Age | Commit message (Collapse) | Author |
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit e793809ba50c1e90ab592fb640a856168e50f3de)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit cb62ab4b17818fe66d2fed0a7fe71969131c811b)
|
|
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.
1. Reject signatures with non zero unused bits.
If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.
2. Check certificate algorithm consistency.
Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.
3. Check DSA/ECDSA signatures use DER.
Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.
This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).
CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 208a6012be3077d83df4475f32dd1b1446f3a02e)
Conflicts:
crypto/dsa/dsa_vrf.c
|
|
(these are needed for certificate fingerprint fixes)
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 86edf13b1c97526c0cf63c37342aaa01f5442688)
|
|
According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit f5e4b6b5b566320a8d774f9475540f7d0e6a704d)
Conflicts:
crypto/asn1/asn1_err.c
|
|
Causes more problems than it fixes: even though error codes
are not part of the stable API, several users rely on the
specific error code, and the change breaks them. Conversely,
we don't have any concrete use-cases for constant-time behaviour here.
This reverts commit 1bb01b1b5f27a7de33e7a67946b8c001b54e09e9.
Reviewed-by: Andy Polyakov <appro@openssl.org>
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d45282fc7cd9b97ed1479f8b8af713337fce57f5)
|
|
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
so the Win32 compile picks it up correctly.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e2e5326e5b068411999f62b4ba67835d64764ca5)
|
|
The different -I compiler parameters will take care of the rest...
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8202802fadf7f70c656b92f3697da39c9c4271d7)
Conflicts:
crypto/evp/evp_enc.c
|
|
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c955c14a7c1371f9c7555fb429a406a3d3)
|
|
The 1**0 test will fail for FIPS capable builds because it uses the
old BIGNUM code in the 1.2 FIPS module which can't be fixed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.
Note: this is a precautionary measure, there is no known attack
which can exploit this.
Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Accidentally omitted from commit 455b65dfab0de51c9f67b3c909311770f2b3f801
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit fdc35a9d3e8cf4cfd9330d5df9883f42cf5648ad)
|
|
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b55ff319f880adc874b8c95957adf2003117d42b)
Conflicts:
crypto/evp/Makefile
crypto/evp/evp_enc.c
|
|
(Original commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)
Use the new constant-time methods consistently in s3_srvr.c
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab0de51c9f67b3c909311770f2b3f801)
Conflicts:
ssl/Makefile
|
|
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1
This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Conflicts:
crypto/rsa/rsa_oaep.c
|
|
(cherry picked from commit 2b0180c37fa6ffc48ee40caa831ca398b828e680)
Reviewed-by: Ben Laurie <ben@openssl.org>
|
|
string returns 0 with errno = ENOENT.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 360928b7d0f16dde70e26841bbf9e1af727e8b8f)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6a14fe7576e7a14a46ba14df8be8fe478536b4fb)
|
|
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e63275a916b147f9d8764e3c0c060fdb)
|
|
PR2693
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5d33b70ef5a4768fdfb77a73f9817c4570613039)
|
|
Pull constant-time methods out to a separate header, add tests.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 73729e4cf3961e36b5534d270c11ff7cd811aa43)
Conflicts:
ssl/Makefile
test/Makefile
|
|
eliminating them as dead code.
Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.
(cherry picked from commit 7753a3a68431aa81b82beea4c3f5374b41454679)
Conflicts:
crypto/bn/asm/x86_64-gcc.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a90b1e32d2f697d1aa39b49038469e2ea40d5e7b)
|
|
group_order_tests (ectest.c). Also fix the EC_POINTs_mul documentation (ec.h).
Reviewed-by: emilia@openssl.org
Conflicts:
crypto/ec/ectest.c
Conflicts:
crypto/ec/ec.h
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.
CVE-2014-3508
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
(which didn't always handle value 0 correctly).
Reviewed-by: emilia@openssl.org
Conflicts:
CHANGES
crypto/ec/ectest.c
|
|
PR#2569
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce161fd301a72194827327128191de7e)
|
|
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.
This does have the impact of masking any *real* unitialised data reads in bn though.
Patch based on approach suggested by Rich Salz.
PR#3415
(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
|
|
Detected by dcruette@qualitesys.com
(cherry picked from commit 8b5dd340919e511137696792279f595a70ae2762)
|
|
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>
PR#3439
(cherry picked from commit 66816c53bea0ecddb9448da7ea9a51a334496127)
|
|
PR#2985
(cherry picked from commit 9d23f422a32cb333a5e803199ae230706b1bf9f5)
|
|
PR#3418.
(cherry picked from commit fdea4fff8fb058be928980600b24cf4c62ef3630)
|
|
Primitive encodings shouldn't use indefinite length constructed
form.
PR#2438 (partial).
(cherry picked from commit 398e99fe5e06edb11f55a39ce0883d9aa633ffa9)
|
|
(cherry picked from commit d1d4382dcb3fdcad4758ef7e7dd7b61dbf5abbfe)
|
|
PR#2783
(cherry picked from commit b36f35cda964544a15d53d3fdfec9b2bab8cacb1)
|
|
PR#3403
(cherry picked from commit d2aea038297e0c64ca66e6844cbb37377365885e)
Conflicts:
apps/crl2p7.c
crypto/asn1/a_utctm.c
crypto/asn1/ameth_lib.c
crypto/asn1/bio_asn1.c
|
|
(cherry picked from commit 7be6b27aaf5ed77f13c93dc89a2c27a42082db3f)
|
|
PR#3410
(cherry picked from commit e14e764c0d5d469da63d0819c6ffc0e1e9e7f0bb)
|