[openssl] master update
nic.tuv at gmail.com
Wed Oct 23 09:11:18 UTC 2019
The branch master has been updated
via c89799605b833f769ce4cfd879bb291f49b133be (commit)
via 8aca4bfe8213402c80abc06fe25121461f79128d (commit)
from 777182a0c77ee374e43b94546f49b25f37945c0e (commit)
- Log -----------------------------------------------------------------
commit c89799605b833f769ce4cfd879bb291f49b133be
Author: Cesar Pereida Garcia <cesar.pereidagarcia at tut.fi>
Date: Mon Oct 21 14:53:51 2019 +0300
Enable runtime testing of no-deprecated builds in Travis
Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10232)
commit 8aca4bfe8213402c80abc06fe25121461f79128d
Author: Cesar Pereida Garcia <cesar.pereidagarcia at tut.fi>
Date: Mon Oct 21 14:41:01 2019 +0300
Update control logic for BN_gcd
PR https://github.com/openssl/openssl/pull/10122 introduced changes to
the BN_gcd function and the control logic inside it accessed `g->d[0]`
irrespective of `g->top`.
When BN_add is called, in case the result is zero, `BN_zero` is called.
The latter behaves differently depending on the API compatibility level
flag: normally `g->d[0]` is cleared but in `no-deprecated` builds only
`g->top` is set to zero.
This commit uses bitwise logic to ensure that `g` is treated as zero if
`g->top` is zero, irrespective of `g->d[0]`.
Co-authored-by: Nicola Tuveri <nic.tuv at gmail.com>
Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10232)
-----------------------------------------------------------------------
Summary of changes:
.travis.yml | 2 +-
crypto/bn/bn_gcd.c | 9 +++++++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 9b655d84c8..9f616c7e00 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -46,7 +46,7 @@ matrix:
- os: linux
dist: trusty
compiler: clang
- env: CONFIG_OPTS="--strict-warnings -D__NO_STRING_INLINES no-deprecated" BUILDONLY="yes"
+ env: CONFIG_OPTS="--strict-warnings -D__NO_STRING_INLINES no-deprecated"
- os: linux
dist: bionic
compiler: clang
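Review bot: The changed `env` line drops `BUILDONLY="yes"` without leaving any trace in the file of why this `no-deprecated` job must run the tests. A one-line YAML comment above the entry, saying that runtime behaviour can differ by API compatibility level (the `BN_zero` case described in the companion commit), would discourage someone from restoring `BUILDONLY="yes"` later to shorten CI time.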
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index fbefe4ab6a..bed9fca4d9 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -593,7 +593,9 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
for (i = 0; i < m; i++) {
/* conditionally flip signs if delta is positive and g is odd */
- cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1;
+ cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1
+ /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
+ & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1)));
delta = (-cond & -delta) | ((cond - 1) & delta);
r->neg ^= cond;
/* swap */
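Review bot: In the new `cond` expression, `(g->top - 1) >> (sizeof(g->top) * 8 - 1)` right-shifts a value that is negative when `g->top` is 0, which is implementation-defined for a signed type. The final result is still correct here because the whole expression is also ANDed with `1`, so both an arithmetic and a logical shift yield 0 for `top == 0` and 1-compatible bits otherwise, but that dependency is not obvious. Consider casting `g->top - 1` to an unsigned type before the shift, or extending the comment to say the term is only valid in combination with `& 1`. Note also that `g->d[0]` is still read when `g->top` is 0; the mask only discards the stale value, so the code continues to rely on `g->d` being allocated before the loop.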
@@ -603,7 +605,10 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
delta++;
if (!BN_add(temp, g, r))
goto err;
- BN_consttime_swap(g->d[0] & 1, g, temp, top);
+ BN_consttime_swap(g->d[0] & 1 /* g is odd */
+ /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
+ & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))),
+ g, temp, top);
if (!BN_rshift1(g, g))
goto err;
}
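Review bot: The first argument to `BN_consttime_swap` repeats the same `~((g->top - 1) >> (sizeof(g->top) * 8 - 1))` term that was added to `cond` earlier in the loop, with the same comment. Since `g` can change between the two sites (the swap step and `BN_rshift1`), a cached value would not do, but a small static inline helper or macro returning the "g is odd and non-zero" bit would keep the two uses from drifting apart. The summary of changes lists only `.travis.yml` and `crypto/bn/bn_gcd.c`, so the fix is covered only indirectly by the re-enabled Travis job; a targeted test where `g` becomes zero during the loop would pin the behaviour down.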