| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
OBJ_obj2txt() is often called without error checking and is used for
reporting unexpected or malformed objects. As such, we should ensure
buf is a string even on failure. This had long been the case before it
was lost in a recent rewrite. If obj and obj->data are both non-NULL
this is already taken care of by i2t_ASN1_OBJECT_internal(), so many
callers were still safe.
ok miod
|
|
|
|
|
|
|
|
Makes mandoc -Tlint happier
|
|
and with an unaligned offset. Let's see if all ciphers on our strict
alignment arches can deal with this.
|
|
All hashes and ciphers covered by speed should be able to handle unaligned
input and output. The buffers used in openssl speed are well aligned since
they are large, so will never exercise the more problematic unaligned case.
I wished something like this was available on various occasions. It would
have been useful to point more easily at OpenSSL's broken T4 assembly.
Yesterday there were two independent reasons for wanting it, so I sat down
and did it. It's trivial: make the allocations a bit larger and use buffers
starting at an offset inside these allocations. Despite the trivality, I
managed to have a stupid bug. Thanks miod.
discussed with jsing
ok miod
|
|
This drops a bunch of unnecessary parentheses, makes the strcmp()
checks consistent and moves some "}\n\telse" to "} else".
Makes an upcoming commit smaller
|
|
This wasn't properly hidden under OPENSSL_NO_EC2M, and all it does now
is producing ugly errors and useless "statistics". While looking at this,
I found that much of speed "has been pilfered from [Eric A. Young's]
libdes speed.c program". Apparently this was an precursor and ingredient
of SSLeay. Unfortunately, it seems that this piece of the history is lost.
ok miod
PS: If anyone is bored, a rewrite from scratch of the speed 'app' would
be a welcome contribution and may be an instructive rainy day project.
The current code was written in about the most stupid way possible so as
to maximize fragility and unmaintainability.
|
|
Prompted by a report by Steffen Ullrich on libressl@openbsd.org
ok jsing
|
|
|
|
future, inadvertant PLT entries. Move the __getcwd and __realpath
declarations to hidden/{stdlib,unistd}.h to consolidate and remove
duplication.
ok tb@ otto@ deraadt@
|
|
Now that this macro is available in a header, let's use that version
rather than copies in several .c files.
discussed with jsing
|
|
All assembly implementations are required to perform their own alignment
handling. In the case of the C implementation, on strict alignment
platforms, unaligned data will be copied into an aligned buffer. However,
most platforms then perform byte-by-byte reads (via the PULL64 macros).
Instead, remove SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA and alignment
handling to sha512_block_data_order() - if the data is aligned then simply
perform 64 bit loads and then do endian conversion via be64toh(). If the
data is unaligned then use memcpy() and be64toh() (in the form of
crypto_load_be64toh()). Overall this reduces complexity and can improve
performance (on aarch64 we get a ~10% performance gain with aligned input
and about ~1-2% gain on armv7), while the same movq/bswapq is generated
for amd64 and movl/bswapl for i386.
ok tb@
|
|
From Ilya Chipitsine
|
|
ok tb
|
|
Avoid reach around and initialisation outside of the macro, cleaning up
the call sites to remove the initialisation. Use a T2 variable to more
closely follow the documented algorithm and remove the gorgeous compound
statement X = Y += A + B + C.
There is no change to the clang generated assembly on aarch64.
ok tb@
|
|
It is higly confusing to call the list of untrusted certs chain, when
you're later going to call X509_STORE_CTX_get0_chain() to get a completely
unrelated chain by the verifier. Other X509_STORE_CTX APIs call this list
of certs 'untrusted', so go with that. At the same time, rename the x509
into leaf, which is more explicit.
suggested by/ok jsing
|
|
When v3err.c was merged into x509_err.c nearly three years ago, it was
overlooked that the code needed two distinct pairs of ERR_FUNC/ERR_REASON,
one for ERR_LIB_X509 and one for ERR_LIB_X509V3. The result is that the
reason strings for the X509_R_* codes would be overwritten by the ones for
X509V3_R_* with the same value while the reason strings for all X509V3_R_*
would be left undefined.
Fix this by an #undef/#define dance for ERR_LIB_X509V3 once we no longer
the ERR_FUNC/ERR_REASON pair for ERR_LIB_X509.
reported by job
ok jsing
|
|
*) On VMS, stdout may very well lead to a file that is written to
in a record-oriented fashion. That means that every write() will
write a separate record, which will be read separately by the
programs trying to read from it. This can be very confusing.
The solution is to put a BIO filter in the way that will buffer
text until a linefeed is reached, and then write everything a
line at a time, so every record written will be an actual line,
not chunks of lines and not (usually doesn't happen, but I've
seen it once) several lines in one record. BIO_f_linebuffer() is
the answer.
Currently, it's a VMS-only method, because that's where it has
been tested well enough.
[Richard Levitte]
Yeah, no, we don't care about any of this and haven't compiled this file
since forever. Looks like tedu's chainsaw got blunt at some point...
|
|
With this the only -Tlint warnings are about Xr to undocumented functions:
EVP_CIPHER_CTX_copy, EVP_CIPHER_CTX_get_cipher_data, X509V3_EXT_get_nid.
|
|
|
|
|
|
|
|
|
|
|
|
Should make coverity happier
|
|
|
|
|
|
These helpers used to contain messy pointer bashing some with weird logic
for NUL termination. This can be written more safely and cleanly using
CBB/CBS, so do that. The result is nearly but not entirely identical to
code used elsewhere due to some strange semantics. Apart from errors pushed
on the stack due to out-of-memory conditions, care was taken to preserve
error codes.
ok jsing
|
|
|
|
We currently have three C implementations for SHA-512 - a version that is
optimised for CPUs with minimal registers (specifically i386), a regular
implementation and a semi-unrolled implementation. Testing on a ~15 year
old i386 CPU, the fastest version is actually the semi-unrolled version
(not to mention that we still currently have an i586 assembly
implementation that is used on i386 instead...).
More decent architectures do not seem to care between the regular and
semi-unrolled version, presumably since they are effectively doing the
same thing in hardware during execution.
Remove all except the semi-unrolled version.
ok tb@
|
|
|
|
|
|
ok tb@
|
|
|
|
The previous commit resulted in misalignment, which impacts my OCD worse
than no alignment at all. Alignment wasn't consistently done in this file
anyway. op tells me it won't affect current efforts in reducing the diff.
|
|
With input from beck and jsing
|
|
This is more accurate and improves readability a bit. Apart from a comment
tweak this is sed + knfmt (which resulted in four wrapped lines).
Discussed with beck and jsing
|
|
and while here mark as const data.
This diff is actually from gilles@, in OpenSMTPD-portable bundled
libtls.
ok tb@, jsing@
|
|
The behavior of the BPSW primality test for numbers > 2^64 is not very
well understood. While there is no known composite that passes the test,
there are heuristics that indicate that there are likely infinitely many.
Therefore it seems appropriate to harden the test. Having a settable
number of MR rounds before doing a version of BPSW is also the approach
taken by Go's primality check in math/big.
This adds a new implementation of the old MR test that runs before running
the strong Lucas test. I like to imagine that it's slightly cleaner code.
We're effectively at about twice the cost of what we had a year ago. In
addition, it adds some non-determinism in case there actually are false
positives for the BPSW test.
The implementation is straightforward. It could easily be tweaked to use
the additional gcds in the "enhanced" MR test of FIPS 186-5, but as long
as we are only going to throw away the additional info, that's not worth
much.
This is a first step towards incorporating some of the considerations in
"A performant misuse-resistant API for Primality Testing" by Massimo and
Paterson. Further work will happen in tree. In particular, there are plans
to crank the number of Miller-Rabin tests considerably so as to have a
guaranteed baseline. The manual will be updated shortly.
positive feedback beck
ok jsing
|
|
unlock-lock dance it serves no real purpose any more. Confirmed
by a small performance increase in tests. ok @tb
|
|
having flags set.
|
|
Pointed out and ok by dlg
|
|
|
|
Anything taken to the power of 0 is 1, and then reduced mod 1 or mod -1 it
will be 0. If "anything" includes 0 or not is a matter of convention, but
it should not depend on the sign of the modulus...
Reported by Guido Vranken
ok jsing (who had the same diff)
|
|
ok tb@
|
|
ok tb@
|
