| Commit message (Collapse) | Author | Files | Lines |
|---|
|
the EC module.
From Billy Brumley and his team, via
https://github.com/libressl-portable/openbsd/pull/94
With tweaks from jsing and me.
ok jsing
|
|
two bignums. It's saner and substantially less ugly than the existing
public BN_constantime_swap() function and will be used in forthcoming work
on constant time ECC code.
From Billy Brumley and his team. Thanks!
ok jsing
|
|
leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate
a microoptimization that only converts the relevant part of the digest to
a bignum.
ok beck, jsing
|
|
|
|
freenull test from Symbols.list.
Suggested by jsing, discussed with beck and bluhm.
|
|
|
|
|
|
explicit about the servername argument of tls_connect_servername(3).
input & ok jsing, input & ok schwarze on earlier version
|
|
ok jsing, schwarze
|
|
|
|
|
|
|
|
|
|
from OpenSSL, fixing many bugs and polishing many details
|
|
fixing an awkward wording noticed by tb@.
OK tb@
|
|
right spot helps this a bit. Other whitespace and typo fixes while there.
|
|
|
|
the usual idiom. All the allocations are now handled inside conditionals as
is usually done in this part of the tree. Turn a few comments into actual
sentences and remove a few self-evident ones. Change outdated or cryptic
comments into more helpful annotations. In ecdsa_do_verify(), start
calculating only after properly truncating the message digest. More
consistent variable names: prefer 'order_bits' and 'point' over 'i' and
'tmp_point'.
ok jsing
|
|
an upcoming diff.
|
|
reduce the possibility of a side-channel attack leaking the private key.
Suggested by Keegan Ryan at NCC Group.
With input from and ok jsing
|
|
the possibility of a side-channel attack leaking the private key.
Suggested by Keegan Ryan at NCC Group.
With input from and ok tb@
|
|
Requested by and ok tb@
|
|
to occur once and not be repeated if the signature generation has to be
repeated.
ok tb@
|
|
In the very unlikely case where we have to repeat the signature generation,
the DSA_SIG return value has already been allocated. This will either
result in a leak when we allocate again on the next iteration, or it
will give a false success (with missing signature values) if any error
occurs on the next iteration.
ok tb@
|
|
ok beck@ tb@
|
|
ok beck@ tb@
|
|
|
|
This is caused by an attempt to do fast modular arithmetic, which
introduces branches that leak information regarding secret values.
Issue identified and reported by Keegan Ryan of NCC Group.
ok beck@ tb@
|
|
|
|
by Guido Vranken to OpenSSL (https://github.com/openssl/openssl/pull/6457)
and based on his diff. suggestions from tb@, ok tb@ jsing@
"During key agreement in a TLS handshake using a DH(E) based ciphersuite a
malicious server can send a very large prime value to the client. This will
cause the client to spend an unreasonably long period of time generating a key
for this prime resulting in a hang until the client has finished. This could be
exploited in a Denial Of Service attack."
|
|
|
|
From Dmitry Eremin-Solenikov <dbaryshkov at gmail dot com>.
|
|
have been converted to CBS, pull it up a level.
ok inoguchi@ tb@
|
|
client KEX DHE processing, rather than reusing the buffer that is used
to send/receive handshake messages.
ok beck@ inoguchi@
|
|
ok beck@ inoguchi@
|
|
Also allocate a dedicated buffer to hold the shared secret, rather than
reusing init_buf.
ok inoguchi@ tb@
|
|
|
|
These are insecure and should not be used - furthermore, we would should
not have been allowing their negotiation with TLSv1.2 (as noted by Robert
Merget, Juraj Somorovsky and Simon Friedberger). Removing these cipher
suites also fixes this issue.
ok beck@ inoguchi@
|
|
|
|
UI_method_get_flusher(), UI_method_get_opener(),
UI_method_get_prompt_constructor(), UI_method_get_reader(), and
UI_method_get_writer().
tested in a bulk build by sthen
ok jsing
|
|
BIO_meth_get_callback_ctrl, BIO_meth_get_create, BIO_meth_get_ctrl,
BIO_meth_get_destroy, BIO_meth_get_gets, BIO_meth_get_puts,
BIO_meth_get_read, and BIO_meth_get_write.
ok jsing
|
|
a little:
Use X509_get0_pubkey() in place of X509_get_pubkey() and EVP_PKEY_free().
Check return value of the former in the appropriate place and simplify the
logic for dealing with the potentially NULL pkey argument (includes a neat
tweak from jsing). Finally, kill an ugly comment that has been rotting for
twenty years and merge the lines around it.
tested in a bulk build by sthen
ok jsing
|
|
tested in a bulk build by sthen
ok jsing
|
|
X509_NAME_get_index_by_{OBJ,NID}().
tested in a bulk build by sthen
suggested by & ok jsing
|
|
tested in a bulk build by sthen
ok jsing
|
|
tested in a bulk build by sthen
ok bcook, jsing
|
|
|
|
Diff from Jack Burton <jack at saosce dot com dot au>.
|
|
to do it a second time by hand, badly. While here, do some style cleanup.
This incomplete list of function pointers appears in EVP_PKEY_asn1_copy()
as well, fix it by adding sig_print to the members copied over.
ok bcook
|
|
to the argument of UI_create_method(3). Adjust the manual.
|
