path: root/src/lib/libc/stdlib/reallocarray.c
Date | Author | Files | Lines, followed by the commit message
2018-07-25 | jsing | 3 files | -1/+253
Provide a harness that runs test vectors from Project Wycheproof against libcrypto. Initially this just covers RSA signatures, but can be extended to cover other cryptographic algorithms. This regress requires the go and wycheproof-testvector packages to be installed, with the regress being skipped otherwise.
Discussed with beck@ and tb@
2018-07-24 | bcook | 1 file | -1/+9
add c++ symbol annotations
from Cameron Palmer
2018-07-24 | tb | 1 file | -27/+28
Use the same order in NAME, SYNOPSIS, DESCRIPTION, and RETURN VALUES to improve readability and ease of maintenance.
Positive feedback jmc
Detailed suggestion & ok schwarze
2018-07-23 | tb | 1 file | -6/+12
Document tls_peer_ocsp_result() and use it in place of the non-existent tls_peer_ocsp_result_msg() in the documentation.
input & ok jsing
Reads fine to jmc and makes sense to schwarze
2018-07-23 | tb | 1 file | -5/+10
Use BN_swap_ct() instead of BN_consttime_swap() in ec_GF2m_montgomery_point_multiply(). The new BN_swap_ct() API is an improved version of the public BN_consttime_swap() function: it allows error checking, doesn't assert(), and has fewer assumptions on the input. This diff eliminates the last use of BN_consttime_swap() in our tree.
ok inoguchi, jsing
2018-07-23 | tb | 2 files | -8/+11
Use a size_t instead of an int for the byte count in BN_swap_ct(). Since bignums use ints for the same purpose, this still uses an int internally after an overflow check.
Suggested by and discussed with jsing.
ok inoguchi, jsing
2018-07-23 | tb | 1 file | -157/+67
Clean up our disgusting implementations of BN_{,u}{add,sub}(), following changes made in OpenSSL by Davide Galassi and others, so that one can actually follow what is going on. There is no performance impact from this change as the code still does essentially the same thing. There's a ton of work still to be done to make the BN code less terrible.
ok jsing, kn
2018-07-23 | tb | 1 file | -120/+148
Implement RSASSA-PKCS1-v1_5 as specified in RFC 8017.
Based on an OpenSSL commit by David Benjamin. Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library reported that more than 200 "expected to fail" signatures among Project Wycheproof's test vectors validated on LibreSSL. This patch makes them all fail.
ok jsing
    commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836
    Author: David Benjamin <davidben@google.com>
    Date: Sat Aug 20 13:35:17 2016 -0400
    Implement RSASSA-PKCS1-v1_5 as specified.
    RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode the DigestInfo struct and then compare the result against the public key operation result. This implies that one and only one encoding is legal.
    OpenSSL instead parses with crypto/asn1, then checks that the encoding round-trips, and allows some variations for the parameter. Sufficient laxness in this area can allow signature forgeries, as described in https://www.imperialviolet.org/2014/09/26/pkcs1.html
    Although there aren't known attacks against OpenSSL's current scheme, this change makes OpenSSL implement the algorithm as specified. This avoids the uncertainty and, more importantly, helps grow a healthy ecosystem. Laxness beyond the spec, particularly in implementations which enjoy wide use, risks harm to the ecosystem for all. A signature producer which only tests against OpenSSL may not notice bugs and accidentally become widely deployed. Thus implementations have a responsibility to honor the specification as tightly as is practical.
    In some cases, the damage is permanent and the spec deviation and security risk becomes a tax all implementors must forever pay, but not here. Both BoringSSL and Go successfully implemented and deployed RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so this change should be compatible enough to pin down in future OpenSSL releases.
    See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
    As a bonus, by not having to deal with sign/verify differences, this version is also somewhat clearer. It also more consistently enforces digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath wasn't quite doing this right.
    Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
    Reviewed-by: Rich Salz <rsalz@openssl.org>
    GH: #1474
2018-07-23 | tb | 1 file | -2/+2
avoid using argv[0] for printing to stderr
2018-07-18 | tb | 1 file | -1/+16
Bob's license was missing, add it.
ok beck
2018-07-17 | tb | 1 file | -19/+19
some more style fixes
2018-07-17 | tb | 41 files | -22/+42
Add missing $OpenBSD$ markers.
2018-07-17 | tb | 1 file | -0/+0
remove unused, empty file
2018-07-17 | inoguchi | 1 file | -3/+2
Replace getprogname() to argv[0] in bnaddsub
ok tb@
2018-07-16 | tb | 1 file | -4/+22
Document behavior change of EC_POINTs_mul() again.
2018-07-16 | tb | 6 files | -47/+341
Recommit Billy Brumley's ECC constant time patch with a fix for sparc64 from Nicola Tuveri (who spotted the omission of ecp_nist.c from the PR).
discussed with jsing
tested by jsg
2018-07-15 | tb | 1 file | -161/+27
re-commit the removal of the EC_POINTs_mul() regression tests with num > 1
2018-07-15 | tb | 19 files | -91/+93
recommit label indentation part of the backout; clearly unrelated to the breakage.
2018-07-15 | tb | 1 file | -0/+1
$OpenBSD$
2018-07-15 | tb | 1 file | -26/+160
Also revert regression tests so that EC_POINTs_mul() with longer vectors gets exercised again.
2018-07-15 | jsg | 21 files | -448/+137
back out ecc constant time changes
after the constant time commits various regress tests started failing on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out resulted in 'invalid elliptic curve value'
ok tb@
2018-07-13 | cheloha | 4 files | -15/+15
openssl app timers: TM_START -> TM_RESET, TM_STOP -> TM_GET
Much more apt than the current operation names. Names suggested by jca@ ages ago.
ok jca, jsing
2018-07-13 | tb | 1 file | -3/+3
Eliminate the weird condition in the BN_swap_ct() API that at most one bit be set in condition. This makes the constant time bit-twiddling a bit trickier, but it's not too bad. Thanks to halex for an extensive rubber ducking session over a non-spicy spicy tabouleh falafel..
ok jsing, kn
2018-07-11 | kn | 1 file | -3/+5
Sync comment
Makes it a tad easier to read through and compare with BN_swap_ct().
OK tb
2018-07-11 | tb | 1 file | -4/+22
Document behavior change of EC_POINTs_mul(3) from EC constant time changes.
ok beck on earlier version, markup help from Schwarze.
2018-07-11 | tb | 1 file | -2/+2
Turn yesterday's optimistic ! in an XXX comment into a more cautious ?
2018-07-11 | tb | 1 file | -160/+26
Update EC regression tests.
Part of https://github.com/libressl-portable/openbsd/pull/94 from Billy Brumley and his team.
ok jsing
2018-07-10 | tb | 19 files | -91/+93
Indent labels by a space so they don't obliterate function names in diffs.
2018-07-10 | tb | 5 files | -46/+337
ECC constant time scalar multiplication support. First step in overhauling the EC module.
From Billy Brumley and his team, via https://github.com/libressl-portable/openbsd/pull/94
With tweaks from jsing and me.
ok jsing
2018-07-10 | tb | 2 files | -2/+53
Provide BN_swap_ct(), a constant time function that conditionally swaps two bignums. It's saner and substantially less ugly than the existing public BN_consttime_swap() function and will be used in forthcoming work on constant time ECC code.
From Billy Brumley and his team. Thanks!
ok jsing
2018-07-10 | tb | 1 file | -32/+32
Factor out a bit of ugly code that truncates the digest to the order_bits leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate a microoptimization that only converts the relevant part of the digest to a bignum.
ok beck, jsing
2018-07-10 | tb | 2 files | -1/+2
$OpenBSD$
2018-07-10 | tb | 5 files | -239/+123
Now that all *_free() functions are NULL safe, we can generate the freenull test from Symbols.list.
Suggested by jsing, discussed with beck and bluhm.
2018-07-10 | tb | 1 file | -1/+2
+addsub
2018-07-10 | tb | 2 files | -0/+248
Add simple regression tests for BN_{,u}{add,sub}(3). With input from jca
2018-07-09 | tb | 1 file | -5/+7
Move a detail on tls_connect(3) to its documentation and be a bit more explicit about the servername argument of tls_connect_servername(3).
input & ok jsing, input & ok schwarze on earlier version
2018-07-09 | tb | 1 file | -4/+4
wording tweak for tls_init() from jsing
ok jsing, schwarze
2018-07-09 | tb | 1 file | -4/+4
sync with const changes in x509.h r1.68.
2018-07-09 | tb | 1 file | -3/+3
sync with const changes in evp.h r1.64.
2018-07-09 | tb | 1 file | -3/+3
sync with const changes in bio.h r1.44.
2018-07-09 | tb | 1 file | -10/+10
sync with const changes in bio.h r1.45.
2018-07-08 | schwarze | 2 files | -1/+240
import the relevant parts of a new ASN1_INTEGER_get(3) manual page from OpenSSL, fixing many bugs and polishing many details
2018-07-08 | schwarze | 1 file | -4/+4
Simplify and shorten the description of tls_init(3), fixing an awkward wording noticed by tb@.
OK tb@
2018-06-16 | tb | 1 file | -74/+64
This code is already painful enough to look at. Putting the braces at the right spot helps this a bit. Other whitespace and typo fixes while there.
2018-06-16 | tb | 1 file | -2/+4
Tiny tweak to the blinding comment.
2018-06-15 | tb | 1 file | -67/+62
Basic cleanup. Handle the possibly NULL ctx_in in ecdsa_sign_setup() with the usual idiom. All the allocations are now handled inside conditionals as is usually done in this part of the tree. Turn a few comments into actual sentences and remove a few self-evident ones. Change outdated or cryptic comments into more helpful annotations. In ecdsa_do_verify(), start calculating only after properly truncating the message digest. More consistent variable names: prefer 'order_bits' and 'point' over 'i' and 'tmp_point'.
ok jsing
2018-06-15 | tb | 1 file | -24/+21
Clean up some whitespace and polish a few comments. Reduces noise in an upcoming diff.
2018-06-14 | tb | 1 file | -14/+65
Use a blinding value when generating an ECDSA signature, in order to reduce the possibility of a side-channel attack leaking the private key.
Suggested by Keegan Ryan at NCC Group.
With input from and ok jsing
2018-06-14 | jsing | 1 file | -9/+39
Use a blinding value when generating a DSA signature, in order to reduce the possibility of a side-channel attack leaking the private key.
Suggested by Keegan Ryan at NCC Group.
With input from and ok tb@
2018-06-14 | jsing | 1 file | -3/+4
Clarify the digest truncation comment in DSA signature generation.
Requested by and ok tb@