Commit Graph

9836 Commits

Author SHA1 Message Date
Matt Caswell
2167239aba Use lowercase for internal SM2 symbols
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:56 +01:00
Matt Caswell
245be5304d More more on SM2 error codes and tidy up
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:56 +01:00
Matt Caswell
e14d6cf691 Improve use of the test framework in the SM2 internal tests
Also general clean up of those tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:56 +01:00
Matt Caswell
44d3845d89 Further work on SM2 error codes
Also does some reformatting to tidy things up

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:40 +01:00
Jack Lloyd
2398404e00 Set SM2 error codes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:40 +01:00
Jack Lloyd
e425f90fff Make SM2 functions private
Address issue #5670

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:40 +01:00
Andy Polyakov
c4d9ef4cc5 sha/asm/sha512p8-ppc.pl: improve POWER9 performance by ~10%.
Biggest part, ~7%, of improvement resulted from omitting constants'
table index increment in each round. And minor part from rescheduling
instructions. Apparently POWER9 (and POWER8) manage to dispatch
instructions more efficiently if they are laid down as if they have
no latency...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6406)
2018-06-03 21:20:40 +02:00
Andy Polyakov
1a467bd12f chacha/asm/chacha-ppc.pl: improve POWER8 performance by 15%.
This comes at cost of minor 2.5% regression on G4, which is reasonable
trade-off. [Further improve compliance with ABI requirements.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6406)
2018-06-03 21:20:34 +02:00
Andy Polyakov
41013cd63c PPC assembly pack: correct POWER9 results.
As it turns out originally published results were skewed by "turbo"
mode. VM apparently remains oblivious to dynamic frequency scaling,
and reports that processor operates at "base" frequency at all times.
While actual frequency gets increased under load.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6406)
2018-06-03 21:20:06 +02:00
Andy Polyakov
9a708bf982 {arm64|x86_64}cpuid.pl: add special 16-byte case to OPENSSL_memcmp.
OPENSSL_memcmp is a must in GCM decrypt and general-purpose loop takes
quite a portion of execution time for short inputs, more than GHASH for
few-byte inputs according to profiler. Special 16-byte case takes it off
top five list in profiler output.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6312)
2018-06-03 21:15:18 +02:00
Andy Polyakov
c1b2569d23 modes/gcm128.c: coalesce calls to GHASH.
On contemporary platforms assembly GHASH processes multiple blocks
faster than one by one. For TLS payloads shorter than 16 bytes, e.g.
alerts, it's possible to reduce hashing operation to single call.
And for block lengths not divisible by 16 - fold two final calls to
one. Improvement is most noticeable with "reptoline", because call to
assembly GHASH is indirect.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6312)
2018-06-03 21:13:28 +02:00
Andy Polyakov
c5307d9cc0 evp/e_aes.c: replace calls to one-liners with references in GCM.
Even though calls can be viewed as styling improvement, they do come
with cost. It's not big cost and shows only on short inputs, but it is
measurable, 2-3% on some platforms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6312)
2018-06-03 21:12:52 +02:00
Kurt Roeckx
1e653d0ff7 Fix checking the return value of getentropy()
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6405
2018-06-03 12:14:32 +02:00
Kurt Roeckx
2545f9446e Remove support for calling getrandom(), we now always call getentropy()
Only Linux and FreeBSD provide getrandom(), but they both also provide
getentropy() since the same version and we already tried to call that.

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6405
2018-06-03 12:14:26 +02:00
Kurt Roeckx
cf0891b8f1 Look up availability of getentropy() at runtime.
This will actually support most OSs, and at least adds support for
Solaris and OSX

Fixes: #6403
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6405
2018-06-03 12:14:20 +02:00
Kurt Roeckx
8f57662771 Add support for KERN_ARND to get random bytes on NetBSD
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6405
2018-06-03 12:14:12 +02:00
Richard Levitte
5eb774324a ENGINE_pkey_asn1_find_str(): don't assume an engine implements ASN1 method
Just because an engine implements algorithm methods, that doesn't mean
it also implements the ASN1 method.  Therefore, be careful when looking
for an ASN1 method among all engines, don't try to use one that doesn't
exist.

Fixes #6381

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6383)

(cherry picked from commit 1ac3cd6277)
(cherry picked from commit 13b578ada3)
2018-05-31 12:03:20 +02:00
Matt Caswell
1b3c89cd1e Remove some logically dead code
Found by coverity. This is an artifact left over from the original
decaf import which generated the source code for different curves. For
curve 448 this is dead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:38:51 +01:00
Matt Caswell
5be77b074c Remove some logically dead code
Issues found by Coverity

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:38:51 +01:00
Yihong Wang
a133883752 Reduce minimal out length in CRYPTO_128_unwrap_pad
In `aes_wrap_cipher()`, the minimal out buff length is `(inlen - 8)`.
Since it calls `CRYPTO_128_unwrap_pad()` underneath, it makes sense to
reduce the minimal out length in `CRYPTO_128_unwrap_pad()` to align to
its caller.

Signed-off-by: Yihong Wang <yh.wang@ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6266)
2018-05-30 23:16:52 +02:00
User
848113a30b bn/bn_exp.c: mitigation of the One-and-Done side-channel attack.
The One&Done attack, which is described in a paper to appear in the
USENIX Security'18 conference, uses EM emanations to recover the values
of the bits that are obtained using BN_is_bit_set while constructing
the value of the window in BN_mod_exp_consttime. The EM signal changes
slightly depending on the value of the bit, and since the lookup of a
bit is surrounded by highly regular execution (constant-time Montgomery
multiplications) the attack is able to isolate the (very brief) part of
the signal that changes depending on the bit. Although the change is
slight, the attack recovers it successfully >90% of the time on several
phones and IoT devices (all with ARM processors with clock rates around
1GHz), so after only one RSA decryption more than 90% of the bits in
d_p and d_q are recovered correctly, which enables rapid recovery of
the full RSA key using an algorithm (also described in the paper) that
modifies the branch-and-prune approach for a situation in which the
exponents' bits are recovered with errors, i.e. where we do not know
a priori which bits are correctly recovered.

The mitigation for the attack is relatively simple - all the bits of
the window are obtained at once, along with other bits so that an
entire integer's worth of bits are obtained together using masking and
shifts, without unnecessarily considering each bit in isolation. This
improves performance somewhat (one call to bn_get_bits is faster than
several calls to BN_is_bit_set), so the attacker now gets one signal
snippet per window (rather than one per bit) in which the signal is
affected by all bits in the integer (rather than just the one bit).

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6276)
2018-05-30 23:01:56 +02:00
Andy Polyakov
c869c3ada9 chacha/asm/chacha-ppc.pl: optimize AltiVec/VMX code path.
32-bit vector rotate instruction was defined from beginning, it
not being used from the start must be a brain-slip...

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6363)
2018-05-30 22:52:51 +02:00
Andy Polyakov
95c81f8c88 perlasm/ppc-xlate.pl: add new instructions and clean up.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6363)
2018-05-30 22:51:58 +02:00
Mingtao Yang
0124f32a01 Add APIs for custom X509_LOOKUP_METHOD creation
OpenSSL 1.1.0 made the X509_LOOKUP_METHOD structure opaque, so
applications that were previously able to define a custom lookup method
are not able to be ported.

This commit adds getters and setters for each of the current fields of
X509_LOOKUP_METHOD, along with getters and setters on several associated
opaque types (such as X509_LOOKUP and X509_OBJECT).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6152)
2018-05-30 15:45:48 +02:00
Todd Short
47eaa32d26 Fix no-sm2 with clang
Return immediately upon discovery of bad message digest.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6298)
2018-05-29 17:03:14 +01:00
Matt Caswell
4aa5b725d5 The result of a ^ 0 mod -1 is 0 not 1
Thanks to Guido Vranken and OSSFuzz for finding this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6355)
2018-05-29 16:43:18 +01:00
Matt Caswell
83cf7abf8e Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6371)
2018-05-29 13:16:04 +01:00
Dr. Matthias St. Pierre
0396401d1c ECDSA_SIG: add simple getters for commonly used struct members
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:23 +02:00
Dr. Matthias St. Pierre
6692ff7777 RSA: add simple getters for commonly used struct members
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:23 +02:00
Dr. Matthias St. Pierre
e6f35b5768 DSA: add simple getters for commonly used struct members
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:23 +02:00
Matt Caswell
07824f304a Revert "Support EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA"
This reverts commit a6f5b11634.

The EVP_PKEY_sign() function is intended for pre-hashed input which is
not supported by our EdDSA implementation.

See the discussion in PR 5880

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6284)
2018-05-24 17:25:43 +01:00
Matt Caswell
b14e601550 Improve compatibility of point and curve checks
We check that the curve name associated with the point is the same as that
for the curve.

Fixes #6302

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6323)
2018-05-24 17:17:44 +01:00
David Benjamin
2de108dfa3 Save and restore the Windows error around TlsGetValue.
TlsGetValue clears the last error even on success, so that callers may
distinguish it successfully returning NULL or failing. This error-mangling
behavior interferes with the caller's use of GetLastError. In particular
SSL_get_error queries the error queue to determine whether the caller should
look at the OS's errors. To avoid destroying state, save and restore the
Windows error.

Fixes #6299.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6316)
2018-05-23 17:34:54 -04:00
David Benjamin
e363534cfe Use OPENSSL_EC_EXPLICIT_CURVE constant.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6314)
2018-05-23 17:32:41 -04:00
David Benjamin
fc6f579a9e Fix explicit EC curve encoding.
Per SEC 1, the curve coefficients must be padded up to size. See C.2's
definition of Curve, C.1's definition of FieldElement, and 2.3.5's definition
of how to encode the field elements in http://www.secg.org/sec1-v2.pdf.

This comes up for P-521, where b needs a leading zero.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6314)
2018-05-23 17:32:41 -04:00
Viktor Dukhovni
55a6250f1e Skip CN DNS name constraint checks when not needed
Only check the CN against DNS name contraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.

Add pertinent documentation, and touch up some stale text about
name checks and DANE.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2018-05-23 11:12:17 -04:00
Viktor Dukhovni
d02d80b2e8 Limit scope of CN name constraints
Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names.  Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label.  In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2018-05-23 11:12:13 -04:00
Richard Levitte
8cc1dc3632 Better error code when lacking __SIZEOF_INT128__
Fixes #6327

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6328)
2018-05-23 11:57:04 +02:00
Matt Caswell
511190b691 Fix undefined behaviour in X509_NAME_cmp()
If the lengths of both names is 0 then don't attempt to do a memcmp.

Issue reported by Simon Friedberger, Robert Merget and Juraj Somorovsky.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6291)
2018-05-21 10:22:11 +01:00
Richard Levitte
c1c1783d45 Restore check of |*xn| against |name| in X509_NAME_set
A previous change of this function introduced a fragility when the
destination happens to be the same as the source.  Such alias isn't
recommended, but could still happen, for example in this kind of code:

    X509_NAME *subject = X509_get_issuer_name(x);

    /* ... some code passes ... */

    X509_set_issuer_name(x, subject);

Fixes #4710

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6280)
2018-05-20 09:48:58 +02:00
Matt Caswell
f3021aca4a Allow the ca application to use EdDSA
Using the ca application to sign certificates with EdDSA failed because it
is not possible to set the digest to "null". This adds the capability and
updates the documentation accordingly.

Fixes #6201

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6286)
2018-05-18 10:14:29 +01:00
Dr. Matthias St. Pierre
6db7fadf09 DH: add simple getters for commonly used DH struct members
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6273)
2018-05-18 08:53:48 +02:00
Matt Caswell
b336ce57f2 Make BN_GF2m_mod_arr more constant time
Experiments have shown that the lookup table used by BN_GF2m_mod_arr
introduces sufficient timing signal to recover the private key for an
attacker with access to cache timing information on the victim's host.
This only affects binary curves (which are less frequently used).

No CVE is considered necessary for this issue.

The fix is to replace the lookup table with an on-the-fly calculation of
the value from the table instead, which can be performed in constant time.

Thanks to Youngjoo Shin for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6270)
2018-05-17 16:57:11 +01:00
Richard Levitte
de03cc92d1 UI console: Restore tty settings, do not force ECHO after prompt
The Console UI method always set echo on after prompting without
echo.  However, echo might not have been on originally, so just
restore the original TTY settings.

Fixes #2373

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6156)
2018-05-14 11:00:23 +02:00
Richard Levitte
c82c346226 In cases where we ask PEM_def_callback for minimum 0 length, accept 0 length
Fixes #4716

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6173)
2018-05-12 10:19:51 +02:00
Kurt Roeckx
3cb7c5cfef Use void in all function definitions that do not take any arguments
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #6208
2018-05-11 14:37:48 +02:00
Kurt Roeckx
d4a8ba77a4 rsaz_avx2_eligible doesn't take parameters
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #6208
2018-05-11 14:37:45 +02:00
Andy Polyakov
13f6857db1 PPC assembly pack: add POWER9 results.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-05-10 11:44:21 +02:00
Billy Brumley
0dae8bafce Add blinding in BN_GF2m_mod_inv for binary field inversions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6070)
2018-05-09 13:30:42 +02:00
Billy Brumley
a7b0b69c6e ECC: unify generic ec2 and ecp scalar multiplication, deprecate ec2_mult.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6070)
2018-05-09 13:30:38 +02:00