| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Use bn_{mul,sqr}_comba{4,6,8}() and bn_montgomery_reduce_words() for
specific input sizes. This is significantly faster than using
bn_montgomery_multiply_words().
ok tb@
|
|
This allows for fast squaring of a 6 word array.
ok tb@
|
|
This allows for fast multiplication of two 6 word arrays.
ok tb@
|
|
This makes it consistent with bn_sqr_comba{4,8}() and simplifies an
upcoming change.
ok tb@
|
|
Sort HISTORY chronologically.
No text change.
|
|
|
|
reset on exec as preserving it across exec is not necessary for its
original purpose and has security and usability concerns.
Many thanks to Ricardo Branco (rbranco (at) suse.de) who did an
independent implementation, caught that /dev/fd/* needed to be
handled, and provided a port of the illumos test suite. Thanks
to tb@ for assistance with that.
ok deraadt@
|
|
the flockfile implementation in thread/rthread_file.c used an
external lock, and associated it with the relevant FILE * as needed.
this isn't great for a lot of reasons, complexity being the big
one, but the straw that broke the camels back is that it uses a
single spinlock to coordinate all of this, which in turn generates
a lot of sched_yield syscalls.
this avoids all the code complexity and the spinlock by just embedding
a small __rctmx in every FILE.
tested by and ok tb@ jca@
ok claudio@
|
|
Replace simplistic non-constant time scalar multiplication with a constant
time version. This is actually faster since we compute multiples of the
point, then double four times and add once. The multiple to add is selected
conditionally, ensuring that the access patterns remain the same regardless
of value.
Inspired by Go's scalar multiplication code.
ok tb@
|
|
|
|
|
|
ri is an int, so the check relied on signed overflow (UB). It's not really
reachable, but shrug.
reported by smatch via jsg
ok beck jsing kenjiro
|
|
Reported by smatch via jsg.
ok beck jsing kenjiro
|
|
This provides benchmarking for EC_POINT_add(), EC_POINT_dbl() and
EC_POINT_mul()'s scalar * generator path.
|
|
For now this still calls bn_montgomery_multiply_words(), however it can
be optimised further in the future.
|
|
ok tb@
|
|
Provide a ec_field_element_select() function that allows for constant time
conditional selection between two EC_FIELD_ELEMENTs. This will become a
building block for constant time point multiplication.
ok tb@
|
|
This depends on the illumos-os-tests port I just imported and can be
linked to the build once guenther lands the close-on-fork diff.
Adapted from an initial diff by Ricardo Branco
|
|
|
|
This is nearly identical to CMS_add_simple_smimecap(). We can reuse
its doc comment mutatis mutandis and use the same construction.
Maybe this wants deduplicating. Maybe not.
ok kenjiro
|
|
There's nothing really wrong here (at least when compared to the rest of
this file an hour or so ago), but we can make this look somewhat more like
code. That there's no bug here is not really related to the fact that it's
an add1 function, not an add0 one. In fact, it's kind of surprising that
the author had an uncharacteristic moment of lucidity and remembered to
free the last argument passed to PKCS7_add_signed_attribute() on failure.
ok kenjiro
|
|
Since we finally found a use for i2d_X509_ALGORS(), make use of its
sibling here. This avoids some ridiculous contortions in not quite
peak muppet code (obviously this was a first test run for the grand
finale in CMS).
ok kenjiro
|
|
set0/add0 functions that can fail are the worst. Without fail this trips
up both users and authors (by and large these are two identical groups
consisting of a single person), resulting in leaks and double frees.
In today's episode of spelunking in the gruesome gore provided by the
PKCS#7 and Time-Stamp protocol "implementations", we fix a couple of
leaks in PKCS7_add_attrib_smimecap() and ESS_add_signing_cert().
We do so by recalling that there is i2d_X509_ALGORS(), so we might
as well put it to use instead of inlining it poorly (aka, without
error checking). Normalize said error checking and ensure ownership
is handled correctly in the usual single-exit idiom.
ESS_add_signing_cert() can also make use of proper i2d handling, so
it's simpler and correct and in the end looks pretty much the same
as PKCS7_add_attrib_smimecap().
ok kenjiro
|
|
|
|
|
|
Given that RFC 5652 does not override the earlier (and simpler)
standards but instead strives to remain compatible, referencing
both the original and the latest versions seems helpful.
OK tb@
|
|
This will allow us to call certhash_directory with other digests as
required to implement the openssl rehash command, which uses SHA1 or MD5.
ok jsing tb
|
|
This is no longer used in the DES code.
ok tb@
|
|
Use a slightly unrolled loop, which gets us half way between DES_UNROLL and
no DES_UNROLL. While we're not terribly concerned by DES performance, this
gets us a small gain on aarch64 and a small loss on arm. But above all, we
end up with simpler code.
ok tb@
|
|
Why have seven lines if you can have 30...
tweak/ok kenjiro
|
|
Document the change of behavor from pk7_attr.c r1.17: the time is now
validated to be in correct RFC 5280 time format.
ok kenjiro
|
|
If the caller passes in NULL, helpfully a new ASN1_TIME is allocated
with X509_gmtime_adj() and leaked if PKCS7_add0_attrib_signing_time()
fails afterward. Fix this. Also don't blindly set the signing time to
a UTCTime. Validate the usual RFC 5280 format before setting it, as
that's what RFC 5652, section 11.3 mandates.
ok kenjiro
|
|
This little gem has a number of issues.
On failure, the caller can't know whether ownership of value was taken
or not, so to avoid a double free, the only option is to leak value on
failure. As X509_ATTRIBUTE_create() takes ownership on success, this
call must be the last one that can fail. This way ownership is only
taken on success.
Next, if X509_ATTRIBUTE_create() fails in the case that the input stack
already contains an attribute of type nid, that attr is freed and the
caller freeing the stack with pop_free() will double free.
So, rework this in a few ways. Make this transactional, so we don't fail
with a modified *in_sk, so work with a local sk as usual. Then walk the
stack and see if we have an attribute with the appropriate nid already.
If not, make sure there's room to place the new attribute. Create the
new attribute, free the old attribute if necessary and replace it with
the new one. Finally assign the local sk to *in_sk and return success.
On error unwind all we did.
The behavior now matches OpenSSL 3's new behavior, except that we don't
leave an empty stack around on error.
ok kenjiro
|
|
|
|
These have been ineffective since r1.19 of bn.h, when BN_LLONG/BN_ULLONG
defines/undefs were added based on _LP64.
ok tb@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Use aes_encrypt_block128() instead of AES_encrypt(), avoiding risky casts.
|
|
There are no more consumers of crypto_cpu_caps_ia32(), so remove it.
ok bcook@ joshua@ tb@
|
|
Make aes_ecb_encrypt_internal() replaceable and provide machine dependent
versions for amd64 and i386, which dispatch to AES-NI if appropriate.
Remove the AES-NI specific EVP methods for ECB.
This removes the last of the machine dependent code from EVP AES.
ok bcook@ joshua@ tb@
|
|
The mode implementation for CCM has two variants - one takes the block
function, while the other takes a "ccm64" function. The latter is expected
to handle the lower 64 bits of the IV/counter but only for 16 byte blocks.
The AES-NI implementation for CCM currently uses the second variant.
Provide aes_ccm64_encrypt_internal() as a function that can be replaced on
a machine dependent basis, along with an aes_ccm64_encrypt_generic()
function that provides the default implementation and can be used as a
fallback. Wire up the AES-NI version for amd64 and i386, change EVP's
aes_ccm_cipher() to use CRYPTO_ctr128_{en,de}crypt_ccm64() with
aes_ccm64_encrypt_internal()) and remove the various AES-NI specific
EVP_CIPHER methods for CCM.
ok tb@
|
|
ok tb@
|
|
because PEM_X509_INFO_read(3) no longer exists.
Requested by tb@.
|
|
Shifting a signed int64_t into the sign bit is undefined behavior in C.
/dev/portable/crypto/curve25519/curve25519.c:3900:18: runtime error:
left shift of negative value -222076011
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /dev/portable
To avoid this, import int64_lshift21() from BoringSSL, a helper function
that casts the input to uint64_t before shifting and back to int64_t afterward.
This ensures defined behavior when shifting left by 21 bits, avoiding
undefined behavior in expressions like `carry << 21`.
This change addresses potential runtime issues detected by sanitizers
when shifting signed values with high bits set.
ok tb beck
|
|
|
|
|
