History log of /openssl/crypto/bn/bn_local.h (Results 1 – 19 of 19)
Revision Date Author Comments
# 2d285fa8 25-Apr-2024 Tomas Mraz

Make ossl_gen_deterministic_nonce_rfc6979() constant time

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)



# d7d1bdcb 11-Apr-2024 Tomas Mraz

Make BN_generate_dsa_nonce() constant time and non-biased

Co-authored-by: Paul Dale <ppzgs1@gmail.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)



# da1c088f 07-Sep-2023 Matt Caswell

Copyright year updates


Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes


# dcfeb617 16-Apr-2023 Alois Klink

bn_local: remove unused `PTR_SIZE_INT` definition

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)



# f06ef165 13-Feb-2023 Bernd Edlinger

Alternative fix for CVE-2022-4304

This is about a timing leak in the topmost limb
of the internal result of RSA_private_decrypt,
before the padding check.

There are in fact at least three bugs together that
caused the timing leak:

First and probably most important is the fact that
the blinding did not use the constant time code path
at all when the RSA object was used for a private
decrypt, due to the fact that the Montgomery context
rsa->_method_mod_n was not set up early enough in
rsa_ossl_private_decrypt, when BN_BLINDING_create_param
needed it, and that was persisted as blinding->m_ctx,
although the RSA object creates the Montgomery context
just a bit later.

Then the infamous bn_correct_top was used on the
secret value right after the blinding was removed.

And finally the function BN_bn2binpad did not use
the constant-time code path since the BN_FLG_CONSTTIME
was not set on the secret value.

In order to address the first problem, this patch
makes sure that the rsa->_method_mod_n is initialized
right before the blinding context.

And to fix the second problem, we add a new utility
function bn_correct_top_consttime, a const-time
variant of bn_correct_top.

Together with the fact that BN_bn2binpad is already
constant time if the flag BN_FLG_CONSTTIME is set,
this should eliminate the timing oracle completely.

In addition the no-asm variant may also have
branches that depend on secret values, because the last
invocation of bn_sub_words in bn_from_montgomery_word
had branches when the function is compiled by certain
gcc compiler versions, due to the clumsy coding style.

So additionally this patch streamlined the no-asm
C-code in order to avoid branches where possible and
improve the resulting code quality.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20281)
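
An added illustration of the second and third problems described in this commit message (toy code written for this log page, not OpenSSL's bn_correct_top_consttime or BN_bn2binpad): a little-endian limb array is normalised once with a loop that exits at the first non-zero limb, and once with a masked loop that always visits every limb, then serialised into a fixed-width big-endian buffer with the same amount of work per output byte. The names correct_top_vartime, correct_top_consttime, ct_is_zero_mask, bn2binpad_consttime, the demo_* helpers and the sample value are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy little-endian limb array in the spirit of a BIGNUM's d[] (hypothetical). */
typedef uint32_t limb_t;
#define LIMB_BYTES 4

/* Variable-time normalisation: the loop exits at the first non-zero limb, so
 * its running time reveals how many leading limbs of a secret value are zero. */
size_t correct_top_vartime(const limb_t *d, size_t top)
{
    while (top > 0 && d[top - 1] == 0)
        top--;
    return top;
}

/* Returns all-ones if w == 0 and all-zeros otherwise, without branching. */
static limb_t ct_is_zero_mask(limb_t w)
{
    limb_t nonzero = (w | ((limb_t)0 - w)) >> 31; /* 1 iff w != 0 */
    return nonzero - 1;                           /* 0xFFFFFFFF iff w == 0 */
}

/* Constant-time normalisation: every limb is visited and the count is
 * adjusted through masks, so the work done does not depend on the value. */
size_t correct_top_consttime(const limb_t *d, size_t top)
{
    limb_t still_leading_zero = (limb_t)-1; /* all-ones until a non-zero limb is seen */
    size_t i;
    for (i = top; i > 0; i--) {
        still_leading_zero &= ct_is_zero_mask(d[i - 1]);
        top -= (size_t)(still_leading_zero & 1);
    }
    return top;
}

/* Constant-time big-endian serialisation into a fixed-width buffer. Each
 * output byte costs the same regardless of how many limbs are non-zero;
 * the only branch is on dmax, the allocated (public) limb count. */
void bn2binpad_consttime(const limb_t *d, size_t dmax, uint8_t *out, size_t tolen)
{
    size_t j;
    for (j = 0; j < tolen; j++) {
        size_t k = tolen - 1 - j;                 /* offset from least significant byte */
        size_t limb = k / LIMB_BYTES;
        unsigned shift = (unsigned)(k % LIMB_BYTES) * 8;
        limb_t w = limb < dmax ? d[limb] : 0;     /* public-size check only */
        out[j] = (uint8_t)(w >> shift);
    }
}

/* Constructed sample: 0x0000BEEF12345678 stored in four limbs, i.e. two
 * leading zero limbs that normalisation must strip. */
static const limb_t sample[4] = { 0x12345678u, 0x0000BEEFu, 0u, 0u };

size_t demo_top_vartime(void)   { return correct_top_vartime(sample, 4); }
size_t demo_top_consttime(void) { return correct_top_consttime(sample, 4); }

/* Serialises the sample into 12 bytes and compares with the expected
 * zero-padded big-endian encoding; returns 1 on match, 0 otherwise. */
int demo_bn2binpad(void)
{
    static const uint8_t expected[12] = {
        0, 0, 0, 0, 0, 0, 0xBE, 0xEF, 0x12, 0x34, 0x56, 0x78
    };
    uint8_t out[12];
    bn2binpad_consttime(sample, 4, out, sizeof(out));
    return memcmp(out, expected, sizeof(out)) == 0;
}

int main(void)
{
    printf("vartime top = %zu, consttime top = %zu, padded encoding ok = %d\n",
           demo_top_vartime(), demo_top_consttime(), demo_bn2binpad());
    return 0;
}
```

Both normalisers return the same limb count; the difference is only in how many iterations each performs on a given input, which is exactly what a timing measurement observes. The serialiser likewise produces the same bytes as a length-dependent loop would, but reads and writes a fixed number of positions determined by tolen and dmax alone.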



# 4209ce68 13-Feb-2023 Bernd Edlinger

Revert "Fix Timing Oracle in RSA decryption"

This reverts commit b1892d21f8f0435deb0250f24a97915dc641c807.

Except for moving derive_kdk to a separate function.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20281)



# b1892d21 30-Nov-2022 Dmitry Belyavskiy

Fix Timing Oracle in RSA decryption

A timing-based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.

Patch written by Dmitry Belyavsky and Hubert Kario

CVE-2022-4304

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>



# 30667f5c 08-Nov-2022 Bernd Edlinger

Limit size of modulus for bn_mul_mont and BN_mod_exp_mont_consttime

Otherwise the alloca can cause an exception.

Issue reported by Jiayi Lin.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20005)



# fecb3aae 03-May-2022 Matt Caswell

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes


# 99d3349d 24-Nov-2021 Richard Levitte

BIGNUM: Add a comment on chunk order in struct bignum_st

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17139)


Revision tags: openssl-3.0.0-alpha17
# a935791d 19-May-2021 Rich Salz

Rework and make DEBUG macros consistent.

Remove unused -DCONF_DEBUG and -DBN_CTX_DEBUG.

Rename REF_PRINT to REF_DEBUG for consistency, and add a new
tracing category and use it for printing reference counts.

Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG

Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to
be set also.

Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.

Fixes #15357

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15353)



# 36ec749f 25-May-2021 Pauli

bn: rename bn_check_prime_int -> ossl_bn_check_primt

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15445)


Revision tags: openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14
# 3c2bdd7d 08-Apr-2021 Matt Caswell

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14801)


# 5de32f22 29-Mar-2021 Amitay Isaacs

Use numbers definition of int128_t and uint128_t

Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)



Revision tags: OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11, openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7, OpenSSL_1_1_1h, openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1
# 33388b44 23-Apr-2020 Matt Caswell

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)


Revision tags: OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e
# af6c6c21 01-Feb-2020 Wataru Ashihara

crypto/bn: fix debug build

Fixes:

gcc -I. -Iinclude -Iproviders/common/include -Iproviders/implementations/include -Icrypto/include -DSTATIC_LEGACY -DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror -DOPENSSL_BUILDING_OPENSSL -DOPENSSLDIR="\"/home/wsh/opt/openssl/ssl\"" -DENGINESDIR="\"/home/wsh/opt/openssl/lib/engines-3\"" -DMODULESDIR="\"/home/wsh/opt/openssl/lib/ossl-modules\"" -MMD -MF crypto/bn/libcrypto-lib-bn_conv.d.tmp -MT crypto/bn/libcrypto-lib-bn_conv.o -c -o crypto/bn/libcrypto-lib-bn_conv.o crypto/bn/bn_conv.c
In file included from crypto/bn/bn_conv.c:12:
crypto/bn/bn_conv.c: In function 'BN_hex2bn':
crypto/bn/bn_local.h:178:31: error: implicit declaration of function 'ossl_assert'; did you mean 'ossl_ssize_t'? [-Werror=implicit-function-declaration]
(void)ossl_assert((_top == 0 && !_bnum2->neg) || \
^~~~~~~~~~~
crypto/bn/bn_conv.c:188:5: note: in expansion of macro 'bn_check_top'
bn_check_top(ret);
^~~~~~~~~~~~

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10993)



Revision tags: OpenSSL_1_0_2u
# 42619397 06-Oct-2019 Kurt Roeckx

Add BN_check_prime()

Add a new API to test for primes that can't be misused, and deprecate the
old APIs.

Suggested by Jake Massimo and Kenneth Paterson

Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #9272



# ae4186b0 27-Sep-2019 Dr. Matthias St. Pierre

Fix header file include guard names

Make the include guards consistent by renaming them systematically according
to the naming conventions below

For the public header files (in the 'include/openssl' directory), the guard
names try to match the path specified in the include directives, with
all letters converted to upper case and '/' and '.' replaced by '_'. For the
private header files, an extra 'OSSL_' is added as prefix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)



# 706457b7 27-Sep-2019 Dr. Matthias St. Pierre

Reorganize local header files

Apart from public and internal header files, there is a third type called
local header files, which are located next to source files in the source
directory. Currently, they have different suffixes like

'*_lcl.h', '*_local.h', or '*_int.h'

This commit changes the different suffixes to '*_local.h' uniformly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
