[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 54a622697eced33a6029fd5e7dd452cfb99bb72e (commit) from 152abc5522d869668f50deeb99cd0d948d0df4c1 (commit) - Log - commit 54a622697eced33a6029fd5e7dd452cfb99bb72e Author: Richard Levitte Date: Mon Feb 11 12:22:02 2019 +0100 crypto/engine/eng_cryptodev.c: fix bignum<->crp conversion bn2crparam() incorrectly delivered a big endian byte string to cryptodev. Using BN_bn2lebinpad() instead of BN_bn2bin() fixes this. crparam2bn() had a hack that avoided this issue in the other direction, but allocated an intermediary chunk of memory to get correct endianness. Using BN_lebin2bn() avoids this allocation. Fixes #8202 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8204) --- Summary of changes: crypto/engine/eng_cryptodev.c | 14 -- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 5572735..1450fdd 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -1228,14 +1228,14 @@ static int bn2crparam(const BIGNUM *a, struct crparam *crp) crp->crp_p = (caddr_t) b; crp->crp_nbits = bits; -BN_bn2bin(a, b); +BN_bn2lebinpad(a, b, bytes); return (0); } /* Convert a /dev/crypto parameter to a BIGNUM */ static int crparam2bn(struct crparam *crp, BIGNUM *a) { -u_int8_t *pd; +u_int8_t *b; int i, bytes; bytes = (crp->crp_nbits + 7) / 8; @@ -1243,15 +1243,9 @@ static int crparam2bn(struct crparam *crp, BIGNUM *a) if (bytes == 0) return (-1); -if ((pd = OPENSSL_malloc(bytes)) == NULL) -return (-1); - -for (i = 0; i < bytes; i++) -pd[i] = crp->crp_p[bytes - i - 1]; - -BN_bin2bn(pd, bytes, a); -free(pd); +b = (u_int8_t *)crp->crp_p; +BN_lebin2bn(b, bytes, a); return (0); } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
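Review bot: in the bn2crparam() hunk the return value of BN_bn2lebinpad(a, b, bytes) is discarded; it returns -1 when `a` does not fit in `bytes` bytes, and in that case `b` is handed to cryptodev unfilled while the function still reports success with `return (0)`. Suggest `if (BN_bn2lebinpad(a, b, bytes) < 0) return (-1);`, which also matches the -1 failure convention crparam2bn() already uses.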
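Review bot: in the crparam2bn() hunk the loop counter `i` in the unchanged declaration `int i, bytes;` becomes unused once the byte-reversal loop is gone and will warn under -Wall; drop it. BN_lebin2bn() can also return NULL on allocation failure, so `BN_lebin2bn(b, bytes, a);` should be `if (BN_lebin2bn(b, bytes, a) == NULL) return (-1);`. Incidentally, the removed code paired OPENSSL_malloc() with plain free(); the rewrite eliminates that allocator mismatch, which is worth a line in the log.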
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 152abc5522d869668f50deeb99cd0d948d0df4c1 (commit) from 47c55f881ffef8aa5fafcb88d4230700bb279449 (commit) - Log - commit 152abc5522d869668f50deeb99cd0d948d0df4c1 Author: Bernd Edlinger Date: Wed Jan 30 16:20:31 2019 +0100 Fix a crash in reuse of d2i_X509_PUBKEY If the second PUBKEY is malformed there is use after free. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8135) --- Summary of changes: CHANGES| 4 crypto/x509/x_pubkey.c | 1 + 2 files changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index b810a12..d634252 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,10 @@ Changes between 1.1.0j and 1.1.0k [xx XXX ] + *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a + re-used X509_PUBKEY object if the second PUBKEY is malformed. + [Bernd Edlinger] + *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). [Richard Levitte] diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index cc69283..03271cb 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -36,6 +36,7 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, /* Attempt to decode public key and cache in pubkey structure. */ X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; EVP_PKEY_free(pubkey->pkey); +pubkey->pkey = NULL; /* * Opportunistically decode the key but remove any non fatal errors * from the queue. Subsequent explicit attempts to decode/use the key _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
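Review bot: the one-line `pubkey->pkey = NULL;` fix in x_pubkey.c is correct: pubkey_cb() frees the cached key, and when the opportunistic decode that follows fails on a malformed second encoding, the re-used X509_PUBKEY kept a dangling pointer that a later EVP_PKEY_free() or use would touch. What is missing is a regression test, a d2i_X509_PUBKEY() call re-using an X509_PUBKEY with a deliberately malformed second encoding, run under ASan so the use-after-free cannot silently come back.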
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 47c55f881ffef8aa5fafcb88d4230700bb279449 (commit) from e29dcc3794bdc3928942ffb38ee383328b0d6dc1 (commit) - Log - commit 47c55f881ffef8aa5fafcb88d4230700bb279449 Author: Tobias Stoeckmann Date: Tue Dec 11 20:34:21 2018 +0100 Fixed typo (vi leftover). There was a trailing :w at a line, which didn't make sense in context of the sentence/styling. Removed it, because I think it's a leftover vi command. CLA: trivial Signed-off-by: Tobias Stoeckmann Reviewed-by: Matt Caswell Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7875) (cherry picked from commit 143b631639f95822e5e00768254fa35c787f6396) --- Summary of changes: doc/apps/ca.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 9885bb2..5e183e1 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -223,7 +223,7 @@ the section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to B unless the B<-extfile> option is used). If no extension section is present then, a V1 certificate is created. If the extension section -is present (even if it is empty), then a V3 certificate is created. See the:w +is present (even if it is empty), then a V3 certificate is created. See the L manual page for details of the extension section format. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via e29dcc3794bdc3928942ffb38ee383328b0d6dc1 (commit) from 6d405b64b77f29241b680f7edadd14d5dc0a8522 (commit) - Log - commit e29dcc3794bdc3928942ffb38ee383328b0d6dc1 Author: Andy Polyakov Date: Fri Dec 7 22:19:57 2018 +0100 err/err.c: improve err_clear_last_constant_time's portability. Reviewed-by: Kurt Roeckx Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7850) (cherry picked from commit 91d0fd1c2753f0f7d6e0953eed3cfb6eb96d8ff4) --- Summary of changes: crypto/err/err.c | 23 +-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/crypto/err/err.c b/crypto/err/err.c index 638cbf2..ba7577b 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -824,6 +824,25 @@ int ERR_pop_to_mark(void) return 1; } +#ifdef UINTPTR_T +# undef UINTPTR_T +#endif +/* + * uintptr_t is the answer, but unfortunately C89, current "least common + * denominator" doesn't define it. Most legacy platforms typedef it anyway, + * so that attempt to fill the gaps means that one would have to identify + * that track these gaps, which would be undesirable. Macro it is... + */ +#if defined(__VMS) && __INITIAL_POINTER_SIZE==64 +/* + * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 + * even in 64-bit builds, which means that it won't work as mask. + */ +# define UINTPTR_T unsigned long long +#else +# define UINTPTR_T size_t +#endif + void err_clear_last_constant_time(int clear) { ERR_STATE *es; 
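Review bot: the macro name UINTPTR_T is not namespaced, and the `#ifdef UINTPTR_T / # undef UINTPTR_T` guard at the top of the hunk exists precisely because some platform header may already define it; an OPENSSL_- or ERR_-prefixed name would avoid the collision rather than paper over it. The comment grammar is also off ("so that attempt to fill the gaps means that one would have to identify that track these gaps"); something like "typedef'ing it ourselves would mean tracking which platforms lack it" reads better. Finally, `# define UINTPTR_T size_t` assumes size_t is as wide as a pointer, which is true on the common targets but not guaranteed by C89; a one-line comment stating that assumption, next to the VMS special case, would help the next porter.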
@@ -837,8 +856,8 @@ void err_clear_last_constant_time(int clear) es->err_flags[top] &= ~(0 - clear); es->err_buffer[top] &= ~(0UL - clear); -es->err_file[top] = (const char *)((uintptr_t)es->err_file[top] & - ~((uintptr_t)0 - clear)); +es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & + ~((UINTPTR_T)0 - clear)); es->err_line[top] |= 0 - clear; es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 6d405b64b77f29241b680f7edadd14d5dc0a8522 (commit) via 437b7f059304f59a0fa96d329ca62cd8d748cbc8 (commit) via 43d53fa19da6809e458ebdadba6016d5fbc780a2 (commit) via b58c44a8c1b6c7354c9c8ce4631e27f9eb977b60 (commit) via 0ba39c87aa386db3a97be9e11c77aac94176a2fa (commit) from 7cbff94dff0b927e95be6fed991579ce8e98aa65 (commit) - Log - commit 6d405b64b77f29241b680f7edadd14d5dc0a8522 Author: Andy Polyakov Date: Fri Sep 14 17:24:13 2018 +0200 rsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time. Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding if nul delimiter is preceded by 8 consecutive 0x03 bytes. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (cherry picked from commit 603221407ddc6404f8c417c6beadebf84449074c) Resolved conflicts: crypto/rsa/rsa_ssl.c (Merged from https://github.com/openssl/openssl/pull/7735) commit 437b7f059304f59a0fa96d329ca62cd8d748cbc8 Author: Andy Polyakov Date: Thu Sep 6 21:54:23 2018 +0200 rsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP. And make RSAErr call unconditional. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (cherry picked from commit 75f5e944be97f28867e7c489823c889d89d0bd06) (Merged from https://github.com/openssl/openssl/pull/7735) commit 43d53fa19da6809e458ebdadba6016d5fbc780a2 Author: Andy Polyakov Date: Sat Sep 1 12:00:33 2018 +0200 rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2. And make RSAErr call unconditional. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c) (Merged from https://github.com/openssl/openssl/pull/7735) commit b58c44a8c1b6c7354c9c8ce4631e27f9eb977b60 Author: Andy Polyakov Date: Fri Sep 14 12:17:43 2018 +0200 rsa/rsa_ossl.c: make RSAerr call in rsa_ossl_private_decrypt unconditional. 
Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (cherry picked from commit 89072e0c2a483f2ad678e723e112712567b0ceb1) (Merged from https://github.com/openssl/openssl/pull/7735) commit 0ba39c87aa386db3a97be9e11c77aac94176a2fa Author: Andy Polyakov Date: Sat Sep 1 12:19:30 2018 +0200 err/err.c: add err_clear_last_constant_time. Expected usage pattern is to unconditionally set error and then wipe it if there was no actual error. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (cherry picked from commit f658a3b64d8750642f4975090740865f770c2a1b) Resolved conflicts: crypto/err/err.c (Merged from https://github.com/openssl/openssl/pull/7735) --- Summary of changes: crypto/err/err.c| 21 + crypto/rsa/rsa_oaep.c | 82 ++--- crypto/rsa/rsa_ossl.c | 5 +- crypto/rsa/rsa_pk1.c| 93 ++- crypto/rsa/rsa_ssl.c| 133 doc/crypto/RSA_padding_add_PKCS1_type_1.pod | 7 +- include/internal/constant_time_locl.h | 6 ++ 7 files changed, 234 insertions(+), 113 deletions(-) diff --git a/crypto/err/err.c b/crypto/err/err.c index 08c27a3..638cbf2 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -19,6 +19,7 @@ #include #include #include +#include "internal/constant_time_locl.h" static void err_load_strings(int lib, ERR_STRING_DATA *str); @@ -822,3 +823,23 @@ int ERR_pop_to_mark(void) es->err_flags[es->top] &= ~ERR_FLAG_MARK; return 1; } + +void err_clear_last_constant_time(int clear) +{ +ERR_STATE *es; +int top; + +es = ERR_get_state(); +if (es == NULL) +return; + +top = es->top; + +es->err_flags[top] &= ~(0 - clear); +es->err_buffer[top] &= ~(0UL - clear); +es->err_file[top] = (const char *)((uintptr_t)es->err_file[top] & + ~((uintptr_t)0 - clear)); +es->err_line[top] |= 0 - clear; + +es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; +} diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index df08a2f..4958212 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c 
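Review bot: err_clear_last_constant_time() lands without a comment stating its contract. The mask arithmetic (`0 - clear`, `0UL - clear`, `(uintptr_t)0 - clear`) yields an all-ones mask only when `clear` is exactly 1 and all-zeros only when it is exactly 0; any other value silently corrupts the top ERR_STATE entry, so the function header should say the argument must be 0 or 1 and that it is meant to follow an unconditional error put, as the log describes. Also, `(uintptr_t)` requires <stdint.h>, which the C89 targets this tree treats as its least common denominator may not provide; worth checking before this is merged.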
@@ -126,7 +126,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, const EVP_MD *mgf1md) { int i, dblen = 0, mlen = -1, one_index = 0, msg_index; -unsigned int good, found_one_byte; +unsigned int good = 0, found_one_byte, mask; const unsigned char *maskedseed, *maskeddb; /* * |em| is the encoded message, zero-padded to exactly |num| bytes: em = @@ -153,8 +153,11
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 403783ce05991e21a50d637398798a014e2c4f9d (commit) via ffe7659f788300d924179209c854e6826f2c0332 (commit) via 58381f26c288505766daac9e0f20f879fcd06631 (commit) via 0e17281a9c35077263128f721e82199a89c36cb8 (commit) via ed207080455147f76d575687f1a7743fa6b0ae0a (commit) from 7dac8144a760f0d9780cd7eb0771894874becd78 (commit) - Log - commit 403783ce05991e21a50d637398798a014e2c4f9d Author: Richard Levitte Date: Sat Nov 24 17:51:24 2018 +0100 Have util/mktar.sh display the absolute path to the tarball Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7696) (cherry picked from commit 3be389435fc7b94623d972b622dbd9f0cd5c34f7) commit ffe7659f788300d924179209c854e6826f2c0332 Author: Richard Levitte Date: Sat Nov 24 11:27:50 2018 +0100 Make sure to run util/mktar.sh from the source directory Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7696) (cherry picked from commit b741f153b2f24139d7210b1b0c9caf561f4900e8) commit 58381f26c288505766daac9e0f20f879fcd06631 Author: Richard Levitte Date: Sat Nov 24 00:59:33 2018 +0100 Don't export the submodules 'boringssl', 'krb5' and 'pyca-cryptography' Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7696) (cherry picked from commit 76bc401cc63219a462224884cb4af787e17725ed) commit 0e17281a9c35077263128f721e82199a89c36cb8 Author: Richard Levitte Date: Fri Nov 23 14:43:16 2018 +0100 Don't export util/mktar.sh When creating a tarball, it's pointless to include scripts that assume a git workspace. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7696) (cherry picked from commit b9a694717902af796639e1dff641ba620703303b) commit ed207080455147f76d575687f1a7743fa6b0ae0a Author: Richard Levitte Date: Fri Nov 23 14:40:39 2018 +0100 Document the removed 'dist' target Also adds missing copyright boilerplate to util/mktar.sh Reviewed-by: Matthias St. 
Pierre (Merged from https://github.com/openssl/openssl/pull/7696) (cherry picked from commit b42922ea2f605fd6c42faad1743fb27be5f7f1f3) --- Summary of changes: .gitattributes| 4 CHANGES | 5 - Configurations/unix-Makefile.tmpl | 3 ++- util/mktar.sh | 11 ++- 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/.gitattributes b/.gitattributes index 912b4ae..96e40b6 100644 --- a/.gitattributes +++ b/.gitattributes @@ -6,3 +6,7 @@ fuzz/corpora/** export-ignore Configurations/*.norelease.conf export-ignore .* export-ignore +util/mktar.sh export-ignore +boringssl export-ignore +krb5export-ignore +pyca-cryptography export-ignore diff --git a/CHANGES b/CHANGES index 60c0dd1..e19b976 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,10 @@ Changes between 1.1.0j and 1.1.0k [xx XXX ] - *) + *) Remove the 'dist' target and add a tarball building script. The + 'dist' target has fallen out of use, and it shouldn't be + necessary to configure just to create a source distribution. + [Richard Levitte] Changes between 1.1.0i and 1.1.0j [20 Nov 2018] diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index b35db4f..af84bd4 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -201,6 +201,7 @@ MAKEDEPEND={- $config{makedepprog} -} BASENAME= openssl NAME= $(BASENAME)-$(VERSION) +# Relative to $(SRCDIR) TARFILE=../$(NAME).tar # We let the C compiler driver to take care of .s files. This is done in @@ -666,7 +667,7 @@ tags TAGS: FORCE # Release targets (note: only available on Unix) # tar: - $(SRCDIR)/util/mktar.sh --name='$(NAME)' --tarfile='$(TARFILE)' + (cd $(SRCDIR); ./util/mktar.sh --name='$(NAME)' --tarfile='$(TARFILE)') # Helper targets # diff --git a/util/mktar.sh b/util/mktar.sh index 0848b7b..17115cf 100755 --- a/util/mktar.sh +++ b/util/mktar.sh 
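Review bot: in the unix-Makefile.tmpl hunk, `(cd $(SRCDIR); ./util/mktar.sh --name='$(NAME)' --tarfile='$(TARFILE)')` chains with `;`, so if the cd fails the script still runs from the current directory (make does not run recipe lines with `set -e`). Use `cd $(SRCDIR) && ./util/mktar.sh --name='$(NAME)' --tarfile='$(TARFILE)'` so a bad SRCDIR aborts the recipe. The new `# Relative to $(SRCDIR)` comment on TARFILE is welcome, but it should also spell out that a user-supplied relative TARFILE is now resolved against the source tree rather than the build tree, since that is a behaviour change for out-of-tree builds.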
@@ -1,4 +1,10 @@ #! /bin/sh +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html HERE=`dirname $0`
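Review bot: the unchanged context line `HERE=\`dirname $0\`` leaves `$0` unquoted, so a checkout path containing whitespace hands dirname several arguments. Since the file header is being touched anyway, `HERE=$(dirname "$0")` is the POSIX-sh idiom and costs nothing.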
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 7dac8144a760f0d9780cd7eb0771894874becd78 (commit) from b97cbe05a3a4bf18b6bd6262dbda04b87256a54c (commit) - Log - commit 7dac8144a760f0d9780cd7eb0771894874becd78 Author: Andy Polyakov Date: Wed Nov 7 22:07:22 2018 +0100 rsa/rsa_ossl.c: cache MONT_CTX for public modulus earlier. Blinding is performed more efficiently and securely if MONT_CTX for public modulus is available by the time blinding parameter are instantiated. So make sure it's the case. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (cherry picked from commit 2cc3f68cde77af23c61fbad65470602ee86f2575) Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7586) --- Summary of changes: crypto/rsa/rsa_ossl.c | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c index 23f948f..a485c7e 100644 --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -280,6 +280,11 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, goto err; } +if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) +if (!BN_MONT_CTX_set_locked(>_method_mod_n, rsa->lock, +rsa->n, ctx)) +goto err; + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { blinding = rsa_get_blinding(rsa, _blinding, ctx); if (blinding == NULL) { @@ -311,13 +316,6 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, } BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) -if (!BN_MONT_CTX_set_locked(>_method_mod_n, rsa->lock, -rsa->n, ctx)) { -BN_free(d); -goto err; -} - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) { BN_free(d); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
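Review bot: moving the BN_MONT_CTX_set_locked() call ahead of rsa_get_blinding() is right for the reason given, and the simplified failure path (`goto err` without the BN_free(d) the removed block needed) is correct because `d` has not been allocated yet at the new location; please confirm the `err:` label still releases everything allocated before that point, at least `ctx`. Style: `if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked(...)) goto err;` nests two `if`s with no braces, which invites a dangling-else mistake on the next edit; brace the outer `if`.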
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via b97cbe05a3a4bf18b6bd6262dbda04b87256a54c (commit) via f68bfdf62805f1f3af4330754c7f141fa521b6dd (commit) from 0fbe8491fc05d280a1f00bfc26dd3c3a6c63f04a (commit) - Log - commit b97cbe05a3a4bf18b6bd6262dbda04b87256a54c Author: Richard Levitte Date: Thu Nov 22 21:29:02 2018 +0100 Remove all 'make dist' artifacts Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7692) (cherry picked from commit 8d9535ec3e317641b8e551973c8cfe2ee1c89296) commit f68bfdf62805f1f3af4330754c7f141fa521b6dd Author: Richard Levitte Date: Thu Nov 22 21:17:47 2018 +0100 Change tarball making procedure Since recently, OpenSSL tarballs are produced with 'make tar' rather than 'make dist', as the latter has turned out to be more troublesome than useful. The next step to look at is why we would need to configure at all to produce a Makefile just to produce a tarball. After all, the tarball should now only contain source files that are present even without configuring. Furthermore, the current method for producing tarballs is a bit complex, and can be greatly simplified with the right tools. Since we have everything versioned with git, we might as well use the tool that comes with it. Added: util/mktar.sh, a simple script to produce OpenSSL tarballs. It takes the options --name to modify the prefix of the distribution, and --tarfile to modify the tarball file name specifically. This also adds a few entries in .gitattributes to specify files that should never end up in a distribution tarball. 
Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7692) (cherry picked from commit 8c209eeef426ded66ce99048f535f35d08b88462) --- Summary of changes: .gitattributes| 5 + .travis-create-release.sh | 10 +- Configurations/dist.conf | 12 Configurations/unix-Makefile.tmpl | 30 +- util/mktar.sh | 27 +++ 5 files changed, 34 insertions(+), 50 deletions(-) delete mode 100644 Configurations/dist.conf create mode 100755 util/mktar.sh diff --git a/.gitattributes b/.gitattributes index 15121c8..912b4ae 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,3 +1,8 @@ *.der binary /fuzz/corpora/** binary *.pfx binary + +# For git archive +fuzz/corpora/** export-ignore +Configurations/*.norelease.conf export-ignore +.* export-ignore diff --git a/.travis-create-release.sh b/.travis-create-release.sh index 311cedd..3407de7 100644 --- a/.travis-create-release.sh +++ b/.travis-create-release.sh @@ -1,11 +1,3 @@ #! /bin/sh -# $1 is expected to be $TRAVIS_OS_NAME - -./Configure dist -if [ "$1" == osx ]; then -make NAME='_srcdist' TARFILE='_srcdist.tar' \ - TAR_COMMAND='$(TAR) $(TARFLAGS) -cvf -' tar -else -make TARFILE='_srcdist.tar' NAME='_srcdist' dist -fi +./util/mktar.sh --name=_srcdist diff --git a/Configurations/dist.conf b/Configurations/dist.conf deleted file mode 100644 index 4f58dad..000 --- a/Configurations/dist.conf +++ /dev/null @@ -1,12 +0,0 @@ -## -*- mode: perl; -*- -## Build configuration targets for openssl-team members - -# This is to support 'make dist' -%targets = ( -"dist" => { -inherit_from => [ 'BASE_unix' ], -cc => "cc", -cflags => "-O", -thread_scheme=> "(unknown)", -}, -); diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 7254478..b35db4f 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl 
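Review bot: .travis-create-release.sh now ignores its argument; the removed comment documented `$1` as `$TRAVIS_OS_NAME`, so whoever invokes it with that argument can drop it, or the script should state the argument is unused. Removing the `[ "$1" == osx ]` test also takes a bashism out of a `#! /bin/sh` script, a good side effect. One more check on the .gitattributes hunk: a pattern without a slash such as `.* export-ignore` is applied by `git archive` at every directory depth, so any dot-prefixed file the build needs inside the tree, not only the top-level ones, will be missing from the tarball.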
@@ -665,36 +665,8 @@ tags TAGS: FORCE # Release targets (note: only available on Unix) # -# If your tar command doesn't support --owner and --group, make sure to -# use one that does, for example GNU tar -TAR_COMMAND=$(TAR) $(TARFLAGS) --owner 0 --group 0 -cvf - -PREPARE_CMD=: tar: - set -e; \ - TMPDIR=/var/tmp/openssl-copy.; \ - DISTDIR=$(NAME); \ - mkdir -p $$TMPDIR/$$DISTDIR; \ - (cd $(SRCDIR); \ -excl_re="^(fuzz/corpora|Configurations/.*\.norelease\.conf)"; \ -echo "$$excl_re"; \ -git ls-tree -r --name-only --full-tree HEAD \ -| egrep -v "$$excl_re" \ -| while read F; do \ - mkdir -p $$TMPDIR/$$DISTDIR/`dirname $$F`; \ - cp $$F $$TMPDIR/$$DISTDIR/$$F; \ - done); \ - (cd $$TMPDIR/$$DISTDIR; \ -$(PREPARE_CMD); \ -find . -type d -print | xargs chmod 755; \ -find . -type f -print | xargs chmod a+r; \ -
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 0fbe8491fc05d280a1f00bfc26dd3c3a6c63f04a (commit) via 74f2d9c1ec5f5510e1d3da5a9f03c28df0977762 (commit) from a8e613cc51beaeb181a322da3620a27ef8bcead3 (commit) - Log - commit 0fbe8491fc05d280a1f00bfc26dd3c3a6c63f04a Author: Matt Caswell Date: Tue Nov 20 13:42:16 2018 + Prepare for 1.1.0k-dev Reviewed-by: Richard Levitte commit 74f2d9c1ec5f5510e1d3da5a9f03c28df0977762 Author: Matt Caswell Date: Tue Nov 20 13:41:22 2018 + Prepare for 1.1.0j release Reviewed-by: Richard Levitte --- Summary of changes: CHANGES| 6 +- NEWS | 6 +- README | 2 +- include/openssl/opensslv.h | 6 +++--- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index cb2e6b1..60c0dd1 100644 --- a/CHANGES +++ b/CHANGES @@ -7,7 +7,11 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. - Changes between 1.1.0i and 1.1.0j [xx XXX ] + Changes between 1.1.0j and 1.1.0k [xx XXX ] + + *) + + Changes between 1.1.0i and 1.1.0j [20 Nov 2018] *) Timing vulnerability in DSA signature generation diff --git a/NEWS b/NEWS index 88a0be4..188e9aa 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [under development] + Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [under development] + + o + + Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018] o Timing vulnerability in DSA signature generation (CVE-2018-0734) o Timing vulnerability in ECDSA signature generation (CVE-2018-0735) diff --git a/README b/README index 3af2619..51828a7 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.1.0j-dev + OpenSSL 1.1.0k-dev Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson 
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index 72f09af..0e2992e 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -39,11 +39,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x101000a0L +# define OPENSSL_VERSION_NUMBER 0x101000b0L # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0j-fips-dev xx XXX " +# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0k-fips-dev xx XXX " # else -# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0j-dev xx XXX " +# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0k-dev xx XXX " # endif /*- _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via a8e613cc51beaeb181a322da3620a27ef8bcead3 (commit) from 503c18583a1c8910ad42d4426290f0a61daae7a6 (commit) - Log - commit a8e613cc51beaeb181a322da3620a27ef8bcead3 Author: Matt Caswell Date: Tue Nov 20 13:21:36 2018 + Update copyright year Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7670) --- Summary of changes: apps/pkey.c | 2 +- apps/req.c | 2 +- config | 2 +- crypto/bio/b_print.c| 2 +- crypto/bn/asm/x86_64-gcc.c | 2 +- crypto/bn/bn_blind.c| 2 +- crypto/bn/bn_mul.c | 2 +- crypto/bn/bn_x931p.c| 2 +- crypto/conf/conf_mod.c | 2 +- crypto/ct/ct_log.c | 2 +- crypto/dh/dh_lib.c | 2 +- crypto/dsa/dsa_lib.c| 2 +- crypto/ec/ec_key.c | 2 +- crypto/ec/ec_kmeth.c| 2 +- crypto/ec/ecp_mont.c| 2 +- crypto/ec/ecp_nist.c| 2 +- crypto/ec/ecp_nistp224.c| 2 +- crypto/ec/ecp_nistp521.c| 2 +- crypto/engine/eng_list.c| 2 +- crypto/kdf/hkdf.c | 2 +- crypto/lhash/lhash.c| 2 +- crypto/objects/o_names.c| 2 +- crypto/ocsp/ocsp_cl.c | 2 +- crypto/pkcs12/p12_init.c| 2 +- crypto/pkcs12/p12_mutl.c| 2 +- crypto/pkcs7/pk7_lib.c | 2 +- crypto/rand/md_rand.c | 2 +- crypto/rand/randfile.c | 2 +- crypto/rsa/rsa_lib.c| 2 +- crypto/x509/by_file.c | 2 +- doc/apps/crl.pod| 2 +- doc/apps/req.pod| 2 +- doc/crypto/EVP_DigestVerifyInit.pod | 2 +- engines/e_capi.c| 2 +- include/openssl/ec.h| 2 +- include/openssl/ocsp.h | 2 +- include/openssl/symhacks.h | 2 +- ssl/s3_enc.c| 2 +- test/ct_test.c | 2 +- test/recipes/30-test_evp.t | 2 +- test/secmemtest.c | 2 +- util/mkrc.pl| 2 +- 42 files changed, 42 insertions(+), 42 deletions(-) diff --git a/apps/pkey.c b/apps/pkey.c index 60e8581..5c13d8b 100644 --- a/apps/pkey.c +++ b/apps/pkey.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/req.c b/apps/req.c index a691f93..a20e7c1 100644 --- a/apps/req.c +++ b/apps/req.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/config b/config index 19c0071..ef0841d 100755 --- a/config +++ b/config @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index bf006d1..8f50cb8 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c index cdb54fa..621be33 100644 --- a/crypto/bn/asm/x86_64-gcc.c +++ b/crypto/bn/asm/x86_64-gcc.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 7a8237c..9474e21 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved. *
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 503c18583a1c8910ad42d4426290f0a61daae7a6 (commit) from b1aec9e84e2d36b0c4b45633d5343a39cb1ac25f (commit) - Log - commit 503c18583a1c8910ad42d4426290f0a61daae7a6 Author: Matt Caswell Date: Tue Nov 20 10:52:53 2018 + Update CHANGES and NEWS for new release Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7666) --- Summary of changes: CHANGES | 20 NEWS| 3 ++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 28b9938..cb2e6b1 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,26 @@ Changes between 1.1.0i and 1.1.0j [xx XXX ] + *) Timing vulnerability in DSA signature generation + + The OpenSSL DSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. + (CVE-2018-0734) + [Paul Dale] + + *) Timing vulnerability in ECDSA signature generation + + The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser. + (CVE-2018-0735) + [Paul Dale] + *) Add coordinate blinding for EC_POINT and implement projective coordinate blinding for generic prime curves as a countermeasure to chosen point SCA attacks. diff --git a/NEWS b/NEWS index ca3ed49..88a0be4 100644 --- a/NEWS +++ b/NEWS 
@@ -7,7 +7,8 @@ Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [under development] - o + o Timing vulnerability in DSA signature generation (CVE-2018-0734) + o Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018] _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via b1aec9e84e2d36b0c4b45633d5343a39cb1ac25f (commit) from 841303dad2d0bb28db2317d36ef430e73d137d3d (commit) - Log - commit b1aec9e84e2d36b0c4b45633d5343a39cb1ac25f Author: Richard Levitte Date: Tue Nov 13 17:57:45 2018 +0100 Fix typo in util/perl/OpenSSL/Test.pm Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7633) (cherry picked from commit 2dc37bc2b4c678462a24d2904604e58c0c5ac1cb) --- Summary of changes: util/perl/OpenSSL/Test.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/perl/OpenSSL/Test.pm b/util/perl/OpenSSL/Test.pm index a6be487..a77909c 100644 --- a/util/perl/OpenSSL/Test.pm +++ b/util/perl/OpenSSL/Test.pm @@ -704,7 +704,7 @@ Returns a list of two numbers, the first representing the build version, the second representing the library version. See opensslv.h for more information on those numbers. -= back +=back =cut _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 841303dad2d0bb28db2317d36ef430e73d137d3d (commit) via 75711510f08c33f55c40b89b21cb71d1a1679abf (commit) from 013aefc5f03c95f5366cc854ffb02b0df49af90d (commit) - Log - commit 841303dad2d0bb28db2317d36ef430e73d137d3d Author: Richard Levitte Date: Tue Nov 13 18:28:41 2018 +0100 test/recipes/90-test_shlibload.t needs $target{shared_extension} We therefore must add defaults. Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/7631) commit 75711510f08c33f55c40b89b21cb71d1a1679abf Author: Richard Levitte Date: Tue Nov 13 15:57:34 2018 +0100 Fix rpath-related Linux "test_shlibload" failure. When libssl and libcrypto are compiled on Linux with "-rpath", but not "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH, and we end up running with the wrong libraries. This is resolved by using full (or at least relative, rather than just the filename to be found on LD_LIBRARY_PATH) paths to the shared objects. Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/7631) --- Summary of changes: Configurations/00-base-templates.conf | 6 ++ test/recipes/90-test_shlibload.t | 27 +++ util/shlib_wrap.sh.in | 28 +++- 3 files changed, 44 insertions(+), 17 deletions(-) diff --git a/Configurations/00-base-templates.conf b/Configurations/00-base-templates.conf index 3455b3a..8503c2f 100644 --- a/Configurations/00-base-templates.conf +++ b/Configurations/00-base-templates.conf @@ -68,6 +68,8 @@ } return (); }, +shared_extension => ".so", + build_scheme=> [ "unified", "unix" ], build_file => "Makefile", }, @@ -99,6 +101,8 @@ mtinflag=> "-manifest ", mtoutflag => "-outputresource:", +shared_extension => ".dll", + build_file => "makefile", build_scheme=> [ "unified", "windows" ], }, @@ -107,6 +111,8 @@ inherit_from=> [ "BASE_common" ], template=> 1, +shared_extension => ".exe", + build_file => "descrip.mms", build_scheme => [ "unified", "VMS" ], }, 
diff --git a/test/recipes/90-test_shlibload.t b/test/recipes/90-test_shlibload.t index 04d5265..78899f6 100644 --- a/test/recipes/90-test_shlibload.t +++ b/test/recipes/90-test_shlibload.t @@ -6,8 +6,7 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html - -use OpenSSL::Test qw/:DEFAULT bldtop_dir/; +use OpenSSL::Test qw/:DEFAULT bldtop_dir bldtop_file/; use OpenSSL::Test::Utils; #Load configdata.pm @@ -22,12 +21,13 @@ plan skip_all => "Test only supported in a shared build" if disabled("shared"); plan tests => 4; -my $libcrypto_idx = $unified_info{rename}->{libcrypto} // "libcrypto"; -my $libssl_idx = $unified_info{rename}->{libssl} // "libssl"; -my $libcrypto = - $unified_info{sharednames}->{$libcrypto_idx}.$target{shared_extension_simple}; -my $libssl = -$unified_info{sharednames}->{$libssl_idx}.$target{shared_extension_simple}; +# When libssl and libcrypto are compiled on Linux with "-rpath", but not +# "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH, +# and we end up running with the wrong libraries. This is resolved by +# using paths to the shared objects, not just the names. + +my $libcrypto = bldtop_file(shlib('libcrypto')); +my $libssl = bldtop_file(shlib('libssl')); ok(run(test(["shlibloadtest", "-crypto_first", $libcrypto, $libssl])), "running shlibloadtest -crypto_first"); @@ -38,3 +38,14 @@ ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, $libssl])), ok(run(test(["shlibloadtest", "-dso_ref", $libcrypto, $libssl])), "running shlibloadtest -dso_ref"); +sub shlib { +my $lib = shift; +$lib = $unified_info{rename}->{$lib} +if defined $unified_info{rename}->{$lib}; +$lib = $unified_info{sharednames}->{$lib} +. ($target{shlib_variant} || "") +. ($target{shared_extension} || ".so"); +$lib =~ s|\.\$\(SHLIB_MAJOR\)\.\$\(SHLIB_MINOR\) + |.$config{shlib_version_number}|x; +return $lib; +} diff --git a/util/shlib_wrap.sh.in b/util/shlib_wrap.sh.in index 6c115ba..d030d33 100755 
--- a/util/shlib_wrap.sh.in +++ b/util/shlib_wrap.sh.in @@ -1,5 +1,22 @@ #!/bin/sh +{- +use lib '.'; +use configdata; +sub shlib { +my $lib = shift; +return "" if $disabled{shared}; +$lib = $unified_info{rename}->{$lib} +if defined $unified_info{rename}->{$lib}; +$lib = $unified_info{sharednames}->{$lib} +.
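Review bot: the `shlib` helper added at the end of test/recipes/90-test_shlibload.t is repeated almost line for line in the new `{- ... -}` block at the top of util/shlib_wrap.sh.in (same `rename`/`sharednames` lookup, same `shlib_variant`/`shared_extension` concatenation, same `SHLIB_MAJOR`/`SHLIB_MINOR` substitution), so the two copies will drift; factor it into one Perl helper both files can `use`. Also, the `($target{shared_extension} || ".so")` fallback in the test duplicates the `shared_extension` defaults this same series adds to Configurations/00-base-templates.conf; keep only one of the two, otherwise a platform that lost its default is silently treated as `.so` instead of failing loudly.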
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 013aefc5f03c95f5366cc854ffb02b0df49af90d (commit) from 5f16ab333142de832555d3265aad243eb119b195 (commit) - Log - commit 013aefc5f03c95f5366cc854ffb02b0df49af90d Author: Richard Levitte Date: Tue Nov 13 18:49:21 2018 +0100 Configuration: make sure the shared_sources table doesn't contain empty elements Fixes #7634 Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/7635) (cherry picked from commit 0c594ccc29f6ba241627f436ba3d05fc400d1066) --- Summary of changes: Configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Configure b/Configure index d85ff6a..a1ce652 100755 --- a/Configure +++ b/Configure @@ -1906,8 +1906,8 @@ EOF next unless defined($unified_info{includes}->{$dest}->{$k}); my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}}; foreach my $obj (grep /\.o$/, - (keys %{$unified_info{sources}->{$dest}}, - keys %{$unified_info{shared_sources}->{$dest}})) { + (keys %{$unified_info{sources}->{$dest} // {}}, + keys %{$unified_info{shared_sources}->{$dest} // {}})) { foreach my $inc (@incs) { unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}}; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
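Review bot: the `// {}` defaulting only covers the two dereferences in this hunk; `keys %{ ... }` on an undefined hash slot autovivifies it as an empty hash, which is how the empty `shared_sources` entries got there in the first place, so any other `keys %{$unified_info{...}->{$dest}}` in Configure has the same hazard and wants the same guard. Since `//` is a Perl 5.10 operator, confirm the minimum Perl version Configure declares already covers it.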
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 5f16ab333142de832555d3265aad243eb119b195 (commit) from 6ab937f2df403bdda7e25b6c62a93b061171250e (commit) - Log - commit 5f16ab333142de832555d3265aad243eb119b195 Author: Richard Levitte Date: Wed Oct 31 09:02:00 2018 +0100 Windows build: build foo.d after foo.obj We made the build of foo.obj depend on foo.d, meaning the latter gets built first. Unfortunately, the way the compiler works, we are forced to redirect all output to foo.d, meaning that if the source contains an error, the build fails without showing those errors. We therefore remove the dependency and force the build of foo.d to always happen after build of foo.obj. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7533) --- Summary of changes: Configurations/windows-makefile.tmpl | 16 +++- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index ef5af42..5c8d3e8 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl 
@@ -461,22 +461,20 @@ $obj$objext: $deps \$(AS) \$(ASFLAGS) \$(ASOUTFLAG)\$\@ $srcs EOF } - return <<"EOF"if (!$disabled{makedepend}); -$obj$depext: $deps - \$(CC) \$(CFLAGS) $ecflags$inc /Zs /showIncludes $srcs 2>&1 | \\ + my $recipe = <<"EOF"; +$obj$objext: $deps + \$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ $srcs +EOF + $recipe .= <<"EOF"unless $disabled{makedepend}; + \$(CC) $incs \$(CFLAGS) $ecflags /Zs /showIncludes $srcs 2>&1 | \\ "\$(PERL)" -n << > $obj$depext chomp; s/^Note: including file: *//; \$\$collect{\$\$_} = 1; END { print '$obj$objext: ',join(" ", sort keys \%collect),"\\n" } << -$obj$objext: $obj$depext - \$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ $srcs -EOF -return <<"EOF" if ($disabled{makedepend}); -$obj$objext: $deps - \$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ $srcs EOF + return $recipe; } # On Unix, we build shlibs from static libs, so we're ignoring the _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
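Review bot: with the dependency pass appended to the `$obj$objext` recipe, `$obj$depext` is no longer a target of its own, so a deleted or stale `.d` file is only regenerated when the `.obj` is rebuilt, and because the pipeline ends in `"$(PERL)"`, a failure of the `/Zs /showIncludes` pass is hidden behind perl's exit status and leaves a truncated `.d` behind. Both are tolerable since the `.obj` was just compiled from the same source, but a short comment in the template saying so would save the next reader a detour. Minor style point: `<<"EOF"unless $disabled{makedepend};` reads better as `<<"EOF" unless ...`, matching the `<<"EOF";` on the line above it.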
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 6ab937f2df403bdda7e25b6c62a93b061171250e (commit) from 4a498d0ed50f377584ebadce715fbcc2c0f53c23 (commit) - Log - commit 6ab937f2df403bdda7e25b6c62a93b061171250e Author: Billy Brumley Date: Fri Nov 9 09:25:43 2018 +0200 [crypto/bn] swap BN_FLG_FIXED_TOP too Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7599) (cherry picked from commit dd41956d80686638d74fd203bd67060f90966280) --- Summary of changes: crypto/bn/bn_lib.c | 42 +++--- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 80f8599..3f3c7bb 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c 
@@ -852,26 +852,30 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) b->neg ^= t; /*- - * Idea behind BN_FLG_STATIC_DATA is actually to - * indicate that data may not be written to. - * Intention is actually to treat it as it's - * read-only data, and some (if not most) of it does - * reside in read-only segment. In other words - * observation of BN_FLG_STATIC_DATA in - * BN_consttime_swap should be treated as fatal - * condition. It would either cause SEGV or - * effectively cause data corruption. - * BN_FLG_MALLOCED refers to BN structure itself, - * and hence must be preserved. Remaining flags are - * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be - * preserved, because it determines how x->d was - * allocated and hence how to free it. This leaves - * BN_FLG_CONSTTIME that one can do something about. - * To summarize it's sufficient to mask and swap - * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should - * be treated as fatal. + * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention + * is actually to treat it as it's read-only data, and some (if not most) + * of it does reside in read-only segment. In other words observation of + * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or effectively cause data + * corruption. + * + * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be + * preserved. + * + * BN_FLG_SECURE: must be preserved, because it determines how x->d was + * allocated and hence how to free it. + * + * BN_FLG_CONSTTIME: sufficient to mask and swap + * + * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on + * the data, so the d array may be padded with additional 0 values (i.e. + * top could be greater than the minimal value that it could be). 
We should + * be swapping it */ -t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; + +#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) + +t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; a->flags ^= t; b->flags ^= t; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
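Review bot: `#define BN_CONSTTIME_SWAP_FLAGS` is introduced in the middle of BN_consttime_swap()'s body and never `#undef`'d, so it remains visible to the rest of bn_lib.c; move it up with the file's other macros or `#undef` it right after the `t = ...` line. The expression itself keeps the branch-free shape of the original (`(a->flags ^ b->flags) & mask`, then `& condition`), which is what matters for the constant-time property; the comment could say in one line that BN_FLG_FIXED_TOP must travel with `d[]` because the padding zeros above the minimal `top` are swapped along with the words.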
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 4a498d0ed50f377584ebadce715fbcc2c0f53c23 (commit) from 401e1c9d9d2202fff557f6286f47214803bf7e15 (commit) - Log - commit 4a498d0ed50f377584ebadce715fbcc2c0f53c23 Author: Richard Levitte Date: Fri Nov 9 12:08:08 2018 +0100 Fix cherry-pick error A couple of $(ECHO) sneaked in from patches in newer branches Fixes #7600 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7601) --- Summary of changes: Configurations/unix-Makefile.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 181b618..7254478 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -517,7 +517,7 @@ install_runtime_libs: build_libs install_programs: install_runtime_libs build_programs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin - @$(ECHO) "*** Installing runtime programs" + @echo "*** Installing runtime programs" @set -e; for x in dummy $(INSTALL_PROGRAMS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ @@ -558,7 +558,7 @@ uninstall_programs: -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin uninstall_runtime_libs: - @$(ECHO) "*** Uninstalling runtime libraries" + @echo "*** Uninstalling runtime libraries" @ : {- output_off() unless windowsdll(); "" -} @set -e; for s in dummy $(INSTALL_SHLIBS); do \ if [ "$$s" = "dummy" ]; then continue; fi; \ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 401e1c9d9d2202fff557f6286f47214803bf7e15 (commit) from 2801f671288d592b29a38c6098f53e6f3221d27a (commit) - Log - commit 401e1c9d9d2202fff557f6286f47214803bf7e15 Author: Richard Levitte Date: Fri Nov 9 12:23:53 2018 +0100 VMS build: colon after target must be separated with a space ... otherwise, it's taken to be part of a device name. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7602) (cherry picked from commit e9994901f835420764d020968d4588fc09ec74c3) --- Summary of changes: Configurations/descrip.mms.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 552decf..7399288 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -414,7 +414,7 @@ install_engines : check_INSTALLTOP install_runtime_libs build_engines @{$unified_info{install}->{engines}}) -} @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! -install_runtime: install_programs +install_runtime : install_programs install_runtime_libs : check_INSTALLTOP build_libs @ {- output_off() if $disabled{shared}; "" -} ! _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
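Review bot: the offending `install_runtime: install_programs` line came in with the parallel-install backport (2801f67 on this branch), whose other files (unix-Makefile.tmpl, windows-makefile.tmpl) use make/nmake syntax and are unaffected; it would be worth scanning the rest of descrip.mms.tmpl from that cherry-pick for any other `target:` written without the space, since every other target in this hunk's context (`install_runtime_libs : check_INSTALLTOP build_libs`) already has it.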
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 2801f671288d592b29a38c6098f53e6f3221d27a (commit) via 82ca431857bf5ef2ce85d14f432dc1dec9c95e3c (commit) from 26d7fce13d469f8d1a1b42131467ed4a65f8137b (commit) - Log - commit 2801f671288d592b29a38c6098f53e6f3221d27a Author: Richard Levitte Date: Wed Nov 7 16:13:57 2018 +0100 Have install targets depend on more precise build targets We only had the main 'install' target depend on 'all'. This changes the dependencies so targets like install_dev, install_runtime_libs, install_engines and install_programs depend on build targets that correspond to them more specifically. This increases the parallel possibilities. Fixes #7466 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7583) (cherry picked from commit e8d01a608705e4320082a11a3870aa7e19c7290f) commit 82ca431857bf5ef2ce85d14f432dc1dec9c95e3c Author: Richard Levitte Date: Thu Oct 25 09:09:20 2018 +0200 Allow parallel install When trying 'make -j{n} install', you may occasionally run into trouble because two sub-targets (install_dev and install_runtime) try to install the same shared libraries. That makes parallel install difficult. This is solved by dividing install_runtime into two parts, one for libraries and one for programs, and have install_dev depend on install_runtime_libs instead of installing the shared runtime libraries itself. Fixes #7466 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7583) (cherry picked from commit c1123d9f7efb005a109aeccaba82c40bf9bd4c1d) --- Summary of changes: Configurations/descrip.mms.tmpl | 53 +--- Configurations/unix-Makefile.tmpl| 27 -- Configurations/windows-makefile.tmpl | 17 3 files changed, 56 insertions(+), 41 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 7e3356f..552decf 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl
@@ -368,12 +368,10 @@ descrip.mms : FORCE # Install helper targets # -install_sw : all install_shared _install_dev_ns - - install_engines _install_runtime_ns - +install_sw : install_dev install_engines install_runtime - install_startup install_ivp -uninstall_sw : uninstall_shared _uninstall_dev_ns - - uninstall_engines _uninstall_runtime_ns - +uninstall_sw : uninstall_dev uninstall_engines uninstall_runtime - uninstall_startup uninstall_ivp install_docs : install_html_docs @@ -396,17 +394,7 @@ install_ssldirs : check_INSTALLTOP COPY/PROT=W:R {- sourcefile("apps", "openssl-vms.cnf") -} - ossl_dataroot:[00]openssl.cnf -install_shared : check_INSTALLTOP -@ {- output_off() if $disabled{shared}; "" -} ! -@ WRITE SYS$OUTPUT "*** Installing shareable images" -@ ! Install shared (runtime) libraries -- CREATE/DIR ossl_installroot:[LIB.'arch'] -{- join("\n", -map { "COPY/PROT=W:R $_.EXE ossl_installroot:[LIB.'arch']" } -@install_shlibs) -} -@ {- output_on() if $disabled{shared}; "" -} ! - -_install_dev_ns : check_INSTALLTOP +install_dev : check_INSTALLTOP install_runtime_libs @ WRITE SYS$OUTPUT "*** Installing development files" @ ! Install header files - CREATE/DIR ossl_installroot:[include.openssl] 
@@ -417,9 +405,29 @@ _install_dev_ns : check_INSTALLTOP map { "COPY/PROT=W:R $_.OLB ossl_installroot:[LIB.'arch']" } @{$unified_info{install}->{libraries}}) -} -install_dev : install_shared _install_dev_ns +install_engines : check_INSTALLTOP install_runtime_libs build_engines +@ {- output_off() unless scalar @{$unified_info{engines}}; "" -} ! +@ WRITE SYS$OUTPUT "*** Installing engines" +- CREATE/DIR ossl_installroot:[ENGINES{- $sover.$target{pointer_size} -}.'arch'] +{- join("\n", +map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[ENGINES$sover$target{pointer_size}.'arch']" } +@{$unified_info{install}->{engines}}) -} +@ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! -_install_runtime_ns : check_INSTALLTOP +install_runtime: install_programs + +install_runtime_libs : check_INSTALLTOP build_libs +@ {- output_off() if $disabled{shared}; "" -} ! +@ WRITE SYS$OUTPUT "*** Installing shareable images" +@ ! Install shared (runtime) libraries +- CREATE/DIR ossl_installroot:[LIB.'arch'] +{- join("\n", +
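Review bot: `+install_runtime: install_programs` in the second hunk is missing the space before the colon that every other target in the same hunk uses (`install_runtime_libs : check_INSTALLTOP build_libs`, `install_engines : check_INSTALLTOP install_runtime_libs build_engines`); MMS parses `install_runtime:` as a device name, so this must read `install_runtime : install_programs` (the follow-up 401e1c9 on this branch makes exactly that fix, and it should have landed here). The parallel-install property itself holds on VMS because the shared-image copy now lives only in `install_runtime_libs`, which `install_dev` and `install_engines` both depend on instead of copying the images themselves, so MMS builds it once rather than racing two copies.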
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 26d7fce13d469f8d1a1b42131467ed4a65f8137b (commit) from 003f1bfd185267cc67ac9dc521a27d7a2af0d0ee (commit) - Log - commit 26d7fce13d469f8d1a1b42131467ed4a65f8137b Author: Pauli Date: Thu Nov 1 08:44:11 2018 +1000 Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) --- Summary of changes: crypto/dsa/dsa_ossl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index be58625..868283a 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -225,6 +225,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, } while (BN_is_zero(k)); BN_set_flags(k, BN_FLG_CONSTTIME); +BN_set_flags(l, BN_FLG_CONSTTIME); if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(>method_mont_p, _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
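Review bot: the reason `l` needs BN_FLG_CONSTTIME deserves a comment next to the new line: the `BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2)` added by the CVE-2018-0734 fix swaps the BN_FLG_CONSTTIME bit between its two operands, so with only `k` flagged a swap that fires leaves `k` unflagged just before `bn_mod_exp`, and BN_mod_exp_mont then takes the variable-time path. Flagging both operands makes the swap flag-neutral; without the comment the line looks redundant and is at risk of being "cleaned up".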
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 003f1bfd185267cc67ac9dc521a27d7a2af0d0ee (commit) from 56fb454d281a023b3f950d969693553d3f3ceea1 (commit) - Log - commit 003f1bfd185267cc67ac9dc521a27d7a2af0d0ee Author: Rod Vagg Date: Mon Oct 29 20:43:53 2018 +1100 Remove brace from bad cherry-pick of DSA reallocation fix Commit 56fb454 backported the DSA reallocation fix to 1.1.0, however a code block that has multiple statements in 1.1.1+ only has a `goto` in 1.1.0 so introduces a brace that causes a compile failure. CLA:trivial Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7516) --- Summary of changes: crypto/ec/ec_mult.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index ff882cc..8350082 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -178,7 +178,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, cardinality_bits = BN_num_bits(cardinality); group_top = bn_get_top(cardinality); if ((bn_wexpand(k, group_top + 2) == NULL) -|| (bn_wexpand(lambda, group_top + 2) == NULL)) { +|| (bn_wexpand(lambda, group_top + 2) == NULL)) goto err; if (!BN_copy(k, scalar)) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 56fb454d281a023b3f950d969693553d3f3ceea1 (commit) from ef11e19d1365eea2b1851e6f540a0bf365d303e7 (commit) - Log - commit 56fb454d281a023b3f950d969693553d3f3ceea1 Author: Pauli Date: Fri Oct 26 10:54:58 2018 +1000 Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7486) (cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52) --- Summary of changes: crypto/ec/ec_mult.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 22bb30f..ff882cc 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, */ cardinality_bits = BN_num_bits(cardinality); group_top = bn_get_top(cardinality); -if ((bn_wexpand(k, group_top + 1) == NULL) -|| (bn_wexpand(lambda, group_top + 1) == NULL)) +if ((bn_wexpand(k, group_top + 2) == NULL) +|| (bn_wexpand(lambda, group_top + 2) == NULL)) { goto err; if (!BN_copy(k, scalar)) @@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, * k := scalar + 2*cardinality */ kbit = BN_is_bit_set(lambda, cardinality_bits); -BN_consttime_swap(kbit, k, lambda, group_top + 1); +BN_consttime_swap(kbit, k, lambda, group_top + 2); group_top = bn_get_top(group->field); if ((bn_wexpand(s->X, group_top) == NULL) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
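Review bot: the first hunk's replacement line `|| (bn_wexpand(lambda, group_top + 2) == NULL)) {` opens a brace whose only body is `goto err;` and that is never closed, so this cherry-pick does not compile on 1.1.0 (the 1.1.1 original has a multi-statement block there); it should be `== NULL))` without the brace, as the follow-up 003f1bf on this branch does. A build of the backport before pushing would have caught it.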
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via ef11e19d1365eea2b1851e6f540a0bf365d303e7 (commit) from 84862c0979737b591acb689aef41ae2644176f32 (commit) - Log - commit ef11e19d1365eea2b1851e6f540a0bf365d303e7 Author: Pauli Date: Wed Oct 24 07:42:46 2018 +1000 Timing vulnerability in DSA signature generation (CVE-2018-0734). Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7486) (cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6) --- Summary of changes: crypto/dsa/dsa_ossl.c | 28 +++- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 3b657d5..be58625 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -11,6 +11,7 @@ #include #include "internal/cryptlib.h" +#include "internal/bn_int.h" #include #include #include "dsa_locl.h" @@ -182,9 +183,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, { BN_CTX *ctx = NULL; BIGNUM *k, *kinv = NULL, *r = *rp; -BIGNUM *l, *m; +BIGNUM *l; int ret = 0; -int q_bits; +int q_bits, q_words; if (!dsa->p || !dsa->q || !dsa->g) { DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS); @@ -193,8 +194,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, k = BN_new(); l = BN_new(); -m = BN_new(); -if (k == NULL || l == NULL || m == NULL) +if (k == NULL || l == NULL) goto err; if (ctx_in == NULL) { @@ -205,9 +205,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* Preallocate space */ q_bits = BN_num_bits(dsa->q); -if (!BN_set_bit(k, q_bits) -|| !BN_set_bit(l, q_bits) -|| !BN_set_bit(m, q_bits)) +q_words = bn_get_top(dsa->q); +if (!bn_wexpand(k, q_words + 2) +|| !bn_wexpand(l, q_words + 2)) goto err; /* Get random k */ 
@@ -242,14 +242,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, * small timing information leakage. We then choose the sum that is * one bit longer than the modulus. * - * TODO: revisit the BN_copy aiming for a memory access agnostic - * conditional copy. + * There are some concerns about the efficacy of doing this. More + * specificly refer to the discussion starting with: + * https://github.com/openssl/openssl/pull/7486#discussion_r228323705 + * The fix is to rework BN so these gymnastics aren't required. */ if (!BN_add(l, k, dsa->q) -|| !BN_add(m, l, dsa->q) -|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m)) +|| !BN_add(k, l, dsa->q)) goto err; +BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2); + if ((dsa)->meth->bn_mod_exp != NULL) { if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p)) @@ -262,7 +265,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, if (!BN_mod(r, r, dsa->q, ctx)) goto err; -/* Compute part of 's = inv(k) (m + xr) mod q' */ +/* Compute part of 's = inv(k) (m + xr) mod q' */ if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL) goto err; @@ -277,7 +280,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BN_CTX_free(ctx); BN_clear_free(k); BN_clear_free(l); -BN_clear_free(m); return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
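Review bot: the new comment in the `BN_add` hunk has a typo, "specificly" should be "specifically". On the logic: `BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2)` is valid only because both `k` and `l` were pre-expanded to `q_words + 2` words in the earlier hunk, so that invariant is worth stating at the swap site. Note also that BN_consttime_swap exchanges BN_FLG_CONSTTIME between `k` and `l`, and only `k` carries it at this point, so when the swap fires `k` reaches `bn_mod_exp` unflagged; the one-line fix that flags `l` (26d7fce on this branch) should be folded into this commit rather than following it.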
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 84862c0979737b591acb689aef41ae2644176f32 (commit) from bd04577743ec3b1e605039ee31e10616fee5f05f (commit) - Log - commit 84862c0979737b591acb689aef41ae2644176f32 Author: Pauli Date: Mon Oct 29 06:50:51 2018 +1000 DSA mod inverse fix There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Matthias St. Pierre Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7487) (cherry picked from commit 415c33563528667868c3c653a612e6fc8736fd79) --- Summary of changes: crypto/dsa/dsa_ossl.c | 32 +++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 4aa49f5..3b657d5 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -25,6 +25,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", @@ -261,7 +263,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, goto err; /* Compute part of 's = inv(k) (m + xr) mod q' */ -if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL) +if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL) goto err; BN_clear_free(*kinvp); 
@@ -395,3 +397,31 @@ static int dsa_finish(DSA *dsa) BN_MONT_CTX_free(dsa->method_mont_p); return (1); } + +/* + * Compute the inverse of k modulo q. + * Since q is prime, Fermat's Little Theorem applies, which reduces this to + * mod-exp operation. Both the exponent and modulus are public information + * so a mod-exp that doesn't leak the base is sufficient. A newly allocated + * BIGNUM is returned which the caller must free. + */ +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx) +{ +BIGNUM *res = NULL; +BIGNUM *r, *e; + +if ((r = BN_new()) == NULL) +return NULL; + +BN_CTX_start(ctx); +if ((e = BN_CTX_get(ctx)) != NULL +&& BN_set_word(r, 2) +&& BN_sub(e, q, r) +&& BN_mod_exp_mont(r, k, e, q, ctx, NULL)) +res = r; +else +BN_free(r); +BN_CTX_end(ctx); +return res; +} _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
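Review bot: dsa_mod_inverse_fermat() depends on the caller having set BN_FLG_CONSTTIME on `k`, because `BN_mod_exp_mont()` only dispatches to the constant-time implementation when one of its operands carries that flag; the comment says "a mod-exp that doesn't leak the base is sufficient" but should spell out that precondition, since a caller passing an unflagged `k` silently gets the variable-time exponentiation. It should also note that k^(q-2) is an inverse only for k not congruent to 0 mod q, which dsa_sign_setup guarantees with its `while (BN_is_zero(k))` loop. Finally, on the failure path `r` is released with BN_free() although it is the buffer the secret inverse is computed into; BN_clear_free() matches how the caller disposes of `*kinvp`.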
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via bd04577743ec3b1e605039ee31e10616fee5f05f (commit) from f2828a14fbe2ce56b5090f45b2a9a6e749d33b22 (commit) - Log - commit bd04577743ec3b1e605039ee31e10616fee5f05f Author: Dr. Matthias St. Pierre Date: Thu Oct 18 23:04:32 2018 +0200 md_rand.c: don't stop polling until properly initialized Previously, the RNG sets `initialized=1` after the first call to RAND_poll(), although its criterion for being initialized actually is whether condition `entropy >= ENTROPY_NEEDED` is true. This commit now assigns `initialized=(entropy >= ENTROPY_NEEDED)`, which has the effect that on the next call, RAND_poll() will be called again, if it previously failed to obtain enough entropy. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7438) --- Summary of changes: crypto/rand/md_rand.c | 10 -- 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 7d5fcb7..bc1b6fb 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -275,7 +275,6 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo) static volatile int stirred_pool = 0; int i, j, k; size_t num_ceil, st_idx, st_num; -int ok; long md_c[2]; unsigned char local_md[MD_DIGEST_LENGTH]; EVP_MD_CTX *m; @@ -362,14 +361,13 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo) if (!initialized) { RAND_poll(); -initialized = 1; +initialized = (entropy >= ENTROPY_NEEDED); } if (!stirred_pool) do_stir_pool = 1; -ok = (entropy >= ENTROPY_NEEDED); -if (!ok) { +if (!initialized) { /* * If the PRNG state is not yet unpredictable, then seeing the PRNG * output may help attackers to determine the new state; thus we have @@ -408,7 +406,7 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo) rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0); n -= MD_DIGEST_LENGTH; } -if (ok) +if (initialized) stirred_pool = 1; } 
@@ -500,7 +498,7 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo) CRYPTO_THREAD_unlock(rand_lock); EVP_MD_CTX_free(m); -if (ok) +if (initialized) return (1); else if (pseudo) return 0; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
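Review bot: the last hunk reads the shared `initialized` after `CRYPTO_THREAD_unlock(rand_lock)`, whereas the removed `ok` was a local snapshot taken under the lock; since `initialized` only ever goes from 0 to 1 the race is benign (at worst this call reports success after another thread finished seeding), but snapshotting it into a local before the unlock keeps the return value tied to the state this call actually observed. Also worth a comment: with `initialized = (entropy >= ENTROPY_NEEDED)`, a platform whose RAND_poll() never reaches ENTROPY_NEEDED now re-polls on every rand_bytes() call, which is the intended behaviour but a cost the old code did not have.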
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via f2828a14fbe2ce56b5090f45b2a9a6e749d33b22 (commit) from d46f9173bbd62ffa7ae0b20bf05c600e14722cc6 (commit) - Log - commit f2828a14fbe2ce56b5090f45b2a9a6e749d33b22 Author: Andy Polyakov Date: Wed Oct 17 10:09:33 2018 +0200 arch/async_posix.h: improve portability. {make|swap|get|set}context are removed in POSIX.1-2008, but glibc apparently keeps providing it. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7420) (cherry picked from commit 9d71a24ebf57e7157888af1ca587eafe914bf96f) --- Summary of changes: crypto/async/arch/async_posix.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h index 76937a9..939b4ab 100644 --- a/crypto/async/arch/async_posix.h +++ b/crypto/async/arch/async_posix.h @@ -17,7 +17,8 @@ # include -# if _POSIX_VERSION >= 200112L +# if _POSIX_VERSION >= 200112L \ + && (_POSIX_VERSION < 200809L || defined(__GLIBC__)) # include _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
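Review bot: the guard `_POSIX_VERSION >= 200112L && (_POSIX_VERSION < 200809L || defined(__GLIBC__))` tests the POSIX revision and the libc's identity rather than whether makecontext/swapcontext are actually available, so a non-glibc libc that advertises POSIX.1-2008 yet still ships ucontext loses async support, while a libc that advertises an older revision but lacks the functions still fails to build; a configure-time feature check would be the more robust criterion. At minimum, a comment above the `#if` saying why `__GLIBC__` is special-cased (the commit message explains it, the header does not) would help.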
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via d46f9173bbd62ffa7ae0b20bf05c600e14722cc6 (commit) via cc54a2a0f5a2455205ee236bb44458cc39366065 (commit) from a76a41655e57b72b30a373aae6e75afedf920076 (commit) - Log - commit d46f9173bbd62ffa7ae0b20bf05c600e14722cc6 Author: Viktor Dukhovni Date: Mon Oct 8 12:05:14 2018 -0400 Apply self-imposed path length also to root CAs Also, some readers of the code find starting the count at 1 for EE cert confusing (since RFC5280 counts only non-self-issued intermediate CAs, but we also counted the leaf). Therefore, never count the EE cert, and adjust the path length comparison accordingly. This may be more clear to the reader. Reviewed-by: Matt Caswell (cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6) commit cc54a2a0f5a2455205ee236bb44458cc39366065 Author: Viktor Dukhovni Date: Thu Oct 4 23:53:01 2018 -0400 Only CA certificates can be self-issued At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph of above https://tools.ietf.org/html/rfc5280#section-3.3), we see: This specification covers two classes of certificates: CA certificates and end entity certificates. CA certificates may be further divided into three classes: cross-certificates, self-issued certificates, and self-signed certificates. Cross-certificates are CA certificates in which the issuer and subject are different entities. Cross-certificates describe a trust relationship between the two CAs. Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations. Self-signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate. Self-signed certificates are used to convey a public key for use to begin certification paths.
End entity certificates are issued to subjects that are not authorized to issue certificates. that the term "self-issued" is only applicable to CAs, not end-entity certificates. In https://tools.ietf.org/html/rfc5280#section-4.2.1.9 the description of path length constraints says: The pathLenConstraint field is meaningful only if the cA boolean is asserted and the key usage extension, if present, asserts the keyCertSign bit (Section 4.2.1.3). In this case, it gives the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. (Note: The last certificate in the certification path is not an intermediate certificate, and is not included in this limit. Usually, the last certificate is an end entity certificate, but it can be a CA certificate.) This makes it clear that exclusion of self-issued certificates from the path length count applies only to some *intermediate* CA certificates. A leaf certificate whether it has identical issuer and subject or whether it is a CA or not is never part of the intermediate certificate count. The handling of all leaf certificates must be the same, in the case of our code to post-increment the path count by 1, so that we ultimately reach a non-self-issued intermediate it will be the first one (not zeroth) in the chain of intermediates. Reviewed-by: Matt Caswell (cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f) --- Summary of changes: crypto/x509/x509_vfy.c | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index f86871f..ba186d3 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c 
@@ -515,15 +515,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) /* check_purpose() makes the callback as needed */ if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca)) return 0; -/* Check pathlen if not self issued */ -if ((i > 1) && !(x->ex_flags & EXFLAG_SI) -&& (x->ex_pathlen != -1) -&& (plen > (x->ex_pathlen + proxy_path_length + 1))) { +/* Check pathlen */ +if ((i > 1) && (x->ex_pathlen != -1) +&& (plen > (x->ex_pathlen + proxy_path_length))) { if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED)) return 0; } -/* Increment path length if not self issued */ -if (!(x->ex_flags & EXFLAG_SI)) +/* Increment path length if not a self issued intermediate
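Review bot: in the check_chain_extensions() hunk, dropping the `+ 1` from `plen > (x->ex_pathlen + proxy_path_length)` is only correct if `plen` no longer counts the leaf, and the initialisation of `plen` is outside this hunk; the commit message says the EE cert is never counted now, so please confirm the starting value was changed in the same commit and add a one-line comment at the comparison stating what `plen` counts (non-self-issued intermediates below this CA). Removing `!(x->ex_flags & EXFLAG_SI)` from the comparison is the substantive tightening: a self-issued CA, including a self-signed root, now has its own pathLenConstraint enforced, so a root that asserts pathlen 0 can no longer be used to validate a chain with an intermediate beneath it.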
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via a76a41655e57b72b30a373aae6e75afedf920076 (commit) from 77078e6bbfa686dba00cf379f0c96bd2833133a6 (commit) - Log - commit a76a41655e57b72b30a373aae6e75afedf920076 Author: Andy Polyakov Date: Fri Oct 12 22:17:51 2018 +0200 ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac. (back-port of commit 7d0effeacbb50b12bfc24df7614d7cf5c8686f51) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7392) --- Summary of changes: ssl/s3_enc.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index e08857d..89b7739 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -404,13 +404,14 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p) } if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) { SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); -return 0; +ret = 0; +goto err; } ret = EVP_MD_CTX_size(ctx); if (ret < 0) { -EVP_MD_CTX_reset(ctx); -return 0; +ret = 0; +goto err; } if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0) @@ -422,6 +423,7 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p) ret = 0; } + err: EVP_MD_CTX_free(ctx); return ret; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
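Review bot: the two early `return 0` statements replaced in the ssl3_final_finish_mac() hunks bypassed the `EVP_MD_CTX_free(ctx)` that now sits after the `err:` label, so a failed EVP_MD_CTX_copy_ex() or a negative EVP_MD_CTX_size() leaked the digest context on every such handshake failure; routing both paths through `ret = 0; goto err;` closes that. The old `EVP_MD_CTX_reset(ctx); return 0;` in the second path also only reset rather than freed the context, so that branch leaked as well, which is worth a line in the commit message since "logical errors" undersells a leak reachable from peer-driven handshake failures.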
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 77078e6bbfa686dba00cf379f0c96bd2833133a6 (commit) from 737a37f7f170121769875e8e6f5fe7389701dff8 (commit) - Log - commit 77078e6bbfa686dba00cf379f0c96bd2833133a6 Author: Benjamin Kaduk Date: Thu Oct 4 13:49:21 2018 -0500 apps: allow empty attribute values with -subj Historically (i.e., OpenSSL 1.0.x), the openssl applications would allow for empty subject attributes to be passed via the -subj argument, e.g., `opensl req -subj '/CN=joe/O=/OU=local' ...`. Commit db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite to the parse_name() helper function that parses these strings, but in the process dropped a check that would skip attributes with no associated value. As a result, such strings are now treated as hard errors and the operation fails. Restore the check to skip empty attribute values and restore the historical behavior. Document the behavior for empty subject attribute values in the corresponding applications' manual pages. (cherry picked from commit 3d362f190306b62a17aa2fd475b2bc8b3faa8142) (cherry picked from commit a7ee1ef61b1893038008691a4a6979cf2da91439) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7368) --- Summary of changes: apps/apps.c | 6 ++ doc/apps/ca.pod | 6 -- doc/apps/req.pod | 6 -- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index a162b16..94efa5a 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1770,6 +1770,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti) opt_getprog(), typestr); continue; } +if (*valstr == '\0') { +BIO_printf(bio_err, + "%s: No value provided for Subject Attribute %s, skipped\n", + opt_getprog(), typestr); +continue; +} if (!X509_NAME_add_entry_by_NID(n, nid, chtype, valstr, strlen((char *)valstr), -1, ismulti ? -1 : 0)) diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 9918a13..9885bb2 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod 
@@ -243,8 +243,10 @@ for all available algorithms. =item B<-subj arg> supersedes subject name given in the request. -The arg must be formatted as I, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the resulting certificate. =item B<-utf8> diff --git a/doc/apps/req.pod b/doc/apps/req.pod index 0a28aea..00ec1a8 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -213,8 +213,10 @@ see L. sets subject name for new request or supersedes the subject name when processing a request. -The arg must be formatted as I, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the request. =item B<-multivalue-rdn> _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
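Review bot: the new `*valstr == '\0'` check in parse_name() sits after the unknown-type `continue`, so an empty value is only reported for recognised attribute types, which is the right order; since the attribute is then dropped from the resulting X509_NAME with only a message on bio_err, scripts that build `-subj` strings from variables should expect the issued DN to differ from the string they passed when a variable is empty, and the ca.pod/req.pod hunks do document exactly that ("Empty values are permitted, but the corresponding type will not be included").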
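Review bot: in the ca.pod and req.pod hunks, "Keyword characters may be escaped by \ (backslash)" is clearer than the old wording, but it would help to state which characters need escaping inside a value (the `/` and `=` separators shown in the `/CN=joe/O=/OU=local` example from the commit message), since that is the case users actually hit; "whitespace is retained" is a good addition because the old "no spaces are skipped" read as a double negative.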
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 737a37f7f170121769875e8e6f5fe7389701dff8 (commit) from f7cbb8a4c222807be19994167890e66630a70101 (commit) - Log - commit 737a37f7f170121769875e8e6f5fe7389701dff8 Author: Tomas Mraz Date: Tue Oct 9 18:37:10 2018 +0200 Fix copy error found in Coverity scan Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7377) (cherry picked from commit 628ee796389b555ddb5fc28355e16e9417ab1724) --- Summary of changes: apps/speed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/speed.c b/apps/speed.c index 3ef37b7..6672fe6 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -2541,7 +2541,7 @@ int speed_main(int argc, char **argv) if (rsa_count <= 1) { /* if longer than 10s, don't do any more */ -for (testnum++; testnum < EC_NUM; testnum++) +for (testnum++; testnum < ECDSA_NUM; testnum++) ecdsa_doit[testnum] = 0; } } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
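Review bot: the loop bound change in speed_main() is more than tidiness: `ecdsa_doit[]` is presumably sized for ECDSA_NUM entries, so iterating `testnum < EC_NUM` wrote zeros past the end of the array whenever EC_NUM exceeds ECDSA_NUM, an out-of-bounds write that only the "longer than 10s" early-exit path triggers, which is why Coverity rather than the test suite caught it. Worth grepping speed.c for the same copy-pasted loop over the ECDH array and checking its bound matches its own array.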
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via f7cbb8a4c222807be19994167890e66630a70101 (commit) from d39b27749f7402127a0be1e8dfffd710db52bde6 (commit) - Log - commit f7cbb8a4c222807be19994167890e66630a70101 Author: Andy Polyakov Date: Wed Sep 5 14:33:21 2018 +0200 rsa/rsa_ossl.c: fix and extend commentary [skip ci]. Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7123) (cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849) --- Summary of changes: crypto/rsa/rsa_ossl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c index 5703411..23f948f 100644 --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -655,10 +655,11 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) */ || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p) -/* r0 = r0 * iqmp mod p */ +/* r1 = r1 * iqmp mod p */ || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, ctx) +/* r0 = r1 * q + m1 */ || !bn_mul_fixed_top(r0, r1, rsa->q, ctx) || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n)) goto err; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
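Review bot: the replacement comment `/* r1 = r1 * iqmp mod p */` now agrees with the `bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, ...)` call beneath it, but the new `/* r0 = r1 * q + m1 */` is slightly off: the following `bn_mod_add_fixed_top(r0, r0, m1, rsa->n)` reduces modulo n, so `r0 = (r1 * q + m1) mod n` would be exact. Since this is the CRT recombination step in rsa_ossl_mod_exp(), precise comments here help a reviewer check each operation against the intended formula.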
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via d39b27749f7402127a0be1e8dfffd710db52bde6 (commit) via 32451d8f861324697fc275593fbb830f80c1723b (commit) from 875ba8b21ecc65ad9a6bdc66971e50461660fcbb (commit) - Log - commit d39b27749f7402127a0be1e8dfffd710db52bde6 Author: Richard Levitte Date: Sun Sep 30 02:18:47 2018 +0200 Clean out aliases in include/openssl/symhacks.h Only a few clashing ones remain Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/7331) (cherry picked from commit b44882a0bd0717e0aab84f5dc3ef81ab673155e9) commit 32451d8f861324697fc275593fbb830f80c1723b Author: Richard Levitte Date: Sun Sep 30 01:59:11 2018 +0200 Small cleanup (util/mkdef.pl, crypto/bio/bss_log.c, include/openssl/ocsp.h) BIO_s_log() is declared for everyone, so should return NULL when not actually implemented. Also, it had explicit platform limitations in util/mkdef.pl that didn't correspond to what was actually in code. While at it, a few other hard coded things that have lost their relevance were removed. include/openssl/ocsp.h had a few duplicate declarations. Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/7331) (cherry picked from commit 7e09c5eaa57295f87453286ffe25277c2f2bc73f) --- Summary of changes: crypto/bio/bss_log.c | 5 + include/openssl/ocsp.h | 3 --- include/openssl/symhacks.h | 15 --- util/libcrypto.num | 2 +- util/mkdef.pl | 10 -- 5 files changed, 6 insertions(+), 29 deletions(-) diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c index 4719a5e..f090e82 100644 --- a/crypto/bio/bss_log.c +++ b/crypto/bio/bss_log.c @@ -404,4 +404,9 @@ static void xcloselog(BIO *bp) # endif /* Unix */ +#else /* NO_SYSLOG */ +const BIO_METHOD *BIO_s_log(void) +{ +return NULL; +} #endif /* NO_SYSLOG */ diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h index fd172fb..aa432f1 100644 --- a/include/openssl/ocsp.h +++ b/include/openssl/ocsp.h 
@@ -92,7 +92,6 @@ typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES; # define V_OCSP_RESPID_KEY 1 DEFINE_STACK_OF(OCSP_RESPID) -DECLARE_ASN1_FUNCTIONS(OCSP_RESPID) typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO; @@ -159,8 +158,6 @@ int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it, int OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx, ASN1_VALUE **pval, const ASN1_ITEM *it); BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx); -int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it, - ASN1_VALUE *val); int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, const char *op, const char *path); int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req); int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, diff --git a/include/openssl/symhacks.h b/include/openssl/symhacks.h index caf1f1a..b6d68ef 100644 --- a/include/openssl/symhacks.h +++ b/include/openssl/symhacks.h @@ -28,21 +28,6 @@ # undef i2d_ECPKPARAMETERS # define i2d_ECPKPARAMETERS i2d_UC_ECPKPARAMETERS -/* - * These functions do not seem to exist! However, I'm paranoid... Original - * command in x509v3.h: These functions are being redefined in another - * directory, and clash when the linker is case-insensitive, so let's hide - * them a little, by giving them an extra 'o' at the beginning of the name... - */ -# undef X509v3_cleanup_extensions -# define X509v3_cleanup_extensions oX509v3_cleanup_extensions -# undef X509v3_add_extension -# define X509v3_add_extensionoX509v3_add_extension -# undef X509v3_add_netscape_extensions -# define X509v3_add_netscape_extensions oX509v3_add_netscape_extensions -# undef X509v3_add_standard_extensions -# define X509v3_add_standard_extensions oX509v3_add_standard_extensions - /* This one clashes with CMS_data_create */ # undef cms_Data_create # define cms_Data_create priv_cms_Data_create diff --git a/util/libcrypto.num b/util/libcrypto.num index c0fe79d..2390fa0 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
@@ -282,7 +282,7 @@ TS_REQ_free 282 1_1_0 EXIST::FUNCTION:TS PEM_read_DHparams 2831_1_0 EXIST::FUNCTION:DH,STDIO RSA_private_decrypt 2841_1_0 EXIST::FUNCTION:RSA X509V3_EXT_get_nid 2851_1_0 EXIST::FUNCTION: -BIO_s_log 2861_1_0 EXIST:!WIN32,!macintosh:FUNCTION: +BIO_s_log 2861_1_0 EXIST::FUNCTION: EC_POINT_set_to_infinity287
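Review bot: with the bss_log.c hunk, BIO_s_log() now returns NULL on NO_SYSLOG builds, and the libcrypto.num hunk exports the symbol everywhere (`EXIST::FUNCTION:` instead of `EXIST:!WIN32,!macintosh:FUNCTION:`); callers written for platforms where the function always existed may pass the result straight to BIO_new(), so the BIO_s_log manual page should state that a NULL return means syslog logging is unavailable and must be checked. The ocsp.h hunk removing the duplicate DECLARE_ASN1_FUNCTIONS(OCSP_RESPID) and the second OCSP_REQ_CTX_i2d() prototype is straightforward.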
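Review bot: the symhacks.h hunk deletes the oX509v3_* aliases whose own comment admitted the functions "do not seem to exist"; since symhacks.h exists only for case-insensitive linkers, each remaining entry (the `cms_Data_create` one is visible just below) should carry a comment naming the symbol it clashes with, so the next cleanup can tell live entries from dead weight without guessing.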
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 908f7a1a1b73ec196efd6e12c9ee1e377f044033 (commit) from 1abdf08284af055f68c5ece4c7c0efa8f2bf323a (commit) - Log - commit 908f7a1a1b73ec196efd6e12c9ee1e377f044033 Author: Daniel Bevenius Date: Mon Sep 24 08:43:35 2018 +0200 Document OPENSSL_VERSION_TEXT macro This commit documents the OPENSSL_VERSION_TEXT which is currently missing in the man page. Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7301) (cherry picked from commit 7c69495712e3dc9aa8db38271f0c3faeb2037165) --- Summary of changes: doc/crypto/OPENSSL_VERSION_NUMBER.pod | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/doc/crypto/OPENSSL_VERSION_NUMBER.pod index f5429d2..01623ba 100644 --- a/doc/crypto/OPENSSL_VERSION_NUMBER.pod +++ b/doc/crypto/OPENSSL_VERSION_NUMBER.pod @@ -2,13 +2,14 @@ =head1 NAME -OPENSSL_VERSION_NUMBER, OpenSSL_version, +OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT, OpenSSL_version, OpenSSL_version_num - get OpenSSL version number =head1 SYNOPSIS #include #define OPENSSL_VERSION_NUMBER 0xnL + #define OPENSSL_VERSION_TEXT "OpenSSL x.y.z xx XXX " #include @@ -45,6 +46,10 @@ Version 0.9.5a had an interim interpretation that is like the current one, except the patch level got the highest bit set, to keep continuity. The number was therefore 0x0090581f. +OPENSSL_VERSION_TEXT is the text variant of the version number and the +release date. For example, +"OpenSSL 1.0.1a 15 Oct 2015". + OpenSSL_version_num() returns the version number. OpenSSL_version() returns different strings depending on B: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
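Review bot: the new paragraph in OPENSSL_VERSION_NUMBER.pod describes OPENSSL_VERSION_TEXT but should tell readers not to parse it: it is a human-readable banner, and version comparisons belong on OPENSSL_VERSION_NUMBER (documented just above) or OpenSSL_version_num(). The example `"OpenSSL 1.0.1a 15 Oct 2015"` would be better taken from an actual release banner so nobody reads it as a real release date.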
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 1abdf08284af055f68c5ece4c7c0efa8f2bf323a (commit) from 4aa1739c111e1390909533e7b2f485bc655c2489 (commit) - Log - commit 1abdf08284af055f68c5ece4c7c0efa8f2bf323a Author: Pauli Date: Mon Sep 24 11:21:18 2018 +1000 Use secure_getenv(3) when available. Change all calls to getenv() inside libcrypto to use a new wrapper function that use secure_getenv() if available and an issetugid then getenv if not. CPU processor override flags are unchanged. Extra checks for OPENSSL_issetugid() have been removed in favour of the safe getenv. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7047) (cherry picked from commit 5c39a55d04ea6e6f734b627a050b9e702788d50d) --- Summary of changes: crypto/build.info | 2 +- crypto/conf/conf_api.c | 7 --- crypto/conf/conf_mod.c | 3 +-- crypto/ct/ct_log.c | 2 +- crypto/engine/eng_list.c | 2 +- crypto/getenv.c| 31 +++ crypto/include/internal/cryptlib.h | 2 ++ crypto/pkcs12/p12_mutl.c | 18 +- crypto/rand/randfile.c | 9 ++--- crypto/x509/by_dir.c | 3 ++- crypto/x509/by_file.c | 2 +- 11 files changed, 55 insertions(+), 26 deletions(-) create mode 100644 crypto/getenv.c diff --git a/crypto/build.info b/crypto/build.info index e693eba..8e15379 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -2,7 +2,7 @@ LIBS=../libcrypto SOURCE[../libcrypto]=\ cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fopen.c \ -threads_pthread.c threads_win.c threads_none.c \ +threads_pthread.c threads_win.c threads_none.c getenv.c \ o_init.c o_fips.c mem_sec.c init.c {- $target{cpuid_asm_src} -} \ {- $target{uplink_aux_src} -} EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ diff --git a/crypto/conf/conf_api.c b/crypto/conf/conf_api.c index 79e682a..36c91b1 100644 --- a/crypto/conf/conf_api.c +++ b/crypto/conf/conf_api.c 
@@ -9,11 +9,12 @@ /* Part of the code in here was originally in conf.c, which is now removed */ +#include "e_os.h" +#include "internal/cryptlib.h" #include #include #include #include -#include "e_os.h" static void value_free_hash(const CONF_VALUE *a, LHASH_OF(CONF_VALUE) *conf); static void value_free_stack_doall(CONF_VALUE *a); @@ -82,7 +83,7 @@ char *_CONF_get_string(const CONF *conf, const char *section, if (v != NULL) return (v->value); if (strcmp(section, "ENV") == 0) { -p = getenv(name); +p = ossl_safe_getenv(name); if (p != NULL) return (p); } @@ -95,7 +96,7 @@ char *_CONF_get_string(const CONF *conf, const char *section, else return (NULL); } else -return (getenv(name)); +return ossl_safe_getenv(name); } static unsigned long conf_value_hash(const CONF_VALUE *v) diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c index 543a8ea..7314435 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c @@ -478,8 +478,7 @@ char *CONF_get1_default_config_file(void) char *file; int len; -file = getenv("OPENSSL_CONF"); -if (file) +if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL) return OPENSSL_strdup(file); len = strlen(X509_get_default_cert_area()); diff --git a/crypto/ct/ct_log.c b/crypto/ct/ct_log.c index d442322..881dc98 100644 --- a/crypto/ct/ct_log.c +++ b/crypto/ct/ct_log.c @@ -137,7 +137,7 @@ static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *sec int CTLOG_STORE_load_default_file(CTLOG_STORE *store) { -const char *fpath = getenv(CTLOG_FILE_EVP); +const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP); if (fpath == NULL) fpath = CTLOG_FILE; diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index 934389f..fcab415 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c 
@@ -322,7 +322,7 @@ ENGINE *ENGINE_by_id(const char *id) * Prevent infinite recursion if we're looking for the dynamic engine. */ if (strcmp(id, "dynamic")) { -if ((load_dir = getenv("OPENSSL_ENGINES")) == 0) +if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == NULL) load_dir = ENGINESDIR; iterator = ENGINE_by_id("dynamic"); if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || diff --git a/crypto/getenv.c b/crypto/getenv.c new file mode 100644 index 000..7e98b64 --- /dev/null +++ b/crypto/getenv.c @@
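Review bot: the switch from getenv() to ossl_safe_getenv() in conf_api.c, conf_mod.c, ct_log.c and eng_list.c closes a real privilege-escalation foothold: OPENSSL_CONF selects the configuration file and OPENSSL_ENGINES the directory the dynamic engine loads shared objects from, so honouring them in a setuid/setgid process let an unprivileged caller steer a privileged one to files it controls; secure_getenv()/issetugid() make those lookups return NULL in that situation. Two things to check: the move of `#include "e_os.h"` ahead of the system headers in conf_api.c deserves a comment (the feature-test macro that exposes secure_getenv() must precede the first system header), and `_CONF_get_string()` now also returns NULL for every `ENV` section lookup in a setuid process, a behaviour change for config files using `$ENV::NAME` that belongs in CHANGES. The `== 0` to `== NULL` change in ENGINE_by_id() is a welcome readability fix.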
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 4aa1739c111e1390909533e7b2f485bc655c2489 (commit) from ad1730359220cef5903d16c7f58b602fc3713414 (commit) - Log - commit 4aa1739c111e1390909533e7b2f485bc655c2489 Author: Richard Levitte Date: Fri Sep 21 11:11:15 2018 +0200 crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG This module includes bn.h via other headers, so it picks up the definition from there and doesn't need to define them locally (any more?). Worst case scenario, the redefinition may be different and cause all sorts of compile errors. Fixes #7227 Reviewed-by: Tim Hudson Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7287) (cherry picked from commit dda5396aaec315bdbcb080e42fb5cd0191f2ad72) --- Summary of changes: crypto/bn/asm/x86_64-gcc.c | 6 -- 1 file changed, 6 deletions(-) diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c index 0ff3805..cdb54fa 100644 --- a/crypto/bn/asm/x86_64-gcc.c +++ b/crypto/bn/asm/x86_64-gcc.c @@ -64,12 +64,6 @@ *machine. */ -# if defined(_WIN64) || !defined(__LP64__) -# define BN_ULONG unsigned long long -# else -# define BN_ULONG unsigned long -# endif - # undef mul # undef mul_add _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
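Review bot: removing the local BN_ULONG definitions from x86_64-gcc.c is the right fix, but the commit message says the real definition arrives "via other headers"; relying on transitive inclusion is how this drifted in the first place, so add an explicit `#include <openssl/bn.h>` at the top of the file to make the dependency visible. The removed `defined(_WIN64) || !defined(__LP64__)` variant picked `unsigned long long` where bn.h may pick a different type, which is exactly the "all sorts of compile errors" case the message describes.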
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via ad1730359220cef5903d16c7f58b602fc3713414 (commit) from ae59efc2f60bd839fe80ef50d889c74c4afbb703 (commit) - Log - commit ad1730359220cef5903d16c7f58b602fc3713414 Author: Richard Levitte Date: Wed Sep 19 21:33:45 2018 +0200 crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too These both indicate that the file descriptor we're trying to use as a terminal isn't, in fact, a terminal. Fixes #7271 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7272) (cherry picked from commit 276bf8620ce35a613c856f2b70348f65ffe94067) --- Summary of changes: crypto/ui/ui_openssl.c | 18 ++ 1 file changed, 18 insertions(+) diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c index bfe93a5..a25934c 100644 --- a/crypto/ui/ui_openssl.c +++ b/crypto/ui/ui_openssl.c @@ -436,6 +436,24 @@ static int open_console(UI *ui) is_a_tty = 0; else # endif +# ifdef ENXIO +/* + * Solaris can return ENXIO. + * This should be ok + */ +if (errno == ENXIO) +is_a_tty = 0; +else +# endif +# ifdef EIO +/* + * Linux can return EIO. + * This should be ok + */ +if (errno == EIO) +is_a_tty = 0; +else +# endif # ifdef ENODEV /* * MacOS X returns ENODEV (Operation not supported by device), _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via ae59efc2f60bd839fe80ef50d889c74c4afbb703 (commit) from 55b1542ca57537e0899e8b82d4f0363db8f1d261 (commit) - Log - commit ae59efc2f60bd839fe80ef50d889c74c4afbb703 Author: Pauli Date: Mon Sep 17 07:47:42 2018 +1000 Use 'i' as parameter name not 'I'. The latter causes problems when complex.h is #included. Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7233) (cherry picked from commit 972f67889b5a10c33dbc3d500cfa65b544e68b46) --- Summary of changes: crypto/rsa/rsa_meth.c | 4 ++-- doc/crypto/RSA_meth_new.pod | 4 ++-- include/openssl/rsa.h | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/crypto/rsa/rsa_meth.c b/crypto/rsa/rsa_meth.c index 83de554..ba40cff 100644 --- a/crypto/rsa/rsa_meth.c +++ b/crypto/rsa/rsa_meth.c @@ -163,13 +163,13 @@ int RSA_meth_set_priv_dec(RSA_METHOD *meth, /* Can be null */ int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth)) -(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) +(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx) { return meth->rsa_mod_exp; } int RSA_meth_set_mod_exp(RSA_METHOD *meth, - int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, + int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx)) { meth->rsa_mod_exp = mod_exp; diff --git a/doc/crypto/RSA_meth_new.pod b/doc/crypto/RSA_meth_new.pod index 9c89426..8f6d428 100644 --- a/doc/crypto/RSA_meth_new.pod +++ b/doc/crypto/RSA_meth_new.pod 
@@ -58,9 +58,9 @@ RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen int padding)); /* Can be null */ int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth)) - (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); + (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); int RSA_meth_set_mod_exp(RSA_METHOD *rsa, - int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, + int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx)); /* Can be null */ int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth)) diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index 790831b..9c28329 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h @@ -407,9 +407,9 @@ int RSA_meth_set_priv_dec(RSA_METHOD *rsa, unsigned char *to, RSA *rsa, int padding)); int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth)) -(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); +(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); int RSA_meth_set_mod_exp(RSA_METHOD *rsa, - int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, + int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx)); int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth)) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
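Review bot: renaming the function-pointer parameter `I` to `i` in rsa_meth.c, rsa.h and RSA_meth_new.pod is ABI-neutral (parameter names in a prototype do not affect the type), so it is safe for a stable branch; while in these lines, note that the setter is declared as `RSA_meth_set_mod_exp(RSA_METHOD *rsa, ...)` in rsa.h and the pod but `RSA_meth_set_mod_exp(RSA_METHOD *meth, ...)` in rsa_meth.c, and the header form reuses the name `rsa` for both the method and the inner `RSA *rsa` argument; naming the first parameter `meth` everywhere would match the getter `RSA_meth_get_mod_exp(const RSA_METHOD *meth)`.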
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 55b1542ca57537e0899e8b82d4f0363db8f1d261 (commit) from 622fc2e051bc3c61a09d08f1fafdb45f6f8499b0 (commit) - Log - commit 55b1542ca57537e0899e8b82d4f0363db8f1d261 Author: Pauli Date: Mon Sep 17 08:09:25 2018 +1000 Add a compile time test to verify that openssl/rsa.h and complex.h can coexist. Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7233) (cherry picked from commit da5fac72b1cba5651b871902eea234e693cf01e5) --- Summary of changes: .gitignore | 1 + test/build.info| 5 - test/rsa_complex.c | 27 +++ 3 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 test/rsa_complex.c diff --git a/.gitignore b/.gitignore index 3dee392..717aeb3 100644 --- a/.gitignore +++ b/.gitignore @@ -52,6 +52,7 @@ Makefile /test/x509aux /test/v3ext /test/versions +/test/rsa_complex # Certain files that get created by tests on the fly /test/test-runs diff --git a/test/build.info b/test/build.info index d850b52..2367ab8 100644 --- a/test/build.info +++ b/test/build.info @@ -2,7 +2,7 @@ IF[{- !$disabled{tests} -}] PROGRAMS_NO_INST=\ versions \ aborttest \ - sanitytest exdatatest bntest \ + sanitytest rsa_complex exdatatest bntest \ ectest ecdsatest gmdifftest pbelutest ideatest \ md2test md4test md5test \ hmactest wp_test \ @@ -32,6 +32,9 @@ IF[{- !$disabled{tests} -}] INCLUDE[sanitytest]=../include DEPEND[sanitytest]=../libcrypto + SOURCE[rsa_complex]=rsa_complex.c + INCLUDE[rsa_complex]=../include + SOURCE[exdatatest]=exdatatest.c INCLUDE[exdatatest]=../include DEPEND[exdatatest]=../libcrypto diff --git a/test/rsa_complex.c b/test/rsa_complex.c new file mode 100644 index 000..fac5812 --- /dev/null +++ b/test/rsa_complex.c 
@@ -0,0 +1,27 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Check to see if there is a conflict between complex.h and openssl/rsa.h. + * The former defines "I" as a macro and earlier versions of the latter use + * for function arguments. + */ +#if defined(__STDC_VERSION__) +# if __STDC_VERSION__ >= 199901L +# include +# endif +#endif +#include +#include + +int main(int argc, char *argv[]) +{ +/* There are explicitly no run time checks for this one */ +return EXIT_SUCCESS; +} _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
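Review bot: test/rsa_complex.c is a compile-only check, and the `__STDC_VERSION__ >= 199901L` guard means that on a C89 build the complex.h include is skipped and the program trivially succeeds, so the test only proves anything when the compiler is in C99 mode; say so in the file comment, and in build.info note that rsa_complex deliberately has no DEPEND on ../libcrypto because it must compile against the public headers alone. The unused `argc`/`argv` will warn under -Wunused-parameter in strict builds; `int main(void)` avoids that.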
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 622fc2e051bc3c61a09d08f1fafdb45f6f8499b0 (commit) from 477d1a6234d5f4cf5ebfe022390cf5fff42b60fa (commit) - Log - commit 622fc2e051bc3c61a09d08f1fafdb45f6f8499b0 Author: Matt Caswell Date: Wed Sep 12 16:49:19 2018 +0100 Add an explicit cast to time_t Caused a compilation failure in some environments Fixes #7204 Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/7205) (cherry picked from commit bc278f30f0b766bfb82426c641dc1d51ace4a994) --- Summary of changes: test/ct_test.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/ct_test.c b/test/ct_test.c index ea90923..88a8b77 100644 --- a/test/ct_test.c +++ b/test/ct_test.c @@ -542,8 +542,8 @@ static int test_default_ct_policy_eval_ctx_time_is_now() { int success = 0; CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new(); -const time_t default_time = CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / -1000; +const time_t default_time = +(time_t)(CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / 1000); const time_t time_tolerance = 600; /* 10 minutes */ if (fabs(difftime(time(NULL), default_time)) > time_tolerance) { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
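Review bot: casting the whole `CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / 1000` expression to `time_t` is the right spot (convert after the millisecond division, not before), but the surrounding lines show `ct_policy_ctx` passed to CT_POLICY_EVAL_CTX_get_time() immediately after `CT_POLICY_EVAL_CTX_new()` with no NULL check; a test should fail cleanly on allocation failure rather than crash, so bail out with `success = 0` before that call when `ct_policy_ctx == NULL`.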
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 477d1a6234d5f4cf5ebfe022390cf5fff42b60fa (commit) from e13dc23cc0fd64c304c25a67d5fa516a77f9e8f1 (commit) - Log - commit 477d1a6234d5f4cf5ebfe022390cf5fff42b60fa Author: Viktor Szakats Date: Tue Sep 11 22:34:00 2018 + minor fixes for Windows - fix to use secure URL in generated Windows resources - fix a potentially uninitialized variable CLA: trivial Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7189) --- Summary of changes: crypto/cryptlib.c | 2 +- util/mkrc.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index 3b878cd..9e59e03 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -198,7 +198,7 @@ int OPENSSL_isservice(void) if (_OPENSSL_isservice.p == NULL) { HANDLE mod = GetModuleHandle(NULL); -FARPROC f; +FARPROC f = NULL; if (mod != NULL) f = GetProcAddress(mod, "_OPENSSL_isservice"); diff --git a/util/mkrc.pl b/util/mkrc.pl index c177349..96f56f3 100755 --- a/util/mkrc.pl +++ b/util/mkrc.pl @@ -60,7 +60,7 @@ BEGIN BLOCK "040904b0" BEGIN // Required: -VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0; +VALUE "CompanyName", "The OpenSSL Project, https://www.openssl.org/\\0; VALUE "FileDescription", "$description\\0" VALUE "FileVersion", "$version\\0" VALUE "InternalName", "$basename\\0" _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
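Review bot: `FARPROC f = NULL;` in OPENSSL_isservice() fixes the path where `GetModuleHandle(NULL)` returns NULL and `f` was then read uninitialised; in the mkrc.pl hunk, both the old and new CompanyName lines end in `openssl.org/\\0;` while the sibling VALUE lines end in `\\0"`, so double-check that the closing double-quote is really present in the template, and the http to https change should be mirrored anywhere else the resource template embeds a project URL.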
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via e13dc23cc0fd64c304c25a67d5fa516a77f9e8f1 (commit) from aa4312d24492c977eb7d01014e23da61bf245de5 (commit) - Log - commit e13dc23cc0fd64c304c25a67d5fa516a77f9e8f1 Author: Bernd Edlinger Date: Mon Sep 10 14:18:23 2018 +0200 Make the config script fail with an error code if Configure failed Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7166) --- Summary of changes: config | 1 + 1 file changed, 1 insertion(+) diff --git a/config b/config index 35e849a..19c0071 100755 --- a/config +++ b/config @@ -929,5 +929,6 @@ if [ $? = "0" ]; then fi else echo "This system ($OUT) is not supported. See file INSTALL for details." + exit 1 fi ) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
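Review bot: the added `exit 1` in config runs inside the `( ... )` subshell whose closing `)` is the last visible line, so the non-zero status is the subshell's and only reaches the caller if that subshell is the script's final command or its status is propagated explicitly; please confirm that, otherwise `./config && make` will still proceed on an unsupported system. Sending the "not supported" echo to stderr with `>&2` would also put the message where build logs expect errors.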
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via aa4312d24492c977eb7d01014e23da61bf245de5 (commit) from f6c6c7c95caedb6046e751a3e24d1923a6554fa7 (commit) - Log - commit aa4312d24492c977eb7d01014e23da61bf245de5 Author: parasssh Date: Wed Aug 22 22:42:11 2018 -0700 Fix typos in documentation. CLA: trivial (cherry picked from commit fa332bba919d094c1654bbb3be0528b3df6e9023) Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7040) --- Summary of changes: doc/crypto/EVP_DigestInit.pod | 2 +- doc/crypto/EVP_DigestSignInit.pod | 10 +- doc/crypto/EVP_DigestVerifyInit.pod | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/crypto/EVP_DigestInit.pod b/doc/crypto/EVP_DigestInit.pod index 1dc76cb..9fda29b 100644 --- a/doc/crypto/EVP_DigestInit.pod +++ b/doc/crypto/EVP_DigestInit.pod @@ -223,7 +223,7 @@ EVP_MD_CTX_copy_ex() because they can efficiently reuse a digest context instead of initializing and cleaning it up on each call and allow non default implementations of digests to be specified. -If digest contexts are not cleaned up after use +If digest contexts are not cleaned up after use, memory leaks will occur. EVP_MD_CTX_size(), EVP_MD_CTX_block_size(), EVP_MD_CTX_type(), diff --git a/doc/crypto/EVP_DigestSignInit.pod b/doc/crypto/EVP_DigestSignInit.pod index bec8e9d..a3938d5 100644 --- a/doc/crypto/EVP_DigestSignInit.pod +++ b/doc/crypto/EVP_DigestSignInit.pod @@ -28,7 +28,7 @@ is freed). The digest B may be NULL if the signing algorithm supports it. Only EVP_PKEY types that support signing can be used with these functions. This includes MAC algorithms where the MAC generation is considered as a form of -"signing." Built-in EVP_PKEY types supported by these functions are CMAC, DSA, +"signing". Built-in EVP_PKEY types supported by these functions are CMAC, DSA, ECDSA, HMAC and RSA. Not all digests can be used for all key types. The following combinations apply. 
@@ -71,17 +71,17 @@ signature context B. This function can be called several times on the same B to include additional data. This function is currently implemented using a macro. -EVP_DigestSignFinal() signs the data in B places the signature in B. +EVP_DigestSignFinal() signs the data in B and places the signature in B. If B is B then the maximum size of the output buffer is written to the B parameter. If B is not B then before the call the -B parameter should contain the length of the B buffer, if the +B parameter should contain the length of the B buffer. If the call is successful the signature is written to B and the amount of data written to B. =head1 RETURN VALUES EVP_DigestSignInit() EVP_DigestSignUpdate() and EVP_DigestSignaFinal() return -1 for success and 0 or a negative value for failure. In particular a return +1 for success and 0 or a negative value for failure. In particular, a return value of -2 indicates the operation is not supported by the public key algorithm. @@ -105,7 +105,7 @@ The call to EVP_DigestSignFinal() internally finalizes a copy of the digest context. This means that calls to EVP_DigestSignUpdate() and EVP_DigestSignFinal() can be called later to digest and sign additional data. -Since only a copy of the digest context is ever finalized the context must +Since only a copy of the digest context is ever finalized, the context must be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak will occur. diff --git a/doc/crypto/EVP_DigestVerifyInit.pod b/doc/crypto/EVP_DigestVerifyInit.pod index 6c3d070..2e1d00f 100644 --- a/doc/crypto/EVP_DigestVerifyInit.pod +++ b/doc/crypto/EVP_DigestVerifyInit.pod 
@@ -65,7 +65,7 @@ The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can be called later to digest and verify additional data. -Since only a copy of the digest context is ever finalized the context must +Since only a copy of the digest context is ever finalized, the context must be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak will occur. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
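Review bot: the RETURN VALUES hunk in EVP_DigestSignInit.pod leaves a typo in its own context line: `EVP_DigestSignInit() EVP_DigestSignUpdate() and EVP_DigestSignaFinal() return` should read `EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal() return`. Since this commit exists to fix documentation typos, it is worth folding in.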
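Review bot: the EVP_DigestVerifyInit.pod hunk keeps context that names the wrong functions: `This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can be called later` refers to the older EVP_Verify* API, while the page documents EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal(). The same paragraph in both pod files also tells readers to clean up with EVP_MD_CTX_cleanup(), although elsewhere in these pages the context is created with EVP_MD_CTX_new(); the cleanup call named should be the one that matches the API the page documents.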
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via f6c6c7c95caedb6046e751a3e24d1923a6554fa7 (commit) from 1fa7e2ee06f24cdc7fe04599456a07f29db69d95 (commit) - Log - commit f6c6c7c95caedb6046e751a3e24d1923a6554fa7 Author: Richard Levitte Date: Tue Sep 11 11:00:30 2018 +0200 CAPI engine: add support for RSA_NO_PADDING Since the SSL code started using RSA_NO_PADDING, the CAPI engine became unusable. This change fixes that. Fixes #7131 Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7174) (cherry picked from commit 37f4928701aa54937ce8eef422a2165afeec5cec) --- Summary of changes: engines/e_capi.c | 28 +--- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/engines/e_capi.c b/engines/e_capi.c index 4660f1a..9d5e850 100644 --- a/engines/e_capi.c +++ b/engines/e_capi.c @@ -917,6 +917,7 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from, unsigned char *tmpbuf; CAPI_KEY *capi_key; CAPI_CTX *ctx; +DWORD flags = 0; DWORD dlen; if (flen <= 0) @@ -932,12 +933,23 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from, return -1; } -if (padding != RSA_PKCS1_PADDING) { -char errstr[10]; -BIO_snprintf(errstr, 10, "%d", padding); -CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING); -ERR_add_error_data(2, "padding=", errstr); -return -1; +switch (padding) { +case RSA_PKCS1_PADDING: +/* Nothing to do */ +break; +#ifdef CRYPT_DECRYPT_RSA_NO_PADDING_CHECK +case RSA_NO_PADDING: +flags = CRYPT_DECRYPT_RSA_NO_PADDING_CHECK; +break; +#endif +default: +{ +char errstr[10]; +BIO_snprintf(errstr, 10, "%d", padding); +CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING); +ERR_add_error_data(2, "padding=", errstr); +return -1; +} } /* Create temp reverse order version of input */ 
@@ -950,14 +962,16 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from, /* Finally decrypt it */ dlen = flen; -if (!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, )) { +if (!CryptDecrypt(capi_key->key, 0, TRUE, flags, tmpbuf, )) { CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR); capi_addlasterror(); +OPENSSL_cleanse(tmpbuf, dlen); OPENSSL_free(tmpbuf); return -1; } else { memcpy(to, tmpbuf, (flen = (int)dlen)); } +OPENSSL_cleanse(tmpbuf, flen); OPENSSL_free(tmpbuf); return flen; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
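Review bot: in the first hunk, when the SDK headers do not define CRYPT_DECRYPT_RSA_NO_PADDING_CHECK the `case RSA_NO_PADDING:` arm is compiled out and the call falls through to `default:`, so the engine remains unusable with the SSL code that motivated the fix, and nothing at build time says so. Consider defining the flag locally when the header lacks it, or at least documenting the SDK requirement in the commit message.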
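Review bot: in the second hunk the success-path cleanse uses the post-decrypt length: `memcpy(to, tmpbuf, (flen = (int)dlen));` is followed by `OPENSSL_cleanse(tmpbuf, flen);`. For PKCS#1 padding `dlen` is shorter than the input, so the bytes of tmpbuf beyond dlen are freed without being wiped. Keep the original input length in a separate variable (the value assigned by `dlen = flen;` before the call) and cleanse the full allocation on both the error and success paths.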
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 1fa7e2ee06f24cdc7fe04599456a07f29db69d95 (commit) from 1ed9fafccc37bcc78c12d20d586842ee7c7cd8a6 (commit) - Log - commit 1fa7e2ee06f24cdc7fe04599456a07f29db69d95 Author: Matt Caswell Date: Mon Sep 10 16:23:14 2018 +0100 Check the return value from ASN1_INTEGER_set Found by Coverity Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7169) (cherry picked from commit 512d811719fc955f574090af4c3586a9aba46fa7) --- Summary of changes: crypto/pkcs12/p12_init.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/pkcs12/p12_init.c b/crypto/pkcs12/p12_init.c index a78e183..7b76909 100644 --- a/crypto/pkcs12/p12_init.c +++ b/crypto/pkcs12/p12_init.c @@ -22,7 +22,8 @@ PKCS12 *PKCS12_init(int mode) PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE); return NULL; } -ASN1_INTEGER_set(pkcs12->version, 3); +if (!ASN1_INTEGER_set(pkcs12->version, 3)) +goto err; pkcs12->authsafes->type = OBJ_nid2obj(mode); switch (mode) { case NID_pkcs7_data: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
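Review bot: the `goto err;` target is outside the hunk; confirm that `err:` in PKCS12_init() releases `pkcs12` (the malloc-failure path just above returns NULL after PKCS12err) and check whether an error code is queued on that path, so that a failing ASN1_INTEGER_set() does not leave the caller with a NULL and an empty error queue.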
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 1ed9fafccc37bcc78c12d20d586842ee7c7cd8a6 (commit) from a842be9cf7bdf3cb3abbfe152d811cbc57dded27 (commit) - Log - commit 1ed9fafccc37bcc78c12d20d586842ee7c7cd8a6 Author: Shane Lontis Date: Mon Sep 3 11:39:50 2018 +1000 RSA padding Zeroization fixes Reviewed-by: Paul Yang Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7090) (cherry picked from commit 82eba370daeb6d80b01b521d9e2963451487f0cb) --- Summary of changes: crypto/rsa/rsa_oaep.c | 33 +++-- crypto/rsa/rsa_pss.c | 4 ++-- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index f313519..df08a2f 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -43,10 +43,12 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, const unsigned char *param, int plen, const EVP_MD *md, const EVP_MD *mgf1md) { +int rv = 0; int i, emlen = tlen - 1; unsigned char *db, *seed; -unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE]; -int mdlen; +unsigned char *dbmask = NULL; +unsigned char seedmask[EVP_MAX_MD_SIZE]; +int mdlen, dbmask_len = 0; if (md == NULL) md = EVP_sha1(); 
@@ -72,40 +74,41 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, db = to + mdlen + 1; if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL)) -return 0; +goto err; memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1); db[emlen - flen - mdlen - 1] = 0x01; memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); if (RAND_bytes(seed, mdlen) <= 0) -return 0; +goto err; + #ifdef PKCS_TESTVECT memcpy(seed, "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f", 20); #endif -dbmask = OPENSSL_malloc(emlen - mdlen); +dbmask_len = emlen - mdlen; +dbmask = OPENSSL_malloc(dbmask_len); if (dbmask == NULL) { RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); -return 0; +goto err; } -if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) +if (PKCS1_MGF1(dbmask, dbmask_len, seed, mdlen, mgf1md) < 0) goto err; -for (i = 0; i < emlen - mdlen; i++) +for (i = 0; i < dbmask_len; i++) db[i] ^= dbmask[i]; -if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) +if (PKCS1_MGF1(seedmask, mdlen, db, dbmask_len, mgf1md) < 0) goto err; for (i = 0; i < mdlen; i++) seed[i] ^= seedmask[i]; - -OPENSSL_free(dbmask); -return 1; +rv = 1; err: -OPENSSL_free(dbmask); -return 0; +OPENSSL_cleanse(seedmask, sizeof(seedmask)); +OPENSSL_clear_free(dbmask, dbmask_len); +return rv; } int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, @@ -247,6 +250,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_OAEP_DECODING_ERROR); cleanup: +OPENSSL_cleanse(seed, sizeof(seed)); OPENSSL_clear_free(db, dblen); OPENSSL_clear_free(em, num); return mlen; @@ -289,6 +293,7 @@ int PKCS1_MGF1(unsigned char *mask, long len, } rv = 0; err: +OPENSSL_cleanse(md, sizeof(md)); EVP_MD_CTX_free(c); return rv; } diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index f814338..4a1e599 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -242,7 +242,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, err: EVP_MD_CTX_free(ctx); -OPENSSL_free(salt); +OPENSSL_clear_free(salt, sLen); return ret; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
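Review bot: in the RSA_padding_add_PKCS1_OAEP_mgf1 hunk, every `goto err` after `memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);` leaves the caller's `to` buffer holding the plaintext (`db` and `seed` point into `to`), and `err:` cleanses only `seedmask` and `dbmask`. Either cleanse `to` up to `tlen` on the failure path or state in the function's documentation that the contents of `to` are unspecified on failure.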
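Review bot: in the rsa_pss.c hunk `OPENSSL_clear_free(salt, sLen);` passes `sLen` as the size, but sLen is the salt-length argument, which callers may pass as a negative sentinel selecting an automatic length before the function normalises it. Confirm that every path reaching `err:` with a non-NULL `salt` has sLen already set to the real salt length; otherwise a negative value converts to a huge size_t in the cleanse.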
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via a842be9cf7bdf3cb3abbfe152d811cbc57dded27 (commit) via c28a2ffd01dc1da932aa55d518b57a933cdc51be (commit) from 374804bd0973e8af05046caecc40e6b906d1a375 (commit) - Log - commit a842be9cf7bdf3cb3abbfe152d811cbc57dded27 Author: Nicola Tuveri Date: Wed Sep 5 12:08:12 2018 +0300 Harmonize the error handling codepath Reviewed-by: Richard Levitte Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7121) commit c28a2ffd01dc1da932aa55d518b57a933cdc51be Author: Nicola Tuveri Date: Wed Sep 5 11:58:55 2018 +0300 Fix segfault in RSA_free() (and DSA/DH/EC_KEY) `RSA_free()` and friends are called in case of error from `RSA_new_method(ENGINE *e)` (or the respective equivalent functions). For the rest of the description I'll talk about `RSA_*`, but the same applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`. If `RSA_new_method()` fails because the engine does not implement the required method, when `RSA_free(RSA *r)` is called, `r->meth == NULL` and a segfault happens while checking if `r->meth->finish` is defined. This commit fixes this issue by ensuring that `r->meth` is not NULL before dereferencing it to check for `r->meth->finish`. Fixes #7102 . Reviewed-by: Richard Levitte Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7121) --- Summary of changes: crypto/dh/dh_lib.c | 10 ++ crypto/dsa/dsa_lib.c | 10 ++ crypto/ec/ec_key.c | 2 +- crypto/ec/ec_kmeth.c | 2 +- crypto/rsa/rsa_lib.c | 4 ++-- 5 files changed, 16 insertions(+), 12 deletions(-) diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index 716f4a4..4bc62a6 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c 
@@ -82,12 +82,14 @@ DH *DH_new_method(ENGINE *engine) if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { DHerr(DH_F_DH_NEW_METHOD, ERR_R_INIT_FAIL); -err: -DH_free(ret); -ret = NULL; +goto err; } return ret; + + err: +DH_free(ret); +return NULL; } void DH_free(DH *r) @@ -103,7 +105,7 @@ void DH_free(DH *r) return; REF_ASSERT_ISNT(i < 0); -if (r->meth->finish) +if (r->meth != NULL && r->meth->finish != NULL) r->meth->finish(r); #ifndef OPENSSL_NO_ENGINE ENGINE_finish(r->engine); diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index 9598846..9600c61 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -91,12 +91,14 @@ DSA *DSA_new_method(ENGINE *engine) if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_INIT_FAIL); -err: -DSA_free(ret); -ret = NULL; +goto err; } return ret; + + err: +DSA_free(ret); +return NULL; } void DSA_free(DSA *r) @@ -112,7 +114,7 @@ void DSA_free(DSA *r) return; REF_ASSERT_ISNT(i < 0); -if (r->meth->finish) +if (r->meth != NULL && r->meth->finish != NULL) r->meth->finish(r); #ifndef OPENSSL_NO_ENGINE ENGINE_finish(r->engine); diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index f1f0afb..df35b64 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -55,7 +55,7 @@ void EC_KEY_free(EC_KEY *r) return; REF_ASSERT_ISNT(i < 0); -if (r->meth->finish != NULL) +if (r->meth != NULL && r->meth->finish != NULL) r->meth->finish(r); #ifndef OPENSSL_NO_ENGINE diff --git a/crypto/ec/ec_kmeth.c b/crypto/ec/ec_kmeth.c index 5e5d1ae..decad65 100644 --- a/crypto/ec/ec_kmeth.c +++ b/crypto/ec/ec_kmeth.c @@ -119,7 +119,7 @@ EC_KEY *EC_KEY_new_method(ENGINE *engine) } return ret; -err: + err: EC_KEY_free(ret); return NULL; } diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index e1377a0..40dee36 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -94,7 +94,7 @@ RSA *RSA_new_method(ENGINE *engine) return ret; -err: + err: RSA_free(ret); return NULL; } 
@@ -112,7 +112,7 @@ void RSA_free(RSA *r) return; REF_ASSERT_ISNT(i < 0); -if (r->meth->finish) +if (r->meth != NULL && r->meth->finish != NULL) r->meth->finish(r); #ifndef OPENSSL_NO_ENGINE ENGINE_finish(r->engine); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
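Review bot: the `r->meth != NULL` guard is added in four free functions but no regression test accompanies it. A test that calls RSA_new_method(), DSA_new_method(), DH_new_method() and EC_KEY_new_method() with an ENGINE that provides no method of that type and checks for a NULL return (rather than a crash in the subsequent free) would pin the behaviour described in #7102 and catch any future free path that dereferences `meth` without the check.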
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 374804bd0973e8af05046caecc40e6b906d1a375 (commit) from bfd752fe83c72f248a6905d971217e8a3e3a287d (commit) - Log - commit 374804bd0973e8af05046caecc40e6b906d1a375 Author: Pauli Date: Wed Sep 5 07:50:17 2018 +1000 Key zeroization fix for EVP_SealInit. Manual backport from master. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7116) --- Summary of changes: crypto/evp/p_seal.c | 21 ++--- test/evp_extra_test.c | 48 +++- 2 files changed, 61 insertions(+), 8 deletions(-) diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index faa2464..6f026e7 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -21,6 +21,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, { unsigned char key[EVP_MAX_KEY_LENGTH]; int i; +int rv = 0; if (type) { EVP_CIPHER_CTX_reset(ctx); @@ -31,21 +32,27 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, return 1; if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) return 0; + if (EVP_CIPHER_CTX_iv_length(ctx) -&& RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) -return 0; +&& RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) +goto err; if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) -return 0; +goto err; for (i = 0; i < npubk; i++) { ekl[i] = EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx), pubk[i]); -if (ekl[i] <= 0) -return (-1); +if (ekl[i] <= 0) { +rv = -1; +goto err; +} } -return (npubk); +rv = npubk; +err: +OPENSSL_cleanse(key, sizeof(key)); +return rv; } /*- MACRO diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 9217f3a..bc02fad 100644 --- a/test/evp_extra_test.c 
+++ b/test/evp_extra_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,6 +9,7 @@ #include #include +#include #include #include #include @@ -326,6 +327,46 @@ static int test_d2i_AutoPrivateKey(const unsigned char *input, return ret; } +static int test_EVP_Enveloped(void) +{ +int ret = 0; +EVP_CIPHER_CTX *ctx = NULL; +EVP_PKEY *keypair = NULL; +unsigned char *kek = NULL; +int kek_len; +unsigned char iv[EVP_MAX_IV_LENGTH]; +static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8 }; +int len, ciphertext_len, plaintext_len; +unsigned char ciphertext[32], plaintext[16]; +const EVP_CIPHER *type = EVP_aes_256_cbc(); + +if ((keypair = load_example_rsa_key()) == NULL +|| (kek = OPENSSL_zalloc(EVP_PKEY_size(keypair))) == NULL +|| (ctx = EVP_CIPHER_CTX_new()) == NULL +|| !EVP_SealInit(ctx, type, , _len, iv, , 1) +|| !EVP_SealUpdate(ctx, ciphertext, _len, + msg, sizeof(msg)) +|| !EVP_SealFinal(ctx, ciphertext + ciphertext_len, )) +goto err; + +ciphertext_len += len; +if (!EVP_OpenInit(ctx, type, kek, kek_len, iv, keypair) +|| !EVP_OpenUpdate(ctx, plaintext, _len, + ciphertext, ciphertext_len) +|| !EVP_OpenFinal(ctx, plaintext + plaintext_len, ) +|| (plaintext_len += len) != sizeof(msg) +|| memcmp(msg, plaintext, sizeof(msg)) != 0) +goto err; + +ret = 1; + +err: +OPENSSL_free(kek); +EVP_PKEY_free(keypair); +EVP_CIPHER_CTX_free(ctx); +return ret; +} + #ifndef OPENSSL_NO_EC /* Tests loading a bad key in PKCS8 format */ static int test_EVP_PKCS82PKEY(void) 
@@ -386,6 +427,11 @@ int main(void) return 1; } +if (!test_EVP_Enveloped()) { +fprintf(stderr, "test_EVP_Enveloped failed\n"); +return 1; +} + #ifndef OPENSSL_NO_EC if (!test_d2i_AutoPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER), EVP_PKEY_EC)) { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
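Review bot: in the p_seal.c hunk the early exit `if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) return 0;` is left as a direct return while every later failure goes through `err:` and `OPENSSL_cleanse(key, sizeof(key))`. EVP_CIPHER_CTX_rand_key() may have written to `key` before reporting failure, and with `rv` already initialised to 0 the line can simply become `goto err;` so that every exit after `key` is touched shares one path.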
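Review bot: test_EVP_Enveloped() in evp_extra_test.c checks only the round trip; it does not exercise the new error path in EVP_SealInit() (a key for which EVP_PKEY_encrypt_old() fails, expecting -1, or a NULL `ek` array), which is the code this commit restructures. One failure case would verify that the `rv = -1; goto err;` branch returns the documented value.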
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via bfd752fe83c72f248a6905d971217e8a3e3a287d (commit) from fe4de29d48d6f7125576a6f8ac73c5af5e832083 (commit) - Log - commit bfd752fe83c72f248a6905d971217e8a3e3a287d Author: Eric Curtin Date: Mon Sep 3 15:23:37 2018 +0100 New openssl subject parser hard to debug -subj 'subject=C = US, ST = A, L = root, O = Hewlett Packard Enterprise Company, OU = Remote Device Access, CN = Hewlett Packard Enterprise Remote Device Access Test Local CA, emailAddress = r...@hpe.com' was a valid subject in openssl 1.0. Error received in 1.1 is: problems making Certificate Request Not very informative, I only figured this out because I compiled the code and added logging. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7098) (cherry picked from commit 2167640b0bf76ec50a397dd90444b97c242e3f04) --- Summary of changes: apps/apps.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/apps/apps.c b/apps/apps.c index d52201f..a162b16 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1707,8 +1707,14 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti) char *work; X509_NAME *n; -if (*cp++ != '/') +if (*cp++ != '/') { +BIO_printf(bio_err, + "name is expected to be in the format " + "/type0=value0/type1=value1/type2=... where characters may " + "be escaped by \\. This name is not in that format: '%s'\n", + --cp); return NULL; +} n = X509_NAME_new(); if (n == NULL) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
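Review bot: the `*cp++ != '/'` test followed by `--cp` inside the error branch works but reads backwards; testing before advancing is clearer: `if (*cp != '/') { BIO_printf(bio_err, "...: '%s'\n", cp); return NULL; } cp++;`. The message itself is a clear improvement over "problems making Certificate Request".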
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via fe4de29d48d6f7125576a6f8ac73c5af5e832083 (commit) from b5b39779f3dfe811a64899bd8b33397647dda57a (commit) - Log - commit fe4de29d48d6f7125576a6f8ac73c5af5e832083 Author: Pauli Date: Wed Sep 5 05:35:34 2018 +1000 Make OBJ_NAME case insensitive. Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7101) --- Summary of changes: .../{conf/conf_lcl.h => include/internal/lhash.h} | 6 - crypto/lhash/lhash.c | 23 crypto/objects/o_names.c | 31 +++--- test/evptests.txt | 30 + 4 files changed, 73 insertions(+), 17 deletions(-) copy crypto/{conf/conf_lcl.h => include/internal/lhash.h} (74%) diff --git a/crypto/conf/conf_lcl.h b/crypto/include/internal/lhash.h similarity index 74% copy from crypto/conf/conf_lcl.h copy to crypto/include/internal/lhash.h index 6e1f7fe..200ba86 100644 --- a/crypto/conf/conf_lcl.h +++ b/crypto/include/internal/lhash.h @@ -7,5 +7,9 @@ * https://www.openssl.org/source/license.html */ -void conf_add_ssl_module(void); +#ifndef INTERNAL_LHASH_H +# define INTERNAL_LHASH_H +unsigned long openssl_lh_strcasehash(const char *); + +#endif diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index f485411..319dd49 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -12,6 +12,8 @@ #include #include #include +#include +#include "internal/lhash.h" #include "lhash_lcl.h" /* @@ -351,6 +353,27 @@ unsigned long OPENSSL_LH_strhash(const char *c) return ((ret >> 16) ^ ret); } +unsigned long openssl_lh_strcasehash(const char *c) +{ +unsigned long ret = 0; +long n; +unsigned long v; +int r; + +if (c == NULL || *c == '\0') +return ret; + +for (n = 0x100; *c != '\0'; n += 0x100) { +v = n | tolower(*c); +r = (int)((v >> 2) ^ v) & 0x0f; +ret = (ret << r) | (ret >> (32 - r)); +ret &= 0xL; +ret ^= v * v; +c++; +} +return (ret >> 16) ^ ret; +} + unsigned long OPENSSL_LH_num_items(const OPENSSL_LHASH *lh) { return lh ? lh->num_items : 0; 
diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c index 15fe653..709b9c3 100644 --- a/crypto/objects/o_names.c +++ b/crypto/objects/o_names.c @@ -16,27 +16,26 @@ #include #include #include -#include +#include "internal/thread_once.h" +#include "internal/lhash.h" #include "obj_lcl.h" +#include "e_os.h" /* * We define this wrapper for two reasons. Firstly, later versions of * DEC C add linkage information to certain functions, which makes it * tricky to use them as values to regular function pointers. - * Secondly, in the EDK2 build environment, the strcmp function is - * actually an external function (AsciiStrCmp) with the Microsoft ABI, - * so we can't transparently assign function pointers to it. - * Arguably the latter is a stupidity of the UEFI environment, but - * since the wrapper solves the DEC C issue too, let's just use the - * same solution. + * Secondly, in the EDK2 build environment, the strcasecmp function is + * actually an external function with the Microsoft ABI, so we can't + * transparently assign function pointers to it. */ #if defined(OPENSSL_SYS_VMS_DECC) || defined(OPENSSL_SYS_UEFI) -static int obj_strcmp(const char *a, const char *b) +static int obj_strcasecmp(const char *a, const char *b) { -return strcmp(a, b); +return strcasecmp(a, b); } #else -#define obj_strcmp strcmp +#define obj_strcasecmp strcasecmp #endif /* @@ -111,8 +110,8 @@ int OBJ_NAME_new_index(unsigned long (*hash_func) (const char *), ret = 0; goto out; } -name_funcs->hash_func = OPENSSL_LH_strhash; -name_funcs->cmp_func = obj_strcmp; +name_funcs->hash_func = openssl_lh_strcasehash; +name_funcs->cmp_func = obj_strcasecmp; CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE); push = sk_NAME_FUNCS_push(name_funcs_stack, name_funcs); 
@@ -149,7 +148,7 @@ static int obj_name_cmp(const OBJ_NAME *a, const OBJ_NAME *b) ret = sk_NAME_FUNCS_value(name_funcs_stack, a->type)->cmp_func(a->name, b->name); } else -ret = strcmp(a->name, b->name); +ret = strcasecmp(a->name, b->name); } return ret; } @@ -164,7 +163,7 @@ static unsigned long obj_name_hash(const OBJ_NAME *a) sk_NAME_FUNCS_value(name_funcs_stack, a->type)->hash_func(a->name); } else { -ret = OPENSSL_LH_strhash(a->name); +ret = openssl_lh_strcasehash(a->name); } ret ^= a->type;
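Review bot: in openssl_lh_strcasehash() `v = n | tolower(*c);` passes a plain `char` to tolower(); for bytes with the high bit set that is a negative int, which is undefined behaviour for the ctype functions. Cast first: `v = n | tolower((unsigned char)*c);`. Changing the hash and the comparison function together is correct (keys equal under strcasecmp must hash equally), but making OBJ_NAME lookups case-insensitive is an observable behaviour change on a stable branch, since names differing only in case were previously distinct entries; that deserves a CHANGES entry, and the test/evptests.txt changes listed in the summary are not shown here.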
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via b5b39779f3dfe811a64899bd8b33397647dda57a (commit) from febb025068f6c74f6776cc7faf1a8bcd55138f87 (commit) - Log - commit b5b39779f3dfe811a64899bd8b33397647dda57a Author: Shane Lontis Date: Tue Sep 4 14:01:37 2018 +1000 hkdf zeroization fix Reviewed-by: Paul Yang Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7106) (cherry picked from commit 64ed55ab033f1bfa795d46f0ecc61c313204b418) --- Summary of changes: crypto/kdf/hkdf.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/kdf/hkdf.c b/crypto/kdf/hkdf.c index 00b95b5..6d38a2f 100644 --- a/crypto/kdf/hkdf.c +++ b/crypto/kdf/hkdf.c @@ -234,6 +234,7 @@ static unsigned char *HKDF_Expand(const EVP_MD *evp_md, unsigned char *okm, size_t okm_len) { HMAC_CTX *hmac; +unsigned char *ret = NULL; unsigned int i; @@ -283,11 +284,10 @@ static unsigned char *HKDF_Expand(const EVP_MD *evp_md, done_len += copy_len; } - -HMAC_CTX_free(hmac); -return okm; +ret = okm; err: +OPENSSL_cleanse(prev, sizeof(prev)); HMAC_CTX_free(hmac); -return NULL; +return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
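Review bot: on the failure path `err:` now cleanses `prev` but leaves `okm` untouched; by the time a later HMAC call fails, `done_len` bytes of output key material have already been copied into the caller's buffer (`done_len += copy_len;`). Cleanse `okm` up to `done_len` before returning NULL so that a failed Expand does not hand back partial OKM.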
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via febb025068f6c74f6776cc7faf1a8bcd55138f87 (commit) from b4b651b09e738e8874c59f9fd24ec52d7258e5b4 (commit) - Log - commit febb025068f6c74f6776cc7faf1a8bcd55138f87 Author: Shane Lontis Date: Tue Sep 4 15:00:21 2018 +1000 key zeroisation fix for p12 Reviewed-by: Paul Yang Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7109) (cherry picked from commit f5cee414fa8e7e9a088d8d5ebe641f368df20801) --- Summary of changes: crypto/pkcs12/p12_mutl.c | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index a9e2202..02e529c 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -75,6 +75,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, unsigned char *out, const EVP_MD *md_type)) { +int ret = 0; const EVP_MD *md_type; HMAC_CTX *hmac = NULL; unsigned char key[EVP_MAX_MD_SIZE], *salt; @@ -116,24 +117,27 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter, md_size, key, md_type)) { PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR); -return 0; +goto err; } } else if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter, md_size, key, md_type)) { PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR); -return 0; +goto err; } if ((hmac = HMAC_CTX_new()) == NULL || !HMAC_Init_ex(hmac, key, md_size, md_type, NULL) || !HMAC_Update(hmac, p12->authsafes->d.data->data, p12->authsafes->d.data->length) || !HMAC_Final(hmac, mac, maclen)) { -HMAC_CTX_free(hmac); -return 0; +goto err; } +ret = 1; + +err: +OPENSSL_cleanse(key, sizeof(key)); HMAC_CTX_free(hmac); -return 1; +return ret; } int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
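Review bot: the HMAC block `if ((hmac = HMAC_CTX_new()) == NULL || !HMAC_Init_ex(hmac, key, md_size, md_type, NULL) || ... || !HMAC_Final(hmac, mac, maclen)) { goto err; }` reaches `err:` without raising an error, unlike the two key-generation failures just above it, which call PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR). Add an error code there (ERR_R_MALLOC_FAILURE for the CTX allocation at least) so that PKCS12_gen_mac() failures are diagnosable from the error queue.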
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via b4b651b09e738e8874c59f9fd24ec52d7258e5b4 (commit) from 1018ba701368bdcdec7190bfcd2fb4076d0c1244 (commit) - Log - commit b4b651b09e738e8874c59f9fd24ec52d7258e5b4 Author: Shane Lontis Date: Tue Sep 4 14:31:11 2018 +1000 key zeroisation for pvkfmt now done on all branch paths Reviewed-by: Paul Yang Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7107) (cherry picked from commit 0239283d99a37e8527199a62100fec867b9996cb) --- Summary of changes: crypto/pem/pvkfmt.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 63ce925..96a82eb 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -675,11 +675,11 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, const unsigned char *p = *in; unsigned int magic; unsigned char *enctmp = NULL, *q; +unsigned char keybuf[20]; EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new(); if (saltlen) { char psbuf[PEM_BUFSIZE]; -unsigned char keybuf[20]; int enctmplen, inlen; if (cb) inlen = cb(psbuf, PEM_BUFSIZE, 0, u); @@ -719,7 +719,6 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, memset(keybuf + 5, 0, 11); if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) goto err; -OPENSSL_cleanse(keybuf, 20); if (!EVP_DecryptUpdate(cctx, q, , p, inlen)) goto err; if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, )) @@ -729,15 +728,17 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT); goto err; } -} else -OPENSSL_cleanse(keybuf, 20); +} p = enctmp; } ret = b2i_PrivateKey(, keylen); err: EVP_CIPHER_CTX_free(cctx); -OPENSSL_free(enctmp); +if (enctmp != NULL) { +OPENSSL_cleanse(keybuf, sizeof(keybuf)); +OPENSSL_free(enctmp); +} return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
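Review bot: gating the cleanse on `if (enctmp != NULL)` couples two unrelated conditions: `keybuf` is derived from the password inside the `if (saltlen)` block, and if anything in that block fails after the derivation but before `enctmp` is allocated, `keybuf` is left holding the RC4 key. Cleanse `keybuf` unconditionally (it is a fixed-size stack array, wiping garbage is harmless) and keep `OPENSSL_free(enctmp)` unconditional as before. Two more buffers in the same function hold secrets and are not wiped: `enctmp` contains the decrypted private key blob and is released with OPENSSL_free rather than OPENSSL_clear_free with its allocation size, and `psbuf` holds the password for the whole function.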
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 1018ba701368bdcdec7190bfcd2fb4076d0c1244 (commit) from 019cb1ec5bb74cd1e6ec11b5ce1f1b50b0c9b2e2 (commit) - Log - commit 1018ba701368bdcdec7190bfcd2fb4076d0c1244 Author: Richard Levitte Date: Mon Sep 3 13:17:03 2018 +0200 openssl req: don't try to report bits With the introduction of -pkeyopt, the number of bits may change without |newkey| being updated. Unfortunately, there is no API to retrieve the information from a EVP_PKEY_CTX either, so chances are that we report incorrect information. For the moment, it's better not to try to report the number of bits at all. Fixes #7086 Reviewed-by: Paul Yang Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7096) (cherry picked from commit 17147181bd3f97c53592e2a5c9319b854b954039) --- Summary of changes: apps/req.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apps/req.c b/apps/req.c index 2a21569..a691f93 100644 --- a/apps/req.c +++ b/apps/req.c @@ -509,8 +509,7 @@ int req_main(int argc, char **argv) if (pkey_type == EVP_PKEY_EC) { BIO_printf(bio_err, "Generating an EC private key\n"); } else { -BIO_printf(bio_err, "Generating a %ld bit %s private key\n", - newkey, keyalgstr); +BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr); } EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
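Review bot: dropping the bit count loses useful information in the common case where no -pkeyopt was given and `newkey` is accurate. An alternative is to keep the `%ld bit` form when no -pkeyopt overrides the key size and fall back to this shorter message only when one was supplied, which avoids the incorrect report described in #7086 without removing the number for everyone.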
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 019cb1ec5bb74cd1e6ec11b5ce1f1b50b0c9b2e2 (commit) from e25fc6b5b2b99ed02f8966192c94c820b6f69add (commit) - Log - commit 019cb1ec5bb74cd1e6ec11b5ce1f1b50b0c9b2e2 Author: Matt Caswell Date: Thu Aug 23 11:37:22 2018 +0100 Clarify the EVP_DigestSignInit docs They did not make it clear how the memory management works for the |pctx| parameter. Fixes #7037 Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7042) (cherry picked from commit f097e8759820f6f9b78adb99eb4bfced2945d623) --- Summary of changes: doc/crypto/EVP_DigestSignInit.pod | 8 +--- doc/crypto/EVP_DigestVerifyInit.pod | 7 +-- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/doc/crypto/EVP_DigestSignInit.pod b/doc/crypto/EVP_DigestSignInit.pod index 5fadc82..bec8e9d 100644 --- a/doc/crypto/EVP_DigestSignInit.pod +++ b/doc/crypto/EVP_DigestSignInit.pod @@ -19,10 +19,12 @@ The EVP signature routines are a high level interface to digital signatures. EVP_DigestSignInit() sets up signing context B to use digest B from ENGINE B and private key B. B must be created with -EVP_MD_CTX_new() before calling this function. If B is not NULL the +EVP_MD_CTX_new() before calling this function. If B is not NULL, the EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can -be used to set alternative signing options. The digest B may be NULL if -the signing algorithm supports it. +be used to set alternative signing options. Note that any existing value in +B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be freed +directly by the application (it will be freed automatically when the EVP_MD_CTX +is freed). The digest B may be NULL if the signing algorithm supports it. Only EVP_PKEY types that support signing can be used with these functions. This includes MAC algorithms where the MAC generation is considered as a form of 
diff --git a/doc/crypto/EVP_DigestVerifyInit.pod b/doc/crypto/EVP_DigestVerifyInit.pod index ce59422..6c3d070 100644 --- a/doc/crypto/EVP_DigestVerifyInit.pod +++ b/doc/crypto/EVP_DigestVerifyInit.pod @@ -19,9 +19,12 @@ The EVP signature routines are a high level interface to digital signatures. EVP_DigestVerifyInit() sets up verification context B to use digest B from ENGINE B and public key B. B must be created -with EVP_MD_CTX_new() before calling this function. If B is not NULL the +with EVP_MD_CTX_new() before calling this function. If B is not NULL, the EVP_PKEY_CTX of the verification operation will be written to B<*pctx>: this -can be used to set alternative verification options. +can be used to set alternative verification options. Note that any existing +value in B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be +freed directly by the application (it will be freed automatically when the +EVP_MD_CTX is freed). EVP_DigestVerifyUpdate() hashes B bytes of data at B into the verification context B. This function can be called several times on the _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via e25fc6b5b2b99ed02f8966192c94c820b6f69add (commit) from fab16cd1476e047a2052ca418527b055faa988bd (commit) - Log - commit e25fc6b5b2b99ed02f8966192c94c820b6f69add Author: Jakub Wilk Date: Mon Sep 3 11:09:51 2018 +0200 Fix example in crl(1) man page The default input format is PEM, so explicit "-inform DER" is needed to read DER-encoded CRL. CLA: trivial Reviewed-by: Paul Yang Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7094) (cherry picked from commit 785e614a95a134831f213749332bcf40c4920f69) --- Summary of changes: doc/apps/crl.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod index fded397..8207ee9 100644 --- a/doc/apps/crl.pod +++ b/doc/apps/crl.pod @@ -120,7 +120,7 @@ Convert a CRL file from PEM to DER: Output the text form of a DER encoded certificate: - openssl crl -in crl.der -text -noout + openssl crl -in crl.der -inform DER -text -noout =head1 BUGS _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
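Review bot: the context line above the example still reads "Output the text form of a DER encoded certificate:" although the command prints a CRL; with `-inform DER` now in the command, the caption should say "DER encoded CRL" so the example and its description agree.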
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via fab16cd1476e047a2052ca418527b055faa988bd (commit) from b50c9f3be062f3af1f6261c87ddb0fbbcb682d09 (commit) - Log - commit fab16cd1476e047a2052ca418527b055faa988bd Author: Matt Caswell Date: Thu Aug 9 16:25:29 2018 +0100 The req documentation incorrectly states that we default to md5 Just remove that statement. It's not been true since 2005. Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/6905) --- Summary of changes: doc/apps/req.pod | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/apps/req.pod b/doc/apps/req.pod index c5b5260..0a28aea 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -369,7 +369,6 @@ option. For compatibility B is an equivalent option. This option specifies the digest algorithm to use. Any digest supported by the OpenSSL B command can be used. -If not present then MD5 is used. This option can be overridden on the command line. =item B _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
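Review bot: deleting "If not present then MD5 is used." removes the wrong claim but leaves the entry without any statement of what happens when the option is absent, so the reader now has to guess. State the digest the code actually applies by default, or point at the option text that governs it, rather than leaving the absent case undocumented.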
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via b50c9f3be062f3af1f6261c87ddb0fbbcb682d09 (commit) via 9ba3012387e9b7c93d864fe757290726f92cf6e9 (commit) from f2ce14d6cfa83c16b36319d71b245a388ddcc1ce (commit) - Log - commit b50c9f3be062f3af1f6261c87ddb0fbbcb682d09 Author: Paul Kehrer Date: Sat Sep 1 10:50:28 2018 -0400 add docs for OCSP_resp_get0_signature Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7082) commit 9ba3012387e9b7c93d864fe757290726f92cf6e9 Author: Paul Kehrer Date: Sat Sep 1 00:05:55 2018 -0400 add getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP fixes #7081 Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7082) --- Summary of changes: crypto/ocsp/ocsp_cl.c| 10 ++ doc/crypto/OCSP_resp_find_status.pod | 12 include/openssl/ocsp.h | 2 ++ util/libcrypto.num | 2 ++ 4 files changed, 26 insertions(+) diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index a42b80f..5d99ae3 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -166,6 +166,16 @@ const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs) return bs->signature; } +const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs) +{ +return >signatureAlgorithm; +} + +const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs) +{ +return >tbsResponseData; +} + /* * Return number of OCSP_SINGLERESP responses present in a basic response. */ diff --git a/doc/crypto/OCSP_resp_find_status.pod b/doc/crypto/OCSP_resp_find_status.pod index e014df5..a4e3c1c 100644 --- a/doc/crypto/OCSP_resp_find_status.pod +++ b/doc/crypto/OCSP_resp_find_status.pod 
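Review bot: the two new accessors appear here as `return >signatureAlgorithm;` and `return >tbsResponseData;`, i.e. with the `&bs` part missing, and as shown they would not compile; confirm the merged source reads `return &bs->signatureAlgorithm;` and `return &bs->tbsResponseData;` (the address-of is needed only if these fields are embedded structs rather than pointers, which the declared return types suggest).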
@@ -6,6 +6,9 @@ OCSP_resp_get0_certs, OCSP_resp_get0_signer, OCSP_resp_get0_id, OCSP_resp_get0_produced_at, +OCSP_resp_get0_signature, +OCSP_resp_get0_tbs_sigalg, +OCSP_resp_get0_respdata, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status, OCSP_check_validity, OCSP_basic_verify @@ -32,6 +35,9 @@ OCSP_basic_verify const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at( const OCSP_BASICRESP* single); + const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs); + const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs); + const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs); const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs); int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, @@ -78,6 +84,12 @@ B<*revtime>, B<*thisupd> and B<*nextupd>. OCSP_resp_get0_produced_at() extracts the B field from the single response B. +OCSP_resp_get0_signature() returns the signature from B. + +OCSP_resp_get0_tbs_sigalg() returns the B from B. + +OCSP_resp_get0_respdata() returns the B from B. + OCSP_resp_get0_certs() returns any certificates included in B. OCSP_resp_get0_signer() attempts to retrieve the certificate that directly diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h index 90ebe5c..fd172fb 100644 --- a/include/openssl/ocsp.h +++ b/include/openssl/ocsp.h @@ -194,6 +194,8 @@ int OCSP_response_status(OCSP_RESPONSE *resp); OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs); +const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs); +const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs); int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, STACK_OF(X509) *extra_certs); diff --git a/util/libcrypto.num b/util/libcrypto.num index 51f1d7d..c0fe79d 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
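Review bot: the three new pod entries say only "returns the ... from B<bs>"; for get0 functions the page should also state that the returned pointers are owned by B<bs>, must not be freed by the caller, and are valid only while B<bs> is, as the other get0 descriptions on this page do. The header hunk is consistent with the implementation, but the NAME list and SYNOPSIS now document OCSP_resp_get0_signature() as well, so its description paragraph should match the same ownership wording.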
@@ -4263,3 +4263,5 @@ X509_OBJECT_set1_X509 4514 1_1_0i EXIST::FUNCTION: X509_LOOKUP_meth_get_get_by_issuer_serial 4515 1_1_0i EXIST::FUNCTION: X509_LOOKUP_meth_set_init 4516 1_1_0i EXIST::FUNCTION: X509_OBJECT_set1_X509_CRL 4517 1_1_0i EXIST::FUNCTION: +OCSP_resp_get0_tbs_sigalg 4529 1_1_0j EXIST::FUNCTION:OCSP +OCSP_resp_get0_respdata 4530 1_1_0j EXIST::FUNCTION:OCSP _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
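Review bot: the new ordinals 4529 and 4530 jump from the previous last entry 4517 and carry the 1_1_0j tag; if the gap is intentional (numbers reserved to stay aligned with the master branch) that is fine, but since `make update` normally assigns these, confirm the file was regenerated rather than hand-edited, and that the `EXIST::FUNCTION:OCSP` feature tag matches the existing OCSP_resp_get0_signature line, which is not visible in this hunk.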
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via dfbc526e30b2e30cb574a727b3319e4a6125c9e3 (commit) from ac5090b780c5534963061f3e6554e2a59114ed75 (commit) - Log - commit dfbc526e30b2e30cb574a727b3319e4a6125c9e3 Author: Eric Brown Date: Thu Aug 16 08:34:39 2018 -0700 Remove redundant ASN1_INTEGER_set call This trivial patch removes a duplicated call to ASN1_INTEGER_set. Fixes Issue #6977 Signed-off-by: Eric Brown Reviewed-by: Richard Levitte Reviewed-by: Andy Polyakov Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6984) (cherry picked from commit 59701e6363531cddef5b2114c0127b8453deb1f3) --- Summary of changes: crypto/pkcs7/pk7_lib.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 69c68cf..c7d7181 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -134,7 +134,6 @@ int PKCS7_set_type(PKCS7 *p7, int type) if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new()) == NULL) goto err; -ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1); if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1)) goto err; p7->d.signed_and_enveloped->enc_data->content_type _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 521637702fa7bee89cb598fe9b1ba7ff0f60 (commit) from 73bebc17a14da5278b01416b39e5c28a7d0c1861 (commit) - Log - commit 521637702fa7bee89cb598fe9b1ba7ff0f60 Author: Matt Caswell Date: Mon Aug 27 15:04:28 2018 +0100 Free SSL object on an error path Thanks to @fangang190 for reporting this Fixes #7061 Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/7065) --- Summary of changes: apps/s_server.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/apps/s_server.c b/apps/s_server.c index e8aa323..8629833 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -2660,8 +2660,10 @@ static int www_body(int s, int stype, unsigned char *context) if (context && !SSL_set_session_id_context(con, context, - strlen((char *)context))) + strlen((char *)context))) { +SSL_free(con); goto err; +} sbio = BIO_new_socket(s, BIO_NOCLOSE); if (s_nbio_test) { @@ -2673,7 +2675,7 @@ static int www_body(int s, int stype, unsigned char *context) SSL_set_bio(con, sbio, sbio); SSL_set_accept_state(con); -/* SSL_set_fd(con,s); */ +/* No need to free |con| after this. Done by BIO_free(ssl_bio) */ BIO_set_ssl(ssl_bio, con, BIO_CLOSE); BIO_push(io, ssl_bio); #ifdef CHARSET_EBCDIC @@ -3030,6 +3032,7 @@ static int rev_body(int s, int stype, unsigned char *context) if (context && !SSL_set_session_id_context(con, context, strlen((char *)context))) { +SSL_free(con); ERR_print_errors(bio_err); goto err; } @@ -3038,6 +3041,7 @@ static int rev_body(int s, int stype, unsigned char *context) SSL_set_bio(con, sbio, sbio); SSL_set_accept_state(con); +/* No need to free |con| after this. Done by BIO_free(ssl_bio) */ BIO_set_ssl(ssl_bio, con, BIO_CLOSE); BIO_push(io, ssl_bio); #ifdef CHARSET_EBCDIC _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
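Review bot: in www_body() the new SSL_free(con) only covers the SSL_set_session_id_context() failure; the following `sbio = BIO_new_socket(s, BIO_NOCLOSE);` is not NULL-checked in the visible lines, and any other failure between SSL_new() and BIO_set_ssl() still leaks |con|, so one cleanup path (free |con| at `err` until BIO_set_ssl() with BIO_CLOSE takes ownership, then clear the pointer) would be more robust than per-site frees. Minor inconsistency: rev_body() calls ERR_print_errors(bio_err) before `goto err` on the same failure, www_body() does not.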
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 73bebc17a14da5278b01416b39e5c28a7d0c1861 (commit) via c5c6915fba3f1becfd78ed2be032caa38ecadef3 (commit) via db09fdc1a675bde167001a4f68e0f1e595e96dee (commit) via a6d8fe92a601728138e645302fa8bab7ca54fb58 (commit) from 5eee95a54de6854e60886c8e662a902184b12d04 (commit) - Log - commit 73bebc17a14da5278b01416b39e5c28a7d0c1861 Author: Andy Polyakov Date: Wed Aug 15 15:46:35 2018 +0200 bn/bn_lib.c: conceal even memory access pattern in bn2binpad. (cherry picked from commit 324b95605225410763fe63f7cff36eb46ca54ee9) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6940) commit c5c6915fba3f1becfd78ed2be032caa38ecadef3 Author: Andy Polyakov Date: Mon Aug 13 16:59:08 2018 +0200 bn/bn_blind.c: use Montgomery multiplication when possible. (cherry picked from commit e02c519cd32a55e6ad39a0cfbeeda775f9115f28) Resolved conflicts: crypto/bn/bn_blind.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6940) commit db09fdc1a675bde167001a4f68e0f1e595e96dee Author: Andy Polyakov Date: Fri Aug 10 19:46:03 2018 +0200 rsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA." In the [most common] case of p and q being of the same width, it's possible to replace CRT modulo operations with Montgomery reductions. And those are even fixed-length Montgomery reductions... (cherry picked from commit 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59) Resolved conflicts: crypto/rsa/rsa_ossl.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6940) commit a6d8fe92a601728138e645302fa8bab7ca54fb58 Author: Andy Polyakov Date: Fri Aug 10 19:31:22 2018 +0200 crypto/bn: add more fixed-top routines. Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top. Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove memset in bn_from_montgomery_word.
(cherry picked from commit fcc4ee09473cac511eca90faa003661c7786e4f9) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6940) --- Summary of changes: crypto/bn/bn_blind.c | 88 -- crypto/bn/bn_lib.c | 34 +++--- crypto/bn/bn_mod.c | 67 +++- crypto/bn/bn_mont.c | 27 +--- crypto/bn/bn_mul.c | 12 +++- crypto/bn/bn_sqr.c | 12 +++- crypto/include/internal/bn_int.h | 6 ++ crypto/rsa/rsa_ossl.c| 130 --- 8 files changed, 287 insertions(+), 89 deletions(-) diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 24d1383..7a8237c 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -109,10 +109,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx) if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) goto err; } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) { -if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) -goto err; -if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)) -goto err; +if (b->m_ctx != NULL) { +if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx) +|| !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx)) +goto err; +} else { +if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx) +|| !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) +goto err; +} } ret = 1; @@ -144,13 +149,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) else if (!BN_BLINDING_update(b, ctx)) return (0); -if (r != NULL) { -if (!BN_copy(r, b->Ai)) -ret = 0; -} +if (r != NULL && (BN_copy(r, b->Ai) == NULL)) +return 0; -if (!BN_mod_mul(n, n, b->A, b->mod, ctx)) -ret = 0; +if (b->m_ctx != NULL) +ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx); +else +ret = BN_mod_mul(n, n, b->A, b->mod, ctx); return ret; } 
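Review bot: BN_BLINDING_convert_ex() now returns 0 immediately when BN_copy(r, b->Ai) fails, whereas before it set ret = 0 and still performed the BN_mod_mul on n; the early return is the safer behaviour (the caller is told, n is left unblinded), but it is a semantic change not mentioned in the "use Montgomery multiplication when possible" commit message and deserves a line there. Also, the BN_mod_mul_montgomery(n, n, b->A, ...) path only yields n*A mod m if b->A is stored in Montgomery form; the hunk that establishes that (parameter creation) is not in view here, so a comment next to these calls stating that A and Ai are kept in Montgomery form whenever m_ctx != NULL would make the update/convert/invert trio easy to audit.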
@@ -167,14 +172,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, bn_check_top(n); -if (r != NULL) -ret = BN_mod_mul(n, n, r, b->mod, ctx); -else { -if (b->Ai == NULL) { -BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); -return (0); +if (r == NULL && (r = b->Ai) == NULL) { +BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); +return 0; +} + +if (b->m_ctx != NULL) { +/* ensure that BN_mod_mul_montgomery takes pre-defined path */ +if
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 5eee95a54de6854e60886c8e662a902184b12d04 (commit) from 837017b4748d587912d9d218894644d6ca86721f (commit) - Log - commit 5eee95a54de6854e60886c8e662a902184b12d04 Author: Nicola Tuveri Date: Tue Aug 21 00:50:01 2018 +0300 Backport #6648 to OpenSSL_1_1_0-stable Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7015) --- Summary of changes: crypto/ec/ec_mult.c | 46 -- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 56c7767..71ec910 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c 
@@ -382,30 +382,32 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, return EC_POINT_set_to_infinity(group, r); } -/*- - * Handle the common cases where the scalar is secret, enforcing a constant - * time scalar multiplication algorithm. - */ -if ((scalar != NULL) && (num == 0)) { -/*- - * In this case we want to compute scalar * GeneratorPoint: this - * codepath is reached most prominently by (ephemeral) key generation - * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH - * keygen/first half), where the scalar is always secret. This is why - * we ignore if BN_FLG_CONSTTIME is actually set and we always call the - * constant time version. - */ -return ec_mul_consttime(group, r, scalar, NULL, ctx); -} -if ((scalar == NULL) && (num == 1)) { +if (!BN_is_zero(group->order) && !BN_is_zero(group->cofactor)) { /*- - * In this case we want to compute scalar * GenericPoint: this codepath - * is reached most prominently by the second half of ECDH, where the - * secret scalar is multiplied by the peer's public point. To protect - * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and - * we always call the constant time version. + * Handle the common cases where the scalar is secret, enforcing a constant + * time scalar multiplication algorithm. */ -return ec_mul_consttime(group, r, scalars[0], points[0], ctx); +if ((scalar != NULL) && (num == 0)) { +/*- + * In this case we want to compute scalar * GeneratorPoint: this + * codepath is reached most prominently by (ephemeral) key generation + * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH + * keygen/first half), where the scalar is always secret. This is why + * we ignore if BN_FLG_CONSTTIME is actually set and we always call the + * constant time version. 
+ */ +return ec_mul_consttime(group, r, scalar, NULL, ctx); +} +if ((scalar == NULL) && (num == 1)) { +/*- + * In this case we want to compute scalar * GenericPoint: this codepath + * is reached most prominently by the second half of ECDH, where the + * secret scalar is multiplied by the peer's public point. To protect + * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and + * we always call the constant time version. + */ +return ec_mul_consttime(group, r, scalars[0], points[0], ctx); +} } for (i = 0; i < num; i++) { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
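Review bot: the backport wraps the constant-time dispatch in `if (!BN_is_zero(group->order) && !BN_is_zero(group->cofactor))`, so a group with unknown order or cofactor now silently takes the generic wNAF path even when the scalar is secret; the commit message ("Backport #6648") gives no rationale and the new condition carries no comment. State why ec_mul_consttime() needs both values and that the fallback is deliberate, otherwise a later cleanup may "simplify" the guard away and the surviving comment ("we always call the constant time version") will be wrong for such groups.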
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 837017b4748d587912d9d218894644d6ca86721f (commit) from 8255fd0f4f86fa4202962d4b27185c0d96f21d75 (commit) - Log - commit 837017b4748d587912d9d218894644d6ca86721f Author: Pauli Date: Wed Aug 22 10:04:27 2018 +1000 Zero memory in CRYPTO_secure_malloc. This commit destroys the free list pointers which would otherwise be present in the returned memory blocks. This in turn helps prevent information leakage from the secure memory area. Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory: before the secure memory system is initialised or if it isn't implemented. [manual merge of #7011] Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7026) --- Summary of changes: crypto/mem_sec.c | 16 +++- test/secmemtest.c | 44 2 files changed, 55 insertions(+), 5 deletions(-) diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c index 25cdb47..1ccf68c 100644 --- a/crypto/mem_sec.c +++ b/crypto/mem_sec.c @@ -134,11 +134,12 @@ void *CRYPTO_secure_malloc(size_t num, const char *file, int line) void *CRYPTO_secure_zalloc(size_t num, const char *file, int line) { -void *ret = CRYPTO_secure_malloc(num, file, line); - -if (ret != NULL) -memset(ret, 0, num); -return ret; +#ifdef IMPLEMENTED +if (secure_mem_initialized) +/* CRYPTO_secure_malloc() zeroes allocations when it is implemented */ +return CRYPTO_secure_malloc(num, file, line); +#endif +return CRYPTO_zalloc(num, file, line); } void CRYPTO_secure_free(void *ptr, const char *file, int line) @@ -574,6 +575,9 @@ static char *sh_malloc(size_t size) OPENSSL_assert(WITHIN_ARENA(chunk)); +/* zero the free list header as a precaution against information leakage */ +memset(chunk, 0, sizeof(SH_LIST)); + return chunk; } @@ -606,6 +610,8 @@ static void sh_free(char *ptr) list--; +/* Zero the higher addressed block's free list pointers */ +memset(ptr > buddy ? ptr : buddy, 0, sizeof(SH_LIST)); if (ptr > buddy) ptr = buddy; 
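Review bot: CRYPTO_secure_zalloc() now returns CRYPTO_secure_malloc()'s result untouched when secure_mem_initialized, relying on every chunk handed out by sh_malloc() being entirely zero; but the visible hunks only memset sizeof(SH_LIST) bytes (the free-list header) in sh_malloc() and the higher buddy's header in sh_free(). The full-zero invariant therefore rests on the arena starting zeroed and on the whole block being cleansed before it returns to the free list, neither of which is in this diff; a comment on sh_malloc() stating that invariant, and a reason in the `/* CRYPTO_secure_malloc() zeroes allocations when it is implemented */` comment, would make the dependency explicit.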
diff --git a/test/secmemtest.c b/test/secmemtest.c index 9405f34..6077216 100644 --- a/test/secmemtest.c +++ b/test/secmemtest.c @@ -18,6 +18,8 @@ int main(int argc, char **argv) { #if defined(OPENSSL_SYS_LINUX) || defined(OPENSSL_SYS_UNIX) char *p = NULL, *q = NULL, *r = NULL, *s = NULL; +int i; +const int size = 64; s = OPENSSL_secure_malloc(20); /* s = non-secure 20 */ @@ -128,6 +130,48 @@ int main(int argc, char **argv) return 1; } +if (!CRYPTO_secure_malloc_init(32768, 16)) { +perror_line(); +return 1; +} + +/* + * Verify that secure memory gets zeroed properly. + */ +if ((p = OPENSSL_secure_malloc(size)) == NULL) { +perror_line(); +return 1; +} +for (i = 0; i < size; i++) +if (p[i] != 0) { +perror_line(); +fprintf(stderr, "iteration %d\n", i); +return 1; +} + +for (i = 0; i < size; i++) +p[i] = (unsigned char)(i + ' ' + 1); +OPENSSL_secure_free(p); + +/* + * A deliberate use after free here to verify that the memory has been + * cleared properly. Since secure free doesn't return the memory to + * libc's memory pool, it technically isn't freed. However, the header + * bytes have to be skipped and these consist of two pointers in the + * current implementation. + */ +for (i = sizeof(void *) * 2; i < size; i++) +if (p[i] != 0) { +perror_line(); +fprintf(stderr, "iteration %d\n", i); +return 1; +} + +if (!CRYPTO_secure_malloc_done()) { +perror_line(); +return 1; +} + /*- * There was also a possible infinite loop when the number of * elements was 1<<31, as |int i| was set to that, which is a _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
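Review bot: the use-after-free check starts at `sizeof(void *) * 2`, hard-coding the assumption that the free-list header is exactly two pointers; if SH_LIST changes the loop silently skips or scans the wrong bytes. test/secmemtest.c cannot see the internal SH_LIST type, so at least cross-reference this constant from a comment in crypto/mem_sec.c, or expose the header size through a test-only accessor. The test also exercises a single 64-byte allocation only; a second allocation of a different size after the free would show that a freed and coalesced block comes back zeroed too.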
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 8255fd0f4f86fa4202962d4b27185c0d96f21d75 (commit) from b2a73156186ec436f584a565e6d4a98b75734286 (commit) - Log - commit 8255fd0f4f86fa4202962d4b27185c0d96f21d75 Author: Andy Polyakov Date: Thu Aug 16 09:26:12 2018 +0200 crypto/init.c: improve destructor_key's portability. It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type, which doesn't appear to hold true. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6976) (cherry picked from commit 0b1319ba94c85af9e87308e0d573d1260a802f53) --- Summary of changes: crypto/init.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/crypto/init.c b/crypto/init.c index 00a9179..2ad946c 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -41,7 +41,10 @@ static int stopped = 0; * key value and pull NULL past initialization in the first thread that * intends to use libcrypto. */ -static CRYPTO_THREAD_LOCAL destructor_key = (CRYPTO_THREAD_LOCAL)-1; +static union { +long sane; +CRYPTO_THREAD_LOCAL value; +} destructor_key = { -1 }; static void ossl_init_thread_stop(struct thread_local_inits_st *locals); @@ -53,17 +56,17 @@ static void ossl_init_thread_destructor(void *local) static struct thread_local_inits_st *ossl_init_get_thread_local(int alloc) { struct thread_local_inits_st *local = -CRYPTO_THREAD_get_local(_key); +CRYPTO_THREAD_get_local(_key.value); if (alloc) { if (local == NULL && (local = OPENSSL_zalloc(sizeof(*local))) != NULL -&& !CRYPTO_THREAD_set_local(_key, local)) { +&& !CRYPTO_THREAD_set_local(_key.value, local)) { OPENSSL_free(local); return NULL; } } else { -CRYPTO_THREAD_set_local(_key, NULL); +CRYPTO_THREAD_set_local(_key.value, NULL); } return local; @@ -97,7 +100,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base) #endif OPENSSL_cpuid_setup(); -destructor_key = key; +destructor_key.value = key; base_inited = 1; return 1; 
@@ -396,7 +399,7 @@ static void ossl_init_thread_stop(struct thread_local_inits_st *locals) void OPENSSL_thread_stop(void) { -if (destructor_key != (CRYPTO_THREAD_LOCAL)-1) +if (destructor_key.sane != -1) ossl_init_thread_stop(ossl_init_get_thread_local(0)); } @@ -493,8 +496,8 @@ void OPENSSL_cleanup(void) err_free_strings_int(); } -key = destructor_key; -destructor_key = (CRYPTO_THREAD_LOCAL)-1; +key = destructor_key.value; +destructor_key.sane = -1; CRYPTO_THREAD_cleanup_local(); #ifdef OPENSSL_INIT_DEBUG _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
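Review bot: the union initialises `sane` to -1 but the code afterwards writes only `destructor_key.value`, so the `destructor_key.sane != -1` test works when sizeof(CRYPTO_THREAD_LOCAL) is smaller than sizeof(long) only because the untouched high bytes of `sane` keep their all-ones value, and it would misfire if a real key had all bits set; if the key type were larger than long the comparison would see only part of it. That reasoning deserves a comment next to the union, ideally with a compile-time check that sizeof(CRYPTO_THREAD_LOCAL) <= sizeof(long).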
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via b2a73156186ec436f584a565e6d4a98b75734286 (commit) from dba995e78f09ccf00a3cf1b1c4c196febd2a7fa4 (commit) - Log - commit b2a73156186ec436f584a565e6d4a98b75734286 Author: Bernd Edlinger Date: Fri Aug 17 09:02:53 2018 +0200 Fix a warning from MSVC build Apparently after internal/numbers.h defines INTx_MIN/MAX stdint gets included and it defines those differently: C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\INCLUDE\stdint.h(48): warning C4005: 'INT8_MIN': macro redefinition Avoid that by changing the sequence in which the include files appear in crypto/bio/b_print.c. [extended tests] Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6995) --- Summary of changes: crypto/bio/b_print.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index cdfe05f..bf006d1 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -10,9 +10,9 @@ #include #include #include -#include "internal/numbers.h" -#include "internal/cryptlib.h" #include +#include "internal/cryptlib.h" +#include "internal/numbers.h" /* * Copyright Patrick Powell 1995 _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
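Review bot: swapping the include order fixes the redefinition, but nothing in the file records the constraint, so a later "sort the includes" cleanup will reintroduce the MSVC warning. Add a one-line comment before `#include "internal/numbers.h"` saying it must come after any header that may pull in <stdint.h>; better still, have internal/numbers.h guard its INTn_MIN/MAX definitions with #ifndef so the order stops mattering.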
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via dba995e78f09ccf00a3cf1b1c4c196febd2a7fa4 (commit) from d706faf38da07083cb2116f4d30422081bc8ae1d (commit) - Log - commit dba995e78f09ccf00a3cf1b1c4c196febd2a7fa4 Author: Benjamin Kaduk Date: Thu Aug 16 15:42:55 2018 -0500 Avoid shadowing 'free' in X509_LOOKUP_met_set_free gcc 4.6 (arguably erroneously) warns about our use of 'free' as the name of a function parameter, when --strict-warnings is enabled: crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free': crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow] cc1: all warnings being treated as errors make[1]: *** [crypto/x509/x509_meth.o] Error 1 (gcc 4.8 is fine with this code, as are newer compilers.) Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6991) (cherry picked from commit 50f3994b513ead4da94845bf38222bb71c440fb3) --- Summary of changes: crypto/x509/x509_meth.c| 4 ++-- include/openssl/x509_vfy.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/x509/x509_meth.c b/crypto/x509/x509_meth.c index 05ed4bf..9dc587a 100644 --- a/crypto/x509/x509_meth.c +++ b/crypto/x509/x509_meth.c @@ -58,9 +58,9 @@ int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) int X509_LOOKUP_meth_set_free( X509_LOOKUP_METHOD *method, -void (*free) (X509_LOOKUP *ctx)) +void (*free_fn) (X509_LOOKUP *ctx)) { -method->free = free; +method->free = free_fn; return 1; } diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index d91581c..131b6cf 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h 
@@ -397,7 +397,7 @@ int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) (X509_LOOKUP *ctx); int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, - void (*free) (X509_LOOKUP *ctx)); + void (*free_fn) (X509_LOOKUP *ctx)); void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) (X509_LOOKUP *ctx); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
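Review bot: the rename to `free_fn` removes the -Wshadow warning in the setter; the struct member is still called `free`, which is fine since members do not shadow globals. Check that the pod page for X509_LOOKUP_meth_set_free() does not still name the parameter `free`, so the documented and declared signatures stay in sync, and note that the commit title spells the function "X509_LOOKUP_met_set_free".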
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via d706faf38da07083cb2116f4d30422081bc8ae1d (commit) via 97c0959f27b294fe1eb10b547145ebef2524b896 (commit) from 6244f531776a0c53fa35f815cbc588988b343036 (commit) - Log - commit d706faf38da07083cb2116f4d30422081bc8ae1d Author: Matt Caswell Date: Tue Aug 14 13:46:03 2018 +0100 Prepare for 1.1.0j-dev Reviewed-by: Richard Levitte commit 97c0959f27b294fe1eb10b547145ebef2524b896 Author: Matt Caswell Date: Tue Aug 14 13:45:05 2018 +0100 Prepare for 1.1.0i release Reviewed-by: Richard Levitte --- Summary of changes: CHANGES| 6 +- NEWS | 6 +- README | 2 +- include/openssl/opensslv.h | 6 +++--- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index faf5a3c..ae8ceca 100644 --- a/CHANGES +++ b/CHANGES @@ -7,7 +7,11 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. - Changes between 1.1.0h and 1.1.0i [xx XXX ] + Changes between 1.1.0i and 1.1.0j [xx XXX ] + + *) + + Changes between 1.1.0h and 1.1.0i [14 Aug 2018] *) Client DoS due to large DH parameter diff --git a/NEWS b/NEWS index 9f6e3cf..ca3ed49 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [under development] + Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [under development] + + o + + Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018] o Client DoS due to large DH parameter (CVE-2018-0732) o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) diff --git a/README b/README index 40dbcfa..3af2619 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.1.0i-dev + OpenSSL 1.1.0j-dev Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index 7221a45..72f09af 100644 
--- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -39,11 +39,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x10100090L +# define OPENSSL_VERSION_NUMBER 0x101000a0L # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0i-fips-dev xx XXX " +# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0j-fips-dev xx XXX " # else -# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0i-dev xx XXX " +# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.0j-dev xx XXX " # endif /*- _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 6244f531776a0c53fa35f815cbc588988b343036 (commit) from 825dbd019c7eca898457f64d377074d7f0d43ada (commit) - Log - commit 6244f531776a0c53fa35f815cbc588988b343036 Author: Matt Caswell Date: Tue Aug 14 13:25:55 2018 +0100 Update copyright year Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6954) --- Summary of changes: README| 2 +- apps/apps.c | 2 +- apps/asn1pars.c | 2 +- apps/dhparam.c| 2 +- apps/ocsp.c | 2 +- apps/rehash.c | 2 +- apps/verify.c | 2 +- crypto/arm_arch.h | 2 +- crypto/armcap.c | 2 +- crypto/armv4cpuid.pl | 2 +- crypto/asn1/a_object.c| 2 +- crypto/asn1/a_strex.c | 2 +- crypto/asn1/p5_scrypt.c | 2 +- crypto/asn1/tasn_enc.c| 2 +- crypto/asn1/tasn_utl.c| 2 +- crypto/async/async.c | 2 +- crypto/bio/b_addr.c | 2 +- crypto/bio/b_sock.c | 2 +- crypto/bio/bss_log.c | 2 +- crypto/bio/bss_mem.c | 2 +- crypto/bn/asm/alpha-mont.pl | 2 +- crypto/bn/asm/armv4-mont.pl | 2 +- crypto/bn/asm/ia64-mont.pl| 2 +- crypto/bn/asm/mips-mont.pl| 2 +- crypto/bn/asm/parisc-mont.pl | 2 +- crypto/bn/asm/ppc-mont.pl | 2 +- crypto/bn/asm/ppc64-mont.pl | 2 +- crypto/bn/asm/rsaz-avx2.pl| 2 +- crypto/bn/asm/s390x-mont.pl | 2 +- crypto/bn/asm/sparct4-mont.pl | 2 +- crypto/bn/asm/sparcv9-mont.pl | 2 +- crypto/bn/asm/via-mont.pl | 2 +- crypto/bn/asm/vis3-mont.pl| 2 +- crypto/bn/asm/x86-mont.pl | 2 +- crypto/bn/asm/x86_64-mont.pl | 2 +- crypto/bn/asm/x86_64-mont5.pl | 2 +- crypto/bn/bn_div.c| 2 +- crypto/bn/bn_gcd.c| 2 +- crypto/bn/bn_gf2m.c | 2 +- crypto/bn/bn_intern.c | 2 +- crypto/bn/bn_lcl.h| 2 +- crypto/bn/bn_mod.c| 2 +- crypto/bn/bn_sqr.c| 2 +- crypto/chacha/asm/chacha-x86.pl | 2 +- crypto/cms/cms_env.c | 2 +- crypto/cms/cms_smime.c| 2 +- crypto/conf/conf_api.c| 2 +- crypto/conf/conf_mall.c | 2 +- crypto/dh/dh_key.c| 2 +- crypto/dh/dh_meth.c | 2 +- crypto/dsa/dsa_gen.c | 2 +- crypto/dsa/dsa_meth.c | 2 +- crypto/dsa/dsa_ossl.c | 2 +- crypto/dsa/dsa_pmeth.c| 2 +- crypto/ec/asm/ecp_nistz256-armv4.pl | 
2 +- crypto/ec/asm/ecp_nistz256-armv8.pl | 2 +- crypto/ec/asm/ecp_nistz256-avx2.pl| 2 +- crypto/ec/asm/ecp_nistz256-sparcv9.pl | 2 +- crypto/ec/asm/ecp_nistz256-x86.pl | 2 +- crypto/ec/ec2_smpl.c | 2 +- crypto/ec/ec_ameth.c | 2 +- crypto/ec/ec_curve.c | 2 +- crypto/ec/ec_lcl.h| 2 +- crypto/ec/ec_lib.c| 2 +- crypto/ec/ec_mult.c | 2 +- crypto/ec/ec_oct.c| 2 +- crypto/ec/ecdsa_ossl.c| 2 +- crypto/ec/ecp_nistz256.c | 2 +- crypto/ec/ecp_smpl.c | 2 +- crypto/engine/eng_lib.c | 2 +- crypto/engine/tb_asnmth.c | 2 +- crypto/err/err.c | 2 +- crypto/evp/pmeth_lib.c| 2 +- crypto/evp/scrypt.c | 2 +- crypto/ex_data.c | 2 +- crypto/include/internal/__DECC_INCLUDE_EPILOGUE.H | 2 +-
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 825dbd019c7eca898457f64d377074d7f0d43ada (commit) from cc08075f66cd8494952321bb59566f22dce0 (commit) - Log - commit 825dbd019c7eca898457f64d377074d7f0d43ada Author: Matt Caswell Date: Tue Aug 14 10:39:19 2018 +0100 Updates to CHANGES and NEWS for the new release Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6950) --- Summary of changes: CHANGES | 24 NEWS| 3 ++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 13cc641..faf5a3c 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,30 @@ Changes between 1.1.0h and 1.1.0i [xx XXX ] + *) Client DoS due to large DH parameter + + During key agreement in a TLS handshake using a DH(E) based ciphersuite a + malicious server can send a very large prime value to the client. This will + cause the client to spend an unreasonably long period of time generating a + key for this prime resulting in a hang until the client has finished. This + could be exploited in a Denial Of Service attack. + + This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken + (CVE-2018-0732) + [Guido Vranken] + + *) Cache timing vulnerability in RSA Key Generation + + The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to + a cache timing side channel attack. An attacker with sufficient access to + mount cache timing attacks during the RSA key generation process could + recover the private key. + + This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera + Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. + (CVE-2018-0737) + [Billy Brumley] + *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str parameter is no longer accepted, as it leads to a corrupt table. NULL pem_str is reserved for alias entries only. diff --git a/NEWS b/NEWS index 22ccd9e..9f6e3cf 100644 --- a/NEWS +++ b/NEWS 
@@ -7,7 +7,8 @@ Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [under development] - o + o Client DoS due to large DH parameter (CVE-2018-0732) + o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [27 Mar 2018] _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
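Review bot: The CHANGES entry for the DH issue describes the symptom (the client hangs while generating a key for an oversized prime) but not the mitigation, so a reader of this file cannot tell what behaviour changed or whether a legitimate large-parameter setup is affected; CHANGES entries normally say what the fix does, for instance a maximum accepted parameter size and the error the client now raises instead of hanging. The RSA key generation entry has the same gap and should at least name the part of key generation that was changed.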
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via cc08075f66cd8494952321bb59566f22dce0 (commit) from 6114041540d8d1fecaf23a861788c3c742d3b467 (commit) - Log - commit cc08075f66cd8494952321bb59566f22dce0 Author: Andy Polyakov Date: Wed Jun 27 11:57:45 2018 +0200 crypto/o_fopen.c: alias fopen to fopen64. Originally fopen(3) was called from bio/bss_file.c, which performed the aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition was left behind. It's still useful on 32-bit platforms, so pull it to o_fopen.c. Reviewed-by: Paul Dale Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6596) (cherry picked from commit 2369111fd94ebc9b7d37e68f3ea9629f2fe5fa2e) --- Summary of changes: crypto/o_fopen.c | 18 ++ 1 file changed, 18 insertions(+) diff --git a/crypto/o_fopen.c b/crypto/o_fopen.c index a3a0065..63a31b0 100644 --- a/crypto/o_fopen.c +++ b/crypto/o_fopen.c 
@@ -7,6 +7,24 @@ * https://www.openssl.org/source/license.html */ +# if defined(__linux) || defined(__sun) || defined(__hpux) +/* + * Following definition aliases fopen to fopen64 on above mentioned + * platforms. This makes it possible to open and sequentially access files + * larger than 2GB from 32-bit application. It does not allow to traverse + * them beyond 2GB with fseek/ftell, but on the other hand *no* 32-bit + * platform permits that, not with fseek/ftell. Not to mention that breaking + * 2GB limit for seeking would require surgery to *our* API. But sequential + * access suffices for practical cases when you can run into large files, + * such as fingerprinting, so we can let API alone. For reference, the list + * of 32-bit platforms which allow for sequential access of large files + * without extra "magic" comprise *BSD, Darwin, IRIX... + */ +# ifndef _FILE_OFFSET_BITS +# define _FILE_OFFSET_BITS 64 +# endif +# endif + #include "internal/cryptlib.h" #if !defined(OPENSSL_NO_STDIO) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
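Review bot: `_FILE_OFFSET_BITS` is a per-translation-unit setting that changes off_t, struct stat and related types in this file, not only fopen, so the aliasing is only safe because o_fopen.c exposes nothing but a FILE * across its interface; the comment should say so, since anyone adding an off_t-typed helper to this file later would get a layout mismatch with the rest of libcrypto. The define must also precede every system header: placing it above `#include "internal/cryptlib.h"` does that, but the ordering is load-bearing and deserves a one-line remark next to the `#ifndef _FILE_OFFSET_BITS` guard.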
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 6114041540d8d1fecaf23a861788c3c742d3b467 (commit) from 9553d9691ca67d6cd31573c7f6e567b182800511 (commit) - Log - commit 6114041540d8d1fecaf23a861788c3c742d3b467 Author: Richard Levitte Date: Sat Aug 11 09:59:20 2018 +0200 i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer Since 0.9.7, all i2d_ functions were documented to allocate an output buffer if the user didn't provide one, under these conditions (from the 1.0.2 documentation): For OpenSSL 0.9.7 and later if B<*out> is B memory will be allocated for a buffer and the encoded data written to it. In this case B<*out> is not incremented and it points to the start of the data just written. i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL output buffer was provided. Fixes #6914 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/6918) (cherry picked from commit cba024dc685d13dbcbd0577bed028ee6b295b56a) --- Summary of changes: crypto/asn1/a_object.c | 21 - crypto/asn1/asn1_err.c | 1 + include/openssl/asn1.h | 1 + 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 1ec7a7e..91c7e28 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -19,7 +19,7 @@ int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp) { -unsigned char *p; +unsigned char *p, *allocated = NULL; int objsize; if ((a == NULL) || (a->data == NULL)) 
@@ -29,13 +29,24 @@ int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp) if (pp == NULL || objsize == -1) return objsize; -p = *pp; +if (*pp == NULL) { +if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) { +ASN1err(ASN1_F_I2D_ASN1_OBJECT, ERR_R_MALLOC_FAILURE); +return 0; +} +} else { +p = *pp; +} + ASN1_put_object(, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL); memcpy(p, a->data, a->length); -p += a->length; -*pp = p; -return (objsize); +/* + * If a new buffer was allocated, just return it back. + * If not, return the incremented buffer pointer. + */ +*pp = allocated != NULL ? allocated : p + a->length; +return objsize; } int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num) diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 7068c0c..5d895d3 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -95,6 +95,7 @@ static ERR_STRING_DATA ASN1_str_functs[] = { {ERR_FUNC(ASN1_F_DO_BUF), "do_buf"}, {ERR_FUNC(ASN1_F_DO_TCREATE), "do_tcreate"}, {ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"}, +{ERR_FUNC(ASN1_F_I2D_ASN1_OBJECT), "i2d_ASN1_OBJECT"}, {ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"}, {ERR_FUNC(ASN1_F_I2D_EC_PUBKEY), "i2d_EC_PUBKEY"}, {ERR_FUNC(ASN1_F_I2D_PRIVATEKEY), "i2d_PrivateKey"}, diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h index 88e6469..d0b1099 100644 --- a/include/openssl/asn1.h +++ b/include/openssl/asn1.h @@ -956,6 +956,7 @@ int ERR_load_ASN1_strings(void); # define ASN1_F_DO_BUF142 # define ASN1_F_DO_TCREATE222 # define ASN1_F_I2D_ASN1_BIO_STREAM 211 +# define ASN1_F_I2D_ASN1_OBJECT 143 # define ASN1_F_I2D_DSA_PUBKEY161 # define ASN1_F_I2D_EC_PUBKEY 181 # define ASN1_F_I2D_PRIVATEKEY163 _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
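Review bot: In the i2d_ASN1_OBJECT hunk the malloc-failure path does `return 0;`, while the existing `if (pp == NULL || objsize == -1) return objsize;` a few lines above reports errors as -1; a caller checking `ret < 0` will not see the allocation failure, and 0 is also indistinguishable from "nothing written". Returning -1 here, or documenting that 0 is a failure value for this function, would keep one convention. The new ownership rule should also be stated in a comment next to `*pp = allocated != NULL ? allocated : p + a->length;`: when the function allocated, `*pp` points at the start of the buffer and the caller must OPENSSL_free() it, whereas in the caller-supplied case `*pp` is advanced past the data.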
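Review bot: The asn1_err.c and asn1.h hunks add ASN1_F_I2D_ASN1_OBJECT by hand; these tables are maintained by util/mkerr.pl in this tree, so the entry should be checked against the generator's output (the value 143 must not collide with an existing function code, which the hunk context cannot show) or it will be rewritten the next time the error files are regenerated.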
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 9553d9691ca67d6cd31573c7f6e567b182800511 (commit) via 80158ae42fffe3354b160c5818f48b6a9b651538 (commit) from a0f443a05dd68b9949b39b3310a595babcae4624 (commit) - Log - commit 9553d9691ca67d6cd31573c7f6e567b182800511 Author: Andy Polyakov Date: Sun Jul 29 14:37:17 2018 +0200 x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6891) (back-ported from commit f21b5b64cbbc279ef31389e6ae312690575187da) commit 80158ae42fffe3354b160c5818f48b6a9b651538 Author: Andy Polyakov Date: Sun Jul 29 14:13:32 2018 +0200 x509v3/v3_purp.c: resolve Thread Sanitizer nit. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6891) (cherry picked from commit 0da7358b0757fa35f2c3a8f51fa036466ae50fd7) --- Summary of changes: crypto/include/internal/x509_int.h | 1 + crypto/x509v3/v3_purp.c| 10 -- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h index 2845026..9a6322c 100644 --- a/crypto/include/internal/x509_int.h +++ b/crypto/include/internal/x509_int.h @@ -166,6 +166,7 @@ struct x509_st { unsigned char sha1_hash[SHA_DIGEST_LENGTH]; X509_CERT_AUX *aux; CRYPTO_RWLOCK *lock; +volatile int ex_cached; } /* X509 */ ; /* diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 144de0c..7ac0672 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -350,10 +350,10 @@ static void x509v3_cache_extensions(X509 *x) ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; - int i; -if (x->ex_flags & EXFLAG_SET) +/* fast lock-free check, see end of the function for details. */ +if (x->ex_cached) return; CRYPTO_THREAD_write_lock(x->lock); 
@@ -496,6 +496,12 @@ static void x509v3_cache_extensions(X509 *x) } x->ex_flags |= EXFLAG_SET; CRYPTO_THREAD_unlock(x->lock); +/* + * It has to be placed after memory barrier, which is implied by unlock. + * Worst thing that can happen is that another thread proceeds to lock + * and checks x->ex_flags & EXFLAGS_SET. See beginning of the function. + */ +x->ex_cached = 1; } /*- _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
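Review bot: `volatile int ex_cached` in the x509_int.h hunk only stops the compiler from caching the load; it gives no inter-thread ordering. The writer side is fine because `x->ex_cached = 1` is stored after CRYPTO_THREAD_unlock(), but the fast path in the first v3_purp.c hunk does `if (x->ex_cached) return;` with no acquire barrier, so on a weakly ordered CPU a thread can observe ex_cached == 1 and then read ex_flags or the cached extension pointers before the writer's earlier stores are visible to it. Either use an acquire load for the check or state in the comment that the code relies on the platform's load ordering, so the assumption is visible to whoever ports this.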
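Review bot: The comment added at the end of x509v3_cache_extensions refers to `EXFLAGS_SET`, but the flag that is set and tested in this function is `EXFLAG_SET` (see `x->ex_flags |= EXFLAG_SET;` two lines above); fix the name so that grep finds it and the comment matches the code it explains.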
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via a0f443a05dd68b9949b39b3310a595babcae4624 (commit) from f48e0ef1144c647a3159a71db114598d8fb6adc9 (commit) - Log - commit a0f443a05dd68b9949b39b3310a595babcae4624 Author: Rich Salz Date: Tue Aug 7 15:28:59 2018 -0400 Increase CT_NUMBER values Also add build-time errors to keep them in sync. Thanks to GitHub user YuDudysheva for reporting this. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6874) (cherry picked from commit b5ee517794cf546dc7e3d5a82b400955a7381053) --- Summary of changes: include/openssl/ssl3.h | 10 -- include/openssl/tls1.h | 8 +++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index 4ca434e..e51629f 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -252,9 +252,15 @@ extern "C" { # define SSL3_CT_FORTEZZA_DMS20 /* * SSL3_CT_NUMBER is used to size arrays and it must be large enough to - * contain all of the cert types defined either for SSLv3 and TLSv1. + * contain all of the cert types defined for *either* SSLv3 and TLSv1. */ -# define SSL3_CT_NUMBER 9 +# define SSL3_CT_NUMBER 10 + +# if defined(TLS_CT_NUMBER) +# if TLS_CT_NUMBER != SSL3_CT_NUMBER +#error "SSL/TLS CT_NUMBER values do not match" +# endif +# endif # define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 3fe01fe..b536d84 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h 
@@ -883,7 +883,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) * when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see * comment there) */ -# define TLS_CT_NUMBER 9 +# define TLS_CT_NUMBER 10 + +# if defined(SSL3_CT_NUMBER) +# if TLS_CT_NUMBER != SSL3_CT_NUMBER +#error "SSL/TLS CT_NUMBER values do not match" +# endif +# endif # define TLS1_FINISH_MAC_LENGTH 12 _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
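Review bot: The reworded comment in ssl3.h still reads "defined for *either* SSLv3 and TLSv1"; it should be "either SSLv3 or TLSv1" (or simply "for both SSLv3 and TLSv1"). The `#error` cross-check in each header only fires in a translation unit that includes both ssl3.h and tls1.h; that holds for anything including ssl.h, so it is an adequate guard, but the comment in tls1.h ("when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h") could now point at the check instead of asking the reader to remember.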
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via f48e0ef1144c647a3159a71db114598d8fb6adc9 (commit) from 32096fdac975dde7a13d463fdf256fd2955cd5ab (commit) - Log - commit f48e0ef1144c647a3159a71db114598d8fb6adc9 Author: Rich Salz Date: Tue Aug 7 15:08:03 2018 -0400 Fix setting of ssl_strings_inited. Thanks to GitHub user zsergey105 for reporting this. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/6875) (cherry picked from commit 10281e83eac0fb96de3f14855154197aa33bb800) --- Summary of changes: ssl/ssl_init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index c91e1c5..0b9155d 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c @@ -127,8 +127,8 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings) "ERR_load_SSL_strings()\n"); # endif ERR_load_SSL_strings(); -#endif ssl_strings_inited = 1; +#endif return 1; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
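Review bot: Moving `ssl_strings_inited = 1;` inside the `#endif` means the flag stays 0 in an OPENSSL_NO_ERR build while the function still returns 1 to RUN_ONCE; that is the intended meaning (nothing was loaded, so nothing to unload), but every reader of ssl_strings_inited must treat 0 as "not loaded" rather than "initialisation failed". A short comment on the flag's declaration would prevent the original misplacement from being reintroduced.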
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 32096fdac975dde7a13d463fdf256fd2955cd5ab (commit) from 29cbeb9f0279678706dc9f5d96bcb64fc766658f (commit) - Log - commit 32096fdac975dde7a13d463fdf256fd2955cd5ab Author: Richard Levitte Date: Tue Aug 7 12:38:16 2018 +0200 Check early that the config target exists and isn't a template Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/6885) (cherry picked from commit 4e360445473c3da938703a8142a36cf6ee86a191) --- Summary of changes: Configure | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Configure b/Configure index 7e482f7..d85ff6a 100755 --- a/Configure +++ b/Configure @@ -911,11 +911,12 @@ if ($d) { $target = $t; } } + + if !$table{$target} || $table{$target}->{template}; + $config{target} = $target; my %target = resolve_config($target); - if (!%target || $target{template}); - my %conf_files = map { $_ => 1 } (@{$target{_conf_fname_int}}); $config{conf_files} = [ sort keys %conf_files ]; %target = ( %{$table{DEFAULTS}}, %target ); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
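Review bot: The new early check tests the raw table entry, `$table{$target}->{template}`, whereas the removed check looked at `$target{template}` after resolve_config(); if a target can inherit `template` from a parent through inherit_from, the early check no longer catches it, so either confirm that template is never inherited or keep the post-resolve check as well. As displayed here, both the removed and the added line lack the statement in front of the `if` modifier (presumably a die with a message); make sure the committed line carries a message naming the target, since that is the only feedback a user gets for a misspelled or template target.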
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 29cbeb9f0279678706dc9f5d96bcb64fc766658f (commit) from 831a2b0637b0eb21c9c2f8cc67f4579368637077 (commit) - Log - commit 29cbeb9f0279678706dc9f5d96bcb64fc766658f Author: Richard Levitte Date: Tue Aug 7 04:55:47 2018 +0200 Make EVP_PKEY_asn1_new() stricter with its input Reviewed-by: Matthias St. Pierre Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6880) (cherry picked from commit 38eca7fed09a57c1b7a05d651af2c667b3e87719) --- Summary of changes: CHANGES | 5 + crypto/asn1/ameth_lib.c | 12 2 files changed, 17 insertions(+) diff --git a/CHANGES b/CHANGES index 277654d..13cc641 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,11 @@ Changes between 1.1.0h and 1.1.0i [xx XXX ] + *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str + parameter is no longer accepted, as it leads to a corrupt table. NULL + pem_str is reserved for alias entries only. + [Richard Levitte] + *) Revert blinding in ECDSA sign and instead make problematic addition length-invariant. Switch even to fixed-length Montgomery multiplication. [Andy Polyakov] diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index b8ba067..9b0a2cc 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -255,6 +255,18 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, goto err; } +/* + * One of the following must be true: + * + * pem_str == NULL AND ASN1_PKEY_ALIAS is set + * pem_str != NULL AND ASN1_PKEY_ALIAS is clear + * + * Anything else is an error and may lead to a corrupt ASN1 method table + */ +if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0) + || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0))) +goto err; + if (pem_str) { ameth->pem_str = OPENSSL_strdup(pem_str); if (!ameth->pem_str) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
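Review bot: The new validation in EVP_PKEY_asn1_new() jumps to `err` without raising an error, so a caller that passes a NULL pem_str with ASN1_PKEY_ALIAS clear gets NULL back with an empty error queue and no hint why; put an error with a specific reason (ERR_R_PASSED_NULL_PARAMETER fits the NULL case) before the `goto err;`. The comment block above the check is good; the same rule should be reflected in the EVP_PKEY_asn1_new man page alongside the CHANGES entry, since a stable-branch release turns this into an API tightening that existing engine code may trip over.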
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 831a2b0637b0eb21c9c2f8cc67f4579368637077 (commit) from f96d3c1fc65fae4193bdda464819bb1180feba5a (commit) - Log - commit 831a2b0637b0eb21c9c2f8cc67f4579368637077 Author: Bernd Edlinger Date: Thu Aug 2 19:47:42 2018 +0200 Fix uninitialized value $s warning in windows static builds Fixes: #6826 [extended tests] Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/pr6849) --- Summary of changes: Configurations/windows-makefile.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index af11ff4..40dc41d 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -89,8 +89,8 @@ GENERATED={- join(" ", ( grep { /\.h$/ } keys %{$unified_info{generate}} )) -} INSTALL_LIBS={- join(" ", map { quotify1($_.$libext) } @{$unified_info{install}->{libraries}}) -} -INSTALL_SHLIBS={- join(" ", map { quotify1(shlib($_)) } @{$unified_info{install}->{libraries}}) -} -INSTALL_SHLIBPDBS={- join(" ", map { local $shlibext = ".pdb"; quotify1(shlib($_)) } @{$unified_info{install}->{libraries}}) -} +INSTALL_SHLIBS={- join(" ", map { quotify_l(shlib($_)) } @{$unified_info{install}->{libraries}}) -} +INSTALL_SHLIBPDBS={- join(" ", map { local $shlibext = ".pdb"; quotify_l(shlib($_)) } @{$unified_info{install}->{libraries}}) -} INSTALL_ENGINES={- join(" ", map { quotify1(dso($_)) } @{$unified_info{install}->{engines}}) -} INSTALL_ENGINEPDBS={- join(" ", map { local $dsoext = ".pdb"; quotify1(dso($_)) } @{$unified_info{install}->{engines}}) -} INSTALL_PROGRAMS={- join(" ", map { quotify1($_.$exeext) } grep { !m|^test\\| } @{$unified_info{install}->{programs}}) -} _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
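Review bot: Only INSTALL_SHLIBS and INSTALL_SHLIBPDBS switch from quotify1 to quotify_l; the neighbouring INSTALL_ENGINES, INSTALL_ENGINEPDBS and INSTALL_PROGRAMS lines in the same hunk keep quotify1. If quotify_l is the right call for list-valued arguments, which the uninitialised `$s` warning suggests, the asymmetry should be explained in the commit message or the other lines updated too, otherwise the same warning can reappear for the engine or program lists in a different build configuration.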
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via f96d3c1fc65fae4193bdda464819bb1180feba5a (commit) from e0a79ae63700051ddab9e091031dd37ae18182a5 (commit) - Log - commit f96d3c1fc65fae4193bdda464819bb1180feba5a Author: Pauli Date: Mon Aug 6 07:31:49 2018 +1000 Avoid errors when loading a cert multiple times. Manual backport of #2830 to 1.1.0 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6861) --- Summary of changes: crypto/x509/x509_lu.c | 62 --- test/build.info| 6 +- ...test_ssl_test_ctx.t => 60-test_x509_dup_cert.t} | 14 ++--- test/x509_dup_cert_test.c | 70 ++ 4 files changed, 106 insertions(+), 46 deletions(-) copy test/recipes/{80-test_ssl_test_ctx.t => 60-test_x509_dup_cert.t} (51%) create mode 100644 test/x509_dup_cert_test.c diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index b80cc8e..e5bea5b 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -310,26 +310,30 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, return 1; } -int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) +static int x509_store_add(X509_STORE *ctx, void *x, int crl) { X509_OBJECT *obj; -int ret = 1, added = 1; +int ret = 0, added = 0; if (x == NULL) return 0; obj = X509_OBJECT_new(); if (obj == NULL) return 0; -obj->type = X509_LU_X509; -obj->data.x509 = x; + +if (crl) { +obj->type = X509_LU_CRL; +obj->data.crl = (X509_CRL *)x; +} else { +obj->type = X509_LU_X509; +obj->data.x509 = (X509 *)x; +} X509_OBJECT_up_ref_count(obj); CRYPTO_THREAD_write_lock(ctx->lock); if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { -X509err(X509_F_X509_STORE_ADD_CERT, -X509_R_CERT_ALREADY_IN_HASH_TABLE); -ret = 0; +ret = 1; } else { added = sk_X509_OBJECT_push(ctx->objs, obj); ret = added != 0; 
@@ -337,46 +341,28 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) CRYPTO_THREAD_unlock(ctx->lock); -if (!ret) /* obj not pushed */ +if (added == 0) /* obj not pushed */ X509_OBJECT_free(obj); -if (!added) /* on push failure */ -X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); return ret; } -int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) +int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) { -X509_OBJECT *obj; -int ret = 1, added = 1; - -if (x == NULL) -return 0; -obj = X509_OBJECT_new(); -if (obj == NULL) + if (!x509_store_add(ctx, x, 0)) { +X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); return 0; -obj->type = X509_LU_CRL; -obj->data.crl = x; -X509_OBJECT_up_ref_count(obj); - -CRYPTO_THREAD_write_lock(ctx->lock); - -if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { -X509err(X509_F_X509_STORE_ADD_CRL, X509_R_CERT_ALREADY_IN_HASH_TABLE); -ret = 0; -} else { -added = sk_X509_OBJECT_push(ctx->objs, obj); -ret = added != 0; } +return 1; +} -CRYPTO_THREAD_unlock(ctx->lock); - -if (!ret) /* obj not pushed */ -X509_OBJECT_free(obj); -if (!added) /* on push failure */ +int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) +{ +if (!x509_store_add(ctx, x, 1)) { X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE); - -return ret; +return 0; +} +return 1; } int X509_OBJECT_up_ref_count(X509_OBJECT *a) diff --git a/test/build.info b/test/build.info index 87961bc..d850b52 100644 --- a/test/build.info +++ b/test/build.info @@ -18,7 +18,7 @@ IF[{- !$disabled{tests} -}] dtlsv1listentest ct_test threadstest afalgtest d2i_test \ ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ - ocspapitest fatalerrtest x509_time_test errtest + ocspapitest fatalerrtest x509_time_test x509_dup_cert_test errtest SOURCE[versions]=versions.c INCLUDE[versions]=../include @@ -301,6 +301,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[x509_time_test]=.. ../include DEPEND[x509_time_test]=../libcrypto +
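Review bot: x509_store_add() returns 0 both for `x == NULL` and for X509_OBJECT_new() or sk_X509_OBJECT_push() failure, and the two wrappers turn every 0 into ERR_R_MALLOC_FAILURE; a NULL certificate or CRL is therefore reported as an out-of-memory condition. Either raise ERR_R_PASSED_NULL_PARAMETER inside x509_store_add() for the NULL case before returning, or return a distinct value so the wrappers can report the two failures correctly.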
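Review bot: Adding an object that is already in the store now returns 1 silently instead of failing with X509_R_CERT_ALREADY_IN_HASH_TABLE. That is the purpose of the change, but it is an observable API change on a stable branch: callers that used the error to detect duplicates lose that signal, so a CHANGES entry and a note in the X509_STORE_add_cert documentation should accompany the backport. The refcount handling in that branch is balanced: the object was up-ref'd, `added == 0` leads to X509_OBJECT_free(), which drops the reference again.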
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via e0a79ae63700051ddab9e091031dd37ae18182a5 (commit) from c700d1fe090acf3661d3948c25f489803f50a98b (commit) - Log - commit e0a79ae63700051ddab9e091031dd37ae18182a5 Author: Rich Salz Date: Fri Aug 3 18:03:22 2018 -0400 Use auto-null-initializer Thanks to GitHub user YuDudysheva for reporting this. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/6853) --- Summary of changes: ssl/ssl_ciph.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 7a393cb..b8da982 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -101,10 +101,7 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = { {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, }; -static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = { -NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -NULL, NULL -}; +static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]; #define SSL_COMP_NULL_IDX 0 #define SSL_COMP_ZLIB_IDX 1 _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
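Review bot: No further change needed on this hunk: a static array is zero-initialised, so dropping the explicit initialiser changes no behaviour. It also removes a maintenance hazard, since the enumerated NULLs had to be kept in step with SSL_ENC_NUM_IDX by hand while the implicit form cannot drift.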
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via c700d1fe090acf3661d3948c25f489803f50a98b (commit) via 4e7ade969944a9e6923a48471efb910dfb5f4a3a (commit) from 24233a0f3c491919ee3a38e2567271ccc041ee1d (commit) - Log - commit c700d1fe090acf3661d3948c25f489803f50a98b Author: Andy Polyakov Date: Thu Aug 2 09:02:47 2018 +0200 asn1/tasn_utl.c: fix logical error in asn1_do_lock. CRYPTO_atomic_add was assumed to return negative value on error, while it returns 0. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6843) commit 4e7ade969944a9e6923a48471efb910dfb5f4a3a Author: Andy Polyakov Date: Thu Aug 2 08:59:48 2018 +0200 Revert "asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock." This reverts commit 24233a0f3c491919ee3a38e2567271ccc041ee1d. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6843) --- Summary of changes: crypto/asn1/tasn_utl.c | 35 --- 1 file changed, 12 insertions(+), 23 deletions(-) diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c index 22e853d..cad45a0 100644 --- a/crypto/asn1/tasn_utl.c +++ b/crypto/asn1/tasn_utl.c @@ -57,10 +57,8 @@ int asn1_set_choice_selector(ASN1_VALUE **pval, int value, int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) { const ASN1_AUX *aux; -CRYPTO_REF_COUNT *lck; +int *lck, ret; CRYPTO_RWLOCK **lock; -int ret = -1; - if ((it->itype != ASN1_ITYPE_SEQUENCE) && (it->itype != ASN1_ITYPE_NDEF_SEQUENCE)) return 0; 
@@ -69,34 +67,25 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) return 0; lck = offset2ptr(*pval, aux->ref_offset); lock = offset2ptr(*pval, aux->ref_lock); - -switch (op) { -case 0: -*lck = ret = 1; +if (op == 0) { +*lck = 1; *lock = CRYPTO_THREAD_lock_new(); if (*lock == NULL) { ASN1err(ASN1_F_ASN1_DO_LOCK, ERR_R_MALLOC_FAILURE); return -1; } -break; -case 1: -if (!CRYPTO_UP_REF(lck, , *lock)) -return -1; -break; -case -1: -if (!CRYPTO_DOWN_REF(lck, , *lock)) -return -1; /* failed */ +return 1; +} +if (!CRYPTO_atomic_add(lck, op, , *lock)) +return -1; /* failed */ #ifdef REF_PRINT -fprintf(stderr, "%p:%4d:%s\n", it, ret, it->sname); +fprintf(stderr, "%p:%4d:%s\n", it, *lck, it->sname); #endif -REF_ASSERT_ISNT(ret < 0); -if (ret == 0) { -CRYPTO_THREAD_lock_free(*lock); -*lock = NULL; -} -break; +REF_ASSERT_ISNT(ret < 0); +if (ret == 0) { +CRYPTO_THREAD_lock_free(*lock); +*lock = NULL; } - return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
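Review bot: In the re-applied fix, the REF_PRINT line goes back to printing `*lck` rather than `ret`: `*lck` is a plain read of the counter after the atomic add, so under contention it may show another thread's update, whereas `ret`, filled in by CRYPTO_atomic_add, is the value this call produced and the one REF_ASSERT_ISNT and the `ret == 0` lock-free check below use. Print ret for consistency. The revert also drops the restriction of `op` to 0, 1 and -1 that the switch form gave; any other op is now passed straight to CRYPTO_atomic_add, which is the pre-existing behaviour but worth an assertion.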
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 24233a0f3c491919ee3a38e2567271ccc041ee1d (commit) from c0cc23af26d0363dbd164ceae97ed044e3fd8861 (commit) - Log - commit 24233a0f3c491919ee3a38e2567271ccc041ee1d Author: Andy Polyakov Date: Tue Jul 31 14:59:14 2018 +0200 asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock. CRYPTO_atomic_add was assumed to return negative value on error, while it returns 0. Reviewed-by: Rich Salz (cherry picked from commit 680b9d45b005c2d0a48fd574db903bf4486b49ae) --- Summary of changes: crypto/asn1/tasn_utl.c | 35 +++ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c index f79d7d6..22e853d 100644 --- a/crypto/asn1/tasn_utl.c +++ b/crypto/asn1/tasn_utl.c @@ -57,8 +57,10 @@ int asn1_set_choice_selector(ASN1_VALUE **pval, int value, int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) { const ASN1_AUX *aux; -int *lck, ret; +CRYPTO_REF_COUNT *lck; CRYPTO_RWLOCK **lock; +int ret = -1; + if ((it->itype != ASN1_ITYPE_SEQUENCE) && (it->itype != ASN1_ITYPE_NDEF_SEQUENCE)) return 0; 
@@ -67,25 +69,34 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) return 0; lck = offset2ptr(*pval, aux->ref_offset); lock = offset2ptr(*pval, aux->ref_lock); -if (op == 0) { -*lck = 1; + +switch (op) { +case 0: +*lck = ret = 1; *lock = CRYPTO_THREAD_lock_new(); if (*lock == NULL) { ASN1err(ASN1_F_ASN1_DO_LOCK, ERR_R_MALLOC_FAILURE); return -1; } -return 1; -} -if (CRYPTO_atomic_add(lck, op, , *lock) < 0) -return -1; /* failed */ +break; +case 1: +if (!CRYPTO_UP_REF(lck, , *lock)) +return -1; +break; +case -1: +if (!CRYPTO_DOWN_REF(lck, , *lock)) +return -1; /* failed */ #ifdef REF_PRINT -fprintf(stderr, "%p:%4d:%s\n", it, *lck, it->sname); +fprintf(stderr, "%p:%4d:%s\n", it, ret, it->sname); #endif -REF_ASSERT_ISNT(ret < 0); -if (ret == 0) { -CRYPTO_THREAD_lock_free(*lock); -*lock = NULL; +REF_ASSERT_ISNT(ret < 0); +if (ret == 0) { +CRYPTO_THREAD_lock_free(*lock); +*lock = NULL; +} +break; } + return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
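Review bot: This hunk introduces CRYPTO_REF_COUNT, CRYPTO_UP_REF and CRYPTO_DOWN_REF without adding an include for the header that defines them; they belong to the newer refcount API that the cherry-pick source commit relies on, so confirm they exist on OpenSSL_1_1_0-stable before merging, since a missing type here fails the build on every platform. The switch also moves the REF_PRINT and REF_ASSERT_ISNT block inside `case -1:` only, so an up-ref is no longer printed under REF_PRINT even though the old code printed on every non-zero op; if that narrowing is intended, say so in the commit message.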
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via c0cc23af26d0363dbd164ceae97ed044e3fd8861 (commit) from 35fa31cc9d480dcd5108d17ccf8dc576bee20f09 (commit) - Log - commit c0cc23af26d0363dbd164ceae97ed044e3fd8861 Author: Pauli Date: Tue Jul 31 13:11:00 2018 +1000 Check return from BN_sub Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6823) (cherry picked from commit 3d3cbce550ff5d6172cf28dbbf80bda93f6577a9) --- Summary of changes: crypto/rsa/rsa_ossl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c index 41fafa7..8e81cbb 100644 --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -332,7 +332,8 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, goto err; if (padding == RSA_X931_PADDING) { -BN_sub(f, rsa->n, ret); +if (!BN_sub(f, rsa->n, ret)) +goto err; if (BN_cmp(ret, f) > 0) res = f; else _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 35fa31cc9d480dcd5108d17ccf8dc576bee20f09 (commit) from 34515e8f88e57c13cdf2b1d4ec094ffd4e9f8d94 (commit) - Log - commit 35fa31cc9d480dcd5108d17ccf8dc576bee20f09 Author: Pauli Date: Tue Jul 31 11:37:05 2018 +1000 Check conversion return in ASN1_INTEGER_print_bio. Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the BN instead of doing it separately. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6821) (cherry picked from commit 35c9408108f3608eb572acd7f64a93cf4f43f4f6) --- Summary of changes: crypto/ts/ts_lib.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c index de36e0e..ce2e12c 100644 --- a/crypto/ts/ts_lib.c +++ b/crypto/ts/ts_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -22,10 +22,9 @@ int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num) int result = 0; char *hex; -num_bn = BN_new(); +num_bn = ASN1_INTEGER_to_BN(num, NULL); if (num_bn == NULL) return -1; -ASN1_INTEGER_to_BN(num, num_bn); if ((hex = BN_bn2hex(num_bn))) { result = BIO_write(bio, "0x", 2) > 0; result = result && BIO_write(bio, hex, strlen(hex)) > 0; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
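Review bot: In TS_ASN1_INTEGER_print_bio the allocation failure path returns -1 while a BIO_write failure leaves `result` at 0; the hunk keeps that mixed convention (it was there before), but since the function is being touched it would be cleaner to return one failure value and document it. Relying on ASN1_INTEGER_to_BN(num, NULL) to allocate is correct and also catches a failed conversion, which the old code ignored by discarding the return value; the BN still has to be freed on every exit, which the hunk context does not show, so check the tail of the function.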
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 34515e8f88e57c13cdf2b1d4ec094ffd4e9f8d94 (commit) from 3c0addb71c66adf729f48050c3a75f68c44b23b6 (commit) - Log - commit 34515e8f88e57c13cdf2b1d4ec094ffd4e9f8d94 Author: Bryan Donlan Date: Tue Jul 17 13:38:17 2018 -0700 Remove DSA digest length checks when no digest is passed FIPS 186-4 does not specify a hard requirement on DSA digest lengths, and in any case the current check rejects the FIPS recommended digest lengths for key sizes != 1024 bits. Fixes: #6748 Reviewed-by: Rich Salz Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/6749) (cherry picked from commit 665d9d1c0655d6f709c99e1211c1e11fcebfeecd) --- Summary of changes: crypto/dsa/dsa_pmeth.c | 18 -- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index a1cbaad..a82c4c9 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -76,13 +76,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; -if (dctx->md) { -if (tbslen != (size_t)EVP_MD_size(dctx->md)) -return 0; -} else { -if (tbslen != SHA_DIGEST_LENGTH) -return 0; -} +if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) +return 0; ret = DSA_sign(0, tbs, tbslen, sig, , dsa); @@ -100,13 +95,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; -if (dctx->md) { -if (tbslen != (size_t)EVP_MD_size(dctx->md)) -return 0; -} else { -if (tbslen != SHA_DIGEST_LENGTH) -return 0; -} +if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) +return 0; ret = DSA_verify(0, tbs, tbslen, sig, siglen, dsa); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
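Review bot: dropping the `tbslen != SHA_DIGEST_LENGTH` fallback means that when no digest is set on the context (dctx->md == NULL) pkey_dsa_sign and pkey_dsa_verify no longer bound tbslen at all and hand it straight to DSA_sign/DSA_verify; that is the right place for the check to live only if the lower layer copes with inputs both longer than the size of q (truncation as FIPS 186-4 describes) and shorter, so please confirm that and say in the EVP_PKEY_sign/EVP_PKEY_verify documentation that the caller owns the digest length when no digest is set. The change also has no CHANGES entry even though it alters which inputs are accepted on a stable branch.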
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 3c0addb71c66adf729f48050c3a75f68c44b23b6 (commit) via 811162832e875576c13139493d949b3157a1c8cf (commit) from 9da6f31c7e61b484dda6c0a59d46c76410981e13 (commit) - Log - commit 3c0addb71c66adf729f48050c3a75f68c44b23b6 Author: Andy Polyakov Date: Fri Jul 20 13:23:42 2018 +0200 crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop. Problem was that Windows threads that were terminating before libcrypto was initialized were referencing uninitialized or possibly even unrelated thread local storage index. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6799) (cherry picked from commit 80ae7285e1994d35c84519bf9e038b11d9942875) Resolved conflicts: crypto/init.c commit 811162832e875576c13139493d949b3157a1c8cf Author: Andy Polyakov Date: Fri Jul 20 13:15:48 2018 +0200 crypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6799) (cherry picked from commit b86d57bb0b23253c720db38ab18ca97cb888f701) Resolved conflicts: crypto/cryptlib.c --- Summary of changes: crypto/cryptlib.c | 104 +- crypto/init.c | 54 ++-- 2 files changed, 122 insertions(+), 36 deletions(-) diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index bf73244..3b878cd 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c 
@@ -23,29 +23,97 @@ extern unsigned int OPENSSL_ia32cap_P[4]; # if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY) -#include + +/* + * Purpose of these minimalistic and character-type-agnostic subroutines + * is to break dependency on MSVCRT (on Windows) and locale. This makes + * OPENSSL_cpuid_setup safe to use as "constructor". "Character-type- + * agnostic" means that they work with either wide or 8-bit characters, + * exploiting the fact that first 127 characters can be simply casted + * between the sets, while the rest would be simply rejected by ossl_is* + * subroutines. + */ +# ifdef _WIN32 +typedef WCHAR variant_char; + +static variant_char *ossl_getenv(const char *name) +{ +/* + * Since we pull only one environment variable, it's simpler to + * to just ignore |name| and use equivalent wide-char L-literal. + * As well as to ignore excessively long values... + */ +static WCHAR value[48]; +DWORD len = GetEnvironmentVariableW(L"OPENSSL_ia32cap", value, 48); + +return (len > 0 && len < 48) ? 
value : NULL; +} +# else +typedef char variant_char; +# define ossl_getenv getenv +# endif + +static int todigit(variant_char c) +{ +if (c >= '0' && c <= '9') +return c - '0'; +else if (c >= 'A' && c <= 'F') +return c - 'A' + 10; +else if (c >= 'a' && c <= 'f') +return c - 'a' + 10; + +/* return largest base value to make caller terminate the loop */ +return 16; +} + +static uint64_t ossl_strtouint64(const variant_char *str) +{ +uint64_t ret = 0; +unsigned int digit, base = 10; + +if (*str == '0') { +base = 8, str++; +if (*str == 'x' || *str == 'X') +base = 16, str++; +} + +while((digit = todigit(*str++)) < base) +ret = ret * base + digit; + +return ret; +} + +static variant_char *ossl_strchr(const variant_char *str, char srch) +{ variant_char c; + +while((c = *str)) { +if (c == srch) + return (variant_char *)str; +str++; +} + +return NULL; +} + # define OPENSSL_CPUID_SETUP typedef uint64_t IA32CAP; + void OPENSSL_cpuid_setup(void) { static int trigger = 0; IA32CAP OPENSSL_ia32_cpuid(unsigned int *); IA32CAP vec; -char *env; +const variant_char *env; if (trigger) return; trigger = 1; -if ((env = getenv("OPENSSL_ia32cap"))) { +if ((env = ossl_getenv("OPENSSL_ia32cap")) != NULL) { int off = (env[0] == '~') ? 1 : 0; -# if defined(_WIN32) -if (!sscanf(env + off, "%I64i", )) -vec = strtoul(env + off, NULL, 0); -# else -if (!sscanf(env + off, "%lli", (long long *))) -vec = strtoul(env + off, NULL, 0); -# endif + +vec = ossl_strtouint64(env + off); + if (off) { IA32CAP mask = vec; vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P) & ~mask; @@ -64,15 +132,17 @@ void OPENSSL_cpuid_setup(void) vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P); } -if ((env = strchr(env, ':'))) { -unsigned int vecx; +if ((env = ossl_strchr(env, ':')) != NULL) { +IA32CAP vecx; + env++; off = (env[0]
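Review bot: ossl_strtouint64 silently wraps on overflow (nothing checks that `ret = ret * base + digit` still fits in 64 bits), whereas the strtoul it replaces saturated, so an overlong OPENSSL_ia32cap value now yields an arbitrary mask; since the value feeds the capability vector directly when there is no leading `~`, that can claim instructions the CPU does not have, exactly as a deliberately wrong value could before, so this is tolerable for a debugging knob but deserves a comment so it is not "fixed" later into a libc dependency again. On the Windows side, ossl_getenv ignores `name`, uses a static 48-WCHAR buffer and treats any value of 47 or more characters as unset (`len < 48`), a silent difference from the POSIX path that the comment should spell out. Also, the `sscanf(env + off, "%I64i", )` line in the removed code is shown here with its output argument missing, which looks like an artifact of the archive rendering rather than the patch.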
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 9da6f31c7e61b484dda6c0a59d46c76410981e13 (commit) via ed04bcf67426888e8f8556b9eb37e9e2cf4eb04b (commit) via e1c495db1d48c4a8c467d4a5e692e991528d8618 (commit) via 63ad27165f9abd4f9e55d1a2e8c9bbdb01073a4f (commit) via 6040bd3f7109dcae508c3194232e7b8ee8654dc0 (commit) from 2f19065bd35dc84492c4c47ff5b706340300866f (commit) - Log - commit 9da6f31c7e61b484dda6c0a59d46c76410981e13 Author: Andy Polyakov Date: Thu Jul 26 14:38:53 2018 +0200 CHANGES: mention blinding reverting in ECDSA. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6796) commit ed04bcf67426888e8f8556b9eb37e9e2cf4eb04b Author: Andy Polyakov Date: Wed Jul 25 10:29:51 2018 +0200 bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation. New implementation failed to correctly reset r->neg flag. Spotted by OSSFuzz. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6796) (cherry picked from commit 70a579ae2f37437a1e02331eeaa84e1b68ba021e) commit e1c495db1d48c4a8c467d4a5e692e991528d8618 Author: Andy Polyakov Date: Thu Jul 12 22:27:43 2018 +0200 ec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6796) (cherry picked from commit 37132c9702328940a99b1307f742ab094ef754a7) commit 63ad27165f9abd4f9e55d1a2e8c9bbdb01073a4f Author: Andy Polyakov Date: Fri Jul 6 16:13:29 2018 +0200 ec/ecdsa_ossl.c: formatting and readability fixes. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6796) (cherry picked from commit fff7a0dcf6e3135c7f93e6cb5fb35e37dd0b384d) commit 6040bd3f7109dcae508c3194232e7b8ee8654dc0 Author: Andy Polyakov Date: Fri Jul 6 15:55:34 2018 +0200 ec/ecdsa_ossl.c: revert blinding in ECDSA signature. Originally suggested solution for "Return Of the Hidden Number Problem" is arguably too expensive. 
While it has marginal impact on slower curves, none to ~6%, optimized implementations suffer real penalties. Most notably sign with P-256 went more than 2 times[!] slower. Instead, just implement constant-time BN_mod_add_quick. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6796) (cherry picked from commit 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f) Resolved conflicts: crypto/ec/ecdsa_ossl.c --- Summary of changes: CHANGES | 4 ++ crypto/bn/bn_mod.c | 67 ++-- crypto/ec/ecdsa_ossl.c | 130 +++ crypto/include/internal/bn_int.h | 2 + 4 files changed, 104 insertions(+), 99 deletions(-) diff --git a/CHANGES b/CHANGES index 148960a..277654d 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,10 @@ Changes between 1.1.0h and 1.1.0i [xx XXX ] + *) Revert blinding in ECDSA sign and instead make problematic addition + length-invariant. Switch even to fixed-length Montgomery multiplication. + [Andy Polyakov] + *) Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c index 13b583f..e33e3f3 100644 --- a/crypto/bn/bn_mod.c +++ b/crypto/bn/bn_mod.c 
@@ -35,18 +35,73 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, /* * BN_mod_add variant that may be used if both a and b are non-negative and - * less than m + * less than m. The original algorithm was + * + *if (!BN_uadd(r, a, b)) + * return 0; + *if (BN_ucmp(r, m) >= 0) + * return BN_usub(r, r, m); + * + * which is replaced with addition, subtracting modulus, and conditional + * move depending on whether or not subtraction borrowed. */ -int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const BIGNUM *m) +int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m) { -if (!BN_uadd(r, a, b)) +size_t i, ai, bi, mtop = m->top; +BN_ULONG storage[1024 / BN_BITS2]; +BN_ULONG carry, temp, mask, *rp, *tp = storage; +const BN_ULONG *ap, *bp; + +if (bn_wexpand(r, mtop) == NULL) return 0; -if (BN_ucmp(r, m) >= 0) -return BN_usub(r, r, m); + +if (mtop > sizeof(storage) / sizeof(storage[0]) +&& (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL) + return 0; + +ap = a->d != NULL ? a->d : tp; +bp = b->d != NULL ? b->d : tp; + +for (i = 0,
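Review bot: the new CHANGES entry says the ECDSA blinding is reverted, but the 1.1.0i entry that sits just below it in the same file (added on this branch in commit 707efcd6, "Add blinding to ECDSA and DSA signatures to protect against side channel attacks") still announces blinding for ECDSA, so the release notes will contradict themselves; amend the older entry to mention DSA only. In bn_mod_add_fixed_top, `ap = a->d != NULL ? a->d : tp;` substitutes the uninitialised scratch buffer for an unallocated operand, which is safe only because such an operand has top == 0 and the loop must therefore never dereference ap below that bound; a one-line comment saying so would spare the next reader (and a sanitiser) the question. The hunk also renames the public BN_mod_add_quick to the internal bn_mod_add_fixed_top; the part of the diff that presumably re-adds BN_mod_add_quick as a wrapper is beyond what is shown here, so please make sure the exported symbol and its documented behaviour survive.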
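The commit message above replaces ECDSA blinding with a length-invariant modular addition, and the comment in the hunk describes the shape of it: add, subtract the modulus, then keep the subtraction result depending on whether it borrowed. The following block is an added illustration of that structure and is not OpenSSL's bn_mod_add_fixed_top; it assumes (hypothetically) a modulus of exactly NW 64-bit words, operands 0 <= a, b < m, and no BIGNUM machinery at all. The point it shows is that every loop runs a fixed number of iterations and the final choice is a masked select rather than the `if (BN_ucmp(r, m) >= 0)` branch of the original algorithm, so neither the loop count nor the branch pattern depends on the operand values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not OpenSSL code. NW is a hypothetical fixed word count
 * (4 x 64 bits = 256 bits); a real implementation fixes it at the size of m.
 */
#define NW 4

/* Returns x when mask is all ones, y when mask is zero; no branch. */
static uint64_t ct_select(uint64_t mask, uint64_t x, uint64_t y)
{
    return (x & mask) | (y & ~mask);
}

/* r = (a + b) mod m for 0 <= a, b < m, all vectors exactly NW words. */
static void ct_mod_add(uint64_t r[NW], const uint64_t a[NW],
                       const uint64_t b[NW], const uint64_t m[NW])
{
    uint64_t sum[NW], diff[NW];
    uint64_t carry = 0, borrow = 0, mask;
    size_t i;

    /* sum = a + b, always NW iterations, carry out of the top word kept */
    for (i = 0; i < NW; i++) {
        uint64_t t = a[i] + carry;
        carry = (t < carry);
        sum[i] = t + b[i];
        carry += (sum[i] < t);
    }

    /* diff = sum - m, always NW iterations, borrow out of the top word kept */
    for (i = 0; i < NW; i++) {
        uint64_t t = sum[i] - borrow;
        borrow = (sum[i] < borrow);
        diff[i] = t - m[i];
        borrow += (t < m[i]);
    }

    /*
     * Keep diff when the true sum was >= m: either the addition carried out
     * of the top word (then sum + 2^(64*NW) >= m even though diff borrowed)
     * or the subtraction did not borrow. The mask is computed arithmetically,
     * so the selection is not a branch on operand values.
     */
    mask = 0 - (carry | (borrow ^ 1));
    for (i = 0; i < NW; i++)
        r[i] = ct_select(mask, diff[i], sum[i]);
}

/* Single-word convenience wrapper used by the checks below. */
static uint64_t ct_mod_add_small(uint64_t a, uint64_t b, uint64_t m)
{
    uint64_t av[NW] = { a, 0, 0, 0 }, bv[NW] = { b, 0, 0, 0 };
    uint64_t mv[NW] = { m, 0, 0, 0 }, r[NW];

    ct_mod_add(r, av, bv, mv);
    return r[0];
}

/* (m-1) + (m-1) mod m with m = 2^256 - 1: the 256-bit sum overflows. */
static int ct_mod_add_wrap_case(void)
{
    const uint64_t all1 = UINT64_MAX;
    uint64_t m[NW] = { all1, all1, all1, all1 };
    uint64_t a[NW] = { all1 - 1, all1, all1, all1 };
    uint64_t r[NW];

    ct_mod_add(r, a, a, m);
    /* expected m - 2, i.e. { all1 - 2, all1, all1, all1 } */
    return r[0] == all1 - 2 && r[1] == all1 && r[2] == all1 && r[3] == all1;
}

int main(void)
{
    printf("5 + 6 mod 7 = %llu\n",
           (unsigned long long)ct_mod_add_small(5, 6, 7));
    printf("3 + 3 mod 7 = %llu\n",
           (unsigned long long)ct_mod_add_small(3, 3, 7));
    printf("overflowing case correct: %d\n", ct_mod_add_wrap_case());
    return 0;
}
```

The carry from the addition has to be folded into the selection: when a and b together exceed 2^(64*NW) the subtraction always borrows, yet diff is still the right answer, which is why the mask is carry OR not-borrow rather than not-borrow alone.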
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 2f19065bd35dc84492c4c47ff5b706340300866f (commit) via b7862891fed4cfb5ec36a31d35e14b51bf26d01e (commit) from 616153f2f9c07f51212fb5e85170e89a4ebaadbb (commit) - Log - commit 2f19065bd35dc84492c4c47ff5b706340300866f Author: Andy Polyakov Date: Fri Jul 6 15:13:15 2018 +0200 bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors. Note that exported functions maintain original behaviour, so that external callers won't observe difference. While internally we can now perform Montogomery multiplication on fixed-length vectors, fixed at modulus size. The new functions, bn_to_mont_fixed_top and bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use them even outside bn, e.g. in RSA, DSA, ECDSA... Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6707) (cherry picked from commit 71883868ea5b33416ae8283bcc38dd2d97e5006b) Resolved conflicts: crypto/bn/bn_exp.c crypto/bn/bn_mont.c crypto/include/internal/bn_int.h commit b7862891fed4cfb5ec36a31d35e14b51bf26d01e Author: Andy Polyakov Date: Fri Jul 6 15:02:29 2018 +0200 bn/bn_lib.c: add BN_FLG_FIXED_TOP flag. The new flag marks vectors that were not treated with bn_correct_top, in other words such vectors are permitted to be zero padded. For now it's BN_DEBUG-only flag, as initial use case for zero-padded vectors would be controlled Montgomery multiplication/exponentiation, not general purpose. For general purpose use another type might be more appropriate. Advantage of this suggestion is that it's possible to back-port it... bn/bn_div.c: fix memory sanitizer problem. bn/bn_sqr.c: harmonize with BN_mul. 
Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6707) (cherry picked from commit 305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb) Resolved conflicts: crypto/bn/bn_lcl.h --- Summary of changes: crypto/bn/bn_div.c | 1 + crypto/bn/bn_exp.c | 47 ++-- crypto/bn/bn_lcl.h | 21 ++ crypto/bn/bn_lib.c | 15 + crypto/bn/bn_mont.c | 45 -- crypto/bn/bn_sqr.c | 10 ++--- crypto/include/internal/bn_int.h | 11 ++ 7 files changed, 102 insertions(+), 48 deletions(-) diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index 5e620b2..aa13ce6 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -240,6 +240,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, wnum.neg = 0; wnum.d = &(snum->d[loop]); wnum.top = div_n; +wnum.flags = BN_FLG_STATIC_DATA; /* * only needed when BN_ucmp messes up the values between top and max */ diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index dac3640..a6ad475 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -371,17 +371,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ret = 1; goto err; } -if (!BN_to_montgomery(val[0], aa, mont, ctx)) +if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx)) goto err; /* 1 */ window = BN_window_bits_for_exponent_size(bits); if (window > 1) { -if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) +if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || -!BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx)) +!bn_mul_mont_fixed_top(val[i], val[i - 1], d, mont, ctx)) goto err; } } 
@@ -403,19 +403,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, for (i = 1; i < j; i++) r->d[i] = (~m->d[i]) & BN_MASK2; r->top = j; -/* - * Upper words will be zero if the corresponding words of 'm' were - * 0xfff[...], so decrement r->top accordingly. - */ -bn_correct_top(r); +r->flags |= BN_FLG_FIXED_TOP; } else #endif -if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) +if (!bn_to_mont_fixed_top(r, BN_value_one(), mont, ctx)) goto err; for (;;) { if (BN_is_bit_set(p, wstart) == 0) { if (!start) { -if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) +if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx)) goto err; } if (wstart == 0) @@ -446,12 +442,12 @@
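Review bot: `r->flags |= BN_FLG_FIXED_TOP;` replaces the bn_correct_top() call unconditionally, while the commit message describes BN_FLG_FIXED_TOP as a BN_DEBUG-only flag; that is consistent only if the macro expands to 0 in non-debug builds, otherwise a new bit appears in the public flags word, so please confirm the definition in bn_lcl.h. Since the message promises that exported functions keep their original behaviour, BN_mod_exp_mont must still normalise `rr` with bn_correct_top before returning now that every intermediate is zero padded; that part of the hunk is beyond what is shown here. The bn_div.c change, marking the stack-local `wnum` with BN_FLG_STATIC_DATA because its `d` aliases `snum->d`, is correct and is what keeps a later expansion path from freeing memory it does not own.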
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 616153f2f9c07f51212fb5e85170e89a4ebaadbb (commit) from 707efcd64129c8010e192bd209bace0bc6d18ac9 (commit) - Log - commit 616153f2f9c07f51212fb5e85170e89a4ebaadbb Author: Kurt Roeckx Date: Thu Jul 26 11:10:24 2018 +0200 Fix inconsistent use of bit vs bits Reviewed-by: Tim Hudson GH: #6794 (cherry picked from commit b9e54e98066c1ff8adab5d68b6c114b14d2f74e5) --- Summary of changes: doc/crypto/BN_generate_prime.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod index 4adc3c8..849df07 100644 --- a/doc/crypto/BN_generate_prime.pod +++ b/doc/crypto/BN_generate_prime.pod @@ -102,8 +102,8 @@ probabilistic primality test with B iterations. If B, a number of iterations is used that yields a false positive rate of at most 2^-64 for random input. The error rate depends on the size of the prime and goes down for bigger primes. -The rate is 2^-80 starting at 308 bits, 2^-112 at 852 bit, 2^-128 at 1080 bits, -2^-192 at 3747 bit and 2^-256 at 6394 bit. +The rate is 2^-80 starting at 308 bits, 2^-112 at 852 bits, 2^-128 at 1080 bits, +2^-192 at 3747 bits and 2^-256 at 6394 bits. When the source of the prime is not random or not trusted, the number of checks needs to be much higher to reach the same level of assurance: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 707efcd64129c8010e192bd209bace0bc6d18ac9 (commit) via acaa6ae936194362cb8011a2c145eb87aae1d1fa (commit) from e18da726ed60b502f19fa35fca20201759f371d9 (commit) - Log - commit 707efcd64129c8010e192bd209bace0bc6d18ac9 Author: Kurt Roeckx Date: Wed Jul 25 18:55:16 2018 +0200 Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime The old numbers where all generated for an 80 bit security level. But the number should depend on security level you want to reach. For bigger primes we want a higher security level and so need to do more tests. Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale GH: #6075 Fixes: #6012 (cherry picked from commit feac7a1c8be49fbcb76fcb721ec9f02fdd91030e) commit acaa6ae936194362cb8011a2c145eb87aae1d1fa Author: Kurt Roeckx Date: Wed Apr 25 21:47:20 2018 +0200 Change the number of Miller-Rabin test for DSA generation to 64 This changes the security level from 100 to 128 bit. We only have 1 define, this sets it to the highest level supported for DSA, and needed for keys larger than 3072 bit. Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale GH: #6075 (cherry picked from commit 74ee379651fb2bb12c6f7eb9fa10e70be89ac7c8) --- Summary of changes: CHANGES | 10 + doc/crypto/BN_generate_prime.pod | 12 +- include/openssl/bn.h | 87 +++- include/openssl/dsa.h| 8 ++-- 4 files changed, 95 insertions(+), 22 deletions(-) diff --git a/CHANGES b/CHANGES index b16a1be..148960a 100644 --- a/CHANGES +++ b/CHANGES 
@@ -9,6 +9,16 @@ Changes between 1.1.0h and 1.1.0i [xx XXX ] + *) Change generating and checking of primes so that the error rate of not + being prime depends on the intended use based on the size of the input. + For larger primes this will result in more rounds of Miller-Rabin. + The maximal error rate for primes with more than 1080 bits is lowered + to 2^-128. + [Kurt Roeckx, Annie Yousar] + + *) Increase the number of Miller-Rabin rounds for DSA key generating to 64. + [Kurt Roeckx] + *) Add blinding to ECDSA and DSA signatures to protect against side channel attacks discovered by Keegan Ryan (NCC Group). [Matt Caswell] diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod index c97536b..4adc3c8 100644 --- a/doc/crypto/BN_generate_prime.pod +++ b/doc/crypto/BN_generate_prime.pod @@ -100,7 +100,17 @@ If B, this test is skipped. Both BN_is_prime_ex() and BN_is_prime_fasttest_ex() perform a Miller-Rabin probabilistic primality test with B iterations. If B, a number of iterations is used that -yields a false positive rate of at most 2^-80 for random input. +yields a false positive rate of at most 2^-64 for random input. +The error rate depends on the size of the prime and goes down for bigger primes. +The rate is 2^-80 starting at 308 bits, 2^-112 at 852 bit, 2^-128 at 1080 bits, +2^-192 at 3747 bit and 2^-256 at 6394 bit. + +When the source of the prime is not random or not trusted, the number +of checks needs to be much higher to reach the same level of assurance: +It should equal half of the targeted security level in bits (rounded up to the +next integer if necessary). +For instance, to reach the 128 bit security level, B should be set to +64. If B is not B, B is called after the j-th iteration (j = 0, 1, ...). B is a diff --git a/include/openssl/bn.h b/include/openssl/bn.h index 54ae760..7b2e4fa 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h 
@@ -119,25 +119,76 @@ void *BN_GENCB_get_arg(BN_GENCB *cb); * on the size of the number */ /* - * number of Miller-Rabin iterations for an error rate of less than 2^-80 for - * random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of - * Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; - * original paper: Damgaard, Landrock, Pomerance: Average case error - * estimates for the strong probable prime test. -- Math. Comp. 61 (1993) - * 177-194) + * BN_prime_checks_for_size() returns the number of Miller-Rabin iterations + * that will be done for checking that a random number is probably prime. The + * error rate for accepting a composite number as prime depends on the size of + * the prime |b|. The error rates used are for calculating an RSA key with 2 primes, + * and so the level is what you would expect for a key of double the size of the + * prime. + * + * This table is generated using the algorithm of FIPS PUB 186-4 + * Digital Signature Standard (DSS), section
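Review bot: the new bn.h comment says the error rates "are for calculating an RSA key with 2 primes, and so the level is what you would expect for a key of double the size of the prime", but the pod text only says the default yields "at most 2^-64 for random input"; a caller who checks a single prime used on its own (a DSA or DH p, or an application verifying one number) therefore gets a weaker assurance than the named level, and that caveat belongs in BN_generate_prime.pod next to the table, not only in a header comment. The pod's "half of the targeted security level" rule for untrusted input should also name the parameter it applies to, i.e. the explicit B<nchecks> argument, since the auto-selected count is documented for random input only (the B<> markup is stripped in this rendering, so check the source). Finally, DSS_prime_checks going to 64 is described in the message as "the highest level supported for DSA"; the dsa.h hunk is not shown here, so make sure the define's comment says which security level it now corresponds to.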
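The commit messages above and the pod change describe two different ways of choosing the number of Miller-Rabin rounds: a size-based table for random candidates (the bn.h table itself is cut off in this rendering, so it is not reproduced) and, for a candidate from an untrusted source, half the targeted security level rounded up. The block below is an added example, not OpenSSL code, that implements only the second rule and shows why it matters: it runs the strong probable prime test against 3215031751 = 151 * 751 * 28351, a composite that passes for the fixed bases 2, 3, 5 and 7, and rejects it with random bases. Candidates are limited to 63 bits, and bases are drawn from a small xorshift generator (a hypothetical stand-in for a CSPRNG, kept deterministic so the run is reproducible); the helper names mr_round_passes, mr_rounds_untrusted and is_probable_prime are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code. All moduli must be below 2^63. */

/* (a * b) mod m by double-and-add; m < 2^63 keeps r + a from wrapping. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    uint64_t r = 0;

    a %= m;
    while (b != 0) {
        if (b & 1) {
            r += a;
            if (r >= m)
                r -= m;
        }
        a <<= 1;
        if (a >= m)
            a -= m;
        b >>= 1;
    }
    return r;
}

static uint64_t powmod(uint64_t base, uint64_t e, uint64_t m)
{
    uint64_t r = 1;

    base %= m;
    while (e != 0) {
        if (e & 1)
            r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        e >>= 1;
    }
    return r;
}

/* One strong probable prime round for odd n > 3: 1 if n passes to base a. */
static int mr_round_passes(uint64_t n, uint64_t a)
{
    uint64_t d = n - 1, x;
    int s = 0, i;

    while ((d & 1) == 0) {        /* n - 1 = d * 2^s with d odd */
        d >>= 1;
        s++;
    }
    x = powmod(a, d, n);
    if (x == 1 || x == n - 1)
        return 1;
    for (i = 1; i < s; i++) {
        x = mulmod(x, x, n);
        if (x == n - 1)
            return 1;
    }
    return 0;                     /* a is a witness: n is composite */
}

/* Rounds for an untrusted candidate: half the security level, rounded up. */
static int mr_rounds_untrusted(int security_bits)
{
    return (security_bits + 1) / 2;
}

/* Toy PRNG standing in for a CSPRNG; state must be non-zero. */
static uint64_t xorshift64(uint64_t *state)
{
    uint64_t x = *state;

    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return *state = x;
}

/* 1 if n survives `rounds` random-base rounds, 0 once a witness is found. */
static int is_probable_prime(uint64_t n, int rounds, uint64_t seed)
{
    int i;

    if (n < 4)
        return n == 2 || n == 3;
    if ((n & 1) == 0)
        return 0;
    if (seed == 0)
        seed = 1;
    for (i = 0; i < rounds; i++) {
        uint64_t a = 2 + xorshift64(&seed) % (n - 3);   /* base in [2, n-2] */
        if (!mr_round_passes(n, a))
            return 0;
    }
    return 1;
}

int main(void)
{
    uint64_t n = 3215031751ULL;             /* 151 * 751 * 28351 */
    int rounds = mr_rounds_untrusted(128);  /* 64, the pod's example */

    printf("fixed bases 2,3,5,7 all pass: %d\n",
           mr_round_passes(n, 2) && mr_round_passes(n, 3) &&
           mr_round_passes(n, 5) && mr_round_passes(n, 7));
    printf("%d random rounds accept it: %d\n", rounds,
           is_probable_prime(n, rounds, 0x9E3779B97F4A7C15ULL));
    printf("2^61-1 accepted: %d\n",
           is_probable_prime(2305843009213693951ULL, rounds, 1));
    return 0;
}
```

The fixed-base result is the reason the pod distinguishes random from untrusted input: an adversary who supplies the candidate can pick one that fools any fixed set of bases, so only the number of independent random rounds bounds the acceptance probability, at most 4^-rounds per the standard Miller-Rabin bound, which is where "half the security level" comes from.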
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via e18da726ed60b502f19fa35fca20201759f371d9 (commit) from 1de6818a30fa11350460aa148e1ee30cad0a9b10 (commit) - Log - commit e18da726ed60b502f19fa35fca20201759f371d9 Author: Rich Salz Date: Wed Jul 25 15:57:18 2018 -0400 Check for failures, to avoid memory leak Thanks to Jiecheng Wu, Zuxing Gu for the report. Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/6791) (cherry picked from commit 037241bf046be8cfc7e9216959393dd20b06fc21) --- Summary of changes: crypto/ec/ec_ameth.c| 11 ++- crypto/x509v3/v3_tlsf.c | 7 +++ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index b66adf2..49d0739 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -92,19 +92,19 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) static EC_KEY *eckey_type2param(int ptype, const void *pval) { EC_KEY *eckey = NULL; +EC_GROUP *group = NULL; + if (ptype == V_ASN1_SEQUENCE) { const ASN1_STRING *pstr = pval; -const unsigned char *pm = NULL; -int pmlen; -pm = pstr->data; -pmlen = pstr->length; +const unsigned char *pm = pstr->data; +int pmlen = pstr->length; + if ((eckey = d2i_ECParameters(NULL, , pmlen)) == NULL) { ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); goto ecerr; } } else if (ptype == V_ASN1_OBJECT) { const ASN1_OBJECT *poid = pval; -EC_GROUP *group; /* * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID @@ -129,6 +129,7 @@ static EC_KEY *eckey_type2param(int ptype, const void *pval) ecerr: EC_KEY_free(eckey); +EC_GROUP_free(group); return NULL; } diff --git a/crypto/x509v3/v3_tlsf.c b/crypto/x509v3/v3_tlsf.c index fec6724..2d30ea6 100644 --- a/crypto/x509v3/v3_tlsf.c +++ b/crypto/x509v3/v3_tlsf.c 
@@ -121,13 +121,12 @@ static TLS_FEATURE *v2i_TLS_FEATURE(const X509V3_EXT_METHOD *method, } } -ai = ASN1_INTEGER_new(); -if (ai == NULL) { +if ((ai = ASN1_INTEGER_new()) == NULL +|| !ASN1_INTEGER_set(ai, tlsextid) +|| sk_ASN1_INTEGER_push(tlsf, ai) <= 0) { X509V3err(X509V3_F_V2I_TLS_FEATURE, ERR_R_MALLOC_FAILURE); goto err; } -ASN1_INTEGER_set(ai, tlsextid); -sk_ASN1_INTEGER_push(tlsf, ai); } return tlsf; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
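Review bot: in v2i_TLS_FEATURE the combined condition `(ai = ASN1_INTEGER_new()) == NULL || !ASN1_INTEGER_set(ai, tlsextid) || sk_ASN1_INTEGER_push(tlsf, ai) <= 0` jumps to err without freeing `ai` when the set or the push fails, so a patch titled "avoid memory leak" introduces a new one on those two branches; free `ai` before the goto (or at err:, setting ai = NULL after a successful push). Reporting all three failures as ERR_R_MALLOC_FAILURE is fine since each is an allocation. In eckey_type2param the hoisted `EC_GROUP *group = NULL;` plus `EC_GROUP_free(group);` at ecerr is right for the V_ASN1_OBJECT branch, but the hunk no longer shows where `group` is released on the success path; if it is freed there as well, set it to NULL afterwards so a later jump to ecerr cannot free it twice.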
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 1de6818a30fa11350460aa148e1ee30cad0a9b10 (commit) from 793e7eafd46a39f6345d7113a517c5ee5c2c6884 (commit) - Log - commit 1de6818a30fa11350460aa148e1ee30cad0a9b10 Author: Andy Polyakov Date: Fri Jul 20 13:19:11 2018 +0200 crypto/cryptlib.c: resolve possible race in OPENSSL_isservice. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6752) (cherry picked from commit 9e4a1c3f65863b0175ddc534e232e63c4f82ea5c) --- Summary of changes: crypto/cryptlib.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index d93bcd3..bf73244 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -128,10 +128,14 @@ int OPENSSL_isservice(void) if (_OPENSSL_isservice.p == NULL) { HANDLE mod = GetModuleHandle(NULL); +FARPROC f; + if (mod != NULL) -_OPENSSL_isservice.f = GetProcAddress(mod, "_OPENSSL_isservice"); -if (_OPENSSL_isservice.p == NULL) +f = GetProcAddress(mod, "_OPENSSL_isservice"); +if (f == NULL) _OPENSSL_isservice.p = (void *)-1; +else +_OPENSSL_isservice.f = f; } if (_OPENSSL_isservice.p != (void *)-1) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
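Review bot: `FARPROC f;` is left uninitialised when `mod == NULL`, because the only assignment is under `if (mod != NULL)`, yet the very next line tests `if (f == NULL)`; that reads an indeterminate value and, if it happens to be non-NULL, stores garbage into `_OPENSSL_isservice.f` and then calls through it. Initialise it: `FARPROC f = NULL;`. The remaining check-then-set on `_OPENSSL_isservice.p` is still a data race between threads, but a benign one, since every thread writes the same value; a comment saying that is intentional would stop the next reader from reopening this commit.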
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 793e7eafd46a39f6345d7113a517c5ee5c2c6884 (commit) from 36e732b00c8a22d50f88ee59d8790d5667ff72e2 (commit) - Log - commit 793e7eafd46a39f6345d7113a517c5ee5c2c6884 Author: Andy Polyakov Date: Mon Jul 23 22:26:30 2018 +0200 apps/dsaparam.c: make dsaparam -C output strict-warnings-friendly. Reviewed-by: Rich Salz (cherry picked from commit d6b50b6e2ebc0c198877b5c56ae0a54cb9036088) --- Summary of changes: apps/dsaparam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 46e3abc..20891cf 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -226,7 +226,7 @@ int dsaparam_main(int argc, char **argv) data = app_malloc(len + 20, "BN space"); -BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); +BIO_printf(bio_out, "static DSA *get_dsa%d(void)\n{\n", bits_p); print_bignum_var(bio_out, p, "dsap", bits_p, data); print_bignum_var(bio_out, q, "dsaq", bits_p, data); print_bignum_var(bio_out, g, "dsag", bits_p, data); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
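Review bot: emitting `static DSA *get_dsa%d(void)` changes the linkage of the generated function, so anyone who compiled the `dsaparam -C` output in one translation unit and called get_dsaNNNN() from another now gets an undefined symbol at link time; that is a user-visible change to the tool's output and should be mentioned in the dsaparam documentation, even if a CHANGES entry seems heavy for a warning fix. The prototype form with `void` is the right fix for the strict-warnings build.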
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 36e732b00c8a22d50f88ee59d8790d5667ff72e2 (commit) via f65389acaad600e816dcd9c231ea70d505d027a4 (commit) via 64eae7475e6caa669cd6369770ba4853ecaff8d1 (commit) from bb8befc66003c765c227f01b1b4d60e19db86fc7 (commit) - Log - commit 36e732b00c8a22d50f88ee59d8790d5667ff72e2 Author: Richard Levitte Date: Tue Jul 24 21:46:55 2018 +0200 Configure death handler: instead of printing directly, amend the message This is done by calling die again, just make sure to reset the __DIE__ handler first. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6776) (cherry picked from commit eb807d5383fd228a5c4cf9afc2fec487e0d22cee) commit f65389acaad600e816dcd9c231ea70d505d027a4 Author: Richard Levitte Date: Tue Jul 24 19:29:49 2018 +0200 Configure death handler: remember to call original death handler Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6776) (cherry picked from commit 88accfe6dccf904fec5a17db4a59cd2c4c480382) commit 64eae7475e6caa669cd6369770ba4853ecaff8d1 Author: Richard Levitte Date: Tue Jul 24 19:29:06 2018 +0200 Configure death handler: bail out early when run in eval block Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6776) (cherry picked from commit 1a6c30029802179ebe0ec1eedfdc9d78bb6dc4dd) --- Summary of changes: Configure | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Configure b/Configure index 19bab07..7e482f7 100755 --- a/Configure +++ b/Configure 
@@ -2163,14 +2163,19 @@ exit(0); # Death handler, to print a helpful message in case of failure ### # sub death_handler { +die @_ if $^S; # To prevent the added message in eval blocks my $build_file = $target{build_file} // "build file"; -print STDERR <<"_"; +my @message = ( <<"_", @_ ); Failure! $build_file wasn't produced. Please read INSTALL and associated NOTES files. You may also have to look over your available compiler tool chain or change your configuration. _ + +# Dying is terminal, so it's ok to reset the signal handler here. +$SIG{__DIE__} = $orig_death_handler; +die @message; } # Configuration file reading # _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
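Review bot: `die @_ if $^S;` is the right guard for eval blocks, and resetting `$SIG{__DIE__}` before re-dying avoids recursion, but the added text "Failure! $build_file wasn't produced." is prepended to every fatal error, including ones raised long before any build file is attempted (an unknown target string, the NASM check in 10-main.conf), where `$target{build_file}` is unset and the message falls back to the unhelpful "build file"; consider adding the advice only once the builder phase has started, or wording it so it does not claim a file was attempted. Also note that `die @message` stringifies `@_`, so a caller that dies with an exception object loses it; acceptable for Configure, but worth a comment.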
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via bb8befc66003c765c227f01b1b4d60e19db86fc7 (commit) from eff1c8a2d8c625b36e6ed33bd49ac09f37f1bf22 (commit) - Log - commit bb8befc66003c765c227f01b1b4d60e19db86fc7 Author: Richard Levitte Date: Tue Jul 24 10:45:05 2018 +0200 Configure: print generic advice when dying On the same note, change the 'NASM not found' message to give specific advice on how to handle the failure. Fixes #6765 Reviewed-by: Tim Hudson Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/6771) (cherry picked from commit 8937a4ed8ac3fd64be61e9ce7a16bf3d2273) --- Summary of changes: Configurations/10-main.conf | 4 ++-- Configure | 18 ++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 7e66705..6c05c28 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -14,7 +14,7 @@ sub vc_win64a_info { asflags => "/c /Cp /Cx /Zi", asoutflag => "/Fo" }; } else { -$die->("NASM not found - please read INSTALL and NOTES.WIN for further details\n"); +$die->("NASM not found - make sure it's installed and available on %PATH%\n"); $vc_win64a_info = { as=> "{unknown}", asflags => "", asoutflag => "" }; @@ -39,7 +39,7 @@ sub vc_win32_info { asoutflag => "/Fo", perlasm_scheme => "win32" }; } else { -$die->("NASM not found - please read INSTALL and NOTES.WIN for further details\n"); +$die->("NASM not found - make sure it's installed and available on %PATH%\n"); $vc_win32_info = { as=> "{unknown}", asflags => "", asoutflag => "", diff --git a/Configure b/Configure index f819cab..19bab07 100755 --- a/Configure +++ b/Configure 
@@ -20,6 +20,9 @@ use OpenSSL::Glob; # see INSTALL for instructions. +my $orig_death_handler = $SIG{__DIE__}; +$SIG{__DIE__} = \_handler; + my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; # Options: @@ -2127,6 +2130,8 @@ my %builders = ( $builders{$builder}->($builder_platform, @builder_opts); +$SIG{__DIE__} = $orig_death_handler; + print <<"EOF"; Configured for $target. @@ -2155,6 +2160,19 @@ exit(0); # Helpers and utility functions # +# Death handler, to print a helpful message in case of failure ### +# +sub death_handler { +my $build_file = $target{build_file} // "build file"; +print STDERR <<"_"; + +Failure! $build_file wasn't produced. +Please read INSTALL and associated NOTES files. You may also have to look over +your available compiler tool chain or change your configuration. + +_ +} + # Configuration file reading # # Note: All of the helper functions are for lazy evaluation. They all _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
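Review bot: as added here death_handler prints the advice and returns, so Perl then prints the original error after it and the exit status is unchanged, which works, but the handler also fires for every die inside an eval block (there is no `$^S` check) and it discards whatever `$orig_death_handler` held instead of chaining to it; both are corrected by the follow-up commits 64eae747, f65389ac and 36e732b0 on this branch, so the two patches should be read together when backporting. The `$SIG{__DIE__} = \_handler;` line is shown here with the `&death` part of the reference lost, which looks like an archive rendering artifact rather than the patch. The new NASM message is an improvement, though the removed one pointed at INSTALL and NOTES.WIN, which the generic death message now covers.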
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via eff1c8a2d8c625b36e6ed33bd49ac09f37f1bf22 (commit) via 5c2bac9289e97b47dc1fd1603efe09d3e10ce9cb (commit) via 08a1d30e6051afc78780f92e80b9809ba1bdaac3 (commit) from 1ef7cb279ccb69f5c3adde8aa961b72c05094237 (commit) - Log - commit eff1c8a2d8c625b36e6ed33bd49ac09f37f1bf22 Author: Andy Polyakov Date: Wed Jul 18 15:22:07 2018 +0200 ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine. ecp_nistz256_set_from_affine is called when application attempts to use custom generator, i.e. rarely. Even though it was wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6738) (cherry picked from commit 8fc4aeb9521270ac74b29ce7f569939b0b39e685) commit 5c2bac9289e97b47dc1fd1603efe09d3e10ce9cb Author: Andy Polyakov Date: Wed Jul 18 15:14:44 2018 +0200 ec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function. The ecp_nistz256_scatter_w7 function is called when application attempts to use custom generator, i.e. rarely. Even though non-x86_64 versions were wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6738) (cherry picked from commit 87a75b3e5c04a1696208c279f32d1114b862cfed) commit 08a1d30e6051afc78780f92e80b9809ba1bdaac3 Author: Andy Polyakov Date: Wed Jul 18 15:13:27 2018 +0200 bn/bn_intern.c: const-ify bn_set_{static}_words. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6738) (cherry picked from commit f40e0a342cbca8bb71d0fe3f19e1b4bfd853aff1) --- Summary of changes: crypto/bn/bn_intern.c | 10 +++--- crypto/ec/asm/ecp_nistz256-armv4.pl | 8 crypto/ec/asm/ecp_nistz256-armv8.pl | 16 crypto/ec/asm/ecp_nistz256-sparcv9.pl | 8 crypto/ec/asm/ecp_nistz256-x86.pl | 2 +- crypto/ec/ecp_nistz256.c | 28 ++-- crypto/include/internal/bn_int.h | 4 ++-- 7 files changed, 32 insertions(+), 44 deletions(-) 
diff --git a/crypto/bn/bn_intern.c b/crypto/bn/bn_intern.c index 2c97064..92f1cb7 100644 --- a/crypto/bn/bn_intern.c +++ b/crypto/bn/bn_intern.c @@ -177,16 +177,20 @@ BN_ULONG *bn_get_words(const BIGNUM *a) return a->d; } -void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size) +void bn_set_static_words(BIGNUM *a, const BN_ULONG *words, int size) { -a->d = words; +/* + * |const| qualifier omission is compensated by BN_FLG_STATIC_DATA + * flag, which effectively means "read-only data". + */ +a->d = (BN_ULONG *)words; a->dmax = a->top = size; a->neg = 0; a->flags |= BN_FLG_STATIC_DATA; bn_correct_top(a); } -int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words) +int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words) { if (bn_wexpand(a, num_words) == NULL) { BNerr(BN_F_BN_SET_WORDS, ERR_R_MALLOC_FAILURE); diff --git a/crypto/ec/asm/ecp_nistz256-armv4.pl b/crypto/ec/asm/ecp_nistz256-armv4.pl index 39d4cb9..4b58135 100755 --- a/crypto/ec/asm/ecp_nistz256-armv4.pl +++ b/crypto/ec/asm/ecp_nistz256-armv4.pl @@ -894,13 +894,13 @@ ecp_nistz256_scatter_w7: .Loop_scatter_w7: ldr $mask,[$inp],#4 subs$index,$index,#1 - strb$mask,[$out,#64*0-1] + strb$mask,[$out,#64*0] mov $mask,$mask,lsr#8 - strb$mask,[$out,#64*1-1] + strb$mask,[$out,#64*1] mov $mask,$mask,lsr#8 - strb$mask,[$out,#64*2-1] + strb$mask,[$out,#64*2] mov $mask,$mask,lsr#8 - strb$mask,[$out,#64*3-1] + strb$mask,[$out,#64*3] add $out,$out,#64*4 bne .Loop_scatter_w7 diff --git a/crypto/ec/asm/ecp_nistz256-armv8.pl b/crypto/ec/asm/ecp_nistz256-armv8.pl index cdc9161..a726cc3 100644 --- a/crypto/ec/asm/ecp_nistz256-armv8.pl +++ b/crypto/ec/asm/ecp_nistz256-armv8.pl 
@@ -1477,21 +1477,21 @@ ecp_nistz256_scatter_w7: prfmpstl1strm,[$out,#4096+64*5] prfmpstl1strm,[$out,#4096+64*6] prfmpstl1strm,[$out,#4096+64*7] - strbw3,[$out,#64*0-1] + strbw3,[$out,#64*0] lsr x3,x3,#8 - strbw3,[$out,#64*1-1] + strbw3,[$out,#64*1] lsr x3,x3,#8 - strbw3,[$out,#64*2-1] + strbw3,[$out,#64*2] lsr x3,x3,#8 - strbw3,[$out,#64*3-1] + strbw3,[$out,#64*3] lsr x3,x3,#8 - strbw3,[$out,#64*4-1] + strbw3,[$out,#64*4] lsr x3,x3,#8 - strbw3,[$out,#64*5-1] + strb
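Review bot: the `(BN_ULONG *)words` cast in the bn_set_static_words hunk discards the `const` qualifier the new prototype advertises, so the guarantee to callers is only as strong as every writer's respect for BN_FLG_STATIC_DATA; the added comment says the flag compensates, but it should also state that anything which clears the flag or expands such a BIGNUM would then write through a pointer the caller declared read-only. bn_set_words, which fills the BIGNUM's own buffer via bn_wexpand rather than aliasing `words`, does not share this concern.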
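Review bot: the armv4 and armv8 scatter_w7 hunks correct the same off-by-one, the `-1` in every `[$out,#64*k-1]` store offset, which placed each scattered byte one position before its slot; the commit message says this was invisible to point operations, which means no existing test drives the scatter/gather pair through a custom generator, and the summary of changes adds no test file. Suggest a regression test that installs a custom generator on a group using the nistz256 path and compares a scalar multiplication against the generic implementation, and confirm the sparcv9 file listed in the summary (not shown here) receives the identical offset change.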
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 1ef7cb279ccb69f5c3adde8aa961b72c05094237 (commit) from a0d893f9b403e2e435b39b4adf14ebffadd4ea89 (commit) - Log - commit 1ef7cb279ccb69f5c3adde8aa961b72c05094237 Author: Andy Polyakov Date: Sat Jul 21 13:50:14 2018 +0200 apps/dsaparam.c: fix -C output. Reviewed-by: Matthias St. Pierre Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6758) (cherry picked from commit 708c28f2f0598af6bccbeb60fb46086784aed7da) --- Summary of changes: apps/dsaparam.c | 27 +++ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 5c3c8f8..46e3abc 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c 
@@ -227,24 +227,27 @@ int dsaparam_main(int argc, char **argv) data = app_malloc(len + 20, "BN space"); BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); -print_bignum_var(bio_out, p, "dsap", len, data); -print_bignum_var(bio_out, q, "dsaq", len, data); -print_bignum_var(bio_out, g, "dsag", len, data); +print_bignum_var(bio_out, p, "dsap", bits_p, data); +print_bignum_var(bio_out, q, "dsaq", bits_p, data); +print_bignum_var(bio_out, g, "dsag", bits_p, data); BIO_printf(bio_out, "DSA *dsa = DSA_new();\n" +"BIGNUM *p, *q, *g;\n" "\n"); BIO_printf(bio_out, "if (dsa == NULL)\n" "return NULL;\n"); -BIO_printf(bio_out, "dsa->p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL);\n", - bits_p, bits_p); -BIO_printf(bio_out, "dsa->q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL);\n", - bits_p, bits_p); -BIO_printf(bio_out, "dsa->g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL);\n", - bits_p, bits_p); -BIO_printf(bio_out, "if (!dsa->p || !dsa->q || !dsa->g) {\n" -"DSA_free(dsa);\n" +BIO_printf(bio_out, "if (!DSA_set0_pqg(dsa, p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL),\n", + bits_p, bits_p); +BIO_printf(bio_out, " q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL),\n", + bits_p, bits_p); +BIO_printf(bio_out, " g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL))) {\n", + bits_p, bits_p); +BIO_printf(bio_out, "DSA_free(dsa);\n" +"BN_free(p);\n" +"BN_free(q);\n" +"BN_free(g);\n" "return NULL;\n" "}\n" -"return(dsa);\n}\n"); +"return dsa;\n}\n"); OPENSSL_free(data); } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
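Review bot: in the dsaparam.c hunk the substantive fix is passing `bits_p` instead of `len` to print_bignum_var, so that the emitted array declarations carry the same `_%d` suffix as the `dsap_%d`/`dsaq_%d`/`dsag_%d` references in the generated code; assuming print_bignum_var uses its fourth argument as the name suffix, the old output declared one name and referenced another and would not compile unless `len` happened to equal `bits_p`. The commit message only says "fix -C output", so spell this out. The remainder of the hunk moves the generated code from direct `dsa->p` assignment to DSA_set0_pqg, which is required now that the struct is opaque; the failure path is sound because DSA_set0_pqg rejects a NULL p, q or g on a fresh DSA without taking ownership, the three BN_free calls then release whatever BN_bin2bn did allocate, and BN_free(NULL) is a no-op.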
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via a0d893f9b403e2e435b39b4adf14ebffadd4ea89 (commit) from 46905cd473db84649b39850c02056883c3da0960 (commit) - Log - commit a0d893f9b403e2e435b39b4adf14ebffadd4ea89 Author: Richard Levitte Date: Sun Jul 22 10:56:25 2018 +0200 Configure: Display error/warning on deprecated/unsupported options after loop Fixes #6755 Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6759) (cherry picked from commit ddbe700e93e34694519d303e1b4e4525184c9dad) --- Summary of changes: Configure | 26 +- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/Configure b/Configure index 7f073b6..f819cab 100755 --- a/Configure +++ b/Configure @@ -756,21 +756,21 @@ while (@argvcopy) else { $config{options} .= " ".$_; } } + } -if (defined($config{api}) && !exists $apitable->{$config{api}}) { - die "* Unsupported api compatibility level: $config{api}\n", -} +if (defined($config{api}) && !exists $apitable->{$config{api}}) { + die "* Unsupported api compatibility level: $config{api}\n", +} - if (keys %deprecated_options) - { - warn "* Deprecated options: ", - join(", ", keys %deprecated_options), "\n"; - } - if (keys %unsupported_options) - { - die "* Unsupported options: ", - join(", ", keys %unsupported_options), "\n"; - } +if (keys %deprecated_options) + { + warn "* Deprecated options: ", + join(", ", keys %deprecated_options), "\n"; + } +if (keys %unsupported_options) + { + die "* Unsupported options: ", + join(", ", keys %unsupported_options), "\n"; } if ($libs =~ /(^|\s)-Wl,-rpath,/ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
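Review bot: the moved `die "* Unsupported api compatibility level: $config{api}\n",` line ends with a comma rather than a semicolon; Perl accepts a trailing comma in the `die` list before the closing brace, but since the hunk re-indents this block anyway, end it with `;` like the `warn` and `die` calls below it. Behaviourally the hunk is right: with the checks inside `while (@argvcopy)`, an unsupported option terminated Configure on the first one encountered, before the remaining arguments were parsed; after the loop, `%unsupported_options` and `%deprecated_options` are reported in full in one run and `$config{api}` is validated once against its final value.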
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 46905cd473db84649b39850c02056883c3da0960 (commit) from 821c3baa002fc874553cfacd65bd7bd6f6e9cb3f (commit) - Log - commit 46905cd473db84649b39850c02056883c3da0960 Author: Richard Levitte Date: Thu Jul 12 22:55:03 2018 +0200 PKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF As per RFC 7292. Fixes #6665 Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6708) (cherry picked from commit b709babbca0498cd2b05f543b09f57f4a670298e) --- Summary of changes: crypto/pkcs12/p12_asn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/pkcs12/p12_asn.c b/crypto/pkcs12/p12_asn.c index f2bfe32..3ad8664 100644 --- a/crypto/pkcs12/p12_asn.c +++ b/crypto/pkcs12/p12_asn.c @@ -51,7 +51,7 @@ ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ ASN1_ADB(PKCS12_SAFEBAG) = { ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)), ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)), -ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), +ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SEQUENCE_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
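Review bot: switching the `NID_safeContentsBag` template from ASN1_EXP_SET_OF to ASN1_EXP_SEQUENCE_OF changes the tag the decoder requires as well as the tag the encoder writes, so PKCS#12 files whose nested safeContentsBag was produced by an earlier release with the SET tag will no longer parse; the commit message cites RFC 7292 but not this compatibility effect, and the summary of changes shows no CHANGES entry. Suggest adding one and, if such files exist in the wild, a decode path that tolerates either tag.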
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 821c3baa002fc874553cfacd65bd7bd6f6e9cb3f (commit) from 0b139e41b4ca03c1d36f4c93c6e9147e497029ca (commit) - Log - commit 821c3baa002fc874553cfacd65bd7bd6f6e9cb3f Author: Andy Polyakov Date: Mon Jul 16 18:17:44 2018 +0200 bn/bn_lib.c address Coverity nit in bn2binpad. It was false positive, but one can as well view it as readability issue. Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions with signed dividend vs. 1 (one) with unsigned. Reviewed-by: Rich Salz (cherry picked from commit 83e034379fa3f6f0d308ec75fbcb137e26154aec) --- Summary of changes: crypto/bn/bn_lib.c | 23 +++ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index ebad255..6c57a53 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -498,28 +498,27 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) /* ignore negative */ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { -int i, j, top; +int n; +size_t i, inc, lasti, j; BN_ULONG l; -i = BN_num_bytes(a); +n = BN_num_bytes(a); if (tolen == -1) -tolen = i; -else if (tolen < i) +tolen = n; +else if (tolen < n) return -1; -if (i == 0) { +if (n == 0) { OPENSSL_cleanse(to, tolen); return tolen; } -top = a->top * BN_BYTES; -for (i = 0, j = tolen; j > 0; i++) { -unsigned int mask; - -mask = constant_time_lt(i, top); -i -= 1 & ~mask; /* stay on top limb */ +lasti = n - 1; +for (i = 0, inc = 1, j = tolen; j > 0;) { l = a->d[i / BN_BYTES]; -to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); +to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc)); +inc = (i - lasti) >> (8 * sizeof(i) - 1); +i += inc; /* stay on top limb */ } return tolen; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
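Review bot: the new limb tracking in the bn2binpad hunk, `inc = (i - lasti) >> (8 * sizeof(i) - 1);`, depends on `i` and `lasti` being `size_t`: while `i < lasti` the subtraction wraps and the top bit is set, giving 1, and once `i == lasti` it gives 0, so `i` stops on the most significant byte and `(0 - inc)` masks every further output byte to zero. The `/* stay on top limb */` comment does not convey this, and if `i` ever reverted to `int` the right shift of a negative value would be implementation-defined; a two-line comment on the wrap-around trick would protect the next reader. It is also worth stating that the `n == 0` early return is what keeps `lasti = n - 1` from underflowing.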
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 0b139e41b4ca03c1d36f4c93c6e9147e497029ca (commit) via 75a67a036a041d9fdac0fd7fd5a461f48709a3d3 (commit) from db9926ff007ad8cd999a4e7eff35b04505b744b8 (commit) - Log - commit 0b139e41b4ca03c1d36f4c93c6e9147e497029ca Author: Andy Polyakov Date: Sun Feb 4 15:24:54 2018 +0100 rsa/*: switch to BN_bn2binpad. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5254) (cherry picked from commit 582ad5d4d9b7703eb089016935133e3a18ea8205) commit 75a67a036a041d9fdac0fd7fd5a461f48709a3d3 Author: Andy Polyakov Date: Sun Feb 4 15:20:29 2018 +0100 bn/bn_lib.c: make BN_bn2binpad computationally constant-time. "Computationally constant-time" means that it might still leak information about input's length, but only in cases when input is missing complete BN_ULONG limbs. But even then leak is possible only if attacker can observe memory access pattern with limb granularity. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5254) (cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a) --- Summary of changes: crypto/bn/bn_lib.c| 23 +++ crypto/rsa/rsa_oaep.c | 38 +++--- crypto/rsa/rsa_ossl.c | 38 -- crypto/rsa/rsa_pk1.c | 39 +-- crypto/rsa/rsa_ssl.c | 8 5 files changed, 79 insertions(+), 67 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 8fa9f2f..ebad255 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -12,6 +12,7 @@ #include "internal/cryptlib.h" #include "bn_lcl.h" #include +#include "internal/constant_time_locl.h" /* This stuff appears to be completely unused, so is deprecated */ #if OPENSSL_API_COMPAT < 0x00908000L 
@@ -497,24 +498,30 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) /* ignore negative */ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { -int i; +int i, j, top; BN_ULONG l; -bn_check_top(a); i = BN_num_bytes(a); if (tolen == -1) tolen = i; else if (tolen < i) return -1; -/* Add leading zeroes if necessary */ -if (tolen > i) { -memset(to, 0, tolen - i); -to += tolen - i; + +if (i == 0) { +OPENSSL_cleanse(to, tolen); +return tolen; } -while (i--) { + +top = a->top * BN_BYTES; +for (i = 0, j = tolen; j > 0; i++) { +unsigned int mask; + +mask = constant_time_lt(i, top); +i -= 1 & ~mask; /* stay on top limb */ l = a->d[i / BN_BYTES]; -*(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; +to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); } + return tolen; } diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 4878d49..fbe65c4 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c 
@@ -155,32 +155,40 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, dblen = num - mdlen - 1; db = OPENSSL_malloc(dblen); -em = OPENSSL_malloc(num); -if (db == NULL || em == NULL) { +if (db == NULL) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); goto cleanup; } -/* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ -memset(em, 0, num); -memcpy(em + num - flen, from, flen); +if (flen != num) { +em = OPENSSL_zalloc(num); +if (em == NULL) { +RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + ERR_R_MALLOC_FAILURE); +goto cleanup; +} + +/* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ +memcpy(em + num - flen, from, flen); +from = em; +} /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ -good =
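Review bot: the bn2binpad hunk drops `bn_check_top(a)` without the commit message saying why; the new loop emits bytes at indices between `BN_num_bytes(a)` and `a->top * BN_BYTES` straight from the top limb with `mask` set, so the output is only correct if those high bytes of the top limb are zero, which is exactly the normalisation bn_check_top asserted in debug builds. Either keep the check or record the invariant in a comment. Also `constant_time_lt(i, top)` receives two `int` values; they are non-negative here, but an explicit unsigned cast would make the intent clear.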
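Review bot: with `em = OPENSSL_malloc(num)` removed from the top of RSA_padding_check_PKCS1_OAEP_mgf1 and the allocation moved under `if (flen != num)`, the `goto cleanup` taken when `db == NULL` now runs before `em` has been assigned; confirm `em` is initialised to NULL at its declaration (outside this hunk) so that a cleanup path freeing `em` stays safe. Note also that the `flen != num` branch is itself a length-dependent decision, which is why the new comment asks callers to pass BN_bn2binpad output; the hardening only holds for callers that do.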
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via db9926ff007ad8cd999a4e7eff35b04505b744b8 (commit) from 88af716e831fd7f76e2b2eab568905733b7c87eb (commit) - Log - commit db9926ff007ad8cd999a4e7eff35b04505b744b8 Author: Alexandre Perrin Date: Fri Jul 13 10:32:42 2018 +0200 Documentation typo fix in BN_bn2bin.pod Change the description for BN_hex2bn() so that it uses the same BIGNUM argument name as its prototype. CLA: trivial Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6712) --- Summary of changes: doc/crypto/BN_bn2bin.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/crypto/BN_bn2bin.pod b/doc/crypto/BN_bn2bin.pod index ac46948..9bfda2d 100644 --- a/doc/crypto/BN_bn2bin.pod +++ b/doc/crypto/BN_bn2bin.pod @@ -55,8 +55,8 @@ freed later using OPENSSL_free(). BN_hex2bn() takes as many characters as possible from the string B, including the leading character '-' which means negative, to form a valid hexadecimal number representation and converts them to a B and -stores it in **B. If *B is NULL, a new B is created. If -B is NULL, it only computes the length of valid representation. +stores it in **B. If *B is NULL, a new B is created. If +B is NULL, it only computes the length of valid representation. A "negative zero" is converted to zero. BN_dec2bn() is the same using the decimal system. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits