summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add some accessor functions:djm2018-09-122-2/+22
| | | | | | RSA_meth_get_finish() RSA_meth_set1_name() EVP_CIPHER_CTX_(get|set)_iv() feedback and ok jsing@ tb@
* use timing-safe compares for checking results in signature verificationdjm2018-09-054-9/+10
| | | | | | (there are no known attacks, this is just inexpensive prudence) feedback and ok tb@ jsing@
* Add consts to EVP_PKEY_asn1_set_private()tb2018-08-241-2/+2
| | | | | | | | | Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way. tested in a bulk build by sthen ok jsing
* whitespace fixtb2018-08-191-2/+2
|
* Don't leak db on error in RSA_padding_check_PKCS1_OAEP().tb2018-08-191-7/+7
| | | | | | CID #183499. input & ok jsing, ok mestre on first version
* In RSA_padding_add_PKCS1_OAEP, dbmask needs to be freed on failure.bcook2018-08-051-3/+7
| | | | ok tb@
* Implement RSASSA-PKCS1-v1_5 as specified in RFC 8017.tb2018-07-231-120/+148
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Based on an OpenSSL commit by David Benjamin. Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library reported that more than 200 "expected to fail" signatures among Project Wycheproof's test vectors validated on LibreSSL. This patch makes them all fail. ok jsing commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836 Author: David Benjamin <davidben@google.com> Date: Sat Aug 20 13:35:17 2016 -0400 Implement RSASSA-PKCS1-v1_5 as specified. RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode the DigestInfo struct and then compare the result against the public key operation result. This implies that one and only one encoding is legal. OpenSSL instead parses with crypto/asn1, then checks that the encoding round-trips, and allows some variations for the parameter. Sufficient laxness in this area can allow signature forgeries, as described in https://www.imperialviolet.org/2014/09/26/pkcs1.html Although there aren't known attacks against OpenSSL's current scheme, this change makes OpenSSL implement the algorithm as specified. This avoids the uncertainty and, more importantly, helps grow a healthy ecosystem. Laxness beyond the spec, particularly in implementations which enjoy wide use, risks harm to the ecosystem for all. A signature producer which only tests against OpenSSL may not notice bugs and accidentally become widely deployed. Thus implementations have a responsibility to honor the specification as tightly as is practical. In some cases, the damage is permanent and the spec deviation and security risk becomes a tax all implementors must forever pay, but not here. Both BoringSSL and Go successfully implemented and deployed RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so this change should be compatible enough to pin down in future OpenSSL releases. See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00 As a bonus, by not having to deal with sign/verify differences, this version is also somewhat clearer. It also more consistently enforces digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath wasn't quite doing this right. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> GH: #1474
* make ENGINE_finish() succeed on NULL and simplify callers as intb2018-04-141-12/+7
| | | | | | | | | | | OpenSSL commit 7c96dbcdab9 by Rich Salz. This cleans up the caller side quite a bit and reduces the number of lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net shows that almost nothing checks the return value of ENGINE_finish(). While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'. ok jsing, tested by & ok inoguchi
* Provide RSA_meth_{dup,free,new,set_{finish,priv_{dec,enc}}}()tb2018-03-172-1/+96
| | | | | | | Note that these functions return NULL in out-of-memory situations, but contrary to OpenSSL's versions they do not set an error. ok jsing
* Provide RSA_{clear,set,test}_flasg()tb2018-02-202-2/+23
| | | | ok jsing
* Provide RSA_{g,s}et0_crt_params()tb2018-02-182-2/+40
| | | | ok jsing
* Use usual order of RSA_{g,s}et0_key().tb2018-02-182-13/+14
| | | | ok jsing
* Provide RSA_{g,s}et0_factors()tb2018-02-182-2/+31
| | | | ok jsing
* Provide RSA_bits()tb2018-02-182-2/+9
| | | | ok jsing
* Provide further parts of the OpenSSL 1.1 API: {DH,DSA}_get0_{key,pqg}(),tb2018-02-172-2/+39
| | | | | | EVP_PKEY_get0_{DH,DSA,RSA}(), RSA_{g,s}et0_key(). ok jsing
* Bring back the RSA_SSLV23_PADDING define.jsing2017-08-301-1/+2
| | | | Several pieces of software expect this to be available unconditionally.
* Remove RSA_padding_add_SSLv23()/RSA_padding_check_SSLv23() and relatedjsing2017-08-284-166/+3
| | | | | | code. We removed SSLv2/SSLv3 a long time ago... Discussed with doug@
* use freezero() instead of memset/explicit_bzero + free. Substantiallyderaadt2017-05-023-35/+13
| | | | | | | | | | reduces conditional logic (-218, +82). MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely. Passes regress. ok beck
* revert previous accidental commitbeck2017-04-283-21/+33
|
* *** empty log message ***beck2017-04-283-33/+21
|
* Send the function codes from the error functions to the bit bucket,beck2017-01-2917-275/+148
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Construct a BN_gcd_nonct, based on BN_mod_inverse_no_branch, as suggestedbeck2017-01-252-5/+5
| | | | | | | | | | | by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a sidechannel timing attack during RSA private key generation. Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force the use of the _ct or _nonct versions of the function only within the library. ok jsing@
* Add ct and nonct versions of BN_mod_inverse for internal usebeck2017-01-213-7/+9
| | | | ok jsing@
* Split out BN_div and BN_mod into ct and nonct versions for Internal use.beck2017-01-213-12/+16
| | | | ok jsing@
* Make explicit _ct and _nonct versions of bn_mod_exp funcitons thatbeck2017-01-211-2/+4
| | | | | | | | | | | | matter for constant time, and make the public interface only used external to the library. This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same. ok jsing@
* Expand ASN1_ITEM_rptr macros - no change in generated assembly.jsing2016-12-302-6/+6
|
* Explicitly export a list of symbols from libcrypto.jsing2016-12-211-1/+6
| | | | | | | | | | | | | | | | Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting the bn_* symbols. These are documented as only being intended for internal use, so why they were placed in a public header is beyond me... This hides 363 previously exported symbols, most of which exist in headers that are not installed and were never intended to be public. This also removes a few crusty old things that should have died long ago (like _ossl_old_des_read_pw). But don't worry... there are still 3451 symbols exported from the library. With input and testing from inoguchi@. ok beck@ inoguchi@
* unifdef OPENSSL_NO_CMSjsing2016-10-192-39/+2
|
* missing space after commatb2016-09-091-2/+2
| | | | | | (this was apparently lost during the repo surgery) ok bcook
* Expand DECLARE_ASN1_.*FUNCTIONS macros.jsing2016-09-041-4/+12
| | | | No change in preprocessed output, ignoring whitespace and line numbers.
* call BN_init on temporaries to avoid use-before-set warningsbcook2016-07-072-2/+12
| | | | ok beck@
* Remove flags for disabling constant-time operations.bcook2016-06-304-129/+70
| | | | | | | | This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. Based on the original patch by César Pereid. ok beck@
* Fix for OpenSSL CVE-2015-3194beck2015-12-031-2/+2
| | | | ok krw@
* Replace M_ASN1_OCTET_STRING_(free|new) with ASN1_OCTET_STRING_(free|new).jsing2015-09-301-2/+2
|
* Correct spelling of OPENSSL_cleanse.jsing2015-09-103-11/+12
| | | | ok miod@
* Drop stupid (int) casts for the arguments of malloc() and friends. This ismiod2015-07-192-6/+6
| | | | | not 16-bit MS-DOS anymore. ok bcook@ tedu@
* Replace remaining CRYPTO_memcmp() calls with timingsafe_memcmp().jsing2015-06-201-2/+2
| | | | ok doug@ deraadt@
* Remove obsolete MDC-2DES from libcrypto.doug2015-06-202-29/+3
| | | | ok deraadt@ jsing@ miod@
* Fix bad indenting in LibreSSL.doug2015-06-131-2/+2
| | | | | | | | | jsg@ noticed that some of the lines in libssl and libcrypto are not indented properly. At a quick glance, it looks like it has a different control flow than it really does. I checked the history in our tree and in OpenSSL to make sure these were simple mistakes. ok miod@ jsing@
* Regenmiod2015-02-151-52/+59
|
* Check for allocation error in RSA_eay_mod_exp(). Coverity CID 25217.miod2015-02-142-2/+7
| | | | ok jsing@
* Expand ASN1_CHOICE*, ASN1_SEQUENCE* and associated macros, making thejsing2015-02-141-25/+161
| | | | | | | | | data structures visible and easier to review, without having to wade through layers and layers of asn1t.h macros. Change has been scripted and there is no change to the generated assembly. Discussed with beck@ miod@ tedu@
* Guenther has plans for OPENSSL_NO_CMS, so revert this for the moment.beck2015-02-112-2/+39
|
* get rid of OPENSSL_NO_CMS code we do not use.beck2015-02-112-39/+2
| | | | ok miod@
* Enable building with -DOPENSSL_NO_DEPRECATED.doug2015-02-112-2/+4
| | | | | | | | | | | | | | | If you didn't enable deprecated code, there were missing err.h and bn.h includes. This commit allows building with or without deprecated code. This was not derived from an OpenSSL commit. However, they recently enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems in a different way. Verified with clang that this only changes line numbers in the generated asm. ok miod@
* Expand the -IMPLEMENT_ASN1_ENCODE_FUNCTIONS_(const_)?fname macros so thatjsing2015-02-101-3/+27
| | | | | | | | the code is visible and functions can be readily located. Change has been scripted and there is no change to the generated assembly. Discussed with beck@ miod@ tedu@
* Expand the IMPLEMENT_ASN1_FUNCTIONS macro so that the code is visible andjsing2015-02-091-2/+26
| | | | | | | | functions can be readily located. Change has been scripted and there is no change to the generated assembly. Discussed with beck@ miod@ tedu@
* BN_CTX_get() can fail - consistently check its return value.jsing2015-02-093-14/+17
| | | | | | | | | | | | | | | There are currently cases where the return from each call is checked, the return from only the last call is checked and cases where it is not checked at all (including code in bn, ec and engine). Checking the last return value is valid as once the function fails it will continue to return NULL. However, in order to be consistent check each call with the same idiom. This makes it easy to verify. Note there are still a handful of cases that do not follow the idiom - these will be handled separately. ok beck@ doug@
* Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().jsing2014-10-224-24/+16
| | | | | | | | arc4random_buf() is guaranteed to always succeed - it is worth noting that a number of the replaced function calls were already missing return value checks. ok deraadt@
* None of these need to include <openssl/rand.h>jsing2014-10-185-10/+5
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 16:40:02 +0000