| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
Avoid conflicts where alignment is specified later in the underlying
assembly.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Make these functions always fail. A copy of OBJ_bsearch_ex_() is kept
in stack.c, where it is still used by internal_find() for sk_find{,_ex}().
sk_find_ex() will be removed in the upcoming bump, and then we can
simplify or rewrite what's still needed.
ok jsing
|
| |
|
|
|
|
|
|
| |
gcm_{gmult,ghash}_4bit(), aesni_ccm64_decrypt_blocks(), aes_cbc_encrypt(),
and aesni_xts_{en,de}crypt() were overlooked in previous passes.
Found with a diff for ld.lld by kettenis
ok kettenis
|
| |
|
|
|
|
|
|
|
| |
cet.h is needed for other platforms to emit the relevant .gnu.properties
sections that are necessary for them to enable IBT. It also avoids issues
with older toolchains on macOS that explode on encountering endbr64.
based on a diff by kettenis
ok beck kettenis
|
| |
|
|
|
|
|
|
|
|
|
| |
No cipher in libcrypto is marked EVP_CIPH_CUSTOM_KEY_LENGTH and no control
handler deals with EVP_CTRL_SET_KEY_LENGTH, which means that this code is
dead as far as libcrypto is concerned. Almost nothing uses EVP_CIPHER_meth*
(this was added for a single project) and nothing sets a custom ctrl. This
isn't going to change anyway since EVP_CIPHER_meth* is deprecated in order
to promote more provider beauty.
ok beck jsing
|
| |
|
|
|
|
|
| |
These don't do anything but return 0 and will be garbage collected in the
upcoming bump.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The OpenSSL 1.1 API X509_STORE_get0_objects() is not thread safe. It
exposes a naked internal pointer containing certificates, CRLs and
cached objects added by X509_LOOKUP_hash_dir(). Thus, if the store is
shared between threads, it is not possible to inspect this pointer safely
since another thread could concurrently add to it. This may happen in
particular during certificate verification. This API led to security
issues in rust-openssl and is also problematic in current Python.
Other consumers of X509_STORE_get0_objects() are haproxy, isync, openvpn.
The solution is to take a snapshot of the state under a lock and return
that. This is what X509_STORE_get1_objects() does. It returns a newly
allocated stack that needs to be freed with sk_X509_OBJECT_pop_free(),
passing X509_OBJECT_free as a second argument.
Based on a diff by David Benjamin for BoringSSL.
https://boringssl-review.googlesource.com/c/boringssl/+/65787
ok beck jsing
PS: Variants of this have landed in Python and OpenSSL 3 as well. There the
sk_*deep_copy() API is used, which in OpenSSL relies on evaluating function
pointers after casts (BoringSSL fixed that). Instead of using this macro
insanity and exposing that garbage in public, we can do this by implementing
a pedestrian, static sk_X509_OBJECT_deep_copy() by hand.
|
| |
|
|
|
| |
There is now a prototype in x509_internal.h, so no need to repeat that
here.
|
| |
|
|
| |
requested by/ok jsing
|
| |
|
|
|
|
|
|
| |
When this file was brought into KNF, a few things became particularly ugly.
This makes {a,b}{,_{min,max}} have function scope in canonize/is_canonical,
which removes unfortunate line wraps and some other silliness.
ok job
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This exercises the new API, in particular with respect to overflow behavior
around the years 0/9999, which are special for GeneralizedTime/X.509.
|
| |
|
|
|
|
|
| |
Document OPENSSL_{posix_to_tm,tm_to_posix}() and fix the documentation of
OPENSSL_{gmtime,timegm}().
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is prepares to expose some internal API as OPENSSL_tm_to_posix() and
OPENSSL_posix_to_tm(). They will be used in libtls and ocspcheck(8) to get
rid of the portability nightmare that is timegm().
Also fix the location of OPENSSL_gmtime() and OPENSSL_timegm() (this API
is not yet exposed). The former is from OpenSSL and surprisingly lives in
crypto.h, not asn1.h, and the latter is BoringSSL API and lives in the new
posix_time.h.
Initial diff from beck, this pulls in further upstream work after review
feedback.
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This is analogous to EVP_CIPHER_CTX_legacy_clear() and will serve as an
internal replacement for EVP_MD_CTX_init() until the conversion to heap
allocated ctx is completed. This way EVP_MD_CTX_init() can be changed to
match the OpenSSL 1.1 API.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL 1.1 made EVP_CIPHER_CTX_init() an alias of EVP_CIPHER_CTX_reset().
In particular, it changed signature and it would no longer leak internal
state if used on an already used ctx. On the other hand, it can't be used
for ctx on the stack.
libcrypto still has a few ctx on the stack which will be converted to heap
allocated contexts at some point. Until this is completed, we will use
EVP_CIPHER_CTX_legacy_clear() internally, so that the public API can be
changed to match OpenSSL 1.1.
ok jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
BIO_set() is a dangerous function that cannot be used safely. Thankfully,
the only consumer is BIO_new(), hence inline the functionality and disable
the BIO_set() function (for complete removal in the near future).
ok tb@
|
| |
|
|
|
|
|
|
| |
Rather than 'a' or 'b', use 'bio' more consistently - there are still some
more complex cases that have been left alone for now. Also use fewer
parentheses.
No change to generated assembly other than line numbers.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While EC_POINT_set_affine_coordinates() checks that the resulting point
is on the elliptic curve, this is only necessary, but not sufficient, to
ensure that the point can serve as a valid public key. For example, this
does not check for normalized coordinates or exclude that it is zero (the
point at infinity). Such checks, and more, are performed by the similarly
named EC_KEY_set_public_key_affine_coordinates().
This kind of makes sense from the mathematical standpoint as an elliptic
curve point isn't a priori a public key, even if you are not going to use
libcrypto for actual mathematics (or anything really) unless you like pain.
In a cryptographic library such differences are more of a hazard than a
help.
This is exacerbated by the fact that EC_KEY_set_public_key() does almost
no checking (it only checks that the point's EC_POINT method matches the
one of group set of the EC_KEY, which is far from enough). The API expects
that you call EC_KEY_check_key() on your own. This is kind of confusing
since EC_KEY_set_public_key_affine_coordinates() does that for you.
Unfortunately, adding sanity checks to EC_KEY_set_public_key() isn't easy
since it's going to penalize those who already check. Caching the result
of a check is dangerous and fragile if there are a million ways of fiddling
with an EC_KEY.
While the elliptic curve code is really bad, its documentation is worse
(another thing that applies to OpenSSL in general). Try to help that a
little bit by making it more explicit that you are supposed to call
EC_KEY_check_key() after using lower-level EC_KEY setters. Also make it
clearer that the setters copy the data, they don't take ownership (which
isn't obvious from the naming).
If OpenSSL 3 got one thing kind of right, it was to deprecate the EC_KEY
and EC_POINT APIs. But if you are going to deprecate something, you should
either be prepared to remove it or have a reasonable replacement...
Found by Guido Vranken using cryptofuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66667
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This API returns an int encoding the number of bytes printed. Thus, a dump
of a large enough byte string can make this overflow and rely on undefined
behavior. With an indent of 64, as little as 26 MB is enough to make this
happen.
ok jsing
|
| |
|
|
| |
OK tb@
|
| | |
|
| |
|
|
|
| |
The hash was just created with EVP_MD_CTX_new(), so we memset a calloced
piece of memory to 0.
|
| | |
|
| |
|
|
| |
From Christian Andersen
|
| |
|
|
| |
From Christian Andersen
|
| |
|
|
| |
Noticed by Christian Andersen
|
| |
|
|
|
|
|
| |
The failed variable was erroneously initialized to 0, making this test
always pass.
From Christian Andersen, thanks!
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If an error occurs in action->recv() for a handshake that needs to
downgrade to legacy TLS, the artistic exit path led to hiding the
error under TLS13_IO_USE_LEGACY. Rework the exit path to be easier
to follow, preserving behavior except that the error can no longer
be masked.
Detailed analysis and initial diff by Masaru Masuda.
Fixes https://github.com/libressl/openbsd/issues/146
ok beck
|
| |
|
|
|
|
|
| |
This was used for some GOST weirdness. The flag is unused in ports and
there is no user in Debian's codesearch.
ok beck
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.
At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.
This removes it from libssl in preparation for it's removal from
libcrypto with a future major bump
ok tb@
|
| |
|
|
| |
Also drop now unnecessary NULL checks before it.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of heaps of unchecked strlcpy/strlcat/snprintf doing hard to follow
gymnastics, use a byte string, a somewhat comprehensible computation of the
number of bytes to dump per output line and write using checked BIO_printf()
directly to the BIO.
Longer strings will still overflow the terminal width of 80 and even longer
strings will still overflow the return value (undefined behavior). I don't
care much about the former but the latter should be fixed in a later pass.
ok beck
|
| | |
|
