[openssl-commits] [openssl] master update

2018-07-14 Thread Andy Polyakov
The branch master has been updated
   via  5d1c09de1f2736e1d4b1877206d08455ec75f558 (commit)
  from  582ad5d4d9b7703eb089016935133e3a18ea8205 (commit)


- Log -
commit 5d1c09de1f2736e1d4b1877206d08455ec75f558
Author: Andy Polyakov 
Date:   Thu Jul 12 19:15:26 2018 +0200

bn/bn_lcl.h,bn_nist.c: addres strict warnings with -DBN_DEBUG.

Reviewed-by: Rich Salz 

---

Summary of changes:
 crypto/bn/bn_lcl.h  | 9 -
 crypto/bn/bn_nist.c | 2 +-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index 0d3a8bf..d74b590 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -151,7 +151,6 @@
  * all operations manipulating the bit in question in non-BN_DEBUG build.
  */
 #  define BN_FLG_FIXED_TOP 0x1
-#  include 
 #  ifdef BN_DEBUG_RAND
 #   define bn_pollute(a) \
 do { \
@@ -175,10 +174,10 @@
 do { \
 const BIGNUM *_bnum2 = (a); \
 if (_bnum2 != NULL) { \
-int top = _bnum2->top; \
-assert((top == 0 && !_bnum2->neg) || \
-   (top && ((_bnum2->flags & BN_FLG_FIXED_TOP) \
-|| _bnum2->d[top - 1] != 0))); \
+int _top = _bnum2->top; \
+(void)ossl_assert((_top == 0 && !_bnum2->neg) || \
+  (_top && ((_bnum2->flags & BN_FLG_FIXED_TOP) 
\
+|| _bnum2->d[_top - 1] != 0))); \
 bn_pollute(_bnum2); \
 } \
 } while(0)
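Review bot: The `(void)` on the new `ossl_assert` call discards its result, so the macro's effect on an inconsistent top now depends entirely on how `ossl_assert` is defined for the build; if it follows its usual shape of collapsing to a bare comparison under NDEBUG, a `-DBN_DEBUG -DNDEBUG` build performs no check at all, which matches what the old `assert` did but is no longer obvious from the line itself. A comment above the call, `/* ossl_assert aborts on failure (no-op under NDEBUG); result intentionally discarded */`, would record that. The rename of the local to `_top` presumably avoids shadowing a `top` at the expansion site (the nist_cp_bn_0 signature in the bn_nist.c hunk has such a parameter), and a short note saying so would explain the underscore to the next reader. The same `(void)ossl_assert` pattern appears in the bn_nist.c hunk, where the copy loop that follows relies on `top <= max` holding. The bn_check_top macro definition begins before this hunk.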
diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c
index fcc2b77..4d71afd 100644
--- a/crypto/bn/bn_nist.c
+++ b/crypto/bn/bn_nist.c
@@ -254,7 +254,7 @@ static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG 
*src, int top, int max)
 int i;
 
 #ifdef BN_DEBUG
-assert(top <= max);
+(void)ossl_assert(top <= max);
 #endif
 for (i = 0; i < top; i++)
 dst[i] = src[i];


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-07-14 Thread Andy Polyakov
The branch OpenSSL_1_1_0-stable has been updated
   via  0b139e41b4ca03c1d36f4c93c6e9147e497029ca (commit)
   via  75a67a036a041d9fdac0fd7fd5a461f48709a3d3 (commit)
  from  db9926ff007ad8cd999a4e7eff35b04505b744b8 (commit)


- Log -
commit 0b139e41b4ca03c1d36f4c93c6e9147e497029ca
Author: Andy Polyakov 
Date:   Sun Feb 4 15:24:54 2018 +0100

rsa/*: switch to BN_bn2binpad.

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5254)

(cherry picked from commit 582ad5d4d9b7703eb089016935133e3a18ea8205)

commit 75a67a036a041d9fdac0fd7fd5a461f48709a3d3
Author: Andy Polyakov 
Date:   Sun Feb 4 15:20:29 2018 +0100

bn/bn_lib.c: make BN_bn2binpad computationally constant-time.

"Computationally constant-time" means that it might still leak
information about the input's length, but only in cases when the input
is missing complete BN_ULONG limbs. Even then, a leak is possible
only if an attacker can observe the memory access pattern with limb
granularity.

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5254)

(cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a)

---

Summary of changes:
 crypto/bn/bn_lib.c| 23 +++
 crypto/rsa/rsa_oaep.c | 38 +++---
 crypto/rsa/rsa_ossl.c | 38 --
 crypto/rsa/rsa_pk1.c  | 39 +--
 crypto/rsa/rsa_ssl.c  |  8 
 5 files changed, 79 insertions(+), 67 deletions(-)

diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 8fa9f2f..ebad255 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -12,6 +12,7 @@
 #include "internal/cryptlib.h"
 #include "bn_lcl.h"
 #include 
+#include "internal/constant_time_locl.h"
 
 /* This stuff appears to be completely unused, so is deprecated */
 #if OPENSSL_API_COMPAT < 0x00908000L
@@ -497,24 +498,30 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM 
*ret)
 /* ignore negative */
 static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
 {
-int i;
+int i, j, top;
 BN_ULONG l;
 
-bn_check_top(a);
 i = BN_num_bytes(a);
 if (tolen == -1)
 tolen = i;
 else if (tolen < i)
 return -1;
-/* Add leading zeroes if necessary */
-if (tolen > i) {
-memset(to, 0, tolen - i);
-to += tolen - i;
+
+if (i == 0) {
+OPENSSL_cleanse(to, tolen);
+return tolen;
 }
-while (i--) {
+
+top = a->top * BN_BYTES;
+for (i = 0, j = tolen; j > 0; i++) {
+unsigned int mask;
+
+mask = constant_time_lt(i, top);
+i -= 1 & ~mask; /* stay on top limb */
 l = a->d[i / BN_BYTES];
-*(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
+to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
 }
+
 return tolen;
 }
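Review bot: The early return on `i == 0` is load-bearing rather than a shortcut, and nothing in the hunk says so: with `a->top == 0` the loop would compute `top = 0`, get `mask == 0` on its first pass and drive `i` to -1, so the shift count `8 * (i % BN_BYTES)` would be negative (undefined behaviour) and `a->d[0]` would be read from a BIGNUM whose top says it has no limbs. A comment on that branch, `/* top == 0: the masked loop below has no limb to clamp onto, so zero-fill here */`, would keep a later cleanup from folding it into the loop. The `i -= 1 & ~mask;` line also deserves a sentence stating that once `i` reaches `top` it is pinned at `top - 1`, so every iteration reads an existing limb and `& mask` turns the surplus bytes into zeros; "stay on top limb" alone does not convey the clamping. The master-branch copy of this hunk further down the page is identical and the same comments apply there.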
 
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 4878d49..fbe65c4 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -155,32 +155,40 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, 
int tlen,
 
 dblen = num - mdlen - 1;
 db = OPENSSL_malloc(dblen);
-em = OPENSSL_malloc(num);
-if (db == NULL || em == NULL) {
+if (db == NULL) {
 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
 goto cleanup;
 }
 
-/*
- * Always do this zero-padding copy (even when num == flen) to avoid
- * leaking that information. The copy still leaks some side-channel
- * information, but it's impossible to have a fixed  memory access
- * pattern since we can't read out of the bounds of |from|.
- *
- * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
- */
-memset(em, 0, num);
-memcpy(em + num - flen, from, flen);
+if (flen != num) {
+em = OPENSSL_zalloc(num);
+if (em == NULL) {
+RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+   ERR_R_MALLOC_FAILURE);
+goto cleanup;
+}
+
+/*
+ * Caller is encouraged to pass zero-padded message created with
+ * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
+ * to avoid leaking that information. The copy still leaks some
+ * side-channel information, but it's impossible to have a fixed
+ * memory access pattern since we can't read out of the bounds of
+ * |from|.
+ */
+memcpy(em + num - flen, from, flen);
+from = em;
+}
 
 /*
  * The first byte must be zero, however we must not leak if this is
  * true. See James H. Manger, "A Chosen Ciphertext  Attack on RSA
  * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
  */
-good = 

[openssl-commits] [openssl] master update

2018-07-14 Thread Andy Polyakov
The branch master has been updated
   via  582ad5d4d9b7703eb089016935133e3a18ea8205 (commit)
   via  89d8aade5f4011ddeea7827f08ec544c914f275a (commit)
  from  1e839545803107b230a8177875de5994f85984de (commit)


- Log -
commit 582ad5d4d9b7703eb089016935133e3a18ea8205
Author: Andy Polyakov 
Date:   Sun Feb 4 15:24:54 2018 +0100

rsa/*: switch to BN_bn2binpad.

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5254)

commit 89d8aade5f4011ddeea7827f08ec544c914f275a
Author: Andy Polyakov 
Date:   Sun Feb 4 15:20:29 2018 +0100

bn/bn_lib.c: make BN_bn2binpad computationally constant-time.

"Computationally constant-time" means that it might still leak
information about the input's length, but only in cases when the input
is missing complete BN_ULONG limbs. Even then, a leak is possible
only if an attacker can observe the memory access pattern with limb
granularity.

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5254)

---

Summary of changes:
 crypto/bn/bn_lib.c| 23 +++
 crypto/rsa/rsa_oaep.c | 38 +++---
 crypto/rsa/rsa_ossl.c | 38 --
 crypto/rsa/rsa_pk1.c  | 39 +--
 crypto/rsa/rsa_ssl.c  |  8 
 5 files changed, 79 insertions(+), 67 deletions(-)

diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index b42df82..a582ce5 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -12,6 +12,7 @@
 #include "internal/cryptlib.h"
 #include "bn_lcl.h"
 #include 
+#include "internal/constant_time_locl.h"
 
 /* This stuff appears to be completely unused, so is deprecated */
 #if OPENSSL_API_COMPAT < 0x00908000L
@@ -416,24 +417,30 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM 
*ret)
 /* ignore negative */
 static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
 {
-int i;
+int i, j, top;
 BN_ULONG l;
 
-bn_check_top(a);
 i = BN_num_bytes(a);
 if (tolen == -1)
 tolen = i;
 else if (tolen < i)
 return -1;
-/* Add leading zeroes if necessary */
-if (tolen > i) {
-memset(to, 0, tolen - i);
-to += tolen - i;
+
+if (i == 0) {
+OPENSSL_cleanse(to, tolen);
+return tolen;
 }
-while (i--) {
+
+top = a->top * BN_BYTES;
+for (i = 0, j = tolen; j > 0; i++) {
+unsigned int mask;
+
+mask = constant_time_lt(i, top);
+i -= 1 & ~mask; /* stay on top limb */
 l = a->d[i / BN_BYTES];
-*(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
+to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
 }
+
 return tolen;
 }
 
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index d4de71d..dfea063 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -150,32 +150,40 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, 
int tlen,
 
 dblen = num - mdlen - 1;
 db = OPENSSL_malloc(dblen);
-em = OPENSSL_malloc(num);
-if (db == NULL || em == NULL) {
+if (db == NULL) {
 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
 goto cleanup;
 }
 
-/*
- * Always do this zero-padding copy (even when num == flen) to avoid
- * leaking that information. The copy still leaks some side-channel
- * information, but it's impossible to have a fixed  memory access
- * pattern since we can't read out of the bounds of |from|.
- *
- * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
- */
-memset(em, 0, num);
-memcpy(em + num - flen, from, flen);
+if (flen != num) {
+em = OPENSSL_zalloc(num);
+if (em == NULL) {
+RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+   ERR_R_MALLOC_FAILURE);
+goto cleanup;
+}
+
+/*
+ * Caller is encouraged to pass zero-padded message created with
+ * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
+ * to avoid leaking that information. The copy still leaks some
+ * side-channel information, but it's impossible to have a fixed
+ * memory access pattern since we can't read out of the bounds of
+ * |from|.
+ */
+memcpy(em + num - flen, from, flen);
+from = em;
+}
 
 /*
  * The first byte must be zero, however we must not leak if this is
  * true. See James H. Manger, "A Chosen Ciphertext  Attack on RSA
  * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
  */
-good = constant_time_is_zero(em[0]);
+good = constant_time_is_zero(from[0]);
 
-maskedseed = em + 1;
-maskeddb = em + 1 + mdlen;
+maskedseed = from + 1;
+