| Age | Commit message (Collapse) | Author |
|---|
|
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@
|
|
by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a
sidechannel timing attack during RSA private key generation.
Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force
the use of the _ct or _nonct versions of the function only within
the library.
ok jsing@
|
|
ok guenther@
|
|
ok jsing@
|
|
ok jsing@
|
|
matter for constant time, and make the public interface only used
external to the library.
This moves us to a model where the important things are constant time
versions unless you ask for them not to be, rather than the opposite.
I'll continue with this method by method.
Add regress tests for same.
ok jsing@
|
|
with some style cleanup after. no binary change
ok jsing@
|
|
about it and it's ok to remove it. This only came up as our clang
is targeted at armv7 which enables the NEON instructions.
ok kettenis@
|
|
Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting
the bn_* symbols. These are documented as only being intended for internal
use, so why they were placed in a public header is beyond me...
This hides 363 previously exported symbols, most of which exist in headers
that are not installed and were never intended to be public. This also
removes a few crusty old things that should have died long ago (like
_ossl_old_des_read_pw). But don't worry... there are still 3451 symbols
exported from the library.
With input and testing from inoguchi@.
ok beck@ inoguchi@
|
|
ok miod@
|
|
return statement.
ok beck@ jsing@
|
|
meaningful constants in a private header file, so that reviewers can actually
get a chance to figure out what the code is attempting to do without knowing
all cpuid bits.
While there, turn it from an array of two 32-bit ints into a properly aligned
64-bit int.
Use of OPENSSL_ia32_P is now restricted to the assembler parts. C code will
now always use OPENSSL_cpu_caps() and check for the proper bits in the
whole 64-bit word it returns.
i386 tests and ok jsing@
|
|
|
|
fails to reduce the input in the expected space then fail out instead
of overflowing the allocated buffer.
combines openssl commits 28a89639da50b1caed4ff3015508f23173bf3e49 and
3612ff6fcec0e3d1f2a598135fe12177c0419582
ok doug@ beck@
|
|
ok deraadt@
|
|
ok deraadt@
|
|
|
|
from OpenSSL commit 7f98aa7403a1244cf17d1aa489f5bb0f39bae431
CVE-2016-0702
ok beck@
|
|
Patch based on OpenSSL commit d7a854c055ff22fb7da80c3b0e7cb08d248591d0
"Performance penalty varies from platform to platform, and even
key length. For rsa2048 sign it was observed to reach almost 10%."
CVE-2016-0702
ok beck@
|
|
Don't dereference d when top is zero.
Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03
ok jsing@
|
|
Don't dereference d when top is zero.
Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03
ok jsing@
|
|
Found with STACK, originally from OpenSSL, ok @beck
|
|
|
|
|
|
ok beck@
|
|
BN_mod_word() can return incorrect results if the supplied modulus is
too big, so we need to fall back to BN_div_word.
Now that BN_mod_word may fail, handle errors properly update the man page.
Thanks to Brian Smith for pointing out these fixes from BoringSSL:
https://boringssl.googlesource.com/boringssl/+/67cb49d045f04973ddba0f92fe8a8ad483c7da89
https://boringssl.googlesource.com/boringssl/+/44bedc348d9491e63c7ed1438db100a4b8a830be
ok beck@
|
|
Started by diff from Mical Mazurek.
|
|
Noticed by pascal-cuoq from Github:
https://github.com/libressl-portable/openbsd/issues/56
ok beck@
|
|
uses a macro with multiple-evaluations of arguments (different amount
than the previous version..), but doug/bcook's inline version makes
BIGNUM not opaque [problem spotted by naddy]
ok doug
|
|
|
|
Need to make sure i * 4 won't overflow. Based on OpenSSL:
commit 99ba9fd02fd481eb971023a3a0a251a37eb87e4c
input + ok bcook@
ok beck@
|
|
|
|
reported by Ruslan Babayev.
|
|
becoming negative in probable_prime_dh_safe(). Reported by Franck Denis who
noticed `openssl gendh 0' would segfault.
Fix adapted from OpenSSL RT#2701.
ok beck@ jsing@
|
|
|
|
|
|
ok sthen@ bcook@
|
|
now, it has a NULL deref. Segfault reported by Mikolaj Kucharski, ok bcook
|
|
ok miod
|
|
BN_bn2hex() had a 1-byte overflow when creating "-0\0". Reported to
me a while back by unknown person -- did not have enough experience
to push this through then.
advice from jsing, ok miod
|
|
|
|
|
|
Fixes builds gcc + Apple's assembler, working on reenabling builds with older
OpenBSD releases.
based on OpenSSL commit:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=902b30df193afc3417a96ba72a81ed390bd50de3
ok miod@
|
|
ok miod@
|
|
|
|
ECParameters structure that has a specially malformed binary polynomial
field.
Issue reported by Joseph Barr-Pixton and fix based on OpenSSL.
Fixes CVE-2015-1788.
ok doug@ miod@
|
|
After calling BN_CTX_start(), there must be a BN_CTX_end() before
returning. There were missing BN_CTX_end() calls in error paths. One diff
chunk was simply removing redundant code related to this.
ok deraadt@
|
|
The actual control flow is intentional while the indenting is incorrect.
This is intended to be a cosmetic change.
Verified that each of these was part of a KNF commit that wasn't intending
to change behavior. Also, double checked against the history of changes in
OpenSSL and BoringSSL.
Addresses Coverity CIDs: 78842, 78859, 78863.
ok tedu@
|
|
See https://www.openssl.org/news/secadv_20150108.txt for a more detailed
discussion.
Original OpenSSL patch here:
https://github.com/openssl/openssl/commit/a7a44ba55cb4f884c6bc9ceac90072dea38e66d0
The regression test is modified a little for KNF.
ok miod@
|
|
BN_bin2bn() will helpfully allocate a BN which is then leaked. Avoid this
by explicitly checking for NULL at the start of the bnrand() function.
Fixes Coverity ID 78831.
ok miod@
|
