Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

resolve conflicts

Browse Source
This commit is contained in:
christos 2020-01-23 02:54:53 +00:00
parent 4ce06407d8
commit 403eeac405
57 changed files with 1620 additions and 9575 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
crypto/external/bsd/openssl/dist/CHANGES vendored
View File

@ -7,6 +7,101 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
number generator (RNG). This was intended to include protection in the
event of a fork() system call in order to ensure that the parent and child
processes did not share the same RNG state. However this protection was not
being used in the default case.
A partial mitigation for this issue is that the output from a high
precision timer is mixed into the RNG state so the likelihood of a parent
and child process sharing state is significantly reduced.
If an application already calls OPENSSL_init_crypto() explicitly using
OPENSSL_INIT_ATFORK then this problem does not occur at all.
(CVE-2019-1549)
[Matthias St. Pierre]
*) For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters, when loading a serialized key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
serialized, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
[Nicola Tuveri]
*) Compute ECC cofactors if not provided during EC_GROUP construction. Before
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
(CVE-2019-1547)
[Billy Bob Brumley]
*) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
(CVE-2019-1563)
[Bernd Edlinger]
*) Early start up entropy quality from the DEVRANDOM seed source has been
improved for older Linux systems. The RAND subsystem will wait for
/dev/random to be producing output before seeding from /dev/urandom.
The seeded state is stored for future library initialisations using
a system global shared memory segment. The shared memory identifier
can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
the desired value. The default identifier is 114.
[Paul Dale]
*) Correct the extended master secret constant on EBCDIC systems. Without this
fix TLS connections between an EBCDIC system and a non-EBCDIC system that
negotiate EMS will fail. Unfortunately this also means that TLS connections
between EBCDIC systems with this fix, and EBCDIC systems without this
fix will fail if they negotiate EMS.
[Matt Caswell]
*) Use Windows installation paths in the mingw builds
Mingw isn't a POSIX environment per se, which means that Windows
paths should be used for installation.
(CVE-2019-1552)
[Richard Levitte]
*) Changed DH_check to accept parameters with order q and 2q subgroups.
With order 2q subgroups the bit 0 of the private key is not secret
but DH_generate_key works around that by clearing bit 0 of the
private key for those. This avoids leaking bit 0 of the private key.
[Bernd Edlinger]
*) Significantly reduce secure memory usage by the randomness pools.
[Paul Dale]
*) Revert the DEVRANDOM_WAIT feature for Linux systems
The DEVRANDOM_WAIT feature added a select() call to wait for the
/dev/random device to become readable before reading from the
/dev/urandom device.
It turned out that this change had negative side effects on
performance which were not acceptable. After some discussion it
was decided to revert this feature and leave it up to the OS
resp. the platform maintainer to ensure a proper initialization
during early boot time.
[Matthias St. Pierre]
Changes between 1.1.1b and 1.1.1c [28 May 2019]
*) Add build tests for C++. These are generated files that only do one
@ -75,6 +170,16 @@
(CVE-2019-1543)
[Matt Caswell]
*) Add DEVRANDOM_WAIT feature for Linux systems
On older Linux systems where the getrandom() system call is not available,
OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
Contrary to getrandom(), the /dev/urandom device will not block during
early boot when the kernel CSPRNG has not been seeded yet.
To mitigate this known weakness, use select() to wait for /dev/random to
become readable before reading from /dev/urandom.
*) Ensure that SM2 only uses SM3 as digest algorithm
[Paul Yang]
@ -322,7 +427,7 @@
SSL_set_ciphersuites()
[Matt Caswell]
*) Memory allocation failures consistenly add an error to the error
*) Memory allocation failures consistently add an error to the error
stack.
[Rich Salz]
@ -6860,7 +6965,7 @@
reason texts, thereby removing some of the footprint that may not
be interesting if those errors aren't displayed anyway.
NOTE: it's still possible for any application or module to have it's
NOTE: it's still possible for any application or module to have its
own set of error texts inserted. The routines are there, just not
used by default when no-err is given.
[Richard Levitte]
@ -8826,7 +8931,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
memory from it's contents. This is done with a counter that will
memory from its contents. This is done with a counter that will
place alternating values in each byte. This can be used to solve
two issues: 1) the removal of calls to memset() by highly optimizing
compilers, and 2) cleansing with other values than 0, since those can

5
crypto/external/bsd/openssl/dist/Configure vendored
View File

@ -87,9 +87,6 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
# linked openssl executable has rather debugging value than
# production quality.
#
# DEBUG_SAFESTACK use type-safe stacks to enforce type-safety on stack items
# provided to stack calls. Generates unique stack functions for
# each possible stack type.
# BN_LLONG use the type 'long long' in crypto/bn/bn.h
# RC4_CHAR use 'char' instead of 'int' for RC4_INT in crypto/rc4/rc4.h
# Following are set automatically by this script
@ -145,13 +142,13 @@ my @gcc_devteam_warn = qw(
# -Wunused-macros -- no, too tricky for BN and _XOPEN_SOURCE etc
# -Wextended-offsetof -- no, needed in CMS ASN1 code
my @clang_devteam_warn = qw(
-Wno-unknown-warning-option
-Wswitch-default
-Wno-parentheses-equality
-Wno-language-extension-token
-Wno-extended-offsetof
-Wconditional-uninitialized
-Wincompatible-pointer-types-discards-qualifiers
-Wno-unknown-warning-option
-Wmissing-variable-declarations
);

19
crypto/external/bsd/openssl/dist/NEWS vendored
View File

@ -5,6 +5,23 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]
o Fixed a fork protection issue (CVE-2019-1549)
o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
(CVE-2019-1563)
o For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters
o Compute ECC cofactors if not provided during EC_GROUP construction
(CVE-2019-1547)
o Early start up entropy quality from the DEVRANDOM seed source has been
improved for older Linux systems
o Correct the extended master secret constant on EBCDIC systems
o Use Windows installation paths in the mingw builds (CVE-2019-1552)
o Changed DH_check to accept parameters with order q and 2q subgroups
o Significantly reduce secure memory usage by the randomness pools
o Revert the DEVRANDOM_WAIT feature for Linux systems
Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]
o Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
@ -601,7 +618,7 @@
Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
o Give EVP_MAX_MD_SIZE its old value, except for a FIPS build.
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:

2
crypto/external/bsd/openssl/dist/README vendored
View File

@ -1,5 +1,5 @@
OpenSSL 1.1.1c 28 May 2019
OpenSSL 1.1.1d 10 Sep 2019
Copyright (c) 1998-2019 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

4
crypto/external/bsd/openssl/dist/apps/ca.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -722,7 +722,7 @@ end_of_options:
/*****************************************************************/
if (req || gencrl) {
if (spkac_file != NULL) {
if (spkac_file != NULL && outfile != NULL) {
output_der = 1;
batch = 1;
}

6
crypto/external/bsd/openssl/dist/apps/ocsp.c vendored
View File

@ -1416,9 +1416,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
*q = '\0';
/*
* Skip "GET / HTTP..." requests often used by load-balancers
* Skip "GET / HTTP..." requests often used by load-balancers. Note:
* 'p' was incremented above to point to the first byte *after* the
* leading slash, so with 'GET / ' it is now an empty string.
*/
if (p[1] == '\0')
if (p[0] == '\0')
goto out;
len = urldecode(p);

3
crypto/external/bsd/openssl/dist/apps/openssl.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -22,7 +22,6 @@
# include <openssl/engine.h>
#endif
#include <openssl/err.h>
#include "s_apps.h"
/* Needed to get the other O_xxx flags. */
#ifdef OPENSSL_SYS_VMS
# include <unixio.h>

16
crypto/external/bsd/openssl/dist/apps/req.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -881,9 +881,19 @@ int req_main(int argc, char **argv)
if (text) {
if (x509)
X509_print_ex(out, x509ss, get_nameopt(), reqflag);
ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag);
else
X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
if (ret == 0) {
if (x509)
BIO_printf(bio_err, "Error printing certificate\n");
else
BIO_printf(bio_err, "Error printing certificate request\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (subject) {

2
crypto/external/bsd/openssl/dist/apps/s_client.c vendored
View File

@ -2348,7 +2348,7 @@ int s_client_main(int argc, char **argv)
(void)BIO_flush(fbio);
/*
* The first line is the HTTP response. According to RFC 7230,
* it's formated exactly like this:
* it's formatted exactly like this:
*
* HTTP/d.d ddd Reason text\r\n
*/

2
crypto/external/bsd/openssl/dist/apps/speed.c vendored
View File

@ -1790,7 +1790,7 @@ int speed_main(int argc, char **argv)
}
buflen = lengths[size_num - 1];
if (buflen < 36) /* size of random vector in RSA bencmark */
if (buflen < 36) /* size of random vector in RSA benchmark */
buflen = 36;
buflen += MAX_MISALIGNMENT + 1;
loopargs[i].buf_malloc = app_malloc(buflen, "input buffer");

3000
crypto/external/bsd/openssl/dist/crypto/aes/asm/aes-586.pl vendored
View File

File diff suppressed because it is too large Load Diff

2916
crypto/external/bsd/openssl/dist/crypto/aes/asm/aes-x86_64.pl vendored
View File

File diff suppressed because it is too large Load Diff

3239
crypto/external/bsd/openssl/dist/crypto/aes/asm/bsaes-x86_64.pl vendored
View File

File diff suppressed because it is too large Load Diff

10
crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -15,7 +15,9 @@
int ASN1_TYPE_get(const ASN1_TYPE *a)
{
if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
if (a->type == V_ASN1_BOOLEAN
|| a->type == V_ASN1_NULL
|| a->value.ptr != NULL)
return a->type;
else
return 0;
@ -23,7 +25,9 @@ int ASN1_TYPE_get(const ASN1_TYPE *a)
void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
{
if (a->value.ptr != NULL) {
if (a->type != V_ASN1_BOOLEAN
&& a->type != V_ASN1_NULL
&& a->value.ptr != NULL) {
ASN1_TYPE **tmp_a = &a;
asn1_primitive_free((ASN1_VALUE **)tmp_a, NULL, 0);
}

61
crypto/external/bsd/openssl/dist/crypto/bio/bss_file.c vendored
View File

@ -7,10 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_BSS_FILE_C
# define HEADER_BSS_FILE_C
# if defined(__linux) || defined(__sun) || defined(__hpux)
#if defined(__linux) || defined(__sun) || defined(__hpux)
/*
* Following definition aliases fopen to fopen64 on above mentioned
* platforms. This makes it possible to open and sequentially access files
@ -23,17 +20,17 @@
* of 32-bit platforms which allow for sequential access of large files
* without extra "magic" comprise *BSD, Darwin, IRIX...
*/
# ifndef _FILE_OFFSET_BITS
# define _FILE_OFFSET_BITS 64
# endif
# ifndef _FILE_OFFSET_BITS
# define _FILE_OFFSET_BITS 64
# endif
#endif
# include <stdio.h>
# include <errno.h>
# include "bio_lcl.h"
# include <openssl/err.h>
#include <stdio.h>
#include <errno.h>
#include "bio_lcl.h"
#include <openssl/err.h>
# if !defined(OPENSSL_NO_STDIO)
#if !defined(OPENSSL_NO_STDIO)
static int file_write(BIO *h, const char *buf, int num);
static int file_read(BIO *h, char *buf, int size);
@ -72,9 +69,9 @@ BIO *BIO_new_file(const char *filename, const char *mode)
SYSerr(SYS_F_FOPEN, get_last_sys_error());
ERR_add_error_data(5, "fopen('", filename, "','", mode, "')");
if (errno == ENOENT
# ifdef ENXIO
#ifdef ENXIO
|| errno == ENXIO
# endif
#endif
)
BIOerr(BIO_F_BIO_NEW_FILE, BIO_R_NO_SUCH_FILE);
else
@ -212,33 +209,33 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
b->shutdown = (int)num & BIO_CLOSE;
b->ptr = ptr;
b->init = 1;
# if BIO_FLAGS_UPLINK!=0
# if defined(__MINGW32__) && defined(__MSVCRT__) && !defined(_IOB_ENTRIES)
# define _IOB_ENTRIES 20
# endif
# if BIO_FLAGS_UPLINK!=0
# if defined(__MINGW32__) && defined(__MSVCRT__) && !defined(_IOB_ENTRIES)
# define _IOB_ENTRIES 20
# endif
/* Safety net to catch purely internal BIO_set_fp calls */
# if defined(_MSC_VER) && _MSC_VER>=1900
# if defined(_MSC_VER) && _MSC_VER>=1900
if (ptr == stdin || ptr == stdout || ptr == stderr)
BIO_clear_flags(b, BIO_FLAGS_UPLINK);
# elif defined(_IOB_ENTRIES)
# elif defined(_IOB_ENTRIES)
if ((size_t)ptr >= (size_t)stdin &&
(size_t)ptr < (size_t)(stdin + _IOB_ENTRIES))
BIO_clear_flags(b, BIO_FLAGS_UPLINK);
# endif
# endif
# ifdef UP_fsetmod
# endif
# ifdef UP_fsetmod
if (b->flags & BIO_FLAGS_UPLINK)
UP_fsetmod(b->ptr, (char)((num & BIO_FP_TEXT) ? 't' : 'b'));
else
# endif
# endif
{
# if defined(OPENSSL_SYS_WINDOWS)
# if defined(OPENSSL_SYS_WINDOWS)
int fd = _fileno((FILE *)ptr);
if (num & BIO_FP_TEXT)
_setmode(fd, _O_TEXT);
else
_setmode(fd, _O_BINARY);
# elif defined(OPENSSL_SYS_MSDOS)
# elif defined(OPENSSL_SYS_MSDOS)
int fd = fileno((FILE *)ptr);
/* Set correct text/binary mode */
if (num & BIO_FP_TEXT)
@ -251,11 +248,11 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
} else
_setmode(fd, _O_BINARY);
}
# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
int fd = fileno((FILE *)ptr);
if (!(num & BIO_FP_TEXT))
setmode(fd, O_BINARY);
# endif
# endif
}
break;
case BIO_C_SET_FILENAME:
@ -277,15 +274,15 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
ret = 0;
break;
}
# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
if (!(num & BIO_FP_TEXT))
OPENSSL_strlcat(p, "b", sizeof(p));
else
OPENSSL_strlcat(p, "t", sizeof(p));
# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
if (!(num & BIO_FP_TEXT))
OPENSSL_strlcat(p, "b", sizeof(p));
# endif
# endif
fp = openssl_fopen(ptr, p);
if (fp == NULL) {
SYSerr(SYS_F_FOPEN, get_last_sys_error());
@ -422,6 +419,4 @@ BIO *BIO_new_file(const char *filename, const char *mode)
return NULL;
}
# endif /* OPENSSL_NO_STDIO */
#endif /* HEADER_BSS_FILE_C */
#endif /* OPENSSL_NO_STDIO */

2
crypto/external/bsd/openssl/dist/crypto/bn/asm/mips.pl vendored
View File

@ -802,7 +802,7 @@ $code.=<<___;
#if 0
/*
* The bn_div_3_words entry point is re-used for constant-time interface.
* Implementation is retained as hystorical reference.
* Implementation is retained as historical reference.
*/
.align 5
.globl bn_div_3_words

4
crypto/external/bsd/openssl/dist/crypto/bn/bn_lcl.h vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -295,7 +295,7 @@ struct bn_gencb_st {
(b) > 23 ? 3 : 1)
/*
* BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
* BN_mod_exp_mont_consttime is based on the assumption that the L1 data cache
* line width of the target processor is at least the following value.
*/
# define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )

101
crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c vendored
View File

@ -132,20 +132,66 @@ int BN_num_bits_word(BN_ULONG l)
return bits;
}
/*
* This function still leaks `a->dmax`: it's caller's responsibility to
* expand the input `a` in advance to a public length.
*/
static ossl_inline
int bn_num_bits_consttime(const BIGNUM *a)
{
int j, ret;
unsigned int mask, past_i;
int i = a->top - 1;
bn_check_top(a);
for (j = 0, past_i = 0, ret = 0; j < a->dmax; j++) {
mask = constant_time_eq_int(i, j); /* 0xff..ff if i==j, 0x0 otherwise */
ret += BN_BITS2 & (~mask & ~past_i);
ret += BN_num_bits_word(a->d[j]) & mask;
past_i |= mask; /* past_i will become 0xff..ff after i==j */
}
/*
* if BN_is_zero(a) => i is -1 and ret contains garbage, so we mask the
* final result.
*/
mask = ~(constant_time_eq_int(i, ((int)-1)));
return ret & mask;
}
int BN_num_bits(const BIGNUM *a)
{
int i = a->top - 1;
bn_check_top(a);
if (a->flags & BN_FLG_CONSTTIME) {
/*
* We assume that BIGNUMs flagged as CONSTTIME have also been expanded
* so that a->dmax is not leaking secret information.
*
* In other words, it's the caller's responsibility to ensure `a` has
* been preallocated in advance to a public length if we hit this
* branch.
*
*/
return bn_num_bits_consttime(a);
}
if (BN_is_zero(a))
return 0;
return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
}
static void bn_free_d(BIGNUM *a)
static void bn_free_d(BIGNUM *a, int clear)
{
if (BN_get_flags(a, BN_FLG_SECURE))
OPENSSL_secure_free(a->d);
OPENSSL_secure_clear_free(a->d, a->dmax * sizeof(a->d[0]));
else if (clear != 0)
OPENSSL_clear_free(a->d, a->dmax * sizeof(a->d[0]));
else
OPENSSL_free(a->d);
}
@ -155,10 +201,8 @@ void BN_clear_free(BIGNUM *a)
{
if (a == NULL)
return;
if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA)) {
OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
bn_free_d(a);
}
if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA))
bn_free_d(a, 1);
if (BN_get_flags(a, BN_FLG_MALLOCED)) {
OPENSSL_cleanse(a, sizeof(*a));
OPENSSL_free(a);
@ -170,7 +214,7 @@ void BN_free(BIGNUM *a)
if (a == NULL)
return;
if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
bn_free_d(a);
bn_free_d(a, 0);
if (a->flags & BN_FLG_MALLOCED)
OPENSSL_free(a);
}
@ -248,10 +292,8 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
BN_ULONG *a = bn_expand_internal(b, words);
if (!a)
return NULL;
if (b->d) {
OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
bn_free_d(b);
}
if (b->d != NULL)
bn_free_d(b, 1);
b->d = a;
b->dmax = words;
}
@ -416,8 +458,11 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
return ret;
}
typedef enum {big, little} endianess_t;
/* ignore negative */
static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
static
int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianess_t endianess)
{
int n;
size_t i, lasti, j, atop, mask;
@ -449,10 +494,17 @@ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
lasti = atop - 1;
atop = a->top * BN_BYTES;
for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) {
if (endianess == big)
to += tolen; /* start from the end of the buffer */
for (i = 0, j = 0; j < (size_t)tolen; j++) {
unsigned char val;
l = a->d[i / BN_BYTES];
mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
*--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
if (endianess == big)
*--to = val;
else
*to++ = val;
i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
}
@ -463,12 +515,12 @@ int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
{
if (tolen < 0)
return -1;
return bn2binpad(a, to, tolen);
return bn2binpad(a, to, tolen, big);
}
int BN_bn2bin(const BIGNUM *a, unsigned char *to)
{
return bn2binpad(a, to, -1);
return bn2binpad(a, to, -1, big);
}
BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
@ -520,22 +572,9 @@ BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
{
int i;
BN_ULONG l;
bn_check_top(a);
i = BN_num_bytes(a);
if (tolen < i)
if (tolen < 0)
return -1;
/* Add trailing zeroes if necessary */
if (tolen > i)
memset(to + i, 0, tolen - i);
to += i;
while (i--) {
l = a->d[i / BN_BYTES];
to--;
*to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
}
return tolen;
return bn2binpad(a, to, tolen, little);
}
int BN_ucmp(const BIGNUM *a, const BIGNUM *b)

7
crypto/external/bsd/openssl/dist/crypto/bn/bn_rand.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -225,8 +225,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
goto err;
/* We copy |priv| into a local buffer to avoid exposing its length. */
todo = sizeof(priv->d[0]) * priv->top;
if (todo > sizeof(private_bytes)) {
if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
/*
* No reasonable DSA or ECDSA key should have a private key this
* large and we don't handle this case in order to avoid leaking the
@ -235,8 +234,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);
goto err;
}
memcpy(private_bytes, priv->d, todo);
memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
for (done = 0; done < num_k_bytes;) {
if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1)

6
crypto/external/bsd/openssl/dist/crypto/dh/dh_lib.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -234,11 +234,11 @@ void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
{
if (pub_key != NULL) {
BN_free(dh->pub_key);
BN_clear_free(dh->pub_key);
dh->pub_key = pub_key;
}
if (priv_key != NULL) {
BN_free(dh->priv_key);
BN_clear_free(dh->priv_key);
dh->priv_key = priv_key;
}

4
crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ameth.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha256;
return 2;
return 1;
default:
return -2;

5
crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -27,8 +27,7 @@
# endif
# include <dlfcn.h>
# define HAVE_DLINFO 1
# if defined(__CYGWIN__) || \
defined(__SCO_VERSION__) || defined(_SCO_ELF) || \
# if defined(__SCO_VERSION__) || defined(_SCO_ELF) || \
(defined(__osf__) && !defined(RTLD_NEXT)) || \
(defined(__OpenBSD__) && !defined(RTLD_SELF)) || \
defined(__ANDROID__)

73
crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -568,10 +568,12 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
{
int ok = 0, tmp;
EC_GROUP *ret = NULL;
EC_GROUP *ret = NULL, *dup = NULL;
BIGNUM *p = NULL, *a = NULL, *b = NULL;
EC_POINT *point = NULL;
long field_bits;
int curve_name = NID_undef;
BN_CTX *ctx = NULL;
if (!params->fieldID || !params->fieldID->fieldType ||
!params->fieldID->p.ptr) {
@ -789,18 +791,79 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
goto err;
}
/*
* Check if the explicit parameters group just created matches one of the
* built-in curves.
*
* We create a copy of the group just built, so that we can remove optional
* fields for the lookup: we do this to avoid the possibility that one of
* the optional parameters is used to force the library into using a less
* performant and less secure EC_METHOD instead of the specialized one.
* In any case, `seed` is not really used in any computation, while a
* cofactor different from the one in the built-in table is just
* mathematically wrong anyway and should not be used.
*/
if ((ctx = BN_CTX_new()) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_BN_LIB);
goto err;
}
if ((dup = EC_GROUP_dup(ret)) == NULL
|| EC_GROUP_set_seed(dup, NULL, 0) != 1
|| !EC_GROUP_set_generator(dup, point, a, NULL)) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
goto err;
}
if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) {
/*
* The input explicit parameters successfully matched one of the
* built-in curves: often for built-in curves we have specialized
* methods with better performance and hardening.
*
* In this case we replace the `EC_GROUP` created through explicit
* parameters with one created from a named group.
*/
EC_GROUP *named_group = NULL;
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
/*
* NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for
* the same curve, we prefer the SECP nid when matching explicit
* parameters as that is associated with a specialized EC_METHOD.
*/
if (curve_name == NID_wap_wsg_idm_ecid_wtls12)
curve_name = NID_secp224r1;
#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
if ((named_group = EC_GROUP_new_by_curve_name(curve_name)) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
goto err;
}
EC_GROUP_free(ret);
ret = named_group;
/*
* Set the flag so that EC_GROUPs created from explicit parameters are
* serialized using explicit parameters by default.
*/
EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
}
ok = 1;
err:
if (!ok) {
EC_GROUP_clear_free(ret);
EC_GROUP_free(ret);
ret = NULL;
}
EC_GROUP_free(dup);
BN_free(p);
BN_free(a);
BN_free(b);
EC_POINT_free(point);
BN_CTX_free(ctx);
return ret;
}
@ -861,7 +924,7 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
}
if (a) {
EC_GROUP_clear_free(*a);
EC_GROUP_free(*a);
*a = group;
}
@ -909,7 +972,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
ret = *a;
if (priv_key->parameters) {
EC_GROUP_clear_free(ret->group);
EC_GROUP_free(ret->group);
ret->group = EC_GROUP_new_from_ecpkparameters(priv_key->parameters);
}

4
crypto/external/bsd/openssl/dist/crypto/ec/ec_lcl.h vendored
View File

@ -154,7 +154,7 @@ struct ec_method_st {
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
/*-
* 'field_inv' computes the multipicative inverse of a in the field,
* 'field_inv' computes the multiplicative inverse of a in the field,
* storing the result in r.
*
* If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
@ -595,6 +595,8 @@ int ec_key_simple_generate_key(EC_KEY *eckey);
int ec_key_simple_generate_public_key(EC_KEY *eckey);
int ec_key_simple_check_key(const EC_KEY *eckey);
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx);
/* EC_METHOD definitions */
struct ec_key_method_st {

103
crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c vendored
View File

@ -265,6 +265,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
static int ec_precompute_mont_data(EC_GROUP *);
/*-
* Try computing cofactor from the generator order (n) and field cardinality (q).
* This works for all curves of cryptographic interest.
*
* Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
* h_min = (q + 1 - 2*sqrt(q))/n
* h_max = (q + 1 + 2*sqrt(q))/n
* h_max - h_min = 4*sqrt(q)/n
* So if n > 4*sqrt(q) holds, there is only one possible value for h:
* h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
*
* Otherwise, zero cofactor and return success.
*/
static int ec_guess_cofactor(EC_GROUP *group) {
int ret = 0;
BN_CTX *ctx = NULL;
BIGNUM *q = NULL;
/*-
* If the cofactor is too large, we cannot guess it.
* The RHS of below is a strict overestimate of lg(4 * sqrt(q))
*/
if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {
/* default to 0 */
BN_zero(group->cofactor);
/* return success */
return 1;
}
if ((ctx = BN_CTX_new()) == NULL)
return 0;
BN_CTX_start(ctx);
if ((q = BN_CTX_get(ctx)) == NULL)
goto err;
/* set q = 2**m for binary fields; q = p otherwise */
if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
BN_zero(q);
if (!BN_set_bit(q, BN_num_bits(group->field) - 1))
goto err;
} else {
if (!BN_copy(q, group->field))
goto err;
}
/* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
if (!BN_rshift1(group->cofactor, group->order) /* n/2 */
|| !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */
/* q + 1 + n/2 */
|| !BN_add(group->cofactor, group->cofactor, BN_value_one())
/* (q + 1 + n/2)/n */
|| !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ret;
}
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
const BIGNUM *order, const BIGNUM *cofactor)
{
@ -273,6 +334,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
return 0;
}
/* require group->field >= 1 */
if (group->field == NULL || BN_is_zero(group->field)
|| BN_is_negative(group->field)) {
ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
return 0;
}
/*-
* - require order >= 1
* - enforce upper bound due to Hasse thm: order can be no more than one bit
* longer than field cardinality
*/
if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
|| BN_num_bits(order) > BN_num_bits(group->field) + 1) {
ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
return 0;
}
/*-
* Unfortunately the cofactor is an optional field in many standards.
* Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
* So accept cofactor == NULL or cofactor >= 0.
*/
if (cofactor != NULL && BN_is_negative(cofactor)) {
ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
return 0;
}
if (group->generator == NULL) {
group->generator = EC_POINT_new(group);
if (group->generator == NULL)
@ -281,17 +370,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
if (!EC_POINT_copy(group->generator, generator))
return 0;
if (order != NULL) {
if (!BN_copy(group->order, order))
return 0;
} else
BN_zero(group->order);
if (!BN_copy(group->order, order))
return 0;
if (cofactor != NULL) {
/* Either take the provided positive cofactor, or try to compute it */
if (cofactor != NULL && !BN_is_zero(cofactor)) {
if (!BN_copy(group->cofactor, cofactor))
return 0;
} else
} else if (!ec_guess_cofactor(group)) {
BN_zero(group->cofactor);
return 0;
}
/*
* Some groups have an order with

2
crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c vendored
View File

@ -26,7 +26,7 @@
/* #define ENGINE_DEVCRYPTO_DEBUG */
#ifdef CRYPTO_ALGORITHM_MIN
#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX
# define CHECK_BSD_STYLE_MACROS
#endif

91
crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c vendored
View File

@ -176,7 +176,7 @@ static void ctr64_inc(unsigned char *counter)
# define HWAES_xts_decrypt aes_p8_xts_decrypt
#endif
#if defined(AES_ASM) && !defined(I386_ONLY) && ( \
#if !defined(OPENSSL_NO_ASM) && ( \
((defined(__i386) || defined(__i386__) || \
defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
defined(__x86_64) || defined(__x86_64__) || \
@ -383,10 +383,25 @@ static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
if (!iv && !key)
return 1;
if (key) {
/* The key is two half length keys in reality */
const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
/*
* Verify that the two keys are different.
*
* This addresses Rogaway's vulnerability.
* See comment in aes_xts_init_key() below.
*/
if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
return 0;
}
/* key_len is two AES keys */
if (enc) {
aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
@ -787,11 +802,26 @@ static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
if (!iv && !key)
return 1;
if (key) {
int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
/* The key is two half length keys in reality */
const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
const int bits = bytes * 8;
/*
* Verify that the two keys are different.
*
* This addresses Rogaway's vulnerability.
* See comment in aes_xts_init_key() below.
*/
if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
return 0;
}
xctx->stream = NULL;
/* key_len is two AES keys */
if (enc) {
@ -1578,7 +1608,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
switch (type) {
case EVP_CTRL_INIT:
ivlen = EVP_CIPHER_CTX_iv_length(c);
ivlen = EVP_CIPHER_iv_length(c->cipher);
iv = EVP_CIPHER_CTX_iv_noconst(c);
gctx->key_set = 0;
gctx->iv_set = 0;
@ -1589,6 +1619,10 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
gctx->tls_aad_len = -1;
return 1;
case EVP_CTRL_GET_IVLEN:
*(int *)ptr = gctx->ivlen;
return 1;
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
@ -2299,6 +2333,10 @@ static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
cctx->aes.ccm.tls_aad_len = -1;
return 1;
case EVP_CTRL_GET_IVLEN:
*(int *)ptr = 15 - cctx->aes.ccm.l;
return 1;
case EVP_CTRL_AEAD_TLS1_AAD:
if (arg != EVP_AEAD_TLS1_AAD_LEN)
return 0;
@ -2819,13 +2857,17 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
case EVP_CTRL_INIT:
gctx->key_set = 0;
gctx->iv_set = 0;
gctx->ivlen = c->cipher->iv_len;
gctx->ivlen = EVP_CIPHER_iv_length(c->cipher);
gctx->iv = c->iv;
gctx->taglen = -1;
gctx->iv_gen = 0;
gctx->tls_aad_len = -1;
return 1;
case EVP_CTRL_GET_IVLEN:
*(int *)ptr = gctx->ivlen;
return 1;
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
@ -3275,7 +3317,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
| EVP_CIPH_CUSTOM_COPY)
| EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
@ -3286,10 +3328,12 @@ BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,c);
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX, c);
if (type == EVP_CTRL_COPY) {
EVP_CIPHER_CTX *out = ptr;
EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
if (xctx->xts.key1) {
if (xctx->xts.key1 != &xctx->ks1)
return 0;
@ -3313,11 +3357,36 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
if (!iv && !key)
return 1;
if (key)
do {
/* The key is two half length keys in reality */
const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
/*
* Verify that the two keys are different.
*
* This addresses the vulnerability described in Rogaway's
* September 2004 paper:
*
* "Efficient Instantiations of Tweakable Blockciphers and
* Refinements to Modes OCB and PMAC".
* (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
*
* FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
* that:
* "The check for Key_1 != Key_2 shall be done at any place
* BEFORE using the keys in the XTS-AES algorithm to process
* data with them."
*/
if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
return 0;
}
#ifdef AES_XTS_ASM
xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
#else
@ -3450,7 +3519,9 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
cctx->len_set = 0;
cctx->tls_aad_len = -1;
return 1;
case EVP_CTRL_GET_IVLEN:
*(int *)ptr = 15 - cctx->L;
return 1;
case EVP_CTRL_AEAD_TLS1_AAD:
/* Save the AAD for later use */
if (arg != EVP_AEAD_TLS1_AAD_LEN)
@ -3899,13 +3970,17 @@ static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
case EVP_CTRL_INIT:
octx->key_set = 0;
octx->iv_set = 0;
octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
octx->ivlen = EVP_CIPHER_iv_length(c->cipher);
octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
octx->taglen = 16;
octx->data_buf_len = 0;
octx->aad_buf_len = 0;
return 1;
case EVP_CTRL_GET_IVLEN:
*(int *)ptr = octx->ivlen;
return 1;
case EVP_CTRL_AEAD_SET_IVLEN:
/* IV len must be 1 to 15 */
if (arg <= 0 || arg > 15)

8
crypto/external/bsd/openssl/dist/crypto/lhash/lhash.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -19,14 +19,14 @@
/*
* A hashing implementation that appears to be based on the linear hashing
* alogrithm:
* algorithm:
* https://en.wikipedia.org/wiki/Linear_hashing
*
* Litwin, Witold (1980), "Linear hashing: A new tool for file and table
* addressing", Proc. 6th Conference on Very Large Databases: 212-223
* http://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf
* https://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf
*
* From the wikipedia article "Linear hashing is used in the BDB Berkeley
* From the Wikipedia article "Linear hashing is used in the BDB Berkeley
* database system, which in turn is used by many software systems such as
* OpenLDAP, using a C implementation derived from the CACM article and first
* published on the Usenet in 1988 by Esmond Pitt."

14
crypto/external/bsd/openssl/dist/crypto/pkcs7/pk7_doit.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -137,7 +137,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
}
static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
size_t fixlen)
{
EVP_PKEY_CTX *pctx = NULL;
unsigned char *ek = NULL;
@ -170,7 +171,9 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
}
if (EVP_PKEY_decrypt(pctx, ek, &eklen,
ri->enc_key->data, ri->enc_key->length) <= 0) {
ri->enc_key->data, ri->enc_key->length) <= 0
|| eklen == 0
|| (fixlen != 0 && eklen != fixlen)) {
ret = 0;
PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
goto err;
@ -499,13 +502,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
EVP_CIPHER_key_length(evp_cipher)) < 0)
goto err;
ERR_clear_error();
}
} else {
/* Only exit on fatal errors, not decrypt failure */
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
goto err;
ERR_clear_error();
}

187
crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c vendored
View File

@ -14,14 +14,19 @@
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/rand.h>
#include <openssl/crypto.h>
#include "rand_lcl.h"
#include "internal/rand_int.h"
#include <stdio.h>
#include "internal/dso.h"
#if defined(__linux)
# include <asm/unistd.h>
#ifdef __linux
# include <sys/syscall.h>
# ifdef DEVRANDOM_WAIT
# include <sys/shm.h>
# include <sys/utsname.h>
# endif
#endif
#if defined(__FreeBSD__)
#if defined(__FreeBSD__) && !defined(OPENSSL_SYS_UEFI)
# include <sys/types.h>
# include <sys/sysctl.h>
# include <sys/param.h>
@ -275,6 +280,17 @@ static ssize_t sysctl_random(char *buf, size_t buflen)
# endif
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
# if defined(__linux) && !defined(__NR_getrandom)
# if defined(__arm__) && defined(__NR_SYSCALL_BASE)
# define __NR_getrandom (__NR_SYSCALL_BASE+384)
# elif defined(__i386__)
# define __NR_getrandom 355
# elif defined(__x86_64__) && !defined(__ILP32__)
# define __NR_getrandom 318
# endif
# endif
/*
* syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error.
@ -346,6 +362,91 @@ static struct random_device {
} random_devices[OSSL_NELEM(random_device_paths)];
static int keep_random_devices_open = 1;
# if defined(__linux) && defined(DEVRANDOM_WAIT)
static void *shm_addr;
static void cleanup_shm(void)
{
shmdt(shm_addr);
}
/*
* Ensure that the system randomness source has been adequately seeded.
* This is done by having the first start of libcrypto, wait until the device
* /dev/random becomes able to supply a byte of entropy. Subsequent starts
* of the library and later reseedings do not need to do this.
*/
static int wait_random_seeded(void)
{
static int seeded = OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID < 0;
static const int kernel_version[] = { DEVRANDOM_SAFE_KERNEL };
int kernel[2];
int shm_id, fd, r;
char c, *p;
struct utsname un;
fd_set fds;
if (!seeded) {
/* See if anything has created the global seeded indication */
if ((shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, 0)) == -1) {
/*
* Check the kernel's version and fail if it is too recent.
*
* Linux kernels from 4.8 onwards do not guarantee that
* /dev/urandom is properly seeded when /dev/random becomes
* readable. However, such kernels support the getentropy(2)
* system call and this should always succeed which renders
* this alternative but essentially identical source moot.
*/
if (uname(&un) == 0) {
kernel[0] = atoi(un.release);
p = strchr(un.release, '.');
kernel[1] = p == NULL ? 0 : atoi(p + 1);
if (kernel[0] > kernel_version[0]
|| (kernel[0] == kernel_version[0]
&& kernel[1] >= kernel_version[1])) {
return 0;
}
}
/* Open /dev/random and wait for it to be readable */
if ((fd = open(DEVRANDOM_WAIT, O_RDONLY)) != -1) {
if (DEVRANDM_WAIT_USE_SELECT && fd < FD_SETSIZE) {
FD_ZERO(&fds);
FD_SET(fd, &fds);
while ((r = select(fd + 1, &fds, NULL, NULL, NULL)) < 0
&& errno == EINTR);
} else {
while ((r = read(fd, &c, 1)) < 0 && errno == EINTR);
}
close(fd);
if (r == 1) {
seeded = 1;
/* Create the shared memory indicator */
shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1,
IPC_CREAT | S_IRUSR | S_IRGRP | S_IROTH);
}
}
}
if (shm_id != -1) {
seeded = 1;
/*
* Map the shared memory to prevent its premature destruction.
* If this call fails, it isn't a big problem.
*/
shm_addr = shmat(shm_id, NULL, SHM_RDONLY);
if (shm_addr != (void *)-1)
OPENSSL_atexit(&cleanup_shm);
}
}
return seeded;
}
# else /* defined __linux */
static int wait_random_seeded(void)
{
return 1;
}
# endif
/*
* Verify that the file descriptor associated with the random source is
* still valid. The rationale for doing this is the fact that it is not
@ -472,12 +573,12 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
# if defined(OPENSSL_RAND_SEED_NONE)
return rand_pool_entropy_available(pool);
# else
size_t bytes_needed;
size_t entropy_available = 0;
unsigned char *buffer;
size_t entropy_available;
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
{
size_t bytes_needed;
unsigned char *buffer;
ssize_t bytes;
/* Maximum allowed number of consecutive unsuccessful attempts */
int attempts = 3;
@ -507,36 +608,16 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
# endif
# if defined(OPENSSL_RAND_SEED_DEVRANDOM)
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
{
if (wait_random_seeded()) {
size_t bytes_needed;
unsigned char *buffer;
size_t i;
#ifdef DEVRANDOM_WAIT
static int wait_done = 0;
/*
* On some implementations reading from /dev/urandom is possible
* before it is initialized. Therefore we wait for /dev/random
* to be readable to make sure /dev/urandom is initialized.
*/
if (!wait_done && bytes_needed > 0) {
int f = open(DEVRANDOM_WAIT, O_RDONLY);
if (f >= 0) {
fd_set fds;
FD_ZERO(&fds);
FD_SET(f, &fds);
while (select(f+1, &fds, NULL, NULL, NULL) < 0
&& errno == EINTR);
close(f);
}
wait_done = 1;
}
#endif
for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths); i++) {
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths);
i++) {
ssize_t bytes = 0;
/* Maximum allowed number of consecutive unsuccessful attempts */
/* Maximum number of consecutive unsuccessful attempts */
int attempts = 3;
const int fd = get_random_device(i);
@ -550,7 +631,7 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes;
attempts = 3; /* reset counter after successful attempt */
attempts = 3; /* reset counter on successful attempt */
} else if (bytes < 0 && errno != EINTR) {
break;
}
@ -558,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
if (bytes < 0 || !keep_random_devices_open)
close_random_device(i);
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
bytes_needed = rand_pool_bytes_needed(pool, 1);
}
entropy_available = rand_pool_entropy_available(pool);
if (entropy_available > 0)
@ -579,26 +660,29 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
# endif
# if defined(OPENSSL_RAND_SEED_EGD)
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
if (bytes_needed > 0) {
{
static const char *paths[] = { DEVRANDOM_EGD, NULL };
size_t bytes_needed;
unsigned char *buffer;
int i;
for (i = 0; paths[i] != NULL; i++) {
buffer = rand_pool_add_begin(pool, bytes_needed);
if (buffer != NULL) {
size_t bytes = 0;
int num = RAND_query_egd_bytes(paths[i],
buffer, (int)bytes_needed);
if (num == (int)bytes_needed)
bytes = bytes_needed;
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
for (i = 0; bytes_needed > 0 && paths[i] != NULL; i++) {
size_t bytes = 0;
int num;
rand_pool_add_end(pool, bytes, 8 * bytes);
entropy_available = rand_pool_entropy_available(pool);
}
if (entropy_available > 0)
return entropy_available;
buffer = rand_pool_add_begin(pool, bytes_needed);
num = RAND_query_egd_bytes(paths[i],
buffer, (int)bytes_needed);
if (num == (int)bytes_needed)
bytes = bytes_needed;
rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed = rand_pool_bytes_needed(pool, 1);
}
entropy_available = rand_pool_entropy_available(pool);
if (entropy_available > 0)
return entropy_available;
}
# endif
@ -632,15 +716,18 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
int rand_pool_add_additional_data(RAND_POOL *pool)
{
struct {
int fork_id;
CRYPTO_THREAD_ID tid;
uint64_t time;
} data = { 0 };
/*
* Add some noise from the thread id and a high resolution timer.
* The fork_id adds some extra fork-safety.
* The thread id adds a little randomness if the drbg is accessed
* concurrently (which is the case for the <master> drbg).
*/
data.fork_id = openssl_get_fork_id();
data.tid = CRYPTO_THREAD_get_current_id();
data.time = get_timer_bits();

4
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_err.c vendored
View File

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -174,6 +174,8 @@ static const ERR_STRING_DATA RSA_str_reasons[] = {
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_LAST_OCTET_INVALID), "last octet invalid"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MGF1_DIGEST_NOT_ALLOWED),
"mgf1 digest not allowed"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MISSING_PRIVATE_KEY),
"missing private key"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R),
"mp coefficient not inverse of r"},

2
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c vendored
View File

@ -250,7 +250,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
*
* This strategy has the following goals:
*
* 1. 1024-bit factors are effcient when using 3072 and 4096-bit key
* 1. 1024-bit factors are efficient when using 3072 and 4096-bit key
* 2. stay the same logic with normal 2-prime key
*/
bitse -= bitsr[i];

17
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_lib.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -198,6 +198,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
if (d != NULL) {
BN_clear_free(r->d);
r->d = d;
BN_set_flags(r->d, BN_FLG_CONSTTIME);
}
return 1;
@ -215,10 +216,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
if (p != NULL) {
BN_clear_free(r->p);
r->p = p;
BN_set_flags(r->p, BN_FLG_CONSTTIME);
}
if (q != NULL) {
BN_clear_free(r->q);
r->q = q;
BN_set_flags(r->q, BN_FLG_CONSTTIME);
}
return 1;
@ -237,14 +240,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
if (dmp1 != NULL) {
BN_clear_free(r->dmp1);
r->dmp1 = dmp1;
BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
}
if (dmq1 != NULL) {
BN_clear_free(r->dmq1);
r->dmq1 = dmq1;
BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
}
if (iqmp != NULL) {
BN_clear_free(r->iqmp);
r->iqmp = iqmp;
BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
}
return 1;
@ -276,12 +282,15 @@ int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
if (pinfo == NULL)
goto err;
if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) {
BN_free(pinfo->r);
BN_free(pinfo->d);
BN_free(pinfo->t);
BN_clear_free(pinfo->r);
BN_clear_free(pinfo->d);
BN_clear_free(pinfo->t);
pinfo->r = primes[i];
pinfo->d = exps[i];
pinfo->t = coeffs[i];
BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
} else {
rsa_multip_info_free(pinfo);
goto err;

12
crypto/external/bsd/openssl/dist/crypto/threads_pthread.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -12,6 +12,11 @@
#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
# if defined(OPENSSL_SYS_UNIX)
# include <sys/types.h>
# include <unistd.h>
#endif
# ifdef PTHREAD_RWLOCK_INITIALIZER
# define USE_RWLOCK
# endif
@ -196,4 +201,9 @@ int openssl_init_fork_handlers(void)
# endif
return 0;
}
int openssl_get_fork_id(void)
{
return getpid();
}
#endif

4
crypto/external/bsd/openssl/dist/crypto/ui/ui_lib.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -500,6 +500,7 @@ int UI_process(UI *ui)
if (ui->meth->ui_flush != NULL)
switch (ui->meth->ui_flush(ui)) {
case -1: /* Interrupt/Cancel/something... */
ui->flags &= ~UI_FLAG_REDOABLE;
ok = -2;
goto err;
case 0: /* Errors */
@ -517,6 +518,7 @@ int UI_process(UI *ui)
sk_UI_STRING_value(ui->strings,
i))) {
case -1: /* Interrupt/Cancel/something... */
ui->flags &= ~UI_FLAG_REDOABLE;
ok = -2;
goto err;
case 0: /* Errors */

2
crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c vendored
View File

@ -79,7 +79,7 @@
* systems that require something different.
*
* Note: we do not use SGTTY unless it's defined by the configuration. We
* may eventually opt to remove it's use entirely.
* may eventually opt to remove its use entirely.
*/
# if !defined(TERMIOS) && !defined(TERMIO) && !defined(SGTTY)

20
crypto/external/bsd/openssl/dist/crypto/uid.c vendored
View File

@ -10,22 +10,22 @@
#include <openssl/crypto.h>
#include <openssl/opensslconf.h>
#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) || defined(__NetBSD__)
# include <unistd.h>
int OPENSSL_issetugid(void)
{
return issetugid();
}
#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
int OPENSSL_issetugid(void)
{
return 0;
}
#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) || defined(__NetBSD__)
# include OPENSSL_UNISTD
int OPENSSL_issetugid(void)
{
return issetugid();
}
#else
# include OPENSSL_UNISTD

12
crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -1788,7 +1788,11 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
ASN1_TIME *asn1_cmp_time = NULL;
int i, day, sec, ret = 0;
#ifdef CHARSET_EBCDIC
const char upper_z = 0x5A;
#else
const char upper_z = 'Z';
#endif
/*
* Note that ASN.1 allows much more slack in the time format than RFC5280.
* In RFC5280, the representation is fixed:
@ -1819,10 +1823,10 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
* Digit and date ranges will be verified in the conversion methods.
*/
for (i = 0; i < ctm->length - 1; i++) {
if (!ossl_isdigit(ctm->data[i]))
if (!ascii_isdigit(ctm->data[i]))
return 0;
}
if (ctm->data[ctm->length - 1] != 'Z')
if (ctm->data[ctm->length - 1] != upper_z)
return 0;
/*

30
crypto/external/bsd/openssl/dist/e_os.h vendored
View File

@ -28,8 +28,34 @@
* default, we will try to read at least one of these files
*/
# define DEVRANDOM "/dev/urandom", "/dev/random", "/dev/hwrng", "/dev/srandom"
# ifdef __linux
# define DEVRANDOM_WAIT "/dev/random"
# if defined(__linux) && !defined(__ANDROID__)
# ifndef DEVRANDOM_WAIT
# define DEVRANDOM_WAIT "/dev/random"
# endif
/*
* Linux kernels 4.8 and later changes how their random device works and there
* is no reliable way to tell that /dev/urandom has been seeded -- getentropy(2)
* should be used instead.
*/
# ifndef DEVRANDOM_SAFE_KERNEL
# define DEVRANDOM_SAFE_KERNEL 4, 8
# endif
/*
* Some operating systems do not permit select(2) on their random devices,
* defining this to zero will force the used of read(2) to extract one byte
* from /dev/random.
*/
# ifndef DEVRANDM_WAIT_USE_SELECT
# define DEVRANDM_WAIT_USE_SELECT 1
# endif
/*
* Define the shared memory identifier used to indicate if the operating
* system has properly seeded the DEVRANDOM source.
*/
# ifndef OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID
# define OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID 114
# endif
# endif
# endif
# if !defined(OPENSSL_NO_EGD) && !defined(DEVRANDOM_EGD)

2
crypto/external/bsd/openssl/dist/include/internal/refcount.h vendored
View File

@ -105,7 +105,7 @@ static __inline int CRYPTO_DOWN_REF(volatile int *val, int *ret, void *lock)
# if _WIN32_WCE >= 0x600
extern long __cdecl _InterlockedExchangeAdd(long volatile*, long);
# else
// under Windows CE we still have old-style Interlocked* functions
/* under Windows CE we still have old-style Interlocked* functions */
extern long __cdecl InterlockedExchangeAdd(long volatile*, long);
# define _InterlockedExchangeAdd InterlockedExchangeAdd
# endif

2
crypto/external/bsd/openssl/dist/include/internal/tsan_assist.h vendored
View File

@ -18,7 +18,7 @@
* if (var == NOT_YET_INITIALIZED)
* var = function_returning_same_value();
*
* This does work provided that loads and stores are single-instuction
* This does work provided that loads and stores are single-instruction
* operations (and integer ones are on *all* supported platforms), but
* it upsets Thread Sanitizer. Suggested solution is
*

14
crypto/external/bsd/openssl/dist/ssl/s3_lib.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -3567,6 +3567,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_CHAIN_CERTS:
*(STACK_OF(X509) **)parg = s->cert->key->chain;
ret = 1;
break;
case SSL_CTRL_SELECT_CURRENT_CERT:
@ -3601,8 +3602,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
if (!s->session)
return 0;
clist = s->session->ext.supportedgroups;
clistlen = s->session->ext.supportedgroups_len;
clist = s->ext.peer_supportedgroups;
clistlen = s->ext.peer_supportedgroups_len;
if (parg) {
size_t i;
int *cptr = parg;
@ -3716,13 +3717,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
SSL_SESSION *sess = s->session;
const unsigned char **pformat = parg;
if (sess == NULL || sess->ext.ecpointformats == NULL)
if (s->ext.peer_ecpointformats == NULL)
return 0;
*pformat = sess->ext.ecpointformats;
return (int)sess->ext.ecpointformats_len;
*pformat = s->ext.peer_ecpointformats;
return (int)s->ext.peer_ecpointformats_len;
}
#endif

13
crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c vendored
View File

@ -1377,24 +1377,25 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
{
int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
if (ret && ctx->cipher_list != NULL) {
/* We already have a cipher_list, so we need to update it */
if (ret && ctx->cipher_list != NULL)
return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
ctx->tls13_ciphersuites);
}
return ret;
}
int SSL_set_ciphersuites(SSL *s, const char *str)
{
STACK_OF(SSL_CIPHER) *cipher_list;
int ret = set_ciphersuites(&(s->tls13_ciphersuites), str);
if (ret && s->cipher_list != NULL) {
/* We already have a cipher_list, so we need to update it */
if (s->cipher_list == NULL) {
if ((cipher_list = SSL_get_ciphers(s)) != NULL)
s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
}
if (ret && s->cipher_list != NULL)
return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
s->tls13_ciphersuites);
}
return ret;
}

20
crypto/external/bsd/openssl/dist/ssl/ssl_lib.c vendored
View File

@ -628,6 +628,11 @@ int SSL_clear(SSL *s)
/* Clear the verification result peername */
X509_VERIFY_PARAM_move_peername(s->param, NULL);
/* Clear any shared connection state */
OPENSSL_free(s->shared_sigalgs);
s->shared_sigalgs = NULL;
s->shared_sigalgslen = 0;
/*
* Check to see if we were changed into a different method, if so, revert
* back.
@ -867,7 +872,7 @@ int SSL_up_ref(SSL *s)
int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
unsigned int sid_ctx_len)
{
if (sid_ctx_len > sizeof(ctx->sid_ctx)) {
if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
return 0;
@ -1160,6 +1165,7 @@ void SSL_free(SSL *s)
sk_SSL_CIPHER_free(s->cipher_list);
sk_SSL_CIPHER_free(s->cipher_list_by_id);
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
sk_SSL_CIPHER_free(s->peer_ciphers);
/* Make the next call work :-) */
if (s->session != NULL) {
@ -1172,13 +1178,16 @@ void SSL_free(SSL *s)
clear_ciphers(s);
ssl_cert_free(s->cert);
OPENSSL_free(s->shared_sigalgs);
/* Free up if allocated */
OPENSSL_free(s->ext.hostname);
SSL_CTX_free(s->session_ctx);
#ifndef OPENSSL_NO_EC
OPENSSL_free(s->ext.ecpointformats);
OPENSSL_free(s->ext.peer_ecpointformats);
OPENSSL_free(s->ext.supportedgroups);
OPENSSL_free(s->ext.peer_supportedgroups);
#endif /* OPENSSL_NO_EC */
sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
#ifndef OPENSSL_NO_OCSP
@ -2437,9 +2446,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s)
{
if ((s == NULL) || (s->session == NULL) || !s->server)
if ((s == NULL) || !s->server)
return NULL;
return s->session->ciphers;
return s->peer_ciphers;
}
STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
@ -2578,13 +2587,12 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
int i;
if (!s->server
|| s->session == NULL
|| s->session->ciphers == NULL
|| s->peer_ciphers == NULL
|| size < 2)
return NULL;
p = buf;
clntsk = s->session->ciphers;
clntsk = s->peer_ciphers;
srvrsk = SSL_get_ciphers(s);
if (clntsk == NULL || srvrsk == NULL)
return NULL;

37
crypto/external/bsd/openssl/dist/ssl/ssl_locl.h vendored
View File

@ -552,7 +552,6 @@ struct ssl_session_st {
const SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used to
* load the 'cipher' structure */
STACK_OF(SSL_CIPHER) *ciphers; /* ciphers offered by the client */
CRYPTO_EX_DATA ex_data; /* application specific data */
/*
* These are used to make removal of session-ids more efficient and to
@ -562,13 +561,7 @@ struct ssl_session_st {
struct {
char *hostname;
# ifndef OPENSSL_NO_EC
size_t ecpointformats_len;
unsigned char *ecpointformats; /* peer's list */
# endif /* OPENSSL_NO_EC */
size_t supportedgroups_len;
uint16_t *supportedgroups; /* peer's list */
/* RFC4507 info */
/* RFC4507 info */
unsigned char *tick; /* Session ticket */
size_t ticklen; /* Session ticket length */
/* Session lifetime hint in seconds */
@ -1137,6 +1130,7 @@ struct ssl_st {
/* Per connection DANE state */
SSL_DANE dane;
/* crypto */
STACK_OF(SSL_CIPHER) *peer_ciphers;
STACK_OF(SSL_CIPHER) *cipher_list;
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@ -1300,10 +1294,19 @@ struct ssl_st {
size_t ecpointformats_len;
/* our list */
unsigned char *ecpointformats;
size_t peer_ecpointformats_len;
/* peer's list */
unsigned char *peer_ecpointformats;
# endif /* OPENSSL_NO_EC */
size_t supportedgroups_len;
/* our list */
uint16_t *supportedgroups;
size_t peer_supportedgroups_len;
/* peer's list */
uint16_t *peer_supportedgroups;
/* TLS Session Ticket extension override */
TLS_SESSION_TICKET_EXT *session_ticket;
/* TLS Session Ticket extension callback */
@ -1459,7 +1462,6 @@ struct ssl_st {
size_t block_padding;
CRYPTO_RWLOCK *lock;
RAND_DRBG *drbg;
/* The number of TLS1.3 tickets to automatically send */
size_t num_tickets;
@ -1471,6 +1473,13 @@ struct ssl_st {
/* Callback to determine if early_data is acceptable or not */
SSL_allow_early_data_cb_fn allow_early_data_cb;
void *allow_early_data_cb_data;
/*
* Signature algorithms shared by client and server: cached because these
* are used most often.
*/
const struct sigalg_lookup_st **shared_sigalgs;
size_t shared_sigalgslen;
};
/*
@ -1904,12 +1913,6 @@ typedef struct cert_st {
uint16_t *client_sigalgs;
/* Size of above array */
size_t client_sigalgslen;
/*
* Signature algorithms shared by client and server: cached because these
* are used most often.
*/
const SIGALG_LOOKUP **shared_sigalgs;
size_t shared_sigalgslen;
/*
* Certificate setup callback: if set is called whenever a certificate
* may be required (client or server). the callback can then examine any
@ -2240,8 +2243,8 @@ static ossl_inline int ssl_has_cert(const SSL *s, int idx)
static ossl_inline void tls1_get_peer_groups(SSL *s, const uint16_t **pgroups,
size_t *pgroupslen)
{
*pgroups = s->session->ext.supportedgroups;
*pgroupslen = s->session->ext.supportedgroups_len;
*pgroups = s->ext.peer_supportedgroups;
*pgroupslen = s->ext.peer_supportedgroups_len;
}
# ifndef OPENSSL_UNIT_TEST

39
crypto/external/bsd/openssl/dist/ssl/ssl_sess.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@ -121,12 +121,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
dest->psk_identity_hint = NULL;
dest->psk_identity = NULL;
#endif
dest->ciphers = NULL;
dest->ext.hostname = NULL;
#ifndef OPENSSL_NO_EC
dest->ext.ecpointformats = NULL;
dest->ext.supportedgroups = NULL;
#endif
dest->ext.tick = NULL;
dest->ext.alpn_selected = NULL;
#ifndef OPENSSL_NO_SRP
@ -176,12 +171,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
}
#endif
if (src->ciphers != NULL) {
dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
if (dest->ciphers == NULL)
goto err;
}
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
&dest->ex_data, &src->ex_data)) {
goto err;
@ -193,23 +182,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
goto err;
}
}
#ifndef OPENSSL_NO_EC
if (src->ext.ecpointformats) {
dest->ext.ecpointformats =
OPENSSL_memdup(src->ext.ecpointformats,
src->ext.ecpointformats_len);
if (dest->ext.ecpointformats == NULL)
goto err;
}
if (src->ext.supportedgroups) {
dest->ext.supportedgroups =
OPENSSL_memdup(src->ext.supportedgroups,
src->ext.supportedgroups_len
* sizeof(*src->ext.supportedgroups));
if (dest->ext.supportedgroups == NULL)
goto err;
}
#endif
if (ticket != 0 && src->ext.tick != NULL) {
dest->ext.tick =
@ -790,17 +762,8 @@ void SSL_SESSION_free(SSL_SESSION *ss)
OPENSSL_cleanse(ss->session_id, sizeof(ss->session_id));
X509_free(ss->peer);
sk_X509_pop_free(ss->peer_chain, X509_free);
sk_SSL_CIPHER_free(ss->ciphers);
OPENSSL_free(ss->ext.hostname);
OPENSSL_free(ss->ext.tick);
#ifndef OPENSSL_NO_EC
OPENSSL_free(ss->ext.ecpointformats);
ss->ext.ecpointformats = NULL;
ss->ext.ecpointformats_len = 0;
OPENSSL_free(ss->ext.supportedgroups);
ss->ext.supportedgroups = NULL;
ss->ext.supportedgroups_len = 0;
#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_PSK
OPENSSL_free(ss->psk_identity_hint);
OPENSSL_free(ss->psk_identity);

275
crypto/external/bsd/openssl/dist/ssl/t1_lib.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -21,6 +21,8 @@
#include "ssl_locl.h"
#include <openssl/ct.h>
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
SSL3_ENC_METHOD const TLSv1_enc_data = {
tls1_enc,
tls1_mac,
@ -465,11 +467,11 @@ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
* If point formats extension present check it, otherwise everything is
* supported (see RFC4492).
*/
if (s->session->ext.ecpointformats == NULL)
if (s->ext.peer_ecpointformats == NULL)
return 1;
for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
if (s->session->ext.ecpointformats[i] == comp_id)
for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
if (s->ext.peer_ecpointformats[i] == comp_id)
return 1;
}
return 0;
@ -578,7 +580,6 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
if (check_ee_md && tls1_suiteb(s)) {
int check_md;
size_t i;
CERT *c = s->cert;
/* Check to see we have necessary signing algorithm */
if (group_id == TLSEXT_curve_P_256)
@ -587,8 +588,8 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
check_md = NID_ecdsa_with_SHA384;
else
return 0; /* Should never happen */
for (i = 0; i < c->shared_sigalgslen; i++) {
if (check_md == c->shared_sigalgs[i]->sigandhash)
for (i = 0; i < s->shared_sigalgslen; i++) {
if (check_md == s->shared_sigalgs[i]->sigandhash)
return 1;;
}
return 0;
@ -1215,9 +1216,9 @@ int tls1_set_server_sigalgs(SSL *s)
size_t i;
/* Clear any shared signature algorithms */
OPENSSL_free(s->cert->shared_sigalgs);
s->cert->shared_sigalgs = NULL;
s->cert->shared_sigalgslen = 0;
OPENSSL_free(s->shared_sigalgs);
s->shared_sigalgs = NULL;
s->shared_sigalgslen = 0;
/* Clear certificate validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++)
s->s3->tmp.valid_flags[i] = 0;
@ -1252,7 +1253,7 @@ int tls1_set_server_sigalgs(SSL *s)
SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
return 0;
}
if (s->cert->shared_sigalgs != NULL)
if (s->shared_sigalgs != NULL)
return 1;
/* Fatal error if no shared signature algorithms */
@ -1724,9 +1725,9 @@ static int tls1_set_shared_sigalgs(SSL *s)
CERT *c = s->cert;
unsigned int is_suiteb = tls1_suiteb(s);
OPENSSL_free(c->shared_sigalgs);
c->shared_sigalgs = NULL;
c->shared_sigalgslen = 0;
OPENSSL_free(s->shared_sigalgs);
s->shared_sigalgs = NULL;
s->shared_sigalgslen = 0;
/* If client use client signature algorithms if not NULL */
if (!s->server && c->client_sigalgs && !is_suiteb) {
conf = c->client_sigalgs;
@ -1757,8 +1758,8 @@ static int tls1_set_shared_sigalgs(SSL *s)
} else {
salgs = NULL;
}
c->shared_sigalgs = salgs;
c->shared_sigalgslen = nmatch;
s->shared_sigalgs = salgs;
s->shared_sigalgslen = nmatch;
return 1;
}
@ -1819,7 +1820,6 @@ int tls1_process_sigalgs(SSL *s)
{
size_t i;
uint32_t *pvalid = s->s3->tmp.valid_flags;
CERT *c = s->cert;
if (!tls1_set_shared_sigalgs(s))
return 0;
@ -1827,8 +1827,8 @@ int tls1_process_sigalgs(SSL *s)
for (i = 0; i < SSL_PKEY_NUM; i++)
pvalid[i] = 0;
for (i = 0; i < c->shared_sigalgslen; i++) {
const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
for (i = 0; i < s->shared_sigalgslen; i++) {
const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
int idx = sigptr->sig_idx;
/* Ignore PKCS1 based sig algs in TLSv1.3 */
@ -1875,12 +1875,12 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
unsigned char *rsig, unsigned char *rhash)
{
const SIGALG_LOOKUP *shsigalgs;
if (s->cert->shared_sigalgs == NULL
if (s->shared_sigalgs == NULL
|| idx < 0
|| idx >= (int)s->cert->shared_sigalgslen
|| s->cert->shared_sigalgslen > INT_MAX)
|| idx >= (int)s->shared_sigalgslen
|| s->shared_sigalgslen > INT_MAX)
return 0;
shsigalgs = s->cert->shared_sigalgs[idx];
shsigalgs = s->shared_sigalgs[idx];
if (phash != NULL)
*phash = shsigalgs->hash;
if (psign != NULL)
@ -1891,7 +1891,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
*rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
if (rhash != NULL)
*rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
return (int)s->cert->shared_sigalgslen;
return (int)s->shared_sigalgslen;
}
/* Maximum possible number of unique entries in sigalgs array */
@ -2072,18 +2072,36 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
return 0;
}
static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
{
int sig_nid;
int sig_nid, use_pc_sigalgs = 0;
size_t i;
const SIGALG_LOOKUP *sigalg;
size_t sigalgslen;
if (default_nid == -1)
return 1;
sig_nid = X509_get_signature_nid(x);
if (default_nid)
return sig_nid == default_nid ? 1 : 0;
for (i = 0; i < c->shared_sigalgslen; i++)
if (sig_nid == c->shared_sigalgs[i]->sigandhash)
if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) {
/*
* If we're in TLSv1.3 then we only get here if we're checking the
* chain. If the peer has specified peer_cert_sigalgs then we use them
* otherwise we default to normal sigalgs.
*/
sigalgslen = s->s3->tmp.peer_cert_sigalgslen;
use_pc_sigalgs = 1;
} else {
sigalgslen = s->shared_sigalgslen;
}
for (i = 0; i < sigalgslen; i++) {
sigalg = use_pc_sigalgs
? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
: s->shared_sigalgs[i];
if (sig_nid == sigalg->sigandhash)
return 1;
}
return 0;
}
@ -2240,14 +2258,21 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
}
}
/* Check signature algorithm of each cert in chain */
if (!tls1_check_sig_alg(c, x, default_nid)) {
if (SSL_IS_TLS13(s)) {
/*
* We only get here if the application has called SSL_check_chain(),
* so check_flags is always set.
*/
if (find_sig_alg(s, x, pk) != NULL)
rv |= CERT_PKEY_EE_SIGNATURE;
} else if (!tls1_check_sig_alg(s, x, default_nid)) {
if (!check_flags)
goto end;
} else
rv |= CERT_PKEY_EE_SIGNATURE;
rv |= CERT_PKEY_CA_SIGNATURE;
for (i = 0; i < sk_X509_num(chain); i++) {
if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
if (check_flags) {
rv &= ~CERT_PKEY_CA_SIGNATURE;
break;
@ -2528,44 +2553,33 @@ static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
}
/*
* Returns true if |s| has a usable certificate configured for use
* with signature scheme |sig|.
* "Usable" includes a check for presence as well as applying
* the signature_algorithm_cert restrictions sent by the peer (if any).
* Returns false if no usable certificate is found.
* Checks the given cert against signature_algorithm_cert restrictions sent by
* the peer (if any) as well as whether the hash from the sigalg is usable with
* the key.
* Returns true if the cert is usable and false otherwise.
*/
static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
EVP_PKEY *pkey)
{
const SIGALG_LOOKUP *lu;
int mdnid, pknid, default_mdnid;
int mandatory_md = 0;
size_t i;
/* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */
if (idx == -1)
idx = sig->sig_idx;
if (!ssl_has_cert(s, idx))
return 0;
/* If the EVP_PKEY reports a mandatory digest, allow nothing else. */
ERR_set_mark();
switch (EVP_PKEY_get_default_digest_nid(s->cert->pkeys[idx].privatekey,
&default_mdnid)) {
case 2:
mandatory_md = 1;
break;
case 1:
break;
default: /* If it didn't report a mandatory NID, for whatever reasons,
* just clear the error and allow all hashes to be used. */
ERR_pop_to_mark();
}
if (EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2 &&
sig->hash != default_mdnid)
return 0;
/* If it didn't report a mandatory NID, for whatever reasons,
* just clear the error and allow all hashes to be used. */
ERR_pop_to_mark();
if (s->s3->tmp.peer_cert_sigalgs != NULL) {
for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
if (lu == NULL
|| !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid,
&pknid, NULL, NULL)
|| (mandatory_md && mdnid != default_mdnid))
|| !X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
continue;
/*
* TODO this does not differentiate between the
@ -2578,7 +2592,104 @@ static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
}
return 0;
}
return !mandatory_md || sig->hash == default_mdnid;
return 1;
}
/*
* Returns true if |s| has a usable certificate configured for use
* with signature scheme |sig|.
* "Usable" includes a check for presence as well as applying
* the signature_algorithm_cert restrictions sent by the peer (if any).
* Returns false if no usable certificate is found.
*/
static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
{
/* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
if (idx == -1)
idx = sig->sig_idx;
if (!ssl_has_cert(s, idx))
return 0;
return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
s->cert->pkeys[idx].privatekey);
}
/*
* Returns true if the supplied cert |x| and key |pkey| is usable with the
* specified signature scheme |sig|, or false otherwise.
*/
static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
EVP_PKEY *pkey)
{
size_t idx;
if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
return 0;
/* Check the key is consistent with the sig alg */
if ((int)idx != sig->sig_idx)
return 0;
return check_cert_usable(s, sig, x, pkey);
}
/*
* Find a signature scheme that works with the supplied certificate |x| and key
* |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
* available certs/keys to find one that works.
*/
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
{
const SIGALG_LOOKUP *lu = NULL;
size_t i;
#ifndef OPENSSL_NO_EC
int curve = -1;
#endif
EVP_PKEY *tmppkey;
/* Look for a shared sigalgs matching possible certificates */
for (i = 0; i < s->shared_sigalgslen; i++) {
lu = s->shared_sigalgs[i];
/* Skip SHA1, SHA224, DSA and RSA if not PSS */
if (lu->hash == NID_sha1
|| lu->hash == NID_sha224
|| lu->sig == EVP_PKEY_DSA
|| lu->sig == EVP_PKEY_RSA)
continue;
/* Check that we have a cert, and signature_algorithms_cert */
if (!tls1_lookup_md(lu, NULL))
continue;
if ((pkey == NULL && !has_usable_cert(s, lu, -1))
|| (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
continue;
tmppkey = (pkey != NULL) ? pkey
: s->cert->pkeys[lu->sig_idx].privatekey;
if (lu->sig == EVP_PKEY_EC) {
#ifndef OPENSSL_NO_EC
if (curve == -1) {
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey);
curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
}
if (lu->curve != NID_undef && curve != lu->curve)
continue;
#else
continue;
#endif
} else if (lu->sig == EVP_PKEY_RSA_PSS) {
/* validate that key is large enough for the signature algorithm */
if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
continue;
}
break;
}
if (i == s->shared_sigalgslen)
return NULL;
return lu;
}
/*
@ -2601,48 +2712,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
s->s3->tmp.sigalg = NULL;
if (SSL_IS_TLS13(s)) {
size_t i;
#ifndef OPENSSL_NO_EC
int curve = -1;
#endif
/* Look for a certificate matching shared sigalgs */
for (i = 0; i < s->cert->shared_sigalgslen; i++) {
lu = s->cert->shared_sigalgs[i];
sig_idx = -1;
/* Skip SHA1, SHA224, DSA and RSA if not PSS */
if (lu->hash == NID_sha1
|| lu->hash == NID_sha224
|| lu->sig == EVP_PKEY_DSA
|| lu->sig == EVP_PKEY_RSA)
continue;
/* Check that we have a cert, and signature_algorithms_cert */
if (!tls1_lookup_md(lu, NULL) || !has_usable_cert(s, lu, -1))
continue;
if (lu->sig == EVP_PKEY_EC) {
#ifndef OPENSSL_NO_EC
if (curve == -1) {
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
}
if (lu->curve != NID_undef && curve != lu->curve)
continue;
#else
continue;
#endif
} else if (lu->sig == EVP_PKEY_RSA_PSS) {
/* validate that key is large enough for the signature algorithm */
EVP_PKEY *pkey;
pkey = s->cert->pkeys[lu->sig_idx].privatekey;
if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
continue;
}
break;
}
if (i == s->cert->shared_sigalgslen) {
lu = find_sig_alg(s, NULL, NULL);
if (lu == NULL) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
@ -2675,8 +2746,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
* Find highest preference signature algorithm matching
* cert type
*/
for (i = 0; i < s->cert->shared_sigalgslen; i++) {
lu = s->cert->shared_sigalgs[i];
for (i = 0; i < s->shared_sigalgslen; i++) {
lu = s->shared_sigalgs[i];
if (s->server) {
if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
@ -2703,7 +2774,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
#endif
break;
}
if (i == s->cert->shared_sigalgslen) {
if (i == s->shared_sigalgslen) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,

47
crypto/external/bsd/openssl/dist/test/bntest.c vendored
View File

@ -2169,18 +2169,50 @@ static int test_expmodone(void)
return ret;
}
static int test_smallprime(void)
static int test_smallprime(int kBits)
{
static const int kBits = 10;
BIGNUM *r;
int st = 0;
if (!TEST_ptr(r = BN_new())
|| !TEST_true(BN_generate_prime_ex(r, (int)kBits, 0,
NULL, NULL, NULL))
|| !TEST_int_eq(BN_num_bits(r), kBits))
if (!TEST_ptr(r = BN_new()))
goto err;
if (kBits <= 1) {
if (!TEST_false(BN_generate_prime_ex(r, kBits, 0,
NULL, NULL, NULL)))
goto err;
} else {
if (!TEST_true(BN_generate_prime_ex(r, kBits, 0,
NULL, NULL, NULL))
|| !TEST_int_eq(BN_num_bits(r), kBits))
goto err;
}
st = 1;
err:
BN_free(r);
return st;
}
static int test_smallsafeprime(int kBits)
{
BIGNUM *r;
int st = 0;
if (!TEST_ptr(r = BN_new()))
goto err;
if (kBits <= 5 && kBits != 3) {
if (!TEST_false(BN_generate_prime_ex(r, kBits, 1,
NULL, NULL, NULL)))
goto err;
} else {
if (!TEST_true(BN_generate_prime_ex(r, kBits, 1,
NULL, NULL, NULL))
|| !TEST_int_eq(BN_num_bits(r), kBits))
goto err;
}
st = 1;
err:
BN_free(r);
@ -2405,7 +2437,8 @@ int setup_tests(void)
ADD_TEST(test_badmod);
ADD_TEST(test_expmodzero);
ADD_TEST(test_expmodone);
ADD_TEST(test_smallprime);
ADD_ALL_TESTS(test_smallprime, 16);
ADD_ALL_TESTS(test_smallsafeprime, 16);
ADD_TEST(test_swap);
ADD_TEST(test_ctx_consttime_flag);
#ifndef OPENSSL_NO_EC2M

77
crypto/external/bsd/openssl/dist/test/dhtest.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -17,6 +17,7 @@
#include <openssl/bn.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include "testutil.h"
#ifndef OPENSSL_NO_DH
@ -62,6 +63,17 @@ static int dh_test(void)
|| !TEST_true(DH_set0_pqg(dh, p, q, g)))
goto err1;
if (!DH_check(dh, &i))
goto err2;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
|| !TEST_false(i & DH_CHECK_INVALID_Q_VALUE)
|| !TEST_false(i & DH_CHECK_Q_NOT_PRIME)
|| !TEST_false(i & DH_UNABLE_TO_CHECK_GENERATOR)
|| !TEST_false(i & DH_NOT_SUITABLE_GENERATOR)
|| !TEST_false(i))
goto err2;
/* test the combined getter for p, q, and g */
DH_get0_pqg(dh, &p2, &q2, &g2);
if (!TEST_ptr_eq(p2, p)
@ -130,7 +142,8 @@ static int dh_test(void)
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
|| !TEST_false(i & DH_UNABLE_TO_CHECK_GENERATOR)
|| !TEST_false(i & DH_NOT_SUITABLE_GENERATOR))
|| !TEST_false(i & DH_NOT_SUITABLE_GENERATOR)
|| !TEST_false(i))
goto err3;
DH_get0_pqg(a, &ap, NULL, &ag);
@ -193,7 +206,7 @@ static int dh_test(void)
BN_free(q);
BN_free(g);
err2:
/* an error occured before priv_key was assigned to dh */
/* an error occurred before priv_key was assigned to dh */
BN_free(priv_key);
err3:
success:
@ -609,6 +622,63 @@ static int rfc5114_test(void)
TEST_error("Test failed RFC5114 set %d\n", i + 1);
return 0;
}
static int rfc7919_test(void)
{
DH *a = NULL, *b = NULL;
const BIGNUM *apub_key = NULL, *bpub_key = NULL;
unsigned char *abuf = NULL;
unsigned char *bbuf = NULL;
int i, alen, blen, aout, bout;
int ret = 0;
if (!TEST_ptr(a = DH_new_by_nid(NID_ffdhe2048)))
goto err;
if (!DH_check(a, &i))
goto err;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
|| !TEST_false(i & DH_UNABLE_TO_CHECK_GENERATOR)
|| !TEST_false(i & DH_NOT_SUITABLE_GENERATOR)
|| !TEST_false(i))
goto err;
if (!DH_generate_key(a))
goto err;
DH_get0_key(a, &apub_key, NULL);
/* now create another copy of the DH group for the peer */
if (!TEST_ptr(b = DH_new_by_nid(NID_ffdhe2048)))
goto err;
if (!DH_generate_key(b))
goto err;
DH_get0_key(b, &bpub_key, NULL);
alen = DH_size(a);
if (!TEST_ptr(abuf = OPENSSL_malloc(alen))
|| !TEST_true((aout = DH_compute_key(abuf, bpub_key, a)) != -1))
goto err;
blen = DH_size(b);
if (!TEST_ptr(bbuf = OPENSSL_malloc(blen))
|| !TEST_true((bout = DH_compute_key(bbuf, apub_key, b)) != -1))
goto err;
if (!TEST_true(aout >= 20)
|| !TEST_mem_eq(abuf, aout, bbuf, bout))
goto err;
ret = 1;
err:
OPENSSL_free(abuf);
OPENSSL_free(bbuf);
DH_free(a);
DH_free(b);
return ret;
}
#endif
@ -619,6 +689,7 @@ int setup_tests(void)
#else
ADD_TEST(dh_test);
ADD_TEST(rfc5114_test);
ADD_TEST(rfc7919_test);
#endif
return 1;
}

444
crypto/external/bsd/openssl/dist/test/ectest.c vendored
View File

@ -1519,6 +1519,271 @@ static const unsigned char p521_explicit[] = {
0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
};
/*
* Sometime we cannot compare nids for equality, as the built-in curve table
* includes aliases with different names for the same curve.
*
* This function returns TRUE (1) if the checked nids are identical, or if they
* alias to the same curve. FALSE (0) otherwise.
*/
static ossl_inline
int are_ec_nids_compatible(int n1d, int n2d)
{
int ret = 0;
switch (n1d) {
# ifndef OPENSSL_NO_EC2M
case NID_sect113r1:
case NID_wap_wsg_idm_ecid_wtls4:
ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
break;
case NID_sect163k1:
case NID_wap_wsg_idm_ecid_wtls3:
ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
break;
case NID_sect233k1:
case NID_wap_wsg_idm_ecid_wtls10:
ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
break;
case NID_sect233r1:
case NID_wap_wsg_idm_ecid_wtls11:
ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
break;
case NID_X9_62_c2pnb163v1:
case NID_wap_wsg_idm_ecid_wtls5:
ret = (n2d == NID_X9_62_c2pnb163v1
|| n2d == NID_wap_wsg_idm_ecid_wtls5);
break;
# endif /* OPENSSL_NO_EC2M */
case NID_secp112r1:
case NID_wap_wsg_idm_ecid_wtls6:
ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
break;
case NID_secp160r2:
case NID_wap_wsg_idm_ecid_wtls7:
ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
break;
# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
case NID_secp224r1:
case NID_wap_wsg_idm_ecid_wtls12:
ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
break;
# else
/*
* For SEC P-224 we want to ensure that the SECP nid is returned, as
* that is associated with a specialized method.
*/
case NID_wap_wsg_idm_ecid_wtls12:
ret = (n2d == NID_secp224r1);
break;
# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
default:
ret = (n1d == n2d);
}
return ret;
}
/*
* This checks that EC_GROUP_bew_from_ecparameters() returns a "named"
* EC_GROUP for built-in curves.
*
* Note that it is possible to retrieve an alternative alias that does not match
* the original nid.
*
* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
*/
static int check_named_curve_from_ecparameters(int id)
{
int ret = 0, nid, tnid;
EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
const EC_POINT *group_gen = NULL;
EC_POINT *other_gen = NULL;
BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
const BIGNUM *group_order = NULL;
BIGNUM *other_order = NULL;
BN_CTX *bn_ctx = NULL;
static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
static size_t invalid_seed_len = sizeof(invalid_seed);
ECPARAMETERS *params = NULL, *other_params = NULL;
EC_GROUP *g_ary[8] = {NULL};
EC_GROUP **g_next = &g_ary[0];
ECPARAMETERS *p_ary[8] = {NULL};
ECPARAMETERS **p_next = &p_ary[0];
/* Do some setup */
nid = curves[id].nid;
TEST_note("Curve %s", OBJ_nid2sn(nid));
if (!TEST_ptr(bn_ctx = BN_CTX_new()))
return ret;
BN_CTX_start(bn_ctx);
if (/* Allocations */
!TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
/* Generate reference group and params */
|| !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
|| !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
|| !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
|| !TEST_ptr(group_order = EC_GROUP_get0_order(group))
|| !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
/* compute `other_*` values */
|| !TEST_ptr(tmpg = EC_GROUP_dup(group))
|| !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
|| !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
|| !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
other_gen_x, other_gen_y, bn_ctx))
|| !TEST_true(BN_copy(other_order, group_order))
|| !TEST_true(BN_add_word(other_order, 1))
|| !TEST_true(BN_copy(other_cofactor, group_cofactor))
|| !TEST_true(BN_add_word(other_cofactor, 1)))
goto err;
EC_POINT_free(other_gen);
other_gen = NULL;
if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
|| !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
other_gen_x, other_gen_y,
bn_ctx)))
goto err;
/*
* ###########################
* # Actual tests start here #
* ###########################
*/
/*
* Creating a group from built-in explicit parameters returns a
* "named" EC_GROUP
*/
if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
goto err;
/*
* We cannot always guarantee the names match, as the built-in table
* contains aliases for the same curve with different names.
*/
if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
goto err;
}
/* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
goto err;
/*
* An invalid seed in the parameters should be ignored: expect a "named"
* group.
*/
if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
invalid_seed_len)
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)) {
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
goto err;
}
/*
* A null seed in the parameters should be ignored, as it is optional:
* expect a "named" group.
*/
if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)) {
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
goto err;
}
/*
* Check that changing any of the generator parameters does not yield a
* match with the built-in curves
*/
if (/* Other gen, same group order & cofactor */
!TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
group_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
/* Same gen & cofactor, different order */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
group_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
/* The order is not an optional field, so this should fail */
|| !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
group_cofactor))
/* Check that a wrong cofactor is ignored, and we still match */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
other_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)
/* Check that if the cofactor is not set then it still matches */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
NULL))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)
/* check that restoring the generator passes */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
group_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE))
goto err;
ret = 1;
err:
for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
EC_GROUP_free(*g_next);
for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
ECPARAMETERS_free(*p_next);
ECPARAMETERS_free(params);
EC_POINT_free(other_gen);
EC_GROUP_free(tmpg);
EC_GROUP_free(group);
BN_CTX_end(bn_ctx);
BN_CTX_free(bn_ctx);
return ret;
}
static int parameter_test(void)
{
EC_GROUP *group = NULL, *group2 = NULL;
@ -1561,6 +1826,179 @@ err:
OPENSSL_free(buf);
return r;
}
/*-
* random 256-bit explicit parameters curve, cofactor absent
* order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
* cofactor: 0x12bc94785251297abfafddf1565100da (125 bit)
*/
static const unsigned char params_cf_pass[] = {
0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
0x14, 0xa8, 0x2f, 0x4f
};
/*-
* random 256-bit explicit parameters curve, cofactor absent
* order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
* cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
*/
static const unsigned char params_cf_fail[] = {
0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
0x34, 0xa2, 0x21, 0x01
};
/*-
* Test two random 256-bit explicit parameters curves with absent cofactor.
* The two curves are chosen to roughly straddle the bounds at which the lib
* can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
*
* - params_cf_pass: order is sufficiently close to p to compute cofactor
* - params_cf_fail: order is too far away from p to compute cofactor
*
* For standards-compliant curves, cofactor is chosen as small as possible.
* So you can see neither of these curves are fit for cryptographic use.
*
* Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
* h <= 2**(t/8) where t is the security level of the curve, for which the lib
* will always succeed in computing the cofactor. Neither of these curves
* conform to that -- this is just robustness testing.
*/
static int cofactor_range_test(void)
{
EC_GROUP *group = NULL;
BIGNUM *cf = NULL;
int ret = 0;
const unsigned char *b1 = (const unsigned char *)params_cf_fail;
const unsigned char *b2 = (const unsigned char *)params_cf_pass;
if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
|| !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
|| !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
sizeof(params_cf_pass)))
|| !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
|| !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
goto err;
ret = 1;
err:
BN_free(cf);
EC_GROUP_free(group);
return ret;
}
/*-
* For named curves, test that:
* - the lib correctly computes the cofactor if passed a NULL or zero cofactor
* - a nonsensical cofactor throws an error (negative test)
* - nonsensical orders throw errors (negative tests)
*/
static int cardinality_test(int n)
{
int ret = 0;
int nid = curves[n].nid;
BN_CTX *ctx = NULL;
EC_GROUP *g1 = NULL, *g2 = NULL;
EC_POINT *g2_gen = NULL;
BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
*g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
if (!TEST_ptr(ctx = BN_CTX_new())
|| !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))
|| !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) {
EC_GROUP_free(g1);
EC_GROUP_free(g2);
BN_CTX_free(ctx);
return 0;
}
BN_CTX_start(ctx);
g1_p = BN_CTX_get(ctx);
g1_a = BN_CTX_get(ctx);
g1_b = BN_CTX_get(ctx);
g1_x = BN_CTX_get(ctx);
g1_y = BN_CTX_get(ctx);
g1_order = BN_CTX_get(ctx);
g1_cf = BN_CTX_get(ctx);
if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
/* pull out the explicit curve parameters */
|| !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
|| !TEST_true(EC_POINT_get_affine_coordinates(g1,
EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
|| !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
|| !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
/* construct g2 manually with g1 parameters */
|| !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx))
|| !TEST_ptr(g2_gen = EC_POINT_new(g2))
|| !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
/* pass NULL cofactor: lib should compute it */
|| !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
|| !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
|| !TEST_BN_eq(g1_cf, g2_cf)
/* pass zero cofactor: lib should compute it */
|| !TEST_true(BN_set_word(g2_cf, 0))
|| !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
|| !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
|| !TEST_BN_eq(g1_cf, g2_cf)
/* negative test for invalid cofactor */
|| !TEST_true(BN_set_word(g2_cf, 0))
|| !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
/* negative test for NULL order */
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
/* negative test for zero order */
|| !TEST_true(BN_set_word(g1_order, 0))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
/* negative test for negative order */
|| !TEST_true(BN_set_word(g2_cf, 0))
|| !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
/* negative test for too large order */
|| !TEST_true(BN_lshift(g1_order, g1_p, 2))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
goto err;
ret = 1;
err:
EC_POINT_free(g2_gen);
EC_GROUP_free(g1);
EC_GROUP_free(g2);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ret;
}
#endif
int setup_tests(void)
@ -1572,6 +2010,8 @@ int setup_tests(void)
return 0;
ADD_TEST(parameter_test);
ADD_TEST(cofactor_range_test);
ADD_ALL_TESTS(cardinality_test, crv_len);
ADD_TEST(prime_field_tests);
# ifndef OPENSSL_NO_EC2M
ADD_TEST(char2_field_tests);
@ -1583,7 +2023,9 @@ int setup_tests(void)
# endif
ADD_ALL_TESTS(internal_curve_test, crv_len);
ADD_ALL_TESTS(internal_curve_test_method, crv_len);
#endif
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
#endif /* OPENSSL_NO_EC */
return 1;
}

19
crypto/external/bsd/openssl/dist/test/enginetest.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -120,8 +120,12 @@ static int test_engines(void)
display_engine_list();
/*
* Depending on whether there's any hardware support compiled in, this
* remove may be destined to fail.
* At this point, we should have an empty list, unless some hardware
* support engine got added. However, since we don't allow the config
* file to be loaded and don't otherwise load any built in engines,
* that is unlikely. Still, we check, if for nothing else, then to
* notify that something is a little off (and might mean that |new_h1|
* wasn't unloaded when it should have)
*/
if ((ptr = ENGINE_get_first()) != NULL) {
if (!ENGINE_remove(ptr))
@ -346,6 +350,15 @@ static int test_redirect(void)
}
#endif
int global_init(void)
{
/*
* If the config file gets loaded, the dynamic engine will be loaded,
* and that interferes with our test above.
*/
return OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL);
}
int setup_tests(void)
{
#ifdef OPENSSL_NO_ENGINE

2
crypto/external/bsd/openssl/dist/test/evp_extra_test.c vendored
View File

@ -300,7 +300,7 @@ static const unsigned char kExampleECPubKeyDER[] = {
};
/*
* kExampleBadECKeyDER is a sample EC public key with a wrong OID
* kExampleBadECPubKeyDER is a sample EC public key with a wrong OID
* 1.2.840.10045.2.2 instead of 1.2.840.10045.2.1 - EC Public Key
*/
static const unsigned char kExampleBadECPubKeyDER[] = {

34
crypto/external/bsd/openssl/dist/test/evp_test.c vendored
View File

@ -403,6 +403,28 @@ static int digest_test_run(EVP_TEST *t)
}
if (EVP_MD_flags(expected->digest) & EVP_MD_FLAG_XOF) {
EVP_MD_CTX *mctx_cpy;
char dont[] = "touch";
if (!TEST_ptr(mctx_cpy = EVP_MD_CTX_new())) {
goto err;
}
if (!EVP_MD_CTX_copy(mctx_cpy, mctx)) {
EVP_MD_CTX_free(mctx_cpy);
goto err;
}
if (!EVP_DigestFinalXOF(mctx_cpy, (unsigned char *)dont, 0)) {
EVP_MD_CTX_free(mctx_cpy);
t->err = "DIGESTFINALXOF_ERROR";
goto err;
}
if (!TEST_str_eq(dont, "touch")) {
EVP_MD_CTX_free(mctx_cpy);
t->err = "DIGESTFINALXOF_ERROR";
goto err;
}
EVP_MD_CTX_free(mctx_cpy);
got_len = expected->output_len;
if (!EVP_DigestFinalXOF(mctx, got, got_len)) {
t->err = "DIGESTFINALXOF_ERROR";
@ -532,7 +554,7 @@ static int cipher_test_parse(EVP_TEST *t, const char *keyword,
else if (strcmp(value, "FALSE") == 0)
cdat->tag_late = 0;
else
return 0;
return -1;
return 1;
}
}
@ -543,7 +565,7 @@ static int cipher_test_parse(EVP_TEST *t, const char *keyword,
else if (strcmp(value, "DECRYPT") == 0)
cdat->enc = 0;
else
return 0;
return -1;
return 1;
}
return 0;
@ -923,7 +945,7 @@ static int mac_test_parse(EVP_TEST *t,
if (strcmp(keyword, "Algorithm") == 0) {
mdata->alg = OPENSSL_strdup(value);
if (!mdata->alg)
return 0;
return -1;
return 1;
}
if (strcmp(keyword, "Input") == 0)
@ -1270,9 +1292,9 @@ static int pderive_test_parse(EVP_TEST *t,
if (strcmp(keyword, "PeerKey") == 0) {
EVP_PKEY *peer;
if (find_key(&peer, value, public_keys) == 0)
return 0;
return -1;
if (EVP_PKEY_derive_set_peer(kdata->ctx, peer) <= 0)
return 0;
return -1;
return 1;
}
if (strcmp(keyword, "SharedSecret") == 0)
@ -2120,7 +2142,7 @@ static int digestsigver_test_parse(EVP_TEST *t,
}
if (strcmp(keyword, "Ctrl") == 0) {
if (mdata->pctx == NULL)
return 0;
return -1;
return pkey_test_ctrl(t, mdata->pctx, value);
}
return 0;

26
crypto/external/bsd/openssl/dist/test/testutil/driver.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -112,7 +112,7 @@ void setup_test_framework(void)
seed = (int)time(NULL);
test_printf_stdout("%*s# RAND SEED %d\n", subtest_level(), "", seed);
test_flush_stdout();
srand(seed);
test_random_seed(seed);
}
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
@ -190,7 +190,7 @@ int run_tests(const char *test_prog_name)
permute[i] = i;
if (seed != 0)
for (i = num_tests - 1; i >= 1; i--) {
j = rand() % (1 + i);
j = test_random() % (1 + i);
ii = permute[j];
permute[j] = permute[i];
permute[i] = ii;
@ -228,7 +228,7 @@ int run_tests(const char *test_prog_name)
jstep = 1;
else
do
jstep = rand() % all_tests[i].num;
jstep = test_random() % all_tests[i].num;
while (jstep == 0 || gcd(all_tests[i].num, jstep) != 1);
for (jj = 0; jj < all_tests[i].num; jj++) {
@ -297,3 +297,21 @@ char *glue_strings(const char *list[], size_t *out_len)
return ret;
}
char *test_mk_file_path(const char *dir, const char *file)
{
# ifndef OPENSSL_SYS_VMS
const char *sep = "/";
# else
const char *sep = "";
# endif
size_t len = strlen(dir) + strlen(sep) + strlen(file) + 1;
char *full_file = OPENSSL_zalloc(len);
if (full_file != NULL) {
OPENSSL_strlcpy(full_file, dir, len);
OPENSSL_strlcat(full_file, sep, len);
OPENSSL_strlcat(full_file, file, len);
}
return full_file;
}

4
crypto/external/bsd/openssl/dist/util/mkdef.pl vendored
View File

@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -360,7 +360,7 @@ sub do_defs
# params: symbol, alias, platforms, kind
# The reason to put this subroutine in a variable is that
# it will otherwise create it's own, unshared, version of
# it will otherwise create its own, unshared, version of
# %tag and %variant...
my $make_variant = sub
{

23
crypto/external/bsd/openssl/lib/libcrypto/crypto.map vendored
View File

@ -1078,10 +1078,6 @@ OPENSSL_1_1_0 {
ECPKParameters_print_fp;
ECParameters_print;
ECParameters_print_fp;
EC_GFp_nistp224_method;
EC_GFp_nistp256_method;
EC_GFp_nistp521_method;
EC_GFp_nistz256_method;
EC_GF2m_simple_method;
EC_GFp_mont_method;
EC_GFp_nist_method;
@ -4424,7 +4420,24 @@ OPENSSL_1_1_1 {
NAMING_AUTHORITY_it;
PROFESSION_INFO_it;
SCRYPT_PARAMS_it;
local: *;
} OPENSSL_1_1_0j;
OPENSSL_1_1_1b {
global:
OPENSSL_INIT_set_config_file_flags;
OPENSSL_INIT_set_config_filename;
} OPENSSL_1_1_1;
OPENSSL_1_1_1c {
global:
EVP_PKEY_get0_engine;
} OPENSSL_1_1_1b;
OPENSSL_1_1_1d {
global:
X509_get0_authority_issuer;
X509_get0_authority_serial;
local: *;
} OPENSSL_1_1_1c;

7
crypto/external/bsd/openssl/lib/libssl/ssl.map vendored
View File

@ -502,7 +502,12 @@ OPENSSL_1_1_1 {
SSL_verify_client_post_handshake;
SSL_write_early_data;
SSL_write_ex;
local: *;
} OPENSSL_1_1_0d;
OPENSSL_1_1_1a {
global:
SSL_get_signature_type_nid;
local: *;
} OPENSSL_1_1_1;