diff options
41 files changed, 528 insertions, 1535 deletions
@@ -7,6 +7,33 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.0.2q and 1.0.2r [26 Feb 2019] + + *) 0-byte record padding oracle + + If an application encounters a fatal protocol error and then calls + SSL_shutdown() twice (once to send a close_notify, and once to receive one) + then OpenSSL can respond differently to the calling application if a 0 byte + record is received with invalid padding compared to if a 0 byte record is + received with an invalid MAC. If the application then behaves differently + based on that in a way that is detectable to the remote peer, then this + amounts to a padding oracle that could be used to decrypt data. + + In order for this to be exploitable "non-stitched" ciphersuites must be in + use. Stitched ciphersuites are optimised implementations of certain + commonly used ciphersuites. Also the application must call SSL_shutdown() + twice even if a protocol error has occurred (applications should not do + this but some do anyway). + + This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod + Aviram, with additional investigation by Steven Collison and Andrew + Hourselt. It was reported to OpenSSL on 10th December 2018. + (CVE-2019-1559) + [Matt Caswell] + + *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). + [Richard Levitte] + Changes between 1.0.2p and 1.0.2q [20 Nov 2018] *) Microarchitecture timing vulnerability in ECC scalar multiplication @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2q +VERSION=1.0.2r MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 @@ -521,7 +521,7 @@ $(TARFILE).list: find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ - \! -name '.#*' \! -name '*~' \! -type l \ + \! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \ | sort > $(TARFILE).list tar: $(TARFILE).list diff --git a/Makefile.bak b/Makefile.bak deleted file mode 100644 index 1de4ac3..0000000 --- a/Makefile.bak +++ /dev/null @@ -1,692 +0,0 @@ -### Generated automatically from Makefile.org by Configure. - -## -## Makefile for OpenSSL -## - -VERSION=1.0.2q-dev -MAJOR=1 -MINOR=0.2 -SHLIB_VERSION_NUMBER=1.0.0 -SHLIB_VERSION_HISTORY= -SHLIB_MAJOR=1 -SHLIB_MINOR=0.0 -SHLIB_EXT= -PLATFORM=gcc -OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine -CONFIGURE_ARGS=gcc -SHLIB_TARGET= - -# HERE indicates where this Makefile lives. This can be used to indicate -# where sub-Makefiles are expected to be. Currently has very limited usage, -# and should probably not be bothered with at all. -HERE=. - -# INSTALL_PREFIX is for package builders so that they can configure -# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/. -# Normally it is left empty. -INSTALL_PREFIX= -INSTALLTOP=/usr/local/ssl - -# Do not edit this manually. Use Configure --openssldir=DIR do change this! -OPENSSLDIR=/usr/local/ssl - -# NO_IDEA - Define to build without the IDEA algorithm -# NO_RC4 - Define to build without the RC4 algorithm -# NO_RC2 - Define to build without the RC2 algorithm -# THREADS - Define when building with threads, you will probably also need any -# system defines as well, i.e. _REENTERANT for Solaris 2.[34] -# TERMIO - Define the termio terminal subsystem, needed if sgtty is missing. -# TERMIOS - Define the termios terminal subsystem, Silicon Graphics. -# LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3). -# DEVRANDOM - Give this the value of the 'random device' if your OS supports -# one. 32 bytes will be read from this when the random -# number generator is initalised. -# SSL_FORBID_ENULL - define if you want the server to be not able to use the -# NULL encryption ciphers. -# -# LOCK_DEBUG - turns on lots of lock debug output :-) -# REF_CHECK - turn on some xyz_free() assertions. -# REF_PRINT - prints some stuff on structure free. -# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff -# MFUNC - Make all Malloc/Free/Realloc calls call -# CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to -# call application defined callbacks via CRYPTO_set_mem_functions() -# MD5_ASM needs to be defined to use the x86 assembler for MD5 -# SHA1_ASM needs to be defined to use the x86 assembler for SHA1 -# RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160 -# Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8. It must -# equal 4. -# PKCS1_CHECK - pkcs1 tests. - -CC= gcc -CFLAG= -O3 -DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS -PEX_LIBS= -EX_LIBS= -EXE_EXT= -ARFLAGS= -AR= ar $(ARFLAGS) r -RANLIB= /usr/bin/ranlib -RC= windres -NM= nm -PERL= /usr/bin/perl -TAR= tar -TARFLAGS= --no-recursion -MAKEDEPPROG= gcc -LIBDIR=lib - -# We let the C compiler driver to take care of .s files. This is done in -# order to be excused from maintaining a separate set of architecture -# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC -# gcc, then the driver will automatically translate it to -xarch=v8plus -# and pass it down to assembler. -AS=$(CC) -c -ASFLAG=$(CFLAG) - -# For x86 assembler: Set PROCESSOR to 386 if you want to support -# the 80386. -PROCESSOR= - -# CPUID module collects small commonly used assembler snippets -CPUID_OBJ= mem_clr.o -BN_ASM= bn_asm.o -EC_ASM= -DES_ENC= des_enc.o fcrypt_b.o -AES_ENC= aes_core.o aes_cbc.o -BF_ENC= bf_enc.o -CAST_ENC= c_enc.o -RC4_ENC= rc4_enc.o rc4_skey.o -RC5_ENC= rc5_enc.o -MD5_ASM_OBJ= -SHA1_ASM_OBJ= -RMD160_ASM_OBJ= -WP_ASM_OBJ= wp_block.o -CMLL_ENC= camellia.o cmll_misc.o cmll_cbc.o -MODES_ASM_OBJ= -ENGINES_ASM_OBJ= -PERLASM_SCHEME= - -# KRB5 stuff -KRB5_INCLUDES= -LIBKRB5= - -# Zlib stuff -ZLIB_INCLUDE= -LIBZLIB= - -# TOP level FIPS install directory. -FIPSDIR=/usr/local/ssl/fips-2.0 - -# This is the location of fipscanister.o and friends. -# The FIPS module build will place it $(INSTALLTOP)/lib -# but since $(INSTALLTOP) can only take the default value -# when the module is built it will be in /usr/local/ssl/lib -# $(INSTALLTOP) for this build may be different so hard -# code the path. - -FIPSLIBDIR= - -# The location of the library which contains fipscanister.o -# normally it will be libcrypto unless fipsdso is set in which -# case it will be libfips. If not compiling in FIPS mode at all -# this is empty making it a useful test for a FIPS compile. - -FIPSCANLIB= - -# Shared library base address. Currently only used on Windows. -# - -BASEADDR=0xFB00000 - -DIRS= crypto ssl engines apps test tools -ENGDIRS= ccgost -SHLIBDIRS= crypto ssl - -# dirs in crypto to build -SDIRS= \ - objects \ - md4 md5 sha mdc2 hmac ripemd whrlpool \ - des aes rc2 rc4 idea bf cast camellia seed modes \ - bn ec rsa dsa ecdsa dh ecdh dso engine \ - buffer bio stack lhash rand err \ - evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \ - cms pqueue ts srp cmac -# keep in mind that the above list is adjusted by ./Configure -# according to no-xxx arguments... - -# tests to perform. "alltests" is a special word indicating that all tests -# should be performed. -TESTS = alltests - -MAKEFILE= Makefile - -MANDIR=$(OPENSSLDIR)/man -MAN1=1 -MAN3=3 -MANSUFFIX= -HTMLSUFFIX=html -HTMLDIR=$(OPENSSLDIR)/html -SHELL=/bin/sh - -TOP= . -ONEDIRS=out tmp -EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS -WDIRS= windows -LIBS= libcrypto.a libssl.a -SHARED_CRYPTO=libcrypto$(SHLIB_EXT) -SHARED_SSL=libssl$(SHLIB_EXT) -SHARED_LIBS= -SHARED_LIBS_LINK_EXTS= -SHARED_LDFLAGS= - -GENERAL= Makefile -BASENAME= openssl -NAME= $(BASENAME)-$(VERSION) -TARFILE= ../$(NAME).tar -EXHEADER= e_os2.h -HEADER= e_os.h - -all: Makefile build_all - -# as we stick to -e, CLEARENV ensures that local variables in lower -# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn -# shell, which [annoyingly enough] terminates unset with error if VAR -# is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh, -# which terminates unset with error if no variable was present:-( -CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \ - $${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES} \ - $${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC} \ - $${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL} \ - $${EXHEADER+EXHEADER} $${HEADER+HEADER} \ - $${GENERAL+GENERAL} $${CFLAGS+CFLAGS} \ - $${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \ - $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \ - $${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \ - $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \ - $${APPS+APPS} - -# LC_ALL=C ensures that error [and other] messages are delivered in -# same language for uniform treatment. -BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\ - CC='$(CC)' CFLAG='$(CFLAG)' \ - AS='$(CC)' ASFLAG='$(CFLAG) -c' \ - AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \ - RC='$(RC)' \ - CROSS_COMPILE='$(CROSS_COMPILE)' \ - PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \ - SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \ - INSTALL_PREFIX='$(INSTALL_PREFIX)' \ - INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)' \ - LIBDIR='$(LIBDIR)' \ - MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \ - DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)' \ - MAKEDEPPROG='$(MAKEDEPPROG)' \ - SHARED_LDFLAGS='$(SHARED_LDFLAGS)' \ - KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)' \ - ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)' \ - EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)' \ - SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)' \ - PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)' \ - CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)' \ - EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)' \ - AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)' \ - BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)' \ - RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)' \ - SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)' \ - MD5_ASM_OBJ='$(MD5_ASM_OBJ)' \ - RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)' \ - WP_ASM_OBJ='$(WP_ASM_OBJ)' \ - MODES_ASM_OBJ='$(MODES_ASM_OBJ)' \ - ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)' \ - PERLASM_SCHEME='$(PERLASM_SCHEME)' \ - FIPSLIBDIR='${FIPSLIBDIR}' \ - FIPSDIR='${FIPSDIR}' \ - FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \ - THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= -# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, -# which in turn eliminates ambiguities in variable treatment with -e. - -# BUILD_CMD is a generic macro to build a given target in a given -# subdirectory. The target must be given through the shell variable -# `target' and the subdirectory to build in must be given through `dir'. -# This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or -# BUILD_ONE_CMD instead. -# -# BUILD_ONE_CMD is a macro to build a given target in a given -# subdirectory if that subdirectory is part of $(DIRS). It requires -# exactly the same shell variables as BUILD_CMD. -# -# RECURSIVE_BUILD_CMD is a macro to build a given target in all -# subdirectories defined in $(DIRS). It requires that the target -# is given through the shell variable `target'. -BUILD_CMD= if [ -d "$$dir" ]; then \ - ( cd $$dir && echo "making $$target in $$dir..." && \ - $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \ - ) || exit 1; \ - fi -RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done -BUILD_ONE_CMD=\ - if expr " $(DIRS) " : ".* $$dir " >/dev/null 2>&1; then \ - $(BUILD_CMD); \ - fi - -reflect: - @[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV) - -sub_all: build_all - -build_all: build_libs build_apps build_tests build_tools - -build_libs: build_libcrypto build_libssl openssl.pc - -build_libcrypto: build_crypto build_engines libcrypto.pc -build_libssl: build_ssl libssl.pc - -build_crypto: - @dir=crypto; target=all; $(BUILD_ONE_CMD) -build_ssl: build_crypto - @dir=ssl; target=all; $(BUILD_ONE_CMD) -build_engines: build_crypto - @dir=engines; target=all; $(BUILD_ONE_CMD) -build_apps: build_libs - @dir=apps; target=all; $(BUILD_ONE_CMD) -build_tests: build_libs - @dir=test; target=all; $(BUILD_ONE_CMD) -build_tools: build_libs - @dir=tools; target=all; $(BUILD_ONE_CMD) - -all_testapps: build_libs build_testapps -build_testapps: - @dir=crypto; target=testapps; $(BUILD_ONE_CMD) - -fips_premain_dso$(EXE_EXT): libcrypto.a - [ -z "$(FIPSCANLIB)" ] || $(CC) $(CFLAG) -Iinclude \ - -DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ \ - $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fipscanister.o \ - libcrypto.a $(EX_LIBS) - -libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT) - @if [ "$(SHLIB_TARGET)" != "" ]; then \ - if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ - FIPSLD_LIBCRYPTO=libcrypto.a ; \ - FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \ - export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \ - fi; \ - $(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \ - (touch -c fips_premain_dso$(EXE_EXT) || :); \ - else \ - echo "There's no support for shared libraries on this platform" >&2; \ - exit 1; \ - fi - -libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a - @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \ - else \ - echo "There's no support for shared libraries on this platform" >&2; \ - exit 1; \ - fi - -clean-shared: - @set -e; for i in $(SHLIBDIRS); do \ - if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ - tmp="$(SHARED_LIBS_LINK_EXTS)"; \ - for j in $${tmp:-x}; do \ - ( set -x; rm -f lib$$i$$j ); \ - done; \ - fi; \ - ( set -x; rm -f lib$$i$(SHLIB_EXT) ); \ - if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \ - ( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \ - fi; \ - done - -link-shared: - @ set -e; for i in $(SHLIBDIRS); do \ - $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ - LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \ - LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \ - symlink.$(SHLIB_TARGET); \ - libs="$$libs -l$$i"; \ - done - -build-shared: do_$(SHLIB_TARGET) link-shared - -do_$(SHLIB_TARGET): - @ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \ - if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \ - libs="$(LIBKRB5) $$libs"; \ - fi; \ - $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ - LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \ - LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \ - LIBDEPS="$$libs $(EX_LIBS)" \ - link_a.$(SHLIB_TARGET); \ - libs="-l$$i $$libs"; \ - done - -libcrypto.pc: Makefile - @ ( echo 'prefix=$(INSTALLTOP)'; \ - echo 'exec_prefix=$${prefix}'; \ - echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \ - echo 'includedir=$${prefix}/include'; \ - echo 'enginesdir=$${libdir}/engines'; \ - echo ''; \ - echo 'Name: OpenSSL-libcrypto'; \ - echo 'Description: OpenSSL cryptography library'; \ - echo 'Version: '$(VERSION); \ - echo 'Requires: '; \ - echo 'Libs: -L$${libdir} -lcrypto'; \ - echo 'Libs.private: $(EX_LIBS)'; \ - echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc - -libssl.pc: Makefile - @ ( echo 'prefix=$(INSTALLTOP)'; \ - echo 'exec_prefix=$${prefix}'; \ - echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \ - echo 'includedir=$${prefix}/include'; \ - echo ''; \ - echo 'Name: OpenSSL-libssl'; \ - echo 'Description: Secure Sockets Layer and cryptography libraries'; \ - echo 'Version: '$(VERSION); \ - echo 'Requires.private: libcrypto'; \ - echo 'Libs: -L$${libdir} -lssl'; \ - echo 'Libs.private: $(EX_LIBS)'; \ - echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc - -openssl.pc: Makefile - @ ( echo 'prefix=$(INSTALLTOP)'; \ - echo 'exec_prefix=$${prefix}'; \ - echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \ - echo 'includedir=$${prefix}/include'; \ - echo ''; \ - echo 'Name: OpenSSL'; \ - echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ - echo 'Version: '$(VERSION); \ - echo 'Requires: libssl libcrypto' ) > openssl.pc - -Makefile: Makefile.org Configure config - @echo "Makefile is older than Makefile.org, Configure or config." - @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please." - @false - -libclean: - rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib - -clean: libclean - rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c - @set -e; target=clean; $(RECURSIVE_BUILD_CMD) - rm -f $(LIBS) - rm -f openssl.pc libssl.pc libcrypto.pc - rm -f speed.* .pure - rm -f $(TARFILE) - @set -e; for i in $(ONEDIRS) ;\ - do \ - rm -fr $$i/*; \ - done - -distclean: clean - -$(RM) `find . -name .git -prune -o -type l -print` - $(RM) apps/CA.pl - $(RM) test/evptests.txt test/newkey.pem test/testkey.pem test/testreq.pem - $(RM) tools/c_rehash - $(RM) crypto/opensslconf.h - $(RM) Makefile Makefile.bak - -makefile.one: files - $(PERL) util/mk1mf.pl >makefile.one; \ - sh util/do_ms.sh - -files: - $(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO - @set -e; target=files; $(RECURSIVE_BUILD_CMD) - -links: - @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl - @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) - @set -e; target=links; $(RECURSIVE_BUILD_CMD) - -gentests: - @(cd test && echo "generating dummy tests (if needed)..." && \ - $(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate ); - -dclean: - rm -rf *.bak include/openssl certs/.0 - @set -e; target=dclean; $(RECURSIVE_BUILD_CMD) - -rehash: rehash.time -rehash.time: certs apps - @if [ -z "$(CROSS_COMPILE)" ]; then \ - (OPENSSL="`pwd`/util/opensslwrap.sh"; \ - [ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \ - OPENSSL_DEBUG_MEMORY=on; \ - export OPENSSL OPENSSL_DEBUG_MEMORY; \ - $(PERL) tools/c_rehash certs/demo) && \ - touch rehash.time; \ - else :; fi - -test: tests - -tests: rehash - @(cd test && echo "testing..." && \ - $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests ); - OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a - -report: - @$(PERL) util/selftest.pl - -update: errors stacks util/libeay.num util/ssleay.num TABLE - @set -e; target=update; $(RECURSIVE_BUILD_CMD) - -depend: - @set -e; target=depend; $(RECURSIVE_BUILD_CMD) - -lint: - @set -e; target=lint; $(RECURSIVE_BUILD_CMD) - -tags: - rm -f TAGS - find . -name '[^.]*.[ch]' | xargs etags -a - -errors: - $(PERL) util/ck_errf.pl -strict */*.c */*/*.c - $(PERL) util/mkerr.pl -recurse -write - (cd engines; $(MAKE) PERL=$(PERL) errors) - -stacks: - $(PERL) util/mkstack.pl -write - -util/libeay.num:: - $(PERL) util/mkdef.pl crypto update - -util/ssleay.num:: - $(PERL) util/mkdef.pl ssl update - -TABLE: Configure - (echo 'Output of `Configure TABLE'"':"; \ - $(PERL) Configure TABLE) > TABLE - -# Build distribution tar-file. As the list of files returned by "find" is -# pretty long, on several platforms a "too many arguments" error or similar -# would occur. Therefore the list of files is temporarily stored into a file -# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal -# tar does not support the --files-from option. -TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \ - --owner 0 --group 0 \ - --transform 's|^|$(NAME)/|' \ - -cvf - - -$(TARFILE).list: - find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ - \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ - \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ - \! -name '.#*' \! -name '*~' \! -type l \ - | sort > $(TARFILE).list - -tar: $(TARFILE).list - find . -type d -print | xargs chmod 755 - find . -type f -print | xargs chmod a+r - find . -type f -perm -0100 -print | xargs chmod a+x - $(TAR_COMMAND) | gzip --best > $(TARFILE).gz - rm -f $(TARFILE).list - ls -l $(TARFILE).gz - -tar-snap: $(TARFILE).list - $(TAR_COMMAND) > $(TARFILE) - rm -f $(TARFILE).list - ls -l $(TARFILE) - -dist: - $(PERL) Configure dist - @$(MAKE) SDIRS='$(SDIRS)' clean - @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar - -install: all install_docs install_sw - -install_sw: - @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ - $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \ - $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \ - $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \ - $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/private - @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; - @set -e; target=install; $(RECURSIVE_BUILD_CMD) - @set -e; liblist="$(LIBS)"; for i in $$liblist ;\ - do \ - if [ -f "$$i" ]; then \ - ( echo installing $$i; \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ - $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i ); \ - fi; \ - done; - @set -e; if [ -n "$(SHARED_LIBS)" ]; then \ - tmp="$(SHARED_LIBS)"; \ - for i in $${tmp:-x}; \ - do \ - if [ -f "$$i" -o -f "$$i.a" ]; then \ - ( echo installing $$i; \ - if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \ - c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \ - cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ - chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \ - else \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ - chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \ - fi ); \ - if expr $(PLATFORM) : 'mingw' > /dev/null; then \ - ( case $$i in \ - *crypto*) i=libeay32.dll;; \ - *ssl*) i=ssleay32.dll;; \ - esac; \ - echo installing $$i; \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ - chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \ - fi; \ - fi; \ - done; \ - ( here="`pwd`"; \ - cd $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR); \ - $(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \ - if [ "$(INSTALLTOP)" != "/usr" ]; then \ - echo 'OpenSSL shared libraries have been installed in:'; \ - echo ' $(INSTALLTOP)'; \ - echo ''; \ - sed -e '1,/^$$/d' doc/openssl-shared.txt; \ - fi; \ - fi - cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc - cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc - cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc - -install_html_docs: - here="`pwd`"; \ - filecase=; \ - case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \ - filecase=-i; \ - esac; \ - for subdir in apps crypto ssl; do \ - mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \ - for i in doc/$$subdir/*.pod; do \ - fn=`basename $$i .pod`; \ - echo "installing html/$$fn.$(HTMLSUFFIX)"; \ - cat $$i \ - | sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \ - | pod2html --podroot=doc --htmlroot=.. --podpath=apps:crypto:ssl \ - | sed -r 's/<!DOCTYPE.*//g' \ - > $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \ - $(PERL) util/extract-names.pl < $$i | \ - grep -v $$filecase "^$$fn\$$" | \ - (cd $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \ - while read n; do \ - PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \ - done); \ - done; \ - done - -install_docs: - @$(PERL) $(TOP)/util/mkdir-p.pl \ - $(INSTALL_PREFIX)$(MANDIR)/man1 \ - $(INSTALL_PREFIX)$(MANDIR)/man3 \ - $(INSTALL_PREFIX)$(MANDIR)/man5 \ - $(INSTALL_PREFIX)$(MANDIR)/man7 - @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \ - here="`pwd`"; \ - filecase=; \ - case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \ - filecase=-i; \ - esac; \ - set -e; for i in doc/apps/*.pod; do \ - fn=`basename $$i .pod`; \ - sec=`$(PERL) util/extract-section.pl 1 < $$i`; \ - echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ - (cd `$(PERL) util/dirname.pl $$i`; \ - sh -c "$$pod2man \ - --section=$$sec --center=OpenSSL \ - --release=$(VERSION) `basename $$i`") \ - > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ - $(PERL) util/extract-names.pl < $$i | \ - (grep -v $$filecase "^$$fn\$$"; true) | \ - (grep -v "[ ]"; true) | \ - (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ - while read n; do \ - PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ - done); \ - done; \ - set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \ - fn=`basename $$i .pod`; \ - sec=`$(PERL) util/extract-section.pl 3 < $$i`; \ - echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ - (cd `$(PERL) util/dirname.pl $$i`; \ - sh -c "$$pod2man \ - --section=$$sec --center=OpenSSL \ - --release=$(VERSION) `basename $$i`") \ - > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ - $(PERL) util/extract-names.pl < $$i | \ - (grep -v $$filecase "^$$fn\$$"; true) | \ - (grep -v "[ ]"; true) | \ - (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ - while read n; do \ - PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ - done); \ - done - -# DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/Makefile.org b/Makefile.org index f51f0a7..8089d3f 100644 --- a/Makefile.org +++ b/Makefile.org @@ -519,7 +519,7 @@ $(TARFILE).list: find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ - \! -name '.#*' \! -name '*~' \! -type l \ + \! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \ | sort > $(TARFILE).list tar: $(TARFILE).list @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] + + o 0-byte record padding oracle (CVE-2019-1559) + Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407) @@ -1,5 +1,5 @@ - OpenSSL 1.0.2q 20 Nov 2018 + OpenSSL 1.0.2r 26 Feb 2019 Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/apps/CA.pl.bak b/apps/CA.pl.bak deleted file mode 100644 index 43c20b2..0000000 --- a/apps/CA.pl.bak +++ /dev/null @@ -1,188 +0,0 @@ -#!/usr/bin/perl -# -# CA - wrapper around ca to make it easier to use ... basically ca requires -# some setup stuff to be done before you can use it and this makes -# things easier between now and when Eric is convinced to fix it :-) -# -# CA -newca ... will setup the right stuff -# CA -newreq[-nodes] ... will generate a certificate request -# CA -sign ... will sign the generated request and output -# -# At the end of that grab newreq.pem and newcert.pem (one has the key -# and the other the certificate) and cat them together and that is what -# you want/need ... I'll make even this a little cleaner later. -# -# -# 12-Jan-96 tjh Added more things ... including CA -signcert which -# converts a certificate to a request and then signs it. -# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG -# environment variable so this can be driven from -# a script. -# 25-Jul-96 eay Cleaned up filenames some more. -# 11-Jun-96 eay Fixed a few filename missmatches. -# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. -# 18-Apr-96 tjh Original hacking -# -# Tim Hudson -# tjh@cryptsoft.com -# - -# 27-Apr-98 snh Translation into perl, fix existing CA bug. -# -# -# Steve Henson -# shenson@bigfoot.com - -# default openssl.cnf file has setup as per the following -# demoCA ... where everything is stored - -my $openssl; -if(defined $ENV{OPENSSL}) { - $openssl = $ENV{OPENSSL}; -} else { - $openssl = "openssl"; - $ENV{OPENSSL} = $openssl; -} - -$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; -$DAYS="-days 365"; # 1 year -$CADAYS="-days 1095"; # 3 years -$REQ="$openssl req $SSLEAY_CONFIG"; -$CA="$openssl ca $SSLEAY_CONFIG"; -$VERIFY="$openssl verify"; -$X509="$openssl x509"; -$PKCS12="$openssl pkcs12"; - -$CATOP="./demoCA"; -$CAKEY="cakey.pem"; -$CAREQ="careq.pem"; -$CACERT="cacert.pem"; - -$DIRMODE = 0777; - -$RET = 0; - -foreach (@ARGV) { - if ( /^(-\?|-h|-help)$/ ) { - print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n"; - exit 0; - } elsif (/^-newcert$/) { - # create a certificate - system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS"); - $RET=$?; - print "Certificate is in newcert.pem, private key is in newkey.pem\n" - } elsif (/^-newreq$/) { - # create a certificate request - system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS"); - $RET=$?; - print "Request is in newreq.pem, private key is in newkey.pem\n"; - } elsif (/^-newreq-nodes$/) { - # create a certificate request - system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS"); - $RET=$?; - print "Request is in newreq.pem, private key is in newkey.pem\n"; - } elsif (/^-newca$/) { - # if explicitly asked for or it doesn't exist then setup the - # directory structure that Eric likes to manage things - $NEW="1"; - if ( "$NEW" || ! -f "${CATOP}/serial" ) { - # create the directory hierarchy - mkdir $CATOP, $DIRMODE; - mkdir "${CATOP}/certs", $DIRMODE; - mkdir "${CATOP}/crl", $DIRMODE ; - mkdir "${CATOP}/newcerts", $DIRMODE; - mkdir "${CATOP}/private", $DIRMODE; - open OUT, ">${CATOP}/index.txt"; - close OUT; - open OUT, ">${CATOP}/crlnumber"; - print OUT "01\n"; - close OUT; - } - if ( ! -f "${CATOP}/private/$CAKEY" ) { - print "CA certificate filename (or enter to create)\n"; - $FILE = <STDIN>; - - chop $FILE; - - # ask user for existing CA certificate - if ($FILE) { - cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); - cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); - $RET=$?; - } else { - print "Making CA certificate ...\n"; - system ("$REQ -new -keyout " . - "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ"); - system ("$CA -create_serial " . - "-out ${CATOP}/$CACERT $CADAYS -batch " . - "-keyfile ${CATOP}/private/$CAKEY -selfsign " . - "-extensions v3_ca " . - "-infiles ${CATOP}/$CAREQ "); - $RET=$?; - } - } - } elsif (/^-pkcs12$/) { - my $cname = $ARGV[1]; - $cname = "My Certificate" unless defined $cname; - system ("$PKCS12 -in newcert.pem -inkey newkey.pem " . - "-certfile ${CATOP}/$CACERT -out newcert.p12 " . - "-export -name \"$cname\""); - $RET=$?; - print "PKCS #12 file is in newcert.p12\n"; - exit $RET; - } elsif (/^-xsign$/) { - system ("$CA -policy policy_anything -infiles newreq.pem"); - $RET=$?; - } elsif (/^(-sign|-signreq)$/) { - system ("$CA -policy policy_anything -out newcert.pem " . - "-infiles newreq.pem"); - $RET=$?; - print "Signed certificate is in newcert.pem\n"; - } elsif (/^(-signCA)$/) { - system ("$CA -policy policy_anything -out newcert.pem " . - "-extensions v3_ca -infiles newreq.pem"); - $RET=$?; - print "Signed CA certificate is in newcert.pem\n"; - } elsif (/^-signcert$/) { - system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " . - "-out tmp.pem"); - system ("$CA -policy policy_anything -out newcert.pem " . - "-infiles tmp.pem"); - $RET = $?; - print "Signed certificate is in newcert.pem\n"; - } elsif (/^-verify$/) { - if (shift) { - foreach $j (@ARGV) { - system ("$VERIFY -CAfile $CATOP/$CACERT $j"); - $RET=$? if ($? != 0); - } - exit $RET; - } else { - system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem"); - $RET=$?; - exit 0; - } - } else { - print STDERR "Unknown arg $_\n"; - print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; - exit 1; - } -} - -exit $RET; - -sub cp_pem { -my ($infile, $outfile, $bound) = @_; -open IN, $infile; -open OUT, ">$outfile"; -my $flag = 0; -while (<IN>) { - $flag = 1 if (/^-----BEGIN.*$bound/) ; - print OUT $_ if ($flag); - if (/^-----END.*$bound/) { - close IN; - close OUT; - return; - } -} -} diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index cc8f9a8..d04f786 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -234,6 +234,21 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe, int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth) { + /* + * One of the following must be true: + * + * pem_str == NULL AND ASN1_PKEY_ALIAS is set + * pem_str != NULL AND ASN1_PKEY_ALIAS is clear + * + * Anything else is an error and may lead to a corrupt ASN1 method table + */ + if (!((ameth->pem_str == NULL + && (ameth->pkey_flags & ASN1_PKEY_ALIAS) != 0) + || (ameth->pem_str != NULL + && (ameth->pkey_flags & ASN1_PKEY_ALIAS) == 0))) { + return 0; + } + if (app_methods == NULL) { app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp); if (!app_methods) @@ -305,18 +320,6 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, } else ameth->info = NULL; - /* - * One of the following must be true: - * - * pem_str == NULL AND ASN1_PKEY_ALIAS is set - * pem_str != NULL AND ASN1_PKEY_ALIAS is clear - * - * Anything else is an error and may lead to a corrupt ASN1 method table - */ - if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0) - || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0))) - goto err; - if (pem_str) { ameth->pem_str = BUF_strdup(pem_str); if (!ameth->pem_str) diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c index bbf906f..024d0cf 100644 --- a/crypto/bio/bss_file.c +++ b/crypto/bio/bss_file.c @@ -361,12 +361,16 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) } else _setmode(fd, _O_BINARY); } -# elif defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN) +# elif defined(OPENSSL_SYS_OS2) int fd = fileno((FILE *)ptr); if (num & BIO_FP_TEXT) setmode(fd, O_TEXT); else setmode(fd, O_BINARY); +# elif defined(OPENSSL_SYS_WIN32_CYGWIN) + int fd = fileno((FILE *)ptr); + if (!(num & BIO_FP_TEXT)) + setmode(fd, O_BINARY); # endif } break; @@ -389,11 +393,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) ret = 0; break; } -# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN) +# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) if (!(num & BIO_FP_TEXT)) strcat(p, "b"); else strcat(p, "t"); +# elif defined(OPENSSL_SYS_WIN32_CYGWIN) + if (!(num & BIO_FP_TEXT)) + strcat(p, "b"); # endif # if defined(OPENSSL_SYS_NETWARE) if (!(num & BIO_FP_TEXT)) diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 526c6a0..d18eedb 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -1,7 +1,7 @@ /* crypto/bn/bn_ctx.c */ /* Written by Ulf Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -299,6 +299,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx) } /* OK, make sure the returned bignum is "zero" */ BN_zero(ret); + /* clear BN_FLG_CONSTTIME if leaked from previous frames */ + ret->flags &= (~BN_FLG_CONSTTIME); ctx->used++; CTXDBG_RET(ctx, ret); return ret; diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 9b95e5f..2a84698 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -836,6 +836,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n) int i; BN_ULONG aa, bb; + if (n == 0) + return 0; + aa = a[n - 1]; bb = b[n - 1]; if (aa != bb) diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c index abe5dbe..75aa707 100644 --- a/crypto/bn/bntest.c +++ b/crypto/bn/bntest.c @@ -89,6 +89,10 @@ #include <openssl/x509.h> #include <openssl/err.h> +#ifndef OSSL_NELEM +# define OSSL_NELEM(x) (sizeof(x)/sizeof(x[0])) +#endif + const int num0 = 100; /* number of tests */ const int num1 = 50; /* additional tests for some functions */ const int num2 = 5; /* number of tests for slow functions */ @@ -123,6 +127,7 @@ int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx); int test_kron(BIO *bp, BN_CTX *ctx); int test_sqrt(BIO *bp, BN_CTX *ctx); int rand_neg(void); +static int test_ctx_consttime_flag(void); static int results = 0; static unsigned char lst[] = @@ -330,6 +335,15 @@ int main(int argc, char *argv[]) goto err; (void)BIO_flush(out); #endif + + /* silently flush any pre-existing error on the stack */ + ERR_clear_error(); + + message(out, "BN_CTX_get BN_FLG_CONSTTIME"); + if (!test_ctx_consttime_flag()) + goto err; + (void)BIO_flush(out); + BN_CTX_free(ctx); BIO_free(out); @@ -2158,3 +2172,90 @@ int rand_neg(void) return (sign[(neg++) % 8]); } + +static int test_ctx_set_ct_flag(BN_CTX *c) +{ + int st = 0; + size_t i; + BIGNUM *b[15]; + + BN_CTX_start(c); + for (i = 0; i < OSSL_NELEM(b); i++) { + if (NULL == (b[i] = BN_CTX_get(c))) { + fprintf(stderr, "ERROR: BN_CTX_get() failed.\n"); + goto err; + } + if (i % 2 == 1) + BN_set_flags(b[i], BN_FLG_CONSTTIME); + } + + st = 1; + err: + BN_CTX_end(c); + return st; +} + +static int test_ctx_check_ct_flag(BN_CTX *c) +{ + int st = 0; + size_t i; + BIGNUM *b[30]; + + BN_CTX_start(c); + for (i = 0; i < OSSL_NELEM(b); i++) { + if (NULL == (b[i] = BN_CTX_get(c))) { + fprintf(stderr, "ERROR: BN_CTX_get() failed.\n"); + goto err; + } + if (BN_get_flags(b[i], BN_FLG_CONSTTIME) != 0) { + fprintf(stderr, "ERROR: BN_FLG_CONSTTIME should not be set.\n"); + goto err; + } + } + + st = 1; + err: + BN_CTX_end(c); + return st; +} + +static int test_ctx_consttime_flag(void) +{ + /*- + * The constant-time flag should not "leak" among BN_CTX frames: + * + * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and + * sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained + * from the frame before ending it. + * - test_ctx_check_ct_flag() then starts a new frame and gets a + * number of BIGNUMs from it. In absence of leaks, none of the + * BIGNUMs in the new frame should have BN_FLG_CONSTTIME set. + * + * In actual BN_CTX usage inside libcrypto the leak could happen at + * any depth level in the BN_CTX stack, with varying results + * depending on the patterns of sibling trees of nested function + * calls sharing the same BN_CTX object, and the effect of + * unintended BN_FLG_CONSTTIME on the called BN_* functions. + * + * This simple unit test abstracts away this complexity and verifies + * that the leak does not happen between two sibling functions + * sharing the same BN_CTX object at the same level of nesting. + * + */ + BN_CTX *c = NULL; + int st = 0; + + if (NULL == (c = BN_CTX_new())) { + fprintf(stderr, "ERROR: BN_CTX_new() failed.\n"); + goto err; + } + + if (!test_ctx_set_ct_flag(c) + || !test_ctx_check_ct_flag(c)) + goto err; + + st = 1; + err: + BN_CTX_free(c); + return st; +} diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h index c786aea..a5734f2 100644 --- a/crypto/constant_time_locl.h +++ b/crypto/constant_time_locl.h @@ -204,6 +204,12 @@ static inline int constant_time_select_int(unsigned int mask, int a, int b) return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b))); } +/* + * Expected usage pattern is to unconditionally set error and then + * wipe it if there was no actual error. |clear| is 1 or 0. + */ +void err_clear_last_constant_time(int clear); + #ifdef __cplusplus } #endif diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index aa5f305..db7e791 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -601,7 +601,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) case ASN1_PKEY_CTRL_DEFAULT_MD_NID: *(int *)arg2 = NID_sha256; - return 2; + return 1; default: return -2; diff --git a/crypto/err/Makefile b/crypto/err/Makefile index b6f3ef1..a09312b 100644 --- a/crypto/err/Makefile +++ b/crypto/err/Makefile @@ -82,7 +82,7 @@ err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -err.o: ../cryptlib.h err.c +err.o: ../constant_time_locl.h ../cryptlib.h err.c err_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h err_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h err_all.o: ../../include/openssl/cms.h ../../include/openssl/comp.h diff --git a/crypto/err/err.c b/crypto/err/err.c index e9ef215..5ce774a 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -118,6 +118,7 @@ #include <openssl/buffer.h> #include <openssl/bio.h> #include <openssl/err.h> +#include "constant_time_locl.h" DECLARE_LHASH_OF(ERR_STRING_DATA); DECLARE_LHASH_OF(ERR_STATE); @@ -1156,3 +1157,40 @@ int ERR_pop_to_mark(void) es->err_flags[es->top] &= ~ERR_FLAG_MARK; return 1; } + +#ifdef UINTPTR_T +# undef UINTPTR_T +#endif +/* + * uintptr_t is the answer, but unformtunately we can't assume that all + * compilers supported by 1.0.2 have it :-( + */ +#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64 +/* + * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 + * even in 64-bit builds, which means that it won't work as mask. + */ +# define UINTPTR_T unsigned long long +#else +# define UINTPTR_T size_t +#endif + +void err_clear_last_constant_time(int clear) +{ + ERR_STATE *es; + int top; + + es = ERR_get_state(); + if (es == NULL) + return; + + top = es->top; + + es->err_flags[top] &= ~(0 - clear); + es->err_buffer[top] &= ~(0UL - clear); + es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & + ~((UINTPTR_T)0 - clear)); + es->err_line[top] |= 0 - clear; + + es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; +} diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index cf1de15..883a943 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -1489,8 +1489,10 @@ void ERR_load_EVP_strings(void); # define EVP_F_EVP_CIPHER_CTX_CTRL 124 # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122 # define EVP_F_EVP_DECRYPTFINAL_EX 101 +# define EVP_F_EVP_DECRYPTUPDATE 181 # define EVP_F_EVP_DIGESTINIT_EX 128 # define EVP_F_EVP_ENCRYPTFINAL_EX 127 +# define EVP_F_EVP_ENCRYPTUPDATE 180 # define EVP_F_EVP_MD_CTX_COPY_EX 110 # define EVP_F_EVP_MD_SIZE 162 # define EVP_F_EVP_OPENINIT 102 diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 0c740d1..c63fb53 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -317,8 +317,9 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0); } -int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - const unsigned char *in, int inl) +static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl, + const unsigned char *in, int inl) { int i, j, bl; @@ -380,6 +381,18 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 1; } +int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, + const unsigned char *in, int inl) +{ + /* Prevent accidental use of decryption context when encrypting */ + if (!ctx->encrypt) { + EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION); + return 0; + } + + return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); +} + int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { int ret; @@ -392,6 +405,12 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) int n, ret; unsigned int i, b, bl; + /* Prevent accidental use of decryption context when encrypting */ + if (!ctx->encrypt) { + EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION); + return 0; + } + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { ret = M_do_cipher(ctx, out, NULL, 0); if (ret < 0) @@ -435,6 +454,12 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, int fix_len; unsigned int b; + /* Prevent accidental use of encryption context when decrypting */ + if (ctx->encrypt) { + EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION); + return 0; + } + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { fix_len = M_do_cipher(ctx, out, in, inl); if (fix_len < 0) { @@ -451,7 +476,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } if (ctx->flags & EVP_CIPH_NO_PADDING) - return EVP_EncryptUpdate(ctx, out, outl, in, inl); + return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); b = ctx->cipher->block_size; OPENSSL_assert(b <= sizeof(ctx->final)); @@ -463,7 +488,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } else fix_len = 0; - if (!EVP_EncryptUpdate(ctx, out, outl, in, inl)) + if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl)) return 0; /* @@ -494,6 +519,13 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { int i, n; unsigned int b; + + /* Prevent accidental use of encryption context when decrypting */ + if (ctx->encrypt) { + EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_INVALID_OPERATION); + return 0; + } + *outl = 0; if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index bcd841e..11647b9 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -1,6 +1,6 @@ /* crypto/evp/evp_err.c */ /* ==================================================================== - * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -92,8 +92,10 @@ static ERR_STRING_DATA EVP_str_functs[] = { {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH), "EVP_CIPHER_CTX_set_key_length"}, {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"}, + {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"}, {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"}, + {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"}, {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"}, {ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"}, {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"}, diff --git a/crypto/evp/evp_test.c b/crypto/evp/evp_test.c index 97a2083..28544a6 100755 --- a/crypto/evp/evp_test.c +++ b/crypto/evp/evp_test.c @@ -1,6 +1,6 @@ /* Written by Ben Laurie, 2001 */ /* - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -327,7 +327,7 @@ static void test1(const EVP_CIPHER *c, const unsigned char *key, int kn, ERR_print_errors_fp(stderr); test1_exit(12); } - if (an && !EVP_EncryptUpdate(&ctx, NULL, &outl, aad, an)) { + if (an && !EVP_DecryptUpdate(&ctx, NULL, &outl, aad, an)) { fprintf(stderr, "AAD set failed\n"); ERR_print_errors_fp(stderr); test1_exit(13); diff --git a/crypto/opensslconf.h.bak b/crypto/opensslconf.h.bak deleted file mode 100644 index 9cb0f3f..0000000 --- a/crypto/opensslconf.h.bak +++ /dev/null @@ -1,265 +0,0 @@ -/* opensslconf.h */ -/* WARNING: Generated automatically from opensslconf.h.in by Configure. */ - -#ifdef __cplusplus -extern "C" { -#endif -/* OpenSSL was configured with the following options: */ -#ifndef OPENSSL_DOING_MAKEDEPEND - - -#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 -# define OPENSSL_NO_EC_NISTP_64_GCC_128 -#endif -#ifndef OPENSSL_NO_GMP -# define OPENSSL_NO_GMP -#endif -#ifndef OPENSSL_NO_JPAKE -# define OPENSSL_NO_JPAKE -#endif -#ifndef OPENSSL_NO_KRB5 -# define OPENSSL_NO_KRB5 -#endif -#ifndef OPENSSL_NO_LIBUNBOUND -# define OPENSSL_NO_LIBUNBOUND -#endif -#ifndef OPENSSL_NO_MD2 -# define OPENSSL_NO_MD2 -#endif -#ifndef OPENSSL_NO_RC5 -# define OPENSSL_NO_RC5 -#endif -#ifndef OPENSSL_NO_RFC3779 -# define OPENSSL_NO_RFC3779 -#endif -#ifndef OPENSSL_NO_SCTP -# define OPENSSL_NO_SCTP -#endif -#ifndef OPENSSL_NO_SSL_TRACE -# define OPENSSL_NO_SSL_TRACE -#endif -#ifndef OPENSSL_NO_SSL2 -# define OPENSSL_NO_SSL2 -#endif -#ifndef OPENSSL_NO_STORE -# define OPENSSL_NO_STORE -#endif -#ifndef OPENSSL_NO_UNIT_TEST -# define OPENSSL_NO_UNIT_TEST -#endif -#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS -# define OPENSSL_NO_WEAK_SSL_CIPHERS -#endif - -#endif /* OPENSSL_DOING_MAKEDEPEND */ - -#ifndef OPENSSL_NO_DYNAMIC_ENGINE -# define OPENSSL_NO_DYNAMIC_ENGINE -#endif - -/* The OPENSSL_NO_* macros are also defined as NO_* if the application - asks for it. This is a transient feature that is provided for those - who haven't had the time to do the appropriate changes in their - applications. */ -#ifdef OPENSSL_ALGORITHM_DEFINES -# if defined(OPENSSL_NO_EC_NISTP_64_GCC_128) && !defined(NO_EC_NISTP_64_GCC_128) -# define NO_EC_NISTP_64_GCC_128 -# endif -# if defined(OPENSSL_NO_GMP) && !defined(NO_GMP) -# define NO_GMP -# endif -# if defined(OPENSSL_NO_JPAKE) && !defined(NO_JPAKE) -# define NO_JPAKE -# endif -# if defined(OPENSSL_NO_KRB5) && !defined(NO_KRB5) -# define NO_KRB5 -# endif -# if defined(OPENSSL_NO_LIBUNBOUND) && !defined(NO_LIBUNBOUND) -# define NO_LIBUNBOUND -# endif -# if defined(OPENSSL_NO_MD2) && !defined(NO_MD2) -# define NO_MD2 -# endif -# if defined(OPENSSL_NO_RC5) && !defined(NO_RC5) -# define NO_RC5 -# endif -# if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779) -# define NO_RFC3779 -# endif -# if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP) -# define NO_SCTP -# endif -# if defined(OPENSSL_NO_SSL_TRACE) && !defined(NO_SSL_TRACE) -# define NO_SSL_TRACE -# endif -# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2) -# define NO_SSL2 -# endif -# if defined(OPENSSL_NO_STORE) && !defined(NO_STORE) -# define NO_STORE -# endif -# if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST) -# define NO_UNIT_TEST -# endif -# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS) -# define NO_WEAK_SSL_CIPHERS -# endif -#endif - -/* crypto/opensslconf.h.in */ - -/* Generate 80386 code? */ -#undef I386_ONLY - -#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */ -#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) -#define ENGINESDIR "/usr/local/ssl/lib/engines" -#define OPENSSLDIR "/usr/local/ssl" -#endif -#endif - -#undef OPENSSL_UNISTD -#define OPENSSL_UNISTD <unistd.h> - -#undef OPENSSL_EXPORT_VAR_AS_FUNCTION - -#if defined(HEADER_IDEA_H) && !defined(IDEA_INT) -#define IDEA_INT unsigned int -#endif - -#if defined(HEADER_MD2_H) && !defined(MD2_INT) -#define MD2_INT unsigned int -#endif - -#if defined(HEADER_RC2_H) && !defined(RC2_INT) -/* I need to put in a mod for the alpha - eay */ -#define RC2_INT unsigned int -#endif - -#if defined(HEADER_RC4_H) -#if !defined(RC4_INT) -/* using int types make the structure larger but make the code faster - * on most boxes I have tested - up to %20 faster. */ -/* - * I don't know what does "most" mean, but declaring "int" is a must on: - * - Intel P6 because partial register stalls are very expensive; - * - elder Alpha because it lacks byte load/store instructions; - */ -#define RC4_INT unsigned int -#endif -#if !defined(RC4_CHUNK) -/* - * This enables code handling data aligned at natural CPU word - * boundary. See crypto/rc4/rc4_enc.c for further details. - */ -#undef RC4_CHUNK -#endif -#endif - -#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) -/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a - * %20 speed up (longs are 8 bytes, int's are 4). */ -#ifndef DES_LONG -#define DES_LONG unsigned long -#endif -#endif - -#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) -#define CONFIG_HEADER_BN_H -#define BN_LLONG - -/* Should we define BN_DIV2W here? */ - -/* Only one for the following should be defined */ -#undef SIXTY_FOUR_BIT_LONG -#undef SIXTY_FOUR_BIT -#define THIRTY_TWO_BIT -#endif - -#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) -#define CONFIG_HEADER_RC4_LOCL_H -/* if this is defined data[i] is used instead of *data, this is a %20 - * speedup on x86 */ -#undef RC4_INDEX -#endif - -#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) -#define CONFIG_HEADER_BF_LOCL_H -#undef BF_PTR -#endif /* HEADER_BF_LOCL_H */ - -#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) -#define CONFIG_HEADER_DES_LOCL_H -#ifndef DES_DEFAULT_OPTIONS -/* the following is tweaked from a config script, that is why it is a - * protected undef/define */ -#ifndef DES_PTR -#undef DES_PTR -#endif - -/* This helps C compiler generate the correct code for multiple functional - * units. It reduces register dependancies at the expense of 2 more - * registers */ -#ifndef DES_RISC1 -#undef DES_RISC1 -#endif - -#ifndef DES_RISC2 -#undef DES_RISC2 -#endif - -#if defined(DES_RISC1) && defined(DES_RISC2) -#error YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! -#endif - -/* Unroll the inner loop, this sometimes helps, sometimes hinders. - * Very mucy CPU dependant */ -#ifndef DES_UNROLL -#undef DES_UNROLL -#endif - -/* These default values were supplied by - * Peter Gutman <pgut001@cs.auckland.ac.nz> - * They are only used if nothing else has been defined */ -#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) -/* Special defines which change the way the code is built depending on the - CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find - even newer MIPS CPU's, but at the moment one size fits all for - optimization options. Older Sparc's work better with only UNROLL, but - there's no way to tell at compile time what it is you're running on */ - -#if defined( __sun ) || defined ( sun ) /* Newer Sparc's */ -# define DES_PTR -# define DES_RISC1 -# define DES_UNROLL -#elif defined( __ultrix ) /* Older MIPS */ -# define DES_PTR -# define DES_RISC2 -# define DES_UNROLL -#elif defined( __osf1__ ) /* Alpha */ -# define DES_PTR -# define DES_RISC2 -#elif defined ( _AIX ) /* RS6000 */ - /* Unknown */ -#elif defined( __hpux ) /* HP-PA */ - /* Unknown */ -#elif defined( __aux ) /* 68K */ - /* Unknown */ -#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ -# define DES_UNROLL -#elif defined( __sgi ) /* Newer MIPS */ -# define DES_PTR -# define DES_RISC2 -# define DES_UNROLL -#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */ -# define DES_PTR -# define DES_RISC1 -# define DES_UNROLL -#endif /* Systems-specific speed defines */ -#endif - -#endif /* DES_DEFAULT_OPTIONS */ -#endif /* HEADER_DES_LOCL_H */ -#ifdef __cplusplus -} -#endif diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 73d22b3..6eaa0d2 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000211fL +# define OPENSSL_VERSION_NUMBER 0x1000212fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2q-fips 20 Nov 2018" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-fips 26 Feb 2019" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2q 20 Nov 2018" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r 26 Feb 2019" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/rsa/Makefile b/crypto/rsa/Makefile index 6be73ed..b083e29 100644 --- a/crypto/rsa/Makefile +++ b/crypto/rsa/Makefile @@ -153,7 +153,8 @@ rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h rsa_eay.c +rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../constant_time_locl.h +rsa_eay.o: ../cryptlib.h rsa_eay.c rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h @@ -299,7 +300,8 @@ rsa_ssl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_ssl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_ssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -rsa_ssl.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_ssl.c +rsa_ssl.o: ../../include/openssl/symhacks.h ../constant_time_locl.h +rsa_ssl.o: ../cryptlib.h rsa_ssl.c rsa_x931.o: ../../e_os.h ../../include/openssl/asn1.h rsa_x931.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_x931.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index be948a4..7f20fd6 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -115,6 +115,7 @@ #include <openssl/rsa.h> #include <openssl/rand.h> #include "bn_int.h" +#include "constant_time_locl.h" #ifndef RSA_NULL @@ -397,6 +398,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, goto err; } + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, + rsa->n, ctx)) + goto err; + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { blinding = rsa_get_blinding(rsa, &local_blinding, ctx); if (blinding == NULL) { @@ -431,11 +437,6 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, } else d = rsa->d; - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, - rsa->n, ctx)) - goto err; - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) goto err; @@ -587,8 +588,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); goto err; } - if (r < 0) - RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); + err_clear_last_constant_time(r >= 0); err: if (ctx != NULL) { diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 3fb8f6b..033ea5a 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -121,7 +121,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, const EVP_MD *mgf1md) { int i, dblen = 0, mlen = -1, one_index = 0, msg_index; - unsigned int good, found_one_byte; + unsigned int good = 0, found_one_byte, mask; const unsigned char *maskedseed, *maskeddb; /* * |em| is the encoded message, zero-padded to exactly |num| bytes: em = @@ -148,8 +148,11 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, * the ciphertext, see PKCS #1 v2.2, section 7.1.2. * This does not leak any side-channel information. */ - if (num < flen || num < 2 * mdlen + 2) - goto decoding_err; + if (num < flen || num < 2 * mdlen + 2) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + RSA_R_OAEP_DECODING_ERROR); + return -1; + } dblen = num - mdlen - 1; db = OPENSSL_malloc(dblen); @@ -158,26 +161,26 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, goto cleanup; } - if (flen != num) { - em = OPENSSL_malloc(num); - if (em == NULL) { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, - ERR_R_MALLOC_FAILURE); - goto cleanup; - } + em = OPENSSL_malloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + ERR_R_MALLOC_FAILURE); + goto cleanup; + } - /* - * Caller is encouraged to pass zero-padded message created with - * BN_bn2binpad, but if it doesn't, we do this zero-padding copy - * to avoid leaking that information. The copy still leaks some - * side-channel information, but it's impossible to have a fixed - * memory access pattern since we can't read out of the bounds of - * |from|. - */ - memset(em, 0, num); - memcpy(em + num - flen, from, flen); - from = em; + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad. Trouble is that since we can't read out of |from|'s + * bounds, it's impossible to have an invariant memory access pattern + * in case |from| was not zero-padded in advance. + */ + for (from += flen, em += num, i = 0; i < num; i++) { + mask = ~constant_time_is_zero(flen); + flen -= 1 & mask; + from -= 1 & mask; + *--em = *from & mask; } + from = em; /* * The first byte must be zero, however we must not leak if this is @@ -224,37 +227,50 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, * so plaintext-awareness ensures timing side-channels are no longer a * concern. */ - if (!good) - goto decoding_err; - msg_index = one_index + 1; mlen = dblen - msg_index; - if (tlen < mlen) { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE); - mlen = -1; - } else { - memcpy(to, db + msg_index, mlen); - goto cleanup; + /* + * For good measure, do this check in constant tine as well. + */ + good &= constant_time_ge(tlen, mlen); + + /* + * Even though we can't fake result's length, we can pretend copying + * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen| + * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, + * where |mlen'| is "saturated" |mlen| value. Deducing information + * about failure or |mlen| would take attacker's ability to observe + * memory access pattern with byte granularity *as it occurs*. It + * should be noted that failure is indistinguishable from normal + * operation if |tlen| is fixed by protocol. + */ + tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); + msg_index = constant_time_select_int(good, msg_index, dblen - tlen); + mlen = dblen - msg_index; + for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { + unsigned int equals = constant_time_eq(i, mlen); + + from -= dblen & equals; /* if (i == dblen) rewind */ + mask &= mask ^ equals; /* if (i == dblen) mask = 0 */ + to[i] = constant_time_select_8(mask, from[i], to[i]); } - decoding_err: /* * To avoid chosen ciphertext attacks, the error message should not * reveal which kind of decoding error happened. */ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_OAEP_DECODING_ERROR); + err_clear_last_constant_time(1 & good); cleanup: - if (db != NULL) { - OPENSSL_cleanse(db, dblen); - OPENSSL_free(db); - } - if (em != NULL) { - OPENSSL_cleanse(em, num); - OPENSSL_free(em); - } - return mlen; + OPENSSL_cleanse(seed, sizeof(seed)); + OPENSSL_cleanse(db, dblen); + OPENSSL_free(db); + OPENSSL_cleanse(em, num); + OPENSSL_free(em); + + return constant_time_select_int(good, mlen, -1); } int PKCS1_MGF1(unsigned char *mask, long len, diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index 5d7882a..074bc0a 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -207,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, int i; /* |em| is the encoded message, zero-padded to exactly |num| bytes */ unsigned char *em = NULL; - unsigned int good, found_zero_byte; + unsigned int good, found_zero_byte, mask; int zero_index = 0, msg_index, mlen = -1; if (tlen < 0 || flen < 0) @@ -218,40 +218,41 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, * section 7.2.2. */ - if (flen > num) - goto err; - - if (num < 11) - goto err; + if (flen > num || num < 11) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, + RSA_R_PKCS_DECODING_ERROR); + return -1; + } - if (flen != num) { - em = OPENSSL_malloc(num); - if (em == NULL) { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); - return -1; - } - /* - * Caller is encouraged to pass zero-padded message created with - * BN_bn2binpad, but if it doesn't, we do this zero-padding copy - * to avoid leaking that information. The copy still leaks some - * side-channel information, but it's impossible to have a fixed - * memory access pattern since we can't read out of the bounds of - * |from|. - */ - memset(em, 0, num); - memcpy(em + num - flen, from, flen); - from = em; + em = OPENSSL_malloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); + return -1; } + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad. Trouble is that since we can't read out of |from|'s + * bounds, it's impossible to have an invariant memory access pattern + * in case |from| was not zero-padded in advance. + */ + for (from += flen, em += num, i = 0; i < num; i++) { + mask = ~constant_time_is_zero(flen); + flen -= 1 & mask; + from -= 1 & mask; + *--em = *from & mask; + } + from = em; good = constant_time_is_zero(from[0]); good &= constant_time_eq(from[1], 2); + /* scan over padding data */ found_zero_byte = 0; for (i = 2; i < num; i++) { unsigned int equals0 = constant_time_is_zero(from[i]); - zero_index = - constant_time_select_int(~found_zero_byte & equals0, i, - zero_index); + + zero_index = constant_time_select_int(~found_zero_byte & equals0, + i, zero_index); found_zero_byte |= equals0; } @@ -260,7 +261,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ - good &= constant_time_ge((unsigned int)(zero_index), 2 + 8); + good &= constant_time_ge(zero_index, 2 + 8); /* * Skip the zero byte. This is incorrect if we never found a zero-byte @@ -270,30 +271,35 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, mlen = num - msg_index; /* - * For good measure, do this check in constant time as well; it could - * leak something if |tlen| was assuming valid padding. + * For good measure, do this check in constant time as well. */ - good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen)); + good &= constant_time_ge(tlen, mlen); /* - * We can't continue in constant-time because we need to copy the result - * and we cannot fake its length. This unavoidably leaks timing - * information at the API boundary. + * Even though we can't fake result's length, we can pretend copying + * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| + * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, + * where |mlen'| is "saturated" |mlen| value. Deducing information + * about failure or |mlen| would take attacker's ability to observe + * memory access pattern with byte granularity *as it occurs*. It + * should be noted that failure is indistinguishable from normal + * operation if |tlen| is fixed by protocol. */ - if (!good) { - mlen = -1; - goto err; + tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); + msg_index = constant_time_select_int(good, msg_index, num - tlen); + mlen = num - msg_index; + for (from += msg_index, mask = good, i = 0; i < tlen; i++) { + unsigned int equals = constant_time_eq(i, mlen); + + from -= tlen & equals; /* if (i == mlen) rewind */ + mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ + to[i] = constant_time_select_8(mask, from[i], to[i]); } - memcpy(to, from + msg_index, mlen); + OPENSSL_cleanse(em, num); + OPENSSL_free(em); + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR); + err_clear_last_constant_time(1 & good); - err: - if (em != NULL) { - OPENSSL_cleanse(em, num); - OPENSSL_free(em); - } - if (mlen == -1) - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, - RSA_R_PKCS_DECODING_ERROR); - return mlen; + return constant_time_select_int(good, mlen, -1); } diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c index 831f75a..e9a5fe2 100644 --- a/crypto/rsa/rsa_ssl.c +++ b/crypto/rsa/rsa_ssl.c @@ -61,6 +61,7 @@ #include <openssl/bn.h> #include <openssl/rsa.h> #include <openssl/rand.h> +#include "constant_time_locl.h" int RSA_padding_add_SSLv23(unsigned char *to, int tlen, const unsigned char *from, int flen) @@ -101,57 +102,116 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, return (1); } +/* + * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding + * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also + * preserves error code reporting for backward compatibility. + */ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, const unsigned char *from, int flen, int num) { - int i, j, k; - const unsigned char *p; + int i; + /* |em| is the encoded message, zero-padded to exactly |num| bytes */ + unsigned char *em = NULL; + unsigned int good, found_zero_byte, mask, threes_in_row; + int zero_index = 0, msg_index, mlen = -1, err; - p = from; if (flen < 10) { RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); return (-1); } - /* Accept even zero-padded input */ - if (flen == num) { - if (*(p++) != 0) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); - return -1; - } - flen--; + + em = OPENSSL_malloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, ERR_R_MALLOC_FAILURE); + return -1; } - if ((num != (flen + 1)) || (*(p++) != 02)) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); - return (-1); + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad. Trouble is that since we can't read out of |from|'s + * bounds, it's impossible to have an invariant memory access pattern + * in case |from| was not zero-padded in advance. + */ + for (from += flen, em += num, i = 0; i < num; i++) { + mask = ~constant_time_is_zero(flen); + flen -= 1 & mask; + from -= 1 & mask; + *--em = *from & mask; } + from = em; + + good = constant_time_is_zero(from[0]); + good &= constant_time_eq(from[1], 2); + err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02); + mask = ~good; /* scan over padding data */ - j = flen - 1; /* one for type */ - for (i = 0; i < j; i++) - if (*(p++) == 0) - break; - - if ((i == j) || (i < 8)) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, - RSA_R_NULL_BEFORE_BLOCK_MISSING); - return (-1); - } - for (k = -9; k < -1; k++) { - if (p[k] != 0x03) - break; - } - if (k == -1) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_SSLV3_ROLLBACK_ATTACK); - return (-1); + found_zero_byte = 0; + threes_in_row = 0; + for (i = 2; i < num; i++) { + unsigned int equals0 = constant_time_is_zero(from[i]); + + zero_index = constant_time_select_int(~found_zero_byte & equals0, + i, zero_index); + found_zero_byte |= equals0; + + threes_in_row += 1 & ~found_zero_byte; + threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3); } - i++; /* Skip over the '\0' */ - j -= i; - if (j > tlen) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE); - return (-1); + /* + * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * If we never found a 0-byte, then |zero_index| is 0 and the check + * also fails. + */ + good &= constant_time_ge(zero_index, 2 + 8); + err = constant_time_select_int(mask | good, err, + RSA_R_NULL_BEFORE_BLOCK_MISSING); + mask = ~good; + + good &= constant_time_lt(threes_in_row, 8); + err = constant_time_select_int(mask | good, err, + RSA_R_SSLV3_ROLLBACK_ATTACK); + mask = ~good; + + /* + * Skip the zero byte. This is incorrect if we never found a zero-byte + * but in this case we also do not copy the message out. + */ + msg_index = zero_index + 1; + mlen = num - msg_index; + + /* + * For good measure, do this check in constant time as well. + */ + good &= constant_time_ge(tlen, mlen); + err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE); + + /* + * Even though we can't fake result's length, we can pretend copying + * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| + * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, + * where |mlen'| is "saturated" |mlen| value. Deducing information + * about failure or |mlen| would take attacker's ability to observe + * memory access pattern with byte granularity *as it occurs*. It + * should be noted that failure is indistinguishable from normal + * operation if |tlen| is fixed by protocol. + */ + tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); + msg_index = constant_time_select_int(good, msg_index, num - tlen); + mlen = num - msg_index; + for (from += msg_index, mask = good, i = 0; i < tlen; i++) { + unsigned int equals = constant_time_eq(i, mlen); + + from -= tlen & equals; /* if (i == mlen) rewind */ + mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ + to[i] = constant_time_select_8(mask, from[i], to[i]); } - memcpy(to, p, (unsigned int)j); - return (j); + OPENSSL_cleanse(em, num); + OPENSSL_free(em); + RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, err); + err_clear_last_constant_time(1 & good); + + return constant_time_select_int(good, mlen, -1); } diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 8d94ecb..7658605 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -214,7 +214,7 @@ the section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to B<x509_extensions> unless the B<-extfile> option is used). If no extension section is present then, a V1 certificate is created. If the extension section -is present (even if it is empty), then a V3 certificate is created. See the:w +is present (even if it is empty), then a V3 certificate is created. See the L<x509v3_config(5)|x509v3_config(5)> manual page for details of the extension section format. diff --git a/doc/crypto/PKCS12_parse.pod b/doc/crypto/PKCS12_parse.pod index c54cf2a..cd648d3 100644 --- a/doc/crypto/PKCS12_parse.pod +++ b/doc/crypto/PKCS12_parse.pod @@ -8,7 +8,8 @@ PKCS12_parse - parse a PKCS#12 structure #include <openssl/pkcs12.h> -int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca); + int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, + STACK_OF(X509) **ca); =head1 DESCRIPTION diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod index f20f815..800e777 100644 --- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod +++ b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod @@ -109,7 +109,12 @@ L<ERR_get_error(3)|ERR_get_error(3)>. The RSA_padding_check_PKCS1_type_2() padding check leaks timing information which can potentially be used to mount a Bleichenbacher padding oracle attack. This is an inherent weakness in the PKCS #1 -v1.5 padding design. Prefer PKCS1_OAEP padding. +v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can +be recommended to pass zero-padded B<f>, so that B<fl> equals to +B<rsa_len>, and if fixed by protocol, B<tlen> being set to the +expected length. In such case leakage would be minimal, it would +take attacker's ability to observe memory access pattern with byte +granilarity as it occurs, post-factum timing analysis won't do. =head1 SEE ALSO diff --git a/doc/crypto/X509_NAME_ENTRY_get_object.pod b/doc/crypto/X509_NAME_ENTRY_get_object.pod index 4716e7e..403725f 100644 --- a/doc/crypto/X509_NAME_ENTRY_get_object.pod +++ b/doc/crypto/X509_NAME_ENTRY_get_object.pod @@ -44,9 +44,6 @@ X509_NAME_ENTRY_get_object() and X509_NAME_ENTRY_get_data() can be used to examine an B<X509_NAME_ENTRY> function as returned by X509_NAME_get_entry() for example. -X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID(), -and X509_NAME_ENTRY_create_by_OBJ() create and return an - X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_OBJ(), X509_NAME_ENTRY_create_by_NID() and X509_NAME_ENTRY_set_data() are seldom used in practice because B<X509_NAME_ENTRY> structures diff --git a/doc/man3/X509_cmp_time.pod b/doc/crypto/X509_cmp_time.pod index 5bf5111..f3c0750 100644 --- a/doc/man3/X509_cmp_time.pod +++ b/doc/crypto/X509_cmp_time.pod @@ -29,7 +29,7 @@ B<cmp_time>, and 1 otherwise. It returns 0 on error. =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/ssl/SSL_get_error.pod b/doc/ssl/SSL_get_error.pod index 2a93894..7537616 100644 --- a/doc/ssl/SSL_get_error.pod +++ b/doc/ssl/SSL_get_error.pod @@ -90,14 +90,17 @@ Details depend on the application. =item SSL_ERROR_SYSCALL -Some non-recoverable I/O error occurred. -The OpenSSL error queue may contain more information on the error. -For socket I/O on Unix systems, consult B<errno> for details. +Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may +contain more information on the error. For socket I/O on Unix systems, consult +B<errno> for details. If this error occurs then no further I/O operations should +be performed on the connection and SSL_shutdown() must not be called. =item SSL_ERROR_SSL -A failure in the SSL library occurred, usually a protocol error. The -OpenSSL error queue contains more information on the error. +A non-recoverable, fatal error in the SSL library occurred, usually a protocol +error. The OpenSSL error queue contains more information on the error. If this +error occurs then no further I/O operations should be performed on the +connection and SSL_shutdown() must not be called. =back diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod index efbff5a..e2a776c 100644 --- a/doc/ssl/SSL_shutdown.pod +++ b/doc/ssl/SSL_shutdown.pod @@ -22,6 +22,10 @@ Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and a currently open session is considered closed and good and will be kept in the session cache for further reuse. +Note that SSL_shutdown() must not be called if a previous fatal error has +occurred on a connection i.e. if SSL_get_error() has returned SSL_ERROR_SYSCALL +or SSL_ERROR_SSL. + The shutdown procedure consists of 2 steps: the sending of the "close notify" shutdown alert and the reception of the peer's "close notify" shutdown alert. According to the TLS standard, it is acceptable for an application diff --git a/openssl.spec b/openssl.spec index f1061be..b42b739 100644 --- a/openssl.spec +++ b/openssl.spec @@ -7,7 +7,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: 1.0.2q +Version: 1.0.2r Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries diff --git a/packaging/openssl.spec b/packaging/openssl.spec index 2adfa02..dc77159 100644 --- a/packaging/openssl.spec +++ b/packaging/openssl.spec @@ -5,7 +5,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: 1.0.2q +Version: 1.0.2r Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL and Apache-2.0 and BSD-3-Clause Group: Security/Crypto Libraries diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 23aa9db..c7fe977 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -1309,6 +1309,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) ERR_add_error_data(2, "SSL alert number ", tmp); s->shutdown |= SSL_RECEIVED_SHUTDOWN; SSL_CTX_remove_session(s->session_ctx, s->session); + s->state = SSL_ST_ERR; return (0); } else { al = SSL_AD_ILLEGAL_PARAMETER; diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 6527df8..830b723 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -1500,6 +1500,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) ERR_add_error_data(2, "SSL alert number ", tmp); s->shutdown |= SSL_RECEIVED_SHUTDOWN; SSL_CTX_remove_session(s->session_ctx, s->session); + s->state = SSL_ST_ERR; return (0); } else { al = SSL_AD_ILLEGAL_PARAMETER; @@ -1719,9 +1720,12 @@ int ssl3_send_alert(SSL *s, int level, int desc) * protocol_version alerts */ if (desc < 0) return -1; - /* If a fatal one, remove from cache */ - if ((level == 2) && (s->session != NULL)) - SSL_CTX_remove_session(s->session_ctx, s->session); + /* If a fatal one, remove from cache and go into the error state */ + if (level == SSL3_AL_FATAL) { + if (s->session != NULL) + SSL_CTX_remove_session(s->session_ctx, s->session); + s->state = SSL_ST_ERR; + } s->s3->alert_dispatch = 1; s->s3->send_alert[0] = level; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 55f918d..8c1f3ae 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3697,6 +3697,12 @@ int tls12_get_sigid(const EVP_PKEY *pk) sizeof(tls12_sig) / sizeof(tls12_lookup)); } +static int tls12_get_hash_nid(unsigned char hash_alg) +{ + return tls12_find_nid(hash_alg, tls12_md, + sizeof(tls12_md) / sizeof(tls12_lookup)); +} + const EVP_MD *tls12_get_hash(unsigned char hash_alg) { switch (hash_alg) { @@ -3887,6 +3893,8 @@ int tls1_process_sigalgs(SSL *s) const EVP_MD *md; CERT *c = s->cert; TLS_SIGALGS *sigptr; + int mandatory_mdnid; + if (!tls1_set_shared_sigalgs(s)) return 0; @@ -3918,6 +3926,18 @@ int tls1_process_sigalgs(SSL *s) for (i = 0, sigptr = c->shared_sigalgs; i < c->shared_sigalgslen; i++, sigptr++) { idx = tls12_get_pkey_idx(sigptr->rsign); + if (s->cert->pkeys[idx].privatekey) { + ERR_set_mark(); + if (EVP_PKEY_get_default_digest_nid(s->cert->pkeys[idx].privatekey, + &mandatory_mdnid) == 2 && + mandatory_mdnid != tls12_get_hash_nid(sigptr->rhash)) + continue; + /* + * If EVP_PKEY_get_default_digest_nid() failed, don't pollute + * the error stack. + */ + ERR_pop_to_mark(); + } if (idx > 0 && c->pkeys[idx].digest == NULL) { md = tls12_get_hash(sigptr->rhash); c->pkeys[idx].digest = md; diff --git a/test/maketests.com b/test/maketests.com index c0e1730..a440c07 100644 --- a/test/maketests.com +++ b/test/maketests.com @@ -198,6 +198,7 @@ $ T_D_BAD_DTLS_TEST := [-.ssl] $ T_D_SSLV2CONFTEST := [-.ssl] $ T_D_DTLSTEST := [-.ssl] $ T_D_FATALERRTEST := [-.ssl] +$ T_D_X509_TIME_TEST := [] $ $ EXOBJ_DTLSTEST := SSLTESTLIB $ EXOBJ_FATALERRTEST := SSLTESTLIB diff --git a/tools/c_rehash.bak b/tools/c_rehash.bak deleted file mode 100644 index 6a27c02..0000000 --- a/tools/c_rehash.bak +++ /dev/null @@ -1,210 +0,0 @@ -#!/usr/bin/perl - -# Perl c_rehash script, scan all files in a directory -# and add symbolic links to their hash values. - -my $dir = "/usr/local/ssl"; -my $prefix = "/usr/local/ssl"; - -my $openssl = $ENV{OPENSSL} || "openssl"; -my $pwd; -my $x509hash = "-subject_hash"; -my $crlhash = "-hash"; -my $verbose = 0; -my $symlink_exists=eval {symlink("",""); 1}; -my $removelinks = 1; - -## Parse flags. -while ( $ARGV[0] =~ /^-/ ) { - my $flag = shift @ARGV; - last if ( $flag eq '--'); - if ( $flag eq '-old') { - $x509hash = "-subject_hash_old"; - $crlhash = "-hash_old"; - } elsif ( $flag eq '-h') { - help(); - } elsif ( $flag eq '-n' ) { - $removelinks = 0; - } elsif ( $flag eq '-v' ) { - $verbose++; - } - else { - print STDERR "Usage error; try -help.\n"; - exit 1; - } -} - -sub help { - print "Usage: c_rehash [-old] [-h] [-v] [dirs...]\n"; - print " -old use old-style digest\n"; - print " -h print this help text\n"; - print " -v print files removed and linked\n"; - exit 0; -} - -eval "require Cwd"; -if (defined(&Cwd::getcwd)) { - $pwd=Cwd::getcwd(); -} else { - $pwd=`pwd`; - chomp($pwd); -} - -# DOS/Win32 or Unix delimiter? Prefix our installdir, then search. -my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; -$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); - -if(! -x $openssl) { - my $found = 0; - foreach (split /$path_delim/, $ENV{PATH}) { - if(-x "$_/$openssl") { - $found = 1; - $openssl = "$_/$openssl"; - last; - } - } - if($found == 0) { - print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; - exit 0; - } -} - -if(@ARGV) { - @dirlist = @ARGV; -} elsif($ENV{SSL_CERT_DIR}) { - @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; -} else { - $dirlist[0] = "$dir/certs"; -} - -if (-d $dirlist[0]) { - chdir $dirlist[0]; - $openssl="$pwd/$openssl" if (!-x $openssl); - chdir $pwd; -} - -foreach (@dirlist) { - if(-d $_ and -w $_) { - hash_dir($_); - } -} - -sub hash_dir { - my %hashlist; - print "Doing $_[0]\n"; - chdir $_[0]; - opendir(DIR, "."); - my @flist = readdir(DIR); - closedir DIR; - if ( $removelinks ) { - # Delete any existing symbolic links - foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if(-l $_) { - unlink $_; - print "unlink $_" if $verbose; - } - } - } - FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { - # Check to see if certificates and/or CRLs present. - my ($cert, $crl) = check_file($fname); - if(!$cert && !$crl) { - print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; - next; - } - link_hash_cert($fname) if($cert); - link_hash_crl($fname) if($crl); - } -} - -sub check_file { - my ($is_cert, $is_crl) = (0,0); - my $fname = $_[0]; - open IN, $fname; - while(<IN>) { - if(/^-----BEGIN (.*)-----/) { - my $hdr = $1; - if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { - $is_cert = 1; - last if($is_crl); - } elsif($hdr eq "X509 CRL") { - $is_crl = 1; - last if($is_cert); - } - } - } - close IN; - return ($is_cert, $is_crl); -} - - -# Link a certificate to its subject name hash value, each hash is of -# the form <hash>.<n> where n is an integer. If the hash value already exists -# then we need to up the value of n, unless its a duplicate in which -# case we skip the link. We check for duplicates by comparing the -# certificate fingerprints - -sub link_hash_cert { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if($hashlist{"$hash.$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate certificate $fname\n"; - return; - } - $suffix++; - } - $hash .= ".$suffix"; - if ($symlink_exists) { - symlink $fname, $hash; - print "link $fname -> $hash\n" if $verbose; - } else { - open IN,"<$fname" or die "can't open $fname for read"; - open OUT,">$hash" or die "can't open $hash for write"; - print OUT <IN>; # does the job for small text files - close OUT; - close IN; - print "copy $fname -> $hash\n" if $verbose; - } - $hashlist{$hash} = $fprint; -} - -# Same as above except for a CRL. CRL links are of the form <hash>.r<n> - -sub link_hash_crl { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.r$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if($hashlist{"$hash.r$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate CRL $fname\n"; - return; - } - $suffix++; - } - $hash .= ".r$suffix"; - if ($symlink_exists) { - symlink $fname, $hash; - print "link $fname -> $hash\n" if $verbose; - } else { - system ("cp", $fname, $hash); - print "cp $fname -> $hash\n" if $verbose; - } - $hashlist{$hash} = $fprint; -} - |