aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2017-11-02 17:35:19 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2017-11-02 17:35:19 +0000
commitb6a9311a3edd056eaacbcbae2fcb723df5d99057 (patch)
tree720225dbdc898757e7df9a925ec85ade660013c1
parent12df5ad9af4981f5d3c31a9819d31618c0f1af51 (diff)
downloadsrc-vendor/openssl/1.0.2m.tar.gz
src-vendor/openssl/1.0.2m.zip
Import OpenSSL 1.0.2m.vendor/openssl/1.0.2m
-rw-r--r--CHANGES38
-rw-r--r--FREEBSD-upgrade4
-rw-r--r--INSTALL6
-rw-r--r--Makefile2
-rw-r--r--NEWS5
-rw-r--r--README2
-rw-r--r--apps/ca.c13
-rw-r--r--apps/s_client.c2
-rw-r--r--apps/s_server.c2
-rw-r--r--apps/speed.c4
-rw-r--r--apps/spkac.c19
-rw-r--r--apps/srp.c66
-rw-r--r--apps/tsget1
-rw-r--r--crypto/asn1/Makefile4
-rw-r--r--crypto/asn1/a_bitstr.c6
-rw-r--r--crypto/asn1/asn1_int.h63
-rw-r--r--crypto/asn1/tasn_fre.c7
-rw-r--r--crypto/asn1/tasn_new.c5
-rw-r--r--crypto/asn1/x_name.c18
-rw-r--r--crypto/asn1/x_pkey.c21
-rwxr-xr-xcrypto/bn/asm/x86_64-mont5.pl12
-rw-r--r--crypto/bn/bn_exp.c22
-rw-r--r--crypto/bn/bn_lib.c3
-rw-r--r--crypto/bn/bn_mont.c3
-rw-r--r--crypto/bn/bn_mul.c40
-rw-r--r--crypto/bn/bn_x931p.c8
-rw-r--r--crypto/cryptlib.c7
-rw-r--r--crypto/dh/Makefile2
-rw-r--r--crypto/dh/dh.h2
-rw-r--r--crypto/dh/dh_kdf.c4
-rw-r--r--crypto/dh/dh_pmeth.c9
-rw-r--r--crypto/dsa/dsa_ameth.c1
-rw-r--r--crypto/dsa/dsa_gen.c2
-rw-r--r--crypto/dsa/dsa_ossl.c42
-rwxr-xr-xcrypto/ec/asm/ecp_nistz256-x86_64.pl22
-rw-r--r--crypto/ec/ecp_mont.c2
-rw-r--r--crypto/ec/ecp_nistp224.c3
-rw-r--r--crypto/ec/ecp_nistp256.c3
-rw-r--r--crypto/ec/ecp_nistp521.c3
-rw-r--r--crypto/ecdh/ech_lib.c9
-rw-r--r--crypto/ecdsa/ecs_lib.c9
-rw-r--r--crypto/ecdsa/ecs_ossl.c24
-rw-r--r--crypto/err/err.c19
-rw-r--r--crypto/evp/e_aes_cbc_hmac_sha1.c13
-rw-r--r--crypto/evp/e_aes_cbc_hmac_sha256.c21
-rw-r--r--crypto/evp/evp.h92
-rw-r--r--crypto/evp/evp_key.c20
-rw-r--r--crypto/evp/pmeth_lib.c167
-rw-r--r--crypto/ex_data.c9
-rw-r--r--crypto/lhash/lhash.c77
-rw-r--r--crypto/ocsp/ocsp_vfy.c2
-rw-r--r--crypto/opensslv.h6
-rw-r--r--crypto/pem/pem_lib.c3
-rw-r--r--crypto/pem/pem_pk8.c1
-rw-r--r--crypto/pem/pem_pkey.c1
-rw-r--r--crypto/pkcs12/p12_kiss.c21
-rw-r--r--crypto/rsa/rsa_ameth.c2
-rw-r--r--crypto/rsa/rsa_oaep.c8
-rw-r--r--crypto/rsa/rsa_pk1.c6
-rw-r--r--crypto/rsa/rsa_pmeth.c75
-rw-r--r--crypto/ui/ui_lib.c1
-rw-r--r--crypto/whrlpool/wp_dgst.c4
-rw-r--r--crypto/x509/by_dir.c1
-rw-r--r--crypto/x509/by_file.c10
-rw-r--r--crypto/x509v3/pcy_tree.c14
-rw-r--r--crypto/x509v3/v3_addr.c10
-rw-r--r--crypto/x509v3/v3_genn.c1
-rw-r--r--crypto/x509v3/v3_ncons.c51
-rw-r--r--crypto/x86_64cpuid.pl19
-rw-r--r--doc/apps/asn1parse.pod1
-rw-r--r--doc/apps/ca.pod1
-rw-r--r--doc/apps/ciphers.pod1
-rw-r--r--doc/apps/cms.pod1
-rw-r--r--doc/apps/crl.pod1
-rw-r--r--doc/apps/crl2pkcs7.pod1
-rw-r--r--doc/apps/dgst.pod1
-rw-r--r--doc/apps/dhparam.pod1
-rw-r--r--doc/apps/dsa.pod1
-rw-r--r--doc/apps/dsaparam.pod1
-rw-r--r--doc/apps/ec.pod1
-rw-r--r--doc/apps/ecparam.pod1
-rw-r--r--doc/apps/enc.pod1
-rw-r--r--doc/apps/errstr.pod1
-rw-r--r--doc/apps/gendsa.pod1
-rw-r--r--doc/apps/genpkey.pod1
-rw-r--r--doc/apps/genrsa.pod1
-rw-r--r--doc/apps/nseq.pod1
-rw-r--r--doc/apps/ocsp.pod1
-rw-r--r--doc/apps/passwd.pod1
-rw-r--r--doc/apps/pkcs12.pod1
-rw-r--r--doc/apps/pkcs7.pod1
-rw-r--r--doc/apps/pkcs8.pod1
-rw-r--r--doc/apps/pkey.pod1
-rw-r--r--doc/apps/pkeyparam.pod1
-rw-r--r--doc/apps/pkeyutl.pod1
-rw-r--r--doc/apps/rand.pod1
-rw-r--r--doc/apps/req.pod1
-rw-r--r--doc/apps/rsa.pod1
-rw-r--r--doc/apps/rsautl.pod3
-rw-r--r--doc/apps/s_client.pod3
-rw-r--r--doc/apps/s_server.pod6
-rw-r--r--doc/apps/s_time.pod1
-rw-r--r--doc/apps/sess_id.pod1
-rw-r--r--doc/apps/smime.pod1
-rw-r--r--doc/apps/speed.pod1
-rw-r--r--doc/apps/spkac.pod1
-rw-r--r--doc/apps/ts.pod1
-rw-r--r--doc/apps/tsget.pod1
-rw-r--r--doc/apps/verify.pod1
-rw-r--r--doc/apps/version.pod1
-rw-r--r--doc/apps/x509.pod1
-rw-r--r--doc/crypto/BN_bn2bin.pod5
-rw-r--r--doc/crypto/BN_new.pod4
-rw-r--r--doc/crypto/EVP_EncryptInit.pod3
-rw-r--r--doc/crypto/EVP_PKEY_meth_new.pod376
-rw-r--r--doc/crypto/RSA_padding_add_PKCS1_type_1.pod7
-rw-r--r--doc/crypto/RSA_public_encrypt.pod7
-rw-r--r--doc/crypto/X509_check_private_key.pod54
-rw-r--r--doc/crypto/hmac.pod3
-rw-r--r--doc/ssl/SSL_CTX_set_tlsext_servername_callback.pod (renamed from doc/man3/SSL_CTX_set_tlsext_servername_callback.pod)0
-rw-r--r--doc/ssl/SSL_export_keying_material.pod61
-rw-r--r--doc/ssl/SSL_set_connect_state.pod2
-rw-r--r--ssl/s23_clnt.c28
-rw-r--r--ssl/s3_pkt.c2
-rw-r--r--ssl/s3_srvr.c36
-rw-r--r--ssl/ssl_ciph.c2
-rw-r--r--ssl/ssl_lib.c10
-rw-r--r--ssl/ssl_sess.c6
-rw-r--r--ssl/ssltest.c71
-rw-r--r--ssl/tls1.h2
-rwxr-xr-xutil/copy-if-different.pl2
-rw-r--r--util/copy.pl2
-rwxr-xr-xutil/libeay.num16
-rwxr-xr-xutil/mk1mf.pl4
134 files changed, 1578 insertions, 350 deletions
diff --git a/CHANGES b/CHANGES
index 307b2ed5e312..e3d57b328c58 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,44 @@
OpenSSL CHANGES
_______________
+ This is a high-level summary of the most important changes.
+ For a full list of changes, see the git commit log; for example,
+ https://github.com/openssl/openssl/commits/ and pick the appropriate
+ release branch.
+
+ Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
+
+ *) bn_sqrx8x_internal carry bug on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients.
+
+ This only affects processors that support the BMI1, BMI2 and ADX extensions
+ like Intel Broadwell (5th generation) and later or AMD Ryzen.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3736)
+ [Andy Polyakov]
+
+ *) Malformed X.509 IPAddressFamily could cause OOB read
+
+ If an X.509 certificate has a malformed IPAddressFamily extension,
+ OpenSSL could do a one-byte buffer overread. The most likely result
+ would be an erroneous display of the certificate in text format.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3735)
+ [Rich Salz]
+
Changes between 1.0.2k and 1.0.2l [25 May 2017]
*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
diff --git a/FREEBSD-upgrade b/FREEBSD-upgrade
index f799ae51156c..3b42f5aeb6e9 100644
--- a/FREEBSD-upgrade
+++ b/FREEBSD-upgrade
@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports
# Xlist
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
setenv FSVN "svn+ssh://repo.freebsd.org/base"
-setenv OSSLVER 1.0.2l
-# OSSLTAG format: v1_0_2l
+setenv OSSLVER 1.0.2m
+# OSSLTAG format: v1_0_2m
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
diff --git a/INSTALL b/INSTALL
index aa7e35fa79fe..fcdbfc0a6ee0 100644
--- a/INSTALL
+++ b/INSTALL
@@ -190,10 +190,8 @@
the failure that isn't a problem in OpenSSL itself (like a missing
or malfunctioning bc). If it is a problem with OpenSSL itself,
try removing any compiler optimization flags from the CFLAG line
- in Makefile.ssl and run "make clean; make". Please send a bug
- report to <openssl-bugs@openssl.org>, including the output of
- "make report" in order to be added to the request tracker at
- http://www.openssl.org/support/rt.html.
+ in Makefile.ssl and run "make clean; make". To report a bug please open an
+ issue on GitHub, at https://github.com/openssl/openssl/issues.
4. If everything tests ok, install OpenSSL with
diff --git a/Makefile b/Makefile
index a3d30318f917..484f2f45f776 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.2l
+VERSION=1.0.2m
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
diff --git a/NEWS b/NEWS
index fd49cedeba4c..1b72013ad186 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017]
+
+ o bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
+ o Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
+
Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017]
o config now recognises 64-bit mingw and chooses mingw64 instead of mingw
diff --git a/README b/README
index 4c357d9a836d..b5aae6260ce8 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 1.0.2l 25 May 2017
+ OpenSSL 1.0.2m 2 Nov 2017
Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/apps/ca.c b/apps/ca.c
index f90f033baed3..9a839969a204 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1985,10 +1985,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
/* Lets add the extensions, if there are any */
if (ext_sect) {
X509V3_CTX ctx;
- if (ci->version == NULL)
- if ((ci->version = ASN1_INTEGER_new()) == NULL)
- goto err;
- ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
/*
* Free the current entries if any, there should not be any I believe
@@ -2051,6 +2047,15 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
goto err;
}
+ {
+ STACK_OF(X509_EXTENSION) *exts = ci->extensions;
+
+ if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)
+ /* Make it an X509 v3 certificate. */
+ if (!X509_set_version(ret, 2))
+ goto err;
+ }
+
/* Set the right value for the noemailDN option */
if (email_dn == 0) {
if (!X509_set_subject_name(ret, dn_subject))
diff --git a/apps/s_client.c b/apps/s_client.c
index 85c1b6b57944..dc467994f8e2 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1667,6 +1667,8 @@ int MAIN(int argc, char **argv)
if (strstr(mbuf, "/stream:features>"))
goto shut;
seen = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (seen <= 0)
+ goto shut;
mbuf[seen] = 0;
}
BIO_printf(sbio,
diff --git a/apps/s_server.c b/apps/s_server.c
index d75871386928..98ffc09314a3 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -3017,7 +3017,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
PEM_write_bio_X509(io, peer);
} else
BIO_puts(io, "no client certificate available\n");
- BIO_puts(io, "</BODY></HTML>\r\n\r\n");
+ BIO_puts(io, "</pre></BODY></HTML>\r\n\r\n");
break;
} else if ((www == 2 || www == 3)
&& (strncmp("GET /", buf, 5) == 0)) {
diff --git a/apps/speed.c b/apps/speed.c
index 6cd102152504..5259c16f1218 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -307,7 +307,8 @@ static SIGRETTYPE sig_done(int sig)
# if !defined(SIGALRM)
# define SIGALRM
# endif
-static unsigned int lapse, schlock;
+static volatile unsigned int lapse;
+static volatile unsigned int schlock;
static void alarm_win32(unsigned int secs)
{
lapse = secs * 1000;
@@ -725,6 +726,7 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "no EVP given\n");
goto end;
}
+ evp_md = NULL;
evp_cipher = EVP_get_cipherbyname(*argv);
if (!evp_cipher) {
evp_md = EVP_get_digestbyname(*argv);
diff --git a/apps/spkac.c b/apps/spkac.c
index 7f5333fe832e..4b4106d03b99 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -5,7 +5,7 @@
* 1999. Based on an original idea by Massimiliano Pala (madwolf@openca.org).
*/
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2017 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -185,20 +185,23 @@ int MAIN(int argc, char **argv)
}
e = setup_engine(bio_err, engine, 0);
- if (keyfile) {
+ if (keyfile != NULL) {
pkey = load_key(bio_err,
strcmp(keyfile, "-") ? keyfile : NULL,
FORMAT_PEM, 1, passin, e, "private key");
- if (!pkey) {
+ if (pkey == NULL)
goto end;
- }
spki = NETSCAPE_SPKI_new();
- if (challenge)
+ if (spki == NULL)
+ goto end;
+ if (challenge != NULL)
ASN1_STRING_set(spki->spkac->challenge,
challenge, (int)strlen(challenge));
NETSCAPE_SPKI_set_pubkey(spki, pkey);
NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
spkstr = NETSCAPE_SPKI_b64_encode(spki);
+ if (spkstr == NULL)
+ goto end;
if (outfile)
out = BIO_new_file(outfile, "w");
@@ -253,7 +256,7 @@ int MAIN(int argc, char **argv)
spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
- if (!spki) {
+ if (spki == NULL) {
BIO_printf(bio_err, "Error loading SPKAC\n");
ERR_print_errors(bio_err);
goto end;
@@ -282,9 +285,9 @@ int MAIN(int argc, char **argv)
pkey = NETSCAPE_SPKI_get_pubkey(spki);
if (verify) {
i = NETSCAPE_SPKI_verify(spki, pkey);
- if (i > 0)
+ if (i > 0) {
BIO_printf(bio_err, "Signature OK\n");
- else {
+ } else {
BIO_printf(bio_err, "Signature Failure\n");
ERR_print_errors(bio_err);
goto end;
diff --git a/apps/srp.c b/apps/srp.c
index ce01a24f2a78..491445df60b0 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -123,13 +123,14 @@ static int get_index(CA_DB *db, char *id, char type)
int i;
if (id == NULL)
return -1;
- if (type == DB_SRP_INDEX)
+ if (type == DB_SRP_INDEX) {
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
if (pp[DB_srptype][0] == DB_SRP_INDEX
&& !strcmp(id, pp[DB_srpid]))
return i;
- } else
+ }
+ } else {
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
@@ -137,6 +138,7 @@ static int get_index(CA_DB *db, char *id, char type)
&& !strcmp(id, pp[DB_srpid]))
return i;
}
+ }
return -1;
}
@@ -177,8 +179,8 @@ static int update_index(CA_DB *db, BIO *bio, char **row)
char **irow;
int i;
- if ((irow =
- (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) {
+ irow = (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1));
+ if (irow == NULL) {
BIO_printf(bio_err, "Memory allocation failure\n");
return 0;
}
@@ -205,30 +207,32 @@ static char *srp_verify_user(const char *user, const char *srp_verifier,
char *srp_usersalt, const char *g, const char *N,
const char *passin, BIO *bio, int verbose)
{
- char password[1024];
+ char password[1025];
PW_CB_DATA cb_tmp;
char *verifier = NULL;
char *gNid = NULL;
+ int len;
cb_tmp.prompt_info = user;
cb_tmp.password = passin;
- if (password_callback(password, 1024, 0, &cb_tmp) > 0) {
+ len = password_callback(password, sizeof(password)-1, 0, &cb_tmp);
+ if (len > 0) {
+ password[len] = 0;
VERBOSE BIO_printf(bio,
"Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
user, srp_verifier, srp_usersalt, g, N);
- BIO_printf(bio, "Pass %s\n", password);
+ VVERBOSE BIO_printf(bio, "Pass %s\n", password);
- if (!
- (gNid =
- SRP_create_verifier(user, password, &srp_usersalt, &verifier, N,
- g))) {
+ if (!(gNid = SRP_create_verifier(user, password, &srp_usersalt,
+ &verifier, N, g))) {
BIO_printf(bio, "Internal error validating SRP verifier\n");
} else {
if (strcmp(verifier, srp_verifier))
gNid = NULL;
OPENSSL_free(verifier);
}
+ OPENSSL_cleanse(password, len);
}
return gNid;
}
@@ -237,24 +241,27 @@ static char *srp_create_user(char *user, char **srp_verifier,
char **srp_usersalt, char *g, char *N,
char *passout, BIO *bio, int verbose)
{
- char password[1024];
+ char password[1025];
PW_CB_DATA cb_tmp;
char *gNid = NULL;
char *salt = NULL;
+ int len;
cb_tmp.prompt_info = user;
cb_tmp.password = passout;
- if (password_callback(password, 1024, 1, &cb_tmp) > 0) {
+ len = password_callback(password, sizeof(password)-1, 1, &cb_tmp);
+ if (len > 0) {
+ password[len] = 0;
VERBOSE BIO_printf(bio,
"Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
user, g, N);
- if (!
- (gNid =
- SRP_create_verifier(user, password, &salt, srp_verifier, N,
- g))) {
+ if (!(gNid = SRP_create_verifier(user, password, &salt,
+ srp_verifier, N, g))) {
BIO_printf(bio, "Internal error creating SRP verifier\n");
- } else
+ } else {
*srp_usersalt = salt;
+ }
+ OPENSSL_cleanse(password, len);
VVERBOSE BIO_printf(bio, "gNid=%s salt =\"%s\"\n verifier =\"%s\"\n",
gNid, salt, *srp_verifier);
@@ -314,9 +321,9 @@ int MAIN(int argc, char **argv)
argc--;
argv++;
while (argc >= 1 && badops == 0) {
- if (strcmp(*argv, "-verbose") == 0)
+ if (strcmp(*argv, "-verbose") == 0) {
verbose++;
- else if (strcmp(*argv, "-config") == 0) {
+ } else if (strcmp(*argv, "-config") == 0) {
if (--argc < 1)
goto bad;
configfile = *(++argv);
@@ -328,15 +335,15 @@ int MAIN(int argc, char **argv)
if (--argc < 1)
goto bad;
dbfile = *(++argv);
- } else if (strcmp(*argv, "-add") == 0)
+ } else if (strcmp(*argv, "-add") == 0) {
add_user = 1;
- else if (strcmp(*argv, "-delete") == 0)
+ } else if (strcmp(*argv, "-delete") == 0) {
delete_user = 1;
- else if (strcmp(*argv, "-modify") == 0)
+ } else if (strcmp(*argv, "-modify") == 0) {
modify_user = 1;
- else if (strcmp(*argv, "-list") == 0)
+ } else if (strcmp(*argv, "-list") == 0) {
list_user = 1;
- else if (strcmp(*argv, "-gn") == 0) {
+ } else if (strcmp(*argv, "-gn") == 0) {
if (--argc < 1)
goto bad;
gN = *(++argv);
@@ -366,8 +373,9 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
- } else
+ } else {
break;
+ }
argc--;
argv++;
@@ -388,7 +396,7 @@ int MAIN(int argc, char **argv)
"Need at least one user for options -add, -delete, -modify. \n");
badops = 1;
}
- if ((passin || passout) && argc != 1) {
+ if ((passargin || passargout) && argc != 1) {
BIO_printf(bio_err,
"-passin, -passout arguments only valid with one user.\n");
badops = 1;
@@ -706,9 +714,9 @@ int MAIN(int argc, char **argv)
doupdatedb = 1;
}
}
- if (--argc > 0)
+ if (--argc > 0) {
user = *(argv++);
- else {
+ } else {
user = NULL;
list_user = 0;
}
diff --git a/apps/tsget b/apps/tsget
index 0d54e9fc9a76..0fca99f4385a 100644
--- a/apps/tsget
+++ b/apps/tsget
@@ -193,4 +193,3 @@ REQUEST: foreach (@ARGV) {
STDERR->printflush(", $output written.\n") if $options{v};
}
$curl->cleanup();
-WWW::Curl::Easy::global_cleanup();
diff --git a/crypto/asn1/Makefile b/crypto/asn1/Makefile
index 330fe81b740c..fb3140c1d302 100644
--- a/crypto/asn1/Makefile
+++ b/crypto/asn1/Makefile
@@ -680,7 +680,7 @@ tasn_fre.o: ../../include/openssl/e_os2.h ../../include/openssl/obj_mac.h
tasn_fre.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
tasn_fre.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
tasn_fre.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tasn_fre.o: ../../include/openssl/symhacks.h tasn_fre.c
+tasn_fre.o: ../../include/openssl/symhacks.h asn1_int.h tasn_fre.c
tasn_new.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
tasn_new.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
tasn_new.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -688,7 +688,7 @@ tasn_new.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
tasn_new.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
tasn_new.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
tasn_new.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tasn_new.o: ../../include/openssl/symhacks.h tasn_new.c
+tasn_new.o: ../../include/openssl/symhacks.h asn1_int.h tasn_new.c
tasn_prn.o: ../../e_os.h ../../include/openssl/asn1.h
tasn_prn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
tasn_prn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index c429342e03d4..0c8bb144a099 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -56,6 +56,7 @@
* [including the GNU Public Licence.]
*/
+#include <limits.h>
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/asn1.h>
@@ -136,6 +137,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
goto err;
}
+ if (len > INT_MAX) {
+ i = ASN1_R_STRING_TOO_LONG;
+ goto err;
+ }
+
if ((a == NULL) || ((*a) == NULL)) {
if ((ret = M_ASN1_BIT_STRING_new()) == NULL)
return (NULL);
diff --git a/crypto/asn1/asn1_int.h b/crypto/asn1/asn1_int.h
new file mode 100644
index 000000000000..c9fd8b12ae17
--- /dev/null
+++ b/crypto/asn1/asn1_int.h
@@ -0,0 +1,63 @@
+/* asn1t.h */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Internal ASN1 template structures and functions: not for application use */
+
+void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
+ int combine);
diff --git a/crypto/asn1/tasn_fre.c b/crypto/asn1/tasn_fre.c
index aeea4eff7ab8..0cf7510ff038 100644
--- a/crypto/asn1/tasn_fre.c
+++ b/crypto/asn1/tasn_fre.c
@@ -61,9 +61,7 @@
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/objects.h>
-
-static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
- int combine);
+#include "asn1_int.h"
/* Free up an ASN1 structure */
@@ -77,8 +75,7 @@ void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
asn1_item_combine_free(pval, it, 0);
}
-static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
- int combine)
+void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
{
const ASN1_TEMPLATE *tt = NULL, *seqtt;
const ASN1_EXTERN_FUNCS *ef;
diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c
index 54f459d1ed9c..6ba90260dab3 100644
--- a/crypto/asn1/tasn_new.c
+++ b/crypto/asn1/tasn_new.c
@@ -63,6 +63,7 @@
#include <openssl/err.h>
#include <openssl/asn1t.h>
#include <string.h>
+#include "asn1_int.h"
static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
int combine);
@@ -199,7 +200,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
return 1;
memerr2:
- ASN1_item_ex_free(pval, it);
+ asn1_item_combine_free(pval, it, combine);
memerr:
ASN1err(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW, ERR_R_MALLOC_FAILURE);
#ifdef CRYPTO_MDEBUG
@@ -209,7 +210,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
return 0;
auxerr2:
- ASN1_item_ex_free(pval, it);
+ asn1_item_combine_free(pval, it, combine);
auxerr:
ASN1err(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW, ASN1_R_AUX_ERROR);
#ifdef CRYPTO_MDEBUG
diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
index 1fb7ad1cbf88..aea0c2763c28 100644
--- a/crypto/asn1/x_name.c
+++ b/crypto/asn1/x_name.c
@@ -523,19 +523,11 @@ static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname,
int X509_NAME_set(X509_NAME **xn, X509_NAME *name)
{
- X509_NAME *in;
-
- if (!xn || !name)
- return (0);
-
- if (*xn != name) {
- in = X509_NAME_dup(name);
- if (in != NULL) {
- X509_NAME_free(*xn);
- *xn = in;
- }
- }
- return (*xn != NULL);
+ if ((name = X509_NAME_dup(name)) == NULL)
+ return 0;
+ X509_NAME_free(*xn);
+ *xn = name;
+ return 1;
}
IMPLEMENT_STACK_OF(X509_NAME_ENTRY)
diff --git a/crypto/asn1/x_pkey.c b/crypto/asn1/x_pkey.c
index 2da23e4756b4..59f855392840 100644
--- a/crypto/asn1/x_pkey.c
+++ b/crypto/asn1/x_pkey.c
@@ -106,10 +106,14 @@ X509_PKEY *X509_PKEY_new(void)
X509_PKEY *ret = NULL;
ASN1_CTX c;
- M_ASN1_New_Malloc(ret, X509_PKEY);
+ ret = OPENSSL_malloc(sizeof(X509_PKEY));
+ if (ret == NULL) {
+ c.line = __LINE__;
+ goto err;
+ }
ret->version = 0;
- M_ASN1_New(ret->enc_algor, X509_ALGOR_new);
- M_ASN1_New(ret->enc_pkey, M_ASN1_OCTET_STRING_new);
+ ret->enc_algor = X509_ALGOR_new();
+ ret->enc_pkey = M_ASN1_OCTET_STRING_new();
ret->dec_pkey = NULL;
ret->key_length = 0;
ret->key_data = NULL;
@@ -117,8 +121,15 @@ X509_PKEY *X509_PKEY_new(void)
ret->cipher.cipher = NULL;
memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH);
ret->references = 1;
- return (ret);
- M_ASN1_New_Error(ASN1_F_X509_PKEY_NEW);
+ if (ret->enc_algor == NULL || ret->enc_pkey == NULL) {
+ c.line = __LINE__;
+ goto err;
+ }
+ return ret;
+err:
+ X509_PKEY_free(ret);
+ ASN1_MAC_H_err(ASN1_F_X509_PKEY_NEW, ERR_R_MALLOC_FAILURE, c.line);
+ return NULL;
}
void X509_PKEY_free(X509_PKEY *x)
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 3bb0cdf5bd39..42178e455a98 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -3090,11 +3090,19 @@ $code.=<<___;
.align 32
.Lsqrx8x_break:
- sub 16+8(%rsp),%r8 # consume last carry
+ xor $zero,$zero
+ sub 16+8(%rsp),%rbx # mov 16(%rsp),%cf
+ adcx $zero,%r8
mov 24+8(%rsp),$carry # initial $tptr, borrow $carry
+ adcx $zero,%r9
mov 0*8($aptr),%rdx # a[8], modulo-scheduled
- xor %ebp,%ebp # xor $zero,$zero
+ adc \$0,%r10
mov %r8,0*8($tptr)
+ adc \$0,%r11
+ adc \$0,%r12
+ adc \$0,%r13
+ adc \$0,%r14
+ adc \$0,%r15
cmp $carry,$tptr # cf=0, of=0
je .Lsqrx8x_outer_loop
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 195a7867a46b..35facd213a25 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -145,7 +145,8 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
int i, bits, ret = 0;
BIGNUM *v, *rr;
- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+ if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(a, BN_FLG_CONSTTIME) != 0) {
/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
BNerr(BN_F_BN_EXP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return -1;
@@ -245,7 +246,9 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
if (BN_is_odd(m)) {
# ifdef MONT_EXP_WORD
if (a->top == 1 && !a->neg
- && (BN_get_flags(p, BN_FLG_CONSTTIME) == 0)) {
+ && (BN_get_flags(p, BN_FLG_CONSTTIME) == 0)
+ && (BN_get_flags(a, BN_FLG_CONSTTIME) == 0)
+ && (BN_get_flags(m, BN_FLG_CONSTTIME) == 0)) {
BN_ULONG A = a->d[0];
ret = BN_mod_exp_mont_word(r, A, p, m, ctx, NULL);
} else
@@ -277,7 +280,9 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
BIGNUM *val[TABLE_SIZE];
BN_RECP_CTX recp;
- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+ if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(a, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) {
/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
BNerr(BN_F_BN_MOD_EXP_RECP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return -1;
@@ -411,7 +416,9 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
BIGNUM *val[TABLE_SIZE];
BN_MONT_CTX *mont = NULL;
- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+ if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(a, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) {
return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
}
@@ -1217,7 +1224,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
#define BN_TO_MONTGOMERY_WORD(r, w, mont) \
(BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+ if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) {
/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
BNerr(BN_F_BN_MOD_EXP_MONT_WORD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return -1;
@@ -1348,7 +1356,9 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
/* Table of variables obtained from 'ctx' */
BIGNUM *val[TABLE_SIZE];
- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+ if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(a, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) {
/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
BNerr(BN_F_BN_MOD_EXP_SIMPLE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return -1;
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 10b78f512607..f9c65f9f948a 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -524,6 +524,9 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
#endif
+ if (BN_get_flags(b, BN_FLG_CONSTTIME) != 0)
+ BN_set_flags(a, BN_FLG_CONSTTIME);
+
a->top = b->top;
a->neg = b->neg;
bn_check_top(a);
diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index be95bd55d020..3af9db870bcb 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -394,6 +394,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
tmod.dmax = 2;
tmod.neg = 0;
+ if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
+ BN_set_flags(&tmod, BN_FLG_CONSTTIME);
+
mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
# if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c
index 3c618dc30708..6b455a755f71 100644
--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -1032,46 +1032,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
rr->top = top;
goto end;
}
-# if 0
- if (i == 1 && !BN_get_flags(b, BN_FLG_STATIC_DATA)) {
- BIGNUM *tmp_bn = (BIGNUM *)b;
- if (bn_wexpand(tmp_bn, al) == NULL)
- goto err;
- tmp_bn->d[bl] = 0;
- bl++;
- i--;
- } else if (i == -1 && !BN_get_flags(a, BN_FLG_STATIC_DATA)) {
- BIGNUM *tmp_bn = (BIGNUM *)a;
- if (bn_wexpand(tmp_bn, bl) == NULL)
- goto err;
- tmp_bn->d[al] = 0;
- al++;
- i++;
- }
- if (i == 0) {
- /* symmetric and > 4 */
- /* 16 or larger */
- j = BN_num_bits_word((BN_ULONG)al);
- j = 1 << (j - 1);
- k = j + j;
- t = BN_CTX_get(ctx);
- if (al == j) { /* exact multiple */
- if (bn_wexpand(t, k * 2) == NULL)
- goto err;
- if (bn_wexpand(rr, k * 2) == NULL)
- goto err;
- bn_mul_recursive(rr->d, a->d, b->d, al, t->d);
- } else {
- if (bn_wexpand(t, k * 4) == NULL)
- goto err;
- if (bn_wexpand(rr, k * 4) == NULL)
- goto err;
- bn_mul_part_recursive(rr->d, a->d, b->d, al - j, j, t->d);
- }
- rr->top = top;
- goto end;
- }
-# endif
}
#endif /* BN_RECURSION */
if (bn_wexpand(rr, top) == NULL)
diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c
index efa48bdf8772..f444af3feabd 100644
--- a/crypto/bn/bn_x931p.c
+++ b/crypto/bn/bn_x931p.c
@@ -217,6 +217,8 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
BN_CTX_start(ctx);
t = BN_CTX_get(ctx);
+ if (t == NULL)
+ goto err;
for (i = 0; i < 1000; i++) {
if (!BN_rand(Xq, nbits, 1, 0))
@@ -255,10 +257,12 @@ int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
int ret = 0;
BN_CTX_start(ctx);
- if (!Xp1)
+ if (Xp1 == NULL)
Xp1 = BN_CTX_get(ctx);
- if (!Xp2)
+ if (Xp2 == NULL)
Xp2 = BN_CTX_get(ctx);
+ if (Xp1 == NULL || Xp2 == NULL)
+ goto error;
if (!BN_rand(Xp1, 101, 0, 0))
goto error;
diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
index 1925428f5ec5..5fab45b2ec85 100644
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -469,11 +469,18 @@ void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr)
}
}
+#ifdef OPENSSL_FIPS
+extern int FIPS_crypto_threadid_set_callback(void (*func) (CRYPTO_THREADID *));
+#endif
+
int CRYPTO_THREADID_set_callback(void (*func) (CRYPTO_THREADID *))
{
if (threadid_callback)
return 0;
threadid_callback = func;
+#ifdef OPENSSL_FIPS
+ FIPS_crypto_threadid_set_callback(func);
+#endif
return 1;
}
diff --git a/crypto/dh/Makefile b/crypto/dh/Makefile
index 46fa5ac57b47..cc366ec6fa38 100644
--- a/crypto/dh/Makefile
+++ b/crypto/dh/Makefile
@@ -134,7 +134,7 @@ dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
dh_gen.o: ../cryptlib.h dh_gen.c
-dh_kdf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dh_kdf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
dh_kdf.o: ../../include/openssl/buffer.h ../../include/openssl/cms.h
dh_kdf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
dh_kdf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h
index a228c7a7a4c3..80b28fb39dc8 100644
--- a/crypto/dh/dh.h
+++ b/crypto/dh/dh.h
@@ -257,11 +257,13 @@ DH *DH_get_1024_160(void);
DH *DH_get_2048_224(void);
DH *DH_get_2048_256(void);
+# ifndef OPENSSL_NO_CMS
/* RFC2631 KDF */
int DH_KDF_X9_42(unsigned char *out, size_t outlen,
const unsigned char *Z, size_t Zlen,
ASN1_OBJECT *key_oid,
const unsigned char *ukm, size_t ukmlen, const EVP_MD *md);
+# endif
# define EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, \
diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c
index a882cb286e0e..8947a0873152 100644
--- a/crypto/dh/dh_kdf.c
+++ b/crypto/dh/dh_kdf.c
@@ -51,6 +51,9 @@
* ====================================================================
*/
+#include <e_os.h>
+
+#ifndef OPENSSL_NO_CMS
#include <string.h>
#include <openssl/dh.h>
#include <openssl/evp.h>
@@ -185,3 +188,4 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen,
EVP_MD_CTX_cleanup(&mctx);
return rv;
}
+#endif
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index b58e3fa86fad..6452482c87d2 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -207,7 +207,11 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
case EVP_PKEY_CTRL_DH_KDF_TYPE:
if (p1 == -2)
return dctx->kdf_type;
+#ifdef OPENSSL_NO_CMS
+ if (p1 != EVP_PKEY_DH_KDF_NONE)
+#else
if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42)
+#endif
return -2;
dctx->kdf_type = p1;
return 1;
@@ -448,7 +452,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
return ret;
*keylen = ret;
return 1;
- } else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
+ }
+#ifndef OPENSSL_NO_CMS
+ else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
unsigned char *Z = NULL;
size_t Zlen = 0;
if (!dctx->kdf_outlen || !dctx->kdf_oid)
@@ -479,6 +485,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
}
return ret;
}
+#endif
return 1;
}
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index c4fa105747fe..aac253095141 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -258,6 +258,7 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
goto dsaerr;
}
+ BN_set_flags(dsa->priv_key, BN_FLG_CONSTTIME);
if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR);
goto dsaerr;
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 1fce0f81c242..21af2e159fb2 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -482,6 +482,8 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
} else {
p = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
+ if (q == NULL)
+ goto err;
}
if (!BN_lshift(test, BN_value_one(), L - 1))
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 58013a4a13b5..aa10dd12f6f8 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -224,7 +224,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
{
BN_CTX *ctx;
BIGNUM k, kq, *K, *kinv = NULL, *r = NULL;
+ BIGNUM l, m;
int ret = 0;
+ int q_bits;
if (!dsa->p || !dsa->q || !dsa->g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
@@ -233,6 +235,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
BN_init(&k);
BN_init(&kq);
+ BN_init(&l);
+ BN_init(&m);
if (ctx_in == NULL) {
if ((ctx = BN_CTX_new()) == NULL)
@@ -243,6 +247,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
if ((r = BN_new()) == NULL)
goto err;
+ /* Preallocate space */
+ q_bits = BN_num_bits(dsa->q);
+ if (!BN_set_bit(&k, q_bits)
+ || !BN_set_bit(&l, q_bits)
+ || !BN_set_bit(&m, q_bits))
+ goto err;
+
/* Get random k */
do
if (!BN_rand_range(&k, dsa->q))
@@ -263,24 +274,23 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
/* Compute r = (g^k mod p) mod q */
if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
- if (!BN_copy(&kq, &k))
- goto err;
-
- BN_set_flags(&kq, BN_FLG_CONSTTIME);
-
/*
* We do not want timing information to leak the length of k, so we
- * compute g^k using an equivalent exponent of fixed length. (This
- * is a kludge that we need because the BN_mod_exp_mont() does not
- * let us specify the desired timing behaviour.)
+ * compute G^k using an equivalent scalar of fixed bit-length.
+ *
+ * We unconditionally perform both of these additions to prevent a
+ * small timing information leakage. We then choose the sum that is
+ * one bit longer than the modulus.
+ *
+ * TODO: revisit the BN_copy aiming for a memory access agnostic
+ * conditional copy.
*/
-
- if (!BN_add(&kq, &kq, dsa->q))
+ if (!BN_add(&l, &k, dsa->q)
+ || !BN_add(&m, &l, dsa->q)
+ || !BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m))
goto err;
- if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) {
- if (!BN_add(&kq, &kq, dsa->q))
- goto err;
- }
+
+ BN_set_flags(&kq, BN_FLG_CONSTTIME);
K = &kq;
} else {
@@ -314,7 +324,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
BN_CTX_free(ctx);
BN_clear_free(&k);
BN_clear_free(&kq);
- return (ret);
+ BN_clear_free(&l);
+ BN_clear_free(&m);
+ return ret;
}
static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
diff --git a/crypto/ec/asm/ecp_nistz256-x86_64.pl b/crypto/ec/asm/ecp_nistz256-x86_64.pl
index 7948bf71b51e..35d2b6d146c1 100755
--- a/crypto/ec/asm/ecp_nistz256-x86_64.pl
+++ b/crypto/ec/asm/ecp_nistz256-x86_64.pl
@@ -1178,19 +1178,18 @@ __ecp_nistz256_sqr_montx:
adox $t1, $acc5
.byte 0x67,0x67
mulx %rdx, $t0, $t4
- mov $acc0, %rdx
+ mov .Lpoly+8*3(%rip), %rdx
adox $t0, $acc6
shlx $a_ptr, $acc0, $t0
adox $t4, $acc7
shrx $a_ptr, $acc0, $t4
- mov .Lpoly+8*3(%rip), $t1
+ mov %rdx,$t1
# reduction step 1
add $t0, $acc1
adc $t4, $acc2
- mulx $t1, $t0, $acc0
- mov $acc1, %rdx
+ mulx $acc0, $t0, $acc0
adc $t0, $acc3
shlx $a_ptr, $acc1, $t0
adc \$0, $acc0
@@ -1200,8 +1199,7 @@ __ecp_nistz256_sqr_montx:
add $t0, $acc2
adc $t4, $acc3
- mulx $t1, $t0, $acc1
- mov $acc2, %rdx
+ mulx $acc1, $t0, $acc1
adc $t0, $acc0
shlx $a_ptr, $acc2, $t0
adc \$0, $acc1
@@ -1211,8 +1209,7 @@ __ecp_nistz256_sqr_montx:
add $t0, $acc3
adc $t4, $acc0
- mulx $t1, $t0, $acc2
- mov $acc3, %rdx
+ mulx $acc2, $t0, $acc2
adc $t0, $acc1
shlx $a_ptr, $acc3, $t0
adc \$0, $acc2
@@ -1222,12 +1219,12 @@ __ecp_nistz256_sqr_montx:
add $t0, $acc0
adc $t4, $acc1
- mulx $t1, $t0, $acc3
+ mulx $acc3, $t0, $acc3
adc $t0, $acc2
adc \$0, $acc3
- xor $t3, $t3 # cf=0
- adc $acc0, $acc4 # accumulate upper half
+ xor $t3, $t3
+ add $acc0, $acc4 # accumulate upper half
mov .Lpoly+8*1(%rip), $a_ptr
adc $acc1, $acc5
mov $acc4, $acc0
@@ -1236,8 +1233,7 @@ __ecp_nistz256_sqr_montx:
mov $acc5, $acc1
adc \$0, $t3
- xor %eax, %eax # cf=0
- sbb \$-1, $acc4 # .Lpoly[0]
+ sub \$-1, $acc4 # .Lpoly[0]
mov $acc6, $acc2
sbb $a_ptr, $acc5 # .Lpoly[1]
sbb \$0, $acc6 # .Lpoly[2]
diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c
index b2de7faea75e..43c4330cb0b7 100644
--- a/crypto/ec/ecp_mont.c
+++ b/crypto/ec/ecp_mont.c
@@ -247,6 +247,8 @@ int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p,
BN_CTX_free(new_ctx);
if (mont != NULL)
BN_MONT_CTX_free(mont);
+ if (one != NULL)
+ BN_free(one);
return ret;
}
diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c
index d81cc9ce6b1a..fcd754e44881 100644
--- a/crypto/ec/ecp_nistp224.c
+++ b/crypto/ec/ecp_nistp224.c
@@ -716,7 +716,7 @@ static limb felem_is_zero(const felem in)
return (zero | two224m96p1 | two225m97p2);
}
-static limb felem_is_zero_int(const felem in)
+static int felem_is_zero_int(const void *in)
{
return (int)(felem_is_zero(in) & ((limb) 1));
}
@@ -1391,7 +1391,6 @@ static void make_points_affine(size_t num, felem points[ /* num */ ][3],
sizeof(felem),
tmp_felems,
(void (*)(void *))felem_one,
- (int (*)(const void *))
felem_is_zero_int,
(void (*)(void *, const void *))
felem_assign,
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
index 78d191aac7af..1272966fff84 100644
--- a/crypto/ec/ecp_nistp256.c
+++ b/crypto/ec/ecp_nistp256.c
@@ -977,7 +977,7 @@ static limb smallfelem_is_zero(const smallfelem small)
return result;
}
-static int smallfelem_is_zero_int(const smallfelem small)
+static int smallfelem_is_zero_int(const void *small)
{
return (int)(smallfelem_is_zero(small) & ((limb) 1));
}
@@ -1979,7 +1979,6 @@ static void make_points_affine(size_t num, smallfelem points[][3],
sizeof(smallfelem),
tmp_smallfelems,
(void (*)(void *))smallfelem_one,
- (int (*)(const void *))
smallfelem_is_zero_int,
(void (*)(void *, const void *))
smallfelem_assign,
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index c53a61bbfb69..a1dc9946fd17 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -871,7 +871,7 @@ static limb felem_is_zero(const felem in)
return is_zero;
}
-static int felem_is_zero_int(const felem in)
+static int felem_is_zero_int(const void *in)
{
return (int)(felem_is_zero(in) & ((limb) 1));
}
@@ -1787,7 +1787,6 @@ static void make_points_affine(size_t num, felem points[][3],
sizeof(felem),
tmp_felems,
(void (*)(void *))felem_one,
- (int (*)(const void *))
felem_is_zero_int,
(void (*)(void *, const void *))
felem_assign,
diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c
index cbc21d1a276e..9cc22582e4ad 100644
--- a/crypto/ecdh/ech_lib.c
+++ b/crypto/ecdh/ech_lib.c
@@ -225,9 +225,16 @@ ECDH_DATA *ecdh_check(EC_KEY *key)
*/
ecdh_data_free(ecdh_data);
ecdh_data = (ECDH_DATA *)data;
+ } else if (EC_KEY_get_key_method_data(key, ecdh_data_dup,
+ ecdh_data_free,
+ ecdh_data_free) != ecdh_data) {
+ /* Or an out of memory error in EC_KEY_insert_key_method_data. */
+ ecdh_data_free(ecdh_data);
+ return NULL;
}
- } else
+ } else {
ecdh_data = (ECDH_DATA *)data;
+ }
#ifdef OPENSSL_FIPS
if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD)
&& !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW)) {
diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c
index 8dc1dda46259..f1dd47231793 100644
--- a/crypto/ecdsa/ecs_lib.c
+++ b/crypto/ecdsa/ecs_lib.c
@@ -203,9 +203,16 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key)
*/
ecdsa_data_free(ecdsa_data);
ecdsa_data = (ECDSA_DATA *)data;
+ } else if (EC_KEY_get_key_method_data(key, ecdsa_data_dup,
+ ecdsa_data_free,
+ ecdsa_data_free) != ecdsa_data) {
+ /* Or an out of memory error in EC_KEY_insert_key_method_data. */
+ ecdsa_data_free(ecdsa_data);
+ return NULL;
}
- } else
+ } else {
ecdsa_data = (ECDSA_DATA *)data;
+ }
#ifdef OPENSSL_FIPS
if (FIPS_mode() && !(ecdsa_data->flags & ECDSA_FLAG_FIPS_METHOD)
&& !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW)) {
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index dd769609be4c..16d4f59b9ba9 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -95,6 +95,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
EC_POINT *tmp_point = NULL;
const EC_GROUP *group;
int ret = 0;
+ int order_bits;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
@@ -126,6 +127,13 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
goto err;
}
+ /* Preallocate space */
+ order_bits = BN_num_bits(order);
+ if (!BN_set_bit(k, order_bits)
+ || !BN_set_bit(r, order_bits)
+ || !BN_set_bit(X, order_bits))
+ goto err;
+
do {
/* get random k */
do
@@ -139,13 +147,19 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
/*
* We do not want timing information to leak the length of k, so we
* compute G*k using an equivalent scalar of fixed bit-length.
+ *
+ * We unconditionally perform both of these additions to prevent a
+ * small timing information leakage. We then choose the sum that is
+ * one bit longer than the order. This guarantees the code
+ * path used in the constant time implementations elsewhere.
+ *
+ * TODO: revisit the BN_copy aiming for a memory access agnostic
+ * conditional copy.
*/
-
- if (!BN_add(k, k, order))
+ if (!BN_add(r, k, order)
+ || !BN_add(X, r, order)
+ || !BN_copy(k, BN_num_bits(r) > order_bits ? r : X))
goto err;
- if (BN_num_bits(k) <= BN_num_bits(order))
- if (!BN_add(k, k, order))
- goto err;
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 0b1fcfc1f1a5..cfe0e8083f39 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -725,6 +725,8 @@ void ERR_put_error(int lib, int func, int reason, const char *file, int line)
}
#endif
es = ERR_get_state();
+ if (es == NULL)
+ return;
es->top = (es->top + 1) % ERR_NUM_ERRORS;
if (es->top == es->bottom)
@@ -742,6 +744,8 @@ void ERR_clear_error(void)
ERR_STATE *es;
es = ERR_get_state();
+ if (es == NULL)
+ return;
for (i = 0; i < ERR_NUM_ERRORS; i++) {
err_clear(es, i);
@@ -806,6 +810,8 @@ static unsigned long get_error_values(int inc, int top, const char **file,
unsigned long ret;
es = ERR_get_state();
+ if (es == NULL)
+ return 0;
if (inc && top) {
if (file)
@@ -1016,7 +1022,6 @@ void ERR_remove_state(unsigned long pid)
ERR_STATE *ERR_get_state(void)
{
- static ERR_STATE fallback;
ERR_STATE *ret, tmp, *tmpp = NULL;
int i;
CRYPTO_THREADID tid;
@@ -1030,7 +1035,7 @@ ERR_STATE *ERR_get_state(void)
if (ret == NULL) {
ret = (ERR_STATE *)OPENSSL_malloc(sizeof(ERR_STATE));
if (ret == NULL)
- return (&fallback);
+ return NULL;
CRYPTO_THREADID_cpy(&ret->tid, &tid);
ret->top = 0;
ret->bottom = 0;
@@ -1042,7 +1047,7 @@ ERR_STATE *ERR_get_state(void)
/* To check if insertion failed, do a get. */
if (ERRFN(thread_get_item) (ret) != ret) {
ERR_STATE_free(ret); /* could not insert it */
- return (&fallback);
+ return NULL;
}
/*
* If a race occured in this function and we came second, tmpp is the
@@ -1066,10 +1071,10 @@ void ERR_set_error_data(char *data, int flags)
int i;
es = ERR_get_state();
+ if (es == NULL)
+ return;
i = es->top;
- if (i == 0)
- i = ERR_NUM_ERRORS - 1;
err_clear_data(es, i);
es->err_data[i] = data;
@@ -1121,6 +1126,8 @@ int ERR_set_mark(void)
ERR_STATE *es;
es = ERR_get_state();
+ if (es == NULL)
+ return 0;
if (es->bottom == es->top)
return 0;
@@ -1133,6 +1140,8 @@ int ERR_pop_to_mark(void)
ERR_STATE *es;
es = ERR_get_state();
+ if (es == NULL)
+ return 0;
while (es->bottom != es->top
&& (es->err_flags[es->top] & ERR_FLAG_MARK) == 0) {
diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
index d114710e98ec..b25fc6d541d4 100644
--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -579,12 +579,17 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
maxpad &= 255;
- ret &= constant_time_ge(maxpad, pad);
+ mask = constant_time_ge(maxpad, pad);
+ ret &= mask;
+ /*
+ * If pad is invalid then we will fail the above test but we must
+ * continue anyway because we are in constant time code. However,
+ * we'll use the maxpad value instead of the supplied pad to make
+ * sure we perform well defined pointer arithmetic.
+ */
+ pad = constant_time_select(mask, pad, maxpad);
inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
- mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
- inp_len &= mask;
- ret &= (int)mask;
key->aux.tls_aad[plen - 2] = inp_len >> 8;
key->aux.tls_aad[plen - 1] = inp_len;
diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c
index 917ae0751dee..9a8a2ad7787c 100644
--- a/crypto/evp/e_aes_cbc_hmac_sha256.c
+++ b/crypto/evp/e_aes_cbc_hmac_sha256.c
@@ -507,10 +507,12 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
* to identify it and avoid stitch invocation. So that after we
* establish that current CPU supports AVX, we even see if it's
* either even XOP-capable Bulldozer-based or GenuineIntel one.
+ * But SHAEXT-capable go ahead...
*/
- if (OPENSSL_ia32cap_P[1] & (1 << (60 - 32)) && /* AVX? */
- ((OPENSSL_ia32cap_P[1] & (1 << (43 - 32))) /* XOP? */
- | (OPENSSL_ia32cap_P[0] & (1<<30))) && /* "Intel CPU"? */
+ if (((OPENSSL_ia32cap_P[2] & (1 << 29)) || /* SHAEXT? */
+ ((OPENSSL_ia32cap_P[1] & (1 << (60 - 32))) && /* AVX? */
+ ((OPENSSL_ia32cap_P[1] & (1 << (43 - 32))) /* XOP? */
+ | (OPENSSL_ia32cap_P[0] & (1 << 30))))) && /* "Intel CPU"? */
plen > (sha_off + iv) &&
(blocks = (plen - (sha_off + iv)) / SHA256_CBLOCK)) {
SHA256_Update(&key->md, in + iv, sha_off);
@@ -590,12 +592,17 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
maxpad &= 255;
- ret &= constant_time_ge(maxpad, pad);
+ mask = constant_time_ge(maxpad, pad);
+ ret &= mask;
+ /*
+ * If pad is invalid then we will fail the above test but we must
+ * continue anyway because we are in constant time code. However,
+ * we'll use the maxpad value instead of the supplied pad to make
+ * sure we perform well defined pointer arithmetic.
+ */
+ pad = constant_time_select(mask, pad, maxpad);
inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1);
- mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
- inp_len &= mask;
- ret &= (int)mask;
key->aux.tls_aad[plen - 2] = inp_len >> 8;
key->aux.tls_aad[plen - 1] = inp_len;
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index d258ef870a36..cf1de15e6d03 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -1363,6 +1363,98 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
const char *type,
const char *value));
+void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth,
+ int (**pinit) (EVP_PKEY_CTX *ctx));
+
+void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth,
+ int (**pcopy) (EVP_PKEY_CTX *dst,
+ EVP_PKEY_CTX *src));
+
+void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth,
+ void (**pcleanup) (EVP_PKEY_CTX *ctx));
+
+void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth,
+ int (**pparamgen_init) (EVP_PKEY_CTX *ctx),
+ int (**pparamgen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey));
+
+void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth,
+ int (**pkeygen_init) (EVP_PKEY_CTX *ctx),
+ int (**pkeygen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey));
+
+void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
+ int (**psign_init) (EVP_PKEY_CTX *ctx),
+ int (**psign) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs,
+ size_t tbslen));
+
+void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth,
+ int (**pverify_init) (EVP_PKEY_CTX *ctx),
+ int (**pverify) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ size_t siglen,
+ const unsigned char *tbs,
+ size_t tbslen));
+
+void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth,
+ int (**pverify_recover_init) (EVP_PKEY_CTX
+ *ctx),
+ int (**pverify_recover) (EVP_PKEY_CTX
+ *ctx,
+ unsigned char
+ *sig,
+ size_t *siglen,
+ const unsigned
+ char *tbs,
+ size_t tbslen));
+
+void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth,
+ int (**psignctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (**psignctx) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig,
+ size_t *siglen,
+ EVP_MD_CTX *mctx));
+
+void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth,
+ int (**pverifyctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (**pverifyctx) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ int siglen,
+ EVP_MD_CTX *mctx));
+
+void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth,
+ int (**pencrypt_init) (EVP_PKEY_CTX *ctx),
+ int (**pencryptfn) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen));
+
+void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth,
+ int (**pdecrypt_init) (EVP_PKEY_CTX *ctx),
+ int (**pdecrypt) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen));
+
+void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth,
+ int (**pderive_init) (EVP_PKEY_CTX *ctx),
+ int (**pderive) (EVP_PKEY_CTX *ctx,
+ unsigned char *key,
+ size_t *keylen));
+
+void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth,
+ int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
+ void *p2),
+ int (**pctrl_str) (EVP_PKEY_CTX *ctx,
+ const char *type,
+ const char *value));
+
void EVP_add_alg_module(void);
/* BEGIN ERROR CODES */
diff --git a/crypto/evp/evp_key.c b/crypto/evp/evp_key.c
index 5be9e336f9e7..cdffe1c8c428 100644
--- a/crypto/evp/evp_key.c
+++ b/crypto/evp/evp_key.c
@@ -97,7 +97,7 @@ int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
int EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
int verify)
{
- int ret;
+ int ret = -1;
char buff[BUFSIZ];
UI *ui;
@@ -105,16 +105,18 @@ int EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
prompt = prompt_string;
ui = UI_new();
if (ui == NULL)
- return -1;
- UI_add_input_string(ui, prompt, 0, buf, min,
- (len >= BUFSIZ) ? BUFSIZ - 1 : len);
- if (verify)
- UI_add_verify_string(ui, prompt, 0,
- buff, min, (len >= BUFSIZ) ? BUFSIZ - 1 : len,
- buf);
+ return ret;
+ if (UI_add_input_string(ui, prompt, 0, buf, min,
+ (len >= BUFSIZ) ? BUFSIZ - 1 : len) < 0
+ || (verify
+ && UI_add_verify_string(ui, prompt, 0, buff, min,
+ (len >= BUFSIZ) ? BUFSIZ - 1 : len,
+ buf) < 0))
+ goto end;
ret = UI_process(ui);
- UI_free(ui);
OPENSSL_cleanse(buff, BUFSIZ);
+ end:
+ UI_free(ui);
return ret;
}
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index b7b7bdcd0290..e50826b568d8 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -589,3 +589,170 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
pmeth->ctrl = ctrl;
pmeth->ctrl_str = ctrl_str;
}
+
+void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth,
+ int (**pinit) (EVP_PKEY_CTX *ctx))
+{
+ *pinit = pmeth->init;
+}
+
+void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth,
+ int (**pcopy) (EVP_PKEY_CTX *dst,
+ EVP_PKEY_CTX *src))
+{
+ *pcopy = pmeth->copy;
+}
+
+void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth,
+ void (**pcleanup) (EVP_PKEY_CTX *ctx))
+{
+ *pcleanup = pmeth->cleanup;
+}
+
+void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth,
+ int (**pparamgen_init) (EVP_PKEY_CTX *ctx),
+ int (**pparamgen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey))
+{
+ if (pparamgen_init)
+ *pparamgen_init = pmeth->paramgen_init;
+ if (pparamgen)
+ *pparamgen = pmeth->paramgen;
+}
+
+void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth,
+ int (**pkeygen_init) (EVP_PKEY_CTX *ctx),
+ int (**pkeygen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey))
+{
+ if (pkeygen_init)
+ *pkeygen_init = pmeth->keygen_init;
+ if (pkeygen)
+ *pkeygen = pmeth->keygen;
+}
+
+void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
+ int (**psign_init) (EVP_PKEY_CTX *ctx),
+ int (**psign) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs,
+ size_t tbslen))
+{
+ if (psign_init)
+ *psign_init = pmeth->sign_init;
+ if (psign)
+ *psign = pmeth->sign;
+}
+
+void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth,
+ int (**pverify_init) (EVP_PKEY_CTX *ctx),
+ int (**pverify) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ size_t siglen,
+ const unsigned char *tbs,
+ size_t tbslen))
+{
+ if (pverify_init)
+ *pverify_init = pmeth->verify_init;
+ if (pverify)
+ *pverify = pmeth->verify;
+}
+
+void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth,
+ int (**pverify_recover_init) (EVP_PKEY_CTX
+ *ctx),
+ int (**pverify_recover) (EVP_PKEY_CTX
+ *ctx,
+ unsigned char
+ *sig,
+ size_t *siglen,
+ const unsigned
+ char *tbs,
+ size_t tbslen))
+{
+ if (pverify_recover_init)
+ *pverify_recover_init = pmeth->verify_recover_init;
+ if (pverify_recover)
+ *pverify_recover = pmeth->verify_recover;
+}
+
+void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth,
+ int (**psignctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (**psignctx) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig,
+ size_t *siglen,
+ EVP_MD_CTX *mctx))
+{
+ if (psignctx_init)
+ *psignctx_init = pmeth->signctx_init;
+ if (psignctx)
+ *psignctx = pmeth->signctx;
+}
+
+void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth,
+ int (**pverifyctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (**pverifyctx) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ int siglen,
+ EVP_MD_CTX *mctx))
+{
+ if (pverifyctx_init)
+ *pverifyctx_init = pmeth->verifyctx_init;
+ if (pverifyctx)
+ *pverifyctx = pmeth->verifyctx;
+}
+
+void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth,
+ int (**pencrypt_init) (EVP_PKEY_CTX *ctx),
+ int (**pencryptfn) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen))
+{
+ if (pencrypt_init)
+ *pencrypt_init = pmeth->encrypt_init;
+ if (pencryptfn)
+ *pencryptfn = pmeth->encrypt;
+}
+
+void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth,
+ int (**pdecrypt_init) (EVP_PKEY_CTX *ctx),
+ int (**pdecrypt) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen))
+{
+ if (pdecrypt_init)
+ *pdecrypt_init = pmeth->decrypt_init;
+ if (pdecrypt)
+ *pdecrypt = pmeth->decrypt;
+}
+
+void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth,
+ int (**pderive_init) (EVP_PKEY_CTX *ctx),
+ int (**pderive) (EVP_PKEY_CTX *ctx,
+ unsigned char *key,
+ size_t *keylen))
+{
+ if (pderive_init)
+ *pderive_init = pmeth->derive_init;
+ if (pderive)
+ *pderive = pmeth->derive;
+}
+
+void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth,
+ int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
+ void *p2),
+ int (**pctrl_str) (EVP_PKEY_CTX *ctx,
+ const char *type,
+ const char *value))
+{
+ if (pctrl)
+ *pctrl = pmeth->ctrl;
+ if (pctrl_str)
+ *pctrl_str = pmeth->ctrl_str;
+}
diff --git a/crypto/ex_data.c b/crypto/ex_data.c
index 108a1959eacf..723b21b3d281 100644
--- a/crypto/ex_data.c
+++ b/crypto/ex_data.c
@@ -473,7 +473,14 @@ static int int_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
if (j < mx)
mx = j;
if (mx > 0) {
- if (!CRYPTO_set_ex_data(to, mx - 1, NULL))
+ /*
+ * Make sure the ex_data stack is at least |mx| elements long to avoid
+ * issues in the for loop that follows; so go get the |mx|'th element
+ * (if it does not exist CRYPTO_get_ex_data() returns NULL), and assign
+ * to itself. This is normally a no-op; but ensures the stack is the
+ * proper size
+ */
+ if (!CRYPTO_set_ex_data(to, mx - 1, CRYPTO_get_ex_data(to, mx - 1)))
goto skip;
storage = OPENSSL_malloc(mx * sizeof(CRYPTO_EX_DATA_FUNCS *));
if (!storage)
diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
index f20353aea33f..f3798872598a 100644
--- a/crypto/lhash/lhash.c
+++ b/crypto/lhash/lhash.c
@@ -101,6 +101,24 @@
#include <openssl/crypto.h>
#include <openssl/lhash.h>
+/*
+ * A hashing implementation that appears to be based on the linear hashing
+ * alogrithm:
+ * https://en.wikipedia.org/wiki/Linear_hashing
+ *
+ * Litwin, Witold (1980), "Linear hashing: A new tool for file and table
+ * addressing", Proc. 6th Conference on Very Large Databases: 212–223
+ * http://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf
+ *
+ * From the wikipedia article "Linear hashing is used in the BDB Berkeley
+ * database system, which in turn is used by many software systems such as
+ * OpenLDAP, using a C implementation derived from the CACM article and first
+ * published on the Usenet in 1988 by Esmond Pitt."
+ *
+ * The CACM paper is available here:
+ * https://pdfs.semanticscholar.org/ff4d/1c5deca6269cc316bfd952172284dbf610ee.pdf
+ */
+
const char lh_version[] = "lhash" OPENSSL_VERSION_PTEXT;
#undef MIN_NODES
@@ -108,7 +126,7 @@ const char lh_version[] = "lhash" OPENSSL_VERSION_PTEXT;
#define UP_LOAD (2*LH_LOAD_MULT) /* load times 256 (default 2) */
#define DOWN_LOAD (LH_LOAD_MULT) /* load times 256 (default 1) */
-static void expand(_LHASH *lh);
+static int expand(_LHASH *lh);
static void contract(_LHASH *lh);
static LHASH_NODE **getrn(_LHASH *lh, const void *data, unsigned long *rhash);
@@ -182,8 +200,9 @@ void *lh_insert(_LHASH *lh, void *data)
void *ret;
lh->error = 0;
- if (lh->up_load <= (lh->num_items * LH_LOAD_MULT / lh->num_nodes))
- expand(lh);
+ if (lh->up_load <= (lh->num_items * LH_LOAD_MULT / lh->num_nodes)
+ && !expand(lh))
+ return NULL;
rn = getrn(lh, data, &hash);
@@ -300,19 +319,37 @@ void lh_doall_arg(_LHASH *lh, LHASH_DOALL_ARG_FN_TYPE func, void *arg)
doall_util_fn(lh, 1, (LHASH_DOALL_FN_TYPE)0, func, arg);
}
-static void expand(_LHASH *lh)
+static int expand(_LHASH *lh)
{
LHASH_NODE **n, **n1, **n2, *np;
- unsigned int p, i, j;
- unsigned long hash, nni;
+ unsigned int p, pmax, nni, j;
+ unsigned long hash;
+
+ nni = lh->num_alloc_nodes;
+ p = lh->p;
+ pmax = lh->pmax;
+ if (p + 1 >= pmax) {
+ j = nni * 2;
+ n = OPENSSL_realloc(lh->b, (int)(sizeof(LHASH_NODE *) * j));
+ if (n == NULL) {
+ lh->error++;
+ return 0;
+ }
+ lh->b = n;
+ memset(n + nni, 0, sizeof(*n) * (j - nni));
+ lh->pmax = nni;
+ lh->num_alloc_nodes = j;
+ lh->num_expand_reallocs++;
+ lh->p = 0;
+ } else {
+ lh->p++;
+ }
lh->num_nodes++;
lh->num_expands++;
- p = (int)lh->p++;
n1 = &(lh->b[p]);
- n2 = &(lh->b[p + (int)lh->pmax]);
- *n2 = NULL; /* 27/07/92 - eay - undefined pointer bug */
- nni = lh->num_alloc_nodes;
+ n2 = &(lh->b[p + pmax]);
+ *n2 = NULL;
for (np = *n1; np != NULL;) {
#ifndef OPENSSL_NO_HASH_COMP
@@ -330,25 +367,7 @@ static void expand(_LHASH *lh)
np = *n1;
}
- if ((lh->p) >= lh->pmax) {
- j = (int)lh->num_alloc_nodes * 2;
- n = (LHASH_NODE **)OPENSSL_realloc(lh->b,
- (int)(sizeof(LHASH_NODE *) * j));
- if (n == NULL) {
- lh->error++;
- lh->num_nodes--;
- lh->p = 0;
- return;
- }
- /* else */
- for (i = (int)lh->num_alloc_nodes; i < j; i++) /* 26/02/92 eay */
- n[i] = NULL; /* 02/03/92 eay */
- lh->pmax = lh->num_alloc_nodes;
- lh->num_alloc_nodes = j;
- lh->num_expand_reallocs++;
- lh->p = 0;
- lh->b = n;
- }
+ return 1;
}
static void contract(_LHASH *lh)
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index d4a257c33bb5..7a7d06094edf 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -118,6 +118,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
goto end;
}
}
+ } else if (certs != NULL) {
+ untrusted = certs;
} else {
untrusted = bs->certs;
}
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 825a330abc88..c944d562dae0 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x100020cfL
+# define OPENSSL_VERSION_NUMBER 0x100020dfL
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2l-fips 25 May 2017"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2m-fips 2 Nov 2017"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2l 25 May 2017"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2m 2 Nov 2017"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index c82b3c0ae263..865976bf8cce 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -536,7 +536,8 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
((c >= '0') && (c <= '9'))))
break;
#else
- if (!(isupper(c) || (c == '-') || isdigit(c)))
+ if (!(isupper((unsigned char)c) || (c == '-')
+ || isdigit((unsigned char)c)))
break;
#endif
header++;
diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
index 5747c7366e3d..daf210fde0f9 100644
--- a/crypto/pem/pem_pk8.c
+++ b/crypto/pem/pem_pk8.c
@@ -178,6 +178,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
}
p8inf = PKCS8_decrypt(p8, psbuf, klen);
X509_SIG_free(p8);
+ OPENSSL_cleanse(psbuf, klen);
if (!p8inf)
return NULL;
ret = EVP_PKCS82PKEY(p8inf);
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 04d6319a225b..e8b3a1b92c8d 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -120,6 +120,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
}
p8inf = PKCS8_decrypt(p8, psbuf, klen);
X509_SIG_free(p8);
+ OPENSSL_cleanse(psbuf, klen);
if (!p8inf)
goto p8err;
ret = EVP_PKCS82PKEY(p8inf);
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index 9aa3c90c4e57..1841f78f6915 100644
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -84,6 +84,12 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
{
STACK_OF(X509) *ocerts = NULL;
X509 *x = NULL;
+
+ if (pkey)
+ *pkey = NULL;
+ if (cert)
+ *cert = NULL;
+
/* Check for NULL PKCS12 structure */
if (!p12) {
@@ -92,11 +98,6 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
return 0;
}
- if (pkey)
- *pkey = NULL;
- if (cert)
- *cert = NULL;
-
/* Check the mac */
/*
@@ -125,7 +126,7 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
if (!ocerts) {
PKCS12err(PKCS12_F_PKCS12_PARSE, ERR_R_MALLOC_FAILURE);
- return 0;
+ goto err;
}
if (!parse_pk12(p12, pass, -1, pkey, ocerts)) {
@@ -163,10 +164,14 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
err:
- if (pkey && *pkey)
+ if (pkey) {
EVP_PKEY_free(*pkey);
- if (cert && *cert)
+ *pkey = NULL;
+ }
+ if (cert) {
X509_free(*cert);
+ *cert = NULL;
+ }
if (x)
X509_free(x);
if (ocerts)
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 951e1d5ca32b..ddead3d74455 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -768,6 +768,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
return 2;
}
+#ifndef OPENSSL_NO_CMS
static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg,
X509_ALGOR **pmaskHash)
{
@@ -791,7 +792,6 @@ static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg,
return pss;
}
-#ifndef OPENSSL_NO_CMS
static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
{
EVP_PKEY_CTX *pkctx;
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 19d28c6f0e60..9a01b4afc11f 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -237,10 +237,14 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
RSA_R_OAEP_DECODING_ERROR);
cleanup:
- if (db != NULL)
+ if (db != NULL) {
+ OPENSSL_cleanse(db, dblen);
OPENSSL_free(db);
- if (em != NULL)
+ }
+ if (em != NULL) {
+ OPENSSL_cleanse(em, num);
OPENSSL_free(em);
+ }
return mlen;
}
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index efa1fd3e993f..50397c335a5a 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -255,8 +255,6 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
* We can't continue in constant-time because we need to copy the result
* and we cannot fake its length. This unavoidably leaks timing
* information at the API boundary.
- * TODO(emilia): this could be addressed at the call site,
- * see BoringSSL commit 0aa0767340baf925bda4804882aab0cb974b2d26.
*/
if (!good) {
mlen = -1;
@@ -266,8 +264,10 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
memcpy(to, em + msg_index, mlen);
err:
- if (em != NULL)
+ if (em != NULL) {
+ OPENSSL_cleanse(em, num);
OPENSSL_free(em);
+ }
if (mlen == -1)
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
RSA_R_PKCS_DECODING_ERROR);
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 8896e2e97714..00e730ffa958 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -180,27 +180,25 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
* FIPS mode.
*/
-static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
+static int pkey_fips_check_rsa(const RSA *rsa, const EVP_MD **pmd,
+ const EVP_MD **pmgf1md)
{
- RSA_PKEY_CTX *rctx = ctx->data;
- RSA *rsa = ctx->pkey->pkey.rsa;
int rv = -1;
+
if (!FIPS_mode())
return 0;
if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
rv = 0;
if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
return -1;
- if (rctx->md) {
- const EVP_MD *fmd;
- fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->md));
- if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS))
+ if (*pmd != NULL) {
+ *pmd = FIPS_get_digestbynid(EVP_MD_type(*pmd));
+ if (*pmd == NULL || !((*pmd)->flags & EVP_MD_FLAG_FIPS))
return rv;
}
- if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS)) {
- const EVP_MD *fmd;
- fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->mgf1md));
- if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS))
+ if (*pmgf1md != NULL) {
+ *pmgf1md = FIPS_get_digestbynid(EVP_MD_type(*pmgf1md));
+ if (*pmgf1md == NULL || !((*pmgf1md)->flags & EVP_MD_FLAG_FIPS))
return rv;
}
return 1;
@@ -214,27 +212,27 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
int ret;
RSA_PKEY_CTX *rctx = ctx->data;
RSA *rsa = ctx->pkey->pkey.rsa;
+ const EVP_MD *md = rctx->md;
+ const EVP_MD *mgf1md = rctx->mgf1md;
#ifdef OPENSSL_FIPS
- ret = pkey_fips_check_ctx(ctx);
+ ret = pkey_fips_check_rsa(rsa, &md, &mgf1md);
if (ret < 0) {
RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
return -1;
}
#endif
- if (rctx->md) {
- if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
+ if (md != NULL) {
+ if (tbslen != (size_t)EVP_MD_size(md)) {
RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
return -1;
}
#ifdef OPENSSL_FIPS
if (ret > 0) {
unsigned int slen;
- ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
- rctx->pad_mode,
- rctx->saltlen,
- rctx->mgf1md, sig, &slen);
+ ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, md, rctx->pad_mode,
+ rctx->saltlen, mgf1md, sig, &slen);
if (ret > 0)
*siglen = slen;
else
@@ -243,12 +241,12 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
}
#endif
- if (EVP_MD_type(rctx->md) == NID_mdc2) {
+ if (EVP_MD_type(md) == NID_mdc2) {
unsigned int sltmp;
if (rctx->pad_mode != RSA_PKCS1_PADDING)
return -1;
- ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2,
- tbs, tbslen, sig, &sltmp, rsa);
+ ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2, tbs, tbslen, sig, &sltmp,
+ rsa);
if (ret <= 0)
return ret;
@@ -263,23 +261,20 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
return -1;
}
memcpy(rctx->tbuf, tbs, tbslen);
- rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md));
+ rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(md));
ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
sig, rsa, RSA_X931_PADDING);
} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
unsigned int sltmp;
- ret = RSA_sign(EVP_MD_type(rctx->md),
- tbs, tbslen, sig, &sltmp, rsa);
+ ret = RSA_sign(EVP_MD_type(md), tbs, tbslen, sig, &sltmp, rsa);
if (ret <= 0)
return ret;
ret = sltmp;
} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
if (!setup_tbuf(rctx, ctx))
return -1;
- if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa,
- rctx->tbuf, tbs,
- rctx->md, rctx->mgf1md,
- rctx->saltlen))
+ if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, rctx->tbuf, tbs,
+ md, mgf1md, rctx->saltlen))
return -1;
ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
sig, rsa, RSA_NO_PADDING);
@@ -348,32 +343,31 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
{
RSA_PKEY_CTX *rctx = ctx->data;
RSA *rsa = ctx->pkey->pkey.rsa;
+ const EVP_MD *md = rctx->md;
+ const EVP_MD *mgf1md = rctx->mgf1md;
size_t rslen;
+
#ifdef OPENSSL_FIPS
- int rv;
- rv = pkey_fips_check_ctx(ctx);
+ int rv = pkey_fips_check_rsa(rsa, &md, &mgf1md);
+
if (rv < 0) {
RSAerr(RSA_F_PKEY_RSA_VERIFY,
RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
return -1;
}
#endif
- if (rctx->md) {
+ if (md != NULL) {
#ifdef OPENSSL_FIPS
if (rv > 0) {
- return FIPS_rsa_verify_digest(rsa,
- tbs, tbslen,
- rctx->md,
- rctx->pad_mode,
- rctx->saltlen,
- rctx->mgf1md, sig, siglen);
+ return FIPS_rsa_verify_digest(rsa, tbs, tbslen, md, rctx->pad_mode,
+ rctx->saltlen, mgf1md, sig, siglen);
}
#endif
if (rctx->pad_mode == RSA_PKCS1_PADDING)
- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
+ return RSA_verify(EVP_MD_type(md), tbs, tbslen,
sig, siglen, rsa);
- if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
+ if (tbslen != (size_t)EVP_MD_size(md)) {
RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
return -1;
}
@@ -388,8 +382,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
rsa, RSA_NO_PADDING);
if (ret <= 0)
return 0;
- ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs,
- rctx->md, rctx->mgf1md,
+ ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, md, mgf1md,
rctx->tbuf, rctx->saltlen);
if (ret <= 0)
return 0;
diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c
index 643ae593439a..03ef981cf912 100644
--- a/crypto/ui/ui_lib.c
+++ b/crypto/ui/ui_lib.c
@@ -520,6 +520,7 @@ int UI_process(UI *ui)
}
}
}
+
err:
if (ui->meth->ui_close_session != NULL
&& ui->meth->ui_close_session(ui) <= 0)
diff --git a/crypto/whrlpool/wp_dgst.c b/crypto/whrlpool/wp_dgst.c
index 807d1c49b2d3..96d042f5859e 100644
--- a/crypto/whrlpool/wp_dgst.c
+++ b/crypto/whrlpool/wp_dgst.c
@@ -166,7 +166,7 @@ void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c, const void *_inp, size_t bits)
goto reconsider;
} else
#endif
- if (bits >= 8) {
+ if (bits > 8) {
b = ((inp[0] << inpgap) | (inp[1] >> (8 - inpgap)));
b &= 0xff;
if (bitrem)
@@ -183,7 +183,7 @@ void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c, const void *_inp, size_t bits)
}
if (bitrem)
c->data[byteoff] = b << (8 - bitrem);
- } else { /* remaining less than 8 bits */
+ } else { /* remaining less than or equal to 8 bits */
b = (inp[0] << inpgap) & 0xff;
if (bitrem)
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index bbc3189381e5..6f0209a275ef 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -402,6 +402,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
if (!hent) {
hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
if (hent == NULL) {
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
goto finish;
}
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
index 43a073003d8b..82ce4e8d87c3 100644
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -92,12 +92,12 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
long argl, char **ret)
{
int ok = 0;
- char *file;
+ const char *file;
switch (cmd) {
case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT) {
- file = (char *)getenv(X509_get_default_cert_file_env());
+ file = getenv(X509_get_default_cert_file_env());
if (file)
ok = (X509_load_cert_crl_file(ctx, file,
X509_FILETYPE_PEM) != 0);
@@ -140,7 +140,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
if (type == X509_FILETYPE_PEM) {
for (;;) {
- x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
+ x = PEM_read_bio_X509_AUX(in, NULL, NULL, "");
if (x == NULL) {
if ((ERR_GET_REASON(ERR_peek_last_error()) ==
PEM_R_NO_START_LINE) && (count > 0)) {
@@ -199,7 +199,7 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
if (type == X509_FILETYPE_PEM) {
for (;;) {
- x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
+ x = PEM_read_bio_X509_CRL(in, NULL, NULL, "");
if (x == NULL) {
if ((ERR_GET_REASON(ERR_peek_last_error()) ==
PEM_R_NO_START_LINE) && (count > 0)) {
@@ -253,7 +253,7 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_SYS_LIB);
return 0;
}
- inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
+ inf = PEM_X509_INFO_read_bio(in, NULL, NULL, "");
BIO_free(in);
if (!inf) {
X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_PEM_LIB);
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 09b8691c8694..03c9533bcca9 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -732,6 +732,7 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags)
{
int ret;
+ int calc_ret;
X509_POLICY_TREE *tree = NULL;
STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
*ptree = NULL;
@@ -800,17 +801,20 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
/* Tree is not empty: continue */
- ret = tree_calculate_authority_set(tree, &auth_nodes);
+ calc_ret = tree_calculate_authority_set(tree, &auth_nodes);
- if (!ret)
+ if (!calc_ret)
goto error;
- if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
- goto error;
+ ret = tree_calculate_user_set(tree, policy_oids, auth_nodes);
- if (ret == 2)
+ if (calc_ret == 2)
sk_X509_POLICY_NODE_free(auth_nodes);
+ if (!ret)
+ goto error;
+
+
if (tree)
*ptree = tree;
diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c
index 1290dec9bb8c..af080a04f2ba 100644
--- a/crypto/x509v3/v3_addr.c
+++ b/crypto/x509v3/v3_addr.c
@@ -130,10 +130,12 @@ static int length_from_afi(const unsigned afi)
*/
unsigned int v3_addr_get_afi(const IPAddressFamily *f)
{
- return ((f != NULL &&
- f->addressFamily != NULL && f->addressFamily->data != NULL)
- ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1]))
- : 0);
+ if (f == NULL
+ || f->addressFamily == NULL
+ || f->addressFamily->data == NULL
+ || f->addressFamily->length < 2)
+ return 0;
+ return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
}
/*
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
index 7f40bfabe050..9bb01ee38e63 100644
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -231,6 +231,7 @@ int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
oth = OTHERNAME_new();
if (!oth)
return 0;
+ ASN1_TYPE_free(oth->value);
oth->type_id = oid;
oth->value = value;
GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 2855269668be..1184091ccf30 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -107,6 +107,47 @@ ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
+/*
+ * We cannot use strncasecmp here because that applies locale specific rules.
+ * For example in Turkish 'I' is not the uppercase character for 'i'. We need to
+ * do a simple ASCII case comparison ignoring the locale (that is why we use
+ * numeric constants below).
+ */
+static int ia5ncasecmp(const char *s1, const char *s2, size_t n)
+{
+ for (; n > 0; n--, s1++, s2++) {
+ if (*s1 != *s2) {
+ unsigned char c1 = (unsigned char)*s1, c2 = (unsigned char)*s2;
+
+ /* Convert to lower case */
+ if (c1 >= 0x41 /* A */ && c1 <= 0x5A /* Z */)
+ c1 += 0x20;
+ if (c2 >= 0x41 /* A */ && c2 <= 0x5A /* Z */)
+ c2 += 0x20;
+
+ if (c1 == c2)
+ continue;
+
+ if (c1 < c2)
+ return -1;
+
+ /* c1 > c2 */
+ return 1;
+ } else if (*s1 == 0) {
+ /* If we get here we know that *s2 == 0 too */
+ return 0;
+ }
+ }
+
+ return 0;
+}
+
+static int ia5casecmp(const char *s1, const char *s2)
+{
+ /* No portable definition of SIZE_MAX, so we use (size_t)(-1) instead */
+ return ia5ncasecmp(s1, s2, (size_t)(-1));
+}
+
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
@@ -384,7 +425,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
return X509_V_ERR_PERMITTED_VIOLATION;
}
- if (strcasecmp(baseptr, dnsptr))
+ if (ia5casecmp(baseptr, dnsptr))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
@@ -404,7 +445,7 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
if (!baseat && (*baseptr == '.')) {
if (eml->length > base->length) {
emlptr += eml->length - base->length;
- if (!strcasecmp(baseptr, emlptr))
+ if (ia5casecmp(baseptr, emlptr) == 0)
return X509_V_OK;
}
return X509_V_ERR_PERMITTED_VIOLATION;
@@ -425,7 +466,7 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
}
emlptr = emlat + 1;
/* Just have hostname left to match: case insensitive */
- if (strcasecmp(baseptr, emlptr))
+ if (ia5casecmp(baseptr, emlptr))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
@@ -464,14 +505,14 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
if (*baseptr == '.') {
if (hostlen > base->length) {
p = hostptr + hostlen - base->length;
- if (!strncasecmp(p, baseptr, base->length))
+ if (ia5ncasecmp(p, baseptr, base->length) == 0)
return X509_V_OK;
}
return X509_V_ERR_PERMITTED_VIOLATION;
}
if ((base->length != (int)hostlen)
- || strncasecmp(hostptr, baseptr, hostlen))
+ || ia5ncasecmp(hostptr, baseptr, hostlen))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
diff --git a/crypto/x86_64cpuid.pl b/crypto/x86_64cpuid.pl
index a3d6f438f91e..ef3608b13495 100644
--- a/crypto/x86_64cpuid.pl
+++ b/crypto/x86_64cpuid.pl
@@ -136,8 +136,19 @@ OPENSSL_ia32_cpuid:
or \$0x40000000,%edx # set reserved bit#30 on Intel CPUs
and \$15,%ah
cmp \$15,%ah # examine Family ID
- jne .Lnotintel
+ jne .LnotP4
or \$0x00100000,%edx # set reserved bit#20 to engage RC4_CHAR
+.LnotP4:
+ cmp \$6,%ah
+ jne .Lnotintel
+ and \$0x0fff0ff0,%eax
+ cmp \$0x00050670,%eax # Knights Landing
+ je .Lknights
+ cmp \$0x00080650,%eax # Knights Mill (according to sde)
+ jne .Lnotintel
+.Lknights:
+ and \$0xfbffffff,%ecx # clear XSAVE flag to mimic Silvermont
+
.Lnotintel:
bt \$28,%edx # test hyper-threading bit
jnc .Lgeneric
@@ -162,6 +173,10 @@ OPENSSL_ia32_cpuid:
mov \$7,%eax
xor %ecx,%ecx
cpuid
+ bt \$26,%r9d # check XSAVE bit, cleared on Knights
+ jc .Lnotknights
+ and \$0xfff7ffff,%ebx # clear ADCX/ADOX flag
+.Lnotknights:
mov %ebx,8(%rdi) # save extended feature flags
.Lno_extended_info:
@@ -175,7 +190,7 @@ OPENSSL_ia32_cpuid:
.Lclear_avx:
mov \$0xefffe7ff,%eax # ~(1<<28|1<<12|1<<11)
and %eax,%r9d # clear AVX, FMA and AMD XOP bits
- andl \$0xffffffdf,8(%rdi) # cleax AVX2, ~(1<<5)
+ andl \$0xffffffdf,8(%rdi) # clear AVX2, ~(1<<5)
.Ldone:
shl \$32,%r9
mov %r10d,%eax
diff --git a/doc/apps/asn1parse.pod b/doc/apps/asn1parse.pod
index 76a765daf95b..a84dbc37dc89 100644
--- a/doc/apps/asn1parse.pod
+++ b/doc/apps/asn1parse.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-asn1parse,
asn1parse - ASN.1 parsing tool
=head1 SYNOPSIS
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index c90e6482e584..cc26bf48a3a7 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-ca,
ca - sample minimal CA application
=head1 SYNOPSIS
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 35d40bbf27ae..fa16124d08b8 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-ciphers,
ciphers - SSL cipher display and cipher list tool.
=head1 SYNOPSIS
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index ac69804228cc..4a7783d47a4e 100644
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-cms,
cms - CMS utility
=head1 SYNOPSIS
diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod
index 044a9da91545..cdced1c742c0 100644
--- a/doc/apps/crl.pod
+++ b/doc/apps/crl.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-crl,
crl - CRL utility
=head1 SYNOPSIS
diff --git a/doc/apps/crl2pkcs7.pod b/doc/apps/crl2pkcs7.pod
index 3797bc0df4ef..18654c5afa0e 100644
--- a/doc/apps/crl2pkcs7.pod
+++ b/doc/apps/crl2pkcs7.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-crl2pkcs7,
crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates.
=head1 SYNOPSIS
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index b27bb946b1b2..72d6c87fabca 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-dgst,
dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 - message digests
=head1 SYNOPSIS
diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod
index 1cd4c76663c5..018d9935085a 100644
--- a/doc/apps/dhparam.pod
+++ b/doc/apps/dhparam.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-dhparam,
dhparam - DH parameter manipulation and generation
=head1 SYNOPSIS
diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod
index 8bf6cc9dcad6..77d66089beac 100644
--- a/doc/apps/dsa.pod
+++ b/doc/apps/dsa.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-dsa,
dsa - DSA key processing
=head1 SYNOPSIS
diff --git a/doc/apps/dsaparam.pod b/doc/apps/dsaparam.pod
index ba5ec4d72cdf..446903491357 100644
--- a/doc/apps/dsaparam.pod
+++ b/doc/apps/dsaparam.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-dsaparam,
dsaparam - DSA parameter manipulation and generation
=head1 SYNOPSIS
diff --git a/doc/apps/ec.pod b/doc/apps/ec.pod
index 5c7b45d4e75e..658eac5d509f 100644
--- a/doc/apps/ec.pod
+++ b/doc/apps/ec.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-ec,
ec - EC key processing
=head1 SYNOPSIS
diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod
index 88e9d1e83d02..ba2f3b9ae274 100644
--- a/doc/apps/ecparam.pod
+++ b/doc/apps/ecparam.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-ecparam,
ecparam - EC parameter manipulation and generation
=head1 SYNOPSIS
diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod
index 41791ad6713c..aceafcd4d557 100644
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-enc,
enc - symmetric cipher routines
=head1 SYNOPSIS
diff --git a/doc/apps/errstr.pod b/doc/apps/errstr.pod
index b3c6ccfc9cbd..0dee51c844ef 100644
--- a/doc/apps/errstr.pod
+++ b/doc/apps/errstr.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-errstr,
errstr - lookup error codes
=head1 SYNOPSIS
diff --git a/doc/apps/gendsa.pod b/doc/apps/gendsa.pod
index d9f56be890f8..2c8e5c86f208 100644
--- a/doc/apps/gendsa.pod
+++ b/doc/apps/gendsa.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-gendsa,
gendsa - generate a DSA private key from a set of parameters
=head1 SYNOPSIS
diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod
index 929edcd26ff0..4d09fc0937c5 100644
--- a/doc/apps/genpkey.pod
+++ b/doc/apps/genpkey.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-genpkey,
genpkey - generate a private key
=head1 SYNOPSIS
diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod
index f4ed9593ae26..8be06834f507 100644
--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-genrsa,
genrsa - generate an RSA private key
=head1 SYNOPSIS
diff --git a/doc/apps/nseq.pod b/doc/apps/nseq.pod
index 989c3108fb83..de441fa87a4d 100644
--- a/doc/apps/nseq.pod
+++ b/doc/apps/nseq.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-nseq,
nseq - create or examine a netscape certificate sequence
=head1 SYNOPSIS
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 1bb7958d20e5..9e2716f00820 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-ocsp,
ocsp - Online Certificate Status Protocol utility
=head1 SYNOPSIS
diff --git a/doc/apps/passwd.pod b/doc/apps/passwd.pod
index f44982549bf1..7f74ce016d92 100644
--- a/doc/apps/passwd.pod
+++ b/doc/apps/passwd.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-passwd,
passwd - compute password hashes
=head1 SYNOPSIS
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod
index 744984838dc7..debc9ea27a27 100644
--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-pkcs12,
pkcs12 - PKCS#12 file utility
=head1 SYNOPSIS
diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod
index acfb8100f078..651e9371c105 100644
--- a/doc/apps/pkcs7.pod
+++ b/doc/apps/pkcs7.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-pkcs7,
pkcs7 - PKCS#7 utility
=head1 SYNOPSIS
diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod
index 6901f1f3f211..f741741e5ad2 100644
--- a/doc/apps/pkcs8.pod
+++ b/doc/apps/pkcs8.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-pkcs8,
pkcs8 - PKCS#8 format private key conversion tool
=head1 SYNOPSIS
diff --git a/doc/apps/pkey.pod b/doc/apps/pkey.pod
index 4851223f3fcd..6db8a6238393 100644
--- a/doc/apps/pkey.pod
+++ b/doc/apps/pkey.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-pkey,
pkey - public or private key processing tool
=head1 SYNOPSIS
diff --git a/doc/apps/pkeyparam.pod b/doc/apps/pkeyparam.pod
index 154f6721af4a..27c10a6a745c 100644
--- a/doc/apps/pkeyparam.pod
+++ b/doc/apps/pkeyparam.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-pkeyparam,
pkeyparam - public key algorithm parameter processing tool
=head1 SYNOPSIS
diff --git a/doc/apps/pkeyutl.pod b/doc/apps/pkeyutl.pod
index 5da347c97d32..78b3b02a7d96 100644
--- a/doc/apps/pkeyutl.pod
+++ b/doc/apps/pkeyutl.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-pkeyutl,
pkeyutl - public key algorithm utility
=head1 SYNOPSIS
diff --git a/doc/apps/rand.pod b/doc/apps/rand.pod
index d1d213ef43cb..94df10d939e0 100644
--- a/doc/apps/rand.pod
+++ b/doc/apps/rand.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-rand,
rand - generate pseudo-random bytes
=head1 SYNOPSIS
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index 1682ba5143dd..20b2f39e90f2 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-req,
req - PKCS#10 certificate request and certificate generating utility.
=head1 SYNOPSIS
diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod
index 21cbf8ee009b..7e43e0f3d062 100644
--- a/doc/apps/rsa.pod
+++ b/doc/apps/rsa.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-rsa,
rsa - RSA key processing tool
=head1 SYNOPSIS
diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod
index 1a498c2f62e0..e16ce29cf609 100644
--- a/doc/apps/rsautl.pod
+++ b/doc/apps/rsautl.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-rsautl,
rsautl - RSA utility
=head1 SYNOPSIS
@@ -105,7 +106,7 @@ Recover the signed data
Examine the raw signed data:
- openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
+ openssl rsautl -verify -in sig -inkey key.pem -raw -hexdump
0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index b45acbc5e3e4..d9413a0cf211 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-s_client,
s_client - SSL/TLS client program
=head1 SYNOPSIS
@@ -197,12 +198,14 @@ Can be used to override the implicit B<-ign_eof> after B<-quiet>.
=item B<-psk_identity identity>
Use the PSK identity B<identity> when using a PSK cipher suite.
+The default value is "Client_identity" (without the quotes).
=item B<-psk key>
Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
+This option must be provided in order to use a PSK cipher.
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 1fe93ddfbebb..9916fc3ef6a3 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-s_server,
s_server - SSL/TLS server program
=head1 SYNOPSIS
@@ -219,6 +220,7 @@ Use the PSK identity hint B<hint> when using a PSK cipher suite.
Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
+This option must be provided in order to use a PSK cipher.
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
@@ -403,10 +405,6 @@ a web browser the command:
can be used for example.
-Most web browsers (in particular Netscape and MSIE) only support RSA cipher
-suites, so they cannot connect to servers which don't use a certificate
-carrying an RSA key or a version of OpenSSL with RSA disabled.
-
Although specifying an empty list of CAs when requesting a client certificate
is strictly speaking a protocol violation, some SSL clients interpret this to
mean any CA is acceptable. This is useful for debugging purposes.
diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod
index 9082d876feeb..1fa02800a419 100644
--- a/doc/apps/s_time.pod
+++ b/doc/apps/s_time.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-s_time,
s_time - SSL/TLS performance timing program
=head1 SYNOPSIS
diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod
index 9988d2cd3d5d..0771baef1173 100644
--- a/doc/apps/sess_id.pod
+++ b/doc/apps/sess_id.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-sess_id,
sess_id - SSL/TLS session handling utility
=head1 SYNOPSIS
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index 04a83ca8e427..fbf60da27faf 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-smime,
smime - S/MIME utility
=head1 SYNOPSIS
diff --git a/doc/apps/speed.pod b/doc/apps/speed.pod
index 1cd1998d1675..2bfe91e371cb 100644
--- a/doc/apps/speed.pod
+++ b/doc/apps/speed.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-speed,
speed - test library performance
=head1 SYNOPSIS
diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod
index 97fb80e4016b..b8a5477a063e 100644
--- a/doc/apps/spkac.pod
+++ b/doc/apps/spkac.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-spkac,
spkac - SPKAC printing and generating utility
=head1 SYNOPSIS
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index d6aa47d3144d..5da019b2eb2f 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-ts,
ts - Time Stamping Authority tool (client/server)
=head1 SYNOPSIS
diff --git a/doc/apps/tsget.pod b/doc/apps/tsget.pod
index 56db985c4bb1..4856c850d8e1 100644
--- a/doc/apps/tsget.pod
+++ b/doc/apps/tsget.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-tsget,
tsget - Time Stamping HTTP/HTTPS client
=head1 SYNOPSIS
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index b3767325ae07..321d5ac7e126 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-verify,
verify - Utility to verify certificates.
=head1 SYNOPSIS
diff --git a/doc/apps/version.pod b/doc/apps/version.pod
index 58f543bc3e64..675b0f84d6a7 100644
--- a/doc/apps/version.pod
+++ b/doc/apps/version.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-version,
version - print OpenSSL version information
=head1 SYNOPSIS
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index 1479a7495716..d50625862ac3 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-x509,
x509 - Certificate display and signing utility
=head1 SYNOPSIS
diff --git a/doc/crypto/BN_bn2bin.pod b/doc/crypto/BN_bn2bin.pod
index 3bed47f8f1d5..f6bb484f902f 100644
--- a/doc/crypto/BN_bn2bin.pod
+++ b/doc/crypto/BN_bn2bin.pod
@@ -70,8 +70,9 @@ BN_bn2bin() returns the length of the big-endian number placed at B<to>.
BN_bin2bn() returns the B<BIGNUM>, NULL on error.
BN_bn2hex() and BN_bn2dec() return a null-terminated string, or NULL
-on error. BN_hex2bn() and BN_dec2bn() return the number's length in
-hexadecimal or decimal digits, and 0 on error.
+on error. BN_hex2bn() and BN_dec2bn() return the number of characters
+used in parsing, or 0 on error, in which
+case no new B<BIGNUM> will be created.
BN_print_fp() and BN_print() return 1 on success, 0 on write errors.
diff --git a/doc/crypto/BN_new.pod b/doc/crypto/BN_new.pod
index ab7a105e3ad7..d446603191af 100644
--- a/doc/crypto/BN_new.pod
+++ b/doc/crypto/BN_new.pod
@@ -30,10 +30,12 @@ to the value 0.
BN_free() frees the components of the B<BIGNUM>, and if it was created
by BN_new(), also the structure itself. BN_clear_free() additionally
overwrites the data before the memory is returned to the system.
+If B<a> is NULL, nothing is done.
=head1 RETURN VALUES
-BN_new() returns a pointer to the B<BIGNUM>. If the allocation fails,
+BN_new() returns a pointer to the B<BIGNUM> initialised to the value 0.
+If the allocation fails,
it returns B<NULL> and sets an error code that can be obtained
by L<ERR_get_error(3)|ERR_get_error(3)>.
diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod
index 0c0a30c1ffa0..dc9a2d76c5f6 100644
--- a/doc/crypto/EVP_EncryptInit.pod
+++ b/doc/crypto/EVP_EncryptInit.pod
@@ -395,8 +395,7 @@ processed (e.g. after an EVP_EncryptFinal() call).
EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, taglen, tag);
Sets the expected tag to B<taglen> bytes from B<tag>. This call is only legal
-when decrypting data and must be made B<before> any data is processed (e.g.
-before any EVP_DecryptUpdate() call).
+when decrypting data.
=head1 CCM Mode
diff --git a/doc/crypto/EVP_PKEY_meth_new.pod b/doc/crypto/EVP_PKEY_meth_new.pod
new file mode 100644
index 000000000000..041492a8f0fb
--- /dev/null
+++ b/doc/crypto/EVP_PKEY_meth_new.pod
@@ -0,0 +1,376 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_meth_new, EVP_PKEY_meth_free, EVP_PKEY_meth_copy, EVP_PKEY_meth_find,
+EVP_PKEY_meth_add0, EVP_PKEY_METHOD,
+EVP_PKEY_meth_set_init, EVP_PKEY_meth_set_copy, EVP_PKEY_meth_set_cleanup,
+EVP_PKEY_meth_set_paramgen, EVP_PKEY_meth_set_keygen, EVP_PKEY_meth_set_sign,
+EVP_PKEY_meth_set_verify, EVP_PKEY_meth_set_verify_recover, EVP_PKEY_meth_set_signctx,
+EVP_PKEY_meth_set_verifyctx, EVP_PKEY_meth_set_encrypt, EVP_PKEY_meth_set_decrypt,
+EVP_PKEY_meth_set_derive, EVP_PKEY_meth_set_ctrl,
+EVP_PKEY_meth_get_init, EVP_PKEY_meth_get_copy, EVP_PKEY_meth_get_cleanup,
+EVP_PKEY_meth_get_paramgen, EVP_PKEY_meth_get_keygen, EVP_PKEY_meth_get_sign,
+EVP_PKEY_meth_get_verify, EVP_PKEY_meth_get_verify_recover, EVP_PKEY_meth_get_signctx,
+EVP_PKEY_meth_get_verifyctx, EVP_PKEY_meth_get_encrypt, EVP_PKEY_meth_get_decrypt,
+EVP_PKEY_meth_get_derive, EVP_PKEY_meth_get_ctrl
+- manipulating EVP_PKEY_METHOD structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
+
+ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
+ void EVP_PKEY_meth_free(EVP_PKEY_METHOD *pmeth);
+ void EVP_PKEY_meth_copy(EVP_PKEY_METHOD *dst, const EVP_PKEY_METHOD *src);
+ const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
+ int EVP_PKEY_meth_add0(const EVP_PKEY_METHOD *pmeth);
+
+ void EVP_PKEY_meth_set_init(EVP_PKEY_METHOD *pmeth,
+ int (*init) (EVP_PKEY_CTX *ctx));
+ void EVP_PKEY_meth_set_copy(EVP_PKEY_METHOD *pmeth,
+ int (*copy) (EVP_PKEY_CTX *dst,
+ EVP_PKEY_CTX *src));
+ void EVP_PKEY_meth_set_cleanup(EVP_PKEY_METHOD *pmeth,
+ void (*cleanup) (EVP_PKEY_CTX *ctx));
+ void EVP_PKEY_meth_set_paramgen(EVP_PKEY_METHOD *pmeth,
+ int (*paramgen_init) (EVP_PKEY_CTX *ctx),
+ int (*paramgen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey));
+ void EVP_PKEY_meth_set_keygen(EVP_PKEY_METHOD *pmeth,
+ int (*keygen_init) (EVP_PKEY_CTX *ctx),
+ int (*keygen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey));
+ void EVP_PKEY_meth_set_sign(EVP_PKEY_METHOD *pmeth,
+ int (*sign_init) (EVP_PKEY_CTX *ctx),
+ int (*sign) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_set_verify(EVP_PKEY_METHOD *pmeth,
+ int (*verify_init) (EVP_PKEY_CTX *ctx),
+ int (*verify) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ size_t siglen,
+ const unsigned char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_set_verify_recover(EVP_PKEY_METHOD *pmeth,
+ int (*verify_recover_init) (EVP_PKEY_CTX
+ *ctx),
+ int (*verify_recover) (EVP_PKEY_CTX
+ *ctx,
+ unsigned char
+ *sig,
+ size_t *siglen,
+ const unsigned
+ char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_set_signctx(EVP_PKEY_METHOD *pmeth,
+ int (*signctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (*signctx) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig,
+ size_t *siglen,
+ EVP_MD_CTX *mctx));
+ void EVP_PKEY_meth_set_verifyctx(EVP_PKEY_METHOD *pmeth,
+ int (*verifyctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (*verifyctx) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ int siglen,
+ EVP_MD_CTX *mctx));
+ void EVP_PKEY_meth_set_encrypt(EVP_PKEY_METHOD *pmeth,
+ int (*encrypt_init) (EVP_PKEY_CTX *ctx),
+ int (*encryptfn) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen));
+ void EVP_PKEY_meth_set_decrypt(EVP_PKEY_METHOD *pmeth,
+ int (*decrypt_init) (EVP_PKEY_CTX *ctx),
+ int (*decrypt) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen));
+ void EVP_PKEY_meth_set_derive(EVP_PKEY_METHOD *pmeth,
+ int (*derive_init) (EVP_PKEY_CTX *ctx),
+ int (*derive) (EVP_PKEY_CTX *ctx,
+ unsigned char *key,
+ size_t *keylen));
+ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
+ int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
+ void *p2),
+ int (*ctrl_str) (EVP_PKEY_CTX *ctx,
+ const char *type,
+ const char *value));
+
+ void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth,
+ int (**pinit) (EVP_PKEY_CTX *ctx));
+ void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth,
+ int (**pcopy) (EVP_PKEY_CTX *dst,
+ EVP_PKEY_CTX *src));
+ void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth,
+ void (**pcleanup) (EVP_PKEY_CTX *ctx));
+ void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth,
+ int (**pparamgen_init) (EVP_PKEY_CTX *ctx),
+ int (**pparamgen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey));
+ void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth,
+ int (**pkeygen_init) (EVP_PKEY_CTX *ctx),
+ int (**pkeygen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey));
+ void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
+ int (**psign_init) (EVP_PKEY_CTX *ctx),
+ int (**psign) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth,
+ int (**pverify_init) (EVP_PKEY_CTX *ctx),
+ int (**pverify) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ size_t siglen,
+ const unsigned char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth,
+ int (**pverify_recover_init) (EVP_PKEY_CTX
+ *ctx),
+ int (**pverify_recover) (EVP_PKEY_CTX
+ *ctx,
+ unsigned char
+ *sig,
+ size_t *siglen,
+ const unsigned
+ char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth,
+ int (**psignctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (**psignctx) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig,
+ size_t *siglen,
+ EVP_MD_CTX *mctx));
+ void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth,
+ int (**pverifyctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (**pverifyctx) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ int siglen,
+ EVP_MD_CTX *mctx));
+ void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth,
+ int (**pencrypt_init) (EVP_PKEY_CTX *ctx),
+ int (**pencryptfn) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen));
+ void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth,
+ int (**pdecrypt_init) (EVP_PKEY_CTX *ctx),
+ int (**pdecrypt) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen));
+ void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth,
+ int (**pderive_init) (EVP_PKEY_CTX *ctx),
+ int (**pderive) (EVP_PKEY_CTX *ctx,
+ unsigned char *key,
+ size_t *keylen));
+ void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth,
+ int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
+ void *p2),
+ int (**pctrl_str) (EVP_PKEY_CTX *ctx,
+ const char *type,
+ const char *value));
+
+=head1 DESCRIPTION
+
+B<EVP_PKEY_METHOD> is a structure which holds a set of methods for a
+specific public key cryptographic algorithm. Those methods are usually
+used to perform different jobs, such as generating a key, signing or
+verifying, encrypting or decrypting, etc.
+
+There are two places where the B<EVP_PKEY_METHOD> objects are stored: one
+is a built-in static array representing the standard methods for different
+algorithms, and the other one is a stack of user-defined application-specific
+methods, which can be manipulated by using L<EVP_PKEY_meth_add0(3)>.
+
+The B<EVP_PKEY_METHOD> objects are usually referenced by B<EVP_PKEY_CTX>
+objects.
+
+=head2 Methods
+
+The methods are the underlying implementations of a particular public key
+algorithm present by the B<EVP_PKEY_CTX> object.
+
+ int (*init) (EVP_PKEY_CTX *ctx);
+ int (*copy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
+ void (*cleanup) (EVP_PKEY_CTX *ctx);
+
+The init() method is called to initialize algorithm-specific data when a new
+B<EVP_PKEY_CTX> is created. As opposed to init(), the cleanup() method is called
+when an B<EVP_PKEY_CTX> is freed. The copy() method is called when an B<EVP_PKEY_CTX>
+is being duplicated. Refer to L<EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_CTX_new_id(3)>,
+L<EVP_PKEY_CTX_free(3)> and L<EVP_PKEY_CTX_dup(3)>.
+
+ int (*paramgen_init) (EVP_PKEY_CTX *ctx);
+ int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
+
+The paramgen_init() and paramgen() methods deal with key parameter generation.
+They are called by L<EVP_PKEY_paramgen_init(3)> and L<EVP_PKEY_paramgen(3)> to
+handle the parameter generation process.
+
+ int (*keygen_init) (EVP_PKEY_CTX *ctx);
+ int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
+
+The keygen_init() and keygen() methods are used to generate the actual key for
+the specified algorithm. They are called by L<EVP_PKEY_keygen_init(3)> and
+L<EVP_PKEY_keygen(3)>.
+
+ int (*sign_init) (EVP_PKEY_CTX *ctx);
+ int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen);
+
+The sign_init() and sign() methods are used to generate the signature of a
+piece of data using a private key. They are called by L<EVP_PKEY_sign_init(3)>
+and L<EVP_PKEY_sign(3)>.
+
+ int (*verify_init) (EVP_PKEY_CTX *ctx);
+ int (*verify) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig, size_t siglen,
+ const unsigned char *tbs, size_t tbslen);
+
+The verify_init() and verify() methods are used to verify whether a signature is
+valid. They are called by L<EVP_PKEY_verify_init(3)> and L<EVP_PKEY_verify(3)>.
+
+ int (*verify_recover_init) (EVP_PKEY_CTX *ctx);
+ int (*verify_recover) (EVP_PKEY_CTX *ctx,
+ unsigned char *rout, size_t *routlen,
+ const unsigned char *sig, size_t siglen);
+
+The verify_recover_init() and verify_recover() methods are used to verify a
+signature and then recover the digest from the signature (for instance, a
+signature that was generated by RSA signing algorithm). They are called by
+L<EVP_PKEY_verify_recover_init(3)> and L<EVP_PKEY_verify_recover(3)>.
+
+ int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
+ int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+ EVP_MD_CTX *mctx);
+
+The signctx_init() and signctx() methods are used to sign a digest present by
+a B<EVP_MD_CTX> object. They are called by the EVP_DigestSign functions. See
+L<EVP_DigestSignInit(3)> for detail.
+
+ int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
+ int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen,
+ EVP_MD_CTX *mctx);
+
+The verifyctx_init() and verifyctx() methods are used to verify a signature
+against the data in a B<EVP_MD_CTX> object. They are called by the various
+EVP_DigestVerify functions. See L<EVP_DigestVerifyInit(3)> for detail.
+
+ int (*encrypt_init) (EVP_PKEY_CTX *ctx);
+ int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
+ const unsigned char *in, size_t inlen);
+
+The encrypt_init() and encrypt() methods are used to encrypt a piece of data.
+They are called by L<EVP_PKEY_encrypt_init(3)> and L<EVP_PKEY_encrypt(3)>.
+
+ int (*decrypt_init) (EVP_PKEY_CTX *ctx);
+ int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
+ const unsigned char *in, size_t inlen);
+
+The decrypt_init() and decrypt() methods are used to decrypt a piece of data.
+They are called by L<EVP_PKEY_decrypt_init(3)> and L<EVP_PKEY_decrypt(3)>.
+
+ int (*derive_init) (EVP_PKEY_CTX *ctx);
+ int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
+
+The derive_init() and derive() methods are used to derive the shared secret
+from a public key algorithm (for instance, the DH algorithm). They are called by
+L<EVP_PKEY_derive_init(3)> and L<EVP_PKEY_derive(3)>.
+
+ int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
+ int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
+
+The ctrl() and ctrl_str() methods are used to adjust algorithm-specific
+settings. See L<EVP_PKEY_CTX_ctrl(3)> and related functions for detail.
+
+ int (*digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen);
+ int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig,
+ size_t siglen, const unsigned char *tbs,
+ size_t tbslen);
+
+The digestsign() and digestverify() methods are used to generate or verify
+a signature in a one-shot mode. They could be called by L<EVP_DigetSign(3)>
+and L<EVP_DigestVerify(3)>.
+
+=head2 Functions
+
+EVP_PKEY_meth_new() creates and returns a new B<EVP_PKEY_METHOD> object,
+and associates the given B<id> and B<flags>. The following flags are
+supported:
+
+ EVP_PKEY_FLAG_AUTOARGLEN
+ EVP_PKEY_FLAG_SIGCTX_CUSTOM
+
+If an B<EVP_PKEY_METHOD> is set with the B<EVP_PKEY_FLAG_AUTOARGLEN> flag, the
+maximum size of the output buffer will be automatically calculated or checked
+in corresponding EVP methods by the EVP framework. Thus the implementations of
+these methods don't need to care about handling the case of returning output
+buffer size by themselves. For details on the output buffer size, refer to
+L<EVP_PKEY_sign(3)>.
+
+The B<EVP_PKEY_FLAG_SIGCTX_CUSTOM> is used to indicate the signctx() method
+of an B<EVP_PKEY_METHOD> is always called by the EVP framework while doing a
+digest signing operation by calling L<EVP_DigestSignFinal(3)>.
+
+EVP_PKEY_meth_free() frees an existing B<EVP_PKEY_METHOD> pointed by
+B<pmeth>.
+
+EVP_PKEY_meth_copy() copies an B<EVP_PKEY_METHOD> object from B<src>
+to B<dst>.
+
+EVP_PKEY_meth_find() finds an B<EVP_PKEY_METHOD> object with the B<id>.
+This function first searches through the user-defined method objects and
+then the built-in objects.
+
+EVP_PKEY_meth_add0() adds B<pmeth> to the user defined stack of methods.
+
+The EVP_PKEY_meth_set functions set the corresponding fields of
+B<EVP_PKEY_METHOD> structure with the arguments passed.
+
+The EVP_PKEY_meth_get functions get the corresponding fields of
+B<EVP_PKEY_METHOD> structure to the arguments provided.
+
+=head1 RETURN VALUES
+
+EVP_PKEY_meth_new() returns a pointer to a new B<EVP_PKEY_METHOD>
+object or returns NULL on error.
+
+EVP_PKEY_meth_free() and EVP_PKEY_meth_copy() do not return values.
+
+EVP_PKEY_meth_find() returns a pointer to the found B<EVP_PKEY_METHOD>
+object or returns NULL if not found.
+
+EVP_PKEY_meth_add0() returns 1 if method is added successfully or 0
+if an error occurred.
+
+All EVP_PKEY_meth_set and EVP_PKEY_meth_get functions have no return
+values. For the 'get' functions, function pointers are returned by
+arguments.
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
index b8f678fe729d..f20f815d4786 100644
--- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
@@ -104,6 +104,13 @@ The RSA_padding_check_xxx() functions return the length of the
recovered data, -1 on error. Error codes can be obtained by calling
L<ERR_get_error(3)|ERR_get_error(3)>.
+=head1 WARNING
+
+The RSA_padding_check_PKCS1_type_2() padding check leaks timing
+information which can potentially be used to mount a Bleichenbacher
+padding oracle attack. This is an inherent weakness in the PKCS #1
+v1.5 padding design. Prefer PKCS1_OAEP padding.
+
=head1 SEE ALSO
L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
diff --git a/doc/crypto/RSA_public_encrypt.pod b/doc/crypto/RSA_public_encrypt.pod
index 0541f348b3e2..4d7c1f2cac7a 100644
--- a/doc/crypto/RSA_public_encrypt.pod
+++ b/doc/crypto/RSA_public_encrypt.pod
@@ -67,6 +67,13 @@ recovered plaintext.
On error, -1 is returned; the error codes can be
obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+=head1 WARNING
+
+Decryption failures in the RSA_PKCS1_PADDING mode leak information
+which can potentially be used to mount a Bleichenbacher padding oracle
+attack. This is an inherent weakness in the PKCS #1 v1.5 padding
+design. Prefer RSA_PKCS1_OAEP_PADDING.
+
=head1 CONFORMING TO
SSL, PKCS #1 v2.0
diff --git a/doc/crypto/X509_check_private_key.pod b/doc/crypto/X509_check_private_key.pod
new file mode 100644
index 000000000000..a1fb07b1097e
--- /dev/null
+++ b/doc/crypto/X509_check_private_key.pod
@@ -0,0 +1,54 @@
+=pod
+
+=head1 NAME
+
+X509_check_private_key, X509_REQ_check_private_key - check the consistency
+of a private key with the public key in an X509 certificate or certificate
+request
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ int X509_check_private_key(X509 *x, EVP_PKEY *k);
+
+ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k);
+
+=head1 DESCRIPTION
+
+X509_check_private_key() function checks the consistency of private
+key B<k> with the public key in B<x>.
+
+X509_REQ_check_private_key() is equivalent to X509_check_private_key()
+except that B<x> represents a certificate request of structure B<X509_REQ>.
+
+=head1 RETURN VALUE
+
+X509_check_private_key() and X509_REQ_check_private_key() return 1 if
+the keys match each other, and 0 if not.
+
+If the key is invalid or an error occurred, the reason code can be
+obtained using L<ERR_get_error(3)>.
+
+=head1 BUGS
+
+The B<check_private_key> functions don't check if B<k> itself is indeed
+a private key or not. It merely compares the public materials (e.g. exponent
+and modulus of an RSA key) and/or key parameters (e.g. EC params of an EC key)
+of a key pair. So if you pass a public key to these functions in B<k>, it will
+return success.
+
+=head1 SEE ALSO
+
+L<ERR_get_error(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/crypto/hmac.pod b/doc/crypto/hmac.pod
index 2c8f20a20188..ca9798af62c3 100644
--- a/doc/crypto/hmac.pod
+++ b/doc/crypto/hmac.pod
@@ -38,7 +38,8 @@ B<key_len> bytes long.
It places the result in B<md> (which must have space for the output of
the hash function, which is no more than B<EVP_MAX_MD_SIZE> bytes).
If B<md> is NULL, the digest is placed in a static array. The size of
-the output is placed in B<md_len>, unless it is B<NULL>.
+the output is placed in B<md_len>, unless it is B<NULL>. Note: passing a NULL
+value for B<md> to use the static array is not thread safe.
B<evp_md> can be EVP_sha1(), EVP_ripemd160() etc.
diff --git a/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod b/doc/ssl/SSL_CTX_set_tlsext_servername_callback.pod
index 3b0a50956d9b..3b0a50956d9b 100644
--- a/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_servername_callback.pod
diff --git a/doc/ssl/SSL_export_keying_material.pod b/doc/ssl/SSL_export_keying_material.pod
new file mode 100644
index 000000000000..ccb99ec9a8e0
--- /dev/null
+++ b/doc/ssl/SSL_export_keying_material.pod
@@ -0,0 +1,61 @@
+=pod
+
+=head1 NAME
+
+SSL_export_keying_material - obtain keying material for application use
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+ const char *label, size_t llen,
+ const unsigned char *context,
+ size_t contextlen, int use_context);
+
+=head1 DESCRIPTION
+
+During the creation of a TLS or DTLS connection shared keying material is
+established between the two endpoints. The function SSL_export_keying_material()
+enables an application to use some of this keying material for its own purposes
+in accordance with RFC5705.
+
+An application may need to securely establish the context within which this
+keying material will be used. For example this may include identifiers for the
+application session, application algorithms or parameters, or the lifetime of
+the context. The context value is left to the application but must be the same
+on both sides of the communication.
+
+For a given SSL connection B<s>, B<olen> bytes of data will be written to
+B<out>. The application specific context should be supplied in the location
+pointed to by B<context> and should be B<contextlen> bytes long. Provision of
+a context is optional. If the context should be omitted entirely then
+B<use_context> should be set to 0. Otherwise it should be any other value. If
+B<use_context> is 0 then the values of B<context> and B<contextlen> are ignored.
+Note that a zero length context is treated differently to no context at all, and
+will result in different keying material being returned.
+
+An application specific label should be provided in the location pointed to by
+B<label> and should be B<llen> bytes long. Typically this will be a value from
+the IANA Exporter Label Registry
+(L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>).
+Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard
+to be used without registration.
+
+Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and
+above. Attempting to use it in SSLv3 will result in an error.
+
+=head1 RETURN VALUES
+
+SSL_export_keying_material() returns 0 or -1 on failure or 1 on success.
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/ssl/SSL_set_connect_state.pod b/doc/ssl/SSL_set_connect_state.pod
index d88a057deffa..14facc6a57c9 100644
--- a/doc/ssl/SSL_set_connect_state.pod
+++ b/doc/ssl/SSL_set_connect_state.pod
@@ -25,7 +25,7 @@ it was either assigned a dedicated client method, a dedicated server
method, or a generic method, that can be used for both client and
server connections. (The method might have been changed with
L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)> or
-SSL_set_ssl_method().)
+SSL_set_ssl_method(3).)
When beginning a new handshake, the SSL engine must know whether it must
call the connect (client) or accept (server) routines. Even though it may
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index b80d1fd8ce6e..92f41dd549ad 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -735,7 +735,35 @@ static int ssl23_get_server_hello(SSL *s)
s->version = TLS1_2_VERSION;
s->method = TLSv1_2_client_method();
} else {
+ /*
+ * Unrecognised version, we'll send a protocol version alert using
+ * our preferred version.
+ */
+ switch(s->client_version) {
+ default:
+ /*
+ * Shouldn't happen
+ * Fall through
+ */
+ case TLS1_2_VERSION:
+ s->version = TLS1_2_VERSION;
+ s->method = TLSv1_2_client_method();
+ break;
+ case TLS1_1_VERSION:
+ s->version = TLS1_1_VERSION;
+ s->method = TLSv1_1_client_method();
+ break;
+ case TLS1_VERSION:
+ s->version = TLS1_VERSION;
+ s->method = TLSv1_client_method();
+ break;
+ case SSL3_VERSION:
+ s->version = SSL3_VERSION;
+ s->method = SSLv3_client_method();
+ break;
+ }
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
goto err;
}
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 0290c991d810..04212c51e726 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1427,7 +1427,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
(s->s3->handshake_fragment_len >= 4) &&
(s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
(s->session != NULL) && (s->session->cipher != NULL) &&
- !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
+ !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
/*
* s->s3->handshake_fragment_len = 0;
*/
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index ba17f1b56281..0fb4845d44fa 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2202,7 +2202,7 @@ int ssl3_get_client_key_exchange(SSL *s)
unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
int decrypt_len;
unsigned char decrypt_good, version_good;
- size_t j;
+ size_t j, padding_len;
/* FIX THIS UP EAY EAY EAY EAY */
if (s->s3->tmp.use_rsa_tmp) {
@@ -2270,16 +2270,38 @@ int ssl3_get_client_key_exchange(SSL *s)
if (RAND_bytes(rand_premaster_secret,
sizeof(rand_premaster_secret)) <= 0)
goto err;
+
+ /*
+ * Decrypt with no padding. PKCS#1 padding will be removed as part of
+ * the timing-sensitive code below.
+ */
decrypt_len =
- RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
- ERR_clear_error();
+ RSA_private_decrypt((int)n, p, p, rsa, RSA_NO_PADDING);
+ if (decrypt_len < 0)
+ goto err;
+
+ /* Check the padding. See RFC 3447, section 7.2.2. */
/*
- * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
- * be 0xff if so and zero otherwise.
+ * The smallest padded premaster is 11 bytes of overhead. Small keys
+ * are publicly invalid, so this may return immediately. This ensures
+ * PS is at least 8 bytes.
*/
- decrypt_good =
- constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);
+ if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
+ al = SSL_AD_DECRYPT_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DECRYPTION_FAILED);
+ goto f_err;
+ }
+
+ padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
+ decrypt_good = constant_time_eq_int_8(p[0], 0) &
+ constant_time_eq_int_8(p[1], 2);
+ for (j = 2; j < padding_len - 1; j++) {
+ decrypt_good &= ~constant_time_is_zero_8(p[j]);
+ }
+ decrypt_good &= constant_time_is_zero_8(p[padding_len - 1]);
+ p += padding_len;
/*
* If the version in the decrypted pre-master secret is correct then
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 40021329a936..ccdf00fa1b3f 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1205,7 +1205,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
((ch >= '0') && (ch <= '9')) ||
((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.'))
#else
- while (isalnum(ch) || (ch == '-') || (ch == '.'))
+ while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.'))
#endif
{
ch = *(++l);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 24be376c9fdf..3539f4b8d20a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1825,15 +1825,15 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
const char *label, size_t llen,
- const unsigned char *p, size_t plen,
+ const unsigned char *context, size_t contextlen,
int use_context)
{
if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
return -1;
return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
- llen, p, plen,
- use_context);
+ llen, context,
+ contextlen, use_context);
}
static unsigned long ssl_session_hash(const SSL_SESSION *a)
@@ -3180,6 +3180,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
#endif
ssl->cert = ssl_cert_dup(ctx->cert);
if (ocert) {
+ int i;
/* Preserve any already negotiated parameters */
if (ssl->server) {
ssl->cert->peer_sigalgs = ocert->peer_sigalgs;
@@ -3189,6 +3190,9 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
ssl->cert->ciphers_rawlen = ocert->ciphers_rawlen;
ocert->ciphers_raw = NULL;
}
+ for (i = 0; i < SSL_PKEY_NUM; i++) {
+ ssl->cert->pkeys[i].digest = ocert->pkeys[i].digest;
+ }
#ifndef OPENSSL_NO_TLSEXT
ssl->cert->alpn_proposed = ocert->alpn_proposed;
ssl->cert->alpn_proposed_len = ocert->alpn_proposed_len;
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index f50f5142126f..23dd3e7a01c3 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -261,7 +261,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
#ifndef OPENSSL_NO_SRP
dest->srp_username = NULL;
#endif
- memset(&dest->ex_data, 0, sizeof(dest->ex_data));
/* We deliberately don't copy the prev and next pointers */
dest->prev = NULL;
@@ -275,6 +274,9 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
if (src->peer != NULL)
CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data))
+ goto err;
+
#ifndef OPENSSL_NO_PSK
if (src->psk_identity_hint) {
dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint);
@@ -325,7 +327,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
}
# endif
- if (ticket != 0) {
+ if (ticket != 0 && src->tlsext_tick != NULL) {
dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen);
if(dest->tlsext_tick == NULL)
goto err;
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index b75cac61fbdc..2d6141cd954e 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -315,6 +315,9 @@ static int s_ticket1 = 0;
static int s_ticket2 = 0;
static int c_ticket = 0;
static int ticket_expect = -1;
+static int sni_in_cert_cb = 0;
+static const char *client_sigalgs = NULL;
+static const char *server_digest_expect = NULL;
static int servername_cb(SSL *s, int *ad, void *arg)
{
@@ -355,6 +358,11 @@ static int verify_servername(SSL *client, SSL *server)
BIO_printf(bio_stdout, "Servername: context is unknown\n");
return -1;
}
+static int cert_cb(SSL *ssl, void *arg)
+{
+ int unused;
+ return servername_cb(ssl, &unused, NULL) != SSL_TLSEXT_ERR_ALERT_FATAL;
+}
static int verify_ticket(SSL* ssl)
{
@@ -371,6 +379,20 @@ static int verify_ticket(SSL* ssl)
return -1;
}
+static int verify_server_digest(SSL* ssl)
+{
+ int nid = NID_undef;
+
+ if (server_digest_expect == NULL)
+ return 0;
+ SSL_get_peer_signature_nid(ssl, &nid);
+ if (strcmp(server_digest_expect, OBJ_nid2sn(nid)) == 0)
+ return 1;
+ BIO_printf(bio_stdout, "Expected server digest %s, got %s.\n",
+ server_digest_expect, OBJ_nid2sn(nid));
+ return -1;
+}
+
/*-
* next_protos_parse parses a comma separated list of strings into a string
* in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
@@ -831,6 +853,7 @@ static void sv_usage(void)
#endif
#ifndef OPENSSL_NO_TLS1
fprintf(stderr, " -tls1 - use TLSv1\n");
+ fprintf(stderr, " -tls12 - use TLSv1.2\n");
#endif
#ifndef OPENSSL_NO_DTLS
fprintf(stderr, " -dtls1 - use DTLSv1\n");
@@ -884,6 +907,9 @@ static void sv_usage(void)
fprintf(stderr, " -c_ticket <yes|no> - enable/disable session tickets on the client\n");
fprintf(stderr, " -ticket_expect <yes|no> - indicate that the client should (or should not) have a ticket\n");
#endif
+ fprintf(stderr, " -sni_in_cert_cb - have the server handle SNI in the certificate callback\n");
+ fprintf(stderr, " -client_sigalgs arg - the signature algorithms to configure on the client\n");
+ fprintf(stderr, " -server_digest_expect arg - the expected server signing digest\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
@@ -1010,7 +1036,7 @@ int main(int argc, char *argv[])
int badop = 0;
int bio_pair = 0;
int force = 0;
- int dtls1 = 0, dtls12 = 0, tls1 = 0, ssl2 = 0, ssl3 = 0, ret = 1;
+ int dtls1 = 0, dtls12 = 0, tls1 = 0, tls12 = 0, ssl2 = 0, ssl3 = 0, ret = 1;
int client_auth = 0;
int server_auth = 0, i;
struct app_verify_arg app_verify_arg =
@@ -1164,6 +1190,11 @@ int main(int argc, char *argv[])
no_protocol = 1;
#endif
tls1 = 1;
+ } else if (strcmp(*argv, "-tls12") == 0) {
+#ifdef OPENSSL_NO_TLS1
+ no_protocol = 1;
+#endif
+ tls12 = 1;
} else if (strcmp(*argv, "-ssl3") == 0) {
#ifdef OPENSSL_NO_SSL3_METHOD
no_protocol = 1;
@@ -1343,6 +1374,16 @@ int main(int argc, char *argv[])
else if (strcmp(*argv, "no") == 0)
ticket_expect = 0;
#endif
+ } else if (strcmp(*argv, "-sni_in_cert_cb") == 0) {
+ sni_in_cert_cb = 1;
+ } else if (strcmp(*argv, "-client_sigalgs") == 0) {
+ if (--argc < 1)
+ goto bad;
+ client_sigalgs = *(++argv);
+ } else if (strcmp(*argv, "-server_digest_expect") == 0) {
+ if (--argc < 1)
+ goto bad;
+ server_digest_expect = *(++argv);
} else {
fprintf(stderr, "unknown option %s\n", *argv);
badop = 1;
@@ -1373,9 +1414,9 @@ int main(int argc, char *argv[])
goto end;
}
- if (ssl2 + ssl3 + tls1 + dtls1 + dtls12 > 1) {
- fprintf(stderr, "At most one of -ssl2, -ssl3, -tls1, -dtls1 or -dtls12 should "
- "be requested.\n");
+ if (ssl2 + ssl3 + tls1 + tls12 + dtls1 + dtls12 > 1) {
+ fprintf(stderr, "At most one of -ssl2, -ssl3, -tls1, -tls12, -dtls1 or "
+ "-dtls12 should be requested.\n");
EXIT(1);
}
@@ -1391,10 +1432,11 @@ int main(int argc, char *argv[])
goto end;
}
- if (!ssl2 && !ssl3 && !tls1 && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
+ if (!ssl2 && !ssl3 && !tls1 && !tls12 && !dtls1 && !dtls12 && number > 1
+ && !reuse && !force) {
fprintf(stderr, "This case cannot work. Use -f to perform "
"the test anyway (and\n-d to see what happens), "
- "or add one of ssl2, -ssl3, -tls1, -dtls1, -dtls12, -reuse\n"
+ "or add one of ssl2, -ssl3, -tls1, -tls12, -dtls1, -dtls12, -reuse\n"
"to avoid protocol mismatch.\n");
EXIT(1);
}
@@ -1458,7 +1500,7 @@ int main(int argc, char *argv[])
#endif
/*
- * At this point, ssl2/ssl3/tls1 is only set if the protocol is
+ * At this point, ssl2/ssl3/tls1/tls12 is only set if the protocol is
* available. (Otherwise we exit early.) However the compiler doesn't
* know this, so we ifdef.
*/
@@ -1482,6 +1524,8 @@ int main(int argc, char *argv[])
#ifndef OPENSSL_NO_TLS1
if (tls1)
meth = TLSv1_method();
+ else if (tls12)
+ meth = TLSv1_2_method();
else
#endif
meth = SSLv23_method();
@@ -1778,8 +1822,12 @@ int main(int argc, char *argv[])
OPENSSL_free(alpn);
}
- if (sn_server1 || sn_server2)
- SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
+ if (sn_server1 || sn_server2) {
+ if (sni_in_cert_cb)
+ SSL_CTX_set_cert_cb(s_ctx, cert_cb, NULL);
+ else
+ SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
+ }
#ifndef OPENSSL_NO_TLSEXT
if (s_ticket1 == 0)
@@ -1799,6 +1847,9 @@ int main(int argc, char *argv[])
SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET);
#endif
+ if (client_sigalgs != NULL)
+ SSL_CTX_set1_sigalgs_list(c_ctx, client_sigalgs);
+
c_ssl = SSL_new(c_ctx);
s_ssl = SSL_new(s_ctx);
@@ -1864,6 +1915,8 @@ int main(int argc, char *argv[])
ret = 1;
if (verify_ticket(c_ssl) < 0)
ret = 1;
+ if (verify_server_digest(c_ssl) < 0)
+ ret = 1;
SSL_free(s_ssl);
SSL_free(c_ssl);
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 7e237d0631a3..dd1d8c109ee5 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -317,7 +317,7 @@ int SSL_get_servername_type(const SSL *s);
*/
int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
const char *label, size_t llen,
- const unsigned char *p, size_t plen,
+ const unsigned char *context, size_t contextlen,
int use_context);
int SSL_get_sigalgs(SSL *s, int idx,
diff --git a/util/copy-if-different.pl b/util/copy-if-different.pl
index ec99e084b56a..e1245f54aff1 100755
--- a/util/copy-if-different.pl
+++ b/util/copy-if-different.pl
@@ -12,7 +12,7 @@ my @filelist;
foreach my $arg (@ARGV) {
$arg =~ s|\\|/|g; # compensate for bug/feature in cygwin glob...
- foreach (glob $arg)
+ foreach (glob qq("$arg"))
{
push @filelist, $_;
}
diff --git a/util/copy.pl b/util/copy.pl
index eba6d5815e9c..a6b2a54ec6f0 100644
--- a/util/copy.pl
+++ b/util/copy.pl
@@ -19,7 +19,7 @@ foreach $arg (@ARGV) {
next;
}
$arg =~ s|\\|/|g; # compensate for bug/feature in cygwin glob...
- foreach (glob $arg)
+ foreach (glob qq("$arg"))
{
push @filelist, $_;
}
diff --git a/util/libeay.num b/util/libeay.num
index 2094ab364c8e..fddfe1cbb202 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4370,7 +4370,7 @@ DH_compute_key_padded 4732 EXIST::FUNCTION:DH
ECDSA_METHOD_set_sign 4733 EXIST::FUNCTION:ECDSA
CMS_RecipientEncryptedKey_cert_cmp 4734 EXIST:!VMS:FUNCTION:CMS
CMS_RecipEncryptedKey_cert_cmp 4734 EXIST:VMS:FUNCTION:CMS
-DH_KDF_X9_42 4735 EXIST::FUNCTION:DH
+DH_KDF_X9_42 4735 EXIST::FUNCTION:CMS,DH
RSA_OAEP_PARAMS_free 4736 EXIST::FUNCTION:RSA
EVP_des_ede3_wrap 4737 EXIST::FUNCTION:DES
RSA_OAEP_PARAMS_it 4738 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
@@ -4416,3 +4416,17 @@ X509_VERIFY_PARAM_add1_host 4771 EXIST::FUNCTION:
EC_GROUP_get_mont_data 4772 EXIST::FUNCTION:EC
i2d_re_X509_tbs 4773 EXIST::FUNCTION:
EVP_PKEY_asn1_set_item 4774 EXIST::FUNCTION:
+EVP_PKEY_meth_get_init 4775 EXIST::FUNCTION:
+EVP_PKEY_meth_get_verify_recover 4776 EXIST::FUNCTION:
+EVP_PKEY_meth_get_keygen 4777 EXIST::FUNCTION:
+EVP_PKEY_meth_get_derive 4778 EXIST::FUNCTION:
+EVP_PKEY_meth_get_verifyctx 4779 EXIST::FUNCTION:
+EVP_PKEY_meth_get_paramgen 4780 EXIST::FUNCTION:
+EVP_PKEY_meth_get_verify 4781 EXIST::FUNCTION:
+EVP_PKEY_meth_get_sign 4782 EXIST::FUNCTION:
+EVP_PKEY_meth_get_signctx 4783 EXIST::FUNCTION:
+EVP_PKEY_meth_get_ctrl 4784 EXIST::FUNCTION:
+EVP_PKEY_meth_get_decrypt 4785 EXIST::FUNCTION:
+EVP_PKEY_meth_get_cleanup 4786 EXIST::FUNCTION:
+EVP_PKEY_meth_get_encrypt 4787 EXIST::FUNCTION:
+EVP_PKEY_meth_get_copy 4788 EXIST::FUNCTION:
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 490a034e4037..6b31496ed1e6 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -428,7 +428,7 @@ EOF
{
$extra_install .= <<"EOF"
\$(MKDIR) \"\$(INSTALLTOP)${o}lib${o}engines\"
- \$(CP) \"\$(E_SHLIB)\" \"\$(INSTALLTOP)${o}lib${o}engines\"
+ \$(CP) \$(E_SHLIB) \"\$(INSTALLTOP)${o}lib${o}engines\"
EOF
}
}
@@ -608,7 +608,7 @@ install: all
\$(MKDIR) \"\$(INSTALLTOP)${o}include${o}openssl\"
\$(MKDIR) \"\$(INSTALLTOP)${o}lib\"
\$(CP) \"\$(INCO_D)${o}*.\[ch\]\" \"\$(INSTALLTOP)${o}include${o}openssl\"
- \$(CP) \"\$(BIN_D)$o\$(E_EXE)$exep \$(INSTALLTOP)${o}bin\"
+ \$(CP) \"\$(BIN_D)$o\$(E_EXE)$exep\" \"\$(INSTALLTOP)${o}bin\"
\$(MKDIR) \"\$(OPENSSLDIR)\"
\$(CP) apps${o}openssl.cnf \"\$(OPENSSLDIR)\"
$extra_install