Commit Graph

472 Commits

Author SHA1 Message Date
Pauli
a9cfb8c2aa Timing vulnerability in DSA signature generation (CVE-2018-0734).
Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized.  Increasing the size of the BNs
prior to doing anything with them suppresses the attack.

Thanks due to Samuel Weiser for finding and locating this.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)
2018-10-29 07:46:20 +10:00
Pauli
415c335635 DSA mod inverse fix
There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm.  This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.

Thanks to Samuel Weiser for finding and reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)
2018-10-29 06:50:51 +10:00
Matt Caswell
1212818eb0 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7176)
2018-09-11 13:45:17 +01:00
Nicola Tuveri
544648a8e0 Harmonize the error handling codepath
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)
2018-09-05 15:22:35 +03:00
Nicola Tuveri
0c5d725ebf Fix segfault in RSA_free() (and DSA/DH/EC_KEY)
`RSA_free()` and friends are called in case of error from
`RSA_new_method(ENGINE *e)` (or the respective equivalent functions).

For the rest of the description I'll talk about `RSA_*`, but the same
applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`.

If `RSA_new_method()` fails because the engine does not implement the
required method, when `RSA_free(RSA *r)` is called,
`r->meth == NULL` and a segfault happens while checking if
`r->meth->finish` is defined.

This commit fixes this issue by ensuring that `r->meth` is not NULL
before dereferencing it to check for `r->meth->finish`.

Fixes #7102 .

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)
2018-09-05 15:22:35 +03:00
Bryan Donlan
665d9d1c06 Remove DSA digest length checks when no digest is passed
FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.

Fixes: #6748

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)
2018-07-29 21:26:29 +02:00
Nicola Tuveri
4f1b96f9fc Use DEPRECATEDIN_1_2_0 macro for DSA_sign_setup declaration
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6467)
2018-06-21 11:01:32 +01:00
Matt Caswell
7f9822a482 Add blinding to a DSA signature
This extends the recently added ECDSA signature blinding to blind DSA too.

This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.

Normally, as in ECDSA, during signing the signer calculates:

s:= k^-1 * (m + r * priv_key) mod order

In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.

As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:

s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only no CVE is assigned.

This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6522)
2018-06-21 10:15:57 +01:00
Matt Caswell
83cf7abf8e Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6371)
2018-05-29 13:16:04 +01:00
Dr. Matthias St. Pierre
e6f35b5768 DSA: add simple getters for commonly used struct members
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:23 +02:00
Richard Levitte
28428130db Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5990)
2018-04-17 15:18:40 +02:00
Matt Caswell
d54897cf54 Pick a q size consistent with the digest for DSA param generation
There are two undocumented DSA parameter generation options available in
the genpkey command line app:
dsa_paramgen_md and dsa_paramgen_q_bits.

These can also be accessed via the EVP API but only by using
EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no
helper macros for these options.

dsa_paramgen_q_bits sets the length of q in bits (default 160 bits).
dsa_paramgen_md sets the digest that is used during the parameter
generation (default SHA1). In particular the output length of the digest
used must be equal to or greater than the number of bits in q because of
this code:

            if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
                goto err;
            if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
                goto err;
            for (i = 0; i < qsize; i++)
                md[i] ^= buf2[i];

            /* step 3 */
            md[0] |= 0x80;
            md[qsize - 1] |= 0x01;
            if (!BN_bin2bn(md, qsize, q))
                goto err;

qsize here is the number of bits in q and evpmd is the digest set via
dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH.
buf2 has been filled with qsize bits of random seed data, and md is
uninitialised.

If the output size of evpmd is less than qsize then the line "md[i] ^=
buf2[i]" will be xoring an uninitialised value and the random seed data
together to form the least significant bits of q (and not using the
output of the digest at all for those bits) - which is probably not what
was intended. The same seed is then used as an input to generating p. If
the uninitialised data is actually all zeros (as seems quite likely)
then the least significant bits of q will exactly match the least
significant bits of the seed.

This problem only occurs if you use these undocumented and difficult to
find options and you set the size of q to be greater than the message
digest output size. This is for parameter generation only not key
generation. This scenario is considered highly unlikely and
therefore the security risk of this is considered negligible.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5800)
2018-04-05 15:44:24 +01:00
Matt Caswell
06d3b485db Don't crash if an unrecognised digest is used with dsa_paramgen_md
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5800)
2018-04-05 15:44:24 +01:00
Matt Caswell
c4d3c19b4c Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5851)
2018-04-03 13:57:12 +01:00
Jack Bates
693be9a2cb Convert _meth_get_ functions to const getters
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2181)
2018-03-21 10:37:05 +00:00
Pavel Kopyl
7760384b40 Check return value of OBJ_nid2obj in dsa_pub_encode.
CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)
2017-11-03 15:46:51 +01:00
Pauli
c0caa945f6 Address a timing side channel whereby it is possible to determine some
information about the length of a value used in DSA operations from
a large number of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)
2017-11-01 15:47:28 +00:00
KaoruToda
26a7d938c9 Remove parentheses of return.
Since return is inconsistent, I removed unnecessary parentheses and
unified them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4541)
2017-10-18 16:05:06 +01:00
Rich Salz
e3713c365c Remove email addresses from source code.
Names were not removed.
Some comments were updated.
Replace Andy's address with openssl.org

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4516)
2017-10-13 10:06:59 -04:00
KaoruToda
208fb891e3 Since return is inconsistent, I removed unnecessary parentheses and
unified them.
- return (0); -> return 0;
- return (1); -> return 1;
- return (-1); -> return -1;

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4500)
2017-10-09 13:17:09 +01:00
Samuel Weiser
6364475a99 Added const-time flag to DSA key decoding to avoid potential leak of privkey
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4440)
2017-09-29 13:06:25 -04:00
Pauli
cd420b0b1f Move the REF_PRINT support from e_os.h to internal/refcount.h.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)
2017-08-30 07:20:44 +10:00
Pauli
677963e5a4 e_os.h removal from other headers and source files.
Removed e_os.h from all bar three headers (apps/apps.h crypto/bio/bio_lcl.h and
ssl/ssl_locl.h).

Added e_os.h into the files that need it now.

Directly reference internal/nelem.h when required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)
2017-08-30 07:20:43 +10:00
Rich Salz
ddc6a5c8f5 Add RAND_priv_bytes() for private keys
Add a new global DRBG for private keys used by RAND_priv_bytes.

Add BN_priv_rand() and BN_priv_rand_range() which use RAND_priv_bytes().
Change callers to use the appropriate BN_priv... function.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4076)
2017-08-03 10:45:17 -04:00
Rich Salz
75e2c87765 Switch from ossl_rand to DRBG rand
If RAND_add wraps around, XOR with existing. Add test to drbgtest that
does the wrap-around.

Re-order seeding and stop after first success.

Add RAND_poll_ex()

Use the DF and therefore lower RANDOMNESS_NEEDED.  Also, for child DRBG's,
mix in the address as the personalization bits.

Centralize the entropy callbacks, from drbg_lib to rand_lib.
(Conceptually, entropy is part of the enclosing application.)
Thanks to Dr. Matthias St Pierre for the suggestion.

Various code cleanups:
    -Make state an enum; inline RANDerr calls.
    -Add RAND_POLL_RETRIES (thanks Pauli for the idea)
    -Remove most RAND_seed calls from rest of library
    -Rename DRBG_CTX to RAND_DRBG, etc.
    -Move some code from drbg_lib to drbg_rand; drbg_lib is now only the
     implementation of NIST DRBG.
    -Remove blocklength

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4019)
2017-08-03 09:23:28 -04:00
Bernd Edlinger
fb0a64126b Fix a possible crash in dsa_builtin_paramgen2.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3675)
2017-06-14 09:35:48 -04:00
Rich Salz
52df25cf2e make error tables const and separate header file
Run perltidy on util/mkerr
Change some mkerr flags, write some doc comments
Make generated tables "const" when genearting lib-internal ones.
Add "state" file for mkerr
Renerate error tables and headers
Rationalize declaration of ERR_load_XXX_strings
Fix out-of-tree build
Add -static; sort flags/vars for options.
Also tweak code output
Moved engines/afalg to engines (from master)
Use -static flag
Standard engine #include's of errors
Don't linewrap err string tables unless necessary

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3392)
2017-06-07 15:12:03 -04:00
Richard Levitte
9612e15760 ASN.1: adapt our use of INTxx et al by making them explicitely embedded
Fixes #3191

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3199)
2017-04-13 10:23:31 +02:00
Richard Levitte
6a32a3c058 Act on deprecation of LONG and ZLONG, step 2
Replace all remaining uses of LONG and ZLONG with INT32 / ZINT32.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)
2017-04-10 12:11:00 +02:00
Rich Salz
076fc55527 Make default_method mostly compile-time
Document thread-safety issues
Have RSA_null return NULL (always fails)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2244)
2017-04-07 12:19:46 -04:00
FdaSilvaYY
e705fcf197 Style
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)
2017-01-25 09:06:34 +00:00
FdaSilvaYY
28b86f313b Fix some extra or missing whitespaces...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)
2017-01-25 09:06:34 +00:00
Richard Levitte
8a05c4d3b5 Fix DSA parameter generation control error
When setting the digest parameter for DSA parameter generation, the
signature MD was set instead of the parameter generation one.
Fortunately, that's also the one that was used for parameter
generation, but it ultimately meant the parameter generator MD and the
signature MD would always be the same.

Fixes github issue #2016

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2250)
2017-01-20 08:29:46 +01:00
Kurt Roeckx
2f545ae45d Add support for reference counting using C11 atomics
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1500
2016-11-17 22:02:25 +01:00
FdaSilvaYY
bad6b116a2 Raise an error on memory alloc failure.
Both strdup or malloc failure should raise à err.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1905)
2016-11-16 20:54:53 -05:00
Sebastian Andrzej Siewior
af54741265 dsa/dsa_gen: add error message for seed_len < 0
prio openssl 1.1.0 seed_len < q was accepted and the seed argument was
then ignored. Now DSA_generate_parameters_ex() returns an error in such
a case but no error string.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1657)
2016-11-14 08:56:09 -05:00
Matt Caswell
1ff7425d61 Fix a missing NULL check in dsa_builtin_paramgen
We should check the last BN_CTX_get() call to ensure that it isn't NULL
before we try and use any of the allocated BIGNUMs.

Issue reported by Shi Lei.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-09-21 13:32:30 +01:00
Dr. Stephen Henson
245c6bc33b Constify private key decode.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 12:01:29 +01:00
Dr. Stephen Henson
ac4e257747 constify X509_ALGOR_get0()
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 12:01:29 +01:00
Dr. Stephen Henson
5d8d9a8efa Add DSA_bits() function.
RT#4637

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-01 19:37:42 +01:00
Kurt Roeckx
69588edbaa Check for errors allocating the error strings.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #1330
2016-07-20 19:20:53 +02:00
Dr. Stephen Henson
8cc44d970c Don't allocate r/s in DSA_SIG and ECDSA_SIG
To avoid having to immediately free up r/s when setting them
don't allocate them automatically in DSA_SIG_new() and ECDSA_SIG_new().

RT#4590

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-20 14:02:54 +01:00
Ben Laurie
24bf6f3c7f Deal with API changes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-24 14:40:33 +01:00
Emilia Kasper
9267c11bb5 Make DSA_SIG and ECDSA_SIG getters const.
Reorder arguments to follow convention.

Also allow r/s to be NULL in DSA_SIG_get0, similarly to ECDSA_SIG_get0.

This complements GH1193 which adds non-const setters.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-20 14:58:36 +02:00
FdaSilvaYY
823146d65f Useless header include of openssl/rand.h
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1168)
2016-06-18 16:30:24 -04:00
Matt Caswell
b84e12266f Fix the build and tests following constification of DH, DSA, RSA
Misc fixes following the constification of the DH, DSA and RSA
getters.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-06-16 13:34:44 +01:00
Richard Levitte
fd809cfdbd Constify the parameter getters for RSA, DSA and DH
Including documentation changes

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-06-15 20:09:27 +02:00
TJ Saunders
bbaa9dd850 Ensure that NULL r and s parameters cannot be set on DSA_SIG/ECDSA_SIGs.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1193)
2016-06-13 15:44:49 -04:00
TJ Saunders
7ca3ea22c1 Reorder the setter arguments to more consistently match that of other APIs,
per review comments.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1193)
2016-06-13 15:44:49 -04:00
TJ Saunders
6a571a18dd Implement DSA_SIG_set0() and ECDSA_SIG_set0(), for setting signature values.
SSH2 implementations which use DSA_do_verify() and ECDSA_do_verify() are given
the R and S values, and the data to be signed, by the client.  Thus in order
to validate these signatures, SSH2 implementations will digest and sign
the data -- and then pass in properly provisioned DSA_SIG and ECDSA_SIG objects.

Unfortunately, the existing OpenSSL-1.1.0 APIs do not allow for directly setting
those R and S values in these objects, which makes using OpenSSL for such
SSH2 implementations much more difficult.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1193)
2016-06-13 15:44:49 -04:00