summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Provide NID for pSpecified.jsing2019-11-012-0/+2
| | | | ok tb@
* Wire up PKEY methods for RSA-PSS.jsing2019-11-011-2/+6
| | | | ok tb@
* Wire up ASN.1 methods for RSA-PSS.jsing2019-11-011-1/+5
| | | | ok tb@
* In rsa.h rev. 1.45, jsing@ provided the threeschwarze2019-11-012-6/+64
| | | | | | macros EVP_PKEY_CTX_set_rsa_pss_keygen_*(3); document them. Text mostly taken from the OpenSSL 1.1.1 branch, which is still under a free license, but rearranged to fit the structure of our manual pages.
* move the PSS macros to the end in preparation for adding more macros,schwarze2019-11-011-50/+45
| | | | | reduce text duplication by forming subsections, and some minor corrections
* The EVP_PKEY_CTX_ctrl(3) manual page requires additions for RSA-PSSschwarze2019-11-014-267/+358
| | | | but it is growing to excessive size, so split out RSA_pkey_ctx_ctrl(3).
* Update RSA ASN.1 code to handle RSA-PSS.jsing2019-11-014-302/+389
| | | | | | From OpenSSL 1.1.1d. ok tb@
* Clean up RSA_new_method().jsing2019-11-011-40/+24
| | | | | | | | | | Use calloc() instead of malloc() for initialisation and remove explicit zero initialisation of members. This ensures that new members always get initialised. Also use a single error return path, simplifying code. ok tb@
* In rsa_pmeth.c rev. 1.30, jsing@ set the minimum RSA key lengthschwarze2019-10-311-2/+3
| | | | for RSA key generation to 512 bits. Document that minimum.
* Add CMS controls for RSA.jsing2019-10-311-1/+8
|
* Add support for RSA-PSS.jsing2019-10-315-65/+370
| | | | | | From OpenSSL 1.1.1d. ok inoguchi@
* Move RSA min modulus to a define and increase from 256 to 512 bits.jsing2019-10-312-4/+6
| | | | | | From OpenSSL 1.1.1d. ok inoguchi@
* Fix indent and indent before labels.jsing2019-10-311-5/+5
|
* Use braces where a statement has both multi-line and single-line blocks.jsing2019-10-311-8/+13
| | | | | | Makes code more robust and reduces differences with OpenSSL. ok inoguchi@
* Add additional validation of key size, message digest size and publicjsing2019-10-311-3/+17
| | | | | | | | exponent. From OpenSSL 1.1.1d. ok inoguchi@
* Clean up some code.jsing2019-10-311-11/+13
| | | | | | | Assign and test, explicitly test against NULL and use calloc() rather than malloc. ok inoguchi@
* Avoid potentially leaking pub_exp in pkey_rsa_copy().jsing2019-10-311-4/+4
| | | | ok inoguchi@
* In rsa.h rev. 1.41, jsing@ provided RSA_pkey_ctx_ctrl(3).schwarze2019-10-291-1/+26
| | | | Write the documentation from scratch.
* merge documentation for several macros EVP_PKEY_CTX_*_rsa_oaep_*(3)schwarze2019-10-291-4/+239
| | | | | | and EVP_PKEY_CTX_*_ecdh_*(3); from Antoine Salon <asalon at vmware dot com> via OpenSSL commit 87103969 Oct 1 14:11:57 2018 -0700 from the OpenSSL 1.1.1 branch, which is still under a free license
* merge documentation for EVP_PKEY_CTX_set1_id(3), EVP_PKEY_CTX_get1_id(3),schwarze2019-10-291-2/+57
| | | | | | and EVP_PKEY_CTX_get1_id_len(3), but make it sound more like English text; from Paul Yang via OpenSSL commit f922dac8 Sep 6 10:36:11 2018 +0800 from the OpenSSL 1.1.1 branch, which is still under a free license
* merge documentation of EVP_PKEY_CTX_set_ec_param_enc(3)schwarze2019-10-291-6/+23
| | | | from Stephen Henson via OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000
* correct HISTORY of some RSA control macrosschwarze2019-10-291-5/+26
|
* list supported algorithm ids and clarify how the engine argument is usedschwarze2019-10-291-10/+50
|
* Add two controls that were missed in the previous commit.jsing2019-10-291-1/+13
|
* Update RSA OAEP code.jsing2019-10-292-21/+124
| | | | | | | This syncs the RSA OAEP code with OpenSSL 1.1.1d, correctly handling OAEP padding and providing various OAEP related controls. ok inoguchi@ tb@
* Provide EVP_PKEY_CTX_md().jsing2019-10-292-8/+18
| | | | | | | | | | | | This handles controls with a message digest by name, looks up the message digest and then proxies the control through with the EVP_MD *. This is internal only for now and will be used in upcoming RSA related changes. Based on OpenSSL 1.1.1d. ok inoguchi@ tb@
* Free maskHash when RSA_PSS_PARAMS is freed.jsing2019-10-251-3/+23
| | | | ok tb@
* Provide ASN1_TYPE_{,un}pack_sequence().jsing2019-10-242-2/+36
| | | | | | | | These are internal only for now. Based on OpenSSL 1.1.1d. ok inoguchi@
* Provide RSA_OAEP_PARAMS along with ASN.1 encoding/decoding.jsing2019-10-242-2/+97
| | | | | | | | For now these are internal only. From OpenSSL 1.1.1d. ok inoguchi@
* Bump libcrypto, libssl and libtls majors due to changes in struct sizesjsing2019-10-243-6/+6
| | | | and symbol addition.
* Add RSA_PSS_PARAMS pointer to RSA struct.jsing2019-10-241-1/+8
| | | | | | This will be used by upcoming RSA-PSS code. ok tb@
* Add maskHash field to RSA_PSS_PARAMS.jsing2019-10-241-1/+4
| | | | | | | This will be soon used as an optimisation and reduces the differences between OpenSSL. ok tb@
* Provide RSA_pkey_ctx_ctrl().jsing2019-10-243-2/+20
| | | | | | | | | This is a wrapper around EVP_PKEY_CTX_ctrl() which requires the key to be either RSA or RSA-PSS. From OpenSSL 1.1.1d. ok tb@
* Add EVP_PKEY_RSA_PSS.jsing2019-10-241-1/+2
| | | | ok tb@
* Sync RSA_padding_check_PKCS1_OAEP_mgf1().jsing2019-10-171-64/+111
| | | | | | | | | Update RSA_padding_check_PKCS1_OAEP_mgf1() with code from OpenSSL 1.1.1d (with some improvements/corrections to comments). This brings in code to make the padding check constant time. ok inoguchi@ tb@
* Provide err_clear_last_constant_time() as a way of clearing an error fromjsing2019-10-172-1/+24
| | | | | | | | | | the top of the error stack in constant time. This will be used by upcoming RSA changes. From OpenSSL 1.1.1d. ok inoguchi@ tb@
* bump internal version to 3.0.2bcook2019-10-101-2/+2
|
* bump to 3.0.2bcook2019-10-101-2/+2
|
* Use EVP_MAX_MD_SIZE instead of SHA_DIGEST_LENGTH and remove OPENSSL_NO_SHA*jsing2019-10-091-7/+2
| | | | | | conditionals, now that this code handles arbitrary message digests. ok inoguchi@ tb@
* Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.tb2019-10-044-11/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (Note that the CMS code is currently disabled.) Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license) tests from bluhm@ ok jsing commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f Author: Bernd Edlinger <bernd.edlinger@hotmail.de> Date: Sun Sep 1 00:16:28 2019 +0200 Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9777) (cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
* Use a valid curve when constructing an EC_KEY that looks like X25519.jsing2019-10-041-2/+3
| | | | | | | | | The recent EC group cofactor change results in stricter validation, which causes the EC_GROUP_set_generator() call to fail. Issue reported and fix tested by rsadowski@ ok tb@
* Provide internal RSA_padding_{add,check}_PKCS1_OAEP_mgf1() functions.jsing2019-10-042-10/+90
| | | | | | | | These are internal only for now and will be made public at a later date. The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around the *_mgf1() variant. ok tb@ inoguchi@ (as part of a larger diff)
* Move towards making RSA OAEP functions handle arbitrary message digests.jsing2019-10-031-53/+59
| | | | | | Based on OpenSSL 1.1.1. ok tb@, inoguchi@ (on an earlier/larger diff)
* bump for LibreSSL 3.0.1libressl-v3.0.1bcook2019-09-301-3/+3
|
* zap trailing whitespace;jmc2019-09-291-3/+3
|
* If a NULL or zero cofactor is passed to EC_GROUP_set_generator(),tb2019-09-293-11/+113
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | try to compute it using Hasse's bound. This works as long as the cofactor is small enough. Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license) tests & ok inoguchi input & ok jsing commit 30c22fa8b1d840036b8e203585738df62a03cec8 Author: Billy Brumley <bbrumley@gmail.com> Date: Thu Sep 5 21:25:37 2019 +0300 [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9781)
* Xr random 4 in a better wayderaadt2019-09-281-3/+5
|
* Add comment line saying S is described vaguely on purpose.otto2019-09-141-2/+3
| | | | Prompted by guenther@
* document EVP_PKEY_CTX_get_signature_md(3);schwarze2019-09-101-4/+17
| | | | jsing@ provided it in evp.h rev. 1.77
* Plug memory leak in error paths. Found while comparing this filetb2019-09-091-5/+5
| | | | | | with OpenSSL 1.1.1's version which contains a similar fix. ok jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 11:47:28 +0000