- May 08, 2019
-
-
Tobias Nießen authored
This change allows to pass the authentication tag after specifying the AAD in CCM mode. This is already true for the other two supported AEAD modes (GCM and OCB) and it seems appropriate to match the behavior. GCM and OCB also support to set the tag at any point before the call to `EVP_*Final`, but this won't work for CCM due to a restriction imposed by section 2.6 of RFC3610: The tag must be set before actually decrypting data. This commit also adds a test case for setting the tag after supplying plaintext length and AAD. Reviewed-by:
Paul Dale <paul.dale@oracle.com> Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7243) (cherry picked from commit 67c81ec311d696464bdbf4c6d6f8a887a3ddf9f8)
-
- May 07, 2019
-
-
Matt Caswell authored
Fixes #8875 Reviewed-by:
-
- Apr 25, 2019
-
-
Guido Vranken authored
Return error if the output tag buffer size doesn't match the tag size exactly. This prevents the caller from using that portion of the tag buffer that remains uninitialized after an otherwise succesfull call to CRYPTO_ccm128_tag. Bug found by OSS-Fuzz. Fix suggested by Kurt Roeckx. Signed-off-by:
Guido Vranken <guidovranken@gmail.com> Reviewed-by:
Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by:
-
- Apr 16, 2019
-
-
Tomas Mraz authored
Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by:
-
Tomas Mraz authored
Reviewed-by:
-
- Apr 14, 2019
-
-
Bernd Edlinger authored
This happens in ec_key_simple_check_key and EC_GROUP_check. Since the the group order is not a secret scalar, it is unnecessary to use coordinate blinding. Fixes: #8731 Reviewed-by:
-
- Apr 10, 2019
-
-
Shane Lontis authored
Reviewed-by:
Richard Levitte <levitte@openssl.org> Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Richard Levitte authored
Even with custome ciphers, the combination in == NULL && inl == 0 should not be passed down to the backend cipher function. The reason is that these are the values passed by EVP_*Final, and some of the backend cipher functions do check for these to see if a "final" call is made. Fixes #8675 Reviewed-by:
-
Richard Levitte authored
'no-dso' is meaningless, as it doesn't get any macro defined. Therefore, we remove all checks of OPENSSL_NO_DSO. However, there may be some odd platforms with no DSO scheme. For those, we generate the internal macro DSO_NONE aand use it. Reviewed-by:
-
- Apr 09, 2019
-
-
Matt Caswell authored
If using a custom X509_LOOKUP_METHOD then calls to X509_STORE_CTX_get_by_subject may crash due to an incorrectly initialised X509_OBJECT being passed to the callback get_by_subject function. Fixes #8673 Reviewed-by:
-
- Apr 06, 2019
-
-
Bernd Edlinger authored
Reviewed-by:
-
- Apr 05, 2019
-
-
Richard Levitte authored
It was assumed that the config functionality returned a boolean. However, it may return a negative number on error, so we need to take that into account. Reviewed-by:
-
- Apr 03, 2019
-
-
Tomas Mraz authored
This prevents failure of openssl s_server socket binding to wildcard address on hosts with disabled IPv6. Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> Reviewed-by:
-
- Apr 02, 2019
-
-
Richard Levitte authored
I turns out that this made crypto/rand/rand_win.c to never build with BCrypt support unless the user sets _WIN32_WINNT. That wasn't the intent. This reverts commit cc8926ec . Reviewed-by:
-
Dr. Matthias St. Pierre authored
BCryptGenRandom() is available for Windows Vista and newer versions, see https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/nf-bcrypt-bcryptgenrandom Reviewed-by:
-
Richard Levitte authored
This helps decide if the BCrypt API should be used or not. Fixes #8635 Reviewed-by:
-
- Mar 30, 2019
-
-
Shane Lontis authored
Reviewed-by:
-
- Mar 29, 2019
-
-
Soujyu Tanaka authored
Revert win32_pathbyaddr() which is used in DSO_dsobyaddr(). Reviewed-by:
-
Soujyu Tanaka authored
Reviewed-by:
-
Soujyu Tanaka authored
Replace it with InitializeCriticalSection() Reviewed-by:
-
- Mar 28, 2019
-
-
Matt Caswell authored
Fixes #8589 Reviewed-by:
-
- Mar 27, 2019
-
-
Jake Massimo authored
DH_check is used to test the validity of Diffie-Hellman parameter sets (p, q, g). Among the tests performed are primality tests on p and q, for this BN_is_prime_ex is called with the rounds of Miller-Rabin set as default. This will therefore use the average case error estimates derived from the function BN_prime_checks_for_size based on the bit size of the number tested. However, these bounds are only accurate on testing random input. Within this testing scenario, where we are checking the validity of a DH parameter set, we can not assert that these parameters are randomly generated. Thus we must treat them as if they are adversarial in nature and increase the rounds of Miller-Rabin performed. Generally, each round of Miller-Rabin can declare a composite number prime with probability at most (1/4), thus 64 rounds is sufficient in thwarting known generation techniques (even in safe prime settings - see https://eprint.iacr.org/2019/032 for full analysis). The choice of 64 rounds is also consistent with SRP_NUMBER_ITERATIONS_FOR_PRIME 64 as used in srp_Verify_N_and_g in openssl/apps/s_client.c. Reviewed-by:
-
Matt Caswell authored
See discussion in github issue #8563 Fixes #8563 Reviewed-by:
-
Matt Caswell authored
Fixes #8567 Reviewed-by:
-
Matt Caswell authored
We treat that as automatic success. Other EVP_*Update functions already do this (e.g. EVP_EncryptUpdate, EVP_DecryptUpdate etc). EVP_EncodeUpdate is a bit of an anomoly. That treats 0 byte input length as an error. Fixes #8576 Reviewed-by:
Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8587) (cherry picked from commit a8274ea351988aa754cb9983b27d7059613ee11e)
-
- Mar 22, 2019
-
-
Bernd Edlinger authored
constant time with a memory access pattern that does not depend on secret information. [extended tests] Reviewed-by:
-
Bernd Edlinger authored
[extended tests] Reviewed-by:
-
Pauli authored
Reviewed-by:
-
- Mar 21, 2019
-
-
Dmitry Belyavskiy authored
Reviewed-by:
-
- Mar 20, 2019
-
-
Richard Levitte authored
Great effort has been made to make initialization more configurable. However, the behavior of OPENSSL_config() was lost in the process, having it suddenly generate errors it didn't previously, which is not how it's documented to behave. A simple setting of default flags fixes this problem. Fixes #8528 Reviewed-by:
-
- Mar 19, 2019
-
-
Hua Zhang authored
There are some compiling errors for mips32r6 and mips64r6: crypto/bn/bn-mips.S:56: Error: opcode not supported on this processor: mips2 (mips2) `mulu $1,$12,$7' crypto/mips_arch.h: Assembler messages: crypto/mips_arch.h:15: Error: junk at end of line, first unrecognized character is `&' Signed-off-by:
Hua Zhang <hua.zhang1974@hotmail.com> Reviewed-by:
-
Richard Levitte authored
Fixes #8495 Reviewed-by:
-
Shane Lontis authored
Reviewed-by:
-
- Mar 18, 2019
-
-
Bernd Edlinger authored
The secret point R can be recovered from S using the equation R = S - P. The X and Z coordinates should be sufficient for that. Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Daniel Axtens authored
There are two copy-paste errors in handling CTR mode. When dealing with a 2 or 3 block tail, the code branches to the CBC decryption exit path, rather than to the CTR exit path. This can lead to data corruption: in the Linux kernel we have a copy of this file, and the bug leads to corruption of the IV, which leads to data corruption when we call the encryption function again later to encrypt subsequent blocks. Originally reported to the Linux kernel by Ondrej Mosnáček <omosnacek@gmail.com> CLA: trivial Reviewed-by:
-
- Mar 15, 2019
-
-
Dr. Matthias St. Pierre authored
Fixes #8487 Amends #7230 Reviewed-by:
-
- Mar 11, 2019
-
-
Shane Lontis authored
Reviewed-by:
-
- Mar 07, 2019
-
-
Bernd Edlinger authored
Reviewed-by:
-
