aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2019-05-28 20:13:54 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2019-05-28 20:13:54 +0000
commit10d08b8de39401736faf1f37a8c6121cdd6814c8 (patch)
tree3eb1a0ee652178757d91d9bab8053aa7bece8c27
parentd98e9d8878016a75426544bc9110d4ce403abf61 (diff)
downloadsrc-10d08b8de39401736faf1f37a8c6121cdd6814c8.tar.gz
src-10d08b8de39401736faf1f37a8c6121cdd6814c8.zip
Import OpenSSL 1.0.2s.vendor/openssl/1.0.2s
Notes
Notes: svn path=/vendor-crypto/openssl/dist-1.0.2/; revision=348335 svn path=/vendor-crypto/openssl/1.0.2s/; revision=348336; tag=vendor/openssl/1.0.2s
-rw-r--r--CHANGES17
-rwxr-xr-xConfigure1
-rw-r--r--FREEBSD-upgrade4
-rw-r--r--Makefile4
-rw-r--r--README4
-rwxr-xr-xapps/CA.pl2
-rwxr-xr-xconfig1
-rw-r--r--crypto/dh/dh_pmeth.c4
-rw-r--r--crypto/dsa/dsa_pmeth.c10
-rw-r--r--crypto/ec/ec2_oct.c21
-rw-r--r--crypto/ec/ec_lib.c22
-rw-r--r--crypto/ec/ec_mult.c4
-rw-r--r--crypto/ec/ecp_nistp521.c11
-rw-r--r--crypto/ec/ecp_oct.c12
-rw-r--r--crypto/ec/ectest.c98
-rw-r--r--crypto/ecdh/ech_ossl.c4
-rw-r--r--crypto/err/err.c49
-rw-r--r--crypto/err/err.h3
-rw-r--r--crypto/opensslv.h6
-rw-r--r--crypto/rsa/rsa_eay.c4
-rw-r--r--crypto/rsa/rsa_oaep.c46
-rw-r--r--crypto/rsa/rsa_pk1.c44
-rw-r--r--crypto/rsa/rsa_pmeth.c4
-rw-r--r--crypto/rsa/rsa_ssl.c55
-rw-r--r--doc/apps/genpkey.pod8
-rw-r--r--ssl/d1_pkt.c2
-rw-r--r--ssl/s3_pkt.c2
27 files changed, 283 insertions, 159 deletions
diff --git a/CHANGES b/CHANGES
index 850e13f41c66..8cfdec686028 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,23 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.0.2r and 1.0.2s [28 May 2019]
+
+ *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+ This changes the size when using the genpkey app when no size is given. It
+ fixes an omission in earlier changes that changed all RSA, DSA and DH
+ generation apps to use 2048 bits by default.
+ [Kurt Roeckx]
+
+ *) Add FIPS support for Android Arm 64-bit
+
+ Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
+ Module in Version 2.0.10. For some reason, the corresponding target
+ 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be
+ built with FIPS support on Android Arm 64-bit. This omission has been
+ fixed.
+ [Matthias St. Pierre]
+
Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
*) 0-byte record padding oracle
diff --git a/Configure b/Configure
index c7066dc97c58..3846c9133a2b 100755
--- a/Configure
+++ b/Configure
@@ -475,6 +475,7 @@ my %table=(
"android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"android-armv7","gcc:-march=armv7-a -mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"android64-aarch64","gcc:-mandroid -fPIC -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-pie%-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### *BSD [do see comment about ${BSDthreads} above!]
"BSD-generic32","gcc:-O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/FREEBSD-upgrade b/FREEBSD-upgrade
index d982c3bdf2ab..c39f65d39f66 100644
--- a/FREEBSD-upgrade
+++ b/FREEBSD-upgrade
@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports
# Xlist
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
setenv FSVN "svn+ssh://repo.freebsd.org/base"
-setenv OSSLVER 1.0.2r
-# OSSLTAG format: v1_0_2r
+setenv OSSLVER 1.0.2s
+# OSSLTAG format: v1_0_2s
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
diff --git a/Makefile b/Makefile
index 2ffb28002ee2..1f018f5530c8 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.2r
+VERSION=1.0.2s
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
@@ -70,7 +70,7 @@ AR= ar $(ARFLAGS) r
RANLIB= /usr/bin/ranlib
RC= windres
NM= nm
-PERL= /usr/bin/perl
+PERL= /usr/local/bin/perl
TAR= tar
TARFLAGS= --no-recursion
MAKEDEPPROG= gcc
diff --git a/README b/README
index 8404d214e232..4288325106af 100644
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
- OpenSSL 1.0.2r 26 Feb 2019
+ OpenSSL 1.0.2s 28 May 2019
- Copyright (c) 1998-2018 The OpenSSL Project
+ Copyright (c) 1998-2019 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
diff --git a/apps/CA.pl b/apps/CA.pl
index 43c20b201c79..3bf4c99f3102 100755
--- a/apps/CA.pl
+++ b/apps/CA.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/local/bin/perl
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
diff --git a/config b/config
index 6214c4b1df9f..c8a3b5897d26 100755
--- a/config
+++ b/config
@@ -871,6 +871,7 @@ case "$GUESSOS" in
*-*-qnx6) OUT="QNX6" ;;
x86-*-android|i?86-*-android) OUT="android-x86" ;;
armv[7-9]*-*-android) OUT="android-armv7" ;;
+ aarch64-*-android) OUT="android64-aarch64" ;;
*) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
esac
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 162753af071d..924a5ae64928 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -3,7 +3,7 @@
* 2006.
*/
/* ====================================================================
- * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -101,7 +101,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx)
dctx = OPENSSL_malloc(sizeof(DH_PKEY_CTX));
if (!dctx)
return 0;
- dctx->prime_len = 1024;
+ dctx->prime_len = 2048;
dctx->subprime_len = -1;
dctx->generator = 2;
dctx->use_dsa = 0;
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index 7f00e97036f2..cdf7320325cf 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -3,7 +3,7 @@
* 2006.
*/
/* ====================================================================
- * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -69,8 +69,8 @@
typedef struct {
/* Parameter gen parameters */
- int nbits; /* size of p in bits (default: 1024) */
- int qbits; /* size of q in bits (default: 160) */
+ int nbits; /* size of p in bits (default: 2048) */
+ int qbits; /* size of q in bits (default: 224) */
const EVP_MD *pmd; /* MD for parameter generation */
/* Keygen callback info */
int gentmp[2];
@@ -84,8 +84,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx)
dctx = OPENSSL_malloc(sizeof(DSA_PKEY_CTX));
if (!dctx)
return 0;
- dctx->nbits = 1024;
- dctx->qbits = 160;
+ dctx->nbits = 2048;
+ dctx->qbits = 224;
dctx->pmd = NULL;
dctx->md = NULL;
diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c
index 0d04cc692303..5da3cd8bf51c 100644
--- a/crypto/ec/ec2_oct.c
+++ b/crypto/ec/ec2_oct.c
@@ -14,7 +14,7 @@
*
*/
/* ====================================================================
- * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -299,7 +299,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
BN_CTX *ctx)
{
point_conversion_form_t form;
- int y_bit;
+ int y_bit, m;
BN_CTX *new_ctx = NULL;
BIGNUM *x, *y, *yxi;
size_t field_len, enc_len;
@@ -332,7 +332,8 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
return EC_POINT_set_to_infinity(group, point);
}
- field_len = (EC_GROUP_get_degree(group) + 7) / 8;
+ m = EC_GROUP_get_degree(group);
+ field_len = (m + 7) / 8;
enc_len =
(form ==
POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len;
@@ -357,7 +358,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
if (!BN_bin2bn(buf + 1, field_len, x))
goto err;
- if (BN_ucmp(x, &group->field) >= 0) {
+ if (BN_num_bits(x) > m) {
ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
goto err;
}
@@ -369,7 +370,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
} else {
if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
goto err;
- if (BN_ucmp(y, &group->field) >= 0) {
+ if (BN_num_bits(y) > m) {
ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
goto err;
}
@@ -382,16 +383,14 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
}
}
+ /*
+ * EC_POINT_set_affine_coordinates_GF2m is responsible for checking that
+ * the point is on the curve.
+ */
if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx))
goto err;
}
- /* test required by X9.62 */
- if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
- goto err;
- }
-
ret = 1;
err:
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index df56484b5ee2..cd2c420176f7 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -3,7 +3,7 @@
* Originally written by Bodo Moeller for the OpenSSL project.
*/
/* ====================================================================
- * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -872,7 +872,15 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group,
EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
- return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
+ if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx))
+ return 0;
+
+ if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
+ ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,
+ EC_R_POINT_IS_NOT_ON_CURVE);
+ return 0;
+ }
+ return 1;
}
#ifndef OPENSSL_NO_EC2M
@@ -890,7 +898,15 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group,
EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
- return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
+ if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx))
+ return 0;
+
+ if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
+ ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M,
+ EC_R_POINT_IS_NOT_ON_CURVE);
+ return 0;
+ }
+ return 1;
}
#endif
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index da71526818f8..a784a99ce91e 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -3,7 +3,7 @@
* Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
*/
/* ====================================================================
- * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -519,7 +519,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
ret = 1;
err:
- EC_POINT_free(s);
+ EC_POINT_clear_free(s);
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index 90989c5a0769..1a42068c01f9 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -356,10 +356,15 @@ static void felem_diff64(felem out, const felem in)
static void felem_diff_128_64(largefelem out, const felem in)
{
/*
- * In order to prevent underflow, we add 0 mod p before subtracting.
+ * In order to prevent underflow, we add 64p mod p (which is equivalent
+ * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521
+ * digit number with all bits set to 1. See "The representation of field
+ * elements" comment above for a description of how limbs are used to
+ * represent a number. 64p is represented with 8 limbs containing a number
+ * with 58 bits set and one limb with a number with 57 bits set.
*/
- static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5);
- static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4);
+ static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6);
+ static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5);
out[0] += two63m6 - in[0];
out[1] += two63m5 - in[1];
diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c
index 1bc3f39ad15f..6943ceeec6d2 100644
--- a/crypto/ec/ecp_oct.c
+++ b/crypto/ec/ecp_oct.c
@@ -5,7 +5,7 @@
* OpenSSL project.
*/
/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -408,16 +408,14 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
}
}
+ /*
+ * EC_POINT_set_affine_coordinates_GFp is responsible for checking that
+ * the point is on the curve.
+ */
if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
goto err;
}
- /* test required by X9.62 */
- if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
- ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
- goto err;
- }
-
ret = 1;
err:
diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index 5e1ef5093383..73f73744576a 100644
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -3,7 +3,7 @@
* Originally written by Bodo Moeller for the OpenSSL project.
*/
/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -325,7 +325,7 @@ static void prime_field_tests(void)
EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 =
NULL, *P_384 = NULL, *P_521 = NULL;
EC_POINT *P, *Q, *R;
- BIGNUM *x, *y, *z;
+ BIGNUM *x, *y, *z, *yplusone;
unsigned char buf[100];
size_t i, len;
int k;
@@ -405,7 +405,8 @@ static void prime_field_tests(void)
x = BN_new();
y = BN_new();
z = BN_new();
- if (!x || !y || !z)
+ yplusone = BN_new();
+ if (x == NULL || y == NULL || z == NULL || yplusone == NULL)
ABORT;
if (!BN_hex2bn(&x, "D"))
@@ -542,6 +543,14 @@ static void prime_field_tests(void)
ABORT;
if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32"))
ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
ABORT;
if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
@@ -613,6 +622,15 @@ static void prime_field_tests(void)
if (0 != BN_cmp(y, z))
ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
+
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 192)
ABORT;
@@ -668,6 +686,15 @@ static void prime_field_tests(void)
if (0 != BN_cmp(y, z))
ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
+
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 224)
ABORT;
@@ -728,6 +755,15 @@ static void prime_field_tests(void)
if (0 != BN_cmp(y, z))
ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
+
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 256)
ABORT;
@@ -783,6 +819,15 @@ static void prime_field_tests(void)
if (0 != BN_cmp(y, z))
ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
+
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 384)
ABORT;
@@ -844,6 +889,15 @@ static void prime_field_tests(void)
if (0 != BN_cmp(y, z))
ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
+
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 521)
ABORT;
@@ -858,6 +912,10 @@ static void prime_field_tests(void)
/* more tests using the last curve */
+ /* Restore the point that got mangled in the (x, y + 1) test. */
+ if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
+ ABORT;
+
if (!EC_POINT_copy(Q, P))
ABORT;
if (EC_POINT_is_at_infinity(group, Q))
@@ -987,6 +1045,7 @@ static void prime_field_tests(void)
BN_free(x);
BN_free(y);
BN_free(z);
+ BN_free(yplusone);
if (P_160)
EC_GROUP_free(P_160);
@@ -1007,6 +1066,13 @@ static void prime_field_tests(void)
# ifdef OPENSSL_EC_BIN_PT_COMP
# define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \
if (!BN_hex2bn(&x, _x)) ABORT; \
+ if (!BN_hex2bn(&y, _y)) ABORT; \
+ if (!BN_add(yplusone, y, BN_value_one())) ABORT; \
+ /* \
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \
+ * and therefore setting the coordinates should fail. \
+ */ \
+ if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \
if (!EC_POINT_set_compressed_coordinates_GF2m(group, P, x, _y_bit, ctx)) ABORT; \
if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \
if (!BN_hex2bn(&z, _order)) ABORT; \
@@ -1025,6 +1091,12 @@ static void prime_field_tests(void)
# define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \
if (!BN_hex2bn(&x, _x)) ABORT; \
if (!BN_hex2bn(&y, _y)) ABORT; \
+ if (!BN_add(yplusone, y, BN_value_one())) ABORT; \
+ /* \
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \
+ * and therefore setting the coordinates should fail. \
+ */ \
+ if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \
if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \
if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \
if (!BN_hex2bn(&z, _order)) ABORT; \
@@ -1062,7 +1134,7 @@ static void char2_field_tests(void)
EC_GROUP *C2_B163 = NULL, *C2_B233 = NULL, *C2_B283 = NULL, *C2_B409 =
NULL, *C2_B571 = NULL;
EC_POINT *P, *Q, *R;
- BIGNUM *x, *y, *z, *cof;
+ BIGNUM *x, *y, *z, *cof, *yplusone;
unsigned char buf[100];
size_t i, len;
int k;
@@ -1076,7 +1148,7 @@ static void char2_field_tests(void)
p = BN_new();
a = BN_new();
b = BN_new();
- if (!p || !a || !b)
+ if (p == NULL || a == NULL || b == NULL)
ABORT;
if (!BN_hex2bn(&p, "13"))
@@ -1142,7 +1214,8 @@ static void char2_field_tests(void)
y = BN_new();
z = BN_new();
cof = BN_new();
- if (!x || !y || !z || !cof)
+ yplusone = BN_new();
+ if (x == NULL || y == NULL || z == NULL || cof == NULL || yplusone == NULL)
ABORT;
if (!BN_hex2bn(&x, "6"))
@@ -1504,6 +1577,7 @@ static void char2_field_tests(void)
BN_free(y);
BN_free(z);
BN_free(cof);
+ BN_free(yplusone);
if (C2_K163)
EC_GROUP_free(C2_K163);
@@ -1672,7 +1746,7 @@ static const struct nistp_test_params nistp_tests_params[] = {
static void nistp_single_test(const struct nistp_test_params *test)
{
BN_CTX *ctx;
- BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
+ BIGNUM *p, *a, *b, *x, *y, *n, *m, *order, *yplusone;
EC_GROUP *NISTP;
EC_POINT *G, *P, *Q, *Q_CHECK;
@@ -1687,6 +1761,7 @@ static void nistp_single_test(const struct nistp_test_params *test)
m = BN_new();
n = BN_new();
order = BN_new();
+ yplusone = BN_new();
NISTP = EC_GROUP_new(test->meth());
if (!NISTP)
@@ -1709,6 +1784,14 @@ static void nistp_single_test(const struct nistp_test_params *test)
ABORT;
if (!BN_hex2bn(&y, test->Qy))
ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, yplusone, ctx))
+ ABORT;
if (!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx))
ABORT;
if (!BN_hex2bn(&x, test->Gx))
@@ -1811,6 +1894,7 @@ static void nistp_single_test(const struct nistp_test_params *test)
BN_free(x);
BN_free(y);
BN_free(order);
+ BN_free(yplusone);
BN_CTX_free(ctx);
}
diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c
index d3b05247fe37..2185c3859c23 100644
--- a/crypto/ecdh/ech_ossl.c
+++ b/crypto/ecdh/ech_ossl.c
@@ -14,7 +14,7 @@
*
*/
/* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -207,7 +207,7 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
err:
if (tmp)
- EC_POINT_free(tmp);
+ EC_POINT_clear_free(tmp);
if (ctx)
BN_CTX_end(ctx);
if (ctx)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 5ce774a3f567..e6138aa23859 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -827,8 +827,24 @@ static unsigned long get_error_values(int inc, int top, const char **file,
return ERR_R_INTERNAL_ERROR;
}
+ while (es->bottom != es->top) {
+ if (es->err_flags[es->top] & ERR_FLAG_CLEAR) {
+ err_clear(es, es->top);
+ es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1;
+ continue;
+ }
+ i = (es->bottom + 1) % ERR_NUM_ERRORS;
+ if (es->err_flags[i] & ERR_FLAG_CLEAR) {
+ es->bottom = i;
+ err_clear(es, es->bottom);
+ continue;
+ }
+ break;
+ }
+
if (es->bottom == es->top)
return 0;
+
if (top)
i = es->top; /* last error */
else
@@ -1158,23 +1174,6 @@ int ERR_pop_to_mark(void)
return 1;
}
-#ifdef UINTPTR_T
-# undef UINTPTR_T
-#endif
-/*
- * uintptr_t is the answer, but unformtunately we can't assume that all
- * compilers supported by 1.0.2 have it :-(
- */
-#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64
-/*
- * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
- * even in 64-bit builds, which means that it won't work as mask.
- */
-# define UINTPTR_T unsigned long long
-#else
-# define UINTPTR_T size_t
-#endif
-
void err_clear_last_constant_time(int clear)
{
ERR_STATE *es;
@@ -1186,11 +1185,11 @@ void err_clear_last_constant_time(int clear)
top = es->top;
- es->err_flags[top] &= ~(0 - clear);
- es->err_buffer[top] &= ~(0UL - clear);
- es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
- ~((UINTPTR_T)0 - clear));
- es->err_line[top] |= 0 - clear;
-
- es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+ /*
+ * Flag error as cleared but remove it elsewhere to avoid two errors
+ * accessing the same error stack location, revealing timing information.
+ */
+ clear = constant_time_select_int(constant_time_eq_int(clear, 0),
+ 0, ERR_FLAG_CLEAR);
+ es->err_flags[top] |= clear;
}
diff --git a/crypto/err/err.h b/crypto/err/err.h
index f42365620db0..1862456e9bf7 100644
--- a/crypto/err/err.h
+++ b/crypto/err/err.h
@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -143,6 +143,7 @@ extern "C" {
# define ERR_TXT_STRING 0x02
# define ERR_FLAG_MARK 0x01
+# define ERR_FLAG_CLEAR 0x02
# define ERR_NUM_ERRORS 16
typedef struct err_state_st {
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 6eaa0d2bd844..8b4756989b1e 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1000212fL
+# define OPENSSL_VERSION_NUMBER 0x1000213fL
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-fips 26 Feb 2019"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2s-fips 28 May 2019"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r 26 Feb 2019"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2s 28 May 2019"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 7f20fd6738a7..b7362ad7656d 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -589,7 +589,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
goto err;
}
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
- err_clear_last_constant_time(r >= 0);
+ err_clear_last_constant_time(1 & ~constant_time_msb(r));
err:
if (ctx != NULL) {
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 033ea5a520cb..41e9c3bfe3ba 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -144,7 +144,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
* |num| is the length of the modulus; |flen| is the length of the
* encoded message. Therefore, for any |from| that was obtained by
* decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
- * num < 2 * mdlen + 2 must hold for the modulus irrespective of
+ * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of
* the ciphertext, see PKCS #1 v2.2, section 7.1.2.
* This does not leak any side-channel information.
*/
@@ -180,17 +180,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
from -= 1 & mask;
*--em = *from & mask;
}
- from = em;
/*
* The first byte must be zero, however we must not leak if this is
* true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
* Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
*/
- good = constant_time_is_zero(from[0]);
+ good = constant_time_is_zero(em[0]);
- maskedseed = from + 1;
- maskeddb = from + 1 + mdlen;
+ maskedseed = em + 1;
+ maskeddb = em + 1 + mdlen;
if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
goto cleanup;
@@ -231,29 +230,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
mlen = dblen - msg_index;
/*
- * For good measure, do this check in constant tine as well.
+ * For good measure, do this check in constant time as well.
*/
good &= constant_time_ge(tlen, mlen);
/*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
*/
- tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
- msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
- mlen = dblen - msg_index;
- for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
- unsigned int equals = constant_time_eq(i, mlen);
-
- from -= dblen & equals; /* if (i == dblen) rewind */
- mask &= mask ^ equals; /* if (i == dblen) mask = 0 */
- to[i] = constant_time_select_8(mask, from[i], to[i]);
+ tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
+ dblen - mdlen - 1, tlen);
+ for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
+ mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
+ for (i = mdlen + 1; i < dblen - msg_index; i++)
+ db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
+ }
+ for (i = 0; i < tlen; i++) {
+ mask = good & constant_time_lt(i, mlen);
+ to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
}
/*
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index 074bc0a93947..86e0debc46bb 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -241,15 +241,14 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
from -= 1 & mask;
*--em = *from & mask;
}
- from = em;
- good = constant_time_is_zero(from[0]);
- good &= constant_time_eq(from[1], 2);
+ good = constant_time_is_zero(em[0]);
+ good &= constant_time_eq(em[1], 2);
/* scan over padding data */
found_zero_byte = 0;
for (i = 2; i < num; i++) {
- unsigned int equals0 = constant_time_is_zero(from[i]);
+ unsigned int equals0 = constant_time_is_zero(em[i]);
zero_index = constant_time_select_int(~found_zero_byte & equals0,
i, zero_index);
@@ -257,7 +256,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
}
/*
- * PS must be at least 8 bytes long, and it starts two bytes into |from|.
+ * PS must be at least 8 bytes long, and it starts two bytes into |em|.
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
@@ -276,24 +275,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
good &= constant_time_ge(tlen, mlen);
/*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |num|-11-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |em|+11 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
*/
- tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
- msg_index = constant_time_select_int(good, msg_index, num - tlen);
- mlen = num - msg_index;
- for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
- unsigned int equals = constant_time_eq(i, mlen);
-
- from -= tlen & equals; /* if (i == mlen) rewind */
- mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
- to[i] = constant_time_select_8(mask, from[i], to[i]);
+ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
+ num - 11, tlen);
+ for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) {
+ mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0);
+ for (i = 11; i < num - msg_index; i++)
+ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
+ }
+ for (i = 0; i < tlen; i++) {
+ mask = good & constant_time_lt(i, mlen);
+ to[i] = constant_time_select_8(mask, em[i + 11], to[i]);
}
OPENSSL_cleanse(em, num);
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 00e730ffa958..a798be5b3459 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -4,7 +4,7 @@
* 2006.
*/
/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -103,7 +103,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
if (!rctx)
return 0;
- rctx->nbits = 1024;
+ rctx->nbits = 2048;
rctx->pub_exp = NULL;
rctx->pad_mode = RSA_PKCS1_PADDING;
rctx->md = NULL;
diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c
index e9a5fe2385b3..6f25acdac47a 100644
--- a/crypto/rsa/rsa_ssl.c
+++ b/crypto/rsa/rsa_ssl.c
@@ -104,7 +104,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
/*
* Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
- * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
+ * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
* preserves error code reporting for backward compatibility.
*/
int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
@@ -116,7 +116,10 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
unsigned int good, found_zero_byte, mask, threes_in_row;
int zero_index = 0, msg_index, mlen = -1, err;
- if (flen < 10) {
+ if (tlen <= 0 || flen <= 0)
+ return -1;
+
+ if (flen > num || num < 11) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
return (-1);
}
@@ -138,10 +141,9 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
from -= 1 & mask;
*--em = *from & mask;
}
- from = em;
- good = constant_time_is_zero(from[0]);
- good &= constant_time_eq(from[1], 2);
+ good = constant_time_is_zero(em[0]);
+ good &= constant_time_eq(em[1], 2);
err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
mask = ~good;
@@ -149,18 +151,18 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
found_zero_byte = 0;
threes_in_row = 0;
for (i = 2; i < num; i++) {
- unsigned int equals0 = constant_time_is_zero(from[i]);
+ unsigned int equals0 = constant_time_is_zero(em[i]);
zero_index = constant_time_select_int(~found_zero_byte & equals0,
i, zero_index);
found_zero_byte |= equals0;
threes_in_row += 1 & ~found_zero_byte;
- threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3);
+ threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3);
}
/*
- * PS must be at least 8 bytes long, and it starts two bytes into |from|.
+ * PS must be at least 8 bytes long, and it starts two bytes into |em|.
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
@@ -169,7 +171,7 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
RSA_R_NULL_BEFORE_BLOCK_MISSING);
mask = ~good;
- good &= constant_time_lt(threes_in_row, 8);
+ good &= constant_time_ge(threes_in_row, 8);
err = constant_time_select_int(mask | good, err,
RSA_R_SSLV3_ROLLBACK_ATTACK);
mask = ~good;
@@ -188,24 +190,25 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE);
/*
- * Even though we can't fake result's length, we can pretend copying
- * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
- * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
- * where |mlen'| is "saturated" |mlen| value. Deducing information
- * about failure or |mlen| would take attacker's ability to observe
- * memory access pattern with byte granularity *as it occurs*. It
- * should be noted that failure is indistinguishable from normal
- * operation if |tlen| is fixed by protocol.
+ * Move the result in-place by |num|-11-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |em|+11 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
*/
- tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
- msg_index = constant_time_select_int(good, msg_index, num - tlen);
- mlen = num - msg_index;
- for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
- unsigned int equals = constant_time_eq(i, mlen);
-
- from -= tlen & equals; /* if (i == mlen) rewind */
- mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
- to[i] = constant_time_select_8(mask, from[i], to[i]);
+ tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
+ num - 11, tlen);
+ for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) {
+ mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0);
+ for (i = 11; i < num - msg_index; i++)
+ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
+ }
+ for (i = 0; i < tlen; i++) {
+ mask = good & constant_time_lt(i, mlen);
+ to[i] = constant_time_select_8(mask, em[i + 11], to[i]);
}
OPENSSL_cleanse(em, num);
diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod
index 2e2440056fdd..2a86c680c57f 100644
--- a/doc/apps/genpkey.pod
+++ b/doc/apps/genpkey.pod
@@ -111,7 +111,7 @@ below.
=item B<rsa_keygen_bits:numbits>
-The number of bits in the generated key. If not specified 1024 is used.
+The number of bits in the generated key. If not specified 2048 is used.
=item B<rsa_keygen_pubexp:value>
@@ -149,12 +149,12 @@ below.
=item B<dsa_paramgen_bits:numbits>
-The number of bits in the generated prime. If not specified 1024 is used.
+The number of bits in the generated prime. If not specified 2048 is used.
=item B<dsa_paramgen_q_bits:numbits>
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
-specified 160 is used.
+specified 224 is used.
=item B<dsa_paramgen_md:digest>
@@ -173,7 +173,7 @@ or B<sha256> if it is 256.
=item B<dh_paramgen_prime_len:numbits>
-The number of bits in the prime parameter B<p>. The default is 1024.
+The number of bits in the prime parameter B<p>. The default is 2048.
=item B<dh_paramgen_subprime_len:numbits>
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index c7fe97727bfa..00aa15f85b7d 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -4,7 +4,7 @@
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
*/
/* ====================================================================
- * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 830b7237a2f3..f6947677d13e 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions