Skip to content
  1. Jun 21, 2018
    • Matt Caswell's avatar
      Add blinding to a DSA signature · 7f9822a4
      Matt Caswell authored
      
      
      This extends the recently added ECDSA signature blinding to blind DSA too.
      
      This is based on side channel attacks demonstrated by Keegan Ryan (NCC
      Group) for ECDSA which are likely to be able to be applied to DSA.
      
      Normally, as in ECDSA, during signing the signer calculates:
      
      s:= k^-1 * (m + r * priv_key) mod order
      
      In ECDSA, the addition operation above provides a sufficient signal for a
      flush+reload attack to derive the private key given sufficient signature
      operations.
      
      As a mitigation (based on a suggestion from Keegan) we add blinding to
      the operation so that:
      
      s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
      
      Since this attack is a localhost side channel only no CVE is assigned.
      
      This commit also tweaks the previous ECDSA blinding so that blinding is
      only removed at the last possible step.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6522)
      7f9822a4
  2. Jun 19, 2018
    • Sohaib ul Hassan's avatar
      Implement coordinate blinding for EC_POINT · f667820c
      Sohaib ul Hassan authored
      This commit implements coordinate blinding, i.e., it randomizes the
      representative of an elliptic curve point in its equivalence class, for
      prime curves implemented through EC_GFp_simple_method,
      EC_GFp_mont_method, and EC_GFp_nist_method.
      
      This commit is derived from the patch
      https://marc.info/?l=openssl-dev&m=131194808413635
      
       by Billy Brumley.
      
      Coordinate blinding is a generally useful side-channel countermeasure
      and is (mostly) free. The function itself takes a few field
      multiplicationss, but is usually only necessary at the beginning of a
      scalar multiplication (as implemented in the patch). When used this way,
      it makes the values that variables take (i.e., field elements in an
      algorithm state) unpredictable.
      
      For instance, this mitigates chosen EC point side-channel attacks for
      settings such as ECDH and EC private key decryption, for the
      aforementioned curves.
      
      For EC_METHODs using different coordinate representations this commit
      does nothing, but the corresponding coordinate blinding function can be
      easily added in the future to extend these changes to such curves.
      
      Co-authored-by: default avatarNicola Tuveri <nic.tuv@gmail.com>
      Co-authored-by: default avatarBilly Brumley <bbrumley@gmail.com>
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6501)
      f667820c
  3. Jun 13, 2018
    • Matt Caswell's avatar
      Add blinding to an ECDSA signature · a3e9d5aa
      Matt Caswell authored
      
      
      Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
      ECDSA signature operation. During signing the signer calculates:
      
      s:= k^-1 * (m + r * priv_key) mod order
      
      The addition operation above provides a sufficient signal for a
      flush+reload attack to derive the private key given sufficient signature
      operations.
      
      As a mitigation (based on a suggestion from Keegan) we add blinding to
      the operation so that:
      
      s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
      
      Since this attack is a localhost side channel only no CVE is assigned.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      a3e9d5aa
  4. May 24, 2018
  5. May 22, 2018
    • Kurt Roeckx's avatar
      Enable SSL_MODE_AUTO_RETRY by default · 693cf80c
      Kurt Roeckx authored
      
      
      Because TLS 1.3 sends more non-application data records some clients run
      into problems because they don't expect SSL_read() to return and set
      SSL_ERROR_WANT_READ after processing it.
      
      This can cause problems for clients that use blocking I/O and use
      select() to see if data is available. It can be cleared using
      SSL_CTX_clear_mode().
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      GH: #6260
      693cf80c
  6. May 12, 2018
  7. May 09, 2018
  8. Apr 19, 2018
  9. Apr 17, 2018
  10. Apr 05, 2018
  11. Apr 04, 2018
  12. Apr 03, 2018
    • Matt Caswell's avatar
      Fix a text canonicalisation bug in CMS · bcc63714
      Matt Caswell authored
      
      
      Where a CMS detached signature is used with text content the text goes
      through a canonicalisation process first prior to signing or verifying a
      signature. This process strips trailing space at the end of lines, converts
      line terminators to CRLF and removes additional trailing line terminators
      at the end of a file. A bug in the canonicalisation process meant that
      some characters, such as form-feed, were incorrectly treated as whitespace
      and removed. This is contrary to the specification (RFC5485). This fix
      could mean that detached text data signed with an earlier version of
      OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
      signed with a fixed OpenSSL may fail to verify with an earlier version of
      OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
      and use the "-binary" flag (for the "cms" command line application) or set
      the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
      
      Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5790)
      bcc63714
    • Matt Caswell's avatar
      Fix CHANGES · ba505435
      Matt Caswell authored
      
      
      Fix the last release version number in CHANGES
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5852)
      ba505435
  13. Mar 29, 2018
  14. Mar 27, 2018
  15. Mar 26, 2018
  16. Mar 19, 2018
  17. Mar 14, 2018
  18. Mar 07, 2018
    • Viktor Dukhovni's avatar
      Implement multi-process OCSP responder. · 3e3c7c36
      Viktor Dukhovni authored
      
      
      With "-multi" the OCSP responder forks multiple child processes,
      and respawns them as needed.  This can be used as a long-running
      service, not just a demo program.  Therefore the index file is
      automatically re-read when changed.  The responder also now optionally
      times out client requests.
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      3e3c7c36
  19. Mar 05, 2018
  20. Mar 04, 2018
  21. Mar 02, 2018
  22. Feb 23, 2018
  23. Feb 13, 2018
  24. Feb 12, 2018
  25. Feb 07, 2018
  26. Jan 29, 2018
  27. Jan 28, 2018
  28. Jan 23, 2018
  29. Jan 07, 2018
  30. Jan 02, 2018
  31. Dec 12, 2017
  32. Dec 07, 2017
  33. Dec 06, 2017