summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/dsa (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Prepare the move of DSA_SIG, DSA_METHOD and DSA to dsa_locl.h bytb2022-01-078-8/+21
| | | | | | including the local header where it will be needed. discussed with jsing
* Add an essentially empty dh_local.h and include it in the files wheretb2022-01-071-1/+3
| | | | | | it will be needed in the upcoming bump. discussed with jsing
* Prepare to provide DSA_bits()tb2022-01-052-2/+11
| | | | | | Used by Qt5 and Qt6 and slightly reduces the patching in there. ok inoguchi jsing
* Prepare to provide DSA_get0_{p,q,g,{priv,pub}_key}()tb2022-01-052-2/+39
| | | | ok inoguchi jsing
* Include evp_locl.h where it will be needed once most structs fromtb2021-12-121-1/+2
| | | | | | evp.h will be moved to evp_locl.h in an upcoming bump. ok inoguchi
* Add #include "bn_lcl.h" to the files that will soon need it.tb2021-12-042-2/+5
| | | | ok inoguchi jsing
* Crank the number of rounds of Miller-Rabin from 50 to 64tb2021-11-291-4/+7
| | | | | | | | for DSA key generation. From Kurt Roeckx, OpenSSL 74ee3796 ok bcook inoguchi jsing
* Add DSA CMS support.jsing2019-11-011-1/+25
| | | | | | From OpenSSL 1.1.1d. ok tb@
* Provide EVP_PKEY_CTX_get_signature_md() macro and implement thejsing2019-09-091-1/+5
| | | | | | | | EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the upcoming RSA CMS code. ok inoguchi@ tb@
* Readability tweaks for comments that explain the blinding.tb2019-06-041-5/+5
|
* Remove the blinding later to avoid leaking information on the lengthtb2019-06-041-3/+3
| | | | | | | | of kinv. Pointed out and fix suggested by David Schrammel and Samuel Weiser ok jsing
* Fix BN_is_prime_* calls in libcrypto, the API returns -1 on error.tb2019-01-201-3/+3
| | | | | | | From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd by David Benjamin. ok djm, jsing
* Initialize priv_key and pub_key on first use instead of at the top.tb2018-11-091-4/+4
| | | | ok beck jsing mestre
* unrevert the use of bn_rand_interval().tb2018-11-062-17/+8
| | | | ok beck jsing
* revert use of bn_rand_interval due to failures with ECDHE and TLStb2018-11-062-8/+17
|
* Make use of bn_rand_interval() where appropriate.tb2018-11-052-17/+8
| | | | ok beck jsing
* Eliminate a few "} else" branches, a few unneeded NULL checks beforetb2018-11-051-11/+9
| | | | | | freeing and indent nearby labels. ok beck jsing
* Remove two unnecessary BN_FLG_CONSTTIME dances: BN_mod_exp_ct() alreadytb2018-11-051-9/+3
| | | | | | takes care of this internally. ok beck jsing
* Add consts to EVP_PKEY_asn1_set_private()tb2018-08-241-2/+2
| | | | | | | | | Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way. tested in a bulk build by sthen ok jsing
* After removing support for broken PKCS#8 formats (it was high time),tb2018-08-241-2/+2
| | | | | | | | we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there. tested in a bulk by sthen ok jsing
* Use a blinding value when generating a DSA signature, in order to reducejsing2018-06-141-9/+39
| | | | | | | | the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok tb@
* Clarify the digest truncation comment in DSA signature generation.jsing2018-06-141-3/+4
| | | | Requested by and ok tb@
* Pull up the code that converts the digest to a BIGNUM - this only needsjsing2018-06-141-10/+10
| | | | | | | to occur once and not be repeated if the signature generation has to be repeated. ok tb@
* Fix a potential leak/incorrect return value in DSA signature generation.jsing2018-06-141-4/+6
| | | | | | | | | | In the very unlikely case where we have to repeat the signature generation, the DSA_SIG return value has already been allocated. This will either result in a leak when we allocate again on the next iteration, or it will give a false success (with missing signature values) if any error occurs on the next iteration. ok tb@
* Call DSA_SIG_new() instead of hand rolling the same.jsing2018-06-141-5/+2
| | | | ok beck@ tb@
* DSA_SIG_new() amounts to a single calloc() call.jsing2018-06-141-10/+3
| | | | ok beck@ tb@
* style(9), comments and whitespace.jsing2018-06-131-30/+32
|
* Avoid a timing side-channel leak when generating DSA and ECDSA signatures.jsing2018-06-131-5/+2
| | | | | | | | | This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@
* Convert a handful of X509_*() functions to take const as in OpenSSL.tb2018-05-011-5/+5
| | | | | tested in a bulk by sthen ok jsing
* Fix a small timing side channel in dsa_sign_setup(). Simple adaptationtb2018-04-281-12/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | of OpenSSL commit c0caa945f6ef30363e0d01d75155f20248403df4 to our version of this function. ok beck, jsing Original commit message: commit c0caa945f6ef30363e0d01d75155f20248403df4 Author: Pauli <paul.dale@oracle.com> Date: Wed Nov 1 06:58:13 2017 +1000 Address a timing side channel whereby it is possible to determine some information about the length of the scalar used in DSA operations from a large number (2^32) of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4576)]
* make ENGINE_finish() succeed on NULL and simplify callers as intb2018-04-141-10/+6
| | | | | | | | | | | OpenSSL commit 7c96dbcdab9 by Rich Salz. This cleans up the caller side quite a bit and reduces the number of lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net shows that almost nothing checks the return value of ENGINE_finish(). While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'. ok jsing, tested by & ok inoguchi
* Add DSA_meth_{dup,free,new,set_{finish,sign}}()tb2018-03-172-1/+86
| | | | | | | As in RSA_meth_*, note that these functions return NULL in out-of-memory situations, but they do not set an error explicitly. ok jsing
* Provide DSA_get0_engine()tb2018-02-202-2/+9
| | | | ok jsing
* Provide DSA_SIG_{g,s}et0()tb2018-02-202-2/+27
| | | | ok jsing
* Provide DSA_{clear,set,test}_flags()tb2018-02-202-2/+23
| | | | ok jsing
* Provide {DH,DSA}_set0_key(). Requested by sthen.tb2018-02-182-2/+21
| | | | ok jsing
* Provide DSA_set0_pqg.tb2018-02-182-2/+26
| | | | ok jsing
* s/DH/DSA/jsing2018-02-171-2/+2
|
* Provide further parts of the OpenSSL 1.1 API: {DH,DSA}_get0_{key,pqg}(),tb2018-02-172-2/+26
| | | | | | EVP_PKEY_get0_{DH,DSA,RSA}(), RSA_{g,s}et0_key(). ok jsing
* use freezero() instead of memset/explicit_bzero + free. Substantiallyderaadt2017-05-021-5/+2
| | | | | | | | | | reduces conditional logic (-218, +82). MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely. Passes regress. ok beck
* Send the function codes from the error functions to the bit bucket,beck2017-01-297-76/+50
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Add ct and nonct versions of BN_mod_inverse for internal usebeck2017-01-211-3/+3
| | | | ok jsing@
* Split out BN_div and BN_mod into ct and nonct versions for Internal use.beck2017-01-213-9/+9
| | | | ok jsing@
* Make explicit _ct and _nonct versions of bn_mod_exp funcitons thatbeck2017-01-214-9/+13
| | | | | | | | | | | | matter for constant time, and make the public interface only used external to the library. This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same. ok jsing@
* Expand ASN1_ITEM_rptr macro - no change in generated assembly.jsing2016-12-301-2/+2
|
* Explicitly export a list of symbols from libcrypto.jsing2016-12-211-1/+5
| | | | | | | | | | | | | | | | Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting the bn_* symbols. These are documented as only being intended for internal use, so why they were placed in a public header is beyond me... This hides 363 previously exported symbols, most of which exist in headers that are not installed and were never intended to be public. This also removes a few crusty old things that should have died long ago (like _ossl_old_des_read_pw). But don't worry... there are still 3451 symbols exported from the library. With input and testing from inoguchi@. ok beck@ inoguchi@
* Kill a bunch of OLD_ASN1 usage by replacing ASN1_{d2i,i2d}_* withjsing2016-11-042-9/+30
| | | | | | ASN1_item_{d2i,i2d}_* equivalents. ok guenther@ miod@
* unifdef OPENSSL_NO_CMSjsing2016-10-191-24/+1
|
* Remove flags for disabling constant-time operations.bcook2016-06-302-14/+5
| | | | | | | | This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. Based on the original patch by César Pereid. ok beck@
* Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior.bcook2016-06-213-88/+46
| | | | | | | Improved patch from Cesar Pereida. See https://github.com/libressl-portable/openbsd/pull/61 for more details. ok beck@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-27 02:05:20 +0000