Skip to content
  1. May 22, 2019
  3. May 21, 2019
  5. May 08, 2019
    • Tobias Nießen's avatar
      Allow specifying the tag after AAD in CCM mode · b48e3be9
      Tobias Nießen authored 
      

This change allows to pass the authentication tag after specifying
the AAD in CCM mode. This is already true for the other two supported
AEAD modes (GCM and OCB) and it seems appropriate to match the
behavior.

GCM and OCB also support to set the tag at any point before the call
to `EVP_*Final`, but this won't work for CCM due to a restriction
imposed by section 2.6 of RFC3610: The tag must be set before
actually decrypting data.

This commit also adds a test case for setting the tag after supplying
plaintext length and AAD.

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7243)

(cherry picked from commit 67c81ec311d696464bdbf4c6d6f8a887a3ddf9f8)
      b48e3be9
  7. Apr 10, 2019
  9. Apr 06, 2019
  11. Mar 27, 2019
  13. Mar 21, 2019
  15. Mar 06, 2019
    • Matt Caswell's avatar
      Prevent over long nonces in ChaCha20-Poly1305 · f426625b
      Matt Caswell authored 
      

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However it
also incorrectly allows a nonce to be set of up to 16 bytes. In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.

It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.

CVE-2019-1543

Fixes #8345

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit 2a3d0ee9)
      f426625b
  17. Dec 22, 2018
  19. Dec 10, 2018
  21. Nov 20, 2018
  23. Oct 02, 2018
  25. Sep 21, 2018
  27. Sep 13, 2018
  29. Sep 11, 2018
  31. Sep 07, 2018
  33. Sep 06, 2018
  35. Sep 05, 2018
  37. Aug 07, 2018
  39. Aug 06, 2018
  41. Aug 03, 2018
  43. Aug 01, 2018
  45. Jul 12, 2018
  47. Jul 06, 2018
  49. Jun 29, 2018
  51. Jun 20, 2018
  53. Jun 19, 2018
  55. Jun 18, 2018
  57. Jun 08, 2018
  59. Jun 03, 2018
  61. Apr 17, 2018
  63. Apr 13, 2018
    • Matt Caswell's avatar
      Add support for the SRP base64 alphabet · 3fd59700
      Matt Caswell authored 
      Historically we used to implement standalone base64 code for SRP. This
was replaced by commit 3d3f21aa

 with the standard base64 processing code.

However, the SRP base64 code was designed to be compatible with other SRP
libraries (notably libsrp, but also others) that use a variant of standard
base64. Specifically a different alphabet is used and no padding '='
characters are used. Instead 0 padding is added to the front of the string.
By changing to standard base64 we change the behaviour of the API which may
impact interoperability. It also means that SRP verifier files created prior
to 1.1.1 would not be readable in 1.1.1 and vice versa.

Instead we expand our standard base64 processing with the capability to be
able to read and generate the SRP base64 variant.

Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)
      3fd59700
    • Matt Caswell's avatar
      Change SRP functions to use EVP_EncodeUpdate/EVP_DecodeUpdate functions · c0804614
      Matt Caswell authored 
      

Previously they were using EVP_EncodeBlock/EVP_DecodeBlock. These are low
level functions that do not handle padding characters. This was causing
the SRP code to fail. One side effect of using EVP_EncodeUpdate is that
it inserts newlines which is not what we need in SRP so we add a flag to
avoid that.

Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)
      c0804614