- Sep 04, 2018
-
-
Richard Levitte authored
Reviewed-by:
Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7112)
-
Matt Caswell authored
They did not make it clear how the memory management works for the |pctx| parameter. Reviewed-by:
-
Jakub Wilk authored
The default input format is PEM, so explicit "-inform DER" is needed to read DER-encoded CRL. CLA: trivial Reviewed-by:
Paul Yang <yang.yang@baishancloud.com> Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7094) (cherry picked from commit 785e614a) (cherry picked from commit e25fc6b5)
-
Matt Caswell authored
Just remove that statement. It's not been true since 2005. Reviewed-by:
Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/6906)
-
- Sep 03, 2018
-
-
Pauli authored
Reviewed-by:
-
- Sep 02, 2018
-
-
Eric Brown authored
This trivial patch removes a duplicated call to ASN1_INTEGER_set. Fixes Issue #6977 Signed-off-by:
Eric Brown <browne@vmware.com> Reviewed-by:
Andy Polyakov <appro@openssl.org> Reviewed-by:
Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6984) (cherry picked from commit 59701e63)
-
- Aug 28, 2018
-
-
Andy Polyakov authored
(cherry picked from commit 324b9560 ) Reviewed-by:
-
Andy Polyakov authored
(cherry picked from commit e02c519c ) Resolved conflicts: crypto/bn/bn_blind.c Reviewed-by:
-
Andy Polyakov authored
In [most common] case of p and q being of same width, it's possible to replace CRT modulo operations with Montgomery reductions. And those are even fixed-length Montgomery reductions... (cherry picked from commit 41bfd5e7 ) Resolved conflicts: crypto/rsa/rsa_eay.c Reviewed-by:
-
Andy Polyakov authored
Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top. Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove memset in bn_from_montgomery_word. (cherry picked from commit fcc4ee09 ) Resolved conflicts: crypto/bn/bn_mod.c crypto/bn_int.h Reviewed-by:
-
- Aug 27, 2018
-
-
Hubert Kario authored
the option is provided in the -help message of the s_server utility but it is not documented in the man page, this fixes it Reviewed-by:
-
- Aug 17, 2018
-
-
Andy Polyakov authored
Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6916) (cherry picked from commit 0da7358b) Resolved conflicts: crypto/x509v3/v3_purp.c
-
- Aug 14, 2018
-
-
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6957)
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Richard Levitte authored
Just as was done recently for i2d_ASN1_OBJECT, we also make i2d_ASN1_BOOLEAN comply with the documentation. Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6943)
-
- Aug 11, 2018
-
-
Richard Levitte authored
Since 0.9.7, all i2d_ functions were documented to allocate an output buffer if the user didn't provide one, under these conditions (from the 1.0.2 documentation): For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be allocated for a buffer and the encoded data written to it. In this case B<*out> is not incremented and it points to the start of the data just written. i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL output buffer was provided. Fixes #6914 Reviewed-by:Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6918) (cherry picked from commit 61140415)
-
- Aug 10, 2018
-
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
It was false positive, but one can as well view it as readability issue. Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions with signed dividend vs. 1 (one) with unsigned. Reviewed-by:
-
Andy Polyakov authored
"Computationally constant-time" means that it might still leak information about input's length, but only in cases when input is missing complete BN_ULONG limbs. But even then leak is possible only if attacker can observe memory access pattern with limb granularity. Reviewed-by:
-
- Aug 07, 2018
-
-
Richard Levitte authored
Reviewed-by:
-
- Aug 01, 2018
-
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
(back-ported from commit 37132c97 ) Reviewed-by:
-
Billy Brumley authored
Those even order that do not play nicely with Montgomery arithmetic (back-ported from commit 3a6a4a93 ) Reviewed-by:
-
Andy Polyakov authored
New implementation failed to correctly reset r->neg flag. Spotted by OSSFuzz. Reviewed-by:
-
Andy Polyakov authored
Originally suggested solution for "Return Of the Hidden Number Problem" is arguably too expensive. While it has marginal impact on slower curves, none to ~6%, optimized implementations suffer real penalties. Most notably sign with P-256 went more than 2 times[!] slower. Instead, just implement constant-time BN_mod_add_quick. Reviewed-by:
-
Andy Polyakov authored
Note that exported functions maintain original behaviour, so that external callers won't observe difference. While internally we can now perform Montogomery multiplication on fixed-length vectors, fixed at modulus size. The new functions, bn_to_mont_fixed_top and bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use them even outside bn, e.g. in RSA, DSA, ECDSA... Reviewed-by:
-
Andy Polyakov authored
The new flag marks vectors that were not treated with bn_correct_top, in other words such vectors are permitted to be zero padded. For now it's BN_DEBUG-only flag, as initial use case for zero-padded vectors would be controlled Montgomery multiplication/exponentiation, not general purpose. For general purpose use another type might be more appropriate. Advantage of this suggestion is that it's possible to back-port it... bn/bn_div.c: fix memory sanitizer problem. bn/bn_sqr.c: harmonize with BN_mul. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Trouble is that addition is postponing expansion till carry is calculated, and if addition carries, top word can be zero, which triggers assertion in bn_check_top. Reviewed-by:
-
- Jul 26, 2018
-
-
Kurt Roeckx authored
Reviewed-by:
-
Kurt Roeckx authored
The old numbers where all generated for an 80 bit security level. But the number should depend on security level you want to reach. For bigger primes we want a higher security level and so need to do more tests. Reviewed-by:
-
Kurt Roeckx authored
This changes the security level from 100 to 128 bit. We only have 1 define, this sets it to the highest level supported for DSA, and needed for keys larger than 3072 bit. Reviewed-by:
-
- Jul 25, 2018
-
-
Rich Salz authored
Thanks to Jiecheng Wu, Zuxing Gu for the report. Reviewed-by:
-
- Jul 23, 2018
-
-
Andy Polyakov authored
ecp_nistz256_set_from_affine is called when application attempts to use custom generator, i.e. rarely. Even though it was wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by:
-
- Jul 22, 2018
-
-
Richard Levitte authored
As per RFC 7292. Fixes #6665 Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6708) (cherry picked from commit b709babb)
-
- Jul 13, 2018
-
-
Alexandre Perrin authored
Change the description for BN_hex2bn() so that it uses the same BIGNUM argument name as its prototype. CLA: trivial Reviewed-by:
-
