| Age | Commit message (Collapse) | Author |
|---|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7670)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7599)
(cherry picked from commit dd41956d80686638d74fd203bd67060f90966280)
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7549)
(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
|
|
Commit 56fb454 backported the DSA reallocation fix to 1.1.0, however a
code block that has multiple statements in 1.1.1+ only has a `goto` in
1.1.0 so introduces a brace that causes a compile failure.
CLA:trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7516)
|
|
Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)
(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
|
|
Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized. Increasing the size of the BNs
prior to doing anything with them suppresses the attack.
Thanks due to Samuel Weiser for finding and locating this.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)
(cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6)
|
|
There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm. This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.
Thanks to Samuel Weiser for finding and reporting this.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)
(cherry picked from commit 415c33563528667868c3c653a612e6fc8736fd79)
|
|
Previously, the RNG sets `initialized=1` after the first call to
RAND_poll(), although its criterion for being initialized actually
is whether condition `entropy >= ENTROPY_NEEDED` is true.
This commit now assigns `initialized=(entropy >= ENTROPY_NEEDED)`,
which has the effect that on the next call, RAND_poll() will be
called again, if it previously failed to obtain enough entropy.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7438)
|
|
{make|swap|get|set}context are removed in POSIX.1-2008, but glibc
apparently keeps providing it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7420)
(cherry picked from commit 9d71a24ebf57e7157888af1ca587eafe914bf96f)
|
|
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf). Therefore, never count the EE
cert, and adjust the path length comparison accordinly. This may
be more clear to the reader.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6)
|
|
At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:
This specification covers two classes of certificates: CA
certificates and end entity certificates. CA certificates may be
further divided into three classes: cross-certificates, self-issued
certificates, and self-signed certificates. Cross-certificates are
CA certificates in which the issuer and subject are different
entities. Cross-certificates describe a trust relationship between
the two CAs. Self-issued certificates are CA certificates in which
the issuer and subject are the same entity. Self-issued certificates
are generated to support changes in policy or operations. Self-
signed certificates are self-issued certificates where the digital
signature may be verified by the public key bound into the
certificate. Self-signed certificates are used to convey a public
key for use to begin certification paths. End entity certificates
are issued to subjects that are not authorized to issue certificates.
that the term "self-issued" is only applicable to CAs, not end-entity
certificates. In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:
The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit (Section 4.2.1.3). In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path. (Note: The
last certificate in the certification path is not an intermediate
certificate, and is not included in this limit. Usually, the last
certificate is an end entity certificate, but it can be a CA
certificate.)
This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates. A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count. The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7123)
(cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849)
|
|
BIO_s_log() is declared for everyone, so should return NULL when not
actually implemented. Also, it had explicit platform limitations in
util/mkdef.pl that didn't correspond to what was actually in code.
While at it, a few other hard coded things that have lost their
relevance were removed.
include/openssl/ocsp.h had a few duplicate declarations.
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7331)
(cherry picked from commit 7e09c5eaa57295f87453286ffe25277c2f2bc73f)
|
|
This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.
This commit is derived from the patch
https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.
Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.
For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.
For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6526)
|
|
This is a backport of #7028 to 1.1.0.
It squashes the two original commits and applies changes for
compatibility with 1.1.0.
1. cherry picked from commit 30c41bfb158c0f595809d0eaf032926a3c2cf236
[test] ECC: make sure negative tests pass for the right reasons
2. cherry picked from commit bfb10b975818d1887d676d309fcc21a765611f6d
[test] throw error from wrapper function instead of an EC_METHOD specific one
Given that in 1.1.0 `EC_POINT_get_affine_coordinates_GFp` and
`EC_POINT_get_affine_coordinates_GF2m` have not been unified, in this
backport the tests distinguish between the 2 different functions as the
cause of the expected error.
[extended tests] to trigger sanitizer checks and coverage analysis.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7152)
|
|
Change all calls to getenv() inside libcrypto to use a new wrapper function
that use secure_getenv() if available and an issetugid then getenv if not.
CPU processor override flags are unchanged.
Extra checks for OPENSSL_issetugid() have been removed in favour of the
safe getenv.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7047)
(cherry picked from commit 5c39a55d04ea6e6f734b627a050b9e702788d50d)
|
|
This module includes bn.h via other headers, so it picks up the
definition from there and doesn't need to define them locally (any
more?). Worst case scenario, the redefinition may be different and
cause all sorts of compile errors.
Fixes #7227
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7287)
(cherry picked from commit dda5396aaec315bdbcb080e42fb5cd0191f2ad72)
|
|
These both indicate that the file descriptor we're trying to use as a
terminal isn't, in fact, a terminal.
Fixes #7271
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7272)
(cherry picked from commit 276bf8620ce35a613c856f2b70348f65ffe94067)
|
|
The latter causes problems when complex.h is #included.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7233)
(cherry picked from commit 972f67889b5a10c33dbc3d500cfa65b544e68b46)
|
|
- fix to use secure URL in generated Windows resources
- fix a potentially uninitialized variable
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7189)
|
|
Found by Coverity
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7169)
(cherry picked from commit 512d811719fc955f574090af4c3586a9aba46fa7)
|
|
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7090)
(cherry picked from commit 82eba370daeb6d80b01b521d9e2963451487f0cb)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)
|
|
`RSA_free()` and friends are called in case of error from
`RSA_new_method(ENGINE *e)` (or the respective equivalent functions).
For the rest of the description I'll talk about `RSA_*`, but the same
applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`.
If `RSA_new_method()` fails because the engine does not implement the
required method, when `RSA_free(RSA *r)` is called,
`r->meth == NULL` and a segfault happens while checking if
`r->meth->finish` is defined.
This commit fixes this issue by ensuring that `r->meth` is not NULL
before dereferencing it to check for `r->meth->finish`.
Fixes #7102 .
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)
|
|
Manual backport from master.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7116)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7101)
|
|
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7106)
(cherry picked from commit 64ed55ab033f1bfa795d46f0ecc61c313204b418)
|
|
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7109)
(cherry picked from commit f5cee414fa8e7e9a088d8d5ebe641f368df20801)
|
|
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7107)
(cherry picked from commit 0239283d99a37e8527199a62100fec867b9996cb)
|
|
fixes #7081
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7088)
(cherry picked from commit 6bcfcf16bf6aef4f9ec267d8b86ae1bffd8deab9)
|
|
This trivial patch removes a duplicated call to ASN1_INTEGER_set.
Fixes Issue #6977
Signed-off-by: Eric Brown <browne@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6984)
(cherry picked from commit 59701e6363531cddef5b2114c0127b8453deb1f3)
|
|
(cherry picked from commit 324b95605225410763fe63f7cff36eb46ca54ee9)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)
|
|
(cherry picked from commit e02c519cd32a55e6ad39a0cfbeeda775f9115f28)
Resolved conflicts:
crypto/bn/bn_blind.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)
|
|
In [most common] case of p and q being of same width, it's possible to
replace CRT modulo operations with Montgomery reductions. And those are
even fixed-length Montgomery reductions...
(cherry picked from commit 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59)
Resolved conflicts:
crypto/rsa/rsa_ossl.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)
|
|
Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top.
Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove
memset in bn_from_montgomery_word.
(cherry picked from commit fcc4ee09473cac511eca90faa003661c7786e4f9)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6940)
|
|
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7015)
|
|
This commit destroys the free list pointers which would otherwise be
present in the returned memory blocks. This in turn helps prevent
information leakage from the secure memory area.
Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory:
before the secure memory system is initialised or if it isn't implemented.
[manual merge of #7011]
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7026)
|
|
It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type,
which doesn't appear to hold true.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6976)
(cherry picked from commit 0b1319ba94c85af9e87308e0d573d1260a802f53)
|
|
Apparently after internal/numbers.h defines INTx_MIN/MAX
stdint gets included and it defines those differently:
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\INCLUDE\stdint.h(48):
warning C4005: 'INT8_MIN': macro redefinition
Avoid that by changing the sequence in which the include files
appear in crypto/bio/b_print.c.
[extended tests]
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6995)
|
|
gcc 4.6 (arguably erroneously) warns about our use of 'free' as
the name of a function parameter, when --strict-warnings is enabled:
crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free':
crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow]
cc1: all warnings being treated as errors
make[1]: *** [crypto/x509/x509_meth.o] Error 1
(gcc 4.8 is fine with this code, as are newer compilers.)
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6991)
(cherry picked from commit 50f3994b513ead4da94845bf38222bb71c440fb3)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6954)
|
|
Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6596)
(cherry picked from commit 2369111fd94ebc9b7d37e68f3ea9629f2fe5fa2e)
|
|
Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):
For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
allocated for a buffer and the encoded data written to it. In this
case B<*out> is not incremented and it points to the start of the
data just written.
i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.
Fixes #6914
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)
(cherry picked from commit cba024dc685d13dbcbd0577bed028ee6b295b56a)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6891)
(back-ported from commit f21b5b64cbbc279ef31389e6ae312690575187da)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6891)
(cherry picked from commit 0da7358b0757fa35f2c3a8f51fa036466ae50fd7)
|
|
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6880)
(cherry picked from commit 38eca7fed09a57c1b7a05d651af2c667b3e87719)
|
|
Manual backport of #2830 to 1.1.0
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6861)
|
|
CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6843)
|
|
This reverts commit 24233a0f3c491919ee3a38e2567271ccc041ee1d.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6843)
|
