| Commit message (Collapse) | Author | Files | Lines |
|---|
|
ok beck
|
|
|
|
There is no intention to expose these via public API or to use them in TLS.
For now these will only be used for short-circuiting pointless expensive
computations in DH_check().
ok beck
|
|
The latest release of Scapy calls DH_check() on all the well-known
Diffie-Hellman parameters for RFCs 2409, 3526, and 7919. It does this
via pyca/cryptography at startup. Every single time. This is obviously
very expensive, due to our 64 MR rounds (which are complete overkill
now that we have BPSW). Instead of pondering the ideal number of rounds
for BPSW with FFDH, simply skip the check if the parameter matches a
well-known prime. These are known to be safe primes, so we can skip
those super-expensive and pointless checks without any risk.
This is only done for the public dh->p parameter. It could be further
optimized, but with the follow-up commit adding the RFC 7919 primes this
reduces the startup time to what it was before Scapy 2.7.0: < 1s.
Reverting from 64 MR rounds to BN_check_primes rounds, we would still
have ~8s startup time without this optimization, which isn't great for
an interactive tool.
Clearly, it's not entirely our fault, it's also Scapy and cryptography
that do something ... suboptimal, but I think we're better off if
DH_check() isn't a complete DoS vector. If you're using non-standard
parameters with FFDH, you deserve it.
We could consider adding a flag for non-well-known p and thus making
DH_check() indicate failure for candidate primes larger than, say, 4k.
https://github.com/pyca/cryptography/issues/14048
ok beck kenjiro
|
|
Also has code to check the RFC 7919 primes and run DH_check() once that
knows about these.
|
|
Installed packages will update and pkg_add wycheproof-testvectors will
continue to work.
|
|
|
|
This adds coverage for MLKEM_private_key_from_seed(), which was previously
only minimal teted from our regress.
|
|
New testvectors want some more detailed handling, which brings these
Wycheproof encapsulation tests about on par with our existing tests.
|
|
|
|
|
|
An update to the test vectors adds tests which verifies that the API
correctly rejects some inputs.
|
|
libc call, flockfile() and ftrylockfile() can be called when
single-threaded and then--while 'holding' the lock--the process can
create another thread, resulting in a broken state. Have the
f{lock,trylock,unlock}file() APIs *always* do real locking so the
exposed state is always consistent.
ok dlg@
|
|
This removes some complications due to handling the fast path for affine
points and general points at the same time. The result is a bit more code
but both paths should be much easier to follow.
ok jsing kenjiro
|
|
The prototypes used sized arrays appropriate only for MLKEM768 while the
declarations used pointers. For some reason clang doesn't flag this but
gcc does. In any case it was wrong. The callers of these functions check
that they pass in the correct size. Which is weird but the mlkem directory
has an unbelievable amount of mess and bad code.
found by/ok jsing
|
|
These are flagged by more recent gcc since declarations and definitions
don't match (sized array vs pointer). Also an array was checked for NULL.
found by/ok jsing
|
|
Make life easier for portable by providing LIBRESSL_USE_.*_ASSEMBLY
defines, which enable/disable assembly for a specific algorithm. This
means that selected platforms can include the assembly files and specify
a define, rather than having to try to patch the crypto_arch.h headers.
Discussed with tb@
|
|
Use the same pattern that is now used for most other code - provide
HAVE_MD5_BLOCK_DATA_ORDER and use this to selectively enable source code.
|
|
Use the same pattern that is now used for most other code - provide HAVE_*
defines for functions and use these to selectively enable source code.
|
|
These have not been used for quite some time.
|
|
gas dislikes bare .rodata - add .section before .rodata to make it happier
(LLVM does not care and is happy with either). For consistency, do the same
with .text.
|
|
|
|
|
|
|
|
|
|
|
|
Add missing space after commas, shorten a couple comments in structs,
reflow weirdly wrapped long comments and improve the random line
breaks in typedefs and prototypes.
|
|
|
|
ok kenjiro
|
|
In stack.c r1.34 I converted one 'char *' too many to 'void *', thereby
relying on a gcc/clang extension which interprets the fictional void
type as a type of size 1 (that's what the stack code wants, fortunately).
As pointed out in the link below, -Wpointer-arith would have caught this:
https://gcc.gnu.org/onlinedocs/gcc/Pointer-Arith.html
MSVC flags this as follows:
D:\a\portable\portable\crypto\stack\stack.c(211,23): error C2036: 'const void *': unknown size [D:\a\portable\portable\build\crypto\crypto_obj.vcxproj].
Pull in workaround from the portable repo which undoes the char * -> void *
conversion.
ok jsing millert
|
|
|
|
This converts more macros to C99 initializers. Rename flags and tags
arguments by appending val because they collide with the field names.
The remainder are whitespace changes.
ok kenjiro
|
|
This is a first pass at tidying up the unsightly mess that is asn1t.h.
For better or worse, we have expanded the macros internally, and in base
only rpki-client uses the templates. They are generally rarely used.
Fortunately.
Having C99 initializers helps a lot with debugging templated ASN.1 by
combining cc -E with clang-format. They make the macros more readable,
look tidier and help with grep.
ok kenjiro
|
|
|
|
In asn1t.h r1.18 (commit 9b72422d) I removed the app_items member from
ASN1_ADB and failed to fix up the ASN1_ADB_END() macro that populates
the ASN1_ADB. This means ASN1_ADB_END() tried to initialize one member
too many and would thus cause a compilation failure, so nobody uses this
with LibreSSL. Internally, we have expanded all its uses.
We could leave it broken or fix it up. Take the opportunity to add an
unused adb_cb() argument instead, making the macro invocation compatible
with OpenSSL.
ok jsing kenjiro
|
|
|
|
These are used directly only as part of the ASN.1 item in the same file.
|
|
|
|
no binary change
|
|
A nasty quirk in the bit string handling is that the serialization
produced by i2d_ASN1_BIT_STRING() depends on whether the the magic
ASN1_STRING_FLAG_BITS_LEFT is set.
If ASN1_STRING_FLAG_BITS_LEFT is set, the number of unused bits is
carried in a->flags & 0x07 and the remainder of the bit string is
in a->data. This is terrible and undocumented but handled correctly.
If ASN1_STRING_FLAG_BITS_LEFT is not set, all trailing zero bits are
(intended to be) chopped off with all sorts of hilarious side effects.
I broke this quite thoroughly when I incorrectly ported an overflow
check from BoringSSL in:
https://github.com/openbsd/src/commit/f81cc285d2aed8b36615119a306533696f3eb66c
The result is that we currently return ret = a->length + 1 for both NULL
and non-NULL pp. The calls to asn1_ex_i2c() in asn1_i2d_ex_primitive()
thus report consistent lengths back, making it succeed.
asn1_i2d_ex_primitive() therefore skips a->length + 1 bytes, while
i2c_ASN1_BIT_STRING() only overwrites len + 1 bytes, which are possibly
fewer. So a caller passing in an output buffer containing garbage
(malloc) will get some of that garbage back in the encoding. Further,
i2c_ASN1_BIT_STRING() also advances that pointer by the possibly reduced
len + 1, but that fortunately doesn't matter since that's an effect
local to asn1_ex_i2c(), the only caller of i2c_ASN1_BIT_STRING().
The last bit is that the current behavior may set bogus unused bits
coming from the scanning backward madness. I added such an example in
the parent commit.
The fix is simple: use len after the truncation effect was established,
not the original a->length, turning this commit into what my backport
should have been.
This fixes the two currently failing regress tests, so remove expected
failure marker again.
ok jsing kenjiro
|
|
This is another test that fails due to the bug in i2c_ASN1_BIT_STRING().
|
|
This test fails, so mark the asn1basic test as an expected failure
|
|
There is a bug in i2c_ASN1_BIT_STRING() resulting in nonsense encoding of
some BIT STRINGs with trailing zeroes if ASN1_STRING_FLAG_BITS_LEFT is not
set (a rare corner case). This test currently passes when it shouldn't.
|
|
The /* should not happen */ happens if a->data is all zeroes (where
there used to be an OOB access a few years back), which is a legitimate
BIT STRING, so this is just nonsense.
ok jsing kenjiro
|
|
|
|
|
|
This is another one of these weird magic values that nothing outside
of libcrypto uses. Fix a confusing comment in long_i2c() while there.
The skipping behavior is used in particular for omitting the optional
length value in the non-standard OpenSSL-specific DHparam() ASN.1
encoding.
ok jsing kenjiro
|
|
Register sha3-{224,256,384,512} as dgst commands so they appear in
openssl help. Without this, SHA-3 support is easy to miss and looks
unsupported from the command line.
ok tb jsing
|
|
Remove an unused intermediate EVP_MD pointer and assign digests
directly to cfg.md.
ok tb joel
|
|
The ML-KEM code is doing a pretty poor job at cleaning up secrets it no
longer needs. This commit clears a few stack-based arrays containing
secrets or not obviously public information and stack-based structs
containing pointers to secrets.
ok jsing kenjiro
|
