summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Check for non-zero length rather than a zero value.jsing2023-06-241-2/+2
| | | | | | This removes a data dependent timing path from BN_sqr(). ok tb@
* Rewrite and simplify bn_sqr()/bn_sqr_normal().jsing2023-06-243-39/+44
| | | | | | | | | Rework bn_sqr()/bn_sqr_normal() so that it is less convoluted and more readable. Instead of recomputing values that the caller has already computed, pass it as an argument. Avoid branching and remove duplication of variables. Consistently use a_len and r_len naming for lengths. ok tb@
* Provide optimised bn_subw() and bn_subw_subw() for arm.jsing2023-06-241-1/+50
|
* Codify BN_asc2bn(NULL, *) behavior in regress.tb2023-06-231-1/+11
|
* Avoid crash in BN_asc2bn()tb2023-06-231-2/+3
| | | | | | | | | | | | | | | | | | Historically (and currently in OpenSSL), BN_asc2bn() could be called with NULL, but only for positive numbers. So BN_asc2bn(NULL, "1") would succeed but BN_asc2bn(NULL, "-1"), would crash. The other *2bn functions return a length, so accepting a NULL makes some sense since it allows callers to skip over part of the string just parsed (atoi-style). For BN_asc2bn() a NULL bn makes no sense because it returns a boolean. The recent CBS rewrite makes BN_asc2bn(NULL, *) always crash which in turn made Coverity throw a fit. Another change of behavior from that rewrite pertains to accidents (or is it madness?) like -0x-11 and 0x-11 being parsed as decimal -17 (which Ingo of course spotted and diligently documented). This will be addressed later. ok jsing
* Fix return check for BN_hex2bn()tb2023-06-231-2/+2
| | | | | | | | Purely cosmetic change taking into account the fact that this function returns a length rather than a boolean. This is the last offender in the library. ok jsing
* Fix return check of bn_hex2bn_cbs()tb2023-06-231-3/+3
| | | | | | | It returns a length, not a Boolean, so check for 0 explicitly. This is purely cosmetic. ok jsing
* typo: hexidecimal -> hexadecimaltb2023-06-231-2/+2
|
* Remove some redundant parenthesestb2023-06-231-17/+17
| | | | This file is already enough of an eyesore without them.
* Revert previous, not all platforms allow compilingotto2023-06-232-37/+4
| | | | __builtin_return_address(a) with a != 0.
* symbols: Tweak this test so it works with -j Ntb2023-06-221-6/+4
|
* Allow to ask for deeper callers for leak reports using malloc options.otto2023-06-222-4/+37
| | | | ok deraadt@
* Provide optimised bn_clzw() for aarch64.jsing2023-06-211-1/+15
|
* Provide and use bn_clzw() in place of bn_word_clz().jsing2023-06-213-5/+15
| | | | | | | | | | On some architectures, we can provide an optimised (often single instruction) count-leading-zero implementation. In order to do this effectively, provide bn_clzw() as a static inline that can be replaced by an architecture specific version. The default implementation defers to the bn_word_clz() function (which may also be architecture specific). ok tb@
* Make BN_num_bits() independent of bn->top.jsing2023-06-215-33/+74
| | | | | | | | Provide bn_bitsize(), which performs a constant time scan of a BN in order to determine the bit size of the BN value. Use this for BN_num_bits() such that it is no longer dependent on the bn->top value. ok tb@
* Add tests for BN_sqr() corner cases.jsing2023-06-211-1/+81
| | | | | Test BN_sqr() with a newly allocated BN, a BN explicitly set to zero and small values that fit in a single BN_ULONG.
* Add BN_cmp()/BN_ucmp() tests with zero padded inputs.jsing2023-06-211-1/+25
| | | | | Currently BN_hex2bn() removes the leading zeros, however this will not be the case in the future.
* Add a BN_num_bits() with zero padded input.jsing2023-06-211-4/+13
| | | | | Currently BN_hex2bn() removes the leading zeros, however this will not be the case in the future.
* Consolidate elliptic curve cofactor handlingtb2023-06-201-49/+41
| | | | | | | | | | | | | The various checks of the cofactor to be set in EC_GROUP_set_generator() are a bit all over the place. Move them into a single function and clean things up a little. Instead of calculating directly with the cofactor member of the group, use a temporary variable and copy this variable only if all tests passed. In cryptographic contexts the cofactor almost always fits if not into a single byte then into a word, so copying is cheap. Also streamline the computations a bit and remove some binary curve contortions. ok jsing
* Improve certificate version checks in x509v3_cache_extensions()tb2023-06-201-4/+11
| | | | | | | | | Only allow version v1-v3, disallow issuerUID and subjectUID in v1 certs and require that if X509v3 extensions are present that the cert be v3. Initial diff from job ok job jsing
* Rename all occurrences of e in this file to enginetb2023-06-201-15/+15
| | | | Requested by jsing
* Rename int_ctx_new() into evp_pkey_ctx_new()tb2023-06-201-4/+4
| | | | | | int_ctx_new() is a bad, generic, nondescriptive name. requested by jsing
* Clean up and fix int_ctx_new()tb2023-06-201-34/+30
| | | | | | | | | Compare explicitly against NULL, ensure the engine is always finished on error, switch to using calloc() instead of malloc() + forgetting to set some members to 0, use EVP_PKEY_up_ref() and also use pkey_ctx instead of ret for the newly created EVP_PKEY_CTX. ok jsing
* Clean up EVP_PKEY_CTX_meth_dup()tb2023-06-201-22/+19
| | | | | | | | | | | Explicitly check against NULL, replace malloc() plus manual zeroing with calloc(). Use EVP_PKEY_up_ref() rather than handrolling it and use a more normal error idiom. There still seems to be a bug in here in that the ENGINE's refcount isn't bumped, but that will be investigated and fixed separately. ok jsing
* Fix copy-paste errortb2023-06-201-2/+2
|
* Add regress coverage for BN_num_bits()jsing2023-06-201-1/+35
|
* Make enginetest work with disabled engine supporttb2023-06-191-1/+10
|
* Fix GOST test with disabled enginetb2023-06-191-1/+5
|
* Properly guard ENGINE usage with !OPENSSL_NO_ENGINEtb2023-06-191-1/+5
|
* Dedoxigenize ecdsa.htb2023-06-191-133/+5
| | | | | | | These functions are properly documented and upcoming surgery in here is going to be tricky enough without having to navigate around this noise. No code change.
* Turns out EC_KEY_METHOD_new() has dup built in...tb2023-06-181-21/+3
| | | | | | | ... because RSA_meth_new() doesn't. So we can fortunately lose a few lines added in the previous commit. Three cheers for the masters of inconsistency. ok jsing
* tls_signer: reinstate the default EC_KEY methodstb2023-06-181-2/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, we would set the ECDSA_METHOD on the EC_KEY, which, by way of lovely indirection in our three crypto/ec* directories ended up having no effect on the default methods. Now that we set a new EC_KEY_METHOD, we need to make sure we still have the other handlers that we might need. Like so many things that were made opaque in the 1.1 re"design", the accessors were written without actual application code in mind. In particular, EC_KEY_METHOD lacks a dup(). This means we get to fetch the default methods with getters and then set them again on the new method. This is particularly awesome because once someone adds a new method to the opaque struct, all applications will have to adapt and do a get/set dance. So far this is very reminiscent of PostgreSQL with BIO_meth_* https://github.com/postgres/postgres/blob/a14e75eb0b6a73821e0d66c0d407372ec8376105/src/interfaces/libpq/fe-secure-openssl.c#L1921-L1928 Only it's worse here because someone wanted to be smart and save a few public functions, so we have to use getters that get several functions at once. Which in turn means we need to have function pointers with the precise signatures which are part of the struct that was made opaque. We will add a EC_KEY_METHOD_dup() in the next bump, but for now this is the best fix we can have. Whenever you think you've seen the worst turds in this code base, you find another one that could serve as an exemplar. ok jsing op
* Switch tls_ecdsa_do_sign() to EC_KEY_get_ex_data()tb2023-06-181-3/+3
| | | | | | | Since libtls now sets the ex_data with EC_KEY_set_ex_data(), the do_sign() callback needs to have a matching change. ok jsing op
* libtls: switch ECDSA_METHOD usage to EC_KEY_METHODop2023-06-183-17/+12
| | | | | | | | | | | smtpd and the bits it needs in libtls are the only consumer left of ECDSA_METHOD, which is long deprecated. This paves the way for the removal in libcrypto. The diff is from gilles' work on OpenSMTPD-portable, libretls had a similar diff. ok tb@, jsing@
* Optimise bn_mul2_mulw_addtw() for aarch64.jsing2023-06-171-1/+28
| | | | | This provides significant performance gains for bn_sqr_comba4() and bn_sqr_comba8().
* Speed up Montgomery multiplication.jsing2023-06-171-10/+37
| | | | | | | | | | Factor out and optimise the inner loop for Montgomery multiplication, making use of bn_qwmulw_addqw_addw() to perform Montgomery multiplication by one word in larger steps. This provides a significant performance gain, especially on platforms where bn_qwmulw_addqw_addw() is (or can be) optimised. ok tb@
* Fix CRYPTO_get_ex_new_index() to return 1 or highertb2023-06-161-2/+2
| | | | | | | | | | Mixing SSL_{get,set}_ex_data() and and SSL_{get,set}_app_data() in the same application causes problems since they both place their data at the same spot. From Marc Aldorasi ok jsing
* Teach the grotty X509_certificate_type() about Ed25519 certstb2023-06-151-1/+4
| | | | ok jsing
* regentb2023-06-151-1/+9
|
* Add RSA with the sha3s to obj_xref.txttb2023-06-151-0/+4
| | | | ok jsing
* regen obj_xref.htb2023-06-151-12/+14
| | | | (this and the Ed25519 addition to obj_xref.txt were ok jsing)
* Add Ed25519 to the obj_xref table.tb2023-06-151-3/+6
| | | | | Also move part of for RSA-PSS to the top since it doesn't only apply to RSA-PSS.
* Some fixes in ASN1_item_verify()tb2023-06-151-17/+8
| | | | | | | | Switch to using EVP_DigestVerify(). Move the freeing of in where it belongs (previously it would leak on EVP_DigestVerifyUpdate() failure), and use the proper idiom for ASN1_item_i2d() error checking. ok jsing
* Make another NULL check explicit and put a brace on the proper linetb2023-06-151-4/+3
|
* Rename a few variables and other cosmeticstb2023-06-151-23/+21
| | | | | | | Rename buf_in into in, buf_out into out, use in_len and out_len for their lengths, drop a couple of silly casts and remove some empty lines. ok jsing
* Switch ASN1_item_sign_ctx() to EVP_DigestSign()tb2023-06-151-9/+7
| | | | | | | | | This makes this function work with Ed25519 and cleans up a handful of ugly contortions: use EVP_DigestSign() to determine the signature length instead of using the strange EVP_PKEY_size() and garbage collect the now useless out_len. Also use calloc(). ok jsing
* Make NULL checks explicit in ASN1_item_sign_ctx()tb2023-06-151-6/+8
| | | | | | | Also move the NULL check for the EVP_MD into the rv == 2 path, which is the only branch where it is used. ok jsing
* ASN1_item_sign_ctx()tb2023-06-151-3/+7
| | | | | | Pull a NULL check for pkey->ameth up to before ameth is first accessed. An EVP_PKEY created with EVP_PKEY_new() has ameth == NULL, so this check makes sense, but it does not make sense to do it where it was.
* Fix a logic error in ASN1_item_sign_ctx()tb2023-06-151-5/+8
| | | | | | | | | | | If the item_sign() ASN.1 method returns 1, it supposedly handles everything and the goto err prior to r1.5 was actually a success path. Go figure. This is fortunately inconsequential since there are only two item_sign() methods, one for RSA and one for Ed25519, neither of which can return 1. They only return 0, 2, and 3. Pointed out by and ok jsing
* Move comment about ASN1_item_dup() where it belongstb2023-06-131-7/+7
| | | | | Reword it in such a way that it stands on its own and doesn't refer to a non-existent model above. Also tweak grammar and fix typos.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-02 15:41:36 +0000