1. 10 8月, 2021 1 次提交
  2. 27 2月, 2020 1 次提交
  3. 28 9月, 2019 1 次提交
  4. 09 9月, 2019 1 次提交
  5. 24 7月, 2019 1 次提交
  6. 28 5月, 2019 1 次提交
  7. 27 3月, 2019 1 次提交
    • J
      Increase rounds of Miller-Rabin testing DH_check · af6ce3b4
      Jake Massimo 提交于
      DH_check is used to test the validity of Diffie-Hellman parameter sets (p, q, g). Among the tests performed are primality tests on p and q, for this BN_is_prime_ex is called with the rounds of Miller-Rabin set as default. This will therefore use the average case error estimates derived from the function BN_prime_checks_for_size based on the bit size of the number tested.
      
      However, these bounds are only accurate on testing random input. Within this testing scenario, where we are checking the validity of a DH parameter set, we can not assert that these parameters are randomly generated. Thus we must treat them as if they are adversarial in nature and increase the rounds of Miller-Rabin performed.
      
      Generally, each round of Miller-Rabin can declare a composite number prime with probability at most (1/4), thus 64 rounds is sufficient in thwarting known generation techniques (even in safe prime settings - see https://eprint.iacr.org/2019/032 for full analysis). The choice of 64 rounds is also consistent with SRP_NUMBER_ITERATIONS_FOR_PRIME 64 as used in srp_Verify_N_and_g in openssl/apps/s_client.c.
      Reviewed-by: NPaul Dale <paul.dale@oracle.com>
      Reviewed-by: NMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/8593)
      
      (cherry picked from commit 2500c093aa1e9c90c11c415053c0a27a00661d0d)
      af6ce3b4
  8. 19 3月, 2019 1 次提交
  9. 20 11月, 2017 1 次提交
  10. 18 10月, 2017 1 次提交
  11. 26 6月, 2017 1 次提交
  12. 26 1月, 2017 1 次提交
  13. 25 1月, 2017 1 次提交
  14. 25 6月, 2016 2 次提交
  15. 18 5月, 2016 1 次提交
  16. 09 4月, 2016 1 次提交
  17. 29 1月, 2016 1 次提交
  18. 28 1月, 2016 1 次提交
    • M
      Prevent small subgroup attacks on DH/DHE · b128abc3
      Matt Caswell 提交于
      Historically OpenSSL only ever generated DH parameters based on "safe"
      primes. More recently (in version 1.0.2) support was provided for
      generating X9.42 style parameter files such as those required for RFC
      5114 support. The primes used in such files may not be "safe". Where an
      application is using DH configured with parameters based on primes that
      are not "safe" then an attacker could use this fact to find a peer's
      private DH exponent. This attack requires that the attacker complete
      multiple handshakes in which the peer uses the same DH exponent.
      
      A simple mitigation is to ensure that y^q (mod p) == 1
      
      CVE-2016-0701
      
      Issue reported by Antonio Sanso.
      Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
      b128abc3
  19. 27 1月, 2016 1 次提交
    • R
      Remove /* foo.c */ comments · 34980760
      Rich Salz 提交于
      This was done by the following
              find . -name '*.[ch]' | /tmp/pl
      where /tmp/pl is the following three-line script:
              print unless $. == 1 && m@/\* .*\.[ch] \*/@;
              close ARGV if eof; # Close file to reset $.
      
      And then some hand-editing of other files.
      Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
      34980760
  20. 14 5月, 2015 1 次提交
  21. 01 5月, 2015 1 次提交
    • R
      free NULL cleanup 7 · 23a1d5e9
      Rich Salz 提交于
      This gets BN_.*free:
          BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free
          BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free
      
      Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd
      dead code in engines/e_ubsec.
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      23a1d5e9
  22. 04 2月, 2015 1 次提交
  23. 22 1月, 2015 1 次提交
  24. 31 12月, 2014 1 次提交
  25. 06 3月, 2014 1 次提交
  26. 02 12月, 2011 1 次提交
  27. 24 9月, 2007 1 次提交
    • L
      Typos · 5f0477f4
      Lutz Jänicke 提交于
      PR: 1578
      Submitted by: Charles Longeau <chl@tuxfamily.org>
      5f0477f4
  28. 22 8月, 2005 1 次提交
  29. 08 12月, 2002 1 次提交
    • G
      This is a first-cut at improving the callback mechanisms used in · e9224c71
      Geoff Thorpe 提交于
      key-generation and prime-checking functions. Rather than explicitly passing
      callback functions and caller-defined context data for the callbacks, a new
      structure BN_GENCB is defined that encapsulates this; a pointer to the
      structure is passed to all such functions instead.
      
      This wrapper structure allows the encapsulation of "old" and "new" style
      callbacks - "new" callbacks return a boolean result on the understanding
      that returning FALSE should terminate keygen/primality processing.  The
      BN_GENCB abstraction will allow future callback modifications without
      needing to break binary compatibility nor change the API function
      prototypes. The new API functions have been given names ending in "_ex" and
      the old functions are implemented as wrappers to the new ones.  The
      OPENSSL_NO_DEPRECATED symbol has been introduced so that, if defined,
      declaration of the older functions will be skipped. NB: Some
      openssl-internal code will stick with the older callbacks for now, so
      appropriate "#undef" logic will be put in place - this is in case the user
      is *building* openssl (rather than *including* its headers) with this
      symbol defined.
      
      There is another change in the new _ex functions; the key-generation
      functions do not return key structures but operate on structures passed by
      the caller, the return value is a boolean. This will allow for a smoother
      transition to having key-generation as "virtual function" in the various
      ***_METHOD tables.
      e9224c71
  30. 07 11月, 2000 1 次提交
  31. 23 1月, 2000 1 次提交
  32. 12 1月, 2000 1 次提交
  33. 24 4月, 1999 1 次提交
  34. 20 4月, 1999 1 次提交
  35. 21 12月, 1998 2 次提交