11/secure/lib/libssl/man/SSL_CTX_add1_chain_cert.3
  stable/11/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
  stable/11/secure/lib/libssl/man/SSL_CTX_add_session.3
  stable/11/secure/lib/libssl/man/SSL_CTX_ctrl.3
  stable/11/secure/lib/libssl/man/SSL_CTX_flush_sessions.3
  stable/11/secure/lib/libssl/man/SSL_CTX_free.3
  stable/11/secure/lib/libssl/man/SSL_CTX_get0_param.3
  stable/11/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3
  stable/11/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3
  stable/11/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3
  stable/11/secure/lib/libssl/man/SSL_CTX_new.3
  stable/11/secure/lib/libssl/man/SSL_CTX_sess_number.3
  stable/11/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
  stable/11/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_sessions.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set1_curves.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set1_verify_cert_store.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_store.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_custom_cli_ext.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_info_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_mode.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_options.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_read_ahead.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_timeout.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_verify.3
  stable/11/secure/lib/libssl/man/SSL_CTX_use_certificate.3
  stable/11/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
  stable/11/secure/lib/libssl/man/SSL_CTX_use_serverinfo.3
  stable/11/secure/lib/libssl/man/SSL_SESSION_free.3
  stable/11/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
  stable/11/secure/lib/libssl/man/SSL_SESSION_get_time.3
  stable/11/secure/lib/libssl/man/SSL_accept.3
  stable/11/secure/lib/libssl/man/SSL_alert_type_string.3
  stable/11/secure/lib/libssl/man/SSL_check_chain.3
  stable/11/secure/lib/libssl/man/SSL_clear.3
  stable/11/secure/lib/libssl/man/SSL_connect.3
  stable/11/secure/lib/libssl/man/SSL_do_handshake.3
  stable/11/secure/lib/libssl/man/SSL_export_keying_material.3
  stable/11/secure/lib/libssl/man/SSL_free.3
  stable/11/secure/lib/libssl/man/SSL_get_SSL_CTX.3
  stable/11/secure/lib/libssl/man/SSL_get_ciphers.3
  stable/11/secure/lib/libssl/man/SSL_get_client_CA_list.3
  stable/11/secure/lib/libssl/man/SSL_get_current_cipher.3
  stable/11/secure/lib/libssl/man/SSL_get_default_timeout.3
  stable/11/secure/lib/libssl/man/SSL_get_error.3
  stable/11/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
  stable/11/secure/lib/libssl/man/SSL_get_ex_new_index.3
  stable/11/secure/lib/libssl/man/SSL_get_fd.3
  stable/11/secure/lib/libssl/man/SSL_get_peer_cert_chain.3
  stable/11/secure/lib/libssl/man/SSL_get_peer_certificate.3
  stable/11/secure/lib/libssl/man/SSL_get_psk_identity.3
  stable/11/secure/lib/libssl/man/SSL_get_rbio.3
  stable/11/secure/lib/libssl/man/SSL_get_session.3
  stable/11/secure/lib/libssl/man/SSL_get_verify_result.3
  stable/11/secure/lib/libssl/man/SSL_get_version.3
  stable/11/secure/lib/libssl/man/SSL_library_init.3
  stable/11/secure/lib/libssl/man/SSL_load_client_CA_file.3
  stable/11/secure/lib/libssl/man/SSL_new.3
  stable/11/secure/lib/libssl/man/SSL_pending.3
  stable/11/secure/lib/libssl/man/SSL_read.3
  stable/11/secure/lib/libssl/man/SSL_rstate_string.3
  stable/11/secure/lib/libssl/man/SSL_session_reused.3
  stable/11/secure/lib/libssl/man/SSL_set_bio.3
  stable/11/secure/lib/libssl/man/SSL_set_connect_state.3
  stable/11/secure/lib/libssl/man/SSL_set_fd.3
  stable/11/secure/lib/libssl/man/SSL_set_session.3
  stable/11/secure/lib/libssl/man/SSL_set_shutdown.3
  stable/11/secure/lib/libssl/man/SSL_set_verify_result.3
  stable/11/secure/lib/libssl/man/SSL_shutdown.3
  stable/11/secure/lib/libssl/man/SSL_state_string.3
  stable/11/secure/lib/libssl/man/SSL_want.3
  stable/11/secure/lib/libssl/man/SSL_write.3
  stable/11/secure/lib/libssl/man/d2i_SSL_SESSION.3
  stable/11/secure/lib/libssl/man/ssl.3
  stable/11/secure/usr.bin/openssl/man/CA.pl.1
  stable/11/secure/usr.bin/openssl/man/asn1parse.1
  stable/11/secure/usr.bin/openssl/man/ca.1
  stable/11/secure/usr.bin/openssl/man/ciphers.1
  stable/11/secure/usr.bin/openssl/man/cms.1
  stable/11/secure/usr.bin/openssl/man/crl.1
  stable/11/secure/usr.bin/openssl/man/crl2pkcs7.1
  stable/11/secure/usr.bin/openssl/man/dgst.1
  stable/11/secure/usr.bin/openssl/man/dhparam.1
  stable/11/secure/usr.bin/openssl/man/dsa.1
  stable/11/secure/usr.bin/openssl/man/dsaparam.1
  stable/11/secure/usr.bin/openssl/man/ec.1
  stable/11/secure/usr.bin/openssl/man/ecparam.1
  stable/11/secure/usr.bin/openssl/man/enc.1
  stable/11/secure/usr.bin/openssl/man/errstr.1
  stable/11/secure/usr.bin/openssl/man/gendsa.1
  stable/11/secure/usr.bin/openssl/man/genpkey.1
  stable/11/secure/usr.bin/openssl/man/genrsa.1
  stable/11/secure/usr.bin/openssl/man/nseq.1
  stable/11/secure/usr.bin/openssl/man/ocsp.1
  stable/11/secure/usr.bin/openssl/man/openssl.1
  stable/11/secure/usr.bin/openssl/man/passwd.1
  stable/11/secure/usr.bin/openssl/man/pkcs12.1
  stable/11/secure/usr.bin/openssl/man/pkcs7.1
  stable/11/secure/usr.bin/openssl/man/pkcs8.1
  stable/11/secure/usr.bin/openssl/man/pkey.1
  stable/11/secure/usr.bin/openssl/man/pkeyparam.1
  stable/11/secure/usr.bin/openssl/man/pkeyutl.1
  stable/11/secure/usr.bin/openssl/man/rand.1
  stable/11/secure/usr.bin/openssl/man/req.1
  stable/11/secure/usr.bin/openssl/man/rsa.1
  stable/11/secure/usr.bin/openssl/man/rsautl.1
  stable/11/secure/usr.bin/openssl/man/s_client.1
  stable/11/secure/usr.bin/openssl/man/s_server.1
  stable/11/secure/usr.bin/openssl/man/s_time.1
  stable/11/secure/usr.bin/openssl/man/sess_id.1
  stable/11/secure/usr.bin/openssl/man/smime.1
  stable/11/secure/usr.bin/openssl/man/speed.1
  stable/11/secure/usr.bin/openssl/man/spkac.1
  stable/11/secure/usr.bin/openssl/man/ts.1
  stable/11/secure/usr.bin/openssl/man/tsget.1
  stable/11/secure/usr.bin/openssl/man/verify.1
  stable/11/secure/usr.bin/openssl/man/version.1
  stable/11/secure/usr.bin/openssl/man/x509.1
  stable/11/secure/usr.bin/openssl/man/x509v3_config.1

Modified: stable/11/crypto/openssl/CHANGES
==============================================================================
--- stable/11/crypto/openssl/CHANGES	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/CHANGES	Tue Sep 10 21:14:56 2019	(r352193)
@@ -7,6 +7,48 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.0.2s and 1.0.2t [10 Sep 2019]
+
+   *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
+      used even when parsing explicit parameters, when loading a serialized key
+      or calling `EC_GROUP_new_from_ecpkparameters()`/
+      `EC_GROUP_new_from_ecparameters()`.
+      This prevents bypass of security hardening and performance gains,
+      especially for curves with specialized EC_METHODs.
+      By default, if a key encoded with explicit parameters is loaded and later
+      serialized, the output is still encoded with explicit parameters, even if
+      internally a "named" EC_GROUP is used for computation.
+      [Nicola Tuveri]
+
+  *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
+     this change, EC_GROUP_set_generator would accept order and/or cofactor as
+     NULL. After this change, only the cofactor parameter can be NULL. It also
+     does some minimal sanity checks on the passed order.
+     (CVE-2019-1547)
+     [Billy Bob Brumley]
+
+  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+     An attack is simple, if the first CMS_recipientInfo is valid but the
+     second CMS_recipientInfo is chosen ciphertext. If the second
+     recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+     encryption key will be replaced by garbage, and the message cannot be
+     decoded, but if the RSA decryption fails, the correct encryption key is
+     used and the recipient will not notice the attack.
+     As a work around for this potential attack the length of the decrypted
+     key must be equal to the cipher default key length, in case the
+     certifiate is not given and all recipientInfo are tried out.
+     The old behaviour can be re-enabled in the CMS code by setting the
+     CMS_DEBUG_DECRYPT flag.
+     (CVE-2019-1563)
+     [Bernd Edlinger]
+
+  *) Document issue with installation paths in diverse Windows builds
+
+     '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
+     binaries and run-time config file.
+     (CVE-2019-1552)
+     [Richard Levitte]
+
  Changes between 1.0.2r and 1.0.2s [28 May 2019]
 
   *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.

Modified: stable/11/crypto/openssl/Configure
==============================================================================
--- stable/11/crypto/openssl/Configure	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/Configure	Tue Sep 10 21:14:56 2019	(r352193)
@@ -118,7 +118,7 @@ my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wn
 # -Wincompatible-pointer-types-discards-qualifiers, -Wcast-align,
 # -Wunreachable-code -Wunused-parameter -Wlanguage-extension-token
 # -Wextended-offsetof
-my $clang_disabled_warnings = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token  -Wno-extended-offsetof";
+my $clang_disabled_warnings = "-Wno-unknown-warning-option -Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token  -Wno-extended-offsetof";
 
 # These are used in addition to $gcc_devteam_warn when the compiler is clang.
 # TODO(openssl-team): fix problems and investigate if (at least) the
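Review bot: Adding `-Wno-unknown-warning-option` to `$clang_disabled_warnings` makes clang silently accept any `-W` name, so a misspelled or since-removed warning flag in these strict-warning sets would no longer be reported. The same option is added to `$clang_devteam_warn` in the next hunk, and neither comment block above the assignments mentions it. A one-line comment giving the reason would help, for example `# -Wno-unknown-warning-option: tolerate clang versions that do not know every flag listed here`. The actual motivation is not visible in the hunk, so the author should confirm that wording.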
@@ -128,7 +128,7 @@ my $clang_disabled_warnings = "-Wno-unused-parameter -
 # -Wincompatible-pointer-types-discards-qualifiers, -Wcast-align,
 # -Wunreachable-code -Wunused-parameter -Wlanguage-extension-token
 # -Wextended-offsetof
-my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
+my $clang_devteam_warn = "-Wno-unknown-warning-option -Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
 
 # Warn that "make depend" should be run?
 my $warn_make_depend = 0;

Modified: stable/11/crypto/openssl/Makefile
==============================================================================
--- stable/11/crypto/openssl/Makefile	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/Makefile	Tue Sep 10 21:14:56 2019	(r352193)
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2s
+VERSION=1.0.2t
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0
@@ -70,7 +70,7 @@ AR= ar $(ARFLAGS) r
 RANLIB= /usr/bin/ranlib
 RC= windres
 NM= nm
-PERL= /usr/local/bin/perl
+PERL= /usr/bin/perl
 TAR= tar
 TARFLAGS= --no-recursion
 MAKEDEPPROG= gcc

Modified: stable/11/crypto/openssl/NEWS
==============================================================================
--- stable/11/crypto/openssl/NEWS	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/NEWS	Tue Sep 10 21:14:56 2019	(r352193)
@@ -5,6 +5,21 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019]
+
+      o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
+        (CVE-2019-1563)
+      o For built-in EC curves, ensure an EC_GROUP built from the curve name is
+        used even when parsing explicit parameters
+      o Compute ECC cofactors if not provided during EC_GROUP construction
+        (CVE-2019-1547)
+      o Document issue with installation paths in diverse Windows builds
+        (CVE-2019-1552)
+
+  Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019]
+
+      o None
+
   Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019]
 
       o 0-byte record padding oracle (CVE-2019-1559)

Modified: stable/11/crypto/openssl/README
==============================================================================
--- stable/11/crypto/openssl/README	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/README	Tue Sep 10 21:14:56 2019	(r352193)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2s 28 May 2019
+ OpenSSL 1.0.2t 10 Sep 2019
 
  Copyright (c) 1998-2019 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

Modified: stable/11/crypto/openssl/apps/CA.pl
==============================================================================
--- stable/11/crypto/openssl/apps/CA.pl	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/apps/CA.pl	Tue Sep 10 21:14:56 2019	(r352193)
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
 #
 # CA - wrapper around ca to make it easier to use ... basically ca requires
 #      some setup stuff to be done before you can use it and this makes

Modified: stable/11/crypto/openssl/crypto/arm_arch.h
==============================================================================
--- stable/11/crypto/openssl/crypto/arm_arch.h	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/arm_arch.h	Tue Sep 10 21:14:56 2019	(r352193)
@@ -64,7 +64,7 @@
 #  endif
 # endif
 
-# if !__ASSEMBLER__
+# ifndef __ASSEMBLER__
 extern unsigned int OPENSSL_armcap_P;
 # endif
 

Modified: stable/11/crypto/openssl/crypto/armcap.c
==============================================================================
--- stable/11/crypto/openssl/crypto/armcap.c	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/armcap.c	Tue Sep 10 21:14:56 2019	(r352193)
@@ -5,6 +5,7 @@
 #include <signal.h>
 #include <crypto.h>
 
+#include "cryptlib.h"
 #include "arm_arch.h"
 
 __attribute__ ((visibility("hidden")))

Modified: stable/11/crypto/openssl/crypto/bn/Makefile
==============================================================================
--- stable/11/crypto/openssl/crypto/bn/Makefile	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/bn/Makefile	Tue Sep 10 21:14:56 2019	(r352193)
@@ -297,8 +297,8 @@ bn_lib.o: ../../include/openssl/e_os2.h ../../include/
 bn_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 bn_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_lib.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
-bn_lib.o: bn_lib.c
+bn_lib.o: ../../include/openssl/symhacks.h ../bn_int.h ../constant_time_locl.h
+bn_lib.o: ../cryptlib.h bn_lcl.h bn_lib.c
 bn_mod.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mod.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_mod.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h

Modified: stable/11/crypto/openssl/crypto/bn/bn_lib.c
==============================================================================
--- stable/11/crypto/openssl/crypto/bn/bn_lib.c	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/bn/bn_lib.c	Tue Sep 10 21:14:56 2019	(r352193)
@@ -66,6 +66,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
+#include "constant_time_locl.h"
 
 const char BN_version[] = "Big Number" OPENSSL_VERSION_PTEXT;
 
@@ -187,13 +188,57 @@ int BN_num_bits_word(BN_ULONG l)
     return bits;
 }
 
+/*
+ * This function still leaks `a->dmax`: it's caller's responsibility to
+ * expand the input `a` in advance to a public length.
+ */
+static inline
+int bn_num_bits_consttime(const BIGNUM *a)
+{
+    int j, ret;
+    unsigned int mask, past_i;
+    int i = a->top - 1;
+    bn_check_top(a);
+
+    for (j = 0, past_i = 0, ret = 0; j < a->dmax; j++) {
+        mask = constant_time_eq_int(i, j); /* 0xff..ff if i==j, 0x0 otherwise */
+
+        ret += BN_BITS2 & (~mask & ~past_i);
+        ret += BN_num_bits_word(a->d[j]) & mask;
+
+        past_i |= mask; /* past_i will become 0xff..ff after i==j */
+    }
+
+    /*
+     * if BN_is_zero(a) => i is -1 and ret contains garbage, so we mask the
+     * final result.
+     */
+    mask = ~(constant_time_eq_int(i, ((int)-1)));
+
+    return ret & mask;
+}
+
 int BN_num_bits(const BIGNUM *a)
 {
     int i = a->top - 1;
     bn_check_top(a);
 
+    if (a->flags & BN_FLG_CONSTTIME) {
+        /*
+         * We assume that BIGNUMs flagged as CONSTTIME have also been expanded
+         * so that a->dmax is not leaking secret information.
+         *
+         * In other words, it's the caller's responsibility to ensure `a` has
+         * been preallocated in advance to a public length if we hit this
+         * branch.
+         *
+         */
+        return bn_num_bits_consttime(a);
+    }
+
     if (BN_is_zero(a))
         return 0;
+
     return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
 }
 
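Review bot: In `bn_num_bits_consttime` the masks are applied with bare `&` and `~` (`ret += BN_BITS2 & (~mask & ~past_i);` and `ret += BN_num_bits_word(a->d[j]) & mask;`), so nothing stops a compiler from recognising the select and emitting a branch on `i == j`, that is, on `a->top`. The same commit adds `value_barrier()` to constant_time_locl.h for this concern in `constant_time_select`; whether any compiler does this here is not something the diff shows. The header comment should at least state that the loop depends on the masks staying branch-free and on `BN_num_bits_word` being constant-time, of which only the tail is visible in this hunk. The loop also reads every limb up to `a->dmax`, so a comment such as `/* limbs in [top, dmax) are read but masked out */` would make that assumption explicit.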
@@ -613,8 +658,11 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIG
     return (ret);
 }
 
+typedef enum {big, little} endianess_t;
+
 /* ignore negative */
-static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
+static
+int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianess_t endianess)
 {
     int n;
     size_t i, lasti, j, atop, mask;
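Review bot: `typedef enum {big, little} endianess_t;` puts the very generic enumerators `big` and `little` at file scope in bn_lib.c, and the `_t` suffix is reserved by POSIX. Prefixed names, for example `typedef enum { BN_ENDIAN_BIG, BN_ENDIAN_LITTLE } bn_endianness;` (suggested names, not existing ones), would be safer if a rename is acceptable in a vendor merge. The new `endianess` parameter also has no comment; `/* endianess selects the byte order written to |to|; it is a public value, not a secret */` above `bn2binpad` would cover it. The body of `bn2binpad` continues outside this hunk.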
@@ -646,10 +694,17 @@ static int bn2binpad(const BIGNUM *a, unsigned char *t
 
     lasti = atop - 1;
     atop = a->top * BN_BYTES;
-    for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) {
+    if (endianess == big)
+        to += tolen; /* start from the end of the buffer */
+    for (i = 0, j = 0; j < (size_t)tolen; j++) {
+        unsigned char val;
         l = a->d[i / BN_BYTES];
         mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
-        *--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
+        val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
+        if (endianess == big)
+            *--to = val;
+        else
+            *to++ = val;
         i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
     }
 
@@ -660,21 +715,66 @@ int bn_bn2binpad(const BIGNUM *a, unsigned char *to, i
 {
     if (tolen < 0)
         return -1;
-    return bn2binpad(a, to, tolen);
+    return bn2binpad(a, to, tolen, big);
 }
 
 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
 {
-    int n, i;
+    return bn2binpad(a, to, -1, big);
+}
+
+BIGNUM *bn_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
+{
+    unsigned int i, m;
+    unsigned int n;
     BN_ULONG l;
+    BIGNUM *bn = NULL;
 
-    bn_check_top(a);
-    n = i = BN_num_bytes(a);
-    while (i--) {
-        l = a->d[i / BN_BYTES];
-        *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
+    if (ret == NULL)
+        ret = bn = BN_new();
+    if (ret == NULL)
+        return NULL;
+    bn_check_top(ret);
+    s += len;
+    /* Skip trailing zeroes. */
+    for ( ; len > 0 && s[-1] == 0; s--, len--)
+        continue;
+    n = len;
+    if (n == 0) {
+        ret->top = 0;
+        return ret;
     }
-    return (n);
+    i = ((n - 1) / BN_BYTES) + 1;
+    m = ((n - 1) % (BN_BYTES));
+    if (bn_wexpand(ret, (int)i) == NULL) {
+        BN_free(bn);
+        return NULL;
+    }
+    ret->top = i;
+    ret->neg = 0;
+    l = 0;
+    while (n--) {
+        s--;
+        l = (l << 8L) | *s;
+        if (m-- == 0) {
+            ret->d[--i] = l;
+            l = 0;
+            m = BN_BYTES - 1;
+        }
+    }
+    /*
+     * need to call this due to clear byte at top if avoiding having the top
+     * bit set (-ve number)
+     */
+    bn_correct_top(ret);
+    return ret;
+}
+
+int bn_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
+{
+    if (tolen < 0)
+        return -1;
+    return bn2binpad(a, to, tolen, little);
 }
 
 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
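Review bot: `bn_lebin2bn` never rejects a negative `len`: `s += len` then moves the pointer backwards, the skip loop is bypassed, and `n = len` converts the value to a large `unsigned int` that feeds the `i`/`m` computation and `bn_wexpand(ret, (int)i)`. Its sibling `bn_bn2lebinpad` in the same hunk already guards with `if (tolen < 0) return -1;`, so a matching `if (len < 0) return NULL;` before the `BN_new()` call would keep the pair consistent. The `n == 0` early return also sets `ret->top = 0` but leaves `ret->neg` untouched when a caller-supplied `ret` is reused; adding `ret->neg = 0;` there avoids returning a negative zero.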

Modified: stable/11/crypto/openssl/crypto/bn_int.h
==============================================================================
--- stable/11/crypto/openssl/crypto/bn_int.h	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/bn_int.h	Tue Sep 10 21:14:56 2019	(r352193)
@@ -19,3 +19,6 @@ int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const
 int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
 
 int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);
+
+BIGNUM *bn_lebin2bn(const unsigned char *s, int len, BIGNUM *ret);
+int bn_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen);

Modified: stable/11/crypto/openssl/crypto/cms/cms_env.c
==============================================================================
--- stable/11/crypto/openssl/crypto/cms/cms_env.c	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/cms/cms_env.c	Tue Sep 10 21:14:56 2019	(r352193)
@@ -4,7 +4,7 @@
  * project.
  */
 /* ====================================================================
- * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2008-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -422,6 +422,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentI
     unsigned char *ek = NULL;
     size_t eklen;
     int ret = 0;
+    size_t fixlen = 0;
     CMS_EncryptedContentInfo *ec;
     ec = cms->d.envelopedData->encryptedContentInfo;
 
@@ -430,6 +431,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentI
         return 0;
     }
 
+    if (cms->d.envelopedData->encryptedContentInfo->havenocert
+            && !cms->d.envelopedData->encryptedContentInfo->debug) {
+        X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
+        const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
+
+        if (ciph == NULL) {
+            CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
+            return 0;
+        }
+
+        fixlen = EVP_CIPHER_key_length(ciph);
+    }
+
     ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
     if (!ktri->pctx)
         return 0;
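Review bot: The new condition spells out `cms->d.envelopedData->encryptedContentInfo` twice although `ec` was assigned that same pointer a few lines earlier in the function; `if (ec->havenocert && !ec->debug) {` reads better and matches the `ec->contentEncryptionAlgorithm` use inside the block. The block also has no comment saying why the length is pinned; something like `/* no recipient certificate supplied: require the decrypted key length to equal the content cipher's key length (extra safety for MMA) */` would help. `EVP_CIPHER_key_length()` returns `int`, so the assignment to the `size_t fixlen` is an implicit conversion that deserves a cast or a `> 0` check. The function starts and ends outside this hunk.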
@@ -460,7 +474,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentI
 
     if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
                          ktri->encryptedKey->data,
-                         ktri->encryptedKey->length) <= 0) {
+                         ktri->encryptedKey->length) <= 0
+            || eklen == 0
+            || (fixlen != 0 && eklen != fixlen)) {
         CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
         goto err;
     }
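Review bot: The two new rejection cases (`eklen == 0` and `eklen != fixlen`) are reached after `EVP_PKEY_decrypt` has succeeded, so `ek` holds decrypted bytes when control jumps to `err`. The `err` label is outside this hunk; if it only frees `ek`, those bytes remain in freed heap memory, and an `OPENSSL_cleanse()` over the allocated length of `ek` before it is freed would close that. Keep all three conditions on the single `CMS_R_CMS_LIB` error as written, since a distinct error for the length mismatch would give callers a signal that separates the cases.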

Modified: stable/11/crypto/openssl/crypto/cms/cms_lcl.h
==============================================================================
--- stable/11/crypto/openssl/crypto/cms/cms_lcl.h	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/cms/cms_lcl.h	Tue Sep 10 21:14:56 2019	(r352193)
@@ -4,7 +4,7 @@
  * project.
  */
 /* ====================================================================
- * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2008-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -172,6 +172,8 @@ struct CMS_EncryptedContentInfo_st {
     size_t keylen;
     /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
     int debug;
+    /* Set to 1 if we have no cert and need extra safety measures for MMA */
+    int havenocert;
 };
 
 struct CMS_RecipientInfo_st {

Modified: stable/11/crypto/openssl/crypto/cms/cms_smime.c
==============================================================================
--- stable/11/crypto/openssl/crypto/cms/cms_smime.c	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/cms/cms_smime.c	Tue Sep 10 21:14:56 2019	(r352193)
@@ -4,7 +4,7 @@
  * project.
  */
 /* ====================================================================
- * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2008-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -737,6 +737,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X5
         cms->d.envelopedData->encryptedContentInfo->debug = 1;
     else
         cms->d.envelopedData->encryptedContentInfo->debug = 0;
+    if (!cert)
+        cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
+    else
+        cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
     if (!pk && !cert && !dcont && !out)
         return 1;
     if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
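Review bot: `havenocert` is assigned only here in `CMS_decrypt`, so the key-length check that depends on it in `cms_RecipientInfo_ktri_decrypt` appears to be armed only for callers that go through this function. A caller that invokes `CMS_decrypt_set1_pkey()` directly with a NULL certificate would see whatever value the field already had, and this diff does not show it being initialised elsewhere. Setting the flag inside `CMS_decrypt_set1_pkey` from its own `cert` argument would cover both paths. The four added lines can also be written as `cms->d.envelopedData->encryptedContentInfo->havenocert = (cert == NULL);`. `CMS_decrypt` starts and ends outside this hunk.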

Modified: stable/11/crypto/openssl/crypto/constant_time_locl.h
==============================================================================
--- stable/11/crypto/openssl/crypto/constant_time_locl.h	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/constant_time_locl.h	Tue Sep 10 21:14:56 2019	(r352193)
@@ -6,7 +6,7 @@
  * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley
  * (Google).
  * ====================================================================
- * Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2014-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -185,11 +185,29 @@ static inline unsigned char constant_time_eq_int_8(int
     return constant_time_eq_8((unsigned)(a), (unsigned)(b));
 }
 
+/*
+ * Returns the value unmodified, but avoids optimizations.
+ * The barriers prevent the compiler from narrowing down the
+ * possible value range of the mask and ~mask in the select
+ * statements, which avoids the recognition of the select
+ * and turning it into a conditional load or branch.
+ */
+static inline unsigned int value_barrier(unsigned int a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+    unsigned int r;
+    __asm__("" : "=r"(r) : "0"(a));
+#else
+    volatile unsigned int r = a;
+#endif
+    return r;
+}
+
 static inline unsigned int constant_time_select(unsigned int mask,
                                                 unsigned int a,
                                                 unsigned int b)
 {
-    return (mask & a) | (~mask & b);
+    return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
 }
 
 static inline unsigned char constant_time_select_8(unsigned char mask,

Modified: stable/11/crypto/openssl/crypto/cryptlib.h
==============================================================================
--- stable/11/crypto/openssl/crypto/cryptlib.h	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/cryptlib.h	Tue Sep 10 21:14:56 2019	(r352193)
@@ -106,6 +106,8 @@ extern int OPENSSL_NONPIC_relocated;
 
 char *ossl_safe_getenv(const char *);
 
+unsigned long OPENSSL_rdtsc(void);
+
 #ifdef  __cplusplus
 }
 #endif

Modified: stable/11/crypto/openssl/crypto/ec/Makefile
==============================================================================
--- stable/11/crypto/openssl/crypto/ec/Makefile	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/ec/Makefile	Tue Sep 10 21:14:56 2019	(r352193)
@@ -156,7 +156,7 @@ ec_curve.o: ../../include/openssl/err.h ../../include/
 ec_curve.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
 ec_curve.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ec_curve.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ec_curve.o: ../../include/openssl/symhacks.h ec_curve.c ec_lcl.h
+ec_curve.o: ../../include/openssl/symhacks.h ../bn_int.h ec_curve.c ec_lcl.h
 ec_cvt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 ec_cvt.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 ec_cvt.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h

Modified: stable/11/crypto/openssl/crypto/ec/ec.h
==============================================================================
--- stable/11/crypto/openssl/crypto/ec/ec.h	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/ec/ec.h	Tue Sep 10 21:14:56 2019	(r352193)
@@ -7,7 +7,7 @@
  * \author Originally written by Bodo Moeller for the OpenSSL project
  */
 /* ====================================================================
- * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1073,6 +1073,7 @@ int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int o
  * The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+
 void ERR_load_EC_strings(void);
 
 /* Error codes for the EC functions. */
@@ -1270,13 +1271,14 @@ void ERR_load_EC_strings(void);
 # define EC_R_SLOT_FULL                                   108
 # define EC_R_UNDEFINED_GENERATOR                         113
 # define EC_R_UNDEFINED_ORDER                             128
+# define EC_R_UNKNOWN_COFACTOR                            152
 # define EC_R_UNKNOWN_GROUP                               129
 # define EC_R_UNKNOWN_ORDER                               114
 # define EC_R_UNSUPPORTED_FIELD                           131
 # define EC_R_WRONG_CURVE_PARAMETERS                      145
 # define EC_R_WRONG_ORDER                                 130
 
-#ifdef  __cplusplus
+# ifdef  __cplusplus
 }
-#endif
+# endif
 #endif

Modified: stable/11/crypto/openssl/crypto/ec/ec_asn1.c
==============================================================================
--- stable/11/crypto/openssl/crypto/ec/ec_asn1.c	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/ec/ec_asn1.c	Tue Sep 10 21:14:56 2019	(r352193)
@@ -3,7 +3,7 @@
  * Written by Nils Larsch for the OpenSSL project.
  */
 /* ====================================================================
- * Copyright (c) 2000-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -695,10 +695,12 @@ ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GR
 static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params)
 {
     int ok = 0, tmp;
-    EC_GROUP *ret = NULL;
+    EC_GROUP *ret = NULL, *dup = NULL;
     BIGNUM *p = NULL, *a = NULL, *b = NULL;
     EC_POINT *point = NULL;
     long field_bits;
+    int curve_name = NID_undef;
+    BN_CTX *ctx = NULL;
 
     if (!params->fieldID || !params->fieldID->fieldType ||
         !params->fieldID->p.ptr) {
@@ -914,13 +916,75 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARA
         goto err;
     }
 
+    /*
+     * Check if the explicit parameters group just created matches one of the
+     * built-in curves.
+     *
+     * We create a copy of the group just built, so that we can remove optional
+     * fields for the lookup: we do this to avoid the possibility that one of
+     * the optional parameters is used to force the library into using a less
+     * performant and less secure EC_METHOD instead of the specialized one.
+     * In any case, `seed` is not really used in any computation, while a
+     * cofactor different from the one in the built-in table is just
+     * mathematically wrong anyway and should not be used.
+     */
+    if ((ctx = BN_CTX_new()) == NULL) {
+        ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB);
+        goto err;
+    }
+    if ((dup = EC_GROUP_dup(ret)) == NULL
+            || EC_GROUP_set_seed(dup, NULL, 0) != 1
+            || !EC_GROUP_set_generator(dup, point, a, NULL)) {
+        ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
+        goto err;
+    }
+    if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) {
+        /*
+         * The input explicit parameters successfully matched one of the
+         * built-in curves: often for built-in curves we have specialized
+         * methods with better performance and hardening.
+         *
+         * In this case we replace the `EC_GROUP` created through explicit
+         * parameters with one created from a named group.
+         */
+        EC_GROUP *named_group = NULL;
+
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+        /*
+         * NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for
+         * the same curve, we prefer the SECP nid when matching explicit
+         * parameters as that is associated with a specialized EC_METHOD.
+         */
+        if (curve_name == NID_wap_wsg_idm_ecid_wtls12)
+            curve_name = NID_secp224r1;
+#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
+
+        if ((named_group = EC_GROUP_new_by_curve_name(curve_name)) == NULL) {
+            ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
+            goto err;
+        }
+        EC_GROUP_free(ret);
+        ret = named_group;
+
+        /*
+         * Set the flag so that EC_GROUPs created from explicit parameters are
+         * serialized using explicit parameters by default.
+         *
+         * 0x0 = OPENSSL_EC_EXPLICIT_CURVE
+         */
+        EC_GROUP_set_asn1_flag(ret, 0x0);
+    }
+
     ok = 1;
 
- err:if (!ok) {
+ err:
+    if (!ok) {
         if (ret)
-            EC_GROUP_clear_free(ret);
+            EC_GROUP_free(ret);
         ret = NULL;
     }
+    if (dup)
+        EC_GROUP_free(dup);
 
     if (p)
         BN_free(p);
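Review bot: `ec_curve_nid_from_params` is documented in this commit as returning -1 on error, but the test here is only `!= NID_undef`. An internal failure (for example a failed allocation) therefore enters the "matched a built-in curve" branch with `curve_name == -1` and is rejected, presumably, only when `EC_GROUP_new_by_curve_name(curve_name)` fails. An explicit `if (curve_name < 0) { ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB); goto err; }` ahead of the branch would make that error path deliberate. Separately, `EC_GROUP_set_generator(dup, point, a, NULL)` passes `a` as the order; `a` is evidently reused for the order earlier in the function, outside this hunk, and a short comment such as `/* a holds the group order at this point */` would save the reader a search.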
@@ -930,6 +994,8 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARA
         BN_free(b);
     if (point)
         EC_POINT_free(point);
+    if (ctx)
+        BN_CTX_free(ctx);
     return (ret);
 }
 
@@ -990,7 +1056,7 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsig
     }
 
     if (a && *a)
-        EC_GROUP_clear_free(*a);
+        EC_GROUP_free(*a);
     if (a)
         *a = group;
 
@@ -1040,7 +1106,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned ch
 
     if (priv_key->parameters) {
         if (ret->group)
-            EC_GROUP_clear_free(ret->group);
+            EC_GROUP_free(ret->group);
         ret->group = ec_asn1_pkparameters2group(priv_key->parameters);
     }
 

Modified: stable/11/crypto/openssl/crypto/ec/ec_curve.c
==============================================================================
--- stable/11/crypto/openssl/crypto/ec/ec_curve.c	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/ec/ec_curve.c	Tue Sep 10 21:14:56 2019	(r352193)
@@ -3,7 +3,7 @@
  * Written by Nils Larsch for the OpenSSL project.
  */
 /* ====================================================================
- * Copyright (c) 1998-2010 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -75,6 +75,8 @@
 #include <openssl/obj_mac.h>
 #include <openssl/opensslconf.h>
 
+#include "bn_int.h"
+
 #ifdef OPENSSL_FIPS
 # include <openssl/fips.h>
 #endif
@@ -3245,4 +3247,116 @@ int EC_curve_nist2nid(const char *name)
             return nist_curves[i].nid;
     }
     return NID_undef;
+}
+
+#define NUM_BN_FIELDS 6
+/*
+ * Validates EC domain parameter data for known named curves.
+ * This can be used when a curve is loaded explicitly (without a curve
+ * name) or to validate that domain parameters have not been modified.
+ *
+ * Returns: The nid associated with the found named curve, or NID_undef
+ *          if not found. If there was an error it returns -1.
+ */
+int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
+{
+    int ret = -1, nid, len, field_type, param_len;
+    size_t i, seed_len;
+    const unsigned char *seed, *params_seed, *params;
+    unsigned char *param_bytes = NULL;
+    const EC_CURVE_DATA *data;
+    const EC_POINT *generator = NULL;
+    const EC_METHOD *meth;
+    const BIGNUM *cofactor = NULL;
+    /* An array of BIGNUMs for (p, a, b, x, y, order) */
+    BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
+
+    meth = EC_GROUP_method_of(group);
+    if (meth == NULL)
+        return -1;
+    /* Use the optional named curve nid as a search field */
+    nid = EC_GROUP_get_curve_name(group);
+    field_type = EC_METHOD_get_field_type(meth);
+    seed_len = EC_GROUP_get_seed_len(group);
+    seed = EC_GROUP_get0_seed(group);
+    cofactor = &group->cofactor;
+
+    BN_CTX_start(ctx);
+
+    /*
+     * The built-in curves contains data fields (p, a, b, x, y, order) that are
+     * all zero-padded to be the same size. The size of the padding is
+     * determined by either the number of bytes in the field modulus (p) or the
+     * EC group order, whichever is larger.
+     */
+    param_len = BN_num_bytes(&group->order);
+    len = BN_num_bytes(&group->field);
+    if (len > param_len)
+        param_len = len;
+
+    /* Allocate space to store the padded data for (p, a, b, x, y, order)  */
+    param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
+    if (param_bytes == NULL)
+        goto end;
+
+    /* Create the bignums */
+    for (i = 0; i < NUM_BN_FIELDS; ++i) {
+        if ((bn[i] = BN_CTX_get(ctx)) == NULL)
+            goto end;
+    }
+    /*
+     * Fill in the bn array with the same values as the internal curves
+     * i.e. the values are p, a, b, x, y, order.
+     */
+    /* Get p, a & b */
+    if (!(ec_group_get_curve(group, bn[0], bn[1], bn[2], ctx)
+        && ((generator = EC_GROUP_get0_generator(group)) != NULL)
+        /* Get x & y */
+        && ec_point_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
+        /* Get order */
+        && EC_GROUP_get_order(group, bn[5], ctx)))
+        goto end;
+
+   /*
+     * Convert the bignum array to bytes that are joined together to form
+     * a single buffer that contains data for all fields.
+     * (p, a, b, x, y, order) are all zero padded to be the same size.
+     */
+    for (i = 0; i < NUM_BN_FIELDS; ++i) {
+        if (bn_bn2binpad(bn[i], &param_bytes[i*param_len], param_len) <= 0)
+            goto end;
+    }
+
+    for (i = 0; i < curve_list_length; i++) {
+        const ec_list_element curve = curve_list[i];
+
+        data = curve.data;
+        /* Get the raw order byte data */
+        params_seed = (const unsigned char *)(data + 1); /* skip header */
+        params = params_seed + data->seed_len;
+
+        /* Look for unique fields in the fixed curve data */
+        if (data->field_type == field_type
+            && param_len == data->param_len
+            && (nid <= 0 || nid == curve.nid)
+            /* check the optional cofactor (ignore if its zero) */
+            && (BN_is_zero(cofactor)
+                || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
+            /* Check the optional seed (ignore if its not set) */
+            && (data->seed_len == 0 || seed_len == 0
+                || ((size_t)data->seed_len == seed_len
+                     && memcmp(params_seed, seed, seed_len) == 0))
+            /* Check that the groups params match the built-in curve params */
+            && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
+                             == 0) {
+            ret = curve.nid;
+            goto end;
+        }
+    }
+    /* Gets here if the group was not found */
+    ret = NID_undef;
+end:
+    OPENSSL_free(param_bytes);
+    BN_CTX_end(ctx);
+    return ret;
 }
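Review bot: `ec_curve_nid_from_params` calls `BN_CTX_start(ctx)` and `BN_CTX_get(ctx)` unconditionally, so a NULL `ctx` is not tolerated, yet the header comment does not say so; add a line such as `* ctx must be a valid, non-NULL BN_CTX supplied by the caller.` In the lookup loop, `const ec_list_element curve = curve_list[i];` copies the table entry on every iteration; `const ec_list_element *curve = &curve_list[i];` avoids the copy and reads the same. `NUM_BN_FIELDS` also stays defined for the rest of the file; an `#undef NUM_BN_FIELDS` after the function, or an `enum` constant, would keep it local.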

Modified: stable/11/crypto/openssl/crypto/ec/ec_err.c
==============================================================================
--- stable/11/crypto/openssl/crypto/ec/ec_err.c	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/ec/ec_err.c	Tue Sep 10 21:14:56 2019	(r352193)
@@ -1,6 +1,6 @@
 /* crypto/ec/ec_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -310,6 +310,7 @@ static ERR_STRING_DATA EC_str_reasons[] = {
     {ERR_REASON(EC_R_SLOT_FULL), "slot full"},
     {ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"},
     {ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"},
+    {ERR_REASON(EC_R_UNKNOWN_COFACTOR), "unknown cofactor"},
     {ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"},
     {ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"},
     {ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"},

Modified: stable/11/crypto/openssl/crypto/ec/ec_lcl.h
==============================================================================
--- stable/11/crypto/openssl/crypto/ec/ec_lcl.h	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/ec/ec_lcl.h	Tue Sep 10 21:14:56 2019	(r352193)
@@ -3,7 +3,7 @@
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
 /* ====================================================================
- * Copyright (c) 1998-2018 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -565,3 +565,18 @@ EC_GROUP *FIPS_ec_group_new_curve_gf2m(const BIGNUM *p
                                        const BIGNUM *b, BN_CTX *ctx);
 EC_GROUP *FIPS_ec_group_new_by_curve_name(int nid);
 #endif
+
+int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx);
+
+/*
+ * The next 2 functions are just internal wrappers around the omonimous
+ * functions with either the `_GFp` or the `_GF2m` suffix.
+ *
+ * They are meant to facilitate backporting of code from newer branches, where
+ * the public API includes a "field agnostic" version of these 2 functions.
+ */
+int ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
+                       BIGNUM *b, BN_CTX *ctx);
+int ec_point_get_affine_coordinates(const EC_GROUP *group,
+                                    const EC_POINT *point, BIGNUM *x,
+                                    BIGNUM *y, BN_CTX *ctx);
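Review bot: The comment above `ec_group_get_curve` says "omonimous", which should read "homonymous" (or simply "same-named"). The new `ec_curve_nid_from_params` prototype has no comment here, and its three-way return is easy to misuse from a caller that only compares against `NID_undef`. A one-line `/* returns the matching nid, NID_undef if none matches, or -1 on error */` next to the prototype would help.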

Modified: stable/11/crypto/openssl/crypto/ec/ec_lib.c
==============================================================================
--- stable/11/crypto/openssl/crypto/ec/ec_lib.c	Tue Sep 10 21:13:37 2019	(r352192)
+++ stable/11/crypto/openssl/crypto/ec/ec_lib.c	Tue Sep 10 21:14:56 2019	(r352193)
@@ -294,6 +294,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
     return meth->field_type;
 }
 
+/*-
+ * Try computing cofactor from the generator order (n) and field cardinality (q).
+ * This works for all curves of cryptographic interest.
+ *
+ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
+ * h_min = (q + 1 - 2*sqrt(q))/n
+ * h_max = (q + 1 + 2*sqrt(q))/n
+ * h_max - h_min = 4*sqrt(q)/n
+ * So if n > 4*sqrt(q) holds, there is only one possible value for h:
+ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
+ *
+ * Otherwise, zero cofactor and return success.
+ */
+static int ec_guess_cofactor(EC_GROUP *group) {
+    int ret = 0;
+    BN_CTX *ctx = NULL;
+    BIGNUM *q = NULL;
+
+    /*-
+     * If the cofactor is too large, we cannot guess it.
+     * The RHS of below is a strict overestimate of lg(4 * sqrt(q))
+     */
+    if (BN_num_bits(&group->order) <= (BN_num_bits(&group->field) + 1) / 2 + 3) {
+        /* default to 0 */
+        BN_zero(&group->cofactor);
+        /* return success */
+        return 1;
+    }
+
+    if ((ctx = BN_CTX_new()) == NULL)
+        return 0;
+
+    BN_CTX_start(ctx);
+    if ((q = BN_CTX_get(ctx)) == NULL)
+        goto err;
+
+    /* set q = 2**m for binary fields; q = p otherwise */
+    if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
+        BN_zero(q);
+        if (!BN_set_bit(q, BN_num_bits(&group->field) - 1))
+            goto err;
+    } else {
+        if (!BN_copy(q, &group->field))
+            goto err;
+    }
+
+    /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
+    if (!BN_rshift1(&group->cofactor, &group->order) /* n/2 */
+        || !BN_add(&group->cofactor, &group->cofactor, q) /* q + n/2 */
+        /* q + 1 + n/2 */
+        || !BN_add(&group->cofactor, &group->cofactor, BN_value_one())
+        /* (q + 1 + n/2)/n */
+        || !BN_div(&group->cofactor, NULL, &group->cofactor, &group->order, ctx))
+        goto err;
+    ret = 1;
+ err:
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+    return ret;
+}
+
 int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
                            const BIGNUM *order, const BIGNUM *cofactor)
 {
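Review bot: `ec_guess_cofactor` builds its result in place in `group->cofactor` (first `n/2`, then `q + n/2`, and so on), so when one of the `BN_*` calls fails the field is left holding an intermediate value. The only caller visible in this diff zeroes the cofactor on failure, but the header comment should state that contract, e.g. `* On failure group->cofactor is unspecified; the caller must reset it.`, or the function should call `BN_zero(&group->cofactor)` on its own `err` path. The `BN_div` by `group->order` likewise relies on the caller having rejected a zero order first. The opening brace on the signature line also departs from the brace-on-its-own-line style of the other definitions in this diff.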
@@ -302,6 +363,33 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_P
         return 0;
     }
 
+    /* require group->field >= 1 */
+    if (BN_is_zero(&group->field) || BN_is_negative(&group->field)) {
+        ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
+        return 0;
+    }
+
+    /*-
+     * - require order >= 1
+     * - enforce upper bound due to Hasse thm: order can be no more than one bit
+     *   longer than field cardinality
+     */
+    if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
+        || BN_num_bits(order) > BN_num_bits(&group->field) + 1) {
+        ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
+        return 0;
+    }
+
+    /*-
+     * Unfortunately the cofactor is an optional field in many standards.
+     * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
+     * So accept cofactor == NULL or cofactor >= 0.
+     */
+    if (cofactor != NULL && BN_is_negative(cofactor)) {
+        ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
+        return 0;
+    }
+
     if (group->generator == NULL) {
         group->generator = EC_POINT_new(group);
         if (group->generator == NULL)
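Review bot: The new `order == NULL` test changes the public contract of `EC_GROUP_set_generator`: the code removed further down in this diff accepted a NULL order and stored zero, whereas the call now fails with `EC_R_INVALID_GROUP_ORDER`. The tightening is sensible, but it is a behaviour change for existing callers and deserves a line in the function's documentation, e.g. `/* order must be non-NULL and >= 1; cofactor may be NULL or 0 to have it computed */`. The negative-cofactor case reports `EC_R_UNKNOWN_COFACTOR`, which reads oddly for a value that is known but invalid, so the comment there could say the code doubles as "invalid cofactor". The function body continues outside this hunk.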
@@ -310,17 +398,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_P
     if (!EC_POINT_copy(group->generator, generator))
         return 0;
 
-    if (order != NULL) {
-        if (!BN_copy(&group->order, order))
-            return 0;
-    } else
-        BN_zero(&group->order);
+    if (!BN_copy(&group->order, order))
+        return 0;
 
-    if (cofactor != NULL) {
+    /* Either take the provided positive cofactor, or try to compute it */
+    if (cofactor != NULL && !BN_is_zero(cofactor)) {
         if (!BN_copy(&group->cofactor, cofactor))
             return 0;
-    } else
+    } else if (!ec_guess_cofactor(group)) {
         BN_zero(&group->cofactor);
+        return 0;
+    }
 
     /*-
      * Access to the `mont_data` field of an EC_GROUP struct should always be
@@ -1168,4 +1256,61 @@ int ec_precompute_mont_data(EC_GROUP *group)
     if (ctx)
         BN_CTX_free(ctx);
     return ret;
+}
+
+/*
+ * This is just a wrapper around the public functions
+ *  - EC_GROUP_get_curve_GF2m
+ *  - EC_GROUP_get_curve_GFp
+ *
+ * It is meant to facilitate backporting of code from newer branches, where
+ * the public API includes a "field agnostic" version of it.

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


