path: root/src/lib/libcrypto/buffer/buffer.c
Date  Commit message  [Author, Files, Lines changed]
2025-04-18  Remove BS-AES and VP-AES from EVP.  [jsing, 3 files, -137/+9]
The bitsliced and vector permutation AES implementations were created around 2009, in attempts to speed up AES on Intel hardware. Both require SSSE3 which existed from around 2006. Intel introduced AES-NI in 2008 and a large percentage of Intel/AMD CPUs made in the last 15 years include it. AES-NI is significantly faster and requires less code. Furthermore, the BS-AES and VP-AES implementations are wired directly into EVP (as is AES-NI currently), which means that any consumers of the AES_* API are not able to benefit from acceleration. Removing these greatly simplifies the EVP AES code - if you just happen to have a CPU that supports SSSE3 but not AES-NI, then you'll now use the regular AES assembly implementations instead. ok kettenis@ tb@
2025-04-18  SSL_set_tlsext_host_name: as a setter it cannot take a const ssl  [tb, 1 file, -3/+3]
2025-04-18  Remove two unused defines, update standard reference  [tb, 1 file, -7/+3]
ok jsing
2025-04-18  Use 'ctx' for sha3_ctx variables, rather than the less readable 'c'.  [jsing, 2 files, -36/+36]
ok tb@
2025-04-18  Fix annoying whitespace  [tb, 4 files, -52/+52]
2025-04-18  Pull casts from void * to uint8_t * up to variables, rather than inline.  [jsing, 1 file, -9/+11]
ok tb@
2025-04-18  Use two temporary variables in sha3_keccakf(), rather than reusing bc[0].  [jsing, 1 file, -8/+8]
ok tb@
2025-04-18  Use crypto_rol_u64() instead of a separate ROTL64 define.  [jsing, 1 file, -5/+4]
ok tb@
2025-04-17  Use hyphenated spelling for the SHAs except for the API  [tb, 12 files, -41/+42]
The mix of SHA256 and SHA-256 is jarring, so use FIPS's spelling. Leave HMAC-SHA256 as it is and fix a nearby RIPEMD-160.
2025-04-14  Enable remaining tests with NULL, 0  [tb, 2 files, -9/+3]
Now that libc is fixed, we can do this also for md5, rmd160 and sha1.
2025-04-14  Link hash regress to build  [tb, 1 file, -1/+2]
2025-04-14  Add some regress coverage for the hashes in libc  [tb, 2 files, -0/+946]
Prompted by a pending diff by claudio
2025-04-14  Update openssl.1 for msie_hack removal  [tb, 1 file, -21/+4]
ok jmc jsing
2025-04-14  Remove openssl ca -msie_hack  [tb, 1 file, -31/+2]
The nineties called and wanted their garbage back. ok jsing
2025-04-13  parse_test_file()  [tb, 1 file, -1/+3]
gcc 14 needs a hint that ld != NULL beyond the use of ld->data in the previous line. I guess aggressive inlining is becoming too aggressive. What a pile of junk.
2025-04-13  Avoid compiler warning on some OS  [tb, 1 file, -1/+1]
Some OS declare arc4random() with __attribute__((warn_unused_result)) causing this test to whine. So explicitly ignore the return value. Reported by scheiba in libressl/portable. Fixes #1151
2025-03-28  x509_policy: zap an extra s  [tb, 1 file, -2/+2]
2025-03-28  x509_policy: certificats -> certificates  [tb, 1 file, -2/+2]
2025-03-28  typos: us -> is, te -> the (twice)  [tb, 1 file, -3/+3]
2025-03-28  typo: primtive -> primitive  [tb, 2 files, -4/+4]
2025-03-25  Fix RETURN VALUES for EVP_CIPHER_CTX_ctrl(3)  [tb, 1 file, -9/+4]
The current documentation was clearly incorrect since a return of -1 from the methods is explicitly intercepted and translated to 0. schwarze and I both audited the tree and concluded that only 0 and 1 is possible. OpenSSL 3 broke this API contract and now has explicit return -1 in the convoluted 200-line maze this simple function has become with recent provider improvements. So add a small sentence hinting at that. Nobody will be surprised to read that with OpenSSL's characteristic penchant for needless inconsistency the return value checks in their tree are all over the place and sometimes incorrect. ok schwarze (with two tweaks)
2025-03-24  Explicitly pass group generator to mul_double_nonct() from EC_POINT_mul().  [jsing, 4 files, -35/+33]
EC_POINT_mul() has a complex multi-use interface - there are effectively three different ways it will behave, depending on which arguments are NULL. In the case where we compute g_scalar * generator + p_scalar * point, the mul_double_nonct() function pointer is called, however only g_scalar, p_scalar and point are passed - it is expected that the lower level implementation (in this case ec_wnaf_mul()) will use the generator from the group. Change mul_double_nonct(), ec_mul_double_nonct() and ec_wnaf_mul() so that they take scalar1, point1, scalar2 and point2. This removes all knowledge of g_scalar and the generator from the multiplication code, keeping it limited to EC_POINT_mul(). While here also consistently pass scalar then point, rather than a mix of scalar/point and point/scalar. ok tb@
2025-03-24  Check group generator in EC_POINT_mul().  [jsing, 1 file, -1/+6]
When a non-NULL generator scalar is passed to EC_POINT_mul(), the group's generator will be used in multiplication. Add a check that ensures that the group generator is non-NULL, in order to avoid needing to handle this elsewhere (currently in the lower level point multiplication code). ok tb@
2025-03-20  Plug a memory leak in x509_name_encode()  [tb, 1 file, -2/+4]
This is nearly identical to a leak fixed by miod 10 years ago in x509_name_canon() but was missed in r1.30. This entire file needs a metric ton of bleach, but my head currently spins too much for tackling this, so go with the cheap one-liner. From Niels Dossche
2025-03-19  x509_param_set_hosts_internal: rename vpm to param for consistency  [tb, 1 file, -11/+11]
2025-03-19  X509_VERIFY_PARAM_lookup(): avoid passing stack garbage around  [tb, 1 file, -1/+2]
ok jsing
2025-03-19  Rename pm to param, fix the type of idx and unindent  [tb, 1 file, -8/+6]
ok jsing
2025-03-19  Introduce and use N_DEFAULT_VERIFY_PARAMS  [tb, 1 file, -6/+9]
ok jsing
2025-03-19  X509_VERIFY_PARAM_get0(): use consistent idiom for default_table access  [tb, 1 file, -2/+3]
ok jsing
2025-03-19  X509_VERIFY_PARAM_lookup(): remove unnecessary braces and add empty line  [tb, 1 file, -3/+3]
ok jsing
2025-03-19  X509_VERIFY_PARAM_get_count(): make NULL check explicit  [tb, 1 file, -2/+2]
ok jsing
2025-03-19  X509_VERIFY_PARAM_get0: avoid out of bounds access when id < 0  [tb, 1 file, -1/+5]
ok jsing
2025-03-19  Adjust x509_name_regress to the X509_NAME_print() fix in a_strex.c r1.38  [tb, 1 file, -15/+2]
2025-03-19  Fix traditional SSLeay X509_NAME printing  [tb, 1 file, -29/+1]
The gibberish that was there before the rewrite didn't actually skip names whose SN representation was different start with /O= or /OU= (with one or two capital letters between '/' and '='), it simply failed to separate them, resulting in nonsense such as CN=Microsec e-Szigno Root CA 2009/emailAddress=info@e-szigno.hu. So ditch the code doing that, simplifying this now internal function quite a bit. ok jsing
2025-03-18  save_index: fix some code quality issues  [tb, 1 file, -13/+16]
Error check BIO_new() both times it is used, drop unused j variable, error check BIO_printf() call and turn the whole thing into single exit. Prompted by a diff by Niels Dossche. ok jsing
2025-03-18  PKCS7_dataVerify(): zap offensive whitespace  [tb, 1 file, -2/+2]
2025-03-18  PKCS7_signatureVerify(): add missing free after EVP_VerifyUpdate()  [tb, 1 file, -2/+4]
From Niels Dossche
2025-03-17  apps.c: don't leak out in error path  [tb, 1 file, -1/+2]
From Niels Dossche
2025-03-16  Update cert.pem, ok sthen  [tb, 1 file, -215/+179]
Added to existing CA:
/C=DE/O=D-Trust GmbH/CN=D-TRUST BR Root CA 2 2023
/C=DE/O=D-Trust GmbH/CN=D-TRUST EV Root CA 2 2023
Added back:
/C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020
Deleted:
/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2015 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G4
/C=JP/O=Japan Certification Services, Inc./CN=SecureSign RootCA11
/C=JP/O=SECOM Trust Systems CO.,LTD./CN=Security Communication RootCA3
/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
2025-03-15  Rename a bunch of confusingly named variables  [tb, 1 file, -6/+6]
Variables of the type serialized or deserialized are called val_in or val_out in all other manuals, so align this page to using those rather than the confusing X509_CRL **der_out, etc.
2025-03-15  Add regress coverage for X509_NAME_oneline and X509_NAME_print  [tb, 2 files, -1/+314]
2025-03-14  const correct d2i_* prototypes  [tb, 4 files, -13/+13]
2025-03-13  minor libssl bump (SSL_OP_NO_RENEGOTIATION/SSL_OP_ALLOW_CLIENT_RENEGOTIATION)  [sthen, 2 files, -2/+2]
Code #ifdef'ing these and compiled with new headers won't work as expected on earlier libraries. Minor libtls bump to match libssl bump. ok tb@
2025-03-13  pkey_ec_derive: fix call to ECDH_compute_key()  [tb, 1 file, -2/+2]
The last argument is a pointer to the KDF, so use NULL, not 0.
2025-03-13  Simplify field and private key encoding  [tb, 1 file, -13/+3]
Reach into the group (p and order are always available) and use BN_num_bytes() rather than using clumsy and badly named API. It's shorter and more readable. ok jsing
2025-03-13  Make srtp.h self-standing by including ssl.h  [tb, 1 file, -1/+3]
ok miod
2025-03-12  Provide an accelerated SHA-512 assembly implementation for aarch64.  [jsing, 4 files, -2/+353]
This provides a SHA-512 assembly implementation that makes use of the ARM Cryptographic Extension (CE), which is found on many arm64 CPUs. This gives a performance gain of up to 2.5x on an Apple M2 (dependent on block size). If an aarch64 machine does not have SHA512 support, then we'll fall back to using the existing C implementation. ok kettenis@ tb@
2025-03-12  Test SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION.  [jsing, 1 file, -1/+56]
Extend renegotiation tests to cover SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION.
2025-03-12  Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION.  [jsing, 4 files, -6/+36]
In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an active connection (client initiated renegotiation). Then in May 2017 OpenSSL added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION warning alert if a server receives a ClientHello on an active connection (client initiated renegotiation), or a client receives a HelloRequest (server requested renegotiation). This option also causes calls to SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021, OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages (apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard). Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION, primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION ineffective. The rest of the behaviour should match OpenSSL, with the exception of ClientHellos triggering fatal alerts instead of warnings. ok tb@
2025-03-12  Use .arch rather than .cpu for sha2 instructions.  [jsing, 1 file, -2/+2]
We have code that targets a specific architecture level, hence .arch makes more sense here than .cpu. Suggested by kettenis@