path: root/src/lib/libcrypto/dsa

Commit log, newest first. Each entry gives the commit title (author, date, files changed, lines removed/added), followed by the commit message.
* Fix leak of pk if EVP_PKEY_set1_DSA() fails. (tobhe, 2022-11-08, 1 file, -5/+9)

  Found with CodeChecker
  ok jsing@

* Stop using CBIGNUM_it internal to libcrypto. (jsing, 2022-09-03, 1 file, -3/+3)

  CBIGNUM_it is supposed to be the "clear bignum" or "secure" bignum - that is
  one which zeros its memory after use and ensures that the constant time flags
  are set... in LibreSSL we always do both of these things for BIGNUMs, so just
  use BIGNUM_it instead.

  ok tb@

* nasty whitespace (tb, 2022-08-31, 1 file, -9/+9)

* Rework DSA_size() and ECDSA_size() (tb, 2022-08-31, 1 file, -18/+10)

  DSA_size() and ECDSA_size() have a very special hack. They fudge up an
  ASN1_INTEGER with a size which is typically > 100 bytes, backed by a buffer
  of size 4. This was "fine", however, since they set buf[0] = 0xff, where the
  craziness that was i2c_ASN1_INTEGER() only looks at the first octet (one may
  then ask why a buffer of size 4 was necessary...). This changed with the
  rewrite of i2c_ASN1_INTEGER(), which doesn't respect this particular hack and
  rightly assumes that it is fed an actual ASN1_INTEGER...

  Instead, create an appropriate signature and use i2d to determine its size.

  Fixes an out-of-bounds read flagged by ASAN and oss-fuzz.

  ok jsing

* Remove mkerr.pl remnants from LibreSSL (kn, 2022-07-12, 2 files, -12/+2)

  This script is not used at all and files are edited by hand instead.
  Thus remove misleading comments incl. the obsolete script/config.

  Feedback OK jsing tb

* fix NULL return adding missing semicolon (bcook, 2022-07-11, 1 file, -2/+2)

  ok tb@

* Expose new API in headers. (tb, 2022-07-07, 1 file, -5/+1)

  These are mostly security-level related, but there are also ASN1_TIME and
  ASN_INTEGER functions here, as well as some missing accessors.

  ok jsing
* Prepare to provide DSA_meth_{get0,set1}_name() (tb, 2022-07-04, 3 files, -8/+35)

  Also follow OpenSSL by making the name non-const to avoid ugly casting.

  Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in
  https://github.com/libressl-portable/openbsd/issues/130

  ok jsing sthen

* Prepare to provide EVP_PKEY_security_bits() (tb, 2022-06-27, 1 file, -1/+8)

  This also provides a pkey_security_bits member to the PKEY ASN.1 methods
  and a corresponding setter EVP_PKEY_asn1_set_security_bits().

  ok beck jsing

* Prepare to provide DSA_security_bits() (tb, 2022-06-27, 2 files, -2/+14)

  ok beck jsing

* zap stray tab (tb, 2022-05-07, 1 file, -2/+2)

* KNF nits (tb, 2022-05-07, 1 file, -7/+7)

* Avoid infinite loop on parsing DSA private keys (tb, 2022-04-07, 1 file, -3/+24)

  DSA private keys with ill-chosen g could cause an infinite loop on
  deserializing. Add a few sanity checks that ensure that g is according to
  the FIPS 186-4: check 1 < g < p and g^q == 1 (mod p). This is enough to
  ascertain that g is a generator of a multiplicative group of order q once we
  know that q is prime (which is checked a bit later).

  Issue reported with reproducers by Hanno Boeck.
  Additional variants and analysis by David Benjamin.

  ok beck jsing
* Remove accidentally committed debug code. (tb, 2022-02-24, 1 file, -3/+1)

* Minor tweaks (tb, 2022-02-24, 1 file, -7/+8)

  i is a silly name for BN_num_bits(dsa->q); move a comment for readability.

* Add sanity checks on p and q in old_dsa_priv_decode() (tb, 2022-02-24, 1 file, -1/+15)

  dsa_do_verify() has checks on dsa->p and dsa->q that ensure that p isn't
  overly long and that q has one of the three allowed lengths specified in
  FIPS 186-3, namely 160, 224, or 256. Do these checks on deserialization of
  DSA keys without parameters. This means that we will now reject keys we
  would previously deserialize. Such keys are useless in that signatures
  generated by them would be rejected by both LibreSSL and OpenSSL.

  This avoids a timeout flagged in oss-fuzz #26899 due to a ridiculous DSA
  key whose q has size 65KiB. The timeout comes from additional checks on DSA
  keys added by miod in dsa_ameth.c r1.18, especially checking such a
  humongous number for primality is expensive.

  ok jsing

* Minor cleanup and simplification in dsa_pub_encode() (tb, 2022-01-15, 1 file, -15/+8)

  This function has a weird dance of allocating an ASN1_STRING in an inner
  scope and assigning it to a void pointer in an outer scope for passing it
  to X509_PUBKEY_set0_param() and ASN1_STRING_free() on error. This can be
  simplified and streamlined.

  ok inoguchi

* Simplify DSAPublicKey_it (tb, 2022-01-14, 4 files, -56/+25)

  This was obtained by porting the OpenSSL commit below and then using
  expand_crypto_asn1.go to unroll the new ASN.1 macros - actually the ones
  from 987157f6f63 which fixed the omission of dsa_cb() in the first commit.

  ok inoguchi jsing

  commit ea6b07b54c1f8fc2275a121cdda071e2df7bd6c1
  Author: Dr. Stephen Henson <steve@openssl.org>
  Date:   Thu Mar 26 14:35:49 2015 +0000

      Simplify DSA public key handling.

      DSA public keys could exist in two forms: a single Integer type or a
      SEQUENCE containing the parameters and public key with a field called
      "write_params" deciding which form to use. These forms are non standard
      and were only used by functions containing "DSAPublicKey" in the name.

      Simplify code to only use the parameter form and encode the public key
      component directly in the DSA public key method.

      Reviewed-by: Richard Levitte <levitte@openssl.org>
* Make DSA opaque (tb, 2022-01-14, 2 files, -65/+57)

  This moves DSA_SIG, DSA and DSA_METHOD to dsa_locl.h.

  ok inoguchi jsing

* Unifdef LIBRESSL_OPAQUE_* and LIBRESSL_NEXT_API (tb, 2022-01-14, 1 file, -5/+1)

  This marks the start of major surgery in libcrypto. Do not attempt to
  build the tree for a while (~50 commits).

* Prepare the move of DSA_SIG, DSA_METHOD and DSA to dsa_locl.h by (tb, 2022-01-07, 8 files, -8/+21)

  including the local header where it will be needed.

  discussed with jsing

* Add an essentially empty dh_local.h and include it in the files where (tb, 2022-01-07, 1 file, -1/+3)

  it will be needed in the upcoming bump.

  discussed with jsing

* Prepare to provide DSA_bits() (tb, 2022-01-05, 2 files, -2/+11)

  Used by Qt5 and Qt6 and slightly reduces the patching in there.

  ok inoguchi jsing

* Prepare to provide DSA_get0_{p,q,g,{priv,pub}_key}() (tb, 2022-01-05, 2 files, -2/+39)

  ok inoguchi jsing

* Include evp_locl.h where it will be needed once most structs from (tb, 2021-12-12, 1 file, -1/+2)

  evp.h will be moved to evp_locl.h in an upcoming bump.

  ok inoguchi

* Add #include "bn_lcl.h" to the files that will soon need it. (tb, 2021-12-04, 2 files, -2/+5)

  ok inoguchi jsing

* Crank the number of rounds of Miller-Rabin from 50 to 64 (tb, 2021-11-29, 1 file, -4/+7)

  for DSA key generation.

  From Kurt Roeckx, OpenSSL 74ee3796

  ok bcook inoguchi jsing
* Add DSA CMS support. (jsing, 2019-11-01, 1 file, -1/+25)

  From OpenSSL 1.1.1d.

  ok tb@

* Provide EVP_PKEY_CTX_get_signature_md() macro and implement the (jsing, 2019-09-09, 1 file, -1/+5)

  EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the
  upcoming RSA CMS code.

  ok inoguchi@ tb@

* Readability tweaks for comments that explain the blinding. (tb, 2019-06-04, 1 file, -5/+5)

* Remove the blinding later to avoid leaking information on the length (tb, 2019-06-04, 1 file, -3/+3)

  of kinv.

  Pointed out and fix suggested by David Schrammel and Samuel Weiser

  ok jsing

* Fix BN_is_prime_* calls in libcrypto, the API returns -1 on error. (tb, 2019-01-20, 1 file, -3/+3)

  From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd by
  David Benjamin.

  ok djm, jsing

* Initialize priv_key and pub_key on first use instead of at the top. (tb, 2018-11-09, 1 file, -4/+4)

  ok beck jsing mestre

* unrevert the use of bn_rand_interval(). (tb, 2018-11-06, 2 files, -17/+8)

  ok beck jsing

* revert use of bn_rand_interval due to failures with ECDHE and TLS (tb, 2018-11-06, 2 files, -8/+17)

* Make use of bn_rand_interval() where appropriate. (tb, 2018-11-05, 2 files, -17/+8)

  ok beck jsing

* Eliminate a few "} else" branches, a few unneeded NULL checks before (tb, 2018-11-05, 1 file, -11/+9)

  freeing and indent nearby labels.

  ok beck jsing

* Remove two unnecessary BN_FLG_CONSTTIME dances: BN_mod_exp_ct() already (tb, 2018-11-05, 1 file, -9/+3)

  takes care of this internally.

  ok beck jsing
* Add consts to EVP_PKEY_asn1_set_private() (tb, 2018-08-24, 1 file, -2/+2)

  Requires adding a const to the priv_decode() member of
  EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All
  this is already documented this way.

  tested in a bulk build by sthen
  ok jsing

* After removing support for broken PKCS#8 formats (it was high time), (tb, 2018-08-24, 1 file, -2/+2)

  we can add const to PKCS8_pkey_get0(). In order for this to work, we
  need to sprinkle a few consts here and there.

  tested in a bulk by sthen
  ok jsing

* Use a blinding value when generating a DSA signature, in order to reduce (jsing, 2018-06-14, 1 file, -9/+39)

  the possibility of a side-channel attack leaking the private key.

  Suggested by Keegan Ryan at NCC Group.

  With input from and ok tb@

* Clarify the digest truncation comment in DSA signature generation. (jsing, 2018-06-14, 1 file, -3/+4)

  Requested by and ok tb@

* Pull up the code that converts the digest to a BIGNUM - this only needs (jsing, 2018-06-14, 1 file, -10/+10)

  to occur once and not be repeated if the signature generation has to be
  repeated.

  ok tb@

* Fix a potential leak/incorrect return value in DSA signature generation. (jsing, 2018-06-14, 1 file, -4/+6)

  In the very unlikely case where we have to repeat the signature
  generation, the DSA_SIG return value has already been allocated. This
  will either result in a leak when we allocate again on the next
  iteration, or it will give a false success (with missing signature
  values) if any error occurs on the next iteration.

  ok tb@

* Call DSA_SIG_new() instead of hand rolling the same. (jsing, 2018-06-14, 1 file, -5/+2)

  ok beck@ tb@

* DSA_SIG_new() amounts to a single calloc() call. (jsing, 2018-06-14, 1 file, -10/+3)

  ok beck@ tb@

* style(9), comments and whitespace. (jsing, 2018-06-13, 1 file, -30/+32)

* Avoid a timing side-channel leak when generating DSA and ECDSA signatures. (jsing, 2018-06-13, 1 file, -5/+2)

  This is caused by an attempt to do fast modular arithmetic, which
  introduces branches that leak information regarding secret values.

  Issue identified and reported by Keegan Ryan of NCC Group.

  ok beck@ tb@
* Convert a handful of X509_*() functions to take const as in OpenSSL. (tb, 2018-05-01, 1 file, -5/+5)

  tested in a bulk by sthen
  ok jsing

* Fix a small timing side channel in dsa_sign_setup(). Simple adaptation (tb, 2018-04-28, 1 file, -12/+25)

  of OpenSSL commit c0caa945f6ef30363e0d01d75155f20248403df4 to our version
  of this function.

  ok beck, jsing

  Original commit message:

  commit c0caa945f6ef30363e0d01d75155f20248403df4
  Author: Pauli <paul.dale@oracle.com>
  Date:   Wed Nov 1 06:58:13 2017 +1000

      Address a timing side channel whereby it is possible to determine some
      information about the length of the scalar used in DSA operations from
      a large number (2^32) of signatures.

      This doesn't rate as a CVE because:
      * For the non-constant time code, there are easier ways to extract
        more information.
      * For the constant time code, it requires a significant number of
        signatures to leak a small amount of information.

      Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
      reporting this issue.

      Reviewed-by: Andy Polyakov <appro@openssl.org>
      Reviewed-by: Matt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4576)