Date: Tue, 28 May 2019 20:13:54 +0000 (UTC) From: Jung-uk Kim <jkim@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r348335 - in vendor-crypto/openssl/dist-1.0.2: . apps crypto crypto/dh crypto/dsa crypto/ec crypto/ecdh crypto/err crypto/rsa doc/apps ssl Message-ID: <201905282013.x4SKDsNU062550@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jkim Date: Tue May 28 20:13:54 2019 New Revision: 348335 URL: https://svnweb.freebsd.org/changeset/base/348335 Log: Import OpenSSL 1.0.2s. Modified: vendor-crypto/openssl/dist-1.0.2/CHANGES vendor-crypto/openssl/dist-1.0.2/Configure vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade vendor-crypto/openssl/dist-1.0.2/Makefile vendor-crypto/openssl/dist-1.0.2/README vendor-crypto/openssl/dist-1.0.2/apps/CA.pl vendor-crypto/openssl/dist-1.0.2/config vendor-crypto/openssl/dist-1.0.2/crypto/dh/dh_pmeth.c vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_pmeth.c vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec2_oct.c vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_mult.c vendor-crypto/openssl/dist-1.0.2/crypto/ec/ecp_nistp521.c vendor-crypto/openssl/dist-1.0.2/crypto/ec/ecp_oct.c vendor-crypto/openssl/dist-1.0.2/crypto/ec/ectest.c vendor-crypto/openssl/dist-1.0.2/crypto/ecdh/ech_ossl.c vendor-crypto/openssl/dist-1.0.2/crypto/err/err.c vendor-crypto/openssl/dist-1.0.2/crypto/err/err.h vendor-crypto/openssl/dist-1.0.2/crypto/opensslv.h vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_eay.c vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_oaep.c vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_pk1.c vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_pmeth.c vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_ssl.c vendor-crypto/openssl/dist-1.0.2/doc/apps/genpkey.pod vendor-crypto/openssl/dist-1.0.2/ssl/d1_pkt.c vendor-crypto/openssl/dist-1.0.2/ssl/s3_pkt.c Modified: vendor-crypto/openssl/dist-1.0.2/CHANGES ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/CHANGES Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/CHANGES Tue May 28 20:13:54 2019 (r348335) @@ -7,6 +7,23 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.0.2r and 1.0.2s [28 May 2019] + + *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. + This changes the size when using the genpkey app when no size is given. It + fixes an omission in earlier changes that changed all RSA, DSA and DH + generation apps to use 2048 bits by default. + [Kurt Roeckx] + + *) Add FIPS support for Android Arm 64-bit + + Support for Android Arm 64-bit was added to the OpenSSL FIPS Object + Module in Version 2.0.10. For some reason, the corresponding target + 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be + built with FIPS support on Android Arm 64-bit. This omission has been + fixed. + [Matthias St. Pierre] + Changes between 1.0.2q and 1.0.2r [26 Feb 2019] *) 0-byte record padding oracle Modified: vendor-crypto/openssl/dist-1.0.2/Configure ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/Configure Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/Configure Tue May 28 20:13:54 2019 (r348335) @@ -475,6 +475,7 @@ my %table=( "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "android-armv7","gcc:-march=armv7-a -mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"android64-aarch64","gcc:-mandroid -fPIC -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-pie%-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### *BSD [do see comment about ${BSDthreads} above!] "BSD-generic32","gcc:-O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", Modified: vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade Tue May 28 20:13:54 2019 (r348335) @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/V # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://repo.freebsd.org/base" -setenv OSSLVER 1.0.2r -# OSSLTAG format: v1_0_2r +setenv OSSLVER 1.0.2s +# OSSLTAG format: v1_0_2s ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` Modified: vendor-crypto/openssl/dist-1.0.2/Makefile ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/Makefile Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/Makefile Tue May 28 20:13:54 2019 (r348335) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2r +VERSION=1.0.2s MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 @@ -70,7 +70,7 @@ AR= ar $(ARFLAGS) r RANLIB= /usr/bin/ranlib RC= windres NM= nm -PERL= /usr/bin/perl +PERL= /usr/local/bin/perl TAR= tar TARFLAGS= --no-recursion MAKEDEPPROG= gcc Modified: vendor-crypto/openssl/dist-1.0.2/README ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/README Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/README Tue May 28 20:13:54 2019 (r348335) @@ -1,7 +1,7 @@ - OpenSSL 1.0.2r 26 Feb 2019 + OpenSSL 1.0.2s 28 May 2019 - Copyright (c) 1998-2018 The OpenSSL Project + Copyright (c) 1998-2019 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. Modified: vendor-crypto/openssl/dist-1.0.2/apps/CA.pl ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/apps/CA.pl Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/apps/CA.pl Tue May 28 20:13:54 2019 (r348335) @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes Modified: vendor-crypto/openssl/dist-1.0.2/config ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/config Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/config Tue May 28 20:13:54 2019 (r348335) @@ -871,6 +871,7 @@ case "$GUESSOS" in *-*-qnx6) OUT="QNX6" ;; x86-*-android|i?86-*-android) OUT="android-x86" ;; armv[7-9]*-*-android) OUT="android-armv7" ;; + aarch64-*-android) OUT="android64-aarch64" ;; *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;; esac Modified: vendor-crypto/openssl/dist-1.0.2/crypto/dh/dh_pmeth.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/dh/dh_pmeth.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/dh/dh_pmeth.c Tue May 28 20:13:54 2019 (r348335) @@ -3,7 +3,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -101,7 +101,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx) dctx = OPENSSL_malloc(sizeof(DH_PKEY_CTX)); if (!dctx) return 0; - dctx->prime_len = 1024; + dctx->prime_len = 2048; dctx->subprime_len = -1; dctx->generator = 2; dctx->use_dsa = 0; Modified: vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_pmeth.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_pmeth.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_pmeth.c Tue May 28 20:13:54 2019 (r348335) @@ -3,7 +3,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -69,8 +69,8 @@ typedef struct { /* Parameter gen parameters */ - int nbits; /* size of p in bits (default: 1024) */ - int qbits; /* size of q in bits (default: 160) */ + int nbits; /* size of p in bits (default: 2048) */ + int qbits; /* size of q in bits (default: 224) */ const EVP_MD *pmd; /* MD for parameter generation */ /* Keygen callback info */ int gentmp[2]; @@ -84,8 +84,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx) dctx = OPENSSL_malloc(sizeof(DSA_PKEY_CTX)); if (!dctx) return 0; - dctx->nbits = 1024; - dctx->qbits = 160; + dctx->nbits = 2048; + dctx->qbits = 224; dctx->pmd = NULL; dctx->md = NULL; Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec2_oct.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec2_oct.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec2_oct.c Tue May 28 20:13:54 2019 (r348335) @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -299,7 +299,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC BN_CTX *ctx) { point_conversion_form_t form; - int y_bit; + int y_bit, m; BN_CTX *new_ctx = NULL; BIGNUM *x, *y, *yxi; size_t field_len, enc_len; @@ -332,7 +332,8 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC return EC_POINT_set_to_infinity(group, point); } - field_len = (EC_GROUP_get_degree(group) + 7) / 8; + m = EC_GROUP_get_degree(group); + field_len = (m + 7) / 8; enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len; @@ -357,7 +358,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC if (!BN_bin2bn(buf + 1, field_len, x)) goto err; - if (BN_ucmp(x, &group->field) >= 0) { + if (BN_num_bits(x) > m) { ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; } @@ -369,7 +370,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC } else { if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err; - if (BN_ucmp(y, &group->field) >= 0) { + if (BN_num_bits(y) > m) { ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; } @@ -382,14 +383,12 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC } } + /* + * EC_POINT_set_affine_coordinates_GF2m is responsible for checking that + * the point is on the curve. + */ if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err; - } - - /* test required by X9.62 */ - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); - goto err; } ret = 1; Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c Tue May 28 20:13:54 2019 (r348335) @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -872,7 +872,15 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); + if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) + return 0; + + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, + EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } #ifndef OPENSSL_NO_EC2M @@ -890,7 +898,15 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROU EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); + if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) + return 0; + + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, + EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } #endif Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_mult.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_mult.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_mult.c Tue May 28 20:13:54 2019 (r348335) @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -519,7 +519,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_ ret = 1; err: - EC_POINT_free(s); + EC_POINT_clear_free(s); BN_CTX_end(ctx); BN_CTX_free(new_ctx); Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ecp_nistp521.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ecp_nistp521.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ecp_nistp521.c Tue May 28 20:13:54 2019 (r348335) @@ -356,10 +356,15 @@ static void felem_diff64(felem out, const felem in) static void felem_diff_128_64(largefelem out, const felem in) { /* - * In order to prevent underflow, we add 0 mod p before subtracting. + * In order to prevent underflow, we add 64p mod p (which is equivalent + * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521 + * digit number with all bits set to 1. See "The representation of field + * elements" comment above for a description of how limbs are used to + * represent a number. 64p is represented with 8 limbs containing a number + * with 58 bits set and one limb with a number with 57 bits set. */ - static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5); - static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4); + static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6); + static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5); out[0] += two63m6 - in[0]; out[1] += two63m5 - in[1]; Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ecp_oct.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ecp_oct.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ecp_oct.c Tue May 28 20:13:54 2019 (r348335) @@ -5,7 +5,7 @@ * OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -408,14 +408,12 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_ } } + /* + * EC_POINT_set_affine_coordinates_GFp is responsible for checking that + * the point is on the curve. + */ if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; - } - - /* test required by X9.62 */ - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); - goto err; } ret = 1; Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ectest.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ectest.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ectest.c Tue May 28 20:13:54 2019 (r348335) @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -325,7 +325,7 @@ static void prime_field_tests(void) EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL; EC_POINT *P, *Q, *R; - BIGNUM *x, *y, *z; + BIGNUM *x, *y, *z, *yplusone; unsigned char buf[100]; size_t i, len; int k; @@ -405,7 +405,8 @@ static void prime_field_tests(void) x = BN_new(); y = BN_new(); z = BN_new(); - if (!x || !y || !z) + yplusone = BN_new(); + if (x == NULL || y == NULL || z == NULL || yplusone == NULL) ABORT; if (!BN_hex2bn(&x, "D")) @@ -542,6 +543,14 @@ static void prime_field_tests(void) ABORT; if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32")) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT; if (EC_POINT_is_on_curve(group, P, ctx) <= 0) @@ -613,6 +622,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 192) ABORT; @@ -668,6 +686,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 224) ABORT; @@ -728,6 +755,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 256) ABORT; @@ -783,6 +819,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 384) ABORT; @@ -844,6 +889,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 521) ABORT; @@ -858,6 +912,10 @@ static void prime_field_tests(void) /* more tests using the last curve */ + /* Restore the point that got mangled in the (x, y + 1) test. */ + if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) + ABORT; + if (!EC_POINT_copy(Q, P)) ABORT; if (EC_POINT_is_at_infinity(group, Q)) @@ -987,6 +1045,7 @@ static void prime_field_tests(void) BN_free(x); BN_free(y); BN_free(z); + BN_free(yplusone); if (P_160) EC_GROUP_free(P_160); @@ -1007,6 +1066,13 @@ static void prime_field_tests(void) # ifdef OPENSSL_EC_BIN_PT_COMP # define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ if (!BN_hex2bn(&x, _x)) ABORT; \ + if (!BN_hex2bn(&y, _y)) ABORT; \ + if (!BN_add(yplusone, y, BN_value_one())) ABORT; \ + /* \ + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \ + * and therefore setting the coordinates should fail. \ + */ \ + if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \ if (!EC_POINT_set_compressed_coordinates_GF2m(group, P, x, _y_bit, ctx)) ABORT; \ if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \ if (!BN_hex2bn(&z, _order)) ABORT; \ @@ -1025,6 +1091,12 @@ static void prime_field_tests(void) # define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ if (!BN_hex2bn(&x, _x)) ABORT; \ if (!BN_hex2bn(&y, _y)) ABORT; \ + if (!BN_add(yplusone, y, BN_value_one())) ABORT; \ + /* \ + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \ + * and therefore setting the coordinates should fail. \ + */ \ + if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \ if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \ if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \ if (!BN_hex2bn(&z, _order)) ABORT; \ @@ -1062,7 +1134,7 @@ static void char2_field_tests(void) EC_GROUP *C2_B163 = NULL, *C2_B233 = NULL, *C2_B283 = NULL, *C2_B409 = NULL, *C2_B571 = NULL; EC_POINT *P, *Q, *R; - BIGNUM *x, *y, *z, *cof; + BIGNUM *x, *y, *z, *cof, *yplusone; unsigned char buf[100]; size_t i, len; int k; @@ -1076,7 +1148,7 @@ static void char2_field_tests(void) p = BN_new(); a = BN_new(); b = BN_new(); - if (!p || !a || !b) + if (p == NULL || a == NULL || b == NULL) ABORT; if (!BN_hex2bn(&p, "13")) @@ -1142,7 +1214,8 @@ static void char2_field_tests(void) y = BN_new(); z = BN_new(); cof = BN_new(); - if (!x || !y || !z || !cof) + yplusone = BN_new(); + if (x == NULL || y == NULL || z == NULL || cof == NULL || yplusone == NULL) ABORT; if (!BN_hex2bn(&x, "6")) @@ -1504,6 +1577,7 @@ static void char2_field_tests(void) BN_free(y); BN_free(z); BN_free(cof); + BN_free(yplusone); if (C2_K163) EC_GROUP_free(C2_K163); @@ -1672,7 +1746,7 @@ static const struct nistp_test_params nistp_tests_para static void nistp_single_test(const struct nistp_test_params *test) { BN_CTX *ctx; - BIGNUM *p, *a, *b, *x, *y, *n, *m, *order; + BIGNUM *p, *a, *b, *x, *y, *n, *m, *order, *yplusone; EC_GROUP *NISTP; EC_POINT *G, *P, *Q, *Q_CHECK; @@ -1687,6 +1761,7 @@ static void nistp_single_test(const struct nistp_test_ m = BN_new(); n = BN_new(); order = BN_new(); + yplusone = BN_new(); NISTP = EC_GROUP_new(test->meth()); if (!NISTP) @@ -1709,6 +1784,14 @@ static void nistp_single_test(const struct nistp_test_ ABORT; if (!BN_hex2bn(&y, test->Qy)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, yplusone, ctx)) + ABORT; if (!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx)) ABORT; if (!BN_hex2bn(&x, test->Gx)) @@ -1811,6 +1894,7 @@ static void nistp_single_test(const struct nistp_test_ BN_free(x); BN_free(y); BN_free(order); + BN_free(yplusone); BN_CTX_free(ctx); } Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ecdh/ech_ossl.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/ecdh/ech_ossl.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/ecdh/ech_ossl.c Tue May 28 20:13:54 2019 (r348335) @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -207,7 +207,7 @@ static int ecdh_compute_key(void *out, size_t outlen, err: if (tmp) - EC_POINT_free(tmp); + EC_POINT_clear_free(tmp); if (ctx) BN_CTX_end(ctx); if (ctx) Modified: vendor-crypto/openssl/dist-1.0.2/crypto/err/err.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/err/err.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/err/err.c Tue May 28 20:13:54 2019 (r348335) @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -827,8 +827,24 @@ static unsigned long get_error_values(int inc, int top return ERR_R_INTERNAL_ERROR; } + while (es->bottom != es->top) { + if (es->err_flags[es->top] & ERR_FLAG_CLEAR) { + err_clear(es, es->top); + es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1; + continue; + } + i = (es->bottom + 1) % ERR_NUM_ERRORS; + if (es->err_flags[i] & ERR_FLAG_CLEAR) { + es->bottom = i; + err_clear(es, es->bottom); + continue; + } + break; + } + if (es->bottom == es->top) return 0; + if (top) i = es->top; /* last error */ else @@ -1158,23 +1174,6 @@ int ERR_pop_to_mark(void) return 1; } -#ifdef UINTPTR_T -# undef UINTPTR_T -#endif -/* - * uintptr_t is the answer, but unformtunately we can't assume that all - * compilers supported by 1.0.2 have it :-( - */ -#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64 -/* - * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 - * even in 64-bit builds, which means that it won't work as mask. - */ -# define UINTPTR_T unsigned long long -#else -# define UINTPTR_T size_t -#endif - void err_clear_last_constant_time(int clear) { ERR_STATE *es; @@ -1186,11 +1185,11 @@ void err_clear_last_constant_time(int clear) top = es->top; - es->err_flags[top] &= ~(0 - clear); - es->err_buffer[top] &= ~(0UL - clear); - es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & - ~((UINTPTR_T)0 - clear)); - es->err_line[top] |= 0 - clear; - - es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; + /* + * Flag error as cleared but remove it elsewhere to avoid two errors + * accessing the same error stack location, revealing timing information. + */ + clear = constant_time_select_int(constant_time_eq_int(clear, 0), + 0, ERR_FLAG_CLEAR); + es->err_flags[top] |= clear; } Modified: vendor-crypto/openssl/dist-1.0.2/crypto/err/err.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/err/err.h Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/err/err.h Tue May 28 20:13:54 2019 (r348335) @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -143,6 +143,7 @@ extern "C" { # define ERR_TXT_STRING 0x02 # define ERR_FLAG_MARK 0x01 +# define ERR_FLAG_CLEAR 0x02 # define ERR_NUM_ERRORS 16 typedef struct err_state_st { Modified: vendor-crypto/openssl/dist-1.0.2/crypto/opensslv.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/opensslv.h Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/opensslv.h Tue May 28 20:13:54 2019 (r348335) @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000212fL +# define OPENSSL_VERSION_NUMBER 0x1000213fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-fips 26 Feb 2019" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2s-fips 28 May 2019" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r 26 Feb 2019" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2s 28 May 2019" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT Modified: vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_eay.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_eay.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_eay.c Tue May 28 20:13:54 2019 (r348335) @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -589,7 +589,7 @@ static int RSA_eay_private_decrypt(int flen, const uns goto err; } RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); - err_clear_last_constant_time(r >= 0); + err_clear_last_constant_time(1 & ~constant_time_msb(r)); err: if (ctx != NULL) { Modified: vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_oaep.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_oaep.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_oaep.c Tue May 28 20:13:54 2019 (r348335) @@ -144,7 +144,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *t * |num| is the length of the modulus; |flen| is the length of the * encoded message. Therefore, for any |from| that was obtained by * decrypting a ciphertext, we must have |flen| <= |num|. Similarly, - * num < 2 * mdlen + 2 must hold for the modulus irrespective of + * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of * the ciphertext, see PKCS #1 v2.2, section 7.1.2. * This does not leak any side-channel information. */ @@ -180,17 +180,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *t from -= 1 & mask; *--em = *from & mask; } - from = em; /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ - good = constant_time_is_zero(from[0]); + good = constant_time_is_zero(em[0]); - maskedseed = from + 1; - maskeddb = from + 1 + mdlen; + maskedseed = em + 1; + maskeddb = em + 1 + mdlen; if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) goto cleanup; @@ -231,29 +230,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *t mlen = dblen - msg_index; /* - * For good measure, do this check in constant tine as well. + * For good measure, do this check in constant time as well. */ good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); - msg_index = constant_time_select_int(good, msg_index, dblen - tlen); - mlen = dblen - msg_index; - for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= dblen & equals; /* if (i == dblen) rewind */ - mask &= mask ^ equals; /* if (i == dblen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen), + dblen - mdlen - 1, tlen); + for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0); + for (i = mdlen + 1; i < dblen - msg_index; i++) + db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]); + } + for (i = 0; i < tlen; i++) { + mask = good & constant_time_lt(i, mlen); + to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]); } /* Modified: vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_pk1.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_pk1.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_pk1.c Tue May 28 20:13:54 2019 (r348335) @@ -241,15 +241,14 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, from -= 1 & mask; *--em = *from & mask; } - from = em; - good = constant_time_is_zero(from[0]); - good &= constant_time_eq(from[1], 2); + good = constant_time_is_zero(em[0]); + good &= constant_time_eq(em[1], 2); /* scan over padding data */ found_zero_byte = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(from[i]); + unsigned int equals0 = constant_time_is_zero(em[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); @@ -257,7 +256,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, } /* - * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * PS must be at least 8 bytes long, and it starts two bytes into |em|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -276,24 +275,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); - msg_index = constant_time_select_int(good, msg_index, num - tlen); - mlen = num - msg_index; - for (from += msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= tlen & equals; /* if (i == mlen) rewind */ - mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), + num - 11, tlen); + for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); + for (i = 11; i < num - msg_index; i++) + em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); + } + for (i = 0; i < tlen; i++) { + mask = good & constant_time_lt(i, mlen); + to[i] = constant_time_select_8(mask, em[i + 11], to[i]); } OPENSSL_cleanse(em, num); Modified: vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_pmeth.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_pmeth.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_pmeth.c Tue May 28 20:13:54 2019 (r348335) @@ -4,7 +4,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -103,7 +103,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx) rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX)); if (!rctx) return 0; - rctx->nbits = 1024; + rctx->nbits = 2048; rctx->pub_exp = NULL; rctx->pad_mode = RSA_PKCS1_PADDING; rctx->md = NULL; Modified: vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_ssl.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_ssl.c Tue May 28 20:08:42 2019 (r348334) +++ vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_ssl.c Tue May 28 20:13:54 2019 (r348335) @@ -104,7 +104,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen /* * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding - * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also + * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also * preserves error code reporting for backward compatibility. */ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, @@ -116,7 +116,10 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tl unsigned int good, found_zero_byte, mask, threes_in_row; int zero_index = 0, msg_index, mlen = -1, err; - if (flen < 10) { + if (tlen <= 0 || flen <= 0) + return -1; + + if (flen > num || num < 11) { RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); return (-1); } @@ -138,10 +141,9 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tl from -= 1 & mask; *--em = *from & mask; } - from = em; - good = constant_time_is_zero(from[0]); - good &= constant_time_eq(from[1], 2); + good = constant_time_is_zero(em[0]); + good &= constant_time_eq(em[1], 2); err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02); mask = ~good; @@ -149,18 +151,18 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tl found_zero_byte = 0; threes_in_row = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(from[i]); + unsigned int equals0 = constant_time_is_zero(em[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); found_zero_byte |= equals0; threes_in_row += 1 & ~found_zero_byte; - threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3); + threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3); } /* - * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * PS must be at least 8 bytes long, and it starts two bytes into |em|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -169,7 +171,7 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tl RSA_R_NULL_BEFORE_BLOCK_MISSING); mask = ~good; - good &= constant_time_lt(threes_in_row, 8); + good &= constant_time_ge(threes_in_row, 8); err = constant_time_select_int(mask | good, err, RSA_R_SSLV3_ROLLBACK_ATTACK); mask = ~good; @@ -188,24 +190,25 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tl err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201905282013.x4SKDsNU062550>