oweals/openssl.git
7 years agoVarious clean-ups
KaoruToda [Sat, 21 Oct 2017 02:58:46 +0000 (22:58 -0400)]
Various clean-ups

Add a check for NULL return in t1_lib.c.
    Since return type of ssl_cert_lookup_by_idx is pointer and unify coding
    style, I changed from zero to NULL in ssl_cert.c.

Remove unnecessary space for ++.

Fix incorrect condition
    Expression is always false because 'else if' condition matches previous
    condition.  SInce the next line of 'else if' condition has substituted
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2, the 'else if'
    condition should compare with NID_X9_62_characteristic_two_field.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4562)

7 years agoECDSA_* is deprecated. EC_KEY_* is used instead
Jakub Jelen [Fri, 20 Oct 2017 13:41:43 +0000 (15:41 +0200)]
ECDSA_* is deprecated. EC_KEY_* is used instead

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Laurie <ben@links.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4561)

7 years agoAdditional name for all commands
Rich Salz [Wed, 18 Oct 2017 19:33:56 +0000 (15:33 -0400)]
Additional name for all commands

Add openssl-foo as a name for the openssl "foo" command.
Addresses an issue found by a usability study to be published.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4553)

7 years agoRemove parentheses of return.
KaoruToda [Tue, 17 Oct 2017 14:04:09 +0000 (23:04 +0900)]
Remove parentheses of return.

Since return is inconsistent, I removed unnecessary parentheses and
unified them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4541)

7 years agoAdd missing RAND_DRBG locking
Benjamin Kaduk [Wed, 11 Oct 2017 17:25:26 +0000 (19:25 +0200)]
Add missing RAND_DRBG locking

The drbg's lock must be held across calls to RAND_DRBG_generate()
to prevent simultaneous modification of internal state.

This was observed in practice with simultaneous SSL_new() calls attempting
to seed the (separate) per-SSL RAND_DRBG instances from the global
rand_drbg instance; this eventually led to simultaneous calls to
ctr_BCC_update() attempting to increment drbg->bltmp_pos for their
respective partial final block, violating the invariant that bltmp_pos < 16.
The AES operations performed in ctr_BCC_blocks() makes the race window
quite easy to trigger.  A value of bltmp_pos greater than 16 induces
catastrophic failure in ctr_BCC_final(), with subtraction overflowing
and leading to an attempt to memset() to zero a very large range,
which eventually reaches an unmapped page and segfaults.

Provide the needed locking in get_entropy_from_parent(), as well as
fixing a similar issue in RAND_priv_bytes().  There is also an
unlocked call to RAND_DRBG_generate() in ssl_randbytes(), but the
requisite serialization is already guaranteed by the requirements on
the application's usage of SSL objects, and no further locking is
needed for correct behavior.  In that case, leave a comment noting
the apparent discrepancy and the reason for its safety (at present).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4328)

7 years agoRemove unnecessary DRBG_RESEED state
Dr. Matthias St. Pierre [Mon, 9 Oct 2017 21:51:42 +0000 (23:51 +0200)]
Remove unnecessary DRBG_RESEED state

The DRBG_RESEED state plays an analogue role to the |reseed_required_flag| in
Appendix B.3.4 of [NIST SP 800-90A Rev. 1]. The latter is a local variable,
the scope of which is limited to the RAND_DRBG_generate() function. Hence there
is no need for a DRBG_RESEED state outside of the generate function. This state
was removed and replaced by a local variable |reseed_required|.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4328)

7 years agoFix reseeding issues of the public RAND_DRBG
Dr. Matthias St. Pierre [Thu, 31 Aug 2017 21:16:22 +0000 (23:16 +0200)]
Fix reseeding issues of the public RAND_DRBG

Reseeding is handled very differently by the classic RAND_METHOD API
and the new RAND_DRBG api. These differences led to some problems when
the new RAND_DRBG was made the default OpenSSL RNG. In particular,
RAND_add() did not work as expected anymore. These issues are discussed
on the thread '[openssl-dev] Plea for a new public OpenSSL RNG API'
and in Pull Request #4328. This commit fixes the mentioned issues,
introducing the following changes:

- Replace the fixed size RAND_BYTES_BUFFER by a new RAND_POOL API which
  facilitates collecting entropy by the get_entropy() callback.
- Don't use RAND_poll()/RAND_add() for collecting entropy from the
  get_entropy() callback anymore. Instead, replace RAND_poll() by
  RAND_POOL_acquire_entropy().
- Add a new function rand_drbg_restart() which tries to get the DRBG
  in an instantiated state by all means, regardless of the current
  state (uninstantiated, error, ...) the DRBG is in. If the caller
  provides entropy or additional input, it will be used for reseeding.
- Restore the original documented behaviour of RAND_add() and RAND_poll()
  (namely to reseed the DRBG immediately) by a new implementation based
  on rand_drbg_restart().
- Add automatic error recovery from temporary failures of the entropy
  source to RAND_DRBG_generate() using the rand_drbg_restart() function.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4328)

7 years agos390x assembly pack: remove capability double-checking.
Patrick Steuer [Mon, 30 Jan 2017 11:50:54 +0000 (12:50 +0100)]
s390x assembly pack: remove capability double-checking.

An instruction's QUERY function is executed at initialization, iff the required
MSA level is installed. Therefore, it is sufficient to check the bits returned
by the QUERY functions. The MSA level does not have to be checked at every
function call.
crypto/aes/asm/aes-s390x.pl: The AES key schedule must be computed if the
required KM or KMC function codes are not available. Formally, the availability
of a KMC function code does not imply the availability of the corresponding KM
function code.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)

7 years agocrypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.
Patrick Steuer [Fri, 27 Jan 2017 08:47:48 +0000 (09:47 +0100)]
crypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)

7 years agoUpdate RAND_load_file return value.
Rich Salz [Mon, 16 Oct 2017 16:10:45 +0000 (12:10 -0400)]
Update RAND_load_file return value.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4537)

7 years agox509v3/v3_utl.c: avoid double-free.
Andy Polyakov [Sat, 14 Oct 2017 08:21:19 +0000 (10:21 +0200)]
x509v3/v3_utl.c: avoid double-free.

Thanks to David Benjamin for spotting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4532)

7 years agomodes/gcm128.c: harmonize GCM_MUL macro with GHASH.
Andy Polyakov [Sat, 14 Oct 2017 08:14:29 +0000 (10:14 +0200)]
modes/gcm128.c: harmonize GCM_MUL macro with GHASH.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoSome cleanups to apps/ca.c
FdaSilvaYY [Mon, 16 Oct 2017 19:46:50 +0000 (15:46 -0400)]
Some cleanups to apps/ca.c

Few code format fixup
Fix limit computation; was too strict by 2 bytes.
Simplify computation of buffer limits
Checking is strictly same as sizeof(".pem") == 5
Simplify loop of code for certificate filename creation
Fix MAX_PATH usage

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1936)

7 years agoMake '-name' option of the 's_client' more generic
Paul Yang [Mon, 16 Oct 2017 19:32:24 +0000 (15:32 -0400)]
Make '-name' option of the 's_client' more generic

And also make '-xmpphost' an alias of the '-name' option.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4524)

7 years agoRemove unused variable.
Ben Laurie [Thu, 14 Sep 2017 10:21:11 +0000 (11:21 +0100)]
Remove unused variable.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4367)

7 years agoCleaning secret data after use
EasySec [Mon, 16 Oct 2017 19:05:10 +0000 (15:05 -0400)]
Cleaning secret data after use

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4509)

7 years agoadded cmcCA and cmcRA as per rfc6402, capitalized per RFC7030 author
Michael Richardson [Fri, 15 Sep 2017 16:21:21 +0000 (12:21 -0400)]
added cmcCA and cmcRA as per rfc6402, capitalized per RFC7030 author

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4378)

7 years agoCode hygiene; initialize some pointers.
Mouse [Tue, 10 Oct 2017 18:02:56 +0000 (14:02 -0400)]
Code hygiene; initialize some pointers.

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4515)

7 years agoTweak the comment regarding record version check with respect to TLSv1.3
Matt Caswell [Mon, 16 Oct 2017 10:19:03 +0000 (11:19 +0100)]
Tweak the comment regarding record version check with respect to TLSv1.3

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)

7 years agoSanity check the HRR version field
Matt Caswell [Fri, 13 Oct 2017 13:36:32 +0000 (14:36 +0100)]
Sanity check the HRR version field

The previous commit removed version negotiation on an HRR. However we should
still sanity check the contents of the version field.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)

7 years agoDon't do version neg on an HRR
Matt Caswell [Fri, 13 Oct 2017 10:41:50 +0000 (11:41 +0100)]
Don't do version neg on an HRR

Previously if a client received an HRR then we would do version negotiation
immediately - because we know we are going to get TLSv1.3. However this
causes a problem when we emit the 2nd ClientHello because we start changing
a whole load of stuff to ommit things that aren't relevant for < TLSv1.3.
The spec requires that the 2nd ClientHello is the same except for changes
required from the HRR. Therefore the simplest thing to do is to defer the
version negotiation until we receive the ServerHello.

Fixes #4292

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)

7 years agoFix incorrect function name in BN_bn2bin manpage
daurnimator [Fri, 13 Oct 2017 23:06:25 +0000 (16:06 -0700)]
Fix incorrect function name in BN_bn2bin manpage

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4529)

7 years agoFix a bug in ALPN comparation code of a test case
Paul Yang [Tue, 10 Oct 2017 16:25:26 +0000 (00:25 +0800)]
Fix a bug in ALPN comparation code of a test case

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4497)

7 years agoFix reading heap overflow in a test case
Paul Yang [Mon, 9 Oct 2017 09:16:17 +0000 (17:16 +0800)]
Fix reading heap overflow in a test case

Caught by AddressSanitizer

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4497)

7 years agoAdd branch coverage to coveralls statistics
Richard Levitte [Sat, 30 Sep 2017 17:39:39 +0000 (19:39 +0200)]
Add branch coverage to coveralls statistics

Fixes #4444

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4447)

7 years agoRemove email addresses from source code.
Rich Salz [Tue, 10 Oct 2017 21:55:09 +0000 (17:55 -0400)]
Remove email addresses from source code.

Names were not removed.
Some comments were updated.
Replace Andy's address with openssl.org

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4516)

7 years agoAdd CRYPTO_get_alloc_counts.
Rich Salz [Thu, 5 Oct 2017 01:17:58 +0000 (21:17 -0400)]
Add CRYPTO_get_alloc_counts.

Use atomic operations for the counters
Rename malloc_lock to memdbg_lock
Also fix some style errors in mem_dbg.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4359)

7 years agoFix memory leak in DH_get_nid()
Benjamin Kaduk [Thu, 12 Oct 2017 17:12:10 +0000 (12:12 -0500)]
Fix memory leak in DH_get_nid()

If q is non-NULL but p is indeed a safe prime, a modified copy
of p could be leaked.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4525)

7 years agoAdd a test for setting initial SNI in CH but not using it with early_data
Matt Caswell [Wed, 11 Oct 2017 13:42:25 +0000 (14:42 +0100)]
Add a test for setting initial SNI in CH but not using it with early_data

Test for the bug where early_data is not accepted by the server when it
does not have an SNI callback set up, but the client sent a servername in
the initial ClientHello establishing the session.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4519)

7 years agoFix bug where early_data does not work if no SNI callback is present
Matt Caswell [Tue, 10 Oct 2017 08:50:56 +0000 (09:50 +0100)]
Fix bug where early_data does not work if no SNI callback is present

Fixes #4496

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4519)

7 years agomake update
Dr. Stephen Henson [Thu, 12 Oct 2017 01:41:27 +0000 (02:41 +0100)]
make update

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)

7 years agoAdd RFC7919 documentation.
Dr. Stephen Henson [Sat, 7 Oct 2017 12:42:05 +0000 (13:42 +0100)]
Add RFC7919 documentation.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)

7 years agoAdd RFC7919 tests.
Dr. Stephen Henson [Sat, 7 Oct 2017 01:56:11 +0000 (02:56 +0100)]
Add RFC7919 tests.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)

7 years agoAdd pad support
Dr. Stephen Henson [Thu, 21 Sep 2017 14:40:15 +0000 (15:40 +0100)]
Add pad support

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)

7 years agoDon't assume shared key length matches expected length
Dr. Stephen Henson [Fri, 6 Oct 2017 23:04:17 +0000 (00:04 +0100)]
Don't assume shared key length matches expected length

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)

7 years agoAdd RFC7919 support to EVP
Dr. Stephen Henson [Tue, 30 May 2017 00:19:50 +0000 (01:19 +0100)]
Add RFC7919 support to EVP

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)

7 years agoAdd objects for RFC7919 parameters
Dr. Stephen Henson [Tue, 19 Sep 2017 11:56:41 +0000 (12:56 +0100)]
Add objects for RFC7919 parameters

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)

7 years agoDH named parameter support
Dr. Stephen Henson [Tue, 30 May 2017 00:16:56 +0000 (01:16 +0100)]
DH named parameter support

Add functions to return DH parameters using NID and to return the
NID if parameters match a named set. Currently this supports only
RFC7919 parameters but could be expanded in future.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)

7 years agoAdd primes from RFC7919
Dr. Stephen Henson [Mon, 29 May 2017 19:38:02 +0000 (20:38 +0100)]
Add primes from RFC7919

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)

7 years agoSupport constant BN for DH parameters
Dr. Stephen Henson [Sun, 8 Oct 2017 20:04:05 +0000 (21:04 +0100)]
Support constant BN for DH parameters

If BN_FLG_STATIC_DATA is set don't cleanse a->d as it will reside
in read only memory. If BN_FLG_MALLOCED is not set don't modify the
BIGNUM at all.

This change applies to BN_clear_free() and BN_free(). Now the BIGNUM
structure is opaque applications cannot create a BIGNUM structure
without BN_FLG_MALLOCED being set so they are unaffected.

Update internal DH routines so they only copy pointers for read only
parameters.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)

7 years agoDocument EVP_PKEY_set1_engine()
Dr. Stephen Henson [Tue, 10 Oct 2017 12:42:24 +0000 (13:42 +0100)]
Document EVP_PKEY_set1_engine()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

7 years agoAdd EVP_PKEY_METHOD redirection test
Dr. Stephen Henson [Mon, 9 Oct 2017 22:24:51 +0000 (23:24 +0100)]
Add EVP_PKEY_METHOD redirection test

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

7 years agomake update
Dr. Stephen Henson [Tue, 10 Oct 2017 12:31:04 +0000 (13:31 +0100)]
make update

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

7 years agoAdd EVP_PKEY_set1_engine() function.
Dr. Stephen Henson [Mon, 9 Oct 2017 14:21:11 +0000 (15:21 +0100)]
Add EVP_PKEY_set1_engine() function.

Add an ENGINE to EVP_PKEY structure which can be used for cryptographic
operations: this will typically be used by an HSM key to redirect calls
to a custom EVP_PKEY_METHOD.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

7 years agoFix memory leak on lookup failure
Dr. Stephen Henson [Mon, 9 Oct 2017 22:24:26 +0000 (23:24 +0100)]
Fix memory leak on lookup failure

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

7 years agoDon't ignore passed ENGINE.
Dr. Stephen Henson [Mon, 9 Oct 2017 13:37:21 +0000 (14:37 +0100)]
Don't ignore passed ENGINE.

If we are passed an ENGINE to use in int_ctx_new e.g. via EVP_PKEY_CTX_new()
use it instead of the default.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

7 years agoEnsure we test all parameters for BN_FLG_CONSTTIME
Matt Caswell [Wed, 27 Sep 2017 10:13:47 +0000 (11:13 +0100)]
Ensure we test all parameters for BN_FLG_CONSTTIME

RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls
BN_mod_exp() as follows:

BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)

ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In
BN_mod_exp() we only test the third param for the existence of this flag.
We should test all the inputs.

Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this
issue.

This typically only happens once at key load, so this is unlikely to be
exploitable in any real scenario.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4477)

7 years agoRemove an unused file
Matt Caswell [Thu, 5 Oct 2017 09:01:03 +0000 (10:01 +0100)]
Remove an unused file

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4468)

7 years agoAppease -Werror=maybe-uninitialized
Benjamin Kaduk [Wed, 11 Oct 2017 13:18:13 +0000 (08:18 -0500)]
Appease -Werror=maybe-uninitialized

test/bad_dtls_test.c: In function 'validate_client_hello':
test/bad_dtls_test.c:128:33: error: 'u' may be used uninitialized in this function [-Werror=maybe-uninitialized]
     if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
                                 ^
Apparently -O1 does not perform sufficient optimization to ascertain
that PACKET_get_1 will always initialize u if it returns true.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4518)

7 years agoMove supportedgroup ext-block fields out of NO_EC
Benjamin Kaduk [Wed, 11 Oct 2017 12:55:30 +0000 (07:55 -0500)]
Move supportedgroup ext-block fields out of NO_EC

Now that we are moving to support named FFDH groups, these fields are not
ec-specific, so we need them to always be available.

This fixes the no-ec --strict-warnings build, since gcc
5.4.0-6ubuntu1~16.04.4 appears to always try to compile the static inline
functions from ssl_locl.h, even when they are not used in the current
compilation unit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4518)

7 years agoReturn a value from atomic read on Windows.
Pauli [Tue, 10 Oct 2017 23:47:54 +0000 (09:47 +1000)]
Return a value from atomic read on Windows.
Use a read lock when reading using pthreads.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4517)

7 years agoFix typos
Keshav Kini [Tue, 10 Oct 2017 06:32:56 +0000 (23:32 -0700)]
Fix typos

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4513)

7 years agocrypto/x509v3/v3_utl.c, ssl/ssl_cert.c: fix Coverity problems.
Andy Polyakov [Sun, 8 Oct 2017 18:10:13 +0000 (20:10 +0200)]
crypto/x509v3/v3_utl.c, ssl/ssl_cert.c: fix Coverity problems.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4492)

7 years agoapps/speed.c: add 'rand' algo to enable DRBG performance measurements.
Patrick Steuer [Sat, 7 Oct 2017 09:38:19 +0000 (11:38 +0200)]
apps/speed.c: add 'rand' algo to enable DRBG performance measurements.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4481)

7 years agoDon't change client random in Client Hello in its second flight
Tatsuhiro Tsujikawa [Sun, 8 Oct 2017 14:37:01 +0000 (23:37 +0900)]
Don't change client random in Client Hello in its second flight

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4490)

7 years agoAdd atomic write call
Pauli [Mon, 9 Oct 2017 04:39:43 +0000 (14:39 +1000)]
Add atomic write call

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4414)

7 years agoAdd a CRYPTO_atomic_read call which allows an int variable to be read
Pauli [Mon, 25 Sep 2017 02:04:42 +0000 (12:04 +1000)]
Add a CRYPTO_atomic_read call which allows an int variable to be read
in an atomic fashion.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4414)

7 years agoEVP_EncryptInit.pod: EVP_CIPHER_mode and EVP_CIPHER_CTX_mode update
Patrick Steuer [Mon, 9 Oct 2017 10:16:34 +0000 (12:16 +0200)]
EVP_EncryptInit.pod: EVP_CIPHER_mode and EVP_CIPHER_CTX_mode update

Mention CTR, GCM, CCM, OCB, WRAP and XTS modes.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4498)

7 years agoapps/speed.c: fix ccm performance measurements.
Patrick Steuer [Mon, 20 Feb 2017 16:49:36 +0000 (17:49 +0100)]
apps/speed.c: fix ccm performance measurements.

CCM does not support streaming: An additional call to (EVP_...)Update must
precede each call to Update to pass the total message length. The generic
Update_loop calls Update one time such that in case of CCM only the total
message length is passed. No encryption/decryption measured.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4480)

7 years agoset_hex() behaviour change
EasySec [Mon, 9 Oct 2017 21:53:21 +0000 (07:53 +1000)]
set_hex() behaviour change

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4488)

7 years agoReduce the things we ignore in test/
Richard Levitte [Mon, 9 Oct 2017 15:58:50 +0000 (17:58 +0200)]
Reduce the things we ignore in test/

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)

7 years agoUse the possibility to have test results in a different directory
Richard Levitte [Mon, 9 Oct 2017 15:57:13 +0000 (17:57 +0200)]
Use the possibility to have test results in a different directory

RESULT_D can be used to provide a separate directory for test results.
Let's use that to separate them from other files.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)

7 years agoFix util/perl/OpenSSL/Test.pm input variable overwrite
Richard Levitte [Mon, 9 Oct 2017 15:55:38 +0000 (17:55 +0200)]
Fix util/perl/OpenSSL/Test.pm input variable overwrite

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)

7 years agoFix util/find-doc-nits to correctly parse function signature typedefs
Richard Levitte [Mon, 9 Oct 2017 11:21:24 +0000 (13:21 +0200)]
Fix util/find-doc-nits to correctly parse function signature typedefs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4499)

7 years agoCorrect some typedef documentation
Richard Levitte [Mon, 9 Oct 2017 10:55:27 +0000 (12:55 +0200)]
Correct some typedef documentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4499)

7 years agoSince return is inconsistent, I removed unnecessary parentheses and
KaoruToda [Mon, 9 Oct 2017 11:05:58 +0000 (20:05 +0900)]
Since return is inconsistent, I removed unnecessary parentheses and
unified them.
- return (0); -> return 0;
- return (1); -> return 1;
- return (-1); -> return -1;

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4500)

7 years agoDocument that lhash isn't thread safe under any circumstances and
Pauli [Thu, 28 Sep 2017 00:09:18 +0000 (10:09 +1000)]
Document that lhash isn't thread safe under any circumstances and
indicate the level of locking required for various operations.

Remove the lock and atomics from the lhash code.  These we're not complete
or adequate.

Refer to #4418 and #4427 for details.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4429)

7 years agoFix doc for i2d/d2i private/public key
Rich Salz [Sun, 8 Oct 2017 14:50:38 +0000 (10:50 -0400)]
Fix doc for i2d/d2i private/public key

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4491)

7 years agoAnchor the regexp match
Rich Salz [Sat, 7 Oct 2017 18:59:18 +0000 (14:59 -0400)]
Anchor the regexp match

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4483)

7 years agoRewrite some code
Rich Salz [Fri, 6 Oct 2017 15:06:12 +0000 (11:06 -0400)]
Rewrite some code

Rewrite the -req-nodes flag from CA.pl (idea from Andy)
Rewrite ERR_string_error_n

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4478)

7 years agoMerge tls1_check_curve into tls1_check_group_id
Dr. Stephen Henson [Tue, 26 Sep 2017 15:17:44 +0000 (16:17 +0100)]
Merge tls1_check_curve into tls1_check_group_id

The function tls_check_curve is only called on clients and contains
almost identical functionaity to tls1_check_group_id when called from
a client. Merge the two.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)

7 years agoChange curves to groups where relevant
Dr. Stephen Henson [Tue, 26 Sep 2017 14:41:34 +0000 (15:41 +0100)]
Change curves to groups where relevant

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)

7 years agoUse separate functions for supported and peer groups lists
Dr. Stephen Henson [Tue, 26 Sep 2017 14:28:16 +0000 (15:28 +0100)]
Use separate functions for supported and peer groups lists

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)

7 years agodoc/man1/openssl.pod: Add missing commands and links
Richard Levitte [Fri, 6 Oct 2017 05:44:27 +0000 (07:44 +0200)]
doc/man1/openssl.pod: Add missing commands and links

Fixes #4471 and more

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4472)

7 years agoFixes #4459 "issuserAltName" documentation typo.
Andrew Siplas [Wed, 4 Oct 2017 06:11:08 +0000 (02:11 -0400)]
Fixes #4459 "issuserAltName" documentation typo.

See crypto/objects/objects.txt:767 -- field is "issuerAltName"
CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4460)

7 years agostack/stack.c: various cleanups.
Andy Polyakov [Tue, 3 Oct 2017 11:39:53 +0000 (13:39 +0200)]
stack/stack.c: various cleanups.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4455)

7 years agoRemove some commented out code
Matt Caswell [Wed, 4 Oct 2017 14:50:17 +0000 (15:50 +0100)]
Remove some commented out code

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4462)

7 years agoRemove an incorrect comment
Matt Caswell [Tue, 3 Oct 2017 13:15:16 +0000 (14:15 +0100)]
Remove an incorrect comment

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4456)

7 years agoConfigurations/windows-makefile.tmpl: canonicalise configured paths
Richard Levitte [Wed, 4 Oct 2017 07:42:23 +0000 (09:42 +0200)]
Configurations/windows-makefile.tmpl: canonicalise configured paths

This avoids issues that can come with an ending backslash, among other.

Fixes #4458

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4461)

7 years agoSession resume broken switching contexts
Todd Short [Thu, 1 Sep 2016 12:40:54 +0000 (08:40 -0400)]
Session resume broken switching contexts

When an SSL's context is swtiched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.

If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).

In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.

If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.

Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)

7 years agoUse more pre-allocation
FdaSilvaYY [Thu, 28 Sep 2017 21:30:22 +0000 (23:30 +0200)]
Use more pre-allocation

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4379)

7 years agoPostpone allocation of STACK internal storage ... until a first push(),
FdaSilvaYY [Thu, 28 Sep 2017 20:03:26 +0000 (22:03 +0200)]
Postpone allocation of STACK internal storage ... until a first push(),
insert() or an explicit call to OPENSSL_sk_reserve

Factorise STACK item deletion code

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4379)

7 years agonistp521: add a comment to the P+P exceptional case in point_add.
Adam Langley [Tue, 26 Sep 2017 17:48:55 +0000 (10:48 -0700)]
nistp521: add a comment to the P+P exceptional case in point_add.

This change adds a comment to the exceptional case in point_add that
handles the case of a doubling, which explains when this case may occur
during normal processing.

Thanks go to Antonio Sanso for noting this.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4424)

7 years agoFix the return type of felem_is_zero_int which should be int.
Bernd Edlinger [Mon, 2 Oct 2017 15:24:17 +0000 (17:24 +0200)]
Fix the return type of felem_is_zero_int which should be int.
Change argument type of xxxelem_is_zero_int to const void*
to avoid the need of type casts.

Fixes #4413

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4450)

7 years agoAdded const-time flag to DSA key decoding to avoid potential leak of privkey
Samuel Weiser [Fri, 29 Sep 2017 11:29:25 +0000 (13:29 +0200)]
Added const-time flag to DSA key decoding to avoid potential leak of privkey

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4440)

7 years agodoc: note that the BN_new() initialises the BIGNUM
Hubert Kario [Fri, 29 Sep 2017 11:10:34 +0000 (13:10 +0200)]
doc: note that the BN_new() initialises the BIGNUM

BN_new() and BN_secure_new() not only allocate memory, but also
initialise it to deterministic value - 0.

Document that behaviour to make it explicit

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4438)

7 years agoPut back the #include <openssl/safestack.h> lines in public headers.
Pauli [Thu, 28 Sep 2017 21:56:35 +0000 (07:56 +1000)]
Put back the #include <openssl/safestack.h> lines in public headers.
the latter includes the former.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4437)

7 years agoRemove unnecessary #include <openssl/lhash.h> directives.
Pauli [Thu, 28 Sep 2017 21:27:04 +0000 (07:27 +1000)]
Remove unnecessary #include <openssl/lhash.h> directives.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4431)

7 years agoUse safestack.h exclusively internally.
Pauli [Thu, 28 Sep 2017 02:13:04 +0000 (12:13 +1000)]
Use safestack.h exclusively internally.
Remove all stack headers from some includes that don't use them.

Avoid a genearic untyped stack use.

Update stack POD file to include the OPENSSL_sk_ API functions in the notes
section.  They were mentioned in the name section but not defined anywhere.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4430)

7 years agoAdd stack space reservations.
Pauli [Mon, 18 Sep 2017 22:48:14 +0000 (08:48 +1000)]
Add stack space reservations.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4386)

7 years agoAdd a reserve call to the stack data structure.
Pauli [Thu, 17 Aug 2017 00:10:07 +0000 (10:10 +1000)]
Add a reserve call to the stack data structure.

This allows the caller to guarantee that there is sufficient space for a
number of insertions without reallocation.

The expansion ratio when reallocating the array is reduced to 1.5 rather than 2.

Change bounds testing to use a single size rather than both INT_MAX and
SIZE_MAX.  This simplifies some of the tests.

Switch the stack pointers to data from char * to void *

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4386)

7 years agoBN_copy now propagates BN_FLG_CONSTTIME
Samuel Weiser [Sat, 16 Sep 2017 14:52:44 +0000 (16:52 +0200)]
BN_copy now propagates BN_FLG_CONSTTIME

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)

7 years agoFixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could...
Samuel Weiser [Fri, 15 Sep 2017 20:12:53 +0000 (22:12 +0200)]
Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)

7 years agoAllow DH_set0_key with only private key.
David Benjamin [Mon, 18 Sep 2017 15:58:24 +0000 (11:58 -0400)]
Allow DH_set0_key with only private key.

The pub_key field for DH isn't actually used in DH_compute_key at all.
(Note the peer public key is passed in as as BIGNUM.) It's mostly there
so the caller may extract it from DH_generate_key. It doesn't
particularly need to be present if filling in a DH from external
parameters.

The check in DH_set0_key conflicts with adding OpenSSL 1.1.0 to Node.
Their public API is a thin wrapper over the old OpenSSL one:
https://nodejs.org/api/crypto.html#crypto_class_diffiehellman

They have separate setPrivateKey and setPublicKey methods, so the public
key may be set last or not at all. In 1.0.2, either worked fine since
operations on DH objects generally didn't use the public key.  (Like
with OpenSSL, Node's setPublicKey method is also largely a no-op, but so
it goes.) In 1.1.0, DH_set0_key prevents create a private-key-only DH
object.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4384)

7 years agoAdd and use function tls1_in_list to avoid code duplication.
Dr. Stephen Henson [Sun, 24 Sep 2017 20:59:39 +0000 (21:59 +0100)]
Add and use function tls1_in_list to avoid code duplication.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years agoUse tls1_group_id_lookup in tls1_curve_allowed
Dr. Stephen Henson [Sun, 24 Sep 2017 20:58:58 +0000 (21:58 +0100)]
Use tls1_group_id_lookup in tls1_curve_allowed

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years agoRename tls1_get_curvelist.
Dr. Stephen Henson [Sun, 24 Sep 2017 02:26:26 +0000 (03:26 +0100)]
Rename tls1_get_curvelist.

Rename tls1_get_curvelist to tls1_get_grouplist, change to void as
it can never fail and remove unnecessary return value checks. Clean
up the code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years agoRewrite compression and group checks.
Dr. Stephen Henson [Sun, 24 Sep 2017 00:45:27 +0000 (01:45 +0100)]
Rewrite compression and group checks.

Replace existing compression and groups check with two functions.

tls1_check_pkey_comp() checks a keys compression algorithms is consistent
with extensions.

tls1_check_group_id() checks is a group is consistent with extensions
and preferences.

Rename tls1_ec_nid2curve_id() to tls1_nid2group_id() and make it static.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years agoNew function ssl_generate_param_group
Dr. Stephen Henson [Sat, 23 Sep 2017 01:40:30 +0000 (02:40 +0100)]
New function ssl_generate_param_group

Setup EVP_PKEY structure from a group ID in ssl_generate_param_group,
replace duplicate code with this function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years agoReplace tls1_ec_curve_id2nid.
Dr. Stephen Henson [Fri, 22 Sep 2017 23:15:34 +0000 (00:15 +0100)]
Replace tls1_ec_curve_id2nid.

Replace tls1_ec_curve_id2nid() with tls_group_id_lookup() which returns
the TLS_GROUP_INFO for the group.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)