[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 12ad22dd16ffe47f8cde3cddb84a160e8cdb3e30 (commit) via e818b74be2170fbe957a07b0da4401c2b694b3b8 (commit) from 7e0b689f2369f78e55e9f6363b3de556d8688beb (commit) - Log - commit 12ad22dd16ffe47f8cde3cddb84a160e8cdb3e30 Author: Matt Caswell Date: Fri Dec 20 13:10:12 2019 + Prepare for 1.0.2v-dev Reviewed-by: Paul Yang commit e818b74be2170fbe957a07b0da4401c2b694b3b8 Author: Matt Caswell Date: Fri Dec 20 13:09:21 2019 + Prepare for 1.0.2u release Reviewed-by: Paul Yang --- Summary of changes: CHANGES | 6 +- NEWS | 6 +- README| 2 +- crypto/opensslv.h | 6 +++--- openssl.spec | 2 +- 5 files changed, 15 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index f28ff6eab6..22e9327352 100644 --- a/CHANGES +++ b/CHANGES @@ -7,7 +7,11 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. - Changes between 1.0.2t and 1.0.2u [xx XXX ] + Changes between 1.0.2u and 1.0.2v [xx XXX ] + + *) + + Changes between 1.0.2t and 1.0.2u [20 Dec 2019] *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are diff --git a/NEWS b/NEWS index 87fd610a6b..855902d3fc 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [under development] + Major changes between OpenSSL 1.0.2u and OpenSSL 1.0.2v [under development] + + o + + Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [20 Dec 2019] o Fixed an an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551) diff --git a/README b/README index 949262f2bd..ee7cc5cdd7 100644 --- a/README +++ b/README 
@@ -1,5 +1,5 @@ - OpenSSL 1.0.2u-dev + OpenSSL 1.0.2v-dev Copyright (c) 1998-2019 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 6cd4fffb59..61bc41b004 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x10002150L +# define OPENSSL_VERSION_NUMBER 0x10002160L # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2u-fips-dev xx XXX " +# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2v-fips-dev xx XXX " # else -# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2u-dev xx XXX " +# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2v-dev xx XXX " # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/openssl.spec b/openssl.spec index 9c23c4e1a5..ec59211227 100644 --- a/openssl.spec +++ b/openssl.spec @@ -7,7 +7,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: 1.0.2u +Version: 1.0.2v Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries
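Review bot: the CHANGES and NEWS hunks date the 1.0.2u entries [20 Dec 2019] while keeping the context text "Fixed an an overflow bug in the x64_64 Montgomery squaring procedure", which has a doubled "an" and names the architecture "x64_64" where the rest of the tree says x86_64; since this release commit is the last chance to touch those entries before they ship, the two lines should be corrected here rather than carried into the published release notes.

Review bot: in the crypto/opensslv.h hunk the bump 0x10002150L -> 0x10002160L is consistent with the text strings 1.0.2u-dev -> 1.0.2v-dev under the MNNFFPPS scheme the surrounding comment refers to (patch byte 0x15 = 21 = "u", 0x16 = 22 = "v", status nibble 0 = dev), and the "xx XXX" date placeholders in OPENSSL_VERSION_TEXT match the "[xx XXX ]" placeholders in CHANGES and NEWS; nothing to change, but both the number and the three text strings must be updated together, so the release script that does this should be the only editor of these lines.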
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 7e0b689f2369f78e55e9f6363b3de556d8688beb (commit) from b10ccf7f8a9efa3404348bafd20747a50d7e88bc (commit) - Log - commit 7e0b689f2369f78e55e9f6363b3de556d8688beb Author: Matt Caswell Date: Thu Dec 19 17:29:26 2019 + Update copyright year Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/10664) --- Summary of changes: apps/s_server.c| 2 +- crypto/asn1/x_bignum.c | 2 +- crypto/cryptlib.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/s_server.c b/apps/s_server.c index 97b65046bb..a122b39070 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c index f2de3de4de..71b733bf47 100644 --- a/crypto/asn1/x_bignum.c +++ b/crypto/asn1/x_bignum.c @@ -4,7 +4,7 @@ * 2000. */ /* - * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index 8a793cad9b..79770626fb 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -1,6 +1,6 @@ /* crypto/cryptlib.c */ /* - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via b10ccf7f8a9efa3404348bafd20747a50d7e88bc (commit) from 4975571a5dee8957f43aff70272dd9ab89f582cf (commit) - Log - commit b10ccf7f8a9efa3404348bafd20747a50d7e88bc Author: Matt Caswell Date: Thu Dec 19 14:33:26 2019 + Updates NEWS for new release Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/10663) --- Summary of changes: NEWS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 44add13f6a..87fd610a6b 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,8 @@ Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [under development] - o + o Fixed an an overflow bug in the x64_64 Montgomery squaring procedure +used in exponentiation with 512-bit moduli (CVE-2019-1551) Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019]
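Review bot: the added NEWS line "Fixed an an overflow bug in the x64_64 Montgomery squaring procedure" duplicates "an" and writes "x64_64" for x86_64; the same wording is copied into CHANGES and the later release commits, so it is worth fixing at the source before the 1.0.2u release notes are generated from it.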
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 4975571a5dee8957f43aff70272dd9ab89f582cf (commit) via ec8fcae925cca769cfdae4e4dd5ec62d32110982 (commit) via f1c5eea8a817075d31e43f5876993c6710238c98 (commit) from b39c0475a671879e2dd6c7a29de1127139f2dc0d (commit) - Log - commit 4975571a5dee8957f43aff70272dd9ab89f582cf Author: Bernd Edlinger Date: Thu Dec 5 01:20:14 2019 +0100 Add a CHANGES entry for CVE-2019-1551 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10576) commit ec8fcae925cca769cfdae4e4dd5ec62d32110982 Author: Bernd Edlinger Date: Wed Dec 4 12:57:41 2019 +0100 Improve the overflow handling in rsaz_512_sqr We have always a carry in %rcx or %rbx in range 0..2 from the previous stage, that is added to the result of the 64-bit square, but the low nibble of any square can only be 0, 1, 4, 9. Therefore one "adcq $0, %rdx" can be removed. Likewise in the ADX code we can remove one "adcx %rbp, $out" since %rbp is always 0, and carry is also zero, therefore that is a no-op. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10576) commit f1c5eea8a817075d31e43f5876993c6710238c98 Author: Andy Polyakov Date: Wed Dec 4 12:48:21 2019 +0100 Fix an overflow bug in rsaz_512_sqr There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. 
CVE-2019-1551 Reviewed-by: Paul Dale Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/10576) --- Summary of changes: CHANGES | 12 +- crypto/bn/asm/rsaz-x86_64.pl | 401 ++- 2 files changed, 218 insertions(+), 195 deletions(-) diff --git a/CHANGES b/CHANGES index df613740a9..f28ff6eab6 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,17 @@ Changes between 1.0.2t and 1.0.2u [xx XXX ] - *) + *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure + used in exponentiation with 512-bit moduli. No EC algorithms are + affected. Analysis suggests that attacks against 2-prime RSA1024, + 3-prime RSA1536, and DSA1024 as a result of this defect would be very + difficult to perform and are not believed likely. Attacks against DH512 + are considered just feasible. However, for an attack the target would + have to re-use the DH512 private key, which is not recommended anyway. + Also applications directly using the low level API BN_mod_exp may be + affected if they use BN_FLG_CONSTTIME. + (CVE-2019-1551) + [Andy Polyakov] Changes between 1.0.2s and 1.0.2t [10 Sep 2019] diff --git a/crypto/bn/asm/rsaz-x86_64.pl b/crypto/bn/asm/rsaz-x86_64.pl index 87ce2c34d9..faa9083ce7 100755 --- a/crypto/bn/asm/rsaz-x86_64.pl +++ b/crypto/bn/asm/rsaz-x86_64.pl @@ -140,7 +140,7 @@ rsaz_512_sqr: # 25-29% faster than rsaz_512_mul subq\$128+24, %rsp .Lsqr_body: - movq$mod, %rbp # common argument + movq$mod, %xmm1 # common off-load movq($inp), %rdx movq8($inp), %rax movq$n0, 128(%rsp) @@ -158,7 +158,8 @@ $code.=<<___; .Loop_sqr: movl$times,128+8(%rsp) #first iteration - movq%rdx, %rbx + movq%rdx, %rbx # 0($inp) + mov %rax, %rbp # 8($inp) mulq%rdx movq%rax, %r8 movq16($inp), %rax 
@@ -197,31 +198,29 @@ $code.=<<___; mulq%rbx addq%rax, %r14 movq%rbx, %rax - movq%rdx, %r15 - adcq\$0, %r15 + adcq\$0, %rdx - addq%r8, %r8#shlq \$1, %r8 - movq%r9, %rcx - adcq%r9, %r9#shld \$1, %r8, %r9 + xorq%rcx,%rcx # rcx:r8 = r8 << 1 + addq%r8, %r8 +movq %rdx, %r15 + adcq\$0, %rcx mulq%rax - movq%rax, (%rsp) - addq%rdx, %r8 - adcq\$0, %r9 + addq%r8, %rdx + adcq\$0, %rcx - movq%r8, 8(%rsp) - shrq\$63, %rcx + movq%rax, (%rsp) + movq%rdx, 8(%rsp) #second
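Review bot: the CHANGES hunk introduces the entry text "Fixed an an overflow bug in the x64_64 Montgomery squaring procedure" with a doubled "an" and "x64_64" for x86_64; this is the commit where the wording first appears, and it is then propagated to NEWS and the release commits, so correcting it here avoids fixing it in four places later.

Review bot: in the first rsaz-x86_64.pl hunk, `movq $mod, %rbp` becomes `movq $mod, %xmm1 # common off-load`, which frees %rbp so the second hunk can use it for `mov %rax, %rbp # 8($inp)`; every later use of %rbp as the modulus pointer in rsaz_512_sqr must now reload it from %xmm1, and that part of the 401-line diff is not visible here, so the reviewer should confirm the reload exists on each path before the reduction step. As a style point, the new line uses `mov` while every neighbouring instruction in the hunk is written `movq`.

Review bot: the carry chain in the second rsaz-x86_64.pl hunk is the substance of the CVE-2019-1551 fix and deserves a comment in the code beyond `# rcx:r8 = r8 << 1`. The removed sequence doubled the accumulator with `addq %r8, %r8` / `adcq %r9, %r9`, then folded the high half of the square in with `addq %rdx, %r8` / `adcq $0, %r9` and recovered one top bit afterwards via `shrq $63, %rcx` from a pre-doubling copy of %r9; no instruction captures a carry out of either `adcq` into %r9. The replacement zeroes %rcx up front and accumulates both carries into it (`adcq $0, %rcx` after the doubling and again after `addq %r8, %rdx`), so the doubled limb and its overflow are kept in rcx:rdx before `movq %rdx, 8(%rsp)`. Since the Summary of changes lists only CHANGES and crypto/bn/asm/rsaz-x86_64.pl, no regression test accompanies the fix; a 512-bit modulus test vector that exercises the overflowing carry path should be added to the bn tests so the bug cannot silently return in a later rewrite of this routine.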
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via b39c0475a671879e2dd6c7a29de1127139f2dc0d (commit) from 0159a1bb41b385a00836e9e7baeadad2f014b788 (commit) - Log - commit b39c0475a671879e2dd6c7a29de1127139f2dc0d Author: Matt Caswell Date: Fri Oct 18 16:40:44 2019 +0100 Fix an s_server arbitrary file read issue on Windows Running s_server in WWW mode on Windows can allow a client to read files outside the s_server directory by including backslashes in the name, e.g. GET /..\myfile.txt HTTP/1.0 There exists a check for this for Unix paths but it is not sufficient for Windows. Since s_server is a test tool no CVE is assigned. Thanks to Jobert Abma for reporting this. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/10215) (cherry picked from commit 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9) --- Summary of changes: apps/s_server.c | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/apps/s_server.c b/apps/s_server.c index ce7a1d64b6..97b65046bb 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -3045,6 +3045,12 @@ static int www_body(int s, int stype, unsigned char *context) if (e[0] == ' ') break; +if (e[0] == ':') { +/* Windows drive. We treat this the same way as ".." */ +dot = -1; +break; +} + switch (dot) { case 1: dot = (e[0] == '.') ? 2 : 0; @@ -3053,11 +3059,11 @@ static int www_body(int s, int stype, unsigned char *context) dot = (e[0] == '.') ? 3 : 0; break; case 3: -dot = (e[0] == '/') ? -1 : 0; +dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0; break; } if (dot == 0) -dot = (e[0] == '/') ? 1 : 0; +dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0; } dot = (dot == 3) || (dot == -1); /* filename contains ".." * component */ 
@@ -3071,11 +3077,11 @@ static int www_body(int s, int stype, unsigned char *context) if (dot) { BIO_puts(io, text); -BIO_printf(io, "'%s' contains '..' reference\r\n", p); +BIO_printf(io, "'%s' contains '..' or ':'\r\n", p); break; } -if (*p == '/') { +if (*p == '/' || *p == '\\') { BIO_puts(io, text); BIO_printf(io, "'%s' is an invalid path\r\n", p); break;
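Review bot: in the first www_body hunk the new `if (e[0] == ':') { dot = -1; break; }` rejects a colon at any position in the requested name, not only as the second character of a drive specifier, so the comment "Windows drive" understates what the check does; that is a safe over-approximation for a test tool, but the comment should say so. The unchanged trailing comment `/* filename contains ".." component */` is now stale, because `dot == -1` is also set by the colon check, and should mention ':' as the second hunk's error message already does.

Review bot: in the second www_body hunk, `if (*p == '/' || *p == '\\')` and the `e[0] == '\\'` tests in the first hunk are compiled on every platform, not only on Windows, so a file whose Unix name legitimately contains a backslash becomes unservable by s_server in WWW mode; given the commit message's note that s_server is a test tool this is acceptable, but a one-line comment stating that backslashes are deliberately treated as separators everywhere would prevent a future "fix" that reintroduces the Windows traversal.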
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 0159a1bb41b385a00836e9e7baeadad2f014b788 (commit) from 4e545c6a256fb1ab08cc5a3aabb00963dac3191b (commit) - Log - commit 0159a1bb41b385a00836e9e7baeadad2f014b788 Author: Cesar Pereida Garcia Date: Thu Sep 12 17:09:51 2019 +0300 [crypto/asn1/x_bignum.c] Explicit test against NULL As a fixup to https://github.com/openssl/openssl/pull/9779 to better conform to the project code style guidelines, this commit amends the original changeset to explicitly test against NULL, i.e. writing ``` if (p != NULL) ``` rather than ``` if (!p) ``` (This is a backport of https://github.com/openssl/openssl/pull/9881) Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9882) --- Summary of changes: crypto/asn1/x_bignum.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c index c644199c9f..f2de3de4de 100644 --- a/crypto/asn1/x_bignum.c +++ b/crypto/asn1/x_bignum.c @@ -102,7 +102,7 @@ ASN1_ITEM_end(CBIGNUM) static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { *pval = (ASN1_VALUE *)BN_new(); -if (*pval) +if (*pval != NULL) return 1; else return 0; @@ -110,7 +110,7 @@ static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it) static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it) { -if (!*pval) +if (*pval == NULL) return; if (it->size & BN_SENSITIVE) BN_clear_free((BIGNUM *)*pval); @@ -124,7 +124,7 @@ static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, { BIGNUM *bn; int pad; -if (!*pval) +if (*pval == NULL) return -1; bn = (BIGNUM *)*pval; /* If MSB set in an octet we need a padding byte */
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 4e545c6a256fb1ab08cc5a3aabb00963dac3191b (commit) from 1c10029a68e910d936f9bf011f8c3bb18a05ff8b (commit) - Log - commit 4e545c6a256fb1ab08cc5a3aabb00963dac3191b Author: Nicola Tuveri Date: Thu Oct 10 20:30:58 2019 +0300 [ec_asn1.c] Avoid injecting seed when built-in matches An unintended consequence of https://github.com/openssl/openssl/pull/9808 is that when an explicit parameters curve is matched against one of the well-known builtin curves we automatically inherit also the associated seed parameter, even if the input parameters excluded such parameter. This later affects the serialization of such parsed keys, causing their input DER encoding and output DER encoding to differ due to the additional optional field. This does not cause problems internally but could affect external applications, as reported in https://github.com/openssl/openssl/pull/9811#issuecomment-536153288 This commit fixes the issue by conditionally clearing the seed field if the original input parameters did not include it. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10141) --- Summary of changes: crypto/ec/ec_asn1.c | 14 ++ 1 file changed, 14 insertions(+) diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 865130f67e..30b3ebfbe0 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c 
@@ -973,6 +973,20 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params) * 0x0 = OPENSSL_EC_EXPLICIT_CURVE */ EC_GROUP_set_asn1_flag(ret, 0x0); + +/* + * If the input params do not contain the optional seed field we make + * sure it is not added to the returned group. + * + * The seed field is not really used inside libcrypto anyway, and + * adding it to parsed explicit parameter keys would alter their DER + * encoding output (because of the extra field) which could impact + * applications fingerprinting keys by their DER encoding. + */ +if (params->curve->seed == NULL) { +if (EC_GROUP_set_seed(ret, NULL, 0) != 1) +goto err; +} } ok = 1;
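Review bot: the check `if (EC_GROUP_set_seed(ret, NULL, 0) != 1) goto err;` depends on EC_GROUP_set_seed returning exactly 1 for the clear-the-seed case, which differs from its success return for a non-empty seed (the seed length); the test is correct for this call, but a short comment on that line would save the next reader a trip to ec_lib.c and keep someone from "simplifying" it to `<= 0`. The explanatory block comment about DER fingerprinting is good and explains why the seed must be dropped only when `params->curve->seed == NULL`.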
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 1c10029a68e910d936f9bf011f8c3bb18a05ff8b (commit) from fc437d8dd388753ffb7cc0fd4413c449747616fa (commit) - Log - commit 1c10029a68e910d936f9bf011f8c3bb18a05ff8b Author: Bernd Edlinger Date: Fri Sep 13 06:37:50 2019 +0200 Fix no-asm build in windows Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9885) --- Summary of changes: crypto/cryptlib.c | 5 + 1 file changed, 5 insertions(+) diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index 5fab45b2ec..8a793cad9b 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -745,6 +745,11 @@ int OPENSSL_NONPIC_relocated = 0; void OPENSSL_cpuid_setup(void) { } + +unsigned long OPENSSL_rdtsc(void) +{ +return 0; +} #endif #if (defined(_WIN32) || defined(__CYGWIN__)) && defined(_WINDLL)
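Review bot: the added `unsigned long OPENSSL_rdtsc(void) { return 0; }` stub sits in the same `#else` branch as the empty OPENSSL_cpuid_setup for builds without platform assembly, and it returns a constant, non-advancing value; the commit message ("Fix no-asm build in windows") does not say which caller needed the symbol, so a comment naming that caller and stating that callers must not treat this value as a timestamp or entropy source would document the assumption the stub makes.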
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via fc437d8dd388753ffb7cc0fd4413c449747616fa (commit) from a1ff24ad2ced610716635b31c41aad0b11238e88 (commit) - Log - commit fc437d8dd388753ffb7cc0fd4413c449747616fa Author: Bernd Edlinger Date: Thu Sep 12 20:02:06 2019 +0200 Remove known to fail versions from matrix Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9883) --- Summary of changes: appveyor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appveyor.yml b/appveyor.yml index 8c38feae6d..7a325901bb 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -15,7 +15,7 @@ configuration: - shared matrix: -allow_failures: +exclude: - platform: x64 VSVER: 9 - platform: x64
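Review bot: changing the appveyor.yml matrix key from `allow_failures:` to `exclude:` means the listed x64 / VSVER 9 configurations are no longer built at all rather than built and tolerated, so a regression in them will go unnoticed; the list would benefit from a comment giving the reason they are known to fail (or the tracking issue), so a later maintainer knows when it is safe to re-enable them.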
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via b5decf674be30a469e3863bd49bfedfbb32dfd0b (commit) from 32ef0494231971bb5be4ea9e5ad680a8d373a1d2 (commit) - Log - commit b5decf674be30a469e3863bd49bfedfbb32dfd0b Author: Matt Caswell Date: Tue Sep 10 14:32:15 2019 +0100 Fix the NEWS file The NEWS file was missing an entry for 1.0.2s. This confuses the release scripts - so add an empty entry. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9852) --- Summary of changes: NEWS | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 0d219d207c..9cf2ee8000 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,7 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2t [under development] + Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [under development] o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) @@ -16,6 +16,10 @@ o Document issue with installation paths in diverse Windows builds (CVE-2019-1552) + Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019] + + o None + Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] o 0-byte record padding oracle (CVE-2019-1559)
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 26080054209056b899fe677ee8393972a924cde5 (commit) from e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f (commit) - Log - commit 26080054209056b899fe677ee8393972a924cde5 Author: Matt Caswell Date: Tue Sep 10 11:58:18 2019 +0100 Remove duplicate CHANGES entry Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9846) --- Summary of changes: CHANGES | 13 + NEWS| 2 +- 2 files changed, 2 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index dbe5c1d043..867106458c 100644 --- a/CHANGES +++ b/CHANGES @@ -9,18 +9,6 @@ Changes between 1.0.2s and 1.0.2t [xx XXX ] - *) Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt(). In situations - where an attacker receives automated notification of the success or failure - of a decryption attempt an attacker, after sending a very large number of - messages to be decrypted, can recover a CMS/PKCS7 transported encryption - key or decrypt any RSA encrypted message that was encrypted with the public - RSA key, using a Bleichenbacher padding oracle attack. Applications are not - affected if they use a certificate together with the private RSA key to the - CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info - to decrypt. - (CVE-2019-1563) - [Bernd Edlinger] - *) For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()`/ @@ -51,6 +39,7 @@ certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. + (CVE-2019-1563) [Bernd Edlinger] *) Document issue with installation paths in diverse Windows builds diff --git a/NEWS b/NEWS index c8159993e9..0d219d207c 100644 --- a/NEWS +++ b/NEWS 
@@ -7,7 +7,7 @@ Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2t [under development] - o Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt() + o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) o For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters
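Review bot: the second CHANGES hunk moves "(CVE-2019-1563)" onto the surviving PKCS7_dataDecode / CMS_decrypt_set1_pkey entry, which is the right place for it, but the context line of that entry reads "in case the certifiate is not given" and the typo ("certificate") could be fixed in the same hunk. The NEWS hunk's rename from `PKCS7_decrypt()` / `CMS_decrypt()` to `PKCS7_dataDecode` / `CMS_decrypt_set1_pkey` now matches the functions actually patched in the fix commit.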
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 8bf7d77f33263c81b8e293347edc9a6e43f24d0e (commit) from 66fd724daa89996bb775ab8911479c11143b44df (commit) - Log - commit 8bf7d77f33263c81b8e293347edc9a6e43f24d0e Author: Matt Caswell Date: Tue Sep 10 10:26:07 2019 +0100 Update CHANGES and NEWS for the new release Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9843) --- Summary of changes: CHANGES | 12 NEWS| 9 - 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index e9b467bd04..eff1121106 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,18 @@ Changes between 1.0.2s and 1.0.2t [xx XXX ] + *) Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt(). In situations + where an attacker receives automated notification of the success or failure + of a decryption attempt an attacker, after sending a very large number of + messages to be decrypted, can recover a CMS/PKCS7 transported encryption + key or decrypt any RSA encrypted message that was encrypted with the public + RSA key, using a Bleichenbacher padding oracle attack. Applications are not + affected if they use a certificate together with the private RSA key to the + CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info + to decrypt. + (CVE-2019-1563) + [Bernd Edlinger] + *) For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()`/ diff --git a/NEWS b/NEWS index 4bff4ae96a..c8159993e9 100644 --- a/NEWS +++ b/NEWS 
@@ -7,7 +7,14 @@ Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2t [under development] - o + o Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt() +(CVE-2019-1563) + o For built-in EC curves, ensure an EC_GROUP built from the curve name is +used even when parsing explicit parameters + o Compute ECC cofactors if not provided during EC_GROUP construction +(CVE-2019-1547) + o Document issue with installation paths in diverse Windows builds +(CVE-2019-1552) Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019]
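Review bot: the CHANGES entry added here names `PKCS7_decrypt()` and `CMS_decrypt()`, whereas the fix commit for CVE-2019-1563 patches PKCS7_dataDecode and CMS_decrypt_set1_pkey; the mismatch is corrected in a later commit on this branch, but the entry should have named the patched functions from the start. The same entry also repeats its subject ("of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover"), so one of the two "an attacker" occurrences should go.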
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f (commit) from 8bf7d77f33263c81b8e293347edc9a6e43f24d0e (commit) - Log - commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f Author: Bernd Edlinger Date: Sun Sep 1 00:16:28 2019 +0200 Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9777) (cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37) --- Summary of changes: CHANGES | 14 ++ crypto/cms/cms_env.c| 18 +- crypto/cms/cms_lcl.h| 2 ++ crypto/cms/cms_smime.c | 4 crypto/pkcs7/pk7_doit.c | 12 5 files changed, 45 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index eff1121106..dbe5c1d043 100644 --- a/CHANGES +++ b/CHANGES 
@@ -39,6 +39,20 @@ (CVE-2019-1547) [Billy Bob Brumley] + *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. + An attack is simple, if the first CMS_recipientInfo is valid but the + second CMS_recipientInfo is chosen ciphertext. If the second + recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct + encryption key will be replaced by garbage, and the message cannot be + decoded, but if the RSA decryption fails, the correct encryption key is + used and the recipient will not notice the attack. + As a work around for this potential attack the length of the decrypted + key must be equal to the cipher default key length, in case the + certifiate is not given and all recipientInfo are tried out. + The old behaviour can be re-enabled in the CMS code by setting the + CMS_DEBUG_DECRYPT flag. + [Bernd Edlinger] + *) Document issue with installation paths in diverse Windows builds '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 93c06cb00a..77c8f0a483 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -422,6 +422,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, unsigned char *ek = NULL; size_t eklen; int ret = 0; +size_t fixlen = 0; CMS_EncryptedContentInfo *ec; ec = cms->d.envelopedData->encryptedContentInfo; @@ -430,6 +431,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, return 0; } +if (cms->d.envelopedData->encryptedContentInfo->havenocert +&& !cms->d.envelopedData->encryptedContentInfo->debug) { +X509_ALGOR *calg = ec->contentEncryptionAlgorithm; +const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm); + +if (ciph == NULL) { +CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER); +return 0; +} + +fixlen = EVP_CIPHER_key_length(ciph); +} + ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL); if (!ktri->pctx) return 0; 
@@ -460,7 +474,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, if (EVP_PKEY_decrypt(ktri->pctx, ek, , ktri->encryptedKey->data, - ktri->encryptedKey->length) <= 0) { + ktri->encryptedKey->length) <= 0 +|| eklen == 0 +|| (fixlen != 0 && eklen != fixlen)) { CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB); goto err; } diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h index 20f2c25f5a..f1f78e6a47 100644 --- a/crypto/cms/cms_lcl.h +++ b/crypto/cms/cms_lcl.h @@ -172,6 +172,8 @@ struct CMS_EncryptedContentInfo_st { size_t keylen; /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */ int debug; +/* Set to 1 if we have no cert and need extra safety measures for MMA */ +int havenocert; }; struct CMS_RecipientInfo_st { diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 07e3472e10..0b3d96ca62 100644 --- a/crypto/cms/cms_smime.c +++
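Review bot: the first cms_env.c hunk derives `fixlen` from `EVP_CIPHER_key_length(ciph)`, which is the cipher's default key length; for a cipher with a variable key length this can differ from the length actually used by a legitimate sender, in which case a valid message decrypted without a recipient certificate will now fail with CMS_R_CMS_LIB. The commit message states this trade-off ("must be equal to the cipher default key length, in case the certifiate is not given"), so it is a known limitation, but it belongs in a code comment next to `fixlen = EVP_CIPHER_key_length(ciph);` and in the CMS_decrypt documentation. As a style point, the hunk spells the same object both as `cms->d.envelopedData->encryptedContentInfo->havenocert` and as `ec`, which is assigned from that expression a few lines earlier; `ec->havenocert && !ec->debug` is shorter and avoids the line wrap.

Review bot: in the second cms_env.c hunk the extended condition `|| eklen == 0 || (fixlen != 0 && eklen != fixlen)` reports the same CMS_R_CMS_LIB error and takes the same `goto err` path as an EVP_PKEY_decrypt failure, which is what keeps the added length check from becoming a new distinguisher; that property is the point of the fix and should be stated in a comment so a later change does not introduce a distinct error code for the length mismatch. Note also that the check is live only when `fixlen != 0`, i.e. on the `havenocert` path set up in the previous hunk, so callers that pass a recipient certificate are unaffected by the new behaviour.

Review bot: the CHANGES hunk reads "An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext" and later "in case the certifiate is not given"; the stray comma and the typo ("certificate") should be fixed before this text reaches the release notes.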
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 32ef0494231971bb5be4ea9e5ad680a8d373a1d2 (commit) from 26080054209056b899fe677ee8393972a924cde5 (commit) - Log - commit 32ef0494231971bb5be4ea9e5ad680a8d373a1d2 Author: Matt Caswell Date: Tue Sep 10 14:01:06 2019 +0100 Update copyright year Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9849) --- Summary of changes: crypto/cms/cms_env.c| 2 +- crypto/cms/cms_lcl.h| 2 +- crypto/cms/cms_smime.c | 2 +- crypto/constant_time_locl.h | 2 +- crypto/ec/ec.h | 2 +- crypto/ec/ec_asn1.c | 2 +- crypto/ec/ec_curve.c| 2 +- crypto/ec/ec_lcl.h | 2 +- crypto/pem/pvkfmt.c | 2 +- crypto/rsa/rsa_chk.c| 2 +- crypto/x509v3/v3_alt.c | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 77c8f0a483..e46348fd4f 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -4,7 +4,7 @@ * project. */ /* - * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 2008-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h index f1f78e6a47..9ec13f5a4a 100644 --- a/crypto/cms/cms_lcl.h +++ b/crypto/cms/cms_lcl.h @@ -4,7 +4,7 @@ * project. */ /* - * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 2008-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 0b3d96ca62..f2d81bd2dc 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c 
@@ -4,7 +4,7 @@ * project. */ /* - * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 2008-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h index 94e20bcfc8..f322e7823a 100644 --- a/crypto/constant_time_locl.h +++ b/crypto/constant_time_locl.h @@ -6,7 +6,7 @@ * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley * (Google). * - * Copyright (c) 2014 The OpenSSL Project. All rights reserved. + * Copyright (c) 2014-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index b62613da55..012703666e 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -7,7 +7,7 @@ * \author Originally written by Bodo Moeller for the OpenSSL project */ /* - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index a9b90787c5..865130f67e 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -3,7 +3,7 @@ * Written by Nils Larsch for the OpenSSL project. */ /* - * Copyright (c) 2000-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index 9d4c71637b..a6c5083286 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c 
@@ -3,7 +3,7 @@ * Written by Nils Larsch for the OpenSSL project. */ /* - * Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via a1ff24ad2ced610716635b31c41aad0b11238e88 (commit) via cd7c7fc20b9feeb900632389401f514ac6b82f16 (commit) via c98ce139b5f7956bbab33b7e182ea4bcee1192d8 (commit) from b5decf674be30a469e3863bd49bfedfbb32dfd0b (commit) - Log - commit a1ff24ad2ced610716635b31c41aad0b11238e88 Author: Matt Caswell Date: Tue Sep 10 14:37:06 2019 +0100 Prepare for 1.0.2u-dev Reviewed-by: Richard Levitte commit cd7c7fc20b9feeb900632389401f514ac6b82f16 Author: Matt Caswell Date: Tue Sep 10 14:36:07 2019 +0100 Prepare for 1.0.2t release Reviewed-by: Richard Levitte commit c98ce139b5f7956bbab33b7e182ea4bcee1192d8 Author: Matt Caswell Date: Tue Sep 10 14:36:07 2019 +0100 make update Reviewed-by: Richard Levitte --- Summary of changes: CHANGES| 6 +- NEWS | 6 +- README | 2 +- crypto/bn/Makefile | 4 ++-- crypto/ec/Makefile | 2 +- crypto/opensslv.h | 6 +++--- openssl.spec | 2 +- util/libeay.num| 1 + 8 files changed, 19 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 867106458c..df613740a9 100644 --- a/CHANGES +++ b/CHANGES @@ -7,7 +7,11 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. - Changes between 1.0.2s and 1.0.2t [xx XXX ] + Changes between 1.0.2t and 1.0.2u [xx XXX ] + + *) + + Changes between 1.0.2s and 1.0.2t [10 Sep 2019] *) For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key diff --git a/NEWS b/NEWS index 9cf2ee8000..44add13f6a 100644 --- a/NEWS +++ b/NEWS 
@@ -5,7 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [under development] + Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [under development] + + o + + Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019] o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) diff --git a/README b/README index a9e3121f8c..949262f2bd 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.2t-dev + OpenSSL 1.0.2u-dev Copyright (c) 1998-2019 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/bn/Makefile b/crypto/bn/Makefile index 9fc4447cfc..7a3bf5d059 100644 --- a/crypto/bn/Makefile +++ b/crypto/bn/Makefile @@ -297,8 +297,8 @@ bn_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -bn_lib.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h -bn_lib.o: bn_lib.c +bn_lib.o: ../../include/openssl/symhacks.h ../bn_int.h ../constant_time_locl.h +bn_lib.o: ../cryptlib.h bn_lcl.h bn_lib.c bn_mod.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_mod.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_mod.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/crypto/ec/Makefile b/crypto/ec/Makefile index 6628390ba4..e9d65e3e3d 100644 --- a/crypto/ec/Makefile +++ b/crypto/ec/Makefile 
@@ -156,7 +156,7 @@ ec_curve.o: ../../include/openssl/err.h ../../include/openssl/lhash.h ec_curve.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h ec_curve.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ec_curve.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -ec_curve.o: ../../include/openssl/symhacks.h ec_curve.c ec_lcl.h +ec_curve.o: ../../include/openssl/symhacks.h ../bn_int.h ec_curve.c ec_lcl.h ec_cvt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ec_cvt.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h ec_cvt.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 4f725bb02d..6cd4fffb59 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x10002140L +# define OPENSSL_VERSION_NUMBER 0x10002150L # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2t-fips-dev xx XXX " +# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2u-fips-dev xx XXX " # else -# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2t-dev xx XXX " +# define
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 66fd724daa89996bb775ab8911479c11143b44df (commit) from 21c856b75d81eff61aa63b4f036bb64a85bf6d46 (commit)

- Log -

commit 66fd724daa89996bb775ab8911479c11143b44df
Author: Nicola Tuveri
Date: Sat Sep 7 18:05:31 2019 +0300

[ec] Match built-in curves on EC_GROUP_new_from_ecparameters

Description
---

Upon `EC_GROUP_new_from_ecparameters()` check if the parameters match any of the built-in curves. If that is the case, return a new `EC_GROUP_new_by_curve_name()` object instead of the explicit parameters `EC_GROUP`.

This affects all users of `EC_GROUP_new_from_ecparameters()`:
- direct calls to `EC_GROUP_new_from_ecparameters()`
- direct calls to `EC_GROUP_new_from_ecpkparameters()` with an explicit parameters argument
- ASN.1 parsing of explicit parameters keys (as it eventually ends up calling `EC_GROUP_new_from_ecpkparameters()`)

A parsed explicit parameter key will still be marked with the `OPENSSL_EC_EXPLICIT_CURVE` ASN.1 flag on load, so, unless programmatically forced otherwise, if the key is eventually serialized the output will still be encoded with explicit parameters, even if internally it is treated as a named curve `EC_GROUP`.

Before this change, creating any `EC_GROUP` object using `EC_GROUP_new_from_ecparameters()` yielded an object associated with the default generic `EC_METHOD`, but this was never guaranteed in the documentation. After this commit, users of the library that intentionally want to create an `EC_GROUP` object using a specific `EC_METHOD` can still explicitly call `EC_GROUP_new(foo_method)` and then manually set the curve parameters using `EC_GROUP_set_*()`.

Motivation
--

This has obvious performance benefits for the built-in curves with specialized `EC_METHOD`s and subtle but important security benefits:
- the specialized methods have better security hardening than the generic implementations
- optional fields in the parameter encoding, like the `cofactor`, cannot be leveraged by an attacker to force execution of the less secure code-paths for single point scalar multiplication
- in general, this leads to reducing the attack surface

Check the manuscript at https://arxiv.org/abs/1909.01785 for an in depth analysis of the issues related to this commit.

It should be noted that `libssl` does not allow to negotiate explicit parameters (as per RFC 8422), so it is not directly affected by the consequences of using explicit parameters that this commit fixes. On the other hand, we detected external applications and users in the wild that use explicit parameters by default (and sometimes using 0 as the cofactor value, which is technically not a valid value per the specification, but is tolerated by parsers for wider compatibility given that the field is optional). These external users of `libcrypto` are exposed to these vulnerabilities and their security will benefit from this commit.

Related commits
---

While this commit is beneficial for users using built-in curves and explicit parameters encoding for serialized keys, commit b783beeadf6b80bc431e6f3230b5d5585c87ef87 (and its equivalents for the 1.0.2, 1.1.0 and 1.1.1 stable branches) fixes the consequences of the invalid cofactor values more in general also for other curves (CVE-2019-1547).

The following list covers commits in `master` that are related to the vulnerabilities presented in the manuscript motivating this commit:
- d2baf88c43 [crypto/rsa] Set the constant-time flag in multi-prime RSA too
- 311e903d84 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
- b783beeadf [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
- 724339ff44 Fix SCA vulnerability when using PVK and MSBLOB key formats

Note that the PRs that contributed the listed commits also include other commits providing related testing and documentation, in addition to links to PRs and commits backporting the fixes to the 1.0.2, 1.1.0 and 1.1.1 branches.

This commit includes a partial backport of https://github.com/openssl/openssl/pull/8555 (commit 8402cd5f75f8c2f60d8bd39775b24b03dd8b3b38) for which the main author is Shane Lontis.

Responsible Disclosure
--

This and the other issues presented in https://arxiv.org/abs/1909.01785 were reported by Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya and Billy Bob Brumley from the NISEC group at Tampere University, FINLAND. The OpenSSL Security Team evaluated
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 21c856b75d81eff61aa63b4f036bb64a85bf6d46 (commit) from adaebd81a01e2926a3106feec0476db7c8d7b362 (commit) - Log - commit 21c856b75d81eff61aa63b4f036bb64a85bf6d46 Author: Billy Brumley Date: Sat Sep 7 10:50:58 2019 +0300 [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programmatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9799) --- Summary of changes: CHANGES| 7 crypto/ec/ec.h | 6 ++-- crypto/ec/ec_err.c | 3 +- crypto/ec/ec_lib.c | 102 + 4 files changed, 108 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index d804f325b4..ee272f2266 100644 --- a/CHANGES +++ b/CHANGES 
@@ -9,6 +9,13 @@ Changes between 1.0.2s and 1.0.2t [xx XXX ] + *) Compute ECC cofactors if not provided during EC_GROUP construction. Before + this change, EC_GROUP_set_generator would accept order and/or cofactor as + NULL. After this change, only the cofactor parameter can be NULL. It also + does some minimal sanity checks on the passed order. + (CVE-2019-1547) + [Billy Bob Brumley] + *) Document issue with installation paths in diverse Windows builds '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index 81e6faf6c5..b62613da55 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -1073,6 +1073,7 @@ int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off); * The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ + void ERR_load_EC_strings(void); /* Error codes for the EC functions. */ @@ -1270,13 +1271,14 @@ void ERR_load_EC_strings(void); # define EC_R_SLOT_FULL 108 # define EC_R_UNDEFINED_GENERATOR 113 # define EC_R_UNDEFINED_ORDER 128 +# define EC_R_UNKNOWN_COFACTOR152 # define EC_R_UNKNOWN_GROUP 129 # define EC_R_UNKNOWN_ORDER 114 # define EC_R_UNSUPPORTED_FIELD 131 # define EC_R_WRONG_CURVE_PARAMETERS 145 # define EC_R_WRONG_ORDER 130 -#ifdef __cplusplus +# ifdef __cplusplus } -#endif +# endif #endif diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c index 6fe5baafd4..220541161e 100644 --- a/crypto/ec/ec_err.c +++ b/crypto/ec/ec_err.c @@ -1,6 +1,6 @@ /* crypto/ec/ec_err.c */ /* - * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -310,6 +310,7 @@ static ERR_STRING_DATA EC_str_reasons[] = { {ERR_REASON(EC_R_SLOT_FULL), "slot full"}, {ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"}, {ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"}, +{ERR_REASON(EC_R_UNKNOWN_COFACTOR), "unknown cofactor"}, {ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"}, {ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"}, {ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"}, diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index cd2c420176..15302322f7 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -294,6 +294,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth) return meth->field_type; } +/*- + * Try computing cofactor from the
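Review bot: The crypto/ec/ec_lib.c hunk that carries the actual fix is cut off on this page after the comment `Try computing cofactor from the`, so the cofactor computation and the new NULL/sanity checks on the order that the CHANGES entry promises cannot be reviewed from the visible lines; what is visible is consistent: `EC_R_UNKNOWN_COFACTOR 152` is added to ec.h and the matching reason string "unknown cofactor" to ec_err.c. Two style points in the ec.h hunk: the reindent of `#ifdef __cplusplus` / `#endif` to `# ifdef` / `# endif` and the blank line inserted after the mkerr.pl comment are unrelated whitespace changes (presumably mkerr.pl output) riding along in a CVE fix, which makes the backport harder to compare across branches. The CHANGES entry documents an API tightening (`EC_GROUP_set_generator` no longer accepts a NULL order); that deserves a sentence in the function's man page as well, since callers constructing curves programmatically may rely on the old leniency.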
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via adaebd81a01e2926a3106feec0476db7c8d7b362 (commit) from 6a7bad0fd7a2125d075e459b33145d4ce5ee0de9 (commit) - Log - commit adaebd81a01e2926a3106feec0476db7c8d7b362 Author: Cesar Pereida Garcia Date: Thu Sep 5 17:47:40 2019 +0300 [crypto/rsa] Fix multiple SCA vulnerabilities during RSA key validation. This commit addresses multiple side-channel vulnerabilities present during RSA key validation. Private key parameters are re-computed using variable-time functions. This issue was discovered and reported by the NISEC group at TAU Finland. Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9785) --- Summary of changes: crypto/rsa/rsa_chk.c | 8 1 file changed, 8 insertions(+) diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c index 475dfc5628..3ea4e02974 100644 --- a/crypto/rsa/rsa_chk.c +++ b/crypto/rsa/rsa_chk.c @@ -63,6 +63,10 @@ int RSA_check_key(const RSA *key) return 0; } +/* Set consant-time flag on private parameters */ +BN_set_flags(key->p, BN_FLG_CONSTTIME); +BN_set_flags(key->q, BN_FLG_CONSTTIME); +BN_set_flags(key->d, BN_FLG_CONSTTIME); i = BN_new(); j = BN_new(); k = BN_new(); @@ -141,6 +145,10 @@ int RSA_check_key(const RSA *key) } if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { +/* Set consant-time flag on CRT parameters */ +BN_set_flags(key->dmp1, BN_FLG_CONSTTIME); +BN_set_flags(key->dmq1, BN_FLG_CONSTTIME); +BN_set_flags(key->iqmp, BN_FLG_CONSTTIME); /* dmp1 = d mod (p-1)? */ if (!BN_sub(i, key->p, BN_value_one())) { ret = -1;
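Review bot: `RSA_check_key()` takes a `const RSA *key`, yet the added `BN_set_flags(key->p, BN_FLG_CONSTTIME)` lines mutate the BIGNUMs the const object points to, and the flag stays set after the check returns; that is harmless (arguably desirable, since later private operations on the same key also benefit) but it is a visible side effect on the caller's key that should be spelled out in the commit message or a comment. Setting the flag on dmp1/dmq1/iqmp only inside the `if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL)` branch is correct, as those values are only touched there. Typo in both added comments: `consant-time` should read `constant-time`.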
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 920e37e3a7d6bb935dba446eb80cacb4c34e7488 (commit) via e3679b1547fc3b2d8e01943004d473c323b6f20d (commit) via bde4a001b3ad4b90a4dbf5d31b18e30e42230e69 (commit) via 853950f7bfc71b61a2e62db2563748b350b715cb (commit) via 2e9d293447b95c2a69eb5ff07fe974361d779444 (commit) from 55611d549bcf65e0de04938adbf403ccf02f241b (commit)

- Log -

commit 920e37e3a7d6bb935dba446eb80cacb4c34e7488
Author: Nicola Tuveri
Date: Fri Sep 6 14:05:26 2019 +0300

[ec/ecp_nistp*.c] restyle: use {} around `else` too

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9793)

commit e3679b1547fc3b2d8e01943004d473c323b6f20d
Author: Nicola Tuveri
Date: Fri Sep 6 01:31:45 2019 +0300

[ec/ecp_nistp*.c] remove flip_endian()

Replace flip_endian() by using the little endian specific bn_bn2lebinpad() and bn_lebin2bn().

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9793)

commit bde4a001b3ad4b90a4dbf5d31b18e30e42230e69
Author: Nicola Tuveri
Date: Fri Sep 6 00:18:36 2019 +0300

Uniform bn_bn2binpad() and bn_bn2lebinpad() implementations

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9793)

commit 853950f7bfc71b61a2e62db2563748b350b715cb
Author: Nicola Tuveri
Date: Fri Aug 2 02:08:34 2019 +0300

Make BN_num_bits() consttime upon BN_FLG_CONSTTIME

This issue was partially addressed by commit 972c87dfc7e765bd28a4964519c362f0d3a58ca4, which hardened its callee BN_num_bits_word() to avoid leaking the most-significant word of its argument via branching and memory access pattern.

The commit message also reported:

> There are a few places where BN_num_bits is called on an input where
> the bit length is also secret. This does *not* fully resolve those
> cases as we still only look at the top word.

BN_num_bits() is called directly or indirectly (e.g., through BN_num_bytes() or BN_bn2binpad()) in various parts of the `crypto/ec` code, notably in all the currently supported implementations of scalar multiplication (in the generic path through ec_scalar_mul_ladder() as well as in dedicated methods like ecp_nistp{224,256,521}.c and ecp_nistz256.c).

Under the right conditions, a motivated SCA attacker could retrieve the secret bitlength of a secret nonce through this vulnerability, potentially leading, ultimately, to recovering a long-term secret key.

With this commit, exclusively for BIGNUMs that are flagged with BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of the BIGNUM are accessed up to bn->dmax and bitwise masking is used to avoid branching.

Memory access pattern still leaks bn->dmax, the size of the lazily allocated buffer for representing the BIGNUM, which is inevitable with the current BIGNUM architecture: reading past bn->dmax would be an out-of-bound read. As such, it's the caller's responsibility to ensure that bn->dmax does not leak secret information, by explicitly expanding the internal BIGNUM buffer to a public value sufficient to avoid any lazy reallocation while manipulating it: this should be already done at the top level alongside setting the BN_FLG_CONSTTIME.

Thanks to David Schrammel and Samuel Weiser for reporting this issue through responsible disclosure.

Reviewed-by: Matt Caswell
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/9793)

commit 2e9d293447b95c2a69eb5ff07fe974361d779444
Author: Nicola Tuveri
Date: Fri Aug 2 01:33:05 2019 +0300

Fix a SCA leak using BN_bn2bin()

BN_bn2bin() is not constant-time and leaks the number of bits in the processed BIGNUM.

The specialized methods in ecp_nistp224.c, ecp_nistp256.c and ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the internal fixed length representation. This can leak during ECDSA/ECDH key generation or handling the nonce while generating an ECDSA signature, when using these implementations.

The amount and risk of leaked information useful for a SCA attack varies for each of the three curves, as it depends mainly on the ratio between the bitlength of the curve subgroup order (governing the size of the secret nonce/key) and the limb size for the internal BIGNUM representation (which depends on the compilation target architecture).

To fix this, we replace BN_bn2bin() with bn_bn2binpad(), bounding the output length to the width of the internal representation buffer: this length is public.

Internally the final implementation
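The BN_num_bits() hardening the commit message above describes, as an added example that is not OpenSSL's code: a toy limb array stands in for a BIGNUM, a leaky bit-length that reads only the top limb (the pre-fix behaviour) sits beside a constant-time one that touches every allocated limb up to `dmax` and selects the answer with masks, reusing the empty-asm barrier idea from the `value_barrier()` commit later on this page. The `toy_bn` type, `LIMB_BITS`, the helper names and the sample values are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for OpenSSL's BIGNUM (not the real struct). */
typedef uint64_t limb_t;
#define LIMB_BITS 64

typedef struct {
    limb_t *d;  /* little-endian limbs, d[0] least significant            */
    int top;    /* number of significant limbs: secret if the value is     */
    int dmax;   /* allocated limbs: public, the caller must pre-expand it  */
} toy_bn;

/* Optimisation barrier in the style of value_barrier(): returns a unchanged
 * but hides its value range from the optimiser, so masks stay branch-free. */
static limb_t barrier(limb_t a)
{
#if defined(__GNUC__)
    limb_t r;
    __asm__("" : "=r"(r) : "0"(a));
    return r;
#else
    volatile limb_t r = a;
    return r;
#endif
}

/* All-ones mask if a != 0, all-zeros otherwise, without branching:
 * the top bit of (a | -a) is set exactly when a != 0. */
static limb_t ct_nonzero_mask(limb_t a)
{
    return (limb_t)0 - ((a | ((limb_t)0 - a)) >> (LIMB_BITS - 1));
}

/* Bit length of one limb in constant time: a masked binary search that
 * performs the same shifts and ANDs for every input (cf. BN_num_bits_word). */
int ct_num_bits_limb(limb_t l)
{
    int bits = 0;
    int shift;

    for (shift = LIMB_BITS / 2; shift > 0; shift >>= 1) {
        limb_t high = l >> shift;
        limb_t m = barrier(ct_nonzero_mask(high));

        /* if the upper half is non-zero, keep it and credit 'shift' bits */
        l = (l & ~m) | (high & m);
        bits += (int)((limb_t)shift & m);
    }
    return bits + (int)(l & 1);
}

/* Pre-fix behaviour: only d[top - 1] is read, so the address touched
 * (and the result of the multiplication) depends on the secret top. */
int leaky_num_bits(const toy_bn *a)
{
    if (a->top == 0)
        return 0;
    return (a->top - 1) * LIMB_BITS + ct_num_bits_limb(a->d[a->top - 1]);
}

/* Hardened behaviour: every limb up to the public dmax is read and the
 * value for the highest non-zero limb is selected by masking, so only
 * dmax can leak, which is why callers must expand the buffer to a public size. */
int ct_num_bits(const toy_bn *a)
{
    int i;
    limb_t result = 0;   /* bit length of the highest non-zero limb seen  */
    limb_t found = 0;    /* all-ones once a non-zero limb has been seen   */

    for (i = a->dmax - 1; i >= 0; i--) {
        limb_t l = a->d[i];
        limb_t nz = ct_nonzero_mask(l);
        /* take this limb only if it is non-zero and no higher limb was */
        limb_t take = barrier(nz & ~found);
        limb_t here = (limb_t)(ct_num_bits_limb(l) + i * LIMB_BITS);

        result = (result & ~take) | (here & take);
        found |= nz;
    }
    return (int)result;
}

/* Constructed samples (not OpenSSL test vectors); every sample has dmax = 4
 * limbs allocated so the constant-time scan is the same length for all. */
int sample_num_bits(int k, int constant_time)
{
    limb_t limbs[4] = { 0, 0, 0, 0 };
    toy_bn b = { limbs, 0, 4 };

    switch (k) {
    case 0: break;                                            /* zero: 0 bits  */
    case 1: limbs[0] = 0x1234; b.top = 1; break;              /* 13 bits       */
    case 2: limbs[1] = 1; b.top = 2; break;                   /* 2^64: 65 bits */
    case 3: limbs[0] = ~(limb_t)0; limbs[1] = ~(limb_t)0;     /* 2^128 - 1:    */
            b.top = 2; break;                                 /* 128 bits      */
    default: return -1;
    }
    return constant_time ? ct_num_bits(&b) : leaky_num_bits(&b);
}

int main(void)
{
    int k;
    for (k = 0; k < 4; k++)
        printf("sample %d: leaky=%d constant-time=%d\n", k,
               sample_num_bits(k, 0), sample_num_bits(k, 1));
    return 0;
}
```

Both functions agree on every sample; the difference is purely in which memory is touched and how many operations run, which is what a timing or cache side channel observes.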
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 55611d549bcf65e0de04938adbf403ccf02f241b (commit) from 7fafaf27c2c2990fde2798424a38ce8443dae595 (commit) - Log - commit 55611d549bcf65e0de04938adbf403ccf02f241b Author: Cesar Pereida Garcia Date: Mon Aug 19 10:33:14 2019 +0300 Fix SCA vulnerability when using PVK and MSBLOB key formats This commit addresses a side-channel vulnerability present when PVK and MSBLOB key formats are loaded into OpenSSL. The public key was not computed using a constant-time exponentiation function. This issue was discovered and reported by the NISEC group at TAU Finland. Reviewed-by: Nicola Tuveri Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9638) --- Summary of changes: crypto/pem/pvkfmt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index f376f594b1..ff5674a99f 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -327,6 +327,8 @@ static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length, } else { if (!read_lebn(, 20, >priv_key)) goto memerr; +/* Set constant time flag before public key calculation */ +BN_set_flags(dsa->priv_key, BN_FLG_CONSTTIME); /* Calculate public key */ if (!(dsa->pub_key = BN_new())) goto memerr;
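Review bot: The flag is set on `dsa->priv_key` right before the `/* Calculate public key */` block, but the exponentiation call itself lies outside the visible context; the fix only helps if that call honours `BN_FLG_CONSTTIME` on the exponent (`BN_mod_exp()` does, by switching to the constant-time Montgomery path when the flag is set on the exponent), so that is worth confirming rather than assuming. The commit message names both PVK and MSBLOB, yet the summary shows only two insertions and they are in `b2i_dss()`; if the RSA reader in the same file derives anything from private material, it would need the same treatment, and if it does not, the message could say so.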
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 7fafaf27c2c2990fde2798424a38ce8443dae595 (commit) from d333ebaf9c77332754a9d5e111e2f53e1de54fdd (commit) - Log - commit 7fafaf27c2c2990fde2798424a38ce8443dae595 Author: Bernd Edlinger Date: Fri Aug 16 15:32:32 2019 +0200 Fix error handling in X509_chain_up_ref Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/9615) --- Summary of changes: crypto/x509/x509_cmp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 2d82f8fa8b..a7b90e6a42 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -490,6 +490,8 @@ STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain) STACK_OF(X509) *ret; int i; ret = sk_X509_dup(chain); +if (ret == NULL) +return NULL; for (i = 0; i < sk_X509_num(ret); i++) { X509 *x = sk_X509_value(ret, i); CRYPTO_add(>references, 1, CRYPTO_LOCK_X509);
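Review bot: The early `return NULL` after `sk_X509_dup(chain)` is the right fix, since the loop below would otherwise call `sk_X509_num(ret)` and `sk_X509_value(ret, i)` on a NULL stack. Consider also raising `ERR_R_MALLOC_FAILURE` through `X509err()` before returning (which may need a function code added via mkerr.pl), so that callers can tell the allocation failure apart from other NULL returns via the error queue.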
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via d333ebaf9c77332754a9d5e111e2f53e1de54fdd (commit) from 0bc650d58a58a8b4af97639b952eac3558bb982e (commit) - Log - commit d333ebaf9c77332754a9d5e111e2f53e1de54fdd Author: Richard Levitte Date: Thu Jul 25 12:21:33 2019 +0200 Document issue with default installation paths on diverse Windows targets For all config targets (except VMS, because it has a completely different set of scripts), '/usr/local/ssl' is the default prefix for installation of programs and libraries, as well as the path for OpenSSL run-time configuration. For programs built to run in a Windows environment, this default is unsafe, and the user should set a different prefix. This has been hinted at in some documentation but not all, and the danger of leaving the default as is hasn't been documented at all. This change documents the issue as a caveat lector, and all configuration examples now include an example --prefix. CVE-2019-1552 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9456) --- Summary of changes: CHANGES | 7 ++- INSTALL.DJGPP | 14 -- INSTALL.W32 | 24 +--- INSTALL.W64 | 12 ++-- INSTALL.WCE | 13 - 5 files changed, 61 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index 137b629..d804f32 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,12 @@ Changes between 1.0.2s and 1.0.2t [xx XXX ] - *) + *) Document issue with installation paths in diverse Windows builds + + '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL + binaries and run-time config file. + (CVE-2019-1552) + [Richard Levitte] Changes between 1.0.2r and 1.0.2s [28 May 2019] diff --git a/INSTALL.DJGPP b/INSTALL.DJGPP index 1047ec9..ecbf493 100644 --- a/INSTALL.DJGPP +++ b/INSTALL.DJGPP 
@@ -33,8 +33,18 @@ running in a DOS box under Windows. If so, just close the BASH shell, go back to Windows, and restart BASH. Then run "make" again. - RUN-TIME CAVEAT LECTOR - -- + CAVEAT LECTOR + - + + ### Default install and config paths + + ./Configure defaults to '/usr/local/ssl' as installation top. This is + suitable for Unix, but not for Windows, where this usually is a world + writable directory and therefore accessible for change by untrusted users. + It is therefore recommended to set your own --prefix or --openssldir to + some location that is not world writeable (see the example above) + + ### Entropy Quoting FAQ: diff --git a/INSTALL.W32 b/INSTALL.W32 index bd10187..b97a3d0 100644 --- a/INSTALL.W32 +++ b/INSTALL.W32 @@ -34,6 +34,17 @@ get it all to work. See the trouble shooting section later on for if (when?) it goes wrong. + CAVEAT LECTOR + - + + ### Default install and config paths + + ./Configure defaults to '/usr/local/ssl' as installation top. This is + suitable for Unix, but not for Windows, where this usually is a world + writable directory and therefore accessible for change by untrusted users. + It is therefore recommended to set your own --prefix or --openssldir to + some location that is not world writeable (see the example above) + Visual C++ -- @@ -104,7 +115,7 @@ - * Configure for building with Borland Builder: - > perl Configure BC-32 + > perl Configure BC-32 --prefix=c:\some\openssl\dir * Create the appropriate makefile > ms\do_nasm @@ -196,7 +207,7 @@ * Compile OpenSSL: - $ ./config + $ ./config --prefix=c:/some/openssl/dir [...] $ make [...] 
@@ -206,7 +217,11 @@ and openssl.exe application in apps directory. It is also possible to cross-compile it on Linux by configuring - with './Configure --cross-compile-prefix=i386-mingw32- mingw ...'. + like this: + + $ ./Configure --cross-compile-prefix=i386-mingw32- \ + --prefix=c:/some/openssl/dir mingw ... + 'make test' is naturally not applicable then. libcrypto.a and libssl.a are the static libraries. To use the DLLs, @@ -240,6 +255,9 @@ $ copy /b out32dll\libeay32.dll c:\openssl\bin $ copy /b out32dll\openssl.exe c:\openssl\bin + ("c:\openssl" should be whatever you specified to --prefix when + configuring the build) + Of course, you can choose another device than c:. C: is used here because that's usually the first (and often only) harddisk device. Note: in the modssl INSTALL.Win32, p: is used rather than c:. diff --git a/INSTALL.W64 b/INSTALL.W64 index 9fa7a19..3f5bf80 100644 --- a/INSTALL.W64 +++ b/INSTALL.W64 @@ -30,6 +30,14 @@ Neither of these is actually big deal and hardly encountered in real-life applications. + ### Default install and
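Review bot: In the INSTALL.W32 hunk the new CAVEAT LECTOR section is inserted at line 34, before the Visual C++ section, yet its text says `(see the example above)`; the `--prefix` examples it refers to are the ones added further down at lines 115 and 207 (`> perl Configure BC-32 --prefix=c:\some\openssl\dir` and `$ ./config --prefix=c:/some/openssl/dir`), so for this file it should say "below". The same sentence lacks a terminating full stop in both INSTALL.DJGPP and INSTALL.W32. The examples mix `c:\some\openssl\dir` and `c:/some/openssl/dir`; if the difference is intentional (cmd versus a POSIX shell), a short remark would stop readers from taking one of them for a typo.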
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 0bc650d58a58a8b4af97639b952eac3558bb982e (commit) from aa8b244e5c22193078e3e80fad1f5b27bf62c73b (commit) - Log - commit 0bc650d58a58a8b4af97639b952eac3558bb982e Author: Bernd Edlinger Date: Sun Jul 21 10:41:39 2019 +0200 Use trusty for travis builds this works around build failures due to clang error: unknown warning option '-Wno-extended-offsetof' [extended tests] Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/9425) --- Summary of changes: .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index c3e035e..0a50db1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,4 @@ +dist: trusty language: c addons:
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via aa8b244e5c22193078e3e80fad1f5b27bf62c73b (commit) from 7a7afc559ebc0ad88390cc62bfc34c221d595831 (commit) - Log - commit aa8b244e5c22193078e3e80fad1f5b27bf62c73b Author: Bernd Edlinger Date: Fri Jun 21 21:26:19 2019 +0200 Add value_barriers in constant time select functions The barriers prevent the compiler from narrowing down the possible value range of the mask and ~mask in the select statements, which avoids the recognition of the select and turning it into a conditional load or branch. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9419) --- Summary of changes: crypto/constant_time_locl.h | 20 +++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h index a5734f2..94e20bc 100644 --- a/crypto/constant_time_locl.h +++ b/crypto/constant_time_locl.h @@ -185,11 +185,29 @@ static inline unsigned char constant_time_eq_int_8(int a, int b) return constant_time_eq_8((unsigned)(a), (unsigned)(b)); } +/* + * Returns the value unmodified, but avoids optimizations. + * The barriers prevent the compiler from narrowing down the + * possible value range of the mask and ~mask in the select + * statements, which avoids the recognition of the select + * and turning it into a conditional load or branch. + */ +static inline unsigned int value_barrier(unsigned int a) +{ +#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) +unsigned int r; +__asm__("" : "=r"(r) : "0"(a)); +#else +volatile unsigned int r = a; +#endif +return r; +} + static inline unsigned int constant_time_select(unsigned int mask, unsigned int a, unsigned int b) { -return (mask & a) | (~mask & b); +return (value_barrier(mask) & a) | (value_barrier(~mask) & b); } static inline unsigned char constant_time_select_8(unsigned char mask,
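Review bot: Only `constant_time_select()` receives the barriers in the visible hunk; that is sufficient provided the `_8`, `_int` and other select variants in this header are thin wrappers around it, which the hunk does not show and is worth re-checking. The barrier is gated on `!defined(OPENSSL_NO_ASM) && defined(__GNUC__)` even though the empty `__asm__("" : "=r"(r) : "0"(a))` statement emits no assembly, so `no-asm` builds on GCC or clang silently fall back to the weaker `volatile` copy; gating on `__GNUC__` alone would give those builds the same protection. The `volatile` fallback is acceptable as a portable last resort, but it forces a memory round trip on every select.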
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 7a7afc559ebc0ad88390cc62bfc34c221d595831 (commit) via 3750879c117fddf583ef5d46069bac2b4d6523b8 (commit) from 8479e9e97354add3c562670db66b5f8151dc3b2e (commit) - Log - commit 7a7afc559ebc0ad88390cc62bfc34c221d595831 Author: Bernd Edlinger Date: Thu Apr 19 22:17:24 2018 +0200 Fix a warning about missing prototype on arm (cherry picked from commit 5fc89c1af837026b5812526ef6f519bf7ca42f16) Reviewed-by: Paul Dale Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8243) commit 3750879c117fddf583ef5d46069bac2b4d6523b8 Author: Bernd Edlinger Date: Thu Apr 19 20:56:46 2018 +0200 Fix building linux-armv4 with --strict-warnings (cherry picked from commit 0e0f8116e247912f5c48f8b3786e543f37fc1f87) Reviewed-by: Paul Dale Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8243) --- Summary of changes: crypto/arm_arch.h | 2 +- crypto/armcap.c | 1 + crypto/cryptlib.h | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h index 9d6e588..de592de 100644 --- a/crypto/arm_arch.h +++ b/crypto/arm_arch.h @@ -64,7 +64,7 @@ # endif # endif -# if !__ASSEMBLER__ +# ifndef __ASSEMBLER__ extern unsigned int OPENSSL_armcap_P; # endif diff --git a/crypto/armcap.c b/crypto/armcap.c index 356fa15..6283e37 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -5,6 +5,7 @@ #include #include +#include "cryptlib.h" #include "arm_arch.h" unsigned int OPENSSL_armcap_P = 0; diff --git a/crypto/cryptlib.h b/crypto/cryptlib.h index cdbddf1..2f9eced 100644 --- a/crypto/cryptlib.h +++ b/crypto/cryptlib.h @@ -106,6 +106,8 @@ extern int OPENSSL_NONPIC_relocated; char *ossl_safe_getenv(const char *); +unsigned long OPENSSL_rdtsc(void); + #ifdef __cplusplus } #endif
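Review bot: Changing `# if !__ASSEMBLER__` to `# ifndef __ASSEMBLER__` is the correct spelling; the old form only worked because an undefined macro evaluates to 0 in `#if`, which pedantic warning sets flag. The new `unsigned long OPENSSL_rdtsc(void);` prototype in cryptlib.h has to match the return type of the definition, which is not among the visible lines; including `cryptlib.h` from armcap.c is what brings the prototype into the translation unit that defines the function, so the missing-prototype warning goes away for the right reason rather than by suppression.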
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via ec36b3298502fe71110a14197c54555b6cf6ca75 (commit) via cf9143f945a67f3d540e2704fdbdf1bdc985233d (commit) from 66c236c44060366a9f2c87f30fc648e47898af27 (commit) - Log - commit ec36b3298502fe71110a14197c54555b6cf6ca75 Author: Richard Levitte Date: Tue May 28 14:56:42 2019 +0200 Prepare for 1.0.2t-dev Reviewed-by: Matt Caswell commit cf9143f945a67f3d540e2704fdbdf1bdc985233d Author: Richard Levitte Date: Tue May 28 14:56:29 2019 +0200 Prepare for 1.0.2s release Reviewed-by: Matt Caswell --- Summary of changes: CHANGES | 6 +- NEWS | 4 README| 2 +- crypto/opensslv.h | 6 +++--- openssl.spec | 2 +- 5 files changed, 14 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 1b62a06..137b629 100644 --- a/CHANGES +++ b/CHANGES @@ -7,7 +7,11 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. - Changes between 1.0.2r and 1.0.2s [xx XXX ] + Changes between 1.0.2s and 1.0.2t [xx XXX ] + + *) + + Changes between 1.0.2r and 1.0.2s [28 May 2019] *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the genpkey app when no size is given. It diff --git a/NEWS b/NEWS index 4d4e9df..4bff4ae 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2t [under development] + + o + Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] o 0-byte record padding oracle (CVE-2019-1559) diff --git a/README b/README index 3da00c2..a9e3121 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.2s-dev + OpenSSL 1.0.2t-dev Copyright (c) 1998-2019 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 752c66d..4f725bb 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h 
@@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x10002130L +# define OPENSSL_VERSION_NUMBER 0x10002140L # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2s-fips-dev xx XXX " +# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2t-fips-dev xx XXX " # else -# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2s-dev xx XXX " +# define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2t-dev xx XXX " # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/openssl.spec b/openssl.spec index 7e94a22..475ddcf 100644 --- a/openssl.spec +++ b/openssl.spec @@ -7,7 +7,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: 1.0.2s +Version: 1.0.2t Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries
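Review bot: the NEWS hunk's new heading reads "Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2t [under development]", but the release being prepared in the same commit is 1.0.2s, so the range should be "between OpenSSL 1.0.2s and OpenSSL 1.0.2t"; the CHANGES hunk in the same patch has it right ("Changes between 1.0.2s and 1.0.2t"). The hunk also leaves NEWS without any dated section for 1.0.2s: the placeholder for the next dev version is followed directly by the 1.0.2r section, so the user-visible change recorded in the CHANGES context line ("Change the default RSA, DSA and DH size to 2048 bit instead of 1024") is not surfaced in NEWS at all. Suggest inserting a "Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019]" block with that item before the 1.0.2r section.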
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 66c236c44060366a9f2c87f30fc648e47898af27 (commit) from bb36ec5f5bc6a34370e821260ad4f620dd16ecec (commit) - Log - commit 66c236c44060366a9f2c87f30fc648e47898af27 Author: Richard Levitte Date: Tue May 28 14:41:38 2019 +0200 Update copyright year Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9032) --- Summary of changes: README | 2 +- crypto/dh/dh_pmeth.c | 2 +- crypto/dsa/dsa_pmeth.c | 2 +- crypto/ec/ec2_oct.c| 2 +- crypto/ec/ec_lib.c | 2 +- crypto/ec/ec_mult.c| 2 +- crypto/ec/ecp_oct.c| 2 +- crypto/ec/ectest.c | 2 +- crypto/ecdh/ech_ossl.c | 2 +- crypto/err/err.c | 2 +- crypto/err/err.h | 2 +- crypto/rsa/rsa_eay.c | 2 +- crypto/rsa/rsa_pmeth.c | 2 +- ssl/d1_pkt.c | 2 +- ssl/s3_pkt.c | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/README b/README index 93d66d7..3da00c2 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ OpenSSL 1.0.2s-dev - Copyright (c) 1998-2018 The OpenSSL Project + Copyright (c) 1998-2019 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 30777c8..924a5ae 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -3,7 +3,7 @@ * 2006. */ /* - * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index 51e382d..cdf7320 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c 
@@ -3,7 +3,7 @@ * 2006. */ /* - * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index b3e71c4..5da3cd8 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -14,7 +14,7 @@ * */ /* - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index c01e0f0..cd2c420 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index fce8882..a784a99 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. */ /* - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index 941f0ec..6943cee 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c 
@@ -5,7 +5,7 @@ * OpenSSL project. */ /* - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c index c3cdac1..73f7374 100644 --- a/crypto/ec/ectest.c +++ b/crypto/ec/ectest.c @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /*
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via bb36ec5f5bc6a34370e821260ad4f620dd16ecec (commit) from 0f283c9a665c5dc5cd2b89a3373da34f144ebd64 (commit) - Log - commit bb36ec5f5bc6a34370e821260ad4f620dd16ecec Author: Richard Levitte Date: Mon May 27 21:38:00 2019 +0200 Add CHANGES for 1.0.2s Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9019) --- Summary of changes: CHANGES | 9 + NEWS| 4 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 38864c1..1b62a06 100644 --- a/CHANGES +++ b/CHANGES @@ -17,10 +17,11 @@ *) Add FIPS support for Android Arm 64-bit - Support for Android Arm 64-bit was added to the OpenSSL FIPS Object Module in - Version 2.0.10. For some reason, the corresponding target 'android64-aarch64' - was missing OpenSSL 1.0.2, whence it could not be built with FIPS support on - Android Arm 64-bit. This omission has been fixed. + Support for Android Arm 64-bit was added to the OpenSSL FIPS Object + Module in Version 2.0.10. For some reason, the corresponding target + 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be + built with FIPS support on Android Arm 64-bit. This omission has been + fixed. [Matthias St. Pierre] Changes between 1.0.2q and 1.0.2r [26 Feb 2019] diff --git a/NEWS b/NEWS index a92af92..4d4e9df 100644 --- a/NEWS +++ b/NEWS @@ -5,10 +5,6 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [under development] - - o - Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] o 0-byte record padding oracle (CVE-2019-1559)
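Review bot: the NEWS hunk deletes the "Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [under development]" placeholder without putting a dated 1.0.2s section in its place, so after this commit NEWS goes straight to the 1.0.2r entry while the reflowed CHANGES entry in the first hunk documents a user-visible change for 1.0.2s (the Android Arm 64-bit FIPS target). Keeping the heading and listing that item now is less error-prone than re-adding the section during the release commit. Also, the reflowed text still says "was missing OpenSSL 1.0.2, whence it could not be built"; "was missing from OpenSSL 1.0.2" is what is meant, and since the lines are being rewrapped anyway this is the moment to fix the wording.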
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 0f283c9a665c5dc5cd2b89a3373da34f144ebd64 (commit) from cea83f9f7825309379db3fea77f19edf0c5b1e13 (commit) - Log - commit 0f283c9a665c5dc5cd2b89a3373da34f144ebd64 Author: Kurt Roeckx Date: Sat Apr 13 12:32:48 2019 +0200 Change default RSA, DSA and DH size to 2048 bit Fixes: #8737 Reviewed-by: Bernd Edlinger Reviewed-by: Richard Levitte GH: #8741 (cherry picked from commit 70b0b977f73cd70e17538af3095d18e0cf59132e) --- Summary of changes: CHANGES| 6 ++ crypto/dh/dh_pmeth.c | 2 +- crypto/dsa/dsa_pmeth.c | 8 crypto/rsa/rsa_pmeth.c | 2 +- doc/apps/genpkey.pod | 8 5 files changed, 16 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 78c7b59..38864c1 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,12 @@ Changes between 1.0.2r and 1.0.2s [xx XXX ] + *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. + This changes the size when using the genpkey app when no size is given. It + fixes an omission in earlier changes that changed all RSA, DSA and DH + generation apps to use 2048 bits by default. + [Kurt Roeckx] + *) Add FIPS support for Android Arm 64-bit Support for Android Arm 64-bit was added to the OpenSSL FIPS Object Module in diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 162753a..30777c8 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -101,7 +101,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx) dctx = OPENSSL_malloc(sizeof(DH_PKEY_CTX)); if (!dctx) return 0; -dctx->prime_len = 1024; +dctx->prime_len = 2048; dctx->subprime_len = -1; dctx->generator = 2; dctx->use_dsa = 0; diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index 7f00e97..51e382d 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c 
@@ -69,8 +69,8 @@ typedef struct { /* Parameter gen parameters */ -int nbits; /* size of p in bits (default: 1024) */ -int qbits; /* size of q in bits (default: 160) */ +int nbits; /* size of p in bits (default: 2048) */ +int qbits; /* size of q in bits (default: 224) */ const EVP_MD *pmd; /* MD for parameter generation */ /* Keygen callback info */ int gentmp[2]; @@ -84,8 +84,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx) dctx = OPENSSL_malloc(sizeof(DSA_PKEY_CTX)); if (!dctx) return 0; -dctx->nbits = 1024; -dctx->qbits = 160; +dctx->nbits = 2048; +dctx->qbits = 224; dctx->pmd = NULL; dctx->md = NULL; diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index 00e730f..b0a51ee 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -103,7 +103,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx) rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX)); if (!rctx) return 0; -rctx->nbits = 1024; +rctx->nbits = 2048; rctx->pub_exp = NULL; rctx->pad_mode = RSA_PKCS1_PADDING; rctx->md = NULL; diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod index 2e24400..2a86c68 100644 --- a/doc/apps/genpkey.pod +++ b/doc/apps/genpkey.pod @@ -111,7 +111,7 @@ below. =item B -The number of bits in the generated key. If not specified 1024 is used. +The number of bits in the generated key. If not specified 2048 is used. =item B @@ -149,12 +149,12 @@ below. =item B -The number of bits in the generated prime. If not specified 1024 is used. +The number of bits in the generated prime. If not specified 2048 is used. =item B The number of bits in the q parameter. Must be one of 160, 224 or 256. If not -specified 160 is used. +specified 224 is used. =item B @@ -173,7 +173,7 @@ or B if it is 256. =item B -The number of bits in the prime parameter B. The default is 1024. +The number of bits in the prime parameter B. The default is 2048. =item B
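Review bot: in the dsa_pmeth.c hunks the defaults move to nbits = 2048 and qbits = 224 while dctx->pmd stays NULL, so the digest for parameter generation is still selected later from qbits; please confirm that the NULL-pmd fallback yields a digest with at least 224 bits of output, because a 160-bit digest can only produce a 160-bit q and the new default would otherwise fail or silently generate the wrong size. The genpkey.pod hunk is consistent with the code ("Must be one of 160, 224 or 256. If not specified 224 is used"), but the option that selects the generation digest could add that its output must be at least qbits long, so users who set qbits to 256 also pick a matching digest. The rsa_pmeth.c and dh_pmeth.c hunks are plain 1024 to 2048 bumps and the corresponding genpkey.pod lines match them.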
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via cea83f9f7825309379db3fea77f19edf0c5b1e13 (commit) from f937540ec40a5e838460b8f19d2eb722529126b8 (commit) - Log - commit cea83f9f7825309379db3fea77f19edf0c5b1e13 Author: Emilia Kasper Date: Fri Jun 3 14:42:04 2016 +0200 RT 4242: reject invalid EC point coordinates This is a backport of commit 1e2012b7 to 1.0.2. This hardening change was made to 1.1.0 but was not backported to 1.0.2. Recent CVEs in user applications have shown this additional hardening in 1.0.2 would be beneficial. E.g. see the patch for CVE-2019-9498 https://w1.fi/security/2019-4/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch and CVE-2019-9499 https://w1.fi/security/2019-4/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch The original commit had this description: We already test in EC_POINT_oct2point that points are on the curve. To be on the safe side, move this check to EC_POINT_set_affine_coordinates_* so as to also check point coordinates received through some other method. We do not check projective coordinates, though, as - it's unlikely that applications would be receiving this primarily internal representation from untrusted sources, and - it's possible that the projective setters are used in a setting where performance matters. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8750) --- Summary of changes: crypto/ec/ec2_oct.c | 10 +++--- crypto/ec/ec_lib.c | 20 +-- crypto/ec/ecp_oct.c | 10 +++--- crypto/ec/ectest.c | 96 + 4 files changed, 116 insertions(+), 20 deletions(-) diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index 6f2f7ca..b3e71c4 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c 
@@ -383,16 +383,14 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } } +/* + * EC_POINT_set_affine_coordinates_GF2m is responsible for checking that + * the point is on the curve. + */ if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err; } -/* test required by X9.62 */ -if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { -ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); -goto err; -} - ret = 1; err: diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index df56484..c01e0f0 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -872,7 +872,15 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_R_INCOMPATIBLE_OBJECTS); return 0; } -return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); +if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) +return 0; + +if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { +ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, + EC_R_POINT_IS_NOT_ON_CURVE); +return 0; +} +return 1; } #ifndef OPENSSL_NO_EC2M @@ -890,7 +898,15 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_R_INCOMPATIBLE_OBJECTS); return 0; } -return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); +if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) +return 0; + +if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { +ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, + EC_R_POINT_IS_NOT_ON_CURVE); +return 0; +} +return 1; } #endif diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index 1bc3f39..941f0ec 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c 
@@ -408,16 +408,14 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } } +/* + * EC_POINT_set_affine_coordinates_GFp is responsible for checking that + * the point is on the curve. + */ if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; } -/* test required by X9.62 */ -if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { -ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); -goto err; -} - ret = 1; err: diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c index 5e1ef50..c3cdac1 100644 --- a/crypto/ec/ectest.c +++ b/crypto/ec/ectest.c @@ -325,7 +325,7 @@ static void prime_field_tests(void) EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL; EC_POINT *P, *Q, *R; -BIGNUM *x,
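Review bot: in the ec_lib.c hunks, EC_POINT_set_affine_coordinates_GFp and _GF2m now return 0 after the method's setter has already written x and y into the point, so on a failed on-curve check the caller is left holding an EC_POINT populated with off-curve coordinates, and a caller that ignores the return value would continue with it. Suggest either resetting the point (for example to infinity) before returning 0, or stating in the function documentation that the point's contents are undefined when 0 is returned. Separately, the `<= 0` test maps both the off-curve result and an internal error from EC_POINT_is_on_curve to EC_R_POINT_IS_NOT_ON_CURVE; distinguishing the two would avoid reporting a context allocation failure as a bad point. The ec2_oct.c and ecp_oct.c hunks correctly drop the now-redundant X9.62 check, and the replacement comment makes the new responsibility explicit; the ectest.c additions are cut off in this rendering, so they could not be reviewed here.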
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via f937540ec40a5e838460b8f19d2eb722529126b8 (commit) from d3299a33e5acdf61502755d807d5885c17c46003 (commit) - Log - commit f937540ec40a5e838460b8f19d2eb722529126b8 Author: Dr. Matthias St. Pierre Date: Tue Apr 9 15:04:29 2019 +0200 Add FIPS support for Android Arm 64-bit Fixes #2490 Fixes #8711 In commit 6db8e3bdc9e, support for Android Arm 64-bit was added to the OpenSSL FIPS Object Module. For some reason, the corresponding target 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be built with FIPS support on Android Arm 64-bit. This commit adds the missing target. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8713) --- Summary of changes: CHANGES | 8 +++- Configure | 1 + TABLE | 34 ++ config| 1 + 4 files changed, 43 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 7080ac2..78c7b59 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,13 @@ Changes between 1.0.2r and 1.0.2s [xx XXX ] - *) + *) Add FIPS support for Android Arm 64-bit + + Support for Android Arm 64-bit was added to the OpenSSL FIPS Object Module in + Version 2.0.10. For some reason, the corresponding target 'android64-aarch64' + was missing OpenSSL 1.0.2, whence it could not be built with FIPS support on + Android Arm 64-bit. This omission has been fixed. + [Matthias St. Pierre] Changes between 1.0.2q and 1.0.2r [26 Feb 2019] diff --git a/Configure b/Configure index c7066dc..3846c91 100755 --- a/Configure +++ b/Configure 
@@ -475,6 +475,7 @@ my %table=( "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "android-armv7","gcc:-march=armv7-a -mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"android64-aarch64","gcc:-mandroid -fPIC -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-pie%-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", *BSD [do see comment about ${BSDthreads} above!] "BSD-generic32","gcc:-O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/TABLE b/TABLE index 47bdbf8..a8277f7 100644 --- a/TABLE +++ b/TABLE 
@@ -1190,6 +1190,40 @@ $ranlib = $arflags = $multilib = +*** android64-aarch64 +$cc = gcc +$cflags = -mandroid -fPIC -I$(ANDROID_DEV)/include -B$(ANDROID_DEV)/lib -O3 -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$sys_id = +$lflags = -pie%-ldl +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR +$cpuid_obj= armcap.o arm64cpuid.o mem_clr.o +$bn_obj = +$ec_obj = +$des_obj = +$aes_obj = aes_core.o aes_cbc.o aesv8-armx.o +$bf_obj = +$md5_obj = +$sha1_obj = sha1-armv8.o sha256-armv8.o sha512-armv8.o +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$wp_obj = +$cmll_obj = +$modes_obj= ghashv8-armx.o +$engines_obj = +$perlasm_scheme = linux64 +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = +$shared_ldflag = +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) +$ranlib = +$arflags = +$multilib = + *** aux3-gcc $cc = gcc $cflags = -O2 -DTERMIO diff --git a/config b/config index 6214c4b..c8a3b58 100755 --- a/config +++ b/config @@ -871,6 +871,7 @@ case "$GUESSOS" in *-*-qnx6) OUT="QNX6" ;; x86-*-android|i?86-*-android) OUT="android-x86" ;; armv[7-9]*-*-android) OUT="android-armv7" ;; + aarch64-*-android) OUT="android64-aarch64" ;; *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;; esac
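Review bot: the CHANGES hunk's wording "the corresponding target 'android64-aarch64' was missing OpenSSL 1.0.2" reads as if the target lacked OpenSSL; "was missing from OpenSSL 1.0.2" is what is meant, and the same sentence appears in the commit message. In the Configure hunk the new android64-aarch64 entry sets the link flags to "-pie%-ldl" while the neighbouring android entries use plain "-ldl"; the TABLE hunk mirrors that field exactly, so if the split is intentional (PIE executables) a short comment beside the entry would stop the next reader from assuming a typo, and because the two hunks duplicate every field, TABLE must be regenerated from Configure rather than hand-edited whenever the entry changes. The config hunk places aarch64-*-android after armv[7-9]*-*-android, which is fine since the armv7 glob cannot match aarch64.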
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via d3299a33e5acdf61502755d807d5885c17c46003 (commit) from c3e7beab2a302e3eff45b156751240d0897d50f5 (commit) - Log - commit d3299a33e5acdf61502755d807d5885c17c46003 Author: Shane Lontis Date: Wed Mar 27 17:38:28 2019 +1000 fixed public range check in ec_GF2m_simple_oct2point Reviewed-by: Matt Caswell Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/8607) (cherry picked from commit cad8347be23c5e0c0d9eea02d090d42daf2dd7a9) --- Summary of changes: crypto/ec/ec2_oct.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index 0d04cc6..6f2f7ca 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -299,7 +299,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) { point_conversion_form_t form; -int y_bit; +int y_bit, m; BN_CTX *new_ctx = NULL; BIGNUM *x, *y, *yxi; size_t field_len, enc_len; @@ -332,7 +332,8 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, return EC_POINT_set_to_infinity(group, point); } -field_len = (EC_GROUP_get_degree(group) + 7) / 8; +m = EC_GROUP_get_degree(group); +field_len = (m + 7) / 8; enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len; @@ -357,7 +358,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, if (!BN_bin2bn(buf + 1, field_len, x)) goto err; -if (BN_ucmp(x, >field) >= 0) { +if (BN_num_bits(x) > m) { ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; } @@ -369,7 +370,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } else { if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err; -if (BN_ucmp(y, >field) >= 0) { +if (BN_num_bits(y) > m) { ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; }
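Review bot: the replacement test in the two ec_GF2m_simple_oct2point hunks, BN_num_bits(x) > m (and the same for y), is the correct range check for a GF(2^m) element: a reduced element is a polynomial of degree below m, i.e. at most m significant bits, whereas the old BN_ucmp comparison against the group's field polynomial accepted any value with bit m set that happened to be numerically smaller than the reduction polynomial, which is not a reduced element. Since field_len = (m + 7) / 8 bytes are read into x, up to seven stray bits above bit m - 1 can arrive in an encoding and are now rejected with EC_R_INVALID_ENCODING, as they should be. Suggest adding a regression case to ectest.c that feeds a binary-curve encoding with bit m set and expects EC_POINT_oct2point to fail, so this cannot silently regress.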
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via c3e7beab2a302e3eff45b156751240d0897d50f5 (commit) from d284d277707f9985e69bdba1511ecfbb1e53ac46 (commit) - Log - commit c3e7beab2a302e3eff45b156751240d0897d50f5 Author: Bernd Edlinger Date: Wed Mar 20 22:02:58 2019 +0100 Modify the RSA_private_decrypt functions to check the padding in constant time with a memory access pattern that does not depend on secret information. [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8543) (cherry picked from commit 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5) --- Summary of changes: crypto/rsa/rsa_oaep.c | 32 crypto/rsa/rsa_pk1.c | 32 crypto/rsa/rsa_ssl.c | 32 3 files changed, 48 insertions(+), 48 deletions(-) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index acba7f1..41e9c3b 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c 
@@ -235,25 +235,25 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). 
*/ tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen), dblen - mdlen - 1, tlen); -msg_index = constant_time_select_int(good, msg_index, dblen - tlen); -mlen = dblen - msg_index; -for (mask = good, i = 0; i < tlen; i++) { -unsigned int equals = constant_time_eq(msg_index, dblen); - -msg_index -= tlen & equals; /* rewind at EOF */ -mask &= ~equals; /* mask = 0 at EOF */ -to[i] = constant_time_select_8(mask, db[msg_index++], to[i]); +for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) { +mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0); +for (i = mdlen + 1; i < dblen - msg_index; i++) +db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]); +} +for (i = 0; i < tlen; i++) { +mask = good & constant_time_lt(i, mlen); +to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]); } /* diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index 2c43a54..86e0deb 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c 
@@ -275,25 +275,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), num - 11, tlen); -msg_index
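Review bot: in the rsa_oaep.c hunk the shift loop runs while msg_index < dblen - mdlen - 1, so when the shift amount dblen - mdlen - 1 - mlen equals dblen - mdlen - 1 (mlen == 0) and that value is a power of two, its top bit is never processed; this is harmless because the final loop then copies nothing (constant_time_lt(i, mlen) is always 0), but it deserves a one-line comment, since the "O(N*log(N))" description suggests every bit of the length is handled. The final copy reads db[i + mdlen + 1] for i < tlen with tlen clamped to dblen - mdlen - 1, so the highest index touched is dblen - 1 and the read stays inside db, and both loops access the same addresses whatever the mask value, which is the property the new comment promises. The rsa_pk1.c hunk is truncated in this rendering after the tlen clamp, so only its comment was reviewed; "|num|-11-|mlen|" matches the PKCS #1 type 2 layout (two header bytes, at least eight bytes of PS, one zero separator).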
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via d284d277707f9985e69bdba1511ecfbb1e53ac46 (commit) from 94eb7d07c0c14bf18bd3a4e4d6c1ef1e6633d447 (commit) - Log - commit d284d277707f9985e69bdba1511ecfbb1e53ac46 Author: Bernd Edlinger Date: Wed Mar 20 20:01:12 2019 +0100 Make err_clear_constant_time really constant time [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8558) --- Summary of changes: crypto/err/err.c | 47 +++ crypto/err/err.h | 1 + crypto/rsa/rsa_eay.c | 2 +- 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/crypto/err/err.c b/crypto/err/err.c index 5ce774a..d02e8ff 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -827,8 +827,24 @@ static unsigned long get_error_values(int inc, int top, const char **file, return ERR_R_INTERNAL_ERROR; } +while (es->bottom != es->top) { +if (es->err_flags[es->top] & ERR_FLAG_CLEAR) { +err_clear(es, es->top); +es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1; +continue; +} +i = (es->bottom + 1) % ERR_NUM_ERRORS; +if (es->err_flags[i] & ERR_FLAG_CLEAR) { +es->bottom = i; +err_clear(es, es->bottom); +continue; +} +break; +} + if (es->bottom == es->top) return 0; + if (top) i = es->top;/* last error */ else @@ -1158,23 +1174,6 @@ int ERR_pop_to_mark(void) return 1; } -#ifdef UINTPTR_T -# undef UINTPTR_T -#endif -/* - * uintptr_t is the answer, but unformtunately we can't assume that all - * compilers supported by 1.0.2 have it :-( - */ -#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64 -/* - * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 - * even in 64-bit builds, which means that it won't work as mask. - */ -# define UINTPTR_T unsigned long long -#else -# define UINTPTR_T size_t -#endif - void err_clear_last_constant_time(int clear) { ERR_STATE *es; 
@@ -1186,11 +1185,11 @@ void err_clear_last_constant_time(int clear) top = es->top; -es->err_flags[top] &= ~(0 - clear); -es->err_buffer[top] &= ~(0UL - clear); -es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & - ~((UINTPTR_T)0 - clear)); -es->err_line[top] |= 0 - clear; - -es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; +/* + * Flag error as cleared but remove it elsewhere to avoid two errors + * accessing the same error stack location, revealing timing information. + */ +clear = constant_time_select_int(constant_time_eq_int(clear, 0), + 0, ERR_FLAG_CLEAR); +es->err_flags[top] |= clear; } diff --git a/crypto/err/err.h b/crypto/err/err.h index f423656..c12524d 100644 --- a/crypto/err/err.h +++ b/crypto/err/err.h @@ -143,6 +143,7 @@ extern "C" { # define ERR_TXT_STRING 0x02 # define ERR_FLAG_MARK 0x01 +# define ERR_FLAG_CLEAR 0x02 # define ERR_NUM_ERRORS 16 typedef struct err_state_st { diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 7f20fd6..1c798a0 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -589,7 +589,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); -err_clear_last_constant_time(r >= 0); +err_clear_last_constant_time(1 & ~constant_time_msb(r)); err: if (ctx != NULL) {
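Review bot: the lazy drop added to get_error_values is correct with respect to visibility, since an ERR_FLAG_CLEAR entry is consumed from the bottom before it could be returned and from the top before it could be peeked, but that argument is not obvious from the code and should be written down as a comment above the loop. One edge to check: err_clear(es, es->top) zeroes err_flags for that slot, so an ERR_FLAG_MARK placed on the same top slot by ERR_set_mark after the constant-time clear is discarded together with the entry, and a later ERR_pop_to_mark would pop down to the next mark or empty the stack; either preserve the MARK bit on the neighbouring entry when dropping, or document that callers must not set a mark between err_clear_last_constant_time and the next read. Finally, ERR_FLAG_CLEAR lands in the public err.h next to ERR_FLAG_MARK; a comment that it is internal would keep applications from depending on it.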
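Review bot: in the rsa_eay.c hunk, 1 & ~constant_time_msb(r) evaluates to 1 exactly when r >= 0 and to 0 otherwise, so it preserves the old meaning of the argument while avoiding a comparison the compiler could turn into a branch on the padding result; the leading "1 &" is what keeps the value to 0 or 1, which the new err_clear_last_constant_time body then maps to ERR_FLAG_CLEAR or 0. Because the expression is opaque to a reader who does not know constant_time_msb, a short comment at the call site ("clear the padding error iff r >= 0, without branching on r") would help.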
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 94eb7d07c0c14bf18bd3a4e4d6c1ef1e6633d447 (commit) from dbf71ae457dfa5632518612b58efccd40f528f26 (commit) - Log - commit 94eb7d07c0c14bf18bd3a4e4d6c1ef1e6633d447 Author: Bernd Edlinger Date: Sun Mar 17 17:28:24 2019 +0100 Clear the point S before freeing in ec_mul_consttime The secret point R can be recovered from S using the equation R = S - P. The X and Z coordinates should be sufficient for that. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8505) (cherry picked from commit 502b871ad4eacc96a31f89d9a9470ca2858da998) --- Summary of changes: crypto/ec/ec_mult.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index da71526..fce8882 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -519,7 +519,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, ret = 1; err: -EC_POINT_free(s); +EC_POINT_clear_free(s); BN_CTX_end(ctx); BN_CTX_free(new_ctx);
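Review bot: EC_POINT_clear_free(s) is the right call given the commit message's observation that R = S - P, but the same reasoning applies to the BN_CTX temporaries released by the BN_CTX_end(ctx) on the following line: BN_CTX_end only returns them to the pool without zeroing, and they are wiped only when the context itself is freed, which for a caller-supplied ctx (new_ctx == NULL here) can be much later. Worth a follow-up to check whether any BIGNUM obtained from ctx inside the ladder holds scalar bits or intermediate coordinates, and to clear those explicitly before BN_CTX_end.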
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via dbf71ae457dfa5632518612b58efccd40f528f26 (commit) from 6555a8941bd6be5790d3b45c41de23234a8e527f (commit) - Log - commit dbf71ae457dfa5632518612b58efccd40f528f26 Author: Bernd Edlinger Date: Sun Mar 17 10:02:07 2019 +0100 Clear the secret point in ecdh_compute_key Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8502) --- Summary of changes: crypto/ecdh/ech_ossl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c index d3b0524..8b69ce5 100644 --- a/crypto/ecdh/ech_ossl.c +++ b/crypto/ecdh/ech_ossl.c @@ -207,7 +207,7 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, err: if (tmp) -EC_POINT_free(tmp); +EC_POINT_clear_free(tmp); if (ctx) BN_CTX_end(ctx); if (ctx)
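Review bot: switching to EC_POINT_clear_free(tmp) is right, since tmp is the shared-secret point; for the same reason, please check that the affine coordinate extracted from tmp and the byte buffer it is serialised into before the KDF are also wiped (BN_clear_free or OPENSSL_cleanse before OPENSSL_free), otherwise clearing the point alone leaves the secret in memory. Style nit on the visible context: the two consecutive `if (ctx)` tests for BN_CTX_end and BN_CTX_free could be folded into one block.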
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 6555a8941bd6be5790d3b45c41de23234a8e527f (commit) from d5e37fc871be6910db931790b70323c78b332dff (commit) - Log - commit 6555a8941bd6be5790d3b45c41de23234a8e527f Author: Bernd Edlinger Date: Thu Feb 28 10:08:18 2019 +0100 Fix memory overrun in rsa padding check functions Backported from d7f5e5ae6d5 Fixes #8364 and #8357 Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/8438) --- Summary of changes: crypto/rsa/rsa_oaep.c | 24 crypto/rsa/rsa_pk1.c | 22 +++--- crypto/rsa/rsa_ssl.c | 33 ++--- 3 files changed, 41 insertions(+), 38 deletions(-) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 033ea5a..acba7f1 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -144,7 +144,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, * |num| is the length of the modulus; |flen| is the length of the * encoded message. Therefore, for any |from| that was obtained by * decrypting a ciphertext, we must have |flen| <= |num|. Similarly, - * num < 2 * mdlen + 2 must hold for the modulus irrespective of + * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of * the ciphertext, see PKCS #1 v2.2, section 7.1.2. * This does not leak any side-channel information. */ @@ -180,17 +180,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, from -= 1 & mask; *--em = *from & mask; } -from = em; /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ -good = constant_time_is_zero(from[0]); +good = constant_time_is_zero(em[0]); -maskedseed = from + 1; -maskeddb = from + 1 + mdlen; +maskedseed = em + 1; +maskeddb = em + 1 + mdlen; if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) goto cleanup; 
@@ -231,7 +230,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, mlen = dblen - msg_index; /* - * For good measure, do this check in constant tine as well. + * For good measure, do this check in constant time as well. */ good &= constant_time_ge(tlen, mlen); @@ -245,15 +244,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, * should be noted that failure is indistinguishable from normal * operation if |tlen| is fixed by protocol. */ -tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); +tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen), +dblen - mdlen - 1, tlen); msg_index = constant_time_select_int(good, msg_index, dblen - tlen); mlen = dblen - msg_index; -for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { -unsigned int equals = constant_time_eq(i, mlen); +for (mask = good, i = 0; i < tlen; i++) { +unsigned int equals = constant_time_eq(msg_index, dblen); -from -= dblen & equals; /* if (i == dblen) rewind */ -mask &= mask ^ equals; /* if (i == dblen) mask = 0 */ -to[i] = constant_time_select_8(mask, from[i], to[i]); +msg_index -= tlen & equals; /* rewind at EOF */ +mask &= ~equals; /* mask = 0 at EOF */ +to[i] = constant_time_select_8(mask, db[msg_index++], to[i]); } /* diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index 074bc0a..2c43a54 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c 
@@ -241,15 +241,14 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, from -= 1 & mask; *--em = *from & mask; } -from = em; -good = constant_time_is_zero(from[0]); -good &= constant_time_eq(from[1], 2); +good = constant_time_is_zero(em[0]); +good &= constant_time_eq(em[1], 2); /* scan over padding data */ found_zero_byte = 0; for (i = 2; i < num; i++) { -unsigned int equals0 = constant_time_is_zero(from[i]); +unsigned int equals0 = constant_time_is_zero(em[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); @@ -257,7 +256,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, } /* - * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * PS must be at least 8 bytes long, and it starts two bytes into |em|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also
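Review bot: in the copy loop of the last rsa_oaep.c hunk (RSA_padding_check_PKCS1_OAEP_mgf1) the comments `/* rewind at EOF */` and `/* mask = 0 at EOF */` should state the invariant the overrun fix relies on: `tlen` is first clamped to `dblen - mdlen - 1`, and `msg_index` is rewound by `tlen` only when it reaches `dblen`, so `db[msg_index++]` stays inside |db| for all `tlen` iterations, which the old `from -= dblen & equals` arithmetic did not guarantee. The first hunk's change to `|num| >= 2 * |mdlen| + 2` is comment-only; the old text stated the failure condition where the sentence needs the invariant, so the fix is correct as written.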
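Review bot: the rsa_pk1.c hunks drop the `from = em;` reassignment in RSA_padding_check_PKCS1_type_2 and index `em[...]` directly, so `from` keeps pointing at the caller's buffer for the rest of the function; the hunk is truncated here, so the remainder of that function, and the matching pattern in rsa_ssl.c (listed in the summary but not shown), should be checked for any surviving `from[i]` reads that would now address the wrong buffer.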
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via d5e37fc871be6910db931790b70323c78b332dff (commit) from 56ff0f643482b19f7b2d7ed532dfb94ed3a4e294 (commit) - Log - commit d5e37fc871be6910db931790b70323c78b332dff Author: Matt Caswell Date: Tue Mar 5 13:26:45 2019 + Avoid an underflow in ecp_nistp521.c The function felem_diff_128_64 in ecp_nistp521.c subtracts the number |in| from |out| mod p. In order to avoid underflow it first adds 32p mod p (which is equivalent to 0 mod p) to |out|. The comments and variable naming suggest that the original author intended to add 64p mod p. In fact it has been shown that with certain unusual co-ordinates it is possible to cause an underflow in this function when only adding 32p mod p while performing a point double operation. By changing this to 64p mod p the underflow is avoided. It turns out to be quite difficult to construct points that satisfy the underflow criteria although this has been done and the underflow demonstrated. However none of these points are actually on the curve. Finding points that satisfy the underflow criteria and are also *on* the curve is considered significantly more difficult. For this reason we do not believe that this issue is currently practically exploitable and therefore no CVE has been assigned. This only impacts builds using the enable-ec_nistp_64_gcc_128 Configure option. With thanks to Bo-Yin Yang, Billy Brumley and Dr Liu for their significant help in investigating this issue. Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8405) (cherry picked from commit 13fbce17fc9f02e2401fc3868f3f8e02d6647e5f) --- Summary of changes: crypto/ec/ecp_nistp521.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index 90989c5..1a42068 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c 
@@ -356,10 +356,15 @@ static void felem_diff64(felem out, const felem in) static void felem_diff_128_64(largefelem out, const felem in) { /* - * In order to prevent underflow, we add 0 mod p before subtracting. + * In order to prevent underflow, we add 64p mod p (which is equivalent + * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521 + * digit number with all bits set to 1. See "The representation of field + * elements" comment above for a description of how limbs are used to + * represent a number. 64p is represented with 8 limbs containing a number + * with 58 bits set and one limb with a number with 57 bits set. */ -static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5); -static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4); +static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6); +static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5); out[0] += two63m6 - in[0]; out[1] += two63m5 - in[1];
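Review bot: the new constants in felem_diff_128_64 telescope to 64p (limb 0 contributes 2^63 - 2^6, each higher 58-bit limb position contributes 2^63 - 2^5, and the sum is 2^527 - 2^6 = 64·(2^521 - 1)), so the names two63m6/two63m5 and the rewritten comment finally agree with the values, where the old 2^62 - 2^5 / 2^62 - 2^4 pair summed to 32p as the commit message says. What the comment still doesn't say is the bound on |in| that makes this sufficient: `out[i] += two63mX - in[i]` only avoids underflow while in[0] < 2^63 - 2^6 and the other limbs < 2^63 - 2^5, so a sentence stating the limb bound that callers guarantee would let a reader verify the fix without repeating the analysis from the commit message.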
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 56ff0f643482b19f7b2d7ed532dfb94ed3a4e294 (commit) via b34cf4eb616446a1ee7bd0db0a625edf25047342 (commit) via 28c43df9288c50be6e03ee5b52dfc0e261d9eb60 (commit) via 48c8bcf5bca0ce7751f49599381e143de1b61786 (commit) via e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e (commit) from c81f16952bca7793074ac926b17aed3364db2c84 (commit) - Log - commit 56ff0f643482b19f7b2d7ed532dfb94ed3a4e294 Author: Matt Caswell Date: Tue Feb 26 14:21:45 2019 + Prepare for 1.0.2s-dev Reviewed-by: Richard Levitte commit b34cf4eb616446a1ee7bd0db0a625edf25047342 Author: Matt Caswell Date: Tue Feb 26 14:20:55 2019 + Prepare for 1.0.2r release Reviewed-by: Richard Levitte commit 28c43df9288c50be6e03ee5b52dfc0e261d9eb60 Author: Matt Caswell Date: Tue Feb 26 10:21:24 2019 + Updates CHANGES and NEWS for the new release Reviewed-by: Richard Levitte commit 48c8bcf5bca0ce7751f49599381e143de1b61786 Author: Matt Caswell Date: Wed Feb 20 14:21:36 2019 + Clarify that SSL_shutdown() must not be called after a fatal error Follow on from CVE-2019-1559 Reviewed-by: Richard Levitte commit e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e Author: Matt Caswell Date: Fri Dec 14 07:28:30 2018 + Go into the error state if a fatal alert is sent or received If an application calls SSL_shutdown after a fatal alert has occurred and then behaves differently based on error codes from that function then the application may be vulnerable to a padding oracle. CVE-2019-1559 Reviewed-by: Richard Levitte --- Summary of changes: CHANGES | 28 +++- NEWS | 6 +- README| 2 +- crypto/opensslv.h | 6 +++--- doc/ssl/SSL_get_error.pod | 13 - doc/ssl/SSL_shutdown.pod | 4 openssl.spec | 2 +- ssl/d1_pkt.c | 1 + ssl/s3_pkt.c | 10 +++--- 9 files changed, 57 insertions(+), 15 deletions(-) diff --git a/CHANGES b/CHANGES index bc805bf..7080ac2 100644 --- a/CHANGES +++ b/CHANGES 
@@ -7,7 +7,33 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. - Changes between 1.0.2q and 1.0.2r [xx XXX ] + Changes between 1.0.2r and 1.0.2s [xx XXX ] + + *) + + Changes between 1.0.2q and 1.0.2r [26 Feb 2019] + + *) 0-byte record padding oracle + + If an application encounters a fatal protocol error and then calls + SSL_shutdown() twice (once to send a close_notify, and once to receive one) + then OpenSSL can respond differently to the calling application if a 0 byte + record is received with invalid padding compared to if a 0 byte record is + received with an invalid MAC. If the application then behaves differently + based on that in a way that is detectable to the remote peer, then this + amounts to a padding oracle that could be used to decrypt data. + + In order for this to be exploitable "non-stitched" ciphersuites must be in + use. Stitched ciphersuites are optimised implementations of certain + commonly used ciphersuites. Also the application must call SSL_shutdown() + twice even if a protocol error has occurred (applications should not do + this but some do anyway). + + This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod + Aviram, with additional investigation by Steven Collison and Andrew + Hourselt. It was reported to OpenSSL on 10th December 2018. + (CVE-2019-1559) + [Matt Caswell] *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). [Richard Levitte] diff --git a/NEWS b/NEWS index 566ce43..a92af92 100644 --- a/NEWS +++ b/NEWS 
@@ -5,10 +5,14 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [under development] + Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [under development] o + Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] + + o 0-byte record padding oracle (CVE-2019-1559) + Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407) diff --git a/README b/README index a288fd6..93d66d7 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.2r-dev + OpenSSL 1.0.2s-dev Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/opensslv.h b/crypto/opensslv.h index f808f1e..752c66d 100644 --- a/crypto/opensslv.h +++
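Review bot: the CHANGES entry for CVE-2019-1559 states both preconditions (a "non-stitched" ciphersuite in use, and an application that calls SSL_shutdown() twice after a fatal protocol error) but does not say which 1.0.2 ciphersuites are stitched, which is the first thing a deployer opens this entry to find out; a line naming them, or a pointer to the doc/ssl/SSL_shutdown.pod clarification that ships in this same push, would close that gap. The ssl/s3_pkt.c and ssl/d1_pkt.c hunks listed in the summary are not shown above, so the error-state change itself cannot be reviewed from this message.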
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via c81f16952bca7793074ac926b17aed3364db2c84 (commit) from b250f2a431ab0cc03a8a1cc4cdc1a7e9ecb052a6 (commit) - Log - commit c81f16952bca7793074ac926b17aed3364db2c84 Author: Matt Caswell Date: Tue Feb 26 14:07:28 2019 + Update copyright year Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8348) --- Summary of changes: crypto/bn/bn_ctx.c | 2 +- crypto/evp/evp_err.c | 2 +- crypto/evp/evp_test.c| 2 +- doc/crypto/X509_cmp_time.pod | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 3391134..d18eedb 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -1,7 +1,7 @@ /* crypto/bn/bn_ctx.c */ /* Written by Ulf Moeller for the OpenSSL project. */ /* - * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 85f5729..11647b9 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -1,6 +1,6 @@ /* crypto/evp/evp_err.c */ /* - * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/evp/evp_test.c b/crypto/evp/evp_test.c index 059cd49..28544a6 100755 --- a/crypto/evp/evp_test.c +++ b/crypto/evp/evp_test.c 
@@ -1,6 +1,6 @@ /* Written by Ben Laurie, 2001 */ /* - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/doc/crypto/X509_cmp_time.pod b/doc/crypto/X509_cmp_time.pod index 5bf5111..f3c0750 100644 --- a/doc/crypto/X509_cmp_time.pod +++ b/doc/crypto/X509_cmp_time.pod @@ -29,7 +29,7 @@ B, and 1 otherwise. It returns 0 on error. =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
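Review bot: the index line for crypto/evp/evp_test.c shows mode 100755, i.e. a C source file carrying the executable bit; it is unrelated to the copyright bump, but a follow-up `chmod -x` (git records the mode change explicitly) would stop it propagating through further cherry-picks.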
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via b250f2a431ab0cc03a8a1cc4cdc1a7e9ecb052a6 (commit) from 9acdddf1acd6f6be41ddb711b6b55fe7f5481320 (commit) - Log - commit b250f2a431ab0cc03a8a1cc4cdc1a7e9ecb052a6 Author: Matt Caswell Date: Mon Feb 25 11:28:32 2019 + Ensure bn_cmp_words can handle the case where n == 0 Thanks to David Benjamin who reported this, performed the analysis and suggested the patch. I have incorporated some of his analysis in the comments below. This issue can cause an out-of-bounds read. It is believed that this was not reachable until the recent "fixed top" changes. Analysis has so far only identified one code path that can encounter this - although it is possible that others may be found. The one code path only impacts 1.0.2 in certain builds. The fuzzer found a path in RSA where iqmp is too large. If the input is all zeros, the RSA CRT logic will multiply a padded zero by iqmp. Two mitigating factors: - Private keys which trip this are invalid (iqmp is not reduced mod p). Only systems which take untrusted private keys care. - In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp, so the bug is only reproducible in 1.0.2 so far. Fortunately, the bug appears to be relatively harmless. The consequences of bn_cmp_word's misbehavior are: - OpenSSL may crash if the buffers are page-aligned and the previous page is non-existent. - OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they are equal. - Side channel concerns. The first is indeed a concern and is a DoS bug. The second is fine in this context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1) in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or a1 - a0. The third would be worth thinking about, but it is overshadowed by the entire Karatsuba implementation not being constant time. Due to the difficulty of tripping this and the low impact no CVE is felt necessary for this issue. 
Reviewed-by: Paul Dale Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/8326) (cherry picked from commit 576129cd72ae054d246221f111aabf42b9c6d76d) --- Summary of changes: crypto/bn/bn_lib.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 9b95e5f..2a84698 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -836,6 +836,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n) int i; BN_ULONG aa, bb; +if (n == 0) +return 0; + aa = a[n - 1]; bb = b[n - 1]; if (aa != bb)
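Review bot: the `if (n == 0) return 0;` guard at the top of bn_cmp_words branches on a public length only, so it does not worsen the side-channel picture the commit message already concedes for Karatsuba, and returning 0 (equal) is the only sensible result for two zero-length word arrays. The message names both bn_cmp_words and bn_cmp_part_words as the callers' entry points, yet only bn_cmp_words is patched; if bn_cmp_part_words reaches this loop through bn_cmp_words and therefore inherits the guard, one sentence saying so would save the next reader the check, and if it does not, it needs the same guard.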
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 9acdddf1acd6f6be41ddb711b6b55fe7f5481320 (commit) via d769ce09b690237c35c32032edbaf0339c480e85 (commit) from e30dfbebe7fa3af40fd840fc89b004376fc2b21f (commit) - Log - commit 9acdddf1acd6f6be41ddb711b6b55fe7f5481320 Author: Nicola Tuveri Date: Fri Feb 8 12:42:25 2019 +0200 Clear BN_FLG_CONSTTIME on BN_CTX_get() (cherry picked from commit c8147d37ccaaf28c430d3fb45a14af36597e48b8) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8295) commit d769ce09b690237c35c32032edbaf0339c480e85 Author: Nicola Tuveri Date: Tue Feb 12 00:37:25 2019 +0200 Test for constant-time flag leakage in BN_CTX This commit adds a simple unit test to make sure that the constant-time flag does not "leak" among BN_CTX frames: - test_ctx_consttime_flag() initializes (and later frees before returning) a BN_CTX object, then it calls in sequence test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same BN_CTX object. - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame before ending it. - test_ctx_check_ct_flag() then starts a new frame and gets a number of BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new frame should have BN_FLG_CONSTTIME set. In actual BN_CTX usage inside libcrypto the leak could happen at any depth level in the BN_CTX stack, with varying results depending on the patterns of sibling trees of nested function calls sharing the same BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the called BN_* functions. This simple unit test abstracts away this complexity and verifies that the leak does not happen between two sibling functions sharing the same BN_CTX object at the same level of nesting. 
(manually cherry picked from commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8295) --- Summary of changes: crypto/bn/bn_ctx.c | 2 ++ crypto/bn/bntest.c | 101 + 2 files changed, 103 insertions(+) diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 526c6a0..3391134 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -299,6 +299,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx) } /* OK, make sure the returned bignum is "zero" */ BN_zero(ret); +/* clear BN_FLG_CONSTTIME if leaked from previous frames */ +ret->flags &= (~BN_FLG_CONSTTIME); ctx->used++; CTXDBG_RET(ctx, ret); return ret; diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c index abe5dbe..75aa707 100644 --- a/crypto/bn/bntest.c +++ b/crypto/bn/bntest.c @@ -89,6 +89,10 @@ #include #include +#ifndef OSSL_NELEM +# define OSSL_NELEM(x)(sizeof(x)/sizeof(x[0])) +#endif + const int num0 = 100; /* number of tests */ const int num1 = 50;/* additional tests for some functions */ const int num2 = 5; /* number of tests for slow functions */ @@ -123,6 +127,7 @@ int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx); int test_kron(BIO *bp, BN_CTX *ctx); int test_sqrt(BIO *bp, BN_CTX *ctx); int rand_neg(void); +static int test_ctx_consttime_flag(void); static int results = 0; static unsigned char lst[] = @@ -330,6 +335,15 @@ int main(int argc, char *argv[]) goto err; (void)BIO_flush(out); #endif + +/* silently flush any pre-existing error on the stack */ +ERR_clear_error(); + +message(out, "BN_CTX_get BN_FLG_CONSTTIME"); +if (!test_ctx_consttime_flag()) +goto err; +(void)BIO_flush(out); + BN_CTX_free(ctx); BIO_free(out); 
@@ -2158,3 +2172,90 @@ int rand_neg(void) return (sign[(neg++) % 8]); } + +static int test_ctx_set_ct_flag(BN_CTX *c) +{ +int st = 0; +size_t i; +BIGNUM *b[15]; + +BN_CTX_start(c); +for (i = 0; i < OSSL_NELEM(b); i++) { +if (NULL == (b[i] = BN_CTX_get(c))) { +fprintf(stderr, "ERROR: BN_CTX_get() failed.\n"); +goto err; +} +if (i % 2 == 1) +BN_set_flags(b[i], BN_FLG_CONSTTIME); +} + +st = 1; + err: +BN_CTX_end(c); +return st; +} + +static int test_ctx_check_ct_flag(BN_CTX *c) +{ +int st = 0; +size_t i; +BIGNUM *b[30]; + +BN_CTX_start(c); +for (i = 0; i < OSSL_NELEM(b); i++) { +if (NULL == (b[i] = BN_CTX_get(c))) { +fprintf(stderr, "ERROR: BN_CTX_get() failed.\n"); +goto err; +} +if (BN_get_flags(b[i], BN_FLG_CONSTTIME) != 0) { +fprintf(stderr, "ERROR: BN_FLG_CONSTTIME should not
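Review bot: in the bn_ctx.c hunk, clearing BN_FLG_CONSTTIME in BN_CTX_get() directly after `BN_zero(ret)` is the right place, since every frame entry passes through it, but the mask deliberately clears only that one flag; the comment should say why the remaining flags on a pooled BIGNUM are preserved, so nobody later "fixes" it to `ret->flags = 0`.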
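Review bot: in the bntest.c hunk, test_ctx_check_ct_flag pulls 30 BIGNUMs where test_ctx_set_ct_flag flagged every other one of 15, which is what forces the checking frame to reuse the flagged entries; that deserves a one-line comment beside the two array sizes, as a reader who shrinks `b[30]` would silently weaken the test. The failure path also reports through fprintf(stderr) while the rest of this test writes to the `out` BIO (the `message(out, ...)` and `BIO_flush(out)` calls in the main() hunk); one sink makes failures easier to capture in the test harness.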
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via e30dfbebe7fa3af40fd840fc89b004376fc2b21f (commit) from 3077dd40588e1ff5b7a1fda87ba845c291bb8055 (commit) - Log - commit e30dfbebe7fa3af40fd840fc89b004376fc2b21f Author: Richard Levitte Date: Mon Feb 18 21:47:33 2019 +0100 Move stray POD file into the fold Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/8273) --- Summary of changes: doc/{man3 => crypto}/X509_cmp_time.pod | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename doc/{man3 => crypto}/X509_cmp_time.pod (100%) diff --git a/doc/man3/X509_cmp_time.pod b/doc/crypto/X509_cmp_time.pod similarity index 100% rename from doc/man3/X509_cmp_time.pod rename to doc/crypto/X509_cmp_time.pod
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 3077dd40588e1ff5b7a1fda87ba845c291bb8055 (commit) from fff469b269d8309377291ff86767314d7489fd84 (commit) - Log - commit 3077dd40588e1ff5b7a1fda87ba845c291bb8055 Author: Corinna Vinschen Date: Fri Feb 15 12:22:07 2019 +0100 cygwin: drop explicit O_TEXT Cygwin binaries should not enforce text mode these days, just use text mode if the underlying mount point requests it CLA: trivial Signed-off-by: Corinna Vinschen Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8249) --- Summary of changes: crypto/bio/bss_file.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c index bbf906f..024d0cf 100644 --- a/crypto/bio/bss_file.c +++ b/crypto/bio/bss_file.c @@ -361,12 +361,16 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) } else _setmode(fd, _O_BINARY); } -# elif defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN) +# elif defined(OPENSSL_SYS_OS2) int fd = fileno((FILE *)ptr); if (num & BIO_FP_TEXT) setmode(fd, O_TEXT); else setmode(fd, O_BINARY); +# elif defined(OPENSSL_SYS_WIN32_CYGWIN) +int fd = fileno((FILE *)ptr); +if (!(num & BIO_FP_TEXT)) +setmode(fd, O_BINARY); # endif } break; @@ -389,11 +393,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) ret = 0; break; } -# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN) +# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) if (!(num & BIO_FP_TEXT)) strcat(p, "b"); else strcat(p, "t"); +# elif defined(OPENSSL_SYS_WIN32_CYGWIN) +if (!(num & BIO_FP_TEXT)) +strcat(p, "b"); # endif # if defined(OPENSSL_SYS_NETWARE) if (!(num & BIO_FP_TEXT))
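Review bot: in the first bss_file.c hunk the new OPENSSL_SYS_WIN32_CYGWIN branch calls setmode(fd, O_BINARY) only when BIO_FP_TEXT is clear and does nothing otherwise, so a descriptor that an earlier ctrl switched to binary can no longer be switched back to text by a later BIO_FP_TEXT request; if that is intended (text mode is now purely the mount point's decision), the commit message should state it, since the behaviour differs from the OS/2 branch it was split from. The second hunk's fopen-mode counterpart (append "b" only, never "t") is consistent with that reading.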
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via fff469b269d8309377291ff86767314d7489fd84 (commit) via 7ab24d9508fdc6e40d53e10cf7c961070dfcc8a9 (commit) via cfa9a7cd5316fddd2e41bda3f3a1e50537e784bb (commit) from eed51aa8270dd3feb1fce049aeae505cbfe806f5 (commit) - Log - commit fff469b269d8309377291ff86767314d7489fd84 Author: Richard Levitte Date: Wed Dec 12 11:22:52 2018 +0100 test/evp_test.c: use EVP_DecryptUpdate when decrypting, even for AAD Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7856) commit 7ab24d9508fdc6e40d53e10cf7c961070dfcc8a9 Author: Richard Levitte Date: Mon Dec 10 10:23:01 2018 +0100 make update Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7856) commit cfa9a7cd5316fddd2e41bda3f3a1e50537e784bb Author: Richard Levitte Date: Mon Dec 10 10:18:10 2018 +0100 Prevent calling decryption in an encryption context and vice versa Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7856) --- Summary of changes: crypto/evp/evp.h | 2 ++ crypto/evp/evp_enc.c | 40 crypto/evp/evp_err.c | 4 +++- crypto/evp/evp_test.c | 2 +- 4 files changed, 42 insertions(+), 6 deletions(-) diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index cf1de15..883a943 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -1489,8 +1489,10 @@ void ERR_load_EVP_strings(void); # define EVP_F_EVP_CIPHER_CTX_CTRL124 # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122 # define EVP_F_EVP_DECRYPTFINAL_EX101 +# define EVP_F_EVP_DECRYPTUPDATE 181 # define EVP_F_EVP_DIGESTINIT_EX 128 # define EVP_F_EVP_ENCRYPTFINAL_EX127 +# define EVP_F_EVP_ENCRYPTUPDATE 180 # define EVP_F_EVP_MD_CTX_COPY_EX 110 # define EVP_F_EVP_MD_SIZE162 # define EVP_F_EVP_OPENINIT 102 diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 0c740d1..c63fb53 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c 
@@ -317,8 +317,9 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0); } -int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - const unsigned char *in, int inl) +static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx, +unsigned char *out, int *outl, +const unsigned char *in, int inl) { int i, j, bl; @@ -380,6 +381,18 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 1; } +int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, + const unsigned char *in, int inl) +{ +/* Prevent accidental use of decryption context when encrypting */ +if (!ctx->encrypt) { +EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION); +return 0; +} + +return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); +} + int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { int ret; @@ -392,6 +405,12 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) int n, ret; unsigned int i, b, bl; +/* Prevent accidental use of decryption context when encrypting */ +if (!ctx->encrypt) { +EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION); +return 0; +} + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { ret = M_do_cipher(ctx, out, NULL, 0); if (ret < 0) @@ -435,6 +454,12 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, int fix_len; unsigned int b; +/* Prevent accidental use of encryption context when decrypting */ +if (ctx->encrypt) { +EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION); +return 0; +} + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { fix_len = M_do_cipher(ctx, out, in, inl); if (fix_len < 0) { 
@@ -451,7 +476,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } if (ctx->flags & EVP_CIPH_NO_PADDING) -return EVP_EncryptUpdate(ctx, out, outl, in, inl); +return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); b = ctx->cipher->block_size; OPENSSL_assert(b <= sizeof(ctx->final)); @@ -463,7 +488,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } else fix_len = 0; -
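Review bot: the ctx->encrypt checks added to EVP_EncryptUpdate, EVP_EncryptFinal_ex and EVP_DecryptUpdate turn a previously silent misuse into a hard EVP_R_INVALID_OPERATION failure, which is a behaviour change on a stable branch: callers that fed AAD through EVP_EncryptUpdate on a decrypt context (exactly what the accompanying test/evp_test.c fix corrects) now get an error. The summary lists no CHANGES entry for this push; one is warranted so downstream maintainers can explain the new failure mode to their users.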
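Review bot: routing the EVP_CIPH_NO_PADDING path of EVP_DecryptUpdate through the new static evp_EncryptDecryptUpdate() instead of EVP_EncryptUpdate() is necessary, because the public function would now reject the decrypt context. The diff is cut off after this hunk and EVP_DecryptFinal_ex does not appear among the functions shown receiving a direction check, so it is worth confirming it gets the mirror of the EVP_EncryptFinal_ex guard; otherwise the protection is asymmetric.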
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via eed51aa8270dd3feb1fce049aeae505cbfe806f5 (commit) from 668d643eabb4e365e8d393da7b44b53e5cf7cc08 (commit) - Log - commit eed51aa8270dd3feb1fce049aeae505cbfe806f5 Author: Matt Caswell Date: Wed Jan 2 17:05:27 2019 + make update Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/7974) --- Summary of changes: crypto/err/Makefile | 2 +- crypto/rsa/Makefile | 6 -- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/crypto/err/Makefile b/crypto/err/Makefile index b6f3ef1..a09312b 100644 --- a/crypto/err/Makefile +++ b/crypto/err/Makefile @@ -82,7 +82,7 @@ err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -err.o: ../cryptlib.h err.c +err.o: ../constant_time_locl.h ../cryptlib.h err.c err_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h err_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h err_all.o: ../../include/openssl/cms.h ../../include/openssl/comp.h diff --git a/crypto/rsa/Makefile b/crypto/rsa/Makefile index 6be73ed..b083e29 100644 --- a/crypto/rsa/Makefile +++ b/crypto/rsa/Makefile 
@@ -153,7 +153,8 @@ rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h rsa_eay.c +rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../constant_time_locl.h +rsa_eay.o: ../cryptlib.h rsa_eay.c rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h @@ -299,7 +300,8 @@ rsa_ssl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_ssl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_ssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -rsa_ssl.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_ssl.c +rsa_ssl.o: ../../include/openssl/symhacks.h ../constant_time_locl.h +rsa_ssl.o: ../cryptlib.h rsa_ssl.c rsa_x931.o: ../../e_os.h ../../include/openssl/asn1.h rsa_x931.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_x931.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 668d643eabb4e365e8d393da7b44b53e5cf7cc08 (commit) from ab061e75b7b3e01fac00dd3751280c2198f50f9c (commit) - Log - commit 668d643eabb4e365e8d393da7b44b53e5cf7cc08 Author: Richard Levitte Date: Sat Dec 15 11:06:00 2018 +0100 Makefile.org: prevent .bak files from becoming part of the tarball Fixes #7903 Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7910) --- Summary of changes: Makefile.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.org b/Makefile.org index f51f0a7..8089d3f 100644 --- a/Makefile.org +++ b/Makefile.org @@ -519,7 +519,7 @@ $(TARFILE).list: find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ - \! -name '.#*' \! -name '*~' \! -type l \ + \! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \ | sort > $(TARFILE).list tar: $(TARFILE).list
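Review bot: the added `\! -name '*.bak'` fits the existing exclusion list for $(TARFILE).list, but the same editor-residue problem applies to the `*.orig` and `*.rej` files that patch(1) leaves behind; if those are equally unwanted in a release tarball they belong on the same line, otherwise the next stray file report will land on this rule again.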
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via ab061e75b7b3e01fac00dd3751280c2198f50f9c (commit) from 4960e84b7b6e98c58dccf7c49795c9b0fc1069ba (commit) - Log - commit ab061e75b7b3e01fac00dd3751280c2198f50f9c Author: Dr. Matthias St. Pierre Date: Wed Dec 12 07:38:07 2018 +0100 doc/man3: remove copy leftover Fixes #7883 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7884) (cherry picked from commit 00eb879f74971e3c048286ef44f6f544676f90d7) --- Summary of changes: doc/crypto/X509_NAME_ENTRY_get_object.pod | 3 --- 1 file changed, 3 deletions(-) diff --git a/doc/crypto/X509_NAME_ENTRY_get_object.pod b/doc/crypto/X509_NAME_ENTRY_get_object.pod index 4716e7e..403725f 100644 --- a/doc/crypto/X509_NAME_ENTRY_get_object.pod +++ b/doc/crypto/X509_NAME_ENTRY_get_object.pod @@ -44,9 +44,6 @@ X509_NAME_ENTRY_get_object() and X509_NAME_ENTRY_get_data() can be used to examine an B function as returned by X509_NAME_get_entry() for example. -X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID(), -and X509_NAME_ENTRY_create_by_OBJ() create and return an - X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_OBJ(), X509_NAME_ENTRY_create_by_NID() and X509_NAME_ENTRY_set_data() are seldom used in practice because B structures
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 4960e84b7b6e98c58dccf7c49795c9b0fc1069ba (commit) from e42e531846c6c6c26941a9f938504e114753fbee (commit) - Log - commit 4960e84b7b6e98c58dccf7c49795c9b0fc1069ba Author: Tobias Stoeckmann Date: Tue Dec 11 20:34:21 2018 +0100 Fixed typo (vi leftover). There was a trailing :w at a line, which didn't make sense in context of the sentence/styling. Removed it, because I think it's a leftover vi command. CLA: trivial Signed-off-by: Tobias Stoeckmann Reviewed-by: Matt Caswell Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7875) (cherry picked from commit 143b631639f95822e5e00768254fa35c787f6396) --- Summary of changes: doc/apps/ca.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 8d94ecb..7658605 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -214,7 +214,7 @@ the section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to B unless the B<-extfile> option is used). If no extension section is present then, a V1 certificate is created. If the extension section -is present (even if it is empty), then a V3 certificate is created. See the:w +is present (even if it is empty), then a V3 certificate is created. See the L manual page for details of the extension section format.
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via e42e531846c6c6c26941a9f938504e114753fbee (commit) from 110ef88b99f1acc6b976f2e49153734924181db2 (commit) - Log - commit e42e531846c6c6c26941a9f938504e114753fbee Author: Richard Levitte Date: Fri Dec 7 09:26:04 2018 +0100 Make EVP_PKEY_asn1_add0() stricter about its input It turns out that the strictness that was implemented in EVP_PKEY_asn1_new() (see Github openssl/openssl#6880) was badly placed for some usages, and that it's better to do this check only when the method is getting registered. Fixes #7758 Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7847) (cherry picked from commit a86003162138031137727147c9b642d99db434b1) --- Summary of changes: CHANGES | 3 ++- crypto/asn1/ameth_lib.c | 27 +++ 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index ab5cdf6..bc805bf 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,8 @@ Changes between 1.0.2q and 1.0.2r [xx XXX ] - *) + *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). + [Richard Levitte] Changes between 1.0.2p and 1.0.2q [20 Nov 2018] diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index cc8f9a8..d04f786 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -234,6 +234,21 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe, int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth) { +/* + * One of the following must be true: + * + * pem_str == NULL AND ASN1_PKEY_ALIAS is set + * pem_str != NULL AND ASN1_PKEY_ALIAS is clear + * + * Anything else is an error and may lead to a corrupt ASN1 method table + */ +if (!((ameth->pem_str == NULL + && (ameth->pkey_flags & ASN1_PKEY_ALIAS) != 0) + || (ameth->pem_str != NULL + && (ameth->pkey_flags & ASN1_PKEY_ALIAS) == 0))) { +return 0; +} + if (app_methods == NULL) { app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp); if (!app_methods) 
@@ -305,18 +320,6 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, } else ameth->info = NULL; -/* - * One of the following must be true: - * - * pem_str == NULL AND ASN1_PKEY_ALIAS is set - * pem_str != NULL AND ASN1_PKEY_ALIAS is clear - * - * Anything else is an error and may lead to a corrupt ASN1 method table - */ -if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0) - || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0))) -goto err; - if (pem_str) { ameth->pem_str = BUF_strdup(pem_str); if (!ameth->pem_str) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
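Review bot: the rejection path added at the top of EVP_PKEY_asn1_add0() in crypto/asn1/ameth_lib.c returns 0 without pushing anything onto the error queue, so a caller cannot distinguish a rejected method from the sk_EVP_PKEY_ASN1_METHOD_new() failure a few lines below; suggest an EVPerr() call with a suitable reason code before `return 0;` so the corrupt-table condition the comment warns about is actually diagnosable.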
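Review bot: with the check deleted from EVP_PKEY_asn1_new() (the second ameth_lib.c hunk), a method built with both pem_str and ASN1_PKEY_ALIAS set is now accepted, has pem_str duplicated by BUF_strdup(), and is only rejected if and when it reaches EVP_PKEY_asn1_add0(); the one-line CHANGES entry should say that the validation moved to registration time, so engine or application code that builds methods without registering them knows it no longer gets this check.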
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 110ef88b99f1acc6b976f2e49153734924181db2 (commit) via b29b91bc7ea8dfe47d873d7953175c57556a4488 (commit) via 47f8fba64353a637cacdd8751cab25a9f3be3715 (commit) via 3b776fd785efb1c0af4b28ad0b8036b23071904d (commit) via 8db50d6dafc67fbaa0380420fc1f74f977d16606 (commit) from 02354431e2a09d705082f986babf14c056f47b78 (commit) - Log - commit 110ef88b99f1acc6b976f2e49153734924181db2 Author: Andy Polyakov Date: Fri Sep 14 17:24:13 2018 +0200 rsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time. Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding if nul delimiter is preceded by 8 consecutive 0x03 bytes. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (cherry picked from commit 603221407ddc6404f8c417c6beadebf84449074c) Resolved conflicts: crypto/rsa/rsa_ssl.c (Merged from https://github.com/openssl/openssl/pull/7737) commit b29b91bc7ea8dfe47d873d7953175c57556a4488 Author: Andy Polyakov Date: Thu Sep 6 21:54:23 2018 +0200 rsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP. And make RSAErr call unconditional. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (cherry picked from commit 75f5e944be97f28867e7c489823c889d89d0bd06) Resolved conflicts: crypto/rsa/rsa_oaep.c (Merged from https://github.com/openssl/openssl/pull/7737) commit 47f8fba64353a637cacdd8751cab25a9f3be3715 Author: Andy Polyakov Date: Sat Sep 1 12:00:33 2018 +0200 rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2. And make RSAErr call unconditional. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c) Resolved conflicts: crypto/rsa/rsa_pk1.c (Merged from https://github.com/openssl/openssl/pull/7737) commit 3b776fd785efb1c0af4b28ad0b8036b23071904d Author: Andy Polyakov Date: Fri Nov 30 21:07:18 2018 +0100 rsa/rsa_eay.c: make RSAerr call in rsa_ossl_private_decrypt unconditional. 
Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (cherry picked from commit 89072e0c2a483f2ad678e723e112712567b0ceb1) (Merged from https://github.com/openssl/openssl/pull/7737) commit 8db50d6dafc67fbaa0380420fc1f74f977d16606 Author: Andy Polyakov Date: Sat Sep 1 12:19:30 2018 +0200 err/err.c: add err_clear_last_constant_time. Expected usage pattern is to unconditionally set error and then wipe it if there was no actual error. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (cherry picked from commit f658a3b64d8750642f4975090740865f770c2a1b) Resolved conflicts: crypto/err/err.c crypto/constant_time_locl.h (Merged from https://github.com/openssl/openssl/pull/7737) --- Summary of changes: crypto/constant_time_locl.h | 6 ++ crypto/err/err.c| 38 crypto/rsa/rsa_eay.c| 5 +- crypto/rsa/rsa_oaep.c | 96 +++- crypto/rsa/rsa_pk1.c| 98 ++-- crypto/rsa/rsa_ssl.c| 134 doc/crypto/RSA_padding_add_PKCS1_type_1.pod | 7 +- 7 files changed, 258 insertions(+), 126 deletions(-) diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h index c786aea..a5734f2 100644 --- a/crypto/constant_time_locl.h +++ b/crypto/constant_time_locl.h @@ -204,6 +204,12 @@ static inline int constant_time_select_int(unsigned int mask, int a, int b) return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b))); } +/* + * Expected usage pattern is to unconditionally set error and then + * wipe it if there was no actual error. |clear| is 1 or 0. + */ +void err_clear_last_constant_time(int clear); + #ifdef __cplusplus } #endif diff --git a/crypto/err/err.c b/crypto/err/err.c index e9ef215..5ce774a 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -118,6 +118,7 @@ #include #include #include +#include "constant_time_locl.h" DECLARE_LHASH_OF(ERR_STRING_DATA); DECLARE_LHASH_OF(ERR_STATE); 
@@ -1156,3 +1157,40 @@ int ERR_pop_to_mark(void) es->err_flags[es->top] &= ~ERR_FLAG_MARK; return 1; } + +#ifdef UINTPTR_T +# undef UINTPTR_T +#endif +/* + * uintptr_t is the answer, but unformtunately we can't assume that all + * compilers supported by 1.0.2 have it :-( + */ +#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64 +/* + * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 + * even in 64-bit builds, which means that it won't work as mask.
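Review bot: the contract "|clear| is 1 or 0" on the new err_clear_last_constant_time() prototype in crypto/constant_time_locl.h is easy to violate, because the other helpers in that header yield all-ones/all-zero masks rather than 0/1 values; the comment should state whether a full-width mask is rejected or normalised, or tell callers to convert a mask to 0/1 (for example via constant_time_select_int(), visible just above) before passing it in.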
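Review bot: typo "unformtunately" in the new comment in the crypto/err/err.c hunk. The `#ifdef UINTPTR_T` / `#undef UINTPTR_T` preamble also deserves a one-line comment explaining why any prior definition is discarded, and the VMS branch under `__INITIAL_POINTER_SIZE==64` should name the type chosen in place of size_t rather than only explaining why size_t is unsuitable as a mask.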
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 02354431e2a09d705082f986babf14c056f47b78 (commit) from 63262bd2768797e140f7d0328fb6ccf81aba87b0 (commit) - Log - commit 02354431e2a09d705082f986babf14c056f47b78 Author: Richard Levitte Date: Mon Dec 3 10:57:01 2018 +0100 Docs fixup: some man3 pages had unindented code in SYNOPSIS Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7744) (cherry picked from commit 7b4a3515a4ddb567d48000e61d7cb640d0c5f261) --- Summary of changes: doc/crypto/PKCS12_parse.pod | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/crypto/PKCS12_parse.pod b/doc/crypto/PKCS12_parse.pod index c54cf2a..cd648d3 100644 --- a/doc/crypto/PKCS12_parse.pod +++ b/doc/crypto/PKCS12_parse.pod @@ -8,7 +8,8 @@ PKCS12_parse - parse a PKCS#12 structure #include -int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca); + int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, + STACK_OF(X509) **ca); =head1 DESCRIPTION _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 63262bd2768797e140f7d0328fb6ccf81aba87b0 (commit) via cf68eb3687e271d02e55af2c132ea7527d76bcac (commit) from 23bfb5b556a4e534fd61fb30719851d4b7b1fc82 (commit) - Log - commit 63262bd2768797e140f7d0328fb6ccf81aba87b0 Author: David Woodhouse Date: Tue Oct 16 07:59:46 2018 -0700 Honour mandatory digest on private key in tls1_process_sigalgs() If the private key says it can only support one specific digest, then don't ask it to perform a different one. Fixes: #7348 (cherry picked from commit 2d263a4a73f852005b16359873475d48755999ad and reworked for 1.0.2) Reviewed-by: Matt Caswell Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7610) commit cf68eb3687e271d02e55af2c132ea7527d76bcac Author: David Woodhouse Date: Tue Oct 16 07:41:17 2018 -0700 Stop marking default digest for EC keys as mandatory ASN1_PKEY_CTRL_DEFAULT_MD_NID is documented to return 2 for a mandatory digest algorithm, when the key can't support any others. That isn't true here, so return 1 instead. Partially fixes #7348 (cherry picked from commit eb7eb1378cd15c4652884b3701d4c0ef27b5b8a6) Reviewed-by: Matt Caswell Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7610) --- Summary of changes: crypto/ec/ec_ameth.c | 2 +- ssl/t1_lib.c | 20 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index aa5f305..db7e791 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -601,7 +601,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) case ASN1_PKEY_CTRL_DEFAULT_MD_NID: *(int *)arg2 = NID_sha256; -return 2; +return 1; default: return -2; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 55f918d..8c1f3ae 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c 
@@ -3697,6 +3697,12 @@ int tls12_get_sigid(const EVP_PKEY *pk) sizeof(tls12_sig) / sizeof(tls12_lookup)); } +static int tls12_get_hash_nid(unsigned char hash_alg) +{ +return tls12_find_nid(hash_alg, tls12_md, + sizeof(tls12_md) / sizeof(tls12_lookup)); +} + const EVP_MD *tls12_get_hash(unsigned char hash_alg) { switch (hash_alg) { @@ -3887,6 +3893,8 @@ int tls1_process_sigalgs(SSL *s) const EVP_MD *md; CERT *c = s->cert; TLS_SIGALGS *sigptr; +int mandatory_mdnid; + if (!tls1_set_shared_sigalgs(s)) return 0; @@ -3918,6 +3926,18 @@ int tls1_process_sigalgs(SSL *s) for (i = 0, sigptr = c->shared_sigalgs; i < c->shared_sigalgslen; i++, sigptr++) { idx = tls12_get_pkey_idx(sigptr->rsign); +if (s->cert->pkeys[idx].privatekey) { +ERR_set_mark(); +if (EVP_PKEY_get_default_digest_nid(s->cert->pkeys[idx].privatekey, +_mdnid) == 2 && +mandatory_mdnid != tls12_get_hash_nid(sigptr->rhash)) +continue; +/* + * If EVP_PKEY_get_default_digest_nid() failed, don't pollute + * the error stack. + */ +ERR_pop_to_mark(); +} if (idx > 0 && c->pkeys[idx].digest == NULL) { md = tls12_get_hash(sigptr->rhash); c->pkeys[idx].digest = md; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
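Review bot: in the third ssl/t1_lib.c hunk (the loop in tls1_process_sigalgs()) the new block indexes s->cert->pkeys[idx] before the pre-existing `idx > 0` guard that follows it, so if tls12_get_pkey_idx() can return a negative value for an unrecognised signature algorithm this reads outside pkeys[]; move the block inside that guard or add the same `idx > 0` test in front of it. Separately, the `continue` taken when the mandatory digest does not match skips ERR_pop_to_mark(), leaving the mark set by ERR_set_mark() on the error queue; pop the mark before continuing.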
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 23bfb5b556a4e534fd61fb30719851d4b7b1fc82 (commit) from 8bfde2578ce28f2f24bc5d53c374b14290436c0b (commit) - Log - commit 23bfb5b556a4e534fd61fb30719851d4b7b1fc82 Author: Andy Polyakov Date: Wed Nov 7 22:07:22 2018 +0100 rsa/rsa_eay.c: cache MONT_CTX for public modulus earlier. Blinding is performed more efficiently and securely if MONT_CTX for public modulus is available by the time blinding parameter are instantiated. So make sure it's the case. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre (manually cherry picked from commit 2cc3f68cde77af23c61fbad65470602ee86f2575) (Merged from https://github.com/openssl/openssl/pull/7586) --- Summary of changes: crypto/rsa/rsa_eay.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index be948a4..1155583 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -397,6 +397,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, goto err; } +if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) +if (!BN_MONT_CTX_set_locked(>_method_mod_n, CRYPTO_LOCK_RSA, +rsa->n, ctx)) +goto err; + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { blinding = rsa_get_blinding(rsa, _blinding, ctx); if (blinding == NULL) { @@ -431,11 +436,6 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, } else d = rsa->d; -if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) -if (!BN_MONT_CTX_set_locked(>_method_mod_n, CRYPTO_LOCK_RSA, -rsa->n, ctx)) -goto err; - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) goto err; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
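Review bot: the block moved in crypto/rsa/rsa_eay.c is a nested `if` without braces (`if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked(...)) goto err;`); now that it sits directly in front of the `if (!(rsa->flags & RSA_FLAG_NO_BLINDING))` block, braces around the outer `if` would keep a future `else` from binding to the inner one. The relocation itself is sound: the Montgomery context for n is set up before rsa_get_blinding() runs, as the commit message intends, and the second hunk removes exactly the lines the first one adds.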
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 8bfde2578ce28f2f24bc5d53c374b14290436c0b (commit) from 49d07eb3cc85b5ea8877f7cdfadc8c20497eb09a (commit) - Log - commit 8bfde2578ce28f2f24bc5d53c374b14290436c0b Author: Richard Levitte Date: Thu Nov 22 11:05:31 2018 +0100 VMS: ensure x509_time_test is built A lacking DCL variable to indicate where it's located was missing. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7685) --- Summary of changes: test/maketests.com | 1 + 1 file changed, 1 insertion(+) diff --git a/test/maketests.com b/test/maketests.com index c0e1730..a440c07 100644 --- a/test/maketests.com +++ b/test/maketests.com @@ -198,6 +198,7 @@ $ T_D_BAD_DTLS_TEST := [-.ssl] $ T_D_SSLV2CONFTEST := [-.ssl] $ T_D_DTLSTEST := [-.ssl] $ T_D_FATALERRTEST := [-.ssl] +$ T_D_X509_TIME_TEST := [] $ $ EXOBJ_DTLSTEST := SSLTESTLIB $ EXOBJ_FATALERRTEST := SSLTESTLIB _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 49d07eb3cc85b5ea8877f7cdfadc8c20497eb09a (commit) via 5707219a6aae8052cb98aa361d115be01b8fd894 (commit) via d98ff540df55b6ef4e29df9590e082afa7ad65b4 (commit) from 8ea167207d2a014bf592eb21b7e33ed2204d5063 (commit) - Log - commit 49d07eb3cc85b5ea8877f7cdfadc8c20497eb09a Author: Matt Caswell Date: Tue Nov 20 13:46:11 2018 + Prepare for 1.0.2r-dev Reviewed-by: Richard Levitte commit 5707219a6aae8052cb98aa361d115be01b8fd894 Author: Matt Caswell Date: Tue Nov 20 13:45:20 2018 + Prepare for 1.0.2q release Reviewed-by: Richard Levitte commit d98ff540df55b6ef4e29df9590e082afa7ad65b4 Author: Matt Caswell Date: Tue Nov 20 13:45:20 2018 + make update Reviewed-by: Richard Levitte --- Summary of changes: CHANGES | 6 +- NEWS | 6 +- README | 2 +- crypto/Makefile | 7 +++ crypto/conf/Makefile | 7 --- crypto/opensslv.h| 6 +++--- crypto/rand/Makefile | 9 + openssl.spec | 2 +- util/libeay.num | 1 + 9 files changed, 32 insertions(+), 14 deletions(-) diff --git a/CHANGES b/CHANGES index 11d7232..ab5cdf6 100644 --- a/CHANGES +++ b/CHANGES @@ -7,7 +7,11 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. - Changes between 1.0.2p and 1.0.2q [xx XXX ] + Changes between 1.0.2q and 1.0.2r [xx XXX ] + + *) + + Changes between 1.0.2p and 1.0.2q [20 Nov 2018] *) Microarchitecture timing vulnerability in ECC scalar multiplication diff --git a/NEWS b/NEWS index 38fe668..566ce43 100644 --- a/NEWS +++ b/NEWS 
@@ -5,7 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [under development] + Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [under development] + + o + + Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407) o Timing vulnerability in DSA signature generation (CVE-2018-0734) diff --git a/README b/README index 3f5f81e..a288fd6 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.2q-dev + OpenSSL 1.0.2r-dev Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/Makefile b/crypto/Makefile index 72c96f6..180707e 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -180,6 +180,13 @@ ex_data.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h ex_data.o: ex_data.c fips_ers.o: ../include/openssl/opensslconf.h fips_ers.c +getenv.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h +getenv.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +getenv.o: ../include/openssl/err.h ../include/openssl/lhash.h +getenv.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +getenv.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h +getenv.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h +getenv.o: getenv.c mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h mem.o: ../include/openssl/err.h ../include/openssl/lhash.h diff --git a/crypto/conf/Makefile b/crypto/conf/Makefile index d5f5c58..cd436f7 100644 --- a/crypto/conf/Makefile +++ b/crypto/conf/Makefile 
@@ -80,12 +80,13 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. conf_api.o: ../../e_os.h ../../include/openssl/bio.h -conf_api.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h -conf_api.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +conf_api.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h +conf_api.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h +conf_api.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h conf_api.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -conf_api.o: ../../include/openssl/symhacks.h conf_api.c +conf_api.o: ../../include/openssl/symhacks.h ../cryptlib.h conf_api.c conf_def.o: ../../e_os.h ../../include/openssl/bio.h conf_def.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h conf_def.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 8509228..f808f1e 100644 --- a/crypto/opensslv.h
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 8ea167207d2a014bf592eb21b7e33ed2204d5063 (commit) from 548cce63dd401b89e26d049152e3f9465f82720f (commit) - Log - commit 8ea167207d2a014bf592eb21b7e33ed2204d5063 Author: Matt Caswell Date: Tue Nov 20 13:23:36 2018 + Update copyright year Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7671) --- Summary of changes: crypto/bn/bn_blind.c | 2 +- crypto/bn/bn_x931p.c | 2 +- crypto/conf/conf_mod.c | 2 +- crypto/ec/ec_lcl.h | 2 +- crypto/ec/ec_mult.c | 2 +- crypto/engine/eng_list.c | 2 +- crypto/pkcs12/p12_init.c | 2 +- crypto/rand/md_rand.c| 2 +- crypto/rand/rand_lcl.h | 2 +- engines/e_capi.c | 2 +- ssl/ssl_ciph.c | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 40e1bb6..a1e5e13 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -1,6 +1,6 @@ /* crypto/bn/bn_blind.c */ /* - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c index 116620a..e40241f 100644 --- a/crypto/bn/bn_x931p.c +++ b/crypto/bn/bn_x931p.c @@ -4,7 +4,7 @@ * 2005. */ /* - * Copyright (c) 2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 2005-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c index 2a7a27b..1df463d 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c 
@@ -4,7 +4,7 @@ * 2001. */ /* - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index 2d604fa..8665a4c 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* - * Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index c573d4b..da71526 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. */ /* - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index 9e64b9d..5d7eee4 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -4,7 +4,7 @@ * 2000. */ /* - * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/pkcs12/p12_init.c b/crypto/pkcs12/p12_init.c index 8275a23..a074b94 100644 --- a/crypto/pkcs12/p12_init.c +++ b/crypto/pkcs12/p12_init.c 
@@ -4,7 +4,7 @@ * 1999. */ /* - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 0c273ad..2983a3f 100644 --- a/crypto/rand/md_rand.c +++
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 548cce63dd401b89e26d049152e3f9465f82720f (commit) from d88ff8962c2fd86aeb7ca7297ca9526d0916787e (commit) - Log - commit 548cce63dd401b89e26d049152e3f9465f82720f Author: Matt Caswell Date: Tue Nov 20 10:52:53 2018 + Update CHANGES and NEWS for new release Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7667) --- Summary of changes: CHANGES | 10 ++ NEWS| 3 ++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index fde66b5..11d7232 100644 --- a/CHANGES +++ b/CHANGES @@ -22,6 +22,16 @@ (CVE-2018-5407) [Billy Brumley] + *) Timing vulnerability in DSA signature generation + + The OpenSSL DSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. + (CVE-2018-0734) + [Paul Dale] + *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module, accidentally introduced while backporting security fixes from the development branch and hindering the use of ECC in FIPS mode. diff --git a/NEWS b/NEWS index 2c5f5f8..38fe668 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,8 @@ Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [under development] - o + o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407) + o Timing vulnerability in DSA signature generation (CVE-2018-0734) Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018] _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via d88ff8962c2fd86aeb7ca7297ca9526d0916787e (commit) from 84b4759dbd0d7917091d20cd78712a20afb57d9b (commit) - Log - commit d88ff8962c2fd86aeb7ca7297ca9526d0916787e Author: Richard Levitte Date: Tue Nov 20 12:11:38 2018 +0100 VMS: ensure crypto/getenv.c is included in the build Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7665) --- Summary of changes: crypto/crypto-lib.com | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/crypto-lib.com b/crypto/crypto-lib.com index 37dc418..efed110 100644 --- a/crypto/crypto-lib.com +++ b/crypto/crypto-lib.com @@ -214,7 +214,8 @@ $! The contents of these variables are copied from the LIBOBJ variable in the $! corresponding Makefile from each corresponding subdirectory, with .o stripped $! and spaces replaced with commas. $ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,cpt_err,ebcdic,"+ - - "uid,o_time,o_str,o_dir,o_fips,o_init,fips_ers,mem_clr" + "uid,o_time,o_str,o_dir,o_fips,o_init,fips_ers,mem_clr,"+ - + "getenv" $ LIB_OBJECTS = "o_names,obj_dat,obj_lib,obj_err,obj_xref" $ LIB_MD2 = "md2_dgst,md2_one" $ LIB_MD4 = "md4_dgst,md4_one" _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 84b4759dbd0d7917091d20cd78712a20afb57d9b (commit) from b18162a7c9bbfb57112459a4d6631fa258fd8c0c (commit) - Log - commit 84b4759dbd0d7917091d20cd78712a20afb57d9b Author: Vitezslav Cizek Date: Thu Oct 25 13:53:26 2018 +0200 DSA: Check for sanity of input parameters dsa_builtin_paramgen2 expects the L parameter to be greater than N, otherwise the generation will get stuck in an infinite loop. Reviewed-by: Bernd Edlinger Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre (cherry picked from commit 3afd38b277a806b901e039c6ad281c5e5c97ef67) (Merged from https://github.com/openssl/openssl/pull/7493) --- Summary of changes: crypto/dsa/dsa_gen.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index db52a38..e55d585 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -435,6 +435,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, EVP_MD_CTX_init(); +/* make sure L > N, otherwise we'll get trapped in an infinite loop */ +if (L <= N) { +DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS); +goto err; +} + if (evpmd == NULL) { if (N == 160) evpmd = EVP_sha1(); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
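Review bot: the new `L <= N` guard in dsa_builtin_paramgen2() is correctly placed after EVP_MD_CTX_init(), so the `goto err` cleanup path remains valid, but it only constrains the relative sizes; consider also rejecting N == 0, and N values the digest selection just below (`if (N == 160) evpmd = EVP_sha1();` and its siblings) does not recognise when evpmd is NULL, so callers get DSA_R_INVALID_PARAMETERS up front instead of relying on the later code to cope with them.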
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via b18162a7c9bbfb57112459a4d6631fa258fd8c0c (commit) from 59b9c67fcaf1c1e2c0e30de6facca85910ac361a (commit) - Log - commit b18162a7c9bbfb57112459a4d6631fa258fd8c0c Author: Billy Brumley Date: Thu Nov 8 13:57:54 2018 +0200 CVE-2018-5407 fix: ECC ladder Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7593) --- Summary of changes: CHANGES | 13 +++ crypto/bn/bn_lib.c | 32 +++ crypto/ec/ec_mult.c | 246 3 files changed, 291 insertions(+) diff --git a/CHANGES b/CHANGES index b574074..fde66b5 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,19 @@ Changes between 1.0.2p and 1.0.2q [xx XXX ] + *) Microarchitecture timing vulnerability in ECC scalar multiplication + + OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been + shown to be vulnerable to a microarchitecture timing side channel attack. + An attacker with sufficient access to mount local timing attacks during + ECDSA signature generation could recover the private key. + + This issue was reported to OpenSSL on 26th October 2018 by Alejandro + Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and + Nicola Tuveri. + (CVE-2018-5407) + [Billy Brumley] + *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module, accidentally introduced while backporting security fixes from the development branch and hindering the use of ECC in FIPS mode. diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 8f1042b..9b95e5f 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c 
@@ -903,6 +903,38 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) a->top ^= t; b->top ^= t; +t = (a->neg ^ b->neg) & condition; +a->neg ^= t; +b->neg ^= t; + +/*- + * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention + * is actually to treat it as it's read-only data, and some (if not most) + * of it does reside in read-only segment. In other words observation of + * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or effectively cause data + * corruption. + * + * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be + * preserved. + * + * BN_FLG_SECURE: must be preserved, because it determines how x->d was + * allocated and hence how to free it. + * + * BN_FLG_CONSTTIME: sufficient to mask and swap + * + * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on + * the data, so the d array may be padded with additional 0 values (i.e. + * top could be greater than the minimal value that it could be). We should + * be swapping it + */ + +#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) + +t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; +a->flags ^= t; +b->flags ^= t; + #define BN_CONSTTIME_SWAP(ind) \ do { \ t = (a->d[ind] ^ b->d[ind]) & condition; \ diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 2231f99..c573d4b 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c 
@@ -310,6 +310,224 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) return r; } +#define EC_POINT_BN_set_flags(P, flags) do { \ +BN_set_flags(&(P)->X, (flags)); \ +BN_set_flags(&(P)->Y, (flags)); \ +BN_set_flags(&(P)->Z, (flags)); \ +} while(0) + +/*- + * This functions computes (in constant time) a point multiplication over the + * EC group. + * + * At a high level, it is Montgomery ladder with conditional swaps. + * + * It performs either a fixed scalar point multiplication + * (scalar * generator) + * when point is NULL, or a generic scalar point multiplication + * (scalar * point) + * when point is not NULL. + * + * scalar should be in the range [0,n) otherwise all constant time bets are off. + * + * NB: This says nothing about EC_POINT_add and EC_POINT_dbl, + * which of course are not constant time themselves. + * + * The product is stored in r. + * + * Returns 1 on success, 0 otherwise. + */ +static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, +const BIGNUM *scalar, const EC_POINT *point, +BN_CTX *ctx) +{ +int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; +EC_POINT *s = NULL; +BIGNUM *k = NULL; +BIGNUM *lambda = NULL; +BIGNUM *cardinality = NULL; +BN_CTX *new_ctx = NULL; +int ret = 0; + +if (ctx == NULL &&
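Review bot: in the crypto/bn/bn_lib.c hunk the comment states that observing BN_FLG_STATIC_DATA in BN_consttime_swap() "should be treated as fatal", yet the code that follows only masks BN_CONSTTIME_SWAP_FLAGS and never checks for it; either add an explicit check (an assert in debug builds or an early bail-out) or reword the comment so it does not promise a check that is not made. The `neg` and flags swaps themselves use `condition` the same way as the existing word swaps, which is correct as long as callers keep passing an all-ones/all-zero mask.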
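Review bot: the ec_mul_consttime() header comment in crypto/ec/ec_mult.c has a grammar slip ("This functions computes"); more importantly, it limits the constant-time guarantee to scalars in [0, n) and notes that EC_POINT_add() and EC_POINT_dbl() are not constant time themselves, and that caveat belongs in the CHANGES entry for CVE-2018-5407 as well, so users know what the ladder does and does not cover. A short comment at the `cardinality` and `lambda` declarations on how an out-of-range scalar is handled would also help.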
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 59b9c67fcaf1c1e2c0e30de6facca85910ac361a (commit) from f1e5009c1c95b708b9ba21c23693f95468089419 (commit) - Log - commit 59b9c67fcaf1c1e2c0e30de6facca85910ac361a Author: Dr. Matthias St. Pierre Date: Fri Nov 9 21:37:38 2018 +0100 Fix 'no-ecdh' build Fixes #3302 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7606) --- Summary of changes: ssl/ssl_ciph.c | 8 +++- ssl/ssl_lib.c | 8 +--- ssl/t1_lib.c | 6 +- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index ccdf00f..e5a500d 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1406,11 +1406,17 @@ static int ssl_cipher_process_rulestr(const char *rule_str, static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, const char **prule_str) { -unsigned int suiteb_flags = 0, suiteb_comb2 = 0; +unsigned int suiteb_flags = 0; +# ifndef OPENSSL_NO_ECDH +unsigned int suiteb_comb2 = 0; +#endif + if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) { suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY; } else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) { +# ifndef OPENSSL_NO_ECDH suiteb_comb2 = 1; +# endif suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; } else if (strncmp(*prule_str, "SUITEB128", 9) == 0) { suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index aa0cbdb..cfcfe76 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2259,10 +2259,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) int rsa_tmp_export, dh_tmp_export, kl; unsigned long mask_k, mask_a, emask_k, emask_a; #ifndef OPENSSL_NO_ECDSA -int have_ecc_cert, ecdsa_ok, ecc_pkey_size; +int have_ecc_cert, ecdsa_ok; #endif #ifndef OPENSSL_NO_ECDH -int have_ecdh_tmp, ecdh_ok; +int have_ecdh_tmp, ecdh_ok, ecc_pkey_size; #endif #ifndef OPENSSL_NO_EC X509 *x = NULL; 
@@ -2405,7 +2405,9 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) if (!(cpk->valid_flags & CERT_PKEY_SIGN)) ecdsa_ok = 0; ecc_pkey = X509_get_pubkey(x); +# ifndef OPENSSL_NO_ECDH ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0; +# endif EVP_PKEY_free(ecc_pkey); if ((x->sig_alg) && (x->sig_alg->algorithm)) { signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); @@ -2467,7 +2469,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) -#ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECDH int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8cb8816..55f918d 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -500,7 +500,11 @@ static int tls1_get_curvelist(SSL *s, int sess, } else # endif { -if (!s->server || s->cert->ecdh_tmp_auto) { +if (!s->server +# ifndef OPENSSL_NO_ECDH +|| s->cert->ecdh_tmp_auto +# endif +) { *pcurves = eccurves_auto; pcurveslen = sizeof(eccurves_auto); } else { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
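Review bot: in the ssl_ciph.c hunk the new preprocessor guards are closed inconsistently: the first pair is `# ifndef OPENSSL_NO_ECDH` / `#endif`, the second is `# ifndef OPENSSL_NO_ECDH` / `# endif`. Use the indented `# endif` form for both so the nesting depth stays readable.

Review bot: the ssl_lib.c hunk narrows the guard around ssl_check_srvr_ecc_cert_and_alg() from `#ifndef OPENSSL_NO_EC` to `#ifndef OPENSSL_NO_ECDH`; the declaration in the internal header and every call site need the same guard, otherwise a `no-ecdh` build that still has EC enabled gets an implicit declaration or an unresolved symbol. The diffstat lists only ssl_ciph.c, ssl_lib.c and t1_lib.c, so please confirm the header and callers are already guarded on OPENSSL_NO_ECDH.

Review bot: the t1_lib.c hunk splits the `if` condition across preprocessor lines (`if (!s->server`, `# ifndef OPENSSL_NO_ECDH`, `|| s->cert->ecdh_tmp_auto`, `# endif`, `) {`), which is hard to read and easy to break the next time the condition is edited. Computing the condition into a local first, with the `# ifndef` block contributing its term, keeps the `if` on one line.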
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via f1e5009c1c95b708b9ba21c23693f95468089419 (commit) from 880d1c76ed9916cddb97fe05fb4c144f0f6f1012 (commit) - Log - commit f1e5009c1c95b708b9ba21c23693f95468089419 Author: Matt Caswell Date: Tue Oct 16 17:08:11 2018 +0100 Properly handle duplicated messages from the next epoch Since 3884b47b7c we may attempt to buffer a record from the next epoch that has already been buffered. Prior to that this never occurred. We simply ignore a failure to buffer a duplicated record. Fixes #6902 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7415) --- Summary of changes: ssl/d1_pkt.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index f5deddf..23aa9db 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -293,14 +293,12 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) return (-1); } -/* insert should not fail, since duplicates are dropped */ if (pqueue_insert(queue->q, item) == NULL) { -SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); +/* Must be a duplicate so ignore it */ if (rdata->rbuf.buf != NULL) OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata); pitem_free(item); -return (-1); } return (1); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
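Review bot: the d1_pkt.c hunk turns every NULL from pqueue_insert() into "must be a duplicate" and still returns 1, so any other failure of the queue would now be swallowed silently instead of being reported as an internal error. This is safe only because pqueue_insert() does not allocate and returns NULL solely when an item with the same priority is already queued; say so in the new comment (and consider keeping an assert-style check in debug builds) so a future change to pqueue does not reintroduce a silent drop.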
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 880d1c76ed9916cddb97fe05fb4c144f0f6f1012 (commit) from ebf65dbe1a67682d7e1f58db9c53ef737fb37f32 (commit) - Log - commit 880d1c76ed9916cddb97fe05fb4c144f0f6f1012 Author: Pauli Date: Thu Nov 1 08:44:11 2018 +1000 Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) --- Summary of changes: crypto/dsa/dsa_ossl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 80daf60..c887c3c 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -295,9 +295,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { BN_set_flags(, BN_FLG_CONSTTIME); +BN_set_flags(, BN_FLG_CONSTTIME); } - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(>method_mont_p, CRYPTO_LOCK_DSA, dsa->p, ctx)) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
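Review bot: the dsa_ossl.c hunk adds BN_FLG_CONSTTIME to a second BIGNUM inside the existing `DSA_FLAG_NO_EXP_CONSTTIME` check, which is the right place, but the commit message does not say which operation on that value was timing-dependent. BN_FLG_CONSTTIME is only honoured by the BN routines that explicitly test for it (the modular exponentiation and inversion paths and the division they rely on), so naming the leaking operation in the message or in a comment lets a reviewer verify the flag actually reaches it. The blank-line removal in the same hunk is unrelated whitespace churn.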
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via ebf65dbe1a67682d7e1f58db9c53ef737fb37f32 (commit) from 43e6a58d4991a451daf4891ff05a48735df871ac (commit) - Log - commit ebf65dbe1a67682d7e1f58db9c53ef737fb37f32 Author: Pauli Date: Mon Oct 29 07:18:09 2018 +1000 Merge to 1.0.2: DSA mod inverse fix. There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7512) --- Summary of changes: crypto/dsa/dsa_ossl.c | 34 -- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 100e269..80daf60 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -73,6 +73,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", @@ -333,8 +335,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, if (!BN_mod(r, r, dsa->q, ctx)) goto err; -/* Compute part of 's = inv(k) (m + xr) mod q' */ -if ((kinv = BN_mod_inverse(NULL, , dsa->q, ctx)) == NULL) +/* Compute part of 's = inv(k) (m + xr) mod q' */ +if ((kinv = dsa_mod_inverse_fermat(, dsa->q, ctx)) == NULL) goto err; if (*kinvp != NULL) 
@@ -468,3 +470,31 @@ static int dsa_finish(DSA *dsa) BN_MONT_CTX_free(dsa->method_mont_p); return (1); } + +/* + * Compute the inverse of k modulo q. + * Since q is prime, Fermat's Little Theorem applies, which reduces this to + * mod-exp operation. Both the exponent and modulus are public information + * so a mod-exp that doesn't leak the base is sufficient. A newly allocated + * BIGNUM is returned which the caller must free. + */ +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx) +{ +BIGNUM *res = NULL; +BIGNUM *r, e; + +if ((r = BN_new()) == NULL) +return NULL; + +BN_init(); + +if (BN_set_word(r, 2) +&& BN_sub(, q, r) +&& BN_mod_exp_mont(r, k, , q, ctx, NULL)) +res = r; +else +BN_free(r); +BN_free(); +return res; +} _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
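Review bot: in the new dsa_mod_inverse_fermat() the exponentiation is BN_mod_exp_mont() with the public exponent e = q - 2 and the secret k as the base. BN_mod_exp_mont() selects its constant-time ladder only when the exponent carries BN_FLG_CONSTTIME, so with a public e the sliding-window path runs; the comment asserts that this path "doesn't leak the base", and that claim deserves a sentence of justification (the window table construction and the Montgomery final subtraction are the places where base-dependent timing could appear). If the intent is to be safe regardless of that analysis, setting BN_FLG_CONSTTIME on e forces BN_mod_exp_mont_consttime() at modest cost. Two smaller points: passing NULL for the Montgomery context rebuilds it for q on every signature, so a cached context (as already done for p via method_mont_p) would avoid that; and `r` holds the secret inverse, so BN_clear_free(r) is the better choice on the error path.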
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 43e6a58d4991a451daf4891ff05a48735df871ac (commit) from 896e8c5713b50ff2ef1478d5c6709874ce57cf05 (commit) - Log - commit 43e6a58d4991a451daf4891ff05a48735df871ac Author: Pauli Date: Mon Oct 29 08:24:22 2018 +1000 Merge DSA reallocation timing fix CVE-2018-0734. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7513) --- Summary of changes: crypto/dsa/dsa_ossl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 2dcfede..100e269 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -279,7 +279,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, goto err; /* Preallocate space */ -q_bits = BN_num_bits(dsa->q); +q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16; if (!BN_set_bit(, q_bits) || !BN_set_bit(, q_bits) || !BN_set_bit(, q_bits)) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
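Review bot: the preallocation line `q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16;` mixes units: BN_num_bits() returns bits, while `sizeof(dsa->q->d[0]) * 16` is a byte count times 16. It works out to two extra limbs on both 32-bit and 64-bit builds, but only by coincidence of the formula; `2 * BN_BITS2` says that directly. Add a comment stating why the headroom is needed (so the later additions of q to k do not trigger a reallocation whose timing depends on k), since a reader cannot otherwise tell whether the platform-dependent size is deliberate.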
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 896e8c5713b50ff2ef1478d5c6709874ce57cf05 (commit) from 35cf781c20b65e51c6d0d3e9a199e74534b60b4a (commit) - Log - commit 896e8c5713b50ff2ef1478d5c6709874ce57cf05 Author: Dr. Matthias St. Pierre Date: Thu Oct 18 23:17:46 2018 +0200 md_rand.c: don't stop polling until properly initialized Previously, the RNG sets `initialized=1` after the first call to RAND_poll(), although its criterion for being initialized actually is whether condition `entropy >= ENTROPY_NEEDED` is true. This commit now assigns `initialized=(entropy >= ENTROPY_NEEDED)`, which has the effect that on the next call, RAND_poll() will be called again, if it previously failed to obtain enough entropy. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7439) --- Summary of changes: crypto/rand/md_rand.c | 14 ++ 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index abca70f..0c273ad 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -345,7 +345,6 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) static volatile int stirred_pool = 0; int i, j, k; size_t num_ceil, st_idx, st_num; -int ok; long md_c[2]; unsigned char local_md[MD_DIGEST_LENGTH]; EVP_MD_CTX m; @@ -400,14 +399,13 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) if (!initialized) { RAND_poll(); -initialized = 1; +initialized = (entropy >= ENTROPY_NEEDED); } if (!stirred_pool) do_stir_pool = 1; -ok = (entropy >= ENTROPY_NEEDED); -if (!ok) { +if (!initialized) { /* * If the PRNG state is not yet unpredictable, then seeing the PRNG * output may help attackers to determine the new state; thus we have @@ -446,7 +444,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) ssleay_rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0); n -= MD_DIGEST_LENGTH; } -if (ok) +if (initialized) stirred_pool = 1; } 
@@ -539,7 +537,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); EVP_MD_CTX_cleanup(); -if (ok) +if (initialized) return (1); else if (pseudo) return 0; @@ -612,10 +610,10 @@ static int ssleay_rand_status(void) if (!initialized) { RAND_poll(); -initialized = 1; +initialized = (entropy >= ENTROPY_NEEDED); } -ret = entropy >= ENTROPY_NEEDED; +ret = initialized; if (!do_not_lock) { /* before unlocking, we must clear 'crypto_lock_rand' */ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
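Review bot: in the ssleay_rand_bytes() hunks the local `ok` snapshot is replaced by direct reads of the shared static `initialized`, and the last read (`if (initialized) return (1);`) happens after `CRYPTO_w_unlock(CRYPTO_LOCK_RAND)`. Another thread can change `initialized` between generation and that read, so the return value may no longer describe the state the bytes were actually produced under: a pool that was unseeded when the bytes were generated can report success if a concurrent caller's RAND_poll() succeeded in the meantime. Keep a local copy taken while the lock is held, e.g. `ok = initialized;` immediately after the `RAND_poll()` block, and test that copy after unlocking; the ssleay_rand_status() hunk, which reads `initialized` under the lock, is fine as is.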
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 35cf781c20b65e51c6d0d3e9a199e74534b60b4a (commit) via c8ce9e50d50af58d878d81522a3d592c00a17ba0 (commit) from b1016c96dbb7a8d9b724f34656e0b2aae9e54cfe (commit) - Log - commit 35cf781c20b65e51c6d0d3e9a199e74534b60b4a Author: Viktor Dukhovni Date: Mon Oct 8 12:05:14 2018 -0400 Apply self-imposed path length also to root CAs Also, some readers of the code find starting the count at 1 for EE cert confusing (since RFC5280 counts only non-self-issued intermediate CAs, but we also counted the leaf). Therefore, never count the EE cert, and adjust the path length comparison accordingly. This may be more clear to the reader. Reviewed-by: Matt Caswell (cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6) commit c8ce9e50d50af58d878d81522a3d592c00a17ba0 Author: Viktor Dukhovni Date: Thu Oct 4 23:53:01 2018 -0400 Only CA certificates can be self-issued At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph of above https://tools.ietf.org/html/rfc5280#section-3.3), we see: This specification covers two classes of certificates: CA certificates and end entity certificates. CA certificates may be further divided into three classes: cross-certificates, self-issued certificates, and self-signed certificates. Cross-certificates are CA certificates in which the issuer and subject are different entities. Cross-certificates describe a trust relationship between the two CAs. Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations. Self-signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate. Self-signed certificates are used to convey a public key for use to begin certification paths.
End entity certificates are issued to subjects that are not authorized to issue certificates. that the term "self-issued" is only applicable to CAs, not end-entity certificates. In https://tools.ietf.org/html/rfc5280#section-4.2.1.9 the description of path length constraints says: The pathLenConstraint field is meaningful only if the cA boolean is asserted and the key usage extension, if present, asserts the keyCertSign bit (Section 4.2.1.3). In this case, it gives the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. (Note: The last certificate in the certification path is not an intermediate certificate, and is not included in this limit. Usually, the last certificate is an end entity certificate, but it can be a CA certificate.) This makes it clear that exclusion of self-issued certificates from the path length count applies only to some *intermediate* CA certificates. A leaf certificate whether it has identical issuer and subject or whether it is a CA or not is never part of the intermediate certificate count. The handling of all leaf certificates must be the same, in the case of our code to post-increment the path count by 1, so that we ultimately reach a non-self-issued intermediate it will be the first one (not zeroth) in the chain of intermediates. Reviewed-by: Matt Caswell (cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f) --- Summary of changes: crypto/x509/x509_vfy.c | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 749768e..da778d4 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c 
@@ -694,10 +694,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) goto end; } } -/* Check pathlen if not self issued */ -if ((i > 1) && !(x->ex_flags & EXFLAG_SI) -&& (x->ex_pathlen != -1) -&& (plen > (x->ex_pathlen + proxy_path_length + 1))) { +/* Check pathlen */ +if ((i > 1) && (x->ex_pathlen != -1) +&& (plen > (x->ex_pathlen + proxy_path_length))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; @@ -705,8 +704,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (!ok) goto end; } -/* Increment path length if not self issued */ -if (!(x->ex_flags & EXFLAG_SI)) +/* Increment
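Review bot: the check_chain_extensions() hunk drops both the `EXFLAG_SI` exclusion and the `+ 1` from the comparison, so the constraint is now `plen > x->ex_pathlen + proxy_path_length`; that is only correct if the increment site (the second hunk, cut off here after `/* Increment`) changes in lock-step so that `plen` excludes the leaf and self-issued intermediates but still counts every non-self-issued intermediate, otherwise the check is off by one. A comment at the comparison stating exactly what `plen` counts at depth `i` (per RFC 5280 4.2.1.9: non-self-issued intermediates that follow the constraining certificate, excluding the last certificate in the path) would make the two hunks verifiable independently.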
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via b1016c96dbb7a8d9b724f34656e0b2aae9e54cfe (commit) from 6be3286fee187edb3c133910c6ec27d21a75976b (commit) - Log - commit b1016c96dbb7a8d9b724f34656e0b2aae9e54cfe Author: Andy Polyakov Date: Wed Sep 5 14:33:21 2018 +0200 rsa/rsa_ossl.c: fix and extend commentary [skip ci]. Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7123) (cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849) --- Summary of changes: crypto/rsa/rsa_eay.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 1bb121f..be948a4 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -783,10 +783,11 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) */ || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p) -/* r0 = r0 * iqmp mod p */ +/* r1 = r1 * iqmp mod p */ || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, ctx) +/* r0 = r1 * q + m1 */ || !bn_mul_fixed_top(r0, r1, rsa->q, ctx) || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n)) goto err; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
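Review bot: the new comment `/* r0 = r1 * q + m1 */` in the RSA_eay_mod_exp hunk describes bn_mul_fixed_top() followed by bn_mod_add_fixed_top(r0, r0, m1, rsa->n), so the result is reduced modulo n; write it as `r0 = (r1 * q + m1) mod n` to match the corrected `r1 = r1 * iqmp mod p` line above it, which does name its modulus.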
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 6be3286fee187edb3c133910c6ec27d21a75976b (commit) from fff1da43be2236995cdf5ef2f3e2a51be232ba85 (commit) - Log - commit 6be3286fee187edb3c133910c6ec27d21a75976b Author: Andy Polyakov Date: Sun Sep 23 16:38:11 2018 +0200 util/domd: omit superfluous shift in -MD handling. While reviewing last modification in GH#6261 Richard actually spotted the inconsistency, but withdrew the remark, correct one in aftermath... Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7298) --- Summary of changes: util/domd | 1 - 1 file changed, 1 deletion(-) diff --git a/util/domd b/util/domd index 6eb019e..849e271 100755 --- a/util/domd +++ b/util/domd @@ -11,7 +11,6 @@ if [ "$1" = "-MD" ]; then MAKEDEPEND="$MAKEDEPEND $1" shift done -shift fi if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
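Review bot: the util/domd hunk removes a `shift` that followed the `done` of the `-MD` option loop; since the loop already shifts each argument it consumes, the extra shift discarded the first real argument. A one-line comment above `if [ "$1" = "-MD" ]; then` saying what the loop consumes and what must remain in `$@` afterwards would keep the same mistake from being reintroduced.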
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via fff1da43be2236995cdf5ef2f3e2a51be232ba85 (commit) from 788d2fa0cf38420fd729b336bdb88d5a6e9d68ac (commit) - Log - commit fff1da43be2236995cdf5ef2f3e2a51be232ba85 Author: Nicola Tuveri Date: Fri Sep 7 00:44:36 2018 +0300 Access `group->mont_data` conditionally in EC_GROUP_set_generator() It appears that, in FIPS mode, `ec_precompute_mont_data()` always failed but the error was ignored until commit e3ab8cc from #6810. The actual problem lies in the fact that access to the `mont_data` field of an `EC_GROUP` struct should always be guarded by an `EC_GROUP_VERSION(group)` check to avoid OOB accesses, because `group` might come from the FIPS module, which does not define the `mont_data` field inside the EC_GROUP structure. This commit adds the required check before any access to `group->mont_data` in `EC_GROUP_set_generator()`. Fixes #7127 Reviewed-by: Tim Hudson Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7135) --- Summary of changes: CHANGES| 5 - crypto/ec/ec_lcl.h | 3 +-- crypto/ec/ec_lib.c | 41 + 3 files changed, 34 insertions(+), 15 deletions(-) diff --git a/CHANGES b/CHANGES index bfcd7b3..b574074 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,10 @@ Changes between 1.0.2p and 1.0.2q [xx XXX ] - *) + *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object + Module, accidentally introduced while backporting security fixes from the + development branch and hindering the use of ECC in FIPS mode. + [Nicola Tuveri] Changes between 1.0.2o and 1.0.2p [14 Aug 2018] diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index 969fd14..2d604fa 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h 
@@ -214,7 +214,7 @@ struct ec_group_st { int asn1_flag; /* flag to control the asn1 encoding */ /* * Kludge: upper bit of ans1_flag is used to denote structure - * version. Is set, then last field is present. This is done + * version. If set, then last field is present. This is done * for interoperation with FIPS code. */ #define EC_GROUP_ASN1_FLAG_MASK 0x7fff @@ -549,7 +549,6 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, unsigned char *digit, unsigned char in); #endif -int ec_precompute_mont_data(EC_GROUP *); #ifdef ECP_NISTZ256_ASM /** Returns GFp methods using montgomery multiplication, with x86-64 optimized diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 9337452..df56484 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -70,6 +70,10 @@ const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT; +/* local function prototypes */ + +static int ec_precompute_mont_data(EC_GROUP *group); + /* functions for EC_GROUP objects */ EC_GROUP *EC_GROUP_new(const EC_METHOD *meth) 
@@ -318,17 +322,25 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, } else BN_zero(>cofactor); -/* - * Some groups have an order with - * factors of two, which makes the Montgomery setup fail. - * |group->mont_data| will be NULL in this case. +/*- + * Access to the `mont_data` field of an EC_GROUP struct should always be + * guarded by an EC_GROUP_VERSION(group) check to avoid OOB accesses, as the + * group might come from the FIPS module, which does not define the + * `mont_data` field inside the EC_GROUP structure. */ -if (BN_is_odd(>order)) { -return ec_precompute_mont_data(group); +if (EC_GROUP_VERSION(group)) { +/*- + * Some groups have an order with + * factors of two, which makes the Montgomery setup fail. + * |group->mont_data| will be NULL in this case. + */ +if (BN_is_odd(>order)) +return ec_precompute_mont_data(group); + +BN_MONT_CTX_free(group->mont_data); +group->mont_data = NULL; } -BN_MONT_CTX_free(group->mont_data); -group->mont_data = NULL; return 1; } @@ -1098,18 +1110,23 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group) * been performed */ } -/* +/*- * ec_precompute_mont_data sets |group->mont_data| from |group->order| and * returns one on success. On error it returns zero. + * + * Note: this function must be called only after verifying that + * EC_GROUP_VERSION(group) returns true. + * The reason for this is that access to the `mont_data` field of an EC_GROUP + * struct should always be guarded by an EC_GROUP_VERSION(group) check to avoid + * OOB
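Review bot: in the EC_GROUP_set_generator() hunk, when `EC_GROUP_VERSION(group)` is false the function now returns 1 without touching `mont_data`, which is correct for a group that comes from the FIPS module, but the same success return also covers any non-FIPS group lacking the version bit; state in the comment that such groups simply never get `mont_data` and that every consumer already treats a NULL `mont_data` as "not available". The same explanatory paragraph is pasted twice (here and above ec_precompute_mont_data()); keep one copy and have the other refer to it.

Review bot: the ec_lcl.h hunk removes the external `ec_precompute_mont_data` prototype and ec_lib.c makes the function `static`, so any other translation unit calling it would no longer link; the diffstat shows only CHANGES, ec_lcl.h and ec_lib.c changed, so that appears fine, but the commit message should say explicitly that the function has no callers outside ec_lib.c.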
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 2b872562f56b6039179104657edddac22712d994 (commit) from 7a6d121e9d7bbd3a0db0a7b8020cfa224fe3aaa5 (commit) - Log - commit 2b872562f56b6039179104657edddac22712d994 Author: Manikantan Subramanian Date: Mon Sep 17 18:54:13 2018 -0700 Use gethostbyname_r if available Fixes #7228 The function BIO_get_host_ip uses gethostbyname, which is not thread safe and hence we grab a lock. In multi-threaded applications, this lock sometimes causes performance bottlenecks. This patch uses the function gethostbyname_r (thread safe version), when available. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7250) --- Summary of changes: crypto/bio/b_sock.c | 23 ++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c index 5bad0a2..d32b76b 100644 --- a/crypto/bio/b_sock.c +++ b/crypto/bio/b_sock.c @@ -56,6 +56,9 @@ * [including the GNU Public Licence.] */ +#define _DEFAULT_SOURCE +#define _BSD_SOURCE + #include #include #include @@ -83,6 +86,11 @@ NETDB_DEFINE_CONTEXT static int wsa_init_done = 0; # endif +# if defined(__GLIBC__) +# define HAVE_GETHOSTBYNAME_R +# define GETHOSTNAME_R_BUF (2 * 1024) +# endif + /* * WSAAPI specifier is required to make indirect calls to run-time * linked WinSock 2 functions used in this module, to be specific @@ -116,7 +124,12 @@ int BIO_get_host_ip(const char *str, unsigned char *ip) int i; int err = 1; int locked = 0; -struct hostent *he; +struct hostent *he = NULL; +# ifdef HAVE_GETHOSTBYNAME_R +char buf[GETHOSTNAME_R_BUF]; +struct hostent hostent; +int h_errnop; +# endif i = get_ip(str, ip); if (i < 0) { 
@@ -138,10 +151,18 @@ int BIO_get_host_ip(const char *str, unsigned char *ip) if (i > 0) return (1); +/* if gethostbyname_r is supported, use it. */ +# ifdef HAVE_GETHOSTBYNAME_R +memset(, 0x00, sizeof(hostent)); +/* gethostbyname_r() sets |he| to NULL on error, we check it further down */ +gethostbyname_r(str, , buf, sizeof(buf), , _errnop); +# else /* do a gethostbyname */ CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME); locked = 1; he = BIO_gethostbyname(str); +# endif + if (he == NULL) { BIOerr(BIO_F_BIO_GET_HOST_IP, BIO_R_BAD_HOSTNAME_LOOKUP); goto err; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
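Review bot: in the first b_sock.c hunk `#define _DEFAULT_SOURCE` / `#define _BSD_SOURCE` are placed after the licence block; feature-test macros only take effect if they precede the first system header the translation unit includes, so confirm nothing above them (a config header, for instance) pulls in a libc header first, and add a comment saying they exist to expose the GNU gethostbyname_r() prototype. Keying `HAVE_GETHOSTBYNAME_R` on `__GLIBC__` is appropriate because the six-argument call used below is the glibc signature; a comment noting that other platforms have different gethostbyname_r() signatures would stop someone widening that condition later.

Review bot: in the lookup hunk the return value of gethostbyname_r() and the `h_errnop` it fills are both ignored; `he` is NULL for every failure, so a too-small `GETHOSTNAME_R_BUF` (ERANGE, e.g. a name with many aliases or addresses) is reported as `BIO_R_BAD_HOSTNAME_LOOKUP` exactly like a genuinely unknown host. Check the return value and retry with a larger buffer on ERANGE (or at least document the 2 KiB limit in the comment), and use `h_errnop` to distinguish HOST_NOT_FOUND from TRY_AGAIN. Also, `struct hostent hostent;` reuses the struct tag as the variable name, which is legal but confusing; `struct hostent hbuf;` reads better.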
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 7a6d121e9d7bbd3a0db0a7b8020cfa224fe3aaa5 (commit) from 459b128a2d0382e299b8318979c58cc6ff46fc4a (commit) - Log - commit 7a6d121e9d7bbd3a0db0a7b8020cfa224fe3aaa5 Author: Daniel Bevenius Date: Mon Sep 24 08:43:35 2018 +0200 Document OPENSSL_VERSION_TEXT macro This commit documents the OPENSSL_VERSION_TEXT which is currently missing in the man page. Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7301) (cherry picked from commit 7c69495712e3dc9aa8db38271f0c3faeb2037165) --- Summary of changes: doc/crypto/OPENSSL_VERSION_NUMBER.pod | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/doc/crypto/OPENSSL_VERSION_NUMBER.pod index f7ca7cb..02eabd7 100644 --- a/doc/crypto/OPENSSL_VERSION_NUMBER.pod +++ b/doc/crypto/OPENSSL_VERSION_NUMBER.pod @@ -2,12 +2,14 @@ =head1 NAME -OPENSSL_VERSION_NUMBER, SSLeay, SSLeay_version - get OpenSSL version number +OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT, SSLeay, SSLeay_version +- get OpenSSL version number =head1 SYNOPSIS #include #define OPENSSL_VERSION_NUMBER 0xnL + #define OPENSSL_VERSION_TEXT "OpenSSL x.y.z xx XXX " #include long SSLeay(void); @@ -43,9 +45,12 @@ Version 0.9.5a had an interim interpretation that is like the current one, except the patch level got the highest bit set, to keep continuity. The number was therefore 0x0090581f. - For backward compatibility, SSLEAY_VERSION_NUMBER is also defined. +OPENSSL_VERSION_TEXT is the text variant of the version number and the +release date. For example, +"OpenSSL 1.0.1a 15 Oct 2015". + SSLeay() returns this number. The return value can be compared to the macro to make sure that the correct version of the library has been loaded, especially when using DLLs on Windows systems. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
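Review bot: the added text in OPENSSL_VERSION_NUMBER.pod gives `"OpenSSL 1.0.1a 15 Oct 2015"` as an example of OPENSSL_VERSION_TEXT; that version and that date do not belong together, so either use an obviously made-up placeholder or a real version/date pair. It would also help to say that the string is for display only and varies between release, development and FIPS builds, so version comparisons must use OPENSSL_VERSION_NUMBER (as the existing text already describes for SSLeay()) rather than parsing this text.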
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 459b128a2d0382e299b8318979c58cc6ff46fc4a (commit) from f58001c35f39c50cb4aabcbc234d871ac740c179 (commit) - Log - commit 459b128a2d0382e299b8318979c58cc6ff46fc4a Author: Richard Levitte Date: Fri Sep 21 11:11:15 2018 +0200 crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG This module includes bn.h via other headers, so it picks up the definition from there and doesn't need to define them locally (any more?). Worst case scenario, the redefinition may be different and cause all sorts of compile errors. Fixes #7227 Reviewed-by: Tim Hudson Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7287) (cherry picked from commit dda5396aaec315bdbcb080e42fb5cd0191f2ad72) --- Summary of changes: crypto/bn/asm/x86_64-gcc.c | 6 -- 1 file changed, 6 deletions(-) diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c index 1729b47..aa94a13 100644 --- a/crypto/bn/asm/x86_64-gcc.c +++ b/crypto/bn/asm/x86_64-gcc.c @@ -55,12 +55,6 @@ *machine. */ -# if defined(_WIN64) || !defined(__LP64__) -# define BN_ULONG unsigned long long -# else -# define BN_ULONG unsigned long -# endif - # undef mul # undef mul_add _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
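Review bot: the x86_64-gcc.c hunk relies on BN_ULONG arriving "via other headers", as the commit message puts it; make that dependency explicit with a direct `#include` of the header that defines BN_ULONG next to the deleted block, otherwise a later include reshuffle silently brings back the conflicting local definition this change removes. A one-line comment that BN_ULONG must match the library-wide definition would document why the local definition was wrong.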
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via f58001c35f39c50cb4aabcbc234d871ac740c179 (commit) from 79951b1d4e219f60e474a589f21fc3b38023e8a8 (commit) - Log - commit f58001c35f39c50cb4aabcbc234d871ac740c179 Author: Dr. Matthias St. Pierre Date: Mon Sep 17 17:50:54 2018 +0200 drbg_get_entropy: force a reseed before calling ssleay_rand_bytes() Fixes #7240 In FIPS mode, the default FIPS DRBG uses the drbg_get_entropy() callback to reseed itself, which is provided by the wrapping libcrypto library. This callback in turn uses ssleay_rand_bytes() to generate random bytes. Now ssleay_rand_bytes() calls RAND_poll() once on first call to seed itself, but RAND_poll() is never called again (unless the application calls RAND_poll() explicitly). This implies that whenever the DRBG reseeds itself (which happens every 2^14 generate requests) this happens without obtaining fresh random data from the operating system's entropy sources. This patch forces a reseed from system entropy sources on every call to drbg_get_entropy(). Contrary to the automatic reseeding of the DRBG in master, this reseeding does not break applications running in a chroot() environment (see c7504aeb640a), because the SSLEAY PRNG does not maintain an error state. (It does not even check the return value of RAND_poll() on its instantiation.) In the worst case, if no random device is available for reseeding, no fresh entropy will be added to the SSLEAY PRNG but it will happily continue to generate random bytes as 'entropy' input for the DRBG's reseeding, which is just as good (or bad) as before this patch. To prevent ssleay_rand_bytes_from_system() (and hence RAND_poll()) from being called twice during instantiation, a separate drbg_get_nonce() callback has been introduced, which is identical with the previous implementation of drbg_get_entropy().
Reviewed-by: Paul Dale Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/7259) --- Summary of changes: crypto/rand/md_rand.c | 12 crypto/rand/rand_lcl.h | 2 +- crypto/rand/rand_lib.c | 22 -- 3 files changed, 33 insertions(+), 3 deletions(-) diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index a7af9f9..abca70f 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -555,6 +555,18 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) return (0); } +/* + * Returns ssleay_rand_bytes(), enforcing a reseeding from the + * system entropy sources using RAND_poll() before generating +`* the random bytes. + */ + +int ssleay_rand_bytes_from_system(unsigned char *buf, int num) +{ +initialized = 0; +return ssleay_rand_bytes(buf, num, 0, 0); +} + static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num) { return ssleay_rand_bytes(buf, num, 0, 1); diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h index f9fda3e..10ccdf0 100644 --- a/crypto/rand/rand_lcl.h +++ b/crypto/rand/rand_lcl.h @@ -154,5 +154,5 @@ # endif int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock); - +int ssleay_rand_bytes_from_system(unsigned char *buf, int num); #endif diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 88a78d3..6094c83 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -185,7 +185,7 @@ int RAND_status(void) /* * Entropy gatherer: use standard OpenSSL PRNG to seed (this will gather - * entropy internally through RAND_poll(). + * entropy internally through RAND_poll()). */ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout, 
@@ -196,6 +196,24 @@ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout, *pout = OPENSSL_malloc(min_len); if (!*pout) return 0; + +/* Enforces a reseed of the SSLEAY PRNG before generating random bytes */ +if (ssleay_rand_bytes_from_system(*pout, min_len) <= 0) { +OPENSSL_free(*pout); +*pout = NULL; +return 0; +} +return min_len; +} + +static size_t drbg_get_nonce(DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ +/* Round up request to multiple of block size */ +min_len = ((min_len + 19) / 20) * 20; +*pout = OPENSSL_malloc(min_len); +if (!*pout) +return 0; if (ssleay_rand_bytes(*pout, min_len, 0, 0) <= 0) { OPENSSL_free(*pout); *pout = NULL; @@ -281,7 +299,7 @@ int RAND_init_fips(void) FIPS_drbg_set_callbacks(dctx, drbg_get_entropy, drbg_free_entropy, 20, -drbg_get_entropy, drbg_free_entropy); +
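Review bot: in the md_rand.c hunk, ssleay_rand_bytes_from_system() clears the global `initialized` flag with no lock held and then calls ssleay_rand_bytes() with lock=0, so any concurrent user of the default RAND method can race with the reset and with the RAND_poll() it triggers on the next call; either state in a comment which lock the caller is expected to hold at this point, or take the RAND lock around the reset. The comment line `+\`* the random bytes.` also carries a stray backtick that should be a plain `*`.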
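Review bot: in the rand_lib.c hunk, drbg_get_nonce() repeats the block-size rounding and OPENSSL_malloc() of drbg_get_entropy() line for line, with only the final call differing; a shared helper taking the generator function would keep the two from drifting apart. Since ssleay_rand_bytes_from_system() discards the outcome of RAND_poll() (as the commit message acknowledges), drbg_get_entropy() still reports min_len bytes of "entropy" even when nothing fresh was gathered from the system; a comment at the `ssleay_rand_bytes_from_system(*pout, min_len)` call recording that accepted limitation would help the next reader.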
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 79951b1d4e219f60e474a589f21fc3b38023e8a8 (commit) from 5a6fbf616e1da3ac8c8bc6a30dbcd9844f6726c7 (commit) - Log - commit 79951b1d4e219f60e474a589f21fc3b38023e8a8 Author: Richard Levitte Date: Wed Sep 19 21:33:45 2018 +0200 crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too These both indicate that the file descriptor we're trying to use as a terminal isn't, in fact, a terminal. Fixes #7271 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7272) (cherry picked from commit 276bf8620ce35a613c856f2b70348f65ffe94067) (cherry picked from commit ad1730359220cef5903d16c7f58b602fc3713414) --- Summary of changes: crypto/ui/ui_openssl.c | 18 ++ 1 file changed, 18 insertions(+) diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c index 1ad0cfc..4b4eb81 100644 --- a/crypto/ui/ui_openssl.c +++ b/crypto/ui/ui_openssl.c @@ -509,6 +509,24 @@ static int open_console(UI *ui) is_a_tty = 0; else # endif +# ifdef ENXIO +/* + * Solaris can return ENXIO. + * This should be ok + */ +if (errno == ENXIO) +is_a_tty = 0; +else +# endif +# ifdef EIO +/* + * Linux can return EIO. + * This should be ok + */ +if (errno == EIO) +is_a_tty = 0; +else +# endif # ifdef ENODEV /* * MacOS X returns ENODEV (Operation not supported by device), _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
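Review bot: the two new `# ifdef ENXIO` and `# ifdef EIO` blocks each end in a dangling `else` that pairs with whatever `if` the next enabled block supplies, so the chain stays well-formed only while the terminating block after `# ifdef ENODEV` always contributes a statement; a one-line comment on that convention is worth more than the two "This should be ok" remarks, which should instead name the call whose errno is being examined, since the test is only meaningful if errno still holds that call's value.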
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 5a6fbf616e1da3ac8c8bc6a30dbcd9844f6726c7 (commit) from fb953d29b1775017c435000f180b75588684 (commit) - Log - commit 5a6fbf616e1da3ac8c8bc6a30dbcd9844f6726c7 Author: Bernd Edlinger Date: Mon Sep 10 14:18:23 2018 +0200 Make the config script fail with an error code if Configure failed Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7166) (cherry picked from commit e13dc23cc0fd64c304c25a67d5fa516a77f9e8f1) --- Summary of changes: config | 1 + 1 file changed, 1 insertion(+) diff --git a/config b/config index 21534e0..6214c4b 100755 --- a/config +++ b/config @@ -992,5 +992,6 @@ if [ $? = "0" ]; then fi else echo "This system ($OUT) is not supported. See file INSTALL for details." + exit 1 fi ) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
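Review bot: the added `exit 1` runs inside the subshell whose closing `)` is the last context line of the hunk, so it sets only the subshell's exit status; `config` as a whole reports failure only if that subshell is the script's final command or its status is propagated afterwards. Confirm that nothing after `)` resets `$?`, and consider `|| exit 1` on the subshell if callers rely on the script's own status, since the commit message promises an error code from the script itself.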
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via fb953d29b1775017c435000f180b75588684 (commit) from 4a98bb0068cae9fbe5c6a6e513093d41969dad58 (commit) - Log - commit fb953d29b1775017c435000f180b75588684 Author: Richard Levitte Date: Thu Sep 6 09:35:39 2018 +0200 CAPI engine: add support for RSA_NO_PADDING Since the SSL code started using RSA_NO_PADDING, the CAPI engine became unusable. This change fixes that. Fixes #7131 Reviewed-by: Bernd Edlinger Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7132) --- Summary of changes: engines/e_capi.c | 32 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/engines/e_capi.c b/engines/e_capi.c index 8c08872..814a325 100644 --- a/engines/e_capi.c +++ b/engines/e_capi.c @@ -900,6 +900,8 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from, unsigned char *tmpbuf; CAPI_KEY *capi_key; CAPI_CTX *ctx; +DWORD flags = 0; + ctx = ENGINE_get_ex_data(rsa->engine, capi_idx); CAPI_trace(ctx, "Called capi_rsa_priv_dec()\n"); @@ -910,12 +912,23 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from, return -1; } -if (padding != RSA_PKCS1_PADDING) { -char errstr[10]; -BIO_snprintf(errstr, 10, "%d", padding); -CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING); -ERR_add_error_data(2, "padding=", errstr); -return -1; +switch (padding) { +case RSA_PKCS1_PADDING: +/* Nothing to do */ +break; +#ifdef CRYPT_DECRYPT_RSA_NO_PADDING_CHECK +case RSA_NO_PADDING: +flags = CRYPT_DECRYPT_RSA_NO_PADDING_CHECK; +break; +#endif +default: +{ +char errstr[10]; +BIO_snprintf(errstr, 10, "%d", padding); +CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING); +ERR_add_error_data(2, "padding=", errstr); +return -1; +} } /* Create temp reverse order version of input */ 
@@ -927,14 +940,17 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from, tmpbuf[flen - i - 1] = from[i]; /* Finally decrypt it */ -if (!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, )) { +if (!CryptDecrypt(capi_key->key, 0, TRUE, flags, tmpbuf, )) { CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR); capi_addlasterror(); +OPENSSL_cleanse(tmpbuf, flen); OPENSSL_free(tmpbuf); return -1; -} else +} else { memcpy(to, tmpbuf, flen); +} +OPENSSL_cleanse(tmpbuf, flen); OPENSSL_free(tmpbuf); return flen; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
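Review bot: in the switch hunk, RSA_NO_PADDING is accepted only `#ifdef CRYPT_DECRYPT_RSA_NO_PADDING_CHECK`, so a build against an SDK that lacks that flag keeps rejecting it with CAPI_R_UNSUPPORTED_PADDING and the SSL code that motivated this change remains unusable there; a build-time warning or at least a comment naming the missing flag would make that failure mode visible instead of a runtime error code.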
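Review bot: in the CryptDecrypt hunk, the success path still copies and returns `flen` bytes for both padding modes, so with RSA_NO_PADDING the caller receives the raw modulus-length block and is responsible for interpreting it; a comment above `memcpy(to, tmpbuf, flen)` stating that would help. The OPENSSL_cleanse() calls added on both the error and the success path are right, since tmpbuf holds the reversed ciphertext and then the plaintext.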
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 4a98bb0068cae9fbe5c6a6e513093d41969dad58 (commit) from 6e873259029939657a297e9fe451196df4e3da48 (commit) - Log - commit 4a98bb0068cae9fbe5c6a6e513093d41969dad58 Author: Matt Caswell Date: Mon Sep 10 16:23:14 2018 +0100 Check the return value from ASN1_INTEGER_set Found by Coverity Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7169) (cherry picked from commit 512d811719fc955f574090af4c3586a9aba46fa7) --- Summary of changes: crypto/pkcs12/p12_init.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/pkcs12/p12_init.c b/crypto/pkcs12/p12_init.c index 0322df9..8275a23 100644 --- a/crypto/pkcs12/p12_init.c +++ b/crypto/pkcs12/p12_init.c @@ -70,7 +70,8 @@ PKCS12 *PKCS12_init(int mode) PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE); return NULL; } -ASN1_INTEGER_set(pkcs12->version, 3); +if (!ASN1_INTEGER_set(pkcs12->version, 3)) +goto err; pkcs12->authsafes->type = OBJ_nid2obj(mode); switch (mode) { case NID_pkcs7_data: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
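Review bot: the new `goto err` relies on an `err:` label in PKCS12_init() that frees the partially built `pkcs12`, and neither the label nor its cleanup is in the hunk; the malloc failure just above uses PKCS12err() followed by `return NULL`, so it is worth confirming that the err path also raises a PKCS12-layer error, otherwise an ASN1_INTEGER_set() failure surfaces with only the ASN1 error on the stack.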
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 6e873259029939657a297e9fe451196df4e3da48 (commit) from 62025a4590baef6fc44ae36c6f90d233a79d36e9 (commit) - Log - commit 6e873259029939657a297e9fe451196df4e3da48 Author: Richard Levitte Date: Mon Sep 3 13:17:03 2018 +0200 openssl req: don't try to report bits With the introduction of -pkeyopt, the number of bits may change without |newkey| being updated. Unfortunately, there is no API to retrieve the information from a EVP_PKEY_CTX either, so chances are that we report incorrect information. For the moment, it's better not to try to report the number of bits at all. Fixes #7086 Reviewed-by: Paul Yang Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7096) (cherry picked from commit 17147181bd3f97c53592e2a5c9319b854b954039) --- Summary of changes: apps/req.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apps/req.c b/apps/req.c index 7fcab18..5422cac 100644 --- a/apps/req.c +++ b/apps/req.c @@ -659,8 +659,7 @@ int MAIN(int argc, char **argv) } } -BIO_printf(bio_err, "Generating a %ld bit %s private key\n", - newkey, keyalgstr); +BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr); EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); EVP_PKEY_CTX_set_app_data(genctx, bio_err); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
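Review bot: with the `%ld` gone, `newkey` no longer appears in this statement; check that its remaining uses still justify computing it on this path (an unused-but-set warning would otherwise appear), and consider noting in the commit message that the bit count is still passed to key generation and is only no longer reported, so a later reader does not mistake this for a change in the generated key size.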
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 62025a4590baef6fc44ae36c6f90d233a79d36e9 (commit) from 85d5a4e125bf6597e1663658fac51092b8f40a44 (commit) - Log - commit 62025a4590baef6fc44ae36c6f90d233a79d36e9 Author: Richard Levitte Date: Tue Sep 4 12:05:39 2018 +0200 VMS: add missing x509_time test to test scripts Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7112) --- Summary of changes: test/maketests.com | 2 +- test/tests.com | 8 +++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/test/maketests.com b/test/maketests.com index f4e418b..c0e1730 100644 --- a/test/maketests.com +++ b/test/maketests.com @@ -151,7 +151,7 @@ $ TEST_FILES = "BNTEST,ECTEST,ECDSATEST,ECDHTEST,IDEATEST,"+ - "ASN1TEST,V3NAMETEST,HEARTBEAT_TEST,"+ - "CONSTANT_TIME_TEST,VERIFY_EXTRA_TEST,"+ - "CLIENTHELLOTEST,SSLV2CONFTEST,DTLSTEST,"+ - - "BAD_DTLS_TEST,FATALERRTEST" + "BAD_DTLS_TEST,FATALERRTEST,X509_TIME_TEST" $! $! Additional directory information. $ T_D_BNTEST := [-.crypto.bn] diff --git a/test/tests.com b/test/tests.com index 27b01b6..21867bf 100644 --- a/test/tests.com +++ b/test/tests.com @@ -58,7 +58,7 @@ $ tests := - test_ss,test_ca,test_engine,test_evp,test_evp_extra,test_ssl,test_tsa,test_ige,- test_jpake,test_srp,test_cms,test_ocsp,test_v3name,test_heartbeat,- test_constant_time,test_verify_extra,test_clienthello,test_sslv2conftest,- - test_dtls,test_bad_dtls,test_fatalerr + test_dtls,test_bad_dtls,test_fatalerr,test_x509_time $ endif $ tests = f$edit(tests,"COLLAPSE") $ @@ -107,6 +107,7 @@ $ BADDTLSTEST := bad_dtls_test $ SSLV2CONFTEST :=sslv2conftest $ DTLSTEST := dtlstest $ FATALERRTEST := fatalerrtest +$ X509TIMETEST := x509_time_test $! $ tests_i = 0 $ loop_tests: 
@@ -415,6 +416,11 @@ $ write sys$output "''START' test_fatalerrtest" $ mcr 'texe_dir''fatalerrtest' 'ROOT'.APPS]server.pem 'ROOT'.APPS]server.pem $ return $ +$ test_x509_time: +$ write sys$output "''START' test_x509_time" +$ mcr 'texe_dir''x509timetest' +$ return +$ $ test_sslv2conftest: $ write sys$output "''START' test_sslv2conftest" $ mcr 'texe_dir''sslv2conftest' _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
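Review bot: the new test_x509_time target runs `mcr 'texe_dir''x509timetest'` with no arguments, unlike test_fatalerrtest directly above, which is handed server.pem twice; confirm that x509_time_test in this branch needs no input files. The symbol lookup from `X509TIMETEST := x509_time_test` follows the `SSLV2CONFTEST`/`'sslv2conftest'` pattern already in the file, so the naming is consistent.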
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 85d5a4e125bf6597e1663658fac51092b8f40a44 (commit) from 3c55cb200a416fa796f117410c189c577b57a36f (commit) - Log - commit 85d5a4e125bf6597e1663658fac51092b8f40a44 Author: Matt Caswell Date: Thu Aug 23 11:37:22 2018 +0100 Clarify the EVP_DigestSignInit docs They did not make it clear how the memory management works for the |pctx| parameter. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7043) --- Summary of changes: doc/crypto/EVP_DigestSignInit.pod | 7 +-- doc/crypto/EVP_DigestVerifyInit.pod | 7 +-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/doc/crypto/EVP_DigestSignInit.pod b/doc/crypto/EVP_DigestSignInit.pod index 83e6589..7a3e84d 100644 --- a/doc/crypto/EVP_DigestSignInit.pod +++ b/doc/crypto/EVP_DigestSignInit.pod @@ -19,9 +19,12 @@ The EVP signature routines are a high level interface to digital signatures. EVP_DigestSignInit() sets up signing context B to use digest B from ENGINE B and private key B. B must be initialized with -EVP_MD_CTX_init() before calling this function. If B is not NULL the +EVP_MD_CTX_init() before calling this function. If B is not NULL, the EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can -be used to set alternative signing options. +be used to set alternative signing options. Note that any existing value in +B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be freed +directly by the application (it will be freed automatically when the EVP_MD_CTX +is freed). The digest B may be NULL if the signing algorithm supports it. EVP_DigestSignUpdate() hashes B bytes of data at B into the signature context B. This function can be called several times on the diff --git a/doc/crypto/EVP_DigestVerifyInit.pod b/doc/crypto/EVP_DigestVerifyInit.pod index 347c511..2e2c0fd 100644 --- a/doc/crypto/EVP_DigestVerifyInit.pod +++ b/doc/crypto/EVP_DigestVerifyInit.pod 
@@ -19,9 +19,12 @@ The EVP signature routines are a high level interface to digital signatures. EVP_DigestVerifyInit() sets up verification context B to use digest B from ENGINE B and public key B. B must be initialized -with EVP_MD_CTX_init() before calling this function. If B is not NULL the +with EVP_MD_CTX_init() before calling this function. If B is not NULL, the EVP_PKEY_CTX of the verification operation will be written to B<*pctx>: this -can be used to set alternative verification options. +can be used to set alternative verification options. Note that any existing +value in B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be +freed directly by the application (it will be freed automatically when the +EVP_MD_CTX is freed). EVP_DigestVerifyUpdate() hashes B bytes of data at B into the verification context B. This function can be called several times on the _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
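Review bot: the added text says the EVP_PKEY_CTX must not be freed by the application but not when the pointer stops being valid; since it is owned by the EVP_MD_CTX, `*pctx` also dangles once the EVP_MD_CTX is cleaned up or re-initialised, and saying so explicitly would close the gap. The same sentence is duplicated almost verbatim in EVP_DigestSignInit.pod and EVP_DigestVerifyInit.pod; a cross-reference from one to the other would keep them from drifting.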
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 3c55cb200a416fa796f117410c189c577b57a36f (commit) from e121d5c7e7d1178d53fea3ffbfa37e2d3b2edc08 (commit) - Log - commit 3c55cb200a416fa796f117410c189c577b57a36f Author: Jakub Wilk Date: Mon Sep 3 11:09:51 2018 +0200 Fix example in crl(1) man page The default input format is PEM, so explicit "-inform DER" is needed to read DER-encoded CRL. CLA: trivial Reviewed-by: Paul Yang Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7094) (cherry picked from commit 785e614a95a134831f213749332bcf40c4920f69) (cherry picked from commit e25fc6b5b2b99ed02f8966192c94c820b6f69add) --- Summary of changes: doc/apps/crl.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod index cdced1c..92efbf4 100644 --- a/doc/apps/crl.pod +++ b/doc/apps/crl.pod @@ -115,7 +115,7 @@ Convert a CRL file from PEM to DER: Output the text form of a DER encoded certificate: - openssl crl -in crl.der -text -noout + openssl crl -in crl.der -inform DER -text -noout =head1 BUGS _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
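Review bot: the context line above the fixed command still reads "Output the text form of a DER encoded certificate:" although the example, and the whole crl(1) page, is about a CRL; since this example is being corrected anyway, the heading should say "DER encoded CRL".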
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via e121d5c7e7d1178d53fea3ffbfa37e2d3b2edc08 (commit) from 78ca7b7b319c7027310c56eaa05b8c295624a357 (commit) - Log - commit e121d5c7e7d1178d53fea3ffbfa37e2d3b2edc08 Author: Matt Caswell Date: Thu Aug 9 16:25:29 2018 +0100 The req documentation incorrectly states that we default to md5 Just remove that statement. It's not been true since 2005. Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/6906) --- Summary of changes: doc/apps/req.pod | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/apps/req.pod b/doc/apps/req.pod index 20b2f39..01c1c2e 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -393,8 +393,7 @@ option. For compatibility B is an equivalent option. =item B This option specifies the digest algorithm to use. Possible values -include B. If not present then MD5 is used. This -option can be overridden on the command line. +include B. This option can be overridden on the command line. =item B _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
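Review bot: removing the MD5 sentence leaves the `default_md` description with no stated default at all, so a reader who came here to learn what is used when the option is absent now gets no answer; either name the digest this branch actually defaults to, or point at the command-line digest option where that default is documented.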
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 78ca7b7b319c7027310c56eaa05b8c295624a357 (commit) from e24892ef83da5c363d39b52d0b459a26740b1ade (commit) - Log - commit 78ca7b7b319c7027310c56eaa05b8c295624a357 Author: Pauli Date: Mon Sep 3 07:37:38 2018 +1000 Check the return from BN_sub() in BN_X931_generate_Xpq(). Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7088) (cherry picked from commit 6bcfcf16bf6aef4f9ec267d8b86ae1bffd8deab9) --- Summary of changes: crypto/bn/bn_x931p.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c index f444af3..116620a 100644 --- a/crypto/bn/bn_x931p.c +++ b/crypto/bn/bn_x931p.c @@ -223,8 +223,10 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) for (i = 0; i < 1000; i++) { if (!BN_rand(Xq, nbits, 1, 0)) goto err; + /* Check that |Xp - Xq| > 2^(nbits - 100) */ -BN_sub(t, Xp, Xq); +if (!BN_sub(t, Xp, Xq)) +goto err; if (BN_num_bits(t) > (nbits - 100)) break; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
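Review bot: the return check is the right fix; while here, the comment `Check that |Xp - Xq| > 2^(nbits - 100)` holds only because BN_num_bits() ignores the sign of `t` when Xq > Xp, and a few words saying so would spare the next reader verifying it. The hunk also does not show what happens when the 1000-iteration loop exhausts without a `break`; worth confirming that path returns an error rather than proceeding with an Xq too close to Xp.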
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via e24892ef83da5c363d39b52d0b459a26740b1ade (commit) from bc251459adc14a1a56d0cbe2d372f3d6ffd20cf8 (commit) - Log - commit e24892ef83da5c363d39b52d0b459a26740b1ade Author: Eric Brown Date: Thu Aug 16 08:34:39 2018 -0700 Remove redundant ASN1_INTEGER_set call This trivial patch removes a duplicated call to ASN1_INTEGER_set. Fixes Issue #6977 Signed-off-by: Eric Brown Reviewed-by: Richard Levitte Reviewed-by: Andy Polyakov Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6984) (cherry picked from commit 59701e6363531cddef5b2114c0127b8453deb1f3) --- Summary of changes: crypto/pkcs7/pk7_lib.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 0c5fcaa..866a863 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -185,7 +185,6 @@ int PKCS7_set_type(PKCS7 *p7, int type) if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new()) == NULL) goto err; -ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1); if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1)) goto err; p7->d.signed_and_enveloped->enc_data->content_type _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via bc251459adc14a1a56d0cbe2d372f3d6ffd20cf8 (commit) via b6f773b8d6c41e86c107b57dabc637c91884150e (commit) via f9381fd323303316282331a8cced6e030e809794 (commit) via 387d170b32ceeac450bfa50b81db9db9179dc880 (commit) from 19096672b48b3282bb9f11c4adadbcdd545f54a3 (commit) - Log - commit bc251459adc14a1a56d0cbe2d372f3d6ffd20cf8 Author: Andy Polyakov Date: Wed Aug 15 15:46:35 2018 +0200 bn/bn_lib.c: conceal even memory access pattern in bn2binpad. (cherry picked from commit 324b95605225410763fe63f7cff36eb46ca54ee9) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6942) commit b6f773b8d6c41e86c107b57dabc637c91884150e Author: Andy Polyakov Date: Mon Aug 13 16:59:08 2018 +0200 bn/bn_blind.c: use Montgomery multiplication when possible. (cherry picked from commit e02c519cd32a55e6ad39a0cfbeeda775f9115f28) Resolved conflicts: crypto/bn/bn_blind.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6942) commit f9381fd323303316282331a8cced6e030e809794 Author: Andy Polyakov Date: Mon Aug 13 20:20:28 2018 +0200 rsa/rsa_eay.c: implement variant of "Smooth CRT-RSA." In [most common] case of p and q being of same width, it's possible to replace CRT modulo operations with Montgomery reductions. And those are even fixed-length Montgomery reductions... (cherry picked from commit 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59) Resolved conflicts: crypto/rsa/rsa_eay.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6942) commit 387d170b32ceeac450bfa50b81db9db9179dc880 Author: Andy Polyakov Date: Fri Aug 10 19:31:22 2018 +0200 crypto/bn: add more fixed-top routines. Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top. Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove memset in bn_from_montgomery_word.
(cherry picked from commit fcc4ee09473cac511eca90faa003661c7786e4f9) Resolved conflicts: crypto/bn/bn_mod.c crypto/bn_int.h Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6942) --- Summary of changes: crypto/bn/bn_blind.c | 63 ++-- crypto/bn/bn_lib.c | 34 - crypto/bn/bn_mod.c | 67 +- crypto/bn/bn_mont.c | 29 ++- crypto/bn/bn_mul.c | 12 +- crypto/bn/bn_sqr.c | 12 +- crypto/bn_int.h | 6 +++ crypto/rsa/rsa_eay.c | 101 ++- 8 files changed, 264 insertions(+), 60 deletions(-) diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index d448daa..40e1bb6 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -206,10 +206,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx) if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) goto err; } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) { -if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) -goto err; -if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)) -goto err; +if (b->m_ctx != NULL) { +if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx) +|| !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx)) +goto err; +} else { +if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx) +|| !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) +goto err; +} } ret = 1; @@ -241,13 +246,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) else if (!BN_BLINDING_update(b, ctx)) return (0); -if (r != NULL) { -if (!BN_copy(r, b->Ai)) -ret = 0; -} +if (r != NULL && (BN_copy(r, b->Ai) == NULL)) +return 0; -if (!BN_mod_mul(n, n, b->A, b->mod, ctx)) -ret = 0; +if (b->m_ctx != NULL) +ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx); +else +ret = BN_mod_mul(n, n, b->A, b->mod, ctx); return ret; } 
@@ -264,14 +269,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, bn_check_top(n); -if (r != NULL) -ret = BN_mod_mul(n, n, r, b->mod, ctx); -else { -if (b->Ai == NULL) { -BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); -return (0); +if (r == NULL && (r = b->Ai) == NULL) { +BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); +return 0; +} + +if (b->m_ctx != NULL) { +/* ensure that BN_mod_mul_montgomery takes
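Review bot: in the BN_BLINDING_update() hunk, squaring b->A and b->Ai with bn_mul_mont_fixed_top() whenever b->m_ctx is set is only correct if both values are held in Montgomery form from the moment BN_BLINDING_create_param() produces them; that representation invariant is stated nowhere in the hunk and belongs in a comment on the struct fields, together with the note that the values are now fixed-top (not normalised) and must not be passed to routines that assume bn_check_top().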
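Review bot: in the BN_BLINDING_convert_ex() hunk, behaviour on BN_copy() failure changes: before, `ret = 0` was recorded but `n` was still multiplied by b->A; now the function returns 0 before touching `n`. That is the safer behaviour but deserves a line in the commit message. Also, `r` receives b->Ai through BN_copy(), which copies the fixed-top value as is; confirm that every caller feeding `r` back into BN_BLINDING_invert_ex() tolerates a non-normalised top.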
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 19096672b48b3282bb9f11c4adadbcdd545f54a3 (commit) from 9804228a4313fcdff1cface0f87ce8b8ed180259 (commit) - Log - commit 19096672b48b3282bb9f11c4adadbcdd545f54a3 Author: Hubert Kario Date: Mon Aug 27 21:21:18 2018 +0800 document the -no_ecdhe option in s_server man page the option is provided in the -help message of the s_server utility but it is not documented in the man page, this fixes it Reviewed-by: Nicola Tuveri Reviewed-by: Tim Hudson Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/7046) --- Summary of changes: doc/apps/s_server.pod | 6 ++ 1 file changed, 6 insertions(+) diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 9916fc3..84777ee 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -49,6 +49,7 @@ B B [B<-no_ssl3>] [B<-no_tls1>] [B<-no_dhe>] +[B<-no_ecdhe>] [B<-bugs>] [B<-hack>] [B<-www>] @@ -144,6 +145,11 @@ a static set of parameters hard coded into the s_server program will be used. if this option is set then no DH parameters will be loaded effectively disabling the ephemeral DH cipher suites. +=item B<-no_ecdhe> + +if this option is set then no ECDH parameters will be selected, effectively +disabling the ephemeral ECDH cipher suites. + =item B<-no_tmp_rsa> certain export cipher suites sometimes use a temporary RSA key, this option _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 9804228a4313fcdff1cface0f87ce8b8ed180259 (commit) from 8297ab58008e01f4b86c1b168118aaa3bb882234 (commit) - Log - commit 9804228a4313fcdff1cface0f87ce8b8ed180259 Author: Andy Polyakov Date: Sun Jul 29 14:13:32 2018 +0200 x509v3/v3_purp.c: resolve Thread Sanitizer nit. Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/6916) (cherry picked from commit 0da7358b0757fa35f2c3a8f51fa036466ae50fd7) Resolved conflicts: crypto/x509v3/v3_purp.c --- Summary of changes: crypto/x509v3/v3_purp.c | 4 1 file changed, 4 deletions(-) diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 7080a51..6d3aa8f 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -396,12 +396,8 @@ static void x509v3_cache_extensions(X509 *x) ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; - int i; -if (x->ex_flags & EXFLAG_SET) -return; - CRYPTO_w_lock(CRYPTO_LOCK_X509); if (x->ex_flags & EXFLAG_SET) { CRYPTO_w_unlock(CRYPTO_LOCK_X509); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
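Review bot: dropping the unlocked `if (x->ex_flags & EXFLAG_SET) return;` fast path is the right fix for the race, but every call now takes CRYPTO_LOCK_X509 for writing even when the extensions are already cached; a comment at the locked check saying that the flag may only be read under the lock would stop a later optimisation from reintroducing the unsynchronised read. The hunk also removes `int i;`; confirm no use of it remains in the function.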
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 8297ab58008e01f4b86c1b168118aaa3bb882234 (commit) via e71ebf275da66dfd601c92e0e80a35114c32f6f8 (commit) via b9dd4b9eac68181660a43a3b7f7da0f2b84bb6f9 (commit) from 2d2fe4244eb554c9f5d3841830d0be3c7e16fb86 (commit) - Log - commit 8297ab58008e01f4b86c1b168118aaa3bb882234 Author: Matt Caswell Date: Tue Aug 14 14:01:59 2018 +0100 Prepare for 1.0.2q-dev Reviewed-by: Richard Levitte commit e71ebf275da66dfd601c92e0e80a35114c32f6f8 Author: Matt Caswell Date: Tue Aug 14 14:01:02 2018 +0100 Prepare for 1.0.2p release Reviewed-by: Richard Levitte commit b9dd4b9eac68181660a43a3b7f7da0f2b84bb6f9 Author: Matt Caswell Date: Tue Aug 14 14:01:02 2018 +0100 make update Reviewed-by: Richard Levitte --- Summary of changes: CHANGES | 6 - NEWS | 6 - README| 2 +- TABLE | 2 +- crypto/bn/Makefile| 71 +-- crypto/ecdsa/Makefile | 2 +- crypto/opensslv.h | 6 ++--- crypto/rsa/Makefile | 2 +- openssl.spec | 2 +- test/Makefile | 7 ++--- 10 files changed, 66 insertions(+), 40 deletions(-) diff --git a/CHANGES b/CHANGES index b25db02..bfcd7b3 100644 --- a/CHANGES +++ b/CHANGES @@ -7,7 +7,11 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. - Changes between 1.0.2o and 1.0.2p [xx XXX ] + Changes between 1.0.2p and 1.0.2q [xx XXX ] + + *) + + Changes between 1.0.2o and 1.0.2p [14 Aug 2018] *) Client DoS due to large DH parameter diff --git a/NEWS b/NEWS index 7cf369a..2c5f5f8 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [under development] + Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [under development] + + o + + Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018] o Client DoS due to large DH parameter (CVE-2018-0732) o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) 
diff --git a/README b/README index e22d9ab..3f5f81e 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.2p-dev + OpenSSL 1.0.2q-dev Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/TABLE b/TABLE index 6163530..47bdbf8 100644 --- a/TABLE +++ b/TABLE @@ -444,7 +444,7 @@ $multilib = *** MPE/iX-gcc $cc = gcc -$cflags = -D_ENDIAN -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB +$cflags = -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB $unistd = $thread_cflag = (unknown) $sys_id = MPE diff --git a/crypto/bn/Makefile b/crypto/bn/Makefile index 20e8ef0..9fc4447 100644 --- a/crypto/bn/Makefile +++ b/crypto/bn/Makefile 
@@ -197,21 +197,24 @@ bn_add.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_add.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_add.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -bn_add.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_add.c bn_lcl.h +bn_add.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_add.c +bn_add.o: bn_lcl.h bn_asm.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_asm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_asm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_asm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -bn_asm.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_asm.c bn_lcl.h +bn_asm.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_asm.c +bn_asm.o: bn_lcl.h bn_blind.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_blind.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_blind.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_blind.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -bn_blind.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_blind.c bn_lcl.h +bn_blind.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h +bn_blind.o: bn_blind.c bn_lcl.h bn_const.o:
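Review bot: the TABLE hunk drops `-D_ENDIAN` from the MPE/iX-gcc `$cflags`; TABLE is regenerated by `make update`, so this presumably mirrors Configure, but it is a behavioural change for that target buried in a release-preparation commit and deserves a line in the commit message. The empty `*)` and `o` placeholders added to CHANGES and NEWS for 1.0.2q follow the usual convention.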
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 2d2fe4244eb554c9f5d3841830d0be3c7e16fb86 (commit) from c24e2f1891c147be3c6e277cf09f2bee486a7812 (commit) - Log - commit 2d2fe4244eb554c9f5d3841830d0be3c7e16fb86 Author: Richard Levitte Date: Tue Aug 14 14:52:49 2018 +0200 i2d_ASN1_BOOLEAN(): correct error module Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6957) --- Summary of changes: crypto/asn1/a_bool.c | 2 +- crypto/asn1/asn1.h | 1 + crypto/asn1/asn1_err.c | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/asn1/a_bool.c b/crypto/asn1/a_bool.c index 98454f3..3bf676e 100644 --- a/crypto/asn1/a_bool.c +++ b/crypto/asn1/a_bool.c @@ -71,7 +71,7 @@ int i2d_ASN1_BOOLEAN(int a, unsigned char **pp) if (*pp == NULL) { if ((p = allocated = OPENSSL_malloc(r)) == NULL) { -ASN1err(ASN1_F_I2D_ASN1_OBJECT, ERR_R_MALLOC_FAILURE); +ASN1err(ASN1_F_I2D_ASN1_BOOLEAN, ERR_R_MALLOC_FAILURE); return 0; } } else { diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index 0515292..36e79d5 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -1267,6 +1267,7 @@ void ERR_load_ASN1_strings(void); # define ASN1_F_D2I_X509_PKEY 159 # define ASN1_F_DO_BUF221 # define ASN1_F_I2D_ASN1_BIO_STREAM 211 +# define ASN1_F_I2D_ASN1_BOOLEAN 223 # define ASN1_F_I2D_ASN1_OBJECT 222 # define ASN1_F_I2D_ASN1_SET 188 # define ASN1_F_I2D_ASN1_TIME 160 diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 475e80a..9e273dc 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c 
@@ -168,6 +168,7 @@ static ERR_STRING_DATA ASN1_str_functs[] = { {ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"}, {ERR_FUNC(ASN1_F_DO_BUF), "DO_BUF"}, {ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"}, +{ERR_FUNC(ASN1_F_I2D_ASN1_BOOLEAN), "i2d_ASN1_BOOLEAN"}, {ERR_FUNC(ASN1_F_I2D_ASN1_OBJECT), "i2d_ASN1_OBJECT"}, {ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"}, {ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"}, _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
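Review bot: asn1.h and asn1_err.c are normally regenerated by `make errors` rather than edited by hand; the new code 223 follows `ASN1_F_I2D_ASN1_OBJECT 222` and the "i2d_ASN1_BOOLEAN" string matches the neighbouring entries, but it is worth confirming that a fresh `make errors` run produces exactly this output so the next regeneration does not renumber or reorder the entry.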
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via c24e2f1891c147be3c6e277cf09f2bee486a7812 (commit) from 0698c33a7b18a52a41de6800d1d2839fea540af5 (commit) - Log - commit c24e2f1891c147be3c6e277cf09f2bee486a7812 Author: Matt Caswell Date: Tue Aug 14 13:29:02 2018 +0100 Update copyright year Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6955) --- Summary of changes: README | 2 +- apps/apps.c | 2 +- apps/ocsp.c | 2 +- apps/s_apps.h| 2 +- apps/s_client.c | 2 +- apps/s_server.c | 2 +- crypto/asn1/a_strex.c| 2 +- crypto/asn1/ameth_lib.c | 2 +- crypto/asn1/tasn_enc.c | 2 +- crypto/bio/bss_log.c | 2 +- crypto/bn/bn.h | 2 +- crypto/bn/bn_gf2m.c | 2 +- crypto/bn/bn_lcl.h | 2 +- crypto/bn/bn_mod.c | 2 +- crypto/dh/dh_pmeth.c | 2 +- crypto/dsa/dsa_pmeth.c | 2 +- crypto/ec/ec_ameth.c | 2 +- crypto/ec/ec_lib.c | 2 +- crypto/ecdsa/ecdsatest.c | 2 +- crypto/ecdsa/ecs_ossl.c | 2 +- crypto/engine/eng_lib.c | 2 +- crypto/engine/tb_asnmth.c| 2 +- crypto/pem/pvkfmt.c | 2 +- crypto/pkcs12/p12_asn.c | 2 +- crypto/rsa/rsa_eay.c | 2 +- crypto/ui/ui_openssl.c | 2 +- crypto/x509v3/v3_purp.c | 2 +- doc/man3/X509_cmp_time.pod | 2 +- ssl/d1_both.c| 2 +- ssl/s3_lib.c | 2 +- ssl/s3_srvr.c| 2 +- ssl/ssl.h| 2 +- ssl/ssl_lib.c| 2 +- ssl/ssl_locl.h | 2 +- ssl/t1_trce.c| 2 +- test/cms-test.pl | 2 +- test/recipes/60-test_x509_time.t | 2 +- test/x509_time_test.c| 2 +- 38 files changed, 38 insertions(+), 38 deletions(-) diff --git a/README b/README index 5719468..e22d9ab 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ OpenSSL 1.0.2p-dev - Copyright (c) 1998-2015 The OpenSSL Project + Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/apps/apps.c b/apps/apps.c index 07ffad1..fc1bae0 100644 --- a/apps/apps.c +++ b/apps/apps.c 
@@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/apps/ocsp.c b/apps/ocsp.c index 352bdf1..678e993 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -4,7 +4,7 @@ * 2000. */ /* - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/apps/s_apps.h b/apps/s_apps.h index bb0aba6..cbb61ba 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/apps/s_client.c b/apps/s_client.c index 9b09672..b455d90 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/apps/s_server.c b/apps/s_server.c index 9570f07..ce7a1d6 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * *
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 0698c33a7b18a52a41de6800d1d2839fea540af5 (commit) from 7d4c97add12cfa5d4589880b09d6139c3203e2f4 (commit) - Log - commit 0698c33a7b18a52a41de6800d1d2839fea540af5 Author: Matt Caswell Date: Tue Aug 14 10:39:19 2018 +0100 Updates to CHANGES and NEWS for the new release Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6951) --- Summary of changes: CHANGES | 24 NEWS| 3 ++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 4f24046..b25db02 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,30 @@ Changes between 1.0.2o and 1.0.2p [xx XXX ] + *) Client DoS due to large DH parameter + + During key agreement in a TLS handshake using a DH(E) based ciphersuite a + malicious server can send a very large prime value to the client. This will + cause the client to spend an unreasonably long period of time generating a + key for this prime resulting in a hang until the client has finished. This + could be exploited in a Denial Of Service attack. + + This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken + (CVE-2018-0732) + [Guido Vranken] + + *) Cache timing vulnerability in RSA Key Generation + + The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to + a cache timing side channel attack. An attacker with sufficient access to + mount cache timing attacks during the RSA key generation process could + recover the private key. + + This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera + Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. + (CVE-2018-0737) + [Billy Brumley] + *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str parameter is no longer accepted, as it leads to a corrupt table. NULL pem_str is reserved for alias entries only. diff --git a/NEWS b/NEWS index 0fb4724..7cf369a 100644 --- a/NEWS +++ b/NEWS 
@@ -7,7 +7,8 @@ Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [under development] - o + o Client DoS due to large DH parameter (CVE-2018-0732) + o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018] _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
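Review bot: both new CHANGES entries record what was reported and by whom, but not what this release does about it, which is what the neighbouring entries do (the EVP_PKEY_asn1_new() entry just below states the input that is now rejected). Add one sentence per entry on the mitigation: what a client now does when the server's DH prime is oversized, and what in the RSA key generation path was changed against the cache timing leak, so that someone reading CHANGES for 1.0.2p can judge whether their use is affected without going to the advisory. The NEWS hunk is consistent with CHANGES; the "[xx XXX ]" date is still the placeholder, as expected before the release commit.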
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 7d4c97add12cfa5d4589880b09d6139c3203e2f4 (commit) from 0971432f6f6d8b40d797133621809bd31eb7bf4e (commit) - Log - commit 7d4c97add12cfa5d4589880b09d6139c3203e2f4 Author: Richard Levitte Date: Mon Aug 13 20:37:43 2018 +0200 i2d_ASN1_BOOLEAN(): allocate memory if the user didn't provide a buffer Just as was done recently for i2d_ASN1_OBJECT, we also make i2d_ASN1_BOOLEAN comply with the documentation. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6943) --- Summary of changes: crypto/asn1/a_bool.c | 24 +++- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/crypto/asn1/a_bool.c b/crypto/asn1/a_bool.c index 1b85bc9..98454f3 100644 --- a/crypto/asn1/a_bool.c +++ b/crypto/asn1/a_bool.c @@ -63,17 +63,31 @@ int i2d_ASN1_BOOLEAN(int a, unsigned char **pp) { int r; -unsigned char *p; +unsigned char *p, *allocated = NULL; r = ASN1_object_size(0, 1, V_ASN1_BOOLEAN); if (pp == NULL) return (r); -p = *pp; + +if (*pp == NULL) { +if ((p = allocated = OPENSSL_malloc(r)) == NULL) { +ASN1err(ASN1_F_I2D_ASN1_OBJECT, ERR_R_MALLOC_FAILURE); +return 0; +} +} else { +p = *pp; +} ASN1_put_object(, 0, 1, V_ASN1_BOOLEAN, V_ASN1_UNIVERSAL); -*(p++) = (unsigned char)a; -*pp = p; -return (r); +*p = (unsigned char)a; + + +/* + * If a new buffer was allocated, just return it back. + * If not, return the incremented buffer pointer. + */ +*pp = allocated != NULL ? allocated : p + 1; +return r; } int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
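Review bot: the new failure branch in i2d_ASN1_BOOLEAN reports ASN1_F_I2D_ASN1_OBJECT, carried over from the i2d_ASN1_OBJECT patch; give the function its own ASN1_F_I2D_ASN1_BOOLEAN code in asn1.h/asn1_err.c and use that, otherwise an allocation failure here is attributed to the wrong function on the error queue (the later commit 2d2fe4244eb554c9f5d3841830d0be3c7e16fb86 on this page makes exactly that correction). Two smaller points: the function can now return 0, which it never could before, so in-tree callers that treat the return as an unconditional length should be checked, and there is a stray double blank line after `*p = (unsigned char)a;`. The closing `*pp = allocated != NULL ? allocated : p + 1;` gives the two documented behaviours correctly: with a caller-supplied buffer *pp is advanced past the encoding, and with a NULL *pp it points at the start of the new buffer, which the caller then owns and must release with OPENSSL_free.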
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 0971432f6f6d8b40d797133621809bd31eb7bf4e (commit) from ec3f996b3066ecaaec87ba5ad29c606aeac0740d (commit) - Log - commit 0971432f6f6d8b40d797133621809bd31eb7bf4e Author: Richard Levitte Date: Sat Aug 11 09:59:20 2018 +0200 i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer Since 0.9.7, all i2d_ functions were documented to allocate an output buffer if the user didn't provide one, under these conditions (from the 1.0.2 documentation): For OpenSSL 0.9.7 and later if B<*out> is B memory will be allocated for a buffer and the encoded data written to it. In this case B<*out> is not incremented and it points to the start of the data just written. i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL output buffer was provided. Fixes #6914 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/6918) (cherry picked from commit 6114041540d8d1fecaf23a861788c3c742d3b467) --- Summary of changes: crypto/asn1/a_object.c | 21 - crypto/asn1/asn1.h | 1 + crypto/asn1/asn1_err.c | 1 + 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index ad6b12a..ce05cf4 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -66,7 +66,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp) { -unsigned char *p; +unsigned char *p, *allocated = NULL; int objsize; if ((a == NULL) || (a->data == NULL)) 
@@ -76,13 +76,24 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp) if (pp == NULL || objsize == -1) return objsize; -p = *pp; +if (*pp == NULL) { +if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) { +ASN1err(ASN1_F_I2D_ASN1_OBJECT, ERR_R_MALLOC_FAILURE); +return 0; +} +} else { +p = *pp; +} + ASN1_put_object(, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL); memcpy(p, a->data, a->length); -p += a->length; -*pp = p; -return (objsize); +/* + * If a new buffer was allocated, just return it back. + * If not, return the incremented buffer pointer. + */ +*pp = allocated != NULL ? allocated : p + a->length; +return objsize; } int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num) diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index 256c531..0515292 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -1267,6 +1267,7 @@ void ERR_load_ASN1_strings(void); # define ASN1_F_D2I_X509_PKEY 159 # define ASN1_F_DO_BUF221 # define ASN1_F_I2D_ASN1_BIO_STREAM 211 +# define ASN1_F_I2D_ASN1_OBJECT 222 # define ASN1_F_I2D_ASN1_SET 188 # define ASN1_F_I2D_ASN1_TIME 160 # define ASN1_F_I2D_DSA_PUBKEY161 diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index c144180..475e80a 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -168,6 +168,7 @@ static ERR_STRING_DATA ASN1_str_functs[] = { {ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"}, {ERR_FUNC(ASN1_F_DO_BUF), "DO_BUF"}, {ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"}, +{ERR_FUNC(ASN1_F_I2D_ASN1_OBJECT), "i2d_ASN1_OBJECT"}, {ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"}, {ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"}, {ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"}, _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
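Review bot: no regression test accompanies the fix even though the bug was a deterministic crash on a NULL *pp (issue #6914); a test that calls i2d_ASN1_OBJECT once with pp == NULL for the length and once with a NULL *pp, then checks that the second call returns the same length, that *pp points at a buffer whose first byte is the OBJECT tag, and frees it, would pin the documented contract down. As long as objsize was computed with ASN1_object_size() for a->length (that line is above the hunk), the allocation is exactly what ASN1_put_object plus the memcpy of a->length bytes fill, so there is no slack and no overrun. The asn1.h/asn1_err.c entries are hand-added (code 222 in both); as with the BOOLEAN follow-up, regenerate with util/mkerr.pl to be sure nothing else drifted.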
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via ec3f996b3066ecaaec87ba5ad29c606aeac0740d (commit) via df6b67becc1f41c27e20ff10b5ec42ced58b (commit) via 6412738be390dd9bf680cef89f22e4c810ab065f (commit) from f72a7ce8bc0a5c0866c6a848a7f54854d67aeba2 (commit) - Log - commit ec3f996b3066ecaaec87ba5ad29c606aeac0740d Author: Andy Polyakov Date: Sun Feb 4 15:24:54 2018 +0100 rsa/*: switch to BN_bn2binpad. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6889) (cherry picked from commit 582ad5d4d9b7703eb089016935133e3a18ea8205) Resolved conflicts: crypto/rsa/rsa_ossl.c crypto/rsa/rsa_pk1.c commit df6b67becc1f41c27e20ff10b5ec42ced58b Author: Andy Polyakov Date: Mon Jul 16 18:17:44 2018 +0200 bn/bn_lib.c address Coverity nit in bn2binpad. It was a false positive, but one can as well view it as a readability issue. Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions with a signed dividend vs. 1 (one) with unsigned. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6889) (cherry picked from commit 83e034379fa3f6f0d308ec75fbcb137e26154aec) commit 6412738be390dd9bf680cef89f22e4c810ab065f Author: Andy Polyakov Date: Sun Feb 4 15:20:29 2018 +0100 bn/bn_lib.c: add computationally constant-time bn_bn2binpad. "Computationally constant-time" means that it might still leak information about the input's length, but only in cases when the input is missing complete BN_ULONG limbs. But even then the leak is possible only if an attacker can observe the memory access pattern with limb granularity. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6889) (cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a) Resolved conflicts: crypto/bn/bn_lib.c --- Summary of changes: crypto/bn/bn_lib.c| 35 + crypto/bn_int.h | 2 ++ crypto/rsa/rsa_eay.c | 39 +++- crypto/rsa/rsa_oaep.c | 39 +++- crypto/rsa/rsa_pk1.c | 62 +++ crypto/rsa/rsa_ssl.c | 8 +++ 6 files changed, 125 insertions(+), 60 deletions(-) 
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index c6005bf..03bd8cd 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -614,6 +614,41 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) } /* ignore negative */ +static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +{ +int n; +size_t i, inc, lasti, j; +BN_ULONG l; + +n = BN_num_bytes(a); +if (tolen == -1) +tolen = n; +else if (tolen < n) +return -1; + +if (n == 0) { +OPENSSL_cleanse(to, tolen); +return tolen; +} + +lasti = n - 1; +for (i = 0, inc = 1, j = tolen; j > 0;) { +l = a->d[i / BN_BYTES]; +to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc)); +inc = (i - lasti) >> (8 * sizeof(i) - 1); +i += inc; /* stay on top limb */ +} + +return tolen; +} + +int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +{ +if (tolen < 0) +return -1; +return bn2binpad(a, to, tolen); +} + int BN_bn2bin(const BIGNUM *a, unsigned char *to) { int n, i; diff --git a/crypto/bn_int.h b/crypto/bn_int.h index 9683e5f..9c42d6f 100644 --- a/crypto/bn_int.h +++ b/crypto/bn_int.h @@ -11,3 +11,5 @@ int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx); int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); + +int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen); diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index b147fff..b9c6855 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -114,6 +114,7 @@ #include #include #include +#include "bn_int.h" #ifndef RSA_NULL @@ -156,7 +157,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { BIGNUM *f, *ret; -int i, j, k, num = 0, r = -1; +int i, num = 0, r = -1; unsigned char *buf = NULL; BN_CTX *ctx = NULL; 
@@ -232,15 +233,10 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, goto err; /* - * put in leading 0 bytes if the number is less than the length of the - * modulus + * BN_bn2binpad puts in leading 0 bytes if the number is less than + * the length of the modulus. */ -j = BN_num_bytes(ret); -i = BN_bn2bin(ret, &(to[num - j])); -
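Review bot: in the bn2binpad() hunk, the line `inc = (i - lasti) >> (8 * sizeof(i) - 1);` deserves a comment, because it reads like a signed-overflow bug and is not: i and lasti are size_t, the subtraction wraps, and the top bit is set exactly while i < lasti, so inc is 1 until i reaches the top byte and 0 afterwards, at which point i stops advancing ("stay on top limb") and `& (0 - inc)` turns every further byte into zero. That is what makes the loop perform exactly tolen stores and touch only limbs that exist, which is the "computationally constant-time" property of the commit message, and it is also where the remaining limb-granularity leak comes from, since a->d[i / BN_BYTES] never indexes past the top limb. The early `if (n == 0)` return is needed for correctness, not only speed: with n == 0 the loop would read a->d[0] on a BIGNUM that may own no limbs or hold stale limb contents, so say that in a comment; memset would serve there as well as OPENSSL_cleanse since `to` is an output buffer. Lastly, bn_bn2binpad() returns -1 when the value does not fit tolen, unlike BN_bn2bin, so every converted call site (rsa_eay.c, rsa_oaep.c, rsa_pk1.c, rsa_ssl.c per the summary) must check for a negative return.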
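Review bot: the replacement comment in RSA_eay_public_encrypt names BN_bn2binpad, but the function this branch declares in bn_int.h is bn_bn2binpad (BN_bn2binpad is the public name on the 1.1.x branches); use the name that exists here so the comment can be grepped. The hunk as shown on this page ends at the removed `j = BN_num_bytes(ret); i = BN_bn2bin(ret, &(to[num - j]));` lines, so the call that replaces them is not visible; note for whoever reviews the full diff that the old code relied on the leading num - j bytes having been zeroed elsewhere, whereas the padded call zero-fills itself, so any separate pre-zeroing of `to` at this site becomes redundant and can go.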
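As an added illustration written for this note (not OpenSSL code), the bn2binpad() loop from the hunk above on a small limb vector, beside the offset-based BN_bn2bin serialisation it replaces in rsa_eay.c, so the two can be run on the same input and their store counts compared. Num, Limb, LIMB_BYTES and demo_value are this example's own names; it assumes 64-bit limbs in little-endian limb order, as BIGNUM::d has on x86_64.

```cpp
// Added example, not OpenSSL code: bn2binpad() from the hunk above modelled
// on a small limb vector, next to the offset-based BN_bn2bin scheme it
// replaces. Assumed: 64-bit limbs, least significant limb first.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

typedef uint64_t Limb;                          // stands in for BN_ULONG
static const size_t LIMB_BYTES = sizeof(Limb);  // stands in for BN_BYTES

struct Num {               // the parts of BIGNUM the loops touch
    std::vector<Limb> d;   // limbs, least significant first (BIGNUM::d)
    size_t top;            // limbs in use (BIGNUM::top)
};

static size_t num_bytes(const Num &a) {  // BN_num_bytes() equivalent
    if (a.top == 0) return 0;
    Limb hi = a.d[a.top - 1];
    size_t bits = 0;
    while (hi != 0) { bits++; hi >>= 1; }
    return (a.top - 1) * LIMB_BYTES + (bits + 7) / 8;
}

// Old scheme (the removed rsa_eay.c lines): zero the leading bytes, then
// write the value at offset tolen - n. Offset and iteration count both
// depend on the value being encoded.
static int bn2bin_at_offset(const Num &a, unsigned char *to, size_t tolen,
                            size_t *iterations) {
    size_t n = num_bytes(a);
    if (n > tolen) return -1;
    memset(to, 0, tolen - n);
    unsigned char *p = to + (tolen - n);
    *iterations = 0;
    for (size_t i = n; i-- > 0;) {   // most significant byte first
        *p++ = (unsigned char)(a.d[i / LIMB_BYTES] >> (8 * (i % LIMB_BYTES)));
        (*iterations)++;
    }
    return (int)tolen;
}

// New scheme, mirroring bn2binpad() from the patch: always exactly tolen
// stores, no branch on the value, limb index clamped at the top limb.
static int bn2binpad_ct(const Num &a, unsigned char *to, size_t tolen,
                        size_t *iterations) {
    size_t n = num_bytes(a);
    if (n > tolen) return -1;
    if (n == 0) {              // zero may own no limbs: nothing to read
        memset(to, 0, tolen);
        *iterations = tolen;
        return (int)tolen;
    }
    size_t lasti = n - 1, i = 0, inc = 1;
    *iterations = 0;
    for (size_t j = tolen; j > 0;) {
        Limb l = a.d[i / LIMB_BYTES];
        // (0 - inc) is all ones while byte i lies inside the number and 0
        // afterwards, so the padding bytes come out of the same store.
        to[--j] = (unsigned char)((l >> (8 * (i % LIMB_BYTES))) & (0 - inc));
        // Unsigned wrap-around: i - lasti has its top bit set while
        // i < lasti, so inc stays 1; it drops to 0 once i == lasti.
        inc = (i - lasti) >> (8 * sizeof(i) - 1);
        i += inc;              // stays on the top byte from then on
        (*iterations)++;
    }
    return (int)tolen;
}

// Constructed demo value: 0xFF0123456789ABCDEF (9 bytes, two limbs),
// encoded into a 16-byte field as a modulus-sized RSA buffer would be.
static Num demo_value() {
    Num a;
    a.d.push_back(0x0123456789ABCDEFULL);
    a.d.push_back(0xFFULL);
    a.top = 2;
    return a;
}

// Store count of either scheme on the demo value: 9 for the old loop,
// 16 (== tolen) for the padded one.
static size_t demo_iterations(bool padded) {
    unsigned char out[16];
    size_t it = 0;
    Num a = demo_value();
    if (padded) bn2binpad_ct(a, out, sizeof(out), &it);
    else bn2bin_at_offset(a, out, sizeof(out), &it);
    return it;
}

// True if both schemes agree on the demo value (7 leading zero bytes), the
// padded one zero-fills a zero, and a value that does not fit is rejected.
static bool check_demo() {
    unsigned char a1[16], a2[16];
    size_t it = 0;
    Num a = demo_value();
    if (bn2bin_at_offset(a, a1, 16, &it) != 16) return false;
    if (bn2binpad_ct(a, a2, 16, &it) != 16) return false;
    if (memcmp(a1, a2, 16) != 0) return false;
    if (a2[6] != 0 || a2[7] != 0xFF || a2[15] != 0xEF) return false;
    Num zero; zero.top = 0;
    if (bn2binpad_ct(zero, a2, 16, &it) != 16) return false;
    for (int k = 0; k < 16; k++) if (a2[k] != 0) return false;
    return bn2binpad_ct(a, a2, 8, &it) == -1;
}

int main() {
    unsigned char out[16];
    size_t it = 0;
    bn2binpad_ct(demo_value(), out, sizeof(out), &it);
    for (size_t k = 0; k < sizeof(out); k++) std::printf("%02x", out[k]);
    std::printf("  (%zu stores)\n", it);
    return check_demo() ? 0 : 1;
}
```

The iteration counters are the observable difference: the old loop runs n times and starts at an offset derived from n, the padded loop runs tolen times regardless of the value, and its only value-dependent behaviour is which limb of a.d is read, which is the limb-granularity leak the commit message concedes.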
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via f72a7ce8bc0a5c0866c6a848a7f54854d67aeba2 (commit) from 29d8bda90ce824263317eae5354388f79844dd51 (commit) - Log - commit f72a7ce8bc0a5c0866c6a848a7f54854d67aeba2 Author: Richard Levitte Date: Tue Aug 7 06:21:43 2018 +0200 Make EVP_PKEY_asn1_new() stricter with its input Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6881) --- Summary of changes: CHANGES | 5 + crypto/asn1/ameth_lib.c | 12 2 files changed, 17 insertions(+) diff --git a/CHANGES b/CHANGES index b8e2f86..4f24046 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,11 @@ Changes between 1.0.2o and 1.0.2p [xx XXX ] + *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str + parameter is no longer accepted, as it leads to a corrupt table. NULL + pem_str is reserved for alias entries only. + [Richard Levitte] + *) Revert blinding in ECDSA sign and instead make problematic addition length-invariant. Switch even to fixed-length Montgomery multiplication. [Andy Polyakov] diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index 43ddebb..8f49071 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -305,6 +305,18 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, } else ameth->info = NULL; +/* + * One of the following must be true: + * + * pem_str == NULL AND ASN1_PKEY_ALIAS is set + * pem_str != NULL AND ASN1_PKEY_ALIAS is clear + * + * Anything else is an error and may lead to a corrupt ASN1 method table + */ +if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0) + || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0))) +goto err; + if (pem_str) { ameth->pem_str = BUF_strdup(pem_str); if (!ameth->pem_str) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
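Review bot: the new `goto err` is a silent failure; nothing is put on the error queue, so a caller passing a NULL pem_str without ASN1_PKEY_ALIAS (or the reverse) gets NULL back with no diagnostic. Raise an error with a reason such as invalid parameters before the jump, and make sure the err: label, which is outside this hunk, releases ameth and the info string set just above it (the visible context shows the else branch that NULLs ameth->info, so the if branch allocates it), since this is a new early exit after that allocation. The CHANGES text also under-describes the check: the condition rejects both a NULL pem_str without ASN1_PKEY_ALIAS and a non-NULL pem_str with ASN1_PKEY_ALIAS set, while the entry mentions only the first case, so the second should be added there.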
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 29d8bda90ce824263317eae5354388f79844dd51 (commit) via 983e1ad235caa45d710eaa5f0d2de504d782a348 (commit) via e3ab8cc460d1a43fe6310c8d9a92589db1d4f8a3 (commit) via 6a815969776e3329fdffcc12c77e047e3a15be78 (commit) via 83325a68ad5fdfc359ab9d82a0e0da8e5fe7ede1 (commit) via c9046a05ec0fc3377e1077b401652d76ee5ce908 (commit) via 327b2c011342280c7fd5e312a4fff2a01083d2d6 (commit) via c1c0e4f1a358072767860764cd43335fc7316176 (commit) via 7cca1f96bf82b22ab49f179bae7df1562d0a104b (commit) from d69f31fcc38878769c8c917f8724c5aef10fd847 (commit) - Log - commit 29d8bda90ce824263317eae5354388f79844dd51 Author: Andy Polyakov Date: Mon Jul 30 12:39:08 2018 +0200 CHANGES: mention blinding reverting in ECDSA. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) commit 983e1ad235caa45d710eaa5f0d2de504d782a348 Author: Andy Polyakov Date: Mon Jul 30 12:37:17 2018 +0200 ecdsa/ecs_ossl.c: switch to fixed-length Montgomery multiplication. (back-ported from commit 37132c9702328940a99b1307f742ab094ef754a7) Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) commit e3ab8cc460d1a43fe6310c8d9a92589db1d4f8a3 Author: Billy Brumley Date: Wed Jan 20 13:18:21 2016 +0200 Fix BN_gcd errors for some curves Those even order that do not play nicely with Montgomery arithmetic (back-ported from commit 3a6a4a93518fbb3d96632bfdcb538d340f29c56b) Reviewed-by: Andy Polyakov Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) commit 6a815969776e3329fdffcc12c77e047e3a15be78 Author: Andy Polyakov Date: Wed Jul 25 10:29:51 2018 +0200 bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation. New implementation failed to correctly reset r->neg flag. Spotted by OSSFuzz. 
Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 70a579ae2f37437a1e02331eeaa84e1b68ba021e) commit 83325a68ad5fdfc359ab9d82a0e0da8e5fe7ede1 Author: Andy Polyakov Date: Fri Jul 6 15:55:34 2018 +0200 ecdsa/ecs_ossl.c: revert blinding in ECDSA signature. Originally suggested solution for "Return Of the Hidden Number Problem" is arguably too expensive. While it has marginal impact on slower curves, none to ~6%, optimized implementations suffer real penalties. Most notably sign with P-256 went more than 2 times[!] slower. Instead, just implement constant-time BN_mod_add_quick. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f) Resolved conflicts: crypto/ec/ecdsa_ossl.c crypto/include/internal/bn_int.h commit c9046a05ec0fc3377e1077b401652d76ee5ce908 Author: Andy Polyakov Date: Fri Jul 6 15:13:15 2018 +0200 bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors. Note that exported functions maintain original behaviour, so that external callers won't observe difference. While internally we can now perform Montgomery multiplication on fixed-length vectors, fixed at modulus size. The new functions, bn_to_mont_fixed_top and bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use them even outside bn, e.g. in RSA, DSA, ECDSA... Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 71883868ea5b33416ae8283bcc38dd2d97e5006b) Resolved conflicts: crypto/bn/bn_exp.c crypto/bn/bn_lcl.h crypto/bn/bn_mont.c crypto/include/internal/bn_int.h commit 327b2c011342280c7fd5e312a4fff2a01083d2d6 Author: Andy Polyakov Date: Fri Jul 6 15:02:29 2018 +0200 bn/bn_lib.c: add BN_FLG_FIXED_TOP flag. The new flag marks vectors that were not treated with bn_correct_top, in other words such vectors are permitted to be zero padded. 
For now it's BN_DEBUG-only flag, as initial use case for zero-padded vectors would be controlled Montgomery multiplication/exponentiation, not general purpose. For general purpose use another type might be more appropriate. Advantage of this suggestion is that it's possible to back-port it... bn/bn_div.c: fix memory sanitizer problem. bn/bn_sqr.c: harmonize with BN_mul. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb) Resolved conflicts: crypto/bn/bn_lcl.h crypto/bn/bn_lib.c commit c1c0e4f1a358072767860764cd43335fc7316176 Author: Andy Polyakov Date: Fri Jul
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via d69f31fcc38878769c8c917f8724c5aef10fd847 (commit) from be4e1f79f631e49c76d02fe4644b52f907c374b2 (commit) - Log - commit d69f31fcc38878769c8c917f8724c5aef10fd847 Author: Kurt Roeckx Date: Thu Jul 26 11:10:24 2018 +0200 Fix inconsistent use of bit vs bits Reviewed-by: Tim Hudson GH: #6794 (cherry picked from commit b9e54e98066c1ff8adab5d68b6c114b14d2f74e5) --- Summary of changes: doc/crypto/BN_generate_prime.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod index 0079f17..003d123 100644 --- a/doc/crypto/BN_generate_prime.pod +++ b/doc/crypto/BN_generate_prime.pod @@ -92,8 +92,8 @@ probabilistic primality test with B iterations. If B, a number of iterations is used that yields a false positive rate of at most 2^-64 for random input. The error rate depends on the size of the prime and goes down for bigger primes. -The rate is 2^-80 starting at 308 bits, 2^-112 at 852 bit, 2^-128 at 1080 bits, -2^-192 at 3747 bit and 2^-256 at 6394 bit. +The rate is 2^-80 starting at 308 bits, 2^-112 at 852 bits, 2^-128 at 1080 bits, +2^-192 at 3747 bits and 2^-256 at 6394 bits. When the source of the prime is not random or not trusted, the number of checks needs to be much higher to reach the same level of assurance: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via be4e1f79f631e49c76d02fe4644b52f907c374b2 (commit) via 7a23bff90ef4466d741e46c5cf9e467b25c6ad4f (commit) from 9df990cdef581f7330205aef975055e23d8e8d43 (commit) - Log - commit be4e1f79f631e49c76d02fe4644b52f907c374b2 Author: Kurt Roeckx Date: Wed Jul 25 18:55:16 2018 +0200 Make the number of Miller-Rabin tests for a prime depend on the security level of the prime. The old numbers were all generated for an 80 bit security level. But the number should depend on the security level you want to reach. For bigger primes we want a higher security level and so need to do more tests. Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale GH: #6075 Fixes: #6012 (cherry picked from commit feac7a1c8be49fbcb76fcb721ec9f02fdd91030e) commit 7a23bff90ef4466d741e46c5cf9e467b25c6ad4f Author: Kurt Roeckx Date: Wed Apr 25 21:47:20 2018 +0200 Change the number of Miller-Rabin tests for DSA generation to 64. This changes the security level from 100 to 128 bit. We only have 1 define, this sets it to the highest level supported for DSA, and needed for keys larger than 3072 bit. Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale GH: #6075 (cherry picked from commit 74ee379651fb2bb12c6f7eb9fa10e70be89ac7c8) --- Summary of changes: CHANGES | 10 + crypto/bn/bn.h | 87 +++- crypto/dsa/dsa.h | 8 ++-- doc/crypto/BN_generate_prime.pod | 12 +- 4 files changed, 95 insertions(+), 22 deletions(-) diff --git a/CHANGES b/CHANGES index f9562dd..1bf0f0b 100644 --- a/CHANGES +++ b/CHANGES
@@ -9,6 +9,16 @@ Changes between 1.0.2o and 1.0.2p [xx XXX ] + *) Change generating and checking of primes so that the error rate of not + being prime depends on the intended use based on the size of the input. + For larger primes this will result in more rounds of Miller-Rabin. + The maximal error rate for primes with more than 1080 bits is lowered + to 2^-128. + [Kurt Roeckx, Annie Yousar] + + *) Increase the number of Miller-Rabin rounds for DSA key generating to 64. + [Kurt Roeckx] + *) Add blinding to ECDSA and DSA signatures to protect against side channel attacks discovered by Keegan Ryan (NCC Group). [Matt Caswell] diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index 633d1b1..c056bba 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h 
@@ -375,25 +375,76 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b); * on the size of the number */ /* - * number of Miller-Rabin iterations for an error rate of less than 2^-80 for - * random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of - * Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; - * original paper: Damgaard, Landrock, Pomerance: Average case error - * estimates for the strong probable prime test. -- Math. Comp. 61 (1993) - * 177-194) + * BN_prime_checks_for_size() returns the number of Miller-Rabin iterations + * that will be done for checking that a random number is probably prime. The + * error rate for accepting a composite number as prime depends on the size of + * the prime |b|. The error rates used are for calculating an RSA key with 2 primes, + * and so the level is what you would expect for a key of double the size of the + * prime. + * + * This table is generated using the algorithm of FIPS PUB 186-4 + * Digital Signature Standard (DSS), section F.1, page 117. 
+ * (https://dx.doi.org/10.6028/NIST.FIPS.186-4) + * + * The following magma script was used to generate the output: + * securitybits:=125; + * k:=1024; + * for t:=1 to 65 do + * for M:=3 to Floor(2*Sqrt(k-1)-1) do + * S:=0; + * // Sum over m + * for m:=3 to M do + * s:=0; + * // Sum over j + * for j:=2 to m do + * s+:=(RealField(32)!2)^-(j+(k-1)/j); + * end for; + * S+:=2^(m-(m-1)*t)*s; + * end for; + * A:=2^(k-2-M*t); + * B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S; + * pkt:=2.00743*Log(2)*k*2^-k*(A+B); + * seclevel:=Floor(-Log(2,pkt)); + * if seclevel ge securitybits then + * printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M; + * break; + * end if; + * end for; + * if seclevel ge securitybits then break; end if; + * end for; + * + * It can be run online at: + * http://magma.maths.usyd.edu.au/calc + * + * And will output: + * k: 1024, security: 129 bits (t: 6, M: 23) + * + * k is the number of bits of the prime, securitybits is the level we want to + * reach. + * + * prime length | RSA key size | # MR tests | security level + *
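Review bot: the CHANGES entry should state what callers will observe on a stable branch: prime generation and prime checking now run more Miller-Rabin rounds for large inputs, which is a measurable slowdown for code that produces or verifies multi-kilobit primes, and it would help to name the rounds-by-size helper the bn.h comment introduces (BN_prime_checks_for_size) so readers can find the new table. "DSA key generating" should read "DSA key generation".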
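Review bot: in the bn.h comment the script searches with securitybits:=125 while the surrounding prose, the table column and the sample output talk about 128 and 129 bits; say why 125 is the threshold (the paragraph above explains the level is meant for a key of twice the prime size, but the step from that to 125 is not spelled out), otherwise the next person regenerating the table will pick 128 and get different round counts. The table itself is cut off on this page after its header row, so its rows cannot be checked here. It would also help to repeat, next to the table, the caveat the BN_generate_prime.pod hunk in commit d69f31fcc38878769c8c917f8724c5aef10fd847 makes: these error rates hold for random input, and adversarially chosen candidates need many more rounds.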
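The Magma script in the bn.h comment above, ported to C++ as an added example (not part of the commit) so the round counts can be regenerated locally without the Magma calculator: log2_pkt() evaluates the FIPS 186-4 F.1 bound p_{k,t} and mr_rounds_for() runs the same t and M loops. The two function names and the MRResult struct are this example's; the formulas and loop bounds are the script's, with the 2^(k-2) factor taken out so intermediate values stay within double range for large k.

```cpp
// Added example, not OpenSSL code: the Magma search from the bn.h comment
// above ported to C++. For a k-bit candidate prime it finds the smallest
// number of Miller-Rabin rounds t (and the summation limit M at which the
// bound is met) such that the FIPS 186-4 F.1 error bound p_{k,t} is below
// 2^-securitybits.
#include <climits>
#include <cmath>
#include <cstdio>

struct MRResult {
    int t;         // Miller-Rabin rounds
    int M;         // summation limit at which the bound was met
    int seclevel;  // floor(-log2(p_{k,t})) reached
};

static const double PI = 3.14159265358979323846;

// log2 of p_{k,t}, using the script's formulas:
//   pkt = 2.00743 * ln(2) * k * 2^-k * (A + B)
//   A   = 2^(k-2-M*t)
//   B   = 8*(pi^2-6)/3 * 2^(k-2) * S
//   S   = sum_{m=3}^{M} 2^(m-(m-1)*t) * sum_{j=2}^{m} 2^-(j+(k-1)/j)
// The common factor 2^(k-2) is pulled out so that no intermediate leaves
// double range even for k in the thousands:
//   pkt = 2.00743 * ln(2) * k / 4 * (2^(-M*t) + c*S),  c = 8*(pi^2-6)/3
static double log2_pkt(int k, int t, int M) {
    const double c = 8.0 * (PI * PI - 6.0) / 3.0;
    double S = 0.0;
    for (int m = 3; m <= M; m++) {
        double s = 0.0;
        for (int j = 2; j <= m; j++)
            s += std::pow(2.0, -(j + (k - 1) / (double)j));
        S += std::pow(2.0, (double)(m - (m - 1) * t)) * s;
    }
    double inner = std::pow(2.0, -(double)M * t) + c * S;
    if (inner == 0.0)
        return -INFINITY;  // underflow: bound is below 2^-1074, past any target
    return std::log2(2.00743 * std::log(2.0) * k / 4.0 * inner);
}

// Same loops as the script: t = 1..65, M = 3..floor(2*sqrt(k-1)-1), stop at
// the first (t, M) whose security level reaches securitybits.
static MRResult mr_rounds_for(int k, int securitybits) {
    MRResult none = {0, 0, 0};
    int Mmax = (int)std::floor(2.0 * std::sqrt((double)(k - 1)) - 1.0);
    for (int t = 1; t <= 65; t++) {
        for (int M = 3; M <= Mmax; M++) {
            double l = log2_pkt(k, t, M);
            int seclevel = std::isinf(l) ? INT_MAX : (int)std::floor(-l);
            if (seclevel >= securitybits) {
                MRResult r = {t, M, seclevel};
                return r;
            }
        }
    }
    return none;  // no t up to 65 reaches the target at this size
}

int main() {
    // The comment's own check value: k = 1024, securitybits = 125.
    MRResult r = mr_rounds_for(1024, 125);
    std::printf("k: %d, security: %d bits (t: %d, M: %d)\n",
                1024, r.seclevel, r.t, r.M);
    return 0;
}
```

Built with any C++11 compiler (g++ -std=c++11 mr.cpp), the program reproduces the line the comment gives for k = 1024 and securitybits = 125: t = 6, M = 23, 129 bits. Changing k regenerates the other rows; a prime length for which no t up to 65 suffices comes back as all zeros. The result for k = 1024 sits well clear of the floor boundary (about 129.5 bits at t = 6, about 124.2 at best for t = 5), so double precision gives the same row as the 32-digit reals in the script.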