Commit graph

10381 commits

Author SHA1 Message Date
David Benjamin
6f52dbb68f Avoid leaking intermediate states in point doubling special case.
Cherry picked from
12d9ed670d

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9239)

(cherry picked from commit 2baea7c7e0896658b74956cac6084dd7e82e8c1b)
2020-01-05 08:39:22 +02:00
Nicola Tuveri
1f60c1c788 Fix potential SCA vulnerability in some EC_METHODs
This commit addresses a potential side-channel vulnerability in the
internals of some elliptic curve low level operations.
The side-channel leakage appears to be tiny, so the severity of this
issue is rather low.

The issue was reported by David Schrammel and Samuel Weiser.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9239)

(cherry picked from commit 3cb914c463ed1c9e32cfb773d816139a61b6ad5f)
2020-01-05 08:39:22 +02:00
Matt Caswell
2c52a36400 Run make update
The New Year has caused various files to appear out of date to "make
update". This causes Travis to fail. Therefore we update those files.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10739)
2020-01-02 14:45:04 +00:00
Bernd Edlinger
112afa6db6 Add some missing cfi frame info in rc4-md5-x86_64.pl
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10679)

(cherry picked from commit b2a00f62209add348deb8283c588ddbd572dc216)
2019-12-23 20:30:23 +01:00
Bernd Edlinger
65b7de10c9 Add some missing cfi frame info in poly1305-x86_64.pl
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10678)

(cherry picked from commit 048fa13e5ef4ccd730561f79a6c91f38365994d1)
2019-12-23 20:27:46 +01:00
Bernd Edlinger
a3d0b3c3a1 Add some missing cfi frame info in aesni-gcm-x86_64.pl
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10677)

(cherry picked from commit 275a048ffc1585a731e39d7e8e3f53766e8f48d7)
2019-12-23 20:24:55 +01:00
Bernd Edlinger
3d8d8b861e Add some missing cfi frame info in x25519-x86_64.pl
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10676)

(cherry picked from commit 9d079f2744b9b624c6fe75f95fc0f766ef88ffcf)
2019-12-23 17:03:46 +01:00
Bernd Edlinger
1ef6389827 Fix aesni_cbc_sha256_enc_avx2 backtrace info
We store a secondary frame pointer info for the debugger
in the red zone.  This fixes a crash in the unwinder when
this function is interrupted.

Additionally the missing cfi function annotation is added
to aesni_cbc_sha256_enc_shaext.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10674)

(cherry picked from commit 665de4d48aef2507022a7d74f5c7f6e339d5e6bc)
2019-12-23 17:00:15 +01:00
Bernd Edlinger
b6d0a1c7f0 Add some missing cfi frame info in ecp_nistz256-x86_64.pl
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10672)

(cherry picked from commit eff5076a78502d1ac04669e44127d4bd7c0a9ce7)
2019-12-23 16:55:36 +01:00
Bernd Edlinger
2b2faf730a Add some missing cfi frame info in aesni-sha and sha-x86_64.pl
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10655)

(cherry picked from commit b0d3442efc10b635863b915c2d014345f6e5a219)
2019-12-20 23:15:49 +01:00
Bernd Edlinger
2b2833af3e Add some missing cfi frame info in keccak1600-x86_64.pl
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10654)

(cherry picked from commit 95bbe6eff7aadc681e282ec957379b49d6f80ca8)
2019-12-20 23:13:20 +01:00
Bernd Edlinger
572351b9cc Add some missing cfi frame info in aesni-x86_64.pl
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10653)

(cherry picked from commit a5fe7825b970a6c937118a4f707f9ad367413794)
2019-12-20 23:10:27 +01:00
Bernd Edlinger
da26d627c7 Add some missing cfi frame info in rsaz-x86_64
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10652)

(cherry picked from commit 013c2e8d1a272df444f47b8b54de1d51bc499887)
2019-12-20 23:07:03 +01:00
Bernd Edlinger
3ea129209f Add some missing cfi frame info in x86_64-mont5.pl
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10651)

(cherry picked from commit 0190c52ab8b4cdf5fe577b3d924576167c892a15)
2019-12-20 22:58:43 +01:00
Bernd Edlinger
062acbc3a9 Add some missing cfi frame info in camellia-x86_64.pl
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10642)

(cherry picked from commit 6b913be708f98b1d971586d38e608218ee6de6fa)
2019-12-20 22:44:03 +01:00
Bernd Edlinger
7540f7bdc2 Fix unwind info for some trivial functions
While stack unwinding works with gdb here, the
function _Unwind_Backtrace gives up when something outside
.cfi_startproc/.cfi_endproc is found in the call stack, like
OPENSSL_cleanse, OPENSSL_atomic_add, OPENSSL_rdtsc, CRYPTO_memcmp
and other trivial functions which don't save anything in the stack.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10635)

(cherry picked from commit 8913378a552e470c66277c47b19699f20b84aa3b)
2019-12-18 14:28:49 +01:00
Matt Caswell
c1ebe0509a Backport the RSA_get0_pss_params() function from master
This is a missing accessor in order to obtain PSS parameters from an
RSA key, which should also be available in 1.1.1.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10568)
2019-12-16 14:50:07 +00:00
Matt Caswell
e6d06e11e9 Ensure EVP_PKEY_set1_DH detects X9.42 keys
OpenSSL supports both PKCS#3 and X9.42 DH keys. By default we use PKCS#3
keys. The function `EVP_PKEY_set1_DH` was assuming that the supplied DH
key was a PKCS#3 key. It should detect what type of key it is and assign
the correct type as appropriate.

Fixes #10592

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10593)

(cherry picked from commit 32c869ffaba67822602ea9fec611272ff8e8db58)
2019-12-16 14:34:26 +00:00
Dr. Matthias St. Pierre
f9fdb9d2f5 rand_lib.c: fix null pointer dereferences after RAND_get_rand_method() failure
RAND_get_rand_method() can return a NULL method pointer in the case of a
malloc failure, so don't dereference it without a check.

Reported-by: Zu-Ming Jiang (detected by FIFUZZ)

Fixes #10480

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10490)
2019-12-15 15:25:18 +01:00
Veres Lajos
3986b9bb6b Fix some typos
Reported-by: misspell-fixer <https://github.com/vlajos/misspell-fixer>

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10544)

(cherry picked from commit 79c44b4e3044aee9dc9618850d4f1ce067757b4b)
2019-12-11 19:17:00 +01:00
Bernd Edlinger
46ac489a13 Improve the overflow handling in rsaz_512_sqr
We have always a carry in %rcx or %rbx in range 0..2
from the previous stage, that is added to the result
of the 64-bit square, but the low nibble of any square
can only be 0, 1, 4, 9.

Therefore one "adcq $0, %rdx" can be removed.
Likewise in the ADX code we can remove one
"adcx %rbp, $out" since %rbp is always 0, and carry is
also zero, therefore that is a no-op.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10575)
2019-12-06 13:36:16 +01:00
Andy Polyakov
419102400a Fix an overflow bug in rsaz_512_sqr
There is an overflow bug in the x64_64 Montgomery squaring procedure used in
exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis
suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a
result of this defect would be very difficult to perform and are not believed
likely. Attacks against DH512 are considered just feasible. However, for an
attack the target would have to re-use the DH512 private key, which is not
recommended anyway. Also applications directly using the low level API
BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.

CVE-2019-1551

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10575)
2019-12-06 13:36:16 +01:00
Matt Caswell
420cb707b8 EVP_*Update: ensure that input NULL with length 0 isn't passed
Even with custom ciphers, the combination in == NULL && inl == 0
should not be passed down to the backend cipher function.  The reason
is that these are the values passed by EVP_*Final, and some of the
backend cipher functions do check for these to see if a "final" call
is made.

An exception is made for CCM mode which has special handling for the case
where inl == 0: this may mean the total plaintext or ciphertext length is 0.

This is based on an original commit by Richard Levitte.

Fixes #8675

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9057)
2019-11-29 11:05:35 +00:00
Richard Levitte
d4f094a04a i2b_PVK(): Use Encrypt, not Decrypt
We used EVP_EncryptInit_ex() to initialise, but EVP_DecryptUpdate()
and EVP_DecryptFinal_ex() to actually perform encryption.  This worked
long ago, when the Encrypt and Decrypt variants were the same, but
doesn't now (actually haven't for a very long time).

This shows how seldom PVK is actually used.

Fixes #9338

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10521)
2019-11-27 20:34:13 +01:00
Richard Levitte
984cff6ba5 UI_UTIL_wrap_read_pem_callback(): when |cb| is NULL, use PEM_def_callback
Fixes #10444

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10447)

(cherry picked from commit 72a5412b4858cc7c5627a121f78685a2a4065521)
2019-11-22 15:22:37 +01:00
Pauli
f6f371d472 EVP p_lib: Add NULL check to EVP_PKEY_missing_parameters.
Check for NULL and return error if so.
This can possibly be called from apps/ca.c with a NULL argument.

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/10474)

(cherry picked from commit ab5c77b4766e0992751d86560193ca42b49cf316)
2019-11-21 14:35:37 +10:00
Pauli
333853fae6 Engine: Add NULL check.
Add NULL check for return from pkey_asn1_meths.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10473)

(cherry picked from commit 9bada854de16bcc1a9dc199b4b352b19ab6897fc)
2019-11-21 14:32:54 +10:00
Pauli
cf5afa4d28 ECDSA: don't clear free memory after verify.
Verifications are public, there is no need to clear the used storage before
freeing it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10475)

(cherry picked from commit cff7d199e0dc51ae939de5fb7702aab2a9ef30fc)
2019-11-21 14:29:54 +10:00
Bernd Edlinger
1ae28ac781 Fix sha512_block_data_order_avx2 backtrace info
We store a secondary frame pointer info for the debugger
in the red zone.

Fixes #8853

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9624)

(cherry picked from commit 9ce91035bcf7d74fe15c94650f3bc1f89b7c0f07)
2019-11-20 14:11:24 +01:00
Patrick Steuer
a13dddea6b Allow specifying the tag after AAD in CCM mode (2)
In addition to 67c81ec3 which introduced this behavior in CCM mode
docs but only implemented it for AES-CCM.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10331)

(cherry picked from commit f7382fbbd846dd3bdea6b8c03b6af22faf0ab94f)

Conflicts:
	test/recipes/30-test_evp_data/evpciph.txt
2019-11-20 11:07:07 +01:00
Patrick Steuer
62c20887be s390x assembly pack: fix bn_mul_comba4
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10454)

(cherry picked from commit 97a986f78289fef71bf8778dc4763458e983750c)
2019-11-17 13:55:28 +01:00
Anthony Hu
460a0b2b13 Add missing EVP_PKEY_METHOD accessors for digestsign and digestverify
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10388)

(cherry picked from commit 2555285fa5e4248ad4a5a0bc14ae4606443856c2)
2019-11-17 11:51:10 +01:00
Joerg Schmidbauer
1e5565ddc2 chacha_enc.c: fix for EBCDIC platforms
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10417)

(cherry picked from commit c31950b964a2f3f7b9e6ad98076954178ee1e77d)
2019-11-13 18:08:55 +01:00
Nicola Tuveri
6f6adf1d7b Fix EC_POINT_bn2point() for BN_zero()
EC_POINT_bn2point() rejected BIGNUMs with a zero value.

This behavior indirectly caused failures when converting a point
at infinity through EC_POINT_point2hex() and then back to a point with
EC_POINT_hex2point().

With this change such BIGNUMs are treated like any other and exported to
an octet buffer filled with zero.
It is then EC_POINT_oct2point() (either the default implementation or
the custom one in group->meth->oct2point) to determine if such encoding
maps to a valid point (generally the point at infinity is encoded as
0x00).

Fixes #10258

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10329)

(cherry picked from commit d47c10875656790d146f62ac3c437db54c58dbf7)
2019-11-13 18:11:50 +02:00
Bernd Edlinger
eb67b2616c Fix a -Warray-bounds gcc warning in OPENSSL_DIR_read
'__builtin_strncpy' offset [275, 4095] from the object at
'direntry' is out of the bounds of referenced subobject 'd_name'
with type 'char[256]' at offset 19

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10343)

(cherry picked from commit db5cf86535b305378308c58c52596994e1ece1e6)
2019-11-09 10:51:43 +01:00
raniervf
30bd3e5160 conf_def.c: Avoid calling strlen() in a loop
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10361)

(cherry picked from commit d1c1fb2d41a627293483d832aaffcb6eca9075f9)
2019-11-09 09:17:34 +01:00
Richard Levitte
f6483fc2db BIO_s_connect: add an error state and use it
If no connection could be made, addr_iter will eventually end up being
NULL, and if the user didn't check the returned error value, the
BIO_CONN_S_CONNECT code will be performed again and will crash.

So instead, we add a state BIO_CONN_S_CONNECT_ERROR that we enter into
when we run out of addresses to try.  That state will just simply say
"error" back, until the user does something better with the BIO, such
as free it or reset it.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10333)
2019-11-05 22:17:12 +01:00
Matt Caswell
7bb50cbc4a Don't leak memory in the event of a failure in i2v_GENERAL_NAMES
i2v_GENERAL_NAMES call i2v_GENERAL_NAME repeatedly as required. Each
time i2v_GENERAL_NAME gets called it allocates adds data to the passed in
stack and then returns a pointer to the stack, or NULL on failure. If
the passed in stack is itself NULL then it allocates one.

i2v_GENERAL_NAMES was not correctly handling the case where a NULL gets
returned from i2v_GENERAL_NAME. If a stack had already been allocated then
it just leaked it.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10300)

(cherry picked from commit 45b244620a74248b46ebe1c85e86437b9641447a)
2019-11-04 12:54:36 +00:00
Patrick Steuer
72f4d2f8eb s390x assembly pack: enable clang build
clang imposes some restrictions on the assembler code that
gcc does not.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10330)

(cherry picked from commit 6f93f06135cbbd36c3fe98d63717e8303a5d559b)

Conflicts:
	crypto/perlasm/s390x.pm (non-existant)
	crypto/s390xcpuid.pl (code to be changed non-existant)
2019-11-03 11:48:57 +01:00
Richard Levitte
0a71b62107 VMS: Added new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
This system services is based on FreeBSD 12's getentropy(), and is
therefore treated the same way as getentropy() with regards to amount
of entropy bits per data bit.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8926)

(cherry picked from commit 8b9896eb293a0861f0b8c191b7a278f176b729e6)
2019-11-02 11:28:57 +01:00
Patrick Steuer
ef0be09e04 md4/md5: macros should not include the line following them
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10311)

(cherry picked from commit 351ba5bd27645d5b5a2bc643b2709bd30bcdf09c)
2019-11-01 15:59:40 +01:00
Scott Wilson
c38761171f Fix potential memory leak in dh_ameth.c
Free dukm in error handling of dh_cms_encrypt()

Fixes #10294

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
(Merged from https://github.com/openssl/openssl/pull/10310)

(cherry picked from commit 6624e1f7b6a397948561e9cc2774f0c8af1d2c79)
2019-11-01 12:47:13 +01:00
Billy Brumley
4f75d1d0ca [crypto/bn] fix a few small timing leaks in BN_lshift1 and BN_rshift1
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10209)

(cherry picked from commit 305bf9c8668aff78e668131061f4eb088457be5f)
2019-10-31 11:09:56 +00:00
Paul Yang
9cebf0d179 Suppress an error when doing SM2 sign/verify ops
This was fixed in #8321 right after the 1.1.1 was released but never
back ported to 1.1.1. Now fix it.

Issue reported from lua-openssl project.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10278)
2019-10-29 20:36:05 +08:00
Tobias Nießen
4088b92636 Allow EVP_PKEY_get0_RSA for RSA-PSS keys
RSA-PSS keys use the same internal structure as RSA keys but do not
allow accessing it through EVP_PKEY_get0_RSA. This commit changes that
behavior.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10217)

(cherry picked from commit 465a58b117d5a85623f3998d6fbf2fe8712a5604)
2019-10-28 11:11:34 +00:00
Cesar Pereida Garcia
85728d08ae Update control logic for BN_gcd
PR https://github.com/openssl/openssl/pull/10122 introduced changes to
the BN_gcd function and the control logic inside it accessed `g->d[0]`
irrespective of `g->top`.

When BN_add is called, in case the result is zero, `BN_zero` is called.
The latter behaves differently depending on the API compatibility level
flag: normally `g->d[0]` is cleared but in `no-deprecated` builds only
`g->top` is set to zero.

This commit uses bitwise logic to ensure that `g` is treated as zero if
`g->top` is zero, irrespective of `g->d[0]`.

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>

(cherry picked from commit 8aca4bfe8213402c80abc06fe25121461f79128d)

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10232)
2019-10-23 12:16:13 +03:00
Dr. Matthias St. Pierre
7b18d1a53f Move random-related defines from e_os.h to rand_unix.c
Fixes #10049

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10050)

(cherry picked from commit 01036e2afbe116d608be048ed15930fc885ab2a8)
2019-10-19 00:08:07 +02:00
Dr. Matthias St. Pierre
10cb54d75b rand_unix.c: correct include guard comments
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10050)

(cherry picked from commit 2a7e6ed86be20bd472696a3eafe5d20ec9579dab)
2019-10-19 00:08:04 +02:00
Cesar Pereida Garcia
ef59960504 Constant-time GCD function.
This commit replaces the current `BN_gcd` function with a constant-time
GCD implementation.

(cherry picked from commit f3c4adfc7eb13e9eff514039b4c60b457bdba433)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10122)
2019-10-17 14:31:40 +03:00
Cesar Pereida Garcia
d63332a5f2 Unify BN_rshift design
This commit aims at refactoring the `BN_rshift` by making it a wrapper
around `bn_rshift_fixed_top`, in order to match the current design of
`BN_lshift`, as suggested in the discussion at
https://github.com/openssl/openssl/pull/10122#discussion_r332474277 .

As described in the code, by refactoring this function, `BN_rshift`
provides a constant-time behavior for sufficiently[!] zero-padded inputs
under the following assumptions: `|n < BN_BITS2|` or `|n / BN_BITS2|`
being non-secret.

Notice that `BN_rshift` returns a canonical representation of the
BIGNUM, if a `fixed_top` representation is required, the caller should
call `bn_rshift_fixed_top` instead.

(cherry picked from commit 8eba6de59e2b06f23c214344423a5a618d1c9ffd)

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10196)
2019-10-17 14:31:28 +03:00