16 months ago[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
Billy Brumley [Fri, 6 Sep 2019 16:34:53 +0000 (19:34 +0300)]
[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it

The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.

This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.

This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.

It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).

The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.


Reviewed-by: Nicola Tuveri <>
Reviewed-by: Matt Caswell <>
(Merged from

16 months ago[ec/ecp_nistp*.c] restyle: use {} around `else` too
Nicola Tuveri [Fri, 6 Sep 2019 11:05:26 +0000 (14:05 +0300)]
[ec/ecp_nistp*.c] restyle: use {} around `else` too

Reviewed-by: Matt Caswell <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit 4fe2ee3a449a8ca2886584e221f34ff0ef5de119)

16 months ago[ec/ecp_nistp*.c] remove flip_endian()
Nicola Tuveri [Thu, 5 Sep 2019 22:31:45 +0000 (01:31 +0300)]
[ec/ecp_nistp*.c] remove flip_endian()

Replace flip_endian() by using the little endian specific
BN_bn2lebinpad() and BN_lebin2bn().

Reviewed-by: Matt Caswell <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit e0b660c27d8d97b4ad9e2098cc957de26872c0ef)

16 months agoUniform BN_bn2binpad() and BN_bn2lebinpad() implementations
Nicola Tuveri [Thu, 5 Sep 2019 21:18:36 +0000 (00:18 +0300)]
Uniform BN_bn2binpad() and BN_bn2lebinpad() implementations

Reviewed-by: Matt Caswell <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit 1b338abe3abb8c73f004c34d4b8a9272b89dfd5d)

16 months agoMake BN_num_bits() consttime upon BN_FLG_CONSTTIME
Nicola Tuveri [Thu, 1 Aug 2019 23:08:34 +0000 (02:08 +0300)]
Make BN_num_bits() consttime upon BN_FLG_CONSTTIME

This issue was partially addressed by commit
972c87dfc7e765bd28a4964519c362f0d3a58ca4, which hardened its callee
BN_num_bits_word() to avoid leaking the most-significant word of its
argument via branching and memory access pattern.
The commit message also reported:
> There are a few places where BN_num_bits is called on an input where
> the bit length is also secret. This does *not* fully resolve those
> cases as we still only look at the top word.

BN_num_bits() is called directly or indirectly (e.g., through
BN_num_bytes() or BN_bn2binpad() ) in various parts of the `crypto/ec`
code, notably in all the currently supported implementations of scalar
multiplication (in the generic path through ec_scalar_mul_ladder() as
well as in dedicated methods like ecp_nistp{224,256,521}.c and

Under the right conditions, a motivated SCA attacker could retrieve the
secret bitlength of a secret nonce through this vulnerability,
potentially leading, ultimately, to recover a long-term secret key.

With this commit, exclusively for BIGNUMs that are flagged with
BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of
the BIGNUM are accessed up to bn->dmax and bitwise masking is used to
avoid branching.

Memory access pattern still leaks bn->dmax, the size of the lazily
allocated buffer for representing the BIGNUM, which is inevitable with
the current BIGNUM architecture: reading past bn->dmax would be an
out-of-bound read.
As such, it's the caller responsibility to ensure that bn->dmax does not
leak secret information, by explicitly expanding the internal BIGNUM
buffer to a public value sufficient to avoid any lazy reallocation
while manipulating it: this should be already done at the top level
alongside setting the BN_FLG_CONSTTIME.

Thanks to David Schrammel and Samuel Weiser for reporting this issue
through responsible disclosure.

Reviewed-by: Matt Caswell <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit 8b44198b916015f77bef1befa26edb48ad8a0238)

16 months agoFix a SCA leak using BN_bn2bin()
Nicola Tuveri [Thu, 1 Aug 2019 22:33:05 +0000 (01:33 +0300)]
Fix a SCA leak using BN_bn2bin()

BN_bn2bin() is not constant-time and leaks the number of bits in the
processed BIGNUM.

The specialized methods in ecp_nistp224.c, ecp_nistp256.c and
ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the
internal fixed length representation.

This can leak during ECDSA/ECDH key generation or handling the nonce
while generating an ECDSA signature, when using these implementations.
The amount and risk of leaked information useful for a SCA attack
varies for each of the three curves, as it depends mainly on the
ratio between the bitlength of the curve subgroup order (governing the
size of the secret nonce/key) and the limb size for the internal BIGNUM
representation (which depends on the compilation target architecture).

To fix this, we replace BN_bn2bin() with BN_bn2binpad(), bounding the
output length to the width of the internal representation buffer: this
length is public.

Internally the final implementation of both BN_bn2binpad() and
BN_bn2bin() already has masking in place to avoid leaking bn->top
through memory access patterns.
Memory access pattern still leaks bn->dmax, the size of the lazily
allocated buffer for representing the BIGNUM, which is inevitable with
the current BIGNUM architecture: reading past bn->dmax would be an
out-of-bound read.
As such, it's the caller responsibility to ensure that bn->dmax does not
leak secret information, by explicitly expanding the internal BIGNUM
buffer to a public value sufficient to avoid any lazy reallocation
while manipulating it: this is already done at the top level alongside
setting the BN_FLG_CONSTTIME.

Finally, the internal implementation of BN_bn2binpad() indirectly calls
BN_num_bits() via BN_num_bytes(): the current implementation of
BN_num_bits() can leak information to a SCA attacker, and is addressed
in the next commit.

Thanks to David Schrammel and Samuel Weiser for reporting this issue
through responsible disclosure.

Reviewed-by: Matt Caswell <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit 805315d3a20f7274195eed75b06c391dacf3b197)

16 months agoFix a SCA leak in BN_generate_dsa_nonce
Bernd Edlinger [Fri, 6 Sep 2019 06:46:46 +0000 (08:46 +0200)]
Fix a SCA leak in BN_generate_dsa_nonce

Reviewed-by: Matt Caswell <>
Reviewed-by: Nicola Tuveri <>
(Merged from

(cherry picked from commit 31ca19403d56ad71d823cf62990518dfc6905bb4)

16 months ago[crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
Cesar Pereida Garcia [Thu, 5 Sep 2019 09:13:11 +0000 (12:13 +0300)]
[crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.

This commit addresses multiple side-channel vulnerabilities present
during RSA key validation.
Private key parameters are re-computed using variable-time functions.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Bernd Edlinger <>
Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 311e903d8468e2a380d371609a10eda71de16c0e)

16 months agoFix SCA vulnerability when using PVK and MSBLOB key formats
Cesar Pereida Garcia [Wed, 14 Aug 2019 07:17:06 +0000 (10:17 +0300)]
Fix SCA vulnerability when using PVK and MSBLOB key formats

This commit addresses a side-channel vulnerability present when
PVK and MSBLOB key formats are loaded into OpenSSL.
The public key was not computed using a constant-time exponentiation

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Nicola Tuveri <>
Reviewed-by: Bernd Edlinger <>
Reviewed-by: Paul Dale <>
Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 724339ff44235149c4e8ddae614e1dda6863e23e)

17 months agoFix error handling in X509_chain_up_ref
Bernd Edlinger [Fri, 16 Aug 2019 13:18:51 +0000 (15:18 +0200)]
Fix error handling in X509_chain_up_ref

Reviewed-by: Kurt Roeckx <>
Reviewed-by: Tomas Mraz <>
(Merged from

(cherry picked from commit cae665dfa6ccec743a7f39cf80676d7d2d787e56)

17 months agoMakefile.shared: fix to allow strings and spaces in passed variables
Richard Levitte [Sat, 27 Jul 2019 06:40:46 +0000 (08:40 +0200)]
Makefile.shared: fix to allow strings and spaces in passed variables

The previous change for mingw, which now defaults to OPENSSLDIR and
ENGINESDIR definitions that include a space, a long standing issue was
revealed again; our builds for Unix like environment were never very
tolerant of spaces in these definitions, because the quotes were
interpreted along the way.

New analysis of Makefile.shared showed that our use of quotes in there
wasn't quite right.  A lot of double quotes could safely be replaced
with single quotes, thus protecting the diverse values we pass down to
this build file (remember that make variables are expanded before
passing the command to the shell, unconditionally), reserving double
quotes to the places where absolutely needed (to protect the expansion
of shell variables to commands).


Reviewed-by: Matt Caswell <>
(Merged from

18 months agoFix default installation paths on mingw
Richard Levitte [Sat, 6 Jul 2019 07:38:59 +0000 (09:38 +0200)]
Fix default installation paths on mingw

Mingw config targets assumed that resulting programs and libraries are
installed in a Unix-like environment and the default installation
prefix was therefore set to '/usr/local'.

However, mingw programs are installed in a Windows environment, and
the installation directories should therefore have Windows defaults,
i.e. the same kind of defaults as the VC config targets.

A difficulty is, however, that a "cross compiled" build can't figure
out the system defaults from environment the same way it's done when
building "natively", so we have to fall back to hard coded defaults in
that case.

Tests can still be performed when cross compiled on a non-Windows
platform, since all tests only depend on the source and build
directory, and otherwise relies on normal local paths.


Reviewed-by: Matt Caswell <>
(Merged from

18 months agoAdd value_barriers in constant time select functions
Bernd Edlinger [Fri, 21 Jun 2019 19:26:19 +0000 (21:26 +0200)]
Add value_barriers in constant time select functions

The barriers prevent the compiler from narrowing down the
possible value range of the mask and ~mask in the select
statements, which avoids the recognition of the select
and turning it into a conditional load or branch.

Reviewed-by: Paul Dale <>
(Merged from

18 months agoFix wrong lock claimed in x509 dir lookup.
Krists Krilovs [Mon, 8 Jul 2019 20:43:09 +0000 (13:43 -0700)]
Fix wrong lock claimed in x509 dir lookup.

x509 store's objects cache can get corrupted when using dir lookup
method in multithreaded application. Claim x509 store's lock when
accessing objects cache.

CLA: trivial

Reviewed-by: Richard Levitte <>
Reviewed-by: Tomas Mraz <>
Reviewed-by: Bernd Edlinger <>
Reviewed-by: Paul Dale <>
Reviewed-by: Shane Lontis <>
(Merged from

18 months agoAvoid NULL pointer dereference.
Pauli [Mon, 8 Jul 2019 03:39:20 +0000 (13:39 +1000)]
Avoid NULL pointer dereference.

[manual merge from #9059 to 1.1.0]

Fixes: #9043

Reviewed-by: Dmitry Belyavskiy <>
(Merged from

19 months agoPrepare for 1.1.0l-dev
Richard Levitte [Tue, 28 May 2019 12:59:22 +0000 (14:59 +0200)]
Prepare for 1.1.0l-dev

Reviewed-by: Matt Caswell <>
19 months agoPrepare for 1.1.0k release OpenSSL_1_1_0k
Richard Levitte [Tue, 28 May 2019 12:59:16 +0000 (14:59 +0200)]
Prepare for 1.1.0k release

Reviewed-by: Matt Caswell <>
19 months agoUpdate copyright year
Richard Levitte [Tue, 28 May 2019 12:47:54 +0000 (14:47 +0200)]
Update copyright year

Reviewed-by: Matt Caswell <>
(Merged from

19 months agoAdd CHANGES and NEWS for 1.1.0k
Richard Levitte [Mon, 27 May 2019 19:34:05 +0000 (21:34 +0200)]
Add CHANGES and NEWS for 1.1.0k

Reviewed-by: Matt Caswell <>
(Merged from

20 months agoChange default RSA, DSA and DH size to 2048 bit
Kurt Roeckx [Sat, 13 Apr 2019 10:32:48 +0000 (12:32 +0200)]
Change default RSA, DSA and DH size to 2048 bit

Fixes: #8737

Reviewed-by: Bernd Edlinger <>
Reviewed-by: Richard Levitte <>
GH: #8741
(cherry picked from commit 70b0b977f73cd70e17538af3095d18e0cf59132e)

21 months agofixed public range check in ec_GF2m_simple_oct2point
Shane Lontis [Wed, 27 Mar 2019 07:38:28 +0000 (17:38 +1000)]
fixed public range check in ec_GF2m_simple_oct2point

Reviewed-by: Matt Caswell <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit cad8347be23c5e0c0d9eea02d090d42daf2dd7a9)

22 months agoModify the RSA_private_decrypt functions to check the padding in
Bernd Edlinger [Wed, 20 Mar 2019 21:02:58 +0000 (22:02 +0100)]
Modify the RSA_private_decrypt functions to check the padding in
constant time with a memory access pattern that does not depend
on secret information.

[extended tests]

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5)

22 months agoMake err_clear_constant_time really constant time
Bernd Edlinger [Wed, 20 Mar 2019 19:01:12 +0000 (20:01 +0100)]
Make err_clear_constant_time really constant time

[extended tests]

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit 94dc53a3f7549040dd9e61a25485070c14b41c49)

22 months agoClear the point S before freeing in ec_mul_consttime
Bernd Edlinger [Sun, 17 Mar 2019 16:28:24 +0000 (17:28 +0100)]
Clear the point S before freeing in ec_mul_consttime

The secret point R can be recovered from S using the equation R = S - P.
The X and Z coordinates should be sufficient for that.

Reviewed-by: Paul Dale <>
(Merged from

22 months agoClear the secret point in ecdh_simple_compute_key
Bernd Edlinger [Sun, 17 Mar 2019 08:48:15 +0000 (09:48 +0100)]
Clear the secret point in ecdh_simple_compute_key

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit 1ff2c992c24c330c0d40708b4169b862563d6aab)

22 months agoFix memory overrun in rsa padding check functions
Bernd Edlinger [Thu, 28 Feb 2019 09:08:18 +0000 (10:08 +0100)]
Fix memory overrun in rsa padding check functions

Fixes #8364 and #8357

Reviewed-by: Kurt Roeckx <>
(Merged from

(cherry picked from commit d7f5e5ae6d53f1387a42d210806cf5e9ed0882d6)

22 months agoAvoid an underflow in ecp_nistp521.c
Matt Caswell [Tue, 5 Mar 2019 13:26:45 +0000 (13:26 +0000)]
Avoid an underflow in ecp_nistp521.c

The function felem_diff_128_64 in ecp_nistp521.c substracts the number |in|
from |out| mod p. In order to avoid underflow it first adds 32p mod p
(which is equivalent to 0 mod p) to |out|. The comments and variable naming
suggest that the original author intended to add 64p mod p. In fact it
has been shown that with certain unusual co-ordinates it is possible to
cause an underflow in this function when only adding 32p mod p while
performing a point double operation. By changing this to 64p mod p the
underflow is avoided.

It turns out to be quite difficult to construct points that satisfy the
underflow criteria although this has been done and the underflow
demonstrated. However none of these points are actually on the curve.
Finding points that satisfy the underflow criteria and are also *on* the
curve is considered significantly more difficult. For this reason we do
not believe that this issue is currently practically exploitable and
therefore no CVE has been assigned.

This only impacts builds using the enable-ec_nistp_64_gcc_128 Configure

With thanks to Bo-Yin Yang, Billy Brumley and Dr Liu for their significant
help in investigating this issue.

Reviewed-by: Nicola Tuveri <>
(Merged from

(cherry picked from commit 13fbce17fc9f02e2401fc3868f3f8e02d6647e5f)

22 months agoTest an overlong ChaCha20-Poly1305 nonce
Matt Caswell [Tue, 5 Mar 2019 14:51:07 +0000 (14:51 +0000)]
Test an overlong ChaCha20-Poly1305 nonce

Reviewed-by: Paul Dale <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit a4f0b50eafb256bb802f2724fc7f7580fb0fbabc)

22 months agoPrevent over long nonces in ChaCha20-Poly1305
Matt Caswell [Tue, 5 Mar 2019 14:39:15 +0000 (14:39 +0000)]
Prevent over long nonces in ChaCha20-Poly1305

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However it
also incorrectly allows a nonce to be set of up to 16 bytes. In this case
only the last 12 bytes are significant and any additional leading bytes are

It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.


Fixes #8345

Reviewed-by: Paul Dale <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)

22 months agoClarify that SSL_shutdown() must not be called after a fatal error
Matt Caswell [Wed, 20 Feb 2019 14:21:36 +0000 (14:21 +0000)]
Clarify that SSL_shutdown() must not be called after a fatal error

Follow on from CVE-2019-1559

Reviewed-by: Richard Levitte <>
22 months agoGo into the error state if a fatal alert is sent or received
Matt Caswell [Thu, 13 Dec 2018 17:16:55 +0000 (17:16 +0000)]
Go into the error state if a fatal alert is sent or received

1.1.0 is not impacted by CVE-2019-1559, but this commit is a follow on
from that. That CVE was a result of applications calling SSL_shutdown
after a fatal alert has occurred. By chance 1.1.0 is not vulnerable to
that issue, but this change is additional hardening to prevent other
similar issues.

Reviewed-by: Richard Levitte <>
22 months agoEnsure bn_cmp_words can handle the case where n == 0
Matt Caswell [Mon, 25 Feb 2019 11:28:32 +0000 (11:28 +0000)]
Ensure bn_cmp_words can handle the case where n == 0

Thanks to David Benjamin who reported this, performed the analysis and
suggested the patch. I have incorporated some of his analysis in the
comments below.

This issue can cause an out-of-bounds read. It is believed that this was
not reachable until the recent "fixed top" changes. Analysis has so far
only identified one code path that can encounter this - although it is
possible that others may be found. The one code path only impacts 1.0.2 in
certain builds. The fuzzer found a path in RSA where iqmp is too large. If
the input is all zeros, the RSA CRT logic will multiply a padded zero by
iqmp. Two mitigating factors:

- Private keys which trip this are invalid (iqmp is not reduced mod p).
Only systems which take untrusted private keys care.
- In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp,
so the bug is only reproducible in 1.0.2 so far.

Fortunately, the bug appears to be relatively harmless. The consequences of
bn_cmp_word's misbehavior are:

- OpenSSL may crash if the buffers are page-aligned and the previous page is
- OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they
are equal.
- Side channel concerns.

The first is indeed a concern and is a DoS bug. The second is fine in this
context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1)
in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or
a1 - a0. The third would be worth thinking about, but it is overshadowed
by the entire Karatsuba implementation not being constant time.

Due to the difficulty of tripping this and the low impact no CVE is felt
necessary for this issue.

Reviewed-by: Paul Dale <>
Reviewed-by: Viktor Dukhovni <>
(Merged from

(cherry picked from commit 576129cd72ae054d246221f111aabf42b9c6d76d)

23 months agoapps/speed: fix segfault while looking up algorithm name
Jeff Mahoney [Sun, 24 Feb 2019 08:56:28 +0000 (16:56 +0800)]
apps/speed: fix segfault while looking up algorithm name

The backport of master commit 5c6a69f539a (apps/speed: fix possible OOB
access in some EC arrays) as 1.1.0 commit 4e07941373a introduced a
regression.  The ecdh_choices array is iterated using an element count
but is NULL terminated.  This means that running 'openssl speed somealgo'
will result in a segfault when opt_found hits the NULL entry.

Fixes #8243

CLA: trivial

Signed-off-by: Jeff Mahoney <>
Reviewed-by: Paul Yang <>
Reviewed-by: Matt Caswell <>
(Merged from

23 months agoClear BN_FLG_CONSTTIME on BN_CTX_get()
Nicola Tuveri [Fri, 8 Feb 2019 10:42:25 +0000 (12:42 +0200)]

(cherry picked from commit c8147d37ccaaf28c430d3fb45a14af36597e48b8)

Reviewed-by: Matt Caswell <>
(Merged from

23 months agoTest for constant-time flag leakage in BN_CTX
Nicola Tuveri [Mon, 11 Feb 2019 22:37:25 +0000 (00:37 +0200)]
Test for constant-time flag leakage in BN_CTX

This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:

- test_ctx_consttime_flag() initializes (and later frees before
  returning) a BN_CTX object, then it calls in sequence
  test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
  BN_CTX object. The process is run twice, once with a "normal"
  BN_CTX_new() object, then with a BN_CTX_secure_new() one.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
  BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
  before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
  BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
  frame should have BN_FLG_CONSTTIME set.

In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.

This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.

(manually cherry picked from commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282)

Reviewed-by: Matt Caswell <>
(Merged from

23 months ago[test] unit test for field_inv function pointer in EC_METHOD
Nicola Tuveri [Mon, 18 Feb 2019 01:46:54 +0000 (03:46 +0200)]
[test] unit test for field_inv function pointer in EC_METHOD

This is a rewrite of commit 8f58ede09572dcc6a7e6c01280dd348240199568 for
the 1.1.0-stable branch.

Co-authored-by: Billy Brumley <>
Reviewed-by: Matt Caswell <>
(Merged from

23 months agoSCA hardening for mod. field inversion in EC_GROUP
Billy Brumley [Sat, 2 Feb 2019 08:53:29 +0000 (10:53 +0200)]
SCA hardening for mod. field inversion in EC_GROUP

This commit adds a dedicated function in `EC_METHOD` to access a modular
field inversion implementation suitable for the specifics of the
implemented curve, featuring SCA countermeasures.

The new pointer is defined as:
`int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
and computes the multiplicative inverse of `a` in the underlying field,
storing the result in `r`.

Three implementations are included, each including specific SCA
  - `ec_GFp_simple_field_inv()`, featuring SCA hardening through
  - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
    Little Theorem (FLT) inversion.
  - `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which
    already features SCA hardening through blinding.

From a security point of view, this also helps addressing a leakage
previously affecting conversions from projective to affine coordinates.

This commit also adds a new error reason code (i.e.,
`EC_R_CANNOT_INVERT`) to improve consistency between the three
implementations as all of them could fail for the same reason but
through different code paths resulting in inconsistent error stack

Co-authored-by: Nicola Tuveri <>
(cherry picked from commit e0033efc30b0f00476bba8f0fa5512be5dc8a3f1)

Reviewed-by: Matt Caswell <>
Reviewed-by: Nicola Tuveri <>
(Merged from

23 months agocygwin: drop explicit O_TEXT
Corinna Vinschen [Mon, 18 Feb 2019 21:37:37 +0000 (22:37 +0100)]
cygwin: drop explicit O_TEXT

Cygwin binaries should not enforce text mode these days, just
use text mode if the underlying mount point requests it

Signed-off-by: Corinna Vinschen <>
Reviewed-by: Matt Caswell <>
Reviewed-by: Richard Levitte <>
(Merged from

23 months agocrypto/engine/eng_cryptodev.c: fix bignum<->crp conversion
Richard Levitte [Mon, 11 Feb 2019 11:22:02 +0000 (12:22 +0100)]
crypto/engine/eng_cryptodev.c: fix bignum<->crp conversion

bn2crparam() incorrectly delivered a big endian byte string to cryptodev.
Using BN_bn2lebinpad() instead of BN_bn2bin() fixes this.

crparam2bn() had a hack that avoided this issue in the other direction,
but allocated an intermediary chunk of memory to get correct endianness.
Using BN_lebin2bn() avoids this allocation.

Fixes #8202

Reviewed-by: Matt Caswell <>
(Merged from

23 months agoFix a crash in reuse of d2i_X509_PUBKEY
Bernd Edlinger [Wed, 30 Jan 2019 15:20:31 +0000 (16:20 +0100)]
Fix a crash in reuse of d2i_X509_PUBKEY

If the second PUBKEY is malformed there is use after free.

Reviewed-by: Matt Caswell <>
(Merged from

2 years agoFixed typo (vi leftover).
Tobias Stoeckmann [Tue, 11 Dec 2018 19:34:21 +0000 (20:34 +0100)]
Fixed typo (vi leftover).

There was a trailing :w at a line, which didn't make sense in context
of the sentence/styling. Removed it, because I think it's a leftover
vi command.

CLA: trivial
Signed-off-by: Tobias Stoeckmann <>
Reviewed-by: Matt Caswell <>
Reviewed-by: Matthias St. Pierre <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 143b631639f95822e5e00768254fa35c787f6396)

2 years agoerr/err.c: improve err_clear_last_constant_time's portability.
Andy Polyakov [Fri, 7 Dec 2018 21:19:57 +0000 (22:19 +0100)]
err/err.c: improve err_clear_last_constant_time's portability.

Reviewed-by: Kurt Roeckx <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 91d0fd1c2753f0f7d6e0953eed3cfb6eb96d8ff4)

2 years agorsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time.
Andy Polyakov [Fri, 14 Sep 2018 15:24:13 +0000 (17:24 +0200)]
rsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time.

Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
if nul delimiter is preceded by 8 consecutive 0x03 bytes.

Reviewed-by: Richard Levitte <>
Reviewed-by: Matt Caswell <>
(cherry picked from commit 603221407ddc6404f8c417c6beadebf84449074c)

Resolved conflicts:

(Merged from

2 years agorsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP.
Andy Polyakov [Thu, 6 Sep 2018 19:54:23 +0000 (21:54 +0200)]
rsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP.

And make RSAErr call unconditional.

Reviewed-by: Richard Levitte <>
Reviewed-by: Matt Caswell <>
(cherry picked from commit 75f5e944be97f28867e7c489823c889d89d0bd06)

(Merged from

2 years agorsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.
Andy Polyakov [Sat, 1 Sep 2018 10:00:33 +0000 (12:00 +0200)]
rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.

And make RSAErr call unconditional.

Reviewed-by: Richard Levitte <>
Reviewed-by: Matt Caswell <>
(cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c)

(Merged from

2 years agorsa/rsa_ossl.c: make RSAerr call in rsa_ossl_private_decrypt unconditional.
Andy Polyakov [Fri, 14 Sep 2018 10:17:43 +0000 (12:17 +0200)]
rsa/rsa_ossl.c: make RSAerr call in rsa_ossl_private_decrypt unconditional.

Reviewed-by: Richard Levitte <>
Reviewed-by: Matt Caswell <>
(cherry picked from commit 89072e0c2a483f2ad678e723e112712567b0ceb1)

(Merged from

2 years agoerr/err.c: add err_clear_last_constant_time.
Andy Polyakov [Sat, 1 Sep 2018 10:19:30 +0000 (12:19 +0200)]
err/err.c: add err_clear_last_constant_time.

Expected usage pattern is to unconditionally set error and then
wipe it if there was no actual error.

Reviewed-by: Richard Levitte <>
Reviewed-by: Matt Caswell <>
(cherry picked from commit f658a3b64d8750642f4975090740865f770c2a1b)

Resolved conflicts:

(Merged from

2 years agoMake EVP_PKEY_asn1_add0() stricter about its input
Richard Levitte [Fri, 7 Dec 2018 08:26:04 +0000 (09:26 +0100)]
Make EVP_PKEY_asn1_add0() stricter about its input

It turns out that the strictness that was implemented in
EVP_PKEY_asn1_new() (see Github openssl/openssl#6880) was badly placed
for some usages, and that it's better to do this check only when the
method is getting registered.

Fixes #7758

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit a86003162138031137727147c9b642d99db434b1)

2 years agoHave util/ display the absolute path to the tarball
Richard Levitte [Sat, 24 Nov 2018 16:51:24 +0000 (17:51 +0100)]
Have util/ display the absolute path to the tarball

Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit 3be389435fc7b94623d972b622dbd9f0cd5c34f7)

2 years agoMake sure to run util/ from the source directory
Richard Levitte [Sat, 24 Nov 2018 10:27:50 +0000 (11:27 +0100)]
Make sure to run util/ from the source directory

Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit b741f153b2f24139d7210b1b0c9caf561f4900e8)

2 years agoDon't export the submodules 'boringssl', 'krb5' and 'pyca-cryptography'
Richard Levitte [Fri, 23 Nov 2018 23:59:33 +0000 (00:59 +0100)]
Don't export the submodules 'boringssl', 'krb5' and 'pyca-cryptography'

Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit 76bc401cc63219a462224884cb4af787e17725ed)

2 years agoDon't export util/
Richard Levitte [Fri, 23 Nov 2018 13:43:16 +0000 (14:43 +0100)]
Don't export util/

When creating a tarball, it's pointless to include scripts that assume
a git workspace.

Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit b9a694717902af796639e1dff641ba620703303b)

2 years agoDocument the removed 'dist' target
Richard Levitte [Fri, 23 Nov 2018 13:40:39 +0000 (14:40 +0100)]
Document the removed 'dist' target

Also adds missing copyright boilerplate to util/

Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit b42922ea2f605fd6c42faad1743fb27be5f7f1f3)

2 years agorsa/rsa_ossl.c: cache MONT_CTX for public modulus earlier.
Andy Polyakov [Wed, 7 Nov 2018 21:07:22 +0000 (22:07 +0100)]
rsa/rsa_ossl.c: cache MONT_CTX for public modulus earlier.

Blinding is performed more efficiently and securely if MONT_CTX for public
modulus is available by the time blinding parameter are instantiated. So
make sure it's the case.

Reviewed-by: Matt Caswell <>
Reviewed-by: Richard Levitte <>
(cherry picked from commit 2cc3f68cde77af23c61fbad65470602ee86f2575)

Reviewed-by: Matthias St. Pierre <>
(Merged from

2 years agoRemove all 'make dist' artifacts
Richard Levitte [Thu, 22 Nov 2018 20:29:02 +0000 (21:29 +0100)]
Remove all 'make dist' artifacts

Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 8d9535ec3e317641b8e551973c8cfe2ee1c89296)

2 years agoChange tarball making procedure
Richard Levitte [Thu, 22 Nov 2018 20:17:47 +0000 (21:17 +0100)]
Change tarball making procedure

Since recently, OpenSSL tarballs are produced with 'make tar' rather
than 'make dist', as the latter has turned out to be more troublesome
than useful.

The next step to look at is why we would need to configure at all to
produce a Makefile just to produce a tarball.  After all, the tarball
should now only contain source files that are present even without

Furthermore, the current method for producing tarballs is a bit
complex, and can be greatly simplified with the right tools.  Since we
have everything versioned with git, we might as well use the tool that
comes with it.

Added: util/, a simple script to produce OpenSSL tarballs.  It
takes the options --name to modify the prefix of the distribution, and
--tarfile tp modify the tarball file name specifically.

This also adds a few entries in .gitattributes to specify files that
should never end up in a distribution tarball.

Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 8c209eeef426ded66ce99048f535f35d08b88462)

2 years agoPrepare for 1.1.0k-dev
Matt Caswell [Tue, 20 Nov 2018 13:42:16 +0000 (13:42 +0000)]
Prepare for 1.1.0k-dev

Reviewed-by: Richard Levitte <>
2 years agoPrepare for 1.1.0j release OpenSSL_1_1_0j
Matt Caswell [Tue, 20 Nov 2018 13:41:22 +0000 (13:41 +0000)]
Prepare for 1.1.0j release

Reviewed-by: Richard Levitte <>
2 years agoUpdate copyright year
Matt Caswell [Tue, 20 Nov 2018 13:21:36 +0000 (13:21 +0000)]
Update copyright year

Reviewed-by: Richard Levitte <>
(Merged from

2 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Tue, 20 Nov 2018 10:52:53 +0000 (10:52 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <>
Reviewed-by: Nicola Tuveri <>
(Merged from

2 years agoFix typo in util/perl/OpenSSL/
Richard Levitte [Tue, 13 Nov 2018 16:57:45 +0000 (17:57 +0100)]
Fix typo in util/perl/OpenSSL/

Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit 2dc37bc2b4c678462a24d2904604e58c0c5ac1cb)

2 years agotest/recipes/90-test_shlibload.t needs $target{shared_extension}
Richard Levitte [Tue, 13 Nov 2018 17:28:41 +0000 (18:28 +0100)]
test/recipes/90-test_shlibload.t needs $target{shared_extension}

We therefore must add defaults.

Reviewed-by: Viktor Dukhovni <>
(Merged from

2 years agoFix rpath-related Linux "test_shlibload" failure.
Richard Levitte [Tue, 13 Nov 2018 14:57:34 +0000 (15:57 +0100)]
Fix rpath-related Linux "test_shlibload" failure.

When libssl and libcrypto are compiled on Linux with "-rpath", but
not "--enable-new-dtags", the RPATH takes precedence over
LD_LIBRARY_PATH, and we end up running with the wrong libraries.
This is resolved by using full (or at least relative, rather than
just the filename to be found on LD_LIBRARY_PATH) paths to the
shared objects.

Reviewed-by: Viktor Dukhovni <>
(Merged from

2 years agoConfiguration: make sure the shared_sources table doesn't contain empty elements
Richard Levitte [Tue, 13 Nov 2018 17:49:21 +0000 (18:49 +0100)]
Configuration: make sure the shared_sources table doesn't contain empty elements

Fixes #7634

Reviewed-by: Viktor Dukhovni <>
(Merged from

(cherry picked from commit 0c594ccc29f6ba241627f436ba3d05fc400d1066)

2 years agoWindows build: build foo.d after foo.obj
Richard Levitte [Wed, 31 Oct 2018 08:02:00 +0000 (09:02 +0100)]
Windows build: build foo.d after foo.obj

We made the build of foo.obj depend on foo.d, meaning the latter gets
built first.  Unfortunately, the way the compiler works, we are forced
to redirect all output to foo.d, meaning that if the source contains
an error, the build fails without showing those errors.

We therefore remove the dependency and force the build of foo.d to
always happen after build of foo.obj.

Reviewed-by: Tim Hudson <>
(Merged from

2 years ago[crypto/bn] swap BN_FLG_FIXED_TOP too
Billy Brumley [Fri, 9 Nov 2018 07:25:43 +0000 (09:25 +0200)]
[crypto/bn] swap BN_FLG_FIXED_TOP too

Reviewed-by: Matt Caswell <>
Reviewed-by: Richard Levitte <>
Reviewed-by: Nicola Tuveri <>
(Merged from

(cherry picked from commit dd41956d80686638d74fd203bd67060f90966280)

2 years agoFix cherry-pick error
Richard Levitte [Fri, 9 Nov 2018 11:08:08 +0000 (12:08 +0100)]
Fix cherry-pick error

A couple of $(ECHO) sneaked in from patches in newer branches

Fixes #7600

Reviewed-by: Matt Caswell <>
(Merged from

2 years agoVMS build: colon after target must be separated with a space
Richard Levitte [Fri, 9 Nov 2018 11:23:53 +0000 (12:23 +0100)]
VMS build: colon after target must be separated with a space

... otherwise, it's taken to be part of a device name.

Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit e9994901f835420764d020968d4588fc09ec74c3)

2 years agoHave install targets depend on more precise build targets
Richard Levitte [Wed, 7 Nov 2018 15:13:57 +0000 (16:13 +0100)]
Have install targets depend on more precise build targets

We only had the main 'install' target depend on 'all'.  This changes
the dependencies so targets like install_dev, install_runtime_libs,
install_engines and install_programs depend on build targets that are
correspond to them more specifically.  This increases the parallel

Fixes #7466

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit e8d01a608705e4320082a11a3870aa7e19c7290f)

2 years agoAllow parallel install
Richard Levitte [Thu, 25 Oct 2018 07:09:20 +0000 (09:09 +0200)]
Allow parallel install

When trying 'make -j{n} install', you may occasionally run into
trouble because to sub-targets (install_dev and install_runtime) try
to install the same shared libraries.  That makes parallel install

This is solved by dividing install_runtime into two parts, one for
libraries and one for programs, and have install_dev depend on
install_runtime_libs instead of installing the shared runtime
libraries itself.

Fixes #7466

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit c1123d9f7efb005a109aeccaba82c40bf9bd4c1d)

2 years agoAdd a constant time flag to one of the bignums to avoid a timing leak.
Pauli [Wed, 31 Oct 2018 22:44:11 +0000 (08:44 +1000)]
Add a constant time flag to one of the bignums to avoid a timing leak.

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)

2 years agoRemove brace from bad cherry-pick of DSA reallocation fix
Rod Vagg [Mon, 29 Oct 2018 09:43:53 +0000 (20:43 +1100)]
Remove brace from bad cherry-pick of DSA reallocation fix

Commit 56fb454 backported the DSA reallocation fix to 1.1.0, however a
code block that has multiple statements in 1.1.1+ only has a `goto` in
1.1.0 so introduces a brace that causes a compile failure.


Reviewed-by: Richard Levitte <>
Reviewed-by: Paul Dale <>
(Merged from

2 years agoTiming vulnerability in ECDSA signature generation (CVE-2018-0735)
Pauli [Fri, 26 Oct 2018 00:54:58 +0000 (10:54 +1000)]
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.

Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)

2 years agoTiming vulnerability in DSA signature generation (CVE-2018-0734).
Pauli [Tue, 23 Oct 2018 21:42:46 +0000 (07:42 +1000)]
Timing vulnerability in DSA signature generation (CVE-2018-0734).

Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized.  Increasing the size of the BNs
prior to doing anything with them suppresses the attack.

Thanks due to Samuel Weiser for finding and locating this.

Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6)

2 years agoDSA mod inverse fix
Pauli [Sun, 28 Oct 2018 20:50:51 +0000 (06:50 +1000)]
DSA mod inverse fix

There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm.  This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.

Thanks to Samuel Weiser for finding and reporting this.

Reviewed-by: Matthias St. Pierre <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit 415c33563528667868c3c653a612e6fc8736fd79)

2 years agomd_rand.c: don't stop polling until properly initialized
Dr. Matthias St. Pierre [Thu, 18 Oct 2018 21:04:32 +0000 (23:04 +0200)]
md_rand.c: don't stop polling until properly initialized

Previously, the RNG sets `initialized=1` after the first call to
RAND_poll(), although its criterion for being initialized actually
is whether condition `entropy >= ENTROPY_NEEDED` is true.

This commit now assigns `initialized=(entropy >= ENTROPY_NEEDED)`,
which has the effect that on the next call, RAND_poll() will be
called again, if it previously failed to obtain enough entropy.

Reviewed-by: Paul Dale <>
(Merged from

2 years agoarch/async_posix.h: improve portability.
Andy Polyakov [Wed, 17 Oct 2018 08:09:33 +0000 (10:09 +0200)]
arch/async_posix.h: improve portability.

{make|swap|get|set}context are removed in POSIX.1-2008, but glibc
apparently keeps providing it.

Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 9d71a24ebf57e7157888af1ca587eafe914bf96f)

2 years agoApply self-imposed path length also to root CAs
Viktor Dukhovni [Mon, 8 Oct 2018 16:05:14 +0000 (12:05 -0400)]
Apply self-imposed path length also to root CAs

Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf).  Therefore, never count the EE
cert, and adjust the path length comparison accordinly.  This may
be more clear to the reader.

Reviewed-by: Matt Caswell <>
(cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6)

2 years agoOnly CA certificates can be self-issued
Viktor Dukhovni [Fri, 5 Oct 2018 03:53:01 +0000 (23:53 -0400)]
Only CA certificates can be self-issued

At the bottom of and
top of (last paragraph
of above, we see:

   This specification covers two classes of certificates: CA
   certificates and end entity certificates.  CA certificates may be
   further divided into three classes: cross-certificates, self-issued
   certificates, and self-signed certificates.  Cross-certificates are
   CA certificates in which the issuer and subject are different
   entities.  Cross-certificates describe a trust relationship between
   the two CAs.  Self-issued certificates are CA certificates in which
   the issuer and subject are the same entity.  Self-issued certificates
   are generated to support changes in policy or operations.  Self-
   signed certificates are self-issued certificates where the digital
   signature may be verified by the public key bound into the
   certificate.  Self-signed certificates are used to convey a public
   key for use to begin certification paths.  End entity certificates
   are issued to subjects that are not authorized to issue certificates.

that the term "self-issued" is only applicable to CAs, not end-entity
certificates.  In
the description of path length constraints says:

   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.  (Note: The
   last certificate in the certification path is not an intermediate
   certificate, and is not included in this limit.  Usually, the last
   certificate is an end entity certificate, but it can be a CA

This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates.  A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count.  The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.

Reviewed-by: Matt Caswell <>
(cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)

2 years agossl/s3_enc.c: fix logical errors in ssl3_final_finish_mac.
Andy Polyakov [Fri, 12 Oct 2018 20:17:51 +0000 (22:17 +0200)]
ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac.

(back-port of commit 7d0effeacbb50b12bfc24df7614d7cf5c8686f51)

Reviewed-by: Matt Caswell <>
(Merged from

2 years agoapps: allow empty attribute values with -subj
Benjamin Kaduk [Thu, 4 Oct 2018 18:49:21 +0000 (13:49 -0500)]
apps: allow empty attribute values with -subj

Historically (i.e., OpenSSL 1.0.x), the openssl applications would
allow for empty subject attributes to be passed via the -subj argument,
e.g., `opensl req -subj '/CN=joe/O=/OU=local' ...`.  Commit
db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite
to the parse_name() helper function that parses these strings, but
in the process dropped a check that would skip attributes with no
associated value.  As a result, such strings are now treated as
hard errors and the operation fails.

Restore the check to skip empty attribute values and restore
the historical behavior.

Document the behavior for empty subject attribute values in the
corresponding applications' manual pages.

(cherry picked from commit 3d362f190306b62a17aa2fd475b2bc8b3faa8142)
(cherry picked from commit a7ee1ef61b1893038008691a4a6979cf2da91439)

Reviewed-by: Matt Caswell <>
(Merged from

2 years agoFix copy&paste error found in Coverity scan
Tomas Mraz [Tue, 9 Oct 2018 16:37:10 +0000 (18:37 +0200)]
Fix copy&paste error found in Coverity scan

Reviewed-by: Nicola Tuveri <>
Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 628ee796389b555ddb5fc28355e16e9417ab1724)

2 years agorsa/rsa_ossl.c: fix and extend commentary [skip ci].
Andy Polyakov [Wed, 5 Sep 2018 12:33:21 +0000 (14:33 +0200)]
rsa/rsa_ossl.c: fix and extend commentary [skip ci].

Reviewed-by: Richard Levitte <>
Reviewed-by: Nicola Tuveri <>
(Merged from

(cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849)

2 years agoClean out aliases in include/openssl/symhacks.h
Richard Levitte [Sun, 30 Sep 2018 00:18:47 +0000 (02:18 +0200)]
Clean out aliases in include/openssl/symhacks.h

Only a few clashing ones remain

Reviewed-by: Paul Yang <>
(Merged from

(cherry picked from commit b44882a0bd0717e0aab84f5dc3ef81ab673155e9)

2 years agoSmall cleanup (util/, crypto/bio/bss_log.c, include/openssl/ocsp.h)
Richard Levitte [Sat, 29 Sep 2018 23:59:11 +0000 (01:59 +0200)]
Small cleanup (util/, crypto/bio/bss_log.c, include/openssl/ocsp.h)

BIO_s_log() is declared for everyone, so should return NULL when not
actually implemented.  Also, it had explicit platform limitations in
util/ that didn't correspond to what was actually in code.
While at it, a few other hard coded things that have lost their
relevance were removed.

include/openssl/ocsp.h had a few duplicate declarations.

Reviewed-by: Paul Yang <>
(Merged from

(cherry picked from commit 7e09c5eaa57295f87453286ffe25277c2f2bc73f)

2 years agoImplement coordinate blinding for EC_POINT
Sohaib ul Hassan [Sat, 16 Jun 2018 14:07:40 +0000 (17:07 +0300)]
Implement coordinate blinding for EC_POINT

This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.

This commit is derived from the patch by Billy Brumley.

Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.

For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.

For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.

Co-authored-by: Nicola Tuveri <>
Co-authored-by: Billy Brumley <>
Reviewed-by: Tim Hudson <>
Reviewed-by: Nicola Tuveri <>
Reviewed-by: Andy Polyakov <>
(Merged from

2 years ago[test] ECC: make sure negative tests pass for the right reasons
Billy Brumley [Wed, 22 Aug 2018 06:50:43 +0000 (09:50 +0300)]
[test] ECC: make sure negative tests pass for the right reasons

This is a backport of #7028 to 1.1.0.

It squashes the two original commits and applies changes for
compatibility with 1.1.0.

1. cherry picked from commit 30c41bfb158c0f595809d0eaf032926a3c2cf236
    [test] ECC: make sure negative tests pass for the right reasons
2. cherry picked from commit bfb10b975818d1887d676d309fcc21a765611f6d
    [test] throw error from wrapper function instead of an EC_METHOD specific one

Given that in 1.1.0 `EC_POINT_get_affine_coordinates_GFp` and
`EC_POINT_get_affine_coordinates_GF2m` have not been unified, in this
backport the tests distinguish between the 2 different functions as the
cause of the expected error.

[extended tests] to trigger sanitizer checks and coverage analysis.

Reviewed-by: Nicola Tuveri <>
Reviewed-by: Paul Dale <>
(Merged from

2 years agoMore EVP ECC testing: positive and negative
Billy Brumley [Thu, 28 Jun 2018 07:59:08 +0000 (10:59 +0300)]
More EVP ECC testing: positive and negative

This is a backport of #6608 to 1.1.0.

1. For every named curve, two "golden" keypair positive tests.
2. Also two "golden" stock ECDH positive tests.
3. For named curves with non-trivial cofactors, additionally two "golden"
   ECC CDH positive tests.
4. For named curves with non-trivial cofactors, additionally two negative

There is some overlap with existing EVP tests, especially for the NIST
curves (for example, positive testing ECC CDH KATs for NIST curves).

"Golden" here means all the values are independent from OpenSSL's ECC
code. I used sage to calculate them. What comes from OpenSSL is:

1. The OIDs (parsed by tooling)
2. The curve parameters (parsing ecparam output with tooling)

The values inside the PEMs (private keys, public keys) and shared keys
are from sage. The PEMs themselves are the output of asn1parse, with
input taken from sage.

(cherry picked from commit 249330de0250bc598d20d383bab37d150cdad239)

Reviewed-by: Nicola Tuveri <>
Reviewed-by: Paul Dale <>
(Merged from

2 years agoMove evp test programs input data to its own data dir
Nicola Tuveri [Fri, 7 Sep 2018 15:27:56 +0000 (18:27 +0300)]
Move evp test programs input data to its own data dir

This is a manual backport of #3472 to 1.1.0.
This is a partial backport, limited only to evptests, as #3472 also
affected bntests, which has a completely different form in 1.1.0.

Reviewed-by: Paul Dale <>
(Merged from

2 years agoSplit test/evptests.txt into separate files.
Nicola Tuveri [Fri, 7 Sep 2018 15:14:30 +0000 (18:14 +0300)]
Split test/evptests.txt into separate files.

This is a manual port of #3443 (and the related bugfix PR #3452) to

Reviewed-by: Paul Dale <>
(Merged from

2 years agoDocument OPENSSL_VERSION_TEXT macro
Daniel Bevenius [Mon, 24 Sep 2018 06:43:35 +0000 (08:43 +0200)]

This commit documents the OPENSSL_VERSION_TEXT which is currently
missing in the man page.

Reviewed-by: Tim Hudson <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 7c69495712e3dc9aa8db38271f0c3faeb2037165)

2 years agoUse secure_getenv(3) when available.
Pauli [Mon, 24 Sep 2018 01:21:18 +0000 (11:21 +1000)]
Use secure_getenv(3) when available.

Change all calls to getenv() inside libcrypto to use a new wrapper function
that use secure_getenv() if available and an issetugid then getenv if not.

CPU processor override flags are unchanged.

Extra checks for OPENSSL_issetugid() have been removed in favour of the
safe getenv.

Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit 5c39a55d04ea6e6f734b627a050b9e702788d50d)

2 years agocrypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG
Richard Levitte [Fri, 21 Sep 2018 09:11:15 +0000 (11:11 +0200)]
crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG

This module includes bn.h via other headers, so it picks up the
definition from there and doesn't need to define them locally (any
more?).  Worst case scenario, the redefinition may be different and
cause all sorts of compile errors.

Fixes #7227

Reviewed-by: Tim Hudson <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit dda5396aaec315bdbcb080e42fb5cd0191f2ad72)

2 years agocrypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too
Richard Levitte [Wed, 19 Sep 2018 19:33:45 +0000 (21:33 +0200)]
crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too

These both indicate that the file descriptor we're trying to use as a
terminal isn't, in fact, a terminal.

Fixes #7271

Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit 276bf8620ce35a613c856f2b70348f65ffe94067)

2 years agoUse 'i' as parameter name not 'I'.
Pauli [Sun, 16 Sep 2018 21:47:42 +0000 (07:47 +1000)]
Use 'i' as parameter name not 'I'.

The latter causes problems when complex.h is #included.

Reviewed-by: Tim Hudson <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 972f67889b5a10c33dbc3d500cfa65b544e68b46)

2 years agoAdd a compile time test to verify that openssl/rsa.h and complex.h can
Pauli [Sun, 16 Sep 2018 22:09:25 +0000 (08:09 +1000)]
Add a compile time test to verify that openssl/rsa.h and complex.h can

Reviewed-by: Tim Hudson <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit da5fac72b1cba5651b871902eea234e693cf01e5)

2 years agoAdd an explicit cast to time_t
Matt Caswell [Wed, 12 Sep 2018 15:49:19 +0000 (16:49 +0100)]
Add an explicit cast to time_t

Caused a compilation failure in some environments

Fixes #7204

Reviewed-by: Viktor Dukhovni <>
(Merged from

(cherry picked from commit bc278f30f0b766bfb82426c641dc1d51ace4a994)

2 years agominor fixes for Windows
Viktor Szakats [Tue, 11 Sep 2018 22:34:00 +0000 (22:34 +0000)]
minor fixes for Windows

- fix to use secure URL in generated Windows resources
- fix a potentially uninitialized variable

CLA: trivial

Reviewed-by: Richard Levitte <>
Reviewed-by: Paul Dale <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

2 years agoMake the config script fail with an error code if Configure failed
Bernd Edlinger [Mon, 10 Sep 2018 12:18:23 +0000 (14:18 +0200)]
Make the config script fail with an error code if Configure failed

Reviewed-by: Richard Levitte <>
(Merged from

2 years agoFix typos in documentation.
parasssh [Thu, 23 Aug 2018 05:42:11 +0000 (22:42 -0700)]
Fix typos in documentation.

CLA: trivial

(cherry picked from commit fa332bba919d094c1654bbb3be0528b3df6e9023)

Reviewed-by: Paul Dale <>
Reviewed-by: Richard Levitte <>
(Merged from