## Commit messages

- As reported by ajacoutot and sthen, an update to net/neon is blocked on
  that missing symbol.
  ok kenjiro

- ok kenjiro

- This is needed by Python 3.14, extending the urllib3 nonsense further.
  This is a trivial getter and it is exercised by the libssl unit test
  I added for urllib3 (which can now use dynamic linking for libcrypto).
  Fixes https://github.com/libressl/portable/issues/1202
  Thanks to @orbea for the report.
  ok kenjiro
  PS: X509_VERIFY_PARAM_get_flags() and X509_VERIFY_PARAM_get_peername()
  aren't const correct. Fixing this will require some doing...

- now that all archs use at least gcc4.
  ffsl() and ffsll() are now part of POSIX.
  OK deraadt@, input from miod@ and jsg@

- This allows a const correct SSL_SESSION_dup() implementation at the cost
  of casting away const due to the const incorrect CRYPTO_dup_ex_data()...
  (I should look into fixing that, but things like rust-openssl make that
  hard at this point in the release cycle.)
  ok kenjiro (as part of a larger diff)

- set to "gcc3".

- When processing the client supported groups and key shares extensions,
  the group selection is currently based on client preference. However,
  when building a HRR the preferred group is identified by calling
  tls1_get_supported_group(). If SSL_OP_CIPHER_SERVER_PREFERENCE is enabled,
  group selection will be based on server instead of client preference. This
  in turn can result in the server sending a HRR for a group that the client
  has already provided a key share for, violating the RFC.
  Avoid this issue by storing the client preferred group when processing
  the key share extension, then using this group when creating the HRR.
  Thanks to dzwdz for identifying and reporting the issue.
  ok beck@ tb@

- This is currently an internal helper only used by a regress test.
  We'll have to expose it in the public API for Python 3.14:
  https://github.com/libressl/portable/issues/1202

- To allow binary search for looking up if a cert was revoked in a CRL,
  the list of revoked serial numbers is sorted in crl_lookup(). On the
  other hand, to be able to output the DER that was actually signed by
  the issuer, the original order needs to be remembered.
  Before the encoding was cached, there was a mechanism that would restore
  the original order on serialization using the .sequence member. This was
  done without a lock and was thus racy (hilarity would ensue if one thread
  performed a CRL lookup while another thread serialized the same CRL). When
  the racy mechanism was removed in 2004, the only reader of .sequence,
  X509_REVOKED_seq_cmp(), was also removed, and this piece of dead code was
  left behind. Garbage collect it.
  ok kenjiro

- An incorrect length check can result in a 4-byte overwrite and an
  8-byte overread.
  From Stanislav Fort and Viktor Dukhovni via OpenSSL.
  CVE-2025-9230.
  ok jsing

- ok jsing

- ok jsing

- This is required in NIST Special Publication 800-56B Revision 2
  "Recommendation for Pair-Wise Key Establishment Using Integer
  Factorization Cryptography":
  6 RSA Key Pairs
  6.2 Criteria for RSA Key Pairs for Key Establishment
  6.2.1 Definition of a Key Pair
  3. The prime factors p and q shall be generated using one of
  the methods specified in Appendix B.3 of FIPS 186 such that:
  c. |p – q| > 2^(nBits/2 − 100)
  ok djm@, tb@

- The version check will break the rust-openssl regress unless you have
  rust-openssl-tests-20250927p0.

- This wasn't part of the initial proposal and causes issues in curl downstream.
  We could pile more hacks on top of this, but at some point this is getting too
  silly.
  Relatedly, most of the FOOerr() could be removed, although PEMerr(), RSAerr()
  and SSLerr() are used by some downstreams and probably not worth patching out.
  Discussed with @vszakats in https://github.com/libressl/portable/issues/1154

- This removes two unnecessary variables in each of these functions,
  normalizes the sizeof() use and undoes unnecessary line wraps.
  ok deraadt djm kenjiro

- CID 621601 621602
  ok djm jsg jsing miod

- After the guts of MLKEM_public_key were changed from a union to a struct,
  the aligner grew the struct, leaking as many bytes of private key data as
  the struct grew (on normal platforms that would be 2).
  Ideally this would all be a bit more robust.
  CID 621603 621604
  ok jsing kenjiro

- With the renaming, aes_set_decrypt_key_generic() should now call
  aes_set_encrypt_key_generic() directly.

- Rename the C based AES implementation to *_generic() and provide
  *_internal() wrappers for these. This allows for architectures to provide
  accelerated versions without having to also provide a fallback
  implementation.
  ok tb@

- This avoids leaving previous round keys around on failure, or leaving parts
  of previous round keys behind if reused with a smaller key size.
  ok tb@

- Every aes_set_{encrypt,decrypt}_key_internal() implementation is currently
  required to check the inputs and return appropriate error codes. Pull the
  input validation up to the API boundary, setting key->rounds at the same
  time. Additionally, call aes_set_encrypt_key_internal() directly from
  aes_set_decrypt_key_internal(), rather than going back through the public
  API.
  ok tb@

- The BN_DIV2W define provides a code path for double word division via the C
  compiler, which is only enabled on hppa. Simplify the code and mop this up.
  ok tb@

- This is now only on amd64.

- bn_sqr_words() does not actually compute the square of the words, it only
  computes the square of each individual word - rename it to reflect reality.
  Discussed with tb@

- This moves everything not public to mlkem_internal.c,
  removing the old files and doing some further cleanup
  on the way.
  With this landed mlkem is out of my stack and can be
  changed without breaking my subsequent changes.
  ok tb@

- The old assembly bn_sqr_words() does not actually square words in the
  bignum sense. These will have to be renamed (once I come up with a name
  for whatever it actually does) before we can roll forward again.
  Found the hard way by Janne Johansson.

- Use bn_mul_words() and bn_montgomery_reduce_words(), rather than using
  bn_montgomery_multiply_words(). This provides better performance on
  architectures that have assembly optimised bn_mul_words(), such as amd64.

- Use bn_sqr_words() and bn_montgomery_reduce_words(), rather than using
  bn_montgomery_multiply_words(). This provides better performance on
  architectures that have assembly optimised bn_sqr_words(), such as amd64.
  ok tb@

- This uses s2n-bignum's bignum_mul() and provides significant performance
  gains for a range of multiplication sizes.

- (for our purposes).

- Not installed for nearly a decade since it only "documents" internal
  functions and structs and the internal function doco gets more out of
  sync with reality with every (much needed) pass over bn/

- This was missed in the previous commit.

- Most bn_.*_words() functions operate on two word arrays, however
  bn_mul_words() and bn_mul_add_words() operate on one word array and
  multiply by a single word. Rename these to bn_mulw_words() and
  bn_mulw_add_words() to reflect this, following the naming scheme that we use
  for primitives.
  This frees up bn_mul_words() to actually be used for multiplying two word
  arrays. Rename bn_mul_normal() to bn_mul_words(), which will then become
  one of the possible assembly integration points.
  ok tb@

- Rework some of the squaring code so that it calls bn_sqr_words() and use
  this as the integration point for assembly. Convert bn_sqr_normal() to
  bn_sqr_words(), which is then used on architectures that do not provide
  their own version.
  This means that we resume using the assembly version of bn_sqr_words() on
  i386, mips64 and powerpc, which can provide considerable performance gains.
  ok tb@

- The code supporting this toggle has long been removed from all the forks.
  discussed with jsing

- I have effectively rewritten the entirety of this file end of 2024.
  This isn't code I'm particularly proud of, but it's much better than
  it was before (it's not as if that involved any sort of challenge...)
  requested by/ok jsing

- After drilling through many layers of fossilized turds from a
  long-forgotten millennium, jsing and I finally found oil^Wa
  machine-independent version of opensslconf.h.
  Remove the no longer needed versions in arch/*/ and move one copy
  to the top level.  Add an RCS tag and place the remaining garbage
  in the public domain.
  ok jsing

- Rides the libcrypto bump from a couple days ago

- rides the libcrypto bump