| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
This matches Cohen's text better and makes the entire thing easier to
read.
suggested by jsing
|
| |
|
|
|
|
|
|
|
|
| |
Instead of "Cohen's step N" explain in words what is being done. Things
such as (A & B & 2) != 0 being equivalent to (-1)^((A-1)(B-1)/4) being
negative are not entirely obvious... Remove the strange error dance and
adjust variable names to what Cohen's book uses. Simplify various curly
bits.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If gcd(a, primes[i]) == 0 then a could still be a prime, namely in the
case that a == primes[i], so check for that case as well.
Problem noted by Martin Grenouilloux
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The optimised code path switches from processing data via unsigned long to
processing data via unsigned int, which requires type punning. This is
currently attempted via a union (for one case), however this fails since
a pointer to a union member is passed to another function (these unions
were added to "fix strict-aliasing compiler warning" - it would seem the
warnings stopped but the undefined behaviour remained). The second case
does not use a union and simply casts from one type to another.
Undefined behaviour is currently triggered when compiling with clang 14
using -03 and -fstrict-aliasing, while disabling assembly (in order to use
this C code). The resulting binary produces incorrect results.
Avoid strict aliasing violations by copying from an unsigned long array to
an unsigned int array, then copying back the result. Any sensible compiler
will omit the copies, while avoiding undefined behaviour that would result
from unsafe type punning via pointer type casting.
Thanks to Guido Vranken for reporting the issue and testing the fix.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
If either of the two initial BN_CTX_get() fails, we will call
BN_RECP_CTX_free() on the uninitialized recp, which won't end
well, so hoist the BN_RECP_CTX_init() call a few lines up.
From Pauli, OpenSSL ad249412
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A bug in the implementation of the Tonelli-Shanks algorithm can lead to
an infinite loop. This loop can be hit in various ways, in particular on
decompressing an elliptic curve public key via EC_POINT_oct2point() - to
do this, one must solve y^2 = x^3 + ax + b for y, given x.
If a certificate uses explicit encoding for elliptic curve parameters,
this operation needs to be done during certificate verification, leading
to a DoS. In particular, everything dealing with untrusted certificates
is affected, notably TLS servers explicitly configured to request
client certificates (httpd, smtpd, various VPN implementations, ...).
Ordinary TLS servers do not consume untrusted certificates.
The problem is that we cannot assume that x^3 + ax + b is actually a
square on untrusted input and neither can we assume that the modulus
p is a prime. Ensuring that p is a prime is too expensive (it would
likely itself lead to a DoS). To avoid the infinite loop, fix the logic
to be more resilient and explicitly limit the number of iterations that
can be done. The bug is such that the infinite loop can also be hit for
primes = 3 (mod 4) but fortunately that case is optimized earlier.
It's also worth noting that there is a size bound on the field size
enforced via OPENSSL_ECC_MAX_FIELD_BITS (= 661), which help mitigate
further DoS vectors in presence of this fix.
Reported by Tavis Ormandy and David Benjamin, Google
Patch based on the fixes by David Benjamin and Tomas Mraz, OpenSSL
ok beck inoguchi
|
| |
|
|
|
|
|
|
|
|
| |
This is a very rarely used function and the crash is hard to reach in
practice. Instead of implementing BN_is_odd() badly by hand, just call
the real thing.
Reported by Guido Vranken
ok beck jsing
|
| |
|
|
|
|
| |
From OpenSSL 6a009812, prompted by a report by Guido Vranken
ok beck jsing
|
| |
|
|
| |
ok jsing@ millert@ tb@
|
| |
|
|
|
|
|
| |
CID 21665 24835
comment from jsing@ and tb@
ok jsing@ millert@ tb@
|
| |
|
|
|
|
| |
This makes all structs in bn.h opaque that are also opaque in OpenSSL.
ok inoguchi jsing
|
| |
|
|
|
| |
This marks the start of major surgery in libcrypto. Do not attempt to
build the tree for a while (~50 commits).
|
| |
|
|
| |
Discussed with tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BN_with_flags() preserves the BN_FLG_MALLOCED flag of the destination
which results in a potential use of an uninitialized bit. In practice
this doesn't matter since we don't free the cloned BIGNUMs anyway.
As jsing points out, these are mostly pointless noise and should be
garbage collected. I'll leave that for another rainy day.
Coverity flagged one instance BN_gcd_no_branch(), the rest was found by
the ever so helpful grep(1).
CID 345122
ok jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| | |
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
| |
BN_abs_is_word, BN_is_{zero,one,word,odd}, BN_one, BN_zero_ex are
now implemented as functions for internal use. They will be exposed
publicly to replace the macros reaching into BIGNUM in the next bump.
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
| |
The function implementations are necessary to make BIGNUM opaque.
They will be used in libcrypto internally until they will replace
the macro implementations with the next bump.
ok inoguchi jsing
|
| | |
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok beck inoguchi
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
|
|
|
| |
As found by jsg and patrick, this is needed for newer uboot and
will also be used in upcoming elliptic curve work.
This is from OpenSSL 1.1.1l with minor style tweaks.
ok beck inoguchi
|
| | |
|
| |
|
|
| |
figure out whether top > 0 or top == 0.
|
| |
|
|
|
|
|
|
|
|
| |
If BN_rand() is called with top > 0 and bits == 1, it would allocate
a buf[] of size 1 and set the top bit of buf[1].
Found in OpenSSL commit efee575ad464bfb60bf72dcb73f9b51768f4b1a1 while
looking for something else.
ok beck djm inoguchi
|
| |
|
|
|
|
|
|
|
|
|
| |
not being prime depends on the intended use based on the size of
the input. For larger primes this will result in more rounds of
Miller-Rabin. The maximal error rate for primes with more than
1080 bits is lowered to 2^-128.
Patch from Kurt Roeckx <kurt@roeckx.be> and Annie Yousar
via OpenSSL commit feac7a1c Jul 25 18:55:16 2018 +0200,
still under a free license.
OK tb@.
|
| |
|
|
|
|
|
|
|
| |
in OpenSSL 1.1.1 even though in general, letting random functions
accept NULL is not advisable because it can hide programming errors;
"yes please" tb@
"unfortunately I suspect you're right" jsing@
"oh well" deraadt@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, this function would leak the most significant word of its
argument due to branching and memory access pattern. This patch is
enough to fix the use of BN_num_bits() on RSA prime factors in the
library.
The diff is a simplified and more readable (but perhaps less efficient)
version of https://github.com/openssl/openssl/commit/972c87df
by Andy Polyakov and David Benjamin (pre license change). Consult that
commit message for details. Subsequent fixes to follow in the near future.
Issue pointed out by David Schrammel and Samuel Weiser as part of
a larger report.
tests & ok inoguchi, ok jsing
|
| |
|
|
|
|
| |
sizes used remain a positive integer. Should address issue
13799 from oss-fuzz
ok tb@ jsing@
|
| |
|
|
|
|
|
| |
From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd
by David Benjamin.
ok djm, jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
from which a a BIGNUM is chosen uniformly at random.
ok beck jsing
|
| |
|
|
|
|
|
|
| |
Since bignums use ints for the same purpose, this still uses an int
internally after an overflow check.
Suggested by and discussed with jsing.
ok inoguchi, jsing
|
| |
|
|
|
|
|
|
|
| |
changes made in OpenSSL by Davide Galassi and others, so that one can
actually follow what is going on. There is no performance impact from
this change as the code still does essentially the same thing. There's
a ton of work still to be done to make the BN code less terrible.
ok jsing, kn
|
| |
|
|
|
|
|
|
| |
be set in condition. This makes the constant time bit-twiddling a bit
trickier, but it's not too bad. Thanks to halex for an extensive rubber
ducking session over a non-spicy spicy tabouleh falafel..
ok jsing, kn
|
| |
|
|
|
|
| |
Makes it a tad easier to read through and compare with BN_swap_ct().
OK tb
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
two bignums. It's saner and substantially less ugly than the existing
public BN_constantime_swap() function and will be used in forthcoming work
on constant time ECC code.
From Billy Brumley and his team. Thanks!
ok jsing
|
| | |
|
| |
|
|
| |
ok bcook@ tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
reduces conditional logic (-218, +82).
MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c
wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and
BN_FLG_STATIC_DATA where the condition cannot be collapsed completely.
Passes regress. ok beck
|
| |
|
|
|
|
| |
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@
|
