Commit message | Author | Age | Files | Lines

discussed with jsing

this in ossl_ecdsa_sign() and propagate the return code.
OK jsing@ tb@

ok jsing

ok jsing

BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly
instead.
ok tb@

This makes sure that the elliptic curve is not completely stupid.
This is conservative enough: the smallest named groups that we support
have an order of 112 bits.
ok beck jsing

ECDSA is essentially the same thing as DSA, except that it is slightly
less stupid. Signing specifies an infinite loop, which is only possible
with arbitrary ECDSA domain parameters. Fortunately, most use of ECDSA
in the wild is based on well-known groups, so it is known a priori that
the loop is not infinite. Still, infinite loops are bad. A retry is
unlikely; 32 retries have a probability of ~2^-8000. So it's pretty
safe to error out.
ok beck jsing

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook

Pointed out by and ok jsing

If a private key encoded with EC parameters happens to have
order 1 and is used for ECDSA signatures, this causes an
infinite loop since a random integer x in the interval [0,1)
will be 0, so do ... while (x == 0); will loop indefinitely.
Found and reported with a reproducer by Hanno Boeck.
Helpful comments and analysis from David Benjamin.
ok beck jsing

ok jsing@ millert@ tb@

ok jsing

Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b
ok jsing

of ckinv.
Pointed out and fix suggested by David Schrammel and Samuel Weiser
ok jsing

This commit adds missing API for ECDH/ECDSA_verify.
from markus

This commit adds init/free, support for signing, setting and
getting the method, engine support as well as extra data.
from markus

leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate
a microoptimization that only converts the relevant part of the digest to
a bignum.
ok beck, jsing

the usual idiom. All the allocations are now handled inside conditionals as
is usually done in this part of the tree. Turn a few comments into actual
sentences and remove a few self-evident ones. Change outdated or cryptic
comments into more helpful annotations. In ecdsa_do_verify(), start
calculating only after properly truncating the message digest. More
consistent variable names: prefer 'order_bits' and 'point' over 'i' and
'tmp_point'.
ok jsing

an upcoming diff.

reduce the possibility of a side-channel attack leaking the private key.
Suggested by Keegan Ryan at NCC Group.
With input from and ok jsing

This is caused by an attempt to do fast modular arithmetic, which
introduces branches that leak information regarding secret values.
Issue identified and reported by Keegan Ryan of NCC Group.
ok beck@ tb@

this is OpenSSL commit 4a089bbdf11f9e231cc68f42bba934c954d81a49.
ok beck, jsing
Original commit message:
    commit 4a089bbdf11f9e231cc68f42bba934c954d81a49
    Author: Pauli <paul.dale@oracle.com>
    Date: Wed Nov 1 06:58:39 2017 +1000
    Address a timing side channel whereby it is possible to determine some
    information about the length of the scalar used in ECDSA operations
    from a large number (2^32) of signatures.
    This doesn't rate as a CVE because:
    * For the non-constant time code, there are easier ways to extract
      more information.
    * For the constant time code, it requires a significant number of signatures
      to leak a small amount of information.
    Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
    reporting this issue.
    Reviewed-by: Andy Polyakov <appro@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/4576)]

as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

ok jsing@

keys when signing. This is due to BN_mod_inverse() being used without the
constant time flag being set.
This issue was reported by Cesar Pereida Garcia and Billy Brumley
(Tampere University of Technology). The fix was developed by Cesar Pereida
Garcia.

Improves readability, keeps the code smaller so that it is warmer in your
cache.
review & ok deraadt@

an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never be defined, due
to the fact that opensslconf.h has not been included.
This also includes some miscellaneous sorting/tidying of headers.

avoid unreadable/unmaintainable constructs like that:
    const EVP_PKEY_ASN1_METHOD cmac_asn1_meth =
    {
        EVP_PKEY_CMAC,
        EVP_PKEY_CMAC,
        0,
        "CMAC",
        "OpenSSL CMAC method",
        0,0,0,0,
        0,0,0,
        cmac_size,
        0,
        0,0,0,0,0,0,0,
        cmac_key_free,
        0,
        0,0
    };
ok matthew@ deraadt@