From a68659eb19724700e86ec86ae85860c93d85836e Mon Sep 17 00:00:00 2001 From: christos Date: Sat, 18 Aug 2018 08:30:43 +0000 Subject: [PATCH] Changes between 1.1.0h and 1.1.0i [14 Aug 2018] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit *) Client DoS due to large DH parameter During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken (CVE-2018-0732) [Guido Vranken] *) Cache timing vulnerability in RSA Key Generation The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. (CVE-2018-0737) [Billy Brumley] *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str parameter is no longer accepted, as it leads to a corrupt table. NULL pem_str is reserved for alias entries only. [Richard Levitte] *) Revert blinding in ECDSA sign and instead make problematic addition length-invariant. Switch even to fixed-length Montgomery multiplication. [Andy Polyakov] *) Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128. [Kurt Roeckx, Annie Yousar] *) Increase the number of Miller-Rabin rounds for DSA key generating to 64. [Kurt Roeckx] *) Add blinding to ECDSA and DSA signatures to protect against side channel attacks discovered by Keegan Ryan (NCC Group). [Matt Caswell] *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases. [Richard Levitte] *) Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed. [Emilia Käsper] *) Fixed a text canonicalisation bug in CMS Where a CMS detached signature is used with text content the text goes through a canonicalisation process first prior to signing or verifying a signature. This process strips trailing space at the end of lines, converts line terminators to CRLF and removes additional trailing line terminators at the end of a file. A bug in the canonicalisation process meant that some characters, such as form-feed, were incorrectly treated as whitespace and removed. This is contrary to the specification (RFC5485). This fix could mean that detached text data signed with an earlier version of OpenSSL 1.1.0 may fail to verify using the fixed version, or text data signed with a fixed OpenSSL may fail to verify with an earlier version of OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data and use the "-binary" flag (for the "cms" command line application) or set the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()). [Matt Caswell] --- crypto/external/bsd/openssl/dist/.gitignore | 1 + crypto/external/bsd/openssl/dist/.travis.yml | 12 +- crypto/external/bsd/openssl/dist/CHANGES | 75 ++++++ crypto/external/bsd/openssl/dist/CONTRIBUTING | 67 +++-- .../openssl/dist/Configurations/10-main.conf | 53 ++-- .../bsd/openssl/dist/Configurations/dist.conf | 12 + .../dist/Configurations/unix-Makefile.tmpl | 6 +- .../dist/Configurations/windows-checker.pm | 2 +- .../dist/Configurations/windows-makefile.tmpl | 76 +++--- crypto/external/bsd/openssl/dist/Configure | 60 +++-- crypto/external/bsd/openssl/dist/INSTALL | 5 +- crypto/external/bsd/openssl/dist/Makefile | 108 +++++++- crypto/external/bsd/openssl/dist/NEWS | 5 + crypto/external/bsd/openssl/dist/README | 4 +- crypto/external/bsd/openssl/dist/apps/apps.c | 5 +- .../external/bsd/openssl/dist/apps/asn1pars.c | 22 +- crypto/external/bsd/openssl/dist/apps/ca.c | 29 +- .../external/bsd/openssl/dist/apps/dhparam.c | 11 +- .../external/bsd/openssl/dist/apps/dsaparam.c | 29 +- crypto/external/bsd/openssl/dist/apps/ocsp.c | 3 +- .../external/bsd/openssl/dist/apps/rehash.c | 20 +- .../external/bsd/openssl/dist/apps/s_client.c | 10 +- .../external/bsd/openssl/dist/apps/s_server.c | 17 +- crypto/external/bsd/openssl/dist/apps/speed.c | 227 ++++++++-------- .../external/bsd/openssl/dist/apps/verify.c | 3 +- crypto/external/bsd/openssl/dist/appveyor.yml | 2 +- .../external/bsd/openssl/dist/configdata.pm | 115 +++++++- .../bsd/openssl/dist/crypto/arm_arch.h | 4 +- .../external/bsd/openssl/dist/crypto/armcap.c | 3 +- .../bsd/openssl/dist/crypto/armv4cpuid.pl | 4 +- .../bsd/openssl/dist/crypto/asn1/a_object.c | 23 +- .../bsd/openssl/dist/crypto/asn1/a_strex.c | 77 ++---- .../bsd/openssl/dist/crypto/asn1/ameth_lib.c | 12 + .../bsd/openssl/dist/crypto/asn1/asn1_err.c | 2 + .../bsd/openssl/dist/crypto/asn1/asn_mime.c | 8 +- .../bsd/openssl/dist/crypto/asn1/p5_scrypt.c | 4 +- .../bsd/openssl/dist/crypto/asn1/tasn_enc.c | 4 +- .../bsd/openssl/dist/crypto/asn1/tasn_utl.c | 4 +- .../bsd/openssl/dist/crypto/async/async.c | 80 +++--- .../bsd/openssl/dist/crypto/bio/b_addr.c | 11 +- .../bsd/openssl/dist/crypto/bio/b_sock.c | 6 +- .../bsd/openssl/dist/crypto/bio/bio_meth.c | 17 +- .../bsd/openssl/dist/crypto/bio/bss_log.c | 4 +- .../bsd/openssl/dist/crypto/bio/bss_mem.c | 4 +- .../openssl/dist/crypto/bn/asm/alpha-mont.pl | 11 +- .../openssl/dist/crypto/bn/asm/armv4-mont.pl | 17 +- .../openssl/dist/crypto/bn/asm/ia64-mont.pl | 20 +- .../openssl/dist/crypto/bn/asm/mips-mont.pl | 14 +- .../openssl/dist/crypto/bn/asm/parisc-mont.pl | 30 +-- .../openssl/dist/crypto/bn/asm/ppc-mont.pl | 15 +- .../openssl/dist/crypto/bn/asm/ppc64-mont.pl | 43 ++- .../openssl/dist/crypto/bn/asm/rsaz-avx2.pl | 4 +- .../openssl/dist/crypto/bn/asm/s390x-mont.pl | 16 +- .../dist/crypto/bn/asm/sparct4-mont.pl | 26 +- .../dist/crypto/bn/asm/sparcv9-mont.pl | 15 +- .../openssl/dist/crypto/bn/asm/via-mont.pl | 15 +- .../openssl/dist/crypto/bn/asm/vis3-mont.pl | 18 +- .../openssl/dist/crypto/bn/asm/x86-mont.pl | 20 +- .../openssl/dist/crypto/bn/asm/x86_64-mont.pl | 83 +++--- .../dist/crypto/bn/asm/x86_64-mont5.pl | 21 +- .../bsd/openssl/dist/crypto/bn/bn_div.c | 3 +- .../bsd/openssl/dist/crypto/bn/bn_exp.c | 69 ++--- .../bsd/openssl/dist/crypto/bn/bn_gcd.c | 11 +- .../bsd/openssl/dist/crypto/bn/bn_gf2m.c | 34 +-- .../bsd/openssl/dist/crypto/bn/bn_intern.c | 12 +- .../bsd/openssl/dist/crypto/bn/bn_lcl.h | 23 +- .../bsd/openssl/dist/crypto/bn/bn_lib.c | 85 ++++-- .../bsd/openssl/dist/crypto/bn/bn_mod.c | 69 ++++- .../bsd/openssl/dist/crypto/bn/bn_mont.c | 69 +++-- .../bsd/openssl/dist/crypto/bn/bn_sqr.c | 12 +- .../bsd/openssl/dist/crypto/build.info | 1 - .../dist/crypto/chacha/asm/chacha-x86.pl | 4 +- .../bsd/openssl/dist/crypto/cms/cms_env.c | 3 +- .../bsd/openssl/dist/crypto/cms/cms_smime.c | 3 +- .../bsd/openssl/dist/crypto/conf/build.info | 2 +- .../bsd/openssl/dist/crypto/conf/conf_api.c | 6 +- .../bsd/openssl/dist/crypto/conf/conf_err.c | 9 +- .../bsd/openssl/dist/crypto/conf/conf_lcl.h | 11 + .../bsd/openssl/dist/crypto/conf/conf_mall.c | 4 +- .../bsd/openssl/dist/crypto/conf/conf_ssl.c | 178 +++++++++++++ .../bsd/openssl/dist/crypto/cryptlib.c | 112 ++++++-- .../bsd/openssl/dist/crypto/dh/dh_key.c | 9 +- .../bsd/openssl/dist/crypto/dh/dh_meth.c | 4 +- .../bsd/openssl/dist/crypto/dsa/dsa_err.c | 3 +- .../bsd/openssl/dist/crypto/dsa/dsa_gen.c | 15 +- .../bsd/openssl/dist/crypto/dsa/dsa_meth.c | 4 +- .../bsd/openssl/dist/crypto/dsa/dsa_ossl.c | 68 +++-- .../bsd/openssl/dist/crypto/dsa/dsa_pmeth.c | 28 +- .../bsd/openssl/dist/crypto/dso/dso_dlfcn.c | 83 +++++- .../dist/crypto/ec/asm/ecp_nistz256-armv4.pl | 12 +- .../dist/crypto/ec/asm/ecp_nistz256-armv8.pl | 18 +- .../dist/crypto/ec/asm/ecp_nistz256-avx2.pl | 4 +- .../crypto/ec/asm/ecp_nistz256-sparcv9.pl | 10 +- .../dist/crypto/ec/asm/ecp_nistz256-x86.pl | 4 +- .../bsd/openssl/dist/crypto/ec/ec2_smpl.c | 3 +- .../bsd/openssl/dist/crypto/ec/ec_ameth.c | 13 +- .../bsd/openssl/dist/crypto/ec/ec_curve.c | 6 +- .../bsd/openssl/dist/crypto/ec/ec_lcl.h | 18 +- .../bsd/openssl/dist/crypto/ec/ec_lib.c | 41 +-- .../bsd/openssl/dist/crypto/ec/ec_mult.c | 250 +++++++++++++++++- .../bsd/openssl/dist/crypto/ec/ec_oct.c | 10 +- .../bsd/openssl/dist/crypto/ec/ecdsa_ossl.c | 80 +++--- .../bsd/openssl/dist/crypto/ec/ecp_nistz256.c | 34 +-- .../bsd/openssl/dist/crypto/ec/ecp_smpl.c | 3 +- .../bsd/openssl/dist/crypto/engine/eng_lib.c | 11 +- .../openssl/dist/crypto/engine/tb_asnmth.c | 5 +- .../bsd/openssl/dist/crypto/err/err.c | 63 +++-- .../bsd/openssl/dist/crypto/evp/evp_err.c | 3 + .../bsd/openssl/dist/crypto/evp/pmeth_lib.c | 46 ++-- .../bsd/openssl/dist/crypto/evp/scrypt.c | 25 +- .../bsd/openssl/dist/crypto/ex_data.c | 5 +- .../internal/__DECC_INCLUDE_EPILOGUE.H | 16 ++ .../internal/__DECC_INCLUDE_PROLOGUE.H | 20 ++ .../dist/crypto/include/internal/asn1_int.h | 4 +- .../dist/crypto/include/internal/async.h | 3 +- .../dist/crypto/include/internal/bn_int.h | 19 +- .../dist/crypto/include/internal/cryptlib.h | 4 +- .../crypto/include/internal/cryptlib_int.h | 3 +- .../dist/crypto/include/internal/err_int.h | 4 +- .../dist/crypto/include/internal/x509_int.h | 3 +- .../external/bsd/openssl/dist/crypto/init.c | 138 ++++++---- .../dist/crypto/modes/asm/ghash-armv4.pl | 9 +- .../dist/crypto/modes/asm/ghashv8-armx.pl | 4 +- .../bsd/openssl/dist/crypto/modes/modes_lcl.h | 17 +- .../bsd/openssl/dist/crypto/modes/ocb128.c | 133 +++++----- .../bsd/openssl/dist/crypto/o_fopen.c | 20 +- .../external/bsd/openssl/dist/crypto/o_time.c | 6 +- .../bsd/openssl/dist/crypto/pem/pem_lib.c | 55 ++-- .../bsd/openssl/dist/crypto/pem/pem_pk8.c | 4 +- .../bsd/openssl/dist/crypto/pem/pem_pkey.c | 4 +- .../bsd/openssl/dist/crypto/pem/pvkfmt.c | 2 +- .../bsd/openssl/dist/crypto/pkcs12/p12_asn.c | 4 +- .../crypto/poly1305/asm/poly1305-armv4.pl | 5 +- .../dist/crypto/poly1305/asm/poly1305-x86.pl | 4 +- .../bsd/openssl/dist/crypto/rsa/rsa_gen.c | 2 + .../bsd/openssl/dist/crypto/rsa/rsa_meth.c | 4 +- .../bsd/openssl/dist/crypto/rsa/rsa_oaep.c | 40 +-- .../bsd/openssl/dist/crypto/rsa/rsa_ossl.c | 43 ++- .../bsd/openssl/dist/crypto/rsa/rsa_pk1.c | 41 +-- .../bsd/openssl/dist/crypto/rsa/rsa_ssl.c | 10 +- .../openssl/dist/crypto/sha/asm/sha1-586.pl | 4 +- .../openssl/dist/crypto/sha/asm/sha256-586.pl | 4 +- .../dist/crypto/sha/asm/sha256-armv4.pl | 4 +- .../dist/crypto/sha/asm/sha512-armv4.pl | 6 +- .../bsd/openssl/dist/crypto/threads_win.c | 23 +- .../bsd/openssl/dist/crypto/ts/ts_lib.c | 5 +- .../bsd/openssl/dist/crypto/ts/ts_rsp_sign.c | 7 +- .../bsd/openssl/dist/crypto/ui/ui_openssl.c | 9 +- .../bsd/openssl/dist/crypto/x509/build.info | 2 +- .../bsd/openssl/dist/crypto/x509/by_dir.c | 4 +- .../bsd/openssl/dist/crypto/x509/x509_cmp.c | 4 +- .../bsd/openssl/dist/crypto/x509/x509_err.c | 3 +- .../bsd/openssl/dist/crypto/x509/x509_lcl.h | 6 +- .../bsd/openssl/dist/crypto/x509/x509_lu.c | 128 ++++++--- .../bsd/openssl/dist/crypto/x509/x509_meth.c | 166 ++++++++++++ .../bsd/openssl/dist/crypto/x509/x509_vfy.c | 183 ++++++------- .../bsd/openssl/dist/crypto/x509/x509_vpm.c | 7 +- .../bsd/openssl/dist/crypto/x509/x509name.c | 10 +- .../bsd/openssl/dist/crypto/x509/x_name.c | 4 +- .../bsd/openssl/dist/crypto/x509v3/v3_ncons.c | 137 ++++++++-- .../bsd/openssl/dist/crypto/x509v3/v3_purp.c | 34 ++- .../bsd/openssl/dist/crypto/x509v3/v3_tlsf.c | 9 +- .../bsd/openssl/dist/doc/apps/cms.pod | 18 +- .../bsd/openssl/dist/doc/apps/config.pod | 4 +- .../bsd/openssl/dist/doc/apps/genpkey.pod | 177 +++++++------ .../bsd/openssl/dist/doc/apps/rehash.pod | 8 +- .../bsd/openssl/dist/doc/apps/s_client.pod | 10 +- .../doc/crypto/ASN1_INTEGER_get_int64.pod | 6 +- .../openssl/dist/doc/crypto/BIO_meth_new.pod | 18 +- .../bsd/openssl/dist/doc/crypto/BN_add.pod | 6 +- .../bsd/openssl/dist/doc/crypto/BN_bn2bin.pod | 6 +- .../dist/doc/crypto/BN_generate_prime.pod | 14 +- .../openssl/dist/doc/crypto/CMS_encrypt.pod | 7 +- .../dist/doc/crypto/CMS_get0_SignerInfos.pod | 4 +- .../doc/crypto/CMS_get1_ReceiptRequest.pod | 4 +- .../openssl/dist/doc/crypto/DH_meth_new.pod | 4 +- .../openssl/dist/doc/crypto/DSA_meth_new.pod | 4 +- .../bsd/openssl/dist/doc/crypto/DSA_sign.pod | 15 +- .../openssl/dist/doc/crypto/ECDSA_SIG_new.pod | 4 +- .../dist/doc/crypto/EVP_DigestInit.pod | 51 +++- .../dist/doc/crypto/EVP_DigestSignInit.pod | 45 +++- .../doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod | 4 +- .../crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod | 4 +- .../openssl/dist/doc/crypto/OBJ_nid2obj.pod | 4 +- .../dist/doc/crypto/OCSP_resp_find_status.pod | 32 ++- .../doc/crypto/OPENSSL_VERSION_NUMBER.pod | 5 - .../dist/doc/crypto/OPENSSL_init_crypto.pod | 10 +- .../dist/doc/crypto/OPENSSL_malloc.pod | 6 +- .../doc/crypto/PEM_read_bio_PrivateKey.pod | 15 +- .../openssl/dist/doc/crypto/RSA_meth_new.pod | 4 +- .../dist/doc/crypto/SMIME_read_PKCS7.pod | 4 +- .../dist/doc/crypto/X509_LOOKUP_hash_dir.pod | 3 +- .../dist/doc/crypto/X509_LOOKUP_meth_new.pod | 189 +++++++++++++ .../crypto/X509_VERIFY_PARAM_set_flags.pod | 33 ++- .../dist/doc/crypto/X509_check_host.pod | 9 +- .../openssl/dist/doc/crypto/X509_cmp_time.pod | 39 +++ .../bsd/openssl/dist/doc/fingerprints.txt | 5 +- .../bsd/openssl/dist/doc/openssl-c-indent.el | 1 + .../bsd/openssl/dist/doc/ssl/SSL_CONF_cmd.pod | 4 - .../dist/doc/ssl/SSL_CTX_use_certificate.pod | 9 +- .../openssl/dist/doc/ssl/SSL_get_ciphers.pod | 36 ++- .../openssl/dist/doc/ssl/SSL_get_session.pod | 7 +- .../openssl/dist/doc/ssl/SSL_get_version.pod | 8 +- .../openssl/dist/doc/ssl/SSL_set1_host.pod | 4 +- .../external/bsd/openssl/dist/doc/ssl/ssl.pod | 8 +- .../external/perl/transfer/Text/Template.pm | 5 +- .../bsd/openssl/dist/fuzz/test-corpus.c | 85 ++++-- .../internal/__DECC_INCLUDE_EPILOGUE.H | 16 ++ .../internal/__DECC_INCLUDE_PROLOGUE.H | 20 ++ .../openssl/dist/include/internal/sslconf.h | 20 ++ .../bsd/openssl/dist/include/openssl/asn1.h | 2 + .../bsd/openssl/dist/include/openssl/bio.h | 16 +- .../bsd/openssl/dist/include/openssl/bn.h | 89 +++++-- .../bsd/openssl/dist/include/openssl/conf.h | 7 +- .../bsd/openssl/dist/include/openssl/crypto.h | 6 +- .../bsd/openssl/dist/include/openssl/dh.h | 4 +- .../bsd/openssl/dist/include/openssl/dsa.h | 13 +- .../bsd/openssl/dist/include/openssl/evp.h | 31 ++- .../bsd/openssl/dist/include/openssl/lhash.h | 4 +- .../dist/include/openssl/opensslconf.h.in | 18 +- .../openssl/dist/include/openssl/opensslv.h | 11 +- .../bsd/openssl/dist/include/openssl/pem.h | 5 +- .../bsd/openssl/dist/include/openssl/rsa.h | 4 +- .../bsd/openssl/dist/include/openssl/ssl.h | 4 +- .../bsd/openssl/dist/include/openssl/ssl3.h | 12 +- .../bsd/openssl/dist/include/openssl/tls1.h | 10 +- .../bsd/openssl/dist/include/openssl/x509.h | 3 +- .../openssl/dist/include/openssl/x509_vfy.h | 78 +++++- .../bsd/openssl/dist/ms/uplink-x86.pl | 4 +- .../openssl/dist/ssl/record/rec_layer_d1.c | 64 ++++- .../bsd/openssl/dist/ssl/record/ssl3_record.c | 14 +- .../external/bsd/openssl/dist/ssl/ssl_ciph.c | 5 +- .../external/bsd/openssl/dist/ssl/ssl_conf.c | 5 +- .../external/bsd/openssl/dist/ssl/ssl_init.c | 13 +- .../external/bsd/openssl/dist/ssl/ssl_lib.c | 47 ++-- .../external/bsd/openssl/dist/ssl/ssl_locl.h | 9 +- .../external/bsd/openssl/dist/ssl/ssl_mcnf.c | 142 ++-------- .../external/bsd/openssl/dist/ssl/ssl_sess.c | 8 +- .../external/bsd/openssl/dist/ssl/ssl_txt.c | 16 +- .../bsd/openssl/dist/ssl/statem/statem.c | 4 +- .../bsd/openssl/dist/ssl/statem/statem_clnt.c | 17 +- .../bsd/openssl/dist/ssl/statem/statem_dtls.c | 3 +- .../bsd/openssl/dist/ssl/statem/statem_lib.c | 25 ++ .../bsd/openssl/dist/ssl/statem/statem_srvr.c | 45 +++- crypto/external/bsd/openssl/dist/ssl/t1_lib.c | 50 +++- .../external/bsd/openssl/dist/ssl/t1_trce.c | 17 +- .../external/bsd/openssl/dist/test/build.info | 19 +- .../bsd/openssl/dist/test/certs/alt1-cert.pem | 39 ++- .../bsd/openssl/dist/test/certs/alt1-key.pem | 52 ++-- .../openssl/dist/test/certs/badalt6-cert.pem | 35 ++- .../openssl/dist/test/certs/badalt6-key.pem | 52 ++-- .../openssl/dist/test/certs/badalt7-cert.pem | 33 ++- .../openssl/dist/test/certs/badalt7-key.pem | 52 ++-- .../openssl/dist/test/certs/badcn1-cert.pem | 20 ++ .../openssl/dist/test/certs/badcn1-key.pem | 28 ++ .../openssl/dist/test/certs/goodcn1-cert.pem | 22 ++ .../openssl/dist/test/certs/goodcn1-key.pem | 28 ++ .../bsd/openssl/dist/test/certs/setup.sh | 25 +- .../external/bsd/openssl/dist/test/errtest.c | 40 +++ .../external/bsd/openssl/dist/test/evp_test.c | 10 +- .../bsd/openssl/dist/test/evptests.txt | 31 ++- .../openssl/dist/test/recipes/04-test_err.t | 12 + .../dist/test/recipes/15-test_genrsa.t | 39 ++- .../dist/test/recipes/25-test_verify.t | 10 +- .../dist/test/recipes/60-test_x509_dup_cert.t | 19 ++ .../dist/test/recipes/60-test_x509_time.t | 12 + .../dist/test/recipes/80-test_cipherlist.t | 9 +- .../openssl/dist/test/recipes/90-test_fuzz.t | 12 +- .../dist/test/recipes/90-test_shlibload.t | 6 +- .../bsd/openssl/dist/test/shlibloadtest.c | 58 +++- .../bsd/openssl/dist/test/sslapitest.c | 56 ++++ .../bsd/openssl/dist/test/verify_extra_test.c | 44 ++- .../external/bsd/openssl/dist/test/versions.c | 20 ++ .../openssl/dist/test/x509_dup_cert_test.c | 70 +++++ .../bsd/openssl/dist/test/x509_time_test.c | 212 +++++++++++++++ crypto/external/bsd/openssl/dist/util/copy.pl | 12 +- .../external/bsd/openssl/dist/util/dofile.pl | 6 +- crypto/external/bsd/openssl/dist/util/echo.pl | 12 + .../bsd/openssl/dist/util/libcrypto.num | 29 ++ .../external/bsd/openssl/dist/util/mkdef.pl | 3 +- .../openssl/dist/util/perl/OpenSSL/Test.pm | 29 +- .../openssl/dist/util/perl/with_fallback.pm | 8 +- .../bsd/openssl/dist/util/process_docs.pl | 32 ++- 283 files changed, 5422 insertions(+), 2165 deletions(-) create mode 100644 crypto/external/bsd/openssl/dist/Configurations/dist.conf create mode 100644 crypto/external/bsd/openssl/dist/crypto/conf/conf_lcl.h create mode 100644 crypto/external/bsd/openssl/dist/crypto/conf/conf_ssl.c create mode 100644 crypto/external/bsd/openssl/dist/crypto/include/internal/__DECC_INCLUDE_EPILOGUE.H create mode 100644 crypto/external/bsd/openssl/dist/crypto/include/internal/__DECC_INCLUDE_PROLOGUE.H create mode 100644 crypto/external/bsd/openssl/dist/crypto/x509/x509_meth.c create mode 100644 crypto/external/bsd/openssl/dist/doc/crypto/X509_LOOKUP_meth_new.pod create mode 100644 crypto/external/bsd/openssl/dist/doc/crypto/X509_cmp_time.pod create mode 100644 crypto/external/bsd/openssl/dist/include/internal/__DECC_INCLUDE_EPILOGUE.H create mode 100644 crypto/external/bsd/openssl/dist/include/internal/__DECC_INCLUDE_PROLOGUE.H create mode 100644 crypto/external/bsd/openssl/dist/include/internal/sslconf.h create mode 100644 crypto/external/bsd/openssl/dist/test/certs/badcn1-cert.pem create mode 100644 crypto/external/bsd/openssl/dist/test/certs/badcn1-key.pem create mode 100644 crypto/external/bsd/openssl/dist/test/certs/goodcn1-cert.pem create mode 100644 crypto/external/bsd/openssl/dist/test/certs/goodcn1-key.pem create mode 100644 crypto/external/bsd/openssl/dist/test/errtest.c create mode 100644 crypto/external/bsd/openssl/dist/test/recipes/04-test_err.t create mode 100644 crypto/external/bsd/openssl/dist/test/recipes/60-test_x509_dup_cert.t create mode 100644 crypto/external/bsd/openssl/dist/test/recipes/60-test_x509_time.t create mode 100644 crypto/external/bsd/openssl/dist/test/versions.c create mode 100644 crypto/external/bsd/openssl/dist/test/x509_dup_cert_test.c create mode 100644 crypto/external/bsd/openssl/dist/test/x509_time_test.c create mode 100644 crypto/external/bsd/openssl/dist/util/echo.pl diff --git a/crypto/external/bsd/openssl/dist/.gitignore b/crypto/external/bsd/openssl/dist/.gitignore index 7324bda1b0ec..3dee3922a74e 100644 --- a/crypto/external/bsd/openssl/dist/.gitignore +++ b/crypto/external/bsd/openssl/dist/.gitignore @@ -51,6 +51,7 @@ Makefile /test/ssltest_old /test/x509aux /test/v3ext +/test/versions # Certain files that get created by tests on the fly /test/test-runs diff --git a/crypto/external/bsd/openssl/dist/.travis.yml b/crypto/external/bsd/openssl/dist/.travis.yml index b5fc44318110..1c1db2b73dad 100644 --- a/crypto/external/bsd/openssl/dist/.travis.yml +++ b/crypto/external/bsd/openssl/dist/.travis.yml @@ -61,7 +61,7 @@ matrix: sources: - ubuntu-toolchain-r-test compiler: gcc-5 - env: CONFIG_OPTS="no-asm enable-ubsan enable-rc5 enable-md2 -DPEDANTIC" + env: UBUNTU_GCC_HACK="yes" CONFIG_OPTS="no-asm enable-ubsan enable-rc5 enable-md2 -DPEDANTIC" - os: linux addons: apt: @@ -69,7 +69,7 @@ matrix: - binutils-mingw-w64 - gcc-mingw-w64 compiler: i686-w64-mingw32-gcc - env: CONFIG_OPTS="no-pic" TESTS="-test_fuzz" + env: CONFIG_OPTS="no-pic" - os: linux addons: apt: @@ -85,7 +85,7 @@ matrix: - binutils-mingw-w64 - gcc-mingw-w64 compiler: x86_64-w64-mingw32-gcc - env: CONFIG_OPTS="no-pic" TESTS="-test_fuzz" + env: CONFIG_OPTS="no-pic" - os: linux addons: apt: @@ -112,6 +112,10 @@ before_script: srcdir=.; top=.; fi + - if [ -n "$UBUNTU_GCC_HACK" ]; then + $CC -dumpspecs | sed "s/--push-state//g; s/--pop-state/--as-needed/g" > gcc-specs.txt; + CC="$CC -specs=gcc-specs.txt"; + fi - if [ "$CC" == i686-w64-mingw32-gcc ]; then export CROSS_COMPILE=${CC%%gcc}; unset CC; $srcdir/Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format; @@ -186,7 +190,7 @@ script: fi - if [ -n "$DESTDIR" ]; then mkdir "../$DESTDIR"; - if $make install install_docs DESTDIR="../$DESTDIR"; then + if $make install DESTDIR="../$DESTDIR"; then echo -e '+\057\057\057\057\057 MAKE INSTALL_DOCS OK'; else echo -e '+\057\057\057\057\057 MAKE INSTALL_DOCS FAILED'; false; diff --git a/crypto/external/bsd/openssl/dist/CHANGES b/crypto/external/bsd/openssl/dist/CHANGES index 0ea1ad555fa6..9f0b94743bff 100644 --- a/crypto/external/bsd/openssl/dist/CHANGES +++ b/crypto/external/bsd/openssl/dist/CHANGES @@ -7,6 +7,81 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.0h and 1.1.0i [14 Aug 2018] + + *) Client DoS due to large DH parameter + + During key agreement in a TLS handshake using a DH(E) based ciphersuite a + malicious server can send a very large prime value to the client. This will + cause the client to spend an unreasonably long period of time generating a + key for this prime resulting in a hang until the client has finished. This + could be exploited in a Denial Of Service attack. + + This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken + (CVE-2018-0732) + [Guido Vranken] + + *) Cache timing vulnerability in RSA Key Generation + + The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to + a cache timing side channel attack. An attacker with sufficient access to + mount cache timing attacks during the RSA key generation process could + recover the private key. + + This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera + Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. + (CVE-2018-0737) + [Billy Brumley] + + *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str + parameter is no longer accepted, as it leads to a corrupt table. NULL + pem_str is reserved for alias entries only. + [Richard Levitte] + + *) Revert blinding in ECDSA sign and instead make problematic addition + length-invariant. Switch even to fixed-length Montgomery multiplication. + [Andy Polyakov] + + *) Change generating and checking of primes so that the error rate of not + being prime depends on the intended use based on the size of the input. + For larger primes this will result in more rounds of Miller-Rabin. + The maximal error rate for primes with more than 1080 bits is lowered + to 2^-128. + [Kurt Roeckx, Annie Yousar] + + *) Increase the number of Miller-Rabin rounds for DSA key generating to 64. + [Kurt Roeckx] + + *) Add blinding to ECDSA and DSA signatures to protect against side channel + attacks discovered by Keegan Ryan (NCC Group). + [Matt Caswell] + + *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we + now allow empty (zero character) pass phrases. + [Richard Levitte] + + *) Certificate time validation (X509_cmp_time) enforces stricter + compliance with RFC 5280. Fractional seconds and timezone offsets + are no longer allowed. + [Emilia Käsper] + + *) Fixed a text canonicalisation bug in CMS + + Where a CMS detached signature is used with text content the text goes + through a canonicalisation process first prior to signing or verifying a + signature. This process strips trailing space at the end of lines, converts + line terminators to CRLF and removes additional trailing line terminators + at the end of a file. A bug in the canonicalisation process meant that + some characters, such as form-feed, were incorrectly treated as whitespace + and removed. This is contrary to the specification (RFC5485). This fix + could mean that detached text data signed with an earlier version of + OpenSSL 1.1.0 may fail to verify using the fixed version, or text data + signed with a fixed OpenSSL may fail to verify with an earlier version of + OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data + and use the "-binary" flag (for the "cms" command line application) or set + the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()). + [Matt Caswell] + Changes between 1.1.0g and 1.1.0h [27 Mar 2018] *) Constructed ASN.1 types with a recursive definition could exceed the stack diff --git a/crypto/external/bsd/openssl/dist/CONTRIBUTING b/crypto/external/bsd/openssl/dist/CONTRIBUTING index 1eebaf37ec60..a6977b8117fe 100644 --- a/crypto/external/bsd/openssl/dist/CONTRIBUTING +++ b/crypto/external/bsd/openssl/dist/CONTRIBUTING @@ -1,26 +1,26 @@ -HOW TO CONTRIBUTE PATCHES TO OpenSSL ------------------------------------- +HOW TO CONTRIBUTE TO OpenSSL +---------------------------- (Please visit https://www.openssl.org/community/getting-started.html for other ideas about how to contribute.) -Development is coordinated on the openssl-dev mailing list (see the -above link or https://mta.openssl.org for information on subscribing). -If you are unsure as to whether a feature will be useful for the general -OpenSSL community you might want to discuss it on the openssl-dev mailing -list first. Someone may be already working on the same thing or there -may be a good reason as to why that feature isn't implemented. +Development is done on GitHub, https://github.com/openssl/openssl. -To submit a patch, make a pull request on GitHub. If you think the patch -could use feedback from the community, please start a thread on openssl-dev -to discuss it. +To request new features or report bugs, please open an issue on GitHub -Having addressed the following items before the PR will help make the -acceptance and review process faster: +To submit a patch, please open a pull request on GitHub. If you are thinking +of making a large contribution, open an issue for it before starting work, +to get comments from the community. Someone may be already working on +the same thing or there may be reasons why that feature isn't implemented. - 1. Anything other than trivial contributions will require a contributor - licensing agreement, giving us permission to use your code. See - https://www.openssl.org/policies/cla.html for details. +To make it easier to review and accept your pull request, please follow these +guidelines: + + 1. Anything other than a trivial contribution requires a Contributor + License Agreement (CLA), giving us permission to use your code. See + https://www.openssl.org/policies/cla.html for details. If your + contribution is too small to require a CLA, put "CLA: trivial" on a + line by itself in your commit message body. 2. All source files should start with the following text (with appropriate comment characters at the start of each line and the @@ -34,21 +34,38 @@ acceptance and review process faster: https://www.openssl.org/source/license.html 3. Patches should be as current as possible; expect to have to rebase - often. We do not accept merge commits; You will be asked to remove - them before a patch is considered acceptable. + often. We do not accept merge commits, you will have to remove them + (usually by rebasing) before it will be acceptable. 4. Patches should follow our coding style (see - https://www.openssl.org/policies/codingstyle.html) and compile without - warnings. Where gcc or clang is available you should use the + https://www.openssl.org/policies/codingstyle.html) and compile + without warnings. Where gcc or clang is available you should use the --strict-warnings Configure option. OpenSSL compiles on many varied - platforms: try to ensure you only use portable features. - Clean builds via Travis and AppVeyor are expected, and done whenever - a PR is created or updated. + platforms: try to ensure you only use portable features. Clean builds + via Travis and AppVeyor are required, and they are started automatically + whenever a PR is created or updated. 5. When at all possible, patches should include tests. These can either be added to an existing test, or completely new. Please see test/README for information on the test framework. 6. New features or changed functionality must include - documentation. Please look at the "pod" files in doc/apps, doc/crypto - and doc/ssl for examples of our style. + documentation. Please look at the "pod" files in doc for + examples of our style. + + 7. For user visible changes (API changes, behaviour changes, ...), + consider adding a note in CHANGES. This could be a summarising + description of the change, and could explain the grander details. + Have a look through existing entries for inspiration. + Please note that this is NOT simply a copy of git-log oneliners. + Also note that security fixes get an entry in CHANGES. + This file helps users get more in depth information of what comes + with a specific release without having to sift through the higher + noise ratio in git-log. + + 8. For larger or more important user visible changes, as well as + security fixes, please add a line in NEWS. On exception, it might be + worth adding a multi-line entry (such as the entry that announces all + the types that became opaque with OpenSSL 1.1.0). + This file helps users get a very quick summary of what comes with a + specific release, to see if an upgrade is worth the effort. diff --git a/crypto/external/bsd/openssl/dist/Configurations/10-main.conf b/crypto/external/bsd/openssl/dist/Configurations/10-main.conf index b49f04b5d7c5..6c05c2809f18 100644 --- a/crypto/external/bsd/openssl/dist/Configurations/10-main.conf +++ b/crypto/external/bsd/openssl/dist/Configurations/10-main.conf @@ -14,7 +14,7 @@ sub vc_win64a_info { asflags => "/c /Cp /Cx /Zi", asoutflag => "/Fo" }; } else { - $die->("NASM not found - please read INSTALL and NOTES.WIN for further details\n"); + $die->("NASM not found - make sure it's installed and available on %PATH%\n"); $vc_win64a_info = { as => "{unknown}", asflags => "", asoutflag => "" }; @@ -39,7 +39,7 @@ sub vc_win32_info { asoutflag => "/Fo", perlasm_scheme => "win32" }; } else { - $die->("NASM not found - please read INSTALL and NOTES.WIN for further details\n"); + $die->("NASM not found - make sure it's installed and available on %PATH%\n"); $vc_win32_info = { as => "{unknown}", asflags => "", asoutflag => "", @@ -428,8 +428,17 @@ sub vms_info { # even PA-RISC 2.0-specific code paths, which are chosen at run-time, # thus adequate performance is provided even with PA-RISC 1.1 build. # - "hpux-parisc-gcc" => { + "hpux-common" => { inherit_from => [ "BASE_unix" ], + template => 1, + defines => add("_XOPEN_SOURCE", "_XOPEN_SOURCE_EXTENDED", + "_HPUX_ALT_XOPEN_SOCKET_API"), + thread_scheme => "pthreads", + dso_scheme => "dlfcn", # overridden in 32-bit PA-RISC builds + shared_target => "hpux-shared", + }, + "hpux-parisc-gcc" => { + inherit_from => [ "hpux-common" ], cc => "gcc", cflags => combine(picker(default => "-DB_ENDIAN -DBN_DIV2W", debug => "-O0 -g", @@ -437,9 +446,7 @@ sub vms_info { threads("-pthread")), ex_libs => add("-Wl,+s -ldld", threads("-pthread")), bn_ops => "BN_LLONG", - thread_scheme => "pthreads", dso_scheme => "dl", - shared_target => "hpux-shared", shared_cflag => "-fPIC", shared_ldflag => "-shared", shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -449,7 +456,7 @@ sub vms_info { multilib => "/pa1.1", }, "hpux64-parisc2-gcc" => { - inherit_from => [ "BASE_unix", asm("parisc20_64_asm") ], + inherit_from => [ "hpux-common", asm("parisc20_64_asm") ], cc => "gcc", cflags => combine(picker(default => "-DB_ENDIAN", debug => "-O0 -g", @@ -457,9 +464,6 @@ sub vms_info { threads("-D_REENTRANT")), ex_libs => add("-ldl"), bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "-fpic", shared_ldflag => "-shared", shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -471,7 +475,7 @@ sub vms_info { # Chris Ruemmler # Kevin Steves "hpux-parisc-cc" => { - inherit_from => [ "BASE_unix" ], + inherit_from => [ "hpux-common" ], cc => "cc", cflags => combine(picker(default => "+Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY", debug => "+O0 +d -g", @@ -479,9 +483,7 @@ sub vms_info { threads("-D_REENTRANT")), ex_libs => add("-Wl,+s -ldld",threads("-lpthread")), bn_ops => "RC4_CHAR", - thread_scheme => "pthreads", dso_scheme => "dl", - shared_target => "hpux-shared", shared_cflag => "+Z", shared_ldflag => "-b", shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -492,7 +494,7 @@ sub vms_info { multilib => "/pa1.1", }, "hpux64-parisc2-cc" => { - inherit_from => [ "BASE_unix", asm("parisc20_64_asm") ], + inherit_from => [ "hpux-common", asm("parisc20_64_asm") ], cc => "cc", cflags => combine(picker(default => "+DD64 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY", debug => "+O0 +d -g", @@ -500,9 +502,6 @@ sub vms_info { threads("-D_REENTRANT")), ex_libs => add("-ldl",threads("-lpthread")), bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "+Z", shared_ldflag => "+DD64 -b", shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -511,7 +510,7 @@ sub vms_info { # HP/UX IA-64 targets "hpux-ia64-cc" => { - inherit_from => [ "BASE_unix", asm("ia64_asm") ], + inherit_from => [ "hpux-common", asm("ia64_asm") ], cc => "cc", cflags => combine(picker(default => "-Ae +DD32 +Olit=all -z -DB_ENDIAN", debug => "+O0 +d -g", @@ -519,9 +518,6 @@ sub vms_info { threads("-D_REENTRANT")), ex_libs => add("-ldl",threads("-lpthread")), bn_ops => "SIXTY_FOUR_BIT", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "+Z", shared_ldflag => "+DD32 -b", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -530,7 +526,7 @@ sub vms_info { # Frank Geurts has patiently assisted # with debugging of the following config. "hpux64-ia64-cc" => { - inherit_from => [ "BASE_unix", asm("ia64_asm") ], + inherit_from => [ "hpux-common", asm("ia64_asm") ], cc => "cc", cflags => combine(picker(default => "-Ae +DD64 +Olit=all -z -DB_ENDIAN", debug => "+O0 +d -g", @@ -538,9 +534,6 @@ sub vms_info { threads("-D_REENTRANT")), ex_libs => add("-ldl", threads("-lpthread")), bn_ops => "SIXTY_FOUR_BIT_LONG", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "+Z", shared_ldflag => "+DD64 -b", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -548,7 +541,7 @@ sub vms_info { }, # GCC builds... "hpux-ia64-gcc" => { - inherit_from => [ "BASE_unix", asm("ia64_asm") ], + inherit_from => [ "hpux-common", asm("ia64_asm") ], cc => "gcc", cflags => combine(picker(default => "-DB_ENDIAN", debug => "-O0 -g", @@ -556,16 +549,13 @@ sub vms_info { threads("-pthread")), ex_libs => add("-ldl", threads("-pthread")), bn_ops => "SIXTY_FOUR_BIT", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "-fpic", shared_ldflag => "-shared", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", multilib => "/hpux32", }, "hpux64-ia64-gcc" => { - inherit_from => [ "BASE_unix", asm("ia64_asm") ], + inherit_from => [ "hpux-common", asm("ia64_asm") ], cc => "gcc", cflags => combine(picker(default => "-mlp64 -DB_ENDIAN", debug => "-O0 -g", @@ -573,9 +563,6 @@ sub vms_info { threads("-pthread")), ex_libs => add("-ldl", threads("-pthread")), bn_ops => "SIXTY_FOUR_BIT_LONG", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "-fpic", shared_ldflag => "-mlp64 -shared", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -1223,6 +1210,7 @@ sub vms_info { perlasm_scheme => "aix32", dso_scheme => "dlfcn", shared_target => "aix-shared", + shared_cflag => "-qpic", shared_ldflag => "-q32 -G", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", arflags => "-X 32", @@ -1241,6 +1229,7 @@ sub vms_info { perlasm_scheme => "aix64", dso_scheme => "dlfcn", shared_target => "aix-shared", + shared_cflag => "-qpic", shared_ldflag => "-q64 -G", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", arflags => "-X 64", diff --git a/crypto/external/bsd/openssl/dist/Configurations/dist.conf b/crypto/external/bsd/openssl/dist/Configurations/dist.conf new file mode 100644 index 000000000000..4f58dad9141a --- /dev/null +++ b/crypto/external/bsd/openssl/dist/Configurations/dist.conf @@ -0,0 +1,12 @@ +## -*- mode: perl; -*- +## Build configuration targets for openssl-team members + +# This is to support 'make dist' +%targets = ( + "dist" => { + inherit_from => [ 'BASE_unix' ], + cc => "cc", + cflags => "-O", + thread_scheme => "(unknown)", + }, +); diff --git a/crypto/external/bsd/openssl/dist/Configurations/unix-Makefile.tmpl b/crypto/external/bsd/openssl/dist/Configurations/unix-Makefile.tmpl index 40cf2c3df430..034d93e653d2 100644 --- a/crypto/external/bsd/openssl/dist/Configurations/unix-Makefile.tmpl +++ b/crypto/external/bsd/openssl/dist/Configurations/unix-Makefile.tmpl @@ -664,8 +664,10 @@ tar: DISTDIR=$(NAME); \ mkdir -p $$TMPDIR/$$DISTDIR; \ (cd $(SRCDIR); \ + excl_re="^(fuzz/corpora|Configurations/.*\.norelease\.conf)"; \ + echo "$$excl_re"; \ git ls-tree -r --name-only --full-tree HEAD \ - | grep -v '^fuzz/corpora' \ + | egrep -v "$$excl_re" \ | while read F; do \ mkdir -p $$TMPDIR/$$DISTDIR/`dirname $$F`; \ cp $$F $$TMPDIR/$$DISTDIR/$$F; \ @@ -848,7 +850,7 @@ EOF $recipe .= <<"EOF"; $obj$objext: $deps ( trap "rm -f \$@.*" INT 0; \\ - \$(CPP) $incs \$(CFLAGS) $ecflags $srcs | \\ + \$(CC) $incs \$(CFLAGS) $ecflags -E $srcs | \\ \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@.s && \\ \$(CC) \$(CFLAGS) $ecflags -c -o \$\@ \$@.s ) EOF diff --git a/crypto/external/bsd/openssl/dist/Configurations/windows-checker.pm b/crypto/external/bsd/openssl/dist/Configurations/windows-checker.pm index de46fbc1dfc5..4b7105df33cb 100644 --- a/crypto/external/bsd/openssl/dist/Configurations/windows-checker.pm +++ b/crypto/external/bsd/openssl/dist/Configurations/windows-checker.pm @@ -6,7 +6,7 @@ use Config; # we expect for the platform use File::Spec::Functions qw(:DEFAULT rel2abs); -if (rel2abs('.') !~ m|\\|) { +if (!$ENV{CONFIGURE_INSIST} && rel2abs('.') !~ m|\\|) { die <{libraries}}) -} -INSTALL_SHLIBS={- join(" ", map { shlib($_) } @{$unified_info{install}->{libraries}}) -} -INSTALL_SHLIBPDBS={- join(" ", map { local $shlibext = ".pdb"; shlib($_) } @{$unified_info{install}->{libraries}}) -} -INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -} -INSTALL_ENGINEPDBS={- join(" ", map { local $dsoext = ".pdb"; dso($_) } @{$unified_info{install}->{engines}}) -} -INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } grep { !m|^test\\| } @{$unified_info{install}->{programs}}) -} -INSTALL_PROGRAMPDBS={- join(" ", map { $_.".pdb" } grep { !m|^test\\| } @{$unified_info{install}->{programs}}) -} +INSTALL_LIBS={- join(" ", map { quotify1($_.$libext) } @{$unified_info{install}->{libraries}}) -} +INSTALL_SHLIBS={- join(" ", map { quotify_l(shlib($_)) } @{$unified_info{install}->{libraries}}) -} +INSTALL_SHLIBPDBS={- join(" ", map { local $shlibext = ".pdb"; quotify_l(shlib($_)) } @{$unified_info{install}->{libraries}}) -} +INSTALL_ENGINES={- join(" ", map { quotify1(dso($_)) } @{$unified_info{install}->{engines}}) -} +INSTALL_ENGINEPDBS={- join(" ", map { local $dsoext = ".pdb"; quotify1(dso($_)) } @{$unified_info{install}->{engines}}) -} +INSTALL_PROGRAMS={- join(" ", map { quotify1($_.$exeext) } grep { !m|^test\\| } @{$unified_info{install}->{programs}}) -} +INSTALL_PROGRAMPDBS={- join(" ", map { quotify1($_.".pdb") } grep { !m|^test\\| } @{$unified_info{install}->{programs}}) -} {- output_off() if $disabled{apps}; "" -} -BIN_SCRIPTS=$(BLDDIR)\tools\c_rehash.pl -MISC_SCRIPTS=$(BLDDIR)\apps\CA.pl $(BLDDIR)\apps\tsget.pl +BIN_SCRIPTS="$(BLDDIR)\tools\c_rehash.pl" +MISC_SCRIPTS="$(BLDDIR)\apps\CA.pl" "$(BLDDIR)\apps\tsget.pl" {- output_on() if $disabled{apps}; "" -} APPS_OPENSSL={- use File::Spec::Functions; - catfile("apps","openssl") -} + "\"".catfile("apps","openssl")."\"" -} # Do not edit these manually. Use Configure with --prefix or --openssldir # to change this! Short explanation in the top comment in Configure @@ -182,6 +182,9 @@ MTOUTFLAG={- $target{mtoutflag} || "-outputresource:" -}$(OSSL_EMPTY) AS={- $target{as} -} ASFLAGS={- $target{asflags} -} ASOUTFLAG={- $target{asoutflag} -}$(OSSL_EMPTY) + +ECHO="$(PERL)" "$(SRCDIR)\util\echo.pl" + PERLASM_SCHEME= {- $target{perlasm_scheme} -} PROCESSOR= {- $config{processor} -} @@ -207,7 +210,7 @@ build_all_generated: $(GENERATED_MANDATORY) $(GENERATED) test: tests {- dependmagic('tests'); -}: build_programs_nodep build_engines_nodep - @rem {- output_off() if $disabled{tests}; "" -} + @{- output_off() if $disabled{tests}; "" -} -mkdir $(BLDDIR)\test\test-runs set SRCTOP=$(SRCDIR) set BLDTOP=$(BLDDIR) @@ -216,17 +219,17 @@ test: tests set OPENSSL_ENGINES=$(MAKEDIR)\engines set OPENSSL_DEBUG_MEMORY=on "$(PERL)" "$(SRCDIR)\test\run_tests.pl" $(TESTS) - @rem {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} - @echo "Tests are not supported with your chosen Configure options" - @rem {- output_on() if !$disabled{tests}; "" -} + @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} + @$(ECHO) "Tests are not supported with your chosen Configure options" + @{- output_on() if !$disabled{tests}; "" -} list-tests: - @rem {- output_off() if $disabled{tests}; "" -} + @{- output_off() if $disabled{tests}; "" -} @set SRCTOP=$(SRCDIR) @"$(PERL)" "$(SRCDIR)\test\run_tests.pl" list - @rem {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} - @echo "Tests are not supported with your chosen Configure options" - @rem {- output_on() if !$disabled{tests}; "" -} + @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} + @$(ECHO) "Tests are not supported with your chosen Configure options" + @{- output_on() if !$disabled{tests}; "" -} install: install_sw install_ssldirs install_docs @@ -285,16 +288,17 @@ install_ssldirs: "$(OPENSSLDIR)\misc" install_dev: - @if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 ) - @echo *** Installing development files + @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) + @$(ECHO) "*** Installing development files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl" - @rem {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } @{$target{defines}}; "" -} + @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } @{$target{defines}}; "" -} @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \ "$(INSTALLTOP)\include\openssl" - @rem {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } @{$target{defines}}; "" -} - @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\include\openssl\*.h" \ + @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } @{$target{defines}}; "" -} + @"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \ + "$(SRCDIR)\include\openssl\*.h" \ "$(INSTALLTOP)\include\openssl" - @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(BLDDIR)\include\openssl\*.h \ + @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(BLDDIR)\include\openssl\*.h" \ "$(INSTALLTOP)\include\openssl" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\$(LIBDIR)" @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_LIBS) \ @@ -306,8 +310,8 @@ install_dev: uninstall_dev: install_engines: - @if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 ) - @echo *** Installing engines + @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) + @$(ECHO) "*** Installing engines" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(ENGINESDIR)" @if not "$(ENGINES)"=="" \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_ENGINES) "$(ENGINESDIR)" @@ -317,8 +321,8 @@ install_engines: uninstall_engines: install_runtime: - @if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 ) - @echo *** Installing runtime files + @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) + @$(ECHO) "*** Installing runtime files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin" @if not "$(SHLIBS)"=="" \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBS) "$(INSTALLTOP)\bin" @@ -343,14 +347,14 @@ uninstall_html_docs: # Building targets ################################################### configdata.pm: "$(SRCDIR)\Configure" {- join(" ", map { '"'.$_.'"' } @{$config{build_file_templates}}, @{$config{build_infos}}, @{$config{conf_files}}) -} - @echo "Detected changed: $?" - @echo "Reconfiguring..." + @$(ECHO) "Detected changed: $?" + @$(ECHO) "Reconfiguring..." "$(PERL)" "$(SRCDIR)\Configure" reconf - @echo "**************************************************" - @echo "*** ***" - @echo "*** Please run the same make command again ***" - @echo "*** ***" - @echo "**************************************************" + @$(ECHO) "**************************************************" + @$(ECHO) "*** ***" + @$(ECHO) "*** Please run the same make command again ***" + @$(ECHO) "*** ***" + @$(ECHO) "**************************************************" @exit 1 {- @@ -604,8 +608,6 @@ EOF foreach my $prod (@{$unified_info{dirinfo}->{$dir}->{products}->{$type}}) { if (dirname($prod) eq $dir) { push @deps, $prod.$extinfo{$type}; - } else { - push @actions, "\t@rem No support to produce $type ".join(", ", @{$unified_info{dirinfo}->{$dir}->{products}->{$type}}); } } } diff --git a/crypto/external/bsd/openssl/dist/Configure b/crypto/external/bsd/openssl/dist/Configure index c0033643c61d..d85ff6aa4da9 100755 --- a/crypto/external/bsd/openssl/dist/Configure +++ b/crypto/external/bsd/openssl/dist/Configure @@ -20,6 +20,9 @@ use OpenSSL::Glob; # see INSTALL for instructions. +my $orig_death_handler = $SIG{__DIE__}; +$SIG{__DIE__} = \&death_handler; + my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; # Options: @@ -756,21 +759,21 @@ while (@argvcopy) else { $config{options} .= " ".$_; } } + } - if (defined($config{api}) && !exists $apitable->{$config{api}}) { - die "***** Unsupported api compatibility level: $config{api}\n", - } +if (defined($config{api}) && !exists $apitable->{$config{api}}) { + die "***** Unsupported api compatibility level: $config{api}\n", +} - if (keys %deprecated_options) - { - warn "***** Deprecated options: ", - join(", ", keys %deprecated_options), "\n"; - } - if (keys %unsupported_options) - { - die "***** Unsupported options: ", - join(", ", keys %unsupported_options), "\n"; - } +if (keys %deprecated_options) + { + warn "***** Deprecated options: ", + join(", ", keys %deprecated_options), "\n"; + } +if (keys %unsupported_options) + { + die "***** Unsupported options: ", + join(", ", keys %unsupported_options), "\n"; } if ($libs =~ /(^|\s)-Wl,-rpath,/ @@ -908,11 +911,12 @@ if ($d) { $target = $t; } } + +&usage if !$table{$target} || $table{$target}->{template}; + $config{target} = $target; my %target = resolve_config($target); -&usage if (!%target || $target{template}); - my %conf_files = map { $_ => 1 } (@{$target{_conf_fname_int}}); $config{conf_files} = [ sort keys %conf_files ]; %target = ( %{$table{DEFAULTS}}, %target ); @@ -1215,8 +1219,10 @@ if ($^O ne "VMS") { if (!$disabled{makedepend}) { # We know that GNU C version 3 and up as well as all clang - # versions support dependency generation - if ($predefined{__GNUC__} >= 3) { + # versions support dependency generation, but Xcode did not + # handle $cc -M before clang support (but claims __GNUC__ = 3) + if (($predefined{__GNUC__} // -1) >= 3 + && !($predefined{__APPLE_CC__} && !$predefined{__clang__})) { $config{makedepprog} = $cc; } else { $config{makedepprog} = which('makedepend'); @@ -2125,6 +2131,8 @@ my %builders = ( $builders{$builder}->($builder_platform, @builder_opts); +$SIG{__DIE__} = $orig_death_handler; + print <<"EOF"; Configured for $target. @@ -2153,6 +2161,24 @@ exit(0); # Helpers and utility functions # +# Death handler, to print a helpful message in case of failure ####### +# +sub death_handler { + die @_ if $^S; # To prevent the added message in eval blocks + my $build_file = $target{build_file} // "build file"; + my @message = ( <<"_____", @_ ); + +Failure! $build_file wasn't produced. +Please read INSTALL and associated NOTES files. You may also have to look over +your available compiler tool chain or change your configuration. + +_____ + + # Dying is terminal, so it's ok to reset the signal handler here. + $SIG{__DIE__} = $orig_death_handler; + die @message; +} + # Configuration file reading ######################################### # Note: All of the helper functions are for lazy evaluation. They all diff --git a/crypto/external/bsd/openssl/dist/INSTALL b/crypto/external/bsd/openssl/dist/INSTALL index 3e21cc29d16e..5a98d1da83fb 100644 --- a/crypto/external/bsd/openssl/dist/INSTALL +++ b/crypto/external/bsd/openssl/dist/INSTALL @@ -3,7 +3,8 @@ -------------------- This document describes installation on all supported operating - systems (the Linux/Unix family, OpenVMS and Windows) + systems (the Unix/Linux family (which includes Mac OS/X), OpenVMS, + and Windows). To install OpenSSL, you will need: @@ -76,7 +77,7 @@ If you want to just get on with it, do: - on Unix: + on Unix (again, this includes Mac OS/X): $ ./config $ make diff --git a/crypto/external/bsd/openssl/dist/Makefile b/crypto/external/bsd/openssl/dist/Makefile index b83ed2db365c..2a0ab45db203 100644 --- a/crypto/external/bsd/openssl/dist/Makefile +++ b/crypto/external/bsd/openssl/dist/Makefile @@ -6,11 +6,11 @@ PLATFORM=dist OPTIONS= no-asan no-crypto-mdebug no-crypto-mdebug-backtrace no-ec_nistp_64_gcc_128 no-egd no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ssl-trace no-ssl3 no-ssl3-method no-ubsan no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic -CONFIGURE_ARGS=(dist) +CONFIGURE_ARGS=("dist") SRCDIR=. BLDDIR=. -VERSION=1.1.0h +VERSION=1.1.0i MAJOR=1 MINOR=1.0 SHLIB_VERSION_NUMBER=1.1 @@ -23,13 +23,13 @@ LIBS=libcrypto.a libssl.a SHLIBS= SHLIB_INFO=";" ";" ENGINES= -PROGRAMS=apps/openssl fuzz/asn1-test fuzz/asn1parse-test fuzz/bignum-test fuzz/bndiv-test fuzz/cms-test fuzz/conf-test fuzz/crl-test fuzz/ct-test fuzz/server-test fuzz/x509-test test/aborttest test/afalgtest test/asynciotest test/asynctest test/bad_dtls_test test/bftest test/bio_enc_test test/bioprinttest test/bntest test/buildtest_aes test/buildtest_asn1 test/buildtest_asn1t test/buildtest_async test/buildtest_bio test/buildtest_blowfish test/buildtest_bn test/buildtest_buffer test/buildtest_camellia test/buildtest_cast test/buildtest_cmac test/buildtest_cms test/buildtest_comp test/buildtest_conf test/buildtest_conf_api test/buildtest_crypto test/buildtest_ct test/buildtest_des test/buildtest_dh test/buildtest_dsa test/buildtest_dtls1 test/buildtest_e_os2 test/buildtest_ebcdic test/buildtest_ec test/buildtest_ecdh test/buildtest_ecdsa test/buildtest_engine test/buildtest_err test/buildtest_evp test/buildtest_hmac test/buildtest_idea test/buildtest_kdf test/buildtest_lhash test/buildtest_md4 test/buildtest_md5 test/buildtest_mdc2 test/buildtest_modes test/buildtest_obj_mac test/buildtest_objects test/buildtest_ocsp test/buildtest_opensslv test/buildtest_ossl_typ test/buildtest_pem test/buildtest_pem2 test/buildtest_pkcs12 test/buildtest_pkcs7 test/buildtest_rand test/buildtest_rc2 test/buildtest_rc4 test/buildtest_ripemd test/buildtest_rsa test/buildtest_safestack test/buildtest_seed test/buildtest_sha test/buildtest_srp test/buildtest_srtp test/buildtest_ssl test/buildtest_ssl2 test/buildtest_stack test/buildtest_symhacks test/buildtest_tls1 test/buildtest_ts test/buildtest_txt_db test/buildtest_ui test/buildtest_whrlpool test/buildtest_x509 test/buildtest_x509_vfy test/buildtest_x509v3 test/casttest test/cipherlist_test test/clienthellotest test/constant_time_test test/crltest test/ct_test test/d2i_test test/danetest test/destest test/dhtest test/dsatest test/dtlstest test/dtlsv1listentest test/ecdsatest test/ectest test/enginetest test/evp_extra_test test/evp_test test/exdatatest test/exptest test/fatalerrtest test/gmdifftest test/heartbeat_test test/hmactest test/ideatest test/igetest test/md2test test/md4test test/md5test test/mdc2test test/memleaktest test/ocspapitest test/p5_crpt2_test test/packettest test/pbelutest test/randtest test/rc2test test/rc4test test/rc5test test/rmdtest test/rsa_test test/sanitytest test/secmemtest test/sha1test test/sha256t test/sha512t test/srptest test/ssl_test test/ssl_test_ctx_test test/sslapitest test/sslcorrupttest test/ssltest_old test/threadstest test/v3ext test/v3nametest test/verify_extra_test test/wp_test test/x509aux +PROGRAMS=apps/openssl fuzz/asn1-test fuzz/asn1parse-test fuzz/bignum-test fuzz/bndiv-test fuzz/cms-test fuzz/conf-test fuzz/crl-test fuzz/ct-test fuzz/server-test fuzz/x509-test test/aborttest test/afalgtest test/asynciotest test/asynctest test/bad_dtls_test test/bftest test/bio_enc_test test/bioprinttest test/bntest test/buildtest_aes test/buildtest_asn1 test/buildtest_asn1t test/buildtest_async test/buildtest_bio test/buildtest_blowfish test/buildtest_bn test/buildtest_buffer test/buildtest_camellia test/buildtest_cast test/buildtest_cmac test/buildtest_cms test/buildtest_comp test/buildtest_conf test/buildtest_conf_api test/buildtest_crypto test/buildtest_ct test/buildtest_des test/buildtest_dh test/buildtest_dsa test/buildtest_dtls1 test/buildtest_e_os2 test/buildtest_ebcdic test/buildtest_ec test/buildtest_ecdh test/buildtest_ecdsa test/buildtest_engine test/buildtest_err test/buildtest_evp test/buildtest_hmac test/buildtest_idea test/buildtest_kdf test/buildtest_lhash test/buildtest_md4 test/buildtest_md5 test/buildtest_mdc2 test/buildtest_modes test/buildtest_obj_mac test/buildtest_objects test/buildtest_ocsp test/buildtest_opensslv test/buildtest_ossl_typ test/buildtest_pem test/buildtest_pem2 test/buildtest_pkcs12 test/buildtest_pkcs7 test/buildtest_rand test/buildtest_rc2 test/buildtest_rc4 test/buildtest_ripemd test/buildtest_rsa test/buildtest_safestack test/buildtest_seed test/buildtest_sha test/buildtest_srp test/buildtest_srtp test/buildtest_ssl test/buildtest_ssl2 test/buildtest_stack test/buildtest_symhacks test/buildtest_tls1 test/buildtest_ts test/buildtest_txt_db test/buildtest_ui test/buildtest_whrlpool test/buildtest_x509 test/buildtest_x509_vfy test/buildtest_x509v3 test/casttest test/cipherlist_test test/clienthellotest test/constant_time_test test/crltest test/ct_test test/d2i_test test/danetest test/destest test/dhtest test/dsatest test/dtlstest test/dtlsv1listentest test/ecdsatest test/ectest test/enginetest test/errtest test/evp_extra_test test/evp_test test/exdatatest test/exptest test/fatalerrtest test/gmdifftest test/heartbeat_test test/hmactest test/ideatest test/igetest test/md2test test/md4test test/md5test test/mdc2test test/memleaktest test/ocspapitest test/p5_crpt2_test test/packettest test/pbelutest test/randtest test/rc2test test/rc4test test/rc5test test/rmdtest test/rsa_test test/sanitytest test/secmemtest test/sha1test test/sha256t test/sha512t test/srptest test/ssl_test test/ssl_test_ctx_test test/sslapitest test/sslcorrupttest test/ssltest_old test/threadstest test/v3ext test/v3nametest test/verify_extra_test test/versions test/wp_test test/x509_dup_cert_test test/x509_time_test test/x509aux SCRIPTS=apps/CA.pl apps/tsget tools/c_rehash util/shlib_wrap.sh -DEPS=crypto/asn1/asn_mime.d crypto/pkcs12/p12_sbag.d apps/sess_id.d apps/apps.d test/buildtest_ct.d ssl/bio_ssl.d crypto/idea/i_ecb.d crypto/aes/aes_wrap.d crypto/conf/conf_mall.d crypto/bn/bn_prime.d apps/genrsa.d ssl/ssl_asn1.d test/buildtest_ecdsa.d crypto/engine/tb_rsa.d apps/crl.d crypto/evp/p5_crpt.d crypto/x509v3/v3_info.d fuzz/server.d test/buildtest_x509.d crypto/ct/ct_oct.d crypto/evp/bio_enc.d crypto/ct/ct_err.d crypto/x509v3/v3_bitst.d crypto/rand/md_rand.d engines/e_capi.d crypto/bn/bn_intern.d crypto/cmac/cm_ameth.d ssl/record/ssl3_buffer.d test/sha1test.d test/buildtest_modes.d crypto/x509v3/v3_genn.d test/dhtest.d crypto/asn1/a_time.d crypto/evp/e_null.d crypto/x509v3/v3_skey.d crypto/blake2/m_blake2s.d crypto/pkcs12/p12_npas.d crypto/pem/pem_sign.d crypto/bn/bn_err.d apps/dsa.d test/buildtest_asn1t.d crypto/rsa/rsa_saos.d crypto/bn/bn_mont.d crypto/pkcs12/pk12err.d crypto/modes/gcm128.d crypto/evp/pmeth_gn.d crypto/ocsp/ocsp_vfy.d crypto/x509v3/v3_addr.d crypto/buffer/buf_err.d crypto/bio/bss_bio.d crypto/des/ofb64enc.d crypto/x509v3/v3_pmaps.d crypto/o_fopen.d crypto/seed/seed_cfb.d crypto/ct/ct_vfy.d crypto/x509/t_req.d apps/ec.d crypto/des/ecb3_enc.d crypto/blake2/m_blake2b.d test/ocspapitest.d crypto/x509v3/v3_asid.d crypto/seed/seed_cbc.d test/buildtest_pkcs12.d test/buildtest_rsa.d crypto/rsa/rsa_crpt.d ssl/ssl_utst.d crypto/rand/rand_unix.d crypto/ui/ui_openssl.d crypto/asn1/a_print.d crypto/evp/e_cast.d test/buildtest_txt_db.d crypto/dsa/dsa_key.d crypto/cms/cms_att.d crypto/idea/i_cfb64.d crypto/err/err.d fuzz/conf.d crypto/x509v3/v3_pci.d crypto/asn1/f_string.d crypto/pem/pem_xaux.d crypto/bn/bn_ctx.d test/buildtest_pem.d ssl/statem/statem_dtls.d crypto/srp/srp_lib.d test/buildtest_conf_api.d crypto/asn1/tasn_dec.d test/buildtest_sha.d crypto/bio/bf_nbio.d crypto/asn1/t_bitst.d test/buildtest_rc4.d test/testutil.d crypto/dso/dso_vms.d crypto/x509v3/v3_ia5.d crypto/ec/ec_check.d test/buildtest_bio.d crypto/idea/i_skey.d crypto/dsa/dsa_gen.d crypto/x509/x509_trs.d crypto/evp/e_camellia.d test/bntest.d crypto/engine/tb_pkmeth.d crypto/pkcs7/pk7_attr.d crypto/des/rand_key.d crypto/ec/ecp_nistp521.d crypto/ocsp/ocsp_lib.d test/ct_test.d crypto/threads_win.d crypto/seed/seed_ecb.d crypto/ec/ecx_meth.d crypto/evp/m_sigver.d crypto/bf/bf_skey.d crypto/bio/b_dump.d crypto/asn1/a_dup.d crypto/asn1/a_utf8.d crypto/evp/cmeth_lib.d crypto/x509v3/v3err.d crypto/x509v3/v3_extku.d crypto/x509/by_dir.d crypto/ocsp/ocsp_cl.d crypto/bn/bn_word.d crypto/srp/srp_vfy.d crypto/x509v3/pcy_data.d crypto/dh/dh_pmeth.d test/buildtest_err.d test/buildtest_buffer.d crypto/engine/eng_table.d ssl/ssl_conf.d crypto/bn/bn_div.d crypto/pkcs12/p12_utl.d ssl/ssl_err.d crypto/ocsp/ocsp_srv.d crypto/pem/pem_oth.d crypto/x509/x509_cmp.d crypto/o_dir.d test/md2test.d crypto/pkcs12/p12_mutl.d crypto/hmac/hmac.d crypto/bn/bn_nist.d apps/pkey.d crypto/ct/ct_prn.d crypto/asn1/a_octet.d test/evp_extra_test.d crypto/evp/m_ripemd.d crypto/modes/ocb128.d crypto/bn/bn_const.d fuzz/bndiv.d crypto/des/cfb64ede.d test/srptest.d crypto/asn1/a_type.d crypto/ui/ui_util.d ssl/ssl_rsa.d crypto/ec/ecdsa_ossl.d test/destest.d crypto/dsa/dsa_sign.d test/buildtest_pem2.d crypto/evp/pmeth_lib.d apps/cms.d crypto/asn1/x_info.d crypto/pkcs12/p12_attr.d test/buildtest_md5.d crypto/des/set_key.d crypto/pkcs7/pk7_asn1.d crypto/async/arch/async_posix.d crypto/ct/ct_b64.d test/buildtest_seed.d crypto/ocsp/ocsp_err.d test/d2i_test.d test/buildtest_md4.d test/buildtest_symhacks.d test/evp_test.d crypto/asn1/a_d2i_fp.d test/buildtest_engine.d fuzz/test-corpus.d crypto/bio/bf_lbuf.d test/buildtest_cast.d test/buildtest_ui.d crypto/pem/pem_x509.d crypto/x509v3/pcy_map.d crypto/bio/bss_fd.d crypto/evp/p_open.d crypto/dsa/dsa_lib.d crypto/comp/comp_err.d crypto/rc2/rc2_cbc.d crypto/ec/ec2_oct.d crypto/asn1/d2i_pu.d crypto/bn/bn_mpi.d test/rsa_test.d crypto/cms/cms_lib.d crypto/evp/e_aes_cbc_hmac_sha1.d test/asynciotest.d test/buildtest_comp.d crypto/bn/bn_kron.d crypto/asn1/a_i2d_fp.d crypto/engine/eng_rdrand.d crypto/ec/ecp_oct.d crypto/sha/sha512.d crypto/dso/dso_lib.d crypto/camellia/cmll_misc.d crypto/modes/cts128.d crypto/pem/pem_pkey.d crypto/x509v3/v3_akeya.d crypto/asn1/a_gentm.d crypto/x509v3/v3_tlsf.d crypto/evp/e_aes_cbc_hmac_sha256.d apps/srp.d apps/ocsp.d test/buildtest_rc2.d crypto/evp/p_sign.d crypto/pem/pvkfmt.d crypto/uid.d crypto/rc4/rc4_skey.d ssl/record/ssl3_record.d crypto/ec/ecdsa_vrf.d crypto/cast/c_cfb64.d crypto/rand/rand_err.d crypto/camellia/cmll_cbc.d test/buildtest_whrlpool.d crypto/x509v3/v3_crld.d ssl/record/rec_layer_s3.d crypto/rc2/rc2_skey.d crypto/ts/ts_req_print.d test/gmdifftest.d crypto/des/cfb_enc.d test/threadstest.d crypto/pkcs12/p12_crpt.d crypto/rsa/rsa_lib.d crypto/cryptlib.d crypto/x509/x509_att.d crypto/dso/dso_dlfcn.d crypto/asn1/p5_pbe.d ssl/tls_srp.d crypto/ocsp/v3_ocsp.d crypto/rsa/rsa_pss.d crypto/ct/ct_log.d test/buildtest_cmac.d crypto/pkcs12/p12_init.d crypto/engine/eng_cryptodev.d test/clienthellotest.d apps/ts.d crypto/bio/bss_null.d crypto/dh/dh_key.d crypto/mem_sec.d crypto/aes/aes_core.d crypto/bio/bio_lib.d fuzz/ct.d apps/s_socket.d crypto/x509v3/v3_enum.d crypto/rand/rand_egd.d crypto/bio/bss_file.d test/dsatest.d crypto/pkcs7/pk7_smime.d crypto/asn1/x_pkey.d crypto/asn1/bio_asn1.d crypto/ec/ec_cvt.d crypto/ct/ct_policy.d crypto/rsa/rsa_sign.d test/buildtest_srtp.d crypto/x509v3/v3_ncons.d crypto/cms/cms_sd.d crypto/engine/eng_init.d crypto/evp/pmeth_fn.d crypto/ec/ecp_smpl.d crypto/ec/ecdh_kdf.d crypto/rsa/rsa_pmeth.d crypto/conf/conf_def.d crypto/evp/e_rc2.d crypto/camellia/cmll_cfb.d test/handshake_helper.d crypto/x509/t_crl.d crypto/asn1/x_val.d test/secmemtest.d apps/nseq.d crypto/idea/i_cbc.d crypto/bn/bn_mod.d crypto/stack/stack.d test/aborttest.d crypto/x509/x_x509.d crypto/pkcs12/p12_p8d.d crypto/ec/ec_pmeth.d crypto/idea/i_ofb64.d test/memleaktest.d test/wp_test.d crypto/o_str.d crypto/dsa/dsa_ossl.d crypto/engine/tb_asnmth.d crypto/des/fcrypt.d crypto/engine/tb_rand.d crypto/evp/evp_enc.d crypto/bn/bn_exp2.d crypto/x509/x509_req.d crypto/mem_dbg.d test/danetest.d crypto/dsa/dsa_vrf.d apps/pkeyparam.d apps/pkeyutl.d ssl/s3_cbc.d ssl/t1_reneg.d crypto/ec/ec_err.d crypto/pkcs12/p12_decr.d apps/rand.d crypto/bn/bn_shift.d crypto/cms/cms_ess.d crypto/asn1/a_digest.d crypto/ec/ec_ameth.d crypto/asn1/tasn_scn.d crypto/evp/encode.d crypto/x509/x509_lu.d crypto/mem_clr.d crypto/ec/ec_kmeth.d crypto/ec/ecdsa_sign.d crypto/ec/ec_print.d apps/s_cb.d crypto/bn/bn_print.d crypto/asn1/d2i_pr.d crypto/x509/x509type.d crypto/ui/ui_lib.d crypto/asn1/tasn_enc.d crypto/cmac/cm_pmeth.d crypto/ts/ts_asn1.d crypto/objects/obj_xref.d crypto/modes/cfb128.d crypto/asn1/ameth_lib.d test/buildtest_camellia.d crypto/rsa/rsa_x931g.d crypto/asn1/i2d_pu.d crypto/asn1/tasn_typ.d crypto/bio/bio_meth.d crypto/camellia/cmll_ofb.d ssl/ssl_lib.d ssl/ssl_ciph.d crypto/ct/ct_sct.d test/buildtest_aes.d crypto/rc4/rc4_enc.d apps/s_time.d crypto/bn/bn_sqr.d crypto/bf/bf_ofb64.d crypto/x509/t_x509.d test/buildtest_hmac.d crypto/evp/m_md5_sha1.d crypto/bio/bss_acpt.d crypto/dh/dh_lib.d crypto/rsa/rsa_asn1.d crypto/x509/by_file.d crypto/x509v3/v3_alt.d crypto/aes/aes_ige.d crypto/evp/e_xcbc_d.d crypto/x509/x_attrib.d crypto/evp/c_alld.d crypto/evp/m_sha1.d crypto/ts/ts_verify_ctx.d crypto/bio/bss_conn.d crypto/ts/ts_rsp_verify.d crypto/camellia/camellia.d crypto/x509v3/pcy_lib.d crypto/lhash/lhash.d crypto/x509/x509_vpm.d crypto/asn1/i2d_pr.d crypto/kdf/tls1_prf.d crypto/rsa/rsa_prn.d test/md4test.d crypto/rc2/rc2ofb64.d test/bad_dtls_test.d apps/pkcs8.d crypto/des/ofb64ede.d apps/errstr.d test/buildtest_ec.d crypto/dh/dh_meth.d crypto/evp/evp_key.d test/enginetest.d crypto/asn1/a_object.d crypto/evp/m_mdc2.d ssl/d1_msg.d crypto/bio/b_print.d test/cipherlist_test.d crypto/ec/curve25519.d crypto/whrlpool/wp_dgst.d test/verify_extra_test.d crypto/asn1/a_bitstr.d crypto/evp/e_seed.d ssl/methods.d crypto/evp/m_md4.d test/ssl_test_ctx_test.d crypto/ts/ts_rsp_utils.d crypto/ec/ec_curve.d apps/passwd.d crypto/des/pcbc_enc.d crypto/chacha/chacha_enc.d crypto/rc2/rc2cfb64.d crypto/bn/bn_depr.d crypto/aes/aes_misc.d crypto/ts/ts_req_utils.d crypto/x509/x509_ext.d crypto/cast/c_ofb64.d crypto/asn1/x_bignum.d test/buildtest_ripemd.d test/buildtest_evp.d crypto/bn/bn_srp.d crypto/bn/bn_x931p.d crypto/evp/p5_crpt2.d crypto/evp/p_enc.d crypto/bio/bf_buff.d apps/pkcs7.d crypto/evp/e_rc4_hmac_md5.d test/buildtest_kdf.d crypto/pkcs7/bio_pk7.d crypto/evp/e_des3.d crypto/err/err_prn.d crypto/x509/x509_v3.d crypto/ts/ts_err.d crypto/ec/ecp_nistp224.d crypto/asn1/asn_mstbl.d crypto/cms/cms_asn1.d crypto/x509/x509_vfy.d crypto/conf/conf_api.d crypto/cms/cms_cd.d test/buildtest_dh.d crypto/kdf/hkdf.d crypto/asn1/tasn_new.d crypto/dsa/dsa_meth.d crypto/cms/cms_smime.d crypto/ec/eck_prn.d test/mdc2test.d crypto/dh/dh_kdf.d crypto/hmac/hm_ameth.d crypto/cms/cms_pwri.d crypto/rsa/rsa_x931.d crypto/x509/x_all.d crypto/objects/obj_err.d ssl/d1_srtp.d crypto/poly1305/poly1305.d crypto/asn1/asn1_par.d ssl/statem/statem_clnt.d test/v3ext.d crypto/lhash/lh_stats.d crypto/des/str2key.d crypto/asn1/a_mbstr.d ssl/ssl_txt.d crypto/pkcs12/p12_asn.d crypto/bn/bn_rand.d ssl/ssl_stat.d test/buildtest_crypto.d crypto/ec/ecp_nistputil.d crypto/evp/evp_lib.d crypto/evp/c_allc.d crypto/seed/seed.d crypto/dsa/dsa_asn1.d crypto/rand/rand_lib.d crypto/x509/x_name.d crypto/blake2/blake2b.d crypto/evp/evp_cnf.d apps/req.d crypto/bf/bf_ecb.d crypto/ocsp/ocsp_ext.d ssl/d1_lib.d crypto/asn1/a_sign.d crypto/evp/p_seal.d apps/s_client.d crypto/err/err_all.d crypto/ts/ts_conf.d crypto/bn/bn_add.d crypto/bio/bio_err.d crypto/md5/md5_dgst.d crypto/bio/b_sock.d test/ideatest.d crypto/ripemd/rmd_one.d test/sslapitest.d test/buildtest_lhash.d test/p5_crpt2_test.d crypto/cast/c_enc.d crypto/ocsp/ocsp_ht.d ssl/ssl_init.d crypto/x509/x_crl.d apps/asn1pars.d crypto/rsa/rsa_ossl.d test/buildtest_des.d ssl/s3_msg.d test/sha256t.d test/ssl_test.d crypto/engine/eng_list.d crypto/evp/evp_err.d crypto/evp/scrypt.d crypto/evp/p_lib.d test/casttest.d crypto/bio/bio_cb.d crypto/x509v3/v3_cpols.d crypto/asn1/a_strnid.d test/rc5test.d test/sha512t.d crypto/mdc2/mdc2dgst.d test/buildtest_conf.d test/heartbeat_test.d crypto/engine/tb_eckey.d test/buildtest_opensslv.d crypto/dh/dh_rfc5114.d crypto/x509v3/pcy_node.d crypto/o_time.d apps/x509.d crypto/camellia/cmll_ctr.d apps/pkcs12.d crypto/evp/e_rc4.d crypto/x509/x_exten.d crypto/des/des_enc.d test/buildtest_stack.d crypto/rsa/rsa_oaep.d crypto/bn/bn_gf2m.d apps/ca.d crypto/modes/wrap128.d crypto/pkcs12/p12_key.d crypto/dh/dh_prn.d crypto/rand/rand_vms.d crypto/hmac/hm_pmeth.d test/exdatatest.d crypto/asn1/nsseq.d ssl/statem/statem_lib.d crypto/ts/ts_rsp_sign.d test/buildtest_x509_vfy.d crypto/objects/o_names.d crypto/rsa/rsa_pk1.d crypto/x509v3/v3_pcons.d crypto/cms/cms_dd.d ssl/statem/statem.d crypto/comp/c_zlib.d test/buildtest_dsa.d fuzz/x509.d crypto/evp/e_aes.d crypto/x509v3/pcy_cache.d crypto/asn1/asn1_gen.d crypto/des/cfb64enc.d test/buildtest_rand.d crypto/asn1/t_pkey.d crypto/asn1/a_utctm.d apps/gendsa.d crypto/engine/tb_digest.d test/ectest.d test/ssltestlib.d crypto/rsa/rsa_none.d crypto/rsa/rsa_ameth.d crypto/engine/tb_dsa.d crypto/x509/x509_obj.d crypto/asn1/p8_pkey.d apps/dgst.d apps/s_server.d apps/openssl.d crypto/ct/ct_x509v3.d test/buildtest_srp.d test/asynctest.d fuzz/asn1.d crypto/dsa/dsa_err.d apps/engine.d crypto/engine/eng_ctrl.d test/buildtest_mdc2.d crypto/rsa/rsa_ssl.d crypto/asn1/a_verify.d crypto/cms/cms_io.d crypto/conf/conf_err.d crypto/o_init.d crypto/mdc2/mdc2_one.d crypto/bn/bn_asm.d crypto/cast/c_ecb.d crypto/ebcdic.d crypto/asn1/asn_moid.d fuzz/cms.d crypto/asn1/p5_pbev2.d apps/prime.d crypto/rand/randfile.d apps/enc.d crypto/o_fips.d crypto/asn1/f_int.d test/buildtest_blowfish.d crypto/bio/bss_sock.d crypto/bf/bf_cfb64.d crypto/asn1/a_int.d crypto/pem/pem_info.d crypto/evp/e_rc5.d apps/rehash.d crypto/asn1/x_int64.d crypto/rsa/rsa_gen.d crypto/ec/ecdh_ossl.d test/buildtest_safestack.d crypto/asn1/tasn_fre.d apps/genpkey.d crypto/async/arch/async_null.d crypto/x509/x_pubkey.d crypto/pem/pem_err.d crypto/dh/dh_err.d apps/rsa.d crypto/dso/dso_err.d crypto/rsa/rsa_depr.d apps/ciphers.d test/ecdsatest.d test/buildtest_ts.d crypto/ec/ec_key.d crypto/ts/ts_rsp_print.d fuzz/bignum.d crypto/x509v3/v3_prn.d crypto/des/qud_cksm.d crypto/asn1/t_spki.d apps/version.d test/buildtest_x509v3.d crypto/x509v3/v3_pku.d crypto/evp/p_verify.d crypto/bio/bss_log.d crypto/asn1/evp_asn1.d crypto/x509/x509_r2x.d crypto/cpt_err.d crypto/rand/rand_win.d crypto/ec/ecp_nistp256.d engines/e_padlock.d crypto/conf/conf_mod.d crypto/pkcs12/p12_add.d crypto/x509/x509_d2.d crypto/async/async.d crypto/modes/xts128.d crypto/pkcs12/p12_p8e.d crypto/aes/aes_cfb.d ssl/t1_trce.d test/rc4test.d ssl/t1_lib.d test/buildtest_asn1.d test/buildtest_dtls1.d crypto/asn1/bio_ndef.d crypto/engine/eng_dyn.d crypto/ripemd/rmd_dgst.d test/pbelutest.d crypto/conf/conf_sap.d test/md5test.d crypto/x509v3/v3_utl.d crypto/pkcs7/pk7_lib.d test/buildtest_bn.d crypto/x509v3/v3_conf.d crypto/modes/cbc128.d crypto/engine/eng_err.d crypto/evp/evp_pbe.d test/constant_time_test.d crypto/conf/conf_lib.d crypto/bio/bss_dgram.d test/buildtest_async.d crypto/asn1/a_strex.d test/ssl_test_ctx.d crypto/engine/eng_cnf.d test/dtlsv1listentest.d crypto/pkcs12/p12_kiss.d crypto/evp/e_old.d test/sslcorrupttest.d crypto/buffer/buffer.d crypto/asn1/p5_scrypt.d crypto/cms/cms_err.d crypto/asn1/asn_pack.d crypto/ex_data.d crypto/bn/bn_exp.d crypto/md4/md4_one.d crypto/md5/md5_one.d crypto/x509/x509cset.d crypto/evp/bio_b64.d crypto/dh/dh_check.d crypto/x509/x509_set.d crypto/cms/cms_kari.d fuzz/asn1parse.d crypto/modes/ofb128.d crypto/x509/x509_txt.d crypto/cms/cms_env.d test/buildtest_idea.d crypto/x509v3/v3_akey.d test/buildtest_ossl_typ.d crypto/des/cbc_cksm.d crypto/dso/dso_dl.d crypto/x509/x509name.d crypto/rc2/rc2_ecb.d crypto/bio/b_addr.d crypto/dsa/dsa_ameth.d test/buildtest_obj_mac.d crypto/ec/ec_asn1.d test/bioprinttest.d crypto/rsa/rsa_null.d crypto/modes/ccm128.d test/bftest.d test/hmactest.d crypto/sha/sha1_one.d crypto/x509/x509rset.d crypto/async/arch/async_win.d crypto/aes/aes_cbc.d test/buildtest_ssl.d crypto/engine/eng_all.d ssl/s3_lib.d crypto/asn1/tasn_utl.d crypto/ec/ecp_nist.d crypto/asn1/asn1_lib.d crypto/rsa/rsa_meth.d crypto/engine/eng_lib.d crypto/dh/dh_gen.d crypto/ct/ct_sct_ctx.d test/buildtest_ocsp.d test/dtlstest.d crypto/threads_none.d crypto/bn/bn_lib.d crypto/cversion.d test/afalgtest.d crypto/evp/p_dec.d crypto/x509v3/pcy_tree.d crypto/bn/bn_blind.d crypto/ui/ui_err.d apps/verify.d crypto/blake2/blake2s.d crypto/x509v3/v3_purp.d crypto/threads_pthread.d fuzz/crl.d crypto/engine/tb_dh.d crypto/asn1/tasn_prn.d test/sanitytest.d ssl/pqueue.d ssl/t1_ext.d crypto/evp/e_chacha20_poly1305.d apps/ecparam.d crypto/camellia/cmll_ecb.d crypto/async/async_err.d crypto/dh/dh_asn1.d ssl/record/dtls1_bitmap.d crypto/pem/pem_all.d crypto/ec/ec2_smpl.d ssl/s3_enc.d crypto/dh/dh_ameth.d crypto/bio/b_sock2.d crypto/pkcs7/pk7_mime.d crypto/aes/aes_ecb.d test/exptest.d apps/crl2p7.d crypto/engine/eng_pkey.d crypto/mem.d test/buildtest_objects.d crypto/md4/md4_dgst.d apps/app_rand.d crypto/asn1/x_spki.d crypto/asn1/x_algor.d crypto/x509v3/v3_bcons.d crypto/evp/bio_md.d apps/dsaparam.d ssl/ssl_sess.d crypto/ts/ts_lib.d crypto/evp/e_des.d crypto/evp/e_idea.d apps/rsautl.d crypto/evp/evp_pkey.d test/buildtest_e_os2.d crypto/evp/names.d crypto/asn1/x_long.d test/v3nametest.d test/rmdtest.d crypto/bn/bn_dh.d crypto/pem/pem_lib.d test/buildtest_ssl2.d crypto/asn1/x_sig.d crypto/des/rpc_enc.d ssl/statem/statem_srvr.d crypto/evp/m_null.d crypto/dsa/dsa_pmeth.d apps/opt.d crypto/engine/eng_openssl.d test/randtest.d test/buildtest_ecdh.d crypto/evp/e_bf.d crypto/whrlpool/wp_block.d crypto/x509/x509_def.d crypto/cmac/cmac.d crypto/txt_db/txt_db.d crypto/x509/x509spki.d ssl/record/rec_layer_d1.d crypto/ec/ec_mult.d crypto/ocsp/ocsp_prn.d apps/speed.d crypto/bn/bn_mul.d crypto/aes/aes_ofb.d crypto/pkcs7/pkcs7err.d crypto/modes/ctr128.d crypto/dso/dso_win32.d crypto/dh/dh_depr.d crypto/objects/obj_dat.d crypto/x509/x_req.d crypto/dso/dso_openssl.d crypto/pkcs12/p12_crt.d crypto/x509v3/v3_int.d crypto/async/async_wait.d crypto/pem/pem_pk8.d crypto/cms/cms_enc.d test/igetest.d apps/dhparam.d crypto/ec/ec2_mult.d test/buildtest_cms.d crypto/engine/tb_cipher.d crypto/evp/bio_ok.d crypto/ec/ec_lib.d test/rc2test.d crypto/x509/x509_err.d apps/smime.d crypto/ocsp/ocsp_asn.d crypto/ec/ecp_mont.d test/crltest.d crypto/pkcs7/pk7_doit.d crypto/x509/x_x509a.d crypto/ec/ec_oct.d crypto/des/cbc_enc.d crypto/evp/m_wp.d crypto/asn1/n_pkey.d crypto/seed/seed_ofb.d test/fatalerrtest.d crypto/evp/digest.d crypto/x509v3/v3_pcia.d crypto/dsa/dsa_prn.d crypto/cast/c_skey.d crypto/evp/m_md5.d crypto/sha/sha1dgst.d test/buildtest_pkcs7.d crypto/des/fcrypt_b.d crypto/rsa/rsa_chk.d test/ssltest_old.d test/buildtest_tls1.d crypto/objects/obj_lib.d crypto/x509v3/v3_lib.d crypto/engine/eng_fat.d ssl/t1_enc.d crypto/bf/bf_enc.d crypto/asn1/asn1_err.d crypto/bn/bn_gcd.d crypto/comp/comp_lib.d crypto/des/ecb_enc.d crypto/dsa/dsa_depr.d crypto/bn/bn_recp.d crypto/evp/m_md2.d crypto/init.d test/packettest.d crypto/bio/bf_null.d crypto/bn/bn_sqrt.d ssl/ssl_cert.d crypto/rsa/rsa_err.d crypto/x509v3/v3_sxnet.d crypto/des/xcbc_enc.d test/x509aux.d test/buildtest_ebcdic.d test/bio_enc_test.d apps/spkac.d ssl/ssl_mcnf.d crypto/kdf/kdf_err.d crypto/des/ofb_enc.d crypto/bio/bss_mem.d crypto/sha/sha256.d +DEPS=crypto/sha/sha1_one.d apps/ecparam.d test/buildtest_srp.d crypto/asn1/a_utctm.d crypto/pkcs7/pk7_doit.d crypto/des/cfb_enc.d crypto/bio/bio_meth.d test/buildtest_bn.d test/buildtest_ripemd.d crypto/x509/x509_def.d ssl/ssl_lib.d crypto/rsa/rsa_asn1.d crypto/rsa/rsa_ssl.d crypto/asn1/tasn_utl.d crypto/sha/sha256.d crypto/x509/x509name.d crypto/rand/rand_lib.d crypto/buffer/buf_err.d crypto/ec/ecdsa_ossl.d crypto/pkcs12/p12_key.d crypto/bio/bss_null.d test/buildtest_x509_vfy.d crypto/evp/bio_md.d crypto/asn1/a_time.d crypto/bn/bn_srp.d test/buildtest_pkcs12.d crypto/des/ecb3_enc.d crypto/ex_data.d crypto/bio/bss_mem.d apps/cms.d test/buildtest_safestack.d crypto/evp/e_rc5.d crypto/async/async_wait.d crypto/x509/x509_txt.d apps/crl.d test/secmemtest.d crypto/evp/e_aes_cbc_hmac_sha1.d crypto/x509/x_req.d test/sanitytest.d crypto/cms/cms_env.d test/buildtest_idea.d crypto/x509v3/v3_addr.d test/aborttest.d crypto/rsa/rsa_oaep.d apps/s_time.d crypto/evp/p_lib.d test/buildtest_whrlpool.d crypto/ts/ts_rsp_sign.d crypto/des/cbc_enc.d ssl/statem/statem_lib.d ssl/pqueue.d crypto/x509v3/v3_int.d crypto/rsa/rsa_chk.d crypto/idea/i_skey.d crypto/bn/bn_gcd.d crypto/asn1/bio_asn1.d crypto/cast/c_skey.d crypto/blake2/m_blake2s.d crypto/asn1/a_object.d crypto/rsa/rsa_sign.d crypto/kdf/tls1_prf.d crypto/stack/stack.d crypto/x509/x509_vfy.d crypto/evp/e_chacha20_poly1305.d apps/apps.d apps/x509.d test/buildtest_srtp.d crypto/md4/md4_dgst.d crypto/x509/x509_v3.d crypto/uid.d test/cipherlist_test.d crypto/dsa/dsa_asn1.d crypto/des/cbc_cksm.d ssl/s3_msg.d crypto/pem/pem_pkey.d crypto/ocsp/ocsp_vfy.d crypto/bn/bn_const.d crypto/cast/c_ecb.d test/versions.d crypto/objects/obj_xref.d crypto/pem/pem_x509.d ssl/t1_enc.d crypto/camellia/cmll_misc.d test/sha256t.d crypto/x509/x509spki.d crypto/engine/eng_cnf.d crypto/cms/cms_lib.d crypto/asn1/i2d_pu.d crypto/hmac/hm_pmeth.d test/buildtest_ocsp.d crypto/bn/bn_gf2m.d test/packettest.d test/buildtest_ec.d crypto/des/ofb_enc.d crypto/evp/pmeth_fn.d crypto/ec/ecdsa_sign.d crypto/ec/ecx_meth.d test/asynciotest.d crypto/dh/dh_rfc5114.d crypto/txt_db/txt_db.d crypto/evp/encode.d crypto/x509v3/v3_lib.d crypto/modes/cts128.d test/buildtest_cast.d test/constant_time_test.d crypto/bn/bn_dh.d crypto/asn1/t_bitst.d crypto/evp/p_seal.d crypto/md4/md4_one.d crypto/asn1/a_octet.d crypto/pkcs12/p12_init.d crypto/rc4/rc4_skey.d crypto/dsa/dsa_err.d crypto/ec/ecdsa_vrf.d crypto/evp/e_null.d crypto/des/ofb64ede.d crypto/asn1/x_spki.d crypto/conf/conf_def.d crypto/ct/ct_vfy.d test/dtlstest.d crypto/asn1/a_strnid.d apps/dsaparam.d test/asynctest.d crypto/dh/dh_asn1.d crypto/asn1/a_bitstr.d crypto/async/async.d crypto/ts/ts_req_utils.d apps/prime.d crypto/evp/e_des.d ssl/t1_lib.d apps/dgst.d crypto/ocsp/ocsp_prn.d crypto/dso/dso_vms.d crypto/asn1/p5_pbe.d apps/genpkey.d crypto/bn/bn_nist.d crypto/aes/aes_ofb.d crypto/bio/bio_err.d test/buildtest_rsa.d crypto/asn1/a_type.d crypto/asn1/bio_ndef.d crypto/aes/aes_cfb.d crypto/buffer/buffer.d crypto/rsa/rsa_x931.d crypto/engine/tb_rand.d crypto/dsa/dsa_key.d test/buildtest_asn1.d crypto/rsa/rsa_meth.d crypto/async/async_err.d crypto/evp/e_xcbc_d.d crypto/cms/cms_cd.d apps/ciphers.d crypto/hmac/hm_ameth.d crypto/pem/pem_pk8.d crypto/bf/bf_ecb.d crypto/engine/eng_init.d fuzz/test-corpus.d crypto/asn1/tasn_dec.d crypto/ec/ecp_nistp521.d crypto/bio/bss_fd.d crypto/async/arch/async_null.d crypto/pkcs7/pkcs7err.d crypto/x509v3/pcy_lib.d test/buildtest_ecdsa.d test/wp_test.d crypto/ec/ecp_nist.d test/x509aux.d crypto/pkcs12/p12_sbag.d apps/gendsa.d crypto/x509v3/v3_alt.d apps/pkeyparam.d crypto/bn/bn_intern.d crypto/o_time.d test/buildtest_rand.d crypto/evp/e_aes.d crypto/pkcs12/p12_p8e.d crypto/camellia/cmll_ofb.d test/gmdifftest.d crypto/x509v3/pcy_cache.d test/buildtest_comp.d crypto/des/rpc_enc.d crypto/rand/rand_win.d test/ocspapitest.d apps/s_server.d test/buildtest_x509.d crypto/bio/b_addr.d ssl/s3_cbc.d test/buildtest_aes.d crypto/rand/rand_vms.d apps/opt.d ssl/statem/statem_srvr.d crypto/evp/e_des3.d ssl/ssl_utst.d crypto/x509v3/v3_pci.d crypto/asn1/a_i2d_fp.d crypto/evp/m_md4.d ssl/d1_srtp.d crypto/cms/cms_pwri.d fuzz/bndiv.d fuzz/server.d crypto/cms/cms_enc.d crypto/asn1/t_spki.d crypto/engine/tb_rsa.d crypto/x509/x_crl.d crypto/threads_pthread.d crypto/cms/cms_sd.d crypto/evp/p5_crpt2.d crypto/rsa/rsa_crpt.d crypto/ui/ui_util.d crypto/srp/srp_lib.d apps/engine.d crypto/bio/b_print.d apps/pkcs12.d crypto/dsa/dsa_ameth.d crypto/ec/ec2_oct.d crypto/bn/bn_ctx.d crypto/des/ofb64enc.d crypto/x509/x_all.d crypto/evp/scrypt.d crypto/pem/pem_lib.d apps/version.d test/buildtest_modes.d crypto/ui/ui_lib.d crypto/asn1/x_val.d crypto/cmac/cm_ameth.d crypto/bio/bf_buff.d crypto/asn1/tasn_fre.d crypto/idea/i_ecb.d crypto/x509/x_attrib.d crypto/cms/cms_kari.d crypto/bio/bss_acpt.d ssl/statem/statem_dtls.d crypto/ec/ec_err.d crypto/pkcs12/p12_mutl.d test/rc5test.d crypto/rsa/rsa_pk1.d crypto/asn1/d2i_pr.d crypto/evp/evp_pkey.d test/srptest.d ssl/record/ssl3_record.d crypto/pkcs7/pk7_mime.d ssl/record/dtls1_bitmap.d crypto/engine/eng_openssl.d crypto/ct/ct_prn.d crypto/whrlpool/wp_dgst.d crypto/evp/m_md5.d crypto/evp/bio_enc.d crypto/asn1/evp_asn1.d apps/ec.d ssl/s3_enc.d test/buildtest_tls1.d crypto/comp/comp_err.d crypto/pkcs12/p12_attr.d crypto/evp/pmeth_gn.d apps/dhparam.d test/evp_extra_test.d crypto/mem_dbg.d crypto/x509v3/v3_crld.d test/buildtest_ts.d crypto/evp/e_seed.d crypto/dh/dh_depr.d crypto/ec/ecp_nistputil.d fuzz/asn1parse.d test/memleaktest.d crypto/engine/tb_dsa.d apps/ocsp.d crypto/engine/eng_dyn.d crypto/ts/ts_err.d ssl/ssl_err.d crypto/asn1/asn_moid.d crypto/cms/cms_ess.d crypto/dsa/dsa_prn.d test/buildtest_evp.d test/enginetest.d crypto/x509v3/v3_info.d crypto/x509/x509_req.d crypto/conf/conf_mod.d test/igetest.d crypto/dh/dh_err.d crypto/poly1305/poly1305.d crypto/chacha/chacha_enc.d ssl/record/ssl3_buffer.d crypto/comp/c_zlib.d crypto/modes/ofb128.d crypto/pem/pem_err.d crypto/asn1/f_string.d crypto/engine/eng_err.d crypto/rc4/rc4_enc.d crypto/asn1/n_pkey.d crypto/dh/dh_lib.d test/buildtest_engine.d test/buildtest_buffer.d fuzz/asn1.d crypto/x509v3/v3_purp.d test/buildtest_ui.d test/buildtest_ebcdic.d crypto/o_dir.d crypto/des/fcrypt_b.d crypto/pkcs12/pk12err.d test/fatalerrtest.d crypto/bn/bn_word.d crypto/evp/m_md5_sha1.d test/buildtest_cmac.d crypto/idea/i_cfb64.d crypto/x509v3/v3_ncons.d crypto/bn/bn_sqrt.d crypto/mdc2/mdc2dgst.d crypto/pem/pem_info.d crypto/cms/cms_asn1.d crypto/dsa/dsa_lib.d crypto/dh/dh_ameth.d crypto/bio/bss_dgram.d crypto/dsa/dsa_meth.d apps/app_rand.d crypto/ec/ec_oct.d crypto/asn1/asn_mstbl.d crypto/cast/c_ofb64.d crypto/asn1/i2d_pr.d crypto/x509/x509cset.d crypto/conf/conf_ssl.d crypto/evp/p_enc.d crypto/dsa/dsa_pmeth.d crypto/x509/x_name.d crypto/bn/bn_sqr.d crypto/engine/eng_lib.d test/buildtest_asn1t.d crypto/des/ecb_enc.d test/ideatest.d apps/openssl.d crypto/rsa/rsa_depr.d crypto/sha/sha512.d crypto/ebcdic.d fuzz/cms.d crypto/x509v3/v3_ia5.d test/v3nametest.d test/buildtest_des.d apps/rsa.d test/md5test.d crypto/des/rand_key.d crypto/bn/bn_mont.d crypto/modes/ccm128.d crypto/asn1/asn1_err.d crypto/x509v3/v3_akey.d crypto/rand/md_rand.d test/ectest.d crypto/ocsp/ocsp_asn.d crypto/dsa/dsa_ossl.d crypto/kdf/hkdf.d crypto/rand/rand_err.d crypto/rc2/rc2ofb64.d crypto/ct/ct_sct_ctx.d crypto/evp/e_old.d crypto/dh/dh_kdf.d crypto/bn/bn_blind.d crypto/bn/bn_print.d crypto/asn1/p5_pbev2.d crypto/x509v3/v3_skey.d crypto/x509v3/v3_akeya.d crypto/bio/bio_lib.d test/buildtest_dsa.d crypto/engine/tb_dh.d crypto/evp/evp_pbe.d test/buildtest_crypto.d ssl/ssl_conf.d test/buildtest_err.d crypto/evp/m_wp.d crypto/x509/x509_vpm.d crypto/evp/e_rc4.d crypto/ct/ct_log.d crypto/bn/bn_recp.d crypto/x509/t_x509.d crypto/objects/o_names.d apps/ca.d test/ssltestlib.d crypto/engine/eng_list.d ssl/record/rec_layer_d1.d crypto/evp/m_sigver.d test/buildtest_ssl.d crypto/cmac/cmac.d crypto/asn1/a_verify.d crypto/mem_clr.d test/x509_time_test.d crypto/x509/x509type.d crypto/x509v3/v3_pmaps.d crypto/evp/e_camellia.d crypto/dh/dh_check.d apps/pkcs8.d test/danetest.d test/md4test.d crypto/asn1/asn1_gen.d crypto/engine/eng_fat.d crypto/evp/p5_crpt.d crypto/asn1/tasn_typ.d crypto/asn1/ameth_lib.d crypto/whrlpool/wp_block.d crypto/pkcs12/p12_asn.d test/buildtest_opensslv.d crypto/engine/tb_pkmeth.d crypto/asn1/a_sign.d test/buildtest_conf_api.d crypto/blake2/m_blake2b.d crypto/x509v3/pcy_data.d ssl/t1_trce.d crypto/modes/cbc128.d crypto/rsa/rsa_err.d crypto/engine/eng_ctrl.d crypto/dh/dh_pmeth.d crypto/evp/p_open.d crypto/ct/ct_oct.d crypto/engine/eng_rdrand.d crypto/pkcs12/p12_kiss.d test/buildtest_md5.d test/buildtest_rc4.d crypto/evp/evp_cnf.d test/buildtest_hmac.d crypto/bio/b_dump.d crypto/x509v3/v3_pcia.d crypto/ts/ts_asn1.d test/dsatest.d test/buildtest_rc2.d apps/errstr.d test/testutil.d crypto/cast/c_enc.d apps/ts.d test/mdc2test.d test/buildtest_dtls1.d crypto/rsa/rsa_saos.d crypto/x509v3/v3_genn.d crypto/rsa/rsa_ossl.d crypto/pkcs7/pk7_lib.d crypto/blake2/blake2b.d test/ssl_test_ctx_test.d crypto/seed/seed_ecb.d test/buildtest_ossl_typ.d ssl/statem/statem.d apps/rsautl.d crypto/init.d test/rmdtest.d test/destest.d crypto/idea/i_cbc.d crypto/evp/digest.d crypto/camellia/cmll_ecb.d crypto/cms/cms_smime.d crypto/evp/p_verify.d crypto/cast/c_cfb64.d crypto/asn1/nsseq.d crypto/ts/ts_verify_ctx.d crypto/bn/bn_mod.d test/ct_test.d crypto/camellia/cmll_cfb.d crypto/rc2/rc2_ecb.d crypto/aes/aes_ecb.d crypto/conf/conf_api.d crypto/rsa/rsa_gen.d crypto/srp/srp_vfy.d test/buildtest_seed.d crypto/bn/bn_shift.d test/buildtest_ecdh.d test/buildtest_pem.d crypto/ocsp/ocsp_srv.d crypto/x509v3/pcy_tree.d crypto/asn1/f_int.d crypto/dh/dh_gen.d test/rc2test.d crypto/rsa/rsa_none.d test/buildtest_async.d crypto/o_fopen.d crypto/ec/ec_mult.d crypto/evp/evp_lib.d ssl/tls_srp.d crypto/bf/bf_ofb64.d ssl/t1_reneg.d apps/s_socket.d crypto/des/des_enc.d crypto/ocsp/ocsp_err.d test/heartbeat_test.d crypto/seed/seed_cbc.d crypto/x509/x_x509.d crypto/x509/x509_set.d test/bad_dtls_test.d test/buildtest_bio.d apps/asn1pars.d crypto/async/arch/async_win.d crypto/x509v3/v3_sxnet.d crypto/ui/ui_openssl.d crypto/evp/p_dec.d crypto/asn1/x_bignum.d crypto/evp/m_md2.d crypto/md5/md5_one.d test/p5_crpt2_test.d crypto/bn/bn_asm.d crypto/hmac/hmac.d crypto/mem_sec.d crypto/asn1/t_pkey.d crypto/pem/pvkfmt.d engines/e_capi.d crypto/bn/bn_prime.d ssl/d1_lib.d crypto/asn1/a_print.d crypto/threads_none.d test/buildtest_objects.d crypto/ts/ts_req_print.d test/buildtest_kdf.d crypto/evp/m_mdc2.d crypto/dso/dso_lib.d fuzz/conf.d crypto/dso/dso_win32.d crypto/x509/x_pubkey.d test/ssl_test.d ssl/ssl_cert.d ssl/ssl_asn1.d crypto/asn1/asn_pack.d test/bftest.d crypto/x509v3/v3_utl.d crypto/cms/cms_io.d crypto/rsa/rsa_pss.d crypto/camellia/camellia.d crypto/ocsp/ocsp_lib.d crypto/cmac/cm_pmeth.d crypto/x509/by_file.d crypto/asn1/x_algor.d test/buildtest_mdc2.d crypto/rsa/rsa_pmeth.d crypto/asn1/x_pkey.d ssl/methods.d crypto/x509v3/v3_bitst.d test/dhtest.d crypto/rand/rand_egd.d crypto/x509/t_crl.d crypto/cms/cms_dd.d crypto/rand/randfile.d apps/smime.d crypto/ocsp/ocsp_ht.d crypto/x509/x509_obj.d crypto/pkcs7/bio_pk7.d crypto/x509v3/v3_cpols.d crypto/ec/ec_ameth.d test/v3ext.d crypto/pkcs12/p12_crpt.d crypto/evp/e_rc2.d ssl/ssl_sess.d crypto/ocsp/ocsp_ext.d crypto/seed/seed.d crypto/des/fcrypt.d crypto/pem/pem_oth.d crypto/x509v3/v3_extku.d crypto/pkcs12/p12_npas.d crypto/dso/dso_openssl.d test/buildtest_x509v3.d test/buildtest_pem2.d crypto/bio/bf_lbuf.d ssl/d1_msg.d crypto/asn1/asn1_par.d crypto/blake2/blake2s.d ssl/bio_ssl.d crypto/async/arch/async_posix.d crypto/bn/bn_lib.d ssl/s3_lib.d crypto/asn1/tasn_scn.d crypto/ui/ui_err.d crypto/bio/bss_log.d fuzz/bignum.d crypto/asn1/p8_pkey.d crypto/dso/dso_dl.d crypto/lhash/lh_stats.d crypto/pkcs12/p12_p8d.d crypto/evp/e_rc4_hmac_md5.d crypto/dsa/dsa_sign.d crypto/ec/ecdh_kdf.d crypto/x509/x509_meth.d crypto/ec/ec2_smpl.d crypto/rand/rand_unix.d crypto/pkcs12/p12_decr.d crypto/evp/e_cast.d crypto/pkcs7/pk7_attr.d crypto/engine/tb_eckey.d crypto/rsa/rsa_x931g.d crypto/ec/eck_prn.d crypto/pem/pem_xaux.d crypto/err/err_prn.d apps/pkcs7.d test/buildtest_sha.d test/ssltest_old.d crypto/rsa/rsa_lib.d crypto/evp/cmeth_lib.d crypto/evp/e_bf.d crypto/mdc2/mdc2_one.d crypto/engine/eng_pkey.d crypto/modes/ocb128.d crypto/ec/ecdh_ossl.d crypto/asn1/x_info.d crypto/aes/aes_core.d test/ecdsatest.d crypto/ts/ts_rsp_print.d apps/rehash.d crypto/asn1/tasn_new.d crypto/modes/xts128.d crypto/modes/wrap128.d crypto/err/err.d apps/req.d crypto/x509v3/v3err.d apps/pkeyutl.d crypto/asn1/a_d2i_fp.d test/d2i_test.d crypto/asn1/tasn_enc.d crypto/dh/dh_key.d crypto/pem/pem_sign.d test/buildtest_camellia.d crypto/engine/eng_table.d crypto/conf/conf_err.d test/dtlsv1listentest.d crypto/bio/bss_conn.d crypto/ec/curve25519.d crypto/objects/obj_err.d crypto/x509/x509_cmp.d crypto/x509/x_exten.d test/hmactest.d crypto/ec/ecp_oct.d apps/sess_id.d crypto/asn1/x_int64.d crypto/bn/bn_x931p.d crypto/rsa/rsa_ameth.d crypto/asn1/a_strex.d test/randtest.d crypto/asn1/x_long.d crypto/x509v3/v3_pku.d crypto/ec/ec_cvt.d test/buildtest_lhash.d crypto/bf/bf_enc.d crypto/pkcs12/p12_add.d crypto/evp/m_sha1.d crypto/mem.d crypto/bio/bio_cb.d engines/e_padlock.d crypto/asn1/a_digest.d crypto/x509v3/v3_pcons.d crypto/des/set_key.d crypto/modes/gcm128.d test/errtest.d crypto/asn1/d2i_pu.d crypto/seed/seed_cfb.d crypto/ct/ct_sct.d crypto/pkcs7/pk7_smime.d crypto/ec/ec_key.d crypto/des/xcbc_enc.d test/rc4test.d apps/genrsa.d test/exptest.d crypto/asn1/asn1_lib.d apps/spkac.d crypto/asn1/tasn_prn.d crypto/dh/dh_prn.d ssl/statem/statem_clnt.d crypto/conf/conf_mall.d crypto/rsa/rsa_prn.d crypto/aes/aes_misc.d crypto/threads_win.d crypto/evp/evp_key.d test/sha512t.d crypto/asn1/asn_mime.d crypto/evp/evp_err.d crypto/rsa/rsa_null.d crypto/cms/cms_att.d crypto/evp/pmeth_lib.d crypto/evp/m_null.d fuzz/crl.d crypto/bio/bss_sock.d crypto/sha/sha1dgst.d apps/nseq.d ssl/ssl_txt.d crypto/err/err_all.d crypto/ec/ec_lib.d test/buildtest_dh.d test/x509_dup_cert_test.d test/ssl_test_ctx.d crypto/x509v3/pcy_node.d crypto/ct/ct_b64.d crypto/ct/ct_err.d crypto/o_str.d test/clienthellotest.d crypto/pkcs12/p12_utl.d test/sha1test.d ssl/record/rec_layer_s3.d crypto/ec/ecp_smpl.d crypto/x509v3/v3_enum.d crypto/des/cfb64ede.d crypto/x509v3/v3_tlsf.d crypto/engine/tb_digest.d crypto/des/cfb64enc.d crypto/asn1/a_mbstr.d test/handshake_helper.d crypto/evp/evp_enc.d crypto/asn1/p5_scrypt.d test/buildtest_blowfish.d crypto/seed/seed_ofb.d crypto/dsa/dsa_gen.d crypto/md5/md5_dgst.d crypto/cpt_err.d test/buildtest_pkcs7.d crypto/rc2/rc2_skey.d crypto/rc2/rc2cfb64.d test/threadstest.d crypto/x509/x_x509a.d crypto/ec/ec_print.d crypto/ec/ecp_mont.d crypto/ts/ts_rsp_utils.d crypto/asn1/a_int.d crypto/cryptlib.d crypto/bn/bn_kron.d crypto/evp/bio_b64.d crypto/x509v3/pcy_map.d crypto/x509/by_dir.d crypto/x509/x509_ext.d test/bio_enc_test.d crypto/des/qud_cksm.d crypto/ec/ec_pmeth.d crypto/o_fips.d crypto/bn/bn_depr.d crypto/rc2/rc2_cbc.d crypto/aes/aes_wrap.d test/casttest.d test/buildtest_e_os2.d crypto/ec/ec2_mult.d crypto/dh/dh_meth.d test/buildtest_cms.d crypto/x509v3/v3_prn.d apps/crl2p7.d test/verify_extra_test.d ssl/ssl_mcnf.d apps/rand.d fuzz/ct.d crypto/engine/eng_cryptodev.d apps/dsa.d crypto/evp/m_ripemd.d crypto/ec/ec_asn1.d crypto/ocsp/v3_ocsp.d apps/passwd.d ssl/ssl_ciph.d crypto/aes/aes_cbc.d crypto/evp/e_aes_cbc_hmac_sha256.d crypto/x509/x509_r2x.d crypto/bn/bn_exp.d ssl/ssl_stat.d test/buildtest_obj_mac.d crypto/ripemd/rmd_dgst.d crypto/o_init.d crypto/bn/bn_add.d crypto/conf/conf_sap.d test/buildtest_stack.d apps/enc.d crypto/asn1/a_gentm.d test/buildtest_md4.d test/pbelutest.d crypto/bf/bf_cfb64.d crypto/ts/ts_conf.d crypto/camellia/cmll_ctr.d crypto/objects/obj_lib.d crypto/asn1/x_sig.d apps/s_client.d crypto/asn1/a_utf8.d crypto/ec/ecp_nistp256.d crypto/bn/bn_mpi.d crypto/bn/bn_mul.d apps/srp.d test/crltest.d crypto/x509/x509_d2.d crypto/bn/bn_div.d crypto/bio/b_sock2.d crypto/bio/bf_nbio.d crypto/bn/bn_err.d test/bioprinttest.d crypto/ripemd/rmd_one.d fuzz/x509.d crypto/ts/ts_rsp_verify.d crypto/cversion.d crypto/evp/c_alld.d crypto/engine/tb_asnmth.d apps/verify.d crypto/dsa/dsa_vrf.d crypto/ec/ec_check.d crypto/bio/bss_file.d crypto/bn/bn_exp2.d apps/s_cb.d crypto/cms/cms_err.d crypto/comp/comp_lib.d crypto/lhash/lhash.d crypto/bf/bf_skey.d crypto/des/pcbc_enc.d crypto/bio/b_sock.d crypto/ct/ct_x509v3.d crypto/conf/conf_lib.d test/buildtest_ct.d crypto/bn/bn_rand.d test/md2test.d crypto/des/str2key.d crypto/ec/ec_kmeth.d crypto/evp/c_allc.d crypto/pkcs12/p12_crt.d test/buildtest_symhacks.d ssl/ssl_init.d test/exdatatest.d crypto/x509/x509_err.d test/sslcorrupttest.d crypto/dso/dso_dlfcn.d crypto/x509/x509_lu.d test/buildtest_txt_db.d crypto/x509/x509_trs.d crypto/evp/names.d crypto/x509v3/v3_conf.d crypto/aes/aes_ige.d crypto/dso/dso_err.d test/evp_test.d crypto/modes/ctr128.d test/bntest.d ssl/ssl_rsa.d crypto/x509v3/v3_bcons.d crypto/engine/eng_all.d crypto/x509/t_req.d crypto/modes/cfb128.d ssl/t1_ext.d crypto/x509/x509rset.d apps/pkey.d crypto/bio/bss_bio.d crypto/idea/i_ofb64.d crypto/pem/pem_all.d crypto/camellia/cmll_cbc.d crypto/ec/ecp_nistp224.d crypto/engine/tb_cipher.d test/sslapitest.d test/buildtest_ssl2.d crypto/asn1/a_dup.d crypto/ocsp/ocsp_cl.d crypto/evp/bio_ok.d test/afalgtest.d test/rsa_test.d apps/speed.d crypto/bio/bf_null.d crypto/pkcs7/pk7_asn1.d crypto/objects/obj_dat.d test/buildtest_conf.d crypto/kdf/kdf_err.d crypto/dsa/dsa_depr.d crypto/evp/p_sign.d crypto/x509v3/v3_asid.d crypto/ct/ct_policy.d crypto/ec/ec_curve.d crypto/x509/x509_att.d crypto/evp/e_idea.d crypto/ts/ts_lib.d GENERATED_MANDATORY=crypto/include/internal/bn_conf.h crypto/include/internal/dso_conf.h include/openssl/opensslconf.h -GENERATED=test/buildtest_ct.c test/buildtest_ecdsa.c test/buildtest_x509.c test/buildtest_modes.c test/buildtest_asn1t.c test/buildtest_pkcs12.c test/buildtest_rsa.c test/buildtest_txt_db.c test/buildtest_pem.c test/buildtest_conf_api.c test/buildtest_sha.c test/buildtest_rc4.c test/buildtest_bio.c test/buildtest_err.c test/buildtest_buffer.c test/buildtest_pem2.c test/buildtest_md5.c test/buildtest_seed.c test/buildtest_md4.c test/buildtest_symhacks.c test/buildtest_engine.c test/buildtest_cast.c test/buildtest_ui.c test/buildtest_comp.c test/buildtest_rc2.c test/buildtest_whrlpool.c test/buildtest_cmac.c test/buildtest_srtp.c test/buildtest_camellia.c test/buildtest_aes.c test/buildtest_hmac.c test/buildtest_ec.c test/buildtest_ripemd.c test/buildtest_evp.c test/buildtest_kdf.c test/buildtest_dh.c test/buildtest_crypto.c test/buildtest_lhash.c test/buildtest_des.c test/buildtest_conf.c test/buildtest_opensslv.c test/buildtest_stack.c test/buildtest_x509_vfy.c test/buildtest_dsa.c test/buildtest_rand.c test/buildtest_srp.c test/buildtest_mdc2.c test/buildtest_blowfish.c test/buildtest_safestack.c test/buildtest_ts.c test/buildtest_x509v3.c test/buildtest_asn1.c test/buildtest_dtls1.c test/buildtest_bn.c test/buildtest_async.c test/buildtest_idea.c test/buildtest_ossl_typ.c test/buildtest_obj_mac.c test/buildtest_ssl.c test/buildtest_ocsp.c test/buildtest_objects.c test/buildtest_e_os2.c test/buildtest_ssl2.c test/buildtest_ecdh.c test/buildtest_cms.c test/buildtest_pkcs7.c test/buildtest_tls1.c test/buildtest_ebcdic.c include/openssl/opensslconf.h crypto/include/internal/bn_conf.h apps/progs.h crypto/include/internal/dso_conf.h crypto/buildinf.h +GENERATED=test/buildtest_srp.c test/buildtest_bn.c test/buildtest_ripemd.c test/buildtest_x509_vfy.c test/buildtest_pkcs12.c test/buildtest_safestack.c test/buildtest_idea.c test/buildtest_whrlpool.c test/buildtest_srtp.c test/buildtest_ocsp.c test/buildtest_ec.c test/buildtest_cast.c test/buildtest_rsa.c test/buildtest_asn1.c test/buildtest_ecdsa.c test/buildtest_rand.c test/buildtest_comp.c test/buildtest_x509.c test/buildtest_aes.c test/buildtest_modes.c test/buildtest_tls1.c test/buildtest_ts.c test/buildtest_evp.c test/buildtest_engine.c test/buildtest_buffer.c test/buildtest_ui.c test/buildtest_ebcdic.c test/buildtest_cmac.c test/buildtest_asn1t.c test/buildtest_des.c test/buildtest_dsa.c test/buildtest_crypto.c test/buildtest_err.c test/buildtest_ssl.c test/buildtest_opensslv.c test/buildtest_conf_api.c test/buildtest_md5.c test/buildtest_rc4.c test/buildtest_hmac.c test/buildtest_rc2.c test/buildtest_dtls1.c test/buildtest_ossl_typ.c test/buildtest_seed.c test/buildtest_ecdh.c test/buildtest_pem.c test/buildtest_async.c test/buildtest_bio.c test/buildtest_objects.c test/buildtest_kdf.c test/buildtest_mdc2.c test/buildtest_x509v3.c test/buildtest_pem2.c test/buildtest_sha.c test/buildtest_camellia.c test/buildtest_lhash.c test/buildtest_dh.c test/buildtest_blowfish.c test/buildtest_pkcs7.c test/buildtest_e_os2.c test/buildtest_cms.c test/buildtest_obj_mac.c test/buildtest_stack.c test/buildtest_md4.c test/buildtest_ct.c test/buildtest_symhacks.c test/buildtest_txt_db.c test/buildtest_ssl2.c test/buildtest_conf.c crypto/include/internal/bn_conf.h include/openssl/opensslconf.h apps/progs.h crypto/include/internal/dso_conf.h crypto/buildinf.h INSTALL_LIBS=libcrypto.a libssl.a INSTALL_SHLIBS= @@ -507,8 +507,10 @@ tar: DISTDIR=$(NAME); \ mkdir -p $$TMPDIR/$$DISTDIR; \ (cd $(SRCDIR); \ + excl_re="^(fuzz/corpora|Configurations/.*\.norelease\.conf)"; \ + echo "$$excl_re"; \ git ls-tree -r --name-only --full-tree HEAD \ - | grep -v '^fuzz/corpora' \ + | egrep -v "$$excl_re" \ | while read F; do \ mkdir -p $$TMPDIR/$$DISTDIR/`dirname $$F`; \ cp $$F $$TMPDIR/$$DISTDIR/$$F; \ @@ -579,7 +581,7 @@ openssl.pc: echo 'Version: '$(VERSION); \ echo 'Requires: libssl libcrypto' ) > openssl.pc -configdata.pm: $(SRCDIR)/Configure $(SRCDIR)/config Configurations/unix-Makefile.tmpl Configurations/common.tmpl ./build.info crypto/build.info ssl/build.info engines/build.info apps/build.info test/build.info util/build.info tools/build.info fuzz/build.info crypto/objects/build.info crypto/md4/build.info crypto/md5/build.info crypto/sha/build.info crypto/mdc2/build.info crypto/hmac/build.info crypto/ripemd/build.info crypto/whrlpool/build.info crypto/poly1305/build.info crypto/blake2/build.info crypto/des/build.info crypto/aes/build.info crypto/rc2/build.info crypto/rc4/build.info crypto/idea/build.info crypto/bf/build.info crypto/cast/build.info crypto/camellia/build.info crypto/seed/build.info crypto/chacha/build.info crypto/modes/build.info crypto/bn/build.info crypto/ec/build.info crypto/rsa/build.info crypto/dsa/build.info crypto/dh/build.info crypto/dso/build.info crypto/engine/build.info crypto/buffer/build.info crypto/bio/build.info crypto/stack/build.info crypto/lhash/build.info crypto/rand/build.info crypto/err/build.info crypto/evp/build.info crypto/asn1/build.info crypto/pem/build.info crypto/x509/build.info crypto/x509v3/build.info crypto/conf/build.info crypto/txt_db/build.info crypto/pkcs7/build.info crypto/pkcs12/build.info crypto/comp/build.info crypto/ocsp/build.info crypto/ui/build.info crypto/cms/build.info crypto/ts/build.info crypto/srp/build.info crypto/cmac/build.info crypto/ct/build.info crypto/async/build.info crypto/kdf/build.info Configurations/90-team.conf +configdata.pm: $(SRCDIR)/Configure $(SRCDIR)/config Configurations/unix-Makefile.tmpl Configurations/common.tmpl ./build.info crypto/build.info ssl/build.info engines/build.info apps/build.info test/build.info util/build.info tools/build.info fuzz/build.info crypto/objects/build.info crypto/md4/build.info crypto/md5/build.info crypto/sha/build.info crypto/mdc2/build.info crypto/hmac/build.info crypto/ripemd/build.info crypto/whrlpool/build.info crypto/poly1305/build.info crypto/blake2/build.info crypto/des/build.info crypto/aes/build.info crypto/rc2/build.info crypto/rc4/build.info crypto/idea/build.info crypto/bf/build.info crypto/cast/build.info crypto/camellia/build.info crypto/seed/build.info crypto/chacha/build.info crypto/modes/build.info crypto/bn/build.info crypto/ec/build.info crypto/rsa/build.info crypto/dsa/build.info crypto/dh/build.info crypto/dso/build.info crypto/engine/build.info crypto/buffer/build.info crypto/bio/build.info crypto/stack/build.info crypto/lhash/build.info crypto/rand/build.info crypto/err/build.info crypto/evp/build.info crypto/asn1/build.info crypto/pem/build.info crypto/x509/build.info crypto/x509v3/build.info crypto/conf/build.info crypto/txt_db/build.info crypto/pkcs7/build.info crypto/pkcs12/build.info crypto/comp/build.info crypto/ocsp/build.info crypto/ui/build.info crypto/cms/build.info crypto/ts/build.info crypto/srp/build.info crypto/cmac/build.info crypto/ct/build.info crypto/async/build.info crypto/kdf/build.info Configurations/00-base-templates.conf Configurations/dist.conf @echo "Detected changed: $?" @echo "Reconfiguring..." $(PERL) $(SRCDIR)/Configure reconf @@ -600,7 +602,7 @@ crypto/include/internal/dso_conf.h: crypto/include/internal/dso_conf.h.in config include/openssl/opensslconf.h: include/openssl/opensslconf.h.in configdata.pm $(PERL) "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \ "-oMakefile" include/openssl/opensslconf.h.in > $@ -libcrypto.a: crypto/aes/aes_cbc.o crypto/aes/aes_cfb.o crypto/aes/aes_core.o crypto/aes/aes_ecb.o crypto/aes/aes_ige.o crypto/aes/aes_misc.o crypto/aes/aes_ofb.o crypto/aes/aes_wrap.o crypto/asn1/a_bitstr.o crypto/asn1/a_d2i_fp.o crypto/asn1/a_digest.o crypto/asn1/a_dup.o crypto/asn1/a_gentm.o crypto/asn1/a_i2d_fp.o crypto/asn1/a_int.o crypto/asn1/a_mbstr.o crypto/asn1/a_object.o crypto/asn1/a_octet.o crypto/asn1/a_print.o crypto/asn1/a_sign.o crypto/asn1/a_strex.o crypto/asn1/a_strnid.o crypto/asn1/a_time.o crypto/asn1/a_type.o crypto/asn1/a_utctm.o crypto/asn1/a_utf8.o crypto/asn1/a_verify.o crypto/asn1/ameth_lib.o crypto/asn1/asn1_err.o crypto/asn1/asn1_gen.o crypto/asn1/asn1_lib.o crypto/asn1/asn1_par.o crypto/asn1/asn_mime.o crypto/asn1/asn_moid.o crypto/asn1/asn_mstbl.o crypto/asn1/asn_pack.o crypto/asn1/bio_asn1.o crypto/asn1/bio_ndef.o crypto/asn1/d2i_pr.o crypto/asn1/d2i_pu.o crypto/asn1/evp_asn1.o crypto/asn1/f_int.o crypto/asn1/f_string.o crypto/asn1/i2d_pr.o crypto/asn1/i2d_pu.o crypto/asn1/n_pkey.o crypto/asn1/nsseq.o crypto/asn1/p5_pbe.o crypto/asn1/p5_pbev2.o crypto/asn1/p5_scrypt.o crypto/asn1/p8_pkey.o crypto/asn1/t_bitst.o crypto/asn1/t_pkey.o crypto/asn1/t_spki.o crypto/asn1/tasn_dec.o crypto/asn1/tasn_enc.o crypto/asn1/tasn_fre.o crypto/asn1/tasn_new.o crypto/asn1/tasn_prn.o crypto/asn1/tasn_scn.o crypto/asn1/tasn_typ.o crypto/asn1/tasn_utl.o crypto/asn1/x_algor.o crypto/asn1/x_bignum.o crypto/asn1/x_info.o crypto/asn1/x_int64.o crypto/asn1/x_long.o crypto/asn1/x_pkey.o crypto/asn1/x_sig.o crypto/asn1/x_spki.o crypto/asn1/x_val.o crypto/async/arch/async_null.o crypto/async/arch/async_posix.o crypto/async/arch/async_win.o crypto/async/async.o crypto/async/async_err.o crypto/async/async_wait.o crypto/bf/bf_cfb64.o crypto/bf/bf_ecb.o crypto/bf/bf_enc.o crypto/bf/bf_ofb64.o crypto/bf/bf_skey.o crypto/bio/b_addr.o crypto/bio/b_dump.o crypto/bio/b_print.o crypto/bio/b_sock.o crypto/bio/b_sock2.o crypto/bio/bf_buff.o crypto/bio/bf_lbuf.o crypto/bio/bf_nbio.o crypto/bio/bf_null.o crypto/bio/bio_cb.o crypto/bio/bio_err.o crypto/bio/bio_lib.o crypto/bio/bio_meth.o crypto/bio/bss_acpt.o crypto/bio/bss_bio.o crypto/bio/bss_conn.o crypto/bio/bss_dgram.o crypto/bio/bss_fd.o crypto/bio/bss_file.o crypto/bio/bss_log.o crypto/bio/bss_mem.o crypto/bio/bss_null.o crypto/bio/bss_sock.o crypto/blake2/blake2b.o crypto/blake2/blake2s.o crypto/blake2/m_blake2b.o crypto/blake2/m_blake2s.o crypto/bn/bn_add.o crypto/bn/bn_asm.o crypto/bn/bn_blind.o crypto/bn/bn_const.o crypto/bn/bn_ctx.o crypto/bn/bn_depr.o crypto/bn/bn_dh.o crypto/bn/bn_div.o crypto/bn/bn_err.o crypto/bn/bn_exp.o crypto/bn/bn_exp2.o crypto/bn/bn_gcd.o crypto/bn/bn_gf2m.o crypto/bn/bn_intern.o crypto/bn/bn_kron.o crypto/bn/bn_lib.o crypto/bn/bn_mod.o crypto/bn/bn_mont.o crypto/bn/bn_mpi.o crypto/bn/bn_mul.o crypto/bn/bn_nist.o crypto/bn/bn_prime.o crypto/bn/bn_print.o crypto/bn/bn_rand.o crypto/bn/bn_recp.o crypto/bn/bn_shift.o crypto/bn/bn_sqr.o crypto/bn/bn_sqrt.o crypto/bn/bn_srp.o crypto/bn/bn_word.o crypto/bn/bn_x931p.o crypto/buffer/buf_err.o crypto/buffer/buffer.o crypto/camellia/camellia.o crypto/camellia/cmll_cbc.o crypto/camellia/cmll_cfb.o crypto/camellia/cmll_ctr.o crypto/camellia/cmll_ecb.o crypto/camellia/cmll_misc.o crypto/camellia/cmll_ofb.o crypto/cast/c_cfb64.o crypto/cast/c_ecb.o crypto/cast/c_enc.o crypto/cast/c_ofb64.o crypto/cast/c_skey.o crypto/chacha/chacha_enc.o crypto/cmac/cm_ameth.o crypto/cmac/cm_pmeth.o crypto/cmac/cmac.o crypto/cms/cms_asn1.o crypto/cms/cms_att.o crypto/cms/cms_cd.o crypto/cms/cms_dd.o crypto/cms/cms_enc.o crypto/cms/cms_env.o crypto/cms/cms_err.o crypto/cms/cms_ess.o crypto/cms/cms_io.o crypto/cms/cms_kari.o crypto/cms/cms_lib.o crypto/cms/cms_pwri.o crypto/cms/cms_sd.o crypto/cms/cms_smime.o crypto/comp/c_zlib.o crypto/comp/comp_err.o crypto/comp/comp_lib.o crypto/conf/conf_api.o crypto/conf/conf_def.o crypto/conf/conf_err.o crypto/conf/conf_lib.o crypto/conf/conf_mall.o crypto/conf/conf_mod.o crypto/conf/conf_sap.o crypto/cpt_err.o crypto/cryptlib.o crypto/ct/ct_b64.o crypto/ct/ct_err.o crypto/ct/ct_log.o crypto/ct/ct_oct.o crypto/ct/ct_policy.o crypto/ct/ct_prn.o crypto/ct/ct_sct.o crypto/ct/ct_sct_ctx.o crypto/ct/ct_vfy.o crypto/ct/ct_x509v3.o crypto/cversion.o crypto/des/cbc_cksm.o crypto/des/cbc_enc.o crypto/des/cfb64ede.o crypto/des/cfb64enc.o crypto/des/cfb_enc.o crypto/des/des_enc.o crypto/des/ecb3_enc.o crypto/des/ecb_enc.o crypto/des/fcrypt.o crypto/des/fcrypt_b.o crypto/des/ofb64ede.o crypto/des/ofb64enc.o crypto/des/ofb_enc.o crypto/des/pcbc_enc.o crypto/des/qud_cksm.o crypto/des/rand_key.o crypto/des/rpc_enc.o crypto/des/set_key.o crypto/des/str2key.o crypto/des/xcbc_enc.o crypto/dh/dh_ameth.o crypto/dh/dh_asn1.o crypto/dh/dh_check.o crypto/dh/dh_depr.o crypto/dh/dh_err.o crypto/dh/dh_gen.o crypto/dh/dh_kdf.o crypto/dh/dh_key.o crypto/dh/dh_lib.o crypto/dh/dh_meth.o crypto/dh/dh_pmeth.o crypto/dh/dh_prn.o crypto/dh/dh_rfc5114.o crypto/dsa/dsa_ameth.o crypto/dsa/dsa_asn1.o crypto/dsa/dsa_depr.o crypto/dsa/dsa_err.o crypto/dsa/dsa_gen.o crypto/dsa/dsa_key.o crypto/dsa/dsa_lib.o crypto/dsa/dsa_meth.o crypto/dsa/dsa_ossl.o crypto/dsa/dsa_pmeth.o crypto/dsa/dsa_prn.o crypto/dsa/dsa_sign.o crypto/dsa/dsa_vrf.o crypto/dso/dso_dl.o crypto/dso/dso_dlfcn.o crypto/dso/dso_err.o crypto/dso/dso_lib.o crypto/dso/dso_openssl.o crypto/dso/dso_vms.o crypto/dso/dso_win32.o crypto/ebcdic.o crypto/ec/curve25519.o crypto/ec/ec2_mult.o crypto/ec/ec2_oct.o crypto/ec/ec2_smpl.o crypto/ec/ec_ameth.o crypto/ec/ec_asn1.o crypto/ec/ec_check.o crypto/ec/ec_curve.o crypto/ec/ec_cvt.o crypto/ec/ec_err.o crypto/ec/ec_key.o crypto/ec/ec_kmeth.o crypto/ec/ec_lib.o crypto/ec/ec_mult.o crypto/ec/ec_oct.o crypto/ec/ec_pmeth.o crypto/ec/ec_print.o crypto/ec/ecdh_kdf.o crypto/ec/ecdh_ossl.o crypto/ec/ecdsa_ossl.o crypto/ec/ecdsa_sign.o crypto/ec/ecdsa_vrf.o crypto/ec/eck_prn.o crypto/ec/ecp_mont.o crypto/ec/ecp_nist.o crypto/ec/ecp_nistp224.o crypto/ec/ecp_nistp256.o crypto/ec/ecp_nistp521.o crypto/ec/ecp_nistputil.o crypto/ec/ecp_oct.o crypto/ec/ecp_smpl.o crypto/ec/ecx_meth.o crypto/engine/eng_all.o crypto/engine/eng_cnf.o crypto/engine/eng_cryptodev.o crypto/engine/eng_ctrl.o crypto/engine/eng_dyn.o crypto/engine/eng_err.o crypto/engine/eng_fat.o crypto/engine/eng_init.o crypto/engine/eng_lib.o crypto/engine/eng_list.o crypto/engine/eng_openssl.o crypto/engine/eng_pkey.o crypto/engine/eng_rdrand.o crypto/engine/eng_table.o crypto/engine/tb_asnmth.o crypto/engine/tb_cipher.o crypto/engine/tb_dh.o crypto/engine/tb_digest.o crypto/engine/tb_dsa.o crypto/engine/tb_eckey.o crypto/engine/tb_pkmeth.o crypto/engine/tb_rand.o crypto/engine/tb_rsa.o crypto/err/err.o crypto/err/err_all.o crypto/err/err_prn.o crypto/evp/bio_b64.o crypto/evp/bio_enc.o crypto/evp/bio_md.o crypto/evp/bio_ok.o crypto/evp/c_allc.o crypto/evp/c_alld.o crypto/evp/cmeth_lib.o crypto/evp/digest.o crypto/evp/e_aes.o crypto/evp/e_aes_cbc_hmac_sha1.o crypto/evp/e_aes_cbc_hmac_sha256.o crypto/evp/e_bf.o crypto/evp/e_camellia.o crypto/evp/e_cast.o crypto/evp/e_chacha20_poly1305.o crypto/evp/e_des.o crypto/evp/e_des3.o crypto/evp/e_idea.o crypto/evp/e_null.o crypto/evp/e_old.o crypto/evp/e_rc2.o crypto/evp/e_rc4.o crypto/evp/e_rc4_hmac_md5.o crypto/evp/e_rc5.o crypto/evp/e_seed.o crypto/evp/e_xcbc_d.o crypto/evp/encode.o crypto/evp/evp_cnf.o crypto/evp/evp_enc.o crypto/evp/evp_err.o crypto/evp/evp_key.o crypto/evp/evp_lib.o crypto/evp/evp_pbe.o crypto/evp/evp_pkey.o crypto/evp/m_md2.o crypto/evp/m_md4.o crypto/evp/m_md5.o crypto/evp/m_md5_sha1.o crypto/evp/m_mdc2.o crypto/evp/m_null.o crypto/evp/m_ripemd.o crypto/evp/m_sha1.o crypto/evp/m_sigver.o crypto/evp/m_wp.o crypto/evp/names.o crypto/evp/p5_crpt.o crypto/evp/p5_crpt2.o crypto/evp/p_dec.o crypto/evp/p_enc.o crypto/evp/p_lib.o crypto/evp/p_open.o crypto/evp/p_seal.o crypto/evp/p_sign.o crypto/evp/p_verify.o crypto/evp/pmeth_fn.o crypto/evp/pmeth_gn.o crypto/evp/pmeth_lib.o crypto/evp/scrypt.o crypto/ex_data.o crypto/hmac/hm_ameth.o crypto/hmac/hm_pmeth.o crypto/hmac/hmac.o crypto/idea/i_cbc.o crypto/idea/i_cfb64.o crypto/idea/i_ecb.o crypto/idea/i_ofb64.o crypto/idea/i_skey.o crypto/init.o crypto/kdf/hkdf.o crypto/kdf/kdf_err.o crypto/kdf/tls1_prf.o crypto/lhash/lh_stats.o crypto/lhash/lhash.o crypto/md4/md4_dgst.o crypto/md4/md4_one.o crypto/md5/md5_dgst.o crypto/md5/md5_one.o crypto/mdc2/mdc2_one.o crypto/mdc2/mdc2dgst.o crypto/mem.o crypto/mem_clr.o crypto/mem_dbg.o crypto/mem_sec.o crypto/modes/cbc128.o crypto/modes/ccm128.o crypto/modes/cfb128.o crypto/modes/ctr128.o crypto/modes/cts128.o crypto/modes/gcm128.o crypto/modes/ocb128.o crypto/modes/ofb128.o crypto/modes/wrap128.o crypto/modes/xts128.o crypto/o_dir.o crypto/o_fips.o crypto/o_fopen.o crypto/o_init.o crypto/o_str.o crypto/o_time.o crypto/objects/o_names.o crypto/objects/obj_dat.o crypto/objects/obj_err.o crypto/objects/obj_lib.o crypto/objects/obj_xref.o crypto/ocsp/ocsp_asn.o crypto/ocsp/ocsp_cl.o crypto/ocsp/ocsp_err.o crypto/ocsp/ocsp_ext.o crypto/ocsp/ocsp_ht.o crypto/ocsp/ocsp_lib.o crypto/ocsp/ocsp_prn.o crypto/ocsp/ocsp_srv.o crypto/ocsp/ocsp_vfy.o crypto/ocsp/v3_ocsp.o crypto/pem/pem_all.o crypto/pem/pem_err.o crypto/pem/pem_info.o crypto/pem/pem_lib.o crypto/pem/pem_oth.o crypto/pem/pem_pk8.o crypto/pem/pem_pkey.o crypto/pem/pem_sign.o crypto/pem/pem_x509.o crypto/pem/pem_xaux.o crypto/pem/pvkfmt.o crypto/pkcs12/p12_add.o crypto/pkcs12/p12_asn.o crypto/pkcs12/p12_attr.o crypto/pkcs12/p12_crpt.o crypto/pkcs12/p12_crt.o crypto/pkcs12/p12_decr.o crypto/pkcs12/p12_init.o crypto/pkcs12/p12_key.o crypto/pkcs12/p12_kiss.o crypto/pkcs12/p12_mutl.o crypto/pkcs12/p12_npas.o crypto/pkcs12/p12_p8d.o crypto/pkcs12/p12_p8e.o crypto/pkcs12/p12_sbag.o crypto/pkcs12/p12_utl.o crypto/pkcs12/pk12err.o crypto/pkcs7/bio_pk7.o crypto/pkcs7/pk7_asn1.o crypto/pkcs7/pk7_attr.o crypto/pkcs7/pk7_doit.o crypto/pkcs7/pk7_lib.o crypto/pkcs7/pk7_mime.o crypto/pkcs7/pk7_smime.o crypto/pkcs7/pkcs7err.o crypto/poly1305/poly1305.o crypto/rand/md_rand.o crypto/rand/rand_egd.o crypto/rand/rand_err.o crypto/rand/rand_lib.o crypto/rand/rand_unix.o crypto/rand/rand_vms.o crypto/rand/rand_win.o crypto/rand/randfile.o crypto/rc2/rc2_cbc.o crypto/rc2/rc2_ecb.o crypto/rc2/rc2_skey.o crypto/rc2/rc2cfb64.o crypto/rc2/rc2ofb64.o crypto/rc4/rc4_enc.o crypto/rc4/rc4_skey.o crypto/ripemd/rmd_dgst.o crypto/ripemd/rmd_one.o crypto/rsa/rsa_ameth.o crypto/rsa/rsa_asn1.o crypto/rsa/rsa_chk.o crypto/rsa/rsa_crpt.o crypto/rsa/rsa_depr.o crypto/rsa/rsa_err.o crypto/rsa/rsa_gen.o crypto/rsa/rsa_lib.o crypto/rsa/rsa_meth.o crypto/rsa/rsa_none.o crypto/rsa/rsa_null.o crypto/rsa/rsa_oaep.o crypto/rsa/rsa_ossl.o crypto/rsa/rsa_pk1.o crypto/rsa/rsa_pmeth.o crypto/rsa/rsa_prn.o crypto/rsa/rsa_pss.o crypto/rsa/rsa_saos.o crypto/rsa/rsa_sign.o crypto/rsa/rsa_ssl.o crypto/rsa/rsa_x931.o crypto/rsa/rsa_x931g.o crypto/seed/seed.o crypto/seed/seed_cbc.o crypto/seed/seed_cfb.o crypto/seed/seed_ecb.o crypto/seed/seed_ofb.o crypto/sha/sha1_one.o crypto/sha/sha1dgst.o crypto/sha/sha256.o crypto/sha/sha512.o crypto/srp/srp_lib.o crypto/srp/srp_vfy.o crypto/stack/stack.o crypto/threads_none.o crypto/threads_pthread.o crypto/threads_win.o crypto/ts/ts_asn1.o crypto/ts/ts_conf.o crypto/ts/ts_err.o crypto/ts/ts_lib.o crypto/ts/ts_req_print.o crypto/ts/ts_req_utils.o crypto/ts/ts_rsp_print.o crypto/ts/ts_rsp_sign.o crypto/ts/ts_rsp_utils.o crypto/ts/ts_rsp_verify.o crypto/ts/ts_verify_ctx.o crypto/txt_db/txt_db.o crypto/ui/ui_err.o crypto/ui/ui_lib.o crypto/ui/ui_openssl.o crypto/ui/ui_util.o crypto/uid.o crypto/whrlpool/wp_block.o crypto/whrlpool/wp_dgst.o crypto/x509/by_dir.o crypto/x509/by_file.o crypto/x509/t_crl.o crypto/x509/t_req.o crypto/x509/t_x509.o crypto/x509/x509_att.o crypto/x509/x509_cmp.o crypto/x509/x509_d2.o crypto/x509/x509_def.o crypto/x509/x509_err.o crypto/x509/x509_ext.o crypto/x509/x509_lu.o crypto/x509/x509_obj.o crypto/x509/x509_r2x.o crypto/x509/x509_req.o crypto/x509/x509_set.o crypto/x509/x509_trs.o crypto/x509/x509_txt.o crypto/x509/x509_v3.o crypto/x509/x509_vfy.o crypto/x509/x509_vpm.o crypto/x509/x509cset.o crypto/x509/x509name.o crypto/x509/x509rset.o crypto/x509/x509spki.o crypto/x509/x509type.o crypto/x509/x_all.o crypto/x509/x_attrib.o crypto/x509/x_crl.o crypto/x509/x_exten.o crypto/x509/x_name.o crypto/x509/x_pubkey.o crypto/x509/x_req.o crypto/x509/x_x509.o crypto/x509/x_x509a.o crypto/x509v3/pcy_cache.o crypto/x509v3/pcy_data.o crypto/x509v3/pcy_lib.o crypto/x509v3/pcy_map.o crypto/x509v3/pcy_node.o crypto/x509v3/pcy_tree.o crypto/x509v3/v3_addr.o crypto/x509v3/v3_akey.o crypto/x509v3/v3_akeya.o crypto/x509v3/v3_alt.o crypto/x509v3/v3_asid.o crypto/x509v3/v3_bcons.o crypto/x509v3/v3_bitst.o crypto/x509v3/v3_conf.o crypto/x509v3/v3_cpols.o crypto/x509v3/v3_crld.o crypto/x509v3/v3_enum.o crypto/x509v3/v3_extku.o crypto/x509v3/v3_genn.o crypto/x509v3/v3_ia5.o crypto/x509v3/v3_info.o crypto/x509v3/v3_int.o crypto/x509v3/v3_lib.o crypto/x509v3/v3_ncons.o crypto/x509v3/v3_pci.o crypto/x509v3/v3_pcia.o crypto/x509v3/v3_pcons.o crypto/x509v3/v3_pku.o crypto/x509v3/v3_pmaps.o crypto/x509v3/v3_prn.o crypto/x509v3/v3_purp.o crypto/x509v3/v3_skey.o crypto/x509v3/v3_sxnet.o crypto/x509v3/v3_tlsf.o crypto/x509v3/v3_utl.o crypto/x509v3/v3err.o engines/e_capi.o engines/e_padlock.o +libcrypto.a: crypto/aes/aes_cbc.o crypto/aes/aes_cfb.o crypto/aes/aes_core.o crypto/aes/aes_ecb.o crypto/aes/aes_ige.o crypto/aes/aes_misc.o crypto/aes/aes_ofb.o crypto/aes/aes_wrap.o crypto/asn1/a_bitstr.o crypto/asn1/a_d2i_fp.o crypto/asn1/a_digest.o crypto/asn1/a_dup.o crypto/asn1/a_gentm.o crypto/asn1/a_i2d_fp.o crypto/asn1/a_int.o crypto/asn1/a_mbstr.o crypto/asn1/a_object.o crypto/asn1/a_octet.o crypto/asn1/a_print.o crypto/asn1/a_sign.o crypto/asn1/a_strex.o crypto/asn1/a_strnid.o crypto/asn1/a_time.o crypto/asn1/a_type.o crypto/asn1/a_utctm.o crypto/asn1/a_utf8.o crypto/asn1/a_verify.o crypto/asn1/ameth_lib.o crypto/asn1/asn1_err.o crypto/asn1/asn1_gen.o crypto/asn1/asn1_lib.o crypto/asn1/asn1_par.o crypto/asn1/asn_mime.o crypto/asn1/asn_moid.o crypto/asn1/asn_mstbl.o crypto/asn1/asn_pack.o crypto/asn1/bio_asn1.o crypto/asn1/bio_ndef.o crypto/asn1/d2i_pr.o crypto/asn1/d2i_pu.o crypto/asn1/evp_asn1.o crypto/asn1/f_int.o crypto/asn1/f_string.o crypto/asn1/i2d_pr.o crypto/asn1/i2d_pu.o crypto/asn1/n_pkey.o crypto/asn1/nsseq.o crypto/asn1/p5_pbe.o crypto/asn1/p5_pbev2.o crypto/asn1/p5_scrypt.o crypto/asn1/p8_pkey.o crypto/asn1/t_bitst.o crypto/asn1/t_pkey.o crypto/asn1/t_spki.o crypto/asn1/tasn_dec.o crypto/asn1/tasn_enc.o crypto/asn1/tasn_fre.o crypto/asn1/tasn_new.o crypto/asn1/tasn_prn.o crypto/asn1/tasn_scn.o crypto/asn1/tasn_typ.o crypto/asn1/tasn_utl.o crypto/asn1/x_algor.o crypto/asn1/x_bignum.o crypto/asn1/x_info.o crypto/asn1/x_int64.o crypto/asn1/x_long.o crypto/asn1/x_pkey.o crypto/asn1/x_sig.o crypto/asn1/x_spki.o crypto/asn1/x_val.o crypto/async/arch/async_null.o crypto/async/arch/async_posix.o crypto/async/arch/async_win.o crypto/async/async.o crypto/async/async_err.o crypto/async/async_wait.o crypto/bf/bf_cfb64.o crypto/bf/bf_ecb.o crypto/bf/bf_enc.o crypto/bf/bf_ofb64.o crypto/bf/bf_skey.o crypto/bio/b_addr.o crypto/bio/b_dump.o crypto/bio/b_print.o crypto/bio/b_sock.o crypto/bio/b_sock2.o crypto/bio/bf_buff.o crypto/bio/bf_lbuf.o crypto/bio/bf_nbio.o crypto/bio/bf_null.o crypto/bio/bio_cb.o crypto/bio/bio_err.o crypto/bio/bio_lib.o crypto/bio/bio_meth.o crypto/bio/bss_acpt.o crypto/bio/bss_bio.o crypto/bio/bss_conn.o crypto/bio/bss_dgram.o crypto/bio/bss_fd.o crypto/bio/bss_file.o crypto/bio/bss_log.o crypto/bio/bss_mem.o crypto/bio/bss_null.o crypto/bio/bss_sock.o crypto/blake2/blake2b.o crypto/blake2/blake2s.o crypto/blake2/m_blake2b.o crypto/blake2/m_blake2s.o crypto/bn/bn_add.o crypto/bn/bn_asm.o crypto/bn/bn_blind.o crypto/bn/bn_const.o crypto/bn/bn_ctx.o crypto/bn/bn_depr.o crypto/bn/bn_dh.o crypto/bn/bn_div.o crypto/bn/bn_err.o crypto/bn/bn_exp.o crypto/bn/bn_exp2.o crypto/bn/bn_gcd.o crypto/bn/bn_gf2m.o crypto/bn/bn_intern.o crypto/bn/bn_kron.o crypto/bn/bn_lib.o crypto/bn/bn_mod.o crypto/bn/bn_mont.o crypto/bn/bn_mpi.o crypto/bn/bn_mul.o crypto/bn/bn_nist.o crypto/bn/bn_prime.o crypto/bn/bn_print.o crypto/bn/bn_rand.o crypto/bn/bn_recp.o crypto/bn/bn_shift.o crypto/bn/bn_sqr.o crypto/bn/bn_sqrt.o crypto/bn/bn_srp.o crypto/bn/bn_word.o crypto/bn/bn_x931p.o crypto/buffer/buf_err.o crypto/buffer/buffer.o crypto/camellia/camellia.o crypto/camellia/cmll_cbc.o crypto/camellia/cmll_cfb.o crypto/camellia/cmll_ctr.o crypto/camellia/cmll_ecb.o crypto/camellia/cmll_misc.o crypto/camellia/cmll_ofb.o crypto/cast/c_cfb64.o crypto/cast/c_ecb.o crypto/cast/c_enc.o crypto/cast/c_ofb64.o crypto/cast/c_skey.o crypto/chacha/chacha_enc.o crypto/cmac/cm_ameth.o crypto/cmac/cm_pmeth.o crypto/cmac/cmac.o crypto/cms/cms_asn1.o crypto/cms/cms_att.o crypto/cms/cms_cd.o crypto/cms/cms_dd.o crypto/cms/cms_enc.o crypto/cms/cms_env.o crypto/cms/cms_err.o crypto/cms/cms_ess.o crypto/cms/cms_io.o crypto/cms/cms_kari.o crypto/cms/cms_lib.o crypto/cms/cms_pwri.o crypto/cms/cms_sd.o crypto/cms/cms_smime.o crypto/comp/c_zlib.o crypto/comp/comp_err.o crypto/comp/comp_lib.o crypto/conf/conf_api.o crypto/conf/conf_def.o crypto/conf/conf_err.o crypto/conf/conf_lib.o crypto/conf/conf_mall.o crypto/conf/conf_mod.o crypto/conf/conf_sap.o crypto/conf/conf_ssl.o crypto/cpt_err.o crypto/cryptlib.o crypto/ct/ct_b64.o crypto/ct/ct_err.o crypto/ct/ct_log.o crypto/ct/ct_oct.o crypto/ct/ct_policy.o crypto/ct/ct_prn.o crypto/ct/ct_sct.o crypto/ct/ct_sct_ctx.o crypto/ct/ct_vfy.o crypto/ct/ct_x509v3.o crypto/cversion.o crypto/des/cbc_cksm.o crypto/des/cbc_enc.o crypto/des/cfb64ede.o crypto/des/cfb64enc.o crypto/des/cfb_enc.o crypto/des/des_enc.o crypto/des/ecb3_enc.o crypto/des/ecb_enc.o crypto/des/fcrypt.o crypto/des/fcrypt_b.o crypto/des/ofb64ede.o crypto/des/ofb64enc.o crypto/des/ofb_enc.o crypto/des/pcbc_enc.o crypto/des/qud_cksm.o crypto/des/rand_key.o crypto/des/rpc_enc.o crypto/des/set_key.o crypto/des/str2key.o crypto/des/xcbc_enc.o crypto/dh/dh_ameth.o crypto/dh/dh_asn1.o crypto/dh/dh_check.o crypto/dh/dh_depr.o crypto/dh/dh_err.o crypto/dh/dh_gen.o crypto/dh/dh_kdf.o crypto/dh/dh_key.o crypto/dh/dh_lib.o crypto/dh/dh_meth.o crypto/dh/dh_pmeth.o crypto/dh/dh_prn.o crypto/dh/dh_rfc5114.o crypto/dsa/dsa_ameth.o crypto/dsa/dsa_asn1.o crypto/dsa/dsa_depr.o crypto/dsa/dsa_err.o crypto/dsa/dsa_gen.o crypto/dsa/dsa_key.o crypto/dsa/dsa_lib.o crypto/dsa/dsa_meth.o crypto/dsa/dsa_ossl.o crypto/dsa/dsa_pmeth.o crypto/dsa/dsa_prn.o crypto/dsa/dsa_sign.o crypto/dsa/dsa_vrf.o crypto/dso/dso_dl.o crypto/dso/dso_dlfcn.o crypto/dso/dso_err.o crypto/dso/dso_lib.o crypto/dso/dso_openssl.o crypto/dso/dso_vms.o crypto/dso/dso_win32.o crypto/ebcdic.o crypto/ec/curve25519.o crypto/ec/ec2_mult.o crypto/ec/ec2_oct.o crypto/ec/ec2_smpl.o crypto/ec/ec_ameth.o crypto/ec/ec_asn1.o crypto/ec/ec_check.o crypto/ec/ec_curve.o crypto/ec/ec_cvt.o crypto/ec/ec_err.o crypto/ec/ec_key.o crypto/ec/ec_kmeth.o crypto/ec/ec_lib.o crypto/ec/ec_mult.o crypto/ec/ec_oct.o crypto/ec/ec_pmeth.o crypto/ec/ec_print.o crypto/ec/ecdh_kdf.o crypto/ec/ecdh_ossl.o crypto/ec/ecdsa_ossl.o crypto/ec/ecdsa_sign.o crypto/ec/ecdsa_vrf.o crypto/ec/eck_prn.o crypto/ec/ecp_mont.o crypto/ec/ecp_nist.o crypto/ec/ecp_nistp224.o crypto/ec/ecp_nistp256.o crypto/ec/ecp_nistp521.o crypto/ec/ecp_nistputil.o crypto/ec/ecp_oct.o crypto/ec/ecp_smpl.o crypto/ec/ecx_meth.o crypto/engine/eng_all.o crypto/engine/eng_cnf.o crypto/engine/eng_cryptodev.o crypto/engine/eng_ctrl.o crypto/engine/eng_dyn.o crypto/engine/eng_err.o crypto/engine/eng_fat.o crypto/engine/eng_init.o crypto/engine/eng_lib.o crypto/engine/eng_list.o crypto/engine/eng_openssl.o crypto/engine/eng_pkey.o crypto/engine/eng_rdrand.o crypto/engine/eng_table.o crypto/engine/tb_asnmth.o crypto/engine/tb_cipher.o crypto/engine/tb_dh.o crypto/engine/tb_digest.o crypto/engine/tb_dsa.o crypto/engine/tb_eckey.o crypto/engine/tb_pkmeth.o crypto/engine/tb_rand.o crypto/engine/tb_rsa.o crypto/err/err.o crypto/err/err_all.o crypto/err/err_prn.o crypto/evp/bio_b64.o crypto/evp/bio_enc.o crypto/evp/bio_md.o crypto/evp/bio_ok.o crypto/evp/c_allc.o crypto/evp/c_alld.o crypto/evp/cmeth_lib.o crypto/evp/digest.o crypto/evp/e_aes.o crypto/evp/e_aes_cbc_hmac_sha1.o crypto/evp/e_aes_cbc_hmac_sha256.o crypto/evp/e_bf.o crypto/evp/e_camellia.o crypto/evp/e_cast.o crypto/evp/e_chacha20_poly1305.o crypto/evp/e_des.o crypto/evp/e_des3.o crypto/evp/e_idea.o crypto/evp/e_null.o crypto/evp/e_old.o crypto/evp/e_rc2.o crypto/evp/e_rc4.o crypto/evp/e_rc4_hmac_md5.o crypto/evp/e_rc5.o crypto/evp/e_seed.o crypto/evp/e_xcbc_d.o crypto/evp/encode.o crypto/evp/evp_cnf.o crypto/evp/evp_enc.o crypto/evp/evp_err.o crypto/evp/evp_key.o crypto/evp/evp_lib.o crypto/evp/evp_pbe.o crypto/evp/evp_pkey.o crypto/evp/m_md2.o crypto/evp/m_md4.o crypto/evp/m_md5.o crypto/evp/m_md5_sha1.o crypto/evp/m_mdc2.o crypto/evp/m_null.o crypto/evp/m_ripemd.o crypto/evp/m_sha1.o crypto/evp/m_sigver.o crypto/evp/m_wp.o crypto/evp/names.o crypto/evp/p5_crpt.o crypto/evp/p5_crpt2.o crypto/evp/p_dec.o crypto/evp/p_enc.o crypto/evp/p_lib.o crypto/evp/p_open.o crypto/evp/p_seal.o crypto/evp/p_sign.o crypto/evp/p_verify.o crypto/evp/pmeth_fn.o crypto/evp/pmeth_gn.o crypto/evp/pmeth_lib.o crypto/evp/scrypt.o crypto/ex_data.o crypto/hmac/hm_ameth.o crypto/hmac/hm_pmeth.o crypto/hmac/hmac.o crypto/idea/i_cbc.o crypto/idea/i_cfb64.o crypto/idea/i_ecb.o crypto/idea/i_ofb64.o crypto/idea/i_skey.o crypto/init.o crypto/kdf/hkdf.o crypto/kdf/kdf_err.o crypto/kdf/tls1_prf.o crypto/lhash/lh_stats.o crypto/lhash/lhash.o crypto/md4/md4_dgst.o crypto/md4/md4_one.o crypto/md5/md5_dgst.o crypto/md5/md5_one.o crypto/mdc2/mdc2_one.o crypto/mdc2/mdc2dgst.o crypto/mem.o crypto/mem_clr.o crypto/mem_dbg.o crypto/mem_sec.o crypto/modes/cbc128.o crypto/modes/ccm128.o crypto/modes/cfb128.o crypto/modes/ctr128.o crypto/modes/cts128.o crypto/modes/gcm128.o crypto/modes/ocb128.o crypto/modes/ofb128.o crypto/modes/wrap128.o crypto/modes/xts128.o crypto/o_dir.o crypto/o_fips.o crypto/o_fopen.o crypto/o_init.o crypto/o_str.o crypto/o_time.o crypto/objects/o_names.o crypto/objects/obj_dat.o crypto/objects/obj_err.o crypto/objects/obj_lib.o crypto/objects/obj_xref.o crypto/ocsp/ocsp_asn.o crypto/ocsp/ocsp_cl.o crypto/ocsp/ocsp_err.o crypto/ocsp/ocsp_ext.o crypto/ocsp/ocsp_ht.o crypto/ocsp/ocsp_lib.o crypto/ocsp/ocsp_prn.o crypto/ocsp/ocsp_srv.o crypto/ocsp/ocsp_vfy.o crypto/ocsp/v3_ocsp.o crypto/pem/pem_all.o crypto/pem/pem_err.o crypto/pem/pem_info.o crypto/pem/pem_lib.o crypto/pem/pem_oth.o crypto/pem/pem_pk8.o crypto/pem/pem_pkey.o crypto/pem/pem_sign.o crypto/pem/pem_x509.o crypto/pem/pem_xaux.o crypto/pem/pvkfmt.o crypto/pkcs12/p12_add.o crypto/pkcs12/p12_asn.o crypto/pkcs12/p12_attr.o crypto/pkcs12/p12_crpt.o crypto/pkcs12/p12_crt.o crypto/pkcs12/p12_decr.o crypto/pkcs12/p12_init.o crypto/pkcs12/p12_key.o crypto/pkcs12/p12_kiss.o crypto/pkcs12/p12_mutl.o crypto/pkcs12/p12_npas.o crypto/pkcs12/p12_p8d.o crypto/pkcs12/p12_p8e.o crypto/pkcs12/p12_sbag.o crypto/pkcs12/p12_utl.o crypto/pkcs12/pk12err.o crypto/pkcs7/bio_pk7.o crypto/pkcs7/pk7_asn1.o crypto/pkcs7/pk7_attr.o crypto/pkcs7/pk7_doit.o crypto/pkcs7/pk7_lib.o crypto/pkcs7/pk7_mime.o crypto/pkcs7/pk7_smime.o crypto/pkcs7/pkcs7err.o crypto/poly1305/poly1305.o crypto/rand/md_rand.o crypto/rand/rand_egd.o crypto/rand/rand_err.o crypto/rand/rand_lib.o crypto/rand/rand_unix.o crypto/rand/rand_vms.o crypto/rand/rand_win.o crypto/rand/randfile.o crypto/rc2/rc2_cbc.o crypto/rc2/rc2_ecb.o crypto/rc2/rc2_skey.o crypto/rc2/rc2cfb64.o crypto/rc2/rc2ofb64.o crypto/rc4/rc4_enc.o crypto/rc4/rc4_skey.o crypto/ripemd/rmd_dgst.o crypto/ripemd/rmd_one.o crypto/rsa/rsa_ameth.o crypto/rsa/rsa_asn1.o crypto/rsa/rsa_chk.o crypto/rsa/rsa_crpt.o crypto/rsa/rsa_depr.o crypto/rsa/rsa_err.o crypto/rsa/rsa_gen.o crypto/rsa/rsa_lib.o crypto/rsa/rsa_meth.o crypto/rsa/rsa_none.o crypto/rsa/rsa_null.o crypto/rsa/rsa_oaep.o crypto/rsa/rsa_ossl.o crypto/rsa/rsa_pk1.o crypto/rsa/rsa_pmeth.o crypto/rsa/rsa_prn.o crypto/rsa/rsa_pss.o crypto/rsa/rsa_saos.o crypto/rsa/rsa_sign.o crypto/rsa/rsa_ssl.o crypto/rsa/rsa_x931.o crypto/rsa/rsa_x931g.o crypto/seed/seed.o crypto/seed/seed_cbc.o crypto/seed/seed_cfb.o crypto/seed/seed_ecb.o crypto/seed/seed_ofb.o crypto/sha/sha1_one.o crypto/sha/sha1dgst.o crypto/sha/sha256.o crypto/sha/sha512.o crypto/srp/srp_lib.o crypto/srp/srp_vfy.o crypto/stack/stack.o crypto/threads_none.o crypto/threads_pthread.o crypto/threads_win.o crypto/ts/ts_asn1.o crypto/ts/ts_conf.o crypto/ts/ts_err.o crypto/ts/ts_lib.o crypto/ts/ts_req_print.o crypto/ts/ts_req_utils.o crypto/ts/ts_rsp_print.o crypto/ts/ts_rsp_sign.o crypto/ts/ts_rsp_utils.o crypto/ts/ts_rsp_verify.o crypto/ts/ts_verify_ctx.o crypto/txt_db/txt_db.o crypto/ui/ui_err.o crypto/ui/ui_lib.o crypto/ui/ui_openssl.o crypto/ui/ui_util.o crypto/uid.o crypto/whrlpool/wp_block.o crypto/whrlpool/wp_dgst.o crypto/x509/by_dir.o crypto/x509/by_file.o crypto/x509/t_crl.o crypto/x509/t_req.o crypto/x509/t_x509.o crypto/x509/x509_att.o crypto/x509/x509_cmp.o crypto/x509/x509_d2.o crypto/x509/x509_def.o crypto/x509/x509_err.o crypto/x509/x509_ext.o crypto/x509/x509_lu.o crypto/x509/x509_meth.o crypto/x509/x509_obj.o crypto/x509/x509_r2x.o crypto/x509/x509_req.o crypto/x509/x509_set.o crypto/x509/x509_trs.o crypto/x509/x509_txt.o crypto/x509/x509_v3.o crypto/x509/x509_vfy.o crypto/x509/x509_vpm.o crypto/x509/x509cset.o crypto/x509/x509name.o crypto/x509/x509rset.o crypto/x509/x509spki.o crypto/x509/x509type.o crypto/x509/x_all.o crypto/x509/x_attrib.o crypto/x509/x_crl.o crypto/x509/x_exten.o crypto/x509/x_name.o crypto/x509/x_pubkey.o crypto/x509/x_req.o crypto/x509/x_x509.o crypto/x509/x_x509a.o crypto/x509v3/pcy_cache.o crypto/x509v3/pcy_data.o crypto/x509v3/pcy_lib.o crypto/x509v3/pcy_map.o crypto/x509v3/pcy_node.o crypto/x509v3/pcy_tree.o crypto/x509v3/v3_addr.o crypto/x509v3/v3_akey.o crypto/x509v3/v3_akeya.o crypto/x509v3/v3_alt.o crypto/x509v3/v3_asid.o crypto/x509v3/v3_bcons.o crypto/x509v3/v3_bitst.o crypto/x509v3/v3_conf.o crypto/x509v3/v3_cpols.o crypto/x509v3/v3_crld.o crypto/x509v3/v3_enum.o crypto/x509v3/v3_extku.o crypto/x509v3/v3_genn.o crypto/x509v3/v3_ia5.o crypto/x509v3/v3_info.o crypto/x509v3/v3_int.o crypto/x509v3/v3_lib.o crypto/x509v3/v3_ncons.o crypto/x509v3/v3_pci.o crypto/x509v3/v3_pcia.o crypto/x509v3/v3_pcons.o crypto/x509v3/v3_pku.o crypto/x509v3/v3_pmaps.o crypto/x509v3/v3_prn.o crypto/x509v3/v3_purp.o crypto/x509v3/v3_skey.o crypto/x509v3/v3_sxnet.o crypto/x509v3/v3_tlsf.o crypto/x509v3/v3_utl.o crypto/x509v3/v3err.o engines/e_capi.o engines/e_padlock.o $(AR) $@ $? $(RANLIB) $@ || echo Never mind. crypto/aes/aes_cbc.o: crypto/aes/aes_cbc.c @@ -2059,6 +2061,14 @@ crypto/conf/conf_sap.o: crypto/conf/conf_sap.c else \ mv crypto/conf/conf_sap.d.tmp crypto/conf/conf_sap.d; \ fi +crypto/conf/conf_ssl.o: crypto/conf/conf_ssl.c + $(CC) -I. -Icrypto/include -Iinclude $(CFLAGS) $(LIB_CFLAGS) -MMD -MF crypto/conf/conf_ssl.d.tmp -MT $@ -c -o $@ crypto/conf/conf_ssl.c + @touch crypto/conf/conf_ssl.d.tmp + @if cmp crypto/conf/conf_ssl.d.tmp crypto/conf/conf_ssl.d > /dev/null 2> /dev/null; then \ + rm -f crypto/conf/conf_ssl.d.tmp; \ + else \ + mv crypto/conf/conf_ssl.d.tmp crypto/conf/conf_ssl.d; \ + fi crypto/cpt_err.o: crypto/cpt_err.c $(CC) -I. -Icrypto/include -Iinclude $(CFLAGS) $(LIB_CFLAGS) -MMD -MF crypto/cpt_err.d.tmp -MT $@ -c -o $@ crypto/cpt_err.c @touch crypto/cpt_err.d.tmp @@ -4941,6 +4951,14 @@ crypto/x509/x509_lu.o: crypto/x509/x509_lu.c else \ mv crypto/x509/x509_lu.d.tmp crypto/x509/x509_lu.d; \ fi +crypto/x509/x509_meth.o: crypto/x509/x509_meth.c + $(CC) -I. -Icrypto/include -Iinclude $(CFLAGS) $(LIB_CFLAGS) -MMD -MF crypto/x509/x509_meth.d.tmp -MT $@ -c -o $@ crypto/x509/x509_meth.c + @touch crypto/x509/x509_meth.d.tmp + @if cmp crypto/x509/x509_meth.d.tmp crypto/x509/x509_meth.d > /dev/null 2> /dev/null; then \ + rm -f crypto/x509/x509_meth.d.tmp; \ + else \ + mv crypto/x509/x509_meth.d.tmp crypto/x509/x509_meth.d; \ + fi crypto/x509/x509_obj.o: crypto/x509/x509_obj.c $(CC) -I. -Icrypto/include -Iinclude $(CFLAGS) $(LIB_CFLAGS) -MMD -MF crypto/x509/x509_obj.d.tmp -MT $@ -c -o $@ crypto/x509/x509_obj.c @touch crypto/x509/x509_obj.d.tmp @@ -7829,7 +7847,7 @@ test/cipherlist_test.o: test/cipherlist_test.c mv test/cipherlist_test.d.tmp test/cipherlist_test.d; \ fi test/testutil.o: test/testutil.c - $(CC) -Icrypto/include -Itest -Iinclude -I. $(CFLAGS) $(BIN_CFLAGS) -MMD -MF test/testutil.d.tmp -MT $@ -c -o $@ test/testutil.c + $(CC) -Itest -Icrypto/include -Iinclude -I. $(CFLAGS) $(BIN_CFLAGS) -MMD -MF test/testutil.d.tmp -MT $@ -c -o $@ test/testutil.c @touch test/testutil.d.tmp @if cmp test/testutil.d.tmp test/testutil.d > /dev/null 2> /dev/null; then \ rm -f test/testutil.d.tmp; \ @@ -8074,6 +8092,23 @@ test/enginetest.o: test/enginetest.c else \ mv test/enginetest.d.tmp test/enginetest.d; \ fi +test/errtest: test/errtest.o test/testutil.o libcrypto.a + $(RM) test/errtest + $(MAKE) -f $(SRCDIR)/Makefile.shared -e \ + PERL="$(PERL)" SRCDIR=$(SRCDIR) \ + APPNAME=test/errtest OBJECTS="test/errtest.o test/testutil.o" \ + LIBDEPS='$(PLIB_LDFLAGS) '" -L. -lcrypto"' $(EX_LIBS)' \ + CC='$(CC)' CFLAGS='$(CFLAGS) $(BIN_CFLAGS)' \ + LDFLAGS='$(LDFLAGS)' \ + link_app. +test/errtest.o: test/errtest.c + $(CC) -Iinclude $(CFLAGS) $(BIN_CFLAGS) -MMD -MF test/errtest.d.tmp -MT $@ -c -o $@ test/errtest.c + @touch test/errtest.d.tmp + @if cmp test/errtest.d.tmp test/errtest.d > /dev/null 2> /dev/null; then \ + rm -f test/errtest.d.tmp; \ + else \ + mv test/errtest.d.tmp test/errtest.d; \ + fi test/evp_extra_test: test/evp_extra_test.o libcrypto.a $(RM) test/evp_extra_test $(MAKE) -f $(SRCDIR)/Makefile.shared -e \ @@ -8770,6 +8805,23 @@ test/verify_extra_test.o: test/verify_extra_test.c else \ mv test/verify_extra_test.d.tmp test/verify_extra_test.d; \ fi +test/versions: test/versions.o libcrypto.a + $(RM) test/versions + $(MAKE) -f $(SRCDIR)/Makefile.shared -e \ + PERL="$(PERL)" SRCDIR=$(SRCDIR) \ + APPNAME=test/versions OBJECTS="test/versions.o" \ + LIBDEPS='$(PLIB_LDFLAGS) '" -L. -lcrypto"' $(EX_LIBS)' \ + CC='$(CC)' CFLAGS='$(CFLAGS) $(BIN_CFLAGS)' \ + LDFLAGS='$(LDFLAGS)' \ + link_app. +test/versions.o: test/versions.c + $(CC) -Iinclude $(CFLAGS) $(BIN_CFLAGS) -MMD -MF test/versions.d.tmp -MT $@ -c -o $@ test/versions.c + @touch test/versions.d.tmp + @if cmp test/versions.d.tmp test/versions.d > /dev/null 2> /dev/null; then \ + rm -f test/versions.d.tmp; \ + else \ + mv test/versions.d.tmp test/versions.d; \ + fi test/wp_test: test/wp_test.o libcrypto.a $(RM) test/wp_test $(MAKE) -f $(SRCDIR)/Makefile.shared -e \ @@ -8787,6 +8839,40 @@ test/wp_test.o: test/wp_test.c else \ mv test/wp_test.d.tmp test/wp_test.d; \ fi +test/x509_dup_cert_test: test/x509_dup_cert_test.o libcrypto.a + $(RM) test/x509_dup_cert_test + $(MAKE) -f $(SRCDIR)/Makefile.shared -e \ + PERL="$(PERL)" SRCDIR=$(SRCDIR) \ + APPNAME=test/x509_dup_cert_test OBJECTS="test/x509_dup_cert_test.o" \ + LIBDEPS='$(PLIB_LDFLAGS) '" -L. -lcrypto"' $(EX_LIBS)' \ + CC='$(CC)' CFLAGS='$(CFLAGS) $(BIN_CFLAGS)' \ + LDFLAGS='$(LDFLAGS)' \ + link_app. +test/x509_dup_cert_test.o: test/x509_dup_cert_test.c + $(CC) -Iinclude $(CFLAGS) $(BIN_CFLAGS) -MMD -MF test/x509_dup_cert_test.d.tmp -MT $@ -c -o $@ test/x509_dup_cert_test.c + @touch test/x509_dup_cert_test.d.tmp + @if cmp test/x509_dup_cert_test.d.tmp test/x509_dup_cert_test.d > /dev/null 2> /dev/null; then \ + rm -f test/x509_dup_cert_test.d.tmp; \ + else \ + mv test/x509_dup_cert_test.d.tmp test/x509_dup_cert_test.d; \ + fi +test/x509_time_test: test/testutil.o test/x509_time_test.o libcrypto.a + $(RM) test/x509_time_test + $(MAKE) -f $(SRCDIR)/Makefile.shared -e \ + PERL="$(PERL)" SRCDIR=$(SRCDIR) \ + APPNAME=test/x509_time_test OBJECTS="test/testutil.o test/x509_time_test.o" \ + LIBDEPS='$(PLIB_LDFLAGS) '" -L. -lcrypto"' $(EX_LIBS)' \ + CC='$(CC)' CFLAGS='$(CFLAGS) $(BIN_CFLAGS)' \ + LDFLAGS='$(LDFLAGS)' \ + link_app. +test/x509_time_test.o: test/x509_time_test.c + $(CC) -I. -Iinclude $(CFLAGS) $(BIN_CFLAGS) -MMD -MF test/x509_time_test.d.tmp -MT $@ -c -o $@ test/x509_time_test.c + @touch test/x509_time_test.d.tmp + @if cmp test/x509_time_test.d.tmp test/x509_time_test.d > /dev/null 2> /dev/null; then \ + rm -f test/x509_time_test.d.tmp; \ + else \ + mv test/x509_time_test.d.tmp test/x509_time_test.d; \ + fi test/x509aux: test/x509aux.o libcrypto.a $(RM) test/x509aux $(MAKE) -f $(SRCDIR)/Makefile.shared -e \ @@ -8837,7 +8923,7 @@ crypto/chacha crypto/chacha/: crypto/chacha/chacha_enc.o crypto/cmac crypto/cmac/: crypto/cmac/cm_ameth.o crypto/cmac/cm_pmeth.o crypto/cmac/cmac.o crypto/cms crypto/cms/: crypto/cms/cms_asn1.o crypto/cms/cms_att.o crypto/cms/cms_cd.o crypto/cms/cms_dd.o crypto/cms/cms_enc.o crypto/cms/cms_env.o crypto/cms/cms_err.o crypto/cms/cms_ess.o crypto/cms/cms_io.o crypto/cms/cms_kari.o crypto/cms/cms_lib.o crypto/cms/cms_pwri.o crypto/cms/cms_sd.o crypto/cms/cms_smime.o crypto/comp crypto/comp/: crypto/comp/c_zlib.o crypto/comp/comp_err.o crypto/comp/comp_lib.o -crypto/conf crypto/conf/: crypto/conf/conf_api.o crypto/conf/conf_def.o crypto/conf/conf_err.o crypto/conf/conf_lib.o crypto/conf/conf_mall.o crypto/conf/conf_mod.o crypto/conf/conf_sap.o +crypto/conf crypto/conf/: crypto/conf/conf_api.o crypto/conf/conf_def.o crypto/conf/conf_err.o crypto/conf/conf_lib.o crypto/conf/conf_mall.o crypto/conf/conf_mod.o crypto/conf/conf_sap.o crypto/conf/conf_ssl.o crypto/ct crypto/ct/: crypto/ct/ct_b64.o crypto/ct/ct_err.o crypto/ct/ct_log.o crypto/ct/ct_oct.o crypto/ct/ct_policy.o crypto/ct/ct_prn.o crypto/ct/ct_sct.o crypto/ct/ct_sct_ctx.o crypto/ct/ct_vfy.o crypto/ct/ct_x509v3.o crypto/des crypto/des/: crypto/des/cbc_cksm.o crypto/des/cbc_enc.o crypto/des/cfb64ede.o crypto/des/cfb64enc.o crypto/des/cfb_enc.o crypto/des/des_enc.o crypto/des/ecb3_enc.o crypto/des/ecb_enc.o crypto/des/fcrypt.o crypto/des/fcrypt_b.o crypto/des/ofb64ede.o crypto/des/ofb64enc.o crypto/des/ofb_enc.o crypto/des/pcbc_enc.o crypto/des/qud_cksm.o crypto/des/rand_key.o crypto/des/rpc_enc.o crypto/des/set_key.o crypto/des/str2key.o crypto/des/xcbc_enc.o crypto/dh crypto/dh/: crypto/dh/dh_ameth.o crypto/dh/dh_asn1.o crypto/dh/dh_check.o crypto/dh/dh_depr.o crypto/dh/dh_err.o crypto/dh/dh_gen.o crypto/dh/dh_kdf.o crypto/dh/dh_key.o crypto/dh/dh_lib.o crypto/dh/dh_meth.o crypto/dh/dh_pmeth.o crypto/dh/dh_prn.o crypto/dh/dh_rfc5114.o @@ -8874,7 +8960,7 @@ crypto/ts crypto/ts/: crypto/ts/ts_asn1.o crypto/ts/ts_conf.o crypto/ts/ts_err.o crypto/txt_db crypto/txt_db/: crypto/txt_db/txt_db.o crypto/ui crypto/ui/: crypto/ui/ui_err.o crypto/ui/ui_lib.o crypto/ui/ui_openssl.o crypto/ui/ui_util.o crypto/whrlpool crypto/whrlpool/: crypto/whrlpool/wp_block.o crypto/whrlpool/wp_dgst.o -crypto/x509 crypto/x509/: crypto/x509/by_dir.o crypto/x509/by_file.o crypto/x509/t_crl.o crypto/x509/t_req.o crypto/x509/t_x509.o crypto/x509/x509_att.o crypto/x509/x509_cmp.o crypto/x509/x509_d2.o crypto/x509/x509_def.o crypto/x509/x509_err.o crypto/x509/x509_ext.o crypto/x509/x509_lu.o crypto/x509/x509_obj.o crypto/x509/x509_r2x.o crypto/x509/x509_req.o crypto/x509/x509_set.o crypto/x509/x509_trs.o crypto/x509/x509_txt.o crypto/x509/x509_v3.o crypto/x509/x509_vfy.o crypto/x509/x509_vpm.o crypto/x509/x509cset.o crypto/x509/x509name.o crypto/x509/x509rset.o crypto/x509/x509spki.o crypto/x509/x509type.o crypto/x509/x_all.o crypto/x509/x_attrib.o crypto/x509/x_crl.o crypto/x509/x_exten.o crypto/x509/x_name.o crypto/x509/x_pubkey.o crypto/x509/x_req.o crypto/x509/x_x509.o crypto/x509/x_x509a.o +crypto/x509 crypto/x509/: crypto/x509/by_dir.o crypto/x509/by_file.o crypto/x509/t_crl.o crypto/x509/t_req.o crypto/x509/t_x509.o crypto/x509/x509_att.o crypto/x509/x509_cmp.o crypto/x509/x509_d2.o crypto/x509/x509_def.o crypto/x509/x509_err.o crypto/x509/x509_ext.o crypto/x509/x509_lu.o crypto/x509/x509_meth.o crypto/x509/x509_obj.o crypto/x509/x509_r2x.o crypto/x509/x509_req.o crypto/x509/x509_set.o crypto/x509/x509_trs.o crypto/x509/x509_txt.o crypto/x509/x509_v3.o crypto/x509/x509_vfy.o crypto/x509/x509_vpm.o crypto/x509/x509cset.o crypto/x509/x509name.o crypto/x509/x509rset.o crypto/x509/x509spki.o crypto/x509/x509type.o crypto/x509/x_all.o crypto/x509/x_attrib.o crypto/x509/x_crl.o crypto/x509/x_exten.o crypto/x509/x_name.o crypto/x509/x_pubkey.o crypto/x509/x_req.o crypto/x509/x_x509.o crypto/x509/x_x509a.o crypto/x509v3 crypto/x509v3/: crypto/x509v3/pcy_cache.o crypto/x509v3/pcy_data.o crypto/x509v3/pcy_lib.o crypto/x509v3/pcy_map.o crypto/x509v3/pcy_node.o crypto/x509v3/pcy_tree.o crypto/x509v3/v3_addr.o crypto/x509v3/v3_akey.o crypto/x509v3/v3_akeya.o crypto/x509v3/v3_alt.o crypto/x509v3/v3_asid.o crypto/x509v3/v3_bcons.o crypto/x509v3/v3_bitst.o crypto/x509v3/v3_conf.o crypto/x509v3/v3_cpols.o crypto/x509v3/v3_crld.o crypto/x509v3/v3_enum.o crypto/x509v3/v3_extku.o crypto/x509v3/v3_genn.o crypto/x509v3/v3_ia5.o crypto/x509v3/v3_info.o crypto/x509v3/v3_int.o crypto/x509v3/v3_lib.o crypto/x509v3/v3_ncons.o crypto/x509v3/v3_pci.o crypto/x509v3/v3_pcia.o crypto/x509v3/v3_pcons.o crypto/x509v3/v3_pku.o crypto/x509v3/v3_pmaps.o crypto/x509v3/v3_prn.o crypto/x509v3/v3_purp.o crypto/x509v3/v3_skey.o crypto/x509v3/v3_sxnet.o crypto/x509v3/v3_tlsf.o crypto/x509v3/v3_utl.o crypto/x509v3/v3err.o engines engines/: engines/e_capi.o engines/e_padlock.o fuzz fuzz/: fuzz/asn1-test fuzz/asn1parse-test fuzz/bignum-test fuzz/bndiv-test fuzz/cms-test fuzz/conf-test fuzz/crl-test fuzz/ct-test fuzz/server-test fuzz/x509-test diff --git a/crypto/external/bsd/openssl/dist/NEWS b/crypto/external/bsd/openssl/dist/NEWS index 8744fe68ec5a..b6cf1f21ac24 100644 --- a/crypto/external/bsd/openssl/dist/NEWS +++ b/crypto/external/bsd/openssl/dist/NEWS @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018] + + o Client DoS due to large DH parameter (CVE-2018-0732) + o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) + Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [27 Mar 2018] o Constructed ASN.1 types with a recursive definition could exceed the diff --git a/crypto/external/bsd/openssl/dist/README b/crypto/external/bsd/openssl/dist/README index 3491280ead13..76888cbb09e3 100644 --- a/crypto/external/bsd/openssl/dist/README +++ b/crypto/external/bsd/openssl/dist/README @@ -1,7 +1,7 @@ - OpenSSL 1.1.0h 27 Mar 2018 + OpenSSL 1.1.0i 14 Aug 2018 - Copyright (c) 1998-2016 The OpenSSL Project + Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/crypto/external/bsd/openssl/dist/apps/apps.c b/crypto/external/bsd/openssl/dist/apps/apps.c index 8703d0cc31ee..d52201f1f389 100644 --- a/crypto/external/bsd/openssl/dist/apps/apps.c +++ b/crypto/external/bsd/openssl/dist/apps/apps.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1012,7 +1012,8 @@ int set_name_ex(unsigned long *flags, const char *arg) }; if (set_multi_opts(flags, arg, ex_tbl) == 0) return 0; - if ((*flags & XN_FLAG_SEP_MASK) == 0) + if (*flags != XN_FLAG_COMPAT + && (*flags & XN_FLAG_SEP_MASK) == 0) *flags |= XN_FLAG_SEP_CPLUS_SPC; return 1; } diff --git a/crypto/external/bsd/openssl/dist/apps/asn1pars.c b/crypto/external/bsd/openssl/dist/apps/asn1pars.c index 1ac261c7629e..008a6797d045 100644 --- a/crypto/external/bsd/openssl/dist/apps/asn1pars.c +++ b/crypto/external/bsd/openssl/dist/apps/asn1pars.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,7 +41,7 @@ OPTIONS asn1parse_options[] = { {"dump", OPT_DUMP, 0, "unknown data in hex form"}, {"dlimit", OPT_DLIMIT, 'p', "dump the first arg bytes of unknown data in hex form"}, - {"strparse", OPT_STRPARSE, 's', + {"strparse", OPT_STRPARSE, 'p', "offset; a series of these can be used to 'dig'"}, {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"}, {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"}, @@ -113,13 +113,13 @@ int asn1parse_main(int argc, char **argv) offset = strtol(opt_arg(), NULL, 0); break; case OPT_LENGTH: - length = atoi(opt_arg()); + length = strtol(opt_arg(), NULL, 0); break; case OPT_DUMP: dump = -1; break; case OPT_DLIMIT: - dump = atoi(opt_arg()); + dump = strtol(opt_arg(), NULL, 0); break; case OPT_STRPARSE: sk_OPENSSL_STRING_push(osk, opt_arg()); @@ -191,7 +191,7 @@ int asn1parse_main(int argc, char **argv) num = 0; for (;;) { - if (!BUF_MEM_grow(buf, (int)num + BUFSIZ)) + if (!BUF_MEM_grow(buf, num + BUFSIZ)) goto end; i = BIO_read(in, &(buf->data[num]), BUFSIZ); if (i <= 0) @@ -211,9 +211,9 @@ int asn1parse_main(int argc, char **argv) for (i = 0; i < sk_OPENSSL_STRING_num(osk); i++) { ASN1_TYPE *atmp; int typ; - j = atoi(sk_OPENSSL_STRING_value(osk, i)); - if (j == 0) { - BIO_printf(bio_err, "'%s' is an invalid number\n", + j = strtol(sk_OPENSSL_STRING_value(osk, i), NULL, 0); + if (j <= 0 || j >= tmplen) { + BIO_printf(bio_err, "'%s' is out of range\n", sk_OPENSSL_STRING_value(osk, i)); continue; } @@ -244,14 +244,14 @@ int asn1parse_main(int argc, char **argv) num = tmplen; } - if (offset >= num) { - BIO_printf(bio_err, "Error: offset too large\n"); + if (offset < 0 || offset >= num) { + BIO_printf(bio_err, "Error: offset out of range\n"); goto end; } num -= offset; - if ((length == 0) || ((long)length > num)) + if (length == 0 || length > (unsigned int)num) length = (unsigned int)num; if (derout) { if (BIO_write(derout, str + offset, length) != (int)length) { diff --git a/crypto/external/bsd/openssl/dist/apps/ca.c b/crypto/external/bsd/openssl/dist/apps/ca.c index d474a2b69a64..c69a2b5cdd9f 100644 --- a/crypto/external/bsd/openssl/dist/apps/ca.c +++ b/crypto/external/bsd/openssl/dist/apps/ca.c @@ -725,10 +725,10 @@ end_of_options: /*****************************************************************/ if (req || gencrl) { - /* FIXME: Is it really always text? */ - Sout = bio_open_default(outfile, 'w', FORMAT_TEXT); - if (Sout == NULL) - goto end; + if (spkac_file != NULL) { + output_der = 1; + batch = 1; + } } if (md == NULL @@ -872,10 +872,6 @@ end_of_options: BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } - if (outfile) { - output_der = 1; - batch = 1; - } } } if (ss_cert_file != NULL) { @@ -929,10 +925,13 @@ end_of_options: if (j > 0) { total_done++; BIO_printf(bio_err, "\n"); - if (!BN_add_word(serial, 1)) + if (!BN_add_word(serial, 1)) { + X509_free(x); goto end; + } if (!sk_X509_push(cert_sk, x)) { BIO_printf(bio_err, "Memory allocation failure\n"); + X509_free(x); goto end; } } @@ -1017,6 +1016,11 @@ end_of_options: if (verbose) BIO_printf(bio_err, "writing %s\n", buf[2]); + Sout = bio_open_default(outfile, 'w', + output_der ? FORMAT_ASN1 : FORMAT_TEXT); + if (Sout == NULL) + goto end; + Cout = BIO_new_file(buf[2], "w"); if (Cout == NULL) { perror(buf[2]); @@ -1025,6 +1029,8 @@ end_of_options: write_new_certificate(Cout, xi, 0, notext); write_new_certificate(Sout, xi, output_der, notext); BIO_free_all(Cout); + BIO_free_all(Sout); + Sout = NULL; } if (sk_X509_num(cert_sk)) { @@ -1173,6 +1179,11 @@ end_of_options: if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts)) goto end; + Sout = bio_open_default(outfile, 'w', + output_der ? FORMAT_ASN1 : FORMAT_TEXT); + if (Sout == NULL) + goto end; + PEM_write_bio_X509_CRL(Sout, crl); if (crlnumberfile != NULL) /* Rename the crlnumber file */ diff --git a/crypto/external/bsd/openssl/dist/apps/dhparam.c b/crypto/external/bsd/openssl/dist/apps/dhparam.c index 94322e37def4..8a28414562ba 100644 --- a/crypto/external/bsd/openssl/dist/apps/dhparam.c +++ b/crypto/external/bsd/openssl/dist/apps/dhparam.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -151,6 +151,11 @@ int dhparam_main(int argc, char **argv) goto end; } # endif + + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + /* DH parameters */ if (num && !g) g = 2; @@ -266,10 +271,6 @@ int dhparam_main(int argc, char **argv) /* dh != NULL */ } - out = bio_open_default(outfile, 'w', outformat); - if (out == NULL) - goto end; - if (text) { DHparams_print(out, dh); } diff --git a/crypto/external/bsd/openssl/dist/apps/dsaparam.c b/crypto/external/bsd/openssl/dist/apps/dsaparam.c index 5c3c8f80893e..20891cf3ddbc 100644 --- a/crypto/external/bsd/openssl/dist/apps/dsaparam.c +++ b/crypto/external/bsd/openssl/dist/apps/dsaparam.c @@ -226,25 +226,28 @@ int dsaparam_main(int argc, char **argv) data = app_malloc(len + 20, "BN space"); - BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); - print_bignum_var(bio_out, p, "dsap", len, data); - print_bignum_var(bio_out, q, "dsaq", len, data); - print_bignum_var(bio_out, g, "dsag", len, data); + BIO_printf(bio_out, "static DSA *get_dsa%d(void)\n{\n", bits_p); + print_bignum_var(bio_out, p, "dsap", bits_p, data); + print_bignum_var(bio_out, q, "dsaq", bits_p, data); + print_bignum_var(bio_out, g, "dsag", bits_p, data); BIO_printf(bio_out, " DSA *dsa = DSA_new();\n" + " BIGNUM *p, *q, *g;\n" "\n"); BIO_printf(bio_out, " if (dsa == NULL)\n" " return NULL;\n"); - BIO_printf(bio_out, " dsa->p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL);\n", - bits_p, bits_p); - BIO_printf(bio_out, " dsa->q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL);\n", - bits_p, bits_p); - BIO_printf(bio_out, " dsa->g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL);\n", - bits_p, bits_p); - BIO_printf(bio_out, " if (!dsa->p || !dsa->q || !dsa->g) {\n" - " DSA_free(dsa);\n" + BIO_printf(bio_out, " if (!DSA_set0_pqg(dsa, p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL),\n", + bits_p, bits_p); + BIO_printf(bio_out, " q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL),\n", + bits_p, bits_p); + BIO_printf(bio_out, " g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL))) {\n", + bits_p, bits_p); + BIO_printf(bio_out, " DSA_free(dsa);\n" + " BN_free(p);\n" + " BN_free(q);\n" + " BN_free(g);\n" " return NULL;\n" " }\n" - " return(dsa);\n}\n"); + " return dsa;\n}\n"); OPENSSL_free(data); } diff --git a/crypto/external/bsd/openssl/dist/apps/ocsp.c b/crypto/external/bsd/openssl/dist/apps/ocsp.c index 4b533348b43b..0c15f5114d23 100644 --- a/crypto/external/bsd/openssl/dist/apps/ocsp.c +++ b/crypto/external/bsd/openssl/dist/apps/ocsp.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -639,7 +639,6 @@ int ocsp_main(int argc, char **argv) OCSP_response_status_str(i), i); if (ignore_err) goto redo_accept; - ret = 0; goto end; } diff --git a/crypto/external/bsd/openssl/dist/apps/rehash.c b/crypto/external/bsd/openssl/dist/apps/rehash.c index 273ad749692b..aa3f8643a5af 100644 --- a/crypto/external/bsd/openssl/dist/apps/rehash.c +++ b/crypto/external/bsd/openssl/dist/apps/rehash.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -130,9 +130,10 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename, for (ep = bp->first_entry; ep; ep = ep->next) { if (digest && memcmp(digest, ep->digest, evpmdsize) == 0) { BIO_printf(bio_err, - "%s: skipping duplicate %s in %s\n", opt_getprog(), + "%s: warning: skipping duplicate %s in %s\n", + opt_getprog(), type == TYPE_CERT ? "certificate" : "CRL", filename); - return 1; + return 0; } if (strcmp(filename, ep->filename) == 0) { found = ep; @@ -144,7 +145,7 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename, if (ep == NULL) { if (bp->num_needed >= MAX_COLLISIONS) { BIO_printf(bio_err, - "%s: hash table overflow for %s\n", + "%s: error: hash table overflow for %s\n", opt_getprog(), filename); return 1; } @@ -235,7 +236,7 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) /* Does it have X.509 data in it? */ if ((b = BIO_new_file(fullpath, "r")) == NULL) { - BIO_printf(bio_err, "%s: skipping %s, cannot open file\n", + BIO_printf(bio_err, "%s: error: skipping %s, cannot open file\n", opt_getprog(), filename); errs++; goto end; @@ -247,7 +248,7 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) if (sk_X509_INFO_num(inf) != 1) { BIO_printf(bio_err, - "%s: skipping %s," + "%s: warning: skipping %s," "it does not contain exactly one certificate or CRL\n", opt_getprog(), filename); /* This is not an error. */ @@ -502,13 +503,14 @@ int rehash_main(int argc, char **argv) if (*argv) { while (*argv) errs += do_dir(*argv++, h); - } else if ((env = getenv("SSL_CERT_DIR")) != NULL) { + } else if ((env = getenv(X509_get_default_cert_dir_env())) != NULL) { + char lsc[2] = { LIST_SEPARATOR_CHAR, '\0' }; m = OPENSSL_strdup(env); - for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":")) + for (e = strtok(m, lsc); e != NULL; e = strtok(NULL, lsc)) errs += do_dir(e, h); OPENSSL_free(m); } else { - errs += do_dir("/etc/ssl/certs", h); + errs += do_dir(X509_get_default_cert_dir(), h); } end: diff --git a/crypto/external/bsd/openssl/dist/apps/s_client.c b/crypto/external/bsd/openssl/dist/apps/s_client.c index fb89f0cd6131..3c0c73e8516c 100644 --- a/crypto/external/bsd/openssl/dist/apps/s_client.c +++ b/crypto/external/bsd/openssl/dist/apps/s_client.c @@ -593,7 +593,8 @@ OPTIONS s_client_options[] = { "Disable name checks when matching DANE-EE(3) TLSA records"}, {"reconnect", OPT_RECONNECT, '-', "Drop and re-make the connection with the same Session-ID"}, - {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"}, + {"showcerts", OPT_SHOWCERTS, '-', + "Show all certificates sent by the server"}, {"debug", OPT_DEBUG, '-', "Extra output"}, {"msg", OPT_MSG, '-', "Show protocol messages"}, {"msgfile", OPT_MSGFILE, '>', @@ -2114,8 +2115,7 @@ int s_client_main(int argc, char **argv) FD_ZERO(&readfds); FD_ZERO(&writefds); - if ((SSL_version(con) == DTLS1_VERSION) && - DTLSv1_get_timeout(con, &timeout)) + if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)) timeoutp = &timeout; else timeoutp = NULL; @@ -2235,10 +2235,8 @@ int s_client_main(int argc, char **argv) } } - if ((SSL_version(con) == DTLS1_VERSION) - && DTLSv1_handle_timeout(con) > 0) { + if (SSL_is_dtls(con) && DTLSv1_handle_timeout(con) > 0) BIO_printf(bio_err, "TIMEOUT occurred\n"); - } if (!ssl_pending && FD_ISSET(SSL_get_fd(con), &writefds)) { k = SSL_write(con, &(cbuf[cbuf_off]), (unsigned int)cbuf_len); diff --git a/crypto/external/bsd/openssl/dist/apps/s_server.c b/crypto/external/bsd/openssl/dist/apps/s_server.c index 31c90fdd0e64..e8aa323a4f9e 100644 --- a/crypto/external/bsd/openssl/dist/apps/s_server.c +++ b/crypto/external/bsd/openssl/dist/apps/s_server.c @@ -2012,9 +2012,7 @@ static int sv_body(int s, int stype, unsigned char *context) SSL *con = NULL; BIO *sbio; struct timeval timeout; -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) - struct timeval tv; -#else +#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)) struct timeval *timeoutp; #endif @@ -2149,26 +2147,23 @@ static int sv_body(int s, int stype, unsigned char *context) * second and check for any keypress. In a proper Windows * application we wouldn't do this because it is inefficient. */ - tv.tv_sec = 1; - tv.tv_usec = 0; - i = select(width, (void *)&readfds, NULL, NULL, &tv); + timeout.tv_sec = 1; + timeout.tv_usec = 0; + i = select(width, (void *)&readfds, NULL, NULL, &timeout); if (has_stdin_waiting()) read_from_terminal = 1; if ((i < 0) || (!i && !read_from_terminal)) continue; #else - if ((SSL_version(con) == DTLS1_VERSION) && - DTLSv1_get_timeout(con, &timeout)) + if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)) timeoutp = &timeout; else timeoutp = NULL; i = select(width, (void *)&readfds, NULL, NULL, timeoutp); - if ((SSL_version(con) == DTLS1_VERSION) - && DTLSv1_handle_timeout(con) > 0) { + if ((SSL_is_dtls(con)) && DTLSv1_handle_timeout(con) > 0) BIO_printf(bio_err, "TIMEOUT occurred\n"); - } if (i <= 0) continue; diff --git a/crypto/external/bsd/openssl/dist/apps/speed.c b/crypto/external/bsd/openssl/dist/apps/speed.c index b0a7b6ece18c..3ef37b78a658 100644 --- a/crypto/external/bsd/openssl/dist/apps/speed.c +++ b/crypto/external/bsd/openssl/dist/apps/speed.c @@ -129,13 +129,6 @@ #define BUFSIZE (1024*16+1) #define MAX_MISALIGNMENT 63 -#define ALGOR_NUM 30 -#define SIZE_NUM 6 -#define PRIME_NUM 3 -#define RSA_NUM 7 -#define DSA_NUM 3 - -#define EC_NUM 17 #define MAX_ECDH_SIZE 256 #define MISALIGN 64 @@ -144,37 +137,6 @@ static volatile int run = 0; static int mr = 0; static int usertime = 1; -typedef void *(*kdf_fn) ( - const void *in, size_t inlen, void *out, size_t *xoutlen); - -typedef struct loopargs_st { - ASYNC_JOB *inprogress_job; - ASYNC_WAIT_CTX *wait_ctx; - unsigned char *buf; - unsigned char *buf2; - unsigned char *buf_malloc; - unsigned char *buf2_malloc; - unsigned int siglen; -#ifndef OPENSSL_NO_RSA - RSA *rsa_key[RSA_NUM]; -#endif -#ifndef OPENSSL_NO_DSA - DSA *dsa_key[DSA_NUM]; -#endif -#ifndef OPENSSL_NO_EC - EC_KEY *ecdsa[EC_NUM]; - EC_KEY *ecdh_a[EC_NUM]; - EC_KEY *ecdh_b[EC_NUM]; - unsigned char *secret_a; - unsigned char *secret_b; - size_t outlen; - kdf_fn kdf; -#endif - EVP_CIPHER_CTX *ctx; - HMAC_CTX *hctx; - GCM128_CONTEXT *gcm_ctx; -} loopargs_t; - #ifndef OPENSSL_NO_MD2 static int EVP_Digest_MD2_loop(void *args); #endif @@ -227,7 +189,6 @@ static int ECDSA_sign_loop(void *args); static int ECDSA_verify_loop(void *args); static int ECDH_compute_key_loop(void *args); #endif -static int run_benchmark(int async_jobs, int (*loop_function)(void *), loopargs_t *loopargs); static double Time_F(int s); static void print_message(const char *s, long num, int length); @@ -238,32 +199,10 @@ static void print_result(int alg, int run_no, int count, double time_used); static int do_multi(int multi); #endif -static const char *names[ALGOR_NUM] = { - "md2", "mdc2", "md4", "md5", "hmac(md5)", "sha1", "rmd160", "rc4", - "des cbc", "des ede3", "idea cbc", "seed cbc", - "rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc", - "aes-128 cbc", "aes-192 cbc", "aes-256 cbc", - "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc", - "evp", "sha256", "sha512", "whirlpool", - "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash" -}; - -static double results[ALGOR_NUM][SIZE_NUM]; - -static const int lengths[SIZE_NUM] = { +static const int lengths[] = { 16, 64, 256, 1024, 8 * 1024, 16 * 1024 }; - -#ifndef OPENSSL_NO_RSA -static double rsa_results[RSA_NUM][2]; -#endif -#ifndef OPENSSL_NO_DSA -static double dsa_results[DSA_NUM][2]; -#endif -#ifndef OPENSSL_NO_EC -static double ecdsa_results[EC_NUM][2]; -static double ecdh_results[EC_NUM][1]; -#endif +#define SIZE_NUM OSSL_NELEM(lengths) #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) static const char rnd_seed[] = @@ -348,9 +287,14 @@ static double Time_F(int s) static void multiblock_speed(const EVP_CIPHER *evp_cipher); -static int found(const char *name, const OPT_PAIR *pairs, int *result) +#define found(value, pairs, result)\ + opt_found(value, result, pairs, OSSL_NELEM(pairs)) +static int opt_found(const char *name, unsigned int *result, + const OPT_PAIR pairs[], unsigned int nbelem) { - for (; pairs->name; pairs++) + unsigned int idx; + + for (idx = 0; idx < nbelem; ++idx, pairs++) if (strcmp(name, pairs->name) == 0) { *result = pairs->retval; return 1; @@ -387,7 +331,7 @@ OPTIONS speed_options[] = { #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif - {NULL}, + {NULL} }; #define D_MD2 0 @@ -420,7 +364,19 @@ OPTIONS speed_options[] = { #define D_IGE_192_AES 27 #define D_IGE_256_AES 28 #define D_GHASH 29 -static OPT_PAIR doit_choices[] = { +/* name of algorithms to test */ +static const char *names[] = { + "md2", "mdc2", "md4", "md5", "hmac(md5)", "sha1", "rmd160", "rc4", + "des cbc", "des ede3", "idea cbc", "seed cbc", + "rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc", + "aes-128 cbc", "aes-192 cbc", "aes-256 cbc", + "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc", + "evp", "sha256", "sha512", "whirlpool", + "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash" +}; +#define ALGOR_NUM OSSL_NELEM(names) +/* list of configured algorithm (remaining) */ +static const OPT_PAIR doit_choices[] = { #ifndef OPENSSL_NO_MD2 {"md2", D_MD2}, #endif @@ -484,21 +440,24 @@ static OPT_PAIR doit_choices[] = { {"cast", D_CBC_CAST}, {"cast5", D_CBC_CAST}, #endif - {"ghash", D_GHASH}, - {NULL} + {"ghash", D_GHASH} }; +static double results[ALGOR_NUM][SIZE_NUM]; + #ifndef OPENSSL_NO_DSA # define R_DSA_512 0 # define R_DSA_1024 1 # define R_DSA_2048 2 -static OPT_PAIR dsa_choices[] = { +static const OPT_PAIR dsa_choices[] = { {"dsa512", R_DSA_512}, {"dsa1024", R_DSA_1024}, - {"dsa2048", R_DSA_2048}, - {NULL}, + {"dsa2048", R_DSA_2048} }; -#endif +# define DSA_NUM OSSL_NELEM(dsa_choices) + +static double dsa_results[DSA_NUM][2]; /* 2 ops: sign then verify */ +#endif /* OPENSSL_NO_DSA */ #define R_RSA_512 0 #define R_RSA_1024 1 @@ -507,16 +466,18 @@ static OPT_PAIR dsa_choices[] = { #define R_RSA_4096 4 #define R_RSA_7680 5 #define R_RSA_15360 6 -static OPT_PAIR rsa_choices[] = { +static const OPT_PAIR rsa_choices[] = { {"rsa512", R_RSA_512}, {"rsa1024", R_RSA_1024}, {"rsa2048", R_RSA_2048}, {"rsa3072", R_RSA_3072}, {"rsa4096", R_RSA_4096}, {"rsa7680", R_RSA_7680}, - {"rsa15360", R_RSA_15360}, - {NULL} + {"rsa15360", R_RSA_15360} }; +# define RSA_NUM OSSL_NELEM(rsa_choices) + +static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */ #define R_EC_P160 0 #define R_EC_P192 1 @@ -536,7 +497,7 @@ static OPT_PAIR rsa_choices[] = { #define R_EC_B571 15 #define R_EC_X25519 16 #ifndef OPENSSL_NO_EC -static OPT_PAIR ecdsa_choices[] = { +static const OPT_PAIR ecdsa_choices[] = { {"ecdsap160", R_EC_P160}, {"ecdsap192", R_EC_P192}, {"ecdsap224", R_EC_P224}, @@ -552,11 +513,13 @@ static OPT_PAIR ecdsa_choices[] = { {"ecdsab233", R_EC_B233}, {"ecdsab283", R_EC_B283}, {"ecdsab409", R_EC_B409}, - {"ecdsab571", R_EC_B571}, - {NULL} + {"ecdsab571", R_EC_B571} }; +# define ECDSA_NUM OSSL_NELEM(ecdsa_choices) -static OPT_PAIR ecdh_choices[] = { +static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */ + +static const OPT_PAIR ecdh_choices[] = { {"ecdhp160", R_EC_P160}, {"ecdhp192", R_EC_P192}, {"ecdhp224", R_EC_P224}, @@ -576,7 +539,10 @@ static OPT_PAIR ecdh_choices[] = { {"ecdhx25519", R_EC_X25519}, {NULL} }; -#endif +# define EC_NUM OSSL_NELEM(ecdh_choices) + +static double ecdh_results[EC_NUM][1]; /* 1 op: derivation */ +#endif /* OPENSSL_NO_EC */ #ifndef SIGALRM # define COND(d) (count < (d)) @@ -586,7 +552,40 @@ static OPT_PAIR ecdh_choices[] = { # define COUNT(d) (count) #endif /* SIGALRM */ -static int testnum; +static unsigned int testnum; +typedef void *(*kdf_fn) (const void *in, size_t inlen, void *out, + size_t *xoutlen); + +typedef struct loopargs_st { + ASYNC_JOB *inprogress_job; + ASYNC_WAIT_CTX *wait_ctx; + unsigned char *buf; + unsigned char *buf2; + unsigned char *buf_malloc; + unsigned char *buf2_malloc; + unsigned int siglen; +#ifndef OPENSSL_NO_RSA + RSA *rsa_key[RSA_NUM]; +#endif +#ifndef OPENSSL_NO_DSA + DSA *dsa_key[DSA_NUM]; +#endif +#ifndef OPENSSL_NO_EC + EC_KEY *ecdsa[ECDSA_NUM]; + EC_KEY *ecdh_a[EC_NUM]; + EC_KEY *ecdh_b[EC_NUM]; + unsigned char *secret_a; + unsigned char *secret_b; + size_t outlen; + kdf_fn kdf; +#endif + EVP_CIPHER_CTX *ctx; + HMAC_CTX *hctx; + GCM128_CONTEXT *gcm_ctx; +} loopargs_t; + +static int run_benchmark(int async_jobs, int (*loop_function) (void *), + loopargs_t * loopargs); /* Nb of iterations to do per algorithm and key-size */ static long c[ALGOR_NUM][SIZE_NUM]; @@ -995,7 +994,7 @@ static int DSA_verify_loop(void *args) #endif #ifndef OPENSSL_NO_EC -static long ecdsa_c[EC_NUM][2]; +static long ecdsa_c[ECDSA_NUM][2]; static int ECDSA_sign_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **)args; @@ -1222,26 +1221,23 @@ int speed_main(int argc, char **argv) { ENGINE *e = NULL; loopargs_t *loopargs = NULL; - int async_init = 0; - int loopargs_len = 0; - char *prog; + const char *prog; const char *engine_id = NULL; const EVP_CIPHER *evp_cipher = NULL; double d = 0.0; OPTION_CHOICE o; - int multiblock = 0, pr_header = 0; + int async_init = 0, multiblock = 0, pr_header = 0; int doit[ALGOR_NUM] = { 0 }; - int ret = 1, i, k, misalign = 0; + int ret = 1, misalign = 0; long count = 0; + unsigned int i, k, loop, loopargs_len = 0, async_jobs = 0; #ifndef NO_FORK int multi = 0; #endif - unsigned int async_jobs = 0; #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) \ || !defined(OPENSSL_NO_EC) long rsa_count = 1; #endif - size_t loop; /* What follows are the buffers and key material. */ #ifndef OPENSSL_NO_RC5 @@ -1325,7 +1321,7 @@ int speed_main(int argc, char **argv) /* * We only test over the following curves as they are representative, To * add tests over more curves, simply add the curve NID and curve name to - * the following arrays and increase the EC_NUM value accordingly. + * the following arrays and increase the |ecdh_choices| list accordingly. */ static const unsigned int test_curves[EC_NUM] = { /* Prime Curves */ @@ -1360,7 +1356,7 @@ int speed_main(int argc, char **argv) 571, 253 /* X25519 */ }; - int ecdsa_doit[EC_NUM] = { 0 }; + int ecdsa_doit[ECDSA_NUM] = { 0 }; int ecdh_doit[EC_NUM] = { 0 }; #endif /* ndef OPENSSL_NO_EC */ @@ -1418,9 +1414,7 @@ int speed_main(int argc, char **argv) goto opterr; } if (async_jobs > 99999) { - BIO_printf(bio_err, - "%s: too many async_jobs\n", - prog); + BIO_printf(bio_err, "%s: too many async_jobs\n", prog); goto opterr; } #endif @@ -1471,10 +1465,8 @@ int speed_main(int argc, char **argv) if (strcmp(*argv, "openssl") == 0) continue; if (strcmp(*argv, "rsa") == 0) { - rsa_doit[R_RSA_512] = rsa_doit[R_RSA_1024] = - rsa_doit[R_RSA_2048] = rsa_doit[R_RSA_3072] = - rsa_doit[R_RSA_4096] = rsa_doit[R_RSA_7680] = - rsa_doit[R_RSA_15360] = 1; + for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++) + rsa_doit[loop] = 1; continue; } if (found(*argv, rsa_choices, &i)) { @@ -1507,8 +1499,8 @@ int speed_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_EC if (strcmp(*argv, "ecdsa") == 0) { - for (loop = 0; loop < OSSL_NELEM(ecdsa_choices); loop++) - ecdsa_doit[ecdsa_choices[loop].retval] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) + ecdsa_doit[loop] = 1; continue; } if (found(*argv, ecdsa_choices, &i)) { @@ -1516,8 +1508,8 @@ int speed_main(int argc, char **argv) continue; } if (strcmp(*argv, "ecdh") == 0) { - for (loop = 0; loop < OSSL_NELEM(ecdh_choices); loop++) - ecdh_doit[ecdh_choices[loop].retval] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) + ecdh_doit[loop] = 1; continue; } if (found(*argv, ecdh_choices, &i)) { @@ -1584,10 +1576,10 @@ int speed_main(int argc, char **argv) dsa_doit[i] = 1; #endif #ifndef OPENSSL_NO_EC - for (loop = 0; loop < OSSL_NELEM(ecdsa_choices); loop++) - ecdsa_doit[ecdsa_choices[loop].retval] = 1; - for (loop = 0; loop < OSSL_NELEM(ecdh_choices); loop++) - ecdh_doit[ecdh_choices[loop].retval] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) + ecdsa_doit[loop] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) + ecdh_doit[loop] = 1; #endif } for (i = 0; i < ALGOR_NUM; i++) @@ -1850,6 +1842,8 @@ int speed_main(int argc, char **argv) } } } + /* default iteration count for the last EC Curve */ + ecdh_c[R_EC_X25519][0] = count / 1800; # endif # else @@ -2472,7 +2466,7 @@ int speed_main(int argc, char **argv) if (RAND_status() != 1) { RAND_seed(rnd_seed, sizeof(rnd_seed)); } - for (testnum = 0; testnum < EC_NUM; testnum++) { + for (testnum = 0; testnum < ECDSA_NUM; testnum++) { int st = 1; if (!ecdsa_doit[testnum]) @@ -2584,7 +2578,7 @@ int speed_main(int argc, char **argv) ecdh_checks = 0; rsa_count = 1; } else { - int secret_size_a, secret_size_b; + int secret_size_a, secret_size_b, j; /* * If field size is not more than 24 octets, then use SHA-1 * hash of result; otherwise, use result (see section 4.8 of @@ -2613,8 +2607,8 @@ int speed_main(int argc, char **argv) else ecdh_checks = 1; - for (k = 0; k < secret_size_a && ecdh_checks == 1; k++) { - if (loopargs[i].secret_a[k] != loopargs[i].secret_b[k]) + for (j = 0; j < secret_size_a && ecdh_checks == 1; j++) { + if (loopargs[i].secret_a[j] != loopargs[i].secret_b[j]) ecdh_checks = 0; } @@ -2644,7 +2638,7 @@ int speed_main(int argc, char **argv) if (rsa_count <= 1) { /* if longer than 10s, don't do any more */ - for (testnum++; testnum < EC_NUM; testnum++) + for (testnum++; testnum < OSSL_NELEM(ecdh_doit); testnum++) ecdh_doit[testnum] = 0; } } @@ -2693,7 +2687,7 @@ int speed_main(int argc, char **argv) if (!doit[k]) continue; if (mr) - printf("+F:%d:%s", k, names[k]); + printf("+F:%u:%s", k, names[k]); else printf("%-13s", names[k]); for (testnum = 0; testnum < SIZE_NUM; testnum++) { @@ -2742,7 +2736,7 @@ int speed_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_EC testnum = 1; - for (k = 0; k < EC_NUM; k++) { + for (k = 0; k < OSSL_NELEM(ecdsa_doit); k++) { if (!ecdsa_doit[k]) continue; if (testnum && !mr) { @@ -2800,8 +2794,9 @@ int speed_main(int argc, char **argv) DSA_free(loopargs[i].dsa_key[k]); #endif #ifndef OPENSSL_NO_EC - for (k = 0; k < EC_NUM; k++) { + for (k = 0; k < ECDSA_NUM; k++) EC_KEY_free(loopargs[i].ecdsa[k]); + for (k = 0; k < EC_NUM; k++) { EC_KEY_free(loopargs[i].ecdh_a[k]); EC_KEY_free(loopargs[i].ecdh_b[k]); } @@ -2950,7 +2945,7 @@ static int do_multi(int multi) printf("Got: %s from %d\n", buf, n); if (strncmp(buf, "+F:", 3) == 0) { int alg; - int j; + unsigned int j; p = buf + 3; alg = atoi(sstrsep(&p, sep)); diff --git a/crypto/external/bsd/openssl/dist/apps/verify.c b/crypto/external/bsd/openssl/dist/apps/verify.c index 0925ee627fd2..8bcbff61774a 100644 --- a/crypto/external/bsd/openssl/dist/apps/verify.c +++ b/crypto/external/bsd/openssl/dist/apps/verify.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -219,6 +219,7 @@ static int check(X509_STORE *ctx, const char *file, X509_STORE_set_flags(ctx, vflags); if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) { + X509_STORE_CTX_free(csc); printf("error %s: X.509 store context initialization failed\n", (file == NULL) ? "stdin" : file); goto end; diff --git a/crypto/external/bsd/openssl/dist/appveyor.yml b/crypto/external/bsd/openssl/dist/appveyor.yml index 8dd6cb6fb0af..ba291fdd174b 100644 --- a/crypto/external/bsd/openssl/dist/appveyor.yml +++ b/crypto/external/bsd/openssl/dist/appveyor.yml @@ -41,5 +41,5 @@ test_script: - cd _build - nmake test - mkdir ..\_install - - nmake install install_docs DESTDIR=..\_install + - nmake install DESTDIR=..\_install - cd .. diff --git a/crypto/external/bsd/openssl/dist/configdata.pm b/crypto/external/bsd/openssl/dist/configdata.pm index db118767faa2..e0689f5efae3 100644 --- a/crypto/external/bsd/openssl/dist/configdata.pm +++ b/crypto/external/bsd/openssl/dist/configdata.pm @@ -22,7 +22,7 @@ our %config = ( builddir => ".", cc => "cc", cflags => "", - conf_files => [ "Configurations/90-team.conf" ], + conf_files => [ "Configurations/00-base-templates.conf", "Configurations/dist.conf" ], cross_compile_prefix => "", defines => [ "NDEBUG", "OPENSSL_NO_DYNAMIC_ENGINE" ], dirs => [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ], @@ -57,12 +57,12 @@ our %config = ( shlib_version_number => "1.1", sourcedir => ".", target => "dist", - version => "1.1.0h", - version_num => "0x1010008fL", + version => "1.1.0i", + version_num => "0x1010009fL", ); our %target = ( - _conf_fname_int => [ "Configurations/90-team.conf" ], + _conf_fname_int => [ "Configurations/00-base-templates.conf", "Configurations/00-base-templates.conf", "Configurations/dist.conf" ], aes_asm_src => "aes_core.c aes_cbc.c", aes_obj => "aes_core.o aes_cbc.o", apps_aux_src => "", @@ -1078,6 +1078,10 @@ our %unified_info = ( [ "libcrypto", ], + "test/errtest" => + [ + "libcrypto", + ], "test/evp_extra_test" => [ "libcrypto", @@ -1244,10 +1248,22 @@ our %unified_info = ( [ "libcrypto", ], + "test/versions" => + [ + "libcrypto", + ], "test/wp_test" => [ "libcrypto", ], + "test/x509_dup_cert_test" => + [ + "libcrypto", + ], + "test/x509_time_test" => + [ + "libcrypto", + ], "test/x509aux" => [ "libcrypto", @@ -3909,6 +3925,12 @@ our %unified_info = ( "crypto/include", "include", ], + "crypto/conf/conf_ssl.o" => + [ + ".", + "crypto/include", + "include", + ], "crypto/cpt_err.o" => [ ".", @@ -6167,6 +6189,12 @@ our %unified_info = ( "crypto/include", "include", ], + "crypto/x509/x509_meth.o" => + [ + ".", + "crypto/include", + "include", + ], "crypto/x509/x509_obj.o" => [ ".", @@ -7158,6 +7186,10 @@ our %unified_info = ( [ "include", ], + "test/errtest.o" => + [ + "include", + ], "test/evp_extra_test.o" => [ "include", @@ -7330,8 +7362,8 @@ our %unified_info = ( ], "test/testutil.o" => [ - "crypto/include", "test", + "crypto/include", "include", ".", ], @@ -7352,10 +7384,23 @@ our %unified_info = ( [ "include", ], + "test/versions.o" => + [ + "include", + ], "test/wp_test.o" => [ "include", ], + "test/x509_dup_cert_test.o" => + [ + "include", + ], + "test/x509_time_test.o" => + [ + ".", + "include", + ], "test/x509aux.o" => [ "include", @@ -7512,6 +7557,7 @@ our %unified_info = ( "test/ecdsatest", "test/ectest", "test/enginetest", + "test/errtest", "test/evp_extra_test", "test/evp_test", "test/exdatatest", @@ -7552,7 +7598,10 @@ our %unified_info = ( "test/v3ext", "test/v3nametest", "test/verify_extra_test", + "test/versions", "test/wp_test", + "test/x509_dup_cert_test", + "test/x509_time_test", "test/x509aux", ], "rawlines" => @@ -7937,6 +7986,9 @@ our %unified_info = ( "test/enginetest" => [ ], + "test/errtest" => + [ + ], "test/evp_extra_test" => [ ], @@ -8057,9 +8109,18 @@ our %unified_info = ( "test/verify_extra_test" => [ ], + "test/versions" => + [ + ], "test/wp_test" => [ ], + "test/x509_dup_cert_test" => + [ + ], + "test/x509_time_test" => + [ + ], "test/x509aux" => [ ], @@ -9060,6 +9121,10 @@ our %unified_info = ( [ "crypto/conf/conf_sap.c", ], + "crypto/conf/conf_ssl.o" => + [ + "crypto/conf/conf_ssl.c", + ], "crypto/cpt_err.o" => [ "crypto/cpt_err.c", @@ -10500,6 +10565,10 @@ our %unified_info = ( [ "crypto/x509/x509_lu.c", ], + "crypto/x509/x509_meth.o" => + [ + "crypto/x509/x509_meth.c", + ], "crypto/x509/x509_obj.o" => [ "crypto/x509/x509_obj.c", @@ -11022,6 +11091,7 @@ our %unified_info = ( "crypto/conf/conf_mall.o", "crypto/conf/conf_mod.o", "crypto/conf/conf_sap.o", + "crypto/conf/conf_ssl.o", "crypto/cpt_err.o", "crypto/cryptlib.o", "crypto/ct/ct_b64.o", @@ -11382,6 +11452,7 @@ our %unified_info = ( "crypto/x509/x509_err.o", "crypto/x509/x509_ext.o", "crypto/x509/x509_lu.o", + "crypto/x509/x509_meth.o", "crypto/x509/x509_obj.o", "crypto/x509/x509_r2x.o", "crypto/x509/x509_req.o", @@ -12393,6 +12464,15 @@ our %unified_info = ( [ "test/enginetest.c", ], + "test/errtest" => + [ + "test/errtest.o", + "test/testutil.o", + ], + "test/errtest.o" => + [ + "test/errtest.c", + ], "test/evp_extra_test" => [ "test/evp_extra_test.o", @@ -12742,6 +12822,14 @@ our %unified_info = ( [ "test/verify_extra_test.c", ], + "test/versions" => + [ + "test/versions.o", + ], + "test/versions.o" => + [ + "test/versions.c", + ], "test/wp_test" => [ "test/wp_test.o", @@ -12750,6 +12838,23 @@ our %unified_info = ( [ "test/wp_test.c", ], + "test/x509_dup_cert_test" => + [ + "test/x509_dup_cert_test.o", + ], + "test/x509_dup_cert_test.o" => + [ + "test/x509_dup_cert_test.c", + ], + "test/x509_time_test" => + [ + "test/testutil.o", + "test/x509_time_test.o", + ], + "test/x509_time_test.o" => + [ + "test/x509_time_test.c", + ], "test/x509aux" => [ "test/x509aux.o", diff --git a/crypto/external/bsd/openssl/dist/crypto/arm_arch.h b/crypto/external/bsd/openssl/dist/crypto/arm_arch.h index 3fc9e69b1c0a..25419e0df17d 100644 --- a/crypto/external/bsd/openssl/dist/crypto/arm_arch.h +++ b/crypto/external/bsd/openssl/dist/crypto/arm_arch.h @@ -1,5 +1,5 @@ /* - * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -69,7 +69,7 @@ # endif # endif -# if !__ASSEMBLER__ +# ifndef __ASSEMBLER__ extern unsigned int OPENSSL_armcap_P; # endif diff --git a/crypto/external/bsd/openssl/dist/crypto/armcap.c b/crypto/external/bsd/openssl/dist/crypto/armcap.c index 432a06c0c126..28e97c8c4a04 100644 --- a/crypto/external/bsd/openssl/dist/crypto/armcap.c +++ b/crypto/external/bsd/openssl/dist/crypto/armcap.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,6 +13,7 @@ #include #include #include +#include #include "arm_arch.h" diff --git a/crypto/external/bsd/openssl/dist/crypto/armv4cpuid.pl b/crypto/external/bsd/openssl/dist/crypto/armv4cpuid.pl index f7d31a698ae7..ab007c19c3cd 100644 --- a/crypto/external/bsd/openssl/dist/crypto/armv4cpuid.pl +++ b/crypto/external/bsd/openssl/dist/crypto/armv4cpuid.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -125,7 +125,7 @@ CRYPTO_memcmp: ldmia sp!,{r4,r5} .Lno_data: - neg r0,ip + rsb r0,ip,#0 mov r0,r0,lsr#31 #if __ARM_ARCH__>=5 bx lr diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/a_object.c b/crypto/external/bsd/openssl/dist/crypto/asn1/a_object.c index 1ec7a7e15f4f..7d332ec2f6e1 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/a_object.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/a_object.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -19,7 +19,7 @@ int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp) { - unsigned char *p; + unsigned char *p, *allocated = NULL; int objsize; if ((a == NULL) || (a->data == NULL)) @@ -29,13 +29,24 @@ int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp) if (pp == NULL || objsize == -1) return objsize; - p = *pp; + if (*pp == NULL) { + if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) { + ASN1err(ASN1_F_I2D_ASN1_OBJECT, ERR_R_MALLOC_FAILURE); + return 0; + } + } else { + p = *pp; + } + ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL); memcpy(p, a->data, a->length); - p += a->length; - *pp = p; - return (objsize); + /* + * If a new buffer was allocated, just return it back. + * If not, return the incremented buffer pointer. + */ + *pp = allocated != NULL ? allocated : p + a->length; + return objsize; } int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num) diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/a_strex.c b/crypto/external/bsd/openssl/dist/crypto/asn1/a_strex.c index b91266b3c52f..207190c52b22 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/a_strex.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/a_strex.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -139,7 +139,7 @@ static int do_buf(unsigned char *buf, int buflen, int type, unsigned short flags, char *quotes, char_io *io_ch, void *arg) { - int i, outlen, len; + int i, outlen, len, charwidth; unsigned short orflags; unsigned char *p, *q; unsigned long c; @@ -147,12 +147,32 @@ static int do_buf(unsigned char *buf, int buflen, p = buf; q = buf + buflen; outlen = 0; + charwidth = type & BUF_TYPE_WIDTH_MASK; + + switch (charwidth) { + case 4: + if (buflen & 3) { + ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH); + return -1; + } + break; + case 2: + if (buflen & 1) { + ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_BMPSTRING_LENGTH); + return -1; + } + break; + default: + break; + } + while (p != q) { if (p == buf && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_FIRST_ESC_2253; else orflags = 0; - switch (type & BUF_TYPE_WIDTH_MASK) { + + switch (charwidth) { case 4: c = ((unsigned long)*p++) << 24; c |= ((unsigned long)*p++) << 16; @@ -173,6 +193,7 @@ static int do_buf(unsigned char *buf, int buflen, i = UTF8_getc(p, buflen, &c); if (i < 0) return -1; /* Invalid UTF8String */ + buflen -= i; p += i; break; default: @@ -592,53 +613,3 @@ int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in) *out = stmp.data; return stmp.length; } - -/* Return 1 if host is a valid hostname and 0 otherwise */ -int asn1_valid_host(const ASN1_STRING *host) -{ - int hostlen = host->length; - const unsigned char *hostptr = host->data; - int type = host->type; - int i; - signed char width = -1; - unsigned short chflags = 0, prevchflags; - - if (type > 0 && type < 31) - width = tag2nbyte[type]; - if (width == -1 || hostlen == 0) - return 0; - /* Treat UTF8String as width 1 as any MSB set is invalid */ - if (width == 0) - width = 1; - for (i = 0 ; i < hostlen; i+= width) { - prevchflags = chflags; - /* Value must be <= 0x7F: check upper bytes are all zeroes */ - if (width == 4) { - if (*hostptr++ != 0 || *hostptr++ != 0 || *hostptr++ != 0) - return 0; - } else if (width == 2) { - if (*hostptr++ != 0) - return 0; - } - if (*hostptr > 0x7f) - return 0; - chflags = char_type[*hostptr++]; - if (!(chflags & (CHARTYPE_HOST_ANY | CHARTYPE_HOST_WILD))) { - /* Nothing else allowed at start or end of string */ - if (i == 0 || i == hostlen - 1) - return 0; - /* Otherwise invalid if not dot or hyphen */ - if (!(chflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN))) - return 0; - /* - * If previous is dot or hyphen then illegal unless both - * are hyphens: as .- -. .. are all illegal - */ - if (prevchflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN) - && ((prevchflags & CHARTYPE_HOST_DOT) - || (chflags & CHARTYPE_HOST_DOT))) - return 0; - } - } - return 1; -} diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/ameth_lib.c b/crypto/external/bsd/openssl/dist/crypto/asn1/ameth_lib.c index b8ba06787763..9b0a2ccb20b7 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/ameth_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/ameth_lib.c @@ -255,6 +255,18 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, goto err; } + /* + * One of the following must be true: + * + * pem_str == NULL AND ASN1_PKEY_ALIAS is set + * pem_str != NULL AND ASN1_PKEY_ALIAS is clear + * + * Anything else is an error and may lead to a corrupt ASN1 method table + */ + if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0) + || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0))) + goto err; + if (pem_str) { ameth->pem_str = OPENSSL_strdup(pem_str); if (!ameth->pem_str) diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c b/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c index 8602c408d962..5d895d30095d 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c @@ -92,8 +92,10 @@ static ERR_STRING_DATA ASN1_str_functs[] = { {ERR_FUNC(ASN1_F_D2I_AUTOPRIVATEKEY), "d2i_AutoPrivateKey"}, {ERR_FUNC(ASN1_F_D2I_PRIVATEKEY), "d2i_PrivateKey"}, {ERR_FUNC(ASN1_F_D2I_PUBLICKEY), "d2i_PublicKey"}, + {ERR_FUNC(ASN1_F_DO_BUF), "do_buf"}, {ERR_FUNC(ASN1_F_DO_TCREATE), "do_tcreate"}, {ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"}, + {ERR_FUNC(ASN1_F_I2D_ASN1_OBJECT), "i2d_ASN1_OBJECT"}, {ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"}, {ERR_FUNC(ASN1_F_I2D_EC_PUBKEY), "i2d_EC_PUBKEY"}, {ERR_FUNC(ASN1_F_I2D_PRIVATEKEY), "i2d_PrivateKey"}, diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c b/crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c index 84475e9470d9..da0085f680cd 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c @@ -969,12 +969,14 @@ static int strip_eol(char *linebuf, int *plen, int flags) p = linebuf + len - 1; for (p = linebuf + len - 1; len > 0; len--, p--) { c = *p; - if (c == '\n') + if (c == '\n') { is_eol = 1; - else if (is_eol && flags & SMIME_ASCIICRLF && c < 33) + } else if (is_eol && flags & SMIME_ASCIICRLF && c == 32) { + /* Strip trailing space on a line; 32 == ASCII for ' ' */ continue; - else if (c != '\r') + } else if (c != '\r') { break; + } } *plen = len; return is_eol; diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/p5_scrypt.c b/crypto/external/bsd/openssl/dist/crypto/asn1/p5_scrypt.c index 4cb783749881..10a736023351 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/p5_scrypt.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/p5_scrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -91,7 +91,7 @@ X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, if (EVP_CIPHER_iv_length(cipher)) { if (aiv) memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); - else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0) + else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) goto err; } diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c b/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c index caa48696da4e..3b723a1845db 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -528,6 +528,8 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, otmp = (ASN1_OBJECT *)*pval; cont = otmp->data; len = otmp->length; + if (cont == NULL || len == 0) + return -1; break; case V_ASN1_NULL: diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_utl.c b/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_utl.c index f79d7d6b447c..832603b1dbcd 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_utl.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_utl.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -76,7 +76,7 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) } return 1; } - if (CRYPTO_atomic_add(lck, op, &ret, *lock) < 0) + if (!CRYPTO_atomic_add(lck, op, &ret, *lock)) return -1; /* failed */ #ifdef REF_PRINT fprintf(stderr, "%p:%4d:%s\n", it, *lck, it->sname); diff --git a/crypto/external/bsd/openssl/dist/crypto/async/async.c b/crypto/external/bsd/openssl/dist/crypto/async/async.c index 9a4e6b26574f..0862cca21ae2 100644 --- a/crypto/external/bsd/openssl/dist/crypto/async/async.c +++ b/crypto/external/bsd/openssl/dist/crypto/async/async.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -30,11 +30,12 @@ static CRYPTO_THREAD_LOCAL ctxkey; static CRYPTO_THREAD_LOCAL poolkey; -static void async_free_pool_internal(async_pool *pool); - static async_ctx *async_ctx_new(void) { - async_ctx *nctx = NULL; + async_ctx *nctx; + + if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ASYNC)) + return NULL; nctx = OPENSSL_malloc(sizeof(async_ctx)); if (nctx == NULL) { @@ -57,9 +58,6 @@ err: async_ctx *async_get_ctx(void) { - if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) - return NULL; - return (async_ctx *)CRYPTO_THREAD_get_local(&ctxkey); } @@ -169,16 +167,19 @@ void async_start_func(void) int ASYNC_start_job(ASYNC_JOB **job, ASYNC_WAIT_CTX *wctx, int *ret, int (*func)(void *), void *args, size_t size) { - async_ctx *ctx = async_get_ctx(); + async_ctx *ctx; + + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) + return ASYNC_ERR; + + ctx = async_get_ctx(); if (ctx == NULL) ctx = async_ctx_new(); - if (ctx == NULL) { + if (ctx == NULL) return ASYNC_ERR; - } - if (*job) { + if (*job) ctx->currjob = *job; - } for (;;) { if (ctx->currjob != NULL) { @@ -219,9 +220,8 @@ int ASYNC_start_job(ASYNC_JOB **job, ASYNC_WAIT_CTX *wctx, int *ret, } /* Start a new job */ - if ((ctx->currjob = async_get_pool_job()) == NULL) { + if ((ctx->currjob = async_get_pool_job()) == NULL) return ASYNC_NO_JOBS; - } if (args != NULL) { ctx->currjob->funcargs = OPENSSL_malloc(size); @@ -323,12 +323,11 @@ int ASYNC_init_thread(size_t max_size, size_t init_size) return 0; } - if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) { + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) return 0; - } - if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ASYNC)) { + + if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ASYNC)) return 0; - } pool = OPENSSL_zalloc(sizeof(*pool)); if (pool == NULL) { @@ -369,32 +368,41 @@ int ASYNC_init_thread(size_t max_size, size_t init_size) return 1; err: - async_free_pool_internal(pool); - return 0; -} - -static void async_free_pool_internal(async_pool *pool) -{ - if (pool == NULL) - return; - async_empty_pool(pool); sk_ASYNC_JOB_free(pool->jobs); OPENSSL_free(pool); - CRYPTO_THREAD_set_local(&poolkey, NULL); + return 0; +} + +void async_delete_thread_state(void) +{ + async_pool *pool = (async_pool *)CRYPTO_THREAD_get_local(&poolkey); + + if (pool != NULL) { + async_empty_pool(pool); + sk_ASYNC_JOB_free(pool->jobs); + OPENSSL_free(pool); + CRYPTO_THREAD_set_local(&poolkey, NULL); + } async_local_cleanup(); async_ctx_free(); } void ASYNC_cleanup_thread(void) { - async_free_pool_internal((async_pool *)CRYPTO_THREAD_get_local(&poolkey)); + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) + return; + + async_delete_thread_state(); } ASYNC_JOB *ASYNC_get_current_job(void) { async_ctx *ctx; + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) + return NULL; + ctx = async_get_ctx(); if (ctx == NULL) return NULL; @@ -409,7 +417,12 @@ ASYNC_WAIT_CTX *ASYNC_get_wait_ctx(ASYNC_JOB *job) void ASYNC_block_pause(void) { - async_ctx *ctx = async_get_ctx(); + async_ctx *ctx; + + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) + return; + + ctx = async_get_ctx(); if (ctx == NULL || ctx->currjob == NULL) { /* * We're not in a job anyway so ignore this @@ -421,7 +434,12 @@ void ASYNC_block_pause(void) void ASYNC_unblock_pause(void) { - async_ctx *ctx = async_get_ctx(); + async_ctx *ctx; + + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) + return; + + ctx = async_get_ctx(); if (ctx == NULL || ctx->currjob == NULL) { /* * We're not in a job anyway so ignore this diff --git a/crypto/external/bsd/openssl/dist/crypto/bio/b_addr.c b/crypto/external/bsd/openssl/dist/crypto/bio/b_addr.c index aea843a7b942..6ed1652c8a86 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bio/b_addr.c +++ b/crypto/external/bsd/openssl/dist/crypto/bio/b_addr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -66,18 +66,18 @@ void BIO_ADDR_clear(BIO_ADDR *ap) int BIO_ADDR_make(BIO_ADDR *ap, const struct sockaddr *sa) { if (sa->sa_family == AF_INET) { - ap->s_in = *(const struct sockaddr_in *)sa; + memcpy(&(ap->s_in), sa, sizeof(struct sockaddr_in)); return 1; } #ifdef AF_INET6 if (sa->sa_family == AF_INET6) { - ap->s_in6 = *(const struct sockaddr_in6 *)sa; + memcpy(&(ap->s_in6), sa, sizeof(struct sockaddr_in6)); return 1; } #endif #ifdef AF_UNIX if (sa->sa_family == AF_UNIX) { - ap->s_un = *(const struct sockaddr_un *)sa; + memcpy(&(ap->s_un), sa, sizeof(struct sockaddr_un)); return 1; } #endif @@ -604,7 +604,8 @@ static int addrinfo_wrap(int family, int socktype, DEFINE_RUN_ONCE_STATIC(do_bio_lookup_init) { - OPENSSL_init_crypto(0, NULL); + if (!OPENSSL_init_crypto(0, NULL)) + return 0; bio_lookup_lock = CRYPTO_THREAD_lock_new(); return bio_lookup_lock != NULL; } diff --git a/crypto/external/bsd/openssl/dist/crypto/bio/b_sock.c b/crypto/external/bsd/openssl/dist/crypto/bio/b_sock.c index 97dcc7005efe..fac1432787dc 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bio/b_sock.c +++ b/crypto/external/bsd/openssl/dist/crypto/bio/b_sock.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -317,7 +317,7 @@ int BIO_socket_nbio(int s, int mode) l = fcntl(s, F_GETFL, 0); if (l == -1) { - SYSerr(SYS_F_FCNTL, get_last_rtl_error()); + SYSerr(SYS_F_FCNTL, get_last_sys_error()); ret = -1; } else { # if defined(O_NONBLOCK) @@ -335,7 +335,7 @@ int BIO_socket_nbio(int s, int mode) ret = fcntl(s, F_SETFL, l); if (ret < 0) { - SYSerr(SYS_F_FCNTL, get_last_rtl_error()); + SYSerr(SYS_F_FCNTL, get_last_sys_error()); } } # else diff --git a/crypto/external/bsd/openssl/dist/crypto/bio/bio_meth.c b/crypto/external/bsd/openssl/dist/crypto/bio/bio_meth.c index 1e785d348f11..63a7cccc827f 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bio/bio_meth.c +++ b/crypto/external/bsd/openssl/dist/crypto/bio/bio_meth.c @@ -43,6 +43,7 @@ BIO_METHOD *BIO_meth_new(int type, const char *name) BIOerr(BIO_F_BIO_METH_NEW, ERR_R_MALLOC_FAILURE); return NULL; } + biom->type = type; return biom; } @@ -54,7 +55,7 @@ void BIO_meth_free(BIO_METHOD *biom) } } -int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int) +int (*BIO_meth_get_write(const BIO_METHOD *biom)) (BIO *, const char *, int) { return biom->bwrite; } @@ -66,7 +67,7 @@ int BIO_meth_set_write(BIO_METHOD *biom, return 1; } -int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int) +int (*BIO_meth_get_read(const BIO_METHOD *biom)) (BIO *, char *, int) { return biom->bread; } @@ -78,7 +79,7 @@ int BIO_meth_set_read(BIO_METHOD *biom, return 1; } -int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *) +int (*BIO_meth_get_puts(const BIO_METHOD *biom)) (BIO *, const char *) { return biom->bputs; } @@ -90,7 +91,7 @@ int BIO_meth_set_puts(BIO_METHOD *biom, return 1; } -int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int) +int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int) { return biom->bgets; } @@ -102,7 +103,7 @@ int BIO_meth_set_gets(BIO_METHOD *biom, return 1; } -long (*BIO_meth_get_ctrl(BIO_METHOD *biom)) (BIO *, int, long, void *) +long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *) { return biom->ctrl; } @@ -114,7 +115,7 @@ int BIO_meth_set_ctrl(BIO_METHOD *biom, return 1; } -int (*BIO_meth_get_create(BIO_METHOD *biom)) (BIO *) +int (*BIO_meth_get_create(const BIO_METHOD *biom)) (BIO *) { return biom->create; } @@ -125,7 +126,7 @@ int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *)) return 1; } -int (*BIO_meth_get_destroy(BIO_METHOD *biom)) (BIO *) +int (*BIO_meth_get_destroy(const BIO_METHOD *biom)) (BIO *) { return biom->destroy; } @@ -136,7 +137,7 @@ int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *)) return 1; } -long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom)) (BIO *, int, BIO_info_cb *) +long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom)) (BIO *, int, BIO_info_cb *) { return biom->callback_ctrl; } diff --git a/crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c b/crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c index 5221acc2e3bc..4719a5e66a68 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c +++ b/crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -196,7 +196,7 @@ static int slg_write(BIO *b, const char *in, int inl) if ((buf = OPENSSL_malloc(inl + 1)) == NULL) { return (0); } - strncpy(buf, in, inl); + memcpy(buf, in, inl); buf[inl] = '\0'; i = 0; diff --git a/crypto/external/bsd/openssl/dist/crypto/bio/bss_mem.c b/crypto/external/bsd/openssl/dist/crypto/bio/bss_mem.c index ff9a3ebb413f..4c0e4d7412df 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bio/bss_mem.c +++ b/crypto/external/bsd/openssl/dist/crypto/bio/bss_mem.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -212,6 +212,8 @@ static int mem_write(BIO *b, const char *in, int inl) goto end; } BIO_clear_retry_flags(b); + if (inl == 0) + return 0; blen = bbm->readp->length; mem_buf_sync(b); if (BUF_MEM_grow_clean(bbm->buf, blen + inl) == 0) diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/alpha-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/alpha-mont.pl index 1d68d6d07215..96321330904d 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/alpha-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/alpha-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -297,15 +297,12 @@ bn_mul_mont: mov sp,$tp mov $bp,$rp # restore rp - and sp,$hi0,$ap - bic $bp,$hi0,$bp - bis $bp,$ap,$ap # ap=borrow?tp:rp - .align 4 -.Lcopy: ldq $aj,0($ap) # copy or in-place refresh +.Lcopy: ldq $aj,0($tp) # conditional copy + ldq $nj,0($rp) lda $tp,8($tp) lda $rp,8($rp) - lda $ap,8($ap) + cmoveq $hi0,$nj,$aj stq zero,-8($tp) # zap tp cmpult $tp,$tj,AT stq $aj,-8($rp) diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/armv4-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/armv4-mont.pl index 0dc4fe95e439..ddee8b7fa14e 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/armv4-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/armv4-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -262,14 +262,15 @@ bn_mul_mont: mov $tp,sp @ "rewind" $tp sub $rp,$rp,$aj @ "rewind" $rp - and $ap,$tp,$nhi - bic $np,$rp,$nhi - orr $ap,$ap,$np @ ap=borrow?tp:rp - -.Lcopy: ldr $tj,[$ap],#4 @ copy or in-place refresh +.Lcopy: ldr $tj,[$tp] @ conditional copy + ldr $aj,[$rp] str sp,[$tp],#4 @ zap tp - str $tj,[$rp],#4 - cmp $tp,$num +#ifdef __thumb2__ + it cc +#endif + movcc $aj,$tj + str $aj,[$rp],#4 + teq $tp,$num @ preserve carry bne .Lcopy mov sp,$num diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/ia64-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/ia64-mont.pl index 5cc5c599f9de..0df1fad115bc 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/ia64-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/ia64-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -341,19 +341,19 @@ bn_mul_mont_general: { .mmb; sub rptr=rptr,len // rewind sub tptr=tptr,len clrrrb.pr };; -{ .mmi; and aptr=tptr,topbit - andcm bptr=rptr,topbit +{ .mmi; mov aptr=rptr + mov bptr=tptr mov pr.rot=1<<16 };; -{ .mii; or nptr=aptr,bptr +{ .mii; cmp.eq p0,p6=topbit,r0 mov ar.lc=lc - mov ar.ec=3 };; + mov ar.ec=2 };; .Lcopy_ctop: -{ .mmb; (p16) ld8 n[0]=[nptr],8 - (p18) st8 [tptr]=r0,8 - (p16) nop.b 0 } -{ .mmb; (p16) nop.m 0 - (p18) st8 [rptr]=n[2],8 +{ .mmi; (p16) ld8 a[0]=[aptr],8 + (p16) ld8 t[0]=[bptr],8 + (p6) mov a[1]=t[1] };; // (p17) +{ .mmb; (p17) st8 [rptr]=a[1],8 + (p17) st8 [tptr]=r0,8 br.ctop.sptk .Lcopy_ctop };; .Lcopy_cend: diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/mips-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/mips-mont.pl index a907571bec3f..e141e1a92524 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/mips-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/mips-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -384,15 +384,13 @@ $code.=<<___; $PTR_SUB $rp,$num # restore rp not $hi1,$hi0 - and $ap,$hi0,$sp - and $bp,$hi1,$rp - or $ap,$ap,$bp # ap=borrow?tp:rp - -.align 4 -.Lcopy: $LD $aj,($ap) - $PTR_ADD $ap,$BNSZ +.Lcopy: $LD $nj,($tp) # conditional move + $LD $aj,($rp) $ST $zero,($tp) $PTR_ADD $tp,$BNSZ + and $nj,$hi0 + and $aj,$hi1 + or $aj,$nj sltu $at,$tp,$tj $ST $aj,($rp) bnez $at,.Lcopy diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/parisc-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/parisc-mont.pl index 8aa94e8511c9..cd9926a25f8a 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/parisc-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/parisc-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -517,7 +517,6 @@ L\$sub stws,ma $hi1,4($rp) subb $ti0,%r0,$hi1 - ldo -4($tp),$tp ___ $code.=<<___ if ($BN_SZ==8); ldd,ma 8($tp),$ti0 @@ -532,21 +531,19 @@ L\$sub extrd,u $ti0,31,32,$ti0 ; carry in flipped word order sub,db $ti0,%r0,$hi1 - ldo -8($tp),$tp ___ $code.=<<___; - and $tp,$hi1,$ap - andcm $rp,$hi1,$bp - or $ap,$bp,$np - + ldo `$LOCALS+32`($fp),$tp sub $rp,$arrsz,$rp ; rewind rp subi 0,$arrsz,$idx - ldo `$LOCALS+32`($fp),$tp L\$copy - ldd $idx($np),$hi0 + ldd 0($tp),$ti0 + ldd 0($rp),$hi0 std,ma %r0,8($tp) - addib,<> 8,$idx,.-8 ; L\$copy - std,ma $hi0,8($rp) + comiclr,= 0,$hi1,%r0 + copy $ti0,$hi0 + addib,<> 8,$idx,L\$copy + std,ma $hi0,8($rp) ___ if ($BN_SZ==4) { # PA-RISC 1.1 code-path @@ -856,17 +853,16 @@ L\$sub_pa11 stws,ma $hi1,4($rp) subb $ti0,%r0,$hi1 - ldo -4($tp),$tp - and $tp,$hi1,$ap - andcm $rp,$hi1,$bp - or $ap,$bp,$np + ldo `$LOCALS+32`($fp),$tp sub $rp,$arrsz,$rp ; rewind rp subi 0,$arrsz,$idx - ldo `$LOCALS+32`($fp),$tp L\$copy_pa11 - ldwx $idx($np),$hi0 + ldw 0($tp),$ti0 + ldw 0($rp),$hi0 stws,ma %r0,4($tp) + comiclr,= 0,$hi1,%r0 + copy $ti0,$hi0 addib,<> 4,$idx,L\$copy_pa11 stws,ma $hi0,4($rp) diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/ppc-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/ppc-mont.pl index 5802260ca680..9d14a121565a 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/ppc-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/ppc-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -301,15 +301,16 @@ Lsub: $LDX $tj,$tp,$j li $j,0 mtctr $num subfe $ovf,$j,$ovf ; handle upmost overflow bit - and $ap,$tp,$ovf - andc $np,$rp,$ovf - or $ap,$ap,$np ; ap=borrow?tp:rp .align 4 -Lcopy: ; copy or in-place refresh - $LDX $tj,$ap,$j - $STX $tj,$rp,$j +Lcopy: ; conditional copy + $LDX $tj,$tp,$j + $LDX $aj,$rp,$j + and $tj,$tj,$ovf + andc $aj,$aj,$ovf $STX $j,$tp,$j ; zap at once + or $aj,$aj,$tj + $STX $aj,$rp,$j addi $j,$j,$BNSZ bdnz Lcopy diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/ppc64-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/ppc64-mont.pl index 1e19c958a16f..5d9f43aa5dbe 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/ppc64-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/ppc64-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1501,16 +1501,14 @@ Lsub: ldx $t0,$tp,$i li $i,0 subfe $ovf,$i,$ovf ; handle upmost overflow bit - and $ap,$tp,$ovf - andc $np,$rp,$ovf - or $ap,$ap,$np ; ap=borrow?tp:rp - addi $t7,$ap,8 mtctr $j .align 4 -Lcopy: ; copy or in-place refresh - ldx $t0,$ap,$i - ldx $t1,$t7,$i +Lcopy: ; conditional copy + ldx $t0,$tp,$i + ldx $t1,$t4,$i + ldx $t2,$rp,$i + ldx $t3,$t6,$i std $i,8($nap_d) ; zap nap_d std $i,16($nap_d) std $i,24($nap_d) @@ -1519,6 +1517,12 @@ Lcopy: ; copy or in-place refresh std $i,48($nap_d) std $i,56($nap_d) stdu $i,64($nap_d) + and $t0,$t0,$ovf + and $t1,$t1,$ovf + andc $t2,$t2,$ovf + andc $t3,$t3,$ovf + or $t0,$t0,$t2 + or $t1,$t1,$t3 stdx $t0,$rp,$i stdx $t1,$t6,$i stdx $i,$tp,$i ; zap tp at once @@ -1561,20 +1565,21 @@ Lsub: lwz $t0,12($tp) ; load tp[j..j+3] in 64-bit word order li $i,0 subfe $ovf,$i,$ovf ; handle upmost overflow bit - addi $tp,$sp,`$FRAME+$TRANSFER+4` + addi $ap,$sp,`$FRAME+$TRANSFER+4` subf $rp,$num,$rp ; rewind rp - and $ap,$tp,$ovf - andc $np,$rp,$ovf - or $ap,$ap,$np ; ap=borrow?tp:rp addi $tp,$sp,`$FRAME+$TRANSFER` mtctr $j .align 4 -Lcopy: ; copy or in-place refresh +Lcopy: ; conditional copy lwz $t0,4($ap) lwz $t1,8($ap) lwz $t2,12($ap) lwzu $t3,16($ap) + lwz $t4,4($rp) + lwz $t5,8($rp) + lwz $t6,12($rp) + lwz $t7,16($rp) std $i,8($nap_d) ; zap nap_d std $i,16($nap_d) std $i,24($nap_d) @@ -1583,6 +1588,18 @@ Lcopy: ; copy or in-place refresh std $i,48($nap_d) std $i,56($nap_d) stdu $i,64($nap_d) + and $t0,$t0,$ovf + and $t1,$t1,$ovf + and $t2,$t2,$ovf + and $t3,$t3,$ovf + andc $t4,$t4,$ovf + andc $t5,$t5,$ovf + andc $t6,$t6,$ovf + andc $t7,$t7,$ovf + or $t0,$t0,$t4 + or $t1,$t1,$t5 + or $t2,$t2,$t6 + or $t3,$t3,$t7 stw $t0,4($rp) stw $t1,8($rp) stw $t2,12($rp) diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/rsaz-avx2.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/rsaz-avx2.pl index 46d746b7d0e7..0466e11a2518 100755 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/rsaz-avx2.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/rsaz-avx2.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -104,7 +104,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/s390x-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/s390x-mont.pl index 2205bc2ca043..66780cdf80bc 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/s390x-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/s390x-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -252,16 +252,16 @@ $code.=<<___; brct $count,.Lsub lghi $ahi,0 slbgr $AHI,$ahi # handle upmost carry - - ngr $ap,$AHI - lghi $np,-1 - xgr $np,$AHI - ngr $np,$rp - ogr $ap,$np # ap=borrow?tp:rp + lghi $NHI,-1 + xgr $NHI,$AHI la $j,0(%r0) lgr $count,$num -.Lcopy: lg $alo,0($j,$ap) # copy or in-place refresh +.Lcopy: lg $ahi,$stdframe($j,$sp) # conditional copy + lg $alo,0($j,$rp) + ngr $ahi,$AHI + ngr $alo,$NHI + ogr $alo,$ahi _dswap $alo stg $j,$stdframe($j,$sp) # zap tp stg $alo,0($j,$rp) diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/sparct4-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/sparct4-mont.pl index 4faf66f10a52..4f339b22796e 100755 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/sparct4-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/sparct4-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -888,19 +888,17 @@ $code.=<<___; sub $tp, $num, $tp sub $rp, $num, $rp - subc $ovf, %g0, $ovf ! handle upmost overflow bit - and $tp, $ovf, $ap - andn $rp, $ovf, $np - or $np, $ap, $ap ! ap=borrow?tp:rp + subccc $ovf, %g0, $ovf ! handle upmost overflow bit ba .Lcopy sub $num, 8, $cnt .align 16 -.Lcopy: ! copy or in-place refresh - ldx [$ap+0], $t2 - add $ap, 8, $ap +.Lcopy: ! conditional copy + ldx [$tp], $tj + ldx [$rp+0], $t2 stx %g0, [$tp] ! zap add $tp, 8, $tp + movcs %icc, $tj, $t2 stx $t2, [$rp+0] add $rp, 8, $rp brnz $cnt, .Lcopy @@ -1136,19 +1134,17 @@ $code.=<<___; sub $tp, $num, $tp sub $rp, $num, $rp - subc $ovf, %g0, $ovf ! handle upmost overflow bit - and $tp, $ovf, $ap - andn $rp, $ovf, $np - or $np, $ap, $ap ! ap=borrow?tp:rp + subccc $ovf, %g0, $ovf ! handle upmost overflow bit ba .Lcopy_g5 sub $num, 8, $cnt .align 16 -.Lcopy_g5: ! copy or in-place refresh - ldx [$ap+0], $t2 - add $ap, 8, $ap +.Lcopy_g5: ! conditional copy + ldx [$tp], $tj + ldx [$rp+0], $t2 stx %g0, [$tp] ! zap add $tp, 8, $tp + movcs %icc, $tj, $t2 stx $t2, [$rp+0] add $rp, 8, $rp brnz $cnt, .Lcopy_g5 diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/sparcv9-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/sparcv9-mont.pl index 6807c8b6e0b9..074f9df14bc2 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/sparcv9-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/sparcv9-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -265,7 +265,6 @@ $fname: .Ltail: add $np,$num,$np add $rp,$num,$rp - mov $tp,$ap sub %g0,$num,%o7 ! k=-num ba .Lsub subcc %g0,%g0,%g0 ! clear %icc.c @@ -278,15 +277,14 @@ $fname: add %o7,4,%o7 brnz %o7,.Lsub st %o1,[$i] - subc $car2,0,$car2 ! handle upmost overflow bit - and $tp,$car2,$ap - andn $rp,$car2,$np - or $ap,$np,$ap + subccc $car2,0,$car2 ! handle upmost overflow bit sub %g0,$num,%o7 .Lcopy: - ld [$ap+%o7],%o0 ! copy or in-place refresh + ld [$tp+%o7],%o1 ! conditional copy + ld [$rp+%o7],%o0 st %g0,[$tp+%o7] ! zap tp + movcs %icc,%o1,%o0 st %o0,[$rp+%o7] add %o7,4,%o7 brnz %o7,.Lcopy @@ -495,6 +493,9 @@ $code.=<<___; mulx $npj,$mul1,$acc1 add $tpj,$car1,$car1 ld [$np+$j],$npj ! np[j] + srlx $car1,32,$tmp0 + and $car1,$mask,$car1 + add $tmp0,$sbit,$sbit add $acc0,$car1,$car1 ld [$tp+8],$tpj ! tp[j] add $acc1,$car1,$car1 diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/via-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/via-mont.pl index 9f81bc822e8a..9d65a146a280 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/via-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/via-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -213,18 +213,15 @@ $sp=&DWP(28,"esp"); &mov ("eax",&DWP(0,"esi","edx",4)); # upmost overflow bit &sbb ("eax",0); - &and ("esi","eax"); - ¬ ("eax"); - &mov ("ebp","edi"); - &and ("ebp","eax"); - &or ("esi","ebp"); # tp=carry?tp:rp &mov ("ecx","edx"); # num - &xor ("edx","edx"); # i=0 + &mov ("edx",0); # i=0 &set_label("copy",8); - &mov ("eax",&DWP(0,"esi","edx",4)); - &mov (&DWP(64,"esp","edx",4),"ecx"); # zap tp + &mov ("ebx",&DWP(0,"esi","edx",4)); + &mov ("eax",&DWP(0,"edi","edx",4)); + &mov (&DWP(0,"esi","edx",4),"ecx"); # zap tp + &cmovc ("eax","ebx"); &mov (&DWP(0,"edi","edx",4),"eax"); &lea ("edx",&DWP(1,"edx")); # i++ &loop (&label("copy")); diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/vis3-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/vis3-mont.pl index 64dba4480fbe..ba34b36a81ec 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/vis3-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/vis3-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -310,23 +310,23 @@ $code.=<<___; sub $anp, $num, $anp sub $rp, $num, $rp - subc $ovf, %g0, $ovf ! handle upmost overflow bit - and $tp, $ovf, $ap - andn $rp, $ovf, $np - or $np, $ap, $ap ! ap=borrow?tp:rp + subccc $ovf, %g0, $ovf ! handle upmost overflow bit ba .Lcopy sub $num, 8, $cnt .align 16 -.Lcopy: ! copy or in-place refresh - ld [$ap+0], $t2 - ld [$ap+4], $t3 - add $ap, 8, $ap +.Lcopy: ! conditional copy + ld [$tp+0], $t0 + ld [$tp+4], $t1 + ld [$rp+0], $t2 + ld [$rp+4], $t3 stx %g0, [$tp] ! zap add $tp, 8, $tp stx %g0, [$anp] ! zap stx %g0, [$anp+8] add $anp, 16, $anp + movcs %icc, $t0, $t2 + movcs %icc, $t1, $t3 st $t3, [$rp+0] ! flip order st $t2, [$rp+4] add $rp, 8, $rp diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86-mont.pl index 6787503666de..f1abcc5b4c4b 100755 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -604,16 +604,18 @@ $sbit=$num; &jge (&label("sub")); &sbb ("eax",0); # handle upmost overflow bit - &and ($tp,"eax"); - ¬ ("eax"); - &mov ($np,$rp); - &and ($np,"eax"); - &or ($tp,$np); # tp=carry?tp:rp + &mov ("edx",-1); + &xor ("edx","eax"); + &jmp (&label("copy")); -&set_label("copy",16); # copy or in-place refresh - &mov ("eax",&DWP(0,$tp,$num,4)); - &mov (&DWP(0,$rp,$num,4),"eax"); # rp[i]=tp[i] +&set_label("copy",16); # conditional copy + &mov ($tp,&DWP($frame,"esp",$num,4)); + &mov ($np,&DWP(0,$rp,$num,4)); &mov (&DWP($frame,"esp",$num,4),$j); # zap temporary vector + &and ($tp,"eax"); + &and ($np,"edx"); + &or ($np,$tp); + &mov (&DWP(0,$rp,$num,4),$np); &dec ($num); &jge (&label("copy")); diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont.pl index df4cca5bfebf..8d2fb2cebb89 100755 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -302,30 +302,30 @@ $code.=<<___; xor $i,$i # i=0 and clear CF! mov (%rsp),%rax # tp[0] - lea (%rsp),$ap # borrow ap for tp mov $num,$j # j=num - jmp .Lsub + .align 16 .Lsub: sbb ($np,$i,8),%rax mov %rax,($rp,$i,8) # rp[i]=tp[i]-np[i] - mov 8($ap,$i,8),%rax # tp[i+1] + mov 8(%rsp,$i,8),%rax # tp[i+1] lea 1($i),$i # i++ dec $j # doesnn't affect CF! jnz .Lsub sbb \$0,%rax # handle upmost overflow bit + mov \$-1,%rbx + xor %rax,%rbx # not %rax xor $i,$i - and %rax,$ap - not %rax - mov $rp,$np - and %rax,$np mov $num,$j # j=num - or $np,$ap # ap=borrow?tp:rp -.align 16 -.Lcopy: # copy or in-place refresh - mov ($ap,$i,8),%rax - mov $i,(%rsp,$i,8) # zap temporary vector - mov %rax,($rp,$i,8) # rp[i]=tp[i] + +.Lcopy: # conditional copy + mov ($rp,$i,8),%rcx + mov (%rsp,$i,8),%rdx + and %rbx,%rcx + and %rax,%rdx + mov $num,(%rsp,$i,8) # zap temporary vector + or %rcx,%rdx + mov %rdx,($rp,$i,8) # rp[i]=tp[i] lea 1($i),$i sub \$1,$j jnz .Lcopy @@ -695,10 +695,10 @@ ___ my @ri=("%rax","%rdx",$m0,$m1); $code.=<<___; mov 16(%rsp,$num,8),$rp # restore $rp + lea -4($num),$j mov 0(%rsp),@ri[0] # tp[0] - pxor %xmm0,%xmm0 mov 8(%rsp),@ri[1] # tp[1] - shr \$2,$num # num/=4 + shr \$2,$j # j=num/4-1 lea (%rsp),$ap # borrow ap for tp xor $i,$i # i=0 and clear CF! @@ -706,9 +706,7 @@ $code.=<<___; mov 16($ap),@ri[2] # tp[2] mov 24($ap),@ri[3] # tp[3] sbb 8($np),@ri[1] - lea -1($num),$j # j=num/4-1 - jmp .Lsub4x -.align 16 + .Lsub4x: mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i] mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i] @@ -735,34 +733,35 @@ $code.=<<___; sbb \$0,@ri[0] # handle upmost overflow bit mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i] - xor $i,$i # i=0 - and @ri[0],$ap - not @ri[0] - mov $rp,$np - and @ri[0],$np - lea -1($num),$j - or $np,$ap # ap=borrow?tp:rp + pxor %xmm0,%xmm0 + movq @ri[0],%xmm4 + pcmpeqd %xmm5,%xmm5 + pshufd \$0,%xmm4,%xmm4 + mov $num,$j + pxor %xmm4,%xmm5 + shr \$2,$j # j=num/4 + xor %eax,%eax # i=0 - movdqu ($ap),%xmm1 - movdqa %xmm0,(%rsp) - movdqu %xmm1,($rp) jmp .Lcopy4x .align 16 -.Lcopy4x: # copy or in-place refresh - movdqu 16($ap,$i),%xmm2 - movdqu 32($ap,$i),%xmm1 - movdqa %xmm0,16(%rsp,$i) - movdqu %xmm2,16($rp,$i) - movdqa %xmm0,32(%rsp,$i) - movdqu %xmm1,32($rp,$i) - lea 32($i),$i +.Lcopy4x: # conditional copy + movdqa (%rsp,%rax),%xmm1 + movdqu ($rp,%rax),%xmm2 + pand %xmm4,%xmm1 + pand %xmm5,%xmm2 + movdqa 16(%rsp,%rax),%xmm3 + movdqa %xmm0,(%rsp,%rax) + por %xmm2,%xmm1 + movdqu 16($rp,%rax),%xmm2 + movdqu %xmm1,($rp,%rax) + pand %xmm4,%xmm3 + pand %xmm5,%xmm2 + movdqa %xmm0,16(%rsp,%rax) + por %xmm2,%xmm3 + movdqu %xmm3,16($rp,%rax) + lea 32(%rax),%rax dec $j jnz .Lcopy4x - - shl \$2,$num - movdqu 16($ap,$i),%xmm2 - movdqa %xmm0,16(%rsp,$i) - movdqu %xmm2,16($rp,$i) ___ } $code.=<<___; diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl b/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl index 5779059ea268..97d8eee700b6 100755 --- a/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl +++ b/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -414,18 +414,19 @@ $code.=<<___; jnz .Lsub sbb \$0,%rax # handle upmost overflow bit + mov \$-1,%rbx + xor %rax,%rbx xor $i,$i - and %rax,$ap - not %rax - mov $rp,$np - and %rax,$np mov $num,$j # j=num - or $np,$ap # ap=borrow?tp:rp -.align 16 -.Lcopy: # copy or in-place refresh - mov ($ap,$i,8),%rax + +.Lcopy: # conditional copy + mov ($rp,$i,8),%rcx + mov (%rsp,$i,8),%rdx + and %rbx,%rcx + and %rax,%rdx mov $i,(%rsp,$i,8) # zap temporary vector - mov %rax,($rp,$i,8) # rp[i]=tp[i] + or %rcx,%rdx + mov %rdx,($rp,$i,8) # rp[i]=tp[i] lea 1($i),$i sub \$1,$j jnz .Lcopy diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_div.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_div.c index 5e620b2096ca..884ff2991702 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_div.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_div.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -240,6 +240,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, wnum.neg = 0; wnum.d = &(snum->d[loop]); wnum.top = div_n; + wnum.flags = BN_FLG_STATIC_DATA; /* * only needed when BN_ucmp messes up the values between top and max */ diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c index 0d2d1eca6bb2..a6ad475a0b26 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c @@ -188,8 +188,8 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, bits = BN_num_bits(p); if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(r); } else { @@ -330,8 +330,8 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } bits = BN_num_bits(p); if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else { @@ -371,17 +371,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ret = 1; goto err; } - if (!BN_to_montgomery(val[0], aa, mont, ctx)) + if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx)) goto err; /* 1 */ window = BN_window_bits_for_exponent_size(bits); if (window > 1) { - if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) + if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx)) + !bn_mul_mont_fixed_top(val[i], val[i - 1], d, mont, ctx)) goto err; } } @@ -403,19 +403,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, for (i = 1; i < j; i++) r->d[i] = (~m->d[i]) & BN_MASK2; r->top = j; - /* - * Upper words will be zero if the corresponding words of 'm' were - * 0xfff[...], so decrement r->top accordingly. - */ - bn_correct_top(r); + r->flags |= BN_FLG_FIXED_TOP; } else #endif - if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) + if (!bn_to_mont_fixed_top(r, BN_value_one(), mont, ctx)) goto err; for (;;) { if (BN_is_bit_set(p, wstart) == 0) { if (!start) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) + if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx)) goto err; } if (wstart == 0) @@ -446,12 +442,12 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, /* add the 'bytes above' */ if (!start) for (i = 0; i < j; i++) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) + if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx)) goto err; } /* wvalue will be an odd number < 2^window */ - if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) + if (!bn_mul_mont_fixed_top(r, r, val[wvalue >> 1], mont, ctx)) goto err; /* move the 'window' down further */ @@ -461,6 +457,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, if (wstart < 0) break; } + /* + * Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery + * removes padding [if any] and makes return value suitable for public + * API consumer. + */ #if defined(SPARC_T4_MONT) if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) { j = mont->N.top; /* borrow j */ @@ -587,7 +588,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, } b->top = top; - bn_correct_top(b); + b->flags |= BN_FLG_FIXED_TOP; return 1; } @@ -639,8 +640,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, */ bits = p->top * BN_BITS2; if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else { @@ -757,16 +758,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, tmp.top = top; } else #endif - if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx)) + if (!bn_to_mont_fixed_top(&tmp, BN_value_one(), mont, ctx)) goto err; /* prepare a^1 in Montgomery domain */ if (a->neg || BN_ucmp(a, m) >= 0) { if (!BN_mod(&am, a, m, ctx)) goto err; - if (!BN_to_montgomery(&am, &am, mont, ctx)) + if (!bn_to_mont_fixed_top(&am, &am, mont, ctx)) goto err; - } else if (!BN_to_montgomery(&am, a, mont, ctx)) + } else if (!bn_to_mont_fixed_top(&am, a, mont, ctx)) goto err; #if defined(SPARC_T4_MONT) @@ -1033,14 +1034,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, * performance advantage of sqr over mul). */ if (window > 1) { - if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &am, &am, mont, ctx)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, window)) goto err; for (i = 3; i < numPowers; i++) { /* Calculate a^i = a^(i-1) * a */ - if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &am, &tmp, mont, ctx)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i, window)) @@ -1064,7 +1065,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, /* Scan the window, squaring the result as we go */ for (i = 0; i < window; i++, bits--) { - if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &tmp, &tmp, mont, ctx)) goto err; wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); } @@ -1077,12 +1078,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, goto err; /* Multiply the result into the intermediate result */ - if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &tmp, &am, mont, ctx)) goto err; } } - /* Convert the final result from montgomery to standard format */ + /* + * Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery + * removes padding [if any] and makes return value suitable for public + * API consumer. + */ #if defined(SPARC_T4_MONT) if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) { am.d[0] = 1; /* borrow am */ @@ -1151,8 +1156,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, bits = BN_num_bits(p); if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else { @@ -1273,9 +1278,9 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, } bits = BN_num_bits(p); - if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + if (bits == 0) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(r); } else { diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_gcd.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_gcd.c index 067642644ec1..bed231c8fa66 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_gcd.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_gcd.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -140,7 +140,14 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in, BIGNUM *ret = NULL; int sign; - if (pnoinv) + /* This is invalid input so we don't worry about constant time here */ + if (BN_abs_is_word(n, 1) || BN_is_zero(n)) { + if (pnoinv != NULL) + *pnoinv = 1; + return NULL; + } + + if (pnoinv != NULL) *pnoinv = 0; if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_gf2m.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_gf2m.c index b1987f55dd2f..d80f3ec94027 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_gf2m.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_gf2m.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -32,30 +32,32 @@ */ # define MAX_ITERATIONS 50 -static const BN_ULONG SQR_tb[16] = { 0, 1, 4, 5, 16, 17, 20, 21, - 64, 65, 68, 69, 80, 81, 84, 85 -}; +# define SQR_nibble(w) ((((w) & 8) << 3) \ + | (((w) & 4) << 2) \ + | (((w) & 2) << 1) \ + | ((w) & 1)) + /* Platform-specific macros to accelerate squaring. */ # if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG) # define SQR1(w) \ - SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \ - SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \ - SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \ - SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF] + SQR_nibble((w) >> 60) << 56 | SQR_nibble((w) >> 56) << 48 | \ + SQR_nibble((w) >> 52) << 40 | SQR_nibble((w) >> 48) << 32 | \ + SQR_nibble((w) >> 44) << 24 | SQR_nibble((w) >> 40) << 16 | \ + SQR_nibble((w) >> 36) << 8 | SQR_nibble((w) >> 32) # define SQR0(w) \ - SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \ - SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \ - SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \ - SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] + SQR_nibble((w) >> 28) << 56 | SQR_nibble((w) >> 24) << 48 | \ + SQR_nibble((w) >> 20) << 40 | SQR_nibble((w) >> 16) << 32 | \ + SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \ + SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) ) # endif # ifdef THIRTY_TWO_BIT # define SQR1(w) \ - SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \ - SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF] + SQR_nibble((w) >> 28) << 24 | SQR_nibble((w) >> 24) << 16 | \ + SQR_nibble((w) >> 20) << 8 | SQR_nibble((w) >> 16) # define SQR0(w) \ - SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \ - SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] + SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \ + SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) ) # endif # if !defined(OPENSSL_BN_ASM_GF2m) diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_intern.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_intern.c index 2c970647defd..7b25927f9bca 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_intern.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_intern.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -177,16 +177,20 @@ BN_ULONG *bn_get_words(const BIGNUM *a) return a->d; } -void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size) +void bn_set_static_words(BIGNUM *a, const BN_ULONG *words, int size) { - a->d = words; + /* + * |const| qualifier omission is compensated by BN_FLG_STATIC_DATA + * flag, which effectively means "read-only data". + */ + a->d = (BN_ULONG *)words; a->dmax = a->top = size; a->neg = 0; a->flags |= BN_FLG_STATIC_DATA; bn_correct_top(a); } -int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words) +int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words) { if (bn_wexpand(a, num_words) == NULL) { BNerr(BN_F_BN_SET_WORDS, ERR_R_MALLOC_FAILURE); diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_lcl.h b/crypto/external/bsd/openssl/dist/crypto/bn/bn_lcl.h index 5fb3814554c3..4d9808f5b8d1 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_lcl.h +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -145,7 +145,16 @@ extern "C" { */ # ifdef BN_DEBUG - +/* + * The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with + * bn_correct_top, in other words such vectors are permitted to have zeros + * in most significant limbs. Such vectors are used internally to achieve + * execution time invariance for critical operations with private keys. + * It's BN_DEBUG-only flag, because user application is not supposed to + * observe it anyway. Moreover, optimizing compiler would actually remove + * all operations manipulating the bit in question in non-BN_DEBUG build. + */ +# define BN_FLG_FIXED_TOP 0x10000 # ifdef BN_DEBUG_RAND /* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */ # ifndef RAND_bytes @@ -177,8 +186,10 @@ int RAND_bytes(unsigned char *buf, int num); do { \ const BIGNUM *_bnum2 = (a); \ if (_bnum2 != NULL) { \ - OPENSSL_assert(((_bnum2->top == 0) && !_bnum2->neg) || \ - (_bnum2->top && (_bnum2->d[_bnum2->top - 1] != 0))); \ + int _top = _bnum2->top; \ + OPENSSL_assert((_top == 0 && !_bnum2->neg) || \ + (_top && ((_bnum2->flags & BN_FLG_FIXED_TOP) \ + || _bnum2->d[_top - 1] != 0))); \ bn_pollute(_bnum2); \ } \ } while(0) @@ -197,6 +208,7 @@ int RAND_bytes(unsigned char *buf, int num); # else /* !BN_DEBUG */ +# define BN_FLG_FIXED_TOP 0 # define bn_pollute(a) # define bn_check_top(a) # define bn_fix_top(a) bn_correct_top(a) @@ -228,7 +240,8 @@ struct bignum_st { /* Used for montgomery multiplication */ struct bn_mont_ctx_st { int ri; /* number of bits in R */ - BIGNUM RR; /* used to convert to montgomery form */ + BIGNUM RR; /* used to convert to montgomery form, + possibly zero-padded */ BIGNUM N; /* The modulus */ BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1 (Ni is only * stored for bignum algorithm) */ diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c index 705849409292..25eac396e094 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c @@ -12,6 +12,7 @@ #include "internal/cryptlib.h" #include "bn_lcl.h" #include +#include "internal/constant_time_locl.h" /* This stuff appears to be completely unused, so is deprecated */ #if OPENSSL_API_COMPAT < 0x00908000L @@ -222,8 +223,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) const BN_ULONG *B; int i; - bn_check_top(b); - if (words > (INT_MAX / (4 * BN_BITS2))) { BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG); return NULL; @@ -298,8 +297,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) BIGNUM *bn_expand2(BIGNUM *b, int words) { - bn_check_top(b); - if (words > b->dmax) { BN_ULONG *a = bn_expand_internal(b, words); if (!a) @@ -312,7 +309,6 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) b->dmax = words; } - bn_check_top(b); return b; } @@ -379,12 +375,19 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b) memcpy(a->d, b->d, sizeof(b->d[0]) * b->top); #endif - a->top = b->top; a->neg = b->neg; + a->top = b->top; + a->flags |= b->flags & BN_FLG_FIXED_TOP; bn_check_top(a); return (a); } +#define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \ + | BN_FLG_CONSTTIME \ + | BN_FLG_SECURE \ + | BN_FLG_FIXED_TOP)) +#define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED)) + void BN_swap(BIGNUM *a, BIGNUM *b) { int flags_old_a, flags_old_b; @@ -412,10 +415,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b) b->dmax = tmp_dmax; b->neg = tmp_neg; - a->flags = - (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA); - b->flags = - (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA); + a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b); + b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a); bn_check_top(a); bn_check_top(b); } @@ -425,8 +426,9 @@ void BN_clear(BIGNUM *a) bn_check_top(a); if (a->d != NULL) OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax); - a->top = 0; a->neg = 0; + a->top = 0; + a->flags &= ~BN_FLG_FIXED_TOP; } BN_ULONG BN_get_word(const BIGNUM *a) @@ -447,6 +449,7 @@ int BN_set_word(BIGNUM *a, BN_ULONG w) a->neg = 0; a->d[0] = w; a->top = (w ? 1 : 0); + a->flags &= ~BN_FLG_FIXED_TOP; bn_check_top(a); return (1); } @@ -499,24 +502,29 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) /* ignore negative */ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { - int i; + int n; + size_t i, inc, lasti, j; BN_ULONG l; - bn_check_top(a); - i = BN_num_bytes(a); + n = BN_num_bytes(a); if (tolen == -1) - tolen = i; - else if (tolen < i) + tolen = n; + else if (tolen < n) return -1; - /* Add leading zeroes if necessary */ - if (tolen > i) { - memset(to, 0, tolen - i); - to += tolen - i; + + if (n == 0) { + OPENSSL_cleanse(to, tolen); + return tolen; } - while (i--) { + + lasti = n - 1; + for (i = 0, inc = 1, j = tolen; j > 0;) { l = a->d[i / BN_BYTES]; - *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; + to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc)); + inc = (i - lasti) >> (8 * sizeof(i) - 1); + i += inc; /* stay on top limb */ } + return tolen; } @@ -683,6 +691,7 @@ int BN_set_bit(BIGNUM *a, int n) for (k = a->top; k < i + 1; k++) a->d[k] = 0; a->top = i + 1; + a->flags &= ~BN_FLG_FIXED_TOP; } a->d[i] |= (((BN_ULONG)1) << j); @@ -824,6 +833,34 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) a->top ^= t; b->top ^= t; + t = (a->neg ^ b->neg) & condition; + a->neg ^= t; + b->neg ^= t; + + /*- + * Idea behind BN_FLG_STATIC_DATA is actually to + * indicate that data may not be written to. + * Intention is actually to treat it as it's + * read-only data, and some (if not most) of it does + * reside in read-only segment. In other words + * observation of BN_FLG_STATIC_DATA in + * BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or + * effectively cause data corruption. + * BN_FLG_MALLOCED refers to BN structure itself, + * and hence must be preserved. Remaining flags are + * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be + * preserved, because it determines how x->d was + * allocated and hence how to free it. This leaves + * BN_FLG_CONSTTIME that one can do something about. + * To summarize it's sufficient to mask and swap + * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should + * be treated as fatal. + */ + t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; + a->flags ^= t; + b->flags ^= t; + #define BN_CONSTTIME_SWAP(ind) \ do { \ t = (a->d[ind] ^ b->d[ind]) & condition; \ @@ -887,8 +924,9 @@ int BN_security_bits(int L, int N) void BN_zero_ex(BIGNUM *a) { - a->top = 0; a->neg = 0; + a->top = 0; + a->flags &= ~BN_FLG_FIXED_TOP; } int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w) @@ -1012,5 +1050,6 @@ void bn_correct_top(BIGNUM *a) } if (a->top == 0) a->neg = 0; + a->flags &= ~BN_FLG_FIXED_TOP; bn_pollute(a); } diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_mod.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_mod.c index 13b583f76c9f..2361094ee4f6 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_mod.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_mod.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -35,16 +35,71 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, /* * BN_mod_add variant that may be used if both a and b are non-negative and - * less than m + * less than m. The original algorithm was + * + * if (!BN_uadd(r, a, b)) + * return 0; + * if (BN_ucmp(r, m) >= 0) + * return BN_usub(r, r, m); + * + * which is replaced with addition, subtracting modulus, and conditional + * move depending on whether or not subtraction borrowed. */ +int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m) +{ + size_t i, ai, bi, mtop = m->top; + BN_ULONG storage[1024 / BN_BITS2]; + BN_ULONG carry, temp, mask, *rp, *tp = storage; + const BN_ULONG *ap, *bp; + + if (bn_wexpand(r, mtop) == NULL) + return 0; + + if (mtop > sizeof(storage) / sizeof(storage[0]) + && (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL) + return 0; + + ap = a->d != NULL ? a->d : tp; + bp = b->d != NULL ? b->d : tp; + + for (i = 0, ai = 0, bi = 0, carry = 0; i < mtop;) { + mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1)); + temp = ((ap[ai] & mask) + carry) & BN_MASK2; + carry = (temp < carry); + + mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1)); + tp[i] = ((bp[bi] & mask) + temp) & BN_MASK2; + carry += (tp[i] < temp); + + i++; + ai += (i - a->dmax) >> (8 * sizeof(i) - 1); + bi += (i - b->dmax) >> (8 * sizeof(i) - 1); + } + rp = r->d; + carry -= bn_sub_words(rp, tp, m->d, mtop); + for (i = 0; i < mtop; i++) { + rp[i] = (carry & tp[i]) | (~carry & rp[i]); + ((volatile BN_ULONG *)tp)[i] = 0; + } + r->top = mtop; + r->neg = 0; + + if (tp != storage) + OPENSSL_free(tp); + + return 1; +} + int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m) { - if (!BN_uadd(r, a, b)) - return 0; - if (BN_ucmp(r, m) >= 0) - return BN_usub(r, r, m); - return 1; + int ret = bn_mod_add_fixed_top(r, a, b, m); + + if (ret) + bn_correct_top(r); + + return ret; } int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c index faef5815717d..3ccf8eaf3713 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c @@ -20,29 +20,43 @@ #define MONT_WORD /* use the faster word-based algorithm */ #ifdef MONT_WORD -static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont); +static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont); #endif int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_MONT_CTX *mont, BN_CTX *ctx) +{ + int ret = bn_mul_mont_fixed_top(r, a, b, mont, ctx); + + bn_correct_top(r); + bn_check_top(r); + + return ret; +} + +int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mont, BN_CTX *ctx) { BIGNUM *tmp; int ret = 0; -#if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) int num = mont->N.top; +#if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) if (num > 1 && a->top == num && b->top == num) { if (bn_wexpand(r, num) == NULL) return (0); if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) { r->neg = a->neg ^ b->neg; r->top = num; - bn_correct_top(r); + r->flags |= BN_FLG_FIXED_TOP; return (1); } } #endif + if ((a->top + b->top) > 2 * num) + return 0; + BN_CTX_start(ctx); tmp = BN_CTX_get(ctx); if (tmp == NULL) @@ -58,13 +72,12 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, } /* reduce from aRR to aR */ #ifdef MONT_WORD - if (!BN_from_montgomery_word(r, tmp, mont)) + if (!bn_from_montgomery_word(r, tmp, mont)) goto err; #else if (!BN_from_montgomery(r, tmp, mont, ctx)) goto err; #endif - bn_check_top(r); ret = 1; err: BN_CTX_end(ctx); @@ -72,7 +85,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, } #ifdef MONT_WORD -static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) +static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) { BIGNUM *n; BN_ULONG *ap, *np, *rp, n0, v, carry; @@ -99,6 +112,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) memset(&rp[r->top], 0, sizeof(*rp) * i); r->top = max; + r->flags |= BN_FLG_FIXED_TOP; n0 = mont->n0[0]; /* @@ -117,6 +131,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) if (bn_wexpand(ret, nl) == NULL) return (0); ret->top = nl; + ret->flags |= BN_FLG_FIXED_TOP; ret->neg = r->neg; rp = ret->d; @@ -127,20 +142,16 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) */ ap = &(r->d[nl]); + carry -= bn_sub_words(rp, ap, np, nl); /* - * |v| is one if |ap| - |np| underflowed or zero if it did not. Note |v| - * cannot be -1. That would imply the subtraction did not fit in |nl| words, - * and we know at most one subtraction is needed. + * |carry| is -1 if |ap| - |np| underflowed or zero if it did not. Note + * |carry| cannot be 1. That would imply the subtraction did not fit in + * |nl| words, and we know at most one subtraction is needed. */ - v = bn_sub_words(rp, ap, np, nl) - carry; - v = 0 - v; for (i = 0; i < nl; i++) { - rp[i] = (v & ap[i]) | (~v & rp[i]); + rp[i] = (carry & ap[i]) | (~carry & rp[i]); ap[i] = 0; } - bn_correct_top(r); - bn_correct_top(ret); - bn_check_top(ret); return (1); } @@ -154,8 +165,11 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, BIGNUM *t; BN_CTX_start(ctx); - if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) - retn = BN_from_montgomery_word(ret, t, mont); + if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) { + retn = bn_from_montgomery_word(ret, t, mont); + bn_correct_top(ret); + bn_check_top(ret); + } BN_CTX_end(ctx); #else /* !MONT_WORD */ BIGNUM *t1, *t2; @@ -193,6 +207,12 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, return (retn); } +int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx) +{ + return bn_mul_mont_fixed_top(r, a, &(mont->RR), mont, ctx); +} + BN_MONT_CTX *BN_MONT_CTX_new(void) { BN_MONT_CTX *ret; @@ -229,7 +249,7 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont) int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) { - int ret = 0; + int i, ret = 0; BIGNUM *Ri, *R; if (BN_is_zero(mod)) @@ -278,7 +298,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) if ((buf[1] = mod->top > 1 ? mod->d[1] : 0)) tmod.top = 2; - if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL) + if (BN_is_one(&tmod)) + BN_zero(Ri); + else if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL) goto err; if (!BN_lshift(Ri, Ri, 2 * BN_BITS2)) goto err; /* R*Ri */ @@ -311,7 +333,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) buf[1] = 0; tmod.top = buf[0] != 0 ? 1 : 0; /* Ri = R^-1 mod N */ - if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL) + if (BN_is_one(&tmod)) + BN_zero(Ri); + else if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL) goto err; if (!BN_lshift(Ri, Ri, BN_BITS2)) goto err; /* R*Ri */ @@ -360,6 +384,11 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx)) goto err; + for (i = mont->RR.top, ret = mont->N.top; i < ret; i++) + mont->RR.d[i] = 0; + mont->RR.top = ret; + mont->RR.flags |= BN_FLG_FIXED_TOP; + ret = 1; err: BN_CTX_end(ctx); diff --git a/crypto/external/bsd/openssl/dist/crypto/bn/bn_sqr.c b/crypto/external/bsd/openssl/dist/crypto/bn/bn_sqr.c index 44e7332acf1a..1f12a14e4423 100644 --- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_sqr.c +++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_sqr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -82,14 +82,8 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) } rr->neg = 0; - /* - * If the most-significant half of the top word of 'a' is zero, then the - * square of 'a' will max-1 words. - */ - if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l)) - rr->top = max - 1; - else - rr->top = max; + rr->top = max; + bn_correct_top(rr); if (r != rr && BN_copy(r, rr) == NULL) goto err; diff --git a/crypto/external/bsd/openssl/dist/crypto/build.info b/crypto/external/bsd/openssl/dist/crypto/build.info index 916d24f66ed5..e693ebadcd32 100644 --- a/crypto/external/bsd/openssl/dist/crypto/build.info +++ b/crypto/external/bsd/openssl/dist/crypto/build.info @@ -1,4 +1,3 @@ -{- use File::Spec::Functions qw/catdir catfile/; -} LIBS=../libcrypto SOURCE[../libcrypto]=\ cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ diff --git a/crypto/external/bsd/openssl/dist/crypto/chacha/asm/chacha-x86.pl b/crypto/external/bsd/openssl/dist/crypto/chacha/asm/chacha-x86.pl index 61b328612b7c..932dec67e43c 100755 --- a/crypto/external/bsd/openssl/dist/crypto/chacha/asm/chacha-x86.pl +++ b/crypto/external/bsd/openssl/dist/crypto/chacha/asm/chacha-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -61,7 +61,7 @@ $ymm=1 if ($xmm && !$ymm && $ARGV[0] eq "win32" && $1>=10); # first version supporting AVX $ymm=1 if ($xmm && !$ymm && - `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/ && + `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/ && $2>=3.0); # first version supporting AVX $a="eax"; diff --git a/crypto/external/bsd/openssl/dist/crypto/cms/cms_env.c b/crypto/external/bsd/openssl/dist/crypto/cms/cms_env.c index 8d4594353084..fe5076ec02dd 100644 --- a/crypto/external/bsd/openssl/dist/crypto/cms/cms_env.c +++ b/crypto/external/bsd/openssl/dist/crypto/cms/cms_env.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -282,6 +282,7 @@ int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey) CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY, CMS_R_NOT_KEY_TRANSPORT); return 0; } + EVP_PKEY_free(ri->d.ktri->pkey); ri->d.ktri->pkey = pkey; return 1; } diff --git a/crypto/external/bsd/openssl/dist/crypto/cms/cms_smime.c b/crypto/external/bsd/openssl/dist/crypto/cms/cms_smime.c index 7e7b6e5d4f79..5dcf803f4bd3 100644 --- a/crypto/external/bsd/openssl/dist/crypto/cms/cms_smime.c +++ b/crypto/external/bsd/openssl/dist/crypto/cms/cms_smime.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -631,6 +631,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) * all. */ else if (!cert || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { + EVP_PKEY_up_ref(pk); CMS_RecipientInfo_set0_pkey(ri, pk); r = CMS_RecipientInfo_decrypt(cms, ri); CMS_RecipientInfo_set0_pkey(ri, NULL); diff --git a/crypto/external/bsd/openssl/dist/crypto/conf/build.info b/crypto/external/bsd/openssl/dist/crypto/conf/build.info index 4438eb42620f..ff367994ea09 100644 --- a/crypto/external/bsd/openssl/dist/crypto/conf/build.info +++ b/crypto/external/bsd/openssl/dist/crypto/conf/build.info @@ -1,4 +1,4 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]= \ conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c \ - conf_mall.c conf_sap.c + conf_mall.c conf_sap.c conf_ssl.c diff --git a/crypto/external/bsd/openssl/dist/crypto/conf/conf_api.c b/crypto/external/bsd/openssl/dist/crypto/conf/conf_api.c index 5535416ab3bf..79e682a84748 100644 --- a/crypto/external/bsd/openssl/dist/crypto/conf/conf_api.c +++ b/crypto/external/bsd/openssl/dist/crypto/conf/conf_api.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -205,10 +205,14 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section) vv = lh_CONF_VALUE_insert(conf->data, v); OPENSSL_assert(vv == NULL); + if (lh_CONF_VALUE_error(conf->data) > 0) + goto err; return v; err: sk_CONF_VALUE_free(sk); + if (v != NULL) + OPENSSL_free(v->section); OPENSSL_free(v); return NULL; } diff --git a/crypto/external/bsd/openssl/dist/crypto/conf/conf_err.c b/crypto/external/bsd/openssl/dist/crypto/conf/conf_err.c index 0863bc4d3616..19f480d5b32b 100644 --- a/crypto/external/bsd/openssl/dist/crypto/conf/conf_err.c +++ b/crypto/external/bsd/openssl/dist/crypto/conf/conf_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -37,6 +37,7 @@ static ERR_STRING_DATA CONF_str_functs[] = { {ERR_FUNC(CONF_F_NCONF_LOAD_BIO), "NCONF_load_bio"}, {ERR_FUNC(CONF_F_NCONF_LOAD_FP), "NCONF_load_fp"}, {ERR_FUNC(CONF_F_NCONF_NEW), "NCONF_new"}, + {ERR_FUNC(CONF_F_SSL_MODULE_INIT), "ssl_module_init"}, {ERR_FUNC(CONF_F_STR_COPY), "str_copy"}, {0, NULL} }; @@ -57,6 +58,12 @@ static ERR_STRING_DATA CONF_str_reasons[] = { {ERR_REASON(CONF_R_NO_SECTION), "no section"}, {ERR_REASON(CONF_R_NO_SUCH_FILE), "no such file"}, {ERR_REASON(CONF_R_NO_VALUE), "no value"}, + {ERR_REASON(CONF_R_SSL_COMMAND_SECTION_EMPTY), + "ssl command section empty"}, + {ERR_REASON(CONF_R_SSL_COMMAND_SECTION_NOT_FOUND), + "ssl command section not found"}, + {ERR_REASON(CONF_R_SSL_SECTION_EMPTY), "ssl section empty"}, + {ERR_REASON(CONF_R_SSL_SECTION_NOT_FOUND), "ssl section not found"}, {ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION), "unable to create new section"}, {ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME), "unknown module name"}, diff --git a/crypto/external/bsd/openssl/dist/crypto/conf/conf_lcl.h b/crypto/external/bsd/openssl/dist/crypto/conf/conf_lcl.h new file mode 100644 index 000000000000..6e1f7fe00d70 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/crypto/conf/conf_lcl.h @@ -0,0 +1,11 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +void conf_add_ssl_module(void); + diff --git a/crypto/external/bsd/openssl/dist/crypto/conf/conf_mall.c b/crypto/external/bsd/openssl/dist/crypto/conf/conf_mall.c index 4e7a434e0e4d..7e86948e89e9 100644 --- a/crypto/external/bsd/openssl/dist/crypto/conf/conf_mall.c +++ b/crypto/external/bsd/openssl/dist/crypto/conf/conf_mall.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,6 +14,7 @@ #include #include #include +#include "conf_lcl.h" /* Load all OpenSSL builtin modules */ @@ -26,4 +27,5 @@ void OPENSSL_load_builtin_modules(void) ENGINE_add_conf_module(); #endif EVP_add_alg_module(); + conf_add_ssl_module(); } diff --git a/crypto/external/bsd/openssl/dist/crypto/conf/conf_ssl.c b/crypto/external/bsd/openssl/dist/crypto/conf/conf_ssl.c new file mode 100644 index 000000000000..015c46c6da52 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/crypto/conf/conf_ssl.c @@ -0,0 +1,178 @@ +/* + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "internal/sslconf.h" +#include "conf_lcl.h" + +/* + * SSL library configuration module placeholder. We load it here but defer + * all decisions about its contents to libssl. + */ + +struct ssl_conf_name_st { + /* Name of this set of commands */ + char *name; + /* List of commands */ + SSL_CONF_CMD *cmds; + /* Number of commands */ + size_t cmd_count; +}; + +struct ssl_conf_cmd_st { + /* Command */ + char *cmd; + /* Argument */ + char *arg; +}; + +static struct ssl_conf_name_st *ssl_names; +static size_t ssl_names_count; + +static void ssl_module_free(CONF_IMODULE *md) +{ + size_t i, j; + if (ssl_names == NULL) + return; + for (i = 0; i < ssl_names_count; i++) { + struct ssl_conf_name_st *tname = ssl_names + i; + + OPENSSL_free(tname->name); + for (j = 0; j < tname->cmd_count; j++) { + OPENSSL_free(tname->cmds[j].cmd); + OPENSSL_free(tname->cmds[j].arg); + } + OPENSSL_free(tname->cmds); + } + OPENSSL_free(ssl_names); + ssl_names = NULL; + ssl_names_count = 0; +} + +static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf) +{ + size_t i, j, cnt; + int rv = 0; + const char *ssl_conf_section; + STACK_OF(CONF_VALUE) *cmd_lists; + + ssl_conf_section = CONF_imodule_get_value(md); + cmd_lists = NCONF_get_section(cnf, ssl_conf_section); + if (sk_CONF_VALUE_num(cmd_lists) <= 0) { + if (cmd_lists == NULL) + CONFerr(CONF_F_SSL_MODULE_INIT, CONF_R_SSL_SECTION_NOT_FOUND); + else + CONFerr(CONF_F_SSL_MODULE_INIT, CONF_R_SSL_SECTION_EMPTY); + ERR_add_error_data(2, "section=", ssl_conf_section); + goto err; + } + cnt = sk_CONF_VALUE_num(cmd_lists); + ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt); + ssl_names_count = cnt; + for (i = 0; i < ssl_names_count; i++) { + struct ssl_conf_name_st *ssl_name = ssl_names + i; + CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, (int)i); + STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value); + + if (sk_CONF_VALUE_num(cmds) <= 0) { + if (cmds == NULL) + CONFerr(CONF_F_SSL_MODULE_INIT, + CONF_R_SSL_COMMAND_SECTION_NOT_FOUND); + else + CONFerr(CONF_F_SSL_MODULE_INIT, + CONF_R_SSL_COMMAND_SECTION_EMPTY); + ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value); + goto err; + } + ssl_name->name = OPENSSL_strdup(sect->name); + if (ssl_name->name == NULL) + goto err; + cnt = sk_CONF_VALUE_num(cmds); + ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd_st)); + if (ssl_name->cmds == NULL) + goto err; + ssl_name->cmd_count = cnt; + for (j = 0; j < cnt; j++) { + const char *name; + CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, (int)j); + struct ssl_conf_cmd_st *cmd = ssl_name->cmds + j; + + /* Skip any initial dot in name */ + name = strchr(cmd_conf->name, '.'); + if (name != NULL) + name++; + else + name = cmd_conf->name; + cmd->cmd = OPENSSL_strdup(name); + cmd->arg = OPENSSL_strdup(cmd_conf->value); + if (cmd->cmd == NULL || cmd->arg == NULL) + goto err; + } + + } + rv = 1; + err: + if (rv == 0) + ssl_module_free(md); + return rv; +} + +/* + * Returns the set of commands with index |idx| previously searched for via + * conf_ssl_name_find. Also stores the name of the set of commands in |*name| + * and the number of commands in the set in |*cnt|. + */ +const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt) +{ + *name = ssl_names[idx].name; + *cnt = ssl_names[idx].cmd_count; + return ssl_names[idx].cmds; +} + +/* + * Search for the named set of commands given in |name|. On success return the + * index for the command set in |*idx|. + * Returns 1 on success or 0 on failure. + */ +int conf_ssl_name_find(const char *name, size_t *idx) +{ + size_t i; + const struct ssl_conf_name_st *nm; + + if (name == NULL) + return 0; + for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) { + if (strcmp(nm->name, name) == 0) { + *idx = i; + return 1; + } + } + return 0; +} + +/* + * Given a command set |cmd|, return details on the command at index |idx| which + * must be less than the number of commands in the set (as returned by + * conf_ssl_get). The name of the command will be returned in |*cmdstr| and the + * argument is returned in |*arg|. + */ +void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, + char **arg) +{ + *cmdstr = cmd[idx].cmd; + *arg = cmd[idx].arg; +} + +void conf_add_ssl_module(void) +{ + CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free); +} diff --git a/crypto/external/bsd/openssl/dist/crypto/cryptlib.c b/crypto/external/bsd/openssl/dist/crypto/cryptlib.c index d93bcd357b63..3b878cd0c20e 100644 --- a/crypto/external/bsd/openssl/dist/crypto/cryptlib.c +++ b/crypto/external/bsd/openssl/dist/crypto/cryptlib.c @@ -23,29 +23,97 @@ extern unsigned int OPENSSL_ia32cap_P[4]; # if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY) -#include + +/* + * Purpose of these minimalistic and character-type-agnostic subroutines + * is to break dependency on MSVCRT (on Windows) and locale. This makes + * OPENSSL_cpuid_setup safe to use as "constructor". "Character-type- + * agnostic" means that they work with either wide or 8-bit characters, + * exploiting the fact that first 127 characters can be simply casted + * between the sets, while the rest would be simply rejected by ossl_is* + * subroutines. + */ +# ifdef _WIN32 +typedef WCHAR variant_char; + +static variant_char *ossl_getenv(const char *name) +{ + /* + * Since we pull only one environment variable, it's simpler to + * to just ignore |name| and use equivalent wide-char L-literal. + * As well as to ignore excessively long values... + */ + static WCHAR value[48]; + DWORD len = GetEnvironmentVariableW(L"OPENSSL_ia32cap", value, 48); + + return (len > 0 && len < 48) ? value : NULL; +} +# else +typedef char variant_char; +# define ossl_getenv getenv +# endif + +static int todigit(variant_char c) +{ + if (c >= '0' && c <= '9') + return c - '0'; + else if (c >= 'A' && c <= 'F') + return c - 'A' + 10; + else if (c >= 'a' && c <= 'f') + return c - 'a' + 10; + + /* return largest base value to make caller terminate the loop */ + return 16; +} + +static uint64_t ossl_strtouint64(const variant_char *str) +{ + uint64_t ret = 0; + unsigned int digit, base = 10; + + if (*str == '0') { + base = 8, str++; + if (*str == 'x' || *str == 'X') + base = 16, str++; + } + + while((digit = todigit(*str++)) < base) + ret = ret * base + digit; + + return ret; +} + +static variant_char *ossl_strchr(const variant_char *str, char srch) +{ variant_char c; + + while((c = *str)) { + if (c == srch) + return (variant_char *)str; + str++; + } + + return NULL; +} + # define OPENSSL_CPUID_SETUP typedef uint64_t IA32CAP; + void OPENSSL_cpuid_setup(void) { static int trigger = 0; IA32CAP OPENSSL_ia32_cpuid(unsigned int *); IA32CAP vec; - char *env; + const variant_char *env; if (trigger) return; trigger = 1; - if ((env = getenv("OPENSSL_ia32cap"))) { + if ((env = ossl_getenv("OPENSSL_ia32cap")) != NULL) { int off = (env[0] == '~') ? 1 : 0; -# if defined(_WIN32) - if (!sscanf(env + off, "%I64i", &vec)) - vec = strtoul(env + off, NULL, 0); -# else - if (!sscanf(env + off, "%lli", (long long *)&vec)) - vec = strtoul(env + off, NULL, 0); -# endif + + vec = ossl_strtouint64(env + off); + if (off) { IA32CAP mask = vec; vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P) & ~mask; @@ -64,15 +132,17 @@ void OPENSSL_cpuid_setup(void) vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P); } - if ((env = strchr(env, ':'))) { - unsigned int vecx; + if ((env = ossl_strchr(env, ':')) != NULL) { + IA32CAP vecx; + env++; off = (env[0] == '~') ? 1 : 0; - vecx = strtoul(env + off, NULL, 0); - if (off) - OPENSSL_ia32cap_P[2] &= ~vecx; - else - OPENSSL_ia32cap_P[2] = vecx; + vecx = ossl_strtouint64(env + off); + if (off) { + OPENSSL_ia32cap_P[2] &= ~(unsigned int)vecx; + } else { + OPENSSL_ia32cap_P[2] = (unsigned int)vecx; + } } else { OPENSSL_ia32cap_P[2] = 0; } @@ -128,10 +198,14 @@ int OPENSSL_isservice(void) if (_OPENSSL_isservice.p == NULL) { HANDLE mod = GetModuleHandle(NULL); + FARPROC f; + if (mod != NULL) - _OPENSSL_isservice.f = GetProcAddress(mod, "_OPENSSL_isservice"); - if (_OPENSSL_isservice.p == NULL) + f = GetProcAddress(mod, "_OPENSSL_isservice"); + if (f == NULL) _OPENSSL_isservice.p = (void *)-1; + else + _OPENSSL_isservice.f = f; } if (_OPENSSL_isservice.p != (void *)-1) diff --git a/crypto/external/bsd/openssl/dist/crypto/dh/dh_key.c b/crypto/external/bsd/openssl/dist/crypto/dh/dh_key.c index fce9ff47f367..b53a0632445b 100644 --- a/crypto/external/bsd/openssl/dist/crypto/dh/dh_key.c +++ b/crypto/external/bsd/openssl/dist/crypto/dh/dh_key.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -78,10 +78,15 @@ static int generate_key(DH *dh) int ok = 0; int generate_new_key = 0; unsigned l; - BN_CTX *ctx; + BN_CTX *ctx = NULL; BN_MONT_CTX *mont = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); + return 0; + } + ctx = BN_CTX_new(); if (ctx == NULL) goto err; diff --git a/crypto/external/bsd/openssl/dist/crypto/dh/dh_meth.c b/crypto/external/bsd/openssl/dist/crypto/dh/dh_meth.c index ce6114c1335f..59c4d7e96782 100644 --- a/crypto/external/bsd/openssl/dist/crypto/dh/dh_meth.c +++ b/crypto/external/bsd/openssl/dist/crypto/dh/dh_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -75,7 +75,7 @@ int DH_meth_set1_name(DH_METHOD *dhm, const char *name) return 1; } -int DH_meth_get_flags(DH_METHOD *dhm) +int DH_meth_get_flags(const DH_METHOD *dhm) { return dhm->flags; } diff --git a/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_err.c b/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_err.c index b8f0af4662e6..132008803e5e 100644 --- a/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_err.c +++ b/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -40,6 +40,7 @@ static ERR_STRING_DATA DSA_str_functs[] = { {ERR_FUNC(DSA_F_DSA_SIG_NEW), "DSA_SIG_new"}, {ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE), "old_dsa_priv_decode"}, {ERR_FUNC(DSA_F_PKEY_DSA_CTRL), "pkey_dsa_ctrl"}, + {ERR_FUNC(DSA_F_PKEY_DSA_CTRL_STR), "pkey_dsa_ctrl_str"}, {ERR_FUNC(DSA_F_PKEY_DSA_KEYGEN), "pkey_dsa_keygen"}, {0, NULL} }; diff --git a/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_gen.c b/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_gen.c index e58ad8d70d31..46f4f01ee0e4 100644 --- a/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_gen.c +++ b/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_gen.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -64,9 +64,16 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, /* invalid q size */ return 0; - if (evpmd == NULL) - /* use SHA1 as default */ - evpmd = EVP_sha1(); + if (evpmd == NULL) { + if (qsize == SHA_DIGEST_LENGTH) + evpmd = EVP_sha1(); + else if (qsize == SHA224_DIGEST_LENGTH) + evpmd = EVP_sha224(); + else + evpmd = EVP_sha256(); + } else { + qsize = EVP_MD_size(evpmd); + } if (bits < 512) bits = 512; diff --git a/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_meth.c b/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_meth.c index f0188f2007df..04203780c42b 100644 --- a/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_meth.c +++ b/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -83,7 +83,7 @@ int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name) return 1; } -int DSA_meth_get_flags(DSA_METHOD *dsam) +int DSA_meth_get_flags(const DSA_METHOD *dsam) { return dsam->flags; } diff --git a/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ossl.c b/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ossl.c index 7f48cf2e3326..4aa49f554af3 100644 --- a/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ossl.c +++ b/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -61,19 +61,13 @@ const DSA_METHOD *DSA_OpenSSL(void) static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *kinv = NULL; - BIGNUM *m; - BIGNUM *xr; + BIGNUM *m, *blind, *blindm, *tmp; BN_CTX *ctx = NULL; int reason = ERR_R_BN_LIB; DSA_SIG *ret = NULL; int rv = 0; - m = BN_new(); - xr = BN_new(); - if (m == NULL || xr == NULL) - goto err; - - if (!dsa->p || !dsa->q || !dsa->g) { + if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) { reason = DSA_R_MISSING_PARAMETERS; goto err; } @@ -89,6 +83,13 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) ctx = BN_CTX_new(); if (ctx == NULL) goto err; + m = BN_CTX_get(ctx); + blind = BN_CTX_get(ctx); + blindm = BN_CTX_get(ctx); + tmp = BN_CTX_get(ctx); + if (tmp == NULL) + goto err; + redo: if (!dsa_sign_setup(dsa, ctx, &kinv, &ret->r, dgst, dlen)) goto err; @@ -103,17 +104,50 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) if (BN_bin2bn(dgst, dlen, m) == NULL) goto err; - /* Compute s = inv(k) (m + xr) mod q */ - if (!BN_mod_mul(xr, dsa->priv_key, ret->r, dsa->q, ctx)) - goto err; /* s = xr */ - if (!BN_add(ret->s, xr, m)) - goto err; /* s = m + xr */ - if (BN_cmp(ret->s, dsa->q) > 0) - if (!BN_sub(ret->s, ret->s, dsa->q)) + /* + * The normal signature calculation is: + * + * s := k^-1 * (m + r * priv_key) mod q + * + * We will blind this to protect against side channel attacks + * + * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q + */ + + /* Generate a blinding value */ + do { + if (!BN_rand(blind, BN_num_bits(dsa->q) - 1, BN_RAND_TOP_ANY, + BN_RAND_BOTTOM_ANY)) goto err; + } while (BN_is_zero(blind)); + BN_set_flags(blind, BN_FLG_CONSTTIME); + BN_set_flags(blindm, BN_FLG_CONSTTIME); + BN_set_flags(tmp, BN_FLG_CONSTTIME); + + /* tmp := blind * priv_key * r mod q */ + if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx)) + goto err; + if (!BN_mod_mul(tmp, tmp, ret->r, dsa->q, ctx)) + goto err; + + /* blindm := blind * m mod q */ + if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx)) + goto err; + + /* s : = (blind * priv_key * r) + (blind * m) mod q */ + if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->q)) + goto err; + + /* s := s * k^-1 mod q */ if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->q, ctx)) goto err; + /* s:= s * blind^-1 mod q */ + if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL) + goto err; + if (!BN_mod_mul(ret->s, ret->s, blind, dsa->q, ctx)) + goto err; + /* * Redo if r or s is zero as required by FIPS 186-3: this is very * unlikely. @@ -130,8 +164,6 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) ret = NULL; } BN_CTX_free(ctx); - BN_clear_free(m); - BN_clear_free(xr); BN_clear_free(kinv); return ret; } diff --git a/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_pmeth.c b/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_pmeth.c index 95f088a5ec25..d60631695482 100644 --- a/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_pmeth.c +++ b/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_pmeth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -76,13 +76,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; - if (dctx->md) { - if (tbslen != (size_t)EVP_MD_size(dctx->md)) - return 0; - } else { - if (tbslen != SHA_DIGEST_LENGTH) - return 0; - } + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; ret = DSA_sign(0, tbs, tbslen, sig, &sltmp, dsa); @@ -100,13 +95,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; - if (dctx->md) { - if (tbslen != (size_t)EVP_MD_size(dctx->md)) - return 0; - } else { - if (tbslen != SHA_DIGEST_LENGTH) - return 0; - } + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; ret = DSA_verify(0, tbs, tbslen, sig, siglen, dsa); @@ -187,9 +177,15 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx, NULL); } if (strcmp(type, "dsa_paramgen_md") == 0) { + const EVP_MD *md = EVP_get_digestbyname(value); + + if (md == NULL) { + DSAerr(DSA_F_PKEY_DSA_CTRL_STR, DSA_R_INVALID_DIGEST_TYPE); + return 0; + } return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, - (void *)EVP_get_digestbyname(value)); + (void *)md); } return -2; } diff --git a/crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c b/crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c index a4b0cdd95b5d..e01425bc75e8 100644 --- a/crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c +++ b/crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,7 +26,7 @@ # endif # include # define HAVE_DLINFO 1 -# if defined(_AIX) || defined(__CYGWIN__) || \ +# if defined(__CYGWIN__) || \ defined(__SCO_VERSION__) || defined(_SCO_ELF) || \ (defined(__osf__) && !defined(RTLD_NEXT)) || \ (defined(__OpenBSD__) && !defined(RTLD_SELF)) || \ @@ -308,6 +308,76 @@ static int dladdr(void *address, Dl_info *dl) } # endif /* __sgi */ +# ifdef _AIX +/*- + * See IBM's AIX Version 7.2, Technical Reference: + * Base Operating System and Extensions, Volume 1 and 2 + * https://www.ibm.com/support/knowledgecenter/ssw_aix_72/com.ibm.aix.base/technicalreferences.htm + */ +# include +# include +/* ~ 64 * (sizeof(struct ld_info) + _XOPEN_PATH_MAX + _XOPEN_NAME_MAX) */ +# define DLFCN_LDINFO_SIZE 86976 +typedef struct Dl_info { + const char *dli_fname; +} Dl_info; +/* + * This dladdr()-implementation will also find the ptrgl (Pointer Glue) virtual + * address of a function, which is just located in the DATA segment instead of + * the TEXT segment. + */ +static int dladdr(void *ptr, Dl_info *dl) +{ + uintptr_t addr = (uintptr_t)ptr; + unsigned int found = 0; + struct ld_info *ldinfos, *next_ldi, *this_ldi; + + if ((ldinfos = (struct ld_info *)OPENSSL_malloc(DLFCN_LDINFO_SIZE)) == NULL) { + errno = ENOMEM; + dl->dli_fname = NULL; + return 0; + } + + if ((loadquery(L_GETINFO, (void *)ldinfos, DLFCN_LDINFO_SIZE)) < 0) { + /*- + * Error handling is done through errno and dlerror() reading errno: + * ENOMEM (ldinfos buffer is too small), + * EINVAL (invalid flags), + * EFAULT (invalid ldinfos ptr) + */ + OPENSSL_free((void *)ldinfos); + dl->dli_fname = NULL; + return 0; + } + next_ldi = ldinfos; + + do { + this_ldi = next_ldi; + if (((addr >= (uintptr_t)this_ldi->ldinfo_textorg) + && (addr < ((uintptr_t)this_ldi->ldinfo_textorg + + this_ldi->ldinfo_textsize))) + || ((addr >= (uintptr_t)this_ldi->ldinfo_dataorg) + && (addr < ((uintptr_t)this_ldi->ldinfo_dataorg + + this_ldi->ldinfo_datasize)))) { + found = 1; + /* + * Ignoring the possibility of a member name and just returning + * the path name. See docs: sys/ldr.h, loadquery() and + * dlopen()/RTLD_MEMBER. + */ + if ((dl->dli_fname = + OPENSSL_strdup(this_ldi->ldinfo_filename)) == NULL) + errno = ENOMEM; + } else { + next_ldi = + (struct ld_info *)((uintptr_t)this_ldi + this_ldi->ldinfo_next); + } + } while (this_ldi->ldinfo_next && !found); + OPENSSL_free((void *)ldinfos); + return (found && dl->dli_fname != NULL); +} +# endif /* _AIX */ + static int dlfcn_pathbyaddr(void *addr, char *path, int sz) { # ifdef HAVE_DLINFO @@ -326,12 +396,19 @@ static int dlfcn_pathbyaddr(void *addr, char *path, int sz) if (dladdr(addr, &dli)) { len = (int)strlen(dli.dli_fname); - if (sz <= 0) + if (sz <= 0) { +# ifdef _AIX + OPENSSL_free((void *)dli.dli_fname); +# endif return len + 1; + } if (len >= sz) len = sz - 1; memcpy(path, dli.dli_fname, len); path[len++] = 0; +# ifdef _AIX + OPENSSL_free((void *)dli.dli_fname); +# endif return len; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-armv4.pl b/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-armv4.pl index 2314b7524421..4eb4c68977e4 100755 --- a/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-armv4.pl +++ b/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -894,13 +894,13 @@ ecp_nistz256_scatter_w7: .Loop_scatter_w7: ldr $mask,[$inp],#4 subs $index,$index,#1 - strb $mask,[$out,#64*0-1] + strb $mask,[$out,#64*0] mov $mask,$mask,lsr#8 - strb $mask,[$out,#64*1-1] + strb $mask,[$out,#64*1] mov $mask,$mask,lsr#8 - strb $mask,[$out,#64*2-1] + strb $mask,[$out,#64*2] mov $mask,$mask,lsr#8 - strb $mask,[$out,#64*3-1] + strb $mask,[$out,#64*3] add $out,$out,#64*4 bne .Loop_scatter_w7 @@ -1633,7 +1633,7 @@ ___ $code.=<<___; .Ladd_done: add sp,sp,#32*18+16+16 @ +16 means "skip even over saved r0-r3" -#if __ARM_ARCH__>=5 || defined(__thumb__) +#if __ARM_ARCH__>=5 || !defined(__thumb__) ldmia sp!,{r4-r12,pc} #else ldmia sp!,{r4-r12,lr} diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-armv8.pl b/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-armv8.pl index cdc91617ff13..2a39675bfd10 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-armv8.pl +++ b/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-armv8.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1477,21 +1477,21 @@ ecp_nistz256_scatter_w7: prfm pstl1strm,[$out,#4096+64*5] prfm pstl1strm,[$out,#4096+64*6] prfm pstl1strm,[$out,#4096+64*7] - strb w3,[$out,#64*0-1] + strb w3,[$out,#64*0] lsr x3,x3,#8 - strb w3,[$out,#64*1-1] + strb w3,[$out,#64*1] lsr x3,x3,#8 - strb w3,[$out,#64*2-1] + strb w3,[$out,#64*2] lsr x3,x3,#8 - strb w3,[$out,#64*3-1] + strb w3,[$out,#64*3] lsr x3,x3,#8 - strb w3,[$out,#64*4-1] + strb w3,[$out,#64*4] lsr x3,x3,#8 - strb w3,[$out,#64*5-1] + strb w3,[$out,#64*5] lsr x3,x3,#8 - strb w3,[$out,#64*6-1] + strb w3,[$out,#64*6] lsr x3,x3,#8 - strb w3,[$out,#64*7-1] + strb w3,[$out,#64*7] add $out,$out,#64*8 b.ne .Loop_scatter_w7 diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-avx2.pl b/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-avx2.pl index 3bdd2cf13f01..edd7d01281ca 100755 --- a/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-avx2.pl +++ b/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-avx2.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -67,7 +67,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=12); } -if (!$addx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-sparcv9.pl b/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-sparcv9.pl index 97201cb271b5..0c1af95b134b 100755 --- a/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-sparcv9.pl +++ b/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1531,13 +1531,13 @@ ecp_nistz256_scatter_w7: ld [$inp],%l0 add $inp,4,$inp subcc $index,1,$index - stb %l0,[$out+64*0-1] + stb %l0,[$out+64*0] srl %l0,8,%l1 - stb %l1,[$out+64*1-1] + stb %l1,[$out+64*1] srl %l0,16,%l2 - stb %l2,[$out+64*2-1] + stb %l2,[$out+64*2] srl %l0,24,%l3 - stb %l3,[$out+64*3-1] + stb %l3,[$out+64*3] bne .Loop_scatter_w7 add $out,64*4,$out diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-x86.pl b/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-x86.pl index 1d9e00616b58..b3bec23228f3 100755 --- a/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-x86.pl +++ b/crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1179,7 +1179,7 @@ for ($i=0;$i<7;$i++) { &mov ("esi",&wparam(1)); &mov ("ebp",&wparam(2)); - &lea ("edi",&DWP(-1,"edi","ebp")); + &lea ("edi",&DWP(0,"edi","ebp")); &mov ("ebp",64/4); &set_label("scatter_w7_loop"); &mov ("eax",&DWP(0,"esi")); diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ec2_smpl.c b/crypto/external/bsd/openssl/dist/crypto/ec/ec2_smpl.c index cfeef5fc7495..28b91d510236 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ec2_smpl.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ec2_smpl.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -330,6 +330,7 @@ int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src) if (!BN_copy(dest->Z, src->Z)) return 0; dest->Z_is_one = src->Z_is_one; + dest->curve_name = src->curve_name; return 1; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c b/crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c index b66adf2bbc24..f8f1e2c842ce 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -92,19 +92,19 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) static EC_KEY *eckey_type2param(int ptype, const void *pval) { EC_KEY *eckey = NULL; + EC_GROUP *group = NULL; + if (ptype == V_ASN1_SEQUENCE) { const ASN1_STRING *pstr = pval; - const unsigned char *pm = NULL; - int pmlen; - pm = pstr->data; - pmlen = pstr->length; + const unsigned char *pm = pstr->data; + int pmlen = pstr->length; + if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) { ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); goto ecerr; } } else if (ptype == V_ASN1_OBJECT) { const ASN1_OBJECT *poid = pval; - EC_GROUP *group; /* * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID @@ -129,6 +129,7 @@ static EC_KEY *eckey_type2param(int ptype, const void *pval) ecerr: EC_KEY_free(eckey); + EC_GROUP_free(group); return NULL; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ec_curve.c b/crypto/external/bsd/openssl/dist/crypto/ec/ec_curve.c index f8a3846fd566..b022528be2fd 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ec_curve.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ec_curve.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -3036,6 +3036,8 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve) } #endif + EC_GROUP_set_curve_name(group, curve.nid); + if ((P = EC_POINT_new(group)) == NULL) { ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); goto err; @@ -3101,8 +3103,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid) return NULL; } - EC_GROUP_set_curve_name(ret, nid); - return ret; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ec_lcl.h b/crypto/external/bsd/openssl/dist/crypto/ec/ec_lcl.h index ded35a72a014..d8141704cfb1 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ec_lcl.h +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ec_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -269,6 +269,8 @@ struct ec_key_st { struct ec_point_st { const EC_METHOD *meth; + /* NID for the curve if known */ + int curve_name; /* * All members except 'meth' are handled by the method functions, even if * they appear generic @@ -281,6 +283,20 @@ struct ec_point_st { * special case */ }; + +static ossl_inline int ec_point_is_compat(const EC_POINT *point, + const EC_GROUP *group) +{ + if (group->meth != point->meth + || (group->curve_name != 0 + && point->curve_name != 0 + && group->curve_name != point->curve_name)) + return 0; + + return 1; +} + + NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c b/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c index 7cb4bfee2844..e256e4e51180 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -140,6 +140,8 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) if (dest == src) return 1; + dest->curve_name = src->curve_name; + /* Copy precomputed */ dest->pre_comp_type = src->pre_comp_type; switch (src->pre_comp_type) { @@ -202,7 +204,6 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) return 0; } - dest->curve_name = src->curve_name; dest->asn1_flag = src->asn1_flag; dest->asn1_form = src->asn1_form; @@ -563,6 +564,7 @@ EC_POINT *EC_POINT_new(const EC_GROUP *group) } ret->meth = group->meth; + ret->curve_name = group->curve_name; if (!ret->meth->point_init(ret)) { OPENSSL_free(ret); @@ -600,7 +602,10 @@ int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) ECerr(EC_F_EC_POINT_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (dest->meth != src->meth) { + if (dest->meth != src->meth + || (dest->curve_name != src->curve_name + && dest->curve_name != 0 + && src->curve_name != 0)) { ECerr(EC_F_EC_POINT_COPY, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -657,7 +662,7 @@ int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -676,7 +681,7 @@ int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -694,7 +699,7 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -720,7 +725,7 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -746,7 +751,7 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -764,7 +769,7 @@ int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -780,8 +785,8 @@ int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, ECerr(EC_F_EC_POINT_ADD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if ((group->meth != r->meth) || (r->meth != a->meth) - || (a->meth != b->meth)) { + if (!ec_point_is_compat(r, group) || !ec_point_is_compat(a, group) + || !ec_point_is_compat(b, group)) { ECerr(EC_F_EC_POINT_ADD, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -795,7 +800,7 @@ int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if ((group->meth != r->meth) || (r->meth != a->meth)) { + if (!ec_point_is_compat(r, group) || !ec_point_is_compat(a, group)) { ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -808,7 +813,7 @@ int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != a->meth) { + if (!ec_point_is_compat(a, group)) { ECerr(EC_F_EC_POINT_INVERT, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -822,7 +827,7 @@ int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_IS_AT_INFINITY, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -843,7 +848,7 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, ECerr(EC_F_EC_POINT_IS_ON_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_IS_ON_CURVE, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -857,7 +862,7 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return -1; } - if ((group->meth != a->meth) || (a->meth != b->meth)) { + if (!ec_point_is_compat(a, group) || !ec_point_is_compat(b, group)) { ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS); return -1; } @@ -870,7 +875,7 @@ int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) ECerr(EC_F_EC_POINT_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -887,7 +892,7 @@ int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, return 0; } for (i = 0; i < num; i++) { - if (group->meth != points[i]->meth) { + if (!ec_point_is_compat(points[i], group)) { ECerr(EC_F_EC_POINTS_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS); return 0; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ec_mult.c b/crypto/external/bsd/openssl/dist/crypto/ec/ec_mult.c index b39777fbf2f0..56c7767772d1 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ec_mult.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ec_mult.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -105,6 +105,224 @@ void EC_ec_pre_comp_free(EC_PRE_COMP *pre) OPENSSL_free(pre); } +#define EC_POINT_BN_set_flags(P, flags) do { \ + BN_set_flags((P)->X, (flags)); \ + BN_set_flags((P)->Y, (flags)); \ + BN_set_flags((P)->Z, (flags)); \ +} while(0) + +/*- + * This functions computes (in constant time) a point multiplication over the + * EC group. + * + * At a high level, it is Montgomery ladder with conditional swaps. + * + * It performs either a fixed scalar point multiplication + * (scalar * generator) + * when point is NULL, or a generic scalar point multiplication + * (scalar * point) + * when point is not NULL. + * + * scalar should be in the range [0,n) otherwise all constant time bets are off. + * + * NB: This says nothing about EC_POINT_add and EC_POINT_dbl, + * which of course are not constant time themselves. + * + * The product is stored in r. + * + * Returns 1 on success, 0 otherwise. + */ +static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, const EC_POINT *point, + BN_CTX *ctx) +{ + int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; + EC_POINT *s = NULL; + BIGNUM *k = NULL; + BIGNUM *lambda = NULL; + BIGNUM *cardinality = NULL; + BN_CTX *new_ctx = NULL; + int ret = 0; + + if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL) + return 0; + + BN_CTX_start(ctx); + + s = EC_POINT_new(group); + if (s == NULL) + goto err; + + if (point == NULL) { + if (!EC_POINT_copy(s, group->generator)) + goto err; + } else { + if (!EC_POINT_copy(s, point)) + goto err; + } + + EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); + + cardinality = BN_CTX_get(ctx); + lambda = BN_CTX_get(ctx); + k = BN_CTX_get(ctx); + if (k == NULL || !BN_mul(cardinality, group->order, group->cofactor, ctx)) + goto err; + + /* + * Group cardinalities are often on a word boundary. + * So when we pad the scalar, some timing diff might + * pop if it needs to be expanded due to carries. + * So expand ahead of time. + */ + cardinality_bits = BN_num_bits(cardinality); + group_top = bn_get_top(cardinality); + if ((bn_wexpand(k, group_top + 1) == NULL) + || (bn_wexpand(lambda, group_top + 1) == NULL)) + goto err; + + if (!BN_copy(k, scalar)) + goto err; + + BN_set_flags(k, BN_FLG_CONSTTIME); + + if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { + /*- + * this is an unusual input, and we don't guarantee + * constant-timeness + */ + if (!BN_nnmod(k, k, cardinality, ctx)) + goto err; + } + + if (!BN_add(lambda, k, cardinality)) + goto err; + BN_set_flags(lambda, BN_FLG_CONSTTIME); + if (!BN_add(k, lambda, cardinality)) + goto err; + /* + * lambda := scalar + cardinality + * k := scalar + 2*cardinality + */ + kbit = BN_is_bit_set(lambda, cardinality_bits); + BN_consttime_swap(kbit, k, lambda, group_top + 1); + + group_top = bn_get_top(group->field); + if ((bn_wexpand(s->X, group_top) == NULL) + || (bn_wexpand(s->Y, group_top) == NULL) + || (bn_wexpand(s->Z, group_top) == NULL) + || (bn_wexpand(r->X, group_top) == NULL) + || (bn_wexpand(r->Y, group_top) == NULL) + || (bn_wexpand(r->Z, group_top) == NULL)) + goto err; + + /* top bit is a 1, in a fixed pos */ + if (!EC_POINT_copy(r, s)) + goto err; + + EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME); + + if (!EC_POINT_dbl(group, s, s, ctx)) + goto err; + + pbit = 0; + +#define EC_POINT_CSWAP(c, a, b, w, t) do { \ + BN_consttime_swap(c, (a)->X, (b)->X, w); \ + BN_consttime_swap(c, (a)->Y, (b)->Y, w); \ + BN_consttime_swap(c, (a)->Z, (b)->Z, w); \ + t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ + (a)->Z_is_one ^= (t); \ + (b)->Z_is_one ^= (t); \ +} while(0) + + /*- + * The ladder step, with branches, is + * + * k[i] == 0: S = add(R, S), R = dbl(R) + * k[i] == 1: R = add(S, R), S = dbl(S) + * + * Swapping R, S conditionally on k[i] leaves you with state + * + * k[i] == 0: T, U = R, S + * k[i] == 1: T, U = S, R + * + * Then perform the ECC ops. + * + * U = add(T, U) + * T = dbl(T) + * + * Which leaves you with state + * + * k[i] == 0: U = add(R, S), T = dbl(R) + * k[i] == 1: U = add(S, R), T = dbl(S) + * + * Swapping T, U conditionally on k[i] leaves you with state + * + * k[i] == 0: R, S = T, U + * k[i] == 1: R, S = U, T + * + * Which leaves you with state + * + * k[i] == 0: S = add(R, S), R = dbl(R) + * k[i] == 1: R = add(S, R), S = dbl(S) + * + * So we get the same logic, but instead of a branch it's a + * conditional swap, followed by ECC ops, then another conditional swap. + * + * Optimization: The end of iteration i and start of i-1 looks like + * + * ... + * CSWAP(k[i], R, S) + * ECC + * CSWAP(k[i], R, S) + * (next iteration) + * CSWAP(k[i-1], R, S) + * ECC + * CSWAP(k[i-1], R, S) + * ... + * + * So instead of two contiguous swaps, you can merge the condition + * bits and do a single swap. + * + * k[i] k[i-1] Outcome + * 0 0 No Swap + * 0 1 Swap + * 1 0 Swap + * 1 1 No Swap + * + * This is XOR. pbit tracks the previous bit of k. + */ + + for (i = cardinality_bits - 1; i >= 0; i--) { + kbit = BN_is_bit_set(k, i) ^ pbit; + EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); + if (!EC_POINT_add(group, s, r, s, ctx)) + goto err; + if (!EC_POINT_dbl(group, r, r, ctx)) + goto err; + /* + * pbit logic merges this cswap with that of the + * next iteration + */ + pbit ^= kbit; + } + /* one final cswap to move the right value into r */ + EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); +#undef EC_POINT_CSWAP + + ret = 1; + + err: + EC_POINT_free(s); + BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + + return ret; +} + +#undef EC_POINT_BN_set_flags + /* * TODO: table should be optimised for the wNAF-based implementation, * sometimes smaller windows will give better performance (thus the @@ -155,7 +373,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, * precomputation is not available */ int ret = 0; - if (group->meth != r->meth) { + if (!ec_point_is_compat(r, group)) { ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -164,8 +382,34 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, return EC_POINT_set_to_infinity(group, r); } + /*- + * Handle the common cases where the scalar is secret, enforcing a constant + * time scalar multiplication algorithm. + */ + if ((scalar != NULL) && (num == 0)) { + /*- + * In this case we want to compute scalar * GeneratorPoint: this + * codepath is reached most prominently by (ephemeral) key generation + * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH + * keygen/first half), where the scalar is always secret. This is why + * we ignore if BN_FLG_CONSTTIME is actually set and we always call the + * constant time version. + */ + return ec_mul_consttime(group, r, scalar, NULL, ctx); + } + if ((scalar == NULL) && (num == 1)) { + /*- + * In this case we want to compute scalar * GenericPoint: this codepath + * is reached most prominently by the second half of ECDH, where the + * secret scalar is multiplied by the peer's public point. To protect + * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and + * we always call the constant time version. + */ + return ec_mul_consttime(group, r, scalars[0], points[0], ctx); + } + for (i = 0; i < num; i++) { - if (group->meth != points[i]->meth) { + if (!ec_point_is_compat(points[i], group)) { ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ec_oct.c b/crypto/external/bsd/openssl/dist/crypto/ec/ec_oct.c index effc42a344da..e185df6edfd5 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ec_oct.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ec_oct.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -30,7 +30,7 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -66,7 +66,7 @@ int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -93,7 +93,7 @@ size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, ECerr(EC_F_EC_POINT_POINT2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -123,7 +123,7 @@ int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point, ECerr(EC_F_EC_POINT_OCT2POINT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_INCOMPATIBLE_OBJECTS); return 0; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ecdsa_ossl.c b/crypto/external/bsd/openssl/dist/crypto/ec/ecdsa_ossl.c index 72e2f0f28bc2..9e4a68d9ca35 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ecdsa_ossl.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ecdsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,9 +10,8 @@ #include #include #include -#include #include -#include +#include "internal/bn_int.h" #include "ec_lcl.h" int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, @@ -53,13 +52,12 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, return 0; } - if (ctx_in == NULL) { + if ((ctx = ctx_in) == NULL) { if ((ctx = BN_CTX_new()) == NULL) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE); return 0; } - } else - ctx = ctx_in; + } k = BN_new(); /* this value is later returned in *kinvp */ r = BN_new(); /* this value is later returned in *rp */ @@ -73,10 +71,6 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, goto err; } order = EC_GROUP_get0_order(group); - if (order == NULL) { - ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); - goto err; - } /* Preallocate space */ order_bits = BN_num_bits(order); @@ -87,23 +81,23 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, do { /* get random k */ - do + do { if (dgst != NULL) { - if (!BN_generate_dsa_nonce - (k, order, EC_KEY_get0_private_key(eckey), dgst, dlen, - ctx)) { + if (!BN_generate_dsa_nonce(k, order, + EC_KEY_get0_private_key(eckey), + dgst, dlen, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, - EC_R_RANDOM_NUMBER_GENERATION_FAILED); + EC_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } } else { if (!BN_rand_range(k, order)) { ECerr(EC_F_ECDSA_SIGN_SETUP, - EC_R_RANDOM_NUMBER_GENERATION_FAILED); + EC_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } } - while (BN_is_zero(k)); + } while (BN_is_zero(k)); /* * We do not want timing information to leak the length of k, so we @@ -129,18 +123,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, } if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { - if (!EC_POINT_get_affine_coordinates_GFp - (group, tmp_point, X, NULL, ctx)) { + if (!EC_POINT_get_affine_coordinates_GFp(group, tmp_point, X, + NULL, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } } #ifndef OPENSSL_NO_EC2M else { /* NID_X9_62_characteristic_two_field */ - - if (!EC_POINT_get_affine_coordinates_GF2m(group, - tmp_point, X, NULL, - ctx)) { + if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp_point, X, + NULL, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } @@ -150,8 +142,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); goto err; } - } - while (BN_is_zero(r)); + } while (BN_is_zero(r)); /* compute the inverse of k */ if (EC_GROUP_get_mont_data(group) != NULL) { @@ -210,7 +201,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, EC_KEY *eckey) { int ok = 0, i; - BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL; + BIGNUM *kinv = NULL, *s, *m = NULL; const BIGNUM *order, *ckinv; BN_CTX *ctx = NULL; const EC_GROUP *group; @@ -243,17 +234,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, } s = ret->s; - if ((ctx = BN_CTX_new()) == NULL || - (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { + if ((ctx = BN_CTX_new()) == NULL + || (m = BN_new()) == NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); goto err; } order = EC_GROUP_get0_order(group); - if (order == NULL) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_EC_LIB); - goto err; - } i = BN_num_bits(order); /* * Need to truncate digest if it is too long: first truncate whole bytes. @@ -264,7 +251,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } - /* If still too long truncate remaining bits with a shift */ + /* If still too long, truncate remaining bits with a shift */ if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; @@ -284,18 +271,32 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, } } - if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { + /* + * With only one multiplicant being in Montgomery domain + * multiplication yields real result without post-conversion. + * Also note that all operations but last are performed with + * zero-padded vectors. Last operation, BN_mod_mul_montgomery + * below, returns user-visible value with removed zero padding. + */ + if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx) + || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } - if (!BN_mod_add_quick(s, tmp, m, order)) { + if (!bn_mod_add_fixed_top(s, s, m, order)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } - if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + /* + * |s| can still be larger than modulus, because |m| can be. In + * such case we count on Montgomery reduction to tie it up. + */ + if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx) + || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } + if (BN_is_zero(s)) { /* * if kinv and r have been supplied by the caller don't to @@ -305,11 +306,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES); goto err; } - } else + } else { /* s != 0 => we have a valid signature */ break; - } - while (1); + } + } while (1); ok = 1; err: @@ -319,7 +320,6 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, } BN_CTX_free(ctx); BN_clear_free(m); - BN_clear_free(tmp); BN_clear_free(kinv); return ret; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistz256.c b/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistz256.c index 246189833ec2..4dbe21692721 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistz256.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistz256.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1110,28 +1110,12 @@ __owur static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *gr const P256_POINT_AFFINE *in, BN_CTX *ctx) { - BIGNUM *x, *y; - BN_ULONG d_x[P256_LIMBS], d_y[P256_LIMBS]; int ret = 0; - x = BN_new(); - if (x == NULL) - return 0; - y = BN_new(); - if (y == NULL) { - BN_free(x); - return 0; - } - memcpy(d_x, in->X, sizeof(d_x)); - bn_set_static_words(x, d_x, P256_LIMBS); - - memcpy(d_y, in->Y, sizeof(d_y)); - bn_set_static_words(y, d_y, P256_LIMBS); - - ret = EC_POINT_set_affine_coordinates_GFp(group, out, x, y, ctx); - - BN_free(x); - BN_free(y); + if ((ret = bn_set_words(out->X, in->X, P256_LIMBS)) + && (ret = bn_set_words(out->Y, in->Y, P256_LIMBS)) + && (ret = bn_set_words(out->Z, ONE, P256_LIMBS))) + out->Z_is_one = 1; return ret; } @@ -1168,7 +1152,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group, return 0; } - if (group->meth != r->meth) { + if (!ec_point_is_compat(r, group)) { ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -1177,7 +1161,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group, return EC_POINT_set_to_infinity(group, r); for (j = 0; j < num; j++) { - if (group->meth != points[j]->meth) { + if (!ec_point_is_compat(points[j], group)) { ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -1210,9 +1194,9 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group, if (pre_comp_generator == NULL) goto err; + ecp_nistz256_gather_w7(&p.a, pre_comp->precomp[0], 1); if (!ecp_nistz256_set_from_affine(pre_comp_generator, - group, pre_comp->precomp[0], - ctx)) { + group, &p.a, ctx)) { EC_POINT_free(pre_comp_generator); goto err; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c b/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c index abd379504666..e3b88315fd47 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c +++ b/crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -352,6 +352,7 @@ int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) if (!BN_copy(dest->Z, src->Z)) return 0; dest->Z_is_one = src->Z_is_one; + dest->curve_name = src->curve_name; return 1; } diff --git a/crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c b/crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c index cbefc7eb6c6d..ef8e99550334 100644 --- a/crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,7 +18,8 @@ CRYPTO_ONCE engine_lock_init = CRYPTO_ONCE_STATIC_INIT; DEFINE_RUN_ONCE(do_engine_lock_init) { - OPENSSL_init_crypto(0, NULL); + if (!OPENSSL_init_crypto(0, NULL)) + return 0; global_engine_lock = CRYPTO_THREAD_lock_new(); return global_engine_lock != NULL; } @@ -143,8 +144,10 @@ void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) if (!int_cleanup_check(1)) return; item = int_cleanup_item(cb); - if (item) - sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item); + if (item != NULL) { + if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0) + OPENSSL_free(item); + } } /* The API function that performs all cleanup */ diff --git a/crypto/external/bsd/openssl/dist/crypto/engine/tb_asnmth.c b/crypto/external/bsd/openssl/dist/crypto/engine/tb_asnmth.c index 480267daabad..5c7b16170390 100644 --- a/crypto/external/bsd/openssl/dist/crypto/engine/tb_asnmth.c +++ b/crypto/external/bsd/openssl/dist/crypto/engine/tb_asnmth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -170,7 +170,8 @@ static void look_str_cb(int nid, STACK_OF(ENGINE) *sk, ENGINE *def, void *arg) ENGINE *e = sk_ENGINE_value(sk, i); EVP_PKEY_ASN1_METHOD *ameth; e->pkey_asn1_meths(e, &ameth, NULL, nid); - if (((int)strlen(ameth->pem_str) == lk->len) + if (ameth != NULL + && ((int)strlen(ameth->pem_str) == lk->len) && strncasecmp(ameth->pem_str, lk->str, lk->len) == 0) { lk->e = e; lk->ameth = ameth; diff --git a/crypto/external/bsd/openssl/dist/crypto/err/err.c b/crypto/external/bsd/openssl/dist/crypto/err/err.c index c4399285fe12..08c27a3e8385 100644 --- a/crypto/external/bsd/openssl/dist/crypto/err/err.c +++ b/crypto/external/bsd/openssl/dist/crypto/err/err.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -254,7 +254,8 @@ static void ERR_STATE_free(ERR_STATE *s) DEFINE_RUN_ONCE_STATIC(do_err_strings_init) { - OPENSSL_init_crypto(0, NULL); + if (!OPENSSL_init_crypto(0, NULL)) + return 0; err_string_lock = CRYPTO_THREAD_lock_new(); return err_string_lock != NULL; } @@ -653,29 +654,31 @@ DEFINE_RUN_ONCE_STATIC(err_do_init) ERR_STATE *ERR_get_state(void) { - ERR_STATE *state = NULL; + ERR_STATE *state; + + if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL)) + return NULL; if (!RUN_ONCE(&err_init, err_do_init)) return NULL; - /* - * If base OPENSSL_init_crypto() hasn't been called yet, be sure to call - * it now to avoid state to be doubly allocated and thereby leak memory. - * Needed on any platform that doesn't define OPENSSL_USE_NODELETE. - */ - if (!OPENSSL_init_crypto(0, NULL)) + state = CRYPTO_THREAD_get_local(&err_thread_local); + if (state == (ERR_STATE*)-1) return NULL; - state = CRYPTO_THREAD_get_local(&err_thread_local); - if (state == NULL) { - state = OPENSSL_zalloc(sizeof(*state)); - if (state == NULL) + if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1)) return NULL; + if ((state = OPENSSL_zalloc(sizeof(*state))) == NULL) { + CRYPTO_THREAD_set_local(&err_thread_local, NULL); + return NULL; + } + if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ERR_STATE) - || !CRYPTO_THREAD_set_local(&err_thread_local, state)) { + || !CRYPTO_THREAD_set_local(&err_thread_local, state)) { ERR_STATE_free(state); + CRYPTO_THREAD_set_local(&err_thread_local, NULL); return NULL; } @@ -686,13 +689,41 @@ ERR_STATE *ERR_get_state(void) return state; } +/* + * err_shelve_state returns the current thread local error state + * and freezes the error module until err_unshelve_state is called. + */ +int err_shelve_state(void **state) +{ + if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL)) + return 0; + + if (!RUN_ONCE(&err_init, err_do_init)) + return 0; + + *state = CRYPTO_THREAD_get_local(&err_thread_local); + if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1)) + return 0; + + return 1; +} + +/* + * err_unshelve_state restores the error state that was returned + * by err_shelve_state previously. + */ +void err_unshelve_state(void* state) +{ + if (state != (void*)-1) + CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)state); +} + int ERR_get_next_error_library(void) { int ret; - if (!RUN_ONCE(&err_string_init, do_err_strings_init)) { + if (!RUN_ONCE(&err_string_init, do_err_strings_init)) return 0; - } CRYPTO_THREAD_write_lock(err_string_lock); ret = int_err_library_number++; diff --git a/crypto/external/bsd/openssl/dist/crypto/evp/evp_err.c b/crypto/external/bsd/openssl/dist/crypto/evp/evp_err.c index c4b163f0ba65..3543d44cb416 100644 --- a/crypto/external/bsd/openssl/dist/crypto/evp/evp_err.c +++ b/crypto/external/bsd/openssl/dist/crypto/evp/evp_err.c @@ -70,6 +70,8 @@ static ERR_STRING_DATA EVP_str_functs[] = { {ERR_FUNC(EVP_F_EVP_PKEY_GET0_RSA), "EVP_PKEY_get0_RSA"}, {ERR_FUNC(EVP_F_EVP_PKEY_KEYGEN), "EVP_PKEY_keygen"}, {ERR_FUNC(EVP_F_EVP_PKEY_KEYGEN_INIT), "EVP_PKEY_keygen_init"}, + {ERR_FUNC(EVP_F_EVP_PKEY_METH_ADD0), "EVP_PKEY_meth_add0"}, + {ERR_FUNC(EVP_F_EVP_PKEY_METH_NEW), "EVP_PKEY_meth_new"}, {ERR_FUNC(EVP_F_EVP_PKEY_NEW), "EVP_PKEY_new"}, {ERR_FUNC(EVP_F_EVP_PKEY_PARAMGEN), "EVP_PKEY_paramgen"}, {ERR_FUNC(EVP_F_EVP_PKEY_PARAMGEN_INIT), "EVP_PKEY_paramgen_init"}, @@ -143,6 +145,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = { {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"}, {ERR_REASON(EVP_R_PARTIALLY_OVERLAPPING), "partially overlapping buffers"}, + {ERR_REASON(EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, {ERR_REASON(EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED), "pkey application asn1 method already registered"}, {ERR_REASON(EVP_R_PKEY_ASN1_METHOD_ALREADY_REGISTERED), diff --git a/crypto/external/bsd/openssl/dist/crypto/evp/pmeth_lib.c b/crypto/external/bsd/openssl/dist/crypto/evp/pmeth_lib.c index 5e650a9db33e..f623db34836a 100644 --- a/crypto/external/bsd/openssl/dist/crypto/evp/pmeth_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/evp/pmeth_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -151,8 +151,10 @@ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags) EVP_PKEY_METHOD *pmeth; pmeth = OPENSSL_zalloc(sizeof(*pmeth)); - if (pmeth == NULL) + if (pmeth == NULL) { + EVPerr(EVP_F_EVP_PKEY_METH_NEW, ERR_R_MALLOC_FAILURE); return NULL; + } pmeth->pkey_id = id; pmeth->flags = flags | EVP_PKEY_FLAG_DYNAMIC; @@ -238,8 +240,10 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx) } #endif rctx = OPENSSL_malloc(sizeof(*rctx)); - if (rctx == NULL) + if (rctx == NULL) { + EVPerr(EVP_F_EVP_PKEY_CTX_DUP, ERR_R_MALLOC_FAILURE); return NULL; + } rctx->pmeth = pctx->pmeth; #ifndef OPENSSL_NO_ENGINE @@ -273,11 +277,15 @@ int EVP_PKEY_meth_add0(const EVP_PKEY_METHOD *pmeth) { if (app_pkey_methods == NULL) { app_pkey_methods = sk_EVP_PKEY_METHOD_new(pmeth_cmp); - if (app_pkey_methods == NULL) + if (app_pkey_methods == NULL) { + EVPerr(EVP_F_EVP_PKEY_METH_ADD0, ERR_R_MALLOC_FAILURE); return 0; + } } - if (!sk_EVP_PKEY_METHOD_push(app_pkey_methods, pmeth)) + if (!sk_EVP_PKEY_METHOD_push(app_pkey_methods, pmeth)) { + EVPerr(EVP_F_EVP_PKEY_METH_ADD0, ERR_R_MALLOC_FAILURE); return 0; + } sk_EVP_PKEY_METHOD_sort(app_pkey_methods); return 1; } @@ -557,26 +565,26 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth, pmeth->ctrl_str = ctrl_str; } -void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_init(const EVP_PKEY_METHOD *pmeth, int (**pinit) (EVP_PKEY_CTX *ctx)) { *pinit = pmeth->init; } -void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_copy(const EVP_PKEY_METHOD *pmeth, int (**pcopy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)) { *pcopy = pmeth->copy; } -void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_cleanup(const EVP_PKEY_METHOD *pmeth, void (**pcleanup) (EVP_PKEY_CTX *ctx)) { *pcleanup = pmeth->cleanup; } -void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_paramgen(const EVP_PKEY_METHOD *pmeth, int (**pparamgen_init) (EVP_PKEY_CTX *ctx), int (**pparamgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)) @@ -587,7 +595,7 @@ void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth, *pparamgen = pmeth->paramgen; } -void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_keygen(const EVP_PKEY_METHOD *pmeth, int (**pkeygen_init) (EVP_PKEY_CTX *ctx), int (**pkeygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)) @@ -598,7 +606,7 @@ void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth, *pkeygen = pmeth->keygen; } -void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_sign(const EVP_PKEY_METHOD *pmeth, int (**psign_init) (EVP_PKEY_CTX *ctx), int (**psign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, @@ -611,7 +619,7 @@ void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, *psign = pmeth->sign; } -void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verify(const EVP_PKEY_METHOD *pmeth, int (**pverify_init) (EVP_PKEY_CTX *ctx), int (**pverify) (EVP_PKEY_CTX *ctx, const unsigned char *sig, @@ -625,7 +633,7 @@ void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, *pverify = pmeth->verify; } -void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verify_recover(const EVP_PKEY_METHOD *pmeth, int (**pverify_recover_init) (EVP_PKEY_CTX *ctx), int (**pverify_recover) (EVP_PKEY_CTX @@ -643,7 +651,7 @@ void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, *pverify_recover = pmeth->verify_recover; } -void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_signctx(const EVP_PKEY_METHOD *pmeth, int (**psignctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx), int (**psignctx) (EVP_PKEY_CTX *ctx, @@ -657,7 +665,7 @@ void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, *psignctx = pmeth->signctx; } -void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verifyctx(const EVP_PKEY_METHOD *pmeth, int (**pverifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx), int (**pverifyctx) (EVP_PKEY_CTX *ctx, @@ -671,7 +679,7 @@ void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, *pverifyctx = pmeth->verifyctx; } -void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_encrypt(const EVP_PKEY_METHOD *pmeth, int (**pencrypt_init) (EVP_PKEY_CTX *ctx), int (**pencryptfn) (EVP_PKEY_CTX *ctx, unsigned char *out, @@ -685,7 +693,7 @@ void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, *pencryptfn = pmeth->encrypt; } -void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_decrypt(const EVP_PKEY_METHOD *pmeth, int (**pdecrypt_init) (EVP_PKEY_CTX *ctx), int (**pdecrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, @@ -699,7 +707,7 @@ void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, *pdecrypt = pmeth->decrypt; } -void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_derive(const EVP_PKEY_METHOD *pmeth, int (**pderive_init) (EVP_PKEY_CTX *ctx), int (**pderive) (EVP_PKEY_CTX *ctx, unsigned char *key, @@ -711,7 +719,7 @@ void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth, *pderive = pmeth->derive; } -void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth, int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2), int (**pctrl_str) (EVP_PKEY_CTX *ctx, diff --git a/crypto/external/bsd/openssl/dist/crypto/evp/scrypt.c b/crypto/external/bsd/openssl/dist/crypto/evp/scrypt.c index 101bb1edbd48..3543df540337 100644 --- a/crypto/external/bsd/openssl/dist/crypto/evp/scrypt.c +++ b/crypto/external/bsd/openssl/dist/crypto/evp/scrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -171,8 +171,10 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) return 0; /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ - if (p > SCRYPT_PR_MAX / r) + if (p > SCRYPT_PR_MAX / r) { + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; + } /* * Need to check N: if 2^(128 * r / 8) overflows limit this is @@ -180,8 +182,10 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, */ if (16 * r <= LOG2_UINT64_MAX) { - if (N >= (((uint64_t)1) << (16 * r))) + if (N >= (((uint64_t)1) << (16 * r))) { + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; + } } /* Memory checks: check total allocated buffer size fits in uint64_t */ @@ -199,13 +203,17 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, * This is combined size V, X and T (section 4) */ i = UINT64_MAX / (32 * sizeof(uint32_t)); - if (N + 2 > i / r) + if (N + 2 > i / r) { + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; + } Vlen = 32 * r * (N + 2) * sizeof(uint32_t); /* check total allocated size fits in uint64_t */ - if (Blen > UINT64_MAX - Vlen) + if (Blen > UINT64_MAX - Vlen) { + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; + } /* check total allocated size fits in size_t */ if (Blen > SIZE_MAX - Vlen) return 0; @@ -225,8 +233,10 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, return 1; B = OPENSSL_malloc(allocsize); - if (B == NULL) + if (B == NULL) { + EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE); return 0; + } X = (uint32_t *)(B + Blen); T = X + 32 * r; V = T + 32 * r; @@ -242,6 +252,9 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, goto err; rv = 1; err: + if (rv == 0) + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR); + OPENSSL_clear_free(B, allocsize); return rv; } diff --git a/crypto/external/bsd/openssl/dist/crypto/ex_data.c b/crypto/external/bsd/openssl/dist/crypto/ex_data.c index 22c4d3d9b904..6e3072f2a948 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ex_data.c +++ b/crypto/external/bsd/openssl/dist/crypto/ex_data.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,7 +38,8 @@ static CRYPTO_ONCE ex_data_init = CRYPTO_ONCE_STATIC_INIT; DEFINE_RUN_ONCE_STATIC(do_ex_data_init) { - OPENSSL_init_crypto(0, NULL); + if (!OPENSSL_init_crypto(0, NULL)) + return 0; ex_data_lock = CRYPTO_THREAD_lock_new(); return ex_data_lock != NULL; } diff --git a/crypto/external/bsd/openssl/dist/crypto/include/internal/__DECC_INCLUDE_EPILOGUE.H b/crypto/external/bsd/openssl/dist/crypto/include/internal/__DECC_INCLUDE_EPILOGUE.H new file mode 100644 index 000000000000..5f63860808b6 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/crypto/include/internal/__DECC_INCLUDE_EPILOGUE.H @@ -0,0 +1,16 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This file is only used by HP C on VMS, and is included automatically + * after each header file from this directory + */ + +/* restore state. Must correspond to the save in __decc_include_prologue.h */ +#pragma names restore diff --git a/crypto/external/bsd/openssl/dist/crypto/include/internal/__DECC_INCLUDE_PROLOGUE.H b/crypto/external/bsd/openssl/dist/crypto/include/internal/__DECC_INCLUDE_PROLOGUE.H new file mode 100644 index 000000000000..78b2a87d8868 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/crypto/include/internal/__DECC_INCLUDE_PROLOGUE.H @@ -0,0 +1,20 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This file is only used by HP C on VMS, and is included automatically + * after each header file from this directory + */ + +/* save state */ +#pragma names save +/* have the compiler shorten symbols larger than 31 chars to 23 chars + * followed by a 8 hex char CRC + */ +#pragma names as_is,shortened diff --git a/crypto/external/bsd/openssl/dist/crypto/include/internal/asn1_int.h b/crypto/external/bsd/openssl/dist/crypto/include/internal/asn1_int.h index f70e3b47ba32..ba9c062702c5 100644 --- a/crypto/external/bsd/openssl/dist/crypto/include/internal/asn1_int.h +++ b/crypto/external/bsd/openssl/dist/crypto/include/internal/asn1_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -90,5 +90,3 @@ struct asn1_pctx_st { unsigned long oid_flags; unsigned long str_flags; } /* ASN1_PCTX */ ; - -int asn1_valid_host(const ASN1_STRING *host); diff --git a/crypto/external/bsd/openssl/dist/crypto/include/internal/async.h b/crypto/external/bsd/openssl/dist/crypto/include/internal/async.h index db56258f29eb..dc8e937b0ced 100644 --- a/crypto/external/bsd/openssl/dist/crypto/include/internal/async.h +++ b/crypto/external/bsd/openssl/dist/crypto/include/internal/async.h @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,4 +11,5 @@ int async_init(void); void async_deinit(void); +void async_delete_thread_state(void); diff --git a/crypto/external/bsd/openssl/dist/crypto/include/internal/bn_int.h b/crypto/external/bsd/openssl/dist/crypto/include/internal/bn_int.h index 9c984ba78183..2fcdd0d13e19 100644 --- a/crypto/external/bsd/openssl/dist/crypto/include/internal/bn_int.h +++ b/crypto/external/bsd/openssl/dist/crypto/include/internal/bn_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -53,7 +53,7 @@ BN_ULONG *bn_get_words(const BIGNUM *a); * Set the internal data words in a to point to words which contains size * elements. The BN_FLG_STATIC_DATA flag is set */ -void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size); +void bn_set_static_words(BIGNUM *a, const BN_ULONG *words, int size); /* * Copy words into the BIGNUM |a|, reallocating space as necessary. @@ -64,7 +64,7 @@ void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size); * |num_words| is int because bn_expand2 takes an int. This is an internal * function so we simply trust callers not to pass negative values. */ -int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words); +int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words); size_t bn_sizeof_BIGNUM(void); @@ -74,6 +74,19 @@ size_t bn_sizeof_BIGNUM(void); */ BIGNUM *bn_array_el(BIGNUM *base, int el); +/* + * Some BIGNUM functions assume most significant limb to be non-zero, which + * is customarily arranged by bn_correct_top. Output from below functions + * is not processed with bn_correct_top, and for this reason it may not be + * returned out of public API. It may only be passed internally into other + * functions known to support non-minimal or zero-padded BIGNUMs. + */ +int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mont, BN_CTX *ctx); +int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx); +int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m); #ifdef __cplusplus } diff --git a/crypto/external/bsd/openssl/dist/crypto/include/internal/cryptlib.h b/crypto/external/bsd/openssl/dist/crypto/include/internal/cryptlib.h index f3ec9b67b825..627fd8caf4a1 100644 --- a/crypto/external/bsd/openssl/dist/crypto/include/internal/cryptlib.h +++ b/crypto/external/bsd/openssl/dist/crypto/include/internal/cryptlib.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -74,6 +74,8 @@ FILE *openssl_fopen(const char *filename, const char *mode); void *openssl_fopen(const char *filename, const char *mode); # endif +unsigned long OPENSSL_rdtsc(void); + #ifdef __cplusplus } #endif diff --git a/crypto/external/bsd/openssl/dist/crypto/include/internal/cryptlib_int.h b/crypto/external/bsd/openssl/dist/crypto/include/internal/cryptlib_int.h index 8e2a7199a162..ceeb63ddd0d6 100644 --- a/crypto/external/bsd/openssl/dist/crypto/include/internal/cryptlib_int.h +++ b/crypto/external/bsd/openssl/dist/crypto/include/internal/cryptlib_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -24,6 +24,7 @@ int ossl_init_thread_start(uint64_t opts); * use". */ # define OPENSSL_INIT_ZLIB 0x00010000L +# define OPENSSL_INIT_BASE_ONLY 0x00040000L /* OPENSSL_INIT_THREAD flags */ # define OPENSSL_INIT_THREAD_ASYNC 0x01 diff --git a/crypto/external/bsd/openssl/dist/crypto/include/internal/err_int.h b/crypto/external/bsd/openssl/dist/crypto/include/internal/err_int.h index 7fec3ed76773..44ac94462750 100644 --- a/crypto/external/bsd/openssl/dist/crypto/include/internal/err_int.h +++ b/crypto/external/bsd/openssl/dist/crypto/include/internal/err_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,5 +13,7 @@ int err_load_crypto_strings_int(void); void err_cleanup(void); void err_delete_thread_state(void); +int err_shelve_state(void **); +void err_unshelve_state(void *); #endif diff --git a/crypto/external/bsd/openssl/dist/crypto/include/internal/x509_int.h b/crypto/external/bsd/openssl/dist/crypto/include/internal/x509_int.h index 2845026dd82f..eb439977049b 100644 --- a/crypto/external/bsd/openssl/dist/crypto/include/internal/x509_int.h +++ b/crypto/external/bsd/openssl/dist/crypto/include/internal/x509_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -166,6 +166,7 @@ struct x509_st { unsigned char sha1_hash[SHA_DIGEST_LENGTH]; X509_CERT_AUX *aux; CRYPTO_RWLOCK *lock; + volatile int ex_cached; } /* X509 */ ; /* diff --git a/crypto/external/bsd/openssl/dist/crypto/init.c b/crypto/external/bsd/openssl/dist/crypto/init.c index 173eac374767..00a91792d838 100644 --- a/crypto/external/bsd/openssl/dist/crypto/init.c +++ b/crypto/external/bsd/openssl/dist/crypto/init.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -27,11 +27,25 @@ static int stopped = 0; +/* + * Since per-thread-specific-data destructors are not universally + * available, i.e. not on Windows, only below CRYPTO_THREAD_LOCAL key + * is assumed to have destructor associated. And then an effort is made + * to call this single destructor on non-pthread platform[s]. + * + * Initial value is "impossible". It is used as guard value to shortcut + * destructor for threads terminating before libcrypto is initialized or + * after it's de-initialized. Access to the key doesn't have to be + * serialized for the said threads, because they didn't use libcrypto + * and it doesn't matter if they pick "impossible" or derefernce real + * key value and pull NULL past initialization in the first thread that + * intends to use libcrypto. + */ +static CRYPTO_THREAD_LOCAL destructor_key = (CRYPTO_THREAD_LOCAL)-1; + static void ossl_init_thread_stop(struct thread_local_inits_st *locals); -static CRYPTO_THREAD_LOCAL threadstopkey; - -static void ossl_init_thread_stop_wrap(void *local) +static void ossl_init_thread_destructor(void *local) { ossl_init_thread_stop((struct thread_local_inits_st *)local); } @@ -39,17 +53,17 @@ static void ossl_init_thread_stop_wrap(void *local) static struct thread_local_inits_st *ossl_init_get_thread_local(int alloc) { struct thread_local_inits_st *local = - CRYPTO_THREAD_get_local(&threadstopkey); + CRYPTO_THREAD_get_local(&destructor_key); - if (local == NULL && alloc) { - local = OPENSSL_zalloc(sizeof(*local)); - if (local != NULL && !CRYPTO_THREAD_set_local(&threadstopkey, local)) { + if (alloc) { + if (local == NULL + && (local = OPENSSL_zalloc(sizeof(*local))) != NULL + && !CRYPTO_THREAD_set_local(&destructor_key, local)) { OPENSSL_free(local); return NULL; } - } - if (!alloc) { - CRYPTO_THREAD_set_local(&threadstopkey, NULL); + } else { + CRYPTO_THREAD_set_local(&destructor_key, NULL); } return local; @@ -68,29 +82,42 @@ static CRYPTO_ONCE base = CRYPTO_ONCE_STATIC_INIT; static int base_inited = 0; DEFINE_RUN_ONCE_STATIC(ossl_init_base) { + CRYPTO_THREAD_LOCAL key; + #ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_base: Setting up stop handlers\n"); #endif - /* - * We use a dummy thread local key here. We use the destructor to detect - * when the thread is going to stop (where that feature is available) - */ - CRYPTO_THREAD_init_local(&threadstopkey, ossl_init_thread_stop_wrap); -#ifndef OPENSSL_SYS_UEFI - atexit(OPENSSL_cleanup); -#endif - if ((init_lock = CRYPTO_THREAD_lock_new()) == NULL) + if (!CRYPTO_THREAD_init_local(&key, ossl_init_thread_destructor)) return 0; + if ((init_lock = CRYPTO_THREAD_lock_new()) == NULL) + goto err; +#ifndef OPENSSL_SYS_UEFI + if (atexit(OPENSSL_cleanup) != 0) + goto err; +#endif OPENSSL_cpuid_setup(); - /* - * BIG FAT WARNING! - * Everything needed to be initialized in this function before threads - * come along MUST happen before base_inited is set to 1, or we will - * see race conditions. - */ + destructor_key = key; base_inited = 1; + return 1; +err: +#ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: ossl_init_base not ok!\n"); +#endif + CRYPTO_THREAD_lock_free(init_lock); + init_lock = NULL; + + CRYPTO_THREAD_cleanup_local(&key); + return 0; +} + +static CRYPTO_ONCE load_crypto_nodelete = CRYPTO_ONCE_STATIC_INIT; +DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete) +{ +#ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: ossl_init_load_crypto_nodelete()\n"); +#endif #if !defined(OPENSSL_NO_DSO) && !defined(OPENSSL_USE_NODELETE) # ifdef DSO_WIN32 { @@ -102,6 +129,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base) | GET_MODULE_HANDLE_EX_FLAG_PIN, (void *)&base_inited, &handle); +# ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: obtained DSO reference? %s\n", + (ret == TRUE ? "No!" : "Yes.")); +# endif return (ret == TRUE) ? 1 : 0; } # else @@ -110,12 +141,24 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base) * to remain loaded until the atexit() handler is run at process exit. */ { - DSO *dso = NULL; + DSO *dso; + void *err; + + if (!err_shelve_state(&err)) + return 0; - ERR_set_mark(); dso = DSO_dsobyaddr(&base_inited, DSO_FLAG_NO_UNLOAD_ON_FREE); +# ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: obtained DSO reference? %s\n", + (dso == NULL ? "No!" : "Yes.")); + /* + * In case of No!, it is uncertain our exit()-handlers can still be + * called. After dlclose() the whole library might have been unloaded + * already. + */ +# endif DSO_free(dso); - ERR_pop_to_mark(); + err_unshelve_state(err); } # endif #endif @@ -335,9 +378,9 @@ static void ossl_init_thread_stop(struct thread_local_inits_st *locals) if (locals->async) { #ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_thread_stop: " - "ASYNC_cleanup_thread()\n"); + "async_delete_thread_state()\n"); #endif - ASYNC_cleanup_thread(); + async_delete_thread_state(); } if (locals->err_state) { @@ -353,8 +396,8 @@ static void ossl_init_thread_stop(struct thread_local_inits_st *locals) void OPENSSL_thread_stop(void) { - ossl_init_thread_stop( - (struct thread_local_inits_st *)ossl_init_get_thread_local(0)); + if (destructor_key != (CRYPTO_THREAD_LOCAL)-1) + ossl_init_thread_stop(ossl_init_get_thread_local(0)); } int ossl_init_thread_start(uint64_t opts) @@ -391,6 +434,7 @@ int ossl_init_thread_start(uint64_t opts) void OPENSSL_cleanup(void) { OPENSSL_INIT_STOP *currhandler, *lasthandler; + CRYPTO_THREAD_LOCAL key; /* If we've not been inited then no need to deinit */ if (!base_inited) @@ -449,7 +493,9 @@ void OPENSSL_cleanup(void) err_free_strings_int(); } - CRYPTO_THREAD_cleanup_local(&threadstopkey); + key = destructor_key; + destructor_key = (CRYPTO_THREAD_LOCAL)-1; + CRYPTO_THREAD_cleanup_local(&key); #ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: " @@ -505,22 +551,18 @@ void OPENSSL_cleanup(void) */ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) { - static int stoperrset = 0; - if (stopped) { - if (!stoperrset) { - /* - * We only ever set this once to avoid getting into an infinite - * loop where the error system keeps trying to init and fails so - * sets an error etc - */ - stoperrset = 1; + if (!(opts & OPENSSL_INIT_BASE_ONLY)) CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL); - } return 0; } - if (!base_inited && !RUN_ONCE(&base, ossl_init_base)) + if (!RUN_ONCE(&base, ossl_init_base)) + return 0; + + if (!(opts & OPENSSL_INIT_BASE_ONLY) + && !RUN_ONCE(&load_crypto_nodelete, + ossl_init_load_crypto_nodelete)) return 0; if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) @@ -657,6 +699,12 @@ int OPENSSL_atexit(void (*handler)(void)) ERR_set_mark(); dso = DSO_dsobyaddr(handlersym.sym, DSO_FLAG_NO_UNLOAD_ON_FREE); +# ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, + "OPENSSL_INIT: OPENSSL_atexit: obtained DSO reference? %s\n", + (dso == NULL ? "No!" : "Yes.")); + /* See same code above in ossl_init_base() for an explanation. */ +# endif DSO_free(dso); ERR_pop_to_mark(); } diff --git a/crypto/external/bsd/openssl/dist/crypto/modes/asm/ghash-armv4.pl b/crypto/external/bsd/openssl/dist/crypto/modes/asm/ghash-armv4.pl index 7d880c94a7cf..1cf14a6c9f76 100644 --- a/crypto/external/bsd/openssl/dist/crypto/modes/asm/ghash-armv4.pl +++ b/crypto/external/bsd/openssl/dist/crypto/modes/asm/ghash-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -145,6 +145,8 @@ $code=<<___; .text #if defined(__thumb2__) || defined(__clang__) .syntax unified +#define ldrplb ldrbpl +#define ldrneb ldrbne #endif #if defined(__thumb2__) .thumb @@ -152,11 +154,6 @@ $code=<<___; .code 32 #endif -#ifdef __clang__ -#define ldrplb ldrbpl -#define ldrneb ldrbne -#endif - .type rem_4bit,%object .align 5 rem_4bit: diff --git a/crypto/external/bsd/openssl/dist/crypto/modes/asm/ghashv8-armx.pl b/crypto/external/bsd/openssl/dist/crypto/modes/asm/ghashv8-armx.pl index dcd5f595d21a..e13c70901920 100644 --- a/crypto/external/bsd/openssl/dist/crypto/modes/asm/ghashv8-armx.pl +++ b/crypto/external/bsd/openssl/dist/crypto/modes/asm/ghashv8-armx.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -64,6 +64,7 @@ my ($t0,$t1,$t2,$xC2,$H,$Hhl,$H2)=map("q$_",(8..14)); $code=<<___; #include "arm_arch.h" +#if __ARM_MAX_ARCH__>=7 .text ___ $code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/); @@ -351,6 +352,7 @@ ___ $code.=<<___; .asciz "GHASH for ARMv8, CRYPTOGAMS by " .align 2 +#endif ___ if ($flavour =~ /64/) { ######## 64-bit code diff --git a/crypto/external/bsd/openssl/dist/crypto/modes/modes_lcl.h b/crypto/external/bsd/openssl/dist/crypto/modes/modes_lcl.h index 7a1603bf9082..4fc32e190fb3 100644 --- a/crypto/external/bsd/openssl/dist/crypto/modes/modes_lcl.h +++ b/crypto/external/bsd/openssl/dist/crypto/modes/modes_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -174,12 +174,13 @@ struct ocb128_context { OCB_BLOCK l_dollar; OCB_BLOCK *l; /* Must be reset for each session */ - u64 blocks_hashed; - u64 blocks_processed; - OCB_BLOCK tag; - OCB_BLOCK offset_aad; - OCB_BLOCK sum; - OCB_BLOCK offset; - OCB_BLOCK checksum; + struct { + u64 blocks_hashed; + u64 blocks_processed; + OCB_BLOCK offset_aad; + OCB_BLOCK sum; + OCB_BLOCK offset; + OCB_BLOCK checksum; + } sess; }; #endif /* OPENSSL_NO_OCB */ diff --git a/crypto/external/bsd/openssl/dist/crypto/modes/ocb128.c b/crypto/external/bsd/openssl/dist/crypto/modes/ocb128.c index db794d085474..fc92b246bd51 100644 --- a/crypto/external/bsd/openssl/dist/crypto/modes/ocb128.c +++ b/crypto/external/bsd/openssl/dist/crypto/modes/ocb128.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -236,6 +236,9 @@ int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv, return -1; } + /* Reset nonce-dependent variables */ + memset(&ctx->sess, 0, sizeof(ctx->sess)); + /* Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N */ nonce[0] = ((taglen * 8) % 128) << 1; memset(nonce + 1, 0, 15); @@ -256,10 +259,10 @@ int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv, /* Offset_0 = Stretch[1+bottom..128+bottom] */ shift = bottom % 8; - ocb_block_lshift(stretch + (bottom / 8), shift, ctx->offset.c); + ocb_block_lshift(stretch + (bottom / 8), shift, ctx->sess.offset.c); mask = 0xff; mask <<= 8 - shift; - ctx->offset.c[15] |= + ctx->sess.offset.c[15] |= (*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift); return 1; @@ -278,25 +281,25 @@ int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad, /* Calculate the number of blocks of AAD provided now, and so far */ num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_hashed; + all_num_blocks = num_blocks + ctx->sess.blocks_hashed; /* Loop through all full blocks of AAD */ - for (i = ctx->blocks_hashed + 1; i <= all_num_blocks; i++) { + for (i = ctx->sess.blocks_hashed + 1; i <= all_num_blocks; i++) { OCB_BLOCK *lookup; /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ lookup = ocb_lookup_l(ctx, ocb_ntz(i)); if (lookup == NULL) return 0; - ocb_block16_xor(&ctx->offset_aad, lookup, &ctx->offset_aad); + ocb_block16_xor(&ctx->sess.offset_aad, lookup, &ctx->sess.offset_aad); memcpy(tmp.c, aad, 16); aad += 16; /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ - ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp); ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum); + ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum); } /* @@ -307,20 +310,21 @@ int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad, if (last_len > 0) { /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset_aad, &ctx->l_star, &ctx->offset_aad); + ocb_block16_xor(&ctx->sess.offset_aad, &ctx->l_star, + &ctx->sess.offset_aad); /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */ memset(tmp.c, 0, 16); memcpy(tmp.c, aad, last_len); tmp.c[last_len] = 0x80; - ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp); /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */ ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum); + ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum); } - ctx->blocks_hashed = all_num_blocks; + ctx->sess.blocks_hashed = all_num_blocks; return 1; } @@ -341,7 +345,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, * so far */ num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_processed; + all_num_blocks = num_blocks + ctx->sess.blocks_processed; if (num_blocks && all_num_blocks == (size_t)all_num_blocks && ctx->stream != NULL) { @@ -357,11 +361,11 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, return 0; ctx->stream(in, out, num_blocks, ctx->keyenc, - (size_t)ctx->blocks_processed + 1, ctx->offset.c, - (const unsigned char (*)[16])ctx->l, ctx->checksum.c); + (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c, + (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c); } else { /* Loop through all full blocks to be encrypted */ - for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) { + for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) { OCB_BLOCK *lookup; OCB_BLOCK tmp; @@ -369,18 +373,18 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, lookup = ocb_lookup_l(ctx, ocb_ntz(i)); if (lookup == NULL) return 0; - ocb_block16_xor(&ctx->offset, lookup, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset); memcpy(tmp.c, in, 16); in += 16; /* Checksum_i = Checksum_{i-1} xor P_i */ - ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum); /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); memcpy(out, tmp.c, 16); out += 16; @@ -397,10 +401,10 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, OCB_BLOCK pad; /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset); /* Pad = ENCIPHER(K, Offset_*) */ - ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc); + ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc); /* C_* = P_* xor Pad[1..bitlen(P_*)] */ ocb_block_xor(in, pad.c, last_len, out); @@ -409,10 +413,10 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, memset(pad.c, 0, 16); /* borrow pad */ memcpy(pad.c, in, last_len); pad.c[last_len] = 0x80; - ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum); } - ctx->blocks_processed = all_num_blocks; + ctx->sess.blocks_processed = all_num_blocks; return 1; } @@ -433,7 +437,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, * so far */ num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_processed; + all_num_blocks = num_blocks + ctx->sess.blocks_processed; if (num_blocks && all_num_blocks == (size_t)all_num_blocks && ctx->stream != NULL) { @@ -449,30 +453,30 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, return 0; ctx->stream(in, out, num_blocks, ctx->keydec, - (size_t)ctx->blocks_processed + 1, ctx->offset.c, - (const unsigned char (*)[16])ctx->l, ctx->checksum.c); + (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c, + (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c); } else { OCB_BLOCK tmp; /* Loop through all full blocks to be decrypted */ - for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) { + for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) { /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i)); if (lookup == NULL) return 0; - ocb_block16_xor(&ctx->offset, lookup, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset); memcpy(tmp.c, in, 16); in += 16; /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); ctx->decrypt(tmp.c, tmp.c, ctx->keydec); - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); /* Checksum_i = Checksum_{i-1} xor P_i */ - ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum); memcpy(out, tmp.c, 16); out += 16; @@ -489,10 +493,10 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, OCB_BLOCK pad; /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset); /* Pad = ENCIPHER(K, Offset_*) */ - ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc); + ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc); /* P_* = C_* xor Pad[1..bitlen(C_*)] */ ocb_block_xor(in, pad.c, last_len, out); @@ -501,39 +505,46 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, memset(pad.c, 0, 16); /* borrow pad */ memcpy(pad.c, out, last_len); pad.c[last_len] = 0x80; - ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum); } - ctx->blocks_processed = all_num_blocks; + ctx->sess.blocks_processed = all_num_blocks; return 1; } +static int ocb_finish(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len, + int write) +{ + OCB_BLOCK tmp; + + if (len > 16 || len < 1) { + return -1; + } + + /* + * Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A) + */ + ocb_block16_xor(&ctx->sess.checksum, &ctx->sess.offset, &tmp); + ocb_block16_xor(&ctx->l_dollar, &tmp, &tmp); + ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); + ocb_block16_xor(&tmp, &ctx->sess.sum, &tmp); + + if (write) { + memcpy(tag, &tmp, len); + return 1; + } else { + return CRYPTO_memcmp(&tmp, tag, len); + } +} + /* * Calculate the tag and verify it against the supplied tag */ int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag, size_t len) { - OCB_BLOCK tmp; - - /* - * Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A) - */ - ocb_block16_xor(&ctx->checksum, &ctx->offset, &tmp); - ocb_block16_xor(&ctx->l_dollar, &tmp, &tmp); - ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&tmp, &ctx->sum, &ctx->tag); - - if (len > 16 || len < 1) { - return -1; - } - - /* Compare the tag if we've been given one */ - if (tag) - return CRYPTO_memcmp(&ctx->tag, tag, len); - else - return -1; + return ocb_finish(ctx, (unsigned char*)tag, len, 0); } /* @@ -541,17 +552,7 @@ int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag, */ int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len) { - if (len > 16 || len < 1) { - return -1; - } - - /* Calculate the tag */ - CRYPTO_ocb128_finish(ctx, NULL, 0); - - /* Copy the tag into the supplied buffer */ - memcpy(tag, ctx->tag.c, len); - - return 1; + return ocb_finish(ctx, tag, len, 1); } /* diff --git a/crypto/external/bsd/openssl/dist/crypto/o_fopen.c b/crypto/external/bsd/openssl/dist/crypto/o_fopen.c index a3a006574d70..bfd5af1151d4 100644 --- a/crypto/external/bsd/openssl/dist/crypto/o_fopen.c +++ b/crypto/external/bsd/openssl/dist/crypto/o_fopen.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,6 +7,24 @@ * https://www.openssl.org/source/license.html */ +# if defined(__linux) || defined(__sun) || defined(__hpux) +/* + * Following definition aliases fopen to fopen64 on above mentioned + * platforms. This makes it possible to open and sequentially access files + * larger than 2GB from 32-bit application. It does not allow to traverse + * them beyond 2GB with fseek/ftell, but on the other hand *no* 32-bit + * platform permits that, not with fseek/ftell. Not to mention that breaking + * 2GB limit for seeking would require surgery to *our* API. But sequential + * access suffices for practical cases when you can run into large files, + * such as fingerprinting, so we can let API alone. For reference, the list + * of 32-bit platforms which allow for sequential access of large files + * without extra "magic" comprise *BSD, Darwin, IRIX... + */ +# ifndef _FILE_OFFSET_BITS +# define _FILE_OFFSET_BITS 64 +# endif +# endif + #include "internal/cryptlib.h" #if !defined(OPENSSL_NO_STDIO) diff --git a/crypto/external/bsd/openssl/dist/crypto/o_time.c b/crypto/external/bsd/openssl/dist/crypto/o_time.c index b2fb38a541a6..6d764f55e2e8 100644 --- a/crypto/external/bsd/openssl/dist/crypto/o_time.c +++ b/crypto/external/bsd/openssl/dist/crypto/o_time.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,6 +41,10 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result) if (gmtime_r(timer, result) == NULL) return NULL; ts = result; +#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400 + if (gmtime_s(result, timer)) + return NULL; + ts = result; #else ts = gmtime(timer); if (ts == NULL) diff --git a/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c b/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c index e9202f44ae1c..6f06c5291fbb 100644 --- a/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -28,23 +28,23 @@ static int load_iv(char **fromp, unsigned char *to, int num); static int check_pem(const char *nm, const char *name); int pem_check_suffix(const char *pem_str, const char *suffix); -int PEM_def_callback(char *buf, int num, int w, void *key) +int PEM_def_callback(char *buf, int num, int rwflag, void *userdata) { -#if defined(OPENSSL_NO_STDIO) || defined(OPENSSL_NO_UI) int i; -#else - int i, j; +#ifndef OPENSSL_NO_UI + int min_len; const char *prompt; #endif - if (key) { - i = strlen(key); + /* We assume that the user passes a default password as userdata */ + if (userdata) { + i = strlen(userdata); i = (i > num) ? num : i; - memcpy(buf, key, i); + memcpy(buf, userdata, i); return i; } -#if defined(OPENSSL_NO_STDIO) || defined(OPENSSL_NO_UI) +#ifdef OPENSSL_NO_UI PEMerr(PEM_F_PEM_DEF_CALLBACK, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return -1; #else @@ -52,28 +52,22 @@ int PEM_def_callback(char *buf, int num, int w, void *key) if (prompt == NULL) prompt = "Enter PEM pass phrase:"; - for (;;) { - /* - * We assume that w == 0 means decryption, - * while w == 1 means encryption - */ - int min_len = w ? MIN_LENGTH : 0; + /* + * rwflag == 0 means decryption + * rwflag == 1 means encryption + * + * We assume that for encryption, we want a minimum length, while for + * decryption, we cannot know any minimum length, so we assume zero. + */ + min_len = rwflag ? MIN_LENGTH : 0; - i = EVP_read_pw_string_min(buf, min_len, num, prompt, w); - if (i != 0) { - PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD); - memset(buf, 0, (unsigned int)num); - return -1; - } - j = strlen(buf); - if (min_len && j < min_len) { - fprintf(stderr, - "phrase is too short, needs to be at least %d chars\n", - min_len); - } else - break; + i = EVP_read_pw_string_min(buf, min_len, num, prompt, rwflag); + if (i != 0) { + PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD); + memset(buf, 0, (unsigned int)num); + return -1; } - return j; + return strlen(buf); #endif } @@ -414,7 +408,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, keylen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u); else keylen = callback(buf, PEM_BUFSIZE, 0, u); - if (keylen <= 0) { + if (keylen < 0) { PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_PASSWORD_READ); return 0; } @@ -472,6 +466,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher) char *dekinfostart, c; cipher->cipher = NULL; + memset(cipher->iv, 0, sizeof(cipher->iv)); if ((header == NULL) || (*header == '\0') || (*header == '\n')) return 1; diff --git a/crypto/external/bsd/openssl/dist/crypto/pem/pem_pk8.c b/crypto/external/bsd/openssl/dist/crypto/pem/pem_pk8.c index 5caad9faab87..a8363b39b9df 100644 --- a/crypto/external/bsd/openssl/dist/crypto/pem/pem_pk8.c +++ b/crypto/external/bsd/openssl/dist/crypto/pem/pem_pk8.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -124,7 +124,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, klen = cb(psbuf, PEM_BUFSIZE, 0, u); else klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); - if (klen <= 0) { + if (klen < 0) { PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ); X509_SIG_free(p8); return NULL; diff --git a/crypto/external/bsd/openssl/dist/crypto/pem/pem_pkey.c b/crypto/external/bsd/openssl/dist/crypto/pem/pem_pkey.c index 671b374f365e..7dadc1391cf4 100644 --- a/crypto/external/bsd/openssl/dist/crypto/pem/pem_pkey.c +++ b/crypto/external/bsd/openssl/dist/crypto/pem/pem_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -59,7 +59,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, klen = cb(psbuf, PEM_BUFSIZE, 0, u); else klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); - if (klen <= 0) { + if (klen < 0) { PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, PEM_R_BAD_PASSWORD_READ); X509_SIG_free(p8); goto err; diff --git a/crypto/external/bsd/openssl/dist/crypto/pem/pvkfmt.c b/crypto/external/bsd/openssl/dist/crypto/pem/pvkfmt.c index d0a423957cb3..63ce9259638a 100644 --- a/crypto/external/bsd/openssl/dist/crypto/pem/pvkfmt.c +++ b/crypto/external/bsd/openssl/dist/crypto/pem/pvkfmt.c @@ -685,7 +685,7 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, inlen = cb(psbuf, PEM_BUFSIZE, 0, u); else inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); - if (inlen <= 0) { + if (inlen < 0) { PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ); goto err; } diff --git a/crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_asn.c b/crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_asn.c index f2bfe32ebd6e..422dfc398fab 100644 --- a/crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_asn.c +++ b/crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_asn.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -51,7 +51,7 @@ ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ ASN1_ADB(PKCS12_SAFEBAG) = { ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)), ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)), - ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), + ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SEQUENCE_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)) diff --git a/crypto/external/bsd/openssl/dist/crypto/poly1305/asm/poly1305-armv4.pl b/crypto/external/bsd/openssl/dist/crypto/poly1305/asm/poly1305-armv4.pl index fc899ced8671..5cdb6be05914 100755 --- a/crypto/external/bsd/openssl/dist/crypto/poly1305/asm/poly1305-armv4.pl +++ b/crypto/external/bsd/openssl/dist/crypto/poly1305/asm/poly1305-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -186,6 +186,7 @@ $code.=<<___; .type poly1305_blocks,%function .align 5 poly1305_blocks: +.Lpoly1305_blocks: stmdb sp!,{r3-r11,lr} ands $len,$len,#-16 @@ -677,7 +678,7 @@ poly1305_blocks_neon: cmp $len,#64 bhs .Lenter_neon tst ip,ip @ is_base2_26? - beq poly1305_blocks + beq .Lpoly1305_blocks .Lenter_neon: stmdb sp!,{r4-r7} diff --git a/crypto/external/bsd/openssl/dist/crypto/poly1305/asm/poly1305-x86.pl b/crypto/external/bsd/openssl/dist/crypto/poly1305/asm/poly1305-x86.pl index ab24dfcfadda..93179e37d5e1 100755 --- a/crypto/external/bsd/openssl/dist/crypto/poly1305/asm/poly1305-x86.pl +++ b/crypto/external/bsd/openssl/dist/crypto/poly1305/asm/poly1305-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -70,7 +70,7 @@ if ($sse2) { $avx = ($1>=2.09) + ($1>=2.10); } - if (!$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/) { + if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } } diff --git a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c index 9af43e058631..79f77e3eafdf 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c +++ b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c @@ -89,6 +89,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, if (BN_copy(rsa->e, e_value) == NULL) goto err; + BN_set_flags(rsa->p, BN_FLG_CONSTTIME); + BN_set_flags(rsa->q, BN_FLG_CONSTTIME); BN_set_flags(r2, BN_FLG_CONSTTIME); /* generate p and q */ for (;;) { diff --git a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_meth.c b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_meth.c index 9480abd70090..83de5540d0af 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_meth.c +++ b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -75,7 +75,7 @@ int RSA_meth_set1_name(RSA_METHOD *meth, const char *name) return 1; } -int RSA_meth_get_flags(RSA_METHOD *meth) +int RSA_meth_get_flags(const RSA_METHOD *meth) { return meth->flags; } diff --git a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_oaep.c b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_oaep.c index 4878d495fe05..f3135198a350 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_oaep.c +++ b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_oaep.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -155,32 +155,40 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, dblen = num - mdlen - 1; db = OPENSSL_malloc(dblen); - em = OPENSSL_malloc(num); - if (db == NULL || em == NULL) { + if (db == NULL) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); goto cleanup; } - /* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ - memset(em, 0, num); - memcpy(em + num - flen, from, flen); + if (flen != num) { + em = OPENSSL_zalloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + ERR_R_MALLOC_FAILURE); + goto cleanup; + } + + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ + memcpy(em + num - flen, from, flen); + from = em; + } /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ - good = constant_time_is_zero(em[0]); + good = constant_time_is_zero(from[0]); - maskedseed = em + 1; - maskeddb = em + 1 + mdlen; + maskedseed = from + 1; + maskeddb = from + 1 + mdlen; if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) goto cleanup; diff --git a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ossl.c b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ossl.c index 62a88959fae4..36c4e42a0f12 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ossl.c +++ b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -62,7 +62,7 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { BIGNUM *f, *ret; - int i, j, k, num = 0, r = -1; + int i, num = 0, r = -1; unsigned char *buf = NULL; BN_CTX *ctx = NULL; @@ -136,15 +136,10 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, goto err; /* - * put in leading 0 bytes if the number is less than the length of the - * modulus + * BN_bn2binpad puts in leading 0 bytes if the number is less than + * the length of the modulus. */ - j = BN_num_bytes(ret); - i = BN_bn2bin(ret, &(to[num - j])); - for (k = 0; k < (num - i); k++) - to[k] = 0; - - r = num; + r = BN_bn2binpad(ret, to, num); err: if (ctx != NULL) BN_CTX_end(ctx); @@ -233,7 +228,7 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { BIGNUM *f, *ret, *res; - int i, j, k, num = 0, r = -1; + int i, num = 0, r = -1; unsigned char *buf = NULL; BN_CTX *ctx = NULL; int local_blinding = 0; @@ -337,7 +332,8 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, goto err; if (padding == RSA_X931_PADDING) { - BN_sub(f, rsa->n, ret); + if (!BN_sub(f, rsa->n, ret)) + goto err; if (BN_cmp(ret, f) > 0) res = f; else @@ -346,15 +342,10 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, res = ret; /* - * put in leading 0 bytes if the number is less than the length of the - * modulus + * BN_bn2binpad puts in leading 0 bytes if the number is less than + * the length of the modulus. */ - j = BN_num_bytes(res); - i = BN_bn2bin(res, &(to[num - j])); - for (k = 0; k < (num - i); k++) - to[k] = 0; - - r = num; + r = BN_bn2binpad(res, to, num); err: if (ctx != NULL) BN_CTX_end(ctx); @@ -368,7 +359,6 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, { BIGNUM *f, *ret; int j, num = 0, r = -1; - unsigned char *p; unsigned char *buf = NULL; BN_CTX *ctx = NULL; int local_blinding = 0; @@ -463,8 +453,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) goto err; - p = buf; - j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ + j = BN_bn2binpad(ret, buf, num); switch (padding) { case RSA_PKCS1_PADDING: @@ -477,7 +466,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, r = RSA_padding_check_SSLv23(to, num, buf, j, num); break; case RSA_NO_PADDING: - r = RSA_padding_check_none(to, num, buf, j, num); + memcpy(to, buf, (r = j)); break; default: RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); @@ -500,7 +489,6 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, { BIGNUM *f, *ret; int i, num = 0, r = -1; - unsigned char *p; unsigned char *buf = NULL; BN_CTX *ctx = NULL; @@ -565,8 +553,7 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, if (!BN_sub(ret, rsa->n, ret)) goto err; - p = buf; - i = BN_bn2bin(ret, p); + i = BN_bn2binpad(ret, buf, num); switch (padding) { case RSA_PKCS1_PADDING: @@ -576,7 +563,7 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, r = RSA_padding_check_X931(to, num, buf, i, num); break; case RSA_NO_PADDING: - r = RSA_padding_check_none(to, num, buf, i, num); + memcpy(to, buf, (r = i)); break; default: RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); diff --git a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_pk1.c b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_pk1.c index aeeb32c2dc0b..63d6c3a3b8dd 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_pk1.c +++ b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_pk1.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -175,27 +175,30 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, if (num < 11) goto err; - em = OPENSSL_zalloc(num); - if (em == NULL) { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); - return -1; + if (flen != num) { + em = OPENSSL_zalloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); + return -1; + } + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ + memcpy(em + num - flen, from, flen); + from = em; } - /* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ - memcpy(em + num - flen, from, flen); - good = constant_time_is_zero(em[0]); - good &= constant_time_eq(em[1], 2); + good = constant_time_is_zero(from[0]); + good &= constant_time_eq(from[1], 2); found_zero_byte = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(em[i]); + unsigned int equals0 = constant_time_is_zero(from[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); @@ -203,7 +206,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, } /* - * PS must be at least 8 bytes long, and it starts two bytes into |em|. + * PS must be at least 8 bytes long, and it starts two bytes into |from|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -232,7 +235,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, goto err; } - memcpy(to, em + msg_index, mlen); + memcpy(to, from + msg_index, mlen); err: OPENSSL_clear_free(em, num); diff --git a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ssl.c b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ssl.c index 9ef6b80ea8ff..77b28b46f2b4 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ssl.c +++ b/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ssl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -63,6 +63,14 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); return (-1); } + /* Accept even zero-padded input */ + if (flen == num) { + if (*(p++) != 0) { + RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); + return -1; + } + flen--; + } if ((num != (flen + 1)) || (*(p++) != 02)) { RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); return (-1); diff --git a/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha1-586.pl b/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha1-586.pl index 5adca23404fd..cf34b2c2936c 100644 --- a/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha1-586.pl +++ b/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha1-586.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -141,7 +141,7 @@ $ymm=1 if ($xmm && !$ymm && $ARGV[0] eq "win32" && `ml 2>&1` =~ /Version ([0-9]+)\./ && $1>=10); # first version supporting AVX -$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/ && +$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/ && $2>=3.0); # first version supporting AVX $shaext=$xmm; ### set to zero if compiling for 1.0.1 diff --git a/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha256-586.pl b/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha256-586.pl index 6af1d84beb2b..72ee0c7b83db 100644 --- a/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha256-586.pl +++ b/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha256-586.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -93,7 +93,7 @@ if ($xmm && !$avx && $ARGV[0] eq "win32" && $avx = ($1>=10) + ($1>=11); } -if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/) { +if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha256-armv4.pl b/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha256-armv4.pl index 55d30cba3a21..edcfc31278e3 100644 --- a/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha256-armv4.pl +++ b/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha256-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -254,7 +254,7 @@ for($i=0;$i<16;$i++) { &BODY_00_15($i,@V); unshift(@V,pop(@V)); } $code.=".Lrounds_16_xx:\n"; for (;$i<32;$i++) { &BODY_16_XX($i,@V); unshift(@V,pop(@V)); } $code.=<<___; -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ ite eq @ Thumb2 thing, sanity check in ARM #endif ldreq $t3,[sp,#16*4] @ pull ctx diff --git a/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha512-armv4.pl b/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha512-armv4.pl index 22b5a9d0b132..0b4c5674d9df 100644 --- a/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha512-armv4.pl +++ b/crypto/external/bsd/openssl/dist/crypto/sha/asm/sha512-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -157,7 +157,7 @@ $code.=<<___; teq $t0,#$magic ldr $t3,[sp,#$Coff+0] @ c.lo -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ it eq @ Thumb2 thing, sanity check in ARM #endif orreq $Ktbl,$Ktbl,#1 @@ -411,7 +411,7 @@ $code.=<<___; ___ &BODY_00_15(0x17); $code.=<<___; -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ ittt eq @ Thumb2 thing, sanity check in ARM #endif ldreq $t0,[sp,#`$Xoff+8*(16-1)`+0] diff --git a/crypto/external/bsd/openssl/dist/crypto/threads_win.c b/crypto/external/bsd/openssl/dist/crypto/threads_win.c index 4e0de908ee26..27334e13f3a2 100644 --- a/crypto/external/bsd/openssl/dist/crypto/threads_win.c +++ b/crypto/external/bsd/openssl/dist/crypto/threads_win.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -98,7 +98,26 @@ int CRYPTO_THREAD_init_local(CRYPTO_THREAD_LOCAL *key, void (*cleanup)(void *)) void *CRYPTO_THREAD_get_local(CRYPTO_THREAD_LOCAL *key) { - return TlsGetValue(*key); + DWORD last_error; + void *ret; + + /* + * TlsGetValue clears the last error even on success, so that callers may + * distinguish it successfully returning NULL or failing. It is documented + * to never fail if the argument is a valid index from TlsAlloc, so we do + * not need to handle this. + * + * However, this error-mangling behavior interferes with the caller's use of + * GetLastError. In particular SSL_get_error queries the error queue to + * determine whether the caller should look at the OS's errors. To avoid + * destroying state, save and restore the Windows error. + * + * https://msdn.microsoft.com/en-us/library/windows/desktop/ms686812(v=vs.85).aspx + */ + last_error = GetLastError(); + ret = TlsGetValue(*key); + SetLastError(last_error); + return ret; } int CRYPTO_THREAD_set_local(CRYPTO_THREAD_LOCAL *key, void *val) diff --git a/crypto/external/bsd/openssl/dist/crypto/ts/ts_lib.c b/crypto/external/bsd/openssl/dist/crypto/ts/ts_lib.c index de36e0e08420..ce2e12c593e0 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ts/ts_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/ts/ts_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -22,10 +22,9 @@ int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num) int result = 0; char *hex; - num_bn = BN_new(); + num_bn = ASN1_INTEGER_to_BN(num, NULL); if (num_bn == NULL) return -1; - ASN1_INTEGER_to_BN(num, num_bn); if ((hex = BN_bn2hex(num_bn))) { result = BIO_write(bio, "0x", 2) > 0; result = result && BIO_write(bio, hex, strlen(hex)) > 0; diff --git a/crypto/external/bsd/openssl/dist/crypto/ts/ts_rsp_sign.c b/crypto/external/bsd/openssl/dist/crypto/ts/ts_rsp_sign.c index aea7b922a34d..0d714a71b7a8 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ts/ts_rsp_sign.c +++ b/crypto/external/bsd/openssl/dist/crypto/ts/ts_rsp_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,7 @@ #include #include #include +#include #include "ts_lcl.h" static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *); @@ -840,7 +841,7 @@ static ASN1_GENERALIZEDTIME long sec, long usec, unsigned precision) { time_t time_sec = (time_t)sec; - struct tm *tm = NULL; + struct tm *tm = NULL, tm_result; char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS]; char *p = genTime_str; char *p_end = genTime_str + sizeof(genTime_str); @@ -848,7 +849,7 @@ static ASN1_GENERALIZEDTIME if (precision > TS_MAX_CLOCK_PRECISION_DIGITS) goto err; - if ((tm = gmtime(&time_sec)) == NULL) + if ((tm = OPENSSL_gmtime(&time_sec, &tm_result)) == NULL) goto err; /* diff --git a/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c b/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c index 8fa8deca66ad..bfe93a57f1cd 100644 --- a/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c +++ b/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -524,17 +524,13 @@ static int echo_console(UI *ui) { #if defined(TTY_set) && !defined(OPENSSL_SYS_VMS) memcpy(&(tty_new), &(tty_orig), sizeof(tty_orig)); - tty_new.TTY_FLAGS |= ECHO; -#endif - -#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS) if (is_a_tty && (TTY_set(fileno(tty_in), &tty_new) == -1)) return 0; #endif #ifdef OPENSSL_SYS_VMS if (is_a_tty) { tty_new[0] = tty_orig[0]; - tty_new[1] = tty_orig[1] & ~TT$M_NOECHO; + tty_new[1] = tty_orig[1]; tty_new[2] = tty_orig[2]; status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12, 0, 0, 0, 0); @@ -555,7 +551,6 @@ static int echo_console(UI *ui) #if defined(_WIN32) && !defined(_WIN32_WCE) if (is_a_tty) { tty_new = tty_orig; - tty_new |= ENABLE_ECHO_INPUT; SetConsoleMode(GetStdHandle(STD_INPUT_HANDLE), tty_new); } #endif diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/build.info b/crypto/external/bsd/openssl/dist/crypto/x509/build.info index 7fc4b45048b5..afd0b6134e52 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/build.info +++ b/crypto/external/bsd/openssl/dist/crypto/x509/build.info @@ -4,7 +4,7 @@ SOURCE[../../libcrypto]=\ x509_obj.c x509_req.c x509spki.c x509_vfy.c \ x509_set.c x509cset.c x509rset.c x509_err.c \ x509name.c x509_v3.c x509_ext.c x509_att.c \ - x509type.c x509_lu.c x_all.c x509_txt.c \ + x509type.c x509_meth.c x509_lu.c x_all.c x509_txt.c \ x509_trs.c by_file.c by_dir.c x509_vpm.c \ x_crl.c t_crl.c x_req.c t_req.c x_x509.c t_x509.c \ x_pubkey.c x_x509a.c x_attrib.c x_exten.c x_name.c diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c b/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c index 21672a7ef551..a69045572927 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -111,7 +111,7 @@ static int new_dir(X509_LOOKUP *lu) OPENSSL_free(a); return 0; } - lu->method_data = (char *)a; + lu->method_data = a; return 1; } diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c b/crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c index 01056356c583..49b0368dfca4 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -174,7 +174,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) ret = a->canon_enclen - b->canon_enclen; - if (ret) + if (ret != 0 || a->canon_enclen == 0) return ret; return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509_err.c b/crypto/external/bsd/openssl/dist/crypto/x509/x509_err.c index 3f4b8ef0bc7a..9f91188a7659 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_err.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -51,6 +51,7 @@ static ERR_STRING_DATA X509_str_functs[] = { {ERR_FUNC(X509_F_X509_LOAD_CERT_CRL_FILE), "X509_load_cert_crl_file"}, {ERR_FUNC(X509_F_X509_LOAD_CERT_FILE), "X509_load_cert_file"}, {ERR_FUNC(X509_F_X509_LOAD_CRL_FILE), "X509_load_crl_file"}, + {ERR_FUNC(X509_F_X509_LOOKUP_METH_NEW), "X509_LOOKUP_meth_new"}, {ERR_FUNC(X509_F_X509_NAME_ADD_ENTRY), "X509_NAME_add_entry"}, {ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_NID), "X509_NAME_ENTRY_create_by_NID"}, diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509_lcl.h b/crypto/external/bsd/openssl/dist/crypto/x509/x509_lcl.h index 40bd102f7028..8a47da4fef0d 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_lcl.h +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -67,7 +67,7 @@ struct x509_crl_method_st { }; struct x509_lookup_method_st { - const char *name; + char *name; int (*new_item) (X509_LOOKUP *ctx); void (*free) (X509_LOOKUP *ctx); int (*init) (X509_LOOKUP *ctx); @@ -91,7 +91,7 @@ struct x509_lookup_st { int init; /* have we been started */ int skip; /* don't use us. */ X509_LOOKUP_METHOD *method; /* the functions */ - char *method_data; /* method data */ + void *method_data; /* method data */ X509_STORE *store_ctx; /* who owns us */ }; diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509_lu.c b/crypto/external/bsd/openssl/dist/crypto/x509/x509_lu.c index 90f23520f49a..e5bea5b2764e 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_lu.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_lu.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -117,6 +117,23 @@ int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, return ctx->method->get_by_alias(ctx, type, str, len, ret); } +int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data) +{ + ctx->method_data = data; + return 1; +} + +void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx) +{ + return ctx->method_data; +} + +X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx) +{ + return ctx->store_ctx; +} + + static int x509_object_cmp(const X509_OBJECT *const *a, const X509_OBJECT *const *b) { @@ -265,6 +282,9 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, X509_OBJECT stmp, *tmp; int i, j; + if (ctx == NULL) + return 0; + CRYPTO_THREAD_write_lock(ctx->lock); tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); CRYPTO_THREAD_unlock(ctx->lock); @@ -290,26 +310,30 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, return 1; } -int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) +static int x509_store_add(X509_STORE *ctx, void *x, int crl) { X509_OBJECT *obj; - int ret = 1, added = 1; + int ret = 0, added = 0; if (x == NULL) return 0; obj = X509_OBJECT_new(); if (obj == NULL) return 0; - obj->type = X509_LU_X509; - obj->data.x509 = x; + + if (crl) { + obj->type = X509_LU_CRL; + obj->data.crl = (X509_CRL *)x; + } else { + obj->type = X509_LU_X509; + obj->data.x509 = (X509 *)x; + } X509_OBJECT_up_ref_count(obj); CRYPTO_THREAD_write_lock(ctx->lock); if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { - X509err(X509_F_X509_STORE_ADD_CERT, - X509_R_CERT_ALREADY_IN_HASH_TABLE); - ret = 0; + ret = 1; } else { added = sk_X509_OBJECT_push(ctx->objs, obj); ret = added != 0; @@ -317,46 +341,28 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) CRYPTO_THREAD_unlock(ctx->lock); - if (!ret) /* obj not pushed */ + if (added == 0) /* obj not pushed */ X509_OBJECT_free(obj); - if (!added) /* on push failure */ - X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); return ret; } +int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) +{ + if (!x509_store_add(ctx, x, 0)) { + X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); + return 0; + } + return 1; +} + int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) { - X509_OBJECT *obj; - int ret = 1, added = 1; - - if (x == NULL) - return 0; - obj = X509_OBJECT_new(); - if (obj == NULL) - return 0; - obj->type = X509_LU_CRL; - obj->data.crl = x; - X509_OBJECT_up_ref_count(obj); - - CRYPTO_THREAD_write_lock(ctx->lock); - - if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { - X509err(X509_F_X509_STORE_ADD_CRL, X509_R_CERT_ALREADY_IN_HASH_TABLE); - ret = 0; - } else { - added = sk_X509_OBJECT_push(ctx->objs, obj); - ret = added != 0; - } - - CRYPTO_THREAD_unlock(ctx->lock); - - if (!ret) /* obj not pushed */ - X509_OBJECT_free(obj); - if (!added) /* on push failure */ + if (!x509_store_add(ctx, x, 1)) { X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE); - - return ret; + return 0; + } + return 1; } int X509_OBJECT_up_ref_count(X509_OBJECT *a) @@ -403,8 +409,7 @@ X509_OBJECT *X509_OBJECT_new() return ret; } - -void X509_OBJECT_free(X509_OBJECT *a) +static void x509_object_free_internal(X509_OBJECT *a) { if (a == NULL) return; @@ -418,6 +423,33 @@ void X509_OBJECT_free(X509_OBJECT *a) X509_CRL_free(a->data.crl); break; } +} + +int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj) +{ + if (a == NULL || !X509_up_ref(obj)) + return 0; + + x509_object_free_internal(a); + a->type = X509_LU_X509; + a->data.x509 = obj; + return 1; +} + +int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj) +{ + if (a == NULL || !X509_CRL_up_ref(obj)) + return 0; + + x509_object_free_internal(a); + a->type = X509_LU_CRL; + a->data.crl = obj; + return 1; +} + +void X509_OBJECT_free(X509_OBJECT *a) +{ + x509_object_free_internal(a); OPENSSL_free(a); } @@ -489,6 +521,9 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) X509 *x; X509_OBJECT *obj; + if (ctx->ctx == NULL) + return NULL; + CRYPTO_THREAD_write_lock(ctx->ctx->lock); idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { @@ -538,8 +573,10 @@ STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) X509_OBJECT *obj, *xobj = X509_OBJECT_new(); /* Always do lookup to possibly add new CRLs to cache */ - if (sk == NULL || xobj == NULL || - !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) { + if (sk == NULL + || xobj == NULL + || ctx->ctx == NULL + || !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) { X509_OBJECT_free(xobj); sk_X509_CRL_free(sk); return NULL; @@ -633,6 +670,9 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) } X509_OBJECT_free(obj); + if (ctx->ctx == NULL) + return 0; + /* Else find index of first cert accepted by 'check_issued' */ ret = 0; CRYPTO_THREAD_write_lock(ctx->ctx->lock); diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509_meth.c b/crypto/external/bsd/openssl/dist/crypto/x509/x509_meth.c new file mode 100644 index 000000000000..05ed4bf86372 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_meth.c @@ -0,0 +1,166 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include + +#include "internal/cryptlib.h" +#include +#include +#include +#include "x509_lcl.h" + +X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name) +{ + X509_LOOKUP_METHOD *method = OPENSSL_zalloc(sizeof(X509_LOOKUP_METHOD)); + + if (method != NULL) { + method->name = OPENSSL_strdup(name); + if (method->name == NULL) { + X509err(X509_F_X509_LOOKUP_METH_NEW, ERR_R_MALLOC_FAILURE); + goto err; + } + } + + return method; + +err: + OPENSSL_free(method); + return NULL; +} + +void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method) +{ + if (method != NULL) + OPENSSL_free(method->name); + OPENSSL_free(method); +} + +int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method, + int (*new_item) (X509_LOOKUP *ctx)) +{ + method->new_item = new_item; + return 1; +} + +int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx) +{ + return method->new_item; +} + +int X509_LOOKUP_meth_set_free( + X509_LOOKUP_METHOD *method, + void (*free) (X509_LOOKUP *ctx)) +{ + method->free = free; + return 1; +} + +void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx) +{ + return method->free; +} + +int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method, + int (*init) (X509_LOOKUP *ctx)) +{ + method->init = init; + return 1; +} + +int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx) +{ + return method->init; +} + +int X509_LOOKUP_meth_set_shutdown( + X509_LOOKUP_METHOD *method, + int (*shutdown) (X509_LOOKUP *ctx)) +{ + method->shutdown = shutdown; + return 1; +} + +int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx) +{ + return method->shutdown; +} + +int X509_LOOKUP_meth_set_ctrl( + X509_LOOKUP_METHOD *method, + X509_LOOKUP_ctrl_fn ctrl) +{ + method->ctrl = ctrl; + return 1; +} + +X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method) +{ + return method->ctrl; +} + +int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_subject_fn get_by_subject) +{ + method->get_by_subject = get_by_subject; + return 1; +} + +X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject( + const X509_LOOKUP_METHOD *method) +{ + return method->get_by_subject; +} + + +int X509_LOOKUP_meth_set_get_by_issuer_serial(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_issuer_serial_fn get_by_issuer_serial) +{ + method->get_by_issuer_serial = get_by_issuer_serial; + return 1; +} + +X509_LOOKUP_get_by_issuer_serial_fn + X509_LOOKUP_meth_get_get_by_issuer_serial(const X509_LOOKUP_METHOD *method) +{ + return method->get_by_issuer_serial; +} + + +int X509_LOOKUP_meth_set_get_by_fingerprint(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_fingerprint_fn get_by_fingerprint) +{ + method->get_by_fingerprint = get_by_fingerprint; + return 1; +} + +X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint( + const X509_LOOKUP_METHOD *method) +{ + return method->get_by_fingerprint; +} + +int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_alias_fn get_by_alias) +{ + method->get_by_alias = get_by_alias; + return 1; +} + +X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias( + const X509_LOOKUP_METHOD *method) +{ + return method->get_by_alias; +} + diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c b/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c index 3018c69ae48a..f86871f6d2b9 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include #include #include #include @@ -557,6 +558,27 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) return 1; } +static int has_san_id(X509 *x, int gtype) +{ + int i; + int ret = 0; + GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); + + if (gs == NULL) + return 0; + + for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) { + GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i); + + if (g->type == gtype) { + ret = 1; + break; + } + } + GENERAL_NAMES_free(gs); + return ret; +} + static int check_name_constraints(X509_STORE_CTX *ctx) { int i; @@ -655,7 +677,12 @@ static int check_name_constraints(X509_STORE_CTX *ctx) int rv = NAME_CONSTRAINTS_check(x, nc); /* If EE certificate check commonName too */ - if (rv == X509_V_OK && i == 0) + if (rv == X509_V_OK && i == 0 + && (ctx->param->hostflags + & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT) == 0 + && ((ctx->param->hostflags + & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT) != 0 + || !has_san_id(x, GEN_DNS))) rv = NAME_CONSTRAINTS_check_CN(x, nc); switch (rv) { @@ -1756,119 +1783,67 @@ int X509_cmp_current_time(const ASN1_TIME *ctm) int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) { - char *str; - ASN1_TIME atm; - long offset; - char buff1[24], buff2[24], *p; - int i, j, remaining; + static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1; + static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1; + ASN1_TIME *asn1_cmp_time = NULL; + int i, day, sec, ret = 0; - p = buff1; - remaining = ctm->length; - str = (char *)ctm->data; /* - * Note that the following (historical) code allows much more slack in the - * time format than RFC5280. In RFC5280, the representation is fixed: + * Note that ASN.1 allows much more slack in the time format than RFC5280. + * In RFC5280, the representation is fixed: * UTCTime: YYMMDDHHMMSSZ * GeneralizedTime: YYYYMMDDHHMMSSZ + * + * We do NOT currently enforce the following RFC 5280 requirement: + * "CAs conforming to this profile MUST always encode certificate + * validity dates through the year 2049 as UTCTime; certificate validity + * dates in 2050 or later MUST be encoded as GeneralizedTime." */ - if (ctm->type == V_ASN1_UTCTIME) { - /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */ - int min_length = sizeof("YYMMDDHHMMZ") - 1; - int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1; - if (remaining < min_length || remaining > max_length) + switch (ctm->type) { + case V_ASN1_UTCTIME: + if (ctm->length != (int)(utctime_length)) return 0; - memcpy(p, str, 10); - p += 10; - str += 10; - remaining -= 10; - } else { - /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */ - int min_length = sizeof("YYYYMMDDHHMMZ") - 1; - int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1; - if (remaining < min_length || remaining > max_length) + break; + case V_ASN1_GENERALIZEDTIME: + if (ctm->length != (int)(generalizedtime_length)) return 0; - memcpy(p, str, 12); - p += 12; - str += 12; - remaining -= 12; - } - - if ((*str == 'Z') || (*str == '-') || (*str == '+')) { - *(p++) = '0'; - *(p++) = '0'; - } else { - /* SS (seconds) */ - if (remaining < 2) - return 0; - *(p++) = *(str++); - *(p++) = *(str++); - remaining -= 2; - /* - * Skip any (up to three) fractional seconds... - * TODO(emilia): in RFC5280, fractional seconds are forbidden. - * Can we just kill them altogether? - */ - if (remaining && *str == '.') { - str++; - remaining--; - for (i = 0; i < 3 && remaining; i++, str++, remaining--) { - if (*str < '0' || *str > '9') - break; - } - } - - } - *(p++) = 'Z'; - *(p++) = '\0'; - - /* We now need either a terminating 'Z' or an offset. */ - if (!remaining) + break; + default: return 0; - if (*str == 'Z') { - if (remaining != 1) - return 0; - offset = 0; - } else { - /* (+-)HHMM */ - if ((*str != '+') && (*str != '-')) - return 0; - /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */ - if (remaining != 5) - return 0; - if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' || - str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9') - return 0; - offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; - offset += (str[3] - '0') * 10 + (str[4] - '0'); - if (*str == '-') - offset = -offset; } - atm.type = ctm->type; - atm.flags = 0; - atm.length = sizeof(buff2); - atm.data = (unsigned char *)buff2; - if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL) + /** + * Verify the format: the ASN.1 functions we use below allow a more + * flexible format than what's mandated by RFC 5280. + * Digit and date ranges will be verified in the conversion methods. + */ + for (i = 0; i < ctm->length - 1; i++) { + if (!isdigit(ctm->data[i])) + return 0; + } + if (ctm->data[ctm->length - 1] != 'Z') return 0; - if (ctm->type == V_ASN1_UTCTIME) { - i = (buff1[0] - '0') * 10 + (buff1[1] - '0'); - if (i < 50) - i += 100; /* cf. RFC 2459 */ - j = (buff2[0] - '0') * 10 + (buff2[1] - '0'); - if (j < 50) - j += 100; + /* + * There is ASN1_UTCTIME_cmp_time_t but no + * ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t, + * so we go through ASN.1 + */ + asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time); + if (asn1_cmp_time == NULL) + goto err; + if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time)) + goto err; - if (i < j) - return -1; - if (i > j) - return 1; - } - i = strcmp(buff1, buff2); - if (i == 0) /* wait a second then return younger :-) */ - return -1; - else - return i; + /* + * X509_cmp_time comparison is <=. + * The return value 0 is reserved for errors. + */ + ret = (day >= 0 && sec >= 0) ? -1 : 1; + + err: + ASN1_TIME_free(asn1_cmp_time); + return ret; } ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) @@ -3264,6 +3239,10 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) if (level > NUM_AUTH_LEVELS) level = NUM_AUTH_LEVELS; + /* We are not able to look up the CA MD for RSA PSS in this version */ + if (nid == NID_rsassaPss) + return 1; + /* Lookup signature algorithm digest */ if (nid && OBJ_find_sigid_algs(nid, &mdnid, NULL)) { const EVP_MD *md; diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509_vpm.c b/crypto/external/bsd/openssl/dist/crypto/x509/x509_vpm.c index b5067220adbe..9bc4c6110130 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_vpm.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_vpm.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -412,6 +412,11 @@ void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, param->hostflags = flags; } +unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param) +{ + return param->hostflags; +} + char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param) { return param->peername; diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x509name.c b/crypto/external/bsd/openssl/dist/crypto/x509/x509name.c index f87dc7db993a..81dce376f856 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x509name.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509name.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -191,7 +191,7 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, loc = n; else if (loc < 0) loc = n; - + inc = (set == 0); name->modified = 1; if (set == -1) { @@ -200,7 +200,6 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, inc = 1; } else { set = sk_X509_NAME_ENTRY_value(sk, loc - 1)->set; - inc = 0; } } else { /* if (set >= 0) */ @@ -211,12 +210,11 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, set = 0; } else set = sk_X509_NAME_ENTRY_value(sk, loc)->set; - inc = (set == 0) ? 1 : 0; } /* * X509_NAME_ENTRY_dup is ASN1 generated code, that can't be easily - * const'ified; harmless cast as dup() don't modify its input. + * const'ified; harmless cast since dup() don't modify its input. */ if ((new_name = X509_NAME_ENTRY_dup((X509_NAME_ENTRY *)ne)) == NULL) goto err; @@ -228,7 +226,7 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, if (inc) { n = sk_X509_NAME_ENTRY_num(sk); for (i = loc + 1; i < n; i++) - sk_X509_NAME_ENTRY_value(sk, i - 1)->set += 1; + sk_X509_NAME_ENTRY_value(sk, i)->set += 1; } return (1); err: diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/x_name.c b/crypto/external/bsd/openssl/dist/crypto/x509/x_name.c index 0af5df5cfc4f..1a33dc1daa7c 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/x_name.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/x_name.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -472,6 +472,8 @@ static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname, int X509_NAME_set(X509_NAME **xn, X509_NAME *name) { + if (*xn == name) + return *xn != NULL; if ((name = X509_NAME_dup(name)) == NULL) return 0; X509_NAME_free(*xn); diff --git a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_ncons.c b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_ncons.c index 2eec405a36b5..bd7301e45589 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_ncons.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_ncons.c @@ -1,5 +1,5 @@ /* - * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2003-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -297,47 +297,140 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) } +static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen) +{ + int utf8_length; + unsigned char *utf8_value; + int i; + int isdnsname = 0; + + /* Don't leave outputs uninitialized */ + *dnsid = NULL; + *idlen = 0; + + /*- + * Per RFC 6125, DNS-IDs representing internationalized domain names appear + * in certificates in A-label encoded form: + * + * https://tools.ietf.org/html/rfc6125#section-6.4.2 + * + * The same applies to CNs which are intended to represent DNS names. + * However, while in the SAN DNS-IDs are IA5Strings, as CNs they may be + * needlessly encoded in 16-bit Unicode. We perform a conversion to UTF-8 + * to ensure that we get an ASCII representation of any CNs that are + * representable as ASCII, but just not encoded as ASCII. The UTF-8 form + * may contain some non-ASCII octets, and that's fine, such CNs are not + * valid legacy DNS names. + * + * Note, 'int' is the return type of ASN1_STRING_to_UTF8() so that's what + * we must use for 'utf8_length'. + */ + if ((utf8_length = ASN1_STRING_to_UTF8(&utf8_value, cn)) < 0) + return X509_V_ERR_OUT_OF_MEM; + + /* + * Some certificates have had names that include a *trailing* NUL byte. + * Remove these harmless NUL characters. They would otherwise yield false + * alarms with the following embedded NUL check. + */ + while (utf8_length > 0 && utf8_value[utf8_length - 1] == '\0') + --utf8_length; + + /* Reject *embedded* NULs */ + if ((size_t)utf8_length != strlen((char *)utf8_value)) { + OPENSSL_free(utf8_value); + return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + } + + /* + * XXX: Deviation from strict DNS name syntax, also check names with '_' + * Check DNS name syntax, any '-' or '.' must be internal, + * and on either side of each '.' we can't have a '-' or '.'. + * + * If the name has just one label, we don't consider it a DNS name. This + * means that "CN=sometld" cannot be precluded by DNS name constraints, but + * that is not a problem. + */ + for (i = 0; i < utf8_length; ++i) { + unsigned char c = utf8_value[i]; + + if ((c >= 'a' && c <= 'z') + || (c >= 'A' && c <= 'Z') + || (c >= '0' && c <= '9') + || c == '_') + continue; + + /* Dot and hyphen cannot be first or last. */ + if (i > 0 && i < utf8_length - 1) { + if (c == '-') + continue; + /* + * Next to a dot the preceding and following characters must not be + * another dot or a hyphen. Otherwise, record that the name is + * plausible, since it has two or more labels. + */ + if (c == '.' + && utf8_value[i + 1] != '.' + && utf8_value[i - 1] != '-' + && utf8_value[i + 1] != '-') { + isdnsname = 1; + continue; + } + } + isdnsname = 0; + break; + } + + if (isdnsname) { + *dnsid = utf8_value; + *idlen = (size_t)utf8_length; + return X509_V_OK; + } + OPENSSL_free(utf8_value); + return X509_V_OK; +} + +/* + * Check CN against DNS-ID name constraints. + */ int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc) { int r, i; - X509_NAME *nm; - + X509_NAME *nm = X509_get_subject_name(x); ASN1_STRING stmp; GENERAL_NAME gntmp; + stmp.flags = 0; stmp.type = V_ASN1_IA5STRING; gntmp.type = GEN_DNS; gntmp.d.dNSName = &stmp; - nm = X509_get_subject_name(x); - /* Process any commonName attributes in subject name */ for (i = -1;;) { X509_NAME_ENTRY *ne; - ASN1_STRING *hn; + ASN1_STRING *cn; + unsigned char *idval; + size_t idlen; + i = X509_NAME_get_index_by_NID(nm, NID_commonName, i); if (i == -1) break; ne = X509_NAME_get_entry(nm, i); - hn = X509_NAME_ENTRY_get_data(ne); + cn = X509_NAME_ENTRY_get_data(ne); + /* Only process attributes that look like host names */ - if (asn1_valid_host(hn)) { - unsigned char *h; - int hlen = ASN1_STRING_to_UTF8(&h, hn); - if (hlen <= 0) - return X509_V_ERR_OUT_OF_MEM; + if ((r = cn2dnsid(cn, &idval, &idlen)) != X509_V_OK) + return r; + if (idlen == 0) + continue; - stmp.length = hlen; - stmp.data = h; - - r = nc_match(&gntmp, nc); - - OPENSSL_free(h); - - if (r != X509_V_OK) - return r; - } + stmp.length = idlen; + stmp.data = idval; + r = nc_match(&gntmp, nc); + OPENSSL_free(idval); + if (r != X509_V_OK) + return r; } return X509_V_OK; } diff --git a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_purp.c b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_purp.c index 6d2f354d70f1..7ac067229fbb 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_purp.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_purp.c @@ -78,11 +78,9 @@ int X509_check_purpose(X509 *x, int id, int ca) { int idx; const X509_PURPOSE *pt; - if (!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_THREAD_write_lock(x->lock); - x509v3_cache_extensions(x); - CRYPTO_THREAD_unlock(x->lock); - } + + x509v3_cache_extensions(x); + /* Return if side-effect only call */ if (id == -1) return 1; @@ -352,10 +350,18 @@ static void x509v3_cache_extensions(X509 *x) ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; - int i; - if (x->ex_flags & EXFLAG_SET) + + /* fast lock-free check, see end of the function for details. */ + if (x->ex_cached) return; + + CRYPTO_THREAD_write_lock(x->lock); + if (x->ex_flags & EXFLAG_SET) { + CRYPTO_THREAD_unlock(x->lock); + return; + } + X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); /* V1 should mean no extensions ... */ if (!X509_get_version(x)) @@ -489,6 +495,13 @@ static void x509v3_cache_extensions(X509 *x) } } x->ex_flags |= EXFLAG_SET; + CRYPTO_THREAD_unlock(x->lock); + /* + * It has to be placed after memory barrier, which is implied by unlock. + * Worst thing that can happen is that another thread proceeds to lock + * and checks x->ex_flags & EXFLAGS_SET. See beginning of the function. + */ + x->ex_cached = 1; } /*- @@ -541,11 +554,7 @@ void X509_set_proxy_pathlen(X509 *x, long l) int X509_check_ca(X509 *x) { - if (!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_THREAD_write_lock(x->lock); - x509v3_cache_extensions(x); - CRYPTO_THREAD_unlock(x->lock); - } + x509v3_cache_extensions(x); return check_ca(x); } @@ -759,6 +768,7 @@ int X509_check_issued(X509 *issuer, X509 *subject) if (X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; + x509v3_cache_extensions(issuer); x509v3_cache_extensions(subject); diff --git a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_tlsf.c b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_tlsf.c index fec67243f8d3..d93781e1b7b7 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_tlsf.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_tlsf.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -121,13 +121,12 @@ static TLS_FEATURE *v2i_TLS_FEATURE(const X509V3_EXT_METHOD *method, } } - ai = ASN1_INTEGER_new(); - if (ai == NULL) { + if ((ai = ASN1_INTEGER_new()) == NULL + || !ASN1_INTEGER_set(ai, tlsextid) + || sk_ASN1_INTEGER_push(tlsf, ai) <= 0) { X509V3err(X509V3_F_V2I_TLS_FEATURE, ERR_R_MALLOC_FAILURE); goto err; } - ASN1_INTEGER_set(ai, tlsextid); - sk_ASN1_INTEGER_push(tlsf, ai); } return tlsf; diff --git a/crypto/external/bsd/openssl/dist/doc/apps/cms.pod b/crypto/external/bsd/openssl/dist/doc/apps/cms.pod index 96acd315d4d3..64ec106b09cc 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/cms.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/cms.pod @@ -393,6 +393,9 @@ When encrypting a message this option may be used multiple times to specify each recipient. This form B be used if customised parameters are required (for example to specify RSA-OAEP). +Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this +option. + =item B<-keyid> use subject key identifier to identify certificates instead of issuer name and @@ -712,23 +715,20 @@ No revocation checking is done on the signer's certificate. =head1 HISTORY The use of multiple B<-signer> options and the B<-resign> command were first -added in OpenSSL 1.0.0 +added in OpenSSL 1.0.0. -The B option was first added in OpenSSL 1.1.0 +The B option was first added in OpenSSL 1.0.2 -The use of B<-recip> to specify the recipient when encrypting mail was first -added to OpenSSL 1.1.0 - -Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. +Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.0.2. The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added -to OpenSSL 1.1.0. +to OpenSSL 1.0.2. -The -no_alt_chains options was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to OpenSSL 1.0.2b. =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/apps/config.pod b/crypto/external/bsd/openssl/dist/doc/apps/config.pod index 76f282f28ce0..a5153a65f1a5 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/config.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/config.pod @@ -20,7 +20,7 @@ started or end of file is reached. A section name can consist of alphanumeric characters and underscores. The first section of a configuration file is special and is referred -to as the B section this is usually unnamed and is from the +to as the B section. This section is usually unnamed and spans from the start of file until the first named section. When a name is being looked up it is first looked up in a named section (if any) and then the default section. @@ -377,7 +377,7 @@ L, L, L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/apps/genpkey.pod b/crypto/external/bsd/openssl/dist/doc/apps/genpkey.pod index d48695200b13..91b12e249b3b 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/genpkey.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/genpkey.pod @@ -12,7 +12,7 @@ B B [B<-out filename>] [B<-outform PEM|DER>] [B<-pass arg>] -[B<-cipher>] +[B<-I>] [B<-engine id>] [B<-paramfile file>] [B<-algorithm alg>] @@ -39,21 +39,21 @@ standard output is used. =item B<-outform DER|PEM> -This specifies the output format DER or PEM. +This specifies the output format DER or PEM. The default format is PEM. =item B<-pass arg> -the output file password source. For more information about the format of B +The output file password source. For more information about the format of B see the B section in L. -=item B<-cipher> +=item B<-I> This option encrypts the private key with the supplied cipher. Any algorithm name accepted by EVP_get_cipherbyname() is acceptable such as B. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. If used this option should precede all other @@ -61,19 +61,32 @@ options. =item B<-algorithm alg> -public key algorithm to use such as RSA, DSA or DH. If used this option must +Public key algorithm to use such as RSA, DSA or DH. If used this option must precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm> -are mutually exclusive. +are mutually exclusive. Engines may add algorithms in addition to the standard +built-in ones. + +Valid built-in algorithm names for private key generation are RSA and EC. + +Valid built-in algorithm names for parameter generation (see the B<-genparam> +option) are DH, DSA and EC. + +Note that the algorithm name X9.42 DH may be used as a synonym for the DH +algorithm. These are identical and do not indicate the type of parameters that +will be generated. Use the B option to indicate whether PKCS#3 +or X9.42 DH parameters are required. See L +below for more details. =item B<-pkeyopt opt:value> -set the public key algorithm option B to B. The precise set of +Set the public key algorithm option B to B. The precise set of options supported depends on the public key algorithm used and its -implementation. See B below for more details. +implementation. See L and +L below for more details. =item B<-genparam> -generate a set of parameters instead of a private key. If used this option must +Generate a set of parameters instead of a private key. If used this option must precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options. =item B<-paramfile filename> @@ -97,7 +110,7 @@ The options supported by each algorithm and indeed each implementation of an algorithm can vary. The options for the OpenSSL implementations are detailed below. -=head1 RSA KEY GENERATION OPTIONS +=head2 RSA Key Generation Options =over 4 @@ -112,91 +125,92 @@ hexadecimal value if preceded by B<0x>. Default value is 65537. =back -=head1 DSA PARAMETER GENERATION OPTIONS +=head2 EC Key Generation Options -=over 4 - -=item B - -The number of bits in the generated parameters. If not specified 1024 is used. - -=back - -=head1 DH PARAMETER GENERATION OPTIONS - -=over 4 - -=item B - -The number of bits in the prime parameter B

. - -=item B - -The value to use for the generator B. - -=item B - -If this option is set then the appropriate RFC5114 parameters are used -instead of generating new parameters. The value B can take the -values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of -1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup -and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections -2.1, 2.2 and 2.3 respectively. - -=back - -=head1 EC PARAMETER GENERATION OPTIONS - -The EC parameter generation options below can also -be supplied as EC key generation options. This can (for example) generate a -key from a named curve without the need to use an explicit parameter file. +The EC key generation options can also be used for parameter generation. =over 4 =item B -the EC curve to use. OpenSSL supports NIST curve names such as "P-256". +The EC curve to use. OpenSSL supports NIST curve names such as "P-256". =item B -the encoding to use for parameters. The "encoding" parameter must be either -"named_curve" or "explicit". +The encoding to use for parameters. The "encoding" parameter must be either +"named_curve" or "explicit". The default value is "named_curve". =back -=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS +=head1 PARAMETER GENERATION OPTIONS -Gost 2001 support is not enabled by default. To enable this algorithm, -one should load the ccgost engine in the OpenSSL configuration file. -See README.gost file in the engines/ccgost directory of the source -distribution for more details. +The options supported by each algorithm and indeed each implementation of an +algorithm can vary. The options for the OpenSSL implementations are detailed +below. -Use of a parameter file for the GOST R 34.10 algorithm is optional. -Parameters can be specified during key generation directly as well as -during generation of parameter file. +=head2 DSA Parameter Generation Options =over 4 -=item B +=item B -Specifies GOST R 34.10-2001 parameter set according to RFC 4357. -Parameter set can be specified using abbreviated name, object short name or -numeric OID. Following parameter sets are supported: +The number of bits in the generated prime. If not specified 1024 is used. - paramset OID Usage - A 1.2.643.2.2.35.1 Signature - B 1.2.643.2.2.35.2 Signature - C 1.2.643.2.2.35.3 Signature - XA 1.2.643.2.2.36.0 Key exchange - XB 1.2.643.2.2.36.1 Key exchange - test 1.2.643.2.2.35.0 Test purposes +=item B + +The number of bits in the q parameter. Must be one of 160, 224 or 256. If not +specified 160 is used. + +=item B + +The digest to use during parameter generation. Must be one of B, B +or B. If set, then the number of bits in B will match the output size +of the specified digest and the B parameter will be +ignored. If not set, then a digest will be used that gives an output matching +the number of bits in B, i.e. B if q length is 160, B if it 224 +or B if it is 256. =back -=head1 X25519 KEY GENERATION OPTIONS +=head2 DH Parameter Generation Options -The X25519 algorithm does not currently support any key generation options. +=over 4 +=item B + +The number of bits in the prime parameter B

. The default is 1024. + +=item B + +The number of bits in the sub prime parameter B. The default is 256 if the +prime is at least 2048 bits long or 160 otherwise. Only relevant if used in +conjunction with the B option to generate X9.42 DH parameters. + +=item B + +The value to use for the generator B. The default is 2. + +=item B + +The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH. +The default is 0. + +=item B + +If this option is set, then the appropriate RFC5114 parameters are used +instead of generating new parameters. The value B can take the +values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of +1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup +and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections +2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter +options. + +=back + +=head2 EC Parameter Generation Options + +The EC parameter generation options are the same as for key generation. See +L above. =head1 NOTES @@ -219,19 +233,25 @@ Generate a 2048 bit RSA key using 3 as the public exponent: openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ -pkeyopt rsa_keygen_pubexp:3 -Generate 1024 bit DSA parameters: +Generate 2048 bit DSA parameters: openssl genpkey -genparam -algorithm DSA -out dsap.pem \ - -pkeyopt dsa_paramgen_bits:1024 + -pkeyopt dsa_paramgen_bits:2048 Generate DSA key from parameters: openssl genpkey -paramfile dsap.pem -out dsakey.pem -Generate 1024 bit DH parameters: +Generate 2048 bit DH parameters: openssl genpkey -genparam -algorithm DH -out dhp.pem \ - -pkeyopt dh_paramgen_prime_len:1024 + -pkeyopt dh_paramgen_prime_len:2048 + +Generate 2048 bit X9.42 DH parameters: + + openssl genpkey -genparam -algorithm DH -out dhpx.pem \ + -pkeyopt dh_paramgen_prime_len:2048 \ + -pkeyopt dh_paramgen_type:1 Output RFC5114 2048 bit DH parameters with 224 bit subgroup: @@ -264,11 +284,12 @@ Generate an X25519 private key: =head1 HISTORY The ability to use NIST curve names, and to generate an EC key directly, -were added in OpenSSL 1.0.2. +were added in OpenSSL 1.0.2. The ability to generate X25519 keys was added in +OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/apps/rehash.pod b/crypto/external/bsd/openssl/dist/doc/apps/rehash.pod index 79268d47926c..22f3b7a40a6d 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/rehash.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/rehash.pod @@ -99,6 +99,12 @@ Note that current versions will not use the old style. Do not remove existing links. This is needed when keeping new and old-style links in the same directory. +=item B<-compat> + +Generate links for both old-style (MD5) and new-style (SHA1) hashing. +This allows releases before 1.0.0 to use these links along-side newer +releases. + =item B<-v> Print messages about old links removed and new links created. @@ -130,7 +136,7 @@ L. =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/apps/s_client.pod b/crypto/external/bsd/openssl/dist/doc/apps/s_client.pod index 01a6c5f7fc7a..9c17075337b4 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/s_client.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/s_client.pod @@ -281,8 +281,9 @@ be used as a test that session caching is working. =item B<-showcerts> -display the whole server certificate chain: normally only the server -certificate itself is displayed. +Displays the server certificate list as sent by the server: it only consists of +certificates the server has sent (in the order the server has sent them). It is +B a verified chain. =item B<-prexit> @@ -579,7 +580,8 @@ a client certificate. Therefor merely including a client certificate on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then the -B<-showcerts> option can be used to show the whole chain. +B<-showcerts> option can be used to show all the certificates sent by the +server. The B utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will @@ -609,7 +611,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/ASN1_INTEGER_get_int64.pod b/crypto/external/bsd/openssl/dist/doc/crypto/ASN1_INTEGER_get_int64.pod index f61268d6ac39..d0a6a3c810a1 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/ASN1_INTEGER_get_int64.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/ASN1_INTEGER_get_int64.pod @@ -11,10 +11,10 @@ ASN1_INTEGER_get_int64, ASN1_INTEGER_get, ASN1_INTEGER_set_int64, ASN1_INTEGER_s #include int ASN1_INTEGER_get_int64(int64_t *pr, const ASN1_INTEGER *a); - int ASN1_INTEGER_get(const ASN1_INTEGER *a, long v); + long ASN1_INTEGER_get(const ASN1_INTEGER *a); int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t r); - long ASN1_INTEGER_set(const ASN1_INTEGER *a); + int ASN1_INTEGER_set(const ASN1_INTEGER *a, long v); int ASN1_INTEGER_get_uint64(uint64_t *pr, const ASN1_INTEGER *a); int ASN1_INTEGER_set_uint64(ASN1_INTEGER *a, uint64_t r); @@ -123,7 +123,7 @@ were added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/BIO_meth_new.pod b/crypto/external/bsd/openssl/dist/doc/crypto/BIO_meth_new.pod index f682c37d171e..89179a46e76a 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/BIO_meth_new.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/BIO_meth_new.pod @@ -17,26 +17,26 @@ BIO_meth_set_callback_ctrl - Routines to build up BIO methods int BIO_get_new_index(void); BIO_METHOD *BIO_meth_new(int type, const char *name); void BIO_meth_free(BIO_METHOD *biom); - int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int); + int (*BIO_meth_get_write(const BIO_METHOD *biom)) (BIO *, const char *, int); int BIO_meth_set_write(BIO_METHOD *biom, int (*write) (BIO *, const char *, int)); - int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int); + int (*BIO_meth_get_read(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_read(BIO_METHOD *biom, int (*read) (BIO *, char *, int)); - int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *); + int (*BIO_meth_get_puts(const BIO_METHOD *biom)) (BIO *, const char *); int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts) (BIO *, const char *)); - int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int); + int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_gets(BIO_METHOD *biom, int (*gets) (BIO *, char *, int)); - long (*BIO_meth_get_ctrl(BIO_METHOD *biom)) (BIO *, int, long, void *); + long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *); int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl) (BIO *, int, long, void *)); - int (*BIO_meth_get_create(BIO_METHOD *bion)) (BIO *); + int (*BIO_meth_get_create(const BIO_METHOD *bion)) (BIO *); int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *)); - int (*BIO_meth_get_destroy(BIO_METHOD *biom)) (BIO *); + int (*BIO_meth_get_destroy(const BIO_METHOD *biom)) (BIO *); int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *)); - long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom)) + long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom)) (BIO *, int, BIO_info_cb *); int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, long (*callback_ctrl) (BIO *, int, @@ -121,7 +121,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/BN_add.pod b/crypto/external/bsd/openssl/dist/doc/crypto/BN_add.pod index db3b0d45b479..b2c5dd2cc54d 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/BN_add.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/BN_add.pod @@ -92,7 +92,9 @@ BN_exp() raises I to the I

-th power and places the result in I BN_mul(). BN_mod_exp() computes I to the I

-th power modulo I (C). This function uses less time and space than BN_exp(). +m>). This function uses less time and space than BN_exp(). Do not call this +function when B is even and any of the parameters have the +B flag set. BN_gcd() computes the greatest common divisor of I and I and places the result in I. I may be the same B as I or @@ -117,7 +119,7 @@ L, L =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/BN_bn2bin.pod b/crypto/external/bsd/openssl/dist/doc/crypto/BN_bn2bin.pod index ac46948477dc..c9ca33fd136d 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/BN_bn2bin.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/BN_bn2bin.pod @@ -55,8 +55,8 @@ freed later using OPENSSL_free(). BN_hex2bn() takes as many characters as possible from the string B, including the leading character '-' which means negative, to form a valid hexadecimal number representation and converts them to a B and -stores it in **B. If *B is NULL, a new B is created. If -B is NULL, it only computes the length of valid representation. +stores it in **B. If *B is NULL, a new B is created. If +B is NULL, it only computes the length of valid representation. A "negative zero" is converted to zero. BN_dec2bn() is the same using the decimal system. @@ -106,7 +106,7 @@ L =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/BN_generate_prime.pod b/crypto/external/bsd/openssl/dist/doc/crypto/BN_generate_prime.pod index c97536b5c4e3..4cd667e2e36e 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/BN_generate_prime.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/BN_generate_prime.pod @@ -100,7 +100,17 @@ If B, this test is skipped. Both BN_is_prime_ex() and BN_is_prime_fasttest_ex() perform a Miller-Rabin probabilistic primality test with B iterations. If B, a number of iterations is used that -yields a false positive rate of at most 2^-80 for random input. +yields a false positive rate of at most 2^-64 for random input. +The error rate depends on the size of the prime and goes down for bigger primes. +The rate is 2^-80 starting at 308 bits, 2^-112 at 852 bits, 2^-128 at 1080 bits, +2^-192 at 3747 bits and 2^-256 at 6394 bits. + +When the source of the prime is not random or not trusted, the number +of checks needs to be much higher to reach the same level of assurance: +It should equal half of the targeted security level in bits (rounded up to the +next integer if necessary). +For instance, to reach the 128 bit security level, B should be set to +64. If B is not B, B is called after the j-th iteration (j = 0, 1, ...). B is a @@ -184,7 +194,7 @@ and BN_GENCB_get_arg() were added in OpenSSL 1.1.0 =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/CMS_encrypt.pod b/crypto/external/bsd/openssl/dist/doc/crypto/CMS_encrypt.pod index 0ed42628c3cf..cbd5a21353e2 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/CMS_encrypt.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/CMS_encrypt.pod @@ -18,9 +18,8 @@ B is the symmetric cipher to use. B is an optional set of flags. =head1 NOTES -Only certificates carrying RSA keys are supported so the recipient certificates -supplied to this function must all contain RSA public keys, though they do not -have to be signed using the RSA algorithm. +Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this +function. EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because most clients will support it. @@ -94,7 +93,7 @@ The B flag was first supported in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/CMS_get0_SignerInfos.pod b/crypto/external/bsd/openssl/dist/doc/crypto/CMS_get0_SignerInfos.pod index e5532c96f440..cea088857a6f 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/CMS_get0_SignerInfos.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/CMS_get0_SignerInfos.pod @@ -54,7 +54,7 @@ CMS_SignerInfo_set1_signer_cert(). Once all signer certificates have been set CMS_verify() can be used. -Although CMS_get0_SignerInfos() can return NULL is an error occur B if +Although CMS_get0_SignerInfos() can return NULL if an error occurs B if there are no signers this is not a problem in practice because the only error which can occur is if the B structure is not of type signedData due to application error. @@ -79,7 +79,7 @@ L, L =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/CMS_get1_ReceiptRequest.pod b/crypto/external/bsd/openssl/dist/doc/crypto/CMS_get1_ReceiptRequest.pod index 79f5f4232dd1..cb961be79758 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/CMS_get1_ReceiptRequest.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/CMS_get1_ReceiptRequest.pod @@ -48,7 +48,7 @@ CMS_verify(). CMS_ReceiptRequest_create0() returns a signed receipt request structure or NULL if an error occurred. -CMS_add1_ReceiptRequest() returns 1 for success or 0 is an error occurred. +CMS_add1_ReceiptRequest() returns 1 for success or 0 if an error occurred. CMS_get1_ReceiptRequest() returns 1 is a signed receipt request is found and decoded. It returns 0 if a signed receipt request is not present and -1 if @@ -62,7 +62,7 @@ L =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/DH_meth_new.pod b/crypto/external/bsd/openssl/dist/doc/crypto/DH_meth_new.pod index d768da8c6eb7..ef0a80b19510 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/DH_meth_new.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/DH_meth_new.pod @@ -19,7 +19,7 @@ DH_meth_set_generate_params - Routines to build up DH methods DH_METHOD *DH_meth_dup(const DH_METHOD *dhm); const char *DH_meth_get0_name(const DH_METHOD *dhm); int DH_meth_set1_name(DH_METHOD *dhm, const char *name); - int DH_meth_get_flags(DH_METHOD *dhm); + int DH_meth_get_flags(const DH_METHOD *dhm); int DH_meth_set_flags(DH_METHOD *dhm, int flags); void *DH_meth_get0_app_data(const DH_METHOD *dhm); int DH_meth_set0_app_data(DH_METHOD *dhm, void *app_data); @@ -146,7 +146,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/DSA_meth_new.pod b/crypto/external/bsd/openssl/dist/doc/crypto/DSA_meth_new.pod index 948ab29b58c8..8ebf7ab6bcc1 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/DSA_meth_new.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/DSA_meth_new.pod @@ -21,7 +21,7 @@ DSA_meth_set_keygen - Routines to build up DSA methods DSA_METHOD *DSA_meth_dup(const DSA_METHOD *meth); const char *DSA_meth_get0_name(const DSA_METHOD *dsam); int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name); - int DSA_meth_get_flags(DSA_METHOD *dsam); + int DSA_meth_get_flags(const DSA_METHOD *dsam); int DSA_meth_set_flags(DSA_METHOD *dsam, int flags); void *DSA_meth_get0_app_data(const DSA_METHOD *dsam); int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data); @@ -183,7 +183,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/DSA_sign.pod b/crypto/external/bsd/openssl/dist/doc/crypto/DSA_sign.pod index ba0f6b863ecf..b91f89f0733c 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/DSA_sign.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/DSA_sign.pod @@ -24,13 +24,12 @@ digest B using the private key B and places its ASN.1 DER encoding at B. The length of the signature is places in *B. B must point to DSA_size(B) bytes of memory. -DSA_sign_setup() may be used to precompute part of the signing -operation in case signature generation is time-critical. It expects -B to contain DSA parameters. It places the precomputed values -in newly allocated Bs at *B and *B, after freeing -the old ones unless *B and *B are NULL. These values may -be passed to DSA_sign() in Bkinv> and Br>. -B is a pre-allocated B or NULL. +DSA_sign_setup() is defined only for backward binary compatibility and +should not be used. +Since OpenSSL 1.1.0 the DSA type is opaque and the output of +DSA_sign_setup() cannot be used anyway: calling this function will only +cause overhead, and does not affect the actual signature +(pre-)computation. DSA_verify() verifies that the signature B of size B matches a given message digest B of size B. @@ -60,7 +59,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/ECDSA_SIG_new.pod b/crypto/external/bsd/openssl/dist/doc/crypto/ECDSA_SIG_new.pod index 9e1f662c621f..f544ccbb32fe 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/ECDSA_SIG_new.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/ECDSA_SIG_new.pod @@ -114,6 +114,8 @@ returned as a newly allocated B structure (or NULL on error). =head1 RETURN VALUES +ECDSA_SIG_new() returns NULL if the allocation fails. + ECDSA_SIG_set0() returns 1 on success or 0 on failure. ECDSA_size() returns the maximum length signature or 0 on error. @@ -197,7 +199,7 @@ L =head1 COPYRIGHT -Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestInit.pod b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestInit.pod index bb7ef7a28fd6..1dc76cbdf86b 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestInit.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestInit.pod @@ -3,11 +3,12 @@ =head1 NAME EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy_ex, +EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags, EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestInit, EVP_DigestFinal, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, -EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha1, -EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_mdc2, +EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_MD_CTX_md_data, EVP_md_null, EVP_md2, +EVP_md5, EVP_sha1, EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_mdc2, EVP_ripemd160, EVP_blake2b512, EVP_blake2s256, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines @@ -18,6 +19,9 @@ EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines EVP_MD_CTX *EVP_MD_CTX_new(void); int EVP_MD_CTX_reset(EVP_MD_CTX *ctx); void EVP_MD_CTX_free(EVP_MD_CTX *ctx); + void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags); + void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags); + int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags); int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); @@ -41,6 +45,7 @@ EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines int EVP_MD_CTX_size(const EVP_MD *ctx); int EVP_MD_CTX_block_size(const EVP_MD *ctx); int EVP_MD_CTX_type(const EVP_MD *ctx); + void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx); const EVP_MD *EVP_md_null(void); const EVP_MD *EVP_md2(void); @@ -73,6 +78,9 @@ to reuse an already existing context. EVP_MD_CTX_free() cleans up digest context B and frees up the space allocated to it. +EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags() and EVP_MD_CTX_test_flags() +sets, clears and tests B flags. See L below for more information. + EVP_DigestInit_ex() sets up digest context B to use a digest B from ENGINE B. B must be initialized before calling this function. B will typically be supplied by a function such as EVP_sha1(). @@ -117,6 +125,11 @@ representing the given message digest when passed an B structure. For example EVP_MD_type(EVP_sha1()) returns B. This function is normally used when setting ASN1 OIDs. +EVP_MD_CTX_md_data() return the digest method private data for the passed +B. +The space is allocated by OpenSSL and has the size originally set with +EVP_MD_meth_set_app_datasize(). + EVP_MD_CTX_md() returns the B structure corresponding to the passed B. @@ -139,6 +152,38 @@ EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj() return an B structure when passed a digest name, a digest NID or an ASN1_OBJECT structure respectively. +=head1 FLAGS + +EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags() and EVP_MD_CTX_test_flags() +can be used the manipulate and test these B flags: + +=over 4 + +=item EVP_MD_CTX_FLAG_ONESHOT + +This flag instructs the digest to optimize for one update only, if possible. + +=for comment EVP_MD_CTX_FLAG_CLEANED is internal, don't mention it + +=for comment EVP_MD_CTX_FLAG_REUSE is internal, don't mention it + +=for comment We currently avoid documenting flags that are only bit holder: +EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, EVP_MD_CTX_FLAGS_PAD_* + +=item EVP_MD_CTX_FLAG_NO_INIT + +This flag instructs EVP_DigestInit() and similar not to initialise the +implementation specific data. + +=item EVP_MD_CTX_FLAG_FINALISE + +Some functions such as EVP_DigestSign only finalise copies of internal +contexts so additional data can be included after the finalisation call. +This is inefficient if this functionality is not required, and can be +disabled with this flag. + +=back + =head1 RETURN VALUES EVP_DigestInit_ex(), EVP_DigestUpdate() and EVP_DigestFinal_ex() return 1 for @@ -249,7 +294,7 @@ was removed in OpenSSL 1.1.0 =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestSignInit.pod b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestSignInit.pod index 7ec06b7a272e..5fadc82e6aac 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestSignInit.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestSignInit.pod @@ -21,7 +21,48 @@ EVP_DigestSignInit() sets up signing context B to use digest B from ENGINE B and private key B. B must be created with EVP_MD_CTX_new() before calling this function. If B is not NULL the EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can -be used to set alternative signing options. +be used to set alternative signing options. The digest B may be NULL if +the signing algorithm supports it. + +Only EVP_PKEY types that support signing can be used with these functions. This +includes MAC algorithms where the MAC generation is considered as a form of +"signing." Built-in EVP_PKEY types supported by these functions are CMAC, DSA, +ECDSA, HMAC and RSA. + +Not all digests can be used for all key types. The following combinations apply. + +=over 4 + +=item DSA + +Supports SHA1, SHA224, SHA256, SHA384 and SHA512 + +=item ECDSA + +Supports SHA1, SHA224, SHA256, SHA384 and SHA512 + +=item RSA with no padding + +Supports no digests (the digest B must be NULL) + +=item RSA with X931 padding + +Supports SHA1, SHA256, SHA384 and SHA512 + +=item All other RSA padding types + +Support SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2, +RIPEMD160 + +=item HMAC + +Supports any digest + +=item CMAC + +Will ignore any digest provided. + +=back EVP_DigestSignUpdate() hashes B bytes of data at B into the signature context B. This function can be called several times on the @@ -86,7 +127,7 @@ were first added to OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod index 61e0eec52882..459e7a02ffcc 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod @@ -59,7 +59,7 @@ All these functions are implemented as macros. A context for HKDF can be obtained by calling: - EVP_PKEY_CTX *pctx = EVP_PKEY_new_id(EVP_PKEY_HKDF, NULL); + EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); The digest, key, salt and info values must be set before a key is derived or an error occurs. @@ -118,7 +118,7 @@ L =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod index f1f0ae4fbe4d..fe35a5ece8cf 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod @@ -50,7 +50,7 @@ All these functions are implemented as macros. A context for the TLS PRF can be obtained by calling: - EVP_PKEY_CTX *pctx = EVP_PKEY_new_id(EVP_PKEY_TLS1_PRF, NULL); + EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); The digest, secret value and seed must be set before a key is derived or an error occurs. @@ -98,7 +98,7 @@ L =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/OBJ_nid2obj.pod b/crypto/external/bsd/openssl/dist/doc/crypto/OBJ_nid2obj.pod index 3ada6679cf92..c84adb2e4634 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/OBJ_nid2obj.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/OBJ_nid2obj.pod @@ -54,7 +54,7 @@ constants. OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B to an ASN1_OBJECT structure, its long name and its short name respectively, -or B is an error occurred. +or B if an error occurred. OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() return the corresponding NID for the object B, the long name or the short name respectively @@ -188,7 +188,7 @@ OBJ_cleanup() was deprecated in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/OCSP_resp_find_status.pod b/crypto/external/bsd/openssl/dist/doc/crypto/OCSP_resp_find_status.pod index 5123f0ad6da4..e014df500b6f 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/OCSP_resp_find_status.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/OCSP_resp_find_status.pod @@ -7,7 +7,8 @@ OCSP_resp_get0_signer, OCSP_resp_get0_id, OCSP_resp_get0_produced_at, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, -OCSP_single_get0_status, OCSP_check_validity +OCSP_single_get0_status, OCSP_check_validity, +OCSP_basic_verify - OCSP response utility functions =head1 SYNOPSIS @@ -44,6 +45,9 @@ OCSP_single_get0_status, OCSP_check_validity ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); + int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, + X509_STORE *st, unsigned long flags); + =head1 DESCRIPTION OCSP_resp_find_status() searches B for an OCSP response for B. If it is @@ -93,6 +97,27 @@ OCSP_single_get0_status(). If B is non-zero it indicates how many seconds leeway should be allowed in the check. If B is positive it indicates the maximum age of B in seconds. +OCSP_basic_verify() checks that the basic response message B is correctly +signed and that the signer certificate can be validated. It takes B as +the trusted store and B as a set of untrusted intermediate certificates. +The function first tries to find the signer certificate of the response +in . It also searches the certificates the responder may have included +in B unless the B contain B. +It fails if the signer certificate cannot be found. +Next, the function checks the signature of B and fails on error +unless the B contain B. Then the function already returns +success if the B contain B or if the signer certificate +was found in B and the B contain B. +Otherwise the function continues by validating the signer certificate. +To this end, all certificates in B and in B are considered as +untrusted certificates for the construction of the validation path for the +signer certificate unless the B flag is set. After successful path +validation the function returns success if the B flag is set. +Otherwise it verifies that the signer certificate meets the OCSP issuer +criteria including potential delegation. If this does not succeed and the +B do not contain B the function checks for explicit +trust for OCSP signing in the root CA certificate. + =head1 RETURN VALUES OCSP_resp_find_status() returns 1 if B is found in B and 0 otherwise. @@ -112,6 +137,9 @@ occurred. OCSP_resp_get0_signer() returns 1 if the signing certificate was located, or 0 on error. +OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such +as malloc failure. + =head1 NOTES Applications will typically call OCSP_resp_find_status() using the certificate @@ -142,7 +170,7 @@ L =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_VERSION_NUMBER.pod index f50faec772d5..f5429d217e52 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_VERSION_NUMBER.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_VERSION_NUMBER.pod @@ -47,11 +47,6 @@ number was therefore 0x0090581f. OpenSSL_version_num() returns the version number. -The macro OPENSSL_VERSION_AT_LEAST(major,minor) can be used at compile -time test if the current version is at least as new as the version provided. -The arguments major, minor and fix correspond to the version information -as given above. - OpenSSL_version() returns different strings depending on B: =over 4 diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_init_crypto.pod b/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_init_crypto.pod index f0b3c8aa8da5..f9664ee35298 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_init_crypto.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_init_crypto.pod @@ -190,10 +190,10 @@ resources should be freed at an earlier time, or under the circumstances described in the NOTES section below. The B flag will load a default configuration -file. To specify a different file, an B must -be created and used. The routines -OPENSSL_init_new() and OPENSSL_INIT_set_config_appname() can be used to -allocate the object and set the application name, and then the +file. For optional configuration file settings, an B +must be created and used. +The routines OPENSSL_init_new() and OPENSSL_INIT_set_config_appname() can +be used to allocate the object and set the application name, and then the object can be released with OPENSSL_INIT_free() when done. =head1 NOTES @@ -235,7 +235,7 @@ and OPENSSL_INIT_free() functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_malloc.pod b/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_malloc.pod index 2104f43108f1..ba5dc1069f39 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_malloc.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_malloc.pod @@ -68,8 +68,8 @@ CRYPTO_mem_leaks, CRYPTO_mem_leaks_fp - Memory allocation functions int CRYPTO_mem_debug_push(const char *info, const char *file, int line); int CRYPTO_mem_debug_pop(void); - void CRYPTO_mem_leaks(BIO *b); - void CRYPTO_mem_leaks_fp(FILE *fp); + int CRYPTO_mem_leaks(BIO *b); + int CRYPTO_mem_leaks_fp(FILE *fp); =head1 DESCRIPTION @@ -197,7 +197,7 @@ only, say, the malloc() implementation is outright dangerous.> =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/PEM_read_bio_PrivateKey.pod b/crypto/external/bsd/openssl/dist/doc/crypto/PEM_read_bio_PrivateKey.pod index 6b3006ef3523..b0ba62a3b367 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/PEM_read_bio_PrivateKey.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/PEM_read_bio_PrivateKey.pod @@ -294,7 +294,7 @@ for it twice) if B is 1. The B parameter has the same value as the B parameter passed to the PEM routine. It allows arbitrary data to be passed to the callback by the application (for example a window handle in a GUI application). The callback -B return the number of characters in the passphrase or 0 if +B return the number of characters in the passphrase or -1 if an error occurred. =head1 EXAMPLES @@ -348,17 +348,16 @@ Skeleton pass phrase callback: int pass_cb(char *buf, int size, int rwflag, void *u) { - int len; - char *tmp; /* We'd probably do something else if 'rwflag' is 1 */ printf("Enter pass phrase for \"%s\"\n", (char *)u); /* get pass phrase, length 'len' into 'tmp' */ - tmp = "hello"; - len = strlen(tmp); - if (len <= 0) - return 0; + char *tmp = "hello"; + if (tmp == NULL) /* An error occurred */ + return -1; + + size_t len = strlen(tmp); if (len > size) len = size; @@ -471,7 +470,7 @@ L, L =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/RSA_meth_new.pod b/crypto/external/bsd/openssl/dist/doc/crypto/RSA_meth_new.pod index 9970aa6b73ef..9c89426a9a28 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/RSA_meth_new.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/RSA_meth_new.pod @@ -24,7 +24,7 @@ RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); const char *RSA_meth_get0_name(const RSA_METHOD *meth); int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); - int RSA_meth_get_flags(RSA_METHOD *meth); + int RSA_meth_get_flags(const RSA_METHOD *meth); int RSA_meth_set_flags(RSA_METHOD *meth, int flags); void *RSA_meth_get0_app_data(const RSA_METHOD *meth); int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data); @@ -225,7 +225,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/SMIME_read_PKCS7.pod b/crypto/external/bsd/openssl/dist/doc/crypto/SMIME_read_PKCS7.pod index 3eb8bbc9a0f8..c11090891ad3 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/SMIME_read_PKCS7.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/SMIME_read_PKCS7.pod @@ -57,7 +57,7 @@ streaming single pass option should be available. =head1 RETURN VALUES SMIME_read_PKCS7() returns a valid B structure or B -is an error occurred. The error can be obtained from ERR_get_error(3). +if an error occurred. The error can be obtained from ERR_get_error(3). =head1 SEE ALSO @@ -68,7 +68,7 @@ L =head1 COPYRIGHT -Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/X509_LOOKUP_hash_dir.pod b/crypto/external/bsd/openssl/dist/doc/crypto/X509_LOOKUP_hash_dir.pod index 5f8dfa93b0f1..4f2768d4f4a5 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/X509_LOOKUP_hash_dir.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/X509_LOOKUP_hash_dir.pod @@ -117,10 +117,11 @@ L, L, L, L, +L, =head1 COPYRIGHT -Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/X509_LOOKUP_meth_new.pod b/crypto/external/bsd/openssl/dist/doc/crypto/X509_LOOKUP_meth_new.pod new file mode 100644 index 000000000000..fb165fd6ad9d --- /dev/null +++ b/crypto/external/bsd/openssl/dist/doc/crypto/X509_LOOKUP_meth_new.pod @@ -0,0 +1,189 @@ +=pod + +=head1 NAME + +X509_LOOKUP_meth_new, X509_LOOKUP_meth_free, X509_LOOKUP_meth_set_new_item, +X509_LOOKUP_meth_get_new_item, X509_LOOKUP_meth_set_free, +X509_LOOKUP_meth_get_free, X509_LOOKUP_meth_set_init, +X509_LOOKUP_meth_get_init, X509_LOOKUP_meth_set_shutdown, +X509_LOOKUP_meth_get_shutdown, +X509_LOOKUP_ctrl_fn, X509_LOOKUP_meth_set_ctrl, X509_LOOKUP_meth_get_ctrl, +X509_LOOKUP_get_by_subject_fn, X509_LOOKUP_meth_set_get_by_subject, +X509_LOOKUP_meth_get_get_by_subject, +X509_LOOKUP_get_by_issuer_serial_fn, X509_LOOKUP_meth_set_get_by_issuer_serial, +X509_LOOKUP_meth_get_get_by_issuer_serial, +X509_LOOKUP_get_by_fingerprint_fn, X509_LOOKUP_meth_set_get_by_fingerprint, +X509_LOOKUP_meth_get_get_by_fingerprint, +X509_LOOKUP_get_by_alias_fn, X509_LOOKUP_meth_set_get_by_alias, +X509_LOOKUP_meth_get_get_by_alias, +X509_LOOKUP_set_method_data, X509_LOOKUP_get_method_data, +X509_LOOKUP_get_store, X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL +- Routines to build up X509_LOOKUP methods + +=head1 SYNOPSIS + + #include + + X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name); + void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method); + + int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method, + int (*new_item) (X509_LOOKUP *ctx)); + int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, + void (*free) (X509_LOOKUP *ctx)); + void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method, + int (*init) (X509_LOOKUP *ctx)); + int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + int X509_LOOKUP_meth_set_shutdown(X509_LOOKUP_METHOD *method, + int (*shutdown) (X509_LOOKUP *ctx)); + int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc, + long argl, char **ret); + int X509_LOOKUP_meth_set_ctrl(X509_LOOKUP_METHOD *method, + X509_LOOKUP_ctrl_fn ctrl_fn); + X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + X509_NAME *name, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_subject_fn fn); + X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject( + const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + X509_NAME *name, + ASN1_INTEGER *serial, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_issuer_serial( + X509_LOOKUP_METHOD *method, X509_LOOKUP_get_by_issuer_serial_fn fn); + X509_LOOKUP_get_by_issuer_serial_fn X509_LOOKUP_meth_get_get_by_issuer_serial( + const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_fingerprint_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const unsigned char* bytes, + int len, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_fingerprint(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_fingerprint_fn fn); + X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint( + const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_alias_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const char *str, + int len, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_alias_fn fn); + X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias( + const X509_LOOKUP_METHOD *method); + + int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data); + void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx); + + X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx); + + int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj); + int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj); + +=head1 DESCRIPTION + +The B type is a structure used for the implementation of new +X509_LOOKUP types. It provides a set of functions used by OpenSSL for the +implementation of various X509 and X509_CRL lookup capabilities. One instance +of an X509_LOOKUP_METHOD can be associated to many instantiations of an +B structure. + +X509_LOOKUP_meth_new() creates a new B structure. It should +be given a human-readable string containing a brief description of the lookup +method. + +X509_LOOKUP_meth_free() destroys a B structure. + +X509_LOOKUP_get_new_item() and X509_LOOKUP_set_new_item() get and set the +function that is called when an B object is created with +X509_LOOKUP_new(). If an X509_LOOKUP_METHOD requires any per-X509_LOOKUP +specific data, the supplied new_item function should allocate this data and +invoke X509_LOOKUP_set_method_data(). + +X509_LOOKUP_get_free() and X509_LOOKUP_set_free() get and set the function +that is used to free any method data that was allocated and set from within +new_item function. + +X509_LOOKUP_meth_get_init() and X509_LOOKUP_meth_set_init() get and set the +function that is used to initialize the method data that was set with +X509_LOOKUP_set_method_data() as part of the new_item routine. + +X509_LOOKUP_meth_get_shutdown() and X509_LOOKUP_meth_set_shutdown() get and set +the function that is used to shut down the method data whose state was +previously initialized in the init function. + +X509_LOOKUP_meth_get_ctrl() and X509_LOOKUP_meth_set_ctrl() get and set a +function to be used to handle arbitrary control commands issued by +X509_LOOKUP_ctrl(). The control function is given the X509_LOOKUP +B, along with the arguments passed by X509_LOOKUP_ctrl. B is +an arbitrary integer that defines some operation. B is a pointer +to an array of characters. B is an integer. B, if set, +points to a location where any return data should be written to. How +B and B are used depends entirely on the control function. + + +X509_LOOKUP_set_get_by_subject(), X509_LOOKUP_set_get_by_issuer_serial(), +X509_LOOKUP_set_get_by_fingerprint(), X509_LOOKUP_set_get_by_alias() set +the functions used to retrieve an X509 or X509_CRL object by the object's +subject, issuer, fingerprint, and alias respectively. These functions are given +the X509_LOOKUP context, the type of the X509_OBJECT being requested, parameters +related to the lookup, and an X509_OBJECT that will receive the requested +object. + +Implementations should use either X509_OBJECT_set1_X509() or +X509_OBJECT_set1_X509_CRL() to set the result. Any method data that was +created as a result of the new_item function set by +X509_LOOKUP_meth_set_new_item() can be accessed with +X509_LOOKUP_get_method_data(). The B object that owns the +X509_LOOKUP may be accessed with X509_LOOKUP_get_store(). Successful lookups +should return 1, and unsuccessful lookups should return 0. + +X509_LOOKUP_get_get_by_subject(), X509_LOOKUP_get_get_by_issuer_serial(), +X509_LOOKUP_get_get_by_fingerprint(), X509_LOOKUP_get_get_by_alias() retrieve +the function set by the corresponding setter. + +=head1 RETURN VALUES + +The B functions return 1 on success or 0 on error. + +The B functions return the corresponding function +pointers. + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +The functions described here were added in OpenSSL 1.1.0i. + +=head1 COPYRIGHT + +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/crypto/external/bsd/openssl/dist/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 5263facfd48d..320b258a85cd 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -11,7 +11,9 @@ X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_get_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, -X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, +X509_VERIFY_PARAM_set_hostflags, +X509_VERIFY_PARAM_get_hostflags, +X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters @@ -54,6 +56,7 @@ X509_VERIFY_PARAM_set1_ip_asc const char *name, size_t namelen); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags); + unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param); char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, size_t emaillen); @@ -130,14 +133,32 @@ B clearing any previously specified host name or names. If B is NULL, or empty the list of hostnames is cleared, and name checks are not performed on the peer certificate. If B is NUL-terminated, B may be zero, otherwise B -must be set to the length of B. When a hostname is specified, +must be set to the length of B. + +When a hostname is specified, certificate verification automatically invokes L with flags equal to the B argument given to X509_VERIFY_PARAM_set_hostflags() (default zero). Applications are strongly advised to use this interface in preference to explicitly -calling L, hostname checks are out of scope +calling L, hostname checks may be out of scope with the DANE-EE(3) certificate usage, and the internal check will -be suppressed as appropriate when DANE support is added to OpenSSL. +be suppressed as appropriate when DANE verification is enabled. + +When the subject CommonName will not be ignored, whether as a result of the +B host flag, or because no DNS subject +alternative names are present in the certificate, any DNS name constraints in +issuer certificates apply to the subject CommonName as well as the subject +alternative name extension. + +When the subject CommonName will be ignored, whether as a result of the +B host flag, or because some DNS subject +alternative names are present in the certificate, DNS name constraints in +issuer certificates will not be applied to the subject DN. +As described in X509_check_host(3) the B +flag takes precendence over the B flag. + +X509_VERIFY_PARAM_get_hostflags() returns any host flags previously set via a +call to X509_VERIFY_PARAM_set_hostflags(). X509_VERIFY_PARAM_add1_host() adds B as an additional reference identifier that can match the peer's certificate. Any previous names @@ -186,6 +207,8 @@ failure. X509_VERIFY_PARAM_get_flags() returns the current verification flags. +X509_VERIFY_PARAM_get_hostflags() returns any current host flags. + X509_VERIFY_PARAM_get_inh_flags() returns the current inheritance flags. X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return @@ -347,6 +370,8 @@ The B flag was added in OpenSSL 1.1.0 The legacy B flag is deprecated as of OpenSSL 1.1.0, and has no effect. +X509_VERIFY_PARAM_get_hostflags() was added in OpenSSL 1.1.0i. + =head1 COPYRIGHT Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved. diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/X509_check_host.pod b/crypto/external/bsd/openssl/dist/doc/crypto/X509_check_host.pod index 93848152b5ec..fb9f6a64ecd5 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/X509_check_host.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/X509_check_host.pod @@ -93,6 +93,9 @@ consider the subject DN even if the certificate contains no subject alternative names of the right type (DNS name or email address as appropriate); the default is to use the subject DN when no corresponding subject alternative names are present. +If both B and +B are specified, the latter takes +precedence and the subject DN is not checked for matching names. If set, B disables wildcard expansion; this only applies to B. @@ -128,9 +131,9 @@ NULs. Applications are encouraged to use X509_VERIFY_PARAM_set1_host() rather than explicitly calling L. Host name -checks are out of scope with the DANE-EE(3) certificate usage, +checks may be out of scope with the DANE-EE(3) certificate usage, and the internal checks will be suppressed as appropriate when -DANE support is added to OpenSSL. +DANE support is enabled. =head1 SEE ALSO @@ -147,7 +150,7 @@ These functions were added in OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/X509_cmp_time.pod b/crypto/external/bsd/openssl/dist/doc/crypto/X509_cmp_time.pod new file mode 100644 index 000000000000..5bf51114511a --- /dev/null +++ b/crypto/external/bsd/openssl/dist/doc/crypto/X509_cmp_time.pod @@ -0,0 +1,39 @@ +=pod + +=head1 NAME + +X509_cmp_time - X509 time functions + +=head1 SYNOPSIS + + X509_cmp_time(const ASN1_TIME *asn1_time, time_t *cmp_time); + +=head1 DESCRIPTION + +X509_cmp_time() compares the ASN1_TIME in B with the time in +. + +B must satisfy the ASN1_TIME format mandated by RFC 5280, i.e., +its format must be either YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ. + +If B is NULL the current time is used. + +=head1 BUGS + +Unlike many standard comparison functions, X509_cmp_time returns 0 on error. + +=head1 RETURN VALUES + +X509_cmp_time() returns -1 if B is earlier than, or equal to, +B, and 1 otherwise. It returns 0 on error. + +=head1 COPYRIGHT + +Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/crypto/external/bsd/openssl/dist/doc/fingerprints.txt b/crypto/external/bsd/openssl/dist/doc/fingerprints.txt index 1863224df37a..2cb74aec2778 100644 --- a/crypto/external/bsd/openssl/dist/doc/fingerprints.txt +++ b/crypto/external/bsd/openssl/dist/doc/fingerprints.txt @@ -18,10 +18,7 @@ uid Richard Levitte uid Richard Levitte uid Richard Levitte -pub 4096R/FA40E9E2 2005-03-19 - Key fingerprint = 6260 5AA4 334A F9F0 DDE5 D349 D357 7507 FA40 E9E2 -uid Dr Stephen N Henson - pub 2048R/0E604491 2013-04-30 Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 +uid Matt Caswell uid Matt Caswell diff --git a/crypto/external/bsd/openssl/dist/doc/openssl-c-indent.el b/crypto/external/bsd/openssl/dist/doc/openssl-c-indent.el index cca118303e30..852f794f9656 100644 --- a/crypto/external/bsd/openssl/dist/doc/openssl-c-indent.el +++ b/crypto/external/bsd/openssl/dist/doc/openssl-c-indent.el @@ -54,6 +54,7 @@ (arglist-close . c-lineup-arglist) ; From "gnu" style (inline-open . 0) ; From "gnu" style (brace-list-open . +) ; From "gnu" style + (inextern-lang . 0) ; Don't indent inside extern block (topmost-intro-cont first c-lineup-topmost-intro-cont c-lineup-gnu-DEFUN-intro-cont) ; From "gnu" style ) diff --git a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CONF_cmd.pod b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CONF_cmd.pod index a28e21833285..12fdcab83c4a 100644 --- a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CONF_cmd.pod +++ b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CONF_cmd.pod @@ -506,10 +506,6 @@ Set supported curves to P-256, P-384: SSL_CONF_cmd(ctx, "Curves", "P-256:P-384"); -Set automatic support for any elliptic curve for key exchange: - - SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic"); - =head1 RETURN VALUES SSL_CONF_cmd() returns 1 if the value of B is recognised and B is diff --git a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_use_certificate.pod b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_use_certificate.pod index c645f58078e8..8ed7b5ea15c8 100644 --- a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_use_certificate.pod +++ b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_use_certificate.pod @@ -153,6 +153,13 @@ L. of view, it however does not make sense as the data in the certificate is considered public anyway.) +All of the functions to set a new certificate will replace any existing +certificate of the same type that has already been set. Similarly all of the +functions to set a new private key will replace any private key that has already +been set. Applications should call L or +L as appropriate after loading a new certificate and +private key to confirm that the certificate and key match. + =head1 RETURN VALUES On success, the functions return 1. @@ -170,7 +177,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_ciphers.pod b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_ciphers.pod index cc55095d4784..2759cc3cc617 100644 --- a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_ciphers.pod +++ b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_ciphers.pod @@ -2,8 +2,12 @@ =head1 NAME -SSL_get1_supported_ciphers, SSL_get_client_ciphers, -SSL_get_ciphers, SSL_CTX_get_ciphers, SSL_get_cipher_list +SSL_get1_supported_ciphers, +SSL_get_client_ciphers, +SSL_get_ciphers, +SSL_CTX_get_ciphers, +SSL_get_cipher_list, +SSL_get_shared_ciphers - get list of available SSL_CIPHERs =head1 SYNOPSIS @@ -15,6 +19,7 @@ SSL_get_ciphers, SSL_CTX_get_ciphers, SSL_get_cipher_list STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s); STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *ssl); const char *SSL_get_cipher_list(const SSL *ssl, int priority); + char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size); =head1 DESCRIPTION @@ -25,16 +30,16 @@ is returned. SSL_CTX_get_ciphers() returns the stack of available SSL_CIPHERs for B. SSL_get1_supported_ciphers() returns the stack of enabled SSL_CIPHERs for -B, sorted by preference. +B as would be sent in a ClientHello (that is, sorted by preference). The list depends on settings like the cipher list, the supported protocol versions, the security level, and the enabled signature algorithms. SRP and PSK ciphers are only enabled if the appropriate callbacks or settings have been applied. -This is the list that will be sent by the client to the server. -The list supported by the server might include more ciphers in case there is a -hole in the list of supported protocols. -The server will also not use ciphers from this list depending on the -configured certificates and DH parameters. +The list of ciphers that would be sent in a ClientHello can differ from +the list of ciphers that would be acceptable when acting as a server. +For example, additional ciphers may be usable by a server if there is +a gap in the list of supported protocols, and some ciphers may not be +usable by a server if there is not a suitable certificate configured. If B is NULL or no ciphers are available, NULL is returned. SSL_get_client_ciphers() returns the stack of available SSL_CIPHERs matching the @@ -46,6 +51,19 @@ listed for B with B. If B is NULL, no ciphers are available, or there are less ciphers than B available, NULL is returned. +SSL_get_shared_ciphers() creates a colon separated and NUL terminated list of +SSL_CIPHER names that are available in both the client and the server. B is +the buffer that should be populated with the list of names and B is the +size of that buffer. A pointer to B is returned on success or NULL on +error. If the supplied buffer is not large enough to contain the complete list +of names then a truncated list of names will be returned. Note that just because +a ciphersuite is available (i.e. it is configured in the cipher list) and shared +by both the client and the server it does not mean that it is enabled (see the +description of SSL_get1_supported_ciphers() above). This function will return +available shared ciphersuites whether or not they are enabled. This is a server +side function only and must only be called after the completion of the initial +handshake. + =head1 NOTES The details of the ciphers obtained by SSL_get_ciphers(), SSL_CTX_get_ciphers() @@ -74,7 +92,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_session.pod b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_session.pod index 99936ad76542..2de241fcdae2 100644 --- a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_session.pod +++ b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_session.pod @@ -28,6 +28,11 @@ count of the B is incremented by one. The ssl session contains all information required to re-establish the connection without a new handshake. +A session will be automatically removed from the session cache and marked as +non-resumable if the connection is not closed down cleanly, e.g. if a fatal +error occurs on the connection or L is not called prior to +L. + SSL_get0_session() returns a pointer to the actual session. As the reference counter is not incremented, the pointer is only valid while the connection is in use. If L or @@ -72,7 +77,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_version.pod b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_version.pod index 23b6497d4f3b..507ca9f3627d 100644 --- a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_version.pod +++ b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_version.pod @@ -15,7 +15,9 @@ SSL_get_version, SSL_is_dtls - get the protocol information of a connection =head1 DESCRIPTION SSL_get_version() returns the name of the protocol used for the -connection B. +connection B. It should only be called after the initial handshake has been +completed. Prior to that the results returned from this function may be +unreliable. SSL_is_dtls() returns one if the connection is using DTLS, zero if not. @@ -43,7 +45,7 @@ The connection uses the TLSv1.2 protocol. =item unknown -This indicates that no version has been set (no connection established). +This indicates an unknown protocol version. =back @@ -57,7 +59,7 @@ SSL_is_dtls() was added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_set1_host.pod b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_set1_host.pod index 3339a0e803b5..715845e1f7c6 100644 --- a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_set1_host.pod +++ b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_set1_host.pod @@ -56,7 +56,7 @@ is cleared or freed, or a renegotiation takes place. Applications must not free the return value. SSL clients are advised to use these functions in preference to -explicitly calling L. Hostname checks are out +explicitly calling L. Hostname checks may be out of scope with the RFC7671 DANE-EE(3) certificate usage, and the internal check will be suppressed as appropriate when DANE is enabled. @@ -111,7 +111,7 @@ These functions were first added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/external/bsd/openssl/dist/doc/ssl/ssl.pod b/crypto/external/bsd/openssl/dist/doc/ssl/ssl.pod index 4d919072ea38..da12e29c6351 100644 --- a/crypto/external/bsd/openssl/dist/doc/ssl/ssl.pod +++ b/crypto/external/bsd/openssl/dist/doc/ssl/ssl.pod @@ -91,12 +91,6 @@ includes both more private SSL headers and headers from the B library. Whenever you need hard-core details on the internals of the SSL API, look inside this header file. -OPENSSL_VERSION_AT_LEAST(major,minor) can be -used in C<#if> statements in order to determine which version of the library is -being used. This can be used to either enable optional features at compile -time, or work around issues with a previous version. -See L. - =item B Unused. Present for backwards compatibility only. @@ -574,7 +568,7 @@ fresh handle for each connection. =item SSL_SESSION *B(const SSL *ssl); -=item char *B(const SSL *ssl, char *buf, int len); +=item char *B(const SSL *ssl, char *buf, int size); =item int B(const SSL *ssl); diff --git a/crypto/external/bsd/openssl/dist/external/perl/transfer/Text/Template.pm b/crypto/external/bsd/openssl/dist/external/perl/transfer/Text/Template.pm index 7dbfe3f84f4d..b21f875312b5 100644 --- a/crypto/external/bsd/openssl/dist/external/perl/transfer/Text/Template.pm +++ b/crypto/external/bsd/openssl/dist/external/perl/transfer/Text/Template.pm @@ -1,4 +1,4 @@ -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -7,6 +7,9 @@ # Quick transfer to the downloaded Text::Template +package transfer::Text::Template; +$VERSION = 1.46; + BEGIN { use File::Spec::Functions; use File::Basename; diff --git a/crypto/external/bsd/openssl/dist/fuzz/test-corpus.c b/crypto/external/bsd/openssl/dist/fuzz/test-corpus.c index c553697d6c78..628e633536d3 100644 --- a/crypto/external/bsd/openssl/dist/fuzz/test-corpus.c +++ b/crypto/external/bsd/openssl/dist/fuzz/test-corpus.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL licenses, (the "License"); * you may not use this file except in compliance with the License. @@ -16,9 +16,47 @@ #include #include +#include #include #include #include "fuzzer.h" +#include "internal/o_dir.h" + +#if defined(_WIN32) && defined(_MAX_PATH) +# define PATH_MAX _MAX_PATH +#endif + +#ifndef PATH_MAX +# define PATH_MAX 4096 +#endif + +# if !defined(S_ISREG) +# define S_ISREG(m) ((m) & S_IFREG) +# endif + +static void testfile(const char *pathname) +{ + struct stat st; + FILE *f; + unsigned char *buf; + size_t s; + + if (stat(pathname, &st) < 0 || !S_ISREG(st.st_mode)) + return; + printf("# %s\n", pathname); + fflush(stdout); + f = fopen(pathname, "rb"); + if (f == NULL) + return; + buf = malloc(st.st_size); + if (buf != NULL) { + s = fread(buf, 1, st.st_size, f); + OPENSSL_assert(s == (size_t)st.st_size); + FuzzerTestOneInput(buf, s); + free(buf); + } + fclose(f); +} int main(int argc, char **argv) { int n; @@ -26,21 +64,38 @@ int main(int argc, char **argv) { FuzzerInitialize(&argc, &argv); for (n = 1; n < argc; ++n) { - struct stat st; - FILE *f; - unsigned char *buf; - size_t s; + size_t dirname_len = strlen(argv[n]); + const char *filename = NULL; + char *pathname = NULL; + OPENSSL_DIR_CTX *ctx = NULL; + int wasdir = 0; - stat(argv[n], &st); - f = fopen(argv[n], "rb"); - if (f == NULL) - continue; - buf = malloc(st.st_size); - s = fread(buf, 1, st.st_size, f); - OPENSSL_assert(s == (size_t)st.st_size); - FuzzerTestOneInput(buf, s); - free(buf); - fclose(f); + /* + * We start with trying to read the given path as a directory. + */ + while ((filename = OPENSSL_DIR_read(&ctx, argv[n])) != NULL) { + wasdir = 1; + if (pathname == NULL) { + pathname = malloc(PATH_MAX); + if (pathname == NULL) + break; + strcpy(pathname, argv[n]); +#ifdef __VMS + if (strchr(":<]", pathname[dirname_len - 1]) == NULL) +#endif + pathname[dirname_len++] = '/'; + pathname[dirname_len] = '\0'; + } + strcpy(pathname + dirname_len, filename); + testfile(pathname); + } + OPENSSL_DIR_end(&ctx); + + /* If it wasn't a directory, treat it as a file instead */ + if (!wasdir) + testfile(argv[n]); + + free(pathname); } return 0; } diff --git a/crypto/external/bsd/openssl/dist/include/internal/__DECC_INCLUDE_EPILOGUE.H b/crypto/external/bsd/openssl/dist/include/internal/__DECC_INCLUDE_EPILOGUE.H new file mode 100644 index 000000000000..5f63860808b6 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/include/internal/__DECC_INCLUDE_EPILOGUE.H @@ -0,0 +1,16 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This file is only used by HP C on VMS, and is included automatically + * after each header file from this directory + */ + +/* restore state. Must correspond to the save in __decc_include_prologue.h */ +#pragma names restore diff --git a/crypto/external/bsd/openssl/dist/include/internal/__DECC_INCLUDE_PROLOGUE.H b/crypto/external/bsd/openssl/dist/include/internal/__DECC_INCLUDE_PROLOGUE.H new file mode 100644 index 000000000000..78b2a87d8868 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/include/internal/__DECC_INCLUDE_PROLOGUE.H @@ -0,0 +1,20 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This file is only used by HP C on VMS, and is included automatically + * after each header file from this directory + */ + +/* save state */ +#pragma names save +/* have the compiler shorten symbols larger than 31 chars to 23 chars + * followed by a 8 hex char CRC + */ +#pragma names as_is,shortened diff --git a/crypto/external/bsd/openssl/dist/include/internal/sslconf.h b/crypto/external/bsd/openssl/dist/include/internal/sslconf.h new file mode 100644 index 000000000000..d538f8614f58 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/include/internal/sslconf.h @@ -0,0 +1,20 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef HEADER_SSLCONF_H +# define HEADER_SSLCONF_H + +typedef struct ssl_conf_cmd_st SSL_CONF_CMD; + +const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt); +int conf_ssl_name_find(const char *name, size_t *idx); +void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, + char **arg); + +#endif diff --git a/crypto/external/bsd/openssl/dist/include/openssl/asn1.h b/crypto/external/bsd/openssl/dist/include/openssl/asn1.h index 05ae1dbe1c23..d0b1099a4faf 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/asn1.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/asn1.h @@ -953,8 +953,10 @@ int ERR_load_ASN1_strings(void); # define ASN1_F_D2I_AUTOPRIVATEKEY 207 # define ASN1_F_D2I_PRIVATEKEY 154 # define ASN1_F_D2I_PUBLICKEY 155 +# define ASN1_F_DO_BUF 142 # define ASN1_F_DO_TCREATE 222 # define ASN1_F_I2D_ASN1_BIO_STREAM 211 +# define ASN1_F_I2D_ASN1_OBJECT 143 # define ASN1_F_I2D_DSA_PUBKEY 161 # define ASN1_F_I2D_EC_PUBKEY 181 # define ASN1_F_I2D_PRIVATEKEY 163 diff --git a/crypto/external/bsd/openssl/dist/include/openssl/bio.h b/crypto/external/bsd/openssl/dist/include/openssl/bio.h index f435bd8ef6db..3a72862561fa 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/bio.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/bio.h @@ -730,26 +730,26 @@ __bio_h__attr__((__format__(__printf__, 3, 0))); BIO_METHOD *BIO_meth_new(int type, const char *name); void BIO_meth_free(BIO_METHOD *biom); -int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int); +int (*BIO_meth_get_write(const BIO_METHOD *biom)) (BIO *, const char *, int); int BIO_meth_set_write(BIO_METHOD *biom, int (*write) (BIO *, const char *, int)); -int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int); +int (*BIO_meth_get_read(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_read(BIO_METHOD *biom, int (*read) (BIO *, char *, int)); -int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *); +int (*BIO_meth_get_puts(const BIO_METHOD *biom)) (BIO *, const char *); int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts) (BIO *, const char *)); -int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int); +int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_gets(BIO_METHOD *biom, int (*gets) (BIO *, char *, int)); -long (*BIO_meth_get_ctrl(BIO_METHOD *biom)) (BIO *, int, long, void *); +long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *); int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl) (BIO *, int, long, void *)); -int (*BIO_meth_get_create(BIO_METHOD *bion)) (BIO *); +int (*BIO_meth_get_create(const BIO_METHOD *bion)) (BIO *); int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *)); -int (*BIO_meth_get_destroy(BIO_METHOD *biom)) (BIO *); +int (*BIO_meth_get_destroy(const BIO_METHOD *biom)) (BIO *); int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *)); -long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom)) +long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom)) (BIO *, int, BIO_info_cb *); int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, long (*callback_ctrl) (BIO *, int, diff --git a/crypto/external/bsd/openssl/dist/include/openssl/bn.h b/crypto/external/bsd/openssl/dist/include/openssl/bn.h index 54ae760152f1..301edd525062 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/bn.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/bn.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -119,25 +119,76 @@ void *BN_GENCB_get_arg(BN_GENCB *cb); * on the size of the number */ /* - * number of Miller-Rabin iterations for an error rate of less than 2^-80 for - * random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of - * Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; - * original paper: Damgaard, Landrock, Pomerance: Average case error - * estimates for the strong probable prime test. -- Math. Comp. 61 (1993) - * 177-194) + * BN_prime_checks_for_size() returns the number of Miller-Rabin iterations + * that will be done for checking that a random number is probably prime. The + * error rate for accepting a composite number as prime depends on the size of + * the prime |b|. The error rates used are for calculating an RSA key with 2 primes, + * and so the level is what you would expect for a key of double the size of the + * prime. + * + * This table is generated using the algorithm of FIPS PUB 186-4 + * Digital Signature Standard (DSS), section F.1, page 117. + * (https://dx.doi.org/10.6028/NIST.FIPS.186-4) + * + * The following magma script was used to generate the output: + * securitybits:=125; + * k:=1024; + * for t:=1 to 65 do + * for M:=3 to Floor(2*Sqrt(k-1)-1) do + * S:=0; + * // Sum over m + * for m:=3 to M do + * s:=0; + * // Sum over j + * for j:=2 to m do + * s+:=(RealField(32)!2)^-(j+(k-1)/j); + * end for; + * S+:=2^(m-(m-1)*t)*s; + * end for; + * A:=2^(k-2-M*t); + * B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S; + * pkt:=2.00743*Log(2)*k*2^-k*(A+B); + * seclevel:=Floor(-Log(2,pkt)); + * if seclevel ge securitybits then + * printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M; + * break; + * end if; + * end for; + * if seclevel ge securitybits then break; end if; + * end for; + * + * It can be run online at: + * http://magma.maths.usyd.edu.au/calc + * + * And will output: + * k: 1024, security: 129 bits (t: 6, M: 23) + * + * k is the number of bits of the prime, securitybits is the level we want to + * reach. + * + * prime length | RSA key size | # MR tests | security level + * -------------+--------------|------------+--------------- + * (b) >= 6394 | >= 12788 | 3 | 256 bit + * (b) >= 3747 | >= 7494 | 3 | 192 bit + * (b) >= 1345 | >= 2690 | 4 | 128 bit + * (b) >= 1080 | >= 2160 | 5 | 128 bit + * (b) >= 852 | >= 1704 | 5 | 112 bit + * (b) >= 476 | >= 952 | 5 | 80 bit + * (b) >= 400 | >= 800 | 6 | 80 bit + * (b) >= 347 | >= 694 | 7 | 80 bit + * (b) >= 308 | >= 616 | 8 | 80 bit + * (b) >= 55 | >= 110 | 27 | 64 bit + * (b) >= 6 | >= 12 | 34 | 64 bit */ -# define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \ - (b) >= 850 ? 3 : \ - (b) >= 650 ? 4 : \ - (b) >= 550 ? 5 : \ - (b) >= 450 ? 6 : \ - (b) >= 400 ? 7 : \ - (b) >= 350 ? 8 : \ - (b) >= 300 ? 9 : \ - (b) >= 250 ? 12 : \ - (b) >= 200 ? 15 : \ - (b) >= 150 ? 18 : \ - /* b >= 100 */ 27) + +# define BN_prime_checks_for_size(b) ((b) >= 3747 ? 3 : \ + (b) >= 1345 ? 4 : \ + (b) >= 476 ? 5 : \ + (b) >= 400 ? 6 : \ + (b) >= 347 ? 7 : \ + (b) >= 308 ? 8 : \ + (b) >= 55 ? 27 : \ + /* b >= 6 */ 34) # define BN_num_bytes(a) ((BN_num_bits(a)+7)/8) diff --git a/crypto/external/bsd/openssl/dist/include/openssl/conf.h b/crypto/external/bsd/openssl/dist/include/openssl/conf.h index 980a51b157f4..e0539e312884 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/conf.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/conf.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -191,6 +191,7 @@ int ERR_load_CONF_strings(void); # define CONF_F_NCONF_LOAD_BIO 110 # define CONF_F_NCONF_LOAD_FP 114 # define CONF_F_NCONF_NEW 111 +# define CONF_F_SSL_MODULE_INIT 123 # define CONF_F_STR_COPY 101 /* Reason codes. */ @@ -206,6 +207,10 @@ int ERR_load_CONF_strings(void); # define CONF_R_NO_SECTION 107 # define CONF_R_NO_SUCH_FILE 114 # define CONF_R_NO_VALUE 108 +# define CONF_R_SSL_COMMAND_SECTION_EMPTY 117 +# define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND 118 +# define CONF_R_SSL_SECTION_EMPTY 119 +# define CONF_R_SSL_SECTION_NOT_FOUND 120 # define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103 # define CONF_R_UNKNOWN_MODULE_NAME 113 # define CONF_R_VARIABLE_EXPANSION_TOO_LONG 116 diff --git a/crypto/external/bsd/openssl/dist/include/openssl/crypto.h b/crypto/external/bsd/openssl/dist/include/openssl/crypto.h index 1ba7f25f0123..fa3f12af3b23 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/crypto.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/crypto.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -371,7 +371,9 @@ int CRYPTO_memcmp(const volatile void * volatile in_a, # define OPENSSL_INIT_ENGINE_CAPI 0x00002000L # define OPENSSL_INIT_ENGINE_PADLOCK 0x00004000L # define OPENSSL_INIT_ENGINE_AFALG 0x00008000L -/* OPENSSL_INIT flag 0x00010000 reserved for internal use */ +/* OPENSSL_INIT_ZLIB 0x00010000L */ +/* currently unused 0x00020000L */ +/* OPENSSL_INIT_BASE_ONLY 0x00040000L */ /* OPENSSL_INIT flag range 0xfff00000 reserved for OPENSSL_init_ssl() */ /* Max OPENSSL_INIT flag value is 0x80000000 */ diff --git a/crypto/external/bsd/openssl/dist/include/openssl/dh.h b/crypto/external/bsd/openssl/dist/include/openssl/dh.h index fbd479039e9e..8cf879e14fad 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/dh.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/dh.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -187,7 +187,7 @@ void DH_meth_free(DH_METHOD *dhm); DH_METHOD *DH_meth_dup(const DH_METHOD *dhm); const char *DH_meth_get0_name(const DH_METHOD *dhm); int DH_meth_set1_name(DH_METHOD *dhm, const char *name); -int DH_meth_get_flags(DH_METHOD *dhm); +int DH_meth_get_flags(const DH_METHOD *dhm); int DH_meth_set_flags(DH_METHOD *dhm, int flags); void *DH_meth_get0_app_data(const DH_METHOD *dhm); int DH_meth_set0_app_data(DH_METHOD *dhm, void *app_data); diff --git a/crypto/external/bsd/openssl/dist/include/openssl/dsa.h b/crypto/external/bsd/openssl/dist/include/openssl/dsa.h index 139718edb940..3a7b1a626e19 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/dsa.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/dsa.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -146,10 +146,12 @@ int DSAparams_print_fp(FILE *fp, const DSA *x); int DSA_print_fp(FILE *bp, const DSA *x, int off); # endif -# define DSS_prime_checks 50 +# define DSS_prime_checks 64 /* - * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of - * Rabin-Miller + * Primality test according to FIPS PUB 186-4, Appendix C.3. Since we only + * have one value here we set the number of checks to 64 which is the 128 bit + * security level that is the highest level and valid for creating a 3072 bit + * DSA key. */ # define DSA_is_prime(n, callback, cb_arg) \ BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg) @@ -186,7 +188,7 @@ void DSA_meth_free(DSA_METHOD *dsam); DSA_METHOD *DSA_meth_dup(const DSA_METHOD *dsam); const char *DSA_meth_get0_name(const DSA_METHOD *dsam); int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name); -int DSA_meth_get_flags(DSA_METHOD *dsam); +int DSA_meth_get_flags(const DSA_METHOD *dsam); int DSA_meth_set_flags(DSA_METHOD *dsam, int flags); void *DSA_meth_get0_app_data(const DSA_METHOD *dsam); int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data); @@ -260,6 +262,7 @@ int ERR_load_DSA_strings(void); # define DSA_F_DSA_SIG_NEW 102 # define DSA_F_OLD_DSA_PRIV_DECODE 122 # define DSA_F_PKEY_DSA_CTRL 120 +# define DSA_F_PKEY_DSA_CTRL_STR 104 # define DSA_F_PKEY_DSA_KEYGEN 121 /* Reason codes. */ diff --git a/crypto/external/bsd/openssl/dist/include/openssl/evp.h b/crypto/external/bsd/openssl/dist/include/openssl/evp.h index 43c97a7560fb..36e2934485aa 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/evp.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/evp.h @@ -1351,34 +1351,34 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth, const char *type, const char *value)); -void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_init(const EVP_PKEY_METHOD *pmeth, int (**pinit) (EVP_PKEY_CTX *ctx)); -void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_copy(const EVP_PKEY_METHOD *pmeth, int (**pcopy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)); -void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_cleanup(const EVP_PKEY_METHOD *pmeth, void (**pcleanup) (EVP_PKEY_CTX *ctx)); -void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_paramgen(const EVP_PKEY_METHOD *pmeth, int (**pparamgen_init) (EVP_PKEY_CTX *ctx), int (**pparamgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)); -void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_keygen(const EVP_PKEY_METHOD *pmeth, int (**pkeygen_init) (EVP_PKEY_CTX *ctx), int (**pkeygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)); -void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_sign(const EVP_PKEY_METHOD *pmeth, int (**psign_init) (EVP_PKEY_CTX *ctx), int (**psign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen)); -void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verify(const EVP_PKEY_METHOD *pmeth, int (**pverify_init) (EVP_PKEY_CTX *ctx), int (**pverify) (EVP_PKEY_CTX *ctx, const unsigned char *sig, @@ -1386,7 +1386,7 @@ void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, const unsigned char *tbs, size_t tbslen)); -void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verify_recover(const EVP_PKEY_METHOD *pmeth, int (**pverify_recover_init) (EVP_PKEY_CTX *ctx), int (**pverify_recover) (EVP_PKEY_CTX @@ -1398,7 +1398,7 @@ void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, char *tbs, size_t tbslen)); -void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_signctx(const EVP_PKEY_METHOD *pmeth, int (**psignctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx), int (**psignctx) (EVP_PKEY_CTX *ctx, @@ -1406,7 +1406,7 @@ void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, size_t *siglen, EVP_MD_CTX *mctx)); -void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verifyctx(const EVP_PKEY_METHOD *pmeth, int (**pverifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx), int (**pverifyctx) (EVP_PKEY_CTX *ctx, @@ -1414,7 +1414,7 @@ void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, int siglen, EVP_MD_CTX *mctx)); -void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_encrypt(const EVP_PKEY_METHOD *pmeth, int (**pencrypt_init) (EVP_PKEY_CTX *ctx), int (**pencryptfn) (EVP_PKEY_CTX *ctx, unsigned char *out, @@ -1422,7 +1422,7 @@ void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, const unsigned char *in, size_t inlen)); -void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_decrypt(const EVP_PKEY_METHOD *pmeth, int (**pdecrypt_init) (EVP_PKEY_CTX *ctx), int (**pdecrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, @@ -1430,13 +1430,13 @@ void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, const unsigned char *in, size_t inlen)); -void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_derive(const EVP_PKEY_METHOD *pmeth, int (**pderive_init) (EVP_PKEY_CTX *ctx), int (**pderive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)); -void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth, int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2), int (**pctrl_str) (EVP_PKEY_CTX *ctx, @@ -1506,6 +1506,8 @@ int ERR_load_EVP_strings(void); # define EVP_F_EVP_PKEY_GET0_RSA 121 # define EVP_F_EVP_PKEY_KEYGEN 146 # define EVP_F_EVP_PKEY_KEYGEN_INIT 147 +# define EVP_F_EVP_PKEY_METH_ADD0 172 +# define EVP_F_EVP_PKEY_METH_NEW 173 # define EVP_F_EVP_PKEY_NEW 106 # define EVP_F_EVP_PKEY_PARAMGEN 148 # define EVP_F_EVP_PKEY_PARAMGEN_INIT 149 @@ -1570,6 +1572,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 # define EVP_R_OPERATON_NOT_INITIALIZED 151 # define EVP_R_PARTIALLY_OVERLAPPING 162 +# define EVP_R_PBKDF2_ERROR 176 # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 175 # define EVP_R_PKEY_ASN1_METHOD_ALREADY_REGISTERED 164 # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 diff --git a/crypto/external/bsd/openssl/dist/include/openssl/lhash.h b/crypto/external/bsd/openssl/dist/include/openssl/lhash.h index 82d40c1e0e70..8ecc58848420 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/lhash.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/lhash.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -95,7 +95,7 @@ void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out); # define _LHASH OPENSSL_LHASH # define LHASH_NODE OPENSSL_LH_NODE # define lh_error OPENSSL_LH_error -# define lh_new OPENSSL_lh_new +# define lh_new OPENSSL_LH_new # define lh_free OPENSSL_LH_free # define lh_insert OPENSSL_LH_insert # define lh_delete OPENSSL_LH_delete diff --git a/crypto/external/bsd/openssl/dist/include/openssl/opensslconf.h.in b/crypto/external/bsd/openssl/dist/include/openssl/opensslconf.h.in index 9f8634a3a28e..17807fb6bd37 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/opensslconf.h.in +++ b/crypto/external/bsd/openssl/dist/include/openssl/opensslconf.h.in @@ -68,12 +68,18 @@ extern "C" { * still won't see them if the library has been built to disable deprecated * functions. */ -#if defined(OPENSSL_NO_DEPRECATED) -# define DECLARE_DEPRECATED(f) -#elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) -# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); -#else -# define DECLARE_DEPRECATED(f) f; +#ifndef DECLARE_DEPRECATED +# if defined(OPENSSL_NO_DEPRECATED) +# define DECLARE_DEPRECATED(f) +# else +# define DECLARE_DEPRECATED(f) f; +# ifdef __GNUC__ +# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) +# undef DECLARE_DEPRECATED +# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); +# endif +# endif +# endif #endif #ifndef OPENSSL_FILE diff --git a/crypto/external/bsd/openssl/dist/include/openssl/opensslv.h b/crypto/external/bsd/openssl/dist/include/openssl/opensslv.h index 4fb437f2ee3e..c5ef2a753564 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/opensslv.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/opensslv.h @@ -39,18 +39,13 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1010008fL +# define OPENSSL_VERSION_NUMBER 0x1010009fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0h-fips 27 Mar 2018" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0i-fips 14 Aug 2018" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0h 27 Mar 2018" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0i 14 Aug 2018" # endif -#define OPENSSL_MAKE_VERSION(maj,min,fix,patch) ((0x10000000L)+((maj&0xff)<<20)+((min&0xff)<<12)+((fix&0xff)<<4)+patch) - -/* use this for #if tests, should never depend upon fix/patch */ -#define OPENSSL_VERSION_AT_LEAST(maj,min) (OPENSSL_MAKE_VERSION(maj,min, 0, 0) >= OPENSSL_VERSION_NUMBER) - /*- * The macros below are to be used for shared library (.so, .dll, ...) * versioning. That kind of versioning works a bit differently between diff --git a/crypto/external/bsd/openssl/dist/include/openssl/pem.h b/crypto/external/bsd/openssl/dist/include/openssl/pem.h index 2375d6355381..f7ce3c61f5fa 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/pem.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/pem.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -322,7 +322,8 @@ int PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt); int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen, EVP_PKEY *pkey); -int PEM_def_callback(char *buf, int num, int w, void *key); +/* The default pem_password_cb that's used internally */ +int PEM_def_callback(char *buf, int num, int rwflag, void *userdata); void PEM_proc_type(char *buf, int type); void PEM_dek_info(char *buf, const char *type, int len, char *str); diff --git a/crypto/external/bsd/openssl/dist/include/openssl/rsa.h b/crypto/external/bsd/openssl/dist/include/openssl/rsa.h index d97d6e075aef..790831b94545 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/rsa.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/rsa.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -374,7 +374,7 @@ void RSA_meth_free(RSA_METHOD *meth); RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); const char *RSA_meth_get0_name(const RSA_METHOD *meth); int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); -int RSA_meth_get_flags(RSA_METHOD *meth); +int RSA_meth_get_flags(const RSA_METHOD *meth); int RSA_meth_set_flags(RSA_METHOD *meth, int flags); void *RSA_meth_get0_app_data(const RSA_METHOD *meth); int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data); diff --git a/crypto/external/bsd/openssl/dist/include/openssl/ssl.h b/crypto/external/bsd/openssl/dist/include/openssl/ssl.h index f070bd2d6e52..56e2056260d6 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/ssl.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/ssl.h @@ -967,8 +967,8 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); # define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 # define SSL_VERIFY_CLIENT_ONCE 0x04 -# define OpenSSL_add_ssl_algorithms() SSL_library_init() # if OPENSSL_API_COMPAT < 0x10100000L +# define OpenSSL_add_ssl_algorithms() SSL_library_init() # define SSLeay_add_ssl_algorithms() SSL_library_init() # endif @@ -1358,7 +1358,7 @@ __owur int SSL_get_fd(const SSL *s); __owur int SSL_get_rfd(const SSL *s); __owur int SSL_get_wfd(const SSL *s); __owur const char *SSL_get_cipher_list(const SSL *s, int n); -__owur char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len); +__owur char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size); __owur int SSL_get_read_ahead(const SSL *s); __owur int SSL_pending(const SSL *s); __owur int SSL_has_pending(const SSL *s); diff --git a/crypto/external/bsd/openssl/dist/include/openssl/ssl3.h b/crypto/external/bsd/openssl/dist/include/openssl/ssl3.h index 4ca434e760ed..115940ad3157 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/ssl3.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/ssl3.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -252,9 +252,15 @@ extern "C" { # define SSL3_CT_FORTEZZA_DMS 20 /* * SSL3_CT_NUMBER is used to size arrays and it must be large enough to - * contain all of the cert types defined either for SSLv3 and TLSv1. + * contain all of the cert types defined for *either* SSLv3 and TLSv1. */ -# define SSL3_CT_NUMBER 9 +# define SSL3_CT_NUMBER 10 + +# if defined(TLS_CT_NUMBER) +# if TLS_CT_NUMBER != SSL3_CT_NUMBER +# error "SSL/TLS CT_NUMBER values do not match" +# endif +# endif # define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 diff --git a/crypto/external/bsd/openssl/dist/include/openssl/tls1.h b/crypto/external/bsd/openssl/dist/include/openssl/tls1.h index 3fe01fe81383..732e87ab35c2 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/tls1.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/tls1.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -883,7 +883,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) * when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see * comment there) */ -# define TLS_CT_NUMBER 9 +# define TLS_CT_NUMBER 10 + +# if defined(SSL3_CT_NUMBER) +# if TLS_CT_NUMBER != SSL3_CT_NUMBER +# error "SSL/TLS CT_NUMBER values do not match" +# endif +# endif # define TLS1_FINISH_MAC_LENGTH 12 diff --git a/crypto/external/bsd/openssl/dist/include/openssl/x509.h b/crypto/external/bsd/openssl/dist/include/openssl/x509.h index ee98df8e771e..780386d530ce 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/x509.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/x509.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1055,6 +1055,7 @@ int ERR_load_X509_strings(void); # define X509_F_X509_LOAD_CERT_CRL_FILE 132 # define X509_F_X509_LOAD_CERT_FILE 111 # define X509_F_X509_LOAD_CRL_FILE 112 +# define X509_F_X509_LOOKUP_METH_NEW 160 # define X509_F_X509_NAME_ADD_ENTRY 113 # define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 114 # define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT 131 diff --git a/crypto/external/bsd/openssl/dist/include/openssl/x509_vfy.h b/crypto/external/bsd/openssl/dist/include/openssl/x509_vfy.h index 1aa0a33b8a32..d91581c77353 100644 --- a/crypto/external/bsd/openssl/dist/include/openssl/x509_vfy.h +++ b/crypto/external/bsd/openssl/dist/include/openssl/x509_vfy.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -257,7 +257,9 @@ X509_OBJECT *X509_OBJECT_new(void); void X509_OBJECT_free(X509_OBJECT *a); X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a); X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a); +int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj); X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a); +int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj); X509_STORE *X509_STORE_new(void); void X509_STORE_free(X509_STORE *v); int X509_STORE_lock(X509_STORE *ctx); @@ -364,6 +366,76 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m); X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void); X509_LOOKUP_METHOD *X509_LOOKUP_file(void); +typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc, + long argl, char **ret); +typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + X509_NAME *name, + X509_OBJECT *ret); +typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + X509_NAME *name, + ASN1_INTEGER *serial, + X509_OBJECT *ret); +typedef int (*X509_LOOKUP_get_by_fingerprint_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const unsigned char* bytes, + int len, + X509_OBJECT *ret); +typedef int (*X509_LOOKUP_get_by_alias_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const char *str, + int len, + X509_OBJECT *ret); + +X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name); +void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method); + +int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method, + int (*new_item) (X509_LOOKUP *ctx)); +int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + +int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, + void (*free) (X509_LOOKUP *ctx)); +void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + +int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method, + int (*init) (X509_LOOKUP *ctx)); +int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + +int X509_LOOKUP_meth_set_shutdown(X509_LOOKUP_METHOD *method, + int (*shutdown) (X509_LOOKUP *ctx)); +int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + +int X509_LOOKUP_meth_set_ctrl(X509_LOOKUP_METHOD *method, + X509_LOOKUP_ctrl_fn ctrl_fn); +X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method); + +int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_subject_fn fn); +X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject( + const X509_LOOKUP_METHOD *method); + +int X509_LOOKUP_meth_set_get_by_issuer_serial(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_issuer_serial_fn fn); +X509_LOOKUP_get_by_issuer_serial_fn X509_LOOKUP_meth_get_get_by_issuer_serial( + const X509_LOOKUP_METHOD *method); + +int X509_LOOKUP_meth_set_get_by_fingerprint(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_fingerprint_fn fn); +X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint( + const X509_LOOKUP_METHOD *method); + +int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_alias_fn fn); +X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias( + const X509_LOOKUP_METHOD *method); + + int X509_STORE_add_cert(X509_STORE *ctx, X509 *x); int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x); @@ -393,6 +465,9 @@ int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, X509_OBJECT *ret); int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, const char *str, int len, X509_OBJECT *ret); +int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data); +void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx); +X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx); int X509_LOOKUP_shutdown(X509_LOOKUP *ctx); int X509_STORE_load_locations(X509_STORE *ctx, @@ -475,6 +550,7 @@ int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags); +unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param); char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *); void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *, X509_VERIFY_PARAM *); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, diff --git a/crypto/external/bsd/openssl/dist/ms/uplink-x86.pl b/crypto/external/bsd/openssl/dist/ms/uplink-x86.pl index e25668ea35d1..2c0b12b86e74 100755 --- a/crypto/external/bsd/openssl/dist/ms/uplink-x86.pl +++ b/crypto/external/bsd/openssl/dist/ms/uplink-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -41,4 +41,4 @@ for ($i=1;$i<=$N;$i++) { } &asm_finish(); -close OUTPUT; +close STDOUT; diff --git a/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_d1.c b/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_d1.c index b3ff5f1fbfc7..6111a2e1913e 100644 --- a/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_d1.c +++ b/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_d1.c @@ -423,6 +423,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* get new packet if necessary */ if ((SSL3_RECORD_get_length(rr) == 0) || (s->rlayer.rstate == SSL_ST_READ_BODY)) { + RECORD_LAYER_set_numrpipes(&s->rlayer, 0); ret = dtls1_get_record(s); if (ret <= 0) { ret = dtls1_read_failed(s, ret); @@ -432,6 +433,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, else goto start; } + RECORD_LAYER_set_numrpipes(&s->rlayer, 1); } /* @@ -442,6 +444,19 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, && SSL3_RECORD_get_length(rr) != 0) s->rlayer.alert_count = 0; + if (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE + && SSL3_RECORD_get_type(rr) != SSL3_RT_CHANGE_CIPHER_SPEC + && !SSL_in_init(s) + && (s->d1->next_timeout.tv_sec != 0 + || s->d1->next_timeout.tv_usec != 0)) { + /* + * The timer is still running but we've received something that isn't + * handshake data - so the peer must have finished processing our + * last handshake flight. Stop the timer. + */ + dtls1_stop_timer(s); + } + /* we now have a packet which can be read and processed */ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, @@ -458,6 +473,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, return -1; } SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); goto start; } @@ -467,8 +483,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); s->rwstate = SSL_NOTHING; - return (0); + return 0; } if (type == SSL3_RECORD_get_type(rr) @@ -493,8 +510,16 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (recvd_type != NULL) *recvd_type = SSL3_RECORD_get_type(rr); - if (len <= 0) - return (len); + if (len <= 0) { + /* + * Mark a zero length record as read. This ensures multiple calls to + * SSL_read() with a zero length buffer will eventually cause + * SSL_pending() to report data as being available. + */ + if (SSL3_RECORD_get_length(rr) == 0) + SSL3_RECORD_set_read(rr); + return len; + } if ((unsigned int)len > SSL3_RECORD_get_length(rr)) n = SSL3_RECORD_get_length(rr); @@ -502,12 +527,16 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, n = (unsigned int)len; memcpy(buf, &(SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)]), n); - if (!peek) { + if (peek) { + if (SSL3_RECORD_get_length(rr) == 0) + SSL3_RECORD_set_read(rr); + } else { SSL3_RECORD_sub_length(rr, n); SSL3_RECORD_add_off(rr, n); if (SSL3_RECORD_get_length(rr) == 0) { s->rlayer.rstate = SSL_ST_READ_HEADER; SSL3_RECORD_set_off(rr, 0); + SSL3_RECORD_set_read(rr); } } #ifndef OPENSSL_NO_SCTP @@ -558,6 +587,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, } /* Exit and notify application to read again */ SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); s->rwstate = SSL_READING; BIO_clear_retry_flags(SSL_get_rbio(s)); BIO_set_retry_read(SSL_get_rbio(s)); @@ -602,6 +632,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, #endif s->rlayer.rstate = SSL_ST_READ_HEADER; SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); goto start; } @@ -611,6 +642,8 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, SSL3_RECORD_add_off(rr, 1); SSL3_RECORD_add_length(rr, -1); } + if (SSL3_RECORD_get_length(rr) == 0) + SSL3_RECORD_set_read(rr); *dest_len = dest_maxlen; } } @@ -681,6 +714,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, } } else { SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); } /* @@ -705,6 +739,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, || (s->options & SSL_OP_NO_RENEGOTIATION) != 0)) { s->rlayer.d->handshake_fragment_len = 0; SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); goto start; } @@ -732,6 +767,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (alert_level == SSL3_AL_WARNING) { s->s3->warn_alert = alert_descr; + SSL3_RECORD_set_read(rr); s->rlayer.alert_count++; if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { @@ -796,6 +832,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr); ERR_add_error_data(2, "SSL alert number ", tmp); s->shutdown |= SSL_RECEIVED_SHUTDOWN; + SSL3_RECORD_set_read(rr); SSL_CTX_remove_session(s->session_ctx, s->session); return (0); } else { @@ -811,7 +848,8 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * shutdown */ s->rwstate = SSL_NOTHING; SSL3_RECORD_set_length(rr, 0); - return (0); + SSL3_RECORD_set_read(rr); + return 0; } if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) { @@ -820,6 +858,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * are still missing, so just drop it. */ SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); goto start; } @@ -834,6 +873,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, dtls1_get_message_header(rr->data, &msg_hdr); if (SSL3_RECORD_get_epoch(rr) != s->rlayer.d->r_epoch) { SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); goto start; } @@ -847,6 +887,19 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, dtls1_retransmit_buffered_messages(s); SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); + if (!(s->mode & SSL_MODE_AUTO_RETRY)) { + if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) { + /* no read-ahead left? */ + BIO *bio; + + s->rwstate = SSL_READING; + bio = SSL_get_rbio(s); + BIO_clear_retry_flags(bio); + BIO_set_retry_read(bio); + return -1; + } + } goto start; } @@ -889,6 +942,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* TLS just ignores unknown message types */ if (s->version == TLS1_VERSION) { SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); goto start; } al = SSL_AD_UNEXPECTED_MESSAGE; diff --git a/crypto/external/bsd/openssl/dist/ssl/record/ssl3_record.c b/crypto/external/bsd/openssl/dist/ssl/record/ssl3_record.c index c7a54feb126a..c80add37f931 100644 --- a/crypto/external/bsd/openssl/dist/ssl/record/ssl3_record.c +++ b/crypto/external/bsd/openssl/dist/ssl/record/ssl3_record.c @@ -1531,6 +1531,7 @@ int dtls1_get_record(SSL *s) p += 6; n2s(p, rr->length); + rr->read = 0; /* * Lets check the version. We tolerate alerts that don't have the exact @@ -1540,6 +1541,7 @@ int dtls1_get_record(SSL *s) if (version != s->version) { /* unexpected version, silently discard */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1548,6 +1550,7 @@ int dtls1_get_record(SSL *s) if ((version & 0xff00) != (s->version & 0xff00)) { /* wrong version, silently discard record */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1555,10 +1558,10 @@ int dtls1_get_record(SSL *s) if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { /* record too long, silently discard it */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } - /* now s->rlayer.rstate == SSL_ST_READ_BODY */ } @@ -1572,6 +1575,7 @@ int dtls1_get_record(SSL *s) /* this packet contained a partial record, dump it */ if (n != i) { rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1588,6 +1592,7 @@ int dtls1_get_record(SSL *s) bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); if (bitmap == NULL) { rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } @@ -1602,6 +1607,7 @@ int dtls1_get_record(SSL *s) */ if (!dtls1_record_replay_check(s, bitmap)) { rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } @@ -1610,8 +1616,10 @@ int dtls1_get_record(SSL *s) #endif /* just read a 0 length packet */ - if (rr->length == 0) + if (rr->length == 0) { + rr->read = 1; goto again; + } /* * If this record is from the next epoch (either HM or ALERT), and a @@ -1626,12 +1634,14 @@ int dtls1_get_record(SSL *s) return -1; } rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } if (!dtls1_process_record(s, bitmap)) { rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c b/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c index 7a393cbe8031..b8da98210585 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c @@ -101,10 +101,7 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = { {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, }; -static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = { - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - NULL, NULL -}; +static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]; #define SSL_COMP_NULL_IDX 0 #define SSL_COMP_ZLIB_IDX 1 diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_conf.c b/crypto/external/bsd/openssl/dist/ssl/ssl_conf.c index 7f894885dc51..9d9309ac15f3 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_conf.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_conf.c @@ -222,8 +222,9 @@ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) int nid; /* Ignore values supported by 1.0.2 for the automatic selection */ - if ((cctx->flags & SSL_CONF_FLAG_FILE) && - strcasecmp(value, "+automatic") == 0) + if ((cctx->flags & SSL_CONF_FLAG_FILE) + && (strcasecmp(value, "+automatic") == 0 + || strcasecmp(value, "automatic") == 0)) return 1; if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && strcmp(value, "auto") == 0) diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_init.c b/crypto/external/bsd/openssl/dist/ssl/ssl_init.c index 3e62d4811102..dc16e39bf341 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_init.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_init.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,6 +12,7 @@ #include "internal/err.h" #include #include +#include #include #include "ssl_locl.h" #include "internal/thread_once.h" @@ -126,8 +127,8 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings) "ERR_load_SSL_strings()\n"); # endif ERR_load_SSL_strings(); -#endif ssl_strings_inited = 1; +#endif return 1; } @@ -191,11 +192,13 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings) return 0; } - if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base)) + if (!OPENSSL_init_crypto(opts + | OPENSSL_INIT_ADD_ALL_CIPHERS + | OPENSSL_INIT_ADD_ALL_DIGESTS, + settings)) return 0; - if (!OPENSSL_init_crypto(opts | OPENSSL_INIT_ADD_ALL_CIPHERS - | OPENSSL_INIT_ADD_ALL_DIGESTS, settings)) + if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base)) return 0; if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS) diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c b/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c index 8a190d23e807..2002c1712f68 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c @@ -2213,28 +2213,37 @@ int SSL_set_cipher_list(SSL *s, const char *str) return 1; } -char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) +char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) { char *p; - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *clntsk, *srvrsk; const SSL_CIPHER *c; int i; - if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2)) - return (NULL); - - p = buf; - sk = s->session->ciphers; - - if (sk_SSL_CIPHER_num(sk) == 0) + if (!s->server + || s->session == NULL + || s->session->ciphers == NULL + || size < 2) return NULL; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { + p = buf; + clntsk = s->session->ciphers; + srvrsk = SSL_get_ciphers(s); + if (clntsk == NULL || srvrsk == NULL) + return NULL; + + if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0) + return NULL; + + for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) { int n; - c = sk_SSL_CIPHER_value(sk, i); + c = sk_SSL_CIPHER_value(clntsk, i); + if (sk_SSL_CIPHER_find(srvrsk, c) < 0) + continue; + n = strlen(c->name); - if (n + 1 > len) { + if (n + 1 > size) { if (p != buf) --p; *p = '\0'; @@ -2243,7 +2252,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) memcpy(p, c->name, n + 1); p += n; *(p++) = ':'; - len -= n + 1; + size -= n + 1; } p[-1] = '\0'; return (buf); @@ -3035,12 +3044,13 @@ void ssl_update_cache(SSL *s, int mode) /* * If sid_ctx_length is 0 there is no specific application context * associated with this session, so when we try to resume it and - * SSL_VERIFY_PEER is requested, we have no indication that this is - * actually a session for the proper application context, and the - * *handshake* will fail, not just the resumption attempt. - * Do not cache these sessions that are not resumable. + * SSL_VERIFY_PEER is requested to verify the client identity, we have no + * indication that this is actually a session for the proper application + * context, and the *handshake* will fail, not just the resumption attempt. + * Do not cache (on the server) these sessions that are not resumable + * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set). */ - if (s->session->sid_ctx_length == 0 + if (s->server && s->session->sid_ctx_length == 0 && (s->verify_mode & SSL_VERIFY_PEER) != 0) return; @@ -3519,7 +3529,6 @@ void ssl_free_wbio_buffer(SSL *s) return; s->wbio = BIO_pop(s->wbio); - assert(s->wbio != NULL); BIO_free(s->bbio); s->bbio = NULL; } diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h b/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h index d86bd7e8e207..3c7c1a8e6483 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -164,6 +164,8 @@ (c)[1]=(unsigned char)(((l)>> 8)&0xff), \ (c)[2]=(unsigned char)(((l) )&0xff)),(c)+=3) +# define SSL_MAX_2_BYTE_LEN (0xffff) + /* * DTLS version numbers are strange because they're inverted. Except for * DTLS1_BAD_VER, which should be considered "lower" than the rest. @@ -347,6 +349,9 @@ /* we have used 0000003f - 26 bits left to go */ +# define SSL_IS_FIRST_HANDSHAKE(S) ((s)->s3->tmp.finish_md_len == 0 \ + || (s)->s3->tmp.peer_finish_md_len == 0) + /* Check if an SSL structure is using DTLS */ # define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) /* See if we need explicit IV */ @@ -537,7 +542,7 @@ struct ssl_session_st { const SSL_CIPHER *cipher; unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used to * load the 'cipher' structure */ - STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ + STACK_OF(SSL_CIPHER) *ciphers; /* ciphers offered by the client */ CRYPTO_EX_DATA ex_data; /* application specific data */ /* * These are used to make removal of session-ids more efficient and to diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_mcnf.c b/crypto/external/bsd/openssl/dist/ssl/ssl_mcnf.c index c2d9dba64ac9..24742660e434 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_mcnf.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_mcnf.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,148 +11,35 @@ #include #include #include "ssl_locl.h" +#include "internal/sslconf.h" /* SSL library configuration module. */ -struct ssl_conf_name { - /* Name of this set of commands */ - char *name; - /* List of commands */ - struct ssl_conf_cmd *cmds; - /* Number of commands */ - size_t cmd_count; -}; - -struct ssl_conf_cmd { - /* Command */ - char *cmd; - /* Argument */ - char *arg; -}; - -static struct ssl_conf_name *ssl_names; -static size_t ssl_names_count; - -static void ssl_module_free(CONF_IMODULE *md) -{ - size_t i, j; - if (ssl_names == NULL) - return; - for (i = 0; i < ssl_names_count; i++) { - struct ssl_conf_name *tname = ssl_names + i; - OPENSSL_free(tname->name); - for (j = 0; j < tname->cmd_count; j++) { - OPENSSL_free(tname->cmds[j].cmd); - OPENSSL_free(tname->cmds[j].arg); - } - OPENSSL_free(tname->cmds); - } - OPENSSL_free(ssl_names); - ssl_names = NULL; - ssl_names_count = 0; -} - -static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf) -{ - size_t i, j, cnt; - int rv = 0; - const char *ssl_conf_section; - STACK_OF(CONF_VALUE) *cmd_lists; - ssl_conf_section = CONF_imodule_get_value(md); - cmd_lists = NCONF_get_section(cnf, ssl_conf_section); - if (sk_CONF_VALUE_num(cmd_lists) <= 0) { - if (cmd_lists == NULL) - SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_NOT_FOUND); - else - SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_EMPTY); - ERR_add_error_data(2, "section=", ssl_conf_section); - goto err; - } - cnt = sk_CONF_VALUE_num(cmd_lists); - ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt); - ssl_names_count = cnt; - for (i = 0; i < ssl_names_count; i++) { - struct ssl_conf_name *ssl_name = ssl_names + i; - CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, i); - STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value); - if (sk_CONF_VALUE_num(cmds) <= 0) { - if (cmds == NULL) - SSLerr(SSL_F_SSL_MODULE_INIT, - SSL_R_SSL_COMMAND_SECTION_NOT_FOUND); - else - SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_EMPTY); - ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value); - goto err; - } - ssl_name->name = BUF_strdup(sect->name); - if (ssl_name->name == NULL) - goto err; - cnt = sk_CONF_VALUE_num(cmds); - ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd)); - if (ssl_name->cmds == NULL) - goto err; - ssl_name->cmd_count = cnt; - for (j = 0; j < cnt; j++) { - const char *name; - CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, j); - struct ssl_conf_cmd *cmd = ssl_name->cmds + j; - /* Skip any initial dot in name */ - name = strchr(cmd_conf->name, '.'); - if (name != NULL) - name++; - else - name = cmd_conf->name; - cmd->cmd = BUF_strdup(name); - cmd->arg = BUF_strdup(cmd_conf->value); - if (cmd->cmd == NULL || cmd->arg == NULL) - goto err; - } - - } - rv = 1; - err: - if (rv == 0) - ssl_module_free(md); - return rv; -} - void SSL_add_ssl_module(void) { - CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free); -} - -static const struct ssl_conf_name *ssl_name_find(const char *name) -{ - size_t i; - const struct ssl_conf_name *nm; - if (name == NULL) - return NULL; - for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) { - if (strcmp(nm->name, name) == 0) - return nm; - } - return NULL; + /* Just load all of the crypto builtin modules. This includes the SSL one */ + OPENSSL_load_builtin_modules(); } static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) { SSL_CONF_CTX *cctx = NULL; - size_t i; + size_t i, idx, cmd_count; int rv = 0; unsigned int flags; const SSL_METHOD *meth; - const struct ssl_conf_name *nm; - struct ssl_conf_cmd *cmd; + const SSL_CONF_CMD *cmds; + if (s == NULL && ctx == NULL) { SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER); goto err; } - nm = ssl_name_find(name); - if (nm == NULL) { + if (!conf_ssl_name_find(name, &idx)) { SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME); ERR_add_error_data(2, "name=", name); goto err; } + cmds = conf_ssl_get(idx, &name, &cmd_count); cctx = SSL_CONF_CTX_new(); if (cctx == NULL) goto err; @@ -170,15 +57,18 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) if (meth->ssl_connect != ssl_undefined_function) flags |= SSL_CONF_FLAG_CLIENT; SSL_CONF_CTX_set_flags(cctx, flags); - for (i = 0, cmd = nm->cmds; i < nm->cmd_count; i++, cmd++) { - rv = SSL_CONF_cmd(cctx, cmd->cmd, cmd->arg); + for (i = 0; i < cmd_count; i++) { + char *cmdstr, *arg; + + conf_ssl_get_cmd(cmds, i, &cmdstr, &arg); + rv = SSL_CONF_cmd(cctx, cmdstr, arg); if (rv <= 0) { if (rv == -2) SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND); else SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE); - ERR_add_error_data(6, "section=", name, ", cmd=", cmd->cmd, - ", arg=", cmd->arg); + ERR_add_error_data(6, "section=", name, ", cmd=", cmdstr, + ", arg=", arg); goto err; } } diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c b/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c index 0dea8b52242a..926b55c7ba2b 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -734,11 +734,11 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) if (lck) CRYPTO_THREAD_unlock(ctx->lock); - if (ret) - SSL_SESSION_free(r); - if (ctx->remove_session_cb != NULL) ctx->remove_session_cb(ctx, c); + + if (ret) + SSL_SESSION_free(r); } else ret = 0; return (ret); diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl_txt.c b/crypto/external/bsd/openssl/dist/ssl/ssl_txt.c index dbbf9d9e8d8b..f149a3ad0915 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl_txt.c +++ b/crypto/external/bsd/openssl/dist/ssl/ssl_txt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -70,18 +70,18 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (x->cipher == NULL) { if (((x->cipher_id) & 0xff000000) == 0x02000000) { - if (BIO_printf - (bp, " Cipher : %06lX\n", x->cipher_id & 0xffffff) <= 0) + if (BIO_printf(bp, " Cipher : %06lX\n", + x->cipher_id & 0xffffff) <= 0) goto err; } else { - if (BIO_printf - (bp, " Cipher : %04lX\n", x->cipher_id & 0xffff) <= 0) + if (BIO_printf(bp, " Cipher : %04lX\n", + x->cipher_id & 0xffff) <= 0) goto err; } } else { - if (BIO_printf - (bp, " Cipher : %s\n", - ((x->cipher == NULL) ? "unknown" : x->cipher->name)) <= 0) + if (BIO_printf(bp, " Cipher : %s\n", + ((x->cipher->name == NULL) ? "unknown" + : x->cipher->name)) <= 0) goto err; } if (BIO_puts(bp, " Session-ID: ") <= 0) diff --git a/crypto/external/bsd/openssl/dist/ssl/statem/statem.c b/crypto/external/bsd/openssl/dist/ssl/statem/statem.c index b91ec0a360a3..69bb40f00e11 100644 --- a/crypto/external/bsd/openssl/dist/ssl/statem/statem.c +++ b/crypto/external/bsd/openssl/dist/ssl/statem/statem.c @@ -556,10 +556,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) * Validate that we are allowed to move to the new state and move * to that state if so */ - if (!transition(s, mt)) { - ossl_statem_set_error(s); + if (!transition(s, mt)) return SUB_STATE_ERROR; - } if (s->s3->tmp.message_size > max_message_size(s)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); diff --git a/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c b/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c index 6fa3f1db6702..ed993553c56e 100644 --- a/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c +++ b/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -265,6 +265,21 @@ int ossl_statem_client_read_transition(SSL *s, int mt) err: /* No valid transition found */ + if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { + BIO *rbio; + + /* + * CCS messages don't have a message sequence number so this is probably + * because of an out-of-order CCS. We'll just drop it. + */ + s->init_num = 0; + s->rwstate = SSL_READING; + rbio = SSL_get_rbio(s); + BIO_clear_retry_flags(rbio); + BIO_set_retry_read(rbio); + return 0; + } + ossl_statem_set_error(s); ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); SSLerr(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); return 0; diff --git a/crypto/external/bsd/openssl/dist/ssl/statem/statem_dtls.c b/crypto/external/bsd/openssl/dist/ssl/statem/statem_dtls.c index 6b80620ee9c5..5b3442544536 100644 --- a/crypto/external/bsd/openssl/dist/ssl/statem/statem_dtls.c +++ b/crypto/external/bsd/openssl/dist/ssl/statem/statem_dtls.c @@ -493,7 +493,8 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok) al = dtls1_preprocess_fragment(s, &frag->msg_header); - if (al == 0) { /* no alert */ + /* al will be 0 if no alert */ + if (al == 0 && frag->msg_header.frag_len > 0) { unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; memcpy(&p[frag->msg_header.frag_off], frag->fragment, diff --git a/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c b/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c index 36d410bdf778..eba4c6fb4011 100644 --- a/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c +++ b/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c @@ -299,6 +299,15 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) s->ctx->stats.sess_accept_good++; s->handshake_func = ossl_statem_accept; + + if (SSL_IS_DTLS(s) && !s->hit) { + /* + * We are finishing after the client. We start the timer going + * in case there are any retransmits of our final flight + * required. + */ + dtls1_start_timer(s); + } } else { ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); if (s->hit) @@ -306,6 +315,15 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) s->handshake_func = ossl_statem_connect; s->ctx->stats.sess_connect_good++; + + if (SSL_IS_DTLS(s) && s->hit) { + /* + * We are finishing after the server. We start the timer going + * in case there are any retransmits of our final flight + * required. + */ + dtls1_start_timer(s); + } } if (s->info_callback != NULL) @@ -1073,6 +1091,13 @@ int ssl_set_client_hello_version(SSL *s) { int ver_min, ver_max, ret; + /* + * In a renegotiation we always send the same client_version that we sent + * last time, regardless of which version we eventually negotiated. + */ + if (!SSL_IS_FIRST_HANDSHAKE(s)) + return 0; + ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max); if (ret != 0) diff --git a/crypto/external/bsd/openssl/dist/ssl/statem/statem_srvr.c b/crypto/external/bsd/openssl/dist/ssl/statem/statem_srvr.c index c7cd9eb662d4..f81fa5e19943 100644 --- a/crypto/external/bsd/openssl/dist/ssl/statem/statem_srvr.c +++ b/crypto/external/bsd/openssl/dist/ssl/statem/statem_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -213,6 +213,21 @@ int ossl_statem_server_read_transition(SSL *s, int mt) } /* No valid transition found */ + if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { + BIO *rbio; + + /* + * CCS messages don't have a message sequence number so this is probably + * because of an out-of-order CCS. We'll just drop it. + */ + s->init_num = 0; + s->rwstate = SSL_READING; + rbio = SSL_get_rbio(s); + BIO_clear_retry_flags(rbio); + BIO_set_retry_read(rbio); + return 0; + } + ossl_statem_set_error(s); ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); return 0; @@ -1698,6 +1713,12 @@ int tls_construct_server_key_exchange(SSL *s) } dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey); + if (dh == NULL) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } EVP_PKEY_free(pkdh); pkdh = NULL; @@ -1985,6 +2006,11 @@ int tls_construct_certificate_request(SSL *s) const unsigned char *psigs; unsigned char *etmp = p; nl = tls12_get_psigalgs(s, 1, &psigs); + if (nl > SSL_MAX_2_BYTE_LEN) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + SSL_R_LENGTH_TOO_LONG); + goto err; + } /* Skip over length for now */ p += 2; nl = tls12_copy_sigalgs(s, p, psigs, nl); @@ -2004,6 +2030,11 @@ int tls_construct_certificate_request(SSL *s) for (i = 0; i < sk_X509_NAME_num(sk); i++) { name = sk_X509_NAME_value(sk, i); j = i2d_X509_NAME(name, NULL); + if (j > SSL_MAX_2_BYTE_LEN) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + SSL_R_LENGTH_TOO_LONG); + goto err; + } if (!BUF_MEM_grow_clean(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_BUF_LIB); goto err; @@ -2013,6 +2044,11 @@ int tls_construct_certificate_request(SSL *s) i2d_X509_NAME(name, &p); n += 2 + j; nl += 2 + j; + if (nl > SSL_MAX_2_BYTE_LEN) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + SSL_R_LENGTH_TOO_LONG); + goto err; + } } } /* else no CA names */ @@ -2303,13 +2339,12 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB); goto err; } + cdh = EVP_PKEY_get0_DH(ckey); pub_key = BN_bin2bn(data, i, NULL); - - if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) { + if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) { SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); - if (pub_key != NULL) - BN_free(pub_key); + BN_free(pub_key); goto err; } diff --git a/crypto/external/bsd/openssl/dist/ssl/t1_lib.c b/crypto/external/bsd/openssl/dist/ssl/t1_lib.c index 7a5721a1e213..95711fb6df87 100644 --- a/crypto/external/bsd/openssl/dist/ssl/t1_lib.c +++ b/crypto/external/bsd/openssl/dist/ssl/t1_lib.c @@ -408,7 +408,7 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen, return 1; } -# define MAX_CURVELIST 28 +# define MAX_CURVELIST OSSL_NELEM(nid_list) typedef struct { size_t nidcnt; @@ -490,13 +490,16 @@ static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, return 1; } +# define DONT_CHECK_OWN_GROUPS 0 +# define CHECK_OWN_GROUPS 1 /* Check an EC key is compatible with extensions */ -static int tls1_check_ec_key(SSL *s, - unsigned char *curve_id, unsigned char *comp_id) +static int tls1_check_ec_key(SSL *s, unsigned char *curve_id, + unsigned char *comp_id, int check_own_groups) { const unsigned char *pformats, *pcurves; size_t num_formats, num_curves, i; int j; + /* * If point formats extension present check it, otherwise everything is * supported (see RFC4492). @@ -513,8 +516,12 @@ static int tls1_check_ec_key(SSL *s, } if (!curve_id) return 1; + + if (!s->server && !check_own_groups) + return 1; + /* Check curve is consistent with client and server preferences */ - for (j = 0; j <= 1; j++) { + for (j = check_own_groups ? 0 : 1; j <= 1; j++) { if (!tls1_get_curvelist(s, j, &pcurves, &num_curves)) return 0; if (j == 1 && num_curves == 0) { @@ -579,9 +586,12 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) return 0; /* * Can't check curve_id for client certs as we don't have a supported - * curves extension. + * curves extension. For server certs we will tolerate certificates that + * aren't in our own list of curves. If we've been configured to use an EC + * cert then we should use it - therefore we use DONT_CHECK_OWN_GROUPS here. */ - rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id); + rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id, + DONT_CHECK_OWN_GROUPS); if (!rv) return 0; /* @@ -644,7 +654,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) return 0; curve_id[0] = 0; /* Check this curve is acceptable */ - if (!tls1_check_ec_key(s, curve_id, NULL)) + if (!tls1_check_ec_key(s, curve_id, NULL, CHECK_OWN_GROUPS)) return 0; return 1; } @@ -746,8 +756,9 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs) } /* - * Check signature algorithm is consistent with sent supported signature - * algorithms and if so return relevant digest. + * Check signature algorithm received from the peer with a signature is + * consistent with the sent supported signature algorithms and if so return + * relevant digest. */ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, const unsigned char *sig, EVP_PKEY *pkey) @@ -769,7 +780,8 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, /* Check compression and curve matches extensions */ if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey))) return 0; - if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) { + if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id, + CHECK_OWN_GROUPS)) { SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); return 0; } @@ -2144,6 +2156,10 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) } } } else if (type == TLSEXT_TYPE_status_request) { + /* Ignore this if resuming */ + if (s->hit) + continue; + if (!PACKET_get_1(&extension, (unsigned int *)&s->tlsext_status_type)) { return 0; @@ -2784,7 +2800,7 @@ int tls1_set_server_sigalgs(SSL *s) if (!s->cert->shared_sigalgs) { SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); - al = SSL_AD_ILLEGAL_PARAMETER; + al = SSL_AD_HANDSHAKE_FAILURE; goto err; } } else { @@ -4125,13 +4141,16 @@ DH *ssl_get_auto_dh(SSL *s) if (dhp == NULL) return NULL; g = BN_new(); - if (g != NULL) - BN_set_word(g, 2); + if (g == NULL || !BN_set_word(g, 2)) { + DH_free(dhp); + BN_free(g); + return NULL; + } if (dh_secbits >= 192) p = BN_get_rfc3526_prime_8192(NULL); else p = BN_get_rfc3526_prime_3072(NULL); - if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { + if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { DH_free(dhp); BN_free(p); BN_free(g); @@ -4172,6 +4191,9 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) return 1; sig_nid = X509_get_signature_nid(x); + /* We are not able to look up the CA MD for RSA PSS in this version */ + if (sig_nid == NID_rsassaPss) + return 1; if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) { const EVP_MD *md; if (md_nid && (md = EVP_get_digestbynid(md_nid))) diff --git a/crypto/external/bsd/openssl/dist/ssl/t1_trce.c b/crypto/external/bsd/openssl/dist/ssl/t1_trce.c index 76bdf792ae3b..588cb8cc3d8f 100644 --- a/crypto/external/bsd/openssl/dist/ssl/t1_trce.c +++ b/crypto/external/bsd/openssl/dist/ssl/t1_trce.c @@ -1,5 +1,5 @@ /* - * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -725,6 +725,8 @@ static int ssl_print_extensions(BIO *bio, int indent, int server, BIO_puts(bio, "No Extensions\n"); return 1; } + if (msglen < 2) + return 0; extslen = (msg[0] << 8) | msg[1]; if (extslen != msglen - 2) return 0; @@ -1092,6 +1094,8 @@ static int ssl_print_cert_request(BIO *bio, int indent, SSL *s, msglen -= xlen + 2; skip_sig: + if (msglen < 2) + return 0; xlen = (msg[0] << 8) | msg[1]; BIO_indent(bio, indent, 80); if (msglen < xlen + 2) @@ -1271,7 +1275,16 @@ void SSL_trace(int write_p, int version, int content_type, switch (content_type) { case SSL3_RT_HEADER: { - int hvers = msg[1] << 8 | msg[2]; + int hvers; + + /* avoid overlapping with length at the end of buffer */ + if (msglen < (size_t)(SSL_IS_DTLS(ssl) ? + DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH)) { + BIO_puts(bio, write_p ? "Sent" : "Received"); + ssl_print_hex(bio, 0, " too short message", msg, msglen); + break; + } + hvers = msg[1] << 8 | msg[2]; BIO_puts(bio, write_p ? "Sent" : "Received"); BIO_printf(bio, " Record\nHeader:\n Version = %s (0x%x)\n", ssl_trace_str(hvers, ssl_version_tbl), hvers); diff --git a/crypto/external/bsd/openssl/dist/test/build.info b/crypto/external/bsd/openssl/dist/test/build.info index c262248b6f27..d850b5229cee 100644 --- a/crypto/external/bsd/openssl/dist/test/build.info +++ b/crypto/external/bsd/openssl/dist/test/build.info @@ -1,5 +1,6 @@ IF[{- !$disabled{tests} -}] PROGRAMS_NO_INST=\ + versions \ aborttest \ sanitytest exdatatest bntest \ ectest ecdsatest gmdifftest pbelutest ideatest \ @@ -17,7 +18,11 @@ IF[{- !$disabled{tests} -}] dtlsv1listentest ct_test threadstest afalgtest d2i_test \ ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ - ocspapitest fatalerrtest + ocspapitest fatalerrtest x509_time_test x509_dup_cert_test errtest + + SOURCE[versions]=versions.c + INCLUDE[versions]=../include + DEPEND[versions]=../libcrypto SOURCE[aborttest]=aborttest.c INCLUDE[aborttest]=../include @@ -292,11 +297,23 @@ IF[{- !$disabled{tests} -}] INCLUDE[bio_enc_test]=../include DEPEND[bio_enc_test]=../libcrypto + SOURCE[x509_time_test]=x509_time_test.c testutil.c + INCLUDE[x509_time_test]=.. ../include + DEPEND[x509_time_test]=../libcrypto + + SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c + INCLUDE[x509_dup_cert_test]=../include + DEPEND[x509_dup_cert_test]=../libcrypto + IF[{- !$disabled{shared} -}] PROGRAMS_NO_INST=shlibloadtest SOURCE[shlibloadtest]=shlibloadtest.c INCLUDE[shlibloadtest]=../include ENDIF + + SOURCE[errtest]=errtest.c testutil.c + INCLUDE[errtest]=../include + DEPEND[errtest]=../libcrypto ENDIF {- diff --git a/crypto/external/bsd/openssl/dist/test/certs/alt1-cert.pem b/crypto/external/bsd/openssl/dist/test/certs/alt1-cert.pem index b94d0eaf9ddd..d68b0e519305 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/alt1-cert.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/alt1-cert.pem @@ -1,22 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDlTCCAn2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 -IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGgxIzAh -BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu -Z29vZC5vcmcxEzARBgNVBAMMCkpvZSBCbG9nZ3MxFTATBgNVBAMMDGFueS5nb29k -LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALAv1X8S8uUpnjTa -3bv7m1jJbbX7bC9w7k4TfxiU5XL/m3EhN//EUBJSoamy6vFC6oy/6jA8XmptlVrY -Sp3ZKFdjdZh+CyYZKcrv4JReF2lfRIINn6d6EgcAobGTNwdcv67xuNtMi0meAvmK -gLjOa/IhCHNC+l8vNDJx/a+7mxH+yNxPL6lC/kJMja6oaYndx74WJpPC22LJ/cCp -xspKKsoPYYjk0BX9RvbKO8s4b86Wjzzntht+NpQ4LLh9XwPZog11qGE4UIrsV8XA -YxJrMGQNZd69cnCOz8vnOVCszFOa4qVvXeAGr0iFlZAXbQJevpiiXaXHMEt8C1qH -xpcW8DcCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUw8nB25NP0gUaFCrOwAO5KzllnREw -HwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMwCQYDVR0TBAIwADBIBgNV -HREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNvbYENZ29vZEBnb29kLm9y -Z4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQBUnDMrg1py -8/iYXzs11Qbw7bBhc/HQDpu5QVgriaX2zDUpTLSEUV7qZFSHmwWm91ILw2VA1Xni -ua2sF19o/tJT0ZHpapkfqGpfsym2H04NDMKy0l0fSZhlCB5Kv5wpiFt9hBUrxS/2 -Dd6Kg+Ka02nD5QBXSAk/xz0FmgezzGGCLjg85/Sfe9Y7tNhQXh3HuGXuJizYccdQ -Fh1IAFYW3DZoDKS7dDTCltvDEma/2IE684+CRJiA6PH9rYfJ1CCUfAMpyA85CxKT -P68GDKI++WoUgM8LDfxS0KOL7A9cqcpM2L27hjyEgnqIBPHFfm9fxztBotuCTl5L -vRlTFVjv65nn +MIIDgTCCAmmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMTgwNTE2MDIzODEzWhgPMjExODA1MTcwMjM4MTNaMFQxIzAh +BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRgwFgYDVQQDDA93d3cu +ZXhhbXBsZS5uZXQxEzARBgNVBAMMCkpvZSBCbG9nZ3MwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDTqvf6j+WxCtn4RU8/6uXXgCTcksv6NDXCZ9JAz4Vv +cQbJfhFbDWpGZQZDOCqwtj+7CSVIraxItHzPlrt36cevsoPmpuqGbHrUaOLneme2 +x81SXUq0z/DmDvwxVENmRj1u7iCt3sL7awcid4SiotLOY2F1jBazmqprqKZBUiyQ +XqpSp+9uSav77ydwDXCrQozBdns1YRshgU9omQrTcIqHCj1f9Lo+A2y4+TZYZkvS +DuUZiTfPTPouR6sopM8JLyAZc+TvFFncEg24N+zz3O3jwH82BZEjzavw92J9npJB +UXvKb8O9z7UA65WYuL2he7kSQCsPNLoRWZnVpchwr3VHAgMBAAGjgZgwgZUwHQYD +VR0OBBYEFHvLhGWckFjVXdDI3ds9Wti6zgXAMB8GA1UdIwQYMBaAFAjRm/nm1WRw +oPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYDVR0RBEEwP4IMd3d3Lmdvb2Qub3Jn +ggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgA +ATANBgkqhkiG9w0BAQsFAAOCAQEATVcTyrAxsehdQNrkL6kquXxWlyegJcxvVxUe +hfh9+Lw4620b2S1/l2YxFM3peLAsRgJOznmJOeG18+y7/kx/3UNqYGY7e8iJQ3Gl +JwDIJp5JCaUOlodjhMJtRc7jn9RcsL97oizXdcryyWT0vSlM9Pie9NtHG5iq5X4+ +oL3X8+OG25MOkF2h3YVCEG3vDu7quyTlHc2ebwpdLZRndcOewO2Cap1ettyWXUPP +Mha6wyJE8LJhrGmrI8Lw+i7gGscP0xYZn3yCLk5BtOabn4dvCiDmb+TPruKQQARw +BG45LEZzGxz+Ad3xRdZyVi1I67v9YShoYTCpMTSxJaR0erH74g== -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/alt1-key.pem b/crypto/external/bsd/openssl/dist/test/certs/alt1-key.pem index b5d4d326c55a..6df050a38f3a 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/alt1-key.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/alt1-key.pem @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwL9V/EvLlKZ40 -2t27+5tYyW21+2wvcO5OE38YlOVy/5txITf/xFASUqGpsurxQuqMv+owPF5qbZVa -2Eqd2ShXY3WYfgsmGSnK7+CUXhdpX0SCDZ+nehIHAKGxkzcHXL+u8bjbTItJngL5 -ioC4zmvyIQhzQvpfLzQycf2vu5sR/sjcTy+pQv5CTI2uqGmJ3ce+FiaTwttiyf3A -qcbKSirKD2GI5NAV/Ub2yjvLOG/Olo8857YbfjaUOCy4fV8D2aINdahhOFCK7FfF -wGMSazBkDWXevXJwjs/L5zlQrMxTmuKlb13gBq9IhZWQF20CXr6Yol2lxzBLfAta -h8aXFvA3AgMBAAECggEAa073DcqQvhq3DSIw4wm/+DfW5nwXzF1QB6XAR0yI453j -IuhEnzcGPeKuLBmZFxDWoptRG8fpCZFs4kPSTomxFGizewlp6O5ykfPAKR2VzMwF -geCiWPL0f+dWlD1Byu4moXsASDE6tL/UuAAvnl+7R2HvL6SfsdGiTQc4qAvvyukM -szks+MePHSlXmL5Eld7HfKgpvxY1SbYOQU0aPXAQAnLaOT931q+tgZMG6nBWN+pu -w5bgKCA26BMAAaUAdIIDEa9fjzkpXjElCT4qhJYVKQn9Pb7aSc4jihSpCknqbb9c -55nW5PWMZJyCbCOUG/SVTblXV+NmhdtwrgUbHImXIQKBgQDcb/7vp+rq06uNx3b4 -AjTZdzCVbHM8gp7b1GkGD0SncrzX6RxPSzNn7d4AUKY065bwa89A+TRwV8DSo7G8 -hxjzdU/FKCg8ce0eqoCtWjIT2r+rV2P9dFhfRT5jdOwHrym8LeSGzANjIBNV7FOf -FIRkQ1BVD0QSPla+26ASqsw60wKBgQDMnEzChQWgAsBelALmGaj/wDdWDUXK8xRg -s7dG1Sx41SLk39SAjCUYXPyy8IHBitJtPZNDp23tR4/m8Ui1pB2T0EnlzBsuzrZ/ -0aCbJnQ08FXE8iVajrgce4ZCdT8vkeH8EVhqDpJIlAhoKy3HaoAr4o2/uRoGDpHZ -iAbDLTEOjQKBgFrp4dXLhkqFNArMShetKUjLLIFj8f7xzDzT1ODH6UO6QYI2xRM6 -65+gbd/pYzMOOvk7LYYZgXQX7RGyq3oaqcK3Dkg88KNFRUtRfLKCMYcYv9YVu8pr -cosQTtPMBBCDQI44yziA6aC3OOJGDpLcbmG/lWEPY762cSZUBCfOw147AoGAd8S+ -AdcPtdwmcrY9BCfdDuea/JoEUon7UaehDqtVvt0z8bk7kIt4Y0x69ttleL8j8aHr -g9yLsisDhvGR2BFa5t0zhHn3J20E0skINAlMWHieHAyJ5PpJtxJvQpOTCutf1sbo -dBxXcHiGe0NbJrGmmQmiY6mcHBOHOEgxfSoE3zkCgYAc+ozIr3xmUcooUeA7uqpd -LvGGqHThGrtXVFIErOIcajC9bHEeZw4Do/oT5L7Wr7pOZ20VUmuRvwytd7IYYTVV -g+nIyKaMttEaCzHEsO0CQUHexOkJbL4rpc3HiK5hIhL8Yo2L/obQgCxYmvyChpo3 -sXJAoFllBNfAK3aanFOR1Q== +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDTqvf6j+WxCtn4 +RU8/6uXXgCTcksv6NDXCZ9JAz4VvcQbJfhFbDWpGZQZDOCqwtj+7CSVIraxItHzP +lrt36cevsoPmpuqGbHrUaOLneme2x81SXUq0z/DmDvwxVENmRj1u7iCt3sL7awci +d4SiotLOY2F1jBazmqprqKZBUiyQXqpSp+9uSav77ydwDXCrQozBdns1YRshgU9o +mQrTcIqHCj1f9Lo+A2y4+TZYZkvSDuUZiTfPTPouR6sopM8JLyAZc+TvFFncEg24 +N+zz3O3jwH82BZEjzavw92J9npJBUXvKb8O9z7UA65WYuL2he7kSQCsPNLoRWZnV +pchwr3VHAgMBAAECggEACPTB+1sdV+lioaulF8pDoWOtq5uWf+a3o5sq/U0Kk1WP ++PSZnWWq6oGZyzxUKhf8CFjxt+qJUKY6Zbo2AnPk3B1MkXTclYV/iP9LIoo+WzCH +EoYaBB6MTd+ycg/jri8oqEnxHgo/681yhtXRyePj0ZHI7OVZjI3tyhJfvoHQmuci +u6qYYUP0GWuyM+kHS11vn6Q1U8nOZWvXpEDXDDdJ7+2QRuv01AXcjFxpbFzkMn2W +JkhKkCTIQpUU66VMRHwNexi+TR2rRESq0G+fa+6gaVFVIs0vBukq48IeC5W21j1L +zyftHxci67FlYC9iaiUxDVt3KB+lcukx6Cz5mjtzqQKBgQD/GrAtFfjiXKj9O5ld +K7dnnBHE8fzyWQWyOfwpVjNAC1J7tgwFvDpBpTHOwS5JnCwMWWM3rkBPRhCusmrF +AtfE8b643G+cJbTgDuEhGh11QR0p9VWMVFQL9kZxx12PegDtFBfzcfcI3XQwKVKL +ZbQn4ibW3BKSt9+Nh3APa0s5iwKBgQDUaTxZBajTdzoDd6Pg3warL5BhsxWr2tUQ +qf+iVoba2Y9NTBdxBht2whSaYweU9kxmeNZvnCu95B8HeRGE69Dxb7IWwpsaxoaf +ND0NcCF7aPZgx7hvhbHF7duzt3nuv+q5sOuuyHPzm+nF2snAuY3Zg+Bpv3nlYekf +18aXZdwStQKBgEpF8e9ei1UUl1sLZC6dUMvIw9+sePHye1cVzNYYM9m8sio0qbFt +ySRdvW+uDRT/dE+wItQOVsj95FOIvM9ZcYr0u4vFGnXDALOPgXqKyPLfn2cc9+hg +kQvei0oLOrFQWz6rcAHAN6WMHIz9KvxNAzPtg1NhRcMT5/Gj8jt7CK7bAoGAIeKz +7OO5Phr8F0eDzkDmGHMbDmr6XxMnAGSOUoCJPOqOMN+dsbsusHBfxw1bTUlJgONw +GhgI5l85EAEhaVoRWCLgfz8GbWwUV9uGjdlAjiZ9f4z9AFWMua2rae0wN4VIVd1C +i/yQeuF5lsXDf8paNcQTDeus74oCHcFXfhmS1S0CgYB2q8E+H0kFHbUxkIZYwhsM +r0lTecn+kVsyPPje2UlzfTwvcC9dFIC4ppCdJGUJAwi/PJnr6xNyOH6I1pjUA8ER +Aofm4Oj2DwX8W+81oO71/RXSfEFUjdOw0H6iRDyvWa1gqftj2/aWjV7Ifdo49thx +EzX/9GdsRInifN6FfOfo/A== -----END PRIVATE KEY----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/badalt6-cert.pem b/crypto/external/bsd/openssl/dist/test/certs/badalt6-cert.pem index fbe040b52c6a..f41568f6eefa 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/badalt6-cert.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/badalt6-cert.pem @@ -1,22 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDljCCAn6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 -IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGkxIjAg +MIIDeDCCAmCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMTgwNTE2MDMyNjMyWhgPMjExODA1MTcwMzI2MzJaMGkxIjAg BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDYxFzAVBgNVBAMMDm90aGVy Lmdvb2Qub3JnMRMwEQYDVQQDDApKb2UgQmxvZ2dzMRUwEwYDVQQDDAxhbnkuZ29v -ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKz8F/ndKz0vuv -BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu -9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd -7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+ -6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb -jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8 -1L6m8ngXAgMBAAGjgZgwgZUwHQYDVR0OBBYEFBIKyD5bUUNIFxlQJl/rBvvIm0XZ -MB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYD -VR0RBEEwP4IMd3d3Lmdvb2Qub3JnggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5v -cmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG9w0BAQsFAAOCAQEAa2lydA7a -YgRhYeIuPEtR+bKyDkIKNjvx2IRL/FL70s/IWFWDK1rpsMYLGNa7rWpW5gq4T6zb -JIwC/770Rw1p+0j9eAC95d2wCEhyNcLdoP4ch7whr0MhxYHUJ8zQGPdQ97DWGoEB -2seLjrhMrX004TM4UlM+lpjsb88QEcD+kOEhdDTKm0ABUygOr1KRay437mtUhAzb -WyUbAjKbhgyv6IFRNHKy6YtCMugPihn+Pd1NY6c2ACRVOAUS/+rvVyjxBCATW5Wk -zAtNIxYgcm3rYRroGYT2BGj8Ic7oqPOWPdGWhsieX0c+y2ZnS727Kwc5tXFfW9By -GH32QmEN5o5jZQ== +ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDl46xhstHmmYhp +XY/FcnQStR4XHtHcNRyvq1perl0fezeCY85KkddGppic5qIWQDL4ViP3HfvhMlDZ +E0tAjEfr8Auac9gpa2IFVJAzMnnzOkhO6cr5kmid4392tNCG5sUWS99t2Z4f9sOP +DQKdoN7lnmxnpZqNf9NUERsN5i4fcvErfQZ4LqV5ld810ZAQZUfarn1rg6/U/ADc +qA0uQgk9RxVgSDt3M5mi8AaC73Be9nAefXQUybzs6J8EfsDijhD85msxs4Fha4pg +gM+bXHv9C7whxM5F2WTeET0cIcAfE3+jzQlkjcjlS1rTEq4d0Pd+1rXkhMwZeze2 +KRL2Le8jAgMBAAGjezB5MB0GA1UdDgQWBBRJJljvheyfKr9neNplhIMIFx25QjAf +BgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMCwGA1Ud +EQQlMCOBDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG +9w0BAQsFAAOCAQEAPfRFkpkTsPlH54n/i3kxR8Hw17kUOV0/v39fnNzV+PXS/IIU +9OFfP7qNeuoWVQKXCwNWGWYXb7O0LNJMJQWWtyXtzWH3rOSxdSRIrTsCVHA41Lbo +te2nrfnGMtg6em51Do6Kk0JM304sVAWl5OY/eckBmuDgN/5WfZudOLd8Ohv8vZ6U +ZNoSBNpu1x5gfEPywMUGAgbkNZVpzNAfulx3/D2kWk0qwEKqnphUyaXiTVqO49gr +n1LwSVdqBcmapBmEO3puV4TBWFwM49iMMNGn0fp/JBVsLjt+q7TK96qGBo/BSEL+ +e2TXTNpdkn3l+ZK2FYdf7s8fytoe+6o92dN+fA== -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/badalt6-key.pem b/crypto/external/bsd/openssl/dist/test/certs/badalt6-key.pem index 203a4c7a0010..782d69334a40 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/badalt6-key.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/badalt6-key.pem @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKz8F/ndKz0vuv -BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu -9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd -7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+ -6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb -jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8 -1L6m8ngXAgMBAAECggEBAJNMHK8BAvzTqTPPsfAGu4bTvgxRdKGy609FFAiqxUF3 -UmQsCZEfgwyqCszFPfSeS43xuPRukObE6L6MV4ls8GwWqvp1nKfCClJX3/9jK6tq -2tDQ416a7Wb+FvfgW0tDEg7oLKfcqRyAoQFNuxWHbGDiTQlz2dzzFYkzhlzBDUYH -/pu9qkNFGfYMFwsBUd8pp8zMnv552CCIgalBBFr1hy9q47HBaJPaF2/CjZJmsqkp -rVMBH7+j0y1DW3JO5rSKcRdz+mgEd9m/yQIazvBPJKxeGza8JfLBuACYFLIoO1S+ -b8s/zmQPHeZwTxSsM64M1uYi4dmJy0viozLlWsjrE1ECgYEA/GxGG/lB1mL+Hzmc -kXzWmA2nLPxZXGxMBOYH/n8l4OyDmKi2Bmly7kS0kLdY6gYTVBWFCRcvPxf+UJu9 -x4NcKDkjXVXSg7Muux3Bh1JoRCOKB2Hk3pqdDe55GcT5bSikkd5PYCNobcnqzSK1 -HzKveDdukraZxIPFpVs1VM9/gxMCgYEAza+BJUAEWoq925a1RKlMwdXW1ONBhFqU -fXon15fgycHkiYIBGbGE65Oyz8BwE6jNAT+SwKlNCc6jPAkXvEUpczEi5Rcox8Ec -hNoXBHcBxHEhtfV2VKX5I9JFAadmvnfS5St7HjRLzE2Y6xym1+fKfnAlSLpdb3W2 -eRqVBi3F020CgYEA6K/yrQTHwRX+BdC42JCIzSAA1IJG6eDW7skR43NX+pBr+sTD -DwQTszrYbHLnXst888zmluutXO8EO1Bl0E3yHQ4W4IolhcweLtUOOm0nunA8Y/PE -48MJNfd34N5nw01s7x5Mc2YQdOxmKvVsmzbA9AO9RTdYZgPGpVh/wA+LDssCgYBh -F2+G/ekQNF3awhFfD+vDtAVtCLlsmLVvZbJY+sCJfJU8s7mBP2LXMSk/GD/Ph+b9 -p9zGRSSwdHJpbIFfxeYDEja+nWgKowWrUKd83BBhgmW/Vtc8rfwlBKS+Wx8M2dMb -iqLbZyRAlICSuzumvyu+84EmC5L/gjlYgUvHVuQDIQKBgHH7q3hrKI5mQ0BR9h75 -4yP98c+Duz8IsQllIG0gzCiiOYIVTl3uzTCa/E9Sa+jG+kFsCeUDchmC6LmHdF/Z -ZHfECcQT4B37xMMwvjwNW7E6/FyRx3XC762Fd5vlz3fBuVKburfh1JpfpcO85Wvo -R1UfsJugW9Yetsqd9WB6q3ln +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDl46xhstHmmYhp +XY/FcnQStR4XHtHcNRyvq1perl0fezeCY85KkddGppic5qIWQDL4ViP3HfvhMlDZ +E0tAjEfr8Auac9gpa2IFVJAzMnnzOkhO6cr5kmid4392tNCG5sUWS99t2Z4f9sOP +DQKdoN7lnmxnpZqNf9NUERsN5i4fcvErfQZ4LqV5ld810ZAQZUfarn1rg6/U/ADc +qA0uQgk9RxVgSDt3M5mi8AaC73Be9nAefXQUybzs6J8EfsDijhD85msxs4Fha4pg +gM+bXHv9C7whxM5F2WTeET0cIcAfE3+jzQlkjcjlS1rTEq4d0Pd+1rXkhMwZeze2 +KRL2Le8jAgMBAAECggEBAMcDjTTa2GmYWoZUr+UPizqyvsTnMmg/NoFBhy9WJVne +kpR3kJvvm30XNiEGbCV1GGryL5p7w5UVuPXjhQ7xIkY3feQNC4H361iP93HK7dXJ +i9V9AfGCdLzSuILsT2Wpm88MifUQIpqrRmqtqakKHkyMFG655409rpYlZNVogl9H +vzrTE8rjysNMjP+bpbgkxUJfeATw8OYhEwd9ahj/E0r0r2enYhGEP3j+1zYsGdmM +L2Uy4M+modaAWpZg5pUWpFjxl+V2cSJHdaQc8KYg8Z8RUyzYipFk3YzjP5jtprq5 +dHf9FqlcXk+MtzcYe+x8mIb3uwZhOtdpnUqe5l+GTyECgYEA9j++rS9sajQzMqp0 +p+EptacD/p7A3wldIDGEpPJsSQL+vhcigyn4iPCM1pGWR4iuR7Od9RpQSf3Tfnqc +ZwUJQOpiYpxo1+QlqlBJkDjDRztp+kETZAgzc084ZhwQv9PfYyxa+8layQFhnClt +Z9G0o4AV1povVeQLO5+9CQZQ4VMCgYEA7v4WuydzlLGKppsJEG8vvieR64mjOfO4 +gHBMEYnzEeTZPDvIfEfguM1upJCvt5GXp3huVHCAsFgs6kDjVbpIL1A2HzrMPtOa +MNDSOrpuLcakAgEgx2VFv4TMnA1QKPg3//YCqEqqTJyX0C4OwaADRZJS7YfHp9lg +mpv90baE8PECgYAv3oxulj15F9SsEL7Es9yr11/La4kK0oMr8vRaLFYoi1CCG3U2 +Ej6iQEDgpUSVe1iFz8DxGMBq4dDvUV5+GFiIKggeK1GmRk+cICdsxdwQSNh9MZFX +bNCzpb7M+r+2yrUuTj0RnT7svDwBY3xFJlr7PbcBFNAG3mHgoVjaHEQ0yQKBgHbS +zepvSv/65bzACFmrbklU0zAQVp9RlcIGE0wFEl0rMvbHon5oHkrDmOcpKLRUJtqU +/gXtiY4jyPEPIfhVjd44OzB7w2DZRChRKrUYS/9ma9SzSuDYcT0vgat00w4Lm4wf +fGK//Lvqf3B59cw/CmFkxuZiQ9ooMees9x11adOBAoGBAMdb0r8sAtgh+KTbA8Kq +guIWiknOk6/LYUTuT3fidPIPbErrUQQR9WWHuXjrj2RyHI/RLjYLFamikvhU7PmE +jPjPAo4p1a0WBwrYgjGDIRjTVjbUK282vuYkunGWYfgnZurAyjJCndL/eNZuX2F5 +m1rTfab8O+tOOGKGyzfouD2A -----END PRIVATE KEY----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/badalt7-cert.pem b/crypto/external/bsd/openssl/dist/test/certs/badalt7-cert.pem index b515ba43d99b..4fa81b3c6f8d 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/badalt7-cert.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/badalt7-cert.pem @@ -1,23 +1,22 @@ -----BEGIN CERTIFICATE----- -MIID1DCCArygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 -IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMIGmMTsw +MIIDtjCCAp6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMTgwNTE2MDMyNzA5WhgPMjExODA1MTcwMzI3MDlaMIGmMTsw OQYDVQQKHjIAQgBhAGQAIABOAEMAIABUAGUAcwB0ACAAQwBlAHIAdABpAGYAaQBj AGEAdABlACAANzElMCMGA1UEAx4cAG8AdABoAGUAcgAuAGcAbwBvAGQALgBvAHIA ZzEdMBsGA1UEAx4UAEoAbwBlACAAQgBsAG8AZwBnAHMxITAfBgNVBAMeGABhAG4A eQAuAGcAbwBvAGQALgBjAG8AbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBANStByWr70u2A49OO+LYu0ivQP+uBu2n3E6RoEYf+op/+JF3clwfMQCGqiSg -QxOJMHkcu4gJDudRLCSXqHPnR0hOd+mQ5wQQJmLj8A99ImcD2oN5R3V5I4bSlXP9 -GCq2pFDnwXuEcJ3d2Dt1HYO4jA4Ol/RBT3NIqmwSnQzXv98mjYFpy6AuAIaYGmbh -1DLWxsTPI2NjNafJYS85NrQDLkTpq48nCmQCJ+ly6Zzu7WuJiDKD1Rxs7ZwgNtLi -Zhp41TeFHxCbfSFKe9u4rnUmImKxwgc9KuzOLpLAzD9avWpPGHtkCsLFsiw/EJYf -UdeCXc7tz9WhXZzOk/ffLOcrorMCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUwYsR1XfZ -2cPcAR7i5i9obalnJcIwHwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMw -CQYDVR0TBAIwADBIBgNVHREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNv -bYENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEB -CwUAA4IBAQAN/klfzMLi2acp5KdH9UZR4XCk3cZBOuMuI0vU+wrU/ETgY6rFhAwY -gSZsO6vX0mt/G6QfOmY5+kW4FY5XavGhhNVY2x5ATZKvQCf+orIsUHOBxVTjH6az -uEnxGDRTbjXSkBTCTSoOqdJNeOmEwiaHEVy/atumUW2B2KP5FeBGdud/94c4Q9/O -WBJ0EICGF6hYTDra63lAjxyARTvocVakIE8zytT1SbU4yO05mYPyNdXxiXikepFE -phPQWNSLx4EPBIorGCFj7MPDmFCH/+EjDjGz3SNUvqsak6MstzK94KVriQyIHKex -IL5WuKFm0XSGKTX8SzyMGErMGeriveL2 +ggEBAOG4PegItzkmJDwlSA/FyVHWLWUIQrnxgS0KSds3On2CMsjDJ+X77B4s1IPI +yKHuqNbXqV/hJGAxKnZRZe0D6VsmKlYOYpz9QtFxvpo5DwA3q6BTx6sIElFn/lip +Pbu5ZeIMNeN4bot7x5sBobr6OgidAVaAuqQHHJnD7mQ1s22qY0UqkBqNBhhJWOmx +YC0Q56WDi9+C7Cy2+kiiSlT4jCZ8m1K0F7tTK5mF0p4HppXmXLzcecZ/Sw8jOqQK +JM/4UCj/nxWCGYKWkv8zLJtG+ryfZMf15/0Cd1dzHAS9mYU4mFssPdFyT+WFpw7b +K3TOTXkS/tAPbj0xin2wqBJz8m8CAwEAAaN7MHkwHQYDVR0OBBYEFOWYNq+H1LH6 +lZUpgijb/S/sAiDsMB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkG +A1UdEwQCMAAwLAYDVR0RBCUwI4ENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29t +hwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQAwUxnqq0gBgKmEHIRgZVu10KtOknjt +p/wEcqQ9METvXb+4/a4U6ftjTgaOrPVjamNFlaoUcTgx2nk2zRsjM+e+tpnxDgRR +/yoVB3HsISpdeN70s/WYAgvev/FdV3O+JWhUYHdKrDB4DMfPhlRIfSgOymJljo6+ +wL8qa7lVonF91Im4SCbq4dqtAnbg4ttblQ3yjFfQtuwzyJD/3ism6FQPLbg1K4eu +1Si0EDL4Fct581Gb5D+NU8PYiwg7Nk8ubNlRHXydoVGDLmT0hLE+/IsPd1M8tMqm +sifRl2Is+lGVeg4pPHFjB0npTNkaYafu89dz/3PNRRr5If06B+apk4AX -----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/badalt7-key.pem b/crypto/external/bsd/openssl/dist/test/certs/badalt7-key.pem index 50557e896812..b453f1ff30a2 100644 --- a/crypto/external/bsd/openssl/dist/test/certs/badalt7-key.pem +++ b/crypto/external/bsd/openssl/dist/test/certs/badalt7-key.pem @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDUrQclq+9LtgOP -Tjvi2LtIr0D/rgbtp9xOkaBGH/qKf/iRd3JcHzEAhqokoEMTiTB5HLuICQ7nUSwk -l6hz50dITnfpkOcEECZi4/APfSJnA9qDeUd1eSOG0pVz/RgqtqRQ58F7hHCd3dg7 -dR2DuIwODpf0QU9zSKpsEp0M17/fJo2BacugLgCGmBpm4dQy1sbEzyNjYzWnyWEv -OTa0Ay5E6auPJwpkAifpcumc7u1riYgyg9UcbO2cIDbS4mYaeNU3hR8Qm30hSnvb -uK51JiJiscIHPSrszi6SwMw/Wr1qTxh7ZArCxbIsPxCWH1HXgl3O7c/VoV2czpP3 -3yznK6KzAgMBAAECggEADjQ0Kv7tr3fLixGljEP/Vh5mT+02hz7TxueQ9b4DBKcB -We3JVH+8zRUxXdraP/7EnwIdQDuipC5WrWb3mC4VI64h8hZ8Z1gQyEAC83XfC1RF -jsxVynG5vrJnyuRXbdre5Ixl7rLsto5vd6EdxINZz0KIQYbvIHr07tzbYlUyelvA -mu0kYdtbjm2p2AGJJ99zN3EiQ9lZDyiFirOXEA9P/YdKKVlIwpDPbn/TmNY/k6Ul -mRxgAJKwKiR6Gg3QMdTUKeaXBpKf/pa+5rzR7zxNbiQO3IXOVx7ZzQ2R0Wuivpqk -yjMaqUa7dDuvtIHJBpJB7TIL6SlQkiS1lEQFhO7EAQKBgQDz30obdymxqQVy7IsH -NLo5xRX1hRRN9h34Y4qC0JXkCTG1fWJ19KYHod0S5peaIo/ThDVf1UXln6amdCjM -oIfhmo0baNIdMMpxxBdsdLfUKwyVh8qROaBscPE4FGBUrfEW/wSn1WRYcWh+oda3 -LuLVf5Qt9a9f6ZYuy1X6dDi8swKBgQDfQJTSFUNkV8yKfMX54x0DcUkiWOu3LaET -GSu0UXqBVn1Q+u6CUAkh5jA9fpyM5sp9+t5FuwjO+ITHfiNFoD/LCeMUfYVDF7O2 -uCLTsN+7gTGpKMnfL/rg9exrsfDdsmbQe4BhrUFBsYfKgBlBraL0QGD+25qgU8CS -CQ6toGCCAQKBgQDCYJskwRoObPXW4AsAN1qnaRtTkjrY2O6SaGSiV7bhByMD0WiF -M/aR5sXapsj3Jc0Vfi88rzUDDPk7eyJ51wn3G8SUsDuo4Ja7jtxMqctL5PQmyxD+ -J7xiMrNRS4xscifTeHgxfbh5dgsfw8bsQwaxvPpSl5ytCfWWXqOs+K2wWQKBgBM4 -Mher8PNQg7FgcILExJipRgyI7zID4ZwNTK/nW86KrZstHx9k2IRslraUkdGnhMM3 -t671HRsEVhn+h/bUhulp3nzDGZffEH+odocW8QvpYWcYtdha/xQi18mltgC//Q3x -s+m0yqtnJzONt57p3d99M1x9d2BaFXf9A6B68BQBAoGBAOatu9+wGaIEB//fpaQt -mnsS2XBJco5gHTjOegCSNe3gQQsB5mhTEekOeMzJ8WLTMVXQVCXx9/8HxKoycbq8 -M/7ScH1iT/wJTkSsjyeycUgH31GPeRvmo9YU2PsW3NN6ZyNpxWJFdcPYHAzZqJeA -cZtQWiEyaf026DdR8YBYn6tf +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhuD3oCLc5JiQ8 +JUgPxclR1i1lCEK58YEtCknbNzp9gjLIwyfl++weLNSDyMih7qjW16lf4SRgMSp2 +UWXtA+lbJipWDmKc/ULRcb6aOQ8AN6ugU8erCBJRZ/5YqT27uWXiDDXjeG6Le8eb +AaG6+joInQFWgLqkBxyZw+5kNbNtqmNFKpAajQYYSVjpsWAtEOelg4vfguwstvpI +okpU+IwmfJtStBe7UyuZhdKeB6aV5ly83HnGf0sPIzqkCiTP+FAo/58VghmClpL/ +MyybRvq8n2TH9ef9AndXcxwEvZmFOJhbLD3Rck/lhacO2yt0zk15Ev7QD249MYp9 +sKgSc/JvAgMBAAECggEAZG2cJawTEXtV7ejMii//Jck8g1JMlfzM86Q7Pizxejw+ +qjKiguI2qSpbF5NzKRFNz+E+e+lpTN8zPFd1GSJ/Zk2x0n4uBBlu7E9GdcnjUb5z +Py9njEJYHB4//WS3kdmoag3ywBWqYaceJWpxcga5YXGx0bIO2MJNSGDzpWR7Q9QQ +tG/lWmno5goY2BxI08BTKSlqNIBkg/rr9jJo3axRcEmbx7hj4vUkAlypFKtmR4dW +bNo0f6VAd5Y6c9YbnKybR/44lScBksuSkZjm076cbbbp5PpsiLGe/12bqUcwCH+T +8hRVndmOLdOxC11OZOvMbX6x2uXNh3/Qr/GMyfzZcQKBgQD4we7E9vOygk1J5Vbl +1zETR9x3dujpBBx3xaHXUSJNUTNwmnZ+0JoFTqPkRmmPMNK7XfZuPymBehtk8WYt +NnezM2UNTdbfVOnJWnU6igRNGBaDW6F9AezlADBNwIbFVw6RqP4fTUFsmm9TQ/8M +4kZmmlW4uLZyX0WQO+AJa7NShwKBgQDoSpnQgmWqXMcaHwY2l8fEDuDc41nDoJIm +/CMppPbr7GkUX4OU785p6E0N0o1ONt+xCBT1lxHwWEeMAKZXrNC1XGpfvhpVZ72v +VruATDFs1rcL3S2Sty7A+jhFKKXlGeDWNcpaKY8nDvv2uJG0+J3bLprdMqnY/gQ1 +C+FzyQ6S2QKBgDnHIaRSD6xoo3cEc7iS0O0/ha+hyNtGfy46kyqlx6fZsm73EYrG +/N86ssp0qFP/7RJj8rcMqKFQMUiy4R6jRg4zY8dBSyU4XczM2+mq4PDfJWuBPvMA +HXvbHV0R2LvBSrr+W3f9w7Jr9GuMoZLmg5+VPU/YZ1gNVOT5Y0IM5+vFAoGBANx9 +CzlGvLeTrw1VS3GAaobn1Hr2dlrhTDki9UFvK03PLgK/ksdJRLV0YcdwBt6p6XRB +hpuC1O087lSuvTXVfJnZacMNUDOm7/7BpeJm8DcuK7tgKwTrSb61A7ppleY7xRWv +Iy6n6hCaAYIzuWJ85mGJAEhb8apdmqK7bzmXK3UpAoGBALdOvJfqbF0YlHbdQCVi +ftjtxs/dZKdF1rNARR0VMqUtZX+WP2b6OPXlwux94Cr//iNv5ih3B4Z4LIgTpgBJ +AKGXEBGMMthAlptC4BcOAEs9cYeWGLAoYk8jpNmXvXjhGqvzhPO2YrX5xy46dVOG +iiCseyA7Kr8Axt9QhUzoi5f7 -----END PRIVATE KEY----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/badcn1-cert.pem b/crypto/external/bsd/openssl/dist/test/certs/badcn1-cert.pem new file mode 100644 index 000000000000..3b3bad658bc4 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/certs/badcn1-cert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMTgwNTE2MDI0MTMyWhgPMjExODA1MTcwMjQxMzJaME4xIzAh +BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu +Z29vZC5vcmcxEDAOBgNVBAMMB2JhZC5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDN9WI6OyxnW+R98FqrWwMo3JE165bRB8iQOdDP3xE1+bvUMDYh +8wFR9gfNrKhqXubJ3lCHKgaApTXNKM/jwrT/pqhF6iNfPIbKAMTT4VZPy4/eI45R +03Yn+dJnZLDz7BDpnuhORp8XzQqfxSGBX0Rdr17xYOwGHcruwoitRyS/w8p8EKos +/LIDvjzye5GaPXqXkAkcBcLBpWlgMm+j8xE+LzGw1NVw8vWMSpP2WX9kp7aPbh+A +jSbT522yHy1r6WeElbSY7WOFvnmgbZ19pUdyz8CN6KKb87dBA0joyWSly5ZsNbjh +/YuRhCgRExvdQ6kImwdKAfO7RLkxho6jny1HAgMBAAGjXjBcMB0GA1UdDgQWBBT5 +fenRjyFKUb1XvUnm4GV9kZmONDAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa +3fVQQzAJBgNVHRMEAjAAMA8GA1UdEQQIMAaHBMCoAAEwDQYJKoZIhvcNAQELBQAD +ggEBACKtfZCcP/pY8Bu+lb/pGZj5txsmNbJ1l2RVACQA7CGjwfUr7VaQGMuT+FuA +Erlh+UnEC3R/e1xQwgJeuAXBOWFkxA61isVSrmM7YM6vDB0+t8N9lMUFjPbRyEkM +A5kaSLPrgSOg7ONsO6YGbaWm1XCoUC6Ilrdzy+ckzklgjYRth99b2d5WrjIxEWIq +BX2DI2ruetjXYGRzsqSK+O9d4fsqrb5M0ZCNWQZ4WnrMNaAeHWpW6NqSvof/N21x +WC5zcU7GXLrDigwWPMDLQhVtu4OihWjsqugh6Jl7DxDBhi8JKO6tJQAISHjKaL98 +yXZFsQ//q7ATwlcHyB81B+X16AI= +-----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/badcn1-key.pem b/crypto/external/bsd/openssl/dist/test/certs/badcn1-key.pem new file mode 100644 index 000000000000..dbcf4b5d44ca --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/certs/badcn1-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDN9WI6OyxnW+R9 +8FqrWwMo3JE165bRB8iQOdDP3xE1+bvUMDYh8wFR9gfNrKhqXubJ3lCHKgaApTXN +KM/jwrT/pqhF6iNfPIbKAMTT4VZPy4/eI45R03Yn+dJnZLDz7BDpnuhORp8XzQqf +xSGBX0Rdr17xYOwGHcruwoitRyS/w8p8EKos/LIDvjzye5GaPXqXkAkcBcLBpWlg +Mm+j8xE+LzGw1NVw8vWMSpP2WX9kp7aPbh+AjSbT522yHy1r6WeElbSY7WOFvnmg +bZ19pUdyz8CN6KKb87dBA0joyWSly5ZsNbjh/YuRhCgRExvdQ6kImwdKAfO7RLkx +ho6jny1HAgMBAAECggEBAKDxiUHx7cATShm0ElZnd6+dtQfKwv8zsuIpm+hk62Ef +d0zYI+UhrT1sIiryKmV9JaJITOtixtQOxl088D+Obrx8cnC4B84rUTVXpnfgVf9j +FljDtjpxIZsZmPbc836ZUZoOaICKpVYHD69Mb+NWG+mN2oaLc8VP0L4FXKLzvl7u +69NQlTPG2CS61BktVqMtWWc/9CvdOwqwVbckyISj9QLUgSXIyB4IP3bjp0RYSpOu +m3nhuhil1G3c05R4UfiE2d9Er7SBBoQ304ld892YRinSgtZqC1G25uZmWJ3ekAAM +bg6P0hBd86F/G2TxNdelYrxTazjqZShYi1N48SK6kUECgYEA+51O19Q5XkskD/Dn +VfaCjSOTFwDlb5ATmVCrJu+13/5IJfmJgWA6xdqfWoqxSOsJzXBEETKWgkahoo4K +OU1UaBTHEJ588xOpoMzbJkKlb5hPseEQsvu055Ky0euMgmlrALPQQ9e1DUSlowui +Cq9wCak4dqq9NNs6FMIeGhqczGECgYEA0YxcajJFxPHJsdFCVa4tdy9jgfC64t4Y +CWDzRfUnuX24ILbW9+olvvoZkMSzoVpiQ9YU8kPJUaOyFrw6jUV5GRHUCMgfkx2Y +nqe+7aSFmv0Nlo0RMV2PqaOZzlxnG9FzyNE+4PygZqtFhN21b5Idc69k2Ltu7K4J +J4MG1kMUGqcCgYEA0ttUPEisPtoHgZhntUFczHx4gnmMzH5X/k5876dIqkrFGZXR +5urGthHtIwpBYZMeZtxjHmpfeRNJ1xjjdnvYdVScMdAvc+ERcSDbsmd9jlR8zNuI +jAWl576nPoX//TXspu0JZiE5p8HUcRuJkxzMbjwyhje1Ubs6JDU81rFgn2ECgYAG +3WVNqVX1zMIBzEwzCGC+7dOBt0Q4GHSLIhz2JsDlZ8P3dmX2ezo/Vmwt/POxjod3 +l3TaNvRKc2VrL0FvzV3ZP2dF3mCCbk7Iq9AqcuBZon6mdvqgNmN1eEGarBZIqAT2 +CDzaHAyZMHU3lBfUjuHeH1nba9CHenAcVkOME2h+MwKBgQDiHAnTK4ovCNmT5E9i +03x/wPSH8FZ3Wrb1GMtNlTc7lOtB5eYIvwkaloJkNKHbUDv57V66hnYT6CyH4u45 +dPtuohtafL9mdScYqmicGLtbLLglSQpJYt4J59hffNZ30E84dKXtyDN7E5P5Z00Z +8PbOMUy3oK6j+GMP/xRNI76RtA== +-----END PRIVATE KEY----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/goodcn1-cert.pem b/crypto/external/bsd/openssl/dist/test/certs/goodcn1-cert.pem new file mode 100644 index 000000000000..d9205e03b005 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/certs/goodcn1-cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkTCCAnmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMTgwNTE2MDI0MDA0WhgPMjExODA1MTcwMjQwMDRaMIGeMSMw +IQYDVQQKDBpHb29kIE5DIFRlc3QgQ2VydGlmaWNhdGUgMTEVMBMGA1UEAwwMd3d3 +Lmdvb2Qub3JnMRUwEwYDVQQDDAxhbnkuZ29vZC5jb20xETAPBgNVBAMMCG5vdC4u +ZG5zMRAwDgYDVQQDDAdub3RAZG5zMREwDwYDVQQDDAhub3QtLmRuczERMA8GA1UE +AwwIbm90LmRucy4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDigxI +nlYVjHtrFI+Iv/3b0jeZbs1jVnPF6ZREk46BTNAVNZsq24jKFG6yK4n9vKA/JuS7 +jZe+gMX+sWh/S1IlsNDY8/Io1UsG/s1tmsvE2UrURUX4s8HnqB6AZ4Y9Cp4rSADe +mD/YdekRf3HFA0IKQvIFRkpegj8uuWwILC0n/ozMNUlNmxCBlOmtFwjFxmNr9Txa +ZeFvWvvc6oTubAETK4HcjLdimx1tePdd4+0mxJ/akQ3wVzUAI2ysijMmMJDzTxLs +FPkw4yUtJHK0/H2yJtpoJ4wQjsWd6a8F7wY/pHszAud1M8QZJKQDzkJOMnqLKNLT +OKw6dm1UG2J7iuqtAgMBAAGjXjBcMB0GA1UdDgQWBBSTKvqap2ab0z/UPrdDgc0V +m88R3TAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAA +MA8GA1UdEQQIMAaHBMCoAAEwDQYJKoZIhvcNAQELBQADggEBADcdm62qaOHbIDoa +5oUjXGHSQjV1g4BFe6DLH5/CZ0wOws3QzfQbPIxJrp3yJgDcQyZNOE/xQlq/nASS +thU6cUTB07voFVnbotB8YQuNU1wM9TAJOHC9LT1Y0J2GIP6QeXts6Cz6aBlqaQEZ +IrGRLuKVZePTO0Haup0mZ91XoXs3CBzkSerl0XpFL7BeugSigrhprFRPB4UC3IWb +pdNar61Wk4bN/COb6utRkK3iYk5YUTqYFib9EG4VBdxYfXv/tiBIGqQLnqPbId6w +q+McpSEPF1DIcCyL0vEDdIVN0SzxMfnfHMx0Qp0sh2aydIZk4xfEqXHZgZthSrse +u7nhn7s= +-----END CERTIFICATE----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/goodcn1-key.pem b/crypto/external/bsd/openssl/dist/test/certs/goodcn1-key.pem new file mode 100644 index 000000000000..2ad660c6dbfa --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/certs/goodcn1-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDigxInlYVjHtr +FI+Iv/3b0jeZbs1jVnPF6ZREk46BTNAVNZsq24jKFG6yK4n9vKA/JuS7jZe+gMX+ +sWh/S1IlsNDY8/Io1UsG/s1tmsvE2UrURUX4s8HnqB6AZ4Y9Cp4rSADemD/YdekR +f3HFA0IKQvIFRkpegj8uuWwILC0n/ozMNUlNmxCBlOmtFwjFxmNr9TxaZeFvWvvc +6oTubAETK4HcjLdimx1tePdd4+0mxJ/akQ3wVzUAI2ysijMmMJDzTxLsFPkw4yUt +JHK0/H2yJtpoJ4wQjsWd6a8F7wY/pHszAud1M8QZJKQDzkJOMnqLKNLTOKw6dm1U +G2J7iuqtAgMBAAECggEAeQ1xZVOAf36kuTnVUhdplTii6v3JcQIIUjG0dG/U/P8M +otS45uNZ36CelvaVStwHaJEvcVzK4EjgSjiSNJvwkxzPbkA3XkgNVptPmdcG5yqO +RLNOChVeqYdOurdcR1XXbXv57dPbUqpMS2TWjdzieW/QXKuTRsbjTo3D75tJqUO6 +1Bm4sSM3PogmsQwTP8HlZAmJXuSD+ZSB22Np5pT1dn5TvQU6xeA3NJR4ZO/HEZz4 +CHJEiOx2BuGD6M0V1ZL6DzEsyIS/KKsvj4I2F4ROAK1j3lSD5VqrYPXn3oEsQdlm +OW8aVnHPYO6FI0LVLgcIEKxhdwGV3i6v/GRUe0Y9kQKBgQD0Zqn1trAuP5Peiy1K +Wc91yRjQxQTwSD00hzXMtvKzkEIiLEuVZq9qrqQ2TRRa5xneDGHDuUY9eZY8JwEr +l7f8CcfYC93PXLyRM2Gaz0jMxZxVPz5w7zssK3DZ+7JvH3nKkCUl7+Y0tH26qTO0 +wTD9w9jd9bf85SLVgk3zSbUDwwKBgQDM0b2ffZpxyA16h7w8ZBuk1Z+iumrxnn5/ +lKtffR2b4dZN37KiWw2c265vYhRfe/ANnVuagXb9aRM97yeQloRlWR10AaXJz3EB +sromqFShkorYRhwZoRiJC0laLG3W76wKMRr2T6TM1UG9gJ0szdGFG/yUDU+9pTRo +uq514rGgzwKBgQCGtsAgLF7YXzsGg/im7vInnn0LNk4OlAMInS7OdFk7GN0bMQdI +hp1SVIk3VS1PHetoNbL9y3YoFIj3BxjiCnLjfhClyYSt9BQMhSHbzz31gUc2xfGJ +FpSrOBawUMh97/+V4/ZV/vIJQyO6a+GQVJzIg9daIUMVJsgYoAaPf6VDOQKBgFyH +eHnf/XDfpq8vOOuzcgWieG7EduHW72DlohIObNzqRq2BnKraJakyWXh6P6fvTsBn +0WVYjY/n80hsjVw1k3RRsQuiXupv66aPvqcOLsWbdVxFOBaf/3yR+75gCfMq7Xbh +PkP+MP5UbVGWE+uUw821mgKsjNSpGKcjhwM8uXBjAoGAFEU3O8gQXfocVB8lxUeU +c0inLdAIgiw/36NPuW4NwKxzLOmHzlmvn7C98ihnbnGoQ0XBRfLw8siTbD3INgHY +NA0JeK8Qrt56b6wK14w9RzLQTu9gy1pULW21p1wswdNK4tlxfnnnozISZAYxeqAx +YMTtYZN77nb+yY4oE6XEugQ= +-----END PRIVATE KEY----- diff --git a/crypto/external/bsd/openssl/dist/test/certs/setup.sh b/crypto/external/bsd/openssl/dist/test/certs/setup.sh index 7e1086a2240d..018e5fc69095 100755 --- a/crypto/external/bsd/openssl/dist/test/certs/setup.sh +++ b/crypto/external/bsd/openssl/dist/test/certs/setup.sh @@ -241,15 +241,30 @@ NC="$NC excluded;DNS:bad.ok.good.com" NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \ ncca1-key ncca1-cert -# all subjectAltNames allowed by CA1. +# all subjectAltNames allowed by CA1. Some CNs are not! ./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \ - "1.CN=www.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \ + "1.CN=www.example.net" "2.CN=Joe Bloggs" | \ ./mkcert.sh geneealt alt1-key alt1-cert ncca1-key ncca1-cert \ "DNS.1 = www.good.org" "DNS.2 = any.good.com" \ "email.1 = good@good.org" "email.2 = any@good.com" \ "IP = 127.0.0.1" "IP = 192.168.0.1" +# all DNS-like CNs allowed by CA1, no DNS SANs. + +./mkcert.sh req goodcn1-key "O = Good NC Test Certificate 1" \ + "1.CN=www.good.org" "2.CN=any.good.com" \ + "3.CN=not..dns" "4.CN=not@dns" "5.CN=not-.dns" "6.CN=not.dns." | \ + ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \ + "IP = 127.0.0.1" "IP = 192.168.0.1" + +# Some DNS-like CNs not permitted by CA1, no DNS SANs. + +./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \ + "1.CN=www.good.org" "3.CN=bad.net" | \ + ./mkcert.sh geneealt badcn1-key badcn1-cert ncca1-key ncca1-cert \ + "IP = 127.0.0.1" "IP = 192.168.0.1" + # no subjectAltNames excluded by CA2. ./mkcert.sh req alt2-key "O = Good NC Test Certificate 2" | \ @@ -293,19 +308,17 @@ NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \ "email.1 = good@good.org" "email.2 = any@good.com" \ "IP = 127.0.0.2" -# all subject alt names OK but subject CN not allowed by CA1. +# No DNS-ID SANs and subject CN not allowed by CA1. ./mkcert.sh req badalt6-key "O = Bad NC Test Certificate 6" \ "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \ ./mkcert.sh geneealt badalt6-key badalt6-cert ncca1-key ncca1-cert \ - "DNS.1 = www.good.org" "DNS.2 = any.good.com" \ "email.1 = good@good.org" "email.2 = any@good.com" \ "IP = 127.0.0.1" "IP = 192.168.0.1" -# all subject alt names OK but subject CN not allowed by CA1, BMPSTRING +# No DNS-ID SANS and subject CN not allowed by CA1, BMPSTRING REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \ "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \ ./mkcert.sh geneealt badalt7-key badalt7-cert ncca1-key ncca1-cert \ - "DNS.1 = www.good.org" "DNS.2 = any.good.com" \ "email.1 = good@good.org" "email.2 = any@good.com" \ "IP = 127.0.0.1" "IP = 192.168.0.1" diff --git a/crypto/external/bsd/openssl/dist/test/errtest.c b/crypto/external/bsd/openssl/dist/test/errtest.c new file mode 100644 index 000000000000..df4cddb096dd --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/errtest.c @@ -0,0 +1,40 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +#include "testutil.h" + +#if defined(OPENSSL_SYS_WINDOWS) +# include +#else +# include +#endif + +/* Test that querying the error queue preserves the OS error. */ +static int preserves_system_error(void) +{ +#if defined(OPENSSL_SYS_WINDOWS) + SetLastError(ERROR_INVALID_FUNCTION); + ERR_get_error(); + return GetLastError() == ERROR_INVALID_FUNCTION; +#else + errno = EINVAL; + ERR_get_error(); + return errno == EINVAL; +#endif +} + +int main(int argc, char **argv) +{ + ADD_TEST(preserves_system_error); + + return run_tests(argv[0]); +} diff --git a/crypto/external/bsd/openssl/dist/test/evp_test.c b/crypto/external/bsd/openssl/dist/test/evp_test.c index fb2ca279bf7c..ea9455374f48 100644 --- a/crypto/external/bsd/openssl/dist/test/evp_test.c +++ b/crypto/external/bsd/openssl/dist/test/evp_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1592,19 +1592,19 @@ static int pderive_test_run(struct evp_test *t) struct pkey_data *kdata = t->data; unsigned char *out = NULL; size_t out_len; - const char *err = "INTERNAL_ERROR"; + const char *err = "DERIVE_ERROR"; - out_len = kdata->output_len; + if (EVP_PKEY_derive(kdata->ctx, NULL, &out_len) <= 0) + goto err; out = OPENSSL_malloc(out_len); if (!out) { fprintf(stderr, "Error allocating output buffer!\n"); exit(1); } - err = "DERIVE_ERROR"; if (EVP_PKEY_derive(kdata->ctx, out, &out_len) <= 0) goto err; err = "SHARED_SECRET_LENGTH_MISMATCH"; - if (out_len != kdata->output_len) + if (kdata->output == NULL || out_len != kdata->output_len) goto err; err = "SHARED_SECRET_MISMATCH"; if (check_output(t, kdata->output, out, out_len)) diff --git a/crypto/external/bsd/openssl/dist/test/evptests.txt b/crypto/external/bsd/openssl/dist/test/evptests.txt index fd8d98d6a5d8..269684e11b3f 100644 --- a/crypto/external/bsd/openssl/dist/test/evptests.txt +++ b/crypto/external/bsd/openssl/dist/test/evptests.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -19144,6 +19144,35 @@ PeerKey=KAS-ECC-CDH_B-571_C24-Peer-PUBLIC Ctrl=ecdh_cofactor_mode:1 SharedSecret=02da266a269bdc8d8b2a0c6bb5762f102fc801c8d5394a9271539136bd81d4b69cfbb7525cd0a983fb7f7e9deec583b8f8e574c6184b2d79831ec770649e484dc006fa35b0bffd0b +# for cofactor-order points, ECC CDH (co-factor ECDH) should fail. Test that. + +PrivateKey=ALICE_cf_sect283k1 +-----BEGIN PRIVATE KEY----- +MIGQAgEAMBAGByqGSM49AgEGBSuBBAAQBHkwdwIBAQQkAHtPwRfQZ9pWgSctyHdt +xt3pd8ESMI3ugVx8MDLkiVB8GkCRoUwDSgAEA+xpY5sDcgM2yYxoWOrzH7WUH+b3 +n68A32kODgcKu8PXRYEKBH8Xzbr974982ZJW1sGrDs+P81sIFH8tdp45Jkr+OtfM +8uKr +-----END PRIVATE KEY----- + +PublicKey=ALICE_cf_sect283k1_PUB +-----BEGIN PUBLIC KEY----- +MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEA+xpY5sDcgM2yYxoWOrzH7WUH+b3n68A +32kODgcKu8PXRYEKBH8Xzbr974982ZJW1sGrDs+P81sIFH8tdp45Jkr+OtfM8uKr +-----END PUBLIC KEY----- + +PublicKey=BOB_cf_sect283k1_PUB +-----BEGIN PUBLIC KEY----- +MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB +-----END PUBLIC KEY----- + +PrivPubKeyPair = ALICE_cf_sect283k1:ALICE_cf_sect283k1_PUB + +# ECDH Alice with Bob peer +Derive=ALICE_cf_sect283k1 +PeerKey=BOB_cf_sect283k1_PUB +Ctrl=ecdh_cofactor_mode:1 +Result = DERIVE_ERROR # Test mismatches PrivPubKeyPair = Alice-25519:Bob-25519-PUBLIC diff --git a/crypto/external/bsd/openssl/dist/test/recipes/04-test_err.t b/crypto/external/bsd/openssl/dist/test/recipes/04-test_err.t new file mode 100644 index 000000000000..dd7681afa4e4 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/recipes/04-test_err.t @@ -0,0 +1,12 @@ +#! /usr/bin/env perl +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test::Simple; + +simple_test("test_err", "errtest"); diff --git a/crypto/external/bsd/openssl/dist/test/recipes/15-test_genrsa.t b/crypto/external/bsd/openssl/dist/test/recipes/15-test_genrsa.t index cc74e303f115..766ea4f0aa3f 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/15-test_genrsa.t +++ b/crypto/external/bsd/openssl/dist/test/recipes/15-test_genrsa.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -18,9 +18,38 @@ setup("test_genrsa"); plan tests => 5; +# We want to know that an absurdly small number of bits isn't support is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8"); -ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '16'])), "genrsa -3 16"); -ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout'])), "rsa -check"); -ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', '16'])), "genrsa -f4 16"); -ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout'])), "rsa -check"); + +# Depending on the shared library, we might have different lower limits. +# Let's find it! This is a simple binary search +# ------------------------------------------------------------ +# NOTE: $good may need an update in the future +# ------------------------------------------------------------ +note "Looking for lowest amount of bits"; +my $bad = 3; # Log2 of number of bits (2 << 3 == 8) +my $good = 11; # Log2 of number of bits (2 << 11 == 2048) +while ($good > $bad + 1) { + my $checked = int(($good + $bad + 1) / 2); + if (run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', + 2 ** $checked ], stderr => undef))) { + note 2 ** $checked, " bits is good"; + $good = $checked; + } else { + note 2 ** $checked, " bits is bad"; + $bad = $checked; + } +} +$good++ if $good == $bad; +$good = 2 ** $good; +note "Found lowest allowed amount of bits to be $good"; + +ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', $good ])), + "genrsa -3 $good"); +ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])), + "rsa -check"); +ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])), + "genrsa -f4 $good"); +ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])), + "rsa -check"); unlink 'genrsatest.pem'; diff --git a/crypto/external/bsd/openssl/dist/test/recipes/25-test_verify.t b/crypto/external/bsd/openssl/dist/test/recipes/25-test_verify.t index 11bd43090f0b..11f54d0486f6 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/25-test_verify.t +++ b/crypto/external/bsd/openssl/dist/test/recipes/25-test_verify.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -30,7 +30,7 @@ sub verify { run(app([@args])); } -plan tests => 127; +plan tests => 129; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -326,6 +326,12 @@ ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ), ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), "Name Constraints nested test all permitted"); +ok(verify("goodcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints CNs permitted"); + +ok(!verify("badcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints CNs not permitted"); + ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), "Name Constraints hostname not permitted"); diff --git a/crypto/external/bsd/openssl/dist/test/recipes/60-test_x509_dup_cert.t b/crypto/external/bsd/openssl/dist/test/recipes/60-test_x509_dup_cert.t new file mode 100644 index 000000000000..8e1c31381470 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/recipes/60-test_x509_dup_cert.t @@ -0,0 +1,19 @@ +#! /usr/bin/env perl +# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +# ====================================================================== +# Copyright (c) 2017 Oracle and/or its affiliates. All rights reserved. + + +use OpenSSL::Test qw/:DEFAULT srctop_file/; + +setup("test_x509_dup_cert"); + +plan tests => 1; + +ok(run(test(["x509_dup_cert_test", srctop_file("test", "certs", "leaf.pem")]))); diff --git a/crypto/external/bsd/openssl/dist/test/recipes/60-test_x509_time.t b/crypto/external/bsd/openssl/dist/test/recipes/60-test_x509_time.t new file mode 100644 index 000000000000..e812cd0b26f3 --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/recipes/60-test_x509_time.t @@ -0,0 +1,12 @@ +#! /usr/bin/env perl +# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test::Simple; + +simple_test("test_x509_time", "x509_time_test"); diff --git a/crypto/external/bsd/openssl/dist/test/recipes/80-test_cipherlist.t b/crypto/external/bsd/openssl/dist/test/recipes/80-test_cipherlist.t index 98d537e5f368..5c1b1d45457f 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/80-test_cipherlist.t +++ b/crypto/external/bsd/openssl/dist/test/recipes/80-test_cipherlist.t @@ -1,6 +1,6 @@ #! /usr/bin/perl # -# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -12,11 +12,16 @@ use strict; use warnings; use OpenSSL::Test::Simple; -use OpenSSL::Test; +use OpenSSL::Test qw(:DEFAULT openssl_versions); use OpenSSL::Test::Utils qw(alldisabled available_protocols); setup("test_cipherlist"); +my ($build_version, $library_version) = openssl_versions(); +plan skip_all => + "This test recipe isn't supported when doing regression testing" + if $build_version != $library_version; + my $no_anytls = alldisabled(available_protocols("tls")); # If we have no protocols, then we also have no supported ciphers. diff --git a/crypto/external/bsd/openssl/dist/test/recipes/90-test_fuzz.t b/crypto/external/bsd/openssl/dist/test/recipes/90-test_fuzz.t index d15292573350..8d3b3541fc4b 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/90-test_fuzz.t +++ b/crypto/external/bsd/openssl/dist/test/recipes/90-test_fuzz.t @@ -1,5 +1,5 @@ #!/usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -26,14 +26,14 @@ plan tests => scalar @fuzzers; foreach my $f (@fuzzers) { subtest "Fuzzing $f" => sub { - my @files = glob(srctop_file('fuzz', 'corpora', $f, '*')); - push @files, glob(srctop_file('fuzz', 'corpora', "$f-*", '*')); + my @dirs = glob(srctop_file('fuzz', 'corpora', $f)); + push @dirs, glob(srctop_file('fuzz', 'corpora', "$f-*")); - plan skip_all => "No corpora for $f-test" unless @files; + plan skip_all => "No corpora for $f-test" unless @dirs; - plan tests => scalar @files; + plan tests => scalar @dirs; - foreach (@files) { + foreach (@dirs) { ok(run(fuzz(["$f-test", $_]))); } } diff --git a/crypto/external/bsd/openssl/dist/test/recipes/90-test_shlibload.t b/crypto/external/bsd/openssl/dist/test/recipes/90-test_shlibload.t index aa8d98de29e2..04d52658900b 100644 --- a/crypto/external/bsd/openssl/dist/test/recipes/90-test_shlibload.t +++ b/crypto/external/bsd/openssl/dist/test/recipes/90-test_shlibload.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -20,7 +20,7 @@ use configdata; plan skip_all => "Test only supported in a shared build" if disabled("shared"); -plan tests => 3; +plan tests => 4; my $libcrypto_idx = $unified_info{rename}->{libcrypto} // "libcrypto"; my $libssl_idx = $unified_info{rename}->{libssl} // "libssl"; @@ -35,4 +35,6 @@ ok(run(test(["shlibloadtest", "-ssl_first", $libcrypto, $libssl])), "running shlibloadtest -ssl_first"); ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, $libssl])), "running shlibloadtest -just_crypto"); +ok(run(test(["shlibloadtest", "-dso_ref", $libcrypto, $libssl])), + "running shlibloadtest -dso_ref"); diff --git a/crypto/external/bsd/openssl/dist/test/shlibloadtest.c b/crypto/external/bsd/openssl/dist/test/shlibloadtest.c index 25df363f235b..d584413ac9be 100644 --- a/crypto/external/bsd/openssl/dist/test/shlibloadtest.c +++ b/crypto/external/bsd/openssl/dist/test/shlibloadtest.c @@ -40,6 +40,16 @@ static OpenSSL_version_num_t OpenSSL_version_num; #ifdef DSO_DLFCN +# define DSO_DSOBYADDR "DSO_dsobyaddr" +# define DSO_FREE "DSO_free" + +typedef void DSO; +typedef DSO * (*DSO_dsobyaddr_t)(void (*addr)(void), int flags); +typedef int (*DSO_free_t)(DSO *dso); + +static DSO_dsobyaddr_t DSO_dsobyaddr; +static DSO_free_t DSO_free; + # include typedef void * SHLIB; @@ -108,11 +118,13 @@ static int shlib_close(SHLIB lib) # define CRYPTO_FIRST_OPT "-crypto_first" # define SSL_FIRST_OPT "-ssl_first" # define JUST_CRYPTO_OPT "-just_crypto" +# define DSO_REFTEST_OPT "-dso_ref" enum test_types_en { CRYPTO_FIRST, SSL_FIRST, - JUST_CRYPTO + JUST_CRYPTO, + DSO_REFTEST }; int main(int argc, char **argv) @@ -123,7 +135,7 @@ int main(int argc, char **argv) void (*func) (void); SHLIB_SYM sym; } tls_method_sym, ssl_ctx_new_sym, ssl_ctx_free_sym, err_get_error_sym, - openssl_version_num_sym; + openssl_version_num_sym, dso_dsobyaddr_sym, dso_free_sym; enum test_types_en test_type; int i; @@ -138,6 +150,8 @@ int main(int argc, char **argv) test_type = SSL_FIRST; } else if (strcmp(argv[1], JUST_CRYPTO_OPT) == 0) { test_type = JUST_CRYPTO; + } else if (strcmp(argv[1], DSO_REFTEST_OPT) == 0) { + test_type = DSO_REFTEST; } else { printf("Unrecognised argument\n"); return 1; @@ -145,7 +159,8 @@ int main(int argc, char **argv) for (i = 0; i < 2; i++) { if ((i == 0 && (test_type == CRYPTO_FIRST - || test_type == JUST_CRYPTO)) + || test_type == JUST_CRYPTO + || test_type == DSO_REFTEST)) || (i == 1 && test_type == SSL_FIRST)) { if (!shlib_load(argv[2], &cryptolib)) { printf("Unable to load libcrypto\n"); @@ -161,7 +176,7 @@ int main(int argc, char **argv) } } - if (test_type != JUST_CRYPTO) { + if (test_type != JUST_CRYPTO && test_type != DSO_REFTEST) { if (!shlib_sym(ssllib, TLS_METHOD, &tls_method_sym.sym) || !shlib_sym(ssllib, SSL_CTX_NEW, &ssl_ctx_new_sym.sym) || !shlib_sym(ssllib, SSL_CTX_FREE, &ssl_ctx_free_sym.sym)) { @@ -215,6 +230,38 @@ int main(int argc, char **argv) return 1; } + if (test_type == DSO_REFTEST) { +# ifdef DSO_DLFCN + /* + * This is resembling the code used in ossl_init_base() and + * OPENSSL_atexit() to block unloading the library after dlclose(). + * We are not testing this on Windows, because it is done there in a + * completely different way. Especially as a call to DSO_dsobyaddr() + * will always return an error, because DSO_pathbyaddr() is not + * implemented there. + */ + if (!shlib_sym(cryptolib, DSO_DSOBYADDR, &dso_dsobyaddr_sym.sym) + || !shlib_sym(cryptolib, DSO_FREE, &dso_free_sym.sym)) { + printf("Unable to load crypto dso symbols\n"); + return 1; + } + + DSO_dsobyaddr = (DSO_dsobyaddr_t)dso_dsobyaddr_sym.func; + DSO_free = (DSO_free_t)dso_free_sym.func; + + { + DSO *hndl; + /* use known symbol from crypto module */ + if ((hndl = DSO_dsobyaddr((void (*)(void))ERR_get_error, 0)) != NULL) { + DSO_free(hndl); + } else { + printf("Unable to obtain DSO reference from crypto symbol\n"); + return 1; + } + } +# endif /* DSO_DLFCN */ + } + for (i = 0; i < 2; i++) { if ((i == 0 && test_type == CRYPTO_FIRST) || (i == 1 && test_type == SSL_FIRST)) { @@ -224,7 +271,8 @@ int main(int argc, char **argv) } } if ((i == 0 && (test_type == SSL_FIRST - || test_type == JUST_CRYPTO)) + || test_type == JUST_CRYPTO + || test_type == DSO_REFTEST)) || (i == 1 && test_type == CRYPTO_FIRST)) { if (!shlib_close(cryptolib)) { printf("Unable to close libcrypto\n"); diff --git a/crypto/external/bsd/openssl/dist/test/sslapitest.c b/crypto/external/bsd/openssl/dist/test/sslapitest.c index 77e8f2e9ad36..8badd284e328 100644 --- a/crypto/external/bsd/openssl/dist/test/sslapitest.c +++ b/crypto/external/bsd/openssl/dist/test/sslapitest.c @@ -1208,6 +1208,61 @@ end: return testresult; } +static int test_ssl_pending(int tst) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + char msg[] = "A test message"; + char buf[5]; + size_t written; + + if (tst == 0) { + if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + TLS1_VERSION, TLS_MAX_VERSION, + &sctx, &cctx, cert, privkey)) { + printf("Failed creating SSL_CTX pair\n"); + goto end; + } + } else { +#ifndef OPENSSL_NO_DTLS + if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(), + DTLS1_VERSION, DTLS_MAX_VERSION, + &sctx, &cctx, cert, privkey)) { + printf("Failed creating SSL_CTX pair\n"); + goto end; + } +#else + return 1; +#endif + } + + if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL) + || !create_ssl_connection(serverssl, clientssl)) { + printf("Failed creating connection\n"); + goto end; + } + + written = SSL_write(serverssl, msg, sizeof(msg)); + if (written != sizeof(msg) + || SSL_read(clientssl, buf, sizeof(buf)) != sizeof(buf) + || SSL_pending(clientssl) != (int)(written - sizeof(buf))) { + printf("Failed checking SSL_pending\n"); + goto end; + } + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} + + int main(int argc, char *argv[]) { BIO *err = NULL; @@ -1244,6 +1299,7 @@ int main(int argc, char *argv[]) ADD_TEST(test_ssl_bio_change_wbio); ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); ADD_ALL_TESTS(test_custom_exts, 2); + ADD_ALL_TESTS(test_ssl_pending, 2); testresult = run_tests(argv[0]); diff --git a/crypto/external/bsd/openssl/dist/test/verify_extra_test.c b/crypto/external/bsd/openssl/dist/test/verify_extra_test.c index cc05bc2ef1f0..fabc1dc59f6f 100644 --- a/crypto/external/bsd/openssl/dist/test/verify_extra_test.c +++ b/crypto/external/bsd/openssl/dist/test/verify_extra_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -137,6 +137,43 @@ static int test_alt_chains_cert_forgery(const char *roots_f, return ret; } +static int test_store_ctx(const char *bad_f) +{ + X509_STORE_CTX *sctx = NULL; + X509 *x = NULL; + BIO *bio = NULL; + int testresult = 0, ret; + + bio = BIO_new_file(bad_f, "r"); + if (bio == NULL) + goto err; + + x = PEM_read_bio_X509(bio, NULL, 0, NULL); + if (x == NULL) + goto err; + + sctx = X509_STORE_CTX_new(); + if (sctx == NULL) + goto err; + + if (!X509_STORE_CTX_init(sctx, NULL, x, NULL)) + goto err; + + /* Verifying a cert where we have no trusted certs should fail */ + ret = X509_verify_cert(sctx); + + if (ret == 0) { + /* This is the result we were expecting: Test passed */ + testresult = 1; + } + + err: + X509_STORE_CTX_free(sctx); + X509_free(x); + BIO_free(bio); + return testresult; +} + int main(int argc, char **argv) { CRYPTO_set_mem_debug(1); @@ -152,6 +189,11 @@ int main(int argc, char **argv) return 1; } + if (!test_store_ctx(argv[3])) { + fprintf(stderr, "Test X509_STORE_CTX failed\n"); + return 1; + } + #ifndef OPENSSL_NO_CRYPTO_MDEBUG if (CRYPTO_mem_leaks_fp(stderr) <= 0) return 1; diff --git a/crypto/external/bsd/openssl/dist/test/versions.c b/crypto/external/bsd/openssl/dist/test/versions.c new file mode 100644 index 000000000000..3ab05ec35d5d --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/versions.c @@ -0,0 +1,20 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include + +/* A simple helper for the perl function OpenSSL::Test::openssl_versions */ +int main(void) +{ + printf("Build version: 0x%08lX\n", OPENSSL_VERSION_NUMBER); + printf("Library version: 0x%08lX\n", OpenSSL_version_num()); + return 0; +} diff --git a/crypto/external/bsd/openssl/dist/test/x509_dup_cert_test.c b/crypto/external/bsd/openssl/dist/test/x509_dup_cert_test.c new file mode 100644 index 000000000000..7f7adebbb0fb --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/x509_dup_cert_test.c @@ -0,0 +1,70 @@ +/* + * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* ==================================================================== + * Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved. + */ + +#include +#include +#include + +static int test_509_dup_cert(const char *cert_f) +{ + int ret = 0; + X509_STORE_CTX *sctx = NULL; + X509_STORE *store = NULL; + X509_LOOKUP *lookup = NULL; + + store = X509_STORE_new(); + if (store == NULL) + goto err; + + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if (lookup == NULL) + goto err; + + if (!X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM)) + goto err; + if (!X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM)) + goto err; + + ret = 1; + + err: + X509_STORE_CTX_free(sctx); + X509_STORE_free(store); + if (ret != 1) + ERR_print_errors_fp(stderr); + return ret; +} + +int main(int argc, char **argv) +{ + CRYPTO_set_mem_debug(1); + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); + + if (argc != 2) { + fprintf(stderr, "usage: x509_dup_cert_test cert.pem\n"); + return 1; + } + + if (!test_509_dup_cert(argv[1])) { + fprintf(stderr, "Test X509 duplicate cert failed\n"); + return 1; + } + +#ifndef OPENSSL_NO_CRYPTO_MDEBUG + if (CRYPTO_mem_leaks_fp(stderr) <= 0) + return 1; +#endif + + printf("PASS\n"); + return 0; +} diff --git a/crypto/external/bsd/openssl/dist/test/x509_time_test.c b/crypto/external/bsd/openssl/dist/test/x509_time_test.c new file mode 100644 index 000000000000..32d65c87617b --- /dev/null +++ b/crypto/external/bsd/openssl/dist/test/x509_time_test.c @@ -0,0 +1,212 @@ +/* + * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Tests for X509 time functions */ + +#include +#include + +#include +#include +#include "testutil.h" +#include "e_os.h" + +typedef struct { + const char *data; + int type; + time_t cmp_time; + /* -1 if asn1_time <= cmp_time, 1 if asn1_time > cmp_time, 0 if error. */ + int expected; +} TESTDATA; + +static TESTDATA x509_cmp_tests[] = { + { + "20170217180154Z", V_ASN1_GENERALIZEDTIME, + /* The same in seconds since epoch. */ + 1487354514, -1, + }, + { + "20170217180154Z", V_ASN1_GENERALIZEDTIME, + /* One second more. */ + 1487354515, -1, + }, + { + "20170217180154Z", V_ASN1_GENERALIZEDTIME, + /* One second less. */ + 1487354513, 1, + }, + /* Same as UTC time. */ + { + "170217180154Z", V_ASN1_UTCTIME, + /* The same in seconds since epoch. */ + 1487354514, -1, + }, + { + "170217180154Z", V_ASN1_UTCTIME, + /* One second more. */ + 1487354515, -1, + }, + { + "170217180154Z", V_ASN1_UTCTIME, + /* One second less. */ + 1487354513, 1, + }, + /* UTCTime from the 20th century. */ + { + "990217180154Z", V_ASN1_UTCTIME, + /* The same in seconds since epoch. */ + 919274514, -1, + }, + { + "990217180154Z", V_ASN1_UTCTIME, + /* One second more. */ + 919274515, -1, + }, + { + "990217180154Z", V_ASN1_UTCTIME, + /* One second less. */ + 919274513, 1, + }, + /* Various invalid formats. */ + { + /* No trailing Z. */ + "20170217180154", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* No trailing Z, UTCTime. */ + "170217180154", V_ASN1_UTCTIME, 0, 0, + }, + { + /* No seconds. */ + "201702171801Z", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* No seconds, UTCTime. */ + "1702171801Z", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Fractional seconds. */ + "20170217180154.001Z", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Fractional seconds, UTCTime. */ + "170217180154.001Z", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Timezone offset. */ + "20170217180154+0100", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Timezone offset, UTCTime. */ + "170217180154+0100", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Extra digits. */ + "2017021718015400Z", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Extra digits, UTCTime. */ + "17021718015400Z", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Non-digits. */ + "2017021718015aZ", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Non-digits, UTCTime. */ + "17021718015aZ", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Trailing garbage. */ + "20170217180154Zlongtrailinggarbage", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Trailing garbage, UTCTime. */ + "170217180154Zlongtrailinggarbage", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Swapped type. */ + "20170217180154Z", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Swapped type. */ + "170217180154Z", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Bad type. */ + "20170217180154Z", V_ASN1_OCTET_STRING, 0, 0, + }, +}; + +static int test_x509_cmp_time(int idx) +{ + ASN1_TIME t; + int result; + + memset(&t, 0, sizeof(t)); + t.type = x509_cmp_tests[idx].type; + t.data = (unsigned char*)(x509_cmp_tests[idx].data); + t.length = strlen(x509_cmp_tests[idx].data); + + result = X509_cmp_time(&t, &x509_cmp_tests[idx].cmp_time); + if (result != x509_cmp_tests[idx].expected) { + fprintf(stderr, "test_x509_cmp_time(%d) failed: expected %d, got %d\n", + idx, x509_cmp_tests[idx].expected, result); + return 0; + } + return 1; +} + +static int test_x509_cmp_time_current() +{ + time_t now = time(NULL); + /* Pick a day earlier and later, relative to any system clock. */ + ASN1_TIME *asn1_before = NULL, *asn1_after = NULL; + int cmp_result, failed = 0; + + asn1_before = ASN1_TIME_adj(NULL, now, -1, 0); + asn1_after = ASN1_TIME_adj(NULL, now, 1, 0); + + cmp_result = X509_cmp_time(asn1_before, NULL); + if (cmp_result != -1) { + fprintf(stderr, "test_x509_cmp_time_current failed: expected -1, got %d\n", + cmp_result); + failed = 1; + } + + cmp_result = X509_cmp_time(asn1_after, NULL); + if (cmp_result != 1) { + fprintf(stderr, "test_x509_cmp_time_current failed: expected 1, got %d\n", + cmp_result); + failed = 1; + } + + ASN1_TIME_free(asn1_before); + ASN1_TIME_free(asn1_after); + + return failed == 0; +} + +int main(int argc, char **argv) +{ + int ret = 0; + unsigned int idx; + + if (!test_x509_cmp_time_current()) + ret = 1; + + for (idx=0 ; idx < OSSL_NELEM(x509_cmp_tests) ; ++idx) { + if (!test_x509_cmp_time(idx)) + ret = 1; + } + + if (ret == 0) + printf("PASS\n"); + return ret; +} diff --git a/crypto/external/bsd/openssl/dist/util/copy.pl b/crypto/external/bsd/openssl/dist/util/copy.pl index 01964f585e87..fe1c908e681a 100644 --- a/crypto/external/bsd/openssl/dist/util/copy.pl +++ b/crypto/external/bsd/openssl/dist/util/copy.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -18,6 +18,7 @@ use Fcntl; my $stripcr = 0; my $arg; +my @excludes = (); foreach $arg (@ARGV) { if ($arg eq "-stripcr") @@ -25,11 +26,16 @@ foreach $arg (@ARGV) { $stripcr = 1; next; } + if ($arg =~ /^-exclude_re=(.*)$/) + { + push @excludes, $1; + next; + } $arg =~ s|\\|/|g; # compensate for bug/feature in cygwin glob... $arg = qq("$arg") if ($arg =~ /\s/); # compensate for bug in 5.10... - foreach (glob $arg) + foreach my $f (glob $arg) { - push @filelist, $_; + push @filelist, $f unless grep { $f =~ /$_/ } @excludes; } } diff --git a/crypto/external/bsd/openssl/dist/util/dofile.pl b/crypto/external/bsd/openssl/dist/util/dofile.pl index fc72989b0fd9..4533c135a30e 100644 --- a/crypto/external/bsd/openssl/dist/util/dofile.pl +++ b/crypto/external/bsd/openssl/dist/util/dofile.pl @@ -40,7 +40,7 @@ package OpenSSL::Template; use File::Basename; use File::Spec::Functions; use lib "$FindBin::Bin/perl"; -use with_fallback qw(Text::Template); +use with_fallback "Text::Template 1.46"; #use parent qw/Text::Template/; use vars qw/@ISA/; @@ -99,9 +99,9 @@ package main; # This adds quotes (") around the given string, and escapes any $, @, \, # " and ' by prepending a \ to them. sub quotify1 { - my $s = my $orig = shift @_; + my $s = shift @_; $s =~ s/([\$\@\\"'])/\\$1/g; - $s ne $orig || $s =~ /\s/ ? '"'.$s.'"' : $s; + '"'.$s.'"'; } # quotify_l LIST diff --git a/crypto/external/bsd/openssl/dist/util/echo.pl b/crypto/external/bsd/openssl/dist/util/echo.pl new file mode 100644 index 000000000000..d90e52129bab --- /dev/null +++ b/crypto/external/bsd/openssl/dist/util/echo.pl @@ -0,0 +1,12 @@ +#! /usr/bin/perl + +use strict; +use warnings; +use Getopt::Std; + +our $opt_n = 0; + +getopts('n') or die "Invalid option: $!\n"; + +print join(' ', @ARGV); +print "\n" unless $opt_n; diff --git a/crypto/external/bsd/openssl/dist/util/libcrypto.num b/crypto/external/bsd/openssl/dist/util/libcrypto.num index 8414d97ff114..51f1d7d6540a 100644 --- a/crypto/external/bsd/openssl/dist/util/libcrypto.num +++ b/crypto/external/bsd/openssl/dist/util/libcrypto.num @@ -4234,3 +4234,32 @@ CRYPTO_secure_clear_free 4315 1_1_0g EXIST::FUNCTION: EVP_PKEY_set1_engine 4347 1_1_0g EXIST::FUNCTION:ENGINE OCSP_resp_get0_signer 4374 1_1_0h EXIST::FUNCTION:OCSP X509_get0_authority_key_id 4448 1_1_0h EXIST::FUNCTION: +conf_ssl_name_find 4469 1_1_0i EXIST::FUNCTION: +conf_ssl_get_cmd 4470 1_1_0i EXIST::FUNCTION: +conf_ssl_get 4471 1_1_0i EXIST::FUNCTION: +X509_VERIFY_PARAM_get_hostflags 4472 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_get_by_fingerprint 4493 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_new 4494 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_init 4495 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_get_by_alias 4496 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_new_item 4497 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_shutdown 4498 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_new_item 4499 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_ctrl 4500 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_get_by_issuer_serial 4501 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_get_store 4502 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_ctrl 4503 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_get_by_alias 4504 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_get_by_subject 4505 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_free 4506 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_get_by_subject 4507 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_free 4508 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_shutdown 4509 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_set_method_data 4510 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_get_method_data 4511 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_get_by_fingerprint 4512 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_free 4513 1_1_0i EXIST::FUNCTION: +X509_OBJECT_set1_X509 4514 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_get_by_issuer_serial 4515 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_init 4516 1_1_0i EXIST::FUNCTION: +X509_OBJECT_set1_X509_CRL 4517 1_1_0i EXIST::FUNCTION: diff --git a/crypto/external/bsd/openssl/dist/util/mkdef.pl b/crypto/external/bsd/openssl/dist/util/mkdef.pl index 66db26c3b956..823cb664d0ae 100755 --- a/crypto/external/bsd/openssl/dist/util/mkdef.pl +++ b/crypto/external/bsd/openssl/dist/util/mkdef.pl @@ -252,6 +252,7 @@ $crypto.=" include/internal/o_dir.h"; $crypto.=" include/internal/o_str.h"; $crypto.=" include/internal/err.h"; $crypto.=" include/internal/asn1t.h"; +$crypto.=" include/internal/sslconf.h"; $crypto.=" include/openssl/des.h" ; # unless $no_des; $crypto.=" include/openssl/idea.h" ; # unless $no_idea; $crypto.=" include/openssl/rc4.h" ; # unless $no_rc4; @@ -1335,7 +1336,7 @@ EOF } elsif ($VMS) { print OUT ")\n"; (my $libvmaj, my $libvmin, my $libvedit) = - $currversion =~ /^(\d+)_(\d+)_(\d+)$/; + $currversion =~ /^(\d+)_(\d+)_(\d+)[a-z]{0,2}$/; # The reason to multiply the edit number with 100 is to make space # for the possibility that we want to encode the patch letters print OUT "GSMATCH=LEQUAL,",($libvmaj * 100 + $libvmin),",",($libvedit * 100),"\n"; diff --git a/crypto/external/bsd/openssl/dist/util/perl/OpenSSL/Test.pm b/crypto/external/bsd/openssl/dist/util/perl/OpenSSL/Test.pm index 5de7b58e8be4..a6be4878950a 100644 --- a/crypto/external/bsd/openssl/dist/util/perl/OpenSSL/Test.pm +++ b/crypto/external/bsd/openssl/dist/util/perl/OpenSSL/Test.pm @@ -21,7 +21,8 @@ $VERSION = "0.8"; @EXPORT_OK = (@Test::More::EXPORT_OK, qw(bldtop_dir bldtop_file srctop_dir srctop_file data_file - pipe with cmdstr quotify)); + pipe with cmdstr quotify + openssl_versions)); =head1 NAME @@ -695,6 +696,32 @@ sub quotify { return map { $arg_formatter->($_) } @_; } +=over 4 + +=item B + +Returns a list of two numbers, the first representing the build version, +the second representing the library version. See opensslv.h for more +information on those numbers. + += back + +=cut + +my @versions = (); +sub openssl_versions { + unless (@versions) { + my %lines = + map { s/\R$//; + /^(.*): (0x[[:xdigit:]]{8})$/; + die "Weird line: $_" unless defined $1; + $1 => hex($2) } + run(test(['versions']), capture => 1); + @versions = ( $lines{'Build version'}, $lines{'Library version'} ); + } + return @versions; +} + ###################################################################### # private functions. These are never exported. diff --git a/crypto/external/bsd/openssl/dist/util/perl/with_fallback.pm b/crypto/external/bsd/openssl/dist/util/perl/with_fallback.pm index 2af1d5fbd50d..242365033fc4 100644 --- a/crypto/external/bsd/openssl/dist/util/perl/with_fallback.pm +++ b/crypto/external/bsd/openssl/dist/util/perl/with_fallback.pm @@ -1,4 +1,4 @@ -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -8,15 +8,17 @@ package with_fallback; sub import { + shift; + use File::Basename; use File::Spec::Functions; foreach (@_) { - eval "require $_"; + eval "use $_"; if ($@) { unshift @INC, catdir(dirname(__FILE__), "..", "..", "external", "perl"); my $transfer = "transfer::$_"; - eval "require $transfer"; + eval "use $transfer"; shift @INC; warn $@ if $@; } diff --git a/crypto/external/bsd/openssl/dist/util/process_docs.pl b/crypto/external/bsd/openssl/dist/util/process_docs.pl index e084df78a571..f7daef0dd896 100755 --- a/crypto/external/bsd/openssl/dist/util/process_docs.pl +++ b/crypto/external/bsd/openssl/dist/util/process_docs.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -101,7 +101,7 @@ foreach my $subdir (keys %{$options{subdir}}) { my $suffix = { man => ".$podinfo{section}".($options{suffix} // ""), html => ".html" } -> {$options{type}}; my $generate = { man => "pod2man --name=$name --section=$podinfo{section} --center=OpenSSL --release=$config{version} \"$podpath\"", - html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=apps:crypto:ssl \"--infile=$podpath\" \"--title=$podname\"" + html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=apps:crypto:ssl \"--infile=$podpath\" \"--title=$podname\" --quiet" } -> {$options{type}}; my $output_dir = catdir($options{destdir}, "man$podinfo{section}"); my $output_file = $podname . $suffix; @@ -115,6 +115,32 @@ foreach my $subdir (keys %{$options{subdir}}) { @output = `$generate`; map { s|href="http://man\.he\.net/(man\d/[^"]+)(?:\.html)?"|href="../$1.html|g; } @output if $options{type} eq "html"; + if ($options{type} eq "man") { + # Because some *roff parsers are more strict than others, + # multiple lines in the NAME section must be merged into + # one. + my $in_name = 0; + my $name_line = ""; + my @newoutput = (); + foreach (@output) { + if ($in_name) { + if (/^\.SH "/) { + $in_name = 0; + push @newoutput, $name_line."\n"; + } else { + chomp (my $x = $_); + $name_line .= " " if $name_line; + $name_line .= $x; + next; + } + } + if (/^\.SH +"NAME" *$/) { + $in_name = 1; + } + push @newoutput, $_; + } + @output = @newoutput; + } } print STDERR "DEBUG: Done processing\n" if $options{debug}; @@ -238,7 +264,7 @@ Print extra debugging output. =head1 COPYRIGHT -Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy