A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.3.1 2020-12-04T08:55:30+00:00 2020-12-04T08:55:30+00:00 tb 2020-12-04T08:55:30+00:00 urn:sha1:19beb136cce42fbe56d004577d27ddc0ca69f793 Bad API design makes it possible to set an EC_KEY public key to a point not on the curve. As a consequence, it was possible to have bogus ECDSA signatures validated. In practice, all software uses either EC_POINT_oct2point*() to unmarshal public keys or issues a call to EC_KEY_check_key() after setting it. This way, a point on curve check is performed and the problem is mitigated. In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia Kasper moved the point-on-curve check from EC_POINT_oct2point to EC_POINT_set_affine_coordinates_*, which results in more checking. In addition to this commit, we also check in the currently unused codepath of a user set callback for setting compressed coordinates, just in case this will be used at some point in the future. The documentation of EC_KEY_check_key() is very vague on what it checks and when checks are needed. It could certainly be improved a lot. It's also strange that EC_KEY_set_key() performs no checks, while EC_KEY_set_public_key_affine_coordinates() implicitly calls EC_KEY_check_key(). It's a mess. Issue found and reported by Guido Vranken who also tested an earlier version of this fix. ok jsing 2020-06-05T17:12:09+00:00 jsing 2020-06-05T17:12:09+00:00 urn:sha1:372a12a5475c24c2858db2b25bf642082d1b6820 These GOST curves are defined in RFC 7836 and draft-deremin-rfc4491-bis. Add aliases for 256-bit GOST curves (see draft-smyshlyaev-tls12-gost-suites) and rename the 512-bit curve ids to follow names defined in tc26 OID registry. Diff from Dmitry Baryshkov <dbaryshkov@gmail.com> Sponsored by ROSA Linux. ok inoguchi@ 2019-09-29T10:09:09+00:00 tb 2019-09-29T10:09:09+00:00 urn:sha1:5d19ba5fbb605cdab0233383db708bad870da750 try to compute it using Hasse's bound. This works as long as the cofactor is small enough. Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license) tests & ok inoguchi input & ok jsing commit 30c22fa8b1d840036b8e203585738df62a03cec8 Author: Billy Brumley <bbrumley@gmail.com> Date: Thu Sep 5 21:25:37 2019 +0300 [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9781) 2019-09-09T20:26:16+00:00 tb 2019-09-09T20:26:16+00:00 urn:sha1:d49d20054e040ce4430db9cfc4805d021c35c549 with OpenSSL 1.1.1's version which contains a similar fix. ok jsing 2019-09-09T18:06:26+00:00 jsing 2019-09-09T18:06:26+00:00 urn:sha1:18a2a567e136745ffdad4c3346ee0b435f927909 EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the upcoming RSA CMS code. ok inoguchi@ tb@ 2019-09-09T17:56:00+00:00 jsing 2019-09-09T17:56:00+00:00 urn:sha1:b80e4b6d577f24dd4a0a25bf26adc1fbc6f8310b now being installed). 2019-09-08T17:00:05+00:00 jsing 2019-09-08T17:00:05+00:00 urn:sha1:633c0b7b298b56e623ca77728f2044b8179ed6fd This brings in EC code from OpenSSL 1.1.1b, with style(9) and whitespace cleanups. All of this code is currently under OPENSSL_NO_CMS hence is a no-op. ok inoguchi@ 2019-09-06T17:59:25+00:00 jsing 2019-09-06T17:59:25+00:00 urn:sha1:428d94e41ffb941e459939409f837aa7a3ab188c These are needed for the upcoming EC CMS support (nothing else appears to use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b. With input from inoguchi@ and tb@. ok inoguchi@ tb@ 2019-05-10T19:15:06+00:00 bcook 2019-05-10T19:15:06+00:00 urn:sha1:1acf1dca346bb7d5709e09f8ca115fbec8cea94e Fixes COV-186146 ok tb, beck 2019-01-19T01:18:56+00:00 tb 2019-01-19T01:18:56+00:00 urn:sha1:b06dfc928cc93f45b249d94d8d77a37df942bf31