public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: update to the 1.1.1c release
@ 2026-06-09 12:44 Tomas Mraz
0 siblings, 0 replies; only message in thread
From: Tomas Mraz @ 2026-06-09 12:44 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 31d61b19d554907fbc9d34f30c96c68c7e6c8e73
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2019-05-29T17:23:31+02:00
Stats : +319/-2463 in 12 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/31d61b19d554907fbc9d34f30c96c68c7e6c8e73?branch=rebase_40beta
Log:
update to the 1.1.1c release
---
diff --git a/.gitignore b/.gitignore
index 3b8aa45..a3a6054 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,3 +43,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.1-hobbled.tar.xz
/openssl-1.1.1a-hobbled.tar.xz
/openssl-1.1.1b-hobbled.tar.xz
+/openssl-1.1.1c-hobbled.tar.xz
diff --git a/ectest.c b/ectest.c
index 5c20ac3..53adf88 100644
--- a/ectest.c
+++ b/ectest.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -728,6 +728,75 @@ err:
BN_CTX_free(ctx);
return r;
}
+
+/*
+ * Tests a point known to cause an incorrect underflow in an old version of
+ * ecp_nist521.c
+ */
+static int underflow_test(void)
+{
+ BN_CTX *ctx = NULL;
+ EC_GROUP *grp = NULL;
+ EC_POINT *P = NULL, *Q = NULL, *R = NULL;
+ BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL;
+ BIGNUM *k = NULL;
+ int testresult = 0;
+ const char *x1str =
+ "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4"
+ "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004";
+ const char *p521m1 =
+ "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe";
+
+ ctx = BN_CTX_new();
+ if (!TEST_ptr(ctx))
+ return 0;
+
+ BN_CTX_start(ctx);
+ x1 = BN_CTX_get(ctx);
+ y1 = BN_CTX_get(ctx);
+ z1 = BN_CTX_get(ctx);
+ x2 = BN_CTX_get(ctx);
+ y2 = BN_CTX_get(ctx);
+ k = BN_CTX_get(ctx);
+ if (!TEST_ptr(k))
+ goto err;
+
+ grp = EC_GROUP_new_by_curve_name(NID_secp521r1);
+ P = EC_POINT_new(grp);
+ Q = EC_POINT_new(grp);
+ R = EC_POINT_new(grp);
+ if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R))
+ goto err;
+
+ if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0)
+ || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0)
+ || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0)
+ || !TEST_int_gt(BN_hex2bn(&k, "02"), 0)
+ || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1,
+ y1, z1, ctx))
+ || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx))
+ || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx))
+ || !TEST_true(EC_POINT_dbl(grp, R, P, ctx))
+ || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx)))
+ goto err;
+
+ if (!TEST_int_eq(BN_cmp(x1, x2), 0)
+ || !TEST_int_eq(BN_cmp(y1, y2), 0))
+ goto err;
+
+ testresult = 1;
+
+ err:
+ BN_CTX_end(ctx);
+ EC_POINT_free(P);
+ EC_POINT_free(Q);
+ EC_POINT_free(R);
+ EC_GROUP_free(grp);
+ BN_CTX_free(ctx);
+
+ return testresult;
+}
# endif
static const unsigned char p521_named[] = {
@@ -835,6 +904,7 @@ int setup_tests(void)
# endif
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
+ ADD_TEST(underflow_test);
# endif
ADD_ALL_TESTS(internal_curve_test, crv_len);
ADD_ALL_TESTS(internal_curve_test_method, crv_len);
diff --git a/openssl-1.1.1-ec-curves.patch b/openssl-1.1.1-ec-curves.patch
index 368f544..a83a331 100644
--- a/openssl-1.1.1-ec-curves.patch
+++ b/openssl-1.1.1-ec-curves.patch
@@ -1,40 +1,38 @@
-diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
---- openssl-1.1.1b/apps/speed.c.curves 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/apps/speed.c 2019-02-28 11:20:42.347170167 +0100
-@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
- static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */
+diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
+--- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200
+@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
#endif /* OPENSSL_NO_RSA */
--#define R_EC_P160 0
--#define R_EC_P192 1
--#define R_EC_P224 2
--#define R_EC_P256 3
--#define R_EC_P384 4
--#define R_EC_P521 5
--#define R_EC_K163 6
--#define R_EC_K233 7
--#define R_EC_K283 8
--#define R_EC_K409 9
--#define R_EC_K571 10
--#define R_EC_B163 11
--#define R_EC_B233 12
--#define R_EC_B283 13
--#define R_EC_B409 14
--#define R_EC_B571 15
--#define R_EC_BRP256R1 16
--#define R_EC_BRP256T1 17
--#define R_EC_BRP384R1 18
--#define R_EC_BRP384T1 19
--#define R_EC_BRP512R1 20
--#define R_EC_BRP512T1 21
--#define R_EC_X25519 22
--#define R_EC_X448 23
-+#define R_EC_P224 0
-+#define R_EC_P256 1
-+#define R_EC_P384 2
-+#define R_EC_P521 3
-+#define R_EC_X25519 4
-+#define R_EC_X448 5
+ enum {
+- R_EC_P160,
+- R_EC_P192,
+ R_EC_P224,
+ R_EC_P256,
+ R_EC_P384,
+ R_EC_P521,
+-#ifndef OPENSSL_NO_EC2M
+- R_EC_K163,
+- R_EC_K233,
+- R_EC_K283,
+- R_EC_K409,
+- R_EC_K571,
+- R_EC_B163,
+- R_EC_B233,
+- R_EC_B283,
+- R_EC_B409,
+- R_EC_B571,
+-#endif
+- R_EC_BRP256R1,
+- R_EC_BRP256T1,
+- R_EC_BRP384R1,
+- R_EC_BRP384T1,
+- R_EC_BRP512R1,
+- R_EC_BRP512T1,
+ R_EC_X25519,
+ R_EC_X448
+ };
+
#ifndef OPENSSL_NO_EC
static OPT_PAIR ecdsa_choices[] = {
- {"ecdsap160", R_EC_P160},
@@ -43,6 +41,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
{"ecdsap256", R_EC_P256},
{"ecdsap384", R_EC_P384},
{"ecdsap521", R_EC_P521},
+-# ifndef OPENSSL_NO_EC2M
- {"ecdsak163", R_EC_K163},
- {"ecdsak233", R_EC_K233},
- {"ecdsak283", R_EC_K283},
@@ -53,6 +52,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
- {"ecdsab283", R_EC_B283},
- {"ecdsab409", R_EC_B409},
- {"ecdsab571", R_EC_B571},
+-# endif
- {"ecdsabrp256r1", R_EC_BRP256R1},
- {"ecdsabrp256t1", R_EC_BRP256T1},
- {"ecdsabrp384r1", R_EC_BRP384R1},
@@ -71,6 +71,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
{"ecdhp256", R_EC_P256},
{"ecdhp384", R_EC_P384},
{"ecdhp521", R_EC_P521},
+-# ifndef OPENSSL_NO_EC2M
- {"ecdhk163", R_EC_K163},
- {"ecdhk233", R_EC_K233},
- {"ecdhk283", R_EC_K283},
@@ -81,6 +82,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
- {"ecdhb283", R_EC_B283},
- {"ecdhb409", R_EC_B409},
- {"ecdhb571", R_EC_B571},
+-# endif
- {"ecdhbrp256r1", R_EC_BRP256R1},
- {"ecdhbrp256t1", R_EC_BRP256T1},
- {"ecdhbrp384r1", R_EC_BRP384R1},
@@ -90,7 +92,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
{"ecdhx25519", R_EC_X25519},
{"ecdhx448", R_EC_X448}
};
-@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv)
+@@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)
unsigned int bits;
} test_curves[] = {
/* Prime Curves */
@@ -100,6 +102,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
{"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384},
{"nistp521", NID_secp521r1, 521},
+-# ifndef OPENSSL_NO_EC2M
- /* Binary Curves */
- {"nistk163", NID_sect163k1, 163},
- {"nistk233", NID_sect233k1, 233},
@@ -111,6 +114,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
- {"nistb283", NID_sect283r1, 283},
- {"nistb409", NID_sect409r1, 409},
- {"nistb571", NID_sect571r1, 571},
+-# endif
- {"brainpoolP256r1", NID_brainpoolP256r1, 256},
- {"brainpoolP256t1", NID_brainpoolP256t1, 256},
- {"brainpoolP384r1", NID_brainpoolP384r1, 384},
@@ -120,7 +124,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
/* Other and ECDH only ones */
{"X25519", NID_X25519, 253},
{"X448", NID_X448, 448}
-@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv)
+@@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)
# endif
# ifndef OPENSSL_NO_EC
@@ -133,46 +137,38 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
-@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv)
+@@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)
}
}
}
-+#if 0
+-# ifndef OPENSSL_NO_EC2M
++# if 0
ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
-@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv)
- }
- }
+@@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)
}
--
+ # endif
+
- ecdh_c[R_EC_P160][0] = count / 1000;
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
-+#endif
+ ecdh_c[R_EC_P224][0] = count / 1000;
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
ecdh_doit[i] = 0;
-@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv)
+@@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)
}
}
}
-+#if 0
+-# ifndef OPENSSL_NO_EC2M
++# if 0
ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
-@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv)
- }
- }
- }
-+#endif
- /* default iteration count for the last two EC Curves */
- ecdh_c[R_EC_X25519][0] = count / 1800;
- ecdh_c[R_EC_X448][0] = count / 7200;
-diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves openssl-1.1.1b/crypto/ec/ecp_smpl.c
---- openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/ec/ecp_smpl.c 2019-02-28 11:19:30.628479300 +0100
+diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c
+--- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0;
}
@@ -185,22 +181,30 @@ diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves openssl-1.1.1b/crypto/ec/ecp
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
-diff -up openssl-1.1.1b/test/ecdsatest.c.curves openssl-1.1.1b/test/ecdsatest.c
---- openssl-1.1.1b/test/ecdsatest.c.curves 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/ecdsatest.c 2019-02-28 11:19:30.628479300 +0100
-@@ -176,6 +176,7 @@ static int x9_62_tests(void)
- if (!change_rand())
- goto x962_err;
-
-+#if 0
- if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1,
- "3342403536405981729393488334694600415596881826869351677613",
- "5735822328888155254683894997897571951568553642892029982342")))
-@@ -186,6 +187,7 @@ static int x9_62_tests(void)
- "3238135532097973577080787768312505059318910517550078427819"
- "78505179448783")))
- goto x962_err;
-+#endif
+diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
+--- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200
++++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200
+@@ -32,23 +32,6 @@ typedef struct {
+ } ecdsa_cavs_kat_t;
- # ifndef OPENSSL_NO_EC2M
- if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1,
+ static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
+- /* prime KATs from X9.62 */
+- {NID_X9_62_prime192v1, NID_sha1,
+- "616263", /* "abc" */
+- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
+- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
+- "5ca5c0d69716dfcb3474373902",
+- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
+- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
+- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
+- {NID_X9_62_prime239v1, NID_sha1,
+- "616263", /* "abc" */
+- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
+- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
+- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
+- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
+- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
+- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
+ /* prime KATs from NIST CAVP */
+ {NID_secp224r1, NID_sha224,
+ "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch
index cb10eba..6a73a61 100644
--- a/openssl-1.1.1-evp-kdf.patch
+++ b/openssl-1.1.1-evp-kdf.patch
@@ -5221,17 +5221,16 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/te
+use OpenSSL::Test::Simple;
+
+simple_test("test_evp_kdf", "evp_kdf_test");
-diff -up openssl-1.1.1b/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp.t
---- openssl-1.1.1b/test/recipes/30-test_evp.t.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/recipes/30-test_evp.t 2019-02-28 13:05:05.659521326 +0100
-@@ -15,8 +15,8 @@ use OpenSSL::Test qw/:DEFAULT data_file/
+diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/recipes/30-test_evp.t
+--- openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf 2019-05-29 16:55:38.236960543 +0200
++++ openssl-1.1.1c/test/recipes/30-test_evp.t 2019-05-29 16:57:46.348718012 +0200
+@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/
setup("test_evp");
my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt",
- "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",
-- "evpcase.txt" );
-+ "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt",
-+ "evppkey_ecc.txt", "evpcase.txt" );
++ "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",
+ "evpcase.txt", "evpccmcavs.txt" );
plan tests => scalar(@files);
diff --git a/openssl-1.1.1-fips-post-rand.patch b/openssl-1.1.1-fips-post-rand.patch
index 6e714bc..fc60e33 100644
--- a/openssl-1.1.1-fips-post-rand.patch
+++ b/openssl-1.1.1-fips-post-rand.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand openssl-1.1.1a/crypto/fips/fips.c
---- openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand 2019-01-15 14:14:07.813360637 +0100
-+++ openssl-1.1.1a/crypto/fips/fips.c 2019-01-15 14:14:07.838360173 +0100
+diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/fips/fips.c
+--- openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand 2019-05-29 15:53:56.328216002 +0200
++++ openssl-1.1.1c/crypto/fips/fips.c 2019-05-29 15:53:56.359215457 +0200
@@ -68,6 +68,7 @@
# include <openssl/fips.h>
@@ -51,10 +51,10 @@ diff -up openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand openssl-1.1.1a/crypto/
ret = 1;
goto end;
}
-diff -up openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1a/crypto/include/internal/fips_int.h
---- openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand 2019-01-15 14:14:07.821360489 +0100
-+++ openssl-1.1.1a/crypto/include/internal/fips_int.h 2019-01-15 14:14:07.838360173 +0100
-@@ -76,6 +76,8 @@ int FIPS_selftest_hmac(void);
+diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1c/crypto/include/internal/fips_int.h
+--- openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand 2019-05-29 15:53:56.337215844 +0200
++++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-05-29 15:53:56.359215457 +0200
+@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void);
@@ -63,9 +63,9 @@ diff -up openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand openss
int fips_pkey_signature_test(EVP_PKEY *pkey,
const unsigned char *tbs, int tbslen,
const unsigned char *kat,
-diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/crypto/rand/rand_unix.c
---- openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand 2018-11-20 14:35:38.000000000 +0100
-+++ openssl-1.1.1a/crypto/rand/rand_unix.c 2019-01-15 14:17:22.416748544 +0100
+diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/crypto/rand/rand_unix.c
+--- openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-05-29 16:54:16.471391802 +0200
@@ -16,10 +16,12 @@
#include <openssl/rand.h>
#include "rand_lcl.h"
@@ -74,12 +74,13 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
#include <stdio.h>
#include "internal/dso.h"
#if defined(__linux)
- # include <sys/syscall.h>
+-# include <asm/unistd.h>
++# include <sys/syscall.h>
+# include <sys/random.h>
#endif
#if defined(__FreeBSD__)
# include <sys/types.h>
-@@ -258,7 +260,7 @@ static ssize_t sysctl_random(char *buf,
+@@ -279,7 +281,7 @@ static ssize_t sysctl_random(char *buf,
* syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error.
*/
@@ -88,7 +89,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
{
/*
* Note: 'buflen' equals the size of the buffer which is used by the
-@@ -280,6 +282,7 @@ static ssize_t syscall_random(void *buf,
+@@ -301,6 +303,7 @@ static ssize_t syscall_random(void *buf,
* - Linux since 3.17 with glibc 2.25
* - FreeBSD since 12.0 (1200061)
*/
@@ -96,20 +97,21 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
-@@ -301,10 +304,10 @@ static ssize_t syscall_random(void *buf,
+@@ -322,10 +325,10 @@ static ssize_t syscall_random(void *buf,
if (p_getentropy.p != NULL)
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
# endif
-
+# endif
/* Linux supports this since version 3.17 */
- # if defined(__linux) && defined(SYS_getrandom)
-- return syscall(SYS_getrandom, buf, buflen, 0);
+-# if defined(__linux) && defined(__NR_getrandom)
+- return syscall(__NR_getrandom, buf, buflen, 0);
++# if defined(__linux) && defined(SYS_getrandom)
+ return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
return sysctl_random(buf, buflen);
# else
-@@ -454,8 +457,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -475,8 +478,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
size_t bytes_needed;
size_t entropy_available = 0;
unsigned char *buffer;
@@ -121,7 +123,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
{
ssize_t bytes;
/* Maximum allowed number of consecutive unsuccessful attempts */
-@@ -464,7 +469,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -485,7 +490,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -130,7 +132,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes;
-@@ -496,8 +501,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -540,8 +545,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
int attempts = 3;
const int fd = get_random_device(i);
@@ -142,7 +144,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed);
-@@ -557,7 +564,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -601,7 +608,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
}
}
# endif
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index 09d8692..d59c440 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -1,3 +1,15 @@
+diff -up openssl-1.1.1b/apps/pkcs12.c.fips openssl-1.1.1b/apps/pkcs12.c
+--- openssl-1.1.1b/apps/pkcs12.c.fips 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/apps/pkcs12.c 2019-05-24 12:08:40.524523735 +0200
+@@ -126,7 +126,7 @@ int pkcs12_main(int argc, char **argv)
+ int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
+ int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
+ # ifndef OPENSSL_NO_RC2
+- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
++ int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC;
+ # else
+ int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+ # endif
diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
--- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 11:52:35.887597899 +0200
+++ openssl-1.1.1b/apps/speed.c 2019-05-07 16:51:36.946350159 +0200
@@ -985,9 +997,9 @@ diff -up openssl-1.1.1b/crypto/evp/c_alld.c.fips openssl-1.1.1b/crypto/evp/c_all
+ }
+#endif
}
-diff -up openssl-1.1.1b/crypto/evp/digest.c.fips openssl-1.1.1b/crypto/evp/digest.c
---- openssl-1.1.1b/crypto/evp/digest.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/digest.c 2019-02-28 11:30:06.803745726 +0100
+diff -up openssl-1.1.1c/crypto/evp/digest.c.fips openssl-1.1.1c/crypto/evp/digest.c
+--- openssl-1.1.1c/crypto/evp/digest.c.fips 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/evp/digest.c 2019-05-29 15:47:59.220499971 +0200
@@ -14,6 +14,9 @@
#include <openssl/engine.h>
#include "internal/evp_int.h"
@@ -1027,17 +1039,18 @@ diff -up openssl-1.1.1b/crypto/evp/digest.c.fips openssl-1.1.1b/crypto/evp/diges
if (ctx->digest && ctx->digest->ctx_size) {
OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
ctx->md_data = NULL;
-@@ -150,6 +168,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+@@ -150,6 +168,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
- return ctx->update(ctx, data, count);
- }
++
+ if (count == 0)
+ return 1;
-@@ -167,6 +188,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
+@@ -170,6 +192,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
{
int ret;
@@ -9869,11 +9882,11 @@ diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/c
+#endif
+ return 0;
+}
-diff -up openssl-1.1.1b/crypto/hmac/hmac.c.fips openssl-1.1.1b/crypto/hmac/hmac.c
---- openssl-1.1.1b/crypto/hmac/hmac.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/hmac/hmac.c 2019-02-28 11:30:06.817745466 +0100
-@@ -36,6 +36,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
- }
+diff -up openssl-1.1.1c/crypto/hmac/hmac.c.fips openssl-1.1.1c/crypto/hmac/hmac.c
+--- openssl-1.1.1c/crypto/hmac/hmac.c.fips 2019-05-29 15:46:19.138261106 +0200
++++ openssl-1.1.1c/crypto/hmac/hmac.c 2019-05-29 15:49:09.508263133 +0200
+@@ -43,6 +43,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+ return 0;
if (key != NULL) {
+#ifdef OPENSSL_FIPS
@@ -11756,13 +11769,13 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1
Cipher = aes-128-xts
Key = 1111111111111111111111111111111122222222222222222222222222222222
-diff -up openssl-1.1.1b/util/libcrypto.num.fips openssl-1.1.1b/util/libcrypto.num
---- openssl-1.1.1b/util/libcrypto.num.fips 2019-02-28 11:30:06.824745335 +0100
-+++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 11:33:54.284516991 +0100
-@@ -4579,3 +4579,38 @@ EVP_PKEY_meth_set_digest_custom
- EVP_PKEY_meth_get_digest_custom 4533 1_1_1 EXIST::FUNCTION:
+diff -up openssl-1.1.1c/util/libcrypto.num.fips openssl-1.1.1c/util/libcrypto.num
+--- openssl-1.1.1c/util/libcrypto.num.fips 2019-05-29 15:46:19.154260824 +0200
++++ openssl-1.1.1c/util/libcrypto.num 2019-05-29 15:50:10.390191805 +0200
+@@ -4580,3 +4580,38 @@ EVP_PKEY_meth_get_digest_custom
OPENSSL_INIT_set_config_filename 4534 1_1_1b EXIST::FUNCTION:STDIO
OPENSSL_INIT_set_config_file_flags 4535 1_1_1b EXIST::FUNCTION:STDIO
+ EVP_PKEY_get0_engine 4536 1_1_1c EXIST::FUNCTION:ENGINE
+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:
diff --git a/openssl-1.1.1-regression-fixes.patch b/openssl-1.1.1-regression-fixes.patch
index 4e8c388..11099a1 100644
--- a/openssl-1.1.1-regression-fixes.patch
+++ b/openssl-1.1.1-regression-fixes.patch
@@ -14,24 +14,3 @@ diff -up openssl-1.1.1b/crypto/conf/conf_lib.c.regression openssl-1.1.1b/crypto/
ret->flags = DEFAULT_CONF_MFLAGS;
return ret;
-diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.regression openssl-1.1.1b/crypto/evp/evp_enc.c
---- openssl-1.1.1b/crypto/evp/evp_enc.c.regression 2019-05-07 11:52:35.982596242 +0200
-+++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-05-10 14:30:42.269243383 +0200
-@@ -338,7 +338,7 @@ static int evp_EncryptDecryptUpdate(EVP_
-
- bl = ctx->cipher->block_size;
-
-- if (inl <= 0) {
-+ if (out != NULL && in == NULL && inl <= 0) {
- *outl = 0;
- return inl == 0;
- }
-@@ -491,7 +491,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
- if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
- cmpl = (cmpl + 7) / 8;
-
-- if (inl <= 0) {
-+ if (out != NULL && in == NULL && inl <= 0) {
- *outl = 0;
- return inl == 0;
- }
diff --git a/openssl-1.1.1-system-cipherlist.patch b/openssl-1.1.1-system-cipherlist.patch
index 08ac8e6..a70f20b 100644
--- a/openssl-1.1.1-system-cipherlist.patch
+++ b/openssl-1.1.1-system-cipherlist.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist 2018-08-22 12:15:54.520742678 +0200
-+++ openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl 2018-08-22 12:15:54.554743511 +0200
+diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1c/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist 2019-05-29 15:42:27.951329271 +0200
++++ openssl-1.1.1c/Configurations/unix-Makefile.tmpl 2019-05-29 15:42:27.974328867 +0200
@@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
@@ -20,15 +20,15 @@ diff -up openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist
(map { "-I".$_} @{$config{CPPINCLUDES}}),
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
-diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Configure
---- openssl-1.1.1-pre9/Configure.system-cipherlist 2018-08-21 14:14:11.000000000 +0200
-+++ openssl-1.1.1-pre9/Configure 2018-08-22 12:16:46.600018343 +0200
+diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
+--- openssl-1.1.1c/Configure.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/Configure 2019-05-29 15:45:10.465469533 +0200
@@ -24,7 +24,7 @@ use OpenSSL::Glob;
my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler;
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
-+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
# Options:
#
@@ -50,18 +50,18 @@ diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Confi
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
-@@ -817,6 +821,10 @@ while (@argvcopy)
- push @seed_sources, $x;
- }
+@@ -824,6 +828,10 @@ while (@argvcopy)
+ push @seed_sources, $x;
+ }
}
+ elsif (/^--system-ciphers-file=(.*)$/)
+ {
+ $config{system_ciphers_file}=$1;
+ }
- elsif (/^--cross-compile-prefix=(.*)$/)
- {
- $user{CROSS_COMPILE}=$1;
-@@ -1003,6 +1011,8 @@ if ($target eq "HASH") {
+ elsif (/^--cross-compile-prefix=(.*)$/)
+ {
+ $user{CROSS_COMPILE}=$1;
+@@ -1016,6 +1024,8 @@ if ($target eq "HASH") {
exit 0;
}
@@ -70,9 +70,9 @@ diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Confi
print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
print "for $target\n";
-diff -up openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre9/doc/man1/ciphers.pod
---- openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist 2018-08-21 14:14:13.000000000 +0200
-+++ openssl-1.1.1-pre9/doc/man1/ciphers.pod 2018-08-22 12:15:54.555743536 +0200
+diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/doc/man1/ciphers.pod
+--- openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/doc/man1/ciphers.pod 2019-05-29 15:42:27.975328849 +0200
@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@@ -89,9 +89,9 @@ diff -up openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1
=item B<HIGH>
"High" encryption cipher suites. This currently means those with key lengths
-diff -up openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre9/include/openssl/ssl.h
---- openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist 2018-08-21 14:14:15.000000000 +0200
-+++ openssl-1.1.1-pre9/include/openssl/ssl.h 2018-08-22 12:15:54.557743585 +0200
+diff -up openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist openssl-1.1.1c/include/openssl/ssl.h
+--- openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/include/openssl/ssl.h 2019-05-29 15:42:27.975328849 +0200
@@ -186,6 +186,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
@@ -104,9 +104,9 @@ diff -up openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist openssl-1.1.
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
-diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_ciph.c
---- openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist 2018-08-21 14:14:15.000000000 +0200
-+++ openssl-1.1.1-pre9/ssl/ssl_ciph.c 2018-08-22 12:15:54.557743585 +0200
+diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ciph.c
+--- openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/ssl/ssl_ciph.c 2019-05-29 15:42:27.976328831 +0200
@@ -9,6 +9,8 @@
* https://www.openssl.org/source/license.html
*/
@@ -116,7 +116,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
#include <stdio.h>
#include <ctype.h>
#include <openssl/objects.h>
-@@ -1397,6 +1399,53 @@ int SSL_set_ciphersuites(SSL *s, const c
+@@ -1399,6 +1401,53 @@ int SSL_set_ciphersuites(SSL *s, const c
return ret;
}
@@ -170,7 +170,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
-@@ -1410,15 +1459,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1412,15 +1461,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
const char *rule_p;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
@@ -198,7 +198,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
#endif
/*
-@@ -1441,7 +1500,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1443,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) {
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
@@ -207,7 +207,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1507,8 +1566,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1509,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
@@ -217,7 +217,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
}
/*
-@@ -1553,9 +1611,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1555,9 +1613,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
@@ -228,7 +228,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
-@@ -1581,8 +1638,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1583,8 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
@@ -238,7 +238,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
}
/*
-@@ -1590,14 +1646,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@@ -259,7 +259,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
sk_SSL_CIPHER_free(cipherstack);
return NULL;
}
-@@ -1629,6 +1689,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack;
return cipherstack;
@@ -274,10 +274,10 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
}
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
-diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_lib.c
---- openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist 2018-08-22 12:15:54.552743462 +0200
-+++ openssl-1.1.1-pre9/ssl/ssl_lib.c 2018-08-22 12:15:54.558743609 +0200
-@@ -658,7 +658,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
+diff -up openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1c/ssl/ssl_lib.c
+--- openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist 2019-05-29 15:42:27.970328937 +0200
++++ openssl-1.1.1c/ssl/ssl_lib.c 2019-05-29 15:42:27.977328814 +0200
+@@ -662,7 +662,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
@@ -286,7 +286,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/s
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
-@@ -2933,7 +2933,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+@@ -2954,7 +2954,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
if (!ssl_create_cipher_list(ret->method,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
@@ -295,9 +295,9 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/s
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
-diff -up openssl-1.1.1b/test/cipherlist_test.c.system-cipherlist openssl-1.1.1b/test/cipherlist_test.c
---- openssl-1.1.1b/test/cipherlist_test.c.system-cipherlist 2019-02-28 11:27:15.181936081 +0100
-+++ openssl-1.1.1b/test/cipherlist_test.c 2019-02-28 11:28:53.357111055 +0100
+diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/test/cipherlist_test.c
+--- openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/test/cipherlist_test.c 2019-05-29 15:42:27.977328814 +0200
@@ -251,7 +251,9 @@ end:
int setup_tests(void)
diff --git a/openssl-1.1.1-upstream-sync.patch b/openssl-1.1.1-upstream-sync.patch
index 2cf849f..6735e6a 100644
--- a/openssl-1.1.1-upstream-sync.patch
+++ b/openssl-1.1.1-upstream-sync.patch
@@ -1,2282 +1,67 @@
-diff -up openssl-1.1.1b/apps/asn1pars.c.sync openssl-1.1.1b/apps/asn1pars.c
---- openssl-1.1.1b/apps/asn1pars.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/apps/asn1pars.c 2019-05-03 08:55:51.532407003 +0200
-@@ -170,17 +170,17 @@ int asn1parse_main(int argc, char **argv
- if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL)
- goto end;
-
-+ if ((buf = BUF_MEM_new()) == NULL)
-+ goto end;
- if (strictpem) {
-- if (PEM_read_bio(in, &name, &header, &str, &num) !=
-- 1) {
-+ if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
- BIO_printf(bio_err, "Error reading PEM file\n");
- ERR_print_errors(bio_err);
- goto end;
- }
-+ buf->data = (char *)str;
-+ buf->length = buf->max = num;
- } else {
--
-- if ((buf = BUF_MEM_new()) == NULL)
-- goto end;
- if (!BUF_MEM_grow(buf, BUFSIZ * 8))
- goto end; /* Pre-allocate :-) */
-
-@@ -303,8 +303,6 @@ int asn1parse_main(int argc, char **argv
- BUF_MEM_free(buf);
- OPENSSL_free(name);
- OPENSSL_free(header);
-- if (strictpem)
-- OPENSSL_free(str);
- ASN1_TYPE_free(at);
- sk_OPENSSL_STRING_free(osk);
- return ret;
-diff -up openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl
---- openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/aes/asm/aesp8-ppc.pl 2019-05-03 08:55:51.551406676 +0200
-@@ -1829,7 +1829,7 @@ Lctr32_enc8x_three:
- stvx_u $out1,$x10,$out
- stvx_u $out2,$x20,$out
- addi $out,$out,0x30
-- b Lcbc_dec8x_done
-+ b Lctr32_enc8x_done
-
- .align 5
- Lctr32_enc8x_two:
-@@ -1841,7 +1841,7 @@ Lctr32_enc8x_two:
- stvx_u $out0,$x00,$out
- stvx_u $out1,$x10,$out
- addi $out,$out,0x20
-- b Lcbc_dec8x_done
-+ b Lctr32_enc8x_done
-
- .align 5
- Lctr32_enc8x_one:
-diff -up openssl-1.1.1b/crypto/bio/b_addr.c.sync openssl-1.1.1b/crypto/bio/b_addr.c
---- openssl-1.1.1b/crypto/bio/b_addr.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/bio/b_addr.c 2019-05-03 08:55:51.555406608 +0200
-@@ -683,6 +683,12 @@ int BIO_lookup_ex(const char *host, cons
- hints.ai_family = family;
- hints.ai_socktype = socktype;
- hints.ai_protocol = protocol;
-+#ifdef AI_ADDRCONFIG
-+#ifdef AF_UNSPEC
-+ if (family == AF_UNSPEC)
-+#endif
-+ hints.ai_flags |= AI_ADDRCONFIG;
-+#endif
-
- if (lookup_type == BIO_LOOKUP_SERVER)
- hints.ai_flags |= AI_PASSIVE;
-diff -up openssl-1.1.1b/crypto/bio/bss_mem.c.sync openssl-1.1.1b/crypto/bio/bss_mem.c
---- openssl-1.1.1b/crypto/bio/bss_mem.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/bio/bss_mem.c 2019-05-03 08:55:51.556406591 +0200
-@@ -57,7 +57,12 @@ static const BIO_METHOD secmem_method =
- NULL, /* mem_callback_ctrl */
- };
-
--/* BIO memory stores buffer and read pointer */
-+/*
-+ * BIO memory stores buffer and read pointer
-+ * however the roles are different for read only BIOs.
-+ * In that case the readp just stores the original state
-+ * to be used for reset.
-+ */
- typedef struct bio_buf_mem_st {
- struct buf_mem_st *buf; /* allocated buffer */
- struct buf_mem_st *readp; /* read pointer */
-@@ -192,11 +197,14 @@ static int mem_read(BIO *b, char *out, i
- BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
- BUF_MEM *bm = bbm->readp;
-
-+ if (b->flags & BIO_FLAGS_MEM_RDONLY)
-+ bm = bbm->buf;
- BIO_clear_retry_flags(b);
- ret = (outl >= 0 && (size_t)outl > bm->length) ? (int)bm->length : outl;
- if ((out != NULL) && (ret > 0)) {
- memcpy(out, bm->data, ret);
- bm->length -= ret;
-+ bm->max -= ret;
- bm->data += ret;
- } else if (bm->length == 0) {
- ret = b->num;
-@@ -241,29 +249,36 @@ static long mem_ctrl(BIO *b, int cmd, lo
- BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
- BUF_MEM *bm;
-
-+ if (b->flags & BIO_FLAGS_MEM_RDONLY)
-+ bm = bbm->buf;
-+ else
-+ bm = bbm->readp;
-+
- switch (cmd) {
- case BIO_CTRL_RESET:
- bm = bbm->buf;
- if (bm->data != NULL) {
-- /* For read only case reset to the start again */
-- if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & BIO_FLAGS_NONCLEAR_RST)) {
-- bm->length = bm->max;
-+ if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) {
-+ if (b->flags & BIO_FLAGS_NONCLEAR_RST) {
-+ bm->length = bm->max;
-+ } else {
-+ memset(bm->data, 0, bm->max);
-+ bm->length = 0;
-+ }
-+ *bbm->readp = *bbm->buf;
- } else {
-- memset(bm->data, 0, bm->max);
-- bm->length = 0;
-+ /* For read only case just reset to the start again */
-+ *bbm->buf = *bbm->readp;
- }
-- *bbm->readp = *bbm->buf;
- }
- break;
- case BIO_CTRL_EOF:
-- bm = bbm->readp;
- ret = (long)(bm->length == 0);
- break;
- case BIO_C_SET_BUF_MEM_EOF_RETURN:
- b->num = (int)num;
- break;
- case BIO_CTRL_INFO:
-- bm = bbm->readp;
- ret = (long)bm->length;
- if (ptr != NULL) {
- pptr = (char **)ptr;
-@@ -278,8 +293,9 @@ static long mem_ctrl(BIO *b, int cmd, lo
- break;
- case BIO_C_GET_BUF_MEM_PTR:
- if (ptr != NULL) {
-- mem_buf_sync(b);
-- bm = bbm->readp;
-+ if (!(b->flags & BIO_FLAGS_MEM_RDONLY))
-+ mem_buf_sync(b);
-+ bm = bbm->buf;
- pptr = (char **)ptr;
- *pptr = (char *)bm;
- }
-@@ -294,7 +310,6 @@ static long mem_ctrl(BIO *b, int cmd, lo
- ret = 0L;
- break;
- case BIO_CTRL_PENDING:
-- bm = bbm->readp;
- ret = (long)bm->length;
- break;
- case BIO_CTRL_DUP:
-@@ -318,6 +333,8 @@ static int mem_gets(BIO *bp, char *buf,
- BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)bp->ptr;
- BUF_MEM *bm = bbm->readp;
-
-+ if (bp->flags & BIO_FLAGS_MEM_RDONLY)
-+ bm = bbm->buf;
- BIO_clear_retry_flags(bp);
- j = bm->length;
- if ((size - 1) < j)
-diff -up openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync openssl-1.1.1b/crypto/bn/asm/ppc.pl
---- openssl-1.1.1b/crypto/bn/asm/ppc.pl.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/bn/asm/ppc.pl 2019-05-03 08:55:51.530407037 +0200
-@@ -258,6 +258,7 @@ $data=<<EOF;
- # .text section
-
- .machine "any"
-+ .text
-
- #
- # NOTE: The following label name should be changed to
-diff -up openssl-1.1.1b/crypto/bn/bn_ctx.c.sync openssl-1.1.1b/crypto/bn/bn_ctx.c
---- openssl-1.1.1b/crypto/bn/bn_ctx.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/bn/bn_ctx.c 2019-05-03 08:55:51.524407140 +0200
-@@ -194,6 +194,8 @@ void BN_CTX_start(BN_CTX *ctx)
-
- void BN_CTX_end(BN_CTX *ctx)
- {
-+ if (ctx == NULL)
-+ return;
- CTXDBG_ENTRY("BN_CTX_end", ctx);
- if (ctx->err_stack)
- ctx->err_stack--;
-diff -up openssl-1.1.1b/crypto/bn/bn_lib.c.sync openssl-1.1.1b/crypto/bn/bn_lib.c
---- openssl-1.1.1b/crypto/bn/bn_lib.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/bn/bn_lib.c 2019-05-03 08:55:51.525407123 +0200
-@@ -338,6 +338,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b)
-
- void BN_clear(BIGNUM *a)
- {
-+ if (a == NULL)
-+ return;
- bn_check_top(a);
- if (a->d != NULL)
- OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax);
-diff -up openssl-1.1.1b/crypto/bn/bn_prime.c.sync openssl-1.1.1b/crypto/bn/bn_prime.c
---- openssl-1.1.1b/crypto/bn/bn_prime.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/bn/bn_prime.c 2019-05-03 08:55:51.525407123 +0200
-@@ -135,8 +135,7 @@ int BN_generate_prime_ex(BIGNUM *ret, in
- found = 1;
- err:
- OPENSSL_free(mods);
-- if (ctx != NULL)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- bn_check_top(ret);
- return found;
-diff -up openssl-1.1.1b/crypto/chacha/build.info.sync openssl-1.1.1b/crypto/chacha/build.info
---- openssl-1.1.1b/crypto/chacha/build.info.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/chacha/build.info 2019-05-03 08:55:51.538406900 +0200
-@@ -9,6 +9,8 @@ GENERATE[chacha-armv4.S]=asm/chacha-armv
- INCLUDE[chacha-armv4.o]=..
- GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl $(PERLASM_SCHEME)
- INCLUDE[chacha-armv8.o]=..
-+GENERATE[chacha-s390x.S]=asm/chacha-s390x.pl $(PERLASM_SCHEME)
-+INCLUDE[chacha-s390x.o]=..
-
- BEGINRAW[Makefile(unix)]
- ##### CHACHA assembler implementations
-diff -up openssl-1.1.1b/crypto/conf/conf_sap.c.sync openssl-1.1.1b/crypto/conf/conf_sap.c
---- openssl-1.1.1b/crypto/conf/conf_sap.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/conf/conf_sap.c 2019-05-03 08:55:51.550406694 +0200
-@@ -35,6 +35,7 @@ void OPENSSL_config(const char *appname)
- memset(&settings, 0, sizeof(settings));
- if (appname != NULL)
- settings.appname = strdup(appname);
-+ settings.flags = DEFAULT_CONF_MFLAGS;
- OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings);
- }
- #endif
-diff -up openssl-1.1.1b/crypto/dh/dh_check.c.sync openssl-1.1.1b/crypto/dh/dh_check.c
---- openssl-1.1.1b/crypto/dh/dh_check.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/dh/dh_check.c 2019-05-03 08:55:51.525407123 +0200
-@@ -58,10 +58,8 @@ int DH_check_params(const DH *dh, int *r
-
- ok = 1;
- err:
-- if (ctx != NULL) {
-- BN_CTX_end(ctx);
-- BN_CTX_free(ctx);
-- }
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
- return ok;
- }
-
-@@ -171,10 +169,8 @@ int DH_check(const DH *dh, int *ret)
- }
- ok = 1;
- err:
-- if (ctx != NULL) {
-- BN_CTX_end(ctx);
-- BN_CTX_free(ctx);
-- }
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
- return ok;
- }
-
-@@ -225,9 +221,7 @@ int DH_check_pub_key(const DH *dh, const
-
- ok = 1;
- err:
-- if (ctx != NULL) {
-- BN_CTX_end(ctx);
-- BN_CTX_free(ctx);
-- }
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
- return ok;
- }
-diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.sync openssl-1.1.1b/crypto/dh/dh_gen.c
---- openssl-1.1.1b/crypto/dh/dh_gen.c.sync 2019-05-03 08:55:45.170516224 +0200
-+++ openssl-1.1.1b/crypto/dh/dh_gen.c 2019-05-03 08:55:51.525407123 +0200
-@@ -144,9 +144,7 @@ static int dh_builtin_genparams(DH *ret,
- ok = 0;
- }
-
-- if (ctx != NULL) {
-- BN_CTX_end(ctx);
-- BN_CTX_free(ctx);
-- }
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
- return ok;
- }
-diff -up openssl-1.1.1b/crypto/dh/dh_key.c.sync openssl-1.1.1b/crypto/dh/dh_key.c
---- openssl-1.1.1b/crypto/dh/dh_key.c.sync 2019-05-03 08:55:45.170516224 +0200
-+++ openssl-1.1.1b/crypto/dh/dh_key.c 2019-05-03 08:55:51.526407106 +0200
-@@ -237,10 +237,8 @@ static int compute_key(unsigned char *ke
-
- ret = BN_bn2bin(tmp, key);
- err:
-- if (ctx != NULL) {
-- BN_CTX_end(ctx);
-- BN_CTX_free(ctx);
-- }
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
- return ret;
- }
-
-diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync openssl-1.1.1b/crypto/dsa/dsa_gen.c
---- openssl-1.1.1b/crypto/dsa/dsa_gen.c.sync 2019-05-03 08:55:45.171516207 +0200
-+++ openssl-1.1.1b/crypto/dsa/dsa_gen.c 2019-05-03 08:55:51.526407106 +0200
-@@ -308,8 +308,7 @@ int dsa_builtin_paramgen(DSA *ret, size_
- if (seed_out)
- memcpy(seed_out, seed, qsize);
- }
-- if (ctx)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- BN_MONT_CTX_free(mont);
- return ok;
-@@ -641,8 +640,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
- OPENSSL_free(seed);
- if (seed_out != seed_tmp)
- OPENSSL_free(seed_tmp);
-- if (ctx)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- BN_MONT_CTX_free(mont);
- EVP_MD_CTX_free(mctx);
-diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync openssl-1.1.1b/crypto/ec/ecdh_ossl.c
---- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.sync 2019-05-03 08:55:45.171516207 +0200
-+++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-05-03 08:55:51.556406591 +0200
-@@ -123,7 +123,7 @@ int ecdh_simple_compute_key(unsigned cha
- ret = 1;
-
- err:
-- EC_POINT_free(tmp);
-+ EC_POINT_clear_free(tmp);
- if (ctx)
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
-diff -up openssl-1.1.1b/crypto/ec/ec_lib.c.sync openssl-1.1.1b/crypto/ec/ec_lib.c
---- openssl-1.1.1b/crypto/ec/ec_lib.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/ec/ec_lib.c 2019-05-03 08:55:51.527407088 +0200
-@@ -1074,8 +1074,7 @@ static int ec_field_inverse_mod_ord(cons
- ret = 1;
-
- err:
-- if (ctx != NULL)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(new_ctx);
- return ret;
- }
-diff -up openssl-1.1.1b/crypto/ec/ec_mult.c.sync openssl-1.1.1b/crypto/ec/ec_mult.c
---- openssl-1.1.1b/crypto/ec/ec_mult.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/ec/ec_mult.c 2019-05-03 08:55:51.540406865 +0200
-@@ -378,7 +378,7 @@ int ec_scalar_mul_ladder(const EC_GROUP
-
- err:
- EC_POINT_free(p);
-- EC_POINT_free(s);
-+ EC_POINT_clear_free(s);
- BN_CTX_end(ctx);
-
- return ret;
-@@ -441,7 +441,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E
- * scalar multiplication implementation based on a Montgomery ladder,
- * with various timing attack defenses.
- */
-- if ((scalar != NULL) && (num == 0)) {
-+ if ((scalar != group->order) && (scalar != NULL) && (num == 0)) {
- /*-
- * In this case we want to compute scalar * GeneratorPoint: this
- * codepath is reached most prominently by (ephemeral) key
-@@ -452,7 +452,7 @@ int ec_wNAF_mul(const EC_GROUP *group, E
- */
- return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx);
- }
-- if ((scalar == NULL) && (num == 1)) {
-+ if ((scalar == NULL) && (num == 1) && (scalars[0] != group->order)) {
- /*-
- * In this case we want to compute scalar * VariablePoint: this
- * codepath is reached most prominently by the second half of ECDH,
-@@ -948,8 +948,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *gr
- ret = 1;
-
- err:
-- if (ctx != NULL)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(new_ctx);
- EC_ec_pre_comp_free(pre_comp);
- if (points) {
-diff -up openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync openssl-1.1.1b/crypto/ec/ecp_nistp521.c
---- openssl-1.1.1b/crypto/ec/ecp_nistp521.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/ec/ecp_nistp521.c 2019-05-03 08:55:51.532407003 +0200
-@@ -357,10 +357,15 @@ static void felem_diff64(felem out, cons
- static void felem_diff_128_64(largefelem out, const felem in)
- {
- /*
-- * In order to prevent underflow, we add 0 mod p before subtracting.
-+ * In order to prevent underflow, we add 64p mod p (which is equivalent
-+ * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521
-+ * digit number with all bits set to 1. See "The representation of field
-+ * elements" comment above for a description of how limbs are used to
-+ * represent a number. 64p is represented with 8 limbs containing a number
-+ * with 58 bits set and one limb with a number with 57 bits set.
- */
-- static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5);
-- static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4);
-+ static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6);
-+ static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5);
-
- out[0] += two63m6 - in[0];
- out[1] += two63m5 - in[1];
-diff -up openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync openssl-1.1.1b/crypto/ec/ecp_nistz256.c
---- openssl-1.1.1b/crypto/ec/ecp_nistz256.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/ec/ecp_nistz256.c 2019-05-03 08:55:51.528407071 +0200
-@@ -888,8 +888,7 @@ __owur static int ecp_nistz256_mult_prec
- ret = 1;
-
- err:
-- if (ctx != NULL)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(new_ctx);
-
- EC_nistz256_pre_comp_free(pre_comp);
-diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync openssl-1.1.1b/crypto/ec/ecp_smpl.c
---- openssl-1.1.1b/crypto/ec/ecp_smpl.c.sync 2019-05-03 08:55:45.152516533 +0200
-+++ openssl-1.1.1b/crypto/ec/ecp_smpl.c 2019-05-03 08:55:51.528407071 +0200
-@@ -312,8 +312,7 @@ int ec_GFp_simple_group_check_discrimina
- ret = 1;
-
- err:
-- if (ctx != NULL)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(new_ctx);
- return ret;
- }
-@@ -792,8 +791,7 @@ int ec_GFp_simple_add(const EC_GROUP *gr
- ret = 1;
-
- end:
-- if (ctx) /* otherwise we already called BN_CTX_end */
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(new_ctx);
- return ret;
- }
-diff -up openssl-1.1.1b/crypto/err/err.c.sync openssl-1.1.1b/crypto/err/err.c
---- openssl-1.1.1b/crypto/err/err.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/err/err.c 2019-05-03 08:55:51.548406728 +0200
-@@ -523,8 +523,24 @@ static unsigned long get_error_values(in
- return ERR_R_INTERNAL_ERROR;
- }
-
-+ while (es->bottom != es->top) {
-+ if (es->err_flags[es->top] & ERR_FLAG_CLEAR) {
-+ err_clear(es, es->top);
-+ es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1;
-+ continue;
-+ }
-+ i = (es->bottom + 1) % ERR_NUM_ERRORS;
-+ if (es->err_flags[i] & ERR_FLAG_CLEAR) {
-+ es->bottom = i;
-+ err_clear(es, es->bottom);
-+ continue;
-+ }
-+ break;
-+ }
-+
- if (es->bottom == es->top)
- return 0;
-+
- if (top)
- i = es->top; /* last error */
- else
-@@ -913,25 +929,6 @@ int ERR_clear_last_mark(void)
- return 1;
- }
-
--#ifdef UINTPTR_T
--# undef UINTPTR_T
--#endif
--/*
-- * uintptr_t is the answer, but unfortunately C89, current "least common
-- * denominator" doesn't define it. Most legacy platforms typedef it anyway,
-- * so that attempt to fill the gaps means that one would have to identify
-- * that track these gaps, which would be undesirable. Macro it is...
-- */
--#if defined(__VMS) && __INITIAL_POINTER_SIZE==64
--/*
-- * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
-- * even in 64-bit builds, which means that it won't work as mask.
-- */
--# define UINTPTR_T unsigned long long
--#else
--# define UINTPTR_T size_t
--#endif
--
- void err_clear_last_constant_time(int clear)
- {
- ERR_STATE *es;
-@@ -943,11 +940,11 @@ void err_clear_last_constant_time(int cl
-
- top = es->top;
-
-- es->err_flags[top] &= ~(0 - clear);
-- es->err_buffer[top] &= ~(0UL - clear);
-- es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
-- ~((UINTPTR_T)0 - clear));
-- es->err_line[top] |= 0 - clear;
--
-- es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
-+ /*
-+ * Flag error as cleared but remove it elsewhere to avoid two errors
-+ * accessing the same error stack location, revealing timing information.
-+ */
-+ clear = constant_time_select_int(constant_time_eq_int(clear, 0),
-+ 0, ERR_FLAG_CLEAR);
-+ es->err_flags[top] |= clear;
- }
-diff -up openssl-1.1.1b/crypto/evp/digest.c.sync openssl-1.1.1b/crypto/evp/digest.c
---- openssl-1.1.1b/crypto/evp/digest.c.sync 2019-05-03 08:55:51.553406642 +0200
-+++ openssl-1.1.1b/crypto/evp/digest.c 2019-05-03 08:56:40.800561168 +0200
-@@ -171,6 +171,9 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, co
- #ifdef OPENSSL_FIPS
- FIPS_selftest_check();
- #endif
-+ if (count == 0)
+diff -up openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync openssl-1.1.1c/crypto/dsa/dsa_ameth.c
+--- openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/dsa/dsa_ameth.c 2019-05-29 17:10:39.768187283 +0200
+@@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
+
+ case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+ *(int *)arg2 = NID_sha256;
+- return 2;
+ return 1;
-+
- return ctx->update(ctx, data, count);
- }
-
-diff -up openssl-1.1.1b/crypto/evp/e_aria.c.sync openssl-1.1.1b/crypto/evp/e_aria.c
---- openssl-1.1.1b/crypto/evp/e_aria.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/e_aria.c 2019-05-03 08:55:51.545406779 +0200
-@@ -486,6 +486,16 @@ static int aria_gcm_cipher(EVP_CIPHER_CT
- return 0;
- }
-
-+static int aria_gcm_cleanup(EVP_CIPHER_CTX *ctx)
-+{
-+ EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, ctx);
-+
-+ if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(ctx))
-+ OPENSSL_free(gctx->iv);
-+
-+ return 1;
-+}
-+
- static int aria_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
- {
-@@ -727,6 +737,8 @@ static int aria_ccm_cipher(EVP_CIPHER_CT
- }
- }
-
-+#define aria_ccm_cleanup NULL
-+
- #define ARIA_AUTH_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
- | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
- | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
-@@ -739,7 +751,7 @@ static const EVP_CIPHER aria_##keylen##_
- ARIA_AUTH_FLAGS|EVP_CIPH_##MODE##_MODE, \
- aria_##mode##_init_key, \
- aria_##mode##_cipher, \
-- NULL, \
-+ aria_##mode##_cleanup, \
- sizeof(EVP_ARIA_##MODE##_CTX), \
- NULL,NULL,aria_##mode##_ctrl,NULL }; \
- const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \
-diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c
---- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.sync 2019-05-03 08:55:45.216515434 +0200
-+++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-05-03 08:55:51.551406676 +0200
-@@ -30,6 +30,8 @@ typedef struct {
-
- #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
-
-+#define CHACHA20_POLY1305_MAX_IVLEN 12
-+
- static int chacha_init_key(EVP_CIPHER_CTX *ctx,
- const unsigned char user_key[CHACHA_KEY_SIZE],
- const unsigned char iv[CHACHA_CTR_SIZE], int enc)
-@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CI
- return 1;
-
- case EVP_CTRL_AEAD_SET_IVLEN:
-- if (arg <= 0 || arg > CHACHA_CTR_SIZE)
-+ if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
- return 0;
- actx->nonce_len = arg;
- return 1;
-diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.sync openssl-1.1.1b/crypto/evp/evp_enc.c
---- openssl-1.1.1b/crypto/evp/evp_enc.c.sync 2019-05-03 08:55:45.174516155 +0200
-+++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-05-03 08:55:51.544406797 +0200
-@@ -338,6 +338,11 @@ static int evp_EncryptDecryptUpdate(EVP_
-
- bl = ctx->cipher->block_size;
-
-+ if (inl <= 0) {
-+ *outl = 0;
-+ return inl == 0;
-+ }
-+
- if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
- /* If block size > 1 then the cipher will have to do this check */
- if (bl == 1 && is_partially_overlapping(out, in, cmpl)) {
-@@ -353,10 +358,6 @@ static int evp_EncryptDecryptUpdate(EVP_
- return 1;
- }
-
-- if (inl <= 0) {
-- *outl = 0;
-- return inl == 0;
-- }
- if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
- EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
- return 0;
-@@ -490,6 +491,11 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
- if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
- cmpl = (cmpl + 7) / 8;
-
-+ if (inl <= 0) {
-+ *outl = 0;
-+ return inl == 0;
-+ }
-+
- if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
- if (b == 1 && is_partially_overlapping(out, in, cmpl)) {
- EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
-@@ -505,11 +511,6 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
- return 1;
- }
-
-- if (inl <= 0) {
-- *outl = 0;
-- return inl == 0;
-- }
--
- if (ctx->flags & EVP_CIPH_NO_PADDING)
- return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
-
-diff -up openssl-1.1.1b/crypto/hmac/hmac.c.sync openssl-1.1.1b/crypto/hmac/hmac.c
---- openssl-1.1.1b/crypto/hmac/hmac.c.sync 2019-05-03 08:55:45.189515898 +0200
-+++ openssl-1.1.1b/crypto/hmac/hmac.c 2019-05-03 08:55:51.538406900 +0200
-@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
- return 0;
- }
-
-+ /*
-+ * The HMAC construction is not allowed to be used with the
-+ * extendable-output functions (XOF) shake128 and shake256.
-+ */
-+ if ((EVP_MD_meth_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
-+ return 0;
-+
- if (key != NULL) {
- #ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS)
-diff -up openssl-1.1.1b/crypto/init.c.sync openssl-1.1.1b/crypto/init.c
---- openssl-1.1.1b/crypto/init.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/init.c 2019-05-03 08:55:51.550406694 +0200
-@@ -702,7 +702,7 @@ int OPENSSL_init_crypto(uint64_t opts, c
- ret = RUN_ONCE(&config, ossl_init_config);
- conf_settings = NULL;
- CRYPTO_THREAD_unlock(init_lock);
-- if (!ret)
-+ if (ret <= 0)
- return 0;
- }
-
-diff -up openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl
---- openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/modes/asm/ghash-x86_64.pl 2019-05-03 08:55:51.534406969 +0200
-@@ -1155,6 +1155,7 @@ ___
- } else {
- $code.=<<___;
- jmp .L_init_clmul
-+.cfi_endproc
- .size gcm_init_avx,.-gcm_init_avx
- ___
- }
-@@ -1594,6 +1595,7 @@ ___
- } else {
- $code.=<<___;
- jmp .L_ghash_clmul
-+.cfi_endproc
- .size gcm_ghash_avx,.-gcm_ghash_avx
- ___
- }
-diff -up openssl-1.1.1b/crypto/modes/ccm128.c.sync openssl-1.1.1b/crypto/modes/ccm128.c
---- openssl-1.1.1b/crypto/modes/ccm128.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/modes/ccm128.c 2019-05-03 08:55:51.543406814 +0200
-@@ -425,7 +425,7 @@ size_t CRYPTO_ccm128_tag(CCM128_CONTEXT
- M *= 2;
- M += 2;
-- if (len < M)
-+ if (len != M)
- return 0;
- memcpy(tag, ctx->cmac.c, M);
- return M;
-diff -up openssl-1.1.1b/crypto/o_str.c.sync openssl-1.1.1b/crypto/o_str.c
---- openssl-1.1.1b/crypto/o_str.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/o_str.c 2019-05-03 08:55:51.550406694 +0200
-@@ -223,7 +223,26 @@ int openssl_strerror_r(int errnum, char
- #if defined(_MSC_VER) && _MSC_VER>=1400
- return !strerror_s(buf, buflen, errnum);
- #elif defined(_GNU_SOURCE)
-- return strerror_r(errnum, buf, buflen) != NULL;
-+ char *err;
-+
-+ /*
-+ * GNU strerror_r may not actually set buf.
-+ * It can return a pointer to some (immutable) static string in which case
-+ * buf is left unused.
-+ */
-+ err = strerror_r(errnum, buf, buflen);
-+ if (err == NULL)
-+ return 0;
-+ /*
-+ * If err is statically allocated, err != buf and we need to copy the data.
-+ * If err points somewhere inside buf, OPENSSL_strlcpy can handle this,
-+ * since src and dest are not annotated with __restrict and the function
-+ * reads src byte for byte and writes to dest.
-+ * If err == buf we do not have to copy anything.
-+ */
-+ if (err != buf)
-+ OPENSSL_strlcpy(buf, err, buflen);
-+ return 1;
- #elif (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) || \
- (defined(_XOPEN_SOURCE) && _XOPEN_SOURCE >= 600)
- /*
-@@ -234,6 +253,7 @@ int openssl_strerror_r(int errnum, char
- return !strerror_r(errnum, buf, buflen);
- #else
- char *err;
-+
- /* Fall back to non-thread safe strerror()...its all we can do */
- if (buflen < 2)
- return 0;
-@@ -241,8 +261,7 @@ int openssl_strerror_r(int errnum, char
- /* Can this ever happen? */
- if (err == NULL)
- return 0;
-- strncpy(buf, err, buflen - 1);
-- buf[buflen - 1] = '\0';
-+ OPENSSL_strlcpy(buf, err, buflen);
- return 1;
- #endif
+ default:
+ return -2;
+diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
+--- openssl-1.1.1c/crypto/err/err.c.sync 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/err/err.c 2019-05-29 17:07:13.345793792 +0200
+@@ -184,8 +184,8 @@ static ERR_STRING_DATA *int_err_get_item
}
-diff -up openssl-1.1.1b/crypto/poly1305/build.info.sync openssl-1.1.1b/crypto/poly1305/build.info
---- openssl-1.1.1b/crypto/poly1305/build.info.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/poly1305/build.info 2019-05-03 08:55:51.538406900 +0200
-@@ -17,6 +17,7 @@ GENERATE[poly1305-armv8.S]=asm/poly1305-
- INCLUDE[poly1305-armv8.o]=..
- GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME)
- INCLUDE[poly1305-mips.o]=..
-+GENERATE[poly1305-s390x.S]=asm/poly1305-s390x.pl $(PERLASM_SCHEME)
-
- BEGINRAW[Makefile(unix)]
- {- $builddir -}/poly1305-%.S: {- $sourcedir -}/asm/poly1305-%.pl
-diff -up openssl-1.1.1b/crypto/rc4/build.info.sync openssl-1.1.1b/crypto/rc4/build.info
---- openssl-1.1.1b/crypto/rc4/build.info.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rc4/build.info 2019-05-03 08:55:51.538406900 +0200
-@@ -11,6 +11,8 @@ GENERATE[rc4-md5-x86_64.s]=asm/rc4-md5-x
-
- GENERATE[rc4-parisc.s]=asm/rc4-parisc.pl $(PERLASM_SCHEME)
-
-+GENERATE[rc4-s390x.s]=asm/rc4-s390x.pl $(PERLASM_SCHEME)
-+
- BEGINRAW[Makefile]
- # GNU make "catch all"
- {- $builddir -}/rc4-%.s: {- $sourcedir -}/asm/rc4-%.pl
-diff -up openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync openssl-1.1.1b/crypto/rsa/rsa_ameth.c
---- openssl-1.1.1b/crypto/rsa/rsa_ameth.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_ameth.c 2019-05-03 08:55:51.533406986 +0200
-@@ -583,10 +583,12 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EV
- return NULL;
- if (saltlen == -1) {
- saltlen = EVP_MD_size(sigmd);
-- } else if (saltlen == -2) {
-+ } else if (saltlen == -2 || saltlen == -3) {
- saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
- if ((EVP_PKEY_bits(pk) & 0x7) == 1)
- saltlen--;
-+ if (saltlen < 0)
-+ return NULL;
- }
-
- return rsa_pss_params_create(sigmd, mgf1md, saltlen);
-diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync openssl-1.1.1b/crypto/rsa/rsa_gen.c
---- openssl-1.1.1b/crypto/rsa/rsa_gen.c.sync 2019-05-03 08:55:45.191515864 +0200
-+++ openssl-1.1.1b/crypto/rsa/rsa_gen.c 2019-05-03 08:55:51.528407071 +0200
-@@ -746,8 +746,7 @@ static int rsa_builtin_keygen(RSA *rsa,
- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
- ok = 0;
- }
-- if (ctx != NULL)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- return ok;
- }
-diff -up openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync openssl-1.1.1b/crypto/rsa/rsa_oaep.c
---- openssl-1.1.1b/crypto/rsa/rsa_oaep.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_oaep.c 2019-05-03 08:55:51.549406711 +0200
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
- * |num| is the length of the modulus; |flen| is the length of the
- * encoded message. Therefore, for any |from| that was obtained by
- * decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
-- * num < 2 * mdlen + 2 must hold for the modulus irrespective of
-+ * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of
- * the ciphertext, see PKCS #1 v2.2, section 7.1.2.
- * This does not leak any side-channel information.
- */
-@@ -179,17 +179,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
- from -= 1 & mask;
- *--em = *from & mask;
- }
-- from = em;
-
- /*
- * The first byte must be zero, however we must not leak if this is
- * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
- * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
- */
-- good = constant_time_is_zero(from[0]);
-+ good = constant_time_is_zero(em[0]);
-
-- maskedseed = from + 1;
-- maskeddb = from + 1 + mdlen;
-+ maskedseed = em + 1;
-+ maskeddb = em + 1 + mdlen;
-
- if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
- goto cleanup;
-@@ -230,29 +229,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
- mlen = dblen - msg_index;
-
- /*
-- * For good measure, do this check in constant tine as well.
-+ * For good measure, do this check in constant time as well.
- */
- good &= constant_time_ge(tlen, mlen);
-
- /*
-- * Even though we can't fake result's length, we can pretend copying
-- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
-- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
-- * where |mlen'| is "saturated" |mlen| value. Deducing information
-- * about failure or |mlen| would take attacker's ability to observe
-- * memory access pattern with byte granularity *as it occurs*. It
-- * should be noted that failure is indistinguishable from normal
-- * operation if |tlen| is fixed by protocol.
-+ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
-+ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
-+ * Otherwise leave |to| unchanged.
-+ * Copy the memory back in a way that does not reveal the size of
-+ * the data being copied via a timing side channel. This requires copying
-+ * parts of the buffer multiple times based on the bits set in the real
-+ * length. Clear bits do a non-copy with identical access pattern.
-+ * The loop below has overall complexity of O(N*log(N)).
- */
-- tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
-- msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
-- mlen = dblen - msg_index;
-- for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
-- unsigned int equals = constant_time_eq(i, mlen);
--
-- from -= dblen & equals; /* if (i == dblen) rewind */
-- mask &= mask ^ equals; /* if (i == dblen) mask = 0 */
-- to[i] = constant_time_select_8(mask, from[i], to[i]);
-+ tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
-+ dblen - mdlen - 1, tlen);
-+ for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
-+ mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
-+ for (i = mdlen + 1; i < dblen - msg_index; i++)
-+ db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
-+ }
-+ for (i = 0; i < tlen; i++) {
-+ mask = good & constant_time_lt(i, mlen);
-+ to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
- }
-
- /*
-diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ossl.c
---- openssl-1.1.1b/crypto/rsa/rsa_ossl.c.sync 2019-05-03 08:55:45.191515864 +0200
-+++ openssl-1.1.1b/crypto/rsa/rsa_ossl.c 2019-05-03 08:55:51.548406728 +0200
-@@ -174,8 +174,7 @@ static int rsa_ossl_public_encrypt(int f
- */
- r = BN_bn2binpad(ret, to, num);
- err:
-- if (ctx != NULL)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- OPENSSL_clear_free(buf, num);
- return r;
-@@ -396,8 +395,7 @@ static int rsa_ossl_private_encrypt(int
- */
- r = BN_bn2binpad(res, to, num);
- err:
-- if (ctx != NULL)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- OPENSSL_clear_free(buf, num);
- return r;
-@@ -539,11 +537,10 @@ static int rsa_ossl_private_decrypt(int
- goto err;
- }
- RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
-- err_clear_last_constant_time(r >= 0);
-+ err_clear_last_constant_time(1 & ~constant_time_msb(r));
-
- err:
-- if (ctx != NULL)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- OPENSSL_clear_free(buf, num);
- return r;
-@@ -655,8 +652,7 @@ static int rsa_ossl_public_decrypt(int f
- RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
-
- err:
-- if (ctx != NULL)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- OPENSSL_clear_free(buf, num);
- return r;
-diff -up openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync openssl-1.1.1b/crypto/rsa/rsa_pk1.c
---- openssl-1.1.1b/crypto/rsa/rsa_pk1.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_pk1.c 2019-05-03 08:55:51.549406711 +0200
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -192,15 +192,14 @@ int RSA_padding_check_PKCS1_type_2(unsig
- from -= 1 & mask;
- *--em = *from & mask;
- }
-- from = em;
-
-- good = constant_time_is_zero(from[0]);
-- good &= constant_time_eq(from[1], 2);
-+ good = constant_time_is_zero(em[0]);
-+ good &= constant_time_eq(em[1], 2);
-
- /* scan over padding data */
- found_zero_byte = 0;
- for (i = 2; i < num; i++) {
-- unsigned int equals0 = constant_time_is_zero(from[i]);
-+ unsigned int equals0 = constant_time_is_zero(em[i]);
-
- zero_index = constant_time_select_int(~found_zero_byte & equals0,
- i, zero_index);
-@@ -208,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsig
- }
-
- /*
-- * PS must be at least 8 bytes long, and it starts two bytes into |from|.
-+ * PS must be at least 8 bytes long, and it starts two bytes into |em|.
- * If we never found a 0-byte, then |zero_index| is 0 and the check
- * also fails.
- */
-@@ -227,24 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsig
- good &= constant_time_ge(tlen, mlen);
-
- /*
-- * Even though we can't fake result's length, we can pretend copying
-- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
-- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
-- * where |mlen'| is "saturated" |mlen| value. Deducing information
-- * about failure or |mlen| would take attacker's ability to observe
-- * memory access pattern with byte granularity *as it occurs*. It
-- * should be noted that failure is indistinguishable from normal
-- * operation if |tlen| is fixed by protocol.
-- */
-- tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
-- msg_index = constant_time_select_int(good, msg_index, num - tlen);
-- mlen = num - msg_index;
-- for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
-- unsigned int equals = constant_time_eq(i, mlen);
--
-- from -= tlen & equals; /* if (i == mlen) rewind */
-- mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
-- to[i] = constant_time_select_8(mask, from[i], to[i]);
-+ * Move the result in-place by |num|-11-|mlen| bytes to the left.
-+ * Then if |good| move |mlen| bytes from |em|+11 to |to|.
-+ * Otherwise leave |to| unchanged.
-+ * Copy the memory back in a way that does not reveal the size of
-+ * the data being copied via a timing side channel. This requires copying
-+ * parts of the buffer multiple times based on the bits set in the real
-+ * length. Clear bits do a non-copy with identical access pattern.
-+ * The loop below has overall complexity of O(N*log(N)).
-+ */
-+ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
-+ num - 11, tlen);
-+ for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) {
-+ mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0);
-+ for (i = 11; i < num - msg_index; i++)
-+ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
-+ }
-+ for (i = 0; i < tlen; i++) {
-+ mask = good & constant_time_lt(i, mlen);
-+ to[i] = constant_time_select_8(mask, em[i + 11], to[i]);
- }
-
- OPENSSL_clear_free(em, num);
-diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync openssl-1.1.1b/crypto/rsa/rsa_pmeth.c
---- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-03 08:55:51.543406814 +0200
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -7,6 +7,8 @@
- * https://www.openssl.org/source/license.html
- */
-
-+#include "internal/constant_time_locl.h"
-+
- #include <stdio.h>
- #include "internal/cryptlib.h"
- #include <openssl/asn1t.h>
-@@ -340,10 +342,9 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX
- ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
- rctx->pad_mode);
- }
-- if (ret < 0)
-- return ret;
-- *outlen = ret;
-- return 1;
-+ *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
-+ ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
-+ return ret;
- }
-
- static int check_padding_md(const EVP_MD *md, int padding)
-diff -up openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync openssl-1.1.1b/crypto/rsa/rsa_ssl.c
---- openssl-1.1.1b/crypto/rsa/rsa_ssl.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_ssl.c 2019-05-03 08:55:51.550406694 +0200
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -55,7 +55,7 @@ int RSA_padding_add_SSLv23(unsigned char
-
- /*
- * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
-- * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
-+ * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
- * preserves error code reporting for backward compatibility.
- */
- int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
-@@ -67,7 +67,10 @@ int RSA_padding_check_SSLv23(unsigned ch
- unsigned int good, found_zero_byte, mask, threes_in_row;
- int zero_index = 0, msg_index, mlen = -1, err;
-
-- if (flen < 10) {
-+ if (tlen <= 0 || flen <= 0)
-+ return -1;
-+
-+ if (flen > num || num < 11) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
- return -1;
- }
-@@ -89,10 +92,9 @@ int RSA_padding_check_SSLv23(unsigned ch
- from -= 1 & mask;
- *--em = *from & mask;
- }
-- from = em;
-
-- good = constant_time_is_zero(from[0]);
-- good &= constant_time_eq(from[1], 2);
-+ good = constant_time_is_zero(em[0]);
-+ good &= constant_time_eq(em[1], 2);
- err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
- mask = ~good;
-
-@@ -100,18 +102,18 @@ int RSA_padding_check_SSLv23(unsigned ch
- found_zero_byte = 0;
- threes_in_row = 0;
- for (i = 2; i < num; i++) {
-- unsigned int equals0 = constant_time_is_zero(from[i]);
-+ unsigned int equals0 = constant_time_is_zero(em[i]);
-
- zero_index = constant_time_select_int(~found_zero_byte & equals0,
- i, zero_index);
- found_zero_byte |= equals0;
-
- threes_in_row += 1 & ~found_zero_byte;
-- threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3);
-+ threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3);
- }
-
- /*
-- * PS must be at least 8 bytes long, and it starts two bytes into |from|.
-+ * PS must be at least 8 bytes long, and it starts two bytes into |em|.
- * If we never found a 0-byte, then |zero_index| is 0 and the check
- * also fails.
- */
-@@ -120,7 +122,7 @@ int RSA_padding_check_SSLv23(unsigned ch
- RSA_R_NULL_BEFORE_BLOCK_MISSING);
- mask = ~good;
-
-- good &= constant_time_lt(threes_in_row, 8);
-+ good &= constant_time_ge(threes_in_row, 8);
- err = constant_time_select_int(mask | good, err,
- RSA_R_SSLV3_ROLLBACK_ATTACK);
- mask = ~good;
-@@ -139,24 +141,25 @@ int RSA_padding_check_SSLv23(unsigned ch
- err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE);
-
- /*
-- * Even though we can't fake result's length, we can pretend copying
-- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
-- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
-- * where |mlen'| is "saturated" |mlen| value. Deducing information
-- * about failure or |mlen| would take attacker's ability to observe
-- * memory access pattern with byte granularity *as it occurs*. It
-- * should be noted that failure is indistinguishable from normal
-- * operation if |tlen| is fixed by protocol.
-+ * Move the result in-place by |num|-11-|mlen| bytes to the left.
-+ * Then if |good| move |mlen| bytes from |em|+11 to |to|.
-+ * Otherwise leave |to| unchanged.
-+ * Copy the memory back in a way that does not reveal the size of
-+ * the data being copied via a timing side channel. This requires copying
-+ * parts of the buffer multiple times based on the bits set in the real
-+ * length. Clear bits do a non-copy with identical access pattern.
-+ * The loop below has overall complexity of O(N*log(N)).
- */
-- tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
-- msg_index = constant_time_select_int(good, msg_index, num - tlen);
-- mlen = num - msg_index;
-- for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
-- unsigned int equals = constant_time_eq(i, mlen);
--
-- from -= tlen & equals; /* if (i == mlen) rewind */
-- mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
-- to[i] = constant_time_select_8(mask, from[i], to[i]);
-+ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
-+ num - 11, tlen);
-+ for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) {
-+ mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0);
-+ for (i = 11; i < num - msg_index; i++)
-+ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
-+ }
-+ for (i = 0; i < tlen; i++) {
-+ mask = good & constant_time_lt(i, mlen);
-+ to[i] = constant_time_select_8(mask, em[i + 11], to[i]);
- }
-
- OPENSSL_clear_free(em, num);
-diff -up openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync openssl-1.1.1b/crypto/rsa/rsa_x931g.c
---- openssl-1.1.1b/crypto/rsa/rsa_x931g.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_x931g.c 2019-05-03 08:55:51.530407037 +0200
-@@ -133,8 +133,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM
-
- ret = 1;
- err:
-- if (ctx)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- BN_CTX_free(ctx2);
-
-@@ -188,8 +187,7 @@ int RSA_X931_generate_key_ex(RSA *rsa, i
- ok = 1;
-
- error:
-- if (ctx)
-- BN_CTX_end(ctx);
-+ BN_CTX_end(ctx);
- BN_CTX_free(ctx);
-
- if (ok)
-diff -up openssl-1.1.1b/crypto/x509/x509_lu.c.sync openssl-1.1.1b/crypto/x509/x509_lu.c
---- openssl-1.1.1b/crypto/x509/x509_lu.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/x509/x509_lu.c 2019-05-03 08:55:51.546406762 +0200
-@@ -297,6 +297,9 @@ int X509_STORE_CTX_get_by_subject(X509_S
- if (ctx == NULL)
- return 0;
-
-+ stmp.type = X509_LU_NONE;
-+ stmp.data.ptr = NULL;
-+
- CRYPTO_THREAD_write_lock(ctx->lock);
- tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
- CRYPTO_THREAD_unlock(ctx->lock);
-diff -up openssl-1.1.1b/doc/man1/pkeyutl.pod.sync openssl-1.1.1b/doc/man1/pkeyutl.pod
---- openssl-1.1.1b/doc/man1/pkeyutl.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man1/pkeyutl.pod 2019-05-03 08:55:51.555406608 +0200
-@@ -272,20 +272,19 @@ value less than the minimum restriction.
- =head1 DSA ALGORITHM
-
- The DSA algorithm supports signing and verification operations only. Currently
--there are no additional options other than B<digest>. Only the SHA1
--digest can be used and this digest is assumed by default.
-+there are no additional B<-pkeyopt> options other than B<digest>. The SHA1
-+digest is assumed by default.
-
- =head1 DH ALGORITHM
-
- The DH algorithm only supports the derivation operation and no additional
--options.
-+B<-pkeyopt> options.
- =head1 EC ALGORITHM
+ #ifndef OPENSSL_NO_ERR
+-/* A measurement on Linux 2018-11-21 showed about 3.5kib */
+-# define SPACE_SYS_STR_REASONS 4 * 1024
++/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
++# define SPACE_SYS_STR_REASONS 8 * 1024
+ # define NUM_SYS_STR_REASONS 127
- The EC algorithm supports sign, verify and derive operations. The sign and
--verify operations use ECDSA and derive uses ECDH. Currently there are no
--additional options other than B<digest>. Only the SHA1 digest can be used and
--this digest is assumed by default.
-+verify operations use ECDSA and derive uses ECDH. SHA1 is assumed by default for
-+the B<-pkeyopt> B<digest> option.
+ static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
+@@ -219,26 +219,30 @@ static void build_SYS_str_reasons(void)
+ ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
- =head1 X25519 and X448 ALGORITHMS
-
-diff -up openssl-1.1.1b/doc/man1/ts.pod.sync openssl-1.1.1b/doc/man1/ts.pod
---- openssl-1.1.1b/doc/man1/ts.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man1/ts.pod 2019-05-03 08:55:51.554406625 +0200
-@@ -262,7 +262,7 @@ specified, the argument is given to the
- =item B<-I<digest>>
-
- Signing digest to use. Overrides the B<signer_digest> config file
--option. (Optional)
-+option. (Mandatory unless specified in the config file)
-
- =item B<-chain> certs_file.pem
-
-@@ -460,7 +460,8 @@ command line option. (Optional)
- =item B<signer_digest>
-
- Signing digest to use. The same as the
--B<-I<digest>> command line option. (Optional)
-+B<-I<digest>> command line option. (Mandatory unless specified on the command
-+line)
-
- =item B<default_policy>
-
-diff -up openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync openssl-1.1.1b/doc/man3/BIO_s_mem.pod
---- openssl-1.1.1b/doc/man3/BIO_s_mem.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/BIO_s_mem.pod 2019-05-03 08:55:51.556406591 +0200
-@@ -88,6 +88,22 @@ a buffering BIO to the chain will speed
- Calling BIO_set_mem_buf() on a BIO created with BIO_new_secmem() will
- give undefined results, including perhaps a program crash.
-
-+Switching the memory BIO from read write to read only is not supported and
-+can give undefined results including a program crash. There are two notable
-+exceptions to the rule. The first one is to assign a static memory buffer
-+immediately after BIO creation and set the BIO as read only.
-+
-+The other supported sequence is to start with read write BIO then temporarily
-+switch it to read only and call BIO_reset() on the read only BIO immediately
-+before switching it back to read write. Before the BIO is freed it must be
-+switched back to the read write mode.
-+
-+Calling BIO_get_mem_ptr() on read only BIO will return a BUF_MEM that
-+contains only the remaining data to be read. If the close status of the
-+BIO is set to BIO_NOCLOSE, before freeing the BUF_MEM the data pointer
-+in it must be set to NULL as the data pointer does not point to an
-+allocated memory.
-+
- =head1 BUGS
-
- There should be an option to set the maximum size of a memory BIO.
-diff -up openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync openssl-1.1.1b/doc/man3/BN_CTX_start.pod
---- openssl-1.1.1b/doc/man3/BN_CTX_start.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/BN_CTX_start.pod 2019-05-03 08:55:51.554406625 +0200
-@@ -27,6 +27,7 @@ calls must be made before calling any ot
- B<ctx> as an argument.
-
- Finally, BN_CTX_end() must be called before returning from the function.
-+If B<ctx> is NULL, nothing is done.
- When BN_CTX_end() is called, the B<BIGNUM> pointers obtained from
- BN_CTX_get() become invalid.
-
-diff -up openssl-1.1.1b/doc/man3/BN_new.pod.sync openssl-1.1.1b/doc/man3/BN_new.pod
---- openssl-1.1.1b/doc/man3/BN_new.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/BN_new.pod 2019-05-03 08:55:51.554406625 +0200
-@@ -27,6 +27,7 @@ OPENSSL_secure_malloc(3) is used to stor
- BN_clear() is used to destroy sensitive data such as keys when they
- are no longer needed. It erases the memory used by B<a> and sets it
- to the value 0.
-+If B<a> is NULL, nothing is done.
-
- BN_free() frees the components of the B<BIGNUM>, and if it was created
- by BN_new(), also the structure itself. BN_clear_free() additionally
-diff -up openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync openssl-1.1.1b/doc/man3/EVP_chacha20.pod
---- openssl-1.1.1b/doc/man3/EVP_chacha20.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/EVP_chacha20.pod 2019-05-03 08:55:51.536406934 +0200
-@@ -21,7 +21,15 @@ The ChaCha20 stream cipher for EVP.
-
- =item EVP_chacha20()
-
--The ChaCha20 stream cipher. The key length is 256 bits, the IV is 96 bits long.
-+The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long.
-+The first 32 bits consists of a counter in little-endian order followed by a 96
-+bit nonce. For example a nonce of:
-+
-+000000000000000000000002
-+
-+With an initial counter of 42 (2a in hex) would be expressed as:
-+
-+2a000000000000000000000000000002
-
- =item EVP_chacha20_poly1305()
-
-diff -up openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod
---- openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/EVP_EncryptInit.pod 2019-05-03 08:55:51.554406625 +0200
-@@ -436,7 +436,9 @@ The following I<ctrl>s are supported for
-
- Sets the nonce length. This call can only be made before specifying the nonce.
- If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum
--nonce length is 16 (B<CHACHA_CTR_SIZE>, i.e. 128-bits).
-+nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set
-+then the nonce is automatically padded with leading 0 bytes to make it 12 bytes
-+in length.
-
- =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
-
-diff -up openssl-1.1.1b/doc/man3/HMAC.pod.sync openssl-1.1.1b/doc/man3/HMAC.pod
---- openssl-1.1.1b/doc/man3/HMAC.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/HMAC.pod 2019-05-03 08:55:51.539406883 +0200
-@@ -63,7 +63,9 @@ If B<md> is NULL, the digest is placed i
- the output is placed in B<md_len>, unless it is B<NULL>. Note: passing a NULL
- value for B<md> to use the static array is not thread safe.
-
--B<evp_md> can be EVP_sha1(), EVP_ripemd160() etc.
-+B<evp_md> is a message digest such as EVP_sha1(), EVP_ripemd160() etc. HMAC does
-+not support variable output length digests such as EVP_shake128() and
-+EVP_shake256().
-
- HMAC_CTX_new() creates a new HMAC_CTX in heap memory.
-
-diff -up openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
---- openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/RSA_padding_add_PKCS1_type_1.pod 2019-05-03 08:55:51.555406608 +0200
-@@ -5,6 +5,7 @@
- RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
- RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
- RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
-+RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1,
- RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
- RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption
- padding
-@@ -14,35 +15,46 @@ padding
- #include <openssl/rsa.h>
-
- int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
-- unsigned char *f, int fl);
-+ const unsigned char *f, int fl);
-
- int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
-- unsigned char *f, int fl, int rsa_len);
-+ const unsigned char *f, int fl, int rsa_len);
-
- int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
-- unsigned char *f, int fl);
-+ const unsigned char *f, int fl);
-
- int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
-- unsigned char *f, int fl, int rsa_len);
-+ const unsigned char *f, int fl, int rsa_len);
-
- int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
-- unsigned char *f, int fl, unsigned char *p, int pl);
-+ const unsigned char *f, int fl,
-+ const unsigned char *p, int pl);
-
- int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
-- unsigned char *f, int fl, int rsa_len,
-- unsigned char *p, int pl);
-+ const unsigned char *f, int fl, int rsa_len,
-+ const unsigned char *p, int pl);
-+
-+ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
-+ const unsigned char *f, int fl,
-+ const unsigned char *p, int pl,
-+ const EVP_MD *md, const EVP_MD *mgf1md);
-+
-+ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
-+ const unsigned char *f, int fl, int rsa_len,
-+ const unsigned char *p, int pl,
-+ const EVP_MD *md, const EVP_MD *mgf1md);
-
- int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
-- unsigned char *f, int fl);
-+ const unsigned char *f, int fl);
-
- int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
-- unsigned char *f, int fl, int rsa_len);
-+ const unsigned char *f, int fl, int rsa_len);
-
- int RSA_padding_add_none(unsigned char *to, int tlen,
-- unsigned char *f, int fl);
-+ const unsigned char *f, int fl);
-
- int RSA_padding_check_none(unsigned char *to, int tlen,
-- unsigned char *f, int fl, int rsa_len);
-+ const unsigned char *f, int fl, int rsa_len);
-
- =head1 DESCRIPTION
-
-@@ -98,6 +110,10 @@ at B<to>.
- For RSA_padding_xxx_OAEP(), B<p> points to the encoding parameter
- of length B<pl>. B<p> may be B<NULL> if B<pl> is 0.
-
-+For RSA_padding_xxx_OAEP_mgf1(), B<md> points to the md hash,
-+if B<md> is B<NULL> that means md=sha1, and B<mgf1md> points to
-+the mgf1 hash, if B<mgf1md> is B<NULL> that means mgf1md=md.
-+
- =head1 RETURN VALUES
-
- The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
-@@ -107,15 +123,21 @@ L<ERR_get_error(3)>.
-
- =head1 WARNING
-
--The RSA_padding_check_PKCS1_type_2() padding check leaks timing
-+The result of RSA_padding_check_PKCS1_type_2() is a very sensitive
- information which can potentially be used to mount a Bleichenbacher
- padding oracle attack. This is an inherent weakness in the PKCS #1
--v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
--be recommended to pass zero-padded B<f>, so that B<fl> equals to
--B<rsa_len>, and if fixed by protocol, B<tlen> being set to the
--expected length. In such case leakage would be minimal, it would
--take attacker's ability to observe memory access pattern with byte
--granilarity as it occurs, post-factum timing analysis won't do.
-+v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not
-+possible, the result of RSA_padding_check_PKCS1_type_2() should be
-+checked in constant time if it matches the expected length of the
-+plaintext and additionally some application specific consistency
-+checks on the plaintext need to be performed in constant time.
-+If the plaintext is rejected it must be kept secret which of the
-+checks caused the application to reject the message.
-+Do not remove the zero-padding from the decrypted raw RSA data
-+which was computed by RSA_private_decrypt() with B<RSA_NO_PADDING>,
-+as this would create a small timing side channel which could be
-+used to mount a Bleichenbacher attack against any padding mode
-+including PKCS1_OAEP.
-
- =head1 SEE ALSO
-
-@@ -125,7 +147,7 @@ L<RSA_sign(3)>, L<RSA_verify(3)>
-
- =head1 COPYRIGHT
-
--Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
-+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
-
- Licensed under the OpenSSL license (the "License"). You may not use
- this file except in compliance with the License. You can obtain a copy
-diff -up openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod
---- openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/RSA_public_encrypt.pod 2019-05-03 08:55:51.555406608 +0200
-@@ -8,10 +8,10 @@ RSA_public_encrypt, RSA_private_decrypt
-
- #include <openssl/rsa.h>
-
-- int RSA_public_encrypt(int flen, unsigned char *from,
-+ int RSA_public_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-
-- int RSA_private_decrypt(int flen, unsigned char *from,
-+ int RSA_private_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-
- =head1 DESCRIPTION
-@@ -27,6 +27,8 @@ B<padding> denotes one of the following
- =item RSA_PKCS1_PADDING
-
- PKCS #1 v1.5 padding. This currently is the most widely used mode.
-+However, it is highly recommended to use RSA_PKCS1_OAEP_PADDING in
-+new applications. SEE WARNING BELOW.
-
- =item RSA_PKCS1_OAEP_PADDING
-
-@@ -46,23 +48,35 @@ Encrypting user data directly with RSA i
-
- =back
-
--B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
--based padding modes, less than RSA_size(B<rsa>) - 41 for
-+B<flen> must not be more than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
-+based padding modes, not more than RSA_size(B<rsa>) - 42 for
- RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
--The random number generator must be seeded prior to calling
--RSA_public_encrypt().
-+When a padding mode other than RSA_NO_PADDING is in use, then
-+RSA_public_encrypt() will include some random bytes into the ciphertext
-+and therefore the ciphertext will be different each time, even if the
-+plaintext and the public key are exactly identical.
-+The returned ciphertext in B<to> will always be zero padded to exactly
-+RSA_size(B<rsa>) bytes.
-+B<to> and B<from> may overlap.
-
- RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
--private key B<rsa> and stores the plaintext in B<to>. B<to> must point
--to a memory section large enough to hold the decrypted data (which is
--smaller than RSA_size(B<rsa>)). B<padding> is the padding mode that
--was used to encrypt the data.
-+private key B<rsa> and stores the plaintext in B<to>. B<flen> should
-+be equal to RSA_size(B<rsa>) but may be smaller, when leading zero
-+bytes are in the ciphertext. Those are not important and may be removed,
-+but RSA_public_encrypt() does not do that. B<to> must point
-+to a memory section large enough to hold the maximal possible decrypted
-+data (which is equal to RSA_size(B<rsa>) for RSA_NO_PADDING,
-+RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5 based padding modes and
-+RSA_size(B<rsa>) - 42 for RSA_PKCS1_OAEP_PADDING).
-+B<padding> is the padding mode that was used to encrypt the data.
-+B<to> and B<from> may overlap.
-
- =head1 RETURN VALUES
-
- RSA_public_encrypt() returns the size of the encrypted data (i.e.,
- RSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the
--recovered plaintext.
-+recovered plaintext. A return value of 0 is not an error and
-+means only that the plaintext was empty.
-
- On error, -1 is returned; the error codes can be
- obtained by L<ERR_get_error(3)>.
-@@ -85,7 +99,7 @@ L<RSA_size(3)>
-
- =head1 COPYRIGHT
-
--Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
-+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
-
- Licensed under the OpenSSL license (the "License"). You may not use
- this file except in compliance with the License. You can obtain a copy
-diff -up openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod
---- openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/SSL_CIPHER_get_name.pod 2019-05-03 08:55:51.537406917 +0200
-@@ -124,7 +124,10 @@ Textual representation of the cipher nam
-
- =item <protocol version>
-
--Protocol version, such as B<TLSv1.2>, when the cipher was first defined.
-+The minimum protocol version that the ciphersuite supports, such as B<TLSv1.2>.
-+Note that this is not always the same as the protocol version in which the
-+ciphersuite was first defined because some ciphersuites are backwards compatible
-+with earlier protocol versions.
-
- =item Kx=<key exchange>
-
-diff -up openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod
---- openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/SSL_CTX_set_client_hello_cb.pod 2019-05-03 08:55:51.534406969 +0200
-@@ -65,6 +65,8 @@ both required, and on success the caller
- B<*out> using OPENSSL_free(). The contents of B<*out> is an array of integers
- holding the numerical value of the TLS extension types in the order they appear
- in the ClientHello. B<*outlen> contains the number of elements in the array.
-+In situations when the ClientHello has no extensions, the function will return
-+success with B<*out> set to NULL and B<*outlen> set to 0.
-
- =head1 NOTES
-
-diff -up openssl-1.1.1b/include/openssl/err.h.sync openssl-1.1.1b/include/openssl/err.h
---- openssl-1.1.1b/include/openssl/err.h.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/err.h 2019-05-03 08:55:51.548406728 +0200
-@@ -37,6 +37,7 @@ extern "C" {
- # define ERR_TXT_STRING 0x02
-
- # define ERR_FLAG_MARK 0x01
-+# define ERR_FLAG_CLEAR 0x02
-
- # define ERR_NUM_ERRORS 16
- typedef struct err_state_st {
-diff -up openssl-1.1.1b/ssl/ssl_lib.c.sync openssl-1.1.1b/ssl/ssl_lib.c
---- openssl-1.1.1b/ssl/ssl_lib.c.sync 2019-05-03 08:55:45.196515778 +0200
-+++ openssl-1.1.1b/ssl/ssl_lib.c 2019-05-03 08:55:51.535406951 +0200
-@@ -5089,6 +5089,11 @@ int SSL_client_hello_get1_extensions_pre
- if (ext->present)
- num++;
- }
-+ if (num == 0) {
-+ *out = NULL;
-+ *outlen = 0;
-+ return 1;
-+ }
- if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) {
- SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT,
- ERR_R_MALLOC_FAILURE);
-diff -up openssl-1.1.1b/ssl/ssl_locl.h.sync openssl-1.1.1b/ssl/ssl_locl.h
---- openssl-1.1.1b/ssl/ssl_locl.h.sync 2019-05-03 08:55:45.011518954 +0200
-+++ openssl-1.1.1b/ssl/ssl_locl.h 2019-05-03 08:55:51.541406848 +0200
-@@ -574,7 +574,6 @@ struct ssl_session_st {
- /* Session lifetime hint in seconds */
- unsigned long tick_lifetime_hint;
- uint32_t tick_age_add;
-- int tick_identity;
- /* Max number of bytes that can be sent as early data */
- uint32_t max_early_data;
- /* The ALPN protocol selected for this session */
-@@ -1356,6 +1355,13 @@ struct ssl_st {
- * as this extension is optional on server side.
- */
- uint8_t max_fragment_len_mode;
-+
+ str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
+- if (str->string == NULL) {
+ /*
-+ * On the client side the number of ticket identities we sent in the
-+ * ClientHello. On the server side the identity of the ticket we
-+ * selected.
++ * If we have used up all the space in strerror_pool,
++ * there's no point in calling openssl_strerror_r()
+ */
-+ int tick_identity;
- } ext;
-
- /*
-@@ -2052,9 +2058,6 @@ typedef enum downgrade_en {
- #define TLSEXT_KEX_MODE_FLAG_KE 1
- #define TLSEXT_KEX_MODE_FLAG_KE_DHE 2
-
--/* An invalid index into the TLSv1.3 PSK identities */
--#define TLSEXT_PSK_BAD_IDENTITY -1
--
- #define SSL_USE_PSS(s) (s->s3->tmp.peer_sigalg != NULL && \
- s->s3->tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS)
-
-diff -up openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync openssl-1.1.1b/ssl/statem/extensions_clnt.c
---- openssl-1.1.1b/ssl/statem/extensions_clnt.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/ssl/statem/extensions_clnt.c 2019-05-03 08:55:51.542406831 +0200
-@@ -993,7 +993,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
- const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
- int dores = 0;
-
-- s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
-+ s->ext.tick_identity = 0;
-
- /*
- * Note: At this stage of the code we only support adding a single
-@@ -1083,6 +1083,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
- agems += s->session->ext.tick_age_add;
-
- reshashsize = EVP_MD_size(mdres);
-+ s->ext.tick_identity++;
- dores = 1;
- }
-
-@@ -1142,6 +1143,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
- ERR_R_INTERNAL_ERROR);
- return EXT_RETURN_FAIL;
++ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
+ if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
+- size_t l = strlen(cur);
++ size_t l = strlen(cur) + 1;
+
+ str->string = cur;
+ cnt += l;
+- if (cnt > sizeof(strerror_pool))
+- cnt = sizeof(strerror_pool);
+ cur += l;
+
+ /*
+ * VMS has an unusual quirk of adding spaces at the end of
+- * some (most? all?) messages. Lets trim them off.
++ * some (most? all?) messages. Lets trim them off.
+ */
+- while (ossl_isspace(cur[-1])) {
+- cur--;
+- cnt--;
++ if (cur > strerror_pool && ossl_isspace(cur[-1])) {
++ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
++ cur--;
++ cnt--;
++ }
++ *cur++ = '\0';
++ cnt++;
+ }
+- *cur++ = '\0';
+- cnt++;
+ }
}
-+ s->ext.tick_identity++;
- }
-
- if (!WPACKET_close(pkt)
-@@ -1180,11 +1182,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s
- return EXT_RETURN_FAIL;
- }
-
-- if (dores)
-- s->session->ext.tick_identity = 0;
-- if (s->psksession != NULL)
-- s->psksession->ext.tick_identity = (dores ? 1 : 0);
--
- return EXT_RETURN_SENT;
- #else
- return EXT_RETURN_NOT_SENT;
-@@ -1927,8 +1924,7 @@ int tls_parse_stoc_early_data(SSL *s, PA
- }
-
- if (!s->ext.early_data_ok
-- || !s->hit
-- || s->session->ext.tick_identity != 0) {
-+ || !s->hit) {
- /*
- * If we get here then we didn't send early data, or we didn't resume
- * using the first identity, or the SNI/ALPN is not consistent so the
-@@ -1956,17 +1952,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
- return 0;
- }
-
-- if (s->session->ext.tick_identity == (int)identity) {
-+ if (identity >= (unsigned int)s->ext.tick_identity) {
-+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
-+ SSL_R_BAD_PSK_IDENTITY);
-+ return 0;
-+ }
-+
-+ /*
-+ * Session resumption tickets are always sent before PSK tickets. If the
-+ * ticket index is 0 then it must be for a session resumption ticket if we
-+ * sent two tickets, or if we didn't send a PSK ticket.
-+ */
-+ if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
- s->hit = 1;
- SSL_SESSION_free(s->psksession);
- s->psksession = NULL;
- return 1;
- }
-
-- if (s->psksession == NULL
-- || s->psksession->ext.tick_identity != (int)identity) {
-- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
-- SSL_R_BAD_PSK_IDENTITY);
-+ if (s->psksession == NULL) {
-+ /* Should never happen */
-+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
-+ ERR_R_INTERNAL_ERROR);
- return 0;
- }
-
-@@ -1985,6 +1992,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
- s->session = s->psksession;
- s->psksession = NULL;
- s->hit = 1;
-+ /* Early data is only allowed if we used the first ticket */
-+ if (identity != 0)
-+ s->ext.early_data_ok = 0;
- #endif
-
- return 1;
-diff -up openssl-1.1.1b/ssl/statem/extensions.c.sync openssl-1.1.1b/ssl/statem/extensions.c
---- openssl-1.1.1b/ssl/statem/extensions.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/ssl/statem/extensions.c 2019-05-03 08:55:51.541406848 +0200
-@@ -989,7 +989,6 @@ static int final_server_name(SSL *s, uns
- ss->ext.ticklen = 0;
- ss->ext.tick_lifetime_hint = 0;
- ss->ext.tick_age_add = 0;
-- ss->ext.tick_identity = 0;
- if (!ssl_generate_session_id(s, ss)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
- ERR_R_INTERNAL_ERROR);
-@@ -1646,7 +1645,6 @@ static int final_early_data(SSL *s, unsi
-
- if (s->max_early_data == 0
- || !s->hit
-- || s->session->ext.tick_identity != 0
- || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
- || !s->ext.early_data_ok
- || s->hello_retry_request != SSL_HRR_NONE
-diff -up openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync openssl-1.1.1b/ssl/statem/extensions_srvr.c
---- openssl-1.1.1b/ssl/statem/extensions_srvr.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/ssl/statem/extensions_srvr.c 2019-05-03 08:55:51.542406831 +0200
-@@ -1274,7 +1274,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *p
- goto err;
- }
-
-- sess->ext.tick_identity = id;
-+ s->ext.tick_identity = id;
-
- SSL_SESSION_free(s->session);
- s->session = sess;
-@@ -1948,7 +1948,7 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s
-
- if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
- || !WPACKET_start_sub_packet_u16(pkt)
-- || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
-+ || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
- || !WPACKET_close(pkt)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
-diff -up openssl-1.1.1b/ssl/statem/statem_clnt.c.sync openssl-1.1.1b/ssl/statem/statem_clnt.c
---- openssl-1.1.1b/ssl/statem/statem_clnt.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/ssl/statem/statem_clnt.c 2019-05-03 08:55:51.543406814 +0200
-@@ -1613,10 +1613,7 @@ MSG_PROCESS_RETURN tls_process_server_he
- * so the PAC-based session secret is always preserved. It'll be
- * overwritten if the server refuses resumption.
- */
-- if (s->session->session_id_length > 0
-- || (SSL_IS_TLS13(s)
-- && s->session->ext.tick_identity
-- != TLSEXT_PSK_BAD_IDENTITY)) {
-+ if (s->session->session_id_length > 0) {
- tsan_counter(&s->session_ctx->stats.sess_miss);
- if (!ssl_get_new_session(s, 0)) {
- /* SSLfatal() already called */
-diff -up openssl-1.1.1b/test/bio_memleak_test.c.sync openssl-1.1.1b/test/bio_memleak_test.c
---- openssl-1.1.1b/test/bio_memleak_test.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/bio_memleak_test.c 2019-05-03 08:55:51.556406591 +0200
-@@ -18,28 +18,170 @@ static int test_bio_memleak(void)
- int ok = 0;
- BIO *bio;
- BUF_MEM bufmem;
-- const char *str = "BIO test\n";
-+ static const char str[] = "BIO test\n";
- char buf[100];
-
- bio = BIO_new(BIO_s_mem());
-- if (bio == NULL)
-+ if (!TEST_ptr(bio))
- goto finish;
-- bufmem.length = strlen(str) + 1;
-+ bufmem.length = sizeof(str);
- bufmem.data = (char *) str;
- bufmem.max = bufmem.length;
- BIO_set_mem_buf(bio, &bufmem, BIO_NOCLOSE);
- BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY);
-+ if (!TEST_int_eq(BIO_read(bio, buf, sizeof(buf)), sizeof(str)))
-+ goto finish;
-+ if (!TEST_mem_eq(buf, sizeof(str), str, sizeof(str)))
-+ goto finish;
-+ ok = 1;
-
-- if (BIO_read(bio, buf, sizeof(buf)) <= 0)
-- goto finish;
-+finish:
-+ BIO_free(bio);
-+ return ok;
-+}
-
-- ok = strcmp(buf, str) == 0;
-+static int test_bio_get_mem(void)
-+{
-+ int ok = 0;
-+ BIO *bio = NULL;
-+ BUF_MEM *bufmem = NULL;
-+
-+ bio = BIO_new(BIO_s_mem());
-+ if (!TEST_ptr(bio))
-+ goto finish;
-+ if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12))
-+ goto finish;
-+ BIO_get_mem_ptr(bio, &bufmem);
-+ if (!TEST_ptr(bufmem))
-+ goto finish;
-+ if (!TEST_int_gt(BIO_set_close(bio, BIO_NOCLOSE), 0))
-+ goto finish;
-+ BIO_free(bio);
-+ bio = NULL;
-+ if (!TEST_mem_eq(bufmem->data, bufmem->length, "Hello World\n", 12))
-+ goto finish;
-+ ok = 1;
-
- finish:
- BIO_free(bio);
-+ BUF_MEM_free(bufmem);
- return ok;
- }
-
-+static int test_bio_new_mem_buf(void)
-+{
-+ int ok = 0;
-+ BIO *bio;
-+ BUF_MEM *bufmem;
-+ char data[16];
-+
-+ bio = BIO_new_mem_buf("Hello World\n", 12);
-+ if (!TEST_ptr(bio))
-+ goto finish;
-+ if (!TEST_int_eq(BIO_read(bio, data, 5), 5))
-+ goto finish;
-+ if (!TEST_mem_eq(data, 5, "Hello", 5))
-+ goto finish;
-+ if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0))
-+ goto finish;
-+ if (!TEST_int_lt(BIO_write(bio, "test", 4), 0))
-+ goto finish;
-+ if (!TEST_int_eq(BIO_read(bio, data, 16), 7))
-+ goto finish;
-+ if (!TEST_mem_eq(data, 7, " World\n", 7))
-+ goto finish;
-+ if (!TEST_int_gt(BIO_reset(bio), 0))
-+ goto finish;
-+ if (!TEST_int_eq(BIO_read(bio, data, 16), 12))
-+ goto finish;
-+ if (!TEST_mem_eq(data, 12, "Hello World\n", 12))
-+ goto finish;
-+ ok = 1;
-+
-+finish:
-+ BIO_free(bio);
-+ return ok;
-+}
-+
-+static int test_bio_rdonly_mem_buf(void)
-+{
-+ int ok = 0;
-+ BIO *bio, *bio2 = NULL;
-+ BUF_MEM *bufmem;
-+ char data[16];
-+
-+ bio = BIO_new_mem_buf("Hello World\n", 12);
-+ if (!TEST_ptr(bio))
-+ goto finish;
-+ if (!TEST_int_eq(BIO_read(bio, data, 5), 5))
-+ goto finish;
-+ if (!TEST_mem_eq(data, 5, "Hello", 5))
-+ goto finish;
-+ if (!TEST_int_gt(BIO_get_mem_ptr(bio, &bufmem), 0))
-+ goto finish;
-+ (void)BIO_set_close(bio, BIO_NOCLOSE);
-+
-+ bio2 = BIO_new(BIO_s_mem());
-+ if (!TEST_ptr(bio2))
-+ goto finish;
-+ BIO_set_mem_buf(bio2, bufmem, BIO_CLOSE);
-+ BIO_set_flags(bio2, BIO_FLAGS_MEM_RDONLY);
-+
-+ if (!TEST_int_eq(BIO_read(bio2, data, 16), 7))
-+ goto finish;
-+ if (!TEST_mem_eq(data, 7, " World\n", 7))
-+ goto finish;
-+ if (!TEST_int_gt(BIO_reset(bio2), 0))
-+ goto finish;
-+ if (!TEST_int_eq(BIO_read(bio2, data, 16), 7))
-+ goto finish;
-+ if (!TEST_mem_eq(data, 7, " World\n", 7))
-+ goto finish;
-+ ok = 1;
-+
-+finish:
-+ BIO_free(bio);
-+ BIO_free(bio2);
-+ return ok;
-+}
-+
-+static int test_bio_rdwr_rdonly(void)
-+{
-+ int ok = 0;
-+ BIO *bio = NULL;
-+ char data[16];
-+
-+ bio = BIO_new(BIO_s_mem());
-+ if (!TEST_ptr(bio))
-+ goto finish;
-+ if (!TEST_int_eq(BIO_puts(bio, "Hello World\n"), 12))
-+ goto finish;
-+
-+ BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY);
-+ if (!TEST_int_eq(BIO_read(bio, data, 16), 12))
-+ goto finish;
-+ if (!TEST_mem_eq(data, 12, "Hello World\n", 12))
-+ goto finish;
-+ if (!TEST_int_gt(BIO_reset(bio), 0))
-+ goto finish;
-+
-+ BIO_clear_flags(bio, BIO_FLAGS_MEM_RDONLY);
-+ if (!TEST_int_eq(BIO_puts(bio, "Hi!\n"), 4))
-+ goto finish;
-+ if (!TEST_int_eq(BIO_read(bio, data, 16), 16))
-+ goto finish;
-+
-+ if (!TEST_mem_eq(data, 16, "Hello World\nHi!\n", 16))
-+ goto finish;
-+
-+ ok = 1;
-+
-+finish:
-+ BIO_free(bio);
-+ return ok;
-+}
-+
-+
- int global_init(void)
- {
- CRYPTO_set_mem_debug(1);
-@@ -50,5 +192,9 @@ int global_init(void)
- int setup_tests(void)
- {
- ADD_TEST(test_bio_memleak);
-+ ADD_TEST(test_bio_get_mem);
-+ ADD_TEST(test_bio_new_mem_buf);
-+ ADD_TEST(test_bio_rdonly_mem_buf);
-+ ADD_TEST(test_bio_rdwr_rdonly);
- return 1;
- }
-diff -up openssl-1.1.1b/test/ectest.c.sync openssl-1.1.1b/test/ectest.c
---- openssl-1.1.1b/test/ectest.c.sync 2019-05-03 08:55:45.127516962 +0200
-+++ openssl-1.1.1b/test/ectest.c 2019-05-03 08:55:51.524407140 +0200
-@@ -728,6 +728,74 @@ err:
- BN_CTX_free(ctx);
- return r;
- }
-+
-+/*
-+ * Tests a point known to cause an incorrect underflow in an old version of
-+ * ecp_nist521.c
-+ */
-+static int underflow_test(void)
-+{
-+ BN_CTX *ctx = NULL;
-+ EC_GROUP *grp = NULL;
-+ EC_POINT *P = NULL, *Q = NULL, *R = NULL;
-+ BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL;
-+ BIGNUM *k = NULL;
-+ int testresult = 0;
-+ const char *x1str =
-+ "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4"
-+ "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004";
-+ const char *p521m1 =
-+ "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
-+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe";
-+
-+ ctx = BN_CTX_new();
-+ if (!TEST_ptr(ctx))
-+ return 0;
-+
-+ BN_CTX_start(ctx);
-+ x1 = BN_CTX_get(ctx);
-+ y1 = BN_CTX_get(ctx);
-+ z1 = BN_CTX_get(ctx);
-+ x2 = BN_CTX_get(ctx);
-+ y2 = BN_CTX_get(ctx);
-+ k = BN_CTX_get(ctx);
-+ if (!TEST_ptr(k))
-+ goto err;
-+
-+ grp = EC_GROUP_new_by_curve_name(NID_secp521r1);
-+ P = EC_POINT_new(grp);
-+ Q = EC_POINT_new(grp);
-+ R = EC_POINT_new(grp);
-+ if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R))
-+ goto err;
-+
-+ if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0)
-+ || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0)
-+ || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0)
-+ || !TEST_int_gt(BN_hex2bn(&k, "02"), 0)
-+ || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1,
-+ y1, z1, ctx))
-+ || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx))
-+ || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx))
-+ || !TEST_true(EC_POINT_dbl(grp, R, P, ctx))
-+ || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx)))
-+ goto err;
-+
-+ if (!TEST_int_eq(BN_cmp(x1, x2), 0)
-+ || !TEST_int_eq(BN_cmp(y1, y2), 0))
-+ goto err;
-+
-+ testresult = 1;
-+
-+ err:
-+ BN_CTX_end(ctx);
-+ EC_POINT_free(P);
-+ EC_POINT_free(Q);
-+ EC_GROUP_free(grp);
-+ BN_CTX_free(ctx);
-+
-+ return testresult;
-+}
- # endif
-
- static const unsigned char p521_named[] = {
-@@ -835,6 +903,7 @@ int setup_tests(void)
- # endif
- # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
-+ ADD_TEST(underflow_test);
- # endif
- ADD_ALL_TESTS(internal_curve_test, crv_len);
- ADD_ALL_TESTS(internal_curve_test_method, crv_len);
-diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt
---- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-03 08:55:51.552406659 +0200
-@@ -2232,7 +2232,7 @@ IV = 00000000000000000000000000000000
- Plaintext = 11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd
- Ciphertext = 30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd
-
--Title = ARIA GCM test vectors from IETF draft-ietf-avtcore-aria-srtp-10
-+Title = ARIA GCM test vectors from RFC8269
-
- Cipher = ARIA-128-GCM
- Key = e91e5e75da65554a48181f3846349562
-@@ -2250,6 +2250,36 @@ Tag = e210d6ced2cf430ff841472915e7ef48
- Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
- Ciphertext = 6f9e4bcbc8c85fc0128fb1e4a0a20cb9932ff74581f54fc013dd054b19f99371425b352d97d3f337b90b63d1b082adeeea9d2d7391897d591b985e55fb50cb5350cf7d38dc27dda127c078a149c8eb98083d66363a46e3726af217d3a00275ad5bf772c7610ea4c23006878f0ee69a8397703169a419303f40b72e4573714d19e2697df61e7c7252e5abc6bade876ac4961bfac4d5e867afca351a48aed52822
-
-+Title = ARIA GCM self-generated test vectors
-+
-+Cipher = ARIA-128-GCM
-+Key = e91e5e75da65554a48181f3846349562
-+# Shorter than default IV
-+IV = 0001020304
-+AAD = 8008315ebf2e6fe020e8f5eb
-+Tag = ebaa2645bb154542117ee46031aa176e
-+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
-+Ciphertext = 1723ccfc0ed44a12520473cfeb63bc933cd450a943f5f1cba78e19d72f80cc102acc51f2459a06cf6435182b8ddd451f83e13479efe5ec7dfbf16229f4017920fb41457a9b6fe1a401b30b2f332d827ae2f86e962326927c1ed8bfedac1f7a00ddde63bd392a8f28a488ba5974689f8d15b9b1739fb50aae0ff244026ec72064003c621b33ffc8086b0a97eefb70604a2826f6499f6eb12d67a0da03fc8e1482
-+
-+Cipher = ARIA-128-GCM
-+Key = e91e5e75da65554a48181f3846349562
-+# Longer than default IV
-+IV = 000102030405060708090a0b0c0d0e0f
-+AAD = 8008315ebf2e6fe020e8f5eb
-+Tag = 61f7f44c7da3c60195b29ae0b46051a4
-+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
-+Ciphertext = 0d3e98fcaf7a2c4fe9198d66add90d113e5e0ff47598c40a4bf501960d935a4156c9a4d46c9358a608e10a16479a4247c9ab9bb4a02809e3eac3571b832590fe2ca3e2d545741e36282d96c041fc7d39a46ed60214c2c0ec70f27768dfea4f9563b5d5c2ac33b1368a78f2908f5daf942433fec6ab588f09e908e95cc8dfa85d1a0dfd5835dc14e148323230c63eedc99a9ce942214cb3768b97b821d613629f
-+
-+Cipher = ARIA-128-GCM
-+Key = e91e5e75da65554a48181f3846349562
-+# Extra long IV
-+IV = 000102030405060708090a0b0c0d0e0f1011
-+AAD = 8008315ebf2e6fe020e8f5eb
-+Tag = c8b31ab6c2ddccab06b76af4e56e664e
-+Plaintext = f57af5fd4ae19562976ec57a5a7ad55a5af5c5e5c5fdf5c55ad57a4a7272d57262e9729566ed66e97ac54a4a5a7ad5e15ae5fdd5fd5ac5d56ae56ad5c572d54ae54ac55a956afd6aed5a4ac562957a9516991691d572fd14e97ae962ed7a9f4a955af572e162f57a956666e17ae1f54a95f566d54a66e16e4afd6a9f7ae1c5c55ae5d56afde916c5e94a6ec56695e14afde1148416e94ad57ac5146ed59d1cc5
-+Ciphertext = 616a7bce24206501082cef7267c09a4affa54f8f82eb7fb2cdebdcaab4b6ab05c37e891c2d0fc90d15c5fb684247625c8bc0befad86896ae1c8f5a8506954caba4e13df0a0eb23853d4474e7f3b2c57bb398456a24d198e14566bce8a5f8d3bcdb12994d2fdc0f5cf19aeff990c1fe119e01f9fcc86757b1d43a9accf7b2f913c2208a46c1967f403867f89b46ffe96864c63f042265806ea5270e0dddd0e8dd
-+
-+
- Title = ARIA CCM test vectors from IETF draft-ietf-avtcore-aria-srtp-02
-
- # 16-byte Tag
-@@ -2357,14 +2387,41 @@ Operation = ENCRYPT
- Plaintext = B41E6BE2EBA84A148E2EED84593C5EC7
- Ciphertext = 9B9B7BFCD1813CB95D0B3618F40F5122
-
--Title = Chacha20
-+Title = Chacha20 test vectors from RFC7539
-
-+# A.1 Test Vector 1
- Cipher = chacha20
- Key = 0000000000000000000000000000000000000000000000000000000000000000
- IV = 00000000000000000000000000000000
- Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Ciphertext = 76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586
-
-+# A.1 Test Vector 2
-+Cipher = chacha20
-+Key = 0000000000000000000000000000000000000000000000000000000000000000
-+IV = 01000000000000000000000000000000
-+Plaintext = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-+Ciphertext = 9f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29b721769ce64e43d57133b074d839d531ed1f28510afb45ace10a1f4b794d6f
-+
-+# A.2 Test Vector 1 is the same as A.1 Test Vector 1
-+# A.2 Test Vector 2
-+Cipher = chacha20
-+Key = 0000000000000000000000000000000000000000000000000000000000000001
-+#Counter (first 4 bytes) expressed in little-endian order
-+IV = 01000000000000000000000000000002
-+Plaintext = 416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f
-+Ciphertext = a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221
-+
-+# A.2 Test Vector 3
-+Cipher = chacha20
-+Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0
-+#Counter (first 4 bytes) expressed in little-endian order
-+IV = 2a000000000000000000000000000002
-+Plaintext = 2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e
-+Ciphertext = 62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1
-+
-+Title = Chacha20
-+
- Cipher = chacha20
- Key = 0000000000000000000000000000000000000000000000000000000000000001
- IV = 00000000000000000000000000000000
-@@ -2506,3 +2563,12 @@ AAD = f33388860000000000004e91
- Tag = e0723bce23528ce6ccb10ff9627038bf
- Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d
- Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
-+
-+Cipher = chacha20-poly1305
-+Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0
-+IV = ff000000000102030405060708
-+AAD = f33388860000000000004e91
-+Tag = e0723bce23528ce6ccb10ff9627038bf
-+Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d
-+Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
-+Result = INVALID_IV_LENGTH
-diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt
---- openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpmac.txt 2019-05-03 08:55:51.539406883 +0200
-@@ -351,6 +351,14 @@ Input = "Sample message for keylen>block
- Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687
- Output = 5f464f5e5b7848e3885e49b2c385f0694985d0e38966242dc4a5fe3fea4b37d46b65ceced5dcf59438dd840bab22269f0ba7febdb9fcf74602a35666b2a32915
-
-+Title = HMAC self generated tests
-+
-+MAC = HMAC
-+Algorithm = SHAKE128
-+Input = "Test that SHAKE128 fails"
-+Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
-+Result = DIGESTSIGNINIT_ERROR
-+
-
- Title = CMAC tests (from FIPS module)
-
-diff -up openssl-1.1.1b/test/recipes/80-test_cms.t.sync openssl-1.1.1b/test/recipes/80-test_cms.t
---- openssl-1.1.1b/test/recipes/80-test_cms.t.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/recipes/80-test_cms.t 2019-05-03 08:55:51.533406986 +0200
-@@ -308,6 +308,14 @@ my @smime_cms_param_tests = (
- "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
- ],
-
-+ [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=-3",
-+ [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
-+ "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
-+ "-keyopt", "rsa_pss_saltlen:-3", "-out", "test.cms" ],
-+ [ "-verify", "-in", "test.cms", "-inform", "PEM",
-+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
-+ ],
-+
- [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
- [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr",
- "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
-diff -up openssl-1.1.1b/test/rsa_test.c.sync openssl-1.1.1b/test/rsa_test.c
---- openssl-1.1.1b/test/rsa_test.c.sync 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/rsa_test.c 2019-05-03 08:55:51.523407157 +0200
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -268,6 +268,36 @@ err:
- return ret;
- }
-
-+static int test_rsa_sslv23(int idx)
-+{
-+ int ret = 0;
-+ RSA *key;
-+ unsigned char ptext[256];
-+ unsigned char ctext[256];
-+ static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
-+ unsigned char ctext_ex[256];
-+ int plen;
-+ int clen = 0;
-+ int num;
-+
-+ plen = sizeof(ptext_ex) - 1;
-+ clen = rsa_setkey(&key, ctext_ex, idx);
-+
-+ num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
-+ RSA_SSLV23_PADDING);
-+ if (!TEST_int_eq(num, clen))
-+ goto err;
-+
-+ num = RSA_private_decrypt(num, ctext, ptext, key, RSA_SSLV23_PADDING);
-+ if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
-+ goto err;
-+
-+ ret = 1;
-+err:
-+ RSA_free(key);
-+ return ret;
-+}
-+
- static int test_rsa_oaep(int idx)
- {
- int ret = 0;
-@@ -332,6 +362,7 @@ err:
- int setup_tests(void)
- {
- ADD_ALL_TESTS(test_rsa_pkcs1, 3);
-+ ADD_ALL_TESTS(test_rsa_sslv23, 3);
- ADD_ALL_TESTS(test_rsa_oaep, 3);
- return 1;
- }
+ if (str->string == NULL)
diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch
index 2d1df0a..7970b84 100644
--- a/openssl-1.1.1-version-override.patch
+++ b/openssl-1.1.1-version-override.patch
@@ -1,12 +1,12 @@
-diff -up openssl-1.1.1b/include/openssl/opensslv.h.version-override openssl-1.1.1b/include/openssl/opensslv.h
---- openssl-1.1.1b/include/openssl/opensslv.h.version-override 2019-02-28 11:34:56.427361796 +0100
-+++ openssl-1.1.1b/include/openssl/opensslv.h 2019-02-28 11:35:40.487542747 +0100
+diff -up openssl-1.1.1c/include/openssl/opensslv.h.version-override openssl-1.1.1c/include/openssl/opensslv.h
+--- openssl-1.1.1c/include/openssl/opensslv.h.version-override 2019-05-29 15:52:30.014734859 +0200
++++ openssl-1.1.1c/include/openssl/opensslv.h 2019-05-29 15:53:23.093800831 +0200
@@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta)
*/
- # define OPENSSL_VERSION_NUMBER 0x1010102fL
--# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1b 26 Feb 2019"
-+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1b FIPS 26 Feb 2019"
+ # define OPENSSL_VERSION_NUMBER 0x1010103fL
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c 28 May 2019"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c FIPS 28 May 2019"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/openssl.spec b/openssl.spec
index 04bb83f..4de014a 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 1.1.1b
-Release: 10%{?dist}
+Version: 1.1.1c
+Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -454,6 +454,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
+* Wed May 29 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-1
+- update to the 1.1.1c release
+
* Fri May 10 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-10
- Another attempt at the AES-CCM regression fix
diff --git a/sources b/sources
index 6456faf..1c013a4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-1.1.1b-hobbled.tar.xz) = 8055b19bfeec41fe0607c04d468d2f16a1e5fe02642c8deb67b00878be7e28ab266d13da41b9576800cba0b9448253f26f72ab8889d666f5d23103648f80bea1
+SHA512 (openssl-1.1.1c-hobbled.tar.xz) = e6476209366d284bd02dca7e59a7ba2562aa7c58c91f0063b1e2b0f1a7f96fcff000e26d9c6f59b944e047b3305d237ed442f702ddd2e8c6c7a4d5b12e23c8db
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:44 [rpms/openssl] rebase_40beta: update to the 1.1.1c release Tomas Mraz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox