ada66e78 | 03-Feb-2020 |
Pauli |
Deprecate the low level Diffie-Hellman functions. Use of the low level DH functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11024) |
0ad05b19 | 16-Feb-2020 |
Pauli |
DH: add CHANGES entry listing the deprecated DH functions. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11024) |
2c64df66 | 03-Feb-2020 |
Pauli |
DH: fix header file indentation Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11024) |
c5f87134 | 12-Feb-2020 |
Pauli |
Deprecate the low level RSA functions. Use of the low level RSA functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11063) |
b9f733c2 | 12-Feb-2020 |
Pauli |
rsa: document deprecated RSA command line apps Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11063) |
4fd8a3e1 | 12-Feb-2020 |
Pauli |
rsa: document deprecated low level functions Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11063) |
f6358b44 | 12-Feb-2020 |
Pauli |
NEWS: DH, DSA, ECDH, ECDSA and RSA public key function deprecation note Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11063) |
f93107d8 | 12-Feb-2020 |
Pauli |
rsa.h: fix preprocessor indentation Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11063) |
1f2235ea | 19-Feb-2020 |
Dane (4cad@silvertoque) |
Remove unneeded switch statement to fix warning https://github.com/openssl/openssl/issues/10958 CLA: trivial Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11125) |
cc0663f6 | 14-Feb-2020 |
Simon Cornish <7t9jna402@sneakemail.com> |
Handle max_fragment_length overflow for DTLS. Allow for encryption overhead in early DTLS size check and send overflow if validated record is too long. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11096) |
ce82b892 | 09-Feb-2020 |
Nicola Tuveri |
[PROV][EC] Update documentation Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10631) |
2d9167ed | 21-Jan-2020 |
Nicola Tuveri |
[BN] harden `BN_copy()` against leaks from memory accesses

`BN_copy()` (and indirectly `BN_dup()`) do not propagate the `BN_FLG_CONSTTIME` flag: the propagation has been turned on and off a few times in the past years, because in some conditions it has shown unintended consequences in some code paths. Without turning the propagation on once more, we can still improve `BN_copy()` by avoiding leaking `src->top` in case `src` is flagged with `BN_FLG_CONSTTIME`. In this case we can instead use `src->dmax` as the number of words allocated for `dst` and for the `memcpy` operation. Barring compiler or runtime optimizations, if the caller provides `src` flagged as const time and preallocated to a public size, no leak should happen due to the copy operation.

Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10631) |
0401d766 | 21-Jan-2020 |
Nicola Tuveri |
[EC] harden EC_KEY against leaks from memory accesses

We should never leak the bit length of the secret scalar in the key, so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM` holding the secret scalar. This is important also because `BN_dup()` (and `BN_copy()`) do not propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and this brings an extra risk of inadvertently losing the flag, even when the caller specifically set it. The propagation has been turned on and off a few times in the past years because in some conditions it has shown unintended consequences in some code paths, so at the moment we can't fix this in the BN layer. In `EC_KEY_set_private_key()` we can work around the propagation by manually setting the flag after `BN_dup()` as we know for sure that inside the EC module the `BN_FLG_CONSTTIME` is always treated correctly and should not generate unintended consequences. Setting the `BN_FLG_CONSTTIME` flag alone is never enough, we also have to preallocate the `BIGNUM` internal buffer to a fixed public size big enough that operations performed during the processing never trigger a realloc which would leak the size of the scalar through memory accesses.

Fixed Length
------------

The order of the large prime subgroup of the curve is our choice for a fixed public size, as that is generally the upper bound for generating a private key in EC cryptosystems and should fit all valid secret scalars. For preallocating the `BIGNUM` storage we look at the number of "words" required for the internal representation of the order, and we preallocate 2 extra "words" in case any of the subsequent processing might temporarily overflow the order length.

Future work
-----------

A separate commit addresses further hardening of `BN_copy()` (and indirectly `BN_dup()`).

Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10631) |
a377871d | 21-Jan-2020 |
Nicola Tuveri |
[PROV][KEYMGMT][EC] Import/export of priv_key as padded const time BN

For EC keys it is particularly important to avoid leaking the bit length of the secret scalar. Key import/export should never leak the bit length of the secret scalar in the key. For this reason, on export we use padded BIGNUMs with fixed length, using the new `ossl_param_bld_push_BN_pad()`. When importing we also should make sure that, even if short lived, the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as soon as possible, so that any processing of this BIGNUM might opt for constant time implementations in the backend. Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have to preallocate the BIGNUM internal buffer to a fixed size big enough that operations performed during the processing never trigger a realloc which would leak the size of the scalar through memory accesses.

Fixed length
------------

The order of the large prime subgroup of the curve is our choice for a fixed public size, as that is generally the upper bound for generating a private key in EC cryptosystems and should fit all valid secret scalars. For padding on export we just use the bit length of the order converted to bytes (rounding up). For preallocating the BIGNUM storage we look at the number of "words" required for the internal representation of the order, and we preallocate 2 extra "words" in case any of the subsequent processing might temporarily overflow the order length.

Future work
-----------

To ensure the flag and fixed size preallocation persists upon `EC_KEY_set_private_key()`, we need to further harden `EC_KEY_set_private_key()` and `BN_copy()`. This is done in separate commits.

Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10631) |
4fe54d67 | 14-Dec-2019 |
Nicola Tuveri |
[PROV][KMGMT][KEXCH][EC] Implement EC keymgmt and ECDH Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10631) |
cf6404b1 | 25-Jan-2020 |
Nicola Tuveri |
[CMS] Test decryption of a ciphertext encrypted from 1.1.1

Current CMS en/decryption tests only validate that our current decryption and encryption algorithms are compatible, but they say nothing about correctness of the output for the given set of parameters. As a partial fix in absence of proper KAT tests, we decrypt ciphertexts generated with OpenSSL 1.1.1.

Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10631) |
cd701de9 | 06-Jan-2020 |
Nicola Tuveri |
[EC] Constify internal EC_KEY pointer usage

A pair of internal functions related to EC_KEY handling could benefit from declaring `EC_KEY *` variables as `const`, providing clarity for callers and readers of the code, in addition to enlisting the compiler in preventing some mistakes.

Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10631) |
afa2b389 | 14-Dec-2019 |
Nicola Tuveri |
[PROV][KEYMGMT][DH][DSA] use BN_clear_free for secrets Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10631) |
0d51cf3c | 09-Jan-2020 |
H.J. Lu |
x86_64: Don't assume 8-byte pointer size

Since pointer in x32 is 4 bytes, add x86_64-support.pl to define pointer_size and pointer_register based on flavour to support structures like:

    struct {
        void *ptr;
        int blocks;
    }

This fixes 90-test_sslapi.t on x32. Verified with

    $ ./Configure shared linux-x86_64
    $ make
    $ make test

and

    $ ./Configure shared linux-x32
    $ make
    $ make test

Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10988) |
21542a48 | 16-Feb-2020 |
Alex Boboc |
DOC:Fix typos in x509v3_config.pod CLA: trivial Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11104) |
0587a3af | 16-Feb-2020 |
Alex Boboc |
DOC:Fix typos in man5/config.pod CLA: trivial Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11104) |
e02b13ad | 16-Feb-2020 |
Alex Boboc |
DOC:Fix typos in openssl-enc.pod.in + openssl.pod CLA: trivial Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11104) |
7354f781 | 16-Feb-2020 |
Alex Boboc |
DOC:Fix typos in ossl_cmp_print_log.pod CLA: trivial Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11104) |
af61cbca | 16-Feb-2020 |
Alex Boboc |
DOC:Fix typos in ossl_param_bld_init CLA: trivial Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11104) |
d1eec097 | 12-Feb-2020 |
Pauli |
Deprecate EC command line apps. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11106) |