Module Name: src Committed By: christos Date: Sat Dec 8 22:35:45 UTC 2018
Modified Files: src/crypto/external/bsd/openssl/dist: CHANGES Configure NEWS README e_os.h src/crypto/external/bsd/openssl/dist/apps: ca.c ocsp.c openssl.cnf s_server.c speed.c src/crypto/external/bsd/openssl/dist/crypto: cryptlib.c src/crypto/external/bsd/openssl/dist/crypto/bio: bio_lib.c bss_log.c src/crypto/external/bsd/openssl/dist/crypto/bn: bn_exp.c bn_lib.c src/crypto/external/bsd/openssl/dist/crypto/bn/asm: x86_64-gcc.c src/crypto/external/bsd/openssl/dist/crypto/ec: ec_ameth.c src/crypto/external/bsd/openssl/dist/crypto/engine: eng_devcrypto.c src/crypto/external/bsd/openssl/dist/crypto/evp: e_aes.c src/crypto/external/bsd/openssl/dist/crypto/rand: rand_unix.c randfile.c src/crypto/external/bsd/openssl/dist/crypto/rsa: rsa_lib.c src/crypto/external/bsd/openssl/dist/crypto/ui: ui_openssl.c src/crypto/external/bsd/openssl/dist/crypto/x509: x509_vfy.c src/crypto/external/bsd/openssl/dist/include/internal: tsan_assist.h src/crypto/external/bsd/openssl/dist/ssl: d1_lib.c s3_cbc.c s3_enc.c s3_lib.c ssl_ciph.c ssl_lib.c ssl_locl.h t1_lib.c src/crypto/external/bsd/openssl/dist/test: ecdsatest.c evp_extra_test.c evp_test.c src/crypto/external/bsd/openssl/dist/util: mkdef.pl src/crypto/external/bsd/openssl/lib/libcrypto: crypto.inc Removed Files: src/crypto/external/bsd/openssl/dist/doc/man3: SSL_CTX_set_client_CA_list.pod SSL_get_client_CA_list.pod SSL_get_server_tmp_key.pod Log Message: Merge conflicts To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/crypto/external/bsd/openssl/dist/CHANGES \ src/crypto/external/bsd/openssl/dist/NEWS \ src/crypto/external/bsd/openssl/dist/README cvs rdiff -u -r1.21 -r1.22 src/crypto/external/bsd/openssl/dist/Configure cvs rdiff -u -r1.11 -r1.12 src/crypto/external/bsd/openssl/dist/e_os.h cvs rdiff -u -r1.17 -r1.18 src/crypto/external/bsd/openssl/dist/apps/ca.c \ src/crypto/external/bsd/openssl/dist/apps/s_server.c cvs rdiff -u -r1.16 -r1.17 src/crypto/external/bsd/openssl/dist/apps/ocsp.c cvs rdiff -u -r1.6 -r1.7 \ src/crypto/external/bsd/openssl/dist/apps/openssl.cnf cvs rdiff -u -r1.15 -r1.16 src/crypto/external/bsd/openssl/dist/apps/speed.c cvs rdiff -u -r1.12 -r1.13 \ src/crypto/external/bsd/openssl/dist/crypto/cryptlib.c cvs rdiff -u -r1.5 -r1.6 \ src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c cvs rdiff -u -r1.9 -r1.10 \ src/crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c cvs rdiff -u -r1.17 -r1.18 \ src/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c cvs rdiff -u -r1.9 -r1.10 \ src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c cvs rdiff -u -r1.9 -r1.10 \ src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c cvs rdiff -u -r1.7 -r1.8 \ src/crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c cvs rdiff -u -r1.2 -r1.3 \ src/crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c cvs rdiff -u -r1.16 -r1.17 \ src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c cvs rdiff -u -r1.9 -r1.10 \ src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c cvs rdiff -u -r1.10 -r1.11 \ src/crypto/external/bsd/openssl/dist/crypto/rand/randfile.c cvs rdiff -u -r1.4 -r1.5 \ src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_lib.c cvs rdiff -u -r1.12 -r1.13 \ src/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c cvs rdiff -u -r1.14 -r1.15 \ src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c cvs rdiff -u -r1.1.1.1 -r0 \ src/crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_client_CA_list.pod \ src/crypto/external/bsd/openssl/dist/doc/man3/SSL_get_client_CA_list.pod \ src/crypto/external/bsd/openssl/dist/doc/man3/SSL_get_server_tmp_key.pod cvs rdiff -u -r1.2 -r1.3 \ src/crypto/external/bsd/openssl/dist/include/internal/tsan_assist.h cvs rdiff -u -r1.8 -r1.9 src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c \ src/crypto/external/bsd/openssl/dist/ssl/s3_cbc.c cvs rdiff -u -r1.13 -r1.14 src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c \ src/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c cvs rdiff -u -r1.22 -r1.23 src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c cvs rdiff -u -r1.16 -r1.17 \ src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c cvs rdiff -u -r1.19 -r1.20 \ src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h cvs rdiff -u -r1.27 -r1.28 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c cvs rdiff -u -r1.3 -r1.4 \ src/crypto/external/bsd/openssl/dist/test/ecdsatest.c cvs rdiff -u -r1.4 -r1.5 \ src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c \ src/crypto/external/bsd/openssl/dist/test/evp_test.c cvs rdiff -u -r1.9 -r1.10 src/crypto/external/bsd/openssl/dist/util/mkdef.pl cvs rdiff -u -r1.8 -r1.9 \ src/crypto/external/bsd/openssl/lib/libcrypto/crypto.inc Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/external/bsd/openssl/dist/CHANGES diff -u src/crypto/external/bsd/openssl/dist/CHANGES:1.17 src/crypto/external/bsd/openssl/dist/CHANGES:1.18 --- src/crypto/external/bsd/openssl/dist/CHANGES:1.17 Sun Sep 23 09:32:54 2018 +++ src/crypto/external/bsd/openssl/dist/CHANGES Sat Dec 8 17:35:42 2018 @@ -7,6 +7,42 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1 and 1.1.1a [20 Nov 2018] + + *) Timing vulnerability in DSA signature generation + + The OpenSSL DSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. + (CVE-2018-0734) + [Paul Dale] + + *) Timing vulnerability in ECDSA signature generation + + The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser. + (CVE-2018-0735) + [Paul Dale] + + *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for + the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names + are retained for backwards compatibility. + [Antoine Salon] + + *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input + if its length exceeds 4096 bytes. The limit has been raised to a buffer size + of two gigabytes and the error handling improved. + + This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been + categorized as a normal bug, not a security issue, because the DRBG reseeds + automatically and is fully functional even without additional randomness + provided by the application. + Changes between 1.1.0i and 1.1.1 [11 Sep 2018] *) Add a new ClientHello callback. Provides a callback interface that gives @@ -13103,4 +13139,3 @@ des-cbc 3624.96k 5258.21k *) A minor bug in ssl/s3_clnt.c where there would always be 4 0 bytes sent in the client random. [Edward Bishop <ebis...@spyglass.com>] - Index: src/crypto/external/bsd/openssl/dist/NEWS diff -u src/crypto/external/bsd/openssl/dist/NEWS:1.17 src/crypto/external/bsd/openssl/dist/NEWS:1.18 --- src/crypto/external/bsd/openssl/dist/NEWS:1.17 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/NEWS Sat Dec 8 17:35:42 2018 @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018] + + o Timing vulnerability in DSA signature generation (CVE-2018-0734) + o Timing vulnerability in ECDSA signature generation (CVE-2018-0735) + Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018] o Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3 Index: src/crypto/external/bsd/openssl/dist/README diff -u src/crypto/external/bsd/openssl/dist/README:1.17 src/crypto/external/bsd/openssl/dist/README:1.18 --- src/crypto/external/bsd/openssl/dist/README:1.17 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/README Sat Dec 8 17:35:42 2018 @@ -1,5 +1,5 @@ - OpenSSL 1.1.1 11 Sep 2018 + OpenSSL 1.1.1a 20 Nov 2018 Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Index: src/crypto/external/bsd/openssl/dist/Configure diff -u src/crypto/external/bsd/openssl/dist/Configure:1.21 src/crypto/external/bsd/openssl/dist/Configure:1.22 --- src/crypto/external/bsd/openssl/dist/Configure:1.21 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/Configure Sat Dec 8 17:35:42 2018 @@ -1013,13 +1013,18 @@ if (scalar(@seed_sources) == 0) { if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) { die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1; warn <<_____ if scalar(@seed_sources) == 1; -You have selected the --with-rand-seed=none option, which effectively disables -automatic reseeding of the OpenSSL random generator. All operations depending -on the random generator such as creating keys will not work unless the random -generator is seeded manually by the application. -Please read the 'Note on random number generation' section in the INSTALL -instructions and the RAND_DRBG(7) manual page for more details. +============================== WARNING =============================== +You have selected the --with-rand-seed=none option, which effectively +disables automatic reseeding of the OpenSSL random generator. +All operations depending on the random generator such as creating keys +will not work unless the random generator is seeded manually by the +application. + +Please read the 'Note on random number generation' section in the +INSTALL instructions and the RAND_DRBG(7) manual page for more details. +============================== WARNING =============================== + _____ } push @{$config{openssl_other_defines}}, @@ -2174,6 +2179,16 @@ EOF # Massage the result + # If the user configured no-shared, we allow no shared sources + if ($disabled{shared}) { + foreach (keys %{$unified_info{shared_sources}}) { + foreach (keys %{$unified_info{shared_sources}->{$_}}) { + delete $unified_info{sources}->{$_}; + } + } + $unified_info{shared_sources} = {}; + } + # If we depend on a header file or a perl module, add an inclusion of # its directory to allow smoothe inclusion foreach my $dest (keys %{$unified_info{depends}}) { @@ -2198,8 +2213,8 @@ EOF next unless defined($unified_info{includes}->{$dest}->{$k}); my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}}; foreach my $obj (grep /\.o$/, - (keys %{$unified_info{sources}->{$dest}}, - keys %{$unified_info{shared_sources}->{$dest}})) { + (keys %{$unified_info{sources}->{$dest} // {}}, + keys %{$unified_info{shared_sources}->{$dest} // {}})) { foreach my $inc (@incs) { unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}}; @@ -2238,6 +2253,42 @@ EOF [ @{$unified_info{includes}->{$dest}->{source}} ]; } } + + # For convenience collect information regarding directories where + # files are generated, those generated files and the end product + # they end up in where applicable. Then, add build rules for those + # directories + my %loopinfo = ( "lib" => [ @{$unified_info{libraries}} ], + "dso" => [ @{$unified_info{engines}} ], + "bin" => [ @{$unified_info{programs}} ], + "script" => [ @{$unified_info{scripts}} ] ); + foreach my $type (keys %loopinfo) { + foreach my $product (@{$loopinfo{$type}}) { + my %dirs = (); + my $pd = dirname($product); + + foreach (@{$unified_info{sources}->{$product} // []}, + @{$unified_info{shared_sources}->{$product} // []}) { + my $d = dirname($_); + + # We don't want to create targets for source directories + # when building out of source + next if ($config{sourcedir} ne $config{builddir} + && $d =~ m|^\Q$config{sourcedir}\E|); + # We already have a "test" target, and the current directory + # is just silly to make a target for + next if $d eq "test" || $d eq "."; + + $dirs{$d} = 1; + push @{$unified_info{dirinfo}->{$d}->{deps}}, $_ + if $d ne $pd; + } + foreach (keys %dirs) { + push @{$unified_info{dirinfo}->{$_}->{products}->{$type}}, + $product; + } + } + } } # For the schemes that need it, we provide the old *_obj configs @@ -2712,10 +2763,16 @@ print <<"EOF"; ********************************************************************** *** *** -*** If you want to report a building issue, please include the *** -*** output from this command: *** +*** OpenSSL has been successfully configured *** +*** *** +*** If you encounter a problem while building, please open an *** +*** issue on GitHub <https://github.com/openssl/openssl/issues> *** +*** and include the output from the following command: *** +*** *** +*** perl configdata.pm --dump *** *** *** -*** perl configdata.pm --dump *** +*** (If you are new to OpenSSL, you might want to consult the *** +*** 'Troubleshooting' section in the INSTALL file first) *** *** *** ********************************************************************** EOF Index: src/crypto/external/bsd/openssl/dist/e_os.h diff -u src/crypto/external/bsd/openssl/dist/e_os.h:1.11 src/crypto/external/bsd/openssl/dist/e_os.h:1.12 --- src/crypto/external/bsd/openssl/dist/e_os.h:1.11 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/e_os.h Sat Dec 8 17:35:42 2018 @@ -245,7 +245,7 @@ extern FILE *_imp___iob; Finally, we add the VMS C facility code 0x35a000, because there are some programs, such as Perl, that will reinterpret the code back to something - POSIXly. 'man perlvms' explains it further. + POSIX. 'man perlvms' explains it further. NOTE: the perlvms manual wants to turn all codes 2 to 255 into success codes (status type = 1). I couldn't disagree more. Fortunately, the @@ -317,8 +317,15 @@ struct servent *getservbyname(const char # endif /* end vxworks */ -#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -# define CRYPTO_memcmp memcmp -#endif +# ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +# define CRYPTO_memcmp memcmp +# endif +/* unistd.h defines _POSIX_VERSION */ +# if !defined(OPENSSL_NO_SECURE_MEMORY) && defined(OPENSSL_SYS_UNIX) \ + && ( (defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L) \ + || defined(__sun) || defined(__hpux) || defined(__sgi) \ + || defined(__osf__) ) +# define OPENSSL_SECURE_MEMORY /* secure memory is implemented */ +# endif #endif Index: src/crypto/external/bsd/openssl/dist/apps/ca.c diff -u src/crypto/external/bsd/openssl/dist/apps/ca.c:1.17 src/crypto/external/bsd/openssl/dist/apps/ca.c:1.18 --- src/crypto/external/bsd/openssl/dist/apps/ca.c:1.17 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/apps/ca.c Sat Dec 8 17:35:43 2018 @@ -605,7 +605,7 @@ end_of_options: /* * outdir is a directory spec, but access() for VMS demands a * filename. We could use the DEC C routine to convert the - * directory syntax to Unixly, and give that to app_isdir, + * directory syntax to Unix, and give that to app_isdir, * but for now the fopen will catch the error if it's not a * directory */ @@ -976,7 +976,7 @@ end_of_options: BIO_printf(bio_err, "Write out database with %d new entries\n", sk_X509_num(cert_sk)); - if (!rand_ser + if (serialfile != NULL && !save_serial(serialfile, "new", serial, NULL)) goto end; @@ -1044,7 +1044,8 @@ end_of_options: if (sk_X509_num(cert_sk)) { /* Rename the database and the serial file */ - if (!rotate_serial(serialfile, "new", "old")) + if (serialfile != NULL + && !rotate_serial(serialfile, "new", "old")) goto end; if (!rotate_index(dbfile, "new", "old")) @@ -1177,10 +1178,9 @@ end_of_options: } /* we have a CRL number that need updating */ - if (crlnumberfile != NULL) - if (!rand_ser - && !save_serial(crlnumberfile, "new", crlnumber, NULL)) - goto end; + if (crlnumberfile != NULL + && !save_serial(crlnumberfile, "new", crlnumber, NULL)) + goto end; BN_free(crlnumber); crlnumber = NULL; @@ -1195,9 +1195,10 @@ end_of_options: PEM_write_bio_X509_CRL(Sout, crl); - if (crlnumberfile != NULL) /* Rename the crlnumber file */ - if (!rotate_serial(crlnumberfile, "new", "old")) - goto end; + /* Rename the crlnumber file */ + if (crlnumberfile != NULL + && !rotate_serial(crlnumberfile, "new", "old")) + goto end; } /*****************************************************************/ Index: src/crypto/external/bsd/openssl/dist/apps/s_server.c diff -u src/crypto/external/bsd/openssl/dist/apps/s_server.c:1.17 src/crypto/external/bsd/openssl/dist/apps/s_server.c:1.18 --- src/crypto/external/bsd/openssl/dist/apps/s_server.c:1.17 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/apps/s_server.c Sat Dec 8 17:35:43 2018 @@ -193,9 +193,8 @@ static int psk_find_session_cb(SSL *ssl, if (strlen(psk_identity) != identity_len || memcmp(psk_identity, identity, identity_len) != 0) { - BIO_printf(bio_s_out, - "PSK warning: client identity not what we expected" - " (got '%s' expected '%s')\n", identity, psk_identity); + *sess = NULL; + return 1; } if (psksess != NULL) { @@ -1622,6 +1621,11 @@ int s_server_main(int argc, char *argv[] goto end; } #endif + if (early_data && (www > 0 || rev)) { + BIO_printf(bio_err, + "Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n"); + goto end; + } #ifndef OPENSSL_NO_SCTP if (protocol == IPPROTO_SCTP) { Index: src/crypto/external/bsd/openssl/dist/apps/ocsp.c diff -u src/crypto/external/bsd/openssl/dist/apps/ocsp.c:1.16 src/crypto/external/bsd/openssl/dist/apps/ocsp.c:1.17 --- src/crypto/external/bsd/openssl/dist/apps/ocsp.c:1.16 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/apps/ocsp.c Sat Dec 8 17:35:43 2018 @@ -950,6 +950,7 @@ static void spawn_loop(void) sleep(30); break; case 0: /* child */ + OPENSSL_free(kidpids); signal(SIGINT, SIG_DFL); signal(SIGTERM, SIG_DFL); if (termsig) @@ -976,6 +977,7 @@ static void spawn_loop(void) } /* The loop above can only break on termsig */ + OPENSSL_free(kidpids); syslog(LOG_INFO, "terminating on signal: %d", termsig); killall(0, kidpids); } Index: src/crypto/external/bsd/openssl/dist/apps/openssl.cnf diff -u src/crypto/external/bsd/openssl/dist/apps/openssl.cnf:1.6 src/crypto/external/bsd/openssl/dist/apps/openssl.cnf:1.7 --- src/crypto/external/bsd/openssl/dist/apps/openssl.cnf:1.6 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/apps/openssl.cnf Sat Dec 8 17:35:43 2018 @@ -10,7 +10,6 @@ # This definition stops the following lines choking if HOME isn't # defined. HOME = . -RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid @@ -57,7 +56,6 @@ crlnumber = $dir/crlnumber # the current # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extensions to add to the cert Index: src/crypto/external/bsd/openssl/dist/apps/speed.c diff -u src/crypto/external/bsd/openssl/dist/apps/speed.c:1.15 src/crypto/external/bsd/openssl/dist/apps/speed.c:1.16 --- src/crypto/external/bsd/openssl/dist/apps/speed.c:1.15 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/apps/speed.c Sat Dec 8 17:35:43 2018 @@ -2896,7 +2896,7 @@ int speed_main(int argc, char **argv) if (rsa_count <= 1) { /* if longer than 10s, don't do any more */ - for (testnum++; testnum < EC_NUM; testnum++) + for (testnum++; testnum < ECDSA_NUM; testnum++) ecdsa_doit[testnum] = 0; } } Index: src/crypto/external/bsd/openssl/dist/crypto/cryptlib.c diff -u src/crypto/external/bsd/openssl/dist/crypto/cryptlib.c:1.12 src/crypto/external/bsd/openssl/dist/crypto/cryptlib.c:1.13 --- src/crypto/external/bsd/openssl/dist/crypto/cryptlib.c:1.12 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/cryptlib.c Sat Dec 8 17:35:43 2018 @@ -204,7 +204,7 @@ int OPENSSL_isservice(void) if (_OPENSSL_isservice.p == NULL) { HANDLE mod = GetModuleHandle(NULL); - FARPROC f; + FARPROC f = NULL; if (mod != NULL) f = GetProcAddress(mod, "_OPENSSL_isservice"); Index: src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c diff -u src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c:1.5 src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c:1.6 --- src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c:1.5 Sun Sep 23 09:32:55 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c Sat Dec 8 17:35:43 2018 @@ -52,7 +52,7 @@ static long bio_call_callback(BIO *b, in argi = (int)len; } - if (inret && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) { + if (inret > 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) { if (*processed > INT_MAX) return -1; inret = *processed; @@ -60,7 +60,7 @@ static long bio_call_callback(BIO *b, in ret = b->callback(b, oper, argp, argi, argl, inret); - if (ret >= 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) { + if (ret > 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) { *processed = (size_t)ret; ret = 1; } Index: src/crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c diff -u src/crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c:1.9 src/crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c:1.10 --- src/crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c:1.9 Sun Sep 23 09:32:56 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c Sat Dec 8 17:35:43 2018 @@ -408,4 +408,9 @@ static void xcloselog(BIO *bp) # endif /* Unix */ +#else /* NO_SYSLOG */ +const BIO_METHOD *BIO_s_log(void) +{ + return NULL; +} #endif /* NO_SYSLOG */ Index: src/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c diff -u src/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c:1.17 src/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c:1.18 --- src/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c:1.17 Sun Sep 23 09:32:56 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c Sat Dec 8 17:35:43 2018 @@ -1081,7 +1081,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr * is not only slower but also makes each bit vulnerable to * EM (and likely other) side-channel attacks like One&Done * (for details see "One&Done: A Single-Decryption EM-Based - * Attack on OpenSSL’s Constant-Time Blinded RSA" by M. Alam, + * Attack on OpenSSL's Constant-Time Blinded RSA" by M. Alam, * H. Khan, M. Dey, N. Sinha, R. Callan, A. Zajic, and * M. Prvulovic, in USENIX Security'18) */ Index: src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c diff -u src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c:1.9 src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c:1.10 --- src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c:1.9 Sun Sep 23 09:32:56 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c Sat Dec 8 17:35:43 2018 @@ -767,26 +767,30 @@ void BN_consttime_swap(BN_ULONG conditio b->neg ^= t; /*- - * Idea behind BN_FLG_STATIC_DATA is actually to - * indicate that data may not be written to. - * Intention is actually to treat it as it's - * read-only data, and some (if not most) of it does - * reside in read-only segment. In other words - * observation of BN_FLG_STATIC_DATA in - * BN_consttime_swap should be treated as fatal - * condition. It would either cause SEGV or - * effectively cause data corruption. - * BN_FLG_MALLOCED refers to BN structure itself, - * and hence must be preserved. Remaining flags are - * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be - * preserved, because it determines how x->d was - * allocated and hence how to free it. This leaves - * BN_FLG_CONSTTIME that one can do something about. - * To summarize it's sufficient to mask and swap - * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should - * be treated as fatal. + * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention + * is actually to treat it as it's read-only data, and some (if not most) + * of it does reside in read-only segment. In other words observation of + * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or effectively cause data + * corruption. + * + * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be + * preserved. + * + * BN_FLG_SECURE: must be preserved, because it determines how x->d was + * allocated and hence how to free it. + * + * BN_FLG_CONSTTIME: sufficient to mask and swap + * + * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on + * the data, so the d array may be padded with additional 0 values (i.e. + * top could be greater than the minimal value that it could be). We should + * be swapping it */ - t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; + +#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) + + t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; a->flags ^= t; b->flags ^= t; Index: src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c diff -u src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c:1.9 src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c:1.10 --- src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c:1.9 Sun Sep 23 09:32:56 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c Sat Dec 8 17:35:43 2018 @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -64,12 +64,6 @@ * machine. */ -# if defined(_WIN64) || !defined(__LP64__) -# define BN_ULONG unsigned long long -# else -# define BN_ULONG unsigned long -# endif - # undef mul # undef mul_add Index: src/crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c diff -u src/crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c:1.7 src/crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c:1.8 --- src/crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c:1.7 Sun Sep 23 09:32:57 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c Sat Dec 8 17:35:43 2018 @@ -699,7 +699,7 @@ static int ecdh_cms_set_kdf_param(EVP_PK if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0) return 0; - if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_62) <= 0) + if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0) return 0; kdf_md = EVP_get_digestbynid(kdfmd_nid); @@ -864,7 +864,7 @@ static int ecdh_cms_encrypt(CMS_Recipien ecdh_nid = NID_dh_cofactor_kdf; if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) { - kdf_type = EVP_PKEY_ECDH_KDF_X9_62; + kdf_type = EVP_PKEY_ECDH_KDF_X9_63; if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0) goto err; } else Index: src/crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c diff -u src/crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c:1.2 src/crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c:1.3 --- src/crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c:1.2 Sat Dec 8 12:07:27 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c Sat Dec 8 17:35:43 2018 @@ -28,6 +28,13 @@ # define CHECK_BSD_STYLE_MACROS #endif +/* + * ONE global file descriptor for all sessions. This allows operations + * such as digest session data copying (see digest_copy()), but is also + * saner... why re-open /dev/crypto for every session? + */ +static int cfd; + /****************************************************************************** * * Ciphers @@ -39,7 +46,6 @@ *****/ struct cipher_ctx { - int cfd; struct session_op sess; /* to pass from init to do_cipher */ @@ -69,7 +75,7 @@ static const struct cipher_data_st { { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, #ifndef OPENSSL_NO_RC4 - { NID_rc4, 1, 16, 0, CRYPTO_ARC4 }, + { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 }, #endif #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR) { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, @@ -135,19 +141,13 @@ static int cipher_init(EVP_CIPHER_CTX *c const struct cipher_data_st *cipher_d = get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); - if ((cipher_ctx->cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { - SYSerr(SYS_F_OPEN, errno); - return 0; - } - memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess)); cipher_ctx->sess.cipher = cipher_d->devcryptoid; cipher_ctx->sess.keylen = cipher_d->keylen; cipher_ctx->sess.key = (void *)key; cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; - if (ioctl(cipher_ctx->cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { + if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { SYSerr(SYS_F_IOCTL, errno); - close(cipher_ctx->cfd); return 0; } @@ -187,7 +187,7 @@ static int cipher_do_cipher(EVP_CIPHER_C cryp.flags = COP_FLAG_WRITE_IV; #endif - if (ioctl(cipher_ctx->cfd, CIOCCRYPT, &cryp) < 0) { + if (ioctl(cfd, CIOCCRYPT, &cryp) < 0) { SYSerr(SYS_F_IOCTL, errno); return 0; } @@ -213,14 +213,10 @@ static int cipher_cleanup(EVP_CIPHER_CTX struct cipher_ctx *cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); - if (ioctl(cipher_ctx->cfd, CIOCFSESSION, &cipher_ctx->sess) < 0) { + if (ioctl(cfd, CIOCFSESSION, &cipher_ctx->sess.ses) < 0) { SYSerr(SYS_F_IOCTL, errno); return 0; } - if (close(cipher_ctx->cfd) < 0) { - SYSerr(SYS_F_CLOSE, errno); - return 0; - } return 1; } @@ -234,14 +230,10 @@ static int known_cipher_nids[OSSL_NELEM( static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; -static void prepare_cipher_methods() +static void prepare_cipher_methods(void) { size_t i; struct session_op sess; - int cfd; - - if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) - return; memset(&sess, 0, sizeof(sess)); sess.key = (void *)"01234567890123456789012345678901234567890123456789"; @@ -256,7 +248,7 @@ static void prepare_cipher_methods() sess.cipher = cipher_data[i].devcryptoid; sess.keylen = cipher_data[i].keylen; if (ioctl(cfd, CIOCGSESSION, &sess) < 0 - || ioctl(cfd, CIOCFSESSION, &sess) < 0) + || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) continue; if ((known_cipher_methods[i] = @@ -282,8 +274,6 @@ static void prepare_cipher_methods() cipher_data[i].nid; } } - - close(cfd); } static const EVP_CIPHER *get_cipher_method(int nid) @@ -309,7 +299,7 @@ static void destroy_cipher_method(int ni known_cipher_methods[i] = NULL; } -static void destroy_all_cipher_methods() +static void destroy_all_cipher_methods(void) { size_t i; @@ -330,11 +320,12 @@ static int devcrypto_ciphers(ENGINE *e, /* * We only support digests if the cryptodev implementation supports multiple - * data updates. Otherwise, we would be forced to maintain a cache, which is - * perilous if there's a lot of data coming in (if someone wants to checksum - * an OpenSSL tarball, for example). + * data updates and session copying. Otherwise, we would be forced to maintain + * a cache, which is perilous if there's a lot of data coming in (if someone + * wants to checksum an OpenSSL tarball, for example). */ -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#if defined(CIOCCPHASH) && defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#define IMPLEMENT_DIGEST /****************************************************************************** * @@ -347,7 +338,6 @@ static int devcrypto_ciphers(ENGINE *e, *****/ struct digest_ctx { - int cfd; struct session_op sess; int init; }; @@ -414,19 +404,12 @@ static int digest_init(EVP_MD_CTX *ctx) const struct digest_data_st *digest_d = get_digest_data(EVP_MD_CTX_type(ctx)); - if (digest_ctx->init == 0 - && (digest_ctx->cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { - SYSerr(SYS_F_OPEN, errno); - return 0; - } - digest_ctx->init = 1; memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess)); digest_ctx->sess.mac = digest_d->devcryptoid; - if (ioctl(digest_ctx->cfd, CIOCGSESSION, &digest_ctx->sess) < 0) { + if (ioctl(cfd, CIOCGSESSION, &digest_ctx->sess) < 0) { SYSerr(SYS_F_IOCTL, errno); - close(digest_ctx->cfd); return 0; } @@ -445,7 +428,7 @@ static int digest_op(struct digest_ctx * cryp.dst = NULL; cryp.mac = res; cryp.flags = flags; - return ioctl(ctx->cfd, CIOCCRYPT, &cryp); + return ioctl(cfd, CIOCCRYPT, &cryp); } static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) @@ -473,7 +456,7 @@ static int digest_final(EVP_MD_CTX *ctx, SYSerr(SYS_F_IOCTL, errno); return 0; } - if (ioctl(digest_ctx->cfd, CIOCFSESSION, &digest_ctx->sess) < 0) { + if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { SYSerr(SYS_F_IOCTL, errno); return 0; } @@ -481,16 +464,38 @@ static int digest_final(EVP_MD_CTX *ctx, return 1; } -static int digest_cleanup(EVP_MD_CTX *ctx) +static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) { - struct digest_ctx *digest_ctx = - (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); + struct digest_ctx *digest_from = + (struct digest_ctx *)EVP_MD_CTX_md_data(from); + struct digest_ctx *digest_to = + (struct digest_ctx *)EVP_MD_CTX_md_data(to); + struct cphash_op cphash; + + if (digest_from == NULL) + return 1; - if (close(digest_ctx->cfd) < 0) { - SYSerr(SYS_F_CLOSE, errno); + if (digest_from->init != 1) { + SYSerr(SYS_F_IOCTL, EINVAL); return 0; } + if (!digest_init(to)) { + SYSerr(SYS_F_IOCTL, errno); + return 0; + } + + cphash.src_ses = digest_from->sess.ses; + cphash.dst_ses = digest_to->sess.ses; + if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { + SYSerr(SYS_F_IOCTL, errno); + return 0; + } + return 1; +} + +static int digest_cleanup(EVP_MD_CTX *ctx) +{ return 1; } @@ -503,14 +508,10 @@ static int known_digest_nids[OSSL_NELEM( static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; -static void prepare_digest_methods() +static void prepare_digest_methods(void) { size_t i; struct session_op sess; - int cfd; - - if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) - return; memset(&sess, 0, sizeof(sess)); @@ -523,7 +524,7 @@ static void prepare_digest_methods() */ sess.mac = digest_data[i].devcryptoid; if (ioctl(cfd, CIOCGSESSION, &sess) < 0 - || ioctl(cfd, CIOCFSESSION, &sess) < 0) + || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) continue; if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, @@ -533,6 +534,7 @@ static void prepare_digest_methods() || !EVP_MD_meth_set_init(known_digest_methods[i], digest_init) || !EVP_MD_meth_set_update(known_digest_methods[i], digest_update) || !EVP_MD_meth_set_final(known_digest_methods[i], digest_final) + || !EVP_MD_meth_set_copy(known_digest_methods[i], digest_copy) || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], sizeof(struct digest_ctx))) { @@ -542,8 +544,6 @@ static void prepare_digest_methods() known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; } } - - close(cfd); } static const EVP_MD *get_digest_method(int nid) @@ -569,7 +569,7 @@ static void destroy_digest_method(int ni known_digest_methods[i] = NULL; } -static void destroy_all_digest_methods() +static void destroy_all_digest_methods(void) { size_t i; @@ -599,9 +599,12 @@ static int devcrypto_digests(ENGINE *e, static int devcrypto_unload(ENGINE *e) { destroy_all_cipher_methods(); -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#ifdef IMPLEMENT_DIGEST destroy_all_digest_methods(); #endif + + close(cfd); + return 1; } /* @@ -612,23 +615,30 @@ void engine_load_devcrypto_int() { ENGINE *e = NULL; - if (access("/dev/crypto", R_OK | W_OK) < 0) { - fprintf(stderr, - "/dev/crypto not present, not enabling devcrypto engine\n"); + if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { + fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno)); return; } prepare_cipher_methods(); -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#ifdef IMPLEMENT_DIGEST prepare_digest_methods(); #endif - if ((e = ENGINE_new()) == NULL) + if ((e = ENGINE_new()) == NULL + || !ENGINE_set_destroy_function(e, devcrypto_unload)) { + ENGINE_free(e); + /* + * We know that devcrypto_unload() won't be called when one of the + * above two calls have failed, so we close cfd explicitly here to + * avoid leaking resources. + */ + close(cfd); return; + } if (!ENGINE_set_id(e, "devcrypto") || !ENGINE_set_name(e, "/dev/crypto engine") - || !ENGINE_set_destroy_function(e, devcrypto_unload) /* * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD @@ -665,7 +675,7 @@ void engine_load_devcrypto_int() # endif #endif || !ENGINE_set_ciphers(e, devcrypto_ciphers) -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#ifdef IMPLEMENT_DIGEST || !ENGINE_set_digests(e, devcrypto_digests) #endif ) { Index: src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c diff -u src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.16 src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.17 --- src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.16 Sun Sep 23 09:32:57 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c Sat Dec 8 17:35:43 2018 @@ -2241,7 +2241,7 @@ static int s390x_aes_ccm_cipher(EVP_CIPH if (!cctx->aes.ccm.len_set) { /*- - * In case message length was not previously set explicitely via + * In case message length was not previously set explicitly via * Update(), set it now. */ ivec = EVP_CIPHER_CTX_iv_noconst(ctx); Index: src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c diff -u src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c:1.9 src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c:1.10 --- src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c:1.9 Sun Sep 23 09:32:58 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c Sat Dec 8 17:35:43 2018 @@ -77,6 +77,17 @@ static uint64_t get_timer_bits(void); # endif #endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */ +#if defined(OPENSSL_RAND_SEED_NONE) +/* none means none. this simplifies the following logic */ +# undef OPENSSL_RAND_SEED_OS +# undef OPENSSL_RAND_SEED_GETRANDOM +# undef OPENSSL_RAND_SEED_LIBRANDOM +# undef OPENSSL_RAND_SEED_DEVRANDOM +# undef OPENSSL_RAND_SEED_RDTSC +# undef OPENSSL_RAND_SEED_RDCPU +# undef OPENSSL_RAND_SEED_EGD +#endif + #if (defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)) && \ !defined(OPENSSL_RAND_SEED_NONE) # error "UEFI and VXWorks only support seeding NONE" @@ -86,8 +97,6 @@ static uint64_t get_timer_bits(void); || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \ || defined(OPENSSL_SYS_UEFI)) -static ssize_t syscall_random(void *buf, size_t buflen); - # if defined(OPENSSL_SYS_VOS) # ifndef OPENSSL_RAND_SEED_OS @@ -244,6 +253,7 @@ static ssize_t sysctl_random(char *buf, } # endif +# if defined(OPENSSL_RAND_SEED_GETRANDOM) /* * syscall_random(): Try to get random data using a system call * returns the number of bytes returned in buf, or < 0 on error. @@ -254,7 +264,7 @@ static ssize_t syscall_random(void *buf, * Note: 'buflen' equals the size of the buffer which is used by the * get_entropy() callback of the RAND_DRBG. It is roughly bounded by * - * 2 * DRBG_MINMAX_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^13 + * 2 * RAND_POOL_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^14 * * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion * between size_t and ssize_t is safe even without a range check. @@ -302,8 +312,9 @@ static ssize_t syscall_random(void *buf, return -1; # endif } +# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */ -#if !defined(OPENSSL_RAND_SEED_NONE) && defined(OPENSSL_RAND_SEED_DEVRANDOM) +# if defined(OPENSSL_RAND_SEED_DEVRANDOM) static const char *random_device_paths[] = { DEVRANDOM }; static struct random_device { int fd; @@ -375,21 +386,13 @@ static void close_random_device(size_t n rd->fd = -1; } -static void open_random_devices(void) -{ - size_t i; - - for (i = 0; i < OSSL_NELEM(random_devices); i++) - (void)get_random_device(i); -} - int rand_pool_init(void) { size_t i; for (i = 0; i < OSSL_NELEM(random_devices); i++) random_devices[i].fd = -1; - open_random_devices(); + return 1; } @@ -403,16 +406,13 @@ void rand_pool_cleanup(void) void rand_pool_keep_random_devices_open(int keep) { - if (keep) - open_random_devices(); - else + if (!keep) rand_pool_cleanup(); + keep_random_devices_open = keep; } -# else /* defined(OPENSSL_RAND_SEED_NONE) - * || !defined(OPENSSL_RAND_SEED_DEVRANDOM) - */ +# else /* !defined(OPENSSL_RAND_SEED_DEVRANDOM) */ int rand_pool_init(void) { @@ -427,9 +427,7 @@ void rand_pool_keep_random_devices_open( { } -# endif /* !defined(OPENSSL_RAND_SEED_NONE) - * && defined(OPENSSL_RAND_SEED_DEVRANDOM) - */ +# endif /* defined(OPENSSL_RAND_SEED_DEVRANDOM) */ /* * Try the various seeding methods in turn, exit when successful. @@ -450,14 +448,14 @@ void rand_pool_keep_random_devices_open( */ size_t rand_pool_acquire_entropy(RAND_POOL *pool) { -# ifdef OPENSSL_RAND_SEED_NONE +# if defined(OPENSSL_RAND_SEED_NONE) return rand_pool_entropy_available(pool); # else size_t bytes_needed; size_t entropy_available = 0; unsigned char *buffer; -# ifdef OPENSSL_RAND_SEED_GETRANDOM +# if defined(OPENSSL_RAND_SEED_GETRANDOM) { ssize_t bytes; /* Maximum allowed number of consecutive unsuccessful attempts */ @@ -487,7 +485,7 @@ size_t rand_pool_acquire_entropy(RAND_PO } # endif -# ifdef OPENSSL_RAND_SEED_DEVRANDOM +# if defined(OPENSSL_RAND_SEED_DEVRANDOM) bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); { size_t i; @@ -524,19 +522,19 @@ size_t rand_pool_acquire_entropy(RAND_PO } # endif -# ifdef OPENSSL_RAND_SEED_RDTSC +# if defined(OPENSSL_RAND_SEED_RDTSC) entropy_available = rand_acquire_entropy_from_tsc(pool); if (entropy_available > 0) return entropy_available; # endif -# ifdef OPENSSL_RAND_SEED_RDCPU +# if defined(OPENSSL_RAND_SEED_RDCPU) entropy_available = rand_acquire_entropy_from_cpu(pool); if (entropy_available > 0) return entropy_available; # endif -# ifdef OPENSSL_RAND_SEED_EGD +# if defined(OPENSSL_RAND_SEED_EGD) bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); if (bytes_needed > 0) { static const char *paths[] = { DEVRANDOM_EGD, NULL }; @@ -577,7 +575,7 @@ int rand_pool_add_nonce_data(RAND_POOL * /* * Add process id, thread id, and a high resolution timestamp to - * ensure that the nonce is unique whith high probability for + * ensure that the nonce is unique with high probability for * different process instances. */ data.pid = getpid(); Index: src/crypto/external/bsd/openssl/dist/crypto/rand/randfile.c diff -u src/crypto/external/bsd/openssl/dist/crypto/rand/randfile.c:1.10 src/crypto/external/bsd/openssl/dist/crypto/rand/randfile.c:1.11 --- src/crypto/external/bsd/openssl/dist/crypto/rand/randfile.c:1.10 Sun Sep 23 09:32:58 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/rand/randfile.c Sat Dec 8 17:35:43 2018 @@ -16,6 +16,7 @@ #include <openssl/crypto.h> #include <openssl/rand.h> +#include <openssl/rand_drbg.h> #include <openssl/buffer.h> #ifdef OPENSSL_SYS_VMS @@ -48,7 +49,7 @@ # define S_ISREG(m) ((m) & S_IFREG) # endif -#define RAND_FILE_SIZE 1024 +#define RAND_BUF_SIZE 1024 #define RFILE ".rnd" #ifdef OPENSSL_SYS_VMS @@ -74,7 +75,16 @@ static __FILE_ptr32 (*const vms_fopen)(c */ int RAND_load_file(const char *file, long bytes) { - unsigned char buf[RAND_FILE_SIZE]; + /* + * The load buffer size exceeds the chunk size by the comfortable amount + * of 'RAND_DRBG_STRENGTH' bytes (not bits!). This is done on purpose + * to avoid calling RAND_add() with a small final chunk. Instead, such + * a small final chunk will be added together with the previous chunk + * (unless it's the only one). + */ +#define RAND_LOAD_BUF_SIZE (RAND_BUF_SIZE + RAND_DRBG_STRENGTH) + unsigned char buf[RAND_LOAD_BUF_SIZE]; + #ifndef OPENSSL_NO_POSIX_IO struct stat sb; #endif @@ -98,8 +108,12 @@ int RAND_load_file(const char *file, lon return -1; } - if (!S_ISREG(sb.st_mode) && bytes < 0) - bytes = 256; + if (bytes < 0) { + if (S_ISREG(sb.st_mode)) + bytes = sb.st_size; + else + bytes = RAND_DRBG_STRENGTH; + } #endif /* * On VMS, setbuf() will only take 32-bit pointers, and a compilation @@ -124,9 +138,9 @@ int RAND_load_file(const char *file, lon for ( ; ; ) { if (bytes > 0) - n = (bytes < RAND_FILE_SIZE) ? (int)bytes : RAND_FILE_SIZE; + n = (bytes <= RAND_LOAD_BUF_SIZE) ? (int)bytes : RAND_BUF_SIZE; else - n = RAND_FILE_SIZE; + n = RAND_LOAD_BUF_SIZE; i = fread(buf, 1, n, in); #ifdef EINTR if (ferror(in) && errno == EINTR){ @@ -148,12 +162,18 @@ int RAND_load_file(const char *file, lon OPENSSL_cleanse(buf, sizeof(buf)); fclose(in); + if (!RAND_status()) { + RANDerr(RAND_F_RAND_LOAD_FILE, RAND_R_RESEED_ERROR); + ERR_add_error_data(2, "Filename=", file); + return -1; + } + return ret; } int RAND_write_file(const char *file) { - unsigned char buf[RAND_FILE_SIZE]; + unsigned char buf[RAND_BUF_SIZE]; int ret = -1; FILE *out = NULL; #ifndef OPENSSL_NO_POSIX_IO @@ -222,9 +242,9 @@ int RAND_write_file(const char *file) chmod(file, 0600); #endif - ret = fwrite(buf, 1, RAND_FILE_SIZE, out); + ret = fwrite(buf, 1, RAND_BUF_SIZE, out); fclose(out); - OPENSSL_cleanse(buf, RAND_FILE_SIZE); + OPENSSL_cleanse(buf, RAND_BUF_SIZE); return ret; } @@ -262,11 +282,9 @@ const char *RAND_file_name(char *buf, si } } #else - if (OPENSSL_issetugid() != 0) { - use_randfile = 0; - } else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') { + if ((s = ossl_safe_getenv("RANDFILE")) == NULL || *s == '\0') { use_randfile = 0; - s = getenv("HOME"); + s = ossl_safe_getenv("HOME"); } #endif Index: src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_lib.c diff -u src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_lib.c:1.4 src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_lib.c:1.5 --- src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_lib.c:1.4 Sun Sep 23 09:32:58 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_lib.c Sat Dec 8 17:35:44 2018 @@ -125,8 +125,8 @@ void RSA_free(RSA *r) CRYPTO_THREAD_lock_free(r->lock); - BN_clear_free(r->n); - BN_clear_free(r->e); + BN_free(r->n); + BN_free(r->e); BN_clear_free(r->d); BN_clear_free(r->p); BN_clear_free(r->q); @@ -196,7 +196,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGN r->e = e; } if (d != NULL) { - BN_free(r->d); + BN_clear_free(r->d); r->d = d; } @@ -213,11 +213,11 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, return 0; if (p != NULL) { - BN_free(r->p); + BN_clear_free(r->p); r->p = p; } if (q != NULL) { - BN_free(r->q); + BN_clear_free(r->q); r->q = q; } @@ -235,15 +235,15 @@ int RSA_set0_crt_params(RSA *r, BIGNUM * return 0; if (dmp1 != NULL) { - BN_free(r->dmp1); + BN_clear_free(r->dmp1); r->dmp1 = dmp1; } if (dmq1 != NULL) { - BN_free(r->dmq1); + BN_clear_free(r->dmq1); r->dmq1 = dmq1; } if (iqmp != NULL) { - BN_free(r->iqmp); + BN_clear_free(r->iqmp); r->iqmp = iqmp; } Index: src/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c diff -u src/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c:1.12 src/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c:1.13 --- src/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c:1.12 Sun Sep 23 09:32:59 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c Sat Dec 8 17:35:44 2018 @@ -415,6 +415,24 @@ static int open_console(UI *ui) is_a_tty = 0; else # endif +# ifdef ENXIO + /* + * Solaris can return ENXIO. + * This should be ok + */ + if (errno == ENXIO) + is_a_tty = 0; + else +# endif +# ifdef EIO + /* + * Linux can return EIO. + * This should be ok + */ + if (errno == EIO) + is_a_tty = 0; + else +# endif # ifdef ENODEV /* * MacOS X returns ENODEV (Operation not supported by device), Index: src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c diff -u src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.14 src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.15 --- src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.14 Sun Sep 23 09:32:59 2018 +++ src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c Sat Dec 8 17:35:44 2018 @@ -517,15 +517,14 @@ static int check_chain_extensions(X509_S /* check_purpose() makes the callback as needed */ if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca)) return 0; - /* Check pathlen if not self issued */ - if ((i > 1) && !(x->ex_flags & EXFLAG_SI) - && (x->ex_pathlen != -1) - && (plen > (x->ex_pathlen + proxy_path_length + 1))) { + /* Check pathlen */ + if ((i > 1) && (x->ex_pathlen != -1) + && (plen > (x->ex_pathlen + proxy_path_length))) { if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED)) return 0; } - /* Increment path length if not self issued */ - if (!(x->ex_flags & EXFLAG_SI)) + /* Increment path length if not a self issued intermediate CA */ + if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0) plen++; /* * If this certificate is a proxy certificate, the next certificate Index: src/crypto/external/bsd/openssl/dist/include/internal/tsan_assist.h diff -u src/crypto/external/bsd/openssl/dist/include/internal/tsan_assist.h:1.2 src/crypto/external/bsd/openssl/dist/include/internal/tsan_assist.h:1.3 --- src/crypto/external/bsd/openssl/dist/include/internal/tsan_assist.h:1.2 Sun Sep 23 09:33:02 2018 +++ src/crypto/external/bsd/openssl/dist/include/internal/tsan_assist.h Sat Dec 8 17:35:44 2018 @@ -57,6 +57,7 @@ # define tsan_load(ptr) atomic_load_explicit((ptr), memory_order_relaxed) # define tsan_store(ptr, val) atomic_store_explicit((ptr), (val), memory_order_relaxed) # define tsan_counter(ptr) atomic_fetch_add_explicit((ptr), 1, memory_order_relaxed) +# define tsan_decr(ptr) atomic_fetch_add_explicit((ptr), -1, memory_order_relaxed) # define tsan_ld_acq(ptr) atomic_load_explicit((ptr), memory_order_acquire) # define tsan_st_rel(ptr, val) atomic_store_explicit((ptr), (val), memory_order_release) # endif @@ -69,6 +70,7 @@ # define tsan_load(ptr) __atomic_load_n((ptr), __ATOMIC_RELAXED) # define tsan_store(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELAXED) # define tsan_counter(ptr) __atomic_fetch_add((ptr), 1, __ATOMIC_RELAXED) +# define tsan_decr(ptr) __atomic_fetch_add((ptr), -1, __ATOMIC_RELAXED) # define tsan_ld_acq(ptr) __atomic_load_n((ptr), __ATOMIC_ACQUIRE) # define tsan_st_rel(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELEASE) # endif @@ -113,8 +115,11 @@ # pragma intrinsic(_InterlockedExchangeAdd64) # define tsan_counter(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), 1) \ : _InterlockedExchangeAdd((ptr), 1)) +# define tsan_decr(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), -1) \ + : _InterlockedExchangeAdd((ptr), -1)) # else # define tsan_counter(ptr) _InterlockedExchangeAdd((ptr), 1) +# define tsan_decr(ptr) _InterlockedExchangeAdd((ptr), -1) # endif # if !defined(_ISO_VOLATILE) # define tsan_ld_acq(ptr) (*(ptr)) @@ -129,6 +134,7 @@ # define tsan_load(ptr) (*(ptr)) # define tsan_store(ptr, val) (*(ptr) = (val)) # define tsan_counter(ptr) ((*(ptr))++) +# define tsan_decr(ptr) ((*(ptr))--) /* * Lack of tsan_ld_acq and tsan_ld_rel means that compiler support is not * sophisticated enough to support them. Code that relies on them should be Index: src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c diff -u src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c:1.8 src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c:1.9 --- src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c:1.8 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c Sat Dec 8 17:35:44 2018 @@ -1,5 +1,5 @@ /* - * Copyright 2005-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -445,15 +445,14 @@ static void get_current_time(struct time #ifndef OPENSSL_NO_SOCK int DTLSv1_listen(SSL *s, BIO_ADDR *client) { - int next, n, ret = 0, clearpkt = 0; + int next, n, ret = 0; unsigned char cookie[DTLS1_COOKIE_LENGTH]; unsigned char seq[SEQ_NUM_SIZE]; const unsigned char *data; - unsigned char *buf; - size_t fragoff, fraglen, msglen; + unsigned char *buf, *wbuf; + size_t fragoff, fraglen, msglen, reclen, align = 0; unsigned int rectype, versmajor, msgseq, msgtype, clientvers, cookielen; BIO *rbio, *wbio; - BUF_MEM *bufm; BIO_ADDR *tmpclient = NULL; PACKET pkt, msgpkt, msgpayload, session, cookiepkt; @@ -477,13 +476,6 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *clie } /* - * We only peek at incoming ClientHello's until we're sure we are going to - * to respond with a HelloVerifyRequest. If its a ClientHello with a valid - * cookie then we leave it in the BIO for accept to handle. - */ - BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 1, NULL); - - /* * Note: This check deliberately excludes DTLS1_BAD_VER because that version * requires the MAC to be calculated *including* the first ClientHello * (without the cookie). Since DTLSv1_listen is stateless that cannot be @@ -495,35 +487,32 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *clie return -1; } - if (s->init_buf == NULL) { - if ((bufm = BUF_MEM_new()) == NULL) { - SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_MALLOC_FAILURE); - return -1; - } - - if (!BUF_MEM_grow(bufm, SSL3_RT_MAX_PLAIN_LENGTH)) { - BUF_MEM_free(bufm); - SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_MALLOC_FAILURE); - return -1; - } - s->init_buf = bufm; + if (!ssl3_setup_buffers(s)) { + /* SSLerr already called */ + return -1; } - buf = (unsigned char *)s->init_buf->data; + buf = RECORD_LAYER_get_rbuf(&s->rlayer)->buf; + wbuf = RECORD_LAYER_get_wbuf(&s->rlayer)[0].buf; +#if defined(SSL3_ALIGN_PAYLOAD) +# if SSL3_ALIGN_PAYLOAD != 0 + /* + * Using SSL3_RT_HEADER_LENGTH here instead of DTLS1_RT_HEADER_LENGTH for + * consistency with ssl3_read_n. In practice it should make no difference + * for sensible values of SSL3_ALIGN_PAYLOAD because the difference between + * SSL3_RT_HEADER_LENGTH and DTLS1_RT_HEADER_LENGTH is exactly 8 + */ + align = (size_t)buf + SSL3_RT_HEADER_LENGTH; + align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD); +# endif +#endif + buf += align; do { /* Get a packet */ clear_sys_error(); - /* - * Technically a ClientHello could be SSL3_RT_MAX_PLAIN_LENGTH - * + DTLS1_RT_HEADER_LENGTH bytes long. Normally init_buf does not store - * the record header as well, but we do here. We've set up init_buf to - * be the standard size for simplicity. In practice we shouldn't ever - * receive a ClientHello as long as this. If we do it will get dropped - * in the record length check below. - */ - n = BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH); - + n = BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH + + DTLS1_RT_HEADER_LENGTH); if (n <= 0) { if (BIO_should_retry(rbio)) { /* Non-blocking IO */ @@ -532,9 +521,6 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *clie return -1; } - /* If we hit any problems we need to clear this packet from the BIO */ - clearpkt = 1; - if (!PACKET_buf_init(&pkt, buf, n)) { SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_INTERNAL_ERROR); return -1; @@ -587,6 +573,7 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *clie SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH); goto end; } + reclen = PACKET_remaining(&msgpkt); /* * We allow data remaining at the end of the packet because there could * be a second record (but we ignore it) @@ -706,14 +693,6 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *clie * to resend, we just drop it. */ - /* - * Dump the read packet, we don't need it any more. Ignore return - * value - */ - BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 0, NULL); - BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH); - BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 1, NULL); - /* Generate the cookie */ if (s->ctx->app_gen_cookie_cb == NULL || s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 || @@ -732,7 +711,11 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *clie : s->version; /* Construct the record and message headers */ - if (!WPACKET_init(&wpkt, s->init_buf) + if (!WPACKET_init_static_len(&wpkt, + wbuf, + ssl_get_max_send_fragment(s) + + DTLS1_RT_HEADER_LENGTH, + 0) || !WPACKET_put_bytes_u8(&wpkt, SSL3_RT_HANDSHAKE) || !WPACKET_put_bytes_u16(&wpkt, version) /* @@ -790,8 +773,8 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *clie * plus one byte for the message content type. The source is the * last 3 bytes of the message header */ - memcpy(&buf[DTLS1_RT_HEADER_LENGTH + 1], - &buf[DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH - 3], + memcpy(&wbuf[DTLS1_RT_HEADER_LENGTH + 1], + &wbuf[DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH - 3], 3); if (s->msg_callback) @@ -815,7 +798,7 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *clie tmpclient = NULL; /* TODO(size_t): convert this call */ - if (BIO_write(wbio, buf, wreclen) < (int)wreclen) { + if (BIO_write(wbio, wbuf, wreclen) < (int)wreclen) { if (BIO_should_retry(wbio)) { /* * Non-blocking IO...but we're stateless, so we're just @@ -865,15 +848,13 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *clie if (BIO_dgram_get_peer(rbio, client) <= 0) BIO_ADDR_clear(client); + /* Buffer the record in the processed_rcds queue */ + if (!dtls_buffer_listen_record(s, reclen, seq, align)) + return -1; + ret = 1; - clearpkt = 0; end: BIO_ADDR_free(tmpclient); - BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 0, NULL); - if (clearpkt) { - /* Dump this packet. Ignore return value */ - BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH); - } return ret; } #endif Index: src/crypto/external/bsd/openssl/dist/ssl/s3_cbc.c diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_cbc.c:1.8 src/crypto/external/bsd/openssl/dist/ssl/s3_cbc.c:1.9 --- src/crypto/external/bsd/openssl/dist/ssl/s3_cbc.c:1.8 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/ssl/s3_cbc.c Sat Dec 8 17:35:44 2018 @@ -1,5 +1,5 @@ /* - * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -256,12 +256,13 @@ int ssl3_cbc_digest_record(const EVP_MD_ * of hash termination (0x80 + 64-bit length) don't fit in the final * block, we say that the final two blocks can vary based on the padding. * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not - * required to be minimal. Therefore we say that the final six blocks can + * required to be minimal. Therefore we say that the final |variance_blocks| + * blocks can * vary based on the padding. Later in the function, if the message is * short and there obviously cannot be this many blocks then * variance_blocks can be reduced. */ - variance_blocks = is_sslv3 ? 2 : 6; + variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1); /* * From now on we're dealing with the MAC, which conceptually has 13 * bytes of `header' before the start of the data (TLS) or 71/75 bytes Index: src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c:1.13 src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c:1.14 --- src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c:1.13 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c Sat Dec 8 17:35:44 2018 @@ -442,15 +442,16 @@ size_t ssl3_final_finish_mac(SSL *s, con if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); - return 0; + ret = 0; + goto err; } ret = EVP_MD_CTX_size(ctx); if (ret < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); - EVP_MD_CTX_reset(ctx); - return 0; + ret = 0; + goto err; } if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0) @@ -463,6 +464,7 @@ size_t ssl3_final_finish_mac(SSL *s, con ret = 0; } + err: EVP_MD_CTX_free(ctx); return ret; Index: src/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c:1.13 src/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c:1.14 --- src/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c:1.13 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c Sat Dec 8 17:35:44 2018 @@ -654,6 +654,10 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx ctx->method = meth; + if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) { + SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + return 0; + } sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites, &(ctx->cipher_list), @@ -1192,6 +1196,7 @@ void SSL_free(SSL *s) EVP_MD_CTX_free(s->pha_dgst); sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free); sk_X509_pop_free(s->verified_chain, X509_free); @@ -2951,6 +2956,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) goto err; + if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL) + goto err; + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) goto err; @@ -3108,6 +3116,7 @@ void SSL_CTX_free(SSL_CTX *a) sk_SSL_CIPHER_free(a->tls13_ciphersuites); ssl_cert_free(a->cert); sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free); sk_X509_pop_free(a->extra_certs, X509_free); a->comp_methods = NULL; #ifndef OPENSSL_NO_SRTP @@ -3653,10 +3662,38 @@ const char *SSL_get_version(const SSL *s return ssl_protocol_to_string(s->version); } -SSL *SSL_dup(SSL *s) +static int dup_ca_names(STACK_OF(X509_NAME) **dst, STACK_OF(X509_NAME) *src) { STACK_OF(X509_NAME) *sk; X509_NAME *xn; + int i; + + if (src == NULL) { + *dst = NULL; + return 1; + } + + if ((sk = sk_X509_NAME_new_null()) == NULL) + return 0; + for (i = 0; i < sk_X509_NAME_num(src); i++) { + xn = X509_NAME_dup(sk_X509_NAME_value(src, i)); + if (xn == NULL) { + sk_X509_NAME_pop_free(sk, X509_NAME_free); + return 0; + } + if (sk_X509_NAME_insert(sk, xn, i) == 0) { + X509_NAME_free(xn); + sk_X509_NAME_pop_free(sk, X509_NAME_free); + return 0; + } + } + *dst = sk; + + return 1; +} + +SSL *SSL_dup(SSL *s) +{ SSL *ret; int i; @@ -3761,18 +3798,10 @@ SSL *SSL_dup(SSL *s) goto err; /* Dup the client_CA list */ - if (s->ca_names != NULL) { - if ((sk = sk_X509_NAME_dup(s->ca_names)) == NULL) - goto err; - ret->ca_names = sk; - for (i = 0; i < sk_X509_NAME_num(sk); i++) { - xn = sk_X509_NAME_value(sk, i); - if (sk_X509_NAME_set(sk, i, X509_NAME_dup(xn)) == NULL) { - X509_NAME_free(xn); - goto err; - } - } - } + if (!dup_ca_names(&ret->ca_names, s->ca_names) + || !dup_ca_names(&ret->client_ca_names, s->client_ca_names)) + goto err; + return ret; err: @@ -5102,7 +5131,8 @@ static int nss_keylog_int(const char *pr size_t i; size_t prefix_len; - if (ssl->ctx->keylog_callback == NULL) return 1; + if (ssl->ctx->keylog_callback == NULL) + return 1; /* * Our output buffer will contain the following strings, rendered with @@ -5113,7 +5143,7 @@ static int nss_keylog_int(const char *pr * hexadecimal, so we need a buffer that is twice their lengths. */ prefix_len = strlen(prefix); - out_len = prefix_len + (2*parameter_1_len) + (2*parameter_2_len) + 3; + out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3; if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) { SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, SSL_F_NSS_KEYLOG_INT, ERR_R_MALLOC_FAILURE); @@ -5137,7 +5167,7 @@ static int nss_keylog_int(const char *pr *cursor = '\0'; ssl->ctx->keylog_callback(ssl, (const char *)out); - OPENSSL_free(out); + OPENSSL_clear_free(out, out_len); return 1; } Index: src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.22 src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.23 --- src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.22 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c Sat Dec 8 17:35:44 2018 @@ -3681,9 +3681,15 @@ long ssl3_ctrl(SSL *s, int cmd, long lar *(int *)parg = s->s3->tmp.peer_sigalg->hash; return 1; - case SSL_CTRL_GET_SERVER_TMP_KEY: + case SSL_CTRL_GET_SIGNATURE_NID: + if (s->s3->tmp.sigalg == NULL) + return 0; + *(int *)parg = s->s3->tmp.sigalg->hash; + return 1; + + case SSL_CTRL_GET_PEER_TMP_KEY: #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) - if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) { + if (s->session == NULL || s->s3->peer_tmp == NULL) { return 0; } else { EVP_PKEY_up_ref(s->s3->peer_tmp); @@ -3693,6 +3699,20 @@ long ssl3_ctrl(SSL *s, int cmd, long lar #else return 0; #endif + + case SSL_CTRL_GET_TMP_KEY: +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) + if (s->session == NULL || s->s3->tmp.pkey == NULL) { + return 0; + } else { + EVP_PKEY_up_ref(s->s3->tmp.pkey); + *(EVP_PKEY **)parg = s->s3->tmp.pkey; + return 1; + } +#else + return 0; +#endif + #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { Index: src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c:1.16 src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c:1.17 --- src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c:1.16 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c Sat Dec 8 17:35:44 2018 @@ -1301,7 +1301,7 @@ static int ciphersuite_cb(const char *el return 1; } -int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str) +static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str) { STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null(); Index: src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.19 src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.20 --- src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.19 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h Sat Dec 8 17:35:44 2018 @@ -471,7 +471,11 @@ struct ssl_method_st { long (*ssl_ctx_callback_ctrl) (SSL_CTX *s, int cb_id, void (*fp) (void)); }; -# define TLS13_MAX_RESUMPTION_PSK_LENGTH 64 +/* + * Matches the length of PSK_MAX_PSK_LEN. We keep it the same value for + * consistency, even in the event of OPENSSL_NO_PSK being defined. + */ +# define TLS13_MAX_RESUMPTION_PSK_LENGTH 256 /*- * Lets make this into an ASN.1 type structure as follows @@ -850,9 +854,11 @@ struct ssl_ctx_st { /* * What we put in certificate_authorities extension for TLS 1.3 * (ClientHello and CertificateRequest) or just client cert requests for - * earlier versions. + * earlier versions. If client_ca_names is populated then it is only used + * for client cert requests, and in preference to ca_names. */ STACK_OF(X509_NAME) *ca_names; + STACK_OF(X509_NAME) *client_ca_names; /* * Default values to use in SSL structures follow (these are copied by @@ -1229,8 +1235,14 @@ struct ssl_st { long verify_result; /* extra application data */ CRYPTO_EX_DATA ex_data; - /* for server side, keep the list of CA_dn we can use */ + /* + * What we put in certificate_authorities extension for TLS 1.3 + * (ClientHello and CertificateRequest) or just client cert requests for + * earlier versions. If client_ca_names is populated then it is only used + * for client cert requests, and in preference to ca_names. + */ STACK_OF(X509_NAME) *ca_names; + STACK_OF(X509_NAME) *client_ca_names; CRYPTO_REF_COUNT references; /* protocol behaviour */ uint32_t options; @@ -2251,7 +2263,6 @@ __owur int ssl_cipher_id_cmp(const SSL_C DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, const SSL_CIPHER *const *bp); -__owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str); __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, @@ -2561,6 +2572,9 @@ __owur int tls1_process_sigalgs(SSL *s); __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey); __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd); __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs); +# ifndef OPENSSL_NO_EC +__owur int tls_check_sigalg_curve(const SSL *s, int curve); +# endif __owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey); __owur int ssl_set_client_disabled(SSL *s); __owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde); Index: src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c diff -u src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.27 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.28 --- src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.27 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c Sat Dec 8 17:35:44 2018 @@ -343,6 +343,10 @@ int tls1_set_groups(uint16_t **pext, siz */ unsigned long dup_list = 0; + if (ngroups == 0) { + SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH); + return 0; + } if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE); return 0; @@ -945,6 +949,39 @@ size_t tls12_get_psigalgs(SSL *s, int se } } +#ifndef OPENSSL_NO_EC +/* + * Called by servers only. Checks that we have a sig alg that supports the + * specified EC curve. + */ +int tls_check_sigalg_curve(const SSL *s, int curve) +{ + const uint16_t *sigs; + size_t siglen, i; + + if (s->cert->conf_sigalgs) { + sigs = s->cert->conf_sigalgs; + siglen = s->cert->conf_sigalgslen; + } else { + sigs = tls12_sigalgs; + siglen = OSSL_NELEM(tls12_sigalgs); + } + + for (i = 0; i < siglen; i++) { + const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigs[i]); + + if (lu == NULL) + continue; + if (lu->sig == EVP_PKEY_EC + && lu->curve != NID_undef + && curve == lu->curve) + return 1; + } + + return 0; +} +#endif + /* * Check signature algorithm is consistent with sent supported signature * algorithms and if so set relevant digest and signature scheme in @@ -1087,6 +1124,14 @@ int SSL_get_peer_signature_type_nid(cons return 1; } +int SSL_get_signature_type_nid(const SSL *s, int *pnid) +{ + if (s->s3->tmp.sigalg == NULL) + return 0; + *pnid = s->s3->tmp.sigalg->sig; + return 1; +} + /* * Set a mask of disabled algorithms: an algorithm is disabled if it isn't * supported, doesn't appear in supported signature algorithms, isn't supported Index: src/crypto/external/bsd/openssl/dist/test/ecdsatest.c diff -u src/crypto/external/bsd/openssl/dist/test/ecdsatest.c:1.3 src/crypto/external/bsd/openssl/dist/test/ecdsatest.c:1.4 --- src/crypto/external/bsd/openssl/dist/test/ecdsatest.c:1.3 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/test/ecdsatest.c Sat Dec 8 17:35:44 2018 @@ -13,7 +13,7 @@ #include <string.h> #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */ -# include "testutil.h" +#include "testutil.h" #ifndef OPENSSL_NO_EC @@ -25,6 +25,7 @@ # ifndef OPENSSL_NO_ENGINE # include <openssl/engine.h> # endif +# include <openssl/sha.h> # include <openssl/err.h> # include <openssl/rand.h> @@ -103,7 +104,7 @@ static int x9_62_test_internal(int nid, { int ret = 0; const char message[] = "abc"; - unsigned char digest[20]; + unsigned char digest[SHA_DIGEST_LENGTH]; unsigned int dgst_len = 0; EVP_MD_CTX *md_ctx; EC_KEY *key = NULL; @@ -135,7 +136,8 @@ static int x9_62_test_internal(int nid, /* Use ECDSA_sign_setup to avoid use of ECDSA nonces */ if (!TEST_true(ECDSA_sign_setup(key, NULL, &kinv, &rp))) goto x962_int_err; - if (!TEST_ptr(signature = ECDSA_do_sign_ex(digest, 20, kinv, rp, key))) + if (!TEST_ptr(signature = + ECDSA_do_sign_ex(digest, SHA_DIGEST_LENGTH, kinv, rp, key))) goto x962_int_err; /* compare the created signature with the expected signature */ @@ -149,7 +151,8 @@ static int x9_62_test_internal(int nid, goto x962_int_err; /* verify the signature */ - if (!TEST_int_eq(ECDSA_do_verify(digest, 20, signature, key), 1)) + if (!TEST_int_eq(ECDSA_do_verify(digest, SHA_DIGEST_LENGTH, + signature, key), 1)) goto x962_int_err; ret = 1; @@ -211,7 +214,8 @@ static int test_builtin(void) EC_KEY *eckey = NULL, *wrong_eckey = NULL; EC_GROUP *group; ECDSA_SIG *ecdsa_sig = NULL, *modified_sig = NULL; - unsigned char digest[20], wrong_digest[20]; + unsigned char digest[SHA512_DIGEST_LENGTH]; + unsigned char wrong_digest[SHA512_DIGEST_LENGTH]; unsigned char *signature = NULL; const unsigned char *sig_ptr; unsigned char *sig_ptr2; @@ -223,8 +227,8 @@ static int test_builtin(void) int nid, ret = 0; /* fill digest values with some random data */ - if (!TEST_true(RAND_bytes(digest, 20)) - || !TEST_true(RAND_bytes(wrong_digest, 20))) + if (!TEST_true(RAND_bytes(digest, SHA512_DIGEST_LENGTH)) + || !TEST_true(RAND_bytes(wrong_digest, SHA512_DIGEST_LENGTH))) goto builtin_err; /* create and verify a ecdsa signature with every available curve */ @@ -239,7 +243,7 @@ static int test_builtin(void) unsigned char dirt, offset; nid = curves[n].nid; - if (nid == NID_ipsec4) + if (nid == NID_ipsec4 || nid == NID_ipsec3) continue; /* create new ecdsa key (== EC_KEY) */ if (!TEST_ptr(eckey = EC_KEY_new()) @@ -248,12 +252,7 @@ static int test_builtin(void) goto builtin_err; EC_GROUP_free(group); degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey)); - if (degree < 160) { - /* drop the curve */ - EC_KEY_free(eckey); - eckey = NULL; - continue; - } + TEST_info("testing %s", OBJ_nid2sn(nid)); /* create key */ @@ -275,28 +274,32 @@ static int test_builtin(void) /* create signature */ sig_len = ECDSA_size(eckey); if (!TEST_ptr(signature = OPENSSL_malloc(sig_len)) - || !TEST_true(ECDSA_sign(0, digest, 20, signature, &sig_len, - eckey))) + || !TEST_true(ECDSA_sign(0, digest, SHA512_DIGEST_LENGTH, + signature, &sig_len, eckey))) goto builtin_err; /* verify signature */ - if (!TEST_int_eq(ECDSA_verify(0, digest, 20, signature, sig_len, - eckey), 1)) + if (!TEST_int_eq(ECDSA_verify(0, digest, SHA512_DIGEST_LENGTH, + signature, sig_len, eckey), + 1)) goto builtin_err; /* verify signature with the wrong key */ - if (!TEST_int_ne(ECDSA_verify(0, digest, 20, signature, sig_len, - wrong_eckey), 1)) + if (!TEST_int_ne(ECDSA_verify(0, digest, SHA512_DIGEST_LENGTH, + signature, sig_len, wrong_eckey), + 1)) goto builtin_err; /* wrong digest */ - if (!TEST_int_ne(ECDSA_verify(0, wrong_digest, 20, signature, - sig_len, eckey), 1)) + if (!TEST_int_ne(ECDSA_verify(0, wrong_digest, SHA512_DIGEST_LENGTH, + signature, sig_len, eckey), + 1)) goto builtin_err; /* wrong length */ - if (!TEST_int_ne(ECDSA_verify(0, digest, 20, signature, - sig_len - 1, eckey), 1)) + if (!TEST_int_ne(ECDSA_verify(0, digest, SHA512_DIGEST_LENGTH, + signature, sig_len - 1, eckey), + 1)) goto builtin_err; /* @@ -342,14 +345,15 @@ static int test_builtin(void) } sig_ptr2 = signature; sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2); - if (!TEST_false(ECDSA_verify(0, digest, 20, signature, sig_len, eckey))) + if (!TEST_false(ECDSA_verify(0, digest, SHA512_DIGEST_LENGTH, + signature, sig_len, eckey))) goto builtin_err; /* Sanity check: undo the modification and verify signature. */ raw_buf[offset] ^= dirt; if (!TEST_ptr(unmodified_r = BN_bin2bn(raw_buf, bn_len, NULL)) || !TEST_ptr(unmodified_s = BN_bin2bn(raw_buf + bn_len, - bn_len, NULL)) + bn_len, NULL)) || !TEST_true(ECDSA_SIG_set0(modified_sig, unmodified_r, unmodified_s))) { BN_free(unmodified_r); @@ -359,7 +363,8 @@ static int test_builtin(void) sig_ptr2 = signature; sig_len = i2d_ECDSA_SIG(modified_sig, &sig_ptr2); - if (!TEST_true(ECDSA_verify(0, digest, 20, signature, sig_len, eckey))) + if (!TEST_true(ECDSA_verify(0, digest, SHA512_DIGEST_LENGTH, + signature, sig_len, eckey))) goto builtin_err; /* cleanup */ Index: src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c diff -u src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c:1.4 src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c:1.5 --- src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c:1.4 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c Sat Dec 8 17:35:44 2018 @@ -17,6 +17,7 @@ #include <openssl/rsa.h> #include <openssl/x509.h> #include <openssl/pem.h> +#include <openssl/kdf.h> #include "testutil.h" #include "internal/nelem.h" #include "internal/evp_int.h" @@ -918,6 +919,50 @@ static int test_EVP_PKEY_check(int i) return ret; } +static int test_HKDF(void) +{ + EVP_PKEY_CTX *pctx; + unsigned char out[20]; + size_t outlen; + int i, ret = 0; + unsigned char salt[] = "0123456789"; + unsigned char key[] = "012345678901234567890123456789"; + unsigned char info[] = "infostring"; + const unsigned char expected[] = { + 0xe5, 0x07, 0x70, 0x7f, 0xc6, 0x78, 0xd6, 0x54, 0x32, 0x5f, 0x7e, 0xc5, + 0x7b, 0x59, 0x3e, 0xd8, 0x03, 0x6b, 0xed, 0xca + }; + size_t expectedlen = sizeof(expected); + + if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL))) + goto done; + + /* We do this twice to test reuse of the EVP_PKEY_CTX */ + for (i = 0; i < 2; i++) { + outlen = sizeof(out); + memset(out, 0, outlen); + + if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0) + || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, + sizeof(salt) - 1), 0) + || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key, + sizeof(key) - 1), 0) + || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info, + sizeof(info) - 1), 0) + || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0) + || !TEST_mem_eq(out, outlen, expected, expectedlen)) + goto done; + } + + ret = 1; + + done: + EVP_PKEY_CTX_free(pctx); + + return ret; +} + int setup_tests(void) { ADD_TEST(test_EVP_DigestSignInit); @@ -941,5 +986,6 @@ int setup_tests(void) if (!TEST_int_eq(EVP_PKEY_meth_add0(custom_pmeth), 1)) return 0; ADD_ALL_TESTS(test_EVP_PKEY_check, OSSL_NELEM(keycheckdata)); + ADD_TEST(test_HKDF); return 1; } Index: src/crypto/external/bsd/openssl/dist/test/evp_test.c diff -u src/crypto/external/bsd/openssl/dist/test/evp_test.c:1.4 src/crypto/external/bsd/openssl/dist/test/evp_test.c:1.5 --- src/crypto/external/bsd/openssl/dist/test/evp_test.c:1.4 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/test/evp_test.c Sat Dec 8 17:35:44 2018 @@ -73,8 +73,6 @@ static KEY_LIST *public_keys; static int find_key(EVP_PKEY **ppk, const char *name, KEY_LIST *lst); static int parse_bin(const char *value, unsigned char **buf, size_t *buflen); -static int pkey_test_ctrl(EVP_TEST *t, EVP_PKEY_CTX *pctx, - const char *value); /* * Compare two memory regions for equality, returning zero if they differ. @@ -459,7 +457,7 @@ typedef struct cipher_data_st { size_t plaintext_len; unsigned char *ciphertext; size_t ciphertext_len; - /* GCM, CCM only */ + /* GCM, CCM and OCB only */ unsigned char *aad; size_t aad_len; unsigned char *tag; @@ -487,7 +485,7 @@ static int cipher_test_init(EVP_TEST *t, if (m == EVP_CIPH_GCM_MODE || m == EVP_CIPH_OCB_MODE || m == EVP_CIPH_CCM_MODE) - cdat->aead = EVP_CIPHER_mode(cipher); + cdat->aead = m; else if (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) cdat->aead = -1; else @@ -927,6 +925,28 @@ static int mac_test_parse(EVP_TEST *t, return 0; } +static int mac_test_ctrl_pkey(EVP_TEST *t, EVP_PKEY_CTX *pctx, + const char *value) +{ + int rv; + char *p, *tmpval; + + if (!TEST_ptr(tmpval = OPENSSL_strdup(value))) + return 0; + p = strchr(tmpval, ':'); + if (p != NULL) + *p++ = '\0'; + rv = EVP_PKEY_CTX_ctrl_str(pctx, tmpval, p); + if (rv == -2) + t->err = "PKEY_CTRL_INVALID"; + else if (rv <= 0) + t->err = "PKEY_CTRL_ERROR"; + else + rv = 1; + OPENSSL_free(tmpval); + return rv > 0; +} + static int mac_test_run(EVP_TEST *t) { MAC_DATA *expected = t->data; @@ -972,8 +992,9 @@ static int mac_test_run(EVP_TEST *t) goto err; } for (i = 0; i < sk_OPENSSL_STRING_num(expected->controls); i++) - if (!pkey_test_ctrl(t, pctx, - sk_OPENSSL_STRING_value(expected->controls, i))) { + if (!mac_test_ctrl_pkey(t, pctx, + sk_OPENSSL_STRING_value(expected->controls, + i))) { t->err = "EVPPKEYCTXCTRL_ERROR"; goto err; } @@ -2614,8 +2635,8 @@ top: return 0; } if (rv < 0) { - TEST_info("Line %d: error processing keyword %s\n", - t->s.curr, pp->key); + TEST_info("Line %d: error processing keyword %s = %s\n", + t->s.curr, pp->key, pp->value); return 0; } } Index: src/crypto/external/bsd/openssl/dist/util/mkdef.pl diff -u src/crypto/external/bsd/openssl/dist/util/mkdef.pl:1.9 src/crypto/external/bsd/openssl/dist/util/mkdef.pl:1.10 --- src/crypto/external/bsd/openssl/dist/util/mkdef.pl:1.9 Sun Sep 23 09:33:03 2018 +++ src/crypto/external/bsd/openssl/dist/util/mkdef.pl Sat Dec 8 17:35:44 2018 @@ -247,7 +247,7 @@ $crypto.=" include/internal/o_str.h"; $crypto.=" include/internal/err.h"; $crypto.=" include/internal/sslconf.h"; foreach my $f ( glob(catfile($config{sourcedir},'include/openssl/*.h')) ) { - my $fn = "include/openssl/" . lc(basename($f)); + my $fn = "include/openssl/" . basename($f); $crypto .= " $fn" if !defined $skipthese{$fn}; } @@ -936,16 +936,6 @@ sub do_defs } } - # Prune the returned symbols - - delete $syms{"bn_dump1"}; - $platform{"BIO_s_log"} .= ",!WIN32,!macintosh"; - - $platform{"PEM_read_NS_CERT_SEQ"} = "VMS"; - $platform{"PEM_write_NS_CERT_SEQ"} = "VMS"; - $platform{"PEM_read_P8_PRIV_KEY_INFO"} = "VMS"; - $platform{"PEM_write_P8_PRIV_KEY_INFO"} = "VMS"; - # Info we know about push @ret, map { $_."\\".&info_string($_,"EXIST", Index: src/crypto/external/bsd/openssl/lib/libcrypto/crypto.inc diff -u src/crypto/external/bsd/openssl/lib/libcrypto/crypto.inc:1.8 src/crypto/external/bsd/openssl/lib/libcrypto/crypto.inc:1.9 --- src/crypto/external/bsd/openssl/lib/libcrypto/crypto.inc:1.8 Sun Sep 23 09:33:04 2018 +++ src/crypto/external/bsd/openssl/lib/libcrypto/crypto.inc Sat Dec 8 17:35:44 2018 @@ -1,4 +1,4 @@ -# $NetBSD: crypto.inc,v 1.8 2018/09/23 13:33:04 christos Exp $ +# $NetBSD: crypto.inc,v 1.9 2018/12/08 22:35:44 christos Exp $ # # @(#) Copyright (c) 1995 Simon J. Gerraty # @@ -15,6 +15,7 @@ ctype.c \ cversion.c \ ebcdic.c \ ex_data.c \ +getenv.c \ init.c \ mem.c \ mem_dbg.c \