| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
bn_correct_top() is currently a macro and far more complex than it needs
to be - rewrite it as a function.
ok tb@
|
| |
|
|
|
|
|
|
| |
BN_ucmp() is supposed to return -1/0/1 on a < b, a == b and a > b, however
it currently returns other negative and positive values when the top of
a and b differ. Correct this.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
For various historical reasons, there are a number of cases where our
BIO_read() and BIO_write() return slightly different values to what
OpenSSL 3.x does (of course OpenSSL 1.0 differs from OpenSSL 1.1 which
differs from OpenSSL 3.x). Mostly align these - some further work will be
needed.
Issue raised by tb@ who also wrote some test code.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
X509_verify_cert_error_string() is now thread safe as it no longer returns
a static buffer. Document X509_V_ERR_UNSPECIFIED. Stop asserting that the
X509_V_ERR_CERT_CHAIN_TOO_LONG code is unused, the new verifier can set it.
Add commented versions of various missing error codes in the proper spots
and move X509_V_ERR_UNNESTED_RESOURCE where it belongs.
prompted by claudio
|
| | |
|
| | |
|
| |
|
|
|
| |
No need for errno, stdio, time, asn1, buffer, evp, lhash, objects, x509
for a switch containing string constants. We do need x509_vfy instead.
|
| | |
|
| |
|
|
| |
Requested by claudio
|
| |
|
|
|
|
|
| |
Stop returning a pointer to a static buffer containing the error code on
unknown error. While this might be helpful, it's not going to end well.
ok beck claudio jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
While BIO chains are doubly linked lists, nothing has ever made use of this
fact internally. Even libssl has failed to maintain prev_bio properly in
two places for a long time. When BIO was made opaque, the opportunity to
fix that was missed. Instead, BIO_set_next() now allows breaking the lists
from outside the library, which freerdp has long done.
Problem found by schwarze while trying to document BIO_set_next().
schwarze likes the idea
ok jsing
|
| |
|
|
|
|
|
|
|
| |
When called from v2i, hostpart in x509_constraints_uri_host() is NULL, so
add a NULL check before storing the strdup result in it.
From Anton Borowka
ok jsing miod
|
| |
|
|
|
| |
Merge the documentation from the OpenSSL 1.1.1 branch, which is still
under a free license, tweaked by me.
|
| |
|
|
|
| |
Not all of them, only those that didn't leak into a public header...
Yes.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Compiling with BN_DEBUG (and if you want to take it further, BN_DEBUG_RAND)
supposedly adds consistency checks to the BN code. These are rarely if ever
used and introduce a bunch of clutter in the code. Furthermore, there are
hacks in place to undo things that the debugging code does.
Remove all of this mess and instead rely on always enabled checks, more
readable code and proper regress coverage to ensure correct behaviour.
"Good riddance." tb@
|
| | |
|
| |
|
|
| |
Document it.
|
| |
|
|
|
|
|
|
|
|
| |
Remove many statements that are no longer true after tb@, in July,
massively improved the algorithms used by these functions
and also did some cleanup of the interface. Instead, explain
many aspects that were missing. Also use more descriptive argument
names, drop some redundancy, and improve ordering in various respects.
Feedback and enthusiastic OK from tb@.
|
| |
|
|
| |
suggested by jsing
|
| |
|
|
|
|
|
|
| |
If y_bit is set for a zero y, something is wrong and we can error directly.
No need to run the non-trivial BN_kronecker() to check if BN_mod_sqrt()
lied or not, only to set a more specific error code.
ok jsing
|
| |
|
|
|
|
|
| |
Remove obvious comments, wrap long lines and general KNF cleanup. Format
and rephrase the more important comments.
Discussed with jsing
|
| |
|
|
|
|
|
|
|
| |
Currently bn_expand()/bn_wexpand() return a BIGNUM *, however none of the
callers use this (and many already treat it as a true/false value).
Change these functions to return 0 on failure and 1 on success, revising
callers that test against NULL in the process.
ok tb@
|
| |
|
|
|
|
|
| |
The current code manually calculates words from bits and then calls
bn_wexpand() - call bn_expand() with bits instead.
ok tb@
|
| |
|
|
|
|
|
|
| |
When ecx_key_set_{priv,pub}() fails, ecx_key is leaked.
CID 377014
From jsing
|
| |
|
|
|
|
|
|
| |
We want to copy the tls_content_cbs() into the cbs, not the other way around
CID 377013
ok jsing
|
| |
|
|
|
|
|
| |
This also fixes a bug in BN_MONT_CTX_set(), where the sizeof(BN_ULONG) in
the call to bn_expand() was not multiplied by eight (to get bits).
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
Any sensible compiler will likely inline this anyway (and even if it does
not, one extra function call/return is the least of the performance
overhead for this code).
ok tb@
|
| |
|
|
|
|
| |
No functional change.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
The BN_set_params()/BN_get_params() and associated unused variables are
meant to be in this block, not things like BN_new() and BN_free().
ok tb@
|
| |
|
|
|
|
| |
These now come directly via bn_lcl.h.
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
This rename was done before commit, but one instance was missed since it
was hidden behind #ifdef SMALL_TIME_T.
Spotted by Android CI.
|
| |
|
|
|
| |
This was fixed by Eric A. Young in "a C2Net version of SSLeay" and
committed to OpenSSL by Mark J. Cox in January 1999 (OpenSSL a0a54079).
|
| | |
|
| |
|
|
|
|
| |
We don't install this page, but it might possibly still help developers
working on internals of the BN library, so i'm not in a hurry to cvs rm
this file.
|
| |
|
|
|
|
|
|
|
|
|
| |
and BN_BITS2 (below RETURN VALUES).
While here, perform major reordering and rewriting
for precision and readability, in particular:
- Avoid misleading wordings like "size of a BIGNUM".
- Drop the trivial example.
- Move the pointers to RSA_size(3) and friends to CAVEATS.
- Stop recommending 8*BN_num_bytes() in this context because it is wrong, too.
|
| |
|
|
|
|
|
|
|
| |
bn_print.c r1.29 added length checks to avoid overflowing the BIGNUM.
If these checks are hit in length-only mode, i.e., bn is NULL, the
error path dereferences bn. Change goto err to an early return to
avoid this.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All other wrappers in the same file that use a temporary array of
degrees size that array dynamically, such that they are able to
handle reducing polynomials of arbitrary lengths. BN_GF2m_mod(3)
was the only one that used a static array of size 6 instead, limiting
it to trinomials and pentanomials and causing it to fail for longer
reducing polynomials.
Make this more uniform and less surprising by using exactly the
same code as in all the other wrappers, such that BN_GF2m_mod(3)
works with reducing polynomials of arbitrary length, too, just like
the others.
Again, tb@ points out this quirk is very unlikely to cause
vulnerabilities in practice because cryptographic applications do
not use longer reducing polynomials.
This patch is not expected to significantly impact performance
because the relevant caller, BN_GF2m_mod_div(3), already uses dynamic
allocation via BN_GF2m_mod_mul(3).
OK tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the last argument, the size of the output array, is too small to
contain all degrees present in the input polynomial plus one for the
terminating -1, the function is documented to return the size of the
output array that would be needed (in comments in the source code, in
the new manual page, and by the way how the function is used by other
functions in the same file). However, in case of overflow, the existing
code failed to include the element needed for the terminating -1 in the
return value, wrongly indicating success if everything but the -1 did
fit and reporting failure with a size that was still too small otherwise.
According to tb@, this is very unlikely to cause vulnerabilities in
practical applications because there is no real reason to pick a
reducing polynomial longer than a pentanomial, because all known
callers use either fixed size arrays of size 6 or dynamic allocation,
because use of GF(2^m) is rare in practice, and GF(2^m) with custom
reducing polynomials even more so.
OK tb@
|
| |
|
|
|
| |
It was placed and formatted weirdly. Fix the title of the book referenced
and complete the reference's information.
|
| |
|
|
|
|
|
|
|
|
| |
Since DSA_sign() and DSA_verify() ignore their type argument, don't bother
to determine it here. Check all size_t for overflow before passing them as
int arguments. Follow OpenSSL and add a check to see if the tbs blob's
length matches the one of the md, in case it is set on the EVP_PKEY_CTX.
Fix return value check of DSA_sign().
ok jsing
|
