Richard Levitte [Wed, 12 Dec 2018 10:22:52 +0000 (11:22 +0100)]
test/evp_test.c: use EVP_DecryptUpdate when decrypting, even for AAD
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7856)
Richard Levitte [Mon, 10 Dec 2018 09:23:01 +0000 (10:23 +0100)]
make update
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7856)
Richard Levitte [Mon, 10 Dec 2018 09:18:10 +0000 (10:18 +0100)]
Prevent calling decryption in an encryption context and vice versa
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7856)
Matt Caswell [Wed, 2 Jan 2019 17:05:27 +0000 (17:05 +0000)]
make update
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7974)
Richard Levitte [Sat, 15 Dec 2018 10:06:00 +0000 (11:06 +0100)]
Makefile.org: prevent .bak files to become part of the tarball
Fixes #7903
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7910)
Dr. Matthias St. Pierre [Wed, 12 Dec 2018 06:38:07 +0000 (07:38 +0100)]
doc/man3: remove copy&paste leftover
Fixes #7883
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7884)
(cherry picked from commit
00eb879f74971e3c048286ef44f6f544676f90d7)
Tobias Stoeckmann [Tue, 11 Dec 2018 19:34:21 +0000 (20:34 +0100)]
Fixed typo (vi leftover).
There was a trailing :w at a line, which didn't make sense in context
of the sentence/styling. Removed it, because I think it's a leftover
vi command.
CLA: trivial
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7875)
(cherry picked from commit
143b631639f95822e5e00768254fa35c787f6396)
Richard Levitte [Fri, 7 Dec 2018 08:26:04 +0000 (09:26 +0100)]
Make EVP_PKEY_asn1_add0() stricter about its input
It turns out that the strictness that was implemented in
EVP_PKEY_asn1_new() (see Github openssl/openssl#6880) was badly placed
for some usages, and that it's better to do this check only when the
method is getting registered.
Fixes #7758
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7847)
(cherry picked from commit
a86003162138031137727147c9b642d99db434b1)
Andy Polyakov [Fri, 14 Sep 2018 15:24:13 +0000 (17:24 +0200)]
rsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time.
Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
if nul delimiter is preceded by 8 consecutive 0x03 bytes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
603221407ddc6404f8c417c6beadebf84449074c)
Resolved conflicts:
crypto/rsa/rsa_ssl.c
(Merged from https://github.com/openssl/openssl/pull/7737)
Andy Polyakov [Thu, 6 Sep 2018 19:54:23 +0000 (21:54 +0200)]
rsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP.
And make RSAErr call unconditional.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
75f5e944be97f28867e7c489823c889d89d0bd06)
Resolved conflicts:
crypto/rsa/rsa_oaep.c
(Merged from https://github.com/openssl/openssl/pull/7737)
Andy Polyakov [Sat, 1 Sep 2018 10:00:33 +0000 (12:00 +0200)]
rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.
And make RSAErr call unconditional.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
e875b0cf2f10bf2adf73e0c2ec81428290f4660c)
Resolved conflicts:
crypto/rsa/rsa_pk1.c
(Merged from https://github.com/openssl/openssl/pull/7737)
Andy Polyakov [Fri, 30 Nov 2018 20:07:18 +0000 (21:07 +0100)]
rsa/rsa_eay.c: make RSAerr call in rsa_ossl_private_decrypt unconditional.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
89072e0c2a483f2ad678e723e112712567b0ceb1)
(Merged from https://github.com/openssl/openssl/pull/7737)
Andy Polyakov [Sat, 1 Sep 2018 10:19:30 +0000 (12:19 +0200)]
err/err.c: add err_clear_last_constant_time.
Expected usage pattern is to unconditionally set error and then
wipe it if there was no actual error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
f658a3b64d8750642f4975090740865f770c2a1b)
Resolved conflicts:
crypto/err/err.c
crypto/constant_time_locl.h
(Merged from https://github.com/openssl/openssl/pull/7737)
Richard Levitte [Mon, 3 Dec 2018 09:57:01 +0000 (10:57 +0100)]
Docs fixup: some man3 pages had unindented code in SYNOPSIS
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7744)
(cherry picked from commit
7b4a3515a4ddb567d48000e61d7cb640d0c5f261)
David Woodhouse [Tue, 16 Oct 2018 14:59:46 +0000 (07:59 -0700)]
Honour mandatory digest on private key in tls1_process_sigalgs()
If the private key says it can only support one specific digest, then
don't ask it to perform a different one.
Fixes: #7348
(cherry picked from commit
2d263a4a73f852005b16359873475d48755999ad
and reworked for 1.0.2)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7610)
David Woodhouse [Tue, 16 Oct 2018 14:41:17 +0000 (07:41 -0700)]
Stop marking default digest for EC keys as mandatory
ASN1_PKEY_CTRL_DEFAULT_MD_NID is documented to return 2 for a mandatory
digest algorithm, when the key can't support any others. That isn't true
here, so return 1 instead.
Partially fixes #7348
(cherry picked from commit
eb7eb1378cd15c4652884b3701d4c0ef27b5b8a6)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7610)
Andy Polyakov [Wed, 7 Nov 2018 21:07:22 +0000 (22:07 +0100)]
rsa/rsa_eay.c: cache MONT_CTX for public modulus earlier.
Blinding is performed more efficiently and securely if MONT_CTX for public
modulus is available by the time blinding parameter are instantiated. So
make sure it's the case.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(manually cherry picked from commit
2cc3f68cde77af23c61fbad65470602ee86f2575)
(Merged from https://github.com/openssl/openssl/pull/7586)
Richard Levitte [Thu, 22 Nov 2018 10:05:31 +0000 (11:05 +0100)]
VMS: ensure x509_time_test is built
A lacking DCL variable to indicate where it's located was missing.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7685)
Matt Caswell [Tue, 20 Nov 2018 13:46:11 +0000 (13:46 +0000)]
Prepare for 1.0.2r-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 20 Nov 2018 13:45:20 +0000 (13:45 +0000)]
Prepare for 1.0.2q release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 20 Nov 2018 13:45:20 +0000 (13:45 +0000)]
make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 20 Nov 2018 13:23:36 +0000 (13:23 +0000)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7671)
Matt Caswell [Tue, 20 Nov 2018 10:52:53 +0000 (10:52 +0000)]
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7667)
Richard Levitte [Tue, 20 Nov 2018 11:11:38 +0000 (12:11 +0100)]
VMS: ensure crypto/getenv.c is included in the build
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7665)
Vitezslav Cizek [Thu, 25 Oct 2018 11:53:26 +0000 (13:53 +0200)]
DSA: Check for sanity of input parameters
dsa_builtin_paramgen2 expects the L parameter to be greater than N,
otherwise the generation will get stuck in an infinite loop.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(cherry picked from commit
3afd38b277a806b901e039c6ad281c5e5c97ef67)
(Merged from https://github.com/openssl/openssl/pull/7493)
Billy Brumley [Thu, 8 Nov 2018 11:57:54 +0000 (13:57 +0200)]
CVE-2018-5407 fix: ECC ladder
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7593)
Dr. Matthias St. Pierre [Fri, 9 Nov 2018 20:37:38 +0000 (21:37 +0100)]
Fix 'no-ecdh' build
Fixes #3302
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7606)
Matt Caswell [Tue, 16 Oct 2018 16:08:11 +0000 (17:08 +0100)]
Properly handle duplicated messages from the next epoch
Since
3884b47b7c we may attempt to buffer a record from the next epoch
that has already been buffered. Prior to that this never occurred.
We simply ignore a failure to buffer a duplicated record.
Fixes #6902
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7415)
Pauli [Wed, 31 Oct 2018 22:44:11 +0000 (08:44 +1000)]
Add a constant time flag to one of the bignums to avoid a timing leak.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7549)
(cherry picked from commit
00496b6423605391864fbbd1693f23631a1c5239)
Pauli [Sun, 28 Oct 2018 21:18:09 +0000 (07:18 +1000)]
Merge to 1.0.2: DSA mod inverse fix.
There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm. This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.
Thanks to Samuel Weiser for finding and reporting this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7512)
Pauli [Sun, 28 Oct 2018 22:24:22 +0000 (08:24 +1000)]
Merge DSA reallocation timing fix CVE-2018-0734.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7513)
Dr. Matthias St. Pierre [Thu, 18 Oct 2018 21:17:46 +0000 (23:17 +0200)]
md_rand.c: don't stop polling until properly initialized
Previously, the RNG sets `initialized=1` after the first call to
RAND_poll(), although its criterion for being initialized actually
is whether condition `entropy >= ENTROPY_NEEDED` is true.
This commit now assigns `initialized=(entropy >= ENTROPY_NEEDED)`,
which has the effect that on the next call, RAND_poll() will be
called again, if it previously failed to obtain enough entropy.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7439)
Viktor Dukhovni [Mon, 8 Oct 2018 16:05:14 +0000 (12:05 -0400)]
Apply self-imposed path length also to root CAs
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf). Therefore, never count the EE
cert, and adjust the path length comparison accordinly. This may
be more clear to the reader.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
dc5831da59e9bfad61ba425d886a0b06ac160cd6)
Viktor Dukhovni [Fri, 5 Oct 2018 03:53:01 +0000 (23:53 -0400)]
Only CA certificates can be self-issued
At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:
This specification covers two classes of certificates: CA
certificates and end entity certificates. CA certificates may be
further divided into three classes: cross-certificates, self-issued
certificates, and self-signed certificates. Cross-certificates are
CA certificates in which the issuer and subject are different
entities. Cross-certificates describe a trust relationship between
the two CAs. Self-issued certificates are CA certificates in which
the issuer and subject are the same entity. Self-issued certificates
are generated to support changes in policy or operations. Self-
signed certificates are self-issued certificates where the digital
signature may be verified by the public key bound into the
certificate. Self-signed certificates are used to convey a public
key for use to begin certification paths. End entity certificates
are issued to subjects that are not authorized to issue certificates.
that the term "self-issued" is only applicable to CAs, not end-entity
certificates. In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:
The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit (Section 4.2.1.3). In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path. (Note: The
last certificate in the certification path is not an intermediate
certificate, and is not included in this limit. Usually, the last
certificate is an end entity certificate, but it can be a CA
certificate.)
This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates. A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count. The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)
Andy Polyakov [Wed, 5 Sep 2018 12:33:21 +0000 (14:33 +0200)]
rsa/rsa_ossl.c: fix and extend commentary [skip ci].
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7123)
(cherry picked from commit
d1c008f66bad435b18aa45aa59f72bed7c682849)
Andy Polyakov [Sun, 23 Sep 2018 14:38:11 +0000 (16:38 +0200)]
util/domd: omit superfluous shift in -MD handling.
While reviewing last modification in GH#6261 Richard actually spotted
the inconsistency, but withdrew the remark, correct one in aftermath...
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7298)
Nicola Tuveri [Thu, 6 Sep 2018 21:44:36 +0000 (00:44 +0300)]
Access `group->mont_data` conditionally in EC_GROUP_set_generator()
It appears that, in FIPS mode, `ec_precompute_mont_data()` always failed
but the error was ignored until commit
e3ab8cc from #6810.
The actual problem lies in the fact that access to the `mont_data` field
of an `EC_GROUP` struct should always be guarded by an
`EC_GROUP_VERSION(group)` check to avoid OOB accesses, because `group`
might come from the FIPS module, which does not define the `mont_data`
field inside the EC_GROUP structure.
This commit adds the required check before any access to
`group->mont_data` in `EC_GROUP_set_generator()`.
Fixes #7127
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7135)
Pauli [Mon, 24 Sep 2018 04:06:45 +0000 (14:06 +1000)]
Merge 1.0.2 setuid calls to getenv(3) safety.
Manual merge of #7047 to 1.0.2-stable.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7300)
Manikantan Subramanian [Tue, 18 Sep 2018 01:54:13 +0000 (18:54 -0700)]
Use gethostbyname_r if available
Fixes #7228
The function BIO_get_host_ip uses gethostbyname, which is not thread safe
and hence we grab a lock. In multi-threaded applications, this lock sometimes
causes performance bottlenecks.
This patch uses the function gethostbyname_r (thread safe version), when
available.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7250)
Daniel Bevenius [Mon, 24 Sep 2018 06:43:35 +0000 (08:43 +0200)]
Document OPENSSL_VERSION_TEXT macro
This commit documents the OPENSSL_VERSION_TEXT which is currently
missing in the man page.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7301)
(cherry picked from commit
7c69495712e3dc9aa8db38271f0c3faeb2037165)
Richard Levitte [Fri, 21 Sep 2018 09:11:15 +0000 (11:11 +0200)]
crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG
This module includes bn.h via other headers, so it picks up the
definition from there and doesn't need to define them locally (any
more?). Worst case scenario, the redefinition may be different and
cause all sorts of compile errors.
Fixes #7227
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7287)
(cherry picked from commit
dda5396aaec315bdbcb080e42fb5cd0191f2ad72)
Dr. Matthias St. Pierre [Mon, 17 Sep 2018 15:50:54 +0000 (17:50 +0200)]
drbg_get_entropy: force a reseed before calling ssleay_rand_bytes()
Fixes #7240
In FIPS mode, the default FIPS DRBG uses the drbg_get_entropy()
callback to reseed itself, which is provided by the wrapping
libcrypto library. This callback in turn uses ssleay_rand_bytes()
to generate random bytes.
Now ssleay_rand_bytes() calls RAND_poll() once on first call to
seed itself, but RAND_poll() is never called again (unless the
application calls RAND_poll() explicitely). This implies that
whenever the DRBG reseeds itself (which happens every 2^14
generate requests) this happens without obtaining fresh random
data from the operating system's entropy sources.
This patch forces a reseed from system entropy sources on every
call to drbg_get_entropy(). In contrary to the automatic reseeding
of the DRBG in master, this reseeding does not break applications
running in a chroot() environment (see
c7504aeb640a), because the
SSLEAY PRNG does not maintain an error state. (It does not even
check the return value of RAND_poll() on its instantiation.)
In the worst case, if no random device is available for reseeding,
no fresh entropy will be added to the SSLEAY PRNG but it will happily
continue to generate random bytes as 'entropy' input for the DRBG's
reseeding, which is just as good (or bad) as before this patch.
To prevent ssleay_rand_bytes_from_system() (and hence RAND_poll())
from being called twice during instantiation, a separate
drbg_get_nonce() callback has been introduced, which is identical
with the previous implementation of drbg_get_entropy().
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/7259)
Richard Levitte [Wed, 19 Sep 2018 19:33:45 +0000 (21:33 +0200)]
crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too
These both indicate that the file descriptor we're trying to use as a
terminal isn't, in fact, a terminal.
Fixes #7271
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7272)
(cherry picked from commit
276bf8620ce35a613c856f2b70348f65ffe94067)
(cherry picked from commit
ad1730359220cef5903d16c7f58b602fc3713414)
Bernd Edlinger [Mon, 10 Sep 2018 12:18:23 +0000 (14:18 +0200)]
Make the config script fail with an error code if Configure failed
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7166)
(cherry picked from commit
e13dc23cc0fd64c304c25a67d5fa516a77f9e8f1)
Richard Levitte [Thu, 6 Sep 2018 07:35:39 +0000 (09:35 +0200)]
CAPI engine: add support for RSA_NO_PADDING
Since the SSL code started using RSA_NO_PADDING, the CAPI engine became
unusable. This change fixes that.
Fixes #7131
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7132)
Matt Caswell [Mon, 10 Sep 2018 15:23:14 +0000 (16:23 +0100)]
Check the return value from ASN1_INTEGER_set
Found by Coverity
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7169)
(cherry picked from commit
512d811719fc955f574090af4c3586a9aba46fa7)
Richard Levitte [Mon, 3 Sep 2018 11:17:03 +0000 (13:17 +0200)]
openssl req: don't try to report bits
With the introduction of -pkeyopt, the number of bits may change
without |newkey| being updated. Unfortunately, there is no API to
retrieve the information from a EVP_PKEY_CTX either, so chances are
that we report incorrect information. For the moment, it's better not
to try to report the number of bits at all.
Fixes #7086
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7096)
(cherry picked from commit
17147181bd3f97c53592e2a5c9319b854b954039)
Richard Levitte [Tue, 4 Sep 2018 10:05:39 +0000 (12:05 +0200)]
VMS: add missing x509_time test to test scripts
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7112)
Matt Caswell [Thu, 23 Aug 2018 10:37:22 +0000 (11:37 +0100)]
Clarify the EVP_DigestSignInit docs
They did not make it clear how the memory management works for the |pctx|
parameter.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7043)
Jakub Wilk [Mon, 3 Sep 2018 09:09:51 +0000 (11:09 +0200)]
Fix example in crl(1) man page
The default input format is PEM, so explicit "-inform DER" is needed to
read DER-encoded CRL.
CLA: trivial
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7094)
(cherry picked from commit
785e614a95a134831f213749332bcf40c4920f69)
(cherry picked from commit
e25fc6b5b2b99ed02f8966192c94c820b6f69add)
Matt Caswell [Thu, 9 Aug 2018 15:25:29 +0000 (16:25 +0100)]
The req documentation incorrectly states that we default to md5
Just remove that statement. It's not been true since 2005.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/6906)
Pauli [Sun, 2 Sep 2018 21:37:38 +0000 (07:37 +1000)]
Check the return from BN_sub() in BN_X931_generate_Xpq().
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7088)
(cherry picked from commit
6bcfcf16bf6aef4f9ec267d8b86ae1bffd8deab9)
Eric Brown [Thu, 16 Aug 2018 15:34:39 +0000 (08:34 -0700)]
Remove redundant ASN1_INTEGER_set call
This trivial patch removes a duplicated call to ASN1_INTEGER_set.
Fixes Issue #6977
Signed-off-by: Eric Brown <browne@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6984)
(cherry picked from commit
59701e6363531cddef5b2114c0127b8453deb1f3)
Andy Polyakov [Wed, 15 Aug 2018 13:46:35 +0000 (15:46 +0200)]
bn/bn_lib.c: conceal even memmory access pattern in bn2binpad.
(cherry picked from commit
324b95605225410763fe63f7cff36eb46ca54ee9)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6942)
Andy Polyakov [Mon, 13 Aug 2018 14:59:08 +0000 (16:59 +0200)]
bn/bn_blind.c: use Montgomery multiplication when possible.
(cherry picked from commit
e02c519cd32a55e6ad39a0cfbeeda775f9115f28)
Resolved conflicts:
crypto/bn/bn_blind.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6942)
Andy Polyakov [Mon, 13 Aug 2018 18:20:28 +0000 (20:20 +0200)]
rsa/rsa_eay.c: implement variant of "Smooth CRT-RSA."
In [most common] case of p and q being of same width, it's possible to
replace CRT modulo operations with Montgomery reductions. And those are
even fixed-length Montgomery reductions...
(cherry picked from commit
41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59)
Resolved conflicts:
crypto/rsa/rsa_eay.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6942)
Andy Polyakov [Fri, 10 Aug 2018 17:31:22 +0000 (19:31 +0200)]
crypto/bn: add more fixed-top routines.
Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top.
Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove
memset in bn_from_montgomery_word.
(cherry picked from commit
fcc4ee09473cac511eca90faa003661c7786e4f9)
Resolved conflicts:
crypto/bn/bn_mod.c
crypto/bn_int.h
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6942)
Hubert Kario [Mon, 27 Aug 2018 13:21:18 +0000 (21:21 +0800)]
document the -no_ecdhe option in s_server man page
the option is provided in the -help message of the s_server utility
but it is not documented in the man page, this fixes it
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7046)
Andy Polyakov [Sun, 29 Jul 2018 12:13:32 +0000 (14:13 +0200)]
x509v3/v3_purp.c: resolve Thread Sanitizer nit.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6916)
(cherry picked from commit
0da7358b0757fa35f2c3a8f51fa036466ae50fd7)
Resolved conflicts:
crypto/x509v3/v3_purp.c
Matt Caswell [Tue, 14 Aug 2018 13:01:59 +0000 (14:01 +0100)]
Prepare for 1.0.2q-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 14 Aug 2018 13:01:02 +0000 (14:01 +0100)]
Prepare for 1.0.2p release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 14 Aug 2018 13:01:02 +0000 (14:01 +0100)]
make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 14 Aug 2018 12:52:49 +0000 (14:52 +0200)]
i2d_ASN1_BOOLEAN(): correct error module
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6957)
Matt Caswell [Tue, 14 Aug 2018 12:29:02 +0000 (13:29 +0100)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6955)
Matt Caswell [Tue, 14 Aug 2018 09:39:19 +0000 (10:39 +0100)]
Updates to CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6951)
Richard Levitte [Mon, 13 Aug 2018 18:37:43 +0000 (20:37 +0200)]
i2d_ASN1_BOOLEAN(): allocate memory if the user didn't provide a buffer
Just as was done recently for i2d_ASN1_OBJECT, we also make
i2d_ASN1_BOOLEAN comply with the documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6943)
Richard Levitte [Sat, 11 Aug 2018 07:59:20 +0000 (09:59 +0200)]
i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):
For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
allocated for a buffer and the encoded data written to it. In this
case B<*out> is not incremented and it points to the start of the
data just written.
i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.
Fixes #6914
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)
(cherry picked from commit
6114041540d8d1fecaf23a861788c3c742d3b467)
Andy Polyakov [Sun, 4 Feb 2018 14:24:54 +0000 (15:24 +0100)]
rsa/*: switch to BN_bn2binpad.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6889)
(cherry picked from commit
582ad5d4d9b7703eb089016935133e3a18ea8205)
Resolved conflicts:
crypto/rsa/rsa_ossl.c
crypto/rsa/rsa_pk1.c
Andy Polyakov [Mon, 16 Jul 2018 16:17:44 +0000 (18:17 +0200)]
bn/bn_lib.c address Coverity nit in bn2binpad.
It was false positive, but one can as well view it as readability issue.
Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions
with signed dividend vs. 1 (one) with unsigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6889)
(cherry picked from commit
83e034379fa3f6f0d308ec75fbcb137e26154aec)
Andy Polyakov [Sun, 4 Feb 2018 14:20:29 +0000 (15:20 +0100)]
bn/bn_lib.c: add computationally constant-time bn_bn2binpad.
"Computationally constant-time" means that it might still leak
information about input's length, but only in cases when input
is missing complete BN_ULONG limbs. But even then leak is possible
only if attacker can observe memory access pattern with limb
granularity.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6889)
(cherry picked from commit
89d8aade5f4011ddeea7827f08ec544c914f275a)
Resolved conflicts:
crypto/bn/bn_lib.c
Richard Levitte [Tue, 7 Aug 2018 04:21:43 +0000 (06:21 +0200)]
Make EVP_PKEY_asn1_new() stricter with its input
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6881)
Andy Polyakov [Mon, 30 Jul 2018 10:39:08 +0000 (12:39 +0200)]
CHANGES: mention blinding reverting in ECDSA.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6810)
Andy Polyakov [Mon, 30 Jul 2018 10:37:17 +0000 (12:37 +0200)]
ecdsa/ecs_ossl.c: switch to fixed-length Montgomery multiplication.
(back-ported from commit
37132c9702328940a99b1307f742ab094ef754a7)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6810)
Billy Brumley [Wed, 20 Jan 2016 11:18:21 +0000 (13:18 +0200)]
Fix BN_gcd errors for some curves
Those even order that do not play nicely with Montgomery arithmetic
(back-ported from commit
3a6a4a93518fbb3d96632bfdcb538d340f29c56b)
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6810)
Andy Polyakov [Wed, 25 Jul 2018 08:29:51 +0000 (10:29 +0200)]
bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.
New implementation failed to correctly reset r->neg flag. Spotted by
OSSFuzz.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6810)
(cherry picked from commit
70a579ae2f37437a1e02331eeaa84e1b68ba021e)
Andy Polyakov [Fri, 6 Jul 2018 13:55:34 +0000 (15:55 +0200)]
ecdsa/ecs_ossl.c: revert blinding in ECDSA signature.
Originally suggested solution for "Return Of the Hidden Number Problem"
is arguably too expensive. While it has marginal impact on slower
curves, none to ~6%, optimized implementations suffer real penalties.
Most notably sign with P-256 went more than 2 times[!] slower. Instead,
just implement constant-time BN_mod_add_quick.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6810)
(cherry picked from commit
3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f)
Resolved onflicts:
crypto/ec/ecdsa_ossl.c
crypto/include/internal/bn_int.h
Andy Polyakov [Fri, 6 Jul 2018 13:13:15 +0000 (15:13 +0200)]
bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors.
Note that exported functions maintain original behaviour, so that
external callers won't observe difference. While internally we can
now perform Montogomery multiplication on fixed-length vectors, fixed
at modulus size. The new functions, bn_to_mont_fixed_top and
bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use
them even outside bn, e.g. in RSA, DSA, ECDSA...
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6810)
(cherry picked from commit
71883868ea5b33416ae8283bcc38dd2d97e5006b)
Resolved conflicts:
crypto/bn/bn_exp.c
crypto/bn/bn_lcl.h
crypto/bn/bn_mont.c
crypto/include/internal/bn_int.h
Andy Polyakov [Fri, 6 Jul 2018 13:02:29 +0000 (15:02 +0200)]
bn/bn_lib.c: add BN_FLG_FIXED_TOP flag.
The new flag marks vectors that were not treated with bn_correct_top,
in other words such vectors are permitted to be zero padded. For now
it's BN_DEBUG-only flag, as initial use case for zero-padded vectors
would be controlled Montgomery multiplication/exponentiation, not
general purpose. For general purpose use another type might be more
appropriate. Advantage of this suggestion is that it's possible to
back-port it...
bn/bn_div.c: fix memory sanitizer problem.
bn/bn_sqr.c: harmonize with BN_mul.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6810)
(cherry picked from commit
305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb)
Resolved conflicts:
crypto/bn/bn_lcl.h
crypto/bn/bn_lib.c
Andy Polyakov [Fri, 6 Jul 2018 12:54:34 +0000 (14:54 +0200)]
bn/bn_mont.c: improve readability of post-condition code.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6810)
(cherry picked from commit
6c90182a5f87af1a1e462536e7123ad2afb84c43)
Andy Polyakov [Fri, 6 Jul 2018 11:16:40 +0000 (13:16 +0200)]
bn/bn_lib.c: remove bn_check_top from bn_expand2.
Trouble is that addition is postponing expansion till carry is
calculated, and if addition carries, top word can be zero, which
triggers assertion in bn_check_top.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6810)
(cherry picked from commit
e42395e637c3507b80b25c7ed63236898822d2f1)
Resolved conflicts:
crypto/bn/bn_lib.c
Kurt Roeckx [Thu, 26 Jul 2018 09:10:24 +0000 (11:10 +0200)]
Fix inconsistent use of bit vs bits
Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #6794
(cherry picked from commit
b9e54e98066c1ff8adab5d68b6c114b14d2f74e5)
Kurt Roeckx [Wed, 25 Jul 2018 16:55:16 +0000 (18:55 +0200)]
Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime
The old numbers where all generated for an 80 bit security level. But
the number should depend on security level you want to reach. For bigger
primes we want a higher security level and so need to do more tests.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
Fixes: #6012
(cherry picked from commit
feac7a1c8be49fbcb76fcb721ec9f02fdd91030e)
Kurt Roeckx [Wed, 25 Apr 2018 19:47:20 +0000 (21:47 +0200)]
Change the number of Miller-Rabin test for DSA generation to 64
This changes the security level from 100 to 128 bit.
We only have 1 define, this sets it to the highest level supported for
DSA, and needed for keys larger than 3072 bit.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
(cherry picked from commit
74ee379651fb2bb12c6f7eb9fa10e70be89ac7c8)
Rich Salz [Wed, 25 Jul 2018 19:57:18 +0000 (15:57 -0400)]
Check for failures, to avoid memory leak
Thanks to Jiecheng Wu, Zuxing Gu for the report.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6791)
(cherry picked from commit
037241bf046be8cfc7e9216959393dd20b06fc21)
(Only the EC part)
Andy Polyakov [Sun, 22 Jul 2018 14:28:20 +0000 (16:28 +0200)]
ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.
ecp_nistz256_set_from_affine is called when application attempts to use
custom generator, i.e. rarely. Even though it was wrong, it didn't
affect point operations, they were just not as fast as expected.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6761)
Richard Levitte [Thu, 12 Jul 2018 20:55:03 +0000 (22:55 +0200)]
PKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF
As per RFC 7292.
Fixes #6665
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6708)
(cherry picked from commit
b709babbca0498cd2b05f543b09f57f4a670298e)
Alexandre Perrin [Fri, 13 Jul 2018 08:32:42 +0000 (10:32 +0200)]
Documentation typo fix in BN_bn2bin.pod
Change the description for BN_hex2bn() so that it uses the same BIGNUM argument name as its prototype.
CLA: trivial
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6712)
Matt Caswell [Mon, 2 Jul 2018 13:09:03 +0000 (14:09 +0100)]
Don't create an invalid CertificateRequest
We should validate that the various fields we put into the
CertificateRequest are not too long. Otherwise we will construct an
invalid message.
Fixes #6609
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6629)
Rich Salz [Thu, 28 Jun 2018 22:13:54 +0000 (18:13 -0400)]
Zero-fill IV by default.
Fixes uninitialized memory read reported by Nick Mathewson
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6603)
(cherry picked from commit
10c3c1c1ec41ce16e51b92bb18fab92d1a42b49c)
Bernd Edlinger [Mon, 25 Jun 2018 07:53:46 +0000 (09:53 +0200)]
Fix some more gcc-9 warnings [-Wstringop-truncation]
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6586)
Bernd Edlinger [Sat, 23 Jun 2018 20:17:19 +0000 (22:17 +0200)]
Fix a new gcc-9 warning [-Wstringop-truncation]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6581)
(cherry picked from commit
dc6c374bdb4872f6d5d727e73a2ed834e972842c)
Nick Mathewson [Thu, 24 May 2018 19:23:15 +0000 (15:23 -0400)]
Improve the example getpass() implementation to show an error return
Also, modernize the code, so that it isn't trying to store a size_t
into an int, and then check the int's sign. :/
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)
(cherry picked from commit
c8c250333cd254ab3f4d709ebc5ed86a7c065721)
(cherry picked from commit
50d06d1c7d2682b0042e921a76beb509d7ea68e1)
Richard Levitte [Thu, 21 Jun 2018 17:01:28 +0000 (19:01 +0200)]
doc/crypto/pem.pod: modernise the example code
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6552)
Nick Mathewson [Wed, 16 May 2018 15:07:48 +0000 (11:07 -0400)]
Update documentation for PEM callback: error is now -1.
In previous versions of OpenSSL, the documentation for PEM_read_*
said:
The callback B<must> return the number of characters in the
passphrase or 0 if an error occurred.
But since
c82c3462267afdbbaa5, 0 is now treated as a non-error
return value. Applications that want to indicate an error need to
return -1 instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)
(cherry picked from commit
bbbf752a3c8b5a966bcb48fc71a3dc03832e7b27)
(cherry picked from commit
e4b47f7f19392e3be604e44f6999de2bc9e7ecf3)
Matt Caswell [Tue, 19 Jun 2018 14:07:02 +0000 (15:07 +0100)]
Add blinding to a DSA signature
This extends the recently added ECDSA signature blinding to blind DSA too.
This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.
Normally, as in ECDSA, during signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6524)
Matt Caswell [Mon, 18 Jun 2018 12:00:40 +0000 (13:00 +0100)]
Fix no-ssl3-method in 1.0.2
Fixes #5322
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6510)
Andy Polyakov [Sat, 16 Jun 2018 14:23:34 +0000 (16:23 +0200)]
sha/asm/sha{1|256}-586.pl: harmonize clang version detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit
b55e21b357902959ae8ec0255952402f5ccaa515)
Andy Polyakov [Sat, 16 Jun 2018 14:22:19 +0000 (16:22 +0200)]
bn/asm/rsaz-avx2.pl: harmonize clang version detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit
9e97f61dec312084abe03226e5c962d818c9fc2b)
Nicola Tuveri [Tue, 12 Jun 2018 13:28:25 +0000 (16:28 +0300)]
Warn against nonce reuse in DSA_sign_setup() doc
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6465)
Matt Caswell [Fri, 25 May 2018 11:10:13 +0000 (12:10 +0100)]
Add blinding to an ECDSA signature
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>