openbsd/src/lib/libcrypto/dsa, branch OPENBSD_6_4

openbsd/src/lib/libcrypto/dsa, branch OPENBSD_6_4_BASE A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_6_4_BASE 2018-08-24T20:22:15+00:00 Add consts to EVP_PKEY_asn1_set_private() 2018-08-24T20:22:15+00:00 tb 2018-08-24T20:22:15+00:00 urn:sha1:b9a3c83c03543369636a655128b69d56eb619b83 Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way. tested in a bulk build by sthen ok jsing After removing support for broken PKCS#8 formats (it was high time), 2018-08-24T20:17:33+00:00 tb 2018-08-24T20:17:33+00:00 urn:sha1:4cdbdc5207fa48804d8ed3a7929a97ae5f9f466d we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there. tested in a bulk by sthen ok jsing Use a blinding value when generating a DSA signature, in order to reduce 2018-06-14T18:34:50+00:00 jsing 2018-06-14T18:34:50+00:00 urn:sha1:c24fe07c8a7f1dbb21f1b6ad11364215f3cf4827 the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok tb@ Clarify the digest truncation comment in DSA signature generation. 2018-06-14T18:03:59+00:00 jsing 2018-06-14T18:03:59+00:00 urn:sha1:4dee824e86c9654e9dbc65146920eb67b52beb36 Requested by and ok tb@ Pull up the code that converts the digest to a BIGNUM - this only needs 2018-06-14T17:15:41+00:00 jsing 2018-06-14T17:15:41+00:00 urn:sha1:2ec5f49426848de0651964f17c8d19871d7a34df to occur once and not be repeated if the signature generation has to be repeated. ok tb@ Fix a potential leak/incorrect return value in DSA signature generation. 2018-06-14T17:14:12+00:00 jsing 2018-06-14T17:14:12+00:00 urn:sha1:621b83e1f38529468073224266e98966e7f6eedb In the very unlikely case where we have to repeat the signature generation, the DSA_SIG return value has already been allocated. This will either result in a leak when we allocate again on the next iteration, or it will give a false success (with missing signature values) if any error occurs on the next iteration. ok tb@ Call DSA_SIG_new() instead of hand rolling the same. 2018-06-14T17:03:19+00:00 jsing 2018-06-14T17:03:19+00:00 urn:sha1:c335f8aac70381d5d5a390e8bef2c8a53544f083 ok beck@ tb@ DSA_SIG_new() amounts to a single calloc() call. 2018-06-14T17:01:49+00:00 jsing 2018-06-14T17:01:49+00:00 urn:sha1:8f09fd5771ec66d5c858e66dacfaea8d4cee4499 ok beck@ tb@ style(9), comments and whitespace. 2018-06-13T18:01:04+00:00 jsing 2018-06-13T18:01:04+00:00 urn:sha1:cc4832a164b06946cf8c74f7991da32974d0da27 Avoid a timing side-channel leak when generating DSA and ECDSA signatures. 2018-06-13T15:05:04+00:00 jsing 2018-06-13T15:05:04+00:00 urn:sha1:70f6c28ec4997461a2ea714457e95ada1c2287ef This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@