summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Add EVP_CIPHER_meth_* documentation from OpenSSL 1.1tb2023-03-161-0/+335
| | | | | | | | This is essentially the original text with a few tweaks and fixes by me, removing parts inapplicable to LibreSSL. There are dangling references to EVP_CIPHER_CTX_copy(3) and EVP_CIPHER_CTX_get_cipher_data(3). This all isn't great, but it's better than nothing. Probably good enough for these rarely used functions.
* Update manpage for X509_CRL_get0_tbs_sigalg()libressl-v3.7.1job2023-03-161-4/+18
| | | | OK tb@
* Bump LibreSSL version to 3.7.2tb2023-03-161-3/+3
|
* Fix a number of out of bound reads in DNS response parsing.millert2023-03-151-1/+7
| | | | Originally from djm@. OK deraadt@ florian@ bluhm@
* Return the signature length after successful signing operationtb2023-03-151-1/+3
| | | | | | | | | This is required behavior of the EVP_DigestSign() API, but seemingly almost nothing uses this. Well, turns out ldns does. Reported by Stephane. Helpful comments by sthen. ok jsing
* Add comments that explain why things are done in this strange order.tb2023-03-151-3/+13
| | | | | | There's some method to this madness. ok jsing
* Push calloc() of ndef_aux down as far as possible andtb2023-03-151-7/+8
| | | | | | | pull the setting of the ex_arg up, so we can do error checking. ok jsing
* Error check BIO_asn1_set_{prefix,suffix}() callstb2023-03-151-3/+5
| | | | ok jsing
* Streaming BIOs assume they can write to NULL BIOstb2023-03-151-5/+4
| | | | | | | | | | At least SMIME_text() relies on this. Pushing an error on the stack trips PKCS7 regress in py-cryptography, so indicate nothing was written instead of throwing an error. Reported by Alex Gaynor a while back ok jsing
* Ensure negative input to BN_mod_exp_mont_consttime() is correctly reduced.jsing2023-03-151-7/+4
| | | | | | | | | | A negative input to BN_mod_exp_mont_consttime() is not correctly reduced, remaining negative (when it should be in the range [0, m)). Fix this by unconditionally calling BN_nnmod() on the input. Fixes ossfuzz #55997. ok tb@
* Include tests with negative values in BN_mod_exp* regress.jsing2023-03-151-2/+15
| | | | This currently fails.
* bn_mod_exp_zero: rename result into gottb2023-03-151-14/+14
|
* Stop confusing out and asn_bio in BIO_new_NDEF()tb2023-03-131-4/+4
| | | | | | | | | | BIO_new_NDEF() sets up an ASN.1 BIO to the output chain and then adds even more BIOs. Since BIO_push(bio, new_tail) returns bio on success, after the if ((out = BIO_push(asn_bio, out)) != NULL) the 'out' BIO and the 'asn_bio' are the same. The code then goes on and uses one or the other. This is very confusing. Simply stop using out once it's appended to asn_bio. ok jsing
* pk7_cb() and cms_cb()tb2023-03-122-5/+8
| | | | | | Add and fix FALLTHROUGH statement. I was confused for way too long since I hadn't noticed that this case fell through to the next. Also add and move some empty lines in the cms_cb() to make this resemble KNF more.
* Avoid an 1 byte out-of-bounds read in ASN1_PRINTABLE_type()tb2023-03-121-2/+2
| | | | | | | | | | | In case the input is not NUL terminated, the reversed check for length and terminating NUL results in a one-byte overread. The documentation says that the input should be a string, but in ASN.1 land you never know... Reported by Guido Vranken a while back ok beck
* Remove a few extra spacestb2023-03-111-2/+2
|
* Switch an early return into goto errtb2023-03-111-2/+2
|
* Tiny cleanup for readabilitytb2023-03-111-4/+5
| | | | | Turn a malloc() into calloc() and check two function calls directly forever instead of a combined check afterward.
* Use "if (ptr == NULL)" instead of "if (!ptr)"tb2023-03-111-3/+3
| | | | Requested by jsing
* Fix double free after BIO_new_NDEF()tb2023-03-111-6/+7
| | | | | | | | | | | | Once the asn_bio is prepended to the out chain, and before the asn1_cb() has done its thing, asn_bio needs to be popped off again on error. Failing to do this can cause write after frees or double frees when the out BIO is used after the function returned. Based on a very complicated diff by Matt Caswell and Viktor Dukhovni. This was part of the fixes in OpenSSL 1.1.1t. ok jsing
* Fix an off-by-one in dsa_check_key()tb2023-03-111-2/+2
| | | | | | | | | | The private key is a random number in [1, q-1], so 1 must be allowed. Since q is at least an 160-bit prime and 2^159 + 1 is not prime (159 is not a power of 2), the probability that this is hit is < 2^-159, but a tiny little bit wrong is still wrong. Found while investigating a report by bluhm ok jsing
* Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().jsing2023-03-111-0/+1
| | | | | | Issue reported by Graham Percival (@gperciva) ok tb@
* Add OPENSSL_cleanup() calls to some regress.jsing2023-03-112-2/+6
| | | | This gets us some minimal test coverage.
* Avoid -0 in BN_div_word().jsing2023-03-111-1/+5
| | | | | | | | | Currently, the use of BN_div_word() can result in -0 - avoid this by setting negative again, at the end of the computation. Should fix oss-fuzz 56667. ok tb@
* Correct sign handling in BN_add_word().jsing2023-03-111-3/+3
| | | | | | | | | | | | A sign handling bug was introduced to BN_add_word() in bn_word.c r1.18. When handling addition to a negative bignum, the BN_sub_word() call can result in the sign being flipped, which we need to account for. Use the same code in BN_sub_word() - while not technically needed here it keeps the code consistent. Issue discovered by tb@ ok tb@
* Remove a pesky space.jsing2023-03-111-2/+2
|
* Add regress coverage for BN_{add,sub,mul,div,mod}_word().jsing2023-03-112-1/+619
| | | | | | | This also provides some indirect coverage for BN_hex2bn(), BN_bn2hex() and BN_get_word(). Two of these tests are currently failing and will be fixed shortly.
* Mark test table as static const.jsing2023-03-111-2/+2
|
* Crankl libcrypto/libssl/libtls minors after symbol additiontb2023-03-103-3/+3
|
* Update Symbols.listtb2023-03-101-0/+18
|
* Expose various X509_STORE_*check_issued()tb2023-03-101-3/+1
|
* Expose X509_CRL_get0_sigalg() and X509_get0_uidstb2023-03-101-5/+1
|
* Expose UI_null()tb2023-03-101-3/+1
|
* Expose the EVP_CIPHER_meth_* API (setter only) in evp.htb2023-03-101-3/+1
|
* ASN.1 BIO: properly wire up prefix_free and suffix_freetb2023-03-101-1/+7
| | | | | | | | | | | | | | If something goes wrong before the ASN.1 BIO state machine has passed both flushing states, asn1_bio_free() forgets to free the ndef_aux and the ex_arg since the prefix_free() and suffix_free callbacks are not called. This can lead to leaks, notably in streaming bios. Part of https://github.com/openssl/openssl/pull/15999 I have a regress covering this but it is not yet ready to land. ok beck jsing
* Return the correct type for ASN.1 BOOLEANstb2023-03-101-5/+9
| | | | | | | | | | | | | ASN.1 BOOLEANs and ASN.1 NULL are handled specially in the ASN.1 sausage factory and they are special in that they don't have a->value.ptr set. Both need to be special cased here since they fail the a->type.ptr != NULL check. Apart from fixing an obvious bug in ASN1_TYPE_get(), this fixes another crash in openssl(1) asn1parse. There is more to do in the vicinity, but that is more complex and will have to wait for OpenBSD 7.3-current. with/ok jsing
* openssl(1) asn1parse: avoid crash with ASN.1 BOOLEANStb2023-03-101-3/+4
| | | | | | | | | | | | | When pointing openssl asn1parse -strparse at DER octets 01 01, it crashes: $ printf '<\x01\x01>' | openssl asn1parse -inform der -strparse 1 Refuse to parse BOOLEAN types instead, which avoids a crash in hensonian /* hmm... this is a little evil, but it works */ code. Found while poking at CMS timestamps to understand one of job's diffs. with/ok jsing
* Add missing error checking in PKCS7tb2023-03-091-3/+11
| | | | | | | | Check the return value of BIO_set_md(). Prompted by OpenSSL's fix for CVE-2023-0401 (the crash in that bug is an OpenSSL 3-only problem due to provider design). ok beck jsing
* Use BN_free() instead of BN_clear_free()tb2023-03-081-2/+2
|
* Fix a EC_GROUP_clear_free() that snuck through.jsing2023-03-081-2/+2
| | | | Thanks to Mark Patruck for reporting.
* Fix previous.jsing2023-03-081-5/+5
|
* reduce number of tests in bn_rand_interval.tb2023-03-081-2/+2
| | | | | This is only testing basic functionality anyway, so 10000 tests are more than enough.
* bn_isqrt: reduce number of tests to 100.tb2023-03-081-2/+2
| | | | | | The runtime is roughly quadratic in N_TESTS. While it only takes 1-2s on modern machines, this test takes a long time on slow machines. A reduction of runtime by a factor of ~16 is significant.
* Process up to four test vector files concurrently.jsing2023-03-081-4/+30
| | | | | | | | | This avoids having a slow down when processing test vector files that only have a single group. Note that the processing of test vector files is in turn going to be rate limited by the number of concurrent test groups, which means we do not need variable limits for vectors. Reduces a Wycheproof regress run down to ~8 seconds on an Apple M1.
* Always clear EC groups and points on free.jsing2023-03-0810-114/+35
| | | | | | | | | | Rather than sometimes clearing, turn the free functions into ones that always clear (as we've done elsewhere). Turn the EC_GROUP_clear_free() and EC_POINT_clear_free() functions into wrappers that call the *_free() version. Do similar for the EC_METHOD implementations, removing the group_clear_finish() and point_clear_finish() hooks in the process. ok tb@
* Run test groups concurrently.jsing2023-03-081-144/+151
| | | | | | | Add a basic test coordinator, that allows for Wycheproof test groups to be run concurrently. This can be further improved (especially for vectors that have limited test groups), however it already reduces the regress duration by about half on an Apple M1.
* zap more audit remnantstb2023-03-081-6/+1
|
* Stop trying to use EC_GFp_nist_method().jsing2023-03-081-76/+20
| | | | | | | | | | | | | | | | | | | | | | | | Currently, if compiled without OPENSSL_BN_ASM_MONT, EC_GROUP_new_curve_GFp() tries to use EC_GFp_nist_method(), falling back to EC_GFp_mont_method() if it is not a NIST curve (if OPENSSL_BN_ASM_MONT is defined we use EC_GFp_mont_method() unconditionally). Now that we have a reasonable non-assembly Montgomery implementation, the performance of EC_GFp_nist_method() is either similar or slower than EC_GFp_mont_method() (the exception being P-521, however if you're using that you're not doing it for performance reasons anyway). The EC_GFp_nist_method() uses rather scary BN NIST code (which would probably already be removed, if not for the BN and EC public APIs), it uses code paths that are currently less constant time, and there is additional overhead in checking to see if the curve is actually supported. Stop trying to use EC_GFp_nist_method() and unconditionally use EC_GFp_mont_method() in all cases. While here, factor out the common setup code and call it from both EC_GROUP_new_curve_GFp() and EC_GROUP_new_curve_GF2m(). ok beck@ tb@
* Remove acceptable audit.jsing2023-03-081-94/+1
| | | | | | | This code would need changes to be safe to use concurrently - remove it since it is somewhat incomplete and needs reworking. Requested by tb@
* Remove EC_FLAGS_DEFAULT_OCT.jsing2023-03-086-79/+27
| | | | | | | | | | | | | | The EC code has an amazing array of function pointer hooks, such that a method can hook into almost any operation... and then there is the EC_FLAGS_DEFAULT_OCT flag, which adds a bunch of complex code and #ifdef so you can avoid setting three of those function pointers! Remove EC_FLAGS_DEFAULT_OCT, the now unused flags field from EC_METHOD, along with the various code that was wrapped in EC_FLAGS_DEFAULT_OCT, setting the three function pointers that need to be set in each of the EC_METHODs. ok beck@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-26 03:47:00 +0000