openssl.git
16 months ago[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
Billy Brumley [Sat, 7 Sep 2019 07:50:58 +0000 (10:50 +0300)]
[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it

The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.

This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.

This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.

It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).

The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.

CVE-2019-1547

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9799)

16 months ago[crypto/rsa] Fix multiple SCA vulnerabilities during RSA key validation.
Cesar Pereida Garcia [Thu, 5 Sep 2019 14:47:40 +0000 (17:47 +0300)]
[crypto/rsa] Fix multiple SCA vulnerabilities during RSA key validation.

This commit addresses multiple side-channel vulnerabilities present during RSA key validation.
Private key parameters are re-computed using variable-time functions.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9785)

16 months agoConfigure: clang: add -Wno-unknown-warning-option
Dr. Matthias St. Pierre [Tue, 23 Jul 2019 18:18:43 +0000 (20:18 +0200)]
Configure: clang: add -Wno-unknown-warning-option

Fixes travis build errors due to clang

    error: unknown warning option '-Wno-extended-offsetof'

It seems like '-Wextended-offsetof' was removed from clang in version 6.0.0,
(see [1], [2]). While gcc ignores unknown options of the type '-Wno-xxx',
clang by default issues a warning [-Wunknown-warning-option] (see [3]), which
together with '-Werror' causes the build to fail.

This commit adds the '-Wno-unknown-warning-option' option to make clang
behave more relaxed like gcc.

[1] https://reviews.llvm.org/D40267
[2] https://github.com/llvm/llvm-project/commit/52a3ca9e2909
[3] https://clang.llvm.org/docs/DiagnosticsReference.html#wunknown-warning-option

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9446)

16 months ago[ec/ecp_nistp*.c] restyle: use {} around `else` too
Nicola Tuveri [Fri, 6 Sep 2019 11:05:26 +0000 (14:05 +0300)]
[ec/ecp_nistp*.c] restyle: use {} around `else` too

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9793)

16 months ago[ec/ecp_nistp*.c] remove flip_endian()
Nicola Tuveri [Thu, 5 Sep 2019 22:31:45 +0000 (01:31 +0300)]
[ec/ecp_nistp*.c] remove flip_endian()

Replace flip_endian() by using the little endian specific
bn_bn2lebinpad() and bn_lebin2bn().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9793)

16 months agoUniform bn_bn2binpad() and bn_bn2lebinpad() implementations
Nicola Tuveri [Thu, 5 Sep 2019 21:18:36 +0000 (00:18 +0300)]
Uniform bn_bn2binpad() and bn_bn2lebinpad() implementations

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9793)

16 months agoMake BN_num_bits() consttime upon BN_FLG_CONSTTIME
Nicola Tuveri [Thu, 1 Aug 2019 23:08:34 +0000 (02:08 +0300)]
Make BN_num_bits() consttime upon BN_FLG_CONSTTIME

This issue was partially addressed by commit
972c87dfc7e765bd28a4964519c362f0d3a58ca4, which hardened its callee
BN_num_bits_word() to avoid leaking the most-significant word of its
argument via branching and memory access pattern.
The commit message also reported:
> There are a few places where BN_num_bits is called on an input where
> the bit length is also secret. This does *not* fully resolve those
> cases as we still only look at the top word.

BN_num_bits() is called directly or indirectly (e.g., through
BN_num_bytes() or BN_bn2binpad() ) in various parts of the `crypto/ec`
code, notably in all the currently supported implementations of scalar
multiplication (in the generic path through ec_scalar_mul_ladder() as
well as in dedicated methods like ecp_nistp{224,256,521}.c and
ecp_nistz256.c).

Under the right conditions, a motivated SCA attacker could retrieve the
secret bitlength of a secret nonce through this vulnerability,
potentially leading, ultimately, to recover a long-term secret key.

With this commit, exclusively for BIGNUMs that are flagged with
BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of
the BIGNUM are accessed up to bn->dmax and bitwise masking is used to
avoid branching.

Memory access pattern still leaks bn->dmax, the size of the lazily
allocated buffer for representing the BIGNUM, which is inevitable with
the current BIGNUM architecture: reading past bn->dmax would be an
out-of-bound read.
As such, it's the caller responsibility to ensure that bn->dmax does not
leak secret information, by explicitly expanding the internal BIGNUM
buffer to a public value sufficient to avoid any lazy reallocation
while manipulating it: this should be already done at the top level
alongside setting the BN_FLG_CONSTTIME.

Thanks to David Schrammel and Samuel Weiser for reporting this issue
through responsible disclosure.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9793)

16 months agoFix a SCA leak using BN_bn2bin()
Nicola Tuveri [Thu, 1 Aug 2019 22:33:05 +0000 (01:33 +0300)]
Fix a SCA leak using BN_bn2bin()

BN_bn2bin() is not constant-time and leaks the number of bits in the
processed BIGNUM.

The specialized methods in ecp_nistp224.c, ecp_nistp256.c and
ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the
internal fixed length representation.

This can leak during ECDSA/ECDH key generation or handling the nonce
while generating an ECDSA signature, when using these implementations.
The amount and risk of leaked information useful for a SCA attack
varies for each of the three curves, as it depends mainly on the
ratio between the bitlength of the curve subgroup order (governing the
size of the secret nonce/key) and the limb size for the internal BIGNUM
representation (which depends on the compilation target architecture).

To fix this, we replace BN_bn2bin() with bn_bn2binpad(), bounding the
output length to the width of the internal representation buffer: this
length is public.

Internally the final implementation of both bn_bn2binpad() and
BN_bn2bin() already has masking in place to avoid leaking bn->top
through memory access patterns.
Memory access pattern still leaks bn->dmax, the size of the lazily
allocated buffer for representing the BIGNUM, which is inevitable with
the current BIGNUM architecture: reading past bn->dmax would be an
out-of-bound read.
As such, it's the caller responsibility to ensure that bn->dmax does not
leak secret information, by explicitly expanding the internal BIGNUM
buffer to a public value sufficient to avoid any lazy reallocation
while manipulating it: this is already done at the top level alongside
setting the BN_FLG_CONSTTIME.

Finally, the internal implementation of bn_bn2binpad() indirectly calls
BN_num_bits() via BN_num_bytes(): the current implementation of
BN_num_bits() can leak information to a SCA attacker, and is addressed
in the next commit.

Thanks to David Schrammel and Samuel Weiser for reporting this issue
through responsible disclosure.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9793)

16 months agoFix SCA vulnerability when using PVK and MSBLOB key formats
Cesar Pereida Garcia [Mon, 19 Aug 2019 07:33:14 +0000 (10:33 +0300)]
Fix SCA vulnerability when using PVK and MSBLOB key formats

This commit addresses a side-channel vulnerability present when
PVK and MSBLOB key formats are loaded into OpenSSL.
The public key was not computed using a constant-time exponentiation
function.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9638)

17 months agoFix error handling in X509_chain_up_ref
Bernd Edlinger [Fri, 16 Aug 2019 13:32:32 +0000 (15:32 +0200)]
Fix error handling in X509_chain_up_ref

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9615)

17 months agoDocument issue with default installation paths on diverse Windows targets
Richard Levitte [Thu, 25 Jul 2019 10:21:33 +0000 (12:21 +0200)]
Document issue with default installation paths on diverse Windows targets

For all config targets (except VMS, because it has a completely different
set of scripts), '/usr/local/ssl' is the default prefix for installation
of programs and libraries, as well as the path for OpenSSL run-time
configuration.

For programs built to run in a Windows environment, this default is
unsafe, and the user should set a different prefix.  This has been hinted
at in some documentation but not all, and the danger of leaving the
default as is hasn't been documented at all.

This change documents the issue as a caveat lector, and all configuration
examples now include an example --prefix.

CVE-2019-1552

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9456)

18 months agoUse trusty for travis builds
Bernd Edlinger [Sun, 21 Jul 2019 08:41:39 +0000 (10:41 +0200)]
Use trusty for travis builds

this works around build failures due to clang
error: unknown warning option '-Wno-extended-offsetof'

[extended tests]

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9425)

18 months agoAdd value_barriers in constant time select functions
Bernd Edlinger [Fri, 21 Jun 2019 19:26:19 +0000 (21:26 +0200)]
Add value_barriers in constant time select functions

The barriers prevent the compiler from narrowing down the
possible value range of the mask and ~mask in the select
statements, which avoids the recognition of the select
and turning it into a conditional load or branch.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9419)

19 months agoFix a warning about missing prototype on arm
Bernd Edlinger [Thu, 19 Apr 2018 20:17:24 +0000 (22:17 +0200)]
Fix a warning about missing prototype on arm

(cherry picked from commit 5fc89c1af837026b5812526ef6f519bf7ca42f16)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8243)

19 months agoFix building linux-armv4 with --strict-warnings
Bernd Edlinger [Thu, 19 Apr 2018 18:56:46 +0000 (20:56 +0200)]
Fix building linux-armv4 with --strict-warnings

(cherry picked from commit 0e0f8116e247912f5c48f8b3786e543f37fc1f87)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8243)

19 months agoReplace BIO_printf with ASN1_STRING_print in GENERAL_NAME_print
Acheev Bhagat [Fri, 7 Jun 2019 00:05:49 +0000 (20:05 -0400)]
Replace BIO_printf with ASN1_STRING_print in GENERAL_NAME_print

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9101)

19 months agoPrepare for 1.0.2t-dev
Richard Levitte [Tue, 28 May 2019 12:56:42 +0000 (14:56 +0200)]
Prepare for 1.0.2t-dev

Reviewed-by: Matt Caswell <matt@openssl.org>
19 months agoPrepare for 1.0.2s release OpenSSL_1_0_2s
Richard Levitte [Tue, 28 May 2019 12:56:29 +0000 (14:56 +0200)]
Prepare for 1.0.2s release

Reviewed-by: Matt Caswell <matt@openssl.org>
19 months agoUpdate copyright year
Richard Levitte [Tue, 28 May 2019 12:41:38 +0000 (14:41 +0200)]
Update copyright year

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9032)

19 months agoAdd CHANGES for 1.0.2s
Richard Levitte [Mon, 27 May 2019 19:38:00 +0000 (21:38 +0200)]
Add CHANGES for 1.0.2s

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9019)

20 months agoChange default RSA, DSA and DH size to 2048 bit
Kurt Roeckx [Sat, 13 Apr 2019 10:32:48 +0000 (12:32 +0200)]
Change default RSA, DSA and DH size to 2048 bit

Fixes: #8737

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8741
(cherry picked from commit 70b0b977f73cd70e17538af3095d18e0cf59132e)

20 months agoRT 4242: reject invalid EC point coordinates
Emilia Kasper [Fri, 3 Jun 2016 12:42:04 +0000 (14:42 +0200)]
RT 4242: reject invalid EC point coordinates

This is a backport of commit 1e2012b7 to 1.0.2. This hardening change
was made to 1.1.0 but was not backported to 1.0.2. Recent CVEs in user
applications have shown this additional hardening in 1.0.2 would be
beneficial.

E.g. see the patch for CVE-2019-9498
https://w1.fi/security/2019-4/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch

and CVE-2019-9499
https://w1.fi/security/2019-4/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch

The original commit had this description:

We already test in EC_POINT_oct2point that points are on the curve. To
be on the safe side, move this check to
EC_POINT_set_affine_coordinates_* so as to also check point coordinates
received through some other method.

We do not check projective coordinates, though, as
- it's unlikely that applications would be receiving this primarily
  internal representation from untrusted sources, and
- it's possible that the projective setters are used in a setting where
  performance matters.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8750)

21 months agoAdd FIPS support for Android Arm 64-bit
Dr. Matthias St. Pierre [Tue, 9 Apr 2019 13:04:29 +0000 (15:04 +0200)]
Add FIPS support for Android Arm 64-bit

Fixes #2490
Fixes #8711

In commit 6db8e3bdc9e, support for Android Arm 64-bit was added to
the OpenSSL FIPS Object Module. For some reason, the corresponding
target 'android64-aarch64' was missing OpenSSL 1.0.2, whence it
could not be built with FIPS support on Android Arm 64-bit.
This commit adds the missing target.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8713)

21 months agofixed public range check in ec_GF2m_simple_oct2point
Shane Lontis [Wed, 27 Mar 2019 07:38:28 +0000 (17:38 +1000)]
fixed public range check in ec_GF2m_simple_oct2point

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8607)

(cherry picked from commit cad8347be23c5e0c0d9eea02d090d42daf2dd7a9)

22 months agoModify the RSA_private_decrypt functions to check the padding in
Bernd Edlinger [Wed, 20 Mar 2019 21:02:58 +0000 (22:02 +0100)]
Modify the RSA_private_decrypt functions to check the padding in
constant time with a memory access pattern that does not depend
on secret information.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8543)

(cherry picked from commit 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5)

22 months agoMake err_clear_constant_time really constant time
Bernd Edlinger [Wed, 20 Mar 2019 19:01:12 +0000 (20:01 +0100)]
Make err_clear_constant_time really constant time

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8558)

22 months agoClear the point S before freeing in ec_mul_consttime
Bernd Edlinger [Sun, 17 Mar 2019 16:28:24 +0000 (17:28 +0100)]
Clear the point S before freeing in ec_mul_consttime

The secret point R can be recovered from S using the equation R = S - P.
The X and Z coordinates should be sufficient for that.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8505)

(cherry picked from commit 502b871ad4eacc96a31f89d9a9470ca2858da998)

22 months agoClear the secret point in ecdh_compute_key
Bernd Edlinger [Sun, 17 Mar 2019 09:02:07 +0000 (10:02 +0100)]
Clear the secret point in ecdh_compute_key

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8502)

22 months agoFix memory overrun in rsa padding check functions
Bernd Edlinger [Thu, 28 Feb 2019 09:08:18 +0000 (10:08 +0100)]
Fix memory overrun in rsa padding check functions

Backported from d7f5e5ae6d5

Fixes #8364 and #8357

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8438)

22 months agoAvoid an underflow in ecp_nistp521.c
Matt Caswell [Tue, 5 Mar 2019 13:26:45 +0000 (13:26 +0000)]
Avoid an underflow in ecp_nistp521.c

The function felem_diff_128_64 in ecp_nistp521.c substracts the number |in|
from |out| mod p. In order to avoid underflow it first adds 32p mod p
(which is equivalent to 0 mod p) to |out|. The comments and variable naming
suggest that the original author intended to add 64p mod p. In fact it
has been shown that with certain unusual co-ordinates it is possible to
cause an underflow in this function when only adding 32p mod p while
performing a point double operation. By changing this to 64p mod p the
underflow is avoided.

It turns out to be quite difficult to construct points that satisfy the
underflow criteria although this has been done and the underflow
demonstrated. However none of these points are actually on the curve.
Finding points that satisfy the underflow criteria and are also *on* the
curve is considered significantly more difficult. For this reason we do
not believe that this issue is currently practically exploitable and
therefore no CVE has been assigned.

This only impacts builds using the enable-ec_nistp_64_gcc_128 Configure
option.

With thanks to Bo-Yin Yang, Billy Brumley and Dr Liu for their significant
help in investigating this issue.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8405)

(cherry picked from commit 13fbce17fc9f02e2401fc3868f3f8e02d6647e5f)

22 months agoPrepare for 1.0.2s-dev
Matt Caswell [Tue, 26 Feb 2019 14:21:45 +0000 (14:21 +0000)]
Prepare for 1.0.2s-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>
22 months agoPrepare for 1.0.2r release OpenSSL_1_0_2r
Matt Caswell [Tue, 26 Feb 2019 14:20:55 +0000 (14:20 +0000)]
Prepare for 1.0.2r release

Reviewed-by: Richard Levitte <levitte@openssl.org>
22 months agoUpdates CHANGES and NEWS for the new release
Matt Caswell [Tue, 26 Feb 2019 10:21:24 +0000 (10:21 +0000)]
Updates CHANGES and NEWS for the new release

Reviewed-by: Richard Levitte <levitte@openssl.org>
22 months agoClarify that SSL_shutdown() must not be called after a fatal error
Matt Caswell [Wed, 20 Feb 2019 14:21:36 +0000 (14:21 +0000)]
Clarify that SSL_shutdown() must not be called after a fatal error

Follow on from CVE-2019-1559

Reviewed-by: Richard Levitte <levitte@openssl.org>
22 months agoGo into the error state if a fatal alert is sent or received
Matt Caswell [Fri, 14 Dec 2018 07:28:30 +0000 (07:28 +0000)]
Go into the error state if a fatal alert is sent or received

If an application calls SSL_shutdown after a fatal alert has occured and
then behaves different based on error codes from that function then the
application may be vulnerable to a padding oracle.

CVE-2019-1559

Reviewed-by: Richard Levitte <levitte@openssl.org>
22 months agoUpdate copyright year
Matt Caswell [Tue, 26 Feb 2019 14:07:28 +0000 (14:07 +0000)]
Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8348)

22 months agoEnsure bn_cmp_words can handle the case where n == 0
Matt Caswell [Mon, 25 Feb 2019 11:28:32 +0000 (11:28 +0000)]
Ensure bn_cmp_words can handle the case where n == 0

Thanks to David Benjamin who reported this, performed the analysis and
suggested the patch. I have incorporated some of his analysis in the
comments below.

This issue can cause an out-of-bounds read. It is believed that this was
not reachable until the recent "fixed top" changes. Analysis has so far
only identified one code path that can encounter this - although it is
possible that others may be found. The one code path only impacts 1.0.2 in
certain builds. The fuzzer found a path in RSA where iqmp is too large. If
the input is all zeros, the RSA CRT logic will multiply a padded zero by
iqmp. Two mitigating factors:

- Private keys which trip this are invalid (iqmp is not reduced mod p).
Only systems which take untrusted private keys care.
- In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp,
so the bug is only reproducible in 1.0.2 so far.

Fortunately, the bug appears to be relatively harmless. The consequences of
bn_cmp_word's misbehavior are:

- OpenSSL may crash if the buffers are page-aligned and the previous page is
non-existent.
- OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they
are equal.
- Side channel concerns.

The first is indeed a concern and is a DoS bug. The second is fine in this
context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1)
in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or
a1 - a0. The third would be worth thinking about, but it is overshadowed
by the entire Karatsuba implementation not being constant time.

Due to the difficulty of tripping this and the low impact no CVE is felt
necessary for this issue.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8326)

(cherry picked from commit 576129cd72ae054d246221f111aabf42b9c6d76d)

22 months agoClear BN_FLG_CONSTTIME on BN_CTX_get()
Nicola Tuveri [Fri, 8 Feb 2019 10:42:25 +0000 (12:42 +0200)]
Clear BN_FLG_CONSTTIME on BN_CTX_get()

(cherry picked from commit c8147d37ccaaf28c430d3fb45a14af36597e48b8)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8295)

22 months agoTest for constant-time flag leakage in BN_CTX
Nicola Tuveri [Mon, 11 Feb 2019 22:37:25 +0000 (00:37 +0200)]
Test for constant-time flag leakage in BN_CTX

This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:

- test_ctx_consttime_flag() initializes (and later frees before
  returning) a BN_CTX object, then it calls in sequence
  test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
  BN_CTX object.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
  BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
  before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
  BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
  frame should have BN_FLG_CONSTTIME set.

In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.

This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.

(manually cherry picked from commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8295)

23 months agoMove stray POD file into the fold
Richard Levitte [Mon, 18 Feb 2019 20:47:33 +0000 (21:47 +0100)]
Move stray POD file into the fold

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8273)

23 months agocygwin: drop explicit O_TEXT
Corinna Vinschen [Fri, 15 Feb 2019 11:22:07 +0000 (12:22 +0100)]
cygwin: drop explicit O_TEXT

Cygwin binaries should not enforce text mode these days, just
use text mode if the underlying mount point requests it

CLA: trivial

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8249)

2 years agotest/evp_test.c: use EVP_DecryptUpdate when decrypting, even for AAD
Richard Levitte [Wed, 12 Dec 2018 10:22:52 +0000 (11:22 +0100)]
test/evp_test.c: use EVP_DecryptUpdate when decrypting, even for AAD

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7856)

2 years agomake update
Richard Levitte [Mon, 10 Dec 2018 09:23:01 +0000 (10:23 +0100)]
make update

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7856)

2 years agoPrevent calling decryption in an encryption context and vice versa
Richard Levitte [Mon, 10 Dec 2018 09:18:10 +0000 (10:18 +0100)]
Prevent calling decryption in an encryption context and vice versa

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7856)

2 years agomake update
Matt Caswell [Wed, 2 Jan 2019 17:05:27 +0000 (17:05 +0000)]
make update

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7974)

2 years agoMakefile.org: prevent .bak files to become part of the tarball
Richard Levitte [Sat, 15 Dec 2018 10:06:00 +0000 (11:06 +0100)]
Makefile.org: prevent .bak files to become part of the tarball

Fixes #7903

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7910)

2 years agodoc/man3: remove copy&paste leftover
Dr. Matthias St. Pierre [Wed, 12 Dec 2018 06:38:07 +0000 (07:38 +0100)]
doc/man3: remove copy&paste leftover

Fixes #7883

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7884)

(cherry picked from commit 00eb879f74971e3c048286ef44f6f544676f90d7)

2 years agoFixed typo (vi leftover).
Tobias Stoeckmann [Tue, 11 Dec 2018 19:34:21 +0000 (20:34 +0100)]
Fixed typo (vi leftover).

There was a trailing :w at a line, which didn't make sense in context
of the sentence/styling. Removed it, because I think it's a leftover
vi command.

CLA: trivial
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7875)

(cherry picked from commit 143b631639f95822e5e00768254fa35c787f6396)

2 years agoMake EVP_PKEY_asn1_add0() stricter about its input
Richard Levitte [Fri, 7 Dec 2018 08:26:04 +0000 (09:26 +0100)]
Make EVP_PKEY_asn1_add0() stricter about its input

It turns out that the strictness that was implemented in
EVP_PKEY_asn1_new() (see Github openssl/openssl#6880) was badly placed
for some usages, and that it's better to do this check only when the
method is getting registered.

Fixes #7758

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7847)

(cherry picked from commit a86003162138031137727147c9b642d99db434b1)

2 years agorsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time.
Andy Polyakov [Fri, 14 Sep 2018 15:24:13 +0000 (17:24 +0200)]
rsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time.

Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
if nul delimiter is preceded by 8 consecutive 0x03 bytes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 603221407ddc6404f8c417c6beadebf84449074c)

Resolved conflicts:
crypto/rsa/rsa_ssl.c

(Merged from https://github.com/openssl/openssl/pull/7737)

2 years agorsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP.
Andy Polyakov [Thu, 6 Sep 2018 19:54:23 +0000 (21:54 +0200)]
rsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP.

And make RSAErr call unconditional.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 75f5e944be97f28867e7c489823c889d89d0bd06)

Resolved conflicts:
crypto/rsa/rsa_oaep.c

(Merged from https://github.com/openssl/openssl/pull/7737)

2 years agorsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.
Andy Polyakov [Sat, 1 Sep 2018 10:00:33 +0000 (12:00 +0200)]
rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.

And make RSAErr call unconditional.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c)

Resolved conflicts:
crypto/rsa/rsa_pk1.c

(Merged from https://github.com/openssl/openssl/pull/7737)

2 years agorsa/rsa_eay.c: make RSAerr call in rsa_ossl_private_decrypt unconditional.
Andy Polyakov [Fri, 30 Nov 2018 20:07:18 +0000 (21:07 +0100)]
rsa/rsa_eay.c: make RSAerr call in rsa_ossl_private_decrypt unconditional.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 89072e0c2a483f2ad678e723e112712567b0ceb1)

(Merged from https://github.com/openssl/openssl/pull/7737)

2 years agoerr/err.c: add err_clear_last_constant_time.
Andy Polyakov [Sat, 1 Sep 2018 10:19:30 +0000 (12:19 +0200)]
err/err.c: add err_clear_last_constant_time.

Expected usage pattern is to unconditionally set error and then
wipe it if there was no actual error.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit f658a3b64d8750642f4975090740865f770c2a1b)

Resolved conflicts:
crypto/err/err.c
crypto/constant_time_locl.h

(Merged from https://github.com/openssl/openssl/pull/7737)

2 years agoDocs fixup: some man3 pages had unindented code in SYNOPSIS
Richard Levitte [Mon, 3 Dec 2018 09:57:01 +0000 (10:57 +0100)]
Docs fixup: some man3 pages had unindented code in SYNOPSIS

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7744)

(cherry picked from commit 7b4a3515a4ddb567d48000e61d7cb640d0c5f261)

2 years agoHonour mandatory digest on private key in tls1_process_sigalgs()
David Woodhouse [Tue, 16 Oct 2018 14:59:46 +0000 (07:59 -0700)]
Honour mandatory digest on private key in tls1_process_sigalgs()

If the private key says it can only support one specific digest, then
don't ask it to perform a different one.

Fixes: #7348

(cherry picked from commit 2d263a4a73f852005b16359873475d48755999ad
 and reworked for 1.0.2)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7610)

2 years agoStop marking default digest for EC keys as mandatory
David Woodhouse [Tue, 16 Oct 2018 14:41:17 +0000 (07:41 -0700)]
Stop marking default digest for EC keys as mandatory

ASN1_PKEY_CTRL_DEFAULT_MD_NID is documented to return 2 for a mandatory
digest algorithm, when the key can't support any others. That isn't true
here, so return 1 instead.

Partially fixes #7348

(cherry picked from commit eb7eb1378cd15c4652884b3701d4c0ef27b5b8a6)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7610)

2 years agorsa/rsa_eay.c: cache MONT_CTX for public modulus earlier.
Andy Polyakov [Wed, 7 Nov 2018 21:07:22 +0000 (22:07 +0100)]
rsa/rsa_eay.c: cache MONT_CTX for public modulus earlier.

Blinding is performed more efficiently and securely if MONT_CTX for public
modulus is available by the time blinding parameter are instantiated. So
make sure it's the case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(manually cherry picked from commit 2cc3f68cde77af23c61fbad65470602ee86f2575)

(Merged from https://github.com/openssl/openssl/pull/7586)

2 years agoVMS: ensure x509_time_test is built
Richard Levitte [Thu, 22 Nov 2018 10:05:31 +0000 (11:05 +0100)]
VMS: ensure x509_time_test is built

A lacking DCL variable to indicate where it's located was missing.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7685)

2 years agoPrepare for 1.0.2r-dev
Matt Caswell [Tue, 20 Nov 2018 13:46:11 +0000 (13:46 +0000)]
Prepare for 1.0.2r-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>
2 years agoPrepare for 1.0.2q release OpenSSL_1_0_2q
Matt Caswell [Tue, 20 Nov 2018 13:45:20 +0000 (13:45 +0000)]
Prepare for 1.0.2q release

Reviewed-by: Richard Levitte <levitte@openssl.org>
2 years agomake update
Matt Caswell [Tue, 20 Nov 2018 13:45:20 +0000 (13:45 +0000)]
make update

Reviewed-by: Richard Levitte <levitte@openssl.org>
2 years agoUpdate copyright year
Matt Caswell [Tue, 20 Nov 2018 13:23:36 +0000 (13:23 +0000)]
Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7671)

2 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Tue, 20 Nov 2018 10:52:53 +0000 (10:52 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7667)

2 years agoVMS: ensure crypto/getenv.c is included in the build
Richard Levitte [Tue, 20 Nov 2018 11:11:38 +0000 (12:11 +0100)]
VMS: ensure crypto/getenv.c is included in the build

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7665)

2 years agoDSA: Check for sanity of input parameters
Vitezslav Cizek [Thu, 25 Oct 2018 11:53:26 +0000 (13:53 +0200)]
DSA: Check for sanity of input parameters

dsa_builtin_paramgen2 expects the L parameter to be greater than N,
otherwise the generation will get stuck in an infinite loop.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(cherry picked from commit 3afd38b277a806b901e039c6ad281c5e5c97ef67)

(Merged from https://github.com/openssl/openssl/pull/7493)

2 years agoCVE-2018-5407 fix: ECC ladder
Billy Brumley [Thu, 8 Nov 2018 11:57:54 +0000 (13:57 +0200)]
CVE-2018-5407 fix: ECC ladder

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7593)

2 years agoFix 'no-ecdh' build
Dr. Matthias St. Pierre [Fri, 9 Nov 2018 20:37:38 +0000 (21:37 +0100)]
Fix 'no-ecdh' build

Fixes #3302

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7606)

2 years agoProperly handle duplicated messages from the next epoch
Matt Caswell [Tue, 16 Oct 2018 16:08:11 +0000 (17:08 +0100)]
Properly handle duplicated messages from the next epoch

Since 3884b47b7c we may attempt to buffer a record from the next epoch
that has already been buffered. Prior to that this never occurred.

We simply ignore a failure to buffer a duplicated record.

Fixes #6902

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7415)

2 years agoAdd a constant time flag to one of the bignums to avoid a timing leak.
Pauli [Wed, 31 Oct 2018 22:44:11 +0000 (08:44 +1000)]
Add a constant time flag to one of the bignums to avoid a timing leak.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7549)

(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)

2 years agoMerge to 1.0.2: DSA mod inverse fix.
Pauli [Sun, 28 Oct 2018 21:18:09 +0000 (07:18 +1000)]
Merge to 1.0.2: DSA mod inverse fix.

There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm. This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.

Thanks to Samuel Weiser for finding and reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7512)

2 years agoMerge DSA reallocation timing fix CVE-2018-0734.
Pauli [Sun, 28 Oct 2018 22:24:22 +0000 (08:24 +1000)]
Merge DSA reallocation timing fix CVE-2018-0734.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7513)

2 years agomd_rand.c: don't stop polling until properly initialized
Dr. Matthias St. Pierre [Thu, 18 Oct 2018 21:17:46 +0000 (23:17 +0200)]
md_rand.c: don't stop polling until properly initialized

Previously, the RNG sets `initialized=1` after the first call to
RAND_poll(), although its criterion for being initialized actually
is whether condition `entropy >= ENTROPY_NEEDED` is true.

This commit now assigns `initialized=(entropy >= ENTROPY_NEEDED)`,
which has the effect that on the next call, RAND_poll() will be
called again, if it previously failed to obtain enough entropy.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7439)

2 years agoApply self-imposed path length also to root CAs
Viktor Dukhovni [Mon, 8 Oct 2018 16:05:14 +0000 (12:05 -0400)]
Apply self-imposed path length also to root CAs

Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf).  Therefore, never count the EE
cert, and adjust the path length comparison accordinly.  This may
be more clear to the reader.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6)

2 years agoOnly CA certificates can be self-issued
Viktor Dukhovni [Fri, 5 Oct 2018 03:53:01 +0000 (23:53 -0400)]
Only CA certificates can be self-issued

At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:

   This specification covers two classes of certificates: CA
   certificates and end entity certificates.  CA certificates may be
   further divided into three classes: cross-certificates, self-issued
   certificates, and self-signed certificates.  Cross-certificates are
   CA certificates in which the issuer and subject are different
   entities.  Cross-certificates describe a trust relationship between
   the two CAs.  Self-issued certificates are CA certificates in which
   the issuer and subject are the same entity.  Self-issued certificates
   are generated to support changes in policy or operations.  Self-
   signed certificates are self-issued certificates where the digital
   signature may be verified by the public key bound into the
   certificate.  Self-signed certificates are used to convey a public
   key for use to begin certification paths.  End entity certificates
   are issued to subjects that are not authorized to issue certificates.

that the term "self-issued" is only applicable to CAs, not end-entity
certificates.  In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:

   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section 4.2.1.3).  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.  (Note: The
   last certificate in the certification path is not an intermediate
   certificate, and is not included in this limit.  Usually, the last
   certificate is an end entity certificate, but it can be a CA
   certificate.)

This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates.  A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count.  The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)

2 years agorsa/rsa_ossl.c: fix and extend commentary [skip ci].
Andy Polyakov [Wed, 5 Sep 2018 12:33:21 +0000 (14:33 +0200)]
rsa/rsa_ossl.c: fix and extend commentary [skip ci].

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7123)

(cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849)

2 years agoutil/domd: omit superfluous shift in -MD handling.
Andy Polyakov [Sun, 23 Sep 2018 14:38:11 +0000 (16:38 +0200)]
util/domd: omit superfluous shift in -MD handling.

While reviewing last modification in GH#6261 Richard actually spotted
the inconsistency, but withdrew the remark, correct one in aftermath...

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7298)

2 years agoAccess `group->mont_data` conditionally in EC_GROUP_set_generator()
Nicola Tuveri [Thu, 6 Sep 2018 21:44:36 +0000 (00:44 +0300)]
Access `group->mont_data` conditionally in EC_GROUP_set_generator()

It appears that, in FIPS mode, `ec_precompute_mont_data()` always failed
but the error was ignored until commit e3ab8cc from #6810.

The actual problem lies in the fact that access to the `mont_data` field
of an `EC_GROUP` struct should always be guarded by an
`EC_GROUP_VERSION(group)` check to avoid OOB accesses, because `group`
might come from the FIPS module, which does not define the `mont_data`
field inside the EC_GROUP structure.

This commit adds the required check before any access to
`group->mont_data` in `EC_GROUP_set_generator()`.

Fixes #7127

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7135)

2 years agoMerge 1.0.2 setuid calls to getenv(3) safety.
Pauli [Mon, 24 Sep 2018 04:06:45 +0000 (14:06 +1000)]
Merge 1.0.2 setuid calls to getenv(3) safety.

Manual merge of #7047 to 1.0.2-stable.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7300)

2 years agoUse gethostbyname_r if available
Manikantan Subramanian [Tue, 18 Sep 2018 01:54:13 +0000 (18:54 -0700)]
Use gethostbyname_r if available

Fixes #7228

The function BIO_get_host_ip uses gethostbyname, which is not thread safe
and hence we grab a lock. In multi-threaded applications, this lock sometimes
causes performance bottlenecks.
This patch uses the function gethostbyname_r (thread safe version), when
available.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7250)

2 years agoDocument OPENSSL_VERSION_TEXT macro
Daniel Bevenius [Mon, 24 Sep 2018 06:43:35 +0000 (08:43 +0200)]
Document OPENSSL_VERSION_TEXT macro

This commit documents the OPENSSL_VERSION_TEXT which is currently
missing in the man page.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7301)

(cherry picked from commit 7c69495712e3dc9aa8db38271f0c3faeb2037165)

2 years agocrypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG
Richard Levitte [Fri, 21 Sep 2018 09:11:15 +0000 (11:11 +0200)]
crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG

This module includes bn.h via other headers, so it picks up the
definition from there and doesn't need to define them locally (any
more?).  Worst case scenario, the redefinition may be different and
cause all sorts of compile errors.

Fixes #7227

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7287)

(cherry picked from commit dda5396aaec315bdbcb080e42fb5cd0191f2ad72)

2 years agodrbg_get_entropy: force a reseed before calling ssleay_rand_bytes()
Dr. Matthias St. Pierre [Mon, 17 Sep 2018 15:50:54 +0000 (17:50 +0200)]
drbg_get_entropy: force a reseed before calling ssleay_rand_bytes()

Fixes #7240

In FIPS mode, the default FIPS DRBG uses the drbg_get_entropy()
callback to reseed itself, which is provided by the wrapping
libcrypto library. This callback in turn uses ssleay_rand_bytes()
to generate random bytes.

Now ssleay_rand_bytes() calls RAND_poll() once on first call to
seed itself, but RAND_poll() is never called again (unless the
application calls RAND_poll() explicitely). This implies that
whenever the DRBG reseeds itself (which happens every 2^14
generate requests) this happens without obtaining fresh random
data from the operating system's entropy sources.

This patch forces a reseed from system entropy sources on every
call to drbg_get_entropy(). In contrary to the automatic reseeding
of the DRBG in master, this reseeding does not break applications
running in a chroot() environment (see c7504aeb640a), because the
SSLEAY PRNG does not maintain an error state. (It does not even
check the return value of RAND_poll() on its instantiation.)

In the worst case, if no random device is available for reseeding,
no fresh entropy will be added to the SSLEAY PRNG but it will happily
continue to generate random bytes as 'entropy' input for the DRBG's
reseeding, which is just as good (or bad) as before this patch.

To prevent ssleay_rand_bytes_from_system() (and hence RAND_poll())
from being called twice during instantiation, a separate
drbg_get_nonce() callback has been introduced, which is identical
with the previous implementation of drbg_get_entropy().

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/7259)

2 years agocrypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too
Richard Levitte [Wed, 19 Sep 2018 19:33:45 +0000 (21:33 +0200)]
crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too

These both indicate that the file descriptor we're trying to use as a
terminal isn't, in fact, a terminal.

Fixes #7271

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7272)

(cherry picked from commit 276bf8620ce35a613c856f2b70348f65ffe94067)
(cherry picked from commit ad1730359220cef5903d16c7f58b602fc3713414)

2 years agoMake the config script fail with an error code if Configure failed
Bernd Edlinger [Mon, 10 Sep 2018 12:18:23 +0000 (14:18 +0200)]
Make the config script fail with an error code if Configure failed

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7166)

(cherry picked from commit e13dc23cc0fd64c304c25a67d5fa516a77f9e8f1)

2 years agoCAPI engine: add support for RSA_NO_PADDING
Richard Levitte [Thu, 6 Sep 2018 07:35:39 +0000 (09:35 +0200)]
CAPI engine: add support for RSA_NO_PADDING

Since the SSL code started using RSA_NO_PADDING, the CAPI engine became
unusable.  This change fixes that.

Fixes #7131

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7132)

2 years agoCheck the return value from ASN1_INTEGER_set
Matt Caswell [Mon, 10 Sep 2018 15:23:14 +0000 (16:23 +0100)]
Check the return value from ASN1_INTEGER_set

Found by Coverity

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7169)

(cherry picked from commit 512d811719fc955f574090af4c3586a9aba46fa7)

2 years agoopenssl req: don't try to report bits
Richard Levitte [Mon, 3 Sep 2018 11:17:03 +0000 (13:17 +0200)]
openssl req: don't try to report bits

With the introduction of -pkeyopt, the number of bits may change
without |newkey| being updated.  Unfortunately, there is no API to
retrieve the information from a EVP_PKEY_CTX either, so chances are
that we report incorrect information.  For the moment, it's better not
to try to report the number of bits at all.

Fixes #7086

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7096)

(cherry picked from commit 17147181bd3f97c53592e2a5c9319b854b954039)

2 years agoVMS: add missing x509_time test to test scripts
Richard Levitte [Tue, 4 Sep 2018 10:05:39 +0000 (12:05 +0200)]
VMS: add missing x509_time test to test scripts

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7112)

2 years agoClarify the EVP_DigestSignInit docs
Matt Caswell [Thu, 23 Aug 2018 10:37:22 +0000 (11:37 +0100)]
Clarify the EVP_DigestSignInit docs

They did not make it clear how the memory management works for the |pctx|
parameter.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7043)

2 years agoFix example in crl(1) man page
Jakub Wilk [Mon, 3 Sep 2018 09:09:51 +0000 (11:09 +0200)]
Fix example in crl(1) man page

The default input format is PEM, so explicit "-inform DER" is needed to
read DER-encoded CRL.

CLA: trivial

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7094)

(cherry picked from commit 785e614a95a134831f213749332bcf40c4920f69)
(cherry picked from commit e25fc6b5b2b99ed02f8966192c94c820b6f69add)

2 years agoThe req documentation incorrectly states that we default to md5
Matt Caswell [Thu, 9 Aug 2018 15:25:29 +0000 (16:25 +0100)]
The req documentation incorrectly states that we default to md5

Just remove that statement. It's not been true since 2005.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/6906)

2 years agoCheck the return from BN_sub() in BN_X931_generate_Xpq().
Pauli [Sun, 2 Sep 2018 21:37:38 +0000 (07:37 +1000)]
Check the return from BN_sub() in BN_X931_generate_Xpq().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7088)

(cherry picked from commit 6bcfcf16bf6aef4f9ec267d8b86ae1bffd8deab9)

2 years agoRemove redundant ASN1_INTEGER_set call
Eric Brown [Thu, 16 Aug 2018 15:34:39 +0000 (08:34 -0700)]
Remove redundant ASN1_INTEGER_set call

This trivial patch removes a duplicated call to ASN1_INTEGER_set.

Fixes Issue #6977

Signed-off-by: Eric Brown <browne@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6984)

(cherry picked from commit 59701e6363531cddef5b2114c0127b8453deb1f3)

2 years agobn/bn_lib.c: conceal even memmory access pattern in bn2binpad.
Andy Polyakov [Wed, 15 Aug 2018 13:46:35 +0000 (15:46 +0200)]
bn/bn_lib.c: conceal even memmory access pattern in bn2binpad.

(cherry picked from commit 324b95605225410763fe63f7cff36eb46ca54ee9)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6942)

2 years agobn/bn_blind.c: use Montgomery multiplication when possible.
Andy Polyakov [Mon, 13 Aug 2018 14:59:08 +0000 (16:59 +0200)]
bn/bn_blind.c: use Montgomery multiplication when possible.

(cherry picked from commit e02c519cd32a55e6ad39a0cfbeeda775f9115f28)

Resolved conflicts:
crypto/bn/bn_blind.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6942)

2 years agorsa/rsa_eay.c: implement variant of "Smooth CRT-RSA."
Andy Polyakov [Mon, 13 Aug 2018 18:20:28 +0000 (20:20 +0200)]
rsa/rsa_eay.c: implement variant of "Smooth CRT-RSA."

In [most common] case of p and q being of same width, it's possible to
replace CRT modulo operations with Montgomery reductions. And those are
even fixed-length Montgomery reductions...

(cherry picked from commit 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59)

Resolved conflicts:
crypto/rsa/rsa_eay.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6942)

2 years agocrypto/bn: add more fixed-top routines.
Andy Polyakov [Fri, 10 Aug 2018 17:31:22 +0000 (19:31 +0200)]
crypto/bn: add more fixed-top routines.

Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top.
Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove
memset in bn_from_montgomery_word.

(cherry picked from commit fcc4ee09473cac511eca90faa003661c7786e4f9)

Resolved conflicts:
crypto/bn/bn_mod.c
crypto/bn_int.h

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6942)

2 years agodocument the -no_ecdhe option in s_server man page
Hubert Kario [Mon, 27 Aug 2018 13:21:18 +0000 (21:21 +0800)]
document the -no_ecdhe option in s_server man page

the option is provided in the -help message of the s_server utility
but it is not documented in the man page, this fixes it

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7046)

2 years agox509v3/v3_purp.c: resolve Thread Sanitizer nit.
Andy Polyakov [Sun, 29 Jul 2018 12:13:32 +0000 (14:13 +0200)]
x509v3/v3_purp.c: resolve Thread Sanitizer nit.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6916)

(cherry picked from commit 0da7358b0757fa35f2c3a8f51fa036466ae50fd7)

Resolved conflicts:
crypto/x509v3/v3_purp.c