oweals/openssl.git
6 years agoWindows build: build foo.d after foo.obj
Richard Levitte [Wed, 31 Oct 2018 08:02:00 +0000 (09:02 +0100)]
Windows build: build foo.d after foo.obj

We made the build of foo.obj depend on foo.d, meaning the latter gets
built first.  Unfortunately, the way the compiler works, we are forced
to redirect all output to foo.d, meaning that if the source contains
an error, the build fails without showing those errors.

We therefore remove the dependency and force the build of foo.d to
always happen after build of foo.obj.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7533)

6 years ago[crypto/bn] swap BN_FLG_FIXED_TOP too
Billy Brumley [Fri, 9 Nov 2018 07:25:43 +0000 (09:25 +0200)]
[crypto/bn] swap BN_FLG_FIXED_TOP too

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7599)

(cherry picked from commit dd41956d80686638d74fd203bd67060f90966280)

6 years agoFix cherry-pick error
Richard Levitte [Fri, 9 Nov 2018 11:08:08 +0000 (12:08 +0100)]
Fix cherry-pick error

A couple of $(ECHO) sneaked in from patches in newer branches

Fixes #7600

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7601)

6 years agoVMS build: colon after target must be separated with a space
Richard Levitte [Fri, 9 Nov 2018 11:23:53 +0000 (12:23 +0100)]
VMS build: colon after target must be separated with a space

... otherwise, it's taken to be part of a device name.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7602)

(cherry picked from commit e9994901f835420764d020968d4588fc09ec74c3)

6 years agoHave install targets depend on more precise build targets
Richard Levitte [Wed, 7 Nov 2018 15:13:57 +0000 (16:13 +0100)]
Have install targets depend on more precise build targets

We only had the main 'install' target depend on 'all'.  This changes
the dependencies so targets like install_dev, install_runtime_libs,
install_engines and install_programs depend on build targets that are
correspond to them more specifically.  This increases the parallel
possibilities.

Fixes #7466

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7583)

(cherry picked from commit e8d01a608705e4320082a11a3870aa7e19c7290f)

6 years agoAllow parallel install
Richard Levitte [Thu, 25 Oct 2018 07:09:20 +0000 (09:09 +0200)]
Allow parallel install

When trying 'make -j{n} install', you may occasionally run into
trouble because to sub-targets (install_dev and install_runtime) try
to install the same shared libraries.  That makes parallel install
difficult.

This is solved by dividing install_runtime into two parts, one for
libraries and one for programs, and have install_dev depend on
install_runtime_libs instead of installing the shared runtime
libraries itself.

Fixes #7466

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7583)

(cherry picked from commit c1123d9f7efb005a109aeccaba82c40bf9bd4c1d)

6 years agoAdd a constant time flag to one of the bignums to avoid a timing leak.
Pauli [Wed, 31 Oct 2018 22:44:11 +0000 (08:44 +1000)]
Add a constant time flag to one of the bignums to avoid a timing leak.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7549)

(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)

6 years agoRemove brace from bad cherry-pick of DSA reallocation fix
Rod Vagg [Mon, 29 Oct 2018 09:43:53 +0000 (20:43 +1100)]
Remove brace from bad cherry-pick of DSA reallocation fix

Commit 56fb454 backported the DSA reallocation fix to 1.1.0, however a
code block that has multiple statements in 1.1.1+ only has a `goto` in
1.1.0 so introduces a brace that causes a compile failure.

CLA:trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7516)

6 years agoTiming vulnerability in ECDSA signature generation (CVE-2018-0735)
Pauli [Fri, 26 Oct 2018 00:54:58 +0000 (10:54 +1000)]
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)

(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)

6 years agoTiming vulnerability in DSA signature generation (CVE-2018-0734).
Pauli [Tue, 23 Oct 2018 21:42:46 +0000 (07:42 +1000)]
Timing vulnerability in DSA signature generation (CVE-2018-0734).

Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized.  Increasing the size of the BNs
prior to doing anything with them suppresses the attack.

Thanks due to Samuel Weiser for finding and locating this.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)

(cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6)

6 years agoDSA mod inverse fix
Pauli [Sun, 28 Oct 2018 20:50:51 +0000 (06:50 +1000)]
DSA mod inverse fix

There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm.  This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.

Thanks to Samuel Weiser for finding and reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)

(cherry picked from commit 415c33563528667868c3c653a612e6fc8736fd79)

6 years agomd_rand.c: don't stop polling until properly initialized
Dr. Matthias St. Pierre [Thu, 18 Oct 2018 21:04:32 +0000 (23:04 +0200)]
md_rand.c: don't stop polling until properly initialized

Previously, the RNG sets `initialized=1` after the first call to
RAND_poll(), although its criterion for being initialized actually
is whether condition `entropy >= ENTROPY_NEEDED` is true.

This commit now assigns `initialized=(entropy >= ENTROPY_NEEDED)`,
which has the effect that on the next call, RAND_poll() will be
called again, if it previously failed to obtain enough entropy.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7438)

6 years agoarch/async_posix.h: improve portability.
Andy Polyakov [Wed, 17 Oct 2018 08:09:33 +0000 (10:09 +0200)]
arch/async_posix.h: improve portability.

{make|swap|get|set}context are removed in POSIX.1-2008, but glibc
apparently keeps providing it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7420)

(cherry picked from commit 9d71a24ebf57e7157888af1ca587eafe914bf96f)

6 years agoApply self-imposed path length also to root CAs
Viktor Dukhovni [Mon, 8 Oct 2018 16:05:14 +0000 (12:05 -0400)]
Apply self-imposed path length also to root CAs

Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf).  Therefore, never count the EE
cert, and adjust the path length comparison accordinly.  This may
be more clear to the reader.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6)

6 years agoOnly CA certificates can be self-issued
Viktor Dukhovni [Fri, 5 Oct 2018 03:53:01 +0000 (23:53 -0400)]
Only CA certificates can be self-issued

At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:

   This specification covers two classes of certificates: CA
   certificates and end entity certificates.  CA certificates may be
   further divided into three classes: cross-certificates, self-issued
   certificates, and self-signed certificates.  Cross-certificates are
   CA certificates in which the issuer and subject are different
   entities.  Cross-certificates describe a trust relationship between
   the two CAs.  Self-issued certificates are CA certificates in which
   the issuer and subject are the same entity.  Self-issued certificates
   are generated to support changes in policy or operations.  Self-
   signed certificates are self-issued certificates where the digital
   signature may be verified by the public key bound into the
   certificate.  Self-signed certificates are used to convey a public
   key for use to begin certification paths.  End entity certificates
   are issued to subjects that are not authorized to issue certificates.

that the term "self-issued" is only applicable to CAs, not end-entity
certificates.  In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:

   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section 4.2.1.3).  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.  (Note: The
   last certificate in the certification path is not an intermediate
   certificate, and is not included in this limit.  Usually, the last
   certificate is an end entity certificate, but it can be a CA
   certificate.)

This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates.  A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count.  The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)

6 years agossl/s3_enc.c: fix logical errors in ssl3_final_finish_mac.
Andy Polyakov [Fri, 12 Oct 2018 20:17:51 +0000 (22:17 +0200)]
ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac.

(back-port of commit 7d0effeacbb50b12bfc24df7614d7cf5c8686f51)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7392)

6 years agoapps: allow empty attribute values with -subj
Benjamin Kaduk [Thu, 4 Oct 2018 18:49:21 +0000 (13:49 -0500)]
apps: allow empty attribute values with -subj

Historically (i.e., OpenSSL 1.0.x), the openssl applications would
allow for empty subject attributes to be passed via the -subj argument,
e.g., `opensl req -subj '/CN=joe/O=/OU=local' ...`.  Commit
db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite
to the parse_name() helper function that parses these strings, but
in the process dropped a check that would skip attributes with no
associated value.  As a result, such strings are now treated as
hard errors and the operation fails.

Restore the check to skip empty attribute values and restore
the historical behavior.

Document the behavior for empty subject attribute values in the
corresponding applications' manual pages.

(cherry picked from commit 3d362f190306b62a17aa2fd475b2bc8b3faa8142)
(cherry picked from commit a7ee1ef61b1893038008691a4a6979cf2da91439)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7368)

6 years agoFix copy&paste error found in Coverity scan
Tomas Mraz [Tue, 9 Oct 2018 16:37:10 +0000 (18:37 +0200)]
Fix copy&paste error found in Coverity scan

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7377)

(cherry picked from commit 628ee796389b555ddb5fc28355e16e9417ab1724)

6 years agorsa/rsa_ossl.c: fix and extend commentary [skip ci].
Andy Polyakov [Wed, 5 Sep 2018 12:33:21 +0000 (14:33 +0200)]
rsa/rsa_ossl.c: fix and extend commentary [skip ci].

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7123)

(cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849)

6 years agoClean out aliases in include/openssl/symhacks.h
Richard Levitte [Sun, 30 Sep 2018 00:18:47 +0000 (02:18 +0200)]
Clean out aliases in include/openssl/symhacks.h

Only a few clashing ones remain

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7331)

(cherry picked from commit b44882a0bd0717e0aab84f5dc3ef81ab673155e9)

6 years agoSmall cleanup (util/mkdef.pl, crypto/bio/bss_log.c, include/openssl/ocsp.h)
Richard Levitte [Sat, 29 Sep 2018 23:59:11 +0000 (01:59 +0200)]
Small cleanup (util/mkdef.pl, crypto/bio/bss_log.c, include/openssl/ocsp.h)

BIO_s_log() is declared for everyone, so should return NULL when not
actually implemented.  Also, it had explicit platform limitations in
util/mkdef.pl that didn't correspond to what was actually in code.
While at it, a few other hard coded things that have lost their
relevance were removed.

include/openssl/ocsp.h had a few duplicate declarations.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7331)

(cherry picked from commit 7e09c5eaa57295f87453286ffe25277c2f2bc73f)

6 years agoImplement coordinate blinding for EC_POINT
Sohaib ul Hassan [Sat, 16 Jun 2018 14:07:40 +0000 (17:07 +0300)]
Implement coordinate blinding for EC_POINT

This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.

This commit is derived from the patch
https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.

Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.

For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.

For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6526)

6 years ago[test] ECC: make sure negative tests pass for the right reasons
Billy Brumley [Wed, 22 Aug 2018 06:50:43 +0000 (09:50 +0300)]
[test] ECC: make sure negative tests pass for the right reasons

This is a backport of #7028 to 1.1.0.

It squashes the two original commits and applies changes for
compatibility with 1.1.0.

1. cherry picked from commit 30c41bfb158c0f595809d0eaf032926a3c2cf236
    [test] ECC: make sure negative tests pass for the right reasons
2. cherry picked from commit bfb10b975818d1887d676d309fcc21a765611f6d
    [test] throw error from wrapper function instead of an EC_METHOD specific one

Given that in 1.1.0 `EC_POINT_get_affine_coordinates_GFp` and
`EC_POINT_get_affine_coordinates_GF2m` have not been unified, in this
backport the tests distinguish between the 2 different functions as the
cause of the expected error.

[extended tests] to trigger sanitizer checks and coverage analysis.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7152)

6 years agoMore EVP ECC testing: positive and negative
Billy Brumley [Thu, 28 Jun 2018 07:59:08 +0000 (10:59 +0300)]
More EVP ECC testing: positive and negative

This is a backport of #6608 to 1.1.0.

1. For every named curve, two "golden" keypair positive tests.
2. Also two "golden" stock ECDH positive tests.
3. For named curves with non-trivial cofactors, additionally two "golden"
   ECC CDH positive tests.
4. For named curves with non-trivial cofactors, additionally two negative
   tests.

There is some overlap with existing EVP tests, especially for the NIST
curves (for example, positive testing ECC CDH KATs for NIST curves).

"Golden" here means all the values are independent from OpenSSL's ECC
code. I used sage to calculate them. What comes from OpenSSL is:

1. The OIDs (parsed by tooling)
2. The curve parameters (parsing ecparam output with tooling)

The values inside the PEMs (private keys, public keys) and shared keys
are from sage. The PEMs themselves are the output of asn1parse, with
input taken from sage.

(cherry picked from commit 249330de0250bc598d20d383bab37d150cdad239)

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7152)

6 years agoMove evp test programs input data to its own data dir
Nicola Tuveri [Fri, 7 Sep 2018 15:27:56 +0000 (18:27 +0300)]
Move evp test programs input data to its own data dir

This is a manual backport of #3472 to 1.1.0.
This is a partial backport, limited only to evptests, as #3472 also
affected bntests, which has a completely different form in 1.1.0.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7152)

6 years agoSplit test/evptests.txt into separate files.
Nicola Tuveri [Fri, 7 Sep 2018 15:14:30 +0000 (18:14 +0300)]
Split test/evptests.txt into separate files.

This is a manual port of #3443 (and the related bugfix PR #3452) to
1.1.0.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7152)

6 years agoDocument OPENSSL_VERSION_TEXT macro
Daniel Bevenius [Mon, 24 Sep 2018 06:43:35 +0000 (08:43 +0200)]
Document OPENSSL_VERSION_TEXT macro

This commit documents the OPENSSL_VERSION_TEXT which is currently
missing in the man page.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7301)

(cherry picked from commit 7c69495712e3dc9aa8db38271f0c3faeb2037165)

6 years agoUse secure_getenv(3) when available.
Pauli [Mon, 24 Sep 2018 01:21:18 +0000 (11:21 +1000)]
Use secure_getenv(3) when available.

Change all calls to getenv() inside libcrypto to use a new wrapper function
that use secure_getenv() if available and an issetugid then getenv if not.

CPU processor override flags are unchanged.

Extra checks for OPENSSL_issetugid() have been removed in favour of the
safe getenv.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7047)

(cherry picked from commit 5c39a55d04ea6e6f734b627a050b9e702788d50d)

6 years agocrypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG
Richard Levitte [Fri, 21 Sep 2018 09:11:15 +0000 (11:11 +0200)]
crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG

This module includes bn.h via other headers, so it picks up the
definition from there and doesn't need to define them locally (any
more?).  Worst case scenario, the redefinition may be different and
cause all sorts of compile errors.

Fixes #7227

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7287)

(cherry picked from commit dda5396aaec315bdbcb080e42fb5cd0191f2ad72)

6 years agocrypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too
Richard Levitte [Wed, 19 Sep 2018 19:33:45 +0000 (21:33 +0200)]
crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too

These both indicate that the file descriptor we're trying to use as a
terminal isn't, in fact, a terminal.

Fixes #7271

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7272)

(cherry picked from commit 276bf8620ce35a613c856f2b70348f65ffe94067)

6 years agoUse 'i' as parameter name not 'I'.
Pauli [Sun, 16 Sep 2018 21:47:42 +0000 (07:47 +1000)]
Use 'i' as parameter name not 'I'.

The latter causes problems when complex.h is #included.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7233)

(cherry picked from commit 972f67889b5a10c33dbc3d500cfa65b544e68b46)

6 years agoAdd a compile time test to verify that openssl/rsa.h and complex.h can
Pauli [Sun, 16 Sep 2018 22:09:25 +0000 (08:09 +1000)]
Add a compile time test to verify that openssl/rsa.h and complex.h can
coexist.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7233)

(cherry picked from commit da5fac72b1cba5651b871902eea234e693cf01e5)

6 years agoAdd an explicit cast to time_t
Matt Caswell [Wed, 12 Sep 2018 15:49:19 +0000 (16:49 +0100)]
Add an explicit cast to time_t

Caused a compilation failure in some environments

Fixes #7204

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7205)

(cherry picked from commit bc278f30f0b766bfb82426c641dc1d51ace4a994)

6 years agominor fixes for Windows
Viktor Szakats [Tue, 11 Sep 2018 22:34:00 +0000 (22:34 +0000)]
minor fixes for Windows

- fix to use secure URL in generated Windows resources
- fix a potentially uninitialized variable

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7189)

6 years agoMake the config script fail with an error code if Configure failed
Bernd Edlinger [Mon, 10 Sep 2018 12:18:23 +0000 (14:18 +0200)]
Make the config script fail with an error code if Configure failed

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7166)

6 years agoFix typos in documentation.
parasssh [Thu, 23 Aug 2018 05:42:11 +0000 (22:42 -0700)]
Fix typos in documentation.

CLA: trivial

(cherry picked from commit fa332bba919d094c1654bbb3be0528b3df6e9023)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7040)

6 years agoCAPI engine: add support for RSA_NO_PADDING
Richard Levitte [Tue, 11 Sep 2018 09:00:30 +0000 (11:00 +0200)]
CAPI engine: add support for RSA_NO_PADDING

Since the SSL code started using RSA_NO_PADDING, the CAPI engine became
unusable.  This change fixes that.

Fixes #7131

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7174)

(cherry picked from commit 37f4928701aa54937ce8eef422a2165afeec5cec)

6 years agoCheck the return value from ASN1_INTEGER_set
Matt Caswell [Mon, 10 Sep 2018 15:23:14 +0000 (16:23 +0100)]
Check the return value from ASN1_INTEGER_set

Found by Coverity

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7169)

(cherry picked from commit 512d811719fc955f574090af4c3586a9aba46fa7)

6 years agoRSA padding Zeroization fixes
Shane Lontis [Mon, 3 Sep 2018 01:39:50 +0000 (11:39 +1000)]
RSA padding Zeroization fixes

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7090)

(cherry picked from commit 82eba370daeb6d80b01b521d9e2963451487f0cb)

6 years agoHarmonize the error handling codepath
Nicola Tuveri [Wed, 5 Sep 2018 09:08:12 +0000 (12:08 +0300)]
Harmonize the error handling codepath

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)

6 years agoFix segfault in RSA_free() (and DSA/DH/EC_KEY)
Nicola Tuveri [Wed, 5 Sep 2018 08:58:55 +0000 (11:58 +0300)]
Fix segfault in RSA_free() (and DSA/DH/EC_KEY)

`RSA_free()` and friends are called in case of error from
`RSA_new_method(ENGINE *e)` (or the respective equivalent functions).

For the rest of the description I'll talk about `RSA_*`, but the same
applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`.

If `RSA_new_method()` fails because the engine does not implement the
required method, when `RSA_free(RSA *r)` is called,
`r->meth == NULL` and a segfault happens while checking if
`r->meth->finish` is defined.

This commit fixes this issue by ensuring that `r->meth` is not NULL
before dereferencing it to check for `r->meth->finish`.

Fixes #7102 .

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)

6 years agoKey zeroization fix for EVP_SealInit.
Pauli [Tue, 4 Sep 2018 21:50:17 +0000 (07:50 +1000)]
Key zeroization fix for EVP_SealInit.

Manual backport from master.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7116)

6 years agoNew openssl subject parser hard to debug
Eric Curtin [Mon, 3 Sep 2018 14:23:37 +0000 (15:23 +0100)]
New openssl subject parser hard to debug

-subj 'subject=C = US, ST = A, L = root, O = Hewlett Packard Enterprise Company, OU = Remote Device Access, CN = Hewlett Packard Enterprise Remote Device Access Test Local CA, emailAddress = rda@hpe.com'
was a valid subject in openssl 1.0. Error received in 1.1 is:

problems making Certificate Request

Not very informative, I only figured this out because I compiled the
code and added logging.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7098)

(cherry picked from commit 2167640b0bf76ec50a397dd90444b97c242e3f04)

6 years agoMake OBJ_NAME case insensitive.
Pauli [Tue, 4 Sep 2018 19:35:34 +0000 (05:35 +1000)]
Make OBJ_NAME case insensitive.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7101)

6 years agohkdf zeroization fix
Shane Lontis [Tue, 4 Sep 2018 04:01:37 +0000 (14:01 +1000)]
hkdf zeroization fix

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7106)

(cherry picked from commit 64ed55ab033f1bfa795d46f0ecc61c313204b418)

6 years agokey zeroisation fix for p12
Shane Lontis [Tue, 4 Sep 2018 05:00:21 +0000 (15:00 +1000)]
key zeroisation fix for p12

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7109)

(cherry picked from commit f5cee414fa8e7e9a088d8d5ebe641f368df20801)

6 years agokey zeroisation for pvkfmt now done on all branch paths
Shane Lontis [Tue, 4 Sep 2018 04:31:11 +0000 (14:31 +1000)]
key zeroisation for pvkfmt now done on all branch paths

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7107)

(cherry picked from commit 0239283d99a37e8527199a62100fec867b9996cb)

6 years agoopenssl req: don't try to report bits
Richard Levitte [Mon, 3 Sep 2018 11:17:03 +0000 (13:17 +0200)]
openssl req: don't try to report bits

With the introduction of -pkeyopt, the number of bits may change
without |newkey| being updated.  Unfortunately, there is no API to
retrieve the information from a EVP_PKEY_CTX either, so chances are
that we report incorrect information.  For the moment, it's better not
to try to report the number of bits at all.

Fixes #7086

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7096)

(cherry picked from commit 17147181bd3f97c53592e2a5c9319b854b954039)

6 years agoClarify the EVP_DigestSignInit docs
Matt Caswell [Thu, 23 Aug 2018 10:37:22 +0000 (11:37 +0100)]
Clarify the EVP_DigestSignInit docs

They did not make it clear how the memory management works for the |pctx|
parameter.

Fixes #7037

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7042)

(cherry picked from commit f097e8759820f6f9b78adb99eb4bfced2945d623)

6 years agoFix example in crl(1) man page
Jakub Wilk [Mon, 3 Sep 2018 09:09:51 +0000 (11:09 +0200)]
Fix example in crl(1) man page

The default input format is PEM, so explicit "-inform DER" is needed to
read DER-encoded CRL.

CLA: trivial

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7094)

(cherry picked from commit 785e614a95a134831f213749332bcf40c4920f69)

6 years agoThe req documentation incorrectly states that we default to md5
Matt Caswell [Thu, 9 Aug 2018 15:25:29 +0000 (16:25 +0100)]
The req documentation incorrectly states that we default to md5

Just remove that statement. It's not been true since 2005.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/6905)

6 years agoadd docs for OCSP_resp_get0_signature
Paul Kehrer [Sat, 1 Sep 2018 14:50:28 +0000 (10:50 -0400)]
add docs for OCSP_resp_get0_signature

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)

6 years agoadd getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP
Paul Kehrer [Sat, 1 Sep 2018 04:05:55 +0000 (00:05 -0400)]
add getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP

fixes #7081

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)

6 years agoCheck the return from BN_sub() in BN_X931_generate_Xpq().
Pauli [Sun, 2 Sep 2018 21:37:38 +0000 (07:37 +1000)]
Check the return from BN_sub() in BN_X931_generate_Xpq().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7088)

(cherry picked from commit 6bcfcf16bf6aef4f9ec267d8b86ae1bffd8deab9)

6 years agoRemove redundant ASN1_INTEGER_set call
Eric Brown [Thu, 16 Aug 2018 15:34:39 +0000 (08:34 -0700)]
Remove redundant ASN1_INTEGER_set call

This trivial patch removes a duplicated call to ASN1_INTEGER_set.

Fixes Issue #6977

Signed-off-by: Eric Brown <browne@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6984)

(cherry picked from commit 59701e6363531cddef5b2114c0127b8453deb1f3)

6 years agoBackport #7007 to 1.1.0
Dmitry Belyavskiy [Fri, 24 Aug 2018 08:48:00 +0000 (11:48 +0300)]
Backport #7007 to 1.1.0

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7052)

6 years agoFree SSL object on an error path
Matt Caswell [Mon, 27 Aug 2018 14:04:28 +0000 (15:04 +0100)]
Free SSL object on an error path

Thanks to @fangang190 for reporting this

Fixes #7061

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7065)

6 years agobn/bn_lib.c: conceal even memmory access pattern in bn2binpad.
Andy Polyakov [Wed, 15 Aug 2018 13:46:35 +0000 (15:46 +0200)]
bn/bn_lib.c: conceal even memmory access pattern in bn2binpad.

(cherry picked from commit 324b95605225410763fe63f7cff36eb46ca54ee9)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)

6 years agobn/bn_blind.c: use Montgomery multiplication when possible.
Andy Polyakov [Mon, 13 Aug 2018 14:59:08 +0000 (16:59 +0200)]
bn/bn_blind.c: use Montgomery multiplication when possible.

(cherry picked from commit e02c519cd32a55e6ad39a0cfbeeda775f9115f28)

Resolved conflicts:
crypto/bn/bn_blind.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)

6 years agorsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."
Andy Polyakov [Fri, 10 Aug 2018 17:46:03 +0000 (19:46 +0200)]
rsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."

In [most common] case of p and q being of same width, it's possible to
replace CRT modulo operations with Montgomery reductions. And those are
even fixed-length Montgomery reductions...

(cherry picked from commit 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59)

Resolved conflicts:
crypto/rsa/rsa_ossl.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)

6 years agocrypto/bn: add more fixed-top routines.
Andy Polyakov [Fri, 10 Aug 2018 17:31:22 +0000 (19:31 +0200)]
crypto/bn: add more fixed-top routines.

Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top.
Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove
memset in bn_from_montgomery_word.

(cherry picked from commit fcc4ee09473cac511eca90faa003661c7786e4f9)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)

6 years agoBackport #6648 to OpenSSL_1_1_0-stable
Nicola Tuveri [Mon, 20 Aug 2018 21:50:01 +0000 (00:50 +0300)]
Backport #6648 to OpenSSL_1_1_0-stable

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7015)

6 years agoZero memory in CRYPTO_secure_malloc.
Pauli [Wed, 22 Aug 2018 00:04:27 +0000 (10:04 +1000)]
Zero memory in CRYPTO_secure_malloc.

This commit destroys the free list pointers which would otherwise be
present in the returned memory blocks.  This in turn helps prevent
information leakage from the secure memory area.

Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory:
before the secure memory system is initialised or if it isn't implemented.

[manual merge of #7011]

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7026)

6 years agocrypto/init.c: improve destructor_key's portability.
Andy Polyakov [Thu, 16 Aug 2018 07:26:12 +0000 (09:26 +0200)]
crypto/init.c: improve destructor_key's portability.

It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type,
which doesn't appear to hold true.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6976)

(cherry picked from commit 0b1319ba94c85af9e87308e0d573d1260a802f53)

6 years agoFix a warning from MSVC build
Bernd Edlinger [Fri, 17 Aug 2018 07:02:53 +0000 (09:02 +0200)]
Fix a warning from MSVC build

Apparently after internal/numbers.h defines INTx_MIN/MAX
stdint gets included and it defines those differently:

C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\INCLUDE\stdint.h(48):
 warning C4005: 'INT8_MIN': macro redefinition

Avoid that by changing the sequence in which the include files
appear in crypto/bio/b_print.c.

[extended tests]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6995)

6 years agoAvoid shadowing 'free' in X509_LOOKUP_met_set_free
Benjamin Kaduk [Thu, 16 Aug 2018 20:42:55 +0000 (15:42 -0500)]
Avoid shadowing 'free' in X509_LOOKUP_met_set_free

gcc 4.6 (arguably erroneously) warns about our use of 'free' as
the name of a function parameter, when --strict-warnings is enabled:

crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free':
crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow]
cc1: all warnings being treated as errors
make[1]: *** [crypto/x509/x509_meth.o] Error 1

(gcc 4.8 is fine with this code, as are newer compilers.)

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6991)

(cherry picked from commit 50f3994b513ead4da94845bf38222bb71c440fb3)

6 years agoPrepare for 1.1.0j-dev
Matt Caswell [Tue, 14 Aug 2018 12:46:03 +0000 (13:46 +0100)]
Prepare for 1.1.0j-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years agoPrepare for 1.1.0i release OpenSSL_1_1_0i
Matt Caswell [Tue, 14 Aug 2018 12:45:05 +0000 (13:45 +0100)]
Prepare for 1.1.0i release

Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years agoUpdate copyright year
Matt Caswell [Tue, 14 Aug 2018 12:25:55 +0000 (13:25 +0100)]
Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6954)

6 years agoUpdates to CHANGES and NEWS for the new release
Matt Caswell [Tue, 14 Aug 2018 09:39:19 +0000 (10:39 +0100)]
Updates to CHANGES and NEWS for the new release

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6950)

6 years agocrypto/o_fopen.c: alias fopen to fopen64.
Andy Polyakov [Wed, 27 Jun 2018 09:57:45 +0000 (11:57 +0200)]
crypto/o_fopen.c: alias fopen to fopen64.

Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6596)

(cherry picked from commit 2369111fd94ebc9b7d37e68f3ea9629f2fe5fa2e)

6 years agoi2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Richard Levitte [Sat, 11 Aug 2018 07:59:20 +0000 (09:59 +0200)]
i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer

Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):

    For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
    allocated for a buffer and the encoded data written to it. In this
    case B<*out> is not incremented and it points to the start of the
    data just written.

i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.

Fixes #6914

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)

(cherry picked from commit cba024dc685d13dbcbd0577bed028ee6b295b56a)

6 years agox509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.
Andy Polyakov [Sun, 29 Jul 2018 12:37:17 +0000 (14:37 +0200)]
x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6891)

(back-ported from commit f21b5b64cbbc279ef31389e6ae312690575187da)

6 years agox509v3/v3_purp.c: resolve Thread Sanitizer nit.
Andy Polyakov [Sun, 29 Jul 2018 12:13:32 +0000 (14:13 +0200)]
x509v3/v3_purp.c: resolve Thread Sanitizer nit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6891)

(cherry picked from commit 0da7358b0757fa35f2c3a8f51fa036466ae50fd7)

6 years agoIncrease CT_NUMBER values
Rich Salz [Tue, 7 Aug 2018 19:28:59 +0000 (15:28 -0400)]
Increase CT_NUMBER values

Also add build-time errors to keep them in sync.
Thanks to GitHub user YuDudysheva for reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6874)
(cherry picked from commit b5ee517794cf546dc7e3d5a82b400955a7381053)

6 years agoFix setting of ssl_strings_inited.
Rich Salz [Tue, 7 Aug 2018 19:08:03 +0000 (15:08 -0400)]
Fix setting of ssl_strings_inited.

Thanks to GitHub user zsergey105 for reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6875)
(cherry picked from commit 10281e83eac0fb96de3f14855154197aa33bb800)

6 years agoCheck early that the config target exists and isn't a template
Richard Levitte [Tue, 7 Aug 2018 10:38:16 +0000 (12:38 +0200)]
Check early that the config target exists and isn't a template

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6885)

(cherry picked from commit 4e360445473c3da938703a8142a36cf6ee86a191)

6 years agoMake EVP_PKEY_asn1_new() stricter with its input
Richard Levitte [Tue, 7 Aug 2018 02:55:47 +0000 (04:55 +0200)]
Make EVP_PKEY_asn1_new() stricter with its input

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6880)

(cherry picked from commit 38eca7fed09a57c1b7a05d651af2c667b3e87719)

6 years agoFix uninitialized value $s warning in windows static builds
Bernd Edlinger [Thu, 2 Aug 2018 17:47:42 +0000 (19:47 +0200)]
Fix uninitialized value $s warning in windows static builds

Fixes: #6826

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/pr6849)

6 years agoAvoid errors when loading a cert multiple times.
Pauli [Sun, 5 Aug 2018 21:31:49 +0000 (07:31 +1000)]
Avoid errors when loading a cert multiple times.
Manual backport of #2830 to 1.1.0

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6861)

6 years agoUse auto-null-initializer
Rich Salz [Fri, 3 Aug 2018 22:03:22 +0000 (18:03 -0400)]
Use auto-null-initializer

Thanks to GitHub user YuDudysheva for reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6853)

6 years agoasn1/tasn_utl.c: fix logical error in asn1_do_lock.
Andy Polyakov [Thu, 2 Aug 2018 07:02:47 +0000 (09:02 +0200)]
asn1/tasn_utl.c: fix logical error in asn1_do_lock.

CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6843)

6 years agoRevert "asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock."
Andy Polyakov [Thu, 2 Aug 2018 06:59:48 +0000 (08:59 +0200)]
Revert "asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock."

This reverts commit 24233a0f3c491919ee3a38e2567271ccc041ee1d.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6843)

6 years agoasn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.
Andy Polyakov [Tue, 31 Jul 2018 12:59:14 +0000 (14:59 +0200)]
asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.

CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 680b9d45b005c2d0a48fd574db903bf4486b49ae)

6 years agoCheck return from BN_sub
Pauli [Tue, 31 Jul 2018 03:11:00 +0000 (13:11 +1000)]
Check return from BN_sub

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6823)

(cherry picked from commit 3d3cbce550ff5d6172cf28dbbf80bda93f6577a9)

6 years agoCheck conversion return in ASN1_INTEGER_print_bio.
Pauli [Tue, 31 Jul 2018 01:37:05 +0000 (11:37 +1000)]
Check conversion return in ASN1_INTEGER_print_bio.

Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the
BN instead of doing it separately.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6821)

(cherry picked from commit 35c9408108f3608eb572acd7f64a93cf4f43f4f6)

6 years agoRemove DSA digest length checks when no digest is passed
Bryan Donlan [Tue, 17 Jul 2018 20:38:17 +0000 (13:38 -0700)]
Remove DSA digest length checks when no digest is passed

FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.

Fixes: #6748

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)

(cherry picked from commit 665d9d1c0655d6f709c99e1211c1e11fcebfeecd)

6 years agocrypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.
Andy Polyakov [Fri, 20 Jul 2018 11:23:42 +0000 (13:23 +0200)]
crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.

Problem was that Windows threads that were terminating before libcrypto
was initialized were referencing uninitialized or possibly even
unrelated thread local storage index.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6799)

(cherry picked from commit 80ae7285e1994d35c84519bf9e038b11d9942875)

Resolved conflicts:
crypto/init.c

6 years agocrypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.
Andy Polyakov [Fri, 20 Jul 2018 11:15:48 +0000 (13:15 +0200)]
crypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6799)

(cherry picked from commit b86d57bb0b23253c720db38ab18ca97cb888f701)

Resolved conflicts:
crypto/cryptlib.c

6 years agoCHANGES: mention blinding reverting in ECDSA.
Andy Polyakov [Thu, 26 Jul 2018 12:38:53 +0000 (14:38 +0200)]
CHANGES: mention blinding reverting in ECDSA.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)

6 years agobn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.
Andy Polyakov [Wed, 25 Jul 2018 08:29:51 +0000 (10:29 +0200)]
bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.

New implementation failed to correctly reset r->neg flag. Spotted by
OSSFuzz.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)

(cherry picked from commit 70a579ae2f37437a1e02331eeaa84e1b68ba021e)

6 years agoec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication.
Andy Polyakov [Thu, 12 Jul 2018 20:27:43 +0000 (22:27 +0200)]
ec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)

(cherry picked from commit 37132c9702328940a99b1307f742ab094ef754a7)

6 years agoec/ecdsa_ossl.c: formatting and readability fixes.
Andy Polyakov [Fri, 6 Jul 2018 14:13:29 +0000 (16:13 +0200)]
ec/ecdsa_ossl.c: formatting and readability fixes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)

(cherry picked from commit fff7a0dcf6e3135c7f93e6cb5fb35e37dd0b384d)

6 years agoec/ecdsa_ossl.c: revert blinding in ECDSA signature.
Andy Polyakov [Fri, 6 Jul 2018 13:55:34 +0000 (15:55 +0200)]
ec/ecdsa_ossl.c: revert blinding in ECDSA signature.

Originally suggested solution for "Return Of the Hidden Number Problem"
is arguably too expensive. While it has marginal impact on slower
curves, none to ~6%, optimized implementations suffer real penalties.
Most notably sign with P-256 went more than 2 times[!] slower. Instead,
just implement constant-time BN_mod_add_quick.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)

(cherry picked from commit 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f)

Resolved conflicts:
crypto/ec/ecdsa_ossl.c

6 years agobn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors.
Andy Polyakov [Fri, 6 Jul 2018 13:13:15 +0000 (15:13 +0200)]
bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors.

Note that exported functions maintain original behaviour, so that
external callers won't observe difference. While internally we can
now perform Montogomery multiplication on fixed-length vectors, fixed
at modulus size. The new functions, bn_to_mont_fixed_top and
bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use
them even outside bn, e.g. in RSA, DSA, ECDSA...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6707)

(cherry picked from commit 71883868ea5b33416ae8283bcc38dd2d97e5006b)

Resolved conflicts:
crypto/bn/bn_exp.c
crypto/bn/bn_mont.c
crypto/include/internal/bn_int.h

6 years agobn/bn_lib.c: add BN_FLG_FIXED_TOP flag.
Andy Polyakov [Fri, 6 Jul 2018 13:02:29 +0000 (15:02 +0200)]
bn/bn_lib.c: add BN_FLG_FIXED_TOP flag.

The new flag marks vectors that were not treated with bn_correct_top,
in other words such vectors are permitted to be zero padded. For now
it's BN_DEBUG-only flag, as initial use case for zero-padded vectors
would be controlled Montgomery multiplication/exponentiation, not
general purpose. For general purpose use another type might be more
appropriate. Advantage of this suggestion is that it's possible to
back-port it...

bn/bn_div.c: fix memory sanitizer problem.
bn/bn_sqr.c: harmonize with BN_mul.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6707)

(cherry picked from commit 305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb)

Resolved conflicts:
crypto/bn/bn_lcl.h

6 years agoFix inconsistent use of bit vs bits
Kurt Roeckx [Thu, 26 Jul 2018 09:10:24 +0000 (11:10 +0200)]
Fix inconsistent use of bit vs bits

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #6794
(cherry picked from commit b9e54e98066c1ff8adab5d68b6c114b14d2f74e5)

6 years agoMake number of Miller-Rabin tests for a prime tests depend on the security level...
Kurt Roeckx [Wed, 25 Jul 2018 16:55:16 +0000 (18:55 +0200)]
Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime

The old numbers where all generated for an 80 bit security level. But
the number should depend on security level you want to reach. For bigger
primes we want a higher security level and so need to do more tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
Fixes: #6012
(cherry picked from commit feac7a1c8be49fbcb76fcb721ec9f02fdd91030e)

6 years agoChange the number of Miller-Rabin test for DSA generation to 64
Kurt Roeckx [Wed, 25 Apr 2018 19:47:20 +0000 (21:47 +0200)]
Change the number of Miller-Rabin test for DSA generation to 64

This changes the security level from 100 to 128 bit.
We only have 1 define, this sets it to the highest level supported for
DSA, and needed for keys larger than 3072 bit.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
(cherry picked from commit 74ee379651fb2bb12c6f7eb9fa10e70be89ac7c8)

6 years agoCheck for failures, to avoid memory leak
Rich Salz [Wed, 25 Jul 2018 19:57:18 +0000 (15:57 -0400)]
Check for failures, to avoid memory leak

Thanks to Jiecheng Wu, Zuxing Gu for the report.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6791)
(cherry picked from commit 037241bf046be8cfc7e9216959393dd20b06fc21)