summaryrefslogtreecommitdiff
path: root/lib/libcrypto
AgeCommit message (Collapse)Author
2018-09-05use timing-safe compares for checking results in signature verificationDamien Miller
(there are no known attacks, this is just inexpensive prudence) feedback and ok tb@ jsing@
2018-09-02Elliptic curve arithmetic only makes sense between points that belong toTheo Buehler
the same curve. Some Wycheproof tests violate this assumption, making ECDH_compute_key() compute and return garbage. Check that pub_key lies on the curve of the private key so that the calculations make sense. Most paths that get here have this checked (in particular those from OpenSSH and libssl), but one might get here after using d2i_* or manual computation. discussed with & ok jsing; "good catch!" markus
2018-09-01Tweak comment.Theo Buehler
2018-08-28Remove extra "and" in "These functions and have been available"Theo Buehler
2018-08-26fix the same "an non" issue found by tb in EVP_EncryptInit.3;Jason McIntyre
2018-08-26Some of the functions in this manual need <openssl/dsa.h>, othersTheo Buehler
need <openssl/x509.h>. The functions {d2i,i2d}_DSA_params_{bio,fp}(3) were missing from the manual, so document them. The return values of the i2d_* functions are left undocumented, as these still need to be audited. ok schwarze (lots of input and help as usual)
2018-08-26typo: an nonce -> a nonceTheo Buehler
2018-08-24crank majors after symbol addition/modification/removalTheo Buehler
2018-08-24Add const to EVP_PKCS82PKEY().Theo Buehler
tested in a bulk by sthen ok jsing
2018-08-24Add consts to EVP_PKEY_asn1_set_private()Theo Buehler
Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way. tested in a bulk build by sthen ok jsing
2018-08-24After removing support for broken PKCS#8 formats (it was high time),Theo Buehler
we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there. tested in a bulk by sthen ok jsing
2018-08-24Remove EVP_PKEY2PKCS8_broken() and PKCS8_set_broken()Theo Buehler
Provide PKCS8_pkey_add1_attr_by_NID() and PKCS8_pkey_get0_attrs(). Remove the whole broken code and simplify pkcs8_priv_key_info_st accordingly. Based on OpenSSL commit 54dbf42398e23349b59f258a3dd60387bbc5ba13 plus some const that was added later. tested in a bulk build by sthen ok jsing
2018-08-24Document const change for OCSP_cert_to_id()Theo Buehler
ok jsing
2018-08-24Add const to two arguments of OCSP_cert_to_id()Theo Buehler
tested in a bulk by sthen ok jsing
2018-08-24Provide X509_get0_serialNumber()Theo Buehler
tested in a bulk by sthen ok jsing
2018-08-24Turn a number of #defines into proper functions with prototypes matchingTheo Buehler
those that OpenSSL has had for ages. ok jsing
2018-08-24Change PEM_Sign{Init,Update}() to return an int.Theo Buehler
tested in a bulk by sthen ok jsing
2018-08-24Check return value of EVP_EncodeUpdate() in PEM_write_bio().Theo Buehler
ok jsing
2018-08-24Check return value of EVP_EncodeUpdate() in b64_write().Theo Buehler
ok jsing
2018-08-24Convert EVP_EncodeUpdate() to return an int to allow for errorTheo Buehler
checking. Matches our documented behavior. Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387 tested in a bulk by sthen ok jsing
2018-08-24Provide EVP_CIPHER_CTX_encrypting().Theo Buehler
tested in a bulk by sthen ok jsing
2018-08-24Document prototype change and return values for BIO_set_cipher()Theo Buehler
ok jsing
2018-08-24Return an int in BIO_set_cipher() to be able to report errors.Theo Buehler
tested in a bulk by sthen ok jsing
2018-08-24In DSO_up_ref(), check return value of CRYPTO_add() and reportTheo Buehler
failure accordingly. ok jsing
2018-08-24In ENGINE_up_ref(), check return value of CRYPTO_add() and reportTheo Buehler
failure accordingly. ok jsing
2018-08-24Document new prototype and return values of X509_OBJECT_up_ref_count()Theo Buehler
ok jsing
2018-08-24Make X509_OBJECT_up_ref_count return an int.Theo Buehler
Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387 tested in a bulk by sthen ok jsing
2018-08-24Update documentation of CRYPTO_mem_leaks*.Theo Buehler
ok jsing
2018-08-24Let CRYPTO_mem_leaks{,_fp,_cb}() return -1.Theo Buehler
These functions are no-ops. Their signature was changed by OpenSSL to allow error checking. This way we return an error and do not indicate the (non-)existence of memory leaks. tested in a bulk by sthen ok jsing
2018-08-19Don't leak sktmp in X509_verify_cert().Theo Buehler
CID #118791 ok jsing mestre
2018-08-19whitespace fixTheo Buehler
2018-08-19Don't leak db on error in RSA_padding_check_PKCS1_OAEP().Theo Buehler
CID #183499. input & ok jsing, ok mestre on first version
2018-08-14Add a comment that explains what the check is doing and why len >= 1.Theo Buehler
Prompted by a remark by jsing
2018-08-14The UI_add_{input,verify}_string() functions want a length not includingTheo Buehler
the terminating NUL. EVP_read_pw_string_min() got this wrong, leading to a one-byte buffer overrun in all callers of EVP_read_pw_string(). Found by mestre running 'openssl passwd' with MALLOC_OPTIONS including C. Fix this by doing some basic sanity checking in EVP_read_pw_string_min(). Cap the len argument at BUFSIZ and ensure that min < len as well as 0 <= min and 1 <= len. The last two checks are important as these numbers may end up in reallocarray(). ok bcook (on previous version), jsing, mestre
2018-08-10Add glue to EVP_md5_sha1() so that it can be used with EVP_Sign* andJoel Sing
EVP_Verify*. ok tb@
2018-08-10Add missing include to X25519 synopsis.Joel Sing
2018-08-08typo: macro-generates wrappers -> macro-generated wrappersTheo Buehler
2018-08-05Remove unnecessary NULL check from get_cert_by_subject sinceBrent Cook
sk_BY_DIR_HASH_find already does it, removing ambiguity later in the function. ok tb@
2018-08-05Fix a memory leak in i2d_RSA_NET on failure of ASN1_STRING_set.Brent Cook
Found by Coverity. Feedback and ok tb@
2018-08-05In RSA_padding_add_PKCS1_OAEP, dbmask needs to be freed on failure.Brent Cook
ok tb@
2018-08-05Fix memory leak in i2b_PVK in error handling.Brent Cook
Simplify parameter checks since this is only called from one place. Found by Coverity, CID 183502. ok beck@
2018-07-29Document that X509_{NAME,REQ,REQ_INFO}_free() are all NULL safe.Theo Buehler
From Ross L. Richardson
2018-07-24add c++ symbol annotationsBrent Cook
from Cameron Palmer
2018-07-23Use BN_swap_ct() instead of BN_consttime_swap() inTheo Buehler
ec_GF2m_montgomery_point_multiply(). The new BN_swap_ct() API is an improved version of the public BN_consttime_swap() function: it allows error checking, doesn't assert(), and has fewer assumptions on the input. This diff eliminates the last use of BN_consttime_swap() in our tree. ok inoguchi, jsing
2018-07-23Use a size_t instead of an int for the byte count in BN_swap_ct().Theo Buehler
Since bignums use ints for the same purpose, this still uses an int internally after an overflow check. Suggested by and discussed with jsing. ok inoguchi, jsing
2018-07-23Clean up our disgusting implementations of BN_{,u}{add,sub}(), followingTheo Buehler
changes made in OpenSSL by Davide Galassi and others, so that one can actually follow what is going on. There is no performance impact from this change as the code still does essentially the same thing. There's a ton of work still to be done to make the BN code less terrible. ok jsing, kn
2018-07-23Implement RSASSA-PKCS1-v1_5 as specified in RFC 8017.Theo Buehler
Based on an OpenSSL commit by David Benjamin. Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library reported that more than 200 "expected to fail" signatures among Project Wycheproof's test vectors validated on LibreSSL. This patch makes them all fail. ok jsing commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836 Author: David Benjamin <davidben@google.com> Date: Sat Aug 20 13:35:17 2016 -0400 Implement RSASSA-PKCS1-v1_5 as specified. RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode the DigestInfo struct and then compare the result against the public key operation result. This implies that one and only one encoding is legal. OpenSSL instead parses with crypto/asn1, then checks that the encoding round-trips, and allows some variations for the parameter. Sufficient laxness in this area can allow signature forgeries, as described in https://www.imperialviolet.org/2014/09/26/pkcs1.html Although there aren't known attacks against OpenSSL's current scheme, this change makes OpenSSL implement the algorithm as specified. This avoids the uncertainty and, more importantly, helps grow a healthy ecosystem. Laxness beyond the spec, particularly in implementations which enjoy wide use, risks harm to the ecosystem for all. A signature producer which only tests against OpenSSL may not notice bugs and accidentally become widely deployed. Thus implementations have a responsibility to honor the specification as tightly as is practical. In some cases, the damage is permanent and the spec deviation and security risk becomes a tax all implementors must forever pay, but not here. Both BoringSSL and Go successfully implemented and deployed RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so this change should be compatible enough to pin down in future OpenSSL releases. See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00 As a bonus, by not having to deal with sign/verify differences, this version is also somewhat clearer. It also more consistently enforces digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath wasn't quite doing this right. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> GH: #1474
2018-07-16Document behavior change of EC_POINTs_mul() again.Theo Buehler
2018-07-16Recommit Billy Brumley's ECC constant time patch with a fix for sparc64Theo Buehler
from Nicola Tuveri (who spotted the omission of ecp_nist.c from the PR). discussed with jsing tested by jsg
2018-07-15recommit label indentation part of the backout; clearly unrelated to theTheo Buehler
breakage.