summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
* bump internal version to 3.0.2bcook2019-10-101-2/+2
|
* bump to 3.0.2bcook2019-10-101-2/+2
|
* Use EVP_MAX_MD_SIZE instead of SHA_DIGEST_LENGTH and remove OPENSSL_NO_SHA*jsing2019-10-091-7/+2
| | | | | | conditionals, now that this code handles arbitrary message digests. ok inoguchi@ tb@
* Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.tb2019-10-044-11/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (Note that the CMS code is currently disabled.) Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license) tests from bluhm@ ok jsing commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f Author: Bernd Edlinger <bernd.edlinger@hotmail.de> Date: Sun Sep 1 00:16:28 2019 +0200 Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9777) (cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
* Use a valid curve when constructing an EC_KEY that looks like X25519.jsing2019-10-041-2/+3
| | | | | | | | | The recent EC group cofactor change results in stricter validation, which causes the EC_GROUP_set_generator() call to fail. Issue reported and fix tested by rsadowski@ ok tb@
* Provide internal RSA_padding_{add,check}_PKCS1_OAEP_mgf1() functions.jsing2019-10-042-10/+90
| | | | | | | | These are internal only for now and will be made public at a later date. The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around the *_mgf1() variant. ok tb@ inoguchi@ (as part of a larger diff)
* Move towards making RSA OAEP functions handle arbitrary message digests.jsing2019-10-031-53/+59
| | | | | | Based on OpenSSL 1.1.1. ok tb@, inoguchi@ (on an earlier/larger diff)
* bump for LibreSSL 3.0.1libressl-v3.0.1bcook2019-09-301-3/+3
|
* zap trailing whitespace;jmc2019-09-291-3/+3
|
* If a NULL or zero cofactor is passed to EC_GROUP_set_generator(),tb2019-09-293-11/+113
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | try to compute it using Hasse's bound. This works as long as the cofactor is small enough. Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license) tests & ok inoguchi input & ok jsing commit 30c22fa8b1d840036b8e203585738df62a03cec8 Author: Billy Brumley <bbrumley@gmail.com> Date: Thu Sep 5 21:25:37 2019 +0300 [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9781)
* Xr random 4 in a better wayderaadt2019-09-281-3/+5
|
* Add comment line saying S is described vaguely on purpose.otto2019-09-141-2/+3
| | | | Prompted by guenther@
* document EVP_PKEY_CTX_get_signature_md(3);schwarze2019-09-101-4/+17
| | | | jsing@ provided it in evp.h rev. 1.77
* Plug memory leak in error paths. Found while comparing this filetb2019-09-091-5/+5
| | | | | | with OpenSSL 1.1.1's version which contains a similar fix. ok jsing
* Provide EVP_PKEY_CTX_get_signature_md() macro and implement thejsing2019-09-094-7/+25
| | | | | | | | EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the upcoming RSA CMS code. ok inoguchi@ tb@
* Load CMS error strings.jsing2019-09-091-1/+5
|
* Move #include <openssl/cms.h> to more appropriate location (since it isjsing2019-09-091-3/+2
| | | | now being installed).
* Install the openssl/cms.h header.jsing2019-09-091-1/+3
| | | | | | | | This header includes OPENSSL_NO_CMS guards, so even if things find the header it provides no useful content (and other code should technically also be using OPENSSL_NO_CMS...). ok deraadt@ inoguchi@
* Add CMS ECC support.jsing2019-09-081-2/+370
| | | | | | | | This brings in EC code from OpenSSL 1.1.1b, with style(9) and whitespace cleanups. All of this code is currently under OPENSSL_NO_CMS hence is a no-op. ok inoguchi@
* Add various macros and controls for EC_PKEY_CTX.jsing2019-09-064-28/+316
| | | | | | | | | These are needed for the upcoming EC CMS support (nothing else appears to use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b. With input from inoguchi@ and tb@. ok inoguchi@ tb@
* Handle CMS PEM headers.jsing2019-09-061-1/+11
| | | | ok inoguchi@ tb@
* Add objects for ECDH schemes in RFC 5753.jsing2019-09-052-0/+32
| | | | | | Based on OpenSSL 1.1.1b. ok inoguchi@ tb@
* Build ecdh_kdf.cjsing2019-09-051-2/+2
|
* Replace OPENSSL_cleanse() with explicit_bzero().jsing2019-09-051-1/+1
|
* Provide prototype for ecdh_KDF_X9_63()jsing2019-09-051-1/+7
|
* Include correct header.jsing2019-09-051-1/+1
|
* style(9) and whitespace.jsing2019-09-051-65/+72
|
* Restore per-file license/copyright removed in OpenSSL commit 4f22f40507f.jsing2019-09-051-5/+48
|
* Remove ECDH_KDF_X9_62 wrapper.jsing2019-09-051-12/+0
|
* Provide ECDH KDF for X9.63 as needed for CMS ECC.jsing2019-09-051-0/+81
| | | | | | From OpenSSL 1.1.1b. ok tb@ inoguchi@
* Document EVP_PKEY_get0(3), EVP_PKEY_assign_GOST(3), EVP_PKEY_assign(3),schwarze2019-09-012-31/+116
| | | | | and EVP_PKEY_set_type(3). While here, clarify a few points regarding reference count and type checking.
* mop up resolver.3 rename; ok deraadtjmc2019-08-305-15/+15
|
* mop up for inet_net rename; ok deraadtjmc2019-08-303-9/+9
|
* adapt to bitstring(3) renaming, and look at that bit_ffs(3) is the actualderaadt2019-08-301-3/+3
| | | | | name we want to Xr... ok jmc
* Move 4 manual pages from not-a-function filenames to a correct filename,deraadt2019-08-306-16/+16
| | | | | and correct Xr. ok jmc
* new manual page AES_encrypt(3)schwarze2019-08-284-5/+181
|
* document OCSP_parse_url(3)schwarze2019-08-271-6/+75
|
* document OCSP_cert_status_str(3)schwarze2019-08-271-3/+19
|
* document OCSP_response_status_str(3)schwarze2019-08-271-4/+19
|
* document i2a_ASN1_INTEGER(3)schwarze2019-08-261-5/+50
|
* document ASN1_put_object(3) and ASN1_put_eoc(3)schwarze2019-08-263-3/+186
|
* document ASN1_OCTET_STRING_cmp(3), ASN1_OCTET_STRING_dup(3), andschwarze2019-08-261-12/+45
| | | | ASN1_OCTET_STRING_set(3)
* Change generating and checking of primes so that the error rate ofschwarze2019-08-252-26/+93
| | | | | | | | | | | not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128. Patch from Kurt Roeckx <kurt@roeckx.be> and Annie Yousar via OpenSSL commit feac7a1c Jul 25 18:55:16 2018 +0200, still under a free license. OK tb@.
* document EVP_sm3(3) and EVP_whirlpool(3), loosely based on theschwarze2019-08-255-6/+177
| | | | OpenSSL 1.1.1 pages, which are still under a free license
* fix reversed meaning of error codes;schwarze2019-08-251-7/+7
| | | | | from Martin Ukrop <mukrop at mail dot muni dot cz> via OpenSSL commit bb00b040 Aug 5 14:14:54 2019 +0200
* typo in function argument type;schwarze2019-08-251-4/+4
| | | | | from Jan Macku <jamacku at redhat dot com> via OpenSSL commit a9b9d265 Jan 30 16:09:50 2019 +0100
* Correctly document the return values of i2d_ECDSA_SIG(3) andschwarze2019-08-251-25/+28
| | | | | | | d2i_ECDSA_SIG(3); triggered by OpenSSL commit da4ea0cf Aug 5 16:13:24 2019 +0100, but solved differently. While here, adjust argument placeholders and wording to our usual conventions, and don't try to reiterate the complicated contents of ASN1_item_d2i(3) here.
* import the CRYPTO_memcmp(3) manual from OpenSSL 1.1.1,schwarze2019-08-252-1/+97
| | | | still under a free license, tweaked by me
* document RSAPrivateKey_dup(3) and RSAPublicKey_dup(3)schwarze2019-08-231-11/+55
|
* document X509_get1_email(3), X509_get1_ocsp(3), X509_email_free(3)schwarze2019-08-236-12/+141
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-17 11:12:21 +0000