Build failed: openssl OpenSSL_1_1_1-stable.27419
Build openssl OpenSSL_1_1_1-stable.27419 failed. Commit 3e0508128f by Dr. Matthias St. Pierre on 5/30/2019 4:37 PM: drbg: fix issue where DRBG_CTR fails if NO_DF is used (2nd attempt)
Configure your notification preferences
Build completed: openssl OpenSSL_1_1_1-stable.27415
Build openssl OpenSSL_1_1_1-stable.27415 completed. Commit 95803917ad by Nicola Tuveri on 9/7/2019 12:44 PM: Append CVE-2019-1547 to related CHANGES entry
Build failed: openssl OpenSSL_1_1_1-stable.27414
Build openssl OpenSSL_1_1_1-stable.27414 failed. Commit c84c49f371 by Dr. Matthias St. Pierre on 5/30/2019 4:37 PM: drbg: fix issue where DRBG_CTR fails if NO_DF is used (2nd attempt)
Still Failing: openssl/openssl#27988 (OpenSSL_1_1_1-stable - 9580391)
Build Update for openssl/openssl - Build: #27988
Status: Still Failing
Duration: 18 mins and 0 secs
Commit: 9580391 (OpenSSL_1_1_1-stable)
Author: Nicola Tuveri
Message: Append CVE-2019-1547 to related CHANGES entry

This amends the entry added in a6186f39802f94937a46f7a41ef0c86b6334b592 with the relevant CVE.

Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9800)

View the changeset: https://github.com/openssl/openssl/compare/87bea6550ae0...95803917ad1f
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/582039400?utm_medium=notification_source=email

--
You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email.
Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email.
Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Failed: openssl/openssl#27986 (master - a1a0e6f)
Build Update for openssl/openssl - Build: #27986
Status: Failed
Duration: 20 mins and 26 secs
Commit: a1a0e6f (master)
Author: Billy Brumley
Message: CHANGES entry: for ECC parameters with NULL or zero cofactor, compute it

This is a forward port from https://github.com/openssl/openssl/pull/9781 of the CHANGES entry for the functionality added in https://github.com/openssl/openssl/pull/9727

(cherry picked from commit 4b965086cb56c24cb5d2197fc04869b95f209a11)

Reviewed-by: Nicola Tuveri
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9797)

View the changeset: https://github.com/openssl/openssl/compare/e97bab6929bb...a1a0e6f28580
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/582037956?utm_medium=notification_source=email
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 95803917ad1f4e719212cb59d44be2e547b6d8c8 (commit) from 87bea6550ae0dda7c40937cff2e86cc2b0b09491 (commit) - Log - commit 95803917ad1f4e719212cb59d44be2e547b6d8c8 Author: Nicola Tuveri Date: Sat Sep 7 12:10:24 2019 +0300 Append CVE-2019-1547 to related CHANGES entry This amends the entry added in a6186f39802f94937a46f7a41ef0c86b6334b592 with the relevant CVE. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9800) --- Summary of changes: CHANGES | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGES b/CHANGES index d34bba83fe..1c8716074b 100644 --- a/CHANGES +++ b/CHANGES @@ -13,6 +13,7 @@ this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. + (CVE-2019-1547) [Billy Bob Brumley] *) Early start up entropy quality from the DEVRANDOM seed source has been
[openssl] master update
The branch master has been updated via a1a0e6f28580d6a79762188128e23cca559993a8 (commit) via 5041ea38c96c9c8d7fc207a7fd25969f167f0f76 (commit) from e97bab6929bbbc5b8364b25ca2ef4fcb02dd6e2a (commit) - Log - commit a1a0e6f28580d6a79762188128e23cca559993a8 Author: Billy Brumley Date: Fri Sep 6 17:26:40 2019 +0300 CHANGES entry: for ECC parameters with NULL or zero cofactor, compute it This is a forward port from https://github.com/openssl/openssl/pull/9781 of the CHANGES entry for the functionality added in https://github.com/openssl/openssl/pull/9727 (cherry picked from commit 4b965086cb56c24cb5d2197fc04869b95f209a11) Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9797) commit 5041ea38c96c9c8d7fc207a7fd25969f167f0f76 Author: Billy Brumley Date: Fri Sep 6 17:26:08 2019 +0300 [test] computing ECC cofactors: regression test This is a forward port from https://github.com/openssl/openssl/pull/9781 for the test logic introduced by https://github.com/openssl/openssl/pull/9727 As @mattcaswell commented (https://github.com/openssl/openssl/pull/9781#discussion_r321621541): > These `TEST_true` calls should be `!TEST_false` because we are > *expecting* a failure. > The difference is that the test framework will print error details if > the test doesn't give the expected answer. > So by using `TEST_true` instead of `!TEST_false` we'll get error > details printed, but the test will succeed anyway. (cherry picked from commit e8aafc891d9bd7fa1cce0401d858ef842f09b49e) Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9797) --- Summary of changes: CHANGES | 7 +++ test/ectest.c | 10 +- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 369b32756c..9599c64545 100644 --- a/CHANGES +++ b/CHANGES 
@@ -9,6 +9,13 @@ Changes between 1.1.1 and 3.0.0 [xx XXX ] + *) Compute ECC cofactors if not provided during EC_GROUP construction. Before + this change, EC_GROUP_set_generator would accept order and/or cofactor as + NULL. After this change, only the cofactor parameter can be NULL. It also + does some minimal sanity checks on the passed order. + (CVE-2019-1547) + [Billy Bob Brumley] + *) Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems. The RAND subsystem will wait for /dev/random to be producing output before seeding from /dev/urandom. diff --git a/test/ectest.c b/test/ectest.c index 2cbbd4e340..b51a3b1207 100644 --- a/test/ectest.c +++ b/test/ectest.c @@ -1914,19 +1914,19 @@ static int cardinality_test(int n) /* negative test for invalid cofactor */ || !TEST_true(BN_set_word(g2_cf, 0)) || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) -|| TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) +|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) /* negative test for NULL order */ -|| TEST_true(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL)) +|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL)) /* negative test for zero order */ || !TEST_true(BN_set_word(g1_order, 0)) -|| TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) +|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) /* negative test for negative order */ || !TEST_true(BN_set_word(g2_cf, 0)) || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) -|| TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) +|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) /* negative test for too large order */ || !TEST_true(BN_lshift(g1_order, g1_p, 2)) -|| TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))) +|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))) goto err; ret = 1; err:
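Review bot: in the test/ectest.c hunk, the block under `/* negative test for negative order */` sets `g2_cf` to -1 but then passes `g1_order`, which is still zero from the preceding zero-order test, so `EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)` is rejected for a zero order and the negative-order path is never actually exercised; apply the `BN_set_word` / `BN_sub(..., BN_value_one())` pair to `g1_order` there instead of `g2_cf`. The `TEST_true(...)` to `!TEST_false(...)` change itself is correct for these expected-failure calls, for the reason the quoted review comment gives.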
[openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated
via c31be97c64ab61d44d80fccce4deff976d4f9bbb (commit)
via 7c1709c2da5414f5b6133d00a03fc8c5bf996c7a (commit)
from 207a56437916a715bcf6e299c868c75a17ad8fc0 (commit)

- Log -

commit c31be97c64ab61d44d80fccce4deff976d4f9bbb
Author: Billy Brumley
Date: Fri Sep 6 20:11:32 2019 +0300

[test/recipes/30-test_evp_data] computing ECC cofactors: regression test

Reviewed-by: Nicola Tuveri
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9795)

commit 7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
Author: Billy Brumley
Date: Fri Sep 6 19:34:53 2019 +0300

[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it

The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest, steering scalar multiplication to more SCA-robust code.

This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programmatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero).

The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks.

CVE-2019-1547

Reviewed-by: Nicola Tuveri
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9795)

---
Summary of changes: CHANGES | 8 ++- crypto/ec/ec_err.c| 1 + crypto/ec/ec_lib.c| 103 -- include/openssl/ec.h | 1 + test/recipes/30-test_evp_data/evppkey.txt | 50 +++ 5 files changed, 155 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 2c89717497..1b6c1830e8 100644 
--- a/CHANGES +++ b/CHANGES @@ -9,6 +9,13 @@ Changes between 1.1.0k and 1.1.0l [xx XXX ] + *) Compute ECC cofactors if not provided during EC_GROUP construction. Before + this change, EC_GROUP_set_generator would accept order and/or cofactor as + NULL. After this change, only the cofactor parameter can be NULL. It also + does some minimal sanity checks on the passed order. + (CVE-2019-1547) + [Billy Bob Brumley] + *) Use Windows installation paths in the mingw builds Mingw isn't a POSIX environment per se, which means that Windows @@ -16,7 +23,6 @@ (CVE-2019-1552) [Richard Levitte] - Changes between 1.1.0j and 1.1.0k [28 May 2019] *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c index aeee2e8f4c..fe747d8cde 100644 --- a/crypto/ec/ec_err.c +++ b/crypto/ec/ec_err.c @@ -273,6 +273,7 @@ static ERR_STRING_DATA EC_str_reasons[] = { {ERR_REASON(EC_R_SLOT_FULL), "slot full"}, {ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"}, {ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"}, +{ERR_REASON(EC_R_UNKNOWN_COFACTOR), "unknown cofactor"}, {ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"}, {ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"}, {ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"}, diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index a7be03b627..eaf44ccef9 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c 
@@ -257,6 +257,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth) return meth->field_type; } +/*- + * Try computing cofactor from the generator order (n) and field cardinality (q). + * This works for all curves of cryptographic interest. + * + * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q) + * h_min = (q + 1 - 2*sqrt(q))/n + * h_max = (q + 1 + 2*sqrt(q))/n + * h_max - h_min = 4*sqrt(q)/n + * So if n > 4*sqrt(q) holds, there is only one possible value for h: + * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil + * + * Otherwise, zero cofactor and return success. + */ +static int ec_guess_cofactor(EC_GROUP *group) { +int ret = 0; +BN_CTX *ctx = NULL; +BIGNUM *q = NULL; + +/*- + * If the cofactor is too large, we cannot guess it. + * The RHS of below is a strict overestimate of lg(4 * sqrt(q)) + */ +if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) { +/* default to 0 */ +
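The cofactor recovery the commit message describes, as an added example that is not OpenSSL's code: Python integers carry out the Hasse-bound argument from the ec_guess_cofactor() comment and the parameter checks the ectest.c negative tests exercise, and it goes one step beyond the library by cross-checking a supplied cofactor against the computed one. Function names are mine; the curve constants are the published P-256, secp256k1 and Curve25519 values, and only prime fields (q = p) are handled.

```python
"""Cofactor recovery for explicit EC parameters via the Hasse bound.

Added example, not OpenSSL code.  Prime fields only (q = p); the
binary-field case q = 2^m of ec_guess_cofactor() is not handled here.
"""

# Published curve parameters (field prime p, generator order n).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
SECP256K1_P = 2**256 - 2**32 - 977
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
CURVE25519_P = 2**255 - 19
CURVE25519_N = 2**252 + 27742317777372353535851937790883648493  # cofactor 8


def guess_cofactor(q: int, n: int) -> int:
    """Return the cofactor h implied by field size q and generator order n,
    or 0 when n is too small for the Hasse bound to pin h down uniquely.

    Hasse: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q), so the admissible
    values of h lie in an interval of width 4*sqrt(q)/n.  Once n > 4*sqrt(q)
    that interval holds a single integer, h = round((q + 1)/n).
    """
    # Same bit-length test as the C code: (bits(q) + 1)//2 + 3 is a strict
    # overestimate of lg(4*sqrt(q)), so passing it guarantees n > 4*sqrt(q).
    if n.bit_length() <= (q.bit_length() + 1) // 2 + 3:
        return 0  # "cannot guess": the library zeroes the cofactor here
    # round((q + 1)/n) == floor((q + 1 + n//2)/n) for positive n.
    return (q + 1 + n // 2) // n


def set_generator_cofactor(q: int, n, h) -> int:
    """Decide which cofactor to store for explicit parameters (q, n, h).

    Mirrors the post-fix EC_GROUP_set_generator() contract as the commit
    describes it: the order is mandatory and sanity checked, the cofactor
    may be None (NULL) or 0 and is then computed.  Addition beyond the
    library: a supplied nonzero cofactor is cross-checked against the guess
    whenever a guess is available, so a mistyped or tampered h is rejected.
    """
    # NULL, zero and negative orders are the ectest.c negative cases.
    if n is None or n <= 0:
        raise ValueError("invalid group order")
    # Hasse gives n*h <= q + 1 + 2*sqrt(q) < 2q, so n fits in bits(q) + 1
    # bits; this rejects the "too large order" test value 4*p.
    if n.bit_length() > q.bit_length() + 1:
        raise ValueError("invalid group order (exceeds Hasse bound)")
    if h is not None and h < 0:
        raise ValueError("unknown cofactor")
    guessed = guess_cofactor(q, n)
    if h is None or h == 0:
        return guessed  # 0 means "undetermined", exactly as in the library
    if guessed != 0 and h != guessed:
        raise ValueError(f"cofactor {h} inconsistent with order, expected {guessed}")
    return h


def rejects(q: int, n, h) -> bool:
    """True when set_generator_cofactor() refuses the parameters."""
    try:
        set_generator_cofactor(q, n, h)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, q, n in (("P-256", P256_P, P256_N),
                       ("secp256k1", SECP256K1_P, SECP256K1_N),
                       ("Curve25519", CURVE25519_P, CURVE25519_N)):
        print(f"{name}: h = {set_generator_cofactor(q, n, None)}")
    # Constructed small-order case: bits(n) = 61 <= (127 + 1)//2 + 3 = 67,
    # so the bound cannot single out h and 0 ("undetermined") comes back.
    print("small order:", guess_cofactor(2**127 - 1, 2**60))
```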
Still Failing: openssl/openssl#27979 (OpenSSL_1_1_1-stable - 87bea65)
Build Update for openssl/openssl - Build: #27979
Status: Still Failing
Duration: 16 mins and 52 secs
Commit: 87bea65 (OpenSSL_1_1_1-stable)
Author: Bernd Edlinger
Message: Remove x86/x86_64 BSAES and AES_ASM support

This leaves VPAES and AESNI support. The VPAES performance is comparable but BSAES is not completely constant time. There are table lookups using secret key data in AES_set_encrypt/decrypt_key and in ctr mode short data uses the non-constant time AES_encrypt function instead of bit-slicing. Furthermore the AES_ASM is by far outperformed by recent GCC versions. Since BSAES calls back to AES_ASM for short data blocks the performance on those is also worse than the pure software implementation.

Fixes: #9640

Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/9675)

View the changeset: https://github.com/openssl/openssl/compare/a6186f39802f...87bea6550ae0
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581987755?utm_medium=notification_source=email
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via a6186f39802f94937a46f7a41ef0c86b6334b592 (commit)
via eb1ec38b266340710cb97c90b08fc90edd06262c (commit)
via 30c22fa8b1d840036b8e203585738df62a03cec8 (commit)
from ed0ac119506ac8cbbaa23a1a1347d74a7bf4da47 (commit)

- Log -

commit a6186f39802f94937a46f7a41ef0c86b6334b592
Author: Billy Brumley
Date: Fri Sep 6 17:26:40 2019 +0300

CHANGES entry: for ECC parameters with NULL or zero cofactor, compute it

Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/9781)

commit eb1ec38b266340710cb97c90b08fc90edd06262c
Author: Billy Brumley
Date: Thu Sep 5 21:25:52 2019 +0300

[test] computing ECC cofactors: regression test

Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/9781)

commit 30c22fa8b1d840036b8e203585738df62a03cec8
Author: Billy Brumley
Date: Thu Sep 5 21:25:37 2019 +0300

[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it

The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest, steering scalar multiplication to more SCA-robust code.

This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programmatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero).

The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks.
CVE-2019-1547 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/9781) --- Summary of changes: CHANGES| 6 crypto/ec/ec_lib.c | 103 + test/ectest.c | 84 +++ 3 files changed, 186 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 8f732cb303..d34bba83fe 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,12 @@ Changes between 1.1.1c and 1.1.1d [xx XXX ] + *) Compute ECC cofactors if not provided during EC_GROUP construction. Before + this change, EC_GROUP_set_generator would accept order and/or cofactor as + NULL. After this change, only the cofactor parameter can be NULL. It also + does some minimal sanity checks on the passed order. + [Billy Bob Brumley] + *) Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems. The RAND subsystem will wait for /dev/random to be producing output before seeding from /dev/urandom. diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 8cab5a5061..1289c8608e 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c 
@@ -265,6 +265,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth) static int ec_precompute_mont_data(EC_GROUP *); +/*- + * Try computing cofactor from the generator order (n) and field cardinality (q). + * This works for all curves of cryptographic interest. + * + * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q) + * h_min = (q + 1 - 2*sqrt(q))/n + * h_max = (q + 1 + 2*sqrt(q))/n + * h_max - h_min = 4*sqrt(q)/n + * So if n > 4*sqrt(q) holds, there is only one possible value for h: + * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil + * + * Otherwise, zero cofactor and return success. + */ +static int ec_guess_cofactor(EC_GROUP *group) { +int ret = 0; +BN_CTX *ctx = NULL; +BIGNUM *q = NULL; + +/*- + * If the cofactor is too large, we cannot guess it. + * The RHS of below is a strict overestimate of lg(4 * sqrt(q)) + */ +if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) { +/* default to 0 */ +BN_zero(group->cofactor); +/* return success */ +return 1; +} + +if ((ctx = BN_CTX_new()) == NULL) +return 0; + +BN_CTX_start(ctx); +if ((q = BN_CTX_get(ctx)) == NULL) +goto err; + +/* set q = 2**m for binary fields; q = p otherwise */ +if (group->meth->field_type == NID_X9_62_characteristic_two_field) { +BN_zero(q); +if
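Review bot: the CHANGES hunk omits the CVE identifier although the commit message cites CVE-2019-1547; add a `(CVE-2019-1547)` line above `[Billy Bob Brumley]`, as the other security entries in CHANGES carry it (the follow-up commit 95803917ad1f4e719212cb59d44be2e547b6d8c8 on this page ends up doing exactly that).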
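Review bot: in the crypto/ec/ec_lib.c hunk, ec_guess_cofactor() returns 1 right after `BN_zero(group->cofactor)` whenever `BN_num_bits(group->order)` does not exceed `(BN_num_bits(group->field) + 1) / 2 + 3`, so for a curve whose subgroup order is small relative to the field the call succeeds while leaving the group in precisely the zero-cofactor state the commit message says routes scalar multiplication to the old SCA-vulnerable code, and the caller cannot distinguish that outcome from a computed cofactor; either surface it (a reason code such as EC_R_UNKNOWN_COFACTOR, which the 1.1.0 backport on this page adds to ec_err.c, would fit) or state in the EC_GROUP_set_generator documentation that such curves must pass the cofactor explicitly. The bound itself is sound: with b = BN_num_bits(q), lg(4*sqrt(q)) < 2 + b/2 <= (b + 1)/2 + 3, so passing the test guarantees n > 4*sqrt(q).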
Errored: openssl/openssl#27950 (master - d2baf88)
Build Update for openssl/openssl - Build: #27950
Status: Errored
Duration: 23 mins and 20 secs
Commit: d2baf88 (master)
Author: Cesar Pereida Garcia
Message: [crypto/rsa] Set the constant-time flag in multi-prime RSA too

Reviewed-by: Bernd Edlinger
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9779)

View the changeset: https://github.com/openssl/openssl/compare/c7bfb138acf6...d2baf88c43e5
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581727106?utm_medium=notification_source=email
Errored: openssl/openssl#27941 (master - c7bfb13)
Build Update for openssl/openssl - Build: #27941
Status: Errored
Duration: 14 mins and 57 secs
Commit: c7bfb13 (master)
Author: Pauli
Message: libcrypto.num entries for KDFs

Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/9662)

View the changeset: https://github.com/openssl/openssl/compare/dc5bcb88d819...c7bfb138acf6
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581593159?utm_medium=notification_source=email
Still Failing: openssl/openssl#27965 (OpenSSL_1_1_1-stable - ed0ac11)
Build Update for openssl/openssl - Build: #27965
Status: Still Failing
Duration: 19 mins and 36 secs
Commit: ed0ac11 (OpenSSL_1_1_1-stable)
Author: Nicola Tuveri
Message: [ec/ecp_nistp*.c] restyle: use {} around `else` too

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit 4fe2ee3a449a8ca2886584e221f34ff0ef5de119)

View the changeset: https://github.com/openssl/openssl/compare/9e1403d91a42...ed0ac119506a
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581897452?utm_medium=notification_source=email
[openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via f9d1cbe64eebc9e40c7e1f0da4f8f3d98b903b91 (commit) from 8bb913a3d7c29c189c7ac656c726f4a2bfcdd73b (commit) - Log - commit f9d1cbe64eebc9e40c7e1f0da4f8f3d98b903b91 Author: Bernd Edlinger Date: Fri Sep 6 08:46:46 2019 +0200 Fix a SCA leak in BN_generate_dsa_nonce Reviewed-by: Matt Caswell Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/9782) (cherry picked from commit 31ca19403d56ad71d823cf62990518dfc6905bb4) --- Summary of changes: crypto/bn/bn_rand.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 9ce4c5f606..bff1d249af 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -215,8 +215,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, goto err; /* We copy |priv| into a local buffer to avoid exposing its length. */ -todo = sizeof(priv->d[0]) * priv->top; -if (todo > sizeof(private_bytes)) { +if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { /* * No reasonable DSA or ECDSA key should have a private key this * large and we don't handle this case in order to avoid leaking the @@ -225,8 +224,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE); goto err; } -memcpy(private_bytes, priv->d, todo); -memset(private_bytes + todo, 0, sizeof(private_bytes) - todo); for (done = 0; done < num_k_bytes;) { if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1)
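Review bot: the hunk drops the `priv->top`-dependent copy length, but the replacement `BN_bn2binpad(priv, private_bytes, sizeof(private_bytes))` still derives the amount of leading zero padding from BN_num_bytes(), i.e. BN_num_bits(), which according to the "Make BN_num_bits() consttime upon BN_FLG_CONSTTIME" commit on this page is only branch-free when the BIGNUM carries BN_FLG_CONSTTIME; nothing in the hunk flags |priv|, so either confirm that the DSA/ECDSA signing callers set the flag on the private key before it reaches BN_generate_dsa_nonce(), or set it on a local copy here, and record that assumption next to the `/* We copy |priv| into a local buffer to avoid exposing its length. */` comment.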
[openssl] master update
The branch master has been updated via 31ca19403d56ad71d823cf62990518dfc6905bb4 (commit) from d2baf88c43e5a40cfc3bcd4ca35cbae53161941c (commit) - Log - commit 31ca19403d56ad71d823cf62990518dfc6905bb4 Author: Bernd Edlinger Date: Fri Sep 6 08:46:46 2019 +0200 Fix a SCA leak in BN_generate_dsa_nonce Reviewed-by: Matt Caswell Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/9782) --- Summary of changes: crypto/bn/bn_rand.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index fa75a3b10e..2b3e6f2076 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -264,8 +264,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, goto err; /* We copy |priv| into a local buffer to avoid exposing its length. */ -todo = sizeof(priv->d[0]) * priv->top; -if (todo > sizeof(private_bytes)) { +if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { /* * No reasonable DSA or ECDSA key should have a private key this * large and we don't handle this case in order to avoid leaking the @@ -274,8 +273,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE); goto err; } -memcpy(private_bytes, priv->d, todo); -memset(private_bytes + todo, 0, sizeof(private_bytes) - todo); md = EVP_MD_fetch(libctx, "SHA512", NULL); if (md == NULL) {
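Review bot: the retained comment `/* We copy |priv| into a local buffer to avoid exposing its length. */` no longer describes the code beneath it: the buffer is now filled by a fixed-width, zero-padded conversion, and the `< 0` test relies on BN_bn2binpad() returning -1 when |priv| does not fit in `sizeof(private_bytes)` bytes; reword the comment to say that the padding (not the copy) is what hides the length and that the error branch still maps to BN_R_PRIVATE_KEY_TOO_LARGE, so the next reader does not take the `< 0` check for a generic failure test.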
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 9e1403d91a42d917e684a37a99fa98a0025253c0 (commit) from 1bb2acb9987cc9d7f638b066ef396ca7f3243955 (commit) - Log - commit 9e1403d91a42d917e684a37a99fa98a0025253c0 Author: Bernd Edlinger Date: Fri Sep 6 08:46:46 2019 +0200 Fix a SCA leak in BN_generate_dsa_nonce Reviewed-by: Matt Caswell Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/9782) (cherry picked from commit 31ca19403d56ad71d823cf62990518dfc6905bb4) --- Summary of changes: crypto/bn/bn_rand.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index c0d1a32292..214768311a 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -225,8 +225,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, goto err; /* We copy |priv| into a local buffer to avoid exposing its length. */ -todo = sizeof(priv->d[0]) * priv->top; -if (todo > sizeof(private_bytes)) { +if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { /* * No reasonable DSA or ECDSA key should have a private key this * large and we don't handle this case in order to avoid leaking the @@ -235,8 +234,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE); goto err; } -memcpy(private_bytes, priv->d, todo); -memset(private_bytes + todo, 0, sizeof(private_bytes) - todo); for (done = 0; done < num_k_bytes;) { if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1)
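Review bot: besides closing the length leak, the hunk changes which bytes enter the hash: the removed `memcpy(private_bytes, priv->d, todo)` fed the raw limb array of |priv| in host order, whereas BN_bn2binpad() writes a fixed-width big-endian encoding, so for identical inputs (key, message, random bytes) the derived nonce differs from earlier releases. That is harmless here, because every pass of the `for (done = 0; done < num_k_bytes;)` loop also mixes in fresh RAND_priv_bytes() output, but it deserves a sentence in the commit message so nobody expects bit-for-bit reproducible nonces across versions.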
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated
via 920e37e3a7d6bb935dba446eb80cacb4c34e7488 (commit)
via e3679b1547fc3b2d8e01943004d473c323b6f20d (commit)
via bde4a001b3ad4b90a4dbf5d31b18e30e42230e69 (commit)
via 853950f7bfc71b61a2e62db2563748b350b715cb (commit)
via 2e9d293447b95c2a69eb5ff07fe974361d779444 (commit)
from 55611d549bcf65e0de04938adbf403ccf02f241b (commit)

- Log -

commit 920e37e3a7d6bb935dba446eb80cacb4c34e7488
Author: Nicola Tuveri
Date: Fri Sep 6 14:05:26 2019 +0300

[ec/ecp_nistp*.c] restyle: use {} around `else` too

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9793)

commit e3679b1547fc3b2d8e01943004d473c323b6f20d
Author: Nicola Tuveri
Date: Fri Sep 6 01:31:45 2019 +0300

[ec/ecp_nistp*.c] remove flip_endian()

Replace flip_endian() by using the little endian specific bn_bn2lebinpad() and bn_lebin2bn().

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9793)

commit bde4a001b3ad4b90a4dbf5d31b18e30e42230e69
Author: Nicola Tuveri
Date: Fri Sep 6 00:18:36 2019 +0300

Uniform bn_bn2binpad() and bn_bn2lebinpad() implementations

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9793)

commit 853950f7bfc71b61a2e62db2563748b350b715cb
Author: Nicola Tuveri
Date: Fri Aug 2 02:08:34 2019 +0300

Make BN_num_bits() consttime upon BN_FLG_CONSTTIME

This issue was partially addressed by commit 972c87dfc7e765bd28a4964519c362f0d3a58ca4, which hardened its callee BN_num_bits_word() to avoid leaking the most-significant word of its argument via branching and memory access pattern.

The commit message also reported:

> There are a few places where BN_num_bits is called on an input where
> the bit length is also secret. This does *not* fully resolve those
> cases as we still only look at the top word.

BN_num_bits() is called directly or indirectly (e.g., through BN_num_bytes() or BN_bn2binpad()) in various parts of the `crypto/ec` code, notably in all the currently supported implementations of scalar multiplication (in the generic path through ec_scalar_mul_ladder() as well as in dedicated methods like ecp_nistp{224,256,521}.c and ecp_nistz256.c).

Under the right conditions, a motivated SCA attacker could retrieve the secret bitlength of a secret nonce through this vulnerability, potentially leading, ultimately, to the recovery of a long-term secret key.

With this commit, exclusively for BIGNUMs that are flagged with BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of the BIGNUM are accessed up to bn->dmax and bitwise masking is used to avoid branching.

Memory access pattern still leaks bn->dmax, the size of the lazily allocated buffer for representing the BIGNUM, which is inevitable with the current BIGNUM architecture: reading past bn->dmax would be an out-of-bound read. As such, it's the caller's responsibility to ensure that bn->dmax does not leak secret information, by explicitly expanding the internal BIGNUM buffer to a public value sufficient to avoid any lazy reallocation while manipulating it: this should be already done at the top level alongside setting the BN_FLG_CONSTTIME.

Thanks to David Schrammel and Samuel Weiser for reporting this issue through responsible disclosure.

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9793)

commit 2e9d293447b95c2a69eb5ff07fe974361d779444
Author: Nicola Tuveri
Date: Fri Aug 2 01:33:05 2019 +0300

Fix a SCA leak using BN_bn2bin()

BN_bn2bin() is not constant-time and leaks the number of bits in the processed BIGNUM. The specialized methods in ecp_nistp224.c, ecp_nistp256.c and ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the internal fixed length representation.

This can leak during ECDSA/ECDH key generation or handling the nonce while generating an ECDSA signature, when using these implementations. The amount and risk of leaked information useful for a SCA attack varies for each of the three curves, as it depends mainly on the ratio between the bitlength of the curve subgroup order (governing the size of the secret nonce/key) and the limb size for the internal BIGNUM representation (which depends on the compilation target architecture).

To fix this, we replace BN_bn2bin() with bn_bn2binpad(), bounding the output length to the width of the internal representation buffer: this length is public. Internally the final implementation
Build completed: openssl master.27342
Build openssl master.27342 completed. Commit b80de23685 by Bernd Edlinger on 9/6/2019 6:46 AM: Fix a SCA leak in BN_generate_dsa_nonce
Errored: openssl/openssl#27964 (master - 4fe2ee3)
Build Update for openssl/openssl - Build: #27964
Status: Errored
Duration: 25 mins and 27 secs
Commit: 4fe2ee3 (master)
Author: Nicola Tuveri
Message: [ec/ecp_nistp*.c] restyle: use {} around `else` too

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9511)

View the changeset: https://github.com/openssl/openssl/compare/31ca19403d56...4fe2ee3a449a
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581893898?utm_medium=notification_source=email
[openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated
       via  207a56437916a715bcf6e299c868c75a17ad8fc0 (commit)
       via  e6f559f9de74a0f861d7de2786c64b62fe4ea3ed (commit)
       via  212a75004207234fa677f73e71a1c42b541b009e (commit)
       via  84930232519ae6506101c65d4389619173b6cded (commit)
       via  f7546d64699dc6090d3a9359945cbe785404506e (commit)
      from  f9d1cbe64eebc9e40c7e1f0da4f8f3d98b903b91 (commit)

- Log -

commit 207a56437916a715bcf6e299c868c75a17ad8fc0
Author: Nicola Tuveri
Date: Fri Sep 6 14:05:26 2019 +0300

[ec/ecp_nistp*.c] restyle: use {} around `else` too

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit 4fe2ee3a449a8ca2886584e221f34ff0ef5de119)

commit e6f559f9de74a0f861d7de2786c64b62fe4ea3ed
Author: Nicola Tuveri
Date: Fri Sep 6 01:31:45 2019 +0300

[ec/ecp_nistp*.c] remove flip_endian()

Replace flip_endian() by using the little endian specific BN_bn2lebinpad() and BN_lebin2bn().

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit e0b660c27d8d97b4ad9e2098cc957de26872c0ef)

commit 212a75004207234fa677f73e71a1c42b541b009e
Author: Nicola Tuveri
Date: Fri Sep 6 00:18:36 2019 +0300

Uniform BN_bn2binpad() and BN_bn2lebinpad() implementations

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit 1b338abe3abb8c73f004c34d4b8a9272b89dfd5d)

commit 84930232519ae6506101c65d4389619173b6cded
Author: Nicola Tuveri
Date: Fri Aug 2 02:08:34 2019 +0300

Make BN_num_bits() consttime upon BN_FLG_CONSTTIME

This issue was partially addressed by commit 972c87dfc7e765bd28a4964519c362f0d3a58ca4, which hardened its callee BN_num_bits_word() to avoid leaking the most-significant word of its argument via branching and memory access pattern.

The commit message also reported:
> There are a few places where BN_num_bits is called on an input where
> the bit length is also secret. This does *not* fully resolve those
> cases as we still only look at the top word.

BN_num_bits() is called directly or indirectly (e.g., through BN_num_bytes() or BN_bn2binpad()) in various parts of the `crypto/ec` code, notably in all the currently supported implementations of scalar multiplication (in the generic path through ec_scalar_mul_ladder() as well as in dedicated methods like ecp_nistp{224,256,521}.c and ecp_nistz256.c).

Under the right conditions, a motivated SCA attacker could retrieve the secret bitlength of a secret nonce through this vulnerability, potentially leading, ultimately, to recover a long-term secret key.

With this commit, exclusively for BIGNUMs that are flagged with BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of the BIGNUM are accessed up to bn->dmax and bitwise masking is used to avoid branching.

Memory access pattern still leaks bn->dmax, the size of the lazily allocated buffer for representing the BIGNUM, which is inevitable with the current BIGNUM architecture: reading past bn->dmax would be an out-of-bounds read. As such, it's the caller's responsibility to ensure that bn->dmax does not leak secret information, by explicitly expanding the internal BIGNUM buffer to a public value sufficient to avoid any lazy reallocation while manipulating it: this should be already done at the top level alongside setting the BN_FLG_CONSTTIME.

Thanks to David Schrammel and Samuel Weiser for reporting this issue through responsible disclosure.

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit 8b44198b916015f77bef1befa26edb48ad8a0238)

commit f7546d64699dc6090d3a9359945cbe785404506e
Author: Nicola Tuveri
Date: Fri Aug 2 01:33:05 2019 +0300

Fix a SCA leak using BN_bn2bin()

BN_bn2bin() is not constant-time and leaks the number of bits in the processed BIGNUM.

The specialized methods in ecp_nistp224.c, ecp_nistp256.c and ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the internal fixed length representation.

This can leak during ECDSA/ECDH key generation or handling the nonce while generating an ECDSA signature, when using these implementations.

The amount and risk of leaked information useful for a SCA attack varies for each of the three curves, as it depends mainly on the ratio between the bitlength of the curve subgroup order (governing the size of the secret nonce/key) and the limb size for the
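The two commit messages above describe the fix in words: read every limb up to a public bn->dmax and pick out the top limb with masks rather than branches, and serialise a scalar into a buffer of public width. The C program below is added here as an illustration and is not code from OpenSSL or from the commits' author: it shows both ideas over a fixed-width limb array that stands in for a BIGNUM whose buffer has already been expanded to a public size. The ct_* helper names, the SAMPLE value and the limb-array layout are this example's own constructions, not OpenSSL's internal API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSL code). A fixed-width little-endian limb array
 * stands in for a BIGNUM whose buffer was pre-expanded to a public size,
 * i.e. the bn->dmax the commit message says the caller must make public.
 * nlimbs and tolen are public; the limb values are secret. */
#define LIMB_BITS 64
typedef uint64_t limb_t;

/* All-ones if x != 0, else 0, computed without a branch:
 * (x | -x) has its top bit set exactly when x is non-zero. */
static limb_t ct_mask_nonzero(limb_t x)
{
    return (limb_t)0 - ((x | ((limb_t)0 - x)) >> (LIMB_BITS - 1));
}

/* Bit length of one word by a masked binary search: the same loads, shifts
 * and adds run for every input (the job of the hardened BN_num_bits_word()
 * the message refers to). */
static unsigned ct_num_bits_word(limb_t w)
{
    unsigned bits = 0;
    unsigned shift;

    for (shift = LIMB_BITS / 2; shift > 0; shift >>= 1) {
        limb_t hi = w >> shift;
        limb_t m = ct_mask_nonzero(hi);  /* all-ones if the upper half is non-zero */
        bits += (unsigned)(shift & m);   /* count those bits only when it is... */
        w = (hi & m) | (w & ~m);         /* ...and continue in that half */
    }
    return bits + (unsigned)(w & 1);     /* w is now 0 or 1 */
}

/* Bit length of the whole number. Every limb up to nlimbs is read, top down,
 * and the highest non-zero limb and its index are selected with masks, so
 * neither the branch pattern nor the memory accesses depend on where the
 * number's real top limb is. */
static unsigned ct_num_bits(const limb_t *a, size_t nlimbs)
{
    limb_t top = 0, top_idx = 0;
    limb_t found = 0;                    /* all-ones once a non-zero limb was seen */
    size_t i;

    for (i = nlimbs; i-- > 0; ) {
        limb_t nz = ct_mask_nonzero(a[i]) & ~found; /* this limb is the new top */
        top = (a[i] & nz) | (top & ~nz);
        top_idx = ((limb_t)i & nz) | (top_idx & ~nz);
        found |= nz;
    }
    /* For the zero number, found stays 0 and the result is masked to 0. */
    return (unsigned)((top_idx * LIMB_BITS + ct_num_bits_word(top)) & found);
}

/* Fixed-width big-endian serialisation in the spirit of BN_bn2binpad():
 * exactly tolen bytes are written whatever the value's magnitude, so the
 * work done depends only on the public tolen and nlimbs. Returns 0, or -1
 * if the value needs more than tolen bytes (also decided with a mask). */
static int ct_to_bin_pad(const limb_t *a, size_t nlimbs, unsigned char *to, size_t tolen)
{
    limb_t overflow = 0;                 /* OR of every byte that did not fit */
    size_t byte, nbytes = nlimbs * sizeof(limb_t);

    memset(to, 0, tolen);
    for (byte = 0; byte < nbytes; byte++) {
        unsigned char b = (unsigned char)(a[byte / sizeof(limb_t)] >> (8 * (byte % sizeof(limb_t))));
        if (byte < tolen)                /* public comparison: both operands are public */
            to[tolen - 1 - byte] = b;
        else
            overflow |= b;
    }
    return -(int)(ct_mask_nonzero(overflow) & 1);
}

/* Constructed samples (not from the page): 2^128 + 0x0102, and zero. */
static const limb_t SAMPLE[4] = { 0x0102, 0, 1, 0 };
static const limb_t ZERO[4] = { 0, 0, 0, 0 };

/* 1 if SAMPLE serialises into 32 bytes with the expected big-endian layout. */
static int sample_pad_ok(void)
{
    unsigned char out[32];

    if (ct_to_bin_pad(SAMPLE, 4, out, sizeof(out)) != 0)
        return 0;
    return out[31] == 0x02 && out[30] == 0x01 && out[15] == 0x01 && out[0] == 0;
}

/* SAMPLE does not fit in 16 bytes: the overflow mask must report it. */
static int sample_pad_too_small(void)
{
    unsigned char out[16];

    return ct_to_bin_pad(SAMPLE, 4, out, sizeof(out));
}

int main(void)
{
    printf("bit length of SAMPLE: %u (zero: %u)\n", ct_num_bits(SAMPLE, 4), ct_num_bits(ZERO, 4));
    printf("32-byte layout ok: %d, 16-byte attempt: %d\n", sample_pad_ok(), sample_pad_too_small());
    return 0;
}
```

Two points carry over from the commit message. The loop bounds are nlimbs and tolen, so the code is only as constant-time as those values are public: if the limb array were lazily grown to fit the value, its length would leak the bit length exactly as bn->dmax would. And masks written in C are a promise to the reader, not to the compiler; a release build should be checked in the disassembly for reintroduced branches or conditional moves that depend on the secret.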
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
       via  1bb2acb9987cc9d7f638b066ef396ca7f3243955 (commit)
       via  2f18596c32d145f194c3d1eac9b9e77b560aad71 (commit)
      from  6f34a16ea9a4d37e11a26dd4c3694ea5b107e53f (commit)

- Log -

commit 1bb2acb9987cc9d7f638b066ef396ca7f3243955
Author: Cesar Pereida Garcia
Date: Fri Sep 6 10:48:00 2019 +0300

[crypto/rsa] Set the constant-time flag in multi-prime RSA too

Reviewed-by: Bernd Edlinger
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9779)

commit 2f18596c32d145f194c3d1eac9b9e77b560aad71
Author: Cesar Pereida Garcia
Date: Thu Sep 5 12:13:11 2019 +0300

[crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.

This commit addresses multiple side-channel vulnerabilities present during RSA key validation. Private key parameters are re-computed using variable-time functions.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Bernd Edlinger
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9779)

---
Summary of changes:
crypto/asn1/x_bignum.c | 17 ++---
crypto/rsa/rsa_lib.c | 15 ---
2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c index da57e77a7a..c1e3e523a0 100644 --- a/crypto/asn1/x_bignum.c +++ b/crypto/asn1/x_bignum.c
@@ -130,9 +130,20 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { -if (!*pval) -bn_secure_new(pval, it); -return bn_c2i(pval, cont, len, utype, free_cont, it); +int ret; +BIGNUM *bn; + +if (!*pval && !bn_secure_new(pval, it)) +return 0; + +ret = bn_c2i(pval, cont, len, utype, free_cont, it); +if (!ret) +return 0; + +/* Set constant-time flag for all secure BIGNUMS */ +bn = (BIGNUM *)*pval; +BN_set_flags(bn, BN_FLG_CONSTTIME); +return ret; } static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 49c34b7c36..2e9effeefa 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -198,6 +198,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) if (d != NULL) { BN_clear_free(r->d); r->d = d; +BN_set_flags(r->d, BN_FLG_CONSTTIME); } return 1; @@ -215,10 +216,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) if (p != NULL) { BN_clear_free(r->p); r->p = p; +BN_set_flags(r->p, BN_FLG_CONSTTIME); } if (q != NULL) { BN_clear_free(r->q); r->q = q; +BN_set_flags(r->q, BN_FLG_CONSTTIME); } return 1; @@ -237,14 +240,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) if (dmp1 != NULL) { BN_clear_free(r->dmp1); r->dmp1 = dmp1; +BN_set_flags(r->dmp1, BN_FLG_CONSTTIME); } if (dmq1 != NULL) { BN_clear_free(r->dmq1); r->dmq1 = dmq1; +BN_set_flags(r->dmq1, BN_FLG_CONSTTIME); } if (iqmp != NULL) { BN_clear_free(r->iqmp); r->iqmp = iqmp; +BN_set_flags(r->iqmp, BN_FLG_CONSTTIME); } return 1; 
@@ -276,12 +282,15 @@ int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[], if (pinfo == NULL) goto err; if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) { -BN_free(pinfo->r); -BN_free(pinfo->d); -BN_free(pinfo->t); +BN_clear_free(pinfo->r); +BN_clear_free(pinfo->d); +BN_clear_free(pinfo->t); pinfo->r = primes[i]; pinfo->d = exps[i]; pinfo->t = coeffs[i]; +BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); +BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); +BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); } else { rsa_multip_info_free(pinfo); goto err;
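Review bot: in the bn_secure_c2i hunk of crypto/asn1/x_bignum.c, `ret = bn_c2i(...); if (!ret) return 0;` followed by `return ret;` can only ever return 1 at that point, so the `ret` temporary adds nothing and a plain `return 1;` after the `BN_set_flags` call reads more directly. The more important point is scope: the constant-time flag is now attached only on the secure decode path, so which private-key fields end up flagged is decided entirely by which ASN.1 item type (plain BIGNUM or secure BIGNUM) each field is declared with. That dependency deserves a sentence in the comment above `BN_set_flags(bn, BN_FLG_CONSTTIME)`, so that a future secret field declared with the plain item type is not silently left variable-time.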
[openssl] master update
The branch master has been updated
       via  d2baf88c43e5a40cfc3bcd4ca35cbae53161941c (commit)
       via  311e903d8468e2a380d371609a10eda71de16c0e (commit)
      from  c7bfb138acf6103ae6fd178eb212b110bfb39c0d (commit)

- Log -

commit d2baf88c43e5a40cfc3bcd4ca35cbae53161941c
Author: Cesar Pereida Garcia
Date: Fri Sep 6 10:48:00 2019 +0300

[crypto/rsa] Set the constant-time flag in multi-prime RSA too

Reviewed-by: Bernd Edlinger
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9779)

commit 311e903d8468e2a380d371609a10eda71de16c0e
Author: Cesar Pereida Garcia
Date: Thu Sep 5 12:13:11 2019 +0300

[crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.

This commit addresses multiple side-channel vulnerabilities present during RSA key validation. Private key parameters are re-computed using variable-time functions.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Bernd Edlinger
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9779)

---
Summary of changes:
crypto/asn1/x_bignum.c | 17 ++---
crypto/rsa/rsa_lib.c | 15 ---
2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c index d7abca6c76..c5e892900e 100644 --- a/crypto/asn1/x_bignum.c +++ b/crypto/asn1/x_bignum.c
@@ -130,9 +130,20 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { -if (!*pval) -bn_secure_new(pval, it); -return bn_c2i(pval, cont, len, utype, free_cont, it); +int ret; +BIGNUM *bn; + +if (!*pval && !bn_secure_new(pval, it)) +return 0; + +ret = bn_c2i(pval, cont, len, utype, free_cont, it); +if (!ret) +return 0; + +/* Set constant-time flag for all secure BIGNUMS */ +bn = (BIGNUM *)*pval; +BN_set_flags(bn, BN_FLG_CONSTTIME); +return ret; } static int bn_print(BIO *out, const ASN1_VALUE **pval, const ASN1_ITEM *it, diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index f337a0df08..c6e570089f 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -325,6 +325,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) if (d != NULL) { BN_clear_free(r->d); r->d = d; +BN_set_flags(r->d, BN_FLG_CONSTTIME); } return 1; @@ -342,10 +343,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) if (p != NULL) { BN_clear_free(r->p); r->p = p; +BN_set_flags(r->p, BN_FLG_CONSTTIME); } if (q != NULL) { BN_clear_free(r->q); r->q = q; +BN_set_flags(r->q, BN_FLG_CONSTTIME); } return 1; @@ -364,14 +367,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) if (dmp1 != NULL) { BN_clear_free(r->dmp1); r->dmp1 = dmp1; +BN_set_flags(r->dmp1, BN_FLG_CONSTTIME); } if (dmq1 != NULL) { BN_clear_free(r->dmq1); r->dmq1 = dmq1; +BN_set_flags(r->dmq1, BN_FLG_CONSTTIME); } if (iqmp != NULL) { BN_clear_free(r->iqmp); r->iqmp = iqmp; +BN_set_flags(r->iqmp, BN_FLG_CONSTTIME); } return 1; 
@@ -403,12 +409,15 @@ int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[], if (pinfo == NULL) goto err; if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) { -BN_free(pinfo->r); -BN_free(pinfo->d); -BN_free(pinfo->t); +BN_clear_free(pinfo->r); +BN_clear_free(pinfo->d); +BN_clear_free(pinfo->t); pinfo->r = primes[i]; pinfo->d = exps[i]; pinfo->t = coeffs[i]; +BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); +BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); +BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); } else { rsa_multip_info_free(pinfo); goto err;
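Review bot: in the RSA_set0_key hunk of crypto/rsa/rsa_lib.c only `r->d` receives BN_FLG_CONSTTIME while `n` and `e`, set by the same function, do not. That split is right, since the modulus and public exponent are public, but it is exactly the kind of asymmetry a later reader will try to "fix"; a one-line comment next to `BN_set_flags(r->d, BN_FLG_CONSTTIME)` saying that n and e are intentionally left unflagged would prevent that. In the RSA_set0_multi_prime_params hunk, switching `BN_free` to `BN_clear_free` for `pinfo->r`, `pinfo->d` and `pinfo->t` is a good catch, and the three `BN_set_flags` calls sit inside the success branch only; the `else` branch still frees `pinfo` and jumps to `err` without touching the caller's `primes[i]`, `exps[i]` or `coeffs[i]`, so ownership on the error path is unchanged by this patch and is worth stating in the function's documentation.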
[openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated
       via  8bb913a3d7c29c189c7ac656c726f4a2bfcdd73b (commit)
      from  04882f77a8bb5df8bc9f3f9f82191f487d350be1 (commit)

- Log -

commit 8bb913a3d7c29c189c7ac656c726f4a2bfcdd73b
Author: Cesar Pereida Garcia
Date: Thu Sep 5 12:13:11 2019 +0300

[crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.

This commit addresses multiple side-channel vulnerabilities present during RSA key validation. Private key parameters are re-computed using variable-time functions.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Bernd Edlinger
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9779)
(cherry picked from commit 311e903d8468e2a380d371609a10eda71de16c0e)

---
Summary of changes:
crypto/asn1/x_bignum.c | 17 ++---
crypto/rsa/rsa_lib.c | 6 ++
2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c index da57e77a7a..c1e3e523a0 100644 --- a/crypto/asn1/x_bignum.c +++ b/crypto/asn1/x_bignum.c @@ -130,9 +130,20 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { -if (!*pval) -bn_secure_new(pval, it); -return bn_c2i(pval, cont, len, utype, free_cont, it); +int ret; +BIGNUM *bn; + +if (!*pval && !bn_secure_new(pval, it)) +return 0; + +ret = bn_c2i(pval, cont, len, utype, free_cont, it); +if (!ret) +return 0; + +/* Set constant-time flag for all secure BIGNUMS */ +bn = (BIGNUM *)*pval; +BN_set_flags(bn, BN_FLG_CONSTTIME); +return ret; } static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index d99d04916d..4a1250127c 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c
@@ -184,6 +184,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) if (d != NULL) { BN_free(r->d); r->d = d; +BN_set_flags(r->d, BN_FLG_CONSTTIME); } return 1; @@ -201,10 +202,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) if (p != NULL) { BN_free(r->p); r->p = p; +BN_set_flags(r->p, BN_FLG_CONSTTIME); } if (q != NULL) { BN_free(r->q); r->q = q; +BN_set_flags(r->q, BN_FLG_CONSTTIME); } return 1; @@ -223,14 +226,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) if (dmp1 != NULL) { BN_free(r->dmp1); r->dmp1 = dmp1; +BN_set_flags(r->dmp1, BN_FLG_CONSTTIME); } if (dmq1 != NULL) { BN_free(r->dmq1); r->dmq1 = dmq1; +BN_set_flags(r->dmq1, BN_FLG_CONSTTIME); } if (iqmp != NULL) { BN_free(r->iqmp); r->iqmp = iqmp; +BN_set_flags(r->iqmp, BN_FLG_CONSTTIME); } return 1;
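Review bot: the rsa_lib.c hunks in this backport still release the previous private values with `BN_free(r->d)`, `BN_free(r->p)`, `BN_free(r->q)` and likewise for `dmp1`, `dmq1` and `iqmp`, whereas the same hunks on master and 1.1.1 use `BN_clear_free`, which zeroes the old secret limbs before returning the memory. Since the point of this patch is to keep private-key material out of side channels, changing these six calls to `BN_clear_free` in the backport would be consistent with the other branches. Also note that the multi-prime hunk from the master version is not part of this backport, as the diffstat (`crypto/rsa/rsa_lib.c | 6 ++`) shows, so the cherry-pick line should not be read as a complete port of 311e903d.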
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
       via  ed0ac119506ac8cbbaa23a1a1347d74a7bf4da47 (commit)
       via  61387fd3a5e5e1393d329be3b7e43d4e32c0192a (commit)
       via  2432e1291d9a8808bee9505815072ee755b9c362 (commit)
       via  b9a380f78cd7dbb414bccb38f0904a32d8384fca (commit)
       via  083f297a48e8c1dd5e02a5fa7be00586f8cb7dff (commit)
      from  9e1403d91a42d917e684a37a99fa98a0025253c0 (commit)

- Log -

commit ed0ac119506ac8cbbaa23a1a1347d74a7bf4da47
Author: Nicola Tuveri
Date: Fri Sep 6 14:05:26 2019 +0300

[ec/ecp_nistp*.c] restyle: use {} around `else` too

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit 4fe2ee3a449a8ca2886584e221f34ff0ef5de119)

commit 61387fd3a5e5e1393d329be3b7e43d4e32c0192a
Author: Nicola Tuveri
Date: Fri Sep 6 01:31:45 2019 +0300

[ec/ecp_nistp*.c] remove flip_endian()

Replace flip_endian() by using the little endian specific BN_bn2lebinpad() and BN_lebin2bn().

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit e0b660c27d8d97b4ad9e2098cc957de26872c0ef)

commit 2432e1291d9a8808bee9505815072ee755b9c362
Author: Nicola Tuveri
Date: Fri Sep 6 00:18:36 2019 +0300

Uniform BN_bn2binpad() and BN_bn2lebinpad() implementations

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit 1b338abe3abb8c73f004c34d4b8a9272b89dfd5d)

commit b9a380f78cd7dbb414bccb38f0904a32d8384fca
Author: Nicola Tuveri
Date: Fri Aug 2 02:08:34 2019 +0300

Make BN_num_bits() consttime upon BN_FLG_CONSTTIME

This issue was partially addressed by commit 972c87dfc7e765bd28a4964519c362f0d3a58ca4, which hardened its callee BN_num_bits_word() to avoid leaking the most-significant word of its argument via branching and memory access pattern.

The commit message also reported:
> There are a few places where BN_num_bits is called on an input where
> the bit length is also secret. This does *not* fully resolve those
> cases as we still only look at the top word.

BN_num_bits() is called directly or indirectly (e.g., through BN_num_bytes() or BN_bn2binpad()) in various parts of the `crypto/ec` code, notably in all the currently supported implementations of scalar multiplication (in the generic path through ec_scalar_mul_ladder() as well as in dedicated methods like ecp_nistp{224,256,521}.c and ecp_nistz256.c).

Under the right conditions, a motivated SCA attacker could retrieve the secret bitlength of a secret nonce through this vulnerability, potentially leading, ultimately, to recover a long-term secret key.

With this commit, exclusively for BIGNUMs that are flagged with BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of the BIGNUM are accessed up to bn->dmax and bitwise masking is used to avoid branching.

Memory access pattern still leaks bn->dmax, the size of the lazily allocated buffer for representing the BIGNUM, which is inevitable with the current BIGNUM architecture: reading past bn->dmax would be an out-of-bounds read. As such, it's the caller's responsibility to ensure that bn->dmax does not leak secret information, by explicitly expanding the internal BIGNUM buffer to a public value sufficient to avoid any lazy reallocation while manipulating it: this should be already done at the top level alongside setting the BN_FLG_CONSTTIME.

Thanks to David Schrammel and Samuel Weiser for reporting this issue through responsible disclosure.

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit 8b44198b916015f77bef1befa26edb48ad8a0238)

commit 083f297a48e8c1dd5e02a5fa7be00586f8cb7dff
Author: Nicola Tuveri
Date: Fri Aug 2 01:33:05 2019 +0300

Fix a SCA leak using BN_bn2bin()

BN_bn2bin() is not constant-time and leaks the number of bits in the processed BIGNUM.

The specialized methods in ecp_nistp224.c, ecp_nistp256.c and ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the internal fixed length representation.

This can leak during ECDSA/ECDH key generation or handling the nonce while generating an ECDSA signature, when using these implementations.

The amount and risk of leaked information useful for a SCA attack varies for each of the three curves, as it depends mainly on the ratio between the bitlength of the curve subgroup order (governing the size of the secret nonce/key) and the limb size for the
Still Failing: openssl/openssl#27954 (OpenSSL_1_1_1-stable - 9e1403d)
Build Update for openssl/openssl - Build: #27954
Status: Still Failing
Duration: 9 mins and 8 secs
Commit: 9e1403d (OpenSSL_1_1_1-stable)
Author: Bernd Edlinger
Message: Fix a SCA leak in BN_generate_dsa_nonce

Reviewed-by: Matt Caswell
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/9782)
(cherry picked from commit 31ca19403d56ad71d823cf62990518dfc6905bb4)

View the changeset: https://github.com/openssl/openssl/compare/1bb2acb9987c...9e1403d91a42
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581762881?utm_medium=notification_source=email
Build completed: openssl master.27361
Build openssl master.27361 completed
Commit 036c5d82de by Matt Caswell on 9/6/2019 8:51 AM: fixup! Revise EVP_PKEY param handling
Errored: openssl/openssl#27975 (master - e97bab6)
Build Update for openssl/openssl - Build: #27975
Status: Errored
Duration: 20 mins and 7 secs
Commit: e97bab6 (master)
Author: Pauli
Message: Use common digest getter for X942 KDF

Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/9770)

View the changeset: https://github.com/openssl/openssl/compare/4fe2ee3a449a...e97bab6929bb
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581964469?utm_medium=notification_source=email
Still Failing: openssl/openssl#27970 (OpenSSL_1_1_1-stable - a6186f3)
Build Update for openssl/openssl - Build: #27970
Status: Still Failing
Duration: 18 mins and 14 secs
Commit: a6186f3 (OpenSSL_1_1_1-stable)
Author: Billy Brumley
Message: CHANGES entry: for ECC parameters with NULL or zero cofactor, compute it

Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/9781)

View the changeset: https://github.com/openssl/openssl/compare/ed0ac119506a...a6186f39802f
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581920154?utm_medium=notification_source=email
[openssl] master update
The branch master has been updated
       via  dc5bcb88d819de55eb37460c122e02fec91c6d86 (commit)
       via  debb64a0ca43969eb3f043aa8895a4faa7f12b6e (commit)
      from  7e8c3381937354cf171ceaf4c69315e9a45d4858 (commit)

- Log -

commit dc5bcb88d819de55eb37460c122e02fec91c6d86
Author: Matt Caswell
Date: Thu Sep 5 16:21:56 2019 +0100

Teach TLSProxy how to parse CertificateRequest messages

We also use this in test_tls13messages to check that the extensions we expect to see in a CertificateRequest are there.

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/9780)

commit debb64a0ca43969eb3f043aa8895a4faa7f12b6e
Author: Matt Caswell
Date: Thu Sep 5 16:43:57 2019 +0100

Don't send a status_request extension in a CertificateRequest message

If a TLSv1.3 server configured to respond to the status_request extension also attempted to send a CertificateRequest then it was incorrectly inserting a non zero length status_request extension into that message. The TLSv1.3 RFC does allow that extension in that message but it must always be zero length. In fact we should not be sending the extension at all in that message because we don't support it.

Fixes #9767

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/9780)

---
Summary of changes:
ssl/statem/extensions_srvr.c | 4 +
test/recipes/70-test_sslmessages.t | 25 +-
test/recipes/70-test_tls13kexmodes.t | 36 -
test/recipes/70-test_tls13messages.t | 89 +-
...ncryptedExtensions.pm => CertificateRequest.pm} | 45 +--
util/perl/TLSProxy/Message.pm | 14
util/perl/TLSProxy/Proxy.pm | 1 +
util/perl/checkhandshake.pm | 18 +++--
8 files changed, 181 insertions(+), 51 deletions(-)
copy util/perl/TLSProxy/{EncryptedExtensions.pm => CertificateRequest.pm} (65%)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index e16722cbeb..1c023fc6c4 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c
@@ -1491,6 +1491,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { +/* We don't currently support this extension inside a CertificateRequest */ +if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) +return EXT_RETURN_NOT_SENT; + if (!s->ext.status_expected) return EXT_RETURN_NOT_SENT; diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t index 6fb1f8557e..9f8c3226e6 100644 --- a/test/recipes/70-test_sslmessages.t +++ b/test/recipes/70-test_sslmessages.t 
@@ -95,58 +95,81 @@ my $proxy = TLSProxy::Proxy->new( @extensions = ( [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, +TLSProxy::Message::CLIENT, checkhandshake::SERVER_NAME_CLI_EXTENSION], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, +TLSProxy::Message::CLIENT, checkhandshake::STATUS_REQUEST_CLI_EXTENSION], (disabled("ec") ? () : [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, + TLSProxy::Message::CLIENT, checkhandshake::DEFAULT_EXTENSIONS]), (disabled("ec") ? () : [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, + TLSProxy::Message::CLIENT, checkhandshake::DEFAULT_EXTENSIONS]), (disabled("tls1_2") ? () : [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, +TLSProxy::Message::CLIENT, checkhandshake::DEFAULT_EXTENSIONS]), [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, +TLSProxy::Message::CLIENT, checkhandshake::ALPN_CLI_EXTENSION], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, +TLSProxy::Message::CLIENT, checkhandshake::SCT_CLI_EXTENSION], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, +TLSProxy::Message::CLIENT, checkhandshake::DEFAULT_EXTENSIONS], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, +TLSProxy::Message::CLIENT, checkhandshake::DEFAULT_EXTENSIONS], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, +TLSProxy::Message::CLIENT,
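Review bot: in the tls_construct_stoc_status_request hunk of ssl/statem/extensions_srvr.c, the new `if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) return EXT_RETURN_NOT_SENT;` is correctly placed ahead of the `s->ext.status_expected` test, since that flag is already set from the earlier server messages and would otherwise let the non-empty extension through again. The comment, though, says only "We don't currently support this extension inside a CertificateRequest", while the commit message explains the real rule: the RFC permits status_request in a CertificateRequest but only with zero length, and we choose not to send it at all. Putting that reasoning in the comment would stop someone from later "supporting" it by emitting the full ServerHello-style body. It is also worth asking whether the construct function should be reached with this context at all: if the allowed-context mask for the extension is what routes the call here, dropping the context there would make the guard unnecessary, and if the context must stay permitted (e.g., for parsing), the comment should say so.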
Errored: openssl/openssl#27953 (master - 31ca194)
Build Update for openssl/openssl - Build: #27953
Status: Errored
Duration: 14 mins and 17 secs
Commit: 31ca194 (master)
Author: Bernd Edlinger
Message: Fix a SCA leak in BN_generate_dsa_nonce

Reviewed-by: Matt Caswell
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/9782)

View the changeset: https://github.com/openssl/openssl/compare/d2baf88c43e5...31ca19403d56
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581762501?utm_medium=notification_source=email
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
       via  6f34a16ea9a4d37e11a26dd4c3694ea5b107e53f (commit)
       via  f8affa299534532b42b09eac5457f8bbf5216941 (commit)
      from  5d16346679d72a4770ec01508ead7f61cf7cbf34 (commit)

- Log -

commit 6f34a16ea9a4d37e11a26dd4c3694ea5b107e53f
Author: Matt Caswell
Date: Thu Sep 5 16:21:56 2019 +0100

Teach TLSProxy how to parse CertificateRequest messages

We also use this in test_tls13messages to check that the extensions we expect to see in a CertificateRequest are there.

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/9780)
(cherry picked from commit dc5bcb88d819de55eb37460c122e02fec91c6d86)

commit f8affa299534532b42b09eac5457f8bbf5216941
Author: Matt Caswell
Date: Thu Sep 5 16:43:57 2019 +0100

Don't send a status_request extension in a CertificateRequest message

If a TLSv1.3 server configured to respond to the status_request extension also attempted to send a CertificateRequest then it was incorrectly inserting a non zero length status_request extension into that message. The TLSv1.3 RFC does allow that extension in that message but it must always be zero length. In fact we should not be sending the extension at all in that message because we don't support it.

Fixes #9767

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/9780)
(cherry picked from commit debb64a0ca43969eb3f043aa8895a4faa7f12b6e)

---
Summary of changes:
ssl/statem/extensions_srvr.c | 4 +
test/recipes/70-test_sslmessages.t | 25 +-
test/recipes/70-test_tls13kexmodes.t | 36 -
test/recipes/70-test_tls13messages.t | 89 +-
...ncryptedExtensions.pm => CertificateRequest.pm} | 49 ++--
util/perl/TLSProxy/Message.pm | 14
util/perl/TLSProxy/Proxy.pm | 1 +
util/perl/checkhandshake.pm | 18 +++--
8 files changed, 183 insertions(+), 53 deletions(-)
copy util/perl/TLSProxy/{EncryptedExtensions.pm => CertificateRequest.pm} (60%)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index ff4287c584..ab5453f63e 100644
--- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1487,6 +1487,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { +/* We don't currently support this extension inside a CertificateRequest */ +if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) +return EXT_RETURN_NOT_SENT; + if (!s->ext.status_expected) return EXT_RETURN_NOT_SENT; diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t index 1e4676973a..5ee99feab8 100644 --- a/test/recipes/70-test_sslmessages.t +++ b/test/recipes/70-test_sslmessages.t 
@@ -95,58 +95,81 @@ my $proxy = TLSProxy::Proxy->new( @extensions = ( [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, +TLSProxy::Message::CLIENT, checkhandshake::SERVER_NAME_CLI_EXTENSION], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, +TLSProxy::Message::CLIENT, checkhandshake::STATUS_REQUEST_CLI_EXTENSION], (disabled("ec") ? () : [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, + TLSProxy::Message::CLIENT, checkhandshake::DEFAULT_EXTENSIONS]), (disabled("ec") ? () : [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, + TLSProxy::Message::CLIENT, checkhandshake::DEFAULT_EXTENSIONS]), (disabled("tls1_2") ? () : [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, +TLSProxy::Message::CLIENT, checkhandshake::DEFAULT_EXTENSIONS]), [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, +TLSProxy::Message::CLIENT, checkhandshake::ALPN_CLI_EXTENSION], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, +TLSProxy::Message::CLIENT, checkhandshake::SCT_CLI_EXTENSION], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, +TLSProxy::Message::CLIENT, checkhandshake::DEFAULT_EXTENSIONS], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, +TLSProxy::Message::CLIENT,
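Review bot: in the test/recipes/70-test_sslmessages.t hunk, the new `TLSProxy::Message::CLIENT` direction field is inserted by hand into every `@extensions` row, which is why a two-line behavioural fix drags along an 81-line table edit. Every row shown here is keyed on `TLSProxy::Message::MT_CLIENT_HELLO`, and a ClientHello can only ever travel client-to-server, so the direction could be derived from the message type inside checkhandshake.pm and the column reserved for message types that can carry extensions in either direction (CertificateRequest being the case this change is about). That would keep the table from drifting each time an extension is added and make the hunk reviewable at a glance.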
Errored: openssl/openssl#27937 (master - dc5bcb8)
Build Update for openssl/openssl - Build: #27937
Status: Errored
Duration: 15 mins and 14 secs
Commit: dc5bcb8 (master)
Author: Matt Caswell
Message: Teach TLSProxy how to parse CertificateRequest messages

We also use this in test_tls13messages to check that the extensions we expect to see in a CertificateRequest are there.

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/9780)

View the changeset: https://github.com/openssl/openssl/compare/7e8c33819373...dc5bcb88d819
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581585424?utm_medium=notification_source=email
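The two commits notified above both concern the TLS 1.3 CertificateRequest: one teaches TLSProxy to parse it, the other stops the server from sending a non-empty status_request inside it, which the commit message says the RFC allows only with zero length. As an added example, not OpenSSL's or TLSProxy's code, here is a small receiving-side check in C that walks the extensions of a CertificateRequest body and flags a non-empty status_request while rejecting truncated input; the function name, the return codes and the constructed sample bodies are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not OpenSSL code. The TLS 1.3 CertificateRequest body is
 *     opaque certificate_request_context<0..2^8-1>;
 *     Extension extensions<2..2^16-1>;
 * and a status_request extension (type 5) inside it must be empty.
 * Return codes are this example's own convention. */
#define EXT_STATUS_REQUEST 5

enum cr_check {
    CR_OK = 0,                        /* well-formed; status_request absent or empty */
    CR_MALFORMED = -1,                /* a length field does not fit the buffer */
    CR_STATUS_REQUEST_NONEMPTY = -2   /* what the fixed server bug looked like on the wire */
};

/* Reads a 16-bit big-endian type or length field. */
static size_t rd16(const unsigned char *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* Validates one CertificateRequest handshake body (without the 4-byte
 * handshake header). Every length is checked against the bytes remaining
 * before it is used, so a truncated message is rejected rather than read past. */
static int check_certificate_request(const unsigned char *msg, size_t len)
{
    size_t pos = 0, ctx_len, ext_len, ext_end;

    if (len < 1)
        return CR_MALFORMED;
    ctx_len = msg[pos++];                  /* certificate_request_context */
    if (len - pos < ctx_len)
        return CR_MALFORMED;
    pos += ctx_len;

    if (len - pos < 2)
        return CR_MALFORMED;
    ext_len = rd16(msg + pos);             /* extensions vector length */
    pos += 2;
    /* The vector is at least 2 bytes and must end exactly where the body ends. */
    if (ext_len < 2 || len - pos != ext_len)
        return CR_MALFORMED;
    ext_end = pos + ext_len;

    while (pos < ext_end) {                /* type(2) length(2) data(length) */
        size_t type, this_len;

        if (ext_end - pos < 4)
            return CR_MALFORMED;
        type = rd16(msg + pos);
        this_len = rd16(msg + pos + 2);
        pos += 4;
        if (ext_end - pos < this_len)
            return CR_MALFORMED;
        if (type == EXT_STATUS_REQUEST && this_len != 0)
            return CR_STATUS_REQUEST_NONEMPTY;
        pos += this_len;
    }
    return CR_OK;
}

/* Constructed sample bodies (not captured traffic). */
static const unsigned char CR_GOOD[] = {
    0x00,                                   /* empty certificate_request_context */
    0x00, 0x0a,                             /* extensions length: 10 */
    0x00, 0x0d, 0x00, 0x02, 0x04, 0x03,     /* signature_algorithms: ecdsa_secp256r1_sha256 */
    0x00, 0x05, 0x00, 0x00                  /* status_request, zero length: allowed */
};
static const unsigned char CR_BAD[] = {
    0x00,
    0x00, 0x0f,                             /* extensions length: 15 */
    0x00, 0x0d, 0x00, 0x02, 0x04, 0x03,
    0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00 /* status_request with a 5-byte body */
};

/* Result for CR_BAD cut off after n bytes, i.e. a truncated message. */
static int check_truncated_bad(size_t n)
{
    return check_certificate_request(CR_BAD, n < sizeof(CR_BAD) ? n : sizeof(CR_BAD));
}

int main(void)
{
    printf("good body: %d\n", check_certificate_request(CR_GOOD, sizeof(CR_GOOD)));
    printf("non-empty status_request: %d\n", check_certificate_request(CR_BAD, sizeof(CR_BAD)));
    printf("truncated body: %d\n", check_truncated_bad(12));
    return 0;
}
```

The check is deliberately strict about the vector ending exactly at the end of the body: trailing bytes after the extensions are as much a parse error as a length that overruns, and treating both the same way keeps a test proxy like TLSProxy from silently accepting a message a real peer would reject.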
[openssl] master update
The branch master has been updated
  via  4fe2ee3a449a8ca2886584e221f34ff0ef5de119 (commit)
  via  e0b660c27d8d97b4ad9e2098cc957de26872c0ef (commit)
  via  1b338abe3abb8c73f004c34d4b8a9272b89dfd5d (commit)
  via  8b44198b916015f77bef1befa26edb48ad8a0238 (commit)
  via  805315d3a20f7274195eed75b06c391dacf3b197 (commit)
  from 31ca19403d56ad71d823cf62990518dfc6905bb4 (commit)

- Log -

commit 4fe2ee3a449a8ca2886584e221f34ff0ef5de119
Author: Nicola Tuveri
Date:   Fri Sep 6 14:05:26 2019 +0300

    [ec/ecp_nistp*.c] restyle: use {} around `else` too

    Reviewed-by: Matt Caswell
    Reviewed-by: Bernd Edlinger
    (Merged from https://github.com/openssl/openssl/pull/9511)

commit e0b660c27d8d97b4ad9e2098cc957de26872c0ef
Author: Nicola Tuveri
Date:   Fri Sep 6 01:31:45 2019 +0300

    [ec/ecp_nistp*.c] remove flip_endian()

    Replace flip_endian() by using the little endian specific
    BN_bn2lebinpad() and BN_lebin2bn().

    Reviewed-by: Matt Caswell
    Reviewed-by: Bernd Edlinger
    (Merged from https://github.com/openssl/openssl/pull/9511)

commit 1b338abe3abb8c73f004c34d4b8a9272b89dfd5d
Author: Nicola Tuveri
Date:   Fri Sep 6 00:18:36 2019 +0300

    Uniform BN_bn2binpad() and BN_bn2lebinpad() implementations

    Reviewed-by: Matt Caswell
    Reviewed-by: Bernd Edlinger
    (Merged from https://github.com/openssl/openssl/pull/9511)

commit 8b44198b916015f77bef1befa26edb48ad8a0238
Author: Nicola Tuveri
Date:   Fri Aug 2 02:08:34 2019 +0300

    Make BN_num_bits() consttime upon BN_FLG_CONSTTIME

    This issue was partially addressed by commit
    972c87dfc7e765bd28a4964519c362f0d3a58ca4, which hardened its callee
    BN_num_bits_word() to avoid leaking the most-significant word of its
    argument via branching and memory access pattern.

    The commit message also reported:
    > There are a few places where BN_num_bits is called on an input where
    > the bit length is also secret. This does *not* fully resolve those
    > cases as we still only look at the top word.

    BN_num_bits() is called directly or indirectly (e.g., through
    BN_num_bytes() or BN_bn2binpad()) in various parts of the `crypto/ec`
    code, notably in all the currently supported implementations of scalar
    multiplication (in the generic path through ec_scalar_mul_ladder() as
    well as in dedicated methods like ecp_nistp{224,256,521}.c and
    ecp_nistz256.c).

    Under the right conditions, a motivated SCA attacker could retrieve the
    secret bitlength of a secret nonce through this vulnerability,
    potentially leading, ultimately, to recover a long-term secret key.

    With this commit, exclusively for BIGNUMs that are flagged with
    BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of
    the BIGNUM are accessed up to bn->dmax and bitwise masking is used to
    avoid branching.

    Memory access pattern still leaks bn->dmax, the size of the lazily
    allocated buffer for representing the BIGNUM, which is inevitable with
    the current BIGNUM architecture: reading past bn->dmax would be an
    out-of-bound read.

    As such, it's the caller's responsibility to ensure that bn->dmax does
    not leak secret information, by explicitly expanding the internal
    BIGNUM buffer to a public value sufficient to avoid any lazy
    reallocation while manipulating it: this should be already done at the
    top level alongside setting the BN_FLG_CONSTTIME.

    Thanks to David Schrammel and Samuel Weiser for reporting this issue
    through responsible disclosure.

    Reviewed-by: Matt Caswell
    Reviewed-by: Bernd Edlinger
    (Merged from https://github.com/openssl/openssl/pull/9511)

commit 805315d3a20f7274195eed75b06c391dacf3b197
Author: Nicola Tuveri
Date:   Fri Aug 2 01:33:05 2019 +0300

    Fix a SCA leak using BN_bn2bin()

    BN_bn2bin() is not constant-time and leaks the number of bits in the
    processed BIGNUM.

    The specialized methods in ecp_nistp224.c, ecp_nistp256.c and
    ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the
    internal fixed length representation.

    This can leak during ECDSA/ECDH key generation or handling the nonce
    while generating an ECDSA signature, when using these implementations.

    The amount and risk of leaked information useful for a SCA attack
    varies for each of the three curves, as it depends mainly on the ratio
    between the bitlength of the curve subgroup order (governing the size
    of the secret nonce/key) and the limb size for the internal BIGNUM
    representation (which depends on the compilation target architecture).

    To fix this, we replace BN_bn2bin() with BN_bn2binpad(), bounding the
    output length to the width of the internal representation buffer: this
    length is public.

    Internally the final implementation of both
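The BN_num_bits() commit above describes the hardening as reading every limb up to bn->dmax and replacing branches with bitwise masks, while noting that dmax itself remains visible and must be a public value. The following is an added example, not OpenSSL's code, that shows this technique on a toy multi-limb integer with the variable-time routine beside it for comparison. The toy_bn type, the 64-bit limb_t, and every helper name (mask_nonzero, ct_num_bits_word, ct_num_bits, vt_num_bits, make_bn, ct_bits_of, vt_bits_of) are assumptions made for this example; it also generalizes a little by showing a masked single-limb bit count of the kind the commit attributes to the earlier BN_num_bits_word() hardening.

```c
/* Added example, not OpenSSL's code: a constant-time bit-length routine in
 * the style described in the BN_num_bits() commit above. toy_bn, limb_t,
 * LIMB_BITS and all helper names are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t limb_t;
#define LIMB_BITS 64
#define TOY_LIMBS 8

/* Toy big integer: little-endian limbs; `top` is the number of limbs in use
 * (depends on the secret value); `dmax` is the allocated size, which the
 * caller must keep public, as the commit message requires for bn->dmax. */
typedef struct {
    limb_t d[TOY_LIMBS];
    int top;
    int dmax;
} toy_bn;

/* All-ones if a != 0, all-zeros otherwise, with no data-dependent branch. */
static limb_t mask_nonzero(limb_t a)
{
    return (limb_t)0 - ((a | ((limb_t)0 - a)) >> (LIMB_BITS - 1));
}

/* Bit length of one limb (0 for 0): a fixed sequence of masked shifts,
 * so the same instructions execute whatever the value is. */
static int ct_num_bits_word(limb_t w)
{
    int bits = 0;
    unsigned shift;
    for (shift = LIMB_BITS / 2; shift != 0; shift >>= 1) {
        limb_t m = mask_nonzero(w >> shift);   /* upper `shift` bits set? */
        unsigned s = (unsigned)(shift & m);    /* either shift or 0 */
        bits += (int)s;
        w >>= s;
    }
    return bits + (int)(w & 1);                /* w is now 0 or 1 */
}

/* Variable-time form: branches on top and indexes d[top - 1], so the bit
 * length is visible in control flow and in the memory access pattern. */
static int vt_num_bits(const toy_bn *a)
{
    if (a->top == 0)
        return 0;
    return (a->top - 1) * LIMB_BITS + ct_num_bits_word(a->d[a->top - 1]);
}

/* Constant-time form: read every limb up to the public dmax and select the
 * highest non-zero limb's contribution with masks instead of branches.
 * Only dmax is visible to an observer, never top. */
static int ct_num_bits(const toy_bn *a)
{
    int result = 0;
    int i;
    for (i = 0; i < a->dmax; i++) {
        limb_t w = a->d[i];
        limb_t m = mask_nonzero(w);
        limb_t cand = (limb_t)(i * LIMB_BITS + ct_num_bits_word(w));
        /* limbs are scanned upward, so a later non-zero limb always wins */
        result = (int)((cand & m) | ((limb_t)result & ~m));
    }
    return result;
}

/* Build a three-limb value with a public dmax of 4 limbs (constructed input). */
static toy_bn make_bn(limb_t l0, limb_t l1, limb_t l2)
{
    toy_bn a = {{0}, 0, 4};
    a.d[0] = l0;
    a.d[1] = l1;
    a.d[2] = l2;
    a.top = l2 ? 3 : (l1 ? 2 : (l0 ? 1 : 0));
    return a;
}

static int ct_bits_of(limb_t l0, limb_t l1, limb_t l2)
{
    toy_bn a = make_bn(l0, l1, l2);
    return ct_num_bits(&a);
}

static int vt_bits_of(limb_t l0, limb_t l1, limb_t l2)
{
    toy_bn a = make_bn(l0, l1, l2);
    return vt_num_bits(&a);
}

int main(void)
{
    /* 2^64 + 5 has 65 bits; both routines agree, only ct_* hides top */
    printf("ct=%d vt=%d\n", ct_bits_of(5, 1, 0), vt_bits_of(5, 1, 0));
    return 0;
}
```

Both routines return the same number; the difference is what an observer of control flow and memory accesses can learn. The residual leak the commit mentions is deliberately kept in view here: the loop bound is dmax, which the example fixes at a public constant of 4 limbs, mirroring the requirement that the caller pre-expand the buffer to a public size before setting BN_FLG_CONSTTIME.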
Still Failing: openssl/openssl#27938 (OpenSSL_1_1_1-stable - 6f34a16)
Build Update for openssl/openssl
Build: #27938
Status: Still Failing
Duration: 8 mins and 55 secs
Commit: 6f34a16 (OpenSSL_1_1_1-stable)
Author: Matt Caswell
Message: Teach TLSProxy how to parse CertificateRequest messages

We also use this in test_tls13messages to check that the extensions we expect to see in a CertificateRequest are there.

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/9780)
(cherry picked from commit dc5bcb88d819de55eb37460c122e02fec91c6d86)

View the changeset: https://github.com/openssl/openssl/compare/5d16346679d7...6f34a16ea9a4
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581585531?utm_medium=notification_source=email
Still Failing: openssl/openssl#27951 (OpenSSL_1_1_1-stable - 1bb2acb)
Build Update for openssl/openssl
Build: #27951
Status: Still Failing
Duration: 9 mins and 19 secs
Commit: 1bb2acb (OpenSSL_1_1_1-stable)
Author: Cesar Pereida Garcia
Message: [crypto/rsa] Set the constant-time flag in multi-prime RSA too

Reviewed-by: Bernd Edlinger
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9779)

View the changeset: https://github.com/openssl/openssl/compare/6f34a16ea9a4...1bb2acb9987c
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/581727135?utm_medium=notification_source=email
[openssl] master update
The branch master has been updated
  via  e97bab6929bbbc5b8364b25ca2ef4fcb02dd6e2a (commit)
  via  a1de4680fbf53b0feffd27baca3c6b4caf0c6c45 (commit)
  via  0f0db4dc2520777b889968c93e054693c5c58fdc (commit)
  via  7e149b39288fdfc8d57c881536b272fae78df038 (commit)
  via  e957226a0cf2150003b5b2d0b46ab9a89011f66f (commit)
  via  86f17ed64cb881a97801405906f4da7041a6edf8 (commit)
  via  cb74317b4f525feca9129944f82e74e23b2e381f (commit)
  via  c69561de00a032f85ec92d30c1e0bfa761b81dfd (commit)
  via  96d7e2733ef66e364f89aa394a6bdd49df48f2ae (commit)
  via  103d8b0be434c293c661861bda505f35f04d288f (commit)
  via  76497acf522578827f390891cf45c87280423d32 (commit)
  via  1dcc7ee6cf816e5fba8b99d278829031d71ee9df (commit)
  via  2f17cc493cfaa5c77a77d4f174dd2403188c41da (commit)
  from 4fe2ee3a449a8ca2886584e221f34ff0ef5de119 (commit)

- Log -

commit e97bab6929bbbc5b8364b25ca2ef4fcb02dd6e2a
Author: Pauli
Date:   Sat Sep 7 10:50:46 2019 +1000

    Use common digest getter for X942 KDF

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit a1de4680fbf53b0feffd27baca3c6b4caf0c6c45
Author: Pauli
Date:   Sat Sep 7 10:50:14 2019 +1000

    Use common digest getter for SSH KDF

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit 0f0db4dc2520777b889968c93e054693c5c58fdc
Author: Pauli
Date:   Sat Sep 7 10:49:53 2019 +1000

    Use common digest getter for TLS1 PRF

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit 7e149b39288fdfc8d57c881536b272fae78df038
Author: Pauli
Date:   Sat Sep 7 10:49:36 2019 +1000

    Use common digest getter for single step KDF

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit e957226a0cf2150003b5b2d0b46ab9a89011f66f
Author: Pauli
Date:   Sat Sep 7 10:49:18 2019 +1000

    Use common digest getter for PBKDF2

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit 86f17ed64cb881a97801405906f4da7041a6edf8
Author: Pauli
Date:   Sat Sep 7 10:48:56 2019 +1000

    Use common digest getter for HKDF

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit cb74317b4f525feca9129944f82e74e23b2e381f
Author: Pauli
Date:   Sat Sep 7 10:48:07 2019 +1000

    Use common define for properties, engine, cipher and digest params

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit c69561de00a032f85ec92d30c1e0bfa761b81dfd
Author: Pauli
Date:   Sat Sep 7 10:47:37 2019 +1000

    Add 'engine' param to KDFs

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit 96d7e2733ef66e364f89aa394a6bdd49df48f2ae
Author: Pauli
Date:   Thu Sep 5 13:55:04 2019 +1000

    KMAC using common digest get code

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit 103d8b0be434c293c661861bda505f35f04d288f
Author: Pauli
Date:   Thu Sep 5 13:54:53 2019 +1000

    HMAC using common digest get code

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit 76497acf522578827f390891cf45c87280423d32
Author: Pauli
Date:   Thu Sep 5 14:24:44 2019 +1000

    GMAC using common cipher get code

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit 1dcc7ee6cf816e5fba8b99d278829031d71ee9df
Author: Pauli
Date:   Thu Sep 5 14:15:02 2019 +1000

    CMAC using common cipher get code

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

commit 2f17cc493cfaa5c77a77d4f174dd2403188c41da
Author: Pauli
Date:   Thu Sep 5 13:53:20 2019 +1000

    Unify the digest getting code inside providers.

    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/9770)

---

Summary of changes:
 doc/man3/EVP_KDF.pod | 20 +--
 include/openssl/core_names.h | 23 +++-
 providers/common/build.info | 5 +-
 providers/common/include/internal/provider_util.h | 79 +++
 providers/common/include/internal/providercommon.h | 1 +
 providers/common/kdfs/hkdf.c | 44 ++
 providers/common/kdfs/pbkdf2.c | 41 ++
 providers/common/kdfs/sskdf.c | 50 +++
 providers/common/kdfs/tls1_prf.c | 68 --
 providers/common/macs/cmac_prov.c | 97 ++---
 providers/common/macs/gmac_prov.c
Build failed: openssl master.27341
Build openssl master.27341 failed Commit 22daa9c6f8 by Pauli on 9/6/2019 6:12 AM: fixup! Unify the digest getting code inside providers.
Build failed: openssl master.27360
Build openssl master.27360 failed Commit 4b6c929254 by Pauli on 9/6/2019 8:28 AM: fixup! CMAC using common cipher get code