Age | Commit message | Author |
|
This fixes openssl(1) rsa -text output format
ok tb@
|
|
Issue spotted by bcook@
ok bcook@ inoguchi@
|
|
works again with the horrific API that is ASN1_bn_print().
Issue spotted by inoguchi@
|
|
Prompted by inoguchi@
|
|
|
|
|
|
From OpenSSL 1.1.1d.
ok tb@
|
|
From OpenSSL 1.1.1d.
ok tb@
|
|
Use calloc() instead of malloc() for initialisation and remove explicit
zero initialisation of members. This ensures that new members always get
initialised.
Also use a single error return path, simplifying code.
ok tb@
|
|
|
|
From OpenSSL 1.1.1d.
ok inoguchi@
|
|
From OpenSSL 1.1.1d.
ok inoguchi@
|
|
|
|
Makes code more robust and reduces differences with OpenSSL.
ok inoguchi@
|
|
exponent.
From OpenSSL 1.1.1d.
ok inoguchi@
|
|
Assign and test, explicitly test against NULL and use calloc() rather than
malloc().
ok inoguchi@
|
|
ok inoguchi@
|
|
|
|
This syncs the RSA OAEP code with OpenSSL 1.1.1d, correctly handling OAEP
padding and providing various OAEP related controls.
ok inoguchi@ tb@
|
|
ok tb@
|
|
For now these are internal only.
From OpenSSL 1.1.1d.
ok inoguchi@
|
|
This will be used by upcoming RSA-PSS code.
ok tb@
|
|
This will soon be used as an optimisation and reduces the differences
with OpenSSL.
ok tb@
|
|
This is a wrapper around EVP_PKEY_CTX_ctrl() which requires the key to be
either RSA or RSA-PSS.
From OpenSSL 1.1.1d.
ok tb@
|
|
Update RSA_padding_check_PKCS1_OAEP_mgf1() with code from OpenSSL 1.1.1d
(with some improvements/corrections to comments).
This brings in code to make the padding check constant time.
ok inoguchi@ tb@
|
|
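The padding check that this commit makes constant time is easier to see in a self-contained form. The following is an added example written for this page, not LibreSSL's or OpenSSL's code: EME-OAEP encoding and decoding over the encoded message EM (RFC 8017 section 7.1 with SHA-256 and MGF1-SHA-256), with every check of the decoder folded into one mask in the style of RSA_padding_check_PKCS1_OAEP_mgf1(). Python gives no timing guarantees, so what it demonstrates is the structure of such a check rather than actual constant time; the function names, the fixed test seed and the 128-byte modulus length are assumptions made for the example.

```python
# Added example, not LibreSSL/OpenSSL code: EME-OAEP over EM with an accumulate-a-mask
# padding check. Python is not constant time; the structure is what this shows.
import hashlib
import os
from typing import Optional

HLEN = hashlib.sha256().digest_size  # 32


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-256 (RFC 8017 appendix B.2.1)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ct_zero(x: int) -> int:
    """All-ones mask (-1) if x == 0, else 0, for 0 <= x <= 255, without a data-dependent branch."""
    return (x - 1) >> 8


def oaep_encode(msg: bytes, k: int, label: bytes = b"", seed: Optional[bytes] = None) -> bytes:
    """EM = 0x00 || maskedSeed || maskedDB, DB = lHash || PS || 0x01 || M; k = modulus bytes.
    A fixed seed is only for reproducible tests (constructed input)."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    lhash = hashlib.sha256(label).digest()
    db = lhash + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = os.urandom(HLEN) if seed is None else seed
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b"") -> Optional[bytes]:
    """Inverse of oaep_encode(). Every check ANDs into `good`; None on any failure."""
    if k < 2 * HLEN + 2 or len(em) != k:
        return None  # lengths are public; branching on them leaks nothing
    lhash = hashlib.sha256(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    good = ct_zero(y)                              # leading byte Y must be 0x00
    for a, b in zip(db[:HLEN], lhash):             # lHash' must equal lHash
        good &= ct_zero(a ^ b)
    found_one, one_index = 0, 0
    for i in range(HLEN, len(db)):                 # PS is zeros up to the first 0x01
        is_one = ct_zero(db[i] ^ 0x01)
        one_index |= i & is_one & ~found_one       # latch the index of the first 0x01
        found_one |= is_one
        good &= ct_zero(db[i]) | found_one         # before the separator only 0x00 passes
    good &= found_one                              # a separator must exist
    msg = db[one_index + 1:]
    return msg if good == -1 else None


def demo() -> tuple:
    em = oaep_encode(b"attack at dawn", 128, seed=b"\x42" * HLEN)
    tampered = em[:-1] + bytes([em[-1] ^ 0x01])  # one bit of maskedDB: lHash check fails
    return (
        oaep_decode(em, 128),                     # b"attack at dawn"
        oaep_decode(b"\x01" + em[1:], 128),       # None: Y != 0x00
        oaep_decode(em, 128, label=b"other"),     # None: lHash mismatch
        oaep_decode(tampered, 128),               # None
    )
```

The decoder does not return early once the lHash comparison fails, locates the 0x01 separator with masks rather than a branch, and hands back one good/bad result; the RSA public-key operation in front of it is left out since it does not affect the padding check.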
conditionals, now that this code handles arbitrary message digests.
ok inoguchi@ tb@
|
|
These are internal only for now and will be made public at a later date.
The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around
the *_mgf1() variant.
ok tb@ inoguchi@ (as part of a larger diff)
|
|
Based on OpenSSL 1.1.1.
ok tb@, inoguchi@ (on an earlier/larger diff)
|
|
EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA.
This is used by the upcoming RSA CMS code.
ok inoguchi@ tb@
|
|
ok tb@, jsing@, sthen@
|
|
RSA_meth_get_finish() RSA_meth_set1_name() EVP_CIPHER_CTX_(get|set)_iv()
feedback and ok jsing@ tb@
|
|
(there are no known attacks, this is just inexpensive prudence)
feedback and ok tb@ jsing@
|
|
Requires adding a const to the priv_decode() member of
EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode()
functions. All this is already documented this way.
tested in a bulk build by sthen
ok jsing
|
|
|
|
CID #183499.
input & ok jsing, ok mestre on first version
|
|
ok tb@
|
|
Based on an OpenSSL commit by David Benjamin.
Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library
reported that more than 200 "expected to fail" signatures among Project
Wycheproof's test vectors validated on LibreSSL. This patch makes them
all fail.
ok jsing
commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836
Author: David Benjamin <davidben@google.com>
Date: Sat Aug 20 13:35:17 2016 -0400
Implement RSASSA-PKCS1-v1_5 as specified.
RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode
the DigestInfo struct and then compare the result against the public key
operation result. This implies that one and only one encoding is legal.
OpenSSL instead parses with crypto/asn1, then checks that the encoding
round-trips, and allows some variations for the parameter. Sufficient
laxness in this area can allow signature forgeries, as described in
https://www.imperialviolet.org/2014/09/26/pkcs1.html
Although there aren't known attacks against OpenSSL's current scheme,
this change makes OpenSSL implement the algorithm as specified. This
avoids the uncertainty and, more importantly, helps grow a healthy
ecosystem. Laxness beyond the spec, particularly in implementations
which enjoy wide use, risks harm to the ecosystem for all. A signature
producer which only tests against OpenSSL may not notice bugs and
accidentally become widely deployed. Thus implementations have a
responsibility to honor the specification as tightly as is practical.
In some cases, the damage is permanent and the spec deviation and
security risk becomes a tax all implementors must forever pay, but not
here. Both BoringSSL and Go successfully implemented and deployed
RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
this change should be compatible enough to pin down in future OpenSSL
releases.
See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
As a bonus, by not having to deal with sign/verify differences, this
version is also somewhat clearer. It also more consistently enforces
digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath
wasn't quite doing this right.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1474
|
|
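The encode-and-compare verification that the commit message describes, as an added example that is not part of the original page and not OpenSSL's or LibreSSL's code: verify_strict() rebuilds the one legal EM for the message and compares it whole, as RFC 3447 (now RFC 8017) section 8.2.2 steps 3 and 4 require. verify_lax() is a constructed contrast, not what OpenSSL did before this change: it parses the DigestInfo out of EM and ignores any bytes after it, the kind of laxness the linked imperialviolet post discusses. forge_e3() then shows the Bleichenbacher-style consequence when e = 3: the cube root of a suitably shaped number passes the lax verifier and fails the strict one. The 2048-bit toy key, the seeded prime generation and all function names are assumptions made for this example.

```python
# Added example, not OpenSSL or LibreSSL code: RSASSA-PKCS1-v1_5 verification by rebuilding the
# one legal EM and comparing it whole, beside a constructed lax verifier and an e = 3 forgery.
import hashlib
import hmac
import random
from math import gcd

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || T, T = DigestInfo(H(M)), length k."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(n: int, d: int, msg: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def verify_strict(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    """RFC 8017 8.2.2 steps 3-4: EM = I2OSP(s^e mod n, k); accept iff EM == EMSA-PKCS1-v1_5(M)."""
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))

def verify_lax(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    """Constructed lax verifier: walks the padding, checks that T for H(M) follows the 0x00
    separator, and never checks that T also ends the EM."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= k or em[i] != 0x00:   # at least 8 bytes of PS, then the separator
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t    # bytes after T are never examined: the flaw

def icbrt(x: int) -> int:
    """Floor of the cube root of x >= 0: integer Newton from above, then exact correction."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)
    while (nr := (2 * r + x // (r * r)) // 3) < r:
        r = nr
    while r * r * r > x:
        r -= 1
    while (r + 1) ** 3 <= x:
        r += 1
    return r

def forge_e3(n: int, msg: bytes) -> bytes:
    """Bleichenbacher-style forgery against verify_lax() for e = 3, no private key needed:
    minimal PS, then T, then free bytes; any s with lo <= s^3 < hi keeps that prefix."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    free_bits = 8 * (k - 11 - len(t))
    lo = int.from_bytes(b"\x00\x01" + b"\xff" * 8 + b"\x00" + t, "big") << free_bits
    s = icbrt(lo)
    s += s ** 3 < lo                         # ceiling; s^3 < 2^(8k-15) < n, so no reduction
    if s ** 3 >= lo + (1 << free_bits):
        raise ValueError("too few free bytes in EM for this modulus size")
    return s.to_bytes(k, "big")

def _probable_prime(bits: int, rng: random.Random) -> int:
    """Random prime with p % 3 == 2 (so gcd(3, p - 1) == 1): trial division, then Miller-Rabin."""
    small = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if c % 3 != 2 or any(c % p == 0 for p in small):
            continue
        d, r = c - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(16):
            x = pow(rng.randrange(2, c - 1), d, c)
            if x in (1, c - 1):
                continue
            for _ in range(r - 1):
                x = x * x % c
                if x == c - 1:
                    break
            else:
                break                        # witness of compositeness: next candidate
        else:
            return c

def make_toy_key(bits: int = 2048, e: int = 3, seed: int = 1):
    """Deterministic constructed key; e = 3 only makes the forgery cheap to demonstrate."""
    rng = random.Random(seed)
    while True:
        p, q = _probable_prime(bits // 2, rng), _probable_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def demo() -> dict:
    n, e, d = make_toy_key()
    honest, evil = b"pay 10 EUR to alice", b"pay 1000000 EUR to mallory"
    sig, forged = sign(n, d, honest), forge_e3(n, evil)
    return {"honest_strict": verify_strict(n, e, honest, sig),   # True
            "honest_lax": verify_lax(n, e, honest, sig),         # True
            "forged_strict": verify_strict(n, e, evil, forged),  # False
            "forged_lax": verify_lax(n, e, evil, forged)}        # True
```

demo() returns the four verdicts; key generation takes well under a second in CPython. The forgery needs no private key: with a 256-byte modulus the fixed prefix occupies 62 bytes and the remaining 194 bytes of EM absorb the rounding error of the cube root, and because s^3 stays below n the public-key operation is plain integer cubing. The strict verifier rejects it because the padding string has the wrong length, which is exactly the byte-for-byte comparison the specification calls for.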
OpenSSL commit 7c96dbcdab9 by Rich Salz.
This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.
ok jsing, tested by & ok inoguchi
|
|
Note that these functions return NULL in out-of-memory situations,
but contrary to OpenSSL's versions they do not set an error.
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
EVP_PKEY_get0_{DH,DSA,RSA}(), RSA_{g,s}et0_key().
ok jsing
|
|
Several pieces of software expect this to be available unconditionally.
|
|
code. We removed SSLv2/SSLv3 a long time ago...
Discussed with doug@
|
|
reduces conditional logic (-218, +82).
MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation in bn/bn_exp.c
wasn't quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and
BN_FLG_STATIC_DATA where the condition cannot be collapsed completely.
Passes regress. ok beck
|
|
|
|
|