| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the BN_hex2bn function the number of hex digits is calculated using
an int value |i|. Later |bn_expand| is called with a value of |i * 4|.
For large values of |i| this can result in |bn_expand| not allocating any
memory because |i * 4| is negative. This leaves ret->d as NULL leading
to a subsequent NULL ptr deref. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than |i|. In this
case memory is allocated to ret->d, but it is insufficiently sized
leading to heap corruption. A similar issue exists in BN_dec2bn.
This could have security consequences if BN_hex2bn/BN_dec2bn is ever
called by user applications with very large untrusted hex/dec data. This is
anticipated to be a rare occurrence.
All OpenSSL internal usage of this function uses data that is not expected
to be untrusted, e.g. config file data or application command line
arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be a rare.
Issue reported by Guido Vranken.
CVE-2016-0797
Reviewed-by: Andy Polyakov <appro@openssl.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The entire contents of <internal/bn_conf.h> are unwanted in the UEFI
build because we have to do it differently there. To support building
for both 32-bit and 64-bit platforms without re-running the OpenSSL
Configure script, the EDK2 environment defines THIRTY_TWO_BIT or
SIXTY_FOUR_BIT for itself according to the target platform.
The current setup is broken, though. It checks for OPENSSL_SYS_UEFI but
before it's actually defined, since opensslconf.h hasn't yet been
included.
Let's fix that by including opensslconf.h. And also let's move the
bn_conf.h doesn't even need to *exist* in the UEFI build environment.
This is also GH PR736.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
| |
|
|
|
|
|
|
| |
There was an unused macro in ssl_locl.h that used an internal
type, so I removed it.
Move bio_st from bio.h to ossl_type.h
Reviewed-by: Andy Polyakov <appro@openssl.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This was done by the following
find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
print unless $. == 1 && m@/\* .*\.[ch] \*/@;
close ARGV if eof; # Close file to reset $.
And then some hand-editing of other files.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
|
| |
|
|
|
|
|
|
| |
Move opensslconf.h.in to include/openssl.
Split off DES,BN,RC4 stuff into separate header file
templates in crypto/include/internal/*_conf.h.in
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
| |
|
|
|
|
| |
Rename it to be an internal function bn_init.
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
| |
|
|
|
|
|
| |
All instances of SSLeay (any combination of case) were replaced with
the case-equivalent OpenSSL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
| |
|
|
|
|
| |
RT#3859
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
| |
|
|
|
|
|
|
| |
Just as with the OPENSSL_malloc calls, consistently use sizeof(*ptr)
for memset and memcpy. Remove needless casts for those functions.
For memset, replace alternative forms of zero with 0.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
| |
|
|
|
|
|
| |
Ensure RAND_bytes return value is checked correctly, and that we no longer
use RAND_pseudo_bytes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
| |
|
|
| |
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
| |
|
|
|
|
|
| |
indent will not alter them when reformatting comments
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
| |
|
|
|
|
|
| |
The temporary variable causes unused variable warnings in opt mode with clang,
because the subsequent assert is compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| |
|
|
| |
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
| |
|
|
| |
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
| |
|
|
| |
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
| |
|
|
|
|
|
|
| |
Generates a number coprime to 2, 3, 5, 7, 11.
Speed:
Trial div (add) : trial div (retry) : coprime
1 : 0.42 : 0.84
|
| |
|
|
| |
~2% speed improvement on trial division.
|
| |
|
|
|
|
| |
or 5.
Possibly some reduction in bias, but no speed gains.
|
| | |
|
| | |
|
| |
|
|
| |
assembler.
|
| | |
|
| |
|
|
| |
need to inspect error queue.
|
| |
|
|
|
|
| |
crypto/bn/asm/mips3.s from IRIX. Performance improvement is not as
impressive as with complete assembler, but still... it's almost 2.5x
[on R5000].
|
| |
|
|
|
|
| |
knock-on work than expected - they've been extracted into a patch
series that can be completed elsewhere, or in a different branch,
before merging back to HEAD.
|
| |
|
|
| |
not used.
|
| | |
|
| | |
|
| |
|
|
| |
it from mkdef.pl.
|
| |
|
|
| |
EMT64T will hardly exhibit better performance...
|
| |
|
|
|
|
|
|
|
|
|
|
| |
timing attacks.
BN_FLG_EXP_CONSTTIME requests this algorithm, and this done by default for
RSA/DSA/DH private key computations unless
RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/
DH_FLAG_NO_EXP_CONSTTIME is set.
Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
|
| |
|
|
|
|
|
|
| |
redefine bn_clear_top2max() to be a NOP in the non-debugging case, and
remove some unnecessary usages in bn_nist.c.
Submitted by: Nils Larsch
Reviewed by: Geoff Thorpe, Ulf Möller
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
which, in turn, are used nowhere at all. This is a good thing because
bn_set_max() would currently generate code that wouldn't compile (BIGNUM
has no 'max' element).
The only apparent use for bn_set_[low|high] would be for implementing
windowing algorithms, and all of openssl's seem to use bn_***_words()
helpers instead (including the BN_div() that Nils fixed recently, which had
been using independently-coded versions of what these unused macros are
intended for). I'm therefore consigning these macros to cvs oblivion in the
name of readability.
|
| |
|
|
|
|
| |
is itself experimental, and in addition may cause execution to break on
existing openssl "bugs" that previously were harmless or at least
invisible.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
except internally to the allocator BN_CTX_new(), as such this deprecates
the use of BN_CTX_init() in the API. Moreover, the structure definition of
BN_CTX is taken out of bn_lcl.h and moved into bn_ctx.c itself.
NDEBUG should probably only be "forced" in the top-level configuration, but
until it is I will avoid removing it from bn_ctx.c which might surprise
people with massive slow-downs in their keygens. So I've left it in
bn_ctx.c but tidied up the preprocessor logic a touch and made it more
tolerant of debugging efforts.
|
| |
|
|
|
| |
irix-mips. The bug was introduced with accelerated support for x86_64.
My fault! Fixed now.
|
| | |
|
| |
|
|
| |
Submitted by: Nils Larsch
|
| |
|
|
| |
create new lock CRYPTO_LOCK_BN to avoid race condition
|
| |
|
|
| |
Submitted by: Nils Larsch
|
| |
|
|
| |
multiplication of an arbitrary number of points.
|
| |
|
|
| |
Incease the number of BIGNUMs in a BN_CTX.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.
I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
course, that means we need to handle the cases where the two arrays to
bn_mul_recursive() and bn_mul_part_recursive() differ in size.
I haven't yet changed the comments that describe bn_mul_recursive()
and bn_mul_part_recursive(). I want this to be tested by more people
before I consider this change final. Please test away!
|
| | |
|
| | |
|
| | |
|
| | |
|
