Commit graph

22057 commits

Author SHA1 Message Date
Matt Caswell
54f007af94 RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.
Based on an original patch by Billy Brumley

CVE-2018-0737

Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-04-16 16:14:57 +01:00
Bernd Edlinger
b0a97931fb Remove mandatory generated files too
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5951)
2018-04-15 08:13:38 +02:00
Bernd Edlinger
49bb4dd049 Fix cygwin make dependencies
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5951)
2018-04-15 08:13:37 +02:00
Andy Polyakov
4442061532 TLSProxy/Proxy.pm: straighten inner loop termination logic.
Original condition was susceptible to race condition...

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5933)
2018-04-14 20:00:04 +02:00
Andy Polyakov
de5b3a8645 TLSProxy/Proxy.pm: bind s_server to loopback interface.
Bind even test/ssltest_old.c to loopback interface. This allows to avoid
unnecessary alerts from Windows and Mac OS X firewalls.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5933)
2018-04-14 19:59:02 +02:00
Matthias Kraft
d47eb76cd5 openssl#5668: corrections after compiling with -qinfo=all:als.
The ongoing discussion about casting or not in PR #5626 had me compiling
again with above mentioned flags. Indeed the compiler had to say something
about it and I did these changes to silence it again.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5943)
2018-04-14 13:28:31 +02:00
Richard Levitte
560096f804 make update
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5948)
2018-04-13 23:48:41 +02:00
Dr. Matthias St. Pierre
5bc6bcf82d DRBG: implement a get_nonce() callback
Fixes #5849

In pull request #5503 a fallback was added which adds a random nonce of
security_strength/2 bits if no nonce callback is provided. This change raised
the entropy requirements form 256 to 384 bit, which can cause problems on some
platforms (e.g. VMS, see issue #5849).

The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1:

  A nonce may be required in the construction of a seed during instantiation
  in order to provide a security cushion to block certain attacks.
  The nonce shall be either:

  a) A value with at least (security_strength/2) bits of entropy, or

  b) A value that is expected to repeat no more often than a
     (security_strength/2)-bit random string would be expected to repeat.

  Each nonce shall be unique to the cryptographic module in which instantiation
  is performed, but need not be secret. When used, the nonce shall be considered
  to be a critical security parameter.

This commit implements a nonce of type b) in order to lower the entropy
requirements during instantiation back to 256 bits.

The formulation "shall be unique to the cryptographic module" above implies
that the nonce needs to be unique among (with high probability) among all
DRBG instances in "space" and "time". We try to achieve this goal by creating a
nonce of the following form

    nonce = app-specific-data || high-resolution-utc-timestamp || counter

Where || denotes concatenation. The application specific data can be something
like the process or group id of the application. A utc timestamp is used because
it increases monotonically, provided the system time is synchronized. This approach
may not be perfect yet for a FIPS evaluation, but it should be good enough for the
moment.

This commit also harmonizes the implementation of the get_nonce() and the
get_additional_data() callbacks and moves the platform specific parts from
rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5920)
2018-04-13 20:49:28 +02:00
Bernd Edlinger
0e3ecaec3e Rework partial packet handling once more
Address the concern that commit c53c2fec raised differently.

The original direction of the traffic is encoded in bit 0
of the flight number.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5923)
2018-04-13 18:48:06 +02:00
Richard Levitte
1b9f41a0df test/recipes/test_genrsa.t : don't fail because of size limit changes
There is a test to check that 'genrsa' doesn't accept absurdly low
number of bits.  Apart from that, this test is designed to check the
working functionality of 'openssl genrsa', so instead of having a hard
coded lower limit on the size key, let's figure out what it is.

Partially fixes #5751

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5754)

(cherry picked from commit ec46830f8a)
2018-04-13 17:45:22 +02:00
Richard Levitte
a8ca496ddb Split the scrypt and RSA-PSS into man3 and man7 pages
The scrypt and RSA-PSS documents were a mixture of section 3 and
section 7 material.  With pre-1.1.1 OpenSSL, this is understandable,
since we had a different directory layout.  With 1.1.1, we've moved to
the typical man-page directory layout, and the documents need to be
updated accordingly.

Also, the scrypt document contained a description of
EVP_PKEY_CTX_set1_pbe_pass(), which is a generic function rather than
an scrypt specific function, and therefore should be documented
separately.

Fixes #5802

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5942)
2018-04-13 11:55:13 +02:00
Matt Caswell
76fd7a1d61 Add a test for SRP
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)
2018-04-13 09:37:39 +01:00
Matt Caswell
3fd5970035 Add support for the SRP base64 alphabet
Historically we used to implement standalone base64 code for SRP. This
was replaced by commit 3d3f21aa with the standard base64 processing code.

However, the SRP base64 code was designed to be compatible with other SRP
libraries (notably libsrp, but also others) that use a variant of standard
base64. Specifically a different alphabet is used and no padding '='
characters are used. Instead 0 padding is added to the front of the string.
By changing to standard base64 we change the behaviour of the API which may
impact interoperability. It also means that SRP verifier files created prior
to 1.1.1 would not be readable in 1.1.1 and vice versa.

Instead we expand our standard base64 processing with the capability to be
able to read and generate the SRP base64 variant.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)
2018-04-13 09:37:38 +01:00
Matt Caswell
c080461448 Change SRP functions to use EVP_EncodeUpdate/EVP_DecodeUpdate functions
Previously they were using EVP_EncodeBlock/EVP_DecodeBlock. These are low
level functions that do not handle padding characters. This was causing
the SRP code to fail. One side effect of using EVP_EncodeUpdate is that
it inserts newlines which is not what we need in SRP so we add a flag to
avoid that.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)
2018-04-13 09:37:38 +01:00
Richard Levitte
0320e8e286 Docs for OpenSSL_init_crypto: there is no way to specify another file
The documentation erroneously stated that one can change the default
configuration file name.

Fixes #5939

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5941)
2018-04-13 10:24:18 +02:00
Andy Polyakov
b4c1950d89 TLSProxy/Proxy.pm: handle "impossible" failure to connect to s_server.
The failure is "impossible", because we have confirmation that s_server
listens, yet Mac OS X fails to connect. This avoids 10 minutes timeout
on Travis CI.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5907)
2018-04-13 10:14:27 +02:00
Andy Polyakov
6b3e8b9430 TLSProxy/Proxy.pm: handle -1 as return value from waitpid.
On rare occasion 's_server | perl -ne print' can complete before
corresponding waitpid, which on Windows can results in -1 return
value. This is not an error, don't treat it like one. Collect
even return value from s_server.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5907)
2018-04-13 10:12:01 +02:00
Richard Levitte
362ff3c397 openssl rehash: use libcrypto variables for default dir
X509_get_default_cert_dir_env() returns the default environment
variable to check for certificate directories.
X509_get_default_cert_dir() returns the default configured certificate
directory.

Use these instead of hard coding our own values, and thereby be more
integrated with the rest of OpenSSL.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)
2018-04-12 15:34:58 +02:00
Richard Levitte
adaf3cfad2 openssl rehash: document -compat
Fixes #5902

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)
2018-04-12 15:34:58 +02:00
Andy Polyakov
18d1588268 Configurations/*.tmpl: refine build_all_generated.
Purpose of build_all_generated is to execute all the rules that require
perl, so that one can copy the tree to system with compiler but without
perl. This commit removes last dependencies on perl.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5929)
2018-04-12 14:58:53 +02:00
Daniel Bevenius
0652e8a7fe Clarify default section in config.pod
This is a minor update which hopefully makes these particular lines
read a little easier.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5938)
2018-04-12 13:39:37 +02:00
Andy Polyakov
ad5c205c01 appveyor.yml: exercise build_all_generated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5930)
2018-04-11 20:52:14 +02:00
Richard Levitte
6197bc7c54 .travis.yml: exercise build_all_generated
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5930)
2018-04-11 20:52:14 +02:00
Richard Levitte
8258975c94 Configuration: Simplify generating list of generated files in build file templates
Computing the value of the GENERATED variable in the build file
templates is somewhat overcomplicated, and because of possible
duplication errors, changes are potentially error prone.

Looking more closely at how this list is determined, it can be
observed that the exact list of files to check is consistently
available in all the values found in the %unified_info tables
'depends', 'sources' and 'shared_sources', and all that's needed is to
filter those values so only those present as keys in the 'generate'
table are left.

This computation is also common for all build files, so due to its
apparent complexity, we move it to common0.tmpl, with the result left
in a global variable (@generated), to be consumed by all build file
templates.

common0.tmpl is included among the files to process when creating
build files, but unlike common.tmpl, it comes first of all.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5930)
2018-04-11 20:52:14 +02:00
Theo Buehler
c12a2d2728 EVP_MD_CTX_cleanup replaced with EVP_MD_CTX_reset
The EVP_MD_CTX_cleanup() function was merged into EVP_MD_CTX_reset()
which is called by EVP_MD_CTX_free().  Adjust the documentation to say
that the latter should be used to avoid leaking memory.

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5921)
2018-04-11 12:59:25 -04:00
Daniel Bevenius
a8b2b52fe5 Fix minor typos in Configurations/README
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5774)
2018-04-11 12:58:06 -04:00
Dr. Matthias St. Pierre
f7bef277ea Minor corrections for the RAND_DRBG API documentation
- added some explaining text to a sentence that lost its context.
- removed mention of per-ssl drbg
- fix whitespace errors

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5804)
2018-04-11 18:56:03 +02:00
Richard Levitte
708a6a1759 OpenSSL::Test: add data_dir()
For test recipes that want to use the directory of the data directory
or a subdirectory thereof, rather than just individual files.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5928)
2018-04-11 12:04:18 +02:00
Dr. Matthias St. Pierre
63a65d16ac DRBG: fix memory leak on error in rand_drbg_get_entropy()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5918)
2018-04-10 10:33:17 +02:00
Andy Polyakov
55bd917bc4 bio/b_addr.c: resolve HP-UX compiler warnings.
The warning reads "[cast] may cause misaligned access". Even though
this can be application-supplied pointer, misaligned access shouldn't
happen, because structure type is "encoded" into data itself, and
application would customarily pass correctly aligned pointer. But
there is no harm in resolving the warning...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5894)
2018-04-09 22:32:59 +02:00
Andy Polyakov
3c3badcf42 Configurations/10-main.conf: further HP-UX cleanups/unifications.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-04-09 21:51:56 +02:00
Kunxian Xia
eb8e052c4b Correct the equation for Y' in the comment of point_double function
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5908)
2018-04-09 08:38:51 -04:00
Dr. Matthias St. Pierre
a9b7a06ed8 Fix false positives of IS_*() macros for 8-bit ASCII characters
Fixes #5778, #5840

The various IS_*() macros did not work correctly for 8-bit ASCII
characters with the high bit set, because the CVT(a) preprocessor
macro and'ed the given ASCII value with 0x7F, effectively folding
the high value range 128-255 over the low value range 0-127.
As a consequence, some of the IS_*() erroneously returned TRUE.

This commit fixes the issue by adding range checks instead of
cutting off high order bits using a mask. In order avoid multiple
evaluation of macro arguments, most of the implementation was moved
from macros into a static function is_keytype().

Thanks to Румен Петров for reporting and analyzing the UTF-8 parsing
issue #5840.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5903)
2018-04-08 20:12:01 +02:00
Bernd Edlinger
5283e19f11 Fix the build_all_generated rule to include generated .map, .def and .opt files
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5900)
2018-04-08 17:20:01 +02:00
Andy Polyakov
ceaa389445 TLSProxy/Record.pm: remove dead condition and improve readability.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)
2018-04-08 11:42:46 +02:00
Andy Polyakov
c53c2fec82 TLSProxy/Proxy.pm: refine partial packet handling.
Original logic was "if no records found *or* last one is truncated, then
leave complete records in queue." Trouble is that if we don't pass on
complete records and get complete packet in opposite direction, then
queued records will go back to sender. In other words complete records
should always be passed on. [Possible alternative would be to match
direction in reconstruct_record.]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)
2018-04-08 11:42:41 +02:00
Andy Polyakov
f69d050ee3 apps/{s_client.c|s_socket}.c: omit usleep calls.
Even though removed calls were oiriginally added on Windows, problem
they tried to mitigate is not Windows-specific.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)
2018-04-08 11:42:35 +02:00
Andy Polyakov
dcf3d83faf apps/s_socket.c: disable the Nagle algorithm.
Without TCP_NODELAY alerts risk to be dropped between shutdown and close.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)
2018-04-08 11:42:30 +02:00
Andy Polyakov
55fd5d3fc5 TLSProxy/Proxy.pm: harmonize inner loop with the way sockets are.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)
2018-04-08 11:41:56 +02:00
Andy Polyakov
6e30190050 Configurations/10-main.conf: clean up HP-UX targets and add magic macros.
HP-UX provides sockets symbols with incompatible prototypes under same
name. This caused problems in 64-bit builds. Additional macros force
unambiguous symbols with unambiguous prototypes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)
2018-04-08 11:21:24 +02:00
Andy Polyakov
e14795f83b config: fix hpux64-parisc2-gcc detection.
hpux64-parisc2-gcc is chosen based on gcc's bitness, and it was overriden
unconditionally.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)
2018-04-08 11:18:22 +02:00
Andy Polyakov
f5e3115361 test/asn1_time_test.c: make it work on 64-bit HP-UX.
HP-UX gmtime fails with ERANGE past 19011213204552Z, so skip some tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)
2018-04-08 11:17:44 +02:00
Rich Salz
2876872ffe Updated to CONTRIBUTING to reflect GitHub, etc.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5889)
2018-04-07 13:09:15 -04:00
Kaoru Toda
69b1500291 Duplicate code refactored
add_attribute_object and add_DN_object have similar code, so move
it into a common function build_data.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4566)
2018-04-06 08:42:31 -04:00
Matt Caswell
e65c959f1f Add a note and better error if using Ed25519/Ed448 in dgst
Fixes #5873

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5880)
2018-04-06 10:10:05 +01:00
Matt Caswell
a6f5b11634 Support EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
Adding support for these operations for the EdDSA implementations
makes pkeyutl usable for signing/verifying for these algorithms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5880)
2018-04-06 10:10:05 +01:00
Rich Salz
bbf27cd583 Fix bugs in X509_NAME_ENTRY_set
The wrong "set" field was incremented in the wrong place and would
create a new RDN, not a multi-valued RDN.
RDN inserts would happen after not before.
Prepending an entry to an RDN incorrectly created a new RDN

Anything which built up an X509_NAME could get a messed-up structure,
which would then be "wrong" for anyone using that name.

Thanks to Ingo Schwarze for extensive debugging and the initial
fix (documented in GitHub issue #5870).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5882)
2018-04-05 22:55:28 -04:00
Rich Salz
7de2b9c4af Set error code if alloc returns NULL
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5886)
2018-04-05 15:13:55 -04:00
Matt Caswell
77579510aa Update the genpkey documentation
Fixes #5739

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5800)
2018-04-05 15:44:43 +01:00
Matt Caswell
d54897cf54 Pick a q size consistent with the digest for DSA param generation
There are two undocumented DSA parameter generation options available in
the genpkey command line app:
dsa_paramgen_md and dsa_paramgen_q_bits.

These can also be accessed via the EVP API but only by using
EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no
helper macros for these options.

dsa_paramgen_q_bits sets the length of q in bits (default 160 bits).
dsa_paramgen_md sets the digest that is used during the parameter
generation (default SHA1). In particular the output length of the digest
used must be equal to or greater than the number of bits in q because of
this code:

            if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
                goto err;
            if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
                goto err;
            for (i = 0; i < qsize; i++)
                md[i] ^= buf2[i];

            /* step 3 */
            md[0] |= 0x80;
            md[qsize - 1] |= 0x01;
            if (!BN_bin2bn(md, qsize, q))
                goto err;

qsize here is the number of bits in q and evpmd is the digest set via
dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH.
buf2 has been filled with qsize bits of random seed data, and md is
uninitialised.

If the output size of evpmd is less than qsize then the line "md[i] ^=
buf2[i]" will be xoring an uninitialised value and the random seed data
together to form the least significant bits of q (and not using the
output of the digest at all for those bits) - which is probably not what
was intended. The same seed is then used as an input to generating p. If
the uninitialised data is actually all zeros (as seems quite likely)
then the least significant bits of q will exactly match the least
significant bits of the seed.

This problem only occurs if you use these undocumented and difficult to
find options and you set the size of q to be greater than the message
digest output size. This is for parameter generation only not key
generation. This scenario is considered highly unlikely and
therefore the security risk of this is considered negligible.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5800)
2018-04-05 15:44:24 +01:00