Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

(cherry picked from commit 6c90182a)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

(cherry picked from commit 3c97e412)

Trouble is that addition is postponing expansion till carry is
calculated, and if addition carries, top word can be zero, which
triggers assertion in bn_check_top.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)

(cherry picked from commit e42395e6)

We need to check that __GNUC__ is defined before trying to use it.
This demands a slightly different way to define DECLARE_DEPRECATED.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6688)

To avoid the possibility that someone creates rem.exe, rem.bat or
rem.cmd, simply don't use it.  In the cases it was used, it was to
avoid empty lines, but it turns out that nmake handles those fine, so
no harm done.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6686)

(cherry picked from commit 1b6a0a26)

It seems that nmake first tries to run executables on its own, and
only pass commands to cmd if that fails.  That means it's possible to
have nmake run something like 'echo.exe' when the builtin 'echo'
command was expected, which might give us unexpected results.

To get around this, we create our own echoing script and call it
explicitly from the nmake makefile.

Fixes #6670

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6686)

(cherry picked from commit 9abce88b)

The reason is that we override Text::Template::append_text_to_output(),
and it didn't exist before Text::Template 1.46.

Fixes #6641

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)

(cherry picked from commit 4e351ca9)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)

(cherry picked from commit f7dce50f)

This enables us to require module versions, and to fall back to a
bundled version if the system version is too low.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)

(cherry picked from commit e9bc5706)

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6663)

Fixes #6644

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6645)

(cherry picked from commit a9cf71a3)

We should validate that the various fields we put into the
CertificateRequest are not too long. Otherwise we will construct an
invalid message.

Fixes #6609

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6628)

Fixes #6574

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6594)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6614)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6615)

(cherry picked from commit ce5eb5e8)

In ssl/t1_lib.c.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6613)

(cherry picked from commit 8eab767a)

Fixes uninitialized memory read reported by Nick Mathewson

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6603)
(cherry picked from commit 10c3c1c1)

The 1.1.1 branch has a different location for documentation, this is
the obvious result of a cherry-pick from there.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6589)

This function is documented to be deprecated since OpenSSL 1.1.0.  We
need to make it so in openssl/ssl.h as well.

Fixes #6565

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6588)

(cherry picked from commit 71419442)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6581)

(cherry picked from commit dc6c374b)

The parameters where switched

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #6578
(cherry picked from commit eaf39a9f)

We don't want an indentation step inside a 'extern "C" {' .. '}'
block.  Apparently, cc-mode has a c-offsets-alist keyword to allow
exactly this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6557)

(cherry picked from commit 89731128)

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2e51557b)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6227)

(cherry picked from commit b8c32081)

Also, modernize the code, so that it isn't trying to store a size_t
into an int, and then check the int's sign. :/

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)

(cherry picked from commit c8c25033)

In previous versions of OpenSSL, the documentation for PEM_read_*
said:

   The callback B<must> return the number of characters in the
   passphrase or 0 if an error occurred.

But since c82c3462

, 0 is now treated as a non-error
return value.  Applications that want to indicate an error need to
return -1 instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)

(cherry picked from commit bbbf752a)

(cherry picked from commit 01fd5df77d401c87f926552ec24c0a09e5735006)

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)

Triggered by Coverity analysis.

Reviewed-by: Rich Salz <rsalz@openssl.org>

(cherry picked from commit 7d859d1c

)

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)

This extends the recently added ECDSA signature blinding to blind DSA too.

This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.

Normally, as in ECDSA, during signing the signer calculates:

s:= k^-1 * (m + r * priv_key) mod order

In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.

As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:

s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only no CVE is assigned.

This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6523)

Fixes #6544

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6546)

(cherry picked from commit 63871d9f)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)

(cherry picked from commit 575045f5)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)

(cherry picked from commit 27635a4e)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)

(cherry picked from commit b55e21b3)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)

(cherry picked from commit 9e97f61d)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 693be9a2)

(Merged from https://github.com/openssl/openssl/pull/5750)

Prevent a possible recursion in ERR_get_state and fix the problem that
was pointed out in commit aef84bb4


differently.

Fixes: #6493

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6494)

Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:

s:= k^-1 * (m + r * priv_key) mod order

The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.

As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:

s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only no CVE is assigned.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6460)

(cherry picked from commit 8fe4c0b0)

CVE-2018-0732

Signed-off-by: Guido Vranken <guidovranken@gmail.com>

(cherry picked from commit 91f7361f

)

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6457)

Fixes #6449

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6450)