| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
| |
OpenSSL sends an empty record before each new data record in TLS v1.0
to randomize the IV, as a countermeasure to the BEAST attack. Most
implementations use 1/(n-1) splitting for this instead.
Bug introduced with the const time changes in 1.11.23
|
|
|
|
|
|
|
| |
Fixes GH #460
Closes GH #474
[ci skip]
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
[ci skip]
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove support for weak ECC curves (anything under P-256) from TLS.
This includes secp256k1 since we don't take advantage of the special
form for any performance advantage; might as well use P-256.
The manual still mentioned that it was possible to use MD5 in
Policy::allowed_macs, but all HMAC-MD5 suites are already removed.
|
| |
|
|\ |
|
| | |
|
| |
| |
| |
| |
| |
| | |
Add flags --policy, --print-certs, --tls1.0, --tls1.1, --tls1.2
Update todo
|
|\ \ |
|
| | |
| | |
| | |
| | | |
equivalent to mlock on Unix to prevent swapping out of memory
|
|/ / |
|
|/
|
|
| |
New key is signed with my existing key.
|
|
|
|
| |
[ci skip]
|
|
|
|
| |
[ci skip]
|
|
|
| |
When building for iOS, you want to build for all three architectures, so you can run your app on an iOS device and on the simulator.
|
| |
|
|
|
|
| |
[ci skip]
|
|
|
|
| |
[ci skip]
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The check on each individual size in curve_mul is too strict since
we rely on redc(x*1) during the on the curve computation.
Fix an off by one in ressol which caused it to occasionally reject
valid values.
Updating version 1.11.28 since existing 1.11.27 tag already pushed :(
Fix an off-by-one in ressol which would cause it to occasionly
give up too early.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If affine coordinates larger than the prime modulus were given,
a later multiplication could overflow the size of an allocated
output buffer, which was sized based on the size of the prime.
This will cause an overflow into either the system heap or if the
mlock/mmap pool allocator is in use, then into the adjacent key
material stored in the pool.
Reported by Alex Gaynor who found it with AFL
Also fix a one word overwrite in P-521 reduction. Found with AFL
|
|
|
|
|
|
|
| |
It first computed the first i for q**(2**i) == 1, then checked that i
was smaller than s. Given a composite modulus (for which the algorithm
does not work), the loop might do a very large amount of work before
returning the failure.
|
| |
|
|
|
|
| |
[ci skip]
|
| |
|
|
|
|
| |
[ci skip]
|
|
|
|
| |
Based on GH #362 by emilymaier
|
|
|
|
|
|
|
|
|
|
| |
Expose provider param in PK_Key_Agreement API
Handle multiple providers in key agreement tests
Fix some funky formatting of P-521 EC points in ecdh.vec which was
being rejected by OpenSSL; for whatever reason the CAVS file had
the affine coords with far more leading zeros than necessary.
|
|
|
|
|
|
|
| |
Has the same effect as using ctgrind, but without requiring a
custom-compiled valgrind binary.
Add ct checking annotations to the SSSE3 AES code.
|
|
|
|
| |
Interop tested with mbed TLS
|
|
|
|
|
|
| |
There was a special case for small scalars which managed to forget
that the integer 3 also fits into two bits. Found by adding a new set
of ECC point mul tests for the NIST curves.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It works on x86, but C says it is undefined and it makes UBSan
unhappy. Happily, this memcpy approach probably also works fine under
processors which previously used the byte-at-a-time approach such as
ARM. But for right now using memcpy here is still gated under the
processor alignment flags.
In my tests recent GCC and Clang seemed to produce basically identical
code for either approach when using -O3; I imagine most compilers
these days are very good at analyzing/inlining/unrolling memcpys.
Also remove the manually unrolled versions of xor_buf, which caused
problems with GCC and -O3 due to it vectorizing the loads into
(aligned) SSE2 loads, which would fail when a misaligned pointer was
passed. Which always seemed kind of bogus to me, but I guess that's
what undefined behavior is for. Enable -O3 for GCC.
With this change the test suite is clean under GCC ASan+UBSan and
Clang ASan+UBSan, with the exception of one failure due to a bug in
libstdc++ (GCC bug 60734) when compiled by Clang.
|
|
|
|
| |
Reported on the mailing list by Falko
|
| |
|
|
|
|
|
|
| |
Convert McEliece KEM to use it
Add RSA-KEM
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Calling memset, memmove, memcpy with an undefined or null pointer,
even with length zero, causes undefined behavior. Prevent that from
happening within the functions that call these dangerous things
since allowing a caller to pass length == 0 with null or just
past the end and not have things explode is nice.
Oh C, you so crazy.
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
Add support for Intel RdSeed instruction
|
| | |
|