A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_6 2024-08-29T16:58:19+00:00 2024-08-29T16:58:19+00:00 tb 2024-08-29T16:58:19+00:00 urn:sha1:c8099c070f0c547b73edced83591dbd871254307 This disables the EVP_PKEY_*check() API and makes it fail (more precisely indicate lack of support) on all key types. This is an intermediate step to full removal. Removal is ok beck jsing 2024-08-28T07:15:04+00:00 tb 2024-08-28T07:15:04+00:00 urn:sha1:f822543d6a7043acc1d14a3e0b44eddc1051b097 This is a slightly strange combination of OBJ_find_sigid_algs() and the security level API necessary because OBJ_find_sigid_algs() on its own isn't smart enough for the special needs of RSA-PSS and EdDSA. The API extracts the hash's NID and the pubkey's NID from the certificate's signatureAlgorithm and invokes special handlers for RSA-PSS and EdDSA for retrieving the corresponding information. This isn't entirely free for RSA-PSS, but for now we don't cache this information. The security bits calculation is a bit hand-wavy, but that's something that comes along with this sort of numerology. ok jsing 2024-08-26T22:01:28+00:00 op 2024-08-26T22:01:28+00:00 urn:sha1:07d3f305ea24da68aec66c7e4be39317f6ea7dae 2024-07-08T17:10:18+00:00 beck 2024-07-08T17:10:18+00:00 urn:sha1:da5d57728b051bf038e986004831cc0ea095d94c ok tb@ 2024-06-24T06:43:23+00:00 tb 2024-06-24T06:43:23+00:00 urn:sha1:c9802a5afe29675d69b605ce906d34fd89c024ac These constitute the bulk of the remaining global mutable state in libcrypto. This commit moves most of them into data.rel.ro, leaving out ERR_str_{functs,libraries,reasons} (which require a slightly different approach) and SYS_str_reasons which is populated on startup. The main observation is that if ERR_load_strings() is called with a 0 lib argument, the ERR_STRING_DATA argument is not actually modified. We could use this fact to cast away const on the caller side and be done with it. We can make this cleaner by adding a helper ERR_load_const_strings() which explicitly avoids the assignment to str->error overriding the error code already set in the table. In order for this to work, we need to sprinkle some const in err/err.c. CMS called ERR_load_strings() with non-0 lib argument, but this didn't actually modify the error data since it ored in the value already stored in the table. Annoyingly, we need to cast const away once, namely in the call to lh_insert() in int_err_set_item(). Fixing this would require changing the public API and is going to be tricky since it requires that the LHASH_DOALL_FN_* types adjust. ok jsing 2024-05-19T07:12:50+00:00 jsg 2024-05-19T07:12:50+00:00 urn:sha1:9dd363a8109e5383b08891f9d0307a5d5aa2bc09 feedback and ok tb@ 2024-03-30T04:34:17+00:00 jsing 2024-03-30T04:34:17+00:00 urn:sha1:688cee18c74634f0c45a5c262fd953f3a9b8ae7f ok tb@ 2024-03-27T01:22:30+00:00 tb 2024-03-27T01:22:30+00:00 urn:sha1:34e2ca7d2d0a0fb4722dfa5e884d5657ea45d8f8 No need for an inconsistently named local variable and a ternary operator. ok jsing 2024-03-26T05:37:28+00:00 joshua 2024-03-26T05:37:28+00:00 urn:sha1:527b97ecc53623ab1854a112cab37ebd33a24109 ok tb@ 2024-03-26T05:26:27+00:00 joshua 2024-03-26T05:26:27+00:00 urn:sha1:e978a251991069caf6ee014d5a5df9bc58135470 RSA_verify_PKCS1_PSS_mgf1 ok jsing@ tb@