Bernd Edlinger [Fri, 13 Sep 2019 07:24:53 +0000 (09:24 +0200)]
Add a minimal linux build target for Travis
[extended tests]
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9888)
Bernd Edlinger [Fri, 13 Sep 2019 07:05:08 +0000 (09:05 +0200)]
Add a minimal windows build config for AppVeyor
[extended tests]
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9886)
Bernd Edlinger [Mon, 9 Sep 2019 17:12:25 +0000 (19:12 +0200)]
Fix potential memory leaks with BN_to_ASN1_INTEGER
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9833)
(cherry picked from commit
f28bc7d386b25fb75625d0c62c6b2e6d21de0d09)
Tomas Mraz [Thu, 12 Sep 2019 10:27:36 +0000 (12:27 +0200)]
BIO_f_zlib: Properly handle BIO_CTRL_PENDING and BIO_CTRL_WPENDING calls.
There can be data to write in output buffer and data to read that were
not yet read in the input stream.
Fixes #9866
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9877)
(cherry picked from commit
6beb8b39ba8e4cb005c1fcd2586ba19e17f04b95)
Dr. Matthias St. Pierre [Wed, 11 Sep 2019 08:40:18 +0000 (10:40 +0200)]
crypto/threads_win.c: fix preprocessor indentation
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9860)
Dr. Matthias St. Pierre [Wed, 11 Sep 2019 08:25:43 +0000 (10:25 +0200)]
crypto/threads_none.c: fix syntax error in openssl_get_fork_id()
Fixes #9858
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9860)
Matt Caswell [Tue, 10 Sep 2019 13:14:31 +0000 (14:14 +0100)]
Prepare for 1.1.1e-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Sep 2019 13:13:07 +0000 (14:13 +0100)]
Prepare for 1.1.1d release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Sep 2019 12:56:40 +0000 (13:56 +0100)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9847)
Matt Caswell [Tue, 10 Sep 2019 10:51:59 +0000 (11:51 +0100)]
Remove duplicate CHANGES entry
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9844)
Bernd Edlinger [Sat, 31 Aug 2019 22:16:28 +0000 (00:16 +0200)]
Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)
(cherry picked from commit
5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
Matt Caswell [Tue, 10 Sep 2019 09:26:07 +0000 (10:26 +0100)]
Update CHANGES and NEWS for the new release
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9841)
Bernd Edlinger [Fri, 6 Sep 2019 19:54:13 +0000 (21:54 +0200)]
Fix a potential crash in rand_unix.c
Due to the dynamic allocation that was added to rand_pool_add_begin
this function could now return a null pointer where it was previously
guaranteed to succeed. But the return value of this function does
not need to be checked by design.
Move rand_pool_grow from rand_pool_add_begin to rand_pool_bytes_needed.
Make an allocation error persistent to avoid falling back to less secure
or blocking entropy sources.
Fixes:
a6a66e4511ee ("Make rand_pool buffers more dynamic in their sizing.")
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9687)
(cherry picked from commit
fa3eb248e29ca8031e6a14e8a2c6f3cd58b5450e)
Bernd Edlinger [Sat, 24 Aug 2019 09:38:32 +0000 (11:38 +0200)]
Fix a strict warnings error in rand_pool_acquire_entropy
There was a warning about unused variables in this config:
./config --strict-warnings --with-rand-seed=rdcpu
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9687)
(cherry picked from commit
e301c147a763f67dcc5ba63eb7e2ae40d83a68aa)
Dr. Matthias St. Pierre [Thu, 30 May 2019 16:37:29 +0000 (18:37 +0200)]
drbg: fix issue where DRBG_CTR fails if NO_DF is used (2nd attempt)
Since commit
7c226dfc434d a chained DRBG does not add additional
data anymore when reseeding from its parent. The reason is that
the size of the additional data exceeded the allowed size when
no derivation function was used.
This commit provides an alternative fix: instead of adding the
entire DRBG's complete state, we just add the DRBG's address
in memory, thereby providing some distinction between the different
DRBG instances.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9802)
Dr. Matthias St. Pierre [Thu, 30 May 2019 16:52:39 +0000 (18:52 +0200)]
drbg: add fork id to additional data on UNIX systems
Provides a little extra fork-safety on UNIX systems, adding to the
fact that all DRBGs reseed automatically when the fork_id changes.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9802)
Dr. Matthias St. Pierre [Mon, 27 May 2019 19:03:09 +0000 (21:03 +0200)]
drbg: ensure fork-safety without using a pthread_atfork handler
When the new OpenSSL CSPRNG was introduced in version 1.1.1,
it was announced in the release notes that it would be fork-safe,
which the old CSPRNG hadn't been.
The fork-safety was implemented using a fork count, which was
incremented by a pthread_atfork handler. Initially, this handler
was enabled by default. Unfortunately, the default behaviour
had to be changed for other reasons in commit
b5319bdbd095, so
the new OpenSSL CSPRNG failed to keep its promise.
This commit restores the fork-safety using a different approach.
It replaces the fork count by a fork id, which coincides with
the process id on UNIX-like operating systems and is zero on other
operating systems. It is used to detect when an automatic reseed
after a fork is necessary.
To prevent a future regression, it also adds a test to verify that
the child reseeds after fork.
CVE-2019-1549
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9802)
Billy Brumley [Mon, 9 Sep 2019 08:29:09 +0000 (11:29 +0300)]
[test] ECC: check the bounds for auto computing cofactor
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9821)
(cherry picked from commit
1d3cd983f56e0a580ee4216692ee3c9c7bf14de9)
Bernd Edlinger [Mon, 9 Sep 2019 09:42:56 +0000 (11:42 +0200)]
Fix build with VS2008
crypto/rand/rand_win.c(70) : error C2065: 'BCRYPT_USE_SYSTEM_PREFERRED_RNG' : undeclared identifier
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9827)
(cherry picked from commit
d3a1128bc25ec8bf835c81821e1be68fba39ab4b)
Bernd Edlinger [Fri, 6 Sep 2019 22:53:24 +0000 (00:53 +0200)]
Use BN_clear_free in DH_set0_key
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9796)
(cherry picked from commit
fa01370f7dc8f0a379483bbe74de11225857e5fe)
Bernd Edlinger [Fri, 6 Sep 2019 22:58:31 +0000 (00:58 +0200)]
DH_check_pub_key_ex was accidentally calling DH_check,
so results were undefined.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9796)
(cherry picked from commit
2b95e8efcf8b99892106070d9ac745a0a369f503)
Bernd Edlinger [Mon, 9 Sep 2019 07:59:54 +0000 (09:59 +0200)]
Change DH_generate_parameters back to order 2q subgroup
For for G=2 and 5 DH_generate_parameters will continue to generate
the order 2q subgroup for compatibility with previous versions.
For G=3 DH_generate_parameters generates an order q subgroup, but it
will not pass the check in DH_check with previous OpenSSL versions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9820)
Nicola Tuveri [Mon, 9 Sep 2019 00:52:00 +0000 (03:52 +0300)]
Fix spacing nit in test/ectest.c
(cherry picked from commit
65936a56461fe09e8c81bca45122af5adcfabb00)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9813)
Nicola Tuveri [Sat, 7 Sep 2019 15:05:31 +0000 (18:05 +0300)]
[ec] Match built-in curves on EC_GROUP_new_from_ecparameters
Description
-----------
Upon `EC_GROUP_new_from_ecparameters()` check if the parameters match any
of the built-in curves. If that is the case, return a new
`EC_GROUP_new_by_curve_name()` object instead of the explicit parameters
`EC_GROUP`.
This affects all users of `EC_GROUP_new_from_ecparameters()`:
- direct calls to `EC_GROUP_new_from_ecparameters()`
- direct calls to `EC_GROUP_new_from_ecpkparameters()` with an explicit
parameters argument
- ASN.1 parsing of explicit parameters keys (as it eventually
ends up calling `EC_GROUP_new_from_ecpkparameters()`)
A parsed explicit parameter key will still be marked with the
`OPENSSL_EC_EXPLICIT_CURVE` ASN.1 flag on load, so, unless
programmatically forced otherwise, if the key is eventually serialized
the output will still be encoded with explicit parameters, even if
internally it is treated as a named curve `EC_GROUP`.
Before this change, creating any `EC_GROUP` object using
`EC_GROUP_new_from_ecparameters()`, yielded an object associated with
the default generic `EC_METHOD`, but this was never guaranteed in the
documentation.
After this commit, users of the library that intentionally want to
create an `EC_GROUP` object using a specific `EC_METHOD` can still
explicitly call `EC_GROUP_new(foo_method)` and then manually set the
curve parameters using `EC_GROUP_set_*()`.
Motivation
----------
This has obvious performance benefits for the built-in curves with
specialized `EC_METHOD`s and subtle but important security benefits:
- the specialized methods have better security hardening than the
generic implementations
- optional fields in the parameter encoding, like the `cofactor`, cannot
be leveraged by an attacker to force execution of the less secure
code-paths for single point scalar multiplication
- in general, this leads to reducing the attack surface
Check the manuscript at https://arxiv.org/abs/1909.01785 for an in depth
analysis of the issues related to this commit.
It should be noted that `libssl` does not allow to negotiate explicit
parameters (as per RFC 8422), so it is not directly affected by the
consequences of using explicit parameters that this commit fixes.
On the other hand, we detected external applications and users in the
wild that use explicit parameters by default (and sometimes using 0 as
the cofactor value, which is technically not a valid value per the
specification, but is tolerated by parsers for wider compatibility given
that the field is optional).
These external users of `libcrypto` are exposed to these vulnerabilities
and their security will benefit from this commit.
Related commits
---------------
While this commit is beneficial for users using built-in curves and
explicit parameters encoding for serialized keys, commit
b783beeadf6b80bc431e6f3230b5d5585c87ef87 (and its equivalents for the
1.0.2, 1.1.0 and 1.1.1 stable branches) fixes the consequences of the
invalid cofactor values more in general also for other curves
(CVE-2019-1547).
The following list covers commits in `master` that are related to the
vulnerabilities presented in the manuscript motivating this commit:
-
d2baf88c43 [crypto/rsa] Set the constant-time flag in multi-prime RSA too
-
311e903d84 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
-
b783beeadf [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
-
724339ff44 Fix SCA vulnerability when using PVK and MSBLOB key formats
Note that the PRs that contributed the listed commits also include other
commits providing related testing and documentation, in addition to
links to PRs and commits backporting the fixes to the 1.0.2, 1.1.0 and
1.1.1 branches.
This commit includes a partial backport of
https://github.com/openssl/openssl/pull/8555
(commit
8402cd5f75f8c2f60d8bd39775b24b03dd8b3b38)
for which the main author is Shane Lontis.
Responsible Disclosure
----------------------
This and the other issues presented in https://arxiv.org/abs/1909.01785
were reported by Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri,
Iaroslav Gridin, Alejandro Cabrera Aldaya and Billy Bob Brumley from the
NISEC group at Tampere University, FINLAND.
The OpenSSL Security Team evaluated the security risk for this
vulnerability as low, and encouraged to propose fixes using public Pull
Requests.
_______________________________________________________________________________
Co-authored-by: Shane Lontis <shane.lontis@oracle.com>
(Backport from https://github.com/openssl/openssl/pull/9808)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9809)
Dr. Matthias St. Pierre [Tue, 23 Jul 2019 18:54:03 +0000 (20:54 +0200)]
Configure: clang: move -Wno-unknown-warning-option to the front
While gcc ignores unknown options of the type '-Wno-xxx', clang by default issues
a warning [-Wunknown-warning-option] (see [3]), which together with '-Werror'
causes the build to fail. This turned out to be a problem on the 1.0.2 stable branch
in the case of the '-Wextended-offsetof' option, which was removed in version 6.0.0,
but needs to be kept here in order to support older clang versions, too (see #9446).
Incidentally, master and 1.1.1 branch already contained the -Wno-unknown-warning-option
option. Due to its special role and its importance, this commit adds an explaining
commit message and moves the option to the front.
[extended tests]
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9447)
(cherry picked from commit
03e5668343078b963cc6544ad7270743de13e514)
Nicola Tuveri [Sat, 7 Sep 2019 09:10:24 +0000 (12:10 +0300)]
Append CVE-2019-1547 to related CHANGES entry
This amends the entry added in
a6186f39802f94937a46f7a41ef0c86b6334b592
with the relevant CVE.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9800)
Bernd Edlinger [Fri, 23 Aug 2019 08:17:31 +0000 (10:17 +0200)]
Remove x86/x86_64 BSAES and AES_ASM support
This leaves VPAES and AESNI support.
The VPAES performance is comparable but BSAES is not
completely constant time. There are table lookups
using secret key data in AES_set_encrypt/decrypt_key
and in ctr mode short data uses the non-constant
time AES_encrypt function instead of bit-slicing.
Furthermore the AES_ASM is by far outperformed
by recent GCC versions.
Since BSAES calls back to AES_ASM for short
data blocks the performance on those is also
worse than the pure software implementaion.
Fixes: #9640
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9675)
Billy Brumley [Fri, 6 Sep 2019 14:26:40 +0000 (17:26 +0300)]
CHANGES entry: for ECC parameters with NULL or zero cofactor, compute it
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9781)
Billy Brumley [Thu, 5 Sep 2019 18:25:52 +0000 (21:25 +0300)]
[test] computing ECC cofactors: regression test
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9781)
Billy Brumley [Thu, 5 Sep 2019 18:25:37 +0000 (21:25 +0300)]
[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.
This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.
This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.
It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).
The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.
CVE-2019-1547
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9781)
Nicola Tuveri [Fri, 6 Sep 2019 11:05:26 +0000 (14:05 +0300)]
[ec/ecp_nistp*.c] restyle: use {} around `else` too
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit
4fe2ee3a449a8ca2886584e221f34ff0ef5de119)
Nicola Tuveri [Thu, 5 Sep 2019 22:31:45 +0000 (01:31 +0300)]
[ec/ecp_nistp*.c] remove flip_endian()
Replace flip_endian() by using the little endian specific
BN_bn2lebinpad() and BN_lebin2bn().
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit
e0b660c27d8d97b4ad9e2098cc957de26872c0ef)
Nicola Tuveri [Thu, 5 Sep 2019 21:18:36 +0000 (00:18 +0300)]
Uniform BN_bn2binpad() and BN_bn2lebinpad() implementations
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit
1b338abe3abb8c73f004c34d4b8a9272b89dfd5d)
Nicola Tuveri [Thu, 1 Aug 2019 23:08:34 +0000 (02:08 +0300)]
Make BN_num_bits() consttime upon BN_FLG_CONSTTIME
This issue was partially addressed by commit
972c87dfc7e765bd28a4964519c362f0d3a58ca4, which hardened its callee
BN_num_bits_word() to avoid leaking the most-significant word of its
argument via branching and memory access pattern.
The commit message also reported:
> There are a few places where BN_num_bits is called on an input where
> the bit length is also secret. This does *not* fully resolve those
> cases as we still only look at the top word.
BN_num_bits() is called directly or indirectly (e.g., through
BN_num_bytes() or BN_bn2binpad() ) in various parts of the `crypto/ec`
code, notably in all the currently supported implementations of scalar
multiplication (in the generic path through ec_scalar_mul_ladder() as
well as in dedicated methods like ecp_nistp{224,256,521}.c and
ecp_nistz256.c).
Under the right conditions, a motivated SCA attacker could retrieve the
secret bitlength of a secret nonce through this vulnerability,
potentially leading, ultimately, to recover a long-term secret key.
With this commit, exclusively for BIGNUMs that are flagged with
BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of
the BIGNUM are accessed up to bn->dmax and bitwise masking is used to
avoid branching.
Memory access pattern still leaks bn->dmax, the size of the lazily
allocated buffer for representing the BIGNUM, which is inevitable with
the current BIGNUM architecture: reading past bn->dmax would be an
out-of-bound read.
As such, it's the caller responsibility to ensure that bn->dmax does not
leak secret information, by explicitly expanding the internal BIGNUM
buffer to a public value sufficient to avoid any lazy reallocation
while manipulating it: this should be already done at the top level
alongside setting the BN_FLG_CONSTTIME.
Thanks to David Schrammel and Samuel Weiser for reporting this issue
through responsible disclosure.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit
8b44198b916015f77bef1befa26edb48ad8a0238)
Nicola Tuveri [Thu, 1 Aug 2019 22:33:05 +0000 (01:33 +0300)]
Fix a SCA leak using BN_bn2bin()
BN_bn2bin() is not constant-time and leaks the number of bits in the
processed BIGNUM.
The specialized methods in ecp_nistp224.c, ecp_nistp256.c and
ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the
internal fixed length representation.
This can leak during ECDSA/ECDH key generation or handling the nonce
while generating an ECDSA signature, when using these implementations.
The amount and risk of leaked information useful for a SCA attack
varies for each of the three curves, as it depends mainly on the
ratio between the bitlength of the curve subgroup order (governing the
size of the secret nonce/key) and the limb size for the internal BIGNUM
representation (which depends on the compilation target architecture).
To fix this, we replace BN_bn2bin() with BN_bn2binpad(), bounding the
output length to the width of the internal representation buffer: this
length is public.
Internally the final implementation of both BN_bn2binpad() and
BN_bn2bin() already has masking in place to avoid leaking bn->top
through memory access patterns.
Memory access pattern still leaks bn->dmax, the size of the lazily
allocated buffer for representing the BIGNUM, which is inevitable with
the current BIGNUM architecture: reading past bn->dmax would be an
out-of-bound read.
As such, it's the caller responsibility to ensure that bn->dmax does not
leak secret information, by explicitly expanding the internal BIGNUM
buffer to a public value sufficient to avoid any lazy reallocation
while manipulating it: this is already done at the top level alongside
setting the BN_FLG_CONSTTIME.
Finally, the internal implementation of BN_bn2binpad() indirectly calls
BN_num_bits() via BN_num_bytes(): the current implementation of
BN_num_bits() can leak information to a SCA attacker, and is addressed
in the next commit.
Thanks to David Schrammel and Samuel Weiser for reporting this issue
through responsible disclosure.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)
(cherry picked from commit
805315d3a20f7274195eed75b06c391dacf3b197)
Bernd Edlinger [Fri, 6 Sep 2019 06:46:46 +0000 (08:46 +0200)]
Fix a SCA leak in BN_generate_dsa_nonce
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9782)
(cherry picked from commit
31ca19403d56ad71d823cf62990518dfc6905bb4)
Cesar Pereida Garcia [Fri, 6 Sep 2019 07:48:00 +0000 (10:48 +0300)]
[crypto/rsa] Set the constant-time flag in multi-prime RSA too
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9779)
Cesar Pereida Garcia [Thu, 5 Sep 2019 09:13:11 +0000 (12:13 +0300)]
[crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
This commit addresses multiple side-channel vulnerabilities present
during RSA key validation.
Private key parameters are re-computed using variable-time functions.
This issue was discovered and reported by the NISEC group at TAU Finland.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9779)
Matt Caswell [Thu, 5 Sep 2019 15:21:56 +0000 (16:21 +0100)]
Teach TLSProxy how to parse CertificateRequest messages
We also use this in test_tls13messages to check that the extensions we
expect to see in a CertificateRequest are there.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9780)
(cherry picked from commit
dc5bcb88d819de55eb37460c122e02fec91c6d86)
Matt Caswell [Thu, 5 Sep 2019 15:43:57 +0000 (16:43 +0100)]
Don't send a status_request extension in a CertificateRequest message
If a TLSv1.3 server configured to respond to the status_request extension
also attempted to send a CertificateRequest then it was incorrectly
inserting a non zero length status_request extension into that message.
The TLSv1.3 RFC does allow that extension in that message but it must
always be zero length.
In fact we should not be sending the extension at all in that message
because we don't support it.
Fixes #9767
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9780)
(cherry picked from commit
debb64a0ca43969eb3f043aa8895a4faa7f12b6e)
Bernd Edlinger [Mon, 19 Aug 2019 15:12:22 +0000 (17:12 +0200)]
Fix error handling in x509_lu.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9639)
(cherry picked from commit
c70e2ec33943d3bd46d3d9950f774307feda832b)
Bernd Edlinger [Wed, 4 Sep 2019 09:39:54 +0000 (11:39 +0200)]
Cleanup includes in rand_unix.c
Fixes #9757
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9761)
(cherry picked from commit
41ffd2ab09d24692c71850ccd7d5ff154196fe01)
Bernd Edlinger [Wed, 4 Sep 2019 09:50:54 +0000 (11:50 +0200)]
Remove ifndef FIPS_MODE from rand_unix.c
This will never be the case for 1.1.1 so removed.
Fixes: comment 1 of #9757
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9762)
Billy Brawner [Wed, 28 Aug 2019 00:07:17 +0000 (17:07 -0700)]
Suppress 'No server certificate CA names sent' message
Fixes #9080
Signed-off-by: Billy Brawner <billy@wbrawner.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9710)
(cherry picked from commit
1e8e75d18be8856e753a57771754b9926c3f4264)
raja-ashok [Fri, 31 May 2019 03:20:54 +0000 (08:50 +0530)]
Test SSL_set_ciphersuites
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9621)
raja-ashok [Thu, 30 May 2019 18:21:18 +0000 (23:51 +0530)]
Fix SSL_set_ciphersuites to set even if no call to SSL_set_cipher_list
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9621)
David Woodhouse [Thu, 22 Aug 2019 17:42:05 +0000 (18:42 +0100)]
Fix bogus check for EVP_PKEY mandatory digest in check_cert_usable()
In commit
6aca8d1a5 ("Honour mandatory digest on private key in
has_usable_cert()") I added two checks for the capabilities of the
EVP_PKEY being used. One of them was wrong, as it should only be
checking the signature of the X.509 cert (by its issuer) against the
sigalgs given in a TLS v1.3 signature_algorithms_cert extension.
Remove it.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9705)
Pauli [Fri, 30 Aug 2019 09:16:43 +0000 (19:16 +1000)]
Remove duplicate CHANGES text.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9738)
Pauli [Thu, 29 Aug 2019 21:38:58 +0000 (07:38 +1000)]
Don't include the DEVRANDOM being seeded logic on Android.
It lacks exposure of the `shm*` functions and should prefer the GETRANDOM
source.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9735)
(cherry picked from commit
280cc0180862ae6664b88d5ea12cb5f599000d36)
Pauli [Thu, 29 Aug 2019 21:29:35 +0000 (07:29 +1000)]
Fix NITs in comments and CHANGES for DEVRANDOM seeded check.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9734)
(cherry picked from commit
46a9cc9451213039fd53f62733b2ccd04e853bb2)
Cesar Pereida Garcia [Wed, 14 Aug 2019 07:17:06 +0000 (10:17 +0300)]
Fix SCA vulnerability when using PVK and MSBLOB key formats
This commit addresses a side-channel vulnerability present when
PVK and MSBLOB key formats are loaded into OpenSSL.
The public key was not computed using a constant-time exponentiation
function.
This issue was discovered and reported by the NISEC group at TAU Finland.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9587)
(cherry picked from commit
724339ff44235149c4e8ddae614e1dda6863e23e)
Pauli [Sat, 24 Aug 2019 06:13:24 +0000 (16:13 +1000)]
Avoid overflowing FDSET when using select(2).
There is a problem in the rand_unix.c code when the random seed fd is greater
than or equal to FD_SETSIZE and the FDSET overruns its limit and walks the
stack.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9686)
(cherry picked from commit
e1f8584d47a499301fba781086af6885fcf21fec)
Richard Levitte [Fri, 23 Aug 2019 15:41:23 +0000 (17:41 +0200)]
test/evp_test.c: distinguish parsing errors from processing errors
Parsing functions are at liberty to return:
1: when parsing on processing of the parsed value succeeded
0: when the parsed keyword is unknown
-1: when the parsed value processing failed
Some parsing functions didn't do this quite right, they returned 0
when they should have returned -1, causing a message like this:
Line 123: unknown keyword PeerKey
When this message (which is displayed when the parsing function
returns -1) would have been more appropriate:
Line 123: error processing keyword PeerKey = ffdhe2048-2-pub
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9682)
(cherry picked from commit
f42c225d7f9a0bce0bf46103343402d3f0ad742f)
Richard Levitte [Thu, 22 Aug 2019 11:34:16 +0000 (13:34 +0200)]
openssl dgst, openssl enc: check for end of input
The input reading loop in 'openssl dgst' and 'openssl enc' doesn't
check for end of input, and because of the way BIO works, it thereby
won't detect that the end is reached before the read is an error.
With the FILE BIO, an error occurs when trying to read past EOF, which
is fairly much ok, except when the command is used interactively, at
least on Unix. The result in that case is that the user has to press
Ctrl-D twice for the command to terminate.
The issue is further complicated because both these commands use
filter BIOs on top of the FILE BIO, so a naïve attempt to check
BIO_eof() doesn't quite solve it, since that only checks the state of
the source/sink BIO, and the filter BIO may have some buffered data
that still needs to be read. Fortunately, there's BIO_pending() that
checks exactly that, if any filter BIO has pending data that needs to
be processed.
We end up having to check both BIO_pending() and BIO_eof().
Thanks to Zsigmond Lőrinczy for the initial effort and inspiration.
Fixes #9355
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9668)
(cherry picked from commit
8ed7bbb411d2a9e0edef928958ad955e0be3d6dd)
Johannes [Tue, 20 Aug 2019 06:13:47 +0000 (16:13 +1000)]
Correct documented return value for BIO_get_mem_data()
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9643)
(cherry picked from commit
797a5b7af9d9bbfbcbff4607c10ad5c5595ac785)
Pauli [Tue, 20 Aug 2019 06:19:20 +0000 (16:19 +1000)]
Start up DEVRANDOM entropy improvement for older Linux devices.
Improve handling of low entropy at start up from /dev/urandom by waiting for
a read(2) call on /dev/random to succeed. Once one such call has succeeded,
a shared memory segment is created and persisted as an indicator to other
processes that /dev/urandom is properly seeded.
This does not fully prevent against attacks weakening the entropy source.
An attacker who has control of the machine early in its boot sequence
could create the shared memory segment preventing detection of low entropy
conditions. However, this is no worse than the current situation.
An attacker would also be capable of removing the shared memory segment
and causing seeding to reoccur resulting in a denial of service attack.
This is partially mitigated by keeping the shared memory alive for the
duration of the process's existence. Thus, an attacker would not only need
to have called call shmctl(2) with the IPC_RMID command but the system
must subsequently enter a state where no instances of libcrypto exist in
any process. Even one long running process will prevent this attack.
The System V shared memory calls used here go back at least as far as
Linux kernel 2.0. Linux kernels 4.8 and later, don't have a reliable way
to detect that /dev/urandom has been properly seeded, so a failure is raised
for this case (i.e. the getentropy(2) call has already failed).
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9595)
[manual merge]
Bernd Edlinger [Mon, 19 Aug 2019 06:25:07 +0000 (08:25 +0200)]
Add a fallback definition for __NR_getrandom for x86 linux
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9639)
(cherry picked from commit
038b381ecf2a988eee4c7bb21074ed0603303bd1)
Rich Salz [Mon, 19 Aug 2019 00:20:37 +0000 (20:20 -0400)]
Fix some pod-page ordering nits
Backport of https://github.com/openssl/openssl/pull/9602
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9632)
Mykola Baibuz [Sun, 18 Aug 2019 08:17:03 +0000 (11:17 +0300)]
doc: fix link in BN_new.pod
Fixes #9622
CLA: trivial
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9627)
(cherry picked from commit
faee6b21048623a422d537cdbad24f50c5c21937)
Bernd Edlinger [Sat, 17 Aug 2019 11:22:07 +0000 (13:22 +0200)]
Add a fallback definition for __NR_getrandom for ARM linux
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9619)
(cherry picked from commit
24d932ec842bc5fdbd5e9b519cecf15a56bc74e6)
Patrick Steuer [Mon, 5 Aug 2019 14:56:14 +0000 (16:56 +0200)]
Test for out-of-bounds write when requesting zero bytes from shake
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9433)
(cherry picked from commit
3ce46435e6ebed69bec0fa3454cc195ced426d42)
Patrick Steuer [Mon, 5 Aug 2019 14:53:16 +0000 (16:53 +0200)]
Directly return from final sha3/keccak_final if no bytes are requested
Requesting zero bytes from shake previously led to out-of-bounds write
on some platforms.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9433)
(cherry picked from commit
a890ef833d114da3430c2f2efd95e01714704d34)
Rich Salz [Sat, 17 Aug 2019 16:49:50 +0000 (12:49 -0400)]
.travis.yml: Use travis_terminate on failure
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9620)
(cherry picked from commit
5be78a88aa922a6c43a83a18dbe252c6a358b8e9)
Bernd Edlinger [Fri, 16 Aug 2019 13:18:51 +0000 (15:18 +0200)]
Fix error handling in X509_chain_up_ref
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9614)
(cherry picked from commit
cae665dfa6ccec743a7f39cf80676d7d2d787e56)
Dr. Matthias St. Pierre [Thu, 15 Aug 2019 11:45:04 +0000 (13:45 +0200)]
INSTALL: clarify documentation of the --api=x.y.z deprecation option
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9599)
(cherry picked from commit
bf9d6bb83d009923ceb65753c6dd9fa880e8ba92)
Omid Najafi [Fri, 2 Aug 2019 21:40:19 +0000 (17:40 -0400)]
Fix syntax error for the armv4 assembler
The error was from the alignment syntax of the code.
More details:
https://stackoverflow.com/questions/
57316823/arm-assembly-syntax-in-vst-vld-commands?noredirect=1#comment101133590_57316823
CLA: trivial
Fixes: #9518
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9518)
(cherry picked from commit
2a17758940657cc3a97b032104a92f0aa304f863)
Richard Levitte [Thu, 15 Aug 2019 08:20:13 +0000 (10:20 +0200)]
crypto/engine/eng_openssl.c: define TEST_ENG_OPENSSL_RC4_P_INIT conditionally
When OpenSSL is configured with 'no-stdio', TEST_ENG_OPENSSL_RC4_P_INIT
shouldn't be defined, as that test uses stdio.
Fixes #9597
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9598)
(cherry picked from commit
9f643f54236d6cf0d0d24327acd3b858883f0686)
Matt Caswell [Tue, 23 Jul 2019 16:10:05 +0000 (17:10 +0100)]
Extend tests of SSL_check_chain()
Actually supply a chain and then test:
1) A successful check of both the ee and chain certs
2) A failure to check the ee cert
3) A failure to check a chain cert
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9443)
Matt Caswell [Tue, 23 Jul 2019 14:14:29 +0000 (15:14 +0100)]
Fix SSL_check_chain()
The function SSL_check_chain() can be used by applications to check that
a cert and chain is compatible with the negotiated parameters. This could
be useful (for example) from the certificate callback. Unfortunately this
function was applying TLSv1.2 sig algs rules and did not work correctly if
TLSv1.3 was negotiated.
We refactor tls_choose_sigalg to split it up and create a new function
find_sig_alg which can (optionally) take a certificate and key as
parameters and find an appropriate sig alg if one exists. If the cert and
key are not supplied then we try to find a cert and key from the ones we
have available that matches the shared sig algs.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9443)
opensslonzos-github [Thu, 8 Aug 2019 18:11:38 +0000 (14:11 -0400)]
Add missing EBCDIC strings
Fix a few places where calling ossl_isdigit does the wrong thing on
EBCDIC based systems.
Replaced with ascii_isdigit.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9556)
(cherry picked from commit
48102247ff513d4c57b40b19c1d432f37b9e4b02)
Paul Yang [Wed, 14 Aug 2019 02:28:07 +0000 (10:28 +0800)]
Add description in X509_STORE manipulation
Add memory management description in X509_STORE_add_cert, otherwise
users will not be aware that they are leaking memory...
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9484)
(cherry picked from commit
86333b6e0c5c488130ab237e95b8520891b81bf6)
Tomas Mraz [Mon, 12 Aug 2019 14:43:59 +0000 (16:43 +0200)]
BIO_lookup_ex: Do not retry on EAI_MEMORY
We should not retry on EAI_MEMORY as that error is most probably
fatal and not depending on AI_ADDRCONFIG hint.
Also report the error from the first call if the second call fails
as that one would be most probably the more interesting one.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9535)
(cherry picked from commit
91cb81d40a8102c3d8667629661be8d6937db82b)
Tomas Mraz [Mon, 5 Aug 2019 17:11:07 +0000 (19:11 +0200)]
BIO_lookup_ex: Always retry the lookup on failure with AI_NUMERICHOST set
Do not try to discern the error return value on
getaddrinfo() failure but when retrying set the AI_NUMERICHOST
to avoid DNS lookups.
Fixes: #9053
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9535)
(cherry picked from commit
7f616a00e9232392927099dca1eca70d0d058665)
Richard Levitte [Mon, 12 Aug 2019 09:46:23 +0000 (11:46 +0200)]
Configurations/unit-Makefile.tmpl: Don't clean away dotted files
A local 'make clean' did some sweeping removals of files execpt for
the .git directory. This is a little too sweeping, as other dotted
files might be cleaned away if they happen to match the pattern that's
searched for.
An example is a symlink .dir-locals.el that would keep disappearing if
you build in the source tree and do a make clean...
So we change this to leave all dotted files alone. Our builds do not
produce such files anyway, so this is a harmless (or rather, less
harmful) change.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9573)
(cherry picked from commit
853094dbe15a49b334f3488fc99a557abf021c09)
Richard Levitte [Mon, 12 Aug 2019 09:27:16 +0000 (11:27 +0200)]
engines/build.info: if the padlock engine is disabled, don't build it!
Fixes #9244
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9572)
Denis Ovsienko [Fri, 9 Aug 2019 21:14:04 +0000 (22:14 +0100)]
Remove some duplicate words from the documentation
Fixup INSTALL and a couple man pages to get rid of "the the" and "in the
in the".
CLA: trivial
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9563)
(cherry picked from commit
3c74e77bd89e3d5400ab4d640149e27863756579)
Matt Caswell [Thu, 8 Aug 2019 10:41:18 +0000 (11:41 +0100)]
Add TLS tests for RSA-PSS Restricted certificates
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9553)
(cherry picked from commit
20946b94658416d2fed0b9d9c7adfbe4b7d70515)
Matt Caswell [Thu, 8 Aug 2019 10:08:14 +0000 (11:08 +0100)]
Add Restricted PSS certificate and key
Create a PSS certificate with parameter restrictions
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9553)
(cherry picked from commit
39d9ea5e502114a204750f641ca76ff5b4912401)
Matt Caswell [Thu, 8 Aug 2019 08:13:51 +0000 (09:13 +0100)]
Ensure RSA PSS correctly returns the right default digest
A default digest of SHA256 was being returned for RSA PSS even if the
PSS parameters indicated a different digest must be used. We change this
so that the correct default digest is returned and additionally mark this
as mandatory for PSS.
This bug had an impact on sig alg selection in libssl. Due to this issue
an incorrect sig alg might be selected in the event that a server is
configured with an RSA-PSS cert with parameter restrictions.
Fixes #9545
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9553)
(cherry picked from commit
9bcc9f973b2a216461dd6f140e47ef647eb733b4)
Vladimir Kotal [Fri, 19 Jul 2019 14:01:13 +0000 (16:01 +0200)]
mention what happens if OPENSSL_NO_RC2 is defined
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9415)
(cherry picked from commit
8c47e55ee69500e31e80458682c6e022294cd0be)
Vladimir Kotal [Tue, 11 Jun 2019 14:21:00 +0000 (16:21 +0200)]
make ecp_nistz256_point_add_vis3() local
fixes #8936
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9132)
(cherry picked from commit
861335001b99cfd665030c50ad37a663536a5c0f)
Martin Ukrop [Mon, 5 Aug 2019 12:14:54 +0000 (14:14 +0200)]
Fix reversed meaning of error codes
The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were still reversed in the X509_STORE_CTX_get_error function documentation.
This used to be the problem also in the verify application documentation, but was fixed on 2010-02-23 in
7d3d178.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9529)
(cherry picked from commit
6d5aa88d74b67b1bc108e121dea687a4ca67e329)
Matt Caswell [Fri, 28 Jun 2019 11:07:55 +0000 (12:07 +0100)]
Clarify the INSTALL instructions
Ensure users understand that they need to have appropriate permissions
to write to the install location.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9268)
(cherry picked from commit
7c03bb9fff02b7f08d4654f51f8667584a92cf72)
Shane Lontis [Thu, 8 Aug 2019 03:19:23 +0000 (13:19 +1000)]
Change EVP_CIPHER_CTX_iv_length() to return current ivlen for some modes
Note a flag needed to be added since some ssl tests fail if they output any error
(even if the error is ignored). Only ciphers that handle the GET_IV_LEN control set this flag.
Fixes #8330
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9499)
Matt Caswell [Mon, 5 Aug 2019 15:13:24 +0000 (16:13 +0100)]
Fix ECDSA_SIG docs
They incorrectly said that i2d_ECDSA_SIG returns 0 on error. In fact it
returns a negative value on error.
We fix this by moving the i2d_ECDSA_SIG/d2i_ECDSA_SIG docs onto the same
page as all the other d2i/i2d docs.
Fixes #9517
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9533)
(cherry picked from commit
bbda79976b5c5095c5e6557311c86c623ba335f1)
Matt Caswell [Mon, 22 Jul 2019 10:02:46 +0000 (11:02 +0100)]
Correct the Extended Master Secret string for EBCDIC
The macro TLS_MD_MASTER_SECRET_CONST is supposed to hold the ascii string
"extended master secret". On EBCDIC machines it actually contained the
value "extecded master secret"
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9430)
(cherry picked from commit
c1a3f16f735057b45df1803d58f40e4e17b233e5)
Matt Caswell [Thu, 1 Aug 2019 13:55:25 +0000 (14:55 +0100)]
Fix SSL_MODE_RELEASE_BUFFERS functionality
At some point in the past do_ssl3_write() used to return the number of
bytes written, or a value <= 0 on error. It now just returns a success/
error code and writes the number of bytes written to |tmpwrit|.
The SSL_MODE_RELEASE_BUFFERS code was still looking at the return code
for the number of bytes written rather than |tmpwrit|. This has the effect
that the buffers are not released when they are supposed to be.
Fixes #9490
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9505)
(cherry picked from commit
8bbf63e48f27c5edaa03e6d87d969c9b6a207f3c)
Dr. Matthias St. Pierre [Wed, 31 Jul 2019 15:02:45 +0000 (17:02 +0200)]
Add missing accessors for X509 AuthorityKeyIdentifier
Complements commit
b383aa208146, which added X509_get0_authority_key_id().
const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x); [NEW]
const ASN1_INTEGER *X509_get0_authority_serial(X509 *x); [NEW]
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9494)
raja-ashok [Sun, 28 Jul 2019 07:53:00 +0000 (13:23 +0530)]
Use allow_early_data_cb from SSL instead of SSL_CTX
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9471)
(cherry picked from commit
59b2cb2638dda3e07385ad36a41f0e141b36987b)
Antoine Cœur [Tue, 2 Jul 2019 14:29:29 +0000 (22:29 +0800)]
Fix Typos
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9295)
joe2018Outlookcom [Wed, 31 Jul 2019 05:46:02 +0000 (13:46 +0800)]
Fix warning C4164 in MSVC.
Fix: crypto\whrlpool\wp_block.c(90) : warning C4164: '_rotl64' : intrinsic function not declared.
Fixes #9487
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9488)
(cherry picked from commit
0c789f59f117ccbb30ffc621216ba776117c7c61)
David von Oheimb [Fri, 26 Jul 2019 09:03:12 +0000 (11:03 +0200)]
make RSA and DSA operations throw MISSING_PRIVATE_KEY if needed, adapt ECDSA
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9466)
(cherry picked from commit
7408f6759f1b0100438ca236ea8f549454aaf2d5)
Bernd Edlinger [Mon, 29 Jul 2019 09:39:34 +0000 (11:39 +0200)]
Use OPENSSL_strlcpy instead of strncpy in e_afalg.c
This avoids a spurious gcc warning:
./config enable-asan --strict-warnings
=>
In function 'afalg_create_sk',
inlined from 'afalg_cipher_init' at engines/e_afalg.c:545:11:
engines/e_afalg.c:376:5: error: '__builtin_strncpy' output may be
truncated copying 63 bytes from a string of length 63 [-Werror=stringop-truncation]
376 | strncpy((char *) sa.salg_name, ciphername, ALG_MAX_SALG_NAME);
| ^~~~~~~
[extended tests]
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9478)
(cherry picked from commit
62cc845fc955c8d4de7b703f57bfd8e5854f00f4)
Pauli [Fri, 26 Jul 2019 02:56:01 +0000 (12:56 +1000)]
Add weak platform independent PRNG to test framework.
Implement the GNU C library's random(3) pseudorandom number generator.
The algorithm is described: https://www.mscs.dal.ca/~selinger/random/
The rationale is to make the tests repeatable across differing platforms with
different underlying implementations of the random(3) library call.
More specifically: when executing tests with random ordering.
[extended tests]
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9463)
(cherry picked from commit
e9a5932d04f6b7dd25b39a8ff9dc162d64a78c22)
David Benjamin [Tue, 23 Jul 2019 18:14:48 +0000 (14:14 -0400)]
Don't generate an unnecessary Diffie-Hellman key in TLS 1.3 clients.
tls_parse_stoc_key_share was generating a new EVP_PKEY public/private
keypair and then overrides it with the server public key, so the
generation was a waste anyway. Instead, it should create a
parameters-only EVP_PKEY.
(This is a consequence of OpenSSL using the same type for empty key,
empty key with key type, empty key with key type + parameters, public
key, and private key. As a result, it's easy to mistakenly mix such
things up, as happened here.)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9445)
(cherry picked from commit
166c0b98fd6e8b1bb341397642527a9396468f6c)
Richard Levitte [Sat, 6 Jul 2019 07:38:59 +0000 (09:38 +0200)]
Fix default installation paths on mingw
Mingw config targets assumed that resulting programs and libraries are
installed in a Unix-like environment and the default installation
prefix was therefore set to '/usr/local'.
However, mingw programs are installed in a Windows environment, and
the installation directories should therefore have Windows defaults,
i.e. the same kind of defaults as the VC config targets.
A difficulty is, however, that a "cross compiled" build can't figure
out the system defaults from environment the same way it's done when
building "natively", so we have to fall back to hard coded defaults in
that case.
Tests can still be performed when cross compiled on a non-Windows
platform, since all tests only depend on the source and build
directory, and otherwise relies on normal local paths.
CVE-2019-1552
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9400)
Pauli [Tue, 23 Jul 2019 08:07:19 +0000 (18:07 +1000)]
Make rand_pool buffers more dynamic in their sizing.
The rand pool support allocates maximal sized buffers -- this is typically
12288 bytes in size. These pools are allocated in secure memory which is a
scarse resource. They are also allocated per DRBG of which there are up to two
per thread.
This change allocates 64 byte pools and grows them dynamically if required.
64 is chosen to be sufficiently large so that pools do not normally need to
grow.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9428)
(cherry picked from commit
a6a66e4511eec0f4ecc2943117a42b3723eb2222)
Bernd Edlinger [Tue, 23 Jul 2019 13:14:14 +0000 (23:14 +1000)]
Allocate DRBG additional data pool from non-secure memory
The additional data allocates 12K per DRBG instance in the
secure memory, which is not necessary. Also nonces are not
considered secret.
[extended tests]
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9424)
Dr. Matthias St. Pierre [Fri, 12 Jul 2019 20:49:42 +0000 (22:49 +0200)]
Remove HEADER_X509_H include detector from apps
The HEADER_X509_H check is redundant, because <openssl/x509.h>
is already included.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9365)
Dr. Matthias St. Pierre [Fri, 5 Jul 2019 13:50:50 +0000 (15:50 +0200)]
Remove OPENSSL_X509V3_H include detector from openssl/cms.h
The check is redundant, because <openssl/x509v3.h> is included.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9365)