svn commit: r344604 - in stable/11: crypto/openssl crypto/openssl/crypto crypto/openssl/crypto/asn1 crypto/openssl/crypto/bio crypto/openssl/crypto/bn crypto/openssl/crypto/ec crypto/openssl/crypto...
Jung-uk Kim
jkim at FreeBSD.org
Tue Feb 26 19:37:04 UTC 2019
Author: jkim
Date: Tue Feb 26 19:36:57 2019
New Revision: 344604
URL: https://svnweb.freebsd.org/changeset/base/344604
Log:
Merge OpenSSL 1.0.2r.
Added:
stable/11/crypto/openssl/doc/crypto/X509_cmp_time.pod
- copied unchanged from r344597, vendor-crypto/openssl/dist-1.0.2/doc/crypto/X509_cmp_time.pod
Deleted:
stable/11/crypto/openssl/doc/man3/
Modified:
stable/11/crypto/openssl/CHANGES
stable/11/crypto/openssl/Makefile
stable/11/crypto/openssl/Makefile.org
stable/11/crypto/openssl/NEWS
stable/11/crypto/openssl/README
stable/11/crypto/openssl/crypto/asn1/ameth_lib.c
stable/11/crypto/openssl/crypto/bio/bss_file.c
stable/11/crypto/openssl/crypto/bn/bn_ctx.c
stable/11/crypto/openssl/crypto/bn/bn_lib.c
stable/11/crypto/openssl/crypto/bn/bntest.c
stable/11/crypto/openssl/crypto/constant_time_locl.h
stable/11/crypto/openssl/crypto/ec/ec_ameth.c
stable/11/crypto/openssl/crypto/err/Makefile
stable/11/crypto/openssl/crypto/err/err.c
stable/11/crypto/openssl/crypto/evp/evp.h
stable/11/crypto/openssl/crypto/evp/evp_enc.c
stable/11/crypto/openssl/crypto/evp/evp_err.c
stable/11/crypto/openssl/crypto/evp/evp_test.c
stable/11/crypto/openssl/crypto/opensslv.h
stable/11/crypto/openssl/crypto/rsa/Makefile
stable/11/crypto/openssl/crypto/rsa/rsa_eay.c
stable/11/crypto/openssl/crypto/rsa/rsa_oaep.c
stable/11/crypto/openssl/crypto/rsa/rsa_pk1.c
stable/11/crypto/openssl/crypto/rsa/rsa_ssl.c
stable/11/crypto/openssl/doc/apps/ca.pod
stable/11/crypto/openssl/doc/crypto/PKCS12_parse.pod
stable/11/crypto/openssl/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
stable/11/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
stable/11/crypto/openssl/doc/ssl/SSL_get_error.pod
stable/11/crypto/openssl/doc/ssl/SSL_shutdown.pod
stable/11/crypto/openssl/ssl/d1_pkt.c
stable/11/crypto/openssl/ssl/s3_pkt.c
stable/11/crypto/openssl/ssl/t1_lib.c
stable/11/secure/lib/libcrypto/Makefile.inc
stable/11/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
stable/11/secure/lib/libcrypto/man/ASN1_STRING_length.3
stable/11/secure/lib/libcrypto/man/ASN1_STRING_new.3
stable/11/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
stable/11/secure/lib/libcrypto/man/ASN1_TIME_set.3
stable/11/secure/lib/libcrypto/man/ASN1_generate_nconf.3
stable/11/secure/lib/libcrypto/man/BIO_ctrl.3
stable/11/secure/lib/libcrypto/man/BIO_f_base64.3
stable/11/secure/lib/libcrypto/man/BIO_f_buffer.3
stable/11/secure/lib/libcrypto/man/BIO_f_cipher.3
stable/11/secure/lib/libcrypto/man/BIO_f_md.3
stable/11/secure/lib/libcrypto/man/BIO_f_null.3
stable/11/secure/lib/libcrypto/man/BIO_f_ssl.3
stable/11/secure/lib/libcrypto/man/BIO_find_type.3
stable/11/secure/lib/libcrypto/man/BIO_new.3
stable/11/secure/lib/libcrypto/man/BIO_new_CMS.3
stable/11/secure/lib/libcrypto/man/BIO_push.3
stable/11/secure/lib/libcrypto/man/BIO_read.3
stable/11/secure/lib/libcrypto/man/BIO_s_accept.3
stable/11/secure/lib/libcrypto/man/BIO_s_bio.3
stable/11/secure/lib/libcrypto/man/BIO_s_connect.3
stable/11/secure/lib/libcrypto/man/BIO_s_fd.3
stable/11/secure/lib/libcrypto/man/BIO_s_file.3
stable/11/secure/lib/libcrypto/man/BIO_s_mem.3
stable/11/secure/lib/libcrypto/man/BIO_s_null.3
stable/11/secure/lib/libcrypto/man/BIO_s_socket.3
stable/11/secure/lib/libcrypto/man/BIO_set_callback.3
stable/11/secure/lib/libcrypto/man/BIO_should_retry.3
stable/11/secure/lib/libcrypto/man/BN_BLINDING_new.3
stable/11/secure/lib/libcrypto/man/BN_CTX_new.3
stable/11/secure/lib/libcrypto/man/BN_CTX_start.3
stable/11/secure/lib/libcrypto/man/BN_add.3
stable/11/secure/lib/libcrypto/man/BN_add_word.3
stable/11/secure/lib/libcrypto/man/BN_bn2bin.3
stable/11/secure/lib/libcrypto/man/BN_cmp.3
stable/11/secure/lib/libcrypto/man/BN_copy.3
stable/11/secure/lib/libcrypto/man/BN_generate_prime.3
stable/11/secure/lib/libcrypto/man/BN_mod_inverse.3
stable/11/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
stable/11/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
stable/11/secure/lib/libcrypto/man/BN_new.3
stable/11/secure/lib/libcrypto/man/BN_num_bytes.3
stable/11/secure/lib/libcrypto/man/BN_rand.3
stable/11/secure/lib/libcrypto/man/BN_set_bit.3
stable/11/secure/lib/libcrypto/man/BN_swap.3
stable/11/secure/lib/libcrypto/man/BN_zero.3
stable/11/secure/lib/libcrypto/man/CMS_add0_cert.3
stable/11/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
stable/11/secure/lib/libcrypto/man/CMS_add1_signer.3
stable/11/secure/lib/libcrypto/man/CMS_compress.3
stable/11/secure/lib/libcrypto/man/CMS_decrypt.3
stable/11/secure/lib/libcrypto/man/CMS_encrypt.3
stable/11/secure/lib/libcrypto/man/CMS_final.3
stable/11/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
stable/11/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
stable/11/secure/lib/libcrypto/man/CMS_get0_type.3
stable/11/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
stable/11/secure/lib/libcrypto/man/CMS_sign.3
stable/11/secure/lib/libcrypto/man/CMS_sign_receipt.3
stable/11/secure/lib/libcrypto/man/CMS_uncompress.3
stable/11/secure/lib/libcrypto/man/CMS_verify.3
stable/11/secure/lib/libcrypto/man/CMS_verify_receipt.3
stable/11/secure/lib/libcrypto/man/CONF_modules_free.3
stable/11/secure/lib/libcrypto/man/CONF_modules_load_file.3
stable/11/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
stable/11/secure/lib/libcrypto/man/DH_generate_key.3
stable/11/secure/lib/libcrypto/man/DH_generate_parameters.3
stable/11/secure/lib/libcrypto/man/DH_get_ex_new_index.3
stable/11/secure/lib/libcrypto/man/DH_new.3
stable/11/secure/lib/libcrypto/man/DH_set_method.3
stable/11/secure/lib/libcrypto/man/DH_size.3
stable/11/secure/lib/libcrypto/man/DSA_SIG_new.3
stable/11/secure/lib/libcrypto/man/DSA_do_sign.3
stable/11/secure/lib/libcrypto/man/DSA_dup_DH.3
stable/11/secure/lib/libcrypto/man/DSA_generate_key.3
stable/11/secure/lib/libcrypto/man/DSA_generate_parameters.3
stable/11/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
stable/11/secure/lib/libcrypto/man/DSA_new.3
stable/11/secure/lib/libcrypto/man/DSA_set_method.3
stable/11/secure/lib/libcrypto/man/DSA_sign.3
stable/11/secure/lib/libcrypto/man/DSA_size.3
stable/11/secure/lib/libcrypto/man/EC_GFp_simple_method.3
stable/11/secure/lib/libcrypto/man/EC_GROUP_copy.3
stable/11/secure/lib/libcrypto/man/EC_GROUP_new.3
stable/11/secure/lib/libcrypto/man/EC_KEY_new.3
stable/11/secure/lib/libcrypto/man/EC_POINT_add.3
stable/11/secure/lib/libcrypto/man/EC_POINT_new.3
stable/11/secure/lib/libcrypto/man/ERR_GET_LIB.3
stable/11/secure/lib/libcrypto/man/ERR_clear_error.3
stable/11/secure/lib/libcrypto/man/ERR_error_string.3
stable/11/secure/lib/libcrypto/man/ERR_get_error.3
stable/11/secure/lib/libcrypto/man/ERR_load_crypto_strings.3
stable/11/secure/lib/libcrypto/man/ERR_load_strings.3
stable/11/secure/lib/libcrypto/man/ERR_print_errors.3
stable/11/secure/lib/libcrypto/man/ERR_put_error.3
stable/11/secure/lib/libcrypto/man/ERR_remove_state.3
stable/11/secure/lib/libcrypto/man/ERR_set_mark.3
stable/11/secure/lib/libcrypto/man/EVP_BytesToKey.3
stable/11/secure/lib/libcrypto/man/EVP_DigestInit.3
stable/11/secure/lib/libcrypto/man/EVP_DigestSignInit.3
stable/11/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3
stable/11/secure/lib/libcrypto/man/EVP_EncodeInit.3
stable/11/secure/lib/libcrypto/man/EVP_EncryptInit.3
stable/11/secure/lib/libcrypto/man/EVP_OpenInit.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_cmp.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_derive.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_keygen.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_meth_new.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_new.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_print_private.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_sign.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_verify.3
stable/11/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3
stable/11/secure/lib/libcrypto/man/EVP_SealInit.3
stable/11/secure/lib/libcrypto/man/EVP_SignInit.3
stable/11/secure/lib/libcrypto/man/EVP_VerifyInit.3
stable/11/secure/lib/libcrypto/man/OBJ_nid2obj.3
stable/11/secure/lib/libcrypto/man/OPENSSL_Applink.3
stable/11/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
stable/11/secure/lib/libcrypto/man/OPENSSL_config.3
stable/11/secure/lib/libcrypto/man/OPENSSL_ia32cap.3
stable/11/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3
stable/11/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
stable/11/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
stable/11/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
stable/11/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
stable/11/secure/lib/libcrypto/man/PKCS12_create.3
stable/11/secure/lib/libcrypto/man/PKCS12_parse.3
stable/11/secure/lib/libcrypto/man/PKCS7_decrypt.3
stable/11/secure/lib/libcrypto/man/PKCS7_encrypt.3
stable/11/secure/lib/libcrypto/man/PKCS7_sign.3
stable/11/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3
stable/11/secure/lib/libcrypto/man/PKCS7_verify.3
stable/11/secure/lib/libcrypto/man/RAND_add.3
stable/11/secure/lib/libcrypto/man/RAND_bytes.3
stable/11/secure/lib/libcrypto/man/RAND_cleanup.3
stable/11/secure/lib/libcrypto/man/RAND_egd.3
stable/11/secure/lib/libcrypto/man/RAND_load_file.3
stable/11/secure/lib/libcrypto/man/RAND_set_rand_method.3
stable/11/secure/lib/libcrypto/man/RSA_blinding_on.3
stable/11/secure/lib/libcrypto/man/RSA_check_key.3
stable/11/secure/lib/libcrypto/man/RSA_generate_key.3
stable/11/secure/lib/libcrypto/man/RSA_get_ex_new_index.3
stable/11/secure/lib/libcrypto/man/RSA_new.3
stable/11/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
stable/11/secure/lib/libcrypto/man/RSA_print.3
stable/11/secure/lib/libcrypto/man/RSA_private_encrypt.3
stable/11/secure/lib/libcrypto/man/RSA_public_encrypt.3
stable/11/secure/lib/libcrypto/man/RSA_set_method.3
stable/11/secure/lib/libcrypto/man/RSA_sign.3
stable/11/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
stable/11/secure/lib/libcrypto/man/RSA_size.3
stable/11/secure/lib/libcrypto/man/SMIME_read_CMS.3
stable/11/secure/lib/libcrypto/man/SMIME_read_PKCS7.3
stable/11/secure/lib/libcrypto/man/SMIME_write_CMS.3
stable/11/secure/lib/libcrypto/man/SMIME_write_PKCS7.3
stable/11/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
stable/11/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
stable/11/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
stable/11/secure/lib/libcrypto/man/X509_NAME_print_ex.3
stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3
stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_new.3
stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
stable/11/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
stable/11/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
stable/11/secure/lib/libcrypto/man/X509_check_host.3
stable/11/secure/lib/libcrypto/man/X509_check_private_key.3
stable/11/secure/lib/libcrypto/man/X509_cmp_time.3
stable/11/secure/lib/libcrypto/man/X509_new.3
stable/11/secure/lib/libcrypto/man/X509_verify_cert.3
stable/11/secure/lib/libcrypto/man/bio.3
stable/11/secure/lib/libcrypto/man/blowfish.3
stable/11/secure/lib/libcrypto/man/bn.3
stable/11/secure/lib/libcrypto/man/bn_internal.3
stable/11/secure/lib/libcrypto/man/buffer.3
stable/11/secure/lib/libcrypto/man/crypto.3
stable/11/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3
stable/11/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3
stable/11/secure/lib/libcrypto/man/d2i_DHparams.3
stable/11/secure/lib/libcrypto/man/d2i_DSAPublicKey.3
stable/11/secure/lib/libcrypto/man/d2i_ECPKParameters.3
stable/11/secure/lib/libcrypto/man/d2i_ECPrivateKey.3
stable/11/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3
stable/11/secure/lib/libcrypto/man/d2i_PrivateKey.3
stable/11/secure/lib/libcrypto/man/d2i_RSAPublicKey.3
stable/11/secure/lib/libcrypto/man/d2i_X509.3
stable/11/secure/lib/libcrypto/man/d2i_X509_ALGOR.3
stable/11/secure/lib/libcrypto/man/d2i_X509_CRL.3
stable/11/secure/lib/libcrypto/man/d2i_X509_NAME.3
stable/11/secure/lib/libcrypto/man/d2i_X509_REQ.3
stable/11/secure/lib/libcrypto/man/d2i_X509_SIG.3
stable/11/secure/lib/libcrypto/man/des.3
stable/11/secure/lib/libcrypto/man/dh.3
stable/11/secure/lib/libcrypto/man/dsa.3
stable/11/secure/lib/libcrypto/man/ec.3
stable/11/secure/lib/libcrypto/man/ecdsa.3
stable/11/secure/lib/libcrypto/man/engine.3
stable/11/secure/lib/libcrypto/man/err.3
stable/11/secure/lib/libcrypto/man/evp.3
stable/11/secure/lib/libcrypto/man/hmac.3
stable/11/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3
stable/11/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
stable/11/secure/lib/libcrypto/man/lh_stats.3
stable/11/secure/lib/libcrypto/man/lhash.3
stable/11/secure/lib/libcrypto/man/md5.3
stable/11/secure/lib/libcrypto/man/mdc2.3
stable/11/secure/lib/libcrypto/man/pem.3
stable/11/secure/lib/libcrypto/man/rand.3
stable/11/secure/lib/libcrypto/man/rc4.3
stable/11/secure/lib/libcrypto/man/ripemd.3
stable/11/secure/lib/libcrypto/man/rsa.3
stable/11/secure/lib/libcrypto/man/sha.3
stable/11/secure/lib/libcrypto/man/threads.3
stable/11/secure/lib/libcrypto/man/ui.3
stable/11/secure/lib/libcrypto/man/ui_compat.3
stable/11/secure/lib/libcrypto/man/x509.3
stable/11/secure/lib/libssl/man/SSL_CIPHER_get_name.3
stable/11/secure/lib/libssl/man/SSL_COMP_add_compression_method.3
stable/11/secure/lib/libssl/man/SSL_CONF_CTX_new.3
stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set1_prefix.3
stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set_flags.3
stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set_ssl_ctx.3
stable/11/secure/lib/libssl/man/SSL_CONF_cmd.3
stable/11/secure/lib/libssl/man/SSL_CONF_cmd_argv.3
stable/11/secure/lib/libssl/man/SSL_CTX_add1_chain_cert.3
stable/11/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
stable/11/secure/lib/libssl/man/SSL_CTX_add_session.3
stable/11/secure/lib/libssl/man/SSL_CTX_ctrl.3
stable/11/secure/lib/libssl/man/SSL_CTX_flush_sessions.3
stable/11/secure/lib/libssl/man/SSL_CTX_free.3
stable/11/secure/lib/libssl/man/SSL_CTX_get0_param.3
stable/11/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3
stable/11/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3
stable/11/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3
stable/11/secure/lib/libssl/man/SSL_CTX_new.3
stable/11/secure/lib/libssl/man/SSL_CTX_sess_number.3
stable/11/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
stable/11/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
stable/11/secure/lib/libssl/man/SSL_CTX_sessions.3
stable/11/secure/lib/libssl/man/SSL_CTX_set1_curves.3
stable/11/secure/lib/libssl/man/SSL_CTX_set1_verify_cert_store.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_cb.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_store.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_custom_cli_ext.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_info_callback.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_mode.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_options.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_read_ahead.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_timeout.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
stable/11/secure/lib/libssl/man/SSL_CTX_set_verify.3
stable/11/secure/lib/libssl/man/SSL_CTX_use_certificate.3
stable/11/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
stable/11/secure/lib/libssl/man/SSL_CTX_use_serverinfo.3
stable/11/secure/lib/libssl/man/SSL_SESSION_free.3
stable/11/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
stable/11/secure/lib/libssl/man/SSL_SESSION_get_time.3
stable/11/secure/lib/libssl/man/SSL_accept.3
stable/11/secure/lib/libssl/man/SSL_alert_type_string.3
stable/11/secure/lib/libssl/man/SSL_check_chain.3
stable/11/secure/lib/libssl/man/SSL_clear.3
stable/11/secure/lib/libssl/man/SSL_connect.3
stable/11/secure/lib/libssl/man/SSL_do_handshake.3
stable/11/secure/lib/libssl/man/SSL_export_keying_material.3
stable/11/secure/lib/libssl/man/SSL_free.3
stable/11/secure/lib/libssl/man/SSL_get_SSL_CTX.3
stable/11/secure/lib/libssl/man/SSL_get_ciphers.3
stable/11/secure/lib/libssl/man/SSL_get_client_CA_list.3
stable/11/secure/lib/libssl/man/SSL_get_current_cipher.3
stable/11/secure/lib/libssl/man/SSL_get_default_timeout.3
stable/11/secure/lib/libssl/man/SSL_get_error.3
stable/11/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
stable/11/secure/lib/libssl/man/SSL_get_ex_new_index.3
stable/11/secure/lib/libssl/man/SSL_get_fd.3
stable/11/secure/lib/libssl/man/SSL_get_peer_cert_chain.3
stable/11/secure/lib/libssl/man/SSL_get_peer_certificate.3
stable/11/secure/lib/libssl/man/SSL_get_psk_identity.3
stable/11/secure/lib/libssl/man/SSL_get_rbio.3
stable/11/secure/lib/libssl/man/SSL_get_session.3
stable/11/secure/lib/libssl/man/SSL_get_verify_result.3
stable/11/secure/lib/libssl/man/SSL_get_version.3
stable/11/secure/lib/libssl/man/SSL_library_init.3
stable/11/secure/lib/libssl/man/SSL_load_client_CA_file.3
stable/11/secure/lib/libssl/man/SSL_new.3
stable/11/secure/lib/libssl/man/SSL_pending.3
stable/11/secure/lib/libssl/man/SSL_read.3
stable/11/secure/lib/libssl/man/SSL_rstate_string.3
stable/11/secure/lib/libssl/man/SSL_session_reused.3
stable/11/secure/lib/libssl/man/SSL_set_bio.3
stable/11/secure/lib/libssl/man/SSL_set_connect_state.3
stable/11/secure/lib/libssl/man/SSL_set_fd.3
stable/11/secure/lib/libssl/man/SSL_set_session.3
stable/11/secure/lib/libssl/man/SSL_set_shutdown.3
stable/11/secure/lib/libssl/man/SSL_set_verify_result.3
stable/11/secure/lib/libssl/man/SSL_shutdown.3
stable/11/secure/lib/libssl/man/SSL_state_string.3
stable/11/secure/lib/libssl/man/SSL_want.3
stable/11/secure/lib/libssl/man/SSL_write.3
stable/11/secure/lib/libssl/man/d2i_SSL_SESSION.3
stable/11/secure/lib/libssl/man/ssl.3
stable/11/secure/usr.bin/openssl/man/CA.pl.1
stable/11/secure/usr.bin/openssl/man/asn1parse.1
stable/11/secure/usr.bin/openssl/man/ca.1
stable/11/secure/usr.bin/openssl/man/ciphers.1
stable/11/secure/usr.bin/openssl/man/cms.1
stable/11/secure/usr.bin/openssl/man/crl.1
stable/11/secure/usr.bin/openssl/man/crl2pkcs7.1
stable/11/secure/usr.bin/openssl/man/dgst.1
stable/11/secure/usr.bin/openssl/man/dhparam.1
stable/11/secure/usr.bin/openssl/man/dsa.1
stable/11/secure/usr.bin/openssl/man/dsaparam.1
stable/11/secure/usr.bin/openssl/man/ec.1
stable/11/secure/usr.bin/openssl/man/ecparam.1
stable/11/secure/usr.bin/openssl/man/enc.1
stable/11/secure/usr.bin/openssl/man/errstr.1
stable/11/secure/usr.bin/openssl/man/gendsa.1
stable/11/secure/usr.bin/openssl/man/genpkey.1
stable/11/secure/usr.bin/openssl/man/genrsa.1
stable/11/secure/usr.bin/openssl/man/nseq.1
stable/11/secure/usr.bin/openssl/man/ocsp.1
stable/11/secure/usr.bin/openssl/man/openssl.1
stable/11/secure/usr.bin/openssl/man/passwd.1
stable/11/secure/usr.bin/openssl/man/pkcs12.1
stable/11/secure/usr.bin/openssl/man/pkcs7.1
stable/11/secure/usr.bin/openssl/man/pkcs8.1
stable/11/secure/usr.bin/openssl/man/pkey.1
stable/11/secure/usr.bin/openssl/man/pkeyparam.1
stable/11/secure/usr.bin/openssl/man/pkeyutl.1
stable/11/secure/usr.bin/openssl/man/rand.1
stable/11/secure/usr.bin/openssl/man/req.1
stable/11/secure/usr.bin/openssl/man/rsa.1
stable/11/secure/usr.bin/openssl/man/rsautl.1
stable/11/secure/usr.bin/openssl/man/s_client.1
stable/11/secure/usr.bin/openssl/man/s_server.1
stable/11/secure/usr.bin/openssl/man/s_time.1
stable/11/secure/usr.bin/openssl/man/sess_id.1
stable/11/secure/usr.bin/openssl/man/smime.1
stable/11/secure/usr.bin/openssl/man/speed.1
stable/11/secure/usr.bin/openssl/man/spkac.1
stable/11/secure/usr.bin/openssl/man/ts.1
stable/11/secure/usr.bin/openssl/man/tsget.1
stable/11/secure/usr.bin/openssl/man/verify.1
stable/11/secure/usr.bin/openssl/man/version.1
stable/11/secure/usr.bin/openssl/man/x509.1
stable/11/secure/usr.bin/openssl/man/x509v3_config.1
Modified: stable/11/crypto/openssl/CHANGES
==============================================================================
--- stable/11/crypto/openssl/CHANGES Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/CHANGES Tue Feb 26 19:36:57 2019 (r344604)
@@ -7,6 +7,33 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
+
+ *) 0-byte record padding oracle
+
+ If an application encounters a fatal protocol error and then calls
+ SSL_shutdown() twice (once to send a close_notify, and once to receive one)
+ then OpenSSL can respond differently to the calling application if a 0 byte
+ record is received with invalid padding compared to if a 0 byte record is
+ received with an invalid MAC. If the application then behaves differently
+ based on that in a way that is detectable to the remote peer, then this
+ amounts to a padding oracle that could be used to decrypt data.
+
+ In order for this to be exploitable "non-stitched" ciphersuites must be in
+ use. Stitched ciphersuites are optimised implementations of certain
+ commonly used ciphersuites. Also the application must call SSL_shutdown()
+ twice even if a protocol error has occurred (applications should not do
+ this but some do anyway).
+
+ This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
+ Aviram, with additional investigation by Steven Collison and Andrew
+ Hourselt. It was reported to OpenSSL on 10th December 2018.
+ (CVE-2019-1559)
+ [Matt Caswell]
+
+ *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
+ [Richard Levitte]
+
Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
*) Microarchitecture timing vulnerability in ECC scalar multiplication
Modified: stable/11/crypto/openssl/Makefile
==============================================================================
--- stable/11/crypto/openssl/Makefile Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/Makefile Tue Feb 26 19:36:57 2019 (r344604)
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.2q
+VERSION=1.0.2r
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
@@ -521,7 +521,7 @@ $(TARFILE).list:
find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
\! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
\( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
- \! -name '.#*' \! -name '*~' \! -type l \
+ \! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \
| sort > $(TARFILE).list
tar: $(TARFILE).list
Modified: stable/11/crypto/openssl/Makefile.org
==============================================================================
--- stable/11/crypto/openssl/Makefile.org Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/Makefile.org Tue Feb 26 19:36:57 2019 (r344604)
@@ -519,7 +519,7 @@ $(TARFILE).list:
find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
\! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
\( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
- \! -name '.#*' \! -name '*~' \! -type l \
+ \! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \
| sort > $(TARFILE).list
tar: $(TARFILE).list
Modified: stable/11/crypto/openssl/NEWS
==============================================================================
--- stable/11/crypto/openssl/NEWS Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/NEWS Tue Feb 26 19:36:57 2019 (r344604)
@@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019]
+
+ o 0-byte record padding oracle (CVE-2019-1559)
+
Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018]
o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
Modified: stable/11/crypto/openssl/README
==============================================================================
--- stable/11/crypto/openssl/README Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/README Tue Feb 26 19:36:57 2019 (r344604)
@@ -1,5 +1,5 @@
- OpenSSL 1.0.2q 20 Nov 2018
+ OpenSSL 1.0.2r 26 Feb 2019
Copyright (c) 1998-2018 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Modified: stable/11/crypto/openssl/crypto/asn1/ameth_lib.c
==============================================================================
--- stable/11/crypto/openssl/crypto/asn1/ameth_lib.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/asn1/ameth_lib.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -234,6 +234,21 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENG
int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth)
{
+ /*
+ * One of the following must be true:
+ *
+ * pem_str == NULL AND ASN1_PKEY_ALIAS is set
+ * pem_str != NULL AND ASN1_PKEY_ALIAS is clear
+ *
+ * Anything else is an error and may lead to a corrupt ASN1 method table
+ */
+ if (!((ameth->pem_str == NULL
+ && (ameth->pkey_flags & ASN1_PKEY_ALIAS) != 0)
+ || (ameth->pem_str != NULL
+ && (ameth->pkey_flags & ASN1_PKEY_ALIAS) == 0))) {
+ return 0;
+ }
+
if (app_methods == NULL) {
app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp);
if (!app_methods)
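Review bot: The new validity check in EVP_PKEY_asn1_add0 rejects a malformed method with a bare `return 0;` and queues nothing on the error stack, so a caller cannot tell a rejected method apart from the allocation failure a few lines below; the check it replaces in EVP_PKEY_asn1_new at least went through that function's `err` path. Suggest `EVPerr(EVP_F_EVP_PKEY_ASN1_ADD0, ERR_R_PASSED_INVALID_ARGUMENT);` before the `return 0;`, assuming that function code is declared in evp.h (this commit touches evp.h and evp_err.c, so it may already be there). The check also dereferences `ameth` before any NULL test, which is only acceptable if callers are required to pass a non-NULL method; that precondition is worth stating in a comment on the function. EVP_PKEY_asn1_add0's body continues past the end of the hunk.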
@@ -304,18 +319,6 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int fl
goto err;
} else
ameth->info = NULL;
-
- /*
- * One of the following must be true:
- *
- * pem_str == NULL AND ASN1_PKEY_ALIAS is set
- * pem_str != NULL AND ASN1_PKEY_ALIAS is clear
- *
- * Anything else is an error and may lead to a corrupt ASN1 method table
- */
- if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0)
- || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0)))
- goto err;
if (pem_str) {
ameth->pem_str = BUF_strdup(pem_str);
Modified: stable/11/crypto/openssl/crypto/bio/bss_file.c
==============================================================================
--- stable/11/crypto/openssl/crypto/bio/bss_file.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/bio/bss_file.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -361,12 +361,16 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, lon
} else
_setmode(fd, _O_BINARY);
}
-# elif defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
+# elif defined(OPENSSL_SYS_OS2)
int fd = fileno((FILE *)ptr);
if (num & BIO_FP_TEXT)
setmode(fd, O_TEXT);
else
setmode(fd, O_BINARY);
+# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
+ int fd = fileno((FILE *)ptr);
+ if (!(num & BIO_FP_TEXT))
+ setmode(fd, O_BINARY);
# endif
}
break;
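Review bot: The new Cygwin branch drops the `setmode(fd, O_TEXT)` call, so a BIO_FP_TEXT request now leaves the descriptor's mode untouched instead of forcing text translation, and nothing in the code says why; a reader comparing it with the OS/2 branch directly above will read it as an omission. Suggest `/* Cygwin: only ever force binary mode; never request text translation */` above the new `if`. The same asymmetry is applied to the fopen mode string in the next hunk of this file (the Cygwin `elif` that appends only "b"), so the comment belongs there too, or once with a cross-reference. file_ctrl starts and ends outside the hunk.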
@@ -389,11 +393,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, lon
ret = 0;
break;
}
-# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
+# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2)
if (!(num & BIO_FP_TEXT))
strcat(p, "b");
else
strcat(p, "t");
+# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
+ if (!(num & BIO_FP_TEXT))
+ strcat(p, "b");
# endif
# if defined(OPENSSL_SYS_NETWARE)
if (!(num & BIO_FP_TEXT))
Modified: stable/11/crypto/openssl/crypto/bn/bn_ctx.c
==============================================================================
--- stable/11/crypto/openssl/crypto/bn/bn_ctx.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/bn/bn_ctx.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -1,7 +1,7 @@
/* crypto/bn/bn_ctx.c */
/* Written by Ulf Moeller for the OpenSSL project. */
/* ====================================================================
- * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -299,6 +299,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx)
}
/* OK, make sure the returned bignum is "zero" */
BN_zero(ret);
+ /* clear BN_FLG_CONSTTIME if leaked from previous frames */
+ ret->flags &= (~BN_FLG_CONSTTIME);
ctx->used++;
CTXDBG_RET(ctx, ret);
return ret;
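Review bot: The comment on the new line says what is cleared but not why a stale flag matters: BN_* functions consult BN_FLG_CONSTTIME to choose their code path, so a flag set by an earlier frame's caller would silently change algorithm selection for an unrelated caller that gets the same pooled BIGNUM back. Suggest `/* Clear BN_FLG_CONSTTIME left behind by an earlier frame; BN_* functions select code paths by it */`. Clearing only this bit rather than resetting `flags` looks like the right scope, since other flags on the pooled BIGNUM (its allocation flag, presumably) need to survive reuse. BN_CTX_get starts outside the hunk.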
Modified: stable/11/crypto/openssl/crypto/bn/bn_lib.c
==============================================================================
--- stable/11/crypto/openssl/crypto/bn/bn_lib.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/bn/bn_lib.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -836,6 +836,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b,
int i;
BN_ULONG aa, bb;
+ if (n == 0)
+ return 0;
+
aa = a[n - 1];
bb = b[n - 1];
if (aa != bb)
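Review bot: The new guard handles `n == 0` but, if `n` is a signed int as the hunk header's `int i` and the surrounding style suggest, a negative length still reaches `a[n - 1]` and reads before the array; `if (n <= 0) return 0;` closes that case at no cost. Callers should never pass a negative count, but this is a low-level word comparison and the cheaper check removes the out-of-bounds read entirely rather than relying on every caller. bn_cmp_words' signature and the rest of its body are outside the hunk.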
Modified: stable/11/crypto/openssl/crypto/bn/bntest.c
==============================================================================
--- stable/11/crypto/openssl/crypto/bn/bntest.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/bn/bntest.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -89,6 +89,10 @@
#include <openssl/x509.h>
#include <openssl/err.h>
+#ifndef OSSL_NELEM
+# define OSSL_NELEM(x) (sizeof(x)/sizeof(x[0]))
+#endif
+
const int num0 = 100; /* number of tests */
const int num1 = 50; /* additional tests for some functions */
const int num2 = 5; /* number of tests for slow functions */
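Review bot: The fallback `OSSL_NELEM` at the top of the hunk does not parenthesize its argument on the right-hand side, `sizeof(x[0])`, so an expression argument would bind incorrectly; the conventional hygienic form is `# define OSSL_NELEM(x) (sizeof(x)/sizeof((x)[0]))`. Like any element-count macro it is only valid on true arrays, not pointers, which does hold for the `b[15]` and `b[30]` locals it is applied to later in this commit.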
@@ -123,6 +127,7 @@ int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
int test_kron(BIO *bp, BN_CTX *ctx);
int test_sqrt(BIO *bp, BN_CTX *ctx);
int rand_neg(void);
+static int test_ctx_consttime_flag(void);
static int results = 0;
static unsigned char lst[] =
@@ -330,6 +335,15 @@ int main(int argc, char *argv[])
goto err;
(void)BIO_flush(out);
#endif
+
+ /* silently flush any pre-existing error on the stack */
+ ERR_clear_error();
+
+ message(out, "BN_CTX_get BN_FLG_CONSTTIME");
+ if (!test_ctx_consttime_flag())
+ goto err;
+ (void)BIO_flush(out);
+
BN_CTX_free(ctx);
BIO_free(out);
@@ -2157,4 +2171,91 @@ int rand_neg(void)
static int sign[8] = { 0, 0, 0, 1, 1, 0, 1, 1 };
return (sign[(neg++) % 8]);
+}
+
+static int test_ctx_set_ct_flag(BN_CTX *c)
+{
+ int st = 0;
+ size_t i;
+ BIGNUM *b[15];
+
+ BN_CTX_start(c);
+ for (i = 0; i < OSSL_NELEM(b); i++) {
+ if (NULL == (b[i] = BN_CTX_get(c))) {
+ fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
+ goto err;
+ }
+ if (i % 2 == 1)
+ BN_set_flags(b[i], BN_FLG_CONSTTIME);
+ }
+
+ st = 1;
+ err:
+ BN_CTX_end(c);
+ return st;
+}
+
+static int test_ctx_check_ct_flag(BN_CTX *c)
+{
+ int st = 0;
+ size_t i;
+ BIGNUM *b[30];
+
+ BN_CTX_start(c);
+ for (i = 0; i < OSSL_NELEM(b); i++) {
+ if (NULL == (b[i] = BN_CTX_get(c))) {
+ fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
+ goto err;
+ }
+ if (BN_get_flags(b[i], BN_FLG_CONSTTIME) != 0) {
+ fprintf(stderr, "ERROR: BN_FLG_CONSTTIME should not be set.\n");
+ goto err;
+ }
+ }
+
+ st = 1;
+ err:
+ BN_CTX_end(c);
+ return st;
+}
+
+static int test_ctx_consttime_flag(void)
+{
+ /*-
+ * The constant-time flag should not "leak" among BN_CTX frames:
+ *
+ * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and
+ * sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained
+ * from the frame before ending it.
+ * - test_ctx_check_ct_flag() then starts a new frame and gets a
+ * number of BIGNUMs from it. In absence of leaks, none of the
+ * BIGNUMs in the new frame should have BN_FLG_CONSTTIME set.
+ *
+ * In actual BN_CTX usage inside libcrypto the leak could happen at
+ * any depth level in the BN_CTX stack, with varying results
+ * depending on the patterns of sibling trees of nested function
+ * calls sharing the same BN_CTX object, and the effect of
+ * unintended BN_FLG_CONSTTIME on the called BN_* functions.
+ *
+ * This simple unit test abstracts away this complexity and verifies
+ * that the leak does not happen between two sibling functions
+ * sharing the same BN_CTX object at the same level of nesting.
+ *
+ */
+ BN_CTX *c = NULL;
+ int st = 0;
+
+ if (NULL == (c = BN_CTX_new())) {
+ fprintf(stderr, "ERROR: BN_CTX_new() failed.\n");
+ goto err;
+ }
+
+ if (!test_ctx_set_ct_flag(c)
+ || !test_ctx_check_ct_flag(c))
+ goto err;
+
+ st = 1;
+ err:
+ BN_CTX_free(c);
+ return st;
}
Modified: stable/11/crypto/openssl/crypto/constant_time_locl.h
==============================================================================
--- stable/11/crypto/openssl/crypto/constant_time_locl.h Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/constant_time_locl.h Tue Feb 26 19:36:57 2019 (r344604)
@@ -204,6 +204,12 @@ static inline int constant_time_select_int(unsigned in
return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b)));
}
+/*
+ * Expected usage pattern is to unconditionally set error and then
+ * wipe it if there was no actual error. |clear| is 1 or 0.
+ */
+void err_clear_last_constant_time(int clear);
+
#ifdef __cplusplus
}
#endif
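Review bot: The contract `|clear| is 1 or 0` reads as a description rather than a hard precondition; since the implementation derives its all-ones/all-zeros masks from `0 - clear`, any other value leaves the top error entry half-wiped and moves the stack top by more than one slot. Suggest `/* |clear| MUST be exactly 0 or 1 (it is used as 0 - clear to build a mask): pass a comparison result or 1 & mask, never a raw mask. */`. It is also worth stating here that only the most recently pushed entry is wiped, so the RSAerr() it is paired with must be the immediately preceding ERR_put_error() call with nothing pushed in between.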
Modified: stable/11/crypto/openssl/crypto/ec/ec_ameth.c
==============================================================================
--- stable/11/crypto/openssl/crypto/ec/ec_ameth.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/ec/ec_ameth.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -601,7 +601,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long a
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha256;
- return 2;
+ return 1;
default:
return -2;
Modified: stable/11/crypto/openssl/crypto/err/Makefile
==============================================================================
--- stable/11/crypto/openssl/crypto/err/Makefile Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/err/Makefile Tue Feb 26 19:36:57 2019 (r344604)
@@ -82,7 +82,7 @@ err.o: ../../include/openssl/err.h ../../include/opens
err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-err.o: ../cryptlib.h err.c
+err.o: ../constant_time_locl.h ../cryptlib.h err.c
err_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
err_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
err_all.o: ../../include/openssl/cms.h ../../include/openssl/comp.h
Modified: stable/11/crypto/openssl/crypto/err/err.c
==============================================================================
--- stable/11/crypto/openssl/crypto/err/err.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/err/err.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -118,6 +118,7 @@
#include <openssl/buffer.h>
#include <openssl/bio.h>
#include <openssl/err.h>
+#include "constant_time_locl.h"
DECLARE_LHASH_OF(ERR_STRING_DATA);
DECLARE_LHASH_OF(ERR_STATE);
@@ -1155,4 +1156,41 @@ int ERR_pop_to_mark(void)
return 0;
es->err_flags[es->top] &= ~ERR_FLAG_MARK;
return 1;
+}
+
+#ifdef UINTPTR_T
+# undef UINTPTR_T
+#endif
+/*
+ * uintptr_t is the answer, but unformtunately we can't assume that all
+ * compilers supported by 1.0.2 have it :-(
+ */
+#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64
+/*
+ * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
+ * even in 64-bit builds, which means that it won't work as mask.
+ */
+# define UINTPTR_T unsigned long long
+#else
+# define UINTPTR_T size_t
+#endif
+
+void err_clear_last_constant_time(int clear)
+{
+ ERR_STATE *es;
+ int top;
+
+ es = ERR_get_state();
+ if (es == NULL)
+ return;
+
+ top = es->top;
+
+ es->err_flags[top] &= ~(0 - clear);
+ es->err_buffer[top] &= ~(0UL - clear);
+ es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
+ ~((UINTPTR_T)0 - clear));
+ es->err_line[top] |= 0 - clear;
+
+ es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
}
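Review bot: The wipe is asymmetric and undocumented: err_flags, err_buffer and err_file are masked to zero, but `es->err_line[top] |= 0 - clear;` leaves -1, and err_data[top] is not touched at all. Both are harmless because the slot ends up above `top` after the last line, but a reader comparing this with ERR_clear_error() will wonder, and the err_data point only holds if nothing called ERR_add_error_data() between the paired ERR_put_error() and this call. Suggest a comment before the masking such as `/* the popped slot need not be zero, only unattributable; err_data is assumed NULL because ERR_put_error() clears it and callers must not add error data in between */`. A trailing `#undef UINTPTR_T` would also keep the helper macro from outliving the function.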
Modified: stable/11/crypto/openssl/crypto/evp/evp.h
==============================================================================
--- stable/11/crypto/openssl/crypto/evp/evp.h Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/evp/evp.h Tue Feb 26 19:36:57 2019 (r344604)
@@ -1489,8 +1489,10 @@ void ERR_load_EVP_strings(void);
# define EVP_F_EVP_CIPHER_CTX_CTRL 124
# define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122
# define EVP_F_EVP_DECRYPTFINAL_EX 101
+# define EVP_F_EVP_DECRYPTUPDATE 181
# define EVP_F_EVP_DIGESTINIT_EX 128
# define EVP_F_EVP_ENCRYPTFINAL_EX 127
+# define EVP_F_EVP_ENCRYPTUPDATE 180
# define EVP_F_EVP_MD_CTX_COPY_EX 110
# define EVP_F_EVP_MD_SIZE 162
# define EVP_F_EVP_OPENINIT 102
Modified: stable/11/crypto/openssl/crypto/evp/evp_enc.c
==============================================================================
--- stable/11/crypto/openssl/crypto/evp/evp_enc.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/evp/evp_enc.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -317,8 +317,9 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_
return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
}
-int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
- const unsigned char *in, int inl)
+static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
+ unsigned char *out, int *outl,
+ const unsigned char *in, int inl)
{
int i, j, bl;
@@ -380,6 +381,18 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned ch
return 1;
}
+int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
+ const unsigned char *in, int inl)
+{
+ /* Prevent accidental use of decryption context when encrypting */
+ if (!ctx->encrypt) {
+ EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION);
+ return 0;
+ }
+
+ return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
+}
+
int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
{
int ret;
@@ -392,6 +405,12 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned
int n, ret;
unsigned int i, b, bl;
+ /* Prevent accidental use of decryption context when encrypting */
+ if (!ctx->encrypt) {
+ EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
+ return 0;
+ }
+
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
ret = M_do_cipher(ctx, out, NULL, 0);
if (ret < 0)
@@ -435,6 +454,12 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned ch
int fix_len;
unsigned int b;
+ /* Prevent accidental use of encryption context when decrypting */
+ if (ctx->encrypt) {
+ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION);
+ return 0;
+ }
+
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
fix_len = M_do_cipher(ctx, out, in, inl);
if (fix_len < 0) {
@@ -451,7 +476,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned ch
}
if (ctx->flags & EVP_CIPH_NO_PADDING)
- return EVP_EncryptUpdate(ctx, out, outl, in, inl);
+ return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
b = ctx->cipher->block_size;
OPENSSL_assert(b <= sizeof(ctx->final));
@@ -463,7 +488,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned ch
} else
fix_len = 0;
- if (!EVP_EncryptUpdate(ctx, out, outl, in, inl))
+ if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl))
return 0;
/*
@@ -494,6 +519,13 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned
{
int i, n;
unsigned int b;
+
+ /* Prevent accidental use of encryption context when decrypting */
+ if (ctx->encrypt) {
+ EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
+ return 0;
+ }
+
*outl = 0;
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
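Review bot: The new direction check in EVP_DecryptFinal_ex returns before the existing `*outl = 0;`, so on this one failure path the caller's output length is left uninitialised whereas every other failure path in the function has already zeroed it. Either place the check after `*outl = 0;`, or zero it in the error branch with `*outl = 0;` ahead of the `EVPerr(...)`. The sibling EVP_DecryptUpdate/EVP_EncryptFinal_ex hunks have the same shape; whether they zero *outl later I cannot see from here. EVP_DecryptFinal_ex continues outside the hunk.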
Modified: stable/11/crypto/openssl/crypto/evp/evp_err.c
==============================================================================
--- stable/11/crypto/openssl/crypto/evp/evp_err.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/evp/evp_err.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -1,6 +1,6 @@
/* crypto/evp/evp_err.c */
/* ====================================================================
- * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -92,8 +92,10 @@ static ERR_STRING_DATA EVP_str_functs[] = {
{ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH),
"EVP_CIPHER_CTX_set_key_length"},
{ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
{ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
{ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
Modified: stable/11/crypto/openssl/crypto/evp/evp_test.c
==============================================================================
--- stable/11/crypto/openssl/crypto/evp/evp_test.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/evp/evp_test.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -1,6 +1,6 @@
/* Written by Ben Laurie, 2001 */
/*
- * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2001-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -327,7 +327,7 @@ static void test1(const EVP_CIPHER *c, const unsigned
ERR_print_errors_fp(stderr);
test1_exit(12);
}
- if (an && !EVP_EncryptUpdate(&ctx, NULL, &outl, aad, an)) {
+ if (an && !EVP_DecryptUpdate(&ctx, NULL, &outl, aad, an)) {
fprintf(stderr, "AAD set failed\n");
ERR_print_errors_fp(stderr);
test1_exit(13);
Modified: stable/11/crypto/openssl/crypto/opensslv.h
==============================================================================
--- stable/11/crypto/openssl/crypto/opensslv.h Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/opensslv.h Tue Feb 26 19:36:57 2019 (r344604)
@@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1000211fL
+# define OPENSSL_VERSION_NUMBER 0x1000212fL
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2q-fips 20 Nov 2018"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-fips 26 Feb 2019"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2q-freebsd 20 Nov 2018"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-freebsd 26 Feb 2019"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
Modified: stable/11/crypto/openssl/crypto/rsa/Makefile
==============================================================================
--- stable/11/crypto/openssl/crypto/rsa/Makefile Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/rsa/Makefile Tue Feb 26 19:36:57 2019 (r344604)
@@ -153,7 +153,8 @@ rsa_eay.o: ../../include/openssl/lhash.h ../../include
rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h rsa_eay.c
+rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../constant_time_locl.h
+rsa_eay.o: ../cryptlib.h rsa_eay.c
rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
@@ -299,7 +300,8 @@ rsa_ssl.o: ../../include/openssl/lhash.h ../../include
rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
rsa_ssl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
rsa_ssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_ssl.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_ssl.c
+rsa_ssl.o: ../../include/openssl/symhacks.h ../constant_time_locl.h
+rsa_ssl.o: ../cryptlib.h rsa_ssl.c
rsa_x931.o: ../../e_os.h ../../include/openssl/asn1.h
rsa_x931.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
rsa_x931.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
Modified: stable/11/crypto/openssl/crypto/rsa/rsa_eay.c
==============================================================================
--- stable/11/crypto/openssl/crypto/rsa/rsa_eay.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/rsa/rsa_eay.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -115,6 +115,7 @@
#include <openssl/rsa.h>
#include <openssl/rand.h>
#include "bn_int.h"
+#include "constant_time_locl.h"
#ifndef RSA_NULL
@@ -397,6 +398,11 @@ static int RSA_eay_private_encrypt(int flen, const uns
goto err;
}
+ if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
+ rsa->n, ctx))
+ goto err;
+
if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
if (blinding == NULL) {
@@ -431,11 +437,6 @@ static int RSA_eay_private_encrypt(int flen, const uns
} else
d = rsa->d;
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
- rsa->n, ctx))
- goto err;
-
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n))
goto err;
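Review bot: Moving the BN_MONT_CTX_set_locked() call ahead of the blinding setup carries no explanatory comment, and nothing in the hunk says why the order matters, so a future tidy-up could move it back. If, as it appears, the intent is that rsa->_method_mod_n is already populated when rsa_get_blinding() creates the blinding (so the blinding exponentiation uses the same Montgomery context rather than NULL), say so: `/* populate _method_mod_n before blinding is created: rsa_get_blinding() hands it to the blinding setup */`. I have hedged because rsa_get_blinding() is outside the hunk. RSA_eay_private_encrypt continues outside the hunk.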
@@ -587,8 +588,8 @@ static int RSA_eay_private_decrypt(int flen, const uns
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
goto err;
}
- if (r < 0)
- RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+ err_clear_last_constant_time(r >= 0);
err:
if (ctx != NULL) {
Modified: stable/11/crypto/openssl/crypto/rsa/rsa_oaep.c
==============================================================================
--- stable/11/crypto/openssl/crypto/rsa/rsa_oaep.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/rsa/rsa_oaep.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -121,7 +121,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *t
const EVP_MD *mgf1md)
{
int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
- unsigned int good, found_one_byte;
+ unsigned int good = 0, found_one_byte, mask;
const unsigned char *maskedseed, *maskeddb;
/*
* |em| is the encoded message, zero-padded to exactly |num| bytes: em =
@@ -148,8 +148,11 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *t
* the ciphertext, see PKCS #1 v2.2, section 7.1.2.
* This does not leak any side-channel information.
*/
- if (num < flen || num < 2 * mdlen + 2)
- goto decoding_err;
+ if (num < flen || num < 2 * mdlen + 2) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+ RSA_R_OAEP_DECODING_ERROR);
+ return -1;
+ }
dblen = num - mdlen - 1;
db = OPENSSL_malloc(dblen);
@@ -158,26 +161,26 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *t
goto cleanup;
}
- if (flen != num) {
- em = OPENSSL_malloc(num);
- if (em == NULL) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
- ERR_R_MALLOC_FAILURE);
- goto cleanup;
- }
+ em = OPENSSL_malloc(num);
+ if (em == NULL) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+ ERR_R_MALLOC_FAILURE);
+ goto cleanup;
+ }
- /*
- * Caller is encouraged to pass zero-padded message created with
- * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
- * to avoid leaking that information. The copy still leaks some
- * side-channel information, but it's impossible to have a fixed
- * memory access pattern since we can't read out of the bounds of
- * |from|.
- */
- memset(em, 0, num);
- memcpy(em + num - flen, from, flen);
- from = em;
+ /*
+ * Caller is encouraged to pass zero-padded message created with
+ * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+ * bounds, it's impossible to have an invariant memory access pattern
+ * in case |from| was not zero-padded in advance.
+ */
+ for (from += flen, em += num, i = 0; i < num; i++) {
+ mask = ~constant_time_is_zero(flen);
+ flen -= 1 & mask;
+ from -= 1 & mask;
+ *--em = *from & mask;
}
+ from = em;
/*
* The first byte must be zero, however we must not leak if this is
@@ -224,37 +227,50 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *t
* so plaintext-awareness ensures timing side-channels are no longer a
* concern.
*/
- if (!good)
- goto decoding_err;
-
msg_index = one_index + 1;
mlen = dblen - msg_index;
- if (tlen < mlen) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE);
- mlen = -1;
- } else {
- memcpy(to, db + msg_index, mlen);
- goto cleanup;
+ /*
+ * For good measure, do this check in constant tine as well.
+ */
+ good &= constant_time_ge(tlen, mlen);
+
+ /*
+ * Even though we can't fake result's length, we can pretend copying
+ * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
+ * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+ * where |mlen'| is "saturated" |mlen| value. Deducing information
+ * about failure or |mlen| would take attacker's ability to observe
+ * memory access pattern with byte granularity *as it occurs*. It
+ * should be noted that failure is indistinguishable from normal
+ * operation if |tlen| is fixed by protocol.
+ */
+ tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
+ msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
+ mlen = dblen - msg_index;
+ for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
+ unsigned int equals = constant_time_eq(i, mlen);
+
+ from -= dblen & equals; /* if (i == dblen) rewind */
+ mask &= mask ^ equals; /* if (i == dblen) mask = 0 */
+ to[i] = constant_time_select_8(mask, from[i], to[i]);
}
- decoding_err:
/*
* To avoid chosen ciphertext attacks, the error message should not
* reveal which kind of decoding error happened.
*/
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
RSA_R_OAEP_DECODING_ERROR);
+ err_clear_last_constant_time(1 & good);
cleanup:
- if (db != NULL) {
- OPENSSL_cleanse(db, dblen);
- OPENSSL_free(db);
- }
- if (em != NULL) {
- OPENSSL_cleanse(em, num);
- OPENSSL_free(em);
- }
- return mlen;
+ OPENSSL_cleanse(seed, sizeof(seed));
+ OPENSSL_cleanse(db, dblen);
+ OPENSSL_free(db);
+ OPENSSL_cleanse(em, num);
+ OPENSSL_free(em);
+
+ return constant_time_select_int(good, mlen, -1);
}
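Review bot: The cleanup block drops the `if (db != NULL)` / `if (em != NULL)` guards, but `cleanup` is still reached from both allocation-failure paths above (the `goto cleanup` after the db and em OPENSSL_malloc() checks), so OPENSSL_cleanse() can now be called with a NULL pointer and a non-zero length. OPENSSL_free(NULL) is fine; whether OPENSSL_cleanse(NULL, n) is depends on the implementation selected at build time — the C fallback in 1.0.2 appears to tolerate it, the assembly versions, as far as I recall, do not — so on an asm build an allocation failure becomes a write to address zero. Restore the two guards, or cleanse only when the pointer is non-NULL. Separately, the loop comments `/* if (i == dblen) rewind */` and `/* if (i == dblen) mask = 0 */` describe `constant_time_eq(i, mlen)`, so they should read `i == mlen` as in the rsa_pk1.c counterpart, which also rewinds by `tlen` rather than `dblen`; both variants stay inside `db`, but the two copies of this loop should agree. `constant tine` is a typo for `constant time`.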
int PKCS1_MGF1(unsigned char *mask, long len,
Modified: stable/11/crypto/openssl/crypto/rsa/rsa_pk1.c
==============================================================================
--- stable/11/crypto/openssl/crypto/rsa/rsa_pk1.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/rsa/rsa_pk1.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -207,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to,
int i;
/* |em| is the encoded message, zero-padded to exactly |num| bytes */
unsigned char *em = NULL;
- unsigned int good, found_zero_byte;
+ unsigned int good, found_zero_byte, mask;
int zero_index = 0, msg_index, mlen = -1;
if (tlen < 0 || flen < 0)
@@ -218,40 +218,41 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to,
* section 7.2.2.
*/
- if (flen > num)
- goto err;
+ if (flen > num || num < 11) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
+ RSA_R_PKCS_DECODING_ERROR);
+ return -1;
+ }
- if (num < 11)
- goto err;
-
- if (flen != num) {
- em = OPENSSL_malloc(num);
- if (em == NULL) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
- return -1;
- }
- /*
- * Caller is encouraged to pass zero-padded message created with
- * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
- * to avoid leaking that information. The copy still leaks some
- * side-channel information, but it's impossible to have a fixed
- * memory access pattern since we can't read out of the bounds of
- * |from|.
- */
- memset(em, 0, num);
- memcpy(em + num - flen, from, flen);
- from = em;
+ em = OPENSSL_malloc(num);
+ if (em == NULL) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
+ return -1;
}
+ /*
+ * Caller is encouraged to pass zero-padded message created with
+ * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+ * bounds, it's impossible to have an invariant memory access pattern
+ * in case |from| was not zero-padded in advance.
+ */
+ for (from += flen, em += num, i = 0; i < num; i++) {
+ mask = ~constant_time_is_zero(flen);
+ flen -= 1 & mask;
+ from -= 1 & mask;
+ *--em = *from & mask;
+ }
+ from = em;
good = constant_time_is_zero(from[0]);
good &= constant_time_eq(from[1], 2);
+ /* scan over padding data */
found_zero_byte = 0;
for (i = 2; i < num; i++) {
unsigned int equals0 = constant_time_is_zero(from[i]);
- zero_index =
- constant_time_select_int(~found_zero_byte & equals0, i,
- zero_index);
+
+ zero_index = constant_time_select_int(~found_zero_byte & equals0,
+ i, zero_index);
found_zero_byte |= equals0;
}
@@ -260,7 +261,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to,
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
- good &= constant_time_ge((unsigned int)(zero_index), 2 + 8);
+ good &= constant_time_ge(zero_index, 2 + 8);
/*
* Skip the zero byte. This is incorrect if we never found a zero-byte
@@ -270,30 +271,35 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to,
mlen = num - msg_index;
/*
- * For good measure, do this check in constant time as well; it could
- * leak something if |tlen| was assuming valid padding.
+ * For good measure, do this check in constant time as well.
*/
- good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));
+ good &= constant_time_ge(tlen, mlen);
/*
- * We can't continue in constant-time because we need to copy the result
- * and we cannot fake its length. This unavoidably leaks timing
- * information at the API boundary.
+ * Even though we can't fake result's length, we can pretend copying
+ * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
+ * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+ * where |mlen'| is "saturated" |mlen| value. Deducing information
+ * about failure or |mlen| would take attacker's ability to observe
+ * memory access pattern with byte granularity *as it occurs*. It
+ * should be noted that failure is indistinguishable from normal
+ * operation if |tlen| is fixed by protocol.
*/
- if (!good) {
- mlen = -1;
- goto err;
+ tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
+ msg_index = constant_time_select_int(good, msg_index, num - tlen);
+ mlen = num - msg_index;
+ for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
+ unsigned int equals = constant_time_eq(i, mlen);
+
+ from -= tlen & equals; /* if (i == mlen) rewind */
+ mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
+ to[i] = constant_time_select_8(mask, from[i], to[i]);
}
- memcpy(to, from + msg_index, mlen);
+ OPENSSL_cleanse(em, num);
+ OPENSSL_free(em);
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR);
+ err_clear_last_constant_time(1 & good);
- err:
- if (em != NULL) {
- OPENSSL_cleanse(em, num);
- OPENSSL_free(em);
- }
- if (mlen == -1)
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
- RSA_R_PKCS_DECODING_ERROR);
- return mlen;
+ return constant_time_select_int(good, mlen, -1);
}
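Review bot: On a padding failure the function now still executes `to[i] = constant_time_select_8(mask, from[i], to[i]);` for i below min(num, tlen), i.e. it reads and rewrites the caller's output buffer even when it returns -1, whereas the old code left `to` untouched on failure. That is intentional for the side-channel goal, but it means `to` must be at least min(num, tlen) bytes readable and writable on every call, which the function's contract should state; the comment above the loop only describes the access pattern. Suggest adding `/* |to| is read and rewritten for min(num, tlen) bytes regardless of outcome; on failure its contents are left as they were */` above the loop and mirroring it in the pod. The rsa_oaep.c copy of this loop rewinds by `dblen` where this one rewinds by `tlen`; both stay in bounds, but the two should agree. RSA_padding_check_PKCS1_type_2 begins outside the hunk.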
Modified: stable/11/crypto/openssl/crypto/rsa/rsa_ssl.c
==============================================================================
--- stable/11/crypto/openssl/crypto/rsa/rsa_ssl.c Tue Feb 26 19:34:42 2019 (r344603)
+++ stable/11/crypto/openssl/crypto/rsa/rsa_ssl.c Tue Feb 26 19:36:57 2019 (r344604)
@@ -61,6 +61,7 @@
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
+#include "constant_time_locl.h"
int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
const unsigned char *from, int flen)
@@ -101,57 +102,116 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen
return (1);
}
+/*
+ * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
+ * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
+ * preserves error code reporting for backward compatibility.
+ */
int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
const unsigned char *from, int flen, int num)
{
- int i, j, k;
- const unsigned char *p;
+ int i;
+ /* |em| is the encoded message, zero-padded to exactly |num| bytes */
+ unsigned char *em = NULL;
+ unsigned int good, found_zero_byte, mask, threes_in_row;
+ int zero_index = 0, msg_index, mlen = -1, err;
- p = from;
if (flen < 10) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
return (-1);
}
- /* Accept even zero-padded input */
- if (flen == num) {
- if (*(p++) != 0) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
- return -1;
- }
- flen--;
+
+ em = OPENSSL_malloc(num);
+ if (em == NULL) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, ERR_R_MALLOC_FAILURE);
+ return -1;
}
- if ((num != (flen + 1)) || (*(p++) != 02)) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
- return (-1);
+ /*
+ * Caller is encouraged to pass zero-padded message created with
+ * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+ * bounds, it's impossible to have an invariant memory access pattern
+ * in case |from| was not zero-padded in advance.
+ */
+ for (from += flen, em += num, i = 0; i < num; i++) {
+ mask = ~constant_time_is_zero(flen);
+ flen -= 1 & mask;
+ from -= 1 & mask;
+ *--em = *from & mask;
}
+ from = em;
+ good = constant_time_is_zero(from[0]);
+ good &= constant_time_eq(from[1], 2);
+ err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
+ mask = ~good;
+
/* scan over padding data */
- j = flen - 1; /* one for type */
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***