summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Speed up Montgomery multiplication.jsing2023-06-171-10/+37
| | | | | | | | | | Factor out and optimise the inner loop for Montgomery multiplication, making use of bn_qwmulw_addqw_addw() to perform Montgomery multiplication by one word in larger steps. This provides a significant performance gain, especially on platforms where bn_qwmulw_addqw_addw() is (or can be) optimised. ok tb@
* Fix CRYPTO_get_ex_new_index() to return 1 or highertb2023-06-161-2/+2
| | | | | | | | | | Mixing SSL_{get,set}_ex_data() and and SSL_{get,set}_app_data() in the same application causes problems since they both place their data at the same spot. From Marc Aldorasi ok jsing
* Teach the grotty X509_certificate_type() about Ed25519 certstb2023-06-151-1/+4
| | | | ok jsing
* regentb2023-06-151-1/+9
|
* Add RSA with the sha3s to obj_xref.txttb2023-06-151-0/+4
| | | | ok jsing
* regen obj_xref.htb2023-06-151-12/+14
| | | | (this and the Ed25519 addition to obj_xref.txt were ok jsing)
* Add Ed25519 to the obj_xref table.tb2023-06-151-3/+6
| | | | | Also move part of for RSA-PSS to the top since it doesn't only apply to RSA-PSS.
* Some fixes in ASN1_item_verify()tb2023-06-151-17/+8
| | | | | | | | Switch to using EVP_DigestVerify(). Move the freeing of in where it belongs (previously it would leak on EVP_DigestVerifyUpdate() failure), and use the proper idiom for ASN1_item_i2d() error checking. ok jsing
* Make another NULL check explicit and put a brace on the proper linetb2023-06-151-4/+3
|
* Rename a few variables and other cosmeticstb2023-06-151-23/+21
| | | | | | | Rename buf_in into in, buf_out into out, use in_len and out_len for their lengths, drop a couple of silly casts and remove some empty lines. ok jsing
* Switch ASN1_item_sign_ctx() to EVP_DigestSign()tb2023-06-151-9/+7
| | | | | | | | | This makes this function work with Ed25519 and cleans up a handful of ugly contortions: use EVP_DigestSign() to determine the signature length instead of using the strange EVP_PKEY_size() and garbage collect the now useless out_len. Also use calloc(). ok jsing
* Make NULL checks explicit in ASN1_item_sign_ctx()tb2023-06-151-6/+8
| | | | | | | Also move the NULL check for the EVP_MD into the rv == 2 path, which is the only branch where it is used. ok jsing
* ASN1_item_sign_ctx()tb2023-06-151-3/+7
| | | | | | Pull a NULL check for pkey->ameth up to before ameth is first accessed. An EVP_PKEY created with EVP_PKEY_new() has ameth == NULL, so this check makes sense, but it does not make sense to do it where it was.
* Fix a logic error in ASN1_item_sign_ctx()tb2023-06-151-5/+8
| | | | | | | | | | | If the item_sign() ASN.1 method returns 1, it supposedly handles everything and the goto err prior to r1.5 was actually a success path. Go figure. This is fortunately inconsequential since there are only two item_sign() methods, one for RSA and one for Ed25519, neither of which can return 1. They only return 0, 2, and 3. Pointed out by and ok jsing
* Move comment about ASN1_item_dup() where it belongstb2023-06-131-7/+7
| | | | | Reword it in such a way that it stands on its own and doesn't refer to a non-existent model above. Also tweak grammar and fix typos.
* Disallow aliasing of return value and modulustb2023-06-131-1/+44
| | | | | | | | | | | All the functions changed in this commit would silently misbehave if the return value aliases the modulus, most of the time they would succeed and return an incorrect result of 0 in that situation. This adjusts all the functions in BN_mod.c, others and documentation will follow later. Prompted by a bug report about BN_mod_inverse() by Guido Vranken. ok jsing
* Add a BN_R_INVALID_ARGUMENT error codetb2023-06-132-2/+4
| | | | | | | | | | One problem with OpenSSL error codes is that they tend to be too specific (another problem is that they are extremely ugly). So add an EINVAL-style error code. This will be used in an upcoming commit to disallow aliasing of the 'return value' with the modulus in BN_mod_* functions and should be applicable elsewhere, outside of this one narrow use case. ok jsing
* Remove prototypes for various ec_GF2m_* functions that no longer exist.jsing2023-06-121-13/+1
|
* Optimise quad word primitives on aarch64.jsing2023-06-121-1/+136
| | | | This provides a performance gain across most BN operations.
* Provide and use various quad word primitives.jsing2023-06-123-27/+120
| | | | | | | | This includes bn_qwaddqw(), bn_qwsubqw(), bn_qwmulw_addw() and bn_qwmulw_addqw_addw(). These can typically be optimised on architectures that have a reasonable number of general purpose registers. ok tb@
* Unifdef ZLIBtb2023-06-117-739/+7
| | | | | | | This has long been unused code and compilation with -DZLIB was broken for a long time after BIO was made opaque. ok jsing
* Remove dead code.beck2023-06-081-13/+3
| | | | | | | | must_be_ca can no longer be 0 after the proxy cert code got nuked, so change this to an if. must_be_ca is now -1 for a leaf, or 1 for a non leaf. ok tb@
* In 1995, Eric A. Young chose a confusing name for the "lastUpdate" fieldschwarze2023-06-062-12/+20
| | | | | | | | | | | | | | | of the X509_CRL_INFO object. It should have been called "thisUpdate" like in RFC 5280 section 5.1 (and in its precursor RFC 2459). Then again, RFC 2459 was only published in 1999, so maybe the terminology wasn't firmly established yet when Young wrote his code several years earlier - just guessing, neither we nor the OpenSSL folks appear to know the real reasons... Anyway, we have been stuck with the "lastUpdate" names in the API for more than two decades now, so clarify in the documentation what they refer to and what they really mean. Requested by and OK tb@.
* Fix typo in comment: exta -> extratb2023-06-061-2/+2
|
* Improve the description of CMS_get0_signers()job2023-06-051-3/+3
| | | | | | | | | | Suggestion from Małgorzata Olszówka, they noted: "The original wording suggests that it is required to execute CMS_get0_signers() after CMS_verify(), while it is CMS_get0_signers() that requires prior successful invocation of CMS_verify()." OK tb@
* Reinstate bn_isqrt.c r1.8 and crypto_lock.c r1.3tb2023-06-042-8/+5
| | | | | | | | | | | | | | | This traded local copies of CTASSERT() to the one in crypto_internal.h. This change was backed out due to SHA-512 breakage on STRICT_ALIGNMENT architectures still using Fred Flintstone's gcc without asm sha512. Original commit message: Use crypto_internal.h's CTASSERT() Now that this macro is available in a header, let's use that version rather than copies in several .c files. discussed with jsing
* Fix variable reuse in BN_mod_inverse()tb2023-06-021-21/+15
| | | | | | | | | | | | | | | | | | The somewhat strange calculation m = a^{-1} (mod m) can return 0. This breaks because of BN_nnmod() having delicate semantics of which variable can be reused. BN_nnmod(a, a, m, ctx) works and the library relies on that. Here, the code ends up doing BN_nnmod(m, a, m, ctx) and this doesn't work. If the result of the initial BN_mod() is negative, then BN_nnmod() will return 0. Problem reported by Guido Vranken in https://github.com/openssl/openssl/issues/21110 This code is well covered by regress, but it does not currently have explicit test coverage. Such will be added soon. ok beck jsing
* Avoid a potentially overflowing checktb2023-06-011-2/+2
| | | | | | | | | | | | This doesn't actually overflow, but still is poor style. Speaking of which: this is now the second time I get to fix something reported by Nicky Mouha by way of a blog post. The first time was the actual SHA-3 buffer overflow in Python where it is not entirely clear who screwed up and how. Hopefully next time proper communication will happen and work. ok jsing
* fix some nits on previousop2023-05-301-6/+10
| | | | | | | | | | - move a sentence out of a Bd block - add some .Pp for spacing - avoid a double colon on a sentence and the usage of second person - mark STORE_CTX with .Vt - change one Vt -> Dv (done after this has been ok'd by beck) ok beck@
* Oops, Fa -> .Fabeck2023-05-291-2/+2
|
* Make X509_NAME_get_text_by[NID|OBJ] safer.beck2023-05-292-20/+48
| | | | | | | | | | | | | | | | This is an un-revert with nits of the previously landed change to do this which broke libtls. libtls has now been changed to not use this function. This change ensures that if something is returned it is "text" (UTF-8) and a C string not containing a NUL byte. Historically callers to this function assume the result is text and a C string however the OpenSSL version simply hands them the bytes from an ASN1_STRING and expects them to know bad things can happen which they almost universally do not check for. Partly inspired by goings on in boringssl. ok jsing@ tb@
* Stop suggesting that children play with loaded revolvers.beck2023-05-291-31/+49
| | | | | | | | | | This takes much of the language that boring uses to document the verify callback, and corrects the historical horror that OpenSSL introduced years ago by suggesting people ignore expiry dates using the callback instead of the verify flags. nits by jsg@ and tb@ ok tb@
* Provide optimised bn_mulw_{addw,addw_addw,addtw}() for aarch64.jsing2023-05-281-1/+68
| | | | | This results in bn_mul_comba4() and bn_mul_comba8() requiring ~30% less instructions than they did previously.
* Provide optimised bn_addw_addw()/bn_subw_subw() for aarch64.jsing2023-05-281-1/+43
|
* Sprinkle some style(9).jsing2023-05-281-15/+15
|
* Expand occurrences of HASH_CTX that were previously missed.jsing2023-05-281-4/+5
| | | | No change in generated assembly.
* Reorder functions.jsing2023-05-281-214/+214
| | | | No intended functional change.
* Clean up includes.jsing2023-05-281-6/+5
|
* Remove now unnecessary do {} while(0);jsing2023-05-281-3/+1
|
* Inline HASH_MAKE_STRING for SHA256.jsing2023-05-281-34/+37
| | | | No change to generated assembly.
* Rewrite BN_{asc,dec,hex}2bn() using CBS.jsing2023-05-281-123/+224
| | | | | | | | | | | This gives us more readable and safer code. There are two intentional changes to behaviour - firstly, all three functions zero any BN that was passed in, prior to doing any further processing. This means that a passed BN is always in a known state, regardless of what happens later. Secondly, BN_asc2bn() now fails on NULL input, rather than crashing. This brings its behaviour inline with BN_dec2bn() and BN_hex2bn(). ok tb@
* Merge X509_VERIFY_PARAM_ID into X509_VERIFY_PARAMtb2023-05-284-110/+73
| | | | | | | | | | Back in the day when essentially every struct was open to all applications, X509_VERIFY_PARAM_ID provided a modicum of opacity. This indirection is now no longer needed with X509_VERIFY_PARAM being opaque itself, so stop using X509_VERIFY_PARAM_ID and merge it into X509_VERIFY_PARAM. This is a first small step towards cleaning up the X509_VERIFY_PARAM mess. ok jsing
* Implement SHA256_{Update,Transform,Final}() directly in sha256.c.jsing2023-05-271-4/+103
| | | | | | | | | | m32_common.h is a typical OpenSSL macro horror show - copy the update, transform and final functions from md32_common.h, manually expanding the macros for SHA256. This will allow for further clean up to occur. No change in generated assembly. ok beck@ tb@
* Add HASH_NO_UPDATE and HASH_NO_TRANSFORM to md32_common.hjsing2023-05-271-5/+7
| | | | | | | This makes it possible to still use minimal parts of md32_common.h, while disabling the update and transform functions. ok beck@ tb@
* Bump LibreSSL versionlibressl-v3.8.0tb2023-05-271-3/+3
|
* Clean up alignment handling for SHA-512.jsing2023-05-272-80/+96
| | | | | | | | | | | This recommits r1.37 of sha512.c, however uses uint8_t * instead of void * for the crypto_load_* functions and primarily uses const uint8_t * to track input, only casting to const SHA_LONG64 * once we know that it is suitably aligned. This prevents the compiler from implying alignment based on type. Tested by tb@ and deraadt@ on platforms with gcc and strict alignment. ok tb@
* Update X509_VERIFY_PARAM_inherit() to reflect the change of behaviortb2023-05-241-9/+6
| | | | in x509_vpm.c r1.39.
* Copy the verify param hostflags independently of the host listtb2023-05-241-3/+4
| | | | | | | | | | | | | | | | Without this, hostflags set on the SSL_CTX would not propagate to newly created SSL. This is surprising behavior that was changed in OpenSSL 1.1 by Christian Heimes after the issue was flagged by Quentin Pradet: https://bugs.python.org/issue43522 This is a version of the fix that landed in OpenSSL. There used to be a workaround in place in urllib3, but that was removed at some point. We haven't fixed this earlier since it wasn't reported. It only showed up after recent fallout of extraordinarily strict library checking in urllib3 coming from their own interpretation of the implications of PEP 644. ok jsing
* Provide X509_VERIFY_PARAM_set_hostflags()tb2023-05-241-1/+8
| | | | | | | | This is needed for an upcoming regress test that needs to access the hostflag. This is public API in OpenSSL but since nothing seems to be using this, this accessor will be kept internal-only for the time being. ok jsing
* Simplify OBJ_obj2txt()tb2023-05-232-8/+5
| | | | | | | | | | Instead of adding a NUL termination to OBJ_obj2txt(), move the aobj == NULL or aobj->data == NULL checks to i2t_ASN1_OBJECT_internal(). The only other caller, i2t_ASN1_OBJECT(), fails on aobj == NULL and aobj->length == 0, and the latter condition is implied by aobj->data. Cleaner solution for obj_dat.c r1.52 suggested by/ok jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-23 02:24:32 +0000