diff options
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/dh/dh_pmeth.c | 4 | ||||
| -rw-r--r-- | crypto/dsa/dsa_pmeth.c | 10 | ||||
| -rw-r--r-- | crypto/ec/ec2_oct.c | 21 | ||||
| -rw-r--r-- | crypto/ec/ec_lib.c | 22 | ||||
| -rw-r--r-- | crypto/ec/ec_mult.c | 4 | ||||
| -rw-r--r-- | crypto/ec/ecp_nistp521.c | 11 | ||||
| -rw-r--r-- | crypto/ec/ecp_oct.c | 12 | ||||
| -rw-r--r-- | crypto/ec/ectest.c | 98 | ||||
| -rw-r--r-- | crypto/ecdh/ech_ossl.c | 4 | ||||
| -rw-r--r-- | crypto/err/err.c | 49 | ||||
| -rw-r--r-- | crypto/err/err.h | 3 | ||||
| -rw-r--r-- | crypto/opensslv.h | 6 | ||||
| -rw-r--r-- | crypto/rsa/rsa_eay.c | 4 | ||||
| -rw-r--r-- | crypto/rsa/rsa_oaep.c | 46 | ||||
| -rw-r--r-- | crypto/rsa/rsa_pk1.c | 44 | ||||
| -rw-r--r-- | crypto/rsa/rsa_pmeth.c | 4 | ||||
| -rw-r--r-- | crypto/rsa/rsa_ssl.c | 55 |
17 files changed, 251 insertions, 146 deletions
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 162753af071d..924a5ae64928 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -3,7 +3,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -101,7 +101,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx) dctx = OPENSSL_malloc(sizeof(DH_PKEY_CTX)); if (!dctx) return 0; - dctx->prime_len = 1024; + dctx->prime_len = 2048; dctx->subprime_len = -1; dctx->generator = 2; dctx->use_dsa = 0; diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index 7f00e97036f2..cdf7320325cf 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -3,7 +3,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -69,8 +69,8 @@ typedef struct { /* Parameter gen parameters */ - int nbits; /* size of p in bits (default: 1024) */ - int qbits; /* size of q in bits (default: 160) */ + int nbits; /* size of p in bits (default: 2048) */ + int qbits; /* size of q in bits (default: 224) */ const EVP_MD *pmd; /* MD for parameter generation */ /* Keygen callback info */ int gentmp[2]; @@ -84,8 +84,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx) dctx = OPENSSL_malloc(sizeof(DSA_PKEY_CTX)); if (!dctx) return 0; - dctx->nbits = 1024; - dctx->qbits = 160; + dctx->nbits = 2048; + dctx->qbits = 224; dctx->pmd = NULL; dctx->md = NULL; diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index 0d04cc692303..5da3cd8bf51c 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -299,7 +299,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) { point_conversion_form_t form; - int y_bit; + int y_bit, m; BN_CTX *new_ctx = NULL; BIGNUM *x, *y, *yxi; size_t field_len, enc_len; @@ -332,7 +332,8 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, return EC_POINT_set_to_infinity(group, point); } - field_len = (EC_GROUP_get_degree(group) + 7) / 8; + m = EC_GROUP_get_degree(group); + field_len = (m + 7) / 8; enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len; @@ -357,7 +358,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, if (!BN_bin2bn(buf + 1, field_len, x)) goto err; - if (BN_ucmp(x, &group->field) >= 0) { + if (BN_num_bits(x) > m) { ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; } @@ -369,7 +370,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } else { if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err; - if (BN_ucmp(y, &group->field) >= 0) { + if (BN_num_bits(y) > m) { ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; } @@ -382,16 +383,14 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } } + /* + * EC_POINT_set_affine_coordinates_GF2m is responsible for checking that + * the point is on the curve. + */ if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err; } - /* test required by X9.62 */ - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); - goto err; - } - ret = 1; err: diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index df56484b5ee2..cd2c420176f7 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -872,7 +872,15 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); + if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) + return 0; + + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, + EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } #ifndef OPENSSL_NO_EC2M @@ -890,7 +898,15 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); + if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) + return 0; + + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, + EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } #endif diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index da71526818f8..a784a99ce91e 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -519,7 +519,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, ret = 1; err: - EC_POINT_free(s); + EC_POINT_clear_free(s); BN_CTX_end(ctx); BN_CTX_free(new_ctx); diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index 90989c5a0769..1a42068c01f9 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c @@ -356,10 +356,15 @@ static void felem_diff64(felem out, const felem in) static void felem_diff_128_64(largefelem out, const felem in) { /* - * In order to prevent underflow, we add 0 mod p before subtracting. + * In order to prevent underflow, we add 64p mod p (which is equivalent + * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521 + * digit number with all bits set to 1. See "The representation of field + * elements" comment above for a description of how limbs are used to + * represent a number. 64p is represented with 8 limbs containing a number + * with 58 bits set and one limb with a number with 57 bits set. */ - static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5); - static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4); + static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6); + static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5); out[0] += two63m6 - in[0]; out[1] += two63m5 - in[1]; diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index 1bc3f39ad15f..6943ceeec6d2 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c @@ -5,7 +5,7 @@ * OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -408,16 +408,14 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } } + /* + * EC_POINT_set_affine_coordinates_GFp is responsible for checking that + * the point is on the curve. + */ if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; } - /* test required by X9.62 */ - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); - goto err; - } - ret = 1; err: diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c index 5e1ef5093383..73f73744576a 100644 --- a/crypto/ec/ectest.c +++ b/crypto/ec/ectest.c @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -325,7 +325,7 @@ static void prime_field_tests(void) EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL; EC_POINT *P, *Q, *R; - BIGNUM *x, *y, *z; + BIGNUM *x, *y, *z, *yplusone; unsigned char buf[100]; size_t i, len; int k; @@ -405,7 +405,8 @@ static void prime_field_tests(void) x = BN_new(); y = BN_new(); z = BN_new(); - if (!x || !y || !z) + yplusone = BN_new(); + if (x == NULL || y == NULL || z == NULL || yplusone == NULL) ABORT; if (!BN_hex2bn(&x, "D")) @@ -542,6 +543,14 @@ static void prime_field_tests(void) ABORT; if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32")) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT; if (EC_POINT_is_on_curve(group, P, ctx) <= 0) @@ -613,6 +622,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 192) ABORT; @@ -668,6 +686,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 224) ABORT; @@ -728,6 +755,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 256) ABORT; @@ -783,6 +819,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 384) ABORT; @@ -844,6 +889,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 521) ABORT; @@ -858,6 +912,10 @@ static void prime_field_tests(void) /* more tests using the last curve */ + /* Restore the point that got mangled in the (x, y + 1) test. */ + if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) + ABORT; + if (!EC_POINT_copy(Q, P)) ABORT; if (EC_POINT_is_at_infinity(group, Q)) @@ -987,6 +1045,7 @@ static void prime_field_tests(void) BN_free(x); BN_free(y); BN_free(z); + BN_free(yplusone); if (P_160) EC_GROUP_free(P_160); @@ -1007,6 +1066,13 @@ static void prime_field_tests(void) # ifdef OPENSSL_EC_BIN_PT_COMP # define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ if (!BN_hex2bn(&x, _x)) ABORT; \ + if (!BN_hex2bn(&y, _y)) ABORT; \ + if (!BN_add(yplusone, y, BN_value_one())) ABORT; \ + /* \ + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \ + * and therefore setting the coordinates should fail. \ + */ \ + if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \ if (!EC_POINT_set_compressed_coordinates_GF2m(group, P, x, _y_bit, ctx)) ABORT; \ if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \ if (!BN_hex2bn(&z, _order)) ABORT; \ @@ -1025,6 +1091,12 @@ static void prime_field_tests(void) # define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ if (!BN_hex2bn(&x, _x)) ABORT; \ if (!BN_hex2bn(&y, _y)) ABORT; \ + if (!BN_add(yplusone, y, BN_value_one())) ABORT; \ + /* \ + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \ + * and therefore setting the coordinates should fail. \ + */ \ + if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \ if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \ if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \ if (!BN_hex2bn(&z, _order)) ABORT; \ @@ -1062,7 +1134,7 @@ static void char2_field_tests(void) EC_GROUP *C2_B163 = NULL, *C2_B233 = NULL, *C2_B283 = NULL, *C2_B409 = NULL, *C2_B571 = NULL; EC_POINT *P, *Q, *R; - BIGNUM *x, *y, *z, *cof; + BIGNUM *x, *y, *z, *cof, *yplusone; unsigned char buf[100]; size_t i, len; int k; @@ -1076,7 +1148,7 @@ static void char2_field_tests(void) p = BN_new(); a = BN_new(); b = BN_new(); - if (!p || !a || !b) + if (p == NULL || a == NULL || b == NULL) ABORT; if (!BN_hex2bn(&p, "13")) @@ -1142,7 +1214,8 @@ static void char2_field_tests(void) y = BN_new(); z = BN_new(); cof = BN_new(); - if (!x || !y || !z || !cof) + yplusone = BN_new(); + if (x == NULL || y == NULL || z == NULL || cof == NULL || yplusone == NULL) ABORT; if (!BN_hex2bn(&x, "6")) @@ -1504,6 +1577,7 @@ static void char2_field_tests(void) BN_free(y); BN_free(z); BN_free(cof); + BN_free(yplusone); if (C2_K163) EC_GROUP_free(C2_K163); @@ -1672,7 +1746,7 @@ static const struct nistp_test_params nistp_tests_params[] = { static void nistp_single_test(const struct nistp_test_params *test) { BN_CTX *ctx; - BIGNUM *p, *a, *b, *x, *y, *n, *m, *order; + BIGNUM *p, *a, *b, *x, *y, *n, *m, *order, *yplusone; EC_GROUP *NISTP; EC_POINT *G, *P, *Q, *Q_CHECK; @@ -1687,6 +1761,7 @@ static void nistp_single_test(const struct nistp_test_params *test) m = BN_new(); n = BN_new(); order = BN_new(); + yplusone = BN_new(); NISTP = EC_GROUP_new(test->meth()); if (!NISTP) @@ -1709,6 +1784,14 @@ static void nistp_single_test(const struct nistp_test_params *test) ABORT; if (!BN_hex2bn(&y, test->Qy)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, yplusone, ctx)) + ABORT; if (!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx)) ABORT; if (!BN_hex2bn(&x, test->Gx)) @@ -1811,6 +1894,7 @@ static void nistp_single_test(const struct nistp_test_params *test) BN_free(x); BN_free(y); BN_free(order); + BN_free(yplusone); BN_CTX_free(ctx); } diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c index d3b05247fe37..2185c3859c23 100644 --- a/crypto/ecdh/ech_ossl.c +++ b/crypto/ecdh/ech_ossl.c @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -207,7 +207,7 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, err: if (tmp) - EC_POINT_free(tmp); + EC_POINT_clear_free(tmp); if (ctx) BN_CTX_end(ctx); if (ctx) diff --git a/crypto/err/err.c b/crypto/err/err.c index 5ce774a3f567..e6138aa23859 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -827,8 +827,24 @@ static unsigned long get_error_values(int inc, int top, const char **file, return ERR_R_INTERNAL_ERROR; } + while (es->bottom != es->top) { + if (es->err_flags[es->top] & ERR_FLAG_CLEAR) { + err_clear(es, es->top); + es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1; + continue; + } + i = (es->bottom + 1) % ERR_NUM_ERRORS; + if (es->err_flags[i] & ERR_FLAG_CLEAR) { + es->bottom = i; + err_clear(es, es->bottom); + continue; + } + break; + } + if (es->bottom == es->top) return 0; + if (top) i = es->top; /* last error */ else @@ -1158,23 +1174,6 @@ int ERR_pop_to_mark(void) return 1; } -#ifdef UINTPTR_T -# undef UINTPTR_T -#endif -/* - * uintptr_t is the answer, but unformtunately we can't assume that all - * compilers supported by 1.0.2 have it :-( - */ -#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64 -/* - * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 - * even in 64-bit builds, which means that it won't work as mask. - */ -# define UINTPTR_T unsigned long long -#else -# define UINTPTR_T size_t -#endif - void err_clear_last_constant_time(int clear) { ERR_STATE *es; @@ -1186,11 +1185,11 @@ void err_clear_last_constant_time(int clear) top = es->top; - es->err_flags[top] &= ~(0 - clear); - es->err_buffer[top] &= ~(0UL - clear); - es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & - ~((UINTPTR_T)0 - clear)); - es->err_line[top] |= 0 - clear; - - es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; + /* + * Flag error as cleared but remove it elsewhere to avoid two errors + * accessing the same error stack location, revealing timing information. + */ + clear = constant_time_select_int(constant_time_eq_int(clear, 0), + 0, ERR_FLAG_CLEAR); + es->err_flags[top] |= clear; } diff --git a/crypto/err/err.h b/crypto/err/err.h index f42365620db0..1862456e9bf7 100644 --- a/crypto/err/err.h +++ b/crypto/err/err.h @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -143,6 +143,7 @@ extern "C" { # define ERR_TXT_STRING 0x02 # define ERR_FLAG_MARK 0x01 +# define ERR_FLAG_CLEAR 0x02 # define ERR_NUM_ERRORS 16 typedef struct err_state_st { diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 6eaa0d2bd844..8b4756989b1e 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000212fL +# define OPENSSL_VERSION_NUMBER 0x1000213fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-fips 26 Feb 2019" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2s-fips 28 May 2019" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r 26 Feb 2019" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2s 28 May 2019" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 7f20fd6738a7..b7362ad7656d 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -589,7 +589,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); - err_clear_last_constant_time(r >= 0); + err_clear_last_constant_time(1 & ~constant_time_msb(r)); err: if (ctx != NULL) { diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 033ea5a520cb..41e9c3bfe3ba 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -144,7 +144,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, * |num| is the length of the modulus; |flen| is the length of the * encoded message. Therefore, for any |from| that was obtained by * decrypting a ciphertext, we must have |flen| <= |num|. Similarly, - * num < 2 * mdlen + 2 must hold for the modulus irrespective of + * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of * the ciphertext, see PKCS #1 v2.2, section 7.1.2. * This does not leak any side-channel information. */ @@ -180,17 +180,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, from -= 1 & mask; *--em = *from & mask; } - from = em; /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ - good = constant_time_is_zero(from[0]); + good = constant_time_is_zero(em[0]); - maskedseed = from + 1; - maskeddb = from + 1 + mdlen; + maskedseed = em + 1; + maskeddb = em + 1 + mdlen; if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) goto cleanup; @@ -231,29 +230,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, mlen = dblen - msg_index; /* - * For good measure, do this check in constant tine as well. + * For good measure, do this check in constant time as well. */ good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); - msg_index = constant_time_select_int(good, msg_index, dblen - tlen); - mlen = dblen - msg_index; - for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= dblen & equals; /* if (i == dblen) rewind */ - mask &= mask ^ equals; /* if (i == dblen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen), + dblen - mdlen - 1, tlen); + for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0); + for (i = mdlen + 1; i < dblen - msg_index; i++) + db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]); + } + for (i = 0; i < tlen; i++) { + mask = good & constant_time_lt(i, mlen); + to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]); } /* diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index 074bc0a93947..86e0debc46bb 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -241,15 +241,14 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, from -= 1 & mask; *--em = *from & mask; } - from = em; - good = constant_time_is_zero(from[0]); - good &= constant_time_eq(from[1], 2); + good = constant_time_is_zero(em[0]); + good &= constant_time_eq(em[1], 2); /* scan over padding data */ found_zero_byte = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(from[i]); + unsigned int equals0 = constant_time_is_zero(em[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); @@ -257,7 +256,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, } /* - * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * PS must be at least 8 bytes long, and it starts two bytes into |em|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -276,24 +275,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); - msg_index = constant_time_select_int(good, msg_index, num - tlen); - mlen = num - msg_index; - for (from += msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= tlen & equals; /* if (i == mlen) rewind */ - mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), + num - 11, tlen); + for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); + for (i = 11; i < num - msg_index; i++) + em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); + } + for (i = 0; i < tlen; i++) { + mask = good & constant_time_lt(i, mlen); + to[i] = constant_time_select_8(mask, em[i + 11], to[i]); } OPENSSL_cleanse(em, num); diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index 00e730ffa958..a798be5b3459 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -4,7 +4,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -103,7 +103,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx) rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX)); if (!rctx) return 0; - rctx->nbits = 1024; + rctx->nbits = 2048; rctx->pub_exp = NULL; rctx->pad_mode = RSA_PKCS1_PADDING; rctx->md = NULL; diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c index e9a5fe2385b3..6f25acdac47a 100644 --- a/crypto/rsa/rsa_ssl.c +++ b/crypto/rsa/rsa_ssl.c @@ -104,7 +104,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, /* * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding - * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also + * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also * preserves error code reporting for backward compatibility. */ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, @@ -116,7 +116,10 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, unsigned int good, found_zero_byte, mask, threes_in_row; int zero_index = 0, msg_index, mlen = -1, err; - if (flen < 10) { + if (tlen <= 0 || flen <= 0) + return -1; + + if (flen > num || num < 11) { RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); return (-1); } @@ -138,10 +141,9 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, from -= 1 & mask; *--em = *from & mask; } - from = em; - good = constant_time_is_zero(from[0]); - good &= constant_time_eq(from[1], 2); + good = constant_time_is_zero(em[0]); + good &= constant_time_eq(em[1], 2); err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02); mask = ~good; @@ -149,18 +151,18 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, found_zero_byte = 0; threes_in_row = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(from[i]); + unsigned int equals0 = constant_time_is_zero(em[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); found_zero_byte |= equals0; threes_in_row += 1 & ~found_zero_byte; - threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3); + threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3); } /* - * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * PS must be at least 8 bytes long, and it starts two bytes into |em|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -169,7 +171,7 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, RSA_R_NULL_BEFORE_BLOCK_MISSING); mask = ~good; - good &= constant_time_lt(threes_in_row, 8); + good &= constant_time_ge(threes_in_row, 8); err = constant_time_select_int(mask | good, err, RSA_R_SSLV3_ROLLBACK_ATTACK); mask = ~good; @@ -188,24 +190,25 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); - msg_index = constant_time_select_int(good, msg_index, num - tlen); - mlen = num - msg_index; - for (from += msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= tlen & equals; /* if (i == mlen) rewind */ - mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), + num - 11, tlen); + for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); + for (i = 11; i < num - msg_index; i++) + em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); + } + for (i = 0; i < tlen; i++) { + mask = good & constant_time_lt(i, mlen); + to[i] = constant_time_select_8(mask, em[i + 11], to[i]); } OPENSSL_cleanse(em, num); |