Matt Caswell [Tue, 20 Nov 2018 13:21:36 +0000 (13:21 +0000)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7670)
Matt Caswell [Tue, 20 Nov 2018 10:52:53 +0000 (10:52 +0000)]
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7666)
Richard Levitte [Tue, 13 Nov 2018 16:57:45 +0000 (17:57 +0100)]
Fix typo in util/perl/OpenSSL/Test.pm
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7633)
(cherry picked from commit
2dc37bc2b4c678462a24d2904604e58c0c5ac1cb)
Richard Levitte [Tue, 13 Nov 2018 17:28:41 +0000 (18:28 +0100)]
test/recipes/90-test_shlibload.t needs $target{shared_extension}
We therefore must add defaults.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7631)
Richard Levitte [Tue, 13 Nov 2018 14:57:34 +0000 (15:57 +0100)]
Fix rpath-related Linux "test_shlibload" failure.
When libssl and libcrypto are compiled on Linux with "-rpath", but
not "--enable-new-dtags", the RPATH takes precedence over
LD_LIBRARY_PATH, and we end up running with the wrong libraries.
This is resolved by using full (or at least relative, rather than
just the filename to be found on LD_LIBRARY_PATH) paths to the
shared objects.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7631)
Richard Levitte [Tue, 13 Nov 2018 17:49:21 +0000 (18:49 +0100)]
Configuration: make sure the shared_sources table doesn't contain empty elements
Fixes #7634
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7635)
(cherry picked from commit
0c594ccc29f6ba241627f436ba3d05fc400d1066)
Richard Levitte [Wed, 31 Oct 2018 08:02:00 +0000 (09:02 +0100)]
Windows build: build foo.d after foo.obj
We made the build of foo.obj depend on foo.d, meaning the latter gets
built first. Unfortunately, the way the compiler works, we are forced
to redirect all output to foo.d, meaning that if the source contains
an error, the build fails without showing those errors.
We therefore remove the dependency and force the build of foo.d to
always happen after build of foo.obj.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7533)
Billy Brumley [Fri, 9 Nov 2018 07:25:43 +0000 (09:25 +0200)]
[crypto/bn] swap BN_FLG_FIXED_TOP too
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7599)
(cherry picked from commit
dd41956d80686638d74fd203bd67060f90966280)
Richard Levitte [Fri, 9 Nov 2018 11:08:08 +0000 (12:08 +0100)]
Fix cherry-pick error
A couple of $(ECHO) sneaked in from patches in newer branches
Fixes #7600
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7601)
Richard Levitte [Fri, 9 Nov 2018 11:23:53 +0000 (12:23 +0100)]
VMS build: colon after target must be separated with a space
... otherwise, it's taken to be part of a device name.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7602)
(cherry picked from commit
e9994901f835420764d020968d4588fc09ec74c3)
Richard Levitte [Wed, 7 Nov 2018 15:13:57 +0000 (16:13 +0100)]
Have install targets depend on more precise build targets
We only had the main 'install' target depend on 'all'. This changes
the dependencies so targets like install_dev, install_runtime_libs,
install_engines and install_programs depend on build targets that are
correspond to them more specifically. This increases the parallel
possibilities.
Fixes #7466
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7583)
(cherry picked from commit
e8d01a608705e4320082a11a3870aa7e19c7290f)
Richard Levitte [Thu, 25 Oct 2018 07:09:20 +0000 (09:09 +0200)]
Allow parallel install
When trying 'make -j{n} install', you may occasionally run into
trouble because to sub-targets (install_dev and install_runtime) try
to install the same shared libraries. That makes parallel install
difficult.
This is solved by dividing install_runtime into two parts, one for
libraries and one for programs, and have install_dev depend on
install_runtime_libs instead of installing the shared runtime
libraries itself.
Fixes #7466
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7583)
(cherry picked from commit
c1123d9f7efb005a109aeccaba82c40bf9bd4c1d)
Pauli [Wed, 31 Oct 2018 22:44:11 +0000 (08:44 +1000)]
Add a constant time flag to one of the bignums to avoid a timing leak.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7549)
(cherry picked from commit
00496b6423605391864fbbd1693f23631a1c5239)
Rod Vagg [Mon, 29 Oct 2018 09:43:53 +0000 (20:43 +1100)]
Remove brace from bad cherry-pick of DSA reallocation fix
Commit
56fb454 backported the DSA reallocation fix to 1.1.0, however a
code block that has multiple statements in 1.1.1+ only has a `goto` in
1.1.0 so introduces a brace that causes a compile failure.
CLA:trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7516)
Pauli [Fri, 26 Oct 2018 00:54:58 +0000 (10:54 +1000)]
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)
(cherry picked from commit
99540ec79491f59ed8b46b4edf130e17dc907f52)
Pauli [Tue, 23 Oct 2018 21:42:46 +0000 (07:42 +1000)]
Timing vulnerability in DSA signature generation (CVE-2018-0734).
Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized. Increasing the size of the BNs
prior to doing anything with them suppresses the attack.
Thanks due to Samuel Weiser for finding and locating this.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)
(cherry picked from commit
a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6)
Pauli [Sun, 28 Oct 2018 20:50:51 +0000 (06:50 +1000)]
DSA mod inverse fix
There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm. This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.
Thanks to Samuel Weiser for finding and reporting this.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)
(cherry picked from commit
415c33563528667868c3c653a612e6fc8736fd79)
Dr. Matthias St. Pierre [Thu, 18 Oct 2018 21:04:32 +0000 (23:04 +0200)]
md_rand.c: don't stop polling until properly initialized
Previously, the RNG sets `initialized=1` after the first call to
RAND_poll(), although its criterion for being initialized actually
is whether condition `entropy >= ENTROPY_NEEDED` is true.
This commit now assigns `initialized=(entropy >= ENTROPY_NEEDED)`,
which has the effect that on the next call, RAND_poll() will be
called again, if it previously failed to obtain enough entropy.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7438)
Andy Polyakov [Wed, 17 Oct 2018 08:09:33 +0000 (10:09 +0200)]
arch/async_posix.h: improve portability.
{make|swap|get|set}context are removed in POSIX.1-2008, but glibc
apparently keeps providing it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7420)
(cherry picked from commit
9d71a24ebf57e7157888af1ca587eafe914bf96f)
Viktor Dukhovni [Mon, 8 Oct 2018 16:05:14 +0000 (12:05 -0400)]
Apply self-imposed path length also to root CAs
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf). Therefore, never count the EE
cert, and adjust the path length comparison accordinly. This may
be more clear to the reader.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
dc5831da59e9bfad61ba425d886a0b06ac160cd6)
Viktor Dukhovni [Fri, 5 Oct 2018 03:53:01 +0000 (23:53 -0400)]
Only CA certificates can be self-issued
At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:
This specification covers two classes of certificates: CA
certificates and end entity certificates. CA certificates may be
further divided into three classes: cross-certificates, self-issued
certificates, and self-signed certificates. Cross-certificates are
CA certificates in which the issuer and subject are different
entities. Cross-certificates describe a trust relationship between
the two CAs. Self-issued certificates are CA certificates in which
the issuer and subject are the same entity. Self-issued certificates
are generated to support changes in policy or operations. Self-
signed certificates are self-issued certificates where the digital
signature may be verified by the public key bound into the
certificate. Self-signed certificates are used to convey a public
key for use to begin certification paths. End entity certificates
are issued to subjects that are not authorized to issue certificates.
that the term "self-issued" is only applicable to CAs, not end-entity
certificates. In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:
The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit (Section 4.2.1.3). In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path. (Note: The
last certificate in the certification path is not an intermediate
certificate, and is not included in this limit. Usually, the last
certificate is an end entity certificate, but it can be a CA
certificate.)
This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates. A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count. The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)
Andy Polyakov [Fri, 12 Oct 2018 20:17:51 +0000 (22:17 +0200)]
ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac.
(back-port of commit
7d0effeacbb50b12bfc24df7614d7cf5c8686f51)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7392)
Benjamin Kaduk [Thu, 4 Oct 2018 18:49:21 +0000 (13:49 -0500)]
apps: allow empty attribute values with -subj
Historically (i.e., OpenSSL 1.0.x), the openssl applications would
allow for empty subject attributes to be passed via the -subj argument,
e.g., `opensl req -subj '/CN=joe/O=/OU=local' ...`. Commit
db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite
to the parse_name() helper function that parses these strings, but
in the process dropped a check that would skip attributes with no
associated value. As a result, such strings are now treated as
hard errors and the operation fails.
Restore the check to skip empty attribute values and restore
the historical behavior.
Document the behavior for empty subject attribute values in the
corresponding applications' manual pages.
(cherry picked from commit
3d362f190306b62a17aa2fd475b2bc8b3faa8142)
(cherry picked from commit
a7ee1ef61b1893038008691a4a6979cf2da91439)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7368)
Tomas Mraz [Tue, 9 Oct 2018 16:37:10 +0000 (18:37 +0200)]
Fix copy&paste error found in Coverity scan
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7377)
(cherry picked from commit
628ee796389b555ddb5fc28355e16e9417ab1724)
Andy Polyakov [Wed, 5 Sep 2018 12:33:21 +0000 (14:33 +0200)]
rsa/rsa_ossl.c: fix and extend commentary [skip ci].
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7123)
(cherry picked from commit
d1c008f66bad435b18aa45aa59f72bed7c682849)
Richard Levitte [Sun, 30 Sep 2018 00:18:47 +0000 (02:18 +0200)]
Clean out aliases in include/openssl/symhacks.h
Only a few clashing ones remain
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7331)
(cherry picked from commit
b44882a0bd0717e0aab84f5dc3ef81ab673155e9)
Richard Levitte [Sat, 29 Sep 2018 23:59:11 +0000 (01:59 +0200)]
Small cleanup (util/mkdef.pl, crypto/bio/bss_log.c, include/openssl/ocsp.h)
BIO_s_log() is declared for everyone, so should return NULL when not
actually implemented. Also, it had explicit platform limitations in
util/mkdef.pl that didn't correspond to what was actually in code.
While at it, a few other hard coded things that have lost their
relevance were removed.
include/openssl/ocsp.h had a few duplicate declarations.
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7331)
(cherry picked from commit
7e09c5eaa57295f87453286ffe25277c2f2bc73f)
Sohaib ul Hassan [Sat, 16 Jun 2018 14:07:40 +0000 (17:07 +0300)]
Implement coordinate blinding for EC_POINT
This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.
This commit is derived from the patch
https://marc.info/?l=openssl-dev&m=
131194808413635 by Billy Brumley.
Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.
For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.
For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6526)
Billy Brumley [Wed, 22 Aug 2018 06:50:43 +0000 (09:50 +0300)]
[test] ECC: make sure negative tests pass for the right reasons
This is a backport of #7028 to 1.1.0.
It squashes the two original commits and applies changes for
compatibility with 1.1.0.
1. cherry picked from commit
30c41bfb158c0f595809d0eaf032926a3c2cf236
[test] ECC: make sure negative tests pass for the right reasons
2. cherry picked from commit
bfb10b975818d1887d676d309fcc21a765611f6d
[test] throw error from wrapper function instead of an EC_METHOD specific one
Given that in 1.1.0 `EC_POINT_get_affine_coordinates_GFp` and
`EC_POINT_get_affine_coordinates_GF2m` have not been unified, in this
backport the tests distinguish between the 2 different functions as the
cause of the expected error.
[extended tests] to trigger sanitizer checks and coverage analysis.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7152)
Billy Brumley [Thu, 28 Jun 2018 07:59:08 +0000 (10:59 +0300)]
More EVP ECC testing: positive and negative
This is a backport of #6608 to 1.1.0.
1. For every named curve, two "golden" keypair positive tests.
2. Also two "golden" stock ECDH positive tests.
3. For named curves with non-trivial cofactors, additionally two "golden"
ECC CDH positive tests.
4. For named curves with non-trivial cofactors, additionally two negative
tests.
There is some overlap with existing EVP tests, especially for the NIST
curves (for example, positive testing ECC CDH KATs for NIST curves).
"Golden" here means all the values are independent from OpenSSL's ECC
code. I used sage to calculate them. What comes from OpenSSL is:
1. The OIDs (parsed by tooling)
2. The curve parameters (parsing ecparam output with tooling)
The values inside the PEMs (private keys, public keys) and shared keys
are from sage. The PEMs themselves are the output of asn1parse, with
input taken from sage.
(cherry picked from commit
249330de0250bc598d20d383bab37d150cdad239)
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7152)
Nicola Tuveri [Fri, 7 Sep 2018 15:27:56 +0000 (18:27 +0300)]
Move evp test programs input data to its own data dir
This is a manual backport of #3472 to 1.1.0.
This is a partial backport, limited only to evptests, as #3472 also
affected bntests, which has a completely different form in 1.1.0.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7152)
Nicola Tuveri [Fri, 7 Sep 2018 15:14:30 +0000 (18:14 +0300)]
Split test/evptests.txt into separate files.
This is a manual port of #3443 (and the related bugfix PR #3452) to
1.1.0.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7152)
Daniel Bevenius [Mon, 24 Sep 2018 06:43:35 +0000 (08:43 +0200)]
Document OPENSSL_VERSION_TEXT macro
This commit documents the OPENSSL_VERSION_TEXT which is currently
missing in the man page.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7301)
(cherry picked from commit
7c69495712e3dc9aa8db38271f0c3faeb2037165)
Pauli [Mon, 24 Sep 2018 01:21:18 +0000 (11:21 +1000)]
Use secure_getenv(3) when available.
Change all calls to getenv() inside libcrypto to use a new wrapper function
that use secure_getenv() if available and an issetugid then getenv if not.
CPU processor override flags are unchanged.
Extra checks for OPENSSL_issetugid() have been removed in favour of the
safe getenv.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7047)
(cherry picked from commit
5c39a55d04ea6e6f734b627a050b9e702788d50d)
Richard Levitte [Fri, 21 Sep 2018 09:11:15 +0000 (11:11 +0200)]
crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG
This module includes bn.h via other headers, so it picks up the
definition from there and doesn't need to define them locally (any
more?). Worst case scenario, the redefinition may be different and
cause all sorts of compile errors.
Fixes #7227
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7287)
(cherry picked from commit
dda5396aaec315bdbcb080e42fb5cd0191f2ad72)
Richard Levitte [Wed, 19 Sep 2018 19:33:45 +0000 (21:33 +0200)]
crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too
These both indicate that the file descriptor we're trying to use as a
terminal isn't, in fact, a terminal.
Fixes #7271
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7272)
(cherry picked from commit
276bf8620ce35a613c856f2b70348f65ffe94067)
Pauli [Sun, 16 Sep 2018 21:47:42 +0000 (07:47 +1000)]
Use 'i' as parameter name not 'I'.
The latter causes problems when complex.h is #included.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7233)
(cherry picked from commit
972f67889b5a10c33dbc3d500cfa65b544e68b46)
Pauli [Sun, 16 Sep 2018 22:09:25 +0000 (08:09 +1000)]
Add a compile time test to verify that openssl/rsa.h and complex.h can
coexist.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7233)
(cherry picked from commit
da5fac72b1cba5651b871902eea234e693cf01e5)
Matt Caswell [Wed, 12 Sep 2018 15:49:19 +0000 (16:49 +0100)]
Add an explicit cast to time_t
Caused a compilation failure in some environments
Fixes #7204
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7205)
(cherry picked from commit
bc278f30f0b766bfb82426c641dc1d51ace4a994)
Viktor Szakats [Tue, 11 Sep 2018 22:34:00 +0000 (22:34 +0000)]
minor fixes for Windows
- fix to use secure URL in generated Windows resources
- fix a potentially uninitialized variable
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7189)
Bernd Edlinger [Mon, 10 Sep 2018 12:18:23 +0000 (14:18 +0200)]
Make the config script fail with an error code if Configure failed
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7166)
parasssh [Thu, 23 Aug 2018 05:42:11 +0000 (22:42 -0700)]
Fix typos in documentation.
CLA: trivial
(cherry picked from commit
fa332bba919d094c1654bbb3be0528b3df6e9023)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7040)
Richard Levitte [Tue, 11 Sep 2018 09:00:30 +0000 (11:00 +0200)]
CAPI engine: add support for RSA_NO_PADDING
Since the SSL code started using RSA_NO_PADDING, the CAPI engine became
unusable. This change fixes that.
Fixes #7131
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7174)
(cherry picked from commit
37f4928701aa54937ce8eef422a2165afeec5cec)
Matt Caswell [Mon, 10 Sep 2018 15:23:14 +0000 (16:23 +0100)]
Check the return value from ASN1_INTEGER_set
Found by Coverity
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7169)
(cherry picked from commit
512d811719fc955f574090af4c3586a9aba46fa7)
Shane Lontis [Mon, 3 Sep 2018 01:39:50 +0000 (11:39 +1000)]
RSA padding Zeroization fixes
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7090)
(cherry picked from commit
82eba370daeb6d80b01b521d9e2963451487f0cb)
Nicola Tuveri [Wed, 5 Sep 2018 09:08:12 +0000 (12:08 +0300)]
Harmonize the error handling codepath
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)
Nicola Tuveri [Wed, 5 Sep 2018 08:58:55 +0000 (11:58 +0300)]
Fix segfault in RSA_free() (and DSA/DH/EC_KEY)
`RSA_free()` and friends are called in case of error from
`RSA_new_method(ENGINE *e)` (or the respective equivalent functions).
For the rest of the description I'll talk about `RSA_*`, but the same
applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`.
If `RSA_new_method()` fails because the engine does not implement the
required method, when `RSA_free(RSA *r)` is called,
`r->meth == NULL` and a segfault happens while checking if
`r->meth->finish` is defined.
This commit fixes this issue by ensuring that `r->meth` is not NULL
before dereferencing it to check for `r->meth->finish`.
Fixes #7102 .
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)
Pauli [Tue, 4 Sep 2018 21:50:17 +0000 (07:50 +1000)]
Key zeroization fix for EVP_SealInit.
Manual backport from master.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7116)
Eric Curtin [Mon, 3 Sep 2018 14:23:37 +0000 (15:23 +0100)]
New openssl subject parser hard to debug
-subj 'subject=C = US, ST = A, L = root, O = Hewlett Packard Enterprise Company, OU = Remote Device Access, CN = Hewlett Packard Enterprise Remote Device Access Test Local CA, emailAddress = rda@hpe.com'
was a valid subject in openssl 1.0. Error received in 1.1 is:
problems making Certificate Request
Not very informative, I only figured this out because I compiled the
code and added logging.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7098)
(cherry picked from commit
2167640b0bf76ec50a397dd90444b97c242e3f04)
Pauli [Tue, 4 Sep 2018 19:35:34 +0000 (05:35 +1000)]
Make OBJ_NAME case insensitive.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7101)
Shane Lontis [Tue, 4 Sep 2018 04:01:37 +0000 (14:01 +1000)]
hkdf zeroization fix
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7106)
(cherry picked from commit
64ed55ab033f1bfa795d46f0ecc61c313204b418)
Shane Lontis [Tue, 4 Sep 2018 05:00:21 +0000 (15:00 +1000)]
key zeroisation fix for p12
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7109)
(cherry picked from commit
f5cee414fa8e7e9a088d8d5ebe641f368df20801)
Shane Lontis [Tue, 4 Sep 2018 04:31:11 +0000 (14:31 +1000)]
key zeroisation for pvkfmt now done on all branch paths
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7107)
(cherry picked from commit
0239283d99a37e8527199a62100fec867b9996cb)
Richard Levitte [Mon, 3 Sep 2018 11:17:03 +0000 (13:17 +0200)]
openssl req: don't try to report bits
With the introduction of -pkeyopt, the number of bits may change
without |newkey| being updated. Unfortunately, there is no API to
retrieve the information from a EVP_PKEY_CTX either, so chances are
that we report incorrect information. For the moment, it's better not
to try to report the number of bits at all.
Fixes #7086
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7096)
(cherry picked from commit
17147181bd3f97c53592e2a5c9319b854b954039)
Matt Caswell [Thu, 23 Aug 2018 10:37:22 +0000 (11:37 +0100)]
Clarify the EVP_DigestSignInit docs
They did not make it clear how the memory management works for the |pctx|
parameter.
Fixes #7037
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7042)
(cherry picked from commit
f097e8759820f6f9b78adb99eb4bfced2945d623)
Jakub Wilk [Mon, 3 Sep 2018 09:09:51 +0000 (11:09 +0200)]
Fix example in crl(1) man page
The default input format is PEM, so explicit "-inform DER" is needed to
read DER-encoded CRL.
CLA: trivial
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7094)
(cherry picked from commit
785e614a95a134831f213749332bcf40c4920f69)
Matt Caswell [Thu, 9 Aug 2018 15:25:29 +0000 (16:25 +0100)]
The req documentation incorrectly states that we default to md5
Just remove that statement. It's not been true since 2005.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/6905)
Paul Kehrer [Sat, 1 Sep 2018 14:50:28 +0000 (10:50 -0400)]
add docs for OCSP_resp_get0_signature
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)
Paul Kehrer [Sat, 1 Sep 2018 04:05:55 +0000 (00:05 -0400)]
add getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP
fixes #7081
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)
Pauli [Sun, 2 Sep 2018 21:37:38 +0000 (07:37 +1000)]
Check the return from BN_sub() in BN_X931_generate_Xpq().
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7088)
(cherry picked from commit
6bcfcf16bf6aef4f9ec267d8b86ae1bffd8deab9)
Eric Brown [Thu, 16 Aug 2018 15:34:39 +0000 (08:34 -0700)]
Remove redundant ASN1_INTEGER_set call
This trivial patch removes a duplicated call to ASN1_INTEGER_set.
Fixes Issue #6977
Signed-off-by: Eric Brown <browne@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6984)
(cherry picked from commit
59701e6363531cddef5b2114c0127b8453deb1f3)
Dmitry Belyavskiy [Fri, 24 Aug 2018 08:48:00 +0000 (11:48 +0300)]
Backport #7007 to 1.1.0
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7052)
Matt Caswell [Mon, 27 Aug 2018 14:04:28 +0000 (15:04 +0100)]
Free SSL object on an error path
Thanks to @fangang190 for reporting this
Fixes #7061
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7065)
Andy Polyakov [Wed, 15 Aug 2018 13:46:35 +0000 (15:46 +0200)]
bn/bn_lib.c: conceal even memmory access pattern in bn2binpad.
(cherry picked from commit
324b95605225410763fe63f7cff36eb46ca54ee9)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)
Andy Polyakov [Mon, 13 Aug 2018 14:59:08 +0000 (16:59 +0200)]
bn/bn_blind.c: use Montgomery multiplication when possible.
(cherry picked from commit
e02c519cd32a55e6ad39a0cfbeeda775f9115f28)
Resolved conflicts:
crypto/bn/bn_blind.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)
Andy Polyakov [Fri, 10 Aug 2018 17:46:03 +0000 (19:46 +0200)]
rsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."
In [most common] case of p and q being of same width, it's possible to
replace CRT modulo operations with Montgomery reductions. And those are
even fixed-length Montgomery reductions...
(cherry picked from commit
41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59)
Resolved conflicts:
crypto/rsa/rsa_ossl.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)
Andy Polyakov [Fri, 10 Aug 2018 17:31:22 +0000 (19:31 +0200)]
crypto/bn: add more fixed-top routines.
Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top.
Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove
memset in bn_from_montgomery_word.
(cherry picked from commit
fcc4ee09473cac511eca90faa003661c7786e4f9)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)
Nicola Tuveri [Mon, 20 Aug 2018 21:50:01 +0000 (00:50 +0300)]
Backport #6648 to OpenSSL_1_1_0-stable
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7015)
Pauli [Wed, 22 Aug 2018 00:04:27 +0000 (10:04 +1000)]
Zero memory in CRYPTO_secure_malloc.
This commit destroys the free list pointers which would otherwise be
present in the returned memory blocks. This in turn helps prevent
information leakage from the secure memory area.
Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory:
before the secure memory system is initialised or if it isn't implemented.
[manual merge of #7011]
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7026)
Andy Polyakov [Thu, 16 Aug 2018 07:26:12 +0000 (09:26 +0200)]
crypto/init.c: improve destructor_key's portability.
It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type,
which doesn't appear to hold true.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6976)
(cherry picked from commit
0b1319ba94c85af9e87308e0d573d1260a802f53)
Bernd Edlinger [Fri, 17 Aug 2018 07:02:53 +0000 (09:02 +0200)]
Fix a warning from MSVC build
Apparently after internal/numbers.h defines INTx_MIN/MAX
stdint gets included and it defines those differently:
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\INCLUDE\stdint.h(48):
warning C4005: 'INT8_MIN': macro redefinition
Avoid that by changing the sequence in which the include files
appear in crypto/bio/b_print.c.
[extended tests]
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6995)
Benjamin Kaduk [Thu, 16 Aug 2018 20:42:55 +0000 (15:42 -0500)]
Avoid shadowing 'free' in X509_LOOKUP_met_set_free
gcc 4.6 (arguably erroneously) warns about our use of 'free' as
the name of a function parameter, when --strict-warnings is enabled:
crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free':
crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow]
cc1: all warnings being treated as errors
make[1]: *** [crypto/x509/x509_meth.o] Error 1
(gcc 4.8 is fine with this code, as are newer compilers.)
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6991)
(cherry picked from commit
50f3994b513ead4da94845bf38222bb71c440fb3)
Matt Caswell [Tue, 14 Aug 2018 12:46:03 +0000 (13:46 +0100)]
Prepare for 1.1.0j-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 14 Aug 2018 12:45:05 +0000 (13:45 +0100)]
Prepare for 1.1.0i release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 14 Aug 2018 12:25:55 +0000 (13:25 +0100)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6954)
Matt Caswell [Tue, 14 Aug 2018 09:39:19 +0000 (10:39 +0100)]
Updates to CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6950)
Andy Polyakov [Wed, 27 Jun 2018 09:57:45 +0000 (11:57 +0200)]
crypto/o_fopen.c: alias fopen to fopen64.
Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6596)
(cherry picked from commit
2369111fd94ebc9b7d37e68f3ea9629f2fe5fa2e)
Richard Levitte [Sat, 11 Aug 2018 07:59:20 +0000 (09:59 +0200)]
i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):
For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
allocated for a buffer and the encoded data written to it. In this
case B<*out> is not incremented and it points to the start of the
data just written.
i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.
Fixes #6914
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)
(cherry picked from commit
cba024dc685d13dbcbd0577bed028ee6b295b56a)
Andy Polyakov [Sun, 29 Jul 2018 12:37:17 +0000 (14:37 +0200)]
x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6891)
(back-ported from commit
f21b5b64cbbc279ef31389e6ae312690575187da)
Andy Polyakov [Sun, 29 Jul 2018 12:13:32 +0000 (14:13 +0200)]
x509v3/v3_purp.c: resolve Thread Sanitizer nit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6891)
(cherry picked from commit
0da7358b0757fa35f2c3a8f51fa036466ae50fd7)
Rich Salz [Tue, 7 Aug 2018 19:28:59 +0000 (15:28 -0400)]
Increase CT_NUMBER values
Also add build-time errors to keep them in sync.
Thanks to GitHub user YuDudysheva for reporting this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6874)
(cherry picked from commit
b5ee517794cf546dc7e3d5a82b400955a7381053)
Rich Salz [Tue, 7 Aug 2018 19:08:03 +0000 (15:08 -0400)]
Fix setting of ssl_strings_inited.
Thanks to GitHub user zsergey105 for reporting this.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6875)
(cherry picked from commit
10281e83eac0fb96de3f14855154197aa33bb800)
Richard Levitte [Tue, 7 Aug 2018 10:38:16 +0000 (12:38 +0200)]
Check early that the config target exists and isn't a template
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6885)
(cherry picked from commit
4e360445473c3da938703a8142a36cf6ee86a191)
Richard Levitte [Tue, 7 Aug 2018 02:55:47 +0000 (04:55 +0200)]
Make EVP_PKEY_asn1_new() stricter with its input
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6880)
(cherry picked from commit
38eca7fed09a57c1b7a05d651af2c667b3e87719)
Bernd Edlinger [Thu, 2 Aug 2018 17:47:42 +0000 (19:47 +0200)]
Fix uninitialized value $s warning in windows static builds
Fixes: #6826
[extended tests]
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/pr6849)
Pauli [Sun, 5 Aug 2018 21:31:49 +0000 (07:31 +1000)]
Avoid errors when loading a cert multiple times.
Manual backport of #2830 to 1.1.0
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6861)
Rich Salz [Fri, 3 Aug 2018 22:03:22 +0000 (18:03 -0400)]
Use auto-null-initializer
Thanks to GitHub user YuDudysheva for reporting this.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6853)
Andy Polyakov [Thu, 2 Aug 2018 07:02:47 +0000 (09:02 +0200)]
asn1/tasn_utl.c: fix logical error in asn1_do_lock.
CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6843)
Andy Polyakov [Thu, 2 Aug 2018 06:59:48 +0000 (08:59 +0200)]
Revert "asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock."
This reverts commit
24233a0f3c491919ee3a38e2567271ccc041ee1d.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6843)
Andy Polyakov [Tue, 31 Jul 2018 12:59:14 +0000 (14:59 +0200)]
asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.
CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
680b9d45b005c2d0a48fd574db903bf4486b49ae)
Pauli [Tue, 31 Jul 2018 03:11:00 +0000 (13:11 +1000)]
Check return from BN_sub
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6823)
(cherry picked from commit
3d3cbce550ff5d6172cf28dbbf80bda93f6577a9)
Pauli [Tue, 31 Jul 2018 01:37:05 +0000 (11:37 +1000)]
Check conversion return in ASN1_INTEGER_print_bio.
Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the
BN instead of doing it separately.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6821)
(cherry picked from commit
35c9408108f3608eb572acd7f64a93cf4f43f4f6)
Bryan Donlan [Tue, 17 Jul 2018 20:38:17 +0000 (13:38 -0700)]
Remove DSA digest length checks when no digest is passed
FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.
Fixes: #6748
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)
(cherry picked from commit
665d9d1c0655d6f709c99e1211c1e11fcebfeecd)
Andy Polyakov [Fri, 20 Jul 2018 11:23:42 +0000 (13:23 +0200)]
crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.
Problem was that Windows threads that were terminating before libcrypto
was initialized were referencing uninitialized or possibly even
unrelated thread local storage index.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6799)
(cherry picked from commit
80ae7285e1994d35c84519bf9e038b11d9942875)
Resolved conflicts:
crypto/init.c
Andy Polyakov [Fri, 20 Jul 2018 11:15:48 +0000 (13:15 +0200)]
crypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6799)
(cherry picked from commit
b86d57bb0b23253c720db38ab18ca97cb888f701)
Resolved conflicts:
crypto/cryptlib.c
Andy Polyakov [Thu, 26 Jul 2018 12:38:53 +0000 (14:38 +0200)]
CHANGES: mention blinding reverting in ECDSA.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)
Andy Polyakov [Wed, 25 Jul 2018 08:29:51 +0000 (10:29 +0200)]
bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.
New implementation failed to correctly reset r->neg flag. Spotted by
OSSFuzz.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)
(cherry picked from commit
70a579ae2f37437a1e02331eeaa84e1b68ba021e)
Andy Polyakov [Thu, 12 Jul 2018 20:27:43 +0000 (22:27 +0200)]
ec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)
(cherry picked from commit
37132c9702328940a99b1307f742ab094ef754a7)
Andy Polyakov [Fri, 6 Jul 2018 14:13:29 +0000 (16:13 +0200)]
ec/ecdsa_ossl.c: formatting and readability fixes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)
(cherry picked from commit
fff7a0dcf6e3135c7f93e6cb5fb35e37dd0b384d)
Andy Polyakov [Fri, 6 Jul 2018 13:55:34 +0000 (15:55 +0200)]
ec/ecdsa_ossl.c: revert blinding in ECDSA signature.
Originally suggested solution for "Return Of the Hidden Number Problem"
is arguably too expensive. While it has marginal impact on slower
curves, none to ~6%, optimized implementations suffer real penalties.
Most notably sign with P-256 went more than 2 times[!] slower. Instead,
just implement constant-time BN_mod_add_quick.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)
(cherry picked from commit
3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f)
Resolved conflicts:
crypto/ec/ecdsa_ossl.c