Commit graph

23158 commits

Author SHA1 Message Date
Vitezslav Cizek
a7e1cb8cbb apps/speed.c: properly address NO_EC2M on systems without SIGALRM
The ecdh_c array is allocated of the same size as ecdh_choices,
whose size depends on whether the support for binary curves is enabled
or not.  (The same goes for ecdsa_c).
On systems without SIGALRM, ecdh_c is indexed by predefined constants
intended for representing the index of the ciphers in the ecdh_choices
array.
However, in case of NO_EC2M some of the #defined constants won't match
and would actually access the ecdh_c out-of-bounds.

Use enum instead of a macro to define the curve indexes so they're
within the bounds of the ecdh_c array.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8422)

(cherry picked from commit f5c9916742)
2019-03-19 10:30:27 +00:00
Vitezslav Cizek
958beb89b3 apps/speed.c: skip binary curves when compiling with OPENSSL_NO_EC2M
openssl speed doesn't take into account that the library could be
compiled without the support for the binary curves and happily uses
them, which results in EC_GROUP_new_by_curve_name() errors.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8422)

(cherry picked from commit d61f489b5a)
2019-03-19 10:30:27 +00:00
Dr. Matthias St. Pierre
5f702f16e7 Configure: untabify indentation
The indentation in the Configure file is currently very strange when
viewed in an editor with a tab width of four spaces, because it has
mixed tab-and-whitespace indentation, which was apparently done with
a tab width of eight spaces.

This commit converts all tabs to spaces using expand(1) with default
    settings. To verify that there are only whitespace changes, use

   git show --ignore-space-change  <this commit>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8512)
2019-03-19 09:16:03 +01:00
Hua Zhang
0d0d12b804 Fix compiling error for mips32r6 and mips64r6
There are some compiling errors for mips32r6 and mips64r6:

crypto/bn/bn-mips.S:56: Error: opcode not supported on this processor: mips2 (mips2) `mulu $1,$12,$7'
crypto/mips_arch.h: Assembler messages:
crypto/mips_arch.h:15: Error: junk at end of line, first unrecognized character is `&'

Signed-off-by: Hua Zhang <hua.zhang1974@hotmail.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8464)

(cherry picked from commit 1b9c5f2e2f)
2019-03-19 07:37:45 +01:00
Richard Levitte
0584ce737e Add missing '.text' in crypto/bn/asm/ppc.pl
Fixes #8495

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8496)

(cherry picked from commit 2864df8f9d)
2019-03-19 07:34:54 +01:00
Shane Lontis
c8a9fa6910 Added NULL check to BN_clear() & BN_CTX_end()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8518)

(cherry picked from commit ce1415ed2c)
2019-03-19 07:28:39 +01:00
Bernd Edlinger
202f7c5659 Clear the point S before freeing in ec_scalar_mul_ladder
The secret point R can be recovered from S using the equation R = S - P.
The X and Z coordinates should be sufficient for that.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8504)

(cherry picked from commit 8a74bb5c7b)
2019-03-18 22:42:23 +01:00
Bernd Edlinger
18c1f9997a Clear the secret point in ecdh_simple_compute_key
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8501)

(cherry picked from commit 1ff2c992c2)
2019-03-18 22:30:50 +01:00
Daniel Axtens
5dcfd6c50a PPC assembly pack: fix copy-paste error in CTR mode
There are two copy-paste errors in handling CTR mode. When dealing
with a 2 or 3 block tail, the code branches to the CBC decryption exit
path, rather than to the CTR exit path.

This can lead to data corruption: in the Linux kernel we have a copy
of this file, and the bug leads to corruption of the IV, which leads
to data corruption when we call the encryption function again later to
encrypt subsequent blocks.

Originally reported to the Linux kernel by Ondrej Mosnáček <omosnacek@gmail.com>

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8510)

(cherry picked from commit f643deac41)
2019-03-18 20:07:57 +10:00
Shane Lontis
87d9429c7e coverity fixes for bntest.c
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8508)

(cherry picked from commit e2f5081116)
2019-03-18 13:39:43 +10:00
Dr. Matthias St. Pierre
b8caae27f1 VMS: only use the high precision on VMS v8.4 and up
Fixes #8487
Amends #7230

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8488)

(cherry picked from commit 355417eb46)
2019-03-15 08:46:29 +01:00
Nicola Tuveri
45956011b9 Fix memory leak in ectest
Fixes #8462

(cherry picked from commit 81d61a62fa)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8466)
2019-03-13 20:48:09 +02:00
Matt Caswell
cd61ad38b5 Fix memory leaks in pkread.c demo file
Also make various changes to bring the file into line with current coding
style.

Fixes #8456

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8457)

(cherry picked from commit 81cd023f1d)
2019-03-13 09:55:54 +00:00
Shane Lontis
191570d0b9 fix truncation of integers on 32bit AIX
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8417)

(cherry picked from commit 98f29466dc)
2019-03-11 14:47:00 +01:00
A. Schulze
d38ef8c89e Fix two spelling errors
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8447)

(cherry picked from commit 3dcbb6c4a3)
2019-03-10 21:01:52 +01:00
Bernd Edlinger
f1006f188c Update documentation of RSA_padding_check_PKCS1_OAEP_mgf1
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8365)

(cherry picked from commit f0e4a860d0)
2019-03-07 23:00:42 +01:00
Bernd Edlinger
930e031052 Do the error handling in pkey_rsa_decrypt in constant time
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8365)

(cherry picked from commit 049e64cbb0)
2019-03-07 22:59:48 +01:00
Bernd Edlinger
25e410ee3c Add a simple test for RSA_SSLV23_PADDING
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8365)

(cherry picked from commit ac6fff700a)
2019-03-07 22:58:15 +01:00
Bernd Edlinger
50788b8b36 Update documentation regarding required output buffer memory size
of RSA_private_decrypt/RSA_public_encrypt.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8365)

(cherry picked from commit b89fdeb2f7)
2019-03-07 22:54:31 +01:00
Bernd Edlinger
f61c68043d Fix memory overrun in rsa padding check functions
Fixes #8364 and #8357

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8365)

(cherry picked from commit d7f5e5ae6d)
2019-03-07 22:52:20 +01:00
Bernd Edlinger
35eecd173e Limit DEVRANDOM_WAIT to linux
Fixes #8416

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8428)

(cherry picked from commit 596521f488)
2019-03-07 22:39:33 +01:00
Matt Caswell
acd9b16b01 Add a test for underflow in ecp_nistp521.c
The previous commit fixed an underflow that may occur in ecp_nistp521.c.
This commit adds a test for that condition. It is heavily based on an
original test harness by Billy Brumley.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8405)

(cherry picked from commit 6855b496b2)
2019-03-07 14:47:39 +00:00
Matt Caswell
d49b888910 Avoid an underflow in ecp_nistp521.c
The function felem_diff_128_64 in ecp_nistp521.c substracts the number |in|
from |out| mod p. In order to avoid underflow it first adds 32p mod p
(which is equivalent to 0 mod p) to |out|. The comments and variable naming
suggest that the original author intended to add 64p mod p. In fact it
has been shown that with certain unusual co-ordinates it is possible to
cause an underflow in this function when only adding 32p mod p while
performing a point double operation. By changing this to 64p mod p the
underflow is avoided.

It turns out to be quite difficult to construct points that satisfy the
underflow criteria although this has been done and the underflow
demonstrated. However none of these points are actually on the curve.
Finding points that satisfy the underflow criteria and are also *on* the
curve is considered significantly more difficult. For this reason we do
not believe that this issue is currently practically exploitable and
therefore no CVE has been assigned.

This only impacts builds using the enable-ec_nistp_64_gcc_128 Configure
option.

With thanks to Bo-Yin Yang, Billy Brumley and Dr Liu for their significant
help in investigating this issue.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8405)

(cherry picked from commit 13fbce17fc)
2019-03-07 14:47:39 +00:00
Matt Caswell
f7a6d1122b Update ChaCha20-Poly1305 documentation
Correctly describe the maximum IV length.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit 27d5631236)
2019-03-06 13:30:39 +00:00
Matt Caswell
9b10d1bf77 Test an overlong ChaCha20-Poly1305 nonce
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit a4f0b50eaf)
2019-03-06 13:30:39 +00:00
Matt Caswell
f426625b6a Prevent over long nonces in ChaCha20-Poly1305
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However it
also incorrectly allows a nonce to be set of up to 16 bytes. In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.

It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.

CVE-2019-1543

Fixes #8345

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit 2a3d0ee9d5)
2019-03-06 13:30:39 +00:00
Matt Caswell
c9a826d28f Don't write the tick_identity to the session
Sessions must be immutable once they can be shared with multiple threads.
We were breaking that rule by writing the ticket index into it during the
handshake. This can lead to incorrect behaviour, including failed
connections in multi-threaded environments.

Reported by David Benjamin.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8383)

(cherry picked from commit c96ce52ce2)
2019-03-05 14:28:27 +00:00
Vitezslav Cizek
99f0c7a8a6 openssl_strerror_r: Fix handling of GNU strerror_r
GNU strerror_r may return either a pointer to a string that the function
stores in buf, or a pointer to some (immutable) static string in which case
buf is unused.

In such a case we need to set buf manually.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8371)

(cherry picked from commit e3b35d2b29)
2019-03-04 10:11:05 +00:00
Bernd Edlinger
c352bd07ed Fix seeding from random device w/o getrandom syscall
Use select to wait for /dev/random in readable state,
but do not actually read anything from /dev/random,
use /dev/urandom first.

Use linux define __NR_getrandom instead of the
glibc define SYS_getrandom, in case the kernel headers
are more current than the glibc headers.

Fixes #8215

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8251)

(cherry picked from commit 38023b87f0)
2019-03-01 18:29:56 +01:00
Shigeki Ohtsu
de4fb434c7 deps: add s390 asm rules for OpenSSL-1.1.1
Generate asm files with Makefile rules.

From:
- 0d9a86c7cb

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8351)
2019-03-01 08:41:26 +01:00
Richard Levitte
0342e42d86 Configure: support a few more "make variables" defaulting from env
CFLAGS, CXXFLAGS, CPPFLAGS, LDFLAGS, and LDLIBS

(cherry picked from commit 8e7984e578)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
2019-02-28 13:08:05 +01:00
Richard Levitte
3dee23a684 .travis.yml: change -std=c89 to -ansi
For C, -ansi is equivalent to -std=c90
For C++, -ansi is equivalent to -std=c++98

We also place -ansi in CPPFLAGS instead of the usual command line config,
to avoid getting it when linking (clang complains)

(cherry picked from commit 874f785988)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
2019-02-28 13:08:04 +01:00
Richard Levitte
d1d0598b7f Configuration: divide devteam flags into language specific sets
Some of the devteam flags are not for C++

(cherry picked from commit e373c70a3e)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
2019-02-28 13:08:04 +01:00
Richard Levitte
ed8a604958 Do buildtests on our public header files with C++ as well
This ensures that we don't mistakenly use C++ keywords anywhere public.

Related to #8313

(cherry picked from commit 9f27d4bf32)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
2019-02-28 13:08:04 +01:00
Richard Levitte
cd7dc67c44 Configure: make --strict-warnings a regular user provided compiler option
This makes `--strict-warnings` into a compiler pseudo-option, i.e. it
gets treated the same way as any other compiler option given on the
configuration command line, but is retroactively replaced by actual
compiler warning options, depending on what compiler is used.

This makes it easier to see in what order options are given to the
compiler from the configuration command line, i.e. this:

    ./config -Wall --strict-warnings

would give the compiler flags in the same order as they're given,
i.e.:

    -Wall -Werror -Wno-whatever ...

instead of what we got previously:

    -Werror -Wno-whatever ... -Wall

(cherry picked from commit fcee53948b)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
2019-02-28 13:08:04 +01:00
Shane Lontis
dbb1340314 cfi build fixes in x86-64 ghash assembly
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8281)

(cherry picked from commit 54d00677f3)
2019-02-27 22:44:46 +01:00
Richard Levitte
e8926acfe2 Make the padlock engine build correctly
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8220)

(cherry picked from commit 149c12d5e4)
2019-02-27 11:34:40 +01:00
Richard Levitte
5dcfd143e1 Ensure configured module specific and application specific defines are used
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8220)

(cherry picked from commit 2fce15b58b)
2019-02-27 11:34:40 +01:00
Richard Levitte
9c8516b63c Add PADLOCK_ASM to dso_defines rather than lib_defines
Since the padlock code is an engine, the assembler is for a module,
not a library link to when building a program...  there's a
distinction.

Fixes #2311

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8220)

(cherry picked from commit 88780b1c5f)
2019-02-27 11:34:39 +01:00
Paul Yang
9c6d536f53 Fix the default digest algorthm of SM2
Currently SM2 shares the ameth with EC, so the current default digest
algorithm returned is SHA256. This fixes the default digest algorithm of
SM2 to SM3, which is the only valid digest algorithm for SM2 signature.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8186)

(cherry picked from commit e766f4a053)
2019-02-27 10:09:54 +08:00
Richard Levitte
e8dc658036 Revert "Configure: stop forcing use of DEFINE macros in headers"
Github PR #8246 provides a better solution to the problem.

This reverts commit f11ffa505f.

[extended tests]

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8247)

(cherry picked from commit 4089b43407)
2019-02-26 22:49:14 +01:00
Billy Brumley
555b2593f7 [test] modernize ecdsatest and extend ECDSA sign KATs
(cherry picked from commit 1a31d8017e)

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8314)
2019-02-26 18:01:52 +02:00
Nicola Tuveri
4045f68837 Fix trivial typo in EVP_DigestVerifyInit doc
(cherry picked from commit b3883f77df)

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8319)
2019-02-26 17:54:08 +02:00
Matt Caswell
69fc126cfd Prepare for 1.1.1c-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2019-02-26 14:17:50 +00:00
Matt Caswell
50eaac9f33 Prepare for 1.1.1b release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2019-02-26 14:15:30 +00:00
Matt Caswell
ab874dfd3e Clarify that SSL_shutdown() must not be called after a fatal error
Follow on from CVE-2019-1559

Reviewed-by: Richard Levitte <levitte@openssl.org>
2019-02-26 14:12:48 +00:00
Matt Caswell
72a7a7021f Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8347)
2019-02-26 14:05:09 +00:00
Eneas U de Queiroz
047463833e e_devcrypto: set digest input_blocksize
This restores the behavior of previous versions of the /dev/crypto
engine, in alignment with the default implementation.

Reported-by: Gerard Looije <lglooije@hotmail.com>
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8306)
2019-02-26 13:38:53 +00:00
Eneas U de Queiroz
02f84c3e4a eng_devcrypto: close open session on init
cipher_init may be called on an already initialized context, without a
necessary cleanup.  This separates cleanup from initialization, closing
an eventual open session before creating a new one.

Move the /dev/crypto session cleanup code to its own function.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8306)
2019-02-26 13:38:53 +00:00
Matt Caswell
86f1d6ca3a Update NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8344)
2019-02-26 10:46:41 +00:00