- Jun 19, 2018
-
-
Sohaib ul Hassan authored
This commit implements coordinate blinding, i.e., it randomizes the representative of an elliptic curve point in its equivalence class, for prime curves implemented through EC_GFp_simple_method, EC_GFp_mont_method, and EC_GFp_nist_method. This commit is derived from the patch https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley. Coordinate blinding is a generally useful side-channel countermeasure and is (mostly) free. The function itself takes a few field multiplicationss, but is usually only necessary at the beginning of a scalar multiplication (as implemented in the patch). When used this way, it makes the values that variables take (i.e., field elements in an algorithm state) unpredictable. For instance, this mitigates chosen EC point side-channel attacks for settings such as ECDH and EC private key decryption, for the aforementioned curves. For EC_METHODs using different coordinate representations this commit does nothing, but the corresponding coordinate blinding function can be easily added in the future to extend these changes to such curves. Co-authored-by:
Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by:
Billy Brumley <bbrumley@gmail.com> Reviewed-by:
Andy Polyakov <appro@openssl.org> Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6501)
-
- Jun 13, 2018
-
-
Matt Caswell authored
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an ECDSA signature operation. During signing the signer calculates: s:= k^-1 * (m + r * priv_key) mod order The addition operation above provides a sufficient signal for a flush+reload attack to derive the private key given sufficient signature operations. As a mitigation (based on a suggestion from Keegan) we add blinding to the operation so that: s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order Since this attack is a localhost side channel only no CVE is assigned. Reviewed-by:Rich Salz <rsalz@openssl.org>
-
- May 24, 2018
-
-
Matt Caswell authored
When signing or verifying a file using pkeyutl the input is supposed to be a hash. Some algorithms sanity check the length of the input, while others don't and silently truncate. To avoid accidents we check that the length of the input looks sane. Reviewed-by:
-
- May 22, 2018
-
-
Kurt Roeckx authored
Because TLS 1.3 sends more non-application data records some clients run into problems because they don't expect SSL_read() to return and set SSL_ERROR_WANT_READ after processing it. This can cause problems for clients that use blocking I/O and use select() to see if data is available. It can be cleared using SSL_CTX_clear_mode(). Reviewed-by:
-
- May 12, 2018
-
-
Richard Levitte authored
Fixes #4716 Reviewed-by:
-
- May 09, 2018
-
-
Nicola Tuveri authored
Reviewed-by:
Richard Levitte <levitte@openssl.org> Reviewed-by:
-
Billy Brumley authored
Reviewed-by:
-
Billy Brumley authored
Reviewed-by:
-
Billy Brumley authored
* EC_POINT_mul is now responsible for constant time point multiplication (for single fixed or variable point multiplication, when the scalar is in the range [0,group_order), so we need to strip the nonce padding from ECDSA. * Entry added to CHANGES * Updated EC_POINT_mul documentation - Integrate existing EC_POINT_mul and EC_POINTs_mul entries in the manpage to reflect the shift in constant-time expectations when performing a single fixed or variable point multiplication; - Add documentation to ec_method_st to reflect the updated "contract" between callers and implementations of ec_method_st.mul. Reviewed-by:
-
- Apr 19, 2018
-
-
A. Schulze authored
CLA: trivial Reviewed-by:
Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by:
-
- Apr 17, 2018
-
-
Richard Levitte authored
Reviewed-by:
-
- Apr 05, 2018
-
-
Matt Caswell authored
When libssl is initialised it will attempt to load any config file. This ensures any system_default configuration (as per https://github.com/openssl/openssl/pull/4848 ) is used. Reviewed-by:
-
- Apr 04, 2018
-
-
Bernd Edlinger authored
Reviewed-by:
-
- Apr 03, 2018
-
-
Matt Caswell authored
Where a CMS detached signature is used with text content the text goes through a canonicalisation process first prior to signing or verifying a signature. This process strips trailing space at the end of lines, converts line terminators to CRLF and removes additional trailing line terminators at the end of a file. A bug in the canonicalisation process meant that some characters, such as form-feed, were incorrectly treated as whitespace and removed. This is contrary to the specification (RFC5485). This fix could mean that detached text data signed with an earlier version of OpenSSL 1.1.0 may fail to verify using the fixed version, or text data signed with a fixed OpenSSL may fail to verify with an earlier version of OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data and use the "-binary" flag (for the "cms" command line application) or set the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()). Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
Matt Caswell authored
Fix the last release version number in CHANGES Reviewed-by:
-
- Mar 29, 2018
-
-
Dr. Matthias St. Pierre authored
The RAND_DRBG API was added in PR #5462 and modified by PR #5547. This commit adds the corresponding documention. Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> Reviewed-by:
-
- Mar 27, 2018
-
-
Matt Caswell authored
Reviewed-by:
-
- Mar 26, 2018
-
-
Rich Salz authored
Reviewed-by:
-
- Mar 19, 2018
-
-
Matt Caswell authored
Reviewed-by:
-
- Mar 14, 2018
-
-
Matt Caswell authored
Reviewed-by:
-
- Mar 07, 2018
-
-
Viktor Dukhovni authored
With "-multi" the OCSP responder forks multiple child processes, and respawns them as needed. This can be used as a long-running service, not just a demo program. Therefore the index file is automatically re-read when changed. The responder also now optionally times out client requests. Reviewed-by:
-
- Mar 05, 2018
-
-
Matt Caswell authored
Reviewed-by:
-
- Mar 04, 2018
-
-
Rich Salz authored
Reviewed-by:
-
- Mar 02, 2018
-
-
Matt Caswell authored
Reviewed-by:
-
- Feb 23, 2018
-
-
Richard Levitte authored
[extended tests] Reviewed-by:
-
- Feb 13, 2018
-
-
Matt Caswell authored
Reviewed-by: -
Dr. Matthias St. Pierre authored
Removed mixed tabs (converted tabs to eight spaces) Reviewed-by:
-
Dr. Matthias St. Pierre authored
Reviewed-by:
-
- Feb 12, 2018
-
-
Matt Caswell authored
Fix a typo in INSTALL and update the link in CHANGES Reviewed-by:
-
- Feb 07, 2018
-
-
Matt Caswell authored
[extended tests] Reviewed-by:
-
- Jan 29, 2018
-
-
Richard Levitte authored
Reviewed-by:
-
- Jan 28, 2018
-
-
Richard Levitte authored
Reviewed-by:
-
- Jan 23, 2018
-
-
Pauli authored
Support added for these two digests, available only via the EVP interface. Reviewed-by:
-
- Jan 07, 2018
-
-
Richard Levitte authored
Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
- Jan 02, 2018
-
-
Daniel Bevenius authored
Similar to commit 17b60280 ( "Remove extra `the` in SSL_SESSION_set1_id.pod"), this commit removes typos where additional 'the' have been added. Reviewed-by:
-
- Dec 12, 2017
-
-
Richard Levitte authored
Reviewed-by:
-
- Dec 07, 2017
-
-
Richard Levitte authored
Reviewed-by:
-
- Dec 06, 2017
-
-
Matt Caswell authored
Reviewed-by:
-
- Nov 21, 2017
-
-
Paul Yang authored
* Introduce RSA_generate_multi_prime_key to generate multi-prime RSA private key. As well as the following functions: RSA_get_multi_prime_extra_count RSA_get0_multi_prime_factors RSA_get0_multi_prime_crt_params RSA_set0_multi_prime_params RSA_get_version * Support EVP operations for multi-prime RSA * Support ASN.1 operations for multi-prime RSA * Support multi-prime check in RSA_check_key_ex * Support multi-prime RSA in apps/genrsa and apps/speed * Support multi-prime RSA manipulation functions * Test cases and documentation are added * CHANGES is updated Reviewed-by:Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4241)
-
