summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Reorder functions.jsing2023-05-281-214/+214
| | | | No intended functional change.
* Clean up includes.jsing2023-05-281-6/+5
|
* Remove now unnecessary do {} while(0);jsing2023-05-281-3/+1
|
* Inline HASH_MAKE_STRING for SHA256.jsing2023-05-281-34/+37
| | | | No change to generated assembly.
* Rewrite BN_{asc,dec,hex}2bn() using CBS.jsing2023-05-281-123/+224
| | | | | | | | | | | This gives us more readable and safer code. There are two intentional changes to behaviour - firstly, all three functions zero any BN that was passed in, prior to doing any further processing. This means that a passed BN is always in a known state, regardless of what happens later. Secondly, BN_asc2bn() now fails on NULL input, rather than crashing. This brings its behaviour inline with BN_dec2bn() and BN_hex2bn(). ok tb@
* correct comment, spotted by tb@beck2023-05-281-4/+4
|
* Refactor tls_check_common_name to use lower level API.beck2023-05-281-12/+47
| | | | | | | | | | | | | | | | | | | | X509_NAME_get_text_by_NID is kind of a bad interface that we wish to make safer, and does not give us the visibility we really want here to detect hostile things. Instead call the lower level functions to do some better checking that should be done by X509_NAME_get_text_by_NID, but is not in the OpenSSL version. Specifically we will treat the input as hostile and fail if: 1) The certificate contains more than one CN in the subject. 2) The CN does not decode as UTF-8 3) The CN is of invalid length (must be between 1 and 64 bytes) 4) The CN contains a 0 byte 4) matches the existing logic, 1 and 2, and 3 are new checks. ok tb@
* Merge X509_VERIFY_PARAM_ID into X509_VERIFY_PARAMtb2023-05-284-110/+73
| | | | | | | | | | Back in the day when essentially every struct was open to all applications, X509_VERIFY_PARAM_ID provided a modicum of opacity. This indirection is now no longer needed with X509_VERIFY_PARAM being opaque itself, so stop using X509_VERIFY_PARAM_ID and merge it into X509_VERIFY_PARAM. This is a first small step towards cleaning up the X509_VERIFY_PARAM mess. ok jsing
* Implement SHA256_{Update,Transform,Final}() directly in sha256.c.jsing2023-05-271-4/+103
| | | | | | | | | | m32_common.h is a typical OpenSSL macro horror show - copy the update, transform and final functions from md32_common.h, manually expanding the macros for SHA256. This will allow for further clean up to occur. No change in generated assembly. ok beck@ tb@
* Add HASH_NO_UPDATE and HASH_NO_TRANSFORM to md32_common.hjsing2023-05-271-5/+7
| | | | | | | This makes it possible to still use minimal parts of md32_common.h, while disabling the update and transform functions. ok beck@ tb@
* Bump LibreSSL versionlibressl-v3.8.0tb2023-05-271-3/+3
|
* Clean up alignment handling for SHA-512.jsing2023-05-272-80/+96
| | | | | | | | | | | This recommits r1.37 of sha512.c, however uses uint8_t * instead of void * for the crypto_load_* functions and primarily uses const uint8_t * to track input, only casting to const SHA_LONG64 * once we know that it is suitably aligned. This prevents the compiler from implying alignment based on type. Tested by tb@ and deraadt@ on platforms with gcc and strict alignment. ok tb@
* Remove malloc interposition, a workaround that was once needed for emacsotto2023-05-271-7/+7
| | | | ok guenther@
* Move verified_chain from SSL to SSL_HANDSHAKEtb2023-05-264-14/+17
| | | | | | | | This is a better version of the fix for the missing pointer invalidation but a bit larger, so errata got the minimal fix. tested by jcs ok jsing
* Forcibly update the EVP_PKEY's internal keyop2023-05-251-13/+25
| | | | | | | | | | | | | | | | | | | | | | | | To aid privilege separation, libtls maintains application-specific data on the key inside the EVP_PKEY abstraction because the EVP API doesn't provide a way to do that on the EVP_PKEY itself. OpenSSL 3 changed behavior of EVP_PKEY_get1_RSA() and related functions. These now return a struct from some cache. Thus, modifying the RSA will no longer modify the EVP_PKEY like it did previously, which was clearly implied to be the case in the older documentation. This is a subtle breaking change that affects several applications. While this is documented, no real solution is provided. The transition plan from one OpenSSL major version to the next one tends to involve many #ifdef in the ecosystem, and the only suggestion provided by the new documentation is to switch to a completely unrelated, new API. Instead, forcibly reset the internal key on EVP_PKEY after modification, this way the change is picked up also by OpenSSL 3. Fixes issue 1171 in OpenSMTPD-portable ok tb@, jsing@
* Update X509_VERIFY_PARAM_inherit() to reflect the change of behaviortb2023-05-241-9/+6
| | | | in x509_vpm.c r1.39.
* Copy the verify param hostflags independently of the host listtb2023-05-241-3/+4
| | | | | | | | | | | | | | | | Without this, hostflags set on the SSL_CTX would not propagate to newly created SSL. This is surprising behavior that was changed in OpenSSL 1.1 by Christian Heimes after the issue was flagged by Quentin Pradet: https://bugs.python.org/issue43522 This is a version of the fix that landed in OpenSSL. There used to be a workaround in place in urllib3, but that was removed at some point. We haven't fixed this earlier since it wasn't reported. It only showed up after recent fallout of extraordinarily strict library checking in urllib3 coming from their own interpretation of the implications of PEP 644. ok jsing
* Provide X509_VERIFY_PARAM_set_hostflags()tb2023-05-241-1/+8
| | | | | | | | This is needed for an upcoming regress test that needs to access the hostflag. This is public API in OpenSSL but since nothing seems to be using this, this accessor will be kept internal-only for the time being. ok jsing
* Simplify OBJ_obj2txt()tb2023-05-232-8/+5
| | | | | | | | | | Instead of adding a NUL termination to OBJ_obj2txt(), move the aobj == NULL or aobj->data == NULL checks to i2t_ASN1_OBJECT_internal(). The only other caller, i2t_ASN1_OBJECT(), fails on aobj == NULL and aobj->length == 0, and the latter condition is implied by aobj->data. Cleaner solution for obj_dat.c r1.52 suggested by/ok jsing
* Always NUL terminate buf in OBJ_obj2txt()tb2023-05-231-1/+4
| | | | | | | | | | | OBJ_obj2txt() is often called without error checking and is used for reporting unexpected or malformed objects. As such, we should ensure buf is a string even on failure. This had long been the case before it was lost in a recent rewrite. If obj and obj->data are both non-NULL this is already taken care of by i2t_ASN1_OBJECT_internal(), so many callers were still safe. ok miod
* cms_asn1.c: zap stray tabstb2023-05-231-8/+1
|
* Remove misplaced semicolons in .Fatb2023-05-222-6/+6
|
* Add missing rsa_security_bit() handler to the RSA-PSS ASN1_METHODtb2023-05-191-1/+2
| | | | | | Prompted by a report by Steffen Ullrich on libressl@openbsd.org ok jsing
* backout alignment changes (breaking at least two architectures)deraadt2023-05-194-100/+89
|
* Add PROTO_NORMAL() declarations for the remaining syscalls, to avoidguenther2023-05-181-4/+1
| | | | | | | | future, inadvertant PLT entries. Move the __getcwd and __realpath declarations to hidden/{stdlib,unistd}.h to consolidate and remove duplication. ok tb@ otto@ deraadt@
* Use crypto_internal.h's CTASSERT()tb2023-05-172-8/+5
| | | | | | | Now that this macro is available in a header, let's use that version rather than copies in several .c files. discussed with jsing
* Clean up alignment handling for SHA-512.jsing2023-05-172-81/+95
| | | | | | | | | | | | | | | | | | All assembly implementations are required to perform their own alignment handling. In the case of the C implementation, on strict alignment platforms, unaligned data will be copied into an aligned buffer. However, most platforms then perform byte-by-byte reads (via the PULL64 macros). Instead, remove SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA and alignment handling to sha512_block_data_order() - if the data is aligned then simply perform 64 bit loads and then do endian conversion via be64toh(). If the data is unaligned then use memcpy() and be64toh() (in the form of crypto_load_be64toh()). Overall this reduces complexity and can improve performance (on aarch64 we get a ~10% performance gain with aligned input and about ~1-2% gain on armv7), while the same movq/bswapq is generated for amd64 and movl/bswapl for i386. ok tb@
* add missing pointer invalidationjcs2023-05-161-1/+2
| | | | ok tb
* Clean up SHA-512 input handling and round macros.jsing2023-05-161-47/+49
| | | | | | | | | | | Avoid reach around and initialisation outside of the macro, cleaning up the call sites to remove the initialisation. Use a T2 variable to more closely follow the documented algorithm and remove the gorgeous compound statement X = Y += A + B + C. There is no change to the clang generated assembly on aarch64. ok tb@
* Rename arguments of X509_STORE_CTX_init()tb2023-05-141-5/+5
| | | | | | | | | | It is higly confusing to call the list of untrusted certs chain, when you're later going to call X509_STORE_CTX_get0_chain() to get a completely unrelated chain by the verifier. Other X509_STORE_CTX APIs call this list of certs 'untrusted', so go with that. At the same time, rename the x509 into leaf, which is more explicit. suggested by/ok jsing
* Fix X509error() and X509V3error()tb2023-05-141-6/+11
| | | | | | | | | | | | | | | When v3err.c was merged into x509_err.c nearly three years ago, it was overlooked that the code needed two distinct pairs of ERR_FUNC/ERR_REASON, one for ERR_LIB_X509 and one for ERR_LIB_X509V3. The result is that the reason strings for the X509_R_* codes would be overwritten by the ones for X509V3_R_* with the same value while the reason strings for all X509V3_R_* would be left undefined. Fix this by an #undef/#define dance for ERR_LIB_X509V3 once we no longer the ERR_FUNC/ERR_REASON pair for ERR_LIB_X509. reported by job ok jsing
* Send the linebuffer BIO to the attictb2023-05-141-377/+0
| | | | | | | | | | | | | | | | | | | | | *) On VMS, stdout may very well lead to a file that is written to in a record-oriented fashion. That means that every write() will write a separate record, which will be read separately by the programs trying to read from it. This can be very confusing. The solution is to put a BIO filter in the way that will buffer text until a linefeed is reached, and then write everything a line at a time, so every record written will be an actual line, not chunks of lines and not (usually doesn't happen, but I've seen it once) several lines in one record. BIO_f_linebuffer() is the answer. Currently, it's a VMS-only method, because that's where it has been tested well enough. [Richard Levitte] Yeah, no, we don't care about any of this and haven't compiled this file since forever. Looks like tedu's chainsaw got blunt at some point...
* Fix another mandoc -Tlint warningtb2023-05-141-3/+5
| | | | | With this the only -Tlint warnings are about Xr to undocumented functions: EVP_CIPHER_CTX_copy, EVP_CIPHER_CTX_get_cipher_data, X509V3_EXT_get_nid.
* Rephrase a sentence slightly to apease mandoc -Tlinttb2023-05-141-3/+5
|
* Fix Xr as BN_is_prime(3) is in the attictb2023-05-141-3/+3
|
* Zap trailing commatb2023-05-141-2/+2
|
* X509_policy_tree_level_count(3) is gonetb2023-05-141-3/+2
|
* add missing #include <string.h>; ok tb@op2023-05-148-8/+18
|
* Bob points out that one error should be an X509V3error()tb2023-05-121-2/+2
|
* x509_utl.c: fix some style nits.tb2023-05-121-4/+3
|
* Rewrite string_to_hex() and hex_to_string() using CBB/CBStb2023-05-121-70/+124
| | | | | | | | | | | These helpers used to contain messy pointer bashing some with weird logic for NUL termination. This can be written more safely and cleanly using CBB/CBS, so do that. The result is nearly but not entirely identical to code used elsewhere due to some strange semantics. Apart from errors pushed on the stack due to out-of-memory conditions, care was taken to preserve error codes. ok jsing
* Reduce the number of SHA-512 C implementations from three to one.jsing2023-05-121-134/+1
| | | | | | | | | | | | | | | | | We currently have three C implementations for SHA-512 - a version that is optimised for CPUs with minimal registers (specifically i386), a regular implementation and a semi-unrolled implementation. Testing on a ~15 year old i386 CPU, the fastest version is actually the semi-unrolled version (not to mention that we still currently have an i586 assembly implementation that is used on i386 instead...). More decent architectures do not seem to care between the regular and semi-unrolled version, presumably since they are effectively doing the same thing in hardware during execution. Remove all except the semi-unrolled version. ok tb@
* primility -> primalityjsg2023-05-121-3/+3
| | | | ok tb@
* Be a bit more precise on how s2i_ASN1_OCTET_STRING handles colonstb2023-05-121-5/+6
|
* tls_verify.c: give up on variable alignment in this filetb2023-05-111-6/+6
| | | | | | The previous commit resulted in misalignment, which impacts my OCD worse than no alignment at all. Alignment wasn't consistently done in this file anyway. op tells me it won't affect current efforts in reducing the diff.
* Document recent changes in primality testingtb2023-05-111-8/+23
| | | | With input from beck and jsing
* Use is_pseudoprime instead of is_prime in bn_bpsw.ctb2023-05-101-30/+33
| | | | | | | This is more accurate and improves readability a bit. Apart from a comment tweak this is sed + knfmt (which resulted in four wrapped lines). Discussed with beck and jsing
* switch two ASN1_STRING_data() to ASN1_STRING_get0_data()op2023-05-101-5/+5
| | | | | | | | | and while here mark as const data. This diff is actually from gilles@, in OpenSMTPD-portable bundled libtls. ok tb@, jsing@
* Add Miller-Rabin test for random bases to BPSWtb2023-05-103-33/+130
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The behavior of the BPSW primality test for numbers > 2^64 is not very well understood. While there is no known composite that passes the test, there are heuristics that indicate that there are likely infinitely many. Therefore it seems appropriate to harden the test. Having a settable number of MR rounds before doing a version of BPSW is also the approach taken by Go's primality check in math/big. This adds a new implementation of the old MR test that runs before running the strong Lucas test. I like to imagine that it's slightly cleaner code. We're effectively at about twice the cost of what we had a year ago. In addition, it adds some non-determinism in case there actually are false positives for the BPSW test. The implementation is straightforward. It could easily be tweaked to use the additional gcds in the "enhanced" MR test of FIPS 186-5, but as long as we are only going to throw away the additional info, that's not worth much. This is a first step towards incorporating some of the considerations in "A performant misuse-resistant API for Primality Testing" by Massimo and Paterson. Further work will happen in tree. In particular, there are plans to crank the number of Miller-Rabin tests considerably so as to have a guaranteed baseline. The manual will be updated shortly. positive feedback beck ok jsing
* As mmap(2) is no longer a LOCK syscall, do away with the extraotto2023-05-101-23/+1
| | | | | unlock-lock dance it serves no real purpose any more. Confirmed by a small performance increase in tests. ok @tb
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-12 08:38:49 +0000