path: root/lib/libcrypto/dsa
Age         Author          Commit message

2019-09-09  Joel Sing
    Provide EVP_PKEY_CTX_get_signature_md() macro and implement the EVP_PKEY_CTRL_GET_MD control for DSA, EC and RSA. This is used by the upcoming RSA CMS code.
    ok inoguchi@ tb@

2019-06-04  Theo Buehler
    Readability tweaks for comments that explain the blinding.

2019-06-04  Theo Buehler
    Remove the blinding later to avoid leaking information on the length of kinv. Pointed out and fix suggested by David Schrammel and Samuel Weiser.
    ok jsing

2019-01-20  Theo Buehler
    Fix BN_is_prime_* calls in libcrypto, the API returns -1 on error. From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd by David Benjamin.
    ok djm, jsing

2018-11-09  Theo Buehler
    Initialize priv_key and pub_key on first use instead of at the top.
    ok beck jsing mestre

2018-11-06  Theo Buehler
    unrevert the use of bn_rand_interval().
    ok beck jsing

2018-11-06  Theo Buehler
    revert use of bn_rand_interval due to failures with ECDHE and TLS

2018-11-05  Theo Buehler
    Make use of bn_rand_interval() where appropriate.
    ok beck jsing

2018-11-05  Theo Buehler
    Eliminate a few "} else" branches, a few unneeded NULL checks before freeing and indent nearby labels.
    ok beck jsing

2018-11-05  Theo Buehler
    Remove two unnecessary BN_FLG_CONSTTIME dances: BN_mod_exp_ct() already takes care of this internally.
    ok beck jsing

2018-08-24  Theo Buehler
    Add consts to EVP_PKEY_asn1_set_private()
    Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way.
    tested in a bulk build by sthen
    ok jsing

2018-08-24  Theo Buehler
    After removing support for broken PKCS#8 formats (it was high time), we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there.
    tested in a bulk by sthen
    ok jsing

2018-06-14  Joel Sing
    Use a blinding value when generating a DSA signature, in order to reduce the possibility of a side-channel attack leaking the private key. Suggested by Keegan Ryan at NCC Group.
    With input from and ok tb@

2018-06-14  Joel Sing
    Clarify the digest truncation comment in DSA signature generation.
    Requested by and ok tb@

2018-06-14  Joel Sing
    Pull up the code that converts the digest to a BIGNUM - this only needs to occur once and not be repeated if the signature generation has to be repeated.
    ok tb@

2018-06-14  Joel Sing
    Fix a potential leak/incorrect return value in DSA signature generation.
    In the very unlikely case where we have to repeat the signature generation, the DSA_SIG return value has already been allocated. This will either result in a leak when we allocate again on the next iteration, or it will give a false success (with missing signature values) if any error occurs on the next iteration.
    ok tb@

2018-06-14  Joel Sing
    Call DSA_SIG_new() instead of hand rolling the same.
    ok beck@ tb@

2018-06-14  Joel Sing
    DSA_SIG_new() amounts to a single calloc() call.
    ok beck@ tb@

2018-06-13  Joel Sing
    style(9), comments and whitespace.

2018-06-13  Joel Sing
    Avoid a timing side-channel leak when generating DSA and ECDSA signatures.
    This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group.
    ok beck@ tb@

2018-05-01  Theo Buehler
    Convert a handful of X509_*() functions to take const as in OpenSSL.
    tested in a bulk by sthen
    ok jsing

2018-04-28  Theo Buehler
    Fix a small timing side channel in dsa_sign_setup(). Simple adaptation of OpenSSL commit c0caa945f6ef30363e0d01d75155f20248403df4 to our version of this function.
    ok beck, jsing

    Original commit message:

    commit c0caa945f6ef30363e0d01d75155f20248403df4
    Author: Pauli <paul.dale@oracle.com>
    Date:   Wed Nov 1 06:58:13 2017 +1000

        Address a timing side channel whereby it is possible to determine some information about the length of the scalar used in DSA operations from a large number (2^32) of signatures.

        This doesn't rate as a CVE because:
        * For the non-constant time code, there are easier ways to extract more information.
        * For the constant time code, it requires a significant number of signatures to leak a small amount of information.

        Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue.

        Reviewed-by: Andy Polyakov <appro@openssl.org>
        Reviewed-by: Matt Caswell <matt@openssl.org>
        (Merged from https://github.com/openssl/openssl/pull/4576)]

2018-04-14  Theo Buehler
    make ENGINE_finish() succeed on NULL and simplify callers as in OpenSSL commit 7c96dbcdab9 by Rich Salz. This cleans up the caller side quite a bit and reduces the number of lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net shows that almost nothing checks the return value of ENGINE_finish(). While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.
    ok jsing, tested by & ok inoguchi

2018-03-17  Theo Buehler
    Add DSA_meth_{dup,free,new,set_{finish,sign}}()
    As in RSA_meth_*, note that these functions return NULL in out-of-memory situations, but they do not set an error explicitly.
    ok jsing

2018-02-20  Theo Buehler
    Provide DSA_get0_engine()
    ok jsing

2018-02-20  Theo Buehler
    Provide DSA_SIG_{g,s}et0()
    ok jsing

2018-02-20  Theo Buehler
    Provide DSA_{clear,set,test}_flags()
    ok jsing

2018-02-18  Theo Buehler
    Provide {DH,DSA}_set0_key(). Requested by sthen.
    ok jsing

2018-02-18  Theo Buehler
    Provide DSA_set0_pqg.
    ok jsing

2018-02-17  Joel Sing
    s/DH/DSA/

2018-02-17  Theo Buehler
    Provide further parts of the OpenSSL 1.1 API: {DH,DSA}_get0_{key,pqg}(), EVP_PKEY_get0_{DH,DSA,RSA}(), RSA_{g,s}et0_key().
    ok jsing
2017-05-02  Theo de Raadt
    use freezero() instead of memset/explicit_bzero + free. Substantially reduces conditional logic (-218, +82). MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c wasn't quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely. Passes regress.
    ok beck
2017-01-29  Bob Beck
    Send the function codes from the error functions to the bit bucket, as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this.
    ok jsing@ inoguchi@

2017-01-21  Bob Beck
    Add ct and nonct versions of BN_mod_inverse for internal use
    ok jsing@

2017-01-21  Bob Beck
    Split out BN_div and BN_mod into ct and nonct versions for Internal use.
    ok jsing@
2017-01-21  Bob Beck
    Make explicit _ct and _nonct versions of bn_mod_exp functions that matter for constant time, and make the public interface only used external to the library. This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same.
    ok jsing@
2016-12-30  Joel Sing
    Expand ASN1_ITEM_rptr macro - no change in generated assembly.

2016-12-21  Joel Sing
    Explicitly export a list of symbols from libcrypto.
    Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting the bn_* symbols. These are documented as only being intended for internal use, so why they were placed in a public header is beyond me... This hides 363 previously exported symbols, most of which exist in headers that are not installed and were never intended to be public. This also removes a few crusty old things that should have died long ago (like _ossl_old_des_read_pw). But don't worry... there are still 3451 symbols exported from the library.
    With input and testing from inoguchi@.
    ok beck@ inoguchi@

2016-11-04  Joel Sing
    Kill a bunch of OLD_ASN1 usage by replacing ASN1_{d2i,i2d}_* with ASN1_item_{d2i,i2d}_* equivalents.
    ok guenther@ miod@

2016-10-19  Joel Sing
    unifdef OPENSSL_NO_CMS

2016-06-30  Brent Cook
    Remove flags for disabling constant-time operations.
    This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. Based on the original patch by César Pereid.
    ok beck@

2016-06-21  Brent Cook
    Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior.
    Improved patch from Cesar Pereida. See https://github.com/libressl-portable/openbsd/pull/61 for more details.
    ok beck@

2016-06-06  Ted Unangst
    Set BN_FLG_CONSTTIME on the correct variable. beck committed wrong fix.
    Mistake noted by Billy Brumley. Many thanks.

2016-06-06  Bob Beck
    Correct a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set. This issue was reported by Cesar Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). The fix was developed by Cesar Pereida.

2016-03-01  Doug Hogan
    Remove support for ancient, broken DSA implementations.
    Based on a few OpenSSL commits:
      Remove ancient DSA workarounds
        commit ab4a81f69ec88d06c9d8de15326b9296d7f498ed
      Remove workaround for broken DSA implementations using negative integers
        commit dfb10af92e9663ce4eefaa1d6b678817fa85344d
      Typo in error name (EVP_R_DECODE_ERROR -> DSA_R_DECODE_ERROR)
        commit f6fb7f1856d443185c23f1a5968c08b4269dd37d
    ok beck@

2015-10-13  Joel Sing
    Group d2i/i2d function prototypes by type and add missing externs for the DSAPublicKey, DSAPrivateKey and DSAparams ASN1_ITEMs.

2015-09-26  Joel Sing
    We don't need no stinking "EXAMPLE OF THE DSA" or README (the credits are already in the code).
    ok beck@ miod@
2015-09-10  Miod Vallat
    When loading a DSA key from a raw (without DH parameters) ASN.1 serialization, perform some consistency checks on its `p' and `q' values, and return an error if the checks failed. Thanks to Georgi Guninski (guninski at guninski dot com) for mentioning the possibility of a weak (non prime) q value and providing a test case. See https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html for a longer discussion.
    ok bcook@ beck@
2015-09-10  Brent Cook
    Fix an incorrect error check in DSA verify.
    From Matt Caswell's OpenSSL commit "RT3192: spurious error in DSA verify".
    https://github.com/openssl/openssl/commit/eb63bce040d1cc6147d256f516b59552c018e29b

2015-07-15  Miod Vallat
    Fix inverted test in previous. Commit message told what we intended, but we did not notice my fingers slipping. Noticed by bcook@