| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
from OpenSSL, fixing many bugs and polishing many details
|
| |
|
|
|
| |
fixing an awkward wording noticed by tb@.
OK tb@
|
| |
|
|
| |
right spot helps this a bit. Other whitespace and typo fixes while there.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
the usual idiom. All the allocations are now handled inside conditionals as
is usually done in this part of the tree. Turn a few comments into actual
sentences and remove a few self-evident ones. Change outdated or cryptic
comments into more helpful annotations. In ecdsa_do_verify(), start
calculating only after properly truncating the message digest. More
consistent variable names: prefer 'order_bits' and 'point' over 'i' and
'tmp_point'.
ok jsing
|
| |
|
|
| |
an upcoming diff.
|
| |
|
|
|
|
|
|
| |
reduce the possibility of a side-channel attack leaking the private key.
Suggested by Keegan Ryan at NCC Group.
With input from and ok jsing
|
| |
|
|
|
|
|
|
| |
the possibility of a side-channel attack leaking the private key.
Suggested by Keegan Ryan at NCC Group.
With input from and ok tb@
|
| |
|
|
| |
Requested by and ok tb@
|
| |
|
|
|
|
|
| |
to occur once and not be repeated if the signature generation has to be
repeated.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
In the very unlikely case where we have to repeat the signature generation,
the DSA_SIG return value has already been allocated. This will either
result in a leak when we allocate again on the next iteration, or it
will give a false success (with missing signature values) if any error
occurs on the next iteration.
ok tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This is caused by an attempt to do fast modular arithmetic, which
introduces branches that leak information regarding secret values.
Issue identified and reported by Keegan Ryan of NCC Group.
ok beck@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
by Guido Vranken to OpenSSL (https://github.com/openssl/openssl/pull/6457)
and based on his diff. suggestions from tb@, ok tb@ jsing@
"During key agreement in a TLS handshake using a DH(E) based ciphersuite a
malicious server can send a very large prime value to the client. This will
cause the client to spend an unreasonably long period of time generating a key
for this prime resulting in a hang until the client has finished. This could be
exploited in a Denial Of Service attack."
|
| | |
|
| |
|
|
| |
From Dmitry Eremin-Solenikov <dbaryshkov at gmail dot com>.
|
| |
|
|
|
|
| |
have been converted to CBS, pull it up a level.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
client KEX DHE processing, rather than reusing the buffer that is used
to send/receive handshake messages.
ok beck@ inoguchi@
|
| |
|
|
| |
ok beck@ inoguchi@
|
| |
|
|
|
|
|
| |
Also allocate a dedicated buffer to hold the shared secret, rather than
reusing init_buf.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
These are insecure and should not be used - furthermore, we would should
not have been allowing their negotiation with TLSv1.2 (as noted by Robert
Merget, Juraj Somorovsky and Simon Friedberger). Removing these cipher
suites also fixes this issue.
ok beck@ inoguchi@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
UI_method_get_flusher(), UI_method_get_opener(),
UI_method_get_prompt_constructor(), UI_method_get_reader(), and
UI_method_get_writer().
tested in a bulk build by sthen
ok jsing
|
| |
|
|
|
|
|
|
| |
BIO_meth_get_callback_ctrl, BIO_meth_get_create, BIO_meth_get_ctrl,
BIO_meth_get_destroy, BIO_meth_get_gets, BIO_meth_get_puts,
BIO_meth_get_read, and BIO_meth_get_write.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
a little:
Use X509_get0_pubkey() in place of X509_get_pubkey() and EVP_PKEY_free().
Check return value of the former in the appropriate place and simplify the
logic for dealing with the potentially NULL pkey argument (includes a neat
tweak from jsing). Finally, kill an ugly comment that has been rotting for
twenty years and merge the lines around it.
tested in a bulk build by sthen
ok jsing
|
| |
|
|
|
| |
tested in a bulk build by sthen
ok jsing
|
| |
|
|
|
|
|
| |
X509_NAME_get_index_by_{OBJ,NID}().
tested in a bulk build by sthen
suggested by & ok jsing
|
| |
|
|
|
| |
tested in a bulk build by sthen
ok jsing
|
| |
|
|
|
| |
tested in a bulk build by sthen
ok bcook, jsing
|
| | |
|
| |
|
|
| |
Diff from Jack Burton <jack at saosce dot com dot au>.
|
| |
|
|
|
|
|
|
| |
to do it a second time by hand, badly. While here, do some style cleanup.
This incomplete list of function pointers appears in EVP_PKEY_asn1_copy()
as well, fix it by adding sig_print to the members copied over.
ok bcook
|
| |
|
|
| |
to the argument of UI_create_method(3). Adjust the manual.
|
| |
|
|
|
| |
to the ASN1_OBJECT argment of X509_NAME_add_entry_by_OBJ(3).
Adjust the manual.
|
| |
|
|
| |
to the input argument of ASN1_STRING_to_UTF8(3). Adjust the manual.
|
| |
|
|
| |
to the input argument of i2o_ECPublicKey(3). Adjust the manual.
|
| |
|
|
| |
to both arguments of X509_check_private_key(3). Adjust the manual.
|
| |
|
|
|
| |
tb@ added const qualifiers to the pointer arguments of some X509_get_ext*(3)
and X509_REVOKED_get_ext*(3) functions. Adjust the manual.
|
| |
|
|
|
| |
tb@ added a const qualifier to the X509_NAME argument of these output
functions. Adjust the manual.
|
| |
|
|
|
| |
tb@ added const qualifiers to some arguments of X509_NAME read accessors.
Adjust the manual.
|
| |
|
|
|
|
|
| |
to the X509_NAME_ENTRY argument of X509_NAME_add_entry(3) and in
x509.h rev. 1.55 2018/05/18 18:02:07 to the "bytes" argument of
X509_NAME_add_entry_by_OBJ(3) and X509_NAME_add_entry_by_NID(3).
Adjust the manual.
|
| |
|
|
|
| |
added const qualifiers to some arguments of some X509_NAME_ENTRY functions.
Adjust the manual.
|
| |
|
|
|
| |
to one argument each of X509_EXTENSION_set_object(3)
and X509_EXTENSION_get_critical(3). Adjust the manual.
|
