(This is a pointer to a pull request:
https://github.com/openssl/openssl/pull/1027)
The “div_spoiler” was designed to always trigger the slow path division
on Intel chips and be sufficiently obfuscated to stop the compiler
optimising it away. It was always a huge hack but I didn't know the
correct
(Please note that credit for this goes to libFuzzer.)
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
The following code:
EVP_PKEY_free(d2i_AutoPrivateKey(NULL, &bufp, n));
Will leak memory when fed this input:
30390201023009060138080469303080301901029ff88b298030b01b060922be0804e930864886f70d3a0180093080060102308030013b020420308204e930c3e8300105308030013b01040202ff003029021103292902009930800
On Thu, Dec 11, 2014 at 3:30 PM, Adam Langley wrote:
> Thanks. So far that version is good to ~1B random tests. I'll leave it
> going until Monday.
It's good for ~6B random tests.
Of course, that's not as compelling for 64-bit code as it would be for
32-bit, but I think we can safely say that th
On Wed, Dec 10, 2014 at 10:05 AM, Andy Polyakov via RT wrote:
> Patching went wrong for you. As you seem to operate in 1.0.2 context
> attached is corresponding ecp_nistz256.pl.
Thanks. So far that version is good to ~1B random tests. I'll leave it
going until Monday.
Cheers
AGL
On Fri, Dec 5, 2014 at 6:33 AM, Andy Polyakov via RT wrote:
> Attached. A little bit worse performance on some CPUs. I also took
> opportunity to harmonize ecp_nistz256_from_mont by applying same pattern
> for reduction. The patch is cumulative, i.e. is not incremental to
> previously posted one[s
On Wed, Dec 3, 2014 at 10:12 AM, Andy Polyakov via RT wrote:
> Oops! Wrong patch! Correct one attached. If you feel like testing the
> wrong one, go ahead, but there are some later non-essential adjustments.
>
> diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
> index bf3fcc6..33b0
On Tue, Dec 2, 2014 at 12:33 PM, Adam Langley wrote:
> thanks! Was away last week and so didn't have a chance to try fixing this.
>
> I'll patch that it and run the tests against it.
I've run out of time tracking this down for today, but I got to the
point where setting the Jacobian coordinates:
On Mon, Dec 1, 2014 at 3:23 PM, Andy Polyakov via RT wrote:
>>> (Affects 1.0.2 only.)
>>>
>>> In crypto/ec/asm/ecp_nistz256-x86_64.pl, __ecp_nistz256_sqr_montq,
>>> under "Now the reduction" there are a number of comments saying
>>> "doesn't overflow". Unfortunately, they aren't correct.
>>
>> Got
(Affects 1.0.2 only.)
In crypto/ec/asm/ecp_nistz256-x86_64.pl, __ecp_nistz256_sqr_montq,
under "Now the reduction" there are a number of comments saying
"doesn't overflow". Unfortunately, they aren't correct.
Let f be a field element with value
5299826521937251913827731800957283452825748222386149
On Wed, Sep 24, 2014 at 7:52 AM, Emilia Käsper via RT wrote:
> If you'd like to verify that I didn't mess up the rewrite, that'd be great!
LGTM. Thanks! I'll have to steal that for BoringSSL :)
Cheers
AGL
__
OpenSSL Project
I think the above patch is good, but incomplete.
(As a niggle, it uses jl, which I think is correct because the
argument is signed, but the rest of the file is using jb. The best
answer would be to fix the file to use jl before applying it, but I've
used jb for consistency below.)
Once the crash
My last was a little premature. In order to prevent misbehavior in the
case where some field elements are less than 4 limbs long (including a
crash when dealing with the point at infinity), the following change
should also be applied.
Cheers
AGL
patch
Description: Binary data
On Mon, Aug 5, 2013 at 7:50 PM, Piotr Sikora wrote:
> While it cannot be enabled via ./config options, compiling OpenSSL
> with this define turned out to be extremely useful while adding ALPN
> support to 3rd-party software (i.e. to make sure that nothing in the
> added ALPN support relies on NPN
This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.
0011-premaster_constant_time.patch
Description: Binary data
This patch tweaks the OAEP padding check to be slightly more constant
time and rewrites the PKCS#1 v1.5 padding check to the same end.
0010-constant_time_rsa_padding.patch
Description: Binary data
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:
-BEGIN EC PRIVATE KEY-
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwE
Ensure that, when generating small primes, the result is actually of the
requested size. Fixes OpenSSL #2701.
This change does not address the cases of generating safe primes, or
where the |add| parameter is non-NULL.
0008-small_prime_generation.patch
Description: Binary data
Ensure that x**0 mod 1 = 0.
0007-exp_zero_mod_one.patch
Description: Binary data
Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.
Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I
Don't SEGFAULT when trying to export a public DSA key as a private key.
0005-dsa_crash.patch
Description: Binary data
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.
Reported by "oftc_must_be_destroyed" and George Kadianakis.
0004-empty_record_limit.patch
Description: Binary data
This change adds the option to calculate (EC)DSA nonces by hashing the
message and private key along with entropy to avoid leaking the
private key if the PRNG fails.
Note that this depends on the build fixes in
http://rt.openssl.org/Ticket/Display.html?id=3051
dsa_nonce.patch
Description: Binar
This patch fixes a couple of minor build issues on the current master
branch (8a97a330).
patch
Description: Binary data
On Thu, Feb 9, 2012 at 4:33 PM, Adam Langley wrote:
> This is my bad, I didn't realise that s_client had any calls in it.
> I'll fix it. (By fixing s_client I think).
Dear Ben, please see attached patch.
Cheers
AGL
patch
Description: Binary data
25 matches
Mail list logo