Age | Commit message (Collapse) | Author |
|
As per RFC 7292.
Fixes #6665
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6708)
(cherry picked from commit b709babbca0498cd2b05f543b09f57f4a670298e)
|
|
It was false positive, but one can as well view it as readability issue.
Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions
with signed dividend vs. 1 (one) with unsigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 83e034379fa3f6f0d308ec75fbcb137e26154aec)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5254)
(cherry picked from commit 582ad5d4d9b7703eb089016935133e3a18ea8205)
|
|
"Computationally constant-time" means that it might still leak
information about input's length, but only in cases when input
is missing complete BN_ULONG limbs. But even then leak is possible
only if attacker can observe memory access pattern with limb
granularity.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5254)
(cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a)
|
|
Change the description for BN_hex2bn() so that it uses the same BIGNUM argument name as its prototype.
CLA: trivial
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6712)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)
(cherry picked from commit 6c90182a5f87af1a1e462536e7123ad2afb84c43)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)
(cherry picked from commit 3c97e4121ecec20cfac433883cd4709580a05620)
|
|
Trouble is that addition is postponing expansion till carry is
calculated, and if addition carries, top word can be zero, which
triggers assertion in bn_check_top.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6662)
(cherry picked from commit e42395e637c3507b80b25c7ed63236898822d2f1)
|
|
We need to check that __GNUC__ is defined before trying to use it.
This demands a slightly different way to define DECLARE_DEPRECATED.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6688)
|
|
To avoid the possibility that someone creates rem.exe, rem.bat or
rem.cmd, simply don't use it. In the cases it was used, it was to
avoid empty lines, but it turns out that nmake handles those fine, so
no harm done.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6686)
(cherry picked from commit 1b6a0a261e22eb5a574bdb75da208817ffa2fbba)
|
|
It seems that nmake first tries to run executables on its own, and
only pass commands to cmd if that fails. That means it's possible to
have nmake run something like 'echo.exe' when the builtin 'echo'
command was expected, which might give us unexpected results.
To get around this, we create our own echoing script and call it
explicitly from the nmake makefile.
Fixes #6670
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6686)
(cherry picked from commit 9abce88b4b0055d6238a838aa00360152e185f02)
|
|
The reason is that we override Text::Template::append_text_to_output(),
and it didn't exist before Text::Template 1.46.
Fixes #6641
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)
(cherry picked from commit 4e351ca92e3a1f447cef3d2e330f13941f9412c6)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)
(cherry picked from commit f7dce50f21c13520d36f51bed83d19d3eb0bf698)
|
|
This enables us to require module versions, and to fall back to a
bundled version if the system version is too low.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6682)
(cherry picked from commit e9bc5706744213a1a6748dbbcd1b43a6ad4ca09e)
|
|
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6663)
|
|
Fixes #6644
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6645)
(cherry picked from commit a9cf71a3716f8f624b711faa0d5ea391bb26d9f6)
|
|
We should validate that the various fields we put into the
CertificateRequest are not too long. Otherwise we will construct an
invalid message.
Fixes #6609
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6628)
|
|
Fixes #6574
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6594)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6614)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6615)
(cherry picked from commit ce5eb5e8149d8d03660575f4b8504c993851988a)
|
|
In ssl/t1_lib.c.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6613)
(cherry picked from commit 8eab767a718f44ccba9888eeb81a5328cff47bab)
|
|
Fixes uninitialized memory read reported by Nick Mathewson
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6603)
(cherry picked from commit 10c3c1c1ec41ce16e51b92bb18fab92d1a42b49c)
|
|
The 1.1.1 branch has a different location for documentation, this is
the obvious result of a cherry-pick from there.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6589)
|
|
This function is documented to be deprecated since OpenSSL 1.1.0. We
need to make it so in openssl/ssl.h as well.
Fixes #6565
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6588)
(cherry picked from commit 71419442a279a12c2e19a097b5c7e01c29d1fc9c)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6581)
(cherry picked from commit dc6c374bdb4872f6d5d727e73a2ed834e972842c)
|
|
The parameters where switched
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #6578
(cherry picked from commit eaf39a9fe6f55feb5251e235069e02f7f50d9a49)
|
|
We don't want an indentation step inside a 'extern "C" {' .. '}'
block. Apparently, cc-mode has a c-offsets-alist keyword to allow
exactly this.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6557)
(cherry picked from commit 8973112884e67feb46384b573db14e62ad18d4cb)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2e51557bc93f90ca2274230b042acb53cc3a268d)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6227)
(cherry picked from commit b8c32081e02b7008a90d878eccce46da256dfe86)
|
|
Also, modernize the code, so that it isn't trying to store a size_t
into an int, and then check the int's sign. :/
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)
(cherry picked from commit c8c250333cd254ab3f4d709ebc5ed86a7c065721)
|
|
In previous versions of OpenSSL, the documentation for PEM_read_*
said:
The callback B<must> return the number of characters in the
passphrase or 0 if an error occurred.
But since c82c3462267afdbbaa5, 0 is now treated as a non-error
return value. Applications that want to indicate an error need to
return -1 instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)
(cherry picked from commit bbbf752a3c8b5a966bcb48fc71a3dc03832e7b27)
|
|
(cherry picked from commit 01fd5df77d401c87f926552ec24c0a09e5735006)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)
|
|
Triggered by Coverity analysis.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7d859d1c8868b81c5d810021af0b40f355af4e1f)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6549)
|
|
This extends the recently added ECDSA signature blinding to blind DSA too.
This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.
Normally, as in ECDSA, during signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6523)
|
|
Fixes #6544
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6546)
(cherry picked from commit 63871d9f810fec1e8a441d82c9ac79c58b19e2ad)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit 575045f59fc393abc9d49604d82ccd17c82925fa)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit 27635a4ecb1bc4852ccf456a9374a68931dc330f)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit b55e21b357902959ae8ec0255952402f5ccaa515)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6499)
(cherry picked from commit 9e97f61dec312084abe03226e5c962d818c9fc2b)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 693be9a2cb0fc79fe856259feea54772c18a3637)
(Merged from https://github.com/openssl/openssl/pull/5750)
|
|
Prevent a possible recursion in ERR_get_state and fix the problem that
was pointed out in commit aef84bb4efbddfd95d042f3f5f1d362ed7d4faeb
differently.
Fixes: #6493
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6494)
|
|
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6460)
(cherry picked from commit 8fe4c0b001f85c5a918c6a6d4687813ea3d2945f)
|
|
CVE-2018-0732
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6457)
|
|
Fixes #6449
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6450)
|
|
This module is used only with odd input lengths, i.e. not used in normal
PKI cases, on contemporary processors. The problem was "illuminated" by
fuzzing tests.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6440)
(cherry picked from commit f55ef97b5c0f8559f393b72ebd4b2de32ad6d231)
|
|
Upon a call to CRYPTO_ocb128_setiv, either directly on an OCB_CTX or
indirectly with EVP_CTRL_AEAD_SET_IVLEN, reset the nonce-dependent
variables in the OCB_CTX.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6420)
(cherry picked from commit bbb02a5b6d27f76931c3385321b2c594781c7a1b)
|
|
If the remove_session_cb accesses the session's data (for instance,
via SSL_SESSION_get_protocol_version), a potential use after free
can occur. For this, consider the following scenario when adding
a new session via SSL_CTX_add_session:
- The session cache is full
(SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx))
- Only the session cache has a reference to ctx->session_cache_tail
(that is, ctx->session_cache_tail->references == 1)
Since the cache is full, remove_session_lock is called to remove
ctx->session_cache_tail from the cache. That is, it
SSL_SESSION_free()s the session, which free()s the data. Afterwards,
the free()d session is passed to the remove_session_cb. If the callback
accesses the session's data, we have a use after free.
The free before calling the callback behavior was introduced in
commit e4612d02c53cccd24fa97b08fc01250d1238cca1 ("Remove sessions
from external cache, even if internal cache not used.").
CLA: trivial
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6222)
(cherry picked from commit c0a58e034d3eff68ca5e0d36d7b4d147425b0599)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6413)
(cherry picked from commit 630fe1da888490b7dfef3fe0928b813ddff5d51a)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6404)
(cherry picked from commit 886c2e614fc1e78e658122bf6f6bccdd7dd23857)
|