Import OpenSSL 1.1.1d.
This commit is contained in:
parent
55cff0339b
commit
fbc3ad1ae1
111
CHANGES
111
CHANGES
@ -7,6 +7,101 @@
|
||||
https://github.com/openssl/openssl/commits/ and pick the appropriate
|
||||
release branch.
|
||||
|
||||
Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
|
||||
|
||||
*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
|
||||
number generator (RNG). This was intended to include protection in the
|
||||
event of a fork() system call in order to ensure that the parent and child
|
||||
processes did not share the same RNG state. However this protection was not
|
||||
being used in the default case.
|
||||
|
||||
A partial mitigation for this issue is that the output from a high
|
||||
precision timer is mixed into the RNG state so the likelihood of a parent
|
||||
and child process sharing state is significantly reduced.
|
||||
|
||||
If an application already calls OPENSSL_init_crypto() explicitly using
|
||||
OPENSSL_INIT_ATFORK then this problem does not occur at all.
|
||||
(CVE-2019-1549)
|
||||
[Matthias St. Pierre]
|
||||
|
||||
*) For built-in EC curves, ensure an EC_GROUP built from the curve name is
|
||||
used even when parsing explicit parameters, when loading a serialized key
|
||||
or calling `EC_GROUP_new_from_ecpkparameters()`/
|
||||
`EC_GROUP_new_from_ecparameters()`.
|
||||
This prevents bypass of security hardening and performance gains,
|
||||
especially for curves with specialized EC_METHODs.
|
||||
By default, if a key encoded with explicit parameters is loaded and later
|
||||
serialized, the output is still encoded with explicit parameters, even if
|
||||
internally a "named" EC_GROUP is used for computation.
|
||||
[Nicola Tuveri]
|
||||
|
||||
*) Compute ECC cofactors if not provided during EC_GROUP construction. Before
|
||||
this change, EC_GROUP_set_generator would accept order and/or cofactor as
|
||||
NULL. After this change, only the cofactor parameter can be NULL. It also
|
||||
does some minimal sanity checks on the passed order.
|
||||
(CVE-2019-1547)
|
||||
[Billy Bob Brumley]
|
||||
|
||||
*) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
|
||||
An attack is simple, if the first CMS_recipientInfo is valid but the
|
||||
second CMS_recipientInfo is chosen ciphertext. If the second
|
||||
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
|
||||
encryption key will be replaced by garbage, and the message cannot be
|
||||
decoded, but if the RSA decryption fails, the correct encryption key is
|
||||
used and the recipient will not notice the attack.
|
||||
As a work around for this potential attack the length of the decrypted
|
||||
key must be equal to the cipher default key length, in case the
|
||||
certifiate is not given and all recipientInfo are tried out.
|
||||
The old behaviour can be re-enabled in the CMS code by setting the
|
||||
CMS_DEBUG_DECRYPT flag.
|
||||
(CVE-2019-1563)
|
||||
[Bernd Edlinger]
|
||||
|
||||
*) Early start up entropy quality from the DEVRANDOM seed source has been
|
||||
improved for older Linux systems. The RAND subsystem will wait for
|
||||
/dev/random to be producing output before seeding from /dev/urandom.
|
||||
The seeded state is stored for future library initialisations using
|
||||
a system global shared memory segment. The shared memory identifier
|
||||
can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
|
||||
the desired value. The default identifier is 114.
|
||||
[Paul Dale]
|
||||
|
||||
*) Correct the extended master secret constant on EBCDIC systems. Without this
|
||||
fix TLS connections between an EBCDIC system and a non-EBCDIC system that
|
||||
negotiate EMS will fail. Unfortunately this also means that TLS connections
|
||||
between EBCDIC systems with this fix, and EBCDIC systems without this
|
||||
fix will fail if they negotiate EMS.
|
||||
[Matt Caswell]
|
||||
|
||||
*) Use Windows installation paths in the mingw builds
|
||||
|
||||
Mingw isn't a POSIX environment per se, which means that Windows
|
||||
paths should be used for installation.
|
||||
(CVE-2019-1552)
|
||||
[Richard Levitte]
|
||||
|
||||
*) Changed DH_check to accept parameters with order q and 2q subgroups.
|
||||
With order 2q subgroups the bit 0 of the private key is not secret
|
||||
but DH_generate_key works around that by clearing bit 0 of the
|
||||
private key for those. This avoids leaking bit 0 of the private key.
|
||||
[Bernd Edlinger]
|
||||
|
||||
*) Significantly reduce secure memory usage by the randomness pools.
|
||||
[Paul Dale]
|
||||
|
||||
*) Revert the DEVRANDOM_WAIT feature for Linux systems
|
||||
|
||||
The DEVRANDOM_WAIT feature added a select() call to wait for the
|
||||
/dev/random device to become readable before reading from the
|
||||
/dev/urandom device.
|
||||
|
||||
It turned out that this change had negative side effects on
|
||||
performance which were not acceptable. After some discussion it
|
||||
was decided to revert this feature and leave it up to the OS
|
||||
resp. the platform maintainer to ensure a proper initialization
|
||||
during early boot time.
|
||||
[Matthias St. Pierre]
|
||||
|
||||
Changes between 1.1.1b and 1.1.1c [28 May 2019]
|
||||
|
||||
*) Add build tests for C++. These are generated files that only do one
|
||||
@ -75,6 +170,16 @@
|
||||
(CVE-2019-1543)
|
||||
[Matt Caswell]
|
||||
|
||||
*) Add DEVRANDOM_WAIT feature for Linux systems
|
||||
|
||||
On older Linux systems where the getrandom() system call is not available,
|
||||
OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
|
||||
Contrary to getrandom(), the /dev/urandom device will not block during
|
||||
early boot when the kernel CSPRNG has not been seeded yet.
|
||||
|
||||
To mitigate this known weakness, use select() to wait for /dev/random to
|
||||
become readable before reading from /dev/urandom.
|
||||
|
||||
*) Ensure that SM2 only uses SM3 as digest algorithm
|
||||
[Paul Yang]
|
||||
|
||||
@ -322,7 +427,7 @@
|
||||
SSL_set_ciphersuites()
|
||||
[Matt Caswell]
|
||||
|
||||
*) Memory allocation failures consistenly add an error to the error
|
||||
*) Memory allocation failures consistently add an error to the error
|
||||
stack.
|
||||
[Rich Salz]
|
||||
|
||||
@ -6860,7 +6965,7 @@
|
||||
reason texts, thereby removing some of the footprint that may not
|
||||
be interesting if those errors aren't displayed anyway.
|
||||
|
||||
NOTE: it's still possible for any application or module to have it's
|
||||
NOTE: it's still possible for any application or module to have its
|
||||
own set of error texts inserted. The routines are there, just not
|
||||
used by default when no-err is given.
|
||||
[Richard Levitte]
|
||||
@ -8826,7 +8931,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
|
||||
Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
|
||||
|
||||
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
|
||||
memory from it's contents. This is done with a counter that will
|
||||
memory from its contents. This is done with a counter that will
|
||||
place alternating values in each byte. This can be used to solve
|
||||
two issues: 1) the removal of calls to memset() by highly optimizing
|
||||
compilers, and 2) cleansing with other values than 0, since those can
|
||||
|
@ -87,9 +87,6 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
|
||||
# linked openssl executable has rather debugging value than
|
||||
# production quality.
|
||||
#
|
||||
# DEBUG_SAFESTACK use type-safe stacks to enforce type-safety on stack items
|
||||
# provided to stack calls. Generates unique stack functions for
|
||||
# each possible stack type.
|
||||
# BN_LLONG use the type 'long long' in crypto/bn/bn.h
|
||||
# RC4_CHAR use 'char' instead of 'int' for RC4_INT in crypto/rc4/rc4.h
|
||||
# Following are set automatically by this script
|
||||
@ -145,13 +142,13 @@ my @gcc_devteam_warn = qw(
|
||||
# -Wunused-macros -- no, too tricky for BN and _XOPEN_SOURCE etc
|
||||
# -Wextended-offsetof -- no, needed in CMS ASN1 code
|
||||
my @clang_devteam_warn = qw(
|
||||
-Wno-unknown-warning-option
|
||||
-Wswitch-default
|
||||
-Wno-parentheses-equality
|
||||
-Wno-language-extension-token
|
||||
-Wno-extended-offsetof
|
||||
-Wconditional-uninitialized
|
||||
-Wincompatible-pointer-types-discards-qualifiers
|
||||
-Wno-unknown-warning-option
|
||||
-Wmissing-variable-declarations
|
||||
);
|
||||
|
||||
|
@ -11,7 +11,7 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports
|
||||
# Xlist
|
||||
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
|
||||
setenv FSVN "svn+ssh://repo.freebsd.org/base"
|
||||
setenv OSSLVER 1.1.1c
|
||||
setenv OSSLVER 1.1.1d
|
||||
|
||||
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
|
||||
|
||||
|
29
INSTALL
29
INSTALL
@ -98,6 +98,9 @@
|
||||
$ nmake test
|
||||
$ nmake install
|
||||
|
||||
Note that in order to perform the install step above you need to have
|
||||
appropriate permissions to write to the installation directory.
|
||||
|
||||
If any of these steps fails, see section Installation in Detail below.
|
||||
|
||||
This will build and install OpenSSL in the default location, which is:
|
||||
@ -107,6 +110,12 @@
|
||||
OpenSSL version number with underscores instead of periods.
|
||||
Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
|
||||
|
||||
The installation directory should be appropriately protected to ensure
|
||||
unprivileged users cannot make changes to OpenSSL binaries or files, or install
|
||||
engines. If you already have a pre-installed version of OpenSSL as part of
|
||||
your Operating System it is recommended that you do not overwrite the system
|
||||
version and instead install to somewhere else.
|
||||
|
||||
If you want to install it anywhere else, run config like this:
|
||||
|
||||
On Unix:
|
||||
@ -135,7 +144,10 @@
|
||||
Don't build with support for deprecated APIs below the
|
||||
specified version number. For example "--api=1.1.0" will
|
||||
remove support for all APIS that were deprecated in OpenSSL
|
||||
version 1.1.0 or below.
|
||||
version 1.1.0 or below. This is a rather specialized option
|
||||
for developers. If you just intend to remove all deprecated
|
||||
APIs entirely (up to the current version), it is easier
|
||||
to add the 'no-deprecated' option instead (see below).
|
||||
|
||||
--cross-compile-prefix=PREFIX
|
||||
The PREFIX to include in front of commands for your
|
||||
@ -229,7 +241,7 @@
|
||||
source exists.
|
||||
getrandom: Use the L<getrandom(2)> or equivalent system
|
||||
call.
|
||||
devrandom: Use the the first device from the DEVRANDOM list
|
||||
devrandom: Use the first device from the DEVRANDOM list
|
||||
which can be opened to read random bytes. The
|
||||
DEVRANDOM preprocessor constant expands to
|
||||
"/dev/urandom","/dev/random","/dev/srandom" on
|
||||
@ -908,8 +920,11 @@
|
||||
$ mms install ! OpenVMS
|
||||
$ nmake install # Windows
|
||||
|
||||
This will install all the software components in this directory
|
||||
tree under PREFIX (the directory given with --prefix or its
|
||||
Note that in order to perform the install step above you need to have
|
||||
appropriate permissions to write to the installation directory.
|
||||
|
||||
The above commands will install all the software components in this
|
||||
directory tree under PREFIX (the directory given with --prefix or its
|
||||
default):
|
||||
|
||||
Unix:
|
||||
@ -965,6 +980,12 @@
|
||||
for private key files.
|
||||
misc Various scripts.
|
||||
|
||||
The installation directory should be appropriately protected to ensure
|
||||
unprivileged users cannot make changes to OpenSSL binaries or files, or
|
||||
install engines. If you already have a pre-installed version of OpenSSL as
|
||||
part of your Operating System it is recommended that you do not overwrite
|
||||
the system version and instead install to somewhere else.
|
||||
|
||||
Package builders who want to configure the library for standard
|
||||
locations, but have the package installed somewhere else so that
|
||||
it can easily be packaged, can use
|
||||
|
19
NEWS
19
NEWS
@ -5,6 +5,23 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]
|
||||
|
||||
o Fixed a fork protection issue (CVE-2019-1549)
|
||||
o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
|
||||
(CVE-2019-1563)
|
||||
o For built-in EC curves, ensure an EC_GROUP built from the curve name is
|
||||
used even when parsing explicit parameters
|
||||
o Compute ECC cofactors if not provided during EC_GROUP construction
|
||||
(CVE-2019-1547)
|
||||
o Early start up entropy quality from the DEVRANDOM seed source has been
|
||||
improved for older Linux systems
|
||||
o Correct the extended master secret constant on EBCDIC systems
|
||||
o Use Windows installation paths in the mingw builds (CVE-2019-1552)
|
||||
o Changed DH_check to accept parameters with order q and 2q subgroups
|
||||
o Significantly reduce secure memory usage by the randomness pools
|
||||
o Revert the DEVRANDOM_WAIT feature for Linux systems
|
||||
|
||||
Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]
|
||||
|
||||
o Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
|
||||
@ -601,7 +618,7 @@
|
||||
|
||||
Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
|
||||
|
||||
o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
|
||||
o Give EVP_MAX_MD_SIZE its old value, except for a FIPS build.
|
||||
|
||||
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:
|
||||
|
||||
|
2
README
2
README
@ -1,5 +1,5 @@
|
||||
|
||||
OpenSSL 1.1.1c 28 May 2019
|
||||
OpenSSL 1.1.1d 10 Sep 2019
|
||||
|
||||
Copyright (c) 1998-2019 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
@ -40,7 +40,6 @@
|
||||
#endif
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/ssl.h>
|
||||
#include "s_apps.h"
|
||||
#include "apps.h"
|
||||
|
||||
#ifdef _WIN32
|
||||
@ -48,6 +47,14 @@ static int WIN32_rename(const char *from, const char *to);
|
||||
# define rename(from,to) WIN32_rename((from),(to))
|
||||
#endif
|
||||
|
||||
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
|
||||
# include <conio.h>
|
||||
#endif
|
||||
|
||||
#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
|
||||
# define _kbhit kbhit
|
||||
#endif
|
||||
|
||||
typedef struct {
|
||||
const char *name;
|
||||
unsigned long flag;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -444,11 +444,9 @@ void destroy_ui_method(void);
|
||||
const UI_METHOD *get_ui_method(void);
|
||||
|
||||
int chopup_args(ARGS *arg, char *buf);
|
||||
# ifdef HEADER_X509_H
|
||||
int dump_cert_text(BIO *out, X509 *x);
|
||||
void print_name(BIO *out, const char *title, X509_NAME *nm,
|
||||
unsigned long lflags);
|
||||
# endif
|
||||
void print_bignum_var(BIO *, const BIGNUM *, const char*,
|
||||
int, unsigned char *);
|
||||
void print_array(BIO *, const char *, int, const unsigned char *);
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -722,7 +722,7 @@ int ca_main(int argc, char **argv)
|
||||
|
||||
/*****************************************************************/
|
||||
if (req || gencrl) {
|
||||
if (spkac_file != NULL) {
|
||||
if (spkac_file != NULL && outfile != NULL) {
|
||||
output_der = 1;
|
||||
batch = 1;
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -421,7 +421,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
|
||||
size_t len;
|
||||
int i;
|
||||
|
||||
for (;;) {
|
||||
while (BIO_pending(bp) || !BIO_eof(bp)) {
|
||||
i = BIO_read(bp, (char *)buf, BUFSIZE);
|
||||
if (i < 0) {
|
||||
BIO_printf(bio_err, "Read Error in %s\n", file);
|
||||
|
@ -586,7 +586,7 @@ int enc_main(int argc, char **argv)
|
||||
if (benc != NULL)
|
||||
wbio = BIO_push(benc, wbio);
|
||||
|
||||
for (;;) {
|
||||
while (BIO_pending(rbio) || !BIO_eof(rbio)) {
|
||||
inl = BIO_read(rbio, (char *)buff, bsize);
|
||||
if (inl <= 0)
|
||||
break;
|
||||
|
@ -1416,9 +1416,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
|
||||
*q = '\0';
|
||||
|
||||
/*
|
||||
* Skip "GET / HTTP..." requests often used by load-balancers
|
||||
* Skip "GET / HTTP..." requests often used by load-balancers. Note:
|
||||
* 'p' was incremented above to point to the first byte *after* the
|
||||
* leading slash, so with 'GET / ' it is now an empty string.
|
||||
*/
|
||||
if (p[1] == '\0')
|
||||
if (p[0] == '\0')
|
||||
goto out;
|
||||
|
||||
len = urldecode(p);
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -22,7 +22,6 @@
|
||||
# include <openssl/engine.h>
|
||||
#endif
|
||||
#include <openssl/err.h>
|
||||
#include "s_apps.h"
|
||||
/* Needed to get the other O_xxx flags. */
|
||||
#ifdef OPENSSL_SYS_VMS
|
||||
# include <unixio.h>
|
||||
|
@ -838,7 +838,7 @@ static int alg_print(const X509_ALGOR *alg)
|
||||
goto done;
|
||||
}
|
||||
BIO_printf(bio_err, ", Salt length: %d, Cost(N): %ld, "
|
||||
"Block size(r): %ld, Paralelizm(p): %ld",
|
||||
"Block size(r): %ld, Parallelism(p): %ld",
|
||||
ASN1_STRING_length(kdf->salt),
|
||||
ASN1_INTEGER_get(kdf->costParameter),
|
||||
ASN1_INTEGER_get(kdf->blockSize),
|
||||
|
16
apps/req.c
16
apps/req.c
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -881,9 +881,19 @@ int req_main(int argc, char **argv)
|
||||
|
||||
if (text) {
|
||||
if (x509)
|
||||
X509_print_ex(out, x509ss, get_nameopt(), reqflag);
|
||||
ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag);
|
||||
else
|
||||
X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
|
||||
ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
|
||||
|
||||
if (ret == 0) {
|
||||
if (x509)
|
||||
BIO_printf(bio_err, "Error printing certificate\n");
|
||||
else
|
||||
BIO_printf(bio_err, "Error printing certificate request\n");
|
||||
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (subject) {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -9,13 +9,7 @@
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
|
||||
# include <conio.h>
|
||||
#endif
|
||||
|
||||
#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
|
||||
# define _kbhit kbhit
|
||||
#endif
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
#define PORT "4433"
|
||||
#define PROTOCOL "tcp"
|
||||
@ -24,17 +18,15 @@ typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
|
||||
int do_server(int *accept_sock, const char *host, const char *port,
|
||||
int family, int type, int protocol, do_server_cb cb,
|
||||
unsigned char *context, int naccept, BIO *bio_s_out);
|
||||
#ifdef HEADER_X509_H
|
||||
|
||||
int verify_callback(int ok, X509_STORE_CTX *ctx);
|
||||
#endif
|
||||
#ifdef HEADER_SSL_H
|
||||
|
||||
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
|
||||
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
|
||||
STACK_OF(X509) *chain, int build_chain);
|
||||
int ssl_print_sigalgs(BIO *out, SSL *s);
|
||||
int ssl_print_point_formats(BIO *out, SSL *s);
|
||||
int ssl_print_groups(BIO *out, SSL *s, int noshared);
|
||||
#endif
|
||||
int ssl_print_tmp_key(BIO *out, SSL *s);
|
||||
int init_client(int *sock, const char *host, const char *port,
|
||||
const char *bindhost, const char *bindport,
|
||||
@ -44,13 +36,11 @@ int should_retry(int i);
|
||||
long bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
int argi, long argl, long ret);
|
||||
|
||||
#ifdef HEADER_SSL_H
|
||||
void apps_ssl_info_callback(const SSL *s, int where, int ret);
|
||||
void msg_cb(int write_p, int version, int content_type, const void *buf,
|
||||
size_t len, SSL *ssl, void *arg);
|
||||
void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data,
|
||||
int len, void *arg);
|
||||
#endif
|
||||
|
||||
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
unsigned int *cookie_len);
|
||||
@ -75,7 +65,6 @@ int args_excert(int option, SSL_EXCERT **pexc);
|
||||
int load_excert(SSL_EXCERT **pexc);
|
||||
void print_verify_detail(SSL *s, BIO *bio);
|
||||
void print_ssl_summary(SSL *s);
|
||||
#ifdef HEADER_SSL_H
|
||||
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
|
||||
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
|
||||
int crl_download);
|
||||
@ -86,4 +75,3 @@ int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
|
||||
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
|
||||
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
|
||||
void print_ca_names(BIO *bio, SSL *s);
|
||||
#endif
|
||||
|
@ -1525,6 +1525,7 @@ void print_ca_names(BIO *bio, SSL *s)
|
||||
int i;
|
||||
|
||||
if (sk == NULL || sk_X509_NAME_num(sk) == 0) {
|
||||
if (!SSL_is_server(s))
|
||||
BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs);
|
||||
return;
|
||||
}
|
||||
|
@ -2345,7 +2345,7 @@ int s_client_main(int argc, char **argv)
|
||||
(void)BIO_flush(fbio);
|
||||
/*
|
||||
* The first line is the HTTP response. According to RFC 7230,
|
||||
* it's formated exactly like this:
|
||||
* it's formatted exactly like this:
|
||||
*
|
||||
* HTTP/d.d ddd Reason text\r\n
|
||||
*/
|
||||
|
@ -1790,7 +1790,7 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
|
||||
buflen = lengths[size_num - 1];
|
||||
if (buflen < 36) /* size of random vector in RSA bencmark */
|
||||
if (buflen < 36) /* size of random vector in RSA benchmark */
|
||||
buflen = 36;
|
||||
buflen += MAX_MISALIGNMENT + 1;
|
||||
loopargs[i].buf_malloc = app_malloc(buflen, "input buffer");
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -125,7 +125,7 @@ int storeutl_main(int argc, char *argv[])
|
||||
}
|
||||
/*
|
||||
* If expected wasn't set at this point, it means the map
|
||||
* isn't syncronised with the possible options leading here.
|
||||
* isn't synchronised with the possible options leading here.
|
||||
*/
|
||||
OPENSSL_assert(expected != 0);
|
||||
}
|
||||
|
8
config
8
config
@ -498,12 +498,12 @@ case "$GUESSOS" in
|
||||
OUT="darwin64-x86_64-cc"
|
||||
fi ;;
|
||||
armv6+7-*-iphoneos)
|
||||
__CNF_CFLAGS="$__CNF_CFLAGS -arch%20armv6 -arch%20armv7"
|
||||
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch%20armv6 -arch%20armv7"
|
||||
__CNF_CFLAGS="$__CNF_CFLAGS -arch armv6 -arch armv7"
|
||||
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch armv6 -arch armv7"
|
||||
OUT="iphoneos-cross" ;;
|
||||
*-*-iphoneos)
|
||||
__CNF_CFLAGS="$__CNF_CFLAGS -arch%20${MACHINE}"
|
||||
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch%20${MACHINE}"
|
||||
__CNF_CFLAGS="$__CNF_CFLAGS -arch ${MACHINE}"
|
||||
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch ${MACHINE}"
|
||||
OUT="iphoneos-cross" ;;
|
||||
arm64-*-iphoneos|*-*-ios64)
|
||||
OUT="ios64-cross" ;;
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -38,14 +38,14 @@
|
||||
# Implement AES_set_[en|de]crypt_key. Key schedule setup is avoided
|
||||
# for 128-bit keys, if hardware support is detected.
|
||||
|
||||
# Januray 2009.
|
||||
# January 2009.
|
||||
#
|
||||
# Add support for hardware AES192/256 and reschedule instructions to
|
||||
# minimize/avoid Address Generation Interlock hazard and to favour
|
||||
# dual-issue z10 pipeline. This gave ~25% improvement on z10 and
|
||||
# almost 50% on z9. The gain is smaller on z10, because being dual-
|
||||
# issue z10 makes it impossible to eliminate the interlock condition:
|
||||
# critial path is not long enough. Yet it spends ~24 cycles per byte
|
||||
# critical path is not long enough. Yet it spends ~24 cycles per byte
|
||||
# processed with 128-bit key.
|
||||
#
|
||||
# Unlike previous version hardware support detection takes place only
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -67,7 +67,7 @@ static void determine_days(struct tm *tm)
|
||||
}
|
||||
c = y / 100;
|
||||
y %= 100;
|
||||
/* Zeller's congruance */
|
||||
/* Zeller's congruence */
|
||||
tm->tm_wday = (d + (13 * m) / 5 + y + y / 4 + c / 4 + 5 * c + 6) % 7;
|
||||
}
|
||||
|
||||
@ -79,7 +79,11 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d)
|
||||
char *a;
|
||||
int n, i, i2, l, o, min_l = 11, strict = 0, end = 6, btz = 5, md;
|
||||
struct tm tmp;
|
||||
|
||||
#if defined(CHARSET_EBCDIC)
|
||||
const char upper_z = 0x5A, num_zero = 0x30, period = 0x2E, minus = 0x2D, plus = 0x2B;
|
||||
#else
|
||||
const char upper_z = 'Z', num_zero = '0', period = '.', minus = '-', plus = '+';
|
||||
#endif
|
||||
/*
|
||||
* ASN1_STRING_FLAG_X509_TIME is used to enforce RFC 5280
|
||||
* time string format, in which:
|
||||
@ -120,20 +124,20 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d)
|
||||
if (l < min_l)
|
||||
goto err;
|
||||
for (i = 0; i < end; i++) {
|
||||
if (!strict && (i == btz) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) {
|
||||
if (!strict && (i == btz) && ((a[o] == upper_z) || (a[o] == plus) || (a[o] == minus))) {
|
||||
i++;
|
||||
break;
|
||||
}
|
||||
if (!ossl_isdigit(a[o]))
|
||||
if (!ascii_isdigit(a[o]))
|
||||
goto err;
|
||||
n = a[o] - '0';
|
||||
n = a[o] - num_zero;
|
||||
/* incomplete 2-digital number */
|
||||
if (++o == l)
|
||||
goto err;
|
||||
|
||||
if (!ossl_isdigit(a[o]))
|
||||
if (!ascii_isdigit(a[o]))
|
||||
goto err;
|
||||
n = (n * 10) + a[o] - '0';
|
||||
n = (n * 10) + a[o] - num_zero;
|
||||
/* no more bytes to read, but we haven't seen time-zone yet */
|
||||
if (++o == l)
|
||||
goto err;
|
||||
@ -185,14 +189,14 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d)
|
||||
* Optional fractional seconds: decimal point followed by one or more
|
||||
* digits.
|
||||
*/
|
||||
if (d->type == V_ASN1_GENERALIZEDTIME && a[o] == '.') {
|
||||
if (d->type == V_ASN1_GENERALIZEDTIME && a[o] == period) {
|
||||
if (strict)
|
||||
/* RFC 5280 forbids fractional seconds */
|
||||
goto err;
|
||||
if (++o == l)
|
||||
goto err;
|
||||
i = o;
|
||||
while ((o < l) && ossl_isdigit(a[o]))
|
||||
while ((o < l) && ascii_isdigit(a[o]))
|
||||
o++;
|
||||
/* Must have at least one digit after decimal point */
|
||||
if (i == o)
|
||||
@ -207,10 +211,10 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d)
|
||||
* 'o' can point to '\0' is either the subsequent if or the first
|
||||
* else if is true.
|
||||
*/
|
||||
if (a[o] == 'Z') {
|
||||
if (a[o] == upper_z) {
|
||||
o++;
|
||||
} else if (!strict && ((a[o] == '+') || (a[o] == '-'))) {
|
||||
int offsign = a[o] == '-' ? 1 : -1;
|
||||
} else if (!strict && ((a[o] == plus) || (a[o] == minus))) {
|
||||
int offsign = a[o] == minus ? 1 : -1;
|
||||
int offset = 0;
|
||||
|
||||
o++;
|
||||
@ -223,13 +227,13 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d)
|
||||
if (o + 4 != l)
|
||||
goto err;
|
||||
for (i = end; i < end + 2; i++) {
|
||||
if (!ossl_isdigit(a[o]))
|
||||
if (!ascii_isdigit(a[o]))
|
||||
goto err;
|
||||
n = a[o] - '0';
|
||||
n = a[o] - num_zero;
|
||||
o++;
|
||||
if (!ossl_isdigit(a[o]))
|
||||
if (!ascii_isdigit(a[o]))
|
||||
goto err;
|
||||
n = (n * 10) + a[o] - '0';
|
||||
n = (n * 10) + a[o] - num_zero;
|
||||
i2 = (d->type == V_ASN1_UTCTIME) ? i + 1 : i;
|
||||
if ((n < min[i2]) || (n > max[i2]))
|
||||
goto err;
|
||||
@ -300,7 +304,7 @@ ASN1_TIME *asn1_time_from_tm(ASN1_TIME *s, struct tm *ts, int type)
|
||||
ts->tm_mday, ts->tm_hour, ts->tm_min,
|
||||
ts->tm_sec);
|
||||
|
||||
#ifdef CHARSET_EBCDIC_not
|
||||
#ifdef CHARSET_EBCDIC
|
||||
ebcdic2ascii(tmps->data, tmps->data, tmps->length);
|
||||
#endif
|
||||
return tmps;
|
||||
@ -467,6 +471,7 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
|
||||
char *v;
|
||||
int gmt = 0, l;
|
||||
struct tm stm;
|
||||
const char upper_z = 0x5A, period = 0x2E;
|
||||
|
||||
if (!asn1_time_to_tm(&stm, tm)) {
|
||||
/* asn1_time_to_tm will check the time type */
|
||||
@ -475,7 +480,7 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
|
||||
|
||||
l = tm->length;
|
||||
v = (char *)tm->data;
|
||||
if (v[l - 1] == 'Z')
|
||||
if (v[l - 1] == upper_z)
|
||||
gmt = 1;
|
||||
|
||||
if (tm->type == V_ASN1_GENERALIZEDTIME) {
|
||||
@ -486,10 +491,10 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
|
||||
* Try to parse fractional seconds. '14' is the place of
|
||||
* 'fraction point' in a GeneralizedTime string.
|
||||
*/
|
||||
if (tm->length > 15 && v[14] == '.') {
|
||||
if (tm->length > 15 && v[14] == period) {
|
||||
f = &v[14];
|
||||
f_len = 1;
|
||||
while (14 + f_len < l && ossl_isdigit(f[f_len]))
|
||||
while (14 + f_len < l && ascii_isdigit(f[f_len]))
|
||||
++f_len;
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -15,7 +15,9 @@
|
||||
|
||||
int ASN1_TYPE_get(const ASN1_TYPE *a)
|
||||
{
|
||||
if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
|
||||
if (a->type == V_ASN1_BOOLEAN
|
||||
|| a->type == V_ASN1_NULL
|
||||
|| a->value.ptr != NULL)
|
||||
return a->type;
|
||||
else
|
||||
return 0;
|
||||
@ -23,7 +25,9 @@ int ASN1_TYPE_get(const ASN1_TYPE *a)
|
||||
|
||||
void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
|
||||
{
|
||||
if (a->value.ptr != NULL) {
|
||||
if (a->type != V_ASN1_BOOLEAN
|
||||
&& a->type != V_ASN1_NULL
|
||||
&& a->value.ptr != NULL) {
|
||||
ASN1_TYPE **tmp_a = &a;
|
||||
asn1_primitive_free((ASN1_VALUE **)tmp_a, NULL, 0);
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -130,9 +130,20 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
|
||||
static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
|
||||
int utype, char *free_cont, const ASN1_ITEM *it)
|
||||
{
|
||||
if (!*pval)
|
||||
bn_secure_new(pval, it);
|
||||
return bn_c2i(pval, cont, len, utype, free_cont, it);
|
||||
int ret;
|
||||
BIGNUM *bn;
|
||||
|
||||
if (!*pval && !bn_secure_new(pval, it))
|
||||
return 0;
|
||||
|
||||
ret = bn_c2i(pval, cont, len, utype, free_cont, it);
|
||||
if (!ret)
|
||||
return 0;
|
||||
|
||||
/* Set constant-time flag for all secure BIGNUMS */
|
||||
bn = (BIGNUM *)*pval;
|
||||
BN_set_flags(bn, BN_FLG_CONSTTIME);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
|
||||
|
@ -675,7 +675,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
|
||||
|
||||
if (1) {
|
||||
#ifdef AI_PASSIVE
|
||||
int gai_ret = 0;
|
||||
int gai_ret = 0, old_ret = 0;
|
||||
struct addrinfo hints;
|
||||
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
@ -696,19 +696,33 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
|
||||
/* Note that |res| SHOULD be a 'struct addrinfo **' thanks to
|
||||
* macro magic in bio_lcl.h
|
||||
*/
|
||||
retry:
|
||||
switch ((gai_ret = getaddrinfo(host, service, &hints, res))) {
|
||||
# ifdef EAI_SYSTEM
|
||||
case EAI_SYSTEM:
|
||||
SYSerr(SYS_F_GETADDRINFO, get_last_socket_error());
|
||||
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_SYS_LIB);
|
||||
break;
|
||||
# endif
|
||||
# ifdef EAI_MEMORY
|
||||
case EAI_MEMORY:
|
||||
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_MALLOC_FAILURE);
|
||||
break;
|
||||
# endif
|
||||
case 0:
|
||||
ret = 1; /* Success */
|
||||
break;
|
||||
default:
|
||||
# if defined(AI_ADDRCONFIG) && defined(AI_NUMERICHOST)
|
||||
if (hints.ai_flags & AI_ADDRCONFIG) {
|
||||
hints.ai_flags &= ~AI_ADDRCONFIG;
|
||||
hints.ai_flags |= AI_NUMERICHOST;
|
||||
old_ret = gai_ret;
|
||||
goto retry;
|
||||
}
|
||||
# endif
|
||||
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_SYS_LIB);
|
||||
ERR_add_error_data(1, gai_strerror(gai_ret));
|
||||
ERR_add_error_data(1, gai_strerror(old_ret ? old_ret : gai_ret));
|
||||
break;
|
||||
}
|
||||
} else {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -784,7 +784,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
|
||||
* reasons. When BIO_CTRL_DGRAM_SET_PEEK_MODE was first defined its value
|
||||
* was incorrectly clashing with BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE. The
|
||||
* value has been updated to a non-clashing value. However to preserve
|
||||
* binary compatiblity we now respond to both the old value and the new one
|
||||
* binary compatibility we now respond to both the old value and the new one
|
||||
*/
|
||||
case BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE:
|
||||
case BIO_CTRL_DGRAM_SET_PEEK_MODE:
|
||||
|
@ -7,9 +7,6 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef HEADER_BSS_FILE_C
|
||||
# define HEADER_BSS_FILE_C
|
||||
|
||||
#if defined(__linux) || defined(__sun) || defined(__hpux)
|
||||
/*
|
||||
* Following definition aliases fopen to fopen64 on above mentioned
|
||||
@ -423,5 +420,3 @@ BIO *BIO_new_file(const char *filename, const char *mode)
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_NO_STDIO */
|
||||
|
||||
#endif /* HEADER_BSS_FILE_C */
|
||||
|
@ -259,9 +259,7 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
|
||||
bm = bbm->buf;
|
||||
if (bm->data != NULL) {
|
||||
if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) {
|
||||
if (b->flags & BIO_FLAGS_NONCLEAR_RST) {
|
||||
bm->length = bm->max;
|
||||
} else {
|
||||
if (!(b->flags & BIO_FLAGS_NONCLEAR_RST)) {
|
||||
memset(bm->data, 0, bm->max);
|
||||
bm->length = 0;
|
||||
}
|
||||
|
@ -801,7 +801,7 @@ $code.=<<___;
|
||||
#if 0
|
||||
/*
|
||||
* The bn_div_3_words entry point is re-used for constant-time interface.
|
||||
* Implementation is retained as hystorical reference.
|
||||
* Implementation is retained as historical reference.
|
||||
*/
|
||||
.align 5
|
||||
.globl bn_div_3_words
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -258,7 +258,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
|
||||
*
|
||||
* - availability of constant-time bn_div_3_words;
|
||||
* - dividend is at least as "wide" as divisor, limb-wise, zero-padded
|
||||
* if so requied, which shouldn't be a privacy problem, because
|
||||
* if so required, which shouldn't be a privacy problem, because
|
||||
* divisor's length is considered public;
|
||||
*/
|
||||
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -295,7 +295,7 @@ struct bn_gencb_st {
|
||||
(b) > 23 ? 3 : 1)
|
||||
|
||||
/*
|
||||
* BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
|
||||
* BN_mod_exp_mont_consttime is based on the assumption that the L1 data cache
|
||||
* line width of the target processor is at least the following value.
|
||||
*/
|
||||
# define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )
|
||||
|
@ -132,20 +132,66 @@ int BN_num_bits_word(BN_ULONG l)
|
||||
return bits;
|
||||
}
|
||||
|
||||
/*
|
||||
* This function still leaks `a->dmax`: it's caller's responsibility to
|
||||
* expand the input `a` in advance to a public length.
|
||||
*/
|
||||
static ossl_inline
|
||||
int bn_num_bits_consttime(const BIGNUM *a)
|
||||
{
|
||||
int j, ret;
|
||||
unsigned int mask, past_i;
|
||||
int i = a->top - 1;
|
||||
bn_check_top(a);
|
||||
|
||||
for (j = 0, past_i = 0, ret = 0; j < a->dmax; j++) {
|
||||
mask = constant_time_eq_int(i, j); /* 0xff..ff if i==j, 0x0 otherwise */
|
||||
|
||||
ret += BN_BITS2 & (~mask & ~past_i);
|
||||
ret += BN_num_bits_word(a->d[j]) & mask;
|
||||
|
||||
past_i |= mask; /* past_i will become 0xff..ff after i==j */
|
||||
}
|
||||
|
||||
/*
|
||||
* if BN_is_zero(a) => i is -1 and ret contains garbage, so we mask the
|
||||
* final result.
|
||||
*/
|
||||
mask = ~(constant_time_eq_int(i, ((int)-1)));
|
||||
|
||||
return ret & mask;
|
||||
}
|
||||
|
||||
int BN_num_bits(const BIGNUM *a)
|
||||
{
|
||||
int i = a->top - 1;
|
||||
bn_check_top(a);
|
||||
|
||||
if (a->flags & BN_FLG_CONSTTIME) {
|
||||
/*
|
||||
* We assume that BIGNUMs flagged as CONSTTIME have also been expanded
|
||||
* so that a->dmax is not leaking secret information.
|
||||
*
|
||||
* In other words, it's the caller's responsibility to ensure `a` has
|
||||
* been preallocated in advance to a public length if we hit this
|
||||
* branch.
|
||||
*
|
||||
*/
|
||||
return bn_num_bits_consttime(a);
|
||||
}
|
||||
|
||||
if (BN_is_zero(a))
|
||||
return 0;
|
||||
|
||||
return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
|
||||
}
|
||||
|
||||
static void bn_free_d(BIGNUM *a)
|
||||
static void bn_free_d(BIGNUM *a, int clear)
|
||||
{
|
||||
if (BN_get_flags(a, BN_FLG_SECURE))
|
||||
OPENSSL_secure_free(a->d);
|
||||
OPENSSL_secure_clear_free(a->d, a->dmax * sizeof(a->d[0]));
|
||||
else if (clear != 0)
|
||||
OPENSSL_clear_free(a->d, a->dmax * sizeof(a->d[0]));
|
||||
else
|
||||
OPENSSL_free(a->d);
|
||||
}
|
||||
@ -155,10 +201,8 @@ void BN_clear_free(BIGNUM *a)
|
||||
{
|
||||
if (a == NULL)
|
||||
return;
|
||||
if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA)) {
|
||||
OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
|
||||
bn_free_d(a);
|
||||
}
|
||||
if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA))
|
||||
bn_free_d(a, 1);
|
||||
if (BN_get_flags(a, BN_FLG_MALLOCED)) {
|
||||
OPENSSL_cleanse(a, sizeof(*a));
|
||||
OPENSSL_free(a);
|
||||
@ -170,7 +214,7 @@ void BN_free(BIGNUM *a)
|
||||
if (a == NULL)
|
||||
return;
|
||||
if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
|
||||
bn_free_d(a);
|
||||
bn_free_d(a, 0);
|
||||
if (a->flags & BN_FLG_MALLOCED)
|
||||
OPENSSL_free(a);
|
||||
}
|
||||
@ -248,10 +292,8 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
|
||||
BN_ULONG *a = bn_expand_internal(b, words);
|
||||
if (!a)
|
||||
return NULL;
|
||||
if (b->d) {
|
||||
OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
|
||||
bn_free_d(b);
|
||||
}
|
||||
if (b->d != NULL)
|
||||
bn_free_d(b, 1);
|
||||
b->d = a;
|
||||
b->dmax = words;
|
||||
}
|
||||
@ -416,8 +458,11 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
|
||||
return ret;
|
||||
}
|
||||
|
||||
typedef enum {big, little} endianess_t;
|
||||
|
||||
/* ignore negative */
|
||||
static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
|
||||
static
|
||||
int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianess_t endianess)
|
||||
{
|
||||
int n;
|
||||
size_t i, lasti, j, atop, mask;
|
||||
@ -449,10 +494,17 @@ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
|
||||
|
||||
lasti = atop - 1;
|
||||
atop = a->top * BN_BYTES;
|
||||
for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) {
|
||||
if (endianess == big)
|
||||
to += tolen; /* start from the end of the buffer */
|
||||
for (i = 0, j = 0; j < (size_t)tolen; j++) {
|
||||
unsigned char val;
|
||||
l = a->d[i / BN_BYTES];
|
||||
mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
|
||||
*--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
|
||||
val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
|
||||
if (endianess == big)
|
||||
*--to = val;
|
||||
else
|
||||
*to++ = val;
|
||||
i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
|
||||
}
|
||||
|
||||
@ -463,12 +515,12 @@ int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
|
||||
{
|
||||
if (tolen < 0)
|
||||
return -1;
|
||||
return bn2binpad(a, to, tolen);
|
||||
return bn2binpad(a, to, tolen, big);
|
||||
}
|
||||
|
||||
int BN_bn2bin(const BIGNUM *a, unsigned char *to)
|
||||
{
|
||||
return bn2binpad(a, to, -1);
|
||||
return bn2binpad(a, to, -1, big);
|
||||
}
|
||||
|
||||
BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
|
||||
@ -520,22 +572,9 @@ BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
|
||||
|
||||
int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
|
||||
{
|
||||
int i;
|
||||
BN_ULONG l;
|
||||
bn_check_top(a);
|
||||
i = BN_num_bytes(a);
|
||||
if (tolen < i)
|
||||
if (tolen < 0)
|
||||
return -1;
|
||||
/* Add trailing zeroes if necessary */
|
||||
if (tolen > i)
|
||||
memset(to + i, 0, tolen - i);
|
||||
to += i;
|
||||
while (i--) {
|
||||
l = a->d[i / BN_BYTES];
|
||||
to--;
|
||||
*to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
|
||||
}
|
||||
return tolen;
|
||||
return bn2binpad(a, to, tolen, little);
|
||||
}
|
||||
|
||||
int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
|
||||
|
@ -63,8 +63,12 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
|
||||
/* There are no prime numbers this small. */
|
||||
BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
|
||||
return 0;
|
||||
} else if (bits == 2 && safe) {
|
||||
/* The smallest safe prime (7) is three bits. */
|
||||
} else if (add == NULL && safe && bits < 6 && bits != 3) {
|
||||
/*
|
||||
* The smallest safe prime (7) is three bits.
|
||||
* But the following two safe primes with less than 6 bits (11, 23)
|
||||
* are unreachable for BN_rand with BN_RAND_TOP_TWO.
|
||||
*/
|
||||
BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
|
||||
return 0;
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -225,8 +225,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
|
||||
goto err;
|
||||
|
||||
/* We copy |priv| into a local buffer to avoid exposing its length. */
|
||||
todo = sizeof(priv->d[0]) * priv->top;
|
||||
if (todo > sizeof(private_bytes)) {
|
||||
if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
|
||||
/*
|
||||
* No reasonable DSA or ECDSA key should have a private key this
|
||||
* large and we don't handle this case in order to avoid leaking the
|
||||
@ -235,8 +234,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
|
||||
BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);
|
||||
goto err;
|
||||
}
|
||||
memcpy(private_bytes, priv->d, todo);
|
||||
memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
|
||||
|
||||
for (done = 0; done < num_k_bytes;) {
|
||||
if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1)
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -125,7 +125,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||
* = a.
|
||||
*
|
||||
* (This is due to A.O.L. Atkin,
|
||||
* <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
|
||||
* Subject: Square Roots and Cognate Matters modulo p=8n+5.
|
||||
* URL: https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind9211&L=NMBRTHRY&P=4026
|
||||
* November 1992.)
|
||||
*/
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -13,6 +13,56 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/cms.h>
|
||||
#include "cms_lcl.h"
|
||||
#include "internal/nelem.h"
|
||||
|
||||
/*-
|
||||
* Attribute flags.
|
||||
* CMS attribute restrictions are discussed in
|
||||
* - RFC 5652 Section 11.
|
||||
* ESS attribute restrictions are discussed in
|
||||
* - RFC 2634 Section 1.3.4 AND
|
||||
* - RFC 5035 Section 5.4
|
||||
*/
|
||||
/* This is a signed attribute */
|
||||
#define CMS_ATTR_F_SIGNED 0x01
|
||||
/* This is an unsigned attribute */
|
||||
#define CMS_ATTR_F_UNSIGNED 0x02
|
||||
/* Must be present if there are any other attributes of the same type */
|
||||
#define CMS_ATTR_F_REQUIRED_COND 0x10
|
||||
/* There can only be one instance of this attribute */
|
||||
#define CMS_ATTR_F_ONLY_ONE 0x20
|
||||
/* The Attribute's value must have exactly one entry */
|
||||
#define CMS_ATTR_F_ONE_ATTR_VALUE 0x40
|
||||
|
||||
/* Attributes rules for different attributes */
|
||||
static const struct {
|
||||
int nid; /* The attribute id */
|
||||
int flags;
|
||||
} cms_attribute_properties[] = {
|
||||
/* See RFC Section 11 */
|
||||
{ NID_pkcs9_contentType, CMS_ATTR_F_SIGNED
|
||||
| CMS_ATTR_F_ONLY_ONE
|
||||
| CMS_ATTR_F_ONE_ATTR_VALUE
|
||||
| CMS_ATTR_F_REQUIRED_COND },
|
||||
{ NID_pkcs9_messageDigest, CMS_ATTR_F_SIGNED
|
||||
| CMS_ATTR_F_ONLY_ONE
|
||||
| CMS_ATTR_F_ONE_ATTR_VALUE
|
||||
| CMS_ATTR_F_REQUIRED_COND },
|
||||
{ NID_pkcs9_signingTime, CMS_ATTR_F_SIGNED
|
||||
| CMS_ATTR_F_ONLY_ONE
|
||||
| CMS_ATTR_F_ONE_ATTR_VALUE },
|
||||
{ NID_pkcs9_countersignature, CMS_ATTR_F_UNSIGNED },
|
||||
/* ESS */
|
||||
{ NID_id_smime_aa_signingCertificate, CMS_ATTR_F_SIGNED
|
||||
| CMS_ATTR_F_ONLY_ONE
|
||||
| CMS_ATTR_F_ONE_ATTR_VALUE },
|
||||
{ NID_id_smime_aa_signingCertificateV2, CMS_ATTR_F_SIGNED
|
||||
| CMS_ATTR_F_ONLY_ONE
|
||||
| CMS_ATTR_F_ONE_ATTR_VALUE },
|
||||
{ NID_id_smime_aa_receiptRequest, CMS_ATTR_F_SIGNED
|
||||
| CMS_ATTR_F_ONLY_ONE
|
||||
| CMS_ATTR_F_ONE_ATTR_VALUE }
|
||||
};
|
||||
|
||||
/* CMS SignedData Attribute utilities */
|
||||
|
||||
@ -149,4 +199,86 @@ void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
|
||||
return X509at_get0_data_by_OBJ(si->unsignedAttrs, oid, lastpos, type);
|
||||
}
|
||||
|
||||
/* Specific attribute cases */
|
||||
/*
|
||||
* Retrieve an attribute by nid from a stack of attributes starting at index
|
||||
* *lastpos + 1.
|
||||
* Returns the attribute or NULL if there is no attribute.
|
||||
* If an attribute was found *lastpos returns the index of the found attribute.
|
||||
*/
|
||||
static X509_ATTRIBUTE *cms_attrib_get(int nid,
|
||||
const STACK_OF(X509_ATTRIBUTE) *attrs,
|
||||
int *lastpos)
|
||||
{
|
||||
X509_ATTRIBUTE *at;
|
||||
int loc;
|
||||
|
||||
loc = X509at_get_attr_by_NID(attrs, nid, *lastpos);
|
||||
if (loc < 0)
|
||||
return NULL;
|
||||
|
||||
at = X509at_get_attr(attrs, loc);
|
||||
*lastpos = loc;
|
||||
return at;
|
||||
}
|
||||
|
||||
static int cms_check_attribute(int nid, int flags, int type,
|
||||
const STACK_OF(X509_ATTRIBUTE) *attrs,
|
||||
int have_attrs)
|
||||
{
|
||||
int lastpos = -1;
|
||||
X509_ATTRIBUTE *at = cms_attrib_get(nid, attrs, &lastpos);
|
||||
|
||||
if (at != NULL) {
|
||||
int count = X509_ATTRIBUTE_count(at);
|
||||
|
||||
/* Is this attribute allowed? */
|
||||
if (((flags & type) == 0)
|
||||
/* check if multiple attributes of the same type are allowed */
|
||||
|| (((flags & CMS_ATTR_F_ONLY_ONE) != 0)
|
||||
&& cms_attrib_get(nid, attrs, &lastpos) != NULL)
|
||||
/* Check if attribute should have exactly one value in its set */
|
||||
|| (((flags & CMS_ATTR_F_ONE_ATTR_VALUE) != 0)
|
||||
&& count != 1)
|
||||
/* There should be at least one value */
|
||||
|| count == 0)
|
||||
return 0;
|
||||
} else {
|
||||
/* fail if a required attribute is missing */
|
||||
if (have_attrs
|
||||
&& ((flags & CMS_ATTR_F_REQUIRED_COND) != 0)
|
||||
&& (flags & type) != 0)
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check that the signerinfo attributes obey the attribute rules which includes
|
||||
* the following checks
|
||||
* - If any signed attributes exist then there must be a Content Type
|
||||
* and Message Digest attribute in the signed attributes.
|
||||
* - The countersignature attribute is an optional unsigned attribute only.
|
||||
* - Content Type, Message Digest, and Signing time attributes are signed
|
||||
* attributes. Only one instance of each is allowed, with each of these
|
||||
* attributes containing a single attribute value in its set.
|
||||
*/
|
||||
int CMS_si_check_attributes(const CMS_SignerInfo *si)
|
||||
{
|
||||
int i;
|
||||
int have_signed_attrs = (CMS_signed_get_attr_count(si) > 0);
|
||||
int have_unsigned_attrs = (CMS_unsigned_get_attr_count(si) > 0);
|
||||
|
||||
for (i = 0; i < (int)OSSL_NELEM(cms_attribute_properties); ++i) {
|
||||
int nid = cms_attribute_properties[i].nid;
|
||||
int flags = cms_attribute_properties[i].flags;
|
||||
|
||||
if (!cms_check_attribute(nid, flags, CMS_ATTR_F_SIGNED,
|
||||
si->signedAttrs, have_signed_attrs)
|
||||
|| !cms_check_attribute(nid, flags, CMS_ATTR_F_UNSIGNED,
|
||||
si->unsignedAttrs, have_unsigned_attrs)) {
|
||||
CMSerr(CMS_F_CMS_SI_CHECK_ATTRIBUTES, CMS_R_ATTRIBUTE_ERROR);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -363,6 +363,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
|
||||
unsigned char *ek = NULL;
|
||||
size_t eklen;
|
||||
int ret = 0;
|
||||
size_t fixlen = 0;
|
||||
CMS_EncryptedContentInfo *ec;
|
||||
ec = cms->d.envelopedData->encryptedContentInfo;
|
||||
|
||||
@ -371,6 +372,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (cms->d.envelopedData->encryptedContentInfo->havenocert
|
||||
&& !cms->d.envelopedData->encryptedContentInfo->debug) {
|
||||
X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
|
||||
const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
|
||||
|
||||
if (ciph == NULL) {
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
|
||||
return 0;
|
||||
}
|
||||
|
||||
fixlen = EVP_CIPHER_key_length(ciph);
|
||||
}
|
||||
|
||||
ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
|
||||
if (ktri->pctx == NULL)
|
||||
return 0;
|
||||
@ -401,7 +415,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
|
||||
|
||||
if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
|
||||
ktri->encryptedKey->data,
|
||||
ktri->encryptedKey->length) <= 0) {
|
||||
ktri->encryptedKey->length) <= 0
|
||||
|| eklen == 0
|
||||
|| (fixlen != 0 && eklen != fixlen)) {
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -146,6 +146,8 @@ static const ERR_STRING_DATA CMS_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT, 0),
|
||||
"CMS_SignerInfo_verify_content"},
|
||||
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_SIGN_RECEIPT, 0), "CMS_sign_receipt"},
|
||||
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_SI_CHECK_ATTRIBUTES, 0),
|
||||
"CMS_si_check_attributes"},
|
||||
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_STREAM, 0), "CMS_stream"},
|
||||
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_UNCOMPRESS, 0), "CMS_uncompress"},
|
||||
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_VERIFY, 0), "CMS_verify"},
|
||||
@ -155,6 +157,7 @@ static const ERR_STRING_DATA CMS_str_functs[] = {
|
||||
|
||||
static const ERR_STRING_DATA CMS_str_reasons[] = {
|
||||
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ADD_SIGNER_ERROR), "add signer error"},
|
||||
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ATTRIBUTE_ERROR), "attribute error"},
|
||||
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_ALREADY_PRESENT),
|
||||
"certificate already present"},
|
||||
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_HAS_NO_KEYID),
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -125,6 +125,8 @@ struct CMS_EncryptedContentInfo_st {
|
||||
size_t keylen;
|
||||
/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
|
||||
int debug;
|
||||
/* Set to 1 if we have no cert and need extra safety measures for MMA */
|
||||
int havenocert;
|
||||
};
|
||||
|
||||
struct CMS_RecipientInfo_st {
|
||||
@ -317,8 +319,6 @@ struct CMS_OtherKeyAttribute_st {
|
||||
|
||||
/* ESS structures */
|
||||
|
||||
# ifdef HEADER_X509V3_H
|
||||
|
||||
struct CMS_ReceiptRequest_st {
|
||||
ASN1_OCTET_STRING *signedContentIdentifier;
|
||||
CMS_ReceiptsFrom *receiptsFrom;
|
||||
@ -332,7 +332,6 @@ struct CMS_ReceiptsFrom_st {
|
||||
STACK_OF(GENERAL_NAMES) *receiptList;
|
||||
} d;
|
||||
};
|
||||
# endif
|
||||
|
||||
struct CMS_Receipt_st {
|
||||
int32_t version;
|
||||
@ -416,6 +415,8 @@ int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
|
||||
/* PWRI routines */
|
||||
int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
|
||||
int en_de);
|
||||
/* SignerInfo routines */
|
||||
int CMS_si_check_attributes(const CMS_SignerInfo *si);
|
||||
|
||||
DECLARE_ASN1_ITEM(CMS_CertificateChoices)
|
||||
DECLARE_ASN1_ITEM(CMS_DigestedData)
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -109,6 +109,27 @@ static void cms_sd_set_version(CMS_SignedData *sd)
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
* RFC 5652 Section 11.1 Content Type
|
||||
* The content-type attribute within signed-data MUST
|
||||
* 1) be present if there are signed attributes
|
||||
* 2) match the content type in the signed-data,
|
||||
* 3) be a signed attribute.
|
||||
* 4) not have more than one copy of the attribute.
|
||||
*
|
||||
* Note that since the CMS_SignerInfo_sign() always adds the "signing time"
|
||||
* attribute, the content type attribute MUST be added also.
|
||||
* Assumptions: This assumes that the attribute does not already exist.
|
||||
*/
|
||||
static int cms_set_si_contentType_attr(CMS_ContentInfo *cms, CMS_SignerInfo *si)
|
||||
{
|
||||
ASN1_OBJECT *ctype = cms->d.signedData->encapContentInfo->eContentType;
|
||||
|
||||
/* Add the contentType attribute */
|
||||
return CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType,
|
||||
V_ASN1_OBJECT, ctype, -1) > 0;
|
||||
}
|
||||
|
||||
/* Copy an existing messageDigest value */
|
||||
|
||||
static int cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si)
|
||||
@ -328,6 +349,8 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
|
||||
if (flags & CMS_REUSE_DIGEST) {
|
||||
if (!cms_copy_messageDigest(cms, si))
|
||||
goto err;
|
||||
if (!cms_set_si_contentType_attr(cms, si))
|
||||
goto err;
|
||||
if (!(flags & (CMS_PARTIAL | CMS_KEY_PARAM)) &&
|
||||
!CMS_SignerInfo_sign(si))
|
||||
goto err;
|
||||
@ -558,8 +581,6 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms,
|
||||
*/
|
||||
|
||||
if (CMS_signed_get_attr_count(si) >= 0) {
|
||||
ASN1_OBJECT *ctype =
|
||||
cms->d.signedData->encapContentInfo->eContentType;
|
||||
unsigned char md[EVP_MAX_MD_SIZE];
|
||||
unsigned int mdlen;
|
||||
if (!EVP_DigestFinal_ex(mctx, md, &mdlen))
|
||||
@ -568,9 +589,9 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms,
|
||||
V_ASN1_OCTET_STRING, md, mdlen))
|
||||
goto err;
|
||||
/* Copy content type across */
|
||||
if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType,
|
||||
V_ASN1_OBJECT, ctype, -1) <= 0)
|
||||
if (!cms_set_si_contentType_attr(cms, si))
|
||||
goto err;
|
||||
|
||||
if (!CMS_SignerInfo_sign(si))
|
||||
goto err;
|
||||
} else if (si->pctx) {
|
||||
@ -650,6 +671,9 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si)
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (!CMS_si_check_attributes(si))
|
||||
goto err;
|
||||
|
||||
if (si->pctx)
|
||||
pctx = si->pctx;
|
||||
else {
|
||||
@ -696,7 +720,6 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si)
|
||||
OPENSSL_free(abuf);
|
||||
EVP_MD_CTX_reset(mctx);
|
||||
return 0;
|
||||
|
||||
}
|
||||
|
||||
int CMS_SignerInfo_verify(CMS_SignerInfo *si)
|
||||
@ -711,6 +734,9 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si)
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!CMS_si_check_attributes(si))
|
||||
return -1;
|
||||
|
||||
md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
|
||||
if (md == NULL)
|
||||
return -1;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -743,6 +743,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
|
||||
cms->d.envelopedData->encryptedContentInfo->debug = 1;
|
||||
else
|
||||
cms->d.envelopedData->encryptedContentInfo->debug = 0;
|
||||
if (!cert)
|
||||
cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
|
||||
else
|
||||
cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
|
||||
if (!pk && !cert && !dcont && !out)
|
||||
return 1;
|
||||
if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
|
||||
|
@ -42,7 +42,7 @@ void OPENSSL_config(const char *appname)
|
||||
|
||||
int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings)
|
||||
{
|
||||
int ret;
|
||||
int ret = 0;
|
||||
const char *filename;
|
||||
const char *appname;
|
||||
unsigned long flags;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -272,3 +272,9 @@ int ossl_toupper(int c)
|
||||
{
|
||||
return ossl_islower(c) ? c ^ case_change : c;
|
||||
}
|
||||
|
||||
int ascii_isdigit(const char inchar) {
|
||||
if (inchar > 0x2F && inchar < 0x3A)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
@ -24,7 +24,8 @@ int DH_check_params_ex(const DH *dh)
|
||||
{
|
||||
int errflags = 0;
|
||||
|
||||
(void)DH_check_params(dh, &errflags);
|
||||
if (!DH_check_params(dh, &errflags))
|
||||
return 0;
|
||||
|
||||
if ((errflags & DH_CHECK_P_NOT_PRIME) != 0)
|
||||
DHerr(DH_F_DH_CHECK_PARAMS_EX, DH_R_CHECK_P_NOT_PRIME);
|
||||
@ -67,18 +68,14 @@ int DH_check_params(const DH *dh, int *ret)
|
||||
|
||||
/*-
|
||||
* Check that p is a safe prime and
|
||||
* if g is 2, 3 or 5, check that it is a suitable generator
|
||||
* where
|
||||
* for 2, p mod 24 == 11
|
||||
* for 3, p mod 12 == 5
|
||||
* for 5, p mod 10 == 3 or 7
|
||||
* should hold.
|
||||
* g is a suitable generator.
|
||||
*/
|
||||
int DH_check_ex(const DH *dh)
|
||||
{
|
||||
int errflags = 0;
|
||||
|
||||
(void)DH_check(dh, &errflags);
|
||||
if (!DH_check(dh, &errflags))
|
||||
return 0;
|
||||
|
||||
if ((errflags & DH_NOT_SUITABLE_GENERATOR) != 0)
|
||||
DHerr(DH_F_DH_CHECK_EX, DH_R_NOT_SUITABLE_GENERATOR);
|
||||
@ -102,10 +99,11 @@ int DH_check(const DH *dh, int *ret)
|
||||
{
|
||||
int ok = 0, r;
|
||||
BN_CTX *ctx = NULL;
|
||||
BN_ULONG l;
|
||||
BIGNUM *t1 = NULL, *t2 = NULL;
|
||||
|
||||
*ret = 0;
|
||||
if (!DH_check_params(dh, ret))
|
||||
return 0;
|
||||
|
||||
ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@ -139,21 +137,7 @@ int DH_check(const DH *dh, int *ret)
|
||||
*ret |= DH_CHECK_INVALID_Q_VALUE;
|
||||
if (dh->j && BN_cmp(dh->j, t1))
|
||||
*ret |= DH_CHECK_INVALID_J_VALUE;
|
||||
|
||||
} else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
|
||||
l = BN_mod_word(dh->p, 24);
|
||||
if (l == (BN_ULONG)-1)
|
||||
goto err;
|
||||
if (l != 11)
|
||||
*ret |= DH_NOT_SUITABLE_GENERATOR;
|
||||
} else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
|
||||
l = BN_mod_word(dh->p, 10);
|
||||
if (l == (BN_ULONG)-1)
|
||||
goto err;
|
||||
if ((l != 3) && (l != 7))
|
||||
*ret |= DH_NOT_SUITABLE_GENERATOR;
|
||||
} else
|
||||
*ret |= DH_UNABLE_TO_CHECK_GENERATOR;
|
||||
}
|
||||
|
||||
r = BN_is_prime_ex(dh->p, DH_NUMBER_ITERATIONS_FOR_PRIME, ctx, NULL);
|
||||
if (r < 0)
|
||||
@ -180,7 +164,8 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
|
||||
{
|
||||
int errflags = 0;
|
||||
|
||||
(void)DH_check(dh, &errflags);
|
||||
if (!DH_check_pub_key(dh, pub_key, &errflags))
|
||||
return 0;
|
||||
|
||||
if ((errflags & DH_CHECK_PUBKEY_TOO_SMALL) != 0)
|
||||
DHerr(DH_F_DH_CHECK_PUB_KEY_EX, DH_R_CHECK_PUBKEY_TOO_SMALL);
|
||||
|
@ -30,30 +30,33 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
|
||||
|
||||
/*-
|
||||
* We generate DH parameters as follows
|
||||
* find a prime q which is prime_len/2 bits long.
|
||||
* p=(2*q)+1 or (p-1)/2 = q
|
||||
* For this case, g is a generator if
|
||||
* g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
|
||||
* Since the factors of p-1 are q and 2, we just need to check
|
||||
* g^2 mod p != 1 and g^q mod p != 1.
|
||||
* find a prime p which is prime_len bits long,
|
||||
* where q=(p-1)/2 is also prime.
|
||||
* In the following we assume that g is not 0, 1 or p-1, since it
|
||||
* would generate only trivial subgroups.
|
||||
* For this case, g is a generator of the order-q subgroup if
|
||||
* g^q mod p == 1.
|
||||
* Or in terms of the Legendre symbol: (g/p) == 1.
|
||||
*
|
||||
* Having said all that,
|
||||
* there is another special case method for the generators 2, 3 and 5.
|
||||
* Using the quadratic reciprocity law it is possible to solve
|
||||
* (g/p) == 1 for the special values 2, 3, 5:
|
||||
* (2/p) == 1 if p mod 8 == 1 or 7.
|
||||
* (3/p) == 1 if p mod 12 == 1 or 11.
|
||||
* (5/p) == 1 if p mod 5 == 1 or 4.
|
||||
* See for instance: https://en.wikipedia.org/wiki/Legendre_symbol
|
||||
*
|
||||
* Since all safe primes > 7 must satisfy p mod 12 == 11
|
||||
* and all safe primes > 11 must satisfy p mod 5 != 1
|
||||
* we can further improve the condition for g = 2, 3 and 5:
|
||||
* for 2, p mod 24 == 23
|
||||
* for 3, p mod 12 == 11
|
||||
* for 5, p mod 60 == 59
|
||||
*
|
||||
* However for compatibilty with previous versions we use:
|
||||
* for 2, p mod 24 == 11
|
||||
* for 3, p mod 12 == 5 <<<<< does not work for safe primes.
|
||||
* for 5, p mod 10 == 3 or 7
|
||||
*
|
||||
* Thanks to Phil Karn for the pointers about the
|
||||
* special generators and for answering some of my questions.
|
||||
*
|
||||
* I've implemented the second simple method :-).
|
||||
* Since DH should be using a safe prime (both p and q are prime),
|
||||
* this generator function can take a very very long time to run.
|
||||
*/
|
||||
/*
|
||||
* Actually there is no reason to insist that 'generator' be a generator.
|
||||
* It's just as OK (and in some sense better) to use a generator of the
|
||||
* order-q subgroup.
|
||||
* for 5, p mod 60 == 23
|
||||
*/
|
||||
static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
|
||||
BN_GENCB *cb)
|
||||
@ -88,13 +91,10 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
|
||||
goto err;
|
||||
g = 2;
|
||||
} else if (generator == DH_GENERATOR_5) {
|
||||
if (!BN_set_word(t1, 10))
|
||||
if (!BN_set_word(t1, 60))
|
||||
goto err;
|
||||
if (!BN_set_word(t2, 3))
|
||||
if (!BN_set_word(t2, 23))
|
||||
goto err;
|
||||
/*
|
||||
* BN_set_word(t3,7); just have to miss out on these ones :-(
|
||||
*/
|
||||
g = 5;
|
||||
} else {
|
||||
/*
|
||||
@ -102,9 +102,9 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
|
||||
* not: since we are using safe primes, it will generate either an
|
||||
* order-q or an order-2q group, which both is OK
|
||||
*/
|
||||
if (!BN_set_word(t1, 2))
|
||||
if (!BN_set_word(t1, 12))
|
||||
goto err;
|
||||
if (!BN_set_word(t2, 1))
|
||||
if (!BN_set_word(t2, 11))
|
||||
goto err;
|
||||
g = generator;
|
||||
}
|
||||
|
@ -125,6 +125,15 @@ static int generate_key(DH *dh)
|
||||
l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
|
||||
if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
|
||||
goto err;
|
||||
/*
|
||||
* We handle just one known case where g is a quadratic non-residue:
|
||||
* for g = 2: p % 8 == 3
|
||||
*/
|
||||
if (BN_is_word(dh->g, DH_GENERATOR_2) && !BN_is_bit_set(dh->p, 2)) {
|
||||
/* clear bit 0, since it won't be a secret anyway */
|
||||
if (!BN_clear_bit(priv_key, 0))
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -136,11 +145,11 @@ static int generate_key(DH *dh)
|
||||
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
|
||||
|
||||
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
|
||||
BN_free(prk);
|
||||
BN_clear_free(prk);
|
||||
goto err;
|
||||
}
|
||||
/* We MUST free prk before any further use of priv_key */
|
||||
BN_free(prk);
|
||||
BN_clear_free(prk);
|
||||
}
|
||||
|
||||
dh->pub_key = pub_key;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -234,11 +234,11 @@ void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
|
||||
int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
|
||||
{
|
||||
if (pub_key != NULL) {
|
||||
BN_free(dh->pub_key);
|
||||
BN_clear_free(dh->pub_key);
|
||||
dh->pub_key = pub_key;
|
||||
}
|
||||
if (priv_key != NULL) {
|
||||
BN_free(dh->priv_key);
|
||||
BN_clear_free(dh->priv_key);
|
||||
dh->priv_key = priv_key;
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
|
||||
|
||||
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
|
||||
*(int *)arg2 = NID_sha256;
|
||||
return 2;
|
||||
return 1;
|
||||
|
||||
default:
|
||||
return -2;
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -52,6 +52,8 @@ static const ERR_STRING_DATA DSA_str_reasons[] = {
|
||||
"invalid digest type"},
|
||||
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"},
|
||||
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"},
|
||||
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY),
|
||||
"missing private key"},
|
||||
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
|
||||
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"},
|
||||
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
|
||||
|
@ -72,6 +72,10 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
|
||||
reason = DSA_R_MISSING_PARAMETERS;
|
||||
goto err;
|
||||
}
|
||||
if (dsa->priv_key == NULL) {
|
||||
reason = DSA_R_MISSING_PRIVATE_KEY;
|
||||
goto err;
|
||||
}
|
||||
|
||||
ret = DSA_SIG_new();
|
||||
if (ret == NULL)
|
||||
@ -195,6 +199,10 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
|
||||
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_INVALID_PARAMETERS);
|
||||
return 0;
|
||||
}
|
||||
if (dsa->priv_key == NULL) {
|
||||
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PRIVATE_KEY);
|
||||
return 0;
|
||||
}
|
||||
|
||||
k = BN_new();
|
||||
l = BN_new();
|
||||
@ -248,7 +256,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
|
||||
* one bit longer than the modulus.
|
||||
*
|
||||
* There are some concerns about the efficacy of doing this. More
|
||||
* specificly refer to the discussion starting with:
|
||||
* specifically refer to the discussion starting with:
|
||||
* https://github.com/openssl/openssl/pull/7486#discussion_r228323705
|
||||
* The fix is to rework BN so these gymnastics aren't required.
|
||||
*/
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -27,8 +27,7 @@
|
||||
# endif
|
||||
# include <dlfcn.h>
|
||||
# define HAVE_DLINFO 1
|
||||
# if defined(__CYGWIN__) || \
|
||||
defined(__SCO_VERSION__) || defined(_SCO_ELF) || \
|
||||
# if defined(__SCO_VERSION__) || defined(_SCO_ELF) || \
|
||||
(defined(__osf__) && !defined(RTLD_NEXT)) || \
|
||||
(defined(__OpenBSD__) && !defined(RTLD_SELF)) || \
|
||||
defined(__ANDROID__)
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -2301,7 +2301,6 @@ my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
|
||||
# !in1infty, !in2infty and result of check for zero.
|
||||
|
||||
$code.=<<___;
|
||||
.globl ecp_nistz256_point_add_vis3
|
||||
.align 32
|
||||
ecp_nistz256_point_add_vis3:
|
||||
save %sp,-STACK64_FRAME-32*18-32,%sp
|
||||
|
@ -1301,7 +1301,7 @@ ecp_nistz256_ord_mul_montx:
|
||||
|
||||
################################# reduction
|
||||
mulx 8*0+128(%r14), $t0, $t1
|
||||
adcx $t0, $acc3 # guranteed to be zero
|
||||
adcx $t0, $acc3 # guaranteed to be zero
|
||||
adox $t1, $acc4
|
||||
|
||||
mulx 8*1+128(%r14), $t0, $t1
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -451,7 +451,7 @@ x25519_fe64_tobytes:
|
||||
and $t0,$t0,$t1
|
||||
sldi $a3,$a3,1
|
||||
add $t0,$t0,$t1 # compare to modulus in the same go
|
||||
srdi $a3,$a3,1 # most signifcant bit cleared
|
||||
srdi $a3,$a3,1 # most significant bit cleared
|
||||
|
||||
addc $a0,$a0,$t0
|
||||
addze $a1,$a1
|
||||
@ -462,7 +462,7 @@ x25519_fe64_tobytes:
|
||||
sradi $t0,$a3,63 # most significant bit -> mask
|
||||
sldi $a3,$a3,1
|
||||
andc $t0,$t1,$t0
|
||||
srdi $a3,$a3,1 # most signifcant bit cleared
|
||||
srdi $a3,$a3,1 # most significant bit cleared
|
||||
|
||||
subi $rp,$rp,1
|
||||
subfc $a0,$t0,$a0
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -568,10 +568,12 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
|
||||
EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
|
||||
{
|
||||
int ok = 0, tmp;
|
||||
EC_GROUP *ret = NULL;
|
||||
EC_GROUP *ret = NULL, *dup = NULL;
|
||||
BIGNUM *p = NULL, *a = NULL, *b = NULL;
|
||||
EC_POINT *point = NULL;
|
||||
long field_bits;
|
||||
int curve_name = NID_undef;
|
||||
BN_CTX *ctx = NULL;
|
||||
|
||||
if (!params->fieldID || !params->fieldID->fieldType ||
|
||||
!params->fieldID->p.ptr) {
|
||||
@ -789,18 +791,79 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check if the explicit parameters group just created matches one of the
|
||||
* built-in curves.
|
||||
*
|
||||
* We create a copy of the group just built, so that we can remove optional
|
||||
* fields for the lookup: we do this to avoid the possibility that one of
|
||||
* the optional parameters is used to force the library into using a less
|
||||
* performant and less secure EC_METHOD instead of the specialized one.
|
||||
* In any case, `seed` is not really used in any computation, while a
|
||||
* cofactor different from the one in the built-in table is just
|
||||
* mathematically wrong anyway and should not be used.
|
||||
*/
|
||||
if ((ctx = BN_CTX_new()) == NULL) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if ((dup = EC_GROUP_dup(ret)) == NULL
|
||||
|| EC_GROUP_set_seed(dup, NULL, 0) != 1
|
||||
|| !EC_GROUP_set_generator(dup, point, a, NULL)) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) {
|
||||
/*
|
||||
* The input explicit parameters successfully matched one of the
|
||||
* built-in curves: often for built-in curves we have specialized
|
||||
* methods with better performance and hardening.
|
||||
*
|
||||
* In this case we replace the `EC_GROUP` created through explicit
|
||||
* parameters with one created from a named group.
|
||||
*/
|
||||
EC_GROUP *named_group = NULL;
|
||||
|
||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
/*
|
||||
* NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for
|
||||
* the same curve, we prefer the SECP nid when matching explicit
|
||||
* parameters as that is associated with a specialized EC_METHOD.
|
||||
*/
|
||||
if (curve_name == NID_wap_wsg_idm_ecid_wtls12)
|
||||
curve_name = NID_secp224r1;
|
||||
#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
|
||||
|
||||
if ((named_group = EC_GROUP_new_by_curve_name(curve_name)) == NULL) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
EC_GROUP_free(ret);
|
||||
ret = named_group;
|
||||
|
||||
/*
|
||||
* Set the flag so that EC_GROUPs created from explicit parameters are
|
||||
* serialized using explicit parameters by default.
|
||||
*/
|
||||
EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
|
||||
}
|
||||
|
||||
ok = 1;
|
||||
|
||||
err:
|
||||
if (!ok) {
|
||||
EC_GROUP_clear_free(ret);
|
||||
EC_GROUP_free(ret);
|
||||
ret = NULL;
|
||||
}
|
||||
EC_GROUP_free(dup);
|
||||
|
||||
BN_free(p);
|
||||
BN_free(a);
|
||||
BN_free(b);
|
||||
EC_POINT_free(point);
|
||||
|
||||
BN_CTX_free(ctx);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -861,7 +924,7 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
|
||||
}
|
||||
|
||||
if (a) {
|
||||
EC_GROUP_clear_free(*a);
|
||||
EC_GROUP_free(*a);
|
||||
*a = group;
|
||||
}
|
||||
|
||||
@ -909,7 +972,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
|
||||
ret = *a;
|
||||
|
||||
if (priv_key->parameters) {
|
||||
EC_GROUP_clear_free(ret->group);
|
||||
EC_GROUP_free(ret->group);
|
||||
ret->group = EC_GROUP_new_from_ecpkparameters(priv_key->parameters);
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -3197,3 +3197,115 @@ int EC_curve_nist2nid(const char *name)
|
||||
}
|
||||
return NID_undef;
|
||||
}
|
||||
|
||||
#define NUM_BN_FIELDS 6
|
||||
/*
|
||||
* Validates EC domain parameter data for known named curves.
|
||||
* This can be used when a curve is loaded explicitly (without a curve
|
||||
* name) or to validate that domain parameters have not been modified.
|
||||
*
|
||||
* Returns: The nid associated with the found named curve, or NID_undef
|
||||
* if not found. If there was an error it returns -1.
|
||||
*/
|
||||
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
|
||||
{
|
||||
int ret = -1, nid, len, field_type, param_len;
|
||||
size_t i, seed_len;
|
||||
const unsigned char *seed, *params_seed, *params;
|
||||
unsigned char *param_bytes = NULL;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_POINT *generator = NULL;
|
||||
const EC_METHOD *meth;
|
||||
const BIGNUM *cofactor = NULL;
|
||||
/* An array of BIGNUMs for (p, a, b, x, y, order) */
|
||||
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
|
||||
|
||||
meth = EC_GROUP_method_of(group);
|
||||
if (meth == NULL)
|
||||
return -1;
|
||||
/* Use the optional named curve nid as a search field */
|
||||
nid = EC_GROUP_get_curve_name(group);
|
||||
field_type = EC_METHOD_get_field_type(meth);
|
||||
seed_len = EC_GROUP_get_seed_len(group);
|
||||
seed = EC_GROUP_get0_seed(group);
|
||||
cofactor = EC_GROUP_get0_cofactor(group);
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
|
||||
/*
|
||||
* The built-in curves contains data fields (p, a, b, x, y, order) that are
|
||||
* all zero-padded to be the same size. The size of the padding is
|
||||
* determined by either the number of bytes in the field modulus (p) or the
|
||||
* EC group order, whichever is larger.
|
||||
*/
|
||||
param_len = BN_num_bytes(group->order);
|
||||
len = BN_num_bytes(group->field);
|
||||
if (len > param_len)
|
||||
param_len = len;
|
||||
|
||||
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
|
||||
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
|
||||
if (param_bytes == NULL)
|
||||
goto end;
|
||||
|
||||
/* Create the bignums */
|
||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
|
||||
goto end;
|
||||
}
|
||||
/*
|
||||
* Fill in the bn array with the same values as the internal curves
|
||||
* i.e. the values are p, a, b, x, y, order.
|
||||
*/
|
||||
/* Get p, a & b */
|
||||
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
|
||||
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
|
||||
/* Get x & y */
|
||||
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
|
||||
/* Get order */
|
||||
&& EC_GROUP_get_order(group, bn[5], ctx)))
|
||||
goto end;
|
||||
|
||||
/*
|
||||
* Convert the bignum array to bytes that are joined together to form
|
||||
* a single buffer that contains data for all fields.
|
||||
* (p, a, b, x, y, order) are all zero padded to be the same size.
|
||||
*/
|
||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||
if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
|
||||
goto end;
|
||||
}
|
||||
|
||||
for (i = 0; i < curve_list_length; i++) {
|
||||
const ec_list_element curve = curve_list[i];
|
||||
|
||||
data = curve.data;
|
||||
/* Get the raw order byte data */
|
||||
params_seed = (const unsigned char *)(data + 1); /* skip header */
|
||||
params = params_seed + data->seed_len;
|
||||
|
||||
/* Look for unique fields in the fixed curve data */
|
||||
if (data->field_type == field_type
|
||||
&& param_len == data->param_len
|
||||
&& (nid <= 0 || nid == curve.nid)
|
||||
/* check the optional cofactor (ignore if its zero) */
|
||||
&& (BN_is_zero(cofactor)
|
||||
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
|
||||
/* Check the optional seed (ignore if its not set) */
|
||||
&& (data->seed_len == 0 || seed_len == 0
|
||||
|| ((size_t)data->seed_len == seed_len
|
||||
&& memcmp(params_seed, seed, seed_len) == 0))
|
||||
/* Check that the groups params match the built-in curve params */
|
||||
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
|
||||
== 0) {
|
||||
ret = curve.nid;
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
/* Gets here if the group was not found */
|
||||
ret = NID_undef;
|
||||
end:
|
||||
OPENSSL_free(param_bytes);
|
||||
BN_CTX_end(ctx);
|
||||
return ret;
|
||||
}
|
||||
|
@ -154,7 +154,7 @@ struct ec_method_st {
|
||||
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
||||
const BIGNUM *b, BN_CTX *);
|
||||
/*-
|
||||
* 'field_inv' computes the multipicative inverse of a in the field,
|
||||
* 'field_inv' computes the multiplicative inverse of a in the field,
|
||||
* storing the result in r.
|
||||
*
|
||||
* If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
|
||||
@ -595,6 +595,8 @@ int ec_key_simple_generate_key(EC_KEY *eckey);
|
||||
int ec_key_simple_generate_public_key(EC_KEY *eckey);
|
||||
int ec_key_simple_check_key(const EC_KEY *eckey);
|
||||
|
||||
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx);
|
||||
|
||||
/* EC_METHOD definitions */
|
||||
|
||||
struct ec_key_method_st {
|
||||
|
@ -265,6 +265,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
|
||||
|
||||
static int ec_precompute_mont_data(EC_GROUP *);
|
||||
|
||||
/*-
|
||||
* Try computing cofactor from the generator order (n) and field cardinality (q).
|
||||
* This works for all curves of cryptographic interest.
|
||||
*
|
||||
* Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
|
||||
* h_min = (q + 1 - 2*sqrt(q))/n
|
||||
* h_max = (q + 1 + 2*sqrt(q))/n
|
||||
* h_max - h_min = 4*sqrt(q)/n
|
||||
* So if n > 4*sqrt(q) holds, there is only one possible value for h:
|
||||
* h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
|
||||
*
|
||||
* Otherwise, zero cofactor and return success.
|
||||
*/
|
||||
static int ec_guess_cofactor(EC_GROUP *group) {
|
||||
int ret = 0;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *q = NULL;
|
||||
|
||||
/*-
|
||||
* If the cofactor is too large, we cannot guess it.
|
||||
* The RHS of below is a strict overestimate of lg(4 * sqrt(q))
|
||||
*/
|
||||
if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {
|
||||
/* default to 0 */
|
||||
BN_zero(group->cofactor);
|
||||
/* return success */
|
||||
return 1;
|
||||
}
|
||||
|
||||
if ((ctx = BN_CTX_new()) == NULL)
|
||||
return 0;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
if ((q = BN_CTX_get(ctx)) == NULL)
|
||||
goto err;
|
||||
|
||||
/* set q = 2**m for binary fields; q = p otherwise */
|
||||
if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
|
||||
BN_zero(q);
|
||||
if (!BN_set_bit(q, BN_num_bits(group->field) - 1))
|
||||
goto err;
|
||||
} else {
|
||||
if (!BN_copy(q, group->field))
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
|
||||
if (!BN_rshift1(group->cofactor, group->order) /* n/2 */
|
||||
|| !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */
|
||||
/* q + 1 + n/2 */
|
||||
|| !BN_add(group->cofactor, group->cofactor, BN_value_one())
|
||||
/* (q + 1 + n/2)/n */
|
||||
|| !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx))
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
BN_CTX_end(ctx);
|
||||
BN_CTX_free(ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
||||
const BIGNUM *order, const BIGNUM *cofactor)
|
||||
{
|
||||
@ -273,6 +334,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* require group->field >= 1 */
|
||||
if (group->field == NULL || BN_is_zero(group->field)
|
||||
|| BN_is_negative(group->field)) {
|
||||
ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*-
|
||||
* - require order >= 1
|
||||
* - enforce upper bound due to Hasse thm: order can be no more than one bit
|
||||
* longer than field cardinality
|
||||
*/
|
||||
if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
|
||||
|| BN_num_bits(order) > BN_num_bits(group->field) + 1) {
|
||||
ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*-
|
||||
* Unfortunately the cofactor is an optional field in many standards.
|
||||
* Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
|
||||
* So accept cofactor == NULL or cofactor >= 0.
|
||||
*/
|
||||
if (cofactor != NULL && BN_is_negative(cofactor)) {
|
||||
ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (group->generator == NULL) {
|
||||
group->generator = EC_POINT_new(group);
|
||||
if (group->generator == NULL)
|
||||
@ -281,17 +370,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
||||
if (!EC_POINT_copy(group->generator, generator))
|
||||
return 0;
|
||||
|
||||
if (order != NULL) {
|
||||
if (!BN_copy(group->order, order))
|
||||
return 0;
|
||||
} else
|
||||
BN_zero(group->order);
|
||||
|
||||
if (cofactor != NULL) {
|
||||
/* Either take the provided positive cofactor, or try to compute it */
|
||||
if (cofactor != NULL && !BN_is_zero(cofactor)) {
|
||||
if (!BN_copy(group->cofactor, cofactor))
|
||||
return 0;
|
||||
} else
|
||||
} else if (!ec_guess_cofactor(group)) {
|
||||
BN_zero(group->cofactor);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Some groups have an order with
|
||||
|
@ -58,7 +58,7 @@ int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
|
||||
|
||||
priv_key = EC_KEY_get0_private_key(ecdh);
|
||||
if (priv_key == NULL) {
|
||||
ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_NO_PRIVATE_VALUE);
|
||||
ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_MISSING_PRIVATE_KEY);
|
||||
goto err;
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -41,11 +41,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
|
||||
const EC_GROUP *group;
|
||||
int ret = 0;
|
||||
int order_bits;
|
||||
const BIGNUM *priv_key;
|
||||
|
||||
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
|
||||
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
|
||||
return 0;
|
||||
}
|
||||
if ((priv_key = EC_KEY_get0_private_key(eckey)) == NULL) {
|
||||
ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_MISSING_PRIVATE_KEY);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!EC_KEY_can_sign(eckey)) {
|
||||
ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
|
||||
@ -83,8 +88,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
|
||||
/* get random k */
|
||||
do {
|
||||
if (dgst != NULL) {
|
||||
if (!BN_generate_dsa_nonce(k, order,
|
||||
EC_KEY_get0_private_key(eckey),
|
||||
if (!BN_generate_dsa_nonce(k, order, priv_key,
|
||||
dgst, dlen, ctx)) {
|
||||
ECerr(EC_F_ECDSA_SIGN_SETUP,
|
||||
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
|
||||
@ -162,10 +166,14 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
||||
group = EC_KEY_get0_group(eckey);
|
||||
priv_key = EC_KEY_get0_private_key(eckey);
|
||||
|
||||
if (group == NULL || priv_key == NULL) {
|
||||
if (group == NULL) {
|
||||
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER);
|
||||
return NULL;
|
||||
}
|
||||
if (priv_key == NULL) {
|
||||
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_MISSING_PRIVATE_KEY);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!EC_KEY_can_sign(eckey)) {
|
||||
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
|
||||
|
@ -324,34 +324,21 @@ static void felem_to_bin28(u8 out[28], const felem in)
|
||||
}
|
||||
}
|
||||
|
||||
/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
|
||||
static void flip_endian(u8 *out, const u8 *in, unsigned len)
|
||||
{
|
||||
unsigned i;
|
||||
for (i = 0; i < len; ++i)
|
||||
out[i] = in[len - 1 - i];
|
||||
}
|
||||
|
||||
/* From OpenSSL BIGNUM to internal representation */
|
||||
static int BN_to_felem(felem out, const BIGNUM *bn)
|
||||
{
|
||||
felem_bytearray b_in;
|
||||
felem_bytearray b_out;
|
||||
unsigned num_bytes;
|
||||
int num_bytes;
|
||||
|
||||
/* BN_bn2bin eats leading zeroes */
|
||||
memset(b_out, 0, sizeof(b_out));
|
||||
num_bytes = BN_num_bytes(bn);
|
||||
if (num_bytes > sizeof(b_out)) {
|
||||
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
|
||||
return 0;
|
||||
}
|
||||
if (BN_is_negative(bn)) {
|
||||
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
|
||||
return 0;
|
||||
}
|
||||
num_bytes = BN_bn2bin(bn, b_in);
|
||||
flip_endian(b_out, b_in, num_bytes);
|
||||
num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
|
||||
if (num_bytes < 0) {
|
||||
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
|
||||
return 0;
|
||||
}
|
||||
bin28_to_felem(out, b_out);
|
||||
return 1;
|
||||
}
|
||||
@ -359,10 +346,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
|
||||
/* From internal representation to OpenSSL BIGNUM */
|
||||
static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
|
||||
{
|
||||
felem_bytearray b_in, b_out;
|
||||
felem_to_bin28(b_in, in);
|
||||
flip_endian(b_out, b_in, sizeof(b_out));
|
||||
return BN_bin2bn(b_out, sizeof(b_out), out);
|
||||
felem_bytearray b_out;
|
||||
felem_to_bin28(b_out, in);
|
||||
return BN_lebin2bn(b_out, sizeof(b_out), out);
|
||||
}
|
||||
|
||||
/******************************************************************************/
|
||||
@ -1402,8 +1388,7 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
felem_bytearray *secrets = NULL;
|
||||
felem (*pre_comp)[17][3] = NULL;
|
||||
felem *tmp_felems = NULL;
|
||||
felem_bytearray tmp;
|
||||
unsigned num_bytes;
|
||||
int num_bytes;
|
||||
int have_pre_comp = 0;
|
||||
size_t num_points = num;
|
||||
felem x_in, y_in, z_in, x_out, y_out, z_out;
|
||||
@ -1478,14 +1463,12 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
* i.e., they contribute nothing to the linear combination
|
||||
*/
|
||||
for (i = 0; i < num_points; ++i) {
|
||||
if (i == num)
|
||||
if (i == num) {
|
||||
/* the generator */
|
||||
{
|
||||
p = EC_GROUP_get0_generator(group);
|
||||
p_scalar = scalar;
|
||||
} else
|
||||
} else {
|
||||
/* the i^th point */
|
||||
{
|
||||
p = points[i];
|
||||
p_scalar = scalars[i];
|
||||
}
|
||||
@ -1501,10 +1484,16 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
num_bytes = BN_bn2bin(tmp_scalar, tmp);
|
||||
} else
|
||||
num_bytes = BN_bn2bin(p_scalar, tmp);
|
||||
flip_endian(secrets[i], tmp, num_bytes);
|
||||
num_bytes = BN_bn2lebinpad(tmp_scalar,
|
||||
secrets[i], sizeof(secrets[i]));
|
||||
} else {
|
||||
num_bytes = BN_bn2lebinpad(p_scalar,
|
||||
secrets[i], sizeof(secrets[i]));
|
||||
}
|
||||
if (num_bytes < 0) {
|
||||
ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
/* precompute multiples */
|
||||
if ((!BN_to_felem(x_out, p->X)) ||
|
||||
(!BN_to_felem(y_out, p->Y)) ||
|
||||
@ -1547,20 +1536,21 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
num_bytes = BN_bn2bin(tmp_scalar, tmp);
|
||||
} else
|
||||
num_bytes = BN_bn2bin(scalar, tmp);
|
||||
flip_endian(g_secret, tmp, num_bytes);
|
||||
num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
|
||||
} else {
|
||||
num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
|
||||
}
|
||||
/* do the multiplication with generator precomputation */
|
||||
batch_mul(x_out, y_out, z_out,
|
||||
(const felem_bytearray(*))secrets, num_points,
|
||||
g_secret,
|
||||
mixed, (const felem(*)[17][3])pre_comp, g_pre_comp);
|
||||
} else
|
||||
} else {
|
||||
/* do the multiplication without generator precomputation */
|
||||
batch_mul(x_out, y_out, z_out,
|
||||
(const felem_bytearray(*))secrets, num_points,
|
||||
NULL, mixed, (const felem(*)[17][3])pre_comp, NULL);
|
||||
}
|
||||
/* reduce the output to its unique minimal representation */
|
||||
felem_contract(x_in, x_out);
|
||||
felem_contract(y_in, y_out);
|
||||
|
@ -146,34 +146,21 @@ static void smallfelem_to_bin32(u8 out[32], const smallfelem in)
|
||||
*((u64 *)&out[24]) = in[3];
|
||||
}
|
||||
|
||||
/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
|
||||
static void flip_endian(u8 *out, const u8 *in, unsigned len)
|
||||
{
|
||||
unsigned i;
|
||||
for (i = 0; i < len; ++i)
|
||||
out[i] = in[len - 1 - i];
|
||||
}
|
||||
|
||||
/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
|
||||
static int BN_to_felem(felem out, const BIGNUM *bn)
|
||||
{
|
||||
felem_bytearray b_in;
|
||||
felem_bytearray b_out;
|
||||
unsigned num_bytes;
|
||||
int num_bytes;
|
||||
|
||||
/* BN_bn2bin eats leading zeroes */
|
||||
memset(b_out, 0, sizeof(b_out));
|
||||
num_bytes = BN_num_bytes(bn);
|
||||
if (num_bytes > sizeof(b_out)) {
|
||||
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
|
||||
return 0;
|
||||
}
|
||||
if (BN_is_negative(bn)) {
|
||||
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
|
||||
return 0;
|
||||
}
|
||||
num_bytes = BN_bn2bin(bn, b_in);
|
||||
flip_endian(b_out, b_in, num_bytes);
|
||||
num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
|
||||
if (num_bytes < 0) {
|
||||
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
|
||||
return 0;
|
||||
}
|
||||
bin32_to_felem(out, b_out);
|
||||
return 1;
|
||||
}
|
||||
@ -181,10 +168,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
|
||||
/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
|
||||
static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in)
|
||||
{
|
||||
felem_bytearray b_in, b_out;
|
||||
smallfelem_to_bin32(b_in, in);
|
||||
flip_endian(b_out, b_in, sizeof(b_out));
|
||||
return BN_bin2bn(b_out, sizeof(b_out), out);
|
||||
felem_bytearray b_out;
|
||||
smallfelem_to_bin32(b_out, in);
|
||||
return BN_lebin2bn(b_out, sizeof(b_out), out);
|
||||
}
|
||||
|
||||
/*-
|
||||
@ -2024,8 +2010,8 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
felem_bytearray *secrets = NULL;
|
||||
smallfelem (*pre_comp)[17][3] = NULL;
|
||||
smallfelem *tmp_smallfelems = NULL;
|
||||
felem_bytearray tmp;
|
||||
unsigned i, num_bytes;
|
||||
unsigned i;
|
||||
int num_bytes;
|
||||
int have_pre_comp = 0;
|
||||
size_t num_points = num;
|
||||
smallfelem x_in, y_in, z_in;
|
||||
@ -2102,17 +2088,15 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
memset(secrets, 0, sizeof(*secrets) * num_points);
|
||||
memset(pre_comp, 0, sizeof(*pre_comp) * num_points);
|
||||
for (i = 0; i < num_points; ++i) {
|
||||
if (i == num)
|
||||
if (i == num) {
|
||||
/*
|
||||
* we didn't have a valid precomputation, so we pick the
|
||||
* generator
|
||||
*/
|
||||
{
|
||||
p = EC_GROUP_get0_generator(group);
|
||||
p_scalar = scalar;
|
||||
} else
|
||||
} else {
|
||||
/* the i^th point */
|
||||
{
|
||||
p = points[i];
|
||||
p_scalar = scalars[i];
|
||||
}
|
||||
@ -2128,10 +2112,16 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
num_bytes = BN_bn2bin(tmp_scalar, tmp);
|
||||
} else
|
||||
num_bytes = BN_bn2bin(p_scalar, tmp);
|
||||
flip_endian(secrets[i], tmp, num_bytes);
|
||||
num_bytes = BN_bn2lebinpad(tmp_scalar,
|
||||
secrets[i], sizeof(secrets[i]));
|
||||
} else {
|
||||
num_bytes = BN_bn2lebinpad(p_scalar,
|
||||
secrets[i], sizeof(secrets[i]));
|
||||
}
|
||||
if (num_bytes < 0) {
|
||||
ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
/* precompute multiples */
|
||||
if ((!BN_to_felem(x_out, p->X)) ||
|
||||
(!BN_to_felem(y_out, p->Y)) ||
|
||||
@ -2176,20 +2166,21 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
num_bytes = BN_bn2bin(tmp_scalar, tmp);
|
||||
} else
|
||||
num_bytes = BN_bn2bin(scalar, tmp);
|
||||
flip_endian(g_secret, tmp, num_bytes);
|
||||
num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
|
||||
} else {
|
||||
num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
|
||||
}
|
||||
/* do the multiplication with generator precomputation */
|
||||
batch_mul(x_out, y_out, z_out,
|
||||
(const felem_bytearray(*))secrets, num_points,
|
||||
g_secret,
|
||||
mixed, (const smallfelem(*)[17][3])pre_comp, g_pre_comp);
|
||||
} else
|
||||
} else {
|
||||
/* do the multiplication without generator precomputation */
|
||||
batch_mul(x_out, y_out, z_out,
|
||||
(const felem_bytearray(*))secrets, num_points,
|
||||
NULL, mixed, (const smallfelem(*)[17][3])pre_comp, NULL);
|
||||
}
|
||||
/* reduce the output to its unique minimal representation */
|
||||
felem_contract(x_in, x_out);
|
||||
felem_contract(y_in, y_out);
|
||||
|
@ -169,34 +169,21 @@ static void felem_to_bin66(u8 out[66], const felem in)
|
||||
(*((limb *) & out[58])) = in[8];
|
||||
}
|
||||
|
||||
/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
|
||||
static void flip_endian(u8 *out, const u8 *in, unsigned len)
|
||||
{
|
||||
unsigned i;
|
||||
for (i = 0; i < len; ++i)
|
||||
out[i] = in[len - 1 - i];
|
||||
}
|
||||
|
||||
/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
|
||||
static int BN_to_felem(felem out, const BIGNUM *bn)
|
||||
{
|
||||
felem_bytearray b_in;
|
||||
felem_bytearray b_out;
|
||||
unsigned num_bytes;
|
||||
int num_bytes;
|
||||
|
||||
/* BN_bn2bin eats leading zeroes */
|
||||
memset(b_out, 0, sizeof(b_out));
|
||||
num_bytes = BN_num_bytes(bn);
|
||||
if (num_bytes > sizeof(b_out)) {
|
||||
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
|
||||
return 0;
|
||||
}
|
||||
if (BN_is_negative(bn)) {
|
||||
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
|
||||
return 0;
|
||||
}
|
||||
num_bytes = BN_bn2bin(bn, b_in);
|
||||
flip_endian(b_out, b_in, num_bytes);
|
||||
num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
|
||||
if (num_bytes < 0) {
|
||||
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
|
||||
return 0;
|
||||
}
|
||||
bin66_to_felem(out, b_out);
|
||||
return 1;
|
||||
}
|
||||
@ -204,10 +191,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
|
||||
/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
|
||||
static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
|
||||
{
|
||||
felem_bytearray b_in, b_out;
|
||||
felem_to_bin66(b_in, in);
|
||||
flip_endian(b_out, b_in, sizeof(b_out));
|
||||
return BN_bin2bn(b_out, sizeof(b_out), out);
|
||||
felem_bytearray b_out;
|
||||
felem_to_bin66(b_out, in);
|
||||
return BN_lebin2bn(b_out, sizeof(b_out), out);
|
||||
}
|
||||
|
||||
/*-
|
||||
@ -1269,7 +1255,7 @@ static void point_add(felem x3, felem y3, felem z3,
|
||||
* ffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb
|
||||
* 71e913863f7, in that case the penultimate intermediate is -9G and
|
||||
* the final digit is also -9G. Since this only happens for a single
|
||||
* scalar, the timing leak is irrelevent. (Any attacker who wanted to
|
||||
* scalar, the timing leak is irrelevant. (Any attacker who wanted to
|
||||
* check whether a secret scalar was that exact value, can already do
|
||||
* so.)
|
||||
*/
|
||||
@ -1866,8 +1852,8 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
felem_bytearray *secrets = NULL;
|
||||
felem (*pre_comp)[17][3] = NULL;
|
||||
felem *tmp_felems = NULL;
|
||||
felem_bytearray tmp;
|
||||
unsigned i, num_bytes;
|
||||
unsigned i;
|
||||
int num_bytes;
|
||||
int have_pre_comp = 0;
|
||||
size_t num_points = num;
|
||||
felem x_in, y_in, z_in, x_out, y_out, z_out;
|
||||
@ -1942,17 +1928,15 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
* i.e., they contribute nothing to the linear combination
|
||||
*/
|
||||
for (i = 0; i < num_points; ++i) {
|
||||
if (i == num)
|
||||
if (i == num) {
|
||||
/*
|
||||
* we didn't have a valid precomputation, so we pick the
|
||||
* generator
|
||||
*/
|
||||
{
|
||||
p = EC_GROUP_get0_generator(group);
|
||||
p_scalar = scalar;
|
||||
} else
|
||||
} else {
|
||||
/* the i^th point */
|
||||
{
|
||||
p = points[i];
|
||||
p_scalar = scalars[i];
|
||||
}
|
||||
@ -1968,10 +1952,16 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
num_bytes = BN_bn2bin(tmp_scalar, tmp);
|
||||
} else
|
||||
num_bytes = BN_bn2bin(p_scalar, tmp);
|
||||
flip_endian(secrets[i], tmp, num_bytes);
|
||||
num_bytes = BN_bn2lebinpad(tmp_scalar,
|
||||
secrets[i], sizeof(secrets[i]));
|
||||
} else {
|
||||
num_bytes = BN_bn2lebinpad(p_scalar,
|
||||
secrets[i], sizeof(secrets[i]));
|
||||
}
|
||||
if (num_bytes < 0) {
|
||||
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
/* precompute multiples */
|
||||
if ((!BN_to_felem(x_out, p->X)) ||
|
||||
(!BN_to_felem(y_out, p->Y)) ||
|
||||
@ -2014,21 +2004,22 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
num_bytes = BN_bn2bin(tmp_scalar, tmp);
|
||||
} else
|
||||
num_bytes = BN_bn2bin(scalar, tmp);
|
||||
flip_endian(g_secret, tmp, num_bytes);
|
||||
num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
|
||||
} else {
|
||||
num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
|
||||
}
|
||||
/* do the multiplication with generator precomputation */
|
||||
batch_mul(x_out, y_out, z_out,
|
||||
(const felem_bytearray(*))secrets, num_points,
|
||||
g_secret,
|
||||
mixed, (const felem(*)[17][3])pre_comp,
|
||||
(const felem(*)[3])g_pre_comp);
|
||||
} else
|
||||
} else {
|
||||
/* do the multiplication without generator precomputation */
|
||||
batch_mul(x_out, y_out, z_out,
|
||||
(const felem_bytearray(*))secrets, num_points,
|
||||
NULL, mixed, (const felem(*)[17][3])pre_comp, NULL);
|
||||
}
|
||||
/* reduce the output to its unique minimal representation */
|
||||
felem_contract(x_in, x_out);
|
||||
felem_contract(y_in, y_out);
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -160,11 +160,11 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
|
||||
*
|
||||
* b_k b_(k-1) ... b_2 b_1 b_0
|
||||
* - b_k ... b_3 b_2 b_1 b_0
|
||||
* -------------------------------------
|
||||
* s_k b_(k-1) ... s_3 s_2 s_1 s_0
|
||||
* -----------------------------------------
|
||||
* s_(k+1) s_k ... s_3 s_2 s_1 s_0
|
||||
*
|
||||
* A left-shift followed by subtraction of the original value yields a new
|
||||
* representation of the same value, using signed bits s_i = b_(i+1) - b_i.
|
||||
* representation of the same value, using signed bits s_i = b_(i-1) - b_i.
|
||||
* This representation from Booth's paper has since appeared in the
|
||||
* literature under a variety of different names including "reversed binary
|
||||
* form", "alternating greedy expansion", "mutual opposite form", and
|
||||
@ -188,7 +188,7 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
|
||||
* (1961), pp. 67-91), in a radix-2^5 setting. That is, we always combine five
|
||||
* signed bits into a signed digit:
|
||||
*
|
||||
* s_(4j + 4) s_(4j + 3) s_(4j + 2) s_(4j + 1) s_(4j)
|
||||
* s_(5j + 4) s_(5j + 3) s_(5j + 2) s_(5j + 1) s_(5j)
|
||||
*
|
||||
* The sign-alternating property implies that the resulting digit values are
|
||||
* integers from -16 to 16.
|
||||
@ -196,14 +196,14 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
|
||||
* Of course, we don't actually need to compute the signed digits s_i as an
|
||||
* intermediate step (that's just a nice way to see how this scheme relates
|
||||
* to the wNAF): a direct computation obtains the recoded digit from the
|
||||
* six bits b_(4j + 4) ... b_(4j - 1).
|
||||
* six bits b_(5j + 4) ... b_(5j - 1).
|
||||
*
|
||||
* This function takes those five bits as an integer (0 .. 63), writing the
|
||||
* This function takes those six bits as an integer (0 .. 63), writing the
|
||||
* recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute
|
||||
* value, in the range 0 .. 8). Note that this integer essentially provides the
|
||||
* input bits "shifted to the left" by one position: for example, the input to
|
||||
* compute the least significant recoded digit, given that there's no bit b_-1,
|
||||
* has to be b_4 b_3 b_2 b_1 b_0 0.
|
||||
* value, in the range 0 .. 16). Note that this integer essentially provides
|
||||
* the input bits "shifted to the left" by one position: for example, the input
|
||||
* to compute the least significant recoded digit, given that there's no bit
|
||||
* b_-1, has to be b_4 b_3 b_2 b_1 b_0 0.
|
||||
*
|
||||
*/
|
||||
void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign,
|
||||
|
@ -532,7 +532,7 @@ static int ecd_item_sign25519(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
|
||||
X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
|
||||
if (alg2)
|
||||
X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
|
||||
/* Algorithm idetifiers set: carry on as normal */
|
||||
/* Algorithm identifiers set: carry on as normal */
|
||||
return 3;
|
||||
}
|
||||
|
||||
|
@ -26,7 +26,7 @@
|
||||
|
||||
/* #define ENGINE_DEVCRYPTO_DEBUG */
|
||||
|
||||
#ifdef CRYPTO_ALGORITHM_MIN
|
||||
#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX
|
||||
# define CHECK_BSD_STYLE_MACROS
|
||||
#endif
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -34,7 +34,9 @@
|
||||
/* #define TEST_ENG_OPENSSL_HMAC */
|
||||
/* #define TEST_ENG_OPENSSL_HMAC_INIT */
|
||||
/* #define TEST_ENG_OPENSSL_RC4_OTHERS */
|
||||
#ifndef OPENSSL_NO_STDIO
|
||||
# define TEST_ENG_OPENSSL_RC4_P_INIT
|
||||
#endif
|
||||
/* #define TEST_ENG_OPENSSL_RC4_P_CIPHER */
|
||||
#define TEST_ENG_OPENSSL_SHA
|
||||
/* #define TEST_ENG_OPENSSL_SHA_OTHERS */
|
||||
|
@ -184,8 +184,8 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
/* A measurement on Linux 2018-11-21 showed about 3.5kib */
|
||||
# define SPACE_SYS_STR_REASONS 4 * 1024
|
||||
/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
|
||||
# define SPACE_SYS_STR_REASONS 8 * 1024
|
||||
# define NUM_SYS_STR_REASONS 127
|
||||
|
||||
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
|
||||
@ -219,21 +219,23 @@ static void build_SYS_str_reasons(void)
|
||||
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
|
||||
|
||||
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
|
||||
if (str->string == NULL) {
|
||||
/*
|
||||
* If we have used up all the space in strerror_pool,
|
||||
* there's no point in calling openssl_strerror_r()
|
||||
*/
|
||||
if (str->string == NULL && cnt < sizeof(strerror_pool)) {
|
||||
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
|
||||
size_t l = strlen(cur);
|
||||
|
||||
str->string = cur;
|
||||
cnt += l;
|
||||
if (cnt > sizeof(strerror_pool))
|
||||
cnt = sizeof(strerror_pool);
|
||||
cur += l;
|
||||
|
||||
/*
|
||||
* VMS has an unusual quirk of adding spaces at the end of
|
||||
* some (most? all?) messages. Lets trim them off.
|
||||
*/
|
||||
while (ossl_isspace(cur[-1])) {
|
||||
while (cur > strerror_pool && ossl_isspace(cur[-1])) {
|
||||
cur--;
|
||||
cnt--;
|
||||
}
|
||||
|
@ -314,6 +314,7 @@ CMS_F_CMS_SIGNERINFO_VERIFY:152:CMS_SignerInfo_verify
|
||||
CMS_F_CMS_SIGNERINFO_VERIFY_CERT:153:cms_signerinfo_verify_cert
|
||||
CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT:154:CMS_SignerInfo_verify_content
|
||||
CMS_F_CMS_SIGN_RECEIPT:163:CMS_sign_receipt
|
||||
CMS_F_CMS_SI_CHECK_ATTRIBUTES:183:CMS_si_check_attributes
|
||||
CMS_F_CMS_STREAM:155:CMS_stream
|
||||
CMS_F_CMS_UNCOMPRESS:156:CMS_uncompress
|
||||
CMS_F_CMS_VERIFY:157:CMS_verify
|
||||
@ -713,11 +714,14 @@ ENGINE_F_INT_ENGINE_CONFIGURE:188:int_engine_configure
|
||||
ENGINE_F_INT_ENGINE_MODULE_INIT:187:int_engine_module_init
|
||||
ENGINE_F_OSSL_HMAC_INIT:200:ossl_hmac_init
|
||||
EVP_F_AESNI_INIT_KEY:165:aesni_init_key
|
||||
EVP_F_AESNI_XTS_INIT_KEY:207:aesni_xts_init_key
|
||||
EVP_F_AES_GCM_CTRL:196:aes_gcm_ctrl
|
||||
EVP_F_AES_INIT_KEY:133:aes_init_key
|
||||
EVP_F_AES_OCB_CIPHER:169:aes_ocb_cipher
|
||||
EVP_F_AES_T4_INIT_KEY:178:aes_t4_init_key
|
||||
EVP_F_AES_T4_XTS_INIT_KEY:208:aes_t4_xts_init_key
|
||||
EVP_F_AES_WRAP_CIPHER:170:aes_wrap_cipher
|
||||
EVP_F_AES_XTS_INIT_KEY:209:aes_xts_init_key
|
||||
EVP_F_ALG_MODULE_INIT:177:alg_module_init
|
||||
EVP_F_ARIA_CCM_INIT_KEY:175:aria_ccm_init_key
|
||||
EVP_F_ARIA_GCM_CTRL:197:aria_gcm_ctrl
|
||||
@ -808,6 +812,7 @@ EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
|
||||
EVP_F_PKEY_SET_TYPE:158:pkey_set_type
|
||||
EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
|
||||
EVP_F_RC5_CTRL:125:rc5_ctrl
|
||||
EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key
|
||||
EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
|
||||
EVP_F_UPDATE:173:update
|
||||
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
|
||||
@ -1020,6 +1025,7 @@ RAND_F_RAND_POOL_ADD_BEGIN:113:rand_pool_add_begin
|
||||
RAND_F_RAND_POOL_ADD_END:114:rand_pool_add_end
|
||||
RAND_F_RAND_POOL_ATTACH:124:rand_pool_attach
|
||||
RAND_F_RAND_POOL_BYTES_NEEDED:115:rand_pool_bytes_needed
|
||||
RAND_F_RAND_POOL_GROW:125:rand_pool_grow
|
||||
RAND_F_RAND_POOL_NEW:116:rand_pool_new
|
||||
RAND_F_RAND_WRITE_FILE:112:RAND_write_file
|
||||
RSA_F_CHECK_PADDING_MD:140:check_padding_md
|
||||
@ -1930,6 +1936,7 @@ BN_R_P_IS_NOT_PRIME:112:p is not prime
|
||||
BN_R_TOO_MANY_ITERATIONS:113:too many iterations
|
||||
BN_R_TOO_MANY_TEMPORARY_VARIABLES:109:too many temporary variables
|
||||
CMS_R_ADD_SIGNER_ERROR:99:add signer error
|
||||
CMS_R_ATTRIBUTE_ERROR:161:attribute error
|
||||
CMS_R_CERTIFICATE_ALREADY_PRESENT:175:certificate already present
|
||||
CMS_R_CERTIFICATE_HAS_NO_KEYID:160:certificate has no keyid
|
||||
CMS_R_CERTIFICATE_VERIFY_ERROR:100:certificate verify error
|
||||
@ -2094,6 +2101,7 @@ DSA_R_DECODE_ERROR:104:decode error
|
||||
DSA_R_INVALID_DIGEST_TYPE:106:invalid digest type
|
||||
DSA_R_INVALID_PARAMETERS:112:invalid parameters
|
||||
DSA_R_MISSING_PARAMETERS:101:missing parameters
|
||||
DSA_R_MISSING_PRIVATE_KEY:111:missing private key
|
||||
DSA_R_MODULUS_TOO_LARGE:103:modulus too large
|
||||
DSA_R_NO_PARAMETERS_SET:107:no parameters set
|
||||
DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
|
||||
@ -2218,6 +2226,7 @@ ENGINE_R_VERSION_INCOMPATIBILITY:145:version incompatibility
|
||||
EVP_R_AES_KEY_SETUP_FAILED:143:aes key setup failed
|
||||
EVP_R_ARIA_KEY_SETUP_FAILED:176:aria key setup failed
|
||||
EVP_R_BAD_DECRYPT:100:bad decrypt
|
||||
EVP_R_BAD_KEY_LENGTH:195:bad key length
|
||||
EVP_R_BUFFER_TOO_SMALL:155:buffer too small
|
||||
EVP_R_CAMELLIA_KEY_SETUP_FAILED:157:camellia key setup failed
|
||||
EVP_R_CIPHER_PARAMETER_ERROR:122:cipher parameter error
|
||||
@ -2287,6 +2296,7 @@ EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:118:unsupported private key algorithm
|
||||
EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type
|
||||
EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
|
||||
EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
|
||||
EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys
|
||||
KDF_R_INVALID_DIGEST:100:invalid digest
|
||||
KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count
|
||||
KDF_R_MISSING_KEY:104:missing key
|
||||
@ -2527,6 +2537,7 @@ RSA_R_KEY_PRIME_NUM_INVALID:165:key prime num invalid
|
||||
RSA_R_KEY_SIZE_TOO_SMALL:120:key size too small
|
||||
RSA_R_LAST_OCTET_INVALID:134:last octet invalid
|
||||
RSA_R_MGF1_DIGEST_NOT_ALLOWED:152:mgf1 digest not allowed
|
||||
RSA_R_MISSING_PRIVATE_KEY:179:missing private key
|
||||
RSA_R_MODULUS_TOO_LARGE:105:modulus too large
|
||||
RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R:168:mp coefficient not inverse of r
|
||||
RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D:169:mp exponent not congruent to d
|
||||
@ -3003,6 +3014,7 @@ X509_R_CERT_ALREADY_IN_HASH_TABLE:101:cert already in hash table
|
||||
X509_R_CRL_ALREADY_DELTA:127:crl already delta
|
||||
X509_R_CRL_VERIFY_FAILURE:131:crl verify failure
|
||||
X509_R_IDP_MISMATCH:128:idp mismatch
|
||||
X509_R_INVALID_ATTRIBUTES:138:invalid attributes
|
||||
X509_R_INVALID_DIRECTORY:113:invalid directory
|
||||
X509_R_INVALID_FIELD_NAME:119:invalid field name
|
||||
X509_R_INVALID_TRUST:123:invalid trust
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -38,9 +38,9 @@
|
||||
of memory.
|
||||
|
||||
BIO_f_reliable splits data stream into blocks. Each block is prefixed
|
||||
with it's length and suffixed with it's digest. So you need only
|
||||
with its length and suffixed with its digest. So you need only
|
||||
several Kbytes of memory to buffer single block before verifying
|
||||
it's digest.
|
||||
its digest.
|
||||
|
||||
BIO_f_reliable goes further and adds several important capabilities:
|
||||
|
||||
|
@ -176,7 +176,7 @@ static void ctr64_inc(unsigned char *counter)
|
||||
# define HWAES_xts_decrypt aes_p8_xts_decrypt
|
||||
#endif
|
||||
|
||||
#if defined(AES_ASM) && !defined(I386_ONLY) && ( \
|
||||
#if !defined(OPENSSL_NO_ASM) && ( \
|
||||
((defined(__i386) || defined(__i386__) || \
|
||||
defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
|
||||
defined(__x86_64) || defined(__x86_64__) || \
|
||||
@ -383,10 +383,25 @@ static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
const unsigned char *iv, int enc)
|
||||
{
|
||||
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
|
||||
|
||||
if (!iv && !key)
|
||||
return 1;
|
||||
|
||||
if (key) {
|
||||
/* The key is two half length keys in reality */
|
||||
const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
|
||||
|
||||
/*
|
||||
* Verify that the two keys are different.
|
||||
*
|
||||
* This addresses Rogaway's vulnerability.
|
||||
* See comment in aes_xts_init_key() below.
|
||||
*/
|
||||
if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
|
||||
EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* key_len is two AES keys */
|
||||
if (enc) {
|
||||
aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
|
||||
@ -787,11 +802,26 @@ static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
const unsigned char *iv, int enc)
|
||||
{
|
||||
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
|
||||
|
||||
if (!iv && !key)
|
||||
return 1;
|
||||
|
||||
if (key) {
|
||||
int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
|
||||
/* The key is two half length keys in reality */
|
||||
const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
|
||||
const int bits = bytes * 8;
|
||||
|
||||
/*
|
||||
* Verify that the two keys are different.
|
||||
*
|
||||
* This addresses Rogaway's vulnerability.
|
||||
* See comment in aes_xts_init_key() below.
|
||||
*/
|
||||
if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
|
||||
EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
|
||||
return 0;
|
||||
}
|
||||
|
||||
xctx->stream = NULL;
|
||||
/* key_len is two AES keys */
|
||||
if (enc) {
|
||||
@ -1578,7 +1608,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
|
||||
switch (type) {
|
||||
case EVP_CTRL_INIT:
|
||||
ivlen = EVP_CIPHER_CTX_iv_length(c);
|
||||
ivlen = EVP_CIPHER_iv_length(c->cipher);
|
||||
iv = EVP_CIPHER_CTX_iv_noconst(c);
|
||||
gctx->key_set = 0;
|
||||
gctx->iv_set = 0;
|
||||
@ -1589,6 +1619,10 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
gctx->tls_aad_len = -1;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_GET_IVLEN:
|
||||
*(int *)ptr = gctx->ivlen;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_AEAD_SET_IVLEN:
|
||||
if (arg <= 0)
|
||||
return 0;
|
||||
@ -2299,6 +2333,10 @@ static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
cctx->aes.ccm.tls_aad_len = -1;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_GET_IVLEN:
|
||||
*(int *)ptr = 15 - cctx->aes.ccm.l;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_AEAD_TLS1_AAD:
|
||||
if (arg != EVP_AEAD_TLS1_AAD_LEN)
|
||||
return 0;
|
||||
@ -2817,13 +2855,17 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
case EVP_CTRL_INIT:
|
||||
gctx->key_set = 0;
|
||||
gctx->iv_set = 0;
|
||||
gctx->ivlen = c->cipher->iv_len;
|
||||
gctx->ivlen = EVP_CIPHER_iv_length(c->cipher);
|
||||
gctx->iv = c->iv;
|
||||
gctx->taglen = -1;
|
||||
gctx->iv_gen = 0;
|
||||
gctx->tls_aad_len = -1;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_GET_IVLEN:
|
||||
*(int *)ptr = gctx->ivlen;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_AEAD_SET_IVLEN:
|
||||
if (arg <= 0)
|
||||
return 0;
|
||||
@ -3273,7 +3315,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
|
||||
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
|
||||
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
|
||||
| EVP_CIPH_CUSTOM_COPY)
|
||||
| EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
|
||||
|
||||
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
|
||||
EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
|
||||
@ -3285,9 +3327,11 @@ BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
|
||||
static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
{
|
||||
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX, c);
|
||||
|
||||
if (type == EVP_CTRL_COPY) {
|
||||
EVP_CIPHER_CTX *out = ptr;
|
||||
EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
|
||||
|
||||
if (xctx->xts.key1) {
|
||||
if (xctx->xts.key1 != &xctx->ks1)
|
||||
return 0;
|
||||
@ -3311,11 +3355,36 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
const unsigned char *iv, int enc)
|
||||
{
|
||||
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
|
||||
|
||||
if (!iv && !key)
|
||||
return 1;
|
||||
|
||||
if (key)
|
||||
do {
|
||||
/* The key is two half length keys in reality */
|
||||
const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
|
||||
|
||||
/*
|
||||
* Verify that the two keys are different.
|
||||
*
|
||||
* This addresses the vulnerability described in Rogaway's
|
||||
* September 2004 paper:
|
||||
*
|
||||
* "Efficient Instantiations of Tweakable Blockciphers and
|
||||
* Refinements to Modes OCB and PMAC".
|
||||
* (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
|
||||
*
|
||||
* FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
|
||||
* that:
|
||||
* "The check for Key_1 != Key_2 shall be done at any place
|
||||
* BEFORE using the keys in the XTS-AES algorithm to process
|
||||
* data with them."
|
||||
*/
|
||||
if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
|
||||
EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef AES_XTS_ASM
|
||||
xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
|
||||
#else
|
||||
@ -3448,7 +3517,9 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
cctx->len_set = 0;
|
||||
cctx->tls_aad_len = -1;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_GET_IVLEN:
|
||||
*(int *)ptr = 15 - cctx->L;
|
||||
return 1;
|
||||
case EVP_CTRL_AEAD_TLS1_AAD:
|
||||
/* Save the AAD for later use */
|
||||
if (arg != EVP_AEAD_TLS1_AAD_LEN)
|
||||
@ -3897,13 +3968,17 @@ static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
case EVP_CTRL_INIT:
|
||||
octx->key_set = 0;
|
||||
octx->iv_set = 0;
|
||||
octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
|
||||
octx->ivlen = EVP_CIPHER_iv_length(c->cipher);
|
||||
octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
|
||||
octx->taglen = 16;
|
||||
octx->data_buf_len = 0;
|
||||
octx->aad_buf_len = 0;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_GET_IVLEN:
|
||||
*(int *)ptr = octx->ivlen;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_AEAD_SET_IVLEN:
|
||||
/* IV len must be 1 to 15 */
|
||||
if (arg <= 0 || arg > 15)
|
||||
|
@ -252,7 +252,7 @@ static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
case EVP_CTRL_INIT:
|
||||
gctx->key_set = 0;
|
||||
gctx->iv_set = 0;
|
||||
gctx->ivlen = EVP_CIPHER_CTX_iv_length(c);
|
||||
gctx->ivlen = EVP_CIPHER_iv_length(c->cipher);
|
||||
gctx->iv = EVP_CIPHER_CTX_iv_noconst(c);
|
||||
gctx->taglen = -1;
|
||||
gctx->iv_gen = 0;
|
||||
@ -274,6 +274,10 @@ static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
gctx->ivlen = arg;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_GET_IVLEN:
|
||||
*(int *)ptr = gctx->ivlen;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_AEAD_SET_TAG:
|
||||
if (arg <= 0 || arg > 16 || EVP_CIPHER_CTX_encrypting(c))
|
||||
return 0;
|
||||
@ -573,6 +577,10 @@ static int aria_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg);
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_GET_IVLEN:
|
||||
*(int *)ptr = 15 - cctx->L;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_AEAD_SET_IVLEN:
|
||||
arg = 15 - arg;
|
||||
/* fall thru */
|
||||
@ -742,7 +750,8 @@ static int aria_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
#define ARIA_AUTH_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
|
||||
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
|
||||
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
|
||||
| EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER)
|
||||
| EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER \
|
||||
| EVP_CIPH_CUSTOM_IV_LENGTH)
|
||||
|
||||
#define BLOCK_CIPHER_aead(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
|
||||
static const EVP_CIPHER aria_##keylen##_##mode = { \
|
||||
|
@ -534,6 +534,10 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
|
||||
}
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_GET_IVLEN:
|
||||
*(int *)ptr = actx->nonce_len;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_AEAD_SET_IVLEN:
|
||||
if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
|
||||
return 0;
|
||||
@ -613,7 +617,8 @@ static EVP_CIPHER chacha20_poly1305 = {
|
||||
12, /* iv_len, 96-bit nonce in the context */
|
||||
EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |
|
||||
EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
|
||||
EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
|
||||
EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER |
|
||||
EVP_CIPH_CUSTOM_IV_LENGTH,
|
||||
chacha20_poly1305_init_key,
|
||||
chacha20_poly1305_cipher,
|
||||
chacha20_poly1305_cleanup,
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -66,6 +66,10 @@ static int rc5_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
|
||||
static int r_32_12_16_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
const unsigned char *iv, int enc)
|
||||
{
|
||||
if (EVP_CIPHER_CTX_key_length(ctx) > 255) {
|
||||
EVPerr(EVP_F_R_32_12_16_INIT_KEY, EVP_R_BAD_KEY_LENGTH);
|
||||
return 0;
|
||||
}
|
||||
RC5_32_set_key(&data(ctx)->ks, EVP_CIPHER_CTX_key_length(ctx),
|
||||
key, data(ctx)->rounds);
|
||||
return 1;
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -15,11 +15,15 @@
|
||||
|
||||
static const ERR_STRING_DATA EVP_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_XTS_INIT_KEY, 0), "aesni_xts_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0),
|
||||
"aes_t4_xts_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"},
|
||||
@ -149,6 +153,8 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0),
|
||||
"r_32_12_16_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
|
||||
{0, NULL}
|
||||
@ -160,6 +166,7 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ARIA_KEY_SETUP_FAILED),
|
||||
"aria key setup failed"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BAD_DECRYPT), "bad decrypt"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BAD_KEY_LENGTH), "bad key length"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BUFFER_TOO_SMALL), "buffer too small"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_CAMELLIA_KEY_SETUP_FAILED),
|
||||
"camellia key setup failed"},
|
||||
@ -266,6 +273,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
|
||||
"wrap mode not allowed"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),
|
||||
"wrong final block length"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS),
|
||||
"xts duplicated keys"},
|
||||
{0, NULL}
|
||||
};
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -242,6 +242,13 @@ int EVP_CIPHER_iv_length(const EVP_CIPHER *cipher)
|
||||
|
||||
int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx)
|
||||
{
|
||||
int i, rv;
|
||||
|
||||
if ((EVP_CIPHER_flags(ctx->cipher) & EVP_CIPH_CUSTOM_IV_LENGTH) != 0) {
|
||||
rv = EVP_CIPHER_CTX_ctrl((EVP_CIPHER_CTX *)ctx, EVP_CTRL_GET_IVLEN,
|
||||
0, &i);
|
||||
return (rv == 1) ? i : -1;
|
||||
}
|
||||
return ctx->cipher->iv_len;
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -108,6 +108,9 @@ static int sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
|
||||
size_t bsz = ctx->block_size;
|
||||
size_t num = ctx->num;
|
||||
|
||||
if (ctx->md_size == 0)
|
||||
return 1;
|
||||
|
||||
/*
|
||||
* Pad the data with 10*1. Note that |num| can be |bsz - 1|
|
||||
* in which case both byte operations below are performed on
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -57,6 +57,8 @@ int ossl_ctype_check(int c, unsigned int mask);
|
||||
int ossl_tolower(int c);
|
||||
int ossl_toupper(int c);
|
||||
|
||||
int ascii_isdigit(const char inchar);
|
||||
|
||||
# define ossl_isalnum(c) (ossl_ctype_check((c), CTYPE_MASK_alnum))
|
||||
# define ossl_isalpha(c) (ossl_ctype_check((c), CTYPE_MASK_alpha))
|
||||
# ifdef CHARSET_EBCDIC
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -26,7 +26,6 @@ typedef struct rand_pool_st RAND_POOL;
|
||||
void rand_cleanup_int(void);
|
||||
void rand_drbg_cleanup_int(void);
|
||||
void drbg_delete_thread_state(void);
|
||||
void rand_fork(void);
|
||||
|
||||
/* Hardware-based seeding functions. */
|
||||
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
|
||||
@ -52,7 +51,8 @@ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
|
||||
/*
|
||||
* RAND_POOL functions
|
||||
*/
|
||||
RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len);
|
||||
RAND_POOL *rand_pool_new(int entropy_requested, int secure,
|
||||
size_t min_len, size_t max_len);
|
||||
RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,
|
||||
size_t entropy);
|
||||
void rand_pool_free(RAND_POOL *pool);
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -11,6 +11,10 @@
|
||||
#ifndef HEADER_SM2ERR_H
|
||||
# define HEADER_SM2ERR_H
|
||||
|
||||
# ifndef HEADER_SYMHACKS_H
|
||||
# include <openssl/symhacks.h>
|
||||
# endif
|
||||
|
||||
# include <openssl/opensslconf.h>
|
||||
|
||||
# ifndef OPENSSL_NO_SM2
|
||||
|
@ -40,7 +40,7 @@ static int stopped = 0;
|
||||
* destructor for threads terminating before libcrypto is initialized or
|
||||
* after it's de-initialized. Access to the key doesn't have to be
|
||||
* serialized for the said threads, because they didn't use libcrypto
|
||||
* and it doesn't matter if they pick "impossible" or derefernce real
|
||||
* and it doesn't matter if they pick "impossible" or dereference real
|
||||
* key value and pull NULL past initialization in the first thread that
|
||||
* intends to use libcrypto.
|
||||
*/
|
||||
@ -847,6 +847,5 @@ void OPENSSL_fork_parent(void)
|
||||
|
||||
void OPENSSL_fork_child(void)
|
||||
{
|
||||
rand_fork();
|
||||
}
|
||||
#endif
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -19,14 +19,14 @@
|
||||
|
||||
/*
|
||||
* A hashing implementation that appears to be based on the linear hashing
|
||||
* alogrithm:
|
||||
* algorithm:
|
||||
* https://en.wikipedia.org/wiki/Linear_hashing
|
||||
*
|
||||
* Litwin, Witold (1980), "Linear hashing: A new tool for file and table
|
||||
* addressing", Proc. 6th Conference on Very Large Databases: 212-223
|
||||
* http://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf
|
||||
* https://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf
|
||||
*
|
||||
* From the wikipedia article "Linear hashing is used in the BDB Berkeley
|
||||
* From the Wikipedia article "Linear hashing is used in the BDB Berkeley
|
||||
* database system, which in turn is used by many software systems such as
|
||||
* OpenLDAP, using a C implementation derived from the CACM article and first
|
||||
* published on the Usenet in 1988 by Esmond Pitt."
|
||||
|
@ -231,7 +231,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
|
||||
* buf is left unused.
|
||||
*/
|
||||
err = strerror_r(errnum, buf, buflen);
|
||||
if (err == NULL)
|
||||
if (err == NULL || buflen == 0)
|
||||
return 0;
|
||||
/*
|
||||
* If err is statically allocated, err != buf and we need to copy the data.
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -274,6 +274,9 @@ static EVP_PKEY *b2i_dss(const unsigned char **in,
|
||||
if (!read_lebn(&p, 20, &priv_key))
|
||||
goto memerr;
|
||||
|
||||
/* Set constant time flag before public key calculation */
|
||||
BN_set_flags(priv_key, BN_FLG_CONSTTIME);
|
||||
|
||||
/* Calculate public key */
|
||||
pub_key = BN_new();
|
||||
if (pub_key == NULL)
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -137,7 +137,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
|
||||
}
|
||||
|
||||
static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
|
||||
PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
|
||||
PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
|
||||
size_t fixlen)
|
||||
{
|
||||
EVP_PKEY_CTX *pctx = NULL;
|
||||
unsigned char *ek = NULL;
|
||||
@ -170,7 +171,9 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
|
||||
}
|
||||
|
||||
if (EVP_PKEY_decrypt(pctx, ek, &eklen,
|
||||
ri->enc_key->data, ri->enc_key->length) <= 0) {
|
||||
ri->enc_key->data, ri->enc_key->length) <= 0
|
||||
|| eklen == 0
|
||||
|| (fixlen != 0 && eklen != fixlen)) {
|
||||
ret = 0;
|
||||
PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
|
||||
goto err;
|
||||
@ -499,13 +502,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
|
||||
for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
|
||||
ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
|
||||
|
||||
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
|
||||
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
|
||||
EVP_CIPHER_key_length(evp_cipher)) < 0)
|
||||
goto err;
|
||||
ERR_clear_error();
|
||||
}
|
||||
} else {
|
||||
/* Only exit on fatal errors, not decrypt failure */
|
||||
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
|
||||
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
|
||||
goto err;
|
||||
ERR_clear_error();
|
||||
}
|
||||
|
@ -197,7 +197,7 @@ static RAND_DRBG *rand_drbg_new(int secure,
|
||||
}
|
||||
|
||||
drbg->secure = secure && CRYPTO_secure_allocated(drbg);
|
||||
drbg->fork_count = rand_fork_count;
|
||||
drbg->fork_id = openssl_get_fork_id();
|
||||
drbg->parent = parent;
|
||||
|
||||
if (parent == NULL) {
|
||||
@ -318,7 +318,7 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
|
||||
/*
|
||||
* NIST SP800-90Ar1 section 9.1 says you can combine getting the entropy
|
||||
* and nonce in 1 call by increasing the entropy with 50% and increasing
|
||||
* the minimum length to accomadate the length of the nonce.
|
||||
* the minimum length to accommodate the length of the nonce.
|
||||
* We do this in case a nonce is require and get_nonce is NULL.
|
||||
*/
|
||||
if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) {
|
||||
@ -578,6 +578,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
|
||||
int prediction_resistance,
|
||||
const unsigned char *adin, size_t adinlen)
|
||||
{
|
||||
int fork_id;
|
||||
int reseed_required = 0;
|
||||
|
||||
if (drbg->state != DRBG_READY) {
|
||||
@ -603,8 +604,10 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (drbg->fork_count != rand_fork_count) {
|
||||
drbg->fork_count = rand_fork_count;
|
||||
fork_id = openssl_get_fork_id();
|
||||
|
||||
if (drbg->fork_id != fork_id) {
|
||||
drbg->fork_id = fork_id;
|
||||
reseed_required = 1;
|
||||
}
|
||||
|
||||
@ -664,7 +667,7 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
|
||||
if (drbg->adin_pool == NULL) {
|
||||
if (drbg->type == 0)
|
||||
goto err;
|
||||
drbg->adin_pool = rand_pool_new(0, 0, drbg->max_adinlen);
|
||||
drbg->adin_pool = rand_pool_new(0, 0, 0, drbg->max_adinlen);
|
||||
if (drbg->adin_pool == NULL)
|
||||
goto err;
|
||||
}
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -47,6 +47,7 @@ static const ERR_STRING_DATA RAND_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_ATTACH, 0), "rand_pool_attach"},
|
||||
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_BYTES_NEEDED, 0),
|
||||
"rand_pool_bytes_needed"},
|
||||
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_GROW, 0), "rand_pool_grow"},
|
||||
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_NEW, 0), "rand_pool_new"},
|
||||
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_WRITE_FILE, 0), "RAND_write_file"},
|
||||
{0, NULL}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -45,7 +45,6 @@
|
||||
# define DRBG_MAX_LENGTH INT32_MAX
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* Maximum allocation size for RANDOM_POOL buffers
|
||||
*
|
||||
@ -72,6 +71,24 @@
|
||||
* 1.5 * (RAND_DRBG_STRENGTH / 8))
|
||||
*/
|
||||
|
||||
/*
|
||||
* Initial allocation minimum.
|
||||
*
|
||||
* There is a distinction between the secure and normal allocation minimums.
|
||||
* Ideally, the secure allocation size should be a power of two. The normal
|
||||
* allocation size doesn't have any such restriction.
|
||||
*
|
||||
* The secure value is based on 128 bits of secure material, which is 16 bytes.
|
||||
* Typically, the DRBGs will set a minimum larger than this so optimal
|
||||
* allocation ought to take place (for full quality seed material).
|
||||
*
|
||||
* The normal value has been chosed by noticing that the rand_drbg_get_nonce
|
||||
* function is usually the largest of the built in allocation (twenty four
|
||||
* bytes and then appending another sixteen bytes). This means the buffer ends
|
||||
* with 40 bytes. The value of forty eight is comfortably above this which
|
||||
* allows some slack in the platform specific values used.
|
||||
*/
|
||||
# define RAND_POOL_MIN_ALLOCATION(secure) ((secure) ? 16 : 48)
|
||||
|
||||
/* DRBG status values */
|
||||
typedef enum drbg_status_e {
|
||||
@ -150,9 +167,11 @@ struct rand_pool_st {
|
||||
size_t len; /* current number of random bytes contained in the pool */
|
||||
|
||||
int attached; /* true pool was attached to existing buffer */
|
||||
int secure; /* 1: allocated on the secure heap, 0: otherwise */
|
||||
|
||||
size_t min_len; /* minimum number of random bytes requested */
|
||||
size_t max_len; /* maximum number of random bytes (allocated buffer size) */
|
||||
size_t alloc_len; /* current number of bytes allocated */
|
||||
size_t entropy; /* current entropy count in bits */
|
||||
size_t entropy_requested; /* requested entropy count in bits */
|
||||
};
|
||||
@ -167,12 +186,12 @@ struct rand_drbg_st {
|
||||
int secure; /* 1: allocated on the secure heap, 0: otherwise */
|
||||
int type; /* the nid of the underlying algorithm */
|
||||
/*
|
||||
* Stores the value of the rand_fork_count global as of when we last
|
||||
* reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
|
||||
* rand_fork_count. Used to provide fork-safety and reseed this DRBG in
|
||||
* the child process.
|
||||
* Stores the return value of openssl_get_fork_id() as of when we last
|
||||
* reseeded. The DRBG reseeds automatically whenever drbg->fork_id !=
|
||||
* openssl_get_fork_id(). Used to provide fork-safety and reseed this
|
||||
* DRBG in the child process.
|
||||
*/
|
||||
int fork_count;
|
||||
int fork_id;
|
||||
unsigned short flags; /* various external flags */
|
||||
|
||||
/*
|
||||
@ -264,19 +283,6 @@ struct rand_drbg_st {
|
||||
/* The global RAND method, and the global buffer and DRBG instance. */
|
||||
extern RAND_METHOD rand_meth;
|
||||
|
||||
/*
|
||||
* A "generation count" of forks. Incremented in the child process after a
|
||||
* fork. Since rand_fork_count is increment-only, and only ever written to in
|
||||
* the child process of the fork, which is guaranteed to be single-threaded, no
|
||||
* locking is needed for normal (read) accesses; the rest of pthread fork
|
||||
* processing is assumed to introduce the necessary memory barriers. Sibling
|
||||
* children of a given parent will produce duplicate values, but this is not
|
||||
* problematic because the reseeding process pulls input from the system CSPRNG
|
||||
* and/or other global sources, so the siblings will end up generating
|
||||
* different output streams.
|
||||
*/
|
||||
extern int rand_fork_count;
|
||||
|
||||
/* DRBG helpers */
|
||||
int rand_drbg_restart(RAND_DRBG *drbg,
|
||||
const unsigned char *buffer, size_t len, size_t entropy);
|
||||
|
@ -26,8 +26,6 @@ static CRYPTO_RWLOCK *rand_meth_lock;
|
||||
static const RAND_METHOD *default_RAND_meth;
|
||||
static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;
|
||||
|
||||
int rand_fork_count;
|
||||
|
||||
static CRYPTO_RWLOCK *rand_nonce_lock;
|
||||
static int rand_nonce_count;
|
||||
|
||||
@ -150,7 +148,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
|
||||
pool = drbg->seed_pool;
|
||||
pool->entropy_requested = entropy;
|
||||
} else {
|
||||
pool = rand_pool_new(entropy, min_len, max_len);
|
||||
pool = rand_pool_new(entropy, drbg->secure, min_len, max_len);
|
||||
if (pool == NULL)
|
||||
return 0;
|
||||
}
|
||||
@ -163,7 +161,9 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
|
||||
size_t bytes = 0;
|
||||
|
||||
/*
|
||||
* Get random from parent, include our state as additional input.
|
||||
* Get random data from parent. Include our address as additional input,
|
||||
* in order to provide some additional distinction between different
|
||||
* DRBG child instances.
|
||||
* Our lock is already held, but we need to lock our parent before
|
||||
* generating bits from it. (Note: taking the lock will be a no-op
|
||||
* if locking if drbg->parent->lock == NULL.)
|
||||
@ -172,7 +172,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
|
||||
if (RAND_DRBG_generate(drbg->parent,
|
||||
buffer, bytes_needed,
|
||||
prediction_resistance,
|
||||
NULL, 0) != 0)
|
||||
(unsigned char *)&drbg, sizeof(drbg)) != 0)
|
||||
bytes = bytes_needed;
|
||||
drbg->reseed_next_counter
|
||||
= tsan_load(&drbg->parent->reseed_prop_counter);
|
||||
@ -216,8 +216,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
|
||||
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
|
||||
unsigned char *out, size_t outlen)
|
||||
{
|
||||
if (drbg->seed_pool == NULL)
|
||||
if (drbg->seed_pool == NULL) {
|
||||
if (drbg->secure)
|
||||
OPENSSL_secure_clear_free(out, outlen);
|
||||
else
|
||||
OPENSSL_clear_free(out, outlen);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -235,9 +239,10 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg,
|
||||
struct {
|
||||
void * instance;
|
||||
int count;
|
||||
} data = { NULL, 0 };
|
||||
} data;
|
||||
|
||||
pool = rand_pool_new(0, min_len, max_len);
|
||||
memset(&data, 0, sizeof(data));
|
||||
pool = rand_pool_new(0, 0, min_len, max_len);
|
||||
if (pool == NULL)
|
||||
return 0;
|
||||
|
||||
@ -266,7 +271,7 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg,
|
||||
void rand_drbg_cleanup_nonce(RAND_DRBG *drbg,
|
||||
unsigned char *out, size_t outlen)
|
||||
{
|
||||
OPENSSL_secure_clear_free(out, outlen);
|
||||
OPENSSL_clear_free(out, outlen);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -298,11 +303,6 @@ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out)
|
||||
rand_pool_reattach(pool, out);
|
||||
}
|
||||
|
||||
void rand_fork(void)
|
||||
{
|
||||
rand_fork_count++;
|
||||
}
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC(do_rand_init)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
@ -362,7 +362,7 @@ void rand_cleanup_int(void)
|
||||
}
|
||||
|
||||
/*
|
||||
* RAND_close_seed_files() ensures that any seed file decriptors are
|
||||
* RAND_close_seed_files() ensures that any seed file descriptors are
|
||||
* closed after use.
|
||||
*/
|
||||
void RAND_keep_random_devices_open(int keep)
|
||||
@ -401,7 +401,7 @@ int RAND_poll(void)
|
||||
|
||||
} else {
|
||||
/* fill random pool and seed the current legacy RNG */
|
||||
pool = rand_pool_new(RAND_DRBG_STRENGTH,
|
||||
pool = rand_pool_new(RAND_DRBG_STRENGTH, 1,
|
||||
(RAND_DRBG_STRENGTH + 7) / 8,
|
||||
RAND_POOL_MAX_LENGTH);
|
||||
if (pool == NULL)
|
||||
@ -428,9 +428,11 @@ int RAND_poll(void)
|
||||
* Allocate memory and initialize a new random pool
|
||||
*/
|
||||
|
||||
RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len)
|
||||
RAND_POOL *rand_pool_new(int entropy_requested, int secure,
|
||||
size_t min_len, size_t max_len)
|
||||
{
|
||||
RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
|
||||
size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure);
|
||||
|
||||
if (pool == NULL) {
|
||||
RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
|
||||
@ -440,14 +442,22 @@ RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len)
|
||||
pool->min_len = min_len;
|
||||
pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ?
|
||||
RAND_POOL_MAX_LENGTH : max_len;
|
||||
pool->alloc_len = min_len < min_alloc_size ? min_alloc_size : min_len;
|
||||
if (pool->alloc_len > pool->max_len)
|
||||
pool->alloc_len = pool->max_len;
|
||||
|
||||
if (secure)
|
||||
pool->buffer = OPENSSL_secure_zalloc(pool->alloc_len);
|
||||
else
|
||||
pool->buffer = OPENSSL_zalloc(pool->alloc_len);
|
||||
|
||||
pool->buffer = OPENSSL_secure_zalloc(pool->max_len);
|
||||
if (pool->buffer == NULL) {
|
||||
RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
pool->entropy_requested = entropy_requested;
|
||||
pool->secure = secure;
|
||||
|
||||
return pool;
|
||||
|
||||
@ -482,7 +492,7 @@ RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,
|
||||
|
||||
pool->attached = 1;
|
||||
|
||||
pool->min_len = pool->max_len = pool->len;
|
||||
pool->min_len = pool->max_len = pool->alloc_len = pool->len;
|
||||
pool->entropy = entropy;
|
||||
|
||||
return pool;
|
||||
@ -502,8 +512,13 @@ void rand_pool_free(RAND_POOL *pool)
|
||||
* to rand_pool_attach() as `const unsigned char*`.
|
||||
* (see corresponding comment in rand_pool_attach()).
|
||||
*/
|
||||
if (!pool->attached)
|
||||
OPENSSL_secure_clear_free(pool->buffer, pool->max_len);
|
||||
if (!pool->attached) {
|
||||
if (pool->secure)
|
||||
OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len);
|
||||
else
|
||||
OPENSSL_clear_free(pool->buffer, pool->alloc_len);
|
||||
}
|
||||
|
||||
OPENSSL_free(pool);
|
||||
}
|
||||
|
||||
@ -596,6 +611,42 @@ size_t rand_pool_entropy_needed(RAND_POOL *pool)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Increase the allocation size -- not usable for an attached pool */
|
||||
static int rand_pool_grow(RAND_POOL *pool, size_t len)
|
||||
{
|
||||
if (len > pool->alloc_len - pool->len) {
|
||||
unsigned char *p;
|
||||
const size_t limit = pool->max_len / 2;
|
||||
size_t newlen = pool->alloc_len;
|
||||
|
||||
if (pool->attached || len > pool->max_len - pool->len) {
|
||||
RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
do
|
||||
newlen = newlen < limit ? newlen * 2 : pool->max_len;
|
||||
while (len > newlen - pool->len);
|
||||
|
||||
if (pool->secure)
|
||||
p = OPENSSL_secure_zalloc(newlen);
|
||||
else
|
||||
p = OPENSSL_zalloc(newlen);
|
||||
if (p == NULL) {
|
||||
RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
memcpy(p, pool->buffer, pool->len);
|
||||
if (pool->secure)
|
||||
OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len);
|
||||
else
|
||||
OPENSSL_clear_free(pool->buffer, pool->alloc_len);
|
||||
pool->buffer = p;
|
||||
pool->alloc_len = newlen;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Returns the number of bytes needed to fill the pool, assuming
|
||||
* the input has 1 / |entropy_factor| entropy bits per data bit.
|
||||
@ -625,6 +676,24 @@ size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor)
|
||||
/* to meet the min_len requirement */
|
||||
bytes_needed = pool->min_len - pool->len;
|
||||
|
||||
/*
|
||||
* Make sure the buffer is large enough for the requested amount
|
||||
* of data. This guarantees that existing code patterns where
|
||||
* rand_pool_add_begin, rand_pool_add_end or rand_pool_add
|
||||
* are used to collect entropy data without any error handling
|
||||
* whatsoever, continue to be valid.
|
||||
* Furthermore if the allocation here fails once, make sure that
|
||||
* we don't fall back to a less secure or even blocking random source,
|
||||
* as that could happen by the existing code patterns.
|
||||
* This is not a concern for additional data, therefore that
|
||||
* is not needed if rand_pool_grow fails in other places.
|
||||
*/
|
||||
if (!rand_pool_grow(pool, bytes_needed)) {
|
||||
/* persistent error for this pool */
|
||||
pool->max_len = pool->len = 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
return bytes_needed;
|
||||
}
|
||||
|
||||
@ -657,6 +726,27 @@ int rand_pool_add(RAND_POOL *pool,
|
||||
}
|
||||
|
||||
if (len > 0) {
|
||||
/*
|
||||
* This is to protect us from accidentally passing the buffer
|
||||
* returned from rand_pool_add_begin.
|
||||
* The check for alloc_len makes sure we do not compare the
|
||||
* address of the end of the allocated memory to something
|
||||
* different, since that comparison would have an
|
||||
* indeterminate result.
|
||||
*/
|
||||
if (pool->alloc_len > pool->len && pool->buffer + pool->len == buffer) {
|
||||
RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
/*
|
||||
* We have that only for cases when a pool is used to collect
|
||||
* additional data.
|
||||
* For entropy data, as long as the allocation request stays within
|
||||
* the limits given by rand_pool_bytes_needed this rand_pool_grow
|
||||
* below is guaranteed to succeed, thus no allocation happens.
|
||||
*/
|
||||
if (!rand_pool_grow(pool, len))
|
||||
return 0;
|
||||
memcpy(pool->buffer + pool->len, buffer, len);
|
||||
pool->len += len;
|
||||
pool->entropy += entropy;
|
||||
@ -692,6 +782,18 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* As long as the allocation request stays within the limits given
|
||||
* by rand_pool_bytes_needed this rand_pool_grow below is guaranteed
|
||||
* to succeed, thus no allocation happens.
|
||||
* We have that only for cases when a pool is used to collect
|
||||
* additional data. Then the buffer might need to grow here,
|
||||
* and of course the caller is responsible to check the return
|
||||
* value of this function.
|
||||
*/
|
||||
if (!rand_pool_grow(pool, len))
|
||||
return NULL;
|
||||
|
||||
return pool->buffer + pool->len;
|
||||
}
|
||||
|
||||
@ -706,7 +808,7 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len)
|
||||
*/
|
||||
int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy)
|
||||
{
|
||||
if (len > pool->max_len - pool->len) {
|
||||
if (len > pool->alloc_len - pool->len) {
|
||||
RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW);
|
||||
return 0;
|
||||
}
|
||||
|
@ -14,14 +14,19 @@
|
||||
#include <stdio.h>
|
||||
#include "internal/cryptlib.h"
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include "rand_lcl.h"
|
||||
#include "internal/rand_int.h"
|
||||
#include <stdio.h>
|
||||
#include "internal/dso.h"
|
||||
#if defined(__linux)
|
||||
# include <asm/unistd.h>
|
||||
#ifdef __linux
|
||||
# include <sys/syscall.h>
|
||||
# ifdef DEVRANDOM_WAIT
|
||||
# include <sys/shm.h>
|
||||
# include <sys/utsname.h>
|
||||
# endif
|
||||
#if defined(__FreeBSD__)
|
||||
#endif
|
||||
#if defined(__FreeBSD__) && !defined(OPENSSL_SYS_UEFI)
|
||||
# include <sys/types.h>
|
||||
# include <sys/sysctl.h>
|
||||
# include <sys/param.h>
|
||||
@ -275,6 +280,17 @@ static ssize_t sysctl_random(char *buf, size_t buflen)
|
||||
# endif
|
||||
|
||||
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
|
||||
|
||||
# if defined(__linux) && !defined(__NR_getrandom)
|
||||
# if defined(__arm__) && defined(__NR_SYSCALL_BASE)
|
||||
# define __NR_getrandom (__NR_SYSCALL_BASE+384)
|
||||
# elif defined(__i386__)
|
||||
# define __NR_getrandom 355
|
||||
# elif defined(__x86_64__) && !defined(__ILP32__)
|
||||
# define __NR_getrandom 318
|
||||
# endif
|
||||
# endif
|
||||
|
||||
/*
|
||||
* syscall_random(): Try to get random data using a system call
|
||||
* returns the number of bytes returned in buf, or < 0 on error.
|
||||
@ -346,6 +362,91 @@ static struct random_device {
|
||||
} random_devices[OSSL_NELEM(random_device_paths)];
|
||||
static int keep_random_devices_open = 1;
|
||||
|
||||
# if defined(__linux) && defined(DEVRANDOM_WAIT)
|
||||
static void *shm_addr;
|
||||
|
||||
static void cleanup_shm(void)
|
||||
{
|
||||
shmdt(shm_addr);
|
||||
}
|
||||
|
||||
/*
|
||||
* Ensure that the system randomness source has been adequately seeded.
|
||||
* This is done by having the first start of libcrypto, wait until the device
|
||||
* /dev/random becomes able to supply a byte of entropy. Subsequent starts
|
||||
* of the library and later reseedings do not need to do this.
|
||||
*/
|
||||
static int wait_random_seeded(void)
|
||||
{
|
||||
static int seeded = OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID < 0;
|
||||
static const int kernel_version[] = { DEVRANDOM_SAFE_KERNEL };
|
||||
int kernel[2];
|
||||
int shm_id, fd, r;
|
||||
char c, *p;
|
||||
struct utsname un;
|
||||
fd_set fds;
|
||||
|
||||
if (!seeded) {
|
||||
/* See if anything has created the global seeded indication */
|
||||
if ((shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, 0)) == -1) {
|
||||
/*
|
||||
* Check the kernel's version and fail if it is too recent.
|
||||
*
|
||||
* Linux kernels from 4.8 onwards do not guarantee that
|
||||
* /dev/urandom is properly seeded when /dev/random becomes
|
||||
* readable. However, such kernels support the getentropy(2)
|
||||
* system call and this should always succeed which renders
|
||||
* this alternative but essentially identical source moot.
|
||||
*/
|
||||
if (uname(&un) == 0) {
|
||||
kernel[0] = atoi(un.release);
|
||||
p = strchr(un.release, '.');
|
||||
kernel[1] = p == NULL ? 0 : atoi(p + 1);
|
||||
if (kernel[0] > kernel_version[0]
|
||||
|| (kernel[0] == kernel_version[0]
|
||||
&& kernel[1] >= kernel_version[1])) {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
/* Open /dev/random and wait for it to be readable */
|
||||
if ((fd = open(DEVRANDOM_WAIT, O_RDONLY)) != -1) {
|
||||
if (DEVRANDM_WAIT_USE_SELECT && fd < FD_SETSIZE) {
|
||||
FD_ZERO(&fds);
|
||||
FD_SET(fd, &fds);
|
||||
while ((r = select(fd + 1, &fds, NULL, NULL, NULL)) < 0
|
||||
&& errno == EINTR);
|
||||
} else {
|
||||
while ((r = read(fd, &c, 1)) < 0 && errno == EINTR);
|
||||
}
|
||||
close(fd);
|
||||
if (r == 1) {
|
||||
seeded = 1;
|
||||
/* Create the shared memory indicator */
|
||||
shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1,
|
||||
IPC_CREAT | S_IRUSR | S_IRGRP | S_IROTH);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (shm_id != -1) {
|
||||
seeded = 1;
|
||||
/*
|
||||
* Map the shared memory to prevent its premature destruction.
|
||||
* If this call fails, it isn't a big problem.
|
||||
*/
|
||||
shm_addr = shmat(shm_id, NULL, SHM_RDONLY);
|
||||
if (shm_addr != (void *)-1)
|
||||
OPENSSL_atexit(&cleanup_shm);
|
||||
}
|
||||
}
|
||||
return seeded;
|
||||
}
|
||||
# else /* defined __linux */
|
||||
static int wait_random_seeded(void)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
# endif
|
||||
|
||||
/*
|
||||
* Verify that the file descriptor associated with the random source is
|
||||
* still valid. The rationale for doing this is the fact that it is not
|
||||
@ -472,12 +573,12 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
|
||||
# if defined(OPENSSL_RAND_SEED_NONE)
|
||||
return rand_pool_entropy_available(pool);
|
||||
# else
|
||||
size_t bytes_needed;
|
||||
size_t entropy_available = 0;
|
||||
unsigned char *buffer;
|
||||
size_t entropy_available;
|
||||
|
||||
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
|
||||
{
|
||||
size_t bytes_needed;
|
||||
unsigned char *buffer;
|
||||
ssize_t bytes;
|
||||
/* Maximum allowed number of consecutive unsuccessful attempts */
|
||||
int attempts = 3;
|
||||
@ -507,36 +608,16 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
|
||||
# endif
|
||||
|
||||
# if defined(OPENSSL_RAND_SEED_DEVRANDOM)
|
||||
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
||||
{
|
||||
if (wait_random_seeded()) {
|
||||
size_t bytes_needed;
|
||||
unsigned char *buffer;
|
||||
size_t i;
|
||||
#ifdef DEVRANDOM_WAIT
|
||||
static int wait_done = 0;
|
||||
|
||||
/*
|
||||
* On some implementations reading from /dev/urandom is possible
|
||||
* before it is initialized. Therefore we wait for /dev/random
|
||||
* to be readable to make sure /dev/urandom is initialized.
|
||||
*/
|
||||
if (!wait_done && bytes_needed > 0) {
|
||||
int f = open(DEVRANDOM_WAIT, O_RDONLY);
|
||||
|
||||
if (f >= 0) {
|
||||
fd_set fds;
|
||||
|
||||
FD_ZERO(&fds);
|
||||
FD_SET(f, &fds);
|
||||
while (select(f+1, &fds, NULL, NULL, NULL) < 0
|
||||
&& errno == EINTR);
|
||||
close(f);
|
||||
}
|
||||
wait_done = 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths); i++) {
|
||||
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
||||
for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths);
|
||||
i++) {
|
||||
ssize_t bytes = 0;
|
||||
/* Maximum allowed number of consecutive unsuccessful attempts */
|
||||
/* Maximum number of consecutive unsuccessful attempts */
|
||||
int attempts = 3;
|
||||
const int fd = get_random_device(i);
|
||||
|
||||
@ -550,7 +631,7 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
|
||||
if (bytes > 0) {
|
||||
rand_pool_add_end(pool, bytes, 8 * bytes);
|
||||
bytes_needed -= bytes;
|
||||
attempts = 3; /* reset counter after successful attempt */
|
||||
attempts = 3; /* reset counter on successful attempt */
|
||||
} else if (bytes < 0 && errno != EINTR) {
|
||||
break;
|
||||
}
|
||||
@ -558,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
|
||||
if (bytes < 0 || !keep_random_devices_open)
|
||||
close_random_device(i);
|
||||
|
||||
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
||||
bytes_needed = rand_pool_bytes_needed(pool, 1);
|
||||
}
|
||||
entropy_available = rand_pool_entropy_available(pool);
|
||||
if (entropy_available > 0)
|
||||
@ -579,27 +660,30 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
|
||||
# endif
|
||||
|
||||
# if defined(OPENSSL_RAND_SEED_EGD)
|
||||
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
||||
if (bytes_needed > 0) {
|
||||
{
|
||||
static const char *paths[] = { DEVRANDOM_EGD, NULL };
|
||||
size_t bytes_needed;
|
||||
unsigned char *buffer;
|
||||
int i;
|
||||
|
||||
for (i = 0; paths[i] != NULL; i++) {
|
||||
buffer = rand_pool_add_begin(pool, bytes_needed);
|
||||
if (buffer != NULL) {
|
||||
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
||||
for (i = 0; bytes_needed > 0 && paths[i] != NULL; i++) {
|
||||
size_t bytes = 0;
|
||||
int num = RAND_query_egd_bytes(paths[i],
|
||||
int num;
|
||||
|
||||
buffer = rand_pool_add_begin(pool, bytes_needed);
|
||||
num = RAND_query_egd_bytes(paths[i],
|
||||
buffer, (int)bytes_needed);
|
||||
if (num == (int)bytes_needed)
|
||||
bytes = bytes_needed;
|
||||
|
||||
rand_pool_add_end(pool, bytes, 8 * bytes);
|
||||
entropy_available = rand_pool_entropy_available(pool);
|
||||
bytes_needed = rand_pool_bytes_needed(pool, 1);
|
||||
}
|
||||
entropy_available = rand_pool_entropy_available(pool);
|
||||
if (entropy_available > 0)
|
||||
return entropy_available;
|
||||
}
|
||||
}
|
||||
# endif
|
||||
|
||||
return rand_pool_entropy_available(pool);
|
||||
@ -632,15 +716,18 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
|
||||
int rand_pool_add_additional_data(RAND_POOL *pool)
|
||||
{
|
||||
struct {
|
||||
int fork_id;
|
||||
CRYPTO_THREAD_ID tid;
|
||||
uint64_t time;
|
||||
} data = { 0 };
|
||||
|
||||
/*
|
||||
* Add some noise from the thread id and a high resolution timer.
|
||||
* The fork_id adds some extra fork-safety.
|
||||
* The thread id adds a little randomness if the drbg is accessed
|
||||
* concurrently (which is the case for the <master> drbg).
|
||||
*/
|
||||
data.fork_id = openssl_get_fork_id();
|
||||
data.tid = CRYPTO_THREAD_get_current_id();
|
||||
data.time = get_timer_bits();
|
||||
|
||||
|
@ -458,6 +458,9 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
|
||||
static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
|
||||
{
|
||||
X509_ALGOR *alg = NULL;
|
||||
const EVP_MD *md;
|
||||
const EVP_MD *mgf1md;
|
||||
int min_saltlen;
|
||||
|
||||
switch (op) {
|
||||
|
||||
@ -497,6 +500,16 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
|
||||
#endif
|
||||
|
||||
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
|
||||
if (pkey->pkey.rsa->pss != NULL) {
|
||||
if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
|
||||
&min_saltlen)) {
|
||||
RSAerr(0, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
*(int *)arg2 = EVP_MD_type(md);
|
||||
/* Return of 2 indicates this MD is mandatory */
|
||||
return 2;
|
||||
}
|
||||
*(int *)arg2 = NID_sha256;
|
||||
return 1;
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -174,6 +174,8 @@ static const ERR_STRING_DATA RSA_str_reasons[] = {
|
||||
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_LAST_OCTET_INVALID), "last octet invalid"},
|
||||
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MGF1_DIGEST_NOT_ALLOWED),
|
||||
"mgf1 digest not allowed"},
|
||||
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MISSING_PRIVATE_KEY),
|
||||
"missing private key"},
|
||||
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MODULUS_TOO_LARGE), "modulus too large"},
|
||||
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R),
|
||||
"mp coefficient not inverse of r"},
|
||||
|
@ -250,7 +250,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
|
||||
*
|
||||
* This strategy has the following goals:
|
||||
*
|
||||
* 1. 1024-bit factors are effcient when using 3072 and 4096-bit key
|
||||
* 1. 1024-bit factors are efficient when using 3072 and 4096-bit key
|
||||
* 2. stay the same logic with normal 2-prime key
|
||||
*/
|
||||
bitse -= bitsr[i];
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -198,6 +198,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
|
||||
if (d != NULL) {
|
||||
BN_clear_free(r->d);
|
||||
r->d = d;
|
||||
BN_set_flags(r->d, BN_FLG_CONSTTIME);
|
||||
}
|
||||
|
||||
return 1;
|
||||
@ -215,10 +216,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
|
||||
if (p != NULL) {
|
||||
BN_clear_free(r->p);
|
||||
r->p = p;
|
||||
BN_set_flags(r->p, BN_FLG_CONSTTIME);
|
||||
}
|
||||
if (q != NULL) {
|
||||
BN_clear_free(r->q);
|
||||
r->q = q;
|
||||
BN_set_flags(r->q, BN_FLG_CONSTTIME);
|
||||
}
|
||||
|
||||
return 1;
|
||||
@ -237,14 +240,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
|
||||
if (dmp1 != NULL) {
|
||||
BN_clear_free(r->dmp1);
|
||||
r->dmp1 = dmp1;
|
||||
BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
|
||||
}
|
||||
if (dmq1 != NULL) {
|
||||
BN_clear_free(r->dmq1);
|
||||
r->dmq1 = dmq1;
|
||||
BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
|
||||
}
|
||||
if (iqmp != NULL) {
|
||||
BN_clear_free(r->iqmp);
|
||||
r->iqmp = iqmp;
|
||||
BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
|
||||
}
|
||||
|
||||
return 1;
|
||||
@ -276,12 +282,15 @@ int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
|
||||
if (pinfo == NULL)
|
||||
goto err;
|
||||
if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) {
|
||||
BN_free(pinfo->r);
|
||||
BN_free(pinfo->d);
|
||||
BN_free(pinfo->t);
|
||||
BN_clear_free(pinfo->r);
|
||||
BN_clear_free(pinfo->d);
|
||||
BN_clear_free(pinfo->t);
|
||||
pinfo->r = primes[i];
|
||||
pinfo->d = exps[i];
|
||||
pinfo->t = coeffs[i];
|
||||
BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
|
||||
} else {
|
||||
rsa_multip_info_free(pinfo);
|
||||
goto err;
|
||||
|
@ -321,6 +321,11 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
|
||||
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
if (rsa->d == NULL) {
|
||||
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY);
|
||||
BN_free(d);
|
||||
goto err;
|
||||
}
|
||||
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
||||
|
||||
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
|
||||
@ -438,6 +443,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
||||
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
if (rsa->d == NULL) {
|
||||
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_MISSING_PRIVATE_KEY);
|
||||
BN_free(d);
|
||||
goto err;
|
||||
}
|
||||
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
||||
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2010-2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -29,7 +29,7 @@ struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
|
||||
void OPENSSL_cpuid_setup(void)
|
||||
{
|
||||
sigset_t oset;
|
||||
struct sigaction ill_act, oact;
|
||||
struct sigaction ill_act, oact_ill, oact_fpe;
|
||||
|
||||
if (OPENSSL_s390xcap_P.stfle[0])
|
||||
return;
|
||||
@ -44,8 +44,8 @@ void OPENSSL_cpuid_setup(void)
|
||||
sigdelset(&ill_act.sa_mask, SIGFPE);
|
||||
sigdelset(&ill_act.sa_mask, SIGTRAP);
|
||||
sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset);
|
||||
sigaction(SIGILL, &ill_act, &oact);
|
||||
sigaction(SIGFPE, &ill_act, &oact);
|
||||
sigaction(SIGILL, &ill_act, &oact_ill);
|
||||
sigaction(SIGFPE, &ill_act, &oact_fpe);
|
||||
|
||||
/* protection against missing store-facility-list-extended */
|
||||
if (sigsetjmp(ill_jmp, 1) == 0)
|
||||
@ -61,7 +61,7 @@ void OPENSSL_cpuid_setup(void)
|
||||
| S390X_CAPBIT(S390X_VXE));
|
||||
}
|
||||
|
||||
sigaction(SIGFPE, &oact, NULL);
|
||||
sigaction(SIGILL, &oact, NULL);
|
||||
sigaction(SIGFPE, &oact_fpe, NULL);
|
||||
sigaction(SIGILL, &oact_ill, NULL);
|
||||
sigprocmask(SIG_SETMASK, &oset, NULL);
|
||||
}
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user