diff --git a/modules/openssl/SCsub b/modules/openssl/SCsub index ffce93aca8e..cf521b21754 100644 --- a/modules/openssl/SCsub +++ b/modules/openssl/SCsub @@ -381,6 +381,7 @@ if (env['builtin_openssl'] != 'no'): "crypto/evp/p_verify.c", "crypto/ex_data.c", "crypto/fips_ers.c", + "crypto/getenv.c", "crypto/hmac/hmac.c", "crypto/hmac/hm_ameth.c", "crypto/hmac/hm_pmeth.c", diff --git a/thirdparty/README.md b/thirdparty/README.md index 2356d124512..806bd97d61b 100644 --- a/thirdparty/README.md +++ b/thirdparty/README.md @@ -241,7 +241,7 @@ Collection of single-file libraries used in Godot components. ## openssl - Upstream: https://www.openssl.org -- Version: 1.0.2o +- Version: 1.0.2q - License: OpenSSL license / BSD-like Files extracted from the upstream source: @@ -262,7 +262,12 @@ Files extracted from the upstream source: ``` For the rest check the `git status` and decide. - e_os.h -- Apply the Godot-specific patches in the `patches/` folder. +- MacOS/buildinf.h +- LICENSE +- Apply the Godot-specific patches in the `patches/` folder + (make sure not to commit .orig/.rej files generated by `patch`). +- Review `openssl/opensslconf.h` changes and make sure they make sense + for our "one size fits all" config. ## opus diff --git a/thirdparty/openssl/crypto/asn1/a_bool.c b/thirdparty/openssl/crypto/asn1/a_bool.c index 1b85bc9e61c..3bf676eb6fb 100644 --- a/thirdparty/openssl/crypto/asn1/a_bool.c +++ b/thirdparty/openssl/crypto/asn1/a_bool.c @@ -63,17 +63,31 @@ int i2d_ASN1_BOOLEAN(int a, unsigned char **pp) { int r; - unsigned char *p; + unsigned char *p, *allocated = NULL; r = ASN1_object_size(0, 1, V_ASN1_BOOLEAN); if (pp == NULL) return (r); - p = *pp; + + if (*pp == NULL) { + if ((p = allocated = OPENSSL_malloc(r)) == NULL) { + ASN1err(ASN1_F_I2D_ASN1_BOOLEAN, ERR_R_MALLOC_FAILURE); + return 0; + } + } else { + p = *pp; + } ASN1_put_object(&p, 0, 1, V_ASN1_BOOLEAN, V_ASN1_UNIVERSAL); - *(p++) = (unsigned char)a; - *pp = p; - return (r); + *p = (unsigned char)a; + + + /* + * If a new buffer was allocated, just return it back. + * If not, return the incremented buffer pointer. + */ + *pp = allocated != NULL ? allocated : p + 1; + return r; } int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length) diff --git a/thirdparty/openssl/crypto/asn1/a_object.c b/thirdparty/openssl/crypto/asn1/a_object.c index ad6b12a5366..ce05cf4c4b9 100644 --- a/thirdparty/openssl/crypto/asn1/a_object.c +++ b/thirdparty/openssl/crypto/asn1/a_object.c @@ -66,7 +66,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp) { - unsigned char *p; + unsigned char *p, *allocated = NULL; int objsize; if ((a == NULL) || (a->data == NULL)) @@ -76,13 +76,24 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp) if (pp == NULL || objsize == -1) return objsize; - p = *pp; + if (*pp == NULL) { + if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) { + ASN1err(ASN1_F_I2D_ASN1_OBJECT, ERR_R_MALLOC_FAILURE); + return 0; + } + } else { + p = *pp; + } + ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL); memcpy(p, a->data, a->length); - p += a->length; - *pp = p; - return (objsize); + /* + * If a new buffer was allocated, just return it back. + * If not, return the incremented buffer pointer. + */ + *pp = allocated != NULL ? allocated : p + a->length; + return objsize; } int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num) diff --git a/thirdparty/openssl/crypto/asn1/a_strex.c b/thirdparty/openssl/crypto/asn1/a_strex.c index 95f04162073..11b21c2af7b 100644 --- a/thirdparty/openssl/crypto/asn1/a_strex.c +++ b/thirdparty/openssl/crypto/asn1/a_strex.c @@ -4,7 +4,7 @@ * 2000. */ /* ==================================================================== - * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -194,18 +194,38 @@ static int do_buf(unsigned char *buf, int buflen, int type, unsigned char flags, char *quotes, char_io *io_ch, void *arg) { - int i, outlen, len; + int i, outlen, len, charwidth; unsigned char orflags, *p, *q; unsigned long c; p = buf; q = buf + buflen; outlen = 0; + charwidth = type & BUF_TYPE_WIDTH_MASK; + + switch (charwidth) { + case 4: + if (buflen & 3) { + ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH); + return -1; + } + break; + case 2: + if (buflen & 1) { + ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_BMPSTRING_LENGTH); + return -1; + } + break; + default: + break; + } + while (p != q) { if (p == buf && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_FIRST_ESC_2253; else orflags = 0; - switch (type & BUF_TYPE_WIDTH_MASK) { + + switch (charwidth) { case 4: c = ((unsigned long)*p++) << 24; c |= ((unsigned long)*p++) << 16; @@ -226,6 +246,7 @@ static int do_buf(unsigned char *buf, int buflen, i = UTF8_getc(p, buflen, &c); if (i < 0) return -1; /* Invalid UTF8String */ + buflen -= i; p += i; break; default: diff --git a/thirdparty/openssl/crypto/asn1/ameth_lib.c b/thirdparty/openssl/crypto/asn1/ameth_lib.c index 43ddebba33a..cc8f9a8243e 100644 --- a/thirdparty/openssl/crypto/asn1/ameth_lib.c +++ b/thirdparty/openssl/crypto/asn1/ameth_lib.c @@ -3,7 +3,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -305,6 +305,18 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, } else ameth->info = NULL; + /* + * One of the following must be true: + * + * pem_str == NULL AND ASN1_PKEY_ALIAS is set + * pem_str != NULL AND ASN1_PKEY_ALIAS is clear + * + * Anything else is an error and may lead to a corrupt ASN1 method table + */ + if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0) + || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0))) + goto err; + if (pem_str) { ameth->pem_str = BUF_strdup(pem_str); if (!ameth->pem_str) diff --git a/thirdparty/openssl/crypto/asn1/asn1_err.c b/thirdparty/openssl/crypto/asn1/asn1_err.c index cfc1512f9d0..9e273dcf5f2 100644 --- a/thirdparty/openssl/crypto/asn1/asn1_err.c +++ b/thirdparty/openssl/crypto/asn1/asn1_err.c @@ -166,7 +166,10 @@ static ERR_STRING_DATA ASN1_str_functs[] = { {ERR_FUNC(ASN1_F_D2I_X509), "D2I_X509"}, {ERR_FUNC(ASN1_F_D2I_X509_CINF), "D2I_X509_CINF"}, {ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"}, + {ERR_FUNC(ASN1_F_DO_BUF), "DO_BUF"}, {ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"}, + {ERR_FUNC(ASN1_F_I2D_ASN1_BOOLEAN), "i2d_ASN1_BOOLEAN"}, + {ERR_FUNC(ASN1_F_I2D_ASN1_OBJECT), "i2d_ASN1_OBJECT"}, {ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"}, {ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"}, {ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"}, diff --git a/thirdparty/openssl/crypto/asn1/tasn_enc.c b/thirdparty/openssl/crypto/asn1/tasn_enc.c index 081a9d534f8..1824b2fc80f 100644 --- a/thirdparty/openssl/crypto/asn1/tasn_enc.c +++ b/thirdparty/openssl/crypto/asn1/tasn_enc.c @@ -4,7 +4,7 @@ * 2000. */ /* ==================================================================== - * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -588,6 +588,8 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, otmp = (ASN1_OBJECT *)*pval; cont = otmp->data; len = otmp->length; + if (cont == NULL || len == 0) + return -1; break; case V_ASN1_NULL: diff --git a/thirdparty/openssl/crypto/bio/b_sock.c b/thirdparty/openssl/crypto/bio/b_sock.c index 5bad0a2bada..d32b76bc8ff 100644 --- a/thirdparty/openssl/crypto/bio/b_sock.c +++ b/thirdparty/openssl/crypto/bio/b_sock.c @@ -56,6 +56,9 @@ * [including the GNU Public Licence.] */ +#define _DEFAULT_SOURCE +#define _BSD_SOURCE + #include #include #include @@ -83,6 +86,11 @@ NETDB_DEFINE_CONTEXT static int wsa_init_done = 0; # endif +# if defined(__GLIBC__) +# define HAVE_GETHOSTBYNAME_R +# define GETHOSTNAME_R_BUF (2 * 1024) +# endif + /* * WSAAPI specifier is required to make indirect calls to run-time * linked WinSock 2 functions used in this module, to be specific @@ -116,7 +124,12 @@ int BIO_get_host_ip(const char *str, unsigned char *ip) int i; int err = 1; int locked = 0; - struct hostent *he; + struct hostent *he = NULL; +# ifdef HAVE_GETHOSTBYNAME_R + char buf[GETHOSTNAME_R_BUF]; + struct hostent hostent; + int h_errnop; +# endif i = get_ip(str, ip); if (i < 0) { @@ -138,10 +151,18 @@ int BIO_get_host_ip(const char *str, unsigned char *ip) if (i > 0) return (1); + /* if gethostbyname_r is supported, use it. */ +# ifdef HAVE_GETHOSTBYNAME_R + memset(&hostent, 0x00, sizeof(hostent)); + /* gethostbyname_r() sets |he| to NULL on error, we check it further down */ + gethostbyname_r(str, &hostent, buf, sizeof(buf), &he, &h_errnop); +# else /* do a gethostbyname */ CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME); locked = 1; he = BIO_gethostbyname(str); +# endif + if (he == NULL) { BIOerr(BIO_F_BIO_GET_HOST_IP, BIO_R_BAD_HOSTNAME_LOOKUP); goto err; diff --git a/thirdparty/openssl/crypto/bio/bss_log.c b/thirdparty/openssl/crypto/bio/bss_log.c index 1283a525b44..1b063fc2813 100644 --- a/thirdparty/openssl/crypto/bio/bss_log.c +++ b/thirdparty/openssl/crypto/bio/bss_log.c @@ -1,6 +1,6 @@ /* crypto/bio/bss_log.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -242,7 +242,7 @@ static int MS_CALLBACK slg_write(BIO *b, const char *in, int inl) if ((buf = (char *)OPENSSL_malloc(inl + 1)) == NULL) { return (0); } - strncpy(buf, in, inl); + memcpy(buf, in, inl); buf[inl] = '\0'; i = 0; diff --git a/thirdparty/openssl/crypto/bio/bss_mem.c b/thirdparty/openssl/crypto/bio/bss_mem.c index b0394a960da..6ccb8e27886 100644 --- a/thirdparty/openssl/crypto/bio/bss_mem.c +++ b/thirdparty/openssl/crypto/bio/bss_mem.c @@ -188,6 +188,8 @@ static int mem_write(BIO *b, const char *in, int inl) } BIO_clear_retry_flags(b); + if (inl == 0) + return 0; blen = bm->length; if (BUF_MEM_grow_clean(bm, blen + inl) != (blen + inl)) goto end; diff --git a/thirdparty/openssl/crypto/bn/asm/x86_64-gcc.c b/thirdparty/openssl/crypto/bn/asm/x86_64-gcc.c index 1729b479d43..aa94a13d3b1 100644 --- a/thirdparty/openssl/crypto/bn/asm/x86_64-gcc.c +++ b/thirdparty/openssl/crypto/bn/asm/x86_64-gcc.c @@ -55,12 +55,6 @@ * machine. */ -# if defined(_WIN64) || !defined(__LP64__) -# define BN_ULONG unsigned long long -# else -# define BN_ULONG unsigned long -# endif - # undef mul # undef mul_add diff --git a/thirdparty/openssl/crypto/bn/bn_blind.c b/thirdparty/openssl/crypto/bn/bn_blind.c index d448daa3c77..a1e5e139d12 100644 --- a/thirdparty/openssl/crypto/bn/bn_blind.c +++ b/thirdparty/openssl/crypto/bn/bn_blind.c @@ -1,6 +1,6 @@ /* crypto/bn/bn_blind.c */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -206,10 +206,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx) if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) goto err; } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) { - if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) - goto err; - if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)) - goto err; + if (b->m_ctx != NULL) { + if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx) + || !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx)) + goto err; + } else { + if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx) + || !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) + goto err; + } } ret = 1; @@ -241,13 +246,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) else if (!BN_BLINDING_update(b, ctx)) return (0); - if (r != NULL) { - if (!BN_copy(r, b->Ai)) - ret = 0; - } + if (r != NULL && (BN_copy(r, b->Ai) == NULL)) + return 0; - if (!BN_mod_mul(n, n, b->A, b->mod, ctx)) - ret = 0; + if (b->m_ctx != NULL) + ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx); + else + ret = BN_mod_mul(n, n, b->A, b->mod, ctx); return ret; } @@ -264,14 +269,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, bn_check_top(n); - if (r != NULL) - ret = BN_mod_mul(n, n, r, b->mod, ctx); - else { - if (b->Ai == NULL) { - BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); - return (0); + if (r == NULL && (r = b->Ai) == NULL) { + BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); + return 0; + } + + if (b->m_ctx != NULL) { + /* ensure that BN_mod_mul_montgomery takes pre-defined path */ + if (n->dmax >= r->top) { + size_t i, rtop = r->top, ntop = n->top; + BN_ULONG mask; + + for (i = 0; i < rtop; i++) { + mask = (BN_ULONG)0 - ((i - ntop) >> (8 * sizeof(i) - 1)); + n->d[i] &= mask; + } + mask = (BN_ULONG)0 - ((rtop - ntop) >> (8 * sizeof(ntop) - 1)); + /* always true, if (rtop >= ntop) n->top = r->top; */ + n->top = (int)(rtop & ~mask) | (ntop & mask); + n->flags |= (BN_FLG_FIXED_TOP & ~mask); } - ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx); + ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx); + } else { + ret = BN_mod_mul(n, n, r, b->mod, ctx); } bn_check_top(n); @@ -366,14 +386,19 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, } while (1); if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) { - if (!ret->bn_mod_exp - (ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx)) + if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx)) goto err; } else { if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)) goto err; } + if (ret->m_ctx != NULL) { + if (!bn_to_mont_fixed_top(ret->Ai, ret->Ai, ret->m_ctx, ctx) + || !bn_to_mont_fixed_top(ret->A, ret->A, ret->m_ctx, ctx)) + goto err; + } + return ret; err: if (b == NULL && ret != NULL) { diff --git a/thirdparty/openssl/crypto/bn/bn_div.c b/thirdparty/openssl/crypto/bn/bn_div.c index bc37671cf13..460d8b7396f 100644 --- a/thirdparty/openssl/crypto/bn/bn_div.c +++ b/thirdparty/openssl/crypto/bn/bn_div.c @@ -290,6 +290,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, wnum.neg = 0; wnum.d = &(snum->d[loop]); wnum.top = div_n; + wnum.flags = BN_FLG_STATIC_DATA; /* * only needed when BN_ucmp messes up the values between top and max */ diff --git a/thirdparty/openssl/crypto/bn/bn_exp.c b/thirdparty/openssl/crypto/bn/bn_exp.c index 40115fc7205..36b7ba69ade 100644 --- a/thirdparty/openssl/crypto/bn/bn_exp.c +++ b/thirdparty/openssl/crypto/bn/bn_exp.c @@ -290,8 +290,8 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, bits = BN_num_bits(p); if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(r); } else { @@ -432,8 +432,8 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } bits = BN_num_bits(p); if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else { @@ -473,17 +473,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ret = 1; goto err; } - if (!BN_to_montgomery(val[0], aa, mont, ctx)) + if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx)) goto err; /* 1 */ window = BN_window_bits_for_exponent_size(bits); if (window > 1) { - if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) + if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx)) + !bn_mul_mont_fixed_top(val[i], val[i - 1], d, mont, ctx)) goto err; } } @@ -505,19 +505,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, for (i = 1; i < j; i++) r->d[i] = (~m->d[i]) & BN_MASK2; r->top = j; - /* - * Upper words will be zero if the corresponding words of 'm' were - * 0xfff[...], so decrement r->top accordingly. - */ - bn_correct_top(r); + r->flags |= BN_FLG_FIXED_TOP; } else #endif - if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) + if (!bn_to_mont_fixed_top(r, BN_value_one(), mont, ctx)) goto err; for (;;) { if (BN_is_bit_set(p, wstart) == 0) { if (!start) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) + if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx)) goto err; } if (wstart == 0) @@ -548,12 +544,12 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, /* add the 'bytes above' */ if (!start) for (i = 0; i < j; i++) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) + if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx)) goto err; } /* wvalue will be an odd number < 2^window */ - if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) + if (!bn_mul_mont_fixed_top(r, r, val[wvalue >> 1], mont, ctx)) goto err; /* move the 'window' down further */ @@ -563,6 +559,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, if (wstart < 0) break; } + /* + * Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery + * removes padding [if any] and makes return value suitable for public + * API consumer. + */ #if defined(SPARC_T4_MONT) if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) { j = mont->N.top; /* borrow j */ @@ -681,7 +682,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, } b->top = top; - bn_correct_top(b); + b->flags |= BN_FLG_FIXED_TOP; return 1; } @@ -733,8 +734,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, */ bits = p->top * BN_BITS2; if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else { @@ -852,16 +853,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, tmp.top = top; } else #endif - if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx)) + if (!bn_to_mont_fixed_top(&tmp, BN_value_one(), mont, ctx)) goto err; /* prepare a^1 in Montgomery domain */ if (a->neg || BN_ucmp(a, m) >= 0) { if (!BN_mod(&am, a, m, ctx)) goto err; - if (!BN_to_montgomery(&am, &am, mont, ctx)) + if (!bn_to_mont_fixed_top(&am, &am, mont, ctx)) goto err; - } else if (!BN_to_montgomery(&am, a, mont, ctx)) + } else if (!bn_to_mont_fixed_top(&am, a, mont, ctx)) goto err; #if defined(SPARC_T4_MONT) @@ -1128,14 +1129,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, * performance advantage of sqr over mul). */ if (window > 1) { - if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &am, &am, mont, ctx)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, window)) goto err; for (i = 3; i < numPowers; i++) { /* Calculate a^i = a^(i-1) * a */ - if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &am, &tmp, mont, ctx)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i, window)) @@ -1159,7 +1160,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, /* Scan the window, squaring the result as we go */ for (i = 0; i < window; i++, bits--) { - if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &tmp, &tmp, mont, ctx)) goto err; wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); } @@ -1172,12 +1173,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, goto err; /* Multiply the result into the intermediate result */ - if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &tmp, &am, mont, ctx)) goto err; } } - /* Convert the final result from montgomery to standard format */ + /* + * Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery + * removes padding [if any] and makes return value suitable for public + * API consumer. + */ #if defined(SPARC_T4_MONT) if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) { am.d[0] = 1; /* borrow am */ @@ -1247,8 +1252,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, bits = BN_num_bits(p); if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else { @@ -1369,9 +1374,9 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, } bits = BN_num_bits(p); - if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + if (bits == 0) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(r); } else { diff --git a/thirdparty/openssl/crypto/bn/bn_gf2m.c b/thirdparty/openssl/crypto/bn/bn_gf2m.c index 2c61da11093..1d8a271c028 100644 --- a/thirdparty/openssl/crypto/bn/bn_gf2m.c +++ b/thirdparty/openssl/crypto/bn/bn_gf2m.c @@ -36,7 +36,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -103,30 +103,32 @@ */ # define MAX_ITERATIONS 50 -static const BN_ULONG SQR_tb[16] = { 0, 1, 4, 5, 16, 17, 20, 21, - 64, 65, 68, 69, 80, 81, 84, 85 -}; +# define SQR_nibble(w) ((((w) & 8) << 3) \ + | (((w) & 4) << 2) \ + | (((w) & 2) << 1) \ + | ((w) & 1)) + /* Platform-specific macros to accelerate squaring. */ # if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG) # define SQR1(w) \ - SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \ - SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \ - SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \ - SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF] + SQR_nibble((w) >> 60) << 56 | SQR_nibble((w) >> 56) << 48 | \ + SQR_nibble((w) >> 52) << 40 | SQR_nibble((w) >> 48) << 32 | \ + SQR_nibble((w) >> 44) << 24 | SQR_nibble((w) >> 40) << 16 | \ + SQR_nibble((w) >> 36) << 8 | SQR_nibble((w) >> 32) # define SQR0(w) \ - SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \ - SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \ - SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \ - SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] + SQR_nibble((w) >> 28) << 56 | SQR_nibble((w) >> 24) << 48 | \ + SQR_nibble((w) >> 20) << 40 | SQR_nibble((w) >> 16) << 32 | \ + SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \ + SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) ) # endif # ifdef THIRTY_TWO_BIT # define SQR1(w) \ - SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \ - SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF] + SQR_nibble((w) >> 28) << 24 | SQR_nibble((w) >> 24) << 16 | \ + SQR_nibble((w) >> 20) << 8 | SQR_nibble((w) >> 16) # define SQR0(w) \ - SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \ - SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] + SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \ + SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) ) # endif # if !defined(OPENSSL_BN_ASM_GF2m) diff --git a/thirdparty/openssl/crypto/bn/bn_lcl.h b/thirdparty/openssl/crypto/bn/bn_lcl.h index 00f4f09945b..6f7335b7a5c 100644 --- a/thirdparty/openssl/crypto/bn/bn_lcl.h +++ b/thirdparty/openssl/crypto/bn/bn_lcl.h @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -113,6 +113,7 @@ # define HEADER_BN_LCL_H # include +# include "bn_int.h" #ifdef __cplusplus extern "C" { diff --git a/thirdparty/openssl/crypto/bn/bn_lib.c b/thirdparty/openssl/crypto/bn/bn_lib.c index 27b9bdbc3c2..9b95e5f2bd9 100644 --- a/thirdparty/openssl/crypto/bn/bn_lib.c +++ b/thirdparty/openssl/crypto/bn/bn_lib.c @@ -263,8 +263,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) const BN_ULONG *B; int i; - bn_check_top(b); - if (words > (INT_MAX / (4 * BN_BITS2))) { BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG); return NULL; @@ -398,8 +396,6 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words) BIGNUM *bn_expand2(BIGNUM *b, int words) { - bn_check_top(b); - if (words > b->dmax) { BN_ULONG *a = bn_expand_internal(b, words); if (!a) @@ -433,7 +429,6 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) assert(A == &(b->d[b->dmax])); } #endif - bn_check_top(b); return b; } @@ -497,12 +492,18 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b) memcpy(a->d, b->d, sizeof(b->d[0]) * b->top); #endif - a->top = b->top; a->neg = b->neg; + a->top = b->top; + a->flags |= b->flags & BN_FLG_FIXED_TOP; bn_check_top(a); return (a); } +#define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \ + | BN_FLG_CONSTTIME \ + | BN_FLG_FIXED_TOP)) +#define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED)) + void BN_swap(BIGNUM *a, BIGNUM *b) { int flags_old_a, flags_old_b; @@ -530,10 +531,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b) b->dmax = tmp_dmax; b->neg = tmp_neg; - a->flags = - (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA); - b->flags = - (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA); + a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b); + b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a); bn_check_top(a); bn_check_top(b); } @@ -545,6 +544,7 @@ void BN_clear(BIGNUM *a) OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0])); a->top = 0; a->neg = 0; + a->flags &= ~BN_FLG_FIXED_TOP; } BN_ULONG BN_get_word(const BIGNUM *a) @@ -565,6 +565,7 @@ int BN_set_word(BIGNUM *a, BN_ULONG w) a->neg = 0; a->d[0] = w; a->top = (w ? 1 : 0); + a->flags &= ~BN_FLG_FIXED_TOP; bn_check_top(a); return (1); } @@ -613,6 +614,55 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) } /* ignore negative */ +static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +{ + int n; + size_t i, lasti, j, atop, mask; + BN_ULONG l; + + /* + * In case |a| is fixed-top, BN_num_bytes can return bogus length, + * but it's assumed that fixed-top inputs ought to be "nominated" + * even for padded output, so it works out... + */ + n = BN_num_bytes(a); + if (tolen == -1) { + tolen = n; + } else if (tolen < n) { /* uncommon/unlike case */ + BIGNUM temp = *a; + + bn_correct_top(&temp); + n = BN_num_bytes(&temp); + if (tolen < n) + return -1; + } + + /* Swipe through whole available data and don't give away padded zero. */ + atop = a->dmax * BN_BYTES; + if (atop == 0) { + OPENSSL_cleanse(to, tolen); + return tolen; + } + + lasti = atop - 1; + atop = a->top * BN_BYTES; + for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) { + l = a->d[i / BN_BYTES]; + mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1)); + *--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); + i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */ + } + + return tolen; +} + +int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +{ + if (tolen < 0) + return -1; + return bn2binpad(a, to, tolen); +} + int BN_bn2bin(const BIGNUM *a, unsigned char *to) { int n, i; @@ -711,6 +761,7 @@ int BN_set_bit(BIGNUM *a, int n) for (k = a->top; k < i + 1; k++) a->d[k] = 0; a->top = i + 1; + a->flags &= ~BN_FLG_FIXED_TOP; } a->d[i] |= (((BN_ULONG)1) << j); @@ -852,6 +903,38 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) a->top ^= t; b->top ^= t; + t = (a->neg ^ b->neg) & condition; + a->neg ^= t; + b->neg ^= t; + + /*- + * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention + * is actually to treat it as it's read-only data, and some (if not most) + * of it does reside in read-only segment. In other words observation of + * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or effectively cause data + * corruption. + * + * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be + * preserved. + * + * BN_FLG_SECURE: must be preserved, because it determines how x->d was + * allocated and hence how to free it. + * + * BN_FLG_CONSTTIME: sufficient to mask and swap + * + * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on + * the data, so the d array may be padded with additional 0 values (i.e. + * top could be greater than the minimal value that it could be). We should + * be swapping it + */ + +#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) + + t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; + a->flags ^= t; + b->flags ^= t; + #define BN_CONSTTIME_SWAP(ind) \ do { \ t = (a->d[ind] ^ b->d[ind]) & condition; \ diff --git a/thirdparty/openssl/crypto/bn/bn_mod.c b/thirdparty/openssl/crypto/bn/bn_mod.c index ffbce890cf2..255e6e47239 100644 --- a/thirdparty/openssl/crypto/bn/bn_mod.c +++ b/thirdparty/openssl/crypto/bn/bn_mod.c @@ -4,7 +4,7 @@ * for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -149,16 +149,72 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, /* * BN_mod_add variant that may be used if both a and b are non-negative and - * less than m + * less than m. The original algorithm was + * + * if (!BN_uadd(r, a, b)) + * return 0; + * if (BN_ucmp(r, m) >= 0) + * return BN_usub(r, r, m); + * + * which is replaced with addition, subtracting modulus, and conditional + * move depending on whether or not subtraction borrowed. */ +int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m) +{ + size_t i, ai, bi, mtop = m->top; + BN_ULONG storage[1024 / BN_BITS2]; + BN_ULONG carry, temp, mask, *rp, *tp = storage; + const BN_ULONG *ap, *bp; + + if (bn_wexpand(r, m->top) == NULL) + return 0; + + if (mtop > sizeof(storage) / sizeof(storage[0]) + && (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL) + return 0; + + ap = a->d != NULL ? a->d : tp; + bp = b->d != NULL ? b->d : tp; + + for (i = 0, ai = 0, bi = 0, carry = 0; i < mtop;) { + mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1)); + temp = ((ap[ai] & mask) + carry) & BN_MASK2; + carry = (temp < carry); + + mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1)); + tp[i] = ((bp[bi] & mask) + temp) & BN_MASK2; + carry += (tp[i] < temp); + + i++; + ai += (i - a->dmax) >> (8 * sizeof(i) - 1); + bi += (i - b->dmax) >> (8 * sizeof(i) - 1); + } + rp = r->d; + carry -= bn_sub_words(rp, tp, m->d, mtop); + for (i = 0; i < mtop; i++) { + rp[i] = (carry & tp[i]) | (~carry & rp[i]); + ((volatile BN_ULONG *)tp)[i] = 0; + } + r->top = mtop; + r->flags |= BN_FLG_FIXED_TOP; + r->neg = 0; + + if (tp != storage) + OPENSSL_free(tp); + + return 1; +} + int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m) { - if (!BN_uadd(r, a, b)) - return 0; - if (BN_ucmp(r, m) >= 0) - return BN_usub(r, r, m); - return 1; + int ret = bn_mod_add_fixed_top(r, a, b, m); + + if (ret) + bn_correct_top(r); + + return ret; } int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, @@ -169,6 +225,70 @@ int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, return BN_nnmod(r, r, m, ctx); } +/* + * BN_mod_sub variant that may be used if both a and b are non-negative, + * a is less than m, while b is of same bit width as m. It's implemented + * as subtraction followed by two conditional additions. + * + * 0 <= a < m + * 0 <= b < 2^w < 2*m + * + * after subtraction + * + * -2*m < r = a - b < m + * + * Thus it takes up to two conditional additions to make |r| positive. + */ +int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m) +{ + size_t i, ai, bi, mtop = m->top; + BN_ULONG borrow, carry, ta, tb, mask, *rp; + const BN_ULONG *ap, *bp; + + if (bn_wexpand(r, m->top) == NULL) + return 0; + + rp = r->d; + ap = a->d != NULL ? a->d : rp; + bp = b->d != NULL ? b->d : rp; + + for (i = 0, ai = 0, bi = 0, borrow = 0; i < mtop;) { + mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1)); + ta = ap[ai] & mask; + + mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1)); + tb = bp[bi] & mask; + rp[i] = ta - tb - borrow; + if (ta != tb) + borrow = (ta < tb); + + i++; + ai += (i - a->dmax) >> (8 * sizeof(i) - 1); + bi += (i - b->dmax) >> (8 * sizeof(i) - 1); + } + ap = m->d; + for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) { + ta = ((ap[i] & mask) + carry) & BN_MASK2; + carry = (ta < carry); + rp[i] = (rp[i] + ta) & BN_MASK2; + carry += (rp[i] < ta); + } + borrow -= carry; + for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) { + ta = ((ap[i] & mask) + carry) & BN_MASK2; + carry = (ta < carry); + rp[i] = (rp[i] + ta) & BN_MASK2; + carry += (rp[i] < ta); + } + + r->top = mtop; + r->flags |= BN_FLG_FIXED_TOP; + r->neg = 0; + + return 1; +} + /* * BN_mod_sub variant that may be used if both a and b are non-negative and * less than m diff --git a/thirdparty/openssl/crypto/bn/bn_mont.c b/thirdparty/openssl/crypto/bn/bn_mont.c index c1703650ef1..76eca50d32f 100644 --- a/thirdparty/openssl/crypto/bn/bn_mont.c +++ b/thirdparty/openssl/crypto/bn/bn_mont.c @@ -123,11 +123,22 @@ #define MONT_WORD /* use the faster word-based algorithm */ #ifdef MONT_WORD -static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont); +static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont); #endif int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_MONT_CTX *mont, BN_CTX *ctx) +{ + int ret = bn_mul_mont_fixed_top(r, a, b, mont, ctx); + + bn_correct_top(r); + bn_check_top(r); + + return ret; +} + +int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mont, BN_CTX *ctx) { BIGNUM *tmp; int ret = 0; @@ -140,8 +151,8 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) { r->neg = a->neg ^ b->neg; r->top = num; - bn_correct_top(r); - return (1); + r->flags |= BN_FLG_FIXED_TOP; + return 1; } } #endif @@ -153,21 +164,20 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, bn_check_top(tmp); if (a == b) { - if (!BN_sqr(tmp, a, ctx)) + if (!bn_sqr_fixed_top(tmp, a, ctx)) goto err; } else { - if (!BN_mul(tmp, a, b, ctx)) + if (!bn_mul_fixed_top(tmp, a, b, ctx)) goto err; } /* reduce from aRR to aR */ #ifdef MONT_WORD - if (!BN_from_montgomery_word(r, tmp, mont)) + if (!bn_from_montgomery_word(r, tmp, mont)) goto err; #else if (!BN_from_montgomery(r, tmp, mont, ctx)) goto err; #endif - bn_check_top(r); ret = 1; err: BN_CTX_end(ctx); @@ -175,11 +185,12 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, } #ifdef MONT_WORD -static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) +static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) { BIGNUM *n; BN_ULONG *ap, *np, *rp, n0, v, carry; int nl, max, i; + unsigned int rtop; n = &(mont->N); nl = n->top; @@ -197,14 +208,13 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) rp = r->d; /* clear the top words of T */ -# if 1 - for (i = r->top; i < max; i++) /* memset? XXX */ - rp[i] = 0; -# else - memset(&(rp[r->top]), 0, (max - r->top) * sizeof(BN_ULONG)); -# endif + for (rtop = r->top, i = 0; i < max; i++) { + v = (BN_ULONG)0 - ((i - rtop) >> (8 * sizeof(rtop) - 1)); + rp[i] &= v; + } r->top = max; + r->flags |= BN_FLG_FIXED_TOP; n0 = mont->n0[0]; /* @@ -223,6 +233,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) if (bn_wexpand(ret, nl) == NULL) return (0); ret->top = nl; + ret->flags |= BN_FLG_FIXED_TOP; ret->neg = r->neg; rp = ret->d; @@ -233,20 +244,16 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) */ ap = &(r->d[nl]); + carry -= bn_sub_words(rp, ap, np, nl); /* - * |v| is one if |ap| - |np| underflowed or zero if it did not. Note |v| - * cannot be -1. That would imply the subtraction did not fit in |nl| words, - * and we know at most one subtraction is needed. + * |carry| is -1 if |ap| - |np| underflowed or zero if it did not. Note + * |carry| cannot be 1. That would imply the subtraction did not fit in + * |nl| words, and we know at most one subtraction is needed. */ - v = bn_sub_words(rp, ap, np, nl) - carry; - v = 0 - v; for (i = 0; i < nl; i++) { - rp[i] = (v & ap[i]) | (~v & rp[i]); + rp[i] = (carry & ap[i]) | (~carry & rp[i]); ap[i] = 0; } - bn_correct_top(r); - bn_correct_top(ret); - bn_check_top(ret); return (1); } @@ -254,14 +261,27 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx) +{ + int retn; + + retn = bn_from_mont_fixed_top(ret, a, mont, ctx); + bn_correct_top(ret); + bn_check_top(ret); + + return retn; +} + +int bn_from_mont_fixed_top(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx) { int retn = 0; #ifdef MONT_WORD BIGNUM *t; BN_CTX_start(ctx); - if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) - retn = BN_from_montgomery_word(ret, t, mont); + if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) { + retn = bn_from_montgomery_word(ret, t, mont); + } BN_CTX_end(ctx); #else /* !MONT_WORD */ BIGNUM *t1, *t2; @@ -299,6 +319,12 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, return (retn); } +int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx) +{ + return bn_mul_mont_fixed_top(r, a, &(mont->RR), mont, ctx); +} + BN_MONT_CTX *BN_MONT_CTX_new(void) { BN_MONT_CTX *ret; @@ -335,7 +361,7 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont) int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) { - int ret = 0; + int i, ret = 0; BIGNUM *Ri, *R; if (BN_is_zero(mod)) @@ -466,6 +492,11 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx)) goto err; + for (i = mont->RR.top, ret = mont->N.top; i < ret; i++) + mont->RR.d[i] = 0; + mont->RR.top = ret; + mont->RR.flags |= BN_FLG_FIXED_TOP; + ret = 1; err: BN_CTX_end(ctx); diff --git a/thirdparty/openssl/crypto/bn/bn_mul.c b/thirdparty/openssl/crypto/bn/bn_mul.c index 6b455a755f7..f44e5e5c1e0 100644 --- a/thirdparty/openssl/crypto/bn/bn_mul.c +++ b/thirdparty/openssl/crypto/bn/bn_mul.c @@ -935,6 +935,16 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2, #endif /* BN_RECURSION */ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) +{ + int ret = bn_mul_fixed_top(r, a, b, ctx); + + bn_correct_top(r); + bn_check_top(r); + + return ret; +} + +int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { int ret = 0; int top, al, bl; @@ -1042,7 +1052,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) #if defined(BN_MUL_COMBA) || defined(BN_RECURSION) end: #endif - bn_correct_top(rr); + rr->flags |= BN_FLG_FIXED_TOP; if (r != rr && BN_copy(r, rr) == NULL) goto err; diff --git a/thirdparty/openssl/crypto/bn/bn_sqr.c b/thirdparty/openssl/crypto/bn/bn_sqr.c index 256d26e8dbe..44bc55473f1 100644 --- a/thirdparty/openssl/crypto/bn/bn_sqr.c +++ b/thirdparty/openssl/crypto/bn/bn_sqr.c @@ -65,6 +65,16 @@ * I've just gone over this and it is now %20 faster on x86 - eay - 27 Jun 96 */ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) +{ + int ret = bn_sqr_fixed_top(r, a, ctx); + + bn_correct_top(r); + bn_check_top(r); + + return ret; +} + +int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) { int max, al; int ret = 0; @@ -135,14 +145,8 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) } rr->neg = 0; - /* - * If the most-significant half of the top word of 'a' is zero, then the - * square of 'a' will max-1 words. - */ - if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l)) - rr->top = max - 1; - else - rr->top = max; + rr->top = max; + rr->flags |= BN_FLG_FIXED_TOP; if (r != rr && BN_copy(r, rr) == NULL) goto err; diff --git a/thirdparty/openssl/crypto/bn/bn_x931p.c b/thirdparty/openssl/crypto/bn/bn_x931p.c index f444af3feab..e40241ffc99 100644 --- a/thirdparty/openssl/crypto/bn/bn_x931p.c +++ b/thirdparty/openssl/crypto/bn/bn_x931p.c @@ -4,7 +4,7 @@ * 2005. */ /* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 2005-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -223,8 +223,10 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) for (i = 0; i < 1000; i++) { if (!BN_rand(Xq, nbits, 1, 0)) goto err; + /* Check that |Xp - Xq| > 2^(nbits - 100) */ - BN_sub(t, Xp, Xq); + if (!BN_sub(t, Xp, Xq)) + goto err; if (BN_num_bits(t) > (nbits - 100)) break; } diff --git a/thirdparty/openssl/crypto/bn_int.h b/thirdparty/openssl/crypto/bn_int.h new file mode 100644 index 00000000000..a552cc20be9 --- /dev/null +++ b/thirdparty/openssl/crypto/bn_int.h @@ -0,0 +1,21 @@ +/* + * Some BIGNUM functions assume most significant limb to be non-zero, which + * is customarily arranged by bn_correct_top. Output from below functions + * is not processed with bn_correct_top, and for this reason it may not be + * returned out of public API. It may only be passed internally into other + * functions known to support non-minimal or zero-padded BIGNUMs. + */ +int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mont, BN_CTX *ctx); +int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx); +int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx); +int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m); +int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m); +int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); +int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); + +int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen); diff --git a/thirdparty/openssl/crypto/conf/conf_api.c b/thirdparty/openssl/crypto/conf/conf_api.c index 4cf7553376e..480781d205c 100644 --- a/thirdparty/openssl/crypto/conf/conf_api.c +++ b/thirdparty/openssl/crypto/conf/conf_api.c @@ -66,6 +66,7 @@ #include #include #include +#include "cryptlib.h" #include #include #include "e_os.h" @@ -141,7 +142,7 @@ char *_CONF_get_string(const CONF *conf, const char *section, if (v != NULL) return (v->value); if (strcmp(section, "ENV") == 0) { - p = getenv(name); + p = ossl_safe_getenv(name); if (p != NULL) return (p); } @@ -154,7 +155,7 @@ char *_CONF_get_string(const CONF *conf, const char *section, else return (NULL); } else - return (getenv(name)); + return (ossl_safe_getenv(name)); } #if 0 /* There's no way to provide error checking @@ -290,6 +291,8 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section) vv = lh_CONF_VALUE_insert(conf->data, v); OPENSSL_assert(vv == NULL); + if (lh_CONF_VALUE_error(conf->data) > 0) + goto err; ok = 1; err: if (!ok) { diff --git a/thirdparty/openssl/crypto/conf/conf_mod.c b/thirdparty/openssl/crypto/conf/conf_mod.c index e2a9a81678e..1df463dd1bc 100644 --- a/thirdparty/openssl/crypto/conf/conf_mod.c +++ b/thirdparty/openssl/crypto/conf/conf_mod.c @@ -4,7 +4,7 @@ * 2001. */ /* ==================================================================== - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -530,7 +530,7 @@ char *CONF_get1_default_config_file(void) char *file; int len; - file = getenv("OPENSSL_CONF"); + file = ossl_safe_getenv("OPENSSL_CONF"); if (file) return BUF_strdup(file); diff --git a/thirdparty/openssl/crypto/cryptlib.h b/thirdparty/openssl/crypto/cryptlib.h index fba180a6b2f..cdbddf17350 100644 --- a/thirdparty/openssl/crypto/cryptlib.h +++ b/thirdparty/openssl/crypto/cryptlib.h @@ -104,6 +104,8 @@ void OPENSSL_showfatal(const char *fmta, ...); void *OPENSSL_stderr(void); extern int OPENSSL_NONPIC_relocated; +char *ossl_safe_getenv(const char *); + #ifdef __cplusplus } #endif diff --git a/thirdparty/openssl/crypto/dh/dh_key.c b/thirdparty/openssl/crypto/dh/dh_key.c index 387558f1467..f235e0d682b 100644 --- a/thirdparty/openssl/crypto/dh/dh_key.c +++ b/thirdparty/openssl/crypto/dh/dh_key.c @@ -130,10 +130,15 @@ static int generate_key(DH *dh) int ok = 0; int generate_new_key = 0; unsigned l; - BN_CTX *ctx; + BN_CTX *ctx = NULL; BN_MONT_CTX *mont = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); + return 0; + } + ctx = BN_CTX_new(); if (ctx == NULL) goto err; diff --git a/thirdparty/openssl/crypto/dh/dh_pmeth.c b/thirdparty/openssl/crypto/dh/dh_pmeth.c index 6452482c87d..162753af071 100644 --- a/thirdparty/openssl/crypto/dh/dh_pmeth.c +++ b/thirdparty/openssl/crypto/dh/dh_pmeth.c @@ -3,7 +3,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -486,7 +486,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, return ret; } #endif - return 1; + return 0; } const EVP_PKEY_METHOD dh_pkey_meth = { diff --git a/thirdparty/openssl/crypto/dsa/dsa_err.c b/thirdparty/openssl/crypto/dsa/dsa_err.c index f5ddc66b8a7..7e507faa36c 100644 --- a/thirdparty/openssl/crypto/dsa/dsa_err.c +++ b/thirdparty/openssl/crypto/dsa/dsa_err.c @@ -1,6 +1,6 @@ /* crypto/dsa/dsa_err.c */ /* ==================================================================== - * Copyright (c) 1999-2013 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -95,6 +95,7 @@ static ERR_STRING_DATA DSA_str_functs[] = { {ERR_FUNC(DSA_F_I2D_DSA_SIG), "i2d_DSA_SIG"}, {ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE), "OLD_DSA_PRIV_DECODE"}, {ERR_FUNC(DSA_F_PKEY_DSA_CTRL), "PKEY_DSA_CTRL"}, + {ERR_FUNC(DSA_F_PKEY_DSA_CTRL_STR), "PKEY_DSA_CTRL_STR"}, {ERR_FUNC(DSA_F_PKEY_DSA_KEYGEN), "PKEY_DSA_KEYGEN"}, {ERR_FUNC(DSA_F_SIG_CB), "SIG_CB"}, {0, NULL} diff --git a/thirdparty/openssl/crypto/dsa/dsa_gen.c b/thirdparty/openssl/crypto/dsa/dsa_gen.c index 21af2e159fb..e55d585890d 100644 --- a/thirdparty/openssl/crypto/dsa/dsa_gen.c +++ b/thirdparty/openssl/crypto/dsa/dsa_gen.c @@ -146,9 +146,16 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, /* invalid q size */ return 0; - if (evpmd == NULL) - /* use SHA1 as default */ - evpmd = EVP_sha1(); + if (evpmd == NULL) { + if (qsize == SHA_DIGEST_LENGTH) + evpmd = EVP_sha1(); + else if (qsize == SHA224_DIGEST_LENGTH) + evpmd = EVP_sha224(); + else + evpmd = EVP_sha256(); + } else { + qsize = EVP_MD_size(evpmd); + } if (bits < 512) bits = 512; @@ -428,6 +435,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, EVP_MD_CTX_init(&mctx); + /* make sure L > N, otherwise we'll get trapped in an infinite loop */ + if (L <= N) { + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS); + goto err; + } + if (evpmd == NULL) { if (N == 160) evpmd = EVP_sha1(); diff --git a/thirdparty/openssl/crypto/dsa/dsa_ossl.c b/thirdparty/openssl/crypto/dsa/dsa_ossl.c index aa10dd12f6f..c887c3c34e3 100644 --- a/thirdparty/openssl/crypto/dsa/dsa_ossl.c +++ b/thirdparty/openssl/crypto/dsa/dsa_ossl.c @@ -73,6 +73,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", @@ -133,17 +135,13 @@ const DSA_METHOD *DSA_OpenSSL(void) static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *kinv = NULL, *r = NULL, *s = NULL; - BIGNUM m; - BIGNUM xr; + BIGNUM *m, *blind, *blindm, *tmp; BN_CTX *ctx = NULL; int reason = ERR_R_BN_LIB; DSA_SIG *ret = NULL; int noredo = 0; - BN_init(&m); - BN_init(&xr); - - if (!dsa->p || !dsa->q || !dsa->g) { + if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) { reason = DSA_R_MISSING_PARAMETERS; goto err; } @@ -154,6 +152,13 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) ctx = BN_CTX_new(); if (ctx == NULL) goto err; + m = BN_CTX_get(ctx); + blind = BN_CTX_get(ctx); + blindm = BN_CTX_get(ctx); + tmp = BN_CTX_get(ctx); + if (tmp == NULL) + goto err; + redo: if ((dsa->kinv == NULL) || (dsa->r == NULL)) { if (!DSA_sign_setup(dsa, ctx, &kinv, &r)) @@ -173,20 +178,52 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) * 4.2 */ dlen = BN_num_bytes(dsa->q); - if (BN_bin2bn(dgst, dlen, &m) == NULL) + if (BN_bin2bn(dgst, dlen, m) == NULL) goto err; - /* Compute s = inv(k) (m + xr) mod q */ - if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) - goto err; /* s = xr */ - if (!BN_add(s, &xr, &m)) - goto err; /* s = m + xr */ - if (BN_cmp(s, dsa->q) > 0) - if (!BN_sub(s, s, dsa->q)) + /* + * The normal signature calculation is: + * + * s := k^-1 * (m + r * priv_key) mod q + * + * We will blind this to protect against side channel attacks + * + * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q + */ + + /* Generate a blinding value */ + do { + if (!BN_rand(blind, BN_num_bits(dsa->q) - 1, -1, 0)) goto err; + } while (BN_is_zero(blind)); + BN_set_flags(blind, BN_FLG_CONSTTIME); + BN_set_flags(blindm, BN_FLG_CONSTTIME); + BN_set_flags(tmp, BN_FLG_CONSTTIME); + + /* tmp := blind * priv_key * r mod q */ + if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx)) + goto err; + if (!BN_mod_mul(tmp, tmp, r, dsa->q, ctx)) + goto err; + + /* blindm := blind * m mod q */ + if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx)) + goto err; + + /* s : = (blind * priv_key * r) + (blind * m) mod q */ + if (!BN_mod_add_quick(s, tmp, blindm, dsa->q)) + goto err; + + /* s := s * k^-1 mod q */ if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) goto err; + /* s:= s * blind^-1 mod q */ + if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL) + goto err; + if (!BN_mod_mul(s, s, blind, dsa->q, ctx)) + goto err; + /* * Redo if r or s is zero as required by FIPS 186-3: this is very * unlikely. @@ -210,13 +247,9 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) BN_free(r); BN_free(s); } - if (ctx != NULL) - BN_CTX_free(ctx); - BN_clear_free(&m); - BN_clear_free(&xr); - if (kinv != NULL) /* dsa->kinv is NULL now if we used it */ - BN_clear_free(kinv); - return (ret); + BN_CTX_free(ctx); + BN_clear_free(kinv); + return ret; } static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, @@ -248,7 +281,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, goto err; /* Preallocate space */ - q_bits = BN_num_bits(dsa->q); + q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16; if (!BN_set_bit(&k, q_bits) || !BN_set_bit(&l, q_bits) || !BN_set_bit(&m, q_bits)) @@ -262,9 +295,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { BN_set_flags(&k, BN_FLG_CONSTTIME); + BN_set_flags(&l, BN_FLG_CONSTTIME); } - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, CRYPTO_LOCK_DSA, dsa->p, ctx)) @@ -302,8 +335,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, if (!BN_mod(r, r, dsa->q, ctx)) goto err; - /* Compute part of 's = inv(k) (m + xr) mod q' */ - if ((kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx)) == NULL) + /* Compute part of 's = inv(k) (m + xr) mod q' */ + if ((kinv = dsa_mod_inverse_fermat(&k, dsa->q, ctx)) == NULL) goto err; if (*kinvp != NULL) @@ -437,3 +470,31 @@ static int dsa_finish(DSA *dsa) BN_MONT_CTX_free(dsa->method_mont_p); return (1); } + +/* + * Compute the inverse of k modulo q. + * Since q is prime, Fermat's Little Theorem applies, which reduces this to + * mod-exp operation. Both the exponent and modulus are public information + * so a mod-exp that doesn't leak the base is sufficient. A newly allocated + * BIGNUM is returned which the caller must free. + */ +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx) +{ + BIGNUM *res = NULL; + BIGNUM *r, e; + + if ((r = BN_new()) == NULL) + return NULL; + + BN_init(&e); + + if (BN_set_word(r, 2) + && BN_sub(&e, q, r) + && BN_mod_exp_mont(r, k, &e, q, ctx, NULL)) + res = r; + else + BN_free(r); + BN_free(&e); + return res; +} diff --git a/thirdparty/openssl/crypto/dsa/dsa_pmeth.c b/thirdparty/openssl/crypto/dsa/dsa_pmeth.c index 78724839b52..7f00e97036f 100644 --- a/thirdparty/openssl/crypto/dsa/dsa_pmeth.c +++ b/thirdparty/openssl/crypto/dsa/dsa_pmeth.c @@ -3,7 +3,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -230,10 +230,16 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx, EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits, NULL); } - if (!strcmp(type, "dsa_paramgen_md")) { + if (strcmp(type, "dsa_paramgen_md") == 0) { + const EVP_MD *md = EVP_get_digestbyname(value); + + if (md == NULL) { + DSAerr(DSA_F_PKEY_DSA_CTRL_STR, DSA_R_INVALID_DIGEST_TYPE); + return 0; + } return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, - (void *)EVP_get_digestbyname(value)); + (void *)md); } return -2; } diff --git a/thirdparty/openssl/crypto/ec/ec_ameth.c b/thirdparty/openssl/crypto/ec/ec_ameth.c index 2c41c6e7a9f..aa5f3056af7 100644 --- a/thirdparty/openssl/crypto/ec/ec_ameth.c +++ b/thirdparty/openssl/crypto/ec/ec_ameth.c @@ -3,7 +3,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -143,19 +143,19 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) static EC_KEY *eckey_type2param(int ptype, void *pval) { EC_KEY *eckey = NULL; + EC_GROUP *group = NULL; + if (ptype == V_ASN1_SEQUENCE) { - ASN1_STRING *pstr = pval; - const unsigned char *pm = NULL; - int pmlen; - pm = pstr->data; - pmlen = pstr->length; - if (!(eckey = d2i_ECParameters(NULL, &pm, pmlen))) { + const ASN1_STRING *pstr = pval; + const unsigned char *pm = pstr->data; + int pmlen = pstr->length; + + if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) { ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); goto ecerr; } } else if (ptype == V_ASN1_OBJECT) { - ASN1_OBJECT *poid = pval; - EC_GROUP *group; + const ASN1_OBJECT *poid = pval; /* * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID @@ -179,8 +179,8 @@ static EC_KEY *eckey_type2param(int ptype, void *pval) return eckey; ecerr: - if (eckey) - EC_KEY_free(eckey); + EC_KEY_free(eckey); + EC_GROUP_free(group); return NULL; } diff --git a/thirdparty/openssl/crypto/ec/ec_lcl.h b/thirdparty/openssl/crypto/ec/ec_lcl.h index 969fd147ef9..8665a4c9c7d 100644 --- a/thirdparty/openssl/crypto/ec/ec_lcl.h +++ b/thirdparty/openssl/crypto/ec/ec_lcl.h @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -214,7 +214,7 @@ struct ec_group_st { int asn1_flag; /* flag to control the asn1 encoding */ /* * Kludge: upper bit of ans1_flag is used to denote structure - * version. Is set, then last field is present. This is done + * version. If set, then last field is present. This is done * for interoperation with FIPS code. */ #define EC_GROUP_ASN1_FLAG_MASK 0x7fffffff @@ -549,7 +549,6 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, unsigned char *digit, unsigned char in); #endif -int ec_precompute_mont_data(EC_GROUP *); #ifdef ECP_NISTZ256_ASM /** Returns GFp methods using montgomery multiplication, with x86-64 optimized diff --git a/thirdparty/openssl/crypto/ec/ec_lib.c b/thirdparty/openssl/crypto/ec/ec_lib.c index 3241aa51d9f..df56484b5ee 100644 --- a/thirdparty/openssl/crypto/ec/ec_lib.c +++ b/thirdparty/openssl/crypto/ec/ec_lib.c @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -70,6 +70,10 @@ const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT; +/* local function prototypes */ + +static int ec_precompute_mont_data(EC_GROUP *group); + /* functions for EC_GROUP objects */ EC_GROUP *EC_GROUP_new(const EC_METHOD *meth) @@ -318,12 +322,24 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, } else BN_zero(&group->cofactor); - /* - * We ignore the return value because some groups have an order with - * factors of two, which makes the Montgomery setup fail. - * |group->mont_data| will be NULL in this case. + /*- + * Access to the `mont_data` field of an EC_GROUP struct should always be + * guarded by an EC_GROUP_VERSION(group) check to avoid OOB accesses, as the + * group might come from the FIPS module, which does not define the + * `mont_data` field inside the EC_GROUP structure. */ - ec_precompute_mont_data(group); + if (EC_GROUP_VERSION(group)) { + /*- + * Some groups have an order with + * factors of two, which makes the Montgomery setup fail. + * |group->mont_data| will be NULL in this case. + */ + if (BN_is_odd(&group->order)) + return ec_precompute_mont_data(group); + + BN_MONT_CTX_free(group->mont_data); + group->mont_data = NULL; + } return 1; } @@ -1094,18 +1110,23 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group) * been performed */ } -/* +/*- * ec_precompute_mont_data sets |group->mont_data| from |group->order| and * returns one on success. On error it returns zero. + * + * Note: this function must be called only after verifying that + * EC_GROUP_VERSION(group) returns true. + * The reason for this is that access to the `mont_data` field of an EC_GROUP + * struct should always be guarded by an EC_GROUP_VERSION(group) check to avoid + * OOB accesses, as the group might come from the FIPS module, which does not + * define the `mont_data` field inside the EC_GROUP structure. */ +static int ec_precompute_mont_data(EC_GROUP *group) { BN_CTX *ctx = BN_CTX_new(); int ret = 0; - if (!EC_GROUP_VERSION(group)) - goto err; - if (group->mont_data) { BN_MONT_CTX_free(group->mont_data); group->mont_data = NULL; diff --git a/thirdparty/openssl/crypto/ec/ec_mult.c b/thirdparty/openssl/crypto/ec/ec_mult.c index 2231f9957ef..da71526818f 100644 --- a/thirdparty/openssl/crypto/ec/ec_mult.c +++ b/thirdparty/openssl/crypto/ec/ec_mult.c @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -310,6 +310,224 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) return r; } +#define EC_POINT_BN_set_flags(P, flags) do { \ + BN_set_flags(&(P)->X, (flags)); \ + BN_set_flags(&(P)->Y, (flags)); \ + BN_set_flags(&(P)->Z, (flags)); \ +} while(0) + +/*- + * This functions computes (in constant time) a point multiplication over the + * EC group. + * + * At a high level, it is Montgomery ladder with conditional swaps. + * + * It performs either a fixed scalar point multiplication + * (scalar * generator) + * when point is NULL, or a generic scalar point multiplication + * (scalar * point) + * when point is not NULL. + * + * scalar should be in the range [0,n) otherwise all constant time bets are off. + * + * NB: This says nothing about EC_POINT_add and EC_POINT_dbl, + * which of course are not constant time themselves. + * + * The product is stored in r. + * + * Returns 1 on success, 0 otherwise. + */ +static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, const EC_POINT *point, + BN_CTX *ctx) +{ + int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; + EC_POINT *s = NULL; + BIGNUM *k = NULL; + BIGNUM *lambda = NULL; + BIGNUM *cardinality = NULL; + BN_CTX *new_ctx = NULL; + int ret = 0; + + if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL) + return 0; + + BN_CTX_start(ctx); + + s = EC_POINT_new(group); + if (s == NULL) + goto err; + + if (point == NULL) { + if (!EC_POINT_copy(s, group->generator)) + goto err; + } else { + if (!EC_POINT_copy(s, point)) + goto err; + } + + EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); + + cardinality = BN_CTX_get(ctx); + lambda = BN_CTX_get(ctx); + k = BN_CTX_get(ctx); + if (k == NULL || !BN_mul(cardinality, &group->order, &group->cofactor, ctx)) + goto err; + + /* + * Group cardinalities are often on a word boundary. + * So when we pad the scalar, some timing diff might + * pop if it needs to be expanded due to carries. + * So expand ahead of time. + */ + cardinality_bits = BN_num_bits(cardinality); + group_top = cardinality->top; + if ((bn_wexpand(k, group_top + 2) == NULL) + || (bn_wexpand(lambda, group_top + 2) == NULL)) + goto err; + + if (!BN_copy(k, scalar)) + goto err; + + BN_set_flags(k, BN_FLG_CONSTTIME); + + if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { + /*- + * this is an unusual input, and we don't guarantee + * constant-timeness + */ + if (!BN_nnmod(k, k, cardinality, ctx)) + goto err; + } + + if (!BN_add(lambda, k, cardinality)) + goto err; + BN_set_flags(lambda, BN_FLG_CONSTTIME); + if (!BN_add(k, lambda, cardinality)) + goto err; + /* + * lambda := scalar + cardinality + * k := scalar + 2*cardinality + */ + kbit = BN_is_bit_set(lambda, cardinality_bits); + BN_consttime_swap(kbit, k, lambda, group_top + 2); + + group_top = group->field.top; + if ((bn_wexpand(&s->X, group_top) == NULL) + || (bn_wexpand(&s->Y, group_top) == NULL) + || (bn_wexpand(&s->Z, group_top) == NULL) + || (bn_wexpand(&r->X, group_top) == NULL) + || (bn_wexpand(&r->Y, group_top) == NULL) + || (bn_wexpand(&r->Z, group_top) == NULL)) + goto err; + + /* top bit is a 1, in a fixed pos */ + if (!EC_POINT_copy(r, s)) + goto err; + + EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME); + + if (!EC_POINT_dbl(group, s, s, ctx)) + goto err; + + pbit = 0; + +#define EC_POINT_CSWAP(c, a, b, w, t) do { \ + BN_consttime_swap(c, &(a)->X, &(b)->X, w); \ + BN_consttime_swap(c, &(a)->Y, &(b)->Y, w); \ + BN_consttime_swap(c, &(a)->Z, &(b)->Z, w); \ + t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ + (a)->Z_is_one ^= (t); \ + (b)->Z_is_one ^= (t); \ +} while(0) + + /*- + * The ladder step, with branches, is + * + * k[i] == 0: S = add(R, S), R = dbl(R) + * k[i] == 1: R = add(S, R), S = dbl(S) + * + * Swapping R, S conditionally on k[i] leaves you with state + * + * k[i] == 0: T, U = R, S + * k[i] == 1: T, U = S, R + * + * Then perform the ECC ops. + * + * U = add(T, U) + * T = dbl(T) + * + * Which leaves you with state + * + * k[i] == 0: U = add(R, S), T = dbl(R) + * k[i] == 1: U = add(S, R), T = dbl(S) + * + * Swapping T, U conditionally on k[i] leaves you with state + * + * k[i] == 0: R, S = T, U + * k[i] == 1: R, S = U, T + * + * Which leaves you with state + * + * k[i] == 0: S = add(R, S), R = dbl(R) + * k[i] == 1: R = add(S, R), S = dbl(S) + * + * So we get the same logic, but instead of a branch it's a + * conditional swap, followed by ECC ops, then another conditional swap. + * + * Optimization: The end of iteration i and start of i-1 looks like + * + * ... + * CSWAP(k[i], R, S) + * ECC + * CSWAP(k[i], R, S) + * (next iteration) + * CSWAP(k[i-1], R, S) + * ECC + * CSWAP(k[i-1], R, S) + * ... + * + * So instead of two contiguous swaps, you can merge the condition + * bits and do a single swap. + * + * k[i] k[i-1] Outcome + * 0 0 No Swap + * 0 1 Swap + * 1 0 Swap + * 1 1 No Swap + * + * This is XOR. pbit tracks the previous bit of k. + */ + + for (i = cardinality_bits - 1; i >= 0; i--) { + kbit = BN_is_bit_set(k, i) ^ pbit; + EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); + if (!EC_POINT_add(group, s, r, s, ctx)) + goto err; + if (!EC_POINT_dbl(group, r, r, ctx)) + goto err; + /* + * pbit logic merges this cswap with that of the + * next iteration + */ + pbit ^= kbit; + } + /* one final cswap to move the right value into r */ + EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); +#undef EC_POINT_CSWAP + + ret = 1; + + err: + EC_POINT_free(s); + BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + + return ret; +} + +#undef EC_POINT_BN_set_flags + /* * TODO: table should be optimised for the wNAF-based implementation, * sometimes smaller windows will give better performance (thus the @@ -369,6 +587,34 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, return EC_POINT_set_to_infinity(group, r); } + if (!BN_is_zero(&group->order) && !BN_is_zero(&group->cofactor)) { + /*- + * Handle the common cases where the scalar is secret, enforcing a constant + * time scalar multiplication algorithm. + */ + if ((scalar != NULL) && (num == 0)) { + /*- + * In this case we want to compute scalar * GeneratorPoint: this + * codepath is reached most prominently by (ephemeral) key generation + * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH + * keygen/first half), where the scalar is always secret. This is why + * we ignore if BN_FLG_CONSTTIME is actually set and we always call the + * constant time version. + */ + return ec_mul_consttime(group, r, scalar, NULL, ctx); + } + if ((scalar == NULL) && (num == 1)) { + /*- + * In this case we want to compute scalar * GenericPoint: this codepath + * is reached most prominently by the second half of ECDH, where the + * secret scalar is multiplied by the peer's public point. To protect + * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and + * we always call the constant time version. + */ + return ec_mul_consttime(group, r, scalars[0], points[0], ctx); + } + } + for (i = 0; i < num; i++) { if (group->meth != points[i]->meth) { ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); diff --git a/thirdparty/openssl/crypto/ec/ecp_nistz256.c b/thirdparty/openssl/crypto/ec/ecp_nistz256.c index 9a53a39a25b..0579cac3a96 100644 --- a/thirdparty/openssl/crypto/ec/ecp_nistz256.c +++ b/thirdparty/openssl/crypto/ec/ecp_nistz256.c @@ -1118,23 +1118,32 @@ static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group, const P256_POINT_AFFINE *in, BN_CTX *ctx) { - BIGNUM x, y; - BN_ULONG d_x[P256_LIMBS], d_y[P256_LIMBS]; + BIGNUM x, y, z; int ret = 0; - memcpy(d_x, in->X, sizeof(d_x)); - x.d = d_x; + /* + * |const| qualifier omission is compensated by BN_FLG_STATIC_DATA + * flag, which effectively means "read-only data". + */ + x.d = (BN_ULONG *)in->X; x.dmax = x.top = P256_LIMBS; x.neg = 0; x.flags = BN_FLG_STATIC_DATA; - memcpy(d_y, in->Y, sizeof(d_y)); - y.d = d_y; + y.d = (BN_ULONG *)in->Y; y.dmax = y.top = P256_LIMBS; y.neg = 0; y.flags = BN_FLG_STATIC_DATA; - ret = EC_POINT_set_affine_coordinates_GFp(group, out, &x, &y, ctx); + z.d = (BN_ULONG *)ONE; + z.dmax = z.top = P256_LIMBS; + z.neg = 0; + z.flags = BN_FLG_STATIC_DATA; + + if ((ret = (BN_copy(&out->X, &x) != NULL)) + && (ret = (BN_copy(&out->Y, &y) != NULL)) + && (ret = (BN_copy(&out->Z, &z) != NULL))) + out->Z_is_one = 1; return ret; } diff --git a/thirdparty/openssl/crypto/ecdsa/ecs_ossl.c b/thirdparty/openssl/crypto/ecdsa/ecs_ossl.c index 16d4f59b9ba..63c18273fd8 100644 --- a/thirdparty/openssl/crypto/ecdsa/ecs_ossl.c +++ b/thirdparty/openssl/crypto/ecdsa/ecs_ossl.c @@ -3,7 +3,7 @@ * Written by Nils Larsch for the OpenSSL project */ /* ==================================================================== - * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -60,6 +60,7 @@ #include #include #include +#include "bn_int.h" static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, const BIGNUM *, const BIGNUM *, @@ -251,13 +252,14 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, EC_KEY *eckey) { int ok = 0, i; - BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL; + BIGNUM *kinv = NULL, *s, *m = NULL, *order = NULL; const BIGNUM *ckinv; BN_CTX *ctx = NULL; const EC_GROUP *group; ECDSA_SIG *ret; ECDSA_DATA *ecdsa; const BIGNUM *priv_key; + BN_MONT_CTX *mont_data; ecdsa = ecdsa_check(eckey); group = EC_KEY_get0_group(eckey); @@ -276,7 +278,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, s = ret->s; if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL || - (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { + (m = BN_new()) == NULL) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); goto err; } @@ -285,6 +287,8 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB); goto err; } + mont_data = EC_GROUP_get_mont_data(group); + i = BN_num_bits(order); /* * Need to truncate digest if it is too long: first truncate whole bytes. @@ -315,15 +319,27 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, } } - if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { + /* + * With only one multiplicant being in Montgomery domain + * multiplication yields real result without post-conversion. + * Also note that all operations but last are performed with + * zero-padded vectors. Last operation, BN_mod_mul_montgomery + * below, returns user-visible value with removed zero padding. + */ + if (!bn_to_mont_fixed_top(s, ret->r, mont_data, ctx) + || !bn_mul_mont_fixed_top(s, s, priv_key, mont_data, ctx)) { + goto err; + } + if (!bn_mod_add_fixed_top(s, s, m, order)) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; } - if (!BN_mod_add_quick(s, tmp, m, order)) { - ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); - goto err; - } - if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + /* + * |s| can still be larger than modulus, because |m| can be. In + * such case we count on Montgomery reduction to tie it up. + */ + if (!bn_to_mont_fixed_top(s, s, mont_data, ctx) + || !BN_mod_mul_montgomery(s, s, ckinv, mont_data, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; } @@ -353,8 +369,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, BN_CTX_free(ctx); if (m) BN_clear_free(m); - if (tmp) - BN_clear_free(tmp); if (order) BN_free(order); if (kinv) diff --git a/thirdparty/openssl/crypto/engine/eng_lib.c b/thirdparty/openssl/crypto/engine/eng_lib.c index dc2abd28ec6..e605b978ead 100644 --- a/thirdparty/openssl/crypto/engine/eng_lib.c +++ b/thirdparty/openssl/crypto/engine/eng_lib.c @@ -4,7 +4,7 @@ * 2000. */ /* ==================================================================== - * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -188,8 +188,10 @@ void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) if (!int_cleanup_check(1)) return; item = int_cleanup_item(cb); - if (item) - sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item); + if (item != NULL) { + if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0) + OPENSSL_free(item); + } } /* The API function that performs all cleanup */ diff --git a/thirdparty/openssl/crypto/engine/eng_list.c b/thirdparty/openssl/crypto/engine/eng_list.c index 83c95d56f46..5d7eee40852 100644 --- a/thirdparty/openssl/crypto/engine/eng_list.c +++ b/thirdparty/openssl/crypto/engine/eng_list.c @@ -4,7 +4,7 @@ * 2000. */ /* ==================================================================== - * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -62,6 +62,7 @@ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ +#include "cryptlib.h" #include "eng_int.h" /* @@ -369,10 +370,10 @@ ENGINE *ENGINE_by_id(const char *id) */ if (strcmp(id, "dynamic")) { # ifdef OPENSSL_SYS_VMS - if ((load_dir = getenv("OPENSSL_ENGINES")) == 0) + if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]"; # else - if ((load_dir = getenv("OPENSSL_ENGINES")) == 0) + if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR; # endif iterator = ENGINE_by_id("dynamic"); diff --git a/thirdparty/openssl/crypto/engine/tb_asnmth.c b/thirdparty/openssl/crypto/engine/tb_asnmth.c index a1a9b88c43c..04cb466eb3e 100644 --- a/thirdparty/openssl/crypto/engine/tb_asnmth.c +++ b/thirdparty/openssl/crypto/engine/tb_asnmth.c @@ -1,5 +1,5 @@ /* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -215,7 +215,7 @@ static void look_str_cb(int nid, STACK_OF(ENGINE) *sk, ENGINE *def, void *arg) ENGINE *e = sk_ENGINE_value(sk, i); EVP_PKEY_ASN1_METHOD *ameth; e->pkey_asn1_meths(e, &ameth, NULL, nid); - if (((int)strlen(ameth->pem_str) == lk->len) && + if (ameth != NULL && ((int)strlen(ameth->pem_str) == lk->len) && !strncasecmp(ameth->pem_str, lk->str, lk->len)) { lk->e = e; lk->ameth = ameth; diff --git a/thirdparty/openssl/crypto/getenv.c b/thirdparty/openssl/crypto/getenv.c new file mode 100644 index 00000000000..53f1dfd457a --- /dev/null +++ b/thirdparty/openssl/crypto/getenv.c @@ -0,0 +1,31 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef _GNU_SOURCE +# define _GNU_SOURCE +#endif + +#include +#include "cryptlib.h" + +char *ossl_safe_getenv(const char *name) +{ +#if defined(__GLIBC__) && defined(__GLIBC_PREREQ) +# if __GLIBC_PREREQ(2, 17) +# define SECURE_GETENV + return secure_getenv(name); +# endif +#endif + +#ifndef SECURE_GETENV + if (OPENSSL_issetugid()) + return NULL; + return getenv(name); +#endif +} diff --git a/thirdparty/openssl/crypto/o_time.c b/thirdparty/openssl/crypto/o_time.c index 61927439eaf..a763b2ce202 100755 --- a/thirdparty/openssl/crypto/o_time.c +++ b/thirdparty/openssl/crypto/o_time.c @@ -109,6 +109,10 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result) if (gmtime_r(timer, result) == NULL) return NULL; ts = result; +#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400 + if (gmtime_s(result, timer)) + return NULL; + ts = result; #elif !defined(OPENSSL_SYS_VMS) || defined(VMS_GMTIME_OK) ts = gmtime(timer); if (ts == NULL) diff --git a/thirdparty/openssl/crypto/pem/pem_lib.c b/thirdparty/openssl/crypto/pem/pem_lib.c index 4d5f053e468..4ccc676ed74 100644 --- a/thirdparty/openssl/crypto/pem/pem_lib.c +++ b/thirdparty/openssl/crypto/pem/pem_lib.c @@ -82,51 +82,39 @@ static int load_iv(char **fromp, unsigned char *to, int num); static int check_pem(const char *nm, const char *name); int pem_check_suffix(const char *pem_str, const char *suffix); -int PEM_def_callback(char *buf, int num, int w, void *key) +int PEM_def_callback(char *buf, int num, int rwflag, void *userdata) { -#ifdef OPENSSL_NO_FP_API - /* - * We should not ever call the default callback routine from windows. - */ - PEMerr(PEM_F_PEM_DEF_CALLBACK, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (-1); -#else - int i, j; + int i, min_len; const char *prompt; - if (key) { - i = strlen(key); + + /* We assume that the user passes a default password as userdata */ + if (userdata) { + i = strlen(userdata); i = (i > num) ? num : i; - memcpy(buf, key, i); - return (i); + memcpy(buf, userdata, i); + return i; } prompt = EVP_get_pw_prompt(); if (prompt == NULL) prompt = "Enter PEM pass phrase:"; - for (;;) { - /* - * We assume that w == 0 means decryption, - * while w == 1 means encryption - */ - int min_len = w ? MIN_LENGTH : 0; + /* + * rwflag == 0 means decryption + * rwflag == 1 means encryption + * + * We assume that for encryption, we want a minimum length, while for + * decryption, we cannot know any minimum length, so we assume zero. + */ + min_len = rwflag ? MIN_LENGTH : 0; - i = EVP_read_pw_string_min(buf, min_len, num, prompt, w); - if (i != 0) { - PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD); - memset(buf, 0, (unsigned int)num); - return (-1); - } - j = strlen(buf); - if (min_len && j < min_len) { - fprintf(stderr, - "phrase is too short, needs to be at least %d chars\n", - min_len); - } else - break; + i = EVP_read_pw_string_min(buf, min_len, num, prompt, rwflag); + if (i != 0) { + PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD); + memset(buf, 0, (unsigned int)num); + return -1; } - return (j); -#endif + return strlen(buf); } void PEM_proc_type(char *buf, int type) @@ -459,7 +447,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, klen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u); else klen = callback(buf, PEM_BUFSIZE, 0, u); - if (klen <= 0) { + if (klen < 0) { PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_PASSWORD_READ); return (0); } @@ -499,6 +487,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher) char **header_pp = &header; cipher->cipher = NULL; + memset(cipher->iv, 0, sizeof(cipher->iv)); if ((header == NULL) || (*header == '\0') || (*header == '\n')) return (1); if (strncmp(header, "Proc-Type: ", 11) != 0) { diff --git a/thirdparty/openssl/crypto/pem/pem_pk8.c b/thirdparty/openssl/crypto/pem/pem_pk8.c index daf210fde0f..ae18d26043e 100644 --- a/thirdparty/openssl/crypto/pem/pem_pk8.c +++ b/thirdparty/openssl/crypto/pem/pem_pk8.c @@ -171,7 +171,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, klen = cb(psbuf, PEM_BUFSIZE, 0, u); else klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); - if (klen <= 0) { + if (klen < 0) { PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ); X509_SIG_free(p8); return NULL; diff --git a/thirdparty/openssl/crypto/pem/pem_pkey.c b/thirdparty/openssl/crypto/pem/pem_pkey.c index e8b3a1b92c8..a189cd274c3 100644 --- a/thirdparty/openssl/crypto/pem/pem_pkey.c +++ b/thirdparty/openssl/crypto/pem/pem_pkey.c @@ -113,7 +113,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, klen = cb(psbuf, PEM_BUFSIZE, 0, u); else klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); - if (klen <= 0) { + if (klen < 0) { PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, PEM_R_BAD_PASSWORD_READ); X509_SIG_free(p8); goto err; diff --git a/thirdparty/openssl/crypto/pem/pvkfmt.c b/thirdparty/openssl/crypto/pem/pvkfmt.c index 1ce5a1e319c..f376f594b12 100644 --- a/thirdparty/openssl/crypto/pem/pvkfmt.c +++ b/thirdparty/openssl/crypto/pem/pvkfmt.c @@ -3,7 +3,7 @@ * 2005. */ /* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 2005-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -702,7 +702,7 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, inlen = cb(psbuf, PEM_BUFSIZE, 0, u); else inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); - if (inlen <= 0) { + if (inlen < 0) { PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ); goto err; } diff --git a/thirdparty/openssl/crypto/pkcs12/p12_asn.c b/thirdparty/openssl/crypto/pkcs12/p12_asn.c index 370ddbd6e77..78c7f40350d 100644 --- a/thirdparty/openssl/crypto/pkcs12/p12_asn.c +++ b/thirdparty/openssl/crypto/pkcs12/p12_asn.c @@ -4,7 +4,7 @@ * 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -100,7 +100,7 @@ ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ ASN1_ADB(PKCS12_SAFEBAG) = { ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)), ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)), - ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), + ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SEQUENCE_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)) diff --git a/thirdparty/openssl/crypto/pkcs12/p12_init.c b/thirdparty/openssl/crypto/pkcs12/p12_init.c index 0322df944a4..a074b94a0c5 100644 --- a/thirdparty/openssl/crypto/pkcs12/p12_init.c +++ b/thirdparty/openssl/crypto/pkcs12/p12_init.c @@ -4,7 +4,7 @@ * 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -70,7 +70,8 @@ PKCS12 *PKCS12_init(int mode) PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE); return NULL; } - ASN1_INTEGER_set(pkcs12->version, 3); + if (!ASN1_INTEGER_set(pkcs12->version, 3)) + goto err; pkcs12->authsafes->type = OBJ_nid2obj(mode); switch (mode) { case NID_pkcs7_data: diff --git a/thirdparty/openssl/crypto/pkcs7/pk7_lib.c b/thirdparty/openssl/crypto/pkcs7/pk7_lib.c index 0c5fcaa6aa2..866a863e54d 100644 --- a/thirdparty/openssl/crypto/pkcs7/pk7_lib.c +++ b/thirdparty/openssl/crypto/pkcs7/pk7_lib.c @@ -185,7 +185,6 @@ int PKCS7_set_type(PKCS7 *p7, int type) if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new()) == NULL) goto err; - ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1); if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1)) goto err; p7->d.signed_and_enveloped->enc_data->content_type diff --git a/thirdparty/openssl/crypto/rand/md_rand.c b/thirdparty/openssl/crypto/rand/md_rand.c index a7af9f9d867..2983a3fda48 100644 --- a/thirdparty/openssl/crypto/rand/md_rand.c +++ b/thirdparty/openssl/crypto/rand/md_rand.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -345,7 +345,6 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) static volatile int stirred_pool = 0; int i, j, k; size_t num_ceil, st_idx, st_num; - int ok; long md_c[2]; unsigned char local_md[MD_DIGEST_LENGTH]; EVP_MD_CTX m; @@ -400,14 +399,13 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) if (!initialized) { RAND_poll(); - initialized = 1; + initialized = (entropy >= ENTROPY_NEEDED); } if (!stirred_pool) do_stir_pool = 1; - ok = (entropy >= ENTROPY_NEEDED); - if (!ok) { + if (!initialized) { /* * If the PRNG state is not yet unpredictable, then seeing the PRNG * output may help attackers to determine the new state; thus we have @@ -446,7 +444,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) ssleay_rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0); n -= MD_DIGEST_LENGTH; } - if (ok) + if (initialized) stirred_pool = 1; } @@ -539,7 +537,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); EVP_MD_CTX_cleanup(&m); - if (ok) + if (initialized) return (1); else if (pseudo) return 0; @@ -555,6 +553,18 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) return (0); } +/* + * Returns ssleay_rand_bytes(), enforcing a reseeding from the + * system entropy sources using RAND_poll() before generating +`* the random bytes. + */ + +int ssleay_rand_bytes_from_system(unsigned char *buf, int num) +{ + initialized = 0; + return ssleay_rand_bytes(buf, num, 0, 0); +} + static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num) { return ssleay_rand_bytes(buf, num, 0, 1); @@ -600,10 +610,10 @@ static int ssleay_rand_status(void) if (!initialized) { RAND_poll(); - initialized = 1; + initialized = (entropy >= ENTROPY_NEEDED); } - ret = entropy >= ENTROPY_NEEDED; + ret = initialized; if (!do_not_lock) { /* before unlocking, we must clear 'crypto_lock_rand' */ diff --git a/thirdparty/openssl/crypto/rand/rand_lcl.h b/thirdparty/openssl/crypto/rand/rand_lcl.h index f9fda3eb89c..7b4dbcf5fb7 100644 --- a/thirdparty/openssl/crypto/rand/rand_lcl.h +++ b/thirdparty/openssl/crypto/rand/rand_lcl.h @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -154,5 +154,5 @@ # endif int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock); - +int ssleay_rand_bytes_from_system(unsigned char *buf, int num); #endif diff --git a/thirdparty/openssl/crypto/rand/rand_lib.c b/thirdparty/openssl/crypto/rand/rand_lib.c index 88a78d35065..6094c83e407 100644 --- a/thirdparty/openssl/crypto/rand/rand_lib.c +++ b/thirdparty/openssl/crypto/rand/rand_lib.c @@ -185,11 +185,29 @@ int RAND_status(void) /* * Entropy gatherer: use standard OpenSSL PRNG to seed (this will gather - * entropy internally through RAND_poll(). + * entropy internally through RAND_poll()). */ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len) +{ + /* Round up request to multiple of block size */ + min_len = ((min_len + 19) / 20) * 20; + *pout = OPENSSL_malloc(min_len); + if (!*pout) + return 0; + + /* Enforces a reseed of the SSLEAY PRNG before generating random bytes */ + if (ssleay_rand_bytes_from_system(*pout, min_len) <= 0) { + OPENSSL_free(*pout); + *pout = NULL; + return 0; + } + return min_len; +} + +static size_t drbg_get_nonce(DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) { /* Round up request to multiple of block size */ min_len = ((min_len + 19) / 20) * 20; @@ -281,7 +299,7 @@ int RAND_init_fips(void) FIPS_drbg_set_callbacks(dctx, drbg_get_entropy, drbg_free_entropy, 20, - drbg_get_entropy, drbg_free_entropy); + drbg_get_nonce, drbg_free_entropy); FIPS_drbg_set_rand_callbacks(dctx, drbg_get_adin, 0, drbg_rand_seed, drbg_rand_add); /* Personalisation string: a string followed by date time vector */ diff --git a/thirdparty/openssl/crypto/rand/randfile.c b/thirdparty/openssl/crypto/rand/randfile.c index 728fd0a721b..c93812cfb92 100644 --- a/thirdparty/openssl/crypto/rand/randfile.c +++ b/thirdparty/openssl/crypto/rand/randfile.c @@ -61,6 +61,7 @@ #include #include +#include "cryptlib.h" #include "e_os.h" #include #include @@ -327,14 +328,12 @@ const char *RAND_file_name(char *buf, size_t size) struct stat sb; #endif - if (OPENSSL_issetugid() == 0) - s = getenv("RANDFILE"); + s = ossl_safe_getenv("RANDFILE"); if (s != NULL && *s && strlen(s) + 1 < size) { if (BUF_strlcpy(buf, s, size) >= size) return NULL; } else { - if (OPENSSL_issetugid() == 0) - s = getenv("HOME"); + s = ossl_safe_getenv("HOME"); #ifdef DEFAULT_HOME if (s == NULL) { s = DEFAULT_HOME; diff --git a/thirdparty/openssl/crypto/rsa/rsa_eay.c b/thirdparty/openssl/crypto/rsa/rsa_eay.c index b147fff8bd6..be948a4cf8b 100644 --- a/thirdparty/openssl/crypto/rsa/rsa_eay.c +++ b/thirdparty/openssl/crypto/rsa/rsa_eay.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -114,6 +114,7 @@ #include #include #include +#include "bn_int.h" #ifndef RSA_NULL @@ -156,7 +157,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { BIGNUM *f, *ret; - int i, j, k, num = 0, r = -1; + int i, num = 0, r = -1; unsigned char *buf = NULL; BN_CTX *ctx = NULL; @@ -223,8 +224,8 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, } if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked - (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, + rsa->n, ctx)) goto err; if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, @@ -232,15 +233,10 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, goto err; /* - * put in leading 0 bytes if the number is less than the length of the - * modulus + * BN_bn2binpad puts in leading 0 bytes if the number is less than + * the length of the modulus. */ - j = BN_num_bytes(ret); - i = BN_bn2bin(ret, &(to[num - j])); - for (k = 0; k < (num - i); k++) - to[k] = 0; - - r = num; + r = bn_bn2binpad(ret, to, num); err: if (ctx != NULL) { BN_CTX_end(ctx); @@ -349,7 +345,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { BIGNUM *f, *ret, *res; - int i, j, k, num = 0, r = -1; + int i, num = 0, r = -1; unsigned char *buf = NULL; BN_CTX *ctx = NULL; int local_blinding = 0; @@ -436,8 +432,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, d = rsa->d; if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked - (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, + rsa->n, ctx)) goto err; if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, @@ -459,15 +455,10 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, res = ret; /* - * put in leading 0 bytes if the number is less than the length of the - * modulus + * BN_bn2binpad puts in leading 0 bytes if the number is less than + * the length of the modulus. */ - j = BN_num_bytes(res); - i = BN_bn2bin(res, &(to[num - j])); - for (k = 0; k < (num - i); k++) - to[k] = 0; - - r = num; + r = bn_bn2binpad(res, to, num); err: if (ctx != NULL) { BN_CTX_end(ctx); @@ -485,7 +476,6 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, { BIGNUM *f, *ret; int j, num = 0, r = -1; - unsigned char *p; unsigned char *buf = NULL; BN_CTX *ctx = NULL; int local_blinding = 0; @@ -564,8 +554,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, d = rsa->d; if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked - (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, + rsa->n, ctx)) goto err; if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) @@ -576,8 +566,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) goto err; - p = buf; - j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ + j = bn_bn2binpad(ret, buf, num); switch (padding) { case RSA_PKCS1_PADDING: @@ -592,7 +581,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, r = RSA_padding_check_SSLv23(to, num, buf, j, num); break; case RSA_NO_PADDING: - r = RSA_padding_check_none(to, num, buf, j, num); + memcpy(to, buf, (r = j)); break; default: RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); @@ -619,7 +608,6 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, { BIGNUM *f, *ret; int i, num = 0, r = -1; - unsigned char *p; unsigned char *buf = NULL; BN_CTX *ctx = NULL; @@ -672,8 +660,8 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, } if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked - (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, + rsa->n, ctx)) goto err; if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, @@ -684,8 +672,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, if (!BN_sub(ret, rsa->n, ret)) goto err; - p = buf; - i = BN_bn2bin(ret, p); + i = bn_bn2binpad(ret, buf, num); switch (padding) { case RSA_PKCS1_PADDING: @@ -695,7 +682,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, r = RSA_padding_check_X931(to, num, buf, i, num); break; case RSA_NO_PADDING: - r = RSA_padding_check_none(to, num, buf, i, num); + memcpy(to, buf, (r = i)); break; default: RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); @@ -721,7 +708,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) BIGNUM *r1, *m1, *vrfy; BIGNUM local_dmp1, local_dmq1, local_c, local_r1; BIGNUM *dmp1, *dmq1, *c, *pr1; - int ret = 0; + int ret = 0, smooth = 0; BN_CTX_start(ctx); r1 = BN_CTX_get(ctx); @@ -750,20 +737,64 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) } if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { - if (!BN_MONT_CTX_set_locked - (&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, + p, ctx)) goto err; - if (!BN_MONT_CTX_set_locked - (&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, + q, ctx)) goto err; + + smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont) + && (BN_num_bits(q) == BN_num_bits(p)); } } if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked - (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, + rsa->n, ctx)) goto err; + if (smooth) { + /* + * Conversion from Montgomery domain, a.k.a. Montgomery reduction, + * accepts values in [0-m*2^w) range. w is m's bit width rounded up + * to limb width. So that at the very least if |I| is fully reduced, + * i.e. less than p*q, we can count on from-to round to perform + * below modulo operations on |I|. Unlike BN_mod it's constant time. + */ + if (/* m1 = I moq q */ + !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx) + || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx) + /* m1 = m1^dmq1 mod q */ + || !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx, + rsa->_method_mod_q) + /* r1 = I mod p */ + || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx) + || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) + /* r1 = r1^dmp1 mod p */ + || !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx, + rsa->_method_mod_p) + /* r1 = (r1 - m1) mod p */ + /* + * bn_mod_sub_fixed_top is not regular modular subtraction, + * it can tolerate subtrahend to be larger than modulus, but + * not bit-wise wider. This makes up for uncommon q>p case, + * when |m1| can be larger than |rsa->p|. + */ + || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p) + + /* r1 = r1 * iqmp mod p */ + || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx) + || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, + ctx) + /* r0 = r1 * q + m1 */ + || !bn_mul_fixed_top(r0, r1, rsa->q, ctx) + || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n)) + goto err; + + goto tail; + } + /* compute I mod q */ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { c = &local_c; @@ -841,10 +872,18 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) if (!BN_add(r0, r1, m1)) goto err; + tail: if (rsa->e && rsa->n) { - if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, - rsa->_method_mod_n)) - goto err; + if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) { + if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx, + rsa->_method_mod_n)) + goto err; + } else { + bn_correct_top(r0); + if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, + rsa->_method_mod_n)) + goto err; + } /* * If 'I' was greater than (or equal to) rsa->n, the operation will * be equivalent to using 'I mod n'. However, the result of the @@ -853,6 +892,11 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) */ if (!BN_sub(vrfy, vrfy, I)) goto err; + if (BN_is_zero(vrfy)) { + bn_correct_top(r0); + ret = 1; + goto err; /* not actually error */ + } if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; if (BN_is_negative(vrfy)) @@ -878,6 +922,15 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) goto err; } } + /* + * It's unfortunate that we have to bn_correct_top(r0). What hopefully + * saves the day is that correction is highly unlike, and private key + * operations are customarily performed on blinded message. Which means + * that attacker won't observe correlation with chosen plaintext. + * Secondly, remaining code would still handle it in same computational + * time and even conceal memory access pattern around corrected top. + */ + bn_correct_top(r0); ret = 1; err: BN_CTX_end(ctx); diff --git a/thirdparty/openssl/crypto/rsa/rsa_gen.c b/thirdparty/openssl/crypto/rsa/rsa_gen.c index 9ca5dfefb70..42b89a8dfaa 100644 --- a/thirdparty/openssl/crypto/rsa/rsa_gen.c +++ b/thirdparty/openssl/crypto/rsa/rsa_gen.c @@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, if (BN_copy(rsa->e, e_value) == NULL) goto err; + BN_set_flags(rsa->p, BN_FLG_CONSTTIME); + BN_set_flags(rsa->q, BN_FLG_CONSTTIME); BN_set_flags(r2, BN_FLG_CONSTTIME); /* generate p and q */ for (;;) { diff --git a/thirdparty/openssl/crypto/rsa/rsa_oaep.c b/thirdparty/openssl/crypto/rsa/rsa_oaep.c index 9a01b4afc11..3fb8f6b33d4 100644 --- a/thirdparty/openssl/crypto/rsa/rsa_oaep.c +++ b/thirdparty/openssl/crypto/rsa/rsa_oaep.c @@ -120,7 +120,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, int plen, const EVP_MD *md, const EVP_MD *mgf1md) { - int i, dblen, mlen = -1, one_index = 0, msg_index; + int i, dblen = 0, mlen = -1, one_index = 0, msg_index; unsigned int good, found_one_byte; const unsigned char *maskedseed, *maskeddb; /* @@ -153,32 +153,41 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, dblen = num - mdlen - 1; db = OPENSSL_malloc(dblen); - em = OPENSSL_malloc(num); - if (db == NULL || em == NULL) { + if (db == NULL) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); goto cleanup; } - /* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ - memset(em, 0, num); - memcpy(em + num - flen, from, flen); + if (flen != num) { + em = OPENSSL_malloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + ERR_R_MALLOC_FAILURE); + goto cleanup; + } + + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ + memset(em, 0, num); + memcpy(em + num - flen, from, flen); + from = em; + } /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ - good = constant_time_is_zero(em[0]); + good = constant_time_is_zero(from[0]); - maskedseed = em + 1; - maskeddb = em + 1 + mdlen; + maskedseed = from + 1; + maskeddb = from + 1 + mdlen; if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) goto cleanup; diff --git a/thirdparty/openssl/crypto/rsa/rsa_pk1.c b/thirdparty/openssl/crypto/rsa/rsa_pk1.c index 50397c335a5..5d7882a3bfc 100644 --- a/thirdparty/openssl/crypto/rsa/rsa_pk1.c +++ b/thirdparty/openssl/crypto/rsa/rsa_pk1.c @@ -98,6 +98,27 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, const unsigned char *p; p = from; + + /* + * The format is + * 00 || 01 || PS || 00 || D + * PS - padding string, at least 8 bytes of FF + * D - data. + */ + + if (num < 11) + return -1; + + /* Accept inputs with and without the leading 0-byte. */ + if (num == flen) { + if ((*p++) != 0x00) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, + RSA_R_INVALID_PADDING); + return -1; + } + flen--; + } + if ((num != (flen + 1)) || (*(p++) != 01)) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSA_R_BLOCK_TYPE_IS_NOT_01); @@ -203,28 +224,31 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, if (num < 11) goto err; - em = OPENSSL_malloc(num); - if (em == NULL) { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); - return -1; + if (flen != num) { + em = OPENSSL_malloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); + return -1; + } + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ + memset(em, 0, num); + memcpy(em + num - flen, from, flen); + from = em; } - memset(em, 0, num); - /* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ - memcpy(em + num - flen, from, flen); - good = constant_time_is_zero(em[0]); - good &= constant_time_eq(em[1], 2); + good = constant_time_is_zero(from[0]); + good &= constant_time_eq(from[1], 2); found_zero_byte = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(em[i]); + unsigned int equals0 = constant_time_is_zero(from[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); @@ -232,7 +256,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, } /* - * PS must be at least 8 bytes long, and it starts two bytes into |em|. + * PS must be at least 8 bytes long, and it starts two bytes into |from|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -261,7 +285,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, goto err; } - memcpy(to, em + msg_index, mlen); + memcpy(to, from + msg_index, mlen); err: if (em != NULL) { diff --git a/thirdparty/openssl/crypto/rsa/rsa_sign.c b/thirdparty/openssl/crypto/rsa/rsa_sign.c index 82ca8324dfb..b7fff43530f 100644 --- a/thirdparty/openssl/crypto/rsa/rsa_sign.c +++ b/thirdparty/openssl/crypto/rsa/rsa_sign.c @@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, return 0; } #endif - if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) { + if ((rsa->meth->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) { return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); } /* Special case: SSL signature, just check the length */ @@ -293,7 +293,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) { - if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) { + if ((rsa->meth->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) { return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa); } diff --git a/thirdparty/openssl/crypto/rsa/rsa_ssl.c b/thirdparty/openssl/crypto/rsa/rsa_ssl.c index 746e01f64a9..831f75aaf43 100644 --- a/thirdparty/openssl/crypto/rsa/rsa_ssl.c +++ b/thirdparty/openssl/crypto/rsa/rsa_ssl.c @@ -112,6 +112,14 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); return (-1); } + /* Accept even zero-padded input */ + if (flen == num) { + if (*(p++) != 0) { + RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); + return -1; + } + flen--; + } if ((num != (flen + 1)) || (*(p++) != 02)) { RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); return (-1); diff --git a/thirdparty/openssl/crypto/ui/ui_openssl.c b/thirdparty/openssl/crypto/ui/ui_openssl.c index 8a43590319f..4b4eb81a5e6 100644 --- a/thirdparty/openssl/crypto/ui/ui_openssl.c +++ b/thirdparty/openssl/crypto/ui/ui_openssl.c @@ -4,7 +4,7 @@ * OpenSSL project 2001. */ /* ==================================================================== - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -509,6 +509,24 @@ static int open_console(UI *ui) is_a_tty = 0; else # endif +# ifdef ENXIO + /* + * Solaris can return ENXIO. + * This should be ok + */ + if (errno == ENXIO) + is_a_tty = 0; + else +# endif +# ifdef EIO + /* + * Linux can return EIO. + * This should be ok + */ + if (errno == EIO) + is_a_tty = 0; + else +# endif # ifdef ENODEV /* * MacOS X returns ENODEV (Operation not supported by device), @@ -567,17 +585,13 @@ static int echo_console(UI *ui) { #if defined(TTY_set) && !defined(OPENSSL_SYS_VMS) memcpy(&(tty_new), &(tty_orig), sizeof(tty_orig)); - tty_new.TTY_FLAGS |= ECHO; -#endif - -#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS) if (is_a_tty && (TTY_set(fileno(tty_in), &tty_new) == -1)) return 0; #endif #ifdef OPENSSL_SYS_VMS if (is_a_tty) { tty_new[0] = tty_orig[0]; - tty_new[1] = tty_orig[1] & ~TT$M_NOECHO; + tty_new[1] = tty_orig[1]; tty_new[2] = tty_orig[2]; status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12, 0, 0, 0, 0); diff --git a/thirdparty/openssl/crypto/x509/by_dir.c b/thirdparty/openssl/crypto/x509/by_dir.c index 6f0209a275e..92120763838 100644 --- a/thirdparty/openssl/crypto/x509/by_dir.c +++ b/thirdparty/openssl/crypto/x509/by_dir.c @@ -128,7 +128,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, switch (cmd) { case X509_L_ADD_DIR: if (argl == X509_FILETYPE_DEFAULT) { - dir = (char *)getenv(X509_get_default_cert_dir_env()); + dir = (char *)ossl_safe_getenv(X509_get_default_cert_dir_env()); if (dir) ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); else diff --git a/thirdparty/openssl/crypto/x509/by_file.c b/thirdparty/openssl/crypto/x509/by_file.c index 82ce4e8d87c..e6d0e6e1a64 100644 --- a/thirdparty/openssl/crypto/x509/by_file.c +++ b/thirdparty/openssl/crypto/x509/by_file.c @@ -97,7 +97,8 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, switch (cmd) { case X509_L_FILE_LOAD: if (argl == X509_FILETYPE_DEFAULT) { - file = getenv(X509_get_default_cert_file_env()); + file = ossl_safe_getenv(X509_get_default_cert_file_env()); + if (file) ok = (X509_load_cert_crl_file(ctx, file, X509_FILETYPE_PEM) != 0); diff --git a/thirdparty/openssl/crypto/x509/x509_cmp.c b/thirdparty/openssl/crypto/x509/x509_cmp.c index 49c71b91280..2d82f8fa8b2 100644 --- a/thirdparty/openssl/crypto/x509/x509_cmp.c +++ b/thirdparty/openssl/crypto/x509/x509_cmp.c @@ -219,7 +219,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) ret = a->canon_enclen - b->canon_enclen; - if (ret) + if (ret != 0 || a->canon_enclen == 0) return ret; return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); diff --git a/thirdparty/openssl/crypto/x509/x509_lu.c b/thirdparty/openssl/crypto/x509/x509_lu.c index b7424809fdb..3d18ea90beb 100644 --- a/thirdparty/openssl/crypto/x509/x509_lu.c +++ b/thirdparty/openssl/crypto/x509/x509_lu.c @@ -311,7 +311,11 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, X509_OBJECT stmp, *tmp; int i, j; + if (ctx == NULL) + return 0; + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); @@ -506,6 +510,10 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) STACK_OF(X509) *sk; X509 *x; X509_OBJECT *obj; + + if (ctx->ctx == NULL) + return NULL; + sk = sk_X509_new_null(); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); @@ -551,6 +559,11 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) STACK_OF(X509_CRL) *sk; X509_CRL *x; X509_OBJECT *obj, xobj; + + + if (ctx->ctx == NULL) + return NULL; + sk = sk_X509_CRL_new_null(); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); @@ -651,6 +664,9 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) } X509_OBJECT_free_contents(&obj); + if (ctx->ctx == NULL) + return 0; + /* Else find index of first cert accepted by 'check_issued' */ ret = 0; CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); diff --git a/thirdparty/openssl/crypto/x509/x509_vfy.c b/thirdparty/openssl/crypto/x509/x509_vfy.c index b1472018baf..da778d47b1c 100644 --- a/thirdparty/openssl/crypto/x509/x509_vfy.c +++ b/thirdparty/openssl/crypto/x509/x509_vfy.c @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include #include @@ -620,7 +621,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) * A hack to keep people who don't want to modify their software * happy */ - if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) + if (ossl_safe_getenv("OPENSSL_ALLOW_PROXY_CERTS")) allow_proxy_certs = 1; purpose = ctx->param->purpose; } @@ -693,10 +694,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) goto end; } } - /* Check pathlen if not self issued */ - if ((i > 1) && !(x->ex_flags & EXFLAG_SI) - && (x->ex_pathlen != -1) - && (plen > (x->ex_pathlen + proxy_path_length + 1))) { + /* Check pathlen */ + if ((i > 1) && (x->ex_pathlen != -1) + && (plen > (x->ex_pathlen + proxy_path_length))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; @@ -704,8 +704,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (!ok) goto end; } - /* Increment path length if not self issued */ - if (!(x->ex_flags & EXFLAG_SI)) + /* Increment path length if not a self issued intermediate CA */ + if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0) plen++; /* * If this certificate is a proxy certificate, the next certificate @@ -1937,119 +1937,67 @@ int X509_cmp_current_time(const ASN1_TIME *ctm) int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) { - char *str; - ASN1_TIME atm; - long offset; - char buff1[24], buff2[24], *p; - int i, j, remaining; + static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1; + static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1; + ASN1_TIME *asn1_cmp_time = NULL; + int i, day, sec, ret = 0; - p = buff1; - remaining = ctm->length; - str = (char *)ctm->data; /* - * Note that the following (historical) code allows much more slack in the - * time format than RFC5280. In RFC5280, the representation is fixed: + * Note that ASN.1 allows much more slack in the time format than RFC5280. + * In RFC5280, the representation is fixed: * UTCTime: YYMMDDHHMMSSZ * GeneralizedTime: YYYYMMDDHHMMSSZ + * + * We do NOT currently enforce the following RFC 5280 requirement: + * "CAs conforming to this profile MUST always encode certificate + * validity dates through the year 2049 as UTCTime; certificate validity + * dates in 2050 or later MUST be encoded as GeneralizedTime." */ - if (ctm->type == V_ASN1_UTCTIME) { - /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */ - int min_length = sizeof("YYMMDDHHMMZ") - 1; - int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1; - if (remaining < min_length || remaining > max_length) + switch (ctm->type) { + case V_ASN1_UTCTIME: + if (ctm->length != (int)(utctime_length)) return 0; - memcpy(p, str, 10); - p += 10; - str += 10; - remaining -= 10; - } else { - /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */ - int min_length = sizeof("YYYYMMDDHHMMZ") - 1; - int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1; - if (remaining < min_length || remaining > max_length) + break; + case V_ASN1_GENERALIZEDTIME: + if (ctm->length != (int)(generalizedtime_length)) return 0; - memcpy(p, str, 12); - p += 12; - str += 12; - remaining -= 12; - } - - if ((*str == 'Z') || (*str == '-') || (*str == '+')) { - *(p++) = '0'; - *(p++) = '0'; - } else { - /* SS (seconds) */ - if (remaining < 2) - return 0; - *(p++) = *(str++); - *(p++) = *(str++); - remaining -= 2; - /* - * Skip any (up to three) fractional seconds... - * TODO(emilia): in RFC5280, fractional seconds are forbidden. - * Can we just kill them altogether? - */ - if (remaining && *str == '.') { - str++; - remaining--; - for (i = 0; i < 3 && remaining; i++, str++, remaining--) { - if (*str < '0' || *str > '9') - break; - } - } - - } - *(p++) = 'Z'; - *(p++) = '\0'; - - /* We now need either a terminating 'Z' or an offset. */ - if (!remaining) + break; + default: return 0; - if (*str == 'Z') { - if (remaining != 1) - return 0; - offset = 0; - } else { - /* (+-)HHMM */ - if ((*str != '+') && (*str != '-')) - return 0; - /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */ - if (remaining != 5) - return 0; - if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' || - str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9') - return 0; - offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; - offset += (str[3] - '0') * 10 + (str[4] - '0'); - if (*str == '-') - offset = -offset; } - atm.type = ctm->type; - atm.flags = 0; - atm.length = sizeof(buff2); - atm.data = (unsigned char *)buff2; - if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL) + /** + * Verify the format: the ASN.1 functions we use below allow a more + * flexible format than what's mandated by RFC 5280. + * Digit and date ranges will be verified in the conversion methods. + */ + for (i = 0; i < ctm->length - 1; i++) { + if (!isdigit(ctm->data[i])) + return 0; + } + if (ctm->data[ctm->length - 1] != 'Z') return 0; - if (ctm->type == V_ASN1_UTCTIME) { - i = (buff1[0] - '0') * 10 + (buff1[1] - '0'); - if (i < 50) - i += 100; /* cf. RFC 2459 */ - j = (buff2[0] - '0') * 10 + (buff2[1] - '0'); - if (j < 50) - j += 100; + /* + * There is ASN1_UTCTIME_cmp_time_t but no + * ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t, + * so we go through ASN.1 + */ + asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time); + if (asn1_cmp_time == NULL) + goto err; + if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time)) + goto err; - if (i < j) - return -1; - if (i > j) - return 1; - } - i = strcmp(buff1, buff2); - if (i == 0) /* wait a second then return younger :-) */ - return -1; - else - return i; + /* + * X509_cmp_time comparison is <=. + * The return value 0 is reserved for errors. + */ + ret = (day >= 0 && sec >= 0) ? -1 : 1; + + err: + ASN1_TIME_free(asn1_cmp_time); + return ret; } ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) diff --git a/thirdparty/openssl/crypto/x509v3/v3_purp.c b/thirdparty/openssl/crypto/x509v3/v3_purp.c index 96e629a9301..6d3aa8f731d 100644 --- a/thirdparty/openssl/crypto/x509v3/v3_purp.c +++ b/thirdparty/openssl/crypto/x509v3/v3_purp.c @@ -4,7 +4,7 @@ * 2001. */ /* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -128,11 +128,10 @@ int X509_check_purpose(X509 *x, int id, int ca) { int idx; const X509_PURPOSE *pt; - if (!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(x); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - } + + x509v3_cache_extensions(x); + + /* Return if side-effect only call */ if (id == -1) return 1; idx = X509_PURPOSE_get_by_id(id); @@ -397,10 +396,14 @@ static void x509v3_cache_extensions(X509 *x) ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; - int i; - if (x->ex_flags & EXFLAG_SET) + + CRYPTO_w_lock(CRYPTO_LOCK_X509); + if (x->ex_flags & EXFLAG_SET) { + CRYPTO_w_unlock(CRYPTO_LOCK_X509); return; + } + #ifndef OPENSSL_NO_SHA X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); #endif @@ -536,6 +539,7 @@ static void x509v3_cache_extensions(X509 *x) } } x->ex_flags |= EXFLAG_SET; + CRYPTO_w_unlock(CRYPTO_LOCK_X509); } /*- @@ -578,11 +582,7 @@ static int check_ca(const X509 *x) int X509_check_ca(X509 *x) { - if (!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(x); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - } + x509v3_cache_extensions(x); return check_ca(x); } @@ -796,6 +796,7 @@ int X509_check_issued(X509 *issuer, X509 *subject) if (X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; + x509v3_cache_extensions(issuer); x509v3_cache_extensions(subject); diff --git a/thirdparty/openssl/openssl/asn1.h b/thirdparty/openssl/openssl/asn1.h index 35a2b2aa023..36e79d5ecd2 100644 --- a/thirdparty/openssl/openssl/asn1.h +++ b/thirdparty/openssl/openssl/asn1.h @@ -1164,6 +1164,7 @@ int SMIME_text(BIO *in, BIO *out); * The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ + void ERR_load_ASN1_strings(void); /* Error codes for the ASN1 functions. */ @@ -1264,7 +1265,10 @@ void ERR_load_ASN1_strings(void); # define ASN1_F_D2I_X509 156 # define ASN1_F_D2I_X509_CINF 157 # define ASN1_F_D2I_X509_PKEY 159 +# define ASN1_F_DO_BUF 221 # define ASN1_F_I2D_ASN1_BIO_STREAM 211 +# define ASN1_F_I2D_ASN1_BOOLEAN 223 +# define ASN1_F_I2D_ASN1_OBJECT 222 # define ASN1_F_I2D_ASN1_SET 188 # define ASN1_F_I2D_ASN1_TIME 160 # define ASN1_F_I2D_DSA_PUBKEY 161 @@ -1414,7 +1418,7 @@ void ERR_load_ASN1_strings(void); # define ASN1_R_WRONG_TAG 168 # define ASN1_R_WRONG_TYPE 169 -#ifdef __cplusplus +# ifdef __cplusplus } -#endif +# endif #endif diff --git a/thirdparty/openssl/openssl/bn.h b/thirdparty/openssl/openssl/bn.h index 633d1b1f601..d4b9f27bb39 100644 --- a/thirdparty/openssl/openssl/bn.h +++ b/thirdparty/openssl/openssl/bn.h @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -375,25 +375,76 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b); * on the size of the number */ /* - * number of Miller-Rabin iterations for an error rate of less than 2^-80 for - * random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of - * Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; - * original paper: Damgaard, Landrock, Pomerance: Average case error - * estimates for the strong probable prime test. -- Math. Comp. 61 (1993) - * 177-194) + * BN_prime_checks_for_size() returns the number of Miller-Rabin iterations + * that will be done for checking that a random number is probably prime. The + * error rate for accepting a composite number as prime depends on the size of + * the prime |b|. The error rates used are for calculating an RSA key with 2 primes, + * and so the level is what you would expect for a key of double the size of the + * prime. + * + * This table is generated using the algorithm of FIPS PUB 186-4 + * Digital Signature Standard (DSS), section F.1, page 117. + * (https://dx.doi.org/10.6028/NIST.FIPS.186-4) + * + * The following magma script was used to generate the output: + * securitybits:=125; + * k:=1024; + * for t:=1 to 65 do + * for M:=3 to Floor(2*Sqrt(k-1)-1) do + * S:=0; + * // Sum over m + * for m:=3 to M do + * s:=0; + * // Sum over j + * for j:=2 to m do + * s+:=(RealField(32)!2)^-(j+(k-1)/j); + * end for; + * S+:=2^(m-(m-1)*t)*s; + * end for; + * A:=2^(k-2-M*t); + * B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S; + * pkt:=2.00743*Log(2)*k*2^-k*(A+B); + * seclevel:=Floor(-Log(2,pkt)); + * if seclevel ge securitybits then + * printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M; + * break; + * end if; + * end for; + * if seclevel ge securitybits then break; end if; + * end for; + * + * It can be run online at: + * http://magma.maths.usyd.edu.au/calc + * + * And will output: + * k: 1024, security: 129 bits (t: 6, M: 23) + * + * k is the number of bits of the prime, securitybits is the level we want to + * reach. + * + * prime length | RSA key size | # MR tests | security level + * -------------+--------------|------------+--------------- + * (b) >= 6394 | >= 12788 | 3 | 256 bit + * (b) >= 3747 | >= 7494 | 3 | 192 bit + * (b) >= 1345 | >= 2690 | 4 | 128 bit + * (b) >= 1080 | >= 2160 | 5 | 128 bit + * (b) >= 852 | >= 1704 | 5 | 112 bit + * (b) >= 476 | >= 952 | 5 | 80 bit + * (b) >= 400 | >= 800 | 6 | 80 bit + * (b) >= 347 | >= 694 | 7 | 80 bit + * (b) >= 308 | >= 616 | 8 | 80 bit + * (b) >= 55 | >= 110 | 27 | 64 bit + * (b) >= 6 | >= 12 | 34 | 64 bit */ -# define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \ - (b) >= 850 ? 3 : \ - (b) >= 650 ? 4 : \ - (b) >= 550 ? 5 : \ - (b) >= 450 ? 6 : \ - (b) >= 400 ? 7 : \ - (b) >= 350 ? 8 : \ - (b) >= 300 ? 9 : \ - (b) >= 250 ? 12 : \ - (b) >= 200 ? 15 : \ - (b) >= 150 ? 18 : \ - /* b >= 100 */ 27) + +# define BN_prime_checks_for_size(b) ((b) >= 3747 ? 3 : \ + (b) >= 1345 ? 4 : \ + (b) >= 476 ? 5 : \ + (b) >= 400 ? 6 : \ + (b) >= 347 ? 7 : \ + (b) >= 308 ? 8 : \ + (b) >= 55 ? 27 : \ + /* b >= 6 */ 34) # define BN_num_bytes(a) ((BN_num_bits(a)+7)/8) @@ -773,6 +824,16 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */ /* We only need assert() when debugging */ # include +/* + * The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with + * bn_correct_top, in other words such vectors are permitted to have zeros + * in most significant limbs. Such vectors are used internally to achieve + * execution time invariance for critical operations with private keys. + * It's BN_DEBUG-only flag, because user application is not supposed to + * observe it anyway. Moreover, optimizing compiler would actually remove + * all operations manipulating the bit in question in non-BN_DEBUG build. + */ +# define BN_FLG_FIXED_TOP 0x10000 # ifdef BN_DEBUG_RAND /* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */ # ifndef RAND_pseudo_bytes @@ -805,8 +866,10 @@ int RAND_pseudo_bytes(unsigned char *buf, int num); do { \ const BIGNUM *_bnum2 = (a); \ if (_bnum2 != NULL) { \ - assert((_bnum2->top == 0) || \ - (_bnum2->d[_bnum2->top - 1] != 0)); \ + int _top = _bnum2->top; \ + assert((_top == 0) || \ + (_bnum2->flags & BN_FLG_FIXED_TOP) || \ + (_bnum2->d[_top - 1] != 0)); \ bn_pollute(_bnum2); \ } \ } while(0) @@ -824,6 +887,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num); # else /* !BN_DEBUG */ +# define BN_FLG_FIXED_TOP 0 # define bn_pollute(a) # define bn_check_top(a) # define bn_fix_top(a) bn_correct_top(a) diff --git a/thirdparty/openssl/openssl/dsa.h b/thirdparty/openssl/openssl/dsa.h index 545358fd02b..3e6984eabdf 100644 --- a/thirdparty/openssl/openssl/dsa.h +++ b/thirdparty/openssl/openssl/dsa.h @@ -249,10 +249,12 @@ int DSAparams_print_fp(FILE *fp, const DSA *x); int DSA_print_fp(FILE *bp, const DSA *x, int off); # endif -# define DSS_prime_checks 50 +# define DSS_prime_checks 64 /* - * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of - * Rabin-Miller + * Primality test according to FIPS PUB 186-4, Appendix C.3. Since we only + * have one value here we set the number of checks to 64 which is the 128 bit + * security level that is the highest level and valid for creating a 3072 bit + * DSA key. */ # define DSA_is_prime(n, callback, cb_arg) \ BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg) @@ -307,6 +309,7 @@ void ERR_load_DSA_strings(void); # define DSA_F_I2D_DSA_SIG 111 # define DSA_F_OLD_DSA_PRIV_DECODE 122 # define DSA_F_PKEY_DSA_CTRL 120 +# define DSA_F_PKEY_DSA_CTRL_STR 127 # define DSA_F_PKEY_DSA_KEYGEN 121 # define DSA_F_SIG_CB 114 diff --git a/thirdparty/openssl/openssl/opensslconf.h b/thirdparty/openssl/openssl/opensslconf.h index 19fad234234..9eebdbee410 100644 --- a/thirdparty/openssl/openssl/opensslconf.h +++ b/thirdparty/openssl/openssl/opensslconf.h @@ -67,6 +67,9 @@ extern "C" { #endif /* OPENSSL_DOING_MAKEDEPEND */ +#ifndef OPENSSL_THREADS +# define OPENSSL_THREADS +#endif #ifndef OPENSSL_NO_DYNAMIC_ENGINE # define OPENSSL_NO_DYNAMIC_ENGINE #endif diff --git a/thirdparty/openssl/openssl/opensslv.h b/thirdparty/openssl/openssl/opensslv.h index 77f124e2cb3..73d22b399a8 100644 --- a/thirdparty/openssl/openssl/opensslv.h +++ b/thirdparty/openssl/openssl/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x100020ffL +# define OPENSSL_VERSION_NUMBER 0x1000211fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2o-fips 27 Mar 2018" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2q-fips 20 Nov 2018" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2o 27 Mar 2018" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2q 20 Nov 2018" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/thirdparty/openssl/openssl/pem.h b/thirdparty/openssl/openssl/pem.h index aac72fb21ed..9c1d939a919 100644 --- a/thirdparty/openssl/openssl/pem.h +++ b/thirdparty/openssl/openssl/pem.h @@ -442,7 +442,8 @@ void PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt); int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen, EVP_PKEY *pkey); -int PEM_def_callback(char *buf, int num, int w, void *key); +/* The default pem_password_cb that's used internally */ +int PEM_def_callback(char *buf, int num, int rwflag, void *userdata); void PEM_proc_type(char *buf, int type); void PEM_dek_info(char *buf, const char *type, int len, char *str); diff --git a/thirdparty/openssl/openssl/ssl.h b/thirdparty/openssl/openssl/ssl.h index 3cf96a239ba..4bc1f4e60b8 100644 --- a/thirdparty/openssl/openssl/ssl.h +++ b/thirdparty/openssl/openssl/ssl.h @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -548,7 +548,7 @@ struct ssl_session_st { const SSL_CIPHER *cipher; unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used * to load the 'cipher' structure */ - STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ + STACK_OF(SSL_CIPHER) *ciphers; /* ciphers offered by the client */ CRYPTO_EX_DATA ex_data; /* application specific data */ /* * These are used to make removal of session-ids more efficient and to @@ -2149,7 +2149,7 @@ int SSL_get_fd(const SSL *s); int SSL_get_rfd(const SSL *s); int SSL_get_wfd(const SSL *s); const char *SSL_get_cipher_list(const SSL *s, int n); -char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len); +char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size); int SSL_get_read_ahead(const SSL *s); int SSL_pending(const SSL *s); # ifndef OPENSSL_NO_SOCK @@ -2954,6 +2954,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_KRB5_S_TKT_NYV 294 # define SSL_R_KRB5_S_TKT_SKEW 295 # define SSL_R_LENGTH_MISMATCH 159 +# define SSL_R_LENGTH_TOO_LONG 404 # define SSL_R_LENGTH_TOO_SHORT 160 # define SSL_R_LIBRARY_BUG 274 # define SSL_R_LIBRARY_HAS_NO_CIPHERS 161 diff --git a/thirdparty/openssl/ssl/d1_both.c b/thirdparty/openssl/ssl/d1_both.c index e6bc761e8bf..8888beddc0a 100644 --- a/thirdparty/openssl/ssl/d1_both.c +++ b/thirdparty/openssl/ssl/d1_both.c @@ -4,7 +4,7 @@ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. */ /* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -656,7 +656,8 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) al = dtls1_preprocess_fragment(s, &frag->msg_header, max); - if (al == 0) { /* no alert */ + /* al will be 0 if no alert */ + if (al == 0 && frag->msg_header.frag_len > 0) { unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; memcpy(&p[frag->msg_header.frag_off], frag->fragment, diff --git a/thirdparty/openssl/ssl/d1_pkt.c b/thirdparty/openssl/ssl/d1_pkt.c index f5deddf7706..23aa9dbce48 100644 --- a/thirdparty/openssl/ssl/d1_pkt.c +++ b/thirdparty/openssl/ssl/d1_pkt.c @@ -293,14 +293,12 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) return (-1); } - /* insert should not fail, since duplicates are dropped */ if (pqueue_insert(queue->q, item) == NULL) { - SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + /* Must be a duplicate so ignore it */ if (rdata->rbuf.buf != NULL) OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata); pitem_free(item); - return (-1); } return (1); diff --git a/thirdparty/openssl/ssl/s3_lib.c b/thirdparty/openssl/ssl/s3_lib.c index 7e27dae35b0..10c6db683b6 100644 --- a/thirdparty/openssl/ssl/s3_lib.c +++ b/thirdparty/openssl/ssl/s3_lib.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -4228,8 +4228,13 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) #ifndef OPENSSL_NO_ECDSA int have_ecdsa_sign = 0; #endif +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH) int nostrict = 1; +#endif +#if !defined(OPENSSL_NO_GOST) || !defined(OPENSSL_NO_DH) || \ + !defined(OPENSSL_NO_ECDH) unsigned long alg_k; +#endif /* If we have custom certificate types set, use them */ if (s->cert->ctypes) { @@ -4238,8 +4243,10 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) } /* get configured sigalgs */ siglen = tls12_get_psigalgs(s, 1, &sig); +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH) if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) nostrict = 0; +#endif for (i = 0; i < siglen; i += 2, sig += 2) { switch (sig[1]) { case TLSEXT_signature_rsa: @@ -4257,7 +4264,10 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) } } +#if !defined(OPENSSL_NO_GOST) || !defined(OPENSSL_NO_DH) || \ + !defined(OPENSSL_NO_ECDH) alg_k = s->s3->tmp.new_cipher->algorithm_mkey; +#endif #ifndef OPENSSL_NO_GOST if (s->version >= TLS1_VERSION) { diff --git a/thirdparty/openssl/ssl/s3_srvr.c b/thirdparty/openssl/ssl/s3_srvr.c index 96d973cd02b..70340181bf9 100644 --- a/thirdparty/openssl/ssl/s3_srvr.c +++ b/thirdparty/openssl/ssl/s3_srvr.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1959,11 +1959,12 @@ int ssl3_send_server_key_exchange(SSL *s) #ifndef OPENSSL_NO_PSK if (type & SSL_kPSK) { + size_t len = strlen(s->ctx->psk_identity_hint); + /* copy PSK identity hint */ - s2n(strlen(s->ctx->psk_identity_hint), p); - strncpy((char *)p, s->ctx->psk_identity_hint, - strlen(s->ctx->psk_identity_hint)); - p += strlen(s->ctx->psk_identity_hint); + s2n(len, p); + memcpy(p, s->ctx->psk_identity_hint, len); + p += len; } #endif @@ -2090,6 +2091,11 @@ int ssl3_send_certificate_request(SSL *s) if (SSL_USE_SIGALGS(s)) { const unsigned char *psigs; nl = tls12_get_psigalgs(s, 1, &psigs); + if (nl > SSL_MAX_2_BYTE_LEN) { + SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, + SSL_R_LENGTH_TOO_LONG); + goto err; + } s2n(nl, p); memcpy(p, psigs, nl); p += nl; @@ -2106,6 +2112,11 @@ int ssl3_send_certificate_request(SSL *s) for (i = 0; i < sk_X509_NAME_num(sk); i++) { name = sk_X509_NAME_value(sk, i); j = i2d_X509_NAME(name, NULL); + if (j > SSL_MAX_2_BYTE_LEN) { + SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, + SSL_R_LENGTH_TOO_LONG); + goto err; + } if (!BUF_MEM_grow_clean (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) { SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, @@ -2127,6 +2138,11 @@ int ssl3_send_certificate_request(SSL *s) n += j; nl += j; } + if (nl > SSL_MAX_2_BYTE_LEN) { + SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, + SSL_R_LENGTH_TOO_LONG); + goto err; + } } } /* else no CA names */ diff --git a/thirdparty/openssl/ssl/ssl_ciph.c b/thirdparty/openssl/ssl/ssl_ciph.c index ccdf00fa1b3..58dcddfddc2 100644 --- a/thirdparty/openssl/ssl/ssl_ciph.c +++ b/thirdparty/openssl/ssl/ssl_ciph.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1406,11 +1406,17 @@ static int ssl_cipher_process_rulestr(const char *rule_str, static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, const char **prule_str) { - unsigned int suiteb_flags = 0, suiteb_comb2 = 0; + unsigned int suiteb_flags = 0; +# ifndef OPENSSL_NO_ECDH + unsigned int suiteb_comb2 = 0; +#endif + if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) { suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY; } else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) { +# ifndef OPENSSL_NO_ECDH suiteb_comb2 = 1; +# endif suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; } else if (strncmp(*prule_str, "SUITEB128", 9) == 0) { suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; diff --git a/thirdparty/openssl/ssl/ssl_lib.c b/thirdparty/openssl/ssl/ssl_lib.c index 3a6c1b14d4a..cfcfe76b9ce 100644 --- a/thirdparty/openssl/ssl/ssl_lib.c +++ b/thirdparty/openssl/ssl/ssl_lib.c @@ -58,7 +58,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1404,28 +1404,37 @@ int SSL_set_cipher_list(SSL *s, const char *str) } /* works well for SSLv2, not so good for SSLv3 */ -char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) +char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) { char *p; - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *clntsk, *srvrsk; SSL_CIPHER *c; int i; - if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2)) - return (NULL); - - p = buf; - sk = s->session->ciphers; - - if (sk_SSL_CIPHER_num(sk) == 0) + if (!s->server + || s->session == NULL + || s->session->ciphers == NULL + || size < 2) return NULL; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { + p = buf; + clntsk = s->session->ciphers; + srvrsk = SSL_get_ciphers(s); + if (clntsk == NULL || srvrsk == NULL) + return NULL; + + if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0) + return NULL; + + for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) { int n; - c = sk_SSL_CIPHER_value(sk, i); + c = sk_SSL_CIPHER_value(clntsk, i); + if (sk_SSL_CIPHER_find(srvrsk, c) < 0) + continue; + n = strlen(c->name); - if (n + 1 > len) { + if (n + 1 > size) { if (p != buf) --p; *p = '\0'; @@ -1434,7 +1443,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) strcpy(p, c->name); p += n; *(p++) = ':'; - len -= n + 1; + size -= n + 1; } p[-1] = '\0'; return (buf); @@ -2250,10 +2259,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) int rsa_tmp_export, dh_tmp_export, kl; unsigned long mask_k, mask_a, emask_k, emask_a; #ifndef OPENSSL_NO_ECDSA - int have_ecc_cert, ecdsa_ok, ecc_pkey_size; + int have_ecc_cert, ecdsa_ok; #endif #ifndef OPENSSL_NO_ECDH - int have_ecdh_tmp, ecdh_ok; + int have_ecdh_tmp, ecdh_ok, ecc_pkey_size; #endif #ifndef OPENSSL_NO_EC X509 *x = NULL; @@ -2396,7 +2405,9 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) if (!(cpk->valid_flags & CERT_PKEY_SIGN)) ecdsa_ok = 0; ecc_pkey = X509_get_pubkey(x); +# ifndef OPENSSL_NO_ECDH ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0; +# endif EVP_PKEY_free(ecc_pkey); if ((x->sig_alg) && (x->sig_alg->algorithm)) { signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); @@ -2458,7 +2469,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) -#ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECDH int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { diff --git a/thirdparty/openssl/ssl/ssl_locl.h b/thirdparty/openssl/ssl/ssl_locl.h index aeffc006347..43789ad757d 100644 --- a/thirdparty/openssl/ssl/ssl_locl.h +++ b/thirdparty/openssl/ssl/ssl_locl.h @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -259,6 +259,8 @@ c[1]=(unsigned char)(((l)>> 8)&0xff), \ c[2]=(unsigned char)(((l) )&0xff)),c+=3) +# define SSL_MAX_2_BYTE_LEN (0xffff) + /* LOCAL STUFF */ # define SSL_DECRYPT 0 diff --git a/thirdparty/openssl/ssl/t1_lib.c b/thirdparty/openssl/ssl/t1_lib.c index 75c2f4154df..55f918d1085 100644 --- a/thirdparty/openssl/ssl/t1_lib.c +++ b/thirdparty/openssl/ssl/t1_lib.c @@ -500,7 +500,11 @@ static int tls1_get_curvelist(SSL *s, int sess, } else # endif { - if (!s->server || s->cert->ecdh_tmp_auto) { + if (!s->server +# ifndef OPENSSL_NO_ECDH + || s->cert->ecdh_tmp_auto +# endif + ) { *pcurves = eccurves_auto; pcurveslen = sizeof(eccurves_auto); } else { @@ -2408,8 +2412,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, goto err; if (!tls1_save_sigalgs(s, data, dsize)) goto err; - } else if (type == TLSEXT_TYPE_status_request) { - + } else if (type == TLSEXT_TYPE_status_request && !s->hit) { if (size < 5) goto err; @@ -3166,7 +3169,7 @@ int tls1_set_server_sigalgs(SSL *s) if (!s->cert->shared_sigalgs) { SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS); - al = SSL_AD_ILLEGAL_PARAMETER; + al = SSL_AD_HANDSHAKE_FAILURE; goto err; } } else diff --git a/thirdparty/openssl/ssl/t1_trce.c b/thirdparty/openssl/ssl/t1_trce.c index dc62df8f94c..3e6194a5356 100644 --- a/thirdparty/openssl/ssl/t1_trce.c +++ b/thirdparty/openssl/ssl/t1_trce.c @@ -4,7 +4,7 @@ * project. */ /* ==================================================================== - * Copyright (c) 2012 The OpenSSL Project. All rights reserved. + * Copyright (c) 2012-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -645,6 +645,8 @@ static int ssl_print_extensions(BIO *bio, int indent, int server, BIO_puts(bio, "No Extensions\n"); return 1; } + if (msglen < 2) + return 0; extslen = (msg[0] << 8) | msg[1]; if (extslen != msglen - 2) return 0; @@ -1021,6 +1023,8 @@ static int ssl_print_cert_request(BIO *bio, int indent, SSL *s, msglen -= xlen + 2; skip_sig: + if (msglen < 2) + return 0; xlen = (msg[0] << 8) | msg[1]; BIO_indent(bio, indent, 80); if (msglen < xlen + 2) @@ -1209,7 +1213,15 @@ void SSL_trace(int write_p, int version, int content_type, switch (content_type) { case SSL3_RT_HEADER: { - int hvers = msg[1] << 8 | msg[2]; + int hvers; + + /* avoid overlapping with length at the end of buffer */ + if (msglen < (SSL_IS_DTLS(ssl) ? 13 : 5)) { + BIO_puts(bio, write_p ? "Sent" : "Received"); + ssl_print_hex(bio, 0, " too short message", msg, msglen); + break; + } + hvers = msg[1] << 8 | msg[2]; BIO_puts(bio, write_p ? "Sent" : "Received"); BIO_printf(bio, " Record\nHeader:\n Version = %s (0x%x)\n", ssl_trace_str(hvers, ssl_version_tbl), hvers);