openssl.git
13 months agoFix HMAC SHA3-224 and HMAC SHA3-256.
Pauli [Wed, 15 Aug 2018 22:54:35 +0000 (08:54 +1000)]
Fix HMAC SHA3-224 and HMAC SHA3-256.

Added NIST test cases for these two as well.

Additionally deprecate the public definiton of HMAC_MAX_MD_CBLOCK in 1.2.0.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6972)

13 months agodemos/evp: add make clean
Paulo Flabiano Smorigo [Wed, 29 Aug 2018 14:00:44 +0000 (11:00 -0300)]
demos/evp: add make clean

Add make clean for evp demos and remove whitespace from a line.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7072)

13 months agoMake OBJ_NAME case insensitive.
Pauli [Mon, 3 Sep 2018 21:35:45 +0000 (07:35 +1000)]
Make OBJ_NAME case insensitive.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7089)

13 months agohmac_init cleanup and fix key zeroization issue
Shane Lontis [Mon, 3 Sep 2018 04:15:13 +0000 (14:15 +1000)]
hmac_init cleanup and fix key zeroization issue

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7092)

13 months ago[test] throw error from wrapper function instead of an EC_METHOD specific one
Billy Brumley [Wed, 22 Aug 2018 09:27:34 +0000 (12:27 +0300)]
[test] throw error from wrapper function instead of an EC_METHOD specific one

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7028)

13 months ago[test] ECC: make sure negative tests pass for the right reasons
Billy Brumley [Wed, 22 Aug 2018 06:50:43 +0000 (09:50 +0300)]
[test] ECC: make sure negative tests pass for the right reasons

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7028)

13 months agoFix the comment of PEM_read_bio_ex
wzhang [Wed, 8 Aug 2018 08:04:18 +0000 (01:04 -0700)]
Fix the comment of PEM_read_bio_ex

Add one more unit test case

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/6892)

13 months agoRename SSL[_CTX]_add1_CA_list -> SSL[_CTX]_add1_to_CA_list
Richard Levitte [Mon, 13 Aug 2018 05:11:47 +0000 (07:11 +0200)]
Rename SSL[_CTX]_add1_CA_list -> SSL[_CTX]_add1_to_CA_list

They add a single item, so the names give a false impression of what
they do, making them hard to remember.  Better to give them a somewhat
better name.

Fixes #6930

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6931)

13 months agoadd docs for OCSP_resp_get0_signature
Paul Kehrer [Sat, 1 Sep 2018 14:50:28 +0000 (10:50 -0400)]
add docs for OCSP_resp_get0_signature

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)

13 months agoadd getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP
Paul Kehrer [Sat, 1 Sep 2018 04:05:55 +0000 (00:05 -0400)]
add getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP

fixes #7081

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)

13 months agoCheck the return from BN_sub() in BN_X931_generate_Xpq().
Pauli [Sun, 2 Sep 2018 21:37:38 +0000 (07:37 +1000)]
Check the return from BN_sub() in BN_X931_generate_Xpq().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7088)

13 months agoCheck for a failure return from EVP_MD_CTX_new() in OCSP_basic_sign().
Pauli [Sun, 2 Sep 2018 21:29:45 +0000 (07:29 +1000)]
Check for a failure return from EVP_MD_CTX_new() in OCSP_basic_sign().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7087)

13 months agoRemove redundant ASN1_INTEGER_set call
Eric Brown [Thu, 16 Aug 2018 15:34:39 +0000 (08:34 -0700)]
Remove redundant ASN1_INTEGER_set call

This trivial patch removes a duplicated call to ASN1_INTEGER_set.

Fixes Issue #6977

Signed-off-by: Eric Brown <browne@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6984)

13 months agoAdd a note in the docs about sharing PSKs between TLSv1.2 and TLSv1.3
Matt Caswell [Thu, 23 Aug 2018 13:37:01 +0000 (14:37 +0100)]
Add a note in the docs about sharing PSKs between TLSv1.2 and TLSv1.3

Fixes #6490

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7044)

13 months agoFix ssl/t1_trce.c to parse certificate chains
Erik Forsberg [Sun, 19 Aug 2018 17:24:44 +0000 (10:24 -0700)]
Fix ssl/t1_trce.c to parse certificate chains

Fixes #6994

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7009)

13 months agoTLSv1.3 related changes to man pages
Hubert Kario [Sat, 1 Sep 2018 00:40:51 +0000 (08:40 +0800)]
TLSv1.3 related changes to man pages

Add or update the documentation of the different man pages in relation to TLSv1.3 behaviour.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/6939)

13 months agoRevert ".travis.yml: omit linux-ppc64le target."
Andy Polyakov [Tue, 28 Aug 2018 20:06:26 +0000 (22:06 +0200)]
Revert ".travis.yml: omit linux-ppc64le target."

IBM POWER Open Source Ecosystem division asserts commitment to providing
more reliable service. GH#7016.

This reverts commit 275bfc56a6c4efa7e80c8cbb11fda0c3f9be818d.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
13 months agoFree SSL object on an error path
Matt Caswell [Mon, 27 Aug 2018 14:04:28 +0000 (15:04 +0100)]
Free SSL object on an error path

Thanks to @fangang190 for reporting this

Fixes #7061

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7065)

13 months agoFix a mem leak on error in the PSK code
Matt Caswell [Mon, 27 Aug 2018 13:52:09 +0000 (14:52 +0100)]
Fix a mem leak on error in the PSK code

Thanks to @fangang190 for reporting this issue.

Fixes #7060

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7065)

13 months agofix out-of-bounds write in sm2_crypt.c
ymlbright [Wed, 22 Aug 2018 03:22:11 +0000 (11:22 +0800)]
fix out-of-bounds write in sm2_crypt.c

asn1_encode has two form length octets: short form(1 byte), long form(1+n byte).

CLA: Trivial

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7027)

13 months agox509v3/v3_purp.c: refine lock-free check in x509v3_cache_extensions.
Andy Polyakov [Fri, 17 Aug 2018 10:30:36 +0000 (12:30 +0200)]
x509v3/v3_purp.c: refine lock-free check in x509v3_cache_extensions.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6996)

13 months agointernal/tsan_assist.h: add tsan_ld_acq and tsan_st_rel.
Andy Polyakov [Fri, 17 Aug 2018 10:13:01 +0000 (12:13 +0200)]
internal/tsan_assist.h: add tsan_ld_acq and tsan_st_rel.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6996)

13 months agoConfigurations/unix-Makefile.tmpl: address find portability issue.
Andy Polyakov [Sat, 18 Aug 2018 15:45:08 +0000 (17:45 +0200)]
Configurations/unix-Makefile.tmpl: address find portability issue.

-path is non-portable extension, fortunately it's possible to express
.git subdirectory exclusion with -prune.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7004)

13 months agoAdd semicolon at the end of the function prototypes
Paul Yang [Fri, 24 Aug 2018 12:38:04 +0000 (20:38 +0800)]
Add semicolon at the end of the function prototypes

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7041)

13 months agoDo not ignore EVP_PKEY_print_public/EVP_PKEY_print_private return values
Dmitry Belyavskiy [Sat, 18 Aug 2018 16:43:23 +0000 (19:43 +0300)]
Do not ignore EVP_PKEY_print_public/EVP_PKEY_print_private return values

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7007)

13 months agobn/bn_lib.c: conceal even memmory access pattern in bn2binpad.
Andy Polyakov [Wed, 15 Aug 2018 13:46:35 +0000 (15:46 +0200)]
bn/bn_lib.c: conceal even memmory access pattern in bn2binpad.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6915)

13 months agobn/bn_blind.c: use Montgomery multiplication when possible.
Andy Polyakov [Mon, 13 Aug 2018 14:59:08 +0000 (16:59 +0200)]
bn/bn_blind.c: use Montgomery multiplication when possible.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6915)

13 months agorsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."
Andy Polyakov [Fri, 10 Aug 2018 17:46:03 +0000 (19:46 +0200)]
rsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."

In [most common] case of p and q being of same width, it's possible to
replace CRT modulo operations with Montgomery reductions. And those are
even fixed-length Montgomery reductions...

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6915)

13 months agocrypto/bn: add more fixed-top routines.
Andy Polyakov [Fri, 10 Aug 2018 17:31:22 +0000 (19:31 +0200)]
crypto/bn: add more fixed-top routines.

Add bn_{mul|sqr}_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top.
Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove
memset in bn_from_montgomery_word.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6915)

13 months agoUpdate fuzz corpora
Kurt Roeckx [Wed, 22 Aug 2018 21:31:01 +0000 (23:31 +0200)]
Update fuzz corpora

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #7033

13 months agoFix typos in documentation.
parasssh [Thu, 23 Aug 2018 05:42:11 +0000 (22:42 -0700)]
Fix typos in documentation.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7038)

13 months agoExtend dladdr() for AIX, consequence from changes for openssl#6368.
Matthias Kraft [Fri, 15 Jun 2018 10:36:03 +0000 (12:36 +0200)]
Extend dladdr() for AIX, consequence from changes for openssl#6368.

The shared libraries are now stored as members of archives, as it is usual
on AIX. To correctly address this the custom dladdr()-implementation as
well as the dlfcn_load() routine need to be able to cope with such a
construct: libname.a(libname.so).

Signed-off-by: Matthias Kraft <Matthias.Kraft@softwareag.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6872)

13 months agocrypto/init.c: improve destructor_key's portability.
Andy Polyakov [Thu, 16 Aug 2018 07:26:12 +0000 (09:26 +0200)]
crypto/init.c: improve destructor_key's portability.

It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type,
which doesn't appear to hold true.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6976)

13 months agoman3/OBJ_nid2obj.pod: mention failure code for OBJ_create.
Andy Polyakov [Mon, 20 Aug 2018 07:38:36 +0000 (09:38 +0200)]
man3/OBJ_nid2obj.pod: mention failure code for OBJ_create.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6998)

13 months agoasn1/asn_moid.c: overhaul do_create.
Andy Polyakov [Fri, 17 Aug 2018 21:04:03 +0000 (23:04 +0200)]
asn1/asn_moid.c: overhaul do_create.

Original could allocate nid and then bail out on malloc failure. Instead
allocate first *then* attempt to create object.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6998)

14 months agoIgnore the digest in req app if using EdDSA
Matt Caswell [Thu, 9 Aug 2018 15:01:20 +0000 (16:01 +0100)]
Ignore the digest in req app if using EdDSA

This follows on from the previous commit, and makes the same change to
ignore the digest if we are using EdDSA.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6901)

14 months agoImprove the usability of the ca app using EdDSA
Matt Caswell [Thu, 9 Aug 2018 12:31:20 +0000 (13:31 +0100)]
Improve the usability of the ca app using EdDSA

Previously you had to supply "null" as the digest to use EdDSA. This changes
things so that any digest is ignored.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6901)

14 months agoFix BoringSSL external test failures
Matt Caswell [Wed, 22 Aug 2018 13:10:48 +0000 (14:10 +0100)]
Fix BoringSSL external test failures

We recently turned on the TLSv1.3 downgrade sentinels by default.
Unfortunately we are using a very old version of the BoringSSL test
runner which uses an old draft implementation of TLSv1.3 that also
uses the downgrade sentinels by default. The two implementations do
not play well together and were causing spurious test failures. Until
such time as we update the BoringSSL test runner we disable the failing
tests:

SendFallbackSCSV

In this test the client is OpenSSL and the server is the boring test runner.
The client and server fail to negotiate TLSv1.3 because the test runner is
using an old draft TLSv1.3 version. The server does however add the
TLSv1.3->TLSv1.2 downgrade sentinel in the ServerHello random. Since we
recently turned on checking of the downgrade sentinels on the client side
this causes the connection to fail.

VersionNegotiationExtension-TLS11

In this test the test runner is the client and OpenSSL is the server. The
test modifies the supported_versions extension sent by the client to only
include TLSv1.1 (and some other spurious versions), even though the client
does actually support TLSv1.2. The server successfully selects TLSv1.1, but
adds the TLSv1.3->TLSv1.1 downgrade sentinel. This behaviour was recently
switched on by default. The test runner then checks the downgrade sentinel
and aborts the connection because it knows that it really supports TLSv1.2.

VersionNegotiationExtension-TLS1
VersionNegotiationExtension-SSL3

The same as VersionNegotiationExtension-TLS11 but for TLSv1 and SSLv3.

ConflictingVersionNegotiation

In this test the client is the test runner, and OpenSSL is the server. The
client offers TLSv1.2 in ClientHello.version, but also adds a
supported_versions extension that only offers TLSv1.1. The
supported_versions extension takes precedence and the server (correctly)
selects TLSv1.1. However it also adds the TLSv1.3->TLSv1.1 downgrade
sentinel. On the client side it knows it actually offered TLSv1.2 and so the
downgrade sentinel check fails.

[extended tests]

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

14 months agoDon't detect a downgrade where the server has a protocol version hole
Matt Caswell [Mon, 20 Aug 2018 17:05:28 +0000 (18:05 +0100)]
Don't detect a downgrade where the server has a protocol version hole

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

14 months agoTest that a client protocol "hole" doesn't get detected as a downgrade
Matt Caswell [Mon, 20 Aug 2018 16:44:58 +0000 (17:44 +0100)]
Test that a client protocol "hole" doesn't get detected as a downgrade

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

14 months agoUse the same min-max version range on the client consistently
Matt Caswell [Mon, 20 Aug 2018 14:12:39 +0000 (15:12 +0100)]
Use the same min-max version range on the client consistently

We need to ensure that the min-max version range we use when constructing
the ClientHello is the same range we use when we validate the version
selected by the ServerHello. Otherwise this may appear as a fallback or
downgrade.

Fixes #6964

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

14 months agorand_lib.c: Don't open random devices while cleaning up.
Dr. Matthias St. Pierre [Tue, 21 Aug 2018 20:51:28 +0000 (22:51 +0200)]
rand_lib.c: Don't open random devices while cleaning up.

Fixes #7022

In pull request #6432 a change was made to keep the handles to the
random devices opened in order to avoid reseeding problems for
applications in chroot environments.

As a consequence, the handles of the random devices were leaked at exit
if the random generator was not used by the application. This happened,
because the call to RAND_set_rand_method(NULL) in rand_cleanup_int()
triggered a call to the call_once function do_rand_init, which opened
the random devices via rand_pool_init().

Thanks to GitHub user @bwelling for reporting this issue.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7023)

14 months agoFix typos in documentation
Jakub Wilk [Tue, 21 Aug 2018 16:30:34 +0000 (18:30 +0200)]
Fix typos in documentation

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7021)

14 months agoAllow TLS-1.3 ciphersuites in @SECLEVEL=3 and above
Tomas Mraz [Tue, 14 Aug 2018 13:03:16 +0000 (15:03 +0200)]
Allow TLS-1.3 ciphersuites in @SECLEVEL=3 and above

The TLS-1.3 ciphersuites must not be blocked by @SECLEVEL=3 even
though they are not explicitly marked as using DH/ECDH.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6959)

14 months agoZero memory in CRYPTO_secure_malloc.
Pauli [Tue, 21 Aug 2018 23:20:18 +0000 (09:20 +1000)]
Zero memory in CRYPTO_secure_malloc.

This commit destroys the free list pointers which would otherwise be
present in the returned memory blocks.  This in turn helps prevent
information leakage from the secure memory area.

Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory:
before the secure memory system is initialised or if it isn't implemented.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7011)

14 months agoPrepare for 1.1.1-pre10-dev
Matt Caswell [Tue, 21 Aug 2018 12:15:56 +0000 (13:15 +0100)]
Prepare for 1.1.1-pre10-dev

Reviewed-by: Tim Hudson <tjh@openssl.org>
14 months agoPrepare for 1.1.1-pre9 release OpenSSL_1_1_1-pre9
Matt Caswell [Tue, 21 Aug 2018 12:14:10 +0000 (13:14 +0100)]
Prepare for 1.1.1-pre9 release

Reviewed-by: Tim Hudson <tjh@openssl.org>
14 months agoFix a version error in CHANGES and NEWS
Matt Caswell [Tue, 21 Aug 2018 12:11:12 +0000 (13:11 +0100)]
Fix a version error in CHANGES and NEWS

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7019)

14 months agoReplace GFp ladder implementation with ladd-2002-it-4 from EFD
Nicola Tuveri [Fri, 17 Aug 2018 20:00:44 +0000 (23:00 +0300)]
Replace GFp ladder implementation with ladd-2002-it-4 from EFD

The EFD database does not state that the "ladd-2002-it-3" algorithm
assumes X1 != 0.
Consequently the current implementation, based on it, fails to compute
correctly if the affine x coordinate of the scalar multiplication input
point is 0.

We replace this implementation using the alternative algorithm based on
Eq. (9) and (10) from the same paper, which being derived from the
additive relation of (6) does not incur in this problem, but costs one
extra field multiplication.

The EFD entry for this algorithm is at
https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
and the code to implement it was generated with tooling.

Regression tests add one positive test for each named curve that has
such a point. The `SharedSecret` was generated independently from the
OpenSSL codebase with sage.

This bug was originally reported by Dmitry Belyavsky on the
openssl-users maling list:
https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html

Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7000)

14 months agoAdd support for SSL_CTX_set_post_handshake_auth()
Matt Caswell [Mon, 13 Aug 2018 14:53:42 +0000 (15:53 +0100)]
Add support for SSL_CTX_set_post_handshake_auth()

We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX
equivalent.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)

14 months agoChange Post Handshake auth so that it is opt-in
Matt Caswell [Mon, 13 Aug 2018 14:23:27 +0000 (15:23 +0100)]
Change Post Handshake auth so that it is opt-in

Having post handshake auth automatically switched on breaks some
applications written for TLSv1.2. This changes things so that an explicit
function call is required for a client to indicate support for
post-handshake auth.

Fixes #6933.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)

14 months agoCheck getauxval on systems that have it when checking for setuid execution.
Pauli [Fri, 17 Aug 2018 04:35:37 +0000 (14:35 +1000)]
Check getauxval on systems that have it when checking for setuid execution.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6993)

14 months agoFix typos and errors in Ed25519.pod documentation
parasssh [Sat, 18 Aug 2018 08:08:52 +0000 (01:08 -0700)]
Fix typos and errors in Ed25519.pod documentation

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7005)

14 months agoAdd a helper routine so that evp_test can compare memory without producing
Pauli [Wed, 8 Aug 2018 23:27:42 +0000 (09:27 +1000)]
Add a helper routine so that evp_test can compare memory without producing
spurious output when checking for error conditions.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6899)

14 months agorand_unix.c: don't discard entropy bytes from /dev/*random
Dr. Matthias St. Pierre [Thu, 16 Aug 2018 19:34:37 +0000 (21:34 +0200)]
rand_unix.c: don't discard entropy bytes from /dev/*random

Don't discard partial reads from /dev/*random and retry instead.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6990)

14 months agorand_unix.c: don't discard entropy bytes from syscall_random()
Dr. Matthias St. Pierre [Thu, 16 Aug 2018 19:05:47 +0000 (21:05 +0200)]
rand_unix.c: don't discard entropy bytes from syscall_random()

Fixes #6978

Don't discard partial reads from syscall_random() and retry instead.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6990)

14 months agorand_unix.c: assimilate syscall_random() with getrandom(2)
Dr. Matthias St. Pierre [Fri, 17 Aug 2018 21:29:19 +0000 (23:29 +0200)]
rand_unix.c: assimilate syscall_random() with getrandom(2)

Change return value type to ssize_t and ensure that a negative value
is returned only if a corresponding errno is set.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6990)

14 months agoConfigure: don't probe for --noexecstack assembler option on Darwin.
Andy Polyakov [Fri, 17 Aug 2018 12:29:59 +0000 (14:29 +0200)]
Configure: don't probe for --noexecstack assembler option on Darwin.

The option has no meaning on Darwin, but it can bail out in combination
with -fembed-bitcode or -no-integrated-as...

Reviewed-by: Richard Levitte <levitte@openssl.org>
14 months agotest/recipes/30-test_evp_data: fix two typos
Dr. Matthias St. Pierre [Sat, 18 Aug 2018 04:57:42 +0000 (06:57 +0200)]
test/recipes/30-test_evp_data: fix two typos

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7001)

14 months agoAvoid shadowing 'free' in X509_LOOKUP_met_set_free
Benjamin Kaduk [Thu, 16 Aug 2018 20:42:55 +0000 (15:42 -0500)]
Avoid shadowing 'free' in X509_LOOKUP_met_set_free

gcc 4.6 (arguably erroneously) warns about our use of 'free' as
the name of a function parameter, when --strict-warnings is enabled:

crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free':
crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow]
cc1: all warnings being treated as errors
make[1]: *** [crypto/x509/x509_meth.o] Error 1

(gcc 4.8 is fine with this code, as are newer compilers.)

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6991)

14 months agocrypto/threads_*: remove CRYPTO_atomic_{read|write}.
Andy Polyakov [Mon, 13 Aug 2018 20:53:14 +0000 (22:53 +0200)]
crypto/threads_*: remove CRYPTO_atomic_{read|write}.

CRYPTO_atomic_read was added with intention to read statistics counters,
but readings are effectively indistinguishable from regular load (even
in non-lock-free case). This is because you can get out-dated value in
both cases. CRYPTO_atomic_write was added for symmetry and was never used.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6883)

14 months agoConfigure: warn when 'none' is the chosen seed source
Richard Levitte [Thu, 16 Aug 2018 14:01:58 +0000 (16:01 +0200)]
Configure: warn when 'none' is the chosen seed source

Fixes #6980

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6981)

14 months agointernal/refcount.h: overhaul fencing and add _MSC_VER section.
Andy Polyakov [Wed, 8 Aug 2018 09:10:11 +0000 (11:10 +0200)]
internal/refcount.h: overhaul fencing and add _MSC_VER section.

Relax memory_order on counter decrement itself, because mutable
members of the reference-counted structure should be visible on all
processors independently on counter. [Even re-format and minimize
dependency on other headers.]

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6900)

14 months agoFix a bug in test_sslversions
Matt Caswell [Wed, 18 Jul 2018 15:19:05 +0000 (16:19 +0100)]
Fix a bug in test_sslversions

The TLSv1.4 tolerance test wasn't testing what we thought it was.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

14 months agoTurn on TLSv1.3 downgrade protection by default
Matt Caswell [Wed, 18 Jul 2018 15:13:14 +0000 (16:13 +0100)]
Turn on TLSv1.3 downgrade protection by default

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

14 months agoUpdate code for the final RFC version of TLSv1.3 (RFC8446)
Matt Caswell [Wed, 18 Jul 2018 15:05:49 +0000 (16:05 +0100)]
Update code for the final RFC version of TLSv1.3 (RFC8446)

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

14 months agoAdd SHA3 HMAC test vectors from NIST.
Pauli [Wed, 15 Aug 2018 01:43:34 +0000 (11:43 +1000)]
Add SHA3 HMAC test vectors from NIST.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6963)

14 months agoDeallocate previously loaded SSL CONF module data
Tomas Mraz [Tue, 14 Aug 2018 21:43:36 +0000 (17:43 -0400)]
Deallocate previously loaded SSL CONF module data

If application explicitly calls CONF_modules_load_file() the SSL
conf module will be initialized twice and the module data would leak.
We need to free it before initializing it again.

Fixes #6835

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6948)

14 months agoTravis: don't generate git clone progress for logs
Philip Prindeville [Tue, 14 Aug 2018 21:37:33 +0000 (17:37 -0400)]
Travis: don't generate git clone progress for logs

The logs are usually not looked at, and when they are it's almost
always after they've completed and returned a status.  That being
the case, "progress" output is useless if it's always seen after
the fact.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6928)

14 months agoMove SSL_DEBUG md fprintf after assignment
Dmitry Yakovlev [Tue, 14 Aug 2018 11:24:46 +0000 (07:24 -0400)]
Move SSL_DEBUG md fprintf after assignment

To avoid crash (same as #5138 fixed in 44f23cd)

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6937)

14 months agoUpdates to CHANGES and NEWS for the new release.
Matt Caswell [Tue, 14 Aug 2018 09:43:29 +0000 (10:43 +0100)]
Updates to CHANGES and NEWS for the new release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6949)

14 months agocrypto/o_fopen.c: alias fopen to fopen64.
Andy Polyakov [Wed, 27 Jun 2018 09:57:45 +0000 (11:57 +0200)]
crypto/o_fopen.c: alias fopen to fopen64.

Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6596)

14 months agoConfiguration/15-android.conf: slightly move NDK canonisation
Richard Levitte [Sun, 12 Aug 2018 12:22:16 +0000 (14:22 +0200)]
Configuration/15-android.conf: slightly move NDK canonisation

This allows the original path to be displayed when it's shown
to be invalid, so the user can relate without question.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6925)

14 months agoConfigurations/15-android.conf: Make sure that the NDK path is canonical
Richard Levitte [Sun, 12 Aug 2018 08:14:06 +0000 (10:14 +0200)]
Configurations/15-android.conf: Make sure that the NDK path is canonical

Extra slashes in paths are permissible in Unix-like platforms...
however, when compared with the result from 'which', which returns
canonical paths, the comparison might fail even though the compared
paths may be equivalent.  We make the NDK path canonical internally to
ensure the equivalence compares as equal, at least for the most
trivial cases.

Fixes #6917

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6924)

14 months agoi2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Richard Levitte [Sat, 11 Aug 2018 07:59:20 +0000 (09:59 +0200)]
i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer

Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):

    For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
    allocated for a buffer and the encoded data written to it. In this
    case B<*out> is not incremented and it points to the start of the
    data just written.

i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.

Fixes #6914

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)

14 months agoChange the OID references for X25519, X448, ED25519 and ED448 from the draft RFC
Pauli [Thu, 9 Aug 2018 22:41:00 +0000 (08:41 +1000)]
Change the OID references for X25519, X448, ED25519 and ED448 from the draft RFC
to the now released RFC 8410.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6910)

14 months agoFix no-comp
Matt Caswell [Wed, 8 Aug 2018 10:00:55 +0000 (11:00 +0100)]
Fix no-comp

Commit 8839324 removed some NULL checks from the stack code. This caused
a no-comp build to fail in the client and server fuzzers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6893)

14 months agoRevert "stack/stack.c: omit redundant NULL checks."
Matt Caswell [Wed, 8 Aug 2018 15:53:36 +0000 (16:53 +0100)]
Revert "stack/stack.c: omit redundant NULL checks."

This reverts commit 8839324450b569a6253e0dd237ee3e417ef17771.

Removing these checks changes the behaviour of the API which is not
appropriate for a minor release. This also fixes a failure in the
fuzz tests when building with no-comp.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6895)

14 months agoAdd a test for TLSv1.3 fallback
Matt Caswell [Wed, 8 Aug 2018 14:29:33 +0000 (15:29 +0100)]
Add a test for TLSv1.3 fallback

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)

14 months agoImprove fallback protection
Matt Caswell [Wed, 8 Aug 2018 13:21:33 +0000 (14:21 +0100)]
Improve fallback protection

A client that has fallen back could detect an inappropriate fallback if
the TLSv1.3 downgrade protection sentinels are present.

Fixes #6756

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)

14 months agoAdd a test for unencrypted alert
Matt Caswell [Tue, 7 Aug 2018 15:22:31 +0000 (16:22 +0100)]
Add a test for unencrypted alert

Test that a server can handle an unecrypted alert when normally the next
message is encrypted.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)

14 months agoTolerate encrypted or plaintext alerts
Matt Caswell [Tue, 7 Aug 2018 11:40:08 +0000 (12:40 +0100)]
Tolerate encrypted or plaintext alerts

At certain points in the handshake we could receive either a plaintext or
an encrypted alert from the client. We should tolerate both where
appropriate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)

14 months agoEnsure that we write out alerts correctly after early_data
Matt Caswell [Tue, 7 Aug 2018 09:25:54 +0000 (10:25 +0100)]
Ensure that we write out alerts correctly after early_data

If we sent early_data and then received back an HRR, the enc_write_ctx
was stale resulting in errors if an alert needed to be sent.

Thanks to Quarkslab for reporting this.

In any case it makes little sense to encrypt alerts using the
client_early_traffic_secret, so we add special handling for alerts sent
after early_data. All such alerts are sent in plaintext.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)

14 months agoFix a missing call to SSLfatal
Matt Caswell [Mon, 6 Aug 2018 13:02:09 +0000 (14:02 +0100)]
Fix a missing call to SSLfatal

Under certain error conditions a call to SSLfatal could accidently be
missed.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6872)

14 months agotest/asn1_internal_test.c: silence the new check for the ASN1 method table
Dr. Matthias St. Pierre [Tue, 7 Aug 2018 15:49:28 +0000 (17:49 +0200)]
test/asn1_internal_test.c: silence the new check for the ASN1 method table

In 38eca7fed09a a new check for the pem_str member of the entries of the
ASN1 method table was introduced. Because the test condition was split
into two TEST_true(...) conditions, the test outputs error diagnostics
for all entries which have pem_str != NULL. This commit joins the two
test conditions into a single condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6888)

14 months agoIncrease CT_NUMBER values
Rich Salz [Tue, 7 Aug 2018 19:28:59 +0000 (15:28 -0400)]
Increase CT_NUMBER values

Also add build-time errors to keep them in sync.
Thanks to GitHub user YuDudysheva for reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6874)

14 months agoFix setting of ssl_strings_inited.
Rich Salz [Tue, 7 Aug 2018 19:08:03 +0000 (15:08 -0400)]
Fix setting of ssl_strings_inited.

Thanks to GitHub user zsergey105 for reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6875)

14 months agoCheck early that the config target exists and isn't a template
Richard Levitte [Tue, 7 Aug 2018 10:38:16 +0000 (12:38 +0200)]
Check early that the config target exists and isn't a template

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6885)

14 months agoCHANGES: mention s390x assembly pack extensions
Patrick Steuer [Tue, 7 Aug 2018 10:50:06 +0000 (12:50 +0200)]
CHANGES: mention s390x assembly pack extensions

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6870)

14 months agocrypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG.
Andy Polyakov [Fri, 3 Aug 2018 08:46:03 +0000 (10:46 +0200)]
crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG.

Rationale is that it wasn't providing accurate statistics anyway.
For statistics to be accurate CRYPTO_get_alloc_counts should acquire
a lock and lock-free additions should not be an option.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

14 months agoengine/eng_lib.c: remove redundant #ifdef.
Andy Polyakov [Fri, 3 Aug 2018 08:20:59 +0000 (10:20 +0200)]
engine/eng_lib.c: remove redundant #ifdef.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

14 months agoman3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates.
Andy Polyakov [Sun, 29 Jul 2018 13:21:38 +0000 (15:21 +0200)]
man3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

14 months agox509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.
Andy Polyakov [Sun, 29 Jul 2018 12:37:17 +0000 (14:37 +0200)]
x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

14 months agox509v3/v3_purp.c: resolve Thread Sanitizer nit.
Andy Polyakov [Sun, 29 Jul 2018 12:13:32 +0000 (14:13 +0200)]
x509v3/v3_purp.c: resolve Thread Sanitizer nit.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

14 months agossl/*: switch to switch to Thread-Sanitizer-friendly primitives.
Andy Polyakov [Sun, 29 Jul 2018 12:12:53 +0000 (14:12 +0200)]
ssl/*: switch to switch to Thread-Sanitizer-friendly primitives.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

14 months agolhash/lhash.c: switch to Thread-Sanitizer-friendly primitives.
Andy Polyakov [Sun, 29 Jul 2018 12:11:49 +0000 (14:11 +0200)]
lhash/lhash.c: switch to Thread-Sanitizer-friendly primitives.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

14 months agoAdd internal/tsan_assist.h.
Andy Polyakov [Sun, 29 Jul 2018 12:10:20 +0000 (14:10 +0200)]
Add internal/tsan_assist.h.

Goal here is to facilitate writing "thread-opportunistic" code that
withstands Thread Sanitizer's scrutiny. "Thread-opportunistic" is when
exact result is not required, e.g. some statistics, or execution flow
doesn't have to be unambiguous.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

14 months agostack/stack.c: omit redundant NULL checks.
Andy Polyakov [Sun, 5 Aug 2018 14:56:54 +0000 (16:56 +0200)]
stack/stack.c: omit redundant NULL checks.

Checks are left in OPENSSL_sk_shift, OPENSSL_sk_pop and OPENSSL_sk_num.
This is because these are used as "opportunistic" readers, pulling
whatever datai, if any, set by somebody else. All calls that add data
don't check for stack being NULL, because caller should have checked
if stack was actually created.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)

14 months agoHarmonize use of sk_TYPE_find's return value.
Andy Polyakov [Sun, 5 Aug 2018 14:50:41 +0000 (16:50 +0200)]
Harmonize use of sk_TYPE_find's return value.

In some cases it's about redundant check for return value, in some
cases it's about replacing check for -1 with comparison to 0.
Otherwise compiler might generate redundant check for <-1. [Even
formatting and readability fixes.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)

14 months agox509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ.
Andy Polyakov [Sun, 5 Aug 2018 09:51:37 +0000 (11:51 +0200)]
x509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ.

Documentation says "at most B<len> bytes will be written", which
formally doesn't prohibit zero. But if zero B<len> was passed, the
call to memcpy was bound to crash.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)