Still Failing: openssl/openssl#24243 (OpenSSL_1_1_1-stable - 683403b)
Build Update for openssl/openssl - Build: #24243 Status: Still Failing Duration: 24 mins and 16 secs Commit: 683403b (OpenSSL_1_1_1-stable) Author: Bernd Edlinger Message: Modify the RSA_private_decrypt functions to check the padding in constant time with a memory access pattern that does not depend on secret information. [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8543) (cherry picked from commit 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5) View the changeset: https://github.com/openssl/openssl/compare/33726188f40f...683403b3449c View the full build log and details: https://travis-ci.org/openssl/openssl/builds/509922775?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 8f58aa0a5edad245e7103449b1639b4b9d4233ea (commit) from 2a483a87e74ec33bfcd904dbaeaa017c658f0389 (commit) - Log - commit 8f58aa0a5edad245e7103449b1639b4b9d4233ea Author: Bernd Edlinger Date: Wed Mar 20 22:02:58 2019 +0100 Modify the RSA_private_decrypt functions to check the padding in constant time with a memory access pattern that does not depend on secret information. [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8543) (cherry picked from commit 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5) --- Summary of changes: crypto/rsa/rsa_oaep.c | 32 crypto/rsa/rsa_pk1.c | 32 crypto/rsa/rsa_ssl.c | 32 3 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 8c2bab4..75a88b0 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -240,25 +240,25 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 good &= constant_time_ge(tlen, mlen);
 /*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
 */
 tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
 dblen - mdlen - 1, tlen);
-msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
-mlen = dblen - msg_index;
-for (mask = good, i = 0; i < tlen; i++) {
-unsigned int equals = constant_time_eq(msg_index, dblen);
-
-msg_index -= tlen & equals; /* rewind at EOF */
-mask &= ~equals; /* mask = 0 at EOF */
-to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
+for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
+mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
+for (i = mdlen + 1; i < dblen - msg_index; i++)
+db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
+}
+for (i = 0; i < tlen; i++) {
+mask = good & constant_time_lt(i, mlen);
+to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
 }
 /*
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index f63c65b..745d22e 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
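Review bot: The new comment describes the copy but not the invariant that makes it constant-time: every loop bound (`dblen - mdlen - 1`, `dblen - msg_index`, the clamped `tlen`) is derived from public sizes, while the secret-dependent `mlen` and `good` only ever reach `constant_time_select_8` through `mask`, so I would add `* Loop bounds depend only on the public |dblen|, |mdlen| and |tlen|; |mlen| and |good| feed the selection masks only.` at the end of it. The failure case deserves a sentence too: if `mlen` can exceed `dblen - mdlen - 1` when the earlier checks fail (not visible in this hunk), `dblen - mdlen - 1 - mlen` is negative and the first loop performs a meaningless in-place shift, which is safe only because `good` is then zero and the second loop writes each `to[i]` back unchanged; the bounds do keep every `db[]` access below `dblen` either way. Reusing `msg_index` as the power-of-two stride after it meant the message offset earlier in the function reads awkwardly; a dedicated local would be clearer. RSA_padding_check_PKCS1_OAEP_mgf1 begins outside the hunk, and the same hunk appears in the OpenSSL_1_0_2-stable, OpenSSL_1_1_1-stable and master mails below.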
@@ -226,25 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), num - 11, tlen); -msg_index
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via c3e7beab2a302e3eff45b156751240d0897d50f5 (commit) from d284d277707f9985e69bdba1511ecfbb1e53ac46 (commit) - Log - commit c3e7beab2a302e3eff45b156751240d0897d50f5 Author: Bernd Edlinger Date: Wed Mar 20 22:02:58 2019 +0100 Modify the RSA_private_decrypt functions to check the padding in constant time with a memory access pattern that does not depend on secret information. [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8543) (cherry picked from commit 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5) --- Summary of changes: crypto/rsa/rsa_oaep.c | 32 crypto/rsa/rsa_pk1.c | 32 crypto/rsa/rsa_ssl.c | 32 3 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index acba7f1..41e9c3b 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -235,25 +235,25 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 good &= constant_time_ge(tlen, mlen);
 /*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
 */
 tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
 dblen - mdlen - 1, tlen);
-msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
-mlen = dblen - msg_index;
-for (mask = good, i = 0; i < tlen; i++) {
-unsigned int equals = constant_time_eq(msg_index, dblen);
-
-msg_index -= tlen & equals; /* rewind at EOF */
-mask &= ~equals; /* mask = 0 at EOF */
-to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
+for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
+mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
+for (i = mdlen + 1; i < dblen - msg_index; i++)
+db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
+}
+for (i = 0; i < tlen; i++) {
+mask = good & constant_time_lt(i, mlen);
+to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
 }
 /*
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index 2c43a54..86e0deb 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -275,25 +275,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), num - 11, tlen); -msg_index
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 683403b3449cd901ec9fa95667c92f6eb89d239b (commit) from 33726188f40fe0598849855778ce266f80d0751e (commit) - Log - commit 683403b3449cd901ec9fa95667c92f6eb89d239b Author: Bernd Edlinger Date: Wed Mar 20 22:02:58 2019 +0100 Modify the RSA_private_decrypt functions to check the padding in constant time with a memory access pattern that does not depend on secret information. [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8543) (cherry picked from commit 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5) --- Summary of changes: crypto/rsa/rsa_oaep.c | 32 crypto/rsa/rsa_pk1.c | 32 crypto/rsa/rsa_ssl.c | 32 3 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 8deefc3..48b888b 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -234,25 +234,25 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 good &= constant_time_ge(tlen, mlen);
 /*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
 */
 tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
 dblen - mdlen - 1, tlen);
-msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
-mlen = dblen - msg_index;
-for (mask = good, i = 0; i < tlen; i++) {
-unsigned int equals = constant_time_eq(msg_index, dblen);
-
-msg_index -= tlen & equals; /* rewind at EOF */
-mask &= ~equals; /* mask = 0 at EOF */
-to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
+for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
+mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
+for (i = mdlen + 1; i < dblen - msg_index; i++)
+db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
+}
+for (i = 0; i < tlen; i++) {
+mask = good & constant_time_lt(i, mlen);
+to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
 }
 /*
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index cc7c4ea..5260d12 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -226,25 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), num - 11, tlen); -msg_index
[openssl] master update
The branch master has been updated via 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5 (commit) from 94dc53a3f7549040dd9e61a25485070c14b41c49 (commit) - Log - commit 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5 Author: Bernd Edlinger Date: Wed Mar 20 22:02:58 2019 +0100 Modify the RSA_private_decrypt functions to check the padding in constant time with a memory access pattern that does not depend on secret information. [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8543) --- Summary of changes: crypto/rsa/rsa_oaep.c | 32 crypto/rsa/rsa_pk1.c | 32 crypto/rsa/rsa_ssl.c | 32 3 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 8fca4fa..9affabb 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -234,25 +234,25 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 good &= constant_time_ge(tlen, mlen);
 /*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
 */
 tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
 dblen - mdlen - 1, tlen);
-msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
-mlen = dblen - msg_index;
-for (mask = good, i = 0; i < tlen; i++) {
-unsigned int equals = constant_time_eq(msg_index, dblen);
-
-msg_index -= tlen & equals; /* rewind at EOF */
-mask &= ~equals; /* mask = 0 at EOF */
-to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
+for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
+mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
+for (i = mdlen + 1; i < dblen - msg_index; i++)
+db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
+}
+for (i = 0; i < tlen; i++) {
+mask = good & constant_time_lt(i, mlen);
+to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
 }
 /*
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index 58ac992..ff1ca02 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -226,25 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), num - 11, tlen); -msg_index = constant_time_select_int(good, msg_index, num - tlen); -mlen = num - msg_index; -
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via d284d277707f9985e69bdba1511ecfbb1e53ac46 (commit) from 94eb7d07c0c14bf18bd3a4e4d6c1ef1e6633d447 (commit) - Log - commit d284d277707f9985e69bdba1511ecfbb1e53ac46 Author: Bernd Edlinger Date: Wed Mar 20 20:01:12 2019 +0100 Make err_clear_constant_time really constant time [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8558) --- Summary of changes: crypto/err/err.c | 47 +++ crypto/err/err.h | 1 + crypto/rsa/rsa_eay.c | 2 +- 3 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 5ce774a..d02e8ff 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -827,8 +827,24 @@ static unsigned long get_error_values(int inc, int top, const char **file,
 return ERR_R_INTERNAL_ERROR;
 }
+while (es->bottom != es->top) {
+if (es->err_flags[es->top] & ERR_FLAG_CLEAR) {
+err_clear(es, es->top);
+es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1;
+continue;
+}
+i = (es->bottom + 1) % ERR_NUM_ERRORS;
+if (es->err_flags[i] & ERR_FLAG_CLEAR) {
+es->bottom = i;
+err_clear(es, es->bottom);
+continue;
+}
+break;
+}
+
 if (es->bottom == es->top)
 return 0;
+
 if (top)
 i = es->top;/* last error */
 else
@@ -1158,23 +1174,6 @@ int ERR_pop_to_mark(void)
 return 1;
 }
-#ifdef UINTPTR_T
-# undef UINTPTR_T
-#endif
-/*
- * uintptr_t is the answer, but unformtunately we can't assume that all
- * compilers supported by 1.0.2 have it :-(
- */
-#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64
-/*
- * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
- * even in 64-bit builds, which means that it won't work as mask.
- */
-# define UINTPTR_T unsigned long long
-#else
-# define UINTPTR_T size_t
-#endif
-
 void err_clear_last_constant_time(int clear)
 {
 ERR_STATE *es;
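Review bot: The 14-line loop added at the top of get_error_values carries no comment, and its purpose is only recoverable from the err_clear_last_constant_time hunk further down: entries that were merely flagged `ERR_FLAG_CLEAR` there are dropped lazily here, from `top` downwards and from `bottom + 1` upwards, so a flagged entry is never returned and never makes the queue look non-empty. I would put that above the `while`, e.g. `/* Drop entries flagged by err_clear_last_constant_time(): the flag is set in constant time and the actual removal is deferred to here, where timing is not secret-dependent. */`. It is also worth recording for maintainers that this is the only place in the diff where the flag is honoured, so any other reader of `es->top`/`es->bottom` (the mark functions named in the next hunk header, for instance) would still see the flagged slot; whether that matters for them cannot be decided from this hunk. The same hunk appears in the OpenSSL_1_1_0-stable, OpenSSL_1_1_1-stable and master mails below.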
@@ -1186,11 +1185,11 @@ void err_clear_last_constant_time(int clear)
 top = es->top;
-es->err_flags[top] &= ~(0 - clear);
-es->err_buffer[top] &= ~(0UL - clear);
-es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
- ~((UINTPTR_T)0 - clear));
-es->err_line[top] |= 0 - clear;
-
-es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+/*
+ * Flag error as cleared but remove it elsewhere to avoid two errors
+ * accessing the same error stack location, revealing timing information.
+ */
+clear = constant_time_select_int(constant_time_eq_int(clear, 0),
+ 0, ERR_FLAG_CLEAR);
+es->err_flags[top] |= clear;
 }
diff --git a/crypto/err/err.h b/crypto/err/err.h
index f423656..c12524d 100644
--- a/crypto/err/err.h
+++ b/crypto/err/err.h
@@ -143,6 +143,7 @@ extern "C" {
 # define ERR_TXT_STRING 0x02
 # define ERR_FLAG_MARK 0x01
+# define ERR_FLAG_CLEAR 0x02
 # define ERR_NUM_ERRORS 16
 typedef struct err_state_st {
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 7f20fd6..1c798a0 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -589,7 +589,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 goto err;
 }
 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
-err_clear_last_constant_time(r >= 0);
+err_clear_last_constant_time(1 & ~constant_time_msb(r));
 err:
 if (ctx != NULL) {
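Review bot: The new comment's "remove it elsewhere" is too vague for a side-channel mitigation; name the mechanism and the reason the old code was dropped: `Flag the error as cleared instead of popping it: moving es->top here (as the old code did) made the slot used by the next error depend on |clear|. get_error_values() drops flagged entries on the next read.` The body also changes the parameter contract — the removed `0 - clear` and `(top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS` required `clear` to be exactly 0 or 1, whereas `constant_time_eq_int(clear, 0)` accepts any non-zero value as "clear" — and that should be stated at the declaration (outside this hunk), together with the expectation visible at the call sites that the argument is itself derived in constant time, as `1 & ~constant_time_msb(r)` is. The function's start is outside the hunk, and the same hunk appears in the OpenSSL_1_1_0-stable, OpenSSL_1_1_1-stable and master mails below.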
[openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 2a483a87e74ec33bfcd904dbaeaa017c658f0389 (commit) from 502b871ad4eacc96a31f89d9a9470ca2858da998 (commit) - Log - commit 2a483a87e74ec33bfcd904dbaeaa017c658f0389 Author: Bernd Edlinger Date: Wed Mar 20 20:01:12 2019 +0100 Make err_clear_constant_time really constant time [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8542) (cherry picked from commit 94dc53a3f7549040dd9e61a25485070c14b41c49) --- Summary of changes: crypto/err/err.c | 49 +++-- crypto/rsa/rsa_ossl.c | 2 +- include/openssl/err.h | 1 + 3 files changed, 25 insertions(+), 27 deletions(-)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index ba7577b..8cbf21f 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -464,8 +464,24 @@ static unsigned long get_error_values(int inc, int top, const char **file,
 return ERR_R_INTERNAL_ERROR;
 }
+while (es->bottom != es->top) {
+if (es->err_flags[es->top] & ERR_FLAG_CLEAR) {
+err_clear(es, es->top);
+es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1;
+continue;
+}
+i = (es->bottom + 1) % ERR_NUM_ERRORS;
+if (es->err_flags[i] & ERR_FLAG_CLEAR) {
+es->bottom = i;
+err_clear(es, es->bottom);
+continue;
+}
+break;
+}
+
 if (es->bottom == es->top)
 return 0;
+
 if (top)
 i = es->top;/* last error */
 else
@@ -824,25 +840,6 @@ int ERR_pop_to_mark(void)
 return 1;
 }
-#ifdef UINTPTR_T
-# undef UINTPTR_T
-#endif
-/*
- * uintptr_t is the answer, but unfortunately C89, current "least common
- * denominator" doesn't define it. Most legacy platforms typedef it anyway,
- * so that attempt to fill the gaps means that one would have to identify
- * that track these gaps, which would be undesirable. Macro it is...
- */
-#if defined(__VMS) && __INITIAL_POINTER_SIZE==64
-/*
- * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
- * even in 64-bit builds, which means that it won't work as mask.
- */
-# define UINTPTR_T unsigned long long
-#else
-# define UINTPTR_T size_t
-#endif
-
 void err_clear_last_constant_time(int clear)
 {
 ERR_STATE *es;
@@ -854,11 +851,11 @@ void err_clear_last_constant_time(int clear)
 top = es->top;
-es->err_flags[top] &= ~(0 - clear);
-es->err_buffer[top] &= ~(0UL - clear);
-es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
- ~((UINTPTR_T)0 - clear));
-es->err_line[top] |= 0 - clear;
-
-es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+/*
+ * Flag error as cleared but remove it elsewhere to avoid two errors
+ * accessing the same error stack location, revealing timing information.
+ */
+clear = constant_time_select_int(constant_time_eq_int(clear, 0),
+ 0, ERR_FLAG_CLEAR);
+es->err_flags[top] |= clear;
 }
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index ed77fad..b48d708 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -472,7 +472,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
 goto err;
 }
 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
-err_clear_last_constant_time(r >= 0);
+err_clear_last_constant_time(1 & ~constant_time_msb(r));
 err:
 if (ctx != NULL)
diff --git a/include/openssl/err.h b/include/openssl/err.h
index 29a261c..779ed24 100644
--- a/include/openssl/err.h
+++ b/include/openssl/err.h
@@ -37,6 +37,7 @@ extern "C" {
 # define ERR_TXT_STRING 0x02
 # define ERR_FLAG_MARK 0x01
+# define ERR_FLAG_CLEAR 0x02
 # define ERR_NUM_ERRORS 16
 typedef struct err_state_st {
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 33726188f40fe0598849855778ce266f80d0751e (commit) from e3568508c387681f52764514db40def3009d7a14 (commit) - Log - commit 33726188f40fe0598849855778ce266f80d0751e Author: Bernd Edlinger Date: Wed Mar 20 20:01:12 2019 +0100 Make err_clear_constant_time really constant time [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8542) (cherry picked from commit 94dc53a3f7549040dd9e61a25485070c14b41c49) --- Summary of changes: crypto/err/err.c | 49 +++-- crypto/rsa/rsa_ossl.c | 2 +- include/openssl/err.h | 1 + 3 files changed, 25 insertions(+), 27 deletions(-)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index c737b2a..eaf6712 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -523,8 +523,24 @@ static unsigned long get_error_values(int inc, int top, const char **file,
 return ERR_R_INTERNAL_ERROR;
 }
+while (es->bottom != es->top) {
+if (es->err_flags[es->top] & ERR_FLAG_CLEAR) {
+err_clear(es, es->top);
+es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1;
+continue;
+}
+i = (es->bottom + 1) % ERR_NUM_ERRORS;
+if (es->err_flags[i] & ERR_FLAG_CLEAR) {
+es->bottom = i;
+err_clear(es, es->bottom);
+continue;
+}
+break;
+}
+
 if (es->bottom == es->top)
 return 0;
+
 if (top)
 i = es->top;/* last error */
 else
@@ -913,25 +929,6 @@ int ERR_clear_last_mark(void)
 return 1;
 }
-#ifdef UINTPTR_T
-# undef UINTPTR_T
-#endif
-/*
- * uintptr_t is the answer, but unfortunately C89, current "least common
- * denominator" doesn't define it. Most legacy platforms typedef it anyway,
- * so that attempt to fill the gaps means that one would have to identify
- * that track these gaps, which would be undesirable. Macro it is...
- */
-#if defined(__VMS) && __INITIAL_POINTER_SIZE==64
-/*
- * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
- * even in 64-bit builds, which means that it won't work as mask.
- */
-# define UINTPTR_T unsigned long long
-#else
-# define UINTPTR_T size_t
-#endif
-
 void err_clear_last_constant_time(int clear)
 {
 ERR_STATE *es;
@@ -943,11 +940,11 @@ void err_clear_last_constant_time(int clear)
 top = es->top;
-es->err_flags[top] &= ~(0 - clear);
-es->err_buffer[top] &= ~(0UL - clear);
-es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
- ~((UINTPTR_T)0 - clear));
-es->err_line[top] |= 0 - clear;
-
-es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+/*
+ * Flag error as cleared but remove it elsewhere to avoid two errors
+ * accessing the same error stack location, revealing timing information.
+ */
+clear = constant_time_select_int(constant_time_eq_int(clear, 0),
+ 0, ERR_FLAG_CLEAR);
+es->err_flags[top] |= clear;
 }
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 0c93f13..adf2836 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -479,7 +479,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
 goto err;
 }
 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
-err_clear_last_constant_time(r >= 0);
+err_clear_last_constant_time(1 & ~constant_time_msb(r));
 err:
 BN_CTX_end(ctx);
diff --git a/include/openssl/err.h b/include/openssl/err.h
index 6cae1a3..ea304b8 100644
--- a/include/openssl/err.h
+++ b/include/openssl/err.h
@@ -37,6 +37,7 @@ extern "C" {
 # define ERR_TXT_STRING 0x02
 # define ERR_FLAG_MARK 0x01
+# define ERR_FLAG_CLEAR 0x02
 # define ERR_NUM_ERRORS 16
 typedef struct err_state_st {
[openssl] master update
The branch master has been updated via 94dc53a3f7549040dd9e61a25485070c14b41c49 (commit) from b3d113ed2993801ee643126118ccf6592ad18ef7 (commit) - Log - commit 94dc53a3f7549040dd9e61a25485070c14b41c49 Author: Bernd Edlinger Date: Wed Mar 20 20:01:12 2019 +0100 Make err_clear_constant_time really constant time [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8542) --- Summary of changes: crypto/err/err.c | 49 +++-- crypto/rsa/rsa_ossl.c | 2 +- include/openssl/err.h | 1 + 3 files changed, 25 insertions(+), 27 deletions(-) diff --git a/crypto/err/err.c b/crypto/err/err.c index 63dcfc3..4548854 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -525,8 +525,24 @@ static unsigned long get_error_values(int inc, int top, const char **file, return ERR_R_INTERNAL_ERROR; } +while (es->bottom != es->top) { +if (es->err_flags[es->top] & ERR_FLAG_CLEAR) { +err_clear(es, es->top); +es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1; +continue; +} +i = (es->bottom + 1) % ERR_NUM_ERRORS; +if (es->err_flags[i] & ERR_FLAG_CLEAR) { +es->bottom = i; +err_clear(es, es->bottom); +continue; +} +break; +} + if (es->bottom == es->top) return 0; + if (top) i = es->top;/* last error */ else @@ -915,25 +931,6 @@ int ERR_clear_last_mark(void) return 1; } -#ifdef UINTPTR_T -# undef UINTPTR_T -#endif -/* - * uintptr_t is the answer, but unfortunately C89, current "least common - * denominator" doesn't define it. Most legacy platforms typedef it anyway, - * so that attempt to fill the gaps means that one would have to identify - * that track these gaps, which would be undesirable. Macro it is... - */ -#if defined(__VMS) && __INITIAL_POINTER_SIZE==64 -/* - * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 - * even in 64-bit builds, which means that it won't work as mask. - */ -# define UINTPTR_T unsigned long long -#else -# define UINTPTR_T size_t -#endif - void err_clear_last_constant_time(int clear) { ERR_STATE *es; 
@@ -945,11 +942,11 @@ void err_clear_last_constant_time(int clear) top = es->top; -es->err_flags[top] &= ~(0 - clear); -es->err_buffer[top] &= ~(0UL - clear); -es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & - ~((UINTPTR_T)0 - clear)); -es->err_line[top] |= 0 - clear; - -es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; +/* + * Flag error as cleared but remove it elsewhere to avoid two errors + * accessing the same error stack location, revealing timing information. + */ +clear = constant_time_select_int(constant_time_eq_int(clear, 0), + 0, ERR_FLAG_CLEAR); +es->err_flags[top] |= clear; } diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c index 189d3b7..e6876de 100644 --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -479,7 +479,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, goto err; } RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); -err_clear_last_constant_time(r >= 0); +err_clear_last_constant_time(1 & ~constant_time_msb(r)); err: BN_CTX_end(ctx); diff --git a/include/openssl/err.h b/include/openssl/err.h index fded82c..136b000 100644 --- a/include/openssl/err.h +++ b/include/openssl/err.h @@ -37,6 +37,7 @@ extern "C" { # define ERR_TXT_STRING 0x02 # define ERR_FLAG_MARK 0x01 +# define ERR_FLAG_CLEAR 0x02 # define ERR_NUM_ERRORS 16 typedef struct err_state_st {
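Review bot: err_clear_last_constant_time() now has a different contract — it no longer wipes the entry or moves es->top, it marks the most recent error with ERR_FLAG_CLEAR and relies on get_error_values() to drop it later — and nothing in the hunk says so; the function's opening, including any header comment, is outside this hunk. I would document at the definition (and at its declaration in the internal header) something like `/* Marks (does not remove) the last error when clear != 0; removal is deferred to get_error_values(). Callers must compute clear without secret-dependent branches. */`, because this function can only be as constant-time as the argument it is handed. The in-hunk comment could also name the lazy consumer explicitly rather than saying "elsewhere", so the next maintainer finds the matching loop in get_error_values().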
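Review bot: The expression `1 & ~constant_time_msb(r)` in rsa_ossl_private_decrypt() is correct (r < 0 yields 0, r >= 0 yields 1) but reads as magic without a comment, and it silently converts the unsigned result of constant_time_msb() into an int parameter. A one-line comment on that call would help: `/* r < 0 means the padding check failed; derive the flag without a branch */`. The surrounding function starts and ends outside this hunk.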
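Review bot: `ERR_FLAG_CLEAR` is added to a public header with no comment, next to an equally undocumented ERR_FLAG_MARK, and since err_flags[] is a field of the public err_state_st a reader of the header cannot tell what the bit means or that it is internal bookkeeping. I would add `/* entry was cleared in constant time; dropped lazily by the error-retrieval code */` on that line. Because the bit lives in the existing err_flags array the struct layout is unchanged, which the commit message could state explicitly given that err_state_st is part of the public header.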
Still Failing: openssl/openssl#24233 (OpenSSL_1_1_1-stable - e356850)
Build Update for openssl/openssl - Build: #24233 Status: Still Failing Duration: 28 mins and 34 secs Commit: e356850 (OpenSSL_1_1_1-stable) Author: Pauli Message: Cosmetic rand/drbg changes. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/8554) (cherry picked from commit b3d113ed2993801ee643126118ccf6592ad18ef7) View the changeset: https://github.com/openssl/openssl/compare/d95fb70b0e78...e3568508c387 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/509777965?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via e3568508c387681f52764514db40def3009d7a14 (commit) from d95fb70b0e784d7c2a15d5ef5e42b0aa614e5045 (commit) - Log - commit e3568508c387681f52764514db40def3009d7a14 Author: Pauli Date: Fri Mar 22 10:49:57 2019 +1000 Cosmetic rand/drbg changes. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/8554) (cherry picked from commit b3d113ed2993801ee643126118ccf6592ad18ef7) --- Summary of changes: crypto/rand/drbg_lib.c | 4 ++-- crypto/rand/rand_lib.c | 10 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index a132821..7ffba86 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -188,8 +188,8 @@ static RAND_DRBG *rand_drbg_new(int secure, unsigned int flags, RAND_DRBG *parent) { -RAND_DRBG *drbg = secure ? -OPENSSL_secure_zalloc(sizeof(*drbg)) : OPENSSL_zalloc(sizeof(*drbg)); +RAND_DRBG *drbg = secure ? OPENSSL_secure_zalloc(sizeof(*drbg)) + : OPENSSL_zalloc(sizeof(*drbg)); if (drbg == NULL) { RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE); diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index d8639c4..199a5dd 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -137,7 +137,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, size_t entropy_available = 0; RAND_POOL *pool; -if (drbg->parent && drbg->strength > drbg->parent->strength) { +if (drbg->parent != NULL && drbg->strength > drbg->parent->strength) { /* * We currently don't support the algorithm from NIST SP 800-90C * 10.1.2 to use a weaker DRBG as source @@ -155,7 +155,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, return 0; } -if (drbg->parent) { +if (drbg->parent != NULL) { size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed); 
@@ -235,7 +235,7 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg, struct { void * instance; int count; -} data = { 0 }; +} data = { NULL, 0 }; pool = rand_pool_new(0, min_len, max_len); if (pool == NULL) @@ -402,7 +402,7 @@ int RAND_poll(void) } else { /* fill random pool and seed the current legacy RNG */ pool = rand_pool_new(RAND_DRBG_STRENGTH, - RAND_DRBG_STRENGTH / 8, + (RAND_DRBG_STRENGTH + 7) / 8, RAND_POOL_MAX_LENGTH); if (pool == NULL) return 0; @@ -689,7 +689,7 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) if (pool->buffer == NULL) { RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, ERR_R_INTERNAL_ERROR); -return 0; +return NULL; } return pool->buffer + pool->len;
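Review bot: The change from `RAND_DRBG_STRENGTH / 8` to `(RAND_DRBG_STRENGTH + 7) / 8` in RAND_poll() turns a floor into a ceiling division for the min_len passed to rand_pool_new(), so this hunk is a semantic change rather than the cosmetic one the commit title claims. If RAND_DRBG_STRENGTH is a multiple of eight (I believe the tree defines it as 256) the value is unchanged today, but the intent should be written down, e.g. `(RAND_DRBG_STRENGTH + 7) / 8, /* bits rounded up to whole bytes */`. The same hunk appears in the master copy of this commit in the next message (the line there also starting `@@ -235,7 +235,7 @@ size_t rand_drbg_get_nonce`), so one comment would serve both.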
[openssl] master update
The branch master has been updated via b3d113ed2993801ee643126118ccf6592ad18ef7 (commit) from fdf6c0b6b72756ba69be589b2aaecdd51e4ec12a (commit) - Log - commit b3d113ed2993801ee643126118ccf6592ad18ef7 Author: Pauli Date: Fri Mar 22 10:49:57 2019 +1000 Cosmetic rand/drbg changes. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/8554) --- Summary of changes: crypto/rand/drbg_lib.c | 4 ++-- crypto/rand/rand_lib.c | 10 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index 1944fbf..bd21797 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -241,8 +241,8 @@ static RAND_DRBG *rand_drbg_new(int secure, unsigned int flags, RAND_DRBG *parent) { -RAND_DRBG *drbg = secure ? -OPENSSL_secure_zalloc(sizeof(*drbg)) : OPENSSL_zalloc(sizeof(*drbg)); +RAND_DRBG *drbg = secure ? OPENSSL_secure_zalloc(sizeof(*drbg)) + : OPENSSL_zalloc(sizeof(*drbg)); if (drbg == NULL) { RANDerr(RAND_F_RAND_DRBG_NEW, ERR_R_MALLOC_FAILURE); diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 671f215..23abbde 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -137,7 +137,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, size_t entropy_available = 0; RAND_POOL *pool; -if (drbg->parent && drbg->strength > drbg->parent->strength) { +if (drbg->parent != NULL && drbg->strength > drbg->parent->strength) { /* * We currently don't support the algorithm from NIST SP 800-90C * 10.1.2 to use a weaker DRBG as source @@ -155,7 +155,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, return 0; } -if (drbg->parent) { +if (drbg->parent != NULL) { size_t bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed); 
@@ -235,7 +235,7 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg, struct { void * instance; int count; -} data = { 0 }; +} data = { NULL, 0 }; pool = rand_pool_new(0, min_len, max_len); if (pool == NULL) @@ -402,7 +402,7 @@ int RAND_poll(void) } else { /* fill random pool and seed the current legacy RNG */ pool = rand_pool_new(RAND_DRBG_STRENGTH, - RAND_DRBG_STRENGTH / 8, + (RAND_DRBG_STRENGTH + 7) / 8, RAND_POOL_MAX_LENGTH); if (pool == NULL) return 0; @@ -689,7 +689,7 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) if (pool->buffer == NULL) { RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, ERR_R_INTERNAL_ERROR); -return 0; +return NULL; } return pool->buffer + pool->len;