| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
These have not been used for quite some time.
|
| |
|
|
|
|
| |
gas dislikes bare .rodata - add .section before .rodata to make it happier
(LLVM does not care and is happy with either). For consistency, do the same
with .text.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Add missing space after commas, shorten a couple comments in structs,
reflow weirdly wrapped long comments and improve the random line
breaks in typedefs and prototypes.
|
| | |
|
| |
|
|
| |
ok kenjiro
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In stack.c r1.34 I converted one 'char *' too many to 'void *', thereby
relying on a gcc/clang extension which interprets the fictional void
type as a type of size 1 (that's what the stack code wants, fortunately).
As pointed out in the link below, -Wpointer-arith would have caught this:
https://gcc.gnu.org/onlinedocs/gcc/Pointer-Arith.html
MSVC flags this as follows:
D:\a\portable\portable\crypto\stack\stack.c(211,23): error C2036: 'const void *': unknown size [D:\a\portable\portable\build\crypto\crypto_obj.vcxproj].
Pull in workaround from the portable repo which undoes the char * -> void *
conversion.
ok jsing millert
|
| | |
|
| |
|
|
|
|
|
|
| |
This converts more macros to C99 initializers. Rename flags and tags
arguments by appending val because they collide with the field names.
The remainder are whitespace changes.
ok kenjiro
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a first pass at tidying up the unsightly mess that is asn1t.h.
For better or worse, we have expanded the macros internally, and in base
only rpki-client uses the templates. They are generally rarely used.
Fortunately.
Having C99 initializers helps a lot with debugging templated ASN.1 by
combining cc -E with clang-format. They make the macros more readable,
look tidier and help with grep.
ok kenjiro
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In asn1t.h r1.18 (commit 9b72422d) I removed the app_items member from
ASN1_ADB and failed to fix up the ASN1_ADB_END() macro that populates
the ASN1_ADB. This means ASN1_ADB_END() tried to initialize one member
too many and would thus cause a compilation failure, so nobody uses this
with LibreSSL. Internally, we have expanded all its uses.
We could leave it broken or fix it up. Take the opportunity to add an
unused adb_cb() argument instead, making the macro invocation compatible
with OpenSSL.
ok jsing kenjiro
|
| | |
|
| |
|
|
| |
These are used directly only as part of the ASN.1 item in the same file.
|
| |
|
|
| |
no binary change
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A nasty quirk in the bit string handling is that the serialization
produced by i2d_ASN1_BIT_STRING() depends on whether the the magic
ASN1_STRING_FLAG_BITS_LEFT is set.
If ASN1_STRING_FLAG_BITS_LEFT is set, the number of unused bits is
carried in a->flags & 0x07 and the remainder of the bit string is
in a->data. This is terrible and undocumented but handled correctly.
If ASN1_STRING_FLAG_BITS_LEFT is not set, all trailing zero bits are
(intended to be) chopped off with all sorts of hilarious side effects.
I broke this quite thoroughly when I incorrectly ported an overflow
check from BoringSSL in:
https://github.com/openbsd/src/commit/f81cc285d2aed8b36615119a306533696f3eb66c
The result is that we currently return ret = a->length + 1 for both NULL
and non-NULL pp. The calls to asn1_ex_i2c() in asn1_i2d_ex_primitive()
thus report consistent lengths back, making it succeed.
asn1_i2d_ex_primitive() therefore skips a->length + 1 bytes, while
i2c_ASN1_BIT_STRING() only overwrites len + 1 bytes, which are possibly
fewer. So a caller passing in an output buffer containing garbage
(malloc) will get some of that garbage back in the encoding. Further,
i2c_ASN1_BIT_STRING() also advances that pointer by the possibly reduced
len + 1, but that fortunately doesn't matter since that's an effect
local to asn1_ex_i2c(), the only caller of i2c_ASN1_BIT_STRING().
The last bit is that the current behavior may set bogus unused bits
coming from the scanning backward madness. I added such an example in
the parent commit.
The fix is simple: use len after the truncation effect was established,
not the original a->length, turning this commit into what my backport
should have been.
This fixes the two currently failing regress tests, so remove expected
failure marker again.
ok jsing kenjiro
|
| |
|
|
|
|
|
|
| |
The /* should not happen */ happens if a->data is all zeroes (where
there used to be an OOB access a few years back), which is a legitimate
BIT STRING, so this is just nonsense.
ok jsing kenjiro
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This is another one of these weird magic values that nothing outside
of libcrypto uses. Fix a confusing comment in long_i2c() while there.
The skipping behavior is used in particular for omitting the optional
length value in the non-standard OpenSSL-specific DHparam() ASN.1
encoding.
ok jsing kenjiro
|
| |
|
|
|
|
|
|
|
| |
The ML-KEM code is doing a pretty poor job at cleaning up secrets it no
longer needs. This commit clears a few stack-based arrays containing
secrets or not obviously public information and stack-based structs
containing pointers to secrets.
ok jsing kenjiro
|
| |
|
|
|
|
|
|
|
| |
RANK768 and RANK1024 are awfully short and generic names for public
constants. Before we make it worse with similarly named constants for
ML-DSA, let's fix this. This follows the naming convention used by the
other macros in the mlkem code.
ok kenjiro jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Formerly used by ASN1_STRING_TABLE_{add,cleanup}() which were removed two
years ago. Annotate why STABLE_NO_MASK stays: as usual, security/xca ends
up being the sole consumer of some nonsense. Apparently it needs its own
reimplementation of ASN1_STRING_set_by_NID(), another removable public API
that should never have been exposed.
ok kenjiro
|
| |
|
|
|
|
|
|
| |
Contrary to naming, the '"June" MMX version' of gcm_ghash_4bit_mmx() uses
SSE, while the 'pure-MMX "May" version' does not. This detail got missed
when I was untangling OPENSSL_IA32_SSE2.
Found the hard way by Tate Baldwin and Dennis Camera.
|
| | |
|
| |
|
|
| |
All other public APIs call group->meth->... not point->meth->...
|
| |
|
|
|
|
|
| |
This is the only public API that doesn't check for compatibility between
group and point. Add the missing check.
ok jsing kenjiro
|
| |
|
|
|
|
|
|
|
| |
The method will currently always be identical since all groups use the
EC_GFp_mont_method(). Use the ec_group_and_point_compatible() check to
ensure this and if both group and point have a nid set, check that they
are identical.
ok jsing kenjiro
|
| |
|
|
|
|
|
| |
Check that a given group and point are reasonably compatible. First see
if they use the same method. Compare nids if both have nid != NID_undef.
ok jsing kenjiro
|
| |
|
|
|
|
|
|
| |
It is annoying that an EC_POINT does not really know on what EC_GROUP it
lives. Adding a refcount to EC_GROUP is slightly tricky, so instead use
a nid which we will know unless the group was constructed by hand.
ok jsing kenjiro
|
| | |
|
| | |
|
| |
|
|
| |
ok kenjiro
|
| |
|
|
| |
ok kenjiro
|
| |
|
|
|
|
|
| |
This is the last remaining actual use of ASN1_PRINTABLE_type(), which will
go away in the next major bump.
ok kenjiro
|
| |
|
|
| |
ok jsing kenjiro
|
| |
|
|
|
|
|
| |
The only thing CONF_DEBUG has done in ages is defining NDEBUG in a file
that does not contain a single assert. Kill it.
ok jsing kenjiro
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
What Netscape fucked up just had to be embraced by secure boot and
other nonsense. First OpenSSL wanted to be strict (which we inherited)
then Rich Salz Postel-ized this and made OpenSSL bypass this check by
default and added a flag to be strict 10 years ago.
Now sthen found that PHP 8.5 uses/exposes this flag.
Follows OpenSSL 6b2ebe43 (2016)
ok kenjiro
|
| |
|
|
|
|
|
|
| |
While the latter is more general in that it also works on 1-complement
achitectures, we don't care about that. Adjust documentation and the
only error check for it in libcrypto.
ok deraadt
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PKCS5_pbe_set0_algor() is no longer public, but its parameters are
provided directly via public API, namely the wonderful PKCS8_encrypt()
and PKCS12_pack_p7encdata().
Muppetry abounds. To wit:
If saltlen < 0, the call to ASN1_STRING_set(pbe->salt, NULL, saltlen)
would error. Let's do that up front in a more obvious way. We don't
care about side-effects to pbe->salt since we free it on error anyway.
If saltlen == 0, we default it to PKCS5_PBE1_SALT_LEN. This is
particularly funky in case the caller passed in salt != NULL, in
which case we can only hope and pray this buffer is long enough.
If the caller passed a salt, copy it to pbe->salt via ASN1_STRING_set().
If there's no salt, allocate a buffer of the appropriate length, fill it
with random and transfer ownership to pbe->salt via ASN1_STRING_set0().
There's a change of behavior in that this will not be NUL-terminated
(why should it be?). If we wanted to preserve behavior, we'd just use
calloc(1, saltlen + 1) instead of the malloc().
The exit path is quite special, too, but I didn't want to change this
right now.
tweaks/ok kenjiro
|
