Module Name: src Committed By: christos Date: Fri Apr 24 19:37:09 UTC 2020
Modified Files: src/crypto/external/bsd/openssl/dist: CHANGES NEWS README src/crypto/external/bsd/openssl/dist/apps: ocsp.c s_time.c src/crypto/external/bsd/openssl/dist/crypto/ec: ec_asn1.c ec_lib.c ecp_smpl.c src/crypto/external/bsd/openssl/dist/crypto/evp: e_aes.c src/crypto/external/bsd/openssl/dist/crypto/x509: x509_vfy.c src/crypto/external/bsd/openssl/dist/ssl: t1_lib.c Log Message: merge conflicts To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/crypto/external/bsd/openssl/dist/CHANGES \ src/crypto/external/bsd/openssl/dist/NEWS \ src/crypto/external/bsd/openssl/dist/README cvs rdiff -u -r1.21 -r1.22 src/crypto/external/bsd/openssl/dist/apps/ocsp.c cvs rdiff -u -r1.10 -r1.11 src/crypto/external/bsd/openssl/dist/apps/s_time.c cvs rdiff -u -r1.9 -r1.10 \ src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c cvs rdiff -u -r1.8 -r1.9 \ src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c cvs rdiff -u -r1.11 -r1.12 \ src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c cvs rdiff -u -r1.22 -r1.23 \ src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c cvs rdiff -u -r1.19 -r1.20 \ src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c cvs rdiff -u -r1.31 -r1.32 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/external/bsd/openssl/dist/CHANGES diff -u src/crypto/external/bsd/openssl/dist/CHANGES:1.23 src/crypto/external/bsd/openssl/dist/CHANGES:1.24 --- src/crypto/external/bsd/openssl/dist/CHANGES:1.23 Sun Apr 5 17:53:44 2020 +++ src/crypto/external/bsd/openssl/dist/CHANGES Fri Apr 24 15:37:09 2020 @@ -7,6 +7,27 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1f and 1.1.1g [21 Apr 2020] + + *) Fixed segmentation fault in SSL_check_chain() + Server or client applications that call the SSL_check_chain() function + during or after a TLS 1.3 handshake may crash due to a NULL pointer + dereference as a result of incorrect handling of the + "signature_algorithms_cert" TLS extension. The crash occurs if an invalid + or unrecognised signature algorithm is received from the peer. This could + be exploited by a malicious peer in a Denial of Service attack. + (CVE-2020-1967) + [Benjamin Kaduk] + + *) Added AES consttime code for no-asm configurations + an optional constant time support for AES was added + when building openssl for no-asm. + Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME + Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME + At this time this feature is by default disabled. + It will be enabled by default in 3.0. + [Bernd Edlinger] + Changes between 1.1.1e and 1.1.1f [31 Mar 2020] *) Revert the change of EOF detection while reading in libssl to avoid Index: src/crypto/external/bsd/openssl/dist/NEWS diff -u src/crypto/external/bsd/openssl/dist/NEWS:1.23 src/crypto/external/bsd/openssl/dist/NEWS:1.24 --- src/crypto/external/bsd/openssl/dist/NEWS:1.23 Sun Apr 5 17:53:44 2020 +++ src/crypto/external/bsd/openssl/dist/NEWS Fri Apr 24 15:37:09 2020 @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020] + + o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967) + Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020] o Revert the unexpected EOF reporting via SSL_ERROR_SSL Index: src/crypto/external/bsd/openssl/dist/README diff -u src/crypto/external/bsd/openssl/dist/README:1.23 src/crypto/external/bsd/openssl/dist/README:1.24 --- src/crypto/external/bsd/openssl/dist/README:1.23 Sun Apr 5 17:53:44 2020 +++ src/crypto/external/bsd/openssl/dist/README Fri Apr 24 15:37:09 2020 @@ -1,5 +1,5 @@ - OpenSSL 1.1.1f 31 Mar 2020 + OpenSSL 1.1.1g 21 Apr 2020 Copyright (c) 1998-2020 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Index: src/crypto/external/bsd/openssl/dist/apps/ocsp.c diff -u src/crypto/external/bsd/openssl/dist/apps/ocsp.c:1.21 src/crypto/external/bsd/openssl/dist/apps/ocsp.c:1.22 --- src/crypto/external/bsd/openssl/dist/apps/ocsp.c:1.21 Sat Mar 21 20:53:02 2020 +++ src/crypto/external/bsd/openssl/dist/apps/ocsp.c Fri Apr 24 15:37:09 2020 @@ -1,5 +1,5 @@ /* - * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,65 +9,62 @@ #include <openssl/opensslconf.h> -#ifdef OPENSSL_NO_OCSP -NON_EMPTY_TRANSLATION_UNIT -#else -# ifdef OPENSSL_SYS_VMS -# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined +#ifdef OPENSSL_SYS_VMS +# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined * on OpenVMS */ -# endif +#endif -# include <stdio.h> -# include <stdlib.h> -# include <string.h> -# include <time.h> -# include <ctype.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <time.h> +#include <ctype.h> /* Needs to be included before the openssl headers */ -# include "apps.h" -# include "progs.h" -# include "internal/sockets.h" -# include <openssl/e_os2.h> -# include <openssl/crypto.h> -# include <openssl/err.h> -# include <openssl/ssl.h> -# include <openssl/evp.h> -# include <openssl/bn.h> -# include <openssl/x509v3.h> -# include <openssl/rand.h> +#include "apps.h" +#include "progs.h" +#include "internal/sockets.h" +#include <openssl/e_os2.h> +#include <openssl/crypto.h> +#include <openssl/err.h> +#include <openssl/ssl.h> +#include <openssl/evp.h> +#include <openssl/bn.h> +#include <openssl/x509v3.h> +#include <openssl/rand.h> #ifndef HAVE_FORK -# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) -# define HAVE_FORK 0 -# else -# define HAVE_FORK 1 -# endif +#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) +# define HAVE_FORK 0 +#else +# define HAVE_FORK 1 +#endif #endif #if HAVE_FORK -# undef NO_FORK +#undef NO_FORK #else -# define NO_FORK +#define NO_FORK #endif -# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \ +#if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \ && !defined(OPENSSL_NO_POSIX_IO) -# define OCSP_DAEMON -# include <sys/types.h> -# include <sys/wait.h> -# include <syslog.h> -# include <signal.h> -# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */ -# else -# undef LOG_INFO -# undef LOG_WARNING -# undef LOG_ERR -# define LOG_INFO 0 -# define LOG_WARNING 1 -# define LOG_ERR 2 -# endif +# define OCSP_DAEMON +# include <sys/types.h> +# include <sys/wait.h> +# include <syslog.h> +# include <signal.h> +# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */ +#else +# undef LOG_INFO +# undef LOG_WARNING +# undef LOG_ERR +# define LOG_INFO 0 +# define LOG_WARNING 1 +# define LOG_ERR 2 +#endif -# if defined(OPENSSL_SYS_VXWORKS) +#if defined(OPENSSL_SYS_VXWORKS) /* not supported */ int setpgid(pid_t pid, pid_t pgid) { @@ -80,9 +77,9 @@ pid_t fork(void) errno = ENOSYS; return (pid_t) -1; } -# endif +#endif /* Maximum leeway in validity period: default 5 minutes */ -# define MAX_VALIDITY_PERIOD (5 * 60) +#define MAX_VALIDITY_PERIOD (5 * 60) static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer, @@ -109,20 +106,20 @@ static void log_message(int level, const static char *prog; static int multi = 0; -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON static int acfd = (int) INVALID_SOCKET; static int index_changed(CA_DB *); static void spawn_loop(void); static int print_syslog(const char *str, size_t len, void *levPtr); static void socket_timeout(int signum); -# endif +#endif -# ifndef OPENSSL_NO_SOCK +#ifndef OPENSSL_NO_SOCK static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, const char *path, const STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout); -# endif +#endif typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, @@ -160,9 +157,9 @@ const OPTIONS ocsp_options[] = { "Don't include any certificates in response"}, {"resp_key_id", OPT_RESP_KEY_ID, '-', "Identify response by signing certificate key ID"}, -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON {"multi", OPT_MULTI, 'p', "run multiple responder processes"}, -# endif +#endif {"no_certs", OPT_NO_CERTS, '-', "Don't include any certificates in signed request"}, {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-', @@ -511,9 +508,9 @@ int ocsp_main(int argc, char **argv) trailing_md = 1; break; case OPT_MULTI: -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON multi = atoi(opt_arg()); -# endif +#endif break; } } @@ -593,7 +590,7 @@ int ocsp_main(int argc, char **argv) } } -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON if (multi && acbio != NULL) spawn_loop(); if (acbio != NULL && req_timeout > 0) @@ -606,7 +603,7 @@ int ocsp_main(int argc, char **argv) redo_accept: if (acbio != NULL) { -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON if (index_changed(rdb)) { CA_DB *newrdb = load_index(ridx_filename, NULL); @@ -619,7 +616,7 @@ redo_accept: ridx_filename); } } -# endif +#endif req = NULL; if (!do_responder(&req, &cbio, acbio, req_timeout)) @@ -688,16 +685,16 @@ redo_accept: if (cbio != NULL) send_ocsp_response(cbio, resp); } else if (host != NULL) { -# ifndef OPENSSL_NO_SOCK +#ifndef OPENSSL_NO_SOCK resp = process_responder(req, host, path, port, use_ssl, headers, req_timeout); if (resp == NULL) goto end; -# else +#else BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n"); goto end; -# endif +#endif } else if (respin != NULL) { derbio = bio_open_default(respin, 'r', FORMAT_ASN1); if (derbio == NULL) @@ -840,7 +837,7 @@ log_message(int level, const char *fmt, va_list ap; va_start(ap, fmt); -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON if (multi) { char buf[1024]; if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) { @@ -849,7 +846,7 @@ log_message(int level, const char *fmt, if (level >= LOG_ERR) ERR_print_errors_cb(print_syslog, &level); } -# endif +#endif if (!multi) { BIO_printf(bio_err, "%s: ", prog); BIO_vprintf(bio_err, fmt, ap); @@ -858,7 +855,7 @@ log_message(int level, const char *fmt, va_end(ap); } -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON static int print_syslog(const char *str, size_t len, void *levPtr) { @@ -1011,7 +1008,7 @@ static void spawn_loop(void) syslog(LOG_INFO, "terminating on signal: %d", termsig); killall(0, kidpids); } -# endif +#endif static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer, @@ -1291,11 +1288,11 @@ static char **lookup_serial(CA_DB *db, A static BIO *init_responder(const char *port) { -# ifdef OPENSSL_NO_SOCK +#ifdef OPENSSL_NO_SOCK BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n"); return NULL; -# else +#else BIO *acbio = NULL, *bufbio = NULL; bufbio = BIO_new(BIO_f_buffer()); @@ -1322,10 +1319,10 @@ static BIO *init_responder(const char *p BIO_free_all(acbio); BIO_free(bufbio); return NULL; -# endif +#endif } -# ifndef OPENSSL_NO_SOCK +#ifndef OPENSSL_NO_SOCK /* * Decode %xx URL-decoding in-place. Ignores mal-formed sequences. */ @@ -1349,22 +1346,22 @@ static int urldecode(char *p) *out = '\0'; return (int)(out - save); } -# endif +#endif -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON static void socket_timeout(int signum) { if (acfd != (int)INVALID_SOCKET) (void)shutdown(acfd, SHUT_RD); } -# endif +#endif static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, int timeout) { -# ifdef OPENSSL_NO_SOCK +#ifdef OPENSSL_NO_SOCK return 0; -# else +#else int len; OCSP_REQUEST *req = NULL; char inbuf[2048], reqbuf[2048]; @@ -1382,12 +1379,12 @@ static int do_responder(OCSP_REQUEST **p *pcbio = cbio; client = BIO_get_peer_name(cbio); -# ifdef OCSP_DAEMON +# ifdef OCSP_DAEMON if (timeout > 0) { (void) BIO_get_fd(cbio, &acfd); alarm(timeout); } -# endif +# endif /* Read the request line. */ len = BIO_gets(cbio, reqbuf, sizeof(reqbuf)); @@ -1450,11 +1447,11 @@ static int do_responder(OCSP_REQUEST **p break; } -# ifdef OCSP_DAEMON +# ifdef OCSP_DAEMON /* Clear alarm before we close the client socket */ alarm(0); timeout = 0; -# endif +# endif /* Try to read OCSP request */ if (getbio != NULL) { @@ -1470,13 +1467,13 @@ static int do_responder(OCSP_REQUEST **p *preq = req; out: -# ifdef OCSP_DAEMON +# ifdef OCSP_DAEMON if (timeout > 0) alarm(0); acfd = (int)INVALID_SOCKET; -# endif - return 1; # endif + return 1; +#endif } static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) @@ -1492,7 +1489,7 @@ static int send_ocsp_response(BIO *cbio, return 1; } -# ifndef OPENSSL_NO_SOCK +#ifndef OPENSSL_NO_SOCK static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, const char *path, const STACK_OF(CONF_VALUE) *headers, @@ -1623,6 +1620,4 @@ OCSP_RESPONSE *process_responder(OCSP_RE SSL_CTX_free(ctx); return resp; } -# endif - #endif Index: src/crypto/external/bsd/openssl/dist/apps/s_time.c diff -u src/crypto/external/bsd/openssl/dist/apps/s_time.c:1.10 src/crypto/external/bsd/openssl/dist/apps/s_time.c:1.11 --- src/crypto/external/bsd/openssl/dist/apps/s_time.c:1.10 Sat Mar 21 20:53:02 2020 +++ src/crypto/external/bsd/openssl/dist/apps/s_time.c Fri Apr 24 15:37:09 2020 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -62,6 +62,7 @@ const OPTIONS s_time_options[] = { {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"}, {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, {"no-CAfile", OPT_NOCAFILE, '-', "Do not load the default certificates file"}, {"no-CApath", OPT_NOCAPATH, '-', Index: src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c diff -u src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c:1.9 src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c:1.10 --- src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c:1.9 Sat Mar 21 20:53:05 2020 +++ src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c Fri Apr 24 15:37:09 2020 @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1297,5 +1297,7 @@ int ECDSA_size(const EC_KEY *r) i = i2d_ASN1_INTEGER(&bs, NULL); i += i; /* r and s */ ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE); + if (ret < 0) + return 0; return ret; } Index: src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c diff -u src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:1.8 src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:1.9 --- src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:1.8 Sat Mar 21 20:53:05 2020 +++ src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c Fri Apr 24 15:37:09 2020 @@ -1,5 +1,5 @@ /* - * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -1007,14 +1007,14 @@ int EC_POINTs_mul(const EC_GROUP *group, size_t i = 0; BN_CTX *new_ctx = NULL; - if ((scalar == NULL) && (num == 0)) { - return EC_POINT_set_to_infinity(group, r); - } - if (!ec_point_is_compat(r, group)) { ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } + + if (scalar == NULL && num == 0) + return EC_POINT_set_to_infinity(group, r); + for (i = 0; i < num; i++) { if (!ec_point_is_compat(points[i], group)) { ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); Index: src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c diff -u src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c:1.11 src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c:1.12 --- src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c:1.11 Sat Mar 21 20:53:05 2020 +++ src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c Fri Apr 24 15:37:09 2020 @@ -1,5 +1,5 @@ /* - * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -1372,6 +1372,7 @@ int ec_GFp_simple_field_sqr(const EC_GRO * Computes the multiplicative inverse of a in GF(p), storing the result in r. * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error. * Since we don't have a Mont structure here, SCA hardening is with blinding. + * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.) */ int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) @@ -1431,112 +1432,133 @@ int ec_GFp_simple_blind_coordinates(cons temp = BN_CTX_get(ctx); if (temp == NULL) { ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE); - goto err; + goto end; } - /* make sure lambda is not zero */ + /*- + * Make sure lambda is not zero. + * If the RNG fails, we cannot blind but nevertheless want + * code to continue smoothly and not clobber the error stack. + */ do { - if (!BN_priv_rand_range(lambda, group->field)) { - ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_BN_LIB); - goto err; + ERR_set_mark(); + ret = BN_priv_rand_range(lambda, group->field); + ERR_pop_to_mark(); + if (ret == 0) { + ret = 1; + goto end; } } while (BN_is_zero(lambda)); /* if field_encode defined convert between representations */ - if (group->meth->field_encode != NULL - && !group->meth->field_encode(group, lambda, lambda, ctx)) - goto err; - if (!group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)) - goto err; - if (!group->meth->field_sqr(group, temp, lambda, ctx)) - goto err; - if (!group->meth->field_mul(group, p->X, p->X, temp, ctx)) - goto err; - if (!group->meth->field_mul(group, temp, temp, lambda, ctx)) - goto err; - if (!group->meth->field_mul(group, p->Y, p->Y, temp, ctx)) - goto err; - p->Z_is_one = 0; + if ((group->meth->field_encode != NULL + && !group->meth->field_encode(group, lambda, lambda, ctx)) + || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx) + || !group->meth->field_sqr(group, temp, lambda, ctx) + || !group->meth->field_mul(group, p->X, p->X, temp, ctx) + || !group->meth->field_mul(group, temp, temp, lambda, ctx) + || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx)) + goto end; + p->Z_is_one = 0; ret = 1; - err: + end: BN_CTX_end(ctx); return ret; } /*- - * Set s := p, r := 2p. + * Input: + * - p: affine coordinates + * + * Output: + * - s := p, r := 2p: blinded projective (homogeneous) coordinates * * For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve - * multiplication resistant against side channel attacks" appendix, as described - * at + * multiplication resistant against side channel attacks" appendix, described at * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2 + * simplified for Z1=1. * - * The input point p will be in randomized Jacobian projective coords: - * x = X/Z**2, y=Y/Z**3 - * - * The output points p, s, and r are converted to standard (homogeneous) - * projective coords: - * x = X/Z, y=Y/Z + * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z) + * for any non-zero \lambda that holds for projective (homogeneous) coords. */ int ec_GFp_simple_ladder_pre(const EC_GROUP *group, EC_POINT *r, EC_POINT *s, EC_POINT *p, BN_CTX *ctx) { - BIGNUM *t1, *t2, *t3, *t4, *t5, *t6 = NULL; + BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL; - t1 = r->Z; - t2 = r->Y; + t1 = s->Z; + t2 = r->Z; t3 = s->X; t4 = r->X; t5 = s->Y; - t6 = s->Z; - /* convert p: (X,Y,Z) -> (XZ,Y,Z**3) */ - if (!group->meth->field_mul(group, p->X, p->X, p->Z, ctx) - || !group->meth->field_sqr(group, t1, p->Z, ctx) - || !group->meth->field_mul(group, p->Z, p->Z, t1, ctx) - /* r := 2p */ - || !group->meth->field_sqr(group, t2, p->X, ctx) - || !group->meth->field_sqr(group, t3, p->Z, ctx) - || !group->meth->field_mul(group, t4, t3, group->a, ctx) - || !BN_mod_sub_quick(t5, t2, t4, group->field) - || !BN_mod_add_quick(t2, t2, t4, group->field) - || !group->meth->field_sqr(group, t5, t5, ctx) - || !group->meth->field_mul(group, t6, t3, group->b, ctx) - || !group->meth->field_mul(group, t1, p->X, p->Z, ctx) - || !group->meth->field_mul(group, t4, t1, t6, ctx) - || !BN_mod_lshift_quick(t4, t4, 3, group->field) + if (!p->Z_is_one /* r := 2p */ + || !group->meth->field_sqr(group, t3, p->X, ctx) + || !BN_mod_sub_quick(t4, t3, group->a, group->field) + || !group->meth->field_sqr(group, t4, t4, ctx) + || !group->meth->field_mul(group, t5, p->X, group->b, ctx) + || !BN_mod_lshift_quick(t5, t5, 3, group->field) /* r->X coord output */ - || !BN_mod_sub_quick(r->X, t5, t4, group->field) - || !group->meth->field_mul(group, t1, t1, t2, ctx) - || !group->meth->field_mul(group, t2, t3, t6, ctx) - || !BN_mod_add_quick(t1, t1, t2, group->field) + || !BN_mod_sub_quick(r->X, t4, t5, group->field) + || !BN_mod_add_quick(t1, t3, group->a, group->field) + || !group->meth->field_mul(group, t2, p->X, t1, ctx) + || !BN_mod_add_quick(t2, group->b, t2, group->field) /* r->Z coord output */ - || !BN_mod_lshift_quick(r->Z, t1, 2, group->field) - || !EC_POINT_copy(s, p)) + || !BN_mod_lshift_quick(r->Z, t2, 2, group->field)) + return 0; + + /* make sure lambda (r->Y here for storage) is not zero */ + do { + if (!BN_priv_rand_range(r->Y, group->field)) + return 0; + } while (BN_is_zero(r->Y)); + + /* make sure lambda (s->Z here for storage) is not zero */ + do { + if (!BN_priv_rand_range(s->Z, group->field)) + return 0; + } while (BN_is_zero(s->Z)); + + /* if field_encode defined convert between representations */ + if (group->meth->field_encode != NULL + && (!group->meth->field_encode(group, r->Y, r->Y, ctx) + || !group->meth->field_encode(group, s->Z, s->Z, ctx))) + return 0; + + /* blind r and s independently */ + if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx) + || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx) + || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */ return 0; r->Z_is_one = 0; s->Z_is_one = 0; - p->Z_is_one = 0; return 1; } /*- - * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi + * Input: + * - s, r: projective (homogeneous) coordinates + * - p: affine coordinates + * + * Output: + * - s := r + s, r := 2r: projective (homogeneous) coordinates + * + * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi * "A fast parallel elliptic curve multiplication resistant against side channel * attacks", as described at - * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4 + * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4 */ int ec_GFp_simple_ladder_step(const EC_GROUP *group, EC_POINT *r, EC_POINT *s, EC_POINT *p, BN_CTX *ctx) { int ret = 0; - BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6, *t7 = NULL; + BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL; BN_CTX_start(ctx); t0 = BN_CTX_get(ctx); @@ -1546,50 +1568,47 @@ int ec_GFp_simple_ladder_step(const EC_G t4 = BN_CTX_get(ctx); t5 = BN_CTX_get(ctx); t6 = BN_CTX_get(ctx); - t7 = BN_CTX_get(ctx); - if (t7 == NULL - || !group->meth->field_mul(group, t0, r->X, s->X, ctx) - || !group->meth->field_mul(group, t1, r->Z, s->Z, ctx) - || !group->meth->field_mul(group, t2, r->X, s->Z, ctx) + if (t6 == NULL + || !group->meth->field_mul(group, t6, r->X, s->X, ctx) + || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx) + || !group->meth->field_mul(group, t4, r->X, s->Z, ctx) || !group->meth->field_mul(group, t3, r->Z, s->X, ctx) - || !group->meth->field_mul(group, t4, group->a, t1, ctx) - || !BN_mod_add_quick(t0, t0, t4, group->field) - || !BN_mod_add_quick(t4, t3, t2, group->field) - || !group->meth->field_mul(group, t0, t4, t0, ctx) - || !group->meth->field_sqr(group, t1, t1, ctx) - || !BN_mod_lshift_quick(t7, group->b, 2, group->field) - || !group->meth->field_mul(group, t1, t7, t1, ctx) - || !BN_mod_lshift1_quick(t0, t0, group->field) - || !BN_mod_add_quick(t0, t1, t0, group->field) - || !BN_mod_sub_quick(t1, t2, t3, group->field) - || !group->meth->field_sqr(group, t1, t1, ctx) - || !group->meth->field_mul(group, t3, t1, p->X, ctx) - || !group->meth->field_mul(group, t0, p->Z, t0, ctx) - /* s->X coord output */ - || !BN_mod_sub_quick(s->X, t0, t3, group->field) - /* s->Z coord output */ - || !group->meth->field_mul(group, s->Z, p->Z, t1, ctx) - || !group->meth->field_sqr(group, t3, r->X, ctx) - || !group->meth->field_sqr(group, t2, r->Z, ctx) - || !group->meth->field_mul(group, t4, t2, group->a, ctx) - || !BN_mod_add_quick(t5, r->X, r->Z, group->field) - || !group->meth->field_sqr(group, t5, t5, ctx) - || !BN_mod_sub_quick(t5, t5, t3, group->field) - || !BN_mod_sub_quick(t5, t5, t2, group->field) - || !BN_mod_sub_quick(t6, t3, t4, group->field) - || !group->meth->field_sqr(group, t6, t6, ctx) - || !group->meth->field_mul(group, t0, t2, t5, ctx) - || !group->meth->field_mul(group, t0, t7, t0, ctx) - /* r->X coord output */ - || !BN_mod_sub_quick(r->X, t6, t0, group->field) + || !group->meth->field_mul(group, t5, group->a, t0, ctx) + || !BN_mod_add_quick(t5, t6, t5, group->field) || !BN_mod_add_quick(t6, t3, t4, group->field) - || !group->meth->field_sqr(group, t3, t2, ctx) - || !group->meth->field_mul(group, t7, t3, t7, ctx) - || !group->meth->field_mul(group, t5, t5, t6, ctx) + || !group->meth->field_mul(group, t5, t6, t5, ctx) + || !group->meth->field_sqr(group, t0, t0, ctx) + || !BN_mod_lshift_quick(t2, group->b, 2, group->field) + || !group->meth->field_mul(group, t0, t2, t0, ctx) || !BN_mod_lshift1_quick(t5, t5, group->field) + || !BN_mod_sub_quick(t3, t4, t3, group->field) + /* s->Z coord output */ + || !group->meth->field_sqr(group, s->Z, t3, ctx) + || !group->meth->field_mul(group, t4, s->Z, p->X, ctx) + || !BN_mod_add_quick(t0, t0, t5, group->field) + /* s->X coord output */ + || !BN_mod_sub_quick(s->X, t0, t4, group->field) + || !group->meth->field_sqr(group, t4, r->X, ctx) + || !group->meth->field_sqr(group, t5, r->Z, ctx) + || !group->meth->field_mul(group, t6, t5, group->a, ctx) + || !BN_mod_add_quick(t1, r->X, r->Z, group->field) + || !group->meth->field_sqr(group, t1, t1, ctx) + || !BN_mod_sub_quick(t1, t1, t4, group->field) + || !BN_mod_sub_quick(t1, t1, t5, group->field) + || !BN_mod_sub_quick(t3, t4, t6, group->field) + || !group->meth->field_sqr(group, t3, t3, ctx) + || !group->meth->field_mul(group, t0, t5, t1, ctx) + || !group->meth->field_mul(group, t0, t2, t0, ctx) + /* r->X coord output */ + || !BN_mod_sub_quick(r->X, t3, t0, group->field) + || !BN_mod_add_quick(t3, t4, t6, group->field) + || !group->meth->field_sqr(group, t4, t5, ctx) + || !group->meth->field_mul(group, t4, t4, t2, ctx) + || !group->meth->field_mul(group, t1, t1, t3, ctx) + || !BN_mod_lshift1_quick(t1, t1, group->field) /* r->Z coord output */ - || !BN_mod_add_quick(r->Z, t7, t5, group->field)) + || !BN_mod_add_quick(r->Z, t4, t1, group->field)) goto err; ret = 1; @@ -1600,17 +1619,23 @@ int ec_GFp_simple_ladder_step(const EC_G } /*- + * Input: + * - s, r: projective (homogeneous) coordinates + * - p: affine coordinates + * + * Output: + * - r := (x,y): affine coordinates + * * Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass - * Elliptic Curves and Side-Channel Attacks", modified to work in projective - * coordinates and return r in Jacobian projective coordinates. + * Elliptic Curves and Side-Channel Attacks", modified to work in mixed + * projective coords, i.e. p is affine and (r,s) in projective (homogeneous) + * coords, and return r in affine coordinates. * - * X4 = two*Y1*X2*Z3*Z2*Z1; - * Y4 = two*b*Z3*SQR(Z2*Z1) + Z3*(a*Z2*Z1+X1*X2)*(X1*Z2+X2*Z1) - X3*SQR(X1*Z2-X2*Z1); - * Z4 = two*Y1*Z3*SQR(Z2)*Z1; + * X4 = two*Y1*X2*Z3*Z2; + * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2); + * Z4 = two*Y1*Z3*SQR(Z2); * * Z4 != 0 because: - * - Z1==0 implies p is at infinity, which would have caused an early exit in - * the caller; * - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch); * - Z3==0 implies s is at infinity (handled by the BN_is_zero(s->Z) branch); * - Y1==0 implies p has order 2, so either r or s are infinity and handled by @@ -1627,11 +1652,7 @@ int ec_GFp_simple_ladder_post(const EC_G return EC_POINT_set_to_infinity(group, r); if (BN_is_zero(s->Z)) { - /* (X,Y,Z) -> (XZ,YZ**2,Z) */ - if (!group->meth->field_mul(group, r->X, p->X, p->Z, ctx) - || !group->meth->field_sqr(group, r->Z, p->Z, ctx) - || !group->meth->field_mul(group, r->Y, p->Y, r->Z, ctx) - || !BN_copy(r->Z, p->Z) + if (!EC_POINT_copy(r, p) || !EC_POINT_invert(group, r, ctx)) return 0; return 1; @@ -1647,38 +1668,46 @@ int ec_GFp_simple_ladder_post(const EC_G t6 = BN_CTX_get(ctx); if (t6 == NULL - || !BN_mod_lshift1_quick(t0, p->Y, group->field) - || !group->meth->field_mul(group, t1, r->X, p->Z, ctx) - || !group->meth->field_mul(group, t2, r->Z, s->Z, ctx) - || !group->meth->field_mul(group, t2, t1, t2, ctx) - || !group->meth->field_mul(group, t3, t2, t0, ctx) - || !group->meth->field_mul(group, t2, r->Z, p->Z, ctx) - || !group->meth->field_sqr(group, t4, t2, ctx) - || !BN_mod_lshift1_quick(t5, group->b, group->field) - || !group->meth->field_mul(group, t4, t4, t5, ctx) - || !group->meth->field_mul(group, t6, t2, group->a, ctx) - || !group->meth->field_mul(group, t5, r->X, p->X, ctx) - || !BN_mod_add_quick(t5, t6, t5, group->field) - || !group->meth->field_mul(group, t6, r->Z, p->X, ctx) - || !BN_mod_add_quick(t2, t6, t1, group->field) - || !group->meth->field_mul(group, t5, t5, t2, ctx) - || !BN_mod_sub_quick(t6, t6, t1, group->field) - || !group->meth->field_sqr(group, t6, t6, ctx) - || !group->meth->field_mul(group, t6, t6, s->X, ctx) - || !BN_mod_add_quick(t4, t5, t4, group->field) - || !group->meth->field_mul(group, t4, t4, s->Z, ctx) - || !BN_mod_sub_quick(t4, t4, t6, group->field) - || !group->meth->field_sqr(group, t5, r->Z, ctx) - || !group->meth->field_mul(group, r->Z, p->Z, s->Z, ctx) - || !group->meth->field_mul(group, r->Z, t5, r->Z, ctx) - || !group->meth->field_mul(group, r->Z, r->Z, t0, ctx) - /* t3 := X, t4 := Y */ - /* (X,Y,Z) -> (XZ,YZ**2,Z) */ - || !group->meth->field_mul(group, r->X, t3, r->Z, ctx) + || !BN_mod_lshift1_quick(t4, p->Y, group->field) + || !group->meth->field_mul(group, t6, r->X, t4, ctx) + || !group->meth->field_mul(group, t6, s->Z, t6, ctx) + || !group->meth->field_mul(group, t5, r->Z, t6, ctx) + || !BN_mod_lshift1_quick(t1, group->b, group->field) + || !group->meth->field_mul(group, t1, s->Z, t1, ctx) || !group->meth->field_sqr(group, t3, r->Z, ctx) - || !group->meth->field_mul(group, r->Y, t4, t3, ctx)) + || !group->meth->field_mul(group, t2, t3, t1, ctx) + || !group->meth->field_mul(group, t6, r->Z, group->a, ctx) + || !group->meth->field_mul(group, t1, p->X, r->X, ctx) + || !BN_mod_add_quick(t1, t1, t6, group->field) + || !group->meth->field_mul(group, t1, s->Z, t1, ctx) + || !group->meth->field_mul(group, t0, p->X, r->Z, ctx) + || !BN_mod_add_quick(t6, r->X, t0, group->field) + || !group->meth->field_mul(group, t6, t6, t1, ctx) + || !BN_mod_add_quick(t6, t6, t2, group->field) + || !BN_mod_sub_quick(t0, t0, r->X, group->field) + || !group->meth->field_sqr(group, t0, t0, ctx) + || !group->meth->field_mul(group, t0, t0, s->X, ctx) + || !BN_mod_sub_quick(t0, t6, t0, group->field) + || !group->meth->field_mul(group, t1, s->Z, t4, ctx) + || !group->meth->field_mul(group, t1, t3, t1, ctx) + || (group->meth->field_decode != NULL + && !group->meth->field_decode(group, t1, t1, ctx)) + || !group->meth->field_inv(group, t1, t1, ctx) + || (group->meth->field_encode != NULL + && !group->meth->field_encode(group, t1, t1, ctx)) + || !group->meth->field_mul(group, r->X, t5, t1, ctx) + || !group->meth->field_mul(group, r->Y, t0, t1, ctx)) goto err; + if (group->meth->field_set_to_one != NULL) { + if (!group->meth->field_set_to_one(group, r->Z, ctx)) + goto err; + } else { + if (!BN_one(r->Z)) + goto err; + } + + r->Z_is_one = 1; ret = 1; err: Index: src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c diff -u src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.22 src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.23 --- src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.22 Sun Mar 22 16:09:17 2020 +++ src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c Fri Apr 24 15:37:09 2020 @@ -130,6 +130,11 @@ void bsaes_xts_decrypt(const unsigned ch size_t len, const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]); #endif +#if !defined(AES_ASM) && !defined(AES_CTR_ASM) \ + && defined(OPENSSL_AES_CONST_TIME) \ + && !defined(OPENSSL_SMALL_FOOTPRINT) +# define AES_CTR_ASM +#endif #ifdef AES_CTR_ASM void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, size_t blocks, const AES_KEY *key, Index: src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c diff -u src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.19 src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.20 --- src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.19 Sun Apr 5 17:53:45 2020 +++ src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c Fri Apr 24 15:37:09 2020 @@ -508,6 +508,12 @@ static int check_chain_extensions(X509_S ret = 1; break; } + if ((x->ex_flags & EXFLAG_CA) == 0 + && x->ex_pathlen != -1 + && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) { + ctx->error = X509_V_ERR_INVALID_EXTENSION; + ret = 0; + } if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK)) return 0; /* check_purpose() makes the callback as needed */ Index: src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c diff -u src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.31 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.32 --- src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.31 Sat Mar 21 20:53:10 2020 +++ src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c Fri Apr 24 15:37:09 2020 @@ -2130,7 +2130,7 @@ static int tls1_check_sig_alg(SSL *s, X5 sigalg = use_pc_sigalgs ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]) : s->shared_sigalgs[i]; - if (sig_nid == sigalg->sigandhash) + if (sigalg != NULL && sig_nid == sigalg->sigandhash) return 1; } return 0;