| Commit message (Collapse) | Author | Files | Lines |
|---|
|
These were previously called by GF2m code and are no longer used.
Also remove ec_pre_comp_new(), since it is only called by
ec_wNAF_precompute_mult() and is now unused.
ok tb@
|
|
At least one of our bn_mul_words() assembly implementation fails to handle
n = 0 correctly... *sigh*
|
|
|
|
This removes a data dependent timing path from BN_sqr().
ok tb@
|
|
Rework bn_sqr()/bn_sqr_normal() so that it is less convoluted and more
readable. Instead of recomputing values that the caller has already
computed, pass it as an argument. Avoid branching and remove duplication
of variables. Consistently use a_len and r_len naming for lengths.
ok tb@
|
|
|
|
|
|
Historically (and currently in OpenSSL), BN_asc2bn() could be called with
NULL, but only for positive numbers. So BN_asc2bn(NULL, "1") would succeed
but BN_asc2bn(NULL, "-1"), would crash. The other *2bn functions return a
length, so accepting a NULL makes some sense since it allows callers to
skip over part of the string just parsed (atoi-style).
For BN_asc2bn() a NULL bn makes no sense because it returns a boolean. The
recent CBS rewrite makes BN_asc2bn(NULL, *) always crash which in turn made
Coverity throw a fit.
Another change of behavior from that rewrite pertains to accidents (or is
it madness?) like -0x-11 and 0x-11 being parsed as decimal -17 (which Ingo
of course spotted and diligently documented). This will be addressed later.
ok jsing
|
|
Purely cosmetic change taking into account the fact that this function
returns a length rather than a boolean. This is the last offender in the
library.
ok jsing
|
|
It returns a length, not a Boolean, so check for 0 explicitly. This is
purely cosmetic.
ok jsing
|
|
|
|
This file is already enough of an eyesore without them.
|
|
__builtin_return_address(a) with a != 0.
|
|
|
|
ok deraadt@
|
|
|
|
On some architectures, we can provide an optimised (often single
instruction) count-leading-zero implementation. In order to do this
effectively, provide bn_clzw() as a static inline that can be replaced
by an architecture specific version. The default implementation defers
to the bn_word_clz() function (which may also be architecture specific).
ok tb@
|
|
Provide bn_bitsize(), which performs a constant time scan of a BN in order
to determine the bit size of the BN value. Use this for BN_num_bits() such
that it is no longer dependent on the bn->top value.
ok tb@
|
|
Test BN_sqr() with a newly allocated BN, a BN explicitly set to zero and
small values that fit in a single BN_ULONG.
|
|
Currently BN_hex2bn() removes the leading zeros, however this will not be
the case in the future.
|
|
Currently BN_hex2bn() removes the leading zeros, however this will not be
the case in the future.
|
|
The various checks of the cofactor to be set in EC_GROUP_set_generator()
are a bit all over the place. Move them into a single function and clean
things up a little. Instead of calculating directly with the cofactor
member of the group, use a temporary variable and copy this variable only
if all tests passed. In cryptographic contexts the cofactor almost always
fits if not into a single byte then into a word, so copying is cheap.
Also streamline the computations a bit and remove some binary curve
contortions.
ok jsing
|
|
Only allow version v1-v3, disallow issuerUID and subjectUID in v1 certs
and require that if X509v3 extensions are present that the cert be v3.
Initial diff from job
ok job jsing
|
|
Requested by jsing
|
|
int_ctx_new() is a bad, generic, nondescriptive name.
requested by jsing
|
|
Compare explicitly against NULL, ensure the engine is always finished on
error, switch to using calloc() instead of malloc() + forgetting to set
some members to 0, use EVP_PKEY_up_ref() and also use pkey_ctx instead of
ret for the newly created EVP_PKEY_CTX.
ok jsing
|
|
Explicitly check against NULL, replace malloc() plus manual zeroing with
calloc(). Use EVP_PKEY_up_ref() rather than handrolling it and use a more
normal error idiom.
There still seems to be a bug in here in that the ENGINE's refcount isn't
bumped, but that will be investigated and fixed separately.
ok jsing
|
|
|
|
|
|
|
|
|
|
|
|
These functions are properly documented and upcoming surgery in here is
going to be tricky enough without having to navigate around this noise.
No code change.
|
|
... because RSA_meth_new() doesn't. So we can fortunately lose a few lines
added in the previous commit. Three cheers for the masters of inconsistency.
ok jsing
|
|
Previously, we would set the ECDSA_METHOD on the EC_KEY, which, by way
of lovely indirection in our three crypto/ec* directories ended up having
no effect on the default methods. Now that we set a new EC_KEY_METHOD, we
need to make sure we still have the other handlers that we might need.
Like so many things that were made opaque in the 1.1 re"design", the
accessors were written without actual application code in mind. In
particular, EC_KEY_METHOD lacks a dup(). This means we get to fetch the
default methods with getters and then set them again on the new method.
This is particularly awesome because once someone adds a new method to
the opaque struct, all applications will have to adapt and do a get/set
dance.
So far this is very reminiscent of PostgreSQL with BIO_meth_*
https://github.com/postgres/postgres/blob/a14e75eb0b6a73821e0d66c0d407372ec8376105/src/interfaces/libpq/fe-secure-openssl.c#L1921-L1928
Only it's worse here because someone wanted to be smart and save a few
public functions, so we have to use getters that get several functions
at once. Which in turn means we need to have function pointers with the
precise signatures which are part of the struct that was made opaque.
We will add a EC_KEY_METHOD_dup() in the next bump, but for now this is
the best fix we can have.
Whenever you think you've seen the worst turds in this code base, you find
another one that could serve as an exemplar.
ok jsing op
|
|
Since libtls now sets the ex_data with EC_KEY_set_ex_data(), the do_sign()
callback needs to have a matching change.
ok jsing op
|
|
smtpd and the bits it needs in libtls are the only consumer left of
ECDSA_METHOD, which is long deprecated. This paves the way for the
removal in libcrypto.
The diff is from gilles' work on OpenSMTPD-portable, libretls had a
similar diff.
ok tb@, jsing@
|
|
This provides significant performance gains for bn_sqr_comba4() and
bn_sqr_comba8().
|
|
Factor out and optimise the inner loop for Montgomery multiplication,
making use of bn_qwmulw_addqw_addw() to perform Montgomery multiplication
by one word in larger steps. This provides a significant performance gain,
especially on platforms where bn_qwmulw_addqw_addw() is (or can be)
optimised.
ok tb@
|
|
Mixing SSL_{get,set}_ex_data() and and SSL_{get,set}_app_data() in the
same application causes problems since they both place their data at
the same spot.
From Marc Aldorasi
ok jsing
|
|
ok jsing
|
|
|
|
ok jsing
|
|
(this and the Ed25519 addition to obj_xref.txt were ok jsing)
|
|
Also move part of for RSA-PSS to the top since it doesn't only apply to
RSA-PSS.
|
|
Switch to using EVP_DigestVerify(). Move the freeing of in where it
belongs (previously it would leak on EVP_DigestVerifyUpdate() failure),
and use the proper idiom for ASN1_item_i2d() error checking.
ok jsing
|
|
|
|
Rename buf_in into in, buf_out into out, use in_len and out_len for their
lengths, drop a couple of silly casts and remove some empty lines.
ok jsing
|
|
This makes this function work with Ed25519 and cleans up a handful of
ugly contortions: use EVP_DigestSign() to determine the signature length
instead of using the strange EVP_PKEY_size() and garbage collect the now
useless out_len. Also use calloc().
ok jsing
|
|
Also move the NULL check for the EVP_MD into the rv == 2 path, which
is the only branch where it is used.
ok jsing
|
