path: root/src/lib
Commit log (columns: commit message, author, date, files changed, lines removed/added)
...
* Use a size_t instead of an int for the byte count in BN_swap_ct().
  Author: tb  Date: 2018-07-23  Files: 2  Lines: -8/+11
  Since bignums use ints for the same purpose, this still uses an int internally after an overflow check. Suggested by and discussed with jsing. ok inoguchi, jsing
* Clean up our disgusting implementations of BN_{,u}{add,sub}(), following
  Author: tb  Date: 2018-07-23  Files: 1  Lines: -157/+67
  changes made in OpenSSL by Davide Galassi and others, so that one can actually follow what is going on. There is no performance impact from this change as the code still does essentially the same thing. There's a ton of work still to be done to make the BN code less terrible. ok jsing, kn
* Implement RSASSA-PKCS1-v1_5 as specified in RFC 8017.
  Author: tb  Date: 2018-07-23  Files: 1  Lines: -120/+148
  Based on an OpenSSL commit by David Benjamin. Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library reported that more than 200 "expected to fail" signatures among Project Wycheproof's test vectors validated on LibreSSL. This patch makes them all fail. ok jsing

  commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836
  Author: David Benjamin <davidben@google.com>
  Date: Sat Aug 20 13:35:17 2016 -0400

  Implement RSASSA-PKCS1-v1_5 as specified.

  RFC 3447, section 8.2.2, steps 3 and 4 state that verifiers must encode the DigestInfo struct and then compare the result against the public key operation result. This implies that one and only one encoding is legal.

  OpenSSL instead parses with crypto/asn1, then checks that the encoding round-trips, and allows some variations for the parameter. Sufficient laxness in this area can allow signature forgeries, as described in https://www.imperialviolet.org/2014/09/26/pkcs1.html

  Although there aren't known attacks against OpenSSL's current scheme, this change makes OpenSSL implement the algorithm as specified. This avoids the uncertainty and, more importantly, helps grow a healthy ecosystem. Laxness beyond the spec, particularly in implementations which enjoy wide use, risks harm to the ecosystem for all. A signature producer which only tests against OpenSSL may not notice bugs and accidentally become widely deployed. Thus implementations have a responsibility to honor the specification as tightly as is practical. In some cases, the damage is permanent and the spec deviation and security risk becomes a tax all implementors must forever pay, but not here. Both BoringSSL and Go successfully implemented and deployed RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so this change should be compatible enough to pin down in future OpenSSL releases.

  See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00

  As a bonus, by not having to deal with sign/verify differences, this version is also somewhat clearer. It also more consistently enforces digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath wasn't quite doing this right.

  Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Rich Salz <rsalz@openssl.org>
  GH: #1474
* Document behavior change of EC_POINTs_mul() again.
  Author: tb  Date: 2018-07-16  Files: 1  Lines: -4/+22
* Recommit Billy Brumley's ECC constant time patch with a fix for sparc64
  Author: tb  Date: 2018-07-16  Files: 6  Lines: -47/+341
  from Nicola Tuveri (who spotted the omission of ecp_nist.c from the PR). discussed with jsing tested by jsg
* recommit label indentation part of the backout; clearly unrelated to the
  Author: tb  Date: 2018-07-15  Files: 19  Lines: -91/+93
  breakage.
* back out ecc constant time changes
  Author: jsg  Date: 2018-07-15  Files: 21  Lines: -448/+137
  after the constant time commits various regress tests started failing on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out resulted in 'invalid elliptic curve value' ok tb@
* Eliminate the weird condition in the BN_swap_ct() API that at most one bit
  Author: tb  Date: 2018-07-13  Files: 1  Lines: -3/+3
  be set in condition. This makes the constant time bit-twiddling a bit trickier, but it's not too bad. Thanks to halex for an extensive rubber ducking session over a non-spicy spicy tabouleh falafel. ok jsing, kn
* Sync comment
  Author: kn  Date: 2018-07-11  Files: 1  Lines: -3/+5
  Makes it a tad easier to read through and compare with BN_swap_ct(). OK tb
* Document behavior change of EC_POINTs_mul(3) from EC constant time changes.
  Author: tb  Date: 2018-07-11  Files: 1  Lines: -4/+22
  ok beck on earlier version, markup help from Schwarze.
* Turn yesterday's optimistic ! in an XXX comment into a more cautious ?
  Author: tb  Date: 2018-07-11  Files: 1  Lines: -2/+2
* Indent labels by a space so they don't obliterate function names in diffs.
  Author: tb  Date: 2018-07-10  Files: 19  Lines: -91/+93
* ECC constant time scalar multiplication support. First step in overhauling
  Author: tb  Date: 2018-07-10  Files: 5  Lines: -46/+337
  the EC module. From Billy Brumley and his team, via https://github.com/libressl-portable/openbsd/pull/94 With tweaks from jsing and me. ok jsing
* Provide BN_swap_ct(), a constant time function that conditionally swaps
  Author: tb  Date: 2018-07-10  Files: 2  Lines: -2/+53
  two bignums. It's saner and substantially less ugly than the existing public BN_constantime_swap() function and will be used in forthcoming work on constant time ECC code. From Billy Brumley and his team. Thanks! ok jsing
* Factor out a bit of ugly code that truncates the digest to the order_bits
  Author: tb  Date: 2018-07-10  Files: 1  Lines: -32/+32
  leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate a microoptimization that only converts the relevant part of the digest to a bignum. ok beck, jsing
* Move a detail on tls_connect(3) to its documentation and be a bit more
  Author: tb  Date: 2018-07-09  Files: 1  Lines: -5/+7
  explicit about the servername argument of tls_connect_servername(3). input & ok jsing, input & ok schwarze on earlier version
* wording tweak for tls_init() from jsing
  Author: tb  Date: 2018-07-09  Files: 1  Lines: -4/+4
  ok jsing, schwarze
* sync with const changes in x509.h r1.68.
  Author: tb  Date: 2018-07-09  Files: 1  Lines: -4/+4
* sync with const changes in evp.h r1.64.
  Author: tb  Date: 2018-07-09  Files: 1  Lines: -3/+3
* sync with const changes in bio.h r1.44.
  Author: tb  Date: 2018-07-09  Files: 1  Lines: -3/+3
* sync with const changes in bio.h r1.45.
  Author: tb  Date: 2018-07-09  Files: 1  Lines: -10/+10
* import the relevant parts of a new ASN1_INTEGER_get(3) manual page
  Author: schwarze  Date: 2018-07-08  Files: 2  Lines: -1/+240
  from OpenSSL, fixing many bugs and polishing many details
* Simplify and shorten the description of tls_init(3),
  Author: schwarze  Date: 2018-07-08  Files: 1  Lines: -4/+4
  fixing an awkward wording noticed by tb@. OK tb@
* Tiny tweak to the blinding comment.
  Author: tb  Date: 2018-06-16  Files: 1  Lines: -2/+4
* Basic cleanup. Handle the possibly NULL ctx_in in ecdsa_sign_setup() with
  Author: tb  Date: 2018-06-15  Files: 1  Lines: -67/+62
  the usual idiom. All the allocations are now handled inside conditionals as is usually done in this part of the tree. Turn a few comments into actual sentences and remove a few self-evident ones. Change outdated or cryptic comments into more helpful annotations. In ecdsa_do_verify(), start calculating only after properly truncating the message digest. More consistent variable names: prefer 'order_bits' and 'point' over 'i' and 'tmp_point'. ok jsing
* Clean up some whitespace and polish a few comments. Reduces noise in
  Author: tb  Date: 2018-06-15  Files: 1  Lines: -24/+21
  an upcoming diff.
* Use a blinding value when generating an ECDSA signature, in order to
  Author: tb  Date: 2018-06-14  Files: 1  Lines: -14/+65
  reduce the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok jsing
* Use a blinding value when generating a DSA signature, in order to reduce
  Author: jsing  Date: 2018-06-14  Files: 1  Lines: -9/+39
  the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok tb@
* Clarify the digest truncation comment in DSA signature generation.
  Author: jsing  Date: 2018-06-14  Files: 1  Lines: -3/+4
  Requested by and ok tb@
* Pull up the code that converts the digest to a BIGNUM - this only needs
  Author: jsing  Date: 2018-06-14  Files: 1  Lines: -10/+10
  to occur once and not be repeated if the signature generation has to be repeated. ok tb@
* Fix a potential leak/incorrect return value in DSA signature generation.
  Author: jsing  Date: 2018-06-14  Files: 1  Lines: -4/+6
  In the very unlikely case where we have to repeat the signature generation, the DSA_SIG return value has already been allocated. This will either result in a leak when we allocate again on the next iteration, or it will give a false success (with missing signature values) if any error occurs on the next iteration. ok tb@
* Call DSA_SIG_new() instead of hand rolling the same.
  Author: jsing  Date: 2018-06-14  Files: 1  Lines: -5/+2
  ok beck@ tb@
* DSA_SIG_new() amounts to a single calloc() call.
  Author: jsing  Date: 2018-06-14  Files: 1  Lines: -10/+3
  ok beck@ tb@
* style(9), comments and whitespace.
  Author: jsing  Date: 2018-06-13  Files: 1  Lines: -30/+32
* Avoid a timing side-channel leak when generating DSA and ECDSA signatures.
  Author: jsing  Date: 2018-06-13  Files: 2  Lines: -7/+4
  This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@
* zap stray tab
  Author: sthen  Date: 2018-06-12  Files: 1  Lines: -2/+2
* Reject excessively large primes in DH key generation. Problem reported
  Author: sthen  Date: 2018-06-12  Files: 1  Lines: -1/+6
  by Guido Vranken to OpenSSL (https://github.com/openssl/openssl/pull/6457) and based on his diff. suggestions from tb@, ok tb@ jsing@
  "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack."
* fix odd whitespace
  Author: tb  Date: 2018-06-10  Files: 1  Lines: -3/+3
* Remove a handrolled GOST_le2bn().
  Author: jsing  Date: 2018-06-10  Files: 1  Lines: -8/+4
  From Dmitry Eremin-Solenikov <dbaryshkov at gmail dot com>.
* Now that all of the server-side client key exchange processing functions
  Author: jsing  Date: 2018-06-10  Files: 1  Lines: -53/+40
  have been converted to CBS, pull it up a level. ok inoguchi@ tb@
* Allocate a dedicated buffer for use when deriving a shared key during
  Author: jsing  Date: 2018-06-03  Files: 1  Lines: -10/+18
  client KEX DHE processing, rather than reusing the buffer that is used to send/receive handshake messages. ok beck@ inoguchi@
* Check the return value from DH_size() in ssl3_send_client_kex_dhe().
  Author: jsing  Date: 2018-06-03  Files: 1  Lines: -4/+6
  ok beck@ inoguchi@
* Convert ssl3_get_client_kex_ecdhe_ecp() to CBS.
  Author: jsing  Date: 2018-06-02  Files: 1  Lines: -44/+42
  Also allocate a dedicated buffer to hold the shared secret, rather than reusing init_buf. ok inoguchi@ tb@
* Remove the three remaining single DES cipher suites.
  Author: jsing  Date: 2018-06-02  Files: 1  Lines: -49/+1
  These are insecure and should not be used - furthermore, we should not have been allowing their negotiation with TLSv1.2 (as noted by Robert Merget, Juraj Somorovsky and Simon Friedberger). Removing these cipher suites also fixes this issue. ok beck@ inoguchi@
* Add a const qualifier to the argument of UI_method_get_closer(),
  Author: tb  Date: 2018-06-02  Files: 2  Lines: -14/+14
  UI_method_get_flusher(), UI_method_get_opener(), UI_method_get_prompt_constructor(), UI_method_get_reader(), and UI_method_get_writer(). tested in a bulk build by sthen ok jsing
* Add const to the argument of the following callback getters:
  Author: tb  Date: 2018-06-02  Files: 2  Lines: -18/+18
  BIO_meth_get_callback_ctrl, BIO_meth_get_create, BIO_meth_get_ctrl, BIO_meth_get_destroy, BIO_meth_get_gets, BIO_meth_get_puts, BIO_meth_get_read, and BIO_meth_get_write. ok jsing
* Add const to both arguments of X509_certificate_type() and clean up
  Author: tb  Date: 2018-05-30  Files: 2  Lines: -17/+10
  a little: Use X509_get0_pubkey() in place of X509_get_pubkey() and EVP_PKEY_free(). Check return value of the former in the appropriate place and simplify the logic for dealing with the potentially NULL pkey argument (includes a neat tweak from jsing). Finally, kill an ugly comment that has been rotting for twenty years and merge the lines around it. tested in a bulk build by sthen ok jsing
* Add a const qualifier to the argument of EVP_PKEY_size().
  Author: tb  Date: 2018-05-30  Files: 2  Lines: -4/+4
  tested in a bulk build by sthen ok jsing
* Add a const qualifier to the `name' argument of
  Author: tb  Date: 2018-05-30  Files: 2  Lines: -6/+8
  X509_NAME_get_index_by_{OBJ,NID}(). tested in a bulk build by sthen suggested by & ok jsing
* Add a const qualifier to the `uni' argument of OPENSSL_uni2asc().
  Author: tb  Date: 2018-05-30  Files: 2  Lines: -4/+4
  tested in a bulk build by sthen ok jsing