oweals/openssl.git
6 years agoUse the new non-curve type specific EC functions internally
Matt Caswell [Mon, 30 Jul 2018 15:40:18 +0000 (16:40 +0100)]
Use the new non-curve type specific EC functions internally

Fixes #6646

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years agoAdd documentation for the new non-curve type specific EC functions
Matt Caswell [Mon, 30 Jul 2018 15:06:12 +0000 (16:06 +0100)]
Add documentation for the new non-curve type specific EC functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years agoProvide EC functions that are not curve type specific
Matt Caswell [Mon, 30 Jul 2018 14:39:41 +0000 (15:39 +0100)]
Provide EC functions that are not curve type specific

Some EC functions exist in *_GFp and *_GF2m forms, in spite of the
implementations between the two curve types being identical. This
commit provides equivalent generic functions with the *_GFp and *_GF2m
forms just calling the generic functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years agoCheck return from BN_sub
Pauli [Tue, 31 Jul 2018 03:11:00 +0000 (13:11 +1000)]
Check return from BN_sub

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6823)

6 years agoCheck conversion return in ASN1_INTEGER_print_bio.
Pauli [Tue, 31 Jul 2018 01:37:05 +0000 (11:37 +1000)]
Check conversion return in ASN1_INTEGER_print_bio.

Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the
BN instead of doing it separately.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6821)

6 years agoapps/dsaparam.c generates code that is intended to be pasted or included
Beat Bolli [Sun, 29 Jul 2018 21:34:32 +0000 (07:34 +1000)]
apps/dsaparam.c generates code that is intended to be pasted or included
into an existing source file: the function is static, and the code
doesn't include dsa.h.  Match the generated C source style of dsaparam.

Adjust apps/dhparam.c to match, and rename the BIGNUMs to their more
usual single-letter names.  Add an error return in the generated C source.

both: simplify the callback function

Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6797)

6 years agoAdd test for DSA signatures of raw digests of various sizes
Bryan Donlan [Tue, 17 Jul 2018 20:04:09 +0000 (13:04 -0700)]
Add test for DSA signatures of raw digests of various sizes

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)

6 years agoRemove DSA digest length checks when no digest is passed
Bryan Donlan [Tue, 17 Jul 2018 20:38:17 +0000 (13:38 -0700)]
Remove DSA digest length checks when no digest is passed

FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.

Fixes: #6748

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)

6 years agodoc/BN_generate_prime: update doc about other callback values
Beat Bolli [Sat, 28 Jul 2018 20:45:22 +0000 (16:45 -0400)]
doc/BN_generate_prime: update doc about other callback values

This here page only documents the callback values 0 to 2, but the
callers of BN_generate_prime_ex() call it with the value 3.

The list of manual pages in the SEE ALSO section was extended with the
output from

    git grep BN_GENCB_call.*[3-9]

while in the doc/man3 directory.

Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6802)

6 years agoImprove backwards compat for SSL_get_servername()
Benjamin Kaduk [Thu, 26 Jul 2018 02:00:45 +0000 (21:00 -0500)]
Improve backwards compat for SSL_get_servername()

Commit 1c4aa31d79821dee9be98e915159d52cc30d8403 changed how we process
and store SNI information during the handshake, so that a hostname is
only saved in the SSL_SESSION structure if that SNI value has actually
been negotiated.  SSL_get_servername() was adjusted to match, with a new
conditional being added to handle the case when the handshake processing
is ongoing, and a different location should be consulted for the offered
SNI value.  This was done in an attempt to preserve the historical
behavior of SSL_get_servername(), a function whose behavior only mostly
matches its documentation, and whose documentation is both lacking and
does not necessarily reflect the actual desired behavior for such an
API.  Unfortunately, sweeping changes that would bring more sanity to
this space are not possible until OpenSSL 1.2.0, for ABI compatibility
reasons, so we must attempt to maintain the existing behavior to the
extent possible.

The above-mentioned commit did not take into account the behavior
of SSL_get_servername() during resumption handshakes for TLS 1.2 and
prior, where no SNI negotiation is performed.  In that case we would
not properly parse the incoming SNI and erroneously return NULL as
the servername, when instead the logical session is associated with
the SNI value cached in the SSL_SESSION.  (Note that in some cases an
SNI callback may not need to do anything in a TLS 1.2 or prior resumption
flow, but we are calling the callbacks and did not provide any guidance
that they should no-op if the connection is being resumed, so we must
handle this case in a usable fashion.)  Update our behavior accordingly to
return the session's cached value during the handshake, when resuming.
This fixes the boringssl tests.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)

6 years agoFix ossl_shim SNI handling
Benjamin Kaduk [Wed, 25 Jul 2018 19:48:30 +0000 (14:48 -0500)]
Fix ossl_shim SNI handling

To start with, actually set an SNI callback (copied from bssl_shim); we
weren't actually testing much otherwise (and just happened to have been
passing due to buggy libssl behavior prior to
commit 1c4aa31d79821dee9be98e915159d52cc30d8403).

Also use proper C++ code for handling C strings -- when a C API
(SSL_get_servername()) returns NULL instead of a string, special-case
that instead of blindly trying to compare NULL against a std::string,
and perform the comparsion using the std::string operators instead of
falling back to pointer comparison.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)

6 years agoEC GFp ladder
Billy Brumley [Thu, 19 Jul 2018 08:16:07 +0000 (11:16 +0300)]
EC GFp ladder

This commit leverages the Montgomery ladder scaffold introduced in #6690
(alongside a specialized Lopez-Dahab ladder for binary curves) to
provide a specialized differential addition-and-double implementation to
speedup prime curves, while keeping all the features of
`ec_scalar_mul_ladder` against SCA attacks.

The arithmetic in ladder_pre, ladder_step and ladder_post is auto
generated with tooling, from the following formulae:

- `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel
  elliptic curve multiplication resistant against side channel attacks",
  as described at
  https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
- `ladder_step`: differential addition-and-doubling Eq. (8) and (10)
  from Izu-Takagi "A fast parallel elliptic curve multiplication
  resistant against side channel attacks", as described at
  https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3
- `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye
  "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to
  work in projective coordinates.

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6772)

6 years ago00-base-templates.conf: engage x25519-ppc64 module.
Andy Polyakov [Wed, 25 Jul 2018 08:24:42 +0000 (10:24 +0200)]
00-base-templates.conf: engage x25519-ppc64 module.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6782)

6 years agoAdd ec/asm/x25519-ppc64.pl module.
Andy Polyakov [Wed, 25 Jul 2018 08:24:09 +0000 (10:24 +0200)]
Add ec/asm/x25519-ppc64.pl module.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6782)

6 years agobn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.
Andy Polyakov [Wed, 25 Jul 2018 08:29:51 +0000 (10:29 +0200)]
bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.

New implementation failed to correctly reset r->neg flag. Spotted by
OSSFuzz.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6783)

6 years agoapps/apps.c: harmonize print_bignum_var output with coding style.
Andy Polyakov [Wed, 25 Jul 2018 09:13:58 +0000 (11:13 +0200)]
apps/apps.c: harmonize print_bignum_var output with coding style.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoFix inconsisten use of bit vs bits
Kurt Roeckx [Thu, 26 Jul 2018 09:10:24 +0000 (11:10 +0200)]
Fix inconsisten use of bit vs bits

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #6794

6 years agoFix a trivial coding style nit in sm2_sign.c
Paul Yang [Thu, 19 Jul 2018 16:55:20 +0000 (00:55 +0800)]
Fix a trivial coding style nit in sm2_sign.c

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6787

6 years agoMake number of Miller-Rabin tests for a prime tests depend on the security level...
Kurt Roeckx [Wed, 25 Jul 2018 16:55:16 +0000 (18:55 +0200)]
Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime

The old numbers where all generated for an 80 bit security level. But
the number should depend on security level you want to reach. For bigger
primes we want a higher security level and so need to do more tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
Fixes: #6012

6 years agoChange the number of Miller-Rabin test for DSA generation to 64
Kurt Roeckx [Wed, 25 Apr 2018 19:47:20 +0000 (21:47 +0200)]
Change the number of Miller-Rabin test for DSA generation to 64

This changes the security level from 100 to 128 bit.
We only have 1 define, this sets it to the highest level supported for
DSA, and needed for keys larger than 3072 bit.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075

6 years agoFixed issue where DRBG_CTR fails if NO_DF is used - when entropy is called
Shane Lontis [Wed, 25 Jul 2018 01:08:48 +0000 (11:08 +1000)]
Fixed issue where DRBG_CTR fails if NO_DF is used - when entropy is called

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6778)

6 years agoCheck for failures, to avoid memory leak
Rich Salz [Wed, 25 Jul 2018 19:57:18 +0000 (15:57 -0400)]
Check for failures, to avoid memory leak

Thanks to Jiecheng Wu, Zuxing Gu for the report.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6791)

6 years agocrypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.
Andy Polyakov [Fri, 20 Jul 2018 11:23:42 +0000 (13:23 +0200)]
crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.

Problem was that Windows threads that were terminating before libcrypto
was initialized were referencing uninitialized or possibly even
unrelated thread local storage index.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)

6 years agocrypto/dllmain.c: remove unused OPENSSL_NONPIC_relocated variable.
Andy Polyakov [Fri, 20 Jul 2018 11:22:24 +0000 (13:22 +0200)]
crypto/dllmain.c: remove unused OPENSSL_NONPIC_relocated variable.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)

6 years agocrypto/cryptlib.c: resolve possible race in OPENSSL_isservice.
Andy Polyakov [Fri, 20 Jul 2018 11:19:11 +0000 (13:19 +0200)]
crypto/cryptlib.c: resolve possible race in OPENSSL_isservice.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)

6 years agocrypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.
Andy Polyakov [Fri, 20 Jul 2018 11:15:48 +0000 (13:15 +0200)]
crypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)

6 years agoINSTALL,NOTES.WIN: classify no-asm as non-production option.
Andy Polyakov [Tue, 24 Jul 2018 13:02:32 +0000 (15:02 +0200)]
INSTALL,NOTES.WIN: classify no-asm as non-production option.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6773)

6 years agoec/ecp_nistz256.c: fix Coverity nit.
Andy Polyakov [Tue, 24 Jul 2018 13:48:15 +0000 (15:48 +0200)]
ec/ecp_nistz256.c: fix Coverity nit.

|ctx| recently became unconditionally non-NULL and is already dereferenced
earlier.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoapps/dsaparam.c: make dsaparam -C output strict-warnings-friendly.
Andy Polyakov [Mon, 23 Jul 2018 20:26:30 +0000 (22:26 +0200)]
apps/dsaparam.c: make dsaparam -C output strict-warnings-friendly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoConfigure death handler: instead of printing directly, amend the message
Richard Levitte [Tue, 24 Jul 2018 19:46:55 +0000 (21:46 +0200)]
Configure death handler: instead of printing directly, amend the message

This is done by calling die again, just make sure to reset the __DIE__
handler first.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)

6 years agoConfigure death handler: remember to call original death handler
Richard Levitte [Tue, 24 Jul 2018 17:29:49 +0000 (19:29 +0200)]
Configure death handler: remember to call original death handler

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)

6 years agoConfigure death handler: bail out early when run in eval block
Richard Levitte [Tue, 24 Jul 2018 17:29:06 +0000 (19:29 +0200)]
Configure death handler: bail out early when run in eval block

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)

6 years agoRemove zero special-case in BN_mod_exp_mont.
David Benjamin [Tue, 17 Jul 2018 17:20:28 +0000 (13:20 -0400)]
Remove zero special-case in BN_mod_exp_mont.

A number intended to treat the base as secret should not be branching on
whether it is zero. Test-wise, this is covered by existing tests in bnmod.txt.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6733)

6 years agoConfigure: print generic advice when dying
Richard Levitte [Tue, 24 Jul 2018 08:45:05 +0000 (10:45 +0200)]
Configure: print generic advice when dying

On the same note, change the 'NASM not found' message to give specific
advice on how to handle the failure.

Fixes #6765

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6771)

6 years agoUpdate sm2_crypt.c
neighbads [Wed, 11 Jul 2018 07:40:03 +0000 (15:40 +0800)]
Update sm2_crypt.c

asn1_encode : x, y  =>    0 | x,0 | y
(because of DER encoding rules when x and y have high bit set)

CLA: Trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6694)

6 years agodef_load_bio(): Free |biosk| more carefully
Richard Levitte [Mon, 23 Jul 2018 20:29:22 +0000 (22:29 +0200)]
def_load_bio(): Free |biosk| more carefully

If there's anything in the |biosk| stack, the first element is always
the input BIO.  It should never be freed in this function, so we must
take careful steps not to do so inadvertently when freeing the stack.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6769)

6 years ago.travis.yml: omit linux-ppc64le target.
Andy Polyakov [Sun, 22 Jul 2018 09:51:38 +0000 (11:51 +0200)]
.travis.yml: omit linux-ppc64le target.

Build jobs keep timing out initializing...

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
6 years agoMake sure the 'tsget' script is called 'tsget.pl' everywhere
Richard Levitte [Mon, 23 Jul 2018 11:25:45 +0000 (13:25 +0200)]
Make sure the 'tsget' script is called 'tsget.pl' everywhere

The result is that we don't have to produce different names on
different platforms, and we won't have confusion on Windows depending
on if the script was built with mingw or with MSVC.

Partial fix for #3254

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6764)

6 years agoAdd a note about aborts encountered while sending early_data
Matt Caswell [Wed, 18 Jul 2018 14:22:06 +0000 (15:22 +0100)]
Add a note about aborts encountered while sending early_data

In some circumstances it is possible for a client to have a session
reporting a max early data value that is greater than the server will
support. In such cases the client could encounter an aborted connection.

Fixes #6735

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6740)

6 years agoec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.
Andy Polyakov [Wed, 18 Jul 2018 13:22:07 +0000 (15:22 +0200)]
ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.

ecp_nistz256_set_from_affine is called when application attempts to use
custom generator, i.e. rarely. Even though it was wrong, it didn't
affect point operations, they were just not as fast as expected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)

6 years agoec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function.
Andy Polyakov [Wed, 18 Jul 2018 13:14:44 +0000 (15:14 +0200)]
ec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function.

The ecp_nistz256_scatter_w7 function is called when application
attempts to use custom generator, i.e. rarely. Even though non-x86_64
versions were wrong, it didn't affect point operations, they were just
not as fast as expected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)

6 years agobn/bn_intern.c: const-ify bn_set_{static}_words.
Andy Polyakov [Wed, 18 Jul 2018 13:13:27 +0000 (15:13 +0200)]
bn/bn_intern.c: const-ify bn_set_{static}_words.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)

6 years agoapps/dsaparam.c: fix -C output.
Andy Polyakov [Sat, 21 Jul 2018 11:50:14 +0000 (13:50 +0200)]
apps/dsaparam.c: fix -C output.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6758)

6 years agoConfigure: Display error/warning on deprecated/unsupported options after loop
Richard Levitte [Sun, 22 Jul 2018 08:56:25 +0000 (10:56 +0200)]
Configure: Display error/warning on deprecated/unsupported options after loop

Fixes #6755

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6759)

6 years agoPKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF
Richard Levitte [Thu, 12 Jul 2018 20:55:03 +0000 (22:55 +0200)]
PKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF

As per RFC 7292.

Fixes #6665

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6708)

6 years agoAdd TODO comment for a nonsensical public API
Benjamin Kaduk [Wed, 30 May 2018 16:12:22 +0000 (11:12 -0500)]
Add TODO comment for a nonsensical public API

The API used to set what SNI value to send in the ClientHello
can also be used on server SSL objects, with undocumented and
un-useful behavior.  Unfortunately, when generic SSL_METHODs
are used, s->server is still set, prior to the start of the
handshake, so we cannot prevent this nonsensical usage at the
present time.  Leave a note to revisit this when ABI-breaking
changes are permitted.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)

6 years agoNormalize SNI hostname handling for SSL and SSL_SESSION
Benjamin Kaduk [Wed, 30 May 2018 14:49:29 +0000 (09:49 -0500)]
Normalize SNI hostname handling for SSL and SSL_SESSION

In particular, adhere to the rule that we must not modify any
property of an SSL_SESSION object once it is (or might be) in
a session cache.  Such modifications are thread-unsafe and have
been observed to cause crashes at runtime.

To effect this change, standardize on the property that
SSL_SESSION->ext.hostname is set only when that SNI value
has been negotiated by both parties for use with that session.
For session resumption this is trivially the case, so only new
handshakes are affected.

On the client, the new semantics are that the SSL->ext.hostname is
for storing the value configured by the caller, and this value is
used when constructing the ClientHello.  On the server, SSL->ext.hostname
is used to hold the value received from the client.  Only if the
SNI negotiation is successful will the hostname be stored into the
session object; the server can do this after it sends the ServerHello,
and the client after it has received and processed the ServerHello.

This obviates the need to remove the hostname from the session object
in case of failed negotiation (a change that was introduced in commit
9fb6cb810b769abbd60f11ef6e936a4e4456b19d in order to allow TLS 1.3
early data when SNI was present in the ClientHello but not the session
being resumed), which was modifying cached sessions in certain cases.
(In TLS 1.3 we always produce a new SSL_SESSION object for new
connections, even in the case of resumption, so no TLS 1.3 handshakes
were affected.)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)

6 years agoconst-ify some input SSL * arguments
Benjamin Kaduk [Wed, 30 May 2018 14:28:03 +0000 (09:28 -0500)]
const-ify some input SSL * arguments

These tiny functions only read from the input SSL, and we are
about to use them from functions that only have a const SSL* available,
so propagate const a bit further.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)

6 years agocrypto/*: address standard-compilance nits.
Andy Polyakov [Thu, 19 Jul 2018 13:28:34 +0000 (15:28 +0200)]
crypto/*: address standard-compilance nits.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)

6 years agobio/bss_dgram.c: harmonize usage of OPENSSL_USE_IPV6 with the rest.
Andy Polyakov [Thu, 19 Jul 2018 13:27:24 +0000 (15:27 +0200)]
bio/bss_dgram.c: harmonize usage of OPENSSL_USE_IPV6 with the rest.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)

6 years agoinclude/openssl/e_os2.h: define last-resort SSIZE_MAX.
Andy Polyakov [Thu, 19 Jul 2018 13:16:38 +0000 (15:16 +0200)]
include/openssl/e_os2.h: define last-resort SSIZE_MAX.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)

6 years agoec/ec_lcl.h: fix pre-C9x compilation problems.
Andy Polyakov [Thu, 19 Jul 2018 12:45:06 +0000 (14:45 +0200)]
ec/ec_lcl.h: fix pre-C9x compilation problems.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)

6 years ago.travis.yml: exercise -std=c89 in order to catch corresponding problems.
Andy Polyakov [Thu, 19 Jul 2018 10:30:26 +0000 (12:30 +0200)]
.travis.yml: exercise -std=c89 in order to catch corresponding problems.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)

6 years agoValidate legacy_version
Matt Caswell [Thu, 19 Jul 2018 15:51:58 +0000 (16:51 +0100)]
Validate legacy_version

The spec says that a client MUST set legacy_version to TLSv1.2, and
requires servers to verify that it isn't SSLv3.

Fixes #6600

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6747)

6 years agoUpdate the TLSv1.3 test vectors
Matt Caswell [Thu, 19 Jul 2018 11:46:02 +0000 (12:46 +0100)]
Update the TLSv1.3 test vectors

Use the latest version of the test vectors available in:
https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6746)

6 years agoTest early_data sent after a second ClientHello causes a failure
Matt Caswell [Wed, 18 Jul 2018 11:29:36 +0000 (12:29 +0100)]
Test early_data sent after a second ClientHello causes a failure

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6737)

6 years agoDon't skip over early_data if we sent an HRR
Matt Caswell [Wed, 18 Jul 2018 10:16:28 +0000 (11:16 +0100)]
Don't skip over early_data if we sent an HRR

It is not valid to send early_data after an HRR has been received.

Fixes #6734

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6737)

6 years agoCHANGES: mention blinding reverting in ECDSA. [skip ci]
Andy Polyakov [Sun, 15 Jul 2018 15:59:59 +0000 (17:59 +0200)]
CHANGES: mention blinding reverting in ECDSA. [skip ci]

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6664)

6 years agoec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication.
Andy Polyakov [Thu, 12 Jul 2018 20:27:43 +0000 (22:27 +0200)]
ec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6664)

6 years agoec/ecdsa_ossl.c: formatting and readability fixes.
Andy Polyakov [Fri, 6 Jul 2018 14:13:29 +0000 (16:13 +0200)]
ec/ecdsa_ossl.c: formatting and readability fixes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6664)

6 years agoec/ecdsa_ossl.c: revert blinding in ECDSA signature.
Andy Polyakov [Fri, 6 Jul 2018 13:55:34 +0000 (15:55 +0200)]
ec/ecdsa_ossl.c: revert blinding in ECDSA signature.

Originally suggested solution for "Return Of the Hidden Number Problem"
is arguably too expensive. While it has marginal impact on slower
curves, none to ~6%, optimized implementations suffer real penalties.
Most notably sign with P-256 went more than 2 times[!] slower. Instead,
just implement constant-time BN_mod_add_quick.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6664)

6 years agobn/bn_lib.c address Coverity nit in bn2binpad.
Andy Polyakov [Mon, 16 Jul 2018 16:17:44 +0000 (18:17 +0200)]
bn/bn_lib.c address Coverity nit in bn2binpad.

It was false positive, but one can as well view it as readability issue.
Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions
with signed dividend vs. 1 (one) with unsigned.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoAdd a test for mismatch between key OID and sig alg
Matt Caswell [Tue, 17 Jul 2018 16:29:08 +0000 (17:29 +0100)]
Add a test for mismatch between key OID and sig alg

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6732)

6 years agoCheck that the public key OID matches the sig alg
Matt Caswell [Tue, 17 Jul 2018 15:31:07 +0000 (16:31 +0100)]
Check that the public key OID matches the sig alg

Using the rsa_pss_rsae_sha256 sig alg should imply that the key OID is
rsaEncryption. Similarly rsa_pss_pss_sha256 implies the key OID is
rsassaPss. However we did not check this and incorrectly tolerated a key
OID that did not match the sig alg sent by the peer.

Fixes #6611

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6732)

6 years agoFix typo in x25519-x86_64.pl
Mat [Tue, 17 Jul 2018 13:48:27 +0000 (09:48 -0400)]
Fix typo in x25519-x86_64.pl

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6726)

6 years agoSkip the GOST test where appropriate
Matt Caswell [Tue, 17 Jul 2018 10:43:30 +0000 (11:43 +0100)]
Skip the GOST test where appropriate

The GOST ciphers are dynamically loaded via the GOST engine, so we must
be able to support that. The engine also uses DSA and CMS symbols, so we
skip the test on no-dsa or no-cms.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6730)

6 years agoFix a memory leak in the ticket test
Matt Caswell [Tue, 17 Jul 2018 09:27:57 +0000 (10:27 +0100)]
Fix a memory leak in the ticket test

Also fixes a function name typo.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6729)

6 years agoFix no-psk
Matt Caswell [Mon, 16 Jul 2018 16:31:37 +0000 (17:31 +0100)]
Fix no-psk

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6724)

6 years agoTest that a failed resumption issues the correct number of tickets
Matt Caswell [Mon, 16 Jul 2018 15:58:23 +0000 (16:58 +0100)]
Test that a failed resumption issues the correct number of tickets

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6722)

6 years agoAlways issue new tickets when using TLSv1.3 stateful tickets
Matt Caswell [Mon, 16 Jul 2018 15:57:36 +0000 (16:57 +0100)]
Always issue new tickets when using TLSv1.3 stateful tickets

Previously we were failing to issue new tickets if a resumption attempt
failed.

Fixes #6654

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6722)

6 years agoImprove testing of stateful tickets
Matt Caswell [Thu, 5 Jul 2018 16:19:03 +0000 (17:19 +0100)]
Improve testing of stateful tickets

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6722)

6 years agoDon't remove sessions from the cache during PHA in TLSv1.3
Matt Caswell [Mon, 16 Jul 2018 13:57:35 +0000 (14:57 +0100)]
Don't remove sessions from the cache during PHA in TLSv1.3

If we issue new tickets due to post-handshake authentication there is no
reason to remove previous tickets from the cache. The code that did that
only removed the last session anyway - so if more than one ticket got
issued then those other tickets are still valid.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6722)

6 years agoImprove documentation about reading and writing
Kurt Roeckx [Sun, 13 May 2018 09:24:11 +0000 (11:24 +0200)]
Improve documentation about reading and writing

Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #6240

6 years agoEnable all protocols and ciphers in the fuzzer
Kurt Roeckx [Sun, 15 Jul 2018 11:49:53 +0000 (13:49 +0200)]
Enable all protocols and ciphers in the fuzzer

The config file can override it.
In case of the server, it needs to be set on the ctx or some of the
other functions on the ctx might file.

Reviewed-by: Rich Salz <rsalz@openssl.org>
DH: #6718

6 years agoEC2M Lopez-Dahab ladder: use it also for ECDSA verify
Nicola Tuveri [Sun, 8 Jul 2018 07:39:39 +0000 (10:39 +0300)]
EC2M Lopez-Dahab ladder: use it also for ECDSA verify

By default `ec_scalar_mul_ladder` (which uses the Lopez-Dahab ladder
implementation) is used only for (k * Generator) or (k * VariablePoint).
ECDSA verification uses (a * Generator + b * VariablePoint): this commit
forces the use of `ec_scalar_mul_ladder` also for the ECDSA verification
path, while using the default wNAF implementation for any other case.

With this commit `ec_scalar_mul_ladder` loses the static attribute, and
is added to ec_lcl.h so EC_METHODs can directly use it.

While working on a new custom EC_POINTs_mul implementation, I realized
that many checks (e.g. all the points being compatible with the given
EC_GROUP, creating a temporary BN_CTX if `ctx == NULL`, check for the
corner case `scalar == NULL && num == 0`) were duplicated again and
again in every single implementation (and actually some
implementations lacked some of the tests).
I thought that it makes way more sense for those checks that are
independent from the actual implementation and should always be done, to
be moved in the EC_POINTs_mul wrapper: so this commit also includes
these changes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)

6 years agoEC2M Lopez-Dahab ladder implementation
Nicola Tuveri [Fri, 13 Jul 2018 21:55:01 +0000 (00:55 +0300)]
EC2M Lopez-Dahab ladder implementation

This commit uses the new ladder scaffold to implement a specialized
ladder step based on differential addition-and-doubling in mixed
Lopez-Dahab projective coordinates, modified to independently blind the
operands.

The arithmetic in `ladder_pre`, `ladder_step` and `ladder_post` is
auto generated with tooling:
- see, e.g., "Guide to ECC" Alg 3.40 for reference about the
  `ladder_pre` implementation;
- see https://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3
  for the differential addition-and-doubling formulas implemented in
  `ladder_step`;
- see, e.g., "Fast Multiplication on Elliptic Curves over GF(2**m)
  without Precomputation" (Lopez and Dahab, CHES 1999) Appendix Alg Mxy
  for the `ladder_post` implementation to recover the `(x,y)` result in
  affine coordinates.

Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)

6 years ago[test] test some important ladder corner cases
Billy Brumley [Sat, 7 Jul 2018 22:27:34 +0000 (01:27 +0300)]
[test] test some important ladder corner cases
and catch corner cases better and earlier

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)

6 years agoEC point multiplication: add `ladder` scaffold
Nicola Tuveri [Sat, 7 Jul 2018 21:50:49 +0000 (00:50 +0300)]
EC point multiplication: add `ladder` scaffold
for specialized Montgomery ladder implementations

PR #6009 and #6070 replaced the default EC point multiplication path for
prime and binary curves with a unified Montgomery ladder implementation
with various timing attack defenses (for the common paths when a secret
scalar is feed to the point multiplication).
The newly introduced default implementation directly used
EC_POINT_add/dbl in the main loop.

The scaffolding introduced by this commit allows EC_METHODs to define a
specialized `ladder_step` function to improve performances by taking
advantage of efficient formulas for differential addition-and-doubling
and different coordinate systems.

- `ladder_pre` is executed before the main loop of the ladder: by
  default it copies the input point P into S, and doubles it into R.
  Specialized implementations could, e.g., use this hook to transition
  to different coordinate systems before copying and doubling;
- `ladder_step` is the core of the Montgomery ladder loop: by default it
  computes `S := R+S; R := 2R;`, but specific implementations could,
  e.g., implement a more efficient formula for differential
  addition-and-doubling;
- `ladder_post` is executed after the Montgomery ladder loop: by default
  it's a noop, but specialized implementations could, e.g., use this
  hook to transition back from the coordinate system used for optimizing
  the differential addition-and-doubling or recover the y coordinate of
  the result point.

This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`,
as it better corresponds to what this function does: nothing can be
truly said about the constant-timeness of the overall execution of this
function, given that the underlying operations are not necessarily
constant-time themselves.
What this implementation ensures is that the same fixed sequence of
operations is executed for each scalar multiplication (for a given
EC_GROUP), with no dependency on the value of the input scalar.

Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)

6 years agoRemove stale SM2 error codes
Nicola Tuveri [Fri, 13 Jul 2018 08:48:29 +0000 (11:48 +0300)]
Remove stale SM2 error codes

Run `make update ERROR_REBUILD=-rebuild` to remove some stale error
codes for SM2 (which is now using its own submodule for error codes,
i.e., `SM2_*`).

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)

6 years agoec/curve25519.c: reorganize for better accessibility.
Andy Polyakov [Thu, 12 Jul 2018 09:53:16 +0000 (11:53 +0200)]
ec/curve25519.c: reorganize for better accessibility.

Move base 2^64 code to own #if section. It was nested in base 2^51 section,
which arguably might have been tricky to follow.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6699)

6 years agoec/asm/x25519-x86_64.pl: add CFI directives and Windows SE handler.
Andy Polyakov [Wed, 11 Jul 2018 20:36:49 +0000 (22:36 +0200)]
ec/asm/x25519-x86_64.pl: add CFI directives and Windows SE handler.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6699)

6 years agotest/.../evppkey.txt: X25519 regression test vectors.
Andy Polyakov [Wed, 11 Jul 2018 20:22:52 +0000 (22:22 +0200)]
test/.../evppkey.txt: X25519 regression test vectors.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6699)

6 years agoec/asm/x25519-x86_64.pl: fix base 2^64 add/sub and final reduction.
Andy Polyakov [Wed, 11 Jul 2018 20:08:02 +0000 (22:08 +0200)]
ec/asm/x25519-x86_64.pl: fix base 2^64 add/sub and final reduction.

Base 2^64 addition/subtraction and final reduction failed to treat
partially reduced values correctly.

Thanks to Wycheproof Project for vectors and Paul Kehrer for report.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6699)

6 years agobn/bn_lcl.h,bn_nist.c: addres strict warnings with -DBN_DEBUG.
Andy Polyakov [Thu, 12 Jul 2018 17:15:26 +0000 (19:15 +0200)]
bn/bn_lcl.h,bn_nist.c: addres strict warnings with -DBN_DEBUG.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agorsa/*: switch to BN_bn2binpad.
Andy Polyakov [Sun, 4 Feb 2018 14:24:54 +0000 (15:24 +0100)]
rsa/*: switch to BN_bn2binpad.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5254)

6 years agobn/bn_lib.c: make BN_bn2binpad computationally constant-time.
Andy Polyakov [Sun, 4 Feb 2018 14:20:29 +0000 (15:20 +0100)]
bn/bn_lib.c: make BN_bn2binpad computationally constant-time.

"Computationally constant-time" means that it might still leak
information about input's length, but only in cases when input
is missing complete BN_ULONG limbs. But even then leak is possible
only if attacker can observe memory access pattern with limb
granularity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5254)

6 years agoAdd a GOST test
Matt Caswell [Fri, 13 Jul 2018 15:11:46 +0000 (16:11 +0100)]
Add a GOST test

Test that we never negotiate TLSv1.3 using GOST

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6650)

6 years agoAs a server don't select TLSv1.3 if we're not capable of it
Matt Caswell [Wed, 4 Jul 2018 15:48:56 +0000 (16:48 +0100)]
As a server don't select TLSv1.3 if we're not capable of it

Check that we are either configured for PSK, or that we have a TLSv1.3
capable certificate type. DSA certs can't be used in TLSv1.3 and we
don't (currently) allow GOST ones either (owing to the lack of standard
sig algs).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6650)

6 years agoUse ssl_version_supported() when choosing server version
Matt Caswell [Wed, 4 Jul 2018 15:02:20 +0000 (16:02 +0100)]
Use ssl_version_supported() when choosing server version

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6650)

6 years agoDo not use GOST sig algs in TLSv1.3 where possible
Matt Caswell [Tue, 3 Jul 2018 16:45:35 +0000 (17:45 +0100)]
Do not use GOST sig algs in TLSv1.3 where possible

Fixes #6513

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6650)

6 years agoDocumentation typo fix in BN_bn2bin.pod
Alexandre Perrin [Fri, 13 Jul 2018 08:32:42 +0000 (10:32 +0200)]
Documentation typo fix in BN_bn2bin.pod

Change the description for BN_hex2bn() so that it uses the same BIGNUM argument name as its prototype.

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6712)

6 years agoFix undefined behavior in s390x aes-gcm/ccm
Patrick Steuer [Thu, 12 Jul 2018 17:19:07 +0000 (13:19 -0400)]
Fix undefined behavior in s390x aes-gcm/ccm

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
6 years agobn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors.
Andy Polyakov [Fri, 6 Jul 2018 13:13:15 +0000 (15:13 +0200)]
bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors.

Note that exported functions maintain original behaviour, so that
external callers won't observe difference. While internally we can
now perform Montogomery multiplication on fixed-length vectors, fixed
at modulus size. The new functions, bn_to_mont_fixed_top and
bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use
them even outside bn, e.g. in RSA, DSA, ECDSA...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

6 years agobn/bn_lib.c: add BN_FLG_FIXED_TOP flag.
Andy Polyakov [Fri, 6 Jul 2018 13:02:29 +0000 (15:02 +0200)]
bn/bn_lib.c: add BN_FLG_FIXED_TOP flag.

The new flag marks vectors that were not treated with bn_correct_top,
in other words such vectors are permitted to be zero padded. For now
it's BN_DEBUG-only flag, as initial use case for zero-padded vectors
would be controlled Montgomery multiplication/exponentiation, not
general purpose. For general purpose use another type might be more
appropriate. Advantage of this suggestion is that it's possible to
back-port it...

bn/bn_div.c: fix memory sanitizer problem.
bn/bn_sqr.c: harmonize with BN_mul.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

6 years agobn/bn_mont.c: improve readability of post-condition code.
Andy Polyakov [Fri, 6 Jul 2018 12:54:34 +0000 (14:54 +0200)]
bn/bn_mont.c: improve readability of post-condition code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

6 years agobn/bn_mont.c: move boundary condition check closer to caller.
Andy Polyakov [Fri, 6 Jul 2018 11:46:07 +0000 (13:46 +0200)]
bn/bn_mont.c: move boundary condition check closer to caller.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

6 years agobn/bn_lib.c: remove bn_check_top from bn_expand2.
Andy Polyakov [Fri, 6 Jul 2018 11:16:40 +0000 (13:16 +0200)]
bn/bn_lib.c: remove bn_check_top from bn_expand2.

Trouble is that addition is postponing expansion till carry is
calculated, and if addition carries, top word can be zero, which
triggers assertion in bn_check_top.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

6 years agoapps/speed.c: let EVP_Update_loop_ccm behave more like EVP_Update_loop
Patrick Steuer [Fri, 2 Feb 2018 10:09:25 +0000 (11:09 +0100)]
apps/speed.c: let EVP_Update_loop_ccm behave more like EVP_Update_loop

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5246)

6 years agoWindows: avoid using 'rem' in the nmake makefile
Richard Levitte [Wed, 11 Jul 2018 09:05:15 +0000 (11:05 +0200)]
Windows: avoid using 'rem' in the nmake makefile

To avoid the possibility that someone creates rem.exe, rem.bat or
rem.cmd, simply don't use it.  In the cases it was used, it was to
avoid empty lines, but it turns out that nmake handles those fine, so
no harm done.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6686)

6 years agoWindows: fix echo for nmake
Richard Levitte [Tue, 10 Jul 2018 12:12:33 +0000 (14:12 +0200)]
Windows: fix echo for nmake

It seems that nmake first tries to run executables on its own, and
only pass commands to cmd if that fails.  That means it's possible to
have nmake run something like 'echo.exe' when the builtin 'echo'
command was expected, which might give us unexpected results.

To get around this, we create our own echoing script and call it
explicitly from the nmake makefile.

Fixes #6670

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6686)