| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly
instead.
ok tb@
|
| |
|
|
| |
This should have been included in a previous diff/commit...
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The assembly bn_mul_mont() implementations effectively use alloca() to
allocate space for computation (at up to 8x the input size), without
any limitation. This means that sufficiently large inputs lead to the
stack being blown. Prevent this by using the C based implementation
instead.
Thanks to Jiayi Lin <jlin139 at asu dot edu> for reporting this to us.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
Provide a constant-time-style Montgomery multiplication implementation.
Use this in place of the assembly bn_mul_mont() on platforms that either
do not have an assembly implementation or have not compiled it in.
Also use this as the fallback version for bn_mul_mont(), rather than
falling back to a non-constant time implementation.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Pull out the simplistic implementation (using BN_mul() or BN_sqr()) into a
bn_mod_mul_montgomery_simple() function. Provide bn_mod_mul_montgomery()
with an implementation that changes depending on if the assembly
bn_mul_mont() is available or not. Turn BN_mod_mul_montgomery() and
BN_to_montgomery() into callers of bn_mod_mul_montgomery().
ok beck@ tb@
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This came from bn_asm.c and did not even compile until recently.
ok beck@ tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
Most of the implemeentation functions for EC_GFp_simple_method() are reused
by other code, hence they cannot be made static. However, this keeps the
pattern consistent.
ok tb@
|
| |
|
|
| |
Drop extra parentheses, unwrap some lines, compare pointers against NULL.
|
| |
|
|
|
|
|
| |
Move the EC_METHOD to the bottom of the file, which allows implementation
functions to become static. Remove unneeded prototypes.
ok tb@
|
| |
|
|
|
|
|
| |
Move the EC_METHOD to the bottom of the file, which allows implementation
functions to become static. Remove unneeded prototypes.
ok tb@
|
| |
|
|
|
|
|
| |
Move the EC_METHOD to the bottom of the file, which allows all
implementation functions to become static. Remove unneeded prototypes.
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
Use a fang dangled thing (known as a function) to avoid duplicating the
same code in five places.
ok tb@
|
| |
|
|
|
|
|
|
| |
These functions are rather similar, so there's no need for the code to
be wildly different. Add a missing NULL check to ndef_prefix_free() since
that will be needed in a subsequent commit.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
All the structs are static and we need to reach into them many times.
Having a shorter name is more concise and results in less visual clutter.
It also avoids many overlong lines and we will be able to get rid of some
unfortunate line wrapping down the road.
Discussed with jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Loosely based on OpenSSL commit 6692ff77.
Prodded by job
|
| |
|
|
|
|
|
|
| |
Flip the logic of NULL checks on out and *out to unindent, use calloc()
instead of malloc() and check on assign. Also drop the newly added len2
again, it isn't needed.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
i2d functions return <= 0 on error, so check for that instead of == 0.
The issue with CMS_SharedInfo_encode() was found by Niels Dossche.
OpenSSL review overlooked that they had turned penclen into a size_t.
In principle the issue with i2d_X509_ALGOR() is purely cosmetic. Why do
a strange check when there is an idiomatic check? Then again this is CMS...
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
RSA_public_decrypt() returns <= 0 on error. Assigning to a size_t and
checking for == 0 is not the right thing to do here. Neither is blindly
turning the check into <= 0...
Found by Niels Dossche
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The i2d API design is: call a function first with a pointer to NULL, get
the length, allocate a buffer, call the function passing the buffer in.
Both calls should be checked since ther are still internal allocations.
At the heart of ASN.1 encoding, this idiom is used and the second call
is assumed to succeed after the length was determined. This is far from
guaranteed. Check that the second call returns the same length and error
otherwise.
ok jsing
|
| |
|
|
|
|
| |
This was presumably intended to be OPENSSL_NO_EC_NISTP_64_GCC_128, however
generic code has ended up inside the ifdef (and none of the NISTP code
or prototypes now remain).
|
| |
|
|
| |
This code has been deleted, however the prototypes managed to hang around.
|
| | |
|
| |
|
|
|
| |
These are per-app, so per-file. Most of them already are static, adjust
the rest of them.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Do not display such ciphers in the usage display and error out if
they are given. As pointed out by Pauli Dale, the current situation
is confusing.
Fixes GH issues #786 and #819
ok jsing
|
| |
|
|
|
|
|
|
| |
We have long had expensive checks for DSA domain parameters in
old_dsa_priv_decode(). These were implemented in a more complicated
way than necesary.
ok beck jsing
|
| |
|
|
|
|
|
|
| |
This makes sure that the elliptic curve is not completely stupid.
This is conservative enough: the smallest named groups that we support
have an order of 112 bits.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ECDSA is essentially the same thing as DSA, except that it is slightly
less stupid. Signing specifies an infinite loop, which is only possible
with arbitrary ECDSA domain parameters. Fortunately, most use of ECDSA
in the wild is based on well-known groups, so it is known a priori that
the loop is not infinite. Still, infinite loops are bad. A retry is
unlikely, 32 retries have a probability of ~2^-8000. So it's pretty
safe to error out.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The DSA standard specifies an infinite loop: if either r or s is zero
in the signature calculation, a new random number k shall be generated
and the whole thing is to be redone. The rationale is that, as the
standard puts it, "[i]t is extremely unlikely that r = 0 or s = 0 if
signatures are generated properly."
The problem is... There is no cheap way to know that the DSA domain
parameters we are handed are actually DSA domain parameters, so even
if all our calculations are carefully done to do all the checks needed,
we cannot know if we generate the signatures properly. For this we would
need to do two primality checks as well as various congruences and
divisibility properties. Doing this easily leads to DoS, so nobody does
it.
Unfortunately, it is relatively easy to generate parameters that pass
all sorts of sanity checks and will always compute s = 0 since g
is nilpotent. Thus, as unlikely as it is, if we are in the mathematical
model, in practice it is very possible to ensure that s = 0.
Read David Benjamin's glorious commit message for more information
https://boringssl-review.googlesource.com/c/boringssl/+/57228
Thanks to Guido Vranken for reporting this issue, also thanks to
Hanno Boeck who apparently found and reported similar problems earlier.
ok beck jsing
|
| |
|
|
|
|
| |
Explicitly check against NULL and turn early return into goto err.
ok beck jsing
|
| |
|
|
|
|
|
|
| |
We already had some checks on both sides, but they were less precise
and differed between the functions. The code here is messy enough, so
any simplification is helpful...
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When decoding a public or a private key, use dsa_check_key() to ensure
consistency of the DSA parameters. We do not always have sufficient
information to do that, so this is not always possible.
This adds new checks and replaces incomplete existing ones. On decoding
the private key we will now only calculate the corresponding public key,
if the sizes are sensible. This avoids potentially expensive operations.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a cheap check that ensures basid parameter consistency per
FIPS 186-4: 1 < g < q, that q has the allowed bit sizes 160, 224, 256
and that p is neither too small nor too large. Unfortunately, enforcing
the three allowed sizes for p is not possible since the default dsa key
generation has not respected this limitation.
Instead of checking that p and q are prime, we only check that they
are odd. Check that public and private keys, if set, are in the proper
range. In particular, disallow zero values.
Various versions of these checks have been added to the dsa code
over time. This consolidates and extends them and in a subsequent
commit wewill replace the incomplete checks. BoringSSL has a similar
function of the same name, thanks to David Benjamin for pointing it
out.
ok beck jsing
|
| |
|
|
|
|
|
| |
This has been missing for a while already and will be used in a
few upcoming commits.
ok beck jsing
|
| |
|
|
|
| |
This is `unifdef -m -DOPENSSL_NO_EC_NISTP_64_GCC_128 -UECP_NISTZ256_ASM`
and some manual tidy up.
|
| |
|
|
|
|
|
|
| |
Rather than pretending that these "generic" variables are used for multiple
things, rename them to reflect their actual usage and use appropriate types
instead of void *.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the BIO_write() in the ASN1_STATE_DATA_COPY state fails, incorrect
error handling will break out of the switch without changing the state,
and the infinite for loop will immediately try the same write again,
which is unlikely to succeed... Clearly this code intended to break out
of the loop instead.
Via OpenSSL 1.1 commit 723f616df81ea05f31407f7417f49eea89bb459a
ok millert
|
| |
|
|
|
|
|
| |
Before do_sign_init(), the ctx is always allocated by EVP_MD_CTX_new()
aka calloc(). There is no point in doing EVP_MD_CTX_init(), aka bzero().
ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
BN_get_mem_data() returns a non-positive long on error, so assigning
it to a size_t and displaying that in error messages is incorrect.
|
