Skip to content
  1. Apr 19, 2019
  2. Apr 18, 2019
    • Richard Levitte's avatar
      asn1parse: avoid double free · 18111b13
      Richard Levitte authored
      
      
      |str| was used for multiple conflicting purposes.  When using
      '-strictpem', it's used to uniquely hold a reference to the loaded
      payload.  However, when using '-strparse', |str| was re-used to hold
      the position from where to start parsing.
      
      So when '-strparse' and '-strictpem' are were together, |str| ended up
      pointing into data pointed at by |at|, and was yet being freed, with
      the result that the payload it held a reference to became a memory
      leak, and there was a double free conflict when both |str| and |at|
      were being freed.
      
      The situation is resolved by always having |buf| hold the pointer to
      the file data, and always and only use |str| to hold the position to
      start parsing from.  Now, we only need to free |buf| properly and not
      |str|.
      
      Fixes #8752
      
      Reviewed-by: default avatarMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
      (Merged from https://github.com/openssl/openssl/pull/8753)
      
      (cherry picked from commit 4f29f3a29b8b416a501c7166dbbca5284b198f81)
      18111b13
  3. Apr 16, 2019
  4. Apr 15, 2019
  5. Apr 14, 2019
  6. Apr 10, 2019
  7. Apr 09, 2019
  8. Apr 08, 2019
  9. Apr 06, 2019
  10. Apr 05, 2019
  11. Apr 04, 2019
  12. Apr 03, 2019
  13. Apr 02, 2019
  14. Mar 31, 2019
  15. Mar 30, 2019
  16. Mar 29, 2019
  17. Mar 28, 2019
  18. Mar 27, 2019
    • Jake Massimo's avatar
      Increase rounds of Miller-Rabin testing DH_check · af6ce3b4
      Jake Massimo authored
      DH_check is used to test the validity of Diffie-Hellman parameter sets (p, q, g). Among the tests performed are primality tests on p and q, for this BN_is_prime_ex is called with the rounds of Miller-Rabin set as default. This will therefore use the average case error estimates derived from the function BN_prime_checks_for_size based on the bit size of the number tested.
      
      However, these bounds are only accurate on testing random input. Within this testing scenario, where we are checking the validity of a DH parameter set, we can not assert that these parameters are randomly generated. Thus we must treat them as if they are adversarial in nature and increase the rounds of Miller-Rabin performed.
      
      Generally, each round of Miller-Rabin can declare a composite number prime with probability at most (1/4), thus 64 rounds is sufficient in thwarting known generation techniques (even in safe prime settings - see https://eprint.iacr.org/2019/032
      
       for full analysis). The choice of 64 rounds is also consistent with SRP_NUMBER_ITERATIONS_FOR_PRIME 64 as used in srp_Verify_N_and_g in openssl/apps/s_client.c.
      
      Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/8593)
      
      (cherry picked from commit 2500c093aa1e9c90c11c415053c0a27a00661d0d)
      af6ce3b4
    • Matt Caswell's avatar
      Don't allow SHAKE128/SHAKE256 with HMAC · 66ed53c8
      Matt Caswell authored
      
      
      See discussion in github issue #8563
      
      Fixes #8563
      
      Reviewed-by: default avatarMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
      (Merged from https://github.com/openssl/openssl/pull/8585)
      66ed53c8