| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
|
|
|
|
Use aes_encrypt_block128() instead of AES_encrypt(), avoiding risky casts.
|
|
There are no more consumers of crypto_cpu_caps_ia32(), so remove it.
ok bcook@ joshua@ tb@
|
|
Make aes_ecb_encrypt_internal() replaceable and provide machine dependent
versions for amd64 and i386, which dispatch to AES-NI if appropriate.
Remove the AES-NI specific EVP methods for ECB.
This removes the last of the machine dependent code from EVP AES.
ok bcook@ joshua@ tb@
|
|
The mode implementation for CCM has two variants - one takes the block
function, while the other takes a "ccm64" function. The latter is expected
to handle the lower 64 bits of the IV/counter but only for 16 byte blocks.
The AES-NI implementation for CCM currently uses the second variant.
Provide aes_ccm64_encrypt_internal() as a function that can be replaced on
a machine dependent basis, along with an aes_ccm64_encrypt_generic()
function that provides the default implementation and can be used as a
fallback. Wire up the AES-NI version for amd64 and i386, change EVP's
aes_ccm_cipher() to use CRYPTO_ctr128_{en,de}crypt_ccm64() with
aes_ccm64_encrypt_internal()) and remove the various AES-NI specific
EVP_CIPHER methods for CCM.
ok tb@
|
|
ok tb@
|
|
because PEM_X509_INFO_read(3) no longer exists.
Requested by tb@.
|
|
Shifting a signed int64_t into the sign bit is undefined behavior in C.
/dev/portable/crypto/curve25519/curve25519.c:3900:18: runtime error:
left shift of negative value -222076011
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /dev/portable
To avoid this, import int64_lshift21() from BoringSSL, a helper function
that casts the input to uint64_t before shifting and back to int64_t afterward.
This ensures defined behavior when shifting left by 21 bits, avoiding
undefined behavior in expressions like `carry << 21`.
This change addresses potential runtime issues detected by sanitizers
when shifting signed values with high bits set.
ok tb beck
|
|
|
|
|
|
|
|
because tb@ removed them from Symbols.list rev. 1.220 today.
|
|
At runtime, profiling data is stored per-thread. Upon termination, the
per-thread profiling data pools are merged into a into a single record,
which is then written out (using the new kernel-assisted system). I think
the original gmon merging parts may have come from or been inspired by
someone at NetBSD.
This has been delayed because there were concerns about adding a TLS object
which would require other library cranks, so this rides all the major cranks
today.
ok kettenis tb claudio sthen etc etc etc
|
|
|
|
Remove BIO_s_log(): already unhooked in portable, completely unused.
Remove X509_PKEY_new/free from public API. Remove PEM_X509_INFO_read()
PEM_X509_INFO_write_bio(): all unused garbage.
The simplify X509_PKEY_new/free was ok kenjiro.
|
|
libc/hidden/_stdio.h. All programs that refer to the internal
structure of the FILE object can't be compiled from now on.
std{in,out,err} doesn't refer __sF[] now, but the hidden __sF along
with __srget and __swbuf symbols are kept temporarily to make our
transition easier. But those symbols will be deleted soon. The shared
library versions are bumped for libc and all the other libraries that
refer to std{in,out,err}.
diff from guenther, tweak by me, tested by many
ok sthen tb
|
|
Provide aes_xts_encrypt_internal() and call that from aes_xts_cipher().
Have amd64 and i386 provide their own versions that dispatch to
aesni_xts_encrypt()/aesni_xts_decrypt() as appropriate. The
AESNI_CAPABLE code and methods can then be removed.
ok tb@
|
|
__cmtx provides mutual exclusion using futex(2) and cas on archs
that support it, or _spinlocks on the rest. __rcmtx is a recursive
mutex built on top of __cmtx, so it inherits the use of futex and
cas/spinlock from __cmtx.
until now the options we had for locking between threads in libc
were spinlocks or pthread mutexes. spinlocks use sched_yield to
relax if they have to spin on a contended lock, which we are trying
to minimise the use of as much as possible. pthread_mutex is
relatively large in memory and offers a lot of complicated features
which are unecessary for most of libc. the non cas/futex version
of pthread_mutexes currently relies on __thrsleep and __thrwakeup,
which we also want to deprecate.
having a small futex based lock available everywhere will help us
move away from overuse of spinlocks, and deprecate __thrsleep and
__thrwakeup.
ok kettenis@
jca@ provided his eyes too.
|
|
It looks like those can be unexported.
|
|
X509_INFO_new() isn't used directly outside of this file, so this is a bit
tidier.
|
|
|
|
|
|
|
|
Check X509_ALGOR_cmp() explicitly against 0 and add an explanatory comment
referring to the relevant RFC 5280 sections.
ok beck kenjiro
|
|
When fixing CVE-2014-8275 in commit 684400ce, Henson added a check
that the AlgorithmIdentifier in the certificate's signature matches
the one in the tbsCertificate. A corresponding check for CRLs was
missed. BoringSSL added such a check in 2022, so this should be fine
for us to do as well even though OpenSSL still doesn't have it. The
only caller will set an error on the stack, so we don't do it here.
There's no obvious check that X509_REQ_verify() could do.
ok beck kenjiro
|
|
|
|
While it may be acceptable for Go to fill regular users' homedirs with a
compiler cache that is unable to deal with corruption and full disks,
this is terrible for people running regress as root since the cache can
quickly grow to hundreds of megs and can thus result in all sorts hilarity
below /root. Move the GOCACHE under ${.OBJDIR} and use a cleanup target to
get rid of it again. This makes these tests a bit slower for regular users
as well, but so be it. Let's see how this goes before I switch libtls to
the same model.
discussed with claudio and jsing
|
|
OK tb@ and no objection from tedu@
|
|
|
|
These annoying and careless inconsistencies were introduced when const
was sprinkled everywhere without rhyme or reason.
|
|
|
|
|
|
fixes in particular ./check_complete.pl pkcs7
|
|
|
|
These are safe to call concurrently and they don't modify the memory
region pointed to by the pkey - they only bump the refcount of the
key hanging off of it. The returned "legacy" key has to be handled with
care in threaded constexts, so it is handed back as non-const. This also
matches what EVP_PKEY_get0() always had.
This way our signature is identical to BoringSSL's and doesn't cause
compiler warnings in code that overuses const because one of the many
API incoherencies added by OpenSSL 3 was to turn get0 into a function
that takes and returns const while leaving get1 as it was.
dlg agrees
ok kenjiro
|
|
These have been taking a const pkey ever since they were added in
OpenSSL 1.0.0.
|
|
While EVP_CIPHER_CTX_ctrl() can return a negative value this can't
actually happen currently as all ciphers with EVP_CIPH_CTRL_INIT set
normalize the EVP_CTRL_INIT return value to boolean in their ctrl()
methods. Still, this check looks weird in grep, so align it.
ok beck kenjiro
|
|
ok job kenjiro
|
|
issuerUID and subjectUID are a curiosity introduced in X.509v2 before
extensions were a thing. Their purpose is to help distinguishing certs
with identical subject. They are rarely used and are MUST NOT use in
the CA/BF baseline requirements. They do occasionally show up in test
certificates and it is confusing that openssl x509 silently ignores
them. Their encoding also makes them relatively hard to spot in the
output of asn1 parsing tools.
The output is identical to OpenSSL < 3 and BoringSSL, but due to some
weird tweaks added leading up to OpenSSL 3 their output is no longer
compatible with that. It is not entirely correct anyway. Since it is
a (not further specified) bit string, you shouldn't be ignoring its
unused bits...
The X509_FLAG_NO_IDS flag has no effect for CSRs.
discussed with beck
ok job kenjiro (on an earlier version)
|
|
|
|
this drives me nuts when i want to print something out of what's already
const. casting it works, but feels gross.
ok guenther@ tb@ deraadt@
enh says this is already in bionic/glibc/musl
|
|
Provide an assembly implementation of SHA-1 for aarch64 using the ARM
Cryptographic Extension (CE). This results in around a 2x speed up for
larger block sizes.
ok tb@
|
|
Provide gcm128_amd64.c and gcm128_i386.c, which contain the appropriate
gcm128 initialisation and CPU feature tests for the respective platform.
This allows for all of the #define spagetti to be removed from gcm128.c
and removes one of the two remaining consumers of crypto_cpu_caps_ia32().
ok tb@
|
|
Since we always initialise the gmult/ghash function pointers, use the same
implementaion of gcm_mul() and gcm_ghash(), regardless of the actual
underlying implementation.
ok tb@
|
|
|
|
ok tb@
|
