summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
* sync with Mozilla root CA store, ok tb@sthen2026-03-181-174/+42
| | | | | | | | - remove CommScope CA (they requested it themselves; https://bugzilla.mozilla.org/show_bug.cgi?id=1994866) - add new cert: /C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno TLS Root CA 2023
* libcrypto: prefix EC_KEY methods with ec_key_tb2026-03-185-100/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We received reports that the too generic internal ecdsa_{sign,verify}() symbol names clash in some static links. The naming here is annoying because the EC_KEY_METHOD amalgamated the no longer existing ECDH and ECDSA methods which themselves had poorly chosen method names, still reflected in public API. There are various messes here. The ECDSA verify methods are declared in ec_local.h, whereas the ECDSA sign methods are in ecdsa_local.h (which is itself pretty useless and really only about EC_KEY_METHOD). I therefore merged the ECDSA method declarations into ec_local.h and deleted ecdsa_local.h since I see no real benefit to the latter. ecdsa.c needs ec_local.h anyway. Having the method declarations next to EC_KEY_METHOD seems sensible. I left the order as it was, matching ecdsa.c. The eckey_compute_pubkey() prototype should probably be moved down. With one exception I just added an ec_key_ prefix. This leads to a a repetition of 'key' in ec_key_ecdh_compute_key() which I chose to live with because it matches the public ECDH_compute_key() (mostly used by SSH implementations). The exception is ec_key_generate_key() where I expanded the gen() leading to another _key repetition but this then matches EC_KEY_generate_key(). Thanks to Rosen Penev for reporting and sending an initial diff. See also https://github.com/gsliepen/tinc/issues/478 ok jsing
* Move ECDSA_SIG_st definition to its only consumer, ecdsa.ctb2026-03-162-7/+7
|
* Fix BIO_get_mem_data(3) return value documentationtb2026-03-101-3/+18
| | | | pointed out by/ok dlg
* use the "e" flag with fopen() for O_CLOEXEC; ok tbderaadt2026-03-101-3/+3
|
* use O_CLOEXEC; ok tbderaadt2026-03-103-6/+6
|
* Use __pledge_open(2) for files that libc urgently needs even in lowerderaadt2026-03-102-10/+29
| | | | | | | | promise levels. You must be running a kernel at least 4 days old. Soon, another commit will happen that breaks compatibility even further, and you'll need new static binaries and new libc.so, along with a new kernel. This removes an old pledge design decision which is weak. Long discussions with david leadbeater and beck
* mlkem: use timingsafe_memcmp() in decapsulationkenjiro2026-03-061-2/+2
| | | | | | | | | | Replace memcmp() with timingsafe_memcmp() when comparing the re-encrypted ciphertext. FIPS 203 Section 6.3 defines this comparison result as a secret piece of intermediate data that must not be revealed in any form. ok tb
* a_bitstr.c: fix includestb2026-02-081-3/+5
|
* More ec_point_cmp() turd polishingtb2026-02-081-45/+46
| | | | | | | | jsing prefers doing all computations first and comparing at the end. This means we do more work when we fail and no longer (ab)use err as an out label. Also split out one more helper. ok jsing
* Make truncation in ASN1_BIT_STRING_set_bit() explicittb2026-02-081-9/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of relying on i2c_ASN1_BIT_STRING() to determine the "unused" bits on encoding, set them explicitly in abs->flags via a call to asn1_abs_set_unused_bits(). This means ASN1_STRING_FLAGS_BITS_LEFT is now set on a bit string, which was previously explicitly cleared. This also means that the encoding of a non-zero ASN1_BIT_STRING populated by setting the bits individually will now go through the if (a->flags & ASN1_STRING_FLAG_BITS_LEFT) path in i2c_ASN1_BIT_STRING(). The most prominent usage of this function is in X.509 for the keyUsage extension or the CRL reason codes. There's also the NS cert type, TS PKIFailureInfo and general BITLIST config strings. The reason for the truncation logic comes from the DER for NamedBitLists X.690, 11.2.2 below: X.680, 22.7: When a "NamedBitList" is used in defining a bitstring type ASN.1 encoding rules are free to add (or remove) arbitrarily any trailing 0 bits to (or from) values that are being encoded or decoded. Application designers should therefore ensure that different semantics are not associated with such values which differ only in the number of trailing 0 bits. X.690, 11.2.2 Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 22.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded. Note 1 - In the case where a size constraint has been applied, the abstract value delivered by a decoder to the application will be one of those satisfying the size constraint and differing from the transmitted value only in the number of trailing zero bits. Note 2 - If a bitstring value has no 1 bits, then an encoder shall encode the value with a length of 1 and an initial octet set to 0. ok kenjiro (on an earlier version) jsing
* replace buggy strncmp with strcmp found with clang-tidybcook2026-02-071-2/+2
| | | | | | Found the same fix from davidben in BoringSSL as well (https://boringssl-review.googlesource.com/c/boringssl/+/87927). OpenSSL appears to have accidentally changed the semantics here with the HAS_PREFIX macro, which appears to be incorrect. discussed w/ tb@ & beck@
* EVP_SealInit.3: fix RETURN VALUES sectiontb2026-01-301-2/+12
| | | | | | | | | While normal calls return 0 for error and npubk for success, there is a case where it returns the usual 1/0 thing. Make that explicit. Prompted by a report by Niels Dossche ok jsing kenjiro
* EVP_OpenInit.3: fix RETURN VALUES sectiontb2026-01-301-6/+4
| | | | | | | This has been incorrectly documented since forever. The function only ever returned 0/1. ok jsing kenjiro
* EVP_SealInit(): clear random key on exittb2026-01-301-2/+4
| | | | ok jsing kenjiro
* EVP_{Open,Seal}Init(): remove redundant EVP_CIPHER_CTX_reset() callstb2026-01-301-5/+1
| | | | | | The subsequent EVP_{Decrypt,Encrypt}Init_ex() calls already do that. pointed out by jsing
* EVP_SealInit(): minor cleanup.tb2026-01-301-11/+25
| | | | | | | | | | | | | | | | | Explicitly compare pointers against NULL, turn the function into single exit, add hint at why npubk <= 0 or pubk == NULL are a success path: The documentation briefly explains that EVP_OpenInit() and EVP_SealInit() is able to initialize the EVP_CIPHER_CTX in two steps exactly like the EVP_CipherInit_ex() API they wrap: the first call with non-NULL cipher (aka type) only sets the cipher on the ctx, then it returns to allow callers to customize the EVP_CIPHER_CTX, and a second call with cipher == NULL skips the initialization and finishes the ctx setup by setting key and iv. Prompted by a report by Niels Dossche. ok jsing kenjiro
* EVP_SealInit: do not return -1 on errortb2026-01-301-2/+2
| | | | | | | | It is documented that EVP_SealInit() returns 0 on error. So -1 is wrong. Reported by Niels Dossche ok jsing kenjiro
* EVP_OpenInit(): minor cleanuptb2026-01-301-9/+16
| | | | | | | | | Explicitly compare pointers against NULL, turn the function into single exit and explain why priv == NULL is a success (hint: muppet API). Prompted by a report by Niels Dossche. ok jsing kenjiro
* Avoid type confusion in the timestamp response parsingtb2026-01-271-1/+3
| | | | | | | | | | A malformed v2 signing cert can lead to a type confusion, and the result is a read from an invalid memory address or NULL, so a crash. Unlike for OpenSSL, v1 signing certs aren't affected since miod fixed this in '14. Reported by Luigino Camastra, fix by Bob Beck, via OpenSSL, CVE 2025-69420. ok jsing
* Avoid type confusion in PKCS#12 parsingtb2026-01-271-3/+9
| | | | | | | | | A type confusion can lead to a 1-byte read at address 0x00-0xff, so a crash. Reported by Luigino Camastra, fix by Bob Beck, via OpenSSL, CVE 2025-22795 ok jsing
* Add NULL pointer check to PKCS12_item_decrypt_d2i()tb2026-01-271-1/+6
| | | | | | | | Avoids a NULL pointer dereference triggerable by a malformed PCKS#12 file. From Luigino Camastra via OpenSSL (CVE-2025-69421) ok jsing
* Make SHA aarch64 assembly build with gcc.jsing2026-01-253-55/+72
| | | | | | | | | | | | | gcc is extremely fussy about register naming and insists on q and s naming for the ARM CE SHA instructions, even though they're referring to the same register (while LLVM just figures it out). Work around this by mapping registers to their required variant at usage and defining a handful of mappings between v registers and alternate names/views. This is still somewhat ugly, but seems to be one of the cleaner options that will allow portable to enable SHA assembly on platforms that use gcc. ok kenjiro@ tb@
* Tidy instruction separators in SHA assembly.jsing2026-01-247-113/+113
| | | | | Remove unnecessary separators and add a few to macros that call other macros (instead of expecting them to exist).
* DH_check: teach this DoS vector about RFC 7919 primestb2026-01-231-1/+6
| | | | ok beck
* bn_const: add RFC 7919 primestb2026-01-232-2/+300
| | | | | | | | There is no intention to expose these via public API or to use them in TLS. For now these will only be used for short-circuiting pointless expensive computations in DH_check(). ok beck
* Scapy special for DH_check()tb2026-01-231-2/+60
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The latest release of Scapy calls DH_check() on all the well-known Diffie-Hellman parameters for RFCs 2409, 3526, and 7919. It does this via pyca/cryptography at startup. Every single time. This is obviously very expensive, due to our 64 MR rounds (which are complete overkill now that we have BPSW). Instead of pondering the ideal number of rounds for BPSW with FFDH, simply skip the check if the parameter matches a well-known prime. These are known to be safe primes, so we can skip those super-expensive and pointless checks without any risk. This is only done for the public dh->p parameter. It could be further optimized, but with the follow-up commit adding the RFC 7919 primes this reduces the startup time to what it was before Scapy 2.7.0: < 1s. Reverting from 64 MR rounds to BN_check_primes rounds, we would still have ~8s startup time without this optimization, which isn't great for an interactive tool. Clearly, it's not entirely our fault, it's also Scapy and cryptography that do something ... suboptimal, but I think we're better off if DH_check() isn't a complete DoS vector. If you're using non-standard parameters with FFDH, you deserve it. We could consider adding a flag for non-well-known p and thus making DH_check() indicate failure for candidate primes larger than, say, 4k. https://github.com/pyca/cryptography/issues/14048 ok beck kenjiro
* Rewrite ec_point_cmp()tb2026-01-181-59/+97
| | | | | | | | This removes some complications due to handling the fast path for affine points and general points at the same time. The result is a bit more code but both paths should be much easier to follow. ok jsing kenjiro
* mlkem: fix mklem_{generate_key,encap}_external_entropy() declarationstb2026-01-181-5/+3
| | | | | | | | | | The prototypes used sized arrays appropriate only for MLKEM768 while the declarations used pointers. For some reason clang doesn't flag this but gcc does. In any case it was wrong. The callers of these functions check that they pass in the correct size. Which is weird but the mlkem directory has an unbelievable amount of mess and bad code. found by/ok jsing
* mlkem: garbage collect the unusd mlkem_{generate_key,encap}()tb2026-01-182-58/+2
| | | | | | | These are flagged by more recent gcc since declarations and definitions don't match (sized array vs pointer). Also an array was checked for NULL. found by/ok jsing
* Provide LIBRESSL_USE_.*_ASSEMBLY defines.jsing2026-01-1717-31/+104
| | | | | | | | | Make life easier for portable by providing LIBRESSL_USE_.*_ASSEMBLY defines, which enable/disable assembly for a specific algorithm. This means that selected platforms can include the assembly files and specify a define, rather than having to try to patch the crypto_arch.h headers. Discussed with tb@
* Replace MD5_ASM with function specific defines.jsing2026-01-175-9/+11
| | | | | Use the same pattern that is now used for most other code - provide HAVE_MD5_BLOCK_DATA_ORDER and use this to selectively enable source code.
* Replace GHASH_ASM with function specific defines.jsing2026-01-1711-22/+41
| | | | | Use the same pattern that is now used for most other code - provide HAVE_* defines for functions and use these to selectively enable source code.
* Mop up unused AES_ASM and RSA_ASM defines.jsing2026-01-177-15/+7
| | | | These have not been used for quite some time.
* Use .section before .rodata to appease gas.jsing2026-01-178-22/+26
| | | | | | gas dislikes bare .rodata - add .section before .rodata to make it happier (LLVM does not care and is happy with either). For consistency, do the same with .text.
* Use local label prefix for loop labels.jsing2026-01-173-9/+9
|
* mlkem_internal.h: formate -> formattb2026-01-161-2/+2
|
* mlkem_internal.h: some very basic copy editingtb2026-01-161-6/+6
|
* mlkem.h: Thie -> This (2x)tb2026-01-161-3/+3
|
* mlkem.c: becuase -> becausetb2026-01-161-2/+2
|
* asn1t.h: whitespace tweakstb2026-01-161-81/+74
| | | | | | Add missing space after commas, shorten a couple comments in structs, reflow weirdly wrapped long comments and improve the random line breaks in typedefs and prototypes.
* asn1t.h: Otherwiser -> Otherwisetb2026-01-161-2/+2
|
* asn1t.h: more macro cleanup, add missing C99 initializers for ADB_ENTRY()tb2026-01-161-69/+99
| | | | ok kenjiro
* stack.c: avoid arithmetic on pointers to voidtb2026-01-141-2/+2
| | | | | | | | | | | | | | | | | In stack.c r1.34 I converted one 'char *' too many to 'void *', thereby relying on a gcc/clang extension which interprets the fictional void type as a type of size 1 (that's what the stack code wants, fortunately). As pointed out in the link below, -Wpointer-arith would have caught this: https://gcc.gnu.org/onlinedocs/gcc/Pointer-Arith.html MSVC flags this as follows: D:\a\portable\portable\crypto\stack\stack.c(211,23): error C2036: 'const void *': unknown size [D:\a\portable\portable\build\crypto\crypto_obj.vcxproj]. Pull in workaround from the portable repo which undoes the char * -> void * conversion. ok jsing millert
* x509_utl.c: zap two useless commentstb2026-01-121-5/+1
|
* More asn1t.h cleanuptb2026-01-111-58/+88
| | | | | | | | This converts more macros to C99 initializers. Rename flags and tags arguments by appending val because they collide with the field names. The remainder are whitespace changes. ok kenjiro
* asn1t.h: add C99 initializers for some ASN.1 templatestb2026-01-091-155/+195
| | | | | | | | | | | | | | This is a first pass at tidying up the unsightly mess that is asn1t.h. For better or worse, we have expanded the macros internally, and in base only rpki-client uses the templates. They are generally rarely used. Fortunately. Having C99 initializers helps a lot with debugging templated ASN.1 by combining cc -E with clang-format. They make the macros more readable, look tidier and help with grep. ok kenjiro
* asn1t.h: whitespace nittb2026-01-091-2/+2
|
* Fix ASN1_ADB_END macro, make it compatible with OpenSSLtb2026-01-071-4/+3
| | | | | | | | | | | | | | In asn1t.h r1.18 (commit 9b72422d) I removed the app_items member from ASN1_ADB and failed to fix up the ASN1_ADB_END() macro that populates the ASN1_ADB. This means ASN1_ADB_END() tried to initialize one member too many and would thus cause a compilation failure, so nobody uses this with LibreSSL. Internally, we have expanded all its uses. We could leave it broken or fix it up. Take the opportunity to add an unused adb_cb() argument instead, making the macro invocation compatible with OpenSSL. ok jsing kenjiro
* ASN.1 templates: make internal *_PUBKEY_it statictb2026-01-051-5/+5
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-06-02 16:53:41 +0000