CVS commit: [netbsd-6-0] src/crypto/external/bsd/openssl/dist/crypto/evp
Module Name:src Committed By: snj Date: Sun Feb 5 05:52:42 UTC 2017 Modified Files: src/crypto/external/bsd/openssl/dist/crypto/evp [netbsd-6-0]: e_rc4_hmac_md5.c Log Message: Apply patch (requested by spz in ticket #1355): Fix CVE-2017-3731. To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.2.4.2 -r1.1.1.1.2.2.4.3 \ src/crypto/external/bsd/openssl/dist/crypto/evp/e_rc4_hmac_md5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/crypto/external/bsd/openssl/dist/crypto/evp/e_rc4_hmac_md5.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/evp/e_rc4_hmac_md5.c:1.1.1.1.2.2.4.2 src/crypto/external/bsd/openssl/dist/crypto/evp/e_rc4_hmac_md5.c:1.1.1.1.2.2.4.3
--- src/crypto/external/bsd/openssl/dist/crypto/evp/e_rc4_hmac_md5.c:1.1.1.1.2.2.4.2 Sun Jul 12 18:40:55 2015
+++ src/crypto/external/bsd/openssl/dist/crypto/evp/e_rc4_hmac_md5.c Sun Feb 5 05:52:41 2017
@@ -267,6 +267,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_
 len = p[arg - 2] << 8 | p[arg - 1];
 if (!ctx->encrypt) {
+if (len < MD5_DIGEST_LENGTH)
+return -1;
 len -= MD5_DIGEST_LENGTH;
 p[arg - 2] = len >> 8;
 p[arg - 1] = len;
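Review bot: The new `len < MD5_DIGEST_LENGTH` guard is the entire CVE fix yet carries no explanation of why the two-byte length assembled from `p[arg - 2]` and `p[arg - 1]` must be compared against the MAC size before the `len -= MD5_DIGEST_LENGTH` that follows; the next reader will not see the wrap-around it prevents. I would put above the check: `/* Payload shorter than the MAC (CVE-2017-3731): reject, otherwise the subtraction below wraps (len is presumably unsigned) and a bogus length is written back into p[] */`. The `return -1` only helps if every caller of this ctrl treats a negative result as fatal, which cannot be confirmed from this hunk and is worth verifying against the AAD callers on this branch. rc4_hmac_md5_ctrl begins before this hunk and its other cases lie outside it.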
CVS commit: [netbsd-6-0] src/crypto/external/bsd/openssl/dist/crypto
Module Name:src Committed By: snj Date: Sun Oct 26 19:54:53 UTC 2014 Added Files: src/crypto/external/bsd/openssl/dist/crypto [netbsd-6-0]: constant_time_locl.h Log Message: Apply patch (requested by spz in ticket 1170): update of openssl to the next higher version, 1.0.1j Upstream condensed log: Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014] o Fix for CVE-2014-3513 o Fix for CVE-2014-3567 o Mitigation for CVE-2014-3566 (SSL protocol vulnerability) o Fix for CVE-2014-3568 To generate a diff of this commit: cvs rdiff -u -r0 -r1.1.4.2 \ src/crypto/external/bsd/openssl/dist/crypto/constant_time_locl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Added files:
Index: src/crypto/external/bsd/openssl/dist/crypto/constant_time_locl.h
diff -u /dev/null src/crypto/external/bsd/openssl/dist/crypto/constant_time_locl.h:1.1.4.2
--- /dev/null Sun Oct 26 19:54:53 2014
+++ src/crypto/external/bsd/openssl/dist/crypto/constant_time_locl.h Sun Oct 26 19:54:53 2014
@@ -0,0 +1,216 @@
+/* crypto/constant_time_locl.h */
+/*
+ * Utilities for constant-time cryptography.
+ *
+ * Author: Emilia Kasper (emi...@openssl.org)
+ * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley
+ * (Google).
+ *
+ * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *must display the following acknowledgement:
+ *This product includes cryptographic software written by
+ * Eric Young (e...@cryptsoft.com)
+ *The word 'cryptographic' can be left out if the rouines from the library
+ *being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *the apps directory (application code) you must include an acknowledgement:
+ *This product includes software written by Tim Hudson (t...@cryptsoft.com)
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_CONSTANT_TIME_LOCL_H
+#define HEADER_CONSTANT_TIME_LOCL_H
+
+#include e_os.h /* For 'inline' */
+
+#ifdef __cplusplus
+extern C {
+#endif
+
+/*
+ * The boolean methods return a bitmask of all ones (0xff...f) for true
+ * and 0 for false. This is useful for choosing a value based on the result
+ * of a conditional in constant time. For example,
+ *
+ * if (a b) {
+ * c = a;
+ * } else {
+ * c = b;
+ * }
+ *
+ * can be written as
+ *
+ * unsigned int lt = constant_time_lt(a, b);
+ * c = constant_time_select(lt, a, b);
+ */
+
+/*
+ * Returns the given value with the MSB copied to all the other
+ * bits. Uses the fact that arithmetic shift shifts-in the sign bit.
+ * However, this is not ensured by the C standard so you may need to
+ * replace this with something else on odd CPUs.
+ */
+static inline unsigned int constant_time_msb(unsigned int a);
+
+/*
+ * Returns 0xff..f if a b and 0 otherwise.
+ */
+static inline unsigned int constant_time_lt(unsigned int a, unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b);
+
+/*
+ * Returns 0xff..f if a = b and 0 otherwise.
+ */
+static inline unsigned int constant_time_ge(unsigned int a, unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
CVS commit: [netbsd-6-0] src/crypto/external/bsd/openssl/dist/crypto
Module Name:src Committed By: bouyer Date: Thu Apr 3 19:02:00 UTC 2014 Modified Files: src/crypto/external/bsd/openssl/dist/crypto/bn [netbsd-6-0]: bn.h bn_lib.c src/crypto/external/bsd/openssl/dist/crypto/ec [netbsd-6-0]: ec2_mult.c Log Message: Pull up following revision(s) (requested by tron in ticket #1041): crypto/external/bsd/openssl/dist/crypto/ec/ec2_mult.c: revision 1.2 crypto/external/bsd/openssl/dist/crypto/bn/bn.h: revision 1.2 crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c: revision 1.2 Add fix for CVE-2014-0076 taken from OpenSSL GIT repository: Fix for the attack described in the paper Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 To generate a diff of this commit: cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.1.4.1 \ src/crypto/external/bsd/openssl/dist/crypto/bn/bn.h cvs rdiff -u -r1.1.1.2 -r1.1.1.2.10.1 \ src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.1.4.1 \ src/crypto/external/bsd/openssl/dist/crypto/ec/ec2_mult.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/crypto/external/bsd/openssl/dist/crypto/bn/bn.h
diff -u src/crypto/external/bsd/openssl/dist/crypto/bn/bn.h:1.1.1.2.4.1 src/crypto/external/bsd/openssl/dist/crypto/bn/bn.h:1.1.1.2.4.1.4.1
--- src/crypto/external/bsd/openssl/dist/crypto/bn/bn.h:1.1.1.2.4.1 Tue Aug 14 07:56:09 2012
+++ src/crypto/external/bsd/openssl/dist/crypto/bn/bn.h Thu Apr 3 19:02:00 2014
@@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
 BIGNUM *BN_mod_sqrt(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
+
 /* Deprecated versions */
 #ifndef OPENSSL_NO_DEPRECATED
 BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
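Review bot: The first parameter of the new prototype is named `swap`, while the definition added to bn_lib.c in the same commit calls it `condition`, and neither site tells a caller which values are legal; the header is where callers will look. I would rename it to match the definition and state the contract at the declaration: `/* Swap a and b in constant time when condition != 0. condition must have at most one bit set; nwords words must be allocated in both operands and neither may use more than nwords. */` above `void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords);`. Whether the function is meant as public API or only for the EC code is not visible here; if it is internal, a note to that effect belongs in the same comment.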
@@ -774,11 +776,20 @@ int RAND_pseudo_bytes(unsigned char *buf
 #define bn_fix_top(a) bn_check_top(a)
+#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
+#define bn_wcheck_size(bn, words) \
+ do { \
+ const BIGNUM *_bnum2 = (bn); \
+ assert(words = (_bnum2)-dmax words = (_bnum2)-top); \
+ } while(0)
+
 #else /* !BN_DEBUG */
 #define bn_pollute(a)
 #define bn_check_top(a)
 #define bn_fix_top(a) bn_correct_top(a)
+#define bn_check_size(bn, bits)
+#define bn_wcheck_size(bn, words)
 #endif
Index: src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c:1.1.1.2 src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c:1.1.1.2.10.1
--- src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c:1.1.1.2 Sun Jun 5 14:57:56 2011
+++ src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c Thu Apr 3 19:02:00 2014
@@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a,
 }
 return bn_cmp_words(a,b,cl);
 }
+
+/*
+ * Constant-time conditional swap of a and b.
+ * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
+ * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
+ * and that no more than nwords are used by either a or b.
+ * a and b cannot be the same number
+ */
+void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
+ {
+ BN_ULONG t;
+ int i;
+
+ bn_wcheck_size(a, nwords);
+ bn_wcheck_size(b, nwords);
+
+ assert(a != b);
+ assert((condition (condition - 1)) == 0);
+ assert(sizeof(BN_ULONG) = sizeof(int));
+
+ condition = ((condition - 1) (BN_BITS2 - 1)) - 1;
+
+ t = (a-top^b-top) condition;
+ a-top ^= t;
+ b-top ^= t;
+
+#define BN_CONSTTIME_SWAP(ind) \
+ do { \
+ t = (a-d[ind] ^ b-d[ind]) condition; \
+ a-d[ind] ^= t; \
+ b-d[ind] ^= t; \
+ } while (0)
+
+
+ switch (nwords) {
+ default:
+ for (i = 10; i nwords; i++)
+ BN_CONSTTIME_SWAP(i);
+ /* Fallthrough */
+ case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
+ case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
+ case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
+ case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
+ case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
+ case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
+ case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
+ case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
+ case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
+ case 1: BN_CONSTTIME_SWAP(0);
+ }
+#undef BN_CONSTTIME_SWAP
+}
Index: src/crypto/external/bsd/openssl/dist/crypto/ec/ec2_mult.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/ec/ec2_mult.c:1.1.1.2.4.1 src/crypto/external/bsd/openssl/dist/crypto/ec/ec2_mult.c:1.1.1.2.4.1.4.1
--- src/crypto/external/bsd/openssl/dist/crypto/ec/ec2_mult.c:1.1.1.2.4.1 Tue Aug 14 07:56:23 2012
+++ src/crypto/external/bsd/openssl/dist/crypto/ec/ec2_mult.c Thu
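Review bot: Every precondition of BN_consttime_swap is enforced only in debug builds: `bn_wcheck_size` expands to nothing outside BN_DEBUG (per the bn.h change in this same commit) and the three `assert` calls vanish under NDEBUG, so a release build handed an `nwords` larger than either operand's `dmax`, or a `condition` that breaks the single-bit assumption, silently writes past the word array or skips the swap. That is tolerable for an internal helper but must be visible, so I would extend the header comment with `/* No run-time validation outside BN_DEBUG / asserts: callers are responsible for these preconditions. */`. Note also that for `nwords <= 0` the `switch` has no `case 0` and the `default` loop does not execute, so only `top` is swapped, which is presumably harmless only because the stated precondition forces both tops to be 0; a one-line comment on the `switch` would save the next reader that derivation. The operators in this rendering look HTML-stripped (`a-top`, `i nwords`, `condition (condition - 1)`), so I am reading them as `->`, `<` and `&`.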
Apr 3