- 21 Feb, 2019 1 commit
-
-
Nicola Tuveri authored
This commit adds a simple unit test to make sure that the constant-time flag does not "leak" among BN_CTX frames: - test_ctx_consttime_flag() initializes (and later frees before returning) a BN_CTX object, then it calls in sequence test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same BN_CTX object. The process is run twice, once with a "normal" BN_CTX_new() object, then with a BN_CTX_secure_new() one. - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame before ending it. - test_ctx_check_ct_flag() then starts a new frame and gets a number of BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new frame should have BN_FLG_CONSTTIME set. In actual BN_CTX usage inside libcrypto the leak could happen at any depth level in the BN_CTX stack, with varying results depending on the patterns of sibling trees of nested function calls sharing the same BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the called BN_* functions. This simple unit test abstracts away this complexity and verifies that the leak does not happen between two sibling functions sharing the same BN_CTX object at the same level of nesting. (manually cherry picked from commit fe16ae5f ) Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8294)
-
- 20 Feb, 2019 2 commits
-
-
Nicola Tuveri authored
This is a rewrite of commit 8f58ede0 for the 1.1.0-stable branch. Co-authored-by:
Billy Brumley <bbrumley@gmail.com> Reviewed-by:
-
Billy Brumley authored
This commit adds a dedicated function in `EC_METHOD` to access a modular field inversion implementation suitable for the specifics of the implemented curve, featuring SCA countermeasures. The new pointer is defined as: `int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)` and computes the multiplicative inverse of `a` in the underlying field, storing the result in `r`. Three implementations are included, each including specific SCA countermeasures: - `ec_GFp_simple_field_inv()`, featuring SCA hardening through blinding. - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's Little Theorem (FLT) inversion. - `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which already features SCA hardening through blinding. From a security point of view, this also helps addressing a leakage previously affecting conversions from projective to affine coordinates. This commit also adds a new error reason code (i.e., `EC_R_CANNOT_INVERT`) to improve consistency between the three implementations as all of them could fail for the same reason but through different code paths resulting in inconsistent error stack states. Co-authored-by:Nicola Tuveri <nic.tuv@gmail.com> (cherry picked from commit e0033efc ) Reviewed-by:
-
- 18 Feb, 2019 1 commit
-
-
Corinna Vinschen authored
Cygwin binaries should not enforce text mode these days, just use text mode if the underlying mount point requests it Signed-off-by:
Corinna Vinschen <vinschen@redhat.com> Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8275)
-
- 11 Feb, 2019 1 commit
-
-
Richard Levitte authored
bn2crparam() incorrectly delivered a big endian byte string to cryptodev. Using BN_bn2lebinpad() instead of BN_bn2bin() fixes this. crparam2bn() had a hack that avoided this issue in the other direction, but allocated an intermediary chunk of memory to get correct endianness. Using BN_lebin2bn() avoids this allocation. Fixes #8202 Reviewed-by:
-
- 31 Jan, 2019 1 commit
-
-
Bernd Edlinger authored
If the second PUBKEY is malformed there is use after free. Reviewed-by:
-
- 12 Dec, 2018 1 commit
-
-
Tobias Stoeckmann authored
There was a trailing :w at a line, which didn't make sense in context of the sentence/styling. Removed it, because I think it's a leftover vi command. CLA: trivial Signed-off-by:
Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by:
Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by:
-
- 08 Dec, 2018 6 commits
-
-
Andy Polyakov authored
Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> Reviewed-by:
-
Andy Polyakov authored
Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding if nul delimiter is preceded by 8 consecutive 0x03 bytes. Reviewed-by:
-
Andy Polyakov authored
And make RSAErr call unconditional. Reviewed-by:
-
Andy Polyakov authored
And make RSAErr call unconditional. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Expected usage pattern is to unconditionally set error and then wipe it if there was no actual error. Reviewed-by:
-
- 07 Dec, 2018 1 commit
-
-
Richard Levitte authored
It turns out that the strictness that was implemented in EVP_PKEY_asn1_new() (see Github openssl/openssl#6880) was badly placed for some usages, and that it's better to do this check only when the method is getting registered. Fixes #7758 Reviewed-by:
Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7847) (cherry picked from commit a8600316)
-
- 24 Nov, 2018 5 commits
-
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
When creating a tarball, it's pointless to include scripts that assume a git workspace. Reviewed-by:
-
Richard Levitte authored
Also adds missing copyright boilerplate to util/mktar.sh Reviewed-by:
-
- 23 Nov, 2018 3 commits
-
-
Andy Polyakov authored
Blinding is performed more efficiently and securely if MONT_CTX for public modulus is available by the time blinding parameter are instantiated. So make sure it's the case. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Since recently, OpenSSL tarballs are produced with 'make tar' rather than 'make dist', as the latter has turned out to be more troublesome than useful. The next step to look at is why we would need to configure at all to produce a Makefile just to produce a tarball. After all, the tarball should now only contain source files that are present even without configuring. Furthermore, the current method for producing tarballs is a bit complex, and can be greatly simplified with the right tools. Since we have everything versioned with git, we might as well use the tool that comes with it. Added: util/mktar.sh, a simple script to produce OpenSSL tarballs. It takes the options --name to modify the prefix of the distribution, and --tarfile tp modify the tarball file name specifically. This also adds a few entries in .gitattributes to specify files that should never end up in a distribution tarball. Reviewed-by:
-
- 20 Nov, 2018 4 commits
-
-
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
- 13 Nov, 2018 5 commits
-
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
We therefore must add defaults. Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7631)
-
Richard Levitte authored
When libssl and libcrypto are compiled on Linux with "-rpath", but not "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH, and we end up running with the wrong libraries. This is resolved by using full (or at least relative, rather than just the filename to be found on LD_LIBRARY_PATH) paths to the shared objects. Reviewed-by:
-
Richard Levitte authored
Fixes #7634 Reviewed-by:
-
Richard Levitte authored
We made the build of foo.obj depend on foo.d, meaning the latter gets built first. Unfortunately, the way the compiler works, we are forced to redirect all output to foo.d, meaning that if the source contains an error, the build fails without showing those errors. We therefore remove the dependency and force the build of foo.d to always happen after build of foo.obj. Reviewed-by:
-
- 10 Nov, 2018 1 commit
-
-
Billy Brumley authored
Reviewed-by:
-
- 09 Nov, 2018 4 commits
-
-
Richard Levitte authored
A couple of $(ECHO) sneaked in from patches in newer branches Fixes #7600 Reviewed-by:
-
Richard Levitte authored
... otherwise, it's taken to be part of a device name. Reviewed-by:
-
Richard Levitte authored
We only had the main 'install' target depend on 'all'. This changes the dependencies so targets like install_dev, install_runtime_libs, install_engines and install_programs depend on build targets that are correspond to them more specifically. This increases the parallel possibilities. Fixes #7466 Reviewed-by:
Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7583) (cherry picked from commit e8d01a60)
-
Richard Levitte authored
When trying 'make -j{n} install', you may occasionally run into trouble because to sub-targets (install_dev and install_runtime) try to install the same shared libraries. That makes parallel install difficult. This is solved by dividing install_runtime into two parts, one for libraries and one for programs, and have install_dev depend on install_runtime_libs instead of installing the shared runtime libraries itself. Fixes #7466 Reviewed-by:
-
- 01 Nov, 2018 1 commit
-
-
Pauli authored
Reviewed-by:
-
- 30 Oct, 2018 1 commit
-
-
Rod Vagg authored
Commit 56fb454d backported the DSA reallocation fix to 1.1.0, however a code block that has multiple statements in 1.1.1+ only has a `goto` in 1.1.0 so introduces a brace that causes a compile failure. CLA:trivial Reviewed-by:
-
- 28 Oct, 2018 2 commits
-
-
Pauli authored
Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/7486) (cherry picked from commit 99540ec7)
-
Pauli authored
Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by:
-
