Improve the overflow handling in rsaz_512_sqr We have always a carry in %rcx or %rbx in range 0..2 from the previous stage, that is added to the result of the 64-bit square, but the low nibble of any square can only be 0, 1, 4, 9. Therefore one "adcq $0, %rdx" can be removed. Likewise in the ADX code we can remove one "adcx %rbp, $out" since %rbp is always 0, and carry is also zero, therefore that is a no-op. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10576)
Fix an overflow bug in rsaz_512_sqr There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. CVE-2019-1551 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/10576)
Fix an s_server arbitrary file read issue on Windows Running s_server in WWW mode on Windows can allow a client to read files outside the s_server directory by including backslashes in the name, e.g. GET /..\myfile.txt HTTP/1.0 There exists a check for this for Unix paths but it is not sufficient for Windows. Since s_server is a test tool no CVE is assigned. Thanks to Jobert Abma for reporting this. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10215) (cherry picked from commit 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9)
[crypto/asn1/x_bignum.c] Explicit test against NULL As a fixup to https://github.com/openssl/openssl/pull/9779 to better conform to the project code style guidelines, this commit amends the original changeset to explicitly test against NULL, i.e. writing ``` if (p != NULL) ``` rather than ``` if (!p) ``` (This is a backport of https://github.com/openssl/openssl/pull/9881) Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9882)
[ec_asn1.c] Avoid injecting seed when built-in matches An unintended consequence of https://github.com/openssl/openssl/pull/9808 is that when an explicit parameters curve is matched against one of the well-known builtin curves we automatically inherit also the associated seed parameter, even if the input parameters excluded such parameter. This later affects the serialization of such parsed keys, causing their input DER encoding and output DER encoding to differ due to the additional optional field. This does not cause problems internally but could affect external applications, as reported in https://github.com/openssl/openssl/pull/9811#issuecomment-536153288 This commit fixes the issue by conditionally clearing the seed field if the original input parameters did not include it. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10141)
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9849)
Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9777) (cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)