summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Check return value of EVP_EncodeUpdate() in PEM_write_bio().tb2018-08-241-2/+3
| | | | ok jsing
* Check return value of EVP_EncodeUpdate() in b64_write().tb2018-08-241-3/+4
| | | | ok jsing
* Convert EVP_EncodeUpdate() to return an int to allow for errortb2018-08-242-8/+10
| | | | | | | | | checking. Matches our documented behavior. Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387 tested in a bulk by sthen ok jsing
* Provide EVP_CIPHER_CTX_encrypting().tb2018-08-243-2/+10
| | | | | tested in a bulk by sthen ok jsing
* Document prototype change and return values for BIO_set_cipher()tb2018-08-241-3/+5
| | | | ok jsing
* Return an int in BIO_set_cipher() to be able to report errors.tb2018-08-242-13/+22
| | | | | tested in a bulk by sthen ok jsing
* In DSO_up_ref(), check return value of CRYPTO_add() and reporttb2018-08-241-3/+5
| | | | | | failure accordingly. ok jsing
* In ENGINE_up_ref(), check return value of CRYPTO_add() and reporttb2018-08-241-3/+5
| | | | | | failure accordingly. ok jsing
* Document new prototype and return values of X509_OBJECT_up_ref_count()tb2018-08-241-3/+6
| | | | ok jsing
* Make X509_OBJECT_up_ref_count return an int.tb2018-08-242-9/+7
| | | | | | | Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387 tested in a bulk by sthen ok jsing
* Update documentation of CRYPTO_mem_leaks*.tb2018-08-241-6/+12
| | | | ok jsing
* Let CRYPTO_mem_leaks{,_fp,_cb}() return -1.tb2018-08-242-12/+12
| | | | | | | | | These functions are no-ops. Their signature was changed by OpenSSL to allow error checking. This way we return an error and do not indicate the (non-)existence of memory leaks. tested in a bulk by sthen ok jsing
* Don't leak sktmp in X509_verify_cert().tb2018-08-191-5/+5
| | | | | | CID #118791 ok jsing mestre
* whitespace fixtb2018-08-191-2/+2
|
* Don't leak db on error in RSA_padding_check_PKCS1_OAEP().tb2018-08-191-7/+7
| | | | | | CID #183499. input & ok jsing, ok mestre on first version
* Add a comment that explains what the check is doing and why len >= 1.tb2018-08-141-1/+2
| | | | Prompted by a remark by jsing
* The UI_add_{input,verify}_string() functions want a length not includingtb2018-08-141-5/+8
| | | | | | | | | | | | | | the terminating NUL. EVP_read_pw_string_min() got this wrong, leading to a one-byte buffer overrun in all callers of EVP_read_pw_string(). Found by mestre running 'openssl passwd' with MALLOC_OPTIONS including C. Fix this by doing some basic sanity checking in EVP_read_pw_string_min(). Cap the len argument at BUFSIZ and ensure that min < len as well as 0 <= min and 1 <= len. The last two checks are important as these numbers may end up in reallocarray(). ok bcook (on previous version), jsing, mestre
* Add glue to EVP_md5_sha1() so that it can be used with EVP_Sign* andjsing2018-08-101-1/+12
| | | | | | EVP_Verify*. ok tb@
* Add missing include to X25519 synopsis.jsing2018-08-101-2/+3
|
* typo: macro-generates wrappers -> macro-generated wrapperstb2018-08-081-3/+3
|
* Remove unnecessary NULL check from get_cert_by_subject sincelibressl-v2.8.0bcook2018-08-051-3/+3
| | | | | | sk_BY_DIR_HASH_find already does it, removing ambiguity later in the function. ok tb@
* Fix a memory leak in i2d_RSA_NET on failure of ASN1_STRING_set.bcook2018-08-051-2/+2
| | | | | Found by Coverity. Feedback and ok tb@
* In RSA_padding_add_PKCS1_OAEP, dbmask needs to be freed on failure.bcook2018-08-051-3/+7
| | | | ok tb@
* Fix memory leak in i2b_PVK in error handling.bcook2018-08-051-14/+10
| | | | | | | Simplify parameter checks since this is only called from one place. Found by Coverity, CID 183502. ok beck@
* Document that X509_{NAME,REQ,REQ_INFO}_free() are all NULL safe.tb2018-07-292-4/+19
| | | | From Ross L. Richardson
* add c++ symbol annotationsbcook2018-07-241-1/+9
| | | | from Cameron Palmer
* Use BN_swap_ct() instead of BN_consttime_swap() intb2018-07-231-5/+10
| | | | | | | | | ec_GF2m_montgomery_point_multiply(). The new BN_swap_ct() API is an improved version of the public BN_consttime_swap() function: it allows error checking, doesn't assert(), and has fewer assumptions on the input. This diff eliminates the last use of BN_consttime_swap() in our tree. ok inoguchi, jsing
* Use a size_t instead of an int for the byte count in BN_swap_ct().tb2018-07-232-8/+11
| | | | | | | | Since bignums use ints for the same purpose, this still uses an int internally after an overflow check. Suggested by and discussed with jsing. ok inoguchi, jsing
* Clean up our disgusting implementations of BN_{,u}{add,sub}(), followingtb2018-07-231-157/+67
| | | | | | | | | changes made in OpenSSL by Davide Galassi and others, so that one can actually follow what is going on. There is no performance impact from this change as the code still does essentially the same thing. There's a ton of work still to be done to make the BN code less terrible. ok jsing, kn
* Implement RSASSA-PKCS1-v1_5 as specified in RFC 8017.tb2018-07-231-120/+148
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Based on an OpenSSL commit by David Benjamin. Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library reported that more than 200 "expected to fail" signatures among Project Wycheproof's test vectors validated on LibreSSL. This patch makes them all fail. ok jsing commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836 Author: David Benjamin <davidben@google.com> Date: Sat Aug 20 13:35:17 2016 -0400 Implement RSASSA-PKCS1-v1_5 as specified. RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode the DigestInfo struct and then compare the result against the public key operation result. This implies that one and only one encoding is legal. OpenSSL instead parses with crypto/asn1, then checks that the encoding round-trips, and allows some variations for the parameter. Sufficient laxness in this area can allow signature forgeries, as described in https://www.imperialviolet.org/2014/09/26/pkcs1.html Although there aren't known attacks against OpenSSL's current scheme, this change makes OpenSSL implement the algorithm as specified. This avoids the uncertainty and, more importantly, helps grow a healthy ecosystem. Laxness beyond the spec, particularly in implementations which enjoy wide use, risks harm to the ecosystem for all. A signature producer which only tests against OpenSSL may not notice bugs and accidentally become widely deployed. Thus implementations have a responsibility to honor the specification as tightly as is practical. In some cases, the damage is permanent and the spec deviation and security risk becomes a tax all implementors must forever pay, but not here. Both BoringSSL and Go successfully implemented and deployed RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so this change should be compatible enough to pin down in future OpenSSL releases. See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00 As a bonus, by not having to deal with sign/verify differences, this version is also somewhat clearer. It also more consistently enforces digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath wasn't quite doing this right. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> GH: #1474
* Document behavior change of EC_POINTs_mul() again.tb2018-07-161-4/+22
|
* Recommit Billy Brumley's ECC constant time patch with a fix for sparc64tb2018-07-166-47/+341
| | | | | | | from Nicola Tuveri (who spotted the omission of ecp_nist.c from the PR). discussed with jsing tested by jsg
* recommit label indentation part of the backout; clearly unrelated to thetb2018-07-1519-91/+93
| | | | breakage.
* back out ecc constant time changesjsg2018-07-1521-448/+137
| | | | | | | | after the constant time commits various regress tests started failing on sparc64 ssh t9, libcrypto ec ecdh ecdsa and trying to ssh out resulted in 'invalid elliptic curve value' ok tb@
* Eliminate the weird condition in the BN_swap_ct() API that at most one bittb2018-07-131-3/+3
| | | | | | | | be set in condition. This makes the constant time bit-twiddling a bit trickier, but it's not too bad. Thanks to halex for an extensive rubber ducking session over a non-spicy spicy tabouleh falafel.. ok jsing, kn
* Sync commentkn2018-07-111-3/+5
| | | | | | Makes it a tad easier to read through and compare with BN_swap_ct(). OK tb
* Document behavior change of EC_POINTs_mul(3) from EC constant time changes.tb2018-07-111-4/+22
| | | | ok beck on earlier version, markup help from Schwarze.
* Turn yesterday's optimistic ! in an XXX comment into a more cautious ?tb2018-07-111-2/+2
|
* Indent labels by a space so they don't obliterate function names in diffs.tb2018-07-1019-91/+93
|
* ECC constant time scalar multiplication support. First step in overhaulingtb2018-07-105-46/+337
| | | | | | | | | | | the EC module. From Billy Brumley and his team, via https://github.com/libressl-portable/openbsd/pull/94 With tweaks from jsing and me. ok jsing
* Provide BN_swap_ct(), a constant time function that conditionally swapstb2018-07-102-2/+53
| | | | | | | | | | two bignums. It's saner and substantially less ugly than the existing public BN_constantime_swap() function and will be used in forthcoming work on constant time ECC code. From Billy Brumley and his team. Thanks! ok jsing
* Factor out a bit of ugly code that truncates the digest to the order_bitstb2018-07-101-32/+32
| | | | | | | | leftmost bits of a longer digest, according to FIPS 183-6, 6.4. Eliminate a microoptimization that only converts the relevant part of the digest to a bignum. ok beck, jsing
* sync with const changes in x509.h r1.68.tb2018-07-091-4/+4
|
* sync with const changes in evp.h r1.64.tb2018-07-091-3/+3
|
* sync with const changes in bio.h r1.44.tb2018-07-091-3/+3
|
* sync with const changes in bio.h r1.45.tb2018-07-091-10/+10
|
* import the relevant parts of a new ASN1_INTEGER_get(3) manual pageschwarze2018-07-082-1/+240
| | | | from OpenSSL, fixing many bugs and polishing many details
* Tiny tweak to the blinding comment.tb2018-06-161-2/+4
|
* Basic cleanup. Handle the possibly NULL ctx_in in ecdsa_sign_setup() withtb2018-06-151-67/+62
| | | | | | | | | | | | the usual idiom. All the allocations are now handled inside conditionals as is usually done in this part of the tree. Turn a few comments into actual sentences and remove a few self-evident ones. Change outdated or cryptic comments into more helpful annotations. In ecdsa_do_verify(), start calculating only after properly truncating the message digest. More consistent variable names: prefer 'order_bits' and 'point' over 'i' and 'tmp_point'. ok jsing
* Clean up some whitespace and polish a few comments. Reduces noise intb2018-06-151-24/+21
| | | | an upcoming diff.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-24 04:19:35 +0000