IABSD.fr/src/lib/libcrypto/dh

Log

Commit Date Message
cd5380a6 2026-01-23 08:32:22 DH_check: teach this DoS vector about RFC 7919 primes ok beck
9ac14cf7 2026-01-23 08:21:52 Scapy special for DH_check() The latest release of Scapy calls DH_check() on all the well-known Diffie-Hellman parameters for RFCs 2409, 3526, and 7919. It does this via pyca/cryptography at startup. Every single time. This is obviously very expensive, due to our 64 MR rounds (which are complete overkill now that we have BPSW). Instead of pondering the ideal number of rounds for BPSW with FFDH, simply skip the check if the parameter matches a well-known prime. These are known to be safe primes, so we can skip those super-expensive and pointless checks without any risk. This is only done for the public dh->p parameter. It could be further optimized, but with the follow-up commit adding the RFC 7919 primes this reduces the startup time to what it was before Scapy 2.7.0: < 1s. Reverting from 64 MR rounds to BN_check_primes rounds, we would still have ~8s startup time without this optimization, which isn't great for an interactive tool. Clearly, it's not entirely our fault, it's also Scapy and cryptography that do something ... suboptimal, but I think we're better off if DH_check() isn't a complete DoS vector. If you're using non-standard parameters with FFDH, you deserve it. We could consider adding a flag for non-well-known p and thus making DH_check() indicate failure for candidate primes larger than, say, 4k. https://github.com/pyca/cryptography/issues/14048 ok beck kenjiro
27854fe4 2025-05-10 05:54:38 Use err_local.h rather than err.h in most places ok jsing
515aa502 2025-01-25 17:59:44 Remove #error if OPENSSL_NO_FOO is defined discussed with jsing
10f20e90 2025-01-17 05:04:25 dh_ameth: explcitly -> explicitly
15073478 2024-11-29 15:59:57 Remove X9.42 DH rudiments In the unlikely event that we should ever decide to implement this after a quarter century of not needing it, we can readily put this back. Until then this is dead weight. prompted by a question by djm ok jsing
d2a56ad6 2024-11-29 07:42:35 Remove weird pad member that was never set to zero after malloc() so the weird thing it was supposed to be doing couldn't possibly work. ok jsing
13c70bae 2024-08-30 17:44:56 Garbage collect the DH_check*_ex() API This was only needed by the EVP_PKEY_*check() API, which was defanged. So this silly garbage can now go: it translated flags to errors on the error stack so that openssl *check could print ugly errors while DoS-ing the user. ok beck
a8d73a0e 2024-08-29 16:58:19 Remove the pkey_{,public_,param_}check() handlers This disables the EVP_PKEY_*check() API and makes it fail (more precisely indicate lack of support) on all key types. This is an intermediate step to full removal. Removal is ok beck jsing
1e10d066 2024-08-26 22:00:47 replace strtol(3) usage with strtonum(3); idea/ok/tweaks tb@
3dca7526 2024-06-24 06:43:22 libcrypto: constify most error string tables These constitute the bulk of the remaining global mutable state in libcrypto. This commit moves most of them into data.rel.ro, leaving out ERR_str_{functs,libraries,reasons} (which require a slightly different approach) and SYS_str_reasons which is populated on startup. The main observation is that if ERR_load_strings() is called with a 0 lib argument, the ERR_STRING_DATA argument is not actually modified. We could use this fact to cast away const on the caller side and be done with it. We can make this cleaner by adding a helper ERR_load_const_strings() which explicitly avoids the assignment to str->error overriding the error code already set in the table. In order for this to work, we need to sprinkle some const in err/err.c. CMS called ERR_load_strings() with non-0 lib argument, but this didn't actually modify the error data since it ored in the value already stored in the table. Annoyingly, we need to cast const away once, namely in the call to lh_insert() in int_err_set_item(). Fixing this would require changing the public API and is going to be tricky since it requires that the LHASH_DOALL_FN_* types adjust. ok jsing
7caac9b4 2024-05-19 08:22:40 Add space after commas
3582c311 2024-05-19 08:21:13 KNF for dh_err and dsa_err
fbadb84b 2024-05-09 20:43:36 Make the DH_METHOD static const
f5e89b37 2024-05-09 20:40:42 Move public API and DH_METHOD to the bottom of the file no functional change
e282ca66 2024-04-15 15:47:37 DHparam_it becomes static, too ok jsing
e45bbcd5 2024-03-27 01:26:30 Use dh for DH function arguments. No need for a variety of r, d, ...
d230cbd2 2024-03-27 01:22:30 Unify *_up_ref() implementations No need for an inconsistently named local variable and a ternary operator. ok jsing
9ed721ec 2024-01-04 17:01:26 Replace .pkey_base_id with a .base_method pointer Every EVP_PKEY_ASN1_METHOD is either an ASN.1 method or an alias. As such it resolves to an underlying ASN.1 method (in one step). This information can be stored in a base_method pointer in allusion to the pkey_base_id, which is the name for the nid (aka pkey_id aka type) of the underlying method. For an ASN.1 method, the base method is itself, so the base method is set as a pointer to itself. For an alias it is of course a pointer to the underlying method. Then obviously ameth->pkey_base_id is the same as ameth->base_method->pkey_id, so rework all ASN.1 methods to follow that. ok jsing
9c6b3ee3 2024-01-01 16:01:48 kill gross whitespace
cb6b0a5e 2023-12-28 22:10:33 Rework pkey_dh_paramgen() Similar to pkey_rsa_paramgen() this function does some strange dances with the pkey_gencb and initialization plus missing error checks. Fix all that and use the idiom established in previous commits. ok jsing
3b26100e 2023-12-28 22:06:41 Rework pkey_dh_keygen() Single exit, fix error checking and hold on to the DH by keeping a reference. In other words, switch from EVP_PKEY_assign() to using EVP_PKEY_set1_DH() and free unconditionally in the error path. ok jsing
592331b2 2023-11-29 21:35:57 Ignore ENGINE at the API boundary This removes the remaining ENGINE members from various internal structs and functions. Any ENGINE passed into a public API is now completely ignored; functions returning an ENGINE always return NULL. ok jsing
87978dd9 2023-11-19 15:46:09 Unifdef OPENSSL_NO_ENGINE in libcrypto This is mechanical apart from a few manual edits to avoid doubled empty lines. ok jsing
ce5197b5 2023-08-13 12:09:14 fix whitespace
7244e844 2023-08-12 07:59:48 Drop silly int_ prefix from _free() and _size()
52d22fd7 2023-08-12 07:50:47 Free {priv,pub}_key before assigning to it While it isn't the case for the default implementations, custom DH and DSA methods could conceivably populate private and public keys, which in turn would result in leaks in the pub/priv decode methods. ok jsing
a13d6b7a 2023-08-12 07:43:48 Simplify and unify missing_parameters() for DH and DSA ok jsing
e498bf2d 2023-08-12 06:14:36 Convert {DH,DSA}_new_method() to using calloc() Due to OPENSSL_NO_ENGINE the engine member of dh and dsa is currently uninitialized. As a consequence, {DH,DSA}_get0_engine() will return a garbage pointer, which is particularly bad because the only reason we kept them in the first place is that they are used by some software... A side effect of freeing with {DH,DSA}_free() instead of a hand-rolled version is that we may call ->meth->finish() before ->meth->init() was called. We need a NULL check for ->meth to be on the safe side in case we should need to bring ENGINE back. with nits from djm ok deraadt djm
5c3bbfbb 2023-08-11 13:57:24 Improve variable names in {dh,dsa}_{pub,priv}_{de,en}code() Use aint for the ASN1_INTEGER holding the key and astr for the ASN1_STRING holding the parameters. This frees up key and params for their DER encoded versions, matching the naming we use elsewhere much more closely. ok jsing
e6a172b0 2023-08-11 13:53:45 Use params{,_len} in {dh,dsa}_params_{en,de}code()
b42bcaec 2023-08-11 11:32:19 Align dh and dsa decoding functions with encoding This adds some missing error checks and fixes and unifies error codes which were (as usual) all over the place or just plain nonsense. Use an auxiliary variable for d2i invocations even though it is not really needed here. ok jsing
fed21370 2023-08-10 16:57:15 Convert {dh,dsa}_{pub,priv}_encode() to single exit Use the same variable names throughout these functions and unify them some more. ok jsing
0e358455 2023-08-10 15:11:16 Clean up {dh,dsa}_pub_encode() This brings these two messy functions into more usual shape. There is a lot more that can be done in here. It is a step in the right direction. ok jsing
d4662417 2023-08-10 09:43:51 Various fixes in {dh,dsa}_priv_encode() Avoid creating an ASN1_STRING with negative length, set type, data and length via ASN1_STRING_type_new() and ASN1_STRING_set0() instead of doing this manually. Check return value for i2d_ASN1_INTEGER() and use an intermediate ASN1_OBJECT instead of nested function calls. Finally, clear sensitive data with freezero(). ok jsing
12347e81 2023-08-03 18:53:55 Make the bn_rand_interval() API a bit more ergonomic Provide bn_rand_in_range() which is a slightly tweaked version of what was previously called bn_rand_range(). The way bn_rand_range() is called in libcrypto, the lower bound is always expressible as a word. In fact, most of the time it is 1, the DH code uses a 2, the MR tests in BPSW use 3 and an exceptionally high number appears in the Tonelli-Shanks implementation where we use 32. Converting these lower bounds to BIGNUMs on the call site is annoying so let bn_rand_interval() do that internally and route that through bn_rand_in_range(). This way we can avoid using BN_sub_word(). Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the only caller that uses actual BIGNUMs as lower bounds. ok jsing
2da88a04 2023-07-24 16:25:02 Fix a minibug in DH_check() Or in the flag, don't overwrite the already set ones. ok jsing
d6d0b2f3 2023-07-08 15:29:03 Hide symbols in dh ok tb@
549c133b 2023-07-07 06:59:18 Mop up remaining uses of ASN1_bn_print() This removes lots of silly buffers and will allow us to make this API go away. ok jsing
c6a6590f 2023-04-18 08:33:43 Move some includes out of OPENSSL_NO_DEPRECATED Some headers were included conditionally on OPENSSL_NO_DEPRECATED in hopes that eventually the mess of everything includes everything will magically resolve itself. Of course everyone would end up building openssl with OPENSSL_NO_DEPRECATED over time... Right. Surprisingly, the ecosystem has come to rely on these implicit inclusions, so about two dozen ports would fail to build because of this. Patching this would be easy but really not worth the effort. ok jsing
28db4cbb 2023-04-17 05:57:17 Fix whitespace in DHparam_print_fp()
b6daaadc 2023-04-17 05:54:41 Remove now unused dh_prn.c
cf220632 2023-04-17 05:51:16 Move DHparam_print_fp() next to DHparam_print() As usual with the fp suffix, the former wraps the latter with a file BIO. There is no reason for this function to be in a separate file.
cd34b3ea 2023-04-13 15:18:29 The NBs have been duly noted and ignored. Drop them.
0ec53076 2023-04-13 15:15:43 Zap trailing whitespace
d9d87315 2023-04-13 15:04:19 Remove files that definitely contain no code anymore (experts disagree whether they ever did)
d442cf7a 2023-04-13 14:57:00 Move DH_generate_parameters() from dh_depr.c to dh_gen.c discussed with jsing
e4c559e8 2023-04-09 19:10:23 Move a few functions out of OPENSSL_NO_DEPRECATED Geoff Thorpe added OPENSSL_NO_DEPRECATED nearly two decades ago. The hope was that at some point some functions can be dropped. Most of the functions marked deprecated are actually unused nowadays but unfortunately some of them are still used in the ecosystem. Move them out of OPENSSL_NO_DEPRECATED so we can define it without breaking the consumers in the next bump. ERR_remove_state() is still used by a dozen or so ports. This isn't a big deal since it is just a stupid wrapper for the not quite as deprecated ERR_remove_thread_state(). It's not worth patching these ports. Annoyingly, {DH,DSA}_generate_parameters() and RSA_generate_key() are still used. They "make use" of the old-style BN_GENCB callback, which is therefore more difficult to remove - in case you don't know: that's the thing responsible for printing pretty '.', '+' and '*' when you generate keys. Most annoyingly, DH_generate_parameters() was added to rust-openssl in 2020 for "advanced DH support". This is very unfortunate since cargo bundles a rust-openssl and updates it only every few years or so. As a consequence we're going to be stuck with this nonsense for a good while. ok beck jsing
c11f7855 2023-03-07 09:27:10 Call BN_free() instead of BN_clear_free(). BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly instead. ok tb@
71743258 2022-12-26 07:18:50 spelling fixes; from paul tagliamonte i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct ok tb
c9675a23 2022-11-26 16:08:50 Make internal header file names consistent Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
4ce274f7 2022-07-13 18:38:20 Simplify computation of max_pub_key = dh->p - 1. ok jsing
aeccd9ed 2022-07-12 14:42:48 Remove mkerr.pl remnants from LibreSSL This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb
d30c34e0 2022-07-07 13:01:28 Expose new API in headers. These are mostly security-level related, but there are also ASN1_TIME and ASN_INTEGER functions here, as well as some missing accessors. ok jsing
5cdf0398 2022-06-27 12:36:05 Prepare to provide EVP_PKEY_security_bits() This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits(). ok beck jsing
fee21fef 2022-06-27 12:31:38 Prepare to provide DH_security_bits() ok beck jsing
7cd40e1c 2022-01-20 11:00:34 Add check for BIO_indent return value CID 24812 ok jsing@ millert@ tb@
34372826 2022-01-14 08:25:44 Make structs in dh.h opaque This moves the struct internals for DH and DH_METHOD to dh_local.h. ok inoguchi jsing
326063fd 2022-01-14 07:49:49 Unifdef LIBRESSL_OPAQUE_* and LIBRESSL_NEXT_API This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits).
262d8ecc 2022-01-10 12:10:26 Prepare to provide EVP_PKEY_{public,param}_check This implements checking of a public key and of key generation parameters for DH and EC keys. With the same logic and setters and const quirks as for EVP_PKEY_check(). There are a couple of quirks: For DH no default EVP_PKEY_check() is implemented, instead EVP_PKEY_param_check() calls DH_check_ex() even though DH_param_check_ex() was added for this purpose. EVP_PKEY_public_check() for EC curves also checks the private key if present. ok inoguchi jsing
ef053c5d 2022-01-10 12:00:52 Provide DH_check*_ex and many error codes DH_check{,_pub_key}_ex() wrap their non-ex versions to translate the flags argument of the original functions into OpenSSL errors. For this almost a dozen new error codes need to be added. DH_params_check{,_ex}() is a new version of DH_check that only performs a cheap subset of the checks. They are needed to implement EVP_PKEY_{public,param}_check() (observe the consistent naming) although the actual implementation of EVP_PKEY_param_check() chose to use DH_check_ex(). As far as I can tell, the only raison d'être of the _ex functions and error codes is to spew them to stderr in a couple of openssl(1) commands. This couldn't have been solved differently... These functions will not be exposed publicly. ok inoguchi jsing
657fbe7d 2022-01-10 00:09:06 zap trailing whitespace
a69386be 2022-01-07 09:27:13 Add an essentially empty dh_local.h and include it in the files where it will be needed in the upcoming bump. discussed with jsing
e8300e2c 2022-01-07 09:21:21 zap trailing whitespace
7c7e4506 2022-01-05 20:36:29 Prepare to provide DH_get_length() Will be needed by openssl(1) dhparam. ok inoguchi jsing
d742c600 2022-01-05 20:30:16 Prepare to provide DH_get0_{p,q,g,{priv,pub}_key}() These are accessors that allow getting one specific DH member. They are less error prone than the current getters DH_get0_{pqg,key}(). They are used by many ports and will also be used in base for this reason. Who can remember whether the pub_key or the priv_key goes first in DH_get0_key()? ok inoguchi jsing
bc366ef8 2021-12-12 21:30:13 Include evp_locl.h where it will be needed once most structs from evp.h will be moved to evp_locl.h in an upcoming bump. ok inoguchi
adfe9e36 2021-12-05 13:45:26 Simplify DH_check_params a bit. It makes no sense to allocate an entire BN_CTX if we only use it to get a single BIGNUM, from which we subtract 1 to compare it to g. We can just use a plain BIGNUM and delete a bunch of lines. ok inoguchi jsing
636d4f5a 2021-12-04 16:08:32 Add #include "bn_lcl.h" to the files that will soon need it. ok inoguchi jsing
79207923 2021-11-29 20:02:14 Clean up DH_check_pub_key() and ensure that y^q (mod p) == 1. This aligns our behavior with OpenSSL 1.1.1 which includes a mitigation for small subgroup attacks. This did not affect LibreSSL since we do not support X9.42 style parameter files or RFC 5114. The meat of this commit is from Matt Caswell, OpenSSL b128abc3 ok inoguchi jsing
0cbf20e4 2021-11-29 19:54:07 Increase number of iterations in Miller-Rabin checks for DH. BN_prime_checks is only to be used for random input. Here, the input isn't random, so increase the number of checks. According to https://eprint.iacr.org/2019/032, 64 rounds is suitable. From Jake Massimo, OpenSSL 1.1.1, af6ce3b4 ok inoguchi jsing
2cad8c6e 2021-11-29 19:47:47 Synchronize DH_check() mostly with OpenSSL 1.1.1 with some simplifications and readability tweaks. This ensures in particular that dh->q is suitable if present. Based on work by Stephen Henson and Bernd Edlinger in OpenSSL. Issues with the current implementation found via regression tests in py-cryptography. ok inoguchi jsing
aacfb2c7 2021-11-29 19:41:02 Provide a version of DH_check_params() for internal use. Based on the version in OpenSSL 1.1.1l with minor tweaks. ok inoguchi jsing
c44f9f1f 2021-11-29 19:34:51 Provide a number of flags for DH_check and DH_check_pubkey that will be used in subsequent commits. ok inoguchi jsing
1085073b 2021-11-23 09:53:45 In DH_set0_pqg() also set dh->length if q is set to match what OpenSSL do. ok inoguchi jsing
cb943ddc 2020-01-04 13:57:43 Avoid leak in error path of dh_priv_decode ok jsing@ tb@
9af159c9 2019-01-20 01:56:59 Fix BN_is_prime_* calls in libcrypto, the API returns -1 on error. From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd by David Benjamin. ok djm, jsing
f03cf33c 2018-11-12 17:39:17 Missing initialization for pub_key. CID 184303. ok bcook
4435d402 2018-11-09 23:49:18 Initialize priv_key and pub_key on first use instead of at the top. While there, eliminate a flag that was only used once. ok beck jsing mestre
8a144a0f 2018-11-06 07:02:33 unrevert the use of bn_rand_interval(). ok beck jsing
a5fe48f9 2018-11-06 02:14:39 revert use of bn_rand_interval due to failures with ECDHE and TLS
99212bcc 2018-11-05 23:54:27 Make use of bn_rand_interval() where appropriate. ok beck jsing
eb7398b7 2018-11-05 23:50:05 Eliminate a few "} else" branches, a few unneeded NULL checks before freeing and indent nearby labels. ok beck jsing
a5369e1a 2018-11-05 23:46:16 Remove two unnecessary BN_FLG_CONSTTIME dances: BN_mod_exp_ct() already takes care of this internally. ok beck jsing
8d6bc8b3 2018-08-24 20:22:15 Add consts to EVP_PKEY_asn1_set_private() Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way. tested in a bulk build by sthen ok jsing
eb5c5266 2018-08-24 20:17:33 After removing support for broken PKCS#8 formats (it was high time), we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there. tested in a bulk by sthen ok jsing
eedff511 2018-06-12 15:33:18 zap stray tab
54293529 2018-06-12 15:32:54 Reject excessively large primes in DH key generation. Problem reported by Guido Vranken to OpenSSL (https://github.com/openssl/openssl/pull/6457) and based on his diff. suggestions from tb@, ok tb@ jsing@ "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack."
7e67e88e 2018-05-02 15:48:38 Remove incorrect NULL checks in DH_set0_key(). Reported by Ondřej Surý, LibreSSL-portable issue #92. ok inoguchi, jsing
0267c206 2018-05-01 19:01:27 Convert a handful of X509_*() functions to take const as in OpenSSL. tested in a bulk by sthen ok jsing
341fd9e0 2018-04-14 07:09:21 make ENGINE_finish() succeed on NULL and simplify callers as in OpenSSL commit 7c96dbcdab9 by Rich Salz. This cleans up the caller side quite a bit and reduces the number of lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net shows that almost nothing checks the return value of ENGINE_finish(). While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'. ok jsing, tested by & ok inoguchi
dfbc7a43 2018-02-22 16:41:04 Provide DH_get0_engine().
4beaa5f5 2018-02-20 21:11:15 Fix bogus check. Spotted by brynet, thanks.
57addcd0 2018-02-20 18:01:42 Provide DH_set_length() ok jsing
a108d6e6 2018-02-20 17:59:31 Provide DH_bits() ok jsing
5d59ae97 2018-02-20 17:38:15 Provide DH_{clear,set,test}_flags(). ok jsing
1cdc303d 2018-02-18 14:58:12 Provide {DH,DSA}_set0_key(). Requested by sthen. ok jsing
8216844a 2018-02-18 12:51:31 Provide DH_set0_pqg. ok jsing
f08abba0 2018-02-17 13:47:35 Provide further parts of the OpenSSL 1.1 API: {DH,DSA}_get0_{key,pqg}(), EVP_PKEY_get0_{DH,DSA,RSA}(), RSA_{g,s}et0_key(). ok jsing
5067ae9f 2017-01-29 17:49:22 Send the function codes from the error functions to the bit bucket, as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@