[openssl-commits] [openssl] master update
The branch master has been updated via 5d1c09de1f2736e1d4b1877206d08455ec75f558 (commit) from 582ad5d4d9b7703eb089016935133e3a18ea8205 (commit) - Log - commit 5d1c09de1f2736e1d4b1877206d08455ec75f558 Author: Andy Polyakov Date: Thu Jul 12 19:15:26 2018 +0200 bn/bn_lcl.h,bn_nist.c: addres strict warnings with -DBN_DEBUG. Reviewed-by: Rich Salz --- Summary of changes: crypto/bn/bn_lcl.h | 9 - crypto/bn/bn_nist.c | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h index 0d3a8bf..d74b590 100644 --- a/crypto/bn/bn_lcl.h +++ b/crypto/bn/bn_lcl.h @@ -151,7 +151,6 @@ * all operations manipulating the bit in question in non-BN_DEBUG build. */ # define BN_FLG_FIXED_TOP 0x1 -# include # ifdef BN_DEBUG_RAND # define bn_pollute(a) \ do { \ @@ -175,10 +174,10 @@ do { \ const BIGNUM *_bnum2 = (a); \ if (_bnum2 != NULL) { \ -int top = _bnum2->top; \ -assert((top == 0 && !_bnum2->neg) || \ - (top && ((_bnum2->flags & BN_FLG_FIXED_TOP) \ -|| _bnum2->d[top - 1] != 0))); \ +int _top = _bnum2->top; \ +(void)ossl_assert((_top == 0 && !_bnum2->neg) || \ + (_top && ((_bnum2->flags & BN_FLG_FIXED_TOP) \ +|| _bnum2->d[_top - 1] != 0))); \ bn_pollute(_bnum2); \ } \ } while(0) diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c index fcc2b77..4d71afd 100644 --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -254,7 +254,7 @@ static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max) int i; #ifdef BN_DEBUG -assert(top <= max); +(void)ossl_assert(top <= max); #endif for (i = 0; i < top; i++) dst[i] = src[i]; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
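Review bot: The rewritten bn_check_top body in the second bn_lcl.h hunk now expands to ossl_assert(), yet the only include change in this commit is the removal of the header's assert include in the first hunk (its file name is lost in this rendering), and nothing visible adds the header that provides ossl_assert; unless bn_lcl.h already pulls it in above these hunks, every BN_DEBUG translation unit must include it before bn_lcl.h, which is fragile for a macro living in a shared header. The `# define bn_check_top(a)` line itself sits before the hunk, so this cannot be confirmed from here. The new `(void)ossl_assert(...)` line deserves a one-line comment saying the result is discarded on purpose and that, like the assert() it replaces, the check is presumably only effective in builds where ossl_assert() is not compiled down to a plain expression, e.g. `/* result discarded on purpose; check is a no-op when ossl_assert() is disabled */`. The same comment applies to `(void)ossl_assert(top <= max);` in the bn_nist.c hunk.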
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 0b139e41b4ca03c1d36f4c93c6e9147e497029ca (commit) via 75a67a036a041d9fdac0fd7fd5a461f48709a3d3 (commit) from db9926ff007ad8cd999a4e7eff35b04505b744b8 (commit) - Log - commit 0b139e41b4ca03c1d36f4c93c6e9147e497029ca Author: Andy Polyakov Date: Sun Feb 4 15:24:54 2018 +0100 rsa/*: switch to BN_bn2binpad. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5254) (cherry picked from commit 582ad5d4d9b7703eb089016935133e3a18ea8205) commit 75a67a036a041d9fdac0fd7fd5a461f48709a3d3 Author: Andy Polyakov Date: Sun Feb 4 15:20:29 2018 +0100 bn/bn_lib.c: make BN_bn2binpad computationally constant-time. "Computationally constant-time" means that it might still leak information about input's length, but only in cases when input is missing complete BN_ULONG limbs. But even then leak is possible only if attacker can observe memory access pattern with limb granularity. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5254) (cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a) --- Summary of changes: crypto/bn/bn_lib.c| 23 +++ crypto/rsa/rsa_oaep.c | 38 +++--- crypto/rsa/rsa_ossl.c | 38 -- crypto/rsa/rsa_pk1.c | 39 +-- crypto/rsa/rsa_ssl.c | 8 5 files changed, 79 insertions(+), 67 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 8fa9f2f..ebad255 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -12,6 +12,7 @@ #include "internal/cryptlib.h" #include "bn_lcl.h" #include +#include "internal/constant_time_locl.h" /* This stuff appears to be completely unused, so is deprecated */ #if OPENSSL_API_COMPAT < 0x00908000L 
@@ -497,24 +498,30 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) /* ignore negative */ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { -int i; +int i, j, top; BN_ULONG l; -bn_check_top(a); i = BN_num_bytes(a); if (tolen == -1) tolen = i; else if (tolen < i) return -1; -/* Add leading zeroes if necessary */ -if (tolen > i) { -memset(to, 0, tolen - i); -to += tolen - i; + +if (i == 0) { +OPENSSL_cleanse(to, tolen); +return tolen; } -while (i--) { + +top = a->top * BN_BYTES; +for (i = 0, j = tolen; j > 0; i++) { +unsigned int mask; + +mask = constant_time_lt(i, top); +i -= 1 & ~mask; /* stay on top limb */ l = a->d[i / BN_BYTES]; -*(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; +to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); } + return tolen; } diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 4878d49..fbe65c4 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c 
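Review bot: bn2binpad gains a masked byte loop but no comment stating its timing contract, which only the commit log spells out: the loop runs exactly tolen iterations and its reads are bounded by a->top, so execution time depends on the requested output length and the limb count rather than on limb contents, while the `else if (tolen < i) return -1;` early exit still reveals whether the value fits. A block comment above the function should say this and add that the side-channel benefit presumably requires callers to pass a fixed tolen (the rsa_*.c caller hunks are not visible here to confirm they do); whether BN_num_bytes(a), evaluated before the loop, is itself constant-time is also not visible in this hunk and bears on the claim. The terse `/* stay on top limb */` would read better as `/* once i >= top, step back one byte so the read stays on the top limb; mask zeroes the output */`. The master-branch hunk `@@ -416,24 +417,30 @@` is identical and needs the same comment.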
@@ -155,32 +155,40 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, dblen = num - mdlen - 1; db = OPENSSL_malloc(dblen); -em = OPENSSL_malloc(num); -if (db == NULL || em == NULL) { +if (db == NULL) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); goto cleanup; } -/* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ -memset(em, 0, num); -memcpy(em + num - flen, from, flen); +if (flen != num) { +em = OPENSSL_zalloc(num); +if (em == NULL) { +RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + ERR_R_MALLOC_FAILURE); +goto cleanup; +} + +/* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ +memcpy(em + num - flen, from, flen); +from = em; +} /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ -good =
[openssl-commits] [openssl] master update
The branch master has been updated via 582ad5d4d9b7703eb089016935133e3a18ea8205 (commit) via 89d8aade5f4011ddeea7827f08ec544c914f275a (commit) from 1e839545803107b230a8177875de5994f85984de (commit) - Log - commit 582ad5d4d9b7703eb089016935133e3a18ea8205 Author: Andy Polyakov Date: Sun Feb 4 15:24:54 2018 +0100 rsa/*: switch to BN_bn2binpad. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5254) commit 89d8aade5f4011ddeea7827f08ec544c914f275a Author: Andy Polyakov Date: Sun Feb 4 15:20:29 2018 +0100 bn/bn_lib.c: make BN_bn2binpad computationally constant-time. "Computationally constant-time" means that it might still leak information about input's length, but only in cases when input is missing complete BN_ULONG limbs. But even then leak is possible only if attacker can observe memory access pattern with limb granularity. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5254) --- Summary of changes: crypto/bn/bn_lib.c| 23 +++ crypto/rsa/rsa_oaep.c | 38 +++--- crypto/rsa/rsa_ossl.c | 38 -- crypto/rsa/rsa_pk1.c | 39 +-- crypto/rsa/rsa_ssl.c | 8 5 files changed, 79 insertions(+), 67 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index b42df82..a582ce5 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -12,6 +12,7 @@ #include "internal/cryptlib.h" #include "bn_lcl.h" #include +#include "internal/constant_time_locl.h" /* This stuff appears to be completely unused, so is deprecated */ #if OPENSSL_API_COMPAT < 0x00908000L 
@@ -416,24 +417,30 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) /* ignore negative */ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { -int i; +int i, j, top; BN_ULONG l; -bn_check_top(a); i = BN_num_bytes(a); if (tolen == -1) tolen = i; else if (tolen < i) return -1; -/* Add leading zeroes if necessary */ -if (tolen > i) { -memset(to, 0, tolen - i); -to += tolen - i; + +if (i == 0) { +OPENSSL_cleanse(to, tolen); +return tolen; } -while (i--) { + +top = a->top * BN_BYTES; +for (i = 0, j = tolen; j > 0; i++) { +unsigned int mask; + +mask = constant_time_lt(i, top); +i -= 1 & ~mask; /* stay on top limb */ l = a->d[i / BN_BYTES]; -*(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; +to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); } + return tolen; } diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index d4de71d..dfea063 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c 
@@ -150,32 +150,40 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, dblen = num - mdlen - 1; db = OPENSSL_malloc(dblen); -em = OPENSSL_malloc(num); -if (db == NULL || em == NULL) { +if (db == NULL) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); goto cleanup; } -/* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ -memset(em, 0, num); -memcpy(em + num - flen, from, flen); +if (flen != num) { +em = OPENSSL_zalloc(num); +if (em == NULL) { +RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + ERR_R_MALLOC_FAILURE); +goto cleanup; +} + +/* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ +memcpy(em + num - flen, from, flen); +from = em; +} /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ -good = constant_time_is_zero(em[0]); +good = constant_time_is_zero(from[0]); -maskedseed = em + 1; -maskeddb = em + 1 + mdlen; +maskedseed = from + 1; +