Date: Tue, 20 Nov 2018 19:01:18 +0000 (UTC) From: Jung-uk Kim <jkim@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r340692 - in vendor-crypto/openssl/dist-1.0.2: . apps crypto crypto/bio crypto/bn crypto/bn/asm crypto/conf crypto/dsa crypto/ec crypto/engine crypto/pkcs12 crypto/pkcs7 crypto/rand cry... Message-ID: <201811201901.wAKJ1IwI061696@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jkim Date: Tue Nov 20 19:01:17 2018 New Revision: 340692 URL: https://svnweb.freebsd.org/changeset/base/340692 Log: Import OpenSSL 1.0.2q. Added: vendor-crypto/openssl/dist-1.0.2/crypto/getenv.c (contents, props changed) Modified: vendor-crypto/openssl/dist-1.0.2/CHANGES vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade vendor-crypto/openssl/dist-1.0.2/Makefile vendor-crypto/openssl/dist-1.0.2/NEWS vendor-crypto/openssl/dist-1.0.2/README vendor-crypto/openssl/dist-1.0.2/apps/req.c vendor-crypto/openssl/dist-1.0.2/config vendor-crypto/openssl/dist-1.0.2/crypto/Makefile vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_mult.c vendor-crypto/openssl/dist-1.0.2/crypto/engine/eng_list.c vendor-crypto/openssl/dist-1.0.2/crypto/opensslconf.h vendor-crypto/openssl/dist-1.0.2/crypto/opensslv.h vendor-crypto/openssl/dist-1.0.2/crypto/pkcs12/p12_init.c vendor-crypto/openssl/dist-1.0.2/crypto/pkcs7/pk7_lib.c vendor-crypto/openssl/dist-1.0.2/crypto/rand/Makefile vendor-crypto/openssl/dist-1.0.2/crypto/rand/md_rand.c vendor-crypto/openssl/dist-1.0.2/crypto/rand/rand_lcl.h vendor-crypto/openssl/dist-1.0.2/crypto/rand/rand_lib.c vendor-crypto/openssl/dist-1.0.2/crypto/rand/randfile.c vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_eay.c vendor-crypto/openssl/dist-1.0.2/crypto/ui/ui_openssl.c vendor-crypto/openssl/dist-1.0.2/crypto/x509/by_dir.c vendor-crypto/openssl/dist-1.0.2/crypto/x509/by_file.c vendor-crypto/openssl/dist-1.0.2/crypto/x509/x509_vfy.c vendor-crypto/openssl/dist-1.0.2/crypto/x509v3/v3_purp.c vendor-crypto/openssl/dist-1.0.2/doc/apps/crl.pod vendor-crypto/openssl/dist-1.0.2/doc/apps/req.pod vendor-crypto/openssl/dist-1.0.2/doc/apps/s_server.pod vendor-crypto/openssl/dist-1.0.2/doc/crypto/EVP_DigestSignInit.pod vendor-crypto/openssl/dist-1.0.2/doc/crypto/EVP_DigestVerifyInit.pod vendor-crypto/openssl/dist-1.0.2/doc/crypto/OPENSSL_VERSION_NUMBER.pod vendor-crypto/openssl/dist-1.0.2/engines/e_capi.c vendor-crypto/openssl/dist-1.0.2/ssl/d1_pkt.c vendor-crypto/openssl/dist-1.0.2/ssl/ssl_ciph.c vendor-crypto/openssl/dist-1.0.2/ssl/ssl_lib.c vendor-crypto/openssl/dist-1.0.2/ssl/t1_lib.c vendor-crypto/openssl/dist-1.0.2/util/domd vendor-crypto/openssl/dist-1.0.2/util/libeay.num Modified: vendor-crypto/openssl/dist-1.0.2/CHANGES ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/CHANGES Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/CHANGES Tue Nov 20 19:01:17 2018 (r340692) @@ -7,6 +7,36 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.0.2p and 1.0.2q [20 Nov 2018] + + *) Microarchitecture timing vulnerability in ECC scalar multiplication + + OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been + shown to be vulnerable to a microarchitecture timing side channel attack. + An attacker with sufficient access to mount local timing attacks during + ECDSA signature generation could recover the private key. + + This issue was reported to OpenSSL on 26th October 2018 by Alejandro + Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and + Nicola Tuveri. + (CVE-2018-5407) + [Billy Brumley] + + *) Timing vulnerability in DSA signature generation + + The OpenSSL DSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. + (CVE-2018-0734) + [Paul Dale] + + *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object + Module, accidentally introduced while backporting security fixes from the + development branch and hindering the use of ECC in FIPS mode. + [Nicola Tuveri] + Changes between 1.0.2o and 1.0.2p [14 Aug 2018] *) Client DoS due to large DH parameter Modified: vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade Tue Nov 20 19:01:17 2018 (r340692) @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/V # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://repo.freebsd.org/base" -setenv OSSLVER 1.0.2p -# OSSLTAG format: v1_0_2p +setenv OSSLVER 1.0.2q +# OSSLTAG format: v1_0_2q ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` Modified: vendor-crypto/openssl/dist-1.0.2/Makefile ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/Makefile Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/Makefile Tue Nov 20 19:01:17 2018 (r340692) @@ -4,18 +4,18 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2p +VERSION=1.0.2q MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=1 SHLIB_MINOR=0.0 -SHLIB_EXT= -PLATFORM=dist -OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine -CONFIGURE_ARGS=dist -SHLIB_TARGET= +SHLIB_EXT=.so.$(SHLIB_MAJOR).$(SHLIB_MINOR) +PLATFORM=linux-x86_64 +OPTIONS=-Wa,--noexecstack no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine +CONFIGURE_ARGS=linux-x86_64 -Wa,--noexecstack +SHLIB_TARGET=linux-shared # HERE indicates where this Makefile lives. This can be used to indicate # where sub-Makefiles are expected to be. Currently has very limited usage, @@ -59,11 +59,11 @@ OPENSSLDIR=/usr/local/ssl # equal 4. # PKCS1_CHECK - pkcs1 tests. -CC= cc -CFLAG= -O +CC= gcc +CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS PEX_LIBS= -EX_LIBS= +EX_LIBS= -ldl EXE_EXT= ARFLAGS= AR= ar $(ARFLAGS) r @@ -73,7 +73,7 @@ NM= nm PERL= /usr/bin/perl TAR= tar TARFLAGS= --no-recursion -MAKEDEPPROG= cc +MAKEDEPPROG= gcc LIBDIR=lib # We let the C compiler driver to take care of .s files. This is done in @@ -89,23 +89,23 @@ ASFLAG=$(CFLAG) PROCESSOR= # CPUID module collects small commonly used assembler snippets -CPUID_OBJ= mem_clr.o -BN_ASM= bn_asm.o -EC_ASM= +CPUID_OBJ= x86_64cpuid.o +BN_ASM= x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o +EC_ASM= ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC= des_enc.o fcrypt_b.o -AES_ENC= aes_core.o aes_cbc.o +AES_ENC= aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC= bf_enc.o CAST_ENC= c_enc.o -RC4_ENC= rc4_enc.o rc4_skey.o +RC4_ENC= rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC= rc5_enc.o -MD5_ASM_OBJ= -SHA1_ASM_OBJ= +MD5_ASM_OBJ= md5-x86_64.o +SHA1_ASM_OBJ= sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_ASM_OBJ= -WP_ASM_OBJ= wp_block.o -CMLL_ENC= camellia.o cmll_misc.o cmll_cbc.o -MODES_ASM_OBJ= +WP_ASM_OBJ= wp-x86_64.o +CMLL_ENC= cmll-x86_64.o cmll_misc.o +MODES_ASM_OBJ= ghash-x86_64.o aesni-gcm-x86_64.o ENGINES_ASM_OBJ= -PERLASM_SCHEME= +PERLASM_SCHEME= elf # KRB5 stuff KRB5_INCLUDES= @@ -177,8 +177,8 @@ LIBS= libcrypto.a libssl.a SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) SHARED_LIBS= -SHARED_LIBS_LINK_EXTS= -SHARED_LDFLAGS= +SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so +SHARED_LDFLAGS=-m64 GENERAL= Makefile BASENAME= openssl Modified: vendor-crypto/openssl/dist-1.0.2/NEWS ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/NEWS Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/NEWS Tue Nov 20 19:01:17 2018 (r340692) @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] + + o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407) + o Timing vulnerability in DSA signature generation (CVE-2018-0734) + Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018] o Client DoS due to large DH parameter (CVE-2018-0732) Modified: vendor-crypto/openssl/dist-1.0.2/README ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/README Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/README Tue Nov 20 19:01:17 2018 (r340692) @@ -1,5 +1,5 @@ - OpenSSL 1.0.2p 14 Aug 2018 + OpenSSL 1.0.2q 20 Nov 2018 Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: vendor-crypto/openssl/dist-1.0.2/apps/req.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/apps/req.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/apps/req.c Tue Nov 20 19:01:17 2018 (r340692) @@ -659,8 +659,7 @@ int MAIN(int argc, char **argv) } } - BIO_printf(bio_err, "Generating a %ld bit %s private key\n", - newkey, keyalgstr); + BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr); EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); EVP_PKEY_CTX_set_app_data(genctx, bio_err); Modified: vendor-crypto/openssl/dist-1.0.2/config ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/config Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/config Tue Nov 20 19:01:17 2018 (r340692) @@ -992,5 +992,6 @@ if [ $? = "0" ]; then fi else echo "This system ($OUT) is not supported. See file INSTALL for details." + exit 1 fi ) Modified: vendor-crypto/openssl/dist-1.0.2/crypto/Makefile ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/Makefile Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/Makefile Tue Nov 20 19:01:17 2018 (r340692) @@ -36,9 +36,11 @@ TEST=constant_time_test.c LIB= $(TOP)/libcrypto.a SHARED_LIB= libcrypto$(SHLIB_EXT) LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ - ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c + ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c \ + getenv.c LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \ - uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ) + uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o getenv.o \ + $(CPUID_OBJ) SRC= $(LIBSRC) @@ -178,6 +180,13 @@ ex_data.o: ../include/openssl/ossl_typ.h ../include/op ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h ex_data.o: ex_data.c fips_ers.o: ../include/openssl/opensslconf.h fips_ers.c +getenv.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h +getenv.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +getenv.o: ../include/openssl/err.h ../include/openssl/lhash.h +getenv.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +getenv.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h +getenv.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h +getenv.o: getenv.c mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h mem.o: ../include/openssl/err.h ../include/openssl/lhash.h Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c Tue Nov 20 19:01:17 2018 (r340692) @@ -56,6 +56,9 @@ * [including the GNU Public Licence.] */ +#define _DEFAULT_SOURCE +#define _BSD_SOURCE + #include <stdio.h> #include <stdlib.h> #include <errno.h> @@ -83,6 +86,11 @@ NETDB_DEFINE_CONTEXT static int wsa_init_done = 0; # endif +# if defined(__GLIBC__) +# define HAVE_GETHOSTBYNAME_R +# define GETHOSTNAME_R_BUF (2 * 1024) +# endif + /* * WSAAPI specifier is required to make indirect calls to run-time * linked WinSock 2 functions used in this module, to be specific @@ -116,7 +124,12 @@ int BIO_get_host_ip(const char *str, unsigned char *ip int i; int err = 1; int locked = 0; - struct hostent *he; + struct hostent *he = NULL; +# ifdef HAVE_GETHOSTBYNAME_R + char buf[GETHOSTNAME_R_BUF]; + struct hostent hostent; + int h_errnop; +# endif i = get_ip(str, ip); if (i < 0) { @@ -138,10 +151,18 @@ int BIO_get_host_ip(const char *str, unsigned char *ip if (i > 0) return (1); + /* if gethostbyname_r is supported, use it. */ +# ifdef HAVE_GETHOSTBYNAME_R + memset(&hostent, 0x00, sizeof(hostent)); + /* gethostbyname_r() sets |he| to NULL on error, we check it further down */ + gethostbyname_r(str, &hostent, buf, sizeof(buf), &he, &h_errnop); +# else /* do a gethostbyname */ CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME); locked = 1; he = BIO_gethostbyname(str); +# endif + if (he == NULL) { BIOerr(BIO_F_BIO_GET_HOST_IP, BIO_R_BAD_HOSTNAME_LOOKUP); goto err; Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c Tue Nov 20 19:01:17 2018 (r340692) @@ -55,12 +55,6 @@ * machine. */ -# if defined(_WIN64) || !defined(__LP64__) -# define BN_ULONG unsigned long long -# else -# define BN_ULONG unsigned long -# endif - # undef mul # undef mul_add Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c Tue Nov 20 19:01:17 2018 (r340692) @@ -1,6 +1,6 @@ /* crypto/bn/bn_blind.c */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -206,10 +206,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx) if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) goto err; } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) { - if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) - goto err; - if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)) - goto err; + if (b->m_ctx != NULL) { + if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx) + || !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx)) + goto err; + } else { + if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx) + || !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) + goto err; + } } ret = 1; @@ -241,13 +246,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BL else if (!BN_BLINDING_update(b, ctx)) return (0); - if (r != NULL) { - if (!BN_copy(r, b->Ai)) - ret = 0; - } + if (r != NULL && (BN_copy(r, b->Ai) == NULL)) + return 0; - if (!BN_mod_mul(n, n, b->A, b->mod, ctx)) - ret = 0; + if (b->m_ctx != NULL) + ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx); + else + ret = BN_mod_mul(n, n, b->A, b->mod, ctx); return ret; } @@ -264,14 +269,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, bn_check_top(n); - if (r != NULL) - ret = BN_mod_mul(n, n, r, b->mod, ctx); - else { - if (b->Ai == NULL) { - BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); - return (0); + if (r == NULL && (r = b->Ai) == NULL) { + BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); + return 0; + } + + if (b->m_ctx != NULL) { + /* ensure that BN_mod_mul_montgomery takes pre-defined path */ + if (n->dmax >= r->top) { + size_t i, rtop = r->top, ntop = n->top; + BN_ULONG mask; + + for (i = 0; i < rtop; i++) { + mask = (BN_ULONG)0 - ((i - ntop) >> (8 * sizeof(i) - 1)); + n->d[i] &= mask; + } + mask = (BN_ULONG)0 - ((rtop - ntop) >> (8 * sizeof(ntop) - 1)); + /* always true, if (rtop >= ntop) n->top = r->top; */ + n->top = (int)(rtop & ~mask) | (ntop & mask); + n->flags |= (BN_FLG_FIXED_TOP & ~mask); } - ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx); + ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx); + } else { + ret = BN_mod_mul(n, n, r, b->mod, ctx); } bn_check_top(n); @@ -366,11 +386,16 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, } while (1); if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) { - if (!ret->bn_mod_exp - (ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx)) + if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx)) goto err; } else { if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)) + goto err; + } + + if (ret->m_ctx != NULL) { + if (!bn_to_mont_fixed_top(ret->Ai, ret->Ai, ret->m_ctx, ctx) + || !bn_to_mont_fixed_top(ret->A, ret->A, ret->m_ctx, ctx)) goto err; } Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c Tue Nov 20 19:01:17 2018 (r340692) @@ -617,26 +617,40 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIG static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { int n; - size_t i, inc, lasti, j; + size_t i, lasti, j, atop, mask; BN_ULONG l; + /* + * In case |a| is fixed-top, BN_num_bytes can return bogus length, + * but it's assumed that fixed-top inputs ought to be "nominated" + * even for padded output, so it works out... + */ n = BN_num_bytes(a); - if (tolen == -1) + if (tolen == -1) { tolen = n; - else if (tolen < n) - return -1; + } else if (tolen < n) { /* uncommon/unlike case */ + BIGNUM temp = *a; - if (n == 0) { + bn_correct_top(&temp); + n = BN_num_bytes(&temp); + if (tolen < n) + return -1; + } + + /* Swipe through whole available data and don't give away padded zero. */ + atop = a->dmax * BN_BYTES; + if (atop == 0) { OPENSSL_cleanse(to, tolen); return tolen; } - lasti = n - 1; - for (i = 0, inc = 1, j = tolen; j > 0;) { + lasti = atop - 1; + atop = a->top * BN_BYTES; + for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) { l = a->d[i / BN_BYTES]; - to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc)); - inc = (i - lasti) >> (8 * sizeof(i) - 1); - i += inc; /* stay on top limb */ + mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1)); + *--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); + i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */ } return tolen; @@ -888,6 +902,38 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, t = (a->top ^ b->top) & condition; a->top ^= t; b->top ^= t; + + t = (a->neg ^ b->neg) & condition; + a->neg ^= t; + b->neg ^= t; + + /*- + * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention + * is actually to treat it as it's read-only data, and some (if not most) + * of it does reside in read-only segment. In other words observation of + * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or effectively cause data + * corruption. + * + * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be + * preserved. + * + * BN_FLG_SECURE: must be preserved, because it determines how x->d was + * allocated and hence how to free it. + * + * BN_FLG_CONSTTIME: sufficient to mask and swap + * + * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on + * the data, so the d array may be padded with additional 0 values (i.e. + * top could be greater than the minimal value that it could be). We should + * be swapping it + */ + +#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) + + t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; + a->flags ^= t; + b->flags ^= t; #define BN_CONSTTIME_SWAP(ind) \ do { \ Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c Tue Nov 20 19:01:17 2018 (r340692) @@ -172,7 +172,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, c if (mtop > sizeof(storage) / sizeof(storage[0]) && (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL) - return 0; + return 0; ap = a->d != NULL ? a->d : tp; bp = b->d != NULL ? b->d : tp; @@ -197,6 +197,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, c ((volatile BN_ULONG *)tp)[i] = 0; } r->top = mtop; + r->flags |= BN_FLG_FIXED_TOP; r->neg = 0; if (tp != storage) @@ -222,6 +223,70 @@ int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNU if (!BN_sub(r, a, b)) return 0; return BN_nnmod(r, r, m, ctx); +} + +/* + * BN_mod_sub variant that may be used if both a and b are non-negative, + * a is less than m, while b is of same bit width as m. It's implemented + * as subtraction followed by two conditional additions. + * + * 0 <= a < m + * 0 <= b < 2^w < 2*m + * + * after subtraction + * + * -2*m < r = a - b < m + * + * Thus it takes up to two conditional additions to make |r| positive. + */ +int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m) +{ + size_t i, ai, bi, mtop = m->top; + BN_ULONG borrow, carry, ta, tb, mask, *rp; + const BN_ULONG *ap, *bp; + + if (bn_wexpand(r, m->top) == NULL) + return 0; + + rp = r->d; + ap = a->d != NULL ? a->d : rp; + bp = b->d != NULL ? b->d : rp; + + for (i = 0, ai = 0, bi = 0, borrow = 0; i < mtop;) { + mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1)); + ta = ap[ai] & mask; + + mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1)); + tb = bp[bi] & mask; + rp[i] = ta - tb - borrow; + if (ta != tb) + borrow = (ta < tb); + + i++; + ai += (i - a->dmax) >> (8 * sizeof(i) - 1); + bi += (i - b->dmax) >> (8 * sizeof(i) - 1); + } + ap = m->d; + for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) { + ta = ((ap[i] & mask) + carry) & BN_MASK2; + carry = (ta < carry); + rp[i] = (rp[i] + ta) & BN_MASK2; + carry += (rp[i] < ta); + } + borrow -= carry; + for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) { + ta = ((ap[i] & mask) + carry) & BN_MASK2; + carry = (ta < carry); + rp[i] = (rp[i] + ta) & BN_MASK2; + carry += (rp[i] < ta); + } + + r->top = mtop; + r->flags |= BN_FLG_FIXED_TOP; + r->neg = 0; + + return 1; } /* Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c Tue Nov 20 19:01:17 2018 (r340692) @@ -164,10 +164,10 @@ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, bn_check_top(tmp); if (a == b) { - if (!BN_sqr(tmp, a, ctx)) + if (!bn_sqr_fixed_top(tmp, a, ctx)) goto err; } else { - if (!BN_mul(tmp, a, b, ctx)) + if (!bn_mul_fixed_top(tmp, a, b, ctx)) goto err; } /* reduce from aRR to aR */ @@ -190,6 +190,7 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM BIGNUM *n; BN_ULONG *ap, *np, *rp, n0, v, carry; int nl, max, i; + unsigned int rtop; n = &(mont->N); nl = n->top; @@ -207,12 +208,10 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM rp = r->d; /* clear the top words of T */ -# if 1 - for (i = r->top; i < max; i++) /* memset? XXX */ - rp[i] = 0; -# else - memset(&(rp[r->top]), 0, (max - r->top) * sizeof(BN_ULONG)); -# endif + for (rtop = r->top, i = 0; i < max; i++) { + v = (BN_ULONG)0 - ((i - rtop) >> (8 * sizeof(rtop) - 1)); + rp[i] &= v; + } r->top = max; r->flags |= BN_FLG_FIXED_TOP; @@ -263,6 +262,18 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx) { + int retn; + + retn = bn_from_mont_fixed_top(ret, a, mont, ctx); + bn_correct_top(ret); + bn_check_top(ret); + + return retn; +} + +int bn_from_mont_fixed_top(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx) +{ int retn = 0; #ifdef MONT_WORD BIGNUM *t; @@ -270,8 +281,6 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, B BN_CTX_start(ctx); if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) { retn = bn_from_montgomery_word(ret, t, mont); - bn_correct_top(ret); - bn_check_top(ret); } BN_CTX_end(ctx); #else /* !MONT_WORD */ Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c Tue Nov 20 19:01:17 2018 (r340692) @@ -936,6 +936,16 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { + int ret = bn_mul_fixed_top(r, a, b, ctx); + + bn_correct_top(r); + bn_check_top(r); + + return ret; +} + +int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) +{ int ret = 0; int top, al, bl; BIGNUM *rr; @@ -1042,7 +1052,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b #if defined(BN_MUL_COMBA) || defined(BN_RECURSION) end: #endif - bn_correct_top(rr); + rr->flags |= BN_FLG_FIXED_TOP; if (r != rr && BN_copy(r, rr) == NULL) goto err; Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c Tue Nov 20 19:01:17 2018 (r340692) @@ -66,6 +66,16 @@ */ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) { + int ret = bn_sqr_fixed_top(r, a, ctx); + + bn_correct_top(r); + bn_check_top(r); + + return ret; +} + +int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) +{ int max, al; int ret = 0; BIGNUM *tmp, *rr; @@ -136,7 +146,7 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) rr->neg = 0; rr->top = max; - bn_correct_top(rr); + rr->flags |= BN_FLG_FIXED_TOP; if (r != rr && BN_copy(r, rr) == NULL) goto err; Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c Tue Nov 20 19:01:17 2018 (r340692) @@ -4,7 +4,7 @@ * 2005. */ /* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 2005-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -223,8 +223,10 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int n for (i = 0; i < 1000; i++) { if (!BN_rand(Xq, nbits, 1, 0)) goto err; + /* Check that |Xp - Xq| > 2^(nbits - 100) */ - BN_sub(t, Xp, Xq); + if (!BN_sub(t, Xp, Xq)) + goto err; if (BN_num_bits(t) > (nbits - 100)) break; } Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h Tue Nov 20 19:01:17 2018 (r340692) @@ -7,9 +7,15 @@ */ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_MONT_CTX *mont, BN_CTX *ctx); +int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx); int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx); int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); +int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m); +int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); +int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen); Modified: vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile Tue Nov 20 19:01:17 2018 (r340692) @@ -80,12 +80,13 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. conf_api.o: ../../e_os.h ../../include/openssl/bio.h -conf_api.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h -conf_api.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +conf_api.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h +conf_api.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h +conf_api.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h conf_api.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -conf_api.o: ../../include/openssl/symhacks.h conf_api.c +conf_api.o: ../../include/openssl/symhacks.h ../cryptlib.h conf_api.c conf_def.o: ../../e_os.h ../../include/openssl/bio.h conf_def.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h conf_def.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h Modified: vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c Tue Nov 20 19:01:17 2018 (r340692) @@ -66,6 +66,7 @@ #include <assert.h> #include <stdlib.h> #include <string.h> +#include "cryptlib.h" #include <openssl/conf.h> #include <openssl/conf_api.h> #include "e_os.h" @@ -141,7 +142,7 @@ char *_CONF_get_string(const CONF *conf, const char *s if (v != NULL) return (v->value); if (strcmp(section, "ENV") == 0) { - p = getenv(name); + p = ossl_safe_getenv(name); if (p != NULL) return (p); } @@ -154,7 +155,7 @@ char *_CONF_get_string(const CONF *conf, const char *s else return (NULL); } else - return (getenv(name)); + return (ossl_safe_getenv(name)); } #if 0 /* There's no way to provide error checking Modified: vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c Tue Nov 20 19:01:17 2018 (r340692) @@ -4,7 +4,7 @@ * 2001. */ /* ==================================================================== - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -530,7 +530,7 @@ char *CONF_get1_default_config_file(void) char *file; int len; - file = getenv("OPENSSL_CONF"); + file = ossl_safe_getenv("OPENSSL_CONF"); if (file) return BUF_strdup(file); Modified: vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h Tue Nov 20 19:01:17 2018 (r340692) @@ -104,6 +104,8 @@ void OPENSSL_showfatal(const char *fmta, ...); void *OPENSSL_stderr(void); extern int OPENSSL_NONPIC_relocated; +char *ossl_safe_getenv(const char *); + #ifdef __cplusplus } #endif Modified: vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c Tue Nov 20 19:01:17 2018 (r340692) @@ -435,6 +435,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N EVP_MD_CTX_init(&mctx); + /* make sure L > N, otherwise we'll get trapped in an infinite loop */ + if (L <= N) { + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS); + goto err; + } + if (evpmd == NULL) { if (N == 160) evpmd = EVP_sha1(); Modified: vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c Tue Nov 20 19:01:17 2018 (r340692) @@ -73,6 +73,8 @@ static int dsa_do_verify(const unsigned char *dgst, in DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", @@ -279,7 +281,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BI goto err; /* Preallocate space */ - q_bits = BN_num_bits(dsa->q); + q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16; if (!BN_set_bit(&k, q_bits) || !BN_set_bit(&l, q_bits) || !BN_set_bit(&m, q_bits)) @@ -293,9 +295,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BI if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { BN_set_flags(&k, BN_FLG_CONSTTIME); + BN_set_flags(&l, BN_FLG_CONSTTIME); } - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, CRYPTO_LOCK_DSA, dsa->p, ctx)) @@ -333,8 +335,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BI if (!BN_mod(r, r, dsa->q, ctx)) goto err; - /* Compute part of 's = inv(k) (m + xr) mod q' */ - if ((kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx)) == NULL) + /* Compute part of 's = inv(k) (m + xr) mod q' */ + if ((kinv = dsa_mod_inverse_fermat(&k, dsa->q, ctx)) == NULL) goto err; if (*kinvp != NULL) @@ -467,4 +469,32 @@ static int dsa_finish(DSA *dsa) if (dsa->method_mont_p) BN_MONT_CTX_free(dsa->method_mont_p); return (1); +} + +/* + * Compute the inverse of k modulo q. + * Since q is prime, Fermat's Little Theorem applies, which reduces this to + * mod-exp operation. Both the exponent and modulus are public information + * so a mod-exp that doesn't leak the base is sufficient. A newly allocated + * BIGNUM is returned which the caller must free. + */ +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx) +{ + BIGNUM *res = NULL; + BIGNUM *r, e; + + if ((r = BN_new()) == NULL) + return NULL; + + BN_init(&e); + + if (BN_set_word(r, 2) + && BN_sub(&e, q, r) + && BN_mod_exp_mont(r, k, &e, q, ctx, NULL)) + res = r; + else + BN_free(r); + BN_free(&e); + return res; } Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h Tue Nov 20 19:01:17 2018 (r340692) @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -214,7 +214,7 @@ struct ec_group_st { int asn1_flag; /* flag to control the asn1 encoding */ /* * Kludge: upper bit of ans1_flag is used to denote structure - * version. Is set, then last field is present. This is done + * version. If set, then last field is present. This is done * for interoperation with FIPS code. */ #define EC_GROUP_ASN1_FLAG_MASK 0x7fffffff @@ -549,7 +549,6 @@ void ec_GFp_nistp_points_make_affine_internal(size_t n void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, unsigned char *digit, unsigned char in); #endif -int ec_precompute_mont_data(EC_GROUP *); #ifdef ECP_NISTZ256_ASM /** Returns GFp methods using montgomery multiplication, with x86-64 optimized Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c Tue Nov 20 19:00:20 2018 (r340691) +++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c Tue Nov 20 19:01:17 2018 (r340692) @@ -70,6 +70,10 @@ const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT; +/* local function prototypes */ + +static int ec_precompute_mont_data(EC_GROUP *group); + /* functions for EC_GROUP objects */ EC_GROUP *EC_GROUP_new(const EC_METHOD *meth) @@ -318,17 +322,25 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_P } else BN_zero(&group->cofactor); - /* - * Some groups have an order with - * factors of two, which makes the Montgomery setup fail. - * |group->mont_data| will be NULL in this case. + /*- + * Access to the `mont_data` field of an EC_GROUP struct should always be + * guarded by an EC_GROUP_VERSION(group) check to avoid OOB accesses, as the + * group might come from the FIPS module, which does not define the + * `mont_data` field inside the EC_GROUP structure. */ - if (BN_is_odd(&group->order)) { - return ec_precompute_mont_data(group); + if (EC_GROUP_VERSION(group)) { + /*- + * Some groups have an order with + * factors of two, which makes the Montgomery setup fail. + * |group->mont_data| will be NULL in this case. + */ + if (BN_is_odd(&group->order)) + return ec_precompute_mont_data(group); + + BN_MONT_CTX_free(group->mont_data); + group->mont_data = NULL; } - BN_MONT_CTX_free(group->mont_data); - group->mont_data = NULL; return 1; } @@ -1098,17 +1110,22 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *grou * been performed */ } -/* +/*- * ec_precompute_mont_data sets |group->mont_data| from |group->order| and * returns one on success. On error it returns zero. + * *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201811201901.wAKJ1IwI061696>