Commit graph

10257 commits

Author SHA1 Message Date
Daniel DeFreez
a12b338f06 Fix null pointer dereference in ssl_module_init
CLA: Trivial

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8183)

(cherry picked from commit 758229f7d2)
2019-02-11 08:33:28 +10:00
Todd Short
3dbec21b46 Fix d2i_PublicKey() for EC keys
o2i_ECPublicKey() requires an EC_KEY structure filled with an EC_GROUP.

o2i_ECPublicKey() is called by d2i_PublicKey(). In order to fulfill the
o2i_ECPublicKey()'s requirement, d2i_PublicKey() needs to be called with
an EVP_PKEY with an EC_KEY containing an EC_GROUP.

However, the call to EVP_PKEY_set_type() frees any existing key structure
inside the EVP_PKEY, thus freeing the EC_KEY with the EC_GROUP that
o2i_ECPublicKey() needs.

This means you can't d2i_PublicKey() for an EC key...

The fix is to check to see if the type is already set appropriately, and
if so, not call EVP_PKEY_set_type().

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8168)

(cherry picked from commit 2aa2beb06c)
2019-02-08 10:04:13 +00:00
Sam Roberts
3b09585bd6 Remove unnecessary trailing whitespace
Trim trailing whitespace. It doesn't match OpenSSL coding standards,
AFAICT, and it can cause problems with git tooling.

Trailing whitespace remains in test data and external source.

Backport-of: https://github.com/openssl/openssl/pull/8092

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8134)
2019-02-05 16:29:17 +01:00
Bernd Edlinger
1b66fc87da Fix a crash in reuse of i2d_X509_PUBKEY
If the second PUBKEY is malformed there is use after free.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8122)

(cherry picked from commit 5dc40a83c7)
2019-01-31 19:27:37 +01:00
Bernd Edlinger
df3b7b99a8 Fixed d2i_X509 in-place not re-hashing the ex_flags
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8116)

(cherry picked from commit 5364902250)
2019-01-31 19:20:03 +01:00
Bernd Edlinger
7193394aee Fix a memory leak with di2_X509_CRL reuse
Additionally avoid undefined behavior with
in-place memcpy in X509_CRL_digest.

Fixes #8099

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8112)

(cherry picked from commit a727627922)
2019-01-31 19:14:17 +01:00
Matt Caswell
9ed9875f05 Don't leak memory from ERR_add_error_vdata()
If the call the ERR_set_error_data() in ERR_add_error_vdata() fails then
a mem leak can occur. This commit checks that we successfully added the
error data, and if not frees the buffer.

Fixes #8085

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8105)

(cherry picked from commit fa6b1ee111)
2019-01-29 11:12:26 +00:00
David Asraf
eae1c647df crypto/bn: fix return value in BN_generate_prime
When the ret parameter is NULL the generated prime
is in rnd variable and not in ret.

CLA: trivial

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8076)

(cherry picked from commit 3d43f9c809)
2019-01-27 12:18:50 +00:00
Klotz, Tobias
b6d41ff733 Cleanup vxworks support to be able to compile for VxWorks 7
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7569)

(cherry picked from commit 5c8b7b4caa)
2019-01-24 17:58:27 +01:00
Bernd Edlinger
b6769a3865 PPC: Try out if mftb works before using it
If this fails try out if mfspr268 works.

Use OPENSSL_ppccap=0x20 for enabling mftb,
OPENSSL_ppccap=0x40 for enabling mfspr268,
and OPENSSL_ppccap=0 for enabling neither.

Fixes #8012

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8043)

(cherry picked from commit c8f370485c)
2019-01-21 15:45:53 +01:00
Corey Minyard
492f70645c Fix a memory leak in the mem bio
If you use a BIO and set up your own buffer that is not freed, the
memory bio will leak the BIO_BUF_MEM object it allocates.

The trouble is that the BIO_BUF_MEM is allocated and kept around,
but it is not freed if BIO_NOCLOSE is set.

The freeing of BIO_BUF_MEM was fairly confusing, simplify things
so mem_buf_free only frees the memory buffer and free the BIO_BUF_MEM
in mem_free(), where it should be done.

Alse add a test for a leak in the memory bio
Setting a memory buffer caused a leak.

Signed-off-by: Corey Minyard <minyard@acm.org>

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8051)

(cherry picked from commit c6048af23c)
2019-01-21 17:50:04 +10:00
David Benjamin
781378daca Reduce inputs before the RSAZ code.
The RSAZ code requires the input be fully-reduced. To be consistent with the
other codepaths, move the BN_nnmod logic before the RSAZ check.

This fixes an oft-reported fuzzer bug.
https://github.com/google/oss-fuzz/issues/1761

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7187)

(cherry picked from commit 3afd537a3c)
2019-01-17 08:19:24 +10:00
Richard Levitte
b36b1632e2 crypto/armcap.c, crypto/ppccap.c: stricter use of getauxval()
Having a weak getauxval() and only depending on GNU C without looking
at the library we build against meant that it got picked up where not
really expected.

So we change this to check for the glibc version, and since we know it
exists from that version, there's no real need to make it weak.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8028)

(cherry picked from commit 5f40dd158c)
2019-01-16 18:04:22 +01:00
Richard Levitte
6ffcd10ade crypto/uid.c: use own macro as guard rather than AT_SECURE
It turns out that AT_SECURE may be defined through other means than
our inclusion of sys/auxv.h, so to be on the safe side, we define our
own guard and use that to determine if getauxval() should be used or
not.

Fixes #7932

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7933)

(cherry picked from commit aefb980c45)
2019-01-16 06:21:32 +01:00
Matt Caswell
46c853e03a Check more return values in the SRP code
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8019)

(cherry picked from commit d63bde7827)
2019-01-15 11:35:08 +00:00
Matt Caswell
d42c356882 Check a return value in the SRP code
Spotted by OSTIF audit

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8019)

(cherry picked from commit 0a5bda639f)
2019-01-15 11:35:08 +00:00
Viktor Dukhovni
25eb9299ce More configurable crypto and ssl library initialization
1.  In addition to overriding the default application name,
    one can now also override the configuration file name
    and flags passed to CONF_modules_load_file().

2.  By default we still keep going when configuration file
    processing fails.  But, applications that want to be
    strict about initialization errors can now make explicit
    flag choices via non-null OPENSSL_INIT_SETTINGS that omit
    the CONF_MFLAGS_IGNORE_RETURN_CODES flag (which had so far
    been both undocumented and unused).

3.  In OPENSSL_init_ssl() do not request OPENSSL_INIT_LOAD_CONFIG
    if the options already include OPENSSL_INIT_NO_LOAD_CONFIG.

4.  Don't set up atexit() handlers when called with opts equal to
    OPENSSL_INIT_BASE_ONLY (this flag should only be used alone).

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7969)
2019-01-07 13:53:52 -05:00
Viktor Dukhovni
1bfd76b3af Update generator copyright year.
Some Travis builds appear to fail because generated objects get
2019 copyrights now, and the diff complains.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7969)
2019-01-07 13:53:24 -05:00
Matt Caswell
56806f432b Support _onexit() in preference to atexit() on Windows
This enables cleanup to happen on DLL unload instead of at process exit.

[extended tests]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7983)
2019-01-04 20:23:16 +00:00
Matt Caswell
6b97cc6ec1 Introduce a no-pinshared option
This option prevents OpenSSL from pinning itself in memory.

Fixes #7598

[extended tests]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7983)
2019-01-04 20:23:16 +00:00
Matt Caswell
c2b3db2454 Implement OPENSSL_INIT_NO_ATEXIT
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7983)
2019-01-04 20:23:16 +00:00
Matt Caswell
f725fe5b4b Fix a RUN_ONCE bug
We have a number of instances where there are multiple "init" functions for
a single CRYPTO_ONCE variable, e.g. to load config automatically or to not
load config automatically. Unfortunately the RUN_ONCE mechanism was not
correctly giving the right return value where an alternative init function
was being used.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7983)
2019-01-04 20:23:16 +00:00
Matt Caswell
42c17f3a10 make update
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7973)
2019-01-03 09:26:34 +00:00
Bernd Edlinger
c25ae0fff7 Fix cert with rsa instead of rsaEncryption as public key algorithm
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7962)

(cherry picked from commit 1f483a69bc)
2018-12-31 09:51:04 +01:00
Jung-uk Kim
2988abe069 Do not complain when /dev/crypto does not exist.
FreeBSD does not enable cryptodev(4) by default.  OpenBSD disabled support
for /dev/crypto by default from 4.9 and removed it from 5.7.  Now the engine
is properly enabled by default on BSD platforms (see #7885), it continuously
complains:

Could not open /dev/crypto: No such file or directory

Hide the nagging error message behind ENGINE_DEVCRYPTO_DEBUG.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7896)

(cherry picked from commit c79a022da9)
2018-12-23 08:32:43 +01:00
Shreya Bhandare
92791b972c EVP_PKEY_size declared to take a const parameter
CLA: trivial
Function EVP_PKEY_size has been modified to take a const parameter

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7892)

(cherry picked from commit 47ec2367eb)
2018-12-23 00:27:23 +01:00
FdaSilvaYY
7d550561e3 Coverity fix in some crypto/asn1 code
Call to i2d method returns an int value.

Fix:
CID 1338183 (#1 of 1): Improper use of negative value (NEGATIVE_RETURNS)
CID 1371691 (#1 of 1): Improper use of negative value (NEGATIVE_RETURNS)
CID 1371692 (#1 of 1): Improper use of negative value (NEGATIVE_RETURNS)

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7359)

(cherry picked from commit da84249be6)
2018-12-22 18:13:56 +01:00
Ken Goldman
ea7d2c5808 Admit unknown pkey types at security level 0
The check_key_level() function currently fails when the public key
cannot be extracted from the certificate because its algorithm is not
supported.  However, the public key is not needed for the last
certificate in the chain.

This change moves the check for level 0 before the check for a
non-NULL public key.

For background, this is the TPM 1.2 endorsement key certificate.
I.e., this is a real application with millions of certificates issued.
The key is an RSA-2048 key.

The TCG (for a while) specified

     Public Key Algorithm: rsaesOaep

rather than the commonly used

     Public Key Algorithm: rsaEncryption

because the key is an encryption key rather than a signing key.
The X509 certificate parser fails to get the public key.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7906)
2018-12-20 03:10:55 -05:00
Richard Levitte
145419423e ERR: preserve system error number in a few more places
It turns out that intialization may change the error number, so we
need to preserve the system error number in functions where
initialization is called for.
These are ERR_get_state() and err_shelve_state()

Fixes #7897

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7902)

(cherry picked from commit 91c5473035)
2018-12-14 23:17:06 +01:00
Mansour Ahmadi
faafe140a8 Add missing OPENSSL_clear_free before using ec->key
Fixes #7657

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7877)

(cherry picked from commit 4128136a28)
2018-12-13 10:10:02 +00:00
Mansour Ahmadi
3b16099e0c add missing check for BN_mod_inverse
Fixes #7650

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7876)

(cherry picked from commit 55833a8de7)
2018-12-13 09:59:10 +00:00
Mansour Ahmadi
5db5edc99a fix inconsistent flen check in rsa_pk1 and rsa_oaep
Fixes #7117

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7880)

(cherry picked from commit 4fea7005c3)
2018-12-13 09:48:50 +00:00
Matt Caswell
f807ad17f3 Disallow Ed448 signature malleability
Check that s is less than the order before attempting to verify the
signature as per RFC8032 5.2.7

Fixes #7706

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7748)

(cherry picked from commit 08afd2f37a)
2018-12-11 11:58:40 +00:00
Eneas U de Queiroz
488521d77f eng_devcrypto: make sure digest can do copy
Digest must be able to do partial-state copy to be used.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)

(cherry picked from commit 16e252a01b)
2018-12-10 13:22:14 +01:00
Eneas U de Queiroz
2887a5c8f9 eng_devcrypto: fix ctr mode
Make CTR mode behave like a stream cipher.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)

(cherry picked from commit b5015e834a)
2018-12-10 13:22:14 +01:00
Eneas U de Queiroz
a19d1a1d37 eng_devcrypto: add cipher CTX copy function
The engine needs a custom cipher context copy function to open a new
/dev/crypto session.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)

(cherry picked from commit 6d99e23839)
2018-12-10 13:22:14 +01:00
Eneas U de Queiroz
5378c582c8 eng_devcrypto: close session on cleanup, not final
Close the session in digest_cleanup instead of digest_final.  A failure
in closing the session does not mean a previous successful digest final
has failed as well.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)

(cherry picked from commit a67203a19d)
2018-12-10 13:22:14 +01:00
Eneas U de Queiroz
68b02a8ab7 eng_devcrypto: fix copy of unitilialized digest
If the source ctx has not been initialized, don't initialize the copy
either.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)

(cherry picked from commit ae8183690f)
2018-12-10 13:22:14 +01:00
Eneas U de Queiroz
add2ab1f28 eng_devcrypto: expand digest failure cases
Return failure when the digest_ctx is null in digest_update and
digest_final, and when md is null in digest_final.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)

(cherry picked from commit 4d9f996544)
2018-12-10 13:22:14 +01:00
Eneas U de Queiroz
be5cf61caa eng_devcrypto: don't leak methods tables
Call functions to prepare methods after confirming that /dev/crytpo was
sucessfully open and that the destroy function has been set.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)

(cherry picked from commit d9d4dff5c6)
2018-12-10 13:22:14 +01:00
Matt Caswell
ef97becf52 Preserve errno on dlopen
For the same reasons as in the previous commit we must preserve errno
across dlopen calls. Some implementations (e.g. solaris) do not preserve
errno even on a successful dlopen call.

Fixes #6953

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7680)

(cherry picked from commit 3cb4e7dc1c)
2018-12-10 10:22:05 +00:00
Matt Caswell
99992ad220 Make sure build_SYS_str_reasons() preserves errno
This function can end up being called during ERR_get_error() if we are
initialising. ERR_get_error() must preserve errno since it gets called via
SSL_get_error(). If that function returns SSL_ERROR_SYSCALL then you are
supposed to inspect errno.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7680)

(cherry picked from commit 71b1ceffc4)
2018-12-10 10:22:05 +00:00
Richard Levitte
4bd0db1fea make update
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7852)

(cherry picked from commit f2f734d4f9)
2018-12-10 10:08:32 +01:00
Richard Levitte
fa75ee1aec Prevent calling decryption in an encryption context and vice versa
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7852)

(cherry picked from commit a8bf2f8f24)
2018-12-10 10:08:32 +01:00
Andy Polyakov
3c1b856236 err/err.c: improve err_clear_last_constant_time's portability.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7850)

(cherry picked from commit 91d0fd1c27)
2018-12-08 12:35:45 +01:00
Richard Levitte
673273c43e Make EVP_PKEY_asn1_add0() stricter about its input
It turns out that the strictness that was implemented in
EVP_PKEY_asn1_new() (see Github openssl/openssl#6880) was badly placed
for some usages, and that it's better to do this check only when the
method is getting registered.

Fixes #7758

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7847)

(cherry picked from commit a860031621)
2018-12-07 11:59:11 +01:00
Dr. Matthias St. Pierre
9478b1a095 curve25519.c: improve formula alignment
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7750)

(cherry picked from commit 425dde5d75)
2018-12-06 20:55:00 +01:00
Dr. Matthias St. Pierre
6a1ed7a321 curve25519.c: reformat code to follow coding guidelines
Fixes #7698

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7750)

(cherry picked from commit 3a17b9a46e)
2018-12-06 20:54:44 +01:00
Andy Polyakov
8df98cd988 bn/bn_{div|shift}.c: introduce fixed-top interfaces.
Fixed-top interfaces tolerate zero-padded inputs and facilitate
constant-time-ness. bn_div_fixed_top tolerates zero-padded dividend,
but not divisor. It's argued that divisor's length is public even
when value is secret.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7589)

(cherry picked from commit 3a4a88f436)
2018-12-05 10:38:22 +00:00
Andy Polyakov
a7e8ab41fd bn/bn_div.c: make conditional addition unconditional
and add template for constant-time bn_div_3_words.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7589)

(cherry picked from commit 3da2e9c4ee)
2018-12-05 10:38:22 +00:00
Andy Polyakov
9b2a219cae Configurations/10-main.conf: remove MIPS bn_div_3_words.
It's being replaced with constant-time alternative.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7589)

(cherry picked from commit b34446cca2)
2018-12-05 10:38:22 +00:00
Matt Caswell
f3243f2229 Disallow Ed25519 signature maleability
Check that s is less than the order before attempting to verify the
signature as per RFC8032 5.1.7

Fixes #7693

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7697)

(cherry picked from commit 0ac8f35c04)
2018-12-03 14:25:20 +00:00
Andy Polyakov
f1d91b8970 rsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time.
Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
if nul delimiter is preceded by 8 consecutive 0x03 bytes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 603221407d)
2018-11-30 12:51:58 +00:00
Andy Polyakov
f5ebe54c00 rsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP.
And make RSAErr call unconditional.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 75f5e944be)
2018-11-30 12:51:58 +00:00
Andy Polyakov
db1b63f45c rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.
And make RSAErr call unconditional.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e875b0cf2f)
2018-11-30 12:51:58 +00:00
Andy Polyakov
382448f337 rsa/rsa_ossl.c: make RSAerr call in rsa_ossl_private_decrypt unconditional.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 89072e0c2a)
2018-11-30 12:51:58 +00:00
Andy Polyakov
d2cd28b99e err/err.c: add err_clear_last_constant_time.
Expected usage pattern is to unconditionally set error and then
wipe it if there was no actual error.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit f658a3b64d)
2018-11-30 12:51:58 +00:00
Billy Brumley
37b07c68ef Clean up BN_consttime_swap.
Updated "condition" logic lifted from Theo Buehler's LibreSSL commit 517358603b

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7619)

(cherry picked from commit 900fd8f375)
2018-11-26 17:54:08 +02:00
Richard Levitte
1119d4e7f4 VMS: fix collected error strings
It turns out that on VMS, strerror() returns messages with added
spaces at the end.

We wouldn't had noticed if it wasn't for perl trimming those spaces
off for its own sake and thereby having test/recipes/02-test_errstr.t
fail on VMS.

The safe fix is to do the same trimming ourselves.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7701)

(cherry picked from commit 9f15e5b911)
2018-11-24 17:43:30 +01:00
David Woodhouse
abaa2311ad Stop marking default digest for EC keys as mandatory
ASN1_PKEY_CTRL_DEFAULT_MD_NID is documented to return 2 for a mandatory
digest algorithm, when the key can't support any others. That isn't true
here, so return 1 instead.

Partially fixes #7348

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>

(cherry picked from commit eb7eb1378c)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7609)
2018-11-24 08:49:32 +02:00
Richard Levitte
cae2a7ca42 Smarter build of system error text database
We stored copies of the system error texts in a fixed line size array,
which is a huge waste.  Instead, use a static memory pool and pack all
the string in there.  The wasted space at the end, if any, gives us
some leeway for longer strings than we have measured so far.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7681)

(cherry picked from commit 2c5b6bbb67)
2018-11-23 12:35:54 +01:00
Andy Polyakov
5970d48093 rsa/rsa_ossl.c: cache MONT_CTX for public modulus earlier.
Blinding is performed more efficiently and securely if MONT_CTX for public
modulus is available by the time blinding parameter are instantiated. So
make sure it's the case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7586)

(cherry picked from commit 2cc3f68cde)
2018-11-22 09:49:48 +00:00
Matt Caswell
7c6d372aff Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7669)
2018-11-20 13:27:36 +00:00
Andy Polyakov
7a6d71c527 sha/asm/sha512p8-ppc.pl: optimize epilogue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7643)

(cherry picked from commit 6b956fe77b)
2018-11-16 09:26:29 +01:00
Andy Polyakov
0e2ad9593a sha/asm/sha512p8-ppc.pl: fix typo in prologue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7643)

(cherry picked from commit 79d7fb990c)
2018-11-16 09:26:28 +01:00
Vitezslav Cizek
42acb69fd1 DSA: Check for sanity of input parameters
dsa_builtin_paramgen2 expects the L parameter to be greater than N,
otherwise the generation will get stuck in an infinite loop.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

(cherry picked from commit 3afd38b277)

(Merged from https://github.com/openssl/openssl/pull/7493)
2018-11-14 13:07:54 +01:00
Richard Levitte
61e78e7ace Fix SipHash init order.
Setting the SipHash hash size and setting its key is done with two
independent functions...  and yet, the internals depend on both.

Unfortunately, the function to change the size wasn't adapted for the
possibility that the key was set first, with a different hash size.

This changes the hash setting function to fix the internal values
(which is easy, fortunately) according to the hash size.

evpmac.txt value for digestsize:8 is also corrected.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7613)

(cherry picked from commit 425036130d)
2018-11-12 07:16:58 +01:00
Billy Brumley
6f172154f5 [crypto/bn] swap BN_FLG_FIXED_TOP too
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7599)

(cherry picked from commit dd41956d80)
2018-11-10 04:14:11 +02:00
Bernd Edlinger
bdb8897691 Fix issues with do_rand_init/rand_cleanup_int
Fixes #7022

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7588)

(cherry picked from commit e2d227bb4a)
2018-11-09 13:37:38 +01:00
Dr. Matthias St. Pierre
abf58ed319 rand_unix.c: open random devices on first use only
Commit c7504aeb64 (pr #6432) fixed a regression for applications in
chroot environments, which compensated the fact that the new OpenSSL CSPRNG
(based on the NIST DRBG) now reseeds periodically, which the previous
one didn't. Now the reseeding could fail in the chroot environment if the
DEVRANDOM devices were not present anymore and no other entropy source
(e.g. getrandom()) was available.

The solution was to keep the file handles for the DEVRANDOM devices open
by default. In fact, the fix did more than this, it opened the DEVRANDOM
devices early and unconditionally in rand_pool_init(), which had the
unwanted side effect that the devices were opened (and kept open) even
in cases when they were not used at all, for example when the getrandom()
system call was available. Due  to a bug (issue #7419) this even happened
when the feature was disabled by the application.

This commit removes the unconditional opening of all DEVRANDOM devices.
They will now only be opened (and kept open) on first use. In particular,
if getrandom() is available, the handles will not be opened unnecessarily.

This change does not introduce a regression for applications compiled for
libcrypto 1.1.0, because the SSLEAY RNG also seeds on first use. So in the
above constellation the CSPRNG will only be properly seeded if it is happens
before the forking and chrooting.

Fixes #7419

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7437)

(cherry picked from commit 8cfc19716c)
2018-11-08 16:41:24 +01:00
Dr. Matthias St. Pierre
c39df745b0 Test: link drbgtest statically against libcrypto
and remove duplicate rand_drbg_seedlen() implementation again.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7462)

(cherry picked from commit 1c615e4ce9)
2018-11-08 16:32:30 +01:00
Pauli
f7258489d8 Add missing RAND initialisation call.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7587)

(cherry picked from commit ac765685d4)
2018-11-08 08:13:16 +10:00
Bernd Edlinger
294941aebb Rename the rand_drbg_st data member "pool" to "seed_pool"
... to make the intended use more clear and differentiate
it from the data member "adin_pool".

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7575)

(cherry picked from commit 31f32abb8e)
2018-11-07 15:23:39 +01:00
Bernd Edlinger
9bc987f008 Initialize reseed_gen_counter to 1, like it is done in master
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7532)
2018-11-07 15:16:19 +01:00
Bernd Edlinger
939ef2ea11 Avoid two memory allocations in each RAND_DRBG_bytes
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7518)
2018-11-05 22:52:24 +01:00
Bernd Edlinger
c40c1ef4f3 Fix error handling in RAND_DRBG_uninstantiate
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7519)
2018-11-05 22:46:21 +01:00
Bernd Edlinger
ee5a79104c Fix error handling in rand_drbg_new
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7519)
2018-11-05 22:46:20 +01:00
Bernd Edlinger
f98a893ed4 Fix error handling in RAND_DRBG_set
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7519)
2018-11-05 22:46:20 +01:00
Richard Levitte
cd01707b7f crypto/engine/eng_devcrypto.c: ensure we don't leak resources
If engine building fails for some reason, we must make sure to close
the /dev/crypto handle.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7506)

(cherry picked from commit 681e8cacdb)
2018-11-02 20:24:08 +01:00
Richard Levitte
120fc33e29 crypto/engine/eng_devcrypto.c: open /dev/crypto only once
We opened /dev/crypto once for each session, which is quite unnecessary.
With this change, we open /dev/crypto once at engine init, and close
it on unload.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7506)

(cherry picked from commit 458c7dad9e)
2018-11-02 20:24:00 +01:00
Richard Levitte
dcbbcf083c crypto/engine/eng_devcrypto.c: new compilers are strict on prototypes
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7506)

(cherry picked from commit 28ac1bd9a9)
2018-11-02 20:23:53 +01:00
Richard Levitte
3dcca12a20 crypto/engine/eng_devcrypto.c: add digest copy
Copying an EVP_MD_CTX, including the implementation local bits, is a
necessary operation.  In this case, though, it's the same as
initializing the local bits to be "copied to".

Fixes #7495

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7506)

(cherry picked from commit 36af124bfb)
2018-11-02 20:23:47 +01:00
Pauli
6039651c43 Add a constant time flag to one of the bignums to avoid a timing leak.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7549)

(cherry picked from commit 00496b6423)
2018-11-02 08:14:35 +10:00
Bernd Edlinger
faca6bfac3 Fix a race condition in drbg_add
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7523)

(cherry picked from commit 4011bab1f8)
2018-10-30 23:28:12 +01:00
Chocobo1
189b56b206 Fix MSVC warning C4819
CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7444)

(cherry picked from commit cf4eea1204)
2018-10-30 04:52:27 +01:00
Matt Caswell
070ce40be1 Reset the HKDF state between operations
Fixes #7497

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7501)

(cherry picked from commit ca55d70be0)
2018-10-29 14:11:40 +00:00
Bernd Edlinger
6101850baf Rework and simplify resource flow in drbg_add
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7504)

(cherry picked from commit f9e43929c4)
2018-10-29 12:31:21 +01:00
Dr. Matthias St. Pierre
c7a7ed3870 randfile.c: fix a Coverity warning
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7510)

(cherry picked from commit 040a03470c)
2018-10-28 23:39:13 +01:00
Pauli
b1d6d55ece Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)

(cherry picked from commit 99540ec794)
2018-10-29 07:59:23 +10:00
Pauli
8abfe72e8c Timing vulnerability in DSA signature generation (CVE-2018-0734).
Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized.  Increasing the size of the BNs
prior to doing anything with them suppresses the attack.

Thanks due to Samuel Weiser for finding and locating this.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)

(cherry picked from commit a9cfb8c2aa)
2018-10-29 07:58:42 +10:00
Pauli
f1b12b8713 DSA mod inverse fix
There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm.  This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.

Thanks to Samuel Weiser for finding and reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)

(cherry picked from commit 415c335635)
2018-10-29 06:51:55 +10:00
Dr. Matthias St. Pierre
d2953e5e7d drbg_lib: avoid NULL pointer dereference in drbg_add
Found by Coverity Scan

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7511)

(cherry picked from commit 59f90557dd)
2018-10-28 19:21:12 +01:00
Bernd Edlinger
1f98527659 Fix data race in RAND_DRBG_generate
Fixes #7394

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7399)

(cherry picked from commit a83dc59afa)
2018-10-27 13:04:55 +02:00
Dr. Matthias St. Pierre
d597a9a877 RAND_add()/RAND_seed(): fix failure on short input or low entropy
Commit 5b4cb385c1 (#7382) introduced a bug which had the effect
that RAND_add()/RAND_seed() failed for buffer sizes less than
32 bytes. The reason was that now the added random data was used
exlusively as entropy source for reseeding. When the random input
was too short or contained not enough entropy, the DRBG failed
without querying the available entropy sources.

This commit makes drbg_add() act smarter: it checks the entropy
requirements explicitely. If the random input fails this check,
it won't be added as entropy input, but only as additional data.
More precisely, the behaviour depends on whether an os entropy
source was configured (which is the default on most os):

- If an os entropy source is avaible then we declare the buffer
  content as additional data by setting randomness to zero and
  trigger a regular   reseeding.

- If no os entropy source is available, a reseeding will fail
  inevitably. So drbg_add() uses a trick to mix the buffer contents
  into the DRBG state without forcing a reseeding: it generates a
  dummy random byte, using the buffer content as additional data.

Related-to: #7449

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7456)

(cherry picked from commit 8817215d5c)
2018-10-27 13:03:35 +02:00
Dr. Matthias St. Pierre
35a34508ef Backport some DRBG renamings and typo fixes
In commit 8bf3665196 some renamings andd typo fixes were made
while adding back the DRBG-HMAC and DRBG-HASH implementation.
Since the commit could not be backported, a lot of unnecessary
differences between master and 1.1.1 were introduced.

These differences result in tiresome merge conflicts when
cherry-picking. To minimize these merge-conflicts, this patch
ports all 'non-feature' changes of commit 8bf3665196
(e.g., renamings of private variables, fixes of typographical
errors, comment changes) manually back to 1.1.1.

The commits a83dc59afa (#7399) and 8817215d5c (#7456)
failed to cherry-pick previously to 1.1.1, with this patch
they both cherry-pick without conflicts.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7505)
2018-10-26 23:04:23 +02:00
Bernd Edlinger
f3f7f1a826 Fix a possible crash in rand_drbg_get_entropy
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7474)

(cherry picked from commit 21311777ad)
2018-10-26 15:26:21 +02:00
Dr. Matthias St. Pierre
1d0671b81f RAND_load_file(): avoid adding small chunks to RAND_add()
Increase the load buffer size such that it exceeds the chunk
size by a comfortable amount. This is done to avoid calling
RAND_add() with a small final chunk. Instead, such a small
final chunk will be added together with the previous chunk
(unless it's the only one).

Related-to: #7449

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7456)
2018-10-26 08:50:26 +02:00
Dr. Matthias St. Pierre
13ce86259e RAND_load_file(): return error if reseeding failed
The failure of RAND_load_file was only noticed because of the
heap corruption which was reported in #7499 and fixed in commit
5b4cb385c1. To prevent this in the future, RAND_load_file()
now explicitly checks RAND_status() and reports an error if it
fails.

Related-to: #7449

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7456)
2018-10-26 08:50:26 +02:00
Richard Levitte
28361a0b82 RAND: ensure INT32_MAX is defined
This value is used to set DRBG_MAX_LENGTH

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7467)

(cherry picked from commit f81b043ad8)
2018-10-23 10:56:59 +02:00
Dr. Matthias St. Pierre
ece482ff3a RAND_add(): fix heap corruption in error path
This bug was introduced by #7382 which enhanced RAND_add() to
accept large buffer sizes. As a consequence, RAND_add() now fails
for buffer sizes less than 32 bytes (i.e. less than 256 bits).
In addition, rand_drbg_get_entropy() forgets to reset the attached
drbg->pool in the case of an error, which leads to the heap corruption.

The problem occurred with RAND_load_file(), which reads the file in
chunks of 1024 bytes each. If the size of the final chunk is less than
32 bytes, then RAND_add() fails, whence RAND_load_file() fails
silently for buffer sizes n = k * 1024 + r with r = 1,...,31.

This commit fixes the heap corruption only. The other issues will
be addressed in a separate pull request.

Thanks to Gisle Vanem for reporting this issue.

Fixes #7449

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7455)

(cherry picked from commit 5b4cb385c1)
2018-10-22 14:57:04 +02:00
Andy Polyakov
fc762e7d5c arch/async_posix.h: improve portability.
{make|swap|get|set}context are removed in POSIX.1-2008, but glibc
apparently keeps providing it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7420)

(cherry picked from commit 9d71a24ebf)
2018-10-19 10:31:04 +02:00
Viktor Dukhovni
a190ea8ad7 Apply self-imposed path length also to root CAs
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf).  Therefore, never count the EE
cert, and adjust the path length comparison accordinly.  This may
be more clear to the reader.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit dc5831da59)
2018-10-18 00:10:04 -04:00
Viktor Dukhovni
bb6923945e Only CA certificates can be self-issued
At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:

   This specification covers two classes of certificates: CA
   certificates and end entity certificates.  CA certificates may be
   further divided into three classes: cross-certificates, self-issued
   certificates, and self-signed certificates.  Cross-certificates are
   CA certificates in which the issuer and subject are different
   entities.  Cross-certificates describe a trust relationship between
   the two CAs.  Self-issued certificates are CA certificates in which
   the issuer and subject are the same entity.  Self-issued certificates
   are generated to support changes in policy or operations.  Self-
   signed certificates are self-issued certificates where the digital
   signature may be verified by the public key bound into the
   certificate.  Self-signed certificates are used to convey a public
   key for use to begin certification paths.  End entity certificates
   are issued to subjects that are not authorized to issue certificates.

that the term "self-issued" is only applicable to CAs, not end-entity
certificates.  In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:

   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section 4.2.1.3).  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.  (Note: The
   last certificate in the certification path is not an intermediate
   certificate, and is not included in this limit.  Usually, the last
   certificate is an end entity certificate, but it can be a CA
   certificate.)

This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates.  A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count.  The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit ed422a2d01)
2018-10-18 00:10:03 -04:00
Antoine Salon
8710396980 EVP module documentation pass
Replace ECDH_KDF_X9_62() with internal ecdh_KDF_X9_63()

Signed-off-by: Antoine Salon <asalon@vmware.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7345)

(cherry picked from commit ffd89124bd)
2018-10-17 13:31:59 +03:00
Dr. Matthias St. Pierre
dbf0a49625 DRBG: fix reseeding via RAND_add()/RAND_seed() with large input
In pull request #4328 the seeding of the DRBG via RAND_add()/RAND_seed()
was implemented by buffering the data in a random pool where it is
picked up later by the rand_drbg_get_entropy() callback. This buffer
was limited to the size of 4096 bytes.

When a larger input was added via RAND_add() or RAND_seed() to the DRBG,
the reseeding failed, but the error returned by the DRBG was ignored
by the two calling functions, which both don't return an error code.
As a consequence, the data provided by the application was effectively
ignored.

This commit fixes the problem by a more efficient implementation which
does not copy the data in memory and by raising the buffer the size limit
to INT32_MAX (2 gigabytes). This is less than the NIST limit of 2^35 bits
but it was chosen intentionally to avoid platform dependent problems
like integer sizes and/or signed/unsigned conversion.

Additionally, the DRBG is now less permissive on errors: In addition to
pushing a message to the openssl error stack, it enters the error state,
which forces a reinstantiation on next call.

Thanks go to Dr. Falko Strenzke for reporting this issue to the
openssl-security mailing list. After internal discussion the issue
has been categorized as not being security relevant, because the DRBG
reseeds automatically and is fully functional even without additional
randomness provided by the application.

Fixes #7381

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7382)

(cherry picked from commit 3064b55134)
2018-10-16 22:32:42 +02:00
Mykola Baibuz
3924d69965 Safer memory cleanup in (crypto/rsa/rsa_lib.c)
We don't need to use secure clean for public key.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7363)

(cherry picked from commit c033101db3)
2018-10-13 21:19:24 +08:00
Andy Polyakov
a9e4192e71 rsa/rsa_ossl.c: fix and extend commentary [skip ci].
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7123)

(cherry picked from commit d1c008f66b)
2018-10-12 22:28:52 +02:00
Andy Polyakov
7ed9ad1cc3 sha/asm/keccak1600-s390x.pl: resolve -march=z900 portability issue.
Negative displacement in memory references was not originally specified,
so that for maximum coverage one should abstain from it, just like with
any other extension. [Unless it's guarded by run-time switch, but there
is no switch in keccak1600-s390x.]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7239)

(cherry picked from commit fc97c882f4)
2018-10-12 20:53:57 +02:00
FdaSilvaYY
7f0e220f4d crypto/rand: fix some style nit's
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7378)

(cherry picked from commit c2e33a05b1)
2018-10-10 14:02:45 +02:00
Dr. Matthias St. Pierre
b99f047f3f rand_unix.c: fix --with-rand-seed=none build
Fixes a compiler warning about an unused syscall_random()
and cleans up the OPENSSL_RAND_SEED preprocessor logic.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/779)

(cherry picked from commit d90e128be6)
2018-10-10 12:40:52 +02:00
Paul Yang
8848b14fda Fix a nit of copyright date range
Should be 2018 instead of 20018.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7364)
2018-10-10 09:51:03 +08:00
Richard Levitte
e9a4fb4997 /dev/crypto engine: give CIOCFSESSION the actual sess-id
We passed that ioctl a pointer to the whole session_op structure,
which wasn't quite right.

Notified by David Legault.

Fixes #7302

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7304)

(cherry picked from commit 470096e576)
2018-10-05 21:55:38 +02:00
Dr. Matthias St. Pierre
5e130ae632 test/secmemtest: test secure memory only if it is implemented
Fixes #7322

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7351)

(cherry picked from commit 8529b15642)
2018-10-05 12:23:34 +02:00
Matt Caswell
90893527fc Fix the BIO callback return code handling
The BIO callback handling incorrectly wrote over the return code passed
to the callback, meaning that an incorrect result was (eventually) returned
to the caller.

Fixes #7343

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7344)

(cherry picked from commit d97ce8d9a0)
2018-10-04 14:20:27 +01:00
Richard Levitte
6babfb2161 Small cleanup (util/mkdef.pl, crypto/bio/bss_log.c, include/openssl/ocsp.h)
BIO_s_log() is declared for everyone, so should return NULL when not
actually implemented.  Also, it had explicit platform limitations in
util/mkdef.pl that didn't correspond to what was actually in code.
While at it, a few other hard coded things that have lost their
relevance were removed.

include/openssl/ocsp.h had a few duplicate declarations.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7331)

(cherry picked from commit 7e09c5eaa5)
2018-10-04 09:59:00 +02:00
Matt Caswell
acb03676c5 Fix some Coverity warnings
Check some return values on some functions.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7335)

(cherry picked from commit 434893af2b)
2018-10-02 10:58:05 +01:00
Pauli
79c2c74130 Use secure_getenv(3) when available.
Change all calls to getenv() inside libcrypto to use a new wrapper function
that use secure_getenv() if available and an issetugid then getenv if not.

CPU processor override flags are unchanged.

Extra checks for OPENSSL_issetugid() have been removed in favour of the
safe getenv.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7047)

(cherry picked from commit 5c39a55d04)
2018-09-24 11:22:22 +10:00
agnosticdev
c257f61f10 typo-fixes: miscellaneous typo fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7277)

(cherry picked from commit 46d085096c)
2018-09-21 23:59:02 +02:00
Richard Levitte
4ccd6c5479 crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG
This module includes bn.h via other headers, so it picks up the
definition from there and doesn't need to define them locally (any
more?).  Worst case scenario, the redefinition may be different and
cause all sorts of compile errors.

Fixes #7227

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7287)

(cherry picked from commit dda5396aae)
2018-09-21 11:35:14 +02:00
Richard Levitte
baa5cdad88 /dev/crypto engine: add missing RC4 parameter
Fixes #7280

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7281)

(cherry picked from commit f52f2c1ae8)
2018-09-20 22:02:43 +02:00
Richard Levitte
226e6a2cf2 crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too
These both indicate that the file descriptor we're trying to use as a
terminal isn't, in fact, a terminal.

Fixes #7271

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7272)

(cherry picked from commit 276bf8620c)
2018-09-20 06:40:52 +02:00
Pauli
d2d3b5ded7 Add missing include file.
Specifically, include e_os.h to pick up alloca definition for WIN32.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7234)

(cherry picked from commit a825856ab7)
2018-09-17 12:54:20 +10:00
Pauli
24907560db Use 'i' as parameter name not 'I'.
The latter causes problems when complex.h is #included.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7233)

(cherry picked from commit 972f67889b)
2018-09-17 09:53:15 +10:00
Richard Levitte
d6d6aa3521 VMS: only use the high precision on VMS v8.4 and up
It simply isn't available on older versions.

Issue submitted by Mark Daniels

Fixes #7229

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7230)
2018-09-15 14:59:06 +02:00
Paul Yang
2ccfcbfb71 Make some return checks consistent with others
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7209)
2018-09-13 23:23:18 +09:00
Dr. Matthias St. Pierre
b262a00229 Replace the public RAND_DRBG_USED_FLAGS #define by an internal constant
The new DRBG API added the aforementioned #define. However, it is
used internally only and having it defined publicly does not serve
any purpose except causing potential version compatibility problems.

Fixes #7182

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7190)

(cherry picked from commit c402e943cd)
2018-09-12 23:48:18 +02:00
Viktor Szakats
f8e1c190d5 minor fixes for Windows
- fix to use secure URL in generated Windows resources
- fix a potentially uninitialized variable
- fix an unused variable warning

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7189)
2018-09-12 09:18:25 +02:00
Richard Levitte
6258e244bf crypto/sm2/sm2_sign.c: ensure UINT16_MAX is properly defined
Fixes #7186

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7193)

(cherry picked from commit 88ea3685e4)
2018-09-12 02:12:31 +02:00
Matt Caswell
1212818eb0 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7176)
2018-09-11 13:45:17 +01:00
Matt Caswell
512d811719 Check the return value from ASN1_INTEGER_set
Found by Coverity

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7169)
2018-09-10 17:33:02 +01:00
Matt Caswell
d689f313cc Validate the SM2 digest len before use
Fixes a Coverity complaint.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7170)
2018-09-10 17:28:33 +01:00
Dr. Matthias St. Pierre
427e91d928 crypto/rsa/rsa_pss.c: silence coverity warning
Reported by Coverity Scan (CID 1439138)
[extended tests]

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7156)
2018-09-10 11:03:50 +01:00
Richard Levitte
ca89174bc9 ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes
The deprecated ASN.1 type LONG / ZLONG (incorrectly) produced zero
length INTEGER encoding for zeroes.  For the sake of backward
compatibility, we allow those to be read without fault when using the
replacement types INT32 / UINT32 / INT64 / UINT64.

Fixes #7134

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7144)
2018-09-09 03:39:37 +02:00
Richard Levitte
d74f23d2db SipHash: add separate setter for the hash size
This was originally part of SipHash_Init.  However, there are cases
where there isn't any key material to initialize from when setting the
hash size, and we do allow doing so with a EVP_PKEY control.  The
solution is to provide a separate hash_size setter and to use it in
the corresponding EVP_PKEY_METHOD.

Fixes #7143

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7145)
2018-09-09 01:47:56 +02:00
Richard Levitte
d0123525cd SipHash: make it possible to control the hash size through string controls
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7154)
2018-09-09 01:47:56 +02:00
Paul Yang
f922dac87d Add missing SM2err and fix doc nits
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
81c7945388 Allow EVP_MD_CTX_set_pkey_ctx to accept NULL pctx
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
675f4ceef8 Update document for SM2 stuffs
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
4803717f5e Support setting SM2 ID
zero-length ID is allowed, but it's not allowed to skip the ID.

Fixes: #6534

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
00433bad41 Make SM2 ID stick to specification
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
0a8fdef752 Support pmeth->digest_custom
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
00902d9414 Introduce EVP_MD_CTX_set_pkey_ctx
Thus users can use this function to set customized EVP_PKEY_CTX to
EVP_MD_CTX structure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
5bd0abe7a2 Remove unnecessary sm2_za.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Pauli
a6465b3f85 Avoid SEGV when giving X509_sign a NULL private key.
Put a NULL check back in to avoid dereferencing the NULL pointer.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7146)
2018-09-07 09:04:59 +10:00
Shane Lontis
82eba370da RSA padding Zeroization fixes
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7090)
2018-09-06 14:51:30 +10:00
Shane Lontis
2eb2b4f3a1 Key zeroization fix for EVP_SealInit + added simple test
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7105)
2018-09-06 08:34:45 +10:00
Nicola Tuveri
544648a8e0 Harmonize the error handling codepath
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)
2018-09-05 15:22:35 +03:00
Nicola Tuveri
0c5d725ebf Fix segfault in RSA_free() (and DSA/DH/EC_KEY)
`RSA_free()` and friends are called in case of error from
`RSA_new_method(ENGINE *e)` (or the respective equivalent functions).

For the rest of the description I'll talk about `RSA_*`, but the same
applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`.

If `RSA_new_method()` fails because the engine does not implement the
required method, when `RSA_free(RSA *r)` is called,
`r->meth == NULL` and a segfault happens while checking if
`r->meth->finish` is defined.

This commit fixes this issue by ensuring that `r->meth` is not NULL
before dereferencing it to check for `r->meth->finish`.

Fixes #7102 .

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)
2018-09-05 15:22:35 +03:00
Shane Lontis
64ed55ab03 hkdf zeroization fix
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7106)
2018-09-05 05:21:46 +10:00
Shane Lontis
f5cee414fa key zeroisation fix for p12
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7109)
2018-09-05 05:18:43 +10:00