<feed xmlns='http://www.w3.org/2005/Atom'>
<title>openbsd/src/lib/libcrypto/rsa, branch OPENBSD_6_4_BASE</title>
<subtitle>A mirror of https://github.com/libressl/openbsd.git</subtitle>
<id>https://git.lua4.win/openbsd/atom?h=OPENBSD_6_4_BASE</id>
<link rel='self' href='https://git.lua4.win/openbsd/atom?h=OPENBSD_6_4_BASE'/>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/'/>
<updated>2018-09-12T06:35:38+00:00</updated>
<entry>
<title>Add some accessor functions:</title>
<updated>2018-09-12T06:35:38+00:00</updated>
<author>
<name>djm</name>
<email></email>
</author>
<published>2018-09-12T06:35:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=f4c645b723e47187baadb03d81e1b313974151a7'/>
<id>urn:sha1:f4c645b723e47187baadb03d81e1b313974151a7</id>
<content type='text'>
RSA_meth_get_finish() RSA_meth_set1_name() EVP_CIPHER_CTX_(get|set)_iv()

feedback and ok jsing@ tb@
</content>
</entry>
<entry>
<title>use timing-safe compares for checking results in signature verification</title>
<updated>2018-09-05T00:55:33+00:00</updated>
<author>
<name>djm</name>
<email></email>
</author>
<published>2018-09-05T00:55:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=cbd19c03dd185d497c1db407d6c4f002cb4abc92'/>
<id>urn:sha1:cbd19c03dd185d497c1db407d6c4f002cb4abc92</id>
<content type='text'>
(there are no known attacks, this is just inexpensive prudence)

feedback and ok tb@ jsing@
</content>
</entry>
<entry>
<title>Add consts to EVP_PKEY_asn1_set_private()</title>
<updated>2018-08-24T20:22:15+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2018-08-24T20:22:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=b9a3c83c03543369636a655128b69d56eb619b83'/>
<id>urn:sha1:b9a3c83c03543369636a655128b69d56eb619b83</id>
<content type='text'>
Requires adding a const to the priv_decode() member of
EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode()
functions. All this is already documented this way.

tested in a bulk build by sthen
ok jsing
</content>
</entry>
<entry>
<title>whitespace fix</title>
<updated>2018-08-19T20:17:20+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2018-08-19T20:17:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=fb7bc5c94e61ac7407743c3fe37abfc2173c4301'/>
<id>urn:sha1:fb7bc5c94e61ac7407743c3fe37abfc2173c4301</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Don't leak db on error in RSA_padding_check_PKCS1_OAEP().</title>
<updated>2018-08-19T20:15:30+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2018-08-19T20:15:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=828a9b5d2a8a93e5f418b8a5ce69157522ea277a'/>
<id>urn:sha1:828a9b5d2a8a93e5f418b8a5ce69157522ea277a</id>
<content type='text'>
CID #183499.

input &amp; ok jsing, ok mestre on first version
</content>
</entry>
<entry>
<title>In RSA_padding_add_PKCS1_OAEP, dbmask needs to be freed on failure.</title>
<updated>2018-08-05T13:30:04+00:00</updated>
<author>
<name>bcook</name>
<email></email>
</author>
<published>2018-08-05T13:30:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=e194da0c9fa04c9c6ea539711965b1c64df85f0e'/>
<id>urn:sha1:e194da0c9fa04c9c6ea539711965b1c64df85f0e</id>
<content type='text'>
ok tb@
</content>
</entry>
<entry>
<title>Implement RSASSA-PKCS1-v1_5 as specified in RFC 8017.</title>
<updated>2018-07-23T17:37:17+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2018-07-23T17:37:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=7db9b1d38831aa59d2629445faf56684c815b268'/>
<id>urn:sha1:7db9b1d38831aa59d2629445faf56684c815b268</id>
<content type='text'>
Based on an OpenSSL commit by David Benjamin.

Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library
reported that more than 200 "expected to fail" signatures among Project
Wycheproof's test vectors validated on LibreSSL. This patch makes them
all fail.

ok jsing

commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836
Author: David Benjamin &lt;davidben@google.com&gt;
Date:   Sat Aug 20 13:35:17 2016 -0400

    Implement RSASSA-PKCS1-v1_5 as specified.

    RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode
    the DigestInfo struct and then compare the result against the public key
    operation result. This implies that one and only one encoding is legal.

    OpenSSL instead parses with crypto/asn1, then checks that the encoding
    round-trips, and allows some variations for the parameter. Sufficient
    laxness in this area can allow signature forgeries, as described in
    https://www.imperialviolet.org/2014/09/26/pkcs1.html

    Although there aren't known attacks against OpenSSL's current scheme,
    this change makes OpenSSL implement the algorithm as specified. This
    avoids the uncertainty and, more importantly, helps grow a healthy
    ecosystem. Laxness beyond the spec, particularly in implementations
    which enjoy wide use, risks harm to the ecosystem for all. A signature
    producer which only tests against OpenSSL may not notice bugs and
    accidentally become widely deployed. Thus implementations have a
    responsibility to honor the specification as tightly as is practical.

    In some cases, the damage is permanent and the spec deviation and
    security risk becomes a tax all implementors must forever pay, but not
    here. Both BoringSSL and Go successfully implemented and deployed
    RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
    this change should be compatible enough to pin down in future OpenSSL
    releases.

    See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00

    As a bonus, by not having to deal with sign/verify differences, this
    version is also somewhat clearer. It also more consistently enforces
    digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath
    wasn't quite doing this right.

    Reviewed-by: Kurt Roeckx &lt;kurt@roeckx.be&gt;
    Reviewed-by: Rich Salz &lt;rsalz@openssl.org&gt;

    GH: #1474
</content>
</entry>
<entry>
<title>make ENGINE_finish() succeed on NULL and simplify callers as in</title>
<updated>2018-04-14T07:09:21+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2018-04-14T07:09:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=0c5418014797b1fadca3f270eb2f140fd6f5bdf8'/>
<id>urn:sha1:0c5418014797b1fadca3f270eb2f140fd6f5bdf8</id>
<content type='text'>
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE.  codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by &amp; ok inoguchi
</content>
</entry>
<entry>
<title>Provide RSA_meth_{dup,free,new,set_{finish,priv_{dec,enc}}}()</title>
<updated>2018-03-17T15:12:56+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2018-03-17T15:12:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=70a27b396f5f0474f8fd3b9dc443176a0d82f759'/>
<id>urn:sha1:70a27b396f5f0474f8fd3b9dc443176a0d82f759</id>
<content type='text'>
Note that these functions return NULL in out-of-memory situations,
but contrary to OpenSSL's versions they do not set an error.

ok jsing
</content>
</entry>
<entry>
<title>Provide RSA_{clear,set,test}_flags()</title>
<updated>2018-02-20T17:42:32+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2018-02-20T17:42:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=d1c352883b934dfbb56b5b286c77c346eb91293a'/>
<id>urn:sha1:d1c352883b934dfbb56b5b286c77c346eb91293a</id>
<content type='text'>
ok jsing
</content>
</entry>
</feed>
