| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
This provides a SHA-256 assembly implementation that makes use of the ARM
Cryptographic Extension (CE), which is found on many arm64 CPUs. This gives
a performance gain of up to 7.5x on an Apple M2 (dependent on block size).
If an aarch64 machine does not have SHA2 support, then we'll fall back to
using the existing C implementation.
ok kettenis@ tb@
|
| |
|
|
|
|
|
| |
Don't leak v if its insertion into the hash failed and properly free it
instead.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
| |
There's no need to cast away const from a const char * if you're going to
pass it to a const char * argument of a function.
|
| |
|
|
|
|
|
|
| |
This makes it clear for those fluent in OpenSSL API gibberish that nothing
needs to be freed here. This is because it returns something hanging off a
hash entry owned by cnf.
ok jsing
|
| |
|
|
|
|
|
|
| |
Historically, X509V3_section_free() could be customized by the conf db
method to release memory allocated by X509V3_get_section(). This is no
longer supported, so it is always a noop and can be removed.
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| | |
|
| |
|
|
|
| |
Despite the claim in this comment, the "new" conf code did replace
the "old" conf code (which no longer exists in the public API).
|
| | |
|
| |
|
|
|
| |
This way we don't need a prototype and things that belong together
are together. Slight KNF tweak while there
|
| | |
|
| |
|
|
| |
From Kenjiro Nakayama
|
| |
|
|
|
|
|
| |
For an OID of excessive length >= 2^12, a->length << 20L is undefined,
so add a cast to the target type of (unsigned long).
From Kenjiro Nakayama
|
| |
|
|
|
|
|
|
| |
This is undefined for a ca->type of ADDED_LNAME (2) and ADDED_NID (3)
when ca->type << 30L results in a shift into the sign bit, so add a
cast to the target type of unsigned long.
From Kenjiro Nakayama
|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
As far as I can tell this has never been used since the beginning of git
history with SSLeay 0.8.1b, so we can simplify the x509_cb() a little.
ok jsing miod
|
| |
|
|
|
|
| |
internal_verify() (now x509_vfy_internal_verify()) used to cache the
validity of the signature of a cert in this field. This is no longer
the case since x509_vfy.c 1.57 (2017).
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, SHA{1,256,512}_ASM defines are used to remove the C
implementation of sha{1,256,512}_block_data_order() when it is provided
by assembly. However, this prevents the C implementation from being used
as a fallback.
Rename the C sha*_block_data_order() to sha*_block_generic() and provide
a sha*_block_data_order() that calls sha*_block_generic(). Replace the
Makefile based SHA*_ASM defines with two HAVE_SHA_* defines that allow
these functions to be compiled in or removed, such that machine specific
verisons can be provided. This should effectively be a no-op on any
platform that defined SHA{1,256,512}_ASM.
ok tb@
|
| |
|
|
|
|
|
|
| |
This removes the penultimate internal call of BN_MONT_CTX_new(). The last
one could be removed at the cost of introducing a BN_MONT_CTX_dup(), which
probably isn't worth it.
ok jsing
|
| |
|
|
|
|
|
| |
This can now be a single call before the BN_MONT_CTX is actually used
rather than two calls separated by 170 lines.
ok jsing
|
| |
|
|
|
|
|
|
| |
This simplifies the handling of the BN_MONT_CTX passed in and unifies the
exit paths. Also zap some particularly insightful comments by our favorite
captain.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This does what the public BN_MONT_CTX_new() should have done in the first
place rather than doing the toolkit thing of returning an invalid object
that you need to figure out how to populate and with what because the docs
are abysmal.
It takes the required arguments and calls BN_MONT_CTX_set(), which all
callers do immediately after _new() (except for DSA which managed to
squeeze 170 lines of garbage between the two calls).
ok jsing
|
| | |
|
| |
|
|
|
| |
(leaving out a dotasm comment that would become harder to read than it
already is)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The issuer cache holds a pair of SHA-512 of parent and child cert plus
the result of the signature verification. Since CRLs also have a cached
hash of their DER, we can easily add them to the same cache. This way we
also avoid the cost of repeated signature verification for CRLs.
For ordinary workloads the cache is larger than necessary and it won't
currently take up more space than ~8M anyway, so the cost of doing this
is negligible.
For applications like rpki-client where the same (CA, CRL) pair is used
to verify multiple EE certs, the gain is significant. In fact, the current
worst case is a single pair being used for > 50k EE certs, responsible for
about 20-25% of the total runtime of an ordinary rpki-client run if a
hw-accelerated version of SHA-2 is available and even more if it isn't.
In both cases the cost of processing of this pair is reduced by more than
an order of magnitude.
The implementation is a translation of x509_verify_parent_signature() to
the case of CRLs and is entirely trivial thanks to the cache's design.
Found while investigating a performance bottleneck found by job
tested by job
ok beck
|
| |
|
|
| |
Fix includes while there
|
| |
|
|
|
|
|
| |
The parent certificate outlives the signature check, so we don't have
to take a refcount of its pubkey and then release it again.
ok beck
|
| |
|
|
|
|
|
|
| |
If a signature mismatch is cached, the same error should be passed to the
verify callback as if the mismatch was detected by doing the calculation,
rather than falling back to the "unable to find the issuer cert locally".
ok beck
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
This is simpler, doesn't need an auxiliary function of dubious value,
avouds an auxiliary variable and gets rid of a bunch of comments that
are hard to make sense of.
This doesn't bother to invalidate recp->shift since on error you should
not be reusing the RECP_CTX without reinitializing it.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
The fast path where no division is performed can be dealt with without
BN_CTX, so do that up front so there's no need to clean up before return.
Error check BN_CTX_get() on each use asd simplify the logic for optional
input parameters. KNF for an ugly comment.
ok jsing
|
| |
|
|
|
|
| |
CID 532326
ok djm jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The RC4_INDEX define switches between base pointer indexing and per-byte
pointer increment. This supposedly made a huge difference to performance
on x86 at some point, however compilers have improved somewhat since then.
There is no change (or effectively no change) in generated assembly on
a the majority of LLVM platforms and even when there is some change
(e.g. aarch64), there is no noticable performance difference.
Simplify the (still messy) macros/code and mop up RC4_INDEX.
ok tb@
|
| |
|
|
|
| |
This was needed to avoid truncation on BIO_write(). With the switch to
BIO_printf() in the previous commit this is no longer needed.
|
| |
|
|
|
|
| |
This handles the empty string, which ruby-openssl checks.
Pointed out by anton
|
| | |
|
