[openssl-commits] [web] master update
The branch master has been updated via ecf0f6ced3b30e616932d3ccd7609e7e63520c8c (commit) from 61572af57041195c7654c0485f8f323baec0ab66 (commit) - Log - commit ecf0f6ced3b30e616932d3ccd7609e7e63520c8c Author: Pauli Date: Mon Oct 29 10:54:02 2018 +1000 update vulnerability information again, this is the published version --- Summary of changes: news/vulnerabilities.xml | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index b2979db..6067c1e 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -10,7 +10,7 @@ - + @@ -22,6 +22,12 @@ + + + + + + Constant time issue Timing attack against ECDSA signature generation _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build completed: openssl OpenSSL_1_0_2-stable.20612
Build openssl OpenSSL_1_0_2-stable.20612 completed Commit dce84a7267 by Pauli on 10/28/2018 10:24 PM: Merge DSA reallocation timing fix CVE-2018-0734.
[openssl-commits] [web] master update
The branch master has been updated via 61572af57041195c7654c0485f8f323baec0ab66 (commit) from c35854b022239196048f9bbd5418fb77dd4f7ee0 (commit) - Log - commit 61572af57041195c7654c0485f8f323baec0ab66 Author: Pauli Date: Mon Oct 29 10:01:23 2018 +1000 fix vulnerability entry --- Summary of changes: news/vulnerabilities.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 605f354..b2979db 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -10,7 +10,7 @@ - + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via c35854b022239196048f9bbd5418fb77dd4f7ee0 (commit) from 6e45814cbe2c0d6d40b7b24a7d5f238faafb4bd4 (commit) - Log - commit c35854b022239196048f9bbd5418fb77dd4f7ee0 Author: Pauli Date: Mon Oct 29 09:58:52 2018 +1000 fix vulnerability entry --- Summary of changes: news/vulnerabilities.xml | 50 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index a2a2de0..605f354 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,31 @@ - + + + + + + + + + + + + + + + +Constant time issue +Timing attack against ECDSA signature generation + + The OpenSSL ECDSA signature algorithm has been shown to be + vulnerable to a timing side channel attack. An attacker could use + variations in the signing algorithm to recover the private key. + + + + @@ -54,30 +78,6 @@ - - - - - - - - - - - - - - -Constant time issue -Timing attack against ECDSA signature generation - - The OpenSSL ECDSA signature algorithm has been shown to be - vulnerable to a timing side channel attack. An attacker could use - variations in the signing algorithm to recover the private key. - - - - _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl OpenSSL_1_1_0-stable.20611
Build openssl OpenSSL_1_1_0-stable.20611 failed Commit 56fb454d28 by Pauli on 10/28/2018 10:05 PM: Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
[openssl-commits] [web] master update
The branch master has been updated via 6e45814cbe2c0d6d40b7b24a7d5f238faafb4bd4 (commit) via 911cdb11d835a00d901d3e9c1a728ed2613f84a6 (commit) from fbf24147cb7b9e04c40ef0d14f76dc85d59a8413 (commit) - Log - commit 6e45814cbe2c0d6d40b7b24a7d5f238faafb4bd4 Merge: 911cdb1 fbf2414 Author: Pauli Date: Mon Oct 29 09:06:01 2018 +1000 Merge branch 'master' of git.openssl.org:openssl-web commit 911cdb11d835a00d901d3e9c1a728ed2613f84a6 Author: Pauli Date: Mon Oct 29 09:03:42 2018 +1000 Update for ECDSA vulnerability CVS-2018-0735 --- Summary of changes: news/newsflash.txt | 1 + news/secadv/20181029.txt | 31 +++ news/vulnerabilities.xml | 24 3 files changed, 56 insertions(+) create mode 100644 news/secadv/20181029.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 1a0f0fb..311c39b 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +29-Oct-2018: Security Advisory: one low severity fix 11-Sep-2018: Final version of OpenSSL 1.1.1 (LTS) is now available: please download and upgrade! 21-Aug-2018: Beta 7 of OpenSSL 1.1.1 (pre release 9) is now available: please download and test it 14-Aug-2018: OpenSSL 1.1.0i is now available, including bug and security fixes diff --git a/news/secadv/20181029.txt b/news/secadv/20181029.txt new file mode 100644 index 000..2194ef0 --- /dev/null +++ b/news/secadv/20181029.txt 
@@ -0,0 +1,31 @@ +OpenSSL Security Advisory [29 October 2018] +=== + +Timing vulnerability in ECDSA signature generation (CVE-2018-0735) +== + +Severity: Low + +The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a +timing side channel attack. An attacker could use variations in the signing +algorithm to recover the private key. + +Due to the low severity of this issue we are not issuing a new release +of OpenSSL 1.1.1 or 1.1.0 at this time. The fix will be included in +OpenSSL 1.1.1a and OpenSSL 1.1.0j when they become available. The fix +is also available in commit b1d6d55ece (for 1.1.1) and commit 56fb454d28 +(for 1.1.0) in the OpenSSL git repository. + +This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser. + +References +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20181029.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 6ef9c56..a2a2de0 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -54,6 +54,30 @@ + + + + + + + + + + + + + + +Constant time issue +Timing attack against ECDSA signature generation + + The OpenSSL ECDSA signature algorithm has been shown to be + vulnerable to a timing side channel attack. An attacker could use + variations in the signing algorithm to recover the private key. + + + + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
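Review bot: the advisory names only CVE-2018-0735 and the two ec_mult.c commits, but the same pull request (#7486) that was cherry-picked into 1.1.1 and 1.1.0 also carries the DSA timing fix CVE-2018-0734 (the "Timing vulnerability in DSA signature generation" commits, and the 1.0.2 build notice "Merge DSA reallocation timing fix CVE-2018-0734", elsewhere in this digest); either cover both issues here or state explicitly that the DSA issue gets its own advisory, otherwise anyone backporting "the fix" by the commit ids given will take the ECDSA change and miss the DSA one. The affected versions are also never stated outright; a reader has to infer "1.1.1 and 1.1.0" from the release names 1.1.1a and 1.1.0j. Finally, the commit message spells the identifier "CVS-2018-0735"; it should read "CVE-2018-0735".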
[openssl-commits] Broken: openssl/openssl#21338 (OpenSSL_1_1_0-stable - 56fb454)
Build Update for openssl/openssl - Build: #21338 Status: Broken Duration: 7 mins and 15 secs Commit: 56fb454 (OpenSSL_1_1_0-stable) Author: Pauli Message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7486) (cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52) View the changeset: https://github.com/openssl/openssl/compare/ef11e19d1365...56fb454d281a View the full build log and details: https://travis-ci.org/openssl/openssl/builds/447541255
[openssl-commits] [openssl] master update
The branch master has been updated via 040a03470c7c5bf95fe8e6143db7bef357a22833 (commit) from 99540ec79491f59ed8b46b4edf130e17dc907f52 (commit) - Log - commit 040a03470c7c5bf95fe8e6143db7bef357a22833 Author: Dr. Matthias St. Pierre Date: Sun Oct 28 13:32:11 2018 +0100 randfile.c: fix a Coverity warning Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7510) --- Summary of changes: crypto/rand/randfile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index 45d20e5..1b737d1 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -110,7 +110,7 @@ int RAND_load_file(const char *file, long bytes) if (bytes < 0) { if (S_ISREG(sb.st_mode)) -bytes = (sb.st_size <= LONG_MAX) ? sb.st_size : LONG_MAX; +bytes = sb.st_size; else bytes = RAND_DRBG_STRENGTH; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
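Review bot: dropping the clamp leaves `bytes = sb.st_size` assigning an off_t to a `long` (the type of `bytes` in the RAND_load_file signature shown in the hunk header); on any target where off_t is wider than long that is a silent truncation, and Coverity's "comparison always true" verdict only holds for the LP64 configuration it analysed. If the clamp is genuinely unreachable on every supported platform, a one-line comment saying so belongs here; otherwise keep the bound under a width check (for example an `#if` on the relative sizes of off_t and long) so the warning goes away without removing the guard.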
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 56fb454d281a023b3f950d969693553d3f3ceea1 (commit) from ef11e19d1365eea2b1851e6f540a0bf365d303e7 (commit) - Log - commit 56fb454d281a023b3f950d969693553d3f3ceea1 Author: Pauli Date: Fri Oct 26 10:54:58 2018 +1000 Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7486) (cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52) --- Summary of changes: crypto/ec/ec_mult.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 22bb30f..ff882cc 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, */ cardinality_bits = BN_num_bits(cardinality); group_top = bn_get_top(cardinality); -if ((bn_wexpand(k, group_top + 1) == NULL) -|| (bn_wexpand(lambda, group_top + 1) == NULL)) +if ((bn_wexpand(k, group_top + 2) == NULL) +|| (bn_wexpand(lambda, group_top + 2) == NULL)) { goto err; if (!BN_copy(k, scalar)) @@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, * k := scalar + 2*cardinality */ kbit = BN_is_bit_set(lambda, cardinality_bits); -BN_consttime_swap(kbit, k, lambda, group_top + 1); +BN_consttime_swap(kbit, k, lambda, group_top + 2); group_top = bn_get_top(group->field); if ((bn_wexpand(s->X, group_top) == NULL) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
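Review bot: the jump from group_top + 1 to group_top + 2 deserves a comment in the hunk, because nothing in the surrounding text explains it: lambda := scalar + cardinality may already occupy group_top + 1 words, and BN_add grows its result to one word more than the larger operand, so the second addition that produces k := scalar + 2*cardinality (as the hunk comment describes it) asks for group_top + 2 words; with dmax at group_top + 1 that request is exactly the reallocation the commit is removing. Without the comment a later cleanup could shrink it back to + 1 and silently reopen the channel. Also note that the failure path here is a bare `goto err` with no ECerr(), unlike the 1.1.1 version of the same hunk; worth aligning while these lines are being touched.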
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via ef11e19d1365eea2b1851e6f540a0bf365d303e7 (commit) from 84862c0979737b591acb689aef41ae2644176f32 (commit) - Log - commit ef11e19d1365eea2b1851e6f540a0bf365d303e7 Author: Pauli Date: Wed Oct 24 07:42:46 2018 +1000 Timing vulnerability in DSA signature generation (CVE-2018-0734). Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7486) (cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6) --- Summary of changes: crypto/dsa/dsa_ossl.c | 28 +++- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 3b657d5..be58625 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -11,6 +11,7 @@ #include #include "internal/cryptlib.h" +#include "internal/bn_int.h" #include #include #include "dsa_locl.h" @@ -182,9 +183,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, { BN_CTX *ctx = NULL; BIGNUM *k, *kinv = NULL, *r = *rp; -BIGNUM *l, *m; +BIGNUM *l; int ret = 0; -int q_bits; +int q_bits, q_words; if (!dsa->p || !dsa->q || !dsa->g) { DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS); @@ -193,8 +194,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, k = BN_new(); l = BN_new(); -m = BN_new(); -if (k == NULL || l == NULL || m == NULL) +if (k == NULL || l == NULL) goto err; if (ctx_in == NULL) { @@ -205,9 +205,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* Preallocate space */ q_bits = BN_num_bits(dsa->q); -if (!BN_set_bit(k, q_bits) -|| !BN_set_bit(l, q_bits) -|| !BN_set_bit(m, q_bits)) +q_words = bn_get_top(dsa->q); +if (!bn_wexpand(k, q_words + 2) +|| !bn_wexpand(l, q_words + 2)) goto err; /* Get random k */ 
@@ -242,14 +242,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, * small timing information leakage. We then choose the sum that is * one bit longer than the modulus. * - * TODO: revisit the BN_copy aiming for a memory access agnostic - * conditional copy. + * There are some concerns about the efficacy of doing this. More + * specificly refer to the discussion starting with: + * https://github.com/openssl/openssl/pull/7486#discussion_r228323705 + * The fix is to rework BN so these gymnastics aren't required. */ if (!BN_add(l, k, dsa->q) -|| !BN_add(m, l, dsa->q) -|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m)) +|| !BN_add(k, l, dsa->q)) goto err; +BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2); + if ((dsa)->meth->bn_mod_exp != NULL) { if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p)) @@ -262,7 +265,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, if (!BN_mod(r, r, dsa->q, ctx)) goto err; -/* Compute part of 's = inv(k) (m + xr) mod q' */ +/* Compute part of 's = inv(k) (m + xr) mod q' */ if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL) goto err; @@ -277,7 +280,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BN_CTX_free(ctx); BN_clear_free(k); BN_clear_free(l); -BN_clear_free(m); return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
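Review bot: two small points on the dsa_sign_setup hunk. First, the new comment block has a typo, "specificly" should be "specifically", and "The fix is to rework BN" reads oddly in a comment that accompanies a fix being shipped; "The long-term fix" says what is meant. Second, the null checks use `!bn_wexpand(k, ...)` while the ec_mult.c change in the same pull request writes `bn_wexpand(...) == NULL`; pick one idiom for both files. On the logic: after l = k + q and k = l + q, BN_consttime_swap on bit q_bits of l leaves k holding whichever of k+q and k+2q is exactly one bit longer than q without a secret-dependent branch, and the q_words + 2 preallocation covers BN_add sizing its result one word above the larger operand on the second addition, so no reallocation happens on the secret path; that reasoning is worth two lines in the comment since it is the whole point of the change. The -/+ pair on the `'s = inv(k) (m + xr) mod q'` comment appears to differ only in whitespace; drop it to keep a security backport minimal.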
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 (commit) from 8abfe72e8c1de1b95f50aa0d9134803b4d00070f (commit) - Log - commit b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 Author: Pauli Date: Fri Oct 26 10:54:58 2018 +1000 Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7486) (cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52) --- Summary of changes: crypto/ec/ec_mult.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 7e1b365..0e0a5e1 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, */ cardinality_bits = BN_num_bits(cardinality); group_top = bn_get_top(cardinality); -if ((bn_wexpand(k, group_top + 1) == NULL) -|| (bn_wexpand(lambda, group_top + 1) == NULL)) { +if ((bn_wexpand(k, group_top + 2) == NULL) +|| (bn_wexpand(lambda, group_top + 2) == NULL)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } @@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, * k := scalar + 2*cardinality */ kbit = BN_is_bit_set(lambda, cardinality_bits); -BN_consttime_swap(kbit, k, lambda, group_top + 1); +BN_consttime_swap(kbit, k, lambda, group_top + 2); group_top = bn_get_top(group->field); if ((bn_wexpand(s->X, group_top) == NULL) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
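Review bot: please add a sentence above the bn_wexpand calls saying why two extra words are needed rather than one: the first addition lambda := scalar + cardinality can already fill group_top + 1 words, and BN_add sizes its result to one word more than the larger operand, so the second addition that yields k := scalar + 2*cardinality asks for group_top + 2; at group_top + 1 that request is the reallocation this commit exists to remove. BN_consttime_swap(kbit, k, lambda, group_top + 2) in turn requires both operands to have at least that many words allocated, which the two bn_wexpand calls guarantee, so the three constants must move together; say so in the comment so nobody "tidies" one of them back to + 1.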
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 8abfe72e8c1de1b95f50aa0d9134803b4d00070f (commit) from f1b12b8713a739f27d74e6911580b2e70aea2fa4 (commit) - Log - commit 8abfe72e8c1de1b95f50aa0d9134803b4d00070f Author: Pauli Date: Wed Oct 24 07:42:46 2018 +1000 Timing vulnerability in DSA signature generation (CVE-2018-0734). Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7486) (cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6) --- Summary of changes: crypto/dsa/dsa_ossl.c | 28 +++- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index ca20811..2dd2d74 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -9,6 +9,7 @@ #include #include "internal/cryptlib.h" +#include "internal/bn_int.h" #include #include #include "dsa_locl.h" @@ -180,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, { BN_CTX *ctx = NULL; BIGNUM *k, *kinv = NULL, *r = *rp; -BIGNUM *l, *m; +BIGNUM *l; int ret = 0; -int q_bits; +int q_bits, q_words; if (!dsa->p || !dsa->q || !dsa->g) { DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS); @@ -191,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, k = BN_new(); l = BN_new(); -m = BN_new(); -if (k == NULL || l == NULL || m == NULL) +if (k == NULL || l == NULL) goto err; if (ctx_in == NULL) { @@ -203,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* Preallocate space */ q_bits = BN_num_bits(dsa->q); -if (!BN_set_bit(k, q_bits) -|| !BN_set_bit(l, q_bits) -|| !BN_set_bit(m, q_bits)) +q_words = bn_get_top(dsa->q); +if (!bn_wexpand(k, q_words + 2) +|| !bn_wexpand(l, q_words + 2)) goto err; /* Get random k */ 
@@ -240,14 +240,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, * small timing information leakage. We then choose the sum that is * one bit longer than the modulus. * - * TODO: revisit the BN_copy aiming for a memory access agnostic - * conditional copy. + * There are some concerns about the efficacy of doing this. More + * specificly refer to the discussion starting with: + * https://github.com/openssl/openssl/pull/7486#discussion_r228323705 + * The fix is to rework BN so these gymnastics aren't required. */ if (!BN_add(l, k, dsa->q) -|| !BN_add(m, l, dsa->q) -|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m)) +|| !BN_add(k, l, dsa->q)) goto err; +BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2); + if ((dsa)->meth->bn_mod_exp != NULL) { if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p)) @@ -260,7 +263,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, if (!BN_mod(r, r, dsa->q, ctx)) goto err; -/* Compute part of 's = inv(k) (m + xr) mod q' */ +/* Compute part of 's = inv(k) (m + xr) mod q' */ if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL) goto err; @@ -275,7 +278,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BN_CTX_free(ctx); BN_clear_free(k); BN_clear_free(l); -BN_clear_free(m); return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
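Review bot: the replacement comment points readers at a GitHub discussion URL for "concerns about the efficacy" without saying what the residual concern is; a code comment should summarise it in a sentence (which operation is still believed to leak, and why the change is still worth shipping) so the reasoning survives if the PR thread disappears. Also "specificly" should be "specifically". On the mechanics: after l = k + q and k = l + q, `BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2)` leaves k holding whichever of k+q and k+2q is exactly one bit longer than q, and the q_words + 2 preallocation covers BN_add growing its result one word above the larger operand on the second addition, so no reallocation occurs on a secret-dependent path; that property belongs in the comment, since it is what the change buys.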
[openssl-commits] [openssl] master update
The branch master has been updated via 99540ec79491f59ed8b46b4edf130e17dc907f52 (commit) via a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6 (commit) from 415c33563528667868c3c653a612e6fc8736fd79 (commit) - Log - commit 99540ec79491f59ed8b46b4edf130e17dc907f52 Author: Pauli Date: Fri Oct 26 10:54:58 2018 +1000 Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7486) commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6 Author: Pauli Date: Wed Oct 24 07:42:46 2018 +1000 Timing vulnerability in DSA signature generation (CVE-2018-0734). Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7486) --- Summary of changes: crypto/dsa/dsa_ossl.c | 28 +++- crypto/ec/ec_mult.c | 6 +++--- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index ca20811..2dd2d74 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -9,6 +9,7 @@ #include #include "internal/cryptlib.h" +#include "internal/bn_int.h" #include #include #include "dsa_locl.h" @@ -180,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, { BN_CTX *ctx = NULL; BIGNUM *k, *kinv = NULL, *r = *rp; -BIGNUM *l, *m; +BIGNUM *l; int ret = 0; -int q_bits; +int q_bits, q_words; if (!dsa->p || !dsa->q || !dsa->g) { DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS); 
@@ -191,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, k = BN_new(); l = BN_new(); -m = BN_new(); -if (k == NULL || l == NULL || m == NULL) +if (k == NULL || l == NULL) goto err; if (ctx_in == NULL) { @@ -203,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* Preallocate space */ q_bits = BN_num_bits(dsa->q); -if (!BN_set_bit(k, q_bits) -|| !BN_set_bit(l, q_bits) -|| !BN_set_bit(m, q_bits)) +q_words = bn_get_top(dsa->q); +if (!bn_wexpand(k, q_words + 2) +|| !bn_wexpand(l, q_words + 2)) goto err; /* Get random k */ @@ -240,14 +240,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, * small timing information leakage. We then choose the sum that is * one bit longer than the modulus. * - * TODO: revisit the BN_copy aiming for a memory access agnostic - * conditional copy. + * There are some concerns about the efficacy of doing this. More + * specificly refer to the discussion starting with: + * https://github.com/openssl/openssl/pull/7486#discussion_r228323705 + * The fix is to rework BN so these gymnastics aren't required. */ if (!BN_add(l, k, dsa->q) -|| !BN_add(m, l, dsa->q) -|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m)) +|| !BN_add(k, l, dsa->q)) goto err; +BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2); + if ((dsa)->meth->bn_mod_exp != NULL) { if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p)) @@ -260,7 +263,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, if (!BN_mod(r, r, dsa->q, ctx)) goto err; -/* Compute part of 's = inv(k) (m + xr) mod q' */ +/* Compute part of 's = inv(k) (m + xr) mod q' */ if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL) goto err; @@ -275,7 +278,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BN_CTX_free(ctx); BN_clear_free(k); BN_clear_free(l); -BN_clear_free(m); return ret; } diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 7e1b365..0e0a5e1 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c 
@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, */ cardinality_bits = BN_num_bits(cardinality); group_top = bn_get_top(cardinality); -if ((bn_wexpand(k, group_top + 1) == NULL) -|| (bn_wexpand(lambda, group_top + 1) == NULL)) { +if ((bn_wexpand(k, group_top + 2) == NULL) +|| (bn_wexpand(lambda, group_top + 2) == NULL)) { ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); goto err; } @@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT
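Review bot: the ec_mult.c hunk is cut off after the `@@ -244,7 +244,7 @@` header in this archive, so only the bn_wexpand half can be reviewed here; what is visible matches the stable-branch cherry-picks. Two asks on the combined commit: (1) the dsa_ossl.c and ec_mult.c changes use different null-check idioms for bn_wexpand (`!bn_wexpand(...)` versus `bn_wexpand(...) == NULL`) within one pull request; unify them. (2) Both files raise the preallocation by one word without explaining the arithmetic; the reason is that BN_add grows its result to one word more than the larger operand, so the second of the two additions (k + 2q in DSA, scalar + 2*cardinality in EC) needs two words above the modulus width, and that growth is the reallocation being suppressed. Write it down next to the constants.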
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 84862c0979737b591acb689aef41ae2644176f32 (commit) from bd04577743ec3b1e605039ee31e10616fee5f05f (commit) - Log - commit 84862c0979737b591acb689aef41ae2644176f32 Author: Pauli Date: Mon Oct 29 06:50:51 2018 +1000 DSA mod inverse fix There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Matthias St. Pierre Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7487) (cherry picked from commit 415c33563528667868c3c653a612e6fc8736fd79) --- Summary of changes: crypto/dsa/dsa_ossl.c | 32 +++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 4aa49f5..3b657d5 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -25,6 +25,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", @@ -261,7 +263,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, goto err; /* Compute part of 's = inv(k) (m + xr) mod q' */ -if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL) +if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL) goto err; BN_clear_free(*kinvp); 
@@ -395,3 +397,31 @@ static int dsa_finish(DSA *dsa) BN_MONT_CTX_free(dsa->method_mont_p); return (1); } + +/* + * Compute the inverse of k modulo q. + * Since q is prime, Fermat's Little Theorem applies, which reduces this to + * mod-exp operation. Both the exponent and modulus are public information + * so a mod-exp that doesn't leak the base is sufficient. A newly allocated + * BIGNUM is returned which the caller must free. + */ +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx) +{ +BIGNUM *res = NULL; +BIGNUM *r, *e; + +if ((r = BN_new()) == NULL) +return NULL; + +BN_CTX_start(ctx); +if ((e = BN_CTX_get(ctx)) != NULL +&& BN_set_word(r, 2) +&& BN_sub(e, q, r) +&& BN_mod_exp_mont(r, k, e, q, ctx, NULL)) +res = r; +else +BN_free(r); +BN_CTX_end(ctx); +return res; +} _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
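Review bot: in dsa_mod_inverse_fermat the in_mont argument to BN_mod_exp_mont is NULL, so a Montgomery context for q is rebuilt on every signature; the DSA structure already caches one for p (method_mont_p, freed in dsa_finish just above), so a cached context for q is the obvious follow-up and it also removes a per-signature allocation from the signing path. The comment should also state the precondition the maths needs, q prime and 0 < k < q: with a non-prime q from untrusted parameters the function silently returns a non-inverse and the signature simply fails to verify, which is acceptable but should be recorded. Minor: `BN_set_word(r, 2)` followed by `BN_sub(e, q, r)` uses the output BIGNUM as a scratch constant; `BN_copy(e, q)` and `BN_sub_word(e, 2)` reads more directly.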
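As an added illustration, not OpenSSL code and not part of any commit in this digest, the following toy Python model covers the two DSA signing-path changes above: the nonce padding from the "Timing vulnerability in DSA signature generation (CVE-2018-0734)" commit, where the signer exponentiates with k+q or k+2q (whichever is exactly one bit longer than q) instead of k, and the Fermat inverse from the "DSA mod inverse fix" commit, where inv(k) mod q is computed as k^(q-2) mod q. The domain parameters P, Q, G, the private key and the nonces are constructed for the example and are far too small for real use; all function names are assumptions of this example.

```python
"""Toy model of two DSA signing changes: nonce padding to a fixed bit
length and a Fermat-based modular inverse.  Example code, not OpenSSL's."""

# Constructed toy DSA domain parameters (far too small for real use):
# P prime, Q prime with Q | P-1, G of order Q modulo P.
P, Q, G = 23, 11, 4
Q_BITS = Q.bit_length()          # the "q_bits" of dsa_sign_setup


def pad_nonce(k: int, q: int) -> int:
    """Return whichever of k+q, k+2q is exactly one bit longer than q.

    Models the BN_add / BN_add / BN_consttime_swap sequence: the commit
    tests bit q_bits of l = k+q and swaps l in when it is set, otherwise
    keeps k+2q.  The Python branch selects the same value; it does NOT
    model the constant-time property, which OpenSSL gets from
    BN_consttime_swap and the preallocated word count.
    """
    l = k + q
    k2 = l + q
    if (l >> q.bit_length()) & 1:
        return l
    return k2


def fermat_inverse(k: int, q: int) -> int:
    """inv(k) mod q as k^(q-2) mod q.  Precondition: q prime, 0 < k < q.
    Exponent and modulus are public; only the base k is secret."""
    if not 0 < k < q:
        raise ValueError("k must satisfy 0 < k < q")
    return pow(k, q - 2, q)


def sign(msg_hash: int, x: int, k: int, padded: bool) -> tuple:
    """DSA signature (r, s) with private key x and nonce k.

    With padded=True the exponent used for r is pad_nonce(k, Q); because
    G has order Q, G^(k + j*Q) == G^k (mod P), so r is unchanged while the
    exponent's bit length no longer depends on k.
    """
    exponent = pad_nonce(k, Q) if padded else k
    r = pow(G, exponent, P) % Q
    s = (fermat_inverse(k, Q) * (msg_hash + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; a real signer picks a new k")
    return r, s


def verify(msg_hash: int, y: int, r: int, s: int) -> bool:
    """Standard DSA verification against public key y = G^x mod P."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = fermat_inverse(s, Q)
    u1 = (msg_hash * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def padded_bit_lengths() -> set:
    """Bit lengths of pad_nonce(k, Q) over every valid nonce k."""
    return {pad_nonce(k, Q).bit_length() for k in range(1, Q)}


def padding_preserves_signatures(msg_hash: int = 7, x: int = 7) -> bool:
    """True if padding the nonce never changes the signature, for every k."""
    return all(sign(msg_hash, x, k, False) == sign(msg_hash, x, k, True)
               for k in range(1, Q))


if __name__ == "__main__":
    x = 7                            # constructed private key
    y = pow(G, x, P)                 # public key
    r, s = sign(7, x, 6, padded=True)
    print("padded exponent bit lengths:", padded_bit_lengths())
    print("signature:", (r, s), "verifies:", verify(7, y, r, s))
```

Running the block shows every padded exponent has bit length Q_BITS + 1 regardless of k, and that the padded and unpadded signers produce identical (r, s) for every nonce, which is why the padding can be applied without touching verification. The branch in pad_nonce only reproduces the value OpenSSL ends up with; in the real code the selection is a constant-time word swap over buffers sized in advance, and that sizing, not the arithmetic, is what closes the channel.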
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via f1b12b8713a739f27d74e6911580b2e70aea2fa4 (commit) from d2953e5e7d8be6e83b35683f41bc0ae971782d16 (commit) - Log - commit f1b12b8713a739f27d74e6911580b2e70aea2fa4 Author: Pauli Date: Mon Oct 29 06:50:51 2018 +1000 DSA mod inverse fix There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Matthias St. Pierre Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7487) (cherry picked from commit 415c33563528667868c3c653a612e6fc8736fd79) --- Summary of changes: crypto/dsa/dsa_ossl.c | 32 +++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index ac1f65a..ca20811 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -23,6 +23,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", @@ -259,7 +261,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, goto err; /* Compute part of 's = inv(k) (m + xr) mod q' */ -if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL) +if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL) goto err; BN_clear_free(*kinvp); 
@@ -393,3 +395,31 @@ static int dsa_finish(DSA *dsa) BN_MONT_CTX_free(dsa->method_mont_p); return 1; } + +/* + * Compute the inverse of k modulo q. + * Since q is prime, Fermat's Little Theorem applies, which reduces this to + * mod-exp operation. Both the exponent and modulus are public information + * so a mod-exp that doesn't leak the base is sufficient. A newly allocated + * BIGNUM is returned which the caller must free. + */ +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx) +{ +BIGNUM *res = NULL; +BIGNUM *r, *e; + +if ((r = BN_new()) == NULL) +return NULL; + +BN_CTX_start(ctx); +if ((e = BN_CTX_get(ctx)) != NULL +&& BN_set_word(r, 2) +&& BN_sub(e, q, r) +&& BN_mod_exp_mont(r, k, e, q, ctx, NULL)) +res = r; +else +BN_free(r); +BN_CTX_end(ctx); +return res; +} _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
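Review bot: on the failure path dsa_mod_inverse_fermat frees r with BN_free, while the caller treats kinv as secret and releases it with BN_clear_free; r may hold state derived from k if BN_mod_exp_mont fails part-way, so use BN_clear_free(r) here for symmetry. The comment should also state the precondition the maths needs, q prime and 0 < k < q: with a non-prime q from untrusted parameters the function silently returns a value that is not an inverse and the signature just fails to verify, which is acceptable but worth writing down. Minor: `BN_set_word(r, 2)` followed by `BN_sub(e, q, r)` uses the output BIGNUM as a scratch constant; `BN_copy(e, q)` then `BN_sub_word(e, 2)` is clearer.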
[openssl-commits] [openssl] master update
The branch master has been updated via 415c33563528667868c3c653a612e6fc8736fd79 (commit) from 59f90557dd6e35cf72ac72016609d759ac78fcb9 (commit) - Log - commit 415c33563528667868c3c653a612e6fc8736fd79 Author: Pauli Date: Mon Oct 29 06:50:51 2018 +1000 DSA mod inverse fix There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Matthias St. Pierre Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7487) --- Summary of changes: crypto/dsa/dsa_ossl.c | 32 +++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index ac1f65a..ca20811 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -23,6 +23,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", @@ -259,7 +261,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, goto err; /* Compute part of 's = inv(k) (m + xr) mod q' */ -if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL) +if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL) goto err; BN_clear_free(*kinvp); 
@@ -393,3 +395,31 @@ static int dsa_finish(DSA *dsa) BN_MONT_CTX_free(dsa->method_mont_p); return 1; } + +/* + * Compute the inverse of k modulo q. + * Since q is prime, Fermat's Little Theorem applies, which reduces this to + * mod-exp operation. Both the exponent and modulus are public information + * so a mod-exp that doesn't leak the base is sufficient. A newly allocated + * BIGNUM is returned which the caller must free. + */ +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx) +{ +BIGNUM *res = NULL; +BIGNUM *r, *e; + +if ((r = BN_new()) == NULL) +return NULL; + +BN_CTX_start(ctx); +if ((e = BN_CTX_get(ctx)) != NULL +&& BN_set_word(r, 2) +&& BN_sub(e, q, r) +&& BN_mod_exp_mont(r, k, e, q, ctx, NULL)) +res = r; +else +BN_free(r); +BN_CTX_end(ctx); +return res; +} _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
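Review bot: the comment asserts that "a mod-exp that doesn't leak the base is sufficient" and then calls BN_mod_exp_mont, the variant that is not BN_mod_exp_mont_consttime; the commit should say why that variant is believed not to leak the base k (the only secret in this call), or use the _consttime variant and accept the cost, since the sole purpose of the change is to remove a side channel on k. Passing NULL as in_mont also rebuilds a Montgomery context for q on every signature; the DSA structure already caches one for p (method_mont_p, freed in dsa_finish just above), so a cached context for q is the natural follow-up and takes a per-signature allocation out of the signing path.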
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via d2953e5e7d8be6e83b35683f41bc0ae971782d16 (commit) from 54dea92f0829584e194d1a930a309df95646f70d (commit) - Log - commit d2953e5e7d8be6e83b35683f41bc0ae971782d16 Author: Dr. Matthias St. Pierre Date: Sun Oct 28 13:46:35 2018 +0100 drbg_lib: avoid NULL pointer dereference in drbg_add Found by Coverity Scan Reviewed-by: Bernd Edlinger Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7511) (cherry picked from commit 59f90557dd6e35cf72ac72016609d759ac78fcb9) --- Summary of changes: crypto/rand/drbg_lib.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index f396f83..e7f383a 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -1010,7 +1010,7 @@ static int drbg_add(const void *buf, int num, double randomness) int ret = 0; RAND_DRBG *drbg = RAND_DRBG_get0_master(); size_t buflen; -size_t seedlen = rand_drbg_seedlen(drbg); +size_t seedlen; if (drbg == NULL) return 0; @@ -1018,6 +1018,8 @@ static int drbg_add(const void *buf, int num, double randomness) if (num < 0 || randomness < 0.0) return 0; +seedlen = rand_drbg_seedlen(drbg); + buflen = (size_t)num; if (buflen < seedlen || randomness < (double) seedlen) { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 59f90557dd6e35cf72ac72016609d759ac78fcb9 (commit) from 04e3f9a114c2c142356ef1639d68397a72e0c7f8 (commit) - Log - commit 59f90557dd6e35cf72ac72016609d759ac78fcb9 Author: Dr. Matthias St. Pierre Date: Sun Oct 28 13:46:35 2018 +0100 drbg_lib: avoid NULL pointer dereference in drbg_add Found by Coverity Scan Reviewed-by: Bernd Edlinger Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7511) --- Summary of changes: crypto/rand/drbg_lib.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index ec4aa69..796ab67 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -1086,7 +1086,7 @@ static int drbg_add(const void *buf, int num, double randomness) int ret = 0; RAND_DRBG *drbg = RAND_DRBG_get0_master(); size_t buflen; -size_t seedlen = rand_drbg_seedlen(drbg); +size_t seedlen; if (drbg == NULL) return 0; @@ -1094,6 +1094,8 @@ static int drbg_add(const void *buf, int num, double randomness) if (num < 0 || randomness < 0.0) return 0; +seedlen = rand_drbg_seedlen(drbg); + buflen = (size_t)num; if (buflen < seedlen || randomness < (double) seedlen) { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
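Review bot: the defect in the first hunk is the initializer `size_t seedlen = rand_drbg_seedlen(drbg);` executing before `if (drbg == NULL) return 0;`, so the guard never covered the dereference; deferring the call (second hunk) fixes it, and placing it after the `num < 0 || randomness < 0.0` check also spares the call on that early return. One follow-up: the `drbg == NULL` path still returns 0 with no error queued, so a caller cannot distinguish a missing master DRBG from input rejected by `buflen < seedlen`; consider raising an error there.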
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 54dea92f0829584e194d1a930a309df95646f70d (commit) from a14174acc84db2348dfd8669db869c8e17e0c346 (commit) - Log - commit 54dea92f0829584e194d1a930a309df95646f70d Author: Richard Levitte Date: Mon Oct 15 18:37:18 2018 +0200 iOS config targets: disable "async" by default This also gave enough reason to collect the stuff that's common for all iOS config targets into the template "ios-common". Fixes #7318 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7403) (cherry picked from commit 04e3f9a114c2c142356ef1639d68397a72e0c7f8) --- Summary of changes: Configurations/15-ios.conf | 22 ++ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/Configurations/15-ios.conf b/Configurations/15-ios.conf index aff9096..1bb9f48 100644 --- a/Configurations/15-ios.conf +++ b/Configurations/15-ios.conf 
@@ -6,31 +6,31 @@ # work... # my %targets = ( +"ios-common" => { +template => 1, +inherit_from => [ "darwin-common" ], +sys_id => "iOS", +disable => [ "engine", "async" ], +}, "ios-xcrun" => { -inherit_from => [ "darwin-common", asm("armv4_asm") ], +inherit_from => [ "ios-common", asm("armv4_asm") ], # It should be possible to go below iOS 6 and even add -arch armv6, # thus targeting iPhone pre-3GS, but it's assumed to be irrelevant # at this point. CC => "xcrun -sdk iphoneos cc", cflags => add("-arch armv7 -mios-version-min=6.0.0 -fno-common"), -sys_id => "iOS", perlasm_scheme => "ios32", -disable => [ "engine" ], }, "ios64-xcrun" => { -inherit_from => [ "darwin-common", asm("aarch64_asm") ], +inherit_from => [ "ios-common", asm("aarch64_asm") ], CC => "xcrun -sdk iphoneos cc", cflags => add("-arch arm64 -mios-version-min=7.0.0 -fno-common"), -sys_id => "iOS", bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", perlasm_scheme => "ios64", -disable => [ "engine" ], }, "iossimulator-xcrun" => { -inherit_from => [ "darwin-common" ], +inherit_from => [ "ios-common" ], CC => "xcrun -sdk iphonesimulator cc", -sys_id => "iOS", -disable => [ "engine" ], }, # It takes three prior-set environment variables to make it work: # @@ -46,10 +46,8 @@ my %targets = ( # CROSS_SDK=iPhoneOS.sdk # "iphoneos-cross" => { -inherit_from => [ "darwin-common" ], +inherit_from => [ "ios-common" ], cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"), -sys_id => "iOS", -disable => [ "engine" ], }, "ios-cross" => { inherit_from => [ "ios-xcrun" ], _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
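Review bot: in the second hunk `iphoneos-cross` now inherits `ios-common` directly while `ios-cross` (unchanged) reaches it through `ios-xcrun`, so every iOS target picks up `sys_id` and `disable => [ "engine", "async" ]` one or two levels up; a one-line comment above the `ios-common` template stating that all iOS targets must inherit it, directly or indirectly, would keep a future target from reintroducing a per-target `disable` list that silently drops `async`.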
[openssl-commits] [openssl] master update
The branch master has been updated via 04e3f9a114c2c142356ef1639d68397a72e0c7f8 (commit) from caa8595276c60f009c8621ad466338d2ae39fb86 (commit) - Log - commit 04e3f9a114c2c142356ef1639d68397a72e0c7f8 Author: Richard Levitte Date: Mon Oct 15 18:37:18 2018 +0200 iOS config targets: disable "async" by default This also gave enough reason to collect the stuff that's common for all iOS config targets into the template "ios-common". Fixes #7318 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7403) --- Summary of changes: Configurations/15-ios.conf | 22 ++ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/Configurations/15-ios.conf b/Configurations/15-ios.conf index aff9096..1bb9f48 100644 --- a/Configurations/15-ios.conf +++ b/Configurations/15-ios.conf 
@@ -6,31 +6,31 @@ # work... # my %targets = ( +"ios-common" => { +template => 1, +inherit_from => [ "darwin-common" ], +sys_id => "iOS", +disable => [ "engine", "async" ], +}, "ios-xcrun" => { -inherit_from => [ "darwin-common", asm("armv4_asm") ], +inherit_from => [ "ios-common", asm("armv4_asm") ], # It should be possible to go below iOS 6 and even add -arch armv6, # thus targeting iPhone pre-3GS, but it's assumed to be irrelevant # at this point. CC => "xcrun -sdk iphoneos cc", cflags => add("-arch armv7 -mios-version-min=6.0.0 -fno-common"), -sys_id => "iOS", perlasm_scheme => "ios32", -disable => [ "engine" ], }, "ios64-xcrun" => { -inherit_from => [ "darwin-common", asm("aarch64_asm") ], +inherit_from => [ "ios-common", asm("aarch64_asm") ], CC => "xcrun -sdk iphoneos cc", cflags => add("-arch arm64 -mios-version-min=7.0.0 -fno-common"), -sys_id => "iOS", bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", perlasm_scheme => "ios64", -disable => [ "engine" ], }, "iossimulator-xcrun" => { -inherit_from => [ "darwin-common" ], +inherit_from => [ "ios-common" ], CC => "xcrun -sdk iphonesimulator cc", -sys_id => "iOS", -disable => [ "engine" ], }, # It takes three prior-set environment variables to make it work: # @@ -46,10 +46,8 @@ my %targets = ( # CROSS_SDK=iPhoneOS.sdk # "iphoneos-cross" => { -inherit_from => [ "darwin-common" ], +inherit_from => [ "ios-common" ], cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"), -sys_id => "iOS", -disable => [ "engine" ], }, "ios-cross" => { inherit_from => [ "ios-xcrun" ], _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
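Review bot: because `iossimulator-xcrun` also switches to `inherit_from => [ "ios-common" ]` in the first hunk, `async` is now disabled for the simulator build too, although simulator binaries execute on the macOS host rather than on the device; if that is intentional (keeping device and simulator configurations identical) a sentence in the commit message would help, since "Fixes #7318" alone does not say whether the simulator was affected. The `template => 1` on `ios-common` is right, so it will not appear as a selectable target.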
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via a14174acc84db2348dfd8669db869c8e17e0c346 (commit) from 1f98527659b8290d442c4e1532452b9ba6463f1e (commit) - Log - commit a14174acc84db2348dfd8669db869c8e17e0c346 Author: Dr. Matthias St. Pierre Date: Sun Oct 28 12:38:49 2018 +0100 Configure: Improve warning if no random seed source was configured The new Configure summary box (41349b5e6db) now hides the warning about the missing seed source (2805ee1e095) too much. To make it more visible again, add warning markers. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7509) (cherry picked from commit caa8595276c60f009c8621ad466338d2ae39fb86) --- Summary of changes: Configure | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/Configure b/Configure index 3f1d409..1c1fd51 100755 --- a/Configure +++ b/Configure 
@@ -1013,13 +1013,18 @@ if (scalar(@seed_sources) == 0) { if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) { die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1; warn <<_ if scalar(@seed_sources) == 1; -You have selected the --with-rand-seed=none option, which effectively disables -automatic reseeding of the OpenSSL random generator. All operations depending -on the random generator such as creating keys will not work unless the random -generator is seeded manually by the application. -Please read the 'Note on random number generation' section in the INSTALL -instructions and the RAND_DRBG(7) manual page for more details. +== WARNING === +You have selected the --with-rand-seed=none option, which effectively +disables automatic reseeding of the OpenSSL random generator. +All operations depending on the random generator such as creating keys +will not work unless the random generator is seeded manually by the +application. + +Please read the 'Note on random number generation' section in the +INSTALL instructions and the RAND_DRBG(7) manual page for more details. +== WARNING === + _ } push @{$config{openssl_other_defines}}, _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
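Review bot: the reworded warning says what stops working but not how to recover; since the whole point of the change is to make this text noticed, add one line naming the remedy (drop `--with-rand-seed=none`, or choose a real seed source such as the default `os`) so a reader who spots the `== WARNING ===` markers does not have to open INSTALL just to learn that.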
[openssl-commits] [openssl] master update
The branch master has been updated via caa8595276c60f009c8621ad466338d2ae39fb86 (commit) from c23e497da7815bf6ef84461f92339442d3702eda (commit) - Log - commit caa8595276c60f009c8621ad466338d2ae39fb86 Author: Dr. Matthias St. Pierre Date: Sun Oct 28 12:38:49 2018 +0100 Configure: Improve warning if no random seed source was configured The new Configure summary box (41349b5e6db) now hides the warning about the missing seed source (2805ee1e095) too much. To make it more visible again, add warning markers. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7509) --- Summary of changes: Configure | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/Configure b/Configure index 732220e..46218f7 100755 --- a/Configure +++ b/Configure 
@@ -1013,13 +1013,18 @@ if (scalar(@seed_sources) == 0) { if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) { die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1; warn <<_ if scalar(@seed_sources) == 1; -You have selected the --with-rand-seed=none option, which effectively disables -automatic reseeding of the OpenSSL random generator. All operations depending -on the random generator such as creating keys will not work unless the random -generator is seeded manually by the application. -Please read the 'Note on random number generation' section in the INSTALL -instructions and the RAND_DRBG(7) manual page for more details. +== WARNING === +You have selected the --with-rand-seed=none option, which effectively +disables automatic reseeding of the OpenSSL random generator. +All operations depending on the random generator such as creating keys +will not work unless the random generator is seeded manually by the +application. + +Please read the 'Note on random number generation' section in the +INSTALL instructions and the RAND_DRBG(7) manual page for more details. +== WARNING === + _ } push @{$config{openssl_other_defines}}, _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
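Review bot: `warn` emits this heredoc on STDERR, so if the summary box the commit message says was hiding it goes to STDOUT like the rest of Configure's report, a build log that captures only one stream (or discards stderr) loses the new `== WARNING ===` markers together with the text, and nothing in the summary records that seeding is disabled. Consider also adding a short line to the summary box itself, or printing the warning after the box, so the state is visible in both places.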
[openssl-commits] Coverity Scan: Analysis completed for OpenSSL-1.0.2
Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRakUl6QyjujEohY7rPpoYUEeuRTZVWU4ku8PUBnVPw8PQ-3D-3D_19DGMz38yO7VfzGQuXkecdlEmzBoDG4v8Dvyanv-2F1I0OH7R0RvQt3AptMSbbS0yBmeCqBRzCOevPIPaYplO48vFK7GavE5LAgELRoLsr8nr-2FzucZ-2BdeW3ic-2BY2FHS0Pf6XMPFbr7tZ0C-2BG3marZKp5q-2FQQJpgtKaSKZUO-2FRCIiC5EIIsMTNJR5lbh5CG5DBNchXMenU1vw0gzf7bqMiP3S-2BLyUu-2B3ysnkDCk-2B7TAqgM-3D Build ID: 234521 Analysis Summary: New defects found: 0 Defects eliminated: 0
[openssl-commits] Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRakUl6QyjujEohY7rPpoYUEcf-2B75FkFkxwwFKGZV8c1xA-3D-3D_19DGMz38yO7VfzGQuXkecdlEmzBoDG4v8Dvyanv-2F1I0ubX0YYAjK9tyXdyzU0V8soVzOmbgryWcFqRj28zq8smyvQtkkn9wyxSaBwg-2FeQPVCKyGLEqRQeWB1khXgMnDkB1ZFYTrGHi-2FVTYMOi76VIEPRAmerFcmJqx5LihzmgOsDM7sMAkZ-2BSmsLMT5FFqr9NgmYU0ELSFMq8BsgooP5tmJulwNGDs9EW-2B583kveOGM-3D Build ID: 234517 Analysis Summary: New defects found: 3 Defects eliminated: 1 If you have difficulty understanding any defects, email us at scan-ad...@coverity.com, or post your question to StackOverflow at https://u2389337.ct.sendgrid.net/wf/click?upn=OgIsEqWzmIl4S-2FzEUMxLXL-2BukuZt9UUdRZhgmgzAKchwAzH1nH3073xDEXNRgHN6q227lMNIWoOb8ZgSjAjKcg-3D-3D_19DGMz38yO7VfzGQuXkecdlEmzBoDG4v8Dvyanv-2F1I0ubX0YYAjK9tyXdyzU0V8soVzOmbgryWcFqRj28zq8st2aoczC0Kv32gT6fxiMfZX4A-2FwIIl4VeuIM1K9BYLMHK1TRcU56Su1IdF-2B9NX8gRuMsmKMFjP7xOQsxryiWKETnic3XTm6-2FZ4njGoh-2BLWU5KxQsF6QIUa1spzL5m6obSKifq89b86M9DL7Bz38SbfM-3D