[openssl] OpenSSL_1_1_1-stable update

[nic.tuv at gmail.com]

The branch OpenSSL_1_1_1-stable has been updated
       via  432d6953d65e7229ac138c49357856cc494ff438 (commit)
       via  85728d08ae00f9b9305bee442988eb7d56ff1304 (commit)
      from  77f945bc9831862be7fdb35b438d494d054878c5 (commit)


- Log -----------------------------------------------------------------
commit 432d6953d65e7229ac138c49357856cc494ff438
Author: Cesar Pereida Garcia <cesar.pereidagarcia at tut.fi>
Date:   Mon Oct 21 14:53:51 2019 +0300

    Enable runtime testing of no-deprecated builds in Travis
    
    (cherry picked from commit c89799605b833f769ce4cfd879bb291f49b133be)
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/10232)

commit 85728d08ae00f9b9305bee442988eb7d56ff1304
Author: Cesar Pereida Garcia <cesar.pereidagarcia at tut.fi>
Date:   Mon Oct 21 14:41:01 2019 +0300

    Update control logic for BN_gcd
    
    PR https://github.com/openssl/openssl/pull/10122 introduced changes to
    the BN_gcd function and the control logic inside it accessed `g->d[0]`
    irrespective of `g->top`.
    
    When BN_add is called, in case the result is zero, `BN_zero` is called.
    The latter behaves differently depending on the API compatibility level
    flag: normally `g->d[0]` is cleared but in `no-deprecated` builds only
    `g->top` is set to zero.
    
    This commit uses bitwise logic to ensure that `g` is treated as zero if
    `g->top` is zero, irrespective of `g->d[0]`.
    
    Co-authored-by: Nicola Tuveri <nic.tuv at gmail.com>
    
    (cherry picked from commit 8aca4bfe8213402c80abc06fe25121461f79128d)
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/10232)

-----------------------------------------------------------------------

Summary of changes:
 .travis.yml        | 2 +-
 crypto/bn/bn_gcd.c | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index cc0d082b77..67ec1a1d21 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -52,7 +52,7 @@ matrix:
           env: CONFIG_OPTS="--strict-warnings" COMMENT="Move to the BORINGTEST build when interoperable"
         - os: linux
           compiler: clang
-          env: CONFIG_OPTS="--strict-warnings -D__NO_STRING_INLINES no-deprecated" BUILDONLY="yes"
+          env: CONFIG_OPTS="--strict-warnings -D__NO_STRING_INLINES no-deprecated"
         - os: linux
           addons:
               apt:
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index 7305543b55..ef81acb77b 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -593,7 +593,9 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
 
     for (i = 0; i < m; i++) {
         /* conditionally flip signs if delta is positive and g is odd */
-        cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1;
+        cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1
+            /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
+            & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1)));
         delta = (-cond & -delta) | ((cond - 1) & delta);
         r->neg ^= cond;
         /* swap */
@@ -603,7 +605,10 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
         delta++;
         if (!BN_add(temp, g, r))
             goto err;
-        BN_consttime_swap(g->d[0] & 1, g, temp, top);
+        BN_consttime_swap(g->d[0] & 1 /* g is odd */
+                /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
+                & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))),
+                g, temp, top);
         if (!BN_rshift1(g, g))
             goto err;
     }