1. 08 11月, 2019 1 次提交
  2. 03 9月, 2019 1 次提交
  3. 14 6月, 2019 1 次提交
  4. 30 5月, 2019 1 次提交
  5. 28 5月, 2019 1 次提交
  6. 27 5月, 2019 1 次提交
  7. 20 4月, 2019 1 次提交
    • G
      TicketNo:AR000C11BK · 17ac3fa9
      g00368537 提交于
      Description: Prevent over long nonces in ChaCha20-Poly1305
      
      ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
      every encryption operation. RFC 7539 specifies that the nonce value (IV)
      should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
      front pads the nonce with 0 bytes if it is less than 12 bytes. However it
      also incorrectly allows a nonce to be set of up to 16 bytes. In this case
      only the last 12 bytes are significant and any additional leading bytes are
      ignored.
      
      It is a requirement of using this cipher that nonce values are unique.
      Messages encrypted using a reused nonce value are susceptible to serious
      confidentiality and integrity attacks. If an application changes the
      default nonce length to be longer than 12 bytes and then makes a change to
      the leading bytes of the nonce expecting the new value to be a new unique
      nonce then such an application could inadvertently encrypt messages with a
      reused nonce.
      
      Additionally the ignored bytes in a long nonce are not covered by the
      integrity guarantee of this cipher. Any application that relies on the
      integrity of these ignored leading bytes of a long nonce may be further
      affected.
      
      Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
      because no such use sets such a long nonce value. However user
      applications that use this cipher directly and set a non-default nonce
      length to be longer than 12 bytes may be vulnerable.
      
      CVE-2019-1543
      
      Team:PDU_DRV
      Feature or Bugfix:Feature
      Binary Source:No
      PrivateCode(Yes/No):No
      
      Change-Id: I5085b1e79835cfae4d7122311d857c09a14e2420
      Reviewed-on: http://mgit-tm.rnd.huawei.com/4573465Tested-by: Npublic jenkins <public_jenkins@notesmail.huawei.com>
      Reviewed-by: Nwangyanbo 00291255 <wangyanbo3@huawei.com>
      Reviewed-by: Nxiaofuzhou 00203296 <xiaofuzhou@huawei.com>
      17ac3fa9
  8. 18 4月, 2019 1 次提交
  9. 20 11月, 2018 4 次提交
  10. 19 11月, 2018 1 次提交
  11. 16 11月, 2018 2 次提交
  12. 15 11月, 2018 1 次提交
  13. 14 11月, 2018 6 次提交
  14. 13 11月, 2018 1 次提交
    • V
      Added missing signature algorithm reflection functions · 45f24725
      Viktor Dukhovni 提交于
          SSL_get_signature_nid()      -- local signature algorithm
          SSL_get_signature_type_nid() -- local signature algorithm key type
          SSL_get_peer_tmp_key()       -- Peer key-exchange public key
          SSL_get_tmp_key              -- local key exchange public key
      
      Aliased pre-existing SSL_get_server_tmp_key(), which was formerly
      just for clients, to SSL_get_peer_tmp_key().  Changed internal
      calls to use the new name.
      Reviewed-by: NMatt Caswell <matt@openssl.org>
      45f24725
  15. 12 11月, 2018 8 次提交
  16. 11 11月, 2018 1 次提交
  17. 10 11月, 2018 2 次提交
  18. 09 11月, 2018 5 次提交
  19. 08 11月, 2018 1 次提交
    • D
      rand_unix.c: open random devices on first use only · abf58ed3
      Dr. Matthias St. Pierre 提交于
      Commit c7504aeb (pr #6432) fixed a regression for applications in
      chroot environments, which compensated the fact that the new OpenSSL CSPRNG
      (based on the NIST DRBG) now reseeds periodically, which the previous
      one didn't. Now the reseeding could fail in the chroot environment if the
      DEVRANDOM devices were not present anymore and no other entropy source
      (e.g. getrandom()) was available.
      
      The solution was to keep the file handles for the DEVRANDOM devices open
      by default. In fact, the fix did more than this, it opened the DEVRANDOM
      devices early and unconditionally in rand_pool_init(), which had the
      unwanted side effect that the devices were opened (and kept open) even
      in cases when they were not used at all, for example when the getrandom()
      system call was available. Due  to a bug (issue #7419) this even happened
      when the feature was disabled by the application.
      
      This commit removes the unconditional opening of all DEVRANDOM devices.
      They will now only be opened (and kept open) on first use. In particular,
      if getrandom() is available, the handles will not be opened unnecessarily.
      
      This change does not introduce a regression for applications compiled for
      libcrypto 1.1.0, because the SSLEAY RNG also seeds on first use. So in the
      above constellation the CSPRNG will only be properly seeded if it is happens
      before the forking and chrooting.
      
      Fixes #7419
      Reviewed-by: NPaul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/7437)
      
      (cherry picked from commit 8cfc19716c22dac737ec8cfc5f7d085e7c37f4d8)
      abf58ed3