Module Name: src
Committed By: christos
Date: Fri Apr 24 19:37:09 UTC 2020
Modified Files:
src/crypto/external/bsd/openssl/dist: CHANGES NEWS README
src/crypto/external/bsd/openssl/dist/apps: ocsp.c s_time.c
src/crypto/external/bsd/openssl/dist/crypto/ec: ec_asn1.c ec_lib.c
ecp_smpl.c
src/crypto/external/bsd/openssl/dist/crypto/evp: e_aes.c
src/crypto/external/bsd/openssl/dist/crypto/x509: x509_vfy.c
src/crypto/external/bsd/openssl/dist/ssl: t1_lib.c
Log Message:
merge conflicts
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/crypto/external/bsd/openssl/dist/CHANGES \
src/crypto/external/bsd/openssl/dist/NEWS \
src/crypto/external/bsd/openssl/dist/README
cvs rdiff -u -r1.21 -r1.22 src/crypto/external/bsd/openssl/dist/apps/ocsp.c
cvs rdiff -u -r1.10 -r1.11 src/crypto/external/bsd/openssl/dist/apps/s_time.c
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c
cvs rdiff -u -r1.11 -r1.12 \
src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c
cvs rdiff -u -r1.22 -r1.23 \
src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c
cvs rdiff -u -r1.19 -r1.20 \
src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c
cvs rdiff -u -r1.31 -r1.32 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/external/bsd/openssl/dist/CHANGES
diff -u src/crypto/external/bsd/openssl/dist/CHANGES:1.23 src/crypto/external/bsd/openssl/dist/CHANGES:1.24
--- src/crypto/external/bsd/openssl/dist/CHANGES:1.23 Sun Apr 5 17:53:44 2020
+++ src/crypto/external/bsd/openssl/dist/CHANGES Fri Apr 24 15:37:09 2020
@@ -7,6 +7,27 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
+
+ *) Fixed segmentation fault in SSL_check_chain()
+ Server or client applications that call the SSL_check_chain() function
+ during or after a TLS 1.3 handshake may crash due to a NULL pointer
+ dereference as a result of incorrect handling of the
+ "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+ or unrecognised signature algorithm is received from the peer. This could
+ be exploited by a malicious peer in a Denial of Service attack.
+ (CVE-2020-1967)
+ [Benjamin Kaduk]
+
+ *) Added AES consttime code for no-asm configurations
+ an optional constant time support for AES was added
+ when building openssl for no-asm.
+ Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
+ Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
+ At this time this feature is by default disabled.
+ It will be enabled by default in 3.0.
+ [Bernd Edlinger]
+
Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
*) Revert the change of EOF detection while reading in libssl to avoid
Index: src/crypto/external/bsd/openssl/dist/NEWS
diff -u src/crypto/external/bsd/openssl/dist/NEWS:1.23 src/crypto/external/bsd/openssl/dist/NEWS:1.24
--- src/crypto/external/bsd/openssl/dist/NEWS:1.23 Sun Apr 5 17:53:44 2020
+++ src/crypto/external/bsd/openssl/dist/NEWS Fri Apr 24 15:37:09 2020
@@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
+
+ o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
+
Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]
o Revert the unexpected EOF reporting via SSL_ERROR_SSL
Index: src/crypto/external/bsd/openssl/dist/README
diff -u src/crypto/external/bsd/openssl/dist/README:1.23 src/crypto/external/bsd/openssl/dist/README:1.24
--- src/crypto/external/bsd/openssl/dist/README:1.23 Sun Apr 5 17:53:44 2020
+++ src/crypto/external/bsd/openssl/dist/README Fri Apr 24 15:37:09 2020
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1f 31 Mar 2020
+ OpenSSL 1.1.1g 21 Apr 2020
Copyright (c) 1998-2020 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Index: src/crypto/external/bsd/openssl/dist/apps/ocsp.c
diff -u src/crypto/external/bsd/openssl/dist/apps/ocsp.c:1.21 src/crypto/external/bsd/openssl/dist/apps/ocsp.c:1.22
--- src/crypto/external/bsd/openssl/dist/apps/ocsp.c:1.21 Sat Mar 21 20:53:02 2020
+++ src/crypto/external/bsd/openssl/dist/apps/ocsp.c Fri Apr 24 15:37:09 2020
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -9,65 +9,62 @@
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_OCSP
-NON_EMPTY_TRANSLATION_UNIT
-#else
-# ifdef OPENSSL_SYS_VMS
-# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
+#ifdef OPENSSL_SYS_VMS
+# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
* on OpenVMS */
-# endif
+#endif
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include <time.h>
-# include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
/* Needs to be included before the openssl headers */
-# include "apps.h"
-# include "progs.h"
-# include "internal/sockets.h"
-# include <openssl/e_os2.h>
-# include <openssl/crypto.h>
-# include <openssl/err.h>
-# include <openssl/ssl.h>
-# include <openssl/evp.h>
-# include <openssl/bn.h>
-# include <openssl/x509v3.h>
-# include <openssl/rand.h>
+#include "apps.h"
+#include "progs.h"
+#include "internal/sockets.h"
+#include <openssl/e_os2.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/x509v3.h>
+#include <openssl/rand.h>
#ifndef HAVE_FORK
-# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
-# define HAVE_FORK 0
-# else
-# define HAVE_FORK 1
-# endif
+#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
+# define HAVE_FORK 0
+#else
+# define HAVE_FORK 1
+#endif
#endif
#if HAVE_FORK
-# undef NO_FORK
+#undef NO_FORK
#else
-# define NO_FORK
+#define NO_FORK
#endif
-# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
+#if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
&& !defined(OPENSSL_NO_POSIX_IO)
-# define OCSP_DAEMON
-# include <sys/types.h>
-# include <sys/wait.h>
-# include <syslog.h>
-# include <signal.h>
-# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
-# else
-# undef LOG_INFO
-# undef LOG_WARNING
-# undef LOG_ERR
-# define LOG_INFO 0
-# define LOG_WARNING 1
-# define LOG_ERR 2
-# endif
+# define OCSP_DAEMON
+# include <sys/types.h>
+# include <sys/wait.h>
+# include <syslog.h>
+# include <signal.h>
+# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
+#else
+# undef LOG_INFO
+# undef LOG_WARNING
+# undef LOG_ERR
+# define LOG_INFO 0
+# define LOG_WARNING 1
+# define LOG_ERR 2
+#endif
-# if defined(OPENSSL_SYS_VXWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
/* not supported */
int setpgid(pid_t pid, pid_t pgid)
{
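Review bot: Dropping the `#ifdef OPENSSL_NO_OCSP` / `NON_EMPTY_TRANSLATION_UNIT` wrapper at the top of this hunk (and its matching `# endif` in the last hunk of the file) means this translation unit is now compiled even in a no-ocsp configuration unless the build system excludes it, and that exclusion is not visible in this diff, so it should be confirmed. The rest of the hunk is a pure re-indentation of preprocessor lines, which makes the one semantic change easy to miss. A one-line comment above `#ifdef OPENSSL_SYS_VMS`, `/* no-ocsp builds omit this file at the build-system level; no NON_EMPTY_TRANSLATION_UNIT guard here */`, would record the new contract for the next merge.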
@@ -80,9 +77,9 @@ pid_t fork(void)
errno = ENOSYS;
return (pid_t) -1;
}
-# endif
+#endif
/* Maximum leeway in validity period: default 5 minutes */
-# define MAX_VALIDITY_PERIOD (5 * 60)
+#define MAX_VALIDITY_PERIOD (5 * 60)
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
@@ -109,20 +106,20 @@ static void log_message(int level, const
static char *prog;
static int multi = 0;
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
static int acfd = (int) INVALID_SOCKET;
static int index_changed(CA_DB *);
static void spawn_loop(void);
static int print_syslog(const char *str, size_t len, void *levPtr);
static void socket_timeout(int signum);
-# endif
+#endif
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
-# endif
+#endif
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -160,9 +157,9 @@ const OPTIONS ocsp_options[] = {
"Don't include any certificates in response"},
{"resp_key_id", OPT_RESP_KEY_ID, '-',
"Identify response by signing certificate key ID"},
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
{"multi", OPT_MULTI, 'p', "run multiple responder processes"},
-# endif
+#endif
{"no_certs", OPT_NO_CERTS, '-',
"Don't include any certificates in signed request"},
{"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
@@ -511,9 +508,9 @@ int ocsp_main(int argc, char **argv)
trailing_md = 1;
break;
case OPT_MULTI:
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
multi = atoi(opt_arg());
-# endif
+#endif
break;
}
}
@@ -593,7 +590,7 @@ int ocsp_main(int argc, char **argv)
}
}
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
if (multi && acbio != NULL)
spawn_loop();
if (acbio != NULL && req_timeout > 0)
@@ -606,7 +603,7 @@ int ocsp_main(int argc, char **argv)
redo_accept:
if (acbio != NULL) {
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
if (index_changed(rdb)) {
CA_DB *newrdb = load_index(ridx_filename, NULL);
@@ -619,7 +616,7 @@ redo_accept:
ridx_filename);
}
}
-# endif
+#endif
req = NULL;
if (!do_responder(&req, &cbio, acbio, req_timeout))
@@ -688,16 +685,16 @@ redo_accept:
if (cbio != NULL)
send_ocsp_response(cbio, resp);
} else if (host != NULL) {
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
resp = process_responder(req, host, path,
port, use_ssl, headers, req_timeout);
if (resp == NULL)
goto end;
-# else
+#else
BIO_printf(bio_err,
"Error creating connect BIO - sockets not supported.\n");
goto end;
-# endif
+#endif
} else if (respin != NULL) {
derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
if (derbio == NULL)
@@ -840,7 +837,7 @@ log_message(int level, const char *fmt,
va_list ap;
va_start(ap, fmt);
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
if (multi) {
char buf[1024];
if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) {
@@ -849,7 +846,7 @@ log_message(int level, const char *fmt,
if (level >= LOG_ERR)
ERR_print_errors_cb(print_syslog, &level);
}
-# endif
+#endif
if (!multi) {
BIO_printf(bio_err, "%s: ", prog);
BIO_vprintf(bio_err, fmt, ap);
@@ -858,7 +855,7 @@ log_message(int level, const char *fmt,
va_end(ap);
}
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
static int print_syslog(const char *str, size_t len, void *levPtr)
{
@@ -1011,7 +1008,7 @@ static void spawn_loop(void)
syslog(LOG_INFO, "terminating on signal: %d", termsig);
killall(0, kidpids);
}
-# endif
+#endif
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
@@ -1291,11 +1288,11 @@ static char **lookup_serial(CA_DB *db, A
static BIO *init_responder(const char *port)
{
-# ifdef OPENSSL_NO_SOCK
+#ifdef OPENSSL_NO_SOCK
BIO_printf(bio_err,
"Error setting up accept BIO - sockets not supported.\n");
return NULL;
-# else
+#else
BIO *acbio = NULL, *bufbio = NULL;
bufbio = BIO_new(BIO_f_buffer());
@@ -1322,10 +1319,10 @@ static BIO *init_responder(const char *p
BIO_free_all(acbio);
BIO_free(bufbio);
return NULL;
-# endif
+#endif
}
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
/*
* Decode %xx URL-decoding in-place. Ignores mal-formed sequences.
*/
@@ -1349,22 +1346,22 @@ static int urldecode(char *p)
*out = '\0';
return (int)(out - save);
}
-# endif
+#endif
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
static void socket_timeout(int signum)
{
if (acfd != (int)INVALID_SOCKET)
(void)shutdown(acfd, SHUT_RD);
}
-# endif
+#endif
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
int timeout)
{
-# ifdef OPENSSL_NO_SOCK
+#ifdef OPENSSL_NO_SOCK
return 0;
-# else
+#else
int len;
OCSP_REQUEST *req = NULL;
char inbuf[2048], reqbuf[2048];
@@ -1382,12 +1379,12 @@ static int do_responder(OCSP_REQUEST **p
*pcbio = cbio;
client = BIO_get_peer_name(cbio);
-# ifdef OCSP_DAEMON
+# ifdef OCSP_DAEMON
if (timeout > 0) {
(void) BIO_get_fd(cbio, &acfd);
alarm(timeout);
}
-# endif
+# endif
/* Read the request line. */
len = BIO_gets(cbio, reqbuf, sizeof(reqbuf));
@@ -1450,11 +1447,11 @@ static int do_responder(OCSP_REQUEST **p
break;
}
-# ifdef OCSP_DAEMON
+# ifdef OCSP_DAEMON
/* Clear alarm before we close the client socket */
alarm(0);
timeout = 0;
-# endif
+# endif
/* Try to read OCSP request */
if (getbio != NULL) {
@@ -1470,13 +1467,13 @@ static int do_responder(OCSP_REQUEST **p
*preq = req;
out:
-# ifdef OCSP_DAEMON
+# ifdef OCSP_DAEMON
if (timeout > 0)
alarm(0);
acfd = (int)INVALID_SOCKET;
-# endif
- return 1;
# endif
+ return 1;
+#endif
}
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
@@ -1492,7 +1489,7 @@ static int send_ocsp_response(BIO *cbio,
return 1;
}
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path,
const STACK_OF(CONF_VALUE) *headers,
@@ -1623,6 +1620,4 @@ OCSP_RESPONSE *process_responder(OCSP_RE
SSL_CTX_free(ctx);
return resp;
}
-# endif
-
#endif
Index: src/crypto/external/bsd/openssl/dist/apps/s_time.c
diff -u src/crypto/external/bsd/openssl/dist/apps/s_time.c:1.10 src/crypto/external/bsd/openssl/dist/apps/s_time.c:1.11
--- src/crypto/external/bsd/openssl/dist/apps/s_time.c:1.10 Sat Mar 21 20:53:02 2020
+++ src/crypto/external/bsd/openssl/dist/apps/s_time.c Fri Apr 24 15:37:09 2020
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -62,6 +62,7 @@ const OPTIONS s_time_options[] = {
{"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
+ {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
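Review bot: The new `CAfile` entry repeats the full help text of the `cafile` entry just above it, so the usage output now lists two options with identical descriptions and no hint that they are the same thing. Since both map to `OPT_CAFILE`, making the second one read `{"CAfile", OPT_CAFILE, '<', "Alias for -cafile"}` (or the reverse, whichever spelling is meant to be canonical) keeps the parser behaviour and tells the user which to prefer.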
Index: src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c:1.9 src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c:1.10
--- src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c:1.9 Sat Mar 21 20:53:05 2020
+++ src/crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c Fri Apr 24 15:37:09 2020
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1297,5 +1297,7 @@ int ECDSA_size(const EC_KEY *r)
i = i2d_ASN1_INTEGER(&bs, NULL);
i += i; /* r and s */
ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE);
+ if (ret < 0)
+ return 0;
return ret;
}
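Review bot: The new `ret < 0` guard only covers a failed `ASN1_object_size()`, while the `i2d_ASN1_INTEGER(&bs, NULL)` at the top of the hunk can itself return a negative value that is then doubled by `i += i` and handed in as the length; whether that is rejected depends on `ASN1_object_size()` refusing negative lengths, which this hunk does not show. Checking the intermediate result directly, `if (i < 0) return 0;` before `i += i;`, makes the error path independent of that behaviour. A comment on the new return, `/* 0 is the documented error return of ECDSA_size() */`, would also help, since 0 is otherwise indistinguishable from a size. ECDSA_size begins outside the hunk.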
Index: src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:1.8 src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:1.9
--- src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:1.8 Sat Mar 21 20:53:05 2020
+++ src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c Fri Apr 24 15:37:09 2020
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -1007,14 +1007,14 @@ int EC_POINTs_mul(const EC_GROUP *group,
size_t i = 0;
BN_CTX *new_ctx = NULL;
- if ((scalar == NULL) && (num == 0)) {
- return EC_POINT_set_to_infinity(group, r);
- }
-
if (!ec_point_is_compat(r, group)) {
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
+
+ if (scalar == NULL && num == 0)
+ return EC_POINT_set_to_infinity(group, r);
+
for (i = 0; i < num; i++) {
if (!ec_point_is_compat(points[i], group)) {
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
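Review bot: Moving the `scalar == NULL && num == 0` shortcut below `ec_point_is_compat(r, group)` is the right order, because the shortcut writes to `r` via `EC_POINT_set_to_infinity()`, but the relocated block carries no comment and a future merge could easily put it back. Suggest `/* validate r against group before the num == 0 shortcut writes to it */` directly above the moved `if`. EC_POINTs_mul continues on both sides of the hunk.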
Index: src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c:1.11 src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c:1.12
--- src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c:1.11 Sat Mar 21 20:53:05 2020
+++ src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c Fri Apr 24 15:37:09 2020
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -1372,6 +1372,7 @@ int ec_GFp_simple_field_sqr(const EC_GRO
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
* Since we don't have a Mont structure here, SCA hardening is with blinding.
+ * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.)
*/
int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
@@ -1431,112 +1432,133 @@ int ec_GFp_simple_blind_coordinates(cons
temp = BN_CTX_get(ctx);
if (temp == NULL) {
ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
- goto err;
+ goto end;
}
- /* make sure lambda is not zero */
+ /*-
+ * Make sure lambda is not zero.
+ * If the RNG fails, we cannot blind but nevertheless want
+ * code to continue smoothly and not clobber the error stack.
+ */
do {
- if (!BN_priv_rand_range(lambda, group->field)) {
- ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_BN_LIB);
- goto err;
+ ERR_set_mark();
+ ret = BN_priv_rand_range(lambda, group->field);
+ ERR_pop_to_mark();
+ if (ret == 0) {
+ ret = 1;
+ goto end;
}
} while (BN_is_zero(lambda));
/* if field_encode defined convert between representations */
- if (group->meth->field_encode != NULL
- && !group->meth->field_encode(group, lambda, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->Z, p->Z, lambda, ctx))
- goto err;
- if (!group->meth->field_sqr(group, temp, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->X, p->X, temp, ctx))
- goto err;
- if (!group->meth->field_mul(group, temp, temp, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
- goto err;
- p->Z_is_one = 0;
+ if ((group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, lambda, lambda, ctx))
+ || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
+ || !group->meth->field_sqr(group, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
+ || !group->meth->field_mul(group, temp, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
+ goto end;
+ p->Z_is_one = 0;
ret = 1;
- err:
+ end:
BN_CTX_end(ctx);
return ret;
}
/*-
- * Set s := p, r := 2p.
+ * Input:
+ * - p: affine coordinates
+ *
+ * Output:
+ * - s := p, r := 2p: blinded projective (homogeneous) coordinates
*
* For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve
- * multiplication resistant against side channel attacks" appendix, as described
- * at
+ * multiplication resistant against side channel attacks" appendix, described at
* https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
+ * simplified for Z1=1.
*
- * The input point p will be in randomized Jacobian projective coords:
- * x = X/Z**2, y=Y/Z**3
- *
- * The output points p, s, and r are converted to standard (homogeneous)
- * projective coords:
- * x = X/Z, y=Y/Z
+ * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z)
+ * for any non-zero \lambda that holds for projective (homogeneous) coords.
*/
int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
- BIGNUM *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
+ BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL;
- t1 = r->Z;
- t2 = r->Y;
+ t1 = s->Z;
+ t2 = r->Z;
t3 = s->X;
t4 = r->X;
t5 = s->Y;
- t6 = s->Z;
- /* convert p: (X,Y,Z) -> (XZ,Y,Z**3) */
- if (!group->meth->field_mul(group, p->X, p->X, p->Z, ctx)
- || !group->meth->field_sqr(group, t1, p->Z, ctx)
- || !group->meth->field_mul(group, p->Z, p->Z, t1, ctx)
- /* r := 2p */
- || !group->meth->field_sqr(group, t2, p->X, ctx)
- || !group->meth->field_sqr(group, t3, p->Z, ctx)
- || !group->meth->field_mul(group, t4, t3, group->a, ctx)
- || !BN_mod_sub_quick(t5, t2, t4, group->field)
- || !BN_mod_add_quick(t2, t2, t4, group->field)
- || !group->meth->field_sqr(group, t5, t5, ctx)
- || !group->meth->field_mul(group, t6, t3, group->b, ctx)
- || !group->meth->field_mul(group, t1, p->X, p->Z, ctx)
- || !group->meth->field_mul(group, t4, t1, t6, ctx)
- || !BN_mod_lshift_quick(t4, t4, 3, group->field)
+ if (!p->Z_is_one /* r := 2p */
+ || !group->meth->field_sqr(group, t3, p->X, ctx)
+ || !BN_mod_sub_quick(t4, t3, group->a, group->field)
+ || !group->meth->field_sqr(group, t4, t4, ctx)
+ || !group->meth->field_mul(group, t5, p->X, group->b, ctx)
+ || !BN_mod_lshift_quick(t5, t5, 3, group->field)
/* r->X coord output */
- || !BN_mod_sub_quick(r->X, t5, t4, group->field)
- || !group->meth->field_mul(group, t1, t1, t2, ctx)
- || !group->meth->field_mul(group, t2, t3, t6, ctx)
- || !BN_mod_add_quick(t1, t1, t2, group->field)
+ || !BN_mod_sub_quick(r->X, t4, t5, group->field)
+ || !BN_mod_add_quick(t1, t3, group->a, group->field)
+ || !group->meth->field_mul(group, t2, p->X, t1, ctx)
+ || !BN_mod_add_quick(t2, group->b, t2, group->field)
/* r->Z coord output */
- || !BN_mod_lshift_quick(r->Z, t1, 2, group->field)
- || !EC_POINT_copy(s, p))
+ || !BN_mod_lshift_quick(r->Z, t2, 2, group->field))
+ return 0;
+
+ /* make sure lambda (r->Y here for storage) is not zero */
+ do {
+ if (!BN_priv_rand_range(r->Y, group->field))
+ return 0;
+ } while (BN_is_zero(r->Y));
+
+ /* make sure lambda (s->Z here for storage) is not zero */
+ do {
+ if (!BN_priv_rand_range(s->Z, group->field))
+ return 0;
+ } while (BN_is_zero(s->Z));
+
+ /* if field_encode defined convert between representations */
+ if (group->meth->field_encode != NULL
+ && (!group->meth->field_encode(group, r->Y, r->Y, ctx)
+ || !group->meth->field_encode(group, s->Z, s->Z, ctx)))
+ return 0;
+
+ /* blind r and s independently */
+ if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
+ || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx)
+ || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */
return 0;
r->Z_is_one = 0;
s->Z_is_one = 0;
- p->Z_is_one = 0;
return 1;
}
/*-
- * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
+ * Input:
+ * - s, r: projective (homogeneous) coordinates
+ * - p: affine coordinates
+ *
+ * Output:
+ * - s := r + s, r := 2r: projective (homogeneous) coordinates
+ *
+ * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
* "A fast parallel elliptic curve multiplication resistant against side channel
* attacks", as described at
- * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
+ * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4
*/
int ec_GFp_simple_ladder_step(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
int ret = 0;
- BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6, *t7 = NULL;
+ BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
BN_CTX_start(ctx);
t0 = BN_CTX_get(ctx);
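Review bot: In ec_GFp_simple_blind_coordinates, `ret` now doubles as the holder of the `BN_priv_rand_range()` result, so after a successful draw `ret == 1`; if the subsequent `field_encode`/`field_mul`/`field_sqr` chain fails, the `goto end` returns that stale 1 and the caller sees success for a point whose coordinates were only partially multiplied by lambda, where the old code returned 0 on the same path. Inserting `ret = 0;` right after the `} while (BN_is_zero(lambda));` loop (or drawing into a separate local such as `int rv`) restores the failure return. The deliberate "RNG failed, continue unblinded" `ret = 1` inside the loop is unaffected by that change. ec_GFp_simple_blind_coordinates starts before this hunk; the two ladder functions that follow it return 0 on every failure and do not share the problem.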
@@ -1546,50 +1568,47 @@ int ec_GFp_simple_ladder_step(const EC_G
t4 = BN_CTX_get(ctx);
t5 = BN_CTX_get(ctx);
t6 = BN_CTX_get(ctx);
- t7 = BN_CTX_get(ctx);
- if (t7 == NULL
- || !group->meth->field_mul(group, t0, r->X, s->X, ctx)
- || !group->meth->field_mul(group, t1, r->Z, s->Z, ctx)
- || !group->meth->field_mul(group, t2, r->X, s->Z, ctx)
+ if (t6 == NULL
+ || !group->meth->field_mul(group, t6, r->X, s->X, ctx)
+ || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
+ || !group->meth->field_mul(group, t4, r->X, s->Z, ctx)
|| !group->meth->field_mul(group, t3, r->Z, s->X, ctx)
- || !group->meth->field_mul(group, t4, group->a, t1, ctx)
- || !BN_mod_add_quick(t0, t0, t4, group->field)
- || !BN_mod_add_quick(t4, t3, t2, group->field)
- || !group->meth->field_mul(group, t0, t4, t0, ctx)
- || !group->meth->field_sqr(group, t1, t1, ctx)
- || !BN_mod_lshift_quick(t7, group->b, 2, group->field)
- || !group->meth->field_mul(group, t1, t7, t1, ctx)
- || !BN_mod_lshift1_quick(t0, t0, group->field)
- || !BN_mod_add_quick(t0, t1, t0, group->field)
- || !BN_mod_sub_quick(t1, t2, t3, group->field)
- || !group->meth->field_sqr(group, t1, t1, ctx)
- || !group->meth->field_mul(group, t3, t1, p->X, ctx)
- || !group->meth->field_mul(group, t0, p->Z, t0, ctx)
- /* s->X coord output */
- || !BN_mod_sub_quick(s->X, t0, t3, group->field)
- /* s->Z coord output */
- || !group->meth->field_mul(group, s->Z, p->Z, t1, ctx)
- || !group->meth->field_sqr(group, t3, r->X, ctx)
- || !group->meth->field_sqr(group, t2, r->Z, ctx)
- || !group->meth->field_mul(group, t4, t2, group->a, ctx)
- || !BN_mod_add_quick(t5, r->X, r->Z, group->field)
- || !group->meth->field_sqr(group, t5, t5, ctx)
- || !BN_mod_sub_quick(t5, t5, t3, group->field)
- || !BN_mod_sub_quick(t5, t5, t2, group->field)
- || !BN_mod_sub_quick(t6, t3, t4, group->field)
- || !group->meth->field_sqr(group, t6, t6, ctx)
- || !group->meth->field_mul(group, t0, t2, t5, ctx)
- || !group->meth->field_mul(group, t0, t7, t0, ctx)
- /* r->X coord output */
- || !BN_mod_sub_quick(r->X, t6, t0, group->field)
+ || !group->meth->field_mul(group, t5, group->a, t0, ctx)
+ || !BN_mod_add_quick(t5, t6, t5, group->field)
|| !BN_mod_add_quick(t6, t3, t4, group->field)
- || !group->meth->field_sqr(group, t3, t2, ctx)
- || !group->meth->field_mul(group, t7, t3, t7, ctx)
- || !group->meth->field_mul(group, t5, t5, t6, ctx)
+ || !group->meth->field_mul(group, t5, t6, t5, ctx)
+ || !group->meth->field_sqr(group, t0, t0, ctx)
+ || !BN_mod_lshift_quick(t2, group->b, 2, group->field)
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
|| !BN_mod_lshift1_quick(t5, t5, group->field)
+ || !BN_mod_sub_quick(t3, t4, t3, group->field)
+ /* s->Z coord output */
+ || !group->meth->field_sqr(group, s->Z, t3, ctx)
+ || !group->meth->field_mul(group, t4, s->Z, p->X, ctx)
+ || !BN_mod_add_quick(t0, t0, t5, group->field)
+ /* s->X coord output */
+ || !BN_mod_sub_quick(s->X, t0, t4, group->field)
+ || !group->meth->field_sqr(group, t4, r->X, ctx)
+ || !group->meth->field_sqr(group, t5, r->Z, ctx)
+ || !group->meth->field_mul(group, t6, t5, group->a, ctx)
+ || !BN_mod_add_quick(t1, r->X, r->Z, group->field)
+ || !group->meth->field_sqr(group, t1, t1, ctx)
+ || !BN_mod_sub_quick(t1, t1, t4, group->field)
+ || !BN_mod_sub_quick(t1, t1, t5, group->field)
+ || !BN_mod_sub_quick(t3, t4, t6, group->field)
+ || !group->meth->field_sqr(group, t3, t3, ctx)
+ || !group->meth->field_mul(group, t0, t5, t1, ctx)
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
+ /* r->X coord output */
+ || !BN_mod_sub_quick(r->X, t3, t0, group->field)
+ || !BN_mod_add_quick(t3, t4, t6, group->field)
+ || !group->meth->field_sqr(group, t4, t5, ctx)
+ || !group->meth->field_mul(group, t4, t4, t2, ctx)
+ || !group->meth->field_mul(group, t1, t1, t3, ctx)
+ || !BN_mod_lshift1_quick(t1, t1, group->field)
/* r->Z coord output */
- || !BN_mod_add_quick(r->Z, t7, t5, group->field))
+ || !BN_mod_add_quick(r->Z, t4, t1, group->field))
goto err;
ret = 1;
@@ -1600,17 +1619,23 @@ int ec_GFp_simple_ladder_step(const EC_G
}
/*-
+ * Input:
+ * - s, r: projective (homogeneous) coordinates
+ * - p: affine coordinates
+ *
+ * Output:
+ * - r := (x,y): affine coordinates
+ *
* Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass
- * Elliptic Curves and Side-Channel Attacks", modified to work in projective
- * coordinates and return r in Jacobian projective coordinates.
+ * Elliptic Curves and Side-Channel Attacks", modified to work in mixed
+ * projective coords, i.e. p is affine and (r,s) in projective (homogeneous)
+ * coords, and return r in affine coordinates.
*
- * X4 = two*Y1*X2*Z3*Z2*Z1;
- * Y4 = two*b*Z3*SQR(Z2*Z1) + Z3*(a*Z2*Z1+X1*X2)*(X1*Z2+X2*Z1) - X3*SQR(X1*Z2-X2*Z1);
- * Z4 = two*Y1*Z3*SQR(Z2)*Z1;
+ * X4 = two*Y1*X2*Z3*Z2;
+ * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2);
+ * Z4 = two*Y1*Z3*SQR(Z2);
*
* Z4 != 0 because:
- * - Z1==0 implies p is at infinity, which would have caused an early exit in
- * the caller;
* - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch);
* - Z3==0 implies s is at infinity (handled by the BN_is_zero(s->Z) branch);
* - Y1==0 implies p has order 2, so either r or s are infinity and handled by
@@ -1627,11 +1652,7 @@ int ec_GFp_simple_ladder_post(const EC_G
return EC_POINT_set_to_infinity(group, r);
if (BN_is_zero(s->Z)) {
- /* (X,Y,Z) -> (XZ,YZ**2,Z) */
- if (!group->meth->field_mul(group, r->X, p->X, p->Z, ctx)
- || !group->meth->field_sqr(group, r->Z, p->Z, ctx)
- || !group->meth->field_mul(group, r->Y, p->Y, r->Z, ctx)
- || !BN_copy(r->Z, p->Z)
+ if (!EC_POINT_copy(r, p)
|| !EC_POINT_invert(group, r, ctx))
return 0;
return 1;
@@ -1647,38 +1668,46 @@ int ec_GFp_simple_ladder_post(const EC_G
t6 = BN_CTX_get(ctx);
if (t6 == NULL
- || !BN_mod_lshift1_quick(t0, p->Y, group->field)
- || !group->meth->field_mul(group, t1, r->X, p->Z, ctx)
- || !group->meth->field_mul(group, t2, r->Z, s->Z, ctx)
- || !group->meth->field_mul(group, t2, t1, t2, ctx)
- || !group->meth->field_mul(group, t3, t2, t0, ctx)
- || !group->meth->field_mul(group, t2, r->Z, p->Z, ctx)
- || !group->meth->field_sqr(group, t4, t2, ctx)
- || !BN_mod_lshift1_quick(t5, group->b, group->field)
- || !group->meth->field_mul(group, t4, t4, t5, ctx)
- || !group->meth->field_mul(group, t6, t2, group->a, ctx)
- || !group->meth->field_mul(group, t5, r->X, p->X, ctx)
- || !BN_mod_add_quick(t5, t6, t5, group->field)
- || !group->meth->field_mul(group, t6, r->Z, p->X, ctx)
- || !BN_mod_add_quick(t2, t6, t1, group->field)
- || !group->meth->field_mul(group, t5, t5, t2, ctx)
- || !BN_mod_sub_quick(t6, t6, t1, group->field)
- || !group->meth->field_sqr(group, t6, t6, ctx)
- || !group->meth->field_mul(group, t6, t6, s->X, ctx)
- || !BN_mod_add_quick(t4, t5, t4, group->field)
- || !group->meth->field_mul(group, t4, t4, s->Z, ctx)
- || !BN_mod_sub_quick(t4, t4, t6, group->field)
- || !group->meth->field_sqr(group, t5, r->Z, ctx)
- || !group->meth->field_mul(group, r->Z, p->Z, s->Z, ctx)
- || !group->meth->field_mul(group, r->Z, t5, r->Z, ctx)
- || !group->meth->field_mul(group, r->Z, r->Z, t0, ctx)
- /* t3 := X, t4 := Y */
- /* (X,Y,Z) -> (XZ,YZ**2,Z) */
- || !group->meth->field_mul(group, r->X, t3, r->Z, ctx)
+ || !BN_mod_lshift1_quick(t4, p->Y, group->field)
+ || !group->meth->field_mul(group, t6, r->X, t4, ctx)
+ || !group->meth->field_mul(group, t6, s->Z, t6, ctx)
+ || !group->meth->field_mul(group, t5, r->Z, t6, ctx)
+ || !BN_mod_lshift1_quick(t1, group->b, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
|| !group->meth->field_sqr(group, t3, r->Z, ctx)
- || !group->meth->field_mul(group, r->Y, t4, t3, ctx))
+ || !group->meth->field_mul(group, t2, t3, t1, ctx)
+ || !group->meth->field_mul(group, t6, r->Z, group->a, ctx)
+ || !group->meth->field_mul(group, t1, p->X, r->X, ctx)
+ || !BN_mod_add_quick(t1, t1, t6, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
+ || !group->meth->field_mul(group, t0, p->X, r->Z, ctx)
+ || !BN_mod_add_quick(t6, r->X, t0, group->field)
+ || !group->meth->field_mul(group, t6, t6, t1, ctx)
+ || !BN_mod_add_quick(t6, t6, t2, group->field)
+ || !BN_mod_sub_quick(t0, t0, r->X, group->field)
+ || !group->meth->field_sqr(group, t0, t0, ctx)
+ || !group->meth->field_mul(group, t0, t0, s->X, ctx)
+ || !BN_mod_sub_quick(t0, t6, t0, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t4, ctx)
+ || !group->meth->field_mul(group, t1, t3, t1, ctx)
+ || (group->meth->field_decode != NULL
+ && !group->meth->field_decode(group, t1, t1, ctx))
+ || !group->meth->field_inv(group, t1, t1, ctx)
+ || (group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, t1, t1, ctx))
+ || !group->meth->field_mul(group, r->X, t5, t1, ctx)
+ || !group->meth->field_mul(group, r->Y, t0, t1, ctx))
goto err;
+ if (group->meth->field_set_to_one != NULL) {
+ if (!group->meth->field_set_to_one(group, r->Z, ctx))
+ goto err;
+ } else {
+ if (!BN_one(r->Z))
+ goto err;
+ }
+
+ r->Z_is_one = 1;
ret = 1;
err:
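Review bot: The value inverted at `field_inv(group, t1, t1, ctx)` is `t1 = s->Z * (2*p->Y) * r->Z^2`, which is exactly the `Z4` of the rewritten header comment, but nothing at the call site says so, and the `field_decode` / `field_inv` / `field_encode` sandwich around it is presumably there because of the "a must be in decoded form" note this commit adds on ec_GFp_simple_field_inv. Suggest a comment before the decode line: `/* t1 == Z4 (non-zero, see header); field_inv wants its input in decoded form */`. ec_GFp_simple_ladder_post begins and ends outside the hunk.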
Index: src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.22 src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.23
--- src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.22 Sun Mar 22 16:09:17 2020
+++ src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c Fri Apr 24 15:37:09 2020
@@ -130,6 +130,11 @@ void bsaes_xts_decrypt(const unsigned ch
size_t len, const AES_KEY *key1,
const AES_KEY *key2, const unsigned char iv[16]);
#endif
+#if !defined(AES_ASM) && !defined(AES_CTR_ASM) \
+ && defined(OPENSSL_AES_CONST_TIME) \
+ && !defined(OPENSSL_SMALL_FOOTPRINT)
+# define AES_CTR_ASM
+#endif
#ifdef AES_CTR_ASM
void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
size_t blocks, const AES_KEY *key,
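Review bot: The new `#if` defines `AES_CTR_ASM` in a configuration whose own first condition says no AES assembly is present, so from here on the macro means "an `AES_ctr32_encrypt` implementation exists" rather than "assembly is present", and a reader of the `#ifdef AES_CTR_ASM` that follows cannot tell that from the code. Suggest a comment above the new `#if`: `/* OPENSSL_AES_CONST_TIME (no-asm, see CHANGES): the constant-time C AES supplies AES_ctr32_encrypt, so reuse the AES_CTR_ASM path */`. This is inferred from the CHANGES entry in the same commit; the C implementation itself is not in this diff.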
Index: src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.19 src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.20
--- src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.19 Sun Apr 5 17:53:45 2020
+++ src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c Fri Apr 24 15:37:09 2020
@@ -508,6 +508,12 @@ static int check_chain_extensions(X509_S
ret = 1;
break;
}
+ if ((x->ex_flags & EXFLAG_CA) == 0
+ && x->ex_pathlen != -1
+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
+ ret = 0;
+ }
if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
return 0;
/* check_purpose() makes the callback as needed */
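Review bot: The new strict-mode block overwrites `ctx->error` and `ret` unconditionally, so if an earlier branch of the `switch` above (outside the hunk) has already set `ret = 0` with a more specific error code, that code is replaced by `X509_V_ERR_INVALID_EXTENSION` before `verify_cb_cert()` reports it; if that is not intended, prefixing the condition with `ret == 1 &&` preserves the first error. The rule itself deserves a citation, e.g. `/* RFC 5280 4.2.1.9: pathLenConstraint is only meaningful when cA is TRUE */` above the `if`. check_chain_extensions continues on both sides of the hunk.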
Index: src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.31 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.32
--- src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.31 Sat Mar 21 20:53:10 2020
+++ src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c Fri Apr 24 15:37:09 2020
@@ -2130,7 +2130,7 @@ static int tls1_check_sig_alg(SSL *s, X5
sigalg = use_pc_sigalgs
? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
: s->shared_sigalgs[i];
- if (sig_nid == sigalg->sigandhash)
+ if (sigalg != NULL && sig_nid == sigalg->sigandhash)
return 1;
}
return 0;
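Review bot: The `sigalg != NULL` guard removes the NULL dereference described as CVE-2020-1967 in the CHANGES hunk of this commit, but it silently skips the entry and nothing in the loop records why a lookup can return NULL; suggest `/* NULL: peer advertised an unrecognised sigalg in signature_algorithms_cert; skip it (CVE-2020-1967) */` above the `if`. The guard also covers the `s->shared_sigalgs[i]` branch, which is presumably never NULL; if so, saying that in the same comment stops a reader from hunting for a second failure mode. tls1_check_sig_alg begins outside the hunk.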