Age | Commit message (Collapse) | Author |
|
CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 680b9d45b005c2d0a48fd574db903bf4486b49ae)
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6823)
(cherry picked from commit 3d3cbce550ff5d6172cf28dbbf80bda93f6577a9)
|
|
Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the
BN instead of doing it separately.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6821)
(cherry picked from commit 35c9408108f3608eb572acd7f64a93cf4f43f4f6)
|
|
FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.
Fixes: #6748
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)
(cherry picked from commit 665d9d1c0655d6f709c99e1211c1e11fcebfeecd)
|
|
Problem was that Windows threads that were terminating before libcrypto
was initialized were referencing uninitialized or possibly even
unrelated thread local storage index.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6799)
(cherry picked from commit 80ae7285e1994d35c84519bf9e038b11d9942875)
Resolved conflicts:
crypto/init.c
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6799)
(cherry picked from commit b86d57bb0b23253c720db38ab18ca97cb888f701)
Resolved conflicts:
crypto/cryptlib.c
|
|
New implementation failed to correctly reset r->neg flag. Spotted by
OSSFuzz.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)
(cherry picked from commit 70a579ae2f37437a1e02331eeaa84e1b68ba021e)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)
(cherry picked from commit 37132c9702328940a99b1307f742ab094ef754a7)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)
(cherry picked from commit fff7a0dcf6e3135c7f93e6cb5fb35e37dd0b384d)
|
|
Originally suggested solution for "Return Of the Hidden Number Problem"
is arguably too expensive. While it has marginal impact on slower
curves, none to ~6%, optimized implementations suffer real penalties.
Most notably sign with P-256 went more than 2 times[!] slower. Instead,
just implement constant-time BN_mod_add_quick.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6796)
(cherry picked from commit 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f)
Resolved conflicts:
crypto/ec/ecdsa_ossl.c
|
|
Note that exported functions maintain original behaviour, so that
external callers won't observe difference. While internally we can
now perform Montogomery multiplication on fixed-length vectors, fixed
at modulus size. The new functions, bn_to_mont_fixed_top and
bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use
them even outside bn, e.g. in RSA, DSA, ECDSA...
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6707)
(cherry picked from commit 71883868ea5b33416ae8283bcc38dd2d97e5006b)
Resolved conflicts:
crypto/bn/bn_exp.c
crypto/bn/bn_mont.c
crypto/include/internal/bn_int.h
|
|
The new flag marks vectors that were not treated with bn_correct_top,
in other words such vectors are permitted to be zero padded. For now
it's BN_DEBUG-only flag, as initial use case for zero-padded vectors
would be controlled Montgomery multiplication/exponentiation, not
general purpose. For general purpose use another type might be more
appropriate. Advantage of this suggestion is that it's possible to
back-port it...
bn/bn_div.c: fix memory sanitizer problem.
bn/bn_sqr.c: harmonize with BN_mul.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6707)
(cherry picked from commit 305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb)
Resolved conflicts:
crypto/bn/bn_lcl.h
|
|
Thanks to Jiecheng Wu, Zuxing Gu for the report.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6791)
(cherry picked from commit 037241bf046be8cfc7e9216959393dd20b06fc21)
|
|
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)
(cherry picked from commit 9e4a1c3f65863b0175ddc534e232e63c4f82ea5c)
|
|
ecp_nistz256_set_from_affine is called when application attempts to use
custom generator, i.e. rarely. Even though it was wrong, it didn't
affect point operations, they were just not as fast as expected.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
(cherry picked from commit 8fc4aeb9521270ac74b29ce7f569939b0b39e685)
|
|
The ecp_nistz256_scatter_w7 function is called when application
attempts to use custom generator, i.e. rarely. Even though non-x86_64
versions were wrong, it didn't affect point operations, they were just
not as fast as expected.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
(cherry picked from commit 87a75b3e5c04a1696208c279f32d1114b862cfed)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
(cherry picked from commit f40e0a342cbca8bb71d0fe3f19e1b4bfd853aff1)
|
|
As per RFC 7292.
Fixes #6665
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6708)
(cherry picked from commit b709babbca0498cd2b05f543b09f57f4a670298e)
|
|
It was false positive, but one can as well view it as readability issue.
Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions
with signed dividend vs. 1 (one) with unsigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 83e034379fa3f6f0d308ec75fbcb137e26154aec)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5254)
(cherry picked from commit 582ad5d4d9b7703eb089016935133e3a18ea8205)
|
|
"Computationally constant-time" means that it might still leak
information about input's length, but only in cases when input
is missing complete BN_ULONG limbs. But even then leak is possible
only if attacker can observe memory access pattern with limb
granularity.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5254)
(cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)
(cherry picked from commit 6c90182a5f87af1a1e462536e7123ad2afb84c43)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)
(cherry picked from commit 3c97e4121ecec20cfac433883cd4709580a05620)
|
|
Trouble is that addition is postponing expansion till carry is
calculated, and if addition carries, top word can be zero, which
triggers assertion in bn_check_top.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)
(cherry picked from commit e42395e637c3507b80b25c7ed63236898822d2f1)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6615)
(cherry picked from commit ce5eb5e8149d8d03660575f4b8504c993851988a)
|
|
Fixes uninitialized memory read reported by Nick Mathewson
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6603)
(cherry picked from commit 10c3c1c1ec41ce16e51b92bb18fab92d1a42b49c)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6581)
(cherry picked from commit dc6c374bdb4872f6d5d727e73a2ed834e972842c)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2e51557bc93f90ca2274230b042acb53cc3a268d)
|
|
(cherry picked from commit 01fd5df77d401c87f926552ec24c0a09e5735006)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)
|
|
Triggered by Coverity analysis.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7d859d1c8868b81c5d810021af0b40f355af4e1f)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)
|
|
This extends the recently added ECDSA signature blinding to blind DSA too.
This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.
Normally, as in ECDSA, during signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6523)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit 575045f59fc393abc9d49604d82ccd17c82925fa)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit 27635a4ecb1bc4852ccf456a9374a68931dc330f)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit b55e21b357902959ae8ec0255952402f5ccaa515)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit 9e97f61dec312084abe03226e5c962d818c9fc2b)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 693be9a2cb0fc79fe856259feea54772c18a3637)
(Merged from https://github.com/openssl/openssl/pull/5750)
|
|
Prevent a possible recursion in ERR_get_state and fix the problem that
was pointed out in commit aef84bb4efbddfd95d042f3f5f1d362ed7d4faeb
differently.
Fixes: #6493
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6494)
|
|
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
CVE-2018-0732
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6457)
|
|
This module is used only with odd input lengths, i.e. not used in normal
PKI cases, on contemporary processors. The problem was "illuminated" by
fuzzing tests.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6440)
(cherry picked from commit f55ef97b5c0f8559f393b72ebd4b2de32ad6d231)
|
|
Upon a call to CRYPTO_ocb128_setiv, either directly on an OCB_CTX or
indirectly with EVP_CTRL_AEAD_SET_IVLEN, reset the nonce-dependent
variables in the OCB_CTX.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6420)
(cherry picked from commit bbb02a5b6d27f76931c3385321b2c594781c7a1b)
|
|
Just because an engine implements algorithm methods, that doesn't mean
it also implements the ASN1 method. Therefore, be careful when looking
for an ASN1 method among all engines, don't try to use one that doesn't
exist.
Fixes #6381
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6383)
(cherry picked from commit 1ac3cd6277f880fac4df313702d5e3b3814e56e2)
|
|
OpenSSL 1.1.0 made the X509_LOOKUP_METHOD structure opaque, so
applications that were previously able to define a custom lookup method
are not able to be ported.
This commit adds getters and setters for each of the current fields of
X509_LOOKUP_METHOD, along with getters and setters on several associated
opaque types (such as X509_LOOKUP and X509_OBJECT).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6152)
(cherry picked from commit 0124f32a01b2b4f4f7146f226b6a9dfe227c4008)
|
|
Thanks to Guido Vranken and OSSFuzz for finding this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6355)
(cherry picked from commit 4aa5b725d549b3ebc3a4f2f1c44e44a11f68752b)
|
|
TlsGetValue clears the last error even on success, so that callers may
distinguish it successfully returning NULL or failing. This error-mangling
behavior interferes with the caller's use of GetLastError. In particular
SSL_get_error queries the error queue to determine whether the caller should
look at the OS's errors. To avoid destroying state, save and restore the
Windows error.
Fixes #6299.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2de108dfa343c3e06eb98beb122cd06306bb12fd)
(Merged from https://github.com/openssl/openssl/pull/6349)
|
|
We check that the curve name associated with the point is the same as that
for the curve.
Fixes #6302
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6323)
(cherry picked from commit b14e60155009f4f1d168e220fa01cd2b75557b72)
|
|
Only check the CN against DNS name contraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.
Add pertinent documentation, and touch up some stale text about
name checks and DANE.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.
Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names. Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label. In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
If the lengths of both names is 0 then don't attempt to do a memcmp.
Issue reported by Simon Friedberger, Robert Merget and Juraj Somorovsky.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6291)
(cherry picked from commit 511190b691183a1fb160e7e05e2974dc73cab0c6)
|
|
A previous change of this function introduced a fragility when the
destination happens to be the same as the source. Such alias isn't
recommended, but could still happen, for example in this kind of code:
X509_NAME *subject = X509_get_issuer_name(x);
/* ... some code passes ... */
X509_set_issuer_name(x, subject);
Fixes #4710
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6280)
(cherry picked from commit c1c1783d45a5e91951e6328a820939d0256c841c)
|