Commit Graph

32847 Commits

Author SHA1 Message Date
Bernd Edlinger
f06ef1657a Alternative fix for CVE-2022-4304
This is about a timing leak in the topmost limb
of the internal result of RSA_private_decrypt,
before the padding check.

There are in fact at least three bugs together that
caused the timing leak:

First and probably most important is the fact that
the blinding did not use the constant time code path
at all when the RSA object was used for a private
decrypt, due to the fact that the Montgomery context
rsa->_method_mod_n was not set up early enough in
rsa_ossl_private_decrypt, when BN_BLINDING_create_param
needed it, and that was persisted as blinding->m_ctx,
although the RSA object creates the Montgomery context
just a bit later.

Then the infamous bn_correct_top was used on the
secret value right after the blinding was removed.

And finally the function BN_bn2binpad did not use
the constant-time code path since the BN_FLG_CONSTTIME
was not set on the secret value.

In order to address the first problem, this patch
makes sure that the rsa->_method_mod_n is initialized
right before the blinding context.

And to fix the second problem, we add a new utility
function bn_correct_top_consttime, a const-time
variant of bn_correct_top.

Together with the fact, that BN_bn2binpad is already
constant time if the flag BN_FLG_CONSTTIME is set,
this should eliminate the timing oracle completely.

In addition the no-asm variant may also have
branches that depend on secret values, because the last
invocation of bn_sub_words in bn_from_montgomery_word
had branches when the function is compiled by certain
gcc compiler versions, due to the clumsy coding style.

So additionally this patch stream-lined the no-asm
C-code in order to avoid branches where possible and
improve the resulting code quality.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20281)
2023-04-04 12:13:27 +02:00
Bernd Edlinger
4209ce68d8 Revert "Fix Timing Oracle in RSA decryption"
This reverts commit b1892d21f8.

Except for the moving derive_kdk to a separate function.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20281)
2023-04-04 12:13:27 +02:00
Anatolii Lishchynskyi
34e4a962bc Erase temporary buffer in EVP_PKEY_get_bn_param()
Function EVP_PKEY_get_bn_param() uses temporary buffer (on stack or
heap allocated) to store serialized bignum, but after deserializing it
into BIGNUM*, the buffer is not erased and may contain sensitive data.

This change makes sure the buffer is erased if it was successfully
filled before. Unfortunately, it does not distinguish between public and
private key components, and will always erase the buffer.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20639)
2023-04-04 12:05:25 +02:00
Matt Caswell
540c2d175d Don't call OPENSSL_init_crypto from inside a RUN_ONCE
Calling OPENSSL_init_crypto from inside a RUN_ONCE seems like a bad idea.
This is especially bad if OPENSSL_init_crypto can recursively end up
attempting to call the RUN_ONCE that we're already inside.

The initialisation in OPENSSL_init_crypto is already "run once" protected.
There is no need to protect it "twice".

Fixes #20653

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20662)

(cherry picked from commit a9745427cd)
2023-04-04 09:36:42 +02:00
Matt Caswell
418c6c5207 Update the documentation for SSL_version et al
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20650)
2023-04-04 09:06:31 +10:00
Matt Caswell
843f6e277f Add a test for SSL_version(), SSL_get_version() etc
We also test SSL_is_dtls(), SSL_is_tls() and SSL_is_quic().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20650)
2023-04-04 09:06:31 +10:00
Matt Caswell
50769b15ea Make sure we can query the SSL object for version info when using QUIC
We have the existing functions SSL_version(), SSL_get_version() and
SSL_is_dtls(). We extend the first two to return something sensible when
using QUIC. We additionally provide the new functions SSL_is_tls() and
SSL_is_quic() to provide a mechanism to figure out what protocol we are
using.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20650)
2023-04-04 09:06:18 +10:00
slontis
a76ccb9d0d FFC cleanups
Discovered during coverage testing.

Remove unneccesary check when using ossl_dh_get0_params() and
ossl_dsa_get0_params(). These point to addresses and can not fail
for any existing calls.

Make dsa keygen tests only available in the FIPS module - as they are
not used in the default provider.

Change ossl_ffc_set_digest() to return void as it cannot fail.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20359)
2023-04-03 10:31:04 +02:00
Tomas Mraz
eb52450f51 Avoid calling into provider with the same iv_len or key_len
Fixes #20625

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20664)
2023-04-03 08:22:28 +10:00
Anthony Roberts
fae5a15573 Fix compilation error when using clang-cl 16 or higher
Fixes a "Incompatible function pointer types" error.

In prior versions, this was a warning, but is now an error.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20654)
2023-04-03 08:19:43 +10:00
slontis
9559ad0e8d Make DSA_sign() test for negative p,q,g values.
Related to #20268

DSA_sign() assumes that the signature passed in is related to DSA_size().
If q is negative then DSA_size() actually fails and returns 0.

A test that tries to allocate the signature buffer using DSA_size() and then
pass it to DSA_sign() will then either.

(1) Have a signature buffer of NULL. In this case it was leaking data
returned via i2d_DSA_SIG.

(2) Cause a seg fault because we created a buffer that was not large
enough to hold the signature. As it already checked zero we also now
check for negative values also.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20553)
2023-03-31 15:17:27 -04:00
afshinpir
6469043bba Incorrect null pointer check
CLA: trivial
There is an incorrect null pointer check and this ccommit resolves it.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20646)
2023-03-31 15:09:18 -04:00
slontis
4befe81a99 Fix mem leak in ECDSA_sign().
Similiar to the issue found in PR #20553 for DSA_sign().
ECDSA_sign() leaked memory if the signature was NULL
when i2d_ECDSA_SIG was called.

Note that this does not affect the higher level EVP
functions as they correctly handle NULL.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20554)
2023-03-31 14:57:47 -04:00
Samuel Lee (ENS/CRYPTO)
027226eb22 doc: Fix typo in EVP_EncryptInit.pod
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20645)
2023-03-31 14:29:12 -04:00
Michael Baentsch
4557e28008 Provider-based KEM and SIG alg speed testing added
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/19968)
2023-03-31 14:19:18 -04:00
Taylor R Campbell
1636b355ad /dev/crypto: Suppress warning when open /dev/crypto fails with ENXIO.
On NetBSD the device node is essentially always present, but these
days it's mostly not useful except for testing the kernel crypto
stack since the cost of CPU crypto has gone down much faster than the
cost of I/O to external crypto engines.  So on most systems it is
disabled in a way that makes open fail with ENXIO.  NetBSD has had
this warning for ENXIO patched away for years.

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20636)
2023-03-31 12:23:45 +02:00
Matt Caswell
8189fe242b Add a test for an app data record appearing before epoch change in DTLS
We had a test for a handshake record appearing before epoch change, and
a test for an app data record appearing before Finished - but not one for
the app data record appearing before epoch change.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20628)
2023-03-31 09:14:24 +01:00
Matt Caswell
5c476976ab Handle app data records from the next epoch
It is possible that DTLS records are received out of order such that
records from the next epoch arrive before we have finished processing the
current epoch. We are supposed to buffer such records but for some reason
we only did that for handshake and alert records. This is incorrect since
it is perfectly possible for app data records to arrive early too.

Fixes #20597

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20628)
2023-03-31 09:14:24 +01:00
Pauli
bbe9d2de6c Coverity 1524597: null pointer dereference
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20629)
2023-03-30 20:17:12 +02:00
Hugo Landau
712360631f Use correct function to wait for condvar
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:17 +01:00
Hugo Landau
652fbb62a3 Revise build.info
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:17 +01:00
Hugo Landau
5129e59494 QUIC: Ensure locking when injecting datagrams
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:17 +01:00
Hugo Landau
54b86b7fa3 QUIC test fix
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:16 +01:00
Hugo Landau
9cf091a3c5 QUIC Thread Assisted mode: miscellaneous fixes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:16 +01:00
Hugo Landau
6c091ca968 Refactor build.info
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:16 +01:00
Hugo Landau
20f457436d QUIC Thread Assisted Mode: Refactor locking to be infallible
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:16 +01:00
Hugo Landau
c4208a6a98 QUIC Thread Assisted Mode: Fix typos and use of CRYPTO_RWLOCK type
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:10 +01:00
Hugo Landau
1dd04a0fe2 QUIC Thread Assisted Mode: Support Windows XP
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:09 +01:00
Hugo Landau
99ed85bba9 Avoid races in tserver test code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:09 +01:00
Hugo Landau
dbe7b51a8e Minor fixes to thread assisted mode
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:09 +01:00
Hugo Landau
27c49c06f1 QUIC Thread Assisted Mode: Add design document
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:09 +01:00
Hugo Landau
3b1ab5a3a0 Enhance quic_tserver test to fully test thread assisted mode
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:09 +01:00
Hugo Landau
4648eac533 QUIC CHANNEL: Fix idle timeout handling
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:09 +01:00
Hugo Landau
b212d554e7 QUIC CHANNEL: Allow time source to be overridden
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:09 +01:00
Hugo Landau
134b79c056 QUIC TXP: Allow caller to determine if an ACK-eliciting packet was sent
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:08 +01:00
Hugo Landau
bbc646e91a Add basic test for thread assisted mode
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:08 +01:00
Hugo Landau
ffce2946c7 Switch to using ossl_crypto_mutex from CRYPTO_RWLOCK
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:08 +01:00
Hugo Landau
ccd3103771 Add channel-only tick mode and use it for thread assisted mode
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:08 +01:00
Hugo Landau
f2f7c4f15a Front End for QUIC Thread Assisted Mode
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:08 +01:00
Hugo Landau
9f7acf071c QUIC Thread Assist Core
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:08 +01:00
Hugo Landau
4a530180e5 Fix handshake locking
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:08 +01:00
Hugo Landau
e053505f0c Add mutex to tserver
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:08 +01:00
Hugo Landau
a8489257e6 Add locking to QUIC front-end
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:07 +01:00
Hugo Landau
4847599b54 Move channel mutex out of QUIC_CHANNEL for init/teardown flexibility
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:07 +01:00
Hugo Landau
d7b1faddab Annotate functions needing locking
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:07 +01:00
Hugo Landau
fb2245c44b QUIC Channel: Add a mutex
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:07 +01:00
Hugo Landau
c019e1efe9 QUIC Reactor: Allow a mutex to be released during waits
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:07 +01:00
Hugo Landau
2b2b26788e threading: Add ossl_crypto_condvar_wait_timeout
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30 11:14:07 +01:00
Matt Caswell
b21306b930 Add some documentation for the new advanced s_client command mode
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20566)
2023-03-30 08:53:39 +01:00
Matt Caswell
d07b763bb9 Add a new advanced command mode to s_client
The s_client command mode just looks at the first letter on a line
and if it is one that maps to a "command" then that command is executed
and everything else on the line is ignored.

This means it is impossible to send anything over s_client that starts with
one of the "magic" letters unless you switch off command processing
entirely.

With the forthcoming quic support that will be added to s_client we expect
a significant new number of commands being added (for example to send fin
on a stream, or to list or swap between different streams, etc). This will
use up more "letters" and reduces the usability of s_client.

This PR adds a new "advanced" command processing mode. Commands are enclosed
in braces {}, and can appear anywhere in the text typed into s_client. A
brace can be escaped by sending a double {{. This gives much more
flexibility without reducing the usability of s_client. Commands can also
have "arguments" which also extends the scope of what they can be used for.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20566)
2023-03-30 08:53:39 +01:00