| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
try to compute it using Hasse's bound. This works as long as the
cofactor is small enough.
Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license)
tests & ok inoguchi
input & ok jsing
commit 30c22fa8b1d840036b8e203585738df62a03cec8
Author: Billy Brumley <bbrumley@gmail.com>
Date: Thu Sep 5 21:25:37 2019 +0300
[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.
This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.
This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.
It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).
The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.
CVE-2019-1547
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9781)
|
| |
|
|
| |
jsing@ provided it in evp.h rev. 1.77
|
| |
|
|
|
|
| |
with OpenSSL 1.1.1's version which contains a similar fix.
ok jsing
|
| |
|
|
|
|
|
|
| |
EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA.
This is used by the upcoming RSA CMS code.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
| |
now being installed).
|
| |
|
|
|
|
|
|
| |
This header includes OPENSSL_NO_CMS guards, so even if things find the
header it provides no useful content (and other code should technically
also be using OPENSSL_NO_CMS...).
ok deraadt@ inoguchi@
|
| |
|
|
|
|
|
|
| |
This brings in EC code from OpenSSL 1.1.1b, with style(9) and whitespace
cleanups. All of this code is currently under OPENSSL_NO_CMS hence is a
no-op.
ok inoguchi@
|
| |
|
|
|
|
|
|
|
| |
These are needed for the upcoming EC CMS support (nothing else appears
to use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b.
With input from inoguchi@ and tb@.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Based on OpenSSL 1.1.1b.
ok inoguchi@ tb@
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
From OpenSSL 1.1.1b.
ok tb@ inoguchi@
|
| |
|
|
|
| |
and EVP_PKEY_set_type(3). While here, clarify a few points regarding
reference count and type checking.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
ASN1_OCTET_STRING_set(3)
|
| |
|
|
|
|
|
|
|
|
|
| |
not being prime depends on the intended use based on the size of
the input. For larger primes this will result in more rounds of
Miller-Rabin. The maximal error rate for primes with more than
1080 bits is lowered to 2^-128.
Patch from Kurt Roeckx <kurt@roeckx.be> and Annie Yousar
via OpenSSL commit feac7a1c Jul 25 18:55:16 2018 +0200,
still under a free license.
OK tb@.
|
| |
|
|
| |
OpenSSL 1.1.1 pages, which are still under a free license
|
| |
|
|
|
| |
from Martin Ukrop <mukrop at mail dot muni dot cz>
via OpenSSL commit bb00b040 Aug 5 14:14:54 2019 +0200
|
| |
|
|
|
| |
from Jan Macku <jamacku at redhat dot com>
via OpenSSL commit a9b9d265 Jan 30 16:09:50 2019 +0100
|
| |
|
|
|
|
|
| |
d2i_ECDSA_SIG(3); triggered by OpenSSL commit da4ea0cf Aug 5 16:13:24
2019 +0100, but solved differently. While here, adjust argument
placeholders and wording to our usual conventions, and don't try
to reiterate the complicated contents of ASN1_item_d2i(3) here.
|
| |
|
|
| |
still under a free license, tweaked by me
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
as in OpenSSL 1.1.1. I rewrote most of the text for clarity, precision,
and conciseness and added some additional information. A few sentences
from Paul Yang remain.
|
| |
|
|
| |
- Add static_ASN1_* macro. Patch was provided by steils AT gentoo.org
|
| |
|
|
|
|
|
|
|
| |
in OpenSSL 1.1.1 even though in general, letting random functions
accept NULL is not advisable because it can hide programming errors;
"yes please" tb@
"unfortunately I suspect you're right" jsing@
"oh well" deraadt@
|
| | |
|
| |
|
|
| |
feedback and OK tb@
|
| |
|
|
|
| |
all CMS pages are linked to CMS_ContentInfo_new(3) both ways
and that closely related pages reference each other.
|
| |
|
|
|
|
| |
* avoid jumping back and forth between use cases
* delete duplicate information
* and minor wording improvements
|
| |
|
|
|
|
|
| |
* add the missing STANDARDS sections
* mark up ASN.1 type names
* GOST does not need an ENGINE in LibreSSL, so don't use it as an example
* and minor wording improvements and typo fixes
|
| |
|
|
|
|
| |
* mark up ASN.1 type and field names
* move the RFC reference to STANDARDS
* and minor wording improvements
|
| |
|
|
|
|
|
|
|
|
| |
* do not jump back and forth among functions
* show data type - NID correspondance in a table
* make the difference between content type and embedded content clearer
* add the missing STANDARDS section
* mark up ASN.1 type names
* remove some text that says nothing
* and minor wording improvements
|
| |
|
|
|
|
|
|
| |
* add the missing STANDARDS section
* more precision below RETURN VALUES
* simplify some overly verbose text
* mark up ASN.1 type names
* and minor wording improvements and typo fixes
|
| |
|
|
|
|
|
|
| |
* add the missing STANDARDS section
* mark up ASN.1 type names
* avoid some repetitions
* make some lists more palatable in -column form
* and minor wording improvements and typo fixes
|
| |
|
|
| |
and mention a trap set by EC_KEY_copy(3)
|
