| Commit message (Collapse) | Author | Files | Lines |
|---|
|
There's nothing really wrong here (at least when compared to the rest of
this file an hour or so ago), but we can make this look somewhat more like
code. That there's no bug here is not really related to the fact that it's
an add1 function, not an add0 one. In fact, it's kind of surprising that
the author had an uncharacteristic moment of lucidity and remembered to
free the last argument passed to PKCS7_add_signed_attribute() on failure.
ok kenjiro
|
|
Since we finally found a use for i2d_X509_ALGORS(), make use of its
sibling here. This avoids some ridiculous contortions in not quite
peak muppet code (obviously this was a first test run for the grand
finale in CMS).
ok kenjiro
|
|
set0/add0 functions that can fail are the worst. Without fail this trips
up both users and authors (by and large these are two identical groups
consisting of a single person), resulting in leaks and double frees.
In today's episode of spelunking in the gruesome gore provided by the
PKCS#7 and Time-Stamp protocol "implementations", we fix a couple of
leaks in PKCS7_add_attrib_smimecap() and ESS_add_signing_cert().
We do so by recalling that there is i2d_X509_ALGORS(), so we might
as well put it to use instead of inlining it poorly (aka, without
error checking). Normalize said error checking and ensure ownership
is handled correctly in the usual single-exit idiom.
ESS_add_signing_cert() can also make use of proper i2d handling, so
it's simpler and correct and in the end looks pretty much the same
as PKCS7_add_attrib_smimecap().
ok kenjiro
|
|
|
|
|
|
Given that RFC 5652 does not override the earlier (and simpler)
standards but instead strives to remain compatible, referencing
both the original and the latest versions seems helpful.
OK tb@
|
|
This will allow us to call certhash_directory with other digests as
required to implement the openssl rehash command, which uses SHA1 or MD5.
ok jsing tb
|
|
This is no longer used in the DES code.
ok tb@
|
|
Use a slightly unrolled loop, which gets us half way between DES_UNROLL and
no DES_UNROLL. While we're not terribly concerned by DES performance, this
gets us a small gain on aarch64 and a small loss on arm. But above all, we
end up with simpler code.
ok tb@
|
|
Why have seven lines if you can have 30...
tweak/ok kenjiro
|
|
Document the change of behavor from pk7_attr.c r1.17: the time is now
validated to be in correct RFC 5280 time format.
ok kenjiro
|
|
If the caller passes in NULL, helpfully a new ASN1_TIME is allocated
with X509_gmtime_adj() and leaked if PKCS7_add0_attrib_signing_time()
fails afterward. Fix this. Also don't blindly set the signing time to
a UTCTime. Validate the usual RFC 5280 format before setting it, as
that's what RFC 5652, section 11.3 mandates.
ok kenjiro
|
|
This little gem has a number of issues.
On failure, the caller can't know whether ownership of value was taken
or not, so to avoid a double free, the only option is to leak value on
failure. As X509_ATTRIBUTE_create() takes ownership on success, this
call must be the last one that can fail. This way ownership is only
taken on success.
Next, if X509_ATTRIBUTE_create() fails in the case that the input stack
already contains an attribute of type nid, that attr is freed and the
caller freeing the stack with pop_free() will double free.
So, rework this in a few ways. Make this transactional, so we don't fail
with a modified *in_sk, so work with a local sk as usual. Then walk the
stack and see if we have an attribute with the appropriate nid already.
If not, make sure there's room to place the new attribute. Create the
new attribute, free the old attribute if necessary and replace it with
the new one. Finally assign the local sk to *in_sk and return success.
On error unwind all we did.
The behavior now matches OpenSSL 3's new behavior, except that we don't
leave an empty stack around on error.
ok kenjiro
|
|
|
|
These have been ineffective since r1.19 of bn.h, when BN_LLONG/BN_ULLONG
defines/undefs were added based on _LP64.
ok tb@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Use aes_encrypt_block128() instead of AES_encrypt(), avoiding risky casts.
|
|
There are no more consumers of crypto_cpu_caps_ia32(), so remove it.
ok bcook@ joshua@ tb@
|
|
Make aes_ecb_encrypt_internal() replaceable and provide machine dependent
versions for amd64 and i386, which dispatch to AES-NI if appropriate.
Remove the AES-NI specific EVP methods for ECB.
This removes the last of the machine dependent code from EVP AES.
ok bcook@ joshua@ tb@
|
|
The mode implementation for CCM has two variants - one takes the block
function, while the other takes a "ccm64" function. The latter is expected
to handle the lower 64 bits of the IV/counter but only for 16 byte blocks.
The AES-NI implementation for CCM currently uses the second variant.
Provide aes_ccm64_encrypt_internal() as a function that can be replaced on
a machine dependent basis, along with an aes_ccm64_encrypt_generic()
function that provides the default implementation and can be used as a
fallback. Wire up the AES-NI version for amd64 and i386, change EVP's
aes_ccm_cipher() to use CRYPTO_ctr128_{en,de}crypt_ccm64() with
aes_ccm64_encrypt_internal()) and remove the various AES-NI specific
EVP_CIPHER methods for CCM.
ok tb@
|
|
ok tb@
|
|
because PEM_X509_INFO_read(3) no longer exists.
Requested by tb@.
|
|
Shifting a signed int64_t into the sign bit is undefined behavior in C.
/dev/portable/crypto/curve25519/curve25519.c:3900:18: runtime error:
left shift of negative value -222076011
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /dev/portable
To avoid this, import int64_lshift21() from BoringSSL, a helper function
that casts the input to uint64_t before shifting and back to int64_t afterward.
This ensures defined behavior when shifting left by 21 bits, avoiding
undefined behavior in expressions like `carry << 21`.
This change addresses potential runtime issues detected by sanitizers
when shifting signed values with high bits set.
ok tb beck
|
|
|
|
|
|
|
|
because tb@ removed them from Symbols.list rev. 1.220 today.
|
|
At runtime, profiling data is stored per-thread. Upon termination, the
per-thread profiling data pools are merged into a into a single record,
which is then written out (using the new kernel-assisted system). I think
the original gmon merging parts may have come from or been inspired by
someone at NetBSD.
This has been delayed because there were concerns about adding a TLS object
which would require other library cranks, so this rides all the major cranks
today.
ok kettenis tb claudio sthen etc etc etc
|
|
|
|
Remove BIO_s_log(): already unhooked in portable, completely unused.
Remove X509_PKEY_new/free from public API. Remove PEM_X509_INFO_read()
PEM_X509_INFO_write_bio(): all unused garbage.
The simplify X509_PKEY_new/free was ok kenjiro.
|
|
libc/hidden/_stdio.h. All programs that refer to the internal
structure of the FILE object can't be compiled from now on.
std{in,out,err} doesn't refer __sF[] now, but the hidden __sF along
with __srget and __swbuf symbols are kept temporarily to make our
transition easier. But those symbols will be deleted soon. The shared
library versions are bumped for libc and all the other libraries that
refer to std{in,out,err}.
diff from guenther, tweak by me, tested by many
ok sthen tb
|
|
Provide aes_xts_encrypt_internal() and call that from aes_xts_cipher().
Have amd64 and i386 provide their own versions that dispatch to
aesni_xts_encrypt()/aesni_xts_decrypt() as appropriate. The
AESNI_CAPABLE code and methods can then be removed.
ok tb@
|
|
__cmtx provides mutual exclusion using futex(2) and cas on archs
that support it, or _spinlocks on the rest. __rcmtx is a recursive
mutex built on top of __cmtx, so it inherits the use of futex and
cas/spinlock from __cmtx.
until now the options we had for locking between threads in libc
were spinlocks or pthread mutexes. spinlocks use sched_yield to
relax if they have to spin on a contended lock, which we are trying
to minimise the use of as much as possible. pthread_mutex is
relatively large in memory and offers a lot of complicated features
which are unecessary for most of libc. the non cas/futex version
of pthread_mutexes currently relies on __thrsleep and __thrwakeup,
which we also want to deprecate.
having a small futex based lock available everywhere will help us
move away from overuse of spinlocks, and deprecate __thrsleep and
__thrwakeup.
ok kettenis@
jca@ provided his eyes too.
|
|
It looks like those can be unexported.
|
|
X509_INFO_new() isn't used directly outside of this file, so this is a bit
tidier.
|
|
|
|
|
|
|
|
Check X509_ALGOR_cmp() explicitly against 0 and add an explanatory comment
referring to the relevant RFC 5280 sections.
ok beck kenjiro
|
|
When fixing CVE-2014-8275 in commit 684400ce, Henson added a check
that the AlgorithmIdentifier in the certificate's signature matches
the one in the tbsCertificate. A corresponding check for CRLs was
missed. BoringSSL added such a check in 2022, so this should be fine
for us to do as well even though OpenSSL still doesn't have it. The
only caller will set an error on the stack, so we don't do it here.
There's no obvious check that X509_REQ_verify() could do.
ok beck kenjiro
|
|
|
|
While it may be acceptable for Go to fill regular users' homedirs with a
compiler cache that is unable to deal with corruption and full disks,
this is terrible for people running regress as root since the cache can
quickly grow to hundreds of megs and can thus result in all sorts hilarity
below /root. Move the GOCACHE under ${.OBJDIR} and use a cleanup target to
get rid of it again. This makes these tests a bit slower for regular users
as well, but so be it. Let's see how this goes before I switch libtls to
the same model.
discussed with claudio and jsing
|
|
OK tb@ and no objection from tedu@
|
|
|
|
These annoying and careless inconsistencies were introduced when const
was sprinkled everywhere without rhyme or reason.
|
