path: root/src/lib/libcrypto/ec/ec.h

Commit log (each entry: subject, then author, age, files changed, lines -removed/+added, then the commit body)
* If a NULL or zero cofactor is passed to EC_GROUP_set_generator(),  (tb, 2019-09-29, files: 1, lines: -1/+2)
  try to compute it using Hasse's bound. This works as long as the cofactor
  is small enough.

  Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license)

  tests & ok inoguchi
  input & ok jsing

  commit 30c22fa8b1d840036b8e203585738df62a03cec8
  Author: Billy Brumley <bbrumley@gmail.com>
  Date:   Thu Sep 5 21:25:37 2019 +0300

      [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it

      The cofactor argument to EC_GROUP_set_generator is optional, and SCA
      mitigations for ECC currently use it. So the library currently falls
      back to very old SCA-vulnerable code if the cofactor is not present.

      This PR allows EC_GROUP_set_generator to compute the cofactor for all
      curves of cryptographic interest. Steering scalar multiplication to more
      SCA-robust code.

      This issue affects persisted private keys in explicit parameter form,
      where the (optional) cofactor field is zero or absent. It also affects
      curves not built-in to the library, but constructed programmatically
      with explicit parameters, then calling EC_GROUP_set_generator with a
      nonsensical value (NULL, zero).

      The very old scalar multiplication code is known to be vulnerable to
      local uarch attacks, outside of the OpenSSL threat model. New results
      suggest the code path is also vulnerable to traditional wall clock
      timing attacks.

      CVE-2019-1547

      Reviewed-by: Matt Caswell <matt@openssl.org>
      Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
      Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
      (Merged from https://github.com/openssl/openssl/pull/9781)
* Add various macros and controls for EC_PKEY_CTX.  (jsing, 2019-09-06, files: 1, lines: -5/+95)
  These are needed for the upcoming EC CMS support (nothing else appears to
  use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b.

  With input from inoguchi@ and tb@.

  ok inoguchi@ tb@
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.  (tb, 2019-01-19, files: 1, lines: -4/+4)
  Pass const method to EC_KEY_METHOD_get_*() to get rid of an XXX.

  from markus
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.  (tb, 2019-01-19, files: 1, lines: -1/+11)
  This commit adds missing API for ECDH/ECDSA_verify.

  from markus
* Partial port of EC_KEY_METHOD from OpenSSL 1.1.  (tb, 2019-01-19, files: 1, lines: -1/+30)
  This commit adds init/free, support for signing, setting and getting the
  method, engine support as well as extra data.

  from markus
* Add a const qualifier to the 'key' argument of i2o_ECPublicKey() and  (tb, 2018-05-19, files: 1, lines: -2/+2)
  one to the last argument of each one of i2s_ASN1_OCTET_STRING(),
  s2i_ASN1_OCTET_STRING(), i2s_ASN1_INTEGER(), i2s_ASN1_ENUMERATED(), and
  i2s_ASN1_ENUMERATED_TABLE().

  tested in a bulk build by sthen
  ok jsing
* Add assembler code for the nist 256-bit GFp curve, written initially by  (miod, 2016-11-04, files: 1, lines: -1/+7)
  Intel. Obtained from BoringSSL, with some integration work borrowed from
  OpenSSL 1.0.2; assembler code for arm and sparc64 borrowed from OpenSSL
  1.1.0.

  None of this code is enabled in libcrypto yet.

  ok beck@ jsing@
* Convert ECParameters_dup() from a macro that uses ASN1_dup_of() into an  (jsing, 2015-10-13, files: 1, lines: -3/+2)
  actual function. This removes the last ASN1_dup_of usage from the tree.

  Feedback from doug@ and miod@
* Provide EC_curve_nid2nist() and EC_curve_nist2nid().  (jsing, 2015-06-20, files: 1, lines: -1/+3)
  From OpenSSL.

  Rides libcrypto bump.

  ok miod@ (a while ago)
* tags as requested by miod and tedu  (deraadt, 2014-06-12, files: 1, lines: -1/+1)
* Everything sane has stdio, and FILE *. we don't need ifdefs for this.  (beck, 2014-05-29, files: 1, lines: -4/+0)
  ok to firebomb from tedu@
* Cope with the removal of openssl/symhacks.h  (deraadt, 2014-04-13, files: 1, lines: -1/+0)
* Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.  (miod, 2014-04-13, files: 1, lines: -10/+18)
* resolve conflicts  (djm, 2012-10-13, files: 1, lines: -5/+64)
* resolve conflicts, fix local changes  (djm, 2010-10-01, files: 1, lines: -120/+694)
* resolve conflicts  (djm, 2008-09-06, files: 1, lines: -18/+301)
* merge 0.9.7b with local changes; crank majors for libssl/libcrypto  (markus, 2003-05-12, files: 1, lines: -2/+0)
* OpenSSL 0.9.7 stable 2002 05 08 merge  (beck, 2002-05-15, files: 1, lines: -0/+245)