- 21 Jun, 2018 4 commits
-
-
Billy Brumley authored
(cherry picked from commit 01fd5df77d401c87f926552ec24c0a09e5735006) Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by:
Paul Dale <paul.dale@oracle.com> Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6549)
-
Andy Polyakov authored
Triggered by Coverity analysis. Reviewed-by:
Rich Salz <rsalz@openssl.org> (cherry picked from commit 7d859d1c ) Reviewed-by:
-
Matt Caswell authored
This extends the recently added ECDSA signature blinding to blind DSA too. This is based on side channel attacks demonstrated by Keegan Ryan (NCC Group) for ECDSA which are likely to be able to be applied to DSA. Normally, as in ECDSA, during signing the signer calculates: s:= k^-1 * (m + r * priv_key) mod order In ECDSA, the addition operation above provides a sufficient signal for a flush+reload attack to derive the private key given sufficient signature operations. As a mitigation (based on a suggestion from Keegan) we add blinding to the operation so that: s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order Since this attack is a localhost side channel only no CVE is assigned. This commit also tweaks the previous ECDSA blinding so that blinding is only removed at the last possible step. Reviewed-by:
-
Richard Levitte authored
Fixes #6544 Reviewed-by:
-
- 18 Jun, 2018 5 commits
-
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Jack Bates authored
Reviewed-by:
Matt Caswell <matt@openssl.org> (cherry picked from commit 693be9a2) (Merged from https://github.com/openssl/openssl/pull/5750)
-
- 15 Jun, 2018 1 commit
-
-
Bernd Edlinger authored
Prevent a possible recursion in ERR_get_state and fix the problem that was pointed out in commit aef84bb4 differently. Fixes: #6493 Reviewed-by:
-
- 13 Jun, 2018 1 commit
-
-
Matt Caswell authored
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an ECDSA signature operation. During signing the signer calculates: s:= k^-1 * (m + r * priv_key) mod order The addition operation above provides a sufficient signal for a flush+reload attack to derive the private key given sufficient signature operations. As a mitigation (based on a suggestion from Keegan) we add blinding to the operation so that: s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order Since this attack is a localhost side channel only no CVE is assigned. Reviewed-by:
-
- 12 Jun, 2018 2 commits
-
-
Nicola Tuveri authored
Reviewed-by:
-
Guido Vranken authored
CVE-2018-0732 Signed-off-by:
Guido Vranken <guidovranken@gmail.com> (cherry picked from commit 91f7361f ) Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
- 11 Jun, 2018 1 commit
-
-
Richard Levitte authored
Fixes #6449 Reviewed-by:
-
- 09 Jun, 2018 1 commit
-
-
Andy Polyakov authored
This module is used only with odd input lengths, i.e. not used in normal PKI cases, on contemporary processors. The problem was "illuminated" by fuzzing tests. Reviewed-by:
-
- 08 Jun, 2018 1 commit
-
-
Mingtao Yang authored
Upon a call to CRYPTO_ocb128_setiv, either directly on an OCB_CTX or indirectly with EVP_CTRL_AEAD_SET_IVLEN, reset the nonce-dependent variables in the OCB_CTX. Reviewed-by:
Andy Polyakov <appro@openssl.org> Reviewed-by:
-
- 07 Jun, 2018 1 commit
-
-
Marcus Huewe authored
If the remove_session_cb accesses the session's data (for instance, via SSL_SESSION_get_protocol_version), a potential use after free can occur. For this, consider the following scenario when adding a new session via SSL_CTX_add_session: - The session cache is full (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) - Only the session cache has a reference to ctx->session_cache_tail (that is, ctx->session_cache_tail->references == 1) Since the cache is full, remove_session_lock is called to remove ctx->session_cache_tail from the cache. That is, it SSL_SESSION_free()s the session, which free()s the data. Afterwards, the free()d session is passed to the remove_session_cb. If the callback accesses the session's data, we have a use after free. The free before calling the callback behavior was introduced in commit e4612d02 ("Remove sessions from external cache, even if internal cache not used."). CLA: trivial Reviewed-by:
-
- 05 Jun, 2018 2 commits
-
-
Rich Salz authored
Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
- 02 Jun, 2018 1 commit
-
-
Ken Goldman authored
ECDSA_SIG_new() returns NULL on error. Reviewed-by:
Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by:
-
- 31 May, 2018 2 commits
-
-
Richard Levitte authored
Just because an engine implements algorithm methods, that doesn't mean it also implements the ASN1 method. Therefore, be careful when looking for an ASN1 method among all engines, don't try to use one that doesn't exist. Fixes #6381 Reviewed-by:
-
Richard Levitte authored
XN_FLAG_COMPAT has a unique property, its zero for value. This means it needs special treatment; if it has been set (which can only be determined indirectly) and set alone (*), no other flags should be set. (*) if any other nameopt flag has been set by the user, compatibility mode is blown away. Reviewed-by:
-
- 30 May, 2018 1 commit
-
-
Mingtao Yang authored
OpenSSL 1.1.0 made the X509_LOOKUP_METHOD structure opaque, so applications that were previously able to define a custom lookup method are not able to be ported. This commit adds getters and setters for each of the current fields of X509_LOOKUP_METHOD, along with getters and setters on several associated opaque types (such as X509_LOOKUP and X509_OBJECT). Reviewed-by:
-
- 29 May, 2018 1 commit
-
-
Matt Caswell authored
Thanks to Guido Vranken and OSSFuzz for finding this issue. Reviewed-by:
-
- 26 May, 2018 1 commit
-
-
Bernd Edlinger authored
[extended tests] Reviewed-by:
-
- 24 May, 2018 2 commits
-
-
David Benjamin authored
TlsGetValue clears the last error even on success, so that callers may distinguish it successfully returning NULL or failing. This error-mangling behavior interferes with the caller's use of GetLastError. In particular SSL_get_error queries the error queue to determine whether the caller should look at the OS's errors. To avoid destroying state, save and restore the Windows error. Fixes #6299. Reviewed-by:
-
Matt Caswell authored
We check that the curve name associated with the point is the same as that for the curve. Fixes #6302 Reviewed-by:
-
- 23 May, 2018 2 commits
-
-
Viktor Dukhovni authored
Only check the CN against DNS name contraints if the `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the certificate has no DNS subject alternative names or the `X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set. Add pertinent documentation, and touch up some stale text about name checks and DANE. Reviewed-by:
-
Viktor Dukhovni authored
Don't apply DNS name constraints to the subject CN when there's a least one DNS-ID subjectAlternativeName. Don't apply DNS name constraints to subject CN's that are sufficiently unlike DNS names. Checked name must have at least two labels, with all labels non-empty, no trailing '.' and all hyphens must be internal in each label. In addition to the usual LDH characters, we also allow "_", since some sites use these for hostnames despite all the standards. Reviewed-by:
-
- 21 May, 2018 2 commits
-
-
Tilman Keskinöz authored
NULL-check for cipher is redundant, instead check if cipher->name is NULL While here fix formatting of BIO_printf calls as suggested by Andy Polyakov. CLA: trivial Reviewed-by:
-
Matt Caswell authored
If the lengths of both names is 0 then don't attempt to do a memcmp. Issue reported by Simon Friedberger, Robert Merget and Juraj Somorovsky. Reviewed-by:
-
- 20 May, 2018 3 commits
-
-
Richard Levitte authored
This adds the possibility to exclude files by regexp in util/copy.pl Partial fix for #3254 Reviewed-by:
-
Richard Levitte authored
--quiet stops warnings of this sort: Cannot find "BIO_read_ex" in podpath: cannot find suitable replacement path, cannot resolve link We know what causes these warnings, it's perfectly innocuous, and we don't want to hear it any more. Partial fix for #3254 Reviewed-by: -
Richard Levitte authored
A previous change of this function introduced a fragility when the destination happens to be the same as the source. Such alias isn't recommended, but could still happen, for example in this kind of code: X509_NAME *subject = X509_get_issuer_name(x); /* ... some code passes ... */ X509_set_issuer_name(x, subject); Fixes #4710 Reviewed-by:
-
- 19 May, 2018 1 commit
-
-
Bernd Edlinger authored
Thanks to Darovskikh Andrei for for reporting this issue. Fixes: #5785 Fixes: #6302 Cherry-picked from f91e026e (without test/bntest.c) Reviewed-by:
-
- 18 May, 2018 1 commit
-
-
FdaSilvaYY authored
because there are actually 17 curves defined, but only 16 are plugged for ecdsa test. Deduce array size using OSSL_NELEM and so remove various magic numbers, which required some declarations moving. Implement OPT_PAIR list search without a null-ending element. Fix some comparison between signed and unsigned integer expressions. cherry-picking from commit 5c6a69f5 . Partial Back-port of #6133 to 1.1.0 Reviewed-by:
-
- 17 May, 2018 2 commits
-
-
Matt Caswell authored
Experiments have shown that the lookup table used by BN_GF2m_mod_arr introduces sufficient timing signal to recover the private key for an attacker with access to cache timing information on the victim's host. This only affects binary curves (which are less frequently used). No CVE is considered necessary for this issue. The fix is to replace the lookup table with an on-the-fly calculation of the value from the table instead, which can be performed in constant time. Thanks to Youngjoo Shin for reporting this issue. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- 16 May, 2018 1 commit
-
-
Richard Levitte authored
There are *roff parsers that are strict about the NAME section being one line only. The man(7) on Debian GNU/Linux suggests that this is appropriate, so we compensate our multi-line NAME sections by fixing the *roff output. Noted by Eric S. Raymond Related to #6264 Reviewed-by:
-
- 15 May, 2018 1 commit
-
-
Matt Caswell authored
The TLS code marks records as read when its finished using a record. The DTLS code did not do that. However SSL_has_pending() relies on it. So we should make DTLS consistent. Reviewed-by:
-
