openbsd/src/lib, branch libressl-v3.0.1 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.0.1 2019-09-30T07:56:14+00:00 bump for LibreSSL 3.0.1 2019-09-30T07:56:14+00:00 bcook 2019-09-30T07:56:14+00:00 urn:sha1:e0e087c630862e12b332f9d7bdabaeca460c538d zap trailing whitespace; 2019-09-29T16:30:35+00:00 jmc 2019-09-29T16:30:35+00:00 urn:sha1:636626a8886eb9c68c9ab9328b4270ba95482eeb If a NULL or zero cofactor is passed to EC_GROUP_set_generator(), 2019-09-29T10:09:09+00:00 tb 2019-09-29T10:09:09+00:00 urn:sha1:5d19ba5fbb605cdab0233383db708bad870da750 try to compute it using Hasse's bound. This works as long as the cofactor is small enough. Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license) tests & ok inoguchi input & ok jsing commit 30c22fa8b1d840036b8e203585738df62a03cec8 Author: Billy Brumley <bbrumley@gmail.com> Date: Thu Sep 5 21:25:37 2019 +0300 [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9781) Xr random 4 in a better way 2019-09-28T15:00:44+00:00 deraadt 2019-09-28T15:00:44+00:00 urn:sha1:5f24aac68172fe082be82e041834d6d8f2ff3592 Add comment line saying S is described vaguely on purpose. 2019-09-14T13:16:50+00:00 otto 2019-09-14T13:16:50+00:00 urn:sha1:1403c773c21872e9d09f3939eaca11814e22d31d Prompted by guenther@ document EVP_PKEY_CTX_get_signature_md(3); 2019-09-10T19:44:32+00:00 schwarze 2019-09-10T19:44:32+00:00 urn:sha1:686f7ef651a46ffa877695c1d55c055523653f56 jsing@ provided it in evp.h rev. 1.77 Plug memory leak in error paths. Found while comparing this file 2019-09-09T20:26:16+00:00 tb 2019-09-09T20:26:16+00:00 urn:sha1:d49d20054e040ce4430db9cfc4805d021c35c549 with OpenSSL 1.1.1's version which contains a similar fix. ok jsing Provide EVP_PKEY_CTX_get_signature_md() macro and implement the 2019-09-09T18:06:26+00:00 jsing 2019-09-09T18:06:26+00:00 urn:sha1:18a2a567e136745ffdad4c3346ee0b435f927909 EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the upcoming RSA CMS code. ok inoguchi@ tb@ Load CMS error strings. 2019-09-09T17:56:21+00:00 jsing 2019-09-09T17:56:21+00:00 urn:sha1:c146bc97665a82b9895f2ad378d2f00bb0978c03 Move #include <openssl/cms.h> to more appropriate location (since it is 2019-09-09T17:56:00+00:00 jsing 2019-09-09T17:56:00+00:00 urn:sha1:b80e4b6d577f24dd4a0a25bf26adc1fbc6f8310b now being installed).