oweals/openssl.git
4 years agoRemove CRYPTO_secure_allocated from util/missingcrypto111.txt
Richard Levitte [Wed, 11 Dec 2019 18:21:49 +0000 (19:21 +0100)]
Remove CRYPTO_secure_allocated from util/missingcrypto111.txt

Followup on #10523

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10611)

4 years agoAdd better support for using deprecated symbols internally
Richard Levitte [Wed, 11 Dec 2019 13:36:36 +0000 (14:36 +0100)]
Add better support for using deprecated symbols internally

OPENSSL_SUPPRESS_DEPRECATED only does half the job, in telling the
deprecation macros not to add the warning attribute.  However, with
'no-deprecated', the symbols are still removed entirely, while we
might still want to use them internally.

The solution is to permit <openssl/opensslconf.h> macros to be
modified internally, such as undefining OPENSSL_NO_DEPRECATED in this
case.

However, with the way <openssl/opensslconf.h> includes
<openssl/macros.h>, that's easier said than done.  That's solved by
generating <openssl/configuration.h> instead, and add a new
<openssl/opensslconf.h> that includes <openssl/configuration.h> as
well as <openssl/macros.h>, thus allowing to replace an inclusion of
<openssl/opensslconf.h> with this:

    #include <openssl/configuration.h>

    #undef OPENSSL_NO_DEPRECATED
    #define OPENSSL_SUPPRESS_DEPRECATED

    #include <openssl/macros.h>

Or simply add the following prior to any other openssl inclusion:

    #include <openssl/configuration.h>

    #undef OPENSSL_NO_DEPRECATED
    #define OPENSSL_SUPPRESS_DEPRECATED

Note that undefining OPENSSL_NO_DEPRECATED must never be done by
applications, since the symbols must still be exported by the
library.  Internal test programs are excempt of this rule, though.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10608)

4 years agotest/namemap_internal_test.c: use "cookie" instead of "foo"...
Richard Levitte [Tue, 10 Dec 2019 19:38:09 +0000 (20:38 +0100)]
test/namemap_internal_test.c: use "cookie" instead of "foo"...

... in test_namemap()

Because tests may sometimes run in random order (subject of the
environment variable OPENSSL_TEST_RAND_ORDER being defined), and we're
dealing with the global namemap, each test must use names that are
globally unique for that test.  Unfortunately, we used "foo" in two of
them, which might lead to surprising results.

Fixes #10401

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10601)

4 years agoCheck return value after loading config file
kinichiro [Wed, 11 Dec 2019 12:12:53 +0000 (21:12 +0900)]
Check return value after loading config file

CLA: trivial

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10607)

4 years agomac poly1305: add missing NULL check in new function.
Pauli [Wed, 11 Dec 2019 21:34:46 +0000 (07:34 +1000)]
mac poly1305: add missing NULL check in new function.

Bug reported by Kihong Heo.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10613)

4 years agomac siphash: add missing NULL check on context creation
Pauli [Wed, 11 Dec 2019 21:34:22 +0000 (07:34 +1000)]
mac siphash: add missing NULL check on context creation

Bug reported by Kihong Heo.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10613)

4 years agoVarious missing-link fixes
Rich Salz [Sat, 5 Oct 2019 22:14:30 +0000 (18:14 -0400)]
Various missing-link fixes

Also, turn missing L<foo(3)> into foo(3)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10104)

4 years agoPROV: Move AES_GCM specialisation away from common cipher header
Richard Levitte [Wed, 11 Dec 2019 12:43:24 +0000 (13:43 +0100)]
PROV: Move AES_GCM specialisation away from common cipher header

The AES_GCM specialisation was defined in the common cipher header
providers/implementations/include/prov/ciphercommon_gcm.h, when it
should in fact be in a local providers/implementations/ciphers/
header.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10606)

4 years agoPROV: Move AES_CCM specialisation away from common cipher header
Richard Levitte [Wed, 11 Dec 2019 12:11:34 +0000 (13:11 +0100)]
PROV: Move AES_CCM specialisation away from common cipher header

The AES_CCM specialisation was defined in the common cipher header
providers/implementations/include/prov/ciphercommon_ccm.h, when it
should in fact be in a local providers/implementations/ciphers/
header.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10606)

4 years agochunk 6 of CMP contribution to OpenSSL
Dr. David von Oheimb [Tue, 5 Nov 2019 08:56:59 +0000 (09:56 +0100)]
chunk 6 of CMP contribution to OpenSSL

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10297)

4 years agorand_lib.c: fix null pointer dereferences after RAND_get_rand_method() failure
Dr. Matthias St. Pierre [Wed, 11 Dec 2019 21:41:00 +0000 (07:41 +1000)]
rand_lib.c: fix null pointer dereferences after RAND_get_rand_method() failure

RAND_get_rand_method() can return a NULL method pointer in the case of a
malloc failure, so don't dereference it without a check.

Reported-by: Zu-Ming Jiang (detected by FIFUZZ)
Fixes #10480

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10483)

4 years agoAdd support for otherName:NAIRealm in output
Jan-Frederik Rieckers [Mon, 9 Dec 2019 14:33:32 +0000 (15:33 +0100)]
Add support for otherName:NAIRealm in output

This commit adds support for displaying RFC 7585 otherName:NAIRealm in
the text output of openssl

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10594)

4 years agoEnrich arm64 tests in Travis matrix
Fangming.Fang [Fri, 15 Nov 2019 07:47:22 +0000 (07:47 +0000)]
Enrich arm64 tests in Travis matrix

1, Remove simple test just with --strict-warnings enabled.
2, Share the three common envs with amd64.
3, Add matrix item running test in bionic(default xenial) for arm64.
4, Enable MSan test on arm64 for extended test.
5, Enable UBSan test on arm64 for extended test.

Change-Id: Ic1f2c5e39ee6fbafed6ede74a925301121463520

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10519)

4 years agoFix docs for CRYPTO_secure_allocated
Rich Salz [Tue, 26 Nov 2019 14:16:41 +0000 (09:16 -0500)]
Fix docs for CRYPTO_secure_allocated

Fixes #9300

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10523)

4 years agoFix some typos
Veres Lajos [Sat, 30 Nov 2019 23:18:47 +0000 (23:18 +0000)]
Fix some typos

Reported-by: misspell-fixer <https://github.com/vlajos/misspell-fixer>
CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10544)

4 years agoOptimize AES-ECB mode in OpenSSL for both aarch64 and aarch32
XiaokangQian [Thu, 7 Nov 2019 02:36:45 +0000 (02:36 +0000)]
Optimize AES-ECB mode in OpenSSL for both aarch64 and aarch32

Aes-ecb mode can be optimized by inverleaving cipher operation on
several blocks and loop unrolling. Interleaving needs one ideal
unrolling factor, here we adopt the same factor with aes-cbc,
which is described as below:
    If blocks number > 5, select 5 blocks as one iteration,every
    loop, decrease the blocks number by 5.
    If 3 < left blocks < 5 select 3 blocks as one iteration, every
    loop, decrease the block number by 3.
    If left blocks < 3, treat them as tail blocks.
Detailed implementation will have a little adjustment for squeezing
code space.
With this way, for small size such as 16 bytes, the performance is
similar as before, but for big size such as 16k bytes, the performance
improves a lot, even reaches to 100%, for some arches such as A57,
the improvement  even exceeds 100%. The following table will list the
encryption performance data on aarch64, take a72 and a57 as examples.
Performance value takes the unit of cycles per byte, takes the format
as comparision of values. List them as below:

A72:
                            Before optimization     After optimization  Improve
evp-aes-128-ecb@16          17.26538237             16.82663866         2.61%
evp-aes-128-ecb@64          5.50528499              5.222637557         5.41%
evp-aes-128-ecb@256         2.632700213             1.908442892         37.95%
evp-aes-128-ecb@1024        1.876102047             1.078018868         74.03%
evp-aes-128-ecb@8192        1.6550392               0.853982929         93.80%
evp-aes-128-ecb@16384       1.636871283             0.847623957         93.11%
evp-aes-192-ecb@16          17.73104961             17.09692468         3.71%
evp-aes-192-ecb@64          5.78984398              5.418545192         6.85%
evp-aes-192-ecb@256         2.872005308             2.081815274         37.96%
evp-aes-192-ecb@1024        2.083226672             1.25095642          66.53%
evp-aes-192-ecb@8192        1.831992057             0.995916251         83.95%
evp-aes-192-ecb@16384       1.821590009             0.993820525         83.29%
evp-aes-256-ecb@16          18.0606306              17.96963317         0.51%
evp-aes-256-ecb@64          6.19651997              5.762465812         7.53%
evp-aes-256-ecb@256         3.176991394             2.24642538          41.42%
evp-aes-256-ecb@1024        2.385991919             1.396018192         70.91%
evp-aes-256-ecb@8192        2.147862636             1.142222597         88.04%
evp-aes-256-ecb@16384       2.131361787             1.135944617         87.63%

A57:
                            Before optimization     After optimization  Improve
evp-aes-128-ecb@16          18.61045121             18.36456218         1.34%
evp-aes-128-ecb@64          6.438628994             5.467959461         17.75%
evp-aes-128-ecb@256         2.957452881             1.97238604          49.94%
evp-aes-128-ecb@1024        2.117096219             1.099665054         92.52%
evp-aes-128-ecb@8192        1.868385973             0.837440804         123.11%
evp-aes-128-ecb@16384       1.853078526             0.822420027         125.32%
evp-aes-192-ecb@16          19.07021756             18.50018552         3.08%
evp-aes-192-ecb@64          6.672351486             5.696088921         17.14%
evp-aes-192-ecb@256         3.260427769             2.131449916         52.97%
evp-aes-192-ecb@1024        2.410522832             1.250529718         92.76%
evp-aes-192-ecb@8192        2.17921605              0.973225504         123.92%
evp-aes-192-ecb@16384       2.162250997             0.95919871          125.42%
evp-aes-256-ecb@16          19.3008384              19.12743654         0.91%
evp-aes-256-ecb@64          6.992950658             5.92149541          18.09%
evp-aes-256-ecb@256         3.576361743             2.287619504         56.34%
evp-aes-256-ecb@1024        2.726671027             1.381267599         97.40%
evp-aes-256-ecb@8192        2.493583657             1.110959913         124.45%
evp-aes-256-ecb@16384       2.473916816             1.099967073         124.91%

Change-Id: Iccd23d972e0d52d22dc093f4c208f69c9d5a0ca7

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10518)

4 years agoMore testing for sign/verify through `dgst` and `pkeyutl`
Nicola Tuveri [Mon, 11 Nov 2019 13:52:52 +0000 (15:52 +0200)]
More testing for sign/verify through `dgst` and `pkeyutl`

Add tests for signature generation and verification with `dgst` and
`pkeyutl` CLI for common key types:
- RSA
- DSA
- ECDSA
- EdDSA

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10410)

4 years agoMore testing for CLI usage of Ed25519 and Ed448 keys
Nicola Tuveri [Mon, 11 Nov 2019 10:13:10 +0000 (12:13 +0200)]
More testing for CLI usage of Ed25519 and Ed448 keys

Add testing for the `req` app and explicit conversion tests similar to
what is done for ECDSA keys.

The included test keys for Ed25519 are from the examples in RFC 8410
(Sec. 10)

The key for Ed448 is derived from the first of the test vectors in
RFC 8032 (Sec. 7.4) using OpenSSL to encode it into PEM format.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10410)

4 years agoConfigure: use ELFv2 ABI on some ppc64 big endian systems
Andy Polyakov [Sun, 5 May 2019 16:30:55 +0000 (18:30 +0200)]
Configure: use ELFv2 ABI on some ppc64 big endian systems

If _CALL_ELF is defined to be 2, it's an ELFv2 system.
Conditionally switch to the v2 perlasm scheme.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8883)

4 years agocrypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
Andy Polyakov [Sun, 5 May 2019 16:25:50 +0000 (18:25 +0200)]
crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour

This is a big endian ELFv2 configuration. ELFv2 was already being
used for little endian, and big endian was traditionally ELFv1
but there are practical configurations that use ELFv2 with big
endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8883)

4 years agoMove providers/common/{ciphers,digests}/* to providers/implementations
Richard Levitte [Tue, 3 Dec 2019 18:41:05 +0000 (19:41 +0100)]
Move providers/common/{ciphers,digests}/* to providers/implementations

The idea to have all these things in providers/common was viable as
long as the implementations was spread around their main providers.
This is, however, no longer the case, so we move the common blocks
closer to the source that use them.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10564)

4 years agoRemove handling of outdated macro's
Rich Salz [Mon, 18 Nov 2019 10:29:21 +0000 (05:29 -0500)]
Remove handling of outdated macro's

DECLARE_STACK_OF was renamed to DEFINE_STACK_OF in commit 8588571.
Expanded the only use of TYPEDEF_{D2I,I2D,D2I2D}_OF, so that they can
easily be removed in a future release

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10464)

4 years agoConfiguration: compute openssl_other_defines and related info later
Richard Levitte [Wed, 4 Dec 2019 09:55:05 +0000 (10:55 +0100)]
Configuration: compute openssl_other_defines and related info later

The computation of macros and configdata.pm related data from %disabled
was done much too early, leaving later disablings without real support.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10566)

4 years agoDisable devcryptoeng on newer OpenBSD versions
Richard Levitte [Tue, 3 Dec 2019 23:14:02 +0000 (00:14 +0100)]
Disable devcryptoeng on newer OpenBSD versions

It's reported that /dev/crypto support has been dropped in OpenBSD 5.7.

Fixes #10552

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10566)

4 years agotest/memleaktest.c: Modify for use with address/leak sanitizer
Richard Levitte [Mon, 25 Nov 2019 16:13:10 +0000 (17:13 +0100)]
test/memleaktest.c: Modify for use with address/leak sanitizer

Detects if leak sanitizing is on, and directs the exit code accordingly.

Note that this program is designed to fail when leaking, as that's
expected, so to make it easy for wrapper scripts, we also make it look
like it fails when sanitizing isn't on.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9294)

4 years agoUse leak sanitizer instead of internal mdebug to check for memory leaks
Richard Levitte [Tue, 2 Jul 2019 14:23:27 +0000 (16:23 +0200)]
Use leak sanitizer instead of internal mdebug to check for memory leaks

The leak sanitizer gives better reports (complete stack traces) and
works as a wrapper around the application instead of relying on
cooperative enabling and disabling calls (which are too easy to get
unbalanced).

Related to #8322

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9294)

4 years agoMove U64 macro from sha.h to sha512.c
avas [Thu, 5 Dec 2019 14:14:44 +0000 (06:14 -0800)]
Move U64 macro from sha.h to sha512.c

Summary:
U64 is too common name for macro, being in public header sha.h it
conflicts with other projects (WAVM in my case). Moving macro from
public header to the only .c file using it.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10579)

4 years agoapps/speed: replace list of #define by enums declarations.
FdaSilvaYY [Wed, 9 May 2018 20:27:27 +0000 (22:27 +0200)]
apps/speed: replace list of #define by enums declarations.
it simplifies some pieces of code.
Improve internal assertions
Tag a few #endif with OPENSSL_NO_EC to mark its ending.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)

4 years agoapps/speed: factorize ec test curves declarations
FdaSilvaYY [Tue, 15 Oct 2019 21:33:02 +0000 (23:33 +0200)]
apps/speed: factorize ec test curves declarations
remove 'test' prefix from variable names.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)

4 years agoapps/speed: improve sm2 failure code.
FdaSilvaYY [Sat, 19 Oct 2019 15:55:36 +0000 (17:55 +0200)]
apps/speed: improve sm2 failure code.
attach the new objects sooner, so error handling is simplified.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)

4 years agoapps/speed: simplify 'doit' action flag management code.
FdaSilvaYY [Tue, 5 Jun 2018 17:56:06 +0000 (19:56 +0200)]
apps/speed: simplify 'doit' action flag management code.
Optimize algorithm selection code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)

4 years agoapps/speed: initialize key material only when its algo is selected.
FdaSilvaYY [Tue, 5 Jun 2018 17:44:42 +0000 (19:44 +0200)]
apps/speed: initialize key material only when its algo is selected.
Remove some duplicate key data declarations.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)

4 years agoapps/speed: remove a shared global variable
FdaSilvaYY [Sat, 19 Oct 2019 17:37:01 +0000 (19:37 +0200)]
apps/speed: remove a shared global variable
replace |save_count| by the right c[D_EVP(_xxx)] variable.
this may shared a value between various algorithm.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)

4 years agoapps/speed: discard useless protoypes as these methods are defines before being used.
FdaSilvaYY [Sat, 19 Oct 2019 15:58:07 +0000 (17:58 +0200)]
apps/speed: discard useless protoypes as these methods are defines before being used.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)

4 years agoapps/speed: allow to continue tests after any init failure handling.
FdaSilvaYY [Sat, 19 Oct 2019 14:38:21 +0000 (16:38 +0200)]
apps/speed: allow to continue tests after any init failure handling.
previouly the exit(1) call was aborting the whole execution.
Improve error message.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)

4 years agoDifference between EVP_CipherInit and EVP_CipherInit_ex
Dmitry Belyavskiy [Sun, 1 Dec 2019 08:53:14 +0000 (11:53 +0300)]
Difference between EVP_CipherInit and EVP_CipherInit_ex

Fixes #10455

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10550)

4 years agoAdd a CHANGES entry for CVE-2019-1551
Bernd Edlinger [Thu, 5 Dec 2019 00:20:14 +0000 (01:20 +0100)]
Add a CHANGES entry for CVE-2019-1551

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10574)

4 years agoAdd a test case for rsaz_512_sqr overflow handling
Bernd Edlinger [Wed, 4 Dec 2019 21:38:19 +0000 (22:38 +0100)]
Add a test case for rsaz_512_sqr overflow handling

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10574)

4 years agoImprove the overflow handling in rsaz_512_sqr
Bernd Edlinger [Wed, 4 Dec 2019 11:57:41 +0000 (12:57 +0100)]
Improve the overflow handling in rsaz_512_sqr

We have always a carry in %rcx or %rbx in range 0..2
from the previous stage, that is added to the result
of the 64-bit square, but the low nibble of any square
can only be 0, 1, 4, 9.

Therefore one "adcq $0, %rdx" can be removed.
Likewise in the ADX code we can remove one
"adcx %rbp, $out" since %rbp is always 0, and carry is
also zero, therefore that is a no-op.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10574)

4 years agoFix an overflow bug in rsaz_512_sqr
Andy Polyakov [Wed, 4 Dec 2019 11:48:21 +0000 (12:48 +0100)]
Fix an overflow bug in rsaz_512_sqr

There is an overflow bug in the x64_64 Montgomery squaring procedure used in
exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis
suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a
result of this defect would be very difficult to perform and are not believed
likely. Attacks against DH512 are considered just feasible. However, for an
attack the target would have to re-use the DH512 private key, which is not
recommended anyway. Also applications directly using the low level API
BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.

CVE-2019-1551

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10574)

4 years agoAdd documentation for the newly added RSA_PKCS1_WITH_TLS_PADDING
Matt Caswell [Mon, 11 Nov 2019 16:33:24 +0000 (16:33 +0000)]
Add documentation for the newly added RSA_PKCS1_WITH_TLS_PADDING

Documentation for RSA_PKCS1_WITH_TLS_PADDING padding mode as per the
previous commits, as well as the associated parameters for this mode.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10411)

4 years agoMove constant time RSA code out of libssl
Matt Caswell [Mon, 11 Nov 2019 15:54:33 +0000 (15:54 +0000)]
Move constant time RSA code out of libssl

Server side RSA key transport code in a Client Key Exchange message
currently uses constant time code to check that the RSA decrypt is
correctly formatted. The previous commit taught the underlying RSA
implementation how to do this instead, so we use that implementation and
remove this code from libssl.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10411)

4 years agoTeach the RSA implementation about TLS RSA Key Transport
Matt Caswell [Mon, 11 Nov 2019 14:37:02 +0000 (14:37 +0000)]
Teach the RSA implementation about TLS RSA Key Transport

In TLSv1.2 a pre-master secret value is passed from the client to the
server encrypted using RSA PKCS1 type 2 padding in a ClientKeyExchange
message. As well as the normal formatting rules for RSA PKCA1 type 2
padding TLS imposes some additional rules about what constitutes a well
formed key. Specifically it must be exactly the right length and
encode the TLS version originally requested by the client (as opposed to
the actual negotiated version) in its first two bytes.

All of these checks need to be done in constant time and, if they fail,
then the TLS implementation is supposed to continue anyway with a random
key (and therefore the connection will fail later on). This avoids
padding oracle type attacks.

This commit implements this within the RSA padding code so that we keep
all the constant time padding logic in one place. A later commit will
remove it from libssl.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10411)

4 years agoFix exit issue in travisci
Fangming.Fang [Mon, 2 Dec 2019 02:44:21 +0000 (02:44 +0000)]
Fix exit issue in travisci

Ungraceful 'exit' probably causes unexpeced error on background activity.
So replace 'exit' with recommended 'travis_terminate'. Also see
https://travis-ci.community/t/exit-0-cannot-exit-successfully-on-arm/5731/4

Change-Id: I382bd93a3e15ecdf305bab23fc4adefbf0348ffb

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10561)

4 years agoRemove spurious space from file.
Pauli [Tue, 3 Dec 2019 09:56:41 +0000 (19:56 +1000)]
Remove spurious space from file.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10562)

4 years agoDeprecate the AES_ige_*() functions
Matt Caswell [Fri, 29 Nov 2019 12:02:54 +0000 (12:02 +0000)]
Deprecate the AES_ige_*() functions

These functions were already partially deprecated. Now we do it fully.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10558)

4 years agoAdd the ability to supress deprecation warnings
Matt Caswell [Fri, 29 Nov 2019 12:01:18 +0000 (12:01 +0000)]
Add the ability to supress deprecation warnings

We add a new macro OPENSSL_SUPRESS_DEPRECATED which enables applications
to supress deprecation warnings where necessary.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10558)

4 years agoadd X509_cmp_timeframe() including its documentation
Dr. David von Oheimb [Fri, 22 Nov 2019 12:02:52 +0000 (13:02 +0100)]
add X509_cmp_timeframe() including its documentation

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10502)

4 years agoutil/mkerr.pl: don't stop reading conserved symbols from the state file
Richard Levitte [Sun, 1 Dec 2019 08:14:48 +0000 (09:14 +0100)]
util/mkerr.pl: don't stop reading conserved symbols from the state file

If we don't read them, they will not be conserved.

Fixes #10522

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10549)

4 years agoconfigdata.pm.in: Don't try to quotify undefined values
Richard Levitte [Sun, 1 Dec 2019 07:20:09 +0000 (08:20 +0100)]
configdata.pm.in: Don't try to quotify undefined values

Fixes #10503

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10548)

4 years agoUpdate NOTES.ANDROID for newer NDK versions + small fixes.
zero [Tue, 3 Dec 2019 09:50:52 +0000 (19:50 +1000)]
Update NOTES.ANDROID for newer NDK versions + small fixes.

Fixes #8941

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10478)

4 years agoSet argument only after successful dup on CMP APIs
raja-ashok [Tue, 3 Dec 2019 09:31:49 +0000 (19:31 +1000)]
Set argument only after successful dup on CMP APIs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10511)

4 years agoFix typos in fipsinstall test
Dr. Matthias St. Pierre [Sat, 23 Nov 2019 07:54:29 +0000 (08:54 +0100)]
Fix typos in fipsinstall test

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10506)

4 years agoutil/find-doc-nits: ignore macros ending in _fnsig
Richard Levitte [Wed, 27 Nov 2019 07:59:09 +0000 (08:59 +0100)]
util/find-doc-nits: ignore macros ending in _fnsig

These are helper macros alongside the IMPLEMENT_ and DECLARE_ macros.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoutil/find-doc-nits: limit the prototype check
Richard Levitte [Tue, 19 Nov 2019 09:50:14 +0000 (10:50 +0100)]
util/find-doc-nits: limit the prototype check

The prototype checks shouldn't be performed on SYNOPSIS lines that
aren't function prototypes.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoAdd NEWS and CHANGES entries about OSSL_SERIALIZER
Richard Levitte [Mon, 18 Nov 2019 01:31:33 +0000 (02:31 +0100)]
Add NEWS and CHANGES entries about OSSL_SERIALIZER

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoTEST: add tests of text and PEM printout of a provider made key
Richard Levitte [Mon, 18 Nov 2019 01:30:50 +0000 (02:30 +0100)]
TEST: add tests of text and PEM printout of a provider made key

This renames test/evp_fromdata_test.c to test/evp_pkey_provided_test.c,
to encourage additional testing of provider made keys.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoPROV SERIALIZER: add support for writing DSA keys and parameters
Richard Levitte [Mon, 18 Nov 2019 01:01:13 +0000 (02:01 +0100)]
PROV SERIALIZER: add support for writing DSA keys and parameters

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoPROV SERIALIZER: add support for writing DH keys and parameters
Richard Levitte [Mon, 18 Nov 2019 00:57:56 +0000 (01:57 +0100)]
PROV SERIALIZER: add support for writing DH keys and parameters

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoPROV SERIALIZER: add support for writing RSA keys
Richard Levitte [Mon, 18 Nov 2019 00:56:22 +0000 (01:56 +0100)]
PROV SERIALIZER: add support for writing RSA keys

This also adds the missing accessor RSA_get0_pss_params(), so those
parameters can be included in the PKCS#8 data structure without
needing to know the inside of the RSA structure.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoPROV SERIALIZER: add common functionality to serialize keys
Richard Levitte [Mon, 18 Nov 2019 00:54:11 +0000 (01:54 +0100)]
PROV SERIALIZER: add common functionality to serialize keys

To support generic output of public keys wrapped in a X509_PUBKEY,
additional PEM and i2d/d2i routines are added for that type.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoPROV BIO: add a BIO_vprintf() upcall, and a provider BIO library
Richard Levitte [Mon, 18 Nov 2019 00:50:18 +0000 (01:50 +0100)]
PROV BIO: add a BIO_vprintf() upcall, and a provider BIO library

The BIO_vprintf() will allow the provider to print any text, given a
BIO supplied by libcrypto.

Additionally, we add a provider library with functions to collect all
the currently supplied BIO upcalls, as well as wrappers around those
upcalls.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoSERIALIZER: add hooks in EVP_PKEY_print_ routines
Richard Levitte [Mon, 18 Nov 2019 00:47:32 +0000 (01:47 +0100)]
SERIALIZER: add hooks in EVP_PKEY_print_ routines

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoSERIALIZER: add hooks in PEM_write_bio_ and PEM_write_fp_ routines
Richard Levitte [Mon, 18 Nov 2019 00:44:23 +0000 (01:44 +0100)]
SERIALIZER: add hooks in PEM_write_bio_ and PEM_write_fp_ routines

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoSERIALIZER: add support for serializing EVP_PKEYs
Richard Levitte [Mon, 18 Nov 2019 00:34:26 +0000 (01:34 +0100)]
SERIALIZER: add support for serializing EVP_PKEYs

The following public functions is added:

- OSSL_SERIALIZER_CTX_new_by_EVP_PKEY()
- OSSL_SERIALIZER_CTX_set_cipher()
- OSSL_SERIALIZER_CTX_set_passphrase()
- OSSL_SERIALIZER_CTX_set_passphrase_cb()
- OSSL_SERIALIZER_CTX_set_passphrase_ui()

OSSL_SERIALIZER_CTX_new_by_EVP_PKEY() selects a suitable serializer
for the given EVP_PKEY, and sets up the OSSL_SERIALIZER_CTX to
function together with OSSL_SERIALIZER_to_bio() and
OSSL_SERIALIZER_to_fp().

OSSL_SERIALIZER_CTX_set_cipher() indicates what cipher should be used
to produce an encrypted serialization of the EVP_PKEY.  This is passed
directly to the provider using OSSL_SERIALIZER_CTX_set_params().

OSSL_SERIALIZER_CTX_set_passphrase() can be used to set a pass phrase
to be used for the encryption.  This is passed directly to the
provider using OSSL_SERIALIZER_CTX_set_params().

OSSL_SERIALIZER_CTX_set_passphrase_cb() and
OSSL_SERIALIZER_CTX_set_passphrase_ui() sets up a callback to be used
to prompt for a passphrase.  This is stored in the context, and is
called via an internal intermediary at the time of serialization.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoCORE: expose the property parsers and checker to the rest of the libraries
Richard Levitte [Tue, 19 Nov 2019 13:17:04 +0000 (14:17 +0100)]
CORE: expose the property parsers and checker to the rest of the libraries

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoSERIALIZER: add functions for serialization to file
Richard Levitte [Mon, 18 Nov 2019 00:32:22 +0000 (01:32 +0100)]
SERIALIZER: add functions for serialization to file

These functions are added:

- OSSL_SERIALIZER_to_bio()
- OSSL_SERIALIZER_to_fp() (unless 'no-stdio')

OSSL_SERIALIZER_to_bio() and OSSL_SERIALIZER_to_fp() work as wrapper
functions, and call an internal "do_output" function with the given
serializer context and a BIO to output the serialized result to.

The internal "do_output" function must have intimate knowledge of the
object being output.  This will defined independently with context
creators for specific OpenSSL types.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoSERIALIZER: New API for serialization of objects through providers
Richard Levitte [Mon, 18 Nov 2019 00:29:06 +0000 (01:29 +0100)]
SERIALIZER: New API for serialization of objects through providers

Serialization is needed to be able to take a provider object (such as
the provider side key data) and output it in PEM form, DER form, text
form (for display), and possibly other future forms (XML? JSON? JWK?)

The idea is that a serializer should be able to handle objects it has
intimate knowledge of, as well as object data in OSSL_PARAM form.  The
latter will allow libcrypto to serialize some object with a different
provider than the one holding the data, if exporting of that data is
allowed and there is a serializer that can handle it.

We will provide serializers for the types of objects we know about,
which should be useful together with any other provider that provides
implementations of the same type of object.

Serializers are selected by method name and a couple of additional
properties:

- format        used to tell what format the output should be in.
                Possibilities could include "format=text",
                "format=pem", "format=der", "format=pem-pkcs1"
                (traditional), "format=der-pkcs1" (traditional)
- type          used to tell exactly what type of data should be
                output, for example "type=public" (the public part of
                a key), "type=private" (the private part of a key),
                "type=domainparams" (domain parameters).

This also adds a passphrase callback function type,
OSSL_PASSPHRASE_CALLBACK, which is a bit like OSSL_CALLBACK, but it
takes a few extra arguments to place the result in.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoCORE: pass the full algorithm definition to the method constructor
Richard Levitte [Tue, 19 Nov 2019 08:55:56 +0000 (09:55 +0100)]
CORE: pass the full algorithm definition to the method constructor

So far, the API level method constructors that are called by
ossl_method_construct_this() were passed the algorithm name string and
the dispatch table and had no access to anything else.

This change gives them access to the full OSSL_ALGORITHM item, thereby
giving them access to the property definition.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoCORE: ossl_namemap_add_names(): new function to add multiple names
Richard Levitte [Fri, 8 Nov 2019 23:18:05 +0000 (00:18 +0100)]
CORE: ossl_namemap_add_names(): new function to add multiple names

This was originally the private add_names_to_namemap() in
crypto/evp/evp_fetch.c, but made more generally useful.

To make for more consistent function naming, ossl_namemap_add() and
ossl_namemap_add_n() are renamed to ossl_namemap_add_name() and
ossl_namemap_add_name_n().

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

4 years agoDisable mem leak checking for the self test lock
Matt Caswell [Thu, 19 Sep 2019 10:52:45 +0000 (11:52 +0100)]
Disable mem leak checking for the self test lock

The fips self test lock is deallocated in platform specific ways that may
occur after we do mem leak checking. If we don't know how to free it for
a particular platform then we just leak it deliberately. So we
temporarily disable the mem leak checking while we allocate the lock.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9939)

4 years agoMake sure we only run the self tests once
Matt Caswell [Wed, 18 Sep 2019 16:27:10 +0000 (17:27 +0100)]
Make sure we only run the self tests once

Fixes #9909

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9939)

4 years agoCheck the return from OPENSSL_buf2hexstr()
Matt Caswell [Tue, 26 Nov 2019 17:15:20 +0000 (17:15 +0000)]
Check the return from OPENSSL_buf2hexstr()

The function OPENSSL_buf2hexstr() can return NULL if it fails to allocate
memory so the callers should check its return value.

Fixes #10525

Reported-by: Ziyang Li (@Liby99)
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10526)

4 years agoCheck that OPENSSL_zalloc was successful when creating EVP types
Matt Caswell [Tue, 26 Nov 2019 17:14:08 +0000 (17:14 +0000)]
Check that OPENSSL_zalloc was successful when creating EVP types

We were missing a NULL check in a few very similar places following an
OPENSSL_zalloc() call.

Reported-by: Ziyang Li (@Liby99)
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10526)

4 years agoAdd a test for NULL chunks in encrypt/decrypt
Matt Caswell [Fri, 31 May 2019 13:32:55 +0000 (14:32 +0100)]
Add a test for NULL chunks in encrypt/decrypt

Issue #8675 describes a problem where calling EVP_DecryptUpdate() with an
empty chunk causes the result to be different compared to if you do not
use an empty chunk. This adds a test for that case.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10530)

4 years agoMake sure we handle input NULL with length 0
Matt Caswell [Wed, 27 Nov 2019 16:06:34 +0000 (16:06 +0000)]
Make sure we handle input NULL with length 0

If we call EVP_EncryptUpdate/EVP_DecryptUpdate with length 0 we should
be able to handle it. Most importantly we shouldn't get different
results if we do this compared to if we don't!

An exception is made for CCM mode which has special handling for this in
the low level cipher function.

Fixes #8675

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10530)

4 years agoConfigure: make it possible to have generated generators
Richard Levitte [Wed, 20 Nov 2019 13:58:20 +0000 (14:58 +0100)]
Configure: make it possible to have generated generators

This makes it possible to chain GENERATOR statements, which allows
constructs like this:

    GENERATE[something.html]=something.pod
    GENERATE[something.pod]=something.pod.in

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6236)

4 years agoAdapt *.tmpl to generate docs at build time
Richard Levitte [Wed, 31 Aug 2016 20:57:25 +0000 (22:57 +0200)]
Adapt *.tmpl to generate docs at build time

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6236)

4 years agoAdd doc/build.info to build the documentation
Richard Levitte [Wed, 31 Aug 2016 20:56:02 +0000 (22:56 +0200)]
Add doc/build.info to build the documentation

This build.info is entirely generated when configuring

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6236)

4 years agoAdd the possibility to generate documentation at build time
Richard Levitte [Wed, 31 Aug 2016 20:54:39 +0000 (22:54 +0200)]
Add the possibility to generate documentation at build time

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6236)

4 years agoconfigdata.pm.in, util/dofile.pl: load 'platform' unconditionally
Richard Levitte [Mon, 25 Nov 2019 11:53:19 +0000 (12:53 +0100)]
configdata.pm.in, util/dofile.pl: load 'platform' unconditionally

The 'platform' module handles defaults fine, there's no need to add
extra conditions on it being loaded.

Fixes #10513

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10514)

4 years agoapps/ocsp.c: sock_timeout -> socket_timeout
Richard Levitte [Mon, 25 Nov 2019 12:27:33 +0000 (13:27 +0100)]
apps/ocsp.c: sock_timeout -> socket_timeout

It appears that 'sock_timeout' is defined at least with DJGPP, so we
rename our symbol and hope the new name isn't taken.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10515)

5 years agoFix L<EVP_MD_CTX_set_pkey_ctx> links
moehuster [Tue, 12 Nov 2019 11:28:51 +0000 (19:28 +0800)]
Fix L<EVP_MD_CTX_set_pkey_ctx> links

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10420)

(cherry picked from commit ca7c982821cd6d7546f92623da61a6f43ee32d0a)

5 years agochacha/asm/chacha-armv8.pl: preserve FP registers d8 and d9 correctly
Ard Biesheuvel [Thu, 21 Nov 2019 17:13:41 +0000 (18:13 +0100)]
chacha/asm/chacha-armv8.pl: preserve FP registers d8 and d9 correctly

Depending on the size of the input, we may take different paths through
the accelerated arm64 ChaCha20 routines, each of which use a different
subset of the FP registers, some of which need to be preserved and
restored, as required by the AArch64 calling convention (AAPCS64)

In some cases, (e.g., when the input size is 640 bytes), we call the 512
byte NEON path followed directly by the scalar path, and in this case,
we preserve and restore d8 and d9, only to clobber them again
immediately before handing over to the scalar path which does not touch
the FP registers at all, and hence does not restore them either.

Fix this by moving the restoration of d8 and d9 to a later stage in the
512 byte routine, either before calling the scalar path, or when exiting
the function.

Fixes #10470
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10497)

5 years agoUse option/parameter consistently.
Rich Salz [Thu, 21 Nov 2019 23:14:12 +0000 (18:14 -0500)]
Use option/parameter consistently.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10135)

5 years agoDocument more env var stuff, fix some typo's
Rich Salz [Wed, 9 Oct 2019 19:45:12 +0000 (15:45 -0400)]
Document more env var stuff, fix some typo's

Add openssl-env.pod
Also fix up many other environment page formatting nits.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10135)

5 years agotest/cipher_overhead_test.c: build unconditionally
Richard Levitte [Mon, 25 Nov 2019 15:30:51 +0000 (16:30 +0100)]
test/cipher_overhead_test.c: build unconditionally

Build it against static libraries always, since that's the only way it
can work as intended.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10516)

5 years agoutil/find-doc-nits: Better parsing of links
Richard Levitte [Sat, 23 Nov 2019 20:41:35 +0000 (21:41 +0100)]
util/find-doc-nits: Better parsing of links

When checking links, we need to peal away stuff that aren't part of
the link proper first.  That makes it easier to check the link
itself.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10507)

5 years agodoc/man7/proxy-certificates.pod: New guide for proxy certificates
Richard Levitte [Sat, 23 Nov 2019 09:36:16 +0000 (10:36 +0100)]
doc/man7/proxy-certificates.pod: New guide for proxy certificates

This replaces doc/HOWTO/proxy_certificates.txt

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10507)

5 years agoProperty: fix memory leak.
Pauli [Sun, 24 Nov 2019 08:15:15 +0000 (18:15 +1000)]
Property: fix memory leak.

Coverity 1456008.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10509)

5 years agoCache constants for fetched EVP_cipher
Shane Lontis [Mon, 18 Nov 2019 00:32:36 +0000 (10:32 +1000)]
Cache constants for fetched EVP_cipher

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
(Merged from https://github.com/openssl/openssl/pull/10461)

5 years agoSupport ciphersuites using a SHA2 384 digest in FreeBSD KTLS.
John Baldwin [Thu, 31 Oct 2019 23:51:08 +0000 (16:51 -0700)]
Support ciphersuites using a SHA2 384 digest in FreeBSD KTLS.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #10372

5 years agoProperty: fix intermittent test failure.
Pauli [Fri, 22 Nov 2019 22:04:38 +0000 (08:04 +1000)]
Property: fix intermittent test failure.

The reduction in the cache flush threshold in #10408 caused the stochastic test
to fail with noticeable probability.  Revert that part of the change.

Also add a comment to help avoid this in future.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10505)

5 years agoRemove RANDFILE settings from configuration files
Dr. Matthias St. Pierre [Wed, 13 Nov 2019 15:02:09 +0000 (16:02 +0100)]
Remove RANDFILE settings from configuration files

OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding
mechanism, which makes it dispensable to define a RANDFILE for
saving and restoring randomness. This commit removes the RANDFILE
declarations from our own configuration files and adds documentation
that this option is not needed anymore and retained mainly for
compatibility reasons.

Fixes #10433

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10436)

5 years agoRemove deadlock that was caused by calling pthread_rwlock_wrlock() on same thread...
Matus Kysel [Fri, 22 Nov 2019 09:44:02 +0000 (10:44 +0100)]
Remove deadlock that was caused by calling pthread_rwlock_wrlock() on same thread twice. This can be reproduce only with musl.

CLA: trivial

Signed-off-by: Matus Kysel <mkysel@tachyum.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10501)

5 years agoProcess GOST ClientKeyExchange message in SSL_trace
Daniil Zotkin [Tue, 24 Sep 2019 09:47:26 +0000 (12:47 +0300)]
Process GOST ClientKeyExchange message in SSL_trace

Use ssl_print_hex to print message in case of GOST key exchange algorithm.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9995)

5 years agoUI_UTIL_wrap_read_pem_callback(): when |cb| is NULL, use PEM_def_callback
Richard Levitte [Thu, 14 Nov 2019 11:09:42 +0000 (12:09 +0100)]
UI_UTIL_wrap_read_pem_callback(): when |cb| is NULL, use PEM_def_callback

Fixes #10444

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10447)

5 years agoThread: Avoid a NULL dereference after failed initialisation.
Pauli [Thu, 21 Nov 2019 03:15:21 +0000 (13:15 +1000)]
Thread: Avoid a NULL dereference after failed initialisation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10493)

5 years agomain: avoid a NULL dereference on initialisation.
Pauli [Thu, 21 Nov 2019 03:50:03 +0000 (13:50 +1000)]
main: avoid a NULL dereference on initialisation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10495)

5 years agoPROV: Avoid NULL dereference in SHA3 dup call.
Pauli [Wed, 20 Nov 2019 22:41:42 +0000 (08:41 +1000)]
PROV: Avoid NULL dereference in SHA3 dup call.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10487)