Commit graph

9917 commits

Author SHA1 Message Date
Andy Polyakov
55bd917bc4 bio/b_addr.c: resolve HP-UX compiler warnings.
The warning reads "[cast] may cause misaligned access". Even though
this can be application-supplied pointer, misaligned access shouldn't
happen, because structure type is "encoded" into data itself, and
application would customarily pass correctly aligned pointer. But
there is no harm in resolving the warning...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5894)
2018-04-09 22:32:59 +02:00
Kunxian Xia
eb8e052c4b Correct the equation for Y' in the comment of point_double function
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5908)
2018-04-09 08:38:51 -04:00
Dr. Matthias St. Pierre
a9b7a06ed8 Fix false positives of IS_*() macros for 8-bit ASCII characters
Fixes #5778, #5840

The various IS_*() macros did not work correctly for 8-bit ASCII
characters with the high bit set, because the CVT(a) preprocessor
macro and'ed the given ASCII value with 0x7F, effectively folding
the high value range 128-255 over the low value range 0-127.
As a consequence, some of the IS_*() erroneously returned TRUE.

This commit fixes the issue by adding range checks instead of
cutting off high order bits using a mask. In order avoid multiple
evaluation of macro arguments, most of the implementation was moved
from macros into a static function is_keytype().

Thanks to Румен Петров for reporting and analyzing the UTF-8 parsing
issue #5840.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5903)
2018-04-08 20:12:01 +02:00
Matt Caswell
a6f5b11634 Support EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
Adding support for these operations for the EdDSA implementations
makes pkeyutl usable for signing/verifying for these algorithms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5880)
2018-04-06 10:10:05 +01:00
Rich Salz
bbf27cd583 Fix bugs in X509_NAME_ENTRY_set
The wrong "set" field was incremented in the wrong place and would
create a new RDN, not a multi-valued RDN.
RDN inserts would happen after not before.
Prepending an entry to an RDN incorrectly created a new RDN

Anything which built up an X509_NAME could get a messed-up structure,
which would then be "wrong" for anyone using that name.

Thanks to Ingo Schwarze for extensive debugging and the initial
fix (documented in GitHub issue #5870).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5882)
2018-04-05 22:55:28 -04:00
Rich Salz
7de2b9c4af Set error code if alloc returns NULL
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5886)
2018-04-05 15:13:55 -04:00
Matt Caswell
d54897cf54 Pick a q size consistent with the digest for DSA param generation
There are two undocumented DSA parameter generation options available in
the genpkey command line app:
dsa_paramgen_md and dsa_paramgen_q_bits.

These can also be accessed via the EVP API but only by using
EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no
helper macros for these options.

dsa_paramgen_q_bits sets the length of q in bits (default 160 bits).
dsa_paramgen_md sets the digest that is used during the parameter
generation (default SHA1). In particular the output length of the digest
used must be equal to or greater than the number of bits in q because of
this code:

            if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
                goto err;
            if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
                goto err;
            for (i = 0; i < qsize; i++)
                md[i] ^= buf2[i];

            /* step 3 */
            md[0] |= 0x80;
            md[qsize - 1] |= 0x01;
            if (!BN_bin2bn(md, qsize, q))
                goto err;

qsize here is the number of bits in q and evpmd is the digest set via
dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH.
buf2 has been filled with qsize bits of random seed data, and md is
uninitialised.

If the output size of evpmd is less than qsize then the line "md[i] ^=
buf2[i]" will be xoring an uninitialised value and the random seed data
together to form the least significant bits of q (and not using the
output of the digest at all for those bits) - which is probably not what
was intended. The same seed is then used as an input to generating p. If
the uninitialised data is actually all zeros (as seems quite likely)
then the least significant bits of q will exactly match the least
significant bits of the seed.

This problem only occurs if you use these undocumented and difficult to
find options and you set the size of q to be greater than the message
digest output size. This is for parameter generation only not key
generation. This scenario is considered highly unlikely and
therefore the security risk of this is considered negligible.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5800)
2018-04-05 15:44:24 +01:00
Matt Caswell
06d3b485db Don't crash if an unrecognised digest is used with dsa_paramgen_md
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5800)
2018-04-05 15:44:24 +01:00
Matt Caswell
d8f031e890 Move the loading of the ssl_conf module to libcrypto
The GOST engine needs to be loaded before we initialise libssl. Otherwise
the GOST ciphersuites are not enabled. However the SSL conf module must
be loaded before we initialise libcrypto. Otherwise we will fail to read
the SSL config from a config file properly.

Another problem is that an application may make use of both libcrypto and
libssl. If it performs libcrypto stuff first and OPENSSL_init_crypto()
is called and loads a config file it will fail if that config file has
any libssl stuff in it.

This commit separates out the loading of the SSL conf module from the
interpretation of its contents. The loading piece doesn't know anything
about SSL so this can be moved to libcrypto. The interpretation of what it
means remains in libssl. This means we can load the SSL conf data before
libssl is there and interpret it when it later becomes available.

Fixes #5809

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5818)
2018-04-05 15:30:12 +01:00
Richard Levitte
4845aeba4c Change rand_pool_add[_end] prototypes to match
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5877)
2018-04-04 20:47:11 +02:00
Andy Polyakov
b791355b5c rand/randfile.c: fix potential resource leak in RAND_load_file.
Found by Coverity.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5834)
2018-04-04 20:27:59 +02:00
Richard Levitte
8e2bec9b8a Remove ambiguity in rand_pool_add[_end] return value
When these two functions returned zero, it could mean:

1. that an error occured.  In their case, the error is an overflow of
   the pool, i.e. the correct response from the caller would be to
   stop trying to fill the pool.
2. that there isn't enought entropy acquired yet, i.e. the correct
   response from the caller would be to try and add more entropy to
   the pool.

Because of this ambiguity, the returned zero turns out to be useless.
This change makes the returned value more consistent.  1 means the
addition of new entropy was successful, 0 means it wasn't.  To know if
the pool has been filled enough, the caller will have to call some
other function, such as rand_pool_entropy_available().

Fixes #5846

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5876)
2018-04-04 20:14:51 +02:00
Bernd Edlinger
6b49b30811 Prevent a possible recursion in ERR_get_state and fix the problem that
was pointed out in commit aef84bb4ef
differently.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5863)
2018-04-04 14:50:50 +02:00
Bernd Edlinger
284f4f6b70 Don't use getenv for critical functions when run as setuid/setgid
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5856)
2018-04-04 14:45:49 +02:00
David Benjamin
dc55e4f70f Fix a bug in ecp_nistp224.c.
felem_neg does not produce an output within the tight bounds suitable
for felem_contract. This affects build configurations which set
enable-ec_nistp_64_gcc_128.

point_double and point_add, in the non-z*_is_zero cases, tolerate and
fix up the wider bounds, so this only affects point_add calls where the
other point is infinity. Thus it only affects the final addition in
arbitrary-point multiplication, giving the wrong y-coordinate. This is a
no-op for ECDH and ECDSA, which only use the x-coordinate of
arbitrary-point operations.

Note: ecp_nistp521.c has the same issue in that the documented
preconditions are violated by the test case. I have not addressed this
in this PR. ecp_nistp521.c does not immediately produce the wrong
answer; felem_contract there appears to be a bit more tolerant than its
documented preconditions. However, I haven't checked the point_add
property above holds. ecp_nistp521.c should either get this same fix, to
be conservative, or have the bounds analysis and comments reworked for
the wider bounds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5779)
2018-04-03 16:09:20 -04:00
Pecio
b2b4dfcca6 Enabled OneCore Conf for Console Apps (removed nonUniversal API)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5625)
2018-04-03 18:39:22 +02:00
Richard Levitte
fc1d73bb0c VMS: stricter acquisition of entropy for the pool
Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't
delivering the required amount of entropy.  In release builds, this
produces an error with details.

We also take the opportunity to modernise the types used.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5857)
2018-04-03 18:24:41 +02:00
Rich Salz
cdb10bae3f Set error code on alloc failures
Almost all *alloc failures now set an error code.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5842)
2018-04-03 11:31:16 -04:00
Matt Caswell
bcc6371443 Fix a text canonicalisation bug in CMS
Where a CMS detached signature is used with text content the text goes
through a canonicalisation process first prior to signing or verifying a
signature. This process strips trailing space at the end of lines, converts
line terminators to CRLF and removes additional trailing line terminators
at the end of a file. A bug in the canonicalisation process meant that
some characters, such as form-feed, were incorrectly treated as whitespace
and removed. This is contrary to the specification (RFC5485). This fix
could mean that detached text data signed with an earlier version of
OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
signed with a fixed OpenSSL may fail to verify with an earlier version of
OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
and use the "-binary" flag (for the "cms" command line application) or set
the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5790)
2018-04-03 15:52:31 +01:00
Matt Caswell
c4d3c19b4c Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5851)
2018-04-03 13:57:12 +01:00
Kurt Roeckx
4cffafe967 Use the private RNG for data that is not public
Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Fixes: #4641
GH: #4665
2018-04-02 22:22:43 +02:00
Daniel Bevenius
0e34f37fb1 Remove import/use of File::Spec::Function
It looks like the usage of these functions were removed in
in commit 0a4edb931b ("Unified - adapt
the generation of cpuid, uplink and buildinf to use GENERATE").

This commit removes the import/use of File::Spec::Functions module as it
is no longer needed by crypto/build.info.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5832)
2018-04-01 22:41:04 +02:00
Kurt Roeckx
2a70d65b99 Make sure we use a nonce when a nonce is required
If a nonce is required and the get_nonce callback is NULL, request 50%
more entropy following NIST SP800-90Ar1 section 9.1.

Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5503
2018-04-01 21:11:26 +02:00
Bernd Edlinger
f91e026e38 Fix a possible crash in BN_from_montgomery_word
Thanks to Darovskikh Andrei for for reporting this issue.

Fixes: #5785

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5793)
2018-03-31 16:31:37 +02:00
Rich Salz
6714cb1462 Remove some code
This commit removes the contribution of a user that we cannot
trace to gain their consent for the licence change.

I also cleaned up the return/error-return flow a bit.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5811)
2018-03-30 12:53:46 -04:00
Dr. Matthias St. Pierre
a73d990e2b Add documentation for the RAND_DRBG API
The RAND_DRBG API was added in PR #5462 and modified by PR #5547.
This commit adds the corresponding documention.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5461)
2018-03-30 00:10:38 +02:00
FdaSilvaYY
3484236d8d EVP,KDF: Add more error code along some return 0 in ...
methods :
 - EVP_PBE_scrypt
 - EVP_PKEY_meth_add0
 - EVP_PKEY_meth_new
 - EVP_PKEY_CTX_dup

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5783)
2018-03-29 22:46:10 +02:00
Benjamin Kaduk
f2633200eb Document RAND_DRBG fork-safety locking model
Add some more exposition on why unlocked access to the global rand_fork_count
is safe, and provide a comment for the struct rand_drbg_st fork_count field.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/4110)
2018-03-29 09:04:23 -05:00
Richard Levitte
5848be0488 Fix setbuf use for VMS C
The VMS C RTL has setbuf() working for short pointers only, probably
the FILE pointer will always be in P0 (the lower 4GB).  Fortunately,
this only generates a warning about possible data loss (doesn't apply
in this case) that we can simply turn off.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5789)
2018-03-29 10:34:11 +02:00
Patrick Steuer
8eb399fb25 crypto/e_aes.c: use S390X_AES_FC macro
... to compute s390x aes function code from keylength.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5250)
2018-03-28 23:31:09 +02:00
Patrick Steuer
258689931e crypto/evp/e_aes.c: add size_t casts to increase readability
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5250)
2018-03-28 23:31:05 +02:00
Patrick Steuer
74d38a8677 s390x assembly pack: add KMF code path for aes-cfb/cfb8
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5250)
2018-03-28 23:31:01 +02:00
Patrick Steuer
dacd2a87b5 s390x assembly pack: add KMO code path for aes-ofb
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5250)
2018-03-28 23:30:56 +02:00
Patrick Steuer
55bd169fd8 s390x assembly pack: add KM code path for aes-ecb
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5250)
2018-03-28 23:28:55 +02:00
Matt Caswell
92565101ca Remove some code
This commit removes the contribution of a user that we cannot trace to
gain their consent for the licence change.

After this commit the various IS_*() macros in the auto-generated file
conf_def.h may incorrectly return true if the supplied character has its
most significant bit set. The IS_*() macros should be able to correctly
handle 8-bit characters. Note that UTF-8 support is not a requirement.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5767)
2018-03-28 16:11:30 +01:00
Rich Salz
e6e9170d6e Allow NULL for some _free routines.
Based on the description in https://github.com/openssl/openssl/pull/5757,
this re-implements the "allow NULL to be passed" behavior of a number of
xxx_free routines.  I also fixed up some egregious formatting errors
that were nearby.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5761)
2018-03-27 16:25:08 -04:00
Miroslav Suk
98c03302fb o_time.c: use gmtime_s with MSVC
ts/ts_rsp_sign.c: change to OPENSSL_gmtime.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5720)
2018-03-27 20:12:34 +02:00
Andy Polyakov
242fcd695d rand/randfile.c: permit non-regular files in RAND_load_file.
Apparently applications rely on RAND_load_file's ability to work with
non-regular files, customarily with /dev/urandom, so that the ban was
not exactly appropriate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5737)
2018-03-27 19:55:54 +02:00
Matt Caswell
320a81277e Remove some code for a contributor that we cannot find
This removes some code because we cannot trace the original contributor
to get their agreement for the licence change (original commit e03ddfae).

After this change there will be numerous failures in the test cases until
someone rewrites the missing code.

All *_free functions should accept a NULL parameter. After this change
the following *_free functions will fail if a NULL parameter is passed:

BIO_ACCEPT_free()
BIO_CONNECT_free()
BN_BLINDING_free()
BN_CTX_free()
BN_MONT_CTX_free()
BN_RECP_CTX_free()
BUF_MEM_free()
COMP_CTX_free()
ERR_STATE_free()
TXT_DB_free()
X509_STORE_free()
ssl3_free()
ssl_cert_free()
SSL_SESSION_free()
SSL_free()

[skip ci]

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5757)
2018-03-27 17:15:24 +01:00
Matt Caswell
53c9818e97 Don't write out a bad OID
If we don't have OID data for an object then we should fail if we
are asked to encode the ASN.1 for that OID.

Fixes #5723

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5725)
2018-03-27 15:57:52 +01:00
Andy Polyakov
0b020b1488 pariscid.pl: fix nasty typo in CRYPTO_memcmp.
Comparison was effectively reduced to least significant bits.

CVE-2018-0733

Reviewed-by: Matt Caswell <matt@openssl.org>
2018-03-27 10:22:49 +01:00
Matt Caswell
4cabbb9f48 Limit ASN.1 constructed types recursive definition depth
Constructed types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. Therefore we limit the stack depth.

CVE-2018-0739

Credit to OSSFuzz for finding this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-03-27 10:22:49 +01:00
Richard Levitte
b71fa7b32d Include "internal/dso_conf.h" where needed and appropriate
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5733)
2018-03-23 01:05:23 +01:00
Richard Levitte
c45bf277a1 Move the handling of dso_scheme to dso_conf.h
The macros resulting from the dso_scheme attribute were defined for
libraries only, but there's a test program that uses the macros as
well.  The easier way is to move the handling of this macro to
crypto/include/internal/dso_conf.h and having the modules that need it
include it.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5733)
2018-03-23 01:02:08 +01:00
Andy Polyakov
f55fd7f2c6 curve448/field.h: relax alignment, as it doesn't work universally.
Some platforms, cough-DJGPP, fail to compile claiming that requested
alignment is greater than maximum possible. Supposedly original
alignment was result of an attempt to utilize AVX2...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5708)
2018-03-22 11:50:44 +01:00
Andy Polyakov
d10ca7aed0 bio/bss_log.c: on DJGPP syslog facility is part of sockets library.
In other words no-sock DJGPP build should suppress syslogging.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5708)
2018-03-22 11:49:17 +01:00
Andy Polyakov
96f1b64d8c o_fopen.c: compensate for e_os.h omission.
At earlier point e_os.h was omitted from a number of headers (in order
to emphasize OS neutrality), but this affected o_fopen.c, which is not
OS-neutral, and contains some DJGPP-specific code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5708)
2018-03-22 11:48:43 +01:00
Kurt Roeckx
dbdcc04f27 DRBG: Use the EVP layer to do AES encryption
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #5580
2018-03-21 21:32:47 +01:00
David Benjamin
ddc1caac2d Document EC_POINT_get_affine_coordinates_*.
In particular, x and y may be NULL, as used in ecdsa_ossl.c. Make use of
this in ecdh_ossl.c as well, to save an otherwise unnecessary temporary.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5532)
2018-03-21 12:39:36 -04:00
Jack Bates
693be9a2cb Convert _meth_get_ functions to const getters
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2181)
2018-03-21 10:37:05 +00:00
Andy Polyakov
9d9dc6ac85 o_fopen.c,rand/randfile.c: compensate for e_os.h omission.
At earlier point e_os.h was omitted from a number of headers (in order
to emphasize OS neutrality), but this affected o_fopen.c and randfile.c
which are not OS-neutral, and contain some Win32-specific code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5676)
2018-03-21 10:12:36 +01:00
Matthias Kraft
4af14b7b01 Add dladdr() for AIX
Although it deviates from the actual prototype of DSO_dsobyaddr(), this
is now ISO C compliant and gcc -Wpedantic accepts the code.

Added DATA segment checking to catch ptrgl virtual addresses. Avoid
memleaks with every AIX/dladdr() call. Removed debug-fprintf()s.
Added test case for DSO_dsobyaddr(), which will eventually call dladdr().
Removed unecessary AIX ifdefs again.

The implementation can only lookup function symbols, no data symbols.
Added PIC-flag to aix*-cc build targets.

As AIX is missing a dladdr() implementation it is currently uncertain our
exit()-handlers can still be called when the application exits. After
dlclose() the whole library might have been unloaded already.

Signed-off-by: Matthias Kraft <makr@gmx.eu>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5668)
2018-03-20 21:33:50 -04:00
Matt Caswell
b0edda11cb Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5689)
2018-03-20 13:08:46 +00:00
Richard Levitte
93bf194584 crypto/rand/rand_vms.c: include "internal/rand_int.h"
Without it, the RAND_POOL typedef is missing

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5685)
2018-03-20 09:13:48 +00:00
Todd Short
27df459731 Fix no-sm3/no-sm2 (with strict-warnings)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5677)
2018-03-19 18:49:19 +00:00
Todd Short
98020023a4 Fix no-sm3 (and no-sm2)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5677)
2018-03-19 18:49:19 +00:00
Matt Caswell
1bf2cc237e Fix no-sm2
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5673)
2018-03-19 17:12:19 +00:00
Rich Salz
69e2b8d67d Revise and cleanup; use strict,warnings
Use shorter names for some defines, so also had to change the .c file
that used them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5669)
2018-03-19 10:23:28 -04:00
Kurt Roeckx
16cfc2c90d Don't use a ssl specific DRBG anymore
Since the public and private DRBG are per thread we don't need one
per ssl object anymore. It could also try to get entropy from a DRBG
that's really from an other thread because the SSL object moved to an
other thread.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5547)
2018-03-19 15:04:40 +01:00
Kurt Roeckx
7caf122e71 Make the public and private DRBG thread local
This avoids lock contention.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5547)
2018-03-19 15:04:40 +01:00
Jack Lloyd
4e66475063 Handle evp_tests assumption of EVP_PKEY_FLAG_AUTOARGLEN
Without actually using EVP_PKEY_FLAG_AUTOARGLEN

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4793)
2018-03-19 14:33:25 +01:00
Jack Lloyd
dceb99a5fb Support SM2 ECIES scheme via EVP
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4793)
2018-03-19 14:33:25 +01:00
Jack Lloyd
3d328a445c Add SM2 signature and ECIES schemes
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4793)
2018-03-19 14:33:25 +01:00
Andy Polyakov
9d3cab4bdb MIPS assembly pack: default heuristic detection to little-endian.
Current endianness detection is somewhat opportunistic and can fail
in cross-compile scenario. Since we are more likely to cross-compile
for little-endian now, adjust the default accordingly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5613)
2018-03-19 14:31:30 +01:00
Bernd Edlinger
c911e5da3c Fix bio callback backward compatibility
Don't pass a pointer to uninitialized processed value
for BIO_CB_READ and BIO_CB_WRITE

Check the correct cmd code in BIO_callback_ctrl

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5516)
2018-03-19 14:20:53 +01:00
Matt Caswell
df6d51e2e4 Fix no-cmac
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5665)
2018-03-19 12:38:01 +00:00
Dr. Matthias St. Pierre
dd07e68b20 Fix miscellaneous typos in docs and source
- d2i_PKC8PrivateKey -> d2i_PKCS8PrivateKey
- bechmark -> benchmark
- ciperhsuite -> ciphersuite
- EncyptedPreMasterSecret -> EncryptedPreMasterSecret

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5570)
2018-03-17 18:24:03 +01:00
Richard Levitte
d597208c03 ts_RESP_sign: Don't try to use v2 signing when ESS digest isn't set
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5653)
2018-03-17 14:47:41 +01:00
Kurt Roeckx
311276ffe3 Return error when trying to use prediction resistance
There is a requirements of having access to a live entropy source
which we can't do with the default callbacks. If you need prediction
resistance you need to set up your own callbacks that follow the
requirements of NIST SP 800-90C.

Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5402
2018-03-17 11:35:33 +01:00
Kurt Roeckx
eb238134e0 Propagate the request for prediction resistance to the get entropy call
Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5402
2018-03-17 11:35:33 +01:00
Bernd Edlinger
f96ff4e908 Fixed a crash in error handing of rand_drbg_new
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5646)
2018-03-17 08:19:41 +01:00
Bernd Edlinger
d288d7fc7b Fix error handling in b2i_dss and b2i_rsa
Fixes: #5567

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5624)
2018-03-17 08:15:31 +01:00
Dr. Matthias St. Pierre
31393fd906 RAND_DRBG: add a function for setting the default DRBG type and flags
This commit adds a new api RAND_DRBG_set_defaults() which sets the
default type and flags for new DRBG instances. See also #5576.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5632)
2018-03-16 18:31:30 +01:00
Dr. Matthias St. Pierre
6decf9436f Publish the RAND_DRBG API
Fixes #4403

This commit moves the internal header file "internal/rand.h" to
<openssl/rand_drbg.h>, making the RAND_DRBG API public.
The RAND_POOL API remains private, its function prototypes were
moved to "internal/rand_int.h" and converted to lowercase.

Documentation for the new API is work in progress on GitHub #5461.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5462)
2018-03-15 18:58:38 +01:00
Matt Caswell
f929439f61 Rename EVP_PKEY_new_private_key()/EVP_PKEY_new_public_key()
Renamed to EVP_PKEY_new_raw_private_key()/EVP_new_raw_public_key() as per
feedback.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
e8f9f08f17 Add functions for setting the new EVP_PKEY_ASN1_METHOD functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
0bcc8ec9d3 Make sure all errors go on the stack in the EVP_PKEY_new*() functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
b3831fbb0b Add the function EVP_PKEY_new_CMAC_key()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
2621c8479e Add support for setting raw private Poly1305 keys
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
5539c5d634 Add support for setting raw private SIPHASH keys
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
e32b52a27e Add support for setting raw private HMAC keys
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
cc8b15c7e1 Add support for setting raw private/public 25519/448 keys
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
a08802ce29 Add functions to create an EVP_PKEY from raw private/public key data
Not all algorithms will support this, since their keys are not a simple
block of data. But many can.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Pauli
5cd42251ba Missings OIDs for XTS added.
Added two missing OIDs for AES-{128,256}-XTS.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5622)
2018-03-15 11:09:20 +10:00
Matt Caswell
346149c164 Fix an error number clash
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5616)
2018-03-14 11:27:45 +00:00
Matt Caswell
f865b08143 Split configuration of TLSv1.3 ciphers from older ciphers
With the current mechanism, old cipher strings that used to work in 1.1.0,
may inadvertently disable all TLSv1.3 ciphersuites causing connections to
fail. This is confusing for users.

In reality TLSv1.3 are quite different to older ciphers. They are much
simpler and there are only a small number of them so, arguably, they don't
need the same level of control that the older ciphers have.

This change splits the configuration of TLSv1.3 ciphers from older ones.
By default the TLSv1.3 ciphers are on, so you cannot inadvertently disable
them through your existing config.

Fixes #5359

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5392)
2018-03-14 10:15:50 +00:00
Andy Polyakov
b3e02d06ba ec/curve25519.c: resolve regression with Android NDK's arm64 gcc.
Unlike "upstream", Android NDK's arm64 gcc [but not clang] performs
64x64=128-bit multiplications with library calls, which appears to
have devastating impact on performance. [The condition is reduced to
__ANDROID__ [&& !__clang__], because x86_64 has corresponding
assembly module.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5589)
2018-03-13 19:31:53 +01:00
Andy Polyakov
7747a49f24 store/loader_file.c: rename variables causing conflicts with Android NDK.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5589)
2018-03-13 19:31:44 +01:00
Tim Hudson
3b855b1f89 update SRP copyright notice
As per discussion with Peter Sylvester

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5603)
2018-03-13 18:33:44 +10:00
Richard Levitte
a5829ae282 Adjust LPdir_unix.c on VMS for OpenSSL expectations
When OPENSSL_DIR_read implemented by LPdir_unix.c gets a Unixy path,
it will return file names like you'd expect them on Unix.

However, if given a path with VMS syntax, such as "[.foo]", it returns
file names with generation numbers, such as "bar.txt;1", which makes
sense for VMS expectations, but can be surprising for OpenSSL.

Our solution is to simply shave off the generation number if
OPENSSL_DIR_read() expects there should be one, and make sure not to
return the same file name twice.  Note that VMS filesystems are case
insensitive, so the check for duplicate file names are done without
regard to character case.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5587)
2018-03-12 23:01:02 +01:00
Richard Levitte
4f7c840a4d CONF: On VMS, treat VMS syntax inclusion paths correctly
non-VMS syntax inclusion paths get the same treatment as on Unix.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5587)
2018-03-12 23:01:02 +01:00
Matt Caswell
c130c0fe1d Free the correct type in OBJ_add_object()
We should be using ASN1_OBJECT_free() not OPENSSL_free().

Fixes #5568

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5597)
2018-03-12 19:49:44 +00:00
Matt Caswell
4718f449a3 Improve error handling in pk7_doit
If a mem allocation failed we would ignore it. This commit fixes it to
always check.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5596)
2018-03-12 19:09:04 +00:00
gmile
e45b4dd292 Add OIDs for DSTU-4145
Original source:
2c5fc4c92b

Full list of OIDs is available on related enactment page
at http://zakon2.rada.gov.ua/laws/show/z0423-17

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5216)
2018-03-12 12:57:26 -04:00
Andy Polyakov
f1c00b93e2 mem_sec.c: portability fixup.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-03-12 11:03:17 +01:00
Dr. Matthias St. Pierre
4917e91160 RAND_DRBG: add a function for setting the reseeding defaults
The introduction of thread local public and private DRBG instances (#5547)
makes it very cumbersome to change the reseeding (time) intervals for
those instances. This commit provides a function to set the default
values for all subsequently created DRBG instances.

 int RAND_DRBG_set_reseed_defaults(
                                   unsigned int master_reseed_interval,
                                   unsigned int slave_reseed_interval,
                                   time_t master_reseed_time_interval,
                                   time_t slave_reseed_time_interval
                                   );

The function is intended only to be used during application initialization,
before any threads are created and before any random bytes are generated.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5576)
2018-03-10 00:26:30 +01:00
Benjamin Kaduk
b0143b9752 Fix type error in PEM processing
The get_name() helper was using a variable of type size_t to hold the
result of BIO_gets(), but BIO_gets() returns int and makes use of negative
values to indicate error conditions.

Change the type of the local variable to match, and propagate that
through to other places in the file to avoid -Wsign-compare issues.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5211)
2018-03-09 10:51:05 -06:00
Todd Short
37933acbea Add SSL/SSL_CTX_use_cert_and_key()
Add functions that will do the work of assigning certificate, privatekey
and chain certs to an SSL or SSL_CTX. If no privatekey is given, use the
publickey. This will permit the keys to pass validation for both ECDSA
and RSA. If a private key has already been set for the certificate, it
is discarded. A real private key can be set later.

This is an all-or-nothing setting of these parameters. Unlike the
SSL/SSL_CTX_use_certificate() and SSL/SSL_CTX_use_PrivateKey() functions,
the existing cert or privatekey is not modified (i.e. parameters copied).
This permits the existing cert/privatekey to be replaced.

It replaces the sequence of:
* SSL_use_certificate()
* SSL_use_privatekey()
* SSL_set1_chain()
And may actually be faster, as multiple checks are consolidated.

The private key can be NULL, if so an ENGINE module needs to contain the
actual private key that is to be used.

Note that ECDH (using the certificate's ECDSA key) ciphers do not work
without the private key being present, based on how the private key is
used in ECDH. ECDH does not offer PFS; ECDHE ciphers should be used instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/1130)
2018-03-09 10:28:04 -06:00
Richard Levitte
58d6be5b5d Display the library building flags
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5560)
2018-03-09 14:07:59 +01:00
Matt Caswell
e440f51395 Give more information in the SSL_stateless return code
Allow users to distinguish between an error occurring and an HRR being
issued.

Fixes #5549

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5562)
2018-03-09 11:37:58 +00:00
Richard Levitte
2bd3b626dd Make a few more asm modules conform: last argument is output file
Fixes #5310

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5315)
2018-03-08 19:31:41 +01:00
Richard Levitte
abe256e795 Make "make variables" config attributes for overridable flags
With the support of "make variables" comes the possibility for the
user to override them.  However, we need to make a difference between
defaults that we use (and that should be overridable by the user) and
flags that are crucial for building OpenSSL (should not be
overridable).

Typically, overridable flags are those setting optimization levels,
warnings levels, that kind of thing, while non-overridable flags are,
for example, macros that indicate aspects of how the config target
should be treated, such as L_ENDIAN and B_ENDIAN.

We do that differentiation by allowing upper case attributes in the
config targets, named exactly like the "make variables" we support,
and reserving the lower case attributes for non-overridable project
flags.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-08 17:24:02 +01:00
Bryan Donlan
082193ef2b Fix issues in ia32 RDRAND asm leading to reduced entropy
This patch fixes two issues in the ia32 RDRAND assembly code that result in a
(possibly significant) loss of entropy.

The first, less significant, issue is that, by returning success as 0 from
OPENSSL_ia32_rdrand() and OPENSSL_ia32_rdseed(), a subtle bias was introduced.
Specifically, because the assembly routine copied the remaining number of
retries over the result when RDRAND/RDSEED returned 'successful but zero', a
bias towards values 1-8 (primarily 8) was introduced.

The second, more worrying issue was that, due to a mixup in registers, when a
buffer that was not size 0 or 1 mod 8 was passed to OPENSSL_ia32_rdrand_bytes
or OPENSSL_ia32_rdseed_bytes, the last (n mod 8) bytes were all the same value.
This issue impacts only the 64-bit variant of the assembly.

This change fixes both issues by first eliminating the only use of
OPENSSL_ia32_rdrand, replacing it with OPENSSL_ia32_rdrand_bytes, and fixes the
register mixup in OPENSSL_ia32_rdrand_bytes. It also adds a sanity test for
OPENSSL_ia32_rdrand_bytes and OPENSSL_ia32_rdseed_bytes to help catch problems
of this nature in the future.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5342)
2018-03-08 10:27:49 -05:00
Sergey Zhuravlev
3b5e517200 Add GOST OIDs for Edwards parameter sets
Add OIDs for parameter sets of Edwards elliptic curves.

CLA: trivial

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5380)
2018-03-07 13:14:59 -05:00
Viktor Dukhovni
c7d5ea2670 Prepare to detect index changes in OCSP responder.
Retain open file handle and previous stat data for the CA index
file, enabling detection and index reload (upcoming commit).

Check requirements before entering accept loop.

Reviewed-by: Matt Caswell <matt@openssl.org>
2018-03-07 11:03:01 -05:00
Andy Polyakov
72983c0eab crypto/armcap.c: mask SHA512 hardware detection on iOS.
When running iOS application from command line it's impossible to
get past the failing capability detection. This is because it's
executed under debugger and iOS debugger is impossible to deal with.
[If Apple implements SHA512 in silicon, it would have to be detected
with sysctlbyname.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-03-06 23:18:24 +01:00
knekritz
41aede863b Avoid unconditional store in CRYPTO_malloc.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5372)
2018-03-06 13:21:49 -05:00
Kurt Roeckx
35503b7cdc Check the parent DRBG's strength
We currently don't support the algorithm from NIST SP 800-90C
10.1.2 to use a weaker DRBG as source

Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5506
2018-03-06 18:34:23 +01:00
Kurt Roeckx
3bc0ab06b0 bnrand_range: Always call bnrand() with the correct flag
It was calling the BN_rand() when it should have call BN_priv_rand()

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #5514
2018-03-06 18:32:35 +01:00
Tomas Mraz
b524b808a1 Add support for .include directive in config files
Either files or directories of *.cnf or *.conf files
can be included.
Recursive inclusion of directories is not supported.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5351)
2018-03-05 13:32:40 +00:00
Andy Polyakov
014cc4b27a mem_sec.c: portability fixup.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5493)
2018-03-03 22:14:19 +01:00
Andy Polyakov
9cbcea7e68 ec/curve448/f_generic.c: fix VC-WIN32 debug build failure.
Debugging asserts had implicit casts that triggered the warnings.
However, instead of making the casts explicit it's more appropriate
to perform checks that ensure that implicit casts were safe.

ec/curve448/scalar.c: size_t-fy scalar_decode_short.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5494)
2018-03-03 22:03:44 +01:00
Andy Polyakov
3ccbc5fff7 ec/curve448/curve448.c: fix undefined behaviour sanitizer failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5494)
2018-03-03 22:02:22 +01:00
Bernd Edlinger
55a7f77d72 Fix a possible memory leak in engine_table_register
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5489)
2018-03-03 19:58:18 +01:00
Matt Caswell
13735cfef6 Integrate X448 and Ed448 into libcrypto
This adds all of the relevant EVP plumbing required to make
X448 and Ed448 work.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5481)
2018-03-02 10:14:31 +00:00
Brad Spencer
178989b4a3 Test the result of CMS_RecipientInfo_ktri_get0_algs() before using its output in rsa_cms_encrypt().
CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4966)
2018-03-01 09:05:42 -06:00
Andy Polyakov
e72bf96718 ec/asm/x25519-x86_64.pl: remove redundant carry chain.
Why is it redundant? We're looking at carry from addition of small,
11-bit number to 256-bit one. And carry would mean only one thing,
resulting first limb being small number and remaing ones - zeros.
Hence adding 38 to first limb can't carry.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5476)
2018-03-01 13:59:28 +01:00
Kurt Roeckx
d91f45688c Tell the ciphers which DRBG to use for generating random bytes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4672
2018-02-28 21:20:01 +01:00
David Benjamin
8a5d8bc4bc Always use adr with __thumb2__.
Thumb2 addresses are a bit a mess, depending on whether a label is
interpreted as a function pointer value (for use with BX and BLX) or as
a program counter value (for use with PC-relative addressing). Clang's
integrated assembler mis-assembles this code. See
https://crbug.com/124610#c54 for details.

Instead, use the ADR pseudo-instruction which has clear semantics and
should be supported by every assembler that handles the OpenSSL Thumb2
code. (In other files, the ADR vs SUB conditionals are based on
__thumb2__ already. For some reason, this one is based on __APPLE__, I'm
guessing to deal with an older version of clang assembler.)

It's unclear to me which of clang or binutils is "correct" or if this is
even a well-defined notion beyond "whatever binutils does". But I will
note that https://github.com/openssl/openssl/pull/4669 suggests binutils
has also changed behavior around this before.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5431)
2018-02-27 18:46:33 -05:00
Rich Salz
22defb4350 Make some perl scripts output to stdout
And only generate one output "file" at a time for objects.pl

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5432)
2018-02-27 16:06:12 -05:00
Richard Levitte
4c861b3816 crypto/ec/asm/x25519-x86_64.pl: close STDOUT, not $STDOUT
Fixes #5471

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5472)
2018-02-27 21:17:57 +01:00
Dr. Matthias St. Pierre
d070b4ae78 bio_b64.c: prevent base64 filter BIO from decoding out-of-bound data
Fixes #5405, #1381

The base64 filter BIO reads its input in chunks of B64_BLOCK_SIZE bytes.
When processing input in PEM format it can happen in rare cases that

- the trailing PEM marker crosses the boundary of a chunk, and
- the beginning of the following chunk contains valid base64 encoded data.

This happened in issue #5405, where the PEM marker was split into
"-----END CER" and "TIFICATE-----" at the end of the first chunk.

The decoding of the first chunk terminated correctly at the '-' character,
which is treated as an EOF marker, and b64_read() returned. However,
when called the second time, b64_read() read the next chunk and interpreted
the string "TIFICATE" as valid base64 encoded data, adding 6 extra bytes
'4c 81 48 08 04 c4'.

This patch restores the assignment of the error code to 'ctx->cont', which
was deleted accidentally in commit 5562cfaca4 and which prevents b64_read()
from reading additional data on subsequent calls.

This issue was observed and reported by Annie Yousar.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5422)
2018-02-27 18:38:33 +01:00
Matt Caswell
0d66475908 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-02-27 13:59:42 +00:00
Andy Polyakov
5839185cdd mem_sec.c: relax POSIX requirement.
Even though mlock(2) was standardized in POSIX.1-2001, vendors did
implement it prior that point.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5460)
2018-02-26 17:50:52 +01:00
Andy Polyakov
6afed267db ec/ecp_nistp{224,256,521}.c: harmonize usage of __uint128_t.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5449)
2018-02-24 14:13:59 +01:00
Andy Polyakov
11a9eacde9 {ec/curve25519,poly1305/poly1305}.c: relax pedantic constraint.
As it turns out gcc -pedantic doesn't seem to consider __uint128_t
as non-standard, unlike __int128 that is.

Fix even MSVC warnings in curve25519.c.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5449)
2018-02-24 14:12:48 +01:00
Andy Polyakov
ae1ffe0f65 ec/curve448: portability fixups.
SPARC condition in __SIZEOF_INT128__==16 is rather performance thing
than portability. Even though compiler advertises int128 capability,
corresponding operations are inefficient, because they are not
directly backed by instruction set.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5449)
2018-02-24 14:11:06 +01:00
Andy Polyakov
e8c42b9888 ec/asm/x25519-x86_64.pl: fix up ADCX/ADOX fallback.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5447)
2018-02-24 14:05:17 +01:00
Bernd Edlinger
604e591ed7 Fix some bugs with the cfb1 bitsize handling
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5426)
2018-02-23 14:10:46 +01:00
Richard Levitte
93d2f9fa4a STORE 'file' scheme loader: Add search capibility
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2688)
2018-02-23 07:40:42 +01:00
Richard Levitte
fac8673b8a STORE: Add the possibility to search for specific information
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2688)
2018-02-23 07:40:42 +01:00
Richard Levitte
6541d9e264 STORE 'file' scheme loader: Add info type expectation
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2688)
2018-02-23 07:40:42 +01:00
Richard Levitte
072bfcc90b STORE: Add the possibility to specify an expected info type
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2688)
2018-02-23 07:40:42 +01:00
Richard Levitte
4eefdbda81 STORE: In preparation for coming work, mark when loading is started
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2688)
2018-02-23 07:40:42 +01:00
Rich Salz
1af563e374 Remove unused num.pl,segregnam scripts
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5433)
2018-02-22 15:36:27 -05:00
Kurt Roeckx
60595292ae Check return value of time() when getting additional data for the DRBG
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #5400
2018-02-21 20:44:11 +01:00
Pavel Kopyl
abcf241114 X509V3_EXT_add_nconf_sk, X509v3_add_ext: fix errors handling
X509v3_add_ext: free 'sk' if the memory pointed to by it
was malloc-ed inside this function.
X509V3_EXT_add_nconf_sk: return an error if X509v3_add_ext() fails.
This prevents use of a freed memory in do_body:sk_X509_EXTENSION_num().

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4698)
2018-02-21 12:18:48 +00:00
Samuel Weiser
8db7946ee8 Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5161)
2018-02-21 11:56:44 +00:00
Matt Caswell
7876dbffce Fix some undefined behaviour in the Curve448 code
We can't add NULL data into a hash

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5418)
2018-02-21 11:13:14 +00:00
Andy Polyakov
c521e4392f ec/curve25519.c: facilitate assembly implementations.
Currently it's limited to 64-bit platforms only as minimum radix
expected in assembly is 2^51.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5408)
2018-02-21 10:14:04 +01:00
Andy Polyakov
42efffcb70 Add x25519-x86_64.pl module, mod 2^255-19 primitives.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5408)
2018-02-21 10:13:59 +01:00
Andy Polyakov
127d6cf747 crypto/ec/curve25519.c: remove redundant fe[51]_cswap.
3 least significant bits of the input scalar are explicitly cleared,
hence swap variable has fixed value [of zero] upon exit from the loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5408)
2018-02-21 10:12:55 +01:00
Matt Caswell
dd8796c551 Some more cleanups of curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
a4e6dd819a fixup! More style fixes for the curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
18985129eb fixup! Improve readability of f_impl.c and f_impl.h
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
8e32ec7a56 Improve readability of f_impl.c and f_impl.h
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
cb5ed32665 Remove unrolled loops
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
909c68ae72 Yet more style updates to the curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
c1f15b76ef Further style changes to curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
9c9d6ff41c Simplify some code
The original curve448 code was templated to allow for a 25519
implementation. We've just imported the 448 stuff - but a remnant of
the original templated approach remained. This just simplifies that.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
a7232276fe Remove some unneccessary use of constant time code in curve448
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
434149c744 Fix a travis failure in the curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
2abe3cad23 Remove the curve448 vector code
We removed various platform specific optimisation files in an earlier
commit. The vector code was related to that and therefore is no longer
required. It may be resurrected at a later point if we reintroduce the
opimtisations.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
53ef3252fa More style fixes for the curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:31 +00:00
Matt Caswell
9fd3c858b4 Remove a strict aliasing issue with pre-computed curve448 constants
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
68b20c0065 More style fixes to Curve448 code based on review feedback
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
04ebd4e17e Some style fixes
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
e411822318 Formatting tweak based on review feedback
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
756b5af71c Use NLIMBS where appropriate to simplify the code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
8855a9a110 Remove cplusplus guards in internal headers
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
f918504f91 Remove the curve448 specific constant time implementation
Instead we should use the standard OpenSSL constant time routines.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
7114a5a17a Use the NLIMBS macro rather than try and calculate the number of limbs
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
bd74eae1be Rename a function to avoid a clash
We already have a constant_time_select() function so, to avoid
confusion/clashing we shouldn't have a second one.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
7e492f3372 Remove curve448 architecture specific files
Remove all architecture specific files except for the reference arch_32
version. These files provide archicture specific performance optimisation.
However they have not been integrated yet. In order to avoid review issues
they are removed for now. They may be reintroduced at a later time.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
0cdcdacc33 Fix AppVeyor failure in eddsa.c
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
dd03fd7e3a Fix travis failure in f_impl.c
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
06d72c2c64 Fix a typo in a comment
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
f53c77648c Update Curve448 copyright for 2018
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
bce3108161 Code tidy up
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
7d9e120fea Fixes for compilation using clang
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
2c9def25b1 Move curve448_test.c to be a full internal test
This ensures that this test is run as part of the test suite

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
52a9587c78 Fix build errors for Curve448 code on Windows (VC-WIN32 and VC-WIN64A)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
575d5afcf8 Remove some gcc/clang specific attributes we don't support
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
db90b274a1 Remove duplicated 448 in the names of various things
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
001a093419 Merge f_field.h into field.h
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
b47758dbd0 Merge f_arithmetic.c into f_generic.c
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
aeeef83cb5 Remove references to libdecaf
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
35b7c85a22 Remove some unneeded code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
8d55f844b0 Manual formatting tweaks to Curve448 code
Following running openssl-format-source there were a lot of manual tweaks
that were requried.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
205fd63881 Run util/openssl-format-source on the Curve448 code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
1308e022e1 Update the imported curve448 code to use OpenSSL copyright headers
Some files talk about the MIT license. This code was contributed under
CLA and was relicensed to the OpenSSL licence when imported.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
22bcc9cb7f Fix the ED448 key lengths
Unlike X448 the key lengths for ED448 are 57 bytes (as opposed to 56)

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
ff489fb472 Integrate Curve448 into the build system
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
094c071cbf Convert to C90 from C99
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
bb6e60adc5 Rename the decaf files to curve448 files
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
c4148792cf Remove portable_endian.h
It is no longer used

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
2799d38540 Remove the old shake256 implementation
We have fully converted curve448 to use the OpenSSL shake256 implementation
so we can now remove the old one.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
a242839f75 Convert Curve448 internals to use OpenSSL shake256
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
c255e98ed2 Use OpenSSL shake256
Convert the curve448 test to use the OpenSSL implementation of shake256.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
6ea71cbabe Add tests for Ed448ph
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
4ea41daa07 Add Ed448 tests
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
6207b13983 Remove inclusion of header files that we can't rely on due to portability
Some non-portable includes are left because they are already suitably
guarded.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
ca42a316a8 Remove DECAF_NOINLINE
OpenSSL does not have this concept

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
91f2e94c00 Remove DECAF_NONNULL
OpenSSL does not currently have this concept. It only provides compiler
warnings so just remove it.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
09ffbc94f2 Remove all instances of DECAF_API_VIS
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:30 +00:00
Matt Caswell
9455aab4fe Replace DECAF_WARN_UNUSED with __owur
Most of these were in point_448.h. While I was at it I spotted some unused
declarations, so I deleted those too.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
aacf29b8aa Replace DECAF_INLINE with ossl_inline
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
88ba7e71e0 Remove some vestiges of the old decaf template approach
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
e777257746 Rename decaf_448_* to curve448_*
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
46b4183155 Remove some more unneeded code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
a469abf05e Remove some uneeded macros and conditionally compiled code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
67f1cccd7e Remove some unneeded stuff
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
6853d09368 Add a local test
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
ad0a8a5c9d Add the X448() and X448_public_from_private() functions
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
b6e388ba9a Remove the decaf_bzero function and replace with OPENSSL_cleanse()
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
f8385b0fc0 Remove the curve448/decaf sub-directory
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
893b7c4f17 Remove some unneeded code
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
4052e1de4c Remove some deprecated curve 448 code and remove some unneeded defines
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
a2039c87f5 Remove some unneeded files and further flatten the curve 448 structure
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
abcd22bf62 Flatten the Curve 448 source structure
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
Matt Caswell
7324473f89 Import Curve 448 support
This imports selected files from the src directory of this repository:

https://sourceforge.net/p/ed448goldilocks/code/ci/v0.9.4/tree/

This is from the version tagged as "v0.9.4" with commit id 7527e9.

This code was originally writting by Mike Hamburg and the import is done by
kind permission of Rambus and Mike Hamburg under CLA. As this is under CLA
the files are being relicensed under the OpenSSL licence. Subsequent
commits will correct any licence notices in the individual files.

These files should provide complete self-contained support for X448 and
Ed448. They are imported "as is" from the source repository and this
commit does not attempt to integrate them into the OpenSSL build system,
or modify them in any way to fit OpenSSL style guidelines. That will be
done by subsequent commits.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
2018-02-20 12:59:29 +00:00
John Hughes
ebc0168384 Add BIO_bind function to bind local address for a socket.
Add -bind option to s_client application to allow specification of
local address for connection.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5272)
2018-02-19 22:58:37 +01:00
Massimiliano Pala
b383aa2081 Add X509_get0_authority_key_id() function
This function makes it easier to retrieve a reference to the
  authority key identifier (akid->keyid) inside a certificate.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5271)
2018-02-19 15:47:02 -05:00
Andy Polyakov
b761ff4e77 sha/asm/keccak1600-armv8.pl: add hardware-assisted ARMv8.2 subroutines.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5358)
2018-02-19 14:15:31 +01:00
Dr. Matthias St. Pierre
812b153706 DRBG: make locking api truly private
In PR #5295 it was decided that the locking api should remain private
and used only inside libcrypto. However, the locking functions were added
back to `libcrypto.num` by `mkdef.pl`, because the function prototypes
were still listed in `internal/rand.h`. (This header contains functions
which are internal, but shared between libcrypto and libssl.)

This commit moves the prototypes to `rand_lcl.h` and changes the names
to lowercase, following the convention therein. It also corrects an
outdated documenting comment.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5375)
2018-02-15 12:25:01 +01:00
Richard Levitte
4fd39122e5 OSSL_STORE: Add OSSL_STORE_vctrl()
It's a convenient complement to OSSL_STORE_ctrl()

Suggested by Norm Green

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5363)
2018-02-14 20:11:06 +01:00
Richard Levitte
6e652da4af VMS: modify crypto/bn/asm/ia64.S to build properly
On VMS, 'abort' is really 'decc$abort'

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5357)
2018-02-14 17:13:53 +01:00
Richard Levitte
722c9762f2 Harmonize the make variables across all known platforms families
The make variables LIB_CFLAGS, DSO_CFLAGS and so on were used in
addition to CFLAGS and so on.  This works without problem on Unix and
Windows, where options with different purposes (such as -D and -I) can
appear anywhere on the command line and get accumulated as they come.
This is not necessarely so on VMS.  For example, macros must all be
collected and given through one /DEFINE, and the same goes for
inclusion directories (/INCLUDE).

So, to harmonize all platforms, we repurpose make variables starting
with LIB_, DSO_ and BIN_ to be all encompassing variables that
collects the corresponding values from CFLAGS, CPPFLAGS, DEFINES,
INCLUDES and so on together with possible config target values
specific for libraries DSOs and programs, and use them instead of the
general ones everywhere.

This will, for example, allow VMS to use the exact same generators for
generated files that go through cpp as all other platforms, something
that has been impossible to do safely before now.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5357)
2018-02-14 17:13:53 +01:00
Matt Caswell
cb1c3d1a27 Make sure we check the return value of extract_min_max()
Commit 42d7d7dd6 turned this function from returning void to
returning an int error code. This instance of calling it was
missed.

Found by Coverity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5338)
2018-02-14 15:32:06 +00:00
Matt Caswell
62542d0464 Fix a memory leak in an error path
Found by Coverity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5336)
2018-02-14 15:30:15 +00:00
Viktor Dukhovni
babab8e7c9 Avoid fragile aliasing of SHA224/384 update/final
This is purported to save a few cycles, but makes the code less
obvious and more brittle, and in fact breaks on platforms where for
ABI continuity reasons there is a SHA2 implementation in libc, and
so EVP needs to call those to avoid conflicts.

A sufficiently good optimizer could simply generate the same entry
points for:

        foo(...) { ... }
    and
        bar(...) { return foo(...); }

but, even without that, the different is negligible, with the
"winner" varying from run to run (openssl speed -evp sha384):

    Old:
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes 16384 bytes
    sha384           28864.28k   117362.62k   266469.21k   483258.03k   635144.87k 649123.16k

    New:
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes 16384 bytes
    sha384           30055.18k   120725.98k   272057.26k   482847.40k   634585.09k 650308.27k

Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-02-13 23:27:51 -05:00
Kurt Roeckx
7296027956 Use both getrandom() and /dev/urandom by default on Linux.
getrandom() is now used on Linux by default when using Linux >= 3.17
and glibc >= 2.25

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #5314
2018-02-13 21:15:30 +01:00
Richard Levitte
f11a023ada VMS: for testutil, make sure to use BIO_f_linebuffer
Without that, output comes one character per line.  It's the same
issue as has been observed before, this happens when using write()
on a record oriented stream (possibly unbuffered too).

This also uncovered a bug in BIO_f_linebuffer, where this would cause
an error:

    BIO_write(bio, "1\n", 1);

I.e. there's a \n just after the part of the string that we currently
ask to get written.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5352)
2018-02-13 21:14:07 +01:00
Patrick Steuer
19308587d4 s390x assembly pack: implement OPENSSL_rdtsc as STCKF
.. if avalable. STCK has an artificial delay to ensure uniqueness
which can result in a performance penalty if used heavily
concurrently.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5284)
2018-02-13 20:34:38 +01:00
Rich Salz
97d37b85d4 Generate copyright year properly
Output copyright year depends on any input file(s) and the script.
This is not perfect, but better than what we had.
Also run 'make update'

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5350)
2018-02-13 13:22:30 -05:00
Dr. Matthias St. Pierre
d7c402c4f2 OPENSSL_cleanup: cleanup secure memory
If the global DRBGs are allocated on the secure heap, then calling
CRYPTO_secure_malloc_done() inside main() will have no effect, unless
OPENSSL_cleanup() has been called explicitely before that, because
otherwise the DRBGs will still be allocated. So it is better to cleanup
the secure heap automatically at the end of OPENSSL_cleanup().

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5294)
2018-02-13 17:32:54 +01:00
Dr. Matthias St. Pierre
8164d91d18 DRBG: make the derivation function the default for ctr_drbg
The NIST standard presents two alternative ways for seeding the
CTR DRBG, depending on whether a derivation function is used or not.
In Section 10.2.1 of NIST SP800-90Ar1 the following is assessed:

  The use of the derivation function is optional if either an
  approved RBG or an entropy source provides full entropy output
  when entropy input is requested by the DRBG mechanism.
  Otherwise, the derivation function shall be used.

Since the OpenSSL DRBG supports being reseeded from low entropy random
sources (using RAND_POOL), the use of a derivation function is mandatory.
For that reason we change the default and replace the opt-in flag
RAND_DRBG_FLAG_CTR_USE_DF with an opt-out flag RAND_DRBG_FLAG_CTR_NO_DF.
This change simplifies the RAND_DRBG_new() calls.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5294)
2018-02-13 17:32:54 +01:00
Dr. Matthias St. Pierre
4f9dabbfe3 DRBG: unify initialization and cleanup code
The functions drbg_setup() and drbg_cleanup() used to duplicate a lot of
code from RAND_DRBG_new() and RAND_DRBG_free(). This duplication has been
removed, which simplifies drbg_setup() and makes drbg_cleanup() obsolete.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5294)
2018-02-13 17:32:54 +01:00
Dr. Matthias St. Pierre
3ce1c27b56 DRBG: add locking api
This commit adds three new accessors to the internal DRBG lock

   int RAND_DRBG_lock(RAND_DRBG *drbg)
   int RAND_DRBG_unlock(RAND_DRBG *drbg)
   int RAND_DRBG_enable_locking(RAND_DRBG *drbg)

The three shared DRBGs are intended to be used concurrently, so they
have locking enabled by default. It is the callers responsibility to
guard access to the shared DRBGs by calls to RAND_DRBG_lock() and
RAND_DRBG_unlock().

All other DRBG instances don't have locking enabled by default, because
they are intendended to be used by a single thread. If it is desired,
locking can be enabled by using RAND_DRBG_enable_locking().

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5294)
2018-02-13 17:32:54 +01:00
Matt Caswell
6738bf1417 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-02-13 13:59:25 +00:00
Bernd Edlinger
ada22597ce Remove code that prints "<SPACES/NULS>" in hexdumps
when the data block ends with SPACEs or NULs.

The problem is, you can't see if the data ends
with SPACE or NUL or a combination of both.

This can happen for instance with
openssl rsautl -decrypt -hexdump

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5328)
2018-02-12 15:15:27 +01:00
Andy Polyakov
af0fcf7b46 sha/asm/sha512-armv8.pl: add hardware-assisted SHA512 subroutine.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-02-12 14:05:05 +01:00
Andy Polyakov
77f3612e2b crypto/armcap.c: detect hardware-assisted SHA512 support.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-02-12 14:04:53 +01:00
Rich Salz
6dbe4dc475 Copy name string in BIO_meth_new
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5318)
2018-02-10 13:36:47 -05:00
Viktor Dukhovni
4e0752535e Avoid leaking peername data via accept BIOs
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-02-09 21:06:18 -05:00
Nick Mathewson
41e9afa945 In err_all.c, include the *err.h headers.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5150)
2018-02-09 17:49:07 +01:00
FdaSilvaYY
a699b8e4ca Small simplification in mkerr.pl
As suggested in https://github.com/openssl/openssl/pull/5275

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5288)
2018-02-09 07:04:32 -05:00
Pauli
4cd58771d8 Fix glibc version detection.
Simplify Posix timer detection.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5279)
2018-02-09 10:10:45 +01:00
Pauli
bed4afa81b Fix glibc specific conditional for Mac OS/X
MacOS seems to define __GLIBC__ but not __GLIBC_PREREQ.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5269)
2018-02-07 11:46:15 +10:00
Pauli
2b66fd5720 Unify timer code
Remove the timer and TSC additional input code and instead provide a single
routine that attempts to use the "best" timer/counter available on the
system.  It attempts to use TSC, then various OS dependent resources and
finally several tries to obtain the date.  If any of these timer/counters
is successful, the rest are skipped.

No randomness is credited for this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5231)
2018-02-07 10:08:15 +10:00
Pauli
360fc9f412 Make OPENSSL_rdtsc universally available.
If such a timer/counter register is not available, the return value is always
zero.  This matches the assembly implementations' behaviour.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5231)
2018-02-07 10:08:15 +10:00
Rich Salz
a3a5d1b73d Remove unused file
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5267)
2018-02-06 15:27:26 -05:00
Patrick Steuer
5d2a6f4b71 crypto/evp/e_aes.c: add comments to s390x aes gcm implementation
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5230)
2018-02-06 19:41:21 +01:00
Patrick Steuer
39f5b069ac s390x assembly pack: add KMAC code path for aes-ccm
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5230)
2018-02-06 19:39:52 +01:00
Dr. Matthias St. Pierre
f61f62ea13 Use RAND_DRBG_bytes() for RAND_bytes() and RAND_priv_bytes()
The functions RAND_bytes() and RAND_priv_bytes() are now both based
on a common implementation using RAND_DRBG_bytes() (if the default
OpenSSL rand method is active). This not only simplifies the code
but also has the advantage that additional input from a high precision
timer is added on every generate call if the timer is available.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5251)
2018-02-05 20:05:14 +01:00
Dr. Matthias St. Pierre
1648338ba1 Fix size limitation of RAND_DRBG_bytes()
When comparing the implementations of drbg_bytes() and RAND_DRBG_bytes(),
it was noticed that the former split the buffer into chunks when calling
RAND_DRBG_generate() to circumvent the size limitation of the buffer
to outlen <= drb->max_request. This loop was missing in RAND_DRBG_bytes(),
so it was adopted from drbg_bytes().

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5251)
2018-02-05 20:05:14 +01:00
Dr. Matthias St. Pierre
58351fbd02 drbg_bytes: remove check for DRBG_UNINITIALIZED state
This check not only prevented the automatic reinstantiation of the
DRBG, which is implemented in RAND_DRBG_generate(), but also prevented
an error message from being generated in the case of failure.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5251)
2018-02-05 20:05:14 +01:00
David Benjamin
f345b1f39d Fix timing leak in BN_from_montgomery_word.
BN_from_montgomery_word doesn't have a constant memory access pattern.
Replace the pointer trick with a constant-time select. There is, of
course, still the bn_correct_top leak pervasive in BIGNUM itself.

See also https://boringssl-review.googlesource.com/22904 from BoringSSL.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5228)
2018-02-01 21:52:17 +01:00
David Benjamin
39eeb64f59 Don't leak the exponent bit width in BN_mod_exp_mont_consttime.
The exponent here is one of d, dmp1, or dmq1 for RSA. This value and its
bit length are both secret. The only public upper bound is the bit width
of the corresponding modulus (RSA n, p, and q, respectively).

Although BN_num_bits is constant-time (sort of; see bn_correct_top notes
in preceding patch), this does not fix the root problem, which is that
the windows are based on the minimal bit width, not the upper bound. We
could use BN_num_bits(m), but BN_mod_exp_mont_consttime is public API
and may be called with larger exponents. Instead, use all top*BN_BITS2
bits in the BIGNUM. This is still sensitive to the long-standing
bn_correct_top leak, but we need to fix that regardless.

This may cause us to do a handful of extra multiplications for RSA keys
which are just above a whole number of words, but that is not a standard
RSA key size.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5154)
2018-02-01 21:44:28 +01:00
David Benjamin
972c87dfc7 Make BN_num_bits_word constant-time.
(This patch was written by Andy Polyakov. I only wrote the commit
message. Mistakes in the analysis are my fault.)

BN_num_bits, by way of BN_num_bits_word, currently leaks the
most-significant word of its argument via branching and memory access
pattern.

BN_num_bits is called on RSA prime factors in various places. These have
public bit lengths, but all bits beyond the high bit are secret. This
fully resolves those cases.

There are a few places where BN_num_bits is called on an input where the
bit length is also secret. This does *not* fully resolve those cases as
we still only look at the top word. Today, that is guaranteed to be
non-zero, but only because of the long-standing bn_correct_top timing
leak. Once that is fixed, a constant-time BN_num_bits on such inputs
must count bits on each word.

Instead, those cases should not call BN_num_bits at all. In particular,
BN_mod_exp_mont_consttime uses the exponent bit width to pick windows,
but it should be using the maximum bit width. The next patch will fix
this.

Thanks to Dinghao Wu, Danfeng Zhang, Shuai Wang, Pei Wang, and Xiao Liu
for reporting this issue.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5154)
2018-02-01 21:44:18 +01:00