https://github.com/openssl/openssl
- HEAD
- refs/heads/OpenSSL-engine-0_9_6-stable
- refs/heads/OpenSSL-fips-0_9_7-stable
- refs/heads/OpenSSL-fips-0_9_8-stable
- refs/heads/OpenSSL-fips-1_2-stable
- refs/heads/OpenSSL-fips-2_0-dev
- refs/heads/OpenSSL-fips-2_0-stable
- refs/heads/OpenSSL-fips2-0_9_7-stable
- refs/heads/OpenSSL_0_9_6-stable
- refs/heads/OpenSSL_0_9_7-stable
- refs/heads/OpenSSL_0_9_8-stable
- refs/heads/OpenSSL_0_9_8fg-stable
- refs/heads/OpenSSL_1_0_0-stable
- refs/heads/OpenSSL_1_0_1-stable
- refs/heads/OpenSSL_1_0_2-stable
- refs/heads/OpenSSL_1_1_0-stable
- refs/heads/OpenSSL_1_1_1-stable
- refs/heads/SSLeay
- refs/heads/feature/dtls-1.3
- refs/heads/feature/quic-server
- refs/heads/master
- refs/heads/openssl-3.0
- refs/heads/openssl-3.1
- refs/heads/openssl-3.2
- refs/heads/openssl-3.3
- refs/heads/tls1.3-draft-18
- refs/heads/tls1.3-draft-19
- refs/tags/AFTER_COMPAQ_PATCH
- refs/tags/BEFORE_COMPAQ_PATCH
- refs/tags/BEFORE_engine
- refs/tags/BEN_FIPS_TEST_1
- refs/tags/BEN_FIPS_TEST_2
- refs/tags/BEN_FIPS_TEST_3
- refs/tags/BEN_FIPS_TEST_4
- refs/tags/BEN_FIPS_TEST_5
- refs/tags/BEN_FIPS_TEST_6
- refs/tags/BEN_FIPS_TEST_7
- refs/tags/BEN_FIPS_TEST_8
- refs/tags/FIPS_098_TEST_1
- refs/tags/FIPS_098_TEST_2
- refs/tags/FIPS_098_TEST_3
- refs/tags/FIPS_098_TEST_4
- refs/tags/FIPS_098_TEST_5
- refs/tags/FIPS_098_TEST_6
- refs/tags/FIPS_098_TEST_7
- refs/tags/FIPS_098_TEST_8
- refs/tags/FIPS_TEST_10
- refs/tags/FIPS_TEST_9
- refs/tags/LEVITTE_after_const
- refs/tags/LEVITTE_before_const
- refs/tags/OpenSSL-engine-0_9_6
- refs/tags/OpenSSL-engine-0_9_6-beta1
- refs/tags/OpenSSL-engine-0_9_6-beta2
- refs/tags/OpenSSL-engine-0_9_6-beta3
- refs/tags/OpenSSL-engine-0_9_6a
- refs/tags/OpenSSL-engine-0_9_6a-beta1
- refs/tags/OpenSSL-engine-0_9_6a-beta2
- refs/tags/OpenSSL-engine-0_9_6a-beta3
- refs/tags/OpenSSL-engine-0_9_6b
- refs/tags/OpenSSL-engine-0_9_6c
- refs/tags/OpenSSL-engine-0_9_6d
- refs/tags/OpenSSL-engine-0_9_6d-beta1
- refs/tags/OpenSSL-engine-0_9_6e
- refs/tags/OpenSSL-engine-0_9_6f
- refs/tags/OpenSSL-engine-0_9_6g
- refs/tags/OpenSSL-engine-0_9_6h
- refs/tags/OpenSSL-engine-0_9_6i
- refs/tags/OpenSSL-engine-0_9_6j
- refs/tags/OpenSSL-engine-0_9_6k
- refs/tags/OpenSSL-engine-0_9_6l
- refs/tags/OpenSSL-engine-0_9_6m
- refs/tags/OpenSSL-fips-1_2_0
- refs/tags/OpenSSL-fips-1_2_1
- refs/tags/OpenSSL-fips-1_2_2
- refs/tags/OpenSSL-fips-1_2_3
- refs/tags/OpenSSL-fips-2_0
- refs/tags/OpenSSL-fips-2_0-pl1
- refs/tags/OpenSSL-fips-2_0-rc1
- refs/tags/OpenSSL-fips-2_0-rc2
- refs/tags/OpenSSL-fips-2_0-rc3
- refs/tags/OpenSSL-fips-2_0-rc4
- refs/tags/OpenSSL-fips-2_0-rc5
- refs/tags/OpenSSL-fips-2_0-rc6
- refs/tags/OpenSSL-fips-2_0-rc7
- refs/tags/OpenSSL-fips-2_0-rc8
- refs/tags/OpenSSL-fips-2_0-rc9
- refs/tags/OpenSSL-fips-2_0_1
- refs/tags/OpenSSL_0_9_1c
- refs/tags/OpenSSL_0_9_2b
- refs/tags/OpenSSL_0_9_3
- refs/tags/OpenSSL_0_9_3a
- refs/tags/OpenSSL_0_9_3beta1
- refs/tags/OpenSSL_0_9_3beta2
- refs/tags/OpenSSL_0_9_4
- refs/tags/OpenSSL_0_9_5
- refs/tags/OpenSSL_0_9_5a
- refs/tags/OpenSSL_0_9_5a-beta1
- refs/tags/OpenSSL_0_9_5a-beta2
- refs/tags/OpenSSL_0_9_5beta1
- refs/tags/OpenSSL_0_9_5beta2
- refs/tags/OpenSSL_0_9_6
- refs/tags/OpenSSL_0_9_6-beta1
- refs/tags/OpenSSL_0_9_6-beta2
- refs/tags/OpenSSL_0_9_6-beta3
- refs/tags/OpenSSL_0_9_6a
- refs/tags/OpenSSL_0_9_6a-beta1
- refs/tags/OpenSSL_0_9_6a-beta2
- refs/tags/OpenSSL_0_9_6a-beta3
- refs/tags/OpenSSL_0_9_6b
- refs/tags/OpenSSL_0_9_6c
- refs/tags/OpenSSL_0_9_6d
- refs/tags/OpenSSL_0_9_6d-beta1
- refs/tags/OpenSSL_0_9_6e
- refs/tags/OpenSSL_0_9_6f
- refs/tags/OpenSSL_0_9_6g
- refs/tags/OpenSSL_0_9_6h
- refs/tags/OpenSSL_0_9_6i
- refs/tags/OpenSSL_0_9_6j
- refs/tags/OpenSSL_0_9_6k
- refs/tags/OpenSSL_0_9_6l
- refs/tags/OpenSSL_0_9_6m
- refs/tags/OpenSSL_0_9_7
- refs/tags/OpenSSL_0_9_7-beta1
- refs/tags/OpenSSL_0_9_7-beta2
- refs/tags/OpenSSL_0_9_7-beta3
- refs/tags/OpenSSL_0_9_7-beta4
- refs/tags/OpenSSL_0_9_7-beta5
- refs/tags/OpenSSL_0_9_7-beta6
- refs/tags/OpenSSL_0_9_7a
- refs/tags/OpenSSL_0_9_7b
- refs/tags/OpenSSL_0_9_7c
- refs/tags/OpenSSL_0_9_7d
- refs/tags/OpenSSL_0_9_7e
- refs/tags/OpenSSL_0_9_7f
- refs/tags/OpenSSL_0_9_7g
- refs/tags/OpenSSL_0_9_7h
- refs/tags/OpenSSL_0_9_7i
- refs/tags/OpenSSL_0_9_7j
- refs/tags/OpenSSL_0_9_7k
- refs/tags/OpenSSL_0_9_7l
- refs/tags/OpenSSL_0_9_7m
- refs/tags/OpenSSL_0_9_8
- refs/tags/OpenSSL_0_9_8-beta1
- refs/tags/OpenSSL_0_9_8-beta2
- refs/tags/OpenSSL_0_9_8-beta3
- refs/tags/OpenSSL_0_9_8-beta4
- refs/tags/OpenSSL_0_9_8-beta5
- refs/tags/OpenSSL_0_9_8-beta6
- refs/tags/OpenSSL_0_9_8a
- refs/tags/OpenSSL_0_9_8b
- refs/tags/OpenSSL_0_9_8c
- refs/tags/OpenSSL_0_9_8d
- refs/tags/OpenSSL_0_9_8e
- refs/tags/OpenSSL_0_9_8f
- refs/tags/OpenSSL_0_9_8g
- refs/tags/OpenSSL_0_9_8h
- refs/tags/OpenSSL_0_9_8i
- refs/tags/OpenSSL_0_9_8j
- refs/tags/OpenSSL_0_9_8k
- refs/tags/OpenSSL_0_9_8l
- refs/tags/OpenSSL_0_9_8m
- refs/tags/OpenSSL_0_9_8m-beta1
- refs/tags/OpenSSL_0_9_8n
- refs/tags/OpenSSL_0_9_8o
- refs/tags/OpenSSL_0_9_8p
- refs/tags/OpenSSL_0_9_8q
- refs/tags/OpenSSL_0_9_8r
- refs/tags/OpenSSL_0_9_8s
- refs/tags/OpenSSL_0_9_8t
- refs/tags/OpenSSL_0_9_8u
- refs/tags/OpenSSL_0_9_8v
- refs/tags/OpenSSL_0_9_8w
- refs/tags/OpenSSL_0_9_8x
- refs/tags/OpenSSL_1_0_0
- refs/tags/OpenSSL_1_0_0-beta1
- refs/tags/OpenSSL_1_0_0-beta2
- refs/tags/OpenSSL_1_0_0-beta3
- refs/tags/OpenSSL_1_0_0-beta4
- refs/tags/OpenSSL_1_0_0-beta5
- refs/tags/OpenSSL_1_0_0a
- refs/tags/OpenSSL_1_0_0b
- refs/tags/OpenSSL_1_0_0c
- refs/tags/OpenSSL_1_0_0d
- refs/tags/OpenSSL_1_0_0e
- refs/tags/OpenSSL_1_0_0f
- refs/tags/OpenSSL_1_0_0g
- refs/tags/OpenSSL_1_0_0h
- refs/tags/OpenSSL_1_0_0i
- refs/tags/OpenSSL_1_0_0j
- refs/tags/OpenSSL_1_0_1
- refs/tags/OpenSSL_1_0_1-beta1
- refs/tags/OpenSSL_1_0_1-beta2
- refs/tags/OpenSSL_1_0_1-beta3
- refs/tags/OpenSSL_1_0_1a
- refs/tags/OpenSSL_1_0_1b
- refs/tags/OpenSSL_1_0_1c
- refs/tags/OpenSSL_FIPS_1_0
- refs/tags/SSLeay_0_8_1b
- refs/tags/SSLeay_0_9_0b
- refs/tags/SSLeay_0_9_1b
- refs/tags/STATE_after_zlib
- refs/tags/STATE_before_zlib
- refs/tags/rsaref
- openssl-3.3.0-beta1
- openssl-3.3.0-alpha1
- openssl-3.3.0
- openssl-3.2.1
- openssl-3.2.0-beta1
- openssl-3.2.0-alpha2
- openssl-3.2.0-alpha1
- openssl-3.2.0
- openssl-3.1.5
- openssl-3.1.4
- openssl-3.1.3
- openssl-3.1.2
- openssl-3.1.1
- openssl-3.1.0-beta1
- openssl-3.1.0-alpha1
- openssl-3.1.0
- openssl-3.0.9
- openssl-3.0.8
- openssl-3.0.7
- openssl-3.0.6
- openssl-3.0.5
- openssl-3.0.4
- openssl-3.0.3
- openssl-3.0.2
- openssl-3.0.13
- openssl-3.0.12
- openssl-3.0.11
- openssl-3.0.10
- openssl-3.0.1
- openssl-3.0.0-beta2
- openssl-3.0.0-beta1
- openssl-3.0.0-alpha9
- openssl-3.0.0-alpha8
- openssl-3.0.0-alpha7
- openssl-3.0.0-alpha6
- openssl-3.0.0-alpha5
- openssl-3.0.0-alpha4
- openssl-3.0.0-alpha3
- openssl-3.0.0-alpha2
- openssl-3.0.0-alpha17
- openssl-3.0.0-alpha16
- openssl-3.0.0-alpha15
- openssl-3.0.0-alpha14
- openssl-3.0.0-alpha13
- openssl-3.0.0-alpha12
- openssl-3.0.0-alpha11
- openssl-3.0.0-alpha10
- openssl-3.0.0-alpha1
- openssl-3.0.0
- master-pre-reformat
- master-pre-auto-reformat
- master-post-reformat
- master-post-auto-reformat
- OpenSSL_1_1_1w
- OpenSSL_1_1_1v
- OpenSSL_1_1_1u
- OpenSSL_1_1_1t
- OpenSSL_1_1_1s
- OpenSSL_1_1_1r
- OpenSSL_1_1_1q
- OpenSSL_1_1_1p
- OpenSSL_1_1_1o
- OpenSSL_1_1_1n
- OpenSSL_1_1_1m
- OpenSSL_1_1_1l
- OpenSSL_1_1_1k
- OpenSSL_1_1_1j
- OpenSSL_1_1_1i
- OpenSSL_1_1_1h
- OpenSSL_1_1_1g
- OpenSSL_1_1_1f
- OpenSSL_1_1_1e
- OpenSSL_1_1_1d
- OpenSSL_1_1_1c
- OpenSSL_1_1_1b
- OpenSSL_1_1_1a
- OpenSSL_1_1_1-pre9
- OpenSSL_1_1_1-pre8
- OpenSSL_1_1_1-pre7
- OpenSSL_1_1_1-pre6
- OpenSSL_1_1_1-pre5
- OpenSSL_1_1_1-pre4
- OpenSSL_1_1_1-pre3
- OpenSSL_1_1_1-pre2
- OpenSSL_1_1_1-pre1
- OpenSSL_1_1_1
- OpenSSL_1_1_0l
- OpenSSL_1_1_0k
- OpenSSL_1_1_0j
- OpenSSL_1_1_0i
- OpenSSL_1_1_0h
- OpenSSL_1_1_0g
- OpenSSL_1_1_0f
- OpenSSL_1_1_0e
- OpenSSL_1_1_0d
- OpenSSL_1_1_0c
- OpenSSL_1_1_0b
- OpenSSL_1_1_0a
- OpenSSL_1_1_0-pre6
- OpenSSL_1_1_0-pre5
- OpenSSL_1_1_0-pre4
- OpenSSL_1_1_0-pre3
- OpenSSL_1_1_0-pre2
- OpenSSL_1_1_0-pre1
- OpenSSL_1_1_0
- OpenSSL_1_0_2u
- OpenSSL_1_0_2t
- OpenSSL_1_0_2s
- OpenSSL_1_0_2r
- OpenSSL_1_0_2q
- OpenSSL_1_0_2p
- OpenSSL_1_0_2o
- OpenSSL_1_0_2n
- OpenSSL_1_0_2m
- OpenSSL_1_0_2l
- OpenSSL_1_0_2k
- OpenSSL_1_0_2j
- OpenSSL_1_0_2i
- OpenSSL_1_0_2h
- OpenSSL_1_0_2g
- OpenSSL_1_0_2f
- OpenSSL_1_0_2e
- OpenSSL_1_0_2d
- OpenSSL_1_0_2c
- OpenSSL_1_0_2b
- OpenSSL_1_0_2a
- OpenSSL_1_0_2-pre-reformat
- OpenSSL_1_0_2-pre-auto-reformat
- OpenSSL_1_0_2-post-reformat
- OpenSSL_1_0_2-post-auto-reformat
- OpenSSL_1_0_2-beta3
- OpenSSL_1_0_2-beta2
- OpenSSL_1_0_2-beta1
- OpenSSL_1_0_2
- OpenSSL_1_0_1u
- OpenSSL_1_0_1t
- OpenSSL_1_0_1s
- OpenSSL_1_0_1r
- OpenSSL_1_0_1q
- OpenSSL_1_0_1p
- OpenSSL_1_0_1o
- OpenSSL_1_0_1n
- OpenSSL_1_0_1m
- OpenSSL_1_0_1l
- OpenSSL_1_0_1k
- OpenSSL_1_0_1j
- OpenSSL_1_0_1i
- OpenSSL_1_0_1h
- OpenSSL_1_0_1g
- OpenSSL_1_0_1f
- OpenSSL_1_0_1e
- OpenSSL_1_0_1d
- OpenSSL_1_0_1-pre-reformat
- OpenSSL_1_0_1-pre-auto-reformat
- OpenSSL_1_0_1-post-reformat
- OpenSSL_1_0_1-post-auto-reformat
- OpenSSL_1_0_0t
- OpenSSL_1_0_0s
- OpenSSL_1_0_0r
- OpenSSL_1_0_0q
- OpenSSL_1_0_0p
- OpenSSL_1_0_0o
- OpenSSL_1_0_0n
- OpenSSL_1_0_0m
- OpenSSL_1_0_0l
- OpenSSL_1_0_0k
- OpenSSL_1_0_0-pre-reformat
- OpenSSL_1_0_0-pre-auto-reformat
- OpenSSL_1_0_0-post-reformat
- OpenSSL_1_0_0-post-auto-reformat
- OpenSSL_0_9_8zh
- OpenSSL_0_9_8zg
- OpenSSL_0_9_8zf
- OpenSSL_0_9_8ze
- OpenSSL_0_9_8zd
- OpenSSL_0_9_8zc
- OpenSSL_0_9_8zb
- OpenSSL_0_9_8za
- OpenSSL_0_9_8y
- OpenSSL_0_9_8-pre-reformat
- OpenSSL_0_9_8-pre-auto-reformat
- OpenSSL_0_9_8-post-reformat
- OpenSSL_0_9_8-post-auto-reformat
- OpenSSL-fips-2_0_9
- OpenSSL-fips-2_0_8
- OpenSSL-fips-2_0_7
- OpenSSL-fips-2_0_6
- OpenSSL-fips-2_0_5
- OpenSSL-fips-2_0_4
- OpenSSL-fips-2_0_3
- OpenSSL-fips-2_0_2
- OpenSSL-fips-2_0_16
- OpenSSL-fips-2_0_15
- OpenSSL-fips-2_0_14
- OpenSSL-fips-2_0_13
- OpenSSL-fips-2_0_12
- OpenSSL-fips-2_0_11
- OpenSSL-fips-2_0_10
Take a new snapshot of a software origin
If the archived software origin currently browsed is not synchronized with its upstream version (for instance when new commits have been issued), you can explicitly request Software Heritage to take a new snapshot of it.
Use the form below to proceed. Once a request has been submitted and accepted, it will be processed as soon as possible. You can then check its processing state by visiting this dedicated page.
Processing "take a new snapshot" request ...
Permalinks
To reference or cite the objects present in the Software Heritage archive, permalinks based on SoftWare Hash IDentifiers (SWHIDs) must be used.
Select below a type of object currently browsed in order to display its associated SWHID and permalink.
| Revision | Author | Date | Message | Commit Date |
|---|---|---|---|---|
| e818b74 | Matt Caswell | 20 December 2019, 13:09:21 UTC | Prepare for 1.0.2u release Reviewed-by: Paul Yang <kaishen.yy@antfin.com> | 20 December 2019, 13:09:21 UTC |
| 7e0b689 | Matt Caswell | 19 December 2019, 17:29:26 UTC | Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10664) | 20 December 2019, 09:33:50 UTC |
| b10ccf7 | Matt Caswell | 19 December 2019, 14:33:26 UTC | Updates NEWS for new release Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10663) | 19 December 2019, 17:28:18 UTC |
| 4975571 | Bernd Edlinger | 05 December 2019, 00:20:14 UTC | Add a CHANGES entry for CVE-2019-1551 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10576) | 05 December 2019, 00:26:16 UTC |
| ec8fcae | Bernd Edlinger | 04 December 2019, 11:57:41 UTC | Improve the overflow handling in rsaz_512_sqr We have always a carry in %rcx or %rbx in range 0..2 from the previous stage, that is added to the result of the 64-bit square, but the low nibble of any square can only be 0, 1, 4, 9. Therefore one "adcq $0, %rdx" can be removed. Likewise in the ADX code we can remove one "adcx %rbp, $out" since %rbp is always 0, and carry is also zero, therefore that is a no-op. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10576) | 04 December 2019, 21:57:18 UTC |
| f1c5eea | Andy Polyakov | 04 December 2019, 11:48:21 UTC | Fix an overflow bug in rsaz_512_sqr There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. CVE-2019-1551 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/10576) | 04 December 2019, 21:57:16 UTC |
| b39c047 | Matt Caswell | 18 October 2019, 15:40:44 UTC | Fix an s_server arbitrary file read issue on Windows Running s_server in WWW mode on Windows can allow a client to read files outside the s_server directory by including backslashes in the name, e.g. GET /..\myfile.txt HTTP/1.0 There exists a check for this for Unix paths but it is not sufficient for Windows. Since s_server is a test tool no CVE is assigned. Thanks to Jobert Abma for reporting this. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10215) (cherry picked from commit 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9) | 28 October 2019, 13:20:02 UTC |
| 0159a1b | Cesar Pereida Garcia | 12 September 2019, 14:09:51 UTC | [crypto/asn1/x_bignum.c] Explicit test against NULL As a fixup to https://github.com/openssl/openssl/pull/9779 to better conform to the project code style guidelines, this commit amends the original changeset to explicitly test against NULL, i.e. writing ``` if (p != NULL) ``` rather than ``` if (!p) ``` (This is a backport of https://github.com/openssl/openssl/pull/9881) Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9882) | 16 October 2019, 13:01:58 UTC |
| 4e545c6 | Nicola Tuveri | 10 October 2019, 17:30:58 UTC | [ec_asn1.c] Avoid injecting seed when built-in matches An unintended consequence of https://github.com/openssl/openssl/pull/9808 is that when an explicit parameters curve is matched against one of the well-known builtin curves we automatically inherit also the associated seed parameter, even if the input parameters excluded such parameter. This later affects the serialization of such parsed keys, causing their input DER encoding and output DER encoding to differ due to the additional optional field. This does not cause problems internally but could affect external applications, as reported in https://github.com/openssl/openssl/pull/9811#issuecomment-536153288 This commit fixes the issue by conditionally clearing the seed field if the original input parameters did not include it. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10141) | 15 October 2019, 12:28:36 UTC |
| 1c10029 | Bernd Edlinger | 13 September 2019, 04:37:50 UTC | Fix no-asm build in windows Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9885) | 13 September 2019, 04:37:50 UTC |
| fc437d8 | Bernd Edlinger | 12 September 2019, 18:02:06 UTC | Remove known to fail versions from matrix Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9883) | 12 September 2019, 18:02:06 UTC |
| a1ff24a | Matt Caswell | 10 September 2019, 13:37:06 UTC | Prepare for 1.0.2u-dev Reviewed-by: Richard Levitte <levitte@openssl.org> | 10 September 2019, 13:37:06 UTC |
| cd7c7fc | Matt Caswell | 10 September 2019, 13:36:07 UTC | Prepare for 1.0.2t release Reviewed-by: Richard Levitte <levitte@openssl.org> | 10 September 2019, 13:36:07 UTC |
| c98ce13 | Matt Caswell | 10 September 2019, 13:36:07 UTC | make update Reviewed-by: Richard Levitte <levitte@openssl.org> | 10 September 2019, 13:36:07 UTC |
| b5decf6 | Matt Caswell | 10 September 2019, 13:32:15 UTC | Fix the NEWS file The NEWS file was missing an entry for 1.0.2s. This confuses the release scripts - so add an empty entry. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9852) | 10 September 2019, 13:34:22 UTC |
| 32ef049 | Matt Caswell | 10 September 2019, 13:01:06 UTC | Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9849) | 10 September 2019, 13:01:06 UTC |
| 2608005 | Matt Caswell | 10 September 2019, 10:58:18 UTC | Remove duplicate CHANGES entry Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9846) | 10 September 2019, 11:09:49 UTC |
| e21f8cf | Bernd Edlinger | 31 August 2019, 22:16:28 UTC | Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9777) (cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37) | 10 September 2019, 10:45:41 UTC |
| 8bf7d77 | Matt Caswell | 10 September 2019, 09:26:07 UTC | Update CHANGES and NEWS for the new release Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9843) | 10 September 2019, 09:55:08 UTC |
| 66fd724 | Nicola Tuveri | 07 September 2019, 15:05:31 UTC | [ec] Match built-in curves on EC_GROUP_new_from_ecparameters Description ----------- Upon `EC_GROUP_new_from_ecparameters()` check if the parameters match any of the built-in curves. If that is the case, return a new `EC_GROUP_new_by_curve_name()` object instead of the explicit parameters `EC_GROUP`. This affects all users of `EC_GROUP_new_from_ecparameters()`: - direct calls to `EC_GROUP_new_from_ecparameters()` - direct calls to `EC_GROUP_new_from_ecpkparameters()` with an explicit parameters argument - ASN.1 parsing of explicit parameters keys (as it eventually ends up calling `EC_GROUP_new_from_ecpkparameters()`) A parsed explicit parameter key will still be marked with the `OPENSSL_EC_EXPLICIT_CURVE` ASN.1 flag on load, so, unless programmatically forced otherwise, if the key is eventually serialized the output will still be encoded with explicit parameters, even if internally it is treated as a named curve `EC_GROUP`. Before this change, creating any `EC_GROUP` object using `EC_GROUP_new_from_ecparameters()`, yielded an object associated with the default generic `EC_METHOD`, but this was never guaranteed in the documentation. After this commit, users of the library that intentionally want to create an `EC_GROUP` object using a specific `EC_METHOD` can still explicitly call `EC_GROUP_new(foo_method)` and then manually set the curve parameters using `EC_GROUP_set_*()`. Motivation ---------- This has obvious performance benefits for the built-in curves with specialized `EC_METHOD`s and subtle but important security benefits: - the specialized methods have better security hardening than the generic implementations - optional fields in the parameter encoding, like the `cofactor`, cannot be leveraged by an attacker to force execution of the less secure code-paths for single point scalar multiplication - in general, this leads to reducing the attack surface Check the manuscript at https://arxiv.org/abs/1909.01785 for an in depth analysis of the issues related to this commit. It should be noted that `libssl` does not allow to negotiate explicit parameters (as per RFC 8422), so it is not directly affected by the consequences of using explicit parameters that this commit fixes. On the other hand, we detected external applications and users in the wild that use explicit parameters by default (and sometimes using 0 as the cofactor value, which is technically not a valid value per the specification, but is tolerated by parsers for wider compatibility given that the field is optional). These external users of `libcrypto` are exposed to these vulnerabilities and their security will benefit from this commit. Related commits --------------- While this commit is beneficial for users using built-in curves and explicit parameters encoding for serialized keys, commit b783beeadf6b80bc431e6f3230b5d5585c87ef87 (and its equivalents for the 1.0.2, 1.1.0 and 1.1.1 stable branches) fixes the consequences of the invalid cofactor values more in general also for other curves (CVE-2019-1547). The following list covers commits in `master` that are related to the vulnerabilities presented in the manuscript motivating this commit: - d2baf88c43 [crypto/rsa] Set the constant-time flag in multi-prime RSA too - 311e903d84 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation. - b783beeadf [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it - 724339ff44 Fix SCA vulnerability when using PVK and MSBLOB key formats Note that the PRs that contributed the listed commits also include other commits providing related testing and documentation, in addition to links to PRs and commits backporting the fixes to the 1.0.2, 1.1.0 and 1.1.1 branches. This commit includes a partial backport of https://github.com/openssl/openssl/pull/8555 (commit 8402cd5f75f8c2f60d8bd39775b24b03dd8b3b38) for which the main author is Shane Lontis. Responsible Disclosure ---------------------- This and the other issues presented in https://arxiv.org/abs/1909.01785 were reported by Cesar Pereida GarcÃa, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya and Billy Bob Brumley from the NISEC group at Tampere University, FINLAND. The OpenSSL Security Team evaluated the security risk for this vulnerability as low, and encouraged to propose fixes using public Pull Requests. _______________________________________________________________________________ Co-authored-by: Shane Lontis <shane.lontis@oracle.com> (Backport from https://github.com/openssl/openssl/pull/9808) Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9811) | 09 September 2019, 15:57:57 UTC |
| 21c856b | Billy Brumley | 07 September 2019, 07:50:58 UTC | [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9799) | 09 September 2019, 07:34:44 UTC |
| adaebd8 | Cesar Pereida Garcia | 05 September 2019, 14:47:40 UTC | [crypto/rsa] Fix multiple SCA vulnerabilities during RSA key validation. This commit addresses multiple side-channel vulnerabilities present during RSA key validation. Private key parameters are re-computed using variable-time functions. This issue was discovered and reported by the NISEC group at TAU Finland. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9785) | 09 September 2019, 07:16:47 UTC |
| 6a7bad0 | Dr. Matthias St. Pierre | 23 July 2019, 18:18:43 UTC | Configure: clang: add -Wno-unknown-warning-option Fixes travis build errors due to clang error: unknown warning option '-Wno-extended-offsetof' It seems like '-Wextended-offsetof' was removed from clang in version 6.0.0, (see [1], [2]). While gcc ignores unknown options of the type '-Wno-xxx', clang by default issues a warning [-Wunknown-warning-option] (see [3]), which together with '-Werror' causes the build to fail. This commit adds the '-Wno-unknown-warning-option' option to make clang behave more relaxed like gcc. [1] https://reviews.llvm.org/D40267 [2] https://github.com/llvm/llvm-project/commit/52a3ca9e2909 [3] https://clang.llvm.org/docs/DiagnosticsReference.html#wunknown-warning-option [extended tests] Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9446) | 07 September 2019, 23:12:04 UTC |
| 920e37e | Nicola Tuveri | 06 September 2019, 11:05:26 UTC | [ec/ecp_nistp*.c] restyle: use {} around `else` too Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9793) | 06 September 2019, 13:55:42 UTC |
| e3679b1 | Nicola Tuveri | 05 September 2019, 22:31:45 UTC | [ec/ecp_nistp*.c] remove flip_endian() Replace flip_endian() by using the little endian specific bn_bn2lebinpad() and bn_lebin2bn(). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9793) | 06 September 2019, 13:51:58 UTC |
| bde4a00 | Nicola Tuveri | 05 September 2019, 21:18:36 UTC | Uniform bn_bn2binpad() and bn_bn2lebinpad() implementations Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9793) | 06 September 2019, 13:37:57 UTC |
| 853950f | Nicola Tuveri | 01 August 2019, 23:08:34 UTC | Make BN_num_bits() consttime upon BN_FLG_CONSTTIME This issue was partially addressed by commit 972c87dfc7e765bd28a4964519c362f0d3a58ca4, which hardened its callee BN_num_bits_word() to avoid leaking the most-significant word of its argument via branching and memory access pattern. The commit message also reported: > There are a few places where BN_num_bits is called on an input where > the bit length is also secret. This does *not* fully resolve those > cases as we still only look at the top word. BN_num_bits() is called directly or indirectly (e.g., through BN_num_bytes() or BN_bn2binpad() ) in various parts of the `crypto/ec` code, notably in all the currently supported implementations of scalar multiplication (in the generic path through ec_scalar_mul_ladder() as well as in dedicated methods like ecp_nistp{224,256,521}.c and ecp_nistz256.c). Under the right conditions, a motivated SCA attacker could retrieve the secret bitlength of a secret nonce through this vulnerability, potentially leading, ultimately, to recover a long-term secret key. With this commit, exclusively for BIGNUMs that are flagged with BN_FLG_CONSTTIME, instead of accessing only bn->top, all the limbs of the BIGNUM are accessed up to bn->dmax and bitwise masking is used to avoid branching. Memory access pattern still leaks bn->dmax, the size of the lazily allocated buffer for representing the BIGNUM, which is inevitable with the current BIGNUM architecture: reading past bn->dmax would be an out-of-bound read. As such, it's the caller responsibility to ensure that bn->dmax does not leak secret information, by explicitly expanding the internal BIGNUM buffer to a public value sufficient to avoid any lazy reallocation while manipulating it: this should be already done at the top level alongside setting the BN_FLG_CONSTTIME. Thanks to David Schrammel and Samuel Weiser for reporting this issue through responsible disclosure. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9793) | 06 September 2019, 13:37:57 UTC |
| 2e9d293 | Nicola Tuveri | 01 August 2019, 22:33:05 UTC | Fix a SCA leak using BN_bn2bin() BN_bn2bin() is not constant-time and leaks the number of bits in the processed BIGNUM. The specialized methods in ecp_nistp224.c, ecp_nistp256.c and ecp_nistp521.c internally used BN_bn2bin() to convert scalars into the internal fixed length representation. This can leak during ECDSA/ECDH key generation or handling the nonce while generating an ECDSA signature, when using these implementations. The amount and risk of leaked information useful for a SCA attack varies for each of the three curves, as it depends mainly on the ratio between the bitlength of the curve subgroup order (governing the size of the secret nonce/key) and the limb size for the internal BIGNUM representation (which depends on the compilation target architecture). To fix this, we replace BN_bn2bin() with bn_bn2binpad(), bounding the output length to the width of the internal representation buffer: this length is public. Internally the final implementation of both bn_bn2binpad() and BN_bn2bin() already has masking in place to avoid leaking bn->top through memory access patterns. Memory access pattern still leaks bn->dmax, the size of the lazily allocated buffer for representing the BIGNUM, which is inevitable with the current BIGNUM architecture: reading past bn->dmax would be an out-of-bound read. As such, it's the caller responsibility to ensure that bn->dmax does not leak secret information, by explicitly expanding the internal BIGNUM buffer to a public value sufficient to avoid any lazy reallocation while manipulating it: this is already done at the top level alongside setting the BN_FLG_CONSTTIME. Finally, the internal implementation of bn_bn2binpad() indirectly calls BN_num_bits() via BN_num_bytes(): the current implementation of BN_num_bits() can leak information to a SCA attacker, and is addressed in the next commit. Thanks to David Schrammel and Samuel Weiser for reporting this issue through responsible disclosure. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9793) | 06 September 2019, 12:56:45 UTC |
| 55611d5 | Cesar Pereida Garcia | 19 August 2019, 07:33:14 UTC | Fix SCA vulnerability when using PVK and MSBLOB key formats This commit addresses a side-channel vulnerability present when PVK and MSBLOB key formats are loaded into OpenSSL. The public key was not computed using a constant-time exponentiation function. This issue was discovered and reported by the NISEC group at TAU Finland. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9638) | 27 August 2019, 08:25:51 UTC |
| 7fafaf2 | Bernd Edlinger | 16 August 2019, 13:32:32 UTC | Fix error handling in X509_chain_up_ref Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9615) | 16 August 2019, 13:32:32 UTC |
| d333eba | Richard Levitte | 25 July 2019, 10:21:33 UTC | Document issue with default installation paths on diverse Windows targets For all config targets (except VMS, because it has a completely different set of scripts), '/usr/local/ssl' is the default prefix for installation of programs and libraries, as well as the path for OpenSSL run-time configuration. For programs built to run in a Windows environment, this default is unsafe, and the user should set a different prefix. This has been hinted at in some documentation but not all, and the danger of leaving the default as is hasn't been documented at all. This change documents the issue as a caveat lector, and all configuration examples now include an example --prefix. CVE-2019-1552 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9456) | 25 July 2019, 16:58:35 UTC |
| 0bc650d | Bernd Edlinger | 21 July 2019, 08:41:39 UTC | Use trusty for travis builds this works around build failures due to clang error: unknown warning option '-Wno-extended-offsetof' [extended tests] Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/9425) | 21 July 2019, 09:07:45 UTC |
| aa8b244 | Bernd Edlinger | 21 June 2019, 19:26:19 UTC | Add value_barriers in constant time select functions The barriers prevent the compiler from narrowing down the possible value range of the mask and ~mask in the select statements, which avoids the recognition of the select and turning it into a conditional load or branch. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9419) | 19 July 2019, 18:45:25 UTC |
| 7a7afc5 | Bernd Edlinger | 19 April 2018, 20:17:24 UTC | Fix a warning about missing prototype on arm (cherry picked from commit 5fc89c1af837026b5812526ef6f519bf7ca42f16) Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8243) | 11 June 2019, 15:45:33 UTC |
| 3750879 | Bernd Edlinger | 19 April 2018, 18:56:46 UTC | Fix building linux-armv4 with --strict-warnings (cherry picked from commit 0e0f8116e247912f5c48f8b3786e543f37fc1f87) Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8243) | 11 June 2019, 15:45:33 UTC |
| 8479e9e | Acheev Bhagat | 07 June 2019, 00:05:49 UTC | Replace BIO_printf with ASN1_STRING_print in GENERAL_NAME_print Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/9101) | 07 June 2019, 08:38:49 UTC |
| ec36b32 | Richard Levitte | 28 May 2019, 12:56:42 UTC | Prepare for 1.0.2t-dev Reviewed-by: Matt Caswell <matt@openssl.org> | 28 May 2019, 12:56:42 UTC |
| cf9143f | Richard Levitte | 28 May 2019, 12:56:29 UTC | Prepare for 1.0.2s release Reviewed-by: Matt Caswell <matt@openssl.org> | 28 May 2019, 12:56:29 UTC |
| 66c236c | Richard Levitte | 28 May 2019, 12:41:38 UTC | Update copyright year Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9032) | 28 May 2019, 12:41:38 UTC |
| bb36ec5 | Richard Levitte | 27 May 2019, 19:38:00 UTC | Add CHANGES for 1.0.2s Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9019) | 28 May 2019, 08:07:44 UTC |
| 0f283c9 | Kurt Roeckx | 13 April 2019, 10:32:48 UTC | Change default RSA, DSA and DH size to 2048 bit Fixes: #8737 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Richard Levitte <levitte@openssl.org> GH: #8741 (cherry picked from commit 70b0b977f73cd70e17538af3095d18e0cf59132e) | 21 May 2019, 14:58:42 UTC |
| cea83f9 | Emilia Kasper | 03 June 2016, 12:42:04 UTC | RT 4242: reject invalid EC point coordinates This is a backport of commit 1e2012b7 to 1.0.2. This hardening change was made to 1.1.0 but was not backported to 1.0.2. Recent CVEs in user applications have shown this additional hardening in 1.0.2 would be beneficial. E.g. see the patch for CVE-2019-9498 https://w1.fi/security/2019-4/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch and CVE-2019-9499 https://w1.fi/security/2019-4/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch The original commit had this description: We already test in EC_POINT_oct2point that points are on the curve. To be on the safe side, move this check to EC_POINT_set_affine_coordinates_* so as to also check point coordinates received through some other method. We do not check projective coordinates, though, as - it's unlikely that applications would be receiving this primarily internal representation from untrusted sources, and - it's possible that the projective setters are used in a setting where performance matters. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8750) | 25 April 2019, 12:09:22 UTC |
| f937540 | Dr. Matthias St. Pierre | 09 April 2019, 13:04:29 UTC | Add FIPS support for Android Arm 64-bit Fixes #2490 Fixes #8711 In commit 6db8e3bdc9e, support for Android Arm 64-bit was added to the OpenSSL FIPS Object Module. For some reason, the corresponding target 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be built with FIPS support on Android Arm 64-bit. This commit adds the missing target. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8713) | 16 April 2019, 23:58:26 UTC |
| d3299a3 | Shane Lontis | 27 March 2019, 07:38:28 UTC | fixed public range check in ec_GF2m_simple_oct2point Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/8607) (cherry picked from commit cad8347be23c5e0c0d9eea02d090d42daf2dd7a9) | 30 March 2019, 14:12:07 UTC |
| c3e7bea | Bernd Edlinger | 20 March 2019, 21:02:58 UTC | Modify the RSA_private_decrypt functions to check the padding in constant time with a memory access pattern that does not depend on secret information. [extended tests] Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8543) (cherry picked from commit 9c0cf214e7836eb5aaf1ea5d3cbf6720533f86b5) | 22 March 2019, 13:48:37 UTC |
| d284d27 | Bernd Edlinger | 20 March 2019, 19:01:12 UTC | Make err_clear_constant_time really constant time [extended tests] Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8558) | 22 March 2019, 13:39:02 UTC |
| 94eb7d0 | Bernd Edlinger | 17 March 2019, 16:28:24 UTC | Clear the point S before freeing in ec_mul_consttime The secret point R can be recovered from S using the equation R = S - P. The X and Z coordinates should be sufficient for that. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8505) (cherry picked from commit 502b871ad4eacc96a31f89d9a9470ca2858da998) | 18 March 2019, 21:50:08 UTC |
| dbf71ae | Bernd Edlinger | 17 March 2019, 09:02:07 UTC | Clear the secret point in ecdh_compute_key Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8502) | 17 March 2019, 09:02:07 UTC |
| 6555a89 | Bernd Edlinger | 28 February 2019, 09:08:18 UTC | Fix memory overrun in rsa padding check functions Backported from d7f5e5ae6d5 Fixes #8364 and #8357 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/8438) | 07 March 2019, 22:36:55 UTC |
| d5e37fc | Matt Caswell | 05 March 2019, 13:26:45 UTC | Avoid an underflow in ecp_nistp521.c The function felem_diff_128_64 in ecp_nistp521.c substracts the number |in| from |out| mod p. In order to avoid underflow it first adds 32p mod p (which is equivalent to 0 mod p) to |out|. The comments and variable naming suggest that the original author intended to add 64p mod p. In fact it has been shown that with certain unusual co-ordinates it is possible to cause an underflow in this function when only adding 32p mod p while performing a point double operation. By changing this to 64p mod p the underflow is avoided. It turns out to be quite difficult to construct points that satisfy the underflow criteria although this has been done and the underflow demonstrated. However none of these points are actually on the curve. Finding points that satisfy the underflow criteria and are also *on* the curve is considered significantly more difficult. For this reason we do not believe that this issue is currently practically exploitable and therefore no CVE has been assigned. This only impacts builds using the enable-ec_nistp_64_gcc_128 Configure option. With thanks to Bo-Yin Yang, Billy Brumley and Dr Liu for their significant help in investigating this issue. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8405) (cherry picked from commit 13fbce17fc9f02e2401fc3868f3f8e02d6647e5f) | 07 March 2019, 14:53:28 UTC |
| 56ff0f6 | Matt Caswell | 26 February 2019, 14:21:45 UTC | Prepare for 1.0.2s-dev Reviewed-by: Richard Levitte <levitte@openssl.org> | 26 February 2019, 14:21:45 UTC |
| b34cf4e | Matt Caswell | 26 February 2019, 14:20:55 UTC | Prepare for 1.0.2r release Reviewed-by: Richard Levitte <levitte@openssl.org> | 26 February 2019, 14:20:55 UTC |
| 28c43df | Matt Caswell | 26 February 2019, 10:21:24 UTC | Updates CHANGES and NEWS for the new release Reviewed-by: Richard Levitte <levitte@openssl.org> | 26 February 2019, 14:13:05 UTC |
| 48c8bcf | Matt Caswell | 20 February 2019, 14:21:36 UTC | Clarify that SSL_shutdown() must not be called after a fatal error Follow on from CVE-2019-1559 Reviewed-by: Richard Levitte <levitte@openssl.org> | 26 February 2019, 14:13:05 UTC |
| e9bbefb | Matt Caswell | 14 December 2018, 07:28:30 UTC | Go into the error state if a fatal alert is sent or received If an application calls SSL_shutdown after a fatal alert has occured and then behaves different based on error codes from that function then the application may be vulnerable to a padding oracle. CVE-2019-1559 Reviewed-by: Richard Levitte <levitte@openssl.org> | 26 February 2019, 14:13:05 UTC |
| c81f169 | Matt Caswell | 26 February 2019, 14:07:28 UTC | Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8348) | 26 February 2019, 14:11:34 UTC |
| b250f2a | Matt Caswell | 25 February 2019, 11:28:32 UTC | Ensure bn_cmp_words can handle the case where n == 0 Thanks to David Benjamin who reported this, performed the analysis and suggested the patch. I have incorporated some of his analysis in the comments below. This issue can cause an out-of-bounds read. It is believed that this was not reachable until the recent "fixed top" changes. Analysis has so far only identified one code path that can encounter this - although it is possible that others may be found. The one code path only impacts 1.0.2 in certain builds. The fuzzer found a path in RSA where iqmp is too large. If the input is all zeros, the RSA CRT logic will multiply a padded zero by iqmp. Two mitigating factors: - Private keys which trip this are invalid (iqmp is not reduced mod p). Only systems which take untrusted private keys care. - In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp, so the bug is only reproducible in 1.0.2 so far. Fortunately, the bug appears to be relatively harmless. The consequences of bn_cmp_word's misbehavior are: - OpenSSL may crash if the buffers are page-aligned and the previous page is non-existent. - OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they are equal. - Side channel concerns. The first is indeed a concern and is a DoS bug. The second is fine in this context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1) in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or a1 - a0. The third would be worth thinking about, but it is overshadowed by the entire Karatsuba implementation not being constant time. Due to the difficulty of tripping this and the low impact no CVE is felt necessary for this issue. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8326) (cherry picked from commit 576129cd72ae054d246221f111aabf42b9c6d76d) | 25 February 2019, 16:37:52 UTC |
| 9acdddf | Nicola Tuveri | 08 February 2019, 10:42:25 UTC | Clear BN_FLG_CONSTTIME on BN_CTX_get() (cherry picked from commit c8147d37ccaaf28c430d3fb45a14af36597e48b8) Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8295) | 20 February 2019, 21:02:09 UTC |
| d769ce0 | Nicola Tuveri | 11 February 2019, 22:37:25 UTC | Test for constant-time flag leakage in BN_CTX This commit adds a simple unit test to make sure that the constant-time flag does not "leak" among BN_CTX frames: - test_ctx_consttime_flag() initializes (and later frees before returning) a BN_CTX object, then it calls in sequence test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same BN_CTX object. - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame before ending it. - test_ctx_check_ct_flag() then starts a new frame and gets a number of BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new frame should have BN_FLG_CONSTTIME set. In actual BN_CTX usage inside libcrypto the leak could happen at any depth level in the BN_CTX stack, with varying results depending on the patterns of sibling trees of nested function calls sharing the same BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the called BN_* functions. This simple unit test abstracts away this complexity and verifies that the leak does not happen between two sibling functions sharing the same BN_CTX object at the same level of nesting. (manually cherry picked from commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282) Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8295) | 20 February 2019, 20:57:19 UTC |
| e30dfbe | Richard Levitte | 18 February 2019, 20:47:33 UTC | Move stray POD file into the fold Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/8273) | 18 February 2019, 20:47:33 UTC |
| 3077dd4 | Corinna Vinschen | 15 February 2019, 11:22:07 UTC | cygwin: drop explicit O_TEXT Cygwin binaries should not enforce text mode these days, just use text mode if the underlying mount point requests it CLA: trivial Signed-off-by: Corinna Vinschen <vinschen@redhat.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8249) | 15 February 2019, 16:44:28 UTC |
| fff469b | Richard Levitte | 12 December 2018, 10:22:52 UTC | test/evp_test.c: use EVP_DecryptUpdate when decrypting, even for AAD Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7856) | 15 January 2019, 17:32:36 UTC |
| 7ab24d9 | Richard Levitte | 10 December 2018, 09:23:01 UTC | make update Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7856) | 15 January 2019, 17:32:36 UTC |
| cfa9a7c | Richard Levitte | 10 December 2018, 09:18:10 UTC | Prevent calling decryption in an encryption context and vice versa Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7856) | 15 January 2019, 17:32:36 UTC |
| eed51aa | Matt Caswell | 02 January 2019, 17:05:27 UTC | make update Reviewed-by: Paul Yang <yang.yang@baishancloud.com> (Merged from https://github.com/openssl/openssl/pull/7974) | 03 January 2019, 09:33:25 UTC |
| 668d643 | Richard Levitte | 15 December 2018, 10:06:00 UTC | Makefile.org: prevent .bak files to become part of the tarball Fixes #7903 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7910) | 15 December 2018, 10:12:45 UTC |
| ab061e7 | Dr. Matthias St. Pierre | 12 December 2018, 06:38:07 UTC | doc/man3: remove copy&paste leftover Fixes #7883 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7884) (cherry picked from commit 00eb879f74971e3c048286ef44f6f544676f90d7) | 12 December 2018, 19:05:14 UTC |
| 4960e84 | Tobias Stoeckmann | 11 December 2018, 19:34:21 UTC | Fixed typo (vi leftover). There was a trailing :w at a line, which didn't make sense in context of the sentence/styling. Removed it, because I think it's a leftover vi command. CLA: trivial Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7875) (cherry picked from commit 143b631639f95822e5e00768254fa35c787f6396) | 12 December 2018, 09:41:32 UTC |
| e42e531 | Richard Levitte | 07 December 2018, 08:26:04 UTC | Make EVP_PKEY_asn1_add0() stricter about its input It turns out that the strictness that was implemented in EVP_PKEY_asn1_new() (see Github openssl/openssl#6880) was badly placed for some usages, and that it's better to do this check only when the method is getting registered. Fixes #7758 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7847) (cherry picked from commit a86003162138031137727147c9b642d99db434b1) | 07 December 2018, 11:06:04 UTC |
| 110ef88 | Andy Polyakov | 14 September 2018, 15:24:13 UTC | rsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time. Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding if nul delimiter is preceded by 8 consecutive 0x03 bytes. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 603221407ddc6404f8c417c6beadebf84449074c) Resolved conflicts: crypto/rsa/rsa_ssl.c (Merged from https://github.com/openssl/openssl/pull/7737) | 06 December 2018, 11:18:35 UTC |
| b29b91b | Andy Polyakov | 06 September 2018, 19:54:23 UTC | rsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP. And make RSAErr call unconditional. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 75f5e944be97f28867e7c489823c889d89d0bd06) Resolved conflicts: crypto/rsa/rsa_oaep.c (Merged from https://github.com/openssl/openssl/pull/7737) | 06 December 2018, 11:18:35 UTC |
| 47f8fba | Andy Polyakov | 01 September 2018, 10:00:33 UTC | rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2. And make RSAErr call unconditional. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c) Resolved conflicts: crypto/rsa/rsa_pk1.c (Merged from https://github.com/openssl/openssl/pull/7737) | 06 December 2018, 11:18:35 UTC |
| 3b776fd | Andy Polyakov | 30 November 2018, 20:07:18 UTC | rsa/rsa_eay.c: make RSAerr call in rsa_ossl_private_decrypt unconditional. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 89072e0c2a483f2ad678e723e112712567b0ceb1) (Merged from https://github.com/openssl/openssl/pull/7737) | 06 December 2018, 11:18:35 UTC |
| 8db50d6 | Andy Polyakov | 01 September 2018, 10:19:30 UTC | err/err.c: add err_clear_last_constant_time. Expected usage pattern is to unconditionally set error and then wipe it if there was no actual error. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit f658a3b64d8750642f4975090740865f770c2a1b) Resolved conflicts: crypto/err/err.c crypto/constant_time_locl.h (Merged from https://github.com/openssl/openssl/pull/7737) | 06 December 2018, 11:18:35 UTC |
| 0235443 | Richard Levitte | 03 December 2018, 09:57:01 UTC | Docs fixup: some man3 pages had unindented code in SYNOPSIS Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7744) (cherry picked from commit 7b4a3515a4ddb567d48000e61d7cb640d0c5f261) | 03 December 2018, 10:50:27 UTC |
| 63262bd | David Woodhouse | 16 October 2018, 14:59:46 UTC | Honour mandatory digest on private key in tls1_process_sigalgs() If the private key says it can only support one specific digest, then don't ask it to perform a different one. Fixes: #7348 (cherry picked from commit 2d263a4a73f852005b16359873475d48755999ad and reworked for 1.0.2) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7610) | 24 November 2018, 07:01:07 UTC |
| cf68eb3 | David Woodhouse | 16 October 2018, 14:41:17 UTC | Stop marking default digest for EC keys as mandatory ASN1_PKEY_CTRL_DEFAULT_MD_NID is documented to return 2 for a mandatory digest algorithm, when the key can't support any others. That isn't true here, so return 1 instead. Partially fixes #7348 (cherry picked from commit eb7eb1378cd15c4652884b3701d4c0ef27b5b8a6) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7610) | 24 November 2018, 07:00:25 UTC |
| 23bfb5b | Andy Polyakov | 07 November 2018, 21:07:22 UTC | rsa/rsa_eay.c: cache MONT_CTX for public modulus earlier. Blinding is performed more efficiently and securely if MONT_CTX for public modulus is available by the time blinding parameter are instantiated. So make sure it's the case. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (manually cherry picked from commit 2cc3f68cde77af23c61fbad65470602ee86f2575) (Merged from https://github.com/openssl/openssl/pull/7586) | 23 November 2018, 12:05:16 UTC |
| 8bfde25 | Richard Levitte | 22 November 2018, 10:05:31 UTC | VMS: ensure x509_time_test is built A lacking DCL variable to indicate where it's located was missing. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7685) | 22 November 2018, 10:05:31 UTC |
| 49d07eb | Matt Caswell | 20 November 2018, 13:46:11 UTC | Prepare for 1.0.2r-dev Reviewed-by: Richard Levitte <levitte@openssl.org> | 20 November 2018, 13:46:11 UTC |
| 5707219 | Matt Caswell | 20 November 2018, 13:45:20 UTC | Prepare for 1.0.2q release Reviewed-by: Richard Levitte <levitte@openssl.org> | 20 November 2018, 13:45:20 UTC |
| d98ff54 | Matt Caswell | 20 November 2018, 13:45:20 UTC | make update Reviewed-by: Richard Levitte <levitte@openssl.org> | 20 November 2018, 13:45:20 UTC |
| 8ea1672 | Matt Caswell | 20 November 2018, 13:23:36 UTC | Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7671) | 20 November 2018, 13:29:53 UTC |
| 548cce6 | Matt Caswell | 20 November 2018, 10:52:53 UTC | Update CHANGES and NEWS for new release Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7667) | 20 November 2018, 11:57:17 UTC |
| d88ff89 | Richard Levitte | 20 November 2018, 11:11:38 UTC | VMS: ensure crypto/getenv.c is included in the build Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7665) | 20 November 2018, 11:47:40 UTC |
| 84b4759 | Vitezslav Cizek | 25 October 2018, 11:53:26 UTC | DSA: Check for sanity of input parameters dsa_builtin_paramgen2 expects the L parameter to be greater than N, otherwise the generation will get stuck in an infinite loop. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (cherry picked from commit 3afd38b277a806b901e039c6ad281c5e5c97ef67) (Merged from https://github.com/openssl/openssl/pull/7493) | 14 November 2018, 12:09:41 UTC |
| b18162a | Billy Brumley | 08 November 2018, 11:57:54 UTC | CVE-2018-5407 fix: ECC ladder Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7593) | 12 November 2018, 14:00:30 UTC |
| 59b9c67 | Dr. Matthias St. Pierre | 09 November 2018, 20:37:38 UTC | Fix 'no-ecdh' build Fixes #3302 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7606) | 09 November 2018, 23:45:24 UTC |
| f1e5009 | Matt Caswell | 16 October 2018, 16:08:11 UTC | Properly handle duplicated messages from the next epoch Since 3884b47b7c we may attempt to buffer a record from the next epoch that has already been buffered. Prior to that this never occurred. We simply ignore a failure to buffer a duplicated record. Fixes #6902 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7415) | 02 November 2018, 10:00:14 UTC |
| 880d1c7 | Pauli | 31 October 2018, 22:44:11 UTC | Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) | 01 November 2018, 22:18:20 UTC |
| ebf65db | Pauli | 28 October 2018, 21:18:09 UTC | Merge to 1.0.2: DSA mod inverse fix. There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7512) | 29 October 2018, 21:30:12 UTC |
| 43e6a58 | Pauli | 28 October 2018, 22:24:22 UTC | Merge DSA reallocation timing fix CVE-2018-0734. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7513) | 28 October 2018, 22:24:22 UTC |
| 896e8c5 | Dr. Matthias St. Pierre | 18 October 2018, 21:17:46 UTC | md_rand.c: don't stop polling until properly initialized Previously, the RNG sets `initialized=1` after the first call to RAND_poll(), although its criterion for being initialized actually is whether condition `entropy >= ENTROPY_NEEDED` is true. This commit now assigns `initialized=(entropy >= ENTROPY_NEEDED)`, which has the effect that on the next call, RAND_poll() will be called again, if it previously failed to obtain enough entropy. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7439) | 18 October 2018, 21:46:31 UTC |
| 35cf781 | Viktor Dukhovni | 08 October 2018, 16:05:14 UTC | Apply self-imposed path length also to root CAs Also, some readers of the code find starting the count at 1 for EE cert confusing (since RFC5280 counts only non-self-issued intermediate CAs, but we also counted the leaf). Therefore, never count the EE cert, and adjust the path length comparison accordinly. This may be more clear to the reader. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6) | 18 October 2018, 04:43:52 UTC |
| c8ce9e5 | Viktor Dukhovni | 05 October 2018, 03:53:01 UTC | Only CA certificates can be self-issued At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph of above https://tools.ietf.org/html/rfc5280#section-3.3), we see: This specification covers two classes of certificates: CA certificates and end entity certificates. CA certificates may be further divided into three classes: cross-certificates, self-issued certificates, and self-signed certificates. Cross-certificates are CA certificates in which the issuer and subject are different entities. Cross-certificates describe a trust relationship between the two CAs. Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations. Self- signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate. Self-signed certificates are used to convey a public key for use to begin certification paths. End entity certificates are issued to subjects that are not authorized to issue certificates. that the term "self-issued" is only applicable to CAs, not end-entity certificates. In https://tools.ietf.org/html/rfc5280#section-4.2.1.9 the description of path length constraints says: The pathLenConstraint field is meaningful only if the cA boolean is asserted and the key usage extension, if present, asserts the keyCertSign bit (Section 4.2.1.3). In this case, it gives the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. (Note: The last certificate in the certification path is not an intermediate certificate, and is not included in this limit. Usually, the last certificate is an end entity certificate, but it can be a CA certificate.) This makes it clear that exclusion of self-issued certificates from the path length count applies only to some *intermediate* CA certificates. A leaf certificate whether it has identical issuer and subject or whether it is a CA or not is never part of the intermediate certificate count. The handling of all leaf certificates must be the same, in the case of our code to post-increment the path count by 1, so that we ultimately reach a non-self-issued intermediate it will be the first one (not zeroth) in the chain of intermediates. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f) | 18 October 2018, 04:40:44 UTC |
| b1016c9 | Andy Polyakov | 05 September 2018, 12:33:21 UTC | rsa/rsa_ossl.c: fix and extend commentary [skip ci]. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7123) (cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849) | 12 October 2018, 20:38:10 UTC |
| 6be3286 | Andy Polyakov | 23 September 2018, 14:38:11 UTC | util/domd: omit superfluous shift in -MD handling. While reviewing last modification in GH#6261 Richard actually spotted the inconsistency, but withdrew the remark, correct one in aftermath... Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7298) | 12 October 2018, 18:46:44 UTC |
| fff1da4 | Nicola Tuveri | 06 September 2018, 21:44:36 UTC | Access `group->mont_data` conditionally in EC_GROUP_set_generator() It appears that, in FIPS mode, `ec_precompute_mont_data()` always failed but the error was ignored until commit e3ab8cc from #6810. The actual problem lies in the fact that access to the `mont_data` field of an `EC_GROUP` struct should always be guarded by an `EC_GROUP_VERSION(group)` check to avoid OOB accesses, because `group` might come from the FIPS module, which does not define the `mont_data` field inside the EC_GROUP structure. This commit adds the required check before any access to `group->mont_data` in `EC_GROUP_set_generator()`. Fixes #7127 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7135) | 02 October 2018, 10:46:02 UTC |
| 788d2fa | Pauli | 24 September 2018, 04:06:45 UTC | Merge 1.0.2 setuid calls to getenv(3) safety. Manual merge of #7047 to 1.0.2-stable. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/7300) | 26 September 2018, 23:26:35 UTC |
| 2b87256 | Manikantan Subramanian | 18 September 2018, 01:54:13 UTC | Use gethostbyname_r if available Fixes #7228 The function BIO_get_host_ip uses gethostbyname, which is not thread safe and hence we grab a lock. In multi-threaded applications, this lock sometimes causes performance bottlenecks. This patch uses the function gethostbyname_r (thread safe version), when available. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7250) | 26 September 2018, 06:37:59 UTC |
