Commit graph

36 commits

Author SHA1 Message Date
Matt Caswell
d5475e3195 Remove some dead code
The intention of the removed code was to check if the previous operation
carried. However this does not work. The "mask" value always ends up being
a constant and is all ones - thus it has no effect. This check is no longer
required because of the previous commit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3832)
2017-07-19 11:49:08 +01:00
Matt Caswell
335d0a4646 Fix undefined behaviour in e_aes_cbc_hmac_sha256.c and e_aes_cbc_hmac_sha1.c
In TLS mode of operation the padding value "pad" is obtained along with the
maximum possible padding value "maxpad". If pad > maxpad then the data is
invalid. However we must continue anyway because this is constant time code.

We calculate the payload length like this:

    inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);

However if pad is invalid then inp_len ends up -ve (actually large +ve
because it is a size_t).

Later we do this:

    /* verify HMAC */
    out += inp_len;
    len -= inp_len;

This ends up with "out" pointing before the buffer which is undefined
behaviour. Next we calculate "p" like this:

    unsigned char *p =
        out + len - 1 - maxpad - SHA256_DIGEST_LENGTH;

Because of the "out + len" term the -ve inp_len value is cancelled out
so "p" points to valid memory (although technically the pointer arithmetic
is undefined behaviour again).

We only ever then dereference "p" and never "out" directly so there is
never an invalid read based on the bad pointer - so there is no security
issue.

This commit fixes the undefined behaviour by ensuring we use maxpad in
place of pad, if the supplied pad is invalid.

With thanks to Brian Carpenter for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3832)
2017-07-19 11:49:08 +01:00
Rich Salz
a68d35057b check length sanity before correcting in EVP_CTRL_AEAD_TLS1_AAD
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3289)
2017-04-24 11:19:56 -04:00
Andy Polyakov
5908555c96 evp/e_aes_cbc_hmac_{sha1|sha256}.c: tag reference code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2017-03-02 16:25:36 +01:00
Todd Short
9d6fcd4295 Cleanup EVP_CIPH/EP_CTRL duplicate defines
Remove duplicate defines from EVP source files.
Most of them were in evp.h, which is always included.
Add new ones evp_int.h
EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK is now always defined in evp.h, so
remove conditionals on it

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2201)
2017-01-24 18:47:10 +01:00
FdaSilvaYY
02e112a885 Whitespace cleanup in crypto
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1264)
2016-06-29 09:56:39 -04:00
Rich Salz
aa6bb1352b Copyright consolidation 05/10
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-17 15:38:09 -04:00
Kurt Roeckx
70428eada9 Check that we have enough padding characters.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

CVE-2016-2107

MR: #2572
2016-05-03 13:15:39 +01:00
Andy Polyakov
b1a07c3854 Remove obsolete defined(__INTEL__) condition.
This macro was defined by no-longer-supported __MWERKS__ compiler.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-02 12:35:01 +02:00
Matt Caswell
5158c763f5 Remove OPENSSL_NO_AES guards
no-aes is no longer a Configure option and therefore the OPENSSL_NO_AES
guards can be removed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-13 21:25:24 +01:00
Matt Caswell
44ab2dfdf9 Rename EVP_CIPHER_CTX_cipher_data to EVP_CIPHER_CTX_get_cipher_data
We had the function EVP_CIPHER_CTX_cipher_data which is newly added for
1.1.0. As we now also need an EVP_CIPHER_CTX_set_cipher_data it makes
more sense for the former to be called EVP_CIPHER_CTX_get_cipher_data.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:42:09 +00:00
Richard Levitte
6435f0f6c6 Adapt builtin cipher implementations to opaque EVP_CIPHER
They all stop including evp_locl.h, so we also take care of their
adaptation to opaque EVP_CIPHER_CTX, as was promised in an earlier
commit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 13:52:22 +01:00
Richard Levitte
936166aff2 Adapt cipher implementations to opaque EVP_CIPHER_CTX
Note: there's a larger number of implementations in crypto/evp/ that
aren't affected because they include evp_locl.h.  They will be handled
in a separate commit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 13:52:22 +01:00
Andy Polyakov
f0fa5c8306 e_aes_cbc_hmac_sha*.c: address linker warning about OPENSSL_ia32cap_P size mismatch.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-11 10:12:54 +02:00
Matt Caswell
c826988109 Sanity check EVP_CTRL_AEAD_TLS_AAD
The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at
least 13 bytes long. Add sanity checks to ensure that the length is at
least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to
represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-30 23:12:39 +01:00
Rich Salz
474e469bbd OPENSSL_NO_xxx cleanup: SHA
Remove support for SHA0 and DSS0 (they were broken), and remove
the ability to attempt to build without SHA (it didn't work).
For simplicity, remove the option of not building various SHA algorithms;
you could argue that SHA_224/256/384/512 should be kept, since they're
like crypto algorithms, but I decided to go the other way.
So these options are gone:
	GENUINE_DSA         OPENSSL_NO_SHA0
	OPENSSL_NO_SHA      OPENSSL_NO_SHA1
	OPENSSL_NO_SHA224   OPENSSL_NO_SHA256
	OPENSSL_NO_SHA384   OPENSSL_NO_SHA512

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-27 12:34:45 -05:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Matt Caswell
68d39f3ce6 Move more comments that confuse indent
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Andy Polyakov
2893a302a9 crypto/evp/e_aes_cbc_hmac_sha[1|256].c: fix compiler warnings.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-20 22:18:14 +02:00
Felix Laurie von Massenbach
1f61d8b5b1 Fix shadow declaration. 2014-06-17 17:41:46 +01:00
Andy Polyakov
ce00c64df9 evp/e_aes_cbc_sha[1|256].c: fix -DPEDANTIC build. 2014-06-14 23:15:39 +02:00
Andy Polyakov
701134320a ssl/s3_pkt.c: detect RAND_bytes error in multi-block. 2014-02-14 17:43:31 +01:00
Andy Polyakov
9587429fa0 evp/e_aes_cbc_hmac_sha*.c: improve cache locality. 2014-02-13 14:39:55 +01:00
Andy Polyakov
5a42c8f07f e_aes_cbc_hmac_sha[1|256].c: fix compiler warning. 2014-02-05 16:38:22 +01:00
Andy Polyakov
0d5096fbd6 evp/e_aes_cbc_hmac_sha*.c: additional CTRL to query buffer requirements. 2014-02-05 14:05:08 +01:00
Andy Polyakov
2f3af3dc36 aesni-sha1-x86_64.pl: add stiched decrypt procedure,
but keep it disabled, too little gain... Add some Atom-specific
optimization.
2014-01-03 21:40:08 +01:00
Andy Polyakov
b4f0abd246 evp/e_aes_cbc_hmac_sha*.c: limit multi-block fragmentation to 1KB.
Excessive fragmentation put additional burden (of addtional MAC
calculations) on the other size and limiting fragments it to 1KB
limits the overhead to ~6%.
2013-10-12 22:10:28 +02:00
Andy Polyakov
a69c0a1be5 evp/e_aes_cbc_hmac_sha*.c: harmonize names, fix bugs. 2013-10-08 23:39:26 +02:00
Andy Polyakov
7f893258f6 evp/e_aes_cbc_hmac_sha*.c: multi-block glue code. 2013-10-03 00:24:03 +02:00
Andy Polyakov
5c60046553 e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
PR: 3002
2013-03-18 19:29:41 +01:00
Andy Polyakov
2141e6f30b e_aes_cbc_hmac_sha1.c: align calculated MAC at cache line.
It also ensures that valgring is happy.
2013-02-08 10:31:13 +01:00
Andy Polyakov
1041ab696e e_aes_cbc_hmac_sha1.c: cleanse temporary copy of HMAC secret.
(cherry picked from commit 529d27ea47)
2013-02-06 14:19:11 +00:00
Andy Polyakov
9970308c88 e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
(cherry picked from commit 125093b59f)
2013-02-06 14:19:10 +00:00
Andy Polyakov
fc90e42c86 e_aes_cbc_hmac_sha1.c: handle zero-length payload and engage empty frag
countermeasure.

PR: 2778
2012-04-15 14:14:22 +00:00
Dr. Stephen Henson
5e92fd244c Stop warnings. 2011-09-01 14:15:47 +00:00
Andy Polyakov
c608171d9c Add RC4-MD5 and AESNI-SHA1 "stitched" implementations. 2011-08-23 20:51:38 +00:00