oweals/openssl.git
6 years agoFix leak in ERR_get_state() when OPENSSL_init_crypto() isn't called yet
Richard Levitte [Tue, 12 Dec 2017 01:05:38 +0000 (02:05 +0100)]
Fix leak in ERR_get_state() when OPENSSL_init_crypto() isn't called yet

If OPENSSL_init_crypto() hasn't been called yet when ERR_get_state()
is called, it need to be called early, so the base initialization is
done.  On some platforms (those who support DSO functionality and
don't define OPENSSL_USE_NODELETE), that includes a call of
ERR_set_mark(), which calls this function again.
Furthermore, we know that ossl_init_thread_start(), which is called
later in ERR_get_state(), calls OPENSSL_init_crypto(0, NULL), except
that's too late.
Here's what happens without an early call of OPENSSL_init_crypto():

    => ERR_get_state():
         => CRYPTO_THREAD_get_local():
         <= NULL;
         # no state is found, so it gets allocated.
         => ossl_init_thread_start():
              => OPENSSL_init_crypto():
                   # Here, base_inited is set to 1
                   # before ERR_set_mark() call
                   => ERR_set_mark():
                        => ERR_get_state():
                             => CRYPTO_THREAD_get_local():
                             <= NULL;
                             # no state is found, so it gets allocated!!!!!
                             => ossl_init_thread_start():
                                  => OPENSSL_init_crypto():
                                       # base_inited is 1,
                                       # so no more init to be done
                                  <= 1
                             <=
                             => CRYPTO_thread_set_local():
                             <=
                        <=
                   <=
              <= 1
         <=
         => CRYPTO_thread_set_local()      # previous value removed!
    <=

Result: double allocation, and we have a leak.

By calling the base OPENSSL_init_crypto() early, we get this instead:

    => ERR_get_state():
         => OPENSSL_init_crypto():
              # Here, base_inited is set to 1
              # before ERR_set_mark() call
              => ERR_set_mark():
                   => ERR_get_state():
                        => OPENSSL_init_crypto():
                             # base_inited is 1,
                             # so no more init to be done
                        <= 1
                        => CRYPTO_THREAD_get_local():
                        <= NULL;
                        # no state is found, so it gets allocated
                        # let's assume we got 0xDEADBEEF
                        => ossl_init_thread_start():
                             => OPENSSL_init_crypto():
                                  # base_inited is 1,
                                  # so no more init to be done
                             <= 1
                        <= 1
                        => CRYPTO_thread_set_local():
                        <=
                   <=
              <=
         <= 1
         => CRYPTO_THREAD_get_local():
         <= 0xDEADBEEF
    <= 0xDEADBEEF

Result: no leak.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4913)

6 years agoVMS build file template: adapt for when someone disabled 'makedepend'
Richard Levitte [Mon, 11 Dec 2017 20:01:18 +0000 (21:01 +0100)]
VMS build file template: adapt for when someone disabled 'makedepend'

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4907)

6 years agoRestore makedepend capabilities for Windows and VMS
Richard Levitte [Mon, 11 Dec 2017 19:54:07 +0000 (20:54 +0100)]
Restore makedepend capabilities for Windows and VMS

This got lost somehow.  The methods to do makedepend on Windows and
VMS are hard coded for cl (Windows) and CC/DECC (VMS), because that's
what we currently support natively.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4907)

6 years agoNote the removal of Makefile.shared in CHANGES
Richard Levitte [Mon, 4 Dec 2017 15:57:36 +0000 (16:57 +0100)]
Note the removal of Makefile.shared in CHANGES

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoRemove Makefile.shared, as it's now entirely unused
Richard Levitte [Mon, 4 Dec 2017 15:33:59 +0000 (16:33 +0100)]
Remove Makefile.shared, as it's now entirely unused

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoConfigure et al: cleanups
Richard Levitte [Mon, 4 Dec 2017 15:31:26 +0000 (16:31 +0100)]
Configure et al: cleanups

Remove some config attributes that just duplicate values that are
already there in other attributes.

Remove the special runs of mkdef.pl and mkrc.pl from build file
templates, as these are now done via GENERATE statements in
build.info.

Remove all references to ordinal files from build file templates, as
these are now treated via the GENERATE statements in build.info.

Also remove -shared flags and similar that are there in shared-info.pl
anyway.  (in the case of darwin, it's mandatory, as -bundle and
-dynamiclib don't mix)

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agobuild.info: adapt to the new handling of .rc / .def / .map / .opt files
Richard Levitte [Mon, 4 Dec 2017 13:59:27 +0000 (14:59 +0100)]
build.info: adapt to the new handling of .rc / .def / .map / .opt files

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoBuild file templates: Replace the use of Makefile.shared
Richard Levitte [Mon, 4 Dec 2017 13:27:58 +0000 (14:27 +0100)]
Build file templates: Replace the use of Makefile.shared

Because this also includes handling all sorts of non-object files when
linking a program, shared library or DSO, this also includes allowing
general recognition of files such as .res files (compiled from .rc
files), or .def / .map / .opt files (for export and possibly
versioning of public symbols only).

This does mean that there's a tangible change for all build file
templates: they must now recognise and handle the `.o` extension,
which is used internally to recognise object files internally.  This
extension was removed by common.tmpl before this change, but would
mean that the platform specific templates wouldn't know if "foo.map"
was originally "foo.map.o" (i.e. an object file in its own right) or
"foo.map" (an export definition file that should be treated as such,
not as an object file).

For the sake of simplifying things, we also modify util/mkdef.pl to
produce .def (Windows) and .opt (VMS) files that don't need additional
hackery.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoConfigure: Recognise .rc and .def / .map / .opt as source files
Richard Levitte [Fri, 1 Dec 2017 14:43:43 +0000 (15:43 +0100)]
Configure: Recognise .rc and .def / .map / .opt as source files

This makes it possible to add build.info statements for using resource
files as well as linker scripts (.def for Windows, .map for Unix, and
.opt for VMS) is if they were source files.  This requires changes in
the build file templates.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoConfigure: Read in extra information to help create shared libraries
Richard Levitte [Fri, 1 Dec 2017 14:40:43 +0000 (15:40 +0100)]
Configure: Read in extra information to help create shared libraries

This will replace the use of Makefile.shared

This also means a small adjustment on how the attributes dso_cflags,
dso_cxxflags and dso_lflags are treated.  They were previously treated
as an extension to shared_cflag, shared_cxxflag and shared_ldflag, but
they should really be regarded as alternatives instead, for example
for darwin, where -dynamiclib is used for shared libraries and -bundle
for DSOs.

We take the opportunity to clean out things that are redundant or
otherwise superfluous (for example the check of GNU ld on platforms
where it never existed).

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoConfigure: Add read_eval_file, a general purpose perl file reader/evaluator
Richard Levitte [Fri, 1 Dec 2017 14:29:05 +0000 (15:29 +0100)]
Configure: Add read_eval_file, a general purpose perl file reader/evaluator

It will return the last expression from the input file.

We also use this in read_config, which slightly changes what's
expected of Configurations/*.conf.  They do not have to assign
%targets specifically.  On the other hand, the table of configs MUST
be the last expression in each of those files.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoMinor improvements to ssl.pod
Daniel Bevenius [Tue, 12 Dec 2017 12:14:45 +0000 (13:14 +0100)]
Minor improvements to ssl.pod

This commit contains suggestion that (hopefully) improve the
documentation in ssl.pod.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4914)

6 years agoFix typo in comment
Benjamin Kaduk [Mon, 11 Dec 2017 14:47:19 +0000 (08:47 -0600)]
Fix typo in comment

The one in rsa.c was overlooked when fixing the same comment in
pkey.c as part of eff1752b66cb7bf6ca8af816eb10ead26910d025.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4902)

6 years agoConfigure: move the processing of predefined macros to a function
Richard Levitte [Mon, 6 Nov 2017 16:11:03 +0000 (17:11 +0100)]
Configure: move the processing of predefined macros to a function

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4899)

6 years agorsa: Do not allow less than 512 bit RSA keys
Sebastian Andrzej Siewior [Wed, 18 Oct 2017 11:30:23 +0000 (13:30 +0200)]
rsa: Do not allow less than 512 bit RSA keys

As per documentation, the RSA keys should not be smaller than 64bit (the
documentation mentions something about a quirk in the prime generation
algorithm). I am adding check into the code which used to be 16 for some
reason.
My primary motivation is to get rid of the last sentence in the
documentation which suggest that typical keys have 1024 bits (instead
updating it to the now default 2048).
I *assume* that keys less than the 2048 bits (say 512) are used for
education purposes.
The 512 bits as the minimum have been suggested by Bernd Edlinger.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4547)

6 years agoFix no-chacha
Matt Caswell [Sun, 10 Dec 2017 11:41:30 +0000 (11:41 +0000)]
Fix no-chacha

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4891)

6 years agoDon't expect a POLY1305 ciphersuite when using no-poly1305
Matt Caswell [Sun, 10 Dec 2017 11:05:19 +0000 (11:05 +0000)]
Don't expect a POLY1305 ciphersuite when using no-poly1305

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4891)

6 years agoReplace tabs with spaces in 25-cipher.conf.in
Matt Caswell [Sun, 10 Dec 2017 11:01:00 +0000 (11:01 +0000)]
Replace tabs with spaces in 25-cipher.conf.in

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4891)

6 years agoFix no-tls1_1
Matt Caswell [Sun, 10 Dec 2017 10:49:43 +0000 (10:49 +0000)]
Fix no-tls1_1

In 20-cert-select.conf there is a TLSv1.1 specific test which we should
skip if TLSv1.1. is disabled.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4890)

6 years agoFix ssl_test_new with no-tls1_2
Matt Caswell [Sun, 10 Dec 2017 10:15:34 +0000 (10:15 +0000)]
Fix ssl_test_new with no-tls1_2

The tests in 25-cipher.conf all use TLSv1.2 ciphersuites so we shouldn't
run it if we don't have TLSv1.2

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4889)

6 years agoUseless conf != NULL test
FdaSilvaYY [Sat, 9 Dec 2017 14:49:13 +0000 (15:49 +0100)]
Useless conf != NULL test

check is already made 10 line above.
clean commented code

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4885)

6 years agoapps/speed.c: initialize buffers
Patrick Steuer [Mon, 4 Dec 2017 17:32:12 +0000 (18:32 +0100)]
apps/speed.c: initialize buffers

Stop valgrind's complaints about uninitialized values.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4842)

6 years agoapps/speed.c: generate evp_cipher keys implicitly
Patrick Steuer [Mon, 4 Dec 2017 16:40:23 +0000 (17:40 +0100)]
apps/speed.c: generate evp_cipher keys implicitly

Generate keys using EVP_CIPHER's key generation routine to support
keys of a specific form.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4842)

6 years agodoc/man3/EVP_EncryptInit.pod: add EVP_CIPHER_CTX_rand_key
Patrick Steuer [Mon, 4 Dec 2017 23:36:43 +0000 (00:36 +0100)]
doc/man3/EVP_EncryptInit.pod: add EVP_CIPHER_CTX_rand_key

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4843)

6 years agoMake BIO_METHOD struct definitions consistent
Daniel Bevenius [Fri, 8 Dec 2017 07:20:10 +0000 (08:20 +0100)]
Make BIO_METHOD struct definitions consistent

I noticed that some of the BIO_METHOD structs are placing the name on
the same line as the type and some don't. This commit places the name
on a separate line for consistency (which looks like what the majority
do)

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4878)

6 years agoCorrect minor typo in ssl_locl.h comment
Daniel Bevenius [Fri, 8 Dec 2017 13:13:30 +0000 (14:13 +0100)]
Correct minor typo in ssl_locl.h comment

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4880)

6 years agoConvert the remaining functions in the record layer to use SSLfatal()
Matt Caswell [Mon, 4 Dec 2017 16:54:59 +0000 (16:54 +0000)]
Convert the remaining functions in the record layer to use SSLfatal()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)

6 years agoConvert dlts1_write_bytes() to use SSLfatal()
Matt Caswell [Mon, 4 Dec 2017 16:21:53 +0000 (16:21 +0000)]
Convert dlts1_write_bytes() to use SSLfatal()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)

6 years agoMore record layer conversions to use SSLfatal()
Matt Caswell [Mon, 4 Dec 2017 16:16:37 +0000 (16:16 +0000)]
More record layer conversions to use SSLfatal()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)

6 years agoConvert ssl3_read_bytes() to use SSLfatal()
Matt Caswell [Mon, 4 Dec 2017 14:47:04 +0000 (14:47 +0000)]
Convert ssl3_read_bytes() to use SSLfatal()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)

6 years agoUpdate ssl3_get_record() to use SSLfatal()
Matt Caswell [Mon, 4 Dec 2017 14:28:35 +0000 (14:28 +0000)]
Update ssl3_get_record() to use SSLfatal()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)

6 years agoAddress some code-analysis issues.
FdaSilvaYY [Fri, 8 Dec 2017 15:49:41 +0000 (10:49 -0500)]
Address some code-analysis issues.

Expression '...' is always true.
The 'b->init' variable is assigned values twice successively

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4753)

6 years agoFix an incoherent test.
FdaSilvaYY [Fri, 8 Dec 2017 15:25:38 +0000 (10:25 -0500)]
Fix an incoherent test.

Pointer 'o' is set inside a local buffer, so it can't be NULL.
Also fix coding style and add comments

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4754)

6 years agoFix test_tls13messages with no-ocsp
Benjamin Kaduk [Thu, 7 Dec 2017 22:45:47 +0000 (16:45 -0600)]
Fix test_tls13messages with no-ocsp

s_client -status is not available in this configuration.

While here, remove an outdated TODO(TLS1.3) comment.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)

6 years agoWrap more of ocspapitest.c in OPENSSL_NO_OCSP
Benjamin Kaduk [Thu, 7 Dec 2017 22:37:54 +0000 (16:37 -0600)]
Wrap more of ocspapitest.c in OPENSSL_NO_OCSP

make_dummy_resp() uses OCSP types, and get_cert_and_key() is unused
once make_dummy_resp() is compiled out, so neither can be included
in the build when OCSP is disabled and strict warnings are active.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)

6 years agoFix coverity nit in handshake_helper.c
Benjamin Kaduk [Thu, 7 Dec 2017 20:23:35 +0000 (14:23 -0600)]
Fix coverity nit in handshake_helper.c

There's no reason to wrap this call in TEST_true() if we're not
checking the return value of TEST_true() -- all of the surrounding
similar calls do not have the macro wrapping them.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)

6 years agoFix coverity-reported errors in ocspapitest
Benjamin Kaduk [Thu, 7 Dec 2017 20:14:47 +0000 (14:14 -0600)]
Fix coverity-reported errors in ocspapitest

Avoid memory leaks in error paths, and correctly apply
parentheses to function calls in a long if-chain.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)

6 years agoIn apps_startup(), call OPENSSL_init_ssl() rather than OPENSSL_init_crypto()
Richard Levitte [Sat, 25 Nov 2017 11:08:47 +0000 (12:08 +0100)]
In apps_startup(), call OPENSSL_init_ssl() rather than OPENSSL_init_crypto()

Otherwise, any command that relies on ssl modules may fail, because
SSL_add_ssl_module() will be called after the config file has already
been loaded.

Fixes #4788

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4792)

6 years agoIn OPENSSL_init_ssl(), run the base ssl init before OPENSSL_init_crypto()
Richard Levitte [Sat, 25 Nov 2017 11:02:58 +0000 (12:02 +0100)]
In OPENSSL_init_ssl(), run the base ssl init before OPENSSL_init_crypto()

IF OPENSSL_init_ssl() is called with the option flag
OPENSSL_INIT_LOAD_CONFIG, any SSL config will be handled wrongly
(i.e. there will be an attempt to load libssl_conf.so or whatever
corresponds to that on non-Unix platforms).  Therefore, at least
SSL_add_ssl_module() MUST be called before OPENSSL_init_crypto() is
called.  The base ssl init does that, plus adds all kinds of ciphers
and digests, which is harmless.

Fixes #4788

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4792)

6 years agoAdd missing range checks on number of multi primes in rsa_ossl_mod_exp
Bernd Edlinger [Thu, 7 Dec 2017 12:03:15 +0000 (13:03 +0100)]
Add missing range checks on number of multi primes in rsa_ossl_mod_exp

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4862)

6 years agoFix no-ec
Benjamin Kaduk [Thu, 7 Dec 2017 23:57:21 +0000 (17:57 -0600)]
Fix no-ec

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4874)

6 years agochacha/asm/chacha-x86_64.pl: add AVX512VL code path.
Andy Polyakov [Mon, 4 Dec 2017 13:16:19 +0000 (14:16 +0100)]
chacha/asm/chacha-x86_64.pl: add AVX512VL code path.

256-bit AVX512VL was estimated to deliver ~50% improvement over AVX2
and it did live up to the expectations.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4838)

6 years agocrypto/x86_64cpuid.pl: suppress AVX512F flag on Skylake-X.
Andy Polyakov [Mon, 4 Dec 2017 13:03:05 +0000 (14:03 +0100)]
crypto/x86_64cpuid.pl: suppress AVX512F flag on Skylake-X.

It was observed that AVX512 code paths can negatively affect overall
Skylake-X system performance. But we are talking specifically about
512-bit code, while AVX512VL, 256-bit variant of AVX512F instructions,
is supposed to fly as smooth as AVX2. Which is why it remains unmasked.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4838)

6 years agoLeave a message in doc to indicate 0 is not acceptable
Paul Yang [Tue, 21 Nov 2017 15:43:03 +0000 (23:43 +0800)]
Leave a message in doc to indicate 0 is not acceptable

[to be squashed]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4767)

6 years agoFix some issues in apps/req
Paul Yang [Tue, 21 Nov 2017 14:37:23 +0000 (22:37 +0800)]
Fix some issues in apps/req

1. the 'ignore -days' warning should not be printed without '-x509'
2. the 'ignore -days' warning should terminate with new-line

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4767)

6 years agoRemove unicode characters from source
Richard Levitte [Fri, 8 Dec 2017 10:40:30 +0000 (11:40 +0100)]
Remove unicode characters from source

Some compilers react badly to non-ASCII characters

Fixes #4877

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4879)

6 years agoputting the missing static
JitendraLulla [Wed, 15 Nov 2017 10:44:36 +0000 (16:14 +0530)]
putting the missing static

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4717)

6 years agomake get_cipher_handle static
JitendraLulla [Wed, 15 Nov 2017 01:13:48 +0000 (06:43 +0530)]
make get_cipher_handle static

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4717)

6 years agofix --strict-warnings
JitendraLulla [Wed, 15 Nov 2017 00:33:07 +0000 (06:03 +0530)]
fix  --strict-warnings

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4717)

6 years agoextending afalg with aes-cbc-192/256, afalgtest.c also updated accordingly. comments...
JitendraLulla [Sat, 11 Nov 2017 06:31:58 +0000 (12:01 +0530)]
extending afalg with aes-cbc-192/256, afalgtest.c also updated accordingly. comments from matt, Stephen considered

fix  indentation, remove printf from afalgtest.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4717)

6 years agoConsistent formatting for sizeof(foo)
Rich Salz [Thu, 7 Dec 2017 18:39:34 +0000 (13:39 -0500)]
Consistent formatting for sizeof(foo)

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4872)

6 years agoDocument how the configuration option 'reconf' works
Richard Levitte [Thu, 30 Nov 2017 20:48:04 +0000 (21:48 +0100)]
Document how the configuration option 'reconf' works

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

6 years agoConfigure: die if there are other arguments with 'reconf'
Richard Levitte [Thu, 30 Nov 2017 20:46:53 +0000 (21:46 +0100)]
Configure: die if there are other arguments with 'reconf'

It's better to inform the user about this than silently ignoring
something that the user might expect to work, somehow.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

6 years agoMake sure ./config passes options to ./Configure correctly
Richard Levitte [Thu, 30 Nov 2017 07:20:02 +0000 (08:20 +0100)]
Make sure ./config passes options to ./Configure correctly

This is, even when they contain spaces or all kinds of funny quotes

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

6 years agoHave all relevant config targets use the env() function rather than $ENV
Richard Levitte [Wed, 29 Nov 2017 16:41:10 +0000 (17:41 +0100)]
Have all relevant config targets use the env() function rather than $ENV

This way, any of the relevant environment variables for the platform
being configured are preserved and don't have to be recalled manually
when reconfiguring.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

6 years agoDocument the possibility for command line argument env assignments
Richard Levitte [Wed, 29 Nov 2017 12:23:07 +0000 (13:23 +0100)]
Document the possibility for command line argument env assignments

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

6 years agoMake it possible to add env var assignments as Configure options
Richard Levitte [Wed, 29 Nov 2017 12:16:53 +0000 (13:16 +0100)]
Make it possible to add env var assignments as Configure options

In other words, make the following possible:

    ./config CC=clang

or

    ./Configure CC=clang linux-x86_64

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

6 years agoSave away the environment variables we rely on
Richard Levitte [Wed, 29 Nov 2017 12:09:01 +0000 (13:09 +0100)]
Save away the environment variables we rely on

There are cases when we overwrite %ENV values, and while this is
perfectly fine on some platforms, it isn't on others, because the
Configure script isn't necessarely run in a separate process, and
thus, changing %ENV may very well change the environment of the
calling shell.  VMS is such a platform.

Furthermore, saving away values that we use also allow us to save them
in configdata.pm in an effective way, and recall those values just as
effectively when reconfiguring.  Also, this makes sure that we do use
the saved away values when reconfiguring, when the actual environment
variables might otherwise affect us.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

6 years agoFix the buffer sizing in the fatalerrtest
Matt Caswell [Thu, 7 Dec 2017 14:35:30 +0000 (14:35 +0000)]
Fix the buffer sizing in the fatalerrtest

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4867)

6 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Wed, 6 Dec 2017 14:09:11 +0000 (14:09 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoAdd a test for CVE-2017-3737
Matt Caswell [Wed, 29 Nov 2017 13:56:15 +0000 (13:56 +0000)]
Add a test for CVE-2017-3737

Test reading/writing to an SSL object after a fatal error has been
detected. This CVE only affected 1.0.2, but we should add it to other
branches for completeness.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
6 years agotest/bntest.c: add rsaz_1024_mul_avx2 regression test.
Andy Polyakov [Fri, 24 Nov 2017 10:37:59 +0000 (11:37 +0100)]
test/bntest.c: add rsaz_1024_mul_avx2 regression test.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agobn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2.
Andy Polyakov [Fri, 24 Nov 2017 10:35:50 +0000 (11:35 +0100)]
bn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2.

Credit to OSS-Fuzz for finding this.

CVE-2017-3738

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoFix the check_fatal macro
Matt Caswell [Tue, 5 Dec 2017 13:37:26 +0000 (13:37 +0000)]
Fix the check_fatal macro

The check_fatal macro is supposed to only be called if we are already
expecting to be in the fatal state. The macro asserts that we are and
puts us into the fatal state if not.

This issue combined with the problem fixed in the previous commit meant
that the fuzzer detected a crash at a point in the processing when we
should have already been in the fatal state.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4847)

6 years agoFix bug in TLSv1.3 PSK processing
Matt Caswell [Tue, 5 Dec 2017 13:36:13 +0000 (13:36 +0000)]
Fix bug in TLSv1.3 PSK processing

The recent SSL error overhaul left a case where an error occurs but
SSLfatal() is not called.

Credit to OSSfuzz for finding this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4847)

6 years agoapps/speed.c: detect evp cipher 32-bit ctr overflow and reset iv
Patrick Steuer [Tue, 5 Dec 2017 12:10:11 +0000 (13:10 +0100)]
apps/speed.c: detect evp cipher 32-bit ctr overflow and reset iv

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4846)

6 years agoAdd link for more SECLEVEL info
Rich Salz [Tue, 5 Dec 2017 15:53:45 +0000 (10:53 -0500)]
Add link for more SECLEVEL info

Thanks to Michel Sales for the suggestion.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4849)

6 years agoFix minor typo in comment in rsa_st
Daniel Bevenius [Tue, 5 Dec 2017 11:01:14 +0000 (12:01 +0100)]
Fix minor typo in comment in rsa_st

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4845)

6 years agoUpdate eng_fat.c
MerQGh [Mon, 4 Dec 2017 06:20:51 +0000 (09:20 +0300)]
Update eng_fat.c

This line will allow use private keys, which created by Crypto Pro, to
sign with OpenSSL.

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4836)

6 years agomodes/asm/ghashv8-armx.pl: handle lengths not divisible by 4x.
Andy Polyakov [Fri, 1 Dec 2017 21:32:48 +0000 (22:32 +0100)]
modes/asm/ghashv8-armx.pl: handle lengths not divisible by 4x.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4830)

6 years agomodes/asm/ghashv8-armx.pl: optimize modulo-scheduled loop.
Andy Polyakov [Fri, 1 Dec 2017 14:57:43 +0000 (15:57 +0100)]
modes/asm/ghashv8-armx.pl: optimize modulo-scheduled loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4830)

6 years agomodes/asm/ghashv8-armx.pl: modulo-schedule loop.
Andy Polyakov [Fri, 1 Dec 2017 12:13:25 +0000 (13:13 +0100)]
modes/asm/ghashv8-armx.pl: modulo-schedule loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4830)

6 years agomodes/asm/ghashv8-armx.pl: implement 4x aggregate factor.
Andy Polyakov [Fri, 1 Dec 2017 10:59:18 +0000 (11:59 +0100)]
modes/asm/ghashv8-armx.pl: implement 4x aggregate factor.

This initial commit is unoptimized reference version that handles
input lengths divisible by 4 blocks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4830)

6 years agokey_A and key_B had 3 references, only 2 were freed.
Patrick Steuer [Mon, 4 Dec 2017 15:23:24 +0000 (10:23 -0500)]
key_A and key_B had 3 references, only 2 were freed.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4837)

6 years agoapps/speed.c: use 32 byte key material as default
Patrick Steuer [Sun, 3 Dec 2017 13:28:40 +0000 (14:28 +0100)]
apps/speed.c: use 32 byte key material as default

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4834)

6 years agoapps/speed.c: add -seconds and -bytes options
Patrick Steuer [Sat, 2 Dec 2017 09:05:35 +0000 (10:05 +0100)]
apps/speed.c: add -seconds and -bytes options

Add speed tool options to run cipher, digest and rand benchmarks for a
single buffer size specified by -bytes over a time interval specified
by -seconds.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4834)

6 years agoFix some formatting nits
Matt Caswell [Mon, 4 Dec 2017 13:37:01 +0000 (13:37 +0000)]
Fix some formatting nits

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoRemove spurious whitespace
Matt Caswell [Mon, 27 Nov 2017 11:41:26 +0000 (11:41 +0000)]
Remove spurious whitespace

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoUpdate an error reason code to be ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
Matt Caswell [Mon, 27 Nov 2017 11:34:05 +0000 (11:34 +0000)]
Update an error reason code to be ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED

The most likely explanation for us ending up at this point in the code
is that we were called by the user application incorrectly - so use an
appropriate error code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoFix the Boring tests following the SSLfatal() changes
Matt Caswell [Thu, 23 Nov 2017 14:35:19 +0000 (14:35 +0000)]
Fix the Boring tests following the SSLfatal() changes

An error reason code has changed for one of the boring tests, so
ossl_config.json needed an update to take account of it.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoAdd some more cleanups
Matt Caswell [Thu, 23 Nov 2017 13:11:42 +0000 (13:11 +0000)]
Add some more cleanups

Follow up from the conversion to use SSLfatal() in the state machine to
clean things up a bit more.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoAssert that SSLfatal() only gets called once
Matt Caswell [Thu, 23 Nov 2017 12:33:11 +0000 (12:33 +0000)]
Assert that SSLfatal() only gets called once

We shouldn't call SSLfatal() multiple times for the same error condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoAdd some sanity checks for the fatal error condition
Matt Caswell [Thu, 23 Nov 2017 12:10:54 +0000 (12:10 +0000)]
Add some sanity checks for the fatal error condition

Sometimes at the top level of the state machine code we know we are
supposed to be in a fatal error condition. This commit adds some sanity
checks to ensure that SSLfatal() has been called.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoFix up a few places in the state machine that got missed with SSLfatal()
Matt Caswell [Thu, 23 Nov 2017 11:41:40 +0000 (11:41 +0000)]
Fix up a few places in the state machine that got missed with SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoConvert more functions in ssl/statem/statem_dtls.c to use SSLfatal()
Matt Caswell [Thu, 23 Nov 2017 11:19:34 +0000 (11:19 +0000)]
Convert more functions in ssl/statem/statem_dtls.c to use SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoConvert more functions in ssl/statem/statem.c to use SSLfatal()
Matt Caswell [Thu, 23 Nov 2017 10:37:51 +0000 (10:37 +0000)]
Convert more functions in ssl/statem/statem.c to use SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoConvert remaining functions in statem_srvr.c to use SSLfatal()
Matt Caswell [Wed, 22 Nov 2017 17:43:20 +0000 (17:43 +0000)]
Convert remaining functions in statem_srvr.c to use SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoConvert remaining functions in statem_clnt.c to use SSLfatal()
Matt Caswell [Wed, 22 Nov 2017 17:18:39 +0000 (17:18 +0000)]
Convert remaining functions in statem_clnt.c to use SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoConvert the state machine code to use SSLfatal()
Matt Caswell [Tue, 21 Nov 2017 17:18:43 +0000 (17:18 +0000)]
Convert the state machine code to use SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoReplace some usage of SSLerr with SSLfatal()
Matt Caswell [Thu, 23 Nov 2017 16:25:05 +0000 (16:25 +0000)]
Replace some usage of SSLerr with SSLfatal()

This is an initial step towards using SSLfatal() everywhere. Initially in
this commit and in subsequent commits we focus on the state machine code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoProvide an SSLfatal() macro
Matt Caswell [Thu, 23 Nov 2017 16:21:46 +0000 (16:21 +0000)]
Provide an SSLfatal() macro

Typically if a fatal error occurs three things need to happen:

- Put an error on the error queue
- Send an alert
- Put the state machine into the error state

Although all 3 of these things need to be done every time we hit a fatal
error the responsibilities for doing this are distributed throughout the
code. The place where the error goes on the queue, where the alert gets
sent and where the state machine goes into the error state are almost
invariably different. It has been a common pattern to pass alert codes up
and down the stack to get the alert information from the point in the code
where the error is detected to the point in the code where the alert gets
sent.

This commit provides an SSLfatal() macro (backed by an ossl_statem_fatal
function) that does all 3 of the above error tasks. This is largely a drop
in replacement for SSLerr, but takes a couple of extra parameters (the SSL
object, and an alert code).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

6 years agoAdjusted Argument Indices
Markus Sauermann [Sun, 3 Dec 2017 12:23:21 +0000 (13:23 +0100)]
Adjusted Argument Indices
CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4835)

6 years agoMake possible variant SONAMEs and symbol versions
Viktor Dukhovni [Tue, 21 Nov 2017 02:30:04 +0000 (21:30 -0500)]
Make possible variant SONAMEs and symbol versions

This small change in the Unix template and shared library build
scripts enables building "variant" shared libraries.  A "variant"
shared library has a non-default SONAME, and non default symbol
versions.  This makes it possible to build (say) an OpenSSL 1.1.0
library that can coexist without conflict in the same process address
space as the system's default OpenSSL library which may be OpenSSL
1.0.2.

Such "variant" shared libraries make it possible to link applications
against a custom OpenSSL library installed in /opt/openssl/1.1 or
similar location, and not risk conflict with an indirectly loaded
OpenSSL runtime that is required by some other dependency.

Variant shared libraries have been fully tested under Linux, and
build successfully on MacOS/X producing variant DYLD names.  MacOS/X
Darwin has no symbol versioning, but has a non-flat library namespace.
Variant libraries may therefore support multiple OpenSSL libraries
in the same address space also with MacOS/X, despite lack of symbol
versions, but this has not been verified.

Variant shared libraries are optional and off by default.

Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years agoAdd "friendly name" extractor
Rich Salz [Tue, 28 Nov 2017 19:53:33 +0000 (14:53 -0500)]
Add "friendly name" extractor

From a comment posted by GitHub user "geniuz"

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4812)

6 years agoAdd sk_new_reserve support
Todd Short [Wed, 4 Oct 2017 13:15:19 +0000 (09:15 -0400)]
Add sk_new_reserve support

This is a specific 1.1.1 change; do not squash if the chacha
prioritization code is to be backported

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4436)

6 years agoUse ChaCha only if prioritized by clnt
Todd Short [Mon, 21 Dec 2015 20:19:29 +0000 (15:19 -0500)]
Use ChaCha only if prioritized by clnt

IFF the client has ChaCha first, and server cipher priority is used,
and the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option is used,
then reprioritize ChaCha above everything else. This way, A matching
ChaCha cipher will be selected if there is a match. If no ChaCha ciphers
match, then the other ciphers are used.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4436)

6 years agoA missing semicolon prevents compilation with ENGINE_REF_COUNT_DEBUG enabled.
Pauli [Tue, 28 Nov 2017 22:48:19 +0000 (08:48 +1000)]
A missing semicolon prevents compilation with ENGINE_REF_COUNT_DEBUG enabled.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4816)

6 years agoFix chacha-armv4.pl with clang -fno-integrated-as.
David Benjamin [Fri, 16 Jun 2017 01:22:21 +0000 (21:22 -0400)]
Fix chacha-armv4.pl with clang -fno-integrated-as.

The __clang__-guarded #defines cause gas to complain if clang is passed
-fno-integrated-as. Emitting .syntax unified when those are used fixes
this. This matches the change made to ghash-armv4.pl in
6cf412c473d8145562b76219ce3da73b201b3255.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/3694)

6 years agorsa/rsa_gen.c: harmonize keygen's ability with RSA_security_bits.
Andy Polyakov [Fri, 24 Nov 2017 21:45:45 +0000 (22:45 +0100)]
rsa/rsa_gen.c: harmonize keygen's ability with RSA_security_bits.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4791)

6 years agorsa/rsa_lib.c: make RSA_security_bits multi-prime aware.
Andy Polyakov [Fri, 24 Nov 2017 20:31:11 +0000 (21:31 +0100)]
rsa/rsa_lib.c: make RSA_security_bits multi-prime aware.

Multi-prime RSA security is not determined by modulus length alone, but
depends even on number of primes. Too many primes render security
inadequate, but there is no common amount of primes or common factors'
length that provide equivalent secuity promise as two-prime for given
modulus length. Maximum amount of permitted primes is determined
according to following table.

   <1024 | >=1024 | >=4096 | >=8192
   ------+--------+--------+-------
     2   |   3    |   4    |   5

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4791)