This repository was archived by the owner on Jan 5, 2026. It is now read-only.


Merged upstream 1.1.1h tag #242

Merged: dstebila merged 559 commits into open-quantum-safe:OQS-OpenSSL_1_1_1-stable from christianpaquin:cp-111h on Oct 7, 2020



@christianpaquin christianpaquin commented Sep 29, 2020

Merged upstream 1.1.1h tag.

Re-ran make generate_crypto_objects because this version introduced new OIDs.

bernd-edlinger and others added 30 commits December 23, 2019 17:00
We store a secondary frame pointer info for the debugger
in the red zone.  This fixes a crash in the unwinder when
this function is interrupted.

Additionally the missing cfi function annotation is added
to aesni_cbc_sha256_enc_shaext.

[extended tests]

Reviewed-by: Richard Levitte <[email protected]>
(Merged from openssl#10674)

(cherry picked from commit 665de4d)
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Kurt Roeckx <[email protected]>
(Merged from openssl#10676)

(cherry picked from commit 9d079f2)
Reviewed-by: Kurt Roeckx <[email protected]>
(Merged from openssl#10677)

(cherry picked from commit 275a048)
Reviewed-by: Kurt Roeckx <[email protected]>
(Merged from openssl#10678)

(cherry picked from commit 048fa13)
Reviewed-by: Kurt Roeckx <[email protected]>
(Merged from openssl#10679)

(cherry picked from commit b2a00f6)
The timer alarm sets run = 0, while the benchmark
does run = 1 in the initialization code.  That is
a race condition, if the timer goes off too early
the benchmark runs forever.

Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#10680)

(cherry picked from commit f3fdfbf)
Bring us up to date with upstream's 1.17.1 release.  Among other
things, it includes commit c2497d46b4bad473e164943d67b58cd1ae261c3a
which fixes several issues that affect running the test suite under
Travis CI.  Hopefully those will work transitively for us as well.

[extended tests]

Reviewed-by: Matt Caswell <[email protected]>

(cherry picked from commit 3e73f55)

Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Matthias St. Pierre <[email protected]>
(Merged from openssl#10690)
The pyca-cryptography external test has been failing for a long time.
It looks like upstream needs to make some changes to adapt to 1.1.1.

Backported from openssl#10689

[extended tests]

Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#10722)
Fix double + in hkdflabel declaration (FIXES openssl#10675)
CLA: trivial

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Kurt Roeckx <[email protected]>
Reviewed-by: Matthias St. Pierre <[email protected]>
(Merged from openssl#10700)

(cherry picked from commit 2de5a5f)
The New Year has caused various files to appear out of date to "make
update". This causes Travis to fail. Therefore we update those files.

Reviewed-by: Matthias St. Pierre <[email protected]>
(Merged from openssl#10739)
This commit addresses a potential side-channel vulnerability in the
internals of some elliptic curve low level operations.
The side-channel leakage appears to be tiny, so the severity of this
issue is rather low.

The issue was reported by David Schrammel and Samuel Weiser.

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Bernd Edlinger <[email protected]>
(Merged from openssl#9239)

(cherry picked from commit 3cb914c463ed1c9e32cfb773d816139a61b6ad5f)
Cherry picked from
google/boringssl@12d9ed6

Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Bernd Edlinger <[email protected]>
(Merged from openssl#9239)

(cherry picked from commit 2baea7c7e0896658b74956cac6084dd7e82e8c1b)
Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#9239)

(cherry picked from commit 0de3399b691f025153c8001045d5eeb0909dfd7a)
Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#9239)

(cherry picked from commit 3d139746ca72f0906c036d0a4a3e176c7b61ed1b)
Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#9239)

(cherry picked from commit e9fe87950db2e6169029b2ecf3ed09d64265bc9c)
This is only used if configured with
./config -DECP_NISTZ256_REFERENCE_IMPLEMENTATION

Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#9239)

(cherry picked from commit 7d4716648e8348dea862e198b9395478fae01907)
This change addresses a potential side-channel vulnerability in
the internals of nistz256 low level operations for armv8.

Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Bernd Edlinger <[email protected]>
(Merged from openssl#9239)

(cherry picked from commit f5a659b6dfcc735a62c712dcca64d116d2289b97)
This came from f3fdfbf. run = 1 should be done in pkey_print_message
as well, otherwise other tests printed with pkey_print_message won't run.

Change-Id: I0ba0b05256ad6509ada4735b26d10f8a73fd89ec

Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Bernd Edlinger <[email protected]>
(Merged from openssl#10710)

(cherry picked from commit 6e49b51)
ECDSA_do_verify() is a function that verifies an ECDSA signature given a hash and a public EC key. The function is supposed to return 1 on valid signature, 0 on invalid signature and -1 on error. Previously, we returned 0 if the key did not have a verify_sig method. This is actually an error case and not an invalid signature. Consequently, this patch updates the return code to -1.

Fixes openssl#8766

Reviewed-by: Nicola Tuveri <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Matthias St. Pierre <[email protected]>
(Merged from openssl#10693)

(cherry picked from commit 26583f6)
The HMAC_CTX structure stores the original key in case the ctx is reused
without changing the key.

However, HMAC_Init_ex() checks its parameters such that the only code path
where the stored key is ever used is in the case where HMAC_Init_ex is
called with a NULL key and an explicit md is provided which is the same as
the md that was provided previously. But in that case we can actually reuse
the pre-digested key that we calculated last time, so we can refactor the
code not to use the stored key at all.

With that refactor done it is no longer necessary to store the key in the
ctx at all. This means that long running ctx's will not keep the key in
memory for any longer than required. Note though that the digested key
*is* still kept in memory for the duration of the life of the ctx.

Fixes openssl#10743

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#10763)
This reverts commit 7b18d1a, which moved the
DEVRANDOM and DEVRANDOM_EGD defines into rand_unix.c. That change introduced
the regression that the compiler complains about missing declarations in
apps/version.c when OpenSSL is configured using `--with-rand-seed=devrandom`
(resp. `--with-rand-seed=egd`):

apps/version.c:173:42: error: 'DEVRANDOM' undeclared
             static const char *dev[] = { DEVRANDOM, NULL };
                                          ^~~~~~~~~

Fixes openssl#10759

Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
(Merged from openssl#10764)
When performing a pkeyutl -verifyrecover operation the input file is not
a hash - it is the signature itself. Therefore don't do the check to make
sure it looks like a hash.

Fixes openssl#9658

Reviewed-by: Richard Levitte <[email protected]>
(Merged from openssl#9731)

(cherry picked from commit 5ffc332)
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#10713)
This regexp was used a bit too uncontrolled, which had it split flag
values where it should not have.

Fixes openssl#10792

Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#10793)

(cherry picked from commit bbe486c)
CLA: trivial

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Matthias St. Pierre <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#10794)

(cherry picked from commit 6a165fa)
They never returned the negative values that the documentation stated.

Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#10847)
The existing documentation for the new-session callback was unclear
about the requirements on the callback with respect to reference-handling
of the session object being created.  Be more explicit about the
(non-)requirements on the callback code for "success" (1) and "ignore"
(0) return values.

Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#10848)

(cherry picked from commit 188d4ec)
Move .cfi_startproc to the right place for RC4.  Add missing
.cfi_startproc and .cfi_endproc to RC4_options.

Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
Reviewed-by: Bernd Edlinger <[email protected]>
(Merged from openssl#10872)

(cherry picked from commit 967ef73)
AES_ASM was replaced by AESNI_ASM, so use that.

Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#10892)
ciz and others added 21 commits July 23, 2020 01:16
The condition in test_error_checks() was inverted, so the test succeeded
as long as error_check() failed. Incidentally, error_check() contained
several bugs that assured it always failed, thus giving overall drbg
test success.

Remove the broken explicit zero check.
RAND_DRBG_uninstantiate() cleanses the data via drbg_ctr_uninstantiate(),
but right after that it resets drbg->data.ctr using RAND_DRBG_set(),
so TEST_mem_eq(zero, sizeof(drbg->data)) always failed.

(backport from openssl#11195)

Signed-off-by: Vitezslav Cizek <[email protected]>

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matthias St. Pierre <[email protected]>
(Merged from openssl#12517)
Fix EVP_EncodeBlock description using incorrect parameter name for encoding length

CLA: trivial

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from openssl#12518)

(cherry picked from commit 1660c8f)
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matthias St. Pierre <[email protected]>
(Merged from openssl#12370)
A recently added certificate in test/certs expired causing test_verify to fail.
This adds a replacement certificate with a long expiry date.

Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#12561)
Fixes openssl#12588

Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#12594)

(cherry picked from commit dffeec1)
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#12594)

(cherry picked from commit ea9f689)
For example, FreeBSD prepends "FreeBSD" to version string, e.g.,

FreeBSD clang version 11.0.0 ([email protected]:llvm/llvm-project.git llvmorg-11.0.0-rc2-0-g414f32a9e86)
Target: x86_64-unknown-freebsd13.0
Thread model: posix
InstalledDir: /usr/bin

This prevented us from properly detecting AVX support, etc.

CLA: trivial

Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Ben Kaduk <[email protected]>
(Merged from openssl#12725)

(cherry picked from commit cd84d88)
PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER.  However, i2d_PrivateKey() is a generic
function that will do what it can to produce output according to what
the associated EVP_PKEY_ASN1_METHOD offers.  If that method offers a
function 'old_priv_encode', which is expected to produce the
"traditional" encoded form, then i2d_PrivateKey() uses that.  If not,
i2d_PrivateKey() will go on and use more modern methods, which are
all expected to produce PKCS#8.

To ensure that PEM_write_bio_PrivateKey_traditional() never produces
more modern encoded forms, an extra check that 'old_priv_encode' is
non-NULL is added.  If it is NULL, an error is returned.

Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#12729)
x_algor.c: Explicit null dereferenced
cms_sd.c: Resource leak
ts_rsp_sign.c: Resource Leak
extensions_srvr.c: Resource Leak
v3_alt.c: Resource Leak
pcy_data.c: Resource Leak
cms_lib.c: Resource Leak
drbg_lib.c: Unchecked return code

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#12531)
Fixes openssl#12471
CLA: trivial

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#12533)

(cherry picked from commit 4348995)
In a nutshell, reseed propagation is a compatibility feature with the sole
purpose to support the traditional way of (re-)seeding manually by calling
'RAND_add()' before 'RAND_bytes()'. It ensures that the former has an immediate
effect on the latter *within the same thread*, but it does not care about
immediate reseed propagation to other threads. The implementation is lock-free,
i.e., it works without taking the lock of the primary DRBG.

Pull request openssl#7399 not only fixed the data race issue openssl#7394 but also changed
the original implementation of the seed propagation unnecessarily.
This commit reverts most of the changes of commit 1f98527 and intends to
fix the data race while retaining the original simplicity of the seed propagation.

- use atomics with relaxed semantics to load and store the seed counter
- add a new member drbg->enable_reseed_propagation to simplify the
  overflow treatment of the seed propagation counter
- don't handle races between different threads

This partially reverts commit 1f98527.

Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#12759)
The original names were more intuitive: the generate_counter counts the
number of generate requests, and the reseed_counter counts the number
of reseedings (of the principal DRBG).

    reseed_gen_counter  -> generate_counter
    reseed_prop_counter -> reseed_counter

This partially reverts commit 35a3450.

Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#12759)
Fix this error:

crypto/ec/ecp_nistz256-armv4.S:3853: Error: bad arguments to instruction -- `orr r11,r10'
crypto/ec/ecp_nistz256-armv4.S:3854: Error: bad arguments to instruction -- `orr r11,r12'
crypto/ec/ecp_nistz256-armv4.S:3855: Error: bad arguments to instruction -- `orrs r11,r14'

CLA: trivial

Fixes openssl#12848

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Kurt Roeckx <[email protected]>
GH: openssl#12854
(cherry picked from commit b5f8256)
The function returns 1 when the encoding of a decoded EC key used
explicit encoding of the curve parameters.

Reviewed-by: David von Oheimb <[email protected]>
Reviewed-by: Nicola Tuveri <[email protected]>
(Merged from openssl#12909)
The check is applied only with X509_V_FLAG_X509_STRICT.

Fixes openssl#12139

Reviewed-by: David von Oheimb <[email protected]>
Reviewed-by: Nicola Tuveri <[email protected]>
(Merged from openssl#12909)
OCSP_basic_sign_ctx() in ocsp_srv.c does not check for RSA_METHOD_FLAG_NO_CHECK.
If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail
because the X509_check_private_key() can fail.

The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c
as a common place to check. Checks in ssl_rsa.c were removed.

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#12419)
CLA: trivial

Reviewed-by: Kurt Roeckx <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
GH: openssl#12205
(cherry picked from commit 434343f)
Reviewed-by: Matthias St. Pierre <[email protected]>
(Merged from openssl#12949)
Reviewed-by: Matthias St. Pierre <[email protected]>
(Merged from openssl#12949)
Reviewed-by: Matthias St. Pierre <[email protected]>
OpenSSL 1.1.1h release tag
@christianpaquin christianpaquin marked this pull request as ready for review September 29, 2020 15:46
@christianpaquin (Author)

@dstebila, @xvzcf, @baentsch; could you test this merge (especially on downstream projects/demos), to make sure there are no side effects (the merge was non-trivial).

AppVeyor tests haven't been enabled yet (blocked by #237), so the test failure is expected.

@baentsch (Member)

@christianpaquin Just successfully built a curl docker image using your branch and used it to run spot-checks against the testserver: All successful. Merge looks good to me.

$ docker run -it oqs-curl-111h openssl version
OpenSSL 1.1.1h 22 Sep 2020, Open Quantum Safe 2020-08 snapshot

@baentsch baentsch left a comment


Good for me after successfully running cp-111h-based curl image against all algorithm combinations presently at test.openquantumsafe.org using automation script (open-quantum-safe/oqs-demos#57)

@dstebila dstebila merged commit b7e7111 into open-quantum-safe:OQS-OpenSSL_1_1_1-stable Oct 7, 2020
@dstebila dstebila mentioned this pull request Oct 7, 2020