#
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
|
#
07e4d7f4 |
| 29-Jul-2024 |
slontis |
Add RSA Signature restrictions for X9.31 padding in the FIPS provider. In FIPS 140-3, RSA Signing with X9.31 padding is not approved, but verification is allowed for legacy purposes. An
Add RSA Signature restrictions for X9.31 padding in the FIPS provider. In FIPS 140-3, RSA Signing with X9.31 padding is not approved, but verification is allowed for legacy purposes. An indicator has been added for RSA signing with X9.31 padding. A strict restriction on the size of the RSA modulus has been added i.e. It must be 1024 + 256 * s (which is part of the ANSI X9.31 spec). Added implementation comments to the X9.31 padding code Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24021)
show more ...
|
#
4514e02c |
| 08-Apr-2024 |
slontis |
Check range of RSA plaintext and ciphertext when using no padding. Fixes #24051 RSA with 'no padding' corresponds to RSAEP/RSADP. The code was not checking the lower bounds.
Check range of RSA plaintext and ciphertext when using no padding. Fixes #24051 RSA with 'no padding' corresponds to RSAEP/RSADP. The code was not checking the lower bounds. The bounds are specified in SP800-56Br2, section 7.1.1.1 and 7.1.2.1 Note that RFC8017 expresses the range in a sentence using the word between, and there is some ambiguity in this. The upper bounds have change to match the definition in SP800. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24061)
show more ...
|
#
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
|
#
eb4129e1 |
| 09-May-2023 |
Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> |
Fix typos found by codespell Typos in doc/man* will be fixed in a different commit. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (M
Fix typos found by codespell Typos in doc/man* will be fixed in a different commit. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20910)
show more ...
|
#
f53479f9 |
| 12-May-2023 |
Matt Caswell |
Optimise locking in rsa_get_blinding() We optimise locking in rsa_get_blinding() so that we normally take a read lock, and only fallback to a write lock if we need to. This will be v
Optimise locking in rsa_get_blinding() We optimise locking in rsa_get_blinding() so that we normally take a read lock, and only fallback to a write lock if we need to. This will be very slightly slower in the case of single use RSA objects, but should be significantly better when an RSA object is reused in a multi-threaded environment. It's probably worth the trade off. Partially fixes #20286 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20953)
show more ...
|
#
f06ef165 |
| 13-Feb-2023 |
Bernd Edlinger |
Alternative fix for CVE-2022-4304 This is about a timing leak in the topmost limb of the internal result of RSA_private_decrypt, before the padding check. There are in fact
Alternative fix for CVE-2022-4304 This is about a timing leak in the topmost limb of the internal result of RSA_private_decrypt, before the padding check. There are in fact at least three bugs together that caused the timing leak: First and probably most important is the fact that the blinding did not use the constant time code path at all when the RSA object was used for a private decrypt, due to the fact that the Montgomery context rsa->_method_mod_n was not set up early enough in rsa_ossl_private_decrypt, when BN_BLINDING_create_param needed it, and that was persisted as blinding->m_ctx, although the RSA object creates the Montgomery context just a bit later. Then the infamous bn_correct_top was used on the secret value right after the blinding was removed. And finally the function BN_bn2binpad did not use the constant-time code path since the BN_FLG_CONSTTIME was not set on the secret value. In order to address the first problem, this patch makes sure that the rsa->_method_mod_n is initialized right before the blinding context. And to fix the second problem, we add a new utility function bn_correct_top_consttime, a const-time variant of bn_correct_top. Together with the fact, that BN_bn2binpad is already constant time if the flag BN_FLG_CONSTTIME is set, this should eliminate the timing oracle completely. In addition the no-asm variant may also have branches that depend on secret values, because the last invocation of bn_sub_words in bn_from_montgomery_word had branches when the function is compiled by certain gcc compiler versions, due to the clumsy coding style. So additionally this patch stream-lined the no-asm C-code in order to avoid branches where possible and improve the resulting code quality. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20281)
show more ...
|
#
4209ce68 |
| 13-Feb-2023 |
Bernd Edlinger |
Revert "Fix Timing Oracle in RSA decryption" This reverts commit b1892d21f8f0435deb0250f24a97915dc641c807. Except for the moving derive_kdk to a separate function. Reviewed
Revert "Fix Timing Oracle in RSA decryption" This reverts commit b1892d21f8f0435deb0250f24a97915dc641c807. Except for the moving derive_kdk to a separate function. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20281)
show more ...
|
#
79040cf2 |
| 20-Jan-2023 |
Juergen Christ |
S390x: Support ME and CRT offloading S390x has to ability to offload modular exponentiation and CRT operations to Crypto Express Adapters. This possible performance optimization was not
S390x: Support ME and CRT offloading S390x has to ability to offload modular exponentiation and CRT operations to Crypto Express Adapters. This possible performance optimization was not yet used by OpenSSL. Add support for offloading and implement an optimized version of RSA and DH with it. The environment variable OPENSSL_s390xcap now recognizes the token "nocex" to prevent offloading. Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20113)
show more ...
|
#
b1892d21 |
| 30-Nov-2022 |
Dmitry Belyavskiy |
Fix Timing Oracle in RSA decryption A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network
Fix Timing Oracle in RSA decryption A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. Patch written by Dmitry Belyavsky and Hubert Kario CVE-2022-4304 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
show more ...
|
#
5ab3ec1b |
| 27-Oct-2022 |
Hubert Kario |
rsa: Add option to disable implicit rejection Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
rsa: Add option to disable implicit rejection Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13817)
show more ...
|
#
7fc67e0a |
| 15-Mar-2022 |
Hubert Kario |
rsa: add implicit rejection in PKCS#1 v1.5 The RSA decryption as implemented before required very careful handling of both the exit code returned by OpenSSL and the potentially returned
rsa: add implicit rejection in PKCS#1 v1.5 The RSA decryption as implemented before required very careful handling of both the exit code returned by OpenSSL and the potentially returned ciphertext. Looking at the recent security vulnerabilities (CVE-2020-25659 and CVE-2020-25657) it is unlikely that most users of OpenSSL do it correctly. Given that correct code requires side channel secure programming in application code, we can classify the existing RSA decryption methods as CWE-676, which in turn likely causes CWE-208 and CWE-385 in application code. To prevent that, we can use a technique called "implicit rejection". For that we generate a random message to be returned in case the padding check fails. We generate the message based on static secret data (the private exponent) and the provided ciphertext (so that the attacker cannot determine that the returned value is randomly generated instead of result of decryption and de-padding). We return it in case any part of padding check fails. The upshot of this approach is that then not only is the length of the returned message useless as the Bleichenbacher oracle, so are the actual bytes of the returned message. So application code doesn't have to perform any operations on the returned message in side-channel free way to remain secure against Bleichenbacher attacks. Note: this patch implements a specific algorithm, shared with Mozilla NSS, so that the attacker cannot use one library as an oracle against the other in heterogeneous environments. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13817)
show more ...
|
#
e077455e |
| 29-Sep-2022 |
Richard Levitte |
Stop raising ERR_R_MALLOC_FAILURE in most places Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from,
Stop raising ERR_R_MALLOC_FAILURE in most places Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() is used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`. There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system. Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
show more ...
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
aefbcde2 |
| 05-Feb-2022 |
Jiasheng Jiang |
rsa: add check after calling BN_BLINDING_lock As the potential failure of getting lock, we need to check the return value of the BN_BLINDING_lock() in order to avoid the dirty data.
rsa: add check after calling BN_BLINDING_lock As the potential failure of getting lock, we need to check the return value of the BN_BLINDING_lock() in order to avoid the dirty data. Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17642)
show more ...
|
#
79cabd7e |
| 31-May-2021 |
Pauli |
rsa: remove TODOs Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15539)
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11, openssl-3.0.0-alpha10 |
|
#
c781eb1c |
| 08-Dec-2020 |
Andrey Matyukov |
Dual 1024-bit exponentiation optimization for Intel IceLake CPU with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key operations. It uses 256-bit registers to avoid CPU
Dual 1024-bit exponentiation optimization for Intel IceLake CPU with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key operations. It uses 256-bit registers to avoid CPU frequency scaling issues. The performance speedup for RSA2k signature on ICL is ~2x. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13750)
show more ...
|
#
cd3f8c1b |
| 18-Feb-2021 |
Rich Salz |
Always check CRYPTO_LOCK_{read,write}_lock Some functions that lock things are void, so we just return early. Also make ossl_namemap_empty return 0 on error. Updated the docs, and
Always check CRYPTO_LOCK_{read,write}_lock Some functions that lock things are void, so we just return early. Also make ossl_namemap_empty return 0 on error. Updated the docs, and added some code to ossl_namemap_stored() to handle the failure, and updated the tests to allow for failure. Fixes: #14230 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14238)
show more ...
|
#
8020d79b |
| 11-Mar-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14512)
|
#
b0aae913 |
| 22-Feb-2021 |
Rich Salz |
Remove RSA SSLv23 padding mode Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14248)
|
Revision tags: OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8 |
|
#
9311d0c4 |
| 04-Nov-2020 |
Richard Levitte |
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call This includes error reporting for libcrypto sub-libraries in surprising places. This was done using ut
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call This includes error reporting for libcrypto sub-libraries in surprising places. This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13318)
show more ...
|
Revision tags: openssl-3.0.0-alpha7 |
|
#
23b2fc0b |
| 30-Sep-2020 |
Pauli |
rsa: add ossl_ prefix to internal rsa_ calls. The functions being: rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff, rsa_check_prime_factor, rsa_check_prime_fa
rsa: add ossl_ prefix to internal rsa_ calls. The functions being: rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff, rsa_check_prime_factor, rsa_check_prime_factor_range, rsa_check_private_exponent, rsa_check_public_exponent, rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata, rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30, rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names, rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid, rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx, rsa_padding_add_PKCS1_type_2_with_libctx, rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS, rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata, rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted, rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg, rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults, rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg, rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen, rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata, rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params, rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private, rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq, rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test, rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise, rsa_validate_private and rsa_validate_public. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13040)
show more ...
|
#
d8652be0 |
| 24-Sep-2020 |
Matt Caswell |
Run the withlibctx.pl script Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged fro
Run the withlibctx.pl script Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12970)
show more ...
|
Revision tags: OpenSSL_1_1_1h, openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g |
|
#
f844f9eb |
| 13-Apr-2020 |
Richard Levitte |
Rename FIPS_MODE to FIPS_MODULE This macro is used to determine if certain pieces of code should become part of the FIPS module or not. The old name was confusing. Fixes #11538
Rename FIPS_MODE to FIPS_MODULE This macro is used to determine if certain pieces of code should become part of the FIPS module or not. The old name was confusing. Fixes #11538 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11539)
show more ...
|
#
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
|