summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* This commit was manufactured by cvs2git to create tag 'OPENBSD_6_6_BASE'.OPENBSD_6_6_BASEcvs2svn2019-10-100-0/+0
|
* bump internal version to 3.0.2bcook2019-10-101-2/+2
|
* bump to 3.0.2bcook2019-10-101-2/+2
|
* Use EVP_MAX_MD_SIZE instead of SHA_DIGEST_LENGTH and remove OPENSSL_NO_SHA*jsing2019-10-091-7/+2
| | | | | | conditionals, now that this code handles arbitrary message digests. ok inoguchi@ tb@
* Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.tb2019-10-044-11/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (Note that the CMS code is currently disabled.) Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license) tests from bluhm@ ok jsing commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f Author: Bernd Edlinger <bernd.edlinger@hotmail.de> Date: Sun Sep 1 00:16:28 2019 +0200 Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9777) (cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
* Use a valid curve when constructing an EC_KEY that looks like X25519.jsing2019-10-041-2/+3
| | | | | | | | | The recent EC group cofactor change results in stricter validation, which causes the EC_GROUP_set_generator() call to fail. Issue reported and fix tested by rsadowski@ ok tb@
* Provide internal RSA_padding_{add,check}_PKCS1_OAEP_mgf1() functions.jsing2019-10-042-10/+90
| | | | | | | | These are internal only for now and will be made public at a later date. The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around the *_mgf1() variant. ok tb@ inoguchi@ (as part of a larger diff)
* Avoid a path traversal bug in s_server on Windows.bcook2019-10-041-3/+3
| | | | | | | | openssl s_server has an arbitrary read vulnerability on Windows when run with the -WWW or -HTTP options, due to an incomplete path check logic. Thanks to Jobert Abma for reporting. ok tb@
* the formatting for the mini synopses in this page did not render welljmc2019-10-041-115/+179
| | | | | | | on html or groff. the solution, to replace the non-standard .nr macros with a hang list, was provided by ingo - thanks! ok schwarze
* Move towards making RSA OAEP functions handle arbitrary message digests.jsing2019-10-031-53/+59
| | | | | | Based on OpenSSL 1.1.1. ok tb@, inoguchi@ (on an earlier/larger diff)
* bump for LibreSSL 3.0.1libressl-v3.0.1bcook2019-09-301-3/+3
|
* zap trailing whitespace;jmc2019-09-291-3/+3
|
* If a NULL or zero cofactor is passed to EC_GROUP_set_generator(),tb2019-09-293-11/+113
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | try to compute it using Hasse's bound. This works as long as the cofactor is small enough. Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license) tests & ok inoguchi input & ok jsing commit 30c22fa8b1d840036b8e203585738df62a03cec8 Author: Billy Brumley <bbrumley@gmail.com> Date: Thu Sep 5 21:25:37 2019 +0300 [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9781)
* Xr random 4 in a better wayderaadt2019-09-281-3/+5
|
* Add comment line saying S is described vaguely on purpose.otto2019-09-141-2/+3
| | | | Prompted by guenther@
* document EVP_PKEY_CTX_get_signature_md(3);schwarze2019-09-101-4/+17
| | | | jsing@ provided it in evp.h rev. 1.77
* Plug memory leak in error paths. Found while comparing this filetb2019-09-091-5/+5
| | | | | | with OpenSSL 1.1.1's version which contains a similar fix. ok jsing
* Provide EVP_PKEY_CTX_get_signature_md() macro and implement thejsing2019-09-094-7/+25
| | | | | | | | EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the upcoming RSA CMS code. ok inoguchi@ tb@
* Load CMS error strings.jsing2019-09-091-1/+5
|
* Move #include <openssl/cms.h> to more appropriate location (since it isjsing2019-09-091-3/+2
| | | | now being installed).
* Install the openssl/cms.h header.jsing2019-09-091-1/+3
| | | | | | | | This header includes OPENSSL_NO_CMS guards, so even if things find the header it provides no useful content (and other code should technically also be using OPENSSL_NO_CMS...). ok deraadt@ inoguchi@
* Add CMS ECC support.jsing2019-09-081-2/+370
| | | | | | | | This brings in EC code from OpenSSL 1.1.1b, with style(9) and whitespace cleanups. All of this code is currently under OPENSSL_NO_CMS hence is a no-op. ok inoguchi@
* Add various macros and controls for EC_PKEY_CTX.jsing2019-09-064-28/+316
| | | | | | | | | These are needed for the upcoming EC CMS support (nothing else appears to use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b. With input from inoguchi@ and tb@. ok inoguchi@ tb@
* Handle CMS PEM headers.jsing2019-09-061-1/+11
| | | | ok inoguchi@ tb@
* Add objects for ECDH schemes in RFC 5753.jsing2019-09-052-0/+32
| | | | | | Based on OpenSSL 1.1.1b. ok inoguchi@ tb@
* Build ecdh_kdf.cjsing2019-09-051-2/+2
|
* Replace OPENSSL_cleanse() with explicit_bzero().jsing2019-09-051-1/+1
|
* Provide prototype for ecdh_KDF_X9_63()jsing2019-09-051-1/+7
|
* Include correct header.jsing2019-09-051-1/+1
|
* style(9) and whitespace.jsing2019-09-051-65/+72
|
* Restore per-file license/copyright removed in OpenSSL commit 4f22f40507f.jsing2019-09-051-5/+48
|
* Remove ECDH_KDF_X9_62 wrapper.jsing2019-09-051-12/+0
|
* Provide ECDH KDF for X9.63 as needed for CMS ECC.jsing2019-09-051-0/+81
| | | | | | From OpenSSL 1.1.1b. ok tb@ inoguchi@
* Feed the bntest output to bc(1). This checks the result of the bigbluhm2019-09-052-13/+16
| | | | | | num calculations and avoids lots of ugly output to stdout. Remove fflush(3) of stderr, it is unbuffered anyway. with Moritz Buhl
* Document EVP_PKEY_get0(3), EVP_PKEY_assign_GOST(3), EVP_PKEY_assign(3),schwarze2019-09-012-31/+116
| | | | | and EVP_PKEY_set_type(3). While here, clarify a few points regarding reference count and type checking.
* mop up resolver.3 rename; ok deraadtjmc2019-08-305-15/+15
|
* mop up for inet_net rename; ok deraadtjmc2019-08-303-9/+9
|
* adapt to bitstring(3) renaming, and look at that bit_ffs(3) is the actualderaadt2019-08-301-3/+3
| | | | | name we want to Xr... ok jmc
* Move 4 manual pages from not-a-function filenames to a correct filename,deraadt2019-08-306-16/+16
| | | | | and correct Xr. ok jmc
* Remove unnecessary NULL check before free function in openssl(1) dgstinoguchi2019-08-301-11/+6
|
* Wrap lines over 80 cols and put space before goto label in openssl(1) dgstinoguchi2019-08-301-20/+30
|
* Simplify checking and more readable descriptions in openssl(1) dgstinoguchi2019-08-301-8/+8
| | | | suggested from jsing@
* Convert openssl(1) dgst to the newer style of option handlinginoguchi2019-08-301-99/+216
| | | | | | | | Adapt openssl(1) dgst command to new option handling. Added dgst_options struct and option handlers, and replaced for-if-strcmp handling with options_parse(). ok bcook@ jsing@
* new manual page AES_encrypt(3)schwarze2019-08-284-5/+181
|
* document OCSP_parse_url(3)schwarze2019-08-271-6/+75
|
* document OCSP_cert_status_str(3)schwarze2019-08-271-3/+19
|
* document OCSP_response_status_str(3)schwarze2019-08-271-4/+19
|
* document i2a_ASN1_INTEGER(3)schwarze2019-08-261-5/+50
|
* document ASN1_put_object(3) and ASN1_put_eoc(3)schwarze2019-08-263-3/+186
|
* document ASN1_OCTET_STRING_cmp(3), ASN1_OCTET_STRING_dup(3), andschwarze2019-08-261-12/+45
| | | | ASN1_OCTET_STRING_set(3)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-27 22:17:41 +0000