Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 20 Nov 2018 19:01:18 +0000 (UTC)
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject:   svn commit: r340692 - in vendor-crypto/openssl/dist-1.0.2: . apps crypto crypto/bio crypto/bn crypto/bn/asm crypto/conf crypto/dsa crypto/ec crypto/engine crypto/pkcs12 crypto/pkcs7 crypto/rand cry...
Message-ID:  <201811201901.wAKJ1IwI061696@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: jkim
Date: Tue Nov 20 19:01:17 2018
New Revision: 340692
URL: https://svnweb.freebsd.org/changeset/base/340692

Log:
  Import OpenSSL 1.0.2q.

Added:
  vendor-crypto/openssl/dist-1.0.2/crypto/getenv.c   (contents, props changed)
Modified:
  vendor-crypto/openssl/dist-1.0.2/CHANGES
  vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade
  vendor-crypto/openssl/dist-1.0.2/Makefile
  vendor-crypto/openssl/dist-1.0.2/NEWS
  vendor-crypto/openssl/dist-1.0.2/README
  vendor-crypto/openssl/dist-1.0.2/apps/req.c
  vendor-crypto/openssl/dist-1.0.2/config
  vendor-crypto/openssl/dist-1.0.2/crypto/Makefile
  vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c
  vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c
  vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c
  vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c
  vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c
  vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c
  vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c
  vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c
  vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c
  vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h
  vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile
  vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c
  vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c
  vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h
  vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c
  vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c
  vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h
  vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c
  vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_mult.c
  vendor-crypto/openssl/dist-1.0.2/crypto/engine/eng_list.c
  vendor-crypto/openssl/dist-1.0.2/crypto/opensslconf.h
  vendor-crypto/openssl/dist-1.0.2/crypto/opensslv.h
  vendor-crypto/openssl/dist-1.0.2/crypto/pkcs12/p12_init.c
  vendor-crypto/openssl/dist-1.0.2/crypto/pkcs7/pk7_lib.c
  vendor-crypto/openssl/dist-1.0.2/crypto/rand/Makefile
  vendor-crypto/openssl/dist-1.0.2/crypto/rand/md_rand.c
  vendor-crypto/openssl/dist-1.0.2/crypto/rand/rand_lcl.h
  vendor-crypto/openssl/dist-1.0.2/crypto/rand/rand_lib.c
  vendor-crypto/openssl/dist-1.0.2/crypto/rand/randfile.c
  vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_eay.c
  vendor-crypto/openssl/dist-1.0.2/crypto/ui/ui_openssl.c
  vendor-crypto/openssl/dist-1.0.2/crypto/x509/by_dir.c
  vendor-crypto/openssl/dist-1.0.2/crypto/x509/by_file.c
  vendor-crypto/openssl/dist-1.0.2/crypto/x509/x509_vfy.c
  vendor-crypto/openssl/dist-1.0.2/crypto/x509v3/v3_purp.c
  vendor-crypto/openssl/dist-1.0.2/doc/apps/crl.pod
  vendor-crypto/openssl/dist-1.0.2/doc/apps/req.pod
  vendor-crypto/openssl/dist-1.0.2/doc/apps/s_server.pod
  vendor-crypto/openssl/dist-1.0.2/doc/crypto/EVP_DigestSignInit.pod
  vendor-crypto/openssl/dist-1.0.2/doc/crypto/EVP_DigestVerifyInit.pod
  vendor-crypto/openssl/dist-1.0.2/doc/crypto/OPENSSL_VERSION_NUMBER.pod
  vendor-crypto/openssl/dist-1.0.2/engines/e_capi.c
  vendor-crypto/openssl/dist-1.0.2/ssl/d1_pkt.c
  vendor-crypto/openssl/dist-1.0.2/ssl/ssl_ciph.c
  vendor-crypto/openssl/dist-1.0.2/ssl/ssl_lib.c
  vendor-crypto/openssl/dist-1.0.2/ssl/t1_lib.c
  vendor-crypto/openssl/dist-1.0.2/util/domd
  vendor-crypto/openssl/dist-1.0.2/util/libeay.num

Modified: vendor-crypto/openssl/dist-1.0.2/CHANGES
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/CHANGES	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/CHANGES	Tue Nov 20 19:01:17 2018	(r340692)
@@ -7,6 +7,36 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
+
+  *) Microarchitecture timing vulnerability in ECC scalar multiplication
+
+     OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
+     shown to be vulnerable to a microarchitecture timing side channel attack.
+     An attacker with sufficient access to mount local timing attacks during
+     ECDSA signature generation could recover the private key.
+
+     This issue was reported to OpenSSL on 26th October 2018 by Alejandro
+     Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
+     Nicola Tuveri.
+     (CVE-2018-5407)
+     [Billy Brumley]
+
+  *) Timing vulnerability in DSA signature generation
+
+     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+     (CVE-2018-0734)
+     [Paul Dale]
+
+  *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
+     Module, accidentally introduced while backporting security fixes from the
+     development branch and hindering the use of ECC in FIPS mode.
+     [Nicola Tuveri]
+
  Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
 
   *) Client DoS due to large DH parameter

Modified: vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade	Tue Nov 20 19:01:17 2018	(r340692)
@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/V
 # Xlist
 setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
 setenv FSVN "svn+ssh://repo.freebsd.org/base"
-setenv OSSLVER 1.0.2p
-# OSSLTAG format: v1_0_2p
+setenv OSSLVER 1.0.2q
+# OSSLTAG format: v1_0_2q
 
 ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
 

Modified: vendor-crypto/openssl/dist-1.0.2/Makefile
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/Makefile	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/Makefile	Tue Nov 20 19:01:17 2018	(r340692)
@@ -4,18 +4,18 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2p
+VERSION=1.0.2q
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0
 SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=1
 SHLIB_MINOR=0.0
-SHLIB_EXT=
-PLATFORM=dist
-OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine
-CONFIGURE_ARGS=dist
-SHLIB_TARGET=
+SHLIB_EXT=.so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+PLATFORM=linux-x86_64
+OPTIONS=-Wa,--noexecstack no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine
+CONFIGURE_ARGS=linux-x86_64 -Wa,--noexecstack
+SHLIB_TARGET=linux-shared
 
 # HERE indicates where this Makefile lives.  This can be used to indicate
 # where sub-Makefiles are expected to be.  Currently has very limited usage,
@@ -59,11 +59,11 @@ OPENSSLDIR=/usr/local/ssl
 # equal 4.
 # PKCS1_CHECK - pkcs1 tests.
 
-CC= cc
-CFLAG= -O
+CC= gcc
+CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
 DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS
 PEX_LIBS= 
-EX_LIBS= 
+EX_LIBS= -ldl
 EXE_EXT= 
 ARFLAGS= 
 AR= ar $(ARFLAGS) r
@@ -73,7 +73,7 @@ NM= nm
 PERL= /usr/bin/perl
 TAR= tar
 TARFLAGS= --no-recursion
-MAKEDEPPROG= cc
+MAKEDEPPROG= gcc
 LIBDIR=lib
 
 # We let the C compiler driver to take care of .s files. This is done in
@@ -89,23 +89,23 @@ ASFLAG=$(CFLAG)
 PROCESSOR= 
 
 # CPUID module collects small commonly used assembler snippets
-CPUID_OBJ= mem_clr.o
-BN_ASM= bn_asm.o
-EC_ASM= 
+CPUID_OBJ= x86_64cpuid.o
+BN_ASM= x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o
+EC_ASM= ecp_nistz256.o ecp_nistz256-x86_64.o
 DES_ENC= des_enc.o fcrypt_b.o
-AES_ENC= aes_core.o aes_cbc.o
+AES_ENC= aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o
 BF_ENC= bf_enc.o
 CAST_ENC= c_enc.o
-RC4_ENC= rc4_enc.o rc4_skey.o
+RC4_ENC= rc4-x86_64.o rc4-md5-x86_64.o
 RC5_ENC= rc5_enc.o
-MD5_ASM_OBJ= 
-SHA1_ASM_OBJ= 
+MD5_ASM_OBJ= md5-x86_64.o
+SHA1_ASM_OBJ= sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o
 RMD160_ASM_OBJ= 
-WP_ASM_OBJ= wp_block.o
-CMLL_ENC= camellia.o cmll_misc.o cmll_cbc.o
-MODES_ASM_OBJ= 
+WP_ASM_OBJ= wp-x86_64.o
+CMLL_ENC= cmll-x86_64.o cmll_misc.o
+MODES_ASM_OBJ= ghash-x86_64.o aesni-gcm-x86_64.o
 ENGINES_ASM_OBJ= 
-PERLASM_SCHEME= 
+PERLASM_SCHEME= elf
 
 # KRB5 stuff
 KRB5_INCLUDES=
@@ -177,8 +177,8 @@ LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
-SHARED_LIBS_LINK_EXTS=
-SHARED_LDFLAGS=
+SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so
+SHARED_LDFLAGS=-m64
 
 GENERAL=        Makefile
 BASENAME=       openssl

Modified: vendor-crypto/openssl/dist-1.0.2/NEWS
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/NEWS	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/NEWS	Tue Nov 20 19:01:17 2018	(r340692)
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018]
+
+      o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
+      o Timing vulnerability in DSA signature generation (CVE-2018-0734)
+
   Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]
 
       o Client DoS due to large DH parameter (CVE-2018-0732)

Modified: vendor-crypto/openssl/dist-1.0.2/README
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/README	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/README	Tue Nov 20 19:01:17 2018	(r340692)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2p 14 Aug 2018
+ OpenSSL 1.0.2q 20 Nov 2018
 
  Copyright (c) 1998-2018 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

Modified: vendor-crypto/openssl/dist-1.0.2/apps/req.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/apps/req.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/apps/req.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -659,8 +659,7 @@ int MAIN(int argc, char **argv)
             }
         }
 
-        BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
-                   newkey, keyalgstr);
+        BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr);
 
         EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
         EVP_PKEY_CTX_set_app_data(genctx, bio_err);

Modified: vendor-crypto/openssl/dist-1.0.2/config
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/config	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/config	Tue Nov 20 19:01:17 2018	(r340692)
@@ -992,5 +992,6 @@ if [ $? = "0" ]; then
   fi
 else
   echo "This system ($OUT) is not supported. See file INSTALL for details."
+  exit 1
 fi
 )

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/Makefile
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/Makefile	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/Makefile	Tue Nov 20 19:01:17 2018	(r340692)
@@ -36,9 +36,11 @@ TEST=constant_time_test.c
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
 LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
-	ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c
+	ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c \
+	getenv.c
 LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \
-	uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ)
+	uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o getenv.o \
+	$(CPUID_OBJ)
 
 SRC= $(LIBSRC)
 
@@ -178,6 +180,13 @@ ex_data.o: ../include/openssl/ossl_typ.h ../include/op
 ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 ex_data.o: ex_data.c
 fips_ers.o: ../include/openssl/opensslconf.h fips_ers.c
+getenv.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
+getenv.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+getenv.o: ../include/openssl/err.h ../include/openssl/lhash.h
+getenv.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+getenv.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+getenv.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+getenv.o: getenv.c
 mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem.o: ../include/openssl/err.h ../include/openssl/lhash.h

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#define _DEFAULT_SOURCE
+#define _BSD_SOURCE
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <errno.h>
@@ -83,6 +86,11 @@ NETDB_DEFINE_CONTEXT
 static int wsa_init_done = 0;
 # endif
 
+# if defined(__GLIBC__)
+#  define HAVE_GETHOSTBYNAME_R
+#  define GETHOSTNAME_R_BUF     (2 * 1024)
+# endif
+
 /*
  * WSAAPI specifier is required to make indirect calls to run-time
  * linked WinSock 2 functions used in this module, to be specific
@@ -116,7 +124,12 @@ int BIO_get_host_ip(const char *str, unsigned char *ip
     int i;
     int err = 1;
     int locked = 0;
-    struct hostent *he;
+    struct hostent *he = NULL;
+# ifdef HAVE_GETHOSTBYNAME_R
+    char buf[GETHOSTNAME_R_BUF];
+    struct hostent hostent;
+    int h_errnop;
+# endif
 
     i = get_ip(str, ip);
     if (i < 0) {
@@ -138,10 +151,18 @@ int BIO_get_host_ip(const char *str, unsigned char *ip
     if (i > 0)
         return (1);
 
+    /* if gethostbyname_r is supported, use it. */
+# ifdef HAVE_GETHOSTBYNAME_R
+    memset(&hostent, 0x00, sizeof(hostent));
+    /* gethostbyname_r() sets |he| to NULL on error, we check it further down */
+    gethostbyname_r(str, &hostent, buf, sizeof(buf), &he, &h_errnop);
+# else
     /* do a gethostbyname */
     CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
     locked = 1;
     he = BIO_gethostbyname(str);
+# endif
+
     if (he == NULL) {
         BIOerr(BIO_F_BIO_GET_HOST_IP, BIO_R_BAD_HOSTNAME_LOOKUP);
         goto err;

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -55,12 +55,6 @@
  *    machine.
  */
 
-# if defined(_WIN64) || !defined(__LP64__)
-#  define BN_ULONG unsigned long long
-# else
-#  define BN_ULONG unsigned long
-# endif
-
 # undef mul
 # undef mul_add
 

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -1,6 +1,6 @@
 /* crypto/bn/bn_blind.c */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2018 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -206,10 +206,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
         if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
             goto err;
     } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) {
-        if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
-            goto err;
-        if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx))
-            goto err;
+        if (b->m_ctx != NULL) {
+            if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx)
+                || !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx))
+                goto err;
+        } else {
+            if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)
+                || !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
+                goto err;
+        }
     }
 
     ret = 1;
@@ -241,13 +246,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BL
     else if (!BN_BLINDING_update(b, ctx))
         return (0);
 
-    if (r != NULL) {
-        if (!BN_copy(r, b->Ai))
-            ret = 0;
-    }
+    if (r != NULL && (BN_copy(r, b->Ai) == NULL))
+        return 0;
 
-    if (!BN_mod_mul(n, n, b->A, b->mod, ctx))
-        ret = 0;
+    if (b->m_ctx != NULL)
+        ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx);
+    else
+        ret = BN_mod_mul(n, n, b->A, b->mod, ctx);
 
     return ret;
 }
@@ -264,14 +269,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, 
 
     bn_check_top(n);
 
-    if (r != NULL)
-        ret = BN_mod_mul(n, n, r, b->mod, ctx);
-    else {
-        if (b->Ai == NULL) {
-            BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
-            return (0);
+    if (r == NULL && (r = b->Ai) == NULL) {
+        BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
+        return 0;
+    }
+
+    if (b->m_ctx != NULL) {
+        /* ensure that BN_mod_mul_montgomery takes pre-defined path */
+        if (n->dmax >= r->top) {
+            size_t i, rtop = r->top, ntop = n->top;
+            BN_ULONG mask;
+
+            for (i = 0; i < rtop; i++) {
+                mask = (BN_ULONG)0 - ((i - ntop) >> (8 * sizeof(i) - 1));
+                n->d[i] &= mask;
+            }
+            mask = (BN_ULONG)0 - ((rtop - ntop) >> (8 * sizeof(ntop) - 1));
+            /* always true, if (rtop >= ntop) n->top = r->top; */
+            n->top = (int)(rtop & ~mask) | (ntop & mask);
+            n->flags |= (BN_FLG_FIXED_TOP & ~mask);
         }
-        ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
+        ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx);
+    } else {
+        ret = BN_mod_mul(n, n, r, b->mod, ctx);
     }
 
     bn_check_top(n);
@@ -366,11 +386,16 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
     } while (1);
 
     if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
-        if (!ret->bn_mod_exp
-            (ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
+        if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
             goto err;
     } else {
         if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
+            goto err;
+    }
+
+    if (ret->m_ctx != NULL) {
+        if (!bn_to_mont_fixed_top(ret->Ai, ret->Ai, ret->m_ctx, ctx)
+            || !bn_to_mont_fixed_top(ret->A, ret->A, ret->m_ctx, ctx))
             goto err;
     }
 

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -617,26 +617,40 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIG
 static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
 {
     int n;
-    size_t i, inc, lasti, j;
+    size_t i, lasti, j, atop, mask;
     BN_ULONG l;
 
+    /*
+     * In case |a| is fixed-top, BN_num_bytes can return bogus length,
+     * but it's assumed that fixed-top inputs ought to be "nominated"
+     * even for padded output, so it works out...
+     */
     n = BN_num_bytes(a);
-    if (tolen == -1)
+    if (tolen == -1) {
         tolen = n;
-    else if (tolen < n)
-        return -1;
+    } else if (tolen < n) {     /* uncommon/unlike case */
+        BIGNUM temp = *a;
 
-    if (n == 0) {
+        bn_correct_top(&temp);
+        n = BN_num_bytes(&temp);
+        if (tolen < n)
+            return -1;
+    }
+
+    /* Swipe through whole available data and don't give away padded zero. */
+    atop = a->dmax * BN_BYTES;
+    if (atop == 0) {
         OPENSSL_cleanse(to, tolen);
         return tolen;
     }
 
-    lasti = n - 1;
-    for (i = 0, inc = 1, j = tolen; j > 0;) {
+    lasti = atop - 1;
+    atop = a->top * BN_BYTES;
+    for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) {
         l = a->d[i / BN_BYTES];
-        to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc));
-        inc = (i - lasti) >> (8 * sizeof(i) - 1);
-        i += inc; /* stay on top limb */
+        mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
+        *--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
+        i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
     }
 
     return tolen;
@@ -888,6 +902,38 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, 
     t = (a->top ^ b->top) & condition;
     a->top ^= t;
     b->top ^= t;
+
+    t = (a->neg ^ b->neg) & condition;
+    a->neg ^= t;
+    b->neg ^= t;
+
+    /*-
+     * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
+     * is actually to treat it as it's read-only data, and some (if not most)
+     * of it does reside in read-only segment. In other words observation of
+     * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
+     * condition. It would either cause SEGV or effectively cause data
+     * corruption.
+     *
+     * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
+     * preserved.
+     *
+     * BN_FLG_SECURE: must be preserved, because it determines how x->d was
+     * allocated and hence how to free it.
+     *
+     * BN_FLG_CONSTTIME: sufficient to mask and swap
+     *
+     * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
+     * the data, so the d array may be padded with additional 0 values (i.e.
+     * top could be greater than the minimal value that it could be). We should
+     * be swapping it
+     */
+
+#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
+
+    t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition;
+    a->flags ^= t;
+    b->flags ^= t;
 
 #define BN_CONSTTIME_SWAP(ind) \
         do { \

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -172,7 +172,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, c
 
     if (mtop > sizeof(storage) / sizeof(storage[0])
         && (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL)
-	return 0;
+        return 0;
 
     ap = a->d != NULL ? a->d : tp;
     bp = b->d != NULL ? b->d : tp;
@@ -197,6 +197,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, c
         ((volatile BN_ULONG *)tp)[i] = 0;
     }
     r->top = mtop;
+    r->flags |= BN_FLG_FIXED_TOP;
     r->neg = 0;
 
     if (tp != storage)
@@ -222,6 +223,70 @@ int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNU
     if (!BN_sub(r, a, b))
         return 0;
     return BN_nnmod(r, r, m, ctx);
+}
+
+/*
+ * BN_mod_sub variant that may be used if both a and b are non-negative,
+ * a is less than m, while b is of same bit width as m. It's implemented
+ * as subtraction followed by two conditional additions.
+ *
+ * 0 <= a < m
+ * 0 <= b < 2^w < 2*m
+ *
+ * after subtraction
+ *
+ * -2*m < r = a - b < m
+ *
+ * Thus it takes up to two conditional additions to make |r| positive.
+ */
+int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                         const BIGNUM *m)
+{
+    size_t i, ai, bi, mtop = m->top;
+    BN_ULONG borrow, carry, ta, tb, mask, *rp;
+    const BN_ULONG *ap, *bp;
+
+    if (bn_wexpand(r, m->top) == NULL)
+        return 0;
+
+    rp = r->d;
+    ap = a->d != NULL ? a->d : rp;
+    bp = b->d != NULL ? b->d : rp;
+
+    for (i = 0, ai = 0, bi = 0, borrow = 0; i < mtop;) {
+        mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1));
+        ta = ap[ai] & mask;
+
+        mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1));
+        tb = bp[bi] & mask;
+        rp[i] = ta - tb - borrow;
+        if (ta != tb)
+            borrow = (ta < tb);
+
+        i++;
+        ai += (i - a->dmax) >> (8 * sizeof(i) - 1);
+        bi += (i - b->dmax) >> (8 * sizeof(i) - 1);
+    }
+    ap = m->d;
+    for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) {
+        ta = ((ap[i] & mask) + carry) & BN_MASK2;
+        carry = (ta < carry);
+        rp[i] = (rp[i] + ta) & BN_MASK2;
+        carry += (rp[i] < ta);
+    }
+    borrow -= carry;
+    for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) {
+        ta = ((ap[i] & mask) + carry) & BN_MASK2;
+        carry = (ta < carry);
+        rp[i] = (rp[i] + ta) & BN_MASK2;
+        carry += (rp[i] < ta);
+    }
+
+    r->top = mtop;
+    r->flags |= BN_FLG_FIXED_TOP;
+    r->neg = 0;
+
+    return 1;
 }
 
 /*

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -164,10 +164,10 @@ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, 
 
     bn_check_top(tmp);
     if (a == b) {
-        if (!BN_sqr(tmp, a, ctx))
+        if (!bn_sqr_fixed_top(tmp, a, ctx))
             goto err;
     } else {
-        if (!BN_mul(tmp, a, b, ctx))
+        if (!bn_mul_fixed_top(tmp, a, b, ctx))
             goto err;
     }
     /* reduce from aRR to aR */
@@ -190,6 +190,7 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM
     BIGNUM *n;
     BN_ULONG *ap, *np, *rp, n0, v, carry;
     int nl, max, i;
+    unsigned int rtop;
 
     n = &(mont->N);
     nl = n->top;
@@ -207,12 +208,10 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM
     rp = r->d;
 
     /* clear the top words of T */
-# if 1
-    for (i = r->top; i < max; i++) /* memset? XXX */
-        rp[i] = 0;
-# else
-    memset(&(rp[r->top]), 0, (max - r->top) * sizeof(BN_ULONG));
-# endif
+    for (rtop = r->top, i = 0; i < max; i++) {
+        v = (BN_ULONG)0 - ((i - rtop) >> (8 * sizeof(rtop) - 1));
+        rp[i] &= v;
+    }
 
     r->top = max;
     r->flags |= BN_FLG_FIXED_TOP;
@@ -263,6 +262,18 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM
 int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
                        BN_CTX *ctx)
 {
+    int retn;
+
+    retn = bn_from_mont_fixed_top(ret, a, mont, ctx);
+    bn_correct_top(ret);
+    bn_check_top(ret);
+
+    return retn;
+}
+
+int bn_from_mont_fixed_top(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
+                           BN_CTX *ctx)
+{
     int retn = 0;
 #ifdef MONT_WORD
     BIGNUM *t;
@@ -270,8 +281,6 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, B
     BN_CTX_start(ctx);
     if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) {
         retn = bn_from_montgomery_word(ret, t, mont);
-        bn_correct_top(ret);
-        bn_check_top(ret);
     }
     BN_CTX_end(ctx);
 #else                           /* !MONT_WORD */

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -936,6 +936,16 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b
 
 int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 {
+    int ret = bn_mul_fixed_top(r, a, b, ctx);
+
+    bn_correct_top(r);
+    bn_check_top(r);
+
+    return ret;
+}
+
+int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+{
     int ret = 0;
     int top, al, bl;
     BIGNUM *rr;
@@ -1042,7 +1052,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
  end:
 #endif
-    bn_correct_top(rr);
+    rr->flags |= BN_FLG_FIXED_TOP;
     if (r != rr && BN_copy(r, rr) == NULL)
         goto err;
 

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -66,6 +66,16 @@
  */
 int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
 {
+    int ret = bn_sqr_fixed_top(r, a, ctx);
+
+    bn_correct_top(r);
+    bn_check_top(r);
+
+    return ret;
+}
+
+int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+{
     int max, al;
     int ret = 0;
     BIGNUM *tmp, *rr;
@@ -136,7 +146,7 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
 
     rr->neg = 0;
     rr->top = max;
-    bn_correct_top(rr);
+    rr->flags |= BN_FLG_FIXED_TOP;
     if (r != rr && BN_copy(r, rr) == NULL)
         goto err;
 

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -4,7 +4,7 @@
  * 2005.
  */
 /* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2005-2018 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -223,8 +223,10 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int n
     for (i = 0; i < 1000; i++) {
         if (!BN_rand(Xq, nbits, 1, 0))
             goto err;
+
         /* Check that |Xp - Xq| > 2^(nbits - 100) */
-        BN_sub(t, Xp, Xq);
+        if (!BN_sub(t, Xp, Xq))
+            goto err;
         if (BN_num_bits(t) > (nbits - 100))
             break;
     }

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h	Tue Nov 20 19:01:17 2018	(r340692)
@@ -7,9 +7,15 @@
  */
 int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
                           BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+                           BN_CTX *ctx);
 int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
                          BN_CTX *ctx);
 int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
                          const BIGNUM *m);
+int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                         const BIGNUM *m);
+int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
 
 int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile	Tue Nov 20 19:01:17 2018	(r340692)
@@ -80,12 +80,13 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 conf_api.o: ../../e_os.h ../../include/openssl/bio.h
-conf_api.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h
-conf_api.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+conf_api.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+conf_api.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
+conf_api.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 conf_api.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-conf_api.o: ../../include/openssl/symhacks.h conf_api.c
+conf_api.o: ../../include/openssl/symhacks.h ../cryptlib.h conf_api.c
 conf_def.o: ../../e_os.h ../../include/openssl/bio.h
 conf_def.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
 conf_def.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -66,6 +66,7 @@
 #include <assert.h>
 #include <stdlib.h>
 #include <string.h>
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>
 #include "e_os.h"
@@ -141,7 +142,7 @@ char *_CONF_get_string(const CONF *conf, const char *s
             if (v != NULL)
                 return (v->value);
             if (strcmp(section, "ENV") == 0) {
-                p = getenv(name);
+                p = ossl_safe_getenv(name);
                 if (p != NULL)
                     return (p);
             }
@@ -154,7 +155,7 @@ char *_CONF_get_string(const CONF *conf, const char *s
         else
             return (NULL);
     } else
-        return (getenv(name));
+        return (ossl_safe_getenv(name));
 }
 
 #if 0                           /* There's no way to provide error checking

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -4,7 +4,7 @@
  * 2001.
  */
 /* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2001-2018 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -530,7 +530,7 @@ char *CONF_get1_default_config_file(void)
     char *file;
     int len;
 
-    file = getenv("OPENSSL_CONF");
+    file = ossl_safe_getenv("OPENSSL_CONF");
     if (file)
         return BUF_strdup(file);
 

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h	Tue Nov 20 19:01:17 2018	(r340692)
@@ -104,6 +104,8 @@ void OPENSSL_showfatal(const char *fmta, ...);
 void *OPENSSL_stderr(void);
 extern int OPENSSL_NONPIC_relocated;
 
+char *ossl_safe_getenv(const char *);
+
 #ifdef  __cplusplus
 }
 #endif

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -435,6 +435,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N
 
     EVP_MD_CTX_init(&mctx);
 
+    /* make sure L > N, otherwise we'll get trapped in an infinite loop */
+    if (L <= N) {
+        DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
+        goto err;
+    }
+
     if (evpmd == NULL) {
         if (N == 160)
             evpmd = EVP_sha1();

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -73,6 +73,8 @@ static int dsa_do_verify(const unsigned char *dgst, in
                          DSA_SIG *sig, DSA *dsa);
 static int dsa_init(DSA *dsa);
 static int dsa_finish(DSA *dsa);
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+                                      BN_CTX *ctx);
 
 static DSA_METHOD openssl_dsa_meth = {
     "OpenSSL DSA method",
@@ -279,7 +281,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BI
         goto err;
 
     /* Preallocate space */
-    q_bits = BN_num_bits(dsa->q);
+    q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16;
     if (!BN_set_bit(&k, q_bits)
         || !BN_set_bit(&l, q_bits)
         || !BN_set_bit(&m, q_bits))
@@ -293,9 +295,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BI
 
     if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
         BN_set_flags(&k, BN_FLG_CONSTTIME);
+        BN_set_flags(&l, BN_FLG_CONSTTIME);
     }
 
-
     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
                                     CRYPTO_LOCK_DSA, dsa->p, ctx))
@@ -333,8 +335,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BI
     if (!BN_mod(r, r, dsa->q, ctx))
         goto err;
 
-    /* Compute  part of 's = inv(k) (m + xr) mod q' */
-    if ((kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx)) == NULL)
+    /* Compute part of 's = inv(k) (m + xr) mod q' */
+    if ((kinv = dsa_mod_inverse_fermat(&k, dsa->q, ctx)) == NULL)
         goto err;
 
     if (*kinvp != NULL)
@@ -467,4 +469,32 @@ static int dsa_finish(DSA *dsa)
     if (dsa->method_mont_p)
         BN_MONT_CTX_free(dsa->method_mont_p);
     return (1);
+}
+
+/*
+ * Compute the inverse of k modulo q.
+ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
+ * mod-exp operation.  Both the exponent and modulus are public information
+ * so a mod-exp that doesn't leak the base is sufficient.  A newly allocated
+ * BIGNUM is returned which the caller must free.
+ */
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+                                      BN_CTX *ctx)
+{
+    BIGNUM *res = NULL;
+    BIGNUM *r, e;
+
+    if ((r = BN_new()) == NULL)
+        return NULL;
+
+    BN_init(&e);
+
+    if (BN_set_word(r, 2)
+            && BN_sub(&e, q, r)
+            && BN_mod_exp_mont(r, k, &e, q, ctx, NULL))
+        res = r;
+    else
+        BN_free(r);
+    BN_free(&e);
+    return res;
 }

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h	Tue Nov 20 19:01:17 2018	(r340692)
@@ -3,7 +3,7 @@
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
 /* ====================================================================
- * Copyright (c) 1998-2010 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2018 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -214,7 +214,7 @@ struct ec_group_st {
     int asn1_flag;              /* flag to control the asn1 encoding */
     /*
      * Kludge: upper bit of ans1_flag is used to denote structure
-     * version. Is set, then last field is present. This is done
+     * version. If set, then last field is present. This is done
      * for interoperation with FIPS code.
      */
 #define EC_GROUP_ASN1_FLAG_MASK 0x7fffffff
@@ -549,7 +549,6 @@ void ec_GFp_nistp_points_make_affine_internal(size_t n
 void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign,
                                      unsigned char *digit, unsigned char in);
 #endif
-int ec_precompute_mont_data(EC_GROUP *);
 
 #ifdef ECP_NISTZ256_ASM
 /** Returns GFp methods using montgomery multiplication, with x86-64 optimized

Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c	Tue Nov 20 19:00:20 2018	(r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c	Tue Nov 20 19:01:17 2018	(r340692)
@@ -70,6 +70,10 @@
 
 const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
 
+/* local function prototypes */
+
+static int ec_precompute_mont_data(EC_GROUP *group);
+
 /* functions for EC_GROUP objects */
 
 EC_GROUP *EC_GROUP_new(const EC_METHOD *meth)
@@ -318,17 +322,25 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_P
     } else
         BN_zero(&group->cofactor);
 
-    /*
-     * Some groups have an order with
-     * factors of two, which makes the Montgomery setup fail.
-     * |group->mont_data| will be NULL in this case.
+    /*-
+     * Access to the `mont_data` field of an EC_GROUP struct should always be
+     * guarded by an EC_GROUP_VERSION(group) check to avoid OOB accesses, as the
+     * group might come from the FIPS module, which does not define the
+     * `mont_data` field inside the EC_GROUP structure.
      */
-    if (BN_is_odd(&group->order)) {
-        return ec_precompute_mont_data(group);
+    if (EC_GROUP_VERSION(group)) {
+        /*-
+         * Some groups have an order with
+         * factors of two, which makes the Montgomery setup fail.
+         * |group->mont_data| will be NULL in this case.
+         */
+        if (BN_is_odd(&group->order))
+            return ec_precompute_mont_data(group);
+
+        BN_MONT_CTX_free(group->mont_data);
+        group->mont_data = NULL;
     }
 
-    BN_MONT_CTX_free(group->mont_data);
-    group->mont_data = NULL;
     return 1;
 }
 
@@ -1098,17 +1110,22 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *grou
                                  * been performed */
 }
 
-/*
+/*-
  * ec_precompute_mont_data sets |group->mont_data| from |group->order| and
  * returns one on success. On error it returns zero.
+ *

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201811201901.wAKJ1IwI061696>