Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
大约 1 年 前同步成功

通知 8
Star 18
Fork 1
T
Third Party Openssl

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
  1. 26 5月, 2023 1 次提交
  3. 12 4月, 2023 2 次提交
  5. 10 8月, 2021 1 次提交
  7. 27 2月, 2020 1 次提交
  9. 28 9月, 2019 1 次提交
  11. 07 9月, 2019 2 次提交
    • N
      Uniform BN_bn2binpad() and BN_bn2lebinpad() implementations · 2432e129
      Nicola Tuveri 提交于 
      Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit 1b338abe3abb8c73f004c34d4b8a9272b89dfd5d)
      2432e129
    • N
      Make BN_num_bits() consttime upon BN_FLG_CONSTTIME · b9a380f7
      Nicola Tuveri 提交于 
      This issue was partially addressed by commit
972c87df, which hardened its callee
BN_num_bits_word() to avoid leaking the most-significant word of its
argument via branching and memory access pattern.
The commit message also reported:
> There are a few places where BN_num_bits is called on an input where
> the bit length is also secret. This does *not* fully resolve those
> cases as we still only look at the top word.

BN_num_bits() is called directly or indirectly (e.g., through
BN_num_bytes() or BN_bn2binpad() ) in various parts of the `crypto/ec`
code, notably in all the currently supported implementations of scalar
multiplication (in the generic path through ec_scalar_mul_ladder() as
well as in dedicated methods like ecp_nistp{224,256,521}.c and
ecp_nistz256.c).

Under the right conditions, a motivated SCA attacker could retrieve the
secret bitlength of a secret nonce through this vulnerability,
potentially leading, ultimately, to recover a long-term secret key.

With this commit, exclusively for BIGNUMs that are flagged with
BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of
the BIGNUM are accessed up to bn->dmax and bitwise masking is used to
avoid branching.

Memory access pattern still leaks bn->dmax, the size of the lazily
allocated buffer for representing the BIGNUM, which is inevitable with
the current BIGNUM architecture: reading past bn->dmax would be an
out-of-bound read.
As such, it's the caller responsibility to ensure that bn->dmax does not
leak secret information, by explicitly expanding the internal BIGNUM
buffer to a public value sufficient to avoid any lazy reallocation
while manipulating it: this should be already done at the top level
alongside setting the BN_FLG_CONSTTIME.

Thanks to David Schrammel and Samuel Weiser for reporting this issue
through responsible disclosure.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9511)

(cherry picked from commit 8b44198b916015f77bef1befa26edb48ad8a0238)
      b9a380f7
  13. 23 7月, 2019 1 次提交
  15. 19 3月, 2019 1 次提交
  17. 26 2月, 2019 2 次提交
    • M
      Update copyright year · 72a7a702
      Matt Caswell 提交于 
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8347)
      72a7a702
    • M
      Ensure bn_cmp_words can handle the case where n == 0 · df2cb82a
      Matt Caswell 提交于 
      Thanks to David Benjamin who reported this, performed the analysis and
suggested the patch. I have incorporated some of his analysis in the
comments below.

This issue can cause an out-of-bounds read. It is believed that this was
not reachable until the recent "fixed top" changes. Analysis has so far
only identified one code path that can encounter this - although it is
possible that others may be found. The one code path only impacts 1.0.2 in
certain builds. The fuzzer found a path in RSA where iqmp is too large. If
the input is all zeros, the RSA CRT logic will multiply a padded zero by
iqmp. Two mitigating factors:

- Private keys which trip this are invalid (iqmp is not reduced mod p).
Only systems which take untrusted private keys care.
- In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp,
so the bug is only reproducible in 1.0.2 so far.

Fortunately, the bug appears to be relatively harmless. The consequences of
bn_cmp_word's misbehavior are:

- OpenSSL may crash if the buffers are page-aligned and the previous page is
non-existent.
- OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they
are equal.
- Side channel concerns.

The first is indeed a concern and is a DoS bug. The second is fine in this
context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1)
in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or
a1 - a0. The third would be worth thinking about, but it is overshadowed
by the entire Karatsuba implementation not being constant time.

Due to the difficulty of tripping this and the low impact no CVE is felt
necessary for this issue.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8326)

(cherry picked from commit 576129cd72ae054d246221f111aabf42b9c6d76d)
      df2cb82a
  19. 26 11月, 2018 1 次提交
  21. 10 11月, 2018 1 次提交
  23. 24 8月, 2018 1 次提交
  25. 18 7月, 2018 1 次提交
  27. 14 7月, 2018 1 次提交
  29. 12 7月, 2018 2 次提交
  31. 27 4月, 2018 1 次提交
  33. 24 4月, 2018 2 次提交
  35. 02 2月, 2018 1 次提交
    • D
      Make BN_num_bits_word constant-time. · 972c87df
      David Benjamin 提交于 
      (This patch was written by Andy Polyakov. I only wrote the commit
message. Mistakes in the analysis are my fault.)

BN_num_bits, by way of BN_num_bits_word, currently leaks the
most-significant word of its argument via branching and memory access
pattern.

BN_num_bits is called on RSA prime factors in various places. These have
public bit lengths, but all bits beyond the high bit are secret. This
fully resolves those cases.

There are a few places where BN_num_bits is called on an input where the
bit length is also secret. This does *not* fully resolve those cases as
we still only look at the top word. Today, that is guaranteed to be
non-zero, but only because of the long-standing bn_correct_top timing
leak. Once that is fixed, a constant-time BN_num_bits on such inputs
must count bits on each word.

Instead, those cases should not call BN_num_bits at all. In particular,
BN_mod_exp_mont_consttime uses the exponent bit width to pick windows,
but it should be using the maximum bit width. The next patch will fix
this.

Thanks to Dinghao Wu, Danfeng Zhang, Shuai Wang, Pei Wang, and Xiao Liu
for reporting this issue.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5154)
      972c87df
  37. 19 1月, 2018 1 次提交
  39. 16 1月, 2018 1 次提交
    • M
      Revert BN_copy() flag copy semantics change · 7d461736
      Matt Caswell 提交于 
      Commit 9f944291 changed the semantics of BN_copy() to additionally
copy the BN_FLG_CONSTTIME flag if it is set. This turns out to be
ill advised as it has unintended consequences. For example calling
BN_mod_inverse_no_branch() can sometimes return a result with the flag
set and sometimes not as a result. This can lead to later failures if we
go down code branches that do not support constant time, but check for
the presence of the flag.

The original commit was made due to an issue in BN_MOD_CTX_set(). The
original PR fixed the problem in that function, but it was changed in
review to fix it in BN_copy() instead. The solution seems to be to revert
the BN_copy() change and go back to the originally proposed way.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5080)
      7d461736
  41. 23 10月, 2017 1 次提交
  43. 18 10月, 2017 1 次提交
  45. 12 10月, 2017 1 次提交
  47. 09 10月, 2017 1 次提交
  49. 27 9月, 2017 1 次提交
  51. 04 3月, 2017 1 次提交
  53. 01 3月, 2017 1 次提交
  55. 06 9月, 2016 1 次提交
  57. 02 8月, 2016 1 次提交
  59. 30 6月, 2016 1 次提交
  61. 11 6月, 2016 1 次提交
  63. 22 5月, 2016 1 次提交
  65. 18 5月, 2016 1 次提交
  67. 03 5月, 2016 1 次提交
  69. 08 4月, 2016 1 次提交