7ed6de99 | 05-Sep-2024 | Tomas Mraz
Copyright year updates

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes

962431d5 | 13-Sep-2023 | Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
that open brace { should be on the previous line

Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)

2d285fa8 | 25-Apr-2024 | Tomas Mraz
Make ossl_gen_deterministic_nonce_rfc6979() constant time

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)

d7d1bdcb | 11-Apr-2024 | Tomas Mraz
Make BN_generate_dsa_nonce() constant time and non-biased

Co-authored-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)

da1c088f | 07-Sep-2023 | Matt Caswell
Copyright year updates

Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes

69b9a992 | 11-Aug-2023 | Matt Caswell
Don't call ossl_assert on the result of bn_wexpand

bn_wexpand can fail as the result of a memory allocation failure. We should not be calling ossl_assert() on its result because it can fail in normal operation.

Found via the reproducible error injection in #21668

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/21725)

060f370e | 09-May-2023 | Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
Fix a typo found by codespell in a variable name

The change is limited to a single C file.

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20912)

f06ef165 | 13-Feb-2023 | Bernd Edlinger
Alternative fix for CVE-2022-4304

This is about a timing leak in the topmost limb of the internal result of RSA_private_decrypt, before the padding check. There are in fact at least three bugs together that caused the timing leak:

First and probably most important is the fact that the blinding did not use the constant time code path at all when the RSA object was used for a private decrypt, due to the fact that the Montgomery context rsa->_method_mod_n was not set up early enough in rsa_ossl_private_decrypt, when BN_BLINDING_create_param needed it, and that was persisted as blinding->m_ctx, although the RSA object creates the Montgomery context just a bit later.

Then the infamous bn_correct_top was used on the secret value right after the blinding was removed.

And finally the function BN_bn2binpad did not use the constant-time code path since the BN_FLG_CONSTTIME was not set on the secret value.

In order to address the first problem, this patch makes sure that the rsa->_method_mod_n is initialized right before the blinding context. And to fix the second problem, we add a new utility function bn_correct_top_consttime, a const-time variant of bn_correct_top. Together with the fact that BN_bn2binpad is already constant time if the flag BN_FLG_CONSTTIME is set, this should eliminate the timing oracle completely.

In addition the no-asm variant may also have branches that depend on secret values, because the last invocation of bn_sub_words in bn_from_montgomery_word had branches when the function is compiled by certain gcc compiler versions, due to the clumsy coding style. So additionally this patch streamlined the no-asm C code in order to avoid branches where possible and improve the resulting code quality.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20281)

c9466f38 | 13-Jan-2023 | Richard Levitte
bn2bin(): Don't accept len < 0

Test included

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20033)

1b24b5a1 | 12-Jan-2023 | Richard Levitte
bin2bn(): When len==0, just return a zero BIGNUM

This allows calls with s==NULL and len==0 to be safe. It probably already was, but address sanitizers could still complain.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20033)

e077455e | 29-Sep-2022 | Richard Levitte
Stop raising ERR_R_MALLOC_FAILURE in most places

Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() are used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`.

There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system.

Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19301)

a644cb7c | 09-Jun-2022 | Billy Brumley
[crypto/bn] BN_consttime_swap: remove superfluous early exit

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18518)

fecb3aae | 03-May-2022 | Matt Caswell
Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

649999dc | 22-Jan-2022 | Kelvin Lee
bn_lib.c: Change Endianness check to a binary condition.

This prevents VS2022 from mis-identifying an uninitialized local pointer variable.

CLA: trivial

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17567)

07c5465e | 03-Feb-2022 | Dimitris Apostolou
Fix typos

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17634)

f5e8050f | 25-Nov-2021 | Richard Levitte
Add signed bn2bin and bin2bn functions

This adds the functions BN_signed_bin2bn(), BN_signed_bn2bin(), BN_signed_lebin2bn(), BN_signed_bn2lebin(), BN_signed_native2bn(), and BN_signed_bn2native(), all essentially doing the same job as BN_bin2bn(), BN_bn2binpad(), BN_lebin2bn(), BN_bn2lebinpad(), BN_native2bn(), and BN_bn2nativepad(), except that the 'signed' ones operate on signed number bins in 2's complement form.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17139)

c30de601 | 24-Nov-2021 | Richard Levitte
[refactor] BIGNUM: Modify bin2bn() to work from least to most significant chunk

This will make it easier to introduce the possibility for signed input numbers. We also refactor the inner loop to simplify the calculation of each bignum chunk.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17139)

4e26fe50 | 24-Nov-2021 | Richard Levitte
[refactor] BIGNUM: Modify bn2binpad()'s setup to be more like bin2bn()'s

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17139)

c2cab435 | 24-Nov-2021 | Richard Levitte
[refactor] BIGNUM: collapse BN_bin2bn() and BN_lebin2bn() into one

BN_lebin2bn() is a block copy of BN_bin2bn() with just a couple of very minute details changed. For better maintainability, we collapse them into the internal function bn2bin(), and change BN_bin2bn() and BN_lebin2bn() to become simple wrappers.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17139)

858d5ac1 | 08-Dec-2021 | Tomas Mraz
bn2binpad: Use memset as the buffer will be used later

Apparently using OPENSSL_cleanse() confuses the fuzzer so it makes the buffer appear uninitialized. And memset can be safely used here and it is also potentially faster.

Fixes #17237

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17240)

Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11, openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8

9311d0c4 | 04-Nov-2020 | Richard Levitte
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call

This includes error reporting for libcrypto sub-libraries in surprising places.

This was done using util/err-to-raise

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13318)

Revision tags: openssl-3.0.0-alpha7, OpenSSL_1_1_1h, openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g

7a09fab2 | 11-Apr-2020 | aSoujyuTanaka
Disable optimization of BN_num_bits_word() for VS2005 ARM compiler due to its miscompilation of the function.

https://mta.openssl.org/pipermail/openssl-users/2018-August/008465.html

Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)

310a0edb | 09-Jul-2020 | Richard Levitte
BN: Check endianness in run-time, in BN_native2bn() and BN_bn2nativepad()

The code relied on B_ENDIAN being defined on all big-endian platforms, which turned out to not always be the case.

Fixes #12387

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/12390)

33388b44 | 23-Apr-2020 | Matt Caswell
Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)

Revision tags: OpenSSL_1_1_1f, OpenSSL_1_1_1e

2d9167ed | 21-Jan-2020 | Nicola Tuveri
[BN] harden `BN_copy()` against leaks from memory accesses

`BN_copy()` (and indirectly `BN_dup()`) do not propagate the `BN_FLG_CONSTTIME` flag: the propagation has been turned on and off a few times in the past years, because in some conditions it has shown unintended consequences in some code paths.

Without turning the propagation on once more, we can still improve `BN_copy()` by avoiding leaking `src->top` in case `src` is flagged with `BN_FLG_CONSTTIME`. In this case we can instead use `src->dmax` as the number of words allocated for `dst` and for the `memcpy` operation.

Barring compiler or runtime optimizations, if the caller provides `src` flagged as const time and preallocated to a public size, no leak should happen due to the copy operation.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)
