Date: Sat, 29 Jun 2024 20:29:28 GMT
Message-Id: <202406292029.45TKTSoB034215@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Enji Cooper
Subject: git: 13a031f0d73d - stable/14 - Update to OpenSSL 3.0.14
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ngie
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 13a031f0d73dd39bcf89c152168f9c1d454f2d2a
Auto-Submitted: auto-generated

The branch stable/14 has been updated by ngie:

URL: https://cgit.FreeBSD.org/src/commit/?id=13a031f0d73dd39bcf89c152168f9c1d454f2d2a

commit 13a031f0d73dd39bcf89c152168f9c1d454f2d2a
Author:     Enji Cooper
AuthorDate: 2024-06-26 23:50:13 +0000
Commit:     Enji Cooper
CommitDate: 2024-06-29 20:29:18 +0000

    Update to OpenSSL 3.0.14

    This release resolves 3 upstream-found CVEs:

    - Fixed potential use after free after SSL_free_buffers() is called
      (CVE-2024-4741)
    - Fixed an issue where checking excessively long DSA keys or parameters
      may be very slow (CVE-2024-4603)
    - Fixed unbounded memory growth with session handling in TLSv1.3
      (CVE-2024-2511)

    MFC after:      3 days

    Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c'

    (cherry picked from commit 44096ebd22ddd0081a357011714eff8963614b65)
---
 crypto/openssl/CHANGES.md | 69 ++++ crypto/openssl/CONTRIBUTING.md | 6 +- crypto/openssl/Configurations/10-main.conf | 9 +- crypto/openssl/Configurations/15-ios.conf | 6 +- crypto/openssl/Configurations/unix-Makefile.tmpl | 14 +- crypto/openssl/Configure | 3 +- crypto/openssl/INSTALL.md | 9 +- crypto/openssl/NEWS.md | 15 + crypto/openssl/NOTES-NONSTOP.md | 5 +- crypto/openssl/VERSION.dat | 4 +- crypto/openssl/apps/lib/s_cb.c | 8 +- crypto/openssl/apps/list.c | 3 +- crypto/openssl/apps/ocsp.c | 4 +- crypto/openssl/apps/pkcs12.c | 16 +- crypto/openssl/apps/req.c | 2 +- 
crypto/openssl/apps/speed.c | 6 +- crypto/openssl/apps/ts.c | 11 +- crypto/openssl/crypto/aes/build.info | 2 +- crypto/openssl/crypto/bio/bio_lib.c | 10 +- crypto/openssl/crypto/bio/bio_sock.c | 6 +- crypto/openssl/crypto/bn/bn_lib.c | 53 ++- crypto/openssl/crypto/bn/bn_rand.c | 166 ++++++-- crypto/openssl/crypto/bn/bn_shift.c | 8 +- crypto/openssl/crypto/dsa/dsa_check.c | 46 ++- crypto/openssl/crypto/dsa/dsa_ossl.c | 11 +- crypto/openssl/crypto/dsa/dsa_sign.c | 9 +- crypto/openssl/crypto/ec/build.info | 2 +- .../openssl/crypto/ec/curve448/arch_64/f_impl64.c | 8 +- crypto/openssl/crypto/ec/ecdsa_ossl.c | 15 +- crypto/openssl/crypto/encode_decode/encoder_lib.c | 7 +- crypto/openssl/crypto/engine/eng_pkey.c | 44 +-- crypto/openssl/crypto/err/openssl.ec | 4 +- crypto/openssl/crypto/ess/ess_lib.c | 4 +- crypto/openssl/crypto/evp/keymgmt_lib.c | 9 +- crypto/openssl/crypto/evp/p_lib.c | 12 +- crypto/openssl/crypto/evp/pmeth_lib.c | 69 +++- crypto/openssl/crypto/evp/signature.c | 33 +- crypto/openssl/crypto/init.c | 14 +- crypto/openssl/crypto/o_str.c | 4 +- crypto/openssl/crypto/property/property_parse.c | 3 +- crypto/openssl/crypto/provider_core.c | 11 +- crypto/openssl/crypto/sha/build.info | 2 +- crypto/openssl/crypto/sm2/sm2_crypt.c | 37 +- crypto/openssl/crypto/sm2/sm2_sign.c | 18 +- crypto/openssl/crypto/x509/v3_addr.c | 4 +- crypto/openssl/demos/digest/EVP_MD_demo.c | 4 +- crypto/openssl/demos/digest/EVP_MD_stdin.c | 4 +- crypto/openssl/doc/fingerprints.txt | 3 + crypto/openssl/doc/internal/man3/OPTIONS.pod | 4 +- .../doc/internal/man3/ossl_method_construct.pod | 4 +- .../doc/internal/man3/ossl_provider_new.pod | 4 +- .../internal/man3/ossl_random_add_conf_module.pod | 4 +- crypto/openssl/doc/internal/man7/EVP_PKEY.pod | 4 +- crypto/openssl/doc/man1/openssl-crl.pod.in | 5 +- crypto/openssl/doc/man1/openssl-mac.pod.in | 17 +- crypto/openssl/doc/man1/openssl-req.pod.in | 33 +- crypto/openssl/doc/man1/openssl-smime.pod.in | 18 +- 
crypto/openssl/doc/man1/openssl-storeutl.pod.in | 5 +- crypto/openssl/doc/man1/openssl-ts.pod.in | 8 +- crypto/openssl/doc/man3/DEFINE_STACK_OF.pod | 6 +- crypto/openssl/doc/man3/EVP_DigestInit.pod | 4 +- crypto/openssl/doc/man3/EVP_KDF.pod | 4 +- .../openssl/doc/man3/EVP_PKEY_CTX_set_params.pod | 6 +- crypto/openssl/doc/man3/EVP_PKEY_check.pod | 7 +- crypto/openssl/doc/man3/SSL_CIPHER_get_name.pod | 4 +- crypto/openssl/doc/man3/SSL_CTX_set_cert_store.pod | 6 +- crypto/openssl/doc/man3/SSL_CTX_set_verify.pod | 5 +- .../openssl/doc/man3/SSL_CTX_use_certificate.pod | 5 +- .../openssl/doc/man3/SSL_load_client_CA_file.pod | 20 +- crypto/openssl/doc/man7/EVP_PKEY-SM2.pod | 5 +- crypto/openssl/doc/man7/migration_guide.pod | 28 +- crypto/openssl/e_os.h | 20 +- crypto/openssl/engines/e_afalg.c | 6 +- crypto/openssl/engines/e_dasync.c | 4 +- crypto/openssl/fuzz/asn1.c | 16 +- crypto/openssl/include/crypto/bn.h | 10 +- crypto/openssl/include/internal/constant_time.h | 25 +- crypto/openssl/include/openssl/sslerr.h | 4 +- crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy | 23 ++ crypto/openssl/providers/fips-sources.checksums | 272 ++++++------- crypto/openssl/providers/fips.checksum | 2 +- crypto/openssl/providers/fips/fipsprov.c | 4 +- .../providers/implementations/exchange/kdf_exch.c | 44 ++- .../implementations/include/prov/ciphercommon.h | 15 +- .../openssl/providers/implementations/kdfs/hkdf.c | 10 +- .../openssl/providers/implementations/rands/drbg.c | 5 +- .../providers/implementations/rands/drbg_ctr.c | 7 +- .../providers/implementations/rands/drbg_hash.c | 5 +- .../providers/implementations/rands/drbg_hmac.c | 5 +- .../providers/implementations/rands/drbg_local.h | 3 +- crypto/openssl/ssl/record/rec_layer_s3.c | 15 + crypto/openssl/ssl/record/record.h | 3 +- crypto/openssl/ssl/record/ssl3_buffer.c | 4 +- crypto/openssl/ssl/ssl_err.c | 6 +- crypto/openssl/ssl/ssl_lib.c | 10 +- crypto/openssl/ssl/ssl_sess.c | 36 +- crypto/openssl/ssl/statem/statem_srvr.c | 9 +- 
crypto/openssl/ssl/t1_lib.c | 5 +- crypto/openssl/test/bad_dtls_test.c | 4 +- crypto/openssl/test/build.info | 1 + crypto/openssl/test/cmp_hdr_test.c | 51 ++- crypto/openssl/test/ct_test.c | 11 +- crypto/openssl/test/dsatest.c | 10 +- crypto/openssl/test/ecdsatest.c | 30 +- crypto/openssl/test/ecstresstest.c | 4 +- crypto/openssl/test/evp_extra_test.c | 48 ++- crypto/openssl/test/evp_pkey_provided_test.c | 63 ++- crypto/openssl/test/evp_test.c | 15 +- crypto/openssl/test/helpers/ssltestlib.c | 35 +- crypto/openssl/test/helpers/ssltestlib.h | 3 +- crypto/openssl/test/keymgmt_internal_test.c | 10 +- crypto/openssl/test/pathed.cnf | 22 ++ crypto/openssl/test/pkey_meth_kdf_test.c | 55 ++- crypto/openssl/test/prov_config_test.c | 56 ++- .../invalid/p10240_q256_too_big.pem | 57 +++ crypto/openssl/test/recipes/25-test_req.t | 3 +- crypto/openssl/test/recipes/30-test_prov_config.t | 8 +- crypto/openssl/test/recipes/80-test_pkcs12.t | 14 +- crypto/openssl/test/recipes/90-test_shlibload.t | 3 +- crypto/openssl/test/sm2_internal_test.c | 37 +- crypto/openssl/test/ssl-tests/14-curves.cnf.in | 7 +- crypto/openssl/test/ssl-tests/20-cert-select.cnf | 216 +++++------ .../openssl/test/ssl-tests/20-cert-select.cnf.in | 70 ++-- crypto/openssl/test/ssl-tests/28-seclevel.cnf.in | 8 +- crypto/openssl/test/sslapitest.c | 426 ++++++++++++++++++--- crypto/openssl/test/sslbuffertest.c | 176 ++++++++- crypto/openssl/test/test.cnf | 6 + crypto/openssl/test/tls-provider.c | 13 +- crypto/openssl/test/v3ext.c | 17 +- 129 files changed, 2301 insertions(+), 764 deletions(-) diff --git a/crypto/openssl/CHANGES.md b/crypto/openssl/CHANGES.md index bd876eb89dd4..19e0fd6e25a5 100644 --- a/crypto/openssl/CHANGES.md +++ b/crypto/openssl/CHANGES.md 
@@ -28,6 +28,72 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod +### Changes between 3.0.13 and 3.0.14 [4 Jun 2024] + + * Fixed potential use after free after SSL_free_buffers() is called. + + The SSL_free_buffers function is used to free the internal OpenSSL + buffer used when processing an incoming record from the network. + The call is only expected to succeed if the buffer is not currently + in use. However, two scenarios have been identified where the buffer + is freed even when still in use. + + The first scenario occurs where a record header has been received + from the network and processed by OpenSSL, but the full record body + has not yet arrived. In this case calling SSL_free_buffers will succeed + even though a record has only been partially processed and the buffer + is still in use. + + The second scenario occurs where a full record containing application + data has been received and processed by OpenSSL but the application has + only read part of this data. Again a call to SSL_free_buffers will + succeed even though the buffer is still in use. + + ([CVE-2024-4741]) + + *Matt Caswell* + + * Fixed an issue where checking excessively long DSA keys or parameters may + be very slow. + + Applications that use the functions EVP_PKEY_param_check() or + EVP_PKEY_public_check() to check a DSA public key or DSA parameters may + experience long delays. Where the key or parameters that are being checked + have been obtained from an untrusted source this may lead to a Denial of + Service. + + To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS + will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error + reason. + + ([CVE-2024-4603]) + + *Tomáš Mráz* + + * Fixed an issue where some non-default TLS server configurations can cause + unbounded memory growth when processing TLSv1.3 sessions. 
An attacker may + exploit certain server configurations to trigger unbounded memory growth that + would lead to a Denial of Service + + This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option + is being used (but not if early_data is also configured and the default + anti-replay protection is in use). In this case, under certain conditions, + the session cache can get into an incorrect state and it will fail to flush + properly as it fills. The session cache will continue to grow in an unbounded + manner. A malicious client could deliberately create the scenario for this + failure to force a Denial of Service. It may also happen by accident in + normal operation. + + ([CVE-2024-2511]) + + *Matt Caswell* + + * New atexit configuration switch, which controls whether the OPENSSL_cleanup + is registered when libcrypto is unloaded. This can be used on platforms + where using atexit() from shared libraries causes crashes on exit. + + *Randall S. Becker* + ### Changes between 3.0.12 and 3.0.13 [30 Jan 2024] * A file in PKCS12 format can contain certificates and keys and may come from @@ -19824,6 +19890,9 @@ ndif +[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 +[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 +[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 diff --git a/crypto/openssl/CONTRIBUTING.md b/crypto/openssl/CONTRIBUTING.md index 15490fd9f620..fec6616e21fe 100644 --- a/crypto/openssl/CONTRIBUTING.md +++ b/crypto/openssl/CONTRIBUTING.md 
@@ -9,7 +9,7 @@ Development is done on GitHub in the [openssl/openssl] repository. [openssl/openssl]: -To request new a feature, ask a question, or report a bug, +To request a new feature, ask a question, or report a bug, please open an [issue on GitHub](https://github.com/openssl/openssl/issues). To submit a patch or implement a new feature, please open a @@ -67,7 +67,8 @@ guidelines: often. We do not accept merge commits, you will have to remove them (usually by rebasing) before it will be acceptable. - 4. Code provided should follow our [coding style] and compile without warnings. + 4. Code provided should follow our [coding style] and [documentation policy] + and compile without warnings. There is a [Perl tool](util/check-format.pl) that helps finding code formatting mistakes and other coding style nits. Where `gcc` or `clang` is available, you should use the @@ -77,6 +78,7 @@ guidelines: whenever a PR is created or updated by committers. [coding style]: https://www.openssl.org/policies/technical/coding-style.html + [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html 5. When at all possible, code contributions should include tests. These can either be added to an existing test, or completely new. Please see diff --git a/crypto/openssl/Configurations/10-main.conf b/crypto/openssl/Configurations/10-main.conf index ff8af7146318..1155d9859c56 100644 --- a/crypto/openssl/Configurations/10-main.conf +++ b/crypto/openssl/Configurations/10-main.conf @@ -784,7 +784,14 @@ my %targets = ( asm_arch => 'aarch64', perlasm_scheme => "linux64", }, - + "linux-arm64ilp32-clang" => { # clang config abi by --target + inherit_from => [ "linux-generic32" ], + CC => "clang", + CXX => "clang++", + bn_ops => "SIXTY_FOUR_BIT RC4_CHAR", + asm_arch => 'aarch64', + perlasm_scheme => "linux64", + }, "linux-mips32" => { # Configure script adds minimally required -march for assembly # support, if no -march was specified at command line. 
diff --git a/crypto/openssl/Configurations/15-ios.conf b/crypto/openssl/Configurations/15-ios.conf index 54d37f63f445..81e3d68bc7f0 100644 --- a/crypto/openssl/Configurations/15-ios.conf +++ b/crypto/openssl/Configurations/15-ios.conf @@ -49,16 +49,16 @@ my %targets = ( # "iphoneos-cross" => { inherit_from => [ "ios-common" ], - cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"), + cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\" -fno-common"), }, "ios-cross" => { inherit_from => [ "ios-xcrun" ], CC => "cc", - cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"), + cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""), }, "ios64-cross" => { inherit_from => [ "ios64-xcrun" ], CC => "cc", - cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"), + cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""), }, ); diff --git a/crypto/openssl/Configurations/unix-Makefile.tmpl b/crypto/openssl/Configurations/unix-Makefile.tmpl index 3754595d38b5..644540397de5 100644 --- a/crypto/openssl/Configurations/unix-Makefile.tmpl +++ b/crypto/openssl/Configurations/unix-Makefile.tmpl @@ -21,7 +21,7 @@ sub dependmagic { my $target = shift; - return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target"; + return "$target: build_generated\n\t\"\$(MAKE)\" depend && \"\$(MAKE)\" _$target\n_$target"; } our $COLUMNS = $ENV{COLUMNS}; @@ -527,7 +527,7 @@ all: build_sw build_docs test: tests {- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils - $(MAKE) run_tests + "$(MAKE)" run_tests run_tests: FORCE @ : {- output_off() if $disabled{tests}; "" -} ( SRCTOP=$(SRCDIR) \ 
@@ -542,7 +542,7 @@ run_tests: FORCE list-tests: @ : {- output_off() if $disabled{tests}; "" -} - $(MAKE) run_tests TESTS=list + "$(MAKE)" run_tests TESTS=list @ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} @echo "Tests are not supported with your chosen Configure options" @ : {- output_on() if !$disabled{tests}; "" -} @@ -1193,12 +1193,12 @@ providers/fips.module.sources.new: configdata.pm cd sources-tmp \ && $$srcdir/Configure --banner=Configured enable-fips -O0 \ && ./configdata.pm --query 'get_sources("providers/fips")' > sources1 \ - && $(MAKE) -sj 4 build_generated providers/fips.so \ + && "$(MAKE)" -sj 4 build_generated providers/fips.so \ && find . -name '*.d' | xargs cat > dep1 \ - && $(MAKE) distclean \ + && "$(MAKE)" distclean \ && $$srcdir/Configure --banner=Configured enable-fips no-asm -O0 \ && ./configdata.pm --query 'get_sources("providers/fips")' > sources2 \ - && $(MAKE) -sj 4 build_generated providers/fips.so \ + && "$(MAKE)" -sj 4 build_generated providers/fips.so \ && find . -name '*.d' | xargs cat > dep2 \ && cat sources1 sources2 \ | grep -v ' : \\$$' | grep -v util/providers.num \ @@ -1332,7 +1332,7 @@ ordinals: build_generated $(SSLHEADERS) test_ordinals: - $(MAKE) run_tests TESTS=test_ordinals + "$(MAKE)" run_tests TESTS=test_ordinals tags TAGS: FORCE rm -f TAGS tags diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 84cc4094644a..40c03ad0af32 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -1,6 +1,6 @@ #! /usr/bin/env perl # -*- mode: perl; -*- -# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -405,6 +405,7 @@ my @disablables = ( "asan", "asm", "async", + "atexit", "autoalginit", "autoerrinit", "autoload-config", 
diff --git a/crypto/openssl/INSTALL.md b/crypto/openssl/INSTALL.md index fef408e9d1e3..c0dae491c94d 100644 --- a/crypto/openssl/INSTALL.md +++ b/crypto/openssl/INSTALL.md @@ -480,7 +480,7 @@ Setting the FIPS HMAC key As part of its self-test validation, the FIPS module must verify itself by performing a SHA-256 HMAC computation on itself. The default key is -the SHA256 value of "the holy handgrenade of antioch" and is sufficient +the SHA256 value of "holy hand grenade of antioch" and is sufficient for meeting the FIPS requirements. To change the key to a different value, use this flag. The value should @@ -546,6 +546,13 @@ be used even with this option. Do not build support for async operations. +### no-atexit + +Do not use `atexit()` in libcrypto builds. + +`atexit()` has varied semantics between platforms and can cause SIGSEGV in some +circumstances. This option disables the atexit registration of OPENSSL_cleanup. + ### no-autoalginit Don't automatically load all supported ciphers and digests. diff --git a/crypto/openssl/NEWS.md b/crypto/openssl/NEWS.md index d9a48b157eb1..fb231bcd8459 100644 --- a/crypto/openssl/NEWS.md +++ b/crypto/openssl/NEWS.md @@ -18,6 +18,18 @@ OpenSSL Releases OpenSSL 3.0 ----------- +### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024] + + * Fixed potential use after free after SSL_free_buffers() is called + ([CVE-2024-4741]) + + * Fixed an issue where checking excessively long DSA keys or parameters may + be very slow + ([CVE-2024-4603]) + + * Fixed unbounded memory growth with session handling in TLSv1.3 + ([CVE-2024-2511]) + ### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024] * Fixed PKCS12 Decoding crashes 
@@ -1470,6 +1482,9 @@ OpenSSL 0.9.x +[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 +[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 +[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 diff --git a/crypto/openssl/NOTES-NONSTOP.md b/crypto/openssl/NOTES-NONSTOP.md index 68438b998884..ab13de7d3a76 100644 --- a/crypto/openssl/NOTES-NONSTOP.md +++ b/crypto/openssl/NOTES-NONSTOP.md @@ -56,7 +56,10 @@ relating to `atexit()` processing when a shared library is unloaded and when the program terminates. This limitation applies to all OpenSSL shared library components. -A resolution to this situation is under investigation. +It is possible to configure the build with `no-atexit` to avoid the SIGSEGV. +Preferably, you can explicitly call `OPENSSL_cleanup()` from your application. +It is not mandatory as it just deallocates various global data structures +OpenSSL allocated. About Prefix and OpenSSLDir --------------------------- diff --git a/crypto/openssl/VERSION.dat b/crypto/openssl/VERSION.dat index 3ee1a6f829f4..5de9bf3d01ba 100644 --- a/crypto/openssl/VERSION.dat +++ b/crypto/openssl/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 -PATCH=13 +PATCH=14 PRE_RELEASE_TAG= BUILD_METADATA= -RELEASE_DATE="30 Jan 2024" +RELEASE_DATE="4 Jun 2024" SHLIB_VERSION=3 diff --git a/crypto/openssl/apps/lib/s_cb.c b/crypto/openssl/apps/lib/s_cb.c index f2ddd94c3de4..7881c1667626 100644 --- a/crypto/openssl/apps/lib/s_cb.c +++ b/crypto/openssl/apps/lib/s_cb.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1318,7 +1318,8 @@ int ssl_load_stores(SSL_CTX *ctx, if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore)) goto err; add_crls_store(vfy, crls); - SSL_CTX_set1_verify_cert_store(ctx, vfy); + if (SSL_CTX_set1_verify_cert_store(ctx, vfy) == 0) + goto err; if (crl_download) store_setup_crl_download(vfy); } @@ -1332,7 +1333,8 @@ int ssl_load_stores(SSL_CTX *ctx, goto err; if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore)) goto err; - SSL_CTX_set1_chain_cert_store(ctx, ch); + if (SSL_CTX_set1_chain_cert_store(ctx, ch) == 0) + goto err; } rv = 1; err: diff --git a/crypto/openssl/apps/list.c b/crypto/openssl/apps/list.c index 0fcbcbb083cb..7d3136a8a161 100644 --- a/crypto/openssl/apps/list.c +++ b/crypto/openssl/apps/list.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1230,6 +1230,7 @@ static void list_provider_info(void) } if (OSSL_PROVIDER_do_all(NULL, &collect_providers, providers) != 1) { + sk_OSSL_PROVIDER_free(providers); BIO_printf(bio_err, "ERROR: Memory allocation\n"); return; } diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c index 821e224c6ce4..fb3105da5526 100644 --- a/crypto/openssl/apps/ocsp.c +++ b/crypto/openssl/apps/ocsp.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,7 +11,7 @@ #ifdef OPENSSL_SYS_VMS /* So fd_set and friends get properly defined on OpenVMS */ -# define _XOPEN_SOURCE_EXTENDED +# define _XOPEN_SOURCE_EXTENDED 1 #endif #include diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c index b442d358f8b7..ab78903ee9cd 100644 --- a/crypto/openssl/apps/pkcs12.c +++ b/crypto/openssl/apps/pkcs12.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -712,9 +712,6 @@ int pkcs12_main(int argc, char **argv) in = bio_open_default(infile, 'r', FORMAT_PKCS12); if (in == NULL) goto end; - out = bio_open_owner(outfile, FORMAT_PEM, private); - if (out == NULL) - goto end; p12 = PKCS12_init_ex(NID_pkcs7_data, app_get0_libctx(), app_get0_propq()); if (p12 == NULL) { @@ -814,6 +811,11 @@ int pkcs12_main(int argc, char **argv) dump: assert(private); + + out = bio_open_owner(outfile, FORMAT_PEM, private); + if (out == NULL) + goto end; + if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout, enc)) { BIO_printf(bio_err, "Error outputting keys and certificates\n"); ERR_print_errors(bio_err); 
@@ -855,7 +857,11 @@ int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass, } else if (bagnid == NID_pkcs7_encrypted) { if (options & INFO) { BIO_printf(bio_err, "PKCS7 Encrypted data: "); - alg_print(p7->d.encrypted->enc_data->algorithm); + if (p7->d.encrypted == NULL) { + BIO_printf(bio_err, "\n"); + } else { + alg_print(p7->d.encrypted->enc_data->algorithm); + } } bags = PKCS12_unpack_p7encdata(p7, pass, passlen); } else { diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c index c7d4c7822cda..2fc53d4bfcfa 100644 --- a/crypto/openssl/apps/req.c +++ b/crypto/openssl/apps/req.c @@ -569,7 +569,7 @@ int req_main(int argc, char **argv) X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); - X509V3_set_nconf(&ctx, addext_conf); + X509V3_set_nconf(&ctx, req_conf); if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) { BIO_printf(bio_err, "Error checking extensions defined using -addext\n"); goto end; diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c index 1113d775b8ab..d8e2c70e6128 100644 --- a/crypto/openssl/apps/speed.c +++ b/crypto/openssl/apps/speed.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -727,8 +727,12 @@ static int EVP_Update_loop(void *args) unsigned char *buf = tempargs->buf; EVP_CIPHER_CTX *ctx = tempargs->ctx; int outl, count, rc; + unsigned char faketag[16] = { 0xcc }; if (decrypt) { + if (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) { + (void)EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(faketag), faketag); + } for (count = 0; COND(c[D_EVP][testnum]); count++) { rc = EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); if (rc != 1) { 
diff --git a/crypto/openssl/apps/ts.c b/crypto/openssl/apps/ts.c index 57292e187cd2..01b73f380428 100644 --- a/crypto/openssl/apps/ts.c +++ b/crypto/openssl/apps/ts.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -535,15 +535,18 @@ static int create_digest(BIO *input, const char *digest, const EVP_MD *md, *md_value = OPENSSL_hexstr2buf(digest, &digest_len); if (*md_value == NULL || md_value_len != digest_len) { - OPENSSL_free(*md_value); - *md_value = NULL; BIO_printf(bio_err, "bad digest, %d bytes " "must be specified\n", md_value_len); - return 0; + goto err; } } rv = md_value_len; err: + if (rv <= 0) { + OPENSSL_free(*md_value); + *md_value = NULL; + rv = 0; + } EVP_MD_CTX_free(md_ctx); return rv; } diff --git a/crypto/openssl/crypto/aes/build.info b/crypto/openssl/crypto/aes/build.info index b250903fa6e2..271015e35e1b 100644 --- a/crypto/openssl/crypto/aes/build.info +++ b/crypto/openssl/crypto/aes/build.info @@ -76,7 +76,7 @@ DEFINE[../../providers/libdefault.a]=$AESDEF # already gets everything that the static libcrypto.a has, and doesn't need it # added again. IF[{- !$disabled{module} && !$disabled{shared} -}] - DEFINE[../providers/liblegacy.a]=$AESDEF + DEFINE[../../providers/liblegacy.a]=$AESDEF ENDIF GENERATE[aes-ia64.s]=asm/aes-ia64.S diff --git a/crypto/openssl/crypto/bio/bio_lib.c b/crypto/openssl/crypto/bio/bio_lib.c index c86b9ac198ca..245a75afa1b8 100644 --- a/crypto/openssl/crypto/bio/bio_lib.c +++ b/crypto/openssl/crypto/bio/bio_lib.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -869,8 +869,12 @@ static int bio_wait(BIO *bio, time_t max_time, unsigned int nap_milliseconds) return 1; #ifndef OPENSSL_NO_SOCK - if (BIO_get_fd(bio, &fd) > 0 && fd < FD_SETSIZE) - return BIO_socket_wait(fd, BIO_should_read(bio), max_time); + if (BIO_get_fd(bio, &fd) > 0) { + int ret = BIO_socket_wait(fd, BIO_should_read(bio), max_time); + + if (ret != -1) + return ret; + } #endif /* fall back to polling since no sockets are available */ diff --git a/crypto/openssl/crypto/bio/bio_sock.c b/crypto/openssl/crypto/bio/bio_sock.c index 476cbcc5cef1..12e6a68e3a25 100644 --- a/crypto/openssl/crypto/bio/bio_sock.c +++ b/crypto/openssl/crypto/bio/bio_sock.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -396,7 +396,11 @@ int BIO_socket_wait(int fd, int for_read, time_t max_time) struct timeval tv; time_t now; +#ifdef _WIN32 + if ((SOCKET)fd == INVALID_SOCKET) +#else if (fd < 0 || fd >= FD_SETSIZE) +#endif return -1; if (max_time == 0) return 1; diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c index cf1bfe8ab085..9677a603cb2d 100644 --- a/crypto/openssl/crypto/bn/bn_lib.c +++ b/crypto/openssl/crypto/bn/bn_lib.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -618,14 +618,29 @@ int BN_ucmp(const BIGNUM *a, const BIGNUM *b) int i; BN_ULONG t1, t2, *ap, *bp; + ap = a->d; + bp = b->d; + + if (BN_get_flags(a, BN_FLG_CONSTTIME) + && a->top == b->top) { + int res = 0; + + for (i = 0; i < b->top; i++) { + res = constant_time_select_int(constant_time_lt_bn(ap[i], bp[i]), + -1, res); + res = constant_time_select_int(constant_time_lt_bn(bp[i], ap[i]), + 1, res); + } + return res; + } + bn_check_top(a); bn_check_top(b); i = a->top - b->top; if (i != 0) return i; - ap = a->d; - bp = b->d; + for (i = a->top - 1; i >= 0; i--) { t1 = ap[i]; t2 = bp[i]; @@ -737,11 +752,10 @@ int BN_is_bit_set(const BIGNUM *a, int n) return (int)(((a->d[i]) >> j) & ((BN_ULONG)1)); } -int BN_mask_bits(BIGNUM *a, int n) +int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n) { int b, w; - bn_check_top(a); if (n < 0) return 0; @@ -755,10 +769,21 @@ int BN_mask_bits(BIGNUM *a, int n) a->top = w + 1; a->d[w] &= ~(BN_MASK2 << b); } - bn_correct_top(a); + a->flags |= BN_FLG_FIXED_TOP; return 1; } +int BN_mask_bits(BIGNUM *a, int n) +{ + int ret; + + bn_check_top(a); + ret = ossl_bn_mask_bits_fixed_top(a, n); + if (ret) + bn_correct_top(a); + return ret; +} + void BN_set_negative(BIGNUM *a, int b) { if (b && !BN_is_zero(a)) 
@@ -935,6 +960,22 @@ int BN_is_word(const BIGNUM *a, const BN_ULONG w) return BN_abs_is_word(a, w) && (!w || !a->neg); } +int ossl_bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w) +{ + int res, i; + const BN_ULONG *ap = a->d; + + if (a->neg || a->top == 0) + return 0; + + res = constant_time_select_int(constant_time_eq_bn(ap[0], w), 1, 0); + + for (i = 1; i < a->top; i++) + res = constant_time_select_int(constant_time_is_zero_bn(ap[i]), + res, 0); + return res; +} + int BN_is_odd(const BIGNUM *a) { return (a->top > 0) && (a->d[0] & 1); diff --git a/crypto/openssl/crypto/bn/bn_rand.c b/crypto/openssl/crypto/bn/bn_rand.c index 2ca426ff76ed..ba0970b1f87d 100644 --- a/crypto/openssl/crypto/bn/bn_rand.c +++ b/crypto/openssl/crypto/bn/bn_rand.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -186,8 +186,8 @@ static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range, } else { do { /* range = 11..._2 or range = 101..._2 */ - if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, - ctx)) + if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, + strength, ctx)) return 0; if (!--count) { 
@@ -240,17 +240,63 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) # endif #endif +int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range, + unsigned int strength, BN_CTX *ctx) +{ + int n; + int count = 100; + + if (r == NULL) { + ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + + if (range->neg || BN_is_zero(range)) { + ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE); + return 0; + } + + n = BN_num_bits(range); /* n > 0 */ + + /* BN_is_bit_set(range, n - 1) always holds */ + + if (n == 1) { + BN_zero(r); + } else { + BN_set_flags(r, BN_FLG_CONSTTIME); + do { + if (!bnrand(PRIVATE, r, n + 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY, + strength, ctx)) + return 0; + + if (!--count) { + ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); + return 0; + } + ossl_bn_mask_bits_fixed_top(r, n); + } + while (BN_ucmp(r, range) >= 0); +#ifdef BN_DEBUG + /* With BN_DEBUG on a fixed top number cannot be returned */ + bn_correct_top(r); +#endif + } + + return 1; +} + /* - * BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike - * BN_rand_range, it also includes the contents of |priv| and |message| in - * the generation so that an RNG failure isn't fatal as long as |priv| + * ossl_bn_gen_dsa_nonce_fixed_top generates a random number 0 <= out < range. + * Unlike BN_rand_range, it also includes the contents of |priv| and |message| + * in the generation so that an RNG failure isn't fatal as long as |priv| * remains secret. This is intended for use in DSA and ECDSA where an RNG * weakness leads directly to private key exposure unless this function is * used. */ -int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, - const BIGNUM *priv, const unsigned char *message, - size_t message_len, BN_CTX *ctx) +int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range, + const BIGNUM *priv, + const unsigned char *message, + size_t message_len, BN_CTX *ctx) { EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); /* 
@@ -260,20 +306,24 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, unsigned char random_bytes[64]; unsigned char digest[SHA512_DIGEST_LENGTH]; unsigned done, todo; - /* We generate |range|+8 bytes of random output. */ - const unsigned num_k_bytes = BN_num_bytes(range) + 8; + /* We generate |range|+1 bytes of random output. */ + const unsigned num_k_bytes = BN_num_bytes(range) + 1; unsigned char private_bytes[96]; unsigned char *k_bytes = NULL; + const int max_n = 64; /* Pr(failure to generate) < 2^max_n */ + int n; int ret = 0; EVP_MD *md = NULL; OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx); if (mdctx == NULL) - goto err; + goto end; k_bytes = OPENSSL_malloc(num_k_bytes); if (k_bytes == NULL) - goto err; + goto end; + /* Ensure top byte is set to avoid non-constant time in bin2bn */ + k_bytes[0] = 0xff; /* We copy |priv| into a local buffer to avoid exposing its length. */ if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { 
@@ -283,41 +333,60 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, * length of the private key. */ ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE); - goto err; + goto end; } md = EVP_MD_fetch(libctx, "SHA512", NULL); if (md == NULL) { ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST); - goto err; - } - for (done = 0; done < num_k_bytes;) { - if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 0) <= 0) - goto err; - - if (!EVP_DigestInit_ex(mdctx, md, NULL) - || !EVP_DigestUpdate(mdctx, &done, sizeof(done)) - || !EVP_DigestUpdate(mdctx, private_bytes, - sizeof(private_bytes)) - || !EVP_DigestUpdate(mdctx, message, message_len) - || !EVP_DigestUpdate(mdctx, random_bytes, sizeof(random_bytes)) - || !EVP_DigestFinal_ex(mdctx, digest, NULL)) - goto err; - - todo = num_k_bytes - done; - if (todo > SHA512_DIGEST_LENGTH) - todo = SHA512_DIGEST_LENGTH; - memcpy(k_bytes + done, digest, todo); - done += todo; + goto end; } + for (n = 0; n < max_n; n++) { + unsigned char i = 0; *** 5529 LINES SKIPPED ***
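Review bot: In the create_digest hunk of apps/ts.c, the new `goto err` in the bad-digest branch jumps over `rv = md_value_len;`, so the cleanup `if (rv <= 0)` only frees `*md_value` if `rv` was initialised to 0 (or a negative value) at its declaration, which this hunk does not show; please confirm that initialisation, because an uninitialised positive `rv` would return a "success" value while the caller still owns a buffer of the wrong length. The consolidation itself is an improvement: every `goto err` path now frees `*md_value` and nulls it, not just the length-mismatch path, and `rv = 0` normalises any negative status to the documented failure value.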
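Review bot: The crypto/aes/build.info hunk corrects `../providers/liblegacy.a` to `../../providers/liblegacy.a`, which now matches the depth of the `../../providers/libdefault.a` DEFINE shown in the hunk's context line; with the old relative path the AES defines were not applied to the legacy provider object at all, so this is a build-correctness fix rather than a cosmetic one and deserves a line in the commit message.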
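Review bot: In the bio_wait hunk of bio_lib.c, dropping the `fd < FD_SETSIZE` guard and relying on `BIO_socket_wait` returning -1 makes this hunk depend on the bio_sock.c hunk in the same patch, where that -1 is produced for out-of-range descriptors; the two must land together. Note also that any other reason `BIO_socket_wait` might return -1 (not visible here) now silently falls through to the polling path rather than surfacing as an error, so a short comment above `if (ret != -1)` stating that -1 means "could not use select on this fd, poll instead" would make the intent explicit.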
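Review bot: The BIO_socket_wait hunk in bio_sock.c replaces the `fd < 0 || fd >= FD_SETSIZE` check with `(SOCKET)fd == INVALID_SOCKET` on Windows. That is correct, since Winsock's fd_set is an array of SOCKET handles bounded by FD_SETSIZE entries rather than a bitmask indexed by descriptor number, so the numeric range test does not apply there, but the reason should be stated in a comment on the `#ifdef _WIN32` branch; otherwise a future reader will see the FD_SETSIZE check removed for one platform and assume it was an oversight.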
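Review bot: In the BN_ucmp hunk of bn_lib.c, the constant-time path is only taken when `BN_FLG_CONSTTIME` is set on `a` and `a->top == b->top`; when the tops differ the function falls back to the variable-time comparison, and only `a`'s flag is consulted, not `b`'s. Both conditions are deliberate for fixed-top operands of equal width, but nothing here says so: add a comment that callers wanting a constant-time compare must pass equal-width fixed-top values with the flag on the first argument. The loop itself is right, since iterating from word 0 upward and letting later words overwrite `res` leaves the most significant differing word deciding the result.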
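Review bot: The BN_mask_bits hunks in bn_lib.c move `bn_check_top(a)` and `bn_correct_top(a)` into the public wrapper and have `ossl_bn_mask_bits_fixed_top` set `BN_FLG_FIXED_TOP` instead of normalising, which is what lets the bn_rand.c caller keep a fixed-width result; the new internal function has no doc comment, so add one stating that the result may carry leading zero words and must not be handed to code that assumes a normalised top.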
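Review bot: `ossl_bn_is_word_fixed_top` in the bn_lib.c hunk returns 0 for `a->top == 0` regardless of `w`, so it does not treat a zero-length BIGNUM as equal to `w == 0`; whether that matches `BN_is_word` depends on `BN_abs_is_word`, which is not in the hunk, so the intended contract (callers pass fixed-top values with `top > 0`) should be documented. The early returns on `a->neg` and `a->top` are fine for constant-time purposes only because neither is secret for a fixed-top operand; a comment saying so would pre-empt the obvious question.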
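Review bot: The bnrand_range hunk in bn_rand.c replaces a hard-coded `0` with the `strength` parameter in the `bnrand(...)` call of the "range = 11..._2 or range = 101..._2" branch, so the requested entropy strength was previously dropped on that path; worth checking that any other `bnrand` call sites in this function (not shown in the hunk) already pass `strength`, and worth a mention in the commit message since it changes which DRBG strength is requested.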
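Review bot: In the `ossl_bn_priv_rand_range_fixed_top` hunk, the rejection loop's constant-time behaviour hinges on two things that are not written down: `BN_set_flags(r, BN_FLG_CONSTTIME)` is what makes the `BN_ucmp(r, range)` call take its constant-time branch, and that branch only fires when `r->top == range->top`, which holds because `r` is drawn with `n + 1` bits and `BN_RAND_TOP_ONE` and then cut to `n` bits by `ossl_bn_mask_bits_fixed_top`. Please add a comment spelling out that dependency, and note in the function's doc comment that on non-`BN_DEBUG` builds the returned `r` is fixed-top (the `bn_correct_top(r)` only runs under `BN_DEBUG`), so callers must be prepared for that. The `count = 100` bound is adequate: each iteration accepts with probability at least 1/2, so exhausting it has probability about 2^-100.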
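Review bot: In the `@@ -260,20 +306,24 @@` hunk, the new comment `/* Pr(failure to generate) < 2^max_n */` should read `2^-max_n`; a probability below 2^64 is vacuous, and the retry loop bounded by `max_n = 64` is meant to make the failure probability negligible, not large. Also, `k_bytes[0] = 0xff` is set once before the loop to keep `bin2bn` constant-time, so the block-filling code must start writing at offset 1, otherwise the first digest copy overwrites the sentinel.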
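Review bot: In the `@@ -283,41 +333,60 @@` hunk, the removed loop hashed the running `done` offset into every block, which is what kept successive 64-byte digest blocks distinct; the replacement introduces `unsigned char i = 0` but the body is cut off in this message, so confirm that a per-block counter (and ideally the outer retry index `n`) is still fed into the digest, and that the inner fill loop begins at `done = 1` so the 0xff top byte set earlier survives. The `goto err` to `goto end` renames are mechanical, but make sure the old `err:` label is gone so the build does not warn about an unused label.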