Commit graph

10377 commits

Author SHA1 Message Date
Richard Levitte
61cc715240 Define AESNI_ASM if AESNI assembler is included, and use it
Because we have cases where basic assembler support isn't present, but
AESNI asssembler support is, we need a separate macro that indicates
that, and use it.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10080)
2019-10-03 15:07:26 +02:00
Dr. Matthias St. Pierre
1a9a56865c rsa: replace magic number '11' by RSA_PKCS1_PADDING_SIZE
Suggested by Matt Hart

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10084)

(cherry picked from commit f1d1903dd3dd1d68a5eae190b8c2a88bfe0a68ac)
2019-10-03 14:38:57 +02:00
Bernd Edlinger
6f3ccda84f Fix iOS simulator build
Fixes #9999

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10002)
2019-10-03 08:48:17 +02:00
Michael Osipov
9e2747646d Fix long name of some Microsoft objects
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10029)

(cherry picked from commit 648b53b88ea55b4c2f2c8c57d041075731db5f95)
2019-10-03 08:26:27 +10:00
Kurt Roeckx
eee565ec4b Add defines for __NR_getrandom for all Linux architectures
Fixes: #10015

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
GH: #10044
(cherry picked from commit 4dcb150ea30f9bbfa7946e6b39c30a86aca5ed02)
2019-09-30 22:29:45 +02:00
Paul Yang
f5517d9521 Fix a bundle of mischecks of return values
Several EVP_PKEY_xxxx functions return 0 and a negative value for
indicating errors. Some places call these functions with a zero return
value check only, which misses the check for the negative scenarios.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10055)

(cherry picked from commit 7e3ae24832e0705583b1471febf3dc0eb1cc021f)
2019-09-30 17:19:05 +08:00
Dr. Matthias St. Pierre
fbbfd128c9 Fix header file include guard names
Make the include guards consistent by renaming them systematically according
to the naming conventions below

The public header files (in the 'include/openssl' directory) are not changed
in 1.1.1, because it is a stable release.

For the private header files files, the guard names try to match the path
specified in the include directives, with all letters converted to upper case
and '/' and '.' replaced by '_'. An extra 'OSSL_' is added as prefix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9681)
2019-09-27 23:58:12 +02:00
Dr. Matthias St. Pierre
b5acbf9148 Reorganize local header files
Apart from public and internal header files, there is a third type called
local header files, which are located next to source files in the source
directory. Currently, they have different suffixes like

  '*_lcl.h', '*_local.h', or '*_int.h'

This commit changes the different suffixes to '*_local.h' uniformly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9681)
2019-09-27 23:58:06 +02:00
Dr. Matthias St. Pierre
0c994d54af Reorganize private crypto header files
Currently, there are two different directories which contain internal
header files of libcrypto which are meant to be shared internally:

While header files in 'include/internal' are intended to be shared
between libcrypto and libssl, the files in 'crypto/include/internal'
are intended to be shared inside libcrypto only.

To make things complicated, the include search path is set up in such
a way that the directive #include "internal/file.h" could refer to
a file in either of these two directoroes. This makes it necessary
in some cases to add a '_int.h' suffix to some files to resolve this
ambiguity:

  #include "internal/file.h"      # located in 'include/internal'
  #include "internal/file_int.h"  # located in 'crypto/include/internal'

This commit moves the private crypto headers from

  'crypto/include/internal'  to  'include/crypto'

As a result, the include directives become unambiguous

  #include "internal/file.h"       # located in 'include/internal'
  #include "crypto/file.h"         # located in 'include/crypto'

hence the superfluous '_int.h' suffixes can be stripped.

The files 'store_int.h' and 'store.h' need to be treated specially;
they are joined into a single file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9681)
2019-09-27 23:57:58 +02:00
Kurt Roeckx
c8d66837ad Use the correct maximum indent
Found by OSS-Fuzz

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>

GH: #9959
(cherry picked from commit a6105ef40d65b35818f2b8ae8ca9e57ca6956d1d)
2019-09-21 10:59:13 +02:00
Bernd Edlinger
8dcd574619 Fix building statically without any dso support
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9889)
2019-09-16 18:27:50 +02:00
ManishPatidar1
94ae5d8283 clearing the ecx private key memory
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9830)

(cherry picked from commit 6ef03ea98fac501e6d6e33bac6ad3c92ea074712)
2019-09-16 14:40:26 +01:00
Bernd Edlinger
515c728dba Fix potential memory leaks with BN_to_ASN1_INTEGER
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9833)

(cherry picked from commit f28bc7d386b25fb75625d0c62c6b2e6d21de0d09)
2019-09-13 13:23:42 +02:00
Tomas Mraz
86ed78676c BIO_f_zlib: Properly handle BIO_CTRL_PENDING and BIO_CTRL_WPENDING calls.
There can be data to write in output buffer and data to read that were
not yet read in the input stream.

Fixes #9866

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9877)

(cherry picked from commit 6beb8b39ba8e4cb005c1fcd2586ba19e17f04b95)
2019-09-12 16:38:46 +02:00
Dr. Matthias St. Pierre
a44e1b2f20 crypto/threads_win.c: fix preprocessor indentation
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9860)
2019-09-11 10:40:18 +02:00
Dr. Matthias St. Pierre
c3656cc594 crypto/threads_none.c: fix syntax error in openssl_get_fork_id()
Fixes #9858

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9860)
2019-09-11 10:32:03 +02:00
Matt Caswell
1cb7eff45b Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9847)
2019-09-10 13:56:40 +01:00
Bernd Edlinger
08229ad838 Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.

As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.

The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)

(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
2019-09-10 11:41:20 +01:00
Bernd Edlinger
79f5e2f4b9 Fix a potential crash in rand_unix.c
Due to the dynamic allocation that was added to rand_pool_add_begin
this function could now return a null pointer where it was previously
guaranteed to succeed. But the return value of this function does
not need to be checked by design.

Move rand_pool_grow from rand_pool_add_begin to rand_pool_bytes_needed.
Make an allocation error persistent to avoid falling back to less secure
or blocking entropy sources.

Fixes: a6a66e4511 ("Make rand_pool buffers more dynamic in their sizing.")

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9687)

(cherry picked from commit fa3eb248e29ca8031e6a14e8a2c6f3cd58b5450e)
2019-09-10 10:03:04 +01:00
Bernd Edlinger
1d36536457 Fix a strict warnings error in rand_pool_acquire_entropy
There was a warning about unused variables in this config:
./config --strict-warnings --with-rand-seed=rdcpu

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9687)

(cherry picked from commit e301c147a763f67dcc5ba63eb7e2ae40d83a68aa)
2019-09-10 10:03:04 +01:00
Dr. Matthias St. Pierre
63180182ec drbg: fix issue where DRBG_CTR fails if NO_DF is used (2nd attempt)
Since commit 7c226dfc43 a chained DRBG does not add additional
data anymore when reseeding from its parent. The reason is that
the size of the additional data exceeded the allowed size when
no derivation function was used.

This commit provides an alternative fix: instead of adding the
entire DRBG's complete state, we just add the DRBG's address
in memory, thereby providing some distinction between the different
DRBG instances.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9802)
2019-09-09 17:09:06 +01:00
Dr. Matthias St. Pierre
5520695c73 drbg: add fork id to additional data on UNIX systems
Provides a little extra fork-safety on UNIX systems, adding to the
fact that all DRBGs reseed automatically when the fork_id changes.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9802)
2019-09-09 17:09:06 +01:00
Dr. Matthias St. Pierre
1b0fe00e27 drbg: ensure fork-safety without using a pthread_atfork handler
When the new OpenSSL CSPRNG was introduced in version 1.1.1,
it was announced in the release notes that it would be fork-safe,
which the old CSPRNG hadn't been.

The fork-safety was implemented using a fork count, which was
incremented by a pthread_atfork handler. Initially, this handler
was enabled by default. Unfortunately, the default behaviour
had to be changed for other reasons in commit b5319bdbd0, so
the new OpenSSL CSPRNG failed to keep its promise.

This commit restores the fork-safety using a different approach.
It replaces the fork count by a fork id, which coincides with
the process id on UNIX-like operating systems and is zero on other
operating systems. It is used to detect when an automatic reseed
after a fork is necessary.

To prevent a future regression, it also adds a test to verify that
the child reseeds after fork.

CVE-2019-1549

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9802)
2019-09-09 17:09:06 +01:00
Bernd Edlinger
827eab4cd7 Fix build with VS2008
crypto/rand/rand_win.c(70) : error C2065: 'BCRYPT_USE_SYSTEM_PREFERRED_RNG' : undeclared identifier

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9827)

(cherry picked from commit d3a1128bc25ec8bf835c81821e1be68fba39ab4b)
2019-09-09 16:45:22 +02:00
Bernd Edlinger
4bf9781adc Use BN_clear_free in DH_set0_key
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9796)

(cherry picked from commit fa01370f7dc8f0a379483bbe74de11225857e5fe)
2019-09-09 14:47:08 +02:00
Bernd Edlinger
8003138fa9 DH_check_pub_key_ex was accidentally calling DH_check,
so results were undefined.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9796)

(cherry picked from commit 2b95e8efcf8b99892106070d9ac745a0a369f503)
2019-09-09 14:46:30 +02:00
Bernd Edlinger
1f9dc86b55 Change DH_generate_parameters back to order 2q subgroup
For for G=2 and 5 DH_generate_parameters will continue to generate
the order 2q subgroup for compatibility with previous versions.

For G=3 DH_generate_parameters generates an order q subgroup, but it
will not pass the check in DH_check with previous OpenSSL versions.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9820)
2019-09-09 13:58:03 +02:00
Nicola Tuveri
9a43a73380 [ec] Match built-in curves on EC_GROUP_new_from_ecparameters
Description
-----------

Upon `EC_GROUP_new_from_ecparameters()` check if the parameters match any
of the built-in curves. If that is the case, return a new
`EC_GROUP_new_by_curve_name()` object instead of the explicit parameters
`EC_GROUP`.

This affects all users of `EC_GROUP_new_from_ecparameters()`:
- direct calls to `EC_GROUP_new_from_ecparameters()`
- direct calls to `EC_GROUP_new_from_ecpkparameters()` with an explicit
  parameters argument
- ASN.1 parsing of explicit parameters keys (as it eventually
  ends up calling `EC_GROUP_new_from_ecpkparameters()`)

A parsed explicit parameter key will still be marked with the
`OPENSSL_EC_EXPLICIT_CURVE` ASN.1 flag on load, so, unless
programmatically forced otherwise, if the key is eventually serialized
the output will still be encoded with explicit parameters, even if
internally it is treated as a named curve `EC_GROUP`.

Before this change, creating any `EC_GROUP` object using
`EC_GROUP_new_from_ecparameters()`, yielded an object associated with
the default generic `EC_METHOD`, but this was never guaranteed in the
documentation.
After this commit, users of the library that intentionally want to
create an `EC_GROUP` object using a specific `EC_METHOD` can still
explicitly call `EC_GROUP_new(foo_method)` and then manually set the
curve parameters using `EC_GROUP_set_*()`.

Motivation
----------

This has obvious performance benefits for the built-in curves with
specialized `EC_METHOD`s and subtle but important security benefits:
- the specialized methods have better security hardening than the
  generic implementations
- optional fields in the parameter encoding, like the `cofactor`, cannot
  be leveraged by an attacker to force execution of the less secure
  code-paths for single point scalar multiplication
- in general, this leads to reducing the attack surface

Check the manuscript at https://arxiv.org/abs/1909.01785 for an in depth
analysis of the issues related to this commit.

It should be noted that `libssl` does not allow to negotiate explicit
parameters (as per RFC 8422), so it is not directly affected by the
consequences of using explicit parameters that this commit fixes.
On the other hand, we detected external applications and users in the
wild that use explicit parameters by default (and sometimes using 0 as
the cofactor value, which is technically not a valid value per the
specification, but is tolerated by parsers for wider compatibility given
that the field is optional).
These external users of `libcrypto` are exposed to these vulnerabilities
and their security will benefit from this commit.

Related commits
---------------

While this commit is beneficial for users using built-in curves and
explicit parameters encoding for serialized keys, commit
b783beeadf6b80bc431e6f3230b5d5585c87ef87 (and its equivalents for the
1.0.2, 1.1.0 and 1.1.1 stable branches) fixes the consequences of the
invalid cofactor values more in general also for other curves
(CVE-2019-1547).

The following list covers commits in `master` that are related to the
vulnerabilities presented in the manuscript motivating this commit:

- d2baf88c43 [crypto/rsa] Set the constant-time flag in multi-prime RSA too
- 311e903d84 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
- b783beeadf [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
- 724339ff44 Fix SCA vulnerability when using PVK and MSBLOB key formats

Note that the PRs that contributed the listed commits also include other
commits providing related testing and documentation, in addition to
links to PRs and commits backporting the fixes to the 1.0.2, 1.1.0 and
1.1.1 branches.

This commit includes a partial backport of
https://github.com/openssl/openssl/pull/8555
(commit 8402cd5f75)
for which the main author is Shane Lontis.

Responsible Disclosure
----------------------

This and the other issues presented in https://arxiv.org/abs/1909.01785
were reported by Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri,
Iaroslav Gridin, Alejandro Cabrera Aldaya and Billy Bob Brumley from the
NISEC group at Tampere University, FINLAND.

The OpenSSL Security Team evaluated the security risk for this
vulnerability as low, and encouraged to propose fixes using public Pull
Requests.

_______________________________________________________________________________

Co-authored-by: Shane Lontis <shane.lontis@oracle.com>

(Backport from https://github.com/openssl/openssl/pull/9808)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9809)
2019-09-09 14:16:18 +03:00
Bernd Edlinger
87bea6550a Remove x86/x86_64 BSAES and AES_ASM support
This leaves VPAES and AESNI support.
The VPAES performance is comparable but BSAES is not
completely constant time. There are table lookups
using secret key data in AES_set_encrypt/decrypt_key
and in ctr mode short data uses the non-constant
time AES_encrypt function instead of bit-slicing.
Furthermore the AES_ASM is by far outperformed
by recent GCC versions.
Since BSAES calls back to AES_ASM for short
data blocks the performance on those is also
worse than the pure software implementaion.

Fixes: #9640

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9675)
2019-09-07 10:26:48 +02:00
Billy Brumley
30c22fa8b1 [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.

This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.

This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.

It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).

The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.

CVE-2019-1547

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9781)
2019-09-07 03:57:52 +03:00
Nicola Tuveri
ed0ac11950 [ec/ecp_nistp*.c] restyle: use {} around else too
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit 4fe2ee3a449a8ca2886584e221f34ff0ef5de119)
2019-09-07 02:21:13 +03:00
Nicola Tuveri
61387fd3a5 [ec/ecp_nistp*.c] remove flip_endian()
Replace flip_endian() by using the little endian specific
BN_bn2lebinpad() and BN_lebin2bn().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit e0b660c27d8d97b4ad9e2098cc957de26872c0ef)
2019-09-07 02:21:09 +03:00
Nicola Tuveri
2432e1291d Uniform BN_bn2binpad() and BN_bn2lebinpad() implementations
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit 1b338abe3abb8c73f004c34d4b8a9272b89dfd5d)
2019-09-07 02:21:03 +03:00
Nicola Tuveri
b9a380f78c Make BN_num_bits() consttime upon BN_FLG_CONSTTIME
This issue was partially addressed by commit
972c87dfc7, which hardened its callee
BN_num_bits_word() to avoid leaking the most-significant word of its
argument via branching and memory access pattern.
The commit message also reported:
> There are a few places where BN_num_bits is called on an input where
> the bit length is also secret. This does *not* fully resolve those
> cases as we still only look at the top word.

BN_num_bits() is called directly or indirectly (e.g., through
BN_num_bytes() or BN_bn2binpad() ) in various parts of the `crypto/ec`
code, notably in all the currently supported implementations of scalar
multiplication (in the generic path through ec_scalar_mul_ladder() as
well as in dedicated methods like ecp_nistp{224,256,521}.c and
ecp_nistz256.c).

Under the right conditions, a motivated SCA attacker could retrieve the
secret bitlength of a secret nonce through this vulnerability,
potentially leading, ultimately, to recover a long-term secret key.

With this commit, exclusively for BIGNUMs that are flagged with
BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of
the BIGNUM are accessed up to bn->dmax and bitwise masking is used to
avoid branching.

Memory access pattern still leaks bn->dmax, the size of the lazily
allocated buffer for representing the BIGNUM, which is inevitable with
the current BIGNUM architecture: reading past bn->dmax would be an
out-of-bound read.
As such, it's the caller responsibility to ensure that bn->dmax does not
leak secret information, by explicitly expanding the internal BIGNUM
buffer to a public value sufficient to avoid any lazy reallocation
while manipulating it: this should be already done at the top level
alongside setting the BN_FLG_CONSTTIME.

Thanks to David Schrammel and Samuel Weiser for reporting this issue
through responsible disclosure.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit 8b44198b916015f77bef1befa26edb48ad8a0238)
2019-09-07 02:20:59 +03:00
Nicola Tuveri
083f297a48 Fix a SCA leak using BN_bn2bin()
BN_bn2bin() is not constant-time and leaks the number of bits in the
processed BIGNUM.

The specialized methods in ecp_nistp224.c, ecp_nistp256.c and
ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the
internal fixed length representation.

This can leak during ECDSA/ECDH key generation or handling the nonce
while generating an ECDSA signature, when using these implementations.
The amount and risk of leaked information useful for a SCA attack
varies for each of the three curves, as it depends mainly on the
ratio between the bitlength of the curve subgroup order (governing the
size of the secret nonce/key) and the limb size for the internal BIGNUM
representation (which depends on the compilation target architecture).

To fix this, we replace BN_bn2bin() with BN_bn2binpad(), bounding the
output length to the width of the internal representation buffer: this
length is public.

Internally the final implementation of both BN_bn2binpad() and
BN_bn2bin() already has masking in place to avoid leaking bn->top
through memory access patterns.
Memory access pattern still leaks bn->dmax, the size of the lazily
allocated buffer for representing the BIGNUM, which is inevitable with
the current BIGNUM architecture: reading past bn->dmax would be an
out-of-bound read.
As such, it's the caller responsibility to ensure that bn->dmax does not
leak secret information, by explicitly expanding the internal BIGNUM
buffer to a public value sufficient to avoid any lazy reallocation
while manipulating it: this is already done at the top level alongside
setting the BN_FLG_CONSTTIME.

Finally, the internal implementation of BN_bn2binpad() indirectly calls
BN_num_bits() via BN_num_bytes(): the current implementation of
BN_num_bits() can leak information to a SCA attacker, and is addressed
in the next commit.

Thanks to David Schrammel and Samuel Weiser for reporting this issue
through responsible disclosure.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit 805315d3a20f7274195eed75b06c391dacf3b197)
2019-09-07 02:20:43 +03:00
Bernd Edlinger
9e1403d91a Fix a SCA leak in BN_generate_dsa_nonce
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9782)

(cherry picked from commit 31ca19403d56ad71d823cf62990518dfc6905bb4)
2019-09-06 18:41:12 +02:00
Cesar Pereida Garcia
1bb2acb998 [crypto/rsa] Set the constant-time flag in multi-prime RSA too
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9779)
2019-09-06 16:15:55 +01:00
Cesar Pereida Garcia
2f18596c32 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
This commit addresses multiple side-channel vulnerabilities present
during RSA key validation.
Private key parameters are re-computed using variable-time functions.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9779)
2019-09-06 16:15:55 +01:00
Bernd Edlinger
5d16346679 Fix error handling in x509_lu.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9639)

(cherry picked from commit c70e2ec33943d3bd46d3d9950f774307feda832b)
2019-09-05 08:40:24 +02:00
Bernd Edlinger
ce1ab24163 Cleanup includes in rand_unix.c
Fixes #9757

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9761)

(cherry picked from commit 41ffd2ab09d24692c71850ccd7d5ff154196fe01)
2019-09-05 08:33:48 +02:00
Bernd Edlinger
aa24cc0195 Remove ifndef FIPS_MODE from rand_unix.c
This will never be the case for 1.1.1 so removed.

Fixes: comment 1 of #9757

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9762)
2019-09-05 08:25:18 +02:00
Pauli
f493bd6f94 Fix NITs in comments and CHANGES for DEVRANDOM seeded check.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9734)

(cherry picked from commit 46a9cc9451213039fd53f62733b2ccd04e853bb2)
2019-08-30 07:57:55 +10:00
Cesar Pereida Garcia
51e236df41 Fix SCA vulnerability when using PVK and MSBLOB key formats
This commit addresses a side-channel vulnerability present when
PVK and MSBLOB key formats are loaded into OpenSSL.
The public key was not computed using a constant-time exponentiation
function.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9587)

(cherry picked from commit 724339ff44)
2019-08-27 09:13:34 +01:00
Pauli
4bdab25717 Avoid overflowing FDSET when using select(2).
There is a problem in the rand_unix.c code when the random seed fd is greater
than or equal to FD_SETSIZE and the FDSET overruns its limit and walks the
stack.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9686)

(cherry picked from commit e1f8584d47)
2019-08-24 16:45:53 +10:00
Pauli
3ff98f5581 Start up DEVRANDOM entropy improvement for older Linux devices.
Improve handling of low entropy at start up from /dev/urandom by waiting for
a read(2) call on /dev/random to succeed.  Once one such call has succeeded,
a shared memory segment is created and persisted as an indicator to other
processes that /dev/urandom is properly seeded.

This does not fully prevent against attacks weakening the entropy source.
An attacker who has control of the machine early in its boot sequence
could create the shared memory segment preventing detection of low entropy
conditions.  However, this is no worse than the current situation.

An attacker would also be capable of removing the shared memory segment
and causing seeding to reoccur resulting in a denial of service attack.
This is partially mitigated by keeping the shared memory alive for the
duration of the process's existence.  Thus, an attacker would not only need
to have called call shmctl(2) with the IPC_RMID command but the system
must subsequently enter a state where no instances of libcrypto exist in
any process.  Even one long running process will prevent this attack.

The System V shared memory calls used here go back at least as far as
Linux kernel 2.0.  Linux kernels 4.8 and later, don't have a reliable way
to detect that /dev/urandom has been properly seeded, so a failure is raised
for this case (i.e. the getentropy(2) call has already failed).

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9595)

[manual merge]
2019-08-20 16:19:20 +10:00
Bernd Edlinger
84814f7734 Add a fallback definition for __NR_getrandom for x86 linux
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9639)

(cherry picked from commit 038b381ecf)
2019-08-19 16:06:39 +02:00
Bernd Edlinger
31dd6414a0 Add a fallback definition for __NR_getrandom for ARM linux
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9619)

(cherry picked from commit 24d932ec84)
2019-08-19 07:06:56 +02:00
Patrick Steuer
6087d4a6fb Directly return from final sha3/keccak_final if no bytes are requested
Requesting zero bytes from shake previously led to out-of-bounds write
on some platforms.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9433)

(cherry picked from commit a890ef833d)
2019-08-18 21:33:49 +02:00
Bernd Edlinger
2403153c95 Fix error handling in X509_chain_up_ref
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9614)

(cherry picked from commit cae665dfa6)
2019-08-17 16:51:13 +02:00
Omid Najafi
562740788e Fix syntax error for the armv4 assembler
The error was from the alignment syntax of the code.
More details:
https://stackoverflow.com/questions/57316823/arm-assembly-syntax-in-vst-vld-commands?noredirect=1#comment101133590_57316823

CLA: trivial

Fixes: #9518

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9518)

(cherry picked from commit 2a17758940)
2019-08-15 14:24:27 +02:00
Richard Levitte
7b72912c37 crypto/engine/eng_openssl.c: define TEST_ENG_OPENSSL_RC4_P_INIT conditionally
When OpenSSL is configured with 'no-stdio', TEST_ENG_OPENSSL_RC4_P_INIT
shouldn't be defined, as that test uses stdio.

Fixes #9597

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9598)

(cherry picked from commit 9f643f5423)
2019-08-15 11:23:12 +02:00
opensslonzos-github
cd5e2b0a68 Add missing EBCDIC strings
Fix a few places where calling ossl_isdigit does the wrong thing on
EBCDIC based systems.
Replaced with ascii_isdigit.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9556)

(cherry picked from commit 48102247ff)
2019-08-14 10:52:31 +01:00
Tomas Mraz
8ab99435c0 BIO_lookup_ex: Do not retry on EAI_MEMORY
We should not retry on EAI_MEMORY as that error is most probably
fatal and not depending on AI_ADDRCONFIG hint.

Also report the error from the first call if the second call fails
as that one would be most probably the more interesting one.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9535)

(cherry picked from commit 91cb81d40a)
2019-08-13 11:44:45 +02:00
Tomas Mraz
63be1415bf BIO_lookup_ex: Always retry the lookup on failure with AI_NUMERICHOST set
Do not try to discern the error return value on
getaddrinfo() failure but when retrying set the AI_NUMERICHOST
to avoid DNS lookups.

Fixes: #9053

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9535)

(cherry picked from commit 7f616a00e9)
2019-08-13 11:44:15 +02:00
Matt Caswell
7467c87c6e Ensure RSA PSS correctly returns the right default digest
A default digest of SHA256 was being returned for RSA PSS even if the
PSS parameters indicated a different digest must be used. We change this
so that the correct default digest is returned and additionally mark this
as mandatory for PSS.

This bug had an impact on sig alg selection in libssl. Due to this issue
an incorrect sig alg might be selected in the event that a server is
configured with an RSA-PSS cert with parameter restrictions.

Fixes #9545

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9553)

(cherry picked from commit 9bcc9f973b)
2019-08-09 13:24:14 +01:00
Vladimir Kotal
c762f5fa35 make ecp_nistz256_point_add_vis3() local
fixes #8936

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9132)

(cherry picked from commit 861335001b)
2019-08-09 09:12:42 +01:00
Shane Lontis
728f9449c3 Change EVP_CIPHER_CTX_iv_length() to return current ivlen for some modes
Note a flag needed to be added since some ssl tests fail if they output any error
(even if the error is ignored). Only ciphers that handle the GET_IV_LEN control set this flag.

Fixes #8330

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9499)
2019-08-08 13:19:23 +10:00
Dr. Matthias St. Pierre
74b9ce2d84 Add missing accessors for X509 AuthorityKeyIdentifier
Complements commit b383aa2081, which added X509_get0_authority_key_id().

 const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
 const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);      [NEW]
 const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);       [NEW]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9494)
2019-08-01 12:13:37 +02:00
Antoine Cœur
a5c83db4ae Fix Typos
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9295)
2019-07-31 19:48:30 +02:00
joe2018Outlookcom
ca33a43fe2 Fix warning C4164 in MSVC.
Fix: crypto\whrlpool\wp_block.c(90) : warning C4164: '_rotl64' : intrinsic function not declared.
Fixes #9487

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9488)

(cherry picked from commit 0c789f59f1)
2019-07-31 17:32:16 +01:00
David von Oheimb
ffc2b6373a make RSA and DSA operations throw MISSING_PRIVATE_KEY if needed, adapt ECDSA
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9466)

(cherry picked from commit 7408f6759f)
2019-07-31 17:07:44 +03:00
Pauli
b4b42d441d Make rand_pool buffers more dynamic in their sizing.
The rand pool support allocates maximal sized buffers -- this is typically
12288 bytes in size.  These pools are allocated in secure memory which is a
scarse resource.  They are also allocated per DRBG of which there are up to two
per thread.

This change allocates 64 byte pools and grows them dynamically if required.
64 is chosen to be sufficiently large so that pools do not normally need to
grow.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9428)

(cherry picked from commit a6a66e4511)
2019-07-23 23:30:12 +10:00
Bernd Edlinger
e8d866dcb1 Allocate DRBG additional data pool from non-secure memory
The additional data allocates 12K per DRBG instance in the
secure memory, which is not necessary. Also nonces are not
considered secret.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9424)
2019-07-23 23:14:14 +10:00
Dr. Matthias St. Pierre
19b7b64c72 Remove OPENSSL_X509V3_H include detector from openssl/cms.h
The check is redundant, because <openssl/x509v3.h> is included.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9365)
2019-07-24 17:08:38 +02:00
Dr. Matthias St. Pierre
ca066211a8 Remove HEADER_BSS_FILE_C module include guard
This include guard inside an object file comes as a surprise and
serves no purpose anymore. It seems like this object file was
included by crypto/threads/mttest.c at some time, but the include
directive was removed in commit bb8abd6.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9365)
2019-07-24 17:08:38 +02:00
Bernd Edlinger
ddd16c2fe9 Change DH parameters to generate the order q subgroup instead of 2q
This avoids leaking bit 0 of the private key.

Backport-of: #9363

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9435)
2019-07-24 14:59:52 +02:00
Pauli
8e74733859 Avoid double clearing some BIGNUMs
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9438)

(cherry picked from commit 82925f9dd0)
2019-07-23 16:55:40 +10:00
Richard Levitte
12bd8f4631 Cygwin: enable the use of Dl_info and dladdr()
These weren't available in Cygwin at the time our DSO code was
written, but things have changed since.

Fixes #9385

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9402)

(cherry picked from commit 38f6f99cdf)
2019-07-21 11:08:56 +02:00
Shane Lontis
0a9a7540d4 Cleanup use of X509 STORE locks
Cosmetic changes to use the X509_STORE_lock/unlock functions.
Renamed some ctx variables to store.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9366)

(cherry picked from commit 7a9abccde7)
2019-07-18 15:19:46 +10:00
Patrick Steuer
0f6fd61459 s390x assembly pack: fix restoring of SIGILL action
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9381)

(cherry picked from commit c17d60ea29)
2019-07-17 20:15:38 +02:00
Krists Krilovs
b4f55c6f6c Fix wrong lock claimed in x509 dir lookup.
x509 store's objects cache can get corrupted when using dir lookup
method in multithreaded application. Claim x509 store's lock when
accessing objects cache.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9326)

(cherry picked from commit a161738a70)
2019-07-15 11:39:53 +10:00
Dmitry Belyavskiy
a48cd0c5b9 Avoid NULL pointer dereference. Fixes #9043.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9059)

(cherry picked from commit 9fd6f7d1cd)
2019-07-08 20:15:44 +10:00
Lei Maohui
5a63e155ff Fix build error for aarch64 big endian.
Modified rev to rev64, because rev only takes integer registers.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90827
Otherwise, the following error will occur.

Error: operand 1 must be an integer register -- `rev v31.16b,v31.16b'

CLA: trivial

Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9151)

(cherry picked from commit 7b0fceed21)
2019-07-08 10:54:46 +02:00
Bernd Edlinger
9fd44200fe Fix an endless loop in BN_generate_prime_ex
Happens when trying to generate 4 or 5 bit safe primes.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9311)

(cherry picked from commit 291f616ced)
2019-07-07 08:07:25 +02:00
Bernd Edlinger
42180a229e Check for V_ASN1_BOOLEAN/V_ASN1_NULL in X509_ATTRIBUTE_get0_data
The member value.ptr is undefined for those ASN1 types.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9278)

(cherry picked from commit 94f4d58a87)
2019-07-02 16:25:00 +02:00
Bernd Edlinger
261ec72d58 Fix ASN1_TYPE_get/set with type=V_ASN1_BOOLEAN
BOOLEAN does not have valid data in the value.ptr member,
thus don't use it here.

Fixes #9276

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9278)

(cherry picked from commit 6335f837cf)
2019-07-02 16:24:19 +02:00
Dr. Matthias St. Pierre
3003d2dba9 Add regenerated header files
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9281)
2019-07-02 10:06:15 +02:00
Matt Caswell
26675d1cf4 Ensure that rc5 doesn't try to use a key longer than 2040 bits
The maximum key length for rc5 is 2040 bits so we should not attempt to
use keys longer than this.

Issue found by OSS-Fuzz and Guido Vranken.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8834)

(cherry picked from commit 792cb4ee8d)
2019-07-01 10:23:54 +01:00
Antoine Cœur
25ccb5896b Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9275)
2019-07-01 02:02:06 +08:00
Pauli
58ae5a47da Excise AES-XTS FIPS check.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9255)
2019-06-25 03:37:17 +10:00
Pauli
2a5f63c9a6 Allow AES XTS decryption using duplicate keys.
This feature is enabled by default outside of FIPS builds
which ban such actions completely.

Encryption is always disallowed and will generate an error.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9112)

(cherry picked from commit 2c840201e5)
2019-06-24 17:58:57 +10:00
Bernd Edlinger
a7581949e4 Handle CTRL-C as non-redoable abort signal
This is a bit annoying, if for instance "openssl genrsa -aes128"
tries to read a 4+ character size password, but CTRL-C does no longer
work after a RETURN key, since the flag UI_FLAG_REDOABLE is set by
UI_set_result_ex, together with the error "You must type in 4 to 1023 characters".
Thus remove the REDOABLE flag to allow CTRL-C to work.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9170)

(cherry picked from commit f8922b5107)
2019-06-21 12:22:10 +02:00
Rebecca Cran
444ec8d5e7 Fix UEFI build on FreeBSD by not including system headers
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9149)
2019-06-19 14:39:45 +02:00
Tomas Mraz
c6991655c4 Fix and document BIO_FLAGS_NONCLEAR_RST behavior on memory BIO
The BIO_FLAGS_NONCLEAR_RST flag behavior was not properly documented
and it also caused the length to be incorrectly set after the reset
operation.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9179)

(cherry picked from commit 8b7b32921e)
2019-06-19 14:30:57 +02:00
Bernd Edlinger
2459dc1bd0 Fix error handling at openssl_strerror_r
When bufsize == 0, openssl_strerror_r should return 0 (if _GNU_SOURCE is defined),
to be consistent with non-_GNU_SOURCE variants, which exhibit the same behavior.
Fix a few cases, where the return value of openssl_strerror_r was ignored.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9163)

(cherry picked from commit e7a4682d0b)
2019-06-18 13:58:52 +02:00
Rebecca Cran
10bf506819 Swap #if blocks in uid.c so target platform gets checked before host
This avoids the case where a UEFI build on FreeBSD tries to call the system
issetugid function instead of returning 0 as it should do.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9158)
2019-06-18 12:53:27 +10:00
Matt Caswell
c4376aed02 Move a fall through comment
When compiling with --strict-warnings using gcc 7.4.0 the compiler
complains that a case falls through, even though there is an explicit
comment stating this. Moving the comment outside of the conditional
compilation section resolves this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9131)

(cherry picked from commit a2e520447e)
2019-06-11 15:23:13 +01:00
Bernd Edlinger
b658421823 Fix a URL to the NMBRTHRY list archive
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9123)

(cherry picked from commit e98e586b31)
2019-06-11 13:51:48 +02:00
Tomas Mraz
81ce7cc8d6 BIO_lookup_ex: Retry with AI_ADDRCONFIG cleared if getaddrinfo fails
The lookup for ::1 with getaddrinfo() might return error even if
the ::1 would work if AI_ADDRCONFIG flag is used.

Fixes: #9053

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9108)

(cherry picked from commit 3f91ede9ae)
2019-06-10 16:29:34 +02:00
Dr. Matthias St. Pierre
ad416c8058 Revert the DEVRANDOM_WAIT feature
The DEVRANDOM_WAIT feature added a select() call to wait for the
`/dev/random` device to become readable before reading from the
`/dev/urandom` device. It was introduced in commit 38023b87f0
in order to mitigate the fact that the `/dev/urandom` device
does not block until the initial seeding of the kernel CSPRNG
has completed, contrary to the behaviour of the `getrandom()`
system call.

It turned out that this change had negative side effects on
performance which were not acceptable. After some discussion it
was decided to revert this feature and leave it up to the OS
resp. the platform maintainer to ensure a proper initialization
during early boot time.

Fixes #9078

This partially reverts commit 38023b87f0.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

(cherry picked from commit a08714e181)

(Merged from https://github.com/openssl/openssl/pull/9118)
2019-06-09 09:53:39 +02:00
Acheev Bhagat
7febec9485 Replace BIO_printf with ASN1_STRING_print in GENERAL_NAME_print
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9101)

(cherry picked from commit bab6046146)
2019-06-07 09:09:48 +02:00
Vitezslav Cizek
a069bdf0aa build_SYS_str_reasons: Fix a crash caused by overlong locales
The 4 kB SPACE_SYS_STR_REASONS in crypto/err/err.c isn't enough for some locales.
The Russian locales consume 6856 bytes, Ukrainian even 7000.

build_SYS_str_reasons() contains an overflow check:

if (cnt > sizeof(strerror_pool))
    cnt = sizeof(strerror_pool);

But since commit 9f15e5b911 it no longer
works as cnt is incremented once more after the condition.

cnt greater than sizeof(strerror_pool) results in an unbounded
OPENSSL_strlcpy() in openssl_strerror_r(), eventually causing a crash.

When the first received error string was empty or contained only
spaces, cur would move in front of the start of the strerror_pool.

Also don't call openssl_strerror_r when the pool is full.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8966)

(cherry picked from commit fac9200a88)
2019-06-04 13:30:36 +02:00
Shane Lontis
d63d841fb5 Add the content type attribute to additional CMS signerinfo.
Fixes #8923

Found using the openssl cms -resign option.
This uses an alternate path to do the signing which was not adding the required signed attribute
content type. The content type attribute should always exist since it is required is there are
any signed attributes.
As the signing time attribute is always added in code, the content type attribute is also required.
The CMS_si_check_attributes() method adds validity checks for signed and unsigned attributes
e.g. The message digest attribute is a signed attribute that must exist if any signed attributes
exist, it cannot be an unsigned attribute and there must only be one instance containing a single
value.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8944)

(cherry picked from commit 19e512a824)
2019-06-03 15:25:10 +10:00
David Benjamin
9517295b7f Fix various mistakes in ec_GFp_nistp_recode_scalar_bits comment.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9050)

(cherry picked from commit 8be6a4ed02)
2019-05-31 18:26:19 -04:00
Retropotenza
3268087d2c Fix CHECK_BSD_STYLE_MACROS for OpenBSD and cryptodev-linux
CLA: trivial

Fixes #8911

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8866)

(cherry picked from commit fdbb3a8655)
2019-05-31 12:52:10 +02:00
Pauli
15d7e7997e Fix broken change from b3d113e.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8606)

(cherry picked from commit 711a161f03)
2019-05-30 11:47:59 +02:00
Dr. Matthias St. Pierre
23373fea19 crypto/conf: openssl_config_int() returns unitialized value
openssl_config_int() returns the uninitialized variable `ret`
when compiled with OPENSSL_SYS_UEFI.

Fixes #9026

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9029)

(cherry picked from commit f4a96507fb)
2019-05-29 10:47:40 +10:00
Tomas Mraz
871c675b85 The SHA256 is not a mandatory digest for DSA.
The #7408 implemented mandatory digest checking in TLS.
However this broke compatibility of DSS support with GnuTLS
which supports only SHA1 with DSS.

There is no reason why SHA256 would be a mandatory digest
for DSA as other digests in SHA family can be used as well.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9015)

(cherry picked from commit cd4c83b524)
2019-05-28 17:22:14 +02:00
Richard Levitte
35fd99538a Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9034)
2019-05-28 14:49:38 +02:00
FdaSilvaYY
9f084451a3 OCSP: fix memory leak in OCSP_url_svcloc_new method.
Add a few coverage test case.

Fixes #8949

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8959)

(cherry picked from commit 5b3accde60)
2019-05-27 08:12:35 +10:00