1
0
Fork 0
mirror of https://github.com/ossrs/srs.git synced 2025-03-09 15:49:59 +00:00

AppleM1: Update openssl to v1.1.1l

This commit is contained in:
winlin 2022-08-14 19:05:01 +08:00
parent 1fe12b8e8c
commit b787656eea
990 changed files with 13406 additions and 18710 deletions

View file

@ -1,5 +1,5 @@
/*
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -13,9 +13,9 @@
#include <openssl/x509.h>
#include <openssl/bn.h>
#include <openssl/cms.h>
#include "internal/asn1_int.h"
#include "internal/evp_int.h"
#include "rsa_locl.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
#include "rsa_local.h"
#ifndef OPENSSL_NO_CMS
static int rsa_cms_sign(CMS_SignerInfo *si);
@ -118,6 +118,15 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
/*
* Don't check the public/private key, this is mostly for smart
* cards.
*/
if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
|| (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) {
return 1;
}
if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
|| BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
return 0;
@ -458,6 +467,9 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
{
X509_ALGOR *alg = NULL;
const EVP_MD *md;
const EVP_MD *mgf1md;
int min_saltlen;
switch (op) {
@ -497,6 +509,16 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
#endif
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
if (pkey->pkey.rsa->pss != NULL) {
if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
&min_saltlen)) {
RSAerr(0, ERR_R_INTERNAL_ERROR);
return 0;
}
*(int *)arg2 = EVP_MD_type(md);
/* Return of 2 indicates this MD is mandatory */
return 2;
}
*(int *)arg2 = NID_sha256;
return 1;
@ -583,10 +605,12 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
return NULL;
if (saltlen == -1) {
saltlen = EVP_MD_size(sigmd);
} else if (saltlen == -2) {
} else if (saltlen == -2 || saltlen == -3) {
saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;
if ((EVP_PKEY_bits(pk) & 0x7) == 1)
saltlen--;
if (saltlen < 0)
return NULL;
}
return rsa_pss_params_create(sigmd, mgf1md, saltlen);

View file

@ -12,7 +12,7 @@
#include <openssl/bn.h>
#include <openssl/x509.h>
#include <openssl/asn1t.h>
#include "rsa_locl.h"
#include "rsa_local.h"
/*
* Override the default free and new methods,

View file

@ -9,7 +9,7 @@
#include <openssl/bn.h>
#include <openssl/err.h>
#include "rsa_locl.h"
#include "rsa_local.h"
int RSA_check_key(const RSA *key)
{

View file

@ -10,9 +10,9 @@
#include <stdio.h>
#include <openssl/crypto.h>
#include "internal/cryptlib.h"
#include "internal/bn_int.h"
#include "crypto/bn.h"
#include <openssl/rand.h>
#include "rsa_locl.h"
#include "rsa_local.h"
int RSA_bits(const RSA *r)
{

View file

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -174,6 +174,8 @@ static const ERR_STRING_DATA RSA_str_reasons[] = {
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_LAST_OCTET_INVALID), "last octet invalid"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MGF1_DIGEST_NOT_ALLOWED),
"mgf1 digest not allowed"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MISSING_PRIVATE_KEY),
"missing private key"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R),
"mp coefficient not inverse of r"},

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -17,7 +17,7 @@
#include <time.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include "rsa_locl.h"
#include "rsa_local.h"
static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
BN_GENCB *cb);
@ -250,7 +250,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
*
* This strategy has the following goals:
*
* 1. 1024-bit factors are effcient when using 3072 and 4096-bit key
* 1. 1024-bit factors are efficient when using 3072 and 4096-bit key
* 2. stay the same logic with normal 2-prime key
*/
bitse -= bitsr[i];
@ -387,8 +387,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
ok = 0;
}
if (ctx != NULL)
BN_CTX_end(ctx);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ok;
}

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -11,11 +11,11 @@
#include <openssl/crypto.h>
#include "internal/cryptlib.h"
#include "internal/refcount.h"
#include "internal/bn_int.h"
#include "crypto/bn.h"
#include <openssl/engine.h>
#include <openssl/evp.h>
#include "internal/evp_int.h"
#include "rsa_locl.h"
#include "crypto/evp.h"
#include "rsa_local.h"
RSA *RSA_new(void)
{
@ -198,6 +198,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
if (d != NULL) {
BN_clear_free(r->d);
r->d = d;
BN_set_flags(r->d, BN_FLG_CONSTTIME);
}
return 1;
@ -215,10 +216,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
if (p != NULL) {
BN_clear_free(r->p);
r->p = p;
BN_set_flags(r->p, BN_FLG_CONSTTIME);
}
if (q != NULL) {
BN_clear_free(r->q);
r->q = q;
BN_set_flags(r->q, BN_FLG_CONSTTIME);
}
return 1;
@ -237,14 +240,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
if (dmp1 != NULL) {
BN_clear_free(r->dmp1);
r->dmp1 = dmp1;
BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
}
if (dmq1 != NULL) {
BN_clear_free(r->dmq1);
r->dmq1 = dmq1;
BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
}
if (iqmp != NULL) {
BN_clear_free(r->iqmp);
r->iqmp = iqmp;
BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
}
return 1;
@ -276,12 +282,15 @@ int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
if (pinfo == NULL)
goto err;
if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) {
BN_free(pinfo->r);
BN_free(pinfo->d);
BN_free(pinfo->t);
BN_clear_free(pinfo->r);
BN_clear_free(pinfo->d);
BN_clear_free(pinfo->t);
pinfo->r = primes[i];
pinfo->d = exps[i];
pinfo->t = coeffs[i];
BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
} else {
rsa_multip_info_free(pinfo);
goto err;
@ -442,6 +451,11 @@ const BIGNUM *RSA_get0_iqmp(const RSA *r)
return r->iqmp;
}
const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r)
{
return r->pss;
}
void RSA_clear_flags(RSA *r, int flags)
{
r->flags &= ~flags;

View file

@ -8,7 +8,7 @@
*/
#include <string.h>
#include "rsa_locl.h"
#include "rsa_local.h"
#include <openssl/err.h>
RSA_METHOD *RSA_meth_new(const char *name, int flags)

View file

@ -10,7 +10,7 @@
#include <openssl/bn.h>
#include <openssl/err.h>
#include "rsa_locl.h"
#include "rsa_local.h"
void rsa_multip_info_free_ex(RSA_PRIME_INFO *pinfo)
{

View file

@ -1,5 +1,5 @@
/*
* Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -20,7 +20,7 @@
* one-wayness. For the RSA function, this is an equivalent notion.
*/
#include "internal/constant_time_locl.h"
#include "internal/constant_time.h"
#include <stdio.h>
#include "internal/cryptlib.h"
@ -28,7 +28,7 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_locl.h"
#include "rsa_local.h"
int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
const unsigned char *from, int flen,
@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
* |num| is the length of the modulus; |flen| is the length of the
* encoded message. Therefore, for any |from| that was obtained by
* decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
* num < 2 * mdlen + 2 must hold for the modulus irrespective of
* |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of
* the ciphertext, see PKCS #1 v2.2, section 7.1.2.
* This does not leak any side-channel information.
*/
@ -179,17 +179,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
from -= 1 & mask;
*--em = *from & mask;
}
from = em;
/*
* The first byte must be zero, however we must not leak if this is
* true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
* Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
*/
good = constant_time_is_zero(from[0]);
good = constant_time_is_zero(em[0]);
maskedseed = from + 1;
maskeddb = from + 1 + mdlen;
maskedseed = em + 1;
maskeddb = em + 1 + mdlen;
if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
goto cleanup;
@ -230,29 +229,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
mlen = dblen - msg_index;
/*
* For good measure, do this check in constant tine as well.
* For good measure, do this check in constant time as well.
*/
good &= constant_time_ge(tlen, mlen);
/*
* Even though we can't fake result's length, we can pretend copying
* |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
* bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
* where |mlen'| is "saturated" |mlen| value. Deducing information
* about failure or |mlen| would take attacker's ability to observe
* memory access pattern with byte granularity *as it occurs*. It
* should be noted that failure is indistinguishable from normal
* operation if |tlen| is fixed by protocol.
* Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
* Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
* Otherwise leave |to| unchanged.
* Copy the memory back in a way that does not reveal the size of
* the data being copied via a timing side channel. This requires copying
* parts of the buffer multiple times based on the bits set in the real
* length. Clear bits do a non-copy with identical access pattern.
* The loop below has overall complexity of O(N*log(N)).
*/
tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
mlen = dblen - msg_index;
for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
unsigned int equals = constant_time_eq(i, mlen);
from -= dblen & equals; /* if (i == dblen) rewind */
mask &= mask ^ equals; /* if (i == dblen) mask = 0 */
to[i] = constant_time_select_8(mask, from[i], to[i]);
tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
dblen - mdlen - 1, tlen);
for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
for (i = mdlen + 1; i < dblen - msg_index; i++)
db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
}
for (i = 0; i < tlen; i++) {
mask = good & constant_time_lt(i, mlen);
to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
}
/*

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -8,9 +8,9 @@
*/
#include "internal/cryptlib.h"
#include "internal/bn_int.h"
#include "rsa_locl.h"
#include "internal/constant_time_locl.h"
#include "crypto/bn.h"
#include "rsa_local.h"
#include "internal/constant_time.h"
static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
@ -148,8 +148,7 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
*/
r = BN_bn2binpad(ret, to, num);
err:
if (ctx != NULL)
BN_CTX_end(ctx);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
@ -322,6 +321,11 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
if (rsa->d == NULL) {
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY);
BN_free(d);
goto err;
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
@ -354,8 +358,7 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
*/
r = BN_bn2binpad(res, to, num);
err:
if (ctx != NULL)
BN_CTX_end(ctx);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
@ -440,6 +443,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
if (rsa->d == NULL) {
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_MISSING_PRIVATE_KEY);
BN_free(d);
goto err;
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
@ -481,11 +489,10 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
goto err;
}
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
err_clear_last_constant_time(r >= 0);
err_clear_last_constant_time(1 & ~constant_time_msb(r));
err:
if (ctx != NULL)
BN_CTX_end(ctx);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;
@ -581,8 +588,7 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
err:
if (ctx != NULL)
BN_CTX_end(ctx);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
return r;

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#include "internal/constant_time_locl.h"
#include "internal/constant_time.h"
#include <stdio.h>
#include "internal/cryptlib.h"
@ -57,7 +57,7 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
* D - data.
*/
if (num < 11)
if (num < RSA_PKCS1_PADDING_SIZE)
return -1;
/* Accept inputs with and without the leading 0-byte. */
@ -120,7 +120,7 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
int i, j;
unsigned char *p;
if (flen > (tlen - 11)) {
if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return 0;
@ -169,7 +169,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
* section 7.2.2.
*/
if (flen > num || num < 11) {
if (flen > num || num < RSA_PKCS1_PADDING_SIZE) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
RSA_R_PKCS_DECODING_ERROR);
return -1;
@ -192,15 +192,14 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
from -= 1 & mask;
*--em = *from & mask;
}
from = em;
good = constant_time_is_zero(from[0]);
good &= constant_time_eq(from[1], 2);
good = constant_time_is_zero(em[0]);
good &= constant_time_eq(em[1], 2);
/* scan over padding data */
found_zero_byte = 0;
for (i = 2; i < num; i++) {
unsigned int equals0 = constant_time_is_zero(from[i]);
unsigned int equals0 = constant_time_is_zero(em[i]);
zero_index = constant_time_select_int(~found_zero_byte & equals0,
i, zero_index);
@ -208,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
}
/*
* PS must be at least 8 bytes long, and it starts two bytes into |from|.
* PS must be at least 8 bytes long, and it starts two bytes into |em|.
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
@ -227,24 +226,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
good &= constant_time_ge(tlen, mlen);
/*
* Even though we can't fake result's length, we can pretend copying
* |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
* bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
* where |mlen'| is "saturated" |mlen| value. Deducing information
* about failure or |mlen| would take attacker's ability to observe
* memory access pattern with byte granularity *as it occurs*. It
* should be noted that failure is indistinguishable from normal
* operation if |tlen| is fixed by protocol.
* Move the result in-place by |num|-RSA_PKCS1_PADDING_SIZE-|mlen| bytes to the left.
* Then if |good| move |mlen| bytes from |em|+RSA_PKCS1_PADDING_SIZE to |to|.
* Otherwise leave |to| unchanged.
* Copy the memory back in a way that does not reveal the size of
* the data being copied via a timing side channel. This requires copying
* parts of the buffer multiple times based on the bits set in the real
* length. Clear bits do a non-copy with identical access pattern.
* The loop below has overall complexity of O(N*log(N)).
*/
tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
msg_index = constant_time_select_int(good, msg_index, num - tlen);
mlen = num - msg_index;
for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
unsigned int equals = constant_time_eq(i, mlen);
from -= tlen & equals; /* if (i == mlen) rewind */
mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
to[i] = constant_time_select_8(mask, from[i], to[i]);
tlen = constant_time_select_int(constant_time_lt(num - RSA_PKCS1_PADDING_SIZE, tlen),
num - RSA_PKCS1_PADDING_SIZE, tlen);
for (msg_index = 1; msg_index < num - RSA_PKCS1_PADDING_SIZE; msg_index <<= 1) {
mask = ~constant_time_eq(msg_index & (num - RSA_PKCS1_PADDING_SIZE - mlen), 0);
for (i = RSA_PKCS1_PADDING_SIZE; i < num - msg_index; i++)
em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
}
for (i = 0; i < tlen; i++) {
mask = good & constant_time_lt(i, mlen);
to[i] = constant_time_select_8(mask, em[i + RSA_PKCS1_PADDING_SIZE], to[i]);
}
OPENSSL_clear_free(em, num);

View file

@ -1,5 +1,5 @@
/*
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
#include "internal/constant_time.h"
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
@ -16,8 +18,8 @@
#include <openssl/evp.h>
#include <openssl/x509v3.h>
#include <openssl/cms.h>
#include "internal/evp_int.h"
#include "rsa_locl.h"
#include "crypto/evp.h"
#include "rsa_local.h"
/* RSA pkey context structure */
@ -54,7 +56,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
if (rctx == NULL)
return 0;
rctx->nbits = 1024;
rctx->nbits = 2048;
rctx->primes = RSA_DEFAULT_PRIME_NUM;
if (pkey_ctx_is_pss(ctx))
rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
@ -340,10 +342,9 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
rctx->pad_mode);
}
if (ret < 0)
return ret;
*outlen = ret;
return 1;
*outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
return ret;
}
static int check_padding_md(const EVP_MD *md, int padding)

View file

@ -1,5 +1,5 @@
/*
* Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -34,9 +34,11 @@ int RSA_print(BIO *bp, const RSA *x, int off)
EVP_PKEY *pk;
int ret;
pk = EVP_PKEY_new();
if (pk == NULL || !EVP_PKEY_set1_RSA(pk, (RSA *)x))
if (pk == NULL)
return 0;
ret = EVP_PKEY_print_private(bp, pk, off, NULL);
ret = EVP_PKEY_set1_RSA(pk, (RSA *)x);
if (ret)
ret = EVP_PKEY_print_private(bp, pk, off, NULL);
EVP_PKEY_free(pk);
return ret;
}

View file

@ -14,7 +14,7 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "rsa_locl.h"
#include "rsa_local.h"
static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };

View file

@ -13,8 +13,8 @@
#include <openssl/rsa.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include "internal/x509_int.h"
#include "rsa_locl.h"
#include "crypto/x509.h"
#include "rsa_local.h"
/* Size of an SSL signature: MD5+SHA1 */
#define SSL_SIG_LENGTH 36

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -12,7 +12,7 @@
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
#include "internal/constant_time_locl.h"
#include "internal/constant_time.h"
int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
const unsigned char *from, int flen)
@ -20,7 +20,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
int i, j;
unsigned char *p;
if (flen > (tlen - 11)) {
if (flen > (tlen - RSA_PKCS1_PADDING_SIZE)) {
RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return 0;
@ -67,7 +67,10 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
unsigned int good, found_zero_byte, mask, threes_in_row;
int zero_index = 0, msg_index, mlen = -1, err;
if (flen < 10) {
if (tlen <= 0 || flen <= 0)
return -1;
if (flen > num || num < RSA_PKCS1_PADDING_SIZE) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
return -1;
}
@ -89,10 +92,9 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
from -= 1 & mask;
*--em = *from & mask;
}
from = em;
good = constant_time_is_zero(from[0]);
good &= constant_time_eq(from[1], 2);
good = constant_time_is_zero(em[0]);
good &= constant_time_eq(em[1], 2);
err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
mask = ~good;
@ -100,18 +102,18 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
found_zero_byte = 0;
threes_in_row = 0;
for (i = 2; i < num; i++) {
unsigned int equals0 = constant_time_is_zero(from[i]);
unsigned int equals0 = constant_time_is_zero(em[i]);
zero_index = constant_time_select_int(~found_zero_byte & equals0,
i, zero_index);
found_zero_byte |= equals0;
threes_in_row += 1 & ~found_zero_byte;
threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3);
threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3);
}
/*
* PS must be at least 8 bytes long, and it starts two bytes into |from|.
* PS must be at least 8 bytes long, and it starts two bytes into |em|.
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
@ -120,6 +122,12 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
RSA_R_NULL_BEFORE_BLOCK_MISSING);
mask = ~good;
/*
* Reject if nul delimiter is preceded by 8 consecutive 0x03 bytes. Note
* that RFC5246 incorrectly states this the other way around, i.e. reject
* if it is not preceded by 8 consecutive 0x03 bytes. However this is
* corrected in subsequent errata for that RFC.
*/
good &= constant_time_lt(threes_in_row, 8);
err = constant_time_select_int(mask | good, err,
RSA_R_SSLV3_ROLLBACK_ATTACK);
@ -139,24 +147,25 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE);
/*
* Even though we can't fake result's length, we can pretend copying
* |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
* bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
* where |mlen'| is "saturated" |mlen| value. Deducing information
* about failure or |mlen| would take attacker's ability to observe
* memory access pattern with byte granularity *as it occurs*. It
* should be noted that failure is indistinguishable from normal
* operation if |tlen| is fixed by protocol.
* Move the result in-place by |num|-RSA_PKCS1_PADDING_SIZE-|mlen| bytes to the left.
* Then if |good| move |mlen| bytes from |em|+RSA_PKCS1_PADDING_SIZE to |to|.
* Otherwise leave |to| unchanged.
* Copy the memory back in a way that does not reveal the size of
* the data being copied via a timing side channel. This requires copying
* parts of the buffer multiple times based on the bits set in the real
* length. Clear bits do a non-copy with identical access pattern.
* The loop below has overall complexity of O(N*log(N)).
*/
tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
msg_index = constant_time_select_int(good, msg_index, num - tlen);
mlen = num - msg_index;
for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
unsigned int equals = constant_time_eq(i, mlen);
from -= tlen & equals; /* if (i == mlen) rewind */
mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
to[i] = constant_time_select_8(mask, from[i], to[i]);
tlen = constant_time_select_int(constant_time_lt(num - RSA_PKCS1_PADDING_SIZE, tlen),
num - RSA_PKCS1_PADDING_SIZE, tlen);
for (msg_index = 1; msg_index < num - RSA_PKCS1_PADDING_SIZE; msg_index <<= 1) {
mask = ~constant_time_eq(msg_index & (num - RSA_PKCS1_PADDING_SIZE - mlen), 0);
for (i = RSA_PKCS1_PADDING_SIZE; i < num - msg_index; i++)
em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
}
for (i = 0; i < tlen; i++) {
mask = good & constant_time_lt(i, mlen);
to[i] = constant_time_select_8(mask, em[i + RSA_PKCS1_PADDING_SIZE], to[i]);
}
OPENSSL_clear_free(em, num);

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -12,7 +12,7 @@
#include <time.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include "rsa_locl.h"
#include "rsa_local.h"
/* X9.31 RSA key derivation and generation */
@ -133,8 +133,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
ret = 1;
err:
if (ctx)
BN_CTX_end(ctx);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
BN_CTX_free(ctx2);
@ -188,8 +187,7 @@ int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
ok = 1;
error:
if (ctx)
BN_CTX_end(ctx);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (ok)