| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/release/security/nss/lib/ckfw/builtins/certdata.txt
SHA256 (certdata.txt) = 579f336ace2e5717b8ecc06002ce0cce96f70623d188e1999c34b0f77696d3e9
Removals:
- /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
- /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
- /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
- /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
- /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
- /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
- /C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority
Addition:
+ /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
|
| |
|
|
|
|
|
|
| |
Use bn_{mul,sqr}_comba{4,6,8}() and bn_montgomery_reduce_words() for
specific input sizes. This is significantly faster than using
bn_montgomery_multiply_words().
ok tb@
|
| |
|
|
|
|
| |
This allows for fast squaring of a 6 word array.
ok tb@
|
| |
|
|
|
|
| |
This allows for fast multiplication of two 6 word arrays.
ok tb@
|
| |
|
|
|
|
|
| |
This makes it consistent with bn_sqr_comba{4,8}() and simplifies an
upcoming change.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Replace simplistic non-constant time scalar multiplication with a constant
time version. This is actually faster since we compute multiples of the
point, then double four times and add once. The multiple to add is selected
conditionally, ensuring that the access patterns remain the same regardless
of value.
Inspired by Go's scalar multiplication code.
ok tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
ri is an int, so the check relied on signed overflow (UB). It's not really
reachable, but shrug.
reported by smatch via jsg
ok beck jsing kenjiro
|
| |
|
|
|
| |
Reported by smatch via jsg.
ok beck jsing kenjiro
|
| |
|
|
|
| |
For now this still calls bn_montgomery_multiply_words(), however it can
be optimised further in the future.
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
Provide a ec_field_element_select() function that allows for constant time
conditional selection between two EC_FIELD_ELEMENTs. This will become a
building block for constant time point multiplication.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
This is nearly identical to CMS_add_simple_smimecap(). We can reuse
its doc comment mutatis mutandis and use the same construction.
Maybe this wants deduplicating. Maybe not.
ok kenjiro
|
| |
|
|
|
|
|
|
|
|
|
| |
There's nothing really wrong here (at least when compared to the rest of
this file an hour or so ago), but we can make this look somewhat more like
code. That there's no bug here is not really related to the fact that it's
an add1 function, not an add0 one. In fact, it's kind of surprising that
the author had an uncharacteristic moment of lucidity and remembered to
free the last argument passed to PKCS7_add_signed_attribute() on failure.
ok kenjiro
|
| |
|
|
|
|
|
|
|
| |
Since we finally found a use for i2d_X509_ALGORS(), make use of its
sibling here. This avoids some ridiculous contortions in not quite
peak muppet code (obviously this was a first test run for the grand
finale in CMS).
ok kenjiro
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
set0/add0 functions that can fail are the worst. Without fail this trips
up both users and authors (by and large these are two identical groups
consisting of a single person), resulting in leaks and double frees.
In today's episode of spelunking in the gruesome gore provided by the
PKCS#7 and Time-Stamp protocol "implementations", we fix a couple of
leaks in PKCS7_add_attrib_smimecap() and ESS_add_signing_cert().
We do so by recalling that there is i2d_X509_ALGORS(), so we might
as well put it to use instead of inlining it poorly (aka, without
error checking). Normalize said error checking and ensure ownership
is handled correctly in the usual single-exit idiom.
ESS_add_signing_cert() can also make use of proper i2d handling, so
it's simpler and correct and in the end looks pretty much the same
as PKCS7_add_attrib_smimecap().
ok kenjiro
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Given that RFC 5652 does not override the earlier (and simpler)
standards but instead strives to remain compatible, referencing
both the original and the latest versions seems helpful.
OK tb@
|
| |
|
|
|
|
| |
This is no longer used in the DES code.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Use a slightly unrolled loop, which gets us half way between DES_UNROLL and
no DES_UNROLL. While we're not terribly concerned by DES performance, this
gets us a small gain on aarch64 and a small loss on arm. But above all, we
end up with simpler code.
ok tb@
|
| |
|
|
|
|
| |
Why have seven lines if you can have 30...
tweak/ok kenjiro
|
| |
|
|
|
|
|
| |
Document the change of behavor from pk7_attr.c r1.17: the time is now
validated to be in correct RFC 5280 time format.
ok kenjiro
|
| |
|
|
|
|
|
|
|
|
| |
If the caller passes in NULL, helpfully a new ASN1_TIME is allocated
with X509_gmtime_adj() and leaked if PKCS7_add0_attrib_signing_time()
fails afterward. Fix this. Also don't blindly set the signing time to
a UTCTime. Validate the usual RFC 5280 format before setting it, as
that's what RFC 5652, section 11.3 mandates.
ok kenjiro
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This little gem has a number of issues.
On failure, the caller can't know whether ownership of value was taken
or not, so to avoid a double free, the only option is to leak value on
failure. As X509_ATTRIBUTE_create() takes ownership on success, this
call must be the last one that can fail. This way ownership is only
taken on success.
Next, if X509_ATTRIBUTE_create() fails in the case that the input stack
already contains an attribute of type nid, that attr is freed and the
caller freeing the stack with pop_free() will double free.
So, rework this in a few ways. Make this transactional, so we don't fail
with a modified *in_sk, so work with a local sk as usual. Then walk the
stack and see if we have an attribute with the appropriate nid already.
If not, make sure there's room to place the new attribute. Create the
new attribute, free the old attribute if necessary and replace it with
the new one. Finally assign the local sk to *in_sk and return success.
On error unwind all we did.
The behavior now matches OpenSSL 3's new behavior, except that we don't
leave an empty stack around on error.
ok kenjiro
|
| |
|
|
|
|
|
| |
These have been ineffective since r1.19 of bn.h, when BN_LLONG/BN_ULLONG
defines/undefs were added based on _LP64.
ok tb@
|
| | |
|
| |
|
|
| |
Use aes_encrypt_block128() instead of AES_encrypt(), avoiding risky casts.
|
| |
|
|
|
|
| |
There are no more consumers of crypto_cpu_caps_ia32(), so remove it.
ok bcook@ joshua@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Make aes_ecb_encrypt_internal() replaceable and provide machine dependent
versions for amd64 and i386, which dispatch to AES-NI if appropriate.
Remove the AES-NI specific EVP methods for ECB.
This removes the last of the machine dependent code from EVP AES.
ok bcook@ joshua@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mode implementation for CCM has two variants - one takes the block
function, while the other takes a "ccm64" function. The latter is expected
to handle the lower 64 bits of the IV/counter but only for 16 byte blocks.
The AES-NI implementation for CCM currently uses the second variant.
Provide aes_ccm64_encrypt_internal() as a function that can be replaced on
a machine dependent basis, along with an aes_ccm64_encrypt_generic()
function that provides the default implementation and can be used as a
fallback. Wire up the AES-NI version for amd64 and i386, change EVP's
aes_ccm_cipher() to use CRYPTO_ctr128_{en,de}crypt_ccm64() with
aes_ccm64_encrypt_internal()) and remove the various AES-NI specific
EVP_CIPHER methods for CCM.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
| |
because PEM_X509_INFO_read(3) no longer exists.
Requested by tb@.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Shifting a signed int64_t into the sign bit is undefined behavior in C.
/dev/portable/crypto/curve25519/curve25519.c:3900:18: runtime error:
left shift of negative value -222076011
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /dev/portable
To avoid this, import int64_lshift21() from BoringSSL, a helper function
that casts the input to uint64_t before shifting and back to int64_t afterward.
This ensures defined behavior when shifting left by 21 bits, avoiding
undefined behavior in expressions like `carry << 21`.
This change addresses potential runtime issues detected by sanitizers
when shifting signed values with high bits set.
ok tb beck
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
because tb@ removed them from Symbols.list rev. 1.220 today.
|
| |
|
|
|
|
|
|
| |
Remove BIO_s_log(): already unhooked in portable, completely unused.
Remove X509_PKEY_new/free from public API. Remove PEM_X509_INFO_read()
PEM_X509_INFO_write_bio(): all unused garbage.
The simplify X509_PKEY_new/free was ok kenjiro.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
libc/hidden/_stdio.h. All programs that refer to the internal
structure of the FILE object can't be compiled from now on.
std{in,out,err} doesn't refer __sF[] now, but the hidden __sF along
with __srget and __swbuf symbols are kept temporarily to make our
transition easier. But those symbols will be deleted soon. The shared
library versions are bumped for libc and all the other libraries that
refer to std{in,out,err}.
diff from guenther, tweak by me, tested by many
ok sthen tb
|
| |
|
|
|
|
|
|
|
| |
Provide aes_xts_encrypt_internal() and call that from aes_xts_cipher().
Have amd64 and i386 provide their own versions that dispatch to
aesni_xts_encrypt()/aesni_xts_decrypt() as appropriate. The
AESNI_CAPABLE code and methods can then be removed.
ok tb@
|
| |
|
|
| |
It looks like those can be unexported.
|
| |
|
|
|
| |
X509_INFO_new() isn't used directly outside of this file, so this is a bit
tidier.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Check X509_ALGOR_cmp() explicitly against 0 and add an explanatory comment
referring to the relevant RFC 5280 sections.
ok beck kenjiro
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When fixing CVE-2014-8275 in commit 684400ce, Henson added a check
that the AlgorithmIdentifier in the certificate's signature matches
the one in the tbsCertificate. A corresponding check for CRLs was
missed. BoringSSL added such a check in 2022, so this should be fine
for us to do as well even though OpenSSL still doesn't have it. The
only caller will set an error on the stack, so we don't do it here.
There's no obvious check that X509_REQ_verify() could do.
ok beck kenjiro
|
| | |
|
