| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
Update RSA_padding_check_PKCS1_OAEP_mgf1() with code from OpenSSL 1.1.1d
(with some improvements/corrections to comments).
This brings in code to make the padding check constant time.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
the top of the error stack in constant time.
This will be used by upcoming RSA changes.
From OpenSSL 1.1.1d.
ok inoguchi@ tb@
|
| | |
|
| | |
|
| |
|
|
|
|
| |
conditionals, now that this code handles arbitrary message digests.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
| |
and skip 'protected' symbols when identifying which functions will be
subjects of lazy resolution
|
| |
|
|
| |
so that we can operate on libs from other archs
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(Note that the CMS code is currently disabled.)
Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)
tests from bluhm@
ok jsing
commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun Sep 1 00:16:28 2019 +0200
Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)
(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
|
| |
|
|
|
|
|
|
|
| |
The recent EC group cofactor change results in stricter validation,
which causes the EC_GROUP_set_generator() call to fail.
Issue reported and fix tested by rsadowski@
ok tb@
|
| |
|
|
|
|
|
|
| |
These are internal only for now and will be made public at a later date.
The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around
the *_mgf1() variant.
ok tb@ inoguchi@ (as part of a larger diff)
|
| |
|
|
|
|
| |
Based on OpenSSL 1.1.1.
ok tb@, inoguchi@ (on an earlier/larger diff)
|
| | |
|
| |
|
|
|
| |
Tested in snaps
ok kettenis@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
try to compute it using Hasse's bound. This works as long as the
cofactor is small enough.
Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license)
tests & ok inoguchi
input & ok jsing
commit 30c22fa8b1d840036b8e203585738df62a03cec8
Author: Billy Brumley <bbrumley@gmail.com>
Date: Thu Sep 5 21:25:37 2019 +0300
[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.
This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.
This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.
It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).
The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.
CVE-2019-1547
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9781)
|
| | |
|
| |
|
|
|
| |
2) say that the data comes from the random(4) subsystem, so that curious
people can go read up on how this works
|
| |
|
|
|
|
|
| |
it use sysarch().
From Josh Elsasser
ok kettenis@
|
| |
|
|
|
|
| |
fix issue reported by Mikolaj Kucharski.
ok martijn@ deraadt@
|
| |
|
|
|
|
| |
in our tree. Relevant is only bug fix #240. Most of the upstream
diff is automated source format change.
OK deraadt@
|
| |
|
|
| |
ok jmc
|
| | |
|
| |
|
|
|
|
|
| |
conversion suggested by deraadt, as well as renaming
from section 7 to section 5;
ok deraadt
|
| |
|
|
| |
Prompted by guenther@
|
| |
|
|
|
|
|
| |
(or XML_GetCurrentColumnNumber), and deny internal entities closing
the doctype; CVE-2019-15903
fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43
OK tb@
|
| |
|
|
| |
jsing@ provided it in evp.h rev. 1.77
|
| |
|
|
|
|
| |
with OpenSSL 1.1.1's version which contains a similar fix.
ok jsing
|
| |
|
|
|
|
|
|
| |
EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA.
This is used by the upcoming RSA CMS code.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
| |
now being installed).
|
| |
|
|
|
|
|
|
| |
This header includes OPENSSL_NO_CMS guards, so even if things find the
header it provides no useful content (and other code should technically
also be using OPENSSL_NO_CMS...).
ok deraadt@ inoguchi@
|
| |
|
|
|
| |
source: https://minnie.tuhs.org/cgi-bin/utree.pl?file=V4/man/man2/break.2
pointed out by Sevan Janiyan <venture37 at geeklan dot co dot uk>
|
| |
|
|
|
|
|
|
| |
This brings in EC code from OpenSSL 1.1.1b, with style(9) and whitespace
cleanups. All of this code is currently under OPENSSL_NO_CMS hence is a
no-op.
ok inoguchi@
|
| |
|
|
|
| |
a few cases that weren't altogether straightforward;
tweak and OK jmc@, OK sobrado@
|
| |
|
|
|
|
| |
This became possible because copies of the original v1 manuals
have shown up on the Internet some time ago.
Reminded by Sevan Janiyan <venture37 at geeklan dot co dot uk>.
|
| |
|
|
|
|
|
|
|
| |
These are needed for the upcoming EC CMS support (nothing else appears
to use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b.
With input from inoguchi@ and tb@.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
in revision 1.30.
ok deraadt@ tb@
|
| |
|
|
|
|
| |
Based on OpenSSL 1.1.1b.
ok inoguchi@ tb@
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
From OpenSSL 1.1.1b.
ok tb@ inoguchi@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For gettimeofday(2), always copy out an empty timezone struct. For
settimeofday(2), still copyin(9) the struct but ignore the contents.
In gettimeofday(2)'s case we have not changed the original BSD semantics:
the kernel only tracks UTC time without an offset for DST, so a zeroed
timezone struct is the correct thing to return to the caller.
Future work could move these out into libc as stubs for clock_gettime and
clock_settime(2). But, definitely a "later" thing, given that we are in
beta.
Update the manpage to de-emphasize the timezone parameters for these
syscalls.
Discussed with tedu@, deraadt@, millert@, kettenis@, yasuoka@, jca@, and
guenther@. Tested by job@. Ports input from jca@ and sthen@. Manpage
input from jca@.
ok jca@ deraadt@
|
| |
|
|
|
|
|
|
| |
terminate to read buffer. This fix the bug that does not run input
command entered by vi editor. This fix is come from NetBSD
lib/libedit/vi.c 1.46 and 1.47.
ok schwarze@ deraadt@
|
jsing
bcook
deraadt
guenther
tb
patrick
jmc
eric
bluhm
otto
schwarze
asou
cheloha