<feed xmlns='http://www.w3.org/2005/Atom'>
<title>openbsd/src/lib/libcrypto/ec, branch libressl-v3.5.3</title>
<subtitle>A mirror of https://github.com/libressl/openbsd.git
</subtitle>
<id>https://git.lua4.win/openbsd/atom?h=libressl-v3.5.3</id>
<link rel='self' href='https://git.lua4.win/openbsd/atom?h=libressl-v3.5.3'/>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/'/>
<updated>2022-04-07T17:37:25+00:00</updated>
<entry>
<title>Avoid infinite loop for custom curves of order 1</title>
<updated>2022-04-07T17:37:25+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2022-04-07T17:37:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=1061feec63ce8eec5e559ca2697b80bc73044484'/>
<id>urn:sha1:1061feec63ce8eec5e559ca2697b80bc73044484</id>
<content type='text'>
If a private key encoded with EC parameters happens to have
order 1 and is used for ECDSA signatures, this causes an
infinite loop since a random integer x in the interval [0,1)
will be 0, so do ... while (x == 0); will loop indefinitely.

Found and reported with a reproducer by Hanno Boeck.
Helpful comments and analysis from David Benjamin.

ok beck jsing
</content>
</entry>
<entry>
<title>Simplify priv_key handling in d2i_ECPrivateKey()</title>
<updated>2022-03-31T13:00:58+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2022-03-31T13:00:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=91087446015ebb4341a9f7c6accff0e586a0ba5d'/>
<id>urn:sha1:91087446015ebb4341a9f7c6accff0e586a0ba5d</id>
<content type='text'>
d2i_EC_PRIVATEKEY() can handle the allocation of priv_key internally,
no need to do this up front and reach it through the dangerous reuse
mechanism. There's also no point in freeing a variable we know to be
NULL.

ok jsing
</content>
</entry>
<entry>
<title>Bound cofactor in EC_GROUP_set_generator()</title>
<updated>2022-03-29T14:03:12+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2022-03-29T14:03:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=89475160d42bc14609305f5d10c30b9f6042c4b0'/>
<id>urn:sha1:89475160d42bc14609305f5d10c30b9f6042c4b0</id>
<content type='text'>
Instead of only bounding the group order, also bound the
cofactor using Hasse's theorem. This could probably be made a lot
tighter since all curves of cryptographic interest have small
cofactors, but for now this is good enough.

A timeout found by oss-fuzz creates a "group" with insane parameters
over a 40-bit field: the order is 14464, and the cofactor has 4196223
bits (which is obviously impossible by Hasse's theorem). These led to
running an expensive loop in ec_GFp_simple_mul_ct() millions of times.

Fixes oss-fuzz #46056

Diagnosed and fixed jointly with jsing

ok inoguchi jsing (previous version)
</content>
</entry>
<entry>
<title>Do not zero cofactor on ec_guess_cofactor() success</title>
<updated>2022-03-29T13:48:40+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2022-03-29T13:48:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=5c5a9e687c0eb72164516557865831f499cc3e04'/>
<id>urn:sha1:5c5a9e687c0eb72164516557865831f499cc3e04</id>
<content type='text'>
The cofactor we tried to calculate should only be zeroed if we failed
to compute it.

ok inoguchi jsing
</content>
</entry>
<entry>
<title>Zap trailing whitespace</title>
<updated>2022-03-29T13:44:06+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2022-03-29T13:44:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=3fc8be7aebd117c9b94a0b0c21bb6903fdff41e3'/>
<id>urn:sha1:3fc8be7aebd117c9b94a0b0c21bb6903fdff41e3</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fix check for BN_mod_inverse_ct return value</title>
<updated>2022-01-20T11:12:14+00:00</updated>
<author>
<name>inoguchi</name>
<email></email>
</author>
<published>2022-01-20T11:12:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=1ca471b8e14d63d9b7059b86938ef989ff0857db'/>
<id>urn:sha1:1ca471b8e14d63d9b7059b86938ef989ff0857db</id>
<content type='text'>
ok jsing@ millert@ tb@
</content>
</entry>
<entry>
<title>Garbage collect the app_items field of ASN1_ADB</title>
<updated>2022-01-14T08:16:13+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2022-01-14T08:16:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=ec5f7af843436771be5081c868e0fb0b44069ead'/>
<id>urn:sha1:ec5f7af843436771be5081c868e0fb0b44069ead</id>
<content type='text'>
This is unused and was removed in OpenSSL 5b70372d when it was
replaced with an ASN.1 ADB callback (which we don't support).

ok inoguchi jsing
</content>
</entry>
<entry>
<title>Prepare to provide EVP_PKEY_{public,param}_check</title>
<updated>2022-01-10T12:10:26+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2022-01-10T12:10:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=875eb616f98cd0720501dc97ee72ed96343b0b33'/>
<id>urn:sha1:875eb616f98cd0720501dc97ee72ed96343b0b33</id>
<content type='text'>
This implements checking of a public key and of key generation
parameters for DH and EC keys. With the same logic and setters
and const quirks as for EVP_PKEY_check().

There are a couple of quirks: For DH no default EVP_PKEY_check()
is implemented, instead EVP_PKEY_param_check() calls DH_check_ex()
even though DH_param_check_ex() was added for this purpose.
EVP_PKEY_public_check() for EC curves also checks the private key
if present.

ok inoguchi jsing
</content>
</entry>
<entry>
<title>Prepare to provide EVP_PKEY_check()</title>
<updated>2022-01-10T11:52:43+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2022-01-10T11:52:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=c4f6925dc73274ba5f411d30fbd78b6be1580782'/>
<id>urn:sha1:c4f6925dc73274ba5f411d30fbd78b6be1580782</id>
<content type='text'>
This allows checking the validity of an EVP_PKEY. Only RSA and EC keys
are supported. If a check function is set on the EVP_PKEY_METHOD, it will
be used, otherwise the check function on the EVP_PKEY_ASN1_METHOD is
used. The default ASN.1 methods wrap RSA_check_key() and
EC_KEY_check_key(), respectively.

The corresponding setters are EVP_PKEY_{asn1,meth}_set_check().

It is unclear why the PKEY method has no const while the ASN.1 method
has const.

Requested by tobhe and used by PHP 8.1.
Based on OpenSSL commit 2aee35d3

ok inoguchi jsing
</content>
</entry>
<entry>
<title>Include evp_locl.h where it will be needed once most structs from</title>
<updated>2021-12-12T21:30:14+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2021-12-12T21:30:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=b632ec4f99386efc52214c580c9f233748302224'/>
<id>urn:sha1:b632ec4f99386efc52214c580c9f233748302224</id>
<content type='text'>
evp.h will be moved to evp_locl.h in an upcoming bump.

ok inoguchi
</content>
</entry>
</feed>
