Build failed: openssl master.22701
Build openssl master.22701 failed Commit c6c219c691 by Matt Caswell on 2/20/2019 8:53 PM: Deprecate SSL_dup Configure your notification preferences
[openssl] master update
The branch master has been updated via 459217237640369a092084ccb80175b5758f40b1 (commit) from 54d00677f305375eee65a0c9edb5f0980c5f020f (commit) - Log - commit 459217237640369a092084ccb80175b5758f40b1 Author: Markus Stockhausen Date: Mon Feb 11 18:38:46 2019 +0100 MIPS32R3 provides the EXT instruction to extract bits from registers. As the AES table is already 1K aligned we can use it everywhere and speedup table address calculation by 10%. Performance numbers: decryption 16B 64B 256B 1024B 8192B --- aes-256-cbc 5636.84k 6443.26k 6689.02k 6752.94k 6766.59k bef. aes-256-cbc 6200.31k 7195.71k 7504.30k 7585.11k 7599.45k aft. --- aes-128-cbc 7313.85k 8653.67k 9079.55k 9188.35k 9205.08k bef. aes-128-cbc 7925.38k 9557.99k 10092.37k 10232.15k 10272.77k aft. encryption 16B 64B 256B 1024B 8192B --- aes-256 cbc 6009.65k 6592.70k 6766.59k 6806.87k 6815.74k bef. aes-256 cbc 6643.93k 7388.69k 7605.33k 7657.81k 7675.90k aft. --- aes-128 cbc 7862.09k 8892.48k 9214.04k 9291.78k 9311.57k bef. aes-128 cbc 8639.29k 9881.17k 10265.86k 10363.56k 10392.92k aft. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8206) --- Summary of changes: crypto/aes/asm/aes-mips.pl | 134 - 1 file changed, 85 insertions(+), 49 deletions(-) diff --git a/crypto/aes/asm/aes-mips.pl b/crypto/aes/asm/aes-mips.pl index 66c97cd..c93edc6 100644 --- a/crypto/aes/asm/aes-mips.pl +++ b/crypto/aes/asm/aes-mips.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -34,6 +34,11 @@ # instead, code path is chosen upon pre-process time, pass -mips32r2 # or/and -msmartmips. +# February 2019 +# +# Normalize MIPS32R2 AES table address calculation by always using EXT +# instruction. This reduces the standard codebase by another 10%. + ## # There is a number of MIPS ABI in use, O32 and N32/64 are most # widely used. Then there is a new contender: NUBI. It appears that if @@ -224,6 +229,33 @@ _mips_AES_encrypt: _xtr$i0,$s1,16-2 #else +#if defined(_MIPS_ARCH_MIPS32R2) || defined(_MIPS_ARCH_MIPS64R2) + move$i0,$Tbl + move$i1,$Tbl + move$i2,$Tbl + move$i3,$Tbl + ext $t0,$s1,16,8 +.Loop_enc: + ext $t1,$s2,16,8 + ext $t2,$s3,16,8 + ext $t3,$s0,16,8 + $PTR_INS $i0,$t0,2,8 + $PTR_INS $i1,$t1,2,8 + $PTR_INS $i2,$t2,2,8 + $PTR_INS $i3,$t3,2,8 + lw $t0,0($i0) # Te1[s1>>16] + ext $t4,$s2,8,8 + lw $t1,0($i1) # Te1[s2>>16] + ext $t5,$s3,8,8 + lw $t2,0($i2) # Te1[s3>>16] + ext $t6,$s0,8,8 + lw $t3,0($i3) # Te1[s0>>16] + ext $t7,$s1,8,8 + $PTR_INS $i0,$t4,2,8 + $PTR_INS $i1,$t5,2,8 + $PTR_INS $i2,$t6,2,8 + $PTR_INS $i3,$t7,2,8 +#else _xtr$i0,$s1,16-2 .Loop_enc: _xtr$i1,$s2,16-2 @@ -237,16 +269,6 @@ _mips_AES_encrypt: $PTR_ADD $i1,$Tbl $PTR_ADD $i2,$Tbl $PTR_ADD $i3,$Tbl -#if defined(_MIPS_ARCH_MIPS32R2) || defined(_MIPS_ARCH_MIPS64R2) - lw $t0,0($i0) # Te1[s1>>16] - _xtr$i0,$s2,8-2 - lw $t1,0($i1) # Te1[s2>>16] - _xtr$i1,$s3,8-2 - lw $t2,0($i2) # Te1[s3>>16] - _xtr$i2,$s0,8-2 - lw $t3,0($i3) # Te1[s0>>16] - _xtr$i3,$s1,8-2 -#else lwl $t0,3($i0) # Te1[s1>>16] lwl $t1,3($i1) # Te1[s2>>16] lwl $t2,3($i2) # Te1[s3>>16] @@ -259,7 +281,6 @@ _mips_AES_encrypt: _xtr$i2,$s0,8-2 lwr $t3,2($i3) # Te1[s0>>16] _xtr$i3,$s1,8-2 -#endif and $i0,0x3fc and $i1,0x3fc and $i2,0x3fc @@ -268,6 +289,7 @@ _mips_AES_encrypt: $PTR_ADD $i1,$Tbl $PTR_ADD $i2,$Tbl $PTR_ADD $i3,$Tbl +#endif #if
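Review bot: The new MIPS32R2/MIPS64R2 path in the `.Loop_enc` hunk builds each table address with `$PTR_INS $i0,$t0,2,8`, which replaces bits 2..9 of a copy of `$Tbl` instead of adding an offset, so the lookups are only correct while the table's address has its low 10 bits clear. The commit message says the AES table is already 1K aligned, but nothing in the code records that precondition, and a table that later loses its alignment would silently read the wrong words. A comment at the head of the new block, e.g. `# requires $Tbl 1K-aligned: ins overwrites bits 2..9 rather than adding an index`, would keep the invariant visible where it is relied on; the same dependency applies to the later hunks on this line that move the `#endif` so the `$PTR_ADD $i?,$Tbl` form is used only on the non-R2 path. The enclosing `_mips_AES_encrypt` routine starts before the hunk, and the last hunk here is cut off, so the decrypt side cannot be checked.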
[openssl] master update
The branch master has been updated via 54d00677f305375eee65a0c9edb5f0980c5f020f (commit) from c8147d37ccaaf28c430d3fb45a14af36597e48b8 (commit) - Log - commit 54d00677f305375eee65a0c9edb5f0980c5f020f Author: Shane Lontis Date: Tue Feb 19 13:56:33 2019 +1000 cfi build fixes in x86-64 ghash assembly Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8281) --- Summary of changes: crypto/modes/asm/ghash-x86_64.pl | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/crypto/modes/asm/ghash-x86_64.pl b/crypto/modes/asm/ghash-x86_64.pl
index d6d0d75..a5d216a 100644
--- a/crypto/modes/asm/ghash-x86_64.pl
+++ b/crypto/modes/asm/ghash-x86_64.pl
@@ -1155,6 +1155,7 @@ ___
 } else {
 $code.=<<___;
 jmp .L_init_clmul
+.cfi_endproc
 .size gcm_init_avx,.-gcm_init_avx
 ___
 }
@@ -1594,6 +1595,7 @@ ___
 } else {
 $code.=<<___;
 jmp .L_ghash_clmul
+.cfi_endproc
 .size gcm_ghash_avx,.-gcm_ghash_avx
 ___
 }
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via e2e69dce151462e05acd00bd0e56fea56144d485 (commit) via 3c97136e82ecd61f7fcc9032c3159070aeb43475 (commit) from d11e4bcddd3b235e0ca87eb0251a1e5136d95c70 (commit) - Log - commit e2e69dce151462e05acd00bd0e56fea56144d485 Author: Nicola Tuveri Date: Fri Feb 8 12:42:25 2019 +0200 Clear BN_FLG_CONSTTIME on BN_CTX_get() (cherry picked from commit c8147d37ccaaf28c430d3fb45a14af36597e48b8) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8253) commit 3c97136e82ecd61f7fcc9032c3159070aeb43475 Author: Nicola Tuveri Date: Tue Feb 12 00:37:25 2019 +0200 Test for constant-time flag leakage in BN_CTX This commit adds a simple unit test to make sure that the constant-time flag does not "leak" among BN_CTX frames: - test_ctx_consttime_flag() initializes (and later frees before returning) a BN_CTX object, then it calls in sequence test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same BN_CTX object. The process is run twice, once with a "normal" BN_CTX_new() object, then with a BN_CTX_secure_new() one. - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame before ending it. - test_ctx_check_ct_flag() then starts a new frame and gets a number of BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new frame should have BN_FLG_CONSTTIME set. In actual BN_CTX usage inside libcrypto the leak could happen at any depth level in the BN_CTX stack, with varying results depending on the patterns of sibling trees of nested function calls sharing the same BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the called BN_* functions. This simple unit test abstracts away this complexity and verifies that the leak does not happen between two sibling functions sharing the same BN_CTX object at the same level of nesting. 
(cherry picked from commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8253) --- Summary of changes: crypto/bn/bn_ctx.c | 4 +- test/bntest.c | 161 - 2 files changed, 125 insertions(+), 40 deletions(-) diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 228c853..54b7999 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -227,6 +227,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx) } /* OK, make sure the returned bignum is "zero" */ BN_zero(ret); +/* clear BN_FLG_CONSTTIME if leaked from previous frames */ +ret->flags &= (~BN_FLG_CONSTTIME); ctx->used++; CTXDBG_RET(ctx, ret); return ret; diff --git a/test/bntest.c b/test/bntest.c index 720fd62..077f5e8 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -123,7 +123,7 @@ static int getint(STANZA *s, int *out, const char *attribute) *out = (int)word; st = 1; -err: + err: BN_free(ret); return st; } @@ -138,7 +138,6 @@ static int equalBN(const char *op, const BIGNUM *expected, const BIGNUM *actual) return 0; } - /* * Return a "random" flag for if a BN should be negated. */ @@ -150,7 +149,6 @@ static int rand_neg(void) return sign[(neg++) % 8]; } - static int test_swap(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL; 
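Review bot: The bn_ctx.c hunk establishes a new invariant — a BIGNUM handed out by BN_CTX_get() never carries BN_FLG_CONSTTIME, whatever an earlier frame set on it — but the contract is stated only in the one-line comment inside the body, not where callers look. A short note on BN_CTX_get() (its declaration and doc comment are outside the hunk) saying that the returned BIGNUM is zeroed and has BN_FLG_CONSTTIME cleared, so callers that need constant-time arithmetic must set the flag themselves after each BN_CTX_get(), would make the rule visible. The mask `&= (~BN_FLG_CONSTTIME)` leaves every other flag bit alone, so the secure-heap state of a BN_CTX_secure_new() BIGNUM is preserved, which looks right; the parentheses around `~BN_FLG_CONSTTIME` are redundant and could go for consistency with the surrounding code. The same hunk is applied to master on L16, and the bntest.c hunks that add test_ctx_check_ct_flag() are cut off here, so the test cannot be reviewed.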
@@ -166,7 +164,7 @@ static int test_swap(void) BN_bntest_rand(b, 1024, 1, 0); BN_copy(c, a); BN_copy(d, b); -top = BN_num_bits(a)/BN_BITS2; +top = BN_num_bits(a) / BN_BITS2; /* regular swap */ BN_swap(a, b); @@ -252,14 +250,13 @@ static int test_sub(void) goto err; } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); return st; } - static int test_div_recip(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL; @@ -293,7 +290,7 @@ static int test_div_recip(void) goto err; } st = 1; -err: + err: BN_free(a); BN_free(b);
Fixed: openssl/openssl#23294 (master - 0b76ce9)
Build Update for openssl/openssl - Build: #23294 Status: Fixed Duration: 18 mins and 14 secs Commit: 0b76ce9 (master) Author: Richard Levitte Message: test/context_internal_test.c: don't initialize as a separate test Because test order can be randomized, running foo_init() as a separate test is unsafe practice. Instead, we make it possible to call it multiple times, and call it at the start of each separate test. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8288) View the changeset: https://github.com/openssl/openssl/compare/7dec815ecde2...0b76ce99aaa5 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/496117112?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated via c8147d37ccaaf28c430d3fb45a14af36597e48b8 (commit) via fe16ae5f95fa86ddb049a8d1e2caee0b80b32282 (commit) from 0b76ce99aaa5678b44cb99df464e977975747928 (commit) - Log - commit c8147d37ccaaf28c430d3fb45a14af36597e48b8 Author: Nicola Tuveri Date: Fri Feb 8 12:42:25 2019 +0200 Clear BN_FLG_CONSTTIME on BN_CTX_get() Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8253) commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282 Author: Nicola Tuveri Date: Tue Feb 12 00:37:25 2019 +0200 Test for constant-time flag leakage in BN_CTX This commit adds a simple unit test to make sure that the constant-time flag does not "leak" among BN_CTX frames: - test_ctx_consttime_flag() initializes (and later frees before returning) a BN_CTX object, then it calls in sequence test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same BN_CTX object. The process is run twice, once with a "normal" BN_CTX_new() object, then with a BN_CTX_secure_new() one. - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame before ending it. - test_ctx_check_ct_flag() then starts a new frame and gets a number of BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new frame should have BN_FLG_CONSTTIME set. In actual BN_CTX usage inside libcrypto the leak could happen at any depth level in the BN_CTX stack, with varying results depending on the patterns of sibling trees of nested function calls sharing the same BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the called BN_* functions. This simple unit test abstracts away this complexity and verifies that the leak does not happen between two sibling functions sharing the same BN_CTX object at the same level of nesting. 
Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8253) --- Summary of changes: crypto/bn/bn_ctx.c | 4 +- test/bntest.c | 161 - 2 files changed, 125 insertions(+), 40 deletions(-) diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 5106878..d6e7605 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -227,6 +227,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx) } /* OK, make sure the returned bignum is "zero" */ BN_zero(ret); +/* clear BN_FLG_CONSTTIME if leaked from previous frames */ +ret->flags &= (~BN_FLG_CONSTTIME); ctx->used++; CTXDBG_RET(ctx, ret); return ret; diff --git a/test/bntest.c b/test/bntest.c index e4b71e2..8c8acb6 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -123,7 +123,7 @@ static int getint(STANZA *s, int *out, const char *attribute) *out = (int)word; st = 1; -err: + err: BN_free(ret); return st; } @@ -138,7 +138,6 @@ static int equalBN(const char *op, const BIGNUM *expected, const BIGNUM *actual) return 0; } - /* * Return a "random" flag for if a BN should be negated. */ @@ -150,7 +149,6 @@ static int rand_neg(void) return sign[(neg++) % 8]; } - static int test_swap(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL; 
@@ -166,7 +164,7 @@ static int test_swap(void) BN_bntest_rand(b, 1024, 1, 0); BN_copy(c, a); BN_copy(d, b); -top = BN_num_bits(a)/BN_BITS2; +top = BN_num_bits(a) / BN_BITS2; /* regular swap */ BN_swap(a, b); @@ -252,14 +250,13 @@ static int test_sub(void) goto err; } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); return st; } - static int test_div_recip(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL; @@ -293,7 +290,7 @@ static int test_div_recip(void) goto err; } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); @@ -303,7 +300,6 @@ err: return st; } - static int test_mod(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL; @@ -328,7
[openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via b7fc0784c4cfe81db8728f814925c6f98dd948d1 (commit) via 09c11fe59b3d45d35e61d95d0f3a5a371f96a19d (commit) from 68be523db761867cde2c5476cf43f8766c593b2a (commit) - Log - commit b7fc0784c4cfe81db8728f814925c6f98dd948d1 Author: Nicola Tuveri Date: Mon Feb 18 03:46:54 2019 +0200 [test] unit test for field_inv function pointer in EC_METHOD This is a rewrite of commit 8f58ede09572dcc6a7e6c01280dd348240199568 for the 1.1.0-stable branch. Co-authored-by: Billy Brumley Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8263) commit 09c11fe59b3d45d35e61d95d0f3a5a371f96a19d Author: Billy Brumley Date: Sat Feb 2 10:53:29 2019 +0200 SCA hardening for mod. field inversion in EC_GROUP This commit adds a dedicated function in `EC_METHOD` to access a modular field inversion implementation suitable for the specifics of the implemented curve, featuring SCA countermeasures. The new pointer is defined as: `int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)` and computes the multiplicative inverse of `a` in the underlying field, storing the result in `r`. Three implementations are included, each including specific SCA countermeasures: - `ec_GFp_simple_field_inv()`, featuring SCA hardening through blinding. - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's Little Theorem (FLT) inversion. - `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which already features SCA hardening through blinding. From a security point of view, this also helps addressing a leakage previously affecting conversions from projective to affine coordinates. This commit also adds a new error reason code (i.e., `EC_R_CANNOT_INVERT`) to improve consistency between the three implementations as all of them could fail for the same reason but through different code paths resulting in inconsistent error stack states. 
Co-authored-by: Nicola Tuveri (cherry picked from commit e0033efc30b0f00476bba8f0fa5512be5dc8a3f1) Reviewed-by: Matt Caswell Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8263) --- Summary of changes: CHANGES| 6 + crypto/ec/ec2_smpl.c | 140 --- crypto/ec/ec_err.c | 6 +- crypto/ec/ec_lcl.h | 13 ++- crypto/ec/ecp_mont.c | 51 - crypto/ec/ecp_nist.c | 3 +- crypto/ec/ecp_nistp224.c | 3 +- crypto/ec/ecp_nistp256.c | 3 +- crypto/ec/ecp_nistp521.c | 3 +- crypto/ec/ecp_nistz256.c | 3 +- crypto/ec/ecp_smpl.c | 51 - include/openssl/ec.h | 6 +- test/build.info| 9 ++ test/ec_internal_test.c| 220 + test/recipes/03-test_internal_ec.t | 19 15 files changed, 462 insertions(+), 74 deletions(-) create mode 100644 test/ec_internal_test.c create mode 100644 test/recipes/03-test_internal_ec.t diff --git a/CHANGES b/CHANGES index d634252..d0b6fd7 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,12 @@ Changes between 1.1.0j and 1.1.0k [xx XXX ] + *) Added SCA hardening for modular field inversion in EC_GROUP through + a new dedicated field_inv() pointer in EC_METHOD. + This also addresses a leakage affecting conversions from projective + to affine coordinates. + [Billy Bob Brumley, Nicola Tuveri] + *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a re-used X509_PUBKEY object if the second PUBKEY is malformed. [Bernd Edlinger] diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index cdacce6..6cb6d1b 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -29,67 +29,6 @@ #ifndef OPENSSL_NO_EC2M -const EC_METHOD *EC_GF2m_simple_method(void) -{ -static const EC_METHOD ret = { -EC_FLAGS_DEFAULT_OCT, -NID_X9_62_characteristic_two_field, -ec_GF2m_simple_group_init, -ec_GF2m_simple_group_finish, -ec_GF2m_simple_group_clear_finish, -ec_GF2m_simple_group_copy, -ec_GF2m_simple_group_set_curve, -ec_GF2m_simple_group_get_curve, -ec_GF2m_simple_group_get_degree, -
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via d11e4bcddd3b235e0ca87eb0251a1e5136d95c70 (commit) via 48e82c8e22f8ac16ad0666d99172f6dbaf33953a (commit) from 70fa3aa108320d15536228656b120d3e08de0e40 (commit) - Log - commit d11e4bcddd3b235e0ca87eb0251a1e5136d95c70 Author: Billy Brumley Date: Tue Feb 12 16:00:20 2019 +0200 [test] unit test for field_inv function pointer in EC_METHOD (cherry picked from commit 8f58ede09572dcc6a7e6c01280dd348240199568) Reviewed-by: Matt Caswell Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8262) commit 48e82c8e22f8ac16ad0666d99172f6dbaf33953a Author: Billy Brumley Date: Sat Feb 2 10:53:29 2019 +0200 SCA hardening for mod. field inversion in EC_GROUP This commit adds a dedicated function in `EC_METHOD` to access a modular field inversion implementation suitable for the specifics of the implemented curve, featuring SCA countermeasures. The new pointer is defined as: `int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)` and computes the multiplicative inverse of `a` in the underlying field, storing the result in `r`. Three implementations are included, each including specific SCA countermeasures: - `ec_GFp_simple_field_inv()`, featuring SCA hardening through blinding. - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's Little Theorem (FLT) inversion. - `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which already features SCA hardening through blinding. From a security point of view, this also helps addressing a leakage previously affecting conversions from projective to affine coordinates. This commit also adds a new error reason code (i.e., `EC_R_CANNOT_INVERT`) to improve consistency between the three implementations as all of them could fail for the same reason but through different code paths resulting in inconsistent error stack states. 
Co-authored-by: Nicola Tuveri (cherry picked from commit e0033efc30b0f00476bba8f0fa5512be5dc8a3f1) Reviewed-by: Matt Caswell Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8262) --- Summary of changes: CHANGES| 6 + crypto/ec/ec2_smpl.c | 20 +- crypto/ec/ec_err.c | 9 +- crypto/ec/ec_lcl.h | 13 +- crypto/ec/ecp_mont.c | 51 - crypto/ec/ecp_nist.c | 3 +- crypto/ec/ecp_nistp224.c | 3 +- crypto/ec/ecp_nistp256.c | 3 +- crypto/ec/ecp_nistp521.c | 3 +- crypto/ec/ecp_nistz256.c | 3 +- crypto/ec/ecp_smpl.c | 51 - crypto/err/openssl.txt | 4 + include/openssl/ecerr.h| 6 +- test/build.info| 6 +- test/ec_internal_test.c| 205 + ...t_internal_curve448.t => 03-test_internal_ec.t} | 8 +- 16 files changed, 375 insertions(+), 19 deletions(-) create mode 100644 test/ec_internal_test.c copy test/recipes/{03-test_internal_curve448.t => 03-test_internal_ec.t} (62%) diff --git a/CHANGES b/CHANGES index ff77c1b..cc7502d 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,12 @@ Changes between 1.1.1a and 1.1.1b [xx XXX ] + *) Added SCA hardening for modular field inversion in EC_GROUP through + a new dedicated field_inv() pointer in EC_METHOD. + This also addresses a leakage affecting conversions from projective + to affine coordinates. + [Billy Bob Brumley, Nicola Tuveri] + *) Change the info callback signals for the start and end of a post-handshake message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index 87f7ce5..0a05a7a 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use 
@@ -810,7 +810,7 @@ int ec_GF2m_simple_ladder_post(const EC_GROUP *group, || !group->meth->field_mul(group, t2, t2, t0, ctx) || !BN_GF2m_add(t1, t2, t1) ||
[openssl] master update
The branch master has been updated via 0b76ce99aaa5678b44cb99df464e977975747928 (commit) from 7dec815ecde29c1eabed6b5832c7025c4eafad19 (commit) - Log - commit 0b76ce99aaa5678b44cb99df464e977975747928 Author: Richard Levitte Date: Wed Feb 20 08:21:02 2019 +0100 test/context_internal_test.c: don't initialize as a separate test Because test order can be randomized, running foo_init() as a separate test is unsafe practice. Instead, we make it possible to call it multiple times, and call it at the start of each separate test. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8288) --- Summary of changes: test/context_internal_test.c | 20 +--- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/test/context_internal_test.c b/test/context_internal_test.c index 7052de2..aca3db3 100644 --- a/test/context_internal_test.c +++ b/test/context_internal_test.c @@ -46,8 +46,10 @@ static const OPENSSL_CTX_METHOD foo_method = { foo_free }; -static int foo_init(void) { -foo_index = openssl_ctx_new_index(_method); +static int foo_init(void) +{ +if (foo_index == -1) +foo_index = openssl_ctx_new_index(_method); return foo_index != -1; } @@ -61,15 +63,20 @@ static int test_context(OPENSSL_CTX *ctx) { FOO *data = NULL; -return (TEST_ptr(data = openssl_ctx_get_data(ctx, foo_index)) -/* OPENSSL_zalloc in foo_new() initialized it to zero */ -&& TEST_int_eq(data->i, 42)); +return +TEST_true(foo_init()) +&& TEST_ptr(data = openssl_ctx_get_data(ctx, foo_index)) +/* OPENSSL_zalloc in foo_new() initialized it to zero */ +&& TEST_int_eq(data->i, 42); } static int test_app_context(void) { OPENSSL_CTX *ctx = NULL; -int result = (TEST_ptr(ctx = OPENSSL_CTX_new()) && test_context(ctx)); +int result = +TEST_true(foo_init()) +&& TEST_ptr(ctx = OPENSSL_CTX_new()) +&& test_context(ctx); OPENSSL_CTX_free(ctx); return result; 
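Review bot: In the second hunk `TEST_true(foo_init())` now runs twice on the app-context path: test_app_context() calls it before OPENSSL_CTX_new() and then calls test_context(), which calls it again. foo_init() is idempotent after this change so the duplicate is harmless, but if the early call in test_app_context() is deliberate — for instance so the index exists before the context is created, which cannot be confirmed from the hunk — a one-line comment such as `/* register the index before creating the ctx */` would stop a later cleanup from removing it; otherwise the call in test_context() alone would do. The guard `if (foo_index == -1)` in the first hunk relies on foo_index being initialised to -1 at file scope, which is outside the hunk and worth a comment at that definition. test_def_context() is not shown, so whether it reaches foo_init() through test_context() cannot be checked here.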
@@ -82,7 +89,6 @@ static int test_def_context(void)
 int setup_tests(void)
 {
-ADD_TEST(foo_init);
 ADD_TEST(test_app_context);
 ADD_TEST(test_def_context);
 return 1;
[openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 68be523db761867cde2c5476cf43f8766c593b2a (commit) from 54a622697eced33a6029fd5e7dd452cfb99bb72e (commit) - Log - commit 68be523db761867cde2c5476cf43f8766c593b2a Author: Corinna Vinschen Date: Mon Feb 18 22:37:37 2019 +0100 cygwin: drop explicit O_TEXT Cygwin binaries should not enforce text mode these days, just use text mode if the underlying mount point requests it Signed-off-by: Corinna Vinschen Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8275) --- Summary of changes: crypto/bio/bss_file.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c
index 2edf244..0240a0d 100644
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -255,9 +255,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
 }
 # elif defined(OPENSSL_SYS_WIN32_CYGWIN)
 int fd = fileno((FILE *)ptr);
-if (num & BIO_FP_TEXT)
-setmode(fd, O_TEXT);
-else
+if (!(num & BIO_FP_TEXT))
 setmode(fd, O_BINARY);
 # endif
 }
@@ -281,11 +279,14 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
 ret = 0;
 break;
 }
-# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32_CYGWIN)
+# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
 if (!(num & BIO_FP_TEXT))
 strcat(p, "b");
 else
 strcat(p, "t");
+# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
+if (!(num & BIO_FP_TEXT))
+strcat(p, "b");
 # endif
 fp = openssl_fopen(ptr, p);
 if (fp == NULL) {
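Review bot: On the Cygwin branch of the first hunk, requesting BIO_FP_TEXT now leaves the descriptor's mode untouched instead of forcing O_TEXT, so a descriptor that was earlier switched to binary stays binary even when text mode is asked for; that matches the commit message's intent of deferring to the mount point, but the asymmetry is not obvious from the code alone. A comment at the new `if`, e.g. `/* Cygwin: text vs binary follows the mount point; only force binary */`, would record the reason, and the same note applies to the new `# elif` branch in the second hunk where only `"b"` is ever appended to the mode string. The `strcat(p, "b")` there follows the existing pattern of the neighbouring branch and the size of `p` is established outside the hunk. file_ctrl() begins before both hunks.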
Build completed: openssl master.22685
Build openssl master.22685 completed Commit a2a55907d0 by Antonio Iacono on 2/20/2019 12:40 PM: code optimization Configure your notification preferences
Build failed: openssl master.22684
Build openssl master.22684 failed Commit 14f5ba2ff3 by Matt Caswell on 2/20/2019 11:11 AM: Fix dasync engine Configure your notification preferences
Build completed: openssl master.22681
Build openssl master.22681 completed Commit 68f5f44576 by Tobias Klotz on 2/20/2019 7:58 AM: remarks Configure your notification preferences