svn commit: r340692 - in vendor-crypto/openssl/dist-1.0.2: . apps crypto crypto/bio crypto/bn crypto/bn/asm crypto/conf crypto/dsa crypto/ec crypto/engine crypto/pkcs12 crypto/pkcs7 crypto/rand cry...
Jung-uk Kim
jkim at FreeBSD.org
Tue Nov 20 19:01:24 UTC 2018
Author: jkim
Date: Tue Nov 20 19:01:17 2018
New Revision: 340692
URL: https://svnweb.freebsd.org/changeset/base/340692
Log:
Import OpenSSL 1.0.2q.
Added:
vendor-crypto/openssl/dist-1.0.2/crypto/getenv.c (contents, props changed)
Modified:
vendor-crypto/openssl/dist-1.0.2/CHANGES
vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade
vendor-crypto/openssl/dist-1.0.2/Makefile
vendor-crypto/openssl/dist-1.0.2/NEWS
vendor-crypto/openssl/dist-1.0.2/README
vendor-crypto/openssl/dist-1.0.2/apps/req.c
vendor-crypto/openssl/dist-1.0.2/config
vendor-crypto/openssl/dist-1.0.2/crypto/Makefile
vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c
vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c
vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c
vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c
vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c
vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c
vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c
vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c
vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c
vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h
vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile
vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c
vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c
vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h
vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c
vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c
vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h
vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c
vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_mult.c
vendor-crypto/openssl/dist-1.0.2/crypto/engine/eng_list.c
vendor-crypto/openssl/dist-1.0.2/crypto/opensslconf.h
vendor-crypto/openssl/dist-1.0.2/crypto/opensslv.h
vendor-crypto/openssl/dist-1.0.2/crypto/pkcs12/p12_init.c
vendor-crypto/openssl/dist-1.0.2/crypto/pkcs7/pk7_lib.c
vendor-crypto/openssl/dist-1.0.2/crypto/rand/Makefile
vendor-crypto/openssl/dist-1.0.2/crypto/rand/md_rand.c
vendor-crypto/openssl/dist-1.0.2/crypto/rand/rand_lcl.h
vendor-crypto/openssl/dist-1.0.2/crypto/rand/rand_lib.c
vendor-crypto/openssl/dist-1.0.2/crypto/rand/randfile.c
vendor-crypto/openssl/dist-1.0.2/crypto/rsa/rsa_eay.c
vendor-crypto/openssl/dist-1.0.2/crypto/ui/ui_openssl.c
vendor-crypto/openssl/dist-1.0.2/crypto/x509/by_dir.c
vendor-crypto/openssl/dist-1.0.2/crypto/x509/by_file.c
vendor-crypto/openssl/dist-1.0.2/crypto/x509/x509_vfy.c
vendor-crypto/openssl/dist-1.0.2/crypto/x509v3/v3_purp.c
vendor-crypto/openssl/dist-1.0.2/doc/apps/crl.pod
vendor-crypto/openssl/dist-1.0.2/doc/apps/req.pod
vendor-crypto/openssl/dist-1.0.2/doc/apps/s_server.pod
vendor-crypto/openssl/dist-1.0.2/doc/crypto/EVP_DigestSignInit.pod
vendor-crypto/openssl/dist-1.0.2/doc/crypto/EVP_DigestVerifyInit.pod
vendor-crypto/openssl/dist-1.0.2/doc/crypto/OPENSSL_VERSION_NUMBER.pod
vendor-crypto/openssl/dist-1.0.2/engines/e_capi.c
vendor-crypto/openssl/dist-1.0.2/ssl/d1_pkt.c
vendor-crypto/openssl/dist-1.0.2/ssl/ssl_ciph.c
vendor-crypto/openssl/dist-1.0.2/ssl/ssl_lib.c
vendor-crypto/openssl/dist-1.0.2/ssl/t1_lib.c
vendor-crypto/openssl/dist-1.0.2/util/domd
vendor-crypto/openssl/dist-1.0.2/util/libeay.num
Modified: vendor-crypto/openssl/dist-1.0.2/CHANGES
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/CHANGES Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/CHANGES Tue Nov 20 19:01:17 2018 (r340692)
@@ -7,6 +7,36 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
+
+ *) Microarchitecture timing vulnerability in ECC scalar multiplication
+
+ OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
+ shown to be vulnerable to a microarchitecture timing side channel attack.
+ An attacker with sufficient access to mount local timing attacks during
+ ECDSA signature generation could recover the private key.
+
+ This issue was reported to OpenSSL on 26th October 2018 by Alejandro
+ Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
+ Nicola Tuveri.
+ (CVE-2018-5407)
+ [Billy Brumley]
+
+ *) Timing vulnerability in DSA signature generation
+
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+ (CVE-2018-0734)
+ [Paul Dale]
+
+ *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
+ Module, accidentally introduced while backporting security fixes from the
+ development branch and hindering the use of ECC in FIPS mode.
+ [Nicola Tuveri]
+
Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
*) Client DoS due to large DH parameter
Modified: vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/FREEBSD-upgrade Tue Nov 20 19:01:17 2018 (r340692)
@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/V
# Xlist
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
setenv FSVN "svn+ssh://repo.freebsd.org/base"
-setenv OSSLVER 1.0.2p
-# OSSLTAG format: v1_0_2p
+setenv OSSLVER 1.0.2q
+# OSSLTAG format: v1_0_2q
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
Modified: vendor-crypto/openssl/dist-1.0.2/Makefile
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/Makefile Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/Makefile Tue Nov 20 19:01:17 2018 (r340692)
@@ -4,18 +4,18 @@
## Makefile for OpenSSL
##
-VERSION=1.0.2p
+VERSION=1.0.2q
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=1
SHLIB_MINOR=0.0
-SHLIB_EXT=
-PLATFORM=dist
-OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine
-CONFIGURE_ARGS=dist
-SHLIB_TARGET=
+SHLIB_EXT=.so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+PLATFORM=linux-x86_64
+OPTIONS=-Wa,--noexecstack no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine
+CONFIGURE_ARGS=linux-x86_64 -Wa,--noexecstack
+SHLIB_TARGET=linux-shared
# HERE indicates where this Makefile lives. This can be used to indicate
# where sub-Makefiles are expected to be. Currently has very limited usage,
@@ -59,11 +59,11 @@ OPENSSLDIR=/usr/local/ssl
# equal 4.
# PKCS1_CHECK - pkcs1 tests.
-CC= cc
-CFLAG= -O
+CC= gcc
+CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS
PEX_LIBS=
-EX_LIBS=
+EX_LIBS= -ldl
EXE_EXT=
ARFLAGS=
AR= ar $(ARFLAGS) r
@@ -73,7 +73,7 @@ NM= nm
PERL= /usr/bin/perl
TAR= tar
TARFLAGS= --no-recursion
-MAKEDEPPROG= cc
+MAKEDEPPROG= gcc
LIBDIR=lib
# We let the C compiler driver to take care of .s files. This is done in
@@ -89,23 +89,23 @@ ASFLAG=$(CFLAG)
PROCESSOR=
# CPUID module collects small commonly used assembler snippets
-CPUID_OBJ= mem_clr.o
-BN_ASM= bn_asm.o
-EC_ASM=
+CPUID_OBJ= x86_64cpuid.o
+BN_ASM= x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o
+EC_ASM= ecp_nistz256.o ecp_nistz256-x86_64.o
DES_ENC= des_enc.o fcrypt_b.o
-AES_ENC= aes_core.o aes_cbc.o
+AES_ENC= aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o
BF_ENC= bf_enc.o
CAST_ENC= c_enc.o
-RC4_ENC= rc4_enc.o rc4_skey.o
+RC4_ENC= rc4-x86_64.o rc4-md5-x86_64.o
RC5_ENC= rc5_enc.o
-MD5_ASM_OBJ=
-SHA1_ASM_OBJ=
+MD5_ASM_OBJ= md5-x86_64.o
+SHA1_ASM_OBJ= sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o
RMD160_ASM_OBJ=
-WP_ASM_OBJ= wp_block.o
-CMLL_ENC= camellia.o cmll_misc.o cmll_cbc.o
-MODES_ASM_OBJ=
+WP_ASM_OBJ= wp-x86_64.o
+CMLL_ENC= cmll-x86_64.o cmll_misc.o
+MODES_ASM_OBJ= ghash-x86_64.o aesni-gcm-x86_64.o
ENGINES_ASM_OBJ=
-PERLASM_SCHEME=
+PERLASM_SCHEME= elf
# KRB5 stuff
KRB5_INCLUDES=
@@ -177,8 +177,8 @@ LIBS= libcrypto.a libssl.a
SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
SHARED_SSL=libssl$(SHLIB_EXT)
SHARED_LIBS=
-SHARED_LIBS_LINK_EXTS=
-SHARED_LDFLAGS=
+SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so
+SHARED_LDFLAGS=-m64
GENERAL= Makefile
BASENAME= openssl
Modified: vendor-crypto/openssl/dist-1.0.2/NEWS
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/NEWS Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/NEWS Tue Nov 20 19:01:17 2018 (r340692)
@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018]
+
+ o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
+ o Timing vulnerability in DSA signature generation (CVE-2018-0734)
+
Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]
o Client DoS due to large DH parameter (CVE-2018-0732)
Modified: vendor-crypto/openssl/dist-1.0.2/README
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/README Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/README Tue Nov 20 19:01:17 2018 (r340692)
@@ -1,5 +1,5 @@
- OpenSSL 1.0.2p 14 Aug 2018
+ OpenSSL 1.0.2q 20 Nov 2018
Copyright (c) 1998-2018 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Modified: vendor-crypto/openssl/dist-1.0.2/apps/req.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/apps/req.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/apps/req.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -659,8 +659,7 @@ int MAIN(int argc, char **argv)
}
}
- BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
- newkey, keyalgstr);
+ BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr);
EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
EVP_PKEY_CTX_set_app_data(genctx, bio_err);
Modified: vendor-crypto/openssl/dist-1.0.2/config
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/config Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/config Tue Nov 20 19:01:17 2018 (r340692)
@@ -992,5 +992,6 @@ if [ $? = "0" ]; then
fi
else
echo "This system ($OUT) is not supported. See file INSTALL for details."
+ exit 1
fi
)
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/Makefile
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/Makefile Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/Makefile Tue Nov 20 19:01:17 2018 (r340692)
@@ -36,9 +36,11 @@ TEST=constant_time_test.c
LIB= $(TOP)/libcrypto.a
SHARED_LIB= libcrypto$(SHLIB_EXT)
LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
- ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c
+ ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c \
+ getenv.c
LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \
- uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ)
+ uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o getenv.o \
+ $(CPUID_OBJ)
SRC= $(LIBSRC)
@@ -178,6 +180,13 @@ ex_data.o: ../include/openssl/ossl_typ.h ../include/op
ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
ex_data.o: ex_data.c
fips_ers.o: ../include/openssl/opensslconf.h fips_ers.c
+getenv.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
+getenv.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+getenv.o: ../include/openssl/err.h ../include/openssl/lhash.h
+getenv.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+getenv.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+getenv.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+getenv.o: getenv.c
mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bio/b_sock.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -56,6 +56,9 @@
* [including the GNU Public Licence.]
*/
+#define _DEFAULT_SOURCE
+#define _BSD_SOURCE
+
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
@@ -83,6 +86,11 @@ NETDB_DEFINE_CONTEXT
static int wsa_init_done = 0;
# endif
+# if defined(__GLIBC__)
+# define HAVE_GETHOSTBYNAME_R
+# define GETHOSTNAME_R_BUF (2 * 1024)
+# endif
+
/*
* WSAAPI specifier is required to make indirect calls to run-time
* linked WinSock 2 functions used in this module, to be specific
@@ -116,7 +124,12 @@ int BIO_get_host_ip(const char *str, unsigned char *ip
int i;
int err = 1;
int locked = 0;
- struct hostent *he;
+ struct hostent *he = NULL;
+# ifdef HAVE_GETHOSTBYNAME_R
+ char buf[GETHOSTNAME_R_BUF];
+ struct hostent hostent;
+ int h_errnop;
+# endif
i = get_ip(str, ip);
if (i < 0) {
@@ -138,10 +151,18 @@ int BIO_get_host_ip(const char *str, unsigned char *ip
if (i > 0)
return (1);
+ /* if gethostbyname_r is supported, use it. */
+# ifdef HAVE_GETHOSTBYNAME_R
+ memset(&hostent, 0x00, sizeof(hostent));
+ /* gethostbyname_r() sets |he| to NULL on error, we check it further down */
+ gethostbyname_r(str, &hostent, buf, sizeof(buf), &he, &h_errnop);
+# else
/* do a gethostbyname */
CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
locked = 1;
he = BIO_gethostbyname(str);
+# endif
+
if (he == NULL) {
BIOerr(BIO_F_BIO_GET_HOST_IP, BIO_R_BAD_HOSTNAME_LOOKUP);
goto err;
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/asm/x86_64-gcc.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -55,12 +55,6 @@
* machine.
*/
-# if defined(_WIN64) || !defined(__LP64__)
-# define BN_ULONG unsigned long long
-# else
-# define BN_ULONG unsigned long
-# endif
-
# undef mul
# undef mul_add
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_blind.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -1,6 +1,6 @@
/* crypto/bn/bn_blind.c */
/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -206,10 +206,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
goto err;
} else if (!(b->flags & BN_BLINDING_NO_UPDATE)) {
- if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
- goto err;
- if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx))
- goto err;
+ if (b->m_ctx != NULL) {
+ if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx)
+ || !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx))
+ goto err;
+ } else {
+ if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)
+ || !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
+ goto err;
+ }
}
ret = 1;
@@ -241,13 +246,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BL
else if (!BN_BLINDING_update(b, ctx))
return (0);
- if (r != NULL) {
- if (!BN_copy(r, b->Ai))
- ret = 0;
- }
+ if (r != NULL && (BN_copy(r, b->Ai) == NULL))
+ return 0;
- if (!BN_mod_mul(n, n, b->A, b->mod, ctx))
- ret = 0;
+ if (b->m_ctx != NULL)
+ ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx);
+ else
+ ret = BN_mod_mul(n, n, b->A, b->mod, ctx);
return ret;
}
@@ -264,14 +269,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r,
bn_check_top(n);
- if (r != NULL)
- ret = BN_mod_mul(n, n, r, b->mod, ctx);
- else {
- if (b->Ai == NULL) {
- BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
- return (0);
+ if (r == NULL && (r = b->Ai) == NULL) {
+ BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
+ return 0;
+ }
+
+ if (b->m_ctx != NULL) {
+ /* ensure that BN_mod_mul_montgomery takes pre-defined path */
+ if (n->dmax >= r->top) {
+ size_t i, rtop = r->top, ntop = n->top;
+ BN_ULONG mask;
+
+ for (i = 0; i < rtop; i++) {
+ mask = (BN_ULONG)0 - ((i - ntop) >> (8 * sizeof(i) - 1));
+ n->d[i] &= mask;
+ }
+ mask = (BN_ULONG)0 - ((rtop - ntop) >> (8 * sizeof(ntop) - 1));
+ /* always true, if (rtop >= ntop) n->top = r->top; */
+ n->top = (int)(rtop & ~mask) | (ntop & mask);
+ n->flags |= (BN_FLG_FIXED_TOP & ~mask);
}
- ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
+ ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx);
+ } else {
+ ret = BN_mod_mul(n, n, r, b->mod, ctx);
}
bn_check_top(n);
@@ -366,11 +386,16 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
} while (1);
if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
- if (!ret->bn_mod_exp
- (ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
+ if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
goto err;
} else {
if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
+ goto err;
+ }
+
+ if (ret->m_ctx != NULL) {
+ if (!bn_to_mont_fixed_top(ret->Ai, ret->Ai, ret->m_ctx, ctx)
+ || !bn_to_mont_fixed_top(ret->A, ret->A, ret->m_ctx, ctx))
goto err;
}
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_lib.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -617,26 +617,40 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIG
static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
{
int n;
- size_t i, inc, lasti, j;
+ size_t i, lasti, j, atop, mask;
BN_ULONG l;
+ /*
+ * In case |a| is fixed-top, BN_num_bytes can return bogus length,
+ * but it's assumed that fixed-top inputs ought to be "nominated"
+ * even for padded output, so it works out...
+ */
n = BN_num_bytes(a);
- if (tolen == -1)
+ if (tolen == -1) {
tolen = n;
- else if (tolen < n)
- return -1;
+ } else if (tolen < n) { /* uncommon/unlike case */
+ BIGNUM temp = *a;
- if (n == 0) {
+ bn_correct_top(&temp);
+ n = BN_num_bytes(&temp);
+ if (tolen < n)
+ return -1;
+ }
+
+ /* Swipe through whole available data and don't give away padded zero. */
+ atop = a->dmax * BN_BYTES;
+ if (atop == 0) {
OPENSSL_cleanse(to, tolen);
return tolen;
}
- lasti = n - 1;
- for (i = 0, inc = 1, j = tolen; j > 0;) {
+ lasti = atop - 1;
+ atop = a->top * BN_BYTES;
+ for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) {
l = a->d[i / BN_BYTES];
- to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc));
- inc = (i - lasti) >> (8 * sizeof(i) - 1);
- i += inc; /* stay on top limb */
+ mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
+ *--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
+ i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
}
return tolen;
@@ -888,6 +902,38 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a,
t = (a->top ^ b->top) & condition;
a->top ^= t;
b->top ^= t;
+
+ t = (a->neg ^ b->neg) & condition;
+ a->neg ^= t;
+ b->neg ^= t;
+
+ /*-
+ * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
+ * is actually to treat it as it's read-only data, and some (if not most)
+ * of it does reside in read-only segment. In other words observation of
+ * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
+ * condition. It would either cause SEGV or effectively cause data
+ * corruption.
+ *
+ * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
+ * preserved.
+ *
+ * BN_FLG_SECURE: must be preserved, because it determines how x->d was
+ * allocated and hence how to free it.
+ *
+ * BN_FLG_CONSTTIME: sufficient to mask and swap
+ *
+ * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
+ * the data, so the d array may be padded with additional 0 values (i.e.
+ * top could be greater than the minimal value that it could be). We should
+ * be swapping it
+ */
+
+#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
+
+ t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition;
+ a->flags ^= t;
+ b->flags ^= t;
#define BN_CONSTTIME_SWAP(ind) \
do { \
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mod.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -172,7 +172,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, c
if (mtop > sizeof(storage) / sizeof(storage[0])
&& (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL)
- return 0;
+ return 0;
ap = a->d != NULL ? a->d : tp;
bp = b->d != NULL ? b->d : tp;
@@ -197,6 +197,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, c
((volatile BN_ULONG *)tp)[i] = 0;
}
r->top = mtop;
+ r->flags |= BN_FLG_FIXED_TOP;
r->neg = 0;
if (tp != storage)
@@ -222,6 +223,70 @@ int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNU
if (!BN_sub(r, a, b))
return 0;
return BN_nnmod(r, r, m, ctx);
+}
+
+/*
+ * BN_mod_sub variant that may be used if both a and b are non-negative,
+ * a is less than m, while b is of same bit width as m. It's implemented
+ * as subtraction followed by two conditional additions.
+ *
+ * 0 <= a < m
+ * 0 <= b < 2^w < 2*m
+ *
+ * after subtraction
+ *
+ * -2*m < r = a - b < m
+ *
+ * Thus it takes up to two conditional additions to make |r| positive.
+ */
+int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const BIGNUM *m)
+{
+ size_t i, ai, bi, mtop = m->top;
+ BN_ULONG borrow, carry, ta, tb, mask, *rp;
+ const BN_ULONG *ap, *bp;
+
+ if (bn_wexpand(r, m->top) == NULL)
+ return 0;
+
+ rp = r->d;
+ ap = a->d != NULL ? a->d : rp;
+ bp = b->d != NULL ? b->d : rp;
+
+ for (i = 0, ai = 0, bi = 0, borrow = 0; i < mtop;) {
+ mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1));
+ ta = ap[ai] & mask;
+
+ mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1));
+ tb = bp[bi] & mask;
+ rp[i] = ta - tb - borrow;
+ if (ta != tb)
+ borrow = (ta < tb);
+
+ i++;
+ ai += (i - a->dmax) >> (8 * sizeof(i) - 1);
+ bi += (i - b->dmax) >> (8 * sizeof(i) - 1);
+ }
+ ap = m->d;
+ for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) {
+ ta = ((ap[i] & mask) + carry) & BN_MASK2;
+ carry = (ta < carry);
+ rp[i] = (rp[i] + ta) & BN_MASK2;
+ carry += (rp[i] < ta);
+ }
+ borrow -= carry;
+ for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) {
+ ta = ((ap[i] & mask) + carry) & BN_MASK2;
+ carry = (ta < carry);
+ rp[i] = (rp[i] + ta) & BN_MASK2;
+ carry += (rp[i] < ta);
+ }
+
+ r->top = mtop;
+ r->flags |= BN_FLG_FIXED_TOP;
+ r->neg = 0;
+
+ return 1;
}
/*
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mont.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -164,10 +164,10 @@ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a,
bn_check_top(tmp);
if (a == b) {
- if (!BN_sqr(tmp, a, ctx))
+ if (!bn_sqr_fixed_top(tmp, a, ctx))
goto err;
} else {
- if (!BN_mul(tmp, a, b, ctx))
+ if (!bn_mul_fixed_top(tmp, a, b, ctx))
goto err;
}
/* reduce from aRR to aR */
@@ -190,6 +190,7 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM
BIGNUM *n;
BN_ULONG *ap, *np, *rp, n0, v, carry;
int nl, max, i;
+ unsigned int rtop;
n = &(mont->N);
nl = n->top;
@@ -207,12 +208,10 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM
rp = r->d;
/* clear the top words of T */
-# if 1
- for (i = r->top; i < max; i++) /* memset? XXX */
- rp[i] = 0;
-# else
- memset(&(rp[r->top]), 0, (max - r->top) * sizeof(BN_ULONG));
-# endif
+ for (rtop = r->top, i = 0; i < max; i++) {
+ v = (BN_ULONG)0 - ((i - rtop) >> (8 * sizeof(rtop) - 1));
+ rp[i] &= v;
+ }
r->top = max;
r->flags |= BN_FLG_FIXED_TOP;
@@ -263,6 +262,18 @@ static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM
int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx)
{
+ int retn;
+
+ retn = bn_from_mont_fixed_top(ret, a, mont, ctx);
+ bn_correct_top(ret);
+ bn_check_top(ret);
+
+ return retn;
+}
+
+int bn_from_mont_fixed_top(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
+ BN_CTX *ctx)
+{
int retn = 0;
#ifdef MONT_WORD
BIGNUM *t;
@@ -270,8 +281,6 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, B
BN_CTX_start(ctx);
if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) {
retn = bn_from_montgomery_word(ret, t, mont);
- bn_correct_top(ret);
- bn_check_top(ret);
}
BN_CTX_end(ctx);
#else /* !MONT_WORD */
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_mul.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -936,6 +936,16 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b
int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
{
+ int ret = bn_mul_fixed_top(r, a, b, ctx);
+
+ bn_correct_top(r);
+ bn_check_top(r);
+
+ return ret;
+}
+
+int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+{
int ret = 0;
int top, al, bl;
BIGNUM *rr;
@@ -1042,7 +1052,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b
#if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
end:
#endif
- bn_correct_top(rr);
+ rr->flags |= BN_FLG_FIXED_TOP;
if (r != rr && BN_copy(r, rr) == NULL)
goto err;
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_sqr.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -66,6 +66,16 @@
*/
int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
{
+ int ret = bn_sqr_fixed_top(r, a, ctx);
+
+ bn_correct_top(r);
+ bn_check_top(r);
+
+ return ret;
+}
+
+int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+{
int max, al;
int ret = 0;
BIGNUM *tmp, *rr;
@@ -136,7 +146,7 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
rr->neg = 0;
rr->top = max;
- bn_correct_top(rr);
+ rr->flags |= BN_FLG_FIXED_TOP;
if (r != rr && BN_copy(r, rr) == NULL)
goto err;
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn/bn_x931p.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -4,7 +4,7 @@
* 2005.
*/
/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2005-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -223,8 +223,10 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int n
for (i = 0; i < 1000; i++) {
if (!BN_rand(Xq, nbits, 1, 0))
goto err;
+
/* Check that |Xp - Xq| > 2^(nbits - 100) */
- BN_sub(t, Xp, Xq);
+ if (!BN_sub(t, Xp, Xq))
+ goto err;
if (BN_num_bits(t) > (nbits - 100))
break;
}
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/bn_int.h Tue Nov 20 19:01:17 2018 (r340692)
@@ -7,9 +7,15 @@
*/
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+ BN_CTX *ctx);
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx);
int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m);
+int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const BIGNUM *m);
+int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/conf/Makefile Tue Nov 20 19:01:17 2018 (r340692)
@@ -80,12 +80,13 @@ clean:
# DO NOT DELETE THIS LINE -- make depend depends on it.
conf_api.o: ../../e_os.h ../../include/openssl/bio.h
-conf_api.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h
-conf_api.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+conf_api.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+conf_api.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
+conf_api.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
conf_api.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-conf_api.o: ../../include/openssl/symhacks.h conf_api.c
+conf_api.o: ../../include/openssl/symhacks.h ../cryptlib.h conf_api.c
conf_def.o: ../../e_os.h ../../include/openssl/bio.h
conf_def.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
conf_def.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_api.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -66,6 +66,7 @@
#include <assert.h>
#include <stdlib.h>
#include <string.h>
+#include "cryptlib.h"
#include <openssl/conf.h>
#include <openssl/conf_api.h>
#include "e_os.h"
@@ -141,7 +142,7 @@ char *_CONF_get_string(const CONF *conf, const char *s
if (v != NULL)
return (v->value);
if (strcmp(section, "ENV") == 0) {
- p = getenv(name);
+ p = ossl_safe_getenv(name);
if (p != NULL)
return (p);
}
@@ -154,7 +155,7 @@ char *_CONF_get_string(const CONF *conf, const char *s
else
return (NULL);
} else
- return (getenv(name));
+ return (ossl_safe_getenv(name));
}
#if 0 /* There's no way to provide error checking
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/conf/conf_mod.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -4,7 +4,7 @@
* 2001.
*/
/* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2001-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -530,7 +530,7 @@ char *CONF_get1_default_config_file(void)
char *file;
int len;
- file = getenv("OPENSSL_CONF");
+ file = ossl_safe_getenv("OPENSSL_CONF");
if (file)
return BUF_strdup(file);
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/cryptlib.h Tue Nov 20 19:01:17 2018 (r340692)
@@ -104,6 +104,8 @@ void OPENSSL_showfatal(const char *fmta, ...);
void *OPENSSL_stderr(void);
extern int OPENSSL_NONPIC_relocated;
+char *ossl_safe_getenv(const char *);
+
#ifdef __cplusplus
}
#endif
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_gen.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -435,6 +435,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N
EVP_MD_CTX_init(&mctx);
+ /* make sure L > N, otherwise we'll get trapped in an infinite loop */
+ if (L <= N) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
+ goto err;
+ }
+
if (evpmd == NULL) {
if (N == 160)
evpmd = EVP_sha1();
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/dsa/dsa_ossl.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -73,6 +73,8 @@ static int dsa_do_verify(const unsigned char *dgst, in
DSA_SIG *sig, DSA *dsa);
static int dsa_init(DSA *dsa);
static int dsa_finish(DSA *dsa);
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+ BN_CTX *ctx);
static DSA_METHOD openssl_dsa_meth = {
"OpenSSL DSA method",
@@ -279,7 +281,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BI
goto err;
/* Preallocate space */
- q_bits = BN_num_bits(dsa->q);
+ q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16;
if (!BN_set_bit(&k, q_bits)
|| !BN_set_bit(&l, q_bits)
|| !BN_set_bit(&m, q_bits))
@@ -293,9 +295,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BI
if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
BN_set_flags(&k, BN_FLG_CONSTTIME);
+ BN_set_flags(&l, BN_FLG_CONSTTIME);
}
-
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
CRYPTO_LOCK_DSA, dsa->p, ctx))
@@ -333,8 +335,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BI
if (!BN_mod(r, r, dsa->q, ctx))
goto err;
- /* Compute part of 's = inv(k) (m + xr) mod q' */
- if ((kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx)) == NULL)
+ /* Compute part of 's = inv(k) (m + xr) mod q' */
+ if ((kinv = dsa_mod_inverse_fermat(&k, dsa->q, ctx)) == NULL)
goto err;
if (*kinvp != NULL)
@@ -467,4 +469,32 @@ static int dsa_finish(DSA *dsa)
if (dsa->method_mont_p)
BN_MONT_CTX_free(dsa->method_mont_p);
return (1);
+}
+
+/*
+ * Compute the inverse of k modulo q.
+ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
+ * mod-exp operation. Both the exponent and modulus are public information
+ * so a mod-exp that doesn't leak the base is sufficient. A newly allocated
+ * BIGNUM is returned which the caller must free.
+ */
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+ BN_CTX *ctx)
+{
+ BIGNUM *res = NULL;
+ BIGNUM *r, e;
+
+ if ((r = BN_new()) == NULL)
+ return NULL;
+
+ BN_init(&e);
+
+ if (BN_set_word(r, 2)
+ && BN_sub(&e, q, r)
+ && BN_mod_exp_mont(r, k, &e, q, ctx, NULL))
+ res = r;
+ else
+ BN_free(r);
+ BN_free(&e);
+ return res;
}
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lcl.h Tue Nov 20 19:01:17 2018 (r340692)
@@ -3,7 +3,7 @@
* Originally written by Bodo Moeller for the OpenSSL project.
*/
/* ====================================================================
- * Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -214,7 +214,7 @@ struct ec_group_st {
int asn1_flag; /* flag to control the asn1 encoding */
/*
* Kludge: upper bit of ans1_flag is used to denote structure
- * version. Is set, then last field is present. This is done
+ * version. If set, then last field is present. This is done
* for interoperation with FIPS code.
*/
#define EC_GROUP_ASN1_FLAG_MASK 0x7fffffff
@@ -549,7 +549,6 @@ void ec_GFp_nistp_points_make_affine_internal(size_t n
void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign,
unsigned char *digit, unsigned char in);
#endif
-int ec_precompute_mont_data(EC_GROUP *);
#ifdef ECP_NISTZ256_ASM
/** Returns GFp methods using montgomery multiplication, with x86-64 optimized
Modified: vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c
==============================================================================
--- vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c Tue Nov 20 19:00:20 2018 (r340691)
+++ vendor-crypto/openssl/dist-1.0.2/crypto/ec/ec_lib.c Tue Nov 20 19:01:17 2018 (r340692)
@@ -70,6 +70,10 @@
const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
+/* local function prototypes */
+
+static int ec_precompute_mont_data(EC_GROUP *group);
+
/* functions for EC_GROUP objects */
EC_GROUP *EC_GROUP_new(const EC_METHOD *meth)
@@ -318,17 +322,25 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_P
} else
BN_zero(&group->cofactor);
- /*
- * Some groups have an order with
- * factors of two, which makes the Montgomery setup fail.
- * |group->mont_data| will be NULL in this case.
+ /*-
+ * Access to the `mont_data` field of an EC_GROUP struct should always be
+ * guarded by an EC_GROUP_VERSION(group) check to avoid OOB accesses, as the
+ * group might come from the FIPS module, which does not define the
+ * `mont_data` field inside the EC_GROUP structure.
*/
- if (BN_is_odd(&group->order)) {
- return ec_precompute_mont_data(group);
+ if (EC_GROUP_VERSION(group)) {
+ /*-
+ * Some groups have an order with
+ * factors of two, which makes the Montgomery setup fail.
+ * |group->mont_data| will be NULL in this case.
+ */
+ if (BN_is_odd(&group->order))
+ return ec_precompute_mont_data(group);
+
+ BN_MONT_CTX_free(group->mont_data);
+ group->mont_data = NULL;
}
- BN_MONT_CTX_free(group->mont_data);
- group->mont_data = NULL;
return 1;
}
@@ -1098,17 +1110,22 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *grou
* been performed */
}
-/*
+/*-
* ec_precompute_mont_data sets |group->mont_data| from |group->order| and
* returns one on success. On error it returns zero.
+ *
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-src-all
mailing list