Age | Commit message (Collapse) | Author |
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
(which didn't always handle value 0 correctly).
Reviewed-by: emilia@openssl.org
Conflicts:
CHANGES
crypto/ec/ectest.c
|
|
PR#2569
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce161fd301a72194827327128191de7e)
|
|
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.
This does have the impact of masking any *real* unitialised data reads in bn though.
Patch based on approach suggested by Rich Salz.
PR#3415
(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
|
|
Detected by dcruette@qualitesys.com
(cherry picked from commit 8b5dd340919e511137696792279f595a70ae2762)
|
|
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>
PR#3439
(cherry picked from commit 66816c53bea0ecddb9448da7ea9a51a334496127)
|
|
PR#2985
(cherry picked from commit 9d23f422a32cb333a5e803199ae230706b1bf9f5)
|
|
PR#3418.
(cherry picked from commit fdea4fff8fb058be928980600b24cf4c62ef3630)
|
|
Primitive encodings shouldn't use indefinite length constructed
form.
PR#2438 (partial).
(cherry picked from commit 398e99fe5e06edb11f55a39ce0883d9aa633ffa9)
|
|
(cherry picked from commit d1d4382dcb3fdcad4758ef7e7dd7b61dbf5abbfe)
|
|
PR#2783
(cherry picked from commit b36f35cda964544a15d53d3fdfec9b2bab8cacb1)
|
|
PR#3403
(cherry picked from commit d2aea038297e0c64ca66e6844cbb37377365885e)
Conflicts:
apps/crl2p7.c
crypto/asn1/a_utctm.c
crypto/asn1/ameth_lib.c
crypto/asn1/bio_asn1.c
|
|
(cherry picked from commit 7be6b27aaf5ed77f13c93dc89a2c27a42082db3f)
|
|
PR#3410
(cherry picked from commit e14e764c0d5d469da63d0819c6ffc0e1e9e7f0bb)
|
|
PR#3394
(cherry picked from commit 7a9d59c148b773f59a41f8697eeecf369a0974c2)
|
|
The object file bn_lib.o is excluded from FIPS builds which causes
a linker error for BN_consttime_swap. So move definition from bn_lib.c
to bn_gf2m.c
This change is *only* needed for OpenSSL 0.9.8 which uses the 1.2
FIPS module.
|
|
|
|
|
|
(cherry picked from commit 3009244da47b989c4cc59ba02cf81a4e9d8f8431)
|
|
PR#3249
(cherry picked from commit 8909bf20269035d295743fca559207ef2eb84eb3)
|
|
PR#3278
(cherry picked from commit de56fe797081fc09ebd1add06d6e2df42a324fd5)
|
|
Use triple DES for certificate encryption if no-rc2 is
specified.
PR#3357
(cherry picked from commit 03b5b78c09fb10839a565f341cdc527c675e89ce)
|
|
If the key type does not match any CMS recipient type return
an error instead of using a random key (MMA mitigation). This
does not leak any useful information to an attacker.
PR#3348
(cherry picked from commit 83a3182e0560f76548f4378325393461f6275493)
|
|
This patch resolves RT ticket #2608.
Thanks to Robert Dugal for originally spotting this, and to David
Ramos for noticing that the ball had been dropped.
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
|
|
The lazy-initialisation of BN_MONT_CTX was serialising all threads, as
noted by Daniel Sands and co at Sandia. This was to handle the case that
2 or more threads race to lazy-init the same context, but stunted all
scalability in the case where 2 or more threads are doing unrelated
things! We favour the latter case by punishing the former. The init work
gets done by each thread that finds the context to be uninitialised, and
we then lock the "set" logic after that work is done - the winning
thread's work gets used, the losing threads throw away what they've done.
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
|
|
PR#3289
PR#3345
(cherry picked from commit 3ba1e406c2309adb427ced9815ebf05f5b58d155)
|
|
(cherry picked from commit 9c5d953a07f472452ae2cb578e39eddea2de2b9c)
|
|
A short PEM encoded sequence if passed to the BIO, and the file
had 2 \n following would fail.
PR#3289
(cherry picked from commit 10378fb5f4c67270b800e8f7c600cd0548874811)
|
|
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
Thanks for mancha for backporting the fix to OpenSSL 0.9.8 branch.
|
|
Fix OpenSSL 0.9.8 alert handling.
PR#3038
|
|
(cherry picked from commit 5a7652c3e585e970e5b778074c92e617e48fde38)
|
|
|
|
- EC_GROUP_cmp shouldn't consider curves equal just because
the curve name is the same. (They really *should* be the same
in this case, but there's an EC_GROUP_set_curve_name API,
which could be misused.)
- EC_POINT_cmp shouldn't return 0 for ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
or EC_R_INCOMPATIBLE_OBJECTS errors because in a cmp API, 0 indicates
equality (not an error).
Reported by: king cope
(cherry picked from commit ca567a03ad4595589b6062465a8404764da4e3fa)
Conflicts:
Configure
|
|
In DSA_print DSA parameters can be absent (e.g inherited) it is
not a fatal error.
|
|
PR: 3005, from master
|
|
If an ASN1_INTEGER structure is allocated but not explicitly set encode
it as zero: don't generate an invalid zero length INTEGER.
|
|
Note: it was decided that after 0.9.8y it should be 0.9.8za then
0.9.8zb etc.
|
|
|
|
(cherry picked from commit 134c00659a1bc67ad35a1e4620e16bc4315e6e37)
|
|
is in the fips module for fips capable builds.
|
|
|
|
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.
This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.
In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bccfc0bb9da254dc84e23bc6a1c78a64e)
Conflicts:
crypto/evp/c_allc.c
ssl/ssl_algs.c
ssl/ssl_locl.h
ssl/t1_enc.c
(cherry picked from commit 3622239826698a0e534dcf0473204c724bb9b4b4)
Conflicts:
ssl/d1_enc.c
ssl/s3_enc.c
ssl/s3_pkt.c
ssl/ssl3.h
ssl/ssl_algs.c
ssl/t1_enc.c
|
|
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee798880a246d648ecddadc5b91367bee4a5d98)
Conflicts:
crypto/crypto.h
ssl/t1_lib.c
(cherry picked from commit dc406b59f3169fe191e58906df08dce97edb727c)
Conflicts:
crypto/crypto.h
ssl/d1_pkt.c
ssl/s3_pkt.c
|
|
Add additional check to catch this in ASN1_item_verify too.
|
|
|
|
|
|
Submitted by: jean-etienne.schwartz@bull.net
In OCSP_basic_varify return an error if X509_STORE_CTX_init fails.
|
|
Submitted by: Adam Langley
|
|
Submitted by: Adam Langley
|
|
Have the new names start in column 48, that makes it easy to see when
the 31 character limit is reached (on a 80 column display, do the math)
|