From 01e82720abe2d153c398438e70221575de3136ba Mon Sep 17 00:00:00 2001 From: delphij Date: Mon, 7 Mar 2016 16:18:07 +0000 Subject: [PATCH] Fix multiple OpenSSL vulnerabilities as published in OpenSSL advisory on 2016/03/01: constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF. [CVE-2016-0702, upstream d6482a8. 5ea08bd, d6d422e, 8fc8f48 317be63 skipped intentionally as we are not using the code on FreeBSD. Backport done by jkim@. Fix memory issues in BIO_*printf functions. [CVE-2016-0799, upstream d889682, a801bf2]. Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption. [CVE-2016-0797, upstream 8f65132]. Disable SSLv2 in default negotiation and weak ciphers. [CVE-2016-0800 "DROWN", upstream 56f1acf5]. Note that support of SSLv2 is not removed in order to preserve ABI compatibility, and application may still explicitly ask for vulnerable protocol or ciphers. In collaboration with: jkim git-svn-id: svn://svn.freebsd.org/base/stable/9@296462 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- crypto/openssl/crypto/bio/b_print.c | 578 +++++++++++++++------------ crypto/openssl/crypto/bn/bn.h | 38 +- crypto/openssl/crypto/bn/bn_exp.c | 159 +++++--- crypto/openssl/crypto/bn/bn_print.c | 81 ++-- crypto/openssl/doc/apps/ciphers.pod | 22 +- crypto/openssl/ssl/s2_lib.c | 84 ++-- crypto/openssl/ssl/ssl_lib.c | 19 +- secure/usr.bin/openssl/man/ciphers.1 | 22 +- 8 files changed, 565 insertions(+), 438 deletions(-) diff --git a/crypto/openssl/crypto/bio/b_print.c b/crypto/openssl/crypto/bio/b_print.c index 6c93f9381..9f7f6344a 100644 --- a/crypto/openssl/crypto/bio/b_print.c +++ b/crypto/openssl/crypto/bio/b_print.c @@ -122,20 +122,20 @@ # define LLONG long long # endif #else -# define LLONG long -#endif - -static void fmtstr(char **, char **, size_t *, size_t *, - const char *, int, int, int); -static void fmtint(char **, char **, size_t *, size_t *, - LLONG, int, int, int, int); -static void fmtfp(char **, char **, size_t *, size_t *, - LDOUBLE, int, int, int); -static void doapr_outch(char **, char **, size_t *, size_t *, int); -static void _dopr(char **sbuffer, char **buffer, - size_t *maxlen, size_t *retlen, int *truncated, - const char *format, va_list args); - +# define LLONG long +#endif + +static int fmtstr(char **, char **, size_t *, size_t *, + const char *, int, int, int); +static int fmtint(char **, char **, size_t *, size_t *, + LLONG, int, int, int, int); +static int fmtfp(char **, char **, size_t *, size_t *, + LDOUBLE, int, int, int); +static int doapr_outch(char **, char **, size_t *, size_t *, int); +static int _dopr(char **sbuffer, char **buffer, + size_t *maxlen, size_t *retlen, int *truncated, + const char *format, va_list args); + /* format read states */ #define DP_S_DEFAULT 0 #define DP_S_FLAGS 1 @@ -162,13 +162,13 @@ static void _dopr(char **sbuffer, char **buffer, #define DP_C_LLONG 4 /* some handy macros */ -#define char_to_int(p) (p - '0') -#define OSSL_MAX(p,q) ((p >= q) ? p : q) - -static void -_dopr(char **sbuffer, - char **buffer, - size_t *maxlen, +#define char_to_int(p) (p - '0') +#define OSSL_MAX(p,q) ((p >= q) ? p : q) + +static int +_dopr(char **sbuffer, + char **buffer, + size_t *maxlen, size_t *retlen, int *truncated, const char *format, va_list args) { char ch; @@ -193,13 +193,14 @@ _dopr(char **sbuffer, switch (state) { case DP_S_DEFAULT: - if (ch == '%') - state = DP_S_FLAGS; - else - doapr_outch(sbuffer, buffer, &currlen, maxlen, ch); - ch = *format++; - break; - case DP_S_FLAGS: + if (ch == '%') + state = DP_S_FLAGS; + else + if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch)) + return 0; + ch = *format++; + break; + case DP_S_FLAGS: switch (ch) { case '-': flags |= DP_F_MINUS; @@ -299,14 +300,15 @@ _dopr(char **sbuffer, value = va_arg(args, LLONG); break; default: - value = va_arg(args, int); - break; - } - fmtint(sbuffer, buffer, &currlen, maxlen, - value, 10, min, max, flags); - break; - case 'X': - flags |= DP_F_UP; + value = va_arg(args, int); + break; + } + if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min, + max, flags)) + return 0; + break; + case 'X': + flags |= DP_F_UP; /* FALLTHROUGH */ case 'x': case 'o': @@ -323,23 +325,25 @@ _dopr(char **sbuffer, value = va_arg(args, unsigned LLONG); break; default: - value = (LLONG) va_arg(args, unsigned int); - break; - } - fmtint(sbuffer, buffer, &currlen, maxlen, value, - ch == 'o' ? 8 : (ch == 'u' ? 10 : 16), - min, max, flags); - break; - case 'f': - if (cflags == DP_C_LDOUBLE) - fvalue = va_arg(args, LDOUBLE); - else - fvalue = va_arg(args, double); - fmtfp(sbuffer, buffer, &currlen, maxlen, - fvalue, min, max, flags); - break; - case 'E': - flags |= DP_F_UP; + value = (LLONG) va_arg(args, unsigned int); + break; + } + if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, + ch == 'o' ? 8 : (ch == 'u' ? 10 : 16), + min, max, flags)) + return 0; + break; + case 'f': + if (cflags == DP_C_LDOUBLE) + fvalue = va_arg(args, LDOUBLE); + else + fvalue = va_arg(args, double); + if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max, + flags)) + return 0; + break; + case 'E': + flags |= DP_F_UP; case 'e': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); @@ -352,30 +356,33 @@ _dopr(char **sbuffer, if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); else - fvalue = va_arg(args, double); - break; - case 'c': - doapr_outch(sbuffer, buffer, &currlen, maxlen, - va_arg(args, int)); - break; - case 's': - strvalue = va_arg(args, char *); + fvalue = va_arg(args, double); + break; + case 'c': + if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, + va_arg(args, int))) + return 0; + break; + case 's': + strvalue = va_arg(args, char *); if (max < 0) { if (buffer) max = INT_MAX; - else - max = *maxlen; - } - fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue, - flags, min, max); - break; - case 'p': - value = (long)va_arg(args, void *); - fmtint(sbuffer, buffer, &currlen, maxlen, - value, 16, min, max, flags | DP_F_NUM); - break; - case 'n': /* XXX */ - if (cflags == DP_C_SHORT) { + else + max = *maxlen; + } + if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue, + flags, min, max)) + return 0; + break; + case 'p': + value = (long)va_arg(args, void *); + if (!fmtint(sbuffer, buffer, &currlen, maxlen, + value, 16, min, max, flags | DP_F_NUM)) + return 0; + break; + case 'n': /* XXX */ + if (cflags == DP_C_SHORT) { short int *num; num = va_arg(args, short int *); *num = currlen; @@ -391,13 +398,14 @@ _dopr(char **sbuffer, int *num; num = va_arg(args, int *); *num = currlen; - } - break; - case '%': - doapr_outch(sbuffer, buffer, &currlen, maxlen, ch); - break; - case 'w': - /* not supported yet, treat as next char */ + } + break; + case '%': + if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch)) + return 0; + break; + case 'w': + /* not supported yet, treat as next char */ ch = *format++; break; default: @@ -415,52 +423,62 @@ _dopr(char **sbuffer, break; } } - *truncated = (currlen > *maxlen - 1); - if (*truncated) - currlen = *maxlen - 1; - doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'); - *retlen = currlen - 1; - return; -} - -static void -fmtstr(char **sbuffer, - char **buffer, - size_t *currlen, - size_t *maxlen, const char *value, int flags, int min, int max) -{ - int padlen, strln; - int cnt = 0; - - if (value == 0) - value = ""; - for (strln = 0; value[strln]; ++strln) ; - padlen = min - strln; - if (padlen < 0) - padlen = 0; - if (flags & DP_F_MINUS) - padlen = -padlen; - - while ((padlen > 0) && (cnt < max)) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - --padlen; - ++cnt; - } - while (*value && (cnt < max)) { - doapr_outch(sbuffer, buffer, currlen, maxlen, *value++); - ++cnt; - } - while ((padlen < 0) && (cnt < max)) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - ++padlen; - ++cnt; - } -} - -static void -fmtint(char **sbuffer, - char **buffer, - size_t *currlen, + *truncated = (currlen > *maxlen - 1); + if (*truncated) + currlen = *maxlen - 1; + if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0')) + return 0; + *retlen = currlen - 1; + return 1; +} + +static int +fmtstr(char **sbuffer, + char **buffer, + size_t *currlen, + size_t *maxlen, const char *value, int flags, int min, int max) +{ + int padlen; + size_t strln; + int cnt = 0; + + if (value == 0) + value = ""; + + strln = strlen(value); + if (strln > INT_MAX) + strln = INT_MAX; + + padlen = min - strln; + if (min < 0 || padlen < 0) + padlen = 0; + if (flags & DP_F_MINUS) + padlen = -padlen; + + while ((padlen > 0) && (cnt < max)) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + --padlen; + ++cnt; + } + while (*value && (cnt < max)) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++)) + return 0; + ++cnt; + } + while ((padlen < 0) && (cnt < max)) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + ++padlen; + ++cnt; + } + return 1; +} + +static int +fmtint(char **sbuffer, + char **buffer, + size_t *currlen, size_t *maxlen, LLONG value, int base, int min, int max, int flags) { int signvalue = 0; @@ -514,43 +532,50 @@ fmtint(char **sbuffer, } if (flags & DP_F_MINUS) spadlen = -spadlen; - - /* spaces */ - while (spadlen > 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - --spadlen; - } - - /* sign */ - if (signvalue) - doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); - - /* prefix */ - while (*prefix) { - doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix); - prefix++; - } - - /* zeros */ - if (zpadlen > 0) { - while (zpadlen > 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); - --zpadlen; - } - } - /* digits */ - while (place > 0) - doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]); - - /* left justified spaces */ - while (spadlen < 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - ++spadlen; - } - return; -} - -static LDOUBLE abs_val(LDOUBLE value) + + /* spaces */ + while (spadlen > 0) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + --spadlen; + } + + /* sign */ + if (signvalue) + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue)) + return 0; + + /* prefix */ + while (*prefix) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix)) + return 0; + prefix++; + } + + /* zeros */ + if (zpadlen > 0) { + while (zpadlen > 0) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0')) + return 0; + --zpadlen; + } + } + /* digits */ + while (place > 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place])) + return 0; + } + + /* left justified spaces */ + while (spadlen < 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + ++spadlen; + } + return 1; +} + +static LDOUBLE abs_val(LDOUBLE value) { LDOUBLE result = value; if (value < 0) @@ -575,13 +600,13 @@ static long roundv(LDOUBLE value) value = value - intpart; if (value >= 0.5) intpart++; - return intpart; -} - -static void -fmtfp(char **sbuffer, - char **buffer, - size_t *currlen, + return intpart; +} + +static int +fmtfp(char **sbuffer, + char **buffer, + size_t *currlen, size_t *maxlen, LDOUBLE fvalue, int min, int max, int flags) { int signvalue = 0; @@ -657,87 +682,107 @@ fmtfp(char **sbuffer, padlen = 0; if (flags & DP_F_MINUS) padlen = -padlen; - - if ((flags & DP_F_ZERO) && (padlen > 0)) { - if (signvalue) { - doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); - --padlen; - signvalue = 0; - } - while (padlen > 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); - --padlen; - } - } - while (padlen > 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - --padlen; - } - if (signvalue) - doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); - - while (iplace > 0) - doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]); - - /* - * Decimal point. This should probably use locale to find the correct - * char to print out. - */ - if (max > 0 || (flags & DP_F_NUM)) { - doapr_outch(sbuffer, buffer, currlen, maxlen, '.'); - - while (fplace > 0) - doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]); - } - while (zpadlen > 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); - --zpadlen; - } - - while (padlen < 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - ++padlen; - } -} - -static void -doapr_outch(char **sbuffer, - char **buffer, size_t *currlen, size_t *maxlen, int c) -{ - /* If we haven't at least one buffer, someone has doe a big booboo */ - assert(*sbuffer != NULL || buffer != NULL); - - if (buffer) { - while (*currlen >= *maxlen) { - if (*buffer == NULL) { - if (*maxlen == 0) - *maxlen = 1024; - *buffer = OPENSSL_malloc(*maxlen); - if (*currlen > 0) { - assert(*sbuffer != NULL); - memcpy(*buffer, *sbuffer, *currlen); - } - *sbuffer = NULL; - } else { - *maxlen += 1024; - *buffer = OPENSSL_realloc(*buffer, *maxlen); - } - } - /* What to do if *buffer is NULL? */ - assert(*sbuffer != NULL || *buffer != NULL); - } - - if (*currlen < *maxlen) { - if (*sbuffer) + + if ((flags & DP_F_ZERO) && (padlen > 0)) { + if (signvalue) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue)) + return 0; + --padlen; + signvalue = 0; + } + while (padlen > 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0')) + return 0; + --padlen; + } + } + while (padlen > 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + --padlen; + } + if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue)) + return 0; + + while (iplace > 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace])) + return 0; + } + + /* + * Decimal point. This should probably use locale to find the correct + * char to print out. + */ + if (max > 0 || (flags & DP_F_NUM)) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.')) + return 0; + + while (fplace > 0) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, + fconvert[--fplace])) + return 0; + } + } + while (zpadlen > 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0')) + return 0; + --zpadlen; + } + + while (padlen < 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + ++padlen; + } + return 1; +} + +#define BUFFER_INC 1024 + +static int +doapr_outch(char **sbuffer, + char **buffer, size_t *currlen, size_t *maxlen, int c) +{ + /* If we haven't at least one buffer, someone has doe a big booboo */ + assert(*sbuffer != NULL || buffer != NULL); + + /* |currlen| must always be <= |*maxlen| */ + assert(*currlen <= *maxlen); + + if (buffer && *currlen == *maxlen) { + if (*maxlen > INT_MAX - BUFFER_INC) + return 0; + + *maxlen += BUFFER_INC; + if (*buffer == NULL) { + *buffer = OPENSSL_malloc(*maxlen); + if (*buffer == NULL) + return 0; + if (*currlen > 0) { + assert(*sbuffer != NULL); + memcpy(*buffer, *sbuffer, *currlen); + } + *sbuffer = NULL; + } else { + char *tmpbuf; + tmpbuf = OPENSSL_realloc(*buffer, *maxlen); + if (tmpbuf == NULL) + return 0; + *buffer = tmpbuf; + } + } + + if (*currlen < *maxlen) { + if (*sbuffer) (*sbuffer)[(*currlen)++] = (char)c; else - (*buffer)[(*currlen)++] = (char)c; - } - - return; -} - -/***************************************************************************/ + (*buffer)[(*currlen)++] = (char)c; + } + + return 1; +} + +/***************************************************************************/ int BIO_printf(BIO *bio, const char *format, ...) { @@ -763,13 +808,17 @@ int BIO_vprintf(BIO *bio, const char *format, va_list args) size_t hugebufsize = sizeof(hugebuf); char *dynbuf = NULL; int ignored; - - dynbuf = NULL; - CRYPTO_push_info("doapr()"); - _dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format, args); - if (dynbuf) { - ret = BIO_write(bio, dynbuf, (int)retlen); - OPENSSL_free(dynbuf); + + dynbuf = NULL; + CRYPTO_push_info("doapr()"); + if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format, + args)) { + OPENSSL_free(dynbuf); + return -1; + } + if (dynbuf) { + ret = BIO_write(bio, dynbuf, (int)retlen); + OPENSSL_free(dynbuf); } else { ret = BIO_write(bio, hugebuf, (int)retlen); } @@ -798,13 +847,14 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...) int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) { - size_t retlen; - int truncated; - - _dopr(&buf, NULL, &n, &retlen, &truncated, format, args); - - if (truncated) - /* + size_t retlen; + int truncated; + + if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args)) + return -1; + + if (truncated) + /* * In case of truncation, return -1 like traditional snprintf. * (Current drafts for ISO/IEC 9899 say snprintf should return the * number of characters that would have been written, had the buffer diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h index fa3520b36..894fed135 100644 --- a/crypto/openssl/crypto/bn/bn.h +++ b/crypto/openssl/crypto/bn/bn.h @@ -69,12 +69,13 @@ * */ -#ifndef HEADER_BN_H -# define HEADER_BN_H - -# include -# ifndef OPENSSL_NO_FP_API -# include /* FILE */ +#ifndef HEADER_BN_H +# define HEADER_BN_H + +# include +# include +# ifndef OPENSSL_NO_FP_API +# include /* FILE */ # endif # include @@ -701,14 +702,23 @@ const BIGNUM *BN_get0_nist_prime_224(void); const BIGNUM *BN_get0_nist_prime_256(void); const BIGNUM *BN_get0_nist_prime_384(void); const BIGNUM *BN_get0_nist_prime_521(void); - -/* library internal functions */ - -# define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\ - (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2)) -# define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words))) -BIGNUM *bn_expand2(BIGNUM *a, int words); -# ifndef OPENSSL_NO_DEPRECATED + +/* library internal functions */ + +# define bn_expand(a,bits) \ + ( \ + bits > (INT_MAX - BN_BITS2 + 1) ? \ + NULL \ + : \ + (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \ + (a) \ + : \ + bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \ + ) + +# define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words))) +BIGNUM *bn_expand2(BIGNUM *a, int words); +# ifndef OPENSSL_NO_DEPRECATED BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */ # endif diff --git a/crypto/openssl/crypto/bn/bn_exp.c b/crypto/openssl/crypto/bn/bn_exp.c index ef67843fc..797d19e91 100644 --- a/crypto/openssl/crypto/bn/bn_exp.c +++ b/crypto/openssl/crypto/bn/bn_exp.c @@ -107,12 +107,13 @@ * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * - */ - -#include "cryptlib.h" -#include "bn_lcl.h" - -/* maximum precomputation table size for *variable* sliding windows */ + */ + +#include "cryptlib.h" +#include "constant_time_locl.h" +#include "bn_lcl.h" + +/* maximum precomputation table size for *variable* sliding windows */ #define TABLE_SIZE 32 /* this one works - simple but works */ @@ -520,41 +521,79 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, * pattern as far as cache lines are concerned. The following functions are * used to transfer a BIGNUM from/to that table. */ - -static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, - unsigned char *buf, int idx, - int width) -{ - size_t i, j; - - if (bn_wexpand(b, top) == NULL) - return 0; + +static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, + unsigned char *buf, int idx, + int window) +{ + int i, j; + int width = 1 << window; + BN_ULONG *table = (BN_ULONG *)buf; + + if (bn_wexpand(b, top) == NULL) + return 0; while (b->top < top) { - b->d[b->top++] = 0; - } - - for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) { - buf[j] = ((unsigned char *)b->d)[i]; - } - - bn_correct_top(b); + b->d[b->top++] = 0; + } + + for (i = 0, j = idx; i < top; i++, j += width) { + table[j] = b->d[i]; + } + + bn_correct_top(b); return 1; } - -static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, - unsigned char *buf, int idx, - int width) -{ - size_t i, j; - - if (bn_wexpand(b, top) == NULL) - return 0; - - for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) { - ((unsigned char *)b->d)[i] = buf[j]; - } - - b->top = top; + +static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, + unsigned char *buf, int idx, + int window) +{ + int i, j; + int width = 1 << window; + volatile BN_ULONG *table = (volatile BN_ULONG *)buf; + + if (bn_wexpand(b, top) == NULL) + return 0; + + if (window <= 3) { + for (i = 0; i < top; i++, table += width) { + BN_ULONG acc = 0; + + for (j = 0; j < width; j++) { + acc |= table[j] & + ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); + } + + b->d[i] = acc; + } + } else { + int xstride = 1 << (window - 2); + BN_ULONG y0, y1, y2, y3; + + i = idx >> (window - 2); /* equivalent of idx / xstride */ + idx &= xstride - 1; /* equivalent of idx % xstride */ + + y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1); + y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1); + y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1); + y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1); + + for (i = 0; i < top; i++, table += width) { + BN_ULONG acc = 0; + + for (j = 0; j < xstride; j++) { + acc |= ( (table[j + 0 * xstride] & y0) | + (table[j + 1 * xstride] & y1) | + (table[j + 2 * xstride] & y2) | + (table[j + 3 * xstride] & y3) ) + & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); + } + + b->d[i] = acc; + } + } + + b->top = top; bn_correct_top(b); return 1; } @@ -645,13 +684,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, /* * Initialize the intermediate result. Do this early to save double * conversion, once each for a^0 and intermediate result. - */ - if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) - goto err; - - /* Initialize computeTemp as a^1 with montgomery precalcs */ + */ + if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) + goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, window)) + goto err; + + /* Initialize computeTemp as a^1 with montgomery precalcs */ computeTemp = BN_CTX_get(ctx); am = BN_CTX_get(ctx); if (computeTemp == NULL || am == NULL) @@ -664,13 +703,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } else aa = a; if (!BN_to_montgomery(am, aa, mont, ctx)) - goto err; - if (!BN_copy(computeTemp, am)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) - goto err; - - /* + goto err; + if (!BN_copy(computeTemp, am)) + goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, window)) + goto err; + + /* * If the window size is greater than 1, then calculate * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1) (even powers * could instead be computed as (a^(i/2))^2 to use the slight performance @@ -679,14 +718,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, if (window > 1) { for (i = 2; i < numPowers; i++) { /* Calculate a^i = a^(i-1) * a */ - if (!BN_mod_mul_montgomery - (computeTemp, am, computeTemp, mont, ctx)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF - (computeTemp, top, powerbuf, i, numPowers)) - goto err; - } - } + if (!BN_mod_mul_montgomery + (computeTemp, am, computeTemp, mont, ctx)) + goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, + window)) + goto err; + } + } /* * Adjust the number of bits up to a multiple of the window size. If the diff --git a/crypto/openssl/crypto/bn/bn_print.c b/crypto/openssl/crypto/bn/bn_print.c index 611765341..aa8432760 100644 --- a/crypto/openssl/crypto/bn/bn_print.c +++ b/crypto/openssl/crypto/bn/bn_print.c @@ -55,12 +55,13 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ - -#include -#include -#include "cryptlib.h" -#include -#include "bn_lcl.h" + +#include +#include +#include +#include "cryptlib.h" +#include +#include "bn_lcl.h" static const char Hex[] = "0123456789ABCDEF"; @@ -186,14 +187,18 @@ int BN_hex2bn(BIGNUM **bn, const char *a) if (*a == '-') { neg = 1; - a++; - } - - for (i = 0; isxdigit((unsigned char)a[i]); i++) ; - - num = i + neg; - if (bn == NULL) - return (num); + a++; + } + + for (i = 0; i <= (INT_MAX/4) && isxdigit((unsigned char)a[i]); i++) + continue; + + if (i > INT_MAX/4) + goto err; + + num = i + neg; + if (bn == NULL) + return (num); /* a is the start of the hex digits, and it is 'i' long */ if (*bn == NULL) { @@ -201,13 +206,13 @@ int BN_hex2bn(BIGNUM **bn, const char *a) return (0); } else { ret = *bn; - BN_zero(ret); - } - - /* i is the number of hex digests; */ - if (bn_expand(ret, i * 4) == NULL) - goto err; - + BN_zero(ret); + } + + /* i is the number of hex digits */ + if (bn_expand(ret, i * 4) == NULL) + goto err; + j = i; /* least significant 'hex' */ m = 0; h = 0; @@ -257,14 +262,18 @@ int BN_dec2bn(BIGNUM **bn, const char *a) return (0); if (*a == '-') { neg = 1; - a++; - } - - for (i = 0; isdigit((unsigned char)a[i]); i++) ; - - num = i + neg; - if (bn == NULL) - return (num); + a++; + } + + for (i = 0; i <= (INT_MAX/4) && isdigit((unsigned char)a[i]); i++) + continue; + + if (i > INT_MAX/4) + goto err; + + num = i + neg; + if (bn == NULL) + return (num); /* * a is the start of the digits, and it is 'i' long. We chop it into @@ -275,13 +284,13 @@ int BN_dec2bn(BIGNUM **bn, const char *a) return (0); } else { ret = *bn; - BN_zero(ret); - } - - /* i is the number of digests, a bit of an over expand; */ - if (bn_expand(ret, i * 4) == NULL) - goto err; - + BN_zero(ret); + } + + /* i is the number of digits, a bit of an over expand */ + if (bn_expand(ret, i * 4) == NULL) + goto err; + j = BN_DEC_NUM - (i % BN_DEC_NUM); if (j == BN_DEC_NUM) j = 0; diff --git a/crypto/openssl/doc/apps/ciphers.pod b/crypto/openssl/doc/apps/ciphers.pod index 01d31ddfc..f763cdc95 100644 --- a/crypto/openssl/doc/apps/ciphers.pod +++ b/crypto/openssl/doc/apps/ciphers.pod @@ -380,17 +380,17 @@ Note: these ciphers can also be used in SSL v3. TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA -=head2 SSL v2.0 cipher suites. - - SSL_CK_RC4_128_WITH_MD5 RC4-MD5 - SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 - SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 - SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 - SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 - SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 - -=head1 NOTES +=head2 SSL v2.0 cipher suites. + + SSL_CK_RC4_128_WITH_MD5 RC4-MD5 + SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. + SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5 + SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. + SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 + SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. + SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 + +=head1 NOTES The non-ephemeral DH modes are currently unimplemented in OpenSSL because there is no support for DH certificates. diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c index 4386ac53b..6739afc9d 100644 --- a/crypto/openssl/ssl/s2_lib.c +++ b/crypto/openssl/ssl/s2_lib.c @@ -94,12 +94,14 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[] = { 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* RC4_128_EXPORT40_WITH_MD5 */ - { - 1, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +# if 0 +/* RC4_128_EXPORT40_WITH_MD5 */ + { + 1, SSL2_TXT_RC4_128_EXPORT40_WITH_MD5, SSL2_CK_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_RC4 | SSL_MD5 | SSL_SSLV2, @@ -107,12 +109,14 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[] = { SSL2_CF_5_BYTE_ENC, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* RC2_128_CBC_WITH_MD5 */ - { - 1, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +# endif + +/* RC2_128_CBC_WITH_MD5 */ + { + 1, SSL2_TXT_RC2_128_CBC_WITH_MD5, SSL2_CK_RC2_128_CBC_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_RC2 | SSL_MD5 | SSL_SSLV2, @@ -120,12 +124,14 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[] = { 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* RC2_128_CBC_EXPORT40_WITH_MD5 */ - { - 1, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +# if 0 +/* RC2_128_CBC_EXPORT40_WITH_MD5 */ + { + 1, SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5, SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_RC2 | SSL_MD5 | SSL_SSLV2, @@ -133,12 +139,14 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[] = { SSL2_CF_5_BYTE_ENC, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* IDEA_128_CBC_WITH_MD5 */ -# ifndef OPENSSL_NO_IDEA - { + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +# endif + +/* IDEA_128_CBC_WITH_MD5 */ +# ifndef OPENSSL_NO_IDEA + { 1, SSL2_TXT_IDEA_128_CBC_WITH_MD5, SSL2_CK_IDEA_128_CBC_WITH_MD5, @@ -148,12 +156,14 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[] = { 128, 128, SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -# endif -/* DES_64_CBC_WITH_MD5 */ - { - 1, + SSL_ALL_STRENGTHS, + }, +# endif + +# if 0 +/* DES_64_CBC_WITH_MD5 */ + { + 1, SSL2_TXT_DES_64_CBC_WITH_MD5, SSL2_CK_DES_64_CBC_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_DES | SSL_MD5 | SSL_SSLV2, @@ -161,12 +171,14 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[] = { 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* DES_192_EDE3_CBC_WITH_MD5 */ - { - 1, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +# endif + +/* DES_192_EDE3_CBC_WITH_MD5 */ + { + 1, SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5, SSL2_CK_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_3DES | SSL_MD5 | SSL_SSLV2, diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 7182bd225..e70cfb5fc 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -1632,12 +1632,19 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) /* * Default is to connect to non-RI servers. When RI is more widely * deployed might change this. - */ - ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; - - return (ret); - err: - SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); + */ + ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + + /* + * Disable SSLv2 by default, callers that want to enable SSLv2 will have to + * explicitly clear this option via either of SSL_CTX_clear_options() or + * SSL_clear_options(). + */ + ret->options |= SSL_OP_NO_SSLv2; + + return (ret); + err: + SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); err2: if (ret != NULL) SSL_CTX_free(ret); diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1 index 9ede83ce0..d3b0a59f5 100644 --- a/secure/usr.bin/openssl/man/ciphers.1 +++ b/secure/usr.bin/openssl/man/ciphers.1 @@ -472,17 +472,17 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3. \& TLS_DHE_DSS_WITH_RC4_128_SHA DHE\-DSS\-RC4\-SHA .Ve .SS "\s-1SSL\s0 v2.0 cipher suites." -.IX Subsection "SSL v2.0 cipher suites." -.Vb 7 -\& SSL_CK_RC4_128_WITH_MD5 RC4\-MD5 -\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP\-RC4\-MD5 -\& SSL_CK_RC2_128_CBC_WITH_MD5 RC2\-MD5 -\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP\-RC2\-MD5 -\& SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA\-CBC\-MD5 -\& SSL_CK_DES_64_CBC_WITH_MD5 DES\-CBC\-MD5 -\& SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES\-CBC3\-MD5 -.Ve -.SH "NOTES" +.IX Subsection "SSL v2.0 cipher suites." +.Vb 7 +\& SSL_CK_RC4_128_WITH_MD5 RC4\-MD5 +\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. +\& SSL_CK_RC2_128_CBC_WITH_MD5 RC2\-CBC\-MD5 +\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. +\& SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA\-CBC\-MD5 +\& SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. +\& SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES\-CBC3\-MD5 +.Ve +.SH "NOTES" .IX Header "NOTES" The non-ephemeral \s-1DH\s0 modes are currently unimplemented in OpenSSL because there is no support for \s-1DH\s0 certificates. -- 2.45.0