summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/dh (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Expose new API in headers.tb2022-07-071-3/+1
| | | | | | | These are mostly security-level related, but there are also ASN1_TIME and ASN_INTEGER functions here, as well as some missing accessors. ok jsing
* Prepare to provide EVP_PKEY_security_bits()tb2022-06-271-1/+8
| | | | | | | This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits(). ok beck jsing
* Prepare to provide DH_security_bits()tb2022-06-272-2/+18
| | | | ok beck jsing
* Add check for BIO_indent return valueinoguchi2022-01-201-3/+5
| | | | | | CID 24812 ok jsing@ millert@ tb@
* Make structs in dh.h opaquetb2022-01-142-51/+44
| | | | | | This moves the struct internals for DH and DH_METHOD to dh_local.h. ok inoguchi jsing
* Unifdef LIBRESSL_OPAQUE_* and LIBRESSL_NEXT_APItb2022-01-141-5/+1
| | | | | This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits).
* Prepare to provide EVP_PKEY_{public,param}_checktb2022-01-101-1/+31
| | | | | | | | | | | | | | This implements checking of a public key and of key generation parameters for DH and EC keys. With the same logic and setters and const quirks as for EVP_PKEY_check(). There are a couple of quirks: For DH no default EVP_PKEY_check() is implemented, instead EVP_PKEY_param_check() calls DH_check_ex() even though DH_param_check_ex() was added for this purpose. EVP_PKEY_public_check() for EC curves also checks the private key if present. ok inoguchi jsing
* Provide DH_check*_ex and many error codestb2022-01-104-4/+102
| | | | | | | | | | | | | | | | | | | | | DH_check{,_pub_key}_ex() wrap their non-ex versions to translate the flags argument of the original functions into OpenSSL errors. For this almost a dozen new error codes need to be added. DH_params_check{,_ex}() is a new version of DH_check that only performs a cheap subset of the checks. They are needed to implement EVP_PKEY_{public,param}_check() (observe the consistent naming) although the actual implementation of EVP_PKEY_param_check() chose to use DH_check_ex(). As far as I can tell, the only raison d'être of the _ex functions and error codes is to spew them to stderr in a couple of openssl(1) commands. This couldn't have been solved differently... These functions will not be exposed publicly. ok inoguchi jsing
* zap trailing whitespacetb2022-01-101-5/+5
|
* Add an essentially empty dh_local.h and include it in the files wheretb2022-01-078-7/+83
| | | | | | it will be needed in the upcoming bump. discussed with jsing
* zap trailing whitespacetb2022-01-071-9/+9
|
* Prepare to provide DH_get_length()tb2022-01-052-2/+11
| | | | | | Will be needed by openssl(1) dhparam. ok inoguchi jsing
* Prepare to provide DH_get0_{p,q,g,{priv,pub}_key}()tb2022-01-052-2/+39
| | | | | | | | | | | These are accessors that allow getting one specific DH member. They are less error prone than the current getters DH_get0_{pqg,key}(). They are used by many ports and will also be used in base for this reason. Who can remember whether the pub_key or the priv_key goes first in DH_get0_key()? ok inoguchi jsing
* Include evp_locl.h where it will be needed once most structs fromtb2021-12-121-1/+2
| | | | | | evp.h will be moved to evp_locl.h in an upcoming bump. ok inoguchi
* Simplify DH_check_params a bit.tb2021-12-051-12/+4
| | | | | | | | It makes no sense to allocate an entire BN_CTX if we only use it to get a single BIGNUM, from which we subtract 1 to compare it to g. We can just use a plain BIGNUM and delete a bunch of lines. ok inoguchi jsing
* Add #include "bn_lcl.h" to the files that will soon need it.tb2021-12-042-2/+5
| | | | ok inoguchi jsing
* Clean up DH_check_pub_key() and ensure that y^q (mod p) == 1.tb2021-11-291-18/+53
| | | | | | | | | | This aligns our behavior with OpenSSL 1.1.1 which includes a mitigation for small subgroup attacks. This did not affect LibreSSL since we do not support X9.42 style parameter files or RFC 5114. The meat of this commit is from Matt Caswell, OpenSSL b128abc3 ok inoguchi jsing
* Increase number of iterations in Miller-Rabin checks for DH.tb2021-11-291-4/+9
| | | | | | | | | | BN_prime_checks is only to be used for random input. Here, the input isn't random, so increase the number of checks. According to https://eprint.iacr.org/2019/032, 64 rounds is suitable. From Jake Massimo, OpenSSL 1.1.1, af6ce3b4 ok inoguchi jsing
* Synchronize DH_check() mostly with OpenSSL 1.1.1 with sometb2021-11-291-32/+47
| | | | | | | | | | | | simplifications and readability tweaks. This ensures in particular that dh->q is suitable if present. Based on work by Stephen Henson and Bernd Edlinger in OpenSSL. Issues with the current implementation found via regression tests in py-cryptography. ok inoguchi jsing
* Provide a version of DH_check_params() for internal use.tb2021-11-291-1/+43
| | | | | | Based on the version in OpenSSL 1.1.1l with minor tweaks. ok inoguchi jsing
* Provide a number of flags for DH_check and DH_check_pubkeytb2021-11-291-1/+5
| | | | | | that will be used in subsequent commits. ok inoguchi jsing
* In DH_set0_pqg() also set dh->length if q is set to match what OpenSSL do.tb2021-11-231-1/+2
| | | | ok inoguchi jsing
* Avoid leak in error path of dh_priv_decodeinoguchi2020-01-041-1/+2
| | | | ok jsing@ tb@
* Fix BN_is_prime_* calls in libcrypto, the API returns -1 on error.tb2019-01-201-5/+12
| | | | | | | From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd by David Benjamin. ok djm, jsing
* Missing initialization for pub_key. CID 184303.tb2018-11-121-2/+2
| | | | ok bcook
* Initialize priv_key and pub_key on first use instead of at the top.tb2018-11-091-6/+4
| | | | | | While there, eliminate a flag that was only used once. ok beck jsing mestre
* unrevert the use of bn_rand_interval().tb2018-11-061-6/+9
| | | | ok beck jsing
* revert use of bn_rand_interval due to failures with ECDHE and TLStb2018-11-061-9/+6
|
* Make use of bn_rand_interval() where appropriate.tb2018-11-051-6/+9
| | | | ok beck jsing
* Eliminate a few "} else" branches, a few unneeded NULL checks beforetb2018-11-051-16/+12
| | | | | | freeing and indent nearby labels. ok beck jsing
* Remove two unnecessary BN_FLG_CONSTTIME dances: BN_mod_exp_ct() alreadytb2018-11-051-12/+4
| | | | | | takes care of this internally. ok beck jsing
* Add consts to EVP_PKEY_asn1_set_private()tb2018-08-241-2/+2
| | | | | | | | | Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way. tested in a bulk build by sthen ok jsing
* After removing support for broken PKCS#8 formats (it was high time),tb2018-08-241-2/+2
| | | | | | | | we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there. tested in a bulk by sthen ok jsing
* zap stray tabsthen2018-06-121-2/+2
|
* Reject excessively large primes in DH key generation. Problem reportedsthen2018-06-121-1/+6
| | | | | | | | | | | by Guido Vranken to OpenSSL (https://github.com/openssl/openssl/pull/6457) and based on his diff. suggestions from tb@, ok tb@ jsing@ "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack."
* Remove incorrect NULL checks in DH_set0_key().tb2018-05-021-5/+1
| | | | | | Reported by Ondřej Surý, LibreSSL-portable issue #92. ok inoguchi, jsing
* Convert a handful of X509_*() functions to take const as in OpenSSL.tb2018-05-011-5/+5
| | | | | tested in a bulk by sthen ok jsing
* make ENGINE_finish() succeed on NULL and simplify callers as intb2018-04-141-10/+6
| | | | | | | | | | | OpenSSL commit 7c96dbcdab9 by Rich Salz. This cleans up the caller side quite a bit and reduces the number of lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net shows that almost nothing checks the return value of ENGINE_finish(). While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'. ok jsing, tested by & ok inoguchi
* Provide DH_get0_engine().jsing2018-02-222-2/+9
|
* Fix bogus check. Spotted by brynet, thanks.tb2018-02-201-2/+4
|
* Provide DH_set_length()tb2018-02-202-2/+12
| | | | ok jsing
* Provide DH_bits()tb2018-02-202-2/+9
| | | | ok jsing
* Provide DH_{clear,set,test}_flags().tb2018-02-202-2/+23
| | | | ok jsing
* Provide {DH,DSA}_set0_key(). Requested by sthen.tb2018-02-182-2/+22
| | | | ok jsing
* Provide DH_set0_pqg.tb2018-02-182-2/+25
| | | | ok jsing
* Provide further parts of the OpenSSL 1.1 API: {DH,DSA}_get0_{key,pqg}(),tb2018-02-172-2/+26
| | | | | | EVP_PKEY_get0_{DH,DSA,RSA}(), RSA_{g,s}et0_key(). ok jsing
* Send the function codes from the error functions to the bit bucket,beck2017-01-297-55/+38
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Make explicit _ct and _nonct versions of bn_mod_exp funcitons thatbeck2017-01-211-2/+4
| | | | | | | | | | | | matter for constant time, and make the public interface only used external to the library. This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same. ok jsing@
* Expand ASN1_ITEM_rptr macro - no change in generated assembly.jsing2016-12-301-2/+2
|
* Kill a bunch of OLD_ASN1 usage by replacing ASN1_{d2i,i2d}_* withjsing2016-11-042-8/+30
| | | | | | ASN1_item_{d2i,i2d}_* equivalents. ok guenther@ miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 02:21:02 +0000