Commit graph

21565 commits

Author SHA1 Message Date
Kurt Roeckx
60595292ae Check return value of time() when getting additional data for the DRBG
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #5400
2018-02-21 20:44:11 +01:00
Kurt Roeckx
32bda2b2e4 Switch the DRBGs from AES-128-CTR to AES-256-CTR
Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5401
2018-02-21 20:40:34 +01:00
Viktor Dukhovni
649cfb5cbb Use malloc to avoid alignment problems.
Thanks to Norm Green for reporting this issue.

Signed-off-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5423)
2018-02-21 08:25:49 -05:00
EasySec
405988f2cc Add support for PBKDF2 for enc command
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2083)
2018-02-21 12:36:21 +00:00
Pavel Kopyl
59053968e7 do_body: fix heap-use-after-free.
The memory pointed to by the 'push' is freed by the
X509_NAME_ENTRY_free() in do_body(). The second time
it is referenced to (indirectly) in certify_cert:X509_REQ_free().

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4698)
2018-02-21 12:18:56 +00:00
Pavel Kopyl
abcf241114 X509V3_EXT_add_nconf_sk, X509v3_add_ext: fix errors handling
X509v3_add_ext: free 'sk' if the memory pointed to by it
was malloc-ed inside this function.
X509V3_EXT_add_nconf_sk: return an error if X509v3_add_ext() fails.
This prevents use of a freed memory in do_body:sk_X509_EXTENSION_num().

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4698)
2018-02-21 12:18:48 +00:00
Samuel Weiser
8db7946ee8 Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5161)
2018-02-21 11:56:44 +00:00
Matt Caswell
ee76349525 Sanity check the ticket length before using key name/IV
This could in theory result in an overread - but due to the over allocation
of the underlying buffer does not represent a security issue.

Thanks to Fedor Indutny for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5414)
2018-02-21 11:19:11 +00:00
Matt Caswell
c7a47adca2 Fix no-ec build
[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5418)
2018-02-21 11:13:15 +00:00
Matt Caswell
7876dbffce Fix some undefined behaviour in the Curve448 code
We can't add NULL data into a hash

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5418)
2018-02-21 11:13:14 +00:00
Matt Caswell
6c61b27496 Remove a spurious TLSProxy byte in TLSv1.3
When the proxy re-encrypted a TLSv1.3 record it was adding a spurious
byte onto the end. This commit removes that.

The "extra" byte was intended to be the inner content type of the record.
However, TLSProxy was actually adding the original encrypted data into the
record (which already has the inner content type in it) and then adding
the spurious additional content type byte on the end (and adjusting the
record length accordingly).

It is interesting to look at why this didn't cause a failure:

The receiving peer first attempts to decrypt the data. Because this is
TLSProxy we always use a GCM based ciphersuite with a 16 byte tag. When
we decrypt this it actually gets diverted to the ossltest engine. All this
does is go through the motions of encrypting/decrypting but just passes
back the original data. Crucially it will never fail because of a bad tag!
The receiving party thinks the spurious additional byte is part of the
tag and the ossltest engine ignores it.

This means the data that gets passed back to the record layer still has
an additional spurious byte on it - but because the 16 byte tag has been
removed, this is actually the first byte of the original tag. Again
because we are using ossltest engine we aren't actually creating "real"
tags - we only ever emit 16, 0 bytes for the tag. So the spurious
additional byte always has the value 0. The TLSv1.3 spec says that records
can have additional 0 bytes on the end of them - this is "padding". So the
record layer interprets this 0 byte as padding and strips it off to end up
with the originally transmitted record data - which it can now process
successfully.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5370)
2018-02-21 11:07:34 +00:00
Richard Levitte
b8a3f39b89 VMS: Fix curve448 internal test program
The internals test programs access header files that aren't guarded by
the public __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H
files, and therefore have no idea what the naming convention is.
Therefore, we need to specify that explicitely in the internals test
programs, since they aren't built with the same naming convention as
the library they belong with.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5425)
2018-02-21 10:50:35 +01:00
Andy Polyakov
d4c499f562 test/recipes/80-test_pkcs12.t: handle lack of Win32::API.
So far check for availability of Win32::API served as implicit check
for $^O being MSWin32. Reportedly it's not safe assumption, and check
for MSWin32 has to be explicit.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5416)
2018-02-21 10:17:44 +01:00
Andy Polyakov
0e5c8d5660 Configure: engage x25519 assembly support.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5408)
2018-02-21 10:14:09 +01:00
Andy Polyakov
c521e4392f ec/curve25519.c: facilitate assembly implementations.
Currently it's limited to 64-bit platforms only as minimum radix
expected in assembly is 2^51.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5408)
2018-02-21 10:14:04 +01:00
Andy Polyakov
42efffcb70 Add x25519-x86_64.pl module, mod 2^255-19 primitives.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5408)
2018-02-21 10:13:59 +01:00
Andy Polyakov
127d6cf747 crypto/ec/curve25519.c: remove redundant fe[51]_cswap.
3 least significant bits of the input scalar are explicitly cleared,
hence swap variable has fixed value [of zero] upon exit from the loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5408)
2018-02-21 10:12:55 +01:00
Matt Caswell
59bf467cca Add tests for newly added constant time functions
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:52 +00:00
Matt Caswell
dd8796c551 Some more cleanups of curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
a4e6dd819a fixup! More style fixes for the curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
18985129eb fixup! Improve readability of f_impl.c and f_impl.h
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
8e32ec7a56 Improve readability of f_impl.c and f_impl.h
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
cb5ed32665 Remove unrolled loops
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
909c68ae72 Yet more style updates to the curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
c1f15b76ef Further style changes to curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
9c9d6ff41c Simplify some code
The original curve448 code was templated to allow for a 25519
implementation. We've just imported the 448 stuff - but a remnant of
the original templated approach remained. This just simplifies that.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
a7232276fe Remove some unneccessary use of constant time code in curve448
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
434149c744 Fix a travis failure in the curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
2abe3cad23 Remove the curve448 vector code
We removed various platform specific optimisation files in an earlier
commit. The vector code was related to that and therefore is no longer
required. It may be resurrected at a later point if we reintroduce the
opimtisations.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
53ef3252fa More style fixes for the curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
9fd3c858b4 Remove a strict aliasing issue with pre-computed curve448 constants
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
68b20c0065 More style fixes to Curve448 code based on review feedback
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
04ebd4e17e Some style fixes
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
e411822318 Formatting tweak based on review feedback
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
756b5af71c Use NLIMBS where appropriate to simplify the code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
8855a9a110 Remove cplusplus guards in internal headers
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
f918504f91 Remove the curve448 specific constant time implementation
Instead we should use the standard OpenSSL constant time routines.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
e0fa632420 Add some new constant time functions needed by curve448
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
7114a5a17a Use the NLIMBS macro rather than try and calculate the number of limbs
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
bd74eae1be Rename a function to avoid a clash
We already have a constant_time_select() function so, to avoid
confusion/clashing we shouldn't have a second one.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
7e492f3372 Remove curve448 architecture specific files
Remove all architecture specific files except for the reference arch_32
version. These files provide archicture specific performance optimisation.
However they have not been integrated yet. In order to avoid review issues
they are removed for now. They may be reintroduced at a later time.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
0cdcdacc33 Fix AppVeyor failure in eddsa.c
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
dd03fd7e3a Fix travis failure in f_impl.c
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
06d72c2c64 Fix a typo in a comment
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
f53c77648c Update Curve448 copyright for 2018
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
bce3108161 Code tidy up
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
7d9e120fea Fixes for compilation using clang
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
e54f5f397a Update the curve448 internal test to use testutil.h
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
2c9def25b1 Move curve448_test.c to be a full internal test
This ensures that this test is run as part of the test suite

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
52a9587c78 Fix build errors for Curve448 code on Windows (VC-WIN32 and VC-WIN64A)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00