1. 28 9月, 2019 1 次提交
    • D
      Reorganize private crypto header files · 0c994d54
      Dr. Matthias St. Pierre 提交于
      Currently, there are two different directories which contain internal
      header files of libcrypto which are meant to be shared internally:
      
      While header files in 'include/internal' are intended to be shared
      between libcrypto and libssl, the files in 'crypto/include/internal'
      are intended to be shared inside libcrypto only.
      
      To make things complicated, the include search path is set up in such
      a way that the directive #include "internal/file.h" could refer to
      a file in either of these two directoroes. This makes it necessary
      in some cases to add a '_int.h' suffix to some files to resolve this
      ambiguity:
      
        #include "internal/file.h"      # located in 'include/internal'
        #include "internal/file_int.h"  # located in 'crypto/include/internal'
      
      This commit moves the private crypto headers from
      
        'crypto/include/internal'  to  'include/crypto'
      
      As a result, the include directives become unambiguous
      
        #include "internal/file.h"       # located in 'include/internal'
        #include "crypto/file.h"         # located in 'include/crypto'
      
      hence the superfluous '_int.h' suffixes can be stripped.
      
      The files 'store_int.h' and 'store.h' need to be treated specially;
      they are joined into a single file.
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/9681)
      0c994d54
  2. 10 9月, 2019 1 次提交
  3. 07 9月, 2019 3 次提交
    • N
      Uniform BN_bn2binpad() and BN_bn2lebinpad() implementations · 2432e129
      Nicola Tuveri 提交于
      Reviewed-by: NMatt Caswell <matt@openssl.org>
      Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
      (Merged from https://github.com/openssl/openssl/pull/9511)
      
      (cherry picked from commit 1b338abe3abb8c73f004c34d4b8a9272b89dfd5d)
      2432e129
    • N
      Make BN_num_bits() consttime upon BN_FLG_CONSTTIME · b9a380f7
      Nicola Tuveri 提交于
      This issue was partially addressed by commit
      972c87df, which hardened its callee
      BN_num_bits_word() to avoid leaking the most-significant word of its
      argument via branching and memory access pattern.
      The commit message also reported:
      > There are a few places where BN_num_bits is called on an input where
      > the bit length is also secret. This does *not* fully resolve those
      > cases as we still only look at the top word.
      
      BN_num_bits() is called directly or indirectly (e.g., through
      BN_num_bytes() or BN_bn2binpad() ) in various parts of the `crypto/ec`
      code, notably in all the currently supported implementations of scalar
      multiplication (in the generic path through ec_scalar_mul_ladder() as
      well as in dedicated methods like ecp_nistp{224,256,521}.c and
      ecp_nistz256.c).
      
      Under the right conditions, a motivated SCA attacker could retrieve the
      secret bitlength of a secret nonce through this vulnerability,
      potentially leading, ultimately, to recover a long-term secret key.
      
      With this commit, exclusively for BIGNUMs that are flagged with
      BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of
      the BIGNUM are accessed up to bn->dmax and bitwise masking is used to
      avoid branching.
      
      Memory access pattern still leaks bn->dmax, the size of the lazily
      allocated buffer for representing the BIGNUM, which is inevitable with
      the current BIGNUM architecture: reading past bn->dmax would be an
      out-of-bound read.
      As such, it's the caller responsibility to ensure that bn->dmax does not
      leak secret information, by explicitly expanding the internal BIGNUM
      buffer to a public value sufficient to avoid any lazy reallocation
      while manipulating it: this should be already done at the top level
      alongside setting the BN_FLG_CONSTTIME.
      
      Thanks to David Schrammel and Samuel Weiser for reporting this issue
      through responsible disclosure.
      Reviewed-by: NMatt Caswell <matt@openssl.org>
      Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
      (Merged from https://github.com/openssl/openssl/pull/9511)
      
      (cherry picked from commit 8b44198b916015f77bef1befa26edb48ad8a0238)
      b9a380f7
    • B
      Fix a SCA leak in BN_generate_dsa_nonce · 9e1403d9
      Bernd Edlinger 提交于
      Reviewed-by: NMatt Caswell <matt@openssl.org>
      Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
      (Merged from https://github.com/openssl/openssl/pull/9782)
      
      (cherry picked from commit 31ca19403d56ad71d823cf62990518dfc6905bb4)
      9e1403d9
  4. 01 8月, 2019 1 次提交
  5. 23 7月, 2019 1 次提交
  6. 07 7月, 2019 1 次提交
  7. 11 6月, 2019 1 次提交
  8. 28 5月, 2019 1 次提交
  9. 19 3月, 2019 3 次提交
  10. 26 2月, 2019 2 次提交
    • M
      Update copyright year · 72a7a702
      Matt Caswell 提交于
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/8347)
      72a7a702
    • M
      Ensure bn_cmp_words can handle the case where n == 0 · df2cb82a
      Matt Caswell 提交于
      Thanks to David Benjamin who reported this, performed the analysis and
      suggested the patch. I have incorporated some of his analysis in the
      comments below.
      
      This issue can cause an out-of-bounds read. It is believed that this was
      not reachable until the recent "fixed top" changes. Analysis has so far
      only identified one code path that can encounter this - although it is
      possible that others may be found. The one code path only impacts 1.0.2 in
      certain builds. The fuzzer found a path in RSA where iqmp is too large. If
      the input is all zeros, the RSA CRT logic will multiply a padded zero by
      iqmp. Two mitigating factors:
      
      - Private keys which trip this are invalid (iqmp is not reduced mod p).
      Only systems which take untrusted private keys care.
      - In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp,
      so the bug is only reproducible in 1.0.2 so far.
      
      Fortunately, the bug appears to be relatively harmless. The consequences of
      bn_cmp_word's misbehavior are:
      
      - OpenSSL may crash if the buffers are page-aligned and the previous page is
      non-existent.
      - OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they
      are equal.
      - Side channel concerns.
      
      The first is indeed a concern and is a DoS bug. The second is fine in this
      context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1)
      in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or
      a1 - a0. The third would be worth thinking about, but it is overshadowed
      by the entire Karatsuba implementation not being constant time.
      
      Due to the difficulty of tripping this and the low impact no CVE is felt
      necessary for this issue.
      Reviewed-by: NPaul Dale <paul.dale@oracle.com>
      Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/8326)
      
      (cherry picked from commit 576129cd72ae054d246221f111aabf42b9c6d76d)
      df2cb82a
  11. 21 2月, 2019 1 次提交
  12. 18 2月, 2019 1 次提交
    • D
      Fix some CFI issues in x86_64 assembly · 2086edb7
      David Benjamin 提交于
      The add/double shortcut in ecp_nistz256-x86_64.pl left one instruction
      point that did not unwind, and the "slow" path in AES_cbc_encrypt was
      not annotated correctly. For the latter, add
      .cfi_{remember,restore}_state support to perlasm.
      
      Next, fill in a bunch of functions that are missing no-op .cfi_startproc
      and .cfi_endproc blocks. libunwind cannot unwind those stack frames
      otherwise.
      
      Finally, work around a bug in libunwind by not encoding rflags. (rflags
      isn't a callee-saved register, so there's not much need to annotate it
      anyway.)
      
      These were found as part of ABI testing work in BoringSSL.
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      GH: #8109
      (cherry picked from commit c0e8e5007ba5234d4d448e82a1567e0c4467e629)
      2086edb7
  13. 13 2月, 2019 1 次提交
  14. 05 2月, 2019 1 次提交
  15. 27 1月, 2019 1 次提交
  16. 17 1月, 2019 1 次提交
  17. 08 1月, 2019 1 次提交
  18. 03 1月, 2019 1 次提交
  19. 05 12月, 2018 3 次提交
  20. 26 11月, 2018 1 次提交
  21. 20 11月, 2018 1 次提交
  22. 10 11月, 2018 1 次提交
  23. 30 10月, 2018 1 次提交
  24. 21 9月, 2018 1 次提交
  25. 11 9月, 2018 1 次提交
  26. 03 9月, 2018 1 次提交
  27. 24 8月, 2018 3 次提交
  28. 26 7月, 2018 1 次提交
  29. 24 7月, 2018 1 次提交
  30. 22 7月, 2018 1 次提交
  31. 18 7月, 2018 1 次提交