Commit message | Author | Age | Files | Lines

Formerly used by ASN1_STRING_TABLE_{add,cleanup}() which were removed two
years ago. Annotate why STABLE_NO_MASK stays: as usual, security/xca ends
up being the sole consumer of some nonsense. Apparently it needs its own
reimplementation of ASN1_STRING_set_by_NID(), another removable public API
that should never have been exposed.
ok kenjiro

Contrary to naming, the '"June" MMX version' of gcm_ghash_4bit_mmx() uses
SSE, while the 'pure-MMX "May" version' does not. This detail got missed
when I was untangling OPENSSL_IA32_SSE2.
Found the hard way by Tate Baldwin and Dennis Camera.

All other public APIs call group->meth->... not point->meth->...

This is the only public API that doesn't check for compatibility between
group and point. Add the missing check.
ok jsing kenjiro

The method will currently always be identical since all groups use the
EC_GFp_mont_method(). Use the ec_group_and_point_compatible() check to
ensure this and if both group and point have a nid set, check that they
are identical.
ok jsing kenjiro

Check that a given group and point are reasonably compatible. First see
if they use the same method. Compare nids if both have nid != NID_undef.
ok jsing kenjiro

It is annoying that an EC_POINT does not really know on what EC_GROUP it
lives. Adding a refcount to EC_GROUP is slightly tricky, so instead use
a nid which we will know unless the group was constructed by hand.
ok jsing kenjiro

ok kenjiro

ok kenjiro

This is the last remaining actual use of ASN1_PRINTABLE_type(), which will
go away in the next major bump.
ok kenjiro

ok jsing kenjiro

The only thing CONF_DEBUG has done in ages is defining NDEBUG in a file
that does not contain a single assert. Kill it.
ok jsing kenjiro

What Netscape fucked up just had to be embraced by secure boot and
other nonsense. First OpenSSL wanted to be strict (which we inherited)
then Rich Salz Postel-ized this and made OpenSSL bypass this check by
default and added a flag to be strict 10 years ago.
Now sthen found that PHP 8.5 uses/exposes this flag.
Follows OpenSSL 6b2ebe43 (2016)
ok kenjiro

While the latter is more general in that it also works on ones' complement
architectures, we don't care about that. Adjust documentation and the
only error check for it in libcrypto.
ok deraadt
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PKCS5_pbe_set0_algor() is no longer public, but its parameters are
provided directly via public API, namely the wonderful PKCS8_encrypt()
and PKCS12_pack_p7encdata().
Muppetry abounds. To wit:
If saltlen < 0, the call to ASN1_STRING_set(pbe->salt, NULL, saltlen)
would error. Let's do that up front in a more obvious way. We don't
care about side-effects to pbe->salt since we free it on error anyway.
If saltlen == 0, we default it to PKCS5_PBE1_SALT_LEN. This is
particularly funky in case the caller passed in salt != NULL, in
which case we can only hope and pray this buffer is long enough.
If the caller passed a salt, copy it to pbe->salt via ASN1_STRING_set().
If there's no salt, allocate a buffer of the appropriate length, fill it
with random and transfer ownership to pbe->salt via ASN1_STRING_set0().
There's a change of behavior in that this will not be NUL-terminated
(why should it be?). If we wanted to preserve behavior, we'd just use
calloc(1, saltlen + 1) instead of the malloc().
The exit path is quite special, too, but I didn't want to change this
right now.
tweaks/ok kenjiro

It appears that these were only ever used in bn_test.c...

Almost entirely mechanical diff that ensures that for read-only accesses
we use the const correct ASN1_STRING_get0_data(). Arguably, in most
places the better fix would be to reach into ASN1_STRING but then we
have to think and bikeshed...
ok beck kenjiro

This is a first sweep of reducing the number of terribly named macros
in bn.h. More can go away. Those we need internally go to bn_local.h.
Annoyingly bn_internal.h uses some of them, so it includes bn_local.h
now. This can be cleaned up later.
ok jsing kenjiro

This makes it easier to read and more in line with other code in
libcrypto. Also add a missing error check for the CMS_set_detached()
call.
ok jsing kenjiro

In nref_nos(), nnums must not be freed on error because in the caller it
is not->noticeref->noticenos and hangs off the POLICYQUALINFO qual which
is freed as part of POLICYQUALINFO_free() in the error path.
ok jsing kenjiro

An upcoming change requires the inclusion of asn1_local.h in x509_local.h
which doesn't work due to missing header guards. Add guards to all local
headers that don't have them, although reacharounds and multiple inclusions
are unlikely to occur for most of those.
ok jsing

The ietf has had a bunch of back and forth over what will happen here.
In the end the previously mentioned draft will not include the TLS hybrids,
so we change this to reference the correct draft for TLS, and use the
same name everyone else is using, without an OID.
While we will probably end up needing the *other* hybrids for things like
CMS, we will bring them in when we need them and have official OID values
from IANA.
ok tb@

changes are:
+OISTE Foundation
+ /C=CH/O=OISTE Foundation/CN=OISTE Server Root ECC G1
+ /C=CH/O=OISTE Foundation/CN=OISTE Server Root RSA G1
SwissSign AG
/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
+ /C=CH/O=SwissSign AG/CN=SwissSign RSA TLS Root CA 2022 - 1
TrustAsia Technologies, Inc.
/C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia Global Root CA G3
/C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia Global Root CA G4
+ /C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia TLS ECC Root CA
+ /C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia TLS RSA Root CA

to the right section and mention the value returned
if X509_VERIFY_PARAM_set_hostflags(3) was never called;
OK tb@ kenjiro@

64 bit Windows is a special LLP snowflake and it is currently incorrectly
using 32 bit BN_ULONG, since _LP64 is not defined. Enable 64 bit BN_ULONG
if _LP64 or _WIN64 is defined.
ok tb@

This was the last user of BN_LONG in code. It had no reason to do so.
BN_mod_word() returns a BN_ULONG and since the largest prime in the
small primes table primes[] is well below 20000, the only return value
that could cause 'mod' to be negative was the error sentinel (BN_ULONG)-1.
ok jsing kenjiro

Be specific about width and use uint64_t/uint32_t, rather than using
unsigned int/long/long long, based on platform. Additionally use UINT64_C()
and UINT32_C() for constants, along with PRI*64/PRI*32 for formatting. This
makes the platform responsible for providing the correct types/defines -
all we then need to do is determine if BN should use a 32 bit or 64 bit
configuration.
With input from and ok tb@

(A much bigger problem here is a double free for which I will send
out a diff shortly)
From Niels Dossche

from Niels Dossche

If CMS_EncryptedData_set1_key() fails, cms is leaked.
From Niels Dossche

From Thorsten Blum

ok kenjiro

This is needed by Python 3.14, extending the urllib3 nonsense further.
This is a trivial getter and it is exercised by the libssl unit test
I added for urllib3 (which can now use dynamic linking for libcrypto).
Fixes https://github.com/libressl/portable/issues/1202
Thanks to @orbea for the report.
ok kenjiro
PS: X509_VERIFY_PARAM_get_flags() and X509_VERIFY_PARAM_get_peername()
aren't const correct. Fixing this will require some doing...

This is currently an internal helper only used by a regress test.
We'll have to expose in the public API for Python 3.14:
https://github.com/libressl/portable/issues/1202

To allow binary search for looking up if a cert was revoked in a CRL,
the list of revoked serial numbers is sorted in crl_lookup(). On the
other hand, to be able to output the DER that was actually signed by
the issuer, the original order needs to be remembered.
Before the encoding was cached, there was a mechanism that would restore
the original order on serialization using the .sequence member. This was
done without a lock and was thus racy (hilarity would ensue if one thread
performed a CRL lookup while another thread serialized the same CRL). When
the racy mechanism was removed in 2004, the only reader of .sequence,
X509_REVOKED_seq_cmp(), was also removed, and this piece of dead code was
left behind. Garbage collect it.
ok kenjiro

An incorrect length check can result in a 4-byte overwrite and an
8-byte overread.
From Stanislav Fort and Viktor Dukhovni via OpenSSL.
CVE-2025-9230.
ok jsing

ok jsing