summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/dsa (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Replace the remaining BN_copy() with bn_copy()tb2023-03-272-5/+5
| | | | ok jsing
* BN_free() is defined in <openssl/bn.h>tb2023-03-251-1/+2
| | | | | | This is currently pulled in via dsa.h and ecdsa.h, but only when OPENSSL_NO_DEPRECATED is not defined. We should fix this in the public header, too - let's wait a bit with that.
* Fix an off-by-one in dsa_check_key()tb2023-03-111-2/+2
| | | | | | | | | | The private key is a random number in [1, q-1], so 1 must be allowed. Since q is at least an 160-bit prime and 2^159 + 1 is not prime (159 is not a power of 2), the probability that this is hit is < 2^-159, but a tiny little bit wrong is still wrong. Found while investigating a report by bluhm ok jsing
* Call BN_free() instead of BN_clear_free().jsing2023-03-072-11/+11
| | | | | | | BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly instead. ok tb@
* Simplify the consistency checks in old_dsa_priv_decode()tb2023-03-041-24/+13
| | | | | | | | We have long had expensive checks for DSA domain parameters in old_dsa_priv_decode(). These were implemented in a more complicated way than necesary. ok beck jsing
* Cap the number of iterations in DSA signingtb2023-03-041-1/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The DSA standard specifies an infinite loop: if either r or s is zero in the signature calculation, a new random number k shall be generated and the whole thing is to be redone. The rationale is that, as the standard puts it, "[i]t is extremely unlikely that r = 0 or s = 0 if signatures are generated properly." The problem is... There is no cheap way to know that the DSA domain parameters we are handed are actually DSA domain parameters, so even if all our calculations are carefully done to do all the checks needed, we cannot know if we generate the signatures properly. For this we would need to do two primality checks as well as various congruences and divisibility properties. Doing this easily leads to DoS, so nobody does it. Unfortunately, it is relatively easy to generate parameters that pass all sorts of sanity checks and will always compute s = 0 since g is nilpotent. Thus, as unlikely as it is, if we are in the mathematical model, in practice it is very possible to ensure that s = 0. Read David Benjamin's glorious commit message for more information https://boringssl-review.googlesource.com/c/boringssl/+/57228 Thanks to Guido Vranken for reporting this issue, also thanks to Hanno Boeck who apparently found and reported similar problems earlier. ok beck jsing
* Small readability tweak in old_dsa_priv_decode()tb2023-03-041-3/+3
| | | | | | Explicitly check against NULL and turn early return into goto err. ok beck jsing
* Call dsa_check_keys() before signing or verifyingtb2023-03-041-23/+9
| | | | | | | | We already had some checks on both sides, but they were less precise and differed between the functions. The code here is messy enough, so any simplification is helpful... ok beck jsing
* Add dsa_check_key() calls on DSA decodingtb2023-03-041-18/+17
| | | | | | | | | | | | When decoding a public or a private key, use dsa_check_key() to ensure consistency of the DSA parameters. We do not always have sufficient information to do that, so this is not always possible. This adds new checks and replaces incomplete existing ones. On decoding the private key we will now only calculate the corresponding public key, if the sizes are sensible. This avoids potentially expensive operations. ok beck jsing
* Provide dsa_check_key()tb2023-03-042-2/+77
| | | | | | | | | | | | | | | | | | | | This is a cheap check that ensures basid parameter consistency per FIPS 186-4: 1 < g < q, that q has the allowed bit sizes 160, 224, 256 and that p is neither too small nor too large. Unfortunately, enforcing the three allowed sizes for p is not possible since the default dsa key generation has not respected this limitation. Instead of checking that p and q are prime, we only check that they are odd. Check that public and private keys, if set, are in the proper range. In particular, disallow zero values. Various versions of these checks have been added to the dsa code over time. This consolidates and extends them and in a subsequent commit wewill replace the incomplete checks. BoringSSL has a similar function of the same name, thanks to David Benjamin for pointing it out. ok beck jsing
* Provide DSA_R_INVALID_PARAMETERS error codetb2023-03-042-2/+4
| | | | | | | This has been missing for a while already and will be used in a few upcoming commits. ok beck jsing
* Merge dsa_sign.c and dsa_vrf.c into dsa_ossl.ctb2023-02-133-163/+36
| | | | discussed with jsing
* dsa/dsa_sign.c: unindent by inverting logic for DSA_SIG_free(NULL)tb2023-02-131-6/+7
|
* dsa/dsa_sign.c: shuffle functions into a more sensible ordertb2023-02-131-13/+13
|
* Clean up and simplify BIGNUM handling in DSA code.jsing2023-01-113-96/+116
| | | | | | | | | | | This adds missing BN_CTX_start()/BN_CTX_end() calls, removes NULL checks before BN_CTX_end()/BN_CTX_free() (since they're NULL safe) and calls BN_free() instead of BN_clear_free() (which does the same thing). Also replace stack allocated BIGNUMs with calls to BN_CTX_get(), using the BN_CTX that is already available. ok tb@
* Simplify BIGNUM handling in dsa_builtin_keygen().jsing2023-01-111-18/+17
| | | | | | | Rather than having complicated "attempt to reuse" dances, always allocate priv_key/pub_key, then free and assign on success. ok tb@
* Make internal header file names consistenttb2022-11-2612-31/+31
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Rework pkey_dsa_sign() and pkey_dsa_verify()tb2022-11-191-21/+25
| | | | | | | | | | Since DSA_sign() and DSA_verify() ignore their type argument, don't bother to determine it here. Check all size_t for overflow before passing them as int arguments. Follow OpenSSL and add a check to see if the tbs blob's length matches the one of the md, in case it is set on the EVP_PKEY_CTX. Fix return value check of DSA_sign(). ok jsing
* Rework DSA_sign() and DSA_verify()tb2022-11-191-20/+31
| | | | | | | | | | | Change DSA_sign() to single exit and check the signed i2d_DSA_SIG() return value before assigning it to an unsigned int. In DSA_verify() let d2i_DSA_SIG() handle the allocation, split error check of i2d_DSA_SIG() from signature check and change an unnecessary freezero() to free. ok jsing
* Fix whitespacetb2022-11-1911-63/+62
|
* Fix a few more leaks in *_print() functions.tobhe2022-11-101-5/+9
| | | | ok jsing@
* Fix leak of pk if EVP_PKEY_set1_DSA() fails.tobhe2022-11-081-5/+9
| | | | | Found with CodeChecker ok jsing@
* Stop using CBIGNUM_it internal to libcrypto.jsing2022-09-031-3/+3
| | | | | | | | | CBIGNUM_it is supposed to be the "clear bignum" or "secure" bignum - that is one which zeros its memory after use and ensures that the constant time flags are set... in LibreSSL we always do both of these things for BIGNUMs, so just use BIGNUM_it instead. ok tb@
* nasty whitespacetb2022-08-311-9/+9
|
* Rework DSA_size() and ECDSA_size()tb2022-08-311-18/+10
| | | | | | | | | | | | | | | | | | | DSA_size() and ECDSA_size() have a very special hack. They fudge up an ASN1_INTEGER with a size which is typically > 100 bytes, backed by a buffer of size 4. This was "fine", however, since they set buf[0] = 0xff, where the craziness that was i2c_ASN1_INTEGER() only looks at the first octet (one may then ask why a buffer of size 4 was necessary...). This changed with the rewrite of i2c_ASN1_INTEGER(), which doesn't respect this particular hack and rightly assumes that it is fed an actual ASN1_INTEGER... Instead, create an appropriate signature and use i2d to determine its size. Fixes an out-of-bounds read flagged by ASAN and oss-fuzz. ok jsing
* Remove mkerr.pl remnants from LibreSSLkn2022-07-122-12/+2
| | | | | | | This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb
* fix NULL return adding missing semicolonbcook2022-07-111-2/+2
| | | | ok tb@
* Expose new API in headers.tb2022-07-071-5/+1
| | | | | | | These are mostly security-level related, but there are also ASN1_TIME and ASN_INTEGER functions here, as well as some missing accessors. ok jsing
* Prepare to provide DSA_meth_{get0,set1}_name()tb2022-07-043-8/+35
| | | | | | | | Also follow OpenSSL by making the name non-const to avoid ugly casting. Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in https://github.com/libressl-portable/openbsd/issues/130 ok jsing sthen
* Prepare to provide EVP_PKEY_security_bits()tb2022-06-271-1/+8
| | | | | | | This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits(). ok beck jsing
* Prepare to provide DSA_security_bits()tb2022-06-272-2/+14
| | | | ok beck jsing
* zap stray tabtb2022-05-071-2/+2
|
* KNF nitstb2022-05-071-7/+7
|
* Avoid infinite loop on parsing DSA private keystb2022-04-071-3/+24
| | | | | | | | | | | | | | DSA private keys with ill-chosen g could cause an infinite loop on deserializing. Add a few sanity checks that ensure that g is according to the FIPS 186-4: check 1 < g < p and g^q == 1 (mod p). This is enough to ascertain that g is a generator of a multiplicative group of order q once we know that q is prime (which is checked a bit later). Issue reported with reproducers by Hanno Boeck. Additional variants and analysis by David Benjamin. ok beck jsing
* Remove accidentally committed debug code.tb2022-02-241-3/+1
|
* Minor tweakstb2022-02-241-7/+8
| | | | i is a silly name for BN_num_bits(dsa->q); move a comment for readability.
* Add sanity checks on p and q in old_dsa_priv_decode()tb2022-02-241-1/+15
| | | | | | | | | | | | | | | | | | dsa_do_verify() has checks on dsa->p and dsa->q that ensure that p isn't overly long and that q has one of the three allowed lengths specified in FIPS 186-3, namely 160, 224, or 256. Do these checks on deserialization of DSA keys without parameters. This means that we will now reject keys we would previously deserialize. Such keys are useless in that signatures generated by them would be rejected by both LibreSSL and OpenSSL. This avoids a timeout flagged in oss-fuzz #26899 due to a ridiculous DSA key whose q has size 65KiB. The timeout comes from additional checks on DSA keys added by miod in dsa_ameth.c r1.18, especially checking such a humungous number for primality is expensive. ok jsing
* Minor cleanup and simplification in dsa_pub_encode()tb2022-01-151-15/+8
| | | | | | | | | This function has a weird dance of allocating an ASN1_STRING in an inner scope and assigning it to a void pointer in an outer scope for passing it to X509_PUBKEY_set0_param() and ASN1_STRING_free() on error. This can be simplified and streamlined. ok inoguchi
* Simplify DSAPublicKey_ittb2022-01-144-56/+25
| | | | | | | | | | | | | | | | | | | | | | | | | This was obtained by porting the OpenSSL commit below and then using expand_crypto_asn1.go to unroll the new ASN.1 macros - actually the ones from 987157f6f63 which fixed the omission of dsa_cb() in the first commit. ok inoguchi jsing commit ea6b07b54c1f8fc2275a121cdda071e2df7bd6c1 Author: Dr. Stephen Henson <steve@openssl.org> Date: Thu Mar 26 14:35:49 2015 +0000 Simplify DSA public key handling. DSA public keys could exist in two forms: a single Integer type or a SEQUENCE containing the parameters and public key with a field called "write_params" deciding which form to use. These forms are non standard and were only used by functions containing "DSAPublicKey" in the name. Simplify code to only use the parameter form and encode the public key component directly in the DSA public key method. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Make DSA opaquetb2022-01-142-65/+57
| | | | | | This moves DSA_SIG, DSA and DSA_METHOD to dsa_locl.h. ok inoguchi jsing
* Unifdef LIBRESSL_OPAQUE_* and LIBRESSL_NEXT_APItb2022-01-141-5/+1
| | | | | This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits).
* Prepare the move of DSA_SIG, DSA_METHOD and DSA to dsa_locl.h bytb2022-01-078-8/+21
| | | | | | including the local header where it will be needed. discussed with jsing
* Add an essentially empty dh_local.h and include it in the files wheretb2022-01-071-1/+3
| | | | | | it will be needed in the upcoming bump. discussed with jsing
* Prepare to provide DSA_bits()tb2022-01-052-2/+11
| | | | | | Used by Qt5 and Qt6 and slightly reduces the patching in there. ok inoguchi jsing
* Prepare to provide DSA_get0_{p,q,g,{priv,pub}_key}()tb2022-01-052-2/+39
| | | | ok inoguchi jsing
* Include evp_locl.h where it will be needed once most structs fromtb2021-12-121-1/+2
| | | | | | evp.h will be moved to evp_locl.h in an upcoming bump. ok inoguchi
* Add #include "bn_lcl.h" to the files that will soon need it.tb2021-12-042-2/+5
| | | | ok inoguchi jsing
* Crank the number of rounds of Miller-Rabin from 50 to 64tb2021-11-291-4/+7
| | | | | | | | for DSA key generation. From Kurt Roeckx, OpenSSL 74ee3796 ok bcook inoguchi jsing
* Add DSA CMS support.jsing2019-11-011-1/+25
| | | | | | From OpenSSL 1.1.1d. ok tb@
* Provide EVP_PKEY_CTX_get_signature_md() macro and implement thejsing2019-09-091-1/+5
| | | | | | | | EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the upcoming RSA CMS code. ok inoguchi@ tb@