- Jul 24, 2018
Richard Levitte authored
On the same note, change the 'NASM not found' message to give specific advice on how to handle the failure. Fixes #6765 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6771) (cherry picked from commit 8937a4ed)
-
- Jul 22, 2018
Andy Polyakov authored
ecp_nistz256_set_from_affine is called when an application attempts to use a custom generator, i.e. rarely. Even though it was wrong, it didn't affect point operations; they were just not as fast as expected. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6738) (cherry picked from commit 8fc4aeb9)
-
Andy Polyakov authored
The ecp_nistz256_scatter_w7 function is called when an application attempts to use a custom generator, i.e. rarely. Even though non-x86_64 versions were wrong, it didn't affect point operations; they were just not as fast as expected. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6738) (cherry picked from commit 87a75b3e)
-
Andy Polyakov authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6738) (cherry picked from commit f40e0a34)
-
Andy Polyakov authored
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6758) (cherry picked from commit 708c28f2)
-
Richard Levitte authored
Fixes #6755 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6759) (cherry picked from commit ddbe700e)
-
Richard Levitte authored
As per RFC 7292. Fixes #6665 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6708) (cherry picked from commit b709babb)
-
- Jul 18, 2018
Andy Polyakov authored
It was a false positive, but one can as well view it as a readability issue. Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions with a signed dividend vs. 1 (one) with unsigned. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 83e03437)
-
- Jul 14, 2018
Andy Polyakov authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5254) (cherry picked from commit 582ad5d4)
-
Andy Polyakov authored
"Computationally constant-time" means that it might still leak information about the input's length, but only in cases when the input is missing complete BN_ULONG limbs. But even then a leak is possible only if the attacker can observe the memory access pattern with limb granularity. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5254) (cherry picked from commit 89d8aade)
-
- Jul 13, 2018
Alexandre Perrin authored
Change the description for BN_hex2bn() so that it uses the same BIGNUM argument name as its prototype. CLA: trivial Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6712)
-
- Jul 12, 2018
Andy Polyakov authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: David Benjamin <davidben@google.com> (Merged from https://github.com/openssl/openssl/pull/6662) (cherry picked from commit 6c90182a)
-
Andy Polyakov authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: David Benjamin <davidben@google.com> (Merged from https://github.com/openssl/openssl/pull/6662) (cherry picked from commit 3c97e412)
-
Andy Polyakov authored
Trouble is that addition is postponing expansion till the carry is calculated, and if the addition carries, the top word can be zero, which triggers an assertion in bn_check_top. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: David Benjamin <davidben@google.com> (Merged from https://github.com/openssl/openssl/pull/6662) (cherry picked from commit e42395e6)
-
- Jul 11, 2018
Richard Levitte authored
We need to check that __GNUC__ is defined before trying to use it. This demands a slightly different way to define DECLARE_DEPRECATED. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6688)
-
Richard Levitte authored
To avoid the possibility that someone creates rem.exe, rem.bat or rem.cmd, simply don't use it. In the cases it was used, it was to avoid empty lines, but it turns out that nmake handles those fine, so no harm done. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/6686) (cherry picked from commit 1b6a0a26)
-
Richard Levitte authored
It seems that nmake first tries to run executables on its own, and only passes commands to cmd if that fails. That means it's possible to have nmake run something like 'echo.exe' when the builtin 'echo' command was expected, which might give us unexpected results. To get around this, we create our own echoing script and call it explicitly from the nmake makefile. Fixes #6670 Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/6686) (cherry picked from commit 9abce88b)
-
- Jul 10, 2018
Richard Levitte authored
The reason is that we override Text::Template::append_text_to_output(), and it didn't exist before Text::Template 1.46. Fixes #6641 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6682) (cherry picked from commit 4e351ca9)
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6682) (cherry picked from commit f7dce50f)
-
Richard Levitte authored
This enables us to require module versions, and to fall back to a bundled version if the system version is too low. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6682) (cherry picked from commit e9bc5706)
-
- Jul 06, 2018
Bernd Edlinger authored
[extended tests] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6663)
-
- Jul 04, 2018
Richard Levitte authored
Fixes #6644 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6645) (cherry picked from commit a9cf71a3)
-
- Jul 03, 2018
Matt Caswell authored
We should validate that the various fields we put into the CertificateRequest are not too long. Otherwise we will construct an invalid message. Fixes #6609 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6628)
-
- Jul 02, 2018
Matt Caswell authored
Fixes #6574 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6594)
-
Andy Polyakov authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6614)
-
- Jul 01, 2018
Andy Polyakov authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6615) (cherry picked from commit ce5eb5e8)
-
- Jun 29, 2018
Pauli authored
In ssl/t1_lib.c. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6613) (cherry picked from commit 8eab767a)
-
- Jun 28, 2018
Rich Salz authored
Fixes uninitialized memory read reported by Nick Mathewson Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6603) (cherry picked from commit 10c3c1c1)
-
- Jun 25, 2018
Richard Levitte authored
The 1.1.1 branch has a different location for documentation; this is the obvious result of a cherry-pick from there. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6589)
-
Richard Levitte authored
This function is documented to be deprecated since OpenSSL 1.1.0. We need to make it so in openssl/ssl.h as well. Fixes #6565 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6588) (cherry picked from commit 71419442)
-
- Jun 24, 2018
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6581) (cherry picked from commit dc6c374b)
-
- Jun 23, 2018
Kurt Roeckx authored
The parameters were switched Reviewed-by: Rich Salz <rsalz@openssl.org> GH: #6578 (cherry picked from commit eaf39a9f)
-
Richard Levitte authored
We don't want an indentation step inside an 'extern "C" {' .. '}' block. Apparently, cc-mode has a c-offsets-alist keyword to allow exactly this. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6557) (cherry picked from commit 89731128)
-
- Jun 22, 2018
Andy Polyakov authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 2e51557b)
-
- Jun 21, 2018
David von Oheimb authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6227) (cherry picked from commit b8c32081)
-
Nick Mathewson authored
Also, modernize the code, so that it isn't trying to store a size_t into an int, and then check the int's sign. :/ Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6271) (cherry picked from commit c8c25033)
-
Nick Mathewson authored
In previous versions of OpenSSL, the documentation for PEM_read_* said: "The callback B<must> return the number of characters in the passphrase or 0 if an error occurred." But since c82c3462, 0 is now treated as a non-error return value. Applications that want to indicate an error need to return -1 instead. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6271) (cherry picked from commit bbbf752a)
-
Billy Brumley authored
(cherry picked from commit 01fd5df77d401c87f926552ec24c0a09e5735006) Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6549)
-
Andy Polyakov authored
Triggered by Coverity analysis. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 7d859d1c) Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6549)
-
Matt Caswell authored
This extends the recently added ECDSA signature blinding to blind DSA too. This is based on side channel attacks demonstrated by Keegan Ryan (NCC Group) for ECDSA which are likely to be able to be applied to DSA.

Normally, as in ECDSA, during signing the signer calculates:

    s := k^-1 * (m + r * priv_key) mod order

In ECDSA, the addition operation above provides a sufficient signal for a flush+reload attack to derive the private key given sufficient signature operations. As a mitigation (based on a suggestion from Keegan) we add blinding to the operation so that:

    s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only, no CVE is assigned. This commit also tweaks the previous ECDSA blinding so that blinding is only removed at the last possible step.

Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6523)
-