* Add regress coverage for BN_mod_inverse()  tb  2023-06-03  2 files  -1/+387

  This would detect the aliasing issue reported by Guido Vranken fixed in
  bn_gcd.c r1.28. Most testcases are from BoringSSL's regress test.
* Fix variable reuse in BN_mod_inverse()  tb  2023-06-02  1 file  -21/+15

  The somewhat strange calculation m = a^{-1} (mod m) can return 0. This
  breaks because of BN_nnmod() having delicate semantics of which variable
  can be reused. BN_nnmod(a, a, m, ctx) works and the library relies on
  that. Here, the code ends up doing BN_nnmod(m, a, m, ctx) and this
  doesn't work. If the result of the initial BN_mod() is negative, then
  BN_nnmod() will return 0.

  Problem reported by Guido Vranken in
  https://github.com/openssl/openssl/issues/21110

  This code is well covered by regress, but it does not currently have
  explicit test coverage. Such will be added soon.

  ok beck jsing
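As an added illustration of the aliasing hazard this commit describes (example code, not libcrypto's BN_nnmod() or BN_mod_inverse()), the following models the same call shapes with int64_t: a truncated remainder whose sign follows the dividend, followed by a sign fix-up that reads the modulus. The int64_t model and the function names are this example's assumptions.

```c
#include <stdint.h>

/*
 * Added example, not libcrypto code. When the result pointer aliases the
 * modulus, the fix-up step reads the remainder that has already
 * overwritten the modulus instead of the modulus itself.
 */

/* Truncated remainder; may be negative. Returns 0 on a zero modulus. */
static int
mod_trunc(int64_t *r, const int64_t *a, const int64_t *m)
{
	if (*m == 0)
		return 0;
	*r = *a % *m;
	return 1;
}

/*
 * Non-negative remainder. Correct for nnmod(r, a, m) and nnmod(a, a, m),
 * wrong for nnmod(m, a, m): *m is clobbered before the fix-up reads it,
 * so a negative remainder is "fixed" by adding its own magnitude and the
 * result is 0.
 */
int
nnmod_naive(int64_t *r, const int64_t *a, const int64_t *m)
{
	if (!mod_trunc(r, a, m))
		return 0;
	if (*r < 0)
		*r += (*m < 0) ? -*m : *m;
	return 1;
}

/*
 * Same contract, but the modulus is captured in a local before anything
 * is written to *r, so every aliasing of r with a or m is safe.
 */
int
nnmod_safe(int64_t *r, const int64_t *a, const int64_t *m)
{
	int64_t mabs;

	if (*m == 0)
		return 0;
	mabs = (*m < 0) ? -*m : *m;
	if (!mod_trunc(r, a, m))
		return 0;
	if (*r < 0)
		*r += mabs;
	return 1;
}

/*
 * The aliased call pattern from the commit, m = a mod m, with each
 * variant. Returns the computed value, or -1 if the routine failed.
 */
int64_t
aliased_naive(int64_t a, int64_t m)
{
	if (!nnmod_naive(&m, &a, &m))
		return -1;
	return m;
}

int64_t
aliased_safe(int64_t a, int64_t m)
{
	if (!nnmod_safe(&m, &a, &m))
		return -1;
	return m;
}
```

aliased_naive(-7, 5) yields 0 where 3 is expected, while the non-aliased and a-aliased calls are fine, which is why a regress test for such a routine should cover every documented aliasing of its arguments, not only the common ones.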
* fix typo  tb  2023-06-02  1 file  -2/+2
* Remove the speed test again  tb  2023-06-01  1 file  -7/+2

  It takes too much time and we now know that all covered ciphers can cope
  with unaligned input and output on all tested architectures.
* Rework tls_check_subject_altname() error handling  tb  2023-06-01  1 file  -12/+13

  Default to having rv = -1 and explicitly goto done to set rv = 0. This
  matches other code better.

  ok jsing
* Check for X509_get_ext_d2i() failure  tb  2023-06-01  1 file  -4/+10

  X509_get_ext_d2i() (or rather X509V3_get_d2i()) can return NULL for
  various reasons. If it fails because the extension wasn't found, it sets
  *crit = -1. In any other case, e.g., the cert is bad or we ran out of
  memory in X509V3_EXT_d2i(), crit is set to something else, so we should
  actually error.

  ok jsing
* Avoid a potentially overflowing check  tb  2023-06-01  1 file  -2/+2

  This doesn't actually overflow, but still is poor style.

  Speaking of which: this is now the second time I get to fix something
  reported by Nicky Mouha by way of a blog post. The first time was the
  actual SHA-3 buffer overflow in Python where it is not entirely clear
  who screwed up and how. Hopefully next time proper communication will
  happen and work.

  ok jsing
* fix some nits on previous  op  2023-05-30  1 file  -6/+10

  - move a sentence out of a Bd block
  - add some .Pp for spacing
  - avoid a double colon on a sentence and the usage of second person
  - mark STORE_CTX with .Vt
  - change one Vt -> Dv (done after this has been ok'd by beck)

  ok beck@
* Correct test that was pasto'ed incorrectly  beck  2023-05-29  1 file  -3/+7

  This now tests what the comment says it does
* Correctly catch all return values from X509_NAME_get_index_by_NID  beck  2023-05-29  1 file  -6/+11

  And some comment requests, from jsing@

  ok jsing@
* Oops, Fa -> .Fa  beck  2023-05-29  1 file  -2/+2
* Make X509_NAME_get_text_by[NID|OBJ] safer.  beck  2023-05-29  3 files  -22/+125

  This is an un-revert with nits of the previously landed change to do
  this which broke libtls. libtls has now been changed to not use this
  function.

  This change ensures that if something is returned it is "text" (UTF-8)
  and a C string not containing a NUL byte. Historically callers to this
  function assume the result is text and a C string however the OpenSSL
  version simply hands them the bytes from an ASN1_STRING and expects
  them to know bad things can happen which they almost universally do
  not check for.

  Partly inspired by goings on in boringssl.

  ok jsing@ tb@
* Stop suggesting that children play with loaded revolvers.  beck  2023-05-29  1 file  -31/+49

  This takes much of the language that boring uses to document the verify
  callback, and corrects the historical horror that OpenSSL introduced
  years ago by suggesting people ignore expiry dates using the callback
  instead of the verify flags.

  nits by jsg@ and tb@
  ok tb@
* Provide optimised bn_mulw_{addw,addw_addw,addtw}() for aarch64.  jsing  2023-05-28  1 file  -1/+68

  This results in bn_mul_comba4() and bn_mul_comba8() requiring ~30% less
  instructions than they did previously.
* Provide optimised bn_addw_addw()/bn_subw_subw() for aarch64.  jsing  2023-05-28  1 file  -1/+43
* Sprinkle some style(9).  jsing  2023-05-28  1 file  -15/+15
* Expand occurrences of HASH_CTX that were previously missed.  jsing  2023-05-28  1 file  -4/+5

  No change in generated assembly.
* Reorder functions.  jsing  2023-05-28  1 file  -214/+214

  No intended functional change.
* Clean up includes.  jsing  2023-05-28  1 file  -6/+5
* Remove now unnecessary do {} while(0);  jsing  2023-05-28  1 file  -3/+1
* Inline HASH_MAKE_STRING for SHA256.  jsing  2023-05-28  1 file  -34/+37

  No change to generated assembly.
* Rewrite BN_{asc,dec,hex}2bn() using CBS.  jsing  2023-05-28  1 file  -123/+224

  This gives us more readable and safer code. There are two intentional
  changes to behaviour - firstly, all three functions zero any BN that was
  passed in, prior to doing any further processing. This means that a
  passed BN is always in a known state, regardless of what happens later.
  Secondly, BN_asc2bn() now fails on NULL input, rather than crashing.
  This brings its behaviour in line with BN_dec2bn() and BN_hex2bn().

  ok tb@
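An added example, not the rewritten BN_hex2bn() itself, of the CBS style (a cursor plus remaining length, with every read bounds-checked) together with the two intentional behaviour changes: the output is zeroed before anything else happens, and NULL input fails instead of crashing. The fixed 32-byte big-endian magnitude in struct num, struct cbs and hex2num() are assumptions of this example; libcrypto's BIGNUM is not shaped like this.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libcrypto code. */
#define NUM_BYTES 32

struct num {
	uint8_t be[NUM_BYTES];	/* big-endian magnitude */
	int neg;
};

struct cbs {
	const uint8_t *data;
	size_t len;
};

static int
cbs_peek_u8(const struct cbs *cbs, uint8_t *out)
{
	if (cbs->len < 1)
		return 0;
	*out = cbs->data[0];
	return 1;
}

static int
cbs_skip(struct cbs *cbs, size_t n)
{
	if (cbs->len < n)
		return 0;
	cbs->data += n;
	cbs->len -= n;
	return 1;
}

static int
hex_nibble(uint8_t c, uint8_t *v)
{
	if (c >= '0' && c <= '9')
		*v = c - '0';
	else if (c >= 'a' && c <= 'f')
		*v = c - 'a' + 10;
	else if (c >= 'A' && c <= 'F')
		*v = c - 'A' + 10;
	else
		return 0;
	return 1;
}

/* Shift the magnitude left by one nibble and insert v; fails on overflow. */
static int
num_push_nibble(struct num *n, uint8_t v)
{
	if (n->be[0] & 0xf0)
		return 0;
	for (size_t i = 0; i < NUM_BYTES - 1; i++)
		n->be[i] = (uint8_t)((n->be[i] << 4) | (n->be[i + 1] >> 4));
	n->be[NUM_BYTES - 1] = (uint8_t)((n->be[NUM_BYTES - 1] << 4) | v);
	return 1;
}

/*
 * Parses an optional '-' followed by hex digits and stops at the first
 * non-hex character. Returns the number of characters consumed (sign
 * included) or 0 on failure. *n is zeroed before parsing and again on
 * failure, so the caller always sees a known state.
 */
int
hex2num(struct num *n, const char *str)
{
	struct cbs cbs;
	uint8_t c, v;
	size_t consumed = 0, digits = 0;

	if (n == NULL)
		return 0;
	memset(n, 0, sizeof(*n));
	if (str == NULL)
		return 0;
	cbs.data = (const uint8_t *)str;
	cbs.len = strlen(str);
	if (cbs_peek_u8(&cbs, &c) && c == '-') {
		n->neg = 1;
		cbs_skip(&cbs, 1);
		consumed++;
	}
	while (cbs_peek_u8(&cbs, &c) && hex_nibble(c, &v)) {
		if (!num_push_nibble(n, v))
			goto err;
		cbs_skip(&cbs, 1);
		consumed++;
		digits++;
	}
	if (digits == 0)
		goto err;
	if (n->neg) {			/* normalise "-0" to +0 */
		int zero = 1;
		for (size_t i = 0; i < NUM_BYTES; i++)
			if (n->be[i] != 0)
				zero = 0;
		if (zero)
			n->neg = 0;
	}
	return (int)consumed;
 err:
	memset(n, 0, sizeof(*n));
	return 0;
}
```

Because the cursor carries its own length, no read can run past the input, and a caller that ignores the return value still ends up with a zeroed number rather than a stale one.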
* correct comment, spotted by tb@  beck  2023-05-28  1 file  -4/+4
* Refactor tls_check_common_name to use lower level API.  beck  2023-05-28  2 files  -14/+51

  X509_NAME_get_text_by_NID is kind of a bad interface that we wish to
  make safer, and does not give us the visibility we really want here to
  detect hostile things. Instead call the lower level functions to do some
  better checking that should be done by X509_NAME_get_text_by_NID, but
  is not in the OpenSSL version.

  Specifically we will treat the input as hostile and fail if:
  1) The certificate contains more than one CN in the subject.
  2) The CN does not decode as UTF-8
  3) The CN is of invalid length (must be between 1 and 64 bytes)
  4) The CN contains a 0 byte

  4) matches the existing logic; 1), 2) and 3) are new checks.

  ok tb@
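An added example (not libtls or libcrypto code) of the four checks enumerated above, and of the "text and a C string" guarantee from the X509_NAME_get_text_by[NID|OBJ] commit, applied to a simplified representation of the subject name. NID_COMMON_NAME, struct name_entry, get_common_name() and the subjects in count_rejected_samples() are this example's own constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libtls code. NID value and struct are assumptions. */
#define NID_COMMON_NAME	13
#define CN_MAX_LEN	64

struct name_entry {
	int nid;
	const uint8_t *data;
	size_t len;
};

/*
 * Strict UTF-8 validation: rejects bad lead/continuation bytes, overlong
 * encodings, UTF-16 surrogates and code points above U+10FFFF.
 */
static int
utf8_valid(const uint8_t *s, size_t len)
{
	size_t i = 0;

	while (i < len) {
		uint8_t b = s[i];
		size_t n;
		uint32_t cp, min;

		if (b < 0x80) { i++; continue; }
		else if ((b & 0xe0) == 0xc0) { n = 1; cp = b & 0x1f; min = 0x80; }
		else if ((b & 0xf0) == 0xe0) { n = 2; cp = b & 0x0f; min = 0x800; }
		else if ((b & 0xf8) == 0xf0) { n = 3; cp = b & 0x07; min = 0x10000; }
		else return 0;
		if (len - i < n + 1)
			return 0;			/* truncated sequence */
		for (size_t k = 1; k <= n; k++) {
			if ((s[i + k] & 0xc0) != 0x80)
				return 0;
			cp = (cp << 6) | (s[i + k] & 0x3f);
		}
		if (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff))
			return 0;
		i += n + 1;
	}
	return 1;
}

/*
 * Copies the subject's single CN into out as a NUL-terminated string.
 * Returns 1 on success and 0 if the name is treated as hostile: no CN or
 * more than one CN, bad UTF-8, length outside 1..64, or an embedded NUL.
 */
int
get_common_name(const struct name_entry *entries, size_t n, char *out,
    size_t out_len)
{
	const struct name_entry *cn = NULL;
	size_t count = 0;

	for (size_t i = 0; i < n; i++)
		if (entries[i].nid == NID_COMMON_NAME) {
			cn = &entries[i];
			count++;
		}
	if (count != 1)					/* 1) exactly one CN */
		return 0;
	if (cn->len < 1 || cn->len > CN_MAX_LEN)	/* 3) length 1..64 */
		return 0;
	if (memchr(cn->data, 0, cn->len) != NULL)	/* 4) no NUL byte */
		return 0;
	if (!utf8_valid(cn->data, cn->len))		/* 2) decodes as UTF-8 */
		return 0;
	if (out_len < cn->len + 1)
		return 0;
	memcpy(out, cn->data, cn->len);
	out[cn->len] = '\0';
	return 1;
}

/* Constructed subjects: a valid one, a duplicate CN, an embedded NUL and
 * an overlong UTF-8 encoding of '/'. Returns how many are rejected. */
int
count_rejected_samples(void)
{
	char out[CN_MAX_LEN + 1];
	struct name_entry ok[] = {{NID_COMMON_NAME, (const uint8_t *)"b\xc3\xa4r.org", 8}};
	struct name_entry dup[] = {{NID_COMMON_NAME, (const uint8_t *)"a.org", 5},
	    {NID_COMMON_NAME, (const uint8_t *)"b.org", 5}};
	struct name_entry nul[] = {{NID_COMMON_NAME, (const uint8_t *)"a.org\0evil", 10}};
	struct name_entry bad[] = {{NID_COMMON_NAME, (const uint8_t *)"\xc0\xaf", 2}};
	int rejected = 0;

	rejected += !get_common_name(ok, 1, out, sizeof(out));
	rejected += !get_common_name(dup, 2, out, sizeof(out));
	rejected += !get_common_name(nul, 1, out, sizeof(out));
	rejected += !get_common_name(bad, 1, out, sizeof(out));
	return rejected;
}
```

The NUL check runs on the raw bytes before the copy, so a certificate carrying "a.org\0evil" can never be shortened to "a.org" by a later strlen(); the UTF-8 check is strict, so an overlong encoding cannot smuggle in a byte that a later comparison would treat as a plain separator.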
* Merge X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM  tb  2023-05-28  4 files  -110/+73

  Back in the day when essentially every struct was open to all
  applications, X509_VERIFY_PARAM_ID provided a modicum of opacity. This
  indirection is now no longer needed with X509_VERIFY_PARAM being opaque
  itself, so stop using X509_VERIFY_PARAM_ID and merge it into
  X509_VERIFY_PARAM.

  This is a first small step towards cleaning up the X509_VERIFY_PARAM
  mess.

  ok jsing
* Implement SHA256_{Update,Transform,Final}() directly in sha256.c.  jsing  2023-05-27  1 file  -4/+103

  md32_common.h is a typical OpenSSL macro horror show - copy the update,
  transform and final functions from md32_common.h, manually expanding the
  macros for SHA256. This will allow for further clean up to occur.

  No change in generated assembly.

  ok beck@ tb@
* Add HASH_NO_UPDATE and HASH_NO_TRANSFORM to md32_common.h  jsing  2023-05-27  1 file  -5/+7

  This makes it possible to still use minimal parts of md32_common.h,
  while disabling the update and transform functions.

  ok beck@ tb@
* Add coverage for calling BN_{dec,hex}2bn() with NULL inputs.  jsing  2023-05-27  1 file  -9/+37
* Bump LibreSSL version  (tag: libressl-v3.8.0)  tb  2023-05-27  1 file  -3/+3
* Clean up alignment handling for SHA-512.  jsing  2023-05-27  2 files  -80/+96

  This recommits r1.37 of sha512.c, however uses uint8_t * instead of
  void * for the crypto_load_* functions and primarily uses const
  uint8_t * to track input, only casting to const SHA_LONG64 * once we
  know that it is suitably aligned. This prevents the compiler from
  implying alignment based on type.

  Tested by tb@ and deraadt@ on platforms with gcc and strict alignment.

  ok tb@
* Remove malloc interposition, a workaround that was once needed for emacs  otto  2023-05-27  1 file  -7/+7

  ok guenther@
* Move verified_chain from SSL to SSL_HANDSHAKE  tb  2023-05-26  4 files  -14/+17

  This is a better version of the fix for the missing pointer
  invalidation but a bit larger, so errata got the minimal fix.

  tested by jcs
  ok jsing
* Forcibly update the EVP_PKEY's internal key  op  2023-05-25  1 file  -13/+25

  To aid privilege separation, libtls maintains application-specific data
  on the key inside the EVP_PKEY abstraction because the EVP API doesn't
  provide a way to do that on the EVP_PKEY itself.

  OpenSSL 3 changed behavior of EVP_PKEY_get1_RSA() and related functions.
  These now return a struct from some cache. Thus, modifying the RSA will
  no longer modify the EVP_PKEY like it did previously, which was clearly
  implied to be the case in the older documentation.

  This is a subtle breaking change that affects several applications.
  While this is documented, no real solution is provided. The transition
  plan from one OpenSSL major version to the next one tends to involve
  many #ifdef in the ecosystem, and the only suggestion provided by the
  new documentation is to switch to a completely unrelated, new API.

  Instead, forcibly reset the internal key on EVP_PKEY after
  modification, this way the change is picked up also by OpenSSL 3.

  Fixes issue 1171 in OpenSMTPD-portable

  ok tb@, jsing@
* Update X509_VERIFY_PARAM_inherit() to reflect the change of behavior  tb  2023-05-24  1 file  -9/+6

  in x509_vpm.c r1.39.
* Copy the verify param hostflags independently of the host list  tb  2023-05-24  2 files  -6/+5

  Without this, hostflags set on the SSL_CTX would not propagate to newly
  created SSL. This is surprising behavior that was changed in OpenSSL
  1.1 by Christian Heimes after the issue was flagged by Quentin Pradet:
  https://bugs.python.org/issue43522

  This is a version of the fix that landed in OpenSSL. There used to be a
  workaround in place in urllib3, but that was removed at some point. We
  haven't fixed this earlier since it wasn't reported. It only showed up
  after recent fallout of extraordinarily strict library checking in
  urllib3 coming from their own interpretation of the implications of
  PEP 644.

  ok jsing
* Add a test to verify that an SSL inherits the hostflags from the SSL_CTX  tb  2023-05-24  2 files  -1/+105

  This is currently an expected failure that will be fixed shortly.
* Provide CRYPTO_INT for statically linking libcrypto for libssl regress  tb  2023-05-24  1 file  -0/+2

  This will be needed for the ssl_verify_param test
* Provide X509_VERIFY_PARAM_set_hostflags()  tb  2023-05-24  1 file  -1/+8

  This is needed for an upcoming regress test that needs to access the
  hostflag. This is public API in OpenSSL but since nothing seems to be
  using this, this accessor will be kept internal-only for the time
  being.

  ok jsing
* Simplify OBJ_obj2txt()  tb  2023-05-23  2 files  -8/+5

  Instead of adding a NUL termination to OBJ_obj2txt(), move the
  aobj == NULL or aobj->data == NULL checks to i2t_ASN1_OBJECT_internal().
  The only other caller, i2t_ASN1_OBJECT(), fails on aobj == NULL and
  aobj->length == 0, and the latter condition is implied by aobj->data.

  Cleaner solution for obj_dat.c r1.52 suggested by/ok jsing
* Add empty line for consistency  tb  2023-05-23  1 file  -1/+2
* Add regress coverage for obj_dat.c r1.52  tb  2023-05-23  1 file  -1/+44
* Always NUL terminate buf in OBJ_obj2txt()  tb  2023-05-23  1 file  -1/+4

  OBJ_obj2txt() is often called without error checking and is used for
  reporting unexpected or malformed objects. As such, we should ensure
  buf is a string even on failure. This had long been the case before it
  was lost in a recent rewrite. If obj and obj->data are both non-NULL
  this is already taken care of by i2t_ASN1_OBJECT_internal(), so many
  callers were still safe.

  ok miod
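An added example, not OBJ_obj2txt() or i2t_ASN1_OBJECT_internal(), of the property this commit restores: a conversion routine whose caller-supplied buffer is a NUL-terminated string on every return path, including the failure paths a caller that skips error checking would otherwise hit. The DER OID decoder, struct oid and oid2txt() are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libcrypto code. */
struct oid {
	const uint8_t *data;	/* DER contents octets, after tag and length */
	size_t len;
};

/*
 * Decodes base-128 arcs into dotted text, splitting the first
 * sub-identifier into its two arcs (X.Y where value = X*40 + Y, X < 3).
 * Returns the length of the full dotted string like snprintf() would, or
 * -1 on failure. If buf_len is too small the text is truncated, and
 * whenever buf_len > 0, buf is NUL-terminated on every return, including
 * failure and a NULL or empty object.
 */
int
oid2txt(char *buf, size_t buf_len, const struct oid *obj)
{
	size_t pos = 0, i = 0;
	uint64_t arc = 0;
	int in_arc = 0, first = 1, n;

	if (buf != NULL && buf_len > 0)
		buf[0] = '\0';
	if (obj == NULL || obj->data == NULL || obj->len == 0)
		return -1;

	while (i < obj->len) {
		uint8_t b = obj->data[i++];
		size_t avail = (buf != NULL && pos < buf_len) ? buf_len - pos : 0;
		char *dst = avail > 0 ? buf + pos : NULL;

		if (!in_arc && b == 0x80)
			goto err;			/* non-minimal encoding */
		if (arc > (UINT64_MAX >> 7))
			goto err;			/* arc does not fit */
		arc = (arc << 7) | (b & 0x7f);
		in_arc = (b & 0x80) != 0;
		if (in_arc)
			continue;
		if (first) {
			uint64_t hi = arc < 40 ? 0 : arc < 80 ? 1 : 2;
			uint64_t lo = arc - hi * 40;
			n = snprintf(dst, avail, "%llu.%llu",
			    (unsigned long long)hi, (unsigned long long)lo);
			first = 0;
		} else
			n = snprintf(dst, avail, ".%llu", (unsigned long long)arc);
		if (n < 0)
			goto err;
		pos += (size_t)n;
		arc = 0;
	}
	if (in_arc)
		goto err;				/* truncated last arc */
	return (int)pos;

 err:
	if (buf != NULL && buf_len > 0)
		buf[0] = '\0';
	return -1;
}
```

Feeding it the constructed contents octets 55 04 03 (commonName, 2.5.4.3) returns 7 and fills "2.5.4.3"; with a 4-byte buffer it still returns 7 but leaves the truncated string "2.5"; the truncated input 2a 86 returns -1 with buf empty, so a caller that logs buf unconditionally prints an empty string rather than whatever was in the buffer before.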
* cms_asn1.c: zap stray tabs  tb  2023-05-23  1 file  -8/+1
* Remove misplaced semicolons in .Fa  tb  2023-05-22  2 files  -6/+6
* ecdhtest: Fix indent  tb  2023-05-20  1 file  -2/+2
* Remove a space that I thought I had already deleted.  tb  2023-05-20  1 file  -2/+2

  Makes mandoc -Tlint happier
* Add a slow regress target that runs openssl speed with proper alignment  tb  2023-05-20  1 file  -2/+7

  and with an unaligned offset. Let's see if all ciphers on our strict
  alignment arches can deal with this.
* openssl speed: add an '-unaligned n' option  tb  2023-05-20  2 files  -7/+37

  All hashes and ciphers covered by speed should be able to handle
  unaligned input and output. The buffers used in openssl speed are well
  aligned since they are large, so will never exercise the more
  problematic unaligned case. I wished something like this was available
  on various occasions. It would have been useful to point more easily at
  OpenSSL's broken T4 assembly. Yesterday there were two independent
  reasons for wanting it, so I sat down and did it.

  It's trivial: make the allocations a bit larger and use buffers starting
  at an offset inside these allocations. Despite the triviality, I
  managed to have a stupid bug. Thanks miod.

  discussed with jsing
  ok miod
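An added example (not libcrypto's sha512.c or the speed app) combining the two alignment ideas from the SHA-512 clean-up and from this option: a byte-wise load that is always safe, a direct wide load that is used only once the pointer is known to be 8-byte aligned, and a harness that places the input at an offset inside a larger allocation so both paths get exercised. All names and the sample input are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libcrypto code. */

/* Portable big-endian load: works for any pointer on any architecture. */
static uint64_t
load_be64_bytes(const uint8_t *p)
{
	uint64_t v = 0;

	for (size_t i = 0; i < 8; i++)
		v = (v << 8) | p[i];
	return v;
}

static int
host_is_little_endian(void)
{
	const uint16_t one = 1;
	uint8_t b;

	memcpy(&b, &one, 1);
	return b == 1;
}

static uint64_t
bswap64(uint64_t v)
{
	return ((v & 0x00000000000000ffULL) << 56) |
	    ((v & 0x000000000000ff00ULL) << 40) |
	    ((v & 0x0000000000ff0000ULL) << 24) |
	    ((v & 0x00000000ff000000ULL) << 8) |
	    ((v >> 8) & 0x00000000ff000000ULL) |
	    ((v >> 24) & 0x0000000000ff0000ULL) |
	    ((v >> 40) & 0x000000000000ff00ULL) |
	    (v >> 56);
}

/*
 * Direct load through a wider type. Only valid when the caller has
 * checked the alignment; casting first and checking later lets the
 * compiler infer alignment from the type, which is what the SHA-512
 * commit avoids by keeping input as const uint8_t * until the check.
 */
static uint64_t
load_be64_aligned(const uint8_t *p)
{
	uint64_t v = *(const uint64_t *)(const void *)p;

	return host_is_little_endian() ? bswap64(v) : v;
}

/* Sum of big-endian 64-bit words over len bytes (whole words only). */
uint64_t
sum_be64(const uint8_t *in, size_t len)
{
	int aligned = ((uintptr_t)in % sizeof(uint64_t)) == 0;
	uint64_t s = 0;

	for (size_t i = 0; i + 8 <= len; i += 8)
		s += aligned ? load_be64_aligned(in + i) :
		    load_be64_bytes(in + i);
	return s;
}

/*
 * What '-unaligned n' does: allocate a bit more than needed and hand the
 * routine a pointer n bytes into the allocation. Returns 0 on allocation
 * failure (the sum of a real input is never checked against 0 here).
 */
uint64_t
sum_at_offset(const uint8_t *src, size_t len, size_t offset)
{
	uint8_t *buf;
	uint64_t s;

	if ((buf = malloc(len + offset)) == NULL)
		return 0;
	memcpy(buf + offset, src, len);
	s = sum_be64(buf + offset, len);
	free(buf);
	return s;
}
```

With the constructed input bytes 0x00..0x1f, every offset must give the same sum (0x3034383c4044484c); offset 0 takes the direct-load path, offset 3 the byte path. On a strict-alignment architecture a routine that casts without the check would fault on the offset-3 call, which is exactly what the regress target added after this commit looks for.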
* openssl speed: minor style nits  tb  2023-05-20  1 file  -8/+6

  This drops a bunch of unnecessary parentheses, makes the strcmp()
  checks consistent and moves some "}\n\telse" to "} else".

  Makes an upcoming commit smaller
* openssl speed: remove binary curve remnants  tb  2023-05-20  1 file  -88/+5

  This wasn't properly hidden under OPENSSL_NO_EC2M, and all it does now
  is producing ugly errors and useless "statistics".

  While looking at this, I found that much of speed "has been pilfered
  from [Eric A. Young's] libdes speed.c program". Apparently this was a
  precursor and ingredient of SSLeay. Unfortunately, it seems that this
  piece of the history is lost.

  ok miod

  PS: If anyone is bored, a rewrite from scratch of the speed 'app' would
  be a welcome contribution and may be an instructive rainy day project.
  The current code was written in about the most stupid way possible so
  as to maximize fragility and unmaintainability.