- Mar 28, 2019
-
-
Paul Monson authored
CLA: trivial Reviewed-by:
Paul Dale <paul.dale@oracle.com> Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8590) (cherry picked from commit 0b885f72)
-
Dmitry Belyavskiy authored
Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
Matt Caswell authored
Fixes #8589 Reviewed-by:
-
- Mar 27, 2019
-
-
Jake Massimo authored
DH_check is used to test the validity of Diffie-Hellman parameter sets (p, q, g). Among the tests performed are primality tests on p and q, for this BN_is_prime_ex is called with the rounds of Miller-Rabin set as default. This will therefore use the average case error estimates derived from the function BN_prime_checks_for_size based on the bit size of the number tested. However, these bounds are only accurate on testing random input. Within this testing scenario, where we are checking the validity of a DH parameter set, we can not assert that these parameters are randomly generated. Thus we must treat them as if they are adversarial in nature and increase the rounds of Miller-Rabin performed. Generally, each round of Miller-Rabin can declare a composite number prime with probability at most (1/4), thus 64 rounds is sufficient in thwarting known generation techniques (even in safe prime settings - see https://eprint.iacr.org/2019/032 for full analysis). The choice of 64 rounds is also consistent with SRP_NUMBER_ITERATIONS_FOR_PRIME 64 as used in srp_Verify_N_and_g in openssl/apps/s_client.c. Reviewed-by:
-
Matt Caswell authored
See discussion in github issue #8563 Fixes #8563 Reviewed-by:
Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/8585)
-
Matt Caswell authored
Fixes #8567 Reviewed-by:
-
Matt Caswell authored
We treat that as automatic success. Other EVP_*Update functions already do this (e.g. EVP_EncryptUpdate, EVP_DecryptUpdate etc). EVP_EncodeUpdate is a bit of an anomoly. That treats 0 byte input length as an error. Fixes #8576 Reviewed-by:
-
Dr. Matthias St. Pierre authored
Reported by Mak Kolybabi Reviewed-by:
-
- Mar 25, 2019
-
-
Hubert Kario authored
not specifying the digest both on command line and in the config file will lead to response generation aborting with 140617514493760:error:2F098088:time stamp routines:ts_CONF_lookup_fail: \ cannot find config variable:crypto/ts/ts_conf.c:106:tsr_test::signer_digest Reviewed-by:
-
- Mar 22, 2019
-
-
Bernd Edlinger authored
constant time with a memory access pattern that does not depend on secret information. [extended tests] Reviewed-by:
-
Bernd Edlinger authored
[extended tests] Reviewed-by:
-
Pauli authored
Reviewed-by:
-
- Mar 21, 2019
-
-
Dmitry Belyavskiy authored
Reviewed-by:
Richard Levitte <levitte@openssl.org> Reviewed-by:
-
- Mar 20, 2019
-
-
Lorinczy Zsigmond authored
So far, it only handled hash-and-algorithm pairs from TLS1.2, now it also handles 'schemes' defined in TLS1.3 like 0x0807=ed25519 or 0x0809=rsa_pss_pss_sha256 Now it prints information in one of these formats: ... Algorithm scheme=ecdsa_secp256r1_sha256, security bits=128 ... TLS1.3 ... Algorithm digest=SHA384, algorithm=DSA, security bits=192 ... TLS1.2 ... Algorithm scheme=unknown(0x0e01), security bits=128 ... unhandled case To implement this added three new lookup-tables: signature_tls13_scheme_list, signature_tls12_alg_list, signature_tls12_hash_list. Also minor changes in 'security_callback_debug', eg adding variable 'show_nm' to indicate if we should show 'nm'. Also coding-styles fixes from matcaswell Reviewed-by:
-
Richard Levitte authored
Great effort has been made to make initialization more configurable. However, the behavior of OPENSSL_config() was lost in the process, having it suddenly generate errors it didn't previously, which is not how it's documented to behave. A simple setting of default flags fixes this problem. Fixes #8528 Reviewed-by:
-
Shane Lontis authored
Reviewed-by:
-
- Mar 19, 2019
-
-
Matt Caswell authored
DSA can accept other digests other than SHA1. EC ignores the digest option altogether. Fixes #8425 Reviewed-by:
-
Vitezslav Cizek authored
The ecdh_c array is allocated of the same size as ecdh_choices, whose size depends on whether the support for binary curves is enabled or not. (The same goes for ecdsa_c). On systems without SIGALRM, ecdh_c is indexed by predefined constants intended for representing the index of the ciphers in the ecdh_choices array. However, in case of NO_EC2M some of the #defined constants won't match and would actually access the ecdh_c out-of-bounds. Use enum instead of a macro to define the curve indexes so they're within the bounds of the ecdh_c array. Reviewed-by:
-
Vitezslav Cizek authored
openssl speed doesn't take into account that the library could be compiled without the support for the binary curves and happily uses them, which results in EC_GROUP_new_by_curve_name() errors. Reviewed-by:
-
Dr. Matthias St. Pierre authored
The indentation in the Configure file is currently very strange when viewed in an editor with a tab width of four spaces, because it has mixed tab-and-whitespace indentation, which was apparently done with a tab width of eight spaces. This commit converts all tabs to spaces using expand(1) with default settings. To verify that there are only whitespace changes, use git show --ignore-space-change <this commit> Reviewed-by: -
Hua Zhang authored
There are some compiling errors for mips32r6 and mips64r6: crypto/bn/bn-mips.S:56: Error: opcode not supported on this processor: mips2 (mips2) `mulu $1,$12,$7' crypto/mips_arch.h: Assembler messages: crypto/mips_arch.h:15: Error: junk at end of line, first unrecognized character is `&' Signed-off-by:
Hua Zhang <hua.zhang1974@hotmail.com> Reviewed-by:
-
Richard Levitte authored
Fixes #8495 Reviewed-by:
-
Shane Lontis authored
Reviewed-by:
-
- Mar 18, 2019
-
-
Bernd Edlinger authored
The secret point R can be recovered from S using the equation R = S - P. The X and Z coordinates should be sufficient for that. Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Daniel Axtens authored
There are two copy-paste errors in handling CTR mode. When dealing with a 2 or 3 block tail, the code branches to the CBC decryption exit path, rather than to the CTR exit path. This can lead to data corruption: in the Linux kernel we have a copy of this file, and the bug leads to corruption of the IV, which leads to data corruption when we call the encryption function again later to encrypt subsequent blocks. Originally reported to the Linux kernel by Ondrej Mosnáček <omosnacek@gmail.com> CLA: trivial Reviewed-by:
-
Shane Lontis authored
Reviewed-by:
Paul Yang <yang.yang@baishancloud.com> Reviewed-by:
-
- Mar 15, 2019
-
-
Dr. Matthias St. Pierre authored
Fixes #8487 Amends #7230 Reviewed-by:
-
- Mar 13, 2019
-
-
Nicola Tuveri authored
Fixes #8462 (cherry picked from commit 81d61a62faa809e6c51f5fc2b86fb0d31146fd5e) Reviewed-by:
-
Matt Caswell authored
Also make various changes to bring the file into line with current coding style. Fixes #8456 Reviewed-by:
-
- Mar 11, 2019
-
-
Shane Lontis authored
Reviewed-by:
-
- Mar 10, 2019
-
-
A. Schulze authored
CLA: trivial Reviewed-by:
-
- Mar 07, 2019
-
-
Bernd Edlinger authored
Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/8365) (cherry picked from commit f0e4a860)
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
of RSA_private_decrypt/RSA_public_encrypt. Reviewed-by:
-
Bernd Edlinger authored
Fixes #8364 and #8357 Reviewed-by:
-
Bernd Edlinger authored
Fixes #8416 Reviewed-by:
-
Matt Caswell authored
The previous commit fixed an underflow that may occur in ecp_nistp521.c. This commit adds a test for that condition. It is heavily based on an original test harness by Billy Brumley. Reviewed-by:
Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8405) (cherry picked from commit 6855b496b205c067ecb276221c31c6212f4fdbae)
-
Matt Caswell authored
The function felem_diff_128_64 in ecp_nistp521.c substracts the number |in| from |out| mod p. In order to avoid underflow it first adds 32p mod p (which is equivalent to 0 mod p) to |out|. The comments and variable naming suggest that the original author intended to add 64p mod p. In fact it has been shown that with certain unusual co-ordinates it is possible to cause an underflow in this function when only adding 32p mod p while performing a point double operation. By changing this to 64p mod p the underflow is avoided. It turns out to be quite difficult to construct points that satisfy the underflow criteria although this has been done and the underflow demonstrated. However none of these points are actually on the curve. Finding points that satisfy the underflow criteria and are also *on* the curve is considered significantly more difficult. For this reason we do not believe that this issue is currently practically exploitable and therefore no CVE has been assigned. This only impacts builds using the enable-ec_nistp_64_gcc_128 Configure option. With thanks to Bo-Yin Yang, Billy Brumley and Dr Liu for their significant help in investigating this issue. Reviewed-by:
-
