| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
These functions are properly documented and upcoming surgery in here is
going to be tricky enough without having to navigate around this noise.
No code change.
|
| |
|
|
|
|
|
| |
... because RSA_meth_new() doesn't. So we can fortunately lose a few lines
added in the previous commit. Three cheers for the masters of inconsistency.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, we would set the ECDSA_METHOD on the EC_KEY, which, by way
of lovely indirection in our three crypto/ec* directories ended up having
no effect on the default methods. Now that we set a new EC_KEY_METHOD, we
need to make sure we still have the other handlers that we might need.
Like so many things that were made opaque in the 1.1 re"design", the
accessors were written without actual application code in mind. In
particular, EC_KEY_METHOD lacks a dup(). This means we get to fetch the
default methods with getters and then set them again on the new method.
This is particularly awesome because once someone adds a new method to
the opaque struct, all applications will have to adapt and do a get/set
dance.
So far this is very reminiscent of PostgreSQL with BIO_meth_*
https://github.com/postgres/postgres/blob/a14e75eb0b6a73821e0d66c0d407372ec8376105/src/interfaces/libpq/fe-secure-openssl.c#L1921-L1928
Only it's worse here because someone wanted to be smart and save a few
public functions, so we have to use getters that get several functions
at once. Which in turn means we need to have function pointers with the
precise signatures which are part of the struct that was made opaque.
We will add a EC_KEY_METHOD_dup() in the next bump, but for now this is
the best fix we can have.
Whenever you think you've seen the worst turds in this code base, you find
another one that could serve as an exemplar.
ok jsing op
|
| |
|
|
|
|
|
| |
Since libtls now sets the ex_data with EC_KEY_set_ex_data(), the do_sign()
callback needs to have a matching change.
ok jsing op
|
| |
|
|
|
|
|
|
|
|
|
| |
smtpd and the bits it needs in libtls are the only consumer left of
ECDSA_METHOD, which is long deprecated. This paves the way for the
removal in libcrypto.
The diff is from gilles' work on OpenSMTPD-portable, libretls had a
similar diff.
ok tb@, jsing@
|
| |
|
|
|
| |
This provides significant performance gains for bn_sqr_comba4() and
bn_sqr_comba8().
|
| |
|
|
|
|
|
|
|
|
| |
Factor out and optimise the inner loop for Montgomery multiplication,
making use of bn_qwmulw_addqw_addw() to perform Montgomery multiplication
by one word in larger steps. This provides a significant performance gain,
especially on platforms where bn_qwmulw_addqw_addw() is (or can be)
optimised.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
Mixing SSL_{get,set}_ex_data() and and SSL_{get,set}_app_data() in the
same application causes problems since they both place their data at
the same spot.
From Marc Aldorasi
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
(this and the Ed25519 addition to obj_xref.txt were ok jsing)
|
| |
|
|
|
| |
Also move part of for RSA-PSS to the top since it doesn't only apply to
RSA-PSS.
|
| |
|
|
|
|
|
|
| |
Switch to using EVP_DigestVerify(). Move the freeing of in where it
belongs (previously it would leak on EVP_DigestVerifyUpdate() failure),
and use the proper idiom for ASN1_item_i2d() error checking.
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
Rename buf_in into in, buf_out into out, use in_len and out_len for their
lengths, drop a couple of silly casts and remove some empty lines.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This makes this function work with Ed25519 and cleans up a handful of
ugly contortions: use EVP_DigestSign() to determine the signature length
instead of using the strange EVP_PKEY_size() and garbage collect the now
useless out_len. Also use calloc().
ok jsing
|
| |
|
|
|
|
|
| |
Also move the NULL check for the EVP_MD into the rv == 2 path, which
is the only branch where it is used.
ok jsing
|
| |
|
|
|
|
| |
Pull a NULL check for pkey->ameth up to before ameth is first accessed. An
EVP_PKEY created with EVP_PKEY_new() has ameth == NULL, so this check makes
sense, but it does not make sense to do it where it was.
|
| |
|
|
|
|
|
|
|
|
|
| |
If the item_sign() ASN.1 method returns 1, it supposedly handles everything
and the goto err prior to r1.5 was actually a success path. Go figure.
This is fortunately inconsequential since there are only two item_sign()
methods, one for RSA and one for Ed25519, neither of which can return 1.
They only return 0, 2, and 3.
Pointed out by and ok jsing
|
| |
|
|
|
| |
Reword it in such a way that it stands on its own and doesn't refer
to a non-existent model above. Also tweak grammar and fix typos.
|
| |
|
|
|
|
|
|
|
|
|
| |
All the functions changed in this commit would silently misbehave if the
return value aliases the modulus, most of the time they would succeed and
return an incorrect result of 0 in that situation. This adjusts all the
functions in BN_mod.c, others and documentation will follow later.
Prompted by a bug report about BN_mod_inverse() by Guido Vranken.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
One problem with OpenSSL error codes is that they tend to be too specific
(another problem is that they are extremely ugly). So add an EINVAL-style
error code. This will be used in an upcoming commit to disallow aliasing
of the 'return value' with the modulus in BN_mod_* functions and should
be applicable elsewhere, outside of this one narrow use case.
ok jsing
|
| | |
|
| |
|
|
| |
This provides a performance gain across most BN operations.
|
| |
|
|
|
|
|
|
| |
This includes bn_qwaddqw(), bn_qwsubqw(), bn_qwmulw_addw() and
bn_qwmulw_addqw_addw(). These can typically be optimised on architectures
that have a reasonable number of general purpose registers.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
This converts ssl3_{get,send}_server_key_exchange() to EVP_DigestVerify()
and EVP_DigestSign(). In order to do this, build the full signed_params
up front and rework the way the key exchange parameters are constructed.
This way we can do the verify and sign steps in one go and at the same
use a more idiomatic approach with CBB/CBS.
with/ok jsing
|
| |
|
|
|
|
|
| |
Convert ssl3_send_client_verify_{sigalgs,gost}() to EVP_DigestSign() and
ssl3_get_cert_verify() to EVP_DigestVerify().
ok jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
No binary change on amd64
|
| | |
|
| |
|
|
|
| |
This is very dead code: the openssl app was never compiled with -DZLIB
after January 1, 2015.
|
| |
|
|
|
|
|
| |
This has long been unused code and compilation with -DZLIB was broken
for a long time after BIO was made opaque.
ok jsing
|
| |
|
|
|
|
|
| |
Using one-shot EVP_DigestSign() and EVP_DigestVerify() is slightly shorter
and is needed for Ed25519 support.
ok jsing
|
| |
|
|
| |
until someone finds time and motivation to figure out how to use this.
|
| |
|
|
|
|
|
|
| |
must_be_ca can no longer be 0 after the proxy cert code got nuked,
so change this to an if. must_be_ca is now -1 for a leaf, or 1 for
a non leaf.
ok tb@
|
| |
|
|
|
|
|
| |
outdated list of error messages. Instead, refer to the master copy
of that list in X509_STORE_CTX_get_error(3).
Suggested by and OK tb@, and beck@ also agrees with the idea.
|
| |
|
|
|
|
| |
unfortunately gcc3 does not have __builtin_clz().
ok miod@ otto@
|
| |
|
|
|
| |
Similar to X509_get0_notBefore(3) rev. 1.6.
Requested by and OK tb@.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
of the X509_CRL_INFO object. It should have been called "thisUpdate"
like in RFC 5280 section 5.1 (and in its precursor RFC 2459). Then again,
RFC 2459 was only published in 1999, so maybe the terminology wasn't
firmly established yet when Young wrote his code several years earlier -
just guessing, neither we nor the OpenSSL folks appear to know the real
reasons...
Anyway, we have been stuck with the "lastUpdate" names in the API for
more than two decades now, so clarify in the documentation what they
refer to and what they really mean.
Requested by and OK tb@.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Suggestion from Małgorzata Olszówka, they noted:
"The original wording suggests that it is required to execute
CMS_get0_signers() after CMS_verify(), while it is CMS_get0_signers()
that requires prior successful invocation of CMS_verify()."
OK tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This traded local copies of CTASSERT() to the one in crypto_internal.h.
This change was backed out due to SHA-512 breakage on STRICT_ALIGNMENT
architectures still using Fred Flintstone's gcc without asm sha512.
Original commit message:
Use crypto_internal.h's CTASSERT()
Now that this macro is available in a header, let's use that version
rather than copies in several .c files.
discussed with jsing
|
| | |
|
| |
|
|
|
| |
Provide prototype that is hidden behind LIBRESSL_INTERNAL for portable
and or in result for future extensibility.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On free, chunks (the pieces of a pages used for smaller allocations)
are junked and then validated after they leave the delayed free
list. So after free, a chunk always contains junk bytes. This means
that if we start with the right contents for a new page of chunks,
we can *validate* instead of *write* junk bytes when (re)-using a
chunk.
With this, we can detect write-after-free when a chunk is recycled,
not justy when a chunk is in the delayed free list. We do a little
bit more work on initial allocation of a page of chunks and when
re-using (as we validate now even on junk level 1).
Also: some extra consistency checks for recallocaray(3) and fixes
in error messages to make them more consistent, with man page bits.
Plus regress additions.
|
