From owner-svn-src-stable-11@freebsd.org Tue Sep 10 21:15:01 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7E0A1E4BD3; Tue, 10 Sep 2019 21:15:01 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46Sd8j3YPNz432g; Tue, 10 Sep 2019 21:15:01 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5D7EA2C183; Tue, 10 Sep 2019 21:15:01 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x8ALF10s088461; Tue, 10 Sep 2019 21:15:01 GMT (envelope-from jkim@FreeBSD.org) Received: (from jkim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x8ALEuML088421; Tue, 10 Sep 2019 21:14:56 GMT (envelope-from jkim@FreeBSD.org) Message-Id: <201909102114.x8ALEuML088421@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jkim set sender to jkim@FreeBSD.org using -f From: Jung-uk Kim Date: Tue, 10 Sep 2019 21:14:56 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r352193 - in stable/11: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/bn crypto/openssl/crypto/cms crypto/openssl/crypto/ec crypto/openssl/crypto/pem cr... X-SVN-Group: stable-11 X-SVN-Commit-Author: jkim X-SVN-Commit-Paths: in stable/11: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/bn crypto/openssl/crypto/cms crypto/openssl/crypto/ec crypto/openssl/crypto/pem crypto/openssl/crypto/pkcs7... X-SVN-Commit-Revision: 352193 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2019 21:15:01 -0000 Author: jkim Date: Tue Sep 10 21:14:56 2019 New Revision: 352193 URL: https://svnweb.freebsd.org/changeset/base/352193 Log: Merge OpenSSL 1.0.2t. Modified: stable/11/crypto/openssl/CHANGES stable/11/crypto/openssl/Configure stable/11/crypto/openssl/Makefile stable/11/crypto/openssl/NEWS stable/11/crypto/openssl/README stable/11/crypto/openssl/apps/CA.pl stable/11/crypto/openssl/crypto/arm_arch.h stable/11/crypto/openssl/crypto/armcap.c stable/11/crypto/openssl/crypto/bn/Makefile stable/11/crypto/openssl/crypto/bn/bn_lib.c stable/11/crypto/openssl/crypto/bn_int.h stable/11/crypto/openssl/crypto/cms/cms_env.c stable/11/crypto/openssl/crypto/cms/cms_lcl.h stable/11/crypto/openssl/crypto/cms/cms_smime.c stable/11/crypto/openssl/crypto/constant_time_locl.h stable/11/crypto/openssl/crypto/cryptlib.h stable/11/crypto/openssl/crypto/ec/Makefile stable/11/crypto/openssl/crypto/ec/ec.h stable/11/crypto/openssl/crypto/ec/ec_asn1.c stable/11/crypto/openssl/crypto/ec/ec_curve.c stable/11/crypto/openssl/crypto/ec/ec_err.c stable/11/crypto/openssl/crypto/ec/ec_lcl.h stable/11/crypto/openssl/crypto/ec/ec_lib.c stable/11/crypto/openssl/crypto/ec/ecp_nistp224.c stable/11/crypto/openssl/crypto/ec/ecp_nistp256.c stable/11/crypto/openssl/crypto/ec/ecp_nistp521.c stable/11/crypto/openssl/crypto/opensslv.h stable/11/crypto/openssl/crypto/pem/pvkfmt.c stable/11/crypto/openssl/crypto/pkcs7/pk7_doit.c stable/11/crypto/openssl/crypto/rsa/rsa_chk.c stable/11/crypto/openssl/crypto/x509/x509_cmp.c stable/11/crypto/openssl/crypto/x509v3/v3_alt.c stable/11/crypto/openssl/util/libeay.num stable/11/secure/lib/libcrypto/Makefile.inc stable/11/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 stable/11/secure/lib/libcrypto/man/ASN1_STRING_length.3 stable/11/secure/lib/libcrypto/man/ASN1_STRING_new.3 stable/11/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 stable/11/secure/lib/libcrypto/man/ASN1_TIME_set.3 stable/11/secure/lib/libcrypto/man/ASN1_generate_nconf.3 stable/11/secure/lib/libcrypto/man/BIO_ctrl.3 stable/11/secure/lib/libcrypto/man/BIO_f_base64.3 stable/11/secure/lib/libcrypto/man/BIO_f_buffer.3 stable/11/secure/lib/libcrypto/man/BIO_f_cipher.3 stable/11/secure/lib/libcrypto/man/BIO_f_md.3 stable/11/secure/lib/libcrypto/man/BIO_f_null.3 stable/11/secure/lib/libcrypto/man/BIO_f_ssl.3 stable/11/secure/lib/libcrypto/man/BIO_find_type.3 stable/11/secure/lib/libcrypto/man/BIO_new.3 stable/11/secure/lib/libcrypto/man/BIO_new_CMS.3 stable/11/secure/lib/libcrypto/man/BIO_push.3 stable/11/secure/lib/libcrypto/man/BIO_read.3 stable/11/secure/lib/libcrypto/man/BIO_s_accept.3 stable/11/secure/lib/libcrypto/man/BIO_s_bio.3 stable/11/secure/lib/libcrypto/man/BIO_s_connect.3 stable/11/secure/lib/libcrypto/man/BIO_s_fd.3 stable/11/secure/lib/libcrypto/man/BIO_s_file.3 stable/11/secure/lib/libcrypto/man/BIO_s_mem.3 stable/11/secure/lib/libcrypto/man/BIO_s_null.3 stable/11/secure/lib/libcrypto/man/BIO_s_socket.3 stable/11/secure/lib/libcrypto/man/BIO_set_callback.3 stable/11/secure/lib/libcrypto/man/BIO_should_retry.3 stable/11/secure/lib/libcrypto/man/BN_BLINDING_new.3 stable/11/secure/lib/libcrypto/man/BN_CTX_new.3 stable/11/secure/lib/libcrypto/man/BN_CTX_start.3 stable/11/secure/lib/libcrypto/man/BN_add.3 stable/11/secure/lib/libcrypto/man/BN_add_word.3 stable/11/secure/lib/libcrypto/man/BN_bn2bin.3 stable/11/secure/lib/libcrypto/man/BN_cmp.3 stable/11/secure/lib/libcrypto/man/BN_copy.3 stable/11/secure/lib/libcrypto/man/BN_generate_prime.3 stable/11/secure/lib/libcrypto/man/BN_mod_inverse.3 stable/11/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 stable/11/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 stable/11/secure/lib/libcrypto/man/BN_new.3 stable/11/secure/lib/libcrypto/man/BN_num_bytes.3 stable/11/secure/lib/libcrypto/man/BN_rand.3 stable/11/secure/lib/libcrypto/man/BN_set_bit.3 stable/11/secure/lib/libcrypto/man/BN_swap.3 stable/11/secure/lib/libcrypto/man/BN_zero.3 stable/11/secure/lib/libcrypto/man/CMS_add0_cert.3 stable/11/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3 stable/11/secure/lib/libcrypto/man/CMS_add1_signer.3 stable/11/secure/lib/libcrypto/man/CMS_compress.3 stable/11/secure/lib/libcrypto/man/CMS_decrypt.3 stable/11/secure/lib/libcrypto/man/CMS_encrypt.3 stable/11/secure/lib/libcrypto/man/CMS_final.3 stable/11/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3 stable/11/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3 stable/11/secure/lib/libcrypto/man/CMS_get0_type.3 stable/11/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 stable/11/secure/lib/libcrypto/man/CMS_sign.3 stable/11/secure/lib/libcrypto/man/CMS_sign_receipt.3 stable/11/secure/lib/libcrypto/man/CMS_uncompress.3 stable/11/secure/lib/libcrypto/man/CMS_verify.3 stable/11/secure/lib/libcrypto/man/CMS_verify_receipt.3 stable/11/secure/lib/libcrypto/man/CONF_modules_free.3 stable/11/secure/lib/libcrypto/man/CONF_modules_load_file.3 stable/11/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 stable/11/secure/lib/libcrypto/man/DH_generate_key.3 stable/11/secure/lib/libcrypto/man/DH_generate_parameters.3 stable/11/secure/lib/libcrypto/man/DH_get_ex_new_index.3 stable/11/secure/lib/libcrypto/man/DH_new.3 stable/11/secure/lib/libcrypto/man/DH_set_method.3 stable/11/secure/lib/libcrypto/man/DH_size.3 stable/11/secure/lib/libcrypto/man/DSA_SIG_new.3 stable/11/secure/lib/libcrypto/man/DSA_do_sign.3 stable/11/secure/lib/libcrypto/man/DSA_dup_DH.3 stable/11/secure/lib/libcrypto/man/DSA_generate_key.3 stable/11/secure/lib/libcrypto/man/DSA_generate_parameters.3 stable/11/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 stable/11/secure/lib/libcrypto/man/DSA_new.3 stable/11/secure/lib/libcrypto/man/DSA_set_method.3 stable/11/secure/lib/libcrypto/man/DSA_sign.3 stable/11/secure/lib/libcrypto/man/DSA_size.3 stable/11/secure/lib/libcrypto/man/EC_GFp_simple_method.3 stable/11/secure/lib/libcrypto/man/EC_GROUP_copy.3 stable/11/secure/lib/libcrypto/man/EC_GROUP_new.3 stable/11/secure/lib/libcrypto/man/EC_KEY_new.3 stable/11/secure/lib/libcrypto/man/EC_POINT_add.3 stable/11/secure/lib/libcrypto/man/EC_POINT_new.3 stable/11/secure/lib/libcrypto/man/ERR_GET_LIB.3 stable/11/secure/lib/libcrypto/man/ERR_clear_error.3 stable/11/secure/lib/libcrypto/man/ERR_error_string.3 stable/11/secure/lib/libcrypto/man/ERR_get_error.3 stable/11/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 stable/11/secure/lib/libcrypto/man/ERR_load_strings.3 stable/11/secure/lib/libcrypto/man/ERR_print_errors.3 stable/11/secure/lib/libcrypto/man/ERR_put_error.3 stable/11/secure/lib/libcrypto/man/ERR_remove_state.3 stable/11/secure/lib/libcrypto/man/ERR_set_mark.3 stable/11/secure/lib/libcrypto/man/EVP_BytesToKey.3 stable/11/secure/lib/libcrypto/man/EVP_DigestInit.3 stable/11/secure/lib/libcrypto/man/EVP_DigestSignInit.3 stable/11/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3 stable/11/secure/lib/libcrypto/man/EVP_EncodeInit.3 stable/11/secure/lib/libcrypto/man/EVP_EncryptInit.3 stable/11/secure/lib/libcrypto/man/EVP_OpenInit.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_cmp.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_derive.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_keygen.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_meth_new.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_new.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_print_private.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_sign.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_verify.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3 stable/11/secure/lib/libcrypto/man/EVP_SealInit.3 stable/11/secure/lib/libcrypto/man/EVP_SignInit.3 stable/11/secure/lib/libcrypto/man/EVP_VerifyInit.3 stable/11/secure/lib/libcrypto/man/OBJ_nid2obj.3 stable/11/secure/lib/libcrypto/man/OPENSSL_Applink.3 stable/11/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 stable/11/secure/lib/libcrypto/man/OPENSSL_config.3 stable/11/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 stable/11/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3 stable/11/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 stable/11/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 stable/11/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 stable/11/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 stable/11/secure/lib/libcrypto/man/PKCS12_create.3 stable/11/secure/lib/libcrypto/man/PKCS12_parse.3 stable/11/secure/lib/libcrypto/man/PKCS7_decrypt.3 stable/11/secure/lib/libcrypto/man/PKCS7_encrypt.3 stable/11/secure/lib/libcrypto/man/PKCS7_sign.3 stable/11/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3 stable/11/secure/lib/libcrypto/man/PKCS7_verify.3 stable/11/secure/lib/libcrypto/man/RAND_add.3 stable/11/secure/lib/libcrypto/man/RAND_bytes.3 stable/11/secure/lib/libcrypto/man/RAND_cleanup.3 stable/11/secure/lib/libcrypto/man/RAND_egd.3 stable/11/secure/lib/libcrypto/man/RAND_load_file.3 stable/11/secure/lib/libcrypto/man/RAND_set_rand_method.3 stable/11/secure/lib/libcrypto/man/RSA_blinding_on.3 stable/11/secure/lib/libcrypto/man/RSA_check_key.3 stable/11/secure/lib/libcrypto/man/RSA_generate_key.3 stable/11/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 stable/11/secure/lib/libcrypto/man/RSA_new.3 stable/11/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 stable/11/secure/lib/libcrypto/man/RSA_print.3 stable/11/secure/lib/libcrypto/man/RSA_private_encrypt.3 stable/11/secure/lib/libcrypto/man/RSA_public_encrypt.3 stable/11/secure/lib/libcrypto/man/RSA_set_method.3 stable/11/secure/lib/libcrypto/man/RSA_sign.3 stable/11/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 stable/11/secure/lib/libcrypto/man/RSA_size.3 stable/11/secure/lib/libcrypto/man/SMIME_read_CMS.3 stable/11/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 stable/11/secure/lib/libcrypto/man/SMIME_write_CMS.3 stable/11/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 stable/11/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 stable/11/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 stable/11/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 stable/11/secure/lib/libcrypto/man/X509_NAME_print_ex.3 stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3 stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_new.3 stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 stable/11/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 stable/11/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 stable/11/secure/lib/libcrypto/man/X509_check_host.3 stable/11/secure/lib/libcrypto/man/X509_check_private_key.3 stable/11/secure/lib/libcrypto/man/X509_cmp_time.3 stable/11/secure/lib/libcrypto/man/X509_new.3 stable/11/secure/lib/libcrypto/man/X509_verify_cert.3 stable/11/secure/lib/libcrypto/man/bio.3 stable/11/secure/lib/libcrypto/man/blowfish.3 stable/11/secure/lib/libcrypto/man/bn.3 stable/11/secure/lib/libcrypto/man/bn_internal.3 stable/11/secure/lib/libcrypto/man/buffer.3 stable/11/secure/lib/libcrypto/man/crypto.3 stable/11/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 stable/11/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3 stable/11/secure/lib/libcrypto/man/d2i_DHparams.3 stable/11/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 stable/11/secure/lib/libcrypto/man/d2i_ECPKParameters.3 stable/11/secure/lib/libcrypto/man/d2i_ECPrivateKey.3 stable/11/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 stable/11/secure/lib/libcrypto/man/d2i_PrivateKey.3 stable/11/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 stable/11/secure/lib/libcrypto/man/d2i_X509.3 stable/11/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 stable/11/secure/lib/libcrypto/man/d2i_X509_CRL.3 stable/11/secure/lib/libcrypto/man/d2i_X509_NAME.3 stable/11/secure/lib/libcrypto/man/d2i_X509_REQ.3 stable/11/secure/lib/libcrypto/man/d2i_X509_SIG.3 stable/11/secure/lib/libcrypto/man/des.3 stable/11/secure/lib/libcrypto/man/dh.3 stable/11/secure/lib/libcrypto/man/dsa.3 stable/11/secure/lib/libcrypto/man/ec.3 stable/11/secure/lib/libcrypto/man/ecdsa.3 stable/11/secure/lib/libcrypto/man/engine.3 stable/11/secure/lib/libcrypto/man/err.3 stable/11/secure/lib/libcrypto/man/evp.3 stable/11/secure/lib/libcrypto/man/hmac.3 stable/11/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3 stable/11/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 stable/11/secure/lib/libcrypto/man/lh_stats.3 stable/11/secure/lib/libcrypto/man/lhash.3 stable/11/secure/lib/libcrypto/man/md5.3 stable/11/secure/lib/libcrypto/man/mdc2.3 stable/11/secure/lib/libcrypto/man/pem.3 stable/11/secure/lib/libcrypto/man/rand.3 stable/11/secure/lib/libcrypto/man/rc4.3 stable/11/secure/lib/libcrypto/man/ripemd.3 stable/11/secure/lib/libcrypto/man/rsa.3 stable/11/secure/lib/libcrypto/man/sha.3 stable/11/secure/lib/libcrypto/man/threads.3 stable/11/secure/lib/libcrypto/man/ui.3 stable/11/secure/lib/libcrypto/man/ui_compat.3 stable/11/secure/lib/libcrypto/man/x509.3 stable/11/secure/lib/libssl/man/SSL_CIPHER_get_name.3 stable/11/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 stable/11/secure/lib/libssl/man/SSL_CONF_CTX_new.3 stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set1_prefix.3 stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set_flags.3 stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set_ssl_ctx.3 stable/11/secure/lib/libssl/man/SSL_CONF_cmd.3 stable/11/secure/lib/libssl/man/SSL_CONF_cmd_argv.3 stable/11/secure/lib/libssl/man/SSL_CTX_add1_chain_cert.3 stable/11/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 stable/11/secure/lib/libssl/man/SSL_CTX_add_session.3 stable/11/secure/lib/libssl/man/SSL_CTX_ctrl.3 stable/11/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 stable/11/secure/lib/libssl/man/SSL_CTX_free.3 stable/11/secure/lib/libssl/man/SSL_CTX_get0_param.3 stable/11/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 stable/11/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 stable/11/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 stable/11/secure/lib/libssl/man/SSL_CTX_new.3 stable/11/secure/lib/libssl/man/SSL_CTX_sess_number.3 stable/11/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 stable/11/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_sessions.3 stable/11/secure/lib/libssl/man/SSL_CTX_set1_curves.3 stable/11/secure/lib/libssl/man/SSL_CTX_set1_verify_cert_store.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_custom_cli_ext.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_mode.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_options.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_read_ahead.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_timeout.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_verify.3 stable/11/secure/lib/libssl/man/SSL_CTX_use_certificate.3 stable/11/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 stable/11/secure/lib/libssl/man/SSL_CTX_use_serverinfo.3 stable/11/secure/lib/libssl/man/SSL_SESSION_free.3 stable/11/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 stable/11/secure/lib/libssl/man/SSL_SESSION_get_time.3 stable/11/secure/lib/libssl/man/SSL_accept.3 stable/11/secure/lib/libssl/man/SSL_alert_type_string.3 stable/11/secure/lib/libssl/man/SSL_check_chain.3 stable/11/secure/lib/libssl/man/SSL_clear.3 stable/11/secure/lib/libssl/man/SSL_connect.3 stable/11/secure/lib/libssl/man/SSL_do_handshake.3 stable/11/secure/lib/libssl/man/SSL_export_keying_material.3 stable/11/secure/lib/libssl/man/SSL_free.3 stable/11/secure/lib/libssl/man/SSL_get_SSL_CTX.3 stable/11/secure/lib/libssl/man/SSL_get_ciphers.3 stable/11/secure/lib/libssl/man/SSL_get_client_CA_list.3 stable/11/secure/lib/libssl/man/SSL_get_current_cipher.3 stable/11/secure/lib/libssl/man/SSL_get_default_timeout.3 stable/11/secure/lib/libssl/man/SSL_get_error.3 stable/11/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 stable/11/secure/lib/libssl/man/SSL_get_ex_new_index.3 stable/11/secure/lib/libssl/man/SSL_get_fd.3 stable/11/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 stable/11/secure/lib/libssl/man/SSL_get_peer_certificate.3 stable/11/secure/lib/libssl/man/SSL_get_psk_identity.3 stable/11/secure/lib/libssl/man/SSL_get_rbio.3 stable/11/secure/lib/libssl/man/SSL_get_session.3 stable/11/secure/lib/libssl/man/SSL_get_verify_result.3 stable/11/secure/lib/libssl/man/SSL_get_version.3 stable/11/secure/lib/libssl/man/SSL_library_init.3 stable/11/secure/lib/libssl/man/SSL_load_client_CA_file.3 stable/11/secure/lib/libssl/man/SSL_new.3 stable/11/secure/lib/libssl/man/SSL_pending.3 stable/11/secure/lib/libssl/man/SSL_read.3 stable/11/secure/lib/libssl/man/SSL_rstate_string.3 stable/11/secure/lib/libssl/man/SSL_session_reused.3 stable/11/secure/lib/libssl/man/SSL_set_bio.3 stable/11/secure/lib/libssl/man/SSL_set_connect_state.3 stable/11/secure/lib/libssl/man/SSL_set_fd.3 stable/11/secure/lib/libssl/man/SSL_set_session.3 stable/11/secure/lib/libssl/man/SSL_set_shutdown.3 stable/11/secure/lib/libssl/man/SSL_set_verify_result.3 stable/11/secure/lib/libssl/man/SSL_shutdown.3 stable/11/secure/lib/libssl/man/SSL_state_string.3 stable/11/secure/lib/libssl/man/SSL_want.3 stable/11/secure/lib/libssl/man/SSL_write.3 stable/11/secure/lib/libssl/man/d2i_SSL_SESSION.3 stable/11/secure/lib/libssl/man/ssl.3 stable/11/secure/usr.bin/openssl/man/CA.pl.1 stable/11/secure/usr.bin/openssl/man/asn1parse.1 stable/11/secure/usr.bin/openssl/man/ca.1 stable/11/secure/usr.bin/openssl/man/ciphers.1 stable/11/secure/usr.bin/openssl/man/cms.1 stable/11/secure/usr.bin/openssl/man/crl.1 stable/11/secure/usr.bin/openssl/man/crl2pkcs7.1 stable/11/secure/usr.bin/openssl/man/dgst.1 stable/11/secure/usr.bin/openssl/man/dhparam.1 stable/11/secure/usr.bin/openssl/man/dsa.1 stable/11/secure/usr.bin/openssl/man/dsaparam.1 stable/11/secure/usr.bin/openssl/man/ec.1 stable/11/secure/usr.bin/openssl/man/ecparam.1 stable/11/secure/usr.bin/openssl/man/enc.1 stable/11/secure/usr.bin/openssl/man/errstr.1 stable/11/secure/usr.bin/openssl/man/gendsa.1 stable/11/secure/usr.bin/openssl/man/genpkey.1 stable/11/secure/usr.bin/openssl/man/genrsa.1 stable/11/secure/usr.bin/openssl/man/nseq.1 stable/11/secure/usr.bin/openssl/man/ocsp.1 stable/11/secure/usr.bin/openssl/man/openssl.1 stable/11/secure/usr.bin/openssl/man/passwd.1 stable/11/secure/usr.bin/openssl/man/pkcs12.1 stable/11/secure/usr.bin/openssl/man/pkcs7.1 stable/11/secure/usr.bin/openssl/man/pkcs8.1 stable/11/secure/usr.bin/openssl/man/pkey.1 stable/11/secure/usr.bin/openssl/man/pkeyparam.1 stable/11/secure/usr.bin/openssl/man/pkeyutl.1 stable/11/secure/usr.bin/openssl/man/rand.1 stable/11/secure/usr.bin/openssl/man/req.1 stable/11/secure/usr.bin/openssl/man/rsa.1 stable/11/secure/usr.bin/openssl/man/rsautl.1 stable/11/secure/usr.bin/openssl/man/s_client.1 stable/11/secure/usr.bin/openssl/man/s_server.1 stable/11/secure/usr.bin/openssl/man/s_time.1 stable/11/secure/usr.bin/openssl/man/sess_id.1 stable/11/secure/usr.bin/openssl/man/smime.1 stable/11/secure/usr.bin/openssl/man/speed.1 stable/11/secure/usr.bin/openssl/man/spkac.1 stable/11/secure/usr.bin/openssl/man/ts.1 stable/11/secure/usr.bin/openssl/man/tsget.1 stable/11/secure/usr.bin/openssl/man/verify.1 stable/11/secure/usr.bin/openssl/man/version.1 stable/11/secure/usr.bin/openssl/man/x509.1 stable/11/secure/usr.bin/openssl/man/x509v3_config.1 Modified: stable/11/crypto/openssl/CHANGES ============================================================================== --- stable/11/crypto/openssl/CHANGES Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/CHANGES Tue Sep 10 21:14:56 2019 (r352193) @@ -7,6 +7,48 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.0.2s and 1.0.2t [10 Sep 2019] + + *) For built-in EC curves, ensure an EC_GROUP built from the curve name is + used even when parsing explicit parameters, when loading a serialized key + or calling `EC_GROUP_new_from_ecpkparameters()`/ + `EC_GROUP_new_from_ecparameters()`. + This prevents bypass of security hardening and performance gains, + especially for curves with specialized EC_METHODs. + By default, if a key encoded with explicit parameters is loaded and later + serialized, the output is still encoded with explicit parameters, even if + internally a "named" EC_GROUP is used for computation. + [Nicola Tuveri] + + *) Compute ECC cofactors if not provided during EC_GROUP construction. Before + this change, EC_GROUP_set_generator would accept order and/or cofactor as + NULL. After this change, only the cofactor parameter can be NULL. It also + does some minimal sanity checks on the passed order. + (CVE-2019-1547) + [Billy Bob Brumley] + + *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. + An attack is simple, if the first CMS_recipientInfo is valid but the + second CMS_recipientInfo is chosen ciphertext. If the second + recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct + encryption key will be replaced by garbage, and the message cannot be + decoded, but if the RSA decryption fails, the correct encryption key is + used and the recipient will not notice the attack. + As a work around for this potential attack the length of the decrypted + key must be equal to the cipher default key length, in case the + certifiate is not given and all recipientInfo are tried out. + The old behaviour can be re-enabled in the CMS code by setting the + CMS_DEBUG_DECRYPT flag. + (CVE-2019-1563) + [Bernd Edlinger] + + *) Document issue with installation paths in diverse Windows builds + + '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL + binaries and run-time config file. + (CVE-2019-1552) + [Richard Levitte] + Changes between 1.0.2r and 1.0.2s [28 May 2019] *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. Modified: stable/11/crypto/openssl/Configure ============================================================================== --- stable/11/crypto/openssl/Configure Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/Configure Tue Sep 10 21:14:56 2019 (r352193) @@ -118,7 +118,7 @@ my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wn # -Wincompatible-pointer-types-discards-qualifiers, -Wcast-align, # -Wunreachable-code -Wunused-parameter -Wlanguage-extension-token # -Wextended-offsetof -my $clang_disabled_warnings = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof"; +my $clang_disabled_warnings = "-Wno-unknown-warning-option -Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof"; # These are used in addition to $gcc_devteam_warn when the compiler is clang. # TODO(openssl-team): fix problems and investigate if (at least) the @@ -128,7 +128,7 @@ my $clang_disabled_warnings = "-Wno-unused-parameter - # -Wincompatible-pointer-types-discards-qualifiers, -Wcast-align, # -Wunreachable-code -Wunused-parameter -Wlanguage-extension-token # -Wextended-offsetof -my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments"; +my $clang_devteam_warn = "-Wno-unknown-warning-option -Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments"; # Warn that "make depend" should be run? my $warn_make_depend = 0; Modified: stable/11/crypto/openssl/Makefile ============================================================================== --- stable/11/crypto/openssl/Makefile Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/Makefile Tue Sep 10 21:14:56 2019 (r352193) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2s +VERSION=1.0.2t MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 @@ -70,7 +70,7 @@ AR= ar $(ARFLAGS) r RANLIB= /usr/bin/ranlib RC= windres NM= nm -PERL= /usr/local/bin/perl +PERL= /usr/bin/perl TAR= tar TARFLAGS= --no-recursion MAKEDEPPROG= gcc Modified: stable/11/crypto/openssl/NEWS ============================================================================== --- stable/11/crypto/openssl/NEWS Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/NEWS Tue Sep 10 21:14:56 2019 (r352193) @@ -5,6 +5,21 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019] + + o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey + (CVE-2019-1563) + o For built-in EC curves, ensure an EC_GROUP built from the curve name is + used even when parsing explicit parameters + o Compute ECC cofactors if not provided during EC_GROUP construction + (CVE-2019-1547) + o Document issue with installation paths in diverse Windows builds + (CVE-2019-1552) + + Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019] + + o None + Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] o 0-byte record padding oracle (CVE-2019-1559) Modified: stable/11/crypto/openssl/README ============================================================================== --- stable/11/crypto/openssl/README Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/README Tue Sep 10 21:14:56 2019 (r352193) @@ -1,5 +1,5 @@ - OpenSSL 1.0.2s 28 May 2019 + OpenSSL 1.0.2t 10 Sep 2019 Copyright (c) 1998-2019 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: stable/11/crypto/openssl/apps/CA.pl ============================================================================== --- stable/11/crypto/openssl/apps/CA.pl Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/apps/CA.pl Tue Sep 10 21:14:56 2019 (r352193) @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes Modified: stable/11/crypto/openssl/crypto/arm_arch.h ============================================================================== --- stable/11/crypto/openssl/crypto/arm_arch.h Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/arm_arch.h Tue Sep 10 21:14:56 2019 (r352193) @@ -64,7 +64,7 @@ # endif # endif -# if !__ASSEMBLER__ +# ifndef __ASSEMBLER__ extern unsigned int OPENSSL_armcap_P; # endif Modified: stable/11/crypto/openssl/crypto/armcap.c ============================================================================== --- stable/11/crypto/openssl/crypto/armcap.c Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/armcap.c Tue Sep 10 21:14:56 2019 (r352193) @@ -5,6 +5,7 @@ #include #include +#include "cryptlib.h" #include "arm_arch.h" __attribute__ ((visibility("hidden"))) Modified: stable/11/crypto/openssl/crypto/bn/Makefile ============================================================================== --- stable/11/crypto/openssl/crypto/bn/Makefile Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/bn/Makefile Tue Sep 10 21:14:56 2019 (r352193) @@ -297,8 +297,8 @@ bn_lib.o: ../../include/openssl/e_os2.h ../../include/ bn_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -bn_lib.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h -bn_lib.o: bn_lib.c +bn_lib.o: ../../include/openssl/symhacks.h ../bn_int.h ../constant_time_locl.h +bn_lib.o: ../cryptlib.h bn_lcl.h bn_lib.c bn_mod.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_mod.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_mod.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h Modified: stable/11/crypto/openssl/crypto/bn/bn_lib.c ============================================================================== --- stable/11/crypto/openssl/crypto/bn/bn_lib.c Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/bn/bn_lib.c Tue Sep 10 21:14:56 2019 (r352193) @@ -66,6 +66,7 @@ #include #include "cryptlib.h" #include "bn_lcl.h" +#include "constant_time_locl.h" const char BN_version[] = "Big Number" OPENSSL_VERSION_PTEXT; @@ -187,13 +188,57 @@ int BN_num_bits_word(BN_ULONG l) return bits; } +/* + * This function still leaks `a->dmax`: it's caller's responsibility to + * expand the input `a` in advance to a public length. + */ +static inline +int bn_num_bits_consttime(const BIGNUM *a) +{ + int j, ret; + unsigned int mask, past_i; + int i = a->top - 1; + bn_check_top(a); + + for (j = 0, past_i = 0, ret = 0; j < a->dmax; j++) { + mask = constant_time_eq_int(i, j); /* 0xff..ff if i==j, 0x0 otherwise */ + + ret += BN_BITS2 & (~mask & ~past_i); + ret += BN_num_bits_word(a->d[j]) & mask; + + past_i |= mask; /* past_i will become 0xff..ff after i==j */ + } + + /* + * if BN_is_zero(a) => i is -1 and ret contains garbage, so we mask the + * final result. + */ + mask = ~(constant_time_eq_int(i, ((int)-1))); + + return ret & mask; +} + int BN_num_bits(const BIGNUM *a) { int i = a->top - 1; bn_check_top(a); + if (a->flags & BN_FLG_CONSTTIME) { + /* + * We assume that BIGNUMs flagged as CONSTTIME have also been expanded + * so that a->dmax is not leaking secret information. + * + * In other words, it's the caller's responsibility to ensure `a` has + * been preallocated in advance to a public length if we hit this + * branch. + * + */ + return bn_num_bits_consttime(a); + } + if (BN_is_zero(a)) return 0; + return ((i * BN_BITS2) + BN_num_bits_word(a->d[i])); } @@ -613,8 +658,11 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIG return (ret); } +typedef enum {big, little} endianess_t; + /* ignore negative */ -static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +static +int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianess_t endianess) { int n; size_t i, lasti, j, atop, mask; @@ -646,10 +694,17 @@ static int bn2binpad(const BIGNUM *a, unsigned char *t lasti = atop - 1; atop = a->top * BN_BYTES; - for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) { + if (endianess == big) + to += tolen; /* start from the end of the buffer */ + for (i = 0, j = 0; j < (size_t)tolen; j++) { + unsigned char val; l = a->d[i / BN_BYTES]; mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1)); - *--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); + val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); + if (endianess == big) + *--to = val; + else + *to++ = val; i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */ } @@ -660,21 +715,66 @@ int bn_bn2binpad(const BIGNUM *a, unsigned char *to, i { if (tolen < 0) return -1; - return bn2binpad(a, to, tolen); + return bn2binpad(a, to, tolen, big); } int BN_bn2bin(const BIGNUM *a, unsigned char *to) { - int n, i; + return bn2binpad(a, to, -1, big); +} + +BIGNUM *bn_lebin2bn(const unsigned char *s, int len, BIGNUM *ret) +{ + unsigned int i, m; + unsigned int n; BN_ULONG l; + BIGNUM *bn = NULL; - bn_check_top(a); - n = i = BN_num_bytes(a); - while (i--) { - l = a->d[i / BN_BYTES]; - *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; + if (ret == NULL) + ret = bn = BN_new(); + if (ret == NULL) + return NULL; + bn_check_top(ret); + s += len; + /* Skip trailing zeroes. */ + for ( ; len > 0 && s[-1] == 0; s--, len--) + continue; + n = len; + if (n == 0) { + ret->top = 0; + return ret; } - return (n); + i = ((n - 1) / BN_BYTES) + 1; + m = ((n - 1) % (BN_BYTES)); + if (bn_wexpand(ret, (int)i) == NULL) { + BN_free(bn); + return NULL; + } + ret->top = i; + ret->neg = 0; + l = 0; + while (n--) { + s--; + l = (l << 8L) | *s; + if (m-- == 0) { + ret->d[--i] = l; + l = 0; + m = BN_BYTES - 1; + } + } + /* + * need to call this due to clear byte at top if avoiding having the top + * bit set (-ve number) + */ + bn_correct_top(ret); + return ret; +} + +int bn_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen) +{ + if (tolen < 0) + return -1; + return bn2binpad(a, to, tolen, little); } int BN_ucmp(const BIGNUM *a, const BIGNUM *b) Modified: stable/11/crypto/openssl/crypto/bn_int.h ============================================================================== --- stable/11/crypto/openssl/crypto/bn_int.h Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/bn_int.h Tue Sep 10 21:14:56 2019 (r352193) @@ -19,3 +19,6 @@ int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen); + +BIGNUM *bn_lebin2bn(const unsigned char *s, int len, BIGNUM *ret); +int bn_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen); Modified: stable/11/crypto/openssl/crypto/cms/cms_env.c ============================================================================== --- stable/11/crypto/openssl/crypto/cms/cms_env.c Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/cms/cms_env.c Tue Sep 10 21:14:56 2019 (r352193) @@ -4,7 +4,7 @@ * project. */ /* ==================================================================== - * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 2008-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -422,6 +422,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentI unsigned char *ek = NULL; size_t eklen; int ret = 0; + size_t fixlen = 0; CMS_EncryptedContentInfo *ec; ec = cms->d.envelopedData->encryptedContentInfo; @@ -430,6 +431,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentI return 0; } + if (cms->d.envelopedData->encryptedContentInfo->havenocert + && !cms->d.envelopedData->encryptedContentInfo->debug) { + X509_ALGOR *calg = ec->contentEncryptionAlgorithm; + const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm); + + if (ciph == NULL) { + CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER); + return 0; + } + + fixlen = EVP_CIPHER_key_length(ciph); + } + ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL); if (!ktri->pctx) return 0; @@ -460,7 +474,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentI if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen, ktri->encryptedKey->data, - ktri->encryptedKey->length) <= 0) { + ktri->encryptedKey->length) <= 0 + || eklen == 0 + || (fixlen != 0 && eklen != fixlen)) { CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB); goto err; } Modified: stable/11/crypto/openssl/crypto/cms/cms_lcl.h ============================================================================== --- stable/11/crypto/openssl/crypto/cms/cms_lcl.h Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/cms/cms_lcl.h Tue Sep 10 21:14:56 2019 (r352193) @@ -4,7 +4,7 @@ * project. */ /* ==================================================================== - * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 2008-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -172,6 +172,8 @@ struct CMS_EncryptedContentInfo_st { size_t keylen; /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */ int debug; + /* Set to 1 if we have no cert and need extra safety measures for MMA */ + int havenocert; }; struct CMS_RecipientInfo_st { Modified: stable/11/crypto/openssl/crypto/cms/cms_smime.c ============================================================================== --- stable/11/crypto/openssl/crypto/cms/cms_smime.c Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/cms/cms_smime.c Tue Sep 10 21:14:56 2019 (r352193) @@ -4,7 +4,7 @@ * project. */ /* ==================================================================== - * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 2008-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -737,6 +737,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X5 cms->d.envelopedData->encryptedContentInfo->debug = 1; else cms->d.envelopedData->encryptedContentInfo->debug = 0; + if (!cert) + cms->d.envelopedData->encryptedContentInfo->havenocert = 1; + else + cms->d.envelopedData->encryptedContentInfo->havenocert = 0; if (!pk && !cert && !dcont && !out) return 1; if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert)) Modified: stable/11/crypto/openssl/crypto/constant_time_locl.h ============================================================================== --- stable/11/crypto/openssl/crypto/constant_time_locl.h Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/constant_time_locl.h Tue Sep 10 21:14:56 2019 (r352193) @@ -6,7 +6,7 @@ * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley * (Google). * ==================================================================== - * Copyright (c) 2014 The OpenSSL Project. All rights reserved. + * Copyright (c) 2014-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -185,11 +185,29 @@ static inline unsigned char constant_time_eq_int_8(int return constant_time_eq_8((unsigned)(a), (unsigned)(b)); } +/* + * Returns the value unmodified, but avoids optimizations. + * The barriers prevent the compiler from narrowing down the + * possible value range of the mask and ~mask in the select + * statements, which avoids the recognition of the select + * and turning it into a conditional load or branch. + */ +static inline unsigned int value_barrier(unsigned int a) +{ +#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) + unsigned int r; + __asm__("" : "=r"(r) : "0"(a)); +#else + volatile unsigned int r = a; +#endif + return r; +} + static inline unsigned int constant_time_select(unsigned int mask, unsigned int a, unsigned int b) { - return (mask & a) | (~mask & b); + return (value_barrier(mask) & a) | (value_barrier(~mask) & b); } static inline unsigned char constant_time_select_8(unsigned char mask, Modified: stable/11/crypto/openssl/crypto/cryptlib.h ============================================================================== --- stable/11/crypto/openssl/crypto/cryptlib.h Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/cryptlib.h Tue Sep 10 21:14:56 2019 (r352193) @@ -106,6 +106,8 @@ extern int OPENSSL_NONPIC_relocated; char *ossl_safe_getenv(const char *); +unsigned long OPENSSL_rdtsc(void); + #ifdef __cplusplus } #endif Modified: stable/11/crypto/openssl/crypto/ec/Makefile ============================================================================== --- stable/11/crypto/openssl/crypto/ec/Makefile Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/ec/Makefile Tue Sep 10 21:14:56 2019 (r352193) @@ -156,7 +156,7 @@ ec_curve.o: ../../include/openssl/err.h ../../include/ ec_curve.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h ec_curve.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ec_curve.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -ec_curve.o: ../../include/openssl/symhacks.h ec_curve.c ec_lcl.h +ec_curve.o: ../../include/openssl/symhacks.h ../bn_int.h ec_curve.c ec_lcl.h ec_cvt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ec_cvt.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h ec_cvt.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h Modified: stable/11/crypto/openssl/crypto/ec/ec.h ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ec.h Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/ec/ec.h Tue Sep 10 21:14:56 2019 (r352193) @@ -7,7 +7,7 @@ * \author Originally written by Bodo Moeller for the OpenSSL project */ /* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1073,6 +1073,7 @@ int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int o * The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ + void ERR_load_EC_strings(void); /* Error codes for the EC functions. */ @@ -1270,13 +1271,14 @@ void ERR_load_EC_strings(void); # define EC_R_SLOT_FULL 108 # define EC_R_UNDEFINED_GENERATOR 113 # define EC_R_UNDEFINED_ORDER 128 +# define EC_R_UNKNOWN_COFACTOR 152 # define EC_R_UNKNOWN_GROUP 129 # define EC_R_UNKNOWN_ORDER 114 # define EC_R_UNSUPPORTED_FIELD 131 # define EC_R_WRONG_CURVE_PARAMETERS 145 # define EC_R_WRONG_ORDER 130 -#ifdef __cplusplus +# ifdef __cplusplus } -#endif +# endif #endif Modified: stable/11/crypto/openssl/crypto/ec/ec_asn1.c ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ec_asn1.c Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/ec/ec_asn1.c Tue Sep 10 21:14:56 2019 (r352193) @@ -3,7 +3,7 @@ * Written by Nils Larsch for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 2000-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -695,10 +695,12 @@ ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GR static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params) { int ok = 0, tmp; - EC_GROUP *ret = NULL; + EC_GROUP *ret = NULL, *dup = NULL; BIGNUM *p = NULL, *a = NULL, *b = NULL; EC_POINT *point = NULL; long field_bits; + int curve_name = NID_undef; + BN_CTX *ctx = NULL; if (!params->fieldID || !params->fieldID->fieldType || !params->fieldID->p.ptr) { @@ -914,13 +916,75 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARA goto err; } + /* + * Check if the explicit parameters group just created matches one of the + * built-in curves. + * + * We create a copy of the group just built, so that we can remove optional + * fields for the lookup: we do this to avoid the possibility that one of + * the optional parameters is used to force the library into using a less + * performant and less secure EC_METHOD instead of the specialized one. + * In any case, `seed` is not really used in any computation, while a + * cofactor different from the one in the built-in table is just + * mathematically wrong anyway and should not be used. + */ + if ((ctx = BN_CTX_new()) == NULL) { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB); + goto err; + } + if ((dup = EC_GROUP_dup(ret)) == NULL + || EC_GROUP_set_seed(dup, NULL, 0) != 1 + || !EC_GROUP_set_generator(dup, point, a, NULL)) { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB); + goto err; + } + if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) { + /* + * The input explicit parameters successfully matched one of the + * built-in curves: often for built-in curves we have specialized + * methods with better performance and hardening. + * + * In this case we replace the `EC_GROUP` created through explicit + * parameters with one created from a named group. + */ + EC_GROUP *named_group = NULL; + +#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + /* + * NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for + * the same curve, we prefer the SECP nid when matching explicit + * parameters as that is associated with a specialized EC_METHOD. + */ + if (curve_name == NID_wap_wsg_idm_ecid_wtls12) + curve_name = NID_secp224r1; +#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */ + + if ((named_group = EC_GROUP_new_by_curve_name(curve_name)) == NULL) { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB); + goto err; + } + EC_GROUP_free(ret); + ret = named_group; + + /* + * Set the flag so that EC_GROUPs created from explicit parameters are + * serialized using explicit parameters by default. + * + * 0x0 = OPENSSL_EC_EXPLICIT_CURVE + */ + EC_GROUP_set_asn1_flag(ret, 0x0); + } + ok = 1; - err:if (!ok) { + err: + if (!ok) { if (ret) - EC_GROUP_clear_free(ret); + EC_GROUP_free(ret); ret = NULL; } + if (dup) + EC_GROUP_free(dup); if (p) BN_free(p); @@ -930,6 +994,8 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARA BN_free(b); if (point) EC_POINT_free(point); + if (ctx) + BN_CTX_free(ctx); return (ret); } @@ -990,7 +1056,7 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsig } if (a && *a) - EC_GROUP_clear_free(*a); + EC_GROUP_free(*a); if (a) *a = group; @@ -1040,7 +1106,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned ch if (priv_key->parameters) { if (ret->group) - EC_GROUP_clear_free(ret->group); + EC_GROUP_free(ret->group); ret->group = ec_asn1_pkparameters2group(priv_key->parameters); } Modified: stable/11/crypto/openssl/crypto/ec/ec_curve.c ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ec_curve.c Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/ec/ec_curve.c Tue Sep 10 21:14:56 2019 (r352193) @@ -3,7 +3,7 @@ * Written by Nils Larsch for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -75,6 +75,8 @@ #include #include +#include "bn_int.h" + #ifdef OPENSSL_FIPS # include #endif @@ -3245,4 +3247,116 @@ int EC_curve_nist2nid(const char *name) return nist_curves[i].nid; } return NID_undef; +} + +#define NUM_BN_FIELDS 6 +/* + * Validates EC domain parameter data for known named curves. + * This can be used when a curve is loaded explicitly (without a curve + * name) or to validate that domain parameters have not been modified. + * + * Returns: The nid associated with the found named curve, or NID_undef + * if not found. If there was an error it returns -1. + */ +int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx) +{ + int ret = -1, nid, len, field_type, param_len; + size_t i, seed_len; + const unsigned char *seed, *params_seed, *params; + unsigned char *param_bytes = NULL; + const EC_CURVE_DATA *data; + const EC_POINT *generator = NULL; + const EC_METHOD *meth; + const BIGNUM *cofactor = NULL; + /* An array of BIGNUMs for (p, a, b, x, y, order) */ + BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL}; + + meth = EC_GROUP_method_of(group); + if (meth == NULL) + return -1; + /* Use the optional named curve nid as a search field */ + nid = EC_GROUP_get_curve_name(group); + field_type = EC_METHOD_get_field_type(meth); + seed_len = EC_GROUP_get_seed_len(group); + seed = EC_GROUP_get0_seed(group); + cofactor = &group->cofactor; + + BN_CTX_start(ctx); + + /* + * The built-in curves contains data fields (p, a, b, x, y, order) that are + * all zero-padded to be the same size. The size of the padding is + * determined by either the number of bytes in the field modulus (p) or the + * EC group order, whichever is larger. + */ + param_len = BN_num_bytes(&group->order); + len = BN_num_bytes(&group->field); + if (len > param_len) + param_len = len; + + /* Allocate space to store the padded data for (p, a, b, x, y, order) */ + param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS); + if (param_bytes == NULL) + goto end; + + /* Create the bignums */ + for (i = 0; i < NUM_BN_FIELDS; ++i) { + if ((bn[i] = BN_CTX_get(ctx)) == NULL) + goto end; + } + /* + * Fill in the bn array with the same values as the internal curves + * i.e. the values are p, a, b, x, y, order. + */ + /* Get p, a & b */ + if (!(ec_group_get_curve(group, bn[0], bn[1], bn[2], ctx) + && ((generator = EC_GROUP_get0_generator(group)) != NULL) + /* Get x & y */ + && ec_point_get_affine_coordinates(group, generator, bn[3], bn[4], ctx) + /* Get order */ + && EC_GROUP_get_order(group, bn[5], ctx))) + goto end; + + /* + * Convert the bignum array to bytes that are joined together to form + * a single buffer that contains data for all fields. + * (p, a, b, x, y, order) are all zero padded to be the same size. + */ + for (i = 0; i < NUM_BN_FIELDS; ++i) { + if (bn_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0) + goto end; + } + + for (i = 0; i < curve_list_length; i++) { + const ec_list_element curve = curve_list[i]; + + data = curve.data; + /* Get the raw order byte data */ + params_seed = (const unsigned char *)(data + 1); /* skip header */ + params = params_seed + data->seed_len; + + /* Look for unique fields in the fixed curve data */ + if (data->field_type == field_type + && param_len == data->param_len + && (nid <= 0 || nid == curve.nid) + /* check the optional cofactor (ignore if its zero) */ + && (BN_is_zero(cofactor) + || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor)) + /* Check the optional seed (ignore if its not set) */ + && (data->seed_len == 0 || seed_len == 0 + || ((size_t)data->seed_len == seed_len + && memcmp(params_seed, seed, seed_len) == 0)) + /* Check that the groups params match the built-in curve params */ + && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS) + == 0) { + ret = curve.nid; + goto end; + } + } + /* Gets here if the group was not found */ + ret = NID_undef; +end: + OPENSSL_free(param_bytes); + BN_CTX_end(ctx); + return ret; } Modified: stable/11/crypto/openssl/crypto/ec/ec_err.c ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ec_err.c Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/ec/ec_err.c Tue Sep 10 21:14:56 2019 (r352193) @@ -1,6 +1,6 @@ /* crypto/ec/ec_err.c */ /* ==================================================================== - * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -310,6 +310,7 @@ static ERR_STRING_DATA EC_str_reasons[] = { {ERR_REASON(EC_R_SLOT_FULL), "slot full"}, {ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"}, {ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"}, + {ERR_REASON(EC_R_UNKNOWN_COFACTOR), "unknown cofactor"}, {ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"}, {ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"}, {ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"}, Modified: stable/11/crypto/openssl/crypto/ec/ec_lcl.h ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ec_lcl.h Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/ec/ec_lcl.h Tue Sep 10 21:14:56 2019 (r352193) @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -565,3 +565,18 @@ EC_GROUP *FIPS_ec_group_new_curve_gf2m(const BIGNUM *p const BIGNUM *b, BN_CTX *ctx); EC_GROUP *FIPS_ec_group_new_by_curve_name(int nid); #endif + +int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); + +/* + * The next 2 functions are just internal wrappers around the omonimous + * functions with either the `_GFp` or the `_GF2m` suffix. + * + * They are meant to facilitate backporting of code from newer branches, where + * the public API includes a "field agnostic" version of these 2 functions. + */ +int ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, + BIGNUM *b, BN_CTX *ctx); +int ec_point_get_affine_coordinates(const EC_GROUP *group, + const EC_POINT *point, BIGNUM *x, + BIGNUM *y, BN_CTX *ctx); Modified: stable/11/crypto/openssl/crypto/ec/ec_lib.c ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ec_lib.c Tue Sep 10 21:13:37 2019 (r352192) +++ stable/11/crypto/openssl/crypto/ec/ec_lib.c Tue Sep 10 21:14:56 2019 (r352193) @@ -294,6 +294,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth) return meth->field_type; } +/*- + * Try computing cofactor from the generator order (n) and field cardinality (q). + * This works for all curves of cryptographic interest. + * + * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q) + * h_min = (q + 1 - 2*sqrt(q))/n + * h_max = (q + 1 + 2*sqrt(q))/n + * h_max - h_min = 4*sqrt(q)/n + * So if n > 4*sqrt(q) holds, there is only one possible value for h: + * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil + * + * Otherwise, zero cofactor and return success. + */ +static int ec_guess_cofactor(EC_GROUP *group) { + int ret = 0; + BN_CTX *ctx = NULL; + BIGNUM *q = NULL; + + /*- + * If the cofactor is too large, we cannot guess it. + * The RHS of below is a strict overestimate of lg(4 * sqrt(q)) + */ + if (BN_num_bits(&group->order) <= (BN_num_bits(&group->field) + 1) / 2 + 3) { + /* default to 0 */ + BN_zero(&group->cofactor); + /* return success */ + return 1; + } + + if ((ctx = BN_CTX_new()) == NULL) + return 0; + + BN_CTX_start(ctx); + if ((q = BN_CTX_get(ctx)) == NULL) + goto err; + + /* set q = 2**m for binary fields; q = p otherwise */ + if (group->meth->field_type == NID_X9_62_characteristic_two_field) { + BN_zero(q); + if (!BN_set_bit(q, BN_num_bits(&group->field) - 1)) + goto err; + } else { + if (!BN_copy(q, &group->field)) + goto err; + } + + /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */ + if (!BN_rshift1(&group->cofactor, &group->order) /* n/2 */ + || !BN_add(&group->cofactor, &group->cofactor, q) /* q + n/2 */ + /* q + 1 + n/2 */ + || !BN_add(&group->cofactor, &group->cofactor, BN_value_one()) + /* (q + 1 + n/2)/n */ + || !BN_div(&group->cofactor, NULL, &group->cofactor, &group->order, ctx)) + goto err; + ret = 1; + err: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return ret; +} + int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor) { @@ -302,6 +363,33 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_P return 0; } + /* require group->field >= 1 */ + if (BN_is_zero(&group->field) || BN_is_negative(&group->field)) { + ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD); + return 0; + } + + /*- + * - require order >= 1 + * - enforce upper bound due to Hasse thm: order can be no more than one bit + * longer than field cardinality + */ + if (order == NULL || BN_is_zero(order) || BN_is_negative(order) + || BN_num_bits(order) > BN_num_bits(&group->field) + 1) { + ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER); + return 0; + } + + /*- + * Unfortunately the cofactor is an optional field in many standards. + * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor". + * So accept cofactor == NULL or cofactor >= 0. + */ + if (cofactor != NULL && BN_is_negative(cofactor)) { + ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR); + return 0; + } + if (group->generator == NULL) { group->generator = EC_POINT_new(group); if (group->generator == NULL) @@ -310,17 +398,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_P if (!EC_POINT_copy(group->generator, generator)) return 0; - if (order != NULL) { - if (!BN_copy(&group->order, order)) - return 0; - } else - BN_zero(&group->order); + if (!BN_copy(&group->order, order)) + return 0; - if (cofactor != NULL) { + /* Either take the provided positive cofactor, or try to compute it */ + if (cofactor != NULL && !BN_is_zero(cofactor)) { if (!BN_copy(&group->cofactor, cofactor)) return 0; - } else + } else if (!ec_guess_cofactor(group)) { BN_zero(&group->cofactor); + return 0; + } /*- * Access to the `mont_data` field of an EC_GROUP struct should always be @@ -1168,4 +1256,61 @@ int ec_precompute_mont_data(EC_GROUP *group) if (ctx) BN_CTX_free(ctx); return ret; +} + +/* + * This is just a wrapper around the public functions + * - EC_GROUP_get_curve_GF2m + * - EC_GROUP_get_curve_GFp + * + * It is meant to facilitate backporting of code from newer branches, where + * the public API includes a "field agnostic" version of it. *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***