A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_6_4_BASE 2018-07-10T21:36:02+00:00 2018-07-10T21:36:02+00:00 tb 2018-07-10T21:36:02+00:00 urn:sha1:1160f4fd0218eb9c7787e1e38bb7f7e10e73e6bc leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate a microoptimization that only converts the relevant part of the digest to a bignum. ok beck, jsing 2018-06-16T08:11:33+00:00 tb 2018-06-16T08:11:33+00:00 urn:sha1:5f165a6af7d0904da0c24e42868d1d9802b35c06 2018-06-15T19:24:13+00:00 tb 2018-06-15T19:24:13+00:00 urn:sha1:37a490a3eb5e6f687e99e269bbb85a8a39b124db the usual idiom. All the allocations are now handled inside conditionals as is usually done in this part of the tree. Turn a few comments into actual sentences and remove a few self-evident ones. Change outdated or cryptic comments into more helpful annotations. In ecdsa_do_verify(), start calculating only after properly truncating the message digest. More consistent variable names: prefer 'order_bits' and 'point' over 'i' and 'tmp_point'. ok jsing 2018-06-15T05:00:41+00:00 tb 2018-06-15T05:00:41+00:00 urn:sha1:51d162df4fc8b5327e3235d2baef79ffbaf42258 an upcoming diff. 2018-06-14T18:51:01+00:00 tb 2018-06-14T18:51:01+00:00 urn:sha1:685cc27d67759afe790d85e2f16a4eea7624758f reduce the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok jsing 2018-06-13T15:05:04+00:00 jsing 2018-06-13T15:05:04+00:00 urn:sha1:70f6c28ec4997461a2ea714457e95ada1c2287ef This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@ 2018-04-28T14:17:56+00:00 tb 2018-04-28T14:17:56+00:00 urn:sha1:14f45f5c33b8fb98a6fccb34d3a680c55fbf306b this is OpennSSL commit 4a089bbdf11f9e231cc68f42bba934c954d81a49. ok beck, jsing Original commit message: commit 4a089bbdf11f9e231cc68f42bba934c954d81a49 Author: Pauli <paul.dale@oracle.com> Date: Wed Nov 1 06:58:39 2017 +1000 Address a timing side channel whereby it is possible to determine some information about the length of the scalar used in ECDSA operations from a large number (2^32) of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4576)] 2018-04-14T07:09:21+00:00 tb 2018-04-14T07:09:21+00:00 urn:sha1:0c5418014797b1fadca3f270eb2f140fd6f5bdf8 OpenSSL commit 7c96dbcdab9 by Rich Salz. This cleans up the caller side quite a bit and reduces the number of lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net shows that almost nothing checks the return value of ENGINE_finish(). While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'. ok jsing, tested by & ok inoguchi 2018-03-17T15:24:44+00:00 tb 2018-03-17T15:24:44+00:00 urn:sha1:c7258cf3d366e4675ae1398659213748993af23e ok jsing 2017-05-02T03:59:45+00:00 deraadt 2017-05-02T03:59:45+00:00 urn:sha1:5904cc0e04409fde39a97e6580535da34eeb4291 reduces conditional logic (-218, +82). MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely. Passes regress. ok beck