[openssl] OpenSSL_1_1_0-stable update

2019-09-17 Thread nic . tuv
The branch OpenSSL_1_1_0-stable has been updated
   via  a3b54f0f5de1ad17889fd23aee7c230eefc300cd (commit)
  from  4eabf3d6541e83ae4443384ca3c4cf516930bfd8 (commit)


- Log -
commit a3b54f0f5de1ad17889fd23aee7c230eefc300cd
Author: Nicola Tuveri 
Date:   Thu Sep 12 01:57:47 2019 +0300

Fix no-ec2m in ec_curve.c (1.1.0)

I made a mistake in d4a5dac9f9242c580fb9d0a4389440eccd3494a7 and
inverted the GF2m and GFp calls in ec_point_get_affine_coordinates, this
fixes it.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9873)

---

Summary of changes:
 crypto/ec/ec_curve.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
index 2d28d7f70b..6a58b3a23e 100644
--- a/crypto/ec/ec_curve.c
+++ b/crypto/ec/ec_curve.c
@@ -3200,11 +3200,11 @@ int ec_point_get_affine_coordinates(const EC_GROUP 
*group,
 
 #ifndef OPENSSL_NO_EC2M
 if (field_nid == NID_X9_62_characteristic_two_field) {
-return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
+return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
 } else
 #endif /* !def(OPENSSL_NO_EC2M) */
 if (field_nid == NID_X9_62_prime_field) {
-return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
+return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
 } else {
 /* this should never happen */
 return 0;
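Review bot: the two swapped return lines are now correct (the characteristic-two branch calls the GF2m variant, the prime-field branch the GFp one), but since the inversion passed review once already, a regression test that calls ec_point_get_affine_coordinates on one binary curve and one prime curve in an EC2M-enabled build would keep it from recurring; nothing in the summary of changes adds such a test.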


[openssl] OpenSSL_1_1_0-stable update

2019-09-11 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  68dc4faeb395fb66448e310db6279e47dd879d23 (commit)
  from  631f94db0065c78181ca9ba5546ebc8bb3884b97 (commit)


- Log -
commit 68dc4faeb395fb66448e310db6279e47dd879d23
Author: Matt Caswell 
Date:   Tue Sep 10 11:55:41 2019 +0100

Remove duplicate CHANGES entry (1.1.0)

Reviewed-by: Richard Levitte 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/9845)

---

Summary of changes:
 CHANGES | 13 +
 NEWS|  2 +-
 2 files changed, 2 insertions(+), 13 deletions(-)

diff --git a/CHANGES b/CHANGES
index b12cf3ae07..4f3e51a0b0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,18 +9,6 @@
 
  Changes between 1.1.0k and 1.1.0l [xx XXX ]
 
-  *) Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt(). In situations
- where an attacker receives automated notification of the success or 
failure
- of a decryption attempt an attacker, after sending a very large number of
- messages to be decrypted, can recover a CMS/PKCS7 transported encryption
- key or decrypt any RSA encrypted message that was encrypted with the 
public
- RSA key, using a Bleichenbacher padding oracle attack. Applications are 
not
- affected if they use a certificate together with the private RSA key to 
the
- CMS_decrypt or PKCS7_decrypt functions to select the correct recipient 
info
- to decrypt.
- (CVE-2019-1563)
- [Bernd Edlinger]
-
   *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
  used even when parsing explicit parameters, when loading a serialized key
  or calling `EC_GROUP_new_from_ecpkparameters()`/
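Review bot: the entry removed here carried the only explicit statement that applications passing a certificate together with the private RSA key to CMS_decrypt or PKCS7_decrypt are not affected; the entry that survives (next hunk) only implies this through "in case the certifiate is not given", so consider carrying that sentence over into the surviving entry rather than dropping it with the duplicate.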
@@ -51,6 +39,7 @@
  certifiate is not given and all recipientInfo are tried out.
  The old behaviour can be re-enabled in the CMS code by setting the
  CMS_DEBUG_DECRYPT flag.
+ (CVE-2019-1563)
  [Bernd Edlinger]
 
   *) Use Windows installation paths in the mingw builds
diff --git a/NEWS b/NEWS
index 3d6d5a6f23..6218a9fc1b 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,7 @@
 
   Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [under development]
 
-  o Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt()
+  o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
 (CVE-2019-1563)
   o For built-in EC curves, ensure an EC_GROUP built from the curve name is
 used even when parsing explicit parameters
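Review bot: the NEWS line now names the internal functions PKCS7_dataDecode and CMS_decrypt_set1_pkey instead of the public PKCS7_decrypt() and CMS_decrypt() entry points; that matches the title of commit 631f94db, but NEWS readers search for the API they actually call, so consider naming both, e.g. "Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt() (PKCS7_dataDecode, CMS_decrypt_set1_pkey)".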


[openssl] OpenSSL_1_1_0-stable update

2019-09-11 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  d38234550ec4cdf10048dd26539d629cca7d6bcf (commit)
  from  78617373f2af1b735e66501a799969248251c54b (commit)


- Log -
commit d38234550ec4cdf10048dd26539d629cca7d6bcf
Author: Matt Caswell 
Date:   Tue Sep 10 10:26:07 2019 +0100

Update CHANGES and NEWS for the new release

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/9842)

---

Summary of changes:
 CHANGES | 12 
 NEWS|  8 +++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 3277a0dbd4..b4400d20cc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,18 @@
 
  Changes between 1.1.0k and 1.1.0l [xx XXX ]
 
+  *) Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt(). In situations
+ where an attacker receives automated notification of the success or 
failure
+ of a decryption attempt an attacker, after sending a very large number of
+ messages to be decrypted, can recover a CMS/PKCS7 transported encryption
+ key or decrypt any RSA encrypted message that was encrypted with the 
public
+ RSA key, using a Bleichenbacher padding oracle attack. Applications are 
not
+ affected if they use a certificate together with the private RSA key to 
the
+ CMS_decrypt or PKCS7_decrypt functions to select the correct recipient 
info
+ to decrypt.
+ (CVE-2019-1563)
+ [Bernd Edlinger]
+
   *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
  used even when parsing explicit parameters, when loading a serialized key
  or calling `EC_GROUP_new_from_ecpkparameters()`/
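Review bot: the CHANGES entry added here describes the CVE-2019-1563 fix before the fix itself lands on the branch; commit 631f94db (the fix, also in this digest) then adds its own entry for the same issue and commit 68dc4fae has to remove this one as a duplicate. Landing the release note together with the fix, or reviewing the fix's CHANGES text against this one before merging, would avoid the churn and the temporary disagreement between the two entries.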
diff --git a/NEWS b/NEWS
index a27090521b..3d6d5a6f23 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,13 @@
 
   Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [under development]
 
-  o
+  o Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt()
+(CVE-2019-1563)
+  o For built-in EC curves, ensure an EC_GROUP built from the curve name is
+used even when parsing explicit parameters
+  o Compute ECC cofactors if not provided during EC_GROUP construction
+(CVE-2019-1547)
+  o Use Windows installation paths in the mingw builds (CVE-2019-1552)
 
   Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [28 May 2019]
 


[openssl] OpenSSL_1_1_0-stable update

2019-09-11 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  631f94db0065c78181ca9ba5546ebc8bb3884b97 (commit)
  from  d38234550ec4cdf10048dd26539d629cca7d6bcf (commit)


- Log -
commit 631f94db0065c78181ca9ba5546ebc8bb3884b97
Author: Bernd Edlinger 
Date:   Sun Sep 1 00:16:28 2019 +0200

Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey

An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.

As a workaround for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certificate is not given and all recipientInfo are tried out.

The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9777)

(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)

---

Summary of changes:
 CHANGES | 14 ++
 crypto/cms/cms_env.c| 18 +-
 crypto/cms/cms_lcl.h|  2 ++
 crypto/cms/cms_smime.c  |  4 
 crypto/pkcs7/pk7_doit.c | 12 
 5 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index b4400d20cc..b12cf3ae07 100644
--- a/CHANGES
+++ b/CHANGES
@@ -39,6 +39,20 @@
  (CVE-2019-1547)
  [Billy Bob Brumley]
 
+  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+ An attack is simple, if the first CMS_recipientInfo is valid but the
+ second CMS_recipientInfo is chosen ciphertext. If the second
+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+ encryption key will be replaced by garbage, and the message cannot be
+ decoded, but if the RSA decryption fails, the correct encryption key is
+ used and the recipient will not notice the attack.
+ As a work around for this potential attack the length of the decrypted
+ key must be equal to the cipher default key length, in case the
+ certifiate is not given and all recipientInfo are tried out.
+ The old behaviour can be re-enabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag.
+ [Bernd Edlinger]
+
   *) Use Windows installation paths in the mingw builds
 
  Mingw isn't a POSIX environment per se, which means that Windows
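Review bot: "certifiate" in the new entry should read "certificate" (the same typo is in the commit message), and the entry carries no "(CVE-2019-1563)" line even though the NEWS text for this release attributes the padding-oracle fix to that CVE; adding the identifier here keeps CHANGES and NEWS consistent and lets packagers grep for it.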
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index fe5076ec02..269e97f3fa 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -363,6 +363,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo 
*cms,
 unsigned char *ek = NULL;
 size_t eklen;
 int ret = 0;
+size_t fixlen = 0;
 CMS_EncryptedContentInfo *ec;
 ec = cms->d.envelopedData->encryptedContentInfo;
 
@@ -371,6 +372,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo 
*cms,
 return 0;
 }
 
+if (cms->d.envelopedData->encryptedContentInfo->havenocert
+&& !cms->d.envelopedData->encryptedContentInfo->debug) {
+X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
+const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
+
+if (ciph == NULL) {
+CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
+return 0;
+}
+
+fixlen = EVP_CIPHER_key_length(ciph);
+}
+
 ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
 if (ktri->pctx == NULL)
 return 0;
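Review bot: `ec` already aliases cms->d.envelopedData->encryptedContentInfo (assigned just above this hunk), so the new condition can read `if (ec->havenocert && !ec->debug)` and the body can keep using `ec` as it does for contentEncryptionAlgorithm. On the logic: fixlen is taken from EVP_CIPHER_key_length(), i.e. the cipher's default key length, as the commit message states; for a content-encryption cipher whose key length is variable, a legitimately transported key of a non-default length would now be rejected unless CMS_DEBUG_DECRYPT is set, which is worth a sentence in the CHANGES entry so that users hitting it know why.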
@@ -401,7 +415,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo 
*cms,
 
 if (EVP_PKEY_decrypt(ktri->pctx, ek, ,
  ktri->encryptedKey->data,
- ktri->encryptedKey->length) <= 0) {
+ ktri->encryptedKey->length) <= 0
+|| eklen == 0
+|| (fixlen != 0 && eklen != fixlen)) {
 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
 goto err;
 }
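Review bot: folding the decrypt failure, the zero-length result and the length mismatch into one condition that reports the same CMS_R_CMS_LIB error is the right shape for this fix, since distinguishable errors would hand the attacker back the oracle the patch is closing; a short comment above the `if` saying that the length check exists to stop a forged RecipientInfo from replacing the real key when no certificate selects the recipient, and that it is bypassed under debug, would keep a later cleanup from splitting the branches again.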
diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h
index d0c0e81363..671fd801b4 100644
--- a/crypto/cms/cms_lcl.h
+++ b/crypto/cms/cms_lcl.h
@@ -129,6 +129,8 @@ struct CMS_EncryptedContentInfo_st {
 size_t keylen;
 /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
 int debug;
+/* Set to 1 if we have no cert and need extra safety measures for MMA */
+int havenocert;
 };
 
 struct CMS_RecipientInfo_st {
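Review bot: the new havenocert field is read in cms_RecipientInfo_ktri_decrypt, but the cms_smime.c hunk that presumably sets it is cut off in this message, so reviewers should confirm that every allocation path for CMS_EncryptedContentInfo_st leaves the field at 0 and that it is set to 1 exactly on the no-certificate path of CMS_decrypt_set1_pkey; an uninitialised value here would silently disable the new length check or enable it for callers that did supply a certificate.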
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 5dcf803f4b..3a26108b8c 100644
--- a/crypto/cms/cms_smime.c
+++ 

[openssl] OpenSSL_1_1_0-stable update

2019-09-11 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  f4764841dc100c7584c62c46b32ad11b7aa937c7 (commit)
  from  68dc4faeb395fb66448e310db6279e47dd879d23 (commit)


- Log -
commit f4764841dc100c7584c62c46b32ad11b7aa937c7
Author: Matt Caswell 
Date:   Tue Sep 10 13:59:11 2019 +0100

Update copyright year

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/9848)

---

Summary of changes:
 Configure | 2 +-
 README| 2 +-
 apps/req.c| 2 +-
 crypto/asn1/x_bignum.c| 2 +-
 crypto/bn/bn_rand.c   | 2 +-
 crypto/cms/cms_env.c  | 2 +-
 crypto/cms/cms_lcl.h  | 2 +-
 crypto/cms/cms_smime.c| 2 +-
 crypto/dh/dh_lib.c| 2 +-
 crypto/ec/ec_asn1.c   | 2 +-
 crypto/ec/ec_curve.c  | 2 +-
 crypto/ec/ec_lib.c| 2 +-
 crypto/pem/pvkfmt.c   | 2 +-
 crypto/pkcs7/pk7_doit.c   | 2 +-
 crypto/rsa/rsa_lib.c  | 2 +-
 crypto/x509/by_dir.c  | 2 +-
 crypto/x509/t_req.c   | 2 +-
 crypto/x509/x509_cmp.c| 2 +-
 include/internal/constant_time_locl.h | 2 +-
 include/openssl/opensslv.h| 2 +-
 include/openssl/x509.h| 2 +-
 test/recipes/30-test_evp_data/evppkey.txt | 2 +-
 22 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/Configure b/Configure
index cf5a8bec59..56e98f0b79 100755
--- a/Configure
+++ b/Configure
@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: perl; -*-
-# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
diff --git a/README b/README
index b3dc2c313e..f23492a120 100644
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
 
  OpenSSL 1.1.0l-dev
 
- Copyright (c) 1998-2018 The OpenSSL Project
+ Copyright (c) 1998-2019 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
diff --git a/apps/req.c b/apps/req.c
index 863c2873a7..442d398701 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c
index c1e3e523a0..6c93ea7510 100644
--- a/crypto/asn1/x_bignum.c
+++ b/crypto/asn1/x_bignum.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index bff1d249af..6b469aefb9 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index 269e97f3fa..6404f41c58 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h
index 671fd801b4..9c4f136956 100644
--- a/crypto/cms/cms_lcl.h
+++ b/crypto/cms/cms_lcl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 3a26108b8c..10815639f8 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 

[openssl] OpenSSL_1_1_0-stable update

2019-09-11 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  4eabf3d6541e83ae4443384ca3c4cf516930bfd8 (commit)
   via  7ea5bd2b52d0e81eaef3d109b3b12545306f201c (commit)
  from  f4764841dc100c7584c62c46b32ad11b7aa937c7 (commit)


- Log -
commit 4eabf3d6541e83ae4443384ca3c4cf516930bfd8
Author: Matt Caswell 
Date:   Tue Sep 10 14:17:46 2019 +0100

Prepare for 1.1.0m-dev

Reviewed-by: Richard Levitte 

commit 7ea5bd2b52d0e81eaef3d109b3b12545306f201c
Author: Matt Caswell 
Date:   Tue Sep 10 14:16:54 2019 +0100

Prepare for 1.1.0l release

Reviewed-by: Richard Levitte 

---

Summary of changes:
 CHANGES| 6 +-
 NEWS   | 6 +-
 README | 2 +-
 include/openssl/opensslv.h | 6 +++---
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4f3e51a0b0..58825db187 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,11 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
- Changes between 1.1.0k and 1.1.0l [xx XXX ]
+ Changes between 1.1.0l and 1.1.0m [xx XXX ]
+
+  *)
+
+ Changes between 1.1.0k and 1.1.0l [10 Sep 2019]
 
   *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
  used even when parsing explicit parameters, when loading a serialized key
diff --git a/NEWS b/NEWS
index 6218a9fc1b..3914bc3014 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [under development]
+  Major changes between OpenSSL 1.1.0l and OpenSSL 1.1.0m [under development]
+
+  o
+
+  Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [10 Sep 2019]
 
   o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
 (CVE-2019-1563)
diff --git a/README b/README
index f23492a120..9ef3cf9ed5 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.0l-dev
+ OpenSSL 1.1.0m-dev
 
  Copyright (c) 1998-2019 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 73f1ee3c97..bd577f8943 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,11 +39,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101000c0L
+# define OPENSSL_VERSION_NUMBER  0x101000d0L
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0l-fips-dev  xx XXX "
+#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0m-fips-dev  xx XXX "
 # else
-#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0l-dev  xx XXX "
+#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0m-dev  xx XXX "
 # endif
 
 /*-


[openssl] OpenSSL_1_1_0-stable update

2019-09-09 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  78617373f2af1b735e66501a799969248251c54b (commit)
  from  d4a5dac9f9242c580fb9d0a4389440eccd3494a7 (commit)


- Log -
commit 78617373f2af1b735e66501a799969248251c54b
Author: Bernd Edlinger 
Date:   Sat Sep 7 00:53:24 2019 +0200

Use BN_clear_free in DH_set0_key

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/9796)

(cherry picked from commit fa01370f7dc8f0a379483bbe74de11225857e5fe)

---

Summary of changes:
 crypto/dh/dh_lib.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index 2e727df897..cac831da0b 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -233,11 +233,11 @@ void DH_get0_key(const DH *dh, const BIGNUM **pub_key, 
const BIGNUM **priv_key)
 int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
 {
 if (pub_key != NULL) {
-BN_free(dh->pub_key);
+BN_clear_free(dh->pub_key);
 dh->pub_key = pub_key;
 }
 if (priv_key != NULL) {
-BN_free(dh->priv_key);
+BN_clear_free(dh->priv_key);
 dh->priv_key = priv_key;
 }
 


[openssl] OpenSSL_1_1_0-stable update

2019-09-09 Thread nic . tuv
The branch OpenSSL_1_1_0-stable has been updated
   via  d4a5dac9f9242c580fb9d0a4389440eccd3494a7 (commit)
  from  d374a61bb702a8ae13699dfbdcbd819c78095cd5 (commit)


- Log -
commit d4a5dac9f9242c580fb9d0a4389440eccd3494a7
Author: Nicola Tuveri 
Date:   Sat Sep 7 18:05:31 2019 +0300

[ec] Match built-in curves on EC_GROUP_new_from_ecparameters

Description
---

Upon `EC_GROUP_new_from_ecparameters()` check if the parameters match any
of the built-in curves. If that is the case, return a new
`EC_GROUP_new_by_curve_name()` object instead of the explicit parameters
`EC_GROUP`.

This affects all users of `EC_GROUP_new_from_ecparameters()`:
- direct calls to `EC_GROUP_new_from_ecparameters()`
- direct calls to `EC_GROUP_new_from_ecpkparameters()` with an explicit
  parameters argument
- ASN.1 parsing of explicit parameters keys (as it eventually
  ends up calling `EC_GROUP_new_from_ecpkparameters()`)

A parsed explicit parameter key will still be marked with the
`OPENSSL_EC_EXPLICIT_CURVE` ASN.1 flag on load, so, unless
programmatically forced otherwise, if the key is eventually serialized
the output will still be encoded with explicit parameters, even if
internally it is treated as a named curve `EC_GROUP`.

Before this change, creating any `EC_GROUP` object using
`EC_GROUP_new_from_ecparameters()`, yielded an object associated with
the default generic `EC_METHOD`, but this was never guaranteed in the
documentation.
After this commit, users of the library that intentionally want to
create an `EC_GROUP` object using a specific `EC_METHOD` can still
explicitly call `EC_GROUP_new(foo_method)` and then manually set the
curve parameters using `EC_GROUP_set_*()`.

Motivation
--

This has obvious performance benefits for the built-in curves with
specialized `EC_METHOD`s and subtle but important security benefits:
- the specialized methods have better security hardening than the
  generic implementations
- optional fields in the parameter encoding, like the `cofactor`, cannot
  be leveraged by an attacker to force execution of the less secure
  code-paths for single point scalar multiplication
- in general, this leads to reducing the attack surface

Check the manuscript at https://arxiv.org/abs/1909.01785 for an in depth
analysis of the issues related to this commit.

It should be noted that `libssl` does not allow negotiating explicit
parameters (as per RFC 8422), so it is not directly affected by the
consequences of using explicit parameters that this commit fixes.
On the other hand, we detected external applications and users in the
wild that use explicit parameters by default (and sometimes using 0 as
the cofactor value, which is technically not a valid value per the
specification, but is tolerated by parsers for wider compatibility given
that the field is optional).
These external users of `libcrypto` are exposed to these vulnerabilities
and their security will benefit from this commit.

Related commits
---

While this commit is beneficial for users using built-in curves and
explicit parameters encoding for serialized keys, commit
b783beeadf6b80bc431e6f3230b5d5585c87ef87 (and its equivalents for the
1.0.2, 1.1.0 and 1.1.1 stable branches) fixes the consequences of the
invalid cofactor values more in general also for other curves
(CVE-2019-1547).

The following list covers commits in `master` that are related to the
vulnerabilities presented in the manuscript motivating this commit:

- d2baf88c43 [crypto/rsa] Set the constant-time flag in multi-prime RSA too
- 311e903d84 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
- b783beeadf [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
- 724339ff44 Fix SCA vulnerability when using PVK and MSBLOB key formats

Note that the PRs that contributed the listed commits also include other
commits providing related testing and documentation, in addition to
links to PRs and commits backporting the fixes to the 1.0.2, 1.1.0 and
1.1.1 branches.

This commit includes a partial backport of
https://github.com/openssl/openssl/pull/8555
(commit 8402cd5f75f8c2f60d8bd39775b24b03dd8b3b38)
for which the main author is Shane Lontis.

Responsible Disclosure
--

This and the other issues presented in https://arxiv.org/abs/1909.01785
were reported by Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri,
Iaroslav Gridin, Alejandro Cabrera Aldaya and Billy Bob Brumley from the
NISEC group at Tampere University, FINLAND.

The OpenSSL Security Team evaluated 

[openssl] OpenSSL_1_1_0-stable update

2019-09-09 Thread matthias . st . pierre
The branch OpenSSL_1_1_0-stable has been updated
   via  d374a61bb702a8ae13699dfbdcbd819c78095cd5 (commit)
  from  c31be97c64ab61d44d80fccce4deff976d4f9bbb (commit)


- Log -
commit d374a61bb702a8ae13699dfbdcbd819c78095cd5
Author: Dr. Matthias St. Pierre 
Date:   Tue Jul 23 20:54:03 2019 +0200

Configure: clang: add -Wno-unknown-warning-option

Fixes travis build errors due to clang

error: unknown warning option '-Wno-extended-offsetof'

It seems like '-Wextended-offsetof' was removed from clang in version 6.0.0
(see [1], [2]). While gcc ignores unknown options of the type '-Wno-xxx',
clang by default issues a warning [-Wunknown-warning-option] (see [3]), which
together with '-Werror' causes the build to fail.

This commit adds the '-Wno-unknown-warning-option' option to make clang
behave more relaxed like gcc.

[1] https://reviews.llvm.org/D40267
[2] https://github.com/llvm/llvm-project/commit/52a3ca9e2909
[3] https://clang.llvm.org/docs/DiagnosticsReference.html#wunknown-warning-option

[extended tests]

Reviewed-by: Richard Levitte 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/9804)

---

Summary of changes:
 Configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Configure b/Configure
index a1ce65239e..cf5a8bec59 100755
--- a/Configure
+++ b/Configure
@@ -142,6 +142,7 @@ my $gcc_devteam_warn = "-DDEBUG_UNUSED"
 #   -Wunused-macros -- no, too tricky for BN and _XOPEN_SOURCE etc
 #   -Wextended-offsetof -- no, needed in CMS ASN1 code
 my $clang_devteam_warn = ""
+. " -Wno-unknown-warning-option"
 . " -Qunused-arguments"
 . " -Wno-language-extension-token"
 . " -Wno-extended-offsetof"
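Review bot: the comment block above the list documents why each suppressed warning is there (e.g. "-Wextended-offsetof -- no, needed in CMS ASN1 code"), but the new `-Wno-unknown-warning-option` line gets no such entry; add one saying it exists so that newer clang releases that have dropped an option do not turn the remaining `-Wno-*` flags into -Werror failures, otherwise the next person to tidy the list will not know it must stay first.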


[openssl] OpenSSL_1_1_0-stable update

2019-09-07 Thread nic . tuv
The branch OpenSSL_1_1_0-stable has been updated
   via  c31be97c64ab61d44d80fccce4deff976d4f9bbb (commit)
   via  7c1709c2da5414f5b6133d00a03fc8c5bf996c7a (commit)
  from  207a56437916a715bcf6e299c868c75a17ad8fc0 (commit)


- Log -
commit c31be97c64ab61d44d80fccce4deff976d4f9bbb
Author: Billy Brumley 
Date:   Fri Sep 6 20:11:32 2019 +0300

[test/recipes/30-test_evp_data] computing ECC cofactors: regression test

Reviewed-by: Nicola Tuveri 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9795)

commit 7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
Author: Billy Brumley 
Date:   Fri Sep 6 19:34:53 2019 +0300

[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it

The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.

This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.

This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.

It also affects curves not built-in to the library, but constructed
programmatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).

The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.

CVE-2019-1547

Reviewed-by: Nicola Tuveri 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9795)

---

Summary of changes:
 CHANGES   |   8 ++-
 crypto/ec/ec_err.c|   1 +
 crypto/ec/ec_lib.c| 103 --
 include/openssl/ec.h  |   1 +
 test/recipes/30-test_evp_data/evppkey.txt |  50 +++
 5 files changed, 155 insertions(+), 8 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2c89717497..1b6c1830e8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,13 @@
 
  Changes between 1.1.0k and 1.1.0l [xx XXX ]
 
+  *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
+ this change, EC_GROUP_set_generator would accept order and/or cofactor as
+ NULL. After this change, only the cofactor parameter can be NULL. It also
+ does some minimal sanity checks on the passed order.
+ (CVE-2019-1547)
+ [Billy Bob Brumley]
+
   *) Use Windows installation paths in the mingw builds
 
  Mingw isn't a POSIX environment per se, which means that Windows
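Review bot: the entry states that EC_GROUP_set_generator no longer accepts a NULL order and now sanity-checks the order it is given, which is an API tightening: callers that previously passed NULL and succeeded will now get a failure. That deserves an explicit "callers may now see EC_GROUP_set_generator fail" sentence here, and the summary of changes lists no doc/ file, so the EC_GROUP_set_generator man page should be updated in the same PR to describe the new behaviour for NULL or zero cofactor and the order checks.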
@@ -16,7 +23,6 @@
  (CVE-2019-1552)
  [Richard Levitte]
 
-
  Changes between 1.1.0j and 1.1.0k [28 May 2019]
 
   *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
index aeee2e8f4c..fe747d8cde 100644
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -273,6 +273,7 @@ static ERR_STRING_DATA EC_str_reasons[] = {
 {ERR_REASON(EC_R_SLOT_FULL), "slot full"},
 {ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"},
 {ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"},
+{ERR_REASON(EC_R_UNKNOWN_COFACTOR), "unknown cofactor"},
 {ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"},
 {ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"},
 {ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"},
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index a7be03b627..eaf44ccef9 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -257,6 +257,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
 return meth->field_type;
 }
 
+/*-
+ * Try computing cofactor from the generator order (n) and field cardinality 
(q).
+ * This works for all curves of cryptographic interest.
+ *
+ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
+ * h_min = (q + 1 - 2*sqrt(q))/n
+ * h_max = (q + 1 + 2*sqrt(q))/n
+ * h_max - h_min = 4*sqrt(q)/n
+ * So if n > 4*sqrt(q) holds, there is only one possible value for h:
+ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
+ *
+ * Otherwise, zero cofactor and return success.
+ */
+static int ec_guess_cofactor(EC_GROUP *group) {
+int ret = 0;
+BN_CTX *ctx = NULL;
+BIGNUM *q = NULL;
+
+/*-
+ * If the cofactor is too large, we cannot guess it.
+ * The RHS of below is a strict overestimate of lg(4 * sqrt(q))
+ */
+if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {
+/* default to 0 */
+

[openssl] OpenSSL_1_1_0-stable update

2019-09-07 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  f9d1cbe64eebc9e40c7e1f0da4f8f3d98b903b91 (commit)
  from  8bb913a3d7c29c189c7ac656c726f4a2bfcdd73b (commit)


- Log -
commit f9d1cbe64eebc9e40c7e1f0da4f8f3d98b903b91
Author: Bernd Edlinger 
Date:   Fri Sep 6 08:46:46 2019 +0200

Fix a SCA leak in BN_generate_dsa_nonce

Reviewed-by: Matt Caswell 
Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/9782)

(cherry picked from commit 31ca19403d56ad71d823cf62990518dfc6905bb4)

---

Summary of changes:
 crypto/bn/bn_rand.c | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 9ce4c5f606..bff1d249af 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -215,8 +215,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
 goto err;
 
 /* We copy |priv| into a local buffer to avoid exposing its length. */
-todo = sizeof(priv->d[0]) * priv->top;
-if (todo > sizeof(private_bytes)) {
+if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
 /*
  * No reasonable DSA or ECDSA key should have a private key this
  * large and we don't handle this case in order to avoid leaking the
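Review bot: BN_bn2binpad() writes |priv| as fixed-width big-endian bytes and returns an error only when it does not fit, which removes the length-dependent `todo` computation and the trailing memset the next hunk deletes; that is the SCA fix. Note, however, that the old memcpy copied priv->d, the native word array, so the bytes now fed into the nonce derivation have a different layout for the same key, and any stored test vectors for BN_generate_dsa_nonce generated by the old code will need regenerating. The existing comment under this `if` still reads correctly for the new condition.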
@@ -225,8 +224,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
 BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);
 goto err;
 }
-memcpy(private_bytes, priv->d, todo);
-memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
 
 for (done = 0; done < num_k_bytes;) {
 if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1)


[openssl] OpenSSL_1_1_0-stable update

2019-09-07 Thread nic . tuv
The branch OpenSSL_1_1_0-stable has been updated
   via  207a56437916a715bcf6e299c868c75a17ad8fc0 (commit)
   via  e6f559f9de74a0f861d7de2786c64b62fe4ea3ed (commit)
   via  212a75004207234fa677f73e71a1c42b541b009e (commit)
   via  84930232519ae6506101c65d4389619173b6cded (commit)
   via  f7546d64699dc6090d3a9359945cbe785404506e (commit)
  from  f9d1cbe64eebc9e40c7e1f0da4f8f3d98b903b91 (commit)


- Log -
commit 207a56437916a715bcf6e299c868c75a17ad8fc0
Author: Nicola Tuveri 
Date:   Fri Sep 6 14:05:26 2019 +0300

[ec/ecp_nistp*.c] restyle: use {} around `else` too

Reviewed-by: Matt Caswell 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit 4fe2ee3a449a8ca2886584e221f34ff0ef5de119)

commit e6f559f9de74a0f861d7de2786c64b62fe4ea3ed
Author: Nicola Tuveri 
Date:   Fri Sep 6 01:31:45 2019 +0300

[ec/ecp_nistp*.c] remove flip_endian()

Replace flip_endian() by using the little endian specific
BN_bn2lebinpad() and BN_lebin2bn().

Reviewed-by: Matt Caswell 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit e0b660c27d8d97b4ad9e2098cc957de26872c0ef)

commit 212a75004207234fa677f73e71a1c42b541b009e
Author: Nicola Tuveri 
Date:   Fri Sep 6 00:18:36 2019 +0300

Uniform BN_bn2binpad() and BN_bn2lebinpad() implementations

Reviewed-by: Matt Caswell 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit 1b338abe3abb8c73f004c34d4b8a9272b89dfd5d)

commit 84930232519ae6506101c65d4389619173b6cded
Author: Nicola Tuveri 
Date:   Fri Aug 2 02:08:34 2019 +0300

Make BN_num_bits() consttime upon BN_FLG_CONSTTIME

This issue was partially addressed by commit
972c87dfc7e765bd28a4964519c362f0d3a58ca4, which hardened its callee
BN_num_bits_word() to avoid leaking the most-significant word of its
argument via branching and memory access pattern.
The commit message also reported:
> There are a few places where BN_num_bits is called on an input where
> the bit length is also secret. This does *not* fully resolve those
> cases as we still only look at the top word.

BN_num_bits() is called directly or indirectly (e.g., through
BN_num_bytes() or BN_bn2binpad() ) in various parts of the `crypto/ec`
code, notably in all the currently supported implementations of scalar
multiplication (in the generic path through ec_scalar_mul_ladder() as
well as in dedicated methods like ecp_nistp{224,256,521}.c and
ecp_nistz256.c).

Under the right conditions, a motivated SCA attacker could retrieve the
secret bitlength of a secret nonce through this vulnerability,
potentially leading, ultimately, to the recovery of a long-term secret key.


With this commit, exclusively for BIGNUMs that are flagged with
BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of
the BIGNUM are accessed up to bn->dmax and bitwise masking is used to
avoid branching.

Memory access pattern still leaks bn->dmax, the size of the lazily
allocated buffer for representing the BIGNUM, which is inevitable with
the current BIGNUM architecture: reading past bn->dmax would be an
out-of-bound read.
As such, it's the caller's responsibility to ensure that bn->dmax does not
leak secret information, by explicitly expanding the internal BIGNUM
buffer to a public value sufficient to avoid any lazy reallocation
while manipulating it: this should be already done at the top level
alongside setting the BN_FLG_CONSTTIME.

Thanks to David Schrammel and Samuel Weiser for reporting this issue
through responsible disclosure.

Reviewed-by: Matt Caswell 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit 8b44198b916015f77bef1befa26edb48ad8a0238)

commit f7546d64699dc6090d3a9359945cbe785404506e
Author: Nicola Tuveri 
Date:   Fri Aug 2 01:33:05 2019 +0300

Fix a SCA leak using BN_bn2bin()

BN_bn2bin() is not constant-time and leaks the number of bits in the
processed BIGNUM.

The specialized methods in ecp_nistp224.c, ecp_nistp256.c and
ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the
internal fixed length representation.

This can leak during ECDSA/ECDH key generation or handling the nonce
while generating an ECDSA signature, when using these implementations.
The amount and risk of leaked information useful for a SCA attack
varies for each of the three curves, as it depends mainly on the
ratio between the bitlength of the curve subgroup order (governing the
size of the secret nonce/key) and the limb size for the 

[openssl] OpenSSL_1_1_0-stable update

2019-09-07 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  8bb913a3d7c29c189c7ac656c726f4a2bfcdd73b (commit)
  from  04882f77a8bb5df8bc9f3f9f82191f487d350be1 (commit)


- Log -
commit 8bb913a3d7c29c189c7ac656c726f4a2bfcdd73b
Author: Cesar Pereida Garcia 
Date:   Thu Sep 5 12:13:11 2019 +0300

[crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.

This commit addresses multiple side-channel vulnerabilities present
during RSA key validation.
Private key parameters are re-computed using variable-time functions.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Bernd Edlinger 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9779)

(cherry picked from commit 311e903d8468e2a380d371609a10eda71de16c0e)

---

Summary of changes:
 crypto/asn1/x_bignum.c | 17 ++---
 crypto/rsa/rsa_lib.c   |  6 ++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c
index da57e77a7a..c1e3e523a0 100644
--- a/crypto/asn1/x_bignum.c
+++ b/crypto/asn1/x_bignum.c
@@ -130,9 +130,20 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char 
*cont, int len,
 static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
  int utype, char *free_cont, const ASN1_ITEM *it)
 {
-if (!*pval)
-bn_secure_new(pval, it);
-return bn_c2i(pval, cont, len, utype, free_cont, it);
+int ret;
+BIGNUM *bn;
+
+if (!*pval && !bn_secure_new(pval, it))
+return 0;
+
+ret = bn_c2i(pval, cont, len, utype, free_cont, it);
+if (!ret)
+return 0;
+
+/* Set constant-time flag for all secure BIGNUMS */
+bn = (BIGNUM *)*pval;
+BN_set_flags(bn, BN_FLG_CONSTTIME);
+return ret;
 }
 
 static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
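Review bot: when bn_secure_new() fails the function now returns 0 without pushing an error; unless bn_secure_new() reports ERR_R_MALLOC_FAILURE itself, add an ASN1err() here so the caller's error queue is not empty. Since `ret` is only ever returned on the nonzero path, `return ret;` is just `return 1;`, and the `int ret` could go entirely with `if (!bn_c2i(pval, cont, len, utype, free_cont, it)) return 0;`. The flag placement is correct: setting BN_FLG_CONSTTIME after bn_c2i() succeeds puts it on the BIGNUM actually stored in *pval, so every secure (private) integer decoded from ASN.1 takes the constant-time paths in later arithmetic.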
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index d99d04916d..4a1250127c 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -184,6 +184,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
 if (d != NULL) {
 BN_free(r->d);
 r->d = d;
+BN_set_flags(r->d, BN_FLG_CONSTTIME);
 }
 
 return 1;
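Review bot: flagging only `d` here is right (n and e are public), but BN_set_flags() mutates a BIGNUM the caller handed in; since the set0 functions take ownership that is acceptable, and the RSA_set0_key(3) manual page should state that private components are marked constant-time on entry. Note that the flag is not inherited by results of BN arithmetic, so anything later derived from `d` must be flagged separately.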
@@ -201,10 +202,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
 if (p != NULL) {
 BN_free(r->p);
 r->p = p;
+BN_set_flags(r->p, BN_FLG_CONSTTIME);
 }
 if (q != NULL) {
 BN_free(r->q);
 r->q = q;
+BN_set_flags(r->q, BN_FLG_CONSTTIME);
 }
 
 return 1;
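Review bot: p and q are flagged consistently with d above. Since the commit message says key validation recomputes parameters from these factors, the flag is what moves those computations to constant-time code, but only in BN functions that actually inspect BN_FLG_CONSTTIME (BN_mod_exp, BN_mod_inverse, BN_div and friends); the validation code should be audited for any plain BN_* calls that ignore the flag.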
@@ -223,14 +226,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM 
*dmq1, BIGNUM *iqmp)
 if (dmp1 != NULL) {
 BN_free(r->dmp1);
 r->dmp1 = dmp1;
+BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
 }
 if (dmq1 != NULL) {
 BN_free(r->dmq1);
 r->dmq1 = dmq1;
+BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
 }
 if (iqmp != NULL) {
 BN_free(r->iqmp);
 r->iqmp = iqmp;
+BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
 }
 
 return 1;
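Review bot: the `BN_free(r->x); r->x = x; BN_set_flags(r->x, BN_FLG_CONSTTIME);` sequence is now repeated six times in this file; a small static helper would keep any future private component from missing the flag. dmp1, dmq1 and iqmp are exactly the values recomputed during validation, so flagging them covers the set0 path, but callers that compute them themselves with BN_mod_inverse() obtain unflagged results and must flag them before calling this function or after.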


[openssl] OpenSSL_1_1_0-stable update

2019-08-28 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  04882f77a8bb5df8bc9f3f9f82191f487d350be1 (commit)
  from  b14c6d9af475858c60f3d04abe7d87bd9f71d578 (commit)


- Log -
commit 04882f77a8bb5df8bc9f3f9f82191f487d350be1
Author: Cesar Pereida Garcia 
Date:   Wed Aug 14 10:17:06 2019 +0300

Fix SCA vulnerability when using PVK and MSBLOB key formats

This commit addresses a side-channel vulnerability present when
PVK and MSBLOB key formats are loaded into OpenSSL.
The public key was not computed using a constant-time exponentiation
function.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Nicola Tuveri 
Reviewed-by: Bernd Edlinger 
Reviewed-by: Paul Dale 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9587)

(cherry picked from commit 724339ff44235149c4e8ddae614e1dda6863e23e)

---

Summary of changes:
 crypto/pem/pvkfmt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 96a82eb520..22e56d953d 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -274,6 +274,9 @@ static EVP_PKEY *b2i_dss(const unsigned char **in,
 if (!read_lebn(, 20, _key))
 goto memerr;
 
+/* Set constant time flag before public key calculation */
+BN_set_flags(priv_key, BN_FLG_CONSTTIME);
+
 /* Calculate public key */
 pub_key = BN_new();
 if (pub_key == NULL)
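Review bot: setting BN_FLG_CONSTTIME on priv_key before the public-key computation is the right spot, because BN_mod_exp() selects its constant-time Montgomery path by inspecting the flag on the exponent; the flag also stays on priv_key once it is stored in the DSA key, so later signing benefits as well. Two things the hunk does not show and that should be confirmed: that the error path after this point still frees priv_key, and that the RSA blob path in this file computes nothing from the private exponent, since the diffstat shows these three inserted lines are the only change.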


[openssl] OpenSSL_1_1_0-stable update

2019-08-17 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  b14c6d9af475858c60f3d04abe7d87bd9f71d578 (commit)
  from  b15a19c148384e73338aa7c5b12652138e35ed28 (commit)


- Log -
commit b14c6d9af475858c60f3d04abe7d87bd9f71d578
Author: Bernd Edlinger 
Date:   Fri Aug 16 15:18:51 2019 +0200

Fix error handling in X509_chain_up_ref

Reviewed-by: Kurt Roeckx 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/9614)

(cherry picked from commit cae665dfa6ccec743a7f39cf80676d7d2d787e56)

---

Summary of changes:
 crypto/x509/x509_cmp.c | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 49b0368dfc..4e74a74a51 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -451,9 +451,17 @@ STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain)
 STACK_OF(X509) *ret;
 int i;
 ret = sk_X509_dup(chain);
+if (ret == NULL)
+return NULL;
 for (i = 0; i < sk_X509_num(ret); i++) {
 X509 *x = sk_X509_value(ret, i);
-X509_up_ref(x);
+if (!X509_up_ref(x))
+goto err;
 }
 return ret;
+ err:
+while (i-- > 0)
+X509_free (sk_X509_value(ret, i));
+sk_X509_free(ret);
+return NULL;
 }
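Review bot: style nit at `X509_free (sk_X509_value(ret, i));`: no space before the parenthesis, matching the rest of the file. The unwind itself is correct: `while (i-- > 0)` drops exactly the references taken for elements 0..i-1, and sk_X509_free() (not pop_free) then discards the duplicated stack without touching the element whose X509_up_ref() failed. Neither failure path pushes an error; consider an X509err(..., ERR_R_MALLOC_FAILURE) after the sk_X509_dup() NULL check so callers can tell why they received NULL.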


[openssl] OpenSSL_1_1_0-stable update

2019-07-30 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  b15a19c148384e73338aa7c5b12652138e35ed28 (commit)
  from  e32bc855a81a2d48d215c506bdeb4f598045f7e9 (commit)


- Log -
commit b15a19c148384e73338aa7c5b12652138e35ed28
Author: Richard Levitte 
Date:   Sat Jul 27 08:40:46 2019 +0200

Makefile.shared: fix to allow strings and spaces in passed variables

With the previous change for mingw, which now defaults to OPENSSLDIR and
ENGINESDIR definitions that include a space, a long-standing issue was
revealed again: our builds for Unix-like environments were never very
tolerant of spaces in these definitions, because the quotes were
interpreted along the way.

New analysis of Makefile.shared showed that our use of quotes in there
wasn't quite right.  A lot of double quotes could safely be replaced
with single quotes, thus protecting the diverse values we pass down to
this build file (remember that make variables are expanded before
passing the command to the shell, unconditionally), reserving double
quotes to the places where absolutely needed (to protect the expansion
of shell variables to commands).

CVE-2019-1552

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9469)

---

Summary of changes:
 Makefile.shared | 116 
 1 file changed, 58 insertions(+), 58 deletions(-)

diff --git a/Makefile.shared b/Makefile.shared
index 4f9550aaf1..f7d2ffccc3 100644
--- a/Makefile.shared
+++ b/Makefile.shared
@@ -98,20 +98,20 @@ top:
 
 LINK_APP=  \
   ( $(SET_X);   \
-LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
-LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS) $(LDFLAGS)}"; \
+LIBDEPS=$${LIBDEPS:-'$(LIBDEPS)'}; \
+LDCMD=$${LDCMD:-'$(CC)'}; LDFLAGS=$${LDFLAGS:-'$(CFLAGS) $(LDFLAGS)'}; \
 LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d 
| uniq`; \
 LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
 echo LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
 $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) 
$${LIBDEPS}; \
 LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
+eval "$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) 
$${LIBDEPS}" )
 
 LINK_SO=   \
   ( $(SET_X);   \
-LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
-SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \
-SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
+LIBDEPS=$${LIBDEPS:-'$(LIBDEPS)'}; \
+SHAREDCMD=$${SHAREDCMD:-'$(CC)'}; \
+SHAREDFLAGS=$${SHAREDFLAGS:-'$(CFLAGS) $(SHARED_LDFLAGS)'}; \
 LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d 
| uniq`; \
 LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
 echo LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
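Review bot: the `eval` on the final link command is what makes the single-quoted defaults work: the quotes inside `'$(LIBDEPS)'` survive make expansion and are only consumed when the shell re-parses the string. The cost is that LIBDEPS, LDFLAGS and OBJECTS are now subject to a second round of shell parsing (word splitting, `$(...)`, backticks), so these values must stay free of unescaped shell metacharacters, and a value that itself contains a single quote will still break. The preceding `echo` line is not eval'd, so the command shown in the build log is the pre-eval string rather than what actually runs; acceptable, but worth a comment for anyone diffing logs.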
@@ -119,23 +119,23 @@ LINK_SO=  \
 -o $(SHLIBNAME_FULL) \
 $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS; \
 LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-$${SHAREDCMD} $${SHAREDFLAGS} \
+eval "$${SHAREDCMD} $${SHAREDFLAGS} \
-o $(SHLIBNAME_FULL) \
-   $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
+   $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS" \
   ) && $(SYMLINK_SO)
 
 SYMLINK_SO=\
if [ -n "$$INHIBIT_SYMLINKS" ]; then :; else \
-   if [ -n "$(SHLIBNAME_FULL)" -a -n "$(SHLIBNAME)" -a \
-"$(SHLIBNAME_FULL)" != "$(SHLIBNAME)" ]; then \
+   if [ -n '$(SHLIBNAME_FULL)' -a -n '$(SHLIBNAME)' -a \
+'$(SHLIBNAME_FULL)' != '$(SHLIBNAME)' ]; then \
( $(SET_X); \
  rm -f $(SHLIBNAME); \
  ln -s $(SHLIBNAME_FULL) $(SHLIBNAME) ); \
fi; \
fi
 
-LINK_SO_SHLIB= SHOBJECTS="$(STLIBNAME) $(LIBEXTRAS)"; $(LINK_SO)
-LINK_SO_DSO=   INHIBIT_SYMLINKS=yes; SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)
+LINK_SO_SHLIB= SHOBJECTS='$(STLIBNAME) $(LIBEXTRAS)'; $(LINK_SO)
+LINK_SO_DSO=   INHIBIT_SYMLINKS=yes; SHOBJECTS='$(LIBEXTRAS)'; $(LINK_SO)
 
 LINK_SO_SHLIB_VIA_O=   \
   SHOBJECTS=$(STLIBNAME).o; \
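Review bot: same eval pattern as LINK_APP, with the same double-parsing caveat. In SYMLINK_SO the `[ -n '$(SHLIBNAME_FULL)' -a -n '$(SHLIBNAME)' -a ... ]` test now tolerates spaces in the names, but `rm -f $(SHLIBNAME)` and `ln -s $(SHLIBNAME_FULL) $(SHLIBNAME)` two lines below are still unquoted, so a space in either name would still split there; quote those the same way for consistency.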
@@ -147,21 +147,21 @@ LINK_SO_SHLIB_VIA_O=  \
 LINK_SO_SHLIB_UNPACKED=\
   UNPACKDIR=link_tmp.; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \
   (cd $$UNPACKDIR; ar x ../$(STLIBNAME)) && \
-  ([ -z "$(LIBEXTRAS)" ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \
+  ([ -z '$(LIBEXTRAS)' ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \
   SHOBJECTS=$$UNPACKDIR/*.o; \
   $(LINK_SO) && rm -rf $$UNPACKDIR
 
 DETECT_GNU_LD=($(CC) -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
 
 DO_GNU_SO_COMMON=\
-   SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic 
-Wl,-soname=$(SHLIBNAME_FULL)"
+  

[openssl] OpenSSL_1_1_0-stable update

2019-07-25 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  e32bc855a81a2d48d215c506bdeb4f598045f7e9 (commit)
  from  92a2f01ea40ec52f8f77893ff433dc47c1f5b9ef (commit)


- Log -
commit e32bc855a81a2d48d215c506bdeb4f598045f7e9
Author: Richard Levitte 
Date:   Sat Jul 6 09:38:59 2019 +0200

Fix default installation paths on mingw

Mingw config targets assumed that resulting programs and libraries are
installed in a Unix-like environment and the default installation
prefix was therefore set to '/usr/local'.

However, mingw programs are installed in a Windows environment, and
the installation directories should therefore have Windows defaults,
i.e. the same kind of defaults as the VC config targets.

A difficulty is, however, that a "cross compiled" build can't figure
out the system defaults from the environment the same way it's done when
building "natively", so we have to fall back to hard coded defaults in
that case.

Tests can still be performed when cross compiled on a non-Windows
platform, since all tests only depend on the source and build
directory, and otherwise rely on normal local paths.

CVE-2019-1552

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9460)

---

Summary of changes:
 CHANGES   |  8 +++-
 Configurations/10-main.conf   |  2 +
 Configurations/unix-Makefile.tmpl | 96 +++
 NOTES.WIN | 15 ++
 4 files changed, 120 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index cb82dba..2c89717 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,13 @@
 
  Changes between 1.1.0k and 1.1.0l [xx XXX ]
 
-  *)
+  *) Use Windows installation paths in the mingw builds
+
+ Mingw isn't a POSIX environment per se, which means that Windows
+ paths should be used for installation.
+ (CVE-2019-1552)
+ [Richard Levitte]
+
 
  Changes between 1.1.0j and 1.1.0k [28 May 2019]
 
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 6c05c28..b141be5 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -1444,6 +1444,7 @@ sub vms_info {
 shared_extension => ".dll",
 multilib => "",
 apps_aux_src => add("win32_init.c"),
+build_scheme => add("mingw", { separator => undef }),
 },
 "mingw64" => {
 # As for OPENSSL_USE_APPLINK. Applink makes it possible to use
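Review bot: `build_scheme => add("mingw", { separator => undef })` appends a third element so the template can tell mingw from mingw64 through `$target{build_scheme}->[2]`; that positional coupling is fragile, since any later addition to build_scheme shifts the index. A dedicated, named target attribute read by name in the template would express the 32/64-bit distinction more robustly than overloading build_scheme.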
@@ -1473,6 +1474,7 @@ sub vms_info {
 shared_extension => ".dll",
 multilib => "64",
 apps_aux_src => add("win32_init.c"),
+build_scheme => add("mingw64", { separator => undef }),
 },
 
  UEFI
diff --git a/Configurations/unix-Makefile.tmpl 
b/Configurations/unix-Makefile.tmpl
index af84bd4..d7754f0 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -13,6 +13,28 @@
  our $shlibextimport = $target{shared_import_extension} || "";
  our $dsoext = $target{dso_extension} || ".so";
 
+ # $mingw_installroot and $mingw_commonroot is relevant for mingw only.
+ my $mingw_installenv =
+ $target{build_scheme}->[2] eq "mingw"
+ ? "ProgramFiles(x86)" : "ProgramW6432";
+ my $mingw_commonenv =
+ $target{build_scheme}->[2] eq "mingw"
+ ? "CommonProgramFiles(x86)" : "CommonProgramW6432";
+ our $mingw_installroot =
+ defined($ENV{$mingw_installenv})
+ ? $mingw_installenv : 'ProgramFiles';
+ our $mingw_commonroot =
+ defined($ENV{$mingw_commonenv})
+ ? $mingw_commonenv : 'CommonProgramFiles';
+ my $mingw_installdflt =
+ defined($ENV{$mingw_installenv})
+  ? "C:/Program Files (x86)" : "C:/Program Files";
+ my $mingw_commondflt = "$mingw_installdflt/Common Files";
+
+ # expand variables early
+ $mingw_installroot = $ENV{$mingw_installroot} // $mingw_installdflt;
+ $mingw_commonroot = $ENV{$mingw_commonroot} // $mingw_commondflt;
+
  sub windowsdll { $config{target} =~ /^(?:Cygwin|mingw)/ }
 
  our $sover = $config{target} =~ /^mingw/
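Review bot: `$mingw_installdflt` is chosen by `defined($ENV{$mingw_installenv})`, but it is only ever consulted when that same variable is undefined (`$ENV{$mingw_installroot} // $mingw_installdflt`), so the "C:/Program Files (x86)" branch is dead and the cross-compile fallback is always "C:/Program Files", including for 32-bit mingw where the (x86) directory would be the correct default. Deciding the default on `$target{build_scheme}->[2] eq "mingw"` instead matches the intent. Grammar nit in the comment: "$mingw_installroot and $mingw_commonroot are relevant".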
@@ -121,6 +143,7 @@ APPS_OPENSSL={- use File::Spec::Functions;
 # Normally it is left empty.
 DESTDIR=
 
+{- output_off() if $config{target} =~ /^mingw/; "" -}
 # Do not edit these manually. Use Configure with --prefix or --openssldir
 # to change this!  Short explanation in the top comment in Configure
 INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
@@ -159,6 +182,79 @@ ENGINESDIR={- use File::Spec::Functions;
 # Convenience variable for those who want to set the rpath in shared
 # libraries and applications
 LIBRPATH=$(INSTALLTOP)/$(LIBDIR)
+{- output_on() if $config{target} =~ /^mingw/;
+   output_off() if $config{target} !~ /^mingw/;
+ 

[openssl] OpenSSL_1_1_0-stable update

2019-07-21 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  92a2f01ea40ec52f8f77893ff433dc47c1f5b9ef (commit)
  from  69ae4153af5a6e62369611b694748c846a461d02 (commit)


- Log -
commit 92a2f01ea40ec52f8f77893ff433dc47c1f5b9ef
Author: Bernd Edlinger 
Date:   Fri Jun 21 21:26:19 2019 +0200

Add value_barriers in constant time select functions

The barriers prevent the compiler from narrowing down the
possible value range of the mask and ~mask in the select
statements, which avoids the recognition of the select
and turning it into a conditional load or branch.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/9418)

---

Summary of changes:
 include/internal/constant_time_locl.h | 20 +++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/include/internal/constant_time_locl.h 
b/include/internal/constant_time_locl.h
index 18d2f56..b702675 100644
--- a/include/internal/constant_time_locl.h
+++ b/include/internal/constant_time_locl.h
@@ -158,11 +158,29 @@ static ossl_inline unsigned char 
constant_time_eq_int_8(int a, int b)
 return constant_time_eq_8((unsigned)(a), (unsigned)(b));
 }
 
+/*
+ * Returns the value unmodified, but avoids optimizations.
+ * The barriers prevent the compiler from narrowing down the
+ * possible value range of the mask and ~mask in the select
+ * statements, which avoids the recognition of the select
+ * and turning it into a conditional load or branch.
+ */
+static ossl_inline unsigned int value_barrier(unsigned int a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+unsigned int r;
+__asm__("" : "=r"(r) : "0"(a));
+#else
+volatile unsigned int r = a;
+#endif
+return r;
+}
+
 static ossl_inline unsigned int constant_time_select(unsigned int mask,
  unsigned int a,
  unsigned int b)
 {
-return (mask & a) | (~mask & b);
+return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
 }
 
 static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
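Review bot: the empty `__asm__("" : "=r"(r) : "0"(a))` emits no instructions, it only makes the compiler forget what it knows about `a`, so gating it on `!defined(OPENSSL_NO_ASM)` is unnecessarily conservative: no-asm builds fall back to the `volatile` store/reload, which forces a memory round trip on every select. Gating on `defined(__GNUC__)` alone would give the cheaper barrier to more builds. The header comment also repeats the commit message verbatim; a one-line "opaque identity function that stops the optimizer from turning mask arithmetic into a branch" reads better in a header. Finally, the barrier is `unsigned int`, so it covers constant_time_select_8 and the _int variant only if they route through constant_time_select(); any variant that masks a wider type directly needs its own barrier.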


[openssl] OpenSSL_1_1_0-stable update

2019-07-14 Thread shane . lontis
The branch OpenSSL_1_1_0-stable has been updated
   via  69ae4153af5a6e62369611b694748c846a461d02 (commit)
  from  04151456b9d896a7825a5ac77c0310c97fa5f650 (commit)


- Log -
commit 69ae4153af5a6e62369611b694748c846a461d02
Author: Krists Krilovs 
Date:   Mon Jul 8 13:43:09 2019 -0700

Fix wrong lock claimed in x509 dir lookup.

x509 store's objects cache can get corrupted when using the dir lookup
method in a multithreaded application. Claim x509 store's lock when
accessing the objects cache.

CLA: trivial

Reviewed-by: Richard Levitte 
Reviewed-by: Tomas Mraz 
Reviewed-by: Bernd Edlinger 
Reviewed-by: Paul Dale 
Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/9326)

---

Summary of changes:
 crypto/x509/by_dir.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 4fa1dd3..c3ab362 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -322,13 +322,13 @@ static int get_cert_by_subject(X509_LOOKUP *xl, 
X509_LOOKUP_TYPE type,
 /*
  * we have added it to the cache so now pull it out again
  */
-CRYPTO_THREAD_write_lock(ctx->lock);
+X509_STORE_lock(xl->store_ctx);
 j = sk_X509_OBJECT_find(xl->store_ctx->objs, );
 if (j != -1)
 tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
 else
 tmp = NULL;
-CRYPTO_THREAD_unlock(ctx->lock);
+X509_STORE_unlock(xl->store_ctx);
 
 /* If a CRL, update the last file suffix added for this */
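Review bot: the lookup's own `ctx->lock` never protected `xl->store_ctx->objs`, which belongs to the X509_STORE and is modified by other lookups and by X509_STORE_add_cert() under the store's lock, so the find/value pair here raced against writers; X509_STORE_lock(xl->store_ctx) is the right lock. Please confirm that the earlier insertion into the cache in this function (outside the hunk) also goes through the store lock, and that `ctx->lock` still guards the per-lookup directory state it was meant for, otherwise it is now dead.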
 


[openssl] OpenSSL_1_1_0-stable update

2019-07-08 Thread Dr . Paul Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  04151456b9d896a7825a5ac77c0310c97fa5f650 (commit)
  from  d9b6a51e926bfd1f86eac9de5dcbc28541fcf99f (commit)


- Log -
commit 04151456b9d896a7825a5ac77c0310c97fa5f650
Author: Pauli 
Date:   Mon Jul 8 13:39:20 2019 +1000

Avoid NULL pointer dereference.

[manual merge from #9059 to 1.1.0]

Fixes: #9043

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/9322)

---

Summary of changes:
 apps/req.c | 14 --
 crypto/x509/t_req.c|  4 
 crypto/x509/x509_err.c |  3 ++-
 include/openssl/x509.h |  1 +
 4 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/apps/req.c b/apps/req.c
index a20e7c1..863c287 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -743,9 +743,19 @@ int req_main(int argc, char **argv)
 
 if (text) {
 if (x509)
-X509_print_ex(out, x509ss, nmflag, reqflag);
+ret = X509_print_ex(out, x509ss, nmflag, reqflag);
 else
-X509_REQ_print_ex(out, req, nmflag, reqflag);
+ret = X509_REQ_print_ex(out, req, nmflag, reqflag);
+
+if (ret == 0) {
+if (x509)
+BIO_printf(bio_err, "Error printing certificate\n");
+else
+BIO_printf(bio_err, "Error printing certificate request\n");
+
+ERR_print_errors(bio_err);
+goto end;
+}
 }
 
 if (subject) {
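Review bot: `ret` here receives X509_print_ex()'s 1-on-success value, whereas req_main's `ret` is the process exit status with 0 meaning success; the error branch jumps to `end` with `ret == 0`, so unless `end:` overrides it the command prints "Error printing certificate" and then exits 0. Use a local `int ok` for the print result, or set `ret = 1;` before `goto end;`. Minor: if `end:` also dumps the error queue on failure, ERR_print_errors(bio_err) will run twice.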
diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c
index 77ce810..3207dfa 100644
--- a/crypto/x509/t_req.c
+++ b/crypto/x509/t_req.c
@@ -125,6 +125,10 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long 
nmflags,
 if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) {
 ii = 0;
 count = X509_ATTRIBUTE_count(a);
+if (count == 0) {
+X509err(X509_F_X509_REQ_PRINT_EX, 
X509_R_INVALID_ATTRIBUTES);
+return 0;
+}
  get_next:
 at = X509_ATTRIBUTE_get0_type(a, ii);
 type = at->type;
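Review bot: an attribute with zero values is malformed (X.501 requires at least one), and without this check X509_ATTRIBUTE_get0_type(a, 0) returns NULL and `at->type` dereferences it, which is the NULL pointer dereference in the title; returning 0 with X509_R_INVALID_ATTRIBUTES is the right response. A direct `if (at == NULL)` test after get0_type would be a cheaper and more general guard than counting first, since it also covers any other way of obtaining a NULL attribute type.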
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index 9f91188..e1a3364 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -97,6 +97,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
 {ERR_REASON(X509_R_CRL_ALREADY_DELTA), "crl already delta"},
 {ERR_REASON(X509_R_CRL_VERIFY_FAILURE), "crl verify failure"},
 {ERR_REASON(X509_R_IDP_MISMATCH), "idp mismatch"},
+{ERR_REASON(X509_R_INVALID_ATTRIBUTES), "invalid attributes"},
 {ERR_REASON(X509_R_INVALID_DIRECTORY), "invalid directory"},
 {ERR_REASON(X509_R_INVALID_FIELD_NAME), "invalid field name"},
 {ERR_REASON(X509_R_INVALID_TRUST), "invalid trust"},
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 780386d..75b39d1 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -1092,6 +1092,7 @@ int ERR_load_X509_strings(void);
 # define X509_R_CRL_ALREADY_DELTA 127
 # define X509_R_CRL_VERIFY_FAILURE131
 # define X509_R_IDP_MISMATCH  128
+# define X509_R_INVALID_ATTRIBUTES135
 # define X509_R_INVALID_DIRECTORY 113
 # define X509_R_INVALID_FIELD_NAME119
 # define X509_R_INVALID_TRUST 123


[openssl] OpenSSL_1_1_0-stable update

2019-05-28 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  d9b6a51e926bfd1f86eac9de5dcbc28541fcf99f (commit)
   via  fb83aaf6a163438149570b344c6c75a6aa977ae9 (commit)
  from  d742232027b92a18cfb71795211a5e660e1b9bbc (commit)


- Log -
commit d9b6a51e926bfd1f86eac9de5dcbc28541fcf99f
Author: Richard Levitte 
Date:   Tue May 28 14:59:22 2019 +0200

Prepare for 1.1.0l-dev

Reviewed-by: Matt Caswell 

commit fb83aaf6a163438149570b344c6c75a6aa977ae9
Author: Richard Levitte 
Date:   Tue May 28 14:59:16 2019 +0200

Prepare for 1.1.0k release

Reviewed-by: Matt Caswell 

---

Summary of changes:
 CHANGES| 6 +-
 NEWS   | 6 +-
 README | 2 +-
 include/openssl/opensslv.h | 6 +++---
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index fb7d918..cb82dba 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,11 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
- Changes between 1.1.0j and 1.1.0k [xx XXX ]
+ Changes between 1.1.0k and 1.1.0l [xx XXX ]
+
+  *)
+
+ Changes between 1.1.0j and 1.1.0k [28 May 2019]
 
   *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
  This changes the size when using the genpkey app when no size is given. It
diff --git a/NEWS b/NEWS
index cf03be9..a270905 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [under development]
+  Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [under development]
+
+  o
+
+  Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [28 May 2019]
 
   o Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
 
diff --git a/README b/README
index 51828a7..b3dc2c3 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.0k-dev
+ OpenSSL 1.1.0l-dev
 
  Copyright (c) 1998-2018 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 0e2992e..94cb908 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,11 +39,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101000b0L
+# define OPENSSL_VERSION_NUMBER  0x101000c0L
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0k-fips-dev  xx XXX "
+#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0l-fips-dev  xx XXX "
 # else
-#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0k-dev  xx XXX "
+#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0l-dev  xx XXX "
 # endif
 
 /*-


[openssl] OpenSSL_1_1_0-stable update

2019-05-28 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  d742232027b92a18cfb71795211a5e660e1b9bbc (commit)
  from  6db453c2ca261f663cecd1f05e388513cbcf6309 (commit)


- Log -
commit d742232027b92a18cfb71795211a5e660e1b9bbc
Author: Richard Levitte 
Date:   Tue May 28 14:47:54 2019 +0200

Update copyright year

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9033)

---

Summary of changes:
 apps/speed.c  | 2 +-
 crypto/bio/bss_file.c | 2 +-
 crypto/bn/bn_lib.c| 2 +-
 crypto/dh/dh_pmeth.c  | 2 +-
 crypto/dsa/dsa_pmeth.c| 2 +-
 crypto/ec/ec2_oct.c   | 2 +-
 crypto/ec/ec_mult.c   | 2 +-
 crypto/ec/ecdh_ossl.c | 2 +-
 crypto/engine/eng_cryptodev.c | 2 +-
 crypto/err/err.c  | 2 +-
 crypto/evp/e_chacha20_poly1305.c  | 2 +-
 crypto/rsa/rsa_ossl.c | 2 +-
 crypto/rsa/rsa_pmeth.c| 2 +-
 crypto/x509/x_pubkey.c| 2 +-
 doc/apps/genpkey.pod  | 2 +-
 doc/ssl/SSL_get_error.pod | 2 +-
 doc/ssl/SSL_shutdown.pod  | 2 +-
 include/openssl/err.h | 2 +-
 ssl/record/rec_layer_d1.c | 2 +-
 ssl/record/rec_layer_s3.c | 2 +-
 ssl/s3_msg.c  | 2 +-
 ssl/statem/statem.c   | 2 +-
 test/recipes/30-test_evp_data/evpciph.txt | 2 +-
 23 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/apps/speed.c b/apps/speed.c
index 4595cc6..90f04b5 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c
index 0240a0d..09bde01 100644
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 9885b0c..de46d0f 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 4b9e981..6c1a325 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index f5ba5fd..f0b7ea5 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c
index 2b411e2..a1f47c3 100644
--- a/crypto/ec/ec2_oct.c
+++ b/crypto/ec/ec2_oct.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 47c0fc0..b96c404 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git 

[openssl] OpenSSL_1_1_0-stable update

2019-05-27 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  6db453c2ca261f663cecd1f05e388513cbcf6309 (commit)
  from  ccbf148e30c5cb5f595c5d9e713c68768fe84248 (commit)


- Log -
commit 6db453c2ca261f663cecd1f05e388513cbcf6309
Author: Richard Levitte 
Date:   Mon May 27 21:34:05 2019 +0200

Add CHANGES and NEWS for 1.1.0k

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9018)

---

Summary of changes:
 CHANGES | 31 +++
 NEWS|  2 +-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index de7a8a7..fb7d918 100644
--- a/CHANGES
+++ b/CHANGES
@@ -15,6 +15,37 @@
  generation apps to use 2048 bits by default.
  [Kurt Roeckx]
 
+  *) Prevent over long nonces in ChaCha20-Poly1305.
+
+ ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
+ for every encryption operation. RFC 7539 specifies that the nonce value
+ (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
+ and front pads the nonce with 0 bytes if it is less than 12
+ bytes. However it also incorrectly allows a nonce to be set of up to 16
+ bytes. In this case only the last 12 bytes are significant and any
+ additional leading bytes are ignored.
+
+ It is a requirement of using this cipher that nonce values are
+ unique. Messages encrypted using a reused nonce value are susceptible to
+ serious confidentiality and integrity attacks. If an application changes
+ the default nonce length to be longer than 12 bytes and then makes a
+ change to the leading bytes of the nonce expecting the new value to be a
+ new unique nonce then such an application could inadvertently encrypt
+ messages with a reused nonce.
+
+ Additionally the ignored bytes in a long nonce are not covered by the
+ integrity guarantee of this cipher. Any application that relies on the
+ integrity of these ignored leading bytes of a long nonce may be further
+ affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
+ is safe because no such use sets such a long nonce value. However user
+ applications that use this cipher directly and set a non-default nonce
+ length to be longer than 12 bytes may be vulnerable.
+
+ This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
+ Greef of Ronomon.
+ (CVE-2019-1543)
+ [Matt Caswell]
+
   *) Added SCA hardening for modular field inversion in EC_GROUP through
  a new dedicated field_inv() pointer in EC_METHOD.
  This also addresses a leakage affecting conversions from projective
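Review bot: the entry explains the impact of an over long nonce but not what the fix changes for callers: the largest nonce length accepted through EVP_CTRL_AEAD_SET_IVLEN is now 12 bytes and larger values make the control fail, so an application that previously set a 13 to 16 byte nonce will now get an error return that it may never have checked. One sentence on that, just above the `[Matt Caswell]` attribution, would let CHANGES readers decide whether their code is affected without reading the source.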
diff --git a/NEWS b/NEWS
index 188e9aa..cf03be9 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,7 @@
 
   Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [under development]
 
-  o
+  o Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
 
   Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018]
 


[openssl] OpenSSL_1_1_0-stable update

2019-05-21 Thread Kurt Roeckx
The branch OpenSSL_1_1_0-stable has been updated
   via  ccbf148e30c5cb5f595c5d9e713c68768fe84248 (commit)
  from  3b5a079d6b454d6d46279e2d56d625495c597633 (commit)


- Log -
commit ccbf148e30c5cb5f595c5d9e713c68768fe84248
Author: Kurt Roeckx 
Date:   Sat Apr 13 12:32:48 2019 +0200

Change default RSA, DSA and DH size to 2048 bit

Fixes: #8737

Reviewed-by: Bernd Edlinger 
Reviewed-by: Richard Levitte 
GH: #8741
(cherry picked from commit 70b0b977f73cd70e17538af3095d18e0cf59132e)

---

Summary of changes:
 CHANGES| 6 ++
 crypto/dh/dh_pmeth.c   | 2 +-
 crypto/dsa/dsa_pmeth.c | 8 
 crypto/rsa/rsa_pmeth.c | 2 +-
 doc/apps/genpkey.pod   | 8 
 5 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/CHANGES b/CHANGES
index d0b6fd7..de7a8a7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,12 @@
 
  Changes between 1.1.0j and 1.1.0k [xx XXX ]
 
+  *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+ This changes the size when using the genpkey app when no size is given. It
+ fixes an omission in earlier changes that changed all RSA, DSA and DH
+ generation apps to use 2048 bits by default.
+ [Kurt Roeckx]
+
   *) Added SCA hardening for modular field inversion in EC_GROUP through
  a new dedicated field_inv() pointer in EC_METHOD.
  This also addresses a leakage affecting conversions from projective
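Review bot: the entry only mentions the size of p, but the same patch also raises the default DSA q size from 160 to 224 bits (see the dsa_pmeth.c and genpkey.pod hunks below). That is a separately observable change for DSA parameter generation and deserves its own clause here.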
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index c3e03c7..4b9e981 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -51,7 +51,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx)
 dctx = OPENSSL_zalloc(sizeof(*dctx));
 if (dctx == NULL)
 return 0;
-dctx->prime_len = 1024;
+dctx->prime_len = 2048;
 dctx->subprime_len = -1;
 dctx->generator = 2;
 dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index d606316..f5ba5fd 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -20,8 +20,8 @@
 
 typedef struct {
 /* Parameter gen parameters */
-int nbits;  /* size of p in bits (default: 1024) */
-int qbits;  /* size of q in bits (default: 160) */
+int nbits;  /* size of p in bits (default: 2048) */
+int qbits;  /* size of q in bits (default: 224) */
 const EVP_MD *pmd;  /* MD for parameter generation */
 /* Keygen callback info */
 int gentmp[2];
@@ -35,8 +35,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx)
 dctx = OPENSSL_malloc(sizeof(*dctx));
 if (dctx == NULL)
 return 0;
-dctx->nbits = 1024;
-dctx->qbits = 160;
+dctx->nbits = 2048;
+dctx->qbits = 224;
 dctx->pmd = NULL;
 dctx->md = NULL;
 
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 2d1dffb..0037b91 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -48,7 +48,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
 rctx = OPENSSL_zalloc(sizeof(*rctx));
 if (rctx == NULL)
 return 0;
-rctx->nbits = 1024;
+rctx->nbits = 2048;
 rctx->pad_mode = RSA_PKCS1_PADDING;
 rctx->saltlen = -2;
 ctx->data = rctx;
diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod
index 91b12e2..27fee6e 100644
--- a/doc/apps/genpkey.pod
+++ b/doc/apps/genpkey.pod
@@ -116,7 +116,7 @@ below.
 
 =item B
 
-The number of bits in the generated key. If not specified 1024 is used.
+The number of bits in the generated key. If not specified 2048 is used.
 
 =item B
 
@@ -154,12 +154,12 @@ below.
 
 =item B
 
-The number of bits in the generated prime. If not specified 1024 is used.
+The number of bits in the generated prime. If not specified 2048 is used.
 
 =item B
 
 The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
-specified 160 is used.
+specified 224 is used.
 
 =item B
 
@@ -178,7 +178,7 @@ or B if it is 256.
 
 =item B
 
-The number of bits in the prime parameter B. The default is 1024.
+The number of bits in the prime parameter B. The default is 2048.
 
 =item B
 


[openssl] OpenSSL_1_1_0-stable update

2019-03-22 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  8f58aa0a5edad245e7103449b1639b4b9d4233ea (commit)
  from  2a483a87e74ec33bfcd904dbaeaa017c658f0389 (commit)


- Log -
commit 8f58aa0a5edad245e7103449b1639b4b9d4233ea
Author: Bernd Edlinger 
Date:   Wed Mar 20 22:02:58 2019 +0100

Modify the RSA_private_decrypt functions to check the padding in
constant time with a memory access pattern that does not depend
on secret information.

[extended tests]

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/8543)

(cherry picked from commit 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5)

---

Summary of changes:
 crypto/rsa/rsa_oaep.c | 32 
 crypto/rsa/rsa_pk1.c  | 32 
 crypto/rsa/rsa_ssl.c  | 32 
 3 files changed, 48 insertions(+), 48 deletions(-)

diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 8c2bab4..75a88b0 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -240,25 +240,25 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, 
int tlen,
 good &= constant_time_ge(tlen, mlen);
 
 /*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
  */
 tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
 dblen - mdlen - 1, tlen);
-msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
-mlen = dblen - msg_index;
-for (mask = good, i = 0; i < tlen; i++) {
-unsigned int equals = constant_time_eq(msg_index, dblen);
-
-msg_index -= tlen & equals;  /* rewind at EOF */
-mask &= ~equals;  /* mask = 0 at EOF */
-to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
+for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
+mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
+for (i = mdlen + 1; i < dblen - msg_index; i++)
+db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
+}
+for (i = 0; i < tlen; i++) {
+mask = good & constant_time_lt(i, mlen);
+to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
 }
 
 /*
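Review bot: with the `msg_index = constant_time_select_int(good, ...)` and `mlen = dblen - msg_index` lines removed, `mlen` is no longer saturated on failure; the copy loop is still safe because `mask = good & constant_time_lt(i, mlen)` stays zero for every `i` when `good` is zero, but the new comment only says "Otherwise leave |to| unchanged" and should also state that `mlen` may hold an arbitrary in-range value on failure so that the return path below the hunk is not tempted to use it. The comment could also note the invariant that makes the shift loop bounds-safe: the inner loop reads `db[i + msg_index]` only for `i < dblen - msg_index`, so the highest index touched is `dblen - 1`.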
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index f63c65b..745d22e 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -226,25 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int 
tlen,
 good &= constant_time_ge(tlen, mlen);
 
 /*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |num|-11-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |em|+11 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
  */
 tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
 num - 11, tlen);
-msg_index 
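Review bot: this hunk re-implements the same shift-and-copy loop as the rsa_oaep.c hunk with `num - 11` in place of `dblen - mdlen - 1`, and the summary shows a third copy in rsa_ssl.c. Three hand-maintained copies of a constant-time routine are a place where future fixes can silently diverge; consider a single shared helper taking the message offset and the buffer length, with the per-function arithmetic done by the callers.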

[openssl] OpenSSL_1_1_0-stable update

2019-03-22 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  2a483a87e74ec33bfcd904dbaeaa017c658f0389 (commit)
  from  502b871ad4eacc96a31f89d9a9470ca2858da998 (commit)


- Log -
commit 2a483a87e74ec33bfcd904dbaeaa017c658f0389
Author: Bernd Edlinger 
Date:   Wed Mar 20 20:01:12 2019 +0100

Make err_clear_constant_time really constant time

[extended tests]

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/8542)

(cherry picked from commit 94dc53a3f7549040dd9e61a25485070c14b41c49)

---

Summary of changes:
 crypto/err/err.c  | 49 +++--
 crypto/rsa/rsa_ossl.c |  2 +-
 include/openssl/err.h |  1 +
 3 files changed, 25 insertions(+), 27 deletions(-)

diff --git a/crypto/err/err.c b/crypto/err/err.c
index ba7577b..8cbf21f 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -464,8 +464,24 @@ static unsigned long get_error_values(int inc, int top, 
const char **file,
 return ERR_R_INTERNAL_ERROR;
 }
 
+while (es->bottom != es->top) {
+if (es->err_flags[es->top] & ERR_FLAG_CLEAR) {
+err_clear(es, es->top);
+es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1;
+continue;
+}
+i = (es->bottom + 1) % ERR_NUM_ERRORS;
+if (es->err_flags[i] & ERR_FLAG_CLEAR) {
+es->bottom = i;
+err_clear(es, es->bottom);
+continue;
+}
+break;
+}
+
 if (es->bottom == es->top)
 return 0;
+
 if (top)
 i = es->top;/* last error */
 else
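Review bot: the new loop only removes ERR_FLAG_CLEAR entries that have reached `es->top` or `es->bottom + 1`; an entry flagged while other live entries sit on both sides of it stays in the ring until it drifts to one of the ends. Any code that walks the ring without going through get_error_values (ERR_pop_to_mark, whose tail is the context of the next hunk, is one such walker) should be checked so that a stale flagged entry cannot be observed there. A short comment that the loop terminates only because err_clear() resets `err_flags[]` would also help the next reader.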
@@ -824,25 +840,6 @@ int ERR_pop_to_mark(void)
 return 1;
 }
 
-#ifdef UINTPTR_T
-# undef UINTPTR_T
-#endif
-/*
- * uintptr_t is the answer, but unfortunately C89, current "least common
- * denominator" doesn't define it. Most legacy platforms typedef it anyway,
- * so that attempt to fill the gaps means that one would have to identify
- * that track these gaps, which would be undesirable. Macro it is...
- */
-#if defined(__VMS) && __INITIAL_POINTER_SIZE==64
-/*
- * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
- * even in 64-bit builds, which means that it won't work as mask.
- */
-# define UINTPTR_T unsigned long long
-#else
-# define UINTPTR_T size_t
-#endif
-
 void err_clear_last_constant_time(int clear)
 {
 ERR_STATE *es;
@@ -854,11 +851,11 @@ void err_clear_last_constant_time(int clear)
 
 top = es->top;
 
-es->err_flags[top] &= ~(0 - clear);
-es->err_buffer[top] &= ~(0UL - clear);
-es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
-   ~((UINTPTR_T)0 - clear));
-es->err_line[top] |= 0 - clear;
-
-es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+/*
+ * Flag error as cleared but remove it elsewhere to avoid two errors
+ * accessing the same error stack location, revealing timing information.
+ */
+clear = constant_time_select_int(constant_time_eq_int(clear, 0),
+ 0, ERR_FLAG_CLEAR);
+es->err_flags[top] |= clear;
 }
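Review bot: the new body performs exactly one OR into one fixed location regardless of `clear`, which is the point, but it also means the entry's err_buffer, err_file and err_line remain intact until get_error_values() runs; the comment should say so explicitly, since the old code masked those fields immediately. It should also state that `clear` is expected to be 0 or 1: `constant_time_eq_int(clear, 0)` maps every non-zero value to "clear", which is fine for the caller in rsa_ossl.c but is not obvious from the signature.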
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index ed77fad..b48d708 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -472,7 +472,7 @@ static int rsa_ossl_private_decrypt(int flen, const 
unsigned char *from,
 goto err;
 }
 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
-err_clear_last_constant_time(r >= 0);
+err_clear_last_constant_time(1 & ~constant_time_msb(r));
 
  err:
 if (ctx != NULL)
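Review bot: `1 & ~constant_time_msb(r)` deserves a one-line comment saying that it replaces `r >= 0` because the comparison may be compiled to a conditional branch; without it a later maintainer is likely to "simplify" it back. Since constant_time_msb takes an unsigned argument, the comment could also note that the conversion of the signed `r` is intentional and that only its sign bit is used.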
diff --git a/include/openssl/err.h b/include/openssl/err.h
index 29a261c..779ed24 100644
--- a/include/openssl/err.h
+++ b/include/openssl/err.h
@@ -37,6 +37,7 @@ extern "C" {
 # define ERR_TXT_STRING  0x02
 
 # define ERR_FLAG_MARK   0x01
+# define ERR_FLAG_CLEAR  0x02
 
 # define ERR_NUM_ERRORS  16
 typedef struct err_state_st {
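Review bot: ERR_FLAG_CLEAR lands in the public header next to ERR_FLAG_MARK, so it becomes visible to applications that inspect `err_flags` in err_state_st even though it is meant purely as an internal "remove later" marker. If a public definition is unavoidable because the struct is public in 1.1.0, a comment marking the flag as internal would discourage applications from relying on it.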


[openssl] OpenSSL_1_1_0-stable update

2019-03-18 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  502b871ad4eacc96a31f89d9a9470ca2858da998 (commit)
  from  c5bc42d7a131cf7a6a2ebd97a7a4a559d01af0f9 (commit)


- Log -
commit 502b871ad4eacc96a31f89d9a9470ca2858da998
Author: Bernd Edlinger 
Date:   Sun Mar 17 17:28:24 2019 +0100

Clear the point S before freeing in ec_mul_consttime

The secret point R can be recovered from S using the equation R = S - P.
The X and Z coordinates should be sufficient for that.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/8505)

---

Summary of changes:
 crypto/ec/ec_mult.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 8350082..47c0fc0 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -325,7 +325,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT 
*r,
 ret = 1;
 
  err:
-EC_POINT_free(s);
+EC_POINT_clear_free(s);
 BN_CTX_end(ctx);
 BN_CTX_free(new_ctx);
 


[openssl] OpenSSL_1_1_0-stable update

2019-03-18 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  c5bc42d7a131cf7a6a2ebd97a7a4a559d01af0f9 (commit)
  from  7ebbb293e1d68c014e50dc49944aba0b72f35074 (commit)


- Log -
commit c5bc42d7a131cf7a6a2ebd97a7a4a559d01af0f9
Author: Bernd Edlinger 
Date:   Sun Mar 17 09:48:15 2019 +0100

Clear the secret point in ecdh_simple_compute_key

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/8501)

(cherry picked from commit 1ff2c992c24c330c0d40708b4169b862563d6aab)

---

Summary of changes:
 crypto/ec/ecdh_ossl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/ec/ecdh_ossl.c b/crypto/ec/ecdh_ossl.c
index a865145..2d620cb 100644
--- a/crypto/ec/ecdh_ossl.c
+++ b/crypto/ec/ecdh_ossl.c
@@ -138,7 +138,7 @@ int ecdh_simple_compute_key(unsigned char **pout, size_t 
*poutlen,
 ret = 1;
 
  err:
-EC_POINT_free(tmp);
+EC_POINT_clear_free(tmp);
 if (ctx)
 BN_CTX_end(ctx);
 BN_CTX_free(ctx);


[openssl] OpenSSL_1_1_0-stable update

2019-03-07 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  7ebbb293e1d68c014e50dc49944aba0b72f35074 (commit)
  from  a8e129a0923b17751655f2e98d5d4c2ae144e3fe (commit)


- Log -
commit 7ebbb293e1d68c014e50dc49944aba0b72f35074
Author: Bernd Edlinger 
Date:   Thu Feb 28 10:08:18 2019 +0100

Fix memory overrun in rsa padding check functions

Fixes #8364 and #8357

Reviewed-by: Kurt Roeckx 
(Merged from https://github.com/openssl/openssl/pull/8365)

(cherry picked from commit d7f5e5ae6d53f1387a42d210806cf5e9ed0882d6)

---

Summary of changes:
 crypto/rsa/rsa_oaep.c | 26 +-
 crypto/rsa/rsa_pk1.c  | 24 
 crypto/rsa/rsa_ssl.c  | 35 +++
 3 files changed, 44 insertions(+), 41 deletions(-)

diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 4958212..8c2bab4 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -149,7 +149,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, 
int tlen,
  * |num| is the length of the modulus; |flen| is the length of the
  * encoded message. Therefore, for any |from| that was obtained by
  * decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
- * num < 2 * mdlen + 2 must hold for the modulus irrespective of
+ * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of
  * the ciphertext, see PKCS #1 v2.2, section 7.1.2.
  * This does not leak any side-channel information.
  */
@@ -185,17 +185,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, 
int tlen,
 from -= 1 & mask;
 *--em = *from & mask;
 }
-from = em;
 
 /*
  * The first byte must be zero, however we must not leak if this is
  * true. See James H. Manger, "A Chosen Ciphertext  Attack on RSA
  * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
  */
-good = constant_time_is_zero(from[0]);
+good = constant_time_is_zero(em[0]);
 
-maskedseed = from + 1;
-maskeddb = from + 1 + mdlen;
+maskedseed = em + 1;
+maskeddb = em + 1 + mdlen;
 
 if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
 goto cleanup;
@@ -236,7 +235,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, 
int tlen,
 mlen = dblen - msg_index;
 
 /*
- * For good measure, do this check in constant tine as well.
+ * For good measure, do this check in constant time as well.
  */
 good &= constant_time_ge(tlen, mlen);
 
@@ -250,15 +249,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, 
int tlen,
  * should be noted that failure is indistinguishable from normal
  * operation if |tlen| is fixed by protocol.
  */
-tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, 
tlen);
+tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
+dblen - mdlen - 1, tlen);
 msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
 mlen = dblen - msg_index;
-for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
-unsigned int equals = constant_time_eq(i, mlen);
+for (mask = good, i = 0; i < tlen; i++) {
+unsigned int equals = constant_time_eq(msg_index, dblen);
 
-from -= dblen & equals; /* if (i == dblen) rewind   */
-mask &= mask ^ equals;  /* if (i == dblen) mask = 0 */
-to[i] = constant_time_select_8(mask, from[i], to[i]);
+msg_index -= tlen & equals;  /* rewind at EOF */
+mask &= ~equals;  /* mask = 0 at EOF */
+to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
 }
 
 /*
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index 3f2dc6b..f63c65b 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -192,15 +192,14 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int 
tlen,
 from -= 1 & mask;
 *--em = *from & mask;
 }
-from = em;
 
-good = constant_time_is_zero(from[0]);
-good &= constant_time_eq(from[1], 2);
+good = constant_time_is_zero(em[0]);
+good &= constant_time_eq(em[1], 2);
 
 /* scan over 

[openssl] OpenSSL_1_1_0-stable update

2019-03-07 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  a8e129a0923b17751655f2e98d5d4c2ae144e3fe (commit)
  from  09af525c2e8a11a0701d3d80e4d795e03be93606 (commit)


- Log -
commit a8e129a0923b17751655f2e98d5d4c2ae144e3fe
Author: Matt Caswell 
Date:   Tue Mar 5 13:26:45 2019 +

Avoid an underflow in ecp_nistp521.c

The function felem_diff_128_64 in ecp_nistp521.c subtracts the number |in|
from |out| mod p. In order to avoid underflow it first adds 32p mod p
(which is equivalent to 0 mod p) to |out|. The comments and variable naming
suggest that the original author intended to add 64p mod p. In fact it
has been shown that with certain unusual co-ordinates it is possible to
cause an underflow in this function when only adding 32p mod p while
performing a point double operation. By changing this to 64p mod p the
underflow is avoided.

It turns out to be quite difficult to construct points that satisfy the
underflow criteria although this has been done and the underflow
demonstrated. However none of these points are actually on the curve.
Finding points that satisfy the underflow criteria and are also *on* the
curve is considered significantly more difficult. For this reason we do
not believe that this issue is currently practically exploitable and
therefore no CVE has been assigned.

This only impacts builds using the enable-ec_nistp_64_gcc_128 Configure
option.

With thanks to Bo-Yin Yang, Billy Brumley and Dr Liu for their significant
help in investigating this issue.

Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/8405)

(cherry picked from commit 13fbce17fc9f02e2401fc3868f3f8e02d6647e5f)

---

Summary of changes:
 crypto/ec/ecp_nistp521.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index ddfef91..6059c2e 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -357,10 +357,15 @@ static void felem_diff64(felem out, const felem in)
 static void felem_diff_128_64(largefelem out, const felem in)
 {
 /*
- * In order to prevent underflow, we add 0 mod p before subtracting.
+ * In order to prevent underflow, we add 64p mod p (which is equivalent
+ * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521
+ * digit number with all bits set to 1. See "The representation of field
+ * elements" comment above for a description of how limbs are used to
+ * represent a number. 64p is represented with 8 limbs containing a number
+ * with 58 bits set and one limb with a number with 57 bits set.
  */
-static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5);
-static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4);
+static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6);
+static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5);
 
 out[0] += two63m6 - in[0];
 out[1] += two63m5 - in[1];
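Review bot: the comment asserts that the constants represent 64p but gives no way to check it; one line of arithmetic would do, since with 58-bit limbs (2^63 - 2^6) + sum over i = 1..8 of (2^63 - 2^5) * 2^(58 i) = 2^527 - 2^6 = 64 * (2^521 - 1). The hunk shows only out[0] and out[1], so the comment should also spell out which of the nine limbs receive two63m6 and which two63m5, otherwise "8 limbs ... and one limb" has to be reconciled with the code by hand.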


[openssl] OpenSSL_1_1_0-stable update

2019-03-06 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  09af525c2e8a11a0701d3d80e4d795e03be93606 (commit)
   via  ee22257b1418438ebaf54df98af4e24f494d1809 (commit)
  from  c62896c2c0cbd47ab01693d403e37fe5fe15aab8 (commit)


- Log -
commit 09af525c2e8a11a0701d3d80e4d795e03be93606
Author: Matt Caswell 
Date:   Tue Mar 5 14:51:07 2019 +

Test an overlong ChaCha20-Poly1305 nonce

Reviewed-by: Paul Dale 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit a4f0b50eafb256bb802f2724fc7f7580fb0fbabc)

commit ee22257b1418438ebaf54df98af4e24f494d1809
Author: Matt Caswell 
Date:   Tue Mar 5 14:39:15 2019 +

Prevent over long nonces in ChaCha20-Poly1305

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However it
also incorrectly allows a nonce to be set of up to 16 bytes. In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.

It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.

CVE-2019-1543

Fixes #8345

Reviewed-by: Paul Dale 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)

---

Summary of changes:
 crypto/evp/e_chacha20_poly1305.c  | 4 +++-
 test/recipes/30-test_evp_data/evpciph.txt | 8 
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
index 7fd4f8d..4adc64c 100644
--- a/crypto/evp/e_chacha20_poly1305.c
+++ b/crypto/evp/e_chacha20_poly1305.c
@@ -30,6 +30,8 @@ typedef struct {
 
 #define data(ctx)   ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
 
+#define CHACHA20_POLY1305_MAX_IVLEN 12
+
 static int chacha_init_key(EVP_CIPHER_CTX *ctx,
const unsigned char user_key[CHACHA_KEY_SIZE],
const unsigned char iv[CHACHA_CTR_SIZE], int enc)
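Review bot: the name CHACHA20_POLY1305_MAX_IVLEN suggests an upper bound on a range, whereas the commit message says RFC 7539 fixes the nonce at 12 bytes and shorter values are front padded. A short comment beside the #define stating that 12 is the RFC nonce size and that the only reason shorter lengths are accepted is the existing padding behaviour would prevent the macro being read as an arbitrary cap.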
@@ -357,7 +359,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int 
type, int arg,
 return 1;
 
 case EVP_CTRL_AEAD_SET_IVLEN:
-if (arg <= 0 || arg > CHACHA_CTR_SIZE)
+if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
 return 0;
 actx->nonce_len = arg;
 return 1;
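Review bot: this changes a previously accepted EVP_CTRL_AEAD_SET_IVLEN of 13 to 16 into a 0 return. Many callers ignore the return value of EVP_CIPHER_CTX_ctrl, so a comment here that the rejection is deliberate (and that the default 12 byte nonce path is untouched) would help anyone bisecting a failing application; the accompanying evpciph.txt test in the next hunk is the right place to pin that behaviour.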
diff --git a/test/recipes/30-test_evp_data/evpciph.txt 
b/test/recipes/30-test_evp_data/evpciph.txt
index 6236a9f..4cf011f 100644
--- a/test/recipes/30-test_evp_data/evpciph.txt
+++ b/test/recipes/30-test_evp_data/evpciph.txt
@@ -2269,3 +2269,11 @@ Tag = e0723bce23528ce6ccb10ff9627038bf
 Plaintext = 
 

[openssl] OpenSSL_1_1_0-stable update

2019-02-25 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  ad01b01c16b0b9d95de79c3b01398e3582a5105b (commit)
  from  3318493b85a8189f6385d5489f97f0e101471f92 (commit)


- Log -
commit ad01b01c16b0b9d95de79c3b01398e3582a5105b
Author: Matt Caswell 
Date:   Mon Feb 25 11:28:32 2019 +

Ensure bn_cmp_words can handle the case where n == 0

Thanks to David Benjamin who reported this, performed the analysis and
suggested the patch. I have incorporated some of his analysis in the
comments below.

This issue can cause an out-of-bounds read. It is believed that this was
not reachable until the recent "fixed top" changes. Analysis has so far
only identified one code path that can encounter this - although it is
possible that others may be found. The one code path only impacts 1.0.2 in
certain builds. The fuzzer found a path in RSA where iqmp is too large. If
the input is all zeros, the RSA CRT logic will multiply a padded zero by
iqmp. Two mitigating factors:

- Private keys which trip this are invalid (iqmp is not reduced mod p).
Only systems which take untrusted private keys care.
- In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp,
so the bug is only reproducible in 1.0.2 so far.

Fortunately, the bug appears to be relatively harmless. The consequences of
bn_cmp_word's misbehavior are:

- OpenSSL may crash if the buffers are page-aligned and the previous page is
non-existent.
- OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they
are equal.
- Side channel concerns.

The first is indeed a concern and is a DoS bug. The second is fine in this
context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1)
in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or
a1 - a0. The third would be worth thinking about, but it is overshadowed
by the entire Karatsuba implementation not being constant time.

Due to the difficulty of tripping this and the low impact no CVE is felt
necessary for this issue.

Reviewed-by: Paul Dale 
Reviewed-by: Viktor Dukhovni 
(Merged from https://github.com/openssl/openssl/pull/8326)

(cherry picked from commit 576129cd72ae054d246221f111aabf42b9c6d76d)

---

Summary of changes:
 crypto/bn/bn_lib.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 3f3c7bb..9885b0c 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -780,6 +780,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int 
n)
 int i;
 BN_ULONG aa, bb;
 
+if (n == 0)
+return 0;
+
 aa = a[n - 1];
 bb = b[n - 1];
 if (aa != bb)
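Review bot: `n` is a signed `int`, so `if (n == 0)` still allows a negative `n` to index `a[n - 1]` out of bounds; `if (n <= 0)` closes that case at no extra cost. A comment stating that zero-length inputs compare equal would also document the new contract that the Karatsuba callers mentioned in the commit message depend on.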


[openssl] OpenSSL_1_1_0-stable update

2019-02-24 Thread yang . yang
The branch OpenSSL_1_1_0-stable has been updated
   via  3318493b85a8189f6385d5489f97f0e101471f92 (commit)
  from  f499873c2ff5a6da5f1a23c099730f97c822e90c (commit)


- Log -
commit 3318493b85a8189f6385d5489f97f0e101471f92
Author: Jeff Mahoney 
Date:   Sun Feb 24 16:56:28 2019 +0800

apps/speed: fix segfault while looking up algorithm name

The backport of master commit 5c6a69f539a (apps/speed: fix possible OOB
access in some EC arrays) as 1.1.0 commit 4e07941373a introduced a
regression.  The ecdh_choices array is iterated using an element count
but is NULL terminated.  This means that running 'openssl speed somealgo'
will result in a segfault when opt_found hits the NULL entry.

Fixes #8243

CLA: trivial

Signed-off-by: Jeff Mahoney 

Reviewed-by: Paul Yang 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8244)

---

Summary of changes:
 apps/speed.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/speed.c b/apps/speed.c
index 6672fe6..4595cc6 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -537,7 +537,6 @@ static const OPT_PAIR ecdh_choices[] = {
 {"ecdhb409", R_EC_B409},
 {"ecdhb571", R_EC_B571},
 {"ecdhx25519", R_EC_X25519},
-{NULL}
 };
 # define EC_NUM   OSSL_NELEM(ecdh_choices)
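Review bot: dropping `{NULL}` is consistent with `EC_NUM` being `OSSL_NELEM(ecdh_choices)`, since the sentinel was being counted as a real entry and then dereferenced by the element-count loop; worth confirming in the same file that no remaining loop over `ecdh_choices`, or over a sibling table, still terminates on a NULL name, because such a loop would now run past the end of the array.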
 


[openssl] OpenSSL_1_1_0-stable update

2019-02-21 Thread nic . tuv
The branch OpenSSL_1_1_0-stable has been updated
   via  f499873c2ff5a6da5f1a23c099730f97c822e90c (commit)
   via  c4e901dbdb217a78fcca75478dd8cf3720f6219c (commit)
  from  b7fc0784c4cfe81db8728f814925c6f98dd948d1 (commit)


- Log -
commit f499873c2ff5a6da5f1a23c099730f97c822e90c
Author: Nicola Tuveri 
Date:   Fri Feb 8 12:42:25 2019 +0200

Clear BN_FLG_CONSTTIME on BN_CTX_get()

(cherry picked from commit c8147d37ccaaf28c430d3fb45a14af36597e48b8)

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8294)

commit c4e901dbdb217a78fcca75478dd8cf3720f6219c
Author: Nicola Tuveri 
Date:   Tue Feb 12 00:37:25 2019 +0200

Test for constant-time flag leakage in BN_CTX

This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:

- test_ctx_consttime_flag() initializes (and later frees before
  returning) a BN_CTX object, then it calls in sequence
  test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
  BN_CTX object. The process is run twice, once with a "normal"
  BN_CTX_new() object, then with a BN_CTX_secure_new() one.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
  BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
  before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
  BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
  frame should have BN_FLG_CONSTTIME set.

In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.

This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.

(manually cherry picked from commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282)

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8294)

---

Summary of changes:
 crypto/bn/bn_ctx.c |   4 +-
 test/bntest.c  | 111 +++--
 2 files changed, 111 insertions(+), 4 deletions(-)

diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c
index 68c0468..51db38b 100644
--- a/crypto/bn/bn_ctx.c
+++ b/crypto/bn/bn_ctx.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -227,6 +227,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx)
 }
 /* OK, make sure the returned bignum is "zero" */
 BN_zero(ret);
+/* clear BN_FLG_CONSTTIME if leaked from previous frames */
+ret->flags &= (~BN_FLG_CONSTTIME);
 ctx->used++;
 CTXDBG_RET(ctx, ret);
 return ret;
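Review bot: `BN_CTX_get()` is the single point where a frame hands out a BIGNUM, so clearing `BN_FLG_CONSTTIME` here closes the leak for every caller; `BN_zero(ret)` just above does not touch flags, which is why the explicit `ret->flags &= (~BN_FLG_CONSTTIME);` is needed. Consider stating in the BN_CTX_get() documentation that the returned BIGNUM has the flag cleared, because any caller that was unknowingly relying on the leaked flag for side-channel hardening will silently lose it.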
diff --git a/test/bntest.c b/test/bntest.c
index 686eab8..606cc11 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -85,6 +85,7 @@ int test_sqrt(BIO *bp, BN_CTX *ctx);
 int test_small_prime(BIO *bp, BN_CTX *ctx);
 int test_bn2dec(BIO *bp);
 int rand_neg(void);
+static int test_ctx_consttime_flag(void);
 static int results = 0;
 
 static unsigned char lst[] =
@@ -312,11 +313,18 @@ int main(int argc, char *argv[])
 goto err;
 (void)BIO_flush(out);
 #endif
+
+/* silently flush any pre-existing error on the stack */
+ERR_clear_error();
+
+message(out, "BN_CTX_get BN_FLG_CONSTTIME");
+if (!test_ctx_consttime_flag())
+goto err;
+(void)BIO_flush(out);
+
 BN_CTX_free(ctx);
 BIO_free(out);
 
-ERR_print_errors_fp(stderr);
-
 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
 if (CRYPTO_mem_leaks_fp(stderr) <= 0)
 EXIT(1);
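Review bot: this hunk removes the final `ERR_print_errors_fp(stderr);` on the success path in addition to wiring in the new test; if that is to avoid noise after `ERR_clear_error()`, say so in the commit message, otherwise a test that leaves an error on the queue without failing now passes silently. Calling `ERR_clear_error()` immediately before `test_ctx_consttime_flag()` is the right place to start from a clean queue.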
@@ -2092,3 +2100,100 @@ int rand_neg(void)
 
 return (sign[(neg++) % 8]);
 }
+
+static int test_ctx_set_ct_flag(BN_CTX *c)
+{
+int st = 0;
+size_t i;
+BIGNUM *b[15];
+
+BN_CTX_start(c);
+for (i = 0; i < OSSL_NELEM(b); i++) {
+if (NULL == (b[i] = BN_CTX_get(c))) {
+fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
+goto err;
+}
+if (i % 2 == 1)
+
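Review bot: the hunk is cut off on this page after `if (i % 2 == 1)`, so the frame handling cannot be reviewed in full; the visible error path does `goto err` after `BN_CTX_start(c)`, so the `err` label must call `BN_CTX_end(c)` or the BN_CTX is left with an unbalanced frame for the next test. Also `NULL == (b[i] = BN_CTX_get(c))` reverses the usual OpenSSL `if ((b[i] = BN_CTX_get(c)) == NULL)` order.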

[openssl] OpenSSL_1_1_0-stable update

2019-02-20 Thread nic . tuv
The branch OpenSSL_1_1_0-stable has been updated
   via  b7fc0784c4cfe81db8728f814925c6f98dd948d1 (commit)
   via  09c11fe59b3d45d35e61d95d0f3a5a371f96a19d (commit)
  from  68be523db761867cde2c5476cf43f8766c593b2a (commit)


- Log -
commit b7fc0784c4cfe81db8728f814925c6f98dd948d1
Author: Nicola Tuveri 
Date:   Mon Feb 18 03:46:54 2019 +0200

[test] unit test for field_inv function pointer in EC_METHOD

This is a rewrite of commit 8f58ede09572dcc6a7e6c01280dd348240199568 for
the 1.1.0-stable branch.

Co-authored-by: Billy Brumley 

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8263)

commit 09c11fe59b3d45d35e61d95d0f3a5a371f96a19d
Author: Billy Brumley 
Date:   Sat Feb 2 10:53:29 2019 +0200

SCA hardening for mod. field inversion in EC_GROUP

This commit adds a dedicated function in `EC_METHOD` to access a modular
field inversion implementation suitable for the specifics of the
implemented curve, featuring SCA countermeasures.

The new pointer is defined as:
`int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
and computes the multiplicative inverse of `a` in the underlying field,
storing the result in `r`.

Three implementations are included, each including specific SCA
countermeasures:
  - `ec_GFp_simple_field_inv()`, featuring SCA hardening through
blinding.
  - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
Little Theorem (FLT) inversion.
  - `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which
already features SCA hardening through blinding.

From a security point of view, this also helps addressing a leakage
previously affecting conversions from projective to affine coordinates.

This commit also adds a new error reason code (i.e.,
`EC_R_CANNOT_INVERT`) to improve consistency between the three
implementations as all of them could fail for the same reason but
through different code paths resulting in inconsistent error stack
states.

Co-authored-by: Nicola Tuveri 

(cherry picked from commit e0033efc30b0f00476bba8f0fa5512be5dc8a3f1)

Reviewed-by: Matt Caswell 
Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/8263)

---

Summary of changes:
 CHANGES|   6 +
 crypto/ec/ec2_smpl.c   | 140 ---
 crypto/ec/ec_err.c |   6 +-
 crypto/ec/ec_lcl.h |  13 ++-
 crypto/ec/ecp_mont.c   |  51 -
 crypto/ec/ecp_nist.c   |   3 +-
 crypto/ec/ecp_nistp224.c   |   3 +-
 crypto/ec/ecp_nistp256.c   |   3 +-
 crypto/ec/ecp_nistp521.c   |   3 +-
 crypto/ec/ecp_nistz256.c   |   3 +-
 crypto/ec/ecp_smpl.c   |  51 -
 include/openssl/ec.h   |   6 +-
 test/build.info|   9 ++
 test/ec_internal_test.c| 220 +
 test/recipes/03-test_internal_ec.t |  19 
 15 files changed, 462 insertions(+), 74 deletions(-)
 create mode 100644 test/ec_internal_test.c
 create mode 100644 test/recipes/03-test_internal_ec.t

diff --git a/CHANGES b/CHANGES
index d634252..d0b6fd7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,12 @@
 
  Changes between 1.1.0j and 1.1.0k [xx XXX ]
 
+  *) Added SCA hardening for modular field inversion in EC_GROUP through
+ a new dedicated field_inv() pointer in EC_METHOD.
+ This also addresses a leakage affecting conversions from projective
+ to affine coordinates.
+ [Billy Bob Brumley, Nicola Tuveri]
+
   *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
  re-used X509_PUBKEY object if the second PUBKEY is malformed.
  [Bernd Edlinger]
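Review bot: the CHANGES entry does not mention the new `EC_R_CANNOT_INVERT` reason code that the commit message says was added; reason codes are user-visible (they appear in logs and in code that matches on `ERR_GET_REASON()`), so list it here alongside the field_inv() change.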
diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c
index cdacce6..6cb6d1b 100644
--- a/crypto/ec/ec2_smpl.c
+++ b/crypto/ec/ec2_smpl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -29,67 +29,6 @@
 
 #ifndef OPENSSL_NO_EC2M
 
-const EC_METHOD *EC_GF2m_simple_method(void)
-{
-static const EC_METHOD ret = {
-EC_FLAGS_DEFAULT_OCT,
-NID_X9_62_characteristic_two_field,
-ec_GF2m_simple_group_init,
-ec_GF2m_simple_group_finish,
-ec_GF2m_simple_group_clear_finish,
-ec_GF2m_simple_group_copy,
-ec_GF2m_simple_group_set_curve,
-ec_GF2m_simple_group_get_curve,
-ec_GF2m_simple_group_get_degree,
-
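Review bot: the page truncates this hunk, and the visible part only deletes the `EC_GF2m_simple_method()` definition from the top of the file; the diffstat `crypto/ec/ec2_smpl.c | 140` together with the commit message implies the method table was moved below the new `ec_GF2m_simple_field_inv()` so that the `field_inv` slot can reference it. Since the `EC_METHOD` initialiser is positional, make sure the moved table keeps `EC_FLAGS_DEFAULT_OCT` and `NID_X9_62_characteristic_two_field` in the same positions and that the new pointer is added at the same offset in all three method tables.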
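The commit message above names two SCA-hardening strategies for field inversion, blinding and Fermat's Little Theorem. The following is an added example, not OpenSSL's code, showing both against a 61-bit prime so it runs without a bignum library; the prime `EX_P`, the xorshift RNG (a stand-in for a CSPRNG) and all `ex_` names are assumptions of this example, not identifiers from the project.

```c
/*
 * Added example, not OpenSSL code: blinded inversion and Fermat inversion
 * over GF(p) for p = 2^61 - 1. The prime, the xorshift RNG and the ex_
 * names are assumptions; a real implementation uses the curve's field
 * prime and a CSPRNG for the blinding factor.
 */
#include <stdint.h>
#include <stdio.h>

#define EX_P ((1ULL << 61) - 1)          /* 2^61 - 1 is prime */

static uint64_t ex_mulmod(uint64_t a, uint64_t b)
{
    return (uint64_t)(((unsigned __int128)a * b) % EX_P);
}

/* Reference inversion via extended Euclid. Its loop count and divisions
 * depend on the value of a, so it must never see a secret directly. */
static uint64_t ex_inv_euclid(uint64_t a)
{
    __int128 t = 0, newt = 1;
    uint64_t r = EX_P, newr = a % EX_P;

    while (newr != 0) {
        uint64_t q = r / newr;
        __int128 tmp = t - (__int128)q * newt;
        uint64_t tmpr = r - q * newr;
        t = newt; newt = tmp;
        r = newr; newr = tmpr;
    }
    if (r != 1)
        return 0;                        /* a == 0 mod p has no inverse */
    if (t < 0)
        t += EX_P;
    return (uint64_t)t;
}

/* Deterministic xorshift64: stand-in for a CSPRNG (assumption). */
static uint64_t ex_rand(void)
{
    static uint64_t s = 0x9E3779B97F4A7C15ULL;
    s ^= s << 13; s ^= s >> 7; s ^= s << 17;
    return s;
}

/* Blinding: invert a*b for a random b, then strip b. The variable-time
 * Euclid only ever sees the random-looking product a*b, so its timing
 * is uncorrelated with a. */
static uint64_t ex_inv_blinded(uint64_t a)
{
    uint64_t b = 1 + ex_rand() % (EX_P - 1);        /* b in [1, p-1] */
    uint64_t c = ex_mulmod(a, b);
    uint64_t d = ex_inv_euclid(c);                   /* (a*b)^-1 */
    return ex_mulmod(d, b);                          /* a^-1 */
}

/* Fermat: a^(p-2). The exponent is public and fixed, so the sequence of
 * squarings and multiplications never depends on the secret a. */
static uint64_t ex_inv_flt(uint64_t a)
{
    uint64_t e = EX_P - 2, r = 1, base = a % EX_P;
    int i;

    for (i = 60; i >= 0; i--) {
        r = ex_mulmod(r, r);
        if ((e >> i) & 1)                /* branches on the public exponent only */
            r = ex_mulmod(r, base);
    }
    return r;
}

/* Cross-checks the three methods on one value; returns 1 when they agree
 * and the result really is an inverse (or 0 for the non-invertible case). */
static int ex_inverses_agree(uint64_t a)
{
    uint64_t e = ex_inv_euclid(a), b = ex_inv_blinded(a), f = ex_inv_flt(a);

    if (a % EX_P == 0)
        return e == 0 && b == 0 && f == 0;
    return e == b && b == f && ex_mulmod(a, f) == 1;
}

int main(void)
{
    printf("inv(2) = %llu, methods agree: %d\n",
           (unsigned long long)ex_inv_flt(2), ex_inverses_agree(2));
    return 0;
}
```

The Euclid routine is kept only as the reference: in the blinded path it runs on `a*b`, never on `a`, which is the same idea as `ec_GFp_simple_field_inv()` in the commit message; the Fermat path corresponds to `ec_GFp_mont_field_inv()` and pays with a fixed number of multiplications.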

[openssl] OpenSSL_1_1_0-stable update

2019-02-20 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  68be523db761867cde2c5476cf43f8766c593b2a (commit)
  from  54a622697eced33a6029fd5e7dd452cfb99bb72e (commit)


- Log -
commit 68be523db761867cde2c5476cf43f8766c593b2a
Author: Corinna Vinschen 
Date:   Mon Feb 18 22:37:37 2019 +0100

cygwin: drop explicit O_TEXT

Cygwin binaries should not enforce text mode these days, just
use text mode if the underlying mount point requests it

Signed-off-by: Corinna Vinschen 

Reviewed-by: Matt Caswell 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/8275)

---

Summary of changes:
 crypto/bio/bss_file.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c
index 2edf244..0240a0d 100644
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -255,9 +255,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
 }
 #  elif defined(OPENSSL_SYS_WIN32_CYGWIN)
 int fd = fileno((FILE *)ptr);
-if (num & BIO_FP_TEXT)
-setmode(fd, O_TEXT);
-else
+if (!(num & BIO_FP_TEXT))
 setmode(fd, O_BINARY);
 #  endif
 }
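Review bot: with `setmode(fd, O_TEXT)` gone, `BIO_FP_TEXT` on Cygwin no longer forces CRLF translation and instead inherits the mount's mode, while the non-text case still forces `O_BINARY`; that asymmetry is what the commit message intends, but it is a behaviour change for callers that explicitly asked for text mode on a binary mount, and deserves a sentence in the BIO_s_file documentation.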
@@ -281,11 +279,14 @@ static long file_ctrl(BIO *b, int cmd, long num, void 
*ptr)
 ret = 0;
 break;
 }
-#  if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || 
defined(OPENSSL_SYS_WIN32_CYGWIN)
+#  if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
 if (!(num & BIO_FP_TEXT))
 strcat(p, "b");
 else
 strcat(p, "t");
+#  elif defined(OPENSSL_SYS_WIN32_CYGWIN)
+if (!(num & BIO_FP_TEXT))
+strcat(p, "b");
 #  endif
 fp = openssl_fopen(ptr, p);
 if (fp == NULL) {
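Review bot: the new Cygwin branch appends only "b" to the `openssl_fopen()` mode and never "t", matching the `setmode` change in the previous hunk; after this the `else strcat(p, "t")` path is reachable only for MSDOS/Windows, so nothing else in this file should still assume Cygwin adds a mode letter for text.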


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2019-02-12 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  54a622697eced33a6029fd5e7dd452cfb99bb72e (commit)
  from  152abc5522d869668f50deeb99cd0d948d0df4c1 (commit)


- Log -
commit 54a622697eced33a6029fd5e7dd452cfb99bb72e
Author: Richard Levitte 
Date:   Mon Feb 11 12:22:02 2019 +0100

crypto/engine/eng_cryptodev.c: fix bignum<->crp conversion

bn2crparam() incorrectly delivered a big endian byte string to cryptodev.
Using BN_bn2lebinpad() instead of BN_bn2bin() fixes this.

crparam2bn() had a hack that avoided this issue in the other direction,
but allocated an intermediary chunk of memory to get correct endianness.
Using BN_lebin2bn() avoids this allocation.

Fixes #8202

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8204)

---

Summary of changes:
 crypto/engine/eng_cryptodev.c | 14 --
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index 5572735..1450fdd 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -1228,14 +1228,14 @@ static int bn2crparam(const BIGNUM *a, struct crparam 
*crp)
 crp->crp_p = (caddr_t) b;
 crp->crp_nbits = bits;
 
-BN_bn2bin(a, b);
+BN_bn2lebinpad(a, b, bytes);
 return (0);
 }
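Review bot: `BN_bn2lebinpad(a, b, bytes)` returns -1 when `bytes` is smaller than the width of `a`, and this call ignores that return; the sizing of `b` is outside the visible hunk, so it presumably fits, but checking the result and failing the conversion would turn a silently truncated parameter into an error instead of a wrong value handed to the hardware.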
 
 /* Convert a /dev/crypto parameter to a BIGNUM */
 static int crparam2bn(struct crparam *crp, BIGNUM *a)
 {
-u_int8_t *pd;
+u_int8_t *b;
 int i, bytes;
 
 bytes = (crp->crp_nbits + 7) / 8;
@@ -1243,15 +1243,9 @@ static int crparam2bn(struct crparam *crp, BIGNUM *a)
 if (bytes == 0)
 return (-1);
 
-if ((pd = OPENSSL_malloc(bytes)) == NULL)
-return (-1);
-
-for (i = 0; i < bytes; i++)
-pd[i] = crp->crp_p[bytes - i - 1];
-
-BN_bin2bn(pd, bytes, a);
-free(pd);
+b = (u_int8_t *)crp->crp_p;
 
+BN_lebin2bn(b, bytes, a);
 return (0);
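Review bot: `int i` in `int i, bytes;` is now unused since the byte-reversal loop was removed, which warns under -Wunused-variable and breaks `--strict-warnings` builds; drop it. The removed path also paired `OPENSSL_malloc()` with plain `free(pd)`, so deleting the allocation fixes that allocator mismatch as well. `BN_lebin2bn()` returns NULL on failure and its result is unchecked here; return -1 in that case as the `bytes == 0` branch does.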
 }
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2019-02-01 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  152abc5522d869668f50deeb99cd0d948d0df4c1 (commit)
  from  47c55f881ffef8aa5fafcb88d4230700bb279449 (commit)


- Log -
commit 152abc5522d869668f50deeb99cd0d948d0df4c1
Author: Bernd Edlinger 
Date:   Wed Jan 30 16:20:31 2019 +0100

Fix a crash in reuse of d2i_X509_PUBKEY

If the second PUBKEY is malformed there is use after free.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8135)

---

Summary of changes:
 CHANGES| 4 
 crypto/x509/x_pubkey.c | 1 +
 2 files changed, 5 insertions(+)

diff --git a/CHANGES b/CHANGES
index b810a12..d634252 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
 
  Changes between 1.1.0j and 1.1.0k [xx XXX ]
 
+  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+ re-used X509_PUBKEY object if the second PUBKEY is malformed.
+ [Bernd Edlinger]
+
   *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
  [Richard Levitte]
 
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index cc69283..03271cb 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -36,6 +36,7 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const 
ASN1_ITEM *it,
 /* Attempt to decode public key and cache in pubkey structure. */
 X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
 EVP_PKEY_free(pubkey->pkey);
+pubkey->pkey = NULL;
 /*
  * Opportunistically decode the key but remove any non fatal errors
  * from the queue. Subsequent explicit attempts to decode/use the key
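Review bot: the one-line `pubkey->pkey = NULL;` after `EVP_PKEY_free(pubkey->pkey);` is the right fix: on the error path of the second decode the freed pointer stayed in the reused `X509_PUBKEY`, and the caller's eventual `X509_PUBKEY_free()` freed it again. A regression test that decodes a valid SubjectPublicKeyInfo into an object and then a truncated one into the same object would catch any reintroduction.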

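The bug fixed above is a general pattern: a decoder that reuses a caller-owned output object frees the cached sub-object, then fails on malformed input and leaves the dangling pointer for the owner's destructor to free again. The following is an added example, not OpenSSL's code, that reproduces the shape of the bug in miniature with a two-byte toy "DER" format; a small registry of live objects makes the double free observable without invoking undefined behaviour. All `ex_` names and the toy format are assumptions of this example.

```c
/*
 * Added example, not OpenSSL code: a miniature of the d2i_X509_PUBKEY reuse
 * bug. The owner caches a decoded key; the decoder frees the old cache before
 * re-decoding, and with fixed == 0 a malformed second input leaves the freed
 * pointer behind for the owner's destructor. ex_ names are assumptions.
 */
#include <stdlib.h>

struct ex_pkey { int id; };
struct ex_pubkey { struct ex_pkey *pkey; };     /* cached decode, like X509_PUBKEY->pkey */

static struct ex_pkey *ex_live[8];              /* registry of live ex_pkey objects */

static struct ex_pkey *ex_pkey_new(int id)
{
    size_t i;
    struct ex_pkey *k = malloc(sizeof(*k));

    if (k == NULL)
        return NULL;
    k->id = id;
    for (i = 0; i < 8; i++)
        if (ex_live[i] == NULL) { ex_live[i] = k; return k; }
    free(k);
    return NULL;
}

/* Returns 0 and frees nothing if k is not a live object (a double free). */
static int ex_pkey_free(struct ex_pkey *k)
{
    size_t i;

    if (k == NULL)
        return 1;
    for (i = 0; i < 8; i++)
        if (ex_live[i] == k) { ex_live[i] = NULL; free(k); return 1; }
    return 0;
}

/*
 * Toy "DER": byte 0 must be 0x30, byte 1 is the key id. Mirrors pubkey_cb():
 * the cached key is freed on every decode; only with fixed != 0 is the
 * pointer reset, so the malformed-input path leaves the owner consistent.
 */
static int ex_decode_pubkey(struct ex_pubkey *out, const unsigned char *der,
                            size_t len, int fixed)
{
    ex_pkey_free(out->pkey);
    if (fixed)
        out->pkey = NULL;                    /* the one-line fix */
    if (len < 2 || der[0] != 0x30)
        return 0;                            /* malformed: pkey dangles unless fixed */
    out->pkey = ex_pkey_new(der[1]);
    return out->pkey != NULL;
}

/* Frees the owner and its cache; returns 0 if the cache was already freed. */
static int ex_pubkey_free(struct ex_pubkey *p)
{
    int ok = ex_pkey_free(p->pkey);
    free(p);
    return ok;
}

/* Good decode, then a malformed one into the same object, then cleanup.
 * Returns 1 when cleanup was safe, 0 when it hit a double free. */
static int ex_scenario(int fixed)
{
    static const unsigned char good_der[2] = { 0x30, 0x07 };   /* constructed input */
    static const unsigned char bad_der[2]  = { 0xFF, 0x07 };   /* constructed, wrong tag */
    struct ex_pubkey *p = calloc(1, sizeof(*p));

    if (p == NULL || !ex_decode_pubkey(p, good_der, 2, fixed))
        return -1;
    (void)ex_decode_pubkey(p, bad_der, 2, fixed);              /* fails as intended */
    return ex_pubkey_free(p);
}

int main(void)
{
    return ex_scenario(0) == 0 && ex_scenario(1) == 1 ? 0 : 1;
}
```

The registry stands in for what ASan or a hardened allocator would report; in the real library the second `EVP_PKEY_free()` happens inside `X509_PUBKEY_free()`, exactly where `ex_pubkey_free()` frees the cache here.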

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-12-12 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  47c55f881ffef8aa5fafcb88d4230700bb279449 (commit)
  from  e29dcc3794bdc3928942ffb38ee383328b0d6dc1 (commit)


- Log -
commit 47c55f881ffef8aa5fafcb88d4230700bb279449
Author: Tobias Stoeckmann 
Date:   Tue Dec 11 20:34:21 2018 +0100

Fixed typo (vi leftover).

There was a trailing :w at a line, which didn't make sense in context
of the sentence/styling. Removed it, because I think it's a leftover
vi command.

CLA: trivial
Signed-off-by: Tobias Stoeckmann 

Reviewed-by: Matt Caswell 
Reviewed-by: Matthias St. Pierre 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7875)

(cherry picked from commit 143b631639f95822e5e00768254fa35c787f6396)

---

Summary of changes:
 doc/apps/ca.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index 9885bb2..5e183e1 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -223,7 +223,7 @@ the section of the configuration file containing 
certificate extensions
 to be added when a certificate is issued (defaults to B
 unless the B<-extfile> option is used). If no extension section is
 present then, a V1 certificate is created. If the extension section
-is present (even if it is empty), then a V3 certificate is created. See the:w
+is present (even if it is empty), then a V3 certificate is created. See the
 L manual page for details of the
 extension section format.
 


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-12-08 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  e29dcc3794bdc3928942ffb38ee383328b0d6dc1 (commit)
  from  6d405b64b77f29241b680f7edadd14d5dc0a8522 (commit)


- Log -
commit e29dcc3794bdc3928942ffb38ee383328b0d6dc1
Author: Andy Polyakov 
Date:   Fri Dec 7 22:19:57 2018 +0100

err/err.c: improve err_clear_last_constant_time's portability.

Reviewed-by: Kurt Roeckx 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7850)

(cherry picked from commit 91d0fd1c2753f0f7d6e0953eed3cfb6eb96d8ff4)

---

Summary of changes:
 crypto/err/err.c | 23 +--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/crypto/err/err.c b/crypto/err/err.c
index 638cbf2..ba7577b 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -824,6 +824,25 @@ int ERR_pop_to_mark(void)
 return 1;
 }
 
+#ifdef UINTPTR_T
+# undef UINTPTR_T
+#endif
+/*
+ * uintptr_t is the answer, but unfortunately C89, current "least common
+ * denominator" doesn't define it. Most legacy platforms typedef it anyway,
+ * so that attempt to fill the gaps means that one would have to identify
+ * that track these gaps, which would be undesirable. Macro it is...
+ */
+#if defined(__VMS) && __INITIAL_POINTER_SIZE==64
+/*
+ * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
+ * even in 64-bit builds, which means that it won't work as mask.
+ */
+# define UINTPTR_T unsigned long long
+#else
+# define UINTPTR_T size_t
+#endif
+
 void err_clear_last_constant_time(int clear)
 {
 ERR_STATE *es;
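Review bot: the `UINTPTR_T` macro is defined here and never `#undef`'d after use, so it stays visible for the rest of err.c; the `#ifdef UINTPTR_T` / `#undef` guard above only protects against a prior definition. Since `size_t` is assumed pointer-sized everywhere except the VMS special case, a compile-time size check that `UINTPTR_T` is at least as wide as `void *` would catch the next platform where `~((UINTPTR_T)0 - clear)` truncates a pointer instead of masking it.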
@@ -837,8 +856,8 @@ void err_clear_last_constant_time(int clear)
 
 es->err_flags[top] &= ~(0 - clear);
 es->err_buffer[top] &= ~(0UL - clear);
-es->err_file[top] = (const char *)((uintptr_t)es->err_file[top] &
-   ~((uintptr_t)0 - clear));
+es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
+   ~((UINTPTR_T)0 - clear));
 es->err_line[top] |= 0 - clear;
 
 es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-12-08 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  6d405b64b77f29241b680f7edadd14d5dc0a8522 (commit)
   via  437b7f059304f59a0fa96d329ca62cd8d748cbc8 (commit)
   via  43d53fa19da6809e458ebdadba6016d5fbc780a2 (commit)
   via  b58c44a8c1b6c7354c9c8ce4631e27f9eb977b60 (commit)
   via  0ba39c87aa386db3a97be9e11c77aac94176a2fa (commit)
  from  7cbff94dff0b927e95be6fed991579ce8e98aa65 (commit)


- Log -
commit 6d405b64b77f29241b680f7edadd14d5dc0a8522
Author: Andy Polyakov 
Date:   Fri Sep 14 17:24:13 2018 +0200

rsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time.

Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
if nul delimiter is preceded by 8 consecutive 0x03 bytes.

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
(cherry picked from commit 603221407ddc6404f8c417c6beadebf84449074c)

Resolved conflicts:
crypto/rsa/rsa_ssl.c

(Merged from https://github.com/openssl/openssl/pull/7735)

commit 437b7f059304f59a0fa96d329ca62cd8d748cbc8
Author: Andy Polyakov 
Date:   Thu Sep 6 21:54:23 2018 +0200

rsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP.

And make RSAErr call unconditional.

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
(cherry picked from commit 75f5e944be97f28867e7c489823c889d89d0bd06)

(Merged from https://github.com/openssl/openssl/pull/7735)

commit 43d53fa19da6809e458ebdadba6016d5fbc780a2
Author: Andy Polyakov 
Date:   Sat Sep 1 12:00:33 2018 +0200

rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.

And make RSAErr call unconditional.

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
(cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c)

(Merged from https://github.com/openssl/openssl/pull/7735)

commit b58c44a8c1b6c7354c9c8ce4631e27f9eb977b60
Author: Andy Polyakov 
Date:   Fri Sep 14 12:17:43 2018 +0200

rsa/rsa_ossl.c: make RSAerr call in rsa_ossl_private_decrypt unconditional.

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
(cherry picked from commit 89072e0c2a483f2ad678e723e112712567b0ceb1)

(Merged from https://github.com/openssl/openssl/pull/7735)

commit 0ba39c87aa386db3a97be9e11c77aac94176a2fa
Author: Andy Polyakov 
Date:   Sat Sep 1 12:19:30 2018 +0200

err/err.c: add err_clear_last_constant_time.

Expected usage pattern is to unconditionally set error and then
wipe it if there was no actual error.

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
(cherry picked from commit f658a3b64d8750642f4975090740865f770c2a1b)

Resolved conflicts:
crypto/err/err.c

(Merged from https://github.com/openssl/openssl/pull/7735)

---

Summary of changes:
 crypto/err/err.c|  21 +
 crypto/rsa/rsa_oaep.c   |  82 ++---
 crypto/rsa/rsa_ossl.c   |   5 +-
 crypto/rsa/rsa_pk1.c|  93 ++-
 crypto/rsa/rsa_ssl.c| 133 
 doc/crypto/RSA_padding_add_PKCS1_type_1.pod |   7 +-
 include/internal/constant_time_locl.h   |   6 ++
 7 files changed, 234 insertions(+), 113 deletions(-)

diff --git a/crypto/err/err.c b/crypto/err/err.c
index 08c27a3..638cbf2 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -19,6 +19,7 @@
 #include 
 #include 
 #include 
+#include "internal/constant_time_locl.h"
 
 static void err_load_strings(int lib, ERR_STRING_DATA *str);
 
@@ -822,3 +823,23 @@ int ERR_pop_to_mark(void)
 es->err_flags[es->top] &= ~ERR_FLAG_MARK;
 return 1;
 }
+
+void err_clear_last_constant_time(int clear)
+{
+ERR_STATE *es;
+int top;
+
+es = ERR_get_state();
+if (es == NULL)
+return;
+
+top = es->top;
+
+es->err_flags[top] &= ~(0 - clear);
+es->err_buffer[top] &= ~(0UL - clear);
+es->err_file[top] = (const char *)((uintptr_t)es->err_file[top] &
+   ~((uintptr_t)0 - clear));
+es->err_line[top] |= 0 - clear;
+
+es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+}
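Review bot: `err_clear_last_constant_time()` only works when `clear` is exactly 0 or 1, because `~(0 - clear)` must be an all-zero or all-ones mask, and nothing here asserts or documents that precondition; the RSA callers have to derive it from a constant-time mask with `& 1`. Casting `err_file[top]` through `uintptr_t` is not C89, which is why the later portability commit on this page replaces it with a `UINTPTR_T` macro.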
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index df08a2f..4958212 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -126,7 +126,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, 
int tlen,
   const EVP_MD *mgf1md)
 {
 int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
-unsigned int good, found_one_byte;
+unsigned int good = 0, found_one_byte, mask;
 const unsigned char *maskedseed, *maskeddb;
 /*
  * |em| is the encoded message, zero-padded to exactly |num| bytes: em =
@@ -153,8 +153,11 
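The series above describes two techniques: a constant-time PKCS#1 v1.5 (type 2) padding check with the SSLv23 rollback rule ("rejects padding if nul delimiter is preceded by 8 consecutive 0x03 bytes"), and the error-queue pattern of `err_clear_last_constant_time()` ("unconditionally set error and then wipe it if there was no actual error"). The following is an added example, not OpenSSL's code, that puts both together on constructed 32-byte blocks; the `ex_` helpers, the four-slot error ring and the sample inputs are assumptions of this example.

```c
/* Added example, not OpenSSL code: branch-free type-2 unpadding with the
 * SSLv23 rollback rule, plus the raise-then-mask error pattern. */
#include <string.h>

/* Constant-time primitives in the spirit of constant_time_locl.h. */
static unsigned int ex_ct_msb(unsigned int a) { return 0u - (a >> (sizeof(a) * 8 - 1)); }
static unsigned int ex_ct_is_zero(unsigned int a) { return ex_ct_msb(~a & (a - 1)); }
static unsigned int ex_ct_eq(unsigned int a, unsigned int b) { return ex_ct_is_zero(a ^ b); }
static unsigned int ex_ct_lt(unsigned int a, unsigned int b) { return ex_ct_msb(a ^ ((a ^ b) | ((a - b) ^ b))); }
static unsigned int ex_ct_sel(unsigned int m, unsigned int a, unsigned int b) { return (m & a) | (~m & b); }

/* em: decrypted block zero-padded to the modulus size num. Copies M into `to`
 * and returns its length, or -1; *good receives an all-ones/all-zero mask.
 * No branch, loop bound or memory address depends on where the 0x00
 * delimiter sits, so a padding failure takes the same time as a success. */
static int ex_ct_unpad(unsigned char *to, unsigned int tlen, const unsigned char *em,
                       unsigned int num, int sslv23, unsigned int *good)
{
    unsigned int g, found = 0, zidx = 0, rollback = ~0u, mlen, i, j;

    *good = 0;
    if (num < 11)                                  /* public size, may branch */
        return -1;
    g = ex_ct_eq(em[0], 0x00) & ex_ct_eq(em[1], 0x02);
    for (i = 2; i < num; i++) {                    /* index of the first 0x00 after PS */
        unsigned int z = ex_ct_is_zero(em[i]);
        zidx = ex_ct_sel(~found & z, i, zidx);
        found |= z;
    }
    g &= found & ~ex_ct_lt(zidx, 2 + 8);           /* PS must be at least 8 bytes */
    for (i = 2; i < num; i++) {                    /* SSLv23: 8 x 0x03 right before the 0x00 */
        unsigned int in_win = ex_ct_lt(i, zidx) & ~ex_ct_lt(i + 8, zidx);
        rollback &= ex_ct_sel(in_win, ex_ct_eq(em[i], 0x03), ~0u);
    }
    g &= ~(rollback & (0u - (unsigned int)(sslv23 != 0)));
    mlen = num - zidx - 1;
    g &= ~ex_ct_lt(tlen, mlen);                    /* M must fit in `to` */
    memset(to, 0, tlen);
    for (j = 0; j < tlen; j++)                     /* address-independent copy of M */
        for (i = 2; i < num; i++)
            to[j] |= em[i] & (unsigned char)(g & ex_ct_eq(i, zidx + 1 + j));
    *good = g;
    return (int)ex_ct_sel(g, mlen, ~0u);
}

/* Four-slot ring standing in for ERR_STATE (assumption of this example). */
#define EX_SLOTS 4
#define EX_ERR_PADDING 0x1234u
struct ex_err { unsigned int code[EX_SLOTS]; unsigned int top; };

static void ex_err_put(struct ex_err *es, unsigned int c) { es->top = (es->top + 1) % EX_SLOTS; es->code[es->top] = c; }

/* Same shape as err_clear_last_constant_time(): clear must be exactly 0 or 1. */
static void ex_err_clear_last_ct(struct ex_err *es, unsigned int clear)
{
    es->code[es->top] &= ~(0u - clear);
    es->top = (es->top + EX_SLOTS - clear) % EX_SLOTS;
}

/* Caller pattern from the commit message: raise on every call, wipe by mask on success. */
static int ex_unpad_with_err(struct ex_err *es, unsigned char *to, unsigned int tlen,
                             const unsigned char *em, unsigned int num, int sslv23)
{
    unsigned int good;
    int r;
    ex_err_put(es, EX_ERR_PADDING);
    r = ex_ct_unpad(to, tlen, em, num, sslv23, &good);
    ex_err_clear_last_ct(es, good & 1u);           /* 0 or 1, never a branch on good */
    return r;
}

/* Constructed 32-byte blocks, not real RSA output: variant 0 is valid, 1 has the
 * wrong block type, 2 is valid but ends PS with the SSLv23 rollback marker. */
static void ex_build_em(unsigned char em[32], int variant)
{
    unsigned int i;
    em[0] = 0x00; em[1] = 0x02;
    for (i = 2; i < 26; i++)
        em[i] = (unsigned char)(0x41 + i % 23);    /* 24 non-zero PS bytes */
    em[26] = 0x00;
    memcpy(em + 27, "hello", 5);
    if (variant == 1)
        em[1] = 0x01;
    if (variant == 2)
        memset(em + 18, 0x03, 8);
}

struct ex_result { int len; unsigned int last_err; int msg_ok; };

/* Runs one variant end to end and reports what a caller would observe. */
static struct ex_result ex_demo(int variant, int sslv23)
{
    struct ex_err es = { { 0, 0, 0, 0 }, 0 };
    struct ex_result res;
    unsigned char em[32], to[32];
    ex_build_em(em, variant);
    res.len = ex_unpad_with_err(&es, to, sizeof(to), em, 32, sslv23);
    res.last_err = es.code[es.top];
    res.msg_ok = res.len == 5 && memcmp(to, "hello", 5) == 0;
    return res;
}
```

The quadratic copy loop is deliberate: it is the simplest way to move M to a fixed position without an address that depends on `zidx`; the library's own rewrite (the "remove memcpy calls" commits above) achieves the same with a rotation. `ex_demo(2, 1)` is the rollback case: the block unpads fine as plain PKCS#1 but is rejected under the SSLv23 rule, and the error left on the ring tells the two outcomes apart only after the constant-time work is done.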

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-24 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  403783ce05991e21a50d637398798a014e2c4f9d (commit)
   via  ffe7659f788300d924179209c854e6826f2c0332 (commit)
   via  58381f26c288505766daac9e0f20f879fcd06631 (commit)
   via  0e17281a9c35077263128f721e82199a89c36cb8 (commit)
   via  ed207080455147f76d575687f1a7743fa6b0ae0a (commit)
  from  7dac8144a760f0d9780cd7eb0771894874becd78 (commit)


- Log -
commit 403783ce05991e21a50d637398798a014e2c4f9d
Author: Richard Levitte 
Date:   Sat Nov 24 17:51:24 2018 +0100

Have util/mktar.sh display the absolute path to the tarball

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7696)

(cherry picked from commit 3be389435fc7b94623d972b622dbd9f0cd5c34f7)

commit ffe7659f788300d924179209c854e6826f2c0332
Author: Richard Levitte 
Date:   Sat Nov 24 11:27:50 2018 +0100

Make sure to run util/mktar.sh from the source directory

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7696)

(cherry picked from commit b741f153b2f24139d7210b1b0c9caf561f4900e8)

commit 58381f26c288505766daac9e0f20f879fcd06631
Author: Richard Levitte 
Date:   Sat Nov 24 00:59:33 2018 +0100

Don't export the submodules 'boringssl', 'krb5' and 'pyca-cryptography'

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7696)

(cherry picked from commit 76bc401cc63219a462224884cb4af787e17725ed)

commit 0e17281a9c35077263128f721e82199a89c36cb8
Author: Richard Levitte 
Date:   Fri Nov 23 14:43:16 2018 +0100

Don't export util/mktar.sh

When creating a tarball, it's pointless to include scripts that assume
a git workspace.

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7696)

(cherry picked from commit b9a694717902af796639e1dff641ba620703303b)

commit ed207080455147f76d575687f1a7743fa6b0ae0a
Author: Richard Levitte 
Date:   Fri Nov 23 14:40:39 2018 +0100

Document the removed 'dist' target

Also adds missing copyright boilerplate to util/mktar.sh

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7696)

(cherry picked from commit b42922ea2f605fd6c42faad1743fb27be5f7f1f3)

---

Summary of changes:
 .gitattributes|  4 
 CHANGES   |  5 -
 Configurations/unix-Makefile.tmpl |  3 ++-
 util/mktar.sh | 11 ++-
 4 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/.gitattributes b/.gitattributes
index 912b4ae..96e40b6 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -6,3 +6,7 @@
 fuzz/corpora/** export-ignore
 Configurations/*.norelease.conf export-ignore
 .*  export-ignore
+util/mktar.sh   export-ignore
+boringssl   export-ignore
+krb5export-ignore
+pyca-cryptography   export-ignore
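Review bot: marking the `boringssl`, `krb5` and `pyca-cryptography` submodule paths `export-ignore` is needed because `git archive` does not recurse into submodules and would otherwise leave empty directories for them in the tarball; the `.*` pattern one line above already drops `.gitmodules`, so the archive no longer references them at all. Note that `.*` also excludes this `.gitattributes` file and `.travis*` from the tarball, which is presumably intended.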
diff --git a/CHANGES b/CHANGES
index 60c0dd1..e19b976 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,10 @@
 
  Changes between 1.1.0j and 1.1.0k [xx XXX ]
 
-  *)
+  *) Remove the 'dist' target and add a tarball building script.  The
+ 'dist' target has fallen out of use, and it shouldn't be
+ necessary to configure just to create a source distribution.
+ [Richard Levitte]
 
  Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
 
diff --git a/Configurations/unix-Makefile.tmpl 
b/Configurations/unix-Makefile.tmpl
index b35db4f..af84bd4 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -201,6 +201,7 @@ MAKEDEPEND={- $config{makedepprog} -}
 
 BASENAME=   openssl
 NAME=   $(BASENAME)-$(VERSION)
+# Relative to $(SRCDIR)
 TARFILE=../$(NAME).tar
 
 # We let the C compiler driver to take care of .s files. This is done in
@@ -666,7 +667,7 @@ tags TAGS: FORCE
 # Release targets (note: only available on Unix) #
 
 tar:
-   $(SRCDIR)/util/mktar.sh --name='$(NAME)' --tarfile='$(TARFILE)'
+   (cd $(SRCDIR); ./util/mktar.sh --name='$(NAME)' --tarfile='$(TARFILE)')
 
 # Helper targets #
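Review bot: `(cd $(SRCDIR); ./util/mktar.sh ...)` uses `;`, so if the `cd` fails the script runs in the build directory against the wrong tree; `(cd $(SRCDIR) && ./util/mktar.sh --name='$(NAME)' --tarfile='$(TARFILE)')` makes a bad SRCDIR abort the target. The `# Relative to $(SRCDIR)` note on TARFILE in the previous hunk is what makes this cd necessary, so the two hunks should be read together.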
 
diff --git a/util/mktar.sh b/util/mktar.sh
index 0848b7b..17115cf 100755
--- a/util/mktar.sh
+++ b/util/mktar.sh
@@ -1,4 +1,10 @@
 #! /bin/sh
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
 
 HERE=`dirname $0`

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-23 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  7dac8144a760f0d9780cd7eb0771894874becd78 (commit)
  from  b97cbe05a3a4bf18b6bd6262dbda04b87256a54c (commit)


- Log -
commit 7dac8144a760f0d9780cd7eb0771894874becd78
Author: Andy Polyakov 
Date:   Wed Nov 7 22:07:22 2018 +0100

rsa/rsa_ossl.c: cache MONT_CTX for public modulus earlier.

Blinding is performed more efficiently and securely if MONT_CTX for public
modulus is available by the time blinding parameter are instantiated. So
make sure it's the case.

Reviewed-by: Matt Caswell 
Reviewed-by: Richard Levitte 

(cherry picked from commit 2cc3f68cde77af23c61fbad65470602ee86f2575)

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7586)

---

Summary of changes:
 crypto/rsa/rsa_ossl.c | 12 +---
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 23f948f..a485c7e 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -280,6 +280,11 @@ static int rsa_ossl_private_encrypt(int flen, const 
unsigned char *from,
 goto err;
 }
 
+if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+if (!BN_MONT_CTX_set_locked(>_method_mod_n, rsa->lock,
+rsa->n, ctx))
+goto err;
+
 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
 blinding = rsa_get_blinding(rsa, _blinding, ctx);
 if (blinding == NULL) {
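Review bot: `>_method_mod_n` on the `BN_MONT_CTX_set_locked` line and `_blinding` on the `rsa_get_blinding` line are extraction damage on this page (the `&rsa-` and `&local` prefixes are missing), not the patch's text. Moving the Montgomery setup ahead of `rsa_get_blinding()` is the substance of the change, so `rsa->_method_mod_n` is populated before the blinding parameters are instantiated; the error path here can be a plain `goto err` because `d` has not been created yet at this point.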
@@ -311,13 +316,6 @@ static int rsa_ossl_private_encrypt(int flen, const 
unsigned char *from,
 }
 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
 
-if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
-if (!BN_MONT_CTX_set_locked(>_method_mod_n, rsa->lock,
-rsa->n, ctx)) {
-BN_free(d);
-goto err;
-}
-
 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
 BN_free(d);
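Review bot: removing this block also removes the `BN_free(d)` on that error path, which is only correct because the Montgomery setup now runs before `d` exists (previous hunk); double-check that every remaining error exit after `BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME)` still frees `d`, since the visible `BN_free(d)` after `bn_mod_exp` suggests the pattern is per-exit rather than centralised at `err:`.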


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-23 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  b97cbe05a3a4bf18b6bd6262dbda04b87256a54c (commit)
   via  f68bfdf62805f1f3af4330754c7f141fa521b6dd (commit)
  from  0fbe8491fc05d280a1f00bfc26dd3c3a6c63f04a (commit)


- Log -
commit b97cbe05a3a4bf18b6bd6262dbda04b87256a54c
Author: Richard Levitte 
Date:   Thu Nov 22 21:29:02 2018 +0100

Remove all 'make dist' artifacts

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7692)

(cherry picked from commit 8d9535ec3e317641b8e551973c8cfe2ee1c89296)

commit f68bfdf62805f1f3af4330754c7f141fa521b6dd
Author: Richard Levitte 
Date:   Thu Nov 22 21:17:47 2018 +0100

Change tarball making procedure

Since recently, OpenSSL tarballs are produced with 'make tar' rather
than 'make dist', as the latter has turned out to be more troublesome
than useful.

The next step to look at is why we would need to configure at all to
produce a Makefile just to produce a tarball.  After all, the tarball
should now only contain source files that are present even without
configuring.

Furthermore, the current method for producing tarballs is a bit
complex, and can be greatly simplified with the right tools.  Since we
have everything versioned with git, we might as well use the tool that
comes with it.

Added: util/mktar.sh, a simple script to produce OpenSSL tarballs.  It
takes the options --name to modify the prefix of the distribution, and
--tarfile to modify the tarball file name specifically.

This also adds a few entries in .gitattributes to specify files that
should never end up in a distribution tarball.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7692)

(cherry picked from commit 8c209eeef426ded66ce99048f535f35d08b88462)

---

Summary of changes:
 .gitattributes|  5 +
 .travis-create-release.sh | 10 +-
 Configurations/dist.conf  | 12 
 Configurations/unix-Makefile.tmpl | 30 +-
 util/mktar.sh | 27 +++
 5 files changed, 34 insertions(+), 50 deletions(-)
 delete mode 100644 Configurations/dist.conf
 create mode 100755 util/mktar.sh

diff --git a/.gitattributes b/.gitattributes
index 15121c8..912b4ae 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,8 @@
 *.der binary
 /fuzz/corpora/** binary
 *.pfx binary
+
+# For git archive
+fuzz/corpora/** export-ignore
+Configurations/*.norelease.conf export-ignore
+.*  export-ignore
diff --git a/.travis-create-release.sh b/.travis-create-release.sh
index 311cedd..3407de7 100644
--- a/.travis-create-release.sh
+++ b/.travis-create-release.sh
@@ -1,11 +1,3 @@
 #! /bin/sh
 
-# $1 is expected to be $TRAVIS_OS_NAME
-
-./Configure dist
-if [ "$1" == osx ]; then
-make NAME='_srcdist' TARFILE='_srcdist.tar' \
- TAR_COMMAND='$(TAR) $(TARFLAGS) -cvf -' tar
-else
-make TARFILE='_srcdist.tar' NAME='_srcdist' dist
-fi
+./util/mktar.sh --name=_srcdist
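Review bot: the `osx` branch being deleted here existed because the default `TAR_COMMAND` in the Makefile template depends on GNU-only `--owner 0 --group 0`, so `./util/mktar.sh --name=_srcdist` now has to cope with BSD tar on macOS by itself; util/mktar.sh is not in this excerpt, so that should be checked on the osx Travis job rather than assumed. The `$1` argument (`$TRAVIS_OS_NAME`, per the deleted comment) is now ignored; harmless, but .travis.yml should stop passing it so the next reader does not look for a consumer.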
diff --git a/Configurations/dist.conf b/Configurations/dist.conf
deleted file mode 100644
index 4f58dad..000
--- a/Configurations/dist.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-## -*- mode: perl; -*-
-## Build configuration targets for openssl-team members
-
-# This is to support 'make dist'
-%targets = (
-"dist" => {
-inherit_from => [ 'BASE_unix' ],
-cc   => "cc",
-cflags   => "-O",
-thread_scheme=> "(unknown)",
-},
-);
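Review bot: deleting the `dist` target means `./Configure dist` now fails as an unknown target, so grep INSTALL, README and any release tooling for that invocation (the old .travis-create-release.sh above is the one caller this patch updates) to make sure nothing else still drives it.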
diff --git a/Configurations/unix-Makefile.tmpl 
b/Configurations/unix-Makefile.tmpl
index 7254478..b35db4f 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -665,36 +665,8 @@ tags TAGS: FORCE
 
 # Release targets (note: only available on Unix) #
 
-# If your tar command doesn't support --owner and --group, make sure to
-# use one that does, for example GNU tar
-TAR_COMMAND=$(TAR) $(TARFLAGS) --owner 0 --group 0 -cvf -
-PREPARE_CMD=:
 tar:
-   set -e; \
-   TMPDIR=/var/tmp/openssl-copy.; \
-   DISTDIR=$(NAME); \
-   mkdir -p $$TMPDIR/$$DISTDIR; \
-   (cd $(SRCDIR); \
-excl_re="^(fuzz/corpora|Configurations/.*\.norelease\.conf)"; \
-echo "$$excl_re"; \
-git ls-tree -r --name-only --full-tree HEAD \
-| egrep -v "$$excl_re" \
-| while read F; do \
-  mkdir -p $$TMPDIR/$$DISTDIR/`dirname $$F`; \
-  cp $$F $$TMPDIR/$$DISTDIR/$$F; \
-  done); \
-   (cd $$TMPDIR/$$DISTDIR; \
-$(PREPARE_CMD); \
-find . -type d -print | xargs chmod 755; \
-find . -type f -print | xargs chmod a+r; \
-
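Review bot: the recipe being removed staged the tree under a predictable path in the world-writable `/var/tmp` (`TMPDIR=/var/tmp/openssl-copy.` as shown) with `mkdir -p`, which succeeds silently on a pre-existing directory owned by someone else, so the replacement in util/mktar.sh should build straight from `git archive` and not reintroduce a shared temp directory (or use `mktemp -d` if it must stage). The deleted `TAR_COMMAND` also normalised ownership with `--owner 0 --group 0`; a tarball that embeds the release engineer's uid and gid is not reproducible, so that normalisation has to survive the move into the script.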

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-20 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  0fbe8491fc05d280a1f00bfc26dd3c3a6c63f04a (commit)
   via  74f2d9c1ec5f5510e1d3da5a9f03c28df0977762 (commit)
  from  a8e613cc51beaeb181a322da3620a27ef8bcead3 (commit)


- Log -
commit 0fbe8491fc05d280a1f00bfc26dd3c3a6c63f04a
Author: Matt Caswell 
Date:   Tue Nov 20 13:42:16 2018 +

Prepare for 1.1.0k-dev

Reviewed-by: Richard Levitte 

commit 74f2d9c1ec5f5510e1d3da5a9f03c28df0977762
Author: Matt Caswell 
Date:   Tue Nov 20 13:41:22 2018 +

Prepare for 1.1.0j release

Reviewed-by: Richard Levitte 

---

Summary of changes:
 CHANGES| 6 +-
 NEWS   | 6 +-
 README | 2 +-
 include/openssl/opensslv.h | 6 +++---
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index cb2e6b1..60c0dd1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,11 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
- Changes between 1.1.0i and 1.1.0j [xx XXX ]
+ Changes between 1.1.0j and 1.1.0k [xx XXX ]
+
+  *)
+
+ Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
 
   *) Timing vulnerability in DSA signature generation
 
diff --git a/NEWS b/NEWS
index 88a0be4..188e9aa 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [under development]
+  Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [under development]
+
+  o
+
+  Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018]
 
   o Timing vulnerability in DSA signature generation (CVE-2018-0734)
   o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
diff --git a/README b/README
index 3af2619..51828a7 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.0j-dev
+ OpenSSL 1.1.0k-dev
 
  Copyright (c) 1998-2018 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 72f09af..0e2992e 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,11 +39,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101000a0L
+# define OPENSSL_VERSION_NUMBER  0x101000b0L
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0j-fips-dev  xx XXX "
+#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0k-fips-dev  xx XXX "
 # else
-#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0j-dev  xx XXX "
+#  define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0k-dev  xx XXX "
 # endif
 
 /*-
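Review bot: the number is consistent with the MMNNFFPPS scheme the comment above the hunk describes: 0x101000b0L is major 1, minor 1, fix 0, patch 0x0b which is 'k' (0x0a was 'j'), with the dev status nibble. This is the post-release bump, so the release commit in the same push (74f2d9c) is the one that must carry the release status and the real date in OPENSSL_VERSION_TEXT; worth diffing the two to confirm `xx XXX` did not survive there.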
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-20 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  a8e613cc51beaeb181a322da3620a27ef8bcead3 (commit)
  from  503c18583a1c8910ad42d4426290f0a61daae7a6 (commit)


- Log -
commit a8e613cc51beaeb181a322da3620a27ef8bcead3
Author: Matt Caswell 
Date:   Tue Nov 20 13:21:36 2018 +

Update copyright year

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7670)

---

Summary of changes:
 apps/pkey.c | 2 +-
 apps/req.c  | 2 +-
 config  | 2 +-
 crypto/bio/b_print.c| 2 +-
 crypto/bn/asm/x86_64-gcc.c  | 2 +-
 crypto/bn/bn_blind.c| 2 +-
 crypto/bn/bn_mul.c  | 2 +-
 crypto/bn/bn_x931p.c| 2 +-
 crypto/conf/conf_mod.c  | 2 +-
 crypto/ct/ct_log.c  | 2 +-
 crypto/dh/dh_lib.c  | 2 +-
 crypto/dsa/dsa_lib.c| 2 +-
 crypto/ec/ec_key.c  | 2 +-
 crypto/ec/ec_kmeth.c| 2 +-
 crypto/ec/ecp_mont.c| 2 +-
 crypto/ec/ecp_nist.c| 2 +-
 crypto/ec/ecp_nistp224.c| 2 +-
 crypto/ec/ecp_nistp521.c| 2 +-
 crypto/engine/eng_list.c| 2 +-
 crypto/kdf/hkdf.c   | 2 +-
 crypto/lhash/lhash.c| 2 +-
 crypto/objects/o_names.c| 2 +-
 crypto/ocsp/ocsp_cl.c   | 2 +-
 crypto/pkcs12/p12_init.c| 2 +-
 crypto/pkcs12/p12_mutl.c| 2 +-
 crypto/pkcs7/pk7_lib.c  | 2 +-
 crypto/rand/md_rand.c   | 2 +-
 crypto/rand/randfile.c  | 2 +-
 crypto/rsa/rsa_lib.c| 2 +-
 crypto/x509/by_file.c   | 2 +-
 doc/apps/crl.pod| 2 +-
 doc/apps/req.pod| 2 +-
 doc/crypto/EVP_DigestVerifyInit.pod | 2 +-
 engines/e_capi.c| 2 +-
 include/openssl/ec.h| 2 +-
 include/openssl/ocsp.h  | 2 +-
 include/openssl/symhacks.h  | 2 +-
 ssl/s3_enc.c| 2 +-
 test/ct_test.c  | 2 +-
 test/recipes/30-test_evp.t  | 2 +-
 test/secmemtest.c   | 2 +-
 util/mkrc.pl| 2 +-
 42 files changed, 42 insertions(+), 42 deletions(-)

diff --git a/apps/pkey.c b/apps/pkey.c
index 60e8581..5c13d8b 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/apps/req.c b/apps/req.c
index a691f93..a20e7c1 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/config b/config
index 19c0071..ef0841d 100755
--- a/config
+++ b/config
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index bf006d1..8f50cb8 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
index cdb54fa..621be33 100644
--- a/crypto/bn/asm/x86_64-gcc.c
+++ b/crypto/bn/asm/x86_64-gcc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
index 7a8237c..9474e21 100644
--- a/crypto/bn/bn_blind.c
+++ b/crypto/bn/bn_blind.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
 

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-20 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  503c18583a1c8910ad42d4426290f0a61daae7a6 (commit)
  from  b1aec9e84e2d36b0c4b45633d5343a39cb1ac25f (commit)


- Log -
commit 503c18583a1c8910ad42d4426290f0a61daae7a6
Author: Matt Caswell 
Date:   Tue Nov 20 10:52:53 2018 +

Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte 
Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/7666)

---

Summary of changes:
 CHANGES | 20 
 NEWS|  3 ++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 28b9938..cb2e6b1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,26 @@
 
  Changes between 1.1.0i and 1.1.0j [xx XXX ]
 
+  *) Timing vulnerability in DSA signature generation
+
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the 
signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+ (CVE-2018-0734)
+ [Paul Dale]
+
+  *) Timing vulnerability in ECDSA signature generation
+
+ The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the 
signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+ (CVE-2018-0735)
+ [Paul Dale]
+
   *) Add coordinate blinding for EC_POINT and implement projective
  coordinate blinding for generic prime curves as a countermeasure to
  chosen point SCA attacks.
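Review bot: the DSA and ECDSA entries are identical apart from the algorithm name and report date, and neither says what was changed; since the DSA fix on this branch is the single `BN_set_flags(l, BN_FLG_CONSTTIME)` line in crypto/dsa/dsa_ossl.c (commit 26d7fce, further down this page) and the EC-side changes on the page are in ec_mul_consttime() in crypto/ec/ec_mult.c, name the routine in each entry so packagers carrying vendored copies can verify they picked up the right change instead of matching on the CVE id alone.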
diff --git a/NEWS b/NEWS
index ca3ed49..88a0be4 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@
 
   Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [under development]
 
-  o
+  o Timing vulnerability in DSA signature generation (CVE-2018-0734)
+  o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
 
   Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018]
 


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-13 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  b1aec9e84e2d36b0c4b45633d5343a39cb1ac25f (commit)
  from  841303dad2d0bb28db2317d36ef430e73d137d3d (commit)


- Log -
commit b1aec9e84e2d36b0c4b45633d5343a39cb1ac25f
Author: Richard Levitte 
Date:   Tue Nov 13 17:57:45 2018 +0100

Fix typo in util/perl/OpenSSL/Test.pm

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7633)

(cherry picked from commit 2dc37bc2b4c678462a24d2904604e58c0c5ac1cb)

---

Summary of changes:
 util/perl/OpenSSL/Test.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/perl/OpenSSL/Test.pm b/util/perl/OpenSSL/Test.pm
index a6be487..a77909c 100644
--- a/util/perl/OpenSSL/Test.pm
+++ b/util/perl/OpenSSL/Test.pm
@@ -704,7 +704,7 @@ Returns a list of two numbers, the first representing the 
build version,
 the second representing the library version.  See opensslv.h for more
 information on those numbers.
 
-= back
+=back
 
 =cut
 


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-13 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  841303dad2d0bb28db2317d36ef430e73d137d3d (commit)
   via  75711510f08c33f55c40b89b21cb71d1a1679abf (commit)
  from  013aefc5f03c95f5366cc854ffb02b0df49af90d (commit)


- Log -
commit 841303dad2d0bb28db2317d36ef430e73d137d3d
Author: Richard Levitte 
Date:   Tue Nov 13 18:28:41 2018 +0100

test/recipes/90-test_shlibload.t needs $target{shared_extension}

We therefore must add defaults.

Reviewed-by: Viktor Dukhovni 
(Merged from https://github.com/openssl/openssl/pull/7631)

commit 75711510f08c33f55c40b89b21cb71d1a1679abf
Author: Richard Levitte 
Date:   Tue Nov 13 15:57:34 2018 +0100

Fix rpath-related Linux "test_shlibload" failure.

When libssl and libcrypto are compiled on Linux with "-rpath", but
not "--enable-new-dtags", the RPATH takes precedence over
LD_LIBRARY_PATH, and we end up running with the wrong libraries.
This is resolved by using full (or at least relative, rather than
just the filename to be found on LD_LIBRARY_PATH) paths to the
shared objects.

Reviewed-by: Viktor Dukhovni 
(Merged from https://github.com/openssl/openssl/pull/7631)

---

Summary of changes:
 Configurations/00-base-templates.conf |  6 ++
 test/recipes/90-test_shlibload.t  | 27 +++
 util/shlib_wrap.sh.in | 28 +++-
 3 files changed, 44 insertions(+), 17 deletions(-)

diff --git a/Configurations/00-base-templates.conf 
b/Configurations/00-base-templates.conf
index 3455b3a..8503c2f 100644
--- a/Configurations/00-base-templates.conf
+++ b/Configurations/00-base-templates.conf
@@ -68,6 +68,8 @@
 }
 return (); },
 
+shared_extension => ".so",
+
 build_scheme=> [ "unified", "unix" ],
 build_file  => "Makefile",
 },
@@ -99,6 +101,8 @@
 mtinflag=> "-manifest ",
 mtoutflag   => "-outputresource:",
 
+shared_extension => ".dll",
+
 build_file  => "makefile",
 build_scheme=> [ "unified", "windows" ],
 },
@@ -107,6 +111,8 @@
 inherit_from=> [ "BASE_common" ],
 template=> 1,
 
+shared_extension => ".exe",
+
 build_file   => "descrip.mms",
 build_scheme => [ "unified", "VMS" ],
 },
diff --git a/test/recipes/90-test_shlibload.t b/test/recipes/90-test_shlibload.t
index 04d5265..78899f6 100644
--- a/test/recipes/90-test_shlibload.t
+++ b/test/recipes/90-test_shlibload.t
@@ -6,8 +6,7 @@
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html
 
-
-use OpenSSL::Test qw/:DEFAULT bldtop_dir/;
+use OpenSSL::Test qw/:DEFAULT bldtop_dir bldtop_file/;
 use OpenSSL::Test::Utils;
 
 #Load configdata.pm
@@ -22,12 +21,13 @@ plan skip_all => "Test only supported in a shared build" if 
disabled("shared");
 
 plan tests => 4;
 
-my $libcrypto_idx = $unified_info{rename}->{libcrypto} // "libcrypto";
-my $libssl_idx = $unified_info{rename}->{libssl} // "libssl";
-my $libcrypto =
-
$unified_info{sharednames}->{$libcrypto_idx}.$target{shared_extension_simple};
-my $libssl =
-$unified_info{sharednames}->{$libssl_idx}.$target{shared_extension_simple};
+# When libssl and libcrypto are compiled on Linux with "-rpath", but not
+# "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH,
+# and we end up running with the wrong libraries.  This is resolved by
+# using paths to the shared objects, not just the names.
+
+my $libcrypto = bldtop_file(shlib('libcrypto'));
+my $libssl = bldtop_file(shlib('libssl'));
 
 ok(run(test(["shlibloadtest", "-crypto_first", $libcrypto, $libssl])),
"running shlibloadtest -crypto_first");
@@ -38,3 +38,14 @@ ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, 
$libssl])),
 ok(run(test(["shlibloadtest", "-dso_ref", $libcrypto, $libssl])),
"running shlibloadtest -dso_ref");
 
+sub shlib {
+my $lib = shift;
+$lib = $unified_info{rename}->{$lib}
+if defined $unified_info{rename}->{$lib};
+$lib = $unified_info{sharednames}->{$lib}
+. ($target{shlib_variant} || "")
+. ($target{shared_extension} || ".so");
+$lib =~ s|\.\$\(SHLIB_MAJOR\)\.\$\(SHLIB_MINOR\)
+ |.$config{shlib_version_number}|x;
+return $lib;
+}
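Review bot: `shlib()` is defined twice in this patch, here and again in util/shlib_wrap.sh.in (the hunk below, truncated on this page), with the same rename/sharednames/shlib_variant logic, and the two copies will drift; define it once in OpenSSL::Test next to bldtop_file (or in configdata) and call it from both. The `|| ".so"` fallback is also redundant now that 00-base-templates.conf defines `shared_extension` for every base template, and would be wrong for the Windows (`.dll`) and VMS (`.exe`) ones if a target ever reached it.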
diff --git a/util/shlib_wrap.sh.in b/util/shlib_wrap.sh.in
index 6c115ba..d030d33 100755
--- a/util/shlib_wrap.sh.in
+++ b/util/shlib_wrap.sh.in
@@ -1,5 +1,22 @@
 #!/bin/sh
+{-
+use lib '.';
+use configdata;
 
+sub shlib {
+my $lib = shift;
+return "" if $disabled{shared};
+$lib = $unified_info{rename}->{$lib}
+if defined $unified_info{rename}->{$lib};
+$lib = $unified_info{sharednames}->{$lib}
+. 
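Review bot: `use lib '.'` in the template block puts the current directory at the front of @INC for this configure-time evaluation; that is the right way to find the generated configdata.pm now that Perl no longer searches '.' by default, but it shadows the system search path for every module name, so keep the `use` list to configdata alone and do not copy the idiom into scripts that run outside the build directory.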

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-13 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  013aefc5f03c95f5366cc854ffb02b0df49af90d (commit)
  from  5f16ab333142de832555d3265aad243eb119b195 (commit)


- Log -
commit 013aefc5f03c95f5366cc854ffb02b0df49af90d
Author: Richard Levitte 
Date:   Tue Nov 13 18:49:21 2018 +0100

Configuration: make sure the shared_sources table doesn't contain empty elements

Fixes #7634

Reviewed-by: Viktor Dukhovni 
(Merged from https://github.com/openssl/openssl/pull/7635)

(cherry picked from commit 0c594ccc29f6ba241627f436ba3d05fc400d1066)

---

Summary of changes:
 Configure | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Configure b/Configure
index d85ff6a..a1ce652 100755
--- a/Configure
+++ b/Configure
@@ -1906,8 +1906,8 @@ EOF
 next unless defined($unified_info{includes}->{$dest}->{$k});
 my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}};
 foreach my $obj (grep /\.o$/,
- (keys %{$unified_info{sources}->{$dest}},
-  keys %{$unified_info{shared_sources}->{$dest}})) 
{
+ (keys %{$unified_info{sources}->{$dest} // {}},
+  keys %{$unified_info{shared_sources}->{$dest} // 
{}})) {
 foreach my $inc (@incs) {
 unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc
 unless grep { $_ eq $inc } 
@{$unified_info{includes}->{$obj}->{$k}};
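Review bot: the `// {}` guards are doing more than avoiding a warning: dereferencing `%{$unified_info{shared_sources}->{$dest}}` for a target with no shared sources autovivifies an empty entry in the table, which is the "empty elements" of the subject line and what downstream build-file generation then trips over. A one-line comment saying the `// {}` is there to stop autovivification would keep someone from "simplifying" it away, and the same `keys %{$unified_info{...}->{$dest}}` pattern elsewhere in Configure deserves the same guard rather than fixing one table at a time.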


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-13 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  5f16ab333142de832555d3265aad243eb119b195 (commit)
  from  6ab937f2df403bdda7e25b6c62a93b061171250e (commit)


- Log -
commit 5f16ab333142de832555d3265aad243eb119b195
Author: Richard Levitte 
Date:   Wed Oct 31 09:02:00 2018 +0100

Windows build: build foo.d after foo.obj

We made the build of foo.obj depend on foo.d, meaning the latter gets
built first.  Unfortunately, the way the compiler works, we are forced
to redirect all output to foo.d, meaning that if the source contains
an error, the build fails without showing those errors.

We therefore remove the dependency and force the build of foo.d to
always happen after build of foo.obj.

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/7533)

---

Summary of changes:
 Configurations/windows-makefile.tmpl | 16 +++-
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/Configurations/windows-makefile.tmpl 
b/Configurations/windows-makefile.tmpl
index ef5af42..5c8d3e8 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -461,22 +461,20 @@ $obj$objext: $deps
\$(AS) \$(ASFLAGS) \$(ASOUTFLAG)\$\@ $srcs
 EOF
  }
- return <<"EOF"if (!$disabled{makedepend});
-$obj$depext: $deps
-   \$(CC) \$(CFLAGS) $ecflags$inc /Zs /showIncludes $srcs 2>&1 | \\
+ my $recipe = <<"EOF";
+$obj$objext: $deps
+   \$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ $srcs
+EOF
+ $recipe .= <<"EOF"unless $disabled{makedepend};
+   \$(CC) $incs \$(CFLAGS) $ecflags /Zs /showIncludes $srcs 2>&1 | \\
"\$(PERL)" -n << > $obj$depext
 chomp;
 s/^Note: including file: *//;
 \$\$collect{\$\$_} = 1;
 END { print '$obj$objext: ',join(" ", sort keys \%collect),"\\n" }
 <<
-$obj$objext: $obj$depext
-   \$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ $srcs
-EOF
-return <<"EOF" if ($disabled{makedepend});
-$obj$objext: $deps
-   \$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ $srcs
 EOF
+ return $recipe;
  }
 
  # On Unix, we build shlibs from static libs, so we're ignoring the
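Review bot: with the `.d` generation folded into the `.obj` recipe there is no longer any rule that produces `foo.d` on its own, so a deleted or stale dependency file is only regenerated when `foo.obj` itself is rebuilt, and the `/showIncludes` pass that now follows a successful compile cannot fail the build in a meaningful way (the pipeline's status is that of the trailing perl). That is an acceptable trade for seeing compiler errors, but it should be stated in a comment on the recipe, and the makedepend consumer should be checked to tolerate a missing `.d`.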


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-09 Thread nic . tuv
The branch OpenSSL_1_1_0-stable has been updated
   via  6ab937f2df403bdda7e25b6c62a93b061171250e (commit)
  from  4a498d0ed50f377584ebadce715fbcc2c0f53c23 (commit)


- Log -
commit 6ab937f2df403bdda7e25b6c62a93b061171250e
Author: Billy Brumley 
Date:   Fri Nov 9 09:25:43 2018 +0200

[crypto/bn] swap BN_FLG_FIXED_TOP too

Reviewed-by: Matt Caswell 
Reviewed-by: Richard Levitte 
Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/7599)

(cherry picked from commit dd41956d80686638d74fd203bd67060f90966280)

---

Summary of changes:
 crypto/bn/bn_lib.c | 42 +++---
 1 file changed, 23 insertions(+), 19 deletions(-)

diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 80f8599..3f3c7bb 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -852,26 +852,30 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, 
BIGNUM *b, int nwords)
 b->neg ^= t;
 
 /*-
- * Idea behind BN_FLG_STATIC_DATA is actually to
- * indicate that data may not be written to.
- * Intention is actually to treat it as it's
- * read-only data, and some (if not most) of it does
- * reside in read-only segment. In other words
- * observation of BN_FLG_STATIC_DATA in
- * BN_consttime_swap should be treated as fatal
- * condition. It would either cause SEGV or
- * effectively cause data corruption.
- * BN_FLG_MALLOCED refers to BN structure itself,
- * and hence must be preserved. Remaining flags are
- * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be
- * preserved, because it determines how x->d was
- * allocated and hence how to free it. This leaves
- * BN_FLG_CONSTTIME that one can do something about.
- * To summarize it's sufficient to mask and swap
- * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should
- * be treated as fatal.
+ * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
+ * is actually to treat it as it's read-only data, and some (if not most)
+ * of it does reside in read-only segment. In other words observation of
+ * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
+ * condition. It would either cause SEGV or effectively cause data
+ * corruption.
+ *
+ * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
+ * preserved.
+ *
+ * BN_FLG_SECURE: must be preserved, because it determines how x->d was
+ * allocated and hence how to free it.
+ *
+ * BN_FLG_CONSTTIME: sufficient to mask and swap
+ *
+ * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
+ * the data, so the d array may be padded with additional 0 values (i.e.
+ * top could be greater than the minimal value that it could be). We should
+ * be swapping it
  */
-t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition;
+
+#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
+
+t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition;
 a->flags ^= t;
 b->flags ^= t;
 
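The flag-mask change in that hunk is easier to reason about on a small model. What follows is an added example written for this page, not OpenSSL code: a toy bignum with OpenSSL-style flag bits (the numeric values and field names are assumptions) and a conditional swap in the style of BN_consttime_swap. It can swap with the pre-fix mask (CONSTTIME only) or with the fixed mask (CONSTTIME | FIXED_TOP), and checks the invariant that a value without FIXED_TOP has no zero word at its top, which is exactly what breaks when a padded value changes hands but its flag stays behind.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of BIGNUM and BN_consttime_swap (added example, not OpenSSL code).
 * Flag values and field names are assumptions that mirror the real structure.
 */
#define TOY_FLG_MALLOCED    0x01  /* the struct itself was malloc'd: never swapped */
#define TOY_FLG_STATIC_DATA 0x02  /* d[] is read-only: swapping it is a bug */
#define TOY_FLG_CONSTTIME   0x04  /* describes the value: travels with it */
#define TOY_FLG_SECURE      0x08  /* how d[] was allocated: never swapped */
#define TOY_FLG_FIXED_TOP   0x10  /* top may exceed the minimum: travels with it */

#define TOY_WORDS 8

typedef struct {
    uint64_t d[TOY_WORDS];  /* little-endian words */
    int top;                /* number of words in use */
    int neg;
    int flags;
} toy_bn;

/* The pre-fix mask moved only CONSTTIME; the fix adds FIXED_TOP. */
#define TOY_SWAP_FLAGS_OLD (TOY_FLG_CONSTTIME)
#define TOY_SWAP_FLAGS     (TOY_FLG_CONSTTIME | TOY_FLG_FIXED_TOP)

/* 0 -> 0, 1 -> all ones, without a data-dependent branch. */
uint64_t toy_ct_mask(uint64_t condition)
{
    return ((condition - 1) >> 63) - 1;
}

/* Swap words, top, neg and the flags selected by flag_mask when condition is 1.
 * Every byte of both operands is touched either way, so the access pattern
 * does not reveal the condition. */
void toy_swap_with_mask(uint64_t condition, toy_bn *a, toy_bn *b,
                        int nwords, int flag_mask)
{
    uint64_t mask = toy_ct_mask(condition), t;
    int i;

    t = ((uint64_t)a->top ^ (uint64_t)b->top) & mask;
    a->top ^= (int)t;
    b->top ^= (int)t;

    t = ((uint64_t)a->neg ^ (uint64_t)b->neg) & mask;
    a->neg ^= (int)t;
    b->neg ^= (int)t;

    t = (((uint64_t)a->flags ^ (uint64_t)b->flags) & (uint64_t)flag_mask) & mask;
    a->flags ^= (int)t;
    b->flags ^= (int)t;

    for (i = 0; i < nwords; i++) {
        t = (a->d[i] ^ b->d[i]) & mask;
        a->d[i] ^= t;
        b->d[i] ^= t;
    }
}

void toy_consttime_swap(uint64_t condition, toy_bn *a, toy_bn *b, int nwords)
{
    toy_swap_with_mask(condition, a, b, nwords, TOY_SWAP_FLAGS);
}

/* Invariant the rest of a bignum library relies on: unless FIXED_TOP is set,
 * the most significant word in use is non-zero. */
int toy_top_consistent(const toy_bn *x)
{
    if (x->flags & TOY_FLG_FIXED_TOP)
        return 1;
    return x->top == 0 || x->d[x->top - 1] != 0;
}

/* Swap a padded (FIXED_TOP) value with a normalised one and report whether
 * both operands still satisfy the invariant and keep their allocation flags. */
int toy_swap_keeps_invariant(int flag_mask)
{
    toy_bn a = { {0x11, 0x22, 0x33, 0x00}, 4, 0, TOY_FLG_MALLOCED | TOY_FLG_FIXED_TOP };
    toy_bn b = { {0xaa, 0xbb}, 2, 0, TOY_FLG_MALLOCED | TOY_FLG_SECURE };

    toy_swap_with_mask(1, &a, &b, TOY_WORDS, flag_mask);

    /* allocation flags must stay with their own object */
    if (!(a.flags & TOY_FLG_MALLOCED) || !(b.flags & TOY_FLG_MALLOCED))
        return 0;
    if ((a.flags & TOY_FLG_SECURE) || !(b.flags & TOY_FLG_SECURE))
        return 0;
    return toy_top_consistent(&a) && toy_top_consistent(&b);
}

/* 1 if the values changed places, 0 if not (condition 0 must be a no-op). */
int toy_swap_moved_data(uint64_t condition)
{
    toy_bn a = { {1, 2, 3}, 3, 0, 0 };
    toy_bn b = { {7, 8, 9}, 3, 1, 0 };

    toy_consttime_swap(condition, &a, &b, TOY_WORDS);
    return a.d[0] == 7 && b.d[0] == 1 && a.neg == 1 && b.neg == 0;
}

int main(void)
{
    printf("old mask keeps invariant: %d\n", toy_swap_keeps_invariant(TOY_SWAP_FLAGS_OLD));
    printf("new mask keeps invariant: %d\n", toy_swap_keeps_invariant(TOY_SWAP_FLAGS));
    return 0;
}
```

Running the two masks side by side, `toy_swap_keeps_invariant(TOY_SWAP_FLAGS_OLD)` returns 0 because the padded words move to the object that still claims a minimal top, while `toy_swap_keeps_invariant(TOY_SWAP_FLAGS)` returns 1. The mask derivation `((c - 1) >> 63) - 1` is the same trick the real function applies to a BN_ULONG condition: both operands are read and written in full whether or not the swap happens, which is the whole point of the routine.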


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-09 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  4a498d0ed50f377584ebadce715fbcc2c0f53c23 (commit)
  from  401e1c9d9d2202fff557f6286f47214803bf7e15 (commit)


- Log -
commit 4a498d0ed50f377584ebadce715fbcc2c0f53c23
Author: Richard Levitte 
Date:   Fri Nov 9 12:08:08 2018 +0100

Fix cherry-pick error

A couple of $(ECHO) sneaked in from patches in newer branches

Fixes #7600

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7601)

---

Summary of changes:
 Configurations/unix-Makefile.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Configurations/unix-Makefile.tmpl 
b/Configurations/unix-Makefile.tmpl
index 181b618..7254478 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -517,7 +517,7 @@ install_runtime_libs: build_libs
 install_programs: install_runtime_libs build_programs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
-   @$(ECHO) "*** Installing runtime programs"
+   @echo "*** Installing runtime programs"
@set -e; for x in dummy $(INSTALL_PROGRAMS); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
@@ -558,7 +558,7 @@ uninstall_programs:
-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin
 
 uninstall_runtime_libs:
-   @$(ECHO) "*** Uninstalling runtime libraries"
+   @echo "*** Uninstalling runtime libraries"
@ : {- output_off() unless windowsdll(); "" -}
@set -e; for s in dummy $(INSTALL_SHLIBS); do \
if [ "$$s" = "dummy" ]; then continue; fi; \


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-09 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  401e1c9d9d2202fff557f6286f47214803bf7e15 (commit)
  from  2801f671288d592b29a38c6098f53e6f3221d27a (commit)


- Log -
commit 401e1c9d9d2202fff557f6286f47214803bf7e15
Author: Richard Levitte 
Date:   Fri Nov 9 12:23:53 2018 +0100

VMS build: colon after target must be separated with a space

... otherwise, it's taken to be part of a device name.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7602)

(cherry picked from commit e9994901f835420764d020968d4588fc09ec74c3)

---

Summary of changes:
 Configurations/descrip.mms.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 552decf..7399288 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -414,7 +414,7 @@ install_engines : check_INSTALLTOP install_runtime_libs 
build_engines
 @{$unified_info{install}->{engines}}) -}
 @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} !
 
-install_runtime: install_programs
+install_runtime : install_programs
 
 install_runtime_libs : check_INSTALLTOP build_libs
 @ {- output_off() if $disabled{shared}; "" -} !


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-08 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  2801f671288d592b29a38c6098f53e6f3221d27a (commit)
   via  82ca431857bf5ef2ce85d14f432dc1dec9c95e3c (commit)
  from  26d7fce13d469f8d1a1b42131467ed4a65f8137b (commit)


- Log -
commit 2801f671288d592b29a38c6098f53e6f3221d27a
Author: Richard Levitte 
Date:   Wed Nov 7 16:13:57 2018 +0100

Have install targets depend on more precise build targets

We only had the main 'install' target depend on 'all'.  This changes
the dependencies so targets like install_dev, install_runtime_libs,
install_engines and install_programs depend on build targets that
correspond to them more specifically.  This increases the parallel
possibilities.

Fixes #7466

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7583)

(cherry picked from commit e8d01a608705e4320082a11a3870aa7e19c7290f)

commit 82ca431857bf5ef2ce85d14f432dc1dec9c95e3c
Author: Richard Levitte 
Date:   Thu Oct 25 09:09:20 2018 +0200

Allow parallel install

When trying 'make -j{n} install', you may occasionally run into
trouble because two sub-targets (install_dev and install_runtime) try
to install the same shared libraries.  That makes parallel install
difficult.

This is solved by dividing install_runtime into two parts, one for
libraries and one for programs, and have install_dev depend on
install_runtime_libs instead of installing the shared runtime
libraries itself.

Fixes #7466

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7583)

(cherry picked from commit c1123d9f7efb005a109aeccaba82c40bf9bd4c1d)

---

Summary of changes:
 Configurations/descrip.mms.tmpl  | 53 +---
 Configurations/unix-Makefile.tmpl| 27 --
 Configurations/windows-makefile.tmpl | 17 
 3 files changed, 56 insertions(+), 41 deletions(-)

diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 7e3356f..552decf 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -368,12 +368,10 @@ descrip.mms : FORCE
 
 # Install helper targets #
 
-install_sw : all install_shared _install_dev_ns -
- install_engines _install_runtime_ns -
+install_sw : install_dev install_engines install_runtime -
  install_startup install_ivp
 
-uninstall_sw : uninstall_shared _uninstall_dev_ns -
-   uninstall_engines _uninstall_runtime_ns -
+uninstall_sw : uninstall_dev uninstall_engines uninstall_runtime -
uninstall_startup uninstall_ivp
 
 install_docs : install_html_docs
@@ -396,17 +394,7 @@ install_ssldirs : check_INSTALLTOP
 COPY/PROT=W:R {- sourcefile("apps", "openssl-vms.cnf") -} -
 ossl_dataroot:[00]openssl.cnf
 
-install_shared : check_INSTALLTOP
-@ {- output_off() if $disabled{shared}; "" -} !
-@ WRITE SYS$OUTPUT "*** Installing shareable images"
-@ ! Install shared (runtime) libraries
-- CREATE/DIR ossl_installroot:[LIB.'arch']
-{- join("\n",
-map { "COPY/PROT=W:R $_.EXE ossl_installroot:[LIB.'arch']" }
-@install_shlibs) -}
-@ {- output_on() if $disabled{shared}; "" -} !
-
-_install_dev_ns : check_INSTALLTOP
+install_dev : check_INSTALLTOP install_runtime_libs
 @ WRITE SYS$OUTPUT "*** Installing development files"
 @ ! Install header files
 - CREATE/DIR ossl_installroot:[include.openssl]
@@ -417,9 +405,29 @@ _install_dev_ns : check_INSTALLTOP
 map { "COPY/PROT=W:R $_.OLB ossl_installroot:[LIB.'arch']" }
 @{$unified_info{install}->{libraries}}) -}
 
-install_dev : install_shared _install_dev_ns
+install_engines : check_INSTALLTOP install_runtime_libs build_engines
+@ {- output_off() unless scalar @{$unified_info{engines}}; "" -} !
+@ WRITE SYS$OUTPUT "*** Installing engines"
+- CREATE/DIR ossl_installroot:[ENGINES{- $sover.$target{pointer_size} 
-}.'arch']
+{- join("\n",
+map { "COPY/PROT=W:RE $_.EXE 
ossl_installroot:[ENGINES$sover$target{pointer_size}.'arch']" }
+@{$unified_info{install}->{engines}}) -}
+@ {- output_on() unless scalar @{$unified_info{engines}}; "" -} !
 
-_install_runtime_ns : check_INSTALLTOP
+install_runtime: install_programs
+
+install_runtime_libs : check_INSTALLTOP build_libs
+@ {- output_off() if $disabled{shared}; "" -} !
+@ WRITE SYS$OUTPUT "*** Installing shareable images"
+@ ! Install shared (runtime) libraries
+- CREATE/DIR ossl_installroot:[LIB.'arch']
+{- join("\n",
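Review bot: `install_runtime: install_programs` near the end of the visible hunk is the only target here written without a space before the colon; on VMS MMS that reads as a device name, which is exactly what commit 401e1c9 further up the page has to come back and fix, so it should be `install_runtime : install_programs` in this commit. Separately, `install_dev` now depends on `install_runtime_libs`, which is the intended de-duplication, but `install_sw` lists `install_dev install_engines install_runtime` with no direct mention of `install_runtime_libs`; that works because both of the former pull it in, and a one-line comment would save the next reader the dependency walk.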
+ 

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-11-01 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  26d7fce13d469f8d1a1b42131467ed4a65f8137b (commit)
  from  003f1bfd185267cc67ac9dc521a27d7a2af0d0ee (commit)


- Log -
commit 26d7fce13d469f8d1a1b42131467ed4a65f8137b
Author: Pauli 
Date:   Thu Nov 1 08:44:11 2018 +1000

Add a constant time flag to one of the bignums to avoid a timing leak.

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/7549)

(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)

---

Summary of changes:
 crypto/dsa/dsa_ossl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index be58625..868283a 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -225,6 +225,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 } while (BN_is_zero(k));
 
 BN_set_flags(k, BN_FLG_CONSTTIME);
+BN_set_flags(l, BN_FLG_CONSTTIME);
 
 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
 if (!BN_MONT_CTX_set_locked(>method_mont_p,
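Review bot: the new `BN_set_flags(l, BN_FLG_CONSTTIME)` sits before any arithmetic on `l`, which is the right place, since `l` later receives `k + q` and is swapped with `k` by `BN_consttime_swap`, so it carries the secret nonce just as `k` does. A one-line comment saying why `l` is flagged would stop a future cleanup from dropping it as redundant next to the identical call on `k`.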
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-29 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  003f1bfd185267cc67ac9dc521a27d7a2af0d0ee (commit)
  from  56fb454d281a023b3f950d969693553d3f3ceea1 (commit)


- Log -
commit 003f1bfd185267cc67ac9dc521a27d7a2af0d0ee
Author: Rod Vagg 
Date:   Mon Oct 29 20:43:53 2018 +1100

Remove brace from bad cherry-pick of DSA reallocation fix

Commit 56fb454 backported the DSA reallocation fix to 1.1.0, however a
code block that has multiple statements in 1.1.1+ only has a `goto` in
1.1.0 so introduces a brace that causes a compile failure.

CLA:trivial

Reviewed-by: Richard Levitte 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7516)

---

Summary of changes:
 crypto/ec/ec_mult.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index ff882cc..8350082 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -178,7 +178,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT 
*r,
 cardinality_bits = BN_num_bits(cardinality);
 group_top = bn_get_top(cardinality);
 if ((bn_wexpand(k, group_top + 2) == NULL)
-|| (bn_wexpand(lambda, group_top + 2) == NULL)) {
+|| (bn_wexpand(lambda, group_top + 2) == NULL))
 goto err;
 
 if (!BN_copy(k, scalar))
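Review bot: correct fix; in 1.1.0 the body of this `if` is the single `goto err;` on the next line, so the brace that the cherry-pick carried over from the multi-statement 1.1.1 block had no match and could not compile. A compile break in a security backport is something a build of the stable branch before merging would have caught.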


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-28 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  56fb454d281a023b3f950d969693553d3f3ceea1 (commit)
  from  ef11e19d1365eea2b1851e6f540a0bf365d303e7 (commit)


- Log -
commit 56fb454d281a023b3f950d969693553d3f3ceea1
Author: Pauli 
Date:   Fri Oct 26 10:54:58 2018 +1000

Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.

Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/7486)

(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)

---

Summary of changes:
 crypto/ec/ec_mult.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 22bb30f..ff882cc 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT 
*r,
  */
 cardinality_bits = BN_num_bits(cardinality);
 group_top = bn_get_top(cardinality);
-if ((bn_wexpand(k, group_top + 1) == NULL)
-|| (bn_wexpand(lambda, group_top + 1) == NULL))
+if ((bn_wexpand(k, group_top + 2) == NULL)
+|| (bn_wexpand(lambda, group_top + 2) == NULL)) {
 goto err;
 
 if (!BN_copy(k, scalar))
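Review bot: the `{` added at the end of the `bn_wexpand(lambda, group_top + 2)` condition has no matching close brace in this hunk; the 1.1.0 body is only `goto err;`, so this will not compile as cherry-picked. Drop the brace (it belongs to the larger 1.1.1 block this was taken from).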
@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT 
*r,
  * k := scalar + 2*cardinality
  */
 kbit = BN_is_bit_set(lambda, cardinality_bits);
-BN_consttime_swap(kbit, k, lambda, group_top + 1);
+BN_consttime_swap(kbit, k, lambda, group_top + 2);
 
 group_top = bn_get_top(group->field);
 if ((bn_wexpand(s->X, group_top) == NULL)
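Review bot: the swap width `group_top + 2` now matches the preallocation in the previous hunk, and that equality is the invariant that keeps `BN_consttime_swap` from touching words beyond what was reserved. Since `group_top` is reassigned to `bn_get_top(group->field)` two lines later, a short comment or a dedicated variable for the scalar word count would make it harder for the two `+ 2` values to drift apart.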


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-28 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  ef11e19d1365eea2b1851e6f540a0bf365d303e7 (commit)
  from  84862c0979737b591acb689aef41ae2644176f32 (commit)


- Log -
commit ef11e19d1365eea2b1851e6f540a0bf365d303e7
Author: Pauli 
Date:   Wed Oct 24 07:42:46 2018 +1000

Timing vulnerability in DSA signature generation (CVE-2018-0734).

Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized.  Increasing the size of the BNs
prior to doing anything with them suppresses the attack.

Thanks due to Samuel Weiser for finding and locating this.

Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/7486)

(cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6)

---

Summary of changes:
 crypto/dsa/dsa_ossl.c | 28 +++-
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 3b657d5..be58625 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -11,6 +11,7 @@
 
 #include 
 #include "internal/cryptlib.h"
+#include "internal/bn_int.h"
 #include 
 #include 
 #include "dsa_locl.h"
@@ -182,9 +183,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 {
 BN_CTX *ctx = NULL;
 BIGNUM *k, *kinv = NULL, *r = *rp;
-BIGNUM *l, *m;
+BIGNUM *l;
 int ret = 0;
-int q_bits;
+int q_bits, q_words;
 
 if (!dsa->p || !dsa->q || !dsa->g) {
 DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
@@ -193,8 +194,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 
 k = BN_new();
 l = BN_new();
-m = BN_new();
-if (k == NULL || l == NULL || m == NULL)
+if (k == NULL || l == NULL)
 goto err;
 
 if (ctx_in == NULL) {
@@ -205,9 +205,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 
 /* Preallocate space */
 q_bits = BN_num_bits(dsa->q);
-if (!BN_set_bit(k, q_bits)
-|| !BN_set_bit(l, q_bits)
-|| !BN_set_bit(m, q_bits))
+q_words = bn_get_top(dsa->q);
+if (!bn_wexpand(k, q_words + 2)
+|| !bn_wexpand(l, q_words + 2))
 goto err;
 
 /* Get random k */
@@ -242,14 +242,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
  * small timing information leakage.  We then choose the sum that is
  * one bit longer than the modulus.
  *
- * TODO: revisit the BN_copy aiming for a memory access agnostic
- * conditional copy.
+ * There are some concerns about the efficacy of doing this.  More
+ * specificly refer to the discussion starting with:
+ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
+ * The fix is to rework BN so these gymnastics aren't required.
  */
 if (!BN_add(l, k, dsa->q)
-|| !BN_add(m, l, dsa->q)
-|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
+|| !BN_add(k, l, dsa->q))
 goto err;
 
+BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
+
 if ((dsa)->meth->bn_mod_exp != NULL) {
 if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
dsa->method_mont_p))
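Review bot: the secret-dependent selection `BN_num_bits(l) > q_bits ? l : m` is gone, replaced by `BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2)`. That is correct: `l = k + q < 2q` has at most `q_bits + 1` bits, so bit `q_bits` is set exactly when `l` is one bit longer than `q`, and in that case the swap puts `l` into `k`. Two nits: the swap width must stay equal to the `bn_wexpand` size in the earlier hunk, and the new comment misspells "specifically" as "specificly".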
@@ -262,7 +265,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 if (!BN_mod(r, r, dsa->q, ctx))
 goto err;
 
-/* Compute  part of 's = inv(k) (m + xr) mod q' */
+/* Compute part of 's = inv(k) (m + xr) mod q' */
 if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
 goto err;
 
@@ -277,7 +280,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 BN_CTX_free(ctx);
 BN_clear_free(k);
 BN_clear_free(l);
-BN_clear_free(m);
 return ret;
 }
 


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-28 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  84862c0979737b591acb689aef41ae2644176f32 (commit)
  from  bd04577743ec3b1e605039ee31e10616fee5f05f (commit)


- Log -
commit 84862c0979737b591acb689aef41ae2644176f32
Author: Pauli 
Date:   Mon Oct 29 06:50:51 2018 +1000

DSA mod inverse fix

There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm.  This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.

Thanks to Samuel Weiser for finding and reporting this.

Reviewed-by: Matthias St. Pierre 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/7487)

(cherry picked from commit 415c33563528667868c3c653a612e6fc8736fd79)

---

Summary of changes:
 crypto/dsa/dsa_ossl.c | 32 +++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 4aa49f5..3b657d5 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -25,6 +25,8 @@ static int dsa_do_verify(const unsigned char *dgst, int 
dgst_len,
  DSA_SIG *sig, DSA *dsa);
 static int dsa_init(DSA *dsa);
 static int dsa_finish(DSA *dsa);
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+  BN_CTX *ctx);
 
 static DSA_METHOD openssl_dsa_meth = {
 "OpenSSL DSA method",
@@ -261,7 +263,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 goto err;
 
 /* Compute  part of 's = inv(k) (m + xr) mod q' */
-if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
+if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
 goto err;
 
 BN_clear_free(*kinvp);
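Review bot: swapping `BN_mod_inverse` for `dsa_mod_inverse_fermat` drops the NULL-when-not-invertible behaviour; the Fermat route returns a value for any `k`, so a `k` that is 0 mod `q`, or a non-prime `q`, yields a wrong "inverse" rather than an error. `k` is non-zero by construction in this function, but the precondition (q prime, k not divisible by q) should be stated at the call site so the dependency is visible.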
@@ -395,3 +397,31 @@ static int dsa_finish(DSA *dsa)
 BN_MONT_CTX_free(dsa->method_mont_p);
 return (1);
 }
+
+/*
+ * Compute the inverse of k modulo q.
+ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
+ * mod-exp operation.  Both the exponent and modulus are public information
+ * so a mod-exp that doesn't leak the base is sufficient.  A newly allocated
+ * BIGNUM is returned which the caller must free.
+ */
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+  BN_CTX *ctx)
+{
+BIGNUM *res = NULL;
+BIGNUM *r, *e;
+
+if ((r = BN_new()) == NULL)
+return NULL;
+
+BN_CTX_start(ctx);
+if ((e = BN_CTX_get(ctx)) != NULL
+&& BN_set_word(r, 2)
+&& BN_sub(e, q, r)
+&& BN_mod_exp_mont(r, k, e, q, ctx, NULL))
+res = r;
+else
+BN_free(r);
+BN_CTX_end(ctx);
+return res;
+}
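Review bot: the comment says a mod-exp that does not leak the base is sufficient, but `BN_mod_exp_mont` picks its constant-time implementation based on the `BN_FLG_CONSTTIME` flag on its operands, so whether the base leaks here depends on the caller having flagged `k` (the `BN_set_flags(k, BN_FLG_CONSTTIME)` visible in the dsa_sign_setup hunks does that); either document that precondition in this comment or set the flag on a local copy. Minor: `r` serves both as the constant 2 and as the result, which works only because `BN_sub(e, q, r)` completes before `BN_mod_exp_mont` overwrites it; a separate temporary would read more clearly.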


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-22 Thread matthias . st . pierre
The branch OpenSSL_1_1_0-stable has been updated
   via  bd04577743ec3b1e605039ee31e10616fee5f05f (commit)
  from  f2828a14fbe2ce56b5090f45b2a9a6e749d33b22 (commit)


- Log -
commit bd04577743ec3b1e605039ee31e10616fee5f05f
Author: Dr. Matthias St. Pierre 
Date:   Thu Oct 18 23:04:32 2018 +0200

md_rand.c: don't stop polling until properly initialized

Previously, the RNG sets `initialized=1` after the first call to
RAND_poll(), although its criterion for being initialized actually
is whether condition `entropy >= ENTROPY_NEEDED` is true.

This commit now assigns `initialized=(entropy >= ENTROPY_NEEDED)`,
which has the effect that on the next call, RAND_poll() will be
called again, if it previously failed to obtain enough entropy.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7438)

---

Summary of changes:
 crypto/rand/md_rand.c | 10 --
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 7d5fcb7..bc1b6fb 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -275,7 +275,6 @@ static int rand_bytes(unsigned char *buf, int num, int 
pseudo)
 static volatile int stirred_pool = 0;
 int i, j, k;
 size_t num_ceil, st_idx, st_num;
-int ok;
 long md_c[2];
 unsigned char local_md[MD_DIGEST_LENGTH];
 EVP_MD_CTX *m;
@@ -362,14 +361,13 @@ static int rand_bytes(unsigned char *buf, int num, int 
pseudo)
 
 if (!initialized) {
 RAND_poll();
-initialized = 1;
+initialized = (entropy >= ENTROPY_NEEDED);
 }
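Review bot: `initialized = (entropy >= ENTROPY_NEEDED)` reads the shared entropy counter immediately after `RAND_poll()`, which is only safe while `rand_lock` is held (the unlock is visible at the end of the function); worth confirming that `RAND_poll()` does not need the lock released. With this change `RAND_poll()` is retried on every `rand_bytes()` call until the threshold is met, so the cost of a failing poll is paid repeatedly; that is the intended trade-off, but a comment saying so would help.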
 
 if (!stirred_pool)
 do_stir_pool = 1;
 
-ok = (entropy >= ENTROPY_NEEDED);
-if (!ok) {
+if (!initialized) {
 /*
  * If the PRNG state is not yet unpredictable, then seeing the PRNG
  * output may help attackers to determine the new state; thus we have
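Review bot: with `ok` gone, `initialized` now gates both the stir and the return value, but unlike `ok` it is recomputed only inside `if (!initialized)`. That is fine as long as `entropy` never drops back below `ENTROPY_NEEDED` once reached (and cleanup resets both variables together); that assumption should be stated next to the assignment.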
@@ -408,7 +406,7 @@ static int rand_bytes(unsigned char *buf, int num, int 
pseudo)
 rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0);
 n -= MD_DIGEST_LENGTH;
 }
-if (ok)
+if (initialized)
 stirred_pool = 1;
 }
 
@@ -500,7 +498,7 @@ static int rand_bytes(unsigned char *buf, int num, int 
pseudo)
 CRYPTO_THREAD_unlock(rand_lock);
 
 EVP_MD_CTX_free(m);
-if (ok)
+if (initialized)
 return (1);
 else if (pseudo)
 return 0;


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-19 Thread Andy Polyakov
The branch OpenSSL_1_1_0-stable has been updated
   via  f2828a14fbe2ce56b5090f45b2a9a6e749d33b22 (commit)
  from  d46f9173bbd62ffa7ae0b20bf05c600e14722cc6 (commit)


- Log -
commit f2828a14fbe2ce56b5090f45b2a9a6e749d33b22
Author: Andy Polyakov 
Date:   Wed Oct 17 10:09:33 2018 +0200

arch/async_posix.h: improve portability.

{make|swap|get|set}context are removed in POSIX.1-2008, but glibc
apparently keeps providing them.

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7420)

(cherry picked from commit 9d71a24ebf57e7157888af1ca587eafe914bf96f)

---

Summary of changes:
 crypto/async/arch/async_posix.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h
index 76937a9..939b4ab 100644
--- a/crypto/async/arch/async_posix.h
+++ b/crypto/async/arch/async_posix.h
@@ -17,7 +17,8 @@
 
 # include 
 
-# if _POSIX_VERSION >= 200112L
+# if _POSIX_VERSION >= 200112L \
+ && (_POSIX_VERSION < 200809L || defined(__GLIBC__))
 
 # include 
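Review bot: the new test `_POSIX_VERSION < 200809L || defined(__GLIBC__)` relies on `_POSIX_VERSION` being defined by the preceding `# include`; if it is ever undefined it evaluates to 0 in the preprocessor and the whole block is skipped, which is the safe direction but would disable the ucontext path on glibc as well. A comment naming which libcs this is meant to exclude (those that report POSIX.1-2008 and no longer ship makecontext and friends) would make the intent clear.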
 


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-17 Thread Viktor Dukhovni
The branch OpenSSL_1_1_0-stable has been updated
   via  d46f9173bbd62ffa7ae0b20bf05c600e14722cc6 (commit)
   via  cc54a2a0f5a2455205ee236bb44458cc39366065 (commit)
  from  a76a41655e57b72b30a373aae6e75afedf920076 (commit)


- Log -
commit d46f9173bbd62ffa7ae0b20bf05c600e14722cc6
Author: Viktor Dukhovni 
Date:   Mon Oct 8 12:05:14 2018 -0400

Apply self-imposed path length also to root CAs

Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf).  Therefore, never count the EE
cert, and adjust the path length comparison accordingly.  This may
be more clear to the reader.

Reviewed-by: Matt Caswell 
(cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6)

commit cc54a2a0f5a2455205ee236bb44458cc39366065
Author: Viktor Dukhovni 
Date:   Thu Oct 4 23:53:01 2018 -0400

Only CA certificates can be self-issued

At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:

   This specification covers two classes of certificates: CA
   certificates and end entity certificates.  CA certificates may be
   further divided into three classes: cross-certificates, self-issued
   certificates, and self-signed certificates.  Cross-certificates are
   CA certificates in which the issuer and subject are different
   entities.  Cross-certificates describe a trust relationship between
   the two CAs.  Self-issued certificates are CA certificates in which
   the issuer and subject are the same entity.  Self-issued certificates
   are generated to support changes in policy or operations.  Self-
   signed certificates are self-issued certificates where the digital
   signature may be verified by the public key bound into the
   certificate.  Self-signed certificates are used to convey a public
   key for use to begin certification paths.  End entity certificates
   are issued to subjects that are not authorized to issue certificates.

that the term "self-issued" is only applicable to CAs, not end-entity
certificates.  In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:

   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section 4.2.1.3).  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.  (Note: The
   last certificate in the certification path is not an intermediate
   certificate, and is not included in this limit.  Usually, the last
   certificate is an end entity certificate, but it can be a CA
   certificate.)

This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates.  A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count.  The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.

Reviewed-by: Matt Caswell 
(cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)

---

Summary of changes:
 crypto/x509/x509_vfy.c | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f86871f..ba186d3 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -515,15 +515,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 /* check_purpose() makes the callback as needed */
 if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
 return 0;
-/* Check pathlen if not self issued */
-if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
-&& (x->ex_pathlen != -1)
-&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
+/* Check pathlen */
+if ((i > 1) && (x->ex_pathlen != -1)
+&& (plen > (x->ex_pathlen + proxy_path_length))) {
 if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
 return 0;
 }
-/* Increment path length if not self issued */
-if (!(x->ex_flags & EXFLAG_SI))
+/* Increment path length if not a self issued intermediate 
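Review bot: with the leaf no longer counted, `plen` at index `i` is the number of non-self-issued intermediates strictly below `x`, so dropping the `+ 1` keeps the comparison aligned with RFC 5280's pathLenConstraint, and removing the `EXFLAG_SI` exclusion means a self-issued CA with its own pathLenConstraint is now held to it. The `i > 1` guard has become redundant (at `i == 1`, `plen` is 0 and both `ex_pathlen` and `proxy_path_length` are non-negative) and could be removed or commented.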

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-17 Thread Andy Polyakov
The branch OpenSSL_1_1_0-stable has been updated
   via  a76a41655e57b72b30a373aae6e75afedf920076 (commit)
  from  77078e6bbfa686dba00cf379f0c96bd2833133a6 (commit)


- Log -
commit a76a41655e57b72b30a373aae6e75afedf920076
Author: Andy Polyakov 
Date:   Fri Oct 12 22:17:51 2018 +0200

ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac.

(back-port of commit 7d0effeacbb50b12bfc24df7614d7cf5c8686f51)

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7392)

---

Summary of changes:
 ssl/s3_enc.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index e08857d..89b7739 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -404,13 +404,14 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int 
len, unsigned char *p)
 }
 if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) {
 SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR);
-return 0;
+ret = 0;
+goto err;
 }
 
 ret = EVP_MD_CTX_size(ctx);
 if (ret < 0) {
-EVP_MD_CTX_reset(ctx);
-return 0;
+ret = 0;
+goto err;
 }
 
 if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0)
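Review bot: the old early `return 0;` after a failed `EVP_MD_CTX_copy_ex` leaked `ctx`, and `EVP_MD_CTX_reset` on the size-error path reset it without freeing it; routing both through `err`, where `EVP_MD_CTX_free(ctx)` runs, fixes that. The explicit `ret = 0` before each `goto` is required because `ret` is the return value and holds the digest size after `EVP_MD_CTX_size`.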
@@ -422,6 +423,7 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int 
len, unsigned char *p)
 ret = 0;
 }
 
+ err:
 EVP_MD_CTX_free(ctx);
 
 return ret;


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-15 Thread kaduk
The branch OpenSSL_1_1_0-stable has been updated
   via  77078e6bbfa686dba00cf379f0c96bd2833133a6 (commit)
  from  737a37f7f170121769875e8e6f5fe7389701dff8 (commit)


- Log -
commit 77078e6bbfa686dba00cf379f0c96bd2833133a6
Author: Benjamin Kaduk 
Date:   Thu Oct 4 13:49:21 2018 -0500

apps: allow empty attribute values with -subj

Historically (i.e., OpenSSL 1.0.x), the openssl applications would
allow for empty subject attributes to be passed via the -subj argument,
e.g., `openssl req -subj '/CN=joe/O=/OU=local' ...`.  Commit
db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite
to the parse_name() helper function that parses these strings, but
in the process dropped a check that would skip attributes with no
associated value.  As a result, such strings are now treated as
hard errors and the operation fails.

Restore the check to skip empty attribute values and restore
the historical behavior.

Document the behavior for empty subject attribute values in the
corresponding applications' manual pages.

(cherry picked from commit 3d362f190306b62a17aa2fd475b2bc8b3faa8142)
(cherry picked from commit a7ee1ef61b1893038008691a4a6979cf2da91439)

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7368)

---

Summary of changes:
 apps/apps.c  | 6 ++
 doc/apps/ca.pod  | 6 --
 doc/apps/req.pod | 6 --
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index a162b16..94efa5a 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1770,6 +1770,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int 
canmulti)
   opt_getprog(), typestr);
 continue;
 }
+if (*valstr == '\0') {
+BIO_printf(bio_err,
+   "%s: No value provided for Subject Attribute %s, 
skipped\n",
+   opt_getprog(), typestr);
+continue;
+}
 if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
 valstr, strlen((char *)valstr),
 -1, ismulti ? -1 : 0))
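Review bot: the empty-value check mirrors the unknown-type skip immediately above it and restores the 1.0.x behaviour, but since this regression slipped through a full rewrite of `parse_name()`, a test that feeds `-subj '/CN=joe/O=/OU=local'` and asserts on the resulting name is the real safeguard. Also worth confirming that a skipped attribute does not disturb the `ismulti ? -1 : 0` set-joining of the attribute that follows it.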
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index 9918a13..9885bb2 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -243,8 +243,10 @@ for all available algorithms.
 =item B<-subj arg>
 
 supersedes subject name given in the request.
-The arg must be formatted as I,
-characters may be escaped by \ (backslash), no spaces are skipped.
+The arg must be formatted as I.
+Keyword characters may be escaped by \ (backslash), and whitespace is retained.
+Empty values are permitted, but the corresponding type will not be included
+in the resulting certificate.
 
 =item B<-utf8>
 
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index 0a28aea..00ec1a8 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -213,8 +213,10 @@ see L.
 
 sets subject name for new request or supersedes the subject name
 when processing a request.
-The arg must be formatted as I,
-characters may be escaped by \ (backslash), no spaces are skipped.
+The arg must be formatted as I.
+Keyword characters may be escaped by \ (backslash), and whitespace is retained.
+Empty values are permitted, but the corresponding type will not be included
+in the request.
 
 =item B<-multivalue-rdn>
 


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-12 Thread nic . tuv
The branch OpenSSL_1_1_0-stable has been updated
   via  737a37f7f170121769875e8e6f5fe7389701dff8 (commit)
  from  f7cbb8a4c222807be19994167890e66630a70101 (commit)


- Log -
commit 737a37f7f170121769875e8e6f5fe7389701dff8
Author: Tomas Mraz 
Date:   Tue Oct 9 18:37:10 2018 +0200

Fix copy error found in Coverity scan

Reviewed-by: Nicola Tuveri 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7377)

(cherry picked from commit 628ee796389b555ddb5fc28355e16e9417ab1724)

---

Summary of changes:
 apps/speed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/speed.c b/apps/speed.c
index 3ef37b7..6672fe6 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -2541,7 +2541,7 @@ int speed_main(int argc, char **argv)
 
 if (rsa_count <= 1) {
 /* if longer than 10s, don't do any more */
-for (testnum++; testnum < EC_NUM; testnum++)
+for (testnum++; testnum < ECDSA_NUM; testnum++)
 ecdsa_doit[testnum] = 0;
 }
 }
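Review bot: the loop bound now matches the `ecdsa_doit` array it indexes; since `EC_NUM` and `ECDSA_NUM` are separate constants, writing the bound as `OSSL_NELEM(ecdsa_doit)` would make this class of copy error impossible.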


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-12 Thread Andy Polyakov
The branch OpenSSL_1_1_0-stable has been updated
   via  f7cbb8a4c222807be19994167890e66630a70101 (commit)
  from  d39b27749f7402127a0be1e8dfffd710db52bde6 (commit)


- Log -
commit f7cbb8a4c222807be19994167890e66630a70101
Author: Andy Polyakov 
Date:   Wed Sep 5 14:33:21 2018 +0200

rsa/rsa_ossl.c: fix and extend commentary [skip ci].

Reviewed-by: Richard Levitte 
Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/7123)

(cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849)

---

Summary of changes:
 crypto/rsa/rsa_ossl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 5703411..23f948f 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -655,10 +655,11 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, 
RSA *rsa, BN_CTX *ctx)
  */
 || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
 
-/* r0 = r0 * iqmp mod p */
+/* r1 = r1 * iqmp mod p */
 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
 || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
   ctx)
+/* r0 = r1 * q + m1 */
 || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
 || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
 goto err;
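Review bot: the corrected `r1 = r1 * iqmp mod p` matches the `bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, ...)` below it, but the new `r0 = r1 * q + m1` comment omits the `mod n` that `bn_mod_add_fixed_top(r0, r0, m1, rsa->n)` performs. Since `r1 < p` and `m1 < q`, the sum is already below `n` and the reduction is arithmetically a no-op kept for its fixed-top form; saying so in the comment would stop the next reader from "fixing" it.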


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-10-04 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  d39b27749f7402127a0be1e8dfffd710db52bde6 (commit)
   via  32451d8f861324697fc275593fbb830f80c1723b (commit)
  from  875ba8b21ecc65ad9a6bdc66971e50461660fcbb (commit)


- Log -
commit d39b27749f7402127a0be1e8dfffd710db52bde6
Author: Richard Levitte 
Date:   Sun Sep 30 02:18:47 2018 +0200

Clean out aliases in include/openssl/symhacks.h

Only a few clashing ones remain

Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7331)

(cherry picked from commit b44882a0bd0717e0aab84f5dc3ef81ab673155e9)

commit 32451d8f861324697fc275593fbb830f80c1723b
Author: Richard Levitte 
Date:   Sun Sep 30 01:59:11 2018 +0200

Small cleanup (util/mkdef.pl, crypto/bio/bss_log.c, include/openssl/ocsp.h)

BIO_s_log() is declared for everyone, so should return NULL when not
actually implemented.  Also, it had explicit platform limitations in
util/mkdef.pl that didn't correspond to what was actually in code.
While at it, a few other hard coded things that have lost their
relevance were removed.

include/openssl/ocsp.h had a few duplicate declarations.

Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7331)

(cherry picked from commit 7e09c5eaa57295f87453286ffe25277c2f2bc73f)

---

Summary of changes:
 crypto/bio/bss_log.c   |  5 +
 include/openssl/ocsp.h |  3 ---
 include/openssl/symhacks.h | 15 ---
 util/libcrypto.num |  2 +-
 util/mkdef.pl  | 10 --
 5 files changed, 6 insertions(+), 29 deletions(-)

diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c
index 4719a5e..f090e82 100644
--- a/crypto/bio/bss_log.c
+++ b/crypto/bio/bss_log.c
@@ -404,4 +404,9 @@ static void xcloselog(BIO *bp)
 
 # endif /* Unix */
 
+#else   /* NO_SYSLOG */
+const BIO_METHOD *BIO_s_log(void)
+{
+return NULL;
+}
 #endif  /* NO_SYSLOG */
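Review bot: returning `NULL` from `BIO_s_log()` when syslog is absent makes the unconditional declaration honest, but a caller doing `BIO_new(BIO_s_log())` without a NULL check now dereferences NULL at runtime instead of failing to link; the BIO_s_log man page should document the NULL return, and the libcrypto.num change in this series has to stay in step with it.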
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index fd172fb..aa432f1 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -92,7 +92,6 @@ typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES;
 #  define V_OCSP_RESPID_KEY  1
 
 DEFINE_STACK_OF(OCSP_RESPID)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
 
 typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
 
@@ -159,8 +158,6 @@ int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM 
*it,
 int OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx, ASN1_VALUE **pval,
   const ASN1_ITEM *it);
 BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx);
-int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it,
- ASN1_VALUE *val);
 int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, const char *op, const char *path);
 int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
 int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
diff --git a/include/openssl/symhacks.h b/include/openssl/symhacks.h
index caf1f1a..b6d68ef 100644
--- a/include/openssl/symhacks.h
+++ b/include/openssl/symhacks.h
@@ -28,21 +28,6 @@
 #  undef i2d_ECPKPARAMETERS
 #  define i2d_ECPKPARAMETERS  i2d_UC_ECPKPARAMETERS
 
-/*
- * These functions do not seem to exist! However, I'm paranoid... Original
- * command in x509v3.h: These functions are being redefined in another
- * directory, and clash when the linker is case-insensitive, so let's hide
- * them a little, by giving them an extra 'o' at the beginning of the name...
- */
-#  undef X509v3_cleanup_extensions
-#  define X509v3_cleanup_extensions   oX509v3_cleanup_extensions
-#  undef X509v3_add_extension
-#  define X509v3_add_extensionoX509v3_add_extension
-#  undef X509v3_add_netscape_extensions
-#  define X509v3_add_netscape_extensions  
oX509v3_add_netscape_extensions
-#  undef X509v3_add_standard_extensions
-#  define X509v3_add_standard_extensions  
oX509v3_add_standard_extensions
-
 /* This one clashes with CMS_data_create */
 #  undef cms_Data_create
 #  define cms_Data_create priv_cms_Data_create
diff --git a/util/libcrypto.num b/util/libcrypto.num
index c0fe79d..2390fa0 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -282,7 +282,7 @@ TS_REQ_free 282 1_1_0   
EXIST::FUNCTION:TS
 PEM_read_DHparams   2831_1_0   EXIST::FUNCTION:DH,STDIO
 RSA_private_decrypt 2841_1_0   EXIST::FUNCTION:RSA
 X509V3_EXT_get_nid  2851_1_0   EXIST::FUNCTION:
-BIO_s_log   2861_1_0   
EXIST:!WIN32,!macintosh:FUNCTION:
+BIO_s_log   2861_1_0   EXIST::FUNCTION:
 EC_POINT_set_to_infinity287

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-24 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  908f7a1a1b73ec196efd6e12c9ee1e377f044033 (commit)
  from  1abdf08284af055f68c5ece4c7c0efa8f2bf323a (commit)


- Log -
commit 908f7a1a1b73ec196efd6e12c9ee1e377f044033
Author: Daniel Bevenius 
Date:   Mon Sep 24 08:43:35 2018 +0200

Document OPENSSL_VERSION_TEXT macro

This commit documents the OPENSSL_VERSION_TEXT which is currently
missing in the man page.

Reviewed-by: Tim Hudson 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7301)

(cherry picked from commit 7c69495712e3dc9aa8db38271f0c3faeb2037165)

---

Summary of changes:
 doc/crypto/OPENSSL_VERSION_NUMBER.pod | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/doc/crypto/OPENSSL_VERSION_NUMBER.pod 
b/doc/crypto/OPENSSL_VERSION_NUMBER.pod
index f5429d2..01623ba 100644
--- a/doc/crypto/OPENSSL_VERSION_NUMBER.pod
+++ b/doc/crypto/OPENSSL_VERSION_NUMBER.pod
@@ -2,13 +2,14 @@
 
 =head1 NAME
 
-OPENSSL_VERSION_NUMBER, OpenSSL_version,
+OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT, OpenSSL_version,
 OpenSSL_version_num - get OpenSSL version number
 
 =head1 SYNOPSIS
 
  #include 
  #define OPENSSL_VERSION_NUMBER 0xnL
+ #define OPENSSL_VERSION_TEXT "OpenSSL x.y.z xx XXX "
 
  #include 
 
@@ -45,6 +46,10 @@ Version 0.9.5a had an interim interpretation that is like 
the current one,
 except the patch level got the highest bit set, to keep continuity.  The
 number was therefore 0x0090581f.
 
+OPENSSL_VERSION_TEXT is the text variant of the version number and the
+release date.  For example,
+"OpenSSL 1.0.1a 15 Oct 2015".
+
 OpenSSL_version_num() returns the version number.
 
 OpenSSL_version() returns different strings depending on B:
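Review bot: the example `"OpenSSL 1.0.1a 15 Oct 2015"` pairs a 1.0.1a version with a 2015 date, which is not a real release (1.0.1a dates from April 2012); a doc example is best taken from an actual release string, or the synopsis placeholder form reused, so readers do not copy a fictitious value.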


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-23 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  1abdf08284af055f68c5ece4c7c0efa8f2bf323a (commit)
  from  4aa1739c111e1390909533e7b2f485bc655c2489 (commit)


- Log -
commit 1abdf08284af055f68c5ece4c7c0efa8f2bf323a
Author: Pauli 
Date:   Mon Sep 24 11:21:18 2018 +1000

Use secure_getenv(3) when available.

Change all calls to getenv() inside libcrypto to use a new wrapper function
that uses secure_getenv() if available and an issetugid then getenv if not.

CPU processor override flags are unchanged.

Extra checks for OPENSSL_issetugid() have been removed in favour of the
safe getenv.

Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/7047)

(cherry picked from commit 5c39a55d04ea6e6f734b627a050b9e702788d50d)

---

Summary of changes:
 crypto/build.info  |  2 +-
 crypto/conf/conf_api.c |  7 ---
 crypto/conf/conf_mod.c |  3 +--
 crypto/ct/ct_log.c |  2 +-
 crypto/engine/eng_list.c   |  2 +-
 crypto/getenv.c| 31 +++
 crypto/include/internal/cryptlib.h |  2 ++
 crypto/pkcs12/p12_mutl.c   | 18 +-
 crypto/rand/randfile.c |  9 ++---
 crypto/x509/by_dir.c   |  3 ++-
 crypto/x509/by_file.c  |  2 +-
 11 files changed, 55 insertions(+), 26 deletions(-)
 create mode 100644 crypto/getenv.c

diff --git a/crypto/build.info b/crypto/build.info
index e693eba..8e15379 100644
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -2,7 +2,7 @@ LIBS=../libcrypto
 SOURCE[../libcrypto]=\
 cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
 ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fopen.c \
-threads_pthread.c threads_win.c threads_none.c \
+threads_pthread.c threads_win.c threads_none.c getenv.c \
 o_init.c o_fips.c mem_sec.c init.c {- $target{cpuid_asm_src} -} \
 {- $target{uplink_aux_src} -}
 EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
diff --git a/crypto/conf/conf_api.c b/crypto/conf/conf_api.c
index 79e682a..36c91b1 100644
--- a/crypto/conf/conf_api.c
+++ b/crypto/conf/conf_api.c
@@ -9,11 +9,12 @@
 
 /* Part of the code in here was originally in conf.c, which is now removed */
 
+#include "e_os.h"
+#include "internal/cryptlib.h"
 #include 
 #include 
 #include 
 #include 
-#include "e_os.h"
 
 static void value_free_hash(const CONF_VALUE *a, LHASH_OF(CONF_VALUE) *conf);
 static void value_free_stack_doall(CONF_VALUE *a);
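Review bot: moving "e_os.h" ahead of the system includes changes include order, not just the set of headers; if the point is that e_os.h must define the feature-test macros before the system headers are read (so that secure_getenv() is actually declared), a one-line comment above the include block would stop a later cleanup from reordering it back and silently reintroducing the plain getenv() fallback.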
@@ -82,7 +83,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
 if (v != NULL)
 return (v->value);
 if (strcmp(section, "ENV") == 0) {
-p = getenv(name);
+p = ossl_safe_getenv(name);
 if (p != NULL)
 return (p);
 }
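Review bot: with this change a `${ENV::name}` lookup in a configuration file goes through ossl_safe_getenv(), so in a set-user-ID or set-group-ID process on a platform without secure_getenv() it now yields NULL instead of the variable's value. That is the intended hardening, but it is a visible behaviour change for config files that rely on ENV expansion and deserves a CHANGES entry plus a sentence in the config file documentation.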
@@ -95,7 +96,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
 else
 return (NULL);
 } else
-return (getenv(name));
+return ossl_safe_getenv(name);
 }
 
 static unsigned long conf_value_hash(const CONF_VALUE *v)
diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
index 543a8ea..7314435 100644
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -478,8 +478,7 @@ char *CONF_get1_default_config_file(void)
 char *file;
 int len;
 
-file = getenv("OPENSSL_CONF");
-if (file)
+if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL)
 return OPENSSL_strdup(file);
 
 len = strlen(X509_get_default_cert_area());
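Review bot: OPENSSL_CONF is the most consequential variable converted in this commit, because it lets the environment choose which configuration file (and therefore which modules and engines) libcrypto loads at init time, so this is the hunk a regression test should exercise: a set-user-ID test binary on a platform without secure_getenv() should fall back to the default file. The combined assignment-and-compare with an explicit `!= NULL` is consistent with the other hunks.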
diff --git a/crypto/ct/ct_log.c b/crypto/ct/ct_log.c
index d442322..881dc98 100644
--- a/crypto/ct/ct_log.c
+++ b/crypto/ct/ct_log.c
@@ -137,7 +137,7 @@ static int ctlog_new_from_conf(CTLOG **ct_log, const CONF 
*conf, const char *sec
 
 int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
 {
-const char *fpath = getenv(CTLOG_FILE_EVP);
+const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP);
 
 if (fpath == NULL)
   fpath = CTLOG_FILE;
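Review bot: the macro name CTLOG_FILE_EVP reads like a typo for CTLOG_FILE_ENV, since it names an environment variable rather than anything EVP-related; it is pre-existing and out of scope for this change, but worth a follow-up rename now that this line draws attention to it.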
diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c
index 934389f..fcab415 100644
--- a/crypto/engine/eng_list.c
+++ b/crypto/engine/eng_list.c
@@ -322,7 +322,7 @@ ENGINE *ENGINE_by_id(const char *id)
  * Prevent infinite recursion if we're looking for the dynamic engine.
  */
 if (strcmp(id, "dynamic")) {
-if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
+if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == NULL)
 load_dir = ENGINESDIR;
 iterator = ENGINE_by_id("dynamic");
 if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
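Review bot: this is the hunk with the largest security impact, since OPENSSL_ENGINES names the directory from which the dynamic engine loads shared objects, and honouring that from the environment in a privileged process is exactly what the safe wrapper is meant to prevent; it would be good to call this case out explicitly in the CHANGES entry. The `== 0` to `== NULL` change is a welcome tidy-up of a pointer comparison.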
diff --git a/crypto/getenv.c b/crypto/getenv.c
new file mode 100644
index 000..7e98b64
--- /dev/null
+++ b/crypto/getenv.c
@@ 

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-21 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  4aa1739c111e1390909533e7b2f485bc655c2489 (commit)
  from  ad1730359220cef5903d16c7f58b602fc3713414 (commit)


- Log -
commit 4aa1739c111e1390909533e7b2f485bc655c2489
Author: Richard Levitte 
Date:   Fri Sep 21 11:11:15 2018 +0200

crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG

This module includes bn.h via other headers, so it picks up the
definition from there and doesn't need to define them locally (any
more?).  Worst case scenario, the redefinition may be different and
cause all sorts of compile errors.

Fixes #7227

Reviewed-by: Tim Hudson 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/7287)

(cherry picked from commit dda5396aaec315bdbcb080e42fb5cd0191f2ad72)

---

Summary of changes:
 crypto/bn/asm/x86_64-gcc.c | 6 --
 1 file changed, 6 deletions(-)

diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
index 0ff3805..cdb54fa 100644
--- a/crypto/bn/asm/x86_64-gcc.c
+++ b/crypto/bn/asm/x86_64-gcc.c
@@ -64,12 +64,6 @@
  *machine.
  */
 
-# if defined(_WIN64) || !defined(__LP64__)
-#  define BN_ULONG unsigned long long
-# else
-#  define BN_ULONG unsigned long
-# endif
-
 # undef mul
 # undef mul_add
 
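Review bot: the deletion relies on BN_ULONG arriving from bn.h through other headers, which the commit message itself hedges with "(any more?)"; an explicit `#include <openssl/bn.h>` near the top of this file, or a compile-time check that BN_ULONG is defined, would make the dependency visible rather than accidental. Also worth confirming that the `_WIN64` configuration gets the same width from bn.h as the removed block deliberately chose there (`unsigned long long`), since that is the case the local definition existed for.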


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-19 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  ad1730359220cef5903d16c7f58b602fc3713414 (commit)
  from  ae59efc2f60bd839fe80ef50d889c74c4afbb703 (commit)


- Log -
commit ad1730359220cef5903d16c7f58b602fc3713414
Author: Richard Levitte 
Date:   Wed Sep 19 21:33:45 2018 +0200

crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too

These both indicate that the file descriptor we're trying to use as a
terminal isn't, in fact, a terminal.

Fixes #7271

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7272)

(cherry picked from commit 276bf8620ce35a613c856f2b70348f65ffe94067)

---

Summary of changes:
 crypto/ui/ui_openssl.c | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c
index bfe93a5..a25934c 100644
--- a/crypto/ui/ui_openssl.c
+++ b/crypto/ui/ui_openssl.c
@@ -436,6 +436,24 @@ static int open_console(UI *ui)
 is_a_tty = 0;
 else
 # endif
+# ifdef ENXIO
+/*
+ * Solaris can return ENXIO.
+ * This should be ok
+ */
+if (errno == ENXIO)
+is_a_tty = 0;
+else
+# endif
+# ifdef EIO
+/*
+ * Linux can return EIO.
+ * This should be ok
+ */
+if (errno == EIO)
+is_a_tty = 0;
+else
+# endif
 # ifdef ENODEV
 /*
  * MacOS X returns ENODEV (Operation not supported by device),
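Review bot: the two new blocks copy the existing `# ifdef` / `if` / `else` pattern, so the chain now has several near-identical arms; a small static helper with a switch over the conditionally-defined errno values would read better and make the next addition a one-liner (a suggestion, not a blocker). The comments "This should be ok" are vague: say what is ok, i.e. that the descriptor is treated as not a terminal (`is_a_tty = 0`) and the code continues without terminal handling. Note that EIO is always defined on POSIX systems, so the `# ifdef EIO` guard only matters for non-POSIX builds, which is fine but could be stated.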


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-16 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  ae59efc2f60bd839fe80ef50d889c74c4afbb703 (commit)
  from  55b1542ca57537e0899e8b82d4f0363db8f1d261 (commit)


- Log -
commit ae59efc2f60bd839fe80ef50d889c74c4afbb703
Author: Pauli 
Date:   Mon Sep 17 07:47:42 2018 +1000

Use 'i' as parameter name not 'I'.

The latter causes problems when complex.h is #included.

Reviewed-by: Tim Hudson 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7233)

(cherry picked from commit 972f67889b5a10c33dbc3d500cfa65b544e68b46)

---

Summary of changes:
 crypto/rsa/rsa_meth.c   | 4 ++--
 doc/crypto/RSA_meth_new.pod | 4 ++--
 include/openssl/rsa.h   | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/rsa/rsa_meth.c b/crypto/rsa/rsa_meth.c
index 83de554..ba40cff 100644
--- a/crypto/rsa/rsa_meth.c
+++ b/crypto/rsa/rsa_meth.c
@@ -163,13 +163,13 @@ int RSA_meth_set_priv_dec(RSA_METHOD *meth,
 
 /* Can be null */
 int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
-(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx)
 {
 return meth->rsa_mod_exp;
 }
 
 int RSA_meth_set_mod_exp(RSA_METHOD *meth,
- int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa,
+ int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa,
  BN_CTX *ctx))
 {
 meth->rsa_mod_exp = mod_exp;
diff --git a/doc/crypto/RSA_meth_new.pod b/doc/crypto/RSA_meth_new.pod
index 9c89426..8f6d428 100644
--- a/doc/crypto/RSA_meth_new.pod
+++ b/doc/crypto/RSA_meth_new.pod
@@ -58,9 +58,9 @@ RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen
 int padding));
  /* Can be null */
  int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
- (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+ (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
  int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
-  int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA 
*rsa,
+  int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA 
*rsa,
   BN_CTX *ctx));
  /* Can be null */
  int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 790831b..9c28329 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -407,9 +407,9 @@ int RSA_meth_set_priv_dec(RSA_METHOD *rsa,
unsigned char *to, RSA *rsa,
int padding));
 int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
-(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
 int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
- int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa,
+ int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa,
  BN_CTX *ctx));
 int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
 (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
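Review bot: renaming a prototype parameter in a public header is source- and ABI-neutral, because parameter names in declarations are not part of the function type, so this is safe for a stable branch; one line in CHANGES would still help, since users who saw the complex.h conflict will look for it there. While here, the setter's first parameter is named `RSA_METHOD *rsa` where the getter directly above uses `meth`; aligning the two would make the pair easier to read.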


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-16 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  55b1542ca57537e0899e8b82d4f0363db8f1d261 (commit)
  from  622fc2e051bc3c61a09d08f1fafdb45f6f8499b0 (commit)


- Log -
commit 55b1542ca57537e0899e8b82d4f0363db8f1d261
Author: Pauli 
Date:   Mon Sep 17 08:09:25 2018 +1000

Add a compile time test to verify that openssl/rsa.h and complex.h can
coexist.

Reviewed-by: Tim Hudson 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7233)

(cherry picked from commit da5fac72b1cba5651b871902eea234e693cf01e5)

---

Summary of changes:
 .gitignore |  1 +
 test/build.info|  5 -
 test/rsa_complex.c | 27 +++
 3 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 test/rsa_complex.c

diff --git a/.gitignore b/.gitignore
index 3dee392..717aeb3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,6 +52,7 @@ Makefile
 /test/x509aux
 /test/v3ext
 /test/versions
+/test/rsa_complex
 
 # Certain files that get created by tests on the fly
 /test/test-runs
diff --git a/test/build.info b/test/build.info
index d850b52..2367ab8 100644
--- a/test/build.info
+++ b/test/build.info
@@ -2,7 +2,7 @@ IF[{- !$disabled{tests} -}]
   PROGRAMS_NO_INST=\
   versions \
   aborttest \
-  sanitytest exdatatest bntest \
+  sanitytest rsa_complex exdatatest bntest \
   ectest ecdsatest gmdifftest pbelutest ideatest \
   md2test md4test md5test \
   hmactest wp_test \
@@ -32,6 +32,9 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[sanitytest]=../include
   DEPEND[sanitytest]=../libcrypto
 
+  SOURCE[rsa_complex]=rsa_complex.c
+  INCLUDE[rsa_complex]=../include
+
   SOURCE[exdatatest]=exdatatest.c
   INCLUDE[exdatatest]=../include
   DEPEND[exdatatest]=../libcrypto
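Review bot: unlike the neighbouring sanitytest, rsa_complex gets no `DEPEND[rsa_complex]=../libcrypto` line; that is presumably deliberate because the test only needs to compile and references no libcrypto symbols, but a comment saying so would stop someone "fixing" it later. Since no recipe file is touched in this commit, the program is built but never run, which matches the file's own comment that there are no run-time checks.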
diff --git a/test/rsa_complex.c b/test/rsa_complex.c
new file mode 100644
index 000..fac5812
--- /dev/null
+++ b/test/rsa_complex.c
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Check to see if there is a conflict between complex.h and openssl/rsa.h.
+ * The former defines "I" as a macro and earlier versions of the latter use
+ * for function arguments.
+ */
+#if defined(__STDC_VERSION__)
+# if __STDC_VERSION__ >= 199901L
+#  include 
+# endif
+#endif
+#include 
+#include 
+
+int main(int argc, char *argv[])
+{
+/* There are explicitly no run time checks for this one */
+return EXIT_SUCCESS;
+}
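Review bot: the file comment has dropped a word: "earlier versions of the latter use for function arguments" should read "use I for function arguments", which is the whole point of the test. Also, `return EXIT_SUCCESS` needs <stdlib.h>, so make sure that is among the includes (the archive rendering has stripped the header names), and since `argc` and `argv` are unused, `int main(void)` would keep the build quiet under unused-parameter warnings.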


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-13 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  622fc2e051bc3c61a09d08f1fafdb45f6f8499b0 (commit)
  from  477d1a6234d5f4cf5ebfe022390cf5fff42b60fa (commit)


- Log -
commit 622fc2e051bc3c61a09d08f1fafdb45f6f8499b0
Author: Matt Caswell 
Date:   Wed Sep 12 16:49:19 2018 +0100

Add an explicit cast to time_t

Caused a compilation failure in some environments

Fixes #7204

Reviewed-by: Viktor Dukhovni 
(Merged from https://github.com/openssl/openssl/pull/7205)

(cherry picked from commit bc278f30f0b766bfb82426c641dc1d51ace4a994)

---

Summary of changes:
 test/ct_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/ct_test.c b/test/ct_test.c
index ea90923..88a8b77 100644
--- a/test/ct_test.c
+++ b/test/ct_test.c
@@ -542,8 +542,8 @@ static int test_default_ct_policy_eval_ctx_time_is_now()
 {
 int success = 0;
 CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
-const time_t default_time = CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) /
-1000;
+const time_t default_time =
+(time_t)(CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / 1000);
 const time_t time_tolerance = 600;  /* 10 minutes */
 
 if (fabs(difftime(time(NULL), default_time)) > time_tolerance) {
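Review bot: the cast is fine because the division by 1000 happens in the wider return type before narrowing to time_t, so nothing is lost beyond the intended millisecond-to-second conversion; a short comment naming that conversion would stop the 1000 from looking like a magic number. The `fabs(difftime(...))` comparison already handles the clock being either behind or ahead, so no behaviour changes here.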


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-12 Thread matthias . st . pierre
The branch OpenSSL_1_1_0-stable has been updated
   via  477d1a6234d5f4cf5ebfe022390cf5fff42b60fa (commit)
  from  e13dc23cc0fd64c304c25a67d5fa516a77f9e8f1 (commit)


- Log -
commit 477d1a6234d5f4cf5ebfe022390cf5fff42b60fa
Author: Viktor Szakats 
Date:   Tue Sep 11 22:34:00 2018 +

minor fixes for Windows

- fix to use secure URL in generated Windows resources
- fix a potentially uninitialized variable

CLA: trivial

Reviewed-by: Richard Levitte 
Reviewed-by: Paul Dale 
Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7189)

---

Summary of changes:
 crypto/cryptlib.c | 2 +-
 util/mkrc.pl  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
index 3b878cd..9e59e03 100644
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -198,7 +198,7 @@ int OPENSSL_isservice(void)
 
 if (_OPENSSL_isservice.p == NULL) {
 HANDLE mod = GetModuleHandle(NULL);
-FARPROC f;
+FARPROC f = NULL;
 
 if (mod != NULL)
 f = GetProcAddress(mod, "_OPENSSL_isservice");
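Review bot: initialising `f` closes the path where `mod == NULL` leaves `f` indeterminate before it is presumably tested after this hunk; good catch. Consider also handling the `mod == NULL` case explicitly, since it means GetModuleHandle() failed, so that the two failure causes (no module handle versus no exported symbol) are distinguishable when debugging rather than both collapsing into the NULL sentinel.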
diff --git a/util/mkrc.pl b/util/mkrc.pl
index c177349..96f56f3 100755
--- a/util/mkrc.pl
+++ b/util/mkrc.pl
@@ -60,7 +60,7 @@ BEGIN
 BLOCK "040904b0"
 BEGIN
 // Required:
-VALUE "CompanyName", "The OpenSSL Project, 
http://www.openssl.org/\\0;
+VALUE "CompanyName", "The OpenSSL Project, 
https://www.openssl.org/\\0;
 VALUE "FileDescription", "$description\\0"
 VALUE "FileVersion", "$version\\0"
 VALUE "InternalName", "$basename\\0"


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-11 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  e13dc23cc0fd64c304c25a67d5fa516a77f9e8f1 (commit)
  from  aa4312d24492c977eb7d01014e23da61bf245de5 (commit)


- Log -
commit e13dc23cc0fd64c304c25a67d5fa516a77f9e8f1
Author: Bernd Edlinger 
Date:   Mon Sep 10 14:18:23 2018 +0200

Make the config script fail with an error code if Configure failed

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7166)

---

Summary of changes:
 config | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config b/config
index 35e849a..19c0071 100755
--- a/config
+++ b/config
@@ -929,5 +929,6 @@ if [ $? = "0" ]; then
   fi
 else
   echo "This system ($OUT) is not supported. See file INSTALL for details."
+  exit 1
 fi
 )
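Review bot: the new `exit 1` runs inside the `( ... )` subshell that closes on the last context line, so it only sets the subshell's status; make sure the script's own exit status is that of the subshell (it is if the subshell is the last command in the script, otherwise an explicit `exit $?` after the closing parenthesis is needed), or the build scripts this change is meant to help will still see success on an unsupported system.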


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-11 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  aa4312d24492c977eb7d01014e23da61bf245de5 (commit)
  from  f6c6c7c95caedb6046e751a3e24d1923a6554fa7 (commit)


- Log -
commit aa4312d24492c977eb7d01014e23da61bf245de5
Author: parasssh 
Date:   Wed Aug 22 22:42:11 2018 -0700

Fix typos in documentation.

CLA: trivial

(cherry picked from commit fa332bba919d094c1654bbb3be0528b3df6e9023)

Reviewed-by: Paul Dale 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7040)

---

Summary of changes:
 doc/crypto/EVP_DigestInit.pod   |  2 +-
 doc/crypto/EVP_DigestSignInit.pod   | 10 +-
 doc/crypto/EVP_DigestVerifyInit.pod |  2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/doc/crypto/EVP_DigestInit.pod b/doc/crypto/EVP_DigestInit.pod
index 1dc76cb..9fda29b 100644
--- a/doc/crypto/EVP_DigestInit.pod
+++ b/doc/crypto/EVP_DigestInit.pod
@@ -223,7 +223,7 @@ EVP_MD_CTX_copy_ex() because they can efficiently reuse a 
digest context
 instead of initializing and cleaning it up on each call and allow non default
 implementations of digests to be specified.
 
-If digest contexts are not cleaned up after use
+If digest contexts are not cleaned up after use,
 memory leaks will occur.
 
 EVP_MD_CTX_size(), EVP_MD_CTX_block_size(), EVP_MD_CTX_type(),
diff --git a/doc/crypto/EVP_DigestSignInit.pod 
b/doc/crypto/EVP_DigestSignInit.pod
index bec8e9d..a3938d5 100644
--- a/doc/crypto/EVP_DigestSignInit.pod
+++ b/doc/crypto/EVP_DigestSignInit.pod
@@ -28,7 +28,7 @@ is freed). The digest B may be NULL if the signing 
algorithm supports it.
 
 Only EVP_PKEY types that support signing can be used with these functions. This
 includes MAC algorithms where the MAC generation is considered as a form of
-"signing." Built-in EVP_PKEY types supported by these functions are CMAC, DSA,
+"signing". Built-in EVP_PKEY types supported by these functions are CMAC, DSA,
 ECDSA, HMAC and RSA.
 
 Not all digests can be used for all key types. The following combinations 
apply.
@@ -71,17 +71,17 @@ signature context B. This function can be called 
several times on the
 same B to include additional data. This function is currently implemented
 using a macro.
 
-EVP_DigestSignFinal() signs the data in B places the signature in B.
+EVP_DigestSignFinal() signs the data in B and places the signature in 
B.
 If B is B then the maximum size of the output buffer is written to
 the B parameter. If B is not B then before the call the
-B parameter should contain the length of the B buffer, if the
+B parameter should contain the length of the B buffer. If the
 call is successful the signature is written to B and the amount of data
 written to B.
 
 =head1 RETURN VALUES
 
 EVP_DigestSignInit() EVP_DigestSignUpdate() and EVP_DigestSignaFinal() return
-1 for success and 0 or a negative value for failure. In particular a return
+1 for success and 0 or a negative value for failure. In particular, a return
 value of -2 indicates the operation is not supported by the public key
 algorithm.
 
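Review bot: while this paragraph is being touched, the context line still reads "EVP_DigestSignaFinal()" (should be EVP_DigestSignFinal()) and the three function names need separating commas: "EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal() return". Both are the kind of typo this change exists to fix.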
@@ -105,7 +105,7 @@ The call to EVP_DigestSignFinal() internally finalizes a 
copy of the digest
 context. This means that calls to EVP_DigestSignUpdate() and
 EVP_DigestSignFinal() can be called later to digest and sign additional data.
 
-Since only a copy of the digest context is ever finalized the context must
+Since only a copy of the digest context is ever finalized, the context must
 be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
 will occur.
 
diff --git a/doc/crypto/EVP_DigestVerifyInit.pod 
b/doc/crypto/EVP_DigestVerifyInit.pod
index 6c3d070..2e1d00f 100644
--- a/doc/crypto/EVP_DigestVerifyInit.pod
+++ b/doc/crypto/EVP_DigestVerifyInit.pod
@@ -65,7 +65,7 @@ The call to EVP_DigestVerifyFinal() internally finalizes a 
copy of the digest
 context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can
 be called later to digest and verify additional data.
 
-Since only a copy of the digest context is ever finalized the context must
+Since only a copy of the digest context is ever finalized, the context must
 be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
 will occur.
 
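Review bot: the context lines in this hunk refer to EVP_VerifyUpdate() and EVP_VerifyFinal(), which belong to the older EVP_Verify* API; in EVP_DigestVerifyInit.pod they should almost certainly be EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal(), matching the EVP_DigestVerifyFinal() named on the line above. Since this is a typo-fixing change, this is the place to correct them.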


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-11 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  f6c6c7c95caedb6046e751a3e24d1923a6554fa7 (commit)
  from  1fa7e2ee06f24cdc7fe04599456a07f29db69d95 (commit)


- Log -
commit f6c6c7c95caedb6046e751a3e24d1923a6554fa7
Author: Richard Levitte 
Date:   Tue Sep 11 11:00:30 2018 +0200

CAPI engine: add support for RSA_NO_PADDING

Since the SSL code started using RSA_NO_PADDING, the CAPI engine became
unusable.  This change fixes that.

Fixes #7131

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7174)

(cherry picked from commit 37f4928701aa54937ce8eef422a2165afeec5cec)

---

Summary of changes:
 engines/e_capi.c | 28 +---
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/engines/e_capi.c b/engines/e_capi.c
index 4660f1a..9d5e850 100644
--- a/engines/e_capi.c
+++ b/engines/e_capi.c
@@ -917,6 +917,7 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
 unsigned char *tmpbuf;
 CAPI_KEY *capi_key;
 CAPI_CTX *ctx;
+DWORD flags = 0;
 DWORD dlen;
 
 if (flen <= 0)
@@ -932,12 +933,23 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
 return -1;
 }
 
-if (padding != RSA_PKCS1_PADDING) {
-char errstr[10];
-BIO_snprintf(errstr, 10, "%d", padding);
-CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING);
-ERR_add_error_data(2, "padding=", errstr);
-return -1;
+switch (padding) {
+case RSA_PKCS1_PADDING:
+/* Nothing to do */
+break;
+#ifdef CRYPT_DECRYPT_RSA_NO_PADDING_CHECK
+case RSA_NO_PADDING:
+flags = CRYPT_DECRYPT_RSA_NO_PADDING_CHECK;
+break;
+#endif
+default:
+{
+char errstr[10];
+BIO_snprintf(errstr, 10, "%d", padding);
+CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING);
+ERR_add_error_data(2, "padding=", errstr);
+return -1;
+}
 }
 
 /* Create temp reverse order version of input */
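Review bot: when the SDK in use does not define CRYPT_DECRYPT_RSA_NO_PADDING_CHECK, RSA_NO_PADDING silently falls into the default arm and is reported as unsupported padding; that is reasonable, but a comment on the `#ifdef` explaining the SDK dependency would save the next reader a search. More importantly, RSA_NO_PADDING moves all padding validation to the caller: this is correct for the SSL code the commit message cites, which performs its own padding check, but the engine now exposes raw RSA private-key decryption to any caller that asks for it, so the CAPI engine documentation and CHANGES should say that callers using it are responsible for validating the result.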
@@ -950,14 +962,16 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
 
 /* Finally decrypt it */
 dlen = flen;
-if (!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, )) {
+if (!CryptDecrypt(capi_key->key, 0, TRUE, flags, tmpbuf, )) {
 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR);
 capi_addlasterror();
+OPENSSL_cleanse(tmpbuf, dlen);
 OPENSSL_free(tmpbuf);
 return -1;
 } else {
 memcpy(to, tmpbuf, (flen = (int)dlen));
 }
+OPENSSL_cleanse(tmpbuf, flen);
 OPENSSL_free(tmpbuf);
 
 return flen;
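Review bot: the error path cleanses `dlen` bytes, but `dlen` is CryptDecrypt's in/out length parameter and may have been changed by the failed call, and the success path cleanses `flen` bytes after `flen` has been reassigned to the decrypted length `dlen`, which for PKCS#1 padding is shorter than the buffer; both should use the allocation size. Keeping the original length in a separate variable and using `OPENSSL_clear_free(tmpbuf, <allocated length>)` in both places makes the zeroization cover the whole buffer instead of a prefix.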


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-10 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  1fa7e2ee06f24cdc7fe04599456a07f29db69d95 (commit)
  from  1ed9fafccc37bcc78c12d20d586842ee7c7cd8a6 (commit)


- Log -
commit 1fa7e2ee06f24cdc7fe04599456a07f29db69d95
Author: Matt Caswell 
Date:   Mon Sep 10 16:23:14 2018 +0100

Check the return value from ASN1_INTEGER_set

Found by Coverity

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7169)

(cherry picked from commit 512d811719fc955f574090af4c3586a9aba46fa7)

---

Summary of changes:
 crypto/pkcs12/p12_init.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/pkcs12/p12_init.c b/crypto/pkcs12/p12_init.c
index a78e183..7b76909 100644
--- a/crypto/pkcs12/p12_init.c
+++ b/crypto/pkcs12/p12_init.c
@@ -22,7 +22,8 @@ PKCS12 *PKCS12_init(int mode)
 PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
 return NULL;
 }
-ASN1_INTEGER_set(pkcs12->version, 3);
+if (!ASN1_INTEGER_set(pkcs12->version, 3))
+goto err;
 pkcs12->authsafes->type = OBJ_nid2obj(mode);
 switch (mode) {
 case NID_pkcs7_data:
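Review bot: `goto err` needs an error on the queue so the caller can tell why PKCS12_init() returned NULL; the malloc-failure path two lines above raises PKCS12err(..., ERR_R_MALLOC_FAILURE), so either confirm that ASN1_INTEGER_set() pushes its own error or add a PKCS12err() call before the jump. Also confirm that the `err:` label (not shown in the hunk) frees `pkcs12`, since the object has already been allocated at this point.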


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-05 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  1ed9fafccc37bcc78c12d20d586842ee7c7cd8a6 (commit)
  from  a842be9cf7bdf3cb3abbfe152d811cbc57dded27 (commit)


- Log -
commit 1ed9fafccc37bcc78c12d20d586842ee7c7cd8a6
Author: Shane Lontis 
Date:   Mon Sep 3 11:39:50 2018 +1000

RSA padding Zeroization fixes

Reviewed-by: Paul Yang 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7090)

(cherry picked from commit 82eba370daeb6d80b01b521d9e2963451487f0cb)

---

Summary of changes:
 crypto/rsa/rsa_oaep.c | 33 +++--
 crypto/rsa/rsa_pss.c  |  4 ++--
 2 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index f313519..df08a2f 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -43,10 +43,12 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int 
tlen,
 const unsigned char *param, int plen,
 const EVP_MD *md, const EVP_MD *mgf1md)
 {
+int rv = 0;
 int i, emlen = tlen - 1;
 unsigned char *db, *seed;
-unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE];
-int mdlen;
+unsigned char *dbmask = NULL;
+unsigned char seedmask[EVP_MAX_MD_SIZE];
+int mdlen, dbmask_len = 0;
 
 if (md == NULL)
 md = EVP_sha1();
@@ -72,40 +74,41 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int 
tlen,
 db = to + mdlen + 1;
 
 if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))
-return 0;
+goto err;
 memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
 db[emlen - flen - mdlen - 1] = 0x01;
 memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
 if (RAND_bytes(seed, mdlen) <= 0)
-return 0;
+goto err;
+
 #ifdef PKCS_TESTVECT
 memcpy(seed,

"\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
20);
 #endif
 
-dbmask = OPENSSL_malloc(emlen - mdlen);
+dbmask_len = emlen - mdlen;
+dbmask = OPENSSL_malloc(dbmask_len);
 if (dbmask == NULL) {
 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
-return 0;
+goto err;
 }
 
-if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)
+if (PKCS1_MGF1(dbmask, dbmask_len, seed, mdlen, mgf1md) < 0)
 goto err;
-for (i = 0; i < emlen - mdlen; i++)
+for (i = 0; i < dbmask_len; i++)
 db[i] ^= dbmask[i];
 
-if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)
+if (PKCS1_MGF1(seedmask, mdlen, db, dbmask_len, mgf1md) < 0)
 goto err;
 for (i = 0; i < mdlen; i++)
 seed[i] ^= seedmask[i];
-
-OPENSSL_free(dbmask);
-return 1;
+rv = 1;
 
  err:
-OPENSSL_free(dbmask);
-return 0;
+OPENSSL_cleanse(seedmask, sizeof(seedmask));
+OPENSSL_clear_free(dbmask, dbmask_len);
+return rv;
 }
 
 int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
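Review bot: the unified `err:` path now zeroizes seedmask and dbmask on every exit, including early failures where they were never written, which is harmless; what it does not cover is the caller's `to` buffer. `db` aliases `to` (`db = to + mdlen + 1`), and the plaintext is copied into it by `memcpy(db + emlen - flen - mdlen, from, flen)` before RAND_bytes() and the two PKCS1_MGF1() calls can still fail, so on the error path the half-built encoded message leaves the plaintext in the caller's buffer. Cleansing `to` up to `tlen` (or at least `emlen + 1`) before returning 0 would close that, and a comment noting that `db` and `seed` point into `to` would explain why they are not freed here.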
@@ -247,6 +250,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, 
int tlen,
 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
RSA_R_OAEP_DECODING_ERROR);
  cleanup:
+OPENSSL_cleanse(seed, sizeof(seed));
 OPENSSL_clear_free(db, dblen);
 OPENSSL_clear_free(em, num);
 return mlen;
@@ -289,6 +293,7 @@ int PKCS1_MGF1(unsigned char *mask, long len,
 }
 rv = 0;
  err:
+OPENSSL_cleanse(md, sizeof(md));
 EVP_MD_CTX_free(c);
 return rv;
 }
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index f814338..4a1e599 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -242,7 +242,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char 
*EM,
 
  err:
 EVP_MD_CTX_free(ctx);
-OPENSSL_free(salt);
+OPENSSL_clear_free(salt, sLen);
 
 return ret;
 
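Review bot: `OPENSSL_clear_free(salt, sLen)` assumes `sLen` holds the allocated length at the `err:` label; this function accepts negative sentinel values for the salt length on entry and resolves them later, so any error path that jumps to `err` before that resolution must leave `salt` NULL (OPENSSL_clear_free treats a NULL pointer as a no-op before looking at the length). A one-line comment at the label, or tracking the allocated length in its own variable, would keep a later refactor that allocates earlier from turning this into a negative-length cleanse.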


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-05 Thread nic . tuv
The branch OpenSSL_1_1_0-stable has been updated
   via  a842be9cf7bdf3cb3abbfe152d811cbc57dded27 (commit)
   via  c28a2ffd01dc1da932aa55d518b57a933cdc51be (commit)
  from  374804bd0973e8af05046caecc40e6b906d1a375 (commit)


- Log -
commit a842be9cf7bdf3cb3abbfe152d811cbc57dded27
Author: Nicola Tuveri 
Date:   Wed Sep 5 12:08:12 2018 +0300

Harmonize the error handling codepath

Reviewed-by: Richard Levitte 
Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
Reviewed-by: Matthias St. Pierre 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7121)

commit c28a2ffd01dc1da932aa55d518b57a933cdc51be
Author: Nicola Tuveri 
Date:   Wed Sep 5 11:58:55 2018 +0300

Fix segfault in RSA_free() (and DSA/DH/EC_KEY)

`RSA_free()` and friends are called in case of error from
`RSA_new_method(ENGINE *e)` (or the respective equivalent functions).

For the rest of the description I'll talk about `RSA_*`, but the same
applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`.

If `RSA_new_method()` fails because the engine does not implement the
required method, when `RSA_free(RSA *r)` is called,
`r->meth == NULL` and a segfault happens while checking if
`r->meth->finish` is defined.

This commit fixes this issue by ensuring that `r->meth` is not NULL
before dereferencing it to check for `r->meth->finish`.

Fixes #7102.

Reviewed-by: Richard Levitte 
Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
Reviewed-by: Matthias St. Pierre 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7121)

---

Summary of changes:
 crypto/dh/dh_lib.c   | 10 ++
 crypto/dsa/dsa_lib.c | 10 ++
 crypto/ec/ec_key.c   |  2 +-
 crypto/ec/ec_kmeth.c |  2 +-
 crypto/rsa/rsa_lib.c |  4 ++--
 5 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index 716f4a4..4bc62a6 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -82,12 +82,14 @@ DH *DH_new_method(ENGINE *engine)
 
 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
 DHerr(DH_F_DH_NEW_METHOD, ERR_R_INIT_FAIL);
-err:
-DH_free(ret);
-ret = NULL;
+goto err;
 }
 
 return ret;
+
+ err:
+DH_free(ret);
+return NULL;
 }
 
 void DH_free(DH *r)
@@ -103,7 +105,7 @@ void DH_free(DH *r)
 return;
 REF_ASSERT_ISNT(i < 0);
 
-if (r->meth->finish)
+if (r->meth != NULL && r->meth->finish != NULL)
 r->meth->finish(r);
 #ifndef OPENSSL_NO_ENGINE
 ENGINE_finish(r->engine);
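Review bot: the NULL check fixes the crash on the DH_new_method() failure path where `meth` was never set, but the lines that follow keep dereferencing `r` (ENGINE_finish(r->engine) and, typically, the ex_data and BIGNUM fields), so audit the rest of DH_free() for members that are only initialised after `meth` in DH_new_method(); the same audit applies to the DSA, EC_KEY and RSA counterparts changed in this commit, since the failure sequence is identical.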
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index 9598846..9600c61 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -91,12 +91,14 @@ DSA *DSA_new_method(ENGINE *engine)
 
 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
 DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_INIT_FAIL);
-err:
-DSA_free(ret);
-ret = NULL;
+goto err;
 }
 
 return ret;
+
+ err:
+DSA_free(ret);
+return NULL;
 }
 
 void DSA_free(DSA *r)
@@ -112,7 +114,7 @@ void DSA_free(DSA *r)
 return;
 REF_ASSERT_ISNT(i < 0);
 
-if (r->meth->finish)
+if (r->meth != NULL && r->meth->finish != NULL)
 r->meth->finish(r);
 #ifndef OPENSSL_NO_ENGINE
 ENGINE_finish(r->engine);
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index f1f0afb..df35b64 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -55,7 +55,7 @@ void EC_KEY_free(EC_KEY *r)
 return;
 REF_ASSERT_ISNT(i < 0);
 
-if (r->meth->finish != NULL)
+if (r->meth != NULL && r->meth->finish != NULL)
 r->meth->finish(r);
 
 #ifndef OPENSSL_NO_ENGINE
diff --git a/crypto/ec/ec_kmeth.c b/crypto/ec/ec_kmeth.c
index 5e5d1ae..decad65 100644
--- a/crypto/ec/ec_kmeth.c
+++ b/crypto/ec/ec_kmeth.c
@@ -119,7 +119,7 @@ EC_KEY *EC_KEY_new_method(ENGINE *engine)
 }
 return ret;
 
-err:
+ err:
 EC_KEY_free(ret);
 return NULL;
 }
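Review bot: this hunk and the first rsa_lib.c hunk below are whitespace-only (re-indenting `err:` to the one-space label convention). Fine to take, but bundling them with a crash fix muddies `git blame` and makes a narrow backport of just the fix harder; a separate style commit would be cleaner.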
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index e1377a0..40dee36 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -94,7 +94,7 @@ RSA *RSA_new_method(ENGINE *engine)
 
 return ret;
 
-err:
+ err:
 RSA_free(ret);
 return NULL;
 }
@@ -112,7 +112,7 @@ void RSA_free(RSA *r)
 return;
 REF_ASSERT_ISNT(i < 0);
 
-if (r->meth->finish)
+if (r->meth != NULL && r->meth->finish != NULL)
 r->meth->finish(r);
 #ifndef OPENSSL_NO_ENGINE
 ENGINE_finish(r->engine);
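Review bot: the summary of changes carries no regression test for the crash. A test that builds an ENGINE on which ENGINE_set_RSA() was never called and then passes it to RSA_new_method() would walk exactly this NULL-meth path through RSA_free() and keep the guard from regressing; the same pattern applies to DH, DSA and EC_KEY.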
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
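The commit message above describes a destructor that trips over an object its own constructor abandoned half-way. What follows is an added example, not OpenSSL code: a stripped-down model in C of the RSA_new_method()/RSA_free() pair, with a hypothetical TOY_METHOD/TOY_KEY standing in for RSA_METHOD/RSA and a plain pointer argument standing in for the ENGINE lookup. It walks the three ways construction can end (no method from the engine, init failure, success) and shows a destructor written to tolerate a NULL method table surviving all of them.

```c
#include <stdlib.h>

/*
 * Added example, not OpenSSL code: a model of the RSA_new_method()/RSA_free()
 * pair fixed in PR 7121.  TOY_METHOD stands in for RSA_METHOD, TOY_KEY for RSA,
 * and the `engine_meth` argument for the ENGINE lookup (hypothetical names).
 */
typedef struct toy_key_st TOY_KEY;

typedef struct toy_method_st {
    const char *name;
    int (*init)(TOY_KEY *k);     /* optional, like RSA_METHOD.init */
    void (*finish)(TOY_KEY *k);  /* optional, like RSA_METHOD.finish */
} TOY_METHOD;

struct toy_key_st {
    const TOY_METHOD *meth;      /* stays NULL when the engine has no method */
    void *priv;
};

/* Instrumentation so the outcome of each construction path can be checked. */
int toy_init_calls;
int toy_finish_calls;

void toy_reset_counters(void)
{
    toy_init_calls = toy_finish_calls = 0;
}

static int toy_init_ok(TOY_KEY *k)
{
    toy_init_calls++;
    k->priv = malloc(16);
    return k->priv != NULL;
}

static int toy_init_fail(TOY_KEY *k)
{
    (void)k;
    toy_init_calls++;
    return 0;                    /* models an engine init that refuses the key */
}

static void toy_finish(TOY_KEY *k)
{
    toy_finish_calls++;
    free(k->priv);
    k->priv = NULL;
}

const TOY_METHOD toy_meth_good = { "good", toy_init_ok, toy_finish };
const TOY_METHOD toy_meth_bad_init = { "bad-init", toy_init_fail, toy_finish };

/* Models RSA_free() after the fix: meth may be NULL on a half-built object. */
void toy_key_free(TOY_KEY *r)
{
    if (r == NULL)
        return;
    /* Before the fix this read `if (r->meth->finish)` and crashed on meth == NULL. */
    if (r->meth != NULL && r->meth->finish != NULL)
        r->meth->finish(r);
    free(r);
}

/*
 * Models RSA_new_method(ENGINE *e).  engine_meth == NULL plays the role of
 * ENGINE_get_RSA(e) returning NULL, i.e. an engine without an RSA method.
 */
TOY_KEY *toy_key_new_method(const TOY_METHOD *engine_meth)
{
    TOY_KEY *ret = calloc(1, sizeof(*ret));

    if (ret == NULL)
        return NULL;
    ret->meth = engine_meth;
    if (ret->meth == NULL)
        goto err;                /* meth still NULL: the path that used to segfault */
    if (ret->meth->init != NULL && !ret->meth->init(ret))
        goto err;                /* meth set, so finish must run to undo init */
    return ret;

 err:
    toy_key_free(ret);           /* single exit, as in the patched DH/DSA code */
    return NULL;
}

/* Runs one construction attempt and returns 1 if it produced a usable key. */
int toy_try(const TOY_METHOD *m)
{
    TOY_KEY *k = toy_key_new_method(m);
    int ok = k != NULL && k->priv != NULL;

    toy_key_free(k);
    return ok;
}
```

The first path (toy_try(NULL)) is the interesting one: the destructor runs with `meth` still NULL and must neither call finish nor crash; the second shows why the guard has to be a NULL check and not a "was init called" flag, since a method whose init failed still expects its finish to run.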


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-04 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  374804bd0973e8af05046caecc40e6b906d1a375 (commit)
  from  bfd752fe83c72f248a6905d971217e8a3e3a287d (commit)


- Log -
commit 374804bd0973e8af05046caecc40e6b906d1a375
Author: Pauli 
Date:   Wed Sep 5 07:50:17 2018 +1000

Key zeroization fix for EVP_SealInit.

Manual backport from master.

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7116)

---

Summary of changes:
 crypto/evp/p_seal.c   | 21 ++---
 test/evp_extra_test.c | 48 +++-
 2 files changed, 61 insertions(+), 8 deletions(-)

diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c
index faa2464..6f026e7 100644
--- a/crypto/evp/p_seal.c
+++ b/crypto/evp/p_seal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -21,6 +21,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
 {
 unsigned char key[EVP_MAX_KEY_LENGTH];
 int i;
+int rv = 0;
 
 if (type) {
 EVP_CIPHER_CTX_reset(ctx);
@@ -31,21 +32,27 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER 
*type,
 return 1;
 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
 return 0;
+
 if (EVP_CIPHER_CTX_iv_length(ctx)
-&& RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
-return 0;
+&& RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
+goto err;
 
 if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
-return 0;
+goto err;
 
 for (i = 0; i < npubk; i++) {
 ekl[i] =
 EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx),
  pubk[i]);
-if (ekl[i] <= 0)
-return (-1);
+if (ekl[i] <= 0) {
+rv = -1;
+goto err;
+}
 }
-return (npubk);
+rv = npubk;
+err:
+OPENSSL_cleanse(key, sizeof(key));
+return rv;
 }
 
 /*- MACRO
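Review bot: the `EVP_CIPHER_CTX_rand_key(ctx, key) <= 0` check at the top of this hunk still does `return 0`, so it is the one exit after `key` is in scope that bypasses the cleanse at `err:`. Whether a failing rand_key left anything in `key` depends on the cipher's rand_key implementation, so route it through `goto err` like the two paths below it (`rv` is already 0 at that point, nothing else changes). The re-indented `&& RAND_bytes(...)` continuation line is whitespace-only noise in an otherwise tight hunk.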
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 9217f3a..bc02fad 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -9,6 +9,7 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -326,6 +327,46 @@ static int test_d2i_AutoPrivateKey(const unsigned char 
*input,
 return ret;
 }
 
+static int test_EVP_Enveloped(void)
+{
+int ret = 0;
+EVP_CIPHER_CTX *ctx = NULL;
+EVP_PKEY *keypair = NULL;
+unsigned char *kek = NULL;
+int kek_len;
+unsigned char iv[EVP_MAX_IV_LENGTH];
+static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
+int len, ciphertext_len, plaintext_len;
+unsigned char ciphertext[32], plaintext[16];
+const EVP_CIPHER *type = EVP_aes_256_cbc();
+
+if ((keypair = load_example_rsa_key()) == NULL
+|| (kek = OPENSSL_zalloc(EVP_PKEY_size(keypair))) == NULL
+|| (ctx = EVP_CIPHER_CTX_new()) == NULL
+|| !EVP_SealInit(ctx, type, , _len, iv, , 1)
+|| !EVP_SealUpdate(ctx, ciphertext, _len,
+   msg, sizeof(msg))
+|| !EVP_SealFinal(ctx, ciphertext + ciphertext_len, ))
+goto err;
+
+ciphertext_len += len;
+if (!EVP_OpenInit(ctx, type, kek, kek_len, iv, keypair)
+|| !EVP_OpenUpdate(ctx, plaintext, _len,
+   ciphertext, ciphertext_len)
+|| !EVP_OpenFinal(ctx, plaintext + plaintext_len, )
+|| (plaintext_len += len) != sizeof(msg)
+|| memcmp(msg, plaintext, sizeof(msg)) != 0)
+goto err;
+
+ret = 1;
+
+err:
+OPENSSL_free(kek);
+EVP_PKEY_free(keypair);
+EVP_CIPHER_CTX_free(ctx);
+return ret;
+}
+
 #ifndef OPENSSL_NO_EC
 /* Tests loading a bad key in PKCS8 format */
 static int test_EVP_PKCS82PKEY(void)
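Review bot: the new test only walks the success path (seal, open, compare), which is a useful round-trip check but never reaches the code this commit changes, namely the failure exits that now share the cleanse. A second case that makes `EVP_PKEY_encrypt_old()` fail, for instance by sealing to the EC key this file already carries as `kExampleECKeyDER` (rejected as non-RSA), and asserts that EVP_SealInit() returns -1 would cover the `rv = -1; goto err;` path. Also, `plaintext[16]` is only sufficient because `msg` is 8 bytes; a comment tying the two sizes together would save the next person from growing `msg` without growing the buffer.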
@@ -386,6 +427,11 @@ int main(void)
 return 1;
 }
 
+if (!test_EVP_Enveloped()) {
+fprintf(stderr, "test_EVP_Enveloped failed\n");
+return 1;
+}
+
 #ifndef OPENSSL_NO_EC
 if (!test_d2i_AutoPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER),
  EVP_PKEY_EC)) {



[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-04 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  bfd752fe83c72f248a6905d971217e8a3e3a287d (commit)
  from  fe4de29d48d6f7125576a6f8ac73c5af5e832083 (commit)


- Log -
commit bfd752fe83c72f248a6905d971217e8a3e3a287d
Author: Eric Curtin 
Date:   Mon Sep 3 15:23:37 2018 +0100

New openssl subject parser hard to debug

-subj 'subject=C = US, ST = A, L = root, O = Hewlett Packard Enterprise 
Company, OU = Remote Device Access, CN = Hewlett Packard Enterprise Remote 
Device Access Test Local CA, emailAddress = r...@hpe.com'
was a valid subject in openssl 1.0. Error received in 1.1 is:

problems making Certificate Request

Not very informative, I only figured this out because I compiled the
code and added logging.

Reviewed-by: Tim Hudson 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7098)

(cherry picked from commit 2167640b0bf76ec50a397dd90444b97c242e3f04)

---

Summary of changes:
 apps/apps.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/apps/apps.c b/apps/apps.c
index d52201f..a162b16 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1707,8 +1707,14 @@ X509_NAME *parse_name(const char *cp, long chtype, int 
canmulti)
 char *work;
 X509_NAME *n;
 
-if (*cp++ != '/')
+if (*cp++ != '/') {
+BIO_printf(bio_err,
+   "name is expected to be in the format "
+   "/type0=value0/type1=value1/type2=... where characters may "
+   "be escaped by \\. This name is not in that format: '%s'\n",
+   --cp);
 return NULL;
+}
 
 n = X509_NAME_new();
 if (n == NULL)
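Review bot: the message is a clear improvement over the bare "problems making Certificate Request", but `--cp` to recover the start of the string after the `*cp++` test is easy to misread as a typo for `-cp` and invites a well-meant "fix". Saving `const char *start = cp;` before the increment, or testing `*cp != '/'` and incrementing afterwards, says the same thing without the pointer trick. Echoing the user-supplied name through `%s` is fine since BIO_printf() does not interpret the argument.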
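The new error text in the hunk above spells out the format parse_name() accepts: `/type0=value0/type1=value1/...`, where a backslash escapes the next character. As an added example that is not OpenSSL's parser, here is a small C parser for that syntax. It rejects input that does not begin with `/` at offset 0 (the mistake reported in the commit message) and reports the byte offset of any later malformed component; `subj_rdn`, `subj_name`, the size limits and the helper names are hypothetical choices for the example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not OpenSSL code: a parser for the subject syntax that
 * apps/apps.c parse_name() expects, /type0=value0/type1=value1/..., where a
 * backslash escapes the next character.  Struct names and the fixed limits
 * below are hypothetical choices for the example.
 */
#define SUBJ_MAX_RDN   16
#define SUBJ_TYPE_MAX  32
#define SUBJ_VALUE_MAX 128

typedef struct {
    char type[SUBJ_TYPE_MAX];
    char value[SUBJ_VALUE_MAX];
} subj_rdn;

typedef struct {
    int n;
    subj_rdn rdn[SUBJ_MAX_RDN];
} subj_name;

/*
 * Copies one component into `dst`, honouring `\` escapes, stopping at the
 * first unescaped character listed in `stops`.  Advances *cpp; returns 0
 * (cursor left on the offending byte) when the component does not fit.
 */
static int subj_component(const char **cpp, const char *stops,
                          char *dst, size_t dstlen)
{
    const char *cp = *cpp;
    size_t i = 0;

    while (*cp != '\0' && strchr(stops, *cp) == NULL) {
        if (*cp == '\\' && cp[1] != '\0')
            cp++;                      /* escaped: take the next byte literally */
        if (i + 1 >= dstlen) {
            *cpp = cp;
            return 0;
        }
        dst[i++] = *cp++;
    }
    dst[i] = '\0';
    *cpp = cp;
    return 1;
}

/*
 * Parses `cp` into `out`.  Returns 1 on success; on failure returns 0 and
 * sets *errpos to the byte offset of the problem (0 for a missing leading
 * '/', the case the patched error message now reports).
 */
int subj_parse(const char *cp, subj_name *out, size_t *errpos)
{
    const char *start = cp;

    out->n = 0;
    if (*cp != '/') {
        *errpos = 0;
        return 0;
    }
    cp++;
    while (*cp != '\0') {
        subj_rdn *r;

        if (out->n >= SUBJ_MAX_RDN) {
            *errpos = (size_t)(cp - start);
            return 0;
        }
        r = &out->rdn[out->n];
        if (!subj_component(&cp, "=/", r->type, sizeof(r->type))
            || *cp != '=' || r->type[0] == '\0') {
            *errpos = (size_t)(cp - start);  /* no '=' or empty type */
            return 0;
        }
        cp++;                              /* skip '=' */
        if (!subj_component(&cp, "/", r->value, sizeof(r->value))) {
            *errpos = (size_t)(cp - start);
            return 0;
        }
        out->n++;
        if (*cp == '/')
            cp++;
    }
    return 1;
}

/* Helpers for inspecting results: RDN count (-1 on failure), one RDN, error offset. */
int subj_count(const char *s)
{
    subj_name n;
    size_t e;

    return subj_parse(s, &n, &e) ? n.n : -1;
}

int subj_check(const char *s, int i, const char *type, const char *value)
{
    subj_name n;
    size_t e;

    if (!subj_parse(s, &n, &e) || i < 0 || i >= n.n)
        return 0;
    return strcmp(n.rdn[i].type, type) == 0
           && strcmp(n.rdn[i].value, value) == 0;
}

long subj_error_offset(const char *s)
{
    subj_name n;
    size_t e;

    return subj_parse(s, &n, &e) ? -1 : (long)e;
}
```

Feeding it the comma-separated `subject=C = US, ST = A, ...` string from the commit message fails at offset 0, which is the condition the patched parse_name() now explains; a component with no `=` fails at the offset of the character where the `=` was expected.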


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-04 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  fe4de29d48d6f7125576a6f8ac73c5af5e832083 (commit)
  from  b5b39779f3dfe811a64899bd8b33397647dda57a (commit)


- Log -
commit fe4de29d48d6f7125576a6f8ac73c5af5e832083
Author: Pauli 
Date:   Wed Sep 5 05:35:34 2018 +1000

Make OBJ_NAME case insensitive.

Reviewed-by: Richard Levitte 
Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/7101)

---

Summary of changes:
 .../{conf/conf_lcl.h => include/internal/lhash.h}  |  6 -
 crypto/lhash/lhash.c   | 23 
 crypto/objects/o_names.c   | 31 +++---
 test/evptests.txt  | 30 +
 4 files changed, 73 insertions(+), 17 deletions(-)
 copy crypto/{conf/conf_lcl.h => include/internal/lhash.h} (74%)

diff --git a/crypto/conf/conf_lcl.h b/crypto/include/internal/lhash.h
similarity index 74%
copy from crypto/conf/conf_lcl.h
copy to crypto/include/internal/lhash.h
index 6e1f7fe..200ba86 100644
--- a/crypto/conf/conf_lcl.h
+++ b/crypto/include/internal/lhash.h
@@ -7,5 +7,9 @@
  * https://www.openssl.org/source/license.html
  */
 
-void conf_add_ssl_module(void);
+#ifndef INTERNAL_LHASH_H
+# define INTERNAL_LHASH_H
 
+unsigned long openssl_lh_strcasehash(const char *);
+
+#endif
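Review bot: the new internal header would benefit from a one-line contract comment: openssl_lh_strcasehash() must return equal values for any two strings that strcasecmp() considers equal, because o_names.c now pairs it with obj_strcasecmp in the same lhash. That invariant is the whole reason the hash had to change alongside the comparison, and nothing in the tree states it. Naming the parameter (`const char *s`) would also match the project's other prototypes.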
diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
index f485411..319dd49 100644
--- a/crypto/lhash/lhash.c
+++ b/crypto/lhash/lhash.c
@@ -12,6 +12,8 @@
 #include 
 #include 
 #include 
+#include 
+#include "internal/lhash.h"
 #include "lhash_lcl.h"
 
 /*
@@ -351,6 +353,27 @@ unsigned long OPENSSL_LH_strhash(const char *c)
 return ((ret >> 16) ^ ret);
 }
 
+unsigned long openssl_lh_strcasehash(const char *c)
+{
+unsigned long ret = 0;
+long n;
+unsigned long v;
+int r;
+
+if (c == NULL || *c == '\0')
+return ret;
+
+for (n = 0x100; *c != '\0'; n += 0x100) {
+v = n | tolower(*c);
+r = (int)((v >> 2) ^ v) & 0x0f;
+ret = (ret << r) | (ret >> (32 - r));
+ret &= 0xL;
+ret ^= v * v;
+c++;
+}
+return (ret >> 16) ^ ret;
+}
+
 unsigned long OPENSSL_LH_num_items(const OPENSSL_LHASH *lh)
 {
 return lh ? lh->num_items : 0;
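Review bot: `tolower(*c)` is passed a plain `char`; on platforms where `char` is signed, any byte above 0x7f becomes a negative argument, which is undefined behaviour for the <ctype.h> functions. Cast first: `v = n | tolower((unsigned char)*c);`. Second, `ret >> (32 - r)` is a shift by 32 when `r == 0`, undefined where `unsigned long` is 32 bits wide; that is inherited from OPENSSL_LH_strhash() just above, but since this function is new it is the place to write the rotate so that `r == 0` is a no-op.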
diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c
index 15fe653..709b9c3 100644
--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@@ -16,27 +16,26 @@
 #include 
 #include 
 #include 
-#include 
+#include "internal/thread_once.h"
+#include "internal/lhash.h"
 #include "obj_lcl.h"
+#include "e_os.h"
 
 /*
  * We define this wrapper for two reasons. Firstly, later versions of
  * DEC C add linkage information to certain functions, which makes it
  * tricky to use them as values to regular function pointers.
- * Secondly, in the EDK2 build environment, the strcmp function is
- * actually an external function (AsciiStrCmp) with the Microsoft ABI,
- * so we can't transparently assign function pointers to it.
- * Arguably the latter is a stupidity of the UEFI environment, but
- * since the wrapper solves the DEC C issue too, let's just use the
- * same solution.
+ * Secondly, in the EDK2 build environment, the strcasecmp function is
+ * actually an external function with the Microsoft ABI, so we can't
+ * transparently assign function pointers to it.
  */
 #if defined(OPENSSL_SYS_VMS_DECC) || defined(OPENSSL_SYS_UEFI)
-static int obj_strcmp(const char *a, const char *b)
+static int obj_strcasecmp(const char *a, const char *b)
 {
-return strcmp(a, b);
+return strcasecmp(a, b);
 }
 #else
-#define obj_strcmp strcmp
+#define obj_strcasecmp strcasecmp
 #endif
 
 /*
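Review bot: the added `#include "e_os.h"` is presumably what supplies strcasecmp() on platforms without <strings.h> (Windows), but nothing says so; a trailing `/* for strcasecmp */` would spare the next reader a search. The reworded comment now cites strcasecmp rather than strcmp for the EDK2 case, so it stays accurate after the rename.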
@@ -111,8 +110,8 @@ int OBJ_NAME_new_index(unsigned long (*hash_func) (const 
char *),
 ret = 0;
 goto out;
 }
-name_funcs->hash_func = OPENSSL_LH_strhash;
-name_funcs->cmp_func = obj_strcmp;
+name_funcs->hash_func = openssl_lh_strcasehash;
+name_funcs->cmp_func = obj_strcasecmp;
 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
 
 push = sk_NAME_FUNCS_push(name_funcs_stack, name_funcs);
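Review bot: swapping the default hash and compare functions changes observable behaviour for every OBJ_NAME type (ciphers, digests and anything applications registered) in a stable branch: two names differing only in case now collide in OBJ_NAME_add() and resolve to a single entry. That deserves a CHANGES entry and a sentence in the OBJ_NAME documentation; the summary of changes has neither.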
@@ -149,7 +148,7 @@ static int obj_name_cmp(const OBJ_NAME *a, const OBJ_NAME 
*b)
 ret = sk_NAME_FUNCS_value(name_funcs_stack,
   a->type)->cmp_func(a->name, b->name);
 } else
-ret = strcmp(a->name, b->name);
+ret = strcasecmp(a->name, b->name);
 }
 return ret;
 }
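Review bot: this branch is only taken for types without a registered NAME_FUNCS entry, so callers that supplied their own `cmp_func`/`hash_func` through OBJ_NAME_new_index() keep whatever semantics they chose. Fine, but it means those callers are responsible for keeping their own pair consistent, which belongs in the same documentation update.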
@@ -164,7 +163,7 @@ static unsigned long obj_name_hash(const OBJ_NAME *a)
 sk_NAME_FUNCS_value(name_funcs_stack,
 a->type)->hash_func(a->name);
 } else {
-ret = OPENSSL_LH_strhash(a->name);
+ret = openssl_lh_strcasehash(a->name);
 }
 ret ^= a->type;

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-04 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  b5b39779f3dfe811a64899bd8b33397647dda57a (commit)
  from  febb025068f6c74f6776cc7faf1a8bcd55138f87 (commit)


- Log -
commit b5b39779f3dfe811a64899bd8b33397647dda57a
Author: Shane Lontis 
Date:   Tue Sep 4 14:01:37 2018 +1000

hkdf zeroization fix

Reviewed-by: Paul Yang 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7106)

(cherry picked from commit 64ed55ab033f1bfa795d46f0ecc61c313204b418)

---

Summary of changes:
 crypto/kdf/hkdf.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto/kdf/hkdf.c b/crypto/kdf/hkdf.c
index 00b95b5..6d38a2f 100644
--- a/crypto/kdf/hkdf.c
+++ b/crypto/kdf/hkdf.c
@@ -234,6 +234,7 @@ static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
   unsigned char *okm, size_t okm_len)
 {
 HMAC_CTX *hmac;
+unsigned char *ret = NULL;
 
 unsigned int i;
 
@@ -283,11 +284,10 @@ static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
 
 done_len += copy_len;
 }
-
-HMAC_CTX_free(hmac);
-return okm;
+ret = okm;
 
  err:
+OPENSSL_cleanse(prev, sizeof(prev));
 HMAC_CTX_free(hmac);
-return NULL;
+return ret;
 }
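Review bot: cleansing `prev` is right (it holds T(i), the previous HMAC output), and HMAC_CTX_free() wipes the context's own key copy, so both copies of keyed material on this path are now covered. One gap remains: on the `err:` path the blocks already copied into the caller's `okm` (up to `done_len`) are left behind while the function reports failure. Either cleanse `okm` on failure or document that callers must treat `okm` as poisoned when HKDF_Expand() returns NULL.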


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-04 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  febb025068f6c74f6776cc7faf1a8bcd55138f87 (commit)
  from  b4b651b09e738e8874c59f9fd24ec52d7258e5b4 (commit)


- Log -
commit febb025068f6c74f6776cc7faf1a8bcd55138f87
Author: Shane Lontis 
Date:   Tue Sep 4 15:00:21 2018 +1000

key zeroisation fix for p12

Reviewed-by: Paul Yang 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7109)

(cherry picked from commit f5cee414fa8e7e9a088d8d5ebe641f368df20801)

---

Summary of changes:
 crypto/pkcs12/p12_mutl.c | 14 +-
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index a9e2202..02e529c 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -75,6 +75,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int 
passlen,
 unsigned char *out,
 const EVP_MD *md_type))
 {
+int ret = 0;
 const EVP_MD *md_type;
 HMAC_CTX *hmac = NULL;
 unsigned char key[EVP_MAX_MD_SIZE], *salt;
@@ -116,24 +117,27 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, 
int passlen,
 if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter,
  md_size, key, md_type)) {
 PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
-return 0;
+goto err;
 }
 } else
 if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID,
iter, md_size, key, md_type)) {
 PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
-return 0;
+goto err;
 }
 if ((hmac = HMAC_CTX_new()) == NULL
 || !HMAC_Init_ex(hmac, key, md_size, md_type, NULL)
 || !HMAC_Update(hmac, p12->authsafes->d.data->data,
 p12->authsafes->d.data->length)
 || !HMAC_Final(hmac, mac, maclen)) {
-HMAC_CTX_free(hmac);
-return 0;
+goto err;
 }
+ret = 1;
+
+err:
+OPENSSL_cleanse(key, sizeof(key));
 HMAC_CTX_free(hmac);
-return 1;
+return ret;
 }
 
 int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
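Review bot: the `err:` label here is flush-left while the other commits in this batch (rsa_lib.c, ec_kmeth.c, hkdf.c) normalise labels to the one-space ` err:` form; worth matching since that style change was made deliberately. Otherwise the single-exit rewrite is sound: every exit after `key` is derived now passes through the cleanse, and HMAC_CTX_free() cleanses the context's internal key copy, so the derived key does not outlive the call in either buffer.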


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-04 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  b4b651b09e738e8874c59f9fd24ec52d7258e5b4 (commit)
  from  1018ba701368bdcdec7190bfcd2fb4076d0c1244 (commit)


- Log -
commit b4b651b09e738e8874c59f9fd24ec52d7258e5b4
Author: Shane Lontis 
Date:   Tue Sep 4 14:31:11 2018 +1000

key zeroisation for pvkfmt now done on all branch paths

Reviewed-by: Paul Yang 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7107)

(cherry picked from commit 0239283d99a37e8527199a62100fec867b9996cb)

---

Summary of changes:
 crypto/pem/pvkfmt.c | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 63ce925..96a82eb 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -675,11 +675,11 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
 const unsigned char *p = *in;
 unsigned int magic;
 unsigned char *enctmp = NULL, *q;
+unsigned char keybuf[20];
 
 EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();
 if (saltlen) {
 char psbuf[PEM_BUFSIZE];
-unsigned char keybuf[20];
 int enctmplen, inlen;
 if (cb)
 inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
@@ -719,7 +719,6 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
 memset(keybuf + 5, 0, 11);
 if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
 goto err;
-OPENSSL_cleanse(keybuf, 20);
 if (!EVP_DecryptUpdate(cctx, q, , p, inlen))
 goto err;
 if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, ))
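Review bot: dropping the cleanse that followed EVP_DecryptInit_ex() means the RC4 key now stays on the stack until the function returns instead of being wiped as soon as the cipher context has its own copy. That is an acceptable trade for covering the error exits, but it lengthens the key's lifetime, and a comment at the `err:` cleanse would stop someone reinstating the early wipe and then dropping the late one as redundant.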
@@ -729,15 +728,17 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT);
 goto err;
 }
-} else
-OPENSSL_cleanse(keybuf, 20);
+}
 p = enctmp;
 }
 
 ret = b2i_PrivateKey(, keylen);
  err:
 EVP_CIPHER_CTX_free(cctx);
-OPENSSL_free(enctmp);
+if (enctmp != NULL) {
+OPENSSL_cleanse(keybuf, sizeof(keybuf));
+OPENSSL_free(enctmp);
+}
 return ret;
 }
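Review bot: gating the cleanse on `enctmp != NULL` uses the allocation as a proxy for "keybuf was written", which holds today because both happen inside the `saltlen` block, but it couples two unrelated facts. An unconditional `OPENSSL_cleanse(keybuf, sizeof(keybuf))` costs 20 bytes of stores and cannot be wrong. While here, `psbuf` in the same inner block holds the passphrase the key was derived from and deserves the same treatment if it is not already cleansed somewhere outside this hunk.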
 


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-04 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  1018ba701368bdcdec7190bfcd2fb4076d0c1244 (commit)
  from  019cb1ec5bb74cd1e6ec11b5ce1f1b50b0c9b2e2 (commit)


- Log -
commit 1018ba701368bdcdec7190bfcd2fb4076d0c1244
Author: Richard Levitte 
Date:   Mon Sep 3 13:17:03 2018 +0200

openssl req: don't try to report bits

With the introduction of -pkeyopt, the number of bits may change
without |newkey| being updated.  Unfortunately, there is no API to
retrieve the information from a EVP_PKEY_CTX either, so chances are
that we report incorrect information.  For the moment, it's better not
to try to report the number of bits at all.

Fixes #7086

Reviewed-by: Paul Yang 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7096)

(cherry picked from commit 17147181bd3f97c53592e2a5c9319b854b954039)

---

Summary of changes:
 apps/req.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/apps/req.c b/apps/req.c
index 2a21569..a691f93 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -509,8 +509,7 @@ int req_main(int argc, char **argv)
 if (pkey_type == EVP_PKEY_EC) {
 BIO_printf(bio_err, "Generating an EC private key\n");
 } else {
-BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
-   newkey, keyalgstr);
+BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr);
 }
 
 EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
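Review bot: dropping the figure is safer than printing a wrong one, but the information is recoverable after generation: once `pkey` exists, EVP_PKEY_bits(pkey) reports the actual size regardless of what -pkeyopt changed, so the message could move to after EVP_PKEY_keygen() rather than disappear. If `newkey` is no longer read anywhere else in req_main() after this hunk, expect an unused-variable warning.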


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-04 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  019cb1ec5bb74cd1e6ec11b5ce1f1b50b0c9b2e2 (commit)
  from  e25fc6b5b2b99ed02f8966192c94c820b6f69add (commit)


- Log -
commit 019cb1ec5bb74cd1e6ec11b5ce1f1b50b0c9b2e2
Author: Matt Caswell 
Date:   Thu Aug 23 11:37:22 2018 +0100

Clarify the EVP_DigestSignInit docs

They did not make it clear how the memory management works for the |pctx|
parameter.

Fixes #7037

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/7042)

(cherry picked from commit f097e8759820f6f9b78adb99eb4bfced2945d623)

---

Summary of changes:
 doc/crypto/EVP_DigestSignInit.pod   | 8 +---
 doc/crypto/EVP_DigestVerifyInit.pod | 7 +--
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/doc/crypto/EVP_DigestSignInit.pod 
b/doc/crypto/EVP_DigestSignInit.pod
index 5fadc82..bec8e9d 100644
--- a/doc/crypto/EVP_DigestSignInit.pod
+++ b/doc/crypto/EVP_DigestSignInit.pod
@@ -19,10 +19,12 @@ The EVP signature routines are a high level interface to 
digital signatures.
 
 EVP_DigestSignInit() sets up signing context B to use digest B from
 ENGINE B and private key B. B must be created with
-EVP_MD_CTX_new() before calling this function. If B is not NULL the
+EVP_MD_CTX_new() before calling this function. If B is not NULL, the
 EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can
-be used to set alternative signing options. The digest B may be NULL if
-the signing algorithm supports it.
+be used to set alternative signing options. Note that any existing value in
+B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be freed
+directly by the application (it will be freed automatically when the EVP_MD_CTX
+is freed). The digest B may be NULL if the signing algorithm supports it.
 
 Only EVP_PKEY types that support signing can be used with these functions. This
 includes MAC algorithms where the MAC generation is considered as a form of
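Review bot: good clarification. One more sentence would close the question the new text raises: because any existing value in `*pctx` is overwritten and the call assigns the pointer without freeing what was there, an EVP_PKEY_CTX the application had stored in `*pctx` and owned must be freed by the application before the call.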
diff --git a/doc/crypto/EVP_DigestVerifyInit.pod 
b/doc/crypto/EVP_DigestVerifyInit.pod
index ce59422..6c3d070 100644
--- a/doc/crypto/EVP_DigestVerifyInit.pod
+++ b/doc/crypto/EVP_DigestVerifyInit.pod
@@ -19,9 +19,12 @@ The EVP signature routines are a high level interface to 
digital signatures.
 
 EVP_DigestVerifyInit() sets up verification context B to use digest
 B from ENGINE B and public key B. B must be created
-with EVP_MD_CTX_new() before calling this function. If B is not NULL the
+with EVP_MD_CTX_new() before calling this function. If B is not NULL, the
 EVP_PKEY_CTX of the verification operation will be written to B<*pctx>: this
-can be used to set alternative verification options.
+can be used to set alternative verification options. Note that any existing
+value in B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be
+freed directly by the application (it will be freed automatically when the
+EVP_MD_CTX is freed).
 
 EVP_DigestVerifyUpdate() hashes B bytes of data at B into the
 verification context B. This function can be called several times on the


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-04 Thread Richard Levitte
The branch OpenSSL_1_1_0-stable has been updated
   via  e25fc6b5b2b99ed02f8966192c94c820b6f69add (commit)
  from  fab16cd1476e047a2052ca418527b055faa988bd (commit)


- Log -
commit e25fc6b5b2b99ed02f8966192c94c820b6f69add
Author: Jakub Wilk 
Date:   Mon Sep 3 11:09:51 2018 +0200

Fix example in crl(1) man page

The default input format is PEM, so explicit "-inform DER" is needed to
read DER-encoded CRL.

CLA: trivial

Reviewed-by: Paul Yang 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7094)

(cherry picked from commit 785e614a95a134831f213749332bcf40c4920f69)

---

Summary of changes:
 doc/apps/crl.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod
index fded397..8207ee9 100644
--- a/doc/apps/crl.pod
+++ b/doc/apps/crl.pod
@@ -120,7 +120,7 @@ Convert a CRL file from PEM to DER:
 
 Output the text form of a DER encoded certificate:
 
- openssl crl -in crl.der -text -noout
+ openssl crl -in crl.der -inform DER -text -noout
 
 =head1 BUGS
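Review bot: the option fix is right, but the sentence introducing the example still says "DER encoded certificate"; this is the crl(1) page and the input is a CRL, so make it "DER encoded CRL" in the same hunk.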
 


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-04 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  fab16cd1476e047a2052ca418527b055faa988bd (commit)
  from  b50c9f3be062f3af1f6261c87ddb0fbbcb682d09 (commit)


- Log -
commit fab16cd1476e047a2052ca418527b055faa988bd
Author: Matt Caswell 
Date:   Thu Aug 9 16:25:29 2018 +0100

The req documentation incorrectly states that we default to md5

Just remove that statement. It's not been true since 2005.

Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/6905)

---

Summary of changes:
 doc/apps/req.pod | 1 -
 1 file changed, 1 deletion(-)

diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index c5b5260..0a28aea 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -369,7 +369,6 @@ option. For compatibility B is an 
equivalent option.
 
 This option specifies the digest algorithm to use.
 Any digest supported by the OpenSSL B command can be used.
-If not present then MD5 is used.
 This option can be overridden on the command line.
 
 =item B
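Review bot: removing the false statement is the minimum; the reader is now left not knowing what the default is. Say what happens when the option is absent, i.e. which digest the command falls back to, rather than leaving it implicit.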


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-02 Thread matthias . st . pierre
The branch OpenSSL_1_1_0-stable has been updated
   via  b50c9f3be062f3af1f6261c87ddb0fbbcb682d09 (commit)
   via  9ba3012387e9b7c93d864fe757290726f92cf6e9 (commit)
  from  f2ce14d6cfa83c16b36319d71b245a388ddcc1ce (commit)


- Log -
commit b50c9f3be062f3af1f6261c87ddb0fbbcb682d09
Author: Paul Kehrer 
Date:   Sat Sep 1 10:50:28 2018 -0400

add docs for OCSP_resp_get0_signature

Reviewed-by: Paul Dale 
Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7082)

commit 9ba3012387e9b7c93d864fe757290726f92cf6e9
Author: Paul Kehrer 
Date:   Sat Sep 1 00:05:55 2018 -0400

add getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP

fixes #7081

Reviewed-by: Paul Dale 
Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7082)

---

Summary of changes:
 crypto/ocsp/ocsp_cl.c| 10 ++
 doc/crypto/OCSP_resp_find_status.pod | 12 
 include/openssl/ocsp.h   |  2 ++
 util/libcrypto.num   |  2 ++
 4 files changed, 26 insertions(+)

diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index a42b80f..5d99ae3 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -166,6 +166,16 @@ const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const 
OCSP_BASICRESP *bs)
 return bs->signature;
 }
 
+const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
+{
+return >signatureAlgorithm;
+}
+
+const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
+{
+return >tbsResponseData;
+}
+
 /*
  * Return number of OCSP_SINGLERESP responses present in a basic response.
  */
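Review bot: the name OCSP_resp_get0_tbs_sigalg() suggests a field of tbsResponseData, but the function returns `bs->signatureAlgorithm`, the outer BasicOCSPResponse algorithm that signs tbsResponseData. A name such as OCSP_resp_get0_signature_algorithm() would avoid that confusion. Both new getters also lack the short comment block the neighbouring function has, and being `get0` accessors the pod should state that the returned pointers are owned by `bs` and must not be freed.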
diff --git a/doc/crypto/OCSP_resp_find_status.pod 
b/doc/crypto/OCSP_resp_find_status.pod
index e014df5..a4e3c1c 100644
--- a/doc/crypto/OCSP_resp_find_status.pod
+++ b/doc/crypto/OCSP_resp_find_status.pod
@@ -6,6 +6,9 @@ OCSP_resp_get0_certs,
 OCSP_resp_get0_signer,
 OCSP_resp_get0_id,
 OCSP_resp_get0_produced_at,
+OCSP_resp_get0_signature,
+OCSP_resp_get0_tbs_sigalg,
+OCSP_resp_get0_respdata,
 OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
 OCSP_single_get0_status, OCSP_check_validity,
 OCSP_basic_verify
@@ -32,6 +35,9 @@ OCSP_basic_verify
  const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
  const OCSP_BASICRESP* single);
 
+ const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
+ const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
+ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
  const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
 
  int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
@@ -78,6 +84,12 @@ B<*revtime>, B<*thisupd> and B<*nextupd>.
 OCSP_resp_get0_produced_at() extracts the B field from the
 single response B.
 
+OCSP_resp_get0_signature() returns the signature from B.
+
+OCSP_resp_get0_tbs_sigalg() returns the B from B.
+
+OCSP_resp_get0_respdata() returns the B from B.
+
 OCSP_resp_get0_certs() returns any certificates included in B.
 
 OCSP_resp_get0_signer() attempts to retrieve the certificate that directly
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index 90ebe5c..fd172fb 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -194,6 +194,8 @@ int OCSP_response_status(OCSP_RESPONSE *resp);
 OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
 
 const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
+const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
+const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
   STACK_OF(X509) *extra_certs);
 
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 51f1d7d..c0fe79d 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4263,3 +4263,5 @@ X509_OBJECT_set1_X509   4514  1_1_0i  
EXIST::FUNCTION:
 X509_LOOKUP_meth_get_get_by_issuer_serial 4515 1_1_0i  EXIST::FUNCTION:
 X509_LOOKUP_meth_set_init   4516   1_1_0i  EXIST::FUNCTION:
 X509_OBJECT_set1_X509_CRL   4517   1_1_0i  EXIST::FUNCTION:
+OCSP_resp_get0_tbs_sigalg   4529   1_1_0j  EXIST::FUNCTION:OCSP
+OCSP_resp_get0_respdata 4530   1_1_0j  EXIST::FUNCTION:OCSP
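Review bot: new public symbols in a stable branch normally come with a CHANGES entry and a HISTORY section in the pod stating the release they first appear in (1_1_0j per these ordinals); neither is in the summary of changes.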


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-09-02 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  dfbc526e30b2e30cb574a727b3319e4a6125c9e3 (commit)
  from  ac5090b780c5534963061f3e6554e2a59114ed75 (commit)


- Log -
commit dfbc526e30b2e30cb574a727b3319e4a6125c9e3
Author: Eric Brown 
Date:   Thu Aug 16 08:34:39 2018 -0700

Remove redundant ASN1_INTEGER_set call

This trivial patch removes a duplicated call to ASN1_INTEGER_set.

Fixes Issue #6977

Signed-off-by: Eric Brown 

Reviewed-by: Richard Levitte 
Reviewed-by: Andy Polyakov 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/6984)

(cherry picked from commit 59701e6363531cddef5b2114c0127b8453deb1f3)

---

Summary of changes:
 crypto/pkcs7/pk7_lib.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 69c68cf..c7d7181 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -134,7 +134,6 @@ int PKCS7_set_type(PKCS7 *p7, int type)
 if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new())
 == NULL)
 goto err;
-ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1);
 if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1))
 goto err;
 p7->d.signed_and_enveloped->enc_data->content_type


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-08-29 Thread yang . yang
The branch OpenSSL_1_1_0-stable has been updated
   via  521637702fa7bee89cb598fe9b1ba7ff0f60 (commit)
  from  73bebc17a14da5278b01416b39e5c28a7d0c1861 (commit)


- Log -
commit 521637702fa7bee89cb598fe9b1ba7ff0f60
Author: Matt Caswell 
Date:   Mon Aug 27 15:04:28 2018 +0100

Free SSL object on an error path

Thanks to @fangang190 for reporting this

Fixes #7061

Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7065)

---

Summary of changes:
 apps/s_server.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index e8aa323..8629833 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2660,8 +2660,10 @@ static int www_body(int s, int stype, unsigned char 
*context)
 
 if (context
 && !SSL_set_session_id_context(con, context,
-   strlen((char *)context)))
+   strlen((char *)context))) {
+SSL_free(con);
 goto err;
+}
 
 sbio = BIO_new_socket(s, BIO_NOCLOSE);
 if (s_nbio_test) {
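Review bot: the leak fix is correct, but www_body() now differs from rev_body() (third hunk below), which also calls ERR_print_errors(bio_err) before `goto err`; without it a failing SSL_set_session_id_context() here exits silently. Add the same call for consistency.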
@@ -2673,7 +2675,7 @@ static int www_body(int s, int stype, unsigned char 
*context)
 SSL_set_bio(con, sbio, sbio);
 SSL_set_accept_state(con);
 
-/* SSL_set_fd(con,s); */
+/* No need to free |con| after this. Done by BIO_free(ssl_bio) */
 BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
 BIO_push(io, ssl_bio);
 #ifdef CHARSET_EBCDIC
@@ -3030,6 +3032,7 @@ static int rev_body(int s, int stype, unsigned char 
*context)
 if (context
 && !SSL_set_session_id_context(con, context,
strlen((char *)context))) {
+SSL_free(con);
 ERR_print_errors(bio_err);
 goto err;
 }
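Review bot: for consistency with the `www_body` hunk above, this branch calls `ERR_print_errors(bio_err)` before `goto err` while the `www_body` one does not, so a failing `SSL_set_session_id_context()` is reported in one server mode and silent in the other; either both should report or the shared cleanup should. The `SSL_free(con)` carries the same caveat as in `www_body`: correct only if `err:` does not free `con` as well.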
@@ -3038,6 +3041,7 @@ static int rev_body(int s, int stype, unsigned char 
*context)
 SSL_set_bio(con, sbio, sbio);
 SSL_set_accept_state(con);
 
+/* No need to free |con| after this. Done by BIO_free(ssl_bio) */
 BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
 BIO_push(io, ssl_bio);
 #ifdef CHARSET_EBCDIC


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-08-28 Thread Andy Polyakov
The branch OpenSSL_1_1_0-stable has been updated
   via  73bebc17a14da5278b01416b39e5c28a7d0c1861 (commit)
   via  c5c6915fba3f1becfd78ed2be032caa38ecadef3 (commit)
   via  db09fdc1a675bde167001a4f68e0f1e595e96dee (commit)
   via  a6d8fe92a601728138e645302fa8bab7ca54fb58 (commit)
  from  5eee95a54de6854e60886c8e662a902184b12d04 (commit)


- Log -
commit 73bebc17a14da5278b01416b39e5c28a7d0c1861
Author: Andy Polyakov 
Date:   Wed Aug 15 15:46:35 2018 +0200

bn/bn_lib.c: conceal even memory access pattern in bn2binpad.

(cherry picked from commit 324b95605225410763fe63f7cff36eb46ca54ee9)

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/6940)

commit c5c6915fba3f1becfd78ed2be032caa38ecadef3
Author: Andy Polyakov 
Date:   Mon Aug 13 16:59:08 2018 +0200

bn/bn_blind.c: use Montgomery multiplication when possible.

(cherry picked from commit e02c519cd32a55e6ad39a0cfbeeda775f9115f28)

Resolved conflicts:
crypto/bn/bn_blind.c

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/6940)

commit db09fdc1a675bde167001a4f68e0f1e595e96dee
Author: Andy Polyakov 
Date:   Fri Aug 10 19:46:03 2018 +0200

rsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."

In the [most common] case of p and q being of the same width, it's possible to
replace CRT modulo operations with Montgomery reductions. And those are
even fixed-length Montgomery reductions...

(cherry picked from commit 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59)

Resolved conflicts:
crypto/rsa/rsa_ossl.c

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/6940)

commit a6d8fe92a601728138e645302fa8bab7ca54fb58
Author: Andy Polyakov 
Date:   Fri Aug 10 19:31:22 2018 +0200

crypto/bn: add more fixed-top routines.

Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top.
Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove
memset in bn_from_montgomery_word.

(cherry picked from commit fcc4ee09473cac511eca90faa003661c7786e4f9)

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/6940)

---

Summary of changes:
 crypto/bn/bn_blind.c |  88 --
 crypto/bn/bn_lib.c   |  34 +++---
 crypto/bn/bn_mod.c   |  67 +++-
 crypto/bn/bn_mont.c  |  27 +---
 crypto/bn/bn_mul.c   |  12 +++-
 crypto/bn/bn_sqr.c   |  12 +++-
 crypto/include/internal/bn_int.h |   6 ++
 crypto/rsa/rsa_ossl.c| 130 ---
 8 files changed, 287 insertions(+), 89 deletions(-)

diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
index 24d1383..7a8237c 100644
--- a/crypto/bn/bn_blind.c
+++ b/crypto/bn/bn_blind.c
@@ -109,10 +109,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
 if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
 goto err;
 } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) {
-if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
-goto err;
-if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx))
-goto err;
+if (b->m_ctx != NULL) {
+if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx)
+|| !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx))
+goto err;
+} else {
+if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)
+|| !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
+goto err;
+}
 }
 
 ret = 1;
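Review bot: `bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx)` computes A*A*R^-1, so the squared values stay in Montgomery form only if `A` and `Ai` were stored as a*R and a^-1*R whenever `b->m_ctx != NULL`; that invariant is established outside this hunk and should be stated in a comment on the `m_ctx` field, because the `else` branch squares the plain values. The fixed-top routines also leave `b->A`/`b->Ai` possibly non-normalised, so every consumer of those fields must tolerate a non-minimal `top` (BN_mod_mul_montgomery does; anything that runs bn_check_top on them would not).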
@@ -144,13 +149,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, 
BN_BLINDING *b, BN_CTX *ctx)
 else if (!BN_BLINDING_update(b, ctx))
 return (0);
 
-if (r != NULL) {
-if (!BN_copy(r, b->Ai))
-ret = 0;
-}
+if (r != NULL && (BN_copy(r, b->Ai) == NULL))
+return 0;
 
-if (!BN_mod_mul(n, n, b->A, b->mod, ctx))
-ret = 0;
+if (b->m_ctx != NULL)
+ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx);
+else
+ret = BN_mod_mul(n, n, b->A, b->mod, ctx);
 
 return ret;
 }
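Review bot: behaviour on `BN_copy(r, b->Ai)` failure changes here: previously `ret` was cleared but `n` was still multiplied by `A`; now the function returns 0 with `n` untouched, after `BN_BLINDING_update()` has already advanced `A`/`Ai`. That is the safer outcome (no half-blinded value), but any caller that ignores the return value of BN_BLINDING_convert_ex would now continue with an unblinded `n`, so those call sites are worth a look. Minor: the new `return 0;` sits next to `return (0);` in the context line above; pick one style.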
@@ -167,14 +172,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, 
BN_BLINDING *b,
 
 bn_check_top(n);
 
-if (r != NULL)
-ret = BN_mod_mul(n, n, r, b->mod, ctx);
-else {
-if (b->Ai == NULL) {
-BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
-return (0);
+if (r == NULL && (r = b->Ai) == NULL) {
+BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
+return 0;
+}
+
+if (b->m_ctx != NULL) {
+/* ensure that BN_mod_mul_montgomery takes pre-defined path */
+if 
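Review bot: the hunk is cut off after `if` in this archive copy, so the Montgomery branch that the "pre-defined path" comment introduces cannot be reviewed here; in the visible part, `(r = b->Ai) == NULL` reuses the `const BIGNUM *r` parameter as the working value, which is fine but deserves a comment, since the code after it no longer distinguishes a caller-supplied `r` from the cached `b->Ai`.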

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-08-24 Thread nic . tuv
The branch OpenSSL_1_1_0-stable has been updated
   via  5eee95a54de6854e60886c8e662a902184b12d04 (commit)
  from  837017b4748d587912d9d218894644d6ca86721f (commit)


- Log -
commit 5eee95a54de6854e60886c8e662a902184b12d04
Author: Nicola Tuveri 
Date:   Tue Aug 21 00:50:01 2018 +0300

Backport #6648 to OpenSSL_1_1_0-stable

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7015)

---

Summary of changes:
 crypto/ec/ec_mult.c | 46 --
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 56c7767..71ec910 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -382,30 +382,32 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const 
BIGNUM *scalar,
 return EC_POINT_set_to_infinity(group, r);
 }
 
-/*-
- * Handle the common cases where the scalar is secret, enforcing a constant
- * time scalar multiplication algorithm.
- */
-if ((scalar != NULL) && (num == 0)) {
-/*-
- * In this case we want to compute scalar * GeneratorPoint: this
- * codepath is reached most prominently by (ephemeral) key generation
- * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
- * keygen/first half), where the scalar is always secret. This is why
- * we ignore if BN_FLG_CONSTTIME is actually set and we always call the
- * constant time version.
- */
-return ec_mul_consttime(group, r, scalar, NULL, ctx);
-}
-if ((scalar == NULL) && (num == 1)) {
+if (!BN_is_zero(group->order) && !BN_is_zero(group->cofactor)) {
 /*-
- * In this case we want to compute scalar * GenericPoint: this codepath
- * is reached most prominently by the second half of ECDH, where the
- * secret scalar is multiplied by the peer's public point. To protect
- * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
- * we always call the constant time version.
+ * Handle the common cases where the scalar is secret, enforcing a 
constant
+ * time scalar multiplication algorithm.
  */
-return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
+if ((scalar != NULL) && (num == 0)) {
+/*-
+ * In this case we want to compute scalar * GeneratorPoint: this
+ * codepath is reached most prominently by (ephemeral) key 
generation
+ * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
+ * keygen/first half), where the scalar is always secret. This is 
why
+ * we ignore if BN_FLG_CONSTTIME is actually set and we always 
call the
+ * constant time version.
+ */
+return ec_mul_consttime(group, r, scalar, NULL, ctx);
+}
+if ((scalar == NULL) && (num == 1)) {
+/*-
+ * In this case we want to compute scalar * GenericPoint: this 
codepath
+ * is reached most prominently by the second half of ECDH, where 
the
+ * secret scalar is multiplied by the peer's public point. To 
protect
+ * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually 
set and
+ * we always call the constant time version.
+ */
+return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
+}
 }
 
 for (i = 0; i < num; i++) {
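Review bot: the constant-time paths are now taken only when `group->order` and `group->cofactor` are both non-zero, so a group whose order or cofactor was left at zero falls through to the variable-time wNAF loop below even though the comments state the scalar is always secret in the `num == 0` and `num == 1` cases (key generation and ECDH). That should be spelled out in the comment, and the fallback for such groups documented as not constant-time, so that the guarantee is not assumed for custom groups that never set an order.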


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-08-22 Thread Paul I . Dale
The branch OpenSSL_1_1_0-stable has been updated
   via  837017b4748d587912d9d218894644d6ca86721f (commit)
  from  8255fd0f4f86fa4202962d4b27185c0d96f21d75 (commit)


- Log -
commit 837017b4748d587912d9d218894644d6ca86721f
Author: Pauli 
Date:   Wed Aug 22 10:04:27 2018 +1000

Zero memory in CRYPTO_secure_malloc.

This commit destroys the free list pointers which would otherwise be
present in the returned memory blocks.  This in turn helps prevent
information leakage from the secure memory area.

Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory:
before the secure memory system is initialised or if it isn't implemented.

[manual merge of #7011]

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/7026)

---

Summary of changes:
 crypto/mem_sec.c  | 16 +++-
 test/secmemtest.c | 44 
 2 files changed, 55 insertions(+), 5 deletions(-)

diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c
index 25cdb47..1ccf68c 100644
--- a/crypto/mem_sec.c
+++ b/crypto/mem_sec.c
@@ -134,11 +134,12 @@ void *CRYPTO_secure_malloc(size_t num, const char *file, 
int line)
 
 void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
 {
-void *ret = CRYPTO_secure_malloc(num, file, line);
-
-if (ret != NULL)
-memset(ret, 0, num);
-return ret;
+#ifdef IMPLEMENTED
+if (secure_mem_initialized)
+/* CRYPTO_secure_malloc() zeroes allocations when it is implemented */
+return CRYPTO_secure_malloc(num, file, line);
+#endif
+return CRYPTO_zalloc(num, file, line);
 }
 
 void CRYPTO_secure_free(void *ptr, const char *file, int line)
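Review bot: the comment "CRYPTO_secure_malloc() zeroes allocations when it is implemented" holds only because of properties established elsewhere: the `SH_LIST` header clearing in sh_malloc (next hunk) and the commit message's premise that the rest of a free block is already zero. Neither is named here, so if either changes CRYPTO_secure_zalloc silently stops zeroing; suggest naming the invariant in the comment. Style: a comment placed between `if (...)` and its single statement is easy to misread; move it above the `if` or add braces.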
@@ -574,6 +575,9 @@ static char *sh_malloc(size_t size)
 
 OPENSSL_assert(WITHIN_ARENA(chunk));
 
+/* zero the free list header as a precaution against information leakage */
+memset(chunk, 0, sizeof(SH_LIST));
+
 return chunk;
 }
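Review bot: only `sizeof(SH_LIST)` bytes are cleared, which is right for the free-list header but means the all-zero guarantee for the whole chunk rests on every other byte of a free block already being zero (fresh arena or cleansed on free); a sentence saying so next to the memset would stop someone from removing the free-side cleanse later and breaking CRYPTO_secure_zalloc without touching this file's zalloc.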
 
@@ -606,6 +610,8 @@ static void sh_free(char *ptr)
 
 list--;
 
+/* Zero the higher addressed block's free list pointers */
+memset(ptr > buddy ? ptr : buddy, 0, sizeof(SH_LIST));
 if (ptr > buddy)
 ptr = buddy;
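Review bot: `memset(ptr > buddy ? ptr : buddy, 0, sizeof(SH_LIST))` followed by `if (ptr > buddy) ptr = buddy;` evaluates the same comparison twice; clearer to branch once, e.g. `if (ptr > buddy) { memset(ptr, 0, sizeof(SH_LIST)); ptr = buddy; } else memset(buddy, 0, sizeof(SH_LIST));`. The comment should also say why clearing only the higher block suffices (presumably the lower block's header is rewritten when the merged block is put back on the free list), since as written it reads as if the lower block's pointers were forgotten.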
 
diff --git a/test/secmemtest.c b/test/secmemtest.c
index 9405f34..6077216 100644
--- a/test/secmemtest.c
+++ b/test/secmemtest.c
@@ -18,6 +18,8 @@ int main(int argc, char **argv)
 {
 #if defined(OPENSSL_SYS_LINUX) || defined(OPENSSL_SYS_UNIX)
 char *p = NULL, *q = NULL, *r = NULL, *s = NULL;
+int i;
+const int size = 64;
 
 s = OPENSSL_secure_malloc(20);
 /* s = non-secure 20 */
@@ -128,6 +130,48 @@ int main(int argc, char **argv)
 return 1;
 }
 
+if (!CRYPTO_secure_malloc_init(32768, 16)) {
+perror_line();
+return 1;
+}
+
+/*
+ * Verify that secure memory gets zeroed properly.
+ */
+if ((p = OPENSSL_secure_malloc(size)) == NULL) {
+perror_line();
+return 1;
+}
+for (i = 0; i < size; i++)
+if (p[i] != 0) {
+perror_line();
+fprintf(stderr, "iteration %d\n", i);
+return 1;
+}
+
+for (i = 0; i < size; i++)
+p[i] = (unsigned char)(i + ' ' + 1);
+OPENSSL_secure_free(p);
+
+/*
+ * A deliberate use after free here to verify that the memory has been
+ * cleared properly.  Since secure free doesn't return the memory to
+ * libc's memory pool, it technically isn't freed.  However, the header
+ * bytes have to be skipped and these consist of two pointers in the
+ * current implementation.
+ */
+for (i = sizeof(void *) * 2; i < size; i++)
+if (p[i] != 0) {
+perror_line();
+fprintf(stderr, "iteration %d\n", i);
+return 1;
+}
+
+if (!CRYPTO_secure_malloc_done()) {
+perror_line();
+return 1;
+}
+
 /*-
  * There was also a possible infinite loop when the number of
  * elements was 1<<31, as |int i| was set to that, which is a
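Review bot: the post-free check skips `sizeof(void *) * 2` bytes, a hand-copied description of the `SH_LIST` header rather than its `sizeof`; the test cannot name the private type, but the comment should say the constant must track the header layout or the test will pass vacuously on a header that grows. The loop also reads `p` after `OPENSSL_secure_free(p)`, which the comment acknowledges; that is only safe because the arena is never handed back to libc, so this section needs to be skipped under any sanitizer that tracks the secure arena.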


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-08-22 Thread Andy Polyakov
The branch OpenSSL_1_1_0-stable has been updated
   via  8255fd0f4f86fa4202962d4b27185c0d96f21d75 (commit)
  from  b2a73156186ec436f584a565e6d4a98b75734286 (commit)


- Log -
commit 8255fd0f4f86fa4202962d4b27185c0d96f21d75
Author: Andy Polyakov 
Date:   Thu Aug 16 09:26:12 2018 +0200

crypto/init.c: improve destructor_key's portability.

It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type,
which doesn't appear to hold true.

Reviewed-by: Kurt Roeckx 
(Merged from https://github.com/openssl/openssl/pull/6976)

(cherry picked from commit 0b1319ba94c85af9e87308e0d573d1260a802f53)

---

Summary of changes:
 crypto/init.c | 19 +++
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/crypto/init.c b/crypto/init.c
index 00a9179..2ad946c 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -41,7 +41,10 @@ static int stopped = 0;
  * key value and pull NULL past initialization in the first thread that
  * intends to use libcrypto.
  */
-static CRYPTO_THREAD_LOCAL destructor_key = (CRYPTO_THREAD_LOCAL)-1;
+static union {
+long sane;
+CRYPTO_THREAD_LOCAL value;
+} destructor_key = { -1 };
 
 static void ossl_init_thread_stop(struct thread_local_inits_st *locals);
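Review bot: `{ -1 }` initialises the first member (`sane`), and `destructor_key.sane != -1` is later used as the "not yet initialised" test after `destructor_key.value` has been written; that is type punning through the union, which is well-defined in C but relies on two things that should be stated in a comment on the union: that a real key never has the bit pattern of `(long)-1` in the bytes `sane` overlaps, and that assigning `.value` always disturbs at least one of those bytes (if `sizeof(CRYPTO_THREAD_LOCAL) < sizeof(long)` the high bytes keep the 0xFF fill and only the low bytes carry the signal). A separate `int initialised` flag would make the check independent of the key's representation.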
 
@@ -53,17 +56,17 @@ static void ossl_init_thread_destructor(void *local)
 static struct thread_local_inits_st *ossl_init_get_thread_local(int alloc)
 {
 struct thread_local_inits_st *local =
-CRYPTO_THREAD_get_local(_key);
+CRYPTO_THREAD_get_local(_key.value);
 
 if (alloc) {
 if (local == NULL
 && (local = OPENSSL_zalloc(sizeof(*local))) != NULL
-&& !CRYPTO_THREAD_set_local(_key, local)) {
+&& !CRYPTO_THREAD_set_local(_key.value, local)) {
 OPENSSL_free(local);
 return NULL;
 }
 } else {
-CRYPTO_THREAD_set_local(_key, NULL);
+CRYPTO_THREAD_set_local(_key.value, NULL);
 }
 
 return local;
@@ -97,7 +100,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base)
 #endif
 OPENSSL_cpuid_setup();
 
-destructor_key = key;
+destructor_key.value = key;
 base_inited = 1;
 return 1;
 
@@ -396,7 +399,7 @@ static void ossl_init_thread_stop(struct 
thread_local_inits_st *locals)
 
 void OPENSSL_thread_stop(void)
 {
-if (destructor_key != (CRYPTO_THREAD_LOCAL)-1)
+if (destructor_key.sane != -1)
 ossl_init_thread_stop(ossl_init_get_thread_local(0));
 }
 
@@ -493,8 +496,8 @@ void OPENSSL_cleanup(void)
 err_free_strings_int();
 }
 
-key = destructor_key;
-destructor_key = (CRYPTO_THREAD_LOCAL)-1;
+key = destructor_key.value;
+destructor_key.sane = -1;
 CRYPTO_THREAD_cleanup_local();
 
 #ifdef OPENSSL_INIT_DEBUG


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-08-18 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  b2a73156186ec436f584a565e6d4a98b75734286 (commit)
  from  dba995e78f09ccf00a3cf1b1c4c196febd2a7fa4 (commit)


- Log -
commit b2a73156186ec436f584a565e6d4a98b75734286
Author: Bernd Edlinger 
Date:   Fri Aug 17 09:02:53 2018 +0200

Fix a warning from MSVC build

Apparently after internal/numbers.h defines INTx_MIN/MAX
stdint gets included and it defines those differently:

C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\INCLUDE\stdint.h(48):
 warning C4005: 'INT8_MIN': macro redefinition

Avoid that by changing the sequence in which the include files
appear in crypto/bio/b_print.c.

[extended tests]

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/6995)

---

Summary of changes:
 crypto/bio/b_print.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index cdfe05f..bf006d1 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -10,9 +10,9 @@
 #include 
 #include 
 #include 
-#include "internal/numbers.h"
-#include "internal/cryptlib.h"
 #include 
+#include "internal/cryptlib.h"
+#include "internal/numbers.h"
 
 /*
  * Copyright Patrick Powell 1995
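Review bot: moving `internal/numbers.h` after the system headers only silences C4005 if numbers.h guards each INTx_MIN/MAX definition with `#ifndef`; otherwise the redefinition warning simply moves from stdint.h to numbers.h. Worth confirming that guard (or having numbers.h include stdint.h itself) so the fix does not depend on include order in every file that uses numbers.h. The system header names are missing from this archive copy (`#include ` with nothing after it), so which header pulls in stdint.h cannot be seen here.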

