Age | Commit message (Collapse) | Author |
|
from Matt Caswell <matt at openssl dot org>
via OpenSSL commit d45a97f4 Mar 5 17:41:49 2018 +0000.
|
|
is no need to know at which time BN_pseudo_rand(3) was made the
same as BN_rand(3). Considering that question might even mislead
people to attempt ill-advised #ifdef'ing.
Pointed out by deraadt@.
|
|
Also clarify to which algorithms it applies.
From Matt Caswell <matt at openssl dot org>
via OpenSSL commit d45a97f4 Mar 5 17:41:49 2018 +0000.
Document
EVP_PKEY_CTX_get_rsa_padding(3), EVP_PKEY_CTX_get_rsa_pss_saltlen(3),
EVP_PKEY_CTX_set_rsa_mgf1_md(3), and EVP_PKEY_CTX_get_rsa_mgf1_md(3).
From Antoine Salon <asalon at vmware dot com>
via OpenSSL commit 87103969 Oct 1 14:11:57 2018 -0700
from the OpenSSL_1_1_1-stable branch, which is still under a free license.
|
|
Inspired by OpenSSL commit 6da34cfb Jun 2 16:17:32 2018 -0400
by Ken Goldman <kgoldman at us dot ibm dot com>,
but use the same wording as in ASN1_item_new(3) instead.
|
|
from <Matthias dot St dot Pierre at ncp dash e dot com>
via OpenSSL commit 5777254b May 27 09:07:07 2018 +0200.
|
|
via OpenSSL commit 521738e9 Oct 5 14:58:30 2018 -0400
|
|
Say so, and note that OpenSSL followed suit in 1.1.0 according
to OpenSSL commit 5ecff87d Jun 21 13:55:02 2017 +0100.
|
|
argument of 3; from Beat Bolli <dev at drbeat dot li>
via OpenSSL commit bd93f1ac Jul 28 16:45:22 2018 -0400.
|
|
Inspired by OpenSSL commit a130950d Aug 23 12:06:41 2017 -0400
by Rich Salz <rsalz at openssl dot org>, but using a more explicit
wording, and fixing *both* places rather than only half of them.
|
|
inspired by OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800
by Paul Yang <yang sot yang at baishancloud dot com>,
but without creating a RETURN VALUES section because that makes
no sense here: it would either result in a confusing order of
information or in duplicate information.
|
|
from Jakub Wilk <jwilk at jwilk dot net> via
OpenSSL commit a21285b3 Aug 21 18:30:34 2018 +0200
|
|
drops CA certificates whose validity dates don't comply with the rules on
ASN.1 encoding in RFC 5280 (and predecessors - same rule goes back to at
least RFC 2459, section 4.1.2.5).
LibreSSL strictly enforces this, so attempting to validate certificates
signed by these CAs just result in the following:
error 13 at 1 depth lookup:format error in certificate's notBefore field
"probably" beck@
|
|
Skip outputting them if invalid (e.g. GENERALIZEDTIME date before 2050).
|
|
This prototype was removed inadvertantly in r1.50.
OK jsing@
|
|
The current crypto_lock_init() function is not called early enough, meaning
that locks are already in use before it gets called. Worse, locks could be
in use when they are then initialised. Furthermore, since functions like
CRYPTO_lock() are public API, these could be called directly bypassing
initialisation.
Avoid these issues by using static initialisers.
ok bcook@
|
|
|
|
|
|
The previous code meant that a caller could set the locking callback, after
which CRYPTO_get_locking_callback() would return non-NULL. Some existing
code depends on this behaviour, specifically to identify if lock handling
has been configured. As such, always returning NULL from
CRYPTO_get_locking_callback() can result in unexpected application
behaviour.
ok bcook@
|
|
here could creates non-uniformity since very short fetches of 0 would
be excluded. blocks of 0 are just as random as any other data, including
blocks of 4 4 4.. This is a misguided attempt to identify errors from the
entropy churn/gather code doesn't make sense, errors don't happen.
ok bcook
|
|
|
|
for a timing vullnerability in ECDSA signature generation (CVE-2018-0735).
Note that the blinding that we introduced back in June for ECDSA and DSA
should mitigate this and related issues. This simply adds an additional
layer of protection.
discussed with jsing
|
|
ok bcook
|
|
ok beck@
|
|
ok beck inoguchi
|
|
|
|
tweaks from jsing and myself. The SM2/SM3/SM4 algorithms are mandatory
for legal use of cryptography within China and [are] widely applied in
the country, covering identification/financial cards, contactless,
TPM 2.0 and PKI.
ok beck inoguchi jsing
|
|
This implements automatic thread support initialization in libcrypto.
This does not remove any functions from the ABI, but does turn them into
no-ops. Stub implementations of pthread_mutex_(init|lock|unlock) are
provided for ramdisks.
This does not implement the new OpenSSL 1.1 thread API internally,
keeping the original CRYTPO_lock / CRYPTO_add_lock functions for library
locking. For -portable, crypto_lock.c can be reimplemented with
OS-specific primitives as needed.
ok beck@, tb@, looks sane guenther@
|
|
|
|
While there, eliminate a flag that was only used once.
ok beck jsing mestre
|
|
ok beck jsing mestre
|
|
CID 184282
ok beck jsing mestre
|
|
From Ben L <bobsayshilol () live ! co ! uk>
|
|
From Ben L bobsayshilol () live ! co ! uk
Similar fixes in BoringSSL and OpensSSL.
|
|
From Ben L bobsayshilol () live ! co ! uk
ok jsing
|
|
previous clean up.
Spotted by bcook@
|
|
|
|
non-overlapping *in and *out buffers as we're already implementing
the "in place (un)wrapping" algorithms as given in RFC 3394. This
removes a gratuitous API difference to OpenSSLin these undocumented
functions. Found while working on wycheproof regress tests.
ok beck jsing
|
|
ok beck jsing
|
|
re-enable coordinate blinding.
ok jsing
|
|
ok jsing
|
|
|
|
|
|
for LibreSSL. Add a (commented out) feature flag for TLSv1.3 and define the
OPENSSL_NO_TLS1_3 anti-feature flag based on the feature flag.
ok beck@ bluhm@ tb@
|
|
ok beck jsing
|
|
from which a a BIGNUM is chosen uniformly at random.
ok beck jsing
|
|
freeing and indent nearby labels.
ok beck jsing
|
|
takes care of this internally.
ok beck jsing
|
|
Based on OpenSSL commit 875ba8b21ecc65ad9a6bdc66971e50
by Billy Brumley, Sohaib ul Hassan and Nicola Tuveri.
ok beck jsing
commit 875ba8b21ecc65ad9a6bdc66971e50461660fcbb
Author: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Date: Sat Jun 16 17:07:40 2018 +0300
Implement coordinate blinding for EC_POINT
This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.
This commit is derived from the patch
https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.
Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.
For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.
For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6526)
|
|
features (and possibly never will).
|
|
currently exist in OpenSSL - comment out that ones that we do not already
define. Some OPENSSL_NO_* flags that we define have been removed from
OpenSSL (and code that depended on these to know when features are not
available now think that the features have been enabled...). We keep these
defined but in their own separate group.
ok bluhm@ tb@
|