Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport DH_check from OpenSSL 1.1.0. #3375

Merged
merged 5 commits into from
Feb 3, 2017
Merged

Backport DH_check from OpenSSL 1.1.0. #3375

merged 5 commits into from
Feb 3, 2017

Conversation

markrwilliams
Copy link
Contributor

OpenSSL 1.0.2's DH_check considers the q parameter, allowing it
validate more generators and primes; however, OpenSSL 1.1.0's DH_check
includes code to handle errors in BN functions, so it's preferred.

See openssl/openssl@748e853.

@mention-bot
Copy link

@markrwilliams, thanks for your PR! By analyzing the history of the files in this pull request, we identified @palaviv, @reaperhulk and @public to be potential reviewers.

This was referenced Jan 31, 2017
Merged
Merged
@markrwilliams
Copy link
Contributor Author

DH_check isn't in LibreSSL 2.4.0, the latest stable release, while 2.5.0, the latest development release, has OpenSSL 1.0.2's version. So no matter the LibreSSL version we use our backport.

@markrwilliams
Backport DH_check from OpenSSL 1.1.0.
a1fe1a0 
OpenSSL 1.0.2's DH_check considers the q parameter, allowing it
validate more generators and primes; however, OpenSSL 1.1.0's DH_check
includes code to handle errors in BN functions, so it's preferred.
reaperhulk
reaperhulk reviewed Jan 31, 2017
View reviewed changes
src/_cffi_src/openssl/dh.py
* should hold.
*/

int Cryptography_DH_check(const DH *dh, int *ret)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For review purposes, is this from 1.1.0d? Could you add a comment stating what version it came from?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GitHub says 1.1.0pre6 - not sure which letter release that is. How can I find out?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1.1.0pre6 is itself a release number (it was the last pre-release prior to 1.1.0). So just add a comment saying it was updated to its current form in 1.1.0pre6

src/_cffi_src/openssl/dh.py
return (ok);
}
#else
int (*Cryptography_DH_check)(const DH *dh, int *ret) = DH_check;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our normal path for this sort of declaration is to do:

int Cryptography_DH_check(const DH *dh, int *ret) {
    return DH_check(dh, ret);
}

While this method will obviously work fine, could you make the change for consistency?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a lot nicer because I can put the cffi declaration in FUNCTIONS!

@reaperhulk
Copy link
Member

jenkins, add to whitelist

@reaperhulk
Copy link
Member

Tests are failing because the new error values are not defined in older versions of OpenSSL. (e.g. constants like DH_CHECK_INVALID_Q_VALUE).

reaperhulk
reaperhulk reviewed Jan 31, 2017
View reviewed changes
src/_cffi_src/openssl/dh.py
@@ -117,6 +117,10 @@
#endif

#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || defined(LIBRESSL_VERSION_NUMBER)
# define DH_CHECK_Q_NOT_PRIME 0x10
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These should each be ifndef for safety since we don't want to fail with duplicate definitions if/when LibreSSL adds these.

@markrwilliams
Defensively guard DH_CHECK_* definitions with ifndef.
c558185 
This will prevent duplicate definitions when LibreSSL supports a
version of DH_check that can return these.
@markrwilliams
Document the OpenSSL of origin for the DH_check code
218744c
@markrwilliams
Copy link
Contributor Author

markrwilliams commented Feb 2, 2017
edited
Loading

@reaperhulk anything else I can do to help this land? And thanks for all the feedback!!

@reaperhulk
Copy link
Member

I just need to get some time to review it. Will probably have to wait until Sunday, sorry!

@reaperhulk
Copy link
Member

Confirmed this matches the implementation in OpenSSL. DH_UNABLE_TO_CHECK_GENERATOR looks like it will be set in any case where generator is not 2 or 5. I assume we'll be making that an allowable code in the PR that lifts the generator restriction?

@reaperhulk reaperhulk merged commit 523b132 into pyca:master Feb 3, 2017
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 21, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@reaperhulk reaperhulk reaperhulk approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@markrwilliams @mention-bot @reaperhulk