Skip to content
  1. Nov 20, 2018
  2. Oct 17, 2018
  3. Oct 16, 2018
    • Dr. Matthias St. Pierre's avatar
      DRBG: fix reseeding via RAND_add()/RAND_seed() with large input · dbf0a496
      Dr. Matthias St. Pierre authored
      
      
      In pull request #4328 the seeding of the DRBG via RAND_add()/RAND_seed()
      was implemented by buffering the data in a random pool where it is
      picked up later by the rand_drbg_get_entropy() callback. This buffer
      was limited to the size of 4096 bytes.
      
      When a larger input was added via RAND_add() or RAND_seed() to the DRBG,
      the reseeding failed, but the error returned by the DRBG was ignored
      by the two calling functions, which both don't return an error code.
      As a consequence, the data provided by the application was effectively
      ignored.
      
      This commit fixes the problem by a more efficient implementation which
      does not copy the data in memory and by raising the buffer the size limit
      to INT32_MAX (2 gigabytes). This is less than the NIST limit of 2^35 bits
      but it was chosen intentionally to avoid platform dependent problems
      like integer sizes and/or signed/unsigned conversion.
      
      Additionally, the DRBG is now less permissive on errors: In addition to
      pushing a message to the openssl error stack, it enters the error state,
      which forces a reinstantiation on next call.
      
      Thanks go to Dr. Falko Strenzke for reporting this issue to the
      openssl-security mailing list. After internal discussion the issue
      has been categorized as not being security relevant, because the DRBG
      reseeds automatically and is fully functional even without additional
      randomness provided by the application.
      
      Fixes #7381
      
      Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/7382)
      
      (cherry picked from commit 3064b55134434a0b2850f07eff57120f35bb269a)
      dbf0a496
  4. Sep 11, 2018
  5. Sep 10, 2018
  6. Aug 21, 2018
  7. Aug 15, 2018
  8. Aug 14, 2018
  9. Aug 07, 2018
  10. Jul 26, 2018
  11. Jul 23, 2018
  12. Jul 18, 2018
  13. Jul 16, 2018
    • Nicola Tuveri's avatar
      EC2M Lopez-Dahab ladder implementation · f45846f5
      Nicola Tuveri authored
      This commit uses the new ladder scaffold to implement a specialized
      ladder step based on differential addition-and-doubling in mixed
      Lopez-Dahab projective coordinates, modified to independently blind the
      operands.
      
      The arithmetic in `ladder_pre`, `ladder_step` and `ladder_post` is
      auto generated with tooling:
      - see, e.g., "Guide to ECC" Alg 3.40 for reference about the
        `ladder_pre` implementation;
      - see https://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3
      
      
        for the differential addition-and-doubling formulas implemented in
        `ladder_step`;
      - see, e.g., "Fast Multiplication on Elliptic Curves over GF(2**m)
        without Precomputation" (Lopez and Dahab, CHES 1999) Appendix Alg Mxy
        for the `ladder_post` implementation to recover the `(x,y)` result in
        affine coordinates.
      
      Co-authored-by: default avatarBilly Brumley <bbrumley@gmail.com>
      Co-authored-by: default avatarSohaib ul Hassan <soh.19.hassan@gmail.com>
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6690)
      f45846f5
    • Nicola Tuveri's avatar
      EC point multiplication: add `ladder` scaffold · 37124360
      Nicola Tuveri authored
      
      for specialized Montgomery ladder implementations
      
      PR #6009 and #6070 replaced the default EC point multiplication path for
      prime and binary curves with a unified Montgomery ladder implementation
      with various timing attack defenses (for the common paths when a secret
      scalar is feed to the point multiplication).
      The newly introduced default implementation directly used
      EC_POINT_add/dbl in the main loop.
      
      The scaffolding introduced by this commit allows EC_METHODs to define a
      specialized `ladder_step` function to improve performances by taking
      advantage of efficient formulas for differential addition-and-doubling
      and different coordinate systems.
      
      - `ladder_pre` is executed before the main loop of the ladder: by
        default it copies the input point P into S, and doubles it into R.
        Specialized implementations could, e.g., use this hook to transition
        to different coordinate systems before copying and doubling;
      - `ladder_step` is the core of the Montgomery ladder loop: by default it
        computes `S := R+S; R := 2R;`, but specific implementations could,
        e.g., implement a more efficient formula for differential
        addition-and-doubling;
      - `ladder_post` is executed after the Montgomery ladder loop: by default
        it's a noop, but specialized implementations could, e.g., use this
        hook to transition back from the coordinate system used for optimizing
        the differential addition-and-doubling or recover the y coordinate of
        the result point.
      
      This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`,
      as it better corresponds to what this function does: nothing can be
      truly said about the constant-timeness of the overall execution of this
      function, given that the underlying operations are not necessarily
      constant-time themselves.
      What this implementation ensures is that the same fixed sequence of
      operations is executed for each scalar multiplication (for a given
      EC_GROUP), with no dependency on the value of the input scalar.
      
      Co-authored-by: default avatarSohaib ul Hassan <soh.19.hassan@gmail.com>
      Co-authored-by: default avatarBilly Brumley <bbrumley@gmail.com>
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6690)
      37124360
  14. Jul 08, 2018
  15. Jun 26, 2018
  16. Jun 22, 2018
  17. Jun 21, 2018
  18. Jun 19, 2018
    • Sohaib ul Hassan's avatar
      Implement coordinate blinding for EC_POINT · f667820c
      Sohaib ul Hassan authored
      This commit implements coordinate blinding, i.e., it randomizes the
      representative of an elliptic curve point in its equivalence class, for
      prime curves implemented through EC_GFp_simple_method,
      EC_GFp_mont_method, and EC_GFp_nist_method.
      
      This commit is derived from the patch
      https://marc.info/?l=openssl-dev&m=131194808413635
      
       by Billy Brumley.
      
      Coordinate blinding is a generally useful side-channel countermeasure
      and is (mostly) free. The function itself takes a few field
      multiplicationss, but is usually only necessary at the beginning of a
      scalar multiplication (as implemented in the patch). When used this way,
      it makes the values that variables take (i.e., field elements in an
      algorithm state) unpredictable.
      
      For instance, this mitigates chosen EC point side-channel attacks for
      settings such as ECDH and EC private key decryption, for the
      aforementioned curves.
      
      For EC_METHODs using different coordinate representations this commit
      does nothing, but the corresponding coordinate blinding function can be
      easily added in the future to extend these changes to such curves.
      
      Co-authored-by: default avatarNicola Tuveri <nic.tuv@gmail.com>
      Co-authored-by: default avatarBilly Brumley <bbrumley@gmail.com>
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6501)
      f667820c
  19. Jun 13, 2018
    • Matt Caswell's avatar
      Add blinding to an ECDSA signature · a3e9d5aa
      Matt Caswell authored
      
      
      Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
      ECDSA signature operation. During signing the signer calculates:
      
      s:= k^-1 * (m + r * priv_key) mod order
      
      The addition operation above provides a sufficient signal for a
      flush+reload attack to derive the private key given sufficient signature
      operations.
      
      As a mitigation (based on a suggestion from Keegan) we add blinding to
      the operation so that:
      
      s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
      
      Since this attack is a localhost side channel only no CVE is assigned.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      a3e9d5aa
  20. May 24, 2018
  21. May 22, 2018
    • Kurt Roeckx's avatar
      Enable SSL_MODE_AUTO_RETRY by default · 693cf80c
      Kurt Roeckx authored
      
      
      Because TLS 1.3 sends more non-application data records some clients run
      into problems because they don't expect SSL_read() to return and set
      SSL_ERROR_WANT_READ after processing it.
      
      This can cause problems for clients that use blocking I/O and use
      select() to see if data is available. It can be cleared using
      SSL_CTX_clear_mode().
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      GH: #6260
      693cf80c
  22. May 12, 2018
  23. May 09, 2018
  24. Apr 19, 2018
  25. Apr 17, 2018
  26. Apr 05, 2018
  27. Apr 04, 2018
  28. Apr 03, 2018
    • Matt Caswell's avatar
      Fix a text canonicalisation bug in CMS · bcc63714
      Matt Caswell authored
      
      
      Where a CMS detached signature is used with text content the text goes
      through a canonicalisation process first prior to signing or verifying a
      signature. This process strips trailing space at the end of lines, converts
      line terminators to CRLF and removes additional trailing line terminators
      at the end of a file. A bug in the canonicalisation process meant that
      some characters, such as form-feed, were incorrectly treated as whitespace
      and removed. This is contrary to the specification (RFC5485). This fix
      could mean that detached text data signed with an earlier version of
      OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
      signed with a fixed OpenSSL may fail to verify with an earlier version of
      OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
      and use the "-binary" flag (for the "cms" command line application) or set
      the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
      
      Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5790)
      bcc63714