Commit graph

365 commits

Author SHA1 Message Date
Kurt Roeckx
f16bc6f06c Revert "Don't check RSA_FLAG_SIGN_VER."
This reverts commit 23a58779f5.

This broke existing engines that didn't properly implement the sign and verify
functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>

MR: #2077
2016-02-27 13:38:01 +01:00
Dr. Stephen Henson
23a58779f5 Don't check RSA_FLAG_SIGN_VER.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 6656ba7152)
2015-12-20 19:28:23 +00:00
Richard Levitte
e961c7a201 Remove the "eay" c-file-style indicators
Since we don't use the eay style any more, there's no point tryint to
tell emacs to use it.

Reviewed-by: Ben Laurie <ben@openssl.org>
2015-12-18 13:13:31 +01:00
Dr. Stephen Henson
d8541d7e9e Add PSS parameter check.
Avoid seg fault by checking mgf1 parameter is not NULL. This can be
triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.

CVE-2015-3194

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-03 13:45:13 +01:00
Matt Caswell
ec1f125512 Don't treat a bare OCTETSTRING as DigestInfo in int_rsa_verify
The function int_rsa_verify is an internal function used for verifying an
RSA signature. It takes an argument |dtype| which indicates the digest type
that was used. Dependant on that digest type the processing of the
signature data will vary. In particular if |dtype == NID_mdc2| and the
signature data is a bare OCTETSTRING then it is treated differently to the
default case where the signature data is treated as a DigestInfo (X509_SIG).

Due to a missing "else" keyword the logic actually correctly processes the
OCTETSTRING format signature first, and then attempts to continue and
process it as DigestInfo. This will invariably fail because we already know
that it is a bare OCTETSTRING.

This failure doesn't actualy make a real difference because it ends up at
the |err| label regardless and still returns a "success" result. This patch
just cleans things up to make it look a bit more sane.

RT#4076

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit dffe51091f)
2015-10-08 14:17:08 +01:00
Rich Salz
12650153ec RT4044: Remove .cvsignore files.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3be39dc1e3)
2015-09-15 12:00:18 -04:00
Emilia Kasper
9d4798a9e0 RT 3493: fix RSA test
- Pass in the right ciphertext length to ensure we're indeed testing
  ciphertext corruption (and not truncation).
- Only test one mutation per byte to not make the test too slow.
- Add a separate test for truncated ciphertexts.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 25d6b3401c)
2015-09-01 20:05:56 +02:00
Dr. Stephen Henson
5030cc69ff use X9.31 keygen by default in FIPS mode
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d0c9a90640)
2015-07-30 14:35:42 +01:00
Richard Levitte
eb797fde3f Fix the update target and remove duplicate file updates
We had updates of certain header files in both Makefile.org and the
Makefile in the directory the header file lived in.  This is error
prone and also sometimes generates slightly different results (usually
just a comment that differs) depending on which way the update was
done.

This removes the file update targets from the top level Makefile, adds
an update: target in all Makefiles and has it depend on the depend: or
local_depend: targets, whichever is appropriate, so we don't get a
double run through the whole file tree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0f539dc1a2)

Conflicts:
	Makefile.org
	apps/Makefile
	test/Makefile
2015-05-23 11:22:10 +02:00
Matt Caswell
017f695f2c Fix buffer overrun in RSA signing
The problem occurs in EVP_PKEY_sign() when using RSA with X931 padding.
It is only triggered if the RSA key size is smaller than the digest length.
So with SHA512 you can trigger the overflow with anything less than an RSA
512 bit key. I managed to trigger a 62 byte overflow when using a 16 bit RSA
key. This wasn't sufficient to cause a crash, although your mileage may
vary.

In practice RSA keys of this length are never used and X931 padding is very
rare. Even if someone did use an excessively short RSA key, the chances of
them combining that with a longer digest and X931 padding is very
small. For these reasons I do not believe there is a security implication to
this. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 34166d4189)
2015-04-30 23:27:07 +01:00
Matt Caswell
cda8845ded Re-align some comments after running the reformat script.
This should be a one off operation (subsequent invokation of the
script should not move them)

This commit is for the 1.0.1 changes

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:39:01 +00:00
Matt Caswell
47050853f1 Rerun util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:38:49 +00:00
Matt Caswell
10621efd32 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:38:39 +00:00
Matt Caswell
4017726f72 Fix strange formatting by indent
Conflicts:
	crypto/hmac/hmac.h

Conflicts:
	crypto/evp/e_aes_cbc_hmac_sha256.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:29 +00:00
Matt Caswell
3cf9f81b09 indent has problems with comments that are on the right hand side of a line.
Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.

Conflicts:
	crypto/bn/bn.h
	crypto/ec/ec_lcl.h
	crypto/rsa/rsa.h
	demos/engines/ibmca/hw_ibmca.c
	ssl/ssl.h
	ssl/ssl3.h

Conflicts:
	crypto/ec/ec_lcl.h
	ssl/tls1.h

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:16 +00:00
Tim Hudson
3e9a08ecb1 mark all block comments that need format preserving so that
indent will not alter them when reformatting comments

(cherry picked from commit 1d97c84351)

Conflicts:
	crypto/bn/bn_lcl.h
	crypto/bn/bn_prime.c
	crypto/engine/eng_all.c
	crypto/rc4/rc4_utl.c
	crypto/sha/sha.h
	ssl/kssl.c
	ssl/t1_lib.c

Conflicts:
	crypto/rc4/rc4_enc.c
	crypto/x509v3/v3_scts.c
	crypto/x509v3/v3nametest.c
	ssl/d1_both.c
	ssl/s3_srvr.c
	ssl/ssl.h
	ssl/ssl_locl.h
	ssl/ssltest.c
	ssl/t1_lib.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:33:23 +00:00
Richard Levitte
8202802fad Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:35 +02:00
Dr. Stephen Henson
55614f89f0 Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:22:32 +01:00
Emilia Kasper
0f04b004ac RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
2014-09-24 14:17:41 +02:00
Alan Hryngle
675b1c2fce Return smaller of ret and f.
PR#3418.
(cherry picked from commit fdea4fff8f)
2014-07-05 22:38:44 +01:00
Martin Kaiser
bf8d6f9ab8 remove duplicate 0x for default RSASSA-PSS salt len
(cherry picked from commit 3820fec3a09faecba7fe9912aa20ef7fcda8337b)
2014-05-29 14:12:14 +01:00
Dr. Stephen Henson
c776a3f398 make update 2014-01-06 13:33:27 +00:00
Dr. Stephen Henson
60df657b3a make update 2013-12-08 13:23:14 +00:00
Dr. Stephen Henson
0ec1a77891 Check for missing components in RSA_check.
(cherry picked from commit 01be36ef70525e81fc358d2e559bdd0a0d9427a5)
2013-11-09 15:09:21 +00:00
Dr. Stephen Henson
04b727b4dd Fix PSS signature printing.
Fix PSS signature printing: consistently use 0x prefix for hex values for
padding length and trailer fields.
(cherry picked from commit deb24ad53147f5a8dd63416224a5edd7bbc0e74a)
2013-05-05 14:03:30 +01:00
Dr. Stephen Henson
79dabcc137 Typo.
(cherry picked from commit 0ded2a0689)
2013-03-31 17:43:58 +01:00
Ben Laurie
2ee798880a Add and use a constant-time memcmp.
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
2013-01-28 17:30:38 +00:00
Ben Laurie
af454b5bb0 Reduce version skew. 2012-06-08 09:18:47 +00:00
Dr. Stephen Henson
88be4ebfbc make update 2012-04-26 10:42:20 +00:00
Dr. Stephen Henson
0cd7a0325f Additional compatibility fix for MDC2 signature format.
Update RSA EVP_PKEY_METHOD to use the OCTET STRING form of MDC2 signature:
this will make all versions of MDC2 signature equivalent.
2012-02-15 14:14:01 +00:00
Dr. Stephen Henson
16b7c81d55 An incompatibility has always existed between the format used for RSA
signatures and MDC2 using EVP or RSA_sign. This has become more apparent
when the dgst utility in OpenSSL 1.0.0 and later switched to using the
EVP_DigestSign functions which call RSA_sign.

This means that the signature format OpenSSL 1.0.0 and later used with
dgst -sign and MDC2 is incompatible with previous versions.

Add detection in RSA_verify so either format works.

Note: MDC2 is disabled by default in OpenSSL and very rarely used in practice.
2012-02-15 14:00:09 +00:00
Dr. Stephen Henson
9d972207f0 incomplete provisional OAEP CMS decrypt support 2012-01-02 18:16:40 +00:00
Bodo Möller
67f8de9ab8 "make update" 2011-10-19 15:24:44 +00:00
Bodo Möller
2d95ceedc5 BN_BLINDING multi-threading fix.
Submitted by: Emilia Kasper (Google)
2011-10-19 14:58:59 +00:00
Dr. Stephen Henson
9309ea6617 Backport PSS signature support from HEAD. 2011-10-09 23:13:50 +00:00
Dr. Stephen Henson
3a5b97b7f1 Don't set default public key methods in FIPS mode so applications
can switch between modes.
2011-06-20 19:41:13 +00:00
Dr. Stephen Henson
cc30415d0c Use method rsa keygen first if FIPS mode if it is a FIPS method. 2011-06-09 13:18:07 +00:00
Dr. Stephen Henson
2e51a4caa3 Function not used outside FIPS builds. 2011-06-06 11:24:47 +00:00
Dr. Stephen Henson
24d7159abd Backport libcrypto audit: check return values of EVP functions instead
of assuming they will always suceed.
2011-06-03 20:53:00 +00:00
Dr. Stephen Henson
53dd05d8f6 Redirect RSA keygen, sign, verify to FIPS module. 2011-06-03 13:16:16 +00:00
Dr. Stephen Henson
fbe7055370 Redirection of low level APIs to FIPS module.
Digest sign, verify operations are not redirected at this stage.
2011-06-02 18:22:42 +00:00
Dr. Stephen Henson
a5b386205f Backport extended PSS support from HEAD: allow setting of mgf1Hash explicitly.
This is needed to handle FIPS redirection fully.
2011-06-02 18:13:33 +00:00
Richard Levitte
9f427a52cb make update (1.0.1-stable)
This meant a slight renumbering in util/libeay.num due to symbols
appearing in 1.0.0-stable.  However, since there's been no release on
this branch yet, it should be harmless.
2011-03-23 00:06:04 +00:00
Dr. Stephen Henson
c42d223ac2 Move RSA encryption functions to new file crypto/rsa/rsa_crpt.c to separate
crypto and ENGINE dependencies in RSA library.
2011-01-25 17:43:20 +00:00
Dr. Stephen Henson
7770da4b41 PR: 2295
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve

OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.
2010-10-11 23:25:23 +00:00
Dr. Stephen Henson
618265e645 Fix CVE-2010-1633 and CVE-2010-0742. 2010-06-01 13:17:06 +00:00
Dr. Stephen Henson
aac751832a PR: 2124
Submitted by: Jan Pechanec <Jan.Pechanec@Sun.COM>

Check for memory allocation failures.
2009-12-09 13:38:20 +00:00
Dr. Stephen Henson
80afb40ae3 Submitted by: Julia Lawall <julia@diku.dk>
The functions ENGINE_ctrl(), OPENSSL_isservice(), EVP_PKEY_sign(),
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fix
so the return code is checked correctly.
2009-09-13 11:27:27 +00:00
Dr. Stephen Henson
ea904b4074 Update from HEAD. 2009-08-05 15:04:16 +00:00
Dr. Stephen Henson
8549a8a5dc Fix from 0.9.8-stable 2009-06-26 23:14:11 +00:00