openssl/crypto
Cesar Pereida Garcia 724339ff44 Fix SCA vulnerability when using PVK and MSBLOB key formats
This commit addresses a side-channel vulnerability present when
PVK and MSBLOB key formats are loaded into OpenSSL.
The public key was not computed using a constant-time exponentiation
function.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9587)
2019-08-27 09:07:30 +01:00
..
aes Fix Typos 2019-07-02 14:22:29 +02:00
aria Remove tab characters from C source files. 2019-07-16 20:24:10 +10:00
asn1 Add missing EBCDIC strings 2019-08-14 10:41:41 +01:00
async Regenerate mkerr files 2019-07-16 05:26:28 +02:00
bf Move bf_asm_src file information to build.info files 2019-06-17 16:08:52 +02:00
bio BIO_lookup_ex: Do not retry on EAI_MEMORY 2019-08-13 11:40:55 +02:00
blake2 Move BLAKE2 MACs to the providers 2019-08-15 22:12:25 +02:00
bn crypto/bn/build.info: define OPENSL_IA32_SSE2 globally when needed 2019-08-23 17:19:08 +02:00
buffer Make the EC code available from inside the FIPS provider 2019-08-06 11:19:07 +01:00
camellia Move cmll_asm_src file information to build.info files 2019-06-17 16:08:53 +02:00
cast Move cast_asm_src file information to build.info files 2019-06-17 16:08:52 +02:00
chacha Move chacha_asm_src file information to build.info files 2019-06-17 16:08:53 +02:00
cmac Move CMAC to providers 2019-08-15 22:12:25 +02:00
cmp Regenerate mkerr files 2019-07-16 05:26:28 +02:00
cms CAdES : lowercase name for now internal methods. 2019-07-31 19:14:12 +10:00
comp Regenerate mkerr files 2019-07-16 05:26:28 +02:00
conf Replace FUNCerr with ERR_raise_data 2019-08-02 11:41:54 +02:00
crmf Get rid of the diversity of names for MAC parameters 2019-08-24 13:01:15 +02:00
ct Regenerate mkerr files 2019-07-16 05:26:28 +02:00
des Cleanup ciphers and Add 3des ciphers. 2019-08-26 17:05:08 +10:00
dh Enforce a minimum DH modulus size of 512 bits 2019-07-24 14:44:08 +02:00
dsa make RSA and DSA operations throw MISSING_PRIVATE_KEY if needed, adapt ECDSA 2019-07-31 16:56:22 +03:00
dso Cygwin: enable the use of Dl_info and dladdr() 2019-07-21 11:06:22 +02:00
ec Fix 9bf682f which broke nistp224_method 2019-08-16 12:58:14 +02:00
engine crypto/engine/eng_openssl.c: define TEST_ENG_OPENSSL_RC4_P_INIT conditionally 2019-08-15 11:22:34 +02:00
err Cleanup ciphers and Add 3des ciphers. 2019-08-26 17:05:08 +10:00
ess Regenerate mkerr files 2019-07-16 05:26:28 +02:00
evp Include mac_meth and mac_lib in the FIPS provider 2019-08-26 18:00:47 +10:00
hmac Move HMAC to providers 2019-08-15 22:12:25 +02:00
idea
include/internal Cleanup ciphers and Add 3des ciphers. 2019-08-26 17:05:08 +10:00
kdf Get rid of the diversity of names for MAC parameters 2019-08-24 13:01:15 +02:00
lhash Fix Typos 2019-07-02 14:22:29 +02:00
md2
md4
md5 Move md5_asm_src file information to build.info files 2019-06-17 16:08:52 +02:00
mdc2
modes Get rid of the diversity of names for MAC parameters 2019-08-24 13:01:15 +02:00
objects Load the config file by default 2019-08-01 09:59:20 +01:00
ocsp Regenerate mkerr files 2019-07-16 05:26:28 +02:00
pem Fix SCA vulnerability when using PVK and MSBLOB key formats 2019-08-27 09:07:30 +01:00
perlasm s390x assembly pack: update perlasm module 2019-04-25 23:07:36 +02:00
pkcs7 Regenerate mkerr files 2019-07-16 05:26:28 +02:00
pkcs12 Regenerate mkerr files 2019-07-16 05:26:28 +02:00
poly1305 Move Poly1305 to providers 2019-08-15 22:12:25 +02:00
property Modify ossl_method_store_add() to accept an OSSL_PROVIDER and check for it 2019-08-22 01:50:30 +02:00
rand Avoid overflowing FDSET when using select(2). 2019-08-24 16:40:34 +10:00
rc2
rc4 Move rc4_asm_src file information to build.info files 2019-06-17 16:08:52 +02:00
rc5 Change RC5_32_set_key to return an int type 2019-07-01 10:18:37 +01:00
ripemd Move rmd160_asm_src file information to build.info files 2019-06-17 16:08:52 +02:00
rsa Ensure RSA PSS correctly returns the right default digest 2019-08-09 13:19:16 +01:00
seed
sha Directly return from final sha3/keccak_final if no bytes are requested 2019-08-18 21:06:03 +02:00
siphash Move SipHash to providers 2019-08-15 22:12:25 +02:00
sm2 Support parsing of SM2 ID in hexdecimal 2019-08-22 10:29:28 +08:00
sm3 Move digests to providers 2019-06-04 12:09:50 +10:00
sm4
srp
stack Make core code available within the FIPS module 2019-05-23 11:02:04 +01:00
store Replace FUNCerr with ERR_raise_data 2019-08-02 11:41:54 +02:00
ts Regenerate mkerr files 2019-07-16 05:26:28 +02:00
txt_db
ui Remove tab characters from C source files. 2019-07-16 20:24:10 +10:00
whrlpool Fix warning C4164 in MSVC. 2019-07-31 17:25:33 +01:00
x509 Fix error handling in X509_chain_up_ref 2019-08-17 16:49:46 +02:00
alphacpuid.pl
arm64cpuid.pl
arm_arch.h
armcap.c
armv4cpuid.pl
asn1_dsa.c remove end of line whitespace 2019-07-12 06:27:19 +10:00
bsearch.c ossl_bsearch(): New generic internal binary search utility function 2019-05-08 16:17:16 +02:00
build.info Move KMAC to providers 2019-08-15 22:12:25 +02:00
c64xpluscpuid.pl
context.c Tell the FIPS provider about thread stop events 2019-06-17 16:19:44 +01:00
core_algorithm.c Add internal function ossl_algorithm_do_all() 2019-07-23 06:34:09 +02:00
core_fetch.c Modify ossl_method_store_add() to accept an OSSL_PROVIDER and check for it 2019-08-22 01:50:30 +02:00
core_namemap.c OSSL_NAMEMAP: make names case insensitive 2019-06-24 10:58:13 +02:00
cpt_err.c Add OPENSSL_hexstr2buf_ex() and OPENSSL_buf2hexstr_ex() 2019-08-12 12:50:41 +02:00
cryptlib.c Remove tab characters from C source files. 2019-07-16 20:24:10 +10:00
ctype.c Add missing EBCDIC strings 2019-08-14 10:41:41 +01:00
cversion.c Add the possibility to display and use MODULESDIR 2019-04-23 15:50:35 +02:00
dllmain.c
ebcdic.c
ex_data.c Access data after obtaining the lock not before. 2019-08-12 21:37:55 +10:00
getenv.c
ia64cpuid.S
info.c Add a way for the application to get OpenSSL configuration data 2019-04-23 15:51:39 +02:00
init.c prevent endless recursion when trace API is used within OPENSSL_init_crypto() 2019-08-20 11:16:41 +08:00
initthread.c Fix init_get_thread_local() 2019-07-18 06:20:55 +02:00
LPdir_nyi.c
LPdir_unix.c
LPdir_vms.c
LPdir_win32.c
LPdir_win.c
LPdir_wince.c
mem_clr.c
mem_dbg.c Fix deprecation inconsisteny w.r.t. CRYPTO_mem_debug_{push,pop}() 2019-08-04 13:15:30 +02:00
mem_sec.c Use vxRandLib for VxWorks7 2019-05-02 23:32:44 +02:00
mem.c Create a FIPS provider and put SHA256 in it 2019-04-04 23:09:47 +01:00
mips_arch.h
o_dir.c
o_fips.c
o_fopen.c
o_init.c
o_str.c Add OPENSSL_hexstr2buf_ex() and OPENSSL_buf2hexstr_ex() 2019-08-12 12:50:41 +02:00
o_time.c
packet.c Give WPACKET the ability to have a NULL buffer underneath it 2019-07-12 06:26:46 +10:00
param_build.c Fix ossl_param_bld_push_{utf8,octet}_string() / param_bld_convert() 2019-08-21 11:18:58 +02:00
params_from_text.c OSSL_PARAM_construct_from_text(): handle non-hex octet string input 2019-08-15 22:12:25 +02:00
params.c Fix windows compile errors in params.c 2019-08-12 14:07:41 +10:00
pariscid.pl
ppc_arch.h
ppccap.c Make the EC code available from inside the FIPS provider 2019-08-06 11:19:07 +01:00
ppccpuid.pl
provider_conf.c Load the config file by default 2019-08-01 09:59:20 +01:00
provider_core.c Add fips provider code for handling self test data 2019-08-19 09:18:33 +10:00
provider_local.h
provider_predefined.c Make core code available within the FIPS module 2019-05-23 11:02:04 +01:00
provider.c Rename provider and core get_param_types functions 2019-08-15 11:58:25 +02:00
README.sparse_array Fix Typos 2019-07-02 14:22:29 +02:00
s390x_arch.h Remove tab characters from C source files. 2019-07-16 20:24:10 +10:00
s390xcap.c s390x assembly pack: use getauxval to detect hw capabilities 2019-07-26 22:31:48 +02:00
s390xcpuid.pl s390xcpuid.pl: fix comment 2019-08-15 16:27:38 +02:00
sparc_arch.h
sparccpuid.S
sparcv9cap.c Ensure we get all the right defines for AES assembler in FIPS module 2019-06-03 12:56:53 +01:00
sparse_array.c Fix Typos 2019-07-02 14:22:29 +02:00
threads_none.c
threads_pthread.c use native atomic increment function on Solaris 2019-08-09 13:16:41 +01:00
threads_win.c
trace.c prevent endless recursion when trace API is used within OPENSSL_init_crypto() 2019-08-20 11:16:41 +08:00
uid.c Remove NextStep support 2019-07-01 13:32:46 -04:00
vms_rms.h
x86_64cpuid.pl
x86cpuid.pl

The sparse_array.c file contains an implementation of a sparse array that
attempts to be both space and time efficient.

The sparse array is represented using a tree structure.  Each node in the
tree contains a block of pointers to either the user supplied leaf values or
to another node.

There are a number of parameters used to define the block size:

    OPENSSL_SA_BLOCK_BITS   Specifies the number of bits covered by each block
    SA_BLOCK_MAX            Specifies the number of pointers in each block
    SA_BLOCK_MASK           Specifies a bit mask to perform modulo block size
    SA_BLOCK_MAX_LEVELS     Indicates the maximum possible height of the tree

These constants are inter-related:
    SA_BLOCK_MAX        = 2 ^ OPENSSL_SA_BLOCK_BITS
    SA_BLOCK_MASK       = SA_BLOCK_MAX - 1
    SA_BLOCK_MAX_LEVELS = number of bits in size_t divided by
                          OPENSSL_SA_BLOCK_BITS rounded up to the next multiple
                          of OPENSSL_SA_BLOCK_BITS

OPENSSL_SA_BLOCK_BITS can be defined at compile time and this overrides the
built in setting.

As a space and performance optimisation, the height of the tree is usually
less than the maximum possible height.  Only sufficient height is allocated to
accommodate the largest index added to the data structure.

The largest index used to add a value to the array determines the tree height:

        +----------------------+---------------------+
        | Largest Added Index  |   Height of Tree    |
        +----------------------+---------------------+
        | SA_BLOCK_MAX     - 1 |          1          |
        | SA_BLOCK_MAX ^ 2 - 1 |          2          |
        | SA_BLOCK_MAX ^ 3 - 1 |          3          |
        | ...                  |          ...        |
        | size_t max           | SA_BLOCK_MAX_LEVELS |
        +----------------------+---------------------+

The tree height is dynamically increased as needed based on additions.

An empty tree is represented by a NULL root pointer.  Inserting a value at
index 0 results in the allocation of a top level node full of null pointers
except for the single pointer to the user's data (N = SA_BLOCK_MAX for
brevity):

        +----+
        |Root|
        |Node|
        +-+--+
          |
          |
          |
          v
        +-+-+---+---+---+---+
        | 0 | 1 | 2 |...|N-1|
        |   |nil|nil|...|nil|
        +-+-+---+---+---+---+
          |
          |
          |
          v
        +-+--+
        |User|
        |Data|
        +----+
    Index 0


Inserting at element 2N+1 creates a new root node and pushes down the old root
node.  It then creates a second second level node to hold the pointer to the
user's new data:

        +----+
        |Root|
        |Node|
        +-+--+
          |
          |
          |
          v
        +-+-+---+---+---+---+
        | 0 | 1 | 2 |...|N-1|
        |   |nil|   |...|nil|
        +-+-+---+-+-+---+---+
          |       |
          |       +------------------+
          |                          |
          v                          v
        +-+-+---+---+---+---+      +-+-+---+---+---+---+
        | 0 | 1 | 2 |...|N-1|      | 0 | 1 | 2 |...|N-1|
        |nil|   |nil|...|nil|      |nil|   |nil|...|nil|
        +-+-+---+---+---+---+      +---+-+-+---+---+---+
          |                              |
          |                              |
          |                              |
          v                              v
        +-+--+                         +-+--+
        |User|                         |User|
        |Data|                         |Data|
        +----+                         +----+
    Index 0                       Index 2N+1


The nodes themselves are allocated in a sparse manner.  Only nodes which exist
along a path from the root of the tree to an added leaf will be allocated.
The complexity is hidden and nodes are allocated on an as needed basis.
Because the data is expected to be sparse this doesn't result in a large waste
of space.

Values can be removed from the sparse array by setting their index position to
NULL.  The data structure does not attempt to reclaim nodes or reduce the
height of the tree on removal.  For example, now setting index 0 to NULL would
result in:

        +----+
        |Root|
        |Node|
        +-+--+
          |
          |
          |
          v
        +-+-+---+---+---+---+
        | 0 | 1 | 2 |...|N-1|
        |   |nil|   |...|nil|
        +-+-+---+-+-+---+---+
          |       |
          |       +------------------+
          |                          |
          v                          v
        +-+-+---+---+---+---+      +-+-+---+---+---+---+
        | 0 | 1 | 2 |...|N-1|      | 0 | 1 | 2 |...|N-1|
        |nil|nil|nil|...|nil|      |nil|   |nil|...|nil|
        +---+---+---+---+---+      +---+-+-+---+---+---+
                                         |
                                         |
                                         |
                                         v
                                       +-+--+
                                       |User|
                                       |Data|
                                       +----+
                                  Index 2N+1


Accesses to elements in the sparse array take O(log n) time where n is the
largest element.  The base of the logarithm is SA_BLOCK_MAX, so for moderately
small indices (e.g. NIDs), single level (constant time) access is achievable.
Space usage is O(minimum(m, n log(n)) where m is the number of elements in the
array.

Note: sparse arrays only include pointers to types.  Thus, SPARSE_ARRAY_OF(char)
can be used to store a string.