ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Import OpenSSL 1.1.0l

Browse Source
This commit is contained in:
Steve Dower
2019-09-16 11:19:00 +01:00
parent 697f7e1f24
commit 42e1dddc24
80 changed files with 1888 additions and 995 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitattributes vendored
View File

@@ -1,3 +0,0 @@
*.der binary
/fuzz/corpora/** binary
*.pfx binary

176
.gitignore vendored
View File

@@ -1,176 +0,0 @@
# Ignore editor artefacts
/.dir-locals.el
# Top level excludes
/Makefile.orig
/MINFO
/TABLE
/*.a
/*.pc
/rehash.time
/inc.*
/makefile.*
/out.*
/tmp.*
/configdata.pm
# *all* Makefiles
Makefile
# ... except in demos
!/demos/*/Makefile
# Links under apps
/apps/CA.pl
/apps/tsget
/apps/tsget.pl
/apps/md4.c
# Auto generated headers
/crypto/buildinf.h
/apps/progs.h
/crypto/include/internal/*_conf.h
/openssl/include/opensslconf.h
/util/domd
# Executables
/apps/openssl
/test/sha256t
/test/sha512t
/test/gost2814789t
/test/ssltest_old
/test/*test
/test/fips_aesavs
/test/fips_desmovs
/test/fips_dhvs
/test/fips_drbgvs
/test/fips_dssvs
/test/fips_ecdhvs
/test/fips_ecdsavs
/test/fips_rngvs
/test/fips_test_suite
/test/ssltest_old
/test/x509aux
/test/v3ext
/test/versions
/test/rsa_complex
# Certain files that get created by tests on the fly
/test/test-runs
/test/buildtest_*
# Fuzz stuff.
# Anything without an extension is an executable on Unix, so we keep files
# with extensions. And we keep the corpora subddir versioned as well.
# Anything more generic with extensions that should be ignored will be taken
# care of by general ignores for those extensions (*.o, *.obj, *.exe, ...)
/fuzz/*
!/fuzz/README*
!/fuzz/corpora
!/fuzz/*.*
# Misc auto generated files
/include/openssl/opensslconf.h
/tools/c_rehash
/tools/c_rehash.pl
/util/shlib_wrap.sh
/tags
/TAGS
/crypto.map
/ssl.map
# Windows (legacy)
/tmp32
/tmp32.dbg
/tmp32dll
/tmp32dll.dbg
/out32
/out32.dbg
/out32dll
/out32dll.dbg
/inc32
/MINFO
/ms/.rnd
/ms/bcb.mak
/ms/libeay32.def
/ms/nt.mak
/ms/ntdll.mak
/ms/ssleay32.def
/ms/version32.rc
# Files created on other branches that are not held in git, and are not
# needed on this branch
/include/openssl/asn1_mac.h
/include/openssl/des_old.h
/include/openssl/fips.h
/include/openssl/fips_rand.h
/include/openssl/krb5_asn.h
/include/openssl/kssl.h
/include/openssl/pq_compat.h
/include/openssl/ssl23.h
/include/openssl/tmdiff.h
/include/openssl/ui_compat.h
/test/fips_aesavs.c
/test/fips_desmovs.c
/test/fips_dsatest.c
/test/fips_dssvs.c
/test/fips_hmactest.c
/test/fips_randtest.c
/test/fips_rngvs.c
/test/fips_rsagtest.c
/test/fips_rsastest.c
/test/fips_rsavtest.c
/test/fips_shatest.c
/test/fips_test_suite.c
/test/shatest.c
##### Generic patterns
# Auto generated assembly language source files
*.s
!/crypto/*/asm/*.s
/crypto/arm*.S
/crypto/*/*.S
*.asm
!/crypto/*/asm/*.asm
# Object files
*.o
*.obj
# editor artefacts
*.swp
.#*
\#*#
*~
# Certificate symbolic links
*.0
# All kinds of executables
*.so
*.so.*
*.dylib
*.dylib.*
*.dll
*.dll.*
*.exe
*.pyc
*.exp
*.lib
*.pdb
*.ilk
*.def
*.rc
*.res
# Misc generated stuff
Makefile.save
/crypto/**/lib
/engines/**/lib
/ssl/**/lib
*.bak
cscope.*
*.d
pod2htmd.tmp
# Windows manifest files
*.manifest

15
.travis-apt-pin.preferences
View File

@@ -1,15 +0,0 @@
Package: clang-3.9
Pin: release o=Ubuntu
Pin-Priority: -1
Package: libclang-common-3.9-dev
Pin: release o=Ubuntu
Pin-Priority: -1
Package: libclang1-3.9
Pin: release o=Ubuntu
Pin-Priority: -1
Package: libllvm3.9v4
Pin: release o=Ubuntu
Pin-Priority: -1

11
.travis-create-release.sh
View File

@@ -1,11 +0,0 @@
#! /bin/sh
# $1 is expected to be $TRAVIS_OS_NAME
./Configure dist
if [ "$1" == osx ]; then
make NAME='_srcdist' TARFILE='_srcdist.tar' \
TAR_COMMAND='$(TAR) $(TARFLAGS) -cvf -' tar
else
make TARFILE='_srcdist.tar' NAME='_srcdist' dist
fi

208
.travis.yml
View File

@@ -1,208 +0,0 @@
dist: trusty
sudo: required
language: c
cache: ccache
before_install:
- if [ -n "$COVERALLS" ]; then
pip install --user cpp-coveralls;
fi;
addons:
apt:
packages:
- ccache
os:
- linux
compiler:
- clang
- gcc
env:
- CONFIG_OPTS="" DESTDIR="_install"
- CONFIG_OPTS="--debug no-shared enable-crypto-mdebug enable-rc5 enable-md2"
- CONFIG_OPTS="no-pic --strict-warnings" BUILDONLY="yes"
- CONFIG_OPTS="no-engine no-shared --strict-warnings" BUILDONLY="yes"
- CONFIG_OPTS="no-stdio --strict-warnings" BUILDONLY="yes"
- CONFIG_OPTS="no-ec" BUILDONLY="yes"
- CONFIG_OPTS="no-asm --strict-warnings" BUILDONLY="yes" CHECKDOCS="yes"
matrix:
include:
- os: linux
compiler: clang-3.9
env: CONFIG_OPTS="--strict-warnings no-deprecated" BUILDONLY="yes"
- os: linux
compiler: gcc
env: CONFIG_OPTS="--debug --coverage no-asm enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers" COVERALLS="yes"
- os: linux
compiler: clang-3.9
env: CONFIG_OPTS="enable-asan"
- os: linux
compiler: clang-3.9
env: CONFIG_OPTS="enable-msan"
- os: linux
compiler: clang-3.9
env: CONFIG_OPTS="no-asm enable-ubsan enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method -fno-sanitize=alignment"
- os: linux
compiler: clang-3.9
env: CONFIG_OPTS="no-asm enable-asan enable-rc5 enable-md2"
- os: linux
compiler: clang-3.9
env: CONFIG_OPTS="no-stdio"
- os: linux
addons:
apt:
packages:
- gcc-5
sources:
- ubuntu-toolchain-r-test
compiler: gcc-5
env: UBUNTU_GCC_HACK="yes" CONFIG_OPTS="no-asm enable-ubsan enable-rc5 enable-md2 -DPEDANTIC"
- os: linux
addons:
apt:
packages:
- binutils-mingw-w64
- gcc-mingw-w64
compiler: i686-w64-mingw32-gcc
env: CONFIG_OPTS="no-pic"
- os: linux
addons:
apt:
packages:
- binutils-mingw-w64
- gcc-mingw-w64
compiler: i686-w64-mingw32-gcc
env: CONFIG_OPTS="no-stdio" BUILDONLY="yes"
- os: linux
addons:
apt:
packages:
- binutils-mingw-w64
- gcc-mingw-w64
compiler: x86_64-w64-mingw32-gcc
env: CONFIG_OPTS="no-pic"
- os: linux
addons:
apt:
packages:
- binutils-mingw-w64
- gcc-mingw-w64
compiler: x86_64-w64-mingw32-gcc
env: CONFIG_OPTS="no-stdio" BUILDONLY="yes"
exclude:
- os: linux
compiler: clang
- os: osx
compiler: gcc
before_script:
- if [ -n "$DESTDIR" ]; then
sh .travis-create-release.sh $TRAVIS_OS_NAME;
tar -xvzf _srcdist.tar.gz;
mkdir _build;
cd _build;
srcdir=../_srcdist;
top=..;
else
srcdir=.;
top=.;
fi
- if [ -n "$UBUNTU_GCC_HACK" ]; then
$CC -dumpspecs | sed "s/--push-state//g; s/--pop-state/--as-needed/g" > gcc-specs.txt;
CC="$CC -specs=gcc-specs.txt";
fi
- if [ "$CC" == i686-w64-mingw32-gcc ]; then
export CROSS_COMPILE=${CC%%gcc}; unset CC;
$srcdir/Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format;
elif [ "$CC" == x86_64-w64-mingw32-gcc ]; then
export CROSS_COMPILE=${CC%%gcc}; unset CC;
$srcdir/Configure mingw64 $CONFIG_OPTS -Wno-pedantic-ms-format;
else
if [ "$CC" == clang-3.9 ]; then
sudo cp .travis-apt-pin.preferences /etc/apt/preferences.d/no-ubuntu-clang;
curl -sSL "http://apt.llvm.org/llvm-snapshot.gpg.key" | sudo -E apt-key add -;
echo "deb http://apt.llvm.org/trusty/ llvm-toolchain-trusty-3.9 main" | sudo tee -a /etc/apt/sources.list > /dev/null;
sudo -E apt-add-repository -y "ppa:ubuntu-toolchain-r/test";
sudo -E apt-get -yq update;
sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install clang-3.9;
elif which ccache >/dev/null; then
CC="ccache $CC";
fi;
$srcdir/config -v $CONFIG_OPTS;
fi
- if [ -z "$BUILDONLY" ]; then
if [ -n "$CROSS_COMPILE" ]; then
if [ "$TRAVIS_OS_NAME" == "linux" ]; then
sudo dpkg --add-architecture i386;
sudo apt-get update;
fi;
fi;
fi
- cd $top
script:
- if [ -z "$BUILDONLY" ]; then
make="make -s";
else
make="make";
fi
- if [ -n "$DESTDIR" ]; then
cd _build;
top=..;
else
top=.;
fi
- if $make update; then
echo -e '+\057 MAKE UPDATE OK';
else
echo -e '+\057 MAKE UPDATE FAILED'; false;
fi;
git diff --exit-code
- if [ -n "$CHECKDOCS" ]; then
if $make doc-nits; then
echo -e '+\057\057 MAKE DOC-NITS OK';
else
echo -e '+\057\057 MAKE DOC-NITS FAILED'; false;
fi;
fi
- if $make ; then
echo -e '+\057\057\057 MAKE OK';
else
echo -e '+\057\057\057 MAKE FAILED'; false;
fi;
- if [ -z "$BUILDONLY" ]; then
if [ -n "$CROSS_COMPILE" ]; then
sudo apt-get -yq install wine;
export EXE_SHELL="wine" WINEPREFIX=`pwd`;
fi;
HARNESS_VERBOSE=yes make test;
else
if $make build_tests; then
echo -e '+\057\057\075 MAKE BUILD_TESTS OK';
else
echo -e '+\057\057\075 MAKE BUILD_TESTS FAILEd'; false;
fi;
fi
- if [ -n "$DESTDIR" ]; then
mkdir "../$DESTDIR";
if $make install DESTDIR="../$DESTDIR"; then
echo -e '+\057\057\057\057\057 MAKE INSTALL_DOCS OK';
else
echo -e '+\057\057\057\057\057 MAKE INSTALL_DOCS FAILED'; false;
fi;
fi
- cd $top
after_success:
- if [ -n "$COVERALLS" ]; then
coveralls -b . --gcov-options '\-lp';
fi;
notifications:
email:
secure: "xeGNgWO7aoaDgRvcZubposqMsj36aU8c6F0oHfw+rUqltCQ14IgYCUwzocmR2O+Pa7B3Cx5VjMfBFHbQaajZsfod8vu7g+aGq/zkjwbhsr/SR4dljJjFJXLGZjIalm9KgP6KInmVDuINfCqP+MHIY5lZkNI7DMcyHDhVc5nSKvCXV7xTDNgmstvh8rB/z51WfHDqGqfBtiuK5FDNxmvYK8OFJ5W94Lu9LDlizcxwK3GAj7arOui7Z5w8bQ6p4seUE3IvJL1Zbj0pZHxvNb6Zeb2Pn8QF1qLlN8YmBktD4aiw0ce4wYRiL87uLgcOxZY7SVXtv2XYFIYWapU/FKjCqa6vK93V/H9eZWEIYNMKnN3wXm2beqVdnKek3OeGJ8v0y7MbSfuLfRtBqbTSNYnpU1Zuo4MQAvHvEPuwCAYkYQajOSRplMH5sULFKptuVqNtOMfjL8jHb8AEoL1acYIk43ydxeYrzzas4fqgCDJ52573/u0RNdF1lkQBLkuM365OB8VRqtpnoxcdEIY/qBc/8TzZ24fxyrs5qdHFcxGSgpN2EP6cJMqpvkemnCNSdhxUqfzm22N7a3O8+4LFSBGOnHto/PwdsvF/01yGYL0LoZTnoO1i6x7AMJPBh+eyDU0ZjGhj/msjmqeb9C8vRqQ+1WjHrIS1iqCD0Czib8tUPD4="

99
CHANGES
View File

@@ -7,6 +7,105 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
Changes between 1.1.0k and 1.1.0l [10 Sep 2019]
*) For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters, when loading a serialized key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
serialized, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
[Nicola Tuveri]
*) Compute ECC cofactors if not provided during EC_GROUP construction. Before
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
(CVE-2019-1547)
[Billy Bob Brumley]
*) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
(CVE-2019-1563)
[Bernd Edlinger]
*) Use Windows installation paths in the mingw builds
Mingw isn't a POSIX environment per se, which means that Windows
paths should be used for installation.
(CVE-2019-1552)
[Richard Levitte]
Changes between 1.1.0j and 1.1.0k [28 May 2019]
*) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
This changes the size when using the genpkey app when no size is given. It
fixes an omission in earlier changes that changed all RSA, DSA and DH
generation apps to use 2048 bits by default.
[Kurt Roeckx]
*) Prevent over long nonces in ChaCha20-Poly1305.
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
for every encryption operation. RFC 7539 specifies that the nonce value
(IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
and front pads the nonce with 0 bytes if it is less than 12
bytes. However it also incorrectly allows a nonce to be set of up to 16
bytes. In this case only the last 12 bytes are significant and any
additional leading bytes are ignored.
It is a requirement of using this cipher that nonce values are
unique. Messages encrypted using a reused nonce value are susceptible to
serious confidentiality and integrity attacks. If an application changes
the default nonce length to be longer than 12 bytes and then makes a
change to the leading bytes of the nonce expecting the new value to be a
new unique nonce then such an application could inadvertently encrypt
messages with a reused nonce.
Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
is safe because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.
This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
Greef of Ronomon.
(CVE-2019-1543)
[Matt Caswell]
*) Added SCA hardening for modular field inversion in EC_GROUP through
a new dedicated field_inv() pointer in EC_METHOD.
This also addresses a leakage affecting conversions from projective
to affine coordinates.
[Billy Bob Brumley, Nicola Tuveri]
*) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
re-used X509_PUBKEY object if the second PUBKEY is malformed.
[Bernd Edlinger]
*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
[Richard Levitte]
*) Remove the 'dist' target and add a tarball building script. The
'dist' target has fallen out of use, and it shouldn't be
necessary to configure just to create a source distribution.
[Richard Levitte]
Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
*) Timing vulnerability in DSA signature generation

2
Configurations/10-main.conf
View File

@@ -1444,6 +1444,7 @@ sub vms_info {
shared_extension => ".dll",
multilib => "",
apps_aux_src => add("win32_init.c"),
build_scheme => add("mingw", { separator => undef }),
},
"mingw64" => {
# As for OPENSSL_USE_APPLINK. Applink makes it possible to use
@@ -1473,6 +1474,7 @@ sub vms_info {
shared_extension => ".dll",
multilib => "64",
apps_aux_src => add("win32_init.c"),
build_scheme => add("mingw64", { separator => undef }),
},
#### UEFI

12
Configurations/dist.conf
View File

@@ -1,12 +0,0 @@
## -*- mode: perl; -*-
## Build configuration targets for openssl-team members
# This is to support 'make dist'
%targets = (
"dist" => {
inherit_from => [ 'BASE_unix' ],
cc => "cc",
cflags => "-O",
thread_scheme => "(unknown)",
},
);

127
Configurations/unix-Makefile.tmpl
View File

@@ -13,6 +13,28 @@
our $shlibextimport = $target{shared_import_extension} || "";
our $dsoext = $target{dso_extension} || ".so";
# $mingw_installroot and $mingw_commonroot is relevant for mingw only.
my $mingw_installenv =
$target{build_scheme}->[2] eq "mingw"
? "ProgramFiles(x86)" : "ProgramW6432";
my $mingw_commonenv =
$target{build_scheme}->[2] eq "mingw"
? "CommonProgramFiles(x86)" : "CommonProgramW6432";
our $mingw_installroot =
defined($ENV{$mingw_installenv})
? $mingw_installenv : 'ProgramFiles';
our $mingw_commonroot =
defined($ENV{$mingw_commonenv})
? $mingw_commonenv : 'CommonProgramFiles';
my $mingw_installdflt =
defined($ENV{$mingw_installenv})
? "C:/Program Files (x86)" : "C:/Program Files";
my $mingw_commondflt = "$mingw_installdflt/Common Files";
# expand variables early
$mingw_installroot = $ENV{$mingw_installroot} // $mingw_installdflt;
$mingw_commonroot = $ENV{$mingw_commonroot} // $mingw_commondflt;
sub windowsdll { $config{target} =~ /^(?:Cygwin|mingw)/ }
our $sover = $config{target} =~ /^mingw/
@@ -121,6 +143,7 @@ APPS_OPENSSL={- use File::Spec::Functions;
# Normally it is left empty.
DESTDIR=
{- output_off() if $config{target} =~ /^mingw/; "" -}
# Do not edit these manually. Use Configure with --prefix or --openssldir
# to change this! Short explanation in the top comment in Configure
INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
@@ -159,6 +182,79 @@ ENGINESDIR={- use File::Spec::Functions;
# Convenience variable for those who want to set the rpath in shared
# libraries and applications
LIBRPATH=$(INSTALLTOP)/$(LIBDIR)
{- output_on() if $config{target} =~ /^mingw/;
output_off() if $config{target} !~ /^mingw/;
"" -}
# Do not edit these manually. Use Configure with --prefix or --openssldir
# to change this! Short explanation in the top comment in Configure
INSTALLTOP_dev={- # $prefix is used in the OPENSSLDIR perl snippet
#
use File::Spec::Win32;
my $prefix_default = "$mingw_installroot/OpenSSL";
our $prefix =
File::Spec::Win32->canonpath($config{prefix}
|| $prefix_default);
our ($prefix_dev, $prefix_dir, $prefix_file) =
File::Spec::Win32->splitpath($prefix, 1);
$prefix =~ s|\\|/|g;
$prefix_dir =~ s|\\|/|g;
$prefix_dev -}
INSTALLTOP_dir={- my $x = File::Spec::Win32->canonpath($prefix_dir);
$x =~ s|\\|/|g;
$x -}
OPENSSLDIR_dev={- #
# The logic here is that if no --openssldir was given,
# OPENSSLDIR will get the value "$mingw_commonroot/SSL".
# If --openssldir was given and the value is an absolute
# path, OPENSSLDIR will get its value without change.
# If the value from --openssldir is a relative path,
# OPENSSLDIR will get $prefix with the --openssldir
# value appended as a subdirectory.
#
use File::Spec::Win32;
our $openssldir =
$config{openssldir} ?
(File::Spec::Win32->file_name_is_absolute($config{openssldir}) ?
File::Spec::Win32->canonpath($config{openssldir})
: File::Spec::Win32->catdir($prefix, $config{openssldir}))
: File::Spec::Win32->canonpath("$mingw_commonroot/SSL");
our ($openssldir_dev, $openssldir_dir, $openssldir_file) =
File::Spec::Win32->splitpath($openssldir, 1);
$openssldir =~ s|\\|/|g;
$openssldir_dir =~ s|\\|/|g;
$openssldir_dev -}
OPENSSLDIR_dir={- my $x = File::Spec::Win32->canonpath($openssldir_dir);
$x =~ s|\\|/|g;
$x -}
LIBDIR={- our $libdir = $config{libdir} || "lib";
$libdir -}
ENGINESDIR_dev={- use File::Spec::Win32;
our $enginesdir =
File::Spec::Win32->catdir($prefix,$libdir,
"engines-$sover_dirname");
our ($enginesdir_dev, $enginesdir_dir, $enginesdir_file) =
File::Spec::Win32->splitpath($enginesdir, 1);
$enginesdir =~ s|\\|/|g;
$enginesdir_dir =~ s|\\|/|g;
$enginesdir_dev -}
ENGINESDIR_dir={- my $x = File::Spec::Win32->canonpath($enginesdir_dir);
$x =~ s|\\|/|g;
$x -}
# In a Windows environment, $(DESTDIR) is harder to contatenate with other
# directory variables, because both may contain devices. What we do here is
# to adapt INSTALLTOP, OPENSSLDIR and ENGINESDIR depending on if $(DESTDIR)
# has a value or not, to ensure that concatenation will always work further
# down.
ifneq "$(DESTDIR)" ""
INSTALLTOP=$(INSTALLTOP_dir)
OPENSSLDIR=$(OPENSSLDIR_dir)
ENGINESDIR=$(ENGINESDIR_dir)
else
INSTALLTOP=$(INSTALLTOP_dev)$(INSTALLTOP_dir)
OPENSSLDIR=$(OPENSSLDIR_dev)$(OPENSSLDIR_dir)
ENGINESDIR=$(ENGINESDIR_dev)$(ENGINESDIR_dir)
endif
{- output_on() if $config{target} !~ /^mingw/; "" -}
MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
@@ -201,6 +297,7 @@ MAKEDEPEND={- $config{makedepprog} -}
BASENAME= openssl
NAME= $(BASENAME)-$(VERSION)
# Relative to $(SRCDIR)
TARFILE= ../$(NAME).tar
# We let the C compiler driver to take care of .s files. This is done in
@@ -665,36 +762,8 @@ tags TAGS: FORCE
# Release targets (note: only available on Unix) #####################
# If your tar command doesn't support --owner and --group, make sure to
# use one that does, for example GNU tar
TAR_COMMAND=$(TAR) $(TARFLAGS) --owner 0 --group 0 -cvf -
PREPARE_CMD=:
tar:
set -e; \
TMPDIR=/var/tmp/openssl-copy.$$$$; \
DISTDIR=$(NAME); \
mkdir -p $$TMPDIR/$$DISTDIR; \
(cd $(SRCDIR); \
excl_re="^(fuzz/corpora|Configurations/.*\.norelease\.conf)"; \
echo "$$excl_re"; \
git ls-tree -r --name-only --full-tree HEAD \
| egrep -v "$$excl_re" \
| while read F; do \
mkdir -p $$TMPDIR/$$DISTDIR/`dirname $$F`; \
cp $$F $$TMPDIR/$$DISTDIR/$$F; \
done); \
(cd $$TMPDIR/$$DISTDIR; \
$(PREPARE_CMD); \
find . -type d -print | xargs chmod 755; \
find . -type f -print | xargs chmod a+r; \
find . -type f -perm -0100 -print | xargs chmod a+x); \
(cd $$TMPDIR; $(TAR_COMMAND) $$DISTDIR) \
| (cd $(SRCDIR); gzip --best > $(TARFILE).gz); \
rm -rf $$TMPDIR
cd $(SRCDIR); ls -l $(TARFILE).gz
dist:
@$(MAKE) PREPARE_CMD='$(PERL) ./Configure dist' tar
(cd $(SRCDIR); ./util/mktar.sh --name='$(NAME)' --tarfile='$(TARFILE)')
# Helper targets #####################################################

3
Configure
View File

@@ -1,6 +1,6 @@
#! /usr/bin/env perl
# -*- mode: perl; -*-
# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -142,6 +142,7 @@ my $gcc_devteam_warn = "-DDEBUG_UNUSED"
# -Wunused-macros -- no, too tricky for BN and _XOPEN_SOURCE etc
# -Wextended-offsetof -- no, needed in CMS ASN1 code
my $clang_devteam_warn = ""
. " -Wno-unknown-warning-option"
. " -Qunused-arguments"
. " -Wno-language-extension-token"
. " -Wno-extended-offsetof"

116
Makefile.shared
View File

@@ -98,20 +98,20 @@ top:
LINK_APP= \
( $(SET_X); \
LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS) $(LDFLAGS)}"; \
LIBDEPS=$${LIBDEPS:-'$(LIBDEPS)'}; \
LDCMD=$${LDCMD:-'$(CC)'}; LDFLAGS=$${LDFLAGS:-'$(CFLAGS) $(LDFLAGS)'}; \
LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
echo LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS}; \
LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
eval "$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS}" )
LINK_SO= \
( $(SET_X); \
LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \
SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
LIBDEPS=$${LIBDEPS:-'$(LIBDEPS)'}; \
SHAREDCMD=$${SHAREDCMD:-'$(CC)'}; \
SHAREDFLAGS=$${SHAREDFLAGS:-'$(CFLAGS) $(SHARED_LDFLAGS)'}; \
LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
echo LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
@@ -119,23 +119,23 @@ LINK_SO= \
-o $(SHLIBNAME_FULL) \
$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS; \
LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${SHAREDCMD} $${SHAREDFLAGS} \
eval "$${SHAREDCMD} $${SHAREDFLAGS} \
-o $(SHLIBNAME_FULL) \
$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS" \
) && $(SYMLINK_SO)
SYMLINK_SO= \
if [ -n "$$INHIBIT_SYMLINKS" ]; then :; else \
if [ -n "$(SHLIBNAME_FULL)" -a -n "$(SHLIBNAME)" -a \
"$(SHLIBNAME_FULL)" != "$(SHLIBNAME)" ]; then \
if [ -n '$(SHLIBNAME_FULL)' -a -n '$(SHLIBNAME)' -a \
'$(SHLIBNAME_FULL)' != '$(SHLIBNAME)' ]; then \
( $(SET_X); \
rm -f $(SHLIBNAME); \
ln -s $(SHLIBNAME_FULL) $(SHLIBNAME) ); \
fi; \
fi
LINK_SO_SHLIB= SHOBJECTS="$(STLIBNAME) $(LIBEXTRAS)"; $(LINK_SO)
LINK_SO_DSO= INHIBIT_SYMLINKS=yes; SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)
LINK_SO_SHLIB= SHOBJECTS='$(STLIBNAME) $(LIBEXTRAS)'; $(LINK_SO)
LINK_SO_DSO= INHIBIT_SYMLINKS=yes; SHOBJECTS='$(LIBEXTRAS)'; $(LINK_SO)
LINK_SO_SHLIB_VIA_O= \
SHOBJECTS=$(STLIBNAME).o; \
@@ -147,21 +147,21 @@ LINK_SO_SHLIB_VIA_O= \
LINK_SO_SHLIB_UNPACKED= \
UNPACKDIR=link_tmp.$$$$; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \
(cd $$UNPACKDIR; ar x ../$(STLIBNAME)) && \
([ -z "$(LIBEXTRAS)" ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \
([ -z '$(LIBEXTRAS)' ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \
SHOBJECTS=$$UNPACKDIR/*.o; \
$(LINK_SO) && rm -rf $$UNPACKDIR
DETECT_GNU_LD=($(CC) -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
DO_GNU_SO_COMMON=\
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$(SHLIBNAME_FULL)"
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$(SHLIBNAME_FULL)'
DO_GNU_DSO=\
$(DO_GNU_SO_COMMON)
DO_GNU_SO=\
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
$(DO_GNU_SO_COMMON)
DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS)"
DO_GNU_APP=LDFLAGS='$(CFLAGS) $(LDFLAGS)'
#This is rather special. It's a special target with which one can link
#applications without bothering with any features that have anything to
@@ -186,21 +186,21 @@ link_shlib.linux-shared:
link_dso.bsd:
@if $(DETECT_GNU_LD); then $(DO_GNU_DSO); else \
LIBDEPS=" "; \
LIBDEPS=' '; \
ALLSYMSFLAGS=; \
NOALLSYMSFLAGS=; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib'; \
fi; $(LINK_SO_DSO)
link_shlib.bsd:
@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
LIBDEPS=" "; \
ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
LIBDEPS=' '; \
ALLSYMSFLAGS='-Wl,-Bforcearchive'; \
NOALLSYMSFLAGS=; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib'; \
fi; $(LINK_SO_SHLIB)
link_app.bsd:
@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
LDFLAGS="$(CFLAGS) $(LDFLAGS)"; \
LDFLAGS='$(CFLAGS) $(LDFLAGS)'; \
fi; $(LINK_APP)
# For Darwin AKA Mac OS/X (dyld)
@@ -223,12 +223,12 @@ link_app.bsd:
link_dso.darwin:
@ ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) `echo $(SHARED_LDFLAGS) | sed s/dynamiclib/bundle/`"; \
SHAREDFLAGS='$(CFLAGS) '"`echo '$(SHARED_LDFLAGS)' | sed s/dynamiclib/bundle/`"; \
$(LINK_SO_DSO)
link_shlib.darwin:
@ ALLSYMSFLAGS='-all_load'; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -current_version $(SHLIBVERSION) -compatibility_version $(SHLIBVERSION) -install_name $(INSTALLTOP)/$(LIBDIR)/$(SHLIBNAME_FULL)"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -current_version $(SHLIBVERSION) -compatibility_version $(SHLIBVERSION) -install_name $(INSTALLTOP)/$(LIBDIR)/$(SHLIBNAME_FULL)'; \
$(LINK_SO_SHLIB)
link_app.darwin: # is there run-path on darwin?
$(LINK_APP)
@@ -237,17 +237,17 @@ link_dso.cygwin:
@ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
base=-Wl,--enable-auto-image-base; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS)'" -shared $$base -Wl,-Bsymbolic"; \
$(LINK_SO_DSO)
link_shlib.cygwin:
@ INHIBIT_SYMLINKS=yes; \
echo "$(PERL) $(SRCDIR)/util/mkrc.pl $(SHLIBNAME_FULL) |" \
"$(RC) $(SHARED_RCFLAGS) -o rc.o"; \
echo '$(PERL) $(SRCDIR)/util/mkrc.pl $(SHLIBNAME_FULL) |' \
'$(RC) $(SHARED_RCFLAGS) -o rc.o'; \
$(PERL) $(SRCDIR)/util/mkrc.pl $(SHLIBNAME_FULL) | \
$(RC) $(SHARED_RCFLAGS) -o rc.o; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,--enable-auto-image-base -Wl,-Bsymbolic -Wl,--out-implib,$(SHLIBNAME) rc.o"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,--enable-auto-image-base -Wl,-Bsymbolic -Wl,--out-implib,$(SHLIBNAME) rc.o'; \
$(LINK_SO_SHLIB) || exit 1; \
rm rc.o
link_app.cygwin:
@@ -257,17 +257,17 @@ link_app.cygwin:
# corresponding cygwin targets, as they do the exact same thing.
link_shlib.mingw:
@ INHIBIT_SYMLINKS=yes; \
base=; [ $(LIBNAME) = "crypto" -a -n "$(FIPSCANLIB)" ] && base=-Wl,--image-base,0x63000000; \
base=; [ '$(LIBNAME)' = 'crypto' -a -n '$(FIPSCANLIB)' ] && base=-Wl,--image-base,0x63000000; \
$(PERL) $(SRCDIR)/util/mkdef.pl 32 $(LIBNAME) \
| sed -e 's|^\(LIBRARY *\)$(LIBNAME)32|\1$(SHLIBNAME_FULL)|' \
> $(LIBNAME).def; \
echo "$(PERL) $(SRCDIR)/util/mkrc.pl $(SHLIBNAME_FULL) |" \
"$(RC) $(SHARED_RCFLAGS) -o rc.o"; \
echo '$(PERL) $(SRCDIR)/util/mkrc.pl $(SHLIBNAME_FULL) |' \
'$(RC) $(SHARED_RCFLAGS) -o rc.o'; \
$(PERL) $(SRCDIR)/util/mkrc.pl $(SHLIBNAME_FULL) | \
$(RC) $(SHARED_RCFLAGS) -o rc.o; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,$(SHLIBNAME) $(LIBNAME).def rc.o"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -shared '"$$base"' -Wl,-Bsymbolic -Wl,--out-implib,$(SHLIBNAME) $(LIBNAME).def rc.o'; \
$(LINK_SO_SHLIB) || exit 1; \
rm $(LIBNAME).def rc.o
@@ -277,7 +277,7 @@ link_dso.alpha-osf1:
else \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic'; \
fi; \
$(LINK_SO_DSO)
link_shlib.alpha-osf1:
@@ -286,14 +286,14 @@ link_shlib.alpha-osf1:
else \
ALLSYMSFLAGS='-all'; \
NOALLSYMSFLAGS='-none'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic -set_version $(SHLIBVERSION)"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic -set_version $(SHLIBVERSION)'; \
fi; \
$(LINK_SO_SHLIB)
link_app.alpha-osf1:
@if $(DETECT_GNU_LD); then \
$(DO_GNU_APP); \
else \
LDFLAGS="$(CFLAGS) $(LDFLAGS)"; \
LDFLAGS='$(CFLAGS) $(LDFLAGS)'; \
fi; \
$(LINK_APP)
@@ -301,9 +301,9 @@ link_dso.solaris:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_DSO); \
else \
ALLSYMSFLAGS=""; \
NOALLSYMSFLAGS=""; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $(SHLIBNAME_FULL) -Wl,-Bsymbolic"; \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -h $(SHLIBNAME_FULL) -Wl,-Bsymbolic'; \
fi; \
$(LINK_SO_DSO)
link_shlib.solaris:
@@ -311,16 +311,16 @@ link_shlib.solaris:
$(DO_GNU_SO); \
else \
$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
ALLSYMSFLAGS="-Wl,-z,allextract,-M,$(LIBNAME).map"; \
NOALLSYMSFLAGS="-Wl,-z,defaultextract"; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $(SHLIBNAME_FULL) -Wl,-Bsymbolic"; \
ALLSYMSFLAGS='-Wl,-z,allextract,-M,$(LIBNAME).map'; \
NOALLSYMSFLAGS='-Wl,-z,defaultextract'; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -h $(SHLIBNAME_FULL) -Wl,-Bsymbolic'; \
fi; \
$(LINK_SO_SHLIB)
link_app.solaris:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_APP); \
else \
LDFLAGS="$(CFLAGS) $(LDFLAGS)"; \
LDFLAGS='$(CFLAGS) $(LDFLAGS)'; \
fi; \
$(LINK_APP)
@@ -331,7 +331,7 @@ link_dso.svr3:
else \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) -G -h $(SHLIBNAME_FULL)"; \
SHAREDFLAGS='$(CFLAGS) -G -h $(SHLIBNAME_FULL)'; \
fi; \
$(LINK_SO_DSO)
link_shlib.svr3:
@@ -340,7 +340,7 @@ link_shlib.svr3:
else \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) -G -h $(SHLIBNAME_FULL)"; \
SHAREDFLAGS='$(CFLAGS) -G -h $(SHLIBNAME_FULL)'; \
fi; \
$(LINK_SO_SHLIB_UNPACKED)
link_app.svr3:
@@ -356,7 +356,7 @@ link_dso.svr5:
($(CC) -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $(SHLIBNAME_FULL)"; \
SHAREDFLAGS='$(CFLAGS) '"$${SHARE_FLAG}"' -h $(SHLIBNAME_FULL)'; \
fi; \
$(LINK_SO_DSO)
link_shlib.svr5:
@@ -367,7 +367,7 @@ link_shlib.svr5:
($(CC) -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $(SHLIBNAME_FULL)"; \
SHAREDFLAGS='$(CFLAGS) '"$${SHARE_FLAG}"' -h $(SHLIBNAME_FULL)'; \
fi; \
$(LINK_SO_SHLIB_UNPACKED)
link_app.svr5:
@@ -378,24 +378,24 @@ link_dso.irix:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_DSO); \
else \
ALLSYMSFLAGS=""; \
NOALLSYMSFLAGS=""; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$(SHLIBNAME_FULL),-B,symbolic"; \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$(SHLIBNAME_FULL),-B,symbolic'; \
fi; \
$(LINK_SO_DSO)
link_shlib.irix:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
MINUSWL=""; \
($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
MINUSWL=''; \
($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL='-Wl,'; \
ALLSYMSFLAGS="$${MINUSWL}-all"; \
NOALLSYMSFLAGS="$${MINUSWL}-none"; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$(SHLIBNAME_FULL),-B,symbolic"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$(SHLIBNAME_FULL),-B,symbolic'; \
fi; \
$(LINK_SO_SHLIB)
link_app.irix:
@LDFLAGS="$(CFLAGS) $(LDFLAGS)"; \
@LDFLAGS='$(CFLAGS) $(LDFLAGS)'; \
$(LINK_APP)
# 32-bit PA-RISC HP-UX embeds the -L pathname of libs we link with, so
@@ -411,7 +411,7 @@ link_dso.hpux:
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$(SHLIBNAME_FULL),+cdp,../:,+cdp,./:"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$(SHLIBNAME_FULL),+cdp,../:,+cdp,./:'; \
fi; \
rm -f $(SHLIBNAME_FULL) || :; \
$(LINK_SO_DSO) && chmod a=rx $(SHLIBNAME_FULL)
@@ -420,18 +420,18 @@ link_shlib.hpux:
ALLSYMSFLAGS='-Wl,-Fl'; \
NOALLSYMSFLAGS=''; \
expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$(SHLIBNAME_FULL),+cdp,../:,+cdp,./:"; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$(SHLIBNAME_FULL),+cdp,../:,+cdp,./:'; \
fi; \
rm -f $(SHLIBNAME_FULL) || :; \
$(LINK_SO_SHLIB) && chmod a=rx $(SHLIBNAME_FULL)
link_app.hpux:
@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,+s,+cdp,../:,+cdp,./:"; \
LDFLAGS='$(CFLAGS) $(LDFLAGS) -Wl,+s,+cdp,../:,+cdp,./:'; \
fi; \
$(LINK_APP)
link_dso.aix:
@OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || :; \
@OBJECT_MODE=`expr 'x$(SHARED_LDFLAGS)' : 'x\-[a-z]*\(64\)'` || :; \
OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
@@ -439,7 +439,7 @@ link_dso.aix:
rm -f $(SHLIBNAME_FULL) 2>&1 > /dev/null ; \
$(LINK_SO_DSO);
link_shlib.aix:
@ OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || : ; \
@ OBJECT_MODE=`expr 'x$(SHARED_LDFLAGS)' : 'x\-[a-z]*\(64\)'` || : ; \
OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
ALLSYMSFLAGS='-bnogc'; \
NOALLSYMSFLAGS=''; \
@@ -447,7 +447,7 @@ link_shlib.aix:
rm -f $(SHLIBNAME_FULL) 2>&1 > /dev/null ; \
$(LINK_SO_SHLIB_VIA_O)
link_app.aix:
LDFLAGS="$(CFLAGS) -Wl,-bsvr4 $(LDFLAGS)"; \
LDFLAGS='$(CFLAGS) -Wl,-bsvr4 $(LDFLAGS)'; \
$(LINK_APP)

14
NEWS
View File

@@ -5,6 +5,20 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [10 Sep 2019]
o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
(CVE-2019-1563)
o For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters
o Compute ECC cofactors if not provided during EC_GROUP construction
(CVE-2019-1547)
o Use Windows installation paths in the mingw builds (CVE-2019-1552)
Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [28 May 2019]
o Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018]
o Timing vulnerability in DSA signature generation (CVE-2018-0734)

15
NOTES.WIN
View File

@@ -107,6 +107,21 @@
and i686-w64-mingw32-.
Independently of the method chosen to build for mingw, the installation
paths are similar to those used when building with VC-* targets, except
that in case the fallbacks mentioned there aren't possible (typically
when cross compiling on Linux), the paths will be the following:
For mingw:
PREFIX: C:/Program Files (x86)/OpenSSL
OPENSSLDIR C:/Program Files (x86)/Common Files/SSL
For mingw64:
PREFIX: C:/Program Files/OpenSSL
OPENSSLDIR C:/Program Files/Common Files/SSL
Linking your application
------------------------

4
README
View File

@@ -1,7 +1,7 @@
OpenSSL 1.1.0j 20 Nov 2018
OpenSSL 1.1.0l 10 Sep 2019
Copyright (c) 1998-2018 The OpenSSL Project
Copyright (c) 1998-2019 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.

16
apps/req.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -743,9 +743,19 @@ int req_main(int argc, char **argv)
if (text) {
if (x509)
X509_print_ex(out, x509ss, nmflag, reqflag);
ret = X509_print_ex(out, x509ss, nmflag, reqflag);
else
X509_REQ_print_ex(out, req, nmflag, reqflag);
ret = X509_REQ_print_ex(out, req, nmflag, reqflag);
if (ret == 0) {
if (x509)
BIO_printf(bio_err, "Error printing certificate\n");
else
BIO_printf(bio_err, "Error printing certificate request\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (subject) {

3
apps/speed.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -537,7 +537,6 @@ static const OPT_PAIR ecdh_choices[] = {
{"ecdhb409", R_EC_B409},
{"ecdhb571", R_EC_B571},
{"ecdhx25519", R_EC_X25519},
{NULL}
};
# define EC_NUM OSSL_NELEM(ecdh_choices)

28
crypto/asn1/ameth_lib.c
View File

@@ -179,6 +179,22 @@ int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth)
{
EVP_PKEY_ASN1_METHOD tmp = { 0, };
/*
* One of the following must be true:
*
* pem_str == NULL AND ASN1_PKEY_ALIAS is set
* pem_str != NULL AND ASN1_PKEY_ALIAS is clear
*
* Anything else is an error and may lead to a corrupt ASN1 method table
*/
if (!((ameth->pem_str == NULL
&& (ameth->pkey_flags & ASN1_PKEY_ALIAS) != 0)
|| (ameth->pem_str != NULL
&& (ameth->pkey_flags & ASN1_PKEY_ALIAS) == 0))) {
EVPerr(EVP_F_EVP_PKEY_ASN1_ADD0, ERR_R_PASSED_INVALID_ARGUMENT);
return 0;
}
if (app_methods == NULL) {
app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp);
if (app_methods == NULL)
@@ -255,18 +271,6 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
goto err;
}
/*
* One of the following must be true:
*
* pem_str == NULL AND ASN1_PKEY_ALIAS is set
* pem_str != NULL AND ASN1_PKEY_ALIAS is clear
*
* Anything else is an error and may lead to a corrupt ASN1 method table
*/
if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0)
|| (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0)))
goto err;
if (pem_str) {
ameth->pem_str = OPENSSL_strdup(pem_str);
if (!ameth->pem_str)

19
crypto/asn1/x_bignum.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -130,9 +130,20 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
int utype, char *free_cont, const ASN1_ITEM *it)
{
if (!*pval)
bn_secure_new(pval, it);
return bn_c2i(pval, cont, len, utype, free_cont, it);
int ret;
BIGNUM *bn;
if (!*pval && !bn_secure_new(pval, it))
return 0;
ret = bn_c2i(pval, cont, len, utype, free_cont, it);
if (!ret)
return 0;
/* Set constant-time flag for all secure BIGNUMS */
bn = (BIGNUM *)*pval;
BN_set_flags(bn, BN_FLG_CONSTTIME);
return ret;
}
static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,

11
crypto/bio/bss_file.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -255,9 +255,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
}
# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
int fd = fileno((FILE *)ptr);
if (num & BIO_FP_TEXT)
setmode(fd, O_TEXT);
else
if (!(num & BIO_FP_TEXT))
setmode(fd, O_BINARY);
# endif
}
@@ -281,11 +279,14 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
ret = 0;
break;
}
# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32_CYGWIN)
# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
if (!(num & BIO_FP_TEXT))
strcat(p, "b");
else
strcat(p, "t");
# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
if (!(num & BIO_FP_TEXT))
strcat(p, "b");
# endif
fp = openssl_fopen(ptr, p);
if (fp == NULL) {

4
crypto/bn/bn_ctx.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -227,6 +227,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx)
}
/* OK, make sure the returned bignum is "zero" */
BN_zero(ret);
/* clear BN_FLG_CONSTTIME if leaked from previous frames */
ret->flags &= (~BN_FLG_CONSTTIME);
ctx->used++;
CTXDBG_RET(ctx, ret);
return ret;

86
crypto/bn/bn_lib.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -132,13 +132,57 @@ int BN_num_bits_word(BN_ULONG l)
return bits;
}
/*
* This function still leaks `a->dmax`: it's caller's responsibility to
* expand the input `a` in advance to a public length.
*/
static ossl_inline
int bn_num_bits_consttime(const BIGNUM *a)
{
int j, ret;
unsigned int mask, past_i;
int i = a->top - 1;
bn_check_top(a);
for (j = 0, past_i = 0, ret = 0; j < a->dmax; j++) {
mask = constant_time_eq_int(i, j); /* 0xff..ff if i==j, 0x0 otherwise */
ret += BN_BITS2 & (~mask & ~past_i);
ret += BN_num_bits_word(a->d[j]) & mask;
past_i |= mask; /* past_i will become 0xff..ff after i==j */
}
/*
* if BN_is_zero(a) => i is -1 and ret contains garbage, so we mask the
* final result.
*/
mask = ~(constant_time_eq_int(i, ((int)-1)));
return ret & mask;
}
int BN_num_bits(const BIGNUM *a)
{
int i = a->top - 1;
bn_check_top(a);
if (a->flags & BN_FLG_CONSTTIME) {
/*
* We assume that BIGNUMs flagged as CONSTTIME have also been expanded
* so that a->dmax is not leaking secret information.
*
* In other words, it's the caller's responsibility to ensure `a` has
* been preallocated in advance to a public length if we hit this
* branch.
*
*/
return bn_num_bits_consttime(a);
}
if (BN_is_zero(a))
return 0;
return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
}
@@ -499,8 +543,11 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
return (ret);
}
typedef enum {big, little} endianess_t;
/* ignore negative */
static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
static
int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianess_t endianess)
{
int n;
size_t i, lasti, j, atop, mask;
@@ -532,10 +579,17 @@ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
lasti = atop - 1;
atop = a->top * BN_BYTES;
for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) {
if (endianess == big)
to += tolen; /* start from the end of the buffer */
for (i = 0, j = 0; j < (size_t)tolen; j++) {
unsigned char val;
l = a->d[i / BN_BYTES];
mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
*--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
if (endianess == big)
*--to = val;
else
*to++ = val;
i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
}
@@ -546,12 +600,12 @@ int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
{
if (tolen < 0)
return -1;
return bn2binpad(a, to, tolen);
return bn2binpad(a, to, tolen, big);
}
int BN_bn2bin(const BIGNUM *a, unsigned char *to)
{
return bn2binpad(a, to, -1);
return bn2binpad(a, to, -1, big);
}
BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
@@ -603,22 +657,9 @@ BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
{
int i;
BN_ULONG l;
bn_check_top(a);
i = BN_num_bytes(a);
if (tolen < i)
if (tolen < 0)
return -1;
/* Add trailing zeroes if necessary */
if (tolen > i)
memset(to + i, 0, tolen - i);
to += i;
while (i--) {
l = a->d[i / BN_BYTES];
to--;
*to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
}
return tolen;
return bn2binpad(a, to, tolen, little);
}
int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
@@ -780,6 +821,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
int i;
BN_ULONG aa, bb;
if (n == 0)
return 0;
aa = a[n - 1];
bb = b[n - 1];
if (aa != bb)

7
crypto/bn/bn_rand.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -215,8 +215,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
goto err;
/* We copy |priv| into a local buffer to avoid exposing its length. */
todo = sizeof(priv->d[0]) * priv->top;
if (todo > sizeof(private_bytes)) {
if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
/*
* No reasonable DSA or ECDSA key should have a private key this
* large and we don't handle this case in order to avoid leaking the
@@ -225,8 +224,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);
goto err;
}
memcpy(private_bytes, priv->d, todo);
memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
for (done = 0; done < num_k_bytes;) {
if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1)

20
crypto/cms/cms_env.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -363,6 +363,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
unsigned char *ek = NULL;
size_t eklen;
int ret = 0;
size_t fixlen = 0;
CMS_EncryptedContentInfo *ec;
ec = cms->d.envelopedData->encryptedContentInfo;
@@ -371,6 +372,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
return 0;
}
if (cms->d.envelopedData->encryptedContentInfo->havenocert
&& !cms->d.envelopedData->encryptedContentInfo->debug) {
X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
if (ciph == NULL) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
return 0;
}
fixlen = EVP_CIPHER_key_length(ciph);
}
ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
if (ktri->pctx == NULL)
return 0;
@@ -401,7 +415,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
ktri->encryptedKey->data,
ktri->encryptedKey->length) <= 0) {
ktri->encryptedKey->length) <= 0
|| eklen == 0
|| (fixlen != 0 && eklen != fixlen)) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
goto err;
}

4
crypto/cms/cms_lcl.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -129,6 +129,8 @@ struct CMS_EncryptedContentInfo_st {
size_t keylen;
/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
int debug;
/* Set to 1 if we have no cert and need extra safety measures for MMA */
int havenocert;
};
struct CMS_RecipientInfo_st {

6
crypto/cms/cms_smime.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -743,6 +743,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
cms->d.envelopedData->encryptedContentInfo->debug = 1;
else
cms->d.envelopedData->encryptedContentInfo->debug = 0;
if (!cert)
cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
else
cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
if (!pk && !cert && !dcont && !out)
return 1;
if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))

6
crypto/dh/dh_lib.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -233,11 +233,11 @@ void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
{
if (pub_key != NULL) {
BN_free(dh->pub_key);
BN_clear_free(dh->pub_key);
dh->pub_key = pub_key;
}
if (priv_key != NULL) {
BN_free(dh->priv_key);
BN_clear_free(dh->priv_key);
dh->priv_key = priv_key;
}

4
crypto/dh/dh_pmeth.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -51,7 +51,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx)
dctx = OPENSSL_zalloc(sizeof(*dctx));
if (dctx == NULL)
return 0;
dctx->prime_len = 1024;
dctx->prime_len = 2048;
dctx->subprime_len = -1;
dctx->generator = 2;
dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;

10
crypto/dsa/dsa_pmeth.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -20,8 +20,8 @@
typedef struct {
/* Parameter gen parameters */
int nbits; /* size of p in bits (default: 1024) */
int qbits; /* size of q in bits (default: 160) */
int nbits; /* size of p in bits (default: 2048) */
int qbits; /* size of q in bits (default: 224) */
const EVP_MD *pmd; /* MD for parameter generation */
/* Keygen callback info */
int gentmp[2];
@@ -35,8 +35,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx)
dctx = OPENSSL_malloc(sizeof(*dctx));
if (dctx == NULL)
return 0;
dctx->nbits = 1024;
dctx->qbits = 160;
dctx->nbits = 2048;
dctx->qbits = 224;
dctx->pmd = NULL;
dctx->md = NULL;

11
crypto/ec/ec2_oct.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -251,7 +251,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
BN_CTX *ctx)
{
point_conversion_form_t form;
int y_bit;
int y_bit, m;
BN_CTX *new_ctx = NULL;
BIGNUM *x, *y, *yxi;
size_t field_len, enc_len;
@@ -284,7 +284,8 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
return EC_POINT_set_to_infinity(group, point);
}
field_len = (EC_GROUP_get_degree(group) + 7) / 8;
m = EC_GROUP_get_degree(group);
field_len = (m + 7) / 8;
enc_len =
(form ==
POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len;
@@ -309,7 +310,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
if (!BN_bin2bn(buf + 1, field_len, x))
goto err;
if (BN_ucmp(x, group->field) >= 0) {
if (BN_num_bits(x) > m) {
ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
goto err;
}
@@ -321,7 +322,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
} else {
if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
goto err;
if (BN_ucmp(y, group->field) >= 0) {
if (BN_num_bits(y) > m) {
ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
goto err;
}

140
crypto/ec/ec2_smpl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -29,67 +29,6 @@
#ifndef OPENSSL_NO_EC2M
const EC_METHOD *EC_GF2m_simple_method(void)
{
static const EC_METHOD ret = {
EC_FLAGS_DEFAULT_OCT,
NID_X9_62_characteristic_two_field,
ec_GF2m_simple_group_init,
ec_GF2m_simple_group_finish,
ec_GF2m_simple_group_clear_finish,
ec_GF2m_simple_group_copy,
ec_GF2m_simple_group_set_curve,
ec_GF2m_simple_group_get_curve,
ec_GF2m_simple_group_get_degree,
ec_group_simple_order_bits,
ec_GF2m_simple_group_check_discriminant,
ec_GF2m_simple_point_init,
ec_GF2m_simple_point_finish,
ec_GF2m_simple_point_clear_finish,
ec_GF2m_simple_point_copy,
ec_GF2m_simple_point_set_to_infinity,
0 /* set_Jprojective_coordinates_GFp */ ,
0 /* get_Jprojective_coordinates_GFp */ ,
ec_GF2m_simple_point_set_affine_coordinates,
ec_GF2m_simple_point_get_affine_coordinates,
0, 0, 0,
ec_GF2m_simple_add,
ec_GF2m_simple_dbl,
ec_GF2m_simple_invert,
ec_GF2m_simple_is_at_infinity,
ec_GF2m_simple_is_on_curve,
ec_GF2m_simple_cmp,
ec_GF2m_simple_make_affine,
ec_GF2m_simple_points_make_affine,
/*
* the following three method functions are defined in ec2_mult.c
*/
ec_GF2m_simple_mul,
ec_GF2m_precompute_mult,
ec_GF2m_have_precompute_mult,
ec_GF2m_simple_field_mul,
ec_GF2m_simple_field_sqr,
ec_GF2m_simple_field_div,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
ec_key_simple_priv2oct,
ec_key_simple_oct2priv,
0, /* set private */
ec_key_simple_generate_key,
ec_key_simple_check_key,
ec_key_simple_generate_public_key,
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
0 /* blind_coordinates */
};
return &ret;
}
/*
* Initialize a GF(2^m)-based EC_GROUP structure. Note that all other members
* are handled by EC_GROUP_new.
@@ -757,4 +696,81 @@ int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r,
return BN_GF2m_mod_div(r, a, b, group->field, ctx);
}
/*-
* Computes the multiplicative inverse of a in GF(2^m), storing the result in r.
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
* SCA hardening is with blinding: BN_GF2m_mod_inv does that.
*/
static int ec_GF2m_simple_field_inv(const EC_GROUP *group, BIGNUM *r,
const BIGNUM *a, BN_CTX *ctx)
{
int ret;
if (!(ret = BN_GF2m_mod_inv(r, a, group->field, ctx)))
ECerr(EC_F_EC_GF2M_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
return ret;
}
const EC_METHOD *EC_GF2m_simple_method(void)
{
static const EC_METHOD ret = {
EC_FLAGS_DEFAULT_OCT,
NID_X9_62_characteristic_two_field,
ec_GF2m_simple_group_init,
ec_GF2m_simple_group_finish,
ec_GF2m_simple_group_clear_finish,
ec_GF2m_simple_group_copy,
ec_GF2m_simple_group_set_curve,
ec_GF2m_simple_group_get_curve,
ec_GF2m_simple_group_get_degree,
ec_group_simple_order_bits,
ec_GF2m_simple_group_check_discriminant,
ec_GF2m_simple_point_init,
ec_GF2m_simple_point_finish,
ec_GF2m_simple_point_clear_finish,
ec_GF2m_simple_point_copy,
ec_GF2m_simple_point_set_to_infinity,
0 /* set_Jprojective_coordinates_GFp */ ,
0 /* get_Jprojective_coordinates_GFp */ ,
ec_GF2m_simple_point_set_affine_coordinates,
ec_GF2m_simple_point_get_affine_coordinates,
0, 0, 0,
ec_GF2m_simple_add,
ec_GF2m_simple_dbl,
ec_GF2m_simple_invert,
ec_GF2m_simple_is_at_infinity,
ec_GF2m_simple_is_on_curve,
ec_GF2m_simple_cmp,
ec_GF2m_simple_make_affine,
ec_GF2m_simple_points_make_affine,
/*
* the following three method functions are defined in ec2_mult.c
*/
ec_GF2m_simple_mul,
ec_GF2m_precompute_mult,
ec_GF2m_have_precompute_mult,
ec_GF2m_simple_field_mul,
ec_GF2m_simple_field_sqr,
ec_GF2m_simple_field_div,
ec_GF2m_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
ec_key_simple_priv2oct,
ec_key_simple_oct2priv,
0, /* set private */
ec_key_simple_generate_key,
ec_key_simple_check_key,
ec_key_simple_generate_public_key,
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
0 /* blind_coordinates */
};
return &ret;
}
#endif

75
crypto/ec/ec_asn1.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -599,10 +599,12 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
{
int ok = 0, tmp;
EC_GROUP *ret = NULL;
EC_GROUP *ret = NULL, *dup = NULL;
BIGNUM *p = NULL, *a = NULL, *b = NULL;
EC_POINT *point = NULL;
long field_bits;
int curve_name = NID_undef;
BN_CTX *ctx = NULL;
if (!params->fieldID || !params->fieldID->fieldType ||
!params->fieldID->p.ptr) {
@@ -815,19 +817,80 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
goto err;
}
/*
* Check if the explicit parameters group just created matches one of the
* built-in curves.
*
* We create a copy of the group just built, so that we can remove optional
* fields for the lookup: we do this to avoid the possibility that one of
* the optional parameters is used to force the library into using a less
* performant and less secure EC_METHOD instead of the specialized one.
* In any case, `seed` is not really used in any computation, while a
* cofactor different from the one in the built-in table is just
* mathematically wrong anyway and should not be used.
*/
if ((ctx = BN_CTX_new()) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_BN_LIB);
goto err;
}
if ((dup = EC_GROUP_dup(ret)) == NULL
|| EC_GROUP_set_seed(dup, NULL, 0) != 1
|| !EC_GROUP_set_generator(dup, point, a, NULL)) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
goto err;
}
if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) {
/*
* The input explicit parameters successfully matched one of the
* built-in curves: often for built-in curves we have specialized
* methods with better performance and hardening.
*
* In this case we replace the `EC_GROUP` created through explicit
* parameters with one created from a named group.
*/
EC_GROUP *named_group = NULL;
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
/*
* NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for
* the same curve, we prefer the SECP nid when matching explicit
* parameters as that is associated with a specialized EC_METHOD.
*/
if (curve_name == NID_wap_wsg_idm_ecid_wtls12)
curve_name = NID_secp224r1;
#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
if ((named_group = EC_GROUP_new_by_curve_name(curve_name)) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
goto err;
}
EC_GROUP_free(ret);
ret = named_group;
/*
* Set the flag so that EC_GROUPs created from explicit parameters are
* serialized using explicit parameters by default.
*/
EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
}
ok = 1;
err:
if (!ok) {
EC_GROUP_clear_free(ret);
EC_GROUP_free(ret);
ret = NULL;
}
EC_GROUP_free(dup);
BN_free(p);
BN_free(a);
BN_free(b);
EC_POINT_free(point);
return (ret);
BN_CTX_free(ctx);
return ret;
}
EC_GROUP *EC_GROUP_new_from_ecpkparameters(const ECPKPARAMETERS *params)
@@ -887,7 +950,7 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
}
if (a) {
EC_GROUP_clear_free(*a);
EC_GROUP_free(*a);
*a = group;
}
@@ -935,7 +998,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
ret = *a;
if (priv_key->parameters) {
EC_GROUP_clear_free(ret->group);
EC_GROUP_free(ret->group);
ret->group = EC_GROUP_new_from_ecpkparameters(priv_key->parameters);
}

157
crypto/ec/ec_curve.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -3167,3 +3167,158 @@ int EC_curve_nist2nid(const char *name)
}
return NID_undef;
}
static ossl_inline
int ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
BIGNUM *b, BN_CTX *ctx)
{
int field_nid;
field_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
#ifndef OPENSSL_NO_EC2M
if (field_nid == NID_X9_62_characteristic_two_field) {
return EC_GROUP_get_curve_GF2m(group, p, a, b, ctx);
} else
#endif /* !def(OPENSSL_NO_EC2M) */
if (field_nid == NID_X9_62_prime_field) {
return EC_GROUP_get_curve_GFp(group, p, a, b, ctx);
} else {
/* this should never happen */
return 0;
}
}
static ossl_inline
int ec_point_get_affine_coordinates(const EC_GROUP *group,
const EC_POINT *point, BIGNUM *x,
BIGNUM *y, BN_CTX *ctx)
{
int field_nid;
field_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
#ifndef OPENSSL_NO_EC2M
if (field_nid == NID_X9_62_characteristic_two_field) {
return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
} else
#endif /* !def(OPENSSL_NO_EC2M) */
if (field_nid == NID_X9_62_prime_field) {
return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
} else {
/* this should never happen */
return 0;
}
}
#define NUM_BN_FIELDS 6
/*
* Validates EC domain parameter data for known named curves.
* This can be used when a curve is loaded explicitly (without a curve
* name) or to validate that domain parameters have not been modified.
*
* Returns: The nid associated with the found named curve, or NID_undef
* if not found. If there was an error it returns -1.
*/
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
{
int ret = -1, nid, len, field_type, param_len;
size_t i, seed_len;
const unsigned char *seed, *params_seed, *params;
unsigned char *param_bytes = NULL;
const EC_CURVE_DATA *data;
const EC_POINT *generator = NULL;
const EC_METHOD *meth;
const BIGNUM *cofactor = NULL;
/* An array of BIGNUMs for (p, a, b, x, y, order) */
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
meth = EC_GROUP_method_of(group);
if (meth == NULL)
return -1;
/* Use the optional named curve nid as a search field */
nid = EC_GROUP_get_curve_name(group);
field_type = EC_METHOD_get_field_type(meth);
seed_len = EC_GROUP_get_seed_len(group);
seed = EC_GROUP_get0_seed(group);
cofactor = EC_GROUP_get0_cofactor(group);
BN_CTX_start(ctx);
/*
* The built-in curves contains data fields (p, a, b, x, y, order) that are
* all zero-padded to be the same size. The size of the padding is
* determined by either the number of bytes in the field modulus (p) or the
* EC group order, whichever is larger.
*/
param_len = BN_num_bytes(group->order);
len = BN_num_bytes(group->field);
if (len > param_len)
param_len = len;
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
if (param_bytes == NULL)
goto end;
/* Create the bignums */
for (i = 0; i < NUM_BN_FIELDS; ++i) {
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
goto end;
}
/*
* Fill in the bn array with the same values as the internal curves
* i.e. the values are p, a, b, x, y, order.
*/
/* Get p, a & b */
if (!(ec_group_get_curve(group, bn[0], bn[1], bn[2], ctx)
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
/* Get x & y */
&& ec_point_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
/* Get order */
&& EC_GROUP_get_order(group, bn[5], ctx)))
goto end;
/*
* Convert the bignum array to bytes that are joined together to form
* a single buffer that contains data for all fields.
* (p, a, b, x, y, order) are all zero padded to be the same size.
*/
for (i = 0; i < NUM_BN_FIELDS; ++i) {
if (BN_bn2binpad(bn[i], &param_bytes[i*param_len], param_len) <= 0)
goto end;
}
for (i = 0; i < curve_list_length; i++) {
const ec_list_element curve = curve_list[i];
data = curve.data;
/* Get the raw order byte data */
params_seed = (const unsigned char *)(data + 1); /* skip header */
params = params_seed + data->seed_len;
/* Look for unique fields in the fixed curve data */
if (data->field_type == field_type
&& param_len == data->param_len
&& (nid <= 0 || nid == curve.nid)
/* check the optional cofactor (ignore if its zero) */
&& (BN_is_zero(cofactor)
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
/* Check the optional seed (ignore if its not set) */
&& (data->seed_len == 0 || seed_len == 0
|| ((size_t)data->seed_len == seed_len
&& memcmp(params_seed, seed, seed_len) == 0))
/* Check that the groups params match the built-in curve params */
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
== 0) {
ret = curve.nid;
goto end;
}
}
/* Gets here if the group was not found */
ret = NID_undef;
end:
OPENSSL_free(param_bytes);
BN_CTX_end(ctx);
return ret;
}

7
crypto/ec/ec_err.c
View File

@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -58,6 +58,7 @@ static ERR_STRING_DATA EC_str_functs[] = {
{ERR_FUNC(EC_F_EC_ASN1_GROUP2FIELDID), "ec_asn1_group2fieldid"},
{ERR_FUNC(EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY),
"ec_GF2m_montgomery_point_multiply"},
{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_FIELD_INV), "ec_GF2m_simple_field_inv"},
{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT),
"ec_GF2m_simple_group_check_discriminant"},
{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE),
@@ -72,6 +73,7 @@ static ERR_STRING_DATA EC_str_functs[] = {
"ec_GF2m_simple_set_compressed_coordinates"},
{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_DECODE), "ec_GFp_mont_field_decode"},
{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_ENCODE), "ec_GFp_mont_field_encode"},
{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_INV), "ec_GFp_mont_field_inv"},
{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_MUL), "ec_GFp_mont_field_mul"},
{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE),
"ec_GFp_mont_field_set_to_one"},
@@ -99,6 +101,7 @@ static ERR_STRING_DATA EC_str_functs[] = {
"ec_GFp_nist_group_set_curve"},
{ERR_FUNC(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES),
"ec_GFp_simple_blind_coordinates"},
{ERR_FUNC(EC_F_EC_GFP_SIMPLE_FIELD_INV), "ec_GFp_simple_field_inv"},
{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT),
"ec_GFp_simple_group_check_discriminant"},
{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE),
@@ -211,6 +214,7 @@ static ERR_STRING_DATA EC_str_reasons[] = {
{ERR_REASON(EC_R_BAD_SIGNATURE), "bad signature"},
{ERR_REASON(EC_R_BIGNUM_OUT_OF_RANGE), "bignum out of range"},
{ERR_REASON(EC_R_BUFFER_TOO_SMALL), "buffer too small"},
{ERR_REASON(EC_R_CANNOT_INVERT), "cannot invert"},
{ERR_REASON(EC_R_COORDINATES_OUT_OF_RANGE), "coordinates out of range"},
{ERR_REASON(EC_R_CURVE_DOES_NOT_SUPPORT_ECDH),
"curve does not support ecdh"},
@@ -269,6 +273,7 @@ static ERR_STRING_DATA EC_str_reasons[] = {
{ERR_REASON(EC_R_SLOT_FULL), "slot full"},
{ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"},
{ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"},
{ERR_REASON(EC_R_UNKNOWN_COFACTOR), "unknown cofactor"},
{ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"},
{ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"},
{ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"},

15
crypto/ec/ec_lcl.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -150,6 +150,13 @@ struct ec_method_st {
int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
/*-
* 'field_inv' computes the multipicative inverse of a in the field,
* storing the result in r.
*
* If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
*/
int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
/* e.g. to Montgomery */
int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
@@ -376,6 +383,8 @@ int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
BN_CTX *ctx);
@@ -390,6 +399,8 @@ int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
@@ -571,6 +582,8 @@ int ec_key_simple_generate_key(EC_KEY *eckey);
int ec_key_simple_generate_public_key(EC_KEY *eckey);
int ec_key_simple_check_key(const EC_KEY *eckey);
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx);
/* EC_METHOD definitions */
struct ec_key_method_st {

105
crypto/ec/ec_lib.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -257,6 +257,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
return meth->field_type;
}
/*-
* Try computing cofactor from the generator order (n) and field cardinality (q).
* This works for all curves of cryptographic interest.
*
* Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
* h_min = (q + 1 - 2*sqrt(q))/n
* h_max = (q + 1 + 2*sqrt(q))/n
* h_max - h_min = 4*sqrt(q)/n
* So if n > 4*sqrt(q) holds, there is only one possible value for h:
* h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
*
* Otherwise, zero cofactor and return success.
*/
static int ec_guess_cofactor(EC_GROUP *group) {
int ret = 0;
BN_CTX *ctx = NULL;
BIGNUM *q = NULL;
/*-
* If the cofactor is too large, we cannot guess it.
* The RHS of below is a strict overestimate of lg(4 * sqrt(q))
*/
if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {
/* default to 0 */
BN_zero(group->cofactor);
/* return success */
return 1;
}
if ((ctx = BN_CTX_new()) == NULL)
return 0;
BN_CTX_start(ctx);
if ((q = BN_CTX_get(ctx)) == NULL)
goto err;
/* set q = 2**m for binary fields; q = p otherwise */
if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
BN_zero(q);
if (!BN_set_bit(q, BN_num_bits(group->field) - 1))
goto err;
} else {
if (!BN_copy(q, group->field))
goto err;
}
/* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
if (!BN_rshift1(group->cofactor, group->order) /* n/2 */
|| !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */
/* q + 1 + n/2 */
|| !BN_add(group->cofactor, group->cofactor, BN_value_one())
/* (q + 1 + n/2)/n */
|| !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ret;
}
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
const BIGNUM *order, const BIGNUM *cofactor)
{
@@ -265,6 +326,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
return 0;
}
/* require group->field >= 1 */
if (group->field == NULL || BN_is_zero(group->field)
|| BN_is_negative(group->field)) {
ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
return 0;
}
/*-
* - require order >= 1
* - enforce upper bound due to Hasse thm: order can be no more than one bit
* longer than field cardinality
*/
if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
|| BN_num_bits(order) > BN_num_bits(group->field) + 1) {
ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
return 0;
}
/*-
* Unfortunately the cofactor is an optional field in many standards.
* Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
* So accept cofactor == NULL or cofactor >= 0.
*/
if (cofactor != NULL && BN_is_negative(cofactor)) {
ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
return 0;
}
if (group->generator == NULL) {
group->generator = EC_POINT_new(group);
if (group->generator == NULL)
@@ -273,17 +362,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
if (!EC_POINT_copy(group->generator, generator))
return 0;
if (order != NULL) {
if (!BN_copy(group->order, order))
return 0;
} else
BN_zero(group->order);
if (!BN_copy(group->order, order))
return 0;
if (cofactor != NULL) {
/* Either take the provided positive cofactor, or try to compute it */
if (cofactor != NULL && !BN_is_zero(cofactor)) {
if (!BN_copy(group->cofactor, cofactor))
return 0;
} else
} else if (!ec_guess_cofactor(group)) {
BN_zero(group->cofactor);
return 0;
}
/*
* Some groups have an order with

4
crypto/ec/ec_mult.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -325,7 +325,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
ret = 1;
err:
EC_POINT_free(s);
EC_POINT_clear_free(s);
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);

4
crypto/ec/ecdh_ossl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -138,7 +138,7 @@ int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
ret = 1;
err:
EC_POINT_free(tmp);
EC_POINT_clear_free(tmp);
if (ctx)
BN_CTX_end(ctx);
BN_CTX_free(ctx);

51
crypto/ec/ecp_mont.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -55,6 +55,7 @@ const EC_METHOD *EC_GFp_mont_method(void)
ec_GFp_mont_field_mul,
ec_GFp_mont_field_sqr,
0 /* field_div */ ,
ec_GFp_mont_field_inv,
ec_GFp_mont_field_encode,
ec_GFp_mont_field_decode,
ec_GFp_mont_field_set_to_one,
@@ -207,6 +208,54 @@ int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
}
/*-
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
* We have a Mont structure, so SCA hardening is FLT inversion.
*/
int ec_GFp_mont_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
{
BIGNUM *e = NULL;
BN_CTX *new_ctx = NULL;
int ret = 0;
if (group->field_data1 == NULL)
return 0;
if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
return 0;
BN_CTX_start(ctx);
if ((e = BN_CTX_get(ctx)) == NULL)
goto err;
/* Inverse in constant time with Fermats Little Theorem */
if (!BN_set_word(e, 2))
goto err;
if (!BN_sub(e, group->field, e))
goto err;
/*-
* Exponent e is public.
* No need for scatter-gather or BN_FLG_CONSTTIME.
*/
if (!BN_mod_exp_mont(r, a, e, group->field, ctx, group->field_data1))
goto err;
/* throw an error on zero */
if (BN_is_zero(r)) {
ECerr(EC_F_EC_GFP_MONT_FIELD_INV, EC_R_CANNOT_INVERT);
goto err;
}
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r,
const BIGNUM *a, BN_CTX *ctx)
{

3
crypto/ec/ecp_nist.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -57,6 +57,7 @@ const EC_METHOD *EC_GFp_nist_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */

69
crypto/ec/ecp_nistp224.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -279,6 +279,7 @@ const EC_METHOD *EC_GFp_nistp224_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
@@ -319,34 +320,21 @@ static void felem_to_bin28(u8 out[28], const felem in)
}
}
/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
static void flip_endian(u8 *out, const u8 *in, unsigned len)
{
unsigned i;
for (i = 0; i < len; ++i)
out[i] = in[len - 1 - i];
}
/* From OpenSSL BIGNUM to internal representation */
static int BN_to_felem(felem out, const BIGNUM *bn)
{
felem_bytearray b_in;
felem_bytearray b_out;
unsigned num_bytes;
int num_bytes;
/* BN_bn2bin eats leading zeroes */
memset(b_out, 0, sizeof(b_out));
num_bytes = BN_num_bytes(bn);
if (num_bytes > sizeof(b_out)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
if (BN_is_negative(bn)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
num_bytes = BN_bn2bin(bn, b_in);
flip_endian(b_out, b_in, num_bytes);
num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
if (num_bytes < 0) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
bin28_to_felem(out, b_out);
return 1;
}
@@ -354,10 +342,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
/* From internal representation to OpenSSL BIGNUM */
static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
{
felem_bytearray b_in, b_out;
felem_to_bin28(b_in, in);
flip_endian(b_out, b_in, sizeof(b_out));
return BN_bin2bn(b_out, sizeof(b_out), out);
felem_bytearray b_out;
felem_to_bin28(b_out, in);
return BN_lebin2bn(b_out, sizeof(b_out), out);
}
/******************************************************************************/
@@ -1401,8 +1388,7 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
felem_bytearray *secrets = NULL;
felem (*pre_comp)[17][3] = NULL;
felem *tmp_felems = NULL;
felem_bytearray tmp;
unsigned num_bytes;
int num_bytes;
int have_pre_comp = 0;
size_t num_points = num;
felem x_in, y_in, z_in, x_out, y_out, z_out;
@@ -1479,14 +1465,12 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
* i.e., they contribute nothing to the linear combination
*/
for (i = 0; i < num_points; ++i) {
if (i == num)
if (i == num) {
/* the generator */
{
p = EC_GROUP_get0_generator(group);
p_scalar = scalar;
} else
} else {
/* the i^th point */
{
p = points[i];
p_scalar = scalars[i];
}
@@ -1502,10 +1486,16 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
num_bytes = BN_bn2bin(tmp_scalar, tmp);
} else
num_bytes = BN_bn2bin(p_scalar, tmp);
flip_endian(secrets[i], tmp, num_bytes);
num_bytes = BN_bn2lebinpad(tmp_scalar,
secrets[i], sizeof(secrets[i]));
} else {
num_bytes = BN_bn2lebinpad(p_scalar,
secrets[i], sizeof(secrets[i]));
}
if (num_bytes < 0) {
ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
/* precompute multiples */
if ((!BN_to_felem(x_out, p->X)) ||
(!BN_to_felem(y_out, p->Y)) ||
@@ -1548,20 +1538,21 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
num_bytes = BN_bn2bin(tmp_scalar, tmp);
} else
num_bytes = BN_bn2bin(scalar, tmp);
flip_endian(g_secret, tmp, num_bytes);
num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
} else {
num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
}
/* do the multiplication with generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
g_secret,
mixed, (const felem(*)[17][3])pre_comp, g_pre_comp);
} else
} else {
/* do the multiplication without generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
NULL, mixed, (const felem(*)[17][3])pre_comp, NULL);
}
/* reduce the output to its unique minimal representation */
felem_contract(x_in, x_out);
felem_contract(y_in, y_out);

70
crypto/ec/ecp_nistp256.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -146,34 +146,21 @@ static void smallfelem_to_bin32(u8 out[32], const smallfelem in)
*((u64 *)&out[24]) = in[3];
}
/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
static void flip_endian(u8 *out, const u8 *in, unsigned len)
{
unsigned i;
for (i = 0; i < len; ++i)
out[i] = in[len - 1 - i];
}
/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
static int BN_to_felem(felem out, const BIGNUM *bn)
{
felem_bytearray b_in;
felem_bytearray b_out;
unsigned num_bytes;
int num_bytes;
/* BN_bn2bin eats leading zeroes */
memset(b_out, 0, sizeof(b_out));
num_bytes = BN_num_bytes(bn);
if (num_bytes > sizeof(b_out)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
if (BN_is_negative(bn)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
num_bytes = BN_bn2bin(bn, b_in);
flip_endian(b_out, b_in, num_bytes);
num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
if (num_bytes < 0) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
bin32_to_felem(out, b_out);
return 1;
}
@@ -181,10 +168,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in)
{
felem_bytearray b_in, b_out;
smallfelem_to_bin32(b_in, in);
flip_endian(b_out, b_in, sizeof(b_out));
return BN_bin2bn(b_out, sizeof(b_out), out);
felem_bytearray b_out;
smallfelem_to_bin32(b_out, in);
return BN_lebin2bn(b_out, sizeof(b_out), out);
}
/*-
@@ -1810,6 +1796,7 @@ const EC_METHOD *EC_GFp_nistp256_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
@@ -2018,8 +2005,8 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
felem_bytearray *secrets = NULL;
smallfelem (*pre_comp)[17][3] = NULL;
smallfelem *tmp_smallfelems = NULL;
felem_bytearray tmp;
unsigned i, num_bytes;
unsigned i;
int num_bytes;
int have_pre_comp = 0;
size_t num_points = num;
smallfelem x_in, y_in, z_in;
@@ -2098,17 +2085,15 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
memset(secrets, 0, sizeof(*secrets) * num_points);
memset(pre_comp, 0, sizeof(*pre_comp) * num_points);
for (i = 0; i < num_points; ++i) {
if (i == num)
if (i == num) {
/*
* we didn't have a valid precomputation, so we pick the
* generator
*/
{
p = EC_GROUP_get0_generator(group);
p_scalar = scalar;
} else
} else {
/* the i^th point */
{
p = points[i];
p_scalar = scalars[i];
}
@@ -2124,10 +2109,16 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
num_bytes = BN_bn2bin(tmp_scalar, tmp);
} else
num_bytes = BN_bn2bin(p_scalar, tmp);
flip_endian(secrets[i], tmp, num_bytes);
num_bytes = BN_bn2lebinpad(tmp_scalar,
secrets[i], sizeof(secrets[i]));
} else {
num_bytes = BN_bn2lebinpad(p_scalar,
secrets[i], sizeof(secrets[i]));
}
if (num_bytes < 0) {
ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
/* precompute multiples */
if ((!BN_to_felem(x_out, p->X)) ||
(!BN_to_felem(y_out, p->Y)) ||
@@ -2172,20 +2163,21 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
num_bytes = BN_bn2bin(tmp_scalar, tmp);
} else
num_bytes = BN_bn2bin(scalar, tmp);
flip_endian(g_secret, tmp, num_bytes);
num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
} else {
num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
}
/* do the multiplication with generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
g_secret,
mixed, (const smallfelem(*)[17][3])pre_comp, g_pre_comp);
} else
} else {
/* do the multiplication without generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
NULL, mixed, (const smallfelem(*)[17][3])pre_comp, NULL);
}
/* reduce the output to its unique minimal representation */
felem_contract(x_in, x_out);
felem_contract(y_in, y_out);

81
crypto/ec/ecp_nistp521.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -169,34 +169,21 @@ static void felem_to_bin66(u8 out[66], const felem in)
(*((limb *) & out[58])) = in[8];
}
/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
static void flip_endian(u8 *out, const u8 *in, unsigned len)
{
unsigned i;
for (i = 0; i < len; ++i)
out[i] = in[len - 1 - i];
}
/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
static int BN_to_felem(felem out, const BIGNUM *bn)
{
felem_bytearray b_in;
felem_bytearray b_out;
unsigned num_bytes;
int num_bytes;
/* BN_bn2bin eats leading zeroes */
memset(b_out, 0, sizeof(b_out));
num_bytes = BN_num_bytes(bn);
if (num_bytes > sizeof(b_out)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
if (BN_is_negative(bn)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
num_bytes = BN_bn2bin(bn, b_in);
flip_endian(b_out, b_in, num_bytes);
num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
if (num_bytes < 0) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
bin66_to_felem(out, b_out);
return 1;
}
@@ -204,10 +191,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
{
felem_bytearray b_in, b_out;
felem_to_bin66(b_in, in);
flip_endian(b_out, b_in, sizeof(b_out));
return BN_bin2bn(b_out, sizeof(b_out), out);
felem_bytearray b_out;
felem_to_bin66(b_out, in);
return BN_lebin2bn(b_out, sizeof(b_out), out);
}
/*-
@@ -357,10 +343,15 @@ static void felem_diff64(felem out, const felem in)
static void felem_diff_128_64(largefelem out, const felem in)
{
/*
* In order to prevent underflow, we add 0 mod p before subtracting.
* In order to prevent underflow, we add 64p mod p (which is equivalent
* to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521
* digit number with all bits set to 1. See "The representation of field
* elements" comment above for a description of how limbs are used to
* represent a number. 64p is represented with 8 limbs containing a number
* with 58 bits set and one limb with a number with 57 bits set.
*/
static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5);
static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4);
static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6);
static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5);
out[0] += two63m6 - in[0];
out[1] += two63m5 - in[1];
@@ -1631,6 +1622,7 @@ const EC_METHOD *EC_GFp_nistp521_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
@@ -1840,8 +1832,8 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
felem_bytearray *secrets = NULL;
felem (*pre_comp)[17][3] = NULL;
felem *tmp_felems = NULL;
felem_bytearray tmp;
unsigned i, num_bytes;
unsigned i;
int num_bytes;
int have_pre_comp = 0;
size_t num_points = num;
felem x_in, y_in, z_in, x_out, y_out, z_out;
@@ -1918,17 +1910,15 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
* i.e., they contribute nothing to the linear combination
*/
for (i = 0; i < num_points; ++i) {
if (i == num)
if (i == num) {
/*
* we didn't have a valid precomputation, so we pick the
* generator
*/
{
p = EC_GROUP_get0_generator(group);
p_scalar = scalar;
} else
} else {
/* the i^th point */
{
p = points[i];
p_scalar = scalars[i];
}
@@ -1944,10 +1934,16 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
num_bytes = BN_bn2bin(tmp_scalar, tmp);
} else
num_bytes = BN_bn2bin(p_scalar, tmp);
flip_endian(secrets[i], tmp, num_bytes);
num_bytes = BN_bn2lebinpad(tmp_scalar,
secrets[i], sizeof(secrets[i]));
} else {
num_bytes = BN_bn2lebinpad(p_scalar,
secrets[i], sizeof(secrets[i]));
}
if (num_bytes < 0) {
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
/* precompute multiples */
if ((!BN_to_felem(x_out, p->X)) ||
(!BN_to_felem(y_out, p->Y)) ||
@@ -1990,21 +1986,22 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
num_bytes = BN_bn2bin(tmp_scalar, tmp);
} else
num_bytes = BN_bn2bin(scalar, tmp);
flip_endian(g_secret, tmp, num_bytes);
num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
} else {
num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
}
/* do the multiplication with generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
g_secret,
mixed, (const felem(*)[17][3])pre_comp,
(const felem(*)[3])g_pre_comp);
} else
} else {
/* do the multiplication without generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
NULL, mixed, (const felem(*)[17][3])pre_comp, NULL);
}
/* reduce the output to its unique minimal representation */
felem_contract(x_in, x_out);
felem_contract(y_in, y_out);

3
crypto/ec/ecp_nistz256.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1525,6 +1525,7 @@ const EC_METHOD *EC_GFp_nistz256_method(void)
ec_GFp_mont_field_mul,
ec_GFp_mont_field_sqr,
0, /* field_div */
ec_GFp_mont_field_inv,
ec_GFp_mont_field_encode,
ec_GFp_mont_field_decode,
ec_GFp_mont_field_set_to_one,

51
crypto/ec/ecp_smpl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -56,6 +56,7 @@ const EC_METHOD *EC_GFp_simple_method(void)
ec_GFp_simple_field_mul,
ec_GFp_simple_field_sqr,
0 /* field_div */ ,
ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
@@ -554,7 +555,7 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
}
}
} else {
if (!BN_mod_inverse(Z_1, Z_, group->field, ctx)) {
if (!group->meth->field_inv(group, Z_1, Z_, ctx)) {
ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
ERR_R_BN_LIB);
goto err;
@@ -1267,7 +1268,7 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
* points[i]->Z by its inverse.
*/
if (!BN_mod_inverse(tmp, prod_Z[num - 1], group->field, ctx)) {
if (!group->meth->field_inv(group, tmp, prod_Z[num - 1], ctx)) {
ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
goto err;
}
@@ -1370,6 +1371,50 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
return BN_mod_sqr(r, a, group->field, ctx);
}
/*-
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
* Since we don't have a Mont structure here, SCA hardening is with blinding.
*/
int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
{
BIGNUM *e = NULL;
BN_CTX *new_ctx = NULL;
int ret = 0;
if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
return 0;
BN_CTX_start(ctx);
if ((e = BN_CTX_get(ctx)) == NULL)
goto err;
do {
if (!BN_rand_range(e, group->field))
goto err;
} while (BN_is_zero(e));
/* r := a * e */
if (!group->meth->field_mul(group, r, a, e, ctx))
goto err;
/* r := 1/(a * e) */
if (!BN_mod_inverse(r, r, group->field, ctx)) {
ECerr(EC_F_EC_GFP_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
goto err;
}
/* r := e/(a * e) = 1/a */
if (!group->meth->field_mul(group, r, r, e, ctx))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
/*-
* Apply randomization of EC point projective coordinates:
*

16
crypto/engine/eng_cryptodev.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1228,14 +1228,14 @@ static int bn2crparam(const BIGNUM *a, struct crparam *crp)
crp->crp_p = (caddr_t) b;
crp->crp_nbits = bits;
BN_bn2bin(a, b);
BN_bn2lebinpad(a, b, bytes);
return (0);
}
/* Convert a /dev/crypto parameter to a BIGNUM */
static int crparam2bn(struct crparam *crp, BIGNUM *a)
{
u_int8_t *pd;
u_int8_t *b;
int i, bytes;
bytes = (crp->crp_nbits + 7) / 8;
@@ -1243,15 +1243,9 @@ static int crparam2bn(struct crparam *crp, BIGNUM *a)
if (bytes == 0)
return (-1);
if ((pd = OPENSSL_malloc(bytes)) == NULL)
return (-1);
for (i = 0; i < bytes; i++)
pd[i] = crp->crp_p[bytes - i - 1];
BN_bin2bn(pd, bytes, a);
free(pd);
b = (u_int8_t *)crp->crp_p;
BN_lebin2bn(b, bytes, a);
return (0);
}

39
crypto/err/err.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -19,6 +19,7 @@
#include <openssl/bio.h>
#include <openssl/opensslconf.h>
#include <internal/thread_once.h>
#include "internal/constant_time_locl.h"
static void err_load_strings(int lib, ERR_STRING_DATA *str);
@@ -463,8 +464,24 @@ static unsigned long get_error_values(int inc, int top, const char **file,
return ERR_R_INTERNAL_ERROR;
}
while (es->bottom != es->top) {
if (es->err_flags[es->top] & ERR_FLAG_CLEAR) {
err_clear(es, es->top);
es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1;
continue;
}
i = (es->bottom + 1) % ERR_NUM_ERRORS;
if (es->err_flags[i] & ERR_FLAG_CLEAR) {
es->bottom = i;
err_clear(es, es->bottom);
continue;
}
break;
}
if (es->bottom == es->top)
return 0;
if (top)
i = es->top; /* last error */
else
@@ -822,3 +839,23 @@ int ERR_pop_to_mark(void)
es->err_flags[es->top] &= ~ERR_FLAG_MARK;
return 1;
}
void err_clear_last_constant_time(int clear)
{
ERR_STATE *es;
int top;
es = ERR_get_state();
if (es == NULL)
return;
top = es->top;
/*
* Flag error as cleared but remove it elsewhere to avoid two errors
* accessing the same error stack location, revealing timing information.
*/
clear = constant_time_select_int(constant_time_eq_int(clear, 0),
0, ERR_FLAG_CLEAR);
es->err_flags[top] |= clear;
}

6
crypto/evp/e_chacha20_poly1305.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -30,6 +30,8 @@ typedef struct {
#define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
#define CHACHA20_POLY1305_MAX_IVLEN 12
static int chacha_init_key(EVP_CIPHER_CTX *ctx,
const unsigned char user_key[CHACHA_KEY_SIZE],
const unsigned char iv[CHACHA_CTR_SIZE], int enc)
@@ -357,7 +359,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
return 1;
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0 || arg > CHACHA_CTR_SIZE)
if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
return 0;
actx->nonce_len = arg;
return 1;

5
crypto/pem/pvkfmt.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -274,6 +274,9 @@ static EVP_PKEY *b2i_dss(const unsigned char **in,
if (!read_lebn(&p, 20, &priv_key))
goto memerr;
/* Set constant time flag before public key calculation */
BN_set_flags(priv_key, BN_FLG_CONSTTIME);
/* Calculate public key */
pub_key = BN_new();
if (pub_key == NULL)

14
crypto/pkcs7/pk7_doit.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -137,7 +137,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
}
static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
size_t fixlen)
{
EVP_PKEY_CTX *pctx = NULL;
unsigned char *ek = NULL;
@@ -170,7 +171,9 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
}
if (EVP_PKEY_decrypt(pctx, ek, &eklen,
ri->enc_key->data, ri->enc_key->length) <= 0) {
ri->enc_key->data, ri->enc_key->length) <= 0
|| eklen == 0
|| (fixlen != 0 && eklen != fixlen)) {
ret = 0;
PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
goto err;
@@ -499,13 +502,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
EVP_CIPHER_key_length(evp_cipher)) < 0)
goto err;
ERR_clear_error();
}
} else {
/* Only exit on fatal errors, not decrypt failure */
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
goto err;
ERR_clear_error();
}

8
crypto/rsa/rsa_lib.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -184,6 +184,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
if (d != NULL) {
BN_free(r->d);
r->d = d;
BN_set_flags(r->d, BN_FLG_CONSTTIME);
}
return 1;
@@ -201,10 +202,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
if (p != NULL) {
BN_free(r->p);
r->p = p;
BN_set_flags(r->p, BN_FLG_CONSTTIME);
}
if (q != NULL) {
BN_free(r->q);
r->q = q;
BN_set_flags(r->q, BN_FLG_CONSTTIME);
}
return 1;
@@ -223,14 +226,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
if (dmp1 != NULL) {
BN_free(r->dmp1);
r->dmp1 = dmp1;
BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
}
if (dmq1 != NULL) {
BN_free(r->dmq1);
r->dmq1 = dmq1;
BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
}
if (iqmp != NULL) {
BN_free(r->iqmp);
r->iqmp = iqmp;
BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
}
return 1;

92
crypto/rsa/rsa_oaep.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -126,7 +126,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
const EVP_MD *mgf1md)
{
int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
unsigned int good, found_one_byte;
unsigned int good = 0, found_one_byte, mask;
const unsigned char *maskedseed, *maskeddb;
/*
* |em| is the encoded message, zero-padded to exactly |num| bytes: em =
@@ -149,12 +149,15 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
* |num| is the length of the modulus; |flen| is the length of the
* encoded message. Therefore, for any |from| that was obtained by
* decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
* num < 2 * mdlen + 2 must hold for the modulus irrespective of
* |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of
* the ciphertext, see PKCS #1 v2.2, section 7.1.2.
* This does not leak any side-channel information.
*/
if (num < flen || num < 2 * mdlen + 2)
goto decoding_err;
if (num < flen || num < 2 * mdlen + 2) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
RSA_R_OAEP_DECODING_ERROR);
return -1;
}
dblen = num - mdlen - 1;
db = OPENSSL_malloc(dblen);
@@ -163,24 +166,24 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
goto cleanup;
}
if (flen != num) {
em = OPENSSL_zalloc(num);
if (em == NULL) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
ERR_R_MALLOC_FAILURE);
goto cleanup;
}
em = OPENSSL_malloc(num);
if (em == NULL) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
ERR_R_MALLOC_FAILURE);
goto cleanup;
}
/*
* Caller is encouraged to pass zero-padded message created with
* BN_bn2binpad, but if it doesn't, we do this zero-padding copy
* to avoid leaking that information. The copy still leaks some
* side-channel information, but it's impossible to have a fixed
* memory access pattern since we can't read out of the bounds of
* |from|.
*/
memcpy(em + num - flen, from, flen);
from = em;
/*
* Caller is encouraged to pass zero-padded message created with
* BN_bn2binpad. Trouble is that since we can't read out of |from|'s
* bounds, it's impossible to have an invariant memory access pattern
* in case |from| was not zero-padded in advance.
*/
for (from += flen, em += num, i = 0; i < num; i++) {
mask = ~constant_time_is_zero(flen);
flen -= 1 & mask;
from -= 1 & mask;
*--em = *from & mask;
}
/*
@@ -188,10 +191,10 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
* true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
* Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
*/
good = constant_time_is_zero(from[0]);
good = constant_time_is_zero(em[0]);
maskedseed = from + 1;
maskeddb = from + 1 + mdlen;
maskedseed = em + 1;
maskeddb = em + 1 + mdlen;
if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
goto cleanup;
@@ -228,32 +231,49 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
* so plaintext-awareness ensures timing side-channels are no longer a
* concern.
*/
if (!good)
goto decoding_err;
msg_index = one_index + 1;
mlen = dblen - msg_index;
if (tlen < mlen) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE);
mlen = -1;
} else {
memcpy(to, db + msg_index, mlen);
goto cleanup;
/*
* For good measure, do this check in constant time as well.
*/
good &= constant_time_ge(tlen, mlen);
/*
* Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
* Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
* Otherwise leave |to| unchanged.
* Copy the memory back in a way that does not reveal the size of
* the data being copied via a timing side channel. This requires copying
* parts of the buffer multiple times based on the bits set in the real
* length. Clear bits do a non-copy with identical access pattern.
* The loop below has overall complexity of O(N*log(N)).
*/
tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
dblen - mdlen - 1, tlen);
for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
for (i = mdlen + 1; i < dblen - msg_index; i++)
db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
}
for (i = 0; i < tlen; i++) {
mask = good & constant_time_lt(i, mlen);
to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
}
decoding_err:
/*
* To avoid chosen ciphertext attacks, the error message should not
* reveal which kind of decoding error happened.
*/
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
RSA_R_OAEP_DECODING_ERROR);
err_clear_last_constant_time(1 & good);
cleanup:
OPENSSL_cleanse(seed, sizeof(seed));
OPENSSL_clear_free(db, dblen);
OPENSSL_clear_free(em, num);
return mlen;
return constant_time_select_int(good, mlen, -1);
}
int PKCS1_MGF1(unsigned char *mask, long len,

19
crypto/rsa/rsa_ossl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -10,6 +10,7 @@
#include "internal/cryptlib.h"
#include "internal/bn_int.h"
#include "rsa_locl.h"
#include "internal/constant_time_locl.h"
static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
@@ -280,6 +281,11 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
goto err;
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
rsa->n, ctx))
goto err;
if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
if (blinding == NULL) {
@@ -311,13 +317,6 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
rsa->n, ctx)) {
BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
BN_free(d);
@@ -472,8 +471,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
goto err;
}
if (r < 0)
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
err_clear_last_constant_time(1 & ~constant_time_msb(r));
err:
if (ctx != NULL)

105
crypto/rsa/rsa_pk1.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -158,7 +158,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
int i;
/* |em| is the encoded message, zero-padded to exactly |num| bytes */
unsigned char *em = NULL;
unsigned int good, found_zero_byte;
unsigned int good, found_zero_byte, mask;
int zero_index = 0, msg_index, mlen = -1;
if (tlen < 0 || flen < 0)
@@ -169,48 +169,49 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
* section 7.2.2.
*/
if (flen > num)
goto err;
if (num < 11)
goto err;
if (flen != num) {
em = OPENSSL_zalloc(num);
if (em == NULL) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
return -1;
}
/*
* Caller is encouraged to pass zero-padded message created with
* BN_bn2binpad, but if it doesn't, we do this zero-padding copy
* to avoid leaking that information. The copy still leaks some
* side-channel information, but it's impossible to have a fixed
* memory access pattern since we can't read out of the bounds of
* |from|.
*/
memcpy(em + num - flen, from, flen);
from = em;
if (flen > num || num < 11) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
RSA_R_PKCS_DECODING_ERROR);
return -1;
}
good = constant_time_is_zero(from[0]);
good &= constant_time_eq(from[1], 2);
em = OPENSSL_malloc(num);
if (em == NULL) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
return -1;
}
/*
* Caller is encouraged to pass zero-padded message created with
* BN_bn2binpad. Trouble is that since we can't read out of |from|'s
* bounds, it's impossible to have an invariant memory access pattern
* in case |from| was not zero-padded in advance.
*/
for (from += flen, em += num, i = 0; i < num; i++) {
mask = ~constant_time_is_zero(flen);
flen -= 1 & mask;
from -= 1 & mask;
*--em = *from & mask;
}
good = constant_time_is_zero(em[0]);
good &= constant_time_eq(em[1], 2);
/* scan over padding data */
found_zero_byte = 0;
for (i = 2; i < num; i++) {
unsigned int equals0 = constant_time_is_zero(from[i]);
zero_index =
constant_time_select_int(~found_zero_byte & equals0, i,
zero_index);
unsigned int equals0 = constant_time_is_zero(em[i]);
zero_index = constant_time_select_int(~found_zero_byte & equals0,
i, zero_index);
found_zero_byte |= equals0;
}
/*
* PS must be at least 8 bytes long, and it starts two bytes into |from|.
* PS must be at least 8 bytes long, and it starts two bytes into |em|.
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
good &= constant_time_ge((unsigned int)(zero_index), 2 + 8);
good &= constant_time_ge(zero_index, 2 + 8);
/*
* Skip the zero byte. This is incorrect if we never found a zero-byte
@@ -220,27 +221,35 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
mlen = num - msg_index;
/*
* For good measure, do this check in constant time as well; it could
* leak something if |tlen| was assuming valid padding.
* For good measure, do this check in constant time as well.
*/
good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));
good &= constant_time_ge(tlen, mlen);
/*
* We can't continue in constant-time because we need to copy the result
* and we cannot fake its length. This unavoidably leaks timing
* information at the API boundary.
* Move the result in-place by |num|-11-|mlen| bytes to the left.
* Then if |good| move |mlen| bytes from |em|+11 to |to|.
* Otherwise leave |to| unchanged.
* Copy the memory back in a way that does not reveal the size of
* the data being copied via a timing side channel. This requires copying
* parts of the buffer multiple times based on the bits set in the real
* length. Clear bits do a non-copy with identical access pattern.
* The loop below has overall complexity of O(N*log(N)).
*/
if (!good) {
mlen = -1;
goto err;
tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
num - 11, tlen);
for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) {
mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0);
for (i = 11; i < num - msg_index; i++)
em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
}
for (i = 0; i < tlen; i++) {
mask = good & constant_time_lt(i, mlen);
to[i] = constant_time_select_8(mask, em[i + 11], to[i]);
}
memcpy(to, from + msg_index, mlen);
err:
OPENSSL_clear_free(em, num);
if (mlen == -1)
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
RSA_R_PKCS_DECODING_ERROR);
return mlen;
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR);
err_clear_last_constant_time(1 & good);
return constant_time_select_int(good, mlen, -1);
}

4
crypto/rsa/rsa_pmeth.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -48,7 +48,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
rctx = OPENSSL_zalloc(sizeof(*rctx));
if (rctx == NULL)
return 0;
rctx->nbits = 1024;
rctx->nbits = 2048;
rctx->pad_mode = RSA_PKCS1_PADDING;
rctx->saltlen = -2;
ctx->data = rctx;

140
crypto/rsa/rsa_ssl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -12,6 +12,7 @@
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
#include "internal/constant_time_locl.h"
int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
const unsigned char *from, int flen)
@@ -52,57 +53,118 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
return (1);
}
/*
* Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
* if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
* preserves error code reporting for backward compatibility.
*/
int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
const unsigned char *from, int flen, int num)
{
int i, j, k;
const unsigned char *p;
int i;
/* |em| is the encoded message, zero-padded to exactly |num| bytes */
unsigned char *em = NULL;
unsigned int good, found_zero_byte, mask, threes_in_row;
int zero_index = 0, msg_index, mlen = -1, err;
p = from;
if (flen < 10) {
if (tlen <= 0 || flen <= 0)
return -1;
if (flen > num || num < 11) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
return (-1);
}
/* Accept even zero-padded input */
if (flen == num) {
if (*(p++) != 0) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
return -1;
}
flen--;
em = OPENSSL_malloc(num);
if (em == NULL) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, ERR_R_MALLOC_FAILURE);
return -1;
}
if ((num != (flen + 1)) || (*(p++) != 02)) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
return (-1);
/*
* Caller is encouraged to pass zero-padded message created with
* BN_bn2binpad. Trouble is that since we can't read out of |from|'s
* bounds, it's impossible to have an invariant memory access pattern
* in case |from| was not zero-padded in advance.
*/
for (from += flen, em += num, i = 0; i < num; i++) {
mask = ~constant_time_is_zero(flen);
flen -= 1 & mask;
from -= 1 & mask;
*--em = *from & mask;
}
good = constant_time_is_zero(em[0]);
good &= constant_time_eq(em[1], 2);
err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
mask = ~good;
/* scan over padding data */
j = flen - 1; /* one for type */
for (i = 0; i < j; i++)
if (*(p++) == 0)
break;
found_zero_byte = 0;
threes_in_row = 0;
for (i = 2; i < num; i++) {
unsigned int equals0 = constant_time_is_zero(em[i]);
if ((i == j) || (i < 8)) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
RSA_R_NULL_BEFORE_BLOCK_MISSING);
return (-1);
}
for (k = -9; k < -1; k++) {
if (p[k] != 0x03)
break;
}
if (k == -1) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_SSLV3_ROLLBACK_ATTACK);
return (-1);
zero_index = constant_time_select_int(~found_zero_byte & equals0,
i, zero_index);
found_zero_byte |= equals0;
threes_in_row += 1 & ~found_zero_byte;
threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3);
}
i++; /* Skip over the '\0' */
j -= i;
if (j > tlen) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE);
return (-1);
}
memcpy(to, p, (unsigned int)j);
/*
* PS must be at least 8 bytes long, and it starts two bytes into |em|.
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
good &= constant_time_ge(zero_index, 2 + 8);
err = constant_time_select_int(mask | good, err,
RSA_R_NULL_BEFORE_BLOCK_MISSING);
mask = ~good;
return (j);
good &= constant_time_ge(threes_in_row, 8);
err = constant_time_select_int(mask | good, err,
RSA_R_SSLV3_ROLLBACK_ATTACK);
mask = ~good;
/*
* Skip the zero byte. This is incorrect if we never found a zero-byte
* but in this case we also do not copy the message out.
*/
msg_index = zero_index + 1;
mlen = num - msg_index;
/*
* For good measure, do this check in constant time as well.
*/
good &= constant_time_ge(tlen, mlen);
err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE);
/*
* Move the result in-place by |num|-11-|mlen| bytes to the left.
* Then if |good| move |mlen| bytes from |em|+11 to |to|.
* Otherwise leave |to| unchanged.
* Copy the memory back in a way that does not reveal the size of
* the data being copied via a timing side channel. This requires copying
* parts of the buffer multiple times based on the bits set in the real
* length. Clear bits do a non-copy with identical access pattern.
* The loop below has overall complexity of O(N*log(N)).
*/
tlen = constant_time_select_int(constant_time_lt(num - 11, tlen),
num - 11, tlen);
for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) {
mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0);
for (i = 11; i < num - msg_index; i++)
em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
}
for (i = 0; i < tlen; i++) {
mask = good & constant_time_lt(i, mlen);
to[i] = constant_time_select_8(mask, em[i + 11], to[i]);
}
OPENSSL_clear_free(em, num);
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, err);
err_clear_last_constant_time(1 & good);
return constant_time_select_int(good, mlen, -1);
}

6
crypto/x509/by_dir.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -322,13 +322,13 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
/*
* we have added it to the cache so now pull it out again
*/
CRYPTO_THREAD_write_lock(ctx->lock);
X509_STORE_lock(xl->store_ctx);
j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
if (j != -1)
tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
else
tmp = NULL;
CRYPTO_THREAD_unlock(ctx->lock);
X509_STORE_unlock(xl->store_ctx);
/* If a CRL, update the last file suffix added for this */

6
crypto/x509/t_req.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -125,6 +125,10 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) {
ii = 0;
count = X509_ATTRIBUTE_count(a);
if (count == 0) {
X509err(X509_F_X509_REQ_PRINT_EX, X509_R_INVALID_ATTRIBUTES);
return 0;
}
get_next:
at = X509_ATTRIBUTE_get0_type(a, ii);
type = at->type;

12
crypto/x509/x509_cmp.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -451,9 +451,17 @@ STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain)
STACK_OF(X509) *ret;
int i;
ret = sk_X509_dup(chain);
if (ret == NULL)
return NULL;
for (i = 0; i < sk_X509_num(ret); i++) {
X509 *x = sk_X509_value(ret, i);
X509_up_ref(x);
if (!X509_up_ref(x))
goto err;
}
return ret;
err:
while (i-- > 0)
X509_free (sk_X509_value(ret, i));
sk_X509_free(ret);
return NULL;
}

3
crypto/x509/x509_err.c
View File

@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -97,6 +97,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
{ERR_REASON(X509_R_CRL_ALREADY_DELTA), "crl already delta"},
{ERR_REASON(X509_R_CRL_VERIFY_FAILURE), "crl verify failure"},
{ERR_REASON(X509_R_IDP_MISMATCH), "idp mismatch"},
{ERR_REASON(X509_R_INVALID_ATTRIBUTES), "invalid attributes"},
{ERR_REASON(X509_R_INVALID_DIRECTORY), "invalid directory"},
{ERR_REASON(X509_R_INVALID_FIELD_NAME), "invalid field name"},
{ERR_REASON(X509_R_INVALID_TRUST), "invalid trust"},

3
crypto/x509/x_pubkey.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -36,6 +36,7 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
/* Attempt to decode public key and cache in pubkey structure. */
X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
EVP_PKEY_free(pubkey->pkey);
pubkey->pkey = NULL;
/*
* Opportunistically decode the key but remove any non fatal errors
* from the queue. Subsequent explicit attempts to decode/use the key

2
doc/apps/ca.pod
View File

@@ -223,7 +223,7 @@ the section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to B<x509_extensions>
unless the B<-extfile> option is used). If no extension section is
present then, a V1 certificate is created. If the extension section
is present (even if it is empty), then a V3 certificate is created. See the:w
is present (even if it is empty), then a V3 certificate is created. See the
L<x509v3_config(5)> manual page for details of the
extension section format.

10
doc/apps/genpkey.pod
View File

@@ -116,7 +116,7 @@ below.
=item B<rsa_keygen_bits:numbits>
The number of bits in the generated key. If not specified 1024 is used.
The number of bits in the generated key. If not specified 2048 is used.
=item B<rsa_keygen_pubexp:value>
@@ -154,12 +154,12 @@ below.
=item B<dsa_paramgen_bits:numbits>
The number of bits in the generated prime. If not specified 1024 is used.
The number of bits in the generated prime. If not specified 2048 is used.
=item B<dsa_paramgen_q_bits:numbits>
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
specified 160 is used.
specified 224 is used.
=item B<dsa_paramgen_md:digest>
@@ -178,7 +178,7 @@ or B<sha256> if it is 256.
=item B<dh_paramgen_prime_len:numbits>
The number of bits in the prime parameter B<p>. The default is 1024.
The number of bits in the prime parameter B<p>. The default is 2048.
=item B<dh_paramgen_subprime_len:numbits>
@@ -289,7 +289,7 @@ OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

7
doc/crypto/RSA_padding_add_PKCS1_type_1.pod
View File

@@ -109,7 +109,12 @@ L<ERR_get_error(3)>.
The RSA_padding_check_PKCS1_type_2() padding check leaks timing
information which can potentially be used to mount a Bleichenbacher
padding oracle attack. This is an inherent weakness in the PKCS #1
v1.5 padding design. Prefer PKCS1_OAEP padding.
v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
be recommended to pass zero-padded B<f>, so that B<fl> equals to
B<rsa_len>, and if fixed by protocol, B<tlen> being set to the
expected length. In such case leakage would be minimal, it would
take attacker's ability to observe memory access pattern with byte
granilarity as it occurs, post-factum timing analysis won't do.
=head1 SEE ALSO

15
doc/ssl/SSL_get_error.pod
View File

@@ -112,14 +112,17 @@ thread has completed.
=item SSL_ERROR_SYSCALL
Some non-recoverable I/O error occurred.
The OpenSSL error queue may contain more information on the error.
For socket I/O on Unix systems, consult B<errno> for details.
Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
contain more information on the error. For socket I/O on Unix systems, consult
B<errno> for details. If this error occurs then no further I/O operations should
be performed on the connection and SSL_shutdown() must not be called.
=item SSL_ERROR_SSL
A failure in the SSL library occurred, usually a protocol error. The
OpenSSL error queue contains more information on the error.
A non-recoverable, fatal error in the SSL library occurred, usually a protocol
error. The OpenSSL error queue contains more information on the error. If this
error occurs then no further I/O operations should be performed on the
connection and SSL_shutdown() must not be called.
=back
@@ -133,7 +136,7 @@ SSL_ERROR_WANT_ASYNC was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

6
doc/ssl/SSL_shutdown.pod
View File

@@ -22,6 +22,10 @@ Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and
a currently open session is considered closed and good and will be kept in the
session cache for further reuse.
Note that SSL_shutdown() must not be called if a previous fatal error has
occurred on a connection i.e. if SSL_get_error() has returned SSL_ERROR_SYSCALL
or SSL_ERROR_SSL.
The shutdown procedure consists of 2 steps: the sending of the "close notify"
shutdown alert and the reception of the peer's "close notify" shutdown
alert. According to the TLS standard, it is acceptable for an application
@@ -122,7 +126,7 @@ L<ssl(3)>, L<bio(3)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

28
include/internal/constant_time_locl.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -158,11 +158,29 @@ static ossl_inline unsigned char constant_time_eq_int_8(int a, int b)
return constant_time_eq_8((unsigned)(a), (unsigned)(b));
}
/*
* Returns the value unmodified, but avoids optimizations.
* The barriers prevent the compiler from narrowing down the
* possible value range of the mask and ~mask in the select
* statements, which avoids the recognition of the select
* and turning it into a conditional load or branch.
*/
static ossl_inline unsigned int value_barrier(unsigned int a)
{
#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
unsigned int r;
__asm__("" : "=r"(r) : "0"(a));
#else
volatile unsigned int r = a;
#endif
return r;
}
static ossl_inline unsigned int constant_time_select(unsigned int mask,
unsigned int a,
unsigned int b)
{
return (mask & a) | (~mask & b);
return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
}
static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
@@ -178,6 +196,12 @@ static ossl_inline int constant_time_select_int(unsigned int mask, int a,
return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b)));
}
/*
* Expected usage pattern is to unconditionally set error and then
* wipe it if there was no actual error. |clear| is 1 or 0.
*/
void err_clear_last_constant_time(int clear);
#ifdef __cplusplus
}
#endif

7
include/openssl/ec.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1399,6 +1399,7 @@ int ERR_load_EC_strings(void);
# define EC_F_EC_ASN1_GROUP2CURVE 153
# define EC_F_EC_ASN1_GROUP2FIELDID 154
# define EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY 208
# define EC_F_EC_GF2M_SIMPLE_FIELD_INV 296
# define EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT 159
# define EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE 195
# define EC_F_EC_GF2M_SIMPLE_OCT2POINT 160
@@ -1408,6 +1409,7 @@ int ERR_load_EC_strings(void);
# define EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES 164
# define EC_F_EC_GFP_MONT_FIELD_DECODE 133
# define EC_F_EC_GFP_MONT_FIELD_ENCODE 134
# define EC_F_EC_GFP_MONT_FIELD_INV 297
# define EC_F_EC_GFP_MONT_FIELD_MUL 131
# define EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE 209
# define EC_F_EC_GFP_MONT_FIELD_SQR 132
@@ -1425,6 +1427,7 @@ int ERR_load_EC_strings(void);
# define EC_F_EC_GFP_NIST_FIELD_SQR 201
# define EC_F_EC_GFP_NIST_GROUP_SET_CURVE 202
# define EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES 287
# define EC_F_EC_GFP_SIMPLE_FIELD_INV 298
# define EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT 165
# define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE 166
# define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE 102
@@ -1514,6 +1517,7 @@ int ERR_load_EC_strings(void);
# define EC_R_BAD_SIGNATURE 156
# define EC_R_BIGNUM_OUT_OF_RANGE 144
# define EC_R_BUFFER_TOO_SMALL 100
# define EC_R_CANNOT_INVERT 165
# define EC_R_COORDINATES_OUT_OF_RANGE 146
# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160
# define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159
@@ -1564,6 +1568,7 @@ int ERR_load_EC_strings(void);
# define EC_R_SLOT_FULL 108
# define EC_R_UNDEFINED_GENERATOR 113
# define EC_R_UNDEFINED_ORDER 128
# define EC_R_UNKNOWN_COFACTOR 164
# define EC_R_UNKNOWN_GROUP 129
# define EC_R_UNKNOWN_ORDER 114
# define EC_R_UNSUPPORTED_FIELD 131

3
include/openssl/err.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -37,6 +37,7 @@ extern "C" {
# define ERR_TXT_STRING 0x02
# define ERR_FLAG_MARK 0x01
# define ERR_FLAG_CLEAR 0x02
# define ERR_NUM_ERRORS 16
typedef struct err_state_st {

8
include/openssl/opensslv.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -39,11 +39,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x101000afL
# define OPENSSL_VERSION_NUMBER 0x101000cfL
# ifdef OPENSSL_FIPS
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0j-fips 20 Nov 2018"
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0l-fips 10 Sep 2019"
# else
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0j 20 Nov 2018"
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0l 10 Sep 2019"
# endif
/*-

3
include/openssl/x509.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1092,6 +1092,7 @@ int ERR_load_X509_strings(void);
# define X509_R_CRL_ALREADY_DELTA 127
# define X509_R_CRL_VERIFY_FAILURE 131
# define X509_R_IDP_MISMATCH 128
# define X509_R_INVALID_ATTRIBUTES 135
# define X509_R_INVALID_DIRECTORY 113
# define X509_R_INVALID_FIELD_NAME 119
# define X509_R_INVALID_TRUST 123

3
ssl/record/rec_layer_d1.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -834,6 +834,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL3_RECORD_set_read(rr);
SSL_CTX_remove_session(s->session_ctx, s->session);
ossl_statem_set_error(s);
return (0);
} else {
al = SSL_AD_ILLEGAL_PARAMETER;

3
ssl/record/rec_layer_s3.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1410,6 +1410,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL3_RECORD_set_read(rr);
SSL_CTX_remove_session(s->session_ctx, s->session);
ossl_statem_set_error(s);
return (0);
} else {
al = SSL_AD_ILLEGAL_PARAMETER;

11
ssl/s3_msg.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -46,9 +46,12 @@ int ssl3_send_alert(SSL *s, int level, int desc)
* protocol_version alerts */
if (desc < 0)
return -1;
/* If a fatal one, remove from cache */
if ((level == SSL3_AL_FATAL) && (s->session != NULL))
SSL_CTX_remove_session(s->session_ctx, s->session);
/* If a fatal one, remove from cache and go into the error state */
if (level == SSL3_AL_FATAL) {
if (s->session != NULL)
SSL_CTX_remove_session(s->session_ctx, s->session);
ossl_statem_set_error(s);
}
s->s3->alert_dispatch = 1;
s->s3->send_alert[0] = level;

3
ssl/statem/statem.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -115,6 +115,7 @@ void ossl_statem_set_renegotiate(SSL *s)
*/
void ossl_statem_set_error(SSL *s)
{
s->statem.in_init = 1;
s->statem.state = MSG_FLOW_ERROR;
}

111
test/bntest.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -85,6 +85,7 @@ int test_sqrt(BIO *bp, BN_CTX *ctx);
int test_small_prime(BIO *bp, BN_CTX *ctx);
int test_bn2dec(BIO *bp);
int rand_neg(void);
static int test_ctx_consttime_flag(void);
static int results = 0;
static unsigned char lst[] =
@@ -312,11 +313,18 @@ int main(int argc, char *argv[])
goto err;
(void)BIO_flush(out);
#endif
/* silently flush any pre-existing error on the stack */
ERR_clear_error();
message(out, "BN_CTX_get BN_FLG_CONSTTIME");
if (!test_ctx_consttime_flag())
goto err;
(void)BIO_flush(out);
BN_CTX_free(ctx);
BIO_free(out);
ERR_print_errors_fp(stderr);
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
if (CRYPTO_mem_leaks_fp(stderr) <= 0)
EXIT(1);
@@ -2092,3 +2100,100 @@ int rand_neg(void)
return (sign[(neg++) % 8]);
}
static int test_ctx_set_ct_flag(BN_CTX *c)
{
int st = 0;
size_t i;
BIGNUM *b[15];
BN_CTX_start(c);
for (i = 0; i < OSSL_NELEM(b); i++) {
if (NULL == (b[i] = BN_CTX_get(c))) {
fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
goto err;
}
if (i % 2 == 1)
BN_set_flags(b[i], BN_FLG_CONSTTIME);
}
st = 1;
err:
BN_CTX_end(c);
return st;
}
static int test_ctx_check_ct_flag(BN_CTX *c)
{
int st = 0;
size_t i;
BIGNUM *b[30];
BN_CTX_start(c);
for (i = 0; i < OSSL_NELEM(b); i++) {
if (NULL == (b[i] = BN_CTX_get(c))) {
fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
goto err;
}
if (BN_get_flags(b[i], BN_FLG_CONSTTIME) != 0) {
fprintf(stderr, "ERROR: BN_FLG_CONSTTIME should not be set.\n");
goto err;
}
}
st = 1;
err:
BN_CTX_end(c);
return st;
}
static int test_ctx_consttime_flag(void)
{
/*-
* The constant-time flag should not "leak" among BN_CTX frames:
*
* - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and
* sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained
* from the frame before ending it.
* - test_ctx_check_ct_flag() then starts a new frame and gets a
* number of BIGNUMs from it. In absence of leaks, none of the
* BIGNUMs in the new frame should have BN_FLG_CONSTTIME set.
*
* In actual BN_CTX usage inside libcrypto the leak could happen at
* any depth level in the BN_CTX stack, with varying results
* depending on the patterns of sibling trees of nested function
* calls sharing the same BN_CTX object, and the effect of
* unintended BN_FLG_CONSTTIME on the called BN_* functions.
*
* This simple unit test abstracts away this complexity and verifies
* that the leak does not happen between two sibling functions
* sharing the same BN_CTX object at the same level of nesting.
*
*/
BN_CTX *nctx = NULL;
BN_CTX *sctx = NULL;
size_t i = 0;
int st = 0;
if (NULL == (nctx = BN_CTX_new())) {
fprintf(stderr, "ERROR: BN_CTX_new() failed.\n");
goto err;
}
if (NULL == (sctx = BN_CTX_secure_new())) {
fprintf(stderr, "ERROR: BN_CTX_secure_new() failed.\n");
goto err;
}
for (i = 0; i < 2; i++) {
BN_CTX *c = i == 0 ? nctx : sctx;
if (!test_ctx_set_ct_flag(c)
|| !test_ctx_check_ct_flag(c))
goto err;
}
st = 1;
err:
BN_CTX_free(nctx);
BN_CTX_free(sctx);
return st;
}

9
test/build.info
View File

@@ -314,6 +314,15 @@ IF[{- !$disabled{tests} -}]
INCLUDE[shlibloadtest]=../include
ENDIF
IF[{- !$disabled{ec} -}]
PROGRAMS_NO_INST=ec_internal_test
SOURCE[ec_internal_test]=ec_internal_test.c testutil.c
INCLUDE[ec_internal_test]=.. ../include ../crypto/ec ../crypto/include
DEPEND[ec_internal_test]=../libcrypto
ENDIF
SOURCE[errtest]=errtest.c testutil.c
INCLUDE[errtest]=../include
DEPEND[errtest]=../libcrypto

220
test/ec_internal_test.c Normal file
View File

@@ -0,0 +1,220 @@
/*
* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/ec.h>
#include "ec_lcl.h"
#include <openssl/objects.h>
#include "testutil.h"
static size_t crv_len = 0;
static EC_builtin_curve *curves = NULL;
/* sanity checks field_inv function pointer in EC_METHOD */
static int group_field_tests(const EC_GROUP *group, BN_CTX *ctx)
{
BIGNUM *a = NULL, *b = NULL, *c = NULL;
int ret = 0;
if (group->meth->field_inv == NULL || group->meth->field_mul == NULL)
return 1;
BN_CTX_start(ctx);
a = BN_CTX_get(ctx);
b = BN_CTX_get(ctx);
TEST_check(NULL != (c = BN_CTX_get(ctx)));
/* 1/1 = 1 */
TEST_check(group->meth->field_inv(group, b, BN_value_one(), ctx));
TEST_check(BN_is_one(b));
/* (1/a)*a = 1 */
TEST_check(BN_pseudo_rand(a, BN_num_bits(group->field) - 1,
BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY));
TEST_check(group->meth->field_inv(group, b, a, ctx));
if (group->meth->field_encode) {
TEST_check(group->meth->field_encode(group, a, a, ctx));
TEST_check(group->meth->field_encode(group, b, b, ctx));
}
TEST_check(group->meth->field_mul(group, c, a, b, ctx));
if (group->meth->field_decode) {
TEST_check(group->meth->field_decode(group, c, c, ctx));
}
TEST_check(BN_is_one(c));
/* 1/0 = error */
BN_zero(a);
TEST_check(!group->meth->field_inv(group, b, a, ctx));
TEST_check(ERR_GET_LIB(ERR_peek_last_error()) == ERR_LIB_EC);
TEST_check(ERR_GET_REASON(ERR_peek_last_error()) == EC_R_CANNOT_INVERT);
/* 1/p = error */
TEST_check(!group->meth->field_inv(group, b, group->field, ctx));
TEST_check(ERR_GET_LIB(ERR_peek_last_error()) == ERR_LIB_EC);
TEST_check(ERR_GET_REASON(ERR_peek_last_error()) == EC_R_CANNOT_INVERT);
ERR_clear_error();
ret = 1;
BN_CTX_end(ctx);
return ret;
}
#define EC_GROUP_set_curve(g,p,a,b,ctx) \
EC_GROUP_set_curve_GFp(g,p,a,b,ctx)
/* wrapper for group_field_tests for explicit curve params and EC_METHOD */
static int field_tests(const EC_METHOD *meth, const unsigned char *params,
int len)
{
BN_CTX *ctx = NULL;
BIGNUM *p = NULL, *a = NULL, *b = NULL;
EC_GROUP *group = NULL;
int ret = 0;
TEST_check(NULL != (ctx = BN_CTX_new()));
BN_CTX_start(ctx);
p = BN_CTX_get(ctx);
a = BN_CTX_get(ctx);
TEST_check(NULL != (b = BN_CTX_get(ctx)));
TEST_check(NULL != (group = EC_GROUP_new(meth)));
TEST_check(BN_bin2bn(params, len, p));
TEST_check(BN_bin2bn(params + len, len, a));
TEST_check(BN_bin2bn(params + 2 * len, len, b));
TEST_check(EC_GROUP_set_curve(group, p, a, b, ctx));
TEST_check(group_field_tests(group, ctx));
ret = 1;
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (group != NULL)
EC_GROUP_free(group);
return ret;
}
#undef EC_GROUP_set_curve
/* NIST prime curve P-256 */
static const unsigned char params_p256[] = {
/* p */
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
/* a */
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
/* b */
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B
};
#ifndef OPENSSL_NO_EC2M
/* NIST binary curve B-283 */
static const unsigned char params_b283[] = {
/* p */
0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0xA1,
/* a */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
/* b */
0x02, 0x7B, 0x68, 0x0A, 0xC8, 0xB8, 0x59, 0x6D, 0xA5, 0xA4, 0xAF, 0x8A,
0x19, 0xA0, 0x30, 0x3F, 0xCA, 0x97, 0xFD, 0x76, 0x45, 0x30, 0x9F, 0xA2,
0xA5, 0x81, 0x48, 0x5A, 0xF6, 0x26, 0x3E, 0x31, 0x3B, 0x79, 0xA2, 0xF5
};
#endif
/* test EC_GFp_simple_method directly */
static int field_tests_ecp_simple(void)
{
fprintf(stdout, "Testing EC_GFp_simple_method()\n");
return field_tests(EC_GFp_simple_method(), params_p256,
sizeof(params_p256) / 3);
}
/* test EC_GFp_mont_method directly */
static int field_tests_ecp_mont(void)
{
fprintf(stdout, "Testing EC_GFp_mont_method()\n");
return field_tests(EC_GFp_mont_method(), params_p256,
sizeof(params_p256) / 3);
}
#ifndef OPENSSL_NO_EC2M
/* test EC_GF2m_simple_method directly */
static int field_tests_ec2_simple(void)
{
fprintf(stdout, "Testing EC_GF2m_simple_method()\n");
return field_tests(EC_GF2m_simple_method(), params_b283,
sizeof(params_b283) / 3);
}
#endif
/* test default method for a named curve */
static int field_tests_default(int n)
{
BN_CTX *ctx = NULL;
EC_GROUP *group = NULL;
int nid = curves[n].nid;
int ret = 0;
fprintf(stdout, "Testing curve %s\n", OBJ_nid2sn(nid));
TEST_check(NULL != (group = EC_GROUP_new_by_curve_name(nid)));
TEST_check(NULL != (ctx = BN_CTX_new()));
TEST_check(group_field_tests(group, ctx));
ret = 1;
if (group != NULL)
EC_GROUP_free(group);
if (ctx != NULL)
BN_CTX_free(ctx);
return ret;
}
static int setup_tests(void)
{
crv_len = EC_get_builtin_curves(NULL, 0);
TEST_check(NULL != (curves = OPENSSL_malloc(sizeof(*curves) * crv_len)));
TEST_check(EC_get_builtin_curves(curves, crv_len));
ADD_TEST(field_tests_ecp_simple);
ADD_TEST(field_tests_ecp_mont);
#ifndef OPENSSL_NO_EC2M
ADD_TEST(field_tests_ec2_simple);
#endif
ADD_ALL_TESTS(field_tests_default, crv_len);
return 1;
}
static void cleanup_tests(void)
{
OPENSSL_free(curves);
}
int main(int argc, char **argv)
{
int ret;
setup_tests();
ret = run_tests(argv[0]);
cleanup_tests();
return ret;
}

19
test/recipes/03-test_internal_ec.t Normal file
View File

@@ -0,0 +1,19 @@
#! /usr/bin/env perl
# Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test; # get 'plan'
use OpenSSL::Test::Simple;
use OpenSSL::Test::Utils;
setup("test_internal_ec");
plan skip_all => "This test is unsupported in a no-ec build"
if disabled("ec");
simple_test("test_internal_ec", "ec_internal_test");

10
test/recipes/30-test_evp_data/evpciph.txt
View File

@@ -1,5 +1,5 @@
#
# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -2269,3 +2269,11 @@ Tag = e0723bce23528ce6ccb10ff9627038bf
Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d
Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
Cipher = chacha20-poly1305
Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0
IV = ff000000000102030405060708
AAD = f33388860000000000004e91
Tag = e0723bce23528ce6ccb10ff9627038bf
Plaintext = 496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d
Ciphertext = 64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c299da65ba25e6a85842bf0440fd98a9a2266b061c4b3a13327c090f9a0789f58aad805275e4378a525f19232bfbfb749ede38480f405cf43ec2f1f8619ebcbc80a89e92a859c7911e674977ab17d4a7126a6b8a477358ff14a344d276ef6e504e10268ac3619fcf90c2d6c03fc2e3d1f290d9bf26c1fa1495dd8f97eec6229a55c2354e4524143551a5cc370a1c622c9390530cff21c3e1ed50c5e3daf97518ccce34156bdbd7eafab8bd417aef25c6c927301731bd319d247a1d5c3186ed10bfd9a7a24bac30e3e4503ed9204154d338b79ea276e7058e7f20f4d4fd1ac93d63f611af7b6d006c2a72add0eedc497b19cb30a198816664f0da00155f2e2d6ac61045b296d614301e0ad4983308028850dd4feffe3a8163970306e4047f5a165cb4befbc129729cd2e286e837e9b606486d402acc3dec5bf8b92387f6e486f2140
Result = INVALID_IV_LENGTH

52
test/recipes/30-test_evp_data/evppkey.txt
View File

@@ -1,5 +1,5 @@
#
# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -16147,3 +16147,53 @@ Result = KEYPAIR_MISMATCH
PrivPubKeyPair = DSA-1024-BIS:DSA-1024-PUBLIC
Result = KEYPAIR_MISMATCH
# Title=explicit parameters with no cofactor test
PrivateKey=P256_explicit
-----BEGIN PRIVATE KEY-----
MIIBMAIBADCCAQAGByqGSM49AgEwgfQCAQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAAAAAAAAAA
AAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA///////////////8BCBaxjXY
qjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR
8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBo
N79R9QIhAP////8AAAAA//////////+85vqtpxeehPO5ysL8YyVRBCcwJQIBAQQgya+p2EW6dRZr
XCFXZ7HWk05Qw9s26JsSe4piKxIPZyE=
-----END PRIVATE KEY-----
PublicKey=P256_explicit_PUB
-----BEGIN PUBLIC KEY-----
MIIBSDCCAQAGByqGSM49AgEwgfQCAQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAAAAAAAAAAAAAA
////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA///////////////8BCBaxjXYqjqT
57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEs
Qkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R
9QIhAP////8AAAAA//////////+85vqtpxeehPO5ysL8YyVRA0IABGD+1LolWp0xyWHrdMY1bWjA
SbiSO2H6bOZpYi5g8p+2eQP+EAi4vJmkGunpVii8ZPLxsgwtfp9Rd6PClNRGIpk=
-----END PUBLIC KEY-----
PrivPubKeyPair=P256_explicit:P256_explicit_PUB
PrivateKey=P384_explicit
-----BEGIN PRIVATE KEY-----
MIIBoQIBADCCAWEGByqGSM49AgEwggFUAgEBMDwGByqGSM49AQECMQD/////////////////////
/////////////////////v////8AAAAAAAAAAP////8wewQw////////////////////////////
//////////////7/////AAAAAAAAAAD////8BDCzMS+n4j7n5JiOBWvj+C0ZGB2cbv6BQRIDFAiP
UBOHWsZWOY2KLtGdKoXI7dPsKu8DFQCjNZJqoxmieh0AiWpnc6SCes2scwRhBKqHyiK+iwU3jrHH
HvMgrXRuHTtii6ebmFn3QeCCVCo4VQLyXb9VKWw6VF44cnYKtzYX3kqWJixvXZ6Yv5KS3Cn49B29
KJoUfOnaMRO18LjACmCxzh1+gZ16Qx18kOoOXwIxAP///////////////////////////////8dj
TYH0Ny3fWBoNskiwp3rs7BlqzMUpcwQ3MDUCAQEEMGudPa0uG4wcBbGYdbZln03iPDtme/KXupqk
d0B4cTfYltVyTkxwqCX4csnqYNLt9Q==
-----END PRIVATE KEY-----
PublicKey=P384_explicit_PUB
-----BEGIN PUBLIC KEY-----
MIIByTCCAWEGByqGSM49AgEwggFUAgEBMDwGByqGSM49AQECMQD/////////////////////////
/////////////////v////8AAAAAAAAAAP////8wewQw////////////////////////////////
//////////7/////AAAAAAAAAAD////8BDCzMS+n4j7n5JiOBWvj+C0ZGB2cbv6BQRIDFAiPUBOH
WsZWOY2KLtGdKoXI7dPsKu8DFQCjNZJqoxmieh0AiWpnc6SCes2scwRhBKqHyiK+iwU3jrHHHvMg
rXRuHTtii6ebmFn3QeCCVCo4VQLyXb9VKWw6VF44cnYKtzYX3kqWJixvXZ6Yv5KS3Cn49B29KJoU
fOnaMRO18LjACmCxzh1+gZ16Qx18kOoOXwIxAP///////////////////////////////8djTYH0
Ny3fWBoNskiwp3rs7BlqzMUpcwNiAATsOk5BW04ZpFaGGAKfQn+l2pqLxK6S4C4GquUoazAMZN74
8OqQVYZgZKJUUVSAvBOAFdm3LX1XJE6o75rAxiGJZwilk2f537n1TKhLPxydsSiLIxw64NT+c0T9
JTMmRyA=
-----END PUBLIC KEY-----
PrivPubKeyPair=P384_explicit:P384_explicit_PUB