oweals/openssl.git
6 years agoThe req documentation incorrectly states that we default to md5
Matt Caswell [Thu, 9 Aug 2018 15:25:29 +0000 (16:25 +0100)]
The req documentation incorrectly states that we default to md5

Just remove that statement. It's not been true since 2005.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/6905)

6 years agoadd docs for OCSP_resp_get0_signature
Paul Kehrer [Sat, 1 Sep 2018 14:50:28 +0000 (10:50 -0400)]
add docs for OCSP_resp_get0_signature

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)

6 years agoadd getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP
Paul Kehrer [Sat, 1 Sep 2018 04:05:55 +0000 (00:05 -0400)]
add getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP

fixes #7081

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)

6 years agoCheck the return from BN_sub() in BN_X931_generate_Xpq().
Pauli [Sun, 2 Sep 2018 21:37:38 +0000 (07:37 +1000)]
Check the return from BN_sub() in BN_X931_generate_Xpq().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7088)

(cherry picked from commit 6bcfcf16bf6aef4f9ec267d8b86ae1bffd8deab9)

6 years agoRemove redundant ASN1_INTEGER_set call
Eric Brown [Thu, 16 Aug 2018 15:34:39 +0000 (08:34 -0700)]
Remove redundant ASN1_INTEGER_set call

This trivial patch removes a duplicated call to ASN1_INTEGER_set.

Fixes Issue #6977

Signed-off-by: Eric Brown <browne@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6984)

(cherry picked from commit 59701e6363531cddef5b2114c0127b8453deb1f3)

6 years agoBackport #7007 to 1.1.0
Dmitry Belyavskiy [Fri, 24 Aug 2018 08:48:00 +0000 (11:48 +0300)]
Backport #7007 to 1.1.0

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7052)

6 years agoFree SSL object on an error path
Matt Caswell [Mon, 27 Aug 2018 14:04:28 +0000 (15:04 +0100)]
Free SSL object on an error path

Thanks to @fangang190 for reporting this

Fixes #7061

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7065)

6 years agobn/bn_lib.c: conceal even memmory access pattern in bn2binpad.
Andy Polyakov [Wed, 15 Aug 2018 13:46:35 +0000 (15:46 +0200)]
bn/bn_lib.c: conceal even memmory access pattern in bn2binpad.

(cherry picked from commit 324b95605225410763fe63f7cff36eb46ca54ee9)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)

6 years agobn/bn_blind.c: use Montgomery multiplication when possible.
Andy Polyakov [Mon, 13 Aug 2018 14:59:08 +0000 (16:59 +0200)]
bn/bn_blind.c: use Montgomery multiplication when possible.

(cherry picked from commit e02c519cd32a55e6ad39a0cfbeeda775f9115f28)

Resolved conflicts:
crypto/bn/bn_blind.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)

6 years agorsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."
Andy Polyakov [Fri, 10 Aug 2018 17:46:03 +0000 (19:46 +0200)]
rsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."

In [most common] case of p and q being of same width, it's possible to
replace CRT modulo operations with Montgomery reductions. And those are
even fixed-length Montgomery reductions...

(cherry picked from commit 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59)

Resolved conflicts:
crypto/rsa/rsa_ossl.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)

6 years agocrypto/bn: add more fixed-top routines.
Andy Polyakov [Fri, 10 Aug 2018 17:31:22 +0000 (19:31 +0200)]
crypto/bn: add more fixed-top routines.

Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top.
Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove
memset in bn_from_montgomery_word.

(cherry picked from commit fcc4ee09473cac511eca90faa003661c7786e4f9)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)

6 years agoBackport #6648 to OpenSSL_1_1_0-stable
Nicola Tuveri [Mon, 20 Aug 2018 21:50:01 +0000 (00:50 +0300)]
Backport #6648 to OpenSSL_1_1_0-stable

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7015)

6 years agoZero memory in CRYPTO_secure_malloc.
Pauli [Wed, 22 Aug 2018 00:04:27 +0000 (10:04 +1000)]
Zero memory in CRYPTO_secure_malloc.

This commit destroys the free list pointers which would otherwise be
present in the returned memory blocks.  This in turn helps prevent
information leakage from the secure memory area.

Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory:
before the secure memory system is initialised or if it isn't implemented.

[manual merge of #7011]

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7026)

6 years agocrypto/init.c: improve destructor_key's portability.
Andy Polyakov [Thu, 16 Aug 2018 07:26:12 +0000 (09:26 +0200)]
crypto/init.c: improve destructor_key's portability.

It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type,
which doesn't appear to hold true.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6976)

(cherry picked from commit 0b1319ba94c85af9e87308e0d573d1260a802f53)

6 years agoFix a warning from MSVC build
Bernd Edlinger [Fri, 17 Aug 2018 07:02:53 +0000 (09:02 +0200)]
Fix a warning from MSVC build

Apparently after internal/numbers.h defines INTx_MIN/MAX
stdint gets included and it defines those differently:

C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\INCLUDE\stdint.h(48):
 warning C4005: 'INT8_MIN': macro redefinition

Avoid that by changing the sequence in which the include files
appear in crypto/bio/b_print.c.

[extended tests]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6995)

6 years agoAvoid shadowing 'free' in X509_LOOKUP_met_set_free
Benjamin Kaduk [Thu, 16 Aug 2018 20:42:55 +0000 (15:42 -0500)]
Avoid shadowing 'free' in X509_LOOKUP_met_set_free

gcc 4.6 (arguably erroneously) warns about our use of 'free' as
the name of a function parameter, when --strict-warnings is enabled:

crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free':
crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow]
cc1: all warnings being treated as errors
make[1]: *** [crypto/x509/x509_meth.o] Error 1

(gcc 4.8 is fine with this code, as are newer compilers.)

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6991)

(cherry picked from commit 50f3994b513ead4da94845bf38222bb71c440fb3)

6 years agoPrepare for 1.1.0j-dev
Matt Caswell [Tue, 14 Aug 2018 12:46:03 +0000 (13:46 +0100)]
Prepare for 1.1.0j-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years agoPrepare for 1.1.0i release OpenSSL_1_1_0i
Matt Caswell [Tue, 14 Aug 2018 12:45:05 +0000 (13:45 +0100)]
Prepare for 1.1.0i release

Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years agoUpdate copyright year
Matt Caswell [Tue, 14 Aug 2018 12:25:55 +0000 (13:25 +0100)]
Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6954)

6 years agoUpdates to CHANGES and NEWS for the new release
Matt Caswell [Tue, 14 Aug 2018 09:39:19 +0000 (10:39 +0100)]
Updates to CHANGES and NEWS for the new release

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6950)

6 years agocrypto/o_fopen.c: alias fopen to fopen64.
Andy Polyakov [Wed, 27 Jun 2018 09:57:45 +0000 (11:57 +0200)]
crypto/o_fopen.c: alias fopen to fopen64.

Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6596)

(cherry picked from commit 2369111fd94ebc9b7d37e68f3ea9629f2fe5fa2e)

6 years agoi2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Richard Levitte [Sat, 11 Aug 2018 07:59:20 +0000 (09:59 +0200)]
i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer

Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):

    For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
    allocated for a buffer and the encoded data written to it. In this
    case B<*out> is not incremented and it points to the start of the
    data just written.

i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.

Fixes #6914

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)

(cherry picked from commit cba024dc685d13dbcbd0577bed028ee6b295b56a)

6 years agox509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.
Andy Polyakov [Sun, 29 Jul 2018 12:37:17 +0000 (14:37 +0200)]
x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6891)

(back-ported from commit f21b5b64cbbc279ef31389e6ae312690575187da)

6 years agox509v3/v3_purp.c: resolve Thread Sanitizer nit.
Andy Polyakov [Sun, 29 Jul 2018 12:13:32 +0000 (14:13 +0200)]
x509v3/v3_purp.c: resolve Thread Sanitizer nit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6891)

(cherry picked from commit 0da7358b0757fa35f2c3a8f51fa036466ae50fd7)

6 years agoIncrease CT_NUMBER values
Rich Salz [Tue, 7 Aug 2018 19:28:59 +0000 (15:28 -0400)]
Increase CT_NUMBER values

Also add build-time errors to keep them in sync.
Thanks to GitHub user YuDudysheva for reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6874)
(cherry picked from commit b5ee517794cf546dc7e3d5a82b400955a7381053)

6 years agoFix setting of ssl_strings_inited.
Rich Salz [Tue, 7 Aug 2018 19:08:03 +0000 (15:08 -0400)]
Fix setting of ssl_strings_inited.

Thanks to GitHub user zsergey105 for reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6875)
(cherry picked from commit 10281e83eac0fb96de3f14855154197aa33bb800)

6 years agoCheck early that the config target exists and isn't a template
Richard Levitte [Tue, 7 Aug 2018 10:38:16 +0000 (12:38 +0200)]
Check early that the config target exists and isn't a template

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6885)

(cherry picked from commit 4e360445473c3da938703a8142a36cf6ee86a191)

6 years agoMake EVP_PKEY_asn1_new() stricter with its input
Richard Levitte [Tue, 7 Aug 2018 02:55:47 +0000 (04:55 +0200)]
Make EVP_PKEY_asn1_new() stricter with its input

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6880)

(cherry picked from commit 38eca7fed09a57c1b7a05d651af2c667b3e87719)

6 years agoFix uninitialized value $s warning in windows static builds
Bernd Edlinger [Thu, 2 Aug 2018 17:47:42 +0000 (19:47 +0200)]
Fix uninitialized value $s warning in windows static builds

Fixes: #6826

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/pr6849)

6 years agoAvoid errors when loading a cert multiple times.
Pauli [Sun, 5 Aug 2018 21:31:49 +0000 (07:31 +1000)]
Avoid errors when loading a cert multiple times.
Manual backport of #2830 to 1.1.0

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6861)

6 years agoUse auto-null-initializer
Rich Salz [Fri, 3 Aug 2018 22:03:22 +0000 (18:03 -0400)]
Use auto-null-initializer

Thanks to GitHub user YuDudysheva for reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6853)

6 years agoasn1/tasn_utl.c: fix logical error in asn1_do_lock.
Andy Polyakov [Thu, 2 Aug 2018 07:02:47 +0000 (09:02 +0200)]
asn1/tasn_utl.c: fix logical error in asn1_do_lock.

CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6843)

6 years agoRevert "asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock."
Andy Polyakov [Thu, 2 Aug 2018 06:59:48 +0000 (08:59 +0200)]
Revert "asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock."

This reverts commit 24233a0f3c491919ee3a38e2567271ccc041ee1d.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6843)

6 years agoasn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.
Andy Polyakov [Tue, 31 Jul 2018 12:59:14 +0000 (14:59 +0200)]
asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.

CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 680b9d45b005c2d0a48fd574db903bf4486b49ae)

6 years agoCheck return from BN_sub
Pauli [Tue, 31 Jul 2018 03:11:00 +0000 (13:11 +1000)]
Check return from BN_sub

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6823)

(cherry picked from commit 3d3cbce550ff5d6172cf28dbbf80bda93f6577a9)

6 years agoCheck conversion return in ASN1_INTEGER_print_bio.
Pauli [Tue, 31 Jul 2018 01:37:05 +0000 (11:37 +1000)]
Check conversion return in ASN1_INTEGER_print_bio.

Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the
BN instead of doing it separately.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6821)

(cherry picked from commit 35c9408108f3608eb572acd7f64a93cf4f43f4f6)

6 years agoRemove DSA digest length checks when no digest is passed
Bryan Donlan [Tue, 17 Jul 2018 20:38:17 +0000 (13:38 -0700)]
Remove DSA digest length checks when no digest is passed

FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.

Fixes: #6748

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)

(cherry picked from commit 665d9d1c0655d6f709c99e1211c1e11fcebfeecd)

6 years agocrypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.
Andy Polyakov [Fri, 20 Jul 2018 11:23:42 +0000 (13:23 +0200)]
crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.

Problem was that Windows threads that were terminating before libcrypto
was initialized were referencing uninitialized or possibly even
unrelated thread local storage index.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6799)

(cherry picked from commit 80ae7285e1994d35c84519bf9e038b11d9942875)

Resolved conflicts:
crypto/init.c

6 years agocrypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.
Andy Polyakov [Fri, 20 Jul 2018 11:15:48 +0000 (13:15 +0200)]
crypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6799)

(cherry picked from commit b86d57bb0b23253c720db38ab18ca97cb888f701)

Resolved conflicts:
crypto/cryptlib.c

6 years agoCHANGES: mention blinding reverting in ECDSA.
Andy Polyakov [Thu, 26 Jul 2018 12:38:53 +0000 (14:38 +0200)]
CHANGES: mention blinding reverting in ECDSA.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)

6 years agobn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.
Andy Polyakov [Wed, 25 Jul 2018 08:29:51 +0000 (10:29 +0200)]
bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.

New implementation failed to correctly reset r->neg flag. Spotted by
OSSFuzz.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)

(cherry picked from commit 70a579ae2f37437a1e02331eeaa84e1b68ba021e)

6 years agoec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication.
Andy Polyakov [Thu, 12 Jul 2018 20:27:43 +0000 (22:27 +0200)]
ec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)

(cherry picked from commit 37132c9702328940a99b1307f742ab094ef754a7)

6 years agoec/ecdsa_ossl.c: formatting and readability fixes.
Andy Polyakov [Fri, 6 Jul 2018 14:13:29 +0000 (16:13 +0200)]
ec/ecdsa_ossl.c: formatting and readability fixes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)

(cherry picked from commit fff7a0dcf6e3135c7f93e6cb5fb35e37dd0b384d)

6 years agoec/ecdsa_ossl.c: revert blinding in ECDSA signature.
Andy Polyakov [Fri, 6 Jul 2018 13:55:34 +0000 (15:55 +0200)]
ec/ecdsa_ossl.c: revert blinding in ECDSA signature.

Originally suggested solution for "Return Of the Hidden Number Problem"
is arguably too expensive. While it has marginal impact on slower
curves, none to ~6%, optimized implementations suffer real penalties.
Most notably sign with P-256 went more than 2 times[!] slower. Instead,
just implement constant-time BN_mod_add_quick.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)

(cherry picked from commit 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f)

Resolved conflicts:
crypto/ec/ecdsa_ossl.c

6 years agobn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors.
Andy Polyakov [Fri, 6 Jul 2018 13:13:15 +0000 (15:13 +0200)]
bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors.

Note that exported functions maintain original behaviour, so that
external callers won't observe difference. While internally we can
now perform Montogomery multiplication on fixed-length vectors, fixed
at modulus size. The new functions, bn_to_mont_fixed_top and
bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use
them even outside bn, e.g. in RSA, DSA, ECDSA...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6707)

(cherry picked from commit 71883868ea5b33416ae8283bcc38dd2d97e5006b)

Resolved conflicts:
crypto/bn/bn_exp.c
crypto/bn/bn_mont.c
crypto/include/internal/bn_int.h

6 years agobn/bn_lib.c: add BN_FLG_FIXED_TOP flag.
Andy Polyakov [Fri, 6 Jul 2018 13:02:29 +0000 (15:02 +0200)]
bn/bn_lib.c: add BN_FLG_FIXED_TOP flag.

The new flag marks vectors that were not treated with bn_correct_top,
in other words such vectors are permitted to be zero padded. For now
it's BN_DEBUG-only flag, as initial use case for zero-padded vectors
would be controlled Montgomery multiplication/exponentiation, not
general purpose. For general purpose use another type might be more
appropriate. Advantage of this suggestion is that it's possible to
back-port it...

bn/bn_div.c: fix memory sanitizer problem.
bn/bn_sqr.c: harmonize with BN_mul.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6707)

(cherry picked from commit 305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb)

Resolved conflicts:
crypto/bn/bn_lcl.h

6 years agoFix inconsistent use of bit vs bits
Kurt Roeckx [Thu, 26 Jul 2018 09:10:24 +0000 (11:10 +0200)]
Fix inconsistent use of bit vs bits

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #6794
(cherry picked from commit b9e54e98066c1ff8adab5d68b6c114b14d2f74e5)

6 years agoMake number of Miller-Rabin tests for a prime tests depend on the security level...
Kurt Roeckx [Wed, 25 Jul 2018 16:55:16 +0000 (18:55 +0200)]
Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime

The old numbers where all generated for an 80 bit security level. But
the number should depend on security level you want to reach. For bigger
primes we want a higher security level and so need to do more tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
Fixes: #6012
(cherry picked from commit feac7a1c8be49fbcb76fcb721ec9f02fdd91030e)

6 years agoChange the number of Miller-Rabin test for DSA generation to 64
Kurt Roeckx [Wed, 25 Apr 2018 19:47:20 +0000 (21:47 +0200)]
Change the number of Miller-Rabin test for DSA generation to 64

This changes the security level from 100 to 128 bit.
We only have 1 define, this sets it to the highest level supported for
DSA, and needed for keys larger than 3072 bit.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
(cherry picked from commit 74ee379651fb2bb12c6f7eb9fa10e70be89ac7c8)

6 years agoCheck for failures, to avoid memory leak
Rich Salz [Wed, 25 Jul 2018 19:57:18 +0000 (15:57 -0400)]
Check for failures, to avoid memory leak

Thanks to Jiecheng Wu, Zuxing Gu for the report.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6791)
(cherry picked from commit 037241bf046be8cfc7e9216959393dd20b06fc21)

6 years agocrypto/cryptlib.c: resolve possible race in OPENSSL_isservice.
Andy Polyakov [Fri, 20 Jul 2018 11:19:11 +0000 (13:19 +0200)]
crypto/cryptlib.c: resolve possible race in OPENSSL_isservice.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)

(cherry picked from commit 9e4a1c3f65863b0175ddc534e232e63c4f82ea5c)

6 years agoapps/dsaparam.c: make dsaparam -C output strict-warnings-friendly.
Andy Polyakov [Mon, 23 Jul 2018 20:26:30 +0000 (22:26 +0200)]
apps/dsaparam.c: make dsaparam -C output strict-warnings-friendly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d6b50b6e2ebc0c198877b5c56ae0a54cb9036088)

6 years agoConfigure death handler: instead of printing directly, amend the message
Richard Levitte [Tue, 24 Jul 2018 19:46:55 +0000 (21:46 +0200)]
Configure death handler: instead of printing directly, amend the message

This is done by calling die again, just make sure to reset the __DIE__
handler first.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)

(cherry picked from commit eb807d5383fd228a5c4cf9afc2fec487e0d22cee)

6 years agoConfigure death handler: remember to call original death handler
Richard Levitte [Tue, 24 Jul 2018 17:29:49 +0000 (19:29 +0200)]
Configure death handler: remember to call original death handler

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)

(cherry picked from commit 88accfe6dccf904fec5a17db4a59cd2c4c480382)

6 years agoConfigure death handler: bail out early when run in eval block
Richard Levitte [Tue, 24 Jul 2018 17:29:06 +0000 (19:29 +0200)]
Configure death handler: bail out early when run in eval block

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)

(cherry picked from commit 1a6c30029802179ebe0ec1eedfdc9d78bb6dc4dd)

6 years agoConfigure: print generic advice when dying
Richard Levitte [Tue, 24 Jul 2018 08:45:05 +0000 (10:45 +0200)]
Configure: print generic advice when dying

On the same note, change the 'NASM not found' message to give specific
advice on how to handle the failure.

Fixes #6765

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6771)

(cherry picked from commit 8937a4ed8ac3fd64be61e9ce7a16bccccf3d2273)

6 years agoec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.
Andy Polyakov [Wed, 18 Jul 2018 13:22:07 +0000 (15:22 +0200)]
ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.

ecp_nistz256_set_from_affine is called when application attempts to use
custom generator, i.e. rarely. Even though it was wrong, it didn't
affect point operations, they were just not as fast as expected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)

(cherry picked from commit 8fc4aeb9521270ac74b29ce7f569939b0b39e685)

6 years agoec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function.
Andy Polyakov [Wed, 18 Jul 2018 13:14:44 +0000 (15:14 +0200)]
ec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function.

The ecp_nistz256_scatter_w7 function is called when application
attempts to use custom generator, i.e. rarely. Even though non-x86_64
versions were wrong, it didn't affect point operations, they were just
not as fast as expected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)

(cherry picked from commit 87a75b3e5c04a1696208c279f32d1114b862cfed)

6 years agobn/bn_intern.c: const-ify bn_set_{static}_words.
Andy Polyakov [Wed, 18 Jul 2018 13:13:27 +0000 (15:13 +0200)]
bn/bn_intern.c: const-ify bn_set_{static}_words.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)

(cherry picked from commit f40e0a342cbca8bb71d0fe3f19e1b4bfd853aff1)

6 years agoapps/dsaparam.c: fix -C output.
Andy Polyakov [Sat, 21 Jul 2018 11:50:14 +0000 (13:50 +0200)]
apps/dsaparam.c: fix -C output.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6758)

(cherry picked from commit 708c28f2f0598af6bccbeb60fb46086784aed7da)

6 years agoConfigure: Display error/warning on deprecated/unsupported options after loop
Richard Levitte [Sun, 22 Jul 2018 08:56:25 +0000 (10:56 +0200)]
Configure: Display error/warning on deprecated/unsupported options after loop

Fixes #6755

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6759)

(cherry picked from commit ddbe700e93e34694519d303e1b4e4525184c9dad)

6 years agoPKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF
Richard Levitte [Thu, 12 Jul 2018 20:55:03 +0000 (22:55 +0200)]
PKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF

As per RFC 7292.

Fixes #6665

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6708)

(cherry picked from commit b709babbca0498cd2b05f543b09f57f4a670298e)

6 years agobn/bn_lib.c address Coverity nit in bn2binpad.
Andy Polyakov [Mon, 16 Jul 2018 16:17:44 +0000 (18:17 +0200)]
bn/bn_lib.c address Coverity nit in bn2binpad.

It was false positive, but one can as well view it as readability issue.
Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions
with signed dividend vs. 1 (one) with unsigned.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 83e034379fa3f6f0d308ec75fbcb137e26154aec)

6 years agorsa/*: switch to BN_bn2binpad.
Andy Polyakov [Sun, 4 Feb 2018 14:24:54 +0000 (15:24 +0100)]
rsa/*: switch to BN_bn2binpad.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5254)

(cherry picked from commit 582ad5d4d9b7703eb089016935133e3a18ea8205)

6 years agobn/bn_lib.c: make BN_bn2binpad computationally constant-time.
Andy Polyakov [Sun, 4 Feb 2018 14:20:29 +0000 (15:20 +0100)]
bn/bn_lib.c: make BN_bn2binpad computationally constant-time.

"Computationally constant-time" means that it might still leak
information about input's length, but only in cases when input
is missing complete BN_ULONG limbs. But even then leak is possible
only if attacker can observe memory access pattern with limb
granularity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5254)

(cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a)

6 years agoDocumentation typo fix in BN_bn2bin.pod
Alexandre Perrin [Fri, 13 Jul 2018 08:32:42 +0000 (10:32 +0200)]
Documentation typo fix in BN_bn2bin.pod

Change the description for BN_hex2bn() so that it uses the same BIGNUM argument name as its prototype.

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6712)

6 years agobn/bn_mont.c: improve readability of post-condition code.
Andy Polyakov [Fri, 6 Jul 2018 12:54:34 +0000 (14:54 +0200)]
bn/bn_mont.c: improve readability of post-condition code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

(cherry picked from commit 6c90182a5f87af1a1e462536e7123ad2afb84c43)

6 years agobn/bn_mont.c: move boundary condition check closer to caller.
Andy Polyakov [Fri, 6 Jul 2018 11:46:07 +0000 (13:46 +0200)]
bn/bn_mont.c: move boundary condition check closer to caller.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

(cherry picked from commit 3c97e4121ecec20cfac433883cd4709580a05620)

6 years agobn/bn_lib.c: remove bn_check_top from bn_expand2.
Andy Polyakov [Fri, 6 Jul 2018 11:16:40 +0000 (13:16 +0200)]
bn/bn_lib.c: remove bn_check_top from bn_expand2.

Trouble is that addition is postponing expansion till carry is
calculated, and if addition carries, top word can be zero, which
triggers assertion in bn_check_top.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

(cherry picked from commit e42395e637c3507b80b25c7ed63236898822d2f1)

6 years agoAvoid __GNUC__ warnings when defining DECLARE_DEPRECATED
Richard Levitte [Tue, 10 Jul 2018 14:05:55 +0000 (16:05 +0200)]
Avoid __GNUC__ warnings when defining DECLARE_DEPRECATED

We need to check that __GNUC__ is defined before trying to use it.
This demands a slightly different way to define DECLARE_DEPRECATED.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6688)

6 years agoWindows: avoid using 'rem' in the nmake makefile
Richard Levitte [Wed, 11 Jul 2018 09:05:15 +0000 (11:05 +0200)]
Windows: avoid using 'rem' in the nmake makefile

To avoid the possibility that someone creates rem.exe, rem.bat or
rem.cmd, simply don't use it.  In the cases it was used, it was to
avoid empty lines, but it turns out that nmake handles those fine, so
no harm done.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6686)

(cherry picked from commit 1b6a0a261e22eb5a574bdb75da208817ffa2fbba)

6 years agoWindows: fix echo for nmake
Richard Levitte [Tue, 10 Jul 2018 12:12:33 +0000 (14:12 +0200)]
Windows: fix echo for nmake

It seems that nmake first tries to run executables on its own, and
only pass commands to cmd if that fails.  That means it's possible to
have nmake run something like 'echo.exe' when the builtin 'echo'
command was expected, which might give us unexpected results.

To get around this, we create our own echoing script and call it
explicitly from the nmake makefile.

Fixes #6670

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6686)

(cherry picked from commit 9abce88b4b0055d6238a838aa00360152e185f02)

6 years agoutil/dofile.pl: require Text::Template 1.46 or newer
Richard Levitte [Mon, 9 Jul 2018 19:10:10 +0000 (21:10 +0200)]
util/dofile.pl: require Text::Template 1.46 or newer

The reason is that we override Text::Template::append_text_to_output(),
and it didn't exist before Text::Template 1.46.

Fixes #6641

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)

(cherry picked from commit 4e351ca92e3a1f447cef3d2e330f13941f9412c6)

6 years agoExisting transfer modules must have a package and a $VERSION
Richard Levitte [Mon, 9 Jul 2018 19:09:30 +0000 (21:09 +0200)]
Existing transfer modules must have a package and a $VERSION

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)

(cherry picked from commit f7dce50f21c13520d36f51bed83d19d3eb0bf698)

6 years agoMake 'with_fallback' use 'use' instead of 'require'
Richard Levitte [Mon, 9 Jul 2018 19:07:25 +0000 (21:07 +0200)]
Make 'with_fallback' use 'use' instead of 'require'

This enables us to require module versions, and to fall back to a
bundled version if the system version is too low.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)

(cherry picked from commit e9bc5706744213a1a6748dbbcd1b43a6ad4ca09e)

6 years agoFix minor windows build issues
Bernd Edlinger [Thu, 5 Jul 2018 13:38:28 +0000 (15:38 +0200)]
Fix minor windows build issues

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6663)

6 years agoDocument more EVP_MD_CTX functions
Richard Levitte [Wed, 4 Jul 2018 07:26:05 +0000 (09:26 +0200)]
Document more EVP_MD_CTX functions

Fixes #6644

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6645)

(cherry picked from commit a9cf71a3716f8f624b711faa0d5ea391bb26d9f6)

6 years agoDon't create an invalid CertificateRequest
Matt Caswell [Mon, 2 Jul 2018 13:09:03 +0000 (14:09 +0100)]
Don't create an invalid CertificateRequest

We should validate that the various fields we put into the
CertificateRequest are not too long. Otherwise we will construct an
invalid message.

Fixes #6609

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6628)

6 years agoFix a NULL ptr deref in error path in tls_process_cke_dhe()
Matt Caswell [Tue, 26 Jun 2018 14:40:54 +0000 (15:40 +0100)]
Fix a NULL ptr deref in error path in tls_process_cke_dhe()

Fixes #6574

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6594)

6 years agotest/evp_test.c: address sanitizer errors in pderive_test_run.
Andy Polyakov [Sat, 30 Jun 2018 10:52:10 +0000 (12:52 +0200)]
test/evp_test.c: address sanitizer errors in pderive_test_run.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6614)

6 years agomodes/asm/ghash-armv4.pl: address "infixes are deprecated" warnings.
Andy Polyakov [Fri, 29 Jun 2018 15:48:54 +0000 (17:48 +0200)]
modes/asm/ghash-armv4.pl: address "infixes are deprecated" warnings.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6615)

(cherry picked from commit ce5eb5e8149d8d03660575f4b8504c993851988a)

6 years agoCheck return from BN_set_word.
Pauli [Thu, 28 Jun 2018 23:55:23 +0000 (09:55 +1000)]
Check return from BN_set_word.
In ssl/t1_lib.c.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6613)

(cherry picked from commit 8eab767a718f44ccba9888eeb81a5328cff47bab)

6 years agoZero-fill IV by default.
Rich Salz [Thu, 28 Jun 2018 22:13:54 +0000 (18:13 -0400)]
Zero-fill IV by default.

Fixes uninitialized memory read reported by Nick Mathewson

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6603)
(cherry picked from commit 10c3c1c1ec41ce16e51b92bb18fab92d1a42b49c)

6 years agoMove documentation to its correct location for this branch
Richard Levitte [Mon, 25 Jun 2018 15:14:12 +0000 (17:14 +0200)]
Move documentation to its correct location for this branch

The 1.1.1 branch has a different location for documentation, this is
the obvious result of a cherry-pick from there.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6589)

6 years agoOpenSSL_add_ssl_algorithm-is-deprecated() is deprecated, make it so
Richard Levitte [Mon, 25 Jun 2018 15:08:20 +0000 (17:08 +0200)]
OpenSSL_add_ssl_algorithm-is-deprecated() is deprecated, make it so

This function is documented to be deprecated since OpenSSL 1.1.0.  We
need to make it so in openssl/ssl.h as well.

Fixes #6565

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6588)

(cherry picked from commit 71419442a279a12c2e19a097b5c7e01c29d1fc9c)

6 years agoFix a new gcc-9 warning [-Wstringop-truncation]
Bernd Edlinger [Sat, 23 Jun 2018 20:17:19 +0000 (22:17 +0200)]
Fix a new gcc-9 warning [-Wstringop-truncation]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6581)

(cherry picked from commit dc6c374bdb4872f6d5d727e73a2ed834e972842c)

6 years agoFix prototype of ASN1_INTEGER_get and ASN1_INTEGER_set
Kurt Roeckx [Sat, 23 Jun 2018 08:24:00 +0000 (10:24 +0200)]
Fix prototype of ASN1_INTEGER_get and ASN1_INTEGER_set

The parameters where switched

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #6578
(cherry picked from commit eaf39a9fe6f55feb5251e235069e02f7f50d9a49)

6 years agoOpenSSL-II style for emacs: don't indent because of extern block
Richard Levitte [Fri, 22 Jun 2018 07:33:29 +0000 (09:33 +0200)]
OpenSSL-II style for emacs: don't indent because of extern block

We don't want an indentation step inside a 'extern "C" {' .. '}'
block.  Apparently, cc-mode has a c-offsets-alist keyword to allow
exactly this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6557)

(cherry picked from commit 8973112884e67feb46384b573db14e62ad18d4cb)

6 years agosha/asm/sha{256|512}-armv4.pl: harmonize thumb2 support with the rest.
Andy Polyakov [Thu, 21 Jun 2018 11:52:04 +0000 (13:52 +0200)]
sha/asm/sha{256|512}-armv4.pl: harmonize thumb2 support with the rest.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2e51557bc93f90ca2274230b042acb53cc3a268d)

6 years agoadd documentation for OCSP_basic_verify()
David von Oheimb [Sat, 10 Feb 2018 14:45:11 +0000 (15:45 +0100)]
add documentation for OCSP_basic_verify()

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6227)

(cherry picked from commit b8c32081e02b7008a90d878eccce46da256dfe86)

6 years agoImprove the example getpass() implementation to show an error return
Nick Mathewson [Thu, 24 May 2018 19:23:15 +0000 (15:23 -0400)]
Improve the example getpass() implementation to show an error return

Also, modernize the code, so that it isn't trying to store a size_t
into an int, and then check the int's sign. :/

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)

(cherry picked from commit c8c250333cd254ab3f4d709ebc5ed86a7c065721)

6 years agoUpdate documentation for PEM callback: error is now -1.
Nick Mathewson [Wed, 16 May 2018 15:07:48 +0000 (11:07 -0400)]
Update documentation for PEM callback: error is now -1.

In previous versions of OpenSSL, the documentation for PEM_read_*
said:

   The callback B<must> return the number of characters in the
   passphrase or 0 if an error occurred.

But since c82c3462267afdbbaa5, 0 is now treated as a non-error
return value.  Applications that want to indicate an error need to
return -1 instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)

(cherry picked from commit bbbf752a3c8b5a966bcb48fc71a3dc03832e7b27)

6 years ago[crypto/ec] don't assume points are of order group->order
Billy Brumley [Wed, 20 Jun 2018 07:56:37 +0000 (10:56 +0300)]
[crypto/ec] don't assume points are of order group->order

(cherry picked from commit 01fd5df77d401c87f926552ec24c0a09e5735006)

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)

6 years agoec/ec_mult.c: get BN_CTX_start,end sequence right.
Andy Polyakov [Mon, 7 May 2018 08:27:45 +0000 (10:27 +0200)]
ec/ec_mult.c: get BN_CTX_start,end sequence right.

Triggered by Coverity analysis.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7d859d1c8868b81c5d810021af0b40f355af4e1f)

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)

6 years agoAdd blinding to a DSA signature
Matt Caswell [Tue, 19 Jun 2018 14:07:02 +0000 (15:07 +0100)]
Add blinding to a DSA signature

This extends the recently added ECDSA signature blinding to blind DSA too.

This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.

Normally, as in ECDSA, during signing the signer calculates:

s:= k^-1 * (m + r * priv_key) mod order

In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.

As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:

s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only no CVE is assigned.

This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6523)

6 years agoopenssl ca: open the output file as late as possible
Richard Levitte [Thu, 21 Jun 2018 04:24:33 +0000 (06:24 +0200)]
openssl ca: open the output file as late as possible

Fixes #6544

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6546)

(cherry picked from commit 63871d9f810fec1e8a441d82c9ac79c58b19e2ad)

6 years agoec/asm/ecp_nistz256-avx2.pl: harmonize clang version detection.
Andy Polyakov [Sat, 16 Jun 2018 14:25:40 +0000 (16:25 +0200)]
ec/asm/ecp_nistz256-avx2.pl: harmonize clang version detection.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)

(cherry picked from commit 575045f59fc393abc9d49604d82ccd17c82925fa)

6 years ago{chacha|poly1305}/asm/*-x64.pl: harmonize clang version detection.
Andy Polyakov [Sat, 16 Jun 2018 14:24:55 +0000 (16:24 +0200)]
{chacha|poly1305}/asm/*-x64.pl: harmonize clang version detection.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)

(cherry picked from commit 27635a4ecb1bc4852ccf456a9374a68931dc330f)

6 years agosha/asm/sha{1|256}-586.pl: harmonize clang version detection.
Andy Polyakov [Sat, 16 Jun 2018 14:23:34 +0000 (16:23 +0200)]
sha/asm/sha{1|256}-586.pl: harmonize clang version detection.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)

(cherry picked from commit b55e21b357902959ae8ec0255952402f5ccaa515)

6 years agobn/asm/rsaz-avx2.pl: harmonize clang version detection.
Andy Polyakov [Sat, 16 Jun 2018 14:22:19 +0000 (16:22 +0200)]
bn/asm/rsaz-avx2.pl: harmonize clang version detection.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)

(cherry picked from commit 9e97f61dec312084abe03226e5c962d818c9fc2b)