Richard Levitte [Tue, 24 Jul 2018 17:29:06 +0000 (19:29 +0200)]
Configure death handler: bail out early when run in eval block
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)
(cherry picked from commit
1a6c30029802179ebe0ec1eedfdc9d78bb6dc4dd)
Richard Levitte [Tue, 24 Jul 2018 08:45:05 +0000 (10:45 +0200)]
Configure: print generic advice when dying
On the same note, change the 'NASM not found' message to give specific
advice on how to handle the failure.
Fixes #6765
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6771)
(cherry picked from commit
8937a4ed8ac3fd64be61e9ce7a16bccccf3d2273)
Andy Polyakov [Wed, 18 Jul 2018 13:22:07 +0000 (15:22 +0200)]
ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.
ecp_nistz256_set_from_affine is called when application attempts to use
custom generator, i.e. rarely. Even though it was wrong, it didn't
affect point operations, they were just not as fast as expected.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
(cherry picked from commit
8fc4aeb9521270ac74b29ce7f569939b0b39e685)
Andy Polyakov [Wed, 18 Jul 2018 13:14:44 +0000 (15:14 +0200)]
ec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function.
The ecp_nistz256_scatter_w7 function is called when application
attempts to use custom generator, i.e. rarely. Even though non-x86_64
versions were wrong, it didn't affect point operations, they were just
not as fast as expected.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
(cherry picked from commit
87a75b3e5c04a1696208c279f32d1114b862cfed)
Andy Polyakov [Wed, 18 Jul 2018 13:13:27 +0000 (15:13 +0200)]
bn/bn_intern.c: const-ify bn_set_{static}_words.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
(cherry picked from commit
f40e0a342cbca8bb71d0fe3f19e1b4bfd853aff1)
Andy Polyakov [Sat, 21 Jul 2018 11:50:14 +0000 (13:50 +0200)]
apps/dsaparam.c: fix -C output.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6758)
(cherry picked from commit
708c28f2f0598af6bccbeb60fb46086784aed7da)
Richard Levitte [Sun, 22 Jul 2018 08:56:25 +0000 (10:56 +0200)]
Configure: Display error/warning on deprecated/unsupported options after loop
Fixes #6755
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6759)
(cherry picked from commit
ddbe700e93e34694519d303e1b4e4525184c9dad)
Richard Levitte [Thu, 12 Jul 2018 20:55:03 +0000 (22:55 +0200)]
PKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF
As per RFC 7292.
Fixes #6665
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6708)
(cherry picked from commit
b709babbca0498cd2b05f543b09f57f4a670298e)
Andy Polyakov [Mon, 16 Jul 2018 16:17:44 +0000 (18:17 +0200)]
bn/bn_lib.c address Coverity nit in bn2binpad.
It was false positive, but one can as well view it as readability issue.
Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions
with signed dividend vs. 1 (one) with unsigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
83e034379fa3f6f0d308ec75fbcb137e26154aec)
Andy Polyakov [Sun, 4 Feb 2018 14:24:54 +0000 (15:24 +0100)]
rsa/*: switch to BN_bn2binpad.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5254)
(cherry picked from commit
582ad5d4d9b7703eb089016935133e3a18ea8205)
Andy Polyakov [Sun, 4 Feb 2018 14:20:29 +0000 (15:20 +0100)]
bn/bn_lib.c: make BN_bn2binpad computationally constant-time.
"Computationally constant-time" means that it might still leak
information about input's length, but only in cases when input
is missing complete BN_ULONG limbs. But even then leak is possible
only if attacker can observe memory access pattern with limb
granularity.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5254)
(cherry picked from commit
89d8aade5f4011ddeea7827f08ec544c914f275a)
Alexandre Perrin [Fri, 13 Jul 2018 08:32:42 +0000 (10:32 +0200)]
Documentation typo fix in BN_bn2bin.pod
Change the description for BN_hex2bn() so that it uses the same BIGNUM argument name as its prototype.
CLA: trivial
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6712)
Andy Polyakov [Fri, 6 Jul 2018 12:54:34 +0000 (14:54 +0200)]
bn/bn_mont.c: improve readability of post-condition code.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)
(cherry picked from commit
6c90182a5f87af1a1e462536e7123ad2afb84c43)
Andy Polyakov [Fri, 6 Jul 2018 11:46:07 +0000 (13:46 +0200)]
bn/bn_mont.c: move boundary condition check closer to caller.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)
(cherry picked from commit
3c97e4121ecec20cfac433883cd4709580a05620)
Andy Polyakov [Fri, 6 Jul 2018 11:16:40 +0000 (13:16 +0200)]
bn/bn_lib.c: remove bn_check_top from bn_expand2.
Trouble is that addition is postponing expansion till carry is
calculated, and if addition carries, top word can be zero, which
triggers assertion in bn_check_top.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)
(cherry picked from commit
e42395e637c3507b80b25c7ed63236898822d2f1)
Richard Levitte [Tue, 10 Jul 2018 14:05:55 +0000 (16:05 +0200)]
Avoid __GNUC__ warnings when defining DECLARE_DEPRECATED
We need to check that __GNUC__ is defined before trying to use it.
This demands a slightly different way to define DECLARE_DEPRECATED.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6688)
Richard Levitte [Wed, 11 Jul 2018 09:05:15 +0000 (11:05 +0200)]
Windows: avoid using 'rem' in the nmake makefile
To avoid the possibility that someone creates rem.exe, rem.bat or
rem.cmd, simply don't use it. In the cases it was used, it was to
avoid empty lines, but it turns out that nmake handles those fine, so
no harm done.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6686)
(cherry picked from commit
1b6a0a261e22eb5a574bdb75da208817ffa2fbba)
Richard Levitte [Tue, 10 Jul 2018 12:12:33 +0000 (14:12 +0200)]
Windows: fix echo for nmake
It seems that nmake first tries to run executables on its own, and
only pass commands to cmd if that fails. That means it's possible to
have nmake run something like 'echo.exe' when the builtin 'echo'
command was expected, which might give us unexpected results.
To get around this, we create our own echoing script and call it
explicitly from the nmake makefile.
Fixes #6670
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6686)
(cherry picked from commit
9abce88b4b0055d6238a838aa00360152e185f02)
Richard Levitte [Mon, 9 Jul 2018 19:10:10 +0000 (21:10 +0200)]
util/dofile.pl: require Text::Template 1.46 or newer
The reason is that we override Text::Template::append_text_to_output(),
and it didn't exist before Text::Template 1.46.
Fixes #6641
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)
(cherry picked from commit
4e351ca92e3a1f447cef3d2e330f13941f9412c6)
Richard Levitte [Mon, 9 Jul 2018 19:09:30 +0000 (21:09 +0200)]
Existing transfer modules must have a package and a $VERSION
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)
(cherry picked from commit
f7dce50f21c13520d36f51bed83d19d3eb0bf698)
Richard Levitte [Mon, 9 Jul 2018 19:07:25 +0000 (21:07 +0200)]
Make 'with_fallback' use 'use' instead of 'require'
This enables us to require module versions, and to fall back to a
bundled version if the system version is too low.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)
(cherry picked from commit
e9bc5706744213a1a6748dbbcd1b43a6ad4ca09e)
Bernd Edlinger [Thu, 5 Jul 2018 13:38:28 +0000 (15:38 +0200)]
Fix minor windows build issues
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6663)
Richard Levitte [Wed, 4 Jul 2018 07:26:05 +0000 (09:26 +0200)]
Document more EVP_MD_CTX functions
Fixes #6644
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6645)
(cherry picked from commit
a9cf71a3716f8f624b711faa0d5ea391bb26d9f6)
Matt Caswell [Mon, 2 Jul 2018 13:09:03 +0000 (14:09 +0100)]
Don't create an invalid CertificateRequest
We should validate that the various fields we put into the
CertificateRequest are not too long. Otherwise we will construct an
invalid message.
Fixes #6609
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6628)
Matt Caswell [Tue, 26 Jun 2018 14:40:54 +0000 (15:40 +0100)]
Fix a NULL ptr deref in error path in tls_process_cke_dhe()
Fixes #6574
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6594)
Andy Polyakov [Sat, 30 Jun 2018 10:52:10 +0000 (12:52 +0200)]
test/evp_test.c: address sanitizer errors in pderive_test_run.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6614)
Andy Polyakov [Fri, 29 Jun 2018 15:48:54 +0000 (17:48 +0200)]
modes/asm/ghash-armv4.pl: address "infixes are deprecated" warnings.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6615)
(cherry picked from commit
ce5eb5e8149d8d03660575f4b8504c993851988a)
Pauli [Thu, 28 Jun 2018 23:55:23 +0000 (09:55 +1000)]
Check return from BN_set_word.
In ssl/t1_lib.c.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6613)
(cherry picked from commit
8eab767a718f44ccba9888eeb81a5328cff47bab)
Rich Salz [Thu, 28 Jun 2018 22:13:54 +0000 (18:13 -0400)]
Zero-fill IV by default.
Fixes uninitialized memory read reported by Nick Mathewson
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6603)
(cherry picked from commit
10c3c1c1ec41ce16e51b92bb18fab92d1a42b49c)
Richard Levitte [Mon, 25 Jun 2018 15:14:12 +0000 (17:14 +0200)]
Move documentation to its correct location for this branch
The 1.1.1 branch has a different location for documentation, this is
the obvious result of a cherry-pick from there.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6589)
Richard Levitte [Mon, 25 Jun 2018 15:08:20 +0000 (17:08 +0200)]
OpenSSL_add_ssl_algorithm-is-deprecated() is deprecated, make it so
This function is documented to be deprecated since OpenSSL 1.1.0. We
need to make it so in openssl/ssl.h as well.
Fixes #6565
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6588)
(cherry picked from commit
71419442a279a12c2e19a097b5c7e01c29d1fc9c)
Bernd Edlinger [Sat, 23 Jun 2018 20:17:19 +0000 (22:17 +0200)]
Fix a new gcc-9 warning [-Wstringop-truncation]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6581)
(cherry picked from commit
dc6c374bdb4872f6d5d727e73a2ed834e972842c)
Kurt Roeckx [Sat, 23 Jun 2018 08:24:00 +0000 (10:24 +0200)]
Fix prototype of ASN1_INTEGER_get and ASN1_INTEGER_set
The parameters where switched
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #6578
(cherry picked from commit
eaf39a9fe6f55feb5251e235069e02f7f50d9a49)
Richard Levitte [Fri, 22 Jun 2018 07:33:29 +0000 (09:33 +0200)]
OpenSSL-II style for emacs: don't indent because of extern block
We don't want an indentation step inside a 'extern "C" {' .. '}'
block. Apparently, cc-mode has a c-offsets-alist keyword to allow
exactly this.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6557)
(cherry picked from commit
8973112884e67feb46384b573db14e62ad18d4cb)
Andy Polyakov [Thu, 21 Jun 2018 11:52:04 +0000 (13:52 +0200)]
sha/asm/sha{256|512}-armv4.pl: harmonize thumb2 support with the rest.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
2e51557bc93f90ca2274230b042acb53cc3a268d)
David von Oheimb [Sat, 10 Feb 2018 14:45:11 +0000 (15:45 +0100)]
add documentation for OCSP_basic_verify()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6227)
(cherry picked from commit
b8c32081e02b7008a90d878eccce46da256dfe86)
Nick Mathewson [Thu, 24 May 2018 19:23:15 +0000 (15:23 -0400)]
Improve the example getpass() implementation to show an error return
Also, modernize the code, so that it isn't trying to store a size_t
into an int, and then check the int's sign. :/
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)
(cherry picked from commit
c8c250333cd254ab3f4d709ebc5ed86a7c065721)
Nick Mathewson [Wed, 16 May 2018 15:07:48 +0000 (11:07 -0400)]
Update documentation for PEM callback: error is now -1.
In previous versions of OpenSSL, the documentation for PEM_read_*
said:
The callback B<must> return the number of characters in the
passphrase or 0 if an error occurred.
But since
c82c3462267afdbbaa5, 0 is now treated as a non-error
return value. Applications that want to indicate an error need to
return -1 instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)
(cherry picked from commit
bbbf752a3c8b5a966bcb48fc71a3dc03832e7b27)
Billy Brumley [Wed, 20 Jun 2018 07:56:37 +0000 (10:56 +0300)]
[crypto/ec] don't assume points are of order group->order
(cherry picked from commit
01fd5df77d401c87f926552ec24c0a09e5735006)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)
Andy Polyakov [Mon, 7 May 2018 08:27:45 +0000 (10:27 +0200)]
ec/ec_mult.c: get BN_CTX_start,end sequence right.
Triggered by Coverity analysis.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
7d859d1c8868b81c5d810021af0b40f355af4e1f)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)
Matt Caswell [Tue, 19 Jun 2018 14:07:02 +0000 (15:07 +0100)]
Add blinding to a DSA signature
This extends the recently added ECDSA signature blinding to blind DSA too.
This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.
Normally, as in ECDSA, during signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6523)
Richard Levitte [Thu, 21 Jun 2018 04:24:33 +0000 (06:24 +0200)]
openssl ca: open the output file as late as possible
Fixes #6544
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6546)
(cherry picked from commit
63871d9f810fec1e8a441d82c9ac79c58b19e2ad)
Andy Polyakov [Sat, 16 Jun 2018 14:25:40 +0000 (16:25 +0200)]
ec/asm/ecp_nistz256-avx2.pl: harmonize clang version detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit
575045f59fc393abc9d49604d82ccd17c82925fa)
Andy Polyakov [Sat, 16 Jun 2018 14:24:55 +0000 (16:24 +0200)]
{chacha|poly1305}/asm/*-x64.pl: harmonize clang version detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit
27635a4ecb1bc4852ccf456a9374a68931dc330f)
Andy Polyakov [Sat, 16 Jun 2018 14:23:34 +0000 (16:23 +0200)]
sha/asm/sha{1|256}-586.pl: harmonize clang version detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit
b55e21b357902959ae8ec0255952402f5ccaa515)
Andy Polyakov [Sat, 16 Jun 2018 14:22:19 +0000 (16:22 +0200)]
bn/asm/rsaz-avx2.pl: harmonize clang version detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit
9e97f61dec312084abe03226e5c962d818c9fc2b)
Jack Bates [Thu, 5 Jan 2017 16:58:18 +0000 (09:58 -0700)]
Convert _meth_get_ functions to const getters
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
693be9a2cb0fc79fe856259feea54772c18a3637)
(Merged from https://github.com/openssl/openssl/pull/5750)
Bernd Edlinger [Tue, 3 Apr 2018 21:47:10 +0000 (23:47 +0200)]
Backport of commit
6b49b30811f4afa0340342af9400b8d0357b5291
Prevent a possible recursion in ERR_get_state and fix the problem that
was pointed out in commit
aef84bb4efbddfd95d042f3f5f1d362ed7d4faeb
differently.
Fixes: #6493
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6494)
Matt Caswell [Fri, 25 May 2018 11:10:13 +0000 (12:10 +0100)]
Add blinding to an ECDSA signature
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Nicola Tuveri [Tue, 12 Jun 2018 01:27:28 +0000 (04:27 +0300)]
Deprecate DSA_sign_setup() in the documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6460)
(cherry picked from commit
8fe4c0b001f85c5a918c6a6d4687813ea3d2945f)
Guido Vranken [Mon, 11 Jun 2018 17:38:54 +0000 (19:38 +0200)]
Reject excessively large primes in DH key generation.
CVE-2018-0732
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
(cherry picked from commit
91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6457)
Richard Levitte [Mon, 11 Jun 2018 08:33:09 +0000 (10:33 +0200)]
VMS: have mkdef.pl parse lettered versions properly
Fixes #6449
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6450)
Andy Polyakov [Fri, 8 Jun 2018 13:02:39 +0000 (15:02 +0200)]
bn/asm/sparcv9-mont.pl: iron another glitch in squaring code path.
This module is used only with odd input lengths, i.e. not used in normal
PKI cases, on contemporary processors. The problem was "illuminated" by
fuzzing tests.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6440)
(cherry picked from commit
f55ef97b5c0f8559f393b72ebd4b2de32ad6d231)
Mingtao Yang [Wed, 6 Jun 2018 16:34:18 +0000 (09:34 -0700)]
modes/ocb128.c: Reset nonce-dependent variables on setiv
Upon a call to CRYPTO_ocb128_setiv, either directly on an OCB_CTX or
indirectly with EVP_CTRL_AEAD_SET_IVLEN, reset the nonce-dependent
variables in the OCB_CTX.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6420)
(cherry picked from commit
bbb02a5b6d27f76931c3385321b2c594781c7a1b)
Marcus Huewe [Fri, 11 May 2018 10:24:56 +0000 (12:24 +0200)]
Do not free a session before calling the remove_session_cb
If the remove_session_cb accesses the session's data (for instance,
via SSL_SESSION_get_protocol_version), a potential use after free
can occur. For this, consider the following scenario when adding
a new session via SSL_CTX_add_session:
- The session cache is full
(SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx))
- Only the session cache has a reference to ctx->session_cache_tail
(that is, ctx->session_cache_tail->references == 1)
Since the cache is full, remove_session_lock is called to remove
ctx->session_cache_tail from the cache. That is, it
SSL_SESSION_free()s the session, which free()s the data. Afterwards,
the free()d session is passed to the remove_session_cb. If the callback
accesses the session's data, we have a use after free.
The free before calling the callback behavior was introduced in
commit
e4612d02c53cccd24fa97b08fc01250d1238cca1 ("Remove sessions
from external cache, even if internal cache not used.").
CLA: trivial
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6222)
(cherry picked from commit
c0a58e034d3eff68ca5e0d36d7b4d147425b0599)
Rich Salz [Tue, 5 Jun 2018 15:17:59 +0000 (11:17 -0400)]
Improve wording
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6413)
(cherry picked from commit
630fe1da888490b7dfef3fe0928b813ddff5d51a)
Rich Salz [Sat, 2 Jun 2018 18:57:34 +0000 (14:57 -0400)]
Make OS/X more explicit, to avoid questions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6404)
(cherry picked from commit
886c2e614fc1e78e658122bf6f6bccdd7dd23857)
Ken Goldman [Sat, 2 Jun 2018 20:17:32 +0000 (16:17 -0400)]
Document failure return for ECDSA_SIG_new
ECDSA_SIG_new() returns NULL on error.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6398)
(cherry picked from commit
6da34cfbddede5e46f9c9183b724c99999dcfb41)
Richard Levitte [Thu, 31 May 2018 09:12:34 +0000 (11:12 +0200)]
ENGINE_pkey_asn1_find_str(): don't assume an engine implements ASN1 method
Just because an engine implements algorithm methods, that doesn't mean
it also implements the ASN1 method. Therefore, be careful when looking
for an ASN1 method among all engines, don't try to use one that doesn't
exist.
Fixes #6381
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6383)
(cherry picked from commit
1ac3cd6277f880fac4df313702d5e3b3814e56e2)
Richard Levitte [Thu, 31 May 2018 04:51:25 +0000 (06:51 +0200)]
apps: when the 'compat' nameopt has been set, leave it be
XN_FLAG_COMPAT has a unique property, its zero for value. This means
it needs special treatment; if it has been set (which can only be
determined indirectly) and set alone (*), no other flags should be
set.
(*) if any other nameopt flag has been set by the user, compatibility
mode is blown away.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6382)
(cherry picked from commit
3190d1dca43ecfd748c06aa06752de06af3768b9)
Mingtao Yang [Fri, 9 Feb 2018 18:23:18 +0000 (10:23 -0800)]
Add APIs for custom X509_LOOKUP_METHOD creation
OpenSSL 1.1.0 made the X509_LOOKUP_METHOD structure opaque, so
applications that were previously able to define a custom lookup method
are not able to be ported.
This commit adds getters and setters for each of the current fields of
X509_LOOKUP_METHOD, along with getters and setters on several associated
opaque types (such as X509_LOOKUP and X509_OBJECT).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6152)
(cherry picked from commit
0124f32a01b2b4f4f7146f226b6a9dfe227c4008)
Matt Caswell [Thu, 24 May 2018 15:12:52 +0000 (16:12 +0100)]
The result of a ^ 0 mod -1 is 0 not 1
Thanks to Guido Vranken and OSSFuzz for finding this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6355)
(cherry picked from commit
4aa5b725d549b3ebc3a4f2f1c44e44a11f68752b)
Bernd Edlinger [Sat, 26 May 2018 15:08:03 +0000 (17:08 +0200)]
Try to work around ubuntu gcc-5 ubsan build failure
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6362)
David Benjamin [Sun, 20 May 2018 21:24:30 +0000 (17:24 -0400)]
Save and restore the Windows error around TlsGetValue.
TlsGetValue clears the last error even on success, so that callers may
distinguish it successfully returning NULL or failing. This error-mangling
behavior interferes with the caller's use of GetLastError. In particular
SSL_get_error queries the error queue to determine whether the caller should
look at the OS's errors. To avoid destroying state, save and restore the
Windows error.
Fixes #6299.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
2de108dfa343c3e06eb98beb122cd06306bb12fd)
(Merged from https://github.com/openssl/openssl/pull/6349)
Matt Caswell [Mon, 21 May 2018 14:24:56 +0000 (15:24 +0100)]
Improve compatibility of point and curve checks
We check that the curve name associated with the point is the same as that
for the curve.
Fixes #6302
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6323)
(cherry picked from commit
b14e60155009f4f1d168e220fa01cd2b75557b72)
Viktor Dukhovni [Tue, 22 May 2018 18:46:02 +0000 (14:46 -0400)]
Skip CN DNS name constraint checks when not needed
Only check the CN against DNS name contraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.
Add pertinent documentation, and touch up some stale text about
name checks and DANE.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Viktor Dukhovni [Fri, 18 May 2018 13:09:51 +0000 (09:09 -0400)]
Limit scope of CN name constraints
Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.
Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names. Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label. In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Tilman Keskinöz [Thu, 17 May 2018 11:04:31 +0000 (13:04 +0200)]
ssl/ssl_txt: fix NULL-check
NULL-check for cipher is redundant, instead check if cipher->name is NULL
While here fix formatting of BIO_printf calls as suggested by Andy Polyakov.
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6282)
(cherry picked from commit
d61e6040a02464f1dd41942ee1e17ef59822102d)
Matt Caswell [Wed, 16 May 2018 10:59:47 +0000 (11:59 +0100)]
Fix undefined behaviour in X509_NAME_cmp()
If the lengths of both names is 0 then don't attempt to do a memcmp.
Issue reported by Simon Friedberger, Robert Merget and Juraj Somorovsky.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6291)
(cherry picked from commit
511190b691183a1fb160e7e05e2974dc73cab0c6)
Richard Levitte [Sat, 19 May 2018 05:09:19 +0000 (07:09 +0200)]
Windows: don't install __DECC_*.H
This adds the possibility to exclude files by regexp in util/copy.pl
Partial fix for #3254
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6303)
(cherry picked from commit
246bd8fd0507f4555432c148eed5a9322c113bf5)
Richard Levitte [Sat, 19 May 2018 05:22:10 +0000 (07:22 +0200)]
Quiet pod2html warnings
--quiet stops warnings of this sort:
Cannot find "BIO_read_ex" in podpath: cannot find suitable replacement path, cannot resolve link
We know what causes these warnings, it's perfectly innocuous, and we
don't want to hear it any more.
Partial fix for #3254
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6304)
(cherry picked from commit
6439e343fa64f06941197d085acd11bd13856596)
Richard Levitte [Thu, 17 May 2018 07:53:14 +0000 (09:53 +0200)]
Restore check of |*xn| against |name| in X509_NAME_set
A previous change of this function introduced a fragility when the
destination happens to be the same as the source. Such alias isn't
recommended, but could still happen, for example in this kind of code:
X509_NAME *subject = X509_get_issuer_name(x);
/* ... some code passes ... */
X509_set_issuer_name(x, subject);
Fixes #4710
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6280)
(cherry picked from commit
c1c1783d45a5e91951e6328a820939d0256c841c)
Bernd Edlinger [Thu, 29 Mar 2018 09:27:29 +0000 (11:27 +0200)]
Fix a possible crash in BN_from_montgomery_word
Thanks to Darovskikh Andrei for for reporting this issue.
Fixes: #5785
Fixes: #6302
Cherry-picked from
f91e026e3832 (without test/bntest.c)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6310)
FdaSilvaYY [Sun, 29 Apr 2018 23:13:58 +0000 (01:13 +0200)]
apps/speed: fix possible OOB access in some EC arrays
because there are actually 17 curves defined, but only 16 are plugged for
ecdsa test.
Deduce array size using OSSL_NELEM and so remove various magic numbers,
which required some declarations moving.
Implement OPT_PAIR list search without a null-ending element.
Fix some comparison between signed and unsigned integer expressions.
cherry-picking from commit
5c6a69f539.
Partial Back-port of #6133 to 1.1.0
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6245)
Matt Caswell [Wed, 16 May 2018 08:58:27 +0000 (09:58 +0100)]
Make BN_GF2m_mod_arr more constant time
Experiments have shown that the lookup table used by BN_GF2m_mod_arr
introduces sufficient timing signal to recover the private key for an
attacker with access to cache timing information on the victim's host.
This only affects binary curves (which are less frequently used).
No CVE is considered necessary for this issue.
The fix is to replace the lookup table with an on-the-fly calculation of
the value from the table instead, which can be performed in constant time.
Thanks to Youngjoo Shin for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6270)
(cherry picked from commit
b336ce57f2d5cca803a920d2a9e622b588cead3c)
Richard Levitte [Mon, 14 May 2018 03:38:59 +0000 (05:38 +0200)]
Add a note on CHANGES and NEWS in CONTRIBUTING
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6249)
(cherry picked from commit
029c11c21fdd018ec51badaafd34118223055274)
Richard Levitte [Wed, 16 May 2018 09:12:21 +0000 (11:12 +0200)]
When producing man-pages, ensure NAME section is one line only
There are *roff parsers that are strict about the NAME section being
one line only. The man(7) on Debian GNU/Linux suggests that this is
appropriate, so we compensate our multi-line NAME sections by fixing
the *roff output.
Noted by Eric S. Raymond
Related to #6264
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6268)
(cherry picked from commit
8d483b2de78619e8592f2558301f3295daf59690)
Matt Caswell [Wed, 2 May 2018 15:07:13 +0000 (16:07 +0100)]
Mark DTLS records as read when we have finished with them
The TLS code marks records as read when its finished using a record. The DTLS code did
not do that. However SSL_has_pending() relies on it. So we should make DTLS consistent.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6160)
Richard Levitte [Mon, 14 May 2018 07:28:52 +0000 (09:28 +0200)]
CI config: no need to make both install and install_docs
'install' depends on 'install_docs', so making the latter explicit is
a waste.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6250)
(cherry picked from commit
986caf9e34fd60366a5b3711bb12e239e43a2431)
Richard Levitte [Wed, 2 May 2018 12:28:53 +0000 (14:28 +0200)]
UI console: Restore tty settings, do not force ECHO after prompt
The Console UI method always set echo on after prompting without
echo. However, echo might not have been on originally, so just
restore the original TTY settings.
Fixes #2373
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6157)
Pavel Kopyl [Fri, 3 Nov 2017 15:18:59 +0000 (18:18 +0300)]
Fix memory leaks in CA related functions.
(cherry picked from commit
aebd0e5ca12d1ba0b229a4121a54afa5ea2d8aa1)
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6237)
Matt Caswell [Fri, 11 May 2018 09:28:47 +0000 (10:28 +0100)]
Don't memcpy the contents of an empty fragment
In DTLS if we have buffered a fragment for a zero length message (e.g.
ServerHelloDone) then, when we unbuffered the fragment, we were attempting
to memcpy the contents of the fragment which is zero length and a NULL
pointer. This is undefined behaviour. We should check first whether we
have a zero length fragment.
Fixes a travis issue.
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6224)
Richard Levitte [Fri, 4 May 2018 12:19:44 +0000 (14:19 +0200)]
In cases where we ask PEM_def_callback for minimum 0 length, accept 0 length
Fixes #4716
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6173)
(cherry picked from commit
c82c3462267afdbbaa53e11da0508ce4e03c02b3)
Dr. Matthias St. Pierre [Fri, 11 May 2018 14:58:44 +0000 (16:58 +0200)]
Fix typo 'is an error occurred' in documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6230)
Matt Caswell [Thu, 3 May 2018 15:00:51 +0000 (16:00 +0100)]
Keep the DTLS timer running after the end of the handshake if appropriate
During a full handshake the server is the last one to "speak". The timer
should continue to run until we know that the client has received our last
flight (e.g. because we receive some application data).
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)
Matt Caswell [Thu, 3 May 2018 15:00:05 +0000 (16:00 +0100)]
Only auto-retry for DTLS if configured to do so
Otherwise we may end up in a hang when using blocking sockets
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)
Matt Caswell [Thu, 3 May 2018 14:59:31 +0000 (15:59 +0100)]
Fix s_client and s_server so that they correctly handle the DTLS timer
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)
Matt Caswell [Thu, 3 May 2018 11:07:47 +0000 (12:07 +0100)]
Don't fail on an out-of-order CCS in DTLS
Fixes #4929
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)
Matt Caswell [Tue, 1 May 2018 08:29:17 +0000 (09:29 +0100)]
Fix a mem leak in CMS
The function CMS_RecipientInfo_set0_pkey() is a "set0" and therefore
memory management passes to OpenSSL. If the same function is called again
then we should ensure that any previous value that was set is freed first
before we set it again.
Fixes #5052
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6142)
(cherry picked from commit
3d551b20df1acd01f80d3ae00d37177e0fdf344a)
Emilia Kasper [Fri, 17 Feb 2017 18:00:15 +0000 (19:00 +0100)]
X509 time: tighten validation per RFC 5280
- Reject fractional seconds
- Reject offsets
- Check that the date/time digits are in valid range.
- Add documentation for X509_cmp_time
GH issue 2620
Backported from
80770da39e
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6181)
Todd Short [Thu, 3 May 2018 15:17:49 +0000 (11:17 -0400)]
Configure: fix Mac OS X builds that still require makedepend
Earlier Apple Xcode compilers, e.g. one targeting Mac OS X 10.7, don't
support dependency generation and one still has to use makedepend. It's
unclear when it was fixed, but all clang-based Apple compilers seem to
support -M options.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6167)
Richard Levitte [Fri, 4 May 2018 12:44:19 +0000 (14:44 +0200)]
BIO_s_mem() write: Skip early when input length is zero
When the input length is zero, just return zero early. Otherwise,
there's a small chance that memory allocation is engaged, fails and
returns -1, which is a bit confusing when nothing should be written.
Fixes #4782 #4827
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6175)
(cherry picked from commit
0d94212a046e87fafea6e83e8ea2b2a58db49979)
Richard Levitte [Fri, 4 May 2018 17:45:52 +0000 (19:45 +0200)]
docs: Fix typo EVP_PKEY_new_id -> EVP_PKEY_CTX_new_id
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6178)
Andy Polyakov [Mon, 30 Apr 2018 20:59:51 +0000 (22:59 +0200)]
bn/asm/*-mont.pl: harmonize with BN_from_montgomery_word.
Montgomery multiplication post-conditions in some of code paths were
formally non-constant time. Cache access pattern was result-neutral,
but a little bit asymmetric, which might have produced a signal [if
processor reordered load and stores at run-time].
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6163)
(cherry picked from commit
774ff8fed67e19d4f5f0df2f59050f2737abab2a)
Resolved conflicts in ppc-mont.pl and x86_64-mont.pl.
Dr. Matthias St. Pierre [Wed, 2 May 2018 21:06:15 +0000 (23:06 +0200)]
v3_purp.c: add locking to x509v3_cache_extensions()
Fixes #6121
Thanks to Mingtao Yang for reporting this bug.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6162)
Matt Caswell [Fri, 27 Apr 2018 16:36:11 +0000 (17:36 +0100)]
Return an error from BN_mod_inverse if n is 1 (or -1)
Calculating BN_mod_inverse where n is 1 (or -1) doesn't make sense. We
should return an error in that case. Instead we were returning a valid
result with value 0.
Fixes #6004
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6119)
(cherry picked from commit
b1860d6c71733314417d053a72af66ae72e8268e)
Matt Caswell [Wed, 2 May 2018 10:32:39 +0000 (11:32 +0100)]
Make X509_VERIFY_PARAM_get_hostflags() take a const arg
Commit
14e55560 added this function which should have taken a const
argument.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6155)
Matt Caswell [Fri, 27 Apr 2018 10:38:19 +0000 (11:38 +0100)]
Add some documentation for SSL_get_shared_ciphers()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6114)
Matt Caswell [Fri, 27 Apr 2018 10:24:01 +0000 (11:24 +0100)]
Fix comment in ssl_locl.h
The ciphers field in a session contains the stack of ciphers offered by
the client.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6114)
Matt Caswell [Fri, 27 Apr 2018 10:20:52 +0000 (11:20 +0100)]
Fix SSL_get_shared_ciphers()
The function SSL_get_shared_ciphers() is supposed to return ciphers shared
by the client and the server. However it only ever returned the client
ciphers.
Fixes #5317
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6114)