path: root/lib/libcrypto/dsa
Age         Commit message  (Author)

2022-08-31  nasty whitespace  (Theo Buehler)

2022-08-31  Rework DSA_size() and ECDSA_size()  (Theo Buehler)
    DSA_size() and ECDSA_size() have a very special hack. They fudge up an ASN1_INTEGER with a size which is typically > 100 bytes, backed by a buffer of size 4. This was "fine", however, since they set buf[0] = 0xff, where the craziness that was i2c_ASN1_INTEGER() only looks at the first octet (one may then ask why a buffer of size 4 was necessary...). This changed with the rewrite of i2c_ASN1_INTEGER(), which doesn't respect this particular hack and rightly assumes that it is fed an actual ASN1_INTEGER... Instead, create an appropriate signature and use i2d to determine its size. Fixes an out-of-bounds read flagged by ASAN and oss-fuzz. ok jsing

2022-07-12  Remove mkerr.pl remnants from LibreSSL  (Klemens Nanni)
    This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb

2022-07-11  fix NULL return adding missing semicolon  (Brent Cook)
    ok tb@

2022-07-07  Expose new API in headers.  (Theo Buehler)
    These are mostly security-level related, but there are also ASN1_TIME and ASN_INTEGER functions here, as well as some missing accessors. ok jsing

2022-07-04  Prepare to provide DSA_meth_{get0,set1}_name()  (Theo Buehler)
    Also follow OpenSSL by making the name non-const to avoid ugly casting. Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in https://github.com/libressl-portable/openbsd/issues/130 ok jsing sthen

2022-06-27  Prepare to provide EVP_PKEY_security_bits()  (Theo Buehler)
    This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits(). ok beck jsing

2022-06-27  Prepare to provide DSA_security_bits()  (Theo Buehler)
    ok beck jsing

2022-05-07  zap stray tab  (Theo Buehler)

2022-05-07  KNF nits  (Theo Buehler)

2022-04-07  Avoid infinite loop on parsing DSA private keys  (Theo Buehler)
    DSA private keys with ill-chosen g could cause an infinite loop on deserializing. Add a few sanity checks that ensure that g is according to FIPS 186-4: check 1 < g < p and g^q == 1 (mod p). This is enough to ascertain that g is a generator of a multiplicative group of order q once we know that q is prime (which is checked a bit later). Issue reported with reproducers by Hanno Boeck. Additional variants and analysis by David Benjamin. ok beck jsing

2022-02-24  Remove accidentally committed debug code.  (Theo Buehler)

2022-02-24  Minor tweaks  (Theo Buehler)
    i is a silly name for BN_num_bits(dsa->q); move a comment for readability.

2022-02-24  Add sanity checks on p and q in old_dsa_priv_decode()  (Theo Buehler)
    dsa_do_verify() has checks on dsa->p and dsa->q that ensure that p isn't overly long and that q has one of the three allowed lengths specified in FIPS 186-3, namely 160, 224, or 256. Do these checks on deserialization of DSA keys without parameters. This means that we will now reject keys we would previously deserialize. Such keys are useless in that signatures generated by them would be rejected by both LibreSSL and OpenSSL. This avoids a timeout flagged in oss-fuzz #26899 due to a ridiculous DSA key whose q has size 65KiB. The timeout comes from additional checks on DSA keys added by miod in dsa_ameth.c r1.18, especially checking such a humongous number for primality is expensive. ok jsing

2022-01-15  Minor cleanup and simplification in dsa_pub_encode()  (Theo Buehler)
    This function has a weird dance of allocating an ASN1_STRING in an inner scope and assigning it to a void pointer in an outer scope for passing it to X509_PUBKEY_set0_param() and ASN1_STRING_free() on error. This can be simplified and streamlined. ok inoguchi

2022-01-14  Simplify DSAPublicKey_it  (Theo Buehler)
    This was obtained by porting the OpenSSL commit below and then using expand_crypto_asn1.go to unroll the new ASN.1 macros - actually the ones from 987157f6f63 which fixed the omission of dsa_cb() in the first commit. ok inoguchi jsing

    commit ea6b07b54c1f8fc2275a121cdda071e2df7bd6c1
    Author: Dr. Stephen Henson <steve@openssl.org>
    Date:   Thu Mar 26 14:35:49 2015 +0000

        Simplify DSA public key handling.

        DSA public keys could exist in two forms: a single Integer type or a SEQUENCE containing the parameters and public key with a field called "write_params" deciding which form to use. These forms are non standard and were only used by functions containing "DSAPublicKey" in the name. Simplify code to only use the parameter form and encode the public key component directly in the DSA public key method.

        Reviewed-by: Richard Levitte <levitte@openssl.org>

2022-01-14  Make DSA opaque  (Theo Buehler)
    This moves DSA_SIG, DSA and DSA_METHOD to dsa_locl.h. ok inoguchi jsing

2022-01-14  Unifdef LIBRESSL_OPAQUE_* and LIBRESSL_NEXT_API  (Theo Buehler)
    This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits).

2022-01-07  Prepare the move of DSA_SIG, DSA_METHOD and DSA to dsa_locl.h by  (Theo Buehler)
    including the local header where it will be needed. discussed with jsing

2022-01-07  Add an essentially empty dh_local.h and include it in the files where  (Theo Buehler)
    it will be needed in the upcoming bump. discussed with jsing

2022-01-05  Prepare to provide DSA_bits()  (Theo Buehler)
    Used by Qt5 and Qt6 and slightly reduces the patching in there. ok inoguchi jsing

2022-01-05  Prepare to provide DSA_get0_{p,q,g,{priv,pub}_key}()  (Theo Buehler)
    ok inoguchi jsing

2021-12-12  Include evp_locl.h where it will be needed once most structs from  (Theo Buehler)
    evp.h will be moved to evp_locl.h in an upcoming bump. ok inoguchi

2021-12-04  Add #include "bn_lcl.h" to the files that will soon need it.  (Theo Buehler)
    ok inoguchi jsing

2021-11-29  Crank the number of rounds of Miller-Rabin from 50 to 64  (Theo Buehler)
    for DSA key generation. From Kurt Roeckx, OpenSSL 74ee3796 ok bcook inoguchi jsing

2019-11-01  Add DSA CMS support.  (Joel Sing)
    From OpenSSL 1.1.1d. ok tb@

2019-09-09  Provide EVP_PKEY_CTX_get_signature_md() macro and implement the  (Joel Sing)
    EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the upcoming RSA CMS code. ok inoguchi@ tb@

2019-06-04  Readability tweaks for comments that explain the blinding.  (Theo Buehler)

2019-06-04  Remove the blinding later to avoid leaking information on the length  (Theo Buehler)
    of kinv. Pointed out and fix suggested by David Schrammel and Samuel Weiser ok jsing

2019-01-20  Fix BN_is_prime_* calls in libcrypto, the API returns -1 on error.  (Theo Buehler)
    From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd by David Benjamin. ok djm, jsing

2018-11-09  Initialize priv_key and pub_key on first use instead of at the top.  (Theo Buehler)
    ok beck jsing mestre

2018-11-06  unrevert the use of bn_rand_interval().  (Theo Buehler)
    ok beck jsing

2018-11-06  revert use of bn_rand_interval due to failures with ECDHE and TLS  (Theo Buehler)

2018-11-05  Make use of bn_rand_interval() where appropriate.  (Theo Buehler)
    ok beck jsing

2018-11-05  Eliminate a few "} else" branches, a few unneeded NULL checks before  (Theo Buehler)
    freeing and indent nearby labels. ok beck jsing

2018-11-05  Remove two unnecessary BN_FLG_CONSTTIME dances: BN_mod_exp_ct() already  (Theo Buehler)
    takes care of this internally. ok beck jsing

2018-08-24  Add consts to EVP_PKEY_asn1_set_private()  (Theo Buehler)
    Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way. tested in a bulk build by sthen ok jsing

2018-08-24  After removing support for broken PKCS#8 formats (it was high time),  (Theo Buehler)
    we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there. tested in a bulk by sthen ok jsing

2018-06-14  Use a blinding value when generating a DSA signature, in order to reduce  (Joel Sing)
    the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group. With input from and ok tb@

2018-06-14  Clarify the digest truncation comment in DSA signature generation.  (Joel Sing)
    Requested by and ok tb@

2018-06-14  Pull up the code that converts the digest to a BIGNUM - this only needs  (Joel Sing)
    to occur once and not be repeated if the signature generation has to be repeated. ok tb@

2018-06-14  Fix a potential leak/incorrect return value in DSA signature generation.  (Joel Sing)
    In the very unlikely case where we have to repeat the signature generation, the DSA_SIG return value has already been allocated. This will either result in a leak when we allocate again on the next iteration, or it will give a false success (with missing signature values) if any error occurs on the next iteration. ok tb@

2018-06-14  Call DSA_SIG_new() instead of hand rolling the same.  (Joel Sing)
    ok beck@ tb@

2018-06-14  DSA_SIG_new() amounts to a single calloc() call.  (Joel Sing)
    ok beck@ tb@

2018-06-13  style(9), comments and whitespace.  (Joel Sing)

2018-06-13  Avoid a timing side-channel leak when generating DSA and ECDSA signatures.  (Joel Sing)
    This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@

2018-05-01  Convert a handful of X509_*() functions to take const as in OpenSSL.  (Theo Buehler)
    tested in a bulk by sthen ok jsing

2018-04-28  Fix a small timing side channel in dsa_sign_setup(). Simple adaptation  (Theo Buehler)
    of OpenSSL commit c0caa945f6ef30363e0d01d75155f20248403df4 to our version of this function. ok beck, jsing

    Original commit message:

    commit c0caa945f6ef30363e0d01d75155f20248403df4
    Author: Pauli <paul.dale@oracle.com>
    Date:   Wed Nov 1 06:58:13 2017 +1000

        Address a timing side channel whereby it is possible to determine some information about the length of the scalar used in DSA operations from a large number (2^32) of signatures.

        This doesn't rate as a CVE because:
        * For the non-constant time code, there are easier ways to extract more information.
        * For the constant time code, it requires a significant number of signatures to leak a small amount of information.

        Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue.

        Reviewed-by: Andy Polyakov <appro@openssl.org>
        Reviewed-by: Matt Caswell <matt@openssl.org>
        (Merged from https://github.com/openssl/openssl/pull/4576)

2018-04-14  make ENGINE_finish() succeed on NULL and simplify callers as in  (Theo Buehler)
    OpenSSL commit 7c96dbcdab9 by Rich Salz. This cleans up the caller side quite a bit and reduces the number of lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net shows that almost nothing checks the return value of ENGINE_finish(). While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'. ok jsing, tested by & ok inoguchi

2018-03-17  Add DSA_meth_{dup,free,new,set_{finish,sign}}()  (Theo Buehler)
    As in RSA_meth_*, note that these functions return NULL in out-of-memory situations, but they do not set an error explicitly. ok jsing