Bernd Edlinger [Mon, 13 Feb 2023 16:46:41 +0000 (17:46 +0100)]
Alternative fix for CVE-2022-4304
This is about a timing leak in the topmost limb
of the internal result of RSA_private_decrypt,
before the padding check.
There are in fact at least three bugs together that
caused the timing leak:
First and probably most important is the fact that
the blinding did not use the constant time code path
at all when the RSA object was used for a private
decrypt, due to the fact that the Montgomery context
rsa->_method_mod_n was not set up early enough in
rsa_ossl_private_decrypt, when BN_BLINDING_create_param
needed it, and that was persisted as blinding->m_ctx,
although the RSA object creates the Montgomery context
just a bit later.
Then the infamous bn_correct_top was used on the
secret value right after the blinding was removed.
And finally the function BN_bn2binpad did not use
the constant-time code path since the BN_FLG_CONSTTIME
was not set on the secret value.
In order to address the first problem, this patch
makes sure that the rsa->_method_mod_n is initialized
right before the blinding context.
And to fix the second problem, we add a new utility
function bn_correct_top_consttime, a const-time
variant of bn_correct_top.
Together with the fact, that BN_bn2binpad is already
constant time if the flag BN_FLG_CONSTTIME is set,
this should eliminate the timing oracle completely.
In addition the no-asm variant may also have
branches that depend on secret values, because the last
invocation of bn_sub_words in bn_from_montgomery_word
had branches when the function is compiled by certain
gcc compiler versions, due to the clumsy coding style.
So additionally this patch stream-lined the no-asm
C-code in order to avoid branches where possible and
improve the resulting code quality.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20281)
Function EVP_PKEY_get_bn_param() uses temporary buffer (on stack or
heap allocated) to store serialized bignum, but after deserializing it
into BIGNUM*, the buffer is not erased and may contain sensitive data.
This change makes sure the buffer is erased if it was successfully
filled before. Unfortunately, it does not distinguish between public and
private key components, and will always erase the buffer.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20639)
Matt Caswell [Fri, 31 Mar 2023 09:35:32 +0000 (10:35 +0100)]
Don't call OPENSSL_init_crypto from inside a RUN_ONCE
Calling OPENSSL_init_crypto from inside a RUN_ONCE seems like a bad idea.
This is especially bad if OPENSSL_init_crypto can recursively end up
attempting to call the RUN_ONCE that we're already inside.
The initialisation in OPENSSL_init_crypto is already "run once" protected.
There is no need to protect it "twice".
Fixes #20653
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20662)
Matt Caswell [Wed, 29 Mar 2023 15:25:00 +0000 (16:25 +0100)]
Make sure we can query the SSL object for version info when using QUIC
We have the existing functions SSL_version(), SSL_get_version() and
SSL_is_dtls(). We extend the first two to return something sensible when
using QUIC. We additionally provide the new functions SSL_is_tls() and
SSL_is_quic() to provide a mechanism to figure out what protocol we are
using.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20650)
slontis [Wed, 22 Feb 2023 04:16:05 +0000 (14:16 +1000)]
FFC cleanups
Discovered during coverage testing.
Remove unneccesary check when using ossl_dh_get0_params() and
ossl_dsa_get0_params(). These point to addresses and can not fail
for any existing calls.
Make dsa keygen tests only available in the FIPS module - as they are
not used in the default provider.
Change ossl_ffc_set_digest() to return void as it cannot fail.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20359)
Tomas Mraz [Fri, 31 Mar 2023 13:46:15 +0000 (15:46 +0200)]
Avoid calling into provider with the same iv_len or key_len
Fixes #20625
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20664)
slontis [Tue, 21 Mar 2023 05:52:34 +0000 (15:52 +1000)]
Make DSA_sign() test for negative p,q,g values.
Related to #20268
DSA_sign() assumes that the signature passed in is related to DSA_size().
If q is negative then DSA_size() actually fails and returns 0.
A test that tries to allocate the signature buffer using DSA_size() and then
pass it to DSA_sign() will then either.
(1) Have a signature buffer of NULL. In this case it was leaking data
returned via i2d_DSA_SIG.
(2) Cause a seg fault because we created a buffer that was not large
enough to hold the signature. As it already checked zero we also now
check for negative values also.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20553)
afshinpir [Wed, 29 Mar 2023 22:26:44 +0000 (11:26 +1300)]
Incorrect null pointer check
CLA: trivial
There is an incorrect null pointer check and this ccommit resolves it.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20646)
slontis [Tue, 21 Mar 2023 06:06:06 +0000 (16:06 +1000)]
Fix mem leak in ECDSA_sign().
Similiar to the issue found in PR #20553 for DSA_sign().
ECDSA_sign() leaked memory if the signature was NULL
when i2d_ECDSA_SIG was called.
Note that this does not affect the higher level EVP
functions as they correctly handle NULL.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20554)
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20645)
/dev/crypto: Suppress warning when open /dev/crypto fails with ENXIO.
On NetBSD the device node is essentially always present, but these
days it's mostly not useful except for testing the kernel crypto
stack since the cost of CPU crypto has gone down much faster than the
cost of I/O to external crypto engines. So on most systems it is
disabled in a way that makes open fail with ENXIO. NetBSD has had
this warning for ENXIO patched away for years.
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20636)
Matt Caswell [Tue, 28 Mar 2023 15:25:22 +0000 (16:25 +0100)]
Add a test for an app data record appearing before epoch change in DTLS
We had a test for a handshake record appearing before epoch change, and
a test for an app data record appearing before Finished - but not one for
the app data record appearing before epoch change.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20628)
Matt Caswell [Mon, 27 Mar 2023 14:59:41 +0000 (15:59 +0100)]
Handle app data records from the next epoch
It is possible that DTLS records are received out of order such that
records from the next epoch arrive before we have finished processing the
current epoch. We are supposed to buffer such records but for some reason
we only did that for handshake and alert records. This is incorrect since
it is perfectly possible for app data records to arrive early too.
Fixes #20597
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20628)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20629)
Matt Caswell [Thu, 16 Mar 2023 15:08:04 +0000 (15:08 +0000)]
Add a new advanced command mode to s_client
The s_client command mode just looks at the first letter on a line
and if it is one that maps to a "command" then that command is executed
and everything else on the line is ignored.
This means it is impossible to send anything over s_client that starts with
one of the "magic" letters unless you switch off command processing
entirely.
With the forthcoming quic support that will be added to s_client we expect
a significant new number of commands being added (for example to send fin
on a stream, or to list or swap between different streams, etc). This will
use up more "letters" and reduces the usability of s_client.
This PR adds a new "advanced" command processing mode. Commands are enclosed
in braces {}, and can appear anywhere in the text typed into s_client. A
brace can be escaped by sending a double {{. This gives much more
flexibility without reducing the usability of s_client. Commands can also
have "arguments" which also extends the scope of what they can be used for.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20566)
Michael Baentsch [Sat, 25 Mar 2023 12:06:46 +0000 (13:06 +0100)]
remove DSA512 from speed testing
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20603)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20620)
doc: add HOWTO document about Documenting public Functions and Macros
Co-authored-by: Matthias St. Pierre <matthias.st.pierre@ncp-e.com> Co-authored-by: Tomáš Mráz <tm@t8m.info> Co-authored-by: Lin2Jing4 <35728132+Lin2Jing4@users.noreply.github.com> Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17926)
Pauli [Thu, 16 Mar 2023 03:12:09 +0000 (14:12 +1100)]
DRBG: restrict the digests that can be used with HMAC and Hash DRBGs.
According to FIP 140-3 IG D.R: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
Outside of FIPS, there remains no restriction other than not allowing
XOF digests.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)
Todd Short [Wed, 27 Jan 2021 19:23:33 +0000 (14:23 -0500)]
RFC7250 (RPK) support
Add support for the RFC7250 certificate-type extensions.
Alows the use of only private keys for connection (i.e. certs not needed).
Add APIs
Add unit tests
Add documentation
Add s_client/s_server support
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18185)
Tomas Mraz [Tue, 21 Mar 2023 15:15:47 +0000 (16:15 +0100)]
Fix documentation of X509_VERIFY_PARAM_add0_policy()
The function was incorrectly documented as enabling policy checking.
Fixes: CVE-2023-0466 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20561)
Matt Caswell [Thu, 23 Mar 2023 15:31:25 +0000 (15:31 +0000)]
Updated CHANGES.md and NEWS.md for CVE-2023-0465
Also updated the entries for CVE-2023-0464
Related-to: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)
Matt Caswell [Tue, 7 Mar 2023 17:07:57 +0000 (17:07 +0000)]
Add a Certificate Policies Test
Test that a valid certificate policy is accepted and that an invalid
certificate policy is rejected. Specifically we are checking that a
leaf certificate with an invalid policy is detected.
Related-to: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)
Matt Caswell [Tue, 7 Mar 2023 16:52:55 +0000 (16:52 +0000)]
Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.
Fixes: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)
Matt Caswell [Tue, 7 Mar 2023 15:22:40 +0000 (15:22 +0000)]
Generate some certificates with the certificatePolicies extension
Related-to: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)
afshinpir [Wed, 22 Mar 2023 23:25:45 +0000 (12:25 +1300)]
`EVP_PKEY_CTX_dup` segmentation fault fix
CLA: trivial
The the provider, context duplication method for signature, key
exchange, asymmetric cipher, and key encapsulation is optional. But if
they are missing, we will get a segmentation fault in `EVP_PKEY_CTX_dup`
because they are called without null pointer checking.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20581)
Tomas Mraz [Tue, 21 Mar 2023 14:31:15 +0000 (15:31 +0100)]
Avoid duplication of OPENSSL_armcap_P on 32bit ARM
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20558)
Tomas Mraz [Tue, 21 Mar 2023 14:05:47 +0000 (15:05 +0100)]
Print the duplicate symbols found in test
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20558)
apps/lib/http_server.c: improve diagnostics, e.g., on port number already in use
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19947)
80-test_cmp_http.t: fix server port and confusion client vs. server config
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19947)
CMP add: fix -reqin option, which requires adding OSSL_CMP_MSG_update_recipNonce()
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)
apps/cmp.c: make sure that last -reqin argument is actually used
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)
CMP app: improve doc and help output on -{req,rsp}{in,out} options
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)
Michael Baentsch [Mon, 13 Mar 2023 13:27:01 +0000 (14:27 +0100)]
Update the EVP_PKEY_get_id documentation
The documentation didn't mention the development where EVP_PKEY_get_id()
returns a negative value for provider-only implementations, and the
migration guide didn't mention how to cope with that.
Fixes #20497
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20501)
Peter Kaestle [Thu, 16 Feb 2023 14:02:46 +0000 (15:02 +0100)]
tls1_set_groups_list: freeing *pext before overwriting
calling SSL_CTX_set1_groups_list() twice on one SSL_CTX* caused a memory
leak visible in valgrind:
4 bytes in 1 blocks are definitely lost in loss record 1 of 1
at 0x4841888: malloc (vg_replace_malloc.c:381)
by 0x4B1EE96: CRYPTO_memdup (in libcrypto.so.3)
by 0x48993A0: tls1_set_groups_list (in libssl.so.3)
by 0x487AA7E: ssl3_ctx_ctrl (in libssl.so.3)
by 0x1091EA: main (mem_leak.c:10)
LEAK SUMMARY:
definitely lost: 4 bytes in 1 blocks
Freeing *pext to fix it.
CLA: trivial
Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20317)
Tomas Mraz [Tue, 21 Mar 2023 10:36:56 +0000 (11:36 +0100)]
OBJ_nid2obj(): Return UNDEF object instead of NULL for NID_undef
Fixes a regression from 3.0 from the obj creation refactoring.
Fixes #20555
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20556)
Georgi Valkov [Tue, 21 Mar 2023 10:49:23 +0000 (12:49 +0200)]
VC++ 2010 x86 compilers do not have InterlockedOr64
The changes from the following commit should also apply to
Visual Studio 2010
https://github.com/openssl/openssl/commit/2d46a44ff24173d2cf5ea2196360cb79470d49c7#r104867505
Fixes build errors: undefined symbol InterlockedOr64
on Windows 2003, Visual Studio 2010 for x86 target.
CLA: trivial
Signed-off-by: Georgi Valkov <gvalkov@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20557)
Evan Miller [Sat, 18 Mar 2023 15:03:22 +0000 (11:03 -0400)]
Do not build P10-specific AES-GCM assembler on macOS
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20543)
Pauli [Wed, 8 Mar 2023 04:28:20 +0000 (15:28 +1100)]
x509: excessive resource use verifying policy constraints
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
Fixes CVE-2023-0464
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20571)
VeronikaNguyen [Fri, 10 Mar 2023 22:13:46 +0000 (23:13 +0100)]
Added `CERTIFICATE_VERIFY_MAX_LENGTH` constant
- Set `CERTIFICATE_VERIFY_MAX_LENGTH` to 65539
(2 bytes for the algorithm identifier + 2 bytes of signature length
+ 65535 bytes of signature)
- Changed `SSL3_RT_MAX_PLAIN_LENGTH` to `CERTIFICATE_VERIFY_MAX_LENGTH`
in `statem_srvr.c` and `statem_clnt.c`
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20486)
Milan Broz [Fri, 17 Mar 2023 08:02:21 +0000 (09:02 +0100)]
Add Argon2 KDF demo.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20531)
FdaSilvaYY [Fri, 10 Mar 2023 14:16:01 +0000 (15:16 +0100)]
cmp: fix --strict-warnings windows builds
remove unneeded const qualifier to keep method declaration
and definition in sync.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/20436)
projects / thirdparty / openssl.git / log
