| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
These helpers used to contain messy pointer bashing some with weird logic
for NUL termination. This can be written more safely and cleanly using
CBB/CBS, so do that. The result is nearly but not entirely identical to
code used elsewhere due to some strange semantics. Apart from errors pushed
on the stack due to out-of-memory conditions, care was taken to preserve
error codes.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently have three C implementations for SHA-512 - a version that is
optimised for CPUs with minimal registers (specifically i386), a regular
implementation and a semi-unrolled implementation. Testing on a ~15 year
old i386 CPU, the fastest version is actually the semi-unrolled version
(not to mention that we still currently have an i586 assembly
implementation that is used on i386 instead...).
More decent architectures do not seem to care between the regular and
semi-unrolled version, presumably since they are effectively doing the
same thing in hardware during execution.
Remove all except the semi-unrolled version.
ok tb@
|
| | |
|
| | |
|
| |
|
|
| |
ok tb@
|
| | |
|
| |
|
|
|
|
| |
The previous commit resulted in misalignment, which impacts my OCD worse
than no alignment at all. Alignment wasn't consistently done in this file
anyway. op tells me it won't affect current efforts in reducing the diff.
|
| |
|
|
| |
With input from beck and jsing
|
| |
|
|
|
|
|
| |
This is more accurate and improves readability a bit. Apart from a comment
tweak this is sed + knfmt (which resulted in four wrapped lines).
Discussed with beck and jsing
|
| |
|
|
|
|
|
|
|
| |
and while here mark as const data.
This diff is actually from gilles@, in OpenSMTPD-portable bundled
libtls.
ok tb@, jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The behavior of the BPSW primality test for numbers > 2^64 is not very
well understood. While there is no known composite that passes the test,
there are heuristics that indicate that there are likely infinitely many.
Therefore it seems appropriate to harden the test. Having a settable
number of MR rounds before doing a version of BPSW is also the approach
taken by Go's primality check in math/big.
This adds a new implementation of the old MR test that runs before running
the strong Lucas test. I like to imagine that it's slightly cleaner code.
We're effectively at about twice the cost of what we had a year ago. In
addition, it adds some non-determinism in case there actually are false
positives for the BPSW test.
The implementation is straightforward. It could easily be tweaked to use
the additional gcds in the "enhanced" MR test of FIPS 186-5, but as long
as we are only going to throw away the additional info, that's not worth
much.
This is a first step towards incorporating some of the considerations in
"A performant misuse-resistant API for Primality Testing" by Massimo and
Paterson. Further work will happen in tree. In particular, there are plans
to crank the number of Miller-Rabin tests considerably so as to have a
guaranteed baseline. The manual will be updated shortly.
positive feedback beck
ok jsing
|
| |
|
|
|
| |
unlock-lock dance it serves no real purpose any more. Confirmed
by a small performance increase in tests. ok @tb
|
| |
|
|
| |
having flags set.
|
| |
|
|
| |
Pointed out and ok by dlg
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Anything taken to the power of 0 is 1, and then reduced mod 1 or mod -1 it
will be 0. If "anything" includes 0 or not is a matter of convention, but
it should not depend on the sign of the modulus...
Reported by Guido Vranken
ok jsing (who had the same diff)
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The other_ctx is a strong contender for the worst name of a struct member
in OpenSSL. It's a void * member whose only purpose ever was to be set to a
STACK_OF(X509) * via X509_STORE_CTX_trusted_stack() (yes, this is obviously
a setter, why do you ask?) and then to be used by the get_issuer() callback
(which of course isn't there to find any old issuer, but only to look for
issuers among the 'trusted' certs).
Anyway, we may want to rename untrusted into intermediates and trusted into
roots later on, but for now let's match the lovely public API. While there
rename get_issuer_sk() into get_trusted_issuer() which is a more accurate
and slightly less silly name.
ok jsing
|
| | |
|
| | |
|
| |
|
|
|
| |
errors which should cause abort. A few are not enabled yet, they
will be once the corresponding diffs in malloc are committed.
|
| |
|
|
|
|
|
|
|
| |
roots was used to store the trusted stack or pull the roots out of the
X509_STORE before beck unmooned Ethel in x509_vfy.c r1.88. Since then
this variable is effectively unused. It seems the STACK_OF(3) madness
is too complicated for -Wunused-but-set-variable to notice.
ok miod
|
| |
|
|
|
|
|
| |
If an extension is non-critical, X509V3_extensions_print() would leave
trailing whitespace. This can be trivially avoided.
ok miod
|
| | |
|
| |
|
|
| |
Found by, compile tested & ok bluhm.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This drops a few certs per the CA's request and TrustCor because of drama.
Certainly, a new CA, is added as well as new certs for DigiCert, SECOM and
E-Tugra. Unizeto still haven't fixed one of their certs and we still don't
want the alternative Firmaprofesional with sha1WithRSAEncryption.
ok sthen
|
| |
|
|
| |
ok jsing (a very long time ago)
|
| | |
|
| |
|
|
|
|
|
|
| |
A calloc failure should be a fatal error, so make it return -1.
Also switch the default rv to -1 and distinguish error cases with
acceptable situations with goto err/goto done.
ok jsing
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This makes the custom stalt stack work again.
Tested by robert as part of a larger diff
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Nothing should be using this anymore, except that salt decided to use
it in its home-cooked protocol, which already had its share of issues.
Hopefully the efforts to switch salt to something more reasonable and
standardized like mTLS will succeed sooner rather than later.
tested as part of a larger patch by robert
ok jsing
|
| |
|
|
| |
With e_old.c gone, we no longer need this.
|
| |
|
|
|
|
|
| |
This should leak slightly less than the direct expansion of ASN1_dup_of().
Use freezero() since the DER could contain a private key.
ok jsing
|
| | |
|
| |
|
|
| |
This currently leaks, which will fixed in a follow-on commit.
|
| |
|
|
|
|
| |
This test depends on RAND_set_rand_method() allowing stupid things like
making ECDSA signatures deterministic. This was gutted a long time ago
and the function should have followed its wrappers into the attic.
|
| |
|
|
|
|
|
| |
An int would be perfectly sufficient for this, but then again there would
be fewer traps.
ok jsing
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
regress for the moment. this will come back after we rethink
the failure versus not there case.
ok tb@ jsing@
|
| |
|
|
|
|
| |
changing tests.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently these functions return raw ASN1_STRING bytes as
a C string and ignore the encoding in a "hold my beer I am
a toolkit not a functioning API surely it's just for testing
and you'd never send nasty bytes" kind of way.
Sadly some callers seem to use them to fetch things liks
subject name components for comparisons, and often just
use the result as a C string.
Instead, encode the resulting bytes as UTF-8 so it is
something like "text",
Add a failure case if the length provided is inadequate
or if the resulting text would contain an nul byte.
based on boringssl.
nits by dlg@
ok tb@
|
