path: root/lib/libcrypto/dh
Age  Commit message  Author
2024-11-29  Remove X9.42 DH rudiments  (Theo Buehler)
In the unlikely event that we should ever decide to implement this after a quarter century of not needing it, we can readily put this back. Until then this is dead weight. prompted by a question by djm ok jsing
2024-11-29  Remove weird pad member that was never set to zero after malloc() so  (Theo Buehler)
the weird thing it was supposed to be doing couldn't possibly work. ok jsing
2024-08-30  Garbage collect the DH_check*_ex() API  (Theo Buehler)
This was only needed by the EVP_PKEY_*check() API, which was defanged. So this silly garbage can now go: it translated flags to errors on the error stack so that openssl *check could print ugly errors while DoS-ing the user. ok beck
2024-08-29  Remove the pkey_{,public_,param_}check() handlers  (Theo Buehler)
This disables the EVP_PKEY_*check() API and makes it fail (more precisely indicate lack of support) on all key types. This is an intermediate step to full removal. Removal is ok beck jsing
2024-08-26  replace strtol(3) usage with strtonum(3); idea/ok/tweaks tb@  (Omar Polo)
2024-06-24  libcrypto: constify most error string tables  (Theo Buehler)
These constitute the bulk of the remaining global mutable state in libcrypto. This commit moves most of them into data.rel.ro, leaving out ERR_str_{functs,libraries,reasons} (which require a slightly different approach) and SYS_str_reasons which is populated on startup. The main observation is that if ERR_load_strings() is called with a 0 lib argument, the ERR_STRING_DATA argument is not actually modified. We could use this fact to cast away const on the caller side and be done with it. We can make this cleaner by adding a helper ERR_load_const_strings() which explicitly avoids the assignment to str->error overriding the error code already set in the table. In order for this to work, we need to sprinkle some const in err/err.c. CMS called ERR_load_strings() with non-0 lib argument, but this didn't actually modify the error data since it ORed in the value already stored in the table. Annoyingly, we need to cast const away once, namely in the call to lh_insert() in int_err_set_item(). Fixing this would require changing the public API and is going to be tricky since it requires that the LHASH_DOALL_FN_* types adjust. ok jsing
2024-05-19  Add space after commas  (Theo Buehler)
2024-05-19  KNF for dh_err and dsa_err  (Theo Buehler)
2024-05-09  Make the DH_METHOD static const  (Theo Buehler)
2024-05-09  Move public API and DH_METHOD to the bottom of the file  (Theo Buehler)
no functional change
2024-04-15  DHparam_it becomes static, too  (Theo Buehler)
ok jsing
2024-03-27  Use dh for DH function arguments.  (Theo Buehler)
No need for a variety of r, d, ...
2024-03-27  Unify *_up_ref() implementations  (Theo Buehler)
No need for an inconsistently named local variable and a ternary operator. ok jsing
2024-01-04  Replace .pkey_base_id with a .base_method pointer  (Theo Buehler)
Every EVP_PKEY_ASN1_METHOD is either an ASN.1 method or an alias. As such it resolves to an underlying ASN.1 method (in one step). This information can be stored in a base_method pointer in allusion to the pkey_base_id, which is the name for the nid (aka pkey_id aka type) of the underlying method. For an ASN.1 method, the base method is itself, so the base method is set as a pointer to itself. For an alias it is of course a pointer to the underlying method. Then obviously ameth->pkey_base_id is the same as ameth->base_method->pkey_id, so rework all ASN.1 methods to follow that. ok jsing
2024-01-01  kill gross whitespace  (Theo Buehler)
2023-12-28  Rework pkey_dh_paramgen()  (Theo Buehler)
Similar to pkey_rsa_paramgen() this function does some strange dances with the pkey_gencb and initialization plus missing error checks. Fix all that and use the idiom established in previous commits. ok jsing
2023-12-28  Rework pkey_dh_keygen()  (Theo Buehler)
Single exit, fix error checking and hold on to the DH by keeping a reference. In other words, switch from EVP_PKEY_assign() to using EVP_PKEY_set1_DH() and free unconditionally in the error path. ok jsing
2023-11-29  Ignore ENGINE at the API boundary  (Theo Buehler)
This removes the remaining ENGINE members from various internal structs and functions. Any ENGINE passed into a public API is now completely ignored; functions returning an ENGINE always return NULL. ok jsing
2023-11-19  Unifdef OPENSSL_NO_ENGINE in libcrypto  (Theo Buehler)
This is mechanical apart from a few manual edits to avoid doubled empty lines. ok jsing
2023-08-13  fix whitespace  (Theo Buehler)
2023-08-12  Drop silly int_ prefix from _free() and _size()  (Theo Buehler)
2023-08-12  Free {priv,pub}_key before assigning to it  (Theo Buehler)
While it isn't the case for the default implementations, custom DH and DSA methods could conceivably populate private and public keys, which in turn would result in leaks in the pub/priv decode methods. ok jsing
2023-08-12  Simplify and unify missing_parameters() for DH and DSA  (Theo Buehler)
ok jsing
2023-08-12  Convert {DH,DSA}_new_method() to using calloc()  (Theo Buehler)
Due to OPENSSL_NO_ENGINE the engine member of dh and dsa is currently uninitialized. As a consequence, {DH,DSA}_get0_engine() will return a garbage pointer, which is particularly bad because the only reason we kept them in the first place is that they are used by some software... A side effect of freeing with {DH,DSA}_free() instead of a hand-rolled version is that we may call ->meth->finish() before ->meth->init() was called. We need a NULL check for ->meth to be on the safe side in case we should need to bring ENGINE back. with nits from djm ok deraadt djm
2023-08-11  Improve variable names in {dh,dsa}_{pub,priv}_{de,en}code()  (Theo Buehler)
Use aint for the ASN1_INTEGER holding the key and astr for the ASN1_STRING holding the parameters. This frees up key and params for their DER encoded versions, matching the naming we use elsewhere much more closely. ok jsing
2023-08-11  Use params{,_len} in {dh,dsa}_params_{en,de}code()  (Theo Buehler)
2023-08-11  Align dh and dsa decoding functions with encoding  (Theo Buehler)
This adds some missing error checks and fixes and unifies error codes which were (as usual) all over the place or just plain nonsense. Use an auxiliary variable for d2i invocations even though it is not really needed here. ok jsing
2023-08-10  Convert {dh,dsa}_{pub,priv}_encode() to single exit  (Theo Buehler)
Use the same variable names throughout these functions and unify them some more. ok jsing
2023-08-10  Clean up {dh,dsa}_pub_encode()  (Theo Buehler)
This brings these two messy functions into more usual shape. There is a lot more that can be done in here. It is a step in the right direction. ok jsing
2023-08-10  Various fixes in {dh,dsa}_priv_encode()  (Theo Buehler)
Avoid creating an ASN1_STRING with negative length, set type, data and length via ASN1_STRING_type_new() and ASN1_STRING_set0() instead of doing this manually. Check return value for i2d_ASN1_INTEGER() and use an intermediate ASN1_OBJECT instead of nested function calls. Finally, clear sensitive data with freezero(). ok jsing
2023-08-03  Make the bn_rand_interval() API a bit more ergonomic  (Theo Buehler)
Provide bn_rand_in_range() which is a slightly tweaked version of what was previously called bn_rand_range(). The way bn_rand_range() is called in libcrypto, the lower bound is always expressible as a word. In fact, most of the time it is 1, the DH code uses a 2, the MR tests in BPSW use 3 and an exceptionally high number appears in the Tonelli-Shanks implementation where we use 32. Converting these lower bounds to BIGNUMs on the call site is annoying so let bn_rand_interval() do that internally and route that through bn_rand_in_range(). This way we can avoid using BN_sub_word(). Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the only caller that uses actual BIGNUMs as lower bounds. ok jsing
2023-07-24  Fix a minibug in DH_check()  (Theo Buehler)
Or in the flag, don't overwrite the already set ones. ok jsing
2023-07-08  Hide symbols in dh  (Bob Beck)
ok tb@
2023-07-07  Mop up remaining uses of ASN1_bn_print()  (Theo Buehler)
This removes lots of silly buffers and will allow us to make this API go away. ok jsing
2023-04-18  Move some includes out of OPENSSL_NO_DEPRECATED  (Theo Buehler)
Some headers were included conditionally on OPENSSL_NO_DEPRECATED in hopes that eventually the mess of everything includes everything will magically resolve itself. Of course everyone would end up building openssl with OPENSSL_NO_DEPRECATED over time... Right. Surprisingly, the ecosystem has come to rely on these implicit inclusions, so about two dozen ports would fail to build because of this. Patching this would be easy but really not worth the effort. ok jsing
2023-04-17  Fix whitespace in DHparam_print_fp()  (Theo Buehler)
2023-04-17  Remove now unused dh_prn.c  (Theo Buehler)
2023-04-17  Move DHparam_print_fp() next to DHparam_print()  (Theo Buehler)
As usual with the fp suffix, the former wraps the latter with a file BIO. There is no reason for this function to be in a separate file.
2023-04-13  The NBs have been duly noted and ignored. Drop them.  (Theo Buehler)
2023-04-13  Zap trailing whitespace  (Theo Buehler)
2023-04-13  Remove files that definitely contain no code anymore  (Theo Buehler)
(experts disagree whether they ever did)
2023-04-13  Move DH_generate_parameters() from dh_depr.c to dh_gen.c  (Theo Buehler)
discussed with jsing
2023-04-09  Move a few functions out of OPENSSL_NO_DEPRECATED  (Theo Buehler)
Geoff Thorpe added OPENSSL_NO_DEPRECATED nearly two decades ago. The hope was that at some point some functions can be dropped. Most of the functions marked deprecated are actually unused nowadays but unfortunately some of them are still used in the ecosystem. Move them out of OPENSSL_NO_DEPRECATED so we can define it without breaking the consumers in the next bump. ERR_remove_state() is still used by a dozen or so ports. This isn't a big deal since it is just a stupid wrapper for the not quite as deprecated ERR_remove_thread_state(). It's not worth patching these ports. Annoyingly, {DH,DSA}_generate_parameters() and RSA_generate_key() are still used. They "make use" of the old-style BN_GENCB callback, which is therefore more difficult to remove - in case you don't know: that's the thing responsible for printing pretty '.', '+' and '*' when you generate keys. Most annoyingly, DH_generate_parameters() was added to rust-openssl in 2020 for "advanced DH support". This is very unfortunate since cargo bundles a rust-openssl and updates it only every few years or so. As a consequence we're going to be stuck with this nonsense for a good while. ok beck jsing
2023-03-07  Call BN_free() instead of BN_clear_free().  (Joel Sing)
BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly instead. ok tb@
2022-12-26  spelling fixes; from paul tagliamonte  (Jason McIntyre)
i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct ok tb
2022-11-26  Make internal header file names consistent  (Theo Buehler)
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
2022-07-13  Simplify computation of max_pub_key = dh->p - 1.  (Theo Buehler)
ok jsing
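Two of the entries in this log concern the parameter and public-key checkers: the 2023-07-24 fix that ORs each DH_check() finding into the flag word instead of overwriting earlier ones, and the 2022-07-13 simplification of max_pub_key = dh->p - 1 above. The following toy is an added illustration of both and is not LibreSSL's code: uint64_t stands in for BIGNUM, the numeric flag values and the toy_ names are this example's own (the flag names mirror those in dh.h), and the checkers return the flag word directly rather than filling an out-parameter as the real API does.

```c
/*
 * Toy DH_check() / DH_check_pub_key(), added to illustrate the two commits
 * above. Not LibreSSL code: uint64_t stands in for BIGNUM, the flag values are
 * this example's own (names mirror dh.h), and the checkers return the flag
 * word directly instead of filling an out-parameter like the real API.
 */
#include <stdbool.h>
#include <stdint.h>

#define DH_CHECK_P_NOT_PRIME       0x01
#define DH_CHECK_P_NOT_SAFE_PRIME  0x02
#define DH_NOT_SUITABLE_GENERATOR  0x08
#define DH_CHECK_Q_NOT_PRIME       0x10
#define DH_CHECK_INVALID_Q_VALUE   0x20
#define DH_CHECK_PUBKEY_TOO_SMALL  0x01
#define DH_CHECK_PUBKEY_TOO_LARGE  0x02
#define DH_CHECK_PUBKEY_INVALID    0x04

struct toy_dh { uint64_t p, q, g; };	/* q == 0: subgroup order unknown */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
	return (uint64_t)((unsigned __int128)a * b % m);
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
	uint64_t r = 1;
	for (b %= m; e != 0; e >>= 1) {
		if (e & 1)
			r = mulmod(r, b, m);
		b = mulmod(b, b, m);
	}
	return r;
}

/* Deterministic Miller-Rabin; these twelve bases are exact for n < 2^64. */
static bool is_prime(uint64_t n)
{
	static const uint64_t bases[] = { 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37 };
	uint64_t d;
	int s = 0;

	if (n < 2)
		return false;
	for (int i = 0; i < 12; i++) {
		if (n == bases[i])
			return true;
		if (n % bases[i] == 0)
			return false;
	}
	for (d = n - 1; (d & 1) == 0; d >>= 1)
		s++;
	for (int i = 0; i < 12; i++) {
		uint64_t x = powmod(bases[i], d, n);
		if (x == 1 || x == n - 1)
			continue;
		for (int r = 1; r < s && x != n - 1; r++)
			x = mulmod(x, x, n);
		if (x != n - 1)
			return false;
	}
	return true;
}

/*
 * Parameter check. Each finding is ORed into flags: assigning instead would
 * drop findings already recorded, which is the 2023-07-24 DH_check() minibug.
 */
int toy_dh_check(const struct toy_dh *dh)
{
	int flags = 0;

	if (!is_prime(dh->p))
		flags |= DH_CHECK_P_NOT_PRIME;
	else if (dh->q == 0 && !is_prime((dh->p - 1) / 2))
		flags |= DH_CHECK_P_NOT_SAFE_PRIME;
	if (dh->p < 5 || dh->g < 2 || dh->g > dh->p - 2)	/* need 1 < g < p - 1 */
		flags |= DH_NOT_SUITABLE_GENERATOR;
	if (dh->q != 0 && dh->p > 1) {
		if (!is_prime(dh->q))
			flags |= DH_CHECK_Q_NOT_PRIME;
		/* q must divide p - 1 and g must have order q. */
		if ((dh->p - 1) % dh->q != 0 || powmod(dh->g, dh->q, dh->p) != 1)
			flags |= DH_CHECK_INVALID_Q_VALUE;
	}
	return flags;
}

/*
 * Peer public key check with max_pub_key = p - 1: accept only
 * 1 < pub < max_pub_key and, when q is known, pub^q == 1 (mod p).
 */
int toy_dh_check_pub_key(const struct toy_dh *dh, uint64_t pub)
{
	uint64_t max_pub_key = dh->p - 1;
	int flags = 0;

	if (pub <= 1)
		flags |= DH_CHECK_PUBKEY_TOO_SMALL;
	if (pub >= max_pub_key)
		flags |= DH_CHECK_PUBKEY_TOO_LARGE;
	if (flags == 0 && dh->q != 0 && dh->p > 1 && powmod(pub, dh->q, dh->p) != 1)
		flags |= DH_CHECK_PUBKEY_INVALID;
	return flags;
}
```

With the constructed parameters p = 23, q = 11, g = 4, toy_dh_check() returns 0, while q = 9 yields both DH_CHECK_Q_NOT_PRIME and DH_CHECK_INVALID_Q_VALUE in one word, which is exactly what an overwriting assignment would lose. The public-key checker rejects 0, 1, p - 1 and anything larger by range alone, and rejects 5 (a value outside the order-11 subgroup) only because q is known; in safe-prime mode (q = 0) the range check is all that is applied.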
2022-07-12  Remove mkerr.pl remnants from LibreSSL  (Klemens Nanni)
This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb
2022-07-07  Expose new API in headers.  (Theo Buehler)
These are mostly security-level related, but there are also ASN1_TIME and ASN_INTEGER functions here, as well as some missing accessors. ok jsing
2022-06-27  Prepare to provide EVP_PKEY_security_bits()  (Theo Buehler)
This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits(). ok beck jsing