Age | Commit message (Collapse) | Author |
|
(there are no known attacks, this is just inexpensive prudence)
feedback and ok tb@ jsing@
|
|
the same curve. Some Wycheproof tests violate this assumption, making
ECDH_compute_key() compute and return garbage. Check that pub_key lies
on the curve of the private key so that the calculations make sense.
Most paths that get here have this checked (in particular those from
OpenSSH and libssl), but one might get here after using d2i_* or manual
computation.
discussed with & ok jsing;
"good catch!" markus
|
|
|
|
|
|
|
|
need <openssl/x509.h>. The functions {d2i,i2d}_DSA_params_{bio,fp}(3)
were missing from the manual, so document them. The return values
of the i2d_* functions are left undocumented, as these still need to
be audited.
ok schwarze (lots of input and help as usual)
|
|
|
|
|
|
tested in a bulk by sthen
ok jsing
|
|
Requires adding a const to the priv_decode() member of
EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode()
functions. All this is already documented this way.
tested in a bulk build by sthen
ok jsing
|
|
we can add const to PKCS8_pkey_get0(). In order for this to work,
we need to sprinkle a few consts here and there.
tested in a bulk by sthen
ok jsing
|
|
Provide PKCS8_pkey_add1_attr_by_NID() and PKCS8_pkey_get0_attrs().
Remove the whole broken code and simplify pkcs8_priv_key_info_st
accordingly. Based on OpenSSL commit
54dbf42398e23349b59f258a3dd60387bbc5ba13 plus some const that was
added later.
tested in a bulk build by sthen
ok jsing
|
|
ok jsing
|
|
tested in a bulk by sthen
ok jsing
|
|
tested in a bulk by sthen
ok jsing
|
|
those that OpenSSL has had for ages.
ok jsing
|
|
tested in a bulk by sthen
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
checking. Matches our documented behavior.
Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387
tested in a bulk by sthen
ok jsing
|
|
tested in a bulk by sthen
ok jsing
|
|
ok jsing
|
|
tested in a bulk by sthen
ok jsing
|
|
failure accordingly.
ok jsing
|
|
failure accordingly.
ok jsing
|
|
ok jsing
|
|
Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387
tested in a bulk by sthen
ok jsing
|
|
ok jsing
|
|
These functions are no-ops. Their signature was changed by OpenSSL
to allow error checking. This way we return an error and do not
indicate the (non-)existence of memory leaks.
tested in a bulk by sthen
ok jsing
|
|
CID #118791
ok jsing mestre
|
|
|
|
CID #183499.
input & ok jsing, ok mestre on first version
|
|
Prompted by a remark by jsing
|
|
the terminating NUL. EVP_read_pw_string_min() got this wrong, leading to
a one-byte buffer overrun in all callers of EVP_read_pw_string().
Found by mestre running 'openssl passwd' with MALLOC_OPTIONS including C.
Fix this by doing some basic sanity checking in EVP_read_pw_string_min().
Cap the len argument at BUFSIZ and ensure that min < len as well as
0 <= min and 1 <= len. The last two checks are important as these
numbers may end up in reallocarray().
ok bcook (on previous version), jsing, mestre
|
|
EVP_Verify*.
ok tb@
|
|
|
|
|
|
sk_BY_DIR_HASH_find already does it, removing ambiguity later in the function.
ok tb@
|
|
Found by Coverity.
Feedback and ok tb@
|
|
ok tb@
|
|
Simplify parameter checks since this is only called from one place.
Found by Coverity, CID 183502.
ok beck@
|
|
From Ross L. Richardson
|
|
from Cameron Palmer
|
|
ec_GF2m_montgomery_point_multiply(). The new BN_swap_ct() API is an
improved version of the public BN_consttime_swap() function: it allows
error checking, doesn't assert(), and has fewer assumptions on the input.
This diff eliminates the last use of BN_consttime_swap() in our tree.
ok inoguchi, jsing
|
|
Since bignums use ints for the same purpose, this still uses an int
internally after an overflow check.
Suggested by and discussed with jsing.
ok inoguchi, jsing
|
|
changes made in OpenSSL by Davide Galassi and others, so that one can
actually follow what is going on. There is no performance impact from
this change as the code still does essentially the same thing. There's
a ton of work still to be done to make the BN code less terrible.
ok jsing, kn
|
|
Based on an OpenSSL commit by David Benjamin.
Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library
reported that more than 200 "expected to fail" signatures among Project
Wycheproof's test vectors validated on LibreSSL. This patch makes them
all fail.
ok jsing
commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836
Author: David Benjamin <davidben@google.com>
Date: Sat Aug 20 13:35:17 2016 -0400
Implement RSASSA-PKCS1-v1_5 as specified.
RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode
the DigestInfo struct and then compare the result against the public key
operation result. This implies that one and only one encoding is legal.
OpenSSL instead parses with crypto/asn1, then checks that the encoding
round-trips, and allows some variations for the parameter. Sufficient
laxness in this area can allow signature forgeries, as described in
https://www.imperialviolet.org/2014/09/26/pkcs1.html
Although there aren't known attacks against OpenSSL's current scheme,
this change makes OpenSSL implement the algorithm as specified. This
avoids the uncertainty and, more importantly, helps grow a healthy
ecosystem. Laxness beyond the spec, particularly in implementations
which enjoy wide use, risks harm to the ecosystem for all. A signature
producer which only tests against OpenSSL may not notice bugs and
accidentally become widely deployed. Thus implementations have a
responsibility to honor the specification as tightly as is practical.
In some cases, the damage is permanent and the spec deviation and
security risk becomes a tax all implementors must forever pay, but not
here. Both BoringSSL and Go successfully implemented and deployed
RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
this change should be compatible enough to pin down in future OpenSSL
releases.
See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
As a bonus, by not having to deal with sign/verify differences, this
version is also somewhat clearer. It also more consistently enforces
digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath
wasn't quite doing this right.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1474
|
|
|
|
from Nicola Tuveri (who spotted the omission of ecp_nist.c from the PR).
discussed with jsing
tested by jsg
|
|
breakage.
|