Skip to content
  1. Jun 30, 2019
  2. Jun 09, 2019
  3. May 28, 2019
  4. May 27, 2019
  5. May 21, 2019
  6. Feb 26, 2019
  7. Feb 20, 2019
    • Billy Brumley's avatar
      SCA hardening for mod. field inversion in EC_GROUP · 48e82c8e
      Billy Brumley authored
      
      
      This commit adds a dedicated function in `EC_METHOD` to access a modular
      field inversion implementation suitable for the specifics of the
      implemented curve, featuring SCA countermeasures.
      
      The new pointer is defined as:
      `int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
      and computes the multiplicative inverse of `a` in the underlying field,
      storing the result in `r`.
      
      Three implementations are included, each including specific SCA
      countermeasures:
        - `ec_GFp_simple_field_inv()`, featuring SCA hardening through
          blinding.
        - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
          Little Theorem (FLT) inversion.
        - `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which
          already features SCA hardening through blinding.
      
      From a security point of view, this also helps addressing a leakage
      previously affecting conversions from projective to affine coordinates.
      
      This commit also adds a new error reason code (i.e.,
      `EC_R_CANNOT_INVERT`) to improve consistency between the three
      implementations as all of them could fail for the same reason but
      through different code paths resulting in inconsistent error stack
      states.
      
      Co-authored-by: default avatarNicola Tuveri <nic.tuv@gmail.com>
      
      (cherry picked from commit e0033efc30b0f00476bba8f0fa5512be5dc8a3f1)
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      Reviewed-by: default avatarNicola Tuveri <nic.tuv@gmail.com>
      (Merged from https://github.com/openssl/openssl/pull/8262)
      48e82c8e
  8. Feb 14, 2019
    • Matt Caswell's avatar
      Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages · 37857e9b
      Matt Caswell authored
      
      
      The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and
      SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message
      exchange in TLSv1.3. Unfortunately experience has shown that this confuses
      some applications who mistake it for a TLSv1.2 renegotiation. This means
      that KeyUpdate messages are not handled properly.
      
      This commit removes the use of SSL_CB_HANDSHAKE_START and
      SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake
      message exchange. Individual post-handshake messages are still signalled in
      the normal way.
      
      This is a potentially breaking change if there are any applications already
      written that expect to see these TLSv1.3 events. However, without it,
      KeyUpdate is not currently usable for many applications.
      
      Fixes #8069
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/8096)
      
      (cherry picked from commit 4af5836b55442f31795eff6c8c81ea7a1b8cf94b)
      37857e9b
  9. Feb 02, 2019
  10. Feb 01, 2019
  11. Dec 07, 2018
  12. Nov 24, 2018
  13. Nov 20, 2018
  14. Oct 17, 2018
  15. Oct 16, 2018
    • Dr. Matthias St. Pierre's avatar
      DRBG: fix reseeding via RAND_add()/RAND_seed() with large input · dbf0a496
      Dr. Matthias St. Pierre authored
      
      
      In pull request #4328 the seeding of the DRBG via RAND_add()/RAND_seed()
      was implemented by buffering the data in a random pool where it is
      picked up later by the rand_drbg_get_entropy() callback. This buffer
      was limited to the size of 4096 bytes.
      
      When a larger input was added via RAND_add() or RAND_seed() to the DRBG,
      the reseeding failed, but the error returned by the DRBG was ignored
      by the two calling functions, which both don't return an error code.
      As a consequence, the data provided by the application was effectively
      ignored.
      
      This commit fixes the problem by a more efficient implementation which
      does not copy the data in memory and by raising the buffer the size limit
      to INT32_MAX (2 gigabytes). This is less than the NIST limit of 2^35 bits
      but it was chosen intentionally to avoid platform dependent problems
      like integer sizes and/or signed/unsigned conversion.
      
      Additionally, the DRBG is now less permissive on errors: In addition to
      pushing a message to the openssl error stack, it enters the error state,
      which forces a reinstantiation on next call.
      
      Thanks go to Dr. Falko Strenzke for reporting this issue to the
      openssl-security mailing list. After internal discussion the issue
      has been categorized as not being security relevant, because the DRBG
      reseeds automatically and is fully functional even without additional
      randomness provided by the application.
      
      Fixes #7381
      
      Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/7382)
      
      (cherry picked from commit 3064b551)
      dbf0a496
  16. Sep 11, 2018
  17. Sep 10, 2018
  18. Aug 21, 2018
  19. Aug 15, 2018
  20. Aug 14, 2018
  21. Aug 07, 2018
  22. Jul 26, 2018
  23. Jul 23, 2018
  24. Jul 18, 2018
  25. Jul 16, 2018
    • Nicola Tuveri's avatar
      EC2M Lopez-Dahab ladder implementation · f45846f5
      Nicola Tuveri authored
      This commit uses the new ladder scaffold to implement a specialized
      ladder step based on differential addition-and-doubling in mixed
      Lopez-Dahab projective coordinates, modified to independently blind the
      operands.
      
      The arithmetic in `ladder_pre`, `ladder_step` and `ladder_post` is
      auto generated with tooling:
      - see, e.g., "Guide to ECC" Alg 3.40 for reference about the
        `ladder_pre` implementation;
      - see https://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3
      
      
        for the differential addition-and-doubling formulas implemented in
        `ladder_step`;
      - see, e.g., "Fast Multiplication on Elliptic Curves over GF(2**m)
        without Precomputation" (Lopez and Dahab, CHES 1999) Appendix Alg Mxy
        for the `ladder_post` implementation to recover the `(x,y)` result in
        affine coordinates.
      
      Co-authored-by: default avatarBilly Brumley <bbrumley@gmail.com>
      Co-authored-by: default avatarSohaib ul Hassan <soh.19.hassan@gmail.com>
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6690)
      f45846f5
    • Nicola Tuveri's avatar
      EC point multiplication: add `ladder` scaffold · 37124360
      Nicola Tuveri authored
      
      for specialized Montgomery ladder implementations
      
      PR #6009 and #6070 replaced the default EC point multiplication path for
      prime and binary curves with a unified Montgomery ladder implementation
      with various timing attack defenses (for the common paths when a secret
      scalar is feed to the point multiplication).
      The newly introduced default implementation directly used
      EC_POINT_add/dbl in the main loop.
      
      The scaffolding introduced by this commit allows EC_METHODs to define a
      specialized `ladder_step` function to improve performances by taking
      advantage of efficient formulas for differential addition-and-doubling
      and different coordinate systems.
      
      - `ladder_pre` is executed before the main loop of the ladder: by
        default it copies the input point P into S, and doubles it into R.
        Specialized implementations could, e.g., use this hook to transition
        to different coordinate systems before copying and doubling;
      - `ladder_step` is the core of the Montgomery ladder loop: by default it
        computes `S := R+S; R := 2R;`, but specific implementations could,
        e.g., implement a more efficient formula for differential
        addition-and-doubling;
      - `ladder_post` is executed after the Montgomery ladder loop: by default
        it's a noop, but specialized implementations could, e.g., use this
        hook to transition back from the coordinate system used for optimizing
        the differential addition-and-doubling or recover the y coordinate of
        the result point.
      
      This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`,
      as it better corresponds to what this function does: nothing can be
      truly said about the constant-timeness of the overall execution of this
      function, given that the underlying operations are not necessarily
      constant-time themselves.
      What this implementation ensures is that the same fixed sequence of
      operations is executed for each scalar multiplication (for a given
      EC_GROUP), with no dependency on the value of the input scalar.
      
      Co-authored-by: default avatarSohaib ul Hassan <soh.19.hassan@gmail.com>
      Co-authored-by: default avatarBilly Brumley <bbrumley@gmail.com>
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6690)
      37124360
  26. Jul 08, 2018
  27. Jun 26, 2018
  28. Jun 22, 2018