| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
FIPS is currently revising their PBKDF2 recommendations and apparently
they want to require 16 octets.
https://github.com/pyca/cryptography/issues/12949
https://github.com/libressl/portable/issues/1168
ok kenjiro joshua jsing
|
| |
|
|
|
|
|
|
|
|
| |
Using hmacWithSHA1 isn't outrageously bad, but newly generated encrypted
password files ought to be using something better. Make it so.
https://github.com/pyca/cryptography/issues/12949
https://github.com/libressl/portable/issues/1168
ok joshua
|
| |
|
|
|
|
|
|
| |
binaries had become unlinkable. Change the libc definition to weak to solve
that, and to "const char * const" so that noone will try to set it late.
It must be stable before the first malloc() call, which could be before
main()...
discussion with otto, kettenis, tedu
|
| |
|
|
|
|
|
|
| |
Rework some logic, add explicit numerical checks, move assignment out of
variable declaration and use post-increment/post-decrement unless there is
a specific reason to do pre-increment.
ok kenjiro@ tb@
|
| |
|
|
|
|
| |
When checking the GCM tag, use timingsafe_memcmp() instead of memcmp().
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
SSL_alert_desc_string() is only used by our good old friends M2Crypto
and Net::SSLeay. While some of the two-letter combinations can be made
sense of without looking at the switch, I guess, this is just a
completely useless interface. The same level of uselessness can be
acchieved in a single line matching BoringSSL.
ok joshua kenjiro
|
| | |
|
| |
|
|
|
|
|
|
| |
This adds significant complexity to the code. On amd64 and aarch64 it
results in a minimal slowdown for aligned inputs and a performance
improvement for unaligned inputs.
ok beck@ joshua@ tb@
|
| | |
|
| | |
|
| |
|
|
| |
Discussed with tb@
|
| |
|
|
|
|
|
|
| |
Check if ctx->data is NULL before calling freezero(). Also add
HKDF and TLS1-PRF to the EVP_PKEY cleanup regression test, as
they no longer crash with this change.
ok tb@
|
| |
|
|
|
|
|
| |
Initialize the output buffer with MLKEM1024_PUBLIC_KEY_BYTES
instead of MLKEM768_PUBLIC_KEY_BYTES.
ok tb@
|
| |
|
|
|
|
|
|
| |
The last #else branch in CRYPTO_gcm128_init() doesn't initialize the
function pointers for gmult/ghash, which results in a segfault when
using GCM on architectures taking this branch, notably sparc64.
found by and fix from jca
|
| |
|
|
|
|
|
|
| |
This is currently done in a rather silly way. Shift the index by 1
and avoid weird pointer dances. Rather than relying on static
initialization, use code to obviate a comment.
ok beck joshua jsing
|
| | |
|
| |
|
|
| |
ok tb@, joshua@
|
| |
|
|
| |
ok tb@, joshua@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is a precursor to adding new group ids for post quantum
stuff which are up in the 4000 range, so using the array index
as the group id will be silly. Instead we just add the group
id to the structure and we walk the list to find it.
This should never be a very large list for us, so no need
to do anything cuter than linear search for now.
ok jsing@, joshua@
|
| |
|
|
|
|
|
|
| |
Even though this should remain internal, make it the same
as the public key marshal function, and make the needed
fallout changes in regress.
ok kenjiro@, tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Even though this should remain internal, make it the same
as the public key marshal function, and make the needed
fallout changes in regress.
This does not yet do the bikeshed of renaming the structure
field in the regress ctx, that will wait until a follow on
to convert 1024 in a similar manner
ok tb@
|
| |
|
|
| |
ok jsing@, joshua@
|
| |
|
|
|
|
|
|
|
| |
- Get rid of CBB/CBS usage in public api
- Make void functions return int that can fail if malloc fails.
Along with some fallout and resulting bikeshedding in the regress tests.
ok jsing@, tb@
|
| |
|
|
|
|
|
|
|
|
| |
AES_ecb_encrypt() does not really do ECB - provide an
aes_ecb_encrypt_internal that actually does multiple blocks and call this
from aes_ecb_cipher(). Provide ECB with its own key initialisation
function, which allows aes_init_key() to be simplified considerably.
The block function pointer is now unused, so mop this up.
ok joshua@ tb@
|
| |
|
|
|
|
|
| |
Provide aes_{en,de}crypt_block128() which have correct function signatures
and use these when calling the various mode functions.
ok joshua@ tb@
|
| |
|
|
|
|
|
| |
Provide AES-NI with its own aesni_ofb_cipher() and switch aes_ofb_cipher()
to call AES_ofb128_encrypt() directly.
ok joshua@ tb@
|
| |
|
|
|
|
|
|
| |
Provide AES-NI with its own aesni_cfb*_cipher() functions, which then
allows us to change the existing aes_cfb*_cipher() functions to () to call
AES_cfb*_encrypt() directly.
ok beck@ tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
Provide AES-NI with its own aesni_ctr_cipher(), which then allows us to
change aes_ctr_cipher() to call AES_ctr128_encrypt() directly. The
stream.ctr function pointer is now unused and can be mopped up.
ok beck@ tb@
|
| |
|
|
| |
This is a remnant from s390x assembly.
|
| |
|
|
|
|
|
|
|
| |
Change aes_cbc_cipher() to call AES_cbc_encrypt() directly, rather than
via the stream.cbc function pointer. Remove stream.cbc since it is no
longer used. Also provide a separate aes_cbc_init_key() function which
makes this standalone and does not require checking mode flags.
ok joshua@ tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
No change in generated assembly.
|
| |
|
|
|
|
|
|
|
| |
Instead of using size_t and a PACK macro, store the entries as uint16_t and
then uncondtionally left shift 48 bits. This gives a small performance gain
on some architectures and has the advantage of reducing the size of the
table from 1024 bits to 256 bits.
ok beck@ joshua@ tb@
|
| |
|
|
|
|
|
|
|
| |
The REDUCE1BIT macro is now only used in one place, so just inline it.
Additionally we do not need separate 32 bit and 64 bit versions - just use
the 64 bit version and let the compiler deal with it (we effectively get
the same code on i386).
ok beck@ joshua@
|
| |
|
|
|
|
| |
Prompted by a diff by Kenjiro Nakayama
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
TABLE_BITS is always currently defined as 4 - 8 is considered to be
insecure due to timing leaks and 1 is considerably slower. Remove code
that is not regularly tested, does not serve a lot of purpose and is making
clean up harder than it needs to be.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Rather than having defines for GCM_MUL/GHASH (along with the wonder that
is GCM_FUNCREF_4BIT) then conditioning on their availability, provide and
call gcm_mul()/gcm_ghash() unconditionally. This simplifies all of the call
sites.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently PKCS12_setup_mac() function uses salt length of 8 bytes / 64
bits when no salt length is specified. Increase this fallback default
to 16 bytes / 128 bits, as recommended by NIST SP 800-132.
Note this is for interoperability purposes. Some FIPS implementations
enforce minimum salt length of 16 bytes. Examples of such FIPS
implemenations are Bouncycastle FIPS Java API and Chainguard FIPS
Provider for OpenSSL. Also future v3.6 release of OpenSSL will also
increase the default salt length to 16 bytes.
From Dimitri John Ledkov, thanks
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Redirect through an additional macro that adds the repeated function,
file and line macros. Reduces the eyesore and makes the whole thing
much more redable.
similar to a suggestion by jsing a while back
|
| |
|
|
| |
pointed out by djm a while back
|
| |
|
|
|
|
|
| |
These three are still used in about half a dozen ports. All the others are
unused.
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
These are now only used in libcrypto. They should never have been in a
public header in the first place.
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
