summaryrefslogtreecommitdiffstats
path: root/crypto
AgeCommit message (Collapse)Author
2015-01-08Prepare for 0.9.8zd releaseOpenSSL_0_9_8zdMatt Caswell
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08make updateMatt Caswell
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08Fix for CVE-2014-3570.Andy Polyakov
Reviewed-by: Emilia Kasper <emilia@openssl.org> (cherry picked from commit e793809ba50c1e90ab592fb640a856168e50f3de)
2015-01-06use correct function nameDr. Stephen Henson
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit cb62ab4b17818fe66d2fed0a7fe71969131c811b)
2015-01-05Fix various certificate fingerprint issues.Dr. Stephen Henson
By using non-DER or invalid encodings outside the signed portion of a certificate the fingerprint can be changed without breaking the signature. Although no details of the signed portion of the certificate can be changed this can cause problems with some applications: e.g. those using the certificate fingerprint for blacklists. 1. Reject signatures with non zero unused bits. If the BIT STRING containing the signature has non zero unused bits reject the signature. All current signature algorithms require zero unused bits. 2. Check certificate algorithm consistency. Check the AlgorithmIdentifier inside TBS matches the one in the certificate signature. NB: this will result in signature failure errors for some broken certificates. 3. Check DSA/ECDSA signatures use DER. Reencode DSA/ECDSA signatures and compare with the original received signature. Return an error if there is a mismatch. This will reject various cases including garbage after signature (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program for discovering this case) and use of BER or invalid ASN.1 INTEGERs (negative or with leading zeroes). CVE-2014-8275 Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit 208a6012be3077d83df4475f32dd1b1446f3a02e) Conflicts: crypto/dsa/dsa_vrf.c
2015-01-05Add ASN1_TYPE_cmp and X509_ALGOR_cmp.Dr. Stephen Henson
(these are needed for certificate fingerprint fixes) Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-01-05Return error when a bit string indicates an invalid amount of bits leftKurt Roeckx
Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 86edf13b1c97526c0cf63c37342aaa01f5442688)
2015-01-05Reject invalid constructed encodings.Dr. Stephen Henson
According to X6.90 null, object identifier, boolean, integer and enumerated types can only have primitive encodings: return an error if any of these are received with a constructed encoding. Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit f5e4b6b5b566320a8d774f9475540f7d0e6a704d) Conflicts: crypto/asn1/asn1_err.c
2014-12-17Revert "RT3425: constant-time evp_enc"Emilia Kasper
Causes more problems than it fixes: even though error codes are not part of the stable API, several users rely on the specific error code, and the change breaks them. Conversely, we don't have any concrete use-cases for constant-time behaviour here. This reverts commit 1bb01b1b5f27a7de33e7a67946b8c001b54e09e9. Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-11-11Fix warning about negative unsigned intergersKurt Roeckx
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-10-29md32_common.h: address compiler warning in HOST_c2l.Andy Polyakov
Reviewed-by: Stephen Henson <steve@openssl.org> (cherry picked from commit d45282fc7cd9b97ed1479f8b8af713337fce57f5)
2014-10-28Use only unsigned arithmetic in constant-time operationsSamuel Neves
Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-17Add constant_time_locl.h to HEADERS,Tim Hudson
so the Win32 compile picks it up correctly. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit e2e5326e5b068411999f62b4ba67835d64764ca5)
2014-10-17Include "constant_time_locl.h" rather than "../constant_time_locl.h".Richard Levitte
The different -I compiler parameters will take care of the rest... Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 8202802fadf7f70c656b92f3697da39c9c4271d7) Conflicts: crypto/evp/evp_enc.c
2014-10-17RT3547: Add missing static qualifierKurt Cancemi
Reviewed-by: Ben Laurie <ben@openssl.org> (cherry picked from commit 87d388c955c14a7c1371f9c7555fb429a406a3d3)
2014-10-16Don't try 1**0 test with FIPS.Dr. Stephen Henson
The 1**0 test will fail for FIPS capable builds because it uses the old BIGNUM code in the 1.2 FIPS module which can't be fixed. Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-15Prepare for 0.9.8zd-devMatt Caswell
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15Prepare for 0.9.8zc releaseOpenSSL_0_9_8zcMatt Caswell
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15Fix SSL_R naming inconsistency.Bodo Moeller
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15Support TLS_FALLBACK_SCSV.Bodo Moeller
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-09-29Add additional DigestInfo checks.Dr. Stephen Henson
Reencode DigestInto in DER and check against the original: this will reject any improperly encoded DigestInfo structures. Note: this is a precautionary measure, there is no known attack which can exploit this. Thanks to Brian Smith for reporting this issue. Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-25Add missing testsEmilia Kasper
Accidentally omitted from commit 455b65dfab0de51c9f67b3c909311770f2b3f801 Reviewed-by: Kurt Roeckx <kurt@openssl.org> (cherry picked from commit fdc35a9d3e8cf4cfd9330d5df9883f42cf5648ad)
2014-09-24RT3425: constant-time evp_encEmilia Kasper
Do the final padding check in EVP_DecryptFinal_ex in constant time to avoid a timing leak from padding failure. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit b55ff319f880adc874b8c95957adf2003117d42b) Conflicts: crypto/evp/Makefile crypto/evp/evp_enc.c
2014-09-24RT3067: simplify patchEmilia Kasper
(Original commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b) Use the new constant-time methods consistently in s3_srvr.c Reviewed-by: Kurt Roeckx <kurt@openssl.org> (cherry picked from commit 455b65dfab0de51c9f67b3c909311770f2b3f801) Conflicts: ssl/Makefile
2014-09-24RT3066: rewrite RSA padding checks to be slightly more constant time.Emilia Kasper
Also tweak s3_cbc.c to use new constant-time methods. Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1 This patch is based on the original RT submission by Adam Langley <agl@chromium.org>, as well as code from BoringSSL and OpenSSL. Reviewed-by: Kurt Roeckx <kurt@openssl.org> Conflicts: crypto/rsa/rsa_oaep.c
2014-09-04Ensure that x**0 mod 1 = 0.Adam Langley
(cherry picked from commit 2b0180c37fa6ffc48ee40caa831ca398b828e680) Reviewed-by: Ben Laurie <ben@openssl.org>
2014-09-03Followup on RT3334 fix: make sure that a directory that's the emptyRichard Levitte
string returns 0 with errno = ENOENT. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 360928b7d0f16dde70e26841bbf9e1af727e8b8f)
2014-09-03RT3334: Fix crypto/LPdir_win.cPhil Mesnier
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 6a14fe7576e7a14a46ba14df8be8fe478536b4fb)
2014-09-02Make the inline const-time functions static.Emilia Kasper
"inline" without static is not correct as the compiler may choose to ignore it and will then either emit an external definition, or expect one. Reviewed-by: Geoff Thorpe <geoff@openssl.org> (cherry picked from commit 86f50b36e63275a916b147f9d8764e3c0c060fdb)
2014-08-29Fixed double inclusion of string.hMatt Caswell
PR2693 Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 5d33b70ef5a4768fdfb77a73f9817c4570613039)
2014-08-28Constant-time utilitiesEmilia Kasper
Pull constant-time methods out to a separate header, add tests. Reviewed-by: Bodo Moeller <bodo@openssl.org> (cherry picked from commit 73729e4cf3961e36b5534d270c11ff7cd811aa43) Conflicts: ssl/Makefile test/Makefile
2014-08-19Add volatile qualifications to two blocks of inline asm to stop GCC fromAdam Langley
eliminating them as dead code. Both volatile and "memory" are used because of some concern that the compiler may still cache values across the asm block without it, and because this was such a painful debugging session that I wanted to ensure that it's never repeated. (cherry picked from commit 7753a3a68431aa81b82beea4c3f5374b41454679) Conflicts: crypto/bn/asm/x86_64-gcc.c Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit a90b1e32d2f697d1aa39b49038469e2ea40d5e7b)
2014-08-13Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) andBodo Moeller
group_order_tests (ectest.c). Also fix the EC_POINTs_mul documentation (ec.h). Reviewed-by: emilia@openssl.org Conflicts: crypto/ec/ectest.c Conflicts: crypto/ec/ec.h
2014-08-06Prepare for 0.9.8zc-devMatt Caswell
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06Prepare for 0.9.8zb releaseOpenSSL_0_9_8zbMatt Caswell
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06Fix OID handling:Emilia Kasper
- Upon parsing, reject OIDs with invalid base-128 encoding. - Always NUL-terminate the destination buffer in OBJ_obj2txt printing function. CVE-2014-3508 Reviewed-by: Dr. Stephen Henson <steve@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06fix warn_unused_result warningsDr. Stephen Henson
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-01Simplify and fix ec_GFp_simple_points_make_affineBodo Moeller
(which didn't always handle value 0 correctly). Reviewed-by: emilia@openssl.org Conflicts: CHANGES crypto/ec/ectest.c
2014-07-21"EC_POINT_invert" was checking "dbl" function pointer instead of "invert".Billy Brumley
PR#2569 Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit cba11f57ce161fd301a72194827327128191de7e)
2014-07-13Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.Matt Caswell
This is actually ok for this function, but initialised to zero anyway if PURIFY defined. This does have the impact of masking any *real* unitialised data reads in bn though. Patch based on approach suggested by Rich Salz. PR#3415 (cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
2014-07-13* crypto/ui/ui_lib.c: misplaced brace in switch statement.Richard Levitte
Detected by dcruette@qualitesys.com (cherry picked from commit 8b5dd340919e511137696792279f595a70ae2762)
2014-07-09Fix memory leak in BIO_free if there is no destroy function.Matt Caswell
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com> PR#3439 (cherry picked from commit 66816c53bea0ecddb9448da7ea9a51a334496127)
2014-07-07Prevent infinite loop loading config files.David Lloyd
PR#2985 (cherry picked from commit 9d23f422a32cb333a5e803199ae230706b1bf9f5)
2014-07-05Return smaller of ret and f.Alan Hryngle
PR#3418. (cherry picked from commit fdea4fff8fb058be928980600b24cf4c62ef3630)
2014-07-02ASN1 sanity check.Dr. Stephen Henson
Primitive encodings shouldn't use indefinite length constructed form. PR#2438 (partial). (cherry picked from commit 398e99fe5e06edb11f55a39ce0883d9aa633ffa9)
2014-06-28Fix typo in ideatest.cAndreas Westfeld
(cherry picked from commit d1d4382dcb3fdcad4758ef7e7dd7b61dbf5abbfe)
2014-06-27Handle IPv6 addresses in OCSP_parse_url.Tom Greenslade
PR#2783 (cherry picked from commit b36f35cda964544a15d53d3fdfec9b2bab8cacb1)
2014-06-27Memory leak and NULL dereference fixes.Dr. Stephen Henson
PR#3403 (cherry picked from commit d2aea038297e0c64ca66e6844cbb37377365885e) Conflicts: apps/crl2p7.c crypto/asn1/a_utctm.c crypto/asn1/ameth_lib.c crypto/asn1/bio_asn1.c
2014-06-27Remove ancient obsolete files under pkcs7.Dr. Stephen Henson
(cherry picked from commit 7be6b27aaf5ed77f13c93dc89a2c27a42082db3f)
2014-06-26Make sure BN_sqr can never return a negative value.Huzaifa Sidhpurwala
PR#3410 (cherry picked from commit e14e764c0d5d469da63d0819c6ffc0e1e9e7f0bb)
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-11 04:07:30 +0000