Skip to content
  1. Apr 19, 2018
  2. Apr 18, 2018
  3. Apr 17, 2018
  4. Apr 16, 2018
  5. Apr 14, 2018
  6. Apr 13, 2018
  7. Apr 12, 2018
  8. Apr 09, 2018
  9. Apr 08, 2018
  10. Apr 07, 2018
  11. Apr 06, 2018
  12. Apr 05, 2018
    • Matt Caswell's avatar
      e6b5cbb4
    • Matt Caswell's avatar
      0d9967a6
    • Matt Caswell's avatar
      Pick a q size consistent with the digest for DSA param generation · 57c766fb
      Matt Caswell authored
      
      
      There are two undocumented DSA parameter generation options available in
      the genpkey command line app:
      dsa_paramgen_md and dsa_paramgen_q_bits.
      
      These can also be accessed via the EVP API but only by using
      EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no
      helper macros for these options.
      
      dsa_paramgen_q_bits sets the length of q in bits (default 160 bits).
      dsa_paramgen_md sets the digest that is used during the parameter
      generation (default SHA1). In particular the output length of the digest
      used must be equal to or greater than the number of bits in q because of
      this code:
      
                  if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
                      goto err;
                  if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
                      goto err;
                  for (i = 0; i < qsize; i++)
                      md[i] ^= buf2[i];
      
                  /* step 3 */
                  md[0] |= 0x80;
                  md[qsize - 1] |= 0x01;
                  if (!BN_bin2bn(md, qsize, q))
                      goto err;
      
      qsize here is the number of bits in q and evpmd is the digest set via
      dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH.
      buf2 has been filled with qsize bits of random seed data, and md is
      uninitialised.
      
      If the output size of evpmd is less than qsize then the line "md[i] ^=
      buf2[i]" will be xoring an uninitialised value and the random seed data
      together to form the least significant bits of q (and not using the
      output of the digest at all for those bits) - which is probably not what
      was intended. The same seed is then used as an input to generating p. If
      the uninitialised data is actually all zeros (as seems quite likely)
      then the least significant bits of q will exactly match the least
      significant bits of the seed.
      
      This problem only occurs if you use these undocumented and difficult to
      find options and you set the size of q to be greater than the message
      digest output size. This is for parameter generation only not key
      generation. This scenario is considered highly unlikely and
      therefore the security risk of this is considered negligible.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5883)
      57c766fb
    • Matt Caswell's avatar
    • Matt Caswell's avatar
      Move the loading of the ssl_conf module to libcrypto · 23dec58b
      Matt Caswell authored
      
      
      The GOST engine needs to be loaded before we initialise libssl. Otherwise
      the GOST ciphersuites are not enabled. However the SSL conf module must
      be loaded before we initialise libcrypto. Otherwise we will fail to read
      the SSL config from a config file properly.
      
      Another problem is that an application may make use of both libcrypto and
      libssl. If it performs libcrypto stuff first and OPENSSL_init_crypto()
      is called and loads a config file it will fail if that config file has
      any libssl stuff in it.
      
      This commit separates out the loading of the SSL conf module from the
      interpretation of its contents. The loading piece doesn't know anything
      about SSL so this can be moved to libcrypto. The interpretation of what it
      means remains in libssl. This means we can load the SSL conf data before
      libssl is there and interpret it when it later becomes available.
      
      Fixes #5809
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5879)
      23dec58b
  13. Apr 04, 2018
  14. Apr 03, 2018
  15. Apr 02, 2018