| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
conditionals, now that this code handles arbitrary message digests.
ok inoguchi@ tb@
|
|
(Note that the CMS code is currently disabled.)
Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)
tests from bluhm@
ok jsing
commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun Sep 1 00:16:28 2019 +0200
Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)
(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
|
|
The recent EC group cofactor change results in stricter validation,
which causes the EC_GROUP_set_generator() call to fail.
Issue reported and fix tested by rsadowski@
ok tb@
|
|
These are internal only for now and will be made public at a later date.
The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around
the *_mgf1() variant.
ok tb@ inoguchi@ (as part of a larger diff)
|
|
openssl s_server has an arbitrary read vulnerability on Windows when run with
the -WWW or -HTTP options, due to an incomplete path check logic. Thanks to
Jobert Abma for reporting.
ok tb@
|
|
on html or groff. the solution, to replace the non-standard .nr macros
with a hang list, was provided by ingo - thanks!
ok schwarze
|
|
Based on OpenSSL 1.1.1.
ok tb@, inoguchi@ (on an earlier/larger diff)
|
|
|
|
|
|
try to compute it using Hasse's bound. This works as long as the
cofactor is small enough.
Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license)
tests & ok inoguchi
input & ok jsing
commit 30c22fa8b1d840036b8e203585738df62a03cec8
Author: Billy Brumley <bbrumley@gmail.com>
Date: Thu Sep 5 21:25:37 2019 +0300
[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.
This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.
This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.
It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).
The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.
CVE-2019-1547
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9781)
|
|
|
|
Prompted by guenther@
|
|
jsing@ provided it in evp.h rev. 1.77
|
|
with OpenSSL 1.1.1's version which contains a similar fix.
ok jsing
|
|
EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA.
This is used by the upcoming RSA CMS code.
ok inoguchi@ tb@
|
|
|
|
now being installed).
|
|
This header includes OPENSSL_NO_CMS guards, so even if things find the
header it provides no useful content (and other code should technically
also be using OPENSSL_NO_CMS...).
ok deraadt@ inoguchi@
|
|
This brings in EC code from OpenSSL 1.1.1b, with style(9) and whitespace
cleanups. All of this code is currently under OPENSSL_NO_CMS hence is a
no-op.
ok inoguchi@
|
|
These are needed for the upcoming EC CMS support (nothing else appears
to use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b.
With input from inoguchi@ and tb@.
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
Based on OpenSSL 1.1.1b.
ok inoguchi@ tb@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
