summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Do not install mlkem.h and bytestring.h into /usr/include/openssl for nowtb2024-12-191-3/+1
| | | | | | More work in mlkem is needed and this was premature. discussed with beck and jsing
* #ifdef out the inclusion of openssl/mlkem.h for nowtb2024-12-191-3/+4
| | | | discussed with beck and jsing
* Do not assume mlkem.h and bytestring.h are public in libcryptotb2024-12-194-14/+8
| | | | | | | As long as is not quite clear what we want to do about the public API aspect of MLKEM, keep things internal for now. discussed with beck and jsing
* ec_mult: use 1ULL to avoid C4334 warning on Visual Studiotb2024-12-191-2/+2
| | | | | The shift is between 0 and 5 bits, so it doesn't matter, but VS is short for very st...ubborn as are its users when it comes to reporting non-issues
* mlkem: fix whitespacetb2024-12-182-4/+6
|
* kength -> lengthjsg2024-12-181-3/+3
|
* New manual page EVP_aes_128_gcm(3).schwarze2024-12-174-75/+260
| | | | | | | | | | | | The main benefit is moving the cumbersome and error-prone method of using EVP_EncryptInit(3) for AES-GCM out of the important, but obese manual page EVP_EncryptInit(3), and to create a logical place for pointing readers to the safer and more flexible EVP_AEAD_CTX_init(3). As a side benefit, document three control commands that were so far undocumented and make the description of three others more precise. Feedback and OK tb@.
* Avoid a reduce once that can cause Clang misoptomization.beck2024-12-172-22/+54
| | | | | | | | Some versions of Clang compile this to non-constant time code. The fix is adapted from boring. For full details see: https://boringssl-review.googlesource.com/c/boringssl/+/74447 ok tb@
* Plug two memory leaks in MLKEM*_generate_key_external_entropy()tb2024-12-172-2/+6
| | | | | | | This needs more thinking. These are void functions that allocate... Left an XXX for now. From Kenjiro Nakayama
* mlkem: clean up top matter in headerstb2024-12-172-8/+14
|
* Simplify ec_point_to_octets()tb2024-12-161-8/+3
| | | | | | | | | | | This had an extra dance to allow a NULL output buffer. The plan was to use this in i2o_ECPublicKey() to preserve the behavior of avoiding an allocation if out == NULL. However, when I rewrote the latter I punted on preserving that complication, as it was already batshit crazy enough. Thus, remove said dance and make ec_point_to_octets() cleaner. ok jsing
* Add ML-KEM 1024 from BoringSSLbeck2024-12-135-2/+1290
| | | | | | | | | | | | | | | Changes include conversion from C++, basic KNF, then adaptation to use our sha3 functions for sha3 and shake instead of the BorinSSL version. This Adds units tests to run against BoringSSL and NIST test vectors. The future public API is the same as Boring's - but is not yet exposed pending making bytestring.h public (which will happen separately) and a minor bump Currently this will just ensure we build and run regress. ok tb@ to get it into the tree and massage from there.
* KNF nit tb wanted me to fixbeck2024-12-131-2/+4
|
* Add ML-KEM 768 from BoringSSLbeck2024-12-135-1/+1412
| | | | | | | | | | | | | | | Changes include conversion from C++, basic KNF, then adaptation to use our sha3 functions for sha3 and shake instead of the BorinSSL version. This Adds units tests to run against BoringSSL and NIST test vectors. The future public API is the same as Boring's - but is not yet exposed pending making bytesring.h public (which will happen separately) and a minor bump Currently this will just ensure we build and run regress. ok tb@ to get it into the tree and massage from there.
* Rewrite a comment to use p rather than qtb2024-12-121-10/+10
|
* Rename group->field to group->ptb2024-12-124-52/+46
| | | | | | Now that we only do curves over GF(p) fields, there's no need to use a weird, confusing name for what we usually call p. Adjust some comments in the vicinity as well.
* sm3: fix ugly whitespacetb2024-12-121-5/+5
|
* Avoid an oob access in asn1_item_free()tb2024-12-111-4/+3
| | | | | | | | | | As explained in a comment, this needs to loop backwards and the last tt-- ends up pointing at &it->templates[-1], which isn't ok. Use a simple way of looping, which is also ugly and involves some type confusion as pointed out by claudio. However, type confusion is common in libcrypto's asn1 code and won't be fixed anytime soon anyway. ok jsing
* Drop a pair of useless parenthesestb2024-12-111-2/+2
|
* Improve a rather misleading sentence about EVP_PKEY_new_mac_key(3).schwarze2024-12-101-4/+8
| | | | | | | It does *not* "work in the same way" as EVP_PKEY_new_raw_private_key(3) but merely arrives at the same end result after doing lots of cumbersome and unnecessary work - and on top of that, it only works for EVP_PKEY_HMAC.
* Add a paragraph about HMAC because that algorithm also involvesschwarze2024-12-101-3/+15
| | | | | | | | parameters that can be controlled with EVP_PKEY_CTX_ctrl(3). But rather than providing a detailed despription, instead point to what application programs should use instead and explain why using the control constant directly would be a particularly bad idea in this case.
* insert a forgotten .Dv macroschwarze2024-12-091-3/+3
|
* Mark the constants EVP_PK_*, EVP_PKS_*, and EVP_PKT_* as intentionallyschwarze2024-12-091-2/+7
| | | | | undocumented because they are only used by the function X509_certificate_type() which is deprecated and will eventually be deleted.
* Move the algorithm-specific functions EVP_rc2_*(3) out of EVP_EncryptInit(3)schwarze2024-12-084-55/+214
| | | | | | | | | and document them properly in their own manual page, including the control commands EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS that were so far undocumented. Arguably, the main benefit is another small step making the important, but still obese EVP_EncryptInit(3) manual page more palatable.
* Document the low-level rc2.h API.schwarze2024-12-072-2/+198
| | | | | Not that this would be particularly important, but i had to look at the code anyway while completing the EVP documentation.
* ec_mult: forgot to make one helper statictb2024-12-071-2/+2
|
* Move initialization of sign out of the middle of bits handlingtb2024-12-071-3/+3
|
* Rename ec_wNAF_mul() to ec_wnaf_mul()tb2024-12-063-7/+7
| | | | discussed with jsing
* ec_mult: manage wNAF data in a structtb2024-12-061-86/+131
| | | | | | | | | | | | | | | | | | | | | | This refactors the wNAF multiplication further and introduces a small API that manages the wNAF digits for bn and the multiples of digit * point in a single struct that is initialized and freed in two API calls in the main function, ec_wNAF_mul(). This way the main algorithm is no longer cluttered with logic to keep various arrays in sync, helper functions calculating the wNAF splitting of bn and multiples of the point do not need to deal with memory management, and a pair of accessors obviates previously missing bounds checking. At this point we have reached a relatively clean and straightforward wNAF implementation that fits precisely the purpose needed in libcrypto, i.e., ECDSA verification instead of being generalized and optimized to the max for no good reason apart from endowing the author with an academic degree. Popper's famous maxim "if you can't say it clearly, keep quiet, and keep working until you can" very much applies to code as well. In other words, shut up and hack (and don't pour too much energy into commit messages, tb). ok jsing
* Adjust the return type and value of EVP_MD_CTX_init(3)schwarze2024-12-062-7/+12
| | | | | and EVP_CIPHER_CTX_init(3) after tb@ changed these to OpenSSL 1.1 semantics in evp.h rev. 1.124 on March 2 this year.
* Delete the manual pages EVP_PKEY_meth_new(3) and EVP_PKEY_meth_get0_info(3)schwarze2024-12-0618-776/+60
| | | | | | | | because tb@ deleted almost all functions documented there from the API in evp.h 1.127 on March 2 this year, but move the functions EVP_PKEY_CTX_set_data(3) and EVP_PKEY_CTX_get_data(3) that we still support to EVP_PKEY_keygen(3), because that page already documents EVP_PKEY_CTX_set_app_data(3) and EVP_PKEY_CTX_get_app_data(3).
* Delete the manual page EVP_PKEY_check(3).schwarze2024-12-065-158/+5
| | | | | All three functions documented in this page were deleted from the API by tb@ in evp.h rev. 1.136 on August 31 this year.
* Delete the manual page EVP_PKEY_asn1_new(3).schwarze2024-12-0614-566/+30
| | | | | All the functions documented in this page were deleted from the API by tb@ in evp.h rev. 1.126 on March 2 this year.
* Provide a SHA-1 assembly implementation for amd64 using SHA-NI.jsing2024-12-063-2/+179
| | | | | | | | This provides a SHA-1 assembly implementation for amd64, which uses the Intel SHA Extensions (aka SHA New Instructions or SHA-NI). This provides a 2-2.5x performance gain on some Intel CPUs and many AMD CPUs. ok tb@
* Explain what "EVP" is supposed to mean.schwarze2024-12-061-2/+16
| | | | | | It's so non-obvious that even i had to do some research to find out. Source: The file "doc/ssleay.doc" from SSLeay 0.8.1b, see for example OpenSSL commit d02b48c6 on Dec 21, 1998.
* Fix previous and thus regress failures reported by antontb2024-12-061-2/+3
| | | | Looks like I applied the diff to a dirty tree and didn't notice.
* ec_asn1: update a comment to match realitytb2024-12-061-2/+2
|
* Set nid on group decoded from EC parameterstb2024-12-063-7/+14
| | | | | | | | | | | | | We match curve parameters against the builtin curves and only accept them if they're encoding a curve known to us. After getting rid of the wtls curves, some of which used to coincide with secp curves (sometimes the wrong ones), the nid is unambiguous. Setting the nid has no direct implications on the encoding. This helps ssh avoid doing ugly computations during the key exchange for PEM keys using this encoding. ok djm joshua jsing
* Zap a trailing spacetb2024-12-051-2/+2
|
* Make the DSS_prime_checks macro internaltb2024-12-052-11/+12
| | | | | | | | Rename it to DSA_prime_checks and add an XXX comment mentioning that we could reduce the number of rounds thanks to BPSW. There are no plans of changing that as DSA is on its way out. discussed with miod
* Remove the undocumented DSA_is_prime() macrotb2024-12-051-3/+1
| | | | | | It aliases BN_is_prime(), which was removed in April 2023. makes sense to miod
* document the #define'd constant PKCS5_SALT_LENschwarze2024-12-051-4/+6
|
* drop comments asking for documentation of three ASN1_PKEY_CTRL_CMS_*schwarze2024-12-051-5/+2
| | | | | constants after these have been marked as intentionally undocumented; they are internal to the library and unused in the wild
* Apply a little bit of lipstick to PKCS7tb2024-12-051-3/+7
| | | | | | | Makes the setting and getting of detached signatures more symmetric and avoids a NULL access. ok jsing
* Use ASIdentifiers rather than struct ASIdentifiers_sttb2024-12-041-2/+2
| | | | | | This matches the other members of X509 and is what's used everywhere else. ok miod
* Another now unused perlasm script can bite the dust.jsing2024-12-041-1267/+0
|
* Provide a replacement assembly implementation for SHA-1 on amd64.jsing2024-12-043-2/+345
| | | | | | | | | | | | | As already done for SHA-256 and SHA-512, replace the perlasm generated SHA-1 assembly implementation with one that is actually readable. Call the assembly implementation from a C wrapper that can, in the future, dispatch to alternate implementations. On a modern CPU the performance is around 5% faster than the base implementation generated by sha1-x86_64.pl, however it is around 15% slower than the excessively complex SSSE2/AVX version that is also generated by the same script (a SHA-NI version will greatly outperform this and is much cleaner/simpler). ok tb@
* Annotate WTLS7 as being wrongtb2024-12-041-1/+2
| | | | | | | This should really have been using SECP 160R2, not SECP 160R1. Of course this means in particular that nobody ever used this curve, at least not against another implementation than OpenSSL. Quasi-monocultures are poisonous whether the monopolist is benevolent and competent or not.
* Meant to split the sentence in twotb2024-11-301-3/+3
|
* Be a bit more precise on the error conditions of CMS_get1_{certs,crls}()tb2024-11-301-3/+4
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-19 23:42:36 +0000