Age | Commit message (Collapse) | Author | Files | Lines |
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5886354dcca4f8445ed35b6995a035b75409590c)
|
|
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 8b07c005fe006044d0e4a795421447deca3c9f2c)
|
|
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e)
Conflicts:
crypto/evp/evp_enc.c
(cherry picked from commit 738911cde68b2b3706e502cf8daf5b14738f2f42)
|
|
(Original commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)
Use the new constant-time methods consistently in s3_srvr.c
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab0de51c9f67b3c909311770f2b3f801)
|
|
that bad encryptions are treated like random session keys in constant
time.
(cherry picked from commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1
This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Conflicts:
crypto/rsa/rsa_oaep.c
|
|
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit
Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b5ff559ff90124c6fd53bbb49dae5edb4e821e0a)
|
|
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit b2aa38a980e9fbf158aafe487fb729c492b241fb)
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit af4c6e348e4bad6303e7d214cdcf2536487aabe4)
|
|
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.
OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.
This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.
(Original patch amended to achieve strnlen in a different way.)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit be0d851732bad7370640702bc9c4a33189ede287)
|
|
(cherry picked from commit 2b0180c37fa6ffc48ee40caa831ca398b828e680)
Reviewed-by: Ben Laurie <ben@openssl.org>
|
|
string returns 0 with errno = ENOENT.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 360928b7d0f16dde70e26841bbf9e1af727e8b8f)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6a14fe7576e7a14a46ba14df8be8fe478536b4fb)
|
|
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e63275a916b147f9d8764e3c0c060fdb)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4d86e8df6be69ed13abb73fd564f1f894eea0a98)
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 9d6253cfd3395dfe7147dae134579c6b16544c53)
|
|
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6aa9dbab0f9b90060b7ee609b8c3c726ce4faf21)
|
|
Add the file written by James Westby, graciously contributed
under the terms of the OpenSSL license.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cf2239b3b397174a8a6b1cc84ff68aba34ed5941)
|
|
The doc says that port can be "*" to mean any port.
That's wrong.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 07e3b31fae98b985d3d2aad7066144b11833f688)
|
|
Pull constant-time methods out to a separate header, add tests.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 9a9b0c0401cae443f115ff19921d347b20aa396b)
Conflicts:
test/Makefile
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f9fb43e176ad2a914108cd2b403425dc1ebc7262)
|
|
Add the wrapper to all public header files (Configure
generates one). Don't bother for those that are just
lists of #define's that do renaming.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 089f10e69ece75ce31540501fe0898b15e898552)
|
|
The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 82dc08de54ce443c2a9ac478faffe79e76157795)
|
|
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit ed383f847156940e93f256fed78599873a4a9b28)
Conflicts:
doc/crypto/EC_KEY_new.pod
|
|
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:
-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit b391570bdeb386d4fd325917c248d593d3c43930)
|
|
I also removed some trailing whitespace and cleaned
up the "see also" list.
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 7b3e11c54466f1da8b707c932e308d345fd61101)
|
|
The description of when the server creates a DH key is
confusing. This cleans it up.
(rsalz: also removed trailing whitespace.)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
|
|
The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors. Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.
Reviewed-by: Emilia Kasper <emilia@openssl.org>
|
|
This patch was submitted by user "Kox" via the wiki
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2dd8cb3b9593f528d9537aa6a003d5c93df1e3c5)
|
|
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.
Reported by "oftc_must_be_destroyed" and George Kadianakis.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 3aac17a82fbaf2bc23ee62f24611e5883d3e7b97)
|
|
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e19c93811f0db499c98d2888f1c0c0ab65e6238a)
|
|
Clarify the intended use of EVP_PKEY_sign. Make the code example compile.
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit d64c533a207f7b6d86c3bc8ffb053e5f4d0c1ca0)
|
|
In Visual Studio, inline is available in C++ only, however __inline is available for C, see
http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit f511b25a7370c775dc9fd6198dbacd1706cf242b)
|
|
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit da92be4d68bec81030838e3228ef0238c565af85)
|
|
eliminating them as dead code.
Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.
(cherry picked from commit 7753a3a68431aa81b82beea4c3f5374b41454679)
Conflicts:
crypto/bn/asm/x86_64-gcc.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
PR#3450
Conflicts:
ssl/s3_clnt.c
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
group_order_tests (ectest.c). Also fix the EC_POINTs_mul documentation (ec.h).
Reviewed-by: emilia@openssl.org
|
|
Add patch missed from backport of SRP ciphersuite fix.
PR#3490
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|
|
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:
A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)
Conflicts:
ssl/s3_clnt.c
ssl/s3_lib.c
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 193c1c07165b0042abd217274a084b49459d4443)
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|
|
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|
|
Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|
|
Invalid parameters passed to the SRP code can be overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.
Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|
|
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.
Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.
CVE-2014-5139
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|