diff options
35 files changed, 527 insertions, 180 deletions
@@ -7,6 +7,33 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.0.2q and 1.0.2r [26 Feb 2019] + + *) 0-byte record padding oracle + + If an application encounters a fatal protocol error and then calls + SSL_shutdown() twice (once to send a close_notify, and once to receive one) + then OpenSSL can respond differently to the calling application if a 0 byte + record is received with invalid padding compared to if a 0 byte record is + received with an invalid MAC. If the application then behaves differently + based on that in a way that is detectable to the remote peer, then this + amounts to a padding oracle that could be used to decrypt data. + + In order for this to be exploitable "non-stitched" ciphersuites must be in + use. Stitched ciphersuites are optimised implementations of certain + commonly used ciphersuites. Also the application must call SSL_shutdown() + twice even if a protocol error has occurred (applications should not do + this but some do anyway). + + This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod + Aviram, with additional investigation by Steven Collison and Andrew + Hourselt. It was reported to OpenSSL on 10th December 2018. + (CVE-2019-1559) + [Matt Caswell] + + *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). + [Richard Levitte] + Changes between 1.0.2p and 1.0.2q [20 Nov 2018] *) Microarchitecture timing vulnerability in ECC scalar multiplication diff --git a/FREEBSD-upgrade b/FREEBSD-upgrade index 2365e9149b73..d982c3bdf2ab 100644 --- a/FREEBSD-upgrade +++ b/FREEBSD-upgrade @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://repo.freebsd.org/base" -setenv OSSLVER 1.0.2q -# OSSLTAG format: v1_0_2q +setenv OSSLVER 1.0.2r +# OSSLTAG format: v1_0_2r ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2q +VERSION=1.0.2r MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 @@ -521,7 +521,7 @@ $(TARFILE).list: find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ - \! -name '.#*' \! -name '*~' \! -type l \ + \! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \ | sort > $(TARFILE).list tar: $(TARFILE).list diff --git a/Makefile.org b/Makefile.org index f51f0a756c3e..8089d3fc2ead 100644 --- a/Makefile.org +++ b/Makefile.org @@ -519,7 +519,7 @@ $(TARFILE).list: find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ - \! -name '.#*' \! -name '*~' \! -type l \ + \! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \ | sort > $(TARFILE).list tar: $(TARFILE).list @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] + + o 0-byte record padding oracle (CVE-2019-1559) + Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407) @@ -1,5 +1,5 @@ - OpenSSL 1.0.2q 20 Nov 2018 + OpenSSL 1.0.2r 26 Feb 2019 Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index cc8f9a8243e7..d04f7861a1b3 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -234,6 +234,21 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe, int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth) { + /* + * One of the following must be true: + * + * pem_str == NULL AND ASN1_PKEY_ALIAS is set + * pem_str != NULL AND ASN1_PKEY_ALIAS is clear + * + * Anything else is an error and may lead to a corrupt ASN1 method table + */ + if (!((ameth->pem_str == NULL + && (ameth->pkey_flags & ASN1_PKEY_ALIAS) != 0) + || (ameth->pem_str != NULL + && (ameth->pkey_flags & ASN1_PKEY_ALIAS) == 0))) { + return 0; + } + if (app_methods == NULL) { app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp); if (!app_methods) @@ -305,18 +320,6 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, } else ameth->info = NULL; - /* - * One of the following must be true: - * - * pem_str == NULL AND ASN1_PKEY_ALIAS is set - * pem_str != NULL AND ASN1_PKEY_ALIAS is clear - * - * Anything else is an error and may lead to a corrupt ASN1 method table - */ - if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0) - || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0))) - goto err; - if (pem_str) { ameth->pem_str = BUF_strdup(pem_str); if (!ameth->pem_str) diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c index bbf906fabba0..024d0cf418b2 100644 --- a/crypto/bio/bss_file.c +++ b/crypto/bio/bss_file.c @@ -361,12 +361,16 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) } else _setmode(fd, _O_BINARY); } -# elif defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN) +# elif defined(OPENSSL_SYS_OS2) int fd = fileno((FILE *)ptr); if (num & BIO_FP_TEXT) setmode(fd, O_TEXT); else setmode(fd, O_BINARY); +# elif defined(OPENSSL_SYS_WIN32_CYGWIN) + int fd = fileno((FILE *)ptr); + if (!(num & BIO_FP_TEXT)) + setmode(fd, O_BINARY); # endif } break; @@ -389,11 +393,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) ret = 0; break; } -# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN) +# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) if (!(num & BIO_FP_TEXT)) strcat(p, "b"); else strcat(p, "t"); +# elif defined(OPENSSL_SYS_WIN32_CYGWIN) + if (!(num & BIO_FP_TEXT)) + strcat(p, "b"); # endif # if defined(OPENSSL_SYS_NETWARE) if (!(num & BIO_FP_TEXT)) diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 526c6a046d16..d18eedbd4556 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -1,7 +1,7 @@ /* crypto/bn/bn_ctx.c */ /* Written by Ulf Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -299,6 +299,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx) } /* OK, make sure the returned bignum is "zero" */ BN_zero(ret); + /* clear BN_FLG_CONSTTIME if leaked from previous frames */ + ret->flags &= (~BN_FLG_CONSTTIME); ctx->used++; CTXDBG_RET(ctx, ret); return ret; diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 9b95e5f2bd92..2a84698af8c1 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -836,6 +836,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n) int i; BN_ULONG aa, bb; + if (n == 0) + return 0; + aa = a[n - 1]; bb = b[n - 1]; if (aa != bb) diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c index abe5dbe0b01a..75aa7075abd5 100644 --- a/crypto/bn/bntest.c +++ b/crypto/bn/bntest.c @@ -89,6 +89,10 @@ #include <openssl/x509.h> #include <openssl/err.h> +#ifndef OSSL_NELEM +# define OSSL_NELEM(x) (sizeof(x)/sizeof(x[0])) +#endif + const int num0 = 100; /* number of tests */ const int num1 = 50; /* additional tests for some functions */ const int num2 = 5; /* number of tests for slow functions */ @@ -123,6 +127,7 @@ int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx); int test_kron(BIO *bp, BN_CTX *ctx); int test_sqrt(BIO *bp, BN_CTX *ctx); int rand_neg(void); +static int test_ctx_consttime_flag(void); static int results = 0; static unsigned char lst[] = @@ -330,6 +335,15 @@ int main(int argc, char *argv[]) goto err; (void)BIO_flush(out); #endif + + /* silently flush any pre-existing error on the stack */ + ERR_clear_error(); + + message(out, "BN_CTX_get BN_FLG_CONSTTIME"); + if (!test_ctx_consttime_flag()) + goto err; + (void)BIO_flush(out); + BN_CTX_free(ctx); BIO_free(out); @@ -2158,3 +2172,90 @@ int rand_neg(void) return (sign[(neg++) % 8]); } + +static int test_ctx_set_ct_flag(BN_CTX *c) +{ + int st = 0; + size_t i; + BIGNUM *b[15]; + + BN_CTX_start(c); + for (i = 0; i < OSSL_NELEM(b); i++) { + if (NULL == (b[i] = BN_CTX_get(c))) { + fprintf(stderr, "ERROR: BN_CTX_get() failed.\n"); + goto err; + } + if (i % 2 == 1) + BN_set_flags(b[i], BN_FLG_CONSTTIME); + } + + st = 1; + err: + BN_CTX_end(c); + return st; +} + +static int test_ctx_check_ct_flag(BN_CTX *c) +{ + int st = 0; + size_t i; + BIGNUM *b[30]; + + BN_CTX_start(c); + for (i = 0; i < OSSL_NELEM(b); i++) { + if (NULL == (b[i] = BN_CTX_get(c))) { + fprintf(stderr, "ERROR: BN_CTX_get() failed.\n"); + goto err; + } + if (BN_get_flags(b[i], BN_FLG_CONSTTIME) != 0) { + fprintf(stderr, "ERROR: BN_FLG_CONSTTIME should not be set.\n"); + goto err; + } + } + + st = 1; + err: + BN_CTX_end(c); + return st; +} + +static int test_ctx_consttime_flag(void) +{ + /*- + * The constant-time flag should not "leak" among BN_CTX frames: + * + * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and + * sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained + * from the frame before ending it. + * - test_ctx_check_ct_flag() then starts a new frame and gets a + * number of BIGNUMs from it. In absence of leaks, none of the + * BIGNUMs in the new frame should have BN_FLG_CONSTTIME set. + * + * In actual BN_CTX usage inside libcrypto the leak could happen at + * any depth level in the BN_CTX stack, with varying results + * depending on the patterns of sibling trees of nested function + * calls sharing the same BN_CTX object, and the effect of + * unintended BN_FLG_CONSTTIME on the called BN_* functions. + * + * This simple unit test abstracts away this complexity and verifies + * that the leak does not happen between two sibling functions + * sharing the same BN_CTX object at the same level of nesting. + * + */ + BN_CTX *c = NULL; + int st = 0; + + if (NULL == (c = BN_CTX_new())) { + fprintf(stderr, "ERROR: BN_CTX_new() failed.\n"); + goto err; + } + + if (!test_ctx_set_ct_flag(c) + || !test_ctx_check_ct_flag(c)) + goto err; + + st = 1; + err: + BN_CTX_free(c); + return st; +} diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h index c786aea94947..a5734f2fece6 100644 --- a/crypto/constant_time_locl.h +++ b/crypto/constant_time_locl.h @@ -204,6 +204,12 @@ static inline int constant_time_select_int(unsigned int mask, int a, int b) return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b))); } +/* + * Expected usage pattern is to unconditionally set error and then + * wipe it if there was no actual error. |clear| is 1 or 0. + */ +void err_clear_last_constant_time(int clear); + #ifdef __cplusplus } #endif diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index aa5f3056af77..db7e791bf530 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -601,7 +601,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) case ASN1_PKEY_CTRL_DEFAULT_MD_NID: *(int *)arg2 = NID_sha256; - return 2; + return 1; default: return -2; diff --git a/crypto/err/Makefile b/crypto/err/Makefile index b6f3ef1778d1..a09312b9f05d 100644 --- a/crypto/err/Makefile +++ b/crypto/err/Makefile @@ -82,7 +82,7 @@ err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -err.o: ../cryptlib.h err.c +err.o: ../constant_time_locl.h ../cryptlib.h err.c err_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h err_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h err_all.o: ../../include/openssl/cms.h ../../include/openssl/comp.h diff --git a/crypto/err/err.c b/crypto/err/err.c index e9ef2156e11f..5ce774a3f567 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -118,6 +118,7 @@ #include <openssl/buffer.h> #include <openssl/bio.h> #include <openssl/err.h> +#include "constant_time_locl.h" DECLARE_LHASH_OF(ERR_STRING_DATA); DECLARE_LHASH_OF(ERR_STATE); @@ -1156,3 +1157,40 @@ int ERR_pop_to_mark(void) es->err_flags[es->top] &= ~ERR_FLAG_MARK; return 1; } + +#ifdef UINTPTR_T +# undef UINTPTR_T +#endif +/* + * uintptr_t is the answer, but unformtunately we can't assume that all + * compilers supported by 1.0.2 have it :-( + */ +#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64 +/* + * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 + * even in 64-bit builds, which means that it won't work as mask. + */ +# define UINTPTR_T unsigned long long +#else +# define UINTPTR_T size_t +#endif + +void err_clear_last_constant_time(int clear) +{ + ERR_STATE *es; + int top; + + es = ERR_get_state(); + if (es == NULL) + return; + + top = es->top; + + es->err_flags[top] &= ~(0 - clear); + es->err_buffer[top] &= ~(0UL - clear); + es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & + ~((UINTPTR_T)0 - clear)); + es->err_line[top] |= 0 - clear; + + es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; +} diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index cf1de15e6d03..883a9434899b 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -1489,8 +1489,10 @@ void ERR_load_EVP_strings(void); # define EVP_F_EVP_CIPHER_CTX_CTRL 124 # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122 # define EVP_F_EVP_DECRYPTFINAL_EX 101 +# define EVP_F_EVP_DECRYPTUPDATE 181 # define EVP_F_EVP_DIGESTINIT_EX 128 # define EVP_F_EVP_ENCRYPTFINAL_EX 127 +# define EVP_F_EVP_ENCRYPTUPDATE 180 # define EVP_F_EVP_MD_CTX_COPY_EX 110 # define EVP_F_EVP_MD_SIZE 162 # define EVP_F_EVP_OPENINIT 102 diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 0c740d167902..c63fb53ac85e 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -317,8 +317,9 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0); } -int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - const unsigned char *in, int inl) +static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl, + const unsigned char *in, int inl) { int i, j, bl; @@ -380,6 +381,18 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 1; } +int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, + const unsigned char *in, int inl) +{ + /* Prevent accidental use of decryption context when encrypting */ + if (!ctx->encrypt) { + EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION); + return 0; + } + + return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); +} + int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { int ret; @@ -392,6 +405,12 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) int n, ret; unsigned int i, b, bl; + /* Prevent accidental use of decryption context when encrypting */ + if (!ctx->encrypt) { + EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION); + return 0; + } + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { ret = M_do_cipher(ctx, out, NULL, 0); if (ret < 0) @@ -435,6 +454,12 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, int fix_len; unsigned int b; + /* Prevent accidental use of encryption context when decrypting */ + if (ctx->encrypt) { + EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION); + return 0; + } + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { fix_len = M_do_cipher(ctx, out, in, inl); if (fix_len < 0) { @@ -451,7 +476,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } if (ctx->flags & EVP_CIPH_NO_PADDING) - return EVP_EncryptUpdate(ctx, out, outl, in, inl); + return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); b = ctx->cipher->block_size; OPENSSL_assert(b <= sizeof(ctx->final)); @@ -463,7 +488,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } else fix_len = 0; - if (!EVP_EncryptUpdate(ctx, out, outl, in, inl)) + if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl)) return 0; /* @@ -494,6 +519,13 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { int i, n; unsigned int b; + + /* Prevent accidental use of encryption context when decrypting */ + if (ctx->encrypt) { + EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_INVALID_OPERATION); + return 0; + } + *outl = 0; if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index bcd841eb7792..11647b92c613 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -1,6 +1,6 @@ /* crypto/evp/evp_err.c */ /* ==================================================================== - * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -92,8 +92,10 @@ static ERR_STRING_DATA EVP_str_functs[] = { {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH), "EVP_CIPHER_CTX_set_key_length"}, {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"}, + {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"}, {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"}, + {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"}, {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"}, {ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"}, {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"}, diff --git a/crypto/evp/evp_test.c b/crypto/evp/evp_test.c index 97a208302785..28544a61a683 100644 --- a/crypto/evp/evp_test.c +++ b/crypto/evp/evp_test.c @@ -1,6 +1,6 @@ /* Written by Ben Laurie, 2001 */ /* - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -327,7 +327,7 @@ static void test1(const EVP_CIPHER *c, const unsigned char *key, int kn, ERR_print_errors_fp(stderr); test1_exit(12); } - if (an && !EVP_EncryptUpdate(&ctx, NULL, &outl, aad, an)) { + if (an && !EVP_DecryptUpdate(&ctx, NULL, &outl, aad, an)) { fprintf(stderr, "AAD set failed\n"); ERR_print_errors_fp(stderr); test1_exit(13); diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 73d22b399a8a..6eaa0d2bd844 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000211fL +# define OPENSSL_VERSION_NUMBER 0x1000212fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2q-fips 20 Nov 2018" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-fips 26 Feb 2019" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2q 20 Nov 2018" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r 26 Feb 2019" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/rsa/Makefile b/crypto/rsa/Makefile index 6be73ed187f0..b083e2919096 100644 --- a/crypto/rsa/Makefile +++ b/crypto/rsa/Makefile @@ -153,7 +153,8 @@ rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h rsa_eay.c +rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../constant_time_locl.h +rsa_eay.o: ../cryptlib.h rsa_eay.c rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h @@ -299,7 +300,8 @@ rsa_ssl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_ssl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_ssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -rsa_ssl.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_ssl.c +rsa_ssl.o: ../../include/openssl/symhacks.h ../constant_time_locl.h +rsa_ssl.o: ../cryptlib.h rsa_ssl.c rsa_x931.o: ../../e_os.h ../../include/openssl/asn1.h rsa_x931.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_x931.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index be948a4cf8bd..7f20fd6738a7 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -115,6 +115,7 @@ #include <openssl/rsa.h> #include <openssl/rand.h> #include "bn_int.h" +#include "constant_time_locl.h" #ifndef RSA_NULL @@ -397,6 +398,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, goto err; } + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, + rsa->n, ctx)) + goto err; + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { blinding = rsa_get_blinding(rsa, &local_blinding, ctx); if (blinding == NULL) { @@ -431,11 +437,6 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, } else d = rsa->d; - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, - rsa->n, ctx)) - goto err; - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) goto err; @@ -587,8 +588,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); goto err; } - if (r < 0) - RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); + err_clear_last_constant_time(r >= 0); err: if (ctx != NULL) { diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 3fb8f6b33d4b..033ea5a520cb 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -121,7 +121,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, const EVP_MD *mgf1md) { int i, dblen = 0, mlen = -1, one_index = 0, msg_index; - unsigned int good, found_one_byte; + unsigned int good = 0, found_one_byte, mask; const unsigned char *maskedseed, *maskeddb; /* * |em| is the encoded message, zero-padded to exactly |num| bytes: em = @@ -148,8 +148,11 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, * the ciphertext, see PKCS #1 v2.2, section 7.1.2. * This does not leak any side-channel information. */ - if (num < flen || num < 2 * mdlen + 2) - goto decoding_err; + if (num < flen || num < 2 * mdlen + 2) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + RSA_R_OAEP_DECODING_ERROR); + return -1; + } dblen = num - mdlen - 1; db = OPENSSL_malloc(dblen); @@ -158,26 +161,26 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, goto cleanup; } - if (flen != num) { - em = OPENSSL_malloc(num); - if (em == NULL) { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, - ERR_R_MALLOC_FAILURE); - goto cleanup; - } + em = OPENSSL_malloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + ERR_R_MALLOC_FAILURE); + goto cleanup; + } - /* - * Caller is encouraged to pass zero-padded message created with - * BN_bn2binpad, but if it doesn't, we do this zero-padding copy - * to avoid leaking that information. The copy still leaks some - * side-channel information, but it's impossible to have a fixed - * memory access pattern since we can't read out of the bounds of - * |from|. - */ - memset(em, 0, num); - memcpy(em + num - flen, from, flen); - from = em; + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad. Trouble is that since we can't read out of |from|'s + * bounds, it's impossible to have an invariant memory access pattern + * in case |from| was not zero-padded in advance. + */ + for (from += flen, em += num, i = 0; i < num; i++) { + mask = ~constant_time_is_zero(flen); + flen -= 1 & mask; + from -= 1 & mask; + *--em = *from & mask; } + from = em; /* * The first byte must be zero, however we must not leak if this is @@ -224,37 +227,50 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, * so plaintext-awareness ensures timing side-channels are no longer a * concern. */ - if (!good) - goto decoding_err; - msg_index = one_index + 1; mlen = dblen - msg_index; - if (tlen < mlen) { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE); - mlen = -1; - } else { - memcpy(to, db + msg_index, mlen); - goto cleanup; + /* + * For good measure, do this check in constant tine as well. + */ + good &= constant_time_ge(tlen, mlen); + + /* + * Even though we can't fake result's length, we can pretend copying + * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen| + * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, + * where |mlen'| is "saturated" |mlen| value. Deducing information + * about failure or |mlen| would take attacker's ability to observe + * memory access pattern with byte granularity *as it occurs*. It + * should be noted that failure is indistinguishable from normal + * operation if |tlen| is fixed by protocol. + */ + tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); + msg_index = constant_time_select_int(good, msg_index, dblen - tlen); + mlen = dblen - msg_index; + for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { + unsigned int equals = constant_time_eq(i, mlen); + + from -= dblen & equals; /* if (i == dblen) rewind */ + mask &= mask ^ equals; /* if (i == dblen) mask = 0 */ + to[i] = constant_time_select_8(mask, from[i], to[i]); } - decoding_err: /* * To avoid chosen ciphertext attacks, the error message should not * reveal which kind of decoding error happened. */ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_OAEP_DECODING_ERROR); + err_clear_last_constant_time(1 & good); cleanup: - if (db != NULL) { - OPENSSL_cleanse(db, dblen); - OPENSSL_free(db); - } - if (em != NULL) { - OPENSSL_cleanse(em, num); - OPENSSL_free(em); - } - return mlen; + OPENSSL_cleanse(seed, sizeof(seed)); + OPENSSL_cleanse(db, dblen); + OPENSSL_free(db); + OPENSSL_cleanse(em, num); + OPENSSL_free(em); + + return constant_time_select_int(good, mlen, -1); } int PKCS1_MGF1(unsigned char *mask, long len, diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index 5d7882a3bfcf..074bc0a93947 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -207,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, int i; /* |em| is the encoded message, zero-padded to exactly |num| bytes */ unsigned char *em = NULL; - unsigned int good, found_zero_byte; + unsigned int good, found_zero_byte, mask; int zero_index = 0, msg_index, mlen = -1; if (tlen < 0 || flen < 0) @@ -218,40 +218,41 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, * section 7.2.2. */ - if (flen > num) - goto err; - - if (num < 11) - goto err; + if (flen > num || num < 11) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, + RSA_R_PKCS_DECODING_ERROR); + return -1; + } - if (flen != num) { - em = OPENSSL_malloc(num); - if (em == NULL) { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); - return -1; - } - /* - * Caller is encouraged to pass zero-padded message created with - * BN_bn2binpad, but if it doesn't, we do this zero-padding copy - * to avoid leaking that information. The copy still leaks some - * side-channel information, but it's impossible to have a fixed - * memory access pattern since we can't read out of the bounds of - * |from|. - */ - memset(em, 0, num); - memcpy(em + num - flen, from, flen); - from = em; + em = OPENSSL_malloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); + return -1; } + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad. Trouble is that since we can't read out of |from|'s + * bounds, it's impossible to have an invariant memory access pattern + * in case |from| was not zero-padded in advance. + */ + for (from += flen, em += num, i = 0; i < num; i++) { + mask = ~constant_time_is_zero(flen); + flen -= 1 & mask; + from -= 1 & mask; + *--em = *from & mask; + } + from = em; good = constant_time_is_zero(from[0]); good &= constant_time_eq(from[1], 2); + /* scan over padding data */ found_zero_byte = 0; for (i = 2; i < num; i++) { unsigned int equals0 = constant_time_is_zero(from[i]); - zero_index = - constant_time_select_int(~found_zero_byte & equals0, i, - zero_index); + + zero_index = constant_time_select_int(~found_zero_byte & equals0, + i, zero_index); found_zero_byte |= equals0; } @@ -260,7 +261,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ - good &= constant_time_ge((unsigned int)(zero_index), 2 + 8); + good &= constant_time_ge(zero_index, 2 + 8); /* * Skip the zero byte. This is incorrect if we never found a zero-byte @@ -270,30 +271,35 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, mlen = num - msg_index; /* - * For good measure, do this check in constant time as well; it could - * leak something if |tlen| was assuming valid padding. + * For good measure, do this check in constant time as well. */ - good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen)); + good &= constant_time_ge(tlen, mlen); /* - * We can't continue in constant-time because we need to copy the result - * and we cannot fake its length. This unavoidably leaks timing - * information at the API boundary. + * Even though we can't fake result's length, we can pretend copying + * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| + * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, + * where |mlen'| is "saturated" |mlen| value. Deducing information + * about failure or |mlen| would take attacker's ability to observe + * memory access pattern with byte granularity *as it occurs*. It + * should be noted that failure is indistinguishable from normal + * operation if |tlen| is fixed by protocol. */ - if (!good) { - mlen = -1; - goto err; + tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); + msg_index = constant_time_select_int(good, msg_index, num - tlen); + mlen = num - msg_index; + for (from += msg_index, mask = good, i = 0; i < tlen; i++) { + unsigned int equals = constant_time_eq(i, mlen); + + from -= tlen & equals; /* if (i == mlen) rewind */ + mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ + to[i] = constant_time_select_8(mask, from[i], to[i]); } - memcpy(to, from + msg_index, mlen); + OPENSSL_cleanse(em, num); + OPENSSL_free(em); + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR); + err_clear_last_constant_time(1 & good); - err: - if (em != NULL) { - OPENSSL_cleanse(em, num); - OPENSSL_free(em); - } - if (mlen == -1) - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, - RSA_R_PKCS_DECODING_ERROR); - return mlen; + return constant_time_select_int(good, mlen, -1); } diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c index 831f75aaf434..e9a5fe2385b3 100644 --- a/crypto/rsa/rsa_ssl.c +++ b/crypto/rsa/rsa_ssl.c @@ -61,6 +61,7 @@ #include <openssl/bn.h> #include <openssl/rsa.h> #include <openssl/rand.h> +#include "constant_time_locl.h" int RSA_padding_add_SSLv23(unsigned char *to, int tlen, const unsigned char *from, int flen) @@ -101,57 +102,116 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, return (1); } +/* + * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding + * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also + * preserves error code reporting for backward compatibility. + */ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, const unsigned char *from, int flen, int num) { - int i, j, k; - const unsigned char *p; + int i; + /* |em| is the encoded message, zero-padded to exactly |num| bytes */ + unsigned char *em = NULL; + unsigned int good, found_zero_byte, mask, threes_in_row; + int zero_index = 0, msg_index, mlen = -1, err; - p = from; if (flen < 10) { RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); return (-1); } - /* Accept even zero-padded input */ - if (flen == num) { - if (*(p++) != 0) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); - return -1; - } - flen--; + + em = OPENSSL_malloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, ERR_R_MALLOC_FAILURE); + return -1; } - if ((num != (flen + 1)) || (*(p++) != 02)) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); - return (-1); + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad. Trouble is that since we can't read out of |from|'s + * bounds, it's impossible to have an invariant memory access pattern + * in case |from| was not zero-padded in advance. + */ + for (from += flen, em += num, i = 0; i < num; i++) { + mask = ~constant_time_is_zero(flen); + flen -= 1 & mask; + from -= 1 & mask; + *--em = *from & mask; } + from = em; + + good = constant_time_is_zero(from[0]); + good &= constant_time_eq(from[1], 2); + err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02); + mask = ~good; /* scan over padding data */ - j = flen - 1; /* one for type */ - for (i = 0; i < j; i++) - if (*(p++) == 0) - break; - - if ((i == j) || (i < 8)) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, - RSA_R_NULL_BEFORE_BLOCK_MISSING); - return (-1); - } - for (k = -9; k < -1; k++) { - if (p[k] != 0x03) - break; - } - if (k == -1) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_SSLV3_ROLLBACK_ATTACK); - return (-1); + found_zero_byte = 0; + threes_in_row = 0; + for (i = 2; i < num; i++) { + unsigned int equals0 = constant_time_is_zero(from[i]); + + zero_index = constant_time_select_int(~found_zero_byte & equals0, + i, zero_index); + found_zero_byte |= equals0; + + threes_in_row += 1 & ~found_zero_byte; + threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3); } - i++; /* Skip over the '\0' */ - j -= i; - if (j > tlen) { - RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE); - return (-1); + /* + * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * If we never found a 0-byte, then |zero_index| is 0 and the check + * also fails. + */ + good &= constant_time_ge(zero_index, 2 + 8); + err = constant_time_select_int(mask | good, err, + RSA_R_NULL_BEFORE_BLOCK_MISSING); + mask = ~good; + + good &= constant_time_lt(threes_in_row, 8); + err = constant_time_select_int(mask | good, err, + RSA_R_SSLV3_ROLLBACK_ATTACK); + mask = ~good; + + /* + * Skip the zero byte. This is incorrect if we never found a zero-byte + * but in this case we also do not copy the message out. + */ + msg_index = zero_index + 1; + mlen = num - msg_index; + + /* + * For good measure, do this check in constant time as well. + */ + good &= constant_time_ge(tlen, mlen); + err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE); + + /* + * Even though we can't fake result's length, we can pretend copying + * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| + * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, + * where |mlen'| is "saturated" |mlen| value. Deducing information + * about failure or |mlen| would take attacker's ability to observe + * memory access pattern with byte granularity *as it occurs*. It + * should be noted that failure is indistinguishable from normal + * operation if |tlen| is fixed by protocol. + */ + tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); + msg_index = constant_time_select_int(good, msg_index, num - tlen); + mlen = num - msg_index; + for (from += msg_index, mask = good, i = 0; i < tlen; i++) { + unsigned int equals = constant_time_eq(i, mlen); + + from -= tlen & equals; /* if (i == mlen) rewind */ + mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ + to[i] = constant_time_select_8(mask, from[i], to[i]); } - memcpy(to, p, (unsigned int)j); - return (j); + OPENSSL_cleanse(em, num); + OPENSSL_free(em); + RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, err); + err_clear_last_constant_time(1 & good); + + return constant_time_select_int(good, mlen, -1); } diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 8d94ecb4613e..765860597fb3 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -214,7 +214,7 @@ the section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to B<x509_extensions> unless the B<-extfile> option is used). If no extension section is present then, a V1 certificate is created. If the extension section -is present (even if it is empty), then a V3 certificate is created. See the:w +is present (even if it is empty), then a V3 certificate is created. See the L<x509v3_config(5)|x509v3_config(5)> manual page for details of the extension section format. diff --git a/doc/crypto/PKCS12_parse.pod b/doc/crypto/PKCS12_parse.pod index c54cf2ad613e..cd648d39b0d1 100644 --- a/doc/crypto/PKCS12_parse.pod +++ b/doc/crypto/PKCS12_parse.pod @@ -8,7 +8,8 @@ PKCS12_parse - parse a PKCS#12 structure #include <openssl/pkcs12.h> -int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca); + int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, + STACK_OF(X509) **ca); =head1 DESCRIPTION diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod index f20f815d4786..800e777869f4 100644 --- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod +++ b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod @@ -109,7 +109,12 @@ L<ERR_get_error(3)|ERR_get_error(3)>. The RSA_padding_check_PKCS1_type_2() padding check leaks timing information which can potentially be used to mount a Bleichenbacher padding oracle attack. This is an inherent weakness in the PKCS #1 -v1.5 padding design. Prefer PKCS1_OAEP padding. +v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can +be recommended to pass zero-padded B<f>, so that B<fl> equals to +B<rsa_len>, and if fixed by protocol, B<tlen> being set to the +expected length. In such case leakage would be minimal, it would +take attacker's ability to observe memory access pattern with byte +granilarity as it occurs, post-factum timing analysis won't do. =head1 SEE ALSO diff --git a/doc/crypto/X509_NAME_ENTRY_get_object.pod b/doc/crypto/X509_NAME_ENTRY_get_object.pod index 4716e7ee7542..403725fd48a5 100644 --- a/doc/crypto/X509_NAME_ENTRY_get_object.pod +++ b/doc/crypto/X509_NAME_ENTRY_get_object.pod @@ -44,9 +44,6 @@ X509_NAME_ENTRY_get_object() and X509_NAME_ENTRY_get_data() can be used to examine an B<X509_NAME_ENTRY> function as returned by X509_NAME_get_entry() for example. -X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID(), -and X509_NAME_ENTRY_create_by_OBJ() create and return an - X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_OBJ(), X509_NAME_ENTRY_create_by_NID() and X509_NAME_ENTRY_set_data() are seldom used in practice because B<X509_NAME_ENTRY> structures diff --git a/doc/man3/X509_cmp_time.pod b/doc/crypto/X509_cmp_time.pod index 5bf51114511a..f3c0750efe0d 100644 --- a/doc/man3/X509_cmp_time.pod +++ b/doc/crypto/X509_cmp_time.pod @@ -29,7 +29,7 @@ B<cmp_time>, and 1 otherwise. It returns 0 on error. =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/ssl/SSL_get_error.pod b/doc/ssl/SSL_get_error.pod index 2a93894096e7..7537616d475c 100644 --- a/doc/ssl/SSL_get_error.pod +++ b/doc/ssl/SSL_get_error.pod @@ -90,14 +90,17 @@ Details depend on the application. =item SSL_ERROR_SYSCALL -Some non-recoverable I/O error occurred. -The OpenSSL error queue may contain more information on the error. -For socket I/O on Unix systems, consult B<errno> for details. +Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may +contain more information on the error. For socket I/O on Unix systems, consult +B<errno> for details. If this error occurs then no further I/O operations should +be performed on the connection and SSL_shutdown() must not be called. =item SSL_ERROR_SSL -A failure in the SSL library occurred, usually a protocol error. The -OpenSSL error queue contains more information on the error. +A non-recoverable, fatal error in the SSL library occurred, usually a protocol +error. The OpenSSL error queue contains more information on the error. If this +error occurs then no further I/O operations should be performed on the +connection and SSL_shutdown() must not be called. =back diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod index efbff5a0a323..e2a776cf1c73 100644 --- a/doc/ssl/SSL_shutdown.pod +++ b/doc/ssl/SSL_shutdown.pod @@ -22,6 +22,10 @@ Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and a currently open session is considered closed and good and will be kept in the session cache for further reuse. +Note that SSL_shutdown() must not be called if a previous fatal error has +occurred on a connection i.e. if SSL_get_error() has returned SSL_ERROR_SYSCALL +or SSL_ERROR_SSL. + The shutdown procedure consists of 2 steps: the sending of the "close notify" shutdown alert and the reception of the peer's "close notify" shutdown alert. According to the TLS standard, it is acceptable for an application diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 23aa9dbce484..c7fe97727bfa 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -1309,6 +1309,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) ERR_add_error_data(2, "SSL alert number ", tmp); s->shutdown |= SSL_RECEIVED_SHUTDOWN; SSL_CTX_remove_session(s->session_ctx, s->session); + s->state = SSL_ST_ERR; return (0); } else { al = SSL_AD_ILLEGAL_PARAMETER; diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 6527df8ce228..830b7237a2f3 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -1500,6 +1500,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) ERR_add_error_data(2, "SSL alert number ", tmp); s->shutdown |= SSL_RECEIVED_SHUTDOWN; SSL_CTX_remove_session(s->session_ctx, s->session); + s->state = SSL_ST_ERR; return (0); } else { al = SSL_AD_ILLEGAL_PARAMETER; @@ -1719,9 +1720,12 @@ int ssl3_send_alert(SSL *s, int level, int desc) * protocol_version alerts */ if (desc < 0) return -1; - /* If a fatal one, remove from cache */ - if ((level == 2) && (s->session != NULL)) - SSL_CTX_remove_session(s->session_ctx, s->session); + /* If a fatal one, remove from cache and go into the error state */ + if (level == SSL3_AL_FATAL) { + if (s->session != NULL) + SSL_CTX_remove_session(s->session_ctx, s->session); + s->state = SSL_ST_ERR; + } s->s3->alert_dispatch = 1; s->s3->send_alert[0] = level; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 55f918d10851..8c1f3ae57079 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3697,6 +3697,12 @@ int tls12_get_sigid(const EVP_PKEY *pk) sizeof(tls12_sig) / sizeof(tls12_lookup)); } +static int tls12_get_hash_nid(unsigned char hash_alg) +{ + return tls12_find_nid(hash_alg, tls12_md, + sizeof(tls12_md) / sizeof(tls12_lookup)); +} + const EVP_MD *tls12_get_hash(unsigned char hash_alg) { switch (hash_alg) { @@ -3887,6 +3893,8 @@ int tls1_process_sigalgs(SSL *s) const EVP_MD *md; CERT *c = s->cert; TLS_SIGALGS *sigptr; + int mandatory_mdnid; + if (!tls1_set_shared_sigalgs(s)) return 0; @@ -3918,6 +3926,18 @@ int tls1_process_sigalgs(SSL *s) for (i = 0, sigptr = c->shared_sigalgs; i < c->shared_sigalgslen; i++, sigptr++) { idx = tls12_get_pkey_idx(sigptr->rsign); + if (s->cert->pkeys[idx].privatekey) { + ERR_set_mark(); + if (EVP_PKEY_get_default_digest_nid(s->cert->pkeys[idx].privatekey, + &mandatory_mdnid) == 2 && + mandatory_mdnid != tls12_get_hash_nid(sigptr->rhash)) + continue; + /* + * If EVP_PKEY_get_default_digest_nid() failed, don't pollute + * the error stack. + */ + ERR_pop_to_mark(); + } if (idx > 0 && c->pkeys[idx].digest == NULL) { md = tls12_get_hash(sigptr->rhash); c->pkeys[idx].digest = md; |