A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.5.3 2022-04-07T17:38:24+00:00 2022-04-07T17:38:24+00:00 tb 2022-04-07T17:38:24+00:00 urn:sha1:3340c71f78097b15a0cacb114e0b6c483ad85c02 DSA private keys with ill-chosen g could cause an infinite loop on deserializing. Add a few sanity checks that ensure that g is according to the FIPS 186-4: check 1 < g < p and g^q == 1 (mod p). This is enough to ascertain that g is a generator of a multiplicative group of order q once we know that q is prime (which is checked a bit later). Issue reported with reproducers by Hanno Boeck. Additional variants and analysis by David Benjamin. ok beck jsing 2022-02-24T21:07:03+00:00 tb 2022-02-24T21:07:03+00:00 urn:sha1:77e973878ed13a3d844c3bc80a403a9cf7fa7869 2022-02-24T08:35:45+00:00 tb 2022-02-24T08:35:45+00:00 urn:sha1:3b61a55adb8a0b30bbbd01f93b4fa61fc433a455 i is a silly name for BN_num_bits(dsa->q); move a comment for readability. 2022-02-24T08:31:11+00:00 tb 2022-02-24T08:31:11+00:00 urn:sha1:f2e5689ff5fbb1dbc22de717daa5566fe3a613b4 dsa_do_verify() has checks on dsa->p and dsa->q that ensure that p isn't overly long and that q has one of the three allowed lengths specified in FIPS 186-3, namely 160, 224, or 256. Do these checks on deserialization of DSA keys without parameters. This means that we will now reject keys we would previously deserialize. Such keys are useless in that signatures generated by them would be rejected by both LibreSSL and OpenSSL. This avoids a timeout flagged in oss-fuzz #26899 due to a ridiculous DSA key whose q has size 65KiB. The timeout comes from additional checks on DSA keys added by miod in dsa_ameth.c r1.18, especially checking such a humungous number for primality is expensive. ok jsing 2022-01-15T04:02:37+00:00 tb 2022-01-15T04:02:37+00:00 urn:sha1:3acf8220188afadd585d7c460624c4fbbc9e49e5 This function has a weird dance of allocating an ASN1_STRING in an inner scope and assigning it to a void pointer in an outer scope for passing it to X509_PUBKEY_set0_param() and ASN1_STRING_free() on error. This can be simplified and streamlined. ok inoguchi 2022-01-14T08:29:06+00:00 tb 2022-01-14T08:29:06+00:00 urn:sha1:f72ed7892736508b786a5179457e131dedb2fe9a This was obtained by porting the OpenSSL commit below and then using expand_crypto_asn1.go to unroll the new ASN.1 macros - actually the ones from 987157f6f63 which fixed the omission of dsa_cb() in the first commit. ok inoguchi jsing commit ea6b07b54c1f8fc2275a121cdda071e2df7bd6c1 Author: Dr. Stephen Henson <steve@openssl.org> Date: Thu Mar 26 14:35:49 2015 +0000 Simplify DSA public key handling. DSA public keys could exist in two forms: a single Integer type or a SEQUENCE containing the parameters and public key with a field called "write_params" deciding which form to use. These forms are non standard and were only used by functions containing "DSAPublicKey" in the name. Simplify code to only use the parameter form and encode the public key component directly in the DSA public key method. Reviewed-by: Richard Levitte <levitte@openssl.org> 2022-01-14T08:27:23+00:00 tb 2022-01-14T08:27:23+00:00 urn:sha1:43a07c5bf62fc943f425ba6b37529b49902e9934 This moves DSA_SIG, DSA and DSA_METHOD to dsa_locl.h. ok inoguchi jsing 2022-01-14T07:49:49+00:00 tb 2022-01-14T07:49:49+00:00 urn:sha1:82ec18edf4e632f36b6f79c239fdb6961d421a82 This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits). 2022-01-07T09:35:36+00:00 tb 2022-01-07T09:35:36+00:00 urn:sha1:72ddf309b6ca09529e5603af312e92fbefe2d810 including the local header where it will be needed. discussed with jsing 2022-01-07T09:27:13+00:00 tb 2022-01-07T09:27:13+00:00 urn:sha1:01c3a3efcb3377bc530d4bf225668754e137d085 it will be needed in the upcoming bump. discussed with jsing