openssl/crypto
Matt Caswell d49b888910 Avoid an underflow in ecp_nistp521.c
The function felem_diff_128_64 in ecp_nistp521.c subtracts the number |in|
from |out| mod p. In order to avoid underflow it first adds 32p mod p
(which is equivalent to 0 mod p) to |out|. The comments and variable naming
suggest that the original author intended to add 64p mod p. In fact it
has been shown that with certain unusual co-ordinates it is possible to
cause an underflow in this function when only adding 32p mod p while
performing a point double operation. By changing this to 64p mod p the
underflow is avoided.

It turns out to be quite difficult to construct points that satisfy the
underflow criteria although this has been done and the underflow
demonstrated. However none of these points are actually on the curve.
Finding points that satisfy the underflow criteria and are also *on* the
curve is considered significantly more difficult. For this reason we do
not believe that this issue is currently practically exploitable and
therefore no CVE has been assigned.

This only impacts builds using the enable-ec_nistp_64_gcc_128 Configure
option.

With thanks to Bo-Yin Yang, Billy Brumley and Dr Liu for their significant
help in investigating this issue.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8405)

(cherry picked from commit 13fbce17fc)
2019-03-07 14:47:39 +00:00
aes Update copyright year 2019-02-26 14:05:09 +00:00
aria
asn1 Update copyright year 2019-02-26 14:05:09 +00:00
async arch/async_posix.h: improve portability. 2018-10-19 10:31:04 +02:00
bf
bio Update copyright year 2019-02-26 14:05:09 +00:00
blake2
bn Update copyright year 2019-02-26 14:05:09 +00:00
buffer
camellia Update copyright year 2018-09-11 13:45:17 +01:00
cast
chacha deps: add s390 asm rules for OpenSSL-1.1.1 2019-03-01 08:41:26 +01:00
cmac
cms Update copyright year 2019-02-26 14:05:09 +00:00
comp Fix last(?) batch of malloc-NULL places 2018-04-26 14:02:24 -04:00
conf Update copyright year 2019-02-26 14:05:09 +00:00
ct Use secure_getenv(3) when available. 2018-09-24 11:22:22 +10:00
des Update copyright year 2019-02-26 14:05:09 +00:00
dh Harmonize the error handling codepath 2018-09-05 15:22:35 +03:00
dsa DSA: Check for sanity of input parameters 2018-11-14 13:07:54 +01:00
dso Preserve errno on dlopen 2018-12-10 10:22:05 +00:00
ec Avoid an underflow in ecp_nistp521.c 2019-03-07 14:47:39 +00:00
engine Update copyright year 2019-02-26 14:05:09 +00:00
err Update copyright year 2019-02-26 14:05:09 +00:00
evp Prevent over long nonces in ChaCha20-Poly1305 2019-03-06 13:30:39 +00:00
hmac Fix HMAC SHA3-224 and HMAC SHA3-256. 2018-09-04 08:09:12 +10:00
idea
include/internal bn/bn_{div|shift}.c: introduce fixed-top interfaces. 2018-12-05 10:38:22 +00:00
kdf Reset the HKDF state between operations 2018-10-29 14:11:40 +00:00
lhash Update copyright year 2018-09-11 13:45:17 +01:00
md2
md4
md5
mdc2
modes cfi build fixes in x86-64 ghash assembly 2019-02-27 22:44:46 +01:00
objects Update generator copyright year. 2019-01-07 13:53:24 -05:00
ocsp Update copyright year 2018-09-11 13:45:17 +01:00
pem Update copyright year 2019-02-26 14:05:09 +00:00
perlasm Update copyright year 2019-02-26 14:05:09 +00:00
pkcs7 Update copyright year 2018-09-11 13:45:17 +01:00
pkcs12 Use secure_getenv(3) when available. 2018-09-24 11:22:22 +10:00
poly1305 deps: add s390 asm rules for OpenSSL-1.1.1 2019-03-01 08:41:26 +01:00
rand Fix seeding from random device w/o getrandom syscall 2019-03-01 18:29:56 +01:00
rc2
rc4 deps: add s390 asm rules for OpenSSL-1.1.1 2019-03-01 08:41:26 +01:00
rc5
ripemd
rsa Fix cert with rsa instead of rsaEncryption as public key algorithm 2018-12-31 09:51:04 +01:00
seed Update copyright year 2018-09-11 13:45:17 +01:00
sha Update copyright year 2019-02-26 14:05:09 +00:00
siphash Fix SipHash init order. 2018-11-12 07:16:58 +01:00
sm2 EVP module documentation pass 2018-10-17 13:31:59 +03:00
sm3
sm4
srp Update copyright year 2019-02-26 14:05:09 +00:00
stack Revert "stack/stack.c: omit redundant NULL checks." 2018-08-09 14:37:10 +01:00
store crypto/*: address standard-compilance nits. 2018-07-20 13:40:30 +02:00
ts Check conversion return in ASN1_INTEGER_print_bio. 2018-07-31 11:37:05 +10:00
txt_db
ui Update copyright year 2019-02-26 14:05:09 +00:00
whrlpool
x509 Update copyright year 2019-02-26 14:05:09 +00:00
x509v3 Update copyright year 2018-09-11 13:45:17 +01:00
alphacpuid.pl
arm64cpuid.pl {arm64|x86_64}cpuid.pl: add special 16-byte case to OPENSSL_memcmp. 2018-06-03 21:15:18 +02:00
arm_arch.h
armcap.c Update copyright year 2019-02-26 14:05:09 +00:00
armv4cpuid.pl Update copyright year 2018-05-01 13:34:30 +01:00
build.info Use secure_getenv(3) when available. 2018-09-24 11:22:22 +10:00
c64xpluscpuid.pl
cpt_err.c Fix last(?) batch of malloc-NULL places 2018-04-26 14:02:24 -04:00
cryptlib.c Update copyright year 2019-02-26 14:05:09 +00:00
ctype.c
cversion.c
dllmain.c Update copyright year 2018-09-11 13:45:17 +01:00
ebcdic.c
ex_data.c
getenv.c Use secure_getenv(3) when available. 2018-09-24 11:22:22 +10:00
ia64cpuid.S
init.c Update copyright year 2019-02-26 14:05:09 +00:00
LPdir_nyi.c
LPdir_unix.c typo-fixes: miscellaneous typo fixes 2018-09-21 23:59:02 +02:00
LPdir_vms.c
LPdir_win.c
LPdir_win32.c
LPdir_wince.c
mem.c crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG. 2018-08-07 09:08:50 +02:00
mem_clr.c
mem_dbg.c
mem_sec.c test/secmemtest: test secure memory only if it is implemented 2018-10-05 12:23:34 +02:00
mips_arch.h
o_dir.c
o_fips.c
o_fopen.c Add missing include file. 2018-09-17 12:54:20 +10:00
o_init.c
o_str.c openssl_strerror_r: Fix handling of GNU strerror_r 2019-03-04 10:11:05 +00:00
o_time.c
pariscid.pl PA-RISC assembly pack: make it work with GNU assembler for HP-UX. 2018-06-25 16:45:48 +02:00
ppc_arch.h Update copyright year 2019-02-26 14:05:09 +00:00
ppccap.c Update copyright year 2019-02-26 14:05:09 +00:00
ppccpuid.pl Update copyright year 2019-02-26 14:05:09 +00:00
s390x_arch.h s390x assembly pack: add KIMD/KLMD code path for sha3/shake 2018-08-06 12:04:52 +02:00
s390xcap.c
s390xcpuid.pl s390x assembly pack: add KIMD/KLMD code path for sha3/shake 2018-08-06 12:04:52 +02:00
sparc_arch.h
sparccpuid.S
sparcv9cap.c
threads_none.c crypto/threads_*: remove CRYPTO_atomic_{read|write}. 2018-08-17 12:40:39 +02:00
threads_pthread.c crypto/threads_*: remove CRYPTO_atomic_{read|write}. 2018-08-17 12:40:39 +02:00
threads_win.c crypto/threads_*: remove CRYPTO_atomic_{read|write}. 2018-08-17 12:40:39 +02:00
uid.c Update copyright year 2019-02-26 14:05:09 +00:00
vms_rms.h
x86_64cpuid.pl {arm64|x86_64}cpuid.pl: add special 16-byte case to OPENSSL_memcmp. 2018-06-03 21:15:18 +02:00
x86cpuid.pl