| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Historically (and currently in OpenSSL), BN_asc2bn() could be called with
NULL, but only for positive numbers. So BN_asc2bn(NULL, "1") would succeed
but BN_asc2bn(NULL, "-1"), would crash. The other *2bn functions return a
length, so accepting a NULL makes some sense since it allows callers to
skip over part of the string just parsed (atoi-style).
For BN_asc2bn() a NULL bn makes no sense because it returns a boolean. The
recent CBS rewrite makes BN_asc2bn(NULL, *) always crash which in turn made
Coverity throw a fit.
Another change of behavior from that rewrite pertains to accidents (or is
it madness?) like -0x-11 and 0x-11 being parsed as decimal -17 (which Ingo
of course spotted and diligently documented). This will be addressed later.
ok jsing
|
| |
|
|
|
|
|
|
| |
Purely cosmetic change taking into account the fact that this function
returns a length rather than a boolean. This is the last offender in the
library.
ok jsing
|
| |
|
|
|
|
|
| |
It returns a length, not a Boolean, so check for 0 explicitly. This is
purely cosmetic.
ok jsing
|
| | |
|
| |
|
|
| |
This file is already enough of an eyesore without them.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
On some architectures, we can provide an optimised (often single
instruction) count-leading-zero implementation. In order to do this
effectively, provide bn_clzw() as a static inline that can be replaced
by an architecture specific version. The default implementation defers
to the bn_word_clz() function (which may also be architecture specific).
ok tb@
|
| |
|
|
|
|
|
|
| |
Provide bn_bitsize(), which performs a constant time scan of a BN in order
to determine the bit size of the BN value. Use this for BN_num_bits() such
that it is no longer dependent on the bn->top value.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The various checks of the cofactor to be set in EC_GROUP_set_generator()
are a bit all over the place. Move them into a single function and clean
things up a little. Instead of calculating directly with the cofactor
member of the group, use a temporary variable and copy this variable only
if all tests passed. In cryptographic contexts the cofactor almost always
fits if not into a single byte then into a word, so copying is cheap.
Also streamline the computations a bit and remove some binary curve
contortions.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Only allow version v1-v3, disallow issuerUID and subjectUID in v1 certs
and require that if X509v3 extensions are present that the cert be v3.
Initial diff from job
ok job jsing
|
| |
|
|
| |
Requested by jsing
|
| |
|
|
|
|
| |
int_ctx_new() is a bad, generic, nondescriptive name.
requested by jsing
|
| |
|
|
|
|
|
|
|
| |
Compare explicitly against NULL, ensure the engine is always finished on
error, switch to using calloc() instead of malloc() + forgetting to set
some members to 0, use EVP_PKEY_up_ref() and also use pkey_ctx instead of
ret for the newly created EVP_PKEY_CTX.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
Explicitly check against NULL, replace malloc() plus manual zeroing with
calloc(). Use EVP_PKEY_up_ref() rather than handrolling it and use a more
normal error idiom.
There still seems to be a bug in here in that the ENGINE's refcount isn't
bumped, but that will be investigated and fixed separately.
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
These functions are properly documented and upcoming surgery in here is
going to be tricky enough without having to navigate around this noise.
No code change.
|
| |
|
|
|
| |
This provides significant performance gains for bn_sqr_comba4() and
bn_sqr_comba8().
|
| |
|
|
|
|
|
|
|
|
| |
Factor out and optimise the inner loop for Montgomery multiplication,
making use of bn_qwmulw_addqw_addw() to perform Montgomery multiplication
by one word in larger steps. This provides a significant performance gain,
especially on platforms where bn_qwmulw_addqw_addw() is (or can be)
optimised.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
Mixing SSL_{get,set}_ex_data() and and SSL_{get,set}_app_data() in the
same application causes problems since they both place their data at
the same spot.
From Marc Aldorasi
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
(this and the Ed25519 addition to obj_xref.txt were ok jsing)
|
| |
|
|
|
| |
Also move part of for RSA-PSS to the top since it doesn't only apply to
RSA-PSS.
|
| |
|
|
|
|
|
|
| |
Switch to using EVP_DigestVerify(). Move the freeing of in where it
belongs (previously it would leak on EVP_DigestVerifyUpdate() failure),
and use the proper idiom for ASN1_item_i2d() error checking.
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
Rename buf_in into in, buf_out into out, use in_len and out_len for their
lengths, drop a couple of silly casts and remove some empty lines.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This makes this function work with Ed25519 and cleans up a handful of
ugly contortions: use EVP_DigestSign() to determine the signature length
instead of using the strange EVP_PKEY_size() and garbage collect the now
useless out_len. Also use calloc().
ok jsing
|
| |
|
|
|
|
|
| |
Also move the NULL check for the EVP_MD into the rv == 2 path, which
is the only branch where it is used.
ok jsing
|
| |
|
|
|
|
| |
Pull a NULL check for pkey->ameth up to before ameth is first accessed. An
EVP_PKEY created with EVP_PKEY_new() has ameth == NULL, so this check makes
sense, but it does not make sense to do it where it was.
|
| |
|
|
|
|
|
|
|
|
|
| |
If the item_sign() ASN.1 method returns 1, it supposedly handles everything
and the goto err prior to r1.5 was actually a success path. Go figure.
This is fortunately inconsequential since there are only two item_sign()
methods, one for RSA and one for Ed25519, neither of which can return 1.
They only return 0, 2, and 3.
Pointed out by and ok jsing
|
| |
|
|
|
| |
Reword it in such a way that it stands on its own and doesn't refer
to a non-existent model above. Also tweak grammar and fix typos.
|
| |
|
|
|
|
|
|
|
|
|
| |
All the functions changed in this commit would silently misbehave if the
return value aliases the modulus, most of the time they would succeed and
return an incorrect result of 0 in that situation. This adjusts all the
functions in BN_mod.c, others and documentation will follow later.
Prompted by a bug report about BN_mod_inverse() by Guido Vranken.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
One problem with OpenSSL error codes is that they tend to be too specific
(another problem is that they are extremely ugly). So add an EINVAL-style
error code. This will be used in an upcoming commit to disallow aliasing
of the 'return value' with the modulus in BN_mod_* functions and should
be applicable elsewhere, outside of this one narrow use case.
ok jsing
|
| | |
|
| |
|
|
| |
This provides a performance gain across most BN operations.
|
| |
|
|
|
|
|
|
| |
This includes bn_qwaddqw(), bn_qwsubqw(), bn_qwmulw_addw() and
bn_qwmulw_addqw_addw(). These can typically be optimised on architectures
that have a reasonable number of general purpose registers.
ok tb@
|
| |
|
|
|
|
|
| |
This has long been unused code and compilation with -DZLIB was broken
for a long time after BIO was made opaque.
ok jsing
|
| |
|
|
|
|
|
|
| |
must_be_ca can no longer be 0 after the proxy cert code got nuked,
so change this to an if. must_be_ca is now -1 for a leaf, or 1 for
a non leaf.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
of the X509_CRL_INFO object. It should have been called "thisUpdate"
like in RFC 5280 section 5.1 (and in its precursor RFC 2459). Then again,
RFC 2459 was only published in 1999, so maybe the terminology wasn't
firmly established yet when Young wrote his code several years earlier -
just guessing, neither we nor the OpenSSL folks appear to know the real
reasons...
Anyway, we have been stuck with the "lastUpdate" names in the API for
more than two decades now, so clarify in the documentation what they
refer to and what they really mean.
Requested by and OK tb@.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Suggestion from Małgorzata Olszówka, they noted:
"The original wording suggests that it is required to execute
CMS_get0_signers() after CMS_verify(), while it is CMS_get0_signers()
that requires prior successful invocation of CMS_verify()."
OK tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This traded local copies of CTASSERT() to the one in crypto_internal.h.
This change was backed out due to SHA-512 breakage on STRICT_ALIGNMENT
architectures still using Fred Flintstone's gcc without asm sha512.
Original commit message:
Use crypto_internal.h's CTASSERT()
Now that this macro is available in a header, let's use that version
rather than copies in several .c files.
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The somewhat strange calculation m = a^{-1} (mod m) can return 0. This
breaks because of BN_nnmod() having delicate semantics of which variable
can be reused. BN_nnmod(a, a, m, ctx) works and the library relies on that.
Here, the code ends up doing BN_nnmod(m, a, m, ctx) and this doesn't work.
If the result of the initial BN_mod() is negative, then BN_nnmod() will
return 0.
Problem reported by Guido Vranken in
https://github.com/openssl/openssl/issues/21110
This code is well covered by regress, but it does not currently have
explicit test coverage. Such will be added soon.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This doesn't actually overflow, but still is poor style.
Speaking of which: this is now the second time I get to fix something
reported by Nicky Mouha by way of a blog post. The first time was the
actual SHA-3 buffer overflow in Python where it is not entirely clear
who screwed up and how. Hopefully next time proper communication will
happen and work.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
- move a sentence out of a Bd block
- add some .Pp for spacing
- avoid a double colon on a sentence and the usage of second person
- mark STORE_CTX with .Vt
- change one Vt -> Dv (done after this has been ok'd by beck)
ok beck@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an un-revert with nits of the previously landed change
to do this which broke libtls. libtls has now been changed to
not use this function.
This change ensures that if something is returned it is "text"
(UTF-8) and a C string not containing a NUL byte. Historically
callers to this function assume the result is text and a C string
however the OpenSSL version simply hands them the bytes from an
ASN1_STRING and expects them to know bad things can happen which
they almost universally do not check for. Partly inspired by
goings on in boringssl.
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
This takes much of the language that boring uses to document
the verify callback, and corrects the historical horror that
OpenSSL introduced years ago by suggesting people ignore expiry
dates using the callback instead of the verify flags.
nits by jsg@ and tb@
ok tb@
|
| |
|
|
|
| |
This results in bn_mul_comba4() and bn_mul_comba8() requiring ~30% less
instructions than they did previously.
|
