summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Fix infinite loop in BN_mod_sqrt()OPENBSD_7_0tb2022-03-151-14/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A bug in the implementation of the Tonelli-Shanks algorithm can lead to an infinite loop. This loop can be hit in various ways, in particular on decompressing an elliptic curve public key via EC_POINT_oct2point() - to do this, one must solve y^2 = x^3 + ax + b for y, given x. If a certificate uses explicit encoding for elliptic curve parameters, this operation needs to be done during certificate verification, leading to a DoS. In particular, everything dealing with untrusted certificates is affected, notably TLS servers explicitly configured to request client certificates (httpd, smtpd, various VPN implementations, ...). Ordinary TLS servers do not consume untrusted certificates. The problem is that we cannot assume that x^3 + ax + b is actually a square on untrusted input and neither can we assume that the modulus p is a prime. Ensuring that p is a prime is too expensive (it would likely itself lead to a DoS). To avoid the infinite loop, fix the logic to be more resilient and explicitly limit the number of iterations that can be done. The bug is such that the infinite loop can also be hit for primes = 3 (mod 4) but fortunately that case is optimized earlier. It's also worth noting that there is a size bound on the field size enforced via OPENSSL_ECC_MAX_FIELD_BITS (= 661), which help mitigate further DoS vectors in presence of this fix. Reported by Tavis Ormandy and David Benjamin, Google Patch based on the fixes by David Benjamin and Tomas Mraz, OpenSSL ok beck inoguchi This is errata/7.0/016_bignum.patch.sig
* In some situations, the verifier would discard the error on an unvalidatedlibressl-v3.4.3libressl-v3.4.2tb2021-11-243-50/+91
| | | | | | | | certificate chain. This would happen when the verification callback was in use, instructing the verifier to continue unconditionally. This could lead to incorrect decisions being made in software. This is patches/common/006_x509.patch.sig
* This commit was manufactured by cvs2git to create branch 'OPENBSD_7_0'.libressl-v3.4.1cvs2svn2021-09-302-49/+10
|
* bump to LibreSSL 3.4.1tb2021-09-151-3/+3
|
* As suggested by tb@, merge the description of OPENSSL_EC_NAMED_CURVEschwarze2021-09-141-9/+15
| | | | | | | | | | | | | | and OPENSSL_EC_EXPLICIT_CURVE from OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000 after tb@ changed the default from 0 to OPENSSL_EC_NAMED_CURVE in ec/ec_lib.c rev. 1.41, which is the same default that OpenSSL uses since 1.1.0. While merging, drop the description of the pre-1.1.0 behaviour. It seems irrelevant to me because tb@ found no application in Debian codesearch using OPENSSL_EC_EXPLICIT_CURVE. A former devious default that was probably never relied upon by anyone does not need to be documented.
* In X509_check_issued() do the same dance around x509v3_cache_extensions()claudio2021-09-131-3/+11
| | | | | | as in all other palces. Check the EXFLAG_SET flag first and if not set grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions(). OK tb@ beck@
* Default to using named curve parameter encodingtb2021-09-122-4/+5
| | | | | | | | | | | | | | | | | | The pre-OpenSSL 1.1.0 default was to use explicit curve parameter encoding. Most applications want to use named curve parameter encoding and have to opt into this explicitly. Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into the old default. According to Debian's codesearch, no application currently does this, which indicates that we currently have a bad default. In the future it is more likely that applications expect the new default, so we follow OpenSSL to avoid problems. Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing. ok beck inoguchi jsing
* Merge documentation of EC_GROUP_order_bits(3) from the OpenSSL 1.1.1schwarze2021-09-111-26/+70
| | | | | | | | | branch, which is still under a free license. While here, also merge a few other improvements, mostly regarding EC_GROUP_get_order(3) and EC_GROUP_get_cofactor(3); in particular, some statements below RETURN VALUES were outright wrong. This patch includes a few minor tweaks and an addition to HISTORY by me. Feedback and OK tb@.
* Add BGPSec Router (RFC 8209) Key Purpose OIDjob2021-09-112-0/+2
| | | | OK tb@
* Merge documentation for BN_bn2binpad(3), BN_bn2lebinpad(3),schwarze2021-09-111-13/+77
| | | | | | | and BN_lebin2bn(3) from the OpenSSL 1.1.1 branch, which is still under a free license. While here, tweak a number of details for clarity. OK tb@
* Calling OpenSSL_add_all_digests() is no longer needed since the librarymillert2021-09-101-7/+2
| | | | automatically initializes itself. OK tb@
* crank major for libcrypto as welltb2021-09-101-2/+2
| | | | 'may as well' deraadt
* Bump minor after symbol additiontb2021-09-101-1/+1
|
* Add BN_bn2{,le}binpad(), BN_lebin2bn(), EC_GROUP_order_bits to Symbols.listtb2021-09-101-0/+4
| | | | ok beck inoguchi jsing
* Uncomment LIBRESSL_HAS_{TLS1_3,DTLS1_2} in opensslfeatures.htb2021-09-101-2/+2
|
* Use BN_RAND_* instead of mysterious values in the documentation oftb2021-09-101-7/+19
| | | | | | | | BN_rand_range() From OpenSSL 1.1.1l ok beck jsing
* Expose EC_GROUP_order_bits() in <openssl/ec.h>tb2021-09-101-3/+1
| | | | ok beck jsing
* Expose BN_bn2{,le}binpad() and BN_lebin2bn() in <openssl/bn.h>tb2021-09-101-3/+1
| | | | ok beck inoguchi
* Expose BN_RAND_* in <openssl/bn.h>tb2021-09-101-3/+1
| | | | ok beck jsing
* Prepare to provide BN_RAND_* flags for BN_rand_range()tb2021-09-101-1/+12
| | | | ok beck jsing
* When calling the legacy callback, ensure we catch the case where itbeck2021-09-091-2/+5
| | | | | | | | | has decided to change a succeess to a failure and change the error code. Fixes a regression in the openssl-ruby tests which expect to test this functionality. ok tb@
* Prepare to provide EC_GROUP_order_bits()tb2021-09-0811-18/+45
| | | | ok jsing
* Fix leak in cms_RecipientInfo_kekri_decrypt()tb2021-09-081-1/+2
| | | | | | | | Free ec->key before reassigning it. From OpenSSL 1.1.1, 58e1e397 ok inoguchi
* Prepare to provide BN_bn2{,le}binpad() and BN_lebin2bn()tb2021-09-082-9/+137
| | | | | | | | | As found by jsg and patrick, this is needed for newer uboot and will also be used in upcoming elliptic curve work. This is from OpenSSL 1.1.1l with minor style tweaks. ok beck inoguchi
* Replace bare ; with continue;job2021-09-081-7/+7
| | | | OK tb@
* Fix indentation of comments and labelsjob2021-09-082-165/+167
| | | | OK tb@
* Replace (&(x)) pattern with &xjob2021-09-072-32/+32
| | | | | | No functional changes. OK tb@
* KNFjob2021-09-072-1478/+1548
| | | | OK tb@ jsing@ beck@
* Add X509 Extensions for IP Addresses and AS Identifiersjob2021-09-031-1/+2
| | | | | | (subordinate code paths are include guarded) OK tb@
* Call the callback on success in new verifier in a compatible waybeck2021-09-033-16/+55
| | | | | | | | | | | | | when we succeed with a chain, and ensure we do not call the callback twice when the caller doesn't expect it. A refactor of the end of the legacy verify code in x509_vfy is probably overdue, but this should be done based on a piece that works. the important bit here is this allows the perl regression tests in tree to pass. Changes the previously committed regress tests to test the success case callbacks to be known to pass. ok bluhm@ tb@
* Unroll ASN1_ITEM_ref()job2021-09-021-1/+1
| | | | OK @tb
* Change OPENSSL_strdup() to strdup()job2021-09-021-1/+1
| | | | OK tb@
* Change OPENSSL_malloc to calloc()job2021-09-021-1/+2
| | | | OK tb@
* Repair unrolling of static ASN1_ITEM IPAddrBlocks_itjob2021-09-021-0/+11
| | | | | | The conversion tool didn't handle 'static_ASN1_ITEM_TEMPLATE_END' OK tb@
* Make v3_addr and v3_asid extern constjob2021-09-021-2/+2
| | | | OK tb@
* Add err.h for X509error() and friendsjob2021-09-022-0/+2
| | | | OK tb@
* Fix OPENSSL_assert() and assert()job2021-09-022-35/+17
| | | | OK tb@
* Unroll ASN1_EX_TEMPLATE_TYPE IPAddrBlocksjob2021-09-021-4/+7
| | | | OK tb@
* Change the OPENSSL_strdup() to strdup()job2021-09-021-3/+4
| | | | OK beck@ tb@
* Fix header file includesjob2021-09-022-8/+9
| | | | OK tb@
* Move the error put functions from X509V3err() to X509V3error()job2021-09-022-52/+32
| | | | OK tb@
* Unroll ASN1_SEQUENCE() ASN1_CHOICE() ASN1_ITEM_TEMPLATE()job2021-09-022-46/+218
| | | | OK jsing@
* OPENSSL_assert() is not appropriate in this contextjob2021-09-021-2/+3
| | | | | | Feedback from tb@ OK tb@
* Replace ossl_assert()/assert() with OPENSSL_assert()job2021-09-022-14/+14
| | | | OK tb@
* Replace OPENSSL_free() with free()job2021-09-022-7/+7
| | | | OK tb@
* Unroll IMPLEMENT_ASN1_FUNCTIONS()job2021-09-022-8/+197
| | | | OK jsing@
* Unroll DECLARE_ASN1_FUNCTIONS()job2021-09-021-9/+56
| | | | OK jsing@
* Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()job2021-09-021-4/+4
| | | | OK tb@ jsing@
* Lay groundwork to support X.509 v3 extensions for IP Addresses and AS ↵job2021-09-027-5/+2386
| | | | | | | | | | | Identifiers These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree. OK tb@, discussed with beck@
* Remove assignment of value that is never read.beck2021-09-011-2/+1
| | | | ok tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 05:35:18 +0000