path: root/crypto/rsa
Age  Author  Commit message (expanded)
2015-01-22  Tim Hudson
    mark all block comments that need format preserving so that indent will not alter them when reformatting comments
    (cherry picked from commit 1d97c8435171a7af575f73c526d79e1ef0ee5960)
    Conflicts: crypto/bn/bn_lcl.h crypto/bn/bn_prime.c crypto/engine/eng_all.c crypto/rc4/rc4_utl.c crypto/sha/sha.h ssl/kssl.c ssl/t1_lib.c
    Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29  Dr. Stephen Henson
    Add additional DigestInfo checks.
    Reencode DigestInfo in DER and check against the original: this will reject any improperly encoded DigestInfo structures. Note: this is a precautionary measure, there is no known attack which can exploit this.
    Thanks to Brian Smith for reporting this issue.
    Reviewed-by: Tim Hudson <tjh@openssl.org>
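An added example, not OpenSSL's code, of the encode-then-compare idea behind this commit, written for EMSA-PKCS1-v1_5 with SHA-256: the verifier rebuilds the whole expected block (padding plus the DER DigestInfo, using the well-known SHA-256 DigestInfo prefix from RFC 8017 section 9.2) and compares it byte for byte with the block recovered from the signature, instead of parsing whatever DigestInfo it finds there. For contrast it also contains a hypothetical lenient parser, constructed here and not taken from OpenSSL, that accepts BER long-form lengths. The RSA public operation itself is left out; the recovered blocks and the digest are constructed directly. The vector with a long-form SEQUENCE length is valid BER but not DER, and only the strict compare rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHA256_LEN 32

/* DER prefix of DigestInfo for SHA-256 (RFC 8017 section 9.2, note 1): SEQUENCE {
 * SEQUENCE { OID 2.16.840.1.101.3.4.2.1, NULL }, OCTET STRING (32 bytes follow) } */
static const uint8_t SHA256_DI_PREFIX[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
    0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};

/* Build the expected EMSA-PKCS1-v1_5 block 00 01 FF..FF 00 || DigestInfo(hash).
 * Returns 0, or -1 if em_len leaves fewer than 8 bytes of padding. */
int build_pkcs1_v15_em(uint8_t *em, size_t em_len, const uint8_t hash[SHA256_LEN])
{
    size_t t_len = sizeof SHA256_DI_PREFIX + SHA256_LEN, ps_len;
    if (em_len < t_len + 11) return -1;
    ps_len = em_len - t_len - 3;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xff, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, SHA256_DI_PREFIX, sizeof SHA256_DI_PREFIX);
    memcpy(em + 3 + ps_len + sizeof SHA256_DI_PREFIX, hash, SHA256_LEN);
    return 0;
}

/* Strict check: re-encode the expected block and require an exact match with the block
 * recovered by the RSA public operation (here passed in directly). 1 = valid, 0 = invalid. */
int verify_em_strict(const uint8_t *recovered, size_t len, const uint8_t hash[SHA256_LEN])
{
    uint8_t expected[512];
    if (len > sizeof expected || build_pkcs1_v15_em(expected, len, hash) != 0) return 0;
    return memcmp(recovered, expected, len) == 0;
}

/* Hypothetical lenient parser, constructed for contrast (not OpenSSL's code): it accepts
 * BER long-form lengths, skips the AlgorithmIdentifier without checking the OID, and
 * ignores anything after the hash. */
static int ber_len(const uint8_t *p, size_t avail, size_t *len, size_t *hdr)
{
    if (avail >= 1 && p[0] < 0x80) { *len = p[0]; *hdr = 1; return 1; }
    if (avail >= 2 && p[0] == 0x81) { *len = p[1]; *hdr = 2; return 1; }
    return 0;
}

int verify_em_lenient(const uint8_t *em, size_t len, const uint8_t hash[SHA256_LEN])
{
    size_t i = 2, l, h;
    if (len < 11 || em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < len && em[i] == 0xff) i++;                           /* skip PS */
    if (i < 10 || i >= len || em[i] != 0x00) return 0;              /* PS >= 8, then 00 */
    i++;
    if (i >= len || em[i] != 0x30 || !ber_len(em + i + 1, len - i - 1, &l, &h)) return 0;
    i += 1 + h;                                                     /* DigestInfo SEQUENCE */
    if (i >= len || em[i] != 0x30 || !ber_len(em + i + 1, len - i - 1, &l, &h)) return 0;
    i += 1 + h;                                                     /* AlgorithmIdentifier */
    if (l > len - i) return 0;
    i += l;
    if (i >= len || em[i] != 0x04 || !ber_len(em + i + 1, len - i - 1, &l, &h)) return 0;
    i += 1 + h;                                                     /* OCTET STRING */
    if (l != SHA256_LEN || len - i < SHA256_LEN) return 0;
    return memcmp(em + i, hash, SHA256_LEN) == 0;
}

/* Constructed vector: the DER block with the outer SEQUENCE length rewritten in BER long
 * form (0x81 0x31) and one byte less padding, so the block length is unchanged. */
int build_em_ber_longform(uint8_t *em, size_t em_len, const uint8_t hash[SHA256_LEN])
{
    uint8_t tmp[512];
    size_t seq;
    if (em_len == 0 || em_len > sizeof tmp || build_pkcs1_v15_em(tmp, em_len - 1, hash) != 0) return -1;
    seq = em_len - 1 - (sizeof SHA256_DI_PREFIX + SHA256_LEN);     /* offset of outer 0x30 */
    memcpy(em, tmp, seq + 1);
    em[seq + 1] = 0x81;
    memcpy(em + seq + 2, tmp + seq + 1, em_len - seq - 2);
    return 0;
}

/* Both checks over a constructed digest and a 128-byte (1024-bit) block. Result bits:
 * 1 strict accepts DER, 2 lenient accepts DER, 4 strict accepts BER, 8 lenient accepts BER.
 * Expected: 11, i.e. only the strict check rejects the non-DER encoding. */
int demo_digestinfo_checks(void)
{
    uint8_t hash[SHA256_LEN], der[128], ber[128];
    int r = 0;
    size_t i;
    for (i = 0; i < SHA256_LEN; i++) hash[i] = (uint8_t)(0xa0 + i); /* constructed, not a real digest */
    build_pkcs1_v15_em(der, sizeof der, hash);
    build_em_ber_longform(ber, sizeof ber, hash);
    r |= verify_em_strict(der, sizeof der, hash) ? 1 : 0;
    r |= verify_em_lenient(der, sizeof der, hash) ? 2 : 0;
    r |= verify_em_strict(ber, sizeof ber, hash) ? 4 : 0;
    r |= verify_em_lenient(ber, sizeof ber, hash) ? 8 : 0;
    return r;
}
```

The strict path needs no ASN.1 parser at all on the untrusted side: the only encoder is the one that produces the canonical block, so every non-canonical variant (long-form lengths, absent versus NULL parameters, trailing bytes) fails the same single comparison. Verification works on public data, so an ordinary memcmp is fine here.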
2014-09-25  Richard Levitte
    Include "constant_time_locl.h" rather than "../constant_time_locl.h".
    The different -I compiler parameters will take care of the rest...
    Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-24  Emilia Kasper
    RT3066: rewrite RSA padding checks to be slightly more constant time.
    Also tweak s3_cbc.c to use new constant-time methods. Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1. This patch is based on the original RT submission by Adam Langley <agl@chromium.org>, as well as code from BoringSSL and OpenSSL.
    Reviewed-by: Kurt Roeckx <kurt@openssl.org>
    Conflicts: crypto/rsa/rsa_oaep.c crypto/rsa/rsa_pk1.c ssl/s3_cbc.c
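An added example, not OpenSSL's code, of the kind of constant-time padding check this commit describes, for PKCS#1 v1.5 block type 2 (the RSA decryption side that Bleichenbacher-style padding oracles probe): the separator search touches every byte, the validity conditions are folded into a mask, and the message is moved into the output buffer by visiting every (input, output) byte pair rather than with a length-dependent memcpy. That last step goes further than the commit's own wording ("slightly more constant time"). The ct_* helper names are this example's own, modelled on the constant_time_locl.h style; the test block is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Branch-free mask helpers (names are this example's own, in the constant_time_locl.h
 * style). Each returns all-ones for true and 0 for false. */
static unsigned int ct_msb(unsigned int a) { return 0u - (a >> (sizeof(a) * 8 - 1)); }
static unsigned int ct_is_zero(unsigned int a) { return ct_msb(~a & (a - 1)); }
static unsigned int ct_eq(unsigned int a, unsigned int b) { return ct_is_zero(a ^ b); }
static unsigned int ct_lt(unsigned int a, unsigned int b) { return ct_msb(a ^ ((a ^ b) | ((a - b) ^ b))); }
static unsigned int ct_ge(unsigned int a, unsigned int b) { return ~ct_lt(a, b); }
static unsigned int ct_select(unsigned int mask, unsigned int a, unsigned int b) { return (mask & a) | (~mask & b); }

/* Constant-time PKCS#1 v1.5 type 2 unpadding. em: the num-byte block produced by the RSA
 * private operation (00 02 PS 00 M); to: output buffer of tlen bytes. Returns the message
 * length, or -1 if the padding is invalid or the message does not fit. Apart from the
 * check on the public block length, every byte is touched the same way on every input. */
int ct_pkcs1_type2_unpad(unsigned char *to, size_t tlen, const unsigned char *em, size_t num)
{
    unsigned int good, zero_index = 0, looking = ~0u, msg_start, mlen;
    size_t i, j;

    if (num < 11) return -1;                         /* public length, may branch */
    good = ct_is_zero(em[0]) & ct_eq(em[1], 2);
    for (i = 2; i < num; i++) {                      /* first 0x00 after the block type */
        unsigned int is0 = ct_is_zero(em[i]);
        zero_index = ct_select(looking & is0, (unsigned int)i, zero_index);
        looking = ct_select(is0, 0u, looking);
    }
    good &= ~looking;                                /* a separator must exist */
    good &= ct_ge(zero_index, 2 + 8);                /* PS is at least 8 bytes */
    msg_start = zero_index + 1;
    mlen = (unsigned int)num - msg_start;
    good &= ct_ge((unsigned int)tlen, mlen);         /* message must fit in to[] */

    /* Move M to the front of to[] by visiting every (i, j) pair; the masked OR means the
     * memory access pattern does not depend on where the separator was. The output is
     * zeroed when good == 0 so nothing from a bad block leaks out through the buffer. */
    for (j = 0; j < tlen; j++) {
        unsigned int v = 0;
        for (i = 2; i < num; i++)
            v |= ct_eq((unsigned int)i, msg_start + (unsigned int)j) & em[i];
        to[j] = (unsigned char)(v & good);
    }
    return (int)ct_select(good, mlen, (unsigned int)-1);
}

/* Constructed test block for a 1024-bit key: 00 02 || 120 x 0x41 || 00 || "hello".
 * Result bits: 1 valid block decodes, 2 wrong block type rejected, 4 short PS rejected,
 * 8 missing separator rejected, 16 undersized output rejected. Expected: 31. */
int demo_pkcs1_unpad(void)
{
    unsigned char em[128], out[16];
    int r = 0;
    memset(em, 0x41, sizeof em);
    em[0] = 0x00; em[1] = 0x02; em[122] = 0x00;
    memcpy(em + 123, "hello", 5);
    if (ct_pkcs1_type2_unpad(out, sizeof out, em, sizeof em) == 5 && memcmp(out, "hello", 5) == 0) r |= 1;
    em[1] = 0x01;                                    /* block type 1 instead of 2 */
    if (ct_pkcs1_type2_unpad(out, sizeof out, em, sizeof em) == -1) r |= 2;
    em[1] = 0x02; em[5] = 0x00;                      /* separator after only 3 bytes of PS */
    if (ct_pkcs1_type2_unpad(out, sizeof out, em, sizeof em) == -1) r |= 4;
    em[5] = 0x41; em[122] = 0x41;                    /* no separator anywhere */
    if (ct_pkcs1_type2_unpad(out, sizeof out, em, sizeof em) == -1) r |= 8;
    em[122] = 0x00;                                  /* valid block, 3-byte output buffer */
    if (ct_pkcs1_type2_unpad(out, 3, em, sizeof em) == -1) r |= 16;
    return r;
}
```

The return value still says whether the block was good, so the caller must not turn it into a timing-visible path either; for TLS RSA key exchange the standard mitigation (RFC 5246 section 7.4.7.1) is to continue with a random premaster secret on failure so the handshake reaches the Finished check in both cases. The O(num * tlen) copy is affordable at RSA block sizes and is the price of not indexing memory by the secret separator position.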
2014-09-08  Kurt Roeckx
    RT2626: Change default_bits from 1K to 2K
    This is a more comprehensive fix. It changes all keygen apps to use 2K keys. It also changes the default to use SHA256 not SHA1. This is from Kurt's upstream Debian changes.
    Reviewed-by: Rich Salz <rsalz@openssl.org>
    Reviewed-by: Kurt Roeckx <kurt@openssl.org>
    (cherry picked from commit 44e0c2bae4bfd87d770480902618dbccde84fd81)
2014-07-05  Alan Hryngle
    Return smaller of ret and f.
    PR#3418.
    (cherry picked from commit fdea4fff8fb058be928980600b24cf4c62ef3630)
2014-05-29  Martin Kaiser
    remove duplicate 0x for default RSASSA-PSS salt len
    (cherry picked from commit 3820fec3a09faecba7fe9912aa20ef7fcda8337b)
2014-03-19  Dr. Stephen Henson
    Workaround for some CMS signature formats.
    Some CMS SignedData structures use a signature algorithm OID such as SHA1WithRSA instead of the RSA algorithm OID. Work around this case by tolerating the signature if we recognise the OID.
    (cherry picked from commit 3a98f9cf20c6af604799ee079bec496b296bb5cc)
2013-12-01  Dr. Stephen Henson
    make update
2013-11-09  Dr. Stephen Henson
    Check for missing components in RSA_check.
    (cherry picked from commit 01be36ef70525e81fc358d2e559bdd0a0d9427a5)
2013-10-01  Dr. Stephen Henson
    Return correct enveloped data type in ASN1 methods.
    For RSA and DSA keys return an appropriate RecipientInfo type. By setting CMS_RECIPINFO_NONE for DSA keys an appropriate error is returned if an attempt is made to use DSA with enveloped data.
    (cherry picked from commit 41b920ef01abeb4c4b1c0f11e647370ae6533d02)
2013-10-01  Dr. Stephen Henson
    CMS RSA-OAEP and RSA-PSS support.
    Extend RSA ASN1 method to support CMS PSS signatures for both sign and verify. For signing the EVP_PKEY_CTX parameters are read and the appropriate CMS structures set up. For verification the CMS structures are analysed and the corresponding parameters in the EVP_PKEY_CTX set. Also add RSA-OAEP support. For encrypt the EVP_PKEY_CTX parameters are used. For decrypt the CMS structure is used to set the appropriate EVP_PKEY_CTX parameters.
    (cherry picked from commit 0574cadf857b19485465b9d71b7dec9549857a4d)
    Also sync error codes with OpenSSL 1.0.1 and add new ones.
2013-10-01  Dr. Stephen Henson
    Update to OAEP support.
    Add OAEP ctrls to retrieve MD and label. Return errors if an attempt is made to set or retrieve OAEP parameters when padding mode is not OAEP.
    (cherry picked from commit 211a14f6279f127f7a5a59948819bd939131b0b6)
2013-10-01  Dr. Stephen Henson
    Extended OAEP support.
    Extend OAEP support. Generalise the OAEP padding functions to support arbitrary digests. Extend EVP_PKEY RSA method to handle the new OAEP padding functions and add ctrls to set the additional parameters.
    (cherry picked from commit 271fef0ef39a1c0cb5233a5adf3ff8733abb375e)
    Conflicts: CHANGES
2013-10-01  Dr. Stephen Henson
    Add FIPS RSA error code.
    Add some RSA error codes used by the FIPS module.
2013-10-01  Dr. Stephen Henson
    Add control to retrieve signature MD.
    (cherry picked from commit 810639536cfa66df0c232fa4f15a7e5f00f31ce8)
2013-06-05  Dr. Stephen Henson
    Fix PSS signature printing.
    Fix PSS signature printing: consistently use 0x prefix for hex values for padding length and trailer fields.
    (cherry picked from commit deb24ad53147f5a8dd63416224a5edd7bbc0e74a)
2013-03-31  Dr. Stephen Henson
    Typo.
    (cherry picked from commit 0ded2a06891a4d5a207d8f29aa9a89a755158170)
2013-02-06  Ben Laurie
    Add and use a constant-time memcmp.
    This change adds CRYPTO_memcmp, which compares two vectors of bytes in an amount of time that's independent of their contents. It also changes several MAC compares in the code to use this over the standard memcmp, which may leak information about the size of a matching prefix.
    (cherry picked from commit 2ee798880a246d648ecddadc5b91367bee4a5d98)
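An added example, not the library's code, of a comparison written in the style the commit describes next to the early-exit comparison it replaces at MAC check sites. ct_memcmp, early_exit_cmp and tag_matches are this example's own names; the tags are constructed. The early-exit version reports how many byte comparisons it performed, which makes the prefix leak visible without timing anything: a forged tag that is wrong only in its last byte costs 32 iterations, one wrong in its first byte costs 1.

```c
#include <stddef.h>

/* Constant-time byte comparison in the style of CRYPTO_memcmp (added example, not the
 * library's code). The XOR of each byte pair is OR-ed into one accumulator and the loop
 * never exits early, so the running time depends only on n. Returns 0 if equal. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];
    return acc;
}

/* Early-exit comparison, constructed for contrast: it stops at the first mismatch, so the
 * number of iterations (reported through *iters) tells how long the matching prefix is.
 * That is the leak the commit refers to; in principle a remote attacker who can measure
 * response times can extend a forged tag one byte at a time. Returns 0 if equal. */
int early_exit_cmp(const unsigned char *a, const unsigned char *b, size_t n, size_t *iters)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (a[i] != b[i]) break;
    *iters = i < n ? i + 1 : n;
    return i != n;
}

/* Typical call site: check a received 32-byte tag against the locally computed one.
 * Returns 1 on match. The caller branches on this single bit only after the whole
 * comparison has run, so the branch reveals nothing about where the tags differ. */
int tag_matches(const unsigned char expected[32], const unsigned char received[32])
{
    return ct_memcmp(expected, received, 32) == 0;
}

/* Constructed demonstration: two forged tags, one wrong in byte 0 and one wrong only in
 * byte 31. Returns the difference in early-exit iteration counts (31 for 32-byte tags),
 * or -1 if the constant-time compare misjudges any of the three pairs. */
int demo_prefix_leak(void)
{
    unsigned char good[32], wrong_first[32], wrong_last[32];
    size_t it_first, it_last, i;
    for (i = 0; i < 32; i++)
        good[i] = wrong_first[i] = wrong_last[i] = (unsigned char)(i * 7 + 3);
    wrong_first[0] ^= 0x80;
    wrong_last[31] ^= 0x80;
    early_exit_cmp(good, wrong_first, 32, &it_first);   /* stops after 1 iteration */
    early_exit_cmp(good, wrong_last, 32, &it_last);     /* stops after 32 iterations */
    if (tag_matches(good, wrong_first) || tag_matches(good, wrong_last) || !tag_matches(good, good))
        return -1;
    return (int)(it_last - it_first);
}
```

Note that the constant-time version deliberately returns only equal/not-equal, not the sign that memcmp returns: ordering information is another way the position of the first difference can escape.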
2012-06-06  Ben Laurie
    Version skew reduction.
2012-06-03  Ben Laurie
    Reduce version skew: trivia (I hope).
2012-05-13  Dr. Stephen Henson
    Experimental multi-implementation support for FIPS capable OpenSSL.
    When in FIPS mode the approved implementations are used as normal, when not in FIPS mode the internal unapproved versions are used instead. This means that the FIPS capable OpenSSL isn't forced to use the (often lower performance) FIPS implementations outside FIPS mode.
2012-02-15  Dr. Stephen Henson
    Additional compatibility fix for MDC2 signature format.
    Update RSA EVP_PKEY_METHOD to use the OCTET STRING form of MDC2 signature: this will make all versions of MDC2 signature equivalent.
2012-02-15  Dr. Stephen Henson
    An incompatibility has always existed between the format used for RSA signatures and MDC2 using EVP or RSA_sign. This has become more apparent when the dgst utility in OpenSSL 1.0.0 and later switched to using the EVP_DigestSign functions which call RSA_sign. This means that the signature format OpenSSL 1.0.0 and later used with dgst -sign and MDC2 is incompatible with previous versions. Add detection in RSA_verify so either format works.
    Note: MDC2 is disabled by default in OpenSSL and very rarely used in practice.
2012-01-02  Dr. Stephen Henson
    incomplete provisional OAEP CMS decrypt support
2011-10-19  Bodo Möller
    "make update"
2011-10-19  Bodo Möller
    BN_BLINDING multi-threading fix.
    Submitted by: Emilia Kasper (Google)
2011-10-09  Dr. Stephen Henson
    Backport PSS signature support from HEAD.
2011-06-20  Dr. Stephen Henson
    Don't set default public key methods in FIPS mode so applications can switch between modes.
2011-06-09  Dr. Stephen Henson
    Use method rsa keygen first in FIPS mode if it is a FIPS method.
2011-06-06  Dr. Stephen Henson
    Function not used outside FIPS builds.
2011-06-03  Dr. Stephen Henson
    Backport libcrypto audit: check return values of EVP functions instead of assuming they will always succeed.
2011-06-03  Dr. Stephen Henson
    Redirect RSA keygen, sign, verify to FIPS module.
2011-06-02  Dr. Stephen Henson
    Redirection of low level APIs to FIPS module.
    Digest sign, verify operations are not redirected at this stage.
2011-06-02  Dr. Stephen Henson
    Backport extended PSS support from HEAD: allow setting of mgf1Hash explicitly.
    This is needed to handle FIPS redirection fully.
2011-03-23  Richard Levitte
    make update (1.0.1-stable)
    This meant a slight renumbering in util/libeay.num due to symbols appearing in 1.0.0-stable. However, since there's been no release on this branch yet, it should be harmless.
2011-01-25  Dr. Stephen Henson
    Move RSA encryption functions to new file crypto/rsa/rsa_crpt.c to separate crypto and ENGINE dependencies in RSA library.
2010-10-11  Dr. Stephen Henson
    PR: 2295
    Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
    Reviewed by: steve
    OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code elimination.
2010-06-01  Dr. Stephen Henson
    Fix CVE-2010-1633 and CVE-2010-0742.
2009-12-09  Dr. Stephen Henson
    PR: 2124
    Submitted by: Jan Pechanec <Jan.Pechanec@Sun.COM>
    Check for memory allocation failures.
2009-09-13  Dr. Stephen Henson
    Submitted by: Julia Lawall <julia@diku.dk>
    The functions ENGINE_ctrl(), OPENSSL_isservice(), EVP_PKEY_sign(), CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error; fix so the return code is checked correctly.
2009-08-05  Dr. Stephen Henson
    Update from HEAD.
2009-06-26  Dr. Stephen Henson
    Fix from 0.9.8-stable
2008-12-29  Ben Laurie
    If we're going to return errors (no matter how stupid), then we should test for them!
2008-12-29  Ben Laurie
    Make sure a bad parameter to RSA_verify_PKCS1_PSS() doesn't lead to a crash.
    (Coverity ID 135).
2008-11-12  Geoff Thorpe
    Revert the size_t modifications from HEAD that had led to more knock-on work than expected - they've been extracted into a patch series that can be completed elsewhere, or in a different branch, before merging back to HEAD.
2008-11-05  Dr. Stephen Henson
    Update obsolete email address...
2008-11-01  Ben Laurie
    More size_tification.
2008-09-14  Bodo Möller
    Really get rid of unsafe double-checked locking.
    Also, "CHANGES" clean-ups.
2008-08-06  Geoff Thorpe
    Remove the dual-callback scheme for numeric and pointer thread IDs, deprecate the original (numeric-only) scheme, and replace with the CRYPTO_THREADID object. This hides the platform-specifics and should reduce the possibility for programming errors (where failing to explicitly check both thread ID forms could create subtle, platform-specific bugs).
    Thanks to Bodo, for invaluable review and feedback.