Commit graph

22390 commits

Author SHA1 Message Date
Billy Brumley
a766aab93a [crypto/ec] don't assume points are of order group->order
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6535)
2018-06-21 13:33:42 +02:00
Matt Caswell
27232cc338 Don't use OPENSSL_strdup() for copying alpn_selected
An alpn_selected value containing NUL bytes in it will result in
ext.alpn_selected_len having a larger value than the number of bytes
allocated in ext.alpn_selected.

Issue found by OSS-fuzz.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6507)
2018-06-21 11:07:45 +01:00
Nicola Tuveri
4f1b96f9fc Use DEPRECATEDIN_1_2_0 macro for DSA_sign_setup declaration
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6467)
2018-06-21 11:01:32 +01:00
Matt Caswell
7f9822a482 Add blinding to a DSA signature
This extends the recently added ECDSA signature blinding to blind DSA too.

This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.

Normally, as in ECDSA, during signing the signer calculates:

s:= k^-1 * (m + r * priv_key) mod order

In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.

As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:

s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only no CVE is assigned.

This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6522)
2018-06-21 10:15:57 +01:00
Matt Caswell
95aec8641f Document no-sm2
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6532)
2018-06-21 10:14:06 +01:00
Richard Levitte
63871d9f81 openssl ca: open the output file as late as possible
Fixes #6544

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6546)
2018-06-21 06:56:23 +02:00
Pauli
6e501c4719 Fix spelling errors in documentation.
Also fix some clumsy wording.

[skip_ci]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6545)
2018-06-21 14:54:27 +10:00
Richard Levitte
445bc80861 NOTES.UNIX: expand the description of RPATHs
Hopefully, this will make it more clear that it isn't only ELF
specific, even though there is a part that is (or even more
restrictively GNU ld.so specific).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6520)
2018-06-20 22:38:57 +02:00
Matt Caswell
8d983739bb Prepare for 1.1.1-pre9-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-06-20 15:49:35 +01:00
Matt Caswell
3098c3bd12 Prepare for 1.1.1-pre8 release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-06-20 15:48:08 +01:00
Matt Caswell
fd38836ba8 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6538)
2018-06-20 15:29:23 +01:00
Paul Kehrer
c4a8eb624f update pyca/cryptography submodule
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6528)
2018-06-20 14:34:47 +01:00
Matt Caswell
c86acc9f83 Fix no-sm2
Fixes #6525

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6531)
2018-06-20 14:29:31 +01:00
Bernd Edlinger
f73164ca1e Fix test sm2 test failure with ec blinding
[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6529)
2018-06-20 14:22:59 +01:00
Matt Caswell
fee33643a8 Fix enable-ssl3 enable-ssl3-method
Commit 4aa5a5669 accidentally missed off the catch all case of ignoring all
warning alerts that are otherwise unhandled. This breaks the SSLv3 tests
which send a "no certificate" warning alert.

Fixes #6496

[extended tests]

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6509)
2018-06-19 18:21:38 +01:00
Dr. Matthias St. Pierre
c4fad5d348 Improve the output of make doc-nits
- Print positive feedback in the case when 'make doc-nits' finds no errors.
- Other than before, keep the 'doc-nits' output file only in case of errors
  and remove it if it is empty.
- Declare 'doc-nits' as a phony make target to facilitate rerunning
  'make doc-nits' without having to remove the output file first.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6517)
2018-06-19 17:13:03 +02:00
Nicola Tuveri
b26befb541 Fix & update documentation about RAND_priv_bytes()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6514)
2018-06-19 17:06:38 +02:00
Sohaib ul Hassan
f667820c16 Implement coordinate blinding for EC_POINT
This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.

This commit is derived from the patch
https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.

Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.

For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.

For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6501)
2018-06-19 11:43:59 +01:00
Jack Lloyd
ddb634fe6f Move SM2 algos to SM2 specific PKEY method
Use EVP_PKEY_set_alias_type to access

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6443)
2018-06-19 11:29:44 +01:00
Jack Lloyd
2f2e6b6278 Add EVP_PKEY_set_alias_type
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6443)
2018-06-19 11:29:44 +01:00
Richard Levitte
a9091c137b Convert our own check of OPENSSL_NO_DEPRECATED
... to the check OPENSSL_API_COMPAT < 0x10100000L, to correspond with
how it's declared.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6470)
2018-06-19 10:33:01 +02:00
Richard Levitte
973abf5230 Configure option 'no-deprecated' means '-DOPENSSL_API_COMPAT=0x10100000L'
(that is, until 1.2.0 comes along)

Since we allow future deprecation (and that shouldn't be affected
by 'no-deprecated'), we need to distinguish what to have deprecated
on the value of OPENSSL_API_COMPAT, not the existence of
OPENSSL_NO_DEPRECATED.

Note that the macro OPENSSL_NO_DEPRECATED still exists, in case
someone still uses it.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6470)
2018-06-19 10:33:01 +02:00
Andy Polyakov
575045f59f ec/asm/ecp_nistz256-avx2.pl: harmonize clang version detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
2018-06-18 19:59:11 +02:00
Andy Polyakov
27635a4ecb {chacha|poly1305}/asm/*-x64.pl: harmonize clang version detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
2018-06-18 19:59:07 +02:00
Andy Polyakov
b55e21b357 sha/asm/sha{1|256}-586.pl: harmonize clang version detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
2018-06-18 19:59:03 +02:00
Andy Polyakov
9e97f61dec bn/asm/rsaz-avx2.pl: harmonize clang version detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
2018-06-18 19:58:35 +02:00
Matt Caswell
a47f0a8507 Fix error number clash
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6511)
2018-06-18 14:34:04 +01:00
David von Oheimb
8263e6cb98 add cast in test/x509aux.c preventing compiler warning for VC-WIN64A architecture
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6217)
2018-06-18 10:45:35 +01:00
David von Oheimb
49c9c1b3d0 add 'unsupported cipher mode' diagnostics to evp_lib.c and genpkey.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6217)
2018-06-18 10:45:35 +01:00
David von Oheimb
f2950a46a6 remove needless and misleading malloc failure error messages of PKCS12_SAFEBAG_create_pkcs8_encrypt
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6217)
2018-06-18 10:44:32 +01:00
Dr. Matthias St. Pierre
748eb991f4 RAND_POOL: Add missing implementations for djgpp
Calling the functions rand_pool_add_{additional,nonce}_data()
in crypto/rand/rand_lib.c with no implementation for djgpp/MSDOS
causees unresolved symbols when linking with djgpp.

Reported and fixed by Gisle Vanem

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6421)
2018-06-15 08:13:03 +02:00
Eric S. Raymond
86a92bcb13 Repair broken C syntax (missing close parens) in a manual page.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6491)
2018-06-15 10:32:41 +10:00
David Cooper
741f0c32b5 Update certificates in demos/bio, demos/cms, demos/smime
This commit replaces the certificates in demos/bio with new certificates that don't expire until 2118.
The same certificates appear in both demos/smime and demos/cms. This commit copies the new certificates and keys from demos/smime to demos/cms.
This PR Fixes #6412 by updating cacert.pem and signer.pem in the openssl/demos/smime/ directory. It also updates all of the keys with longer key lengths.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6483)
2018-06-15 09:10:30 +10:00
Andy Polyakov
3f0c3d2263 bn/bn_exp.c: harmonize all code paths with last commit.
848113a30b added mitigation for a
side-channel attack. This commit extends approach to all code
paths for consistency.

[It also removes redundant white spaces introduced in last commit.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6480)
2018-06-14 21:27:08 +02:00
Andy Polyakov
82b6b0848c Configurations/10-main.conf: improve Makefile readability on AIX and Solaris.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6477)
2018-06-14 21:24:38 +02:00
Andy Polyakov
0ef40b76e7 Configurations/10-main.conf: move hpux-shared flags to hpux-common.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6477)
2018-06-14 21:23:40 +02:00
Eric S. Raymond
17e822e9f8 Fix manpage problems
CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #6472
2018-06-13 20:12:45 +02:00
Matt Caswell
a3e9d5aa98 Add blinding to an ECDSA signature
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:

s:= k^-1 * (m + r * priv_key) mod order

The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.

As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:

s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only no CVE is assigned.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-06-13 16:19:22 +01:00
Andy Polyakov
d3273ef6c5 Configurations/10-main.conf: replace -bexpall with explicit list on AIX.
[omit even -b:SRE, as it's implied by -G flag.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6453)
2018-06-13 10:48:27 +02:00
Andy Polyakov
10aafed3ec Configurations/10-main.conf: AIX configs unification.
Add aix-common template that covers even aix-shared from shared-info.pl,
add -bsymbolic to shared_ldflags.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6453)
2018-06-13 10:48:14 +02:00
Andy Polyakov
60aa6c1a59 Configure: add shared() to facilitate shared-specific flags.
This allows to specify flags specific to shared build, e.g.
'bin_lflags => shared("-Wl,-bsvr4")'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6453)
2018-06-13 10:47:43 +02:00
Andy Polyakov
dbb85890a8 Configurations/10-main.conf: reinstate soname on Solaris.
The flag was apparently omitted in switch from Makefile.shared to
shared-info.pl. Do put it back! And in the process move all
solaris-shared flags from shared-info.pl to solaris-common.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6446)
2018-06-13 10:43:37 +02:00
Richard Levitte
55c5c1b63a doc/man7/passphrase-encoding.pod: Make consistent
The man name didn't match the file name, and some places had
'password' instead of 'pass phrase'.

Fixes #6474

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6476)
2018-06-13 10:27:03 +02:00
Viktor Dukhovni
0df65d82db Document return value of X509_add_ext
and also X509_delete_ext()

Reviewed-by: Matt Caswell <matt@openssl.org>
2018-06-12 12:23:51 -04:00
Nicola Tuveri
8fe4c0b001 Deprecate DSA_sign_setup() in the documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6460)
2018-06-12 13:28:35 +01:00
Richard Levitte
3ccfcd8a85 Make ck_errf.pl ignore commented out error generation
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6461)
2018-06-12 12:31:45 +02:00
Richard Levitte
caf12bd675 .travis.yml: give make update exit code meaning again
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6461)
2018-06-12 12:31:45 +02:00
Richard Levitte
aa6cc8d33c make errors: use the new util/ck_errf.pl options
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6461)
2018-06-12 12:31:45 +02:00
Richard Levitte
b9def672b1 util/ck_errf.pl: add functionality that brings it closer to util/mkerr.pl
There was no option to give other config files than the default
crypto/err/openssl.ec, and yet it tried to check the errors generated
in engines (and failing, of course).

Also added the same '-internal' option as util/mkerr.pl.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6461)
2018-06-12 12:31:45 +02:00
Guido Vranken
91f7361f47 Reject excessively large primes in DH key generation.
CVE-2018-0732

Signed-off-by: Guido Vranken <guidovranken@gmail.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6457)
2018-06-12 10:06:46 +01:00