ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ag:openssl-1.1.0i
Branches Tags
ag:master ag:tcl ag:tk ag:sqlite ag:libffi ag:openssl-1.1.1 ag:bzip2 ag:openssl-1.0.2 ag:openssl ag:tk85 ag:tcl85 ag:zlib ag:bsddb ag:xz ag:tix
ag:tcl-core-8.6.12.0 ag:tk-8.6.12.0 ag:sqlite-3.36.0.0 ag:libffi-3.4.2 ag:openssl-1.1.1l ag:bzip2-1.0.8 ag:sqlite-3.35.5.0 ag:sqlite-3.35.0.0 ag:tk-8.6.11.1 ag:tk-8.6.11.0 ag:tcl-core-8.6.11.1 ag:tcl-core-8.6.11.0 ag:openssl-1.1.1k ag:sqlite-3.34.0.0 ag:openssl-1.1.1i ag:sqlite-3.33.0.0 ag:tk-8.6.10.0 ag:tk-8.6.10 ag:tcl-core-8.6.10.0 ag:sqlite-3.32.3.0 ag:openssl-1.1.1g ag:sqlite-3.32.2.0 ag:sqlite-3.32.1.0 ag:openssl-1.1.1f ag:sqlite-3.31.1.0 ag:sqlite-3.30.1.0 ag:libffi-3.3.0 ag:openssl-1.0.2t ag:openssl-1.1.0l ag:openssl-1.1.1d ag:sqlite-3.28.0.0 ag:openssl-1.0.2s ag:openssl-1.1.1c ag:openssl-1.1.1b ag:libffi-3.3.0-rc0-r1 ag:openssl-1.1.1a ag:tcl-core-8.6.9.0 ag:tk-8.6.9.0 ag:openssl-1.1.0j ag:openssl-1.0.2q ag:openssl-1.0.2p ag:openssl-1.1.0i ag:openssl-1.1.0h ag:openssl-1.0.2o ag:tcl-core-8.6.8.0 ag:tk-8.6.8.0 ag:tk-8.5.19.0 ag:tcl-8.5.19.0 ag:sqlite-3.21.0.0 ag:openssl-1.1.0f ag:zlib-1.2.11 ag:tk-8.5.15.0 ag:tcl-8.5.15.0 ag:bsddb-4.7.25.0 ag:xz-5.2.2 ag:tix-8.4.3.6 ag:tix-8.4.3.5 ag:sqlite-3.14.2.0 ag:tk-8.6.6.0 ag:tcl-core-8.6.6.0 ag:openssl-1.0.2k ag:bzip2-1.0.6
..
compare: ag:openssl-1.1.0j
Branches Tags
ag:tcl ag:tk ag:sqlite ag:master ag:libffi ag:openssl-1.1.1 ag:bzip2 ag:openssl-1.0.2 ag:openssl ag:tk85 ag:tcl85 ag:zlib ag:bsddb ag:xz ag:tix
ag:tcl-core-8.6.12.0 ag:tk-8.6.12.0 ag:sqlite-3.36.0.0 ag:libffi-3.4.2 ag:openssl-1.1.1l ag:bzip2-1.0.8 ag:sqlite-3.35.5.0 ag:sqlite-3.35.0.0 ag:tk-8.6.11.1 ag:tk-8.6.11.0 ag:tcl-core-8.6.11.1 ag:tcl-core-8.6.11.0 ag:openssl-1.1.1k ag:sqlite-3.34.0.0 ag:openssl-1.1.1i ag:sqlite-3.33.0.0 ag:tk-8.6.10.0 ag:tk-8.6.10 ag:tcl-core-8.6.10.0 ag:sqlite-3.32.3.0 ag:openssl-1.1.1g ag:sqlite-3.32.2.0 ag:sqlite-3.32.1.0 ag:openssl-1.1.1f ag:sqlite-3.31.1.0 ag:sqlite-3.30.1.0 ag:libffi-3.3.0 ag:openssl-1.0.2t ag:openssl-1.1.0l ag:openssl-1.1.1d ag:sqlite-3.28.0.0 ag:openssl-1.0.2s ag:openssl-1.1.1c ag:openssl-1.1.1b ag:libffi-3.3.0-rc0-r1 ag:openssl-1.1.1a ag:tcl-core-8.6.9.0 ag:tk-8.6.9.0 ag:openssl-1.1.0j ag:openssl-1.0.2q ag:openssl-1.0.2p ag:openssl-1.1.0i ag:openssl-1.1.0h ag:openssl-1.0.2o ag:tcl-core-8.6.8.0 ag:tk-8.6.8.0 ag:tk-8.5.19.0 ag:tcl-8.5.19.0 ag:sqlite-3.21.0.0 ag:openssl-1.1.0f ag:zlib-1.2.11 ag:tk-8.5.15.0 ag:tcl-8.5.15.0 ag:bsddb-4.7.25.0 ag:xz-5.2.2 ag:tix-8.4.3.6 ag:tix-8.4.3.5 ag:sqlite-3.14.2.0 ag:tk-8.6.6.0 ag:tcl-core-8.6.6.0 ag:openssl-1.0.2k ag:bzip2-1.0.6

1 Commits
openssl-1. ... openssl-1.

Author SHA1 Message Date
Steve Dower
697f7e1f24 Import OpenSSL 1.1.0j 2018-12-07 11:30:36 -08:00
114 changed files with 9043 additions and 3633 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -52,6 +52,7 @@ Makefile
/test/x509aux /test/x509aux
/test/v3ext /test/v3ext
/test/versions /test/versions
/test/rsa_complex
# Certain files that get created by tests on the fly # Certain files that get created by tests on the fly
/test/test-runs /test/test-runs

27
CHANGES
View File

@@ -7,6 +7,33 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch. release branch.
Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
*) Timing vulnerability in ECDSA signature generation
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
(CVE-2018-0735)
[Paul Dale]
*) Add coordinate blinding for EC_POINT and implement projective
coordinate blinding for generic prime curves as a countermeasure to
chosen point SCA attacks.
[Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
Changes between 1.1.0h and 1.1.0i [14 Aug 2018] Changes between 1.1.0h and 1.1.0i [14 Aug 2018]
*) Client DoS due to large DH parameter *) Client DoS due to large DH parameter

6
Configurations/00-base-templates.conf
View File

@@ -68,6 +68,8 @@
} }
return (); }, return (); },
shared_extension => ".so",
build_scheme => [ "unified", "unix" ], build_scheme => [ "unified", "unix" ],
build_file => "Makefile", build_file => "Makefile",
}, },
@@ -99,6 +101,8 @@
mtinflag => "-manifest ", mtinflag => "-manifest ",
mtoutflag => "-outputresource:", mtoutflag => "-outputresource:",
shared_extension => ".dll",
build_file => "makefile", build_file => "makefile",
build_scheme => [ "unified", "windows" ], build_scheme => [ "unified", "windows" ],
}, },
@@ -107,6 +111,8 @@
inherit_from => [ "BASE_common" ], inherit_from => [ "BASE_common" ],
template => 1, template => 1,
shared_extension => ".exe",
build_file => "descrip.mms", build_file => "descrip.mms",
build_scheme => [ "unified", "VMS" ], build_scheme => [ "unified", "VMS" ],
}, },

55
Configurations/descrip.mms.tmpl
View File

@@ -368,12 +368,10 @@ descrip.mms : FORCE
# Install helper targets ############################################# # Install helper targets #############################################
install_sw : all install_shared _install_dev_ns - install_sw : install_dev install_engines install_runtime -
install_engines _install_runtime_ns -
install_startup install_ivp install_startup install_ivp
uninstall_sw : uninstall_shared _uninstall_dev_ns - uninstall_sw : uninstall_dev uninstall_engines uninstall_runtime -
uninstall_engines _uninstall_runtime_ns -
uninstall_startup uninstall_ivp uninstall_startup uninstall_ivp
install_docs : install_html_docs install_docs : install_html_docs
@@ -396,17 +394,7 @@ install_ssldirs : check_INSTALLTOP
COPY/PROT=W:R {- sourcefile("apps", "openssl-vms.cnf") -} - COPY/PROT=W:R {- sourcefile("apps", "openssl-vms.cnf") -} -
ossl_dataroot:[000000]openssl.cnf ossl_dataroot:[000000]openssl.cnf
install_shared : check_INSTALLTOP install_dev : check_INSTALLTOP install_runtime_libs
@ {- output_off() if $disabled{shared}; "" -} !
@ WRITE SYS$OUTPUT "*** Installing shareable images"
@ ! Install shared (runtime) libraries
- CREATE/DIR ossl_installroot:[LIB.'arch']
{- join("\n ",
map { "COPY/PROT=W:R $_.EXE ossl_installroot:[LIB.'arch']" }
@install_shlibs) -}
@ {- output_on() if $disabled{shared}; "" -} !
_install_dev_ns : check_INSTALLTOP
@ WRITE SYS$OUTPUT "*** Installing development files" @ WRITE SYS$OUTPUT "*** Installing development files"
@ ! Install header files @ ! Install header files
- CREATE/DIR ossl_installroot:[include.openssl] - CREATE/DIR ossl_installroot:[include.openssl]
@@ -417,20 +405,7 @@ _install_dev_ns : check_INSTALLTOP
map { "COPY/PROT=W:R $_.OLB ossl_installroot:[LIB.'arch']" } map { "COPY/PROT=W:R $_.OLB ossl_installroot:[LIB.'arch']" }
@{$unified_info{install}->{libraries}}) -} @{$unified_info{install}->{libraries}}) -}
install_dev : install_shared _install_dev_ns install_engines : check_INSTALLTOP install_runtime_libs build_engines
_install_runtime_ns : check_INSTALLTOP
@ ! Install the main program
- CREATE/DIR ossl_installroot:[EXE.'arch']
COPY/PROT=W:RE [.APPS]openssl.EXE -
ossl_installroot:[EXE.'arch']openssl{- $osslver -}.EXE
@ ! Install scripts
COPY/PROT=W:RE $(BIN_SCRIPTS) ossl_installroot:[EXE]
@ ! {- output_on() if $disabled{apps}; "" -}
install_runtime : install_shared _install_runtime_ns
install_engines : check_INSTALLTOP
@ {- output_off() unless scalar @{$unified_info{engines}}; "" -} ! @ {- output_off() unless scalar @{$unified_info{engines}}; "" -} !
@ WRITE SYS$OUTPUT "*** Installing engines" @ WRITE SYS$OUTPUT "*** Installing engines"
- CREATE/DIR ossl_installroot:[ENGINES{- $sover.$target{pointer_size} -}.'arch'] - CREATE/DIR ossl_installroot:[ENGINES{- $sover.$target{pointer_size} -}.'arch']
@@ -439,6 +414,28 @@ install_engines : check_INSTALLTOP
@{$unified_info{install}->{engines}}) -} @{$unified_info{install}->{engines}}) -}
@ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} !
install_runtime : install_programs
install_runtime_libs : check_INSTALLTOP build_libs
@ {- output_off() if $disabled{shared}; "" -} !
@ WRITE SYS$OUTPUT "*** Installing shareable images"
@ ! Install shared (runtime) libraries
- CREATE/DIR ossl_installroot:[LIB.'arch']
{- join("\n ",
map { "COPY/PROT=W:R $_.EXE ossl_installroot:[LIB.'arch']" }
@install_shlibs) -}
@ {- output_on() if $disabled{shared}; "" -} !
install_programs : check_INSTALLTOP install_runtime_libs build_programs
@ {- output_off() if $disabled{apps}; "" -} !
@ ! Install the main program
- CREATE/DIR ossl_installroot:[EXE.'arch']
COPY/PROT=W:RE [.APPS]openssl.EXE -
ossl_installroot:[EXE.'arch']openssl{- $osslver -}.EXE
@ ! Install scripts
COPY/PROT=W:RE $(BIN_SCRIPTS) ossl_installroot:[EXE]
@ ! {- output_on() if $disabled{apps}; "" -}
install_startup : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com - install_startup : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com -
[.VMS]openssl_utils.com, check_INSTALLTOP [.VMS]openssl_utils.com, check_INSTALLTOP
- CREATE/DIR ossl_installroot:[SYS$STARTUP] - CREATE/DIR ossl_installroot:[SYS$STARTUP]

27
Configurations/unix-Makefile.tmpl
View File

@@ -323,7 +323,7 @@ depend:
# Install helper targets ############################################# # Install helper targets #############################################
install_sw: all install_dev install_engines install_runtime install_sw: install_dev install_engines install_runtime
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
@@ -355,7 +355,7 @@ install_ssldirs:
chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \ chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
fi fi
install_dev: install_dev: install_runtime_libs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@echo "*** Installing development files" @echo "*** Installing development files"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl
@@ -461,7 +461,7 @@ uninstall_dev:
-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR) -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)
install_engines: install_engines: install_runtime_libs build_engines
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(ENGINESDIR)/ @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(ENGINESDIR)/
@echo "*** Installing engines" @echo "*** Installing engines"
@@ -488,9 +488,10 @@ uninstall_engines:
done done
-$(RMDIR) $(DESTDIR)$(ENGINESDIR) -$(RMDIR) $(DESTDIR)$(ENGINESDIR)
install_runtime: install_runtime: install_programs
install_runtime_libs: build_libs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
@ : {- output_off() if windowsdll(); "" -} @ : {- output_off() if windowsdll(); "" -}
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR) @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)
@ : {- output_on() if windowsdll(); "" -} @ : {- output_on() if windowsdll(); "" -}
@@ -512,6 +513,11 @@ install_runtime:
$(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \ $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
: {- output_on() if windowsdll(); "" -}; \ : {- output_on() if windowsdll(); "" -}; \
done done
install_programs: install_runtime_libs build_programs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
@echo "*** Installing runtime programs"
@set -e; for x in dummy $(INSTALL_PROGRAMS); do \ @set -e; for x in dummy $(INSTALL_PROGRAMS); do \
if [ "$$x" = "dummy" ]; then continue; fi; \ if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \ fn=`basename $$x`; \
@@ -531,8 +537,10 @@ install_runtime:
$(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
done done
uninstall_runtime: uninstall_runtime: uninstall_programs uninstall_runtime_libs
@echo "*** Uninstalling runtime files"
uninstall_programs:
@echo "*** Uninstalling runtime programs"
@set -e; for x in dummy $(INSTALL_PROGRAMS); \ @set -e; for x in dummy $(INSTALL_PROGRAMS); \
do \ do \
if [ "$$x" = "dummy" ]; then continue; fi; \ if [ "$$x" = "dummy" ]; then continue; fi; \
@@ -547,6 +555,10 @@ uninstall_runtime:
echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
done done
-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin
uninstall_runtime_libs:
@echo "*** Uninstalling runtime libraries"
@ : {- output_off() unless windowsdll(); "" -} @ : {- output_off() unless windowsdll(); "" -}
@set -e; for s in dummy $(INSTALL_SHLIBS); do \ @set -e; for s in dummy $(INSTALL_SHLIBS); do \
if [ "$$s" = "dummy" ]; then continue; fi; \ if [ "$$s" = "dummy" ]; then continue; fi; \
@@ -555,7 +567,6 @@ uninstall_runtime:
$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
done done
@ : {- output_on() unless windowsdll(); "" -} @ : {- output_on() unless windowsdll(); "" -}
-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin
install_man_docs: install_man_docs:

33
Configurations/windows-makefile.tmpl
View File

@@ -267,7 +267,7 @@ depend:
# Install helper targets ############################################# # Install helper targets #############################################
install_sw: all install_dev install_engines install_runtime install_sw: install_dev install_engines install_runtime
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
@@ -287,7 +287,7 @@ install_ssldirs:
@"$(PERL)" "$(SRCDIR)\util\copy.pl" $(MISC_SCRIPTS) \ @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(MISC_SCRIPTS) \
"$(OPENSSLDIR)\misc" "$(OPENSSLDIR)\misc"
install_dev: install_dev: install_runtime_libs
@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
@$(ECHO) "*** Installing development files" @$(ECHO) "*** Installing development files"
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl"
@@ -309,7 +309,7 @@ install_dev:
uninstall_dev: uninstall_dev:
install_engines: install_engines: install_runtime_libs build_engines
@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
@$(ECHO) "*** Installing engines" @$(ECHO) "*** Installing engines"
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(ENGINESDIR)" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(ENGINESDIR)"
@@ -320,15 +320,22 @@ install_engines:
uninstall_engines: uninstall_engines:
install_runtime: install_runtime: install_programs
install_runtime_libs: build_libs
@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
@$(ECHO) "*** Installing runtime files" @$(ECHO) "*** Installing runtime libraries"
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin"
@if not "$(SHLIBS)"=="" \ @if not "$(SHLIBS)"=="" \
"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBS) "$(INSTALLTOP)\bin" "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBS) "$(INSTALLTOP)\bin"
@if not "$(SHLIBS)"=="" \ @if not "$(SHLIBS)"=="" \
"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \
"$(INSTALLTOP)\bin" "$(INSTALLTOP)\bin"
install_programs: install_runtime_libs build_programs
@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
@$(ECHO) "*** Installing runtime programs"
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin"
@"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_PROGRAMS) \ @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_PROGRAMS) \
"$(INSTALLTOP)\bin" "$(INSTALLTOP)\bin"
@"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_PROGRAMPDBS) \ @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_PROGRAMPDBS) \
@@ -454,22 +461,20 @@ $obj$objext: $deps
\$(AS) \$(ASFLAGS) \$(ASOUTFLAG)\$\@ $srcs \$(AS) \$(ASFLAGS) \$(ASOUTFLAG)\$\@ $srcs
EOF EOF
} }
return <<"EOF" if (!$disabled{makedepend}); my $recipe = <<"EOF";
$obj$depext: $deps $obj$objext: $deps
\$(CC) \$(CFLAGS) $ecflags$inc /Zs /showIncludes $srcs 2>&1 | \\ \$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ $srcs
EOF
$recipe .= <<"EOF" unless $disabled{makedepend};
\$(CC) $incs \$(CFLAGS) $ecflags /Zs /showIncludes $srcs 2>&1 | \\
"\$(PERL)" -n << > $obj$depext "\$(PERL)" -n << > $obj$depext
chomp; chomp;
s/^Note: including file: *//; s/^Note: including file: *//;
\$\$collect{\$\$_} = 1; \$\$collect{\$\$_} = 1;
END { print '$obj$objext: ',join(" ", sort keys \%collect),"\\n" } END { print '$obj$objext: ',join(" ", sort keys \%collect),"\\n" }
<< <<
$obj$objext: $obj$depext
\$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ $srcs
EOF
return <<"EOF" if ($disabled{makedepend});
$obj$objext: $deps
\$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ $srcs
EOF EOF
return $recipe;
} }
# On Unix, we build shlibs from static libs, so we're ignoring the # On Unix, we build shlibs from static libs, so we're ignoring the

4
Configure
View File

@@ -1906,8 +1906,8 @@ EOF
next unless defined($unified_info{includes}->{$dest}->{$k}); next unless defined($unified_info{includes}->{$dest}->{$k});
my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}}; my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}};
foreach my $obj (grep /\.o$/, foreach my $obj (grep /\.o$/,
(keys %{$unified_info{sources}->{$dest}}, (keys %{$unified_info{sources}->{$dest} // {}},
keys %{$unified_info{shared_sources}->{$dest}})) { keys %{$unified_info{shared_sources}->{$dest} // {}})) {
foreach my $inc (@incs) { foreach my $inc (@incs) {
unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc
unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}}; unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}};

5
NEWS
View File

@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file. release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018]
o Timing vulnerability in DSA signature generation (CVE-2018-0734)
o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018] Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018]
o Client DoS due to large DH parameter (CVE-2018-0732) o Client DoS due to large DH parameter (CVE-2018-0732)

2
README
View File

@@ -1,5 +1,5 @@
OpenSSL 1.1.0i 14 Aug 2018 OpenSSL 1.1.0j 20 Nov 2018
Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1998-2018 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

14
apps/apps.c
View File

@@ -1707,8 +1707,14 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
char *work; char *work;
X509_NAME *n; X509_NAME *n;
if (*cp++ != '/') if (*cp++ != '/') {
BIO_printf(bio_err,
"name is expected to be in the format "
"/type0=value0/type1=value1/type2=... where characters may "
"be escaped by \\. This name is not in that format: '%s'\n",
--cp);
return NULL; return NULL;
}
n = X509_NAME_new(); n = X509_NAME_new();
if (n == NULL) if (n == NULL)
@@ -1764,6 +1770,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
opt_getprog(), typestr); opt_getprog(), typestr);
continue; continue;
} }
if (*valstr == '\0') {
BIO_printf(bio_err,
"%s: No value provided for Subject Attribute %s, skipped\n",
opt_getprog(), typestr);
continue;
}
if (!X509_NAME_add_entry_by_NID(n, nid, chtype, if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
valstr, strlen((char *)valstr), valstr, strlen((char *)valstr),
-1, ismulti ? -1 : 0)) -1, ismulti ? -1 : 0))

48
apps/pkey.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -141,24 +141,30 @@ int pkey_main(int argc, char **argv)
if (!noout) { if (!noout) {
if (outformat == FORMAT_PEM) { if (outformat == FORMAT_PEM) {
if (pubout) if (pubout) {
PEM_write_bio_PUBKEY(out, pkey); if (!PEM_write_bio_PUBKEY(out, pkey))
else { goto end;
} else {
assert(private); assert(private);
if (traditional) if (traditional) {
PEM_write_bio_PrivateKey_traditional(out, pkey, cipher, if (!PEM_write_bio_PrivateKey_traditional(out, pkey, cipher,
NULL, 0, NULL, NULL, 0, NULL,
passout); passout))
else goto end;
PEM_write_bio_PrivateKey(out, pkey, cipher, } else {
NULL, 0, NULL, passout); if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
NULL, 0, NULL, passout))
goto end;
}
} }
} else if (outformat == FORMAT_ASN1) { } else if (outformat == FORMAT_ASN1) {
if (pubout) if (pubout) {
i2d_PUBKEY_bio(out, pkey); if (!i2d_PUBKEY_bio(out, pkey))
else { goto end;
} else {
assert(private); assert(private);
i2d_PrivateKey_bio(out, pkey); if (!i2d_PrivateKey_bio(out, pkey))
goto end;
} }
} else { } else {
BIO_printf(bio_err, "Bad format specified for key\n"); BIO_printf(bio_err, "Bad format specified for key\n");
@@ -168,17 +174,21 @@ int pkey_main(int argc, char **argv)
} }
if (text) { if (text) {
if (pubtext) if (pubtext) {
EVP_PKEY_print_public(out, pkey, 0, NULL); if (EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0)
else { goto end;
} else {
assert(private); assert(private);
EVP_PKEY_print_private(out, pkey, 0, NULL); if (EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0)
goto end;
} }
} }
ret = 0; ret = 0;
end: end:
if (ret != 0)
ERR_print_errors(bio_err);
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
release_engine(e); release_engine(e);
BIO_free_all(out); BIO_free_all(out);

5
apps/req.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -509,8 +509,7 @@ int req_main(int argc, char **argv)
if (pkey_type == EVP_PKEY_EC) { if (pkey_type == EVP_PKEY_EC) {
BIO_printf(bio_err, "Generating an EC private key\n"); BIO_printf(bio_err, "Generating an EC private key\n");
} else { } else {
BIO_printf(bio_err, "Generating a %ld bit %s private key\n", BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr);
newkey, keyalgstr);
} }
EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);

8
apps/s_server.c
View File

@@ -2660,8 +2660,10 @@ static int www_body(int s, int stype, unsigned char *context)
if (context if (context
&& !SSL_set_session_id_context(con, context, && !SSL_set_session_id_context(con, context,
strlen((char *)context))) strlen((char *)context))) {
SSL_free(con);
goto err; goto err;
}
sbio = BIO_new_socket(s, BIO_NOCLOSE); sbio = BIO_new_socket(s, BIO_NOCLOSE);
if (s_nbio_test) { if (s_nbio_test) {
@@ -2673,7 +2675,7 @@ static int www_body(int s, int stype, unsigned char *context)
SSL_set_bio(con, sbio, sbio); SSL_set_bio(con, sbio, sbio);
SSL_set_accept_state(con); SSL_set_accept_state(con);
/* SSL_set_fd(con,s); */ /* No need to free |con| after this. Done by BIO_free(ssl_bio) */
BIO_set_ssl(ssl_bio, con, BIO_CLOSE); BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
BIO_push(io, ssl_bio); BIO_push(io, ssl_bio);
#ifdef CHARSET_EBCDIC #ifdef CHARSET_EBCDIC
@@ -3030,6 +3032,7 @@ static int rev_body(int s, int stype, unsigned char *context)
if (context if (context
&& !SSL_set_session_id_context(con, context, && !SSL_set_session_id_context(con, context,
strlen((char *)context))) { strlen((char *)context))) {
SSL_free(con);
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
goto err; goto err;
} }
@@ -3038,6 +3041,7 @@ static int rev_body(int s, int stype, unsigned char *context)
SSL_set_bio(con, sbio, sbio); SSL_set_bio(con, sbio, sbio);
SSL_set_accept_state(con); SSL_set_accept_state(con);
/* No need to free |con| after this. Done by BIO_free(ssl_bio) */
BIO_set_ssl(ssl_bio, con, BIO_CLOSE); BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
BIO_push(io, ssl_bio); BIO_push(io, ssl_bio);
#ifdef CHARSET_EBCDIC #ifdef CHARSET_EBCDIC

2
apps/speed.c
View File

@@ -2541,7 +2541,7 @@ int speed_main(int argc, char **argv)
if (rsa_count <= 1) { if (rsa_count <= 1) {
/* if longer than 10s, don't do any more */ /* if longer than 10s, don't do any more */
for (testnum++; testnum < EC_NUM; testnum++) for (testnum++; testnum < ECDSA_NUM; testnum++)
ecdsa_doit[testnum] = 0; ecdsa_doit[testnum] = 0;
} }
} }

3
config
View File

@@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. # Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
# #
# Licensed under the OpenSSL license (the "License"). You may not use # Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy # this file except in compliance with the License. You can obtain a copy
@@ -929,5 +929,6 @@ if [ $? = "0" ]; then
fi fi
else else
echo "This system ($OUT) is not supported. See file INSTALL for details." echo "This system ($OUT) is not supported. See file INSTALL for details."
exit 1
fi fi
) )

3
crypto/async/arch/async_posix.h
View File

@@ -17,7 +17,8 @@
# include <unistd.h> # include <unistd.h>
# if _POSIX_VERSION >= 200112L # if _POSIX_VERSION >= 200112L \
&& (_POSIX_VERSION < 200809L || defined(__GLIBC__))
# include <pthread.h> # include <pthread.h>

6
crypto/bio/b_print.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -10,9 +10,9 @@
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <ctype.h> #include <ctype.h>
#include "internal/numbers.h"
#include "internal/cryptlib.h"
#include <openssl/bio.h> #include <openssl/bio.h>
#include "internal/cryptlib.h"
#include "internal/numbers.h"
/* /*
* Copyright Patrick Powell 1995 * Copyright Patrick Powell 1995

5
crypto/bio/bss_log.c
View File

@@ -404,4 +404,9 @@ static void xcloselog(BIO *bp)
# endif /* Unix */ # endif /* Unix */
#else /* NO_SYSLOG */
const BIO_METHOD *BIO_s_log(void)
{
return NULL;
}
#endif /* NO_SYSLOG */ #endif /* NO_SYSLOG */

8
crypto/bn/asm/x86_64-gcc.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -64,12 +64,6 @@
* machine. * machine.
*/ */
# if defined(_WIN64) || !defined(__LP64__)
# define BN_ULONG unsigned long long
# else
# define BN_ULONG unsigned long
# endif
# undef mul # undef mul
# undef mul_add # undef mul_add

90
crypto/bn/bn_blind.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -109,10 +109,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
goto err; goto err;
} else if (!(b->flags & BN_BLINDING_NO_UPDATE)) { } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) {
if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) if (b->m_ctx != NULL) {
goto err; if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx)
if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)) || !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx))
goto err; goto err;
} else {
if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)
|| !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
goto err;
}
} }
ret = 1; ret = 1;
@@ -144,13 +149,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
else if (!BN_BLINDING_update(b, ctx)) else if (!BN_BLINDING_update(b, ctx))
return (0); return (0);
if (r != NULL) { if (r != NULL && (BN_copy(r, b->Ai) == NULL))
if (!BN_copy(r, b->Ai)) return 0;
ret = 0;
}
if (!BN_mod_mul(n, n, b->A, b->mod, ctx)) if (b->m_ctx != NULL)
ret = 0; ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx);
else
ret = BN_mod_mul(n, n, b->A, b->mod, ctx);
return ret; return ret;
} }
@@ -167,14 +172,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
bn_check_top(n); bn_check_top(n);
if (r != NULL) if (r == NULL && (r = b->Ai) == NULL) {
ret = BN_mod_mul(n, n, r, b->mod, ctx); BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
else { return 0;
if (b->Ai == NULL) { }
BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
return (0); if (b->m_ctx != NULL) {
/* ensure that BN_mod_mul_montgomery takes pre-defined path */
if (n->dmax >= r->top) {
size_t i, rtop = r->top, ntop = n->top;
BN_ULONG mask;
for (i = 0; i < rtop; i++) {
mask = (BN_ULONG)0 - ((i - ntop) >> (8 * sizeof(i) - 1));
n->d[i] &= mask;
}
mask = (BN_ULONG)0 - ((rtop - ntop) >> (8 * sizeof(ntop) - 1));
/* always true, if (rtop >= ntop) n->top = r->top; */
n->top = (int)(rtop & ~mask) | (ntop & mask);
n->flags |= (BN_FLG_FIXED_TOP & ~mask);
} }
ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx); ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx);
} else {
ret = BN_mod_mul(n, n, r, b->mod, ctx);
} }
bn_check_top(n); bn_check_top(n);
@@ -253,31 +273,35 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
int rv; int rv;
if (!BN_rand_range(ret->A, ret->mod)) if (!BN_rand_range(ret->A, ret->mod))
goto err; goto err;
if (!int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv)) { if (int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv))
/*
* this should almost never happen for good RSA keys
*/
if (rv) {
if (retry_counter-- == 0) {
BNerr(BN_F_BN_BLINDING_CREATE_PARAM,
BN_R_TOO_MANY_ITERATIONS);
goto err;
}
} else
goto err;
} else
break; break;
/*
* this should almost never happen for good RSA keys
*/
if (!rv)
goto err;
if (retry_counter-- == 0) {
BNerr(BN_F_BN_BLINDING_CREATE_PARAM, BN_R_TOO_MANY_ITERATIONS);
goto err;
}
} while (1); } while (1);
if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) { if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
if (!ret->bn_mod_exp if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
goto err; goto err;
} else { } else {
if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)) if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
goto err; goto err;
} }
if (ret->m_ctx != NULL) {
if (!bn_to_mont_fixed_top(ret->Ai, ret->Ai, ret->m_ctx, ctx)
|| !bn_to_mont_fixed_top(ret->A, ret->A, ret->m_ctx, ctx))
goto err;
}
return ret; return ret;
err: err:
if (b == NULL) { if (b == NULL) {

76
crypto/bn/bn_lib.c
View File

@@ -503,26 +503,40 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
{ {
int n; int n;
size_t i, inc, lasti, j; size_t i, lasti, j, atop, mask;
BN_ULONG l; BN_ULONG l;
/*
* In case |a| is fixed-top, BN_num_bytes can return bogus length,
* but it's assumed that fixed-top inputs ought to be "nominated"
* even for padded output, so it works out...
*/
n = BN_num_bytes(a); n = BN_num_bytes(a);
if (tolen == -1) if (tolen == -1) {
tolen = n; tolen = n;
else if (tolen < n) } else if (tolen < n) { /* uncommon/unlike case */
return -1; BIGNUM temp = *a;
if (n == 0) { bn_correct_top(&temp);
n = BN_num_bytes(&temp);
if (tolen < n)
return -1;
}
/* Swipe through whole available data and don't give away padded zero. */
atop = a->dmax * BN_BYTES;
if (atop == 0) {
OPENSSL_cleanse(to, tolen); OPENSSL_cleanse(to, tolen);
return tolen; return tolen;
} }
lasti = n - 1; lasti = atop - 1;
for (i = 0, inc = 1, j = tolen; j > 0;) { atop = a->top * BN_BYTES;
for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) {
l = a->d[i / BN_BYTES]; l = a->d[i / BN_BYTES];
to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc)); mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
inc = (i - lasti) >> (8 * sizeof(i) - 1); *--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
i += inc; /* stay on top limb */ i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
} }
return tolen; return tolen;
@@ -838,26 +852,30 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
b->neg ^= t; b->neg ^= t;
/*- /*-
* Idea behind BN_FLG_STATIC_DATA is actually to * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
* indicate that data may not be written to. * is actually to treat it as it's read-only data, and some (if not most)
* Intention is actually to treat it as it's * of it does reside in read-only segment. In other words observation of
* read-only data, and some (if not most) of it does * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
* reside in read-only segment. In other words * condition. It would either cause SEGV or effectively cause data
* observation of BN_FLG_STATIC_DATA in * corruption.
* BN_consttime_swap should be treated as fatal *
* condition. It would either cause SEGV or * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
* effectively cause data corruption. * preserved.
* BN_FLG_MALLOCED refers to BN structure itself, *
* and hence must be preserved. Remaining flags are * BN_FLG_SECURE: must be preserved, because it determines how x->d was
* BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be * allocated and hence how to free it.
* preserved, because it determines how x->d was *
* allocated and hence how to free it. This leaves * BN_FLG_CONSTTIME: sufficient to mask and swap
* BN_FLG_CONSTTIME that one can do something about. *
* To summarize it's sufficient to mask and swap * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
* BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should * the data, so the d array may be padded with additional 0 values (i.e.
* be treated as fatal. * top could be greater than the minimal value that it could be). We should
* be swapping it
*/ */
t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition;
#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition;
a->flags ^= t; a->flags ^= t;
b->flags ^= t; b->flags ^= t;

67
crypto/bn/bn_mod.c
View File

@@ -58,7 +58,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
if (mtop > sizeof(storage) / sizeof(storage[0]) if (mtop > sizeof(storage) / sizeof(storage[0])
&& (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL) && (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL)
return 0; return 0;
ap = a->d != NULL ? a->d : tp; ap = a->d != NULL ? a->d : tp;
bp = b->d != NULL ? b->d : tp; bp = b->d != NULL ? b->d : tp;
@@ -83,6 +83,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
((volatile BN_ULONG *)tp)[i] = 0; ((volatile BN_ULONG *)tp)[i] = 0;
} }
r->top = mtop; r->top = mtop;
r->flags |= BN_FLG_FIXED_TOP;
r->neg = 0; r->neg = 0;
if (tp != storage) if (tp != storage)
@@ -110,6 +111,70 @@ int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
return BN_nnmod(r, r, m, ctx); return BN_nnmod(r, r, m, ctx);
} }
/*
* BN_mod_sub variant that may be used if both a and b are non-negative,
* a is less than m, while b is of same bit width as m. It's implemented
* as subtraction followed by two conditional additions.
*
* 0 <= a < m
* 0 <= b < 2^w < 2*m
*
* after subtraction
*
* -2*m < r = a - b < m
*
* Thus it takes up to two conditional additions to make |r| positive.
*/
int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m)
{
size_t i, ai, bi, mtop = m->top;
BN_ULONG borrow, carry, ta, tb, mask, *rp;
const BN_ULONG *ap, *bp;
if (bn_wexpand(r, mtop) == NULL)
return 0;
rp = r->d;
ap = a->d != NULL ? a->d : rp;
bp = b->d != NULL ? b->d : rp;
for (i = 0, ai = 0, bi = 0, borrow = 0; i < mtop;) {
mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1));
ta = ap[ai] & mask;
mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1));
tb = bp[bi] & mask;
rp[i] = ta - tb - borrow;
if (ta != tb)
borrow = (ta < tb);
i++;
ai += (i - a->dmax) >> (8 * sizeof(i) - 1);
bi += (i - b->dmax) >> (8 * sizeof(i) - 1);
}
ap = m->d;
for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) {
ta = ((ap[i] & mask) + carry) & BN_MASK2;
carry = (ta < carry);
rp[i] = (rp[i] + ta) & BN_MASK2;
carry += (rp[i] < ta);
}
borrow -= carry;
for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) {
ta = ((ap[i] & mask) + carry) & BN_MASK2;
carry = (ta < carry);
rp[i] = (rp[i] + ta) & BN_MASK2;
carry += (rp[i] < ta);
}
r->top = mtop;
r->flags |= BN_FLG_FIXED_TOP;
r->neg = 0;
return 1;
}
/* /*
* BN_mod_sub variant that may be used if both a and b are non-negative and * BN_mod_sub variant that may be used if both a and b are non-negative and
* less than m * less than m

27
crypto/bn/bn_mont.c
View File

@@ -64,10 +64,10 @@ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
bn_check_top(tmp); bn_check_top(tmp);
if (a == b) { if (a == b) {
if (!BN_sqr(tmp, a, ctx)) if (!bn_sqr_fixed_top(tmp, a, ctx))
goto err; goto err;
} else { } else {
if (!BN_mul(tmp, a, b, ctx)) if (!bn_mul_fixed_top(tmp, a, b, ctx))
goto err; goto err;
} }
/* reduce from aRR to aR */ /* reduce from aRR to aR */
@@ -90,6 +90,7 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
BIGNUM *n; BIGNUM *n;
BN_ULONG *ap, *np, *rp, n0, v, carry; BN_ULONG *ap, *np, *rp, n0, v, carry;
int nl, max, i; int nl, max, i;
unsigned int rtop;
n = &(mont->N); n = &(mont->N);
nl = n->top; nl = n->top;
@@ -106,10 +107,10 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
np = n->d; np = n->d;
rp = r->d; rp = r->d;
/* clear the top words of T */ for (rtop = r->top, i = 0; i < max; i++) {
i = max - r->top; v = (BN_ULONG)0 - ((i - rtop) >> (8 * sizeof(rtop) - 1));
if (i) rp[i] &= v;
memset(&rp[r->top], 0, sizeof(*rp) * i); }
r->top = max; r->top = max;
r->flags |= BN_FLG_FIXED_TOP; r->flags |= BN_FLG_FIXED_TOP;
@@ -159,6 +160,18 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx) BN_CTX *ctx)
{
int retn;
retn = bn_from_mont_fixed_top(ret, a, mont, ctx);
bn_correct_top(ret);
bn_check_top(ret);
return retn;
}
int bn_from_mont_fixed_top(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx)
{ {
int retn = 0; int retn = 0;
#ifdef MONT_WORD #ifdef MONT_WORD
@@ -167,8 +180,6 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX_start(ctx); BN_CTX_start(ctx);
if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) { if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) {
retn = bn_from_montgomery_word(ret, t, mont); retn = bn_from_montgomery_word(ret, t, mont);
bn_correct_top(ret);
bn_check_top(ret);
} }
BN_CTX_end(ctx); BN_CTX_end(ctx);
#else /* !MONT_WORD */ #else /* !MONT_WORD */

14
crypto/bn/bn_mul.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -832,6 +832,16 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
#endif /* BN_RECURSION */ #endif /* BN_RECURSION */
int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
{
int ret = bn_mul_fixed_top(r, a, b, ctx);
bn_correct_top(r);
bn_check_top(r);
return ret;
}
int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
{ {
int ret = 0; int ret = 0;
int top, al, bl; int top, al, bl;
@@ -935,7 +945,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
end: end:
#endif #endif
rr->neg = a->neg ^ b->neg; rr->neg = a->neg ^ b->neg;
bn_correct_top(rr); rr->flags |= BN_FLG_FIXED_TOP;
if (r != rr && BN_copy(r, rr) == NULL) if (r != rr && BN_copy(r, rr) == NULL)
goto err; goto err;

12
crypto/bn/bn_sqr.c
View File

@@ -15,6 +15,16 @@
* I've just gone over this and it is now %20 faster on x86 - eay - 27 Jun 96 * I've just gone over this and it is now %20 faster on x86 - eay - 27 Jun 96
*/ */
int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
{
int ret = bn_sqr_fixed_top(r, a, ctx);
bn_correct_top(r);
bn_check_top(r);
return ret;
}
int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
{ {
int max, al; int max, al;
int ret = 0; int ret = 0;
@@ -83,7 +93,7 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
rr->neg = 0; rr->neg = 0;
rr->top = max; rr->top = max;
bn_correct_top(rr); rr->flags |= BN_FLG_FIXED_TOP;
if (r != rr && BN_copy(r, rr) == NULL) if (r != rr && BN_copy(r, rr) == NULL)
goto err; goto err;

6
crypto/bn/bn_x931p.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -184,8 +184,10 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
for (i = 0; i < 1000; i++) { for (i = 0; i < 1000; i++) {
if (!BN_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY)) if (!BN_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
goto err; goto err;
/* Check that |Xp - Xq| > 2^(nbits - 100) */ /* Check that |Xp - Xq| > 2^(nbits - 100) */
BN_sub(t, Xp, Xq); if (!BN_sub(t, Xp, Xq))
goto err;
if (BN_num_bits(t) > (nbits - 100)) if (BN_num_bits(t) > (nbits - 100))
break; break;
} }

2
crypto/build.info
View File

@@ -2,7 +2,7 @@ LIBS=../libcrypto
SOURCE[../libcrypto]=\ SOURCE[../libcrypto]=\
cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fopen.c \ ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fopen.c \
threads_pthread.c threads_win.c threads_none.c \ threads_pthread.c threads_win.c threads_none.c getenv.c \
o_init.c o_fips.c mem_sec.c init.c {- $target{cpuid_asm_src} -} \ o_init.c o_fips.c mem_sec.c init.c {- $target{cpuid_asm_src} -} \
{- $target{uplink_aux_src} -} {- $target{uplink_aux_src} -}
EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \

7
crypto/conf/conf_api.c
View File

@@ -9,11 +9,12 @@
/* Part of the code in here was originally in conf.c, which is now removed */ /* Part of the code in here was originally in conf.c, which is now removed */
#include "e_os.h"
#include "internal/cryptlib.h"
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <openssl/conf.h> #include <openssl/conf.h>
#include <openssl/conf_api.h> #include <openssl/conf_api.h>
#include "e_os.h"
static void value_free_hash(const CONF_VALUE *a, LHASH_OF(CONF_VALUE) *conf); static void value_free_hash(const CONF_VALUE *a, LHASH_OF(CONF_VALUE) *conf);
static void value_free_stack_doall(CONF_VALUE *a); static void value_free_stack_doall(CONF_VALUE *a);
@@ -82,7 +83,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
if (v != NULL) if (v != NULL)
return (v->value); return (v->value);
if (strcmp(section, "ENV") == 0) { if (strcmp(section, "ENV") == 0) {
p = getenv(name); p = ossl_safe_getenv(name);
if (p != NULL) if (p != NULL)
return (p); return (p);
} }
@@ -95,7 +96,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
else else
return (NULL); return (NULL);
} else } else
return (getenv(name)); return ossl_safe_getenv(name);
} }
static unsigned long conf_value_hash(const CONF_VALUE *v) static unsigned long conf_value_hash(const CONF_VALUE *v)

5
crypto/conf/conf_mod.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -478,8 +478,7 @@ char *CONF_get1_default_config_file(void)
char *file; char *file;
int len; int len;
file = getenv("OPENSSL_CONF"); if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL)
if (file)
return OPENSSL_strdup(file); return OPENSSL_strdup(file);
len = strlen(X509_get_default_cert_area()); len = strlen(X509_get_default_cert_area());

2
crypto/cryptlib.c
View File

@@ -198,7 +198,7 @@ int OPENSSL_isservice(void)
if (_OPENSSL_isservice.p == NULL) { if (_OPENSSL_isservice.p == NULL) {
HANDLE mod = GetModuleHandle(NULL); HANDLE mod = GetModuleHandle(NULL);
FARPROC f; FARPROC f = NULL;
if (mod != NULL) if (mod != NULL)
f = GetProcAddress(mod, "_OPENSSL_isservice"); f = GetProcAddress(mod, "_OPENSSL_isservice");

4
crypto/ct/ct_log.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -137,7 +137,7 @@ static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *sec
int CTLOG_STORE_load_default_file(CTLOG_STORE *store) int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
{ {
const char *fpath = getenv(CTLOG_FILE_EVP); const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP);
if (fpath == NULL) if (fpath == NULL)
fpath = CTLOG_FILE; fpath = CTLOG_FILE;

12
crypto/dh/dh_lib.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -82,12 +82,14 @@ DH *DH_new_method(ENGINE *engine)
if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
DHerr(DH_F_DH_NEW_METHOD, ERR_R_INIT_FAIL); DHerr(DH_F_DH_NEW_METHOD, ERR_R_INIT_FAIL);
err: goto err;
DH_free(ret);
ret = NULL;
} }
return ret; return ret;
err:
DH_free(ret);
return NULL;
} }
void DH_free(DH *r) void DH_free(DH *r)
@@ -103,7 +105,7 @@ void DH_free(DH *r)
return; return;
REF_ASSERT_ISNT(i < 0); REF_ASSERT_ISNT(i < 0);
if (r->meth->finish) if (r->meth != NULL && r->meth->finish != NULL)
r->meth->finish(r); r->meth->finish(r);
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
ENGINE_finish(r->engine); ENGINE_finish(r->engine);

12
crypto/dsa/dsa_lib.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -91,12 +91,14 @@ DSA *DSA_new_method(ENGINE *engine)
if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_INIT_FAIL); DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_INIT_FAIL);
err: goto err;
DSA_free(ret);
ret = NULL;
} }
return ret; return ret;
err:
DSA_free(ret);
return NULL;
} }
void DSA_free(DSA *r) void DSA_free(DSA *r)
@@ -112,7 +114,7 @@ void DSA_free(DSA *r)
return; return;
REF_ASSERT_ISNT(i < 0); REF_ASSERT_ISNT(i < 0);
if (r->meth->finish) if (r->meth != NULL && r->meth->finish != NULL)
r->meth->finish(r); r->meth->finish(r);
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
ENGINE_finish(r->engine); ENGINE_finish(r->engine);

61
crypto/dsa/dsa_ossl.c
View File

@@ -11,6 +11,7 @@
#include <stdio.h> #include <stdio.h>
#include "internal/cryptlib.h" #include "internal/cryptlib.h"
#include "internal/bn_int.h"
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/sha.h> #include <openssl/sha.h>
#include "dsa_locl.h" #include "dsa_locl.h"
@@ -25,6 +26,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa); DSA_SIG *sig, DSA *dsa);
static int dsa_init(DSA *dsa); static int dsa_init(DSA *dsa);
static int dsa_finish(DSA *dsa); static int dsa_finish(DSA *dsa);
static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
BN_CTX *ctx);
static DSA_METHOD openssl_dsa_meth = { static DSA_METHOD openssl_dsa_meth = {
"OpenSSL DSA method", "OpenSSL DSA method",
@@ -180,9 +183,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
{ {
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
BIGNUM *k, *kinv = NULL, *r = *rp; BIGNUM *k, *kinv = NULL, *r = *rp;
BIGNUM *l, *m; BIGNUM *l;
int ret = 0; int ret = 0;
int q_bits; int q_bits, q_words;
if (!dsa->p || !dsa->q || !dsa->g) { if (!dsa->p || !dsa->q || !dsa->g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS); DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
@@ -191,8 +194,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
k = BN_new(); k = BN_new();
l = BN_new(); l = BN_new();
m = BN_new(); if (k == NULL || l == NULL)
if (k == NULL || l == NULL || m == NULL)
goto err; goto err;
if (ctx_in == NULL) { if (ctx_in == NULL) {
@@ -203,9 +205,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
/* Preallocate space */ /* Preallocate space */
q_bits = BN_num_bits(dsa->q); q_bits = BN_num_bits(dsa->q);
if (!BN_set_bit(k, q_bits) q_words = bn_get_top(dsa->q);
|| !BN_set_bit(l, q_bits) if (!bn_wexpand(k, q_words + 2)
|| !BN_set_bit(m, q_bits)) || !bn_wexpand(l, q_words + 2))
goto err; goto err;
/* Get random k */ /* Get random k */
@@ -223,6 +225,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
} while (BN_is_zero(k)); } while (BN_is_zero(k));
BN_set_flags(k, BN_FLG_CONSTTIME); BN_set_flags(k, BN_FLG_CONSTTIME);
BN_set_flags(l, BN_FLG_CONSTTIME);
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
@@ -240,14 +243,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
* small timing information leakage. We then choose the sum that is * small timing information leakage. We then choose the sum that is
* one bit longer than the modulus. * one bit longer than the modulus.
* *
* TODO: revisit the BN_copy aiming for a memory access agnostic * There are some concerns about the efficacy of doing this. More
* conditional copy. * specificly refer to the discussion starting with:
* https://github.com/openssl/openssl/pull/7486#discussion_r228323705
* The fix is to rework BN so these gymnastics aren't required.
*/ */
if (!BN_add(l, k, dsa->q) if (!BN_add(l, k, dsa->q)
|| !BN_add(m, l, dsa->q) || !BN_add(k, l, dsa->q))
|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
goto err; goto err;
BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
if ((dsa)->meth->bn_mod_exp != NULL) { if ((dsa)->meth->bn_mod_exp != NULL) {
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx, if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
dsa->method_mont_p)) dsa->method_mont_p))
@@ -260,8 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
if (!BN_mod(r, r, dsa->q, ctx)) if (!BN_mod(r, r, dsa->q, ctx))
goto err; goto err;
/* Compute part of 's = inv(k) (m + xr) mod q' */ /* Compute part of 's = inv(k) (m + xr) mod q' */
if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL) if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
goto err; goto err;
BN_clear_free(*kinvp); BN_clear_free(*kinvp);
@@ -275,7 +281,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
BN_CTX_free(ctx); BN_CTX_free(ctx);
BN_clear_free(k); BN_clear_free(k);
BN_clear_free(l); BN_clear_free(l);
BN_clear_free(m);
return ret; return ret;
} }
@@ -395,3 +400,31 @@ static int dsa_finish(DSA *dsa)
BN_MONT_CTX_free(dsa->method_mont_p); BN_MONT_CTX_free(dsa->method_mont_p);
return (1); return (1);
} }
/*
* Compute the inverse of k modulo q.
* Since q is prime, Fermat's Little Theorem applies, which reduces this to
* mod-exp operation. Both the exponent and modulus are public information
* so a mod-exp that doesn't leak the base is sufficient. A newly allocated
* BIGNUM is returned which the caller must free.
*/
static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
BN_CTX *ctx)
{
BIGNUM *res = NULL;
BIGNUM *r, *e;
if ((r = BN_new()) == NULL)
return NULL;
BN_CTX_start(ctx);
if ((e = BN_CTX_get(ctx)) != NULL
&& BN_set_word(r, 2)
&& BN_sub(e, q, r)
&& BN_mod_exp_mont(r, k, e, q, ctx, NULL))
res = r;
else
BN_free(r);
BN_CTX_end(ctx);
return res;
}

3
crypto/ec/ec2_smpl.c
View File

@@ -83,7 +83,8 @@ const EC_METHOD *EC_GF2m_simple_method(void)
ec_key_simple_generate_public_key, ec_key_simple_generate_public_key,
0, /* keycopy */ 0, /* keycopy */
0, /* keyfinish */ 0, /* keyfinish */
ecdh_simple_compute_key ecdh_simple_compute_key,
0 /* blind_coordinates */
}; };
return &ret; return &ret;

4
crypto/ec/ec_err.c
View File

@@ -1,6 +1,6 @@
/* /*
* Generated by util/mkerr.pl DO NOT EDIT * Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -97,6 +97,8 @@ static ERR_STRING_DATA EC_str_functs[] = {
{ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_SQR), "ec_GFp_nist_field_sqr"}, {ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_SQR), "ec_GFp_nist_field_sqr"},
{ERR_FUNC(EC_F_EC_GFP_NIST_GROUP_SET_CURVE), {ERR_FUNC(EC_F_EC_GFP_NIST_GROUP_SET_CURVE),
"ec_GFp_nist_group_set_curve"}, "ec_GFp_nist_group_set_curve"},
{ERR_FUNC(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES),
"ec_GFp_simple_blind_coordinates"},
{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT), {ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT),
"ec_GFp_simple_group_check_discriminant"}, "ec_GFp_simple_group_check_discriminant"},
{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE), {ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE),

4
crypto/ec/ec_key.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -55,7 +55,7 @@ void EC_KEY_free(EC_KEY *r)
return; return;
REF_ASSERT_ISNT(i < 0); REF_ASSERT_ISNT(i < 0);
if (r->meth->finish != NULL) if (r->meth != NULL && r->meth->finish != NULL)
r->meth->finish(r); r->meth->finish(r);
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE

4
crypto/ec/ec_kmeth.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -119,7 +119,7 @@ EC_KEY *EC_KEY_new_method(ENGINE *engine)
} }
return ret; return ret;
err: err:
EC_KEY_free(ret); EC_KEY_free(ret);
return NULL; return NULL;
} }

5
crypto/ec/ec_lcl.h
View File

@@ -169,6 +169,7 @@ struct ec_method_st {
/* custom ECDH operation */ /* custom ECDH operation */
int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen, int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
const EC_POINT *pub_key, const EC_KEY *ecdh); const EC_POINT *pub_key, const EC_KEY *ecdh);
int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
}; };
/* /*
@@ -375,6 +376,8 @@ int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *); const BIGNUM *b, BN_CTX *);
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *); BN_CTX *);
int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
BN_CTX *ctx);
/* method functions in ecp_mont.c */ /* method functions in ecp_mont.c */
int ec_GFp_mont_group_init(EC_GROUP *); int ec_GFp_mont_group_init(EC_GROUP *);
@@ -627,3 +630,5 @@ int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
const uint8_t peer_public_value[32]); const uint8_t peer_public_value[32]);
void X25519_public_from_private(uint8_t out_public_value[32], void X25519_public_from_private(uint8_t out_public_value[32],
const uint8_t private_key[32]); const uint8_t private_key[32]);
int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);

28
crypto/ec/ec_lib.c
View File

@@ -756,6 +756,11 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
EC_R_INCOMPATIBLE_OBJECTS); EC_R_INCOMPATIBLE_OBJECTS);
return 0; return 0;
} }
if (EC_POINT_is_at_infinity(group, point)) {
ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP,
EC_R_POINT_AT_INFINITY);
return 0;
}
return group->meth->point_get_affine_coordinates(group, point, x, y, ctx); return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
} }
@@ -774,6 +779,11 @@ int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
EC_R_INCOMPATIBLE_OBJECTS); EC_R_INCOMPATIBLE_OBJECTS);
return 0; return 0;
} }
if (EC_POINT_is_at_infinity(group, point)) {
ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M,
EC_R_POINT_AT_INFINITY);
return 0;
}
return group->meth->point_get_affine_coordinates(group, point, x, y, ctx); return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
} }
#endif #endif
@@ -1007,3 +1017,21 @@ int ec_group_simple_order_bits(const EC_GROUP *group)
return 0; return 0;
return BN_num_bits(group->order); return BN_num_bits(group->order);
} }
/*-
* Coordinate blinding for EC_POINT.
*
* The underlying EC_METHOD can optionally implement this function:
* underlying implementations should return 0 on errors, or 1 on
* success.
*
* This wrapper returns 1 in case the underlying EC_METHOD does not
* support coordinate blinding.
*/
int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx)
{
if (group->meth->blind_coordinates == NULL)
return 1; /* ignore if not implemented */
return group->meth->blind_coordinates(group, p, ctx);
}

63
crypto/ec/ec_mult.c
View File

@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
*/ */
cardinality_bits = BN_num_bits(cardinality); cardinality_bits = BN_num_bits(cardinality);
group_top = bn_get_top(cardinality); group_top = bn_get_top(cardinality);
if ((bn_wexpand(k, group_top + 1) == NULL) if ((bn_wexpand(k, group_top + 2) == NULL)
|| (bn_wexpand(lambda, group_top + 1) == NULL)) || (bn_wexpand(lambda, group_top + 2) == NULL))
goto err; goto err;
if (!BN_copy(k, scalar)) if (!BN_copy(k, scalar))
@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
* k := scalar + 2*cardinality * k := scalar + 2*cardinality
*/ */
kbit = BN_is_bit_set(lambda, cardinality_bits); kbit = BN_is_bit_set(lambda, cardinality_bits);
BN_consttime_swap(kbit, k, lambda, group_top + 1); BN_consttime_swap(kbit, k, lambda, group_top + 2);
group_top = bn_get_top(group->field); group_top = bn_get_top(group->field);
if ((bn_wexpand(s->X, group_top) == NULL) if ((bn_wexpand(s->X, group_top) == NULL)
@@ -216,6 +216,17 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
|| (bn_wexpand(r->Z, group_top) == NULL)) || (bn_wexpand(r->Z, group_top) == NULL))
goto err; goto err;
/*-
* Apply coordinate blinding for EC_POINT.
*
* The underlying EC_METHOD can optionally implement this function:
* ec_point_blind_coordinates() returns 0 in case of errors or 1 on
* success or if coordinate blinding is not implemented for this
* group.
*/
if (!ec_point_blind_coordinates(group, s, ctx))
goto err;
/* top bit is a 1, in a fixed pos */ /* top bit is a 1, in a fixed pos */
if (!EC_POINT_copy(r, s)) if (!EC_POINT_copy(r, s))
goto err; goto err;
@@ -382,30 +393,32 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
return EC_POINT_set_to_infinity(group, r); return EC_POINT_set_to_infinity(group, r);
} }
/*- if (!BN_is_zero(group->order) && !BN_is_zero(group->cofactor)) {
* Handle the common cases where the scalar is secret, enforcing a constant
* time scalar multiplication algorithm.
*/
if ((scalar != NULL) && (num == 0)) {
/*- /*-
* In this case we want to compute scalar * GeneratorPoint: this * Handle the common cases where the scalar is secret, enforcing a constant
* codepath is reached most prominently by (ephemeral) key generation * time scalar multiplication algorithm.
* of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
* keygen/first half), where the scalar is always secret. This is why
* we ignore if BN_FLG_CONSTTIME is actually set and we always call the
* constant time version.
*/ */
return ec_mul_consttime(group, r, scalar, NULL, ctx); if ((scalar != NULL) && (num == 0)) {
} /*-
if ((scalar == NULL) && (num == 1)) { * In this case we want to compute scalar * GeneratorPoint: this
/*- * codepath is reached most prominently by (ephemeral) key generation
* In this case we want to compute scalar * GenericPoint: this codepath * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
* is reached most prominently by the second half of ECDH, where the * keygen/first half), where the scalar is always secret. This is why
* secret scalar is multiplied by the peer's public point. To protect * we ignore if BN_FLG_CONSTTIME is actually set and we always call the
* the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and * constant time version.
* we always call the constant time version. */
*/ return ec_mul_consttime(group, r, scalar, NULL, ctx);
return ec_mul_consttime(group, r, scalars[0], points[0], ctx); }
if ((scalar == NULL) && (num == 1)) {
/*-
* In this case we want to compute scalar * GenericPoint: this codepath
* is reached most prominently by the second half of ECDH, where the
* secret scalar is multiplied by the peer's public point. To protect
* the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
* we always call the constant time version.
*/
return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
}
} }
for (i = 0; i < num; i++) { for (i = 0; i < num; i++) {

5
crypto/ec/ecp_mont.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -66,7 +66,8 @@ const EC_METHOD *EC_GFp_mont_method(void)
ec_key_simple_generate_public_key, ec_key_simple_generate_public_key,
0, /* keycopy */ 0, /* keycopy */
0, /* keyfinish */ 0, /* keyfinish */
ecdh_simple_compute_key ecdh_simple_compute_key,
ec_GFp_simple_blind_coordinates
}; };
return &ret; return &ret;

5
crypto/ec/ecp_nist.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -68,7 +68,8 @@ const EC_METHOD *EC_GFp_nist_method(void)
ec_key_simple_generate_public_key, ec_key_simple_generate_public_key,
0, /* keycopy */ 0, /* keycopy */
0, /* keyfinish */ 0, /* keyfinish */
ecdh_simple_compute_key ecdh_simple_compute_key,
ec_GFp_simple_blind_coordinates
}; };
return &ret; return &ret;

5
crypto/ec/ecp_nistp224.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -290,7 +290,8 @@ const EC_METHOD *EC_GFp_nistp224_method(void)
ec_key_simple_generate_public_key, ec_key_simple_generate_public_key,
0, /* keycopy */ 0, /* keycopy */
0, /* keyfinish */ 0, /* keyfinish */
ecdh_simple_compute_key ecdh_simple_compute_key,
0 /* blind_coordinates */
}; };
return &ret; return &ret;

5
crypto/ec/ecp_nistp521.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -1642,7 +1642,8 @@ const EC_METHOD *EC_GFp_nistp521_method(void)
ec_key_simple_generate_public_key, ec_key_simple_generate_public_key,
0, /* keycopy */ 0, /* keycopy */
0, /* keyfinish */ 0, /* keyfinish */
ecdh_simple_compute_key ecdh_simple_compute_key,
0 /* blind_coordinates */
}; };
return &ret; return &ret;

3
crypto/ec/ecp_nistz256.c
View File

@@ -1536,7 +1536,8 @@ const EC_METHOD *EC_GFp_nistz256_method(void)
ec_key_simple_generate_public_key, ec_key_simple_generate_public_key,
0, /* keycopy */ 0, /* keycopy */
0, /* keyfinish */ 0, /* keyfinish */
ecdh_simple_compute_key ecdh_simple_compute_key,
0 /* blind_coordinates */
}; };
return &ret; return &ret;

57
crypto/ec/ecp_smpl.c
View File

@@ -67,7 +67,8 @@ const EC_METHOD *EC_GFp_simple_method(void)
ec_key_simple_generate_public_key, ec_key_simple_generate_public_key,
0, /* keycopy */ 0, /* keycopy */
0, /* keyfinish */ 0, /* keyfinish */
ecdh_simple_compute_key ecdh_simple_compute_key,
ec_GFp_simple_blind_coordinates
}; };
return &ret; return &ret;
@@ -1368,3 +1369,57 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
{ {
return BN_mod_sqr(r, a, group->field, ctx); return BN_mod_sqr(r, a, group->field, ctx);
} }
/*-
* Apply randomization of EC point projective coordinates:
*
* (X, Y ,Z ) = (lambda^2*X, lambda^3*Y, lambda*Z)
* lambda = [1,group->field)
*
*/
int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
BN_CTX *ctx)
{
int ret = 0;
BIGNUM *lambda = NULL;
BIGNUM *temp = NULL;
BN_CTX_start(ctx);
lambda = BN_CTX_get(ctx);
temp = BN_CTX_get(ctx);
if (temp == NULL) {
ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
goto err;
}
/* make sure lambda is not zero */
do {
if (!BN_rand_range(lambda, group->field)) {
ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_BN_LIB);
goto err;
}
} while (BN_is_zero(lambda));
/* if field_encode defined convert between representations */
if (group->meth->field_encode != NULL
&& !group->meth->field_encode(group, lambda, lambda, ctx))
goto err;
if (!group->meth->field_mul(group, p->Z, p->Z, lambda, ctx))
goto err;
if (!group->meth->field_sqr(group, temp, lambda, ctx))
goto err;
if (!group->meth->field_mul(group, p->X, p->X, temp, ctx))
goto err;
if (!group->meth->field_mul(group, temp, temp, lambda, ctx))
goto err;
if (!group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
goto err;
p->Z_is_one = 0;
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}

4
crypto/engine/eng_list.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -322,7 +322,7 @@ ENGINE *ENGINE_by_id(const char *id)
* Prevent infinite recursion if we're looking for the dynamic engine. * Prevent infinite recursion if we're looking for the dynamic engine.
*/ */
if (strcmp(id, "dynamic")) { if (strcmp(id, "dynamic")) {
if ((load_dir = getenv("OPENSSL_ENGINES")) == 0) if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == NULL)
load_dir = ENGINESDIR; load_dir = ENGINESDIR;
iterator = ENGINE_by_id("dynamic"); iterator = ENGINE_by_id("dynamic");
if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||

21
crypto/evp/p_seal.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -21,6 +21,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
{ {
unsigned char key[EVP_MAX_KEY_LENGTH]; unsigned char key[EVP_MAX_KEY_LENGTH];
int i; int i;
int rv = 0;
if (type) { if (type) {
EVP_CIPHER_CTX_reset(ctx); EVP_CIPHER_CTX_reset(ctx);
@@ -31,21 +32,27 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
return 1; return 1;
if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
return 0; return 0;
if (EVP_CIPHER_CTX_iv_length(ctx) if (EVP_CIPHER_CTX_iv_length(ctx)
&& RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
return 0; goto err;
if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
return 0; goto err;
for (i = 0; i < npubk; i++) { for (i = 0; i < npubk; i++) {
ekl[i] = ekl[i] =
EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx), EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx),
pubk[i]); pubk[i]);
if (ekl[i] <= 0) if (ekl[i] <= 0) {
return (-1); rv = -1;
goto err;
}
} }
return (npubk); rv = npubk;
err:
OPENSSL_cleanse(key, sizeof(key));
return rv;
} }
/*- MACRO /*- MACRO

31
crypto/getenv.c Normal file
View File

@@ -0,0 +1,31 @@
/*
* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <stdlib.h>
#include "internal/cryptlib.h"
char *ossl_safe_getenv(const char *name)
{
#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
# if __GLIBC_PREREQ(2, 17)
# define SECURE_GETENV
return secure_getenv(name);
# endif
#endif
#ifndef SECURE_GETENV
if (OPENSSL_issetugid())
return NULL;
return getenv(name);
#endif
}

6
crypto/include/internal/bn_int.h
View File

@@ -85,8 +85,14 @@ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx); BN_MONT_CTX *mont, BN_CTX *ctx);
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx); BN_CTX *ctx);
int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx);
int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m); const BIGNUM *m);
int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m);
int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
#ifdef __cplusplus #ifdef __cplusplus
} }

2
crypto/include/internal/cryptlib.h
View File

@@ -67,6 +67,8 @@ void OPENSSL_showfatal(const char *fmta, ...);
extern int OPENSSL_NONPIC_relocated; extern int OPENSSL_NONPIC_relocated;
void crypto_cleanup_all_ex_data_int(void); void crypto_cleanup_all_ex_data_int(void);
char *ossl_safe_getenv(const char *name);
int openssl_strerror_r(int errnum, char *buf, size_t buflen); int openssl_strerror_r(int errnum, char *buf, size_t buflen);
# if !defined(OPENSSL_NO_STDIO) # if !defined(OPENSSL_NO_STDIO)
FILE *openssl_fopen(const char *filename, const char *mode); FILE *openssl_fopen(const char *filename, const char *mode);

15
crypto/include/internal/lhash.h Normal file
View File

@@ -0,0 +1,15 @@
/*
* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef INTERNAL_LHASH_H
# define INTERNAL_LHASH_H
unsigned long openssl_lh_strcasehash(const char *);
#endif

19
crypto/init.c
View File

@@ -41,7 +41,10 @@ static int stopped = 0;
* key value and pull NULL past initialization in the first thread that * key value and pull NULL past initialization in the first thread that
* intends to use libcrypto. * intends to use libcrypto.
*/ */
static CRYPTO_THREAD_LOCAL destructor_key = (CRYPTO_THREAD_LOCAL)-1; static union {
long sane;
CRYPTO_THREAD_LOCAL value;
} destructor_key = { -1 };
static void ossl_init_thread_stop(struct thread_local_inits_st *locals); static void ossl_init_thread_stop(struct thread_local_inits_st *locals);
@@ -53,17 +56,17 @@ static void ossl_init_thread_destructor(void *local)
static struct thread_local_inits_st *ossl_init_get_thread_local(int alloc) static struct thread_local_inits_st *ossl_init_get_thread_local(int alloc)
{ {
struct thread_local_inits_st *local = struct thread_local_inits_st *local =
CRYPTO_THREAD_get_local(&destructor_key); CRYPTO_THREAD_get_local(&destructor_key.value);
if (alloc) { if (alloc) {
if (local == NULL if (local == NULL
&& (local = OPENSSL_zalloc(sizeof(*local))) != NULL && (local = OPENSSL_zalloc(sizeof(*local))) != NULL
&& !CRYPTO_THREAD_set_local(&destructor_key, local)) { && !CRYPTO_THREAD_set_local(&destructor_key.value, local)) {
OPENSSL_free(local); OPENSSL_free(local);
return NULL; return NULL;
} }
} else { } else {
CRYPTO_THREAD_set_local(&destructor_key, NULL); CRYPTO_THREAD_set_local(&destructor_key.value, NULL);
} }
return local; return local;
@@ -97,7 +100,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base)
#endif #endif
OPENSSL_cpuid_setup(); OPENSSL_cpuid_setup();
destructor_key = key; destructor_key.value = key;
base_inited = 1; base_inited = 1;
return 1; return 1;
@@ -396,7 +399,7 @@ static void ossl_init_thread_stop(struct thread_local_inits_st *locals)
void OPENSSL_thread_stop(void) void OPENSSL_thread_stop(void)
{ {
if (destructor_key != (CRYPTO_THREAD_LOCAL)-1) if (destructor_key.sane != -1)
ossl_init_thread_stop(ossl_init_get_thread_local(0)); ossl_init_thread_stop(ossl_init_get_thread_local(0));
} }
@@ -493,8 +496,8 @@ void OPENSSL_cleanup(void)
err_free_strings_int(); err_free_strings_int();
} }
key = destructor_key; key = destructor_key.value;
destructor_key = (CRYPTO_THREAD_LOCAL)-1; destructor_key.sane = -1;
CRYPTO_THREAD_cleanup_local(&key); CRYPTO_THREAD_cleanup_local(&key);
#ifdef OPENSSL_INIT_DEBUG #ifdef OPENSSL_INIT_DEBUG

10
crypto/kdf/hkdf.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -234,6 +234,7 @@ static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
unsigned char *okm, size_t okm_len) unsigned char *okm, size_t okm_len)
{ {
HMAC_CTX *hmac; HMAC_CTX *hmac;
unsigned char *ret = NULL;
unsigned int i; unsigned int i;
@@ -283,11 +284,10 @@ static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
done_len += copy_len; done_len += copy_len;
} }
ret = okm;
HMAC_CTX_free(hmac);
return okm;
err: err:
OPENSSL_cleanse(prev, sizeof(prev));
HMAC_CTX_free(hmac); HMAC_CTX_free(hmac);
return NULL; return ret;
} }

25
crypto/lhash/lhash.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -12,6 +12,8 @@
#include <stdlib.h> #include <stdlib.h>
#include <openssl/crypto.h> #include <openssl/crypto.h>
#include <openssl/lhash.h> #include <openssl/lhash.h>
#include <ctype.h>
#include "internal/lhash.h"
#include "lhash_lcl.h" #include "lhash_lcl.h"
/* /*
@@ -351,6 +353,27 @@ unsigned long OPENSSL_LH_strhash(const char *c)
return ((ret >> 16) ^ ret); return ((ret >> 16) ^ ret);
} }
unsigned long openssl_lh_strcasehash(const char *c)
{
unsigned long ret = 0;
long n;
unsigned long v;
int r;
if (c == NULL || *c == '\0')
return ret;
for (n = 0x100; *c != '\0'; n += 0x100) {
v = n | tolower(*c);
r = (int)((v >> 2) ^ v) & 0x0f;
ret = (ret << r) | (ret >> (32 - r));
ret &= 0xFFFFFFFFL;
ret ^= v * v;
c++;
}
return (ret >> 16) ^ ret;
}
unsigned long OPENSSL_LH_num_items(const OPENSSL_LHASH *lh) unsigned long OPENSSL_LH_num_items(const OPENSSL_LHASH *lh)
{ {
return lh ? lh->num_items : 0; return lh ? lh->num_items : 0;

16
crypto/mem_sec.c
View File

@@ -134,11 +134,12 @@ void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
void *CRYPTO_secure_zalloc(size_t num, const char *file, int line) void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
{ {
void *ret = CRYPTO_secure_malloc(num, file, line); #ifdef IMPLEMENTED
if (secure_mem_initialized)
if (ret != NULL) /* CRYPTO_secure_malloc() zeroes allocations when it is implemented */
memset(ret, 0, num); return CRYPTO_secure_malloc(num, file, line);
return ret; #endif
return CRYPTO_zalloc(num, file, line);
} }
void CRYPTO_secure_free(void *ptr, const char *file, int line) void CRYPTO_secure_free(void *ptr, const char *file, int line)
@@ -574,6 +575,9 @@ static char *sh_malloc(size_t size)
OPENSSL_assert(WITHIN_ARENA(chunk)); OPENSSL_assert(WITHIN_ARENA(chunk));
/* zero the free list header as a precaution against information leakage */
memset(chunk, 0, sizeof(SH_LIST));
return chunk; return chunk;
} }
@@ -606,6 +610,8 @@ static void sh_free(char *ptr)
list--; list--;
/* Zero the higher addressed block's free list pointers */
memset(ptr > buddy ? ptr : buddy, 0, sizeof(SH_LIST));
if (ptr > buddy) if (ptr > buddy)
ptr = buddy; ptr = buddy;

33
crypto/objects/o_names.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -16,27 +16,26 @@
#include <openssl/objects.h> #include <openssl/objects.h>
#include <openssl/safestack.h> #include <openssl/safestack.h>
#include <openssl/e_os2.h> #include <openssl/e_os2.h>
#include <internal/thread_once.h> #include "internal/thread_once.h"
#include "internal/lhash.h"
#include "obj_lcl.h" #include "obj_lcl.h"
#include "e_os.h"
/* /*
* We define this wrapper for two reasons. Firstly, later versions of * We define this wrapper for two reasons. Firstly, later versions of
* DEC C add linkage information to certain functions, which makes it * DEC C add linkage information to certain functions, which makes it
* tricky to use them as values to regular function pointers. * tricky to use them as values to regular function pointers.
* Secondly, in the EDK2 build environment, the strcmp function is * Secondly, in the EDK2 build environment, the strcasecmp function is
* actually an external function (AsciiStrCmp) with the Microsoft ABI, * actually an external function with the Microsoft ABI, so we can't
* so we can't transparently assign function pointers to it. * transparently assign function pointers to it.
* Arguably the latter is a stupidity of the UEFI environment, but
* since the wrapper solves the DEC C issue too, let's just use the
* same solution.
*/ */
#if defined(OPENSSL_SYS_VMS_DECC) || defined(OPENSSL_SYS_UEFI) #if defined(OPENSSL_SYS_VMS_DECC) || defined(OPENSSL_SYS_UEFI)
static int obj_strcmp(const char *a, const char *b) static int obj_strcasecmp(const char *a, const char *b)
{ {
return strcmp(a, b); return strcasecmp(a, b);
} }
#else #else
#define obj_strcmp strcmp #define obj_strcasecmp strcasecmp
#endif #endif
/* /*
@@ -111,8 +110,8 @@ int OBJ_NAME_new_index(unsigned long (*hash_func) (const char *),
ret = 0; ret = 0;
goto out; goto out;
} }
name_funcs->hash_func = OPENSSL_LH_strhash; name_funcs->hash_func = openssl_lh_strcasehash;
name_funcs->cmp_func = obj_strcmp; name_funcs->cmp_func = obj_strcasecmp;
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
push = sk_NAME_FUNCS_push(name_funcs_stack, name_funcs); push = sk_NAME_FUNCS_push(name_funcs_stack, name_funcs);
@@ -149,7 +148,7 @@ static int obj_name_cmp(const OBJ_NAME *a, const OBJ_NAME *b)
ret = sk_NAME_FUNCS_value(name_funcs_stack, ret = sk_NAME_FUNCS_value(name_funcs_stack,
a->type)->cmp_func(a->name, b->name); a->type)->cmp_func(a->name, b->name);
} else } else
ret = strcmp(a->name, b->name); ret = strcasecmp(a->name, b->name);
} }
return ret; return ret;
} }
@@ -164,7 +163,7 @@ static unsigned long obj_name_hash(const OBJ_NAME *a)
sk_NAME_FUNCS_value(name_funcs_stack, sk_NAME_FUNCS_value(name_funcs_stack,
a->type)->hash_func(a->name); a->type)->hash_func(a->name);
} else { } else {
ret = OPENSSL_LH_strhash(a->name); ret = openssl_lh_strcasehash(a->name);
} }
ret ^= a->type; ret ^= a->type;
return ret; return ret;
@@ -214,8 +213,6 @@ int OBJ_NAME_add(const char *name, int type, const char *data)
if (!OBJ_NAME_init()) if (!OBJ_NAME_init())
return 0; return 0;
CRYPTO_THREAD_write_lock(lock);
alias = type & OBJ_NAME_ALIAS; alias = type & OBJ_NAME_ALIAS;
type &= ~OBJ_NAME_ALIAS; type &= ~OBJ_NAME_ALIAS;
@@ -230,6 +227,8 @@ int OBJ_NAME_add(const char *name, int type, const char *data)
onp->type = type; onp->type = type;
onp->data = data; onp->data = data;
CRYPTO_THREAD_write_lock(lock);
ret = lh_OBJ_NAME_insert(names_lh, onp); ret = lh_OBJ_NAME_insert(names_lh, onp);
if (ret != NULL) { if (ret != NULL) {
/* free things */ /* free things */

12
crypto/ocsp/ocsp_cl.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -166,6 +166,16 @@ const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
return bs->signature; return bs->signature;
} }
const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
{
return &bs->signatureAlgorithm;
}
const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
{
return &bs->tbsResponseData;
}
/* /*
* Return number of OCSP_SINGLERESP responses present in a basic response. * Return number of OCSP_SINGLERESP responses present in a basic response.
*/ */

11
crypto/pem/pvkfmt.c
View File

@@ -675,11 +675,11 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
const unsigned char *p = *in; const unsigned char *p = *in;
unsigned int magic; unsigned int magic;
unsigned char *enctmp = NULL, *q; unsigned char *enctmp = NULL, *q;
unsigned char keybuf[20];
EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new(); EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();
if (saltlen) { if (saltlen) {
char psbuf[PEM_BUFSIZE]; char psbuf[PEM_BUFSIZE];
unsigned char keybuf[20];
int enctmplen, inlen; int enctmplen, inlen;
if (cb) if (cb)
inlen = cb(psbuf, PEM_BUFSIZE, 0, u); inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
@@ -719,7 +719,6 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
memset(keybuf + 5, 0, 11); memset(keybuf + 5, 0, 11);
if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
goto err; goto err;
OPENSSL_cleanse(keybuf, 20);
if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
goto err; goto err;
if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen)) if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
@@ -729,15 +728,17 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT); PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT);
goto err; goto err;
} }
} else }
OPENSSL_cleanse(keybuf, 20);
p = enctmp; p = enctmp;
} }
ret = b2i_PrivateKey(&p, keylen); ret = b2i_PrivateKey(&p, keylen);
err: err:
EVP_CIPHER_CTX_free(cctx); EVP_CIPHER_CTX_free(cctx);
OPENSSL_free(enctmp); if (enctmp != NULL) {
OPENSSL_cleanse(keybuf, sizeof(keybuf));
OPENSSL_free(enctmp);
}
return ret; return ret;
} }

5
crypto/pkcs12/p12_init.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -22,7 +22,8 @@ PKCS12 *PKCS12_init(int mode)
PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE); PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
return NULL; return NULL;
} }
ASN1_INTEGER_set(pkcs12->version, 3); if (!ASN1_INTEGER_set(pkcs12->version, 3))
goto err;
pkcs12->authsafes->type = OBJ_nid2obj(mode); pkcs12->authsafes->type = OBJ_nid2obj(mode);
switch (mode) { switch (mode) {
case NID_pkcs7_data: case NID_pkcs7_data:

34
crypto/pkcs12/p12_mutl.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -7,13 +7,13 @@
* https://www.openssl.org/source/license.html * https://www.openssl.org/source/license.html
*/ */
# include <stdio.h> #include <stdio.h>
# include "internal/cryptlib.h" #include "internal/cryptlib.h"
# include <openssl/crypto.h> #include <openssl/crypto.h>
# include <openssl/hmac.h> #include <openssl/hmac.h>
# include <openssl/rand.h> #include <openssl/rand.h>
# include <openssl/pkcs12.h> #include <openssl/pkcs12.h>
# include "p12_lcl.h" #include "p12_lcl.h"
int PKCS12_mac_present(const PKCS12 *p12) int PKCS12_mac_present(const PKCS12 *p12)
{ {
@@ -44,7 +44,7 @@ void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
} }
} }
# define TK26_MAC_KEY_LEN 32 #define TK26_MAC_KEY_LEN 32
static int pkcs12_gen_gost_mac_key(const char *pass, int passlen, static int pkcs12_gen_gost_mac_key(const char *pass, int passlen,
const unsigned char *salt, int saltlen, const unsigned char *salt, int saltlen,
@@ -75,6 +75,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
unsigned char *out, unsigned char *out,
const EVP_MD *md_type)) const EVP_MD *md_type))
{ {
int ret = 0;
const EVP_MD *md_type; const EVP_MD *md_type;
HMAC_CTX *hmac = NULL; HMAC_CTX *hmac = NULL;
unsigned char key[EVP_MAX_MD_SIZE], *salt; unsigned char key[EVP_MAX_MD_SIZE], *salt;
@@ -111,29 +112,32 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
if ((md_type_nid == NID_id_GostR3411_94 if ((md_type_nid == NID_id_GostR3411_94
|| md_type_nid == NID_id_GostR3411_2012_256 || md_type_nid == NID_id_GostR3411_2012_256
|| md_type_nid == NID_id_GostR3411_2012_512) || md_type_nid == NID_id_GostR3411_2012_512)
&& !getenv("LEGACY_GOST_PKCS12")) { && ossl_safe_getenv("LEGACY_GOST_PKCS12") == NULL) {
md_size = TK26_MAC_KEY_LEN; md_size = TK26_MAC_KEY_LEN;
if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter, if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter,
md_size, key, md_type)) { md_size, key, md_type)) {
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR); PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
return 0; goto err;
} }
} else } else
if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID, if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID,
iter, md_size, key, md_type)) { iter, md_size, key, md_type)) {
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR); PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
return 0; goto err;
} }
if ((hmac = HMAC_CTX_new()) == NULL if ((hmac = HMAC_CTX_new()) == NULL
|| !HMAC_Init_ex(hmac, key, md_size, md_type, NULL) || !HMAC_Init_ex(hmac, key, md_size, md_type, NULL)
|| !HMAC_Update(hmac, p12->authsafes->d.data->data, || !HMAC_Update(hmac, p12->authsafes->d.data->data,
p12->authsafes->d.data->length) p12->authsafes->d.data->length)
|| !HMAC_Final(hmac, mac, maclen)) { || !HMAC_Final(hmac, mac, maclen)) {
HMAC_CTX_free(hmac); goto err;
return 0;
} }
ret = 1;
err:
OPENSSL_cleanse(key, sizeof(key));
HMAC_CTX_free(hmac); HMAC_CTX_free(hmac);
return 1; return ret;
} }
int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,

3
crypto/pkcs7/pk7_lib.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -134,7 +134,6 @@ int PKCS7_set_type(PKCS7 *p7, int type)
if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new()) if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new())
== NULL) == NULL)
goto err; goto err;
ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1);
if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1)) if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1))
goto err; goto err;
p7->d.signed_and_enveloped->enc_data->content_type p7->d.signed_and_enveloped->enc_data->content_type

12
crypto/rand/md_rand.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -275,7 +275,6 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
static volatile int stirred_pool = 0; static volatile int stirred_pool = 0;
int i, j, k; int i, j, k;
size_t num_ceil, st_idx, st_num; size_t num_ceil, st_idx, st_num;
int ok;
long md_c[2]; long md_c[2];
unsigned char local_md[MD_DIGEST_LENGTH]; unsigned char local_md[MD_DIGEST_LENGTH];
EVP_MD_CTX *m; EVP_MD_CTX *m;
@@ -362,14 +361,13 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
if (!initialized) { if (!initialized) {
RAND_poll(); RAND_poll();
initialized = 1; initialized = (entropy >= ENTROPY_NEEDED);
} }
if (!stirred_pool) if (!stirred_pool)
do_stir_pool = 1; do_stir_pool = 1;
ok = (entropy >= ENTROPY_NEEDED); if (!initialized) {
if (!ok) {
/* /*
* If the PRNG state is not yet unpredictable, then seeing the PRNG * If the PRNG state is not yet unpredictable, then seeing the PRNG
* output may help attackers to determine the new state; thus we have * output may help attackers to determine the new state; thus we have
@@ -408,7 +406,7 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0); rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0);
n -= MD_DIGEST_LENGTH; n -= MD_DIGEST_LENGTH;
} }
if (ok) if (initialized)
stirred_pool = 1; stirred_pool = 1;
} }
@@ -500,7 +498,7 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
CRYPTO_THREAD_unlock(rand_lock); CRYPTO_THREAD_unlock(rand_lock);
EVP_MD_CTX_free(m); EVP_MD_CTX_free(m);
if (ok) if (initialized)
return (1); return (1);
else if (pseudo) else if (pseudo)
return 0; return 0;

11
crypto/rand/randfile.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -314,14 +314,9 @@ const char *RAND_file_name(char *buf, size_t size)
} }
} }
#else #else
if (OPENSSL_issetugid() != 0) { if ((s = ossl_safe_getenv("RANDFILE")) == NULL || *s == '\0') {
use_randfile = 0; use_randfile = 0;
} else { s = ossl_safe_getenv("HOME");
s = getenv("RANDFILE");
if (s == NULL || *s == '\0') {
use_randfile = 0;
s = getenv("HOME");
}
} }
#endif #endif
#ifdef DEFAULT_HOME #ifdef DEFAULT_HOME

6
crypto/rsa/rsa_lib.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -94,7 +94,7 @@ RSA *RSA_new_method(ENGINE *engine)
return ret; return ret;
err: err:
RSA_free(ret); RSA_free(ret);
return NULL; return NULL;
} }
@@ -112,7 +112,7 @@ void RSA_free(RSA *r)
return; return;
REF_ASSERT_ISNT(i < 0); REF_ASSERT_ISNT(i < 0);
if (r->meth->finish) if (r->meth != NULL && r->meth->finish != NULL)
r->meth->finish(r); r->meth->finish(r);
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
ENGINE_finish(r->engine); ENGINE_finish(r->engine);

4
crypto/rsa/rsa_meth.c
View File

@@ -163,13 +163,13 @@ int RSA_meth_set_priv_dec(RSA_METHOD *meth,
/* Can be null */ /* Can be null */
int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth)) int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx)
{ {
return meth->rsa_mod_exp; return meth->rsa_mod_exp;
} }
int RSA_meth_set_mod_exp(RSA_METHOD *meth, int RSA_meth_set_mod_exp(RSA_METHOD *meth,
int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa,
BN_CTX *ctx)) BN_CTX *ctx))
{ {
meth->rsa_mod_exp = mod_exp; meth->rsa_mod_exp = mod_exp;

33
crypto/rsa/rsa_oaep.c
View File

@@ -43,10 +43,12 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
const unsigned char *param, int plen, const unsigned char *param, int plen,
const EVP_MD *md, const EVP_MD *mgf1md) const EVP_MD *md, const EVP_MD *mgf1md)
{ {
int rv = 0;
int i, emlen = tlen - 1; int i, emlen = tlen - 1;
unsigned char *db, *seed; unsigned char *db, *seed;
unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE]; unsigned char *dbmask = NULL;
int mdlen; unsigned char seedmask[EVP_MAX_MD_SIZE];
int mdlen, dbmask_len = 0;
if (md == NULL) if (md == NULL)
md = EVP_sha1(); md = EVP_sha1();
@@ -72,40 +74,41 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
db = to + mdlen + 1; db = to + mdlen + 1;
if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL)) if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))
return 0; goto err;
memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1); memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
db[emlen - flen - mdlen - 1] = 0x01; db[emlen - flen - mdlen - 1] = 0x01;
memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
if (RAND_bytes(seed, mdlen) <= 0) if (RAND_bytes(seed, mdlen) <= 0)
return 0; goto err;
#ifdef PKCS_TESTVECT #ifdef PKCS_TESTVECT
memcpy(seed, memcpy(seed,
"\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f", "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
20); 20);
#endif #endif
dbmask = OPENSSL_malloc(emlen - mdlen); dbmask_len = emlen - mdlen;
dbmask = OPENSSL_malloc(dbmask_len);
if (dbmask == NULL) { if (dbmask == NULL) {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
return 0; goto err;
} }
if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) if (PKCS1_MGF1(dbmask, dbmask_len, seed, mdlen, mgf1md) < 0)
goto err; goto err;
for (i = 0; i < emlen - mdlen; i++) for (i = 0; i < dbmask_len; i++)
db[i] ^= dbmask[i]; db[i] ^= dbmask[i];
if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) if (PKCS1_MGF1(seedmask, mdlen, db, dbmask_len, mgf1md) < 0)
goto err; goto err;
for (i = 0; i < mdlen; i++) for (i = 0; i < mdlen; i++)
seed[i] ^= seedmask[i]; seed[i] ^= seedmask[i];
rv = 1;
OPENSSL_free(dbmask);
return 1;
err: err:
OPENSSL_free(dbmask); OPENSSL_cleanse(seedmask, sizeof(seedmask));
return 0; OPENSSL_clear_free(dbmask, dbmask_len);
return rv;
} }
int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
@@ -247,6 +250,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
RSA_R_OAEP_DECODING_ERROR); RSA_R_OAEP_DECODING_ERROR);
cleanup: cleanup:
OPENSSL_cleanse(seed, sizeof(seed));
OPENSSL_clear_free(db, dblen); OPENSSL_clear_free(db, dblen);
OPENSSL_clear_free(em, num); OPENSSL_clear_free(em, num);
return mlen; return mlen;
@@ -289,6 +293,7 @@ int PKCS1_MGF1(unsigned char *mask, long len,
} }
rv = 0; rv = 0;
err: err:
OPENSSL_cleanse(md, sizeof(md));
EVP_MD_CTX_free(c); EVP_MD_CTX_free(c);
return rv; return rv;
} }

131
crypto/rsa/rsa_ossl.c
View File

@@ -127,8 +127,8 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
} }
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) rsa->n, ctx))
goto err; goto err;
if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
@@ -312,8 +312,8 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) { rsa->n, ctx)) {
BN_free(d); BN_free(d);
goto err; goto err;
} }
@@ -435,8 +435,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) { rsa->n, ctx)) {
BN_free(d); BN_free(d);
goto err; goto err;
} }
@@ -541,8 +541,8 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
} }
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) rsa->n, ctx))
goto err; goto err;
if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
@@ -583,7 +583,7 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
{ {
BIGNUM *r1, *m1, *vrfy; BIGNUM *r1, *m1, *vrfy;
int ret = 0; int ret = 0, smooth = 0;
BN_CTX_start(ctx); BN_CTX_start(ctx);
@@ -593,43 +593,80 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
if (vrfy == NULL) if (vrfy == NULL)
goto err; goto err;
{ if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
BIGNUM *p = BN_new(), *q = BN_new(); BIGNUM *factor = BN_new();
if (factor == NULL)
goto err;
/* /*
* Make sure BN_mod_inverse in Montgomery initialization uses the * Make sure BN_mod_inverse in Montgomery initialization uses the
* BN_FLG_CONSTTIME flag * BN_FLG_CONSTTIME flag
*/ */
if (p == NULL || q == NULL) { if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME),
BN_free(p); BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock,
BN_free(q); factor, ctx))
|| !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME),
BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock,
factor, ctx))) {
BN_free(factor);
goto err; goto err;
} }
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_p, rsa->lock, p, ctx)
|| !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
rsa->lock, q, ctx)) {
BN_free(p);
BN_free(q);
goto err;
}
}
/* /*
* We MUST free p and q before any further use of rsa->p and rsa->q * We MUST free |factor| before any further use of the prime factors
*/ */
BN_free(p); BN_free(factor);
BN_free(q);
smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont)
&& (BN_num_bits(rsa->q) == BN_num_bits(rsa->p));
} }
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) rsa->n, ctx))
goto err; goto err;
if (smooth) {
/*
* Conversion from Montgomery domain, a.k.a. Montgomery reduction,
* accepts values in [0-m*2^w) range. w is m's bit width rounded up
* to limb width. So that at the very least if |I| is fully reduced,
* i.e. less than p*q, we can count on from-to round to perform
* below modulo operations on |I|. Unlike BN_mod it's constant time.
*/
if (/* m1 = I moq q */
!bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)
|| !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)
/* m1 = m1^dmq1 mod q */
|| !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx,
rsa->_method_mod_q)
/* r1 = I mod p */
|| !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)
|| !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
/* r1 = r1^dmp1 mod p */
|| !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx,
rsa->_method_mod_p)
/* r1 = (r1 - m1) mod p */
/*
* bn_mod_sub_fixed_top is not regular modular subtraction,
* it can tolerate subtrahend to be larger than modulus, but
* not bit-wise wider. This makes up for uncommon q>p case,
* when |m1| can be larger than |rsa->p|.
*/
|| !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
/* r1 = r1 * iqmp mod p */
|| !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
|| !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
ctx)
/* r0 = r1 * q + m1 */
|| !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
|| !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
goto err;
goto tail;
}
/* compute I mod q */ /* compute I mod q */
{ {
BIGNUM *c = BN_new(); BIGNUM *c = BN_new();
@@ -652,7 +689,7 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
/* compute r1^dmq1 mod q */ /* compute r1^dmq1 mod q */
if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
rsa->_method_mod_q)) { rsa->_method_mod_q)) {
BN_free(c); BN_free(c);
BN_free(dmq1); BN_free(dmq1);
goto err; goto err;
@@ -728,10 +765,18 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
if (!BN_add(r0, r1, m1)) if (!BN_add(r0, r1, m1))
goto err; goto err;
tail:
if (rsa->e && rsa->n) { if (rsa->e && rsa->n) {
if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {
rsa->_method_mod_n)) if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,
goto err; rsa->_method_mod_n))
goto err;
} else {
bn_correct_top(r0);
if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
rsa->_method_mod_n))
goto err;
}
/* /*
* If 'I' was greater than (or equal to) rsa->n, the operation will * If 'I' was greater than (or equal to) rsa->n, the operation will
* be equivalent to using 'I mod n'. However, the result of the * be equivalent to using 'I mod n'. However, the result of the
@@ -740,6 +785,11 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
*/ */
if (!BN_sub(vrfy, vrfy, I)) if (!BN_sub(vrfy, vrfy, I))
goto err; goto err;
if (BN_is_zero(vrfy)) {
bn_correct_top(r0);
ret = 1;
goto err; /* not actually error */
}
if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
goto err; goto err;
if (BN_is_negative(vrfy)) if (BN_is_negative(vrfy))
@@ -766,6 +816,15 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
BN_free(d); BN_free(d);
} }
} }
/*
* It's unfortunate that we have to bn_correct_top(r0). What hopefully
* saves the day is that correction is highly unlike, and private key
* operations are customarily performed on blinded message. Which means
* that attacker won't observe correlation with chosen plaintext.
* Secondly, remaining code would still handle it in same computational
* time and even conceal memory access pattern around corrected top.
*/
bn_correct_top(r0);
ret = 1; ret = 1;
err: err:
BN_CTX_end(ctx); BN_CTX_end(ctx);

4
crypto/rsa/rsa_pss.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -242,7 +242,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
err: err:
EVP_MD_CTX_free(ctx); EVP_MD_CTX_free(ctx);
OPENSSL_free(salt); OPENSSL_clear_free(salt, sLen);
return ret; return ret;

18
crypto/ui/ui_openssl.c
View File

@@ -436,6 +436,24 @@ static int open_console(UI *ui)
is_a_tty = 0; is_a_tty = 0;
else else
# endif # endif
# ifdef ENXIO
/*
* Solaris can return ENXIO.
* This should be ok
*/
if (errno == ENXIO)
is_a_tty = 0;
else
# endif
# ifdef EIO
/*
* Linux can return EIO.
* This should be ok
*/
if (errno == EIO)
is_a_tty = 0;
else
# endif
# ifdef ENODEV # ifdef ENODEV
/* /*
* MacOS X returns ENODEV (Operation not supported by device), * MacOS X returns ENODEV (Operation not supported by device),

3
crypto/x509/by_dir.c
View File

@@ -78,7 +78,8 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
switch (cmd) { switch (cmd) {
case X509_L_ADD_DIR: case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT) { if (argl == X509_FILETYPE_DEFAULT) {
dir = (char *)getenv(X509_get_default_cert_dir_env()); dir = (char *)ossl_safe_getenv(X509_get_default_cert_dir_env());
if (dir) if (dir)
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
else else

4
crypto/x509/by_file.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -47,7 +47,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
switch (cmd) { switch (cmd) {
case X509_L_FILE_LOAD: case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT) { if (argl == X509_FILETYPE_DEFAULT) {
file = getenv(X509_get_default_cert_file_env()); file = ossl_safe_getenv(X509_get_default_cert_file_env());
if (file) if (file)
ok = (X509_load_cert_crl_file(ctx, file, ok = (X509_load_cert_crl_file(ctx, file,
X509_FILETYPE_PEM) != 0); X509_FILETYPE_PEM) != 0);

4
crypto/x509/x509_meth.c
View File

@@ -58,9 +58,9 @@ int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method))
int X509_LOOKUP_meth_set_free( int X509_LOOKUP_meth_set_free(
X509_LOOKUP_METHOD *method, X509_LOOKUP_METHOD *method,
void (*free) (X509_LOOKUP *ctx)) void (*free_fn) (X509_LOOKUP *ctx))
{ {
method->free = free; method->free = free_fn;
return 1; return 1;
} }

11
crypto/x509/x509_vfy.c
View File

@@ -515,15 +515,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
/* check_purpose() makes the callback as needed */ /* check_purpose() makes the callback as needed */
if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca)) if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
return 0; return 0;
/* Check pathlen if not self issued */ /* Check pathlen */
if ((i > 1) && !(x->ex_flags & EXFLAG_SI) if ((i > 1) && (x->ex_pathlen != -1)
&& (x->ex_pathlen != -1) && (plen > (x->ex_pathlen + proxy_path_length))) {
&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED)) if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
return 0; return 0;
} }
/* Increment path length if not self issued */ /* Increment path length if not a self issued intermediate CA */
if (!(x->ex_flags & EXFLAG_SI)) if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)
plen++; plen++;
/* /*
* If this certificate is a proxy certificate, the next certificate * If this certificate is a proxy certificate, the next certificate

6
doc/apps/ca.pod
View File

@@ -243,8 +243,10 @@ for all available algorithms.
=item B<-subj arg> =item B<-subj arg>
supersedes subject name given in the request. supersedes subject name given in the request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>, The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
characters may be escaped by \ (backslash), no spaces are skipped. Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
=item B<-utf8> =item B<-utf8>

4
doc/apps/crl.pod
View File

@@ -120,7 +120,7 @@ Convert a CRL file from PEM to DER:
Output the text form of a DER encoded certificate: Output the text form of a DER encoded certificate:
openssl crl -in crl.der -text -noout openssl crl -in crl.der -inform DER -text -noout
=head1 BUGS =head1 BUGS
@@ -133,7 +133,7 @@ L<crl2pkcs7(1)>, L<ca(1)>, L<x509(1)>
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

9
doc/apps/req.pod
View File

@@ -213,8 +213,10 @@ see L<openssl(1)/COMMAND SUMMARY>.
sets subject name for new request or supersedes the subject name sets subject name for new request or supersedes the subject name
when processing a request. when processing a request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>, The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
characters may be escaped by \ (backslash), no spaces are skipped. Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the request.
=item B<-multivalue-rdn> =item B<-multivalue-rdn>
@@ -369,7 +371,6 @@ option. For compatibility B<encrypt_rsa_key> is an equivalent option.
This option specifies the digest algorithm to use. This option specifies the digest algorithm to use.
Any digest supported by the OpenSSL B<dgst> command can be used. Any digest supported by the OpenSSL B<dgst> command can be used.
If not present then MD5 is used.
This option can be overridden on the command line. This option can be overridden on the command line.
=item B<string_mask> =item B<string_mask>
@@ -652,7 +653,7 @@ L<x509v3_config(5)>
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

2
doc/crypto/EVP_DigestInit.pod
View File

@@ -223,7 +223,7 @@ EVP_MD_CTX_copy_ex() because they can efficiently reuse a digest context
instead of initializing and cleaning it up on each call and allow non default instead of initializing and cleaning it up on each call and allow non default
implementations of digests to be specified. implementations of digests to be specified.
If digest contexts are not cleaned up after use If digest contexts are not cleaned up after use,
memory leaks will occur. memory leaks will occur.
EVP_MD_CTX_size(), EVP_MD_CTX_block_size(), EVP_MD_CTX_type(), EVP_MD_CTX_size(), EVP_MD_CTX_block_size(), EVP_MD_CTX_type(),

18
doc/crypto/EVP_DigestSignInit.pod
View File

@@ -19,14 +19,16 @@ The EVP signature routines are a high level interface to digital signatures.
EVP_DigestSignInit() sets up signing context B<ctx> to use digest B<type> from EVP_DigestSignInit() sets up signing context B<ctx> to use digest B<type> from
ENGINE B<impl> and private key B<pkey>. B<ctx> must be created with ENGINE B<impl> and private key B<pkey>. B<ctx> must be created with
EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL the EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL, the
EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can
be used to set alternative signing options. The digest B<type> may be NULL if be used to set alternative signing options. Note that any existing value in
the signing algorithm supports it. B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be freed
directly by the application (it will be freed automatically when the EVP_MD_CTX
is freed). The digest B<type> may be NULL if the signing algorithm supports it.
Only EVP_PKEY types that support signing can be used with these functions. This Only EVP_PKEY types that support signing can be used with these functions. This
includes MAC algorithms where the MAC generation is considered as a form of includes MAC algorithms where the MAC generation is considered as a form of
"signing." Built-in EVP_PKEY types supported by these functions are CMAC, DSA, "signing". Built-in EVP_PKEY types supported by these functions are CMAC, DSA,
ECDSA, HMAC and RSA. ECDSA, HMAC and RSA.
Not all digests can be used for all key types. The following combinations apply. Not all digests can be used for all key types. The following combinations apply.
@@ -69,17 +71,17 @@ signature context B<ctx>. This function can be called several times on the
same B<ctx> to include additional data. This function is currently implemented same B<ctx> to include additional data. This function is currently implemented
using a macro. using a macro.
EVP_DigestSignFinal() signs the data in B<ctx> places the signature in B<sig>. EVP_DigestSignFinal() signs the data in B<ctx> and places the signature in B<sig>.
If B<sig> is B<NULL> then the maximum size of the output buffer is written to If B<sig> is B<NULL> then the maximum size of the output buffer is written to
the B<siglen> parameter. If B<sig> is not B<NULL> then before the call the the B<siglen> parameter. If B<sig> is not B<NULL> then before the call the
B<siglen> parameter should contain the length of the B<sig> buffer, if the B<siglen> parameter should contain the length of the B<sig> buffer. If the
call is successful the signature is written to B<sig> and the amount of data call is successful the signature is written to B<sig> and the amount of data
written to B<siglen>. written to B<siglen>.
=head1 RETURN VALUES =head1 RETURN VALUES
EVP_DigestSignInit() EVP_DigestSignUpdate() and EVP_DigestSignaFinal() return EVP_DigestSignInit() EVP_DigestSignUpdate() and EVP_DigestSignaFinal() return
1 for success and 0 or a negative value for failure. In particular a return 1 for success and 0 or a negative value for failure. In particular, a return
value of -2 indicates the operation is not supported by the public key value of -2 indicates the operation is not supported by the public key
algorithm. algorithm.
@@ -103,7 +105,7 @@ The call to EVP_DigestSignFinal() internally finalizes a copy of the digest
context. This means that calls to EVP_DigestSignUpdate() and context. This means that calls to EVP_DigestSignUpdate() and
EVP_DigestSignFinal() can be called later to digest and sign additional data. EVP_DigestSignFinal() can be called later to digest and sign additional data.
Since only a copy of the digest context is ever finalized the context must Since only a copy of the digest context is ever finalized, the context must
be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
will occur. will occur.

11
doc/crypto/EVP_DigestVerifyInit.pod
View File

@@ -19,9 +19,12 @@ The EVP signature routines are a high level interface to digital signatures.
EVP_DigestVerifyInit() sets up verification context B<ctx> to use digest EVP_DigestVerifyInit() sets up verification context B<ctx> to use digest
B<type> from ENGINE B<impl> and public key B<pkey>. B<ctx> must be created B<type> from ENGINE B<impl> and public key B<pkey>. B<ctx> must be created
with EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL the with EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL, the
EVP_PKEY_CTX of the verification operation will be written to B<*pctx>: this EVP_PKEY_CTX of the verification operation will be written to B<*pctx>: this
can be used to set alternative verification options. can be used to set alternative verification options. Note that any existing
value in B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be
freed directly by the application (it will be freed automatically when the
EVP_MD_CTX is freed).
EVP_DigestVerifyUpdate() hashes B<cnt> bytes of data at B<d> into the EVP_DigestVerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
verification context B<ctx>. This function can be called several times on the verification context B<ctx>. This function can be called several times on the
@@ -62,7 +65,7 @@ The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest
context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can
be called later to digest and verify additional data. be called later to digest and verify additional data.
Since only a copy of the digest context is ever finalized the context must Since only a copy of the digest context is ever finalized, the context must
be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
will occur. will occur.
@@ -81,7 +84,7 @@ were first added to OpenSSL 1.0.0.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy this file except in compliance with the License. You can obtain a copy

12
doc/crypto/OCSP_resp_find_status.pod
View File

@@ -6,6 +6,9 @@ OCSP_resp_get0_certs,
OCSP_resp_get0_signer, OCSP_resp_get0_signer,
OCSP_resp_get0_id, OCSP_resp_get0_id,
OCSP_resp_get0_produced_at, OCSP_resp_get0_produced_at,
OCSP_resp_get0_signature,
OCSP_resp_get0_tbs_sigalg,
OCSP_resp_get0_respdata,
OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
OCSP_single_get0_status, OCSP_check_validity, OCSP_single_get0_status, OCSP_check_validity,
OCSP_basic_verify OCSP_basic_verify
@@ -32,6 +35,9 @@ OCSP_basic_verify
const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at( const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
const OCSP_BASICRESP* single); const OCSP_BASICRESP* single);
const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs); const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
@@ -78,6 +84,12 @@ B<*revtime>, B<*thisupd> and B<*nextupd>.
OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the OCSP_resp_get0_produced_at() extracts the B<producedAt> field from the
single response B<bs>. single response B<bs>.
OCSP_resp_get0_signature() returns the signature from B<bs>.
OCSP_resp_get0_tbs_sigalg() returns the B<signatureAlgorithm> from B<bs>.
OCSP_resp_get0_respdata() returns the B<tbsResponseData> from B<bs>.
OCSP_resp_get0_certs() returns any certificates included in B<bs>. OCSP_resp_get0_certs() returns any certificates included in B<bs>.
OCSP_resp_get0_signer() attempts to retrieve the certificate that directly OCSP_resp_get0_signer() attempts to retrieve the certificate that directly

7
doc/crypto/OPENSSL_VERSION_NUMBER.pod
View File

@@ -2,13 +2,14 @@
=head1 NAME =head1 NAME
OPENSSL_VERSION_NUMBER, OpenSSL_version, OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT, OpenSSL_version,
OpenSSL_version_num - get OpenSSL version number OpenSSL_version_num - get OpenSSL version number
=head1 SYNOPSIS =head1 SYNOPSIS
#include <openssl/opensslv.h> #include <openssl/opensslv.h>
#define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL
#define OPENSSL_VERSION_TEXT "OpenSSL x.y.z xx XXX xxxx"
#include <openssl/crypto.h> #include <openssl/crypto.h>
@@ -45,6 +46,10 @@ Version 0.9.5a had an interim interpretation that is like the current one,
except the patch level got the highest bit set, to keep continuity. The except the patch level got the highest bit set, to keep continuity. The
number was therefore 0x0090581f. number was therefore 0x0090581f.
OPENSSL_VERSION_TEXT is the text variant of the version number and the
release date. For example,
"OpenSSL 1.0.1a 15 Oct 2015".
OpenSSL_version_num() returns the version number. OpenSSL_version_num() returns the version number.
OpenSSL_version() returns different strings depending on B<t>: OpenSSL_version() returns different strings depending on B<t>:

4
doc/crypto/RSA_meth_new.pod
View File

@@ -58,9 +58,9 @@ RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen
int padding)); int padding));
/* Can be null */ /* Can be null */
int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth)) int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
int RSA_meth_set_mod_exp(RSA_METHOD *rsa, int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa,
BN_CTX *ctx)); BN_CTX *ctx));
/* Can be null */ /* Can be null */
int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth)) int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))

30
engines/e_capi.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -917,6 +917,7 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
unsigned char *tmpbuf; unsigned char *tmpbuf;
CAPI_KEY *capi_key; CAPI_KEY *capi_key;
CAPI_CTX *ctx; CAPI_CTX *ctx;
DWORD flags = 0;
DWORD dlen; DWORD dlen;
if (flen <= 0) if (flen <= 0)
@@ -932,12 +933,23 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
return -1; return -1;
} }
if (padding != RSA_PKCS1_PADDING) { switch (padding) {
char errstr[10]; case RSA_PKCS1_PADDING:
BIO_snprintf(errstr, 10, "%d", padding); /* Nothing to do */
CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING); break;
ERR_add_error_data(2, "padding=", errstr); #ifdef CRYPT_DECRYPT_RSA_NO_PADDING_CHECK
return -1; case RSA_NO_PADDING:
flags = CRYPT_DECRYPT_RSA_NO_PADDING_CHECK;
break;
#endif
default:
{
char errstr[10];
BIO_snprintf(errstr, 10, "%d", padding);
CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING);
ERR_add_error_data(2, "padding=", errstr);
return -1;
}
} }
/* Create temp reverse order version of input */ /* Create temp reverse order version of input */
@@ -950,14 +962,16 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
/* Finally decrypt it */ /* Finally decrypt it */
dlen = flen; dlen = flen;
if (!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, &dlen)) { if (!CryptDecrypt(capi_key->key, 0, TRUE, flags, tmpbuf, &dlen)) {
CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR); CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR);
capi_addlasterror(); capi_addlasterror();
OPENSSL_cleanse(tmpbuf, dlen);
OPENSSL_free(tmpbuf); OPENSSL_free(tmpbuf);
return -1; return -1;
} else { } else {
memcpy(to, tmpbuf, (flen = (int)dlen)); memcpy(to, tmpbuf, (flen = (int)dlen));
} }
OPENSSL_cleanse(tmpbuf, flen);
OPENSSL_free(tmpbuf); OPENSSL_free(tmpbuf);
return flen; return flen;

10
include/openssl/asn1_mac.h Normal file
View File

@@ -0,0 +1,10 @@
/*
* Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#error "This file is obsolete; please update your software."

3
include/openssl/ec.h
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -1424,6 +1424,7 @@ int ERR_load_EC_strings(void);
# define EC_F_EC_GFP_NIST_FIELD_MUL 200 # define EC_F_EC_GFP_NIST_FIELD_MUL 200
# define EC_F_EC_GFP_NIST_FIELD_SQR 201 # define EC_F_EC_GFP_NIST_FIELD_SQR 201
# define EC_F_EC_GFP_NIST_GROUP_SET_CURVE 202 # define EC_F_EC_GFP_NIST_GROUP_SET_CURVE 202
# define EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES 287
# define EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT 165 # define EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT 165
# define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE 166 # define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE 166
# define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE 102 # define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE 102

7
include/openssl/ocsp.h
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -92,7 +92,6 @@ typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES;
# define V_OCSP_RESPID_KEY 1 # define V_OCSP_RESPID_KEY 1
DEFINE_STACK_OF(OCSP_RESPID) DEFINE_STACK_OF(OCSP_RESPID)
DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO; typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
@@ -159,8 +158,6 @@ int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it,
int OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx, ASN1_VALUE **pval, int OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx, ASN1_VALUE **pval,
const ASN1_ITEM *it); const ASN1_ITEM *it);
BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx); BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx);
int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it,
ASN1_VALUE *val);
int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, const char *op, const char *path); int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, const char *op, const char *path);
int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req); int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
@@ -194,6 +191,8 @@ int OCSP_response_status(OCSP_RESPONSE *resp);
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs); const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
STACK_OF(X509) *extra_certs); STACK_OF(X509) *extra_certs);

6
include/openssl/opensslv.h
View File

@@ -39,11 +39,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
# define OPENSSL_VERSION_NUMBER 0x1010009fL # define OPENSSL_VERSION_NUMBER 0x101000afL
# ifdef OPENSSL_FIPS # ifdef OPENSSL_FIPS
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0i-fips 14 Aug 2018" # define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0j-fips 20 Nov 2018"
# else # else
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0i 14 Aug 2018" # define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0j 20 Nov 2018"
# endif # endif
/*- /*-

4
include/openssl/rsa.h
View File

@@ -407,9 +407,9 @@ int RSA_meth_set_priv_dec(RSA_METHOD *rsa,
unsigned char *to, RSA *rsa, unsigned char *to, RSA *rsa,
int padding)); int padding));
int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth)) int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
int RSA_meth_set_mod_exp(RSA_METHOD *rsa, int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa,
BN_CTX *ctx)); BN_CTX *ctx));
int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth)) int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,

17
include/openssl/symhacks.h
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -28,21 +28,6 @@
# undef i2d_ECPKPARAMETERS # undef i2d_ECPKPARAMETERS
# define i2d_ECPKPARAMETERS i2d_UC_ECPKPARAMETERS # define i2d_ECPKPARAMETERS i2d_UC_ECPKPARAMETERS
/*
* These functions do not seem to exist! However, I'm paranoid... Original
* command in x509v3.h: These functions are being redefined in another
* directory, and clash when the linker is case-insensitive, so let's hide
* them a little, by giving them an extra 'o' at the beginning of the name...
*/
# undef X509v3_cleanup_extensions
# define X509v3_cleanup_extensions oX509v3_cleanup_extensions
# undef X509v3_add_extension
# define X509v3_add_extension oX509v3_add_extension
# undef X509v3_add_netscape_extensions
# define X509v3_add_netscape_extensions oX509v3_add_netscape_extensions
# undef X509v3_add_standard_extensions
# define X509v3_add_standard_extensions oX509v3_add_standard_extensions
/* This one clashes with CMS_data_create */ /* This one clashes with CMS_data_create */
# undef cms_Data_create # undef cms_Data_create
# define cms_Data_create priv_cms_Data_create # define cms_Data_create priv_cms_Data_create

2
include/openssl/x509_vfy.h
View File

@@ -397,7 +397,7 @@ int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method))
(X509_LOOKUP *ctx); (X509_LOOKUP *ctx);
int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method,
void (*free) (X509_LOOKUP *ctx)); void (*free_fn) (X509_LOOKUP *ctx));
void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method))
(X509_LOOKUP *ctx); (X509_LOOKUP *ctx);

10
ssl/s3_enc.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -404,13 +404,14 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p)
} }
if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) { if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) {
SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR);
return 0; ret = 0;
goto err;
} }
ret = EVP_MD_CTX_size(ctx); ret = EVP_MD_CTX_size(ctx);
if (ret < 0) { if (ret < 0) {
EVP_MD_CTX_reset(ctx); ret = 0;
return 0; goto err;
} }
if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0) if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0)
@@ -422,6 +423,7 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p)
ret = 0; ret = 0;
} }
err:
EVP_MD_CTX_free(ctx); EVP_MD_CTX_free(ctx);
return ret; return ret;

5
test/build.info
View File

@@ -2,7 +2,7 @@ IF[{- !$disabled{tests} -}]
PROGRAMS_NO_INST=\ PROGRAMS_NO_INST=\
versions \ versions \
aborttest \ aborttest \
sanitytest exdatatest bntest \ sanitytest rsa_complex exdatatest bntest \
ectest ecdsatest gmdifftest pbelutest ideatest \ ectest ecdsatest gmdifftest pbelutest ideatest \
md2test md4test md5test \ md2test md4test md5test \
hmactest wp_test \ hmactest wp_test \
@@ -32,6 +32,9 @@ IF[{- !$disabled{tests} -}]
INCLUDE[sanitytest]=../include INCLUDE[sanitytest]=../include
DEPEND[sanitytest]=../libcrypto DEPEND[sanitytest]=../libcrypto
SOURCE[rsa_complex]=rsa_complex.c
INCLUDE[rsa_complex]=../include
SOURCE[exdatatest]=exdatatest.c SOURCE[exdatatest]=exdatatest.c
INCLUDE[exdatatest]=../include INCLUDE[exdatatest]=../include
DEPEND[exdatatest]=../libcrypto DEPEND[exdatatest]=../libcrypto

6
test/ct_test.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -542,8 +542,8 @@ static int test_default_ct_policy_eval_ctx_time_is_now()
{ {
int success = 0; int success = 0;
CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new(); CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
const time_t default_time = CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / const time_t default_time =
1000; (time_t)(CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / 1000);
const time_t time_tolerance = 600; /* 10 minutes */ const time_t time_tolerance = 600; /* 10 minutes */
if (fabs(difftime(time(NULL), default_time)) > time_tolerance) { if (fabs(difftime(time(NULL), default_time)) > time_tolerance) {

48
test/evp_extra_test.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@@ -9,6 +9,7 @@
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h>
#include <openssl/bio.h> #include <openssl/bio.h>
#include <openssl/crypto.h> #include <openssl/crypto.h>
#include <openssl/err.h> #include <openssl/err.h>
@@ -326,6 +327,46 @@ static int test_d2i_AutoPrivateKey(const unsigned char *input,
return ret; return ret;
} }
static int test_EVP_Enveloped(void)
{
int ret = 0;
EVP_CIPHER_CTX *ctx = NULL;
EVP_PKEY *keypair = NULL;
unsigned char *kek = NULL;
int kek_len;
unsigned char iv[EVP_MAX_IV_LENGTH];
static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
int len, ciphertext_len, plaintext_len;
unsigned char ciphertext[32], plaintext[16];
const EVP_CIPHER *type = EVP_aes_256_cbc();
if ((keypair = load_example_rsa_key()) == NULL
|| (kek = OPENSSL_zalloc(EVP_PKEY_size(keypair))) == NULL
|| (ctx = EVP_CIPHER_CTX_new()) == NULL
|| !EVP_SealInit(ctx, type, &kek, &kek_len, iv, &keypair, 1)
|| !EVP_SealUpdate(ctx, ciphertext, &ciphertext_len,
msg, sizeof(msg))
|| !EVP_SealFinal(ctx, ciphertext + ciphertext_len, &len))
goto err;
ciphertext_len += len;
if (!EVP_OpenInit(ctx, type, kek, kek_len, iv, keypair)
|| !EVP_OpenUpdate(ctx, plaintext, &plaintext_len,
ciphertext, ciphertext_len)
|| !EVP_OpenFinal(ctx, plaintext + plaintext_len, &len)
|| (plaintext_len += len) != sizeof(msg)
|| memcmp(msg, plaintext, sizeof(msg)) != 0)
goto err;
ret = 1;
err:
OPENSSL_free(kek);
EVP_PKEY_free(keypair);
EVP_CIPHER_CTX_free(ctx);
return ret;
}
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
/* Tests loading a bad key in PKCS8 format */ /* Tests loading a bad key in PKCS8 format */
static int test_EVP_PKCS82PKEY(void) static int test_EVP_PKCS82PKEY(void)
@@ -386,6 +427,11 @@ int main(void)
return 1; return 1;
} }
if (!test_EVP_Enveloped()) {
fprintf(stderr, "test_EVP_Enveloped failed\n");
return 1;
}
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
if (!test_d2i_AutoPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER), if (!test_d2i_AutoPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER),
EVP_PKEY_EC)) { EVP_PKEY_EC)) {

17
test/recipes/30-test_evp.t
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl #! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
# #
# Licensed under the OpenSSL license (the "License"). You may not use # Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy # this file except in compliance with the License. You can obtain a copy
@@ -10,10 +10,17 @@
use strict; use strict;
use warnings; use warnings;
use OpenSSL::Test qw/:DEFAULT srctop_file/; use OpenSSL::Test qw/:DEFAULT data_file/;
setup("test_evp"); setup("test_evp");
plan tests => 1; my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt",
ok(run(test(["evp_test", srctop_file("test", "evptests.txt")])), "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",
"running evp_test evptests.txt"); "evpcase.txt" );
plan tests => scalar(@files);
foreach my $f ( @files ) {
ok(run(test(["evp_test", data_file("$f")])),
"running evp_test $f");
}

47
test/recipes/30-test_evp_data/evpcase.txt Normal file
View File

@@ -0,0 +1,47 @@
#
# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
# Tests start with one of these keywords
# Cipher Decrypt Derive Digest Encoding KDF MAC PBE
# PrivPubKeyPair Sign Verify VerifyRecover
# and continue until a blank line. Lines starting with a pound sign,
# like this prolog, are ignored.
# These tests exercise the case insensitive handling of object names.
# They are contrived
# Some name is case insensitive tests
Cipher = Aes-128-eCb
Key = 2B7E151628AED2A6ABF7158809CF4F3C
Plaintext = 6BC1BEE22E409F96E93D7E117393172A
Ciphertext = 3AD77BB40D7A3660A89ECAF32466EF97
Cipher = AeS-128-cbC
Key = 2B7E151628AED2A6ABF7158809CF4F3C
IV = 73BED6B8E3C1743B7116E69E22229516
Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
Ciphertext = 3FF1CAA1681FAC09120ECA307586E1A7
Cipher = aES-128-CTR
Key = AE6852F8121067CC4BF7A5765577F39E
IV = 00000030000000000000000000000001
Operation = ENCRYPT
Plaintext = 53696E676C6520626C6F636B206D7367
Ciphertext = E4095D4FB7A7B3792D6175A3261311B8
Cipher = AES-128-GcM
Key = 00000000000000000000000000000000
IV = 000000000000000000000000
AAD =
Tag = ab6e47d42cec13bdf53a67b21257bddf
Plaintext = 00000000000000000000000000000000
Ciphertext = 0388dace60b6a392f328c2b971b2fe78
Digest = shA512
Input = "abc"
Output = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f

2271
test/recipes/30-test_evp_data/evpciph.txt Normal file
View File

File diff suppressed because it is too large Load Diff

225
test/recipes/30-test_evp_data/evpdigest.txt Normal file
View File

@@ -0,0 +1,225 @@
#
# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
# Tests start with one of these keywords
# Cipher Decrypt Derive Digest Encoding KDF MAC PBE
# PrivPubKeyPair Sign Verify VerifyRecover
# and continue until a blank line. Lines starting with a pound sign,
# like this prolog, are ignored.
# BLAKE2 tests, using same inputs as MD5
# There are no official BLAKE2 test vectors we can use since they all use a key
# Which is currently unsupported by OpenSSL. They were generated using the
# reference implementation. RFC7693 also mentions the 616263 / "abc" values.
Digest = BLAKE2s256
Input =
Output = 69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9
Digest = BLAKE2s256
Input = 61
Output = 4a0d129873403037c2cd9b9048203687f6233fb6738956e0349bd4320fec3e90
Digest = BLAKE2s256
Input = 616263
Output = 508c5e8c327c14e2e1a72ba34eeb452f37458b209ed63a294d999b4c86675982
Digest = BLAKE2s256
Input = 6d65737361676520646967657374
Output = fa10ab775acf89b7d3c8a6e823d586f6b67bdbac4ce207fe145b7d3ac25cd28c
Digest = BLAKE2s256
Input = 6162636465666768696a6b6c6d6e6f707172737475767778797a
Output = bdf88eb1f86a0cdf0e840ba88fa118508369df186c7355b4b16cf79fa2710a12
Digest = BLAKE2s256
Input = 4142434445464748494a4b4c4d4e4f505152535455565758595a6162636465666768696a6b6c6d6e6f707172737475767778797a30313233343536373839
Output = c75439ea17e1de6fa4510c335dc3d3f343e6f9e1ce2773e25b4174f1df8b119b
Digest = BLAKE2s256
Input = 3132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930
Output = fdaedb290a0d5af9870864fec2e090200989dc9cd53a3c092129e8535e8b4f66
Digest = BLAKE2s256
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F
Output = 1FA877DE67259D19863A2A34BCC6962A2B25FCBF5CBECD7EDE8F1FA36688A796
Digest = BLAKE2s256
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
Output = C80ABEEBB669AD5DEEB5F5EC8EA6B7A05DDF7D31EC4C0A2EE20B0B98CAEC6746
Digest = BLAKE2b512
Input =
Output = 786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce
Digest = BLAKE2b512
Input = 61
Output = 333fcb4ee1aa7c115355ec66ceac917c8bfd815bf7587d325aec1864edd24e34d5abe2c6b1b5ee3face62fed78dbef802f2a85cb91d455a8f5249d330853cb3c
Digest = BLAKE2b512
Input = 616263
Output = ba80a53f981c4d0d6a2797b69f12f6e94c212f14685ac4b74b12bb6fdbffa2d17d87c5392aab792dc252d5de4533cc9518d38aa8dbf1925ab92386edd4009923
Digest = BLAKE2b512
Input = 6d65737361676520646967657374
Output = 3c26ce487b1c0f062363afa3c675ebdbf5f4ef9bdc022cfbef91e3111cdc283840d8331fc30a8a0906cff4bcdbcd230c61aaec60fdfad457ed96b709a382359a
Digest = BLAKE2b512
Input = 6162636465666768696a6b6c6d6e6f707172737475767778797a
Output = c68ede143e416eb7b4aaae0d8e48e55dd529eafed10b1df1a61416953a2b0a5666c761e7d412e6709e31ffe221b7a7a73908cb95a4d120b8b090a87d1fbedb4c
Digest = BLAKE2b512
Input = 4142434445464748494a4b4c4d4e4f505152535455565758595a6162636465666768696a6b6c6d6e6f707172737475767778797a30313233343536373839
Output = 99964802e5c25e703722905d3fb80046b6bca698ca9e2cc7e49b4fe1fa087c2edf0312dfbb275cf250a1e542fd5dc2edd313f9c491127c2e8c0c9b24168e2d50
Digest = BLAKE2b512
Input = 3132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930
Output = 686f41ec5afff6e87e1f076f542aa466466ff5fbde162c48481ba48a748d842799f5b30f5b67fc684771b33b994206d05cc310f31914edd7b97e41860d77d282
Digest = BLAKE2b512
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F
Output = 2319E3789C47E2DAA5FE807F61BEC2A1A6537FA03F19FF32E87EECBFD64B7E0E8CCFF439AC333B040F19B0C4DDD11A61E24AC1FE0F10A039806C5DCC0DA3D115
Digest = BLAKE2b512
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
Output = DF0A9D0C212843A6A934E3902B2DD30D17FBA5F969D2030B12A546D8A6A45E80CF5635F071F0452E9C919275DA99BED51EB1173C1AF0518726B75B0EC3BAE2B5
# SHA(1) tests (from shatest.c)
Digest = SHA1
Input = 616263
Output = a9993e364706816aba3e25717850c26c9cd0d89d
# MD5 tests
Digest = MD5
Input =
Output = d41d8cd98f00b204e9800998ecf8427e
Digest = MD5
Input = 61
Output = 0cc175b9c0f1b6a831c399e269772661
Digest = MD5
Input = 616263
Output = 900150983cd24fb0d6963f7d28e17f72
Digest = MD5
Input = 6d65737361676520646967657374
Output = f96b697d7cb7938d525a2f31aaf161d0
Digest = MD5
Input = 6162636465666768696a6b6c6d6e6f707172737475767778797a
Output = c3fcd3d76192e4007dfb496cca67e13b
Digest = MD5
Input = 4142434445464748494a4b4c4d4e4f505152535455565758595a6162636465666768696a6b6c6d6e6f707172737475767778797a30313233343536373839
Output = d174ab98d277d9f5a5611c2c9f419d9f
Digest = MD5
Input = 3132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930
Output = 57edf4a22be3c955ac49da2e2107b67a
# MD4 tests
Digest = MD4
Input = ""
Output = 31d6cfe0d16ae931b73c59d7e0c089c0
Digest = MD4
Input = "a"
Output = bde52cb31de33e46245e05fbdbd6fb24
Digest = MD4
Input = "abc"
Output = a448017aaf21d8525fc10ae87aa6729d
Digest = MD4
Input = "message digest"
Output = d9130a8164549fe818874806e1c7014b
Digest = MD4
Input = "abcdefghijklmnopqrstuvwxyz"
Output = d79e1c308aa5bbcdeea8ed63df412da9
Digest = MD4
Input = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
Output = 043f8582f241db351ce627e153e7f0e4
Digest = MD4
Input = "12345678901234567890123456789012345678901234567890123456789012345678901234567890"
Output = e33b4ddc9c38f2199c3e7b164fcc0536
# RIPEMD160 tests
Digest = RIPEMD160
Input = ""
Output = 9c1185a5c5e9fc54612808977ee8f548b2258d31
Digest = RIPEMD160
Input = "a"
Output = 0bdc9d2d256b3ee9daae347be6f4dc835a467ffe
Digest = RIPEMD160
Input = "abc"
Output = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
Digest = RIPEMD160
Input = "message digest"
Output = 5d0689ef49d2fae572b881b123a85ffa21595f36
Digest = RIPEMD160
Input = "abcdefghijklmnopqrstuvwxyz"
Output = f71c27109c692c1b56bbdceb5b9d2865b3708dbc
Digest = RIPEMD160
Input = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
Output = 12a053384a9c0c88e405a06c27dcf49ada62eb2b
Digest = RIPEMD160
Input = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
Output = b0e20b6e3116640286ed3a87a5713079b21f5189
Digest = RIPEMD160
Input = "12345678901234567890123456789012345678901234567890123456789012345678901234567890"
Output = 9b752e45573d4b39f4dbd3323cab82bf63326bfb
# ISO/IEC 10118-3 test vector set
Digest = whirlpool
Input = ""
Output = 19FA61D75522A4669B44E39C1D2E1726C530232130D407F89AFEE0964997F7A73E83BE698B288FEBCF88E3E03C4F0757EA8964E59B63D93708B138CC42A66EB3
Digest = whirlpool
Input = "a"
Output = 8ACA2602792AEC6F11A67206531FB7D7F0DFF59413145E6973C45001D0087B42D11BC645413AEFF63A42391A39145A591A92200D560195E53B478584FDAE231A
Digest = whirlpool
Input = "abc"
Output = 4E2448A4C6F486BB16B6562C73B4020BF3043E3A731BCE721AE1B303D97E6D4C7181EEBDB6C57E277D0E34957114CBD6C797FC9D95D8B582D225292076D4EEF5
Digest = whirlpool
Input = "message digest"
Output = 378C84A4126E2DC6E56DCC7458377AAC838D00032230F53CE1F5700C0FFB4D3B8421557659EF55C106B4B52AC5A4AAA692ED920052838F3362E86DBD37A8903E
Digest = whirlpool
Input = "abcdefghijklmnopqrstuvwxyz"
Output = F1D754662636FFE92C82EBB9212A484A8D38631EAD4238F5442EE13B8054E41B08BF2A9251C30B6A0B8AAE86177AB4A6F68F673E7207865D5D9819A3DBA4EB3B
Digest = whirlpool
Input = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
Output = DC37E008CF9EE69BF11F00ED9ABA26901DD7C28CDEC066CC6AF42E40F82F3A1E08EBA26629129D8FB7CB57211B9281A65517CC879D7B962142C65F5A7AF01467
Digest = whirlpool
Input = "12345678901234567890123456789012345678901234567890123456789012345678901234567890"
Output = 466EF18BABB0154D25B9D38A6414F5C08784372BCCB204D6549C4AFADB6014294D5BD8DF2A6C44E538CD047B2681A51A2C60481E88C5A20B2C2A80CF3A9A083B
Digest = whirlpool
Input = "abcdbcdecdefdefgefghfghighijhijk"
Output = 2A987EA40F917061F5D6F0A0E4644F488A7A5A52DEEE656207C562F988E95C6916BDC8031BC5BE1B7B947639FE050B56939BAAA0ADFF9AE6745B7B181C3BE3FD
Digest = whirlpool
Input = "aaaaaaaaaa"
Count = 100000
Output = 0C99005BEB57EFF50A7CF005560DDF5D29057FD86B20BFD62DECA0F1CCEA4AF51FC15490EDDC47AF32BB2B66C34FF9AD8C6008AD677F77126953B226E4ED8B01

Some files were not shown because too many files have changed in this diff Show More