Commit Graph

24507 Commits

Author SHA1 Message Date
Pauli
64115f05ac Usages of KDFs converted to use the name macros
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9814)
2019-09-11 10:22:49 +10:00
Pauli
69333af49d Register KDF's using their name macros rather than strings
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9814)
2019-09-11 10:22:49 +10:00
Pauli
2e548ac9a1 Make FIPS provider use KDF name for PBKDF2
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9814)
2019-09-11 10:22:49 +10:00
Pauli
27e27cd7ef Update tests to (mostly) use KDF names
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9814)
2019-09-11 10:22:49 +10:00
Pauli
1732c260db Convert SSL functions to use KDF names not SN_ strings
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9814)
2019-09-11 10:22:49 +10:00
Pauli
d810cc1977 Add macros for the KDF algorithm names.
This avoids the problems with PBKDF2 and SCRYPT not being of the same form
as the rest.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9814)
2019-09-11 10:22:49 +10:00
Pauli
4a3dd62923 Coverity 1453629 and 1453638: Error handling issues (NEGATIVE_RETURNS)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9805)
2019-09-11 08:27:27 +10:00
Pauli
f20a59cb1c Coverity 1453634: Resource leaks (RESOURCE_LEAK)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9805)
2019-09-11 08:27:27 +10:00
Pauli
d111712f6a Coverity 1453633: Error handling issues (CHECKED_RETURN)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9805)
2019-09-11 08:27:27 +10:00
Pauli
64da55a64f Coverity 1453632 & 1453635: Null pointer dereferences (FORWARD_NULL)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9805)
2019-09-11 08:27:26 +10:00
Pauli
085f1d11a0 Coverity 1453630: Null pointer dereferences (FORWARD_NULL)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9805)
2019-09-11 08:27:26 +10:00
Pauli
6ce4ff1915 Coverity 1453628: Null pointer dereferences (REVERSE_INULL)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9805)
2019-09-11 08:27:26 +10:00
Pauli
7e56c62693 Coverity 1453627: Null pointer dereferences (REVERSE_INULL)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9805)
2019-09-11 08:27:26 +10:00
Pauli
92475712a9 Coverity 1414465: Resource leaks (RESOURCE_LEAK)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9805)
2019-09-11 08:27:26 +10:00
Bernd Edlinger
5840ed0cd1 Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.

As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.

The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)
2019-09-10 11:31:25 +01:00
Bernd Edlinger
fa3eb248e2 Fix a potential crash in rand_unix.c
Due to the dynamic allocation that was added to rand_pool_add_begin
this function could now return a null pointer where it was previously
guaranteed to succeed. But the return value of this function does
not need to be checked by design.

Move rand_pool_grow from rand_pool_add_begin to rand_pool_bytes_needed.
Make an allocation error persistent to avoid falling back to less secure
or blocking entropy sources.

Fixes: a6a66e4511 ("Make rand_pool buffers more dynamic in their sizing.")

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9687)
2019-09-10 09:57:30 +01:00
Bernd Edlinger
e301c147a7 Fix a strict warnings error in rand_pool_acquire_entropy
There was a warning about unused variables in this config:
./config --strict-warnings --with-rand-seed=rdcpu

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9687)
2019-09-10 09:57:20 +01:00
Billy Brumley
1d3cd983f5 [test] ECC: check the bounds for auto computing cofactor
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9821)
2019-09-09 18:10:10 +03:00
Bernd Edlinger
d3a1128bc2 Fix build with VS2008
crypto/rand/rand_win.c(70) : error C2065: 'BCRYPT_USE_SYSTEM_PREFERRED_RNG' : undeclared identifier

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9827)
2019-09-09 16:43:52 +02:00
Matt Caswell
20bf3d8b22 Use simple names in core_names.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
2019-09-09 14:00:00 +01:00
Matt Caswell
864b89ce49 Move EVP_PKEY algorithm implementations into a union
An EVP_PKEY can be used for multiple different algorithm operations.
Only one can be used at a time, so we move those into a union.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
2019-09-09 14:00:00 +01:00
Matt Caswell
9c45222ddc Revise EVP_PKEY param handling
We add new functions for getting parameters and discovering the gettable
and settable parameters. We also make EVP_PKEY_CTX_get_signature_md() a
function and implement it in terms of the new functions.

This enables applications to discover the set of parameters that are
supported for a given algorithm implementation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
2019-09-09 14:00:00 +01:00
Matt Caswell
21fb706722 Enable DH "keys" which only contain domain parameters
It is valid for a pub_key and priv_key to be missing from a DH "key".

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
2019-09-09 14:00:00 +01:00
Matt Caswell
4f62f5d9af Add docs for the provider interface for signature operations
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
2019-09-09 14:00:00 +01:00
Matt Caswell
11031468c3 Add public API docs for newly added EVP_SIGNATURE related functions
Documentation for EVP_SIGNATURE_*() as well as EVP_PKEY_sign_init_ex(),
EVP_PKEY_verify_init_ex() and EVP_PKEY_verify_recover_init_ex().

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
2019-09-09 14:00:00 +01:00
Matt Caswell
390acbebfa Add support for verify/verify_recover functions to EVP_SIGNATURE
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
2019-09-09 14:00:00 +01:00
Matt Caswell
4889dadcb8 Implement DSA in the default provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
2019-09-09 14:00:00 +01:00
Matt Caswell
dfcb5d29b5 Add the ability to perform signatures in a provider
This makes EVP_PKEY_sign and EVP_PKEY_sign_init provider aware. It
also introduces the new type EVP_SIGNATURE to represent signature
algorithms. This also automatically makes the EVP_Sign* APIs provider
aware because they use EVP_Digest* (which is already provider aware)
and EVP_PKEY_sign(_init) under the covers.

At this stage there are no signature algorithms in any providers. That
will come in the following commits.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
2019-09-09 13:52:26 +01:00
Bernd Edlinger
2b95e8efcf DH_check_pub_key_ex was accidentally calling DH_check,
so results were undefined.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9796)
2019-09-09 14:43:57 +02:00
Bernd Edlinger
fa01370f7d Use BN_clear_free in DH_set0_key
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9796)
2019-09-09 14:43:57 +02:00
Bernd Edlinger
feeb7ecd2f Check the DH modulus bit length
The check was missing in DH_check and DH_check_params.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9796)
2019-09-09 14:43:57 +02:00
Nicola Tuveri
bfed4fc836 Uniform TEST_*() check usage in test/ectest.c
- Replace a `TEST_true()` with `!TEST_false()` to avoid reporting
  confusing errors
- We tend to use `if (!TEST_foo() || !TEST_bar())` and it's a bit
  confusing to switch to `if(!(TEST_foo() && TEST_bar()))`: replace it
  with the more common style

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9813)
2019-09-09 14:44:47 +03:00
Nicola Tuveri
65936a5646 Fix spacing nit in test/ectest.c
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9813)
2019-09-09 14:44:47 +03:00
Jakub Zelenka
3f37050e33 Fix typos in the OSSL_METHOD_STORE doc
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9825)
2019-09-09 13:19:19 +02:00
Nicola Tuveri
bacaa618c2 [ec] Match built-in curves on EC_GROUP_new_from_ecparameters
Description
-----------

Upon `EC_GROUP_new_from_ecparameters()` check if the parameters match any
of the built-in curves. If that is the case, return a new
`EC_GROUP_new_by_curve_name()` object instead of the explicit parameters
`EC_GROUP`.

This affects all users of `EC_GROUP_new_from_ecparameters()`:
- direct calls to `EC_GROUP_new_from_ecparameters()`
- direct calls to `EC_GROUP_new_from_ecpkparameters()` with an explicit
  parameters argument
- ASN.1 parsing of explicit parameters keys (as it eventually
  ends up calling `EC_GROUP_new_from_ecpkparameters()`)

A parsed explicit parameter key will still be marked with the
`OPENSSL_EC_EXPLICIT_CURVE` ASN.1 flag on load, so, unless
programmatically forced otherwise, if the key is eventually serialized
the output will still be encoded with explicit parameters, even if
internally it is treated as a named curve `EC_GROUP`.

Before this change, creating any `EC_GROUP` object using
`EC_GROUP_new_from_ecparameters()`, yielded an object associated with
the default generic `EC_METHOD`, but this was never guaranteed in the
documentation.
After this commit, users of the library that intentionally want to
create an `EC_GROUP` object using a specific `EC_METHOD` can still
explicitly call `EC_GROUP_new(foo_method)` and then manually set the
curve parameters using `EC_GROUP_set_*()`.

Motivation
----------

This has obvious performance benefits for the built-in curves with
specialized `EC_METHOD`s and subtle but important security benefits:
- the specialized methods have better security hardening than the
  generic implementations
- optional fields in the parameter encoding, like the `cofactor`, cannot
  be leveraged by an attacker to force execution of the less secure
  code-paths for single point scalar multiplication
- in general, this leads to reducing the attack surface

Check the manuscript at https://arxiv.org/abs/1909.01785 for an in depth
analysis of the issues related to this commit.

It should be noted that `libssl` does not allow to negotiate explicit
parameters (as per RFC 8422), so it is not directly affected by the
consequences of using explicit parameters that this commit fixes.
On the other hand, we detected external applications and users in the
wild that use explicit parameters by default (and sometimes using 0 as
the cofactor value, which is technically not a valid value per the
specification, but is tolerated by parsers for wider compatibility given
that the field is optional).
These external users of `libcrypto` are exposed to these vulnerabilities
and their security will benefit from this commit.

Related commits
---------------

While this commit is beneficial for users using built-in curves and
explicit parameters encoding for serialized keys, commit
b783beeadf (and its equivalents for the
1.0.2, 1.1.0 and 1.1.1 stable branches) fixes the consequences of the
invalid cofactor values more in general also for other curves
(CVE-2019-1547).

The following list covers commits in `master` that are related to the
vulnerabilities presented in the manuscript motivating this commit:

- d2baf88c43 [crypto/rsa] Set the constant-time flag in multi-prime RSA too
- 311e903d84 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
- b783beeadf [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
- 724339ff44 Fix SCA vulnerability when using PVK and MSBLOB key formats

Note that the PRs that contributed the listed commits also include other
commits providing related testing and documentation, in addition to
links to PRs and commits backporting the fixes to the 1.0.2, 1.1.0 and
1.1.1 branches.

Responsible Disclosure
----------------------

This and the other issues presented in https://arxiv.org/abs/1909.01785
were reported by Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri,
Iaroslav Gridin, Alejandro Cabrera Aldaya and Billy Bob Brumley from the
NISEC group at Tampere University, FINLAND.

The OpenSSL Security Team evaluated the security risk for this
vulnerability as low, and encouraged to propose fixes using public Pull
Requests.

_______________________________________________________________________________

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9808)
2019-09-09 14:03:25 +03:00
Richard Levitte
bd9faf117d Do no mention private headers in public headers
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9812)
2019-09-09 12:06:43 +02:00
Dr. Matthias St. Pierre
03e5668343 Configure: clang: move -Wno-unknown-warning-option to the front
While gcc ignores unknown options of the type '-Wno-xxx', clang by default issues
a warning [-Wunknown-warning-option] (see [3]), which together with '-Werror'
causes the build to fail. This turned out to be a problem on the 1.0.2 stable branch
in the case of the '-Wextended-offsetof' option, which was removed in version 6.0.0,
but needs to be kept here in order to support older clang versions, too (see #9446).

Incidentally, master and 1.1.1 branch already contained the -Wno-unknown-warning-option
option. Due to its special role and its importance, this commit adds an explaining
commit message and moves the option to the front.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9447)
2019-09-08 10:59:56 +02:00
Billy Brumley
a1a0e6f285 CHANGES entry: for ECC parameters with NULL or zero cofactor, compute it
This is a forward port from https://github.com/openssl/openssl/pull/9781
of the CHANGES entry for the functionality added in
https://github.com/openssl/openssl/pull/9727

(cherry picked from commit 4b965086cb)

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9797)
2019-09-07 15:37:13 +03:00
Billy Brumley
5041ea38c9 [test] computing ECC cofactors: regression test
This is a forward port from
    https://github.com/openssl/openssl/pull/9781
for the test logic introduced by
    https://github.com/openssl/openssl/pull/9727

As @mattcaswell commented
(https://github.com/openssl/openssl/pull/9781#discussion_r321621541):

> These `TEST_true` calls should be `!TEST_false` because we are
> *expecting* a failure.
> The difference is that the test framework will print error details if
> the test doesn't give the expected answer.
> So by using `TEST_true` instead of `!TEST_false` we'll get error
> details printed, but the test will succeed anyway.

(cherry picked from commit e8aafc891d)

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9797)
2019-09-07 15:37:13 +03:00
Pauli
e97bab6929 Use common digest getter for X942 KDF
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:54 +10:00
Pauli
a1de4680fb Use common digest getter for SSH KDF
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:54 +10:00
Pauli
0f0db4dc25 Use common digest getter for TLS1 PRF
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:53 +10:00
Pauli
7e149b3928 Use common digest getter for single step KDF
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:53 +10:00
Pauli
e957226a0c Use common digest getter for PBKDF2
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:53 +10:00
Pauli
86f17ed64c Use common digest getter for HKDF
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:53 +10:00
Pauli
cb74317b4f Use common define for properties, engine, cipher and digest params
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:53 +10:00
Pauli
c69561de00 Add 'engine' param to KDFs
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:53 +10:00
Pauli
96d7e2733e KMAC using common digest get code
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:53 +10:00
Pauli
103d8b0be4 HMAC using common digest get code
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:53 +10:00
Pauli
76497acf52 GMAC using common cipher get code
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
2019-09-07 16:01:53 +10:00