|  | Commit message (Collapse) | Author | Files | Lines | 
|---|
|  | Makes code more robust and reduces differences with OpenSSL.
ok inoguchi@ | 
|  | exponent.
From OpenSSL 1.1.1d.
ok inoguchi@ | 
|  | Assign and test, explicitly test against NULL and use calloc() rather than
malloc.
ok inoguchi@ | 
|  | ok inoguchi@ | 
|  | Write the documentation from scratch. | 
|  | and EVP_PKEY_CTX_*_ecdh_*(3); from Antoine Salon <asalon at vmware dot com>
via OpenSSL commit 87103969 Oct 1 14:11:57 2018 -0700
from the OpenSSL 1.1.1 branch, which is still under a free license | 
|  | and EVP_PKEY_CTX_get1_id_len(3), but make it sound more like English text;
from Paul Yang via OpenSSL commit f922dac8 Sep 6 10:36:11 2018 +0800
from the OpenSSL 1.1.1 branch, which is still under a free license | 
|  | from Stephen Henson via OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000 | 
|  |  | 
|  |  | 
|  |  | 
|  | This syncs the RSA OAEP code with OpenSSL 1.1.1d, correctly handling OAEP
padding and providing various OAEP related controls.
ok inoguchi@ tb@ | 
|  | This handles controls with a message digest by name, looks up the message
digest and then proxies the control through with the EVP_MD *.
This is internal only for now and will be used in upcoming RSA related
changes.
Based on OpenSSL 1.1.1d.
ok inoguchi@ tb@ | 
|  | ok tb@ | 
|  | Just like pfctl(8)'s -N, this flag only avoid DNS;
"nc -vz ::1 socks" still works.
Fix documentation by copying pfctl's wording.
OK deraadt | 
|  | These are internal only for now.
Based on OpenSSL 1.1.1d.
ok inoguchi@ | 
|  | For now these are internal only.
From OpenSSL 1.1.1d.
ok inoguchi@ | 
|  | and symbol addition. | 
|  | This will be used by upcoming RSA-PSS code.
ok tb@ | 
|  | This will be soon used as an optimisation and reduces the differences
between OpenSSL.
ok tb@ | 
|  | This is a wrapper around EVP_PKEY_CTX_ctrl() which requires the key to be
either RSA or RSA-PSS.
From OpenSSL 1.1.1d.
ok tb@ | 
|  | ok tb@ | 
|  | OK kn@ | 
|  | for tls, since the socket is shut down without calling tls_close().
Since nc appears to have a problem with this in other shutdown() cases
I am simply going to bake a new diff for this.
noticed by bluhm@. | 
|  | Update RSA_padding_check_PKCS1_OAEP_mgf1() with code from OpenSSL 1.1.1d
(with some improvements/corrections to comments).
This brings in code to make the padding check constant time.
ok inoguchi@ tb@ | 
|  | goes away. This allows for using nc in cases where the network server
will no longer expect anything after eof, instead of hanging waiting
for more input from our end.
Additionaly, shut down if tls is in use if either side of the socket
goes away, since we higher level TLS operations (tls_read and write)
will require the socket to be both readable and writable as we can
get TLS_WANT_POLLIN or TLS_WANT_POLLOUT on either operation.
deraadt@ buying it.  found by sthen@ | 
|  | the top of the error stack in constant time.
This will be used by upcoming RSA changes.
From OpenSSL 1.1.1d.
ok inoguchi@ tb@ | 
|  |  | 
|  |  | 
|  | conditionals, now that this code handles arbitrary message digests.
ok inoguchi@ tb@ | 
|  | (Note that the CMS code is currently disabled.)
Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)
tests from bluhm@
ok jsing
commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date:   Sun Sep 1 00:16:28 2019 +0200
    Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
    An attack is simple, if the first CMS_recipientInfo is valid but the
    second CMS_recipientInfo is chosen ciphertext. If the second
    recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
    encryption key will be replaced by garbage, and the message cannot be
    decoded, but if the RSA decryption fails, the correct encryption key is
    used and the recipient will not notice the attack.
    As a work around for this potential attack the length of the decrypted
    key must be equal to the cipher default key length, in case the
    certifiate is not given and all recipientInfo are tried out.
    The old behaviour can be re-enabled in the CMS code by setting the
    CMS_DEBUG_DECRYPT flag.
    Reviewed-by: Matt Caswell <matt@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/9777)
    (cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37) | 
|  | The recent EC group cofactor change results in stricter validation,
which causes the EC_GROUP_set_generator() call to fail.
Issue reported and fix tested by rsadowski@
ok tb@ | 
|  | These are internal only for now and will be made public at a later date.
The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around
the *_mgf1() variant.
ok tb@ inoguchi@ (as part of a larger diff) | 
|  | openssl s_server has an arbitrary read vulnerability on Windows when run with
the -WWW or -HTTP options, due to an incomplete path check logic. Thanks to
Jobert Abma for reporting.
ok tb@ | 
|  | on html or groff. the solution, to replace the non-standard .nr macros
with a hang list, was provided by ingo - thanks!
ok schwarze | 
|  | Based on OpenSSL 1.1.1.
ok tb@, inoguchi@ (on an earlier/larger diff) | 
|  |  | 
|  |  | 
|  | try to compute it using Hasse's bound.  This works as long as the
cofactor is small enough.
Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license)
tests & ok inoguchi
input & ok jsing
commit 30c22fa8b1d840036b8e203585738df62a03cec8
Author: Billy Brumley <bbrumley@gmail.com>
Date:   Thu Sep 5 21:25:37 2019 +0300
    [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
    The cofactor argument to EC_GROUP_set_generator is optional, and SCA
    mitigations for ECC currently use it. So the library currently falls
    back to very old SCA-vulnerable code if the cofactor is not present.
    This PR allows EC_GROUP_set_generator to compute the cofactor for all
    curves of cryptographic interest. Steering scalar multiplication to more
    SCA-robust code.
    This issue affects persisted private keys in explicit parameter form,
    where the (optional) cofactor field is zero or absent.
    It also affects curves not built-in to the library, but constructed
    programatically with explicit parameters, then calling
    EC_GROUP_set_generator with a nonsensical value (NULL, zero).
    The very old scalar multiplication code is known to be vulnerable to
    local uarch attacks, outside of the OpenSSL threat model. New results
    suggest the code path is also vulnerable to traditional wall clock
    timing attacks.
    CVE-2019-1547
    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
    Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/9781) | 
|  |  | 
|  | Prompted by guenther@ | 
|  | jsing@ provided it in evp.h rev. 1.77 | 
|  | with OpenSSL 1.1.1's version which contains a similar fix.
ok jsing | 
|  | EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA.
This is used by the upcoming RSA CMS code.
ok inoguchi@ tb@ | 
|  |  | 
|  | now being installed). | 
|  | This header includes OPENSSL_NO_CMS guards, so even if things find the
header it provides no useful content (and other code should technically
also be using OPENSSL_NO_CMS...).
ok deraadt@ inoguchi@ | 
|  | This brings in EC code from OpenSSL 1.1.1b, with style(9) and whitespace
cleanups. All of this code is currently under OPENSSL_NO_CMS hence is a
no-op.
ok inoguchi@ | 
|  | These are needed for the upcoming EC CMS support (nothing else appears
to use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b.
With input from inoguchi@ and tb@.
ok inoguchi@ tb@ | 
|  | ok inoguchi@ tb@ |