| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
From OpenSSL 1.1.1d.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
Use calloc() instead of malloc() for initialisation and remove explicit
zero initialisation of members. This ensures that new members always get
initialised.
Also use a single error return path, simplifying code.
ok tb@
|
| | |
|
| |
|
|
|
|
| |
From OpenSSL 1.1.1d.
ok inoguchi@
|
| |
|
|
|
|
| |
From OpenSSL 1.1.1d.
ok inoguchi@
|
| | |
|
| |
|
|
|
|
| |
Makes code more robust and reduces differences with OpenSSL.
ok inoguchi@
|
| |
|
|
|
|
|
|
| |
exponent.
From OpenSSL 1.1.1d.
ok inoguchi@
|
| |
|
|
|
|
|
| |
Assign and test, explicitly test against NULL and use calloc() rather than
malloc.
ok inoguchi@
|
| |
|
|
| |
ok inoguchi@
|
| | |
|
| |
|
|
|
|
|
| |
This syncs the RSA OAEP code with OpenSSL 1.1.1d, correctly handling OAEP
padding and providing various OAEP related controls.
ok inoguchi@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
For now these are internal only.
From OpenSSL 1.1.1d.
ok inoguchi@
|
| |
|
|
|
|
| |
This will be used by upcoming RSA-PSS code.
ok tb@
|
| |
|
|
|
|
|
| |
This will be soon used as an optimisation and reduces the differences
between OpenSSL.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
This is a wrapper around EVP_PKEY_CTX_ctrl() which requires the key to be
either RSA or RSA-PSS.
From OpenSSL 1.1.1d.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Update RSA_padding_check_PKCS1_OAEP_mgf1() with code from OpenSSL 1.1.1d
(with some improvements/corrections to comments).
This brings in code to make the padding check constant time.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
conditionals, now that this code handles arbitrary message digests.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
These are internal only for now and will be made public at a later date.
The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around
the *_mgf1() variant.
ok tb@ inoguchi@ (as part of a larger diff)
|
| |
|
|
|
|
| |
Based on OpenSSL 1.1.1.
ok tb@, inoguchi@ (on an earlier/larger diff)
|
| |
|
|
|
|
|
|
| |
EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA.
This is used by the upcoming RSA CMS code.
ok inoguchi@ tb@
|
| |
|
|
| |
ok tb@, jsing@, sthen@
|
| |
|
|
|
|
| |
RSA_meth_get_finish() RSA_meth_set1_name() EVP_CIPHER_CTX_(get|set)_iv()
feedback and ok jsing@ tb@
|
| |
|
|
|
|
| |
(there are no known attacks, this is just inexpensive prudence)
feedback and ok tb@ jsing@
|
| |
|
|
|
|
|
|
|
| |
Requires adding a const to the priv_decode() member of
EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode()
functions. All this is already documented this way.
tested in a bulk build by sthen
ok jsing
|
| | |
|
| |
|
|
|
|
| |
CID #183499.
input & ok jsing, ok mestre on first version
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Based on an OpenSSL commit by David Benjamin.
Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library
reported that more than 200 "expected to fail" signatures among Project
Wycheproof's test vectors validated on LibreSSL. This patch makes them
all fail.
ok jsing
commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836
Author: David Benjamin <davidben@google.com>
Date: Sat Aug 20 13:35:17 2016 -0400
Implement RSASSA-PKCS1-v1_5 as specified.
RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode
the DigestInfo struct and then compare the result against the public key
operation result. This implies that one and only one encoding is legal.
OpenSSL instead parses with crypto/asn1, then checks that the encoding
round-trips, and allows some variations for the parameter. Sufficient
laxness in this area can allow signature forgeries, as described in
https://www.imperialviolet.org/2014/09/26/pkcs1.html
Although there aren't known attacks against OpenSSL's current scheme,
this change makes OpenSSL implement the algorithm as specified. This
avoids the uncertainty and, more importantly, helps grow a healthy
ecosystem. Laxness beyond the spec, particularly in implementations
which enjoy wide use, risks harm to the ecosystem for all. A signature
producer which only tests against OpenSSL may not notice bugs and
accidentally become widely deployed. Thus implementations have a
responsibility to honor the specification as tightly as is practical.
In some cases, the damage is permanent and the spec deviation and
security risk becomes a tax all implementors must forever pay, but not
here. Both BoringSSL and Go successfully implemented and deployed
RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
this change should be compatible enough to pin down in future OpenSSL
releases.
See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
As a bonus, by not having to deal with sign/verify differences, this
version is also somewhat clearer. It also more consistently enforces
digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath
wasn't quite doing this right.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1474
|
| |
|
|
|
|
|
|
|
|
|
| |
OpenSSL commit 7c96dbcdab9 by Rich Salz.
This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.
ok jsing, tested by & ok inoguchi
|
| |
|
|
|
|
|
| |
Note that these functions return NULL in out-of-memory situations,
but contrary to OpenSSL's versions they do not set an error.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
EVP_PKEY_get0_{DH,DSA,RSA}(), RSA_{g,s}et0_key().
ok jsing
|
| |
|
|
| |
Several pieces of software expect this to be available unconditionally.
|
| |
|
|
|
|
| |
code. We removed SSLv2/SSLv3 a long time ago...
Discussed with doug@
|
| |
|
|
|
|
|
|
|
|
| |
reduces conditional logic (-218, +82).
MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c
wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and
BN_FLG_STATIC_DATA where the condition cannot be collapsed completely.
Passes regress. ok beck
|
| | |
|
| | |
|
| |
|
|
|
|
| |
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@
|
| |
|
|
|
|
|
|
|
|
|
| |
by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a
sidechannel timing attack during RSA private key generation.
Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force
the use of the _ct or _nonct versions of the function only within
the library.
ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
matter for constant time, and make the public interface only used
external to the library.
This moves us to a model where the important things are constant time
versions unless you ask for them not to be, rather than the opposite.
I'll continue with this method by method.
Add regress tests for same.
ok jsing@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting
the bn_* symbols. These are documented as only being intended for internal
use, so why they were placed in a public header is beyond me...
This hides 363 previously exported symbols, most of which exist in headers
that are not installed and were never intended to be public. This also
removes a few crusty old things that should have died long ago (like
_ossl_old_des_read_pw). But don't worry... there are still 3451 symbols
exported from the library.
With input and testing from inoguchi@.
ok beck@ inoguchi@
|
