summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add DSA CMS support.jsing2019-11-011-1/+25
| | | | | | From OpenSSL 1.1.1d. ok tb@
* Add RSA CMS support.jsing2019-11-013-5/+262
| | | | | | From OpenSSL 1.1.1d. ok tb@
* Provide NID for pSpecified.jsing2019-11-012-0/+2
| | | | ok tb@
* Wire up PKEY methods for RSA-PSS.jsing2019-11-011-2/+6
| | | | ok tb@
* Wire up ASN.1 methods for RSA-PSS.jsing2019-11-011-1/+5
| | | | ok tb@
* In rsa.h rev. 1.45, jsing@ provided the threeschwarze2019-11-012-6/+64
| | | | | | macros EVP_PKEY_CTX_set_rsa_pss_keygen_*(3); document them. Text mostly taken from the OpenSSL 1.1.1 branch, which is still under a free license, but rearranged to fit the structure of our manual pages.
* move the PSS macros to the end in preparation for adding more macros,schwarze2019-11-011-50/+45
| | | | | reduce text duplication by forming subsections, and some minor corrections
* The EVP_PKEY_CTX_ctrl(3) manual page requires additions for RSA-PSSschwarze2019-11-014-267/+358
| | | | but it is growing to excessive size, so split out RSA_pkey_ctx_ctrl(3).
* Update RSA ASN.1 code to handle RSA-PSS.jsing2019-11-014-302/+389
| | | | | | From OpenSSL 1.1.1d. ok tb@
* Clean up RSA_new_method().jsing2019-11-011-40/+24
| | | | | | | | | | Use calloc() instead of malloc() for initialisation and remove explicit zero initialisation of members. This ensures that new members always get initialised. Also use a single error return path, simplifying code. ok tb@
* Add RSA OAEP test for pkeyutl in appstest.shinoguchi2019-10-311-1/+21
|
* In rsa_pmeth.c rev. 1.30, jsing@ set the minimum RSA key lengthschwarze2019-10-311-2/+3
| | | | for RSA key generation to 512 bits. Document that minimum.
* Add CMS controls for RSA.jsing2019-10-311-1/+8
|
* Add support for RSA-PSS.jsing2019-10-315-65/+370
| | | | | | From OpenSSL 1.1.1d. ok inoguchi@
* Move RSA min modulus to a define and increase from 256 to 512 bits.jsing2019-10-312-4/+6
| | | | | | From OpenSSL 1.1.1d. ok inoguchi@
* Fix indent and indent before labels.jsing2019-10-311-5/+5
|
* Use braces where a statement has both multi-line and single-line blocks.jsing2019-10-311-8/+13
| | | | | | Makes code more robust and reduces differences with OpenSSL. ok inoguchi@
* Add additional validation of key size, message digest size and publicjsing2019-10-311-3/+17
| | | | | | | | exponent. From OpenSSL 1.1.1d. ok inoguchi@
* Clean up some code.jsing2019-10-311-11/+13
| | | | | | | Assign and test, explicitly test against NULL and use calloc() rather than malloc. ok inoguchi@
* Avoid potentially leaking pub_exp in pkey_rsa_copy().jsing2019-10-311-4/+4
| | | | ok inoguchi@
* In rsa.h rev. 1.41, jsing@ provided RSA_pkey_ctx_ctrl(3).schwarze2019-10-291-1/+26
| | | | Write the documentation from scratch.
* merge documentation for several macros EVP_PKEY_CTX_*_rsa_oaep_*(3)schwarze2019-10-291-4/+239
| | | | | | and EVP_PKEY_CTX_*_ecdh_*(3); from Antoine Salon <asalon at vmware dot com> via OpenSSL commit 87103969 Oct 1 14:11:57 2018 -0700 from the OpenSSL 1.1.1 branch, which is still under a free license
* merge documentation for EVP_PKEY_CTX_set1_id(3), EVP_PKEY_CTX_get1_id(3),schwarze2019-10-291-2/+57
| | | | | | and EVP_PKEY_CTX_get1_id_len(3), but make it sound more like English text; from Paul Yang via OpenSSL commit f922dac8 Sep 6 10:36:11 2018 +0800 from the OpenSSL 1.1.1 branch, which is still under a free license
* merge documentation of EVP_PKEY_CTX_set_ec_param_enc(3)schwarze2019-10-291-6/+23
| | | | from Stephen Henson via OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000
* correct HISTORY of some RSA control macrosschwarze2019-10-291-5/+26
|
* list supported algorithm ids and clarify how the engine argument is usedschwarze2019-10-291-10/+50
|
* Add two controls that were missed in the previous commit.jsing2019-10-291-1/+13
|
* Update RSA OAEP code.jsing2019-10-292-21/+124
| | | | | | | This syncs the RSA OAEP code with OpenSSL 1.1.1d, correctly handling OAEP padding and providing various OAEP related controls. ok inoguchi@ tb@
* Provide EVP_PKEY_CTX_md().jsing2019-10-292-8/+18
| | | | | | | | | | | | This handles controls with a message digest by name, looks up the message digest and then proxies the control through with the EVP_MD *. This is internal only for now and will be used in upcoming RSA related changes. Based on OpenSSL 1.1.1d. ok inoguchi@ tb@
* Free maskHash when RSA_PSS_PARAMS is freed.jsing2019-10-251-3/+23
| | | | ok tb@
* Service names are still resolved with -nkn2019-10-241-4/+4
| | | | | | | | | Just like pfctl(8)'s -N, this flag only avoid DNS; "nc -vz ::1 socks" still works. Fix documentation by copying pfctl's wording. OK deraadt
* Provide ASN1_TYPE_{,un}pack_sequence().jsing2019-10-242-2/+36
| | | | | | | | These are internal only for now. Based on OpenSSL 1.1.1d. ok inoguchi@
* Provide RSA_OAEP_PARAMS along with ASN.1 encoding/decoding.jsing2019-10-242-2/+97
| | | | | | | | For now these are internal only. From OpenSSL 1.1.1d. ok inoguchi@
* Bump libcrypto, libssl and libtls majors due to changes in struct sizesjsing2019-10-243-6/+6
| | | | and symbol addition.
* Add RSA_PSS_PARAMS pointer to RSA struct.jsing2019-10-241-1/+8
| | | | | | This will be used by upcoming RSA-PSS code. ok tb@
* Add maskHash field to RSA_PSS_PARAMS.jsing2019-10-241-1/+4
| | | | | | | This will be soon used as an optimisation and reduces the differences between OpenSSL. ok tb@
* Provide RSA_pkey_ctx_ctrl().jsing2019-10-243-2/+20
| | | | | | | | | This is a wrapper around EVP_PKEY_CTX_ctrl() which requires the key to be either RSA or RSA-PSS. From OpenSSL 1.1.1d. ok tb@
* Add EVP_PKEY_RSA_PSS.jsing2019-10-241-1/+2
| | | | ok tb@
* Print IP address in verbose modejob2019-10-241-12/+34
| | | | OK kn@
* Revert previous, which works for -N case but causes regress failuresbeck2019-10-231-18/+1
| | | | | | | for tls, since the socket is shut down without calling tls_close(). Since nc appears to have a problem with this in other shutdown() cases I am simply going to bake a new diff for this. noticed by bluhm@.
* Sync RSA_padding_check_PKCS1_OAEP_mgf1().jsing2019-10-171-64/+111
| | | | | | | | | Update RSA_padding_check_PKCS1_OAEP_mgf1() with code from OpenSSL 1.1.1d (with some improvements/corrections to comments). This brings in code to make the padding check constant time. ok inoguchi@ tb@
* Fix -N flag to actually shut down the (entire) socket when the inputbeck2019-10-171-1/+18
| | | | | | | | | | | | | goes away. This allows for using nc in cases where the network server will no longer expect anything after eof, instead of hanging waiting for more input from our end. Additionaly, shut down if tls is in use if either side of the socket goes away, since we higher level TLS operations (tls_read and write) will require the socket to be both readable and writable as we can get TLS_WANT_POLLIN or TLS_WANT_POLLOUT on either operation. deraadt@ buying it. found by sthen@
* Provide err_clear_last_constant_time() as a way of clearing an error fromjsing2019-10-172-1/+24
| | | | | | | | | | the top of the error stack in constant time. This will be used by upcoming RSA changes. From OpenSSL 1.1.1d. ok inoguchi@ tb@
* bump internal version to 3.0.2bcook2019-10-101-2/+2
|
* bump to 3.0.2bcook2019-10-101-2/+2
|
* Use EVP_MAX_MD_SIZE instead of SHA_DIGEST_LENGTH and remove OPENSSL_NO_SHA*jsing2019-10-091-7/+2
| | | | | | conditionals, now that this code handles arbitrary message digests. ok inoguchi@ tb@
* Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.tb2019-10-044-11/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (Note that the CMS code is currently disabled.) Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license) tests from bluhm@ ok jsing commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f Author: Bernd Edlinger <bernd.edlinger@hotmail.de> Date: Sun Sep 1 00:16:28 2019 +0200 Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9777) (cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
* Use a valid curve when constructing an EC_KEY that looks like X25519.jsing2019-10-041-2/+3
| | | | | | | | | The recent EC group cofactor change results in stricter validation, which causes the EC_GROUP_set_generator() call to fail. Issue reported and fix tested by rsadowski@ ok tb@
* Provide internal RSA_padding_{add,check}_PKCS1_OAEP_mgf1() functions.jsing2019-10-042-10/+90
| | | | | | | | These are internal only for now and will be made public at a later date. The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around the *_mgf1() variant. ok tb@ inoguchi@ (as part of a larger diff)
* Avoid a path traversal bug in s_server on Windows.bcook2019-10-041-3/+3
| | | | | | | | openssl s_server has an arbitrary read vulnerability on Windows when run with the -WWW or -HTTP options, due to an incomplete path check logic. Thanks to Jobert Abma for reporting. ok tb@