| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
Most of these are one line wrappers around methods implemented in rsa_eay.c
by default.
|
| | |
|
| | |
|
| |
|
|
| |
discussed with jsing
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Make this look a bit more like other code we cleaned up avoiding nesting
and unnecessary else branches.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
RSA is pretty bad. In my most optimistic moments I dream of a world that
stopped using it. That won't happen during my lifetime, unfortunately.
Blinding is one way of making it a little less leaky. Unfortunately this
side-channel leak mitigation leaked out of the library for no good reason.
Let's at least fix that aspect of it.
ok jsing
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
Rename all of the RSA_eay_* functions to rsa_*, as well as changing the
method name (and naming). Reorder things slightly so that we can remove
all of the prototypes for static functions.
ok tb@
|
| |
|
|
|
|
|
| |
This removes lots of silly buffers and will allow us to make this API
go away.
ok jsing
|
| |
|
|
|
|
| |
Prompted by a report by Steffen Ullrich on libressl@openbsd.org
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
This makes the custom stalt stack work again.
Tested by robert as part of a larger diff
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
Nothing should be using this anymore, except that salt decided to use
it in its home-cooked protocol, which already had its share of issues.
Hopefully the efforts to switch salt to something more reasonable and
standardized like mTLS will succeed sooner rather than later.
tested as part of a larger patch by robert
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
from jsing
|
| |
|
|
| |
Requested by jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Some headers were included conditionally on OPENSSL_NO_DEPRECATED in hopes
that eventually the mess of everything includes everything will magically
resolve itself. Of course everyone would end up building openssl with
OPENSSL_NO_DEPRECATED over time... Right.
Surprisingly, the ecosystem has come to rely on these implicit inclusions,
so about two dozen ports would fail to build because of this. Patching this
would be easy but really not worth the effort.
ok jsing
|
| |
|
|
|
|
|
|
| |
This isolates the three API functions from the library so they can be
easily removed and any attempt to use RSA_X931_PADDING mode will now
result in an error.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
This wraps the three public functions in the usual #if stanza.
RSA_X931_PADDING is unfortunately exposed by rust-openssl and erlang.
Therefore it will remain visible to avoid breaking the build of
lang/rust. Its use in the library will be neutered shortly.
ok jsing
|
| | |
|
| |
|
|
| |
(experts disagree whether they ever did)
|
| |
|
|
| |
Discussed with jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Geoff Thorpe added OPENSSL_NO_DEPRECATED nearly two decades ago. The hope
was that at some point some functions can be dropped. Most of the functions
marked deprecated are actually unused nowadays but unfortunately some of
them are still used in the ecosystem. Move them out of OPENSSL_NO_DEPRECATED
so we can define it without breaking the consumers in the next bump.
ERR_remove_state() is still used by a dozen or so ports. This isn't a big
deal since it is just a stupid wrapper for the not quite as deprecated
ERR_remove_thread_state(). It's not worth patching these ports.
Annoyingly, {DH,DSA}_generate_parameters() and RSA_generate_key() are still
used. They "make use" of the old-style BN_GENCB callback, which is therefore
more difficult to remove - in case you don't know know: that's the thing
responsible for printing pretty '.', '+' and '*' when you generate keys.
Most annoyingly, DH_generate_parameters() was added to rust-openssl in 2020
for "advanced DH support". This is very unfortunate since cargo bundles a
rust-openssl and updates it only every few years or so. As a consequence
we're going to be stuck with this nonsense for a good while.
ok beck jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As observed by Bernd Edlinger, the main part of the RSA timing leak that was
recently made public is that the initial blinding isn't done with Montgomery
exponentiation but rather with plain exponentiation.
Pull up the initialization of the cached Montgomery context to ensure we use
Montgomery exponentiation. Do this for private_{de,en}crypt(). Interestingly,
the latter was fixed in OpenSSL a while ago by Andy Polyakov as part of the
"smooth CRT-RSA" addition.
If this code was anything but completely insane this would never have been
an issue in the first place. But it's libcrypto...
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
This is needed for many reasons. It is currently pulled in via x509.h
but only when OPENSSL_NO_DEPRECATED is undefined. Again this should be
fixed in the public header as well.
|
| | |
|
| |
|
|
|
|
|
| |
BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly
instead.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
RSA_public_decrypt() returns <= 0 on error. Assigning to a size_t and
checking for == 0 is not the right thing to do here. Neither is blindly
turning the check into <= 0...
Found by Niels Dossche
ok jsing
|
| |
|
|
|
|
|
| |
i removed the arithmetics -> arithmetic changes, as i felt they
were not clearly correct
ok tb
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook
|
| | |
|
| |
|
|
|
| |
Found with CodeChecker
feedback and ok tb@
|
| |
|
|
|
|
|
| |
This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
| |
|
|
|
|
|
| |
These are mostly security-level related, but there are also ASN1_TIME
and ASN_INTEGER functions here, as well as some missing accessors.
ok jsing
|
| |
|
|
| |
pointed out by jsing
|
| |
|
|
|
|
|
| |
This also provides a pkey_security_bits member to the PKEY ASN.1 methods
and a corresponding setter EVP_PKEY_asn1_set_security_bits().
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
|
|
|
| |
This only occurs on very small payloads and tightly allocated buffers
that don't usually occur in practice.
This is OpenSSL f61c6804
ok inoguchi jsing
|
| |
|
|
| |
ok jsing@ millert@ tb@
|
| |
|
|
|
|
| |
CID 24839
ok jsing@ millert@ tb@
|
| |
|
|
|
|
|
| |
Move the struct internals to rsa_locl.h and provide a missing
typedef in ossl_typ.h.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
| |
This removes NETSCAPE_X509, NETSCAPE{,_ENCRYPTED}_PKEY, RSA_NET,
Netscape_RSA things. Some of the nasty tentacles that could go in
principle are used in some test suites, so we need to keep them...
All this was removed as part of OpenSSL commit 0bc2f365.
ok inoguchi jsing
|
| |
|
|
|
| |
This marks the start of major surgery in libcrypto. Do not attempt to
build the tree for a while (~50 commits).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows checking the validity of an EVP_PKEY. Only RSA and EC keys
are supported. If a check function is set the EVP_PKEY_METHOD, it will
be used, otherwise the check function on the EVP_PKEY_ASN1_METHOD is
used. The default ASN.1 methods wrap RSA_check_key() and
EC_KEY_check_key(), respectively.
The corresponding setters are EVP_PKEY_{asn1,meth}_set_check().
It is unclear why the PKEY method has no const while the ASN.1 method
has const.
Requested by tobhe and used by PHP 8.1.
Based on OpenSSL commit 2aee35d3
ok inoguchi jsing
|
