summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Update and improve documentation for pkcs8 -v2tb2025-05-241-12/+8
| | | | with input from jsing
* Crank default salt length of PBE2 to 16 octetstb2025-05-242-4/+13
| | | | | | | | | | FIPS is currently revising their PBKDF2 recommendations and apparently they want to require 16 octets. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok kenjiro joshua jsing
* Switch the default PBMAC to hmacWithSHA256tb2025-05-241-2/+2
| | | | | | | | | | Using hmacWithSHA1 isn't outrageously bad, but newly generated encrypted password files ought to be using something better. Make it so. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok joshua
* Switch default to PBES2 for openssl pkcs8 -topk8tb2025-05-241-3/+3
| | | | | | | | | | | | | | | | | | | | We currently use the glorious default of NID_pbeWithMD5AndDES_CBC which we inherited from OpenSSL. This could have been worse - there is also NID_pbeWithMD2AndDES_CBC... The way this diff works is that the undocumented PKCS8_encrypt() API uses the PKCS#5v2 code path when it's passed a NID of -1 and requires a cipher to succeed, otherwise it uses the PKCS#5v1.5 path. So pass in a sensible cipher, namely AES-CBC-256, and let layers of muppetry cascade to doing something resembling the right thing. This still uses the default of hmacWithSHA1 and a somewhat short salt, which will be improved in a subsequent commit. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok kenjiro joshua jsing
* openssl speed: use single md buffer for digestsjoshua2025-05-241-31/+10
| | | | ok jsing tb
* Add the ability to run individual ruby ssl test for figuring outbeck2025-05-231-1/+16
| | | | | | what is going on when these break ok tb@
* When commons were deprecated, noone noticed that malloc_options in staticderaadt2025-05-232-7/+10
| | | | | | | | binaries had become unlinkable. Change the libc definition to weak to solve that, and to "const char * const" so that noone will try to set it late. It must be stable before the first malloc() call, which could be before main()... discussion with otto, kettenis, tedu
* Do a clean up pass over the GCM code.jsing2025-05-221-92/+86
| | | | | | | | Rework some logic, add explicit numerical checks, move assignment out of variable declaration and use post-increment/post-decrement unless there is a specific reason to do pre-increment. ok kenjiro@ tb@
* Use timingsafe_memcmp() in CRYPTO_gcm128_finish().jsing2025-05-221-2/+2
| | | | | | When checking the GCM tag, use timingsafe_memcmp() instead of memcmp(). ok tb@
* Simplify SSL_alert_desc_stringtb2025-05-221-67/+2
| | | | | | | | | | SSL_alert_desc_string() is only used by our good old friends M2Crypto and Net::SSLeay. While some of the two-letter combinations can be made sense of without looking at the switch, I guess, this is just a completely useless interface. The same level of uselessness can be acchieved in a single line matching BoringSSL. ok joshua kenjiro
* Fix HTTP CONNECT proxy support to not treat responses likedjm2025-05-221-5/+5
| | | | "HTTP/1.0 200poo" as success; patch from Spiros Thanasoulas
* asn1: merge invalid generalized time tests into invalid time testsjoshua2025-05-221-16/+10
| | | | | | | | | | | Previously, invalid generalized time tests were split into a separate set of test vectors and a flag was used when calling the test function to indicate they should be tested as generalized only. This simplifies the code a bit, and makes converting to the new test framework easier. ok jsing
* Convert sha_test to use new test frameworkjoshua2025-05-222-153/+141
| | | | ok beck
* Convert md_test to use new test frameworkjoshua2025-05-222-122/+106
| | | | ok jsing tb beck
* Fix test_errorf macro expanding to two linesjoshua2025-05-221-4/+8
| | | | | This caused test_fail to always be called when used in certain conditions, and wrapping with do {} while (0) fixes this.
* Add basic HKDF test using EVP_PKEY_HKDFkenjiro2025-05-221-1/+81
| | | | | | | | Add a basic test case for HKDF using EVP_PKEY_HKDF to evp_test.c. This test verifies the correct derivation of output keying material using SHA-256, matching the test vector from RFC 5869 Appendix A.1. ok tb@ joshua@
* Reorder some functions.jsing2025-05-211-20/+20
|
* Remove GHASH_CHUNK and size_t related code from GCM encrypt/decrypt.jsing2025-05-211-220/+1
| | | | | | | | This adds significant complexity to the code. On amd64 and aarch64 it results in a minimal slowdown for aligned inputs and a performance improvement for unaligned inputs. ok beck@ joshua@ tb@
* Fix wrapping.jsing2025-05-211-13/+9
|
* Remove now unused AES assembly generation scripts.jsing2025-05-213-5256/+0
|
* for SOCKS4A don't perform a local hostname lookup that we're not goingdjm2025-05-211-4/+6
| | | | to use; spotted by lucas@
* Add initial regress test frameworkjoshua2025-05-213-0/+408
| | | | | | | | | | Add a test framework for use in LibreSSL regression tests. This test framework aims to be as lightweight and as simple to use as possible. The design is mostly inspired by Go's test system, and aims to be a drop-in utility in most existing regress tests. ok jsing tb beck
* add SOCKS4A to help textdjm2025-05-211-2/+2
|
* add SOCKS4A support to nc(1)'s proxy (-X) modedjm2025-05-213-7/+27
| | | | | | | | | | | SOCKS4A is a fairly obscure extension to the olde SOCKS4 protocol that allows passing the destination as a string rather than a literal IPv4 address, which is the only thing that vanilla SOCKS4 supports. The motivation for adding something so niche is to test the SOCKS4A server code in ssh(1)'s dynamic forwarding (-D) support. ok tb@
* Remove more unused code.jsing2025-05-211-95/+1
| | | | Discussed with tb@
* Add NULL checks to HKDF and TLS1-PRF EVP_PKEY cleanup functionskenjiro2025-05-213-3/+11
| | | | | | | | Check if ctx->data is NULL before calling freezero(). Also add HKDF and TLS1-PRF to the EVP_PKEY cleanup regression test, as they no longer crash with this change. ok tb@
* mlkem_unittest: fix typo in commenttb2025-05-211-2/+2
|
* Fix buffer size in MLKEM1024_marshal_public_key()kenjiro2025-05-211-2/+2
| | | | | | | Initialize the output buffer with MLKEM1024_PUBLIC_KEY_BYTES instead of MLKEM768_PUBLIC_KEY_BYTES. ok tb@
* Unbreak GHASH on some architectures setting GHASH_ASMtb2025-05-201-1/+3
| | | | | | | | The last #else branch in CRYPTO_gcm128_init() doesn't initialize the function pointers for gmult/ghash, which results in a segfault when using GCM on architectures taking this branch, notably sparc64. found by and fix from jca
* Simplify err_build_SYS_str_reasonstb2025-05-201-19/+13
| | | | | | | | This is currently done in a rather silly way. Shift the index by 1 and avoid weird pointer dances. Rather than relying on static initialization, use code to obviate a comment. ok beck joshua jsing
* Fix previous - names use underscores and not hyphens.jsing2025-05-201-3/+3
|
* Add ML-KEM768 Hybrid Kems to obj_mac.numbeck2025-05-201-0/+3
| | | | ok tb@, joshua@
* Add ML-KEM768 Hybrid Kems to objects.txtbeck2025-05-201-0/+6
| | | | ok tb@, joshua@
* Don't use the array index as the group_idbeck2025-05-201-51/+97
| | | | | | | | | | | | This is a precursor to adding new group ids for post quantum stuff which are up in the 4000 range, so using the array index as the group id will be silly. Instead we just add the group id to the structure and we walk the list to find it. This should never be a very large list for us, so no need to do anything cuter than linear search for now. ok jsing@, joshua@
* Make MLKEM1024_marshal_private_key consistent with the public_key funcitonsbeck2025-05-207-66/+68
| | | | | | | | Even though this should remain internal, make it the same as the public key marshal function, and make the needed fallout changes in regress. ok kenjiro@, tb@
* Whitespace nits from tbbeck2025-05-201-1/+4
| | | | ok tb@
* Fix up MLKEM768_marshal_private_key to not use a passed in CBBbeck2025-05-197-53/+54
| | | | | | | | | | | | Even though this should remain internal, make it the same as the public key marshal function, and make the needed fallout changes in regress. This does not yet do the bikeshed of renaming the structure field in the regress ctx, that will wait until a follow on to convert 1024 in a similar manner ok tb@
* Remove the boringssl if || ideom from mlkembeck2025-05-192-34/+46
| | | | ok jsing@, joshua@
* API changes for ML-KEMbeck2025-05-199-176/+203
| | | | | | | | | - Get rid of CBB/CBS usage in public api - Make void functions return int that can fail if malloc fails. Along with some fallout and resulting bikeshedding in the regress tests. ok jsing@, tb@
* Simplify EVP AES code for ECB.jsing2025-05-192-33/+46
| | | | | | | | | | AES_ecb_encrypt() does not really do ECB - provide an aes_ecb_encrypt_internal that actually does multiple blocks and call this from aes_ecb_cipher(). Provide ECB with its own key initialisation function, which allows aes_init_key() to be simplified considerably. The block function pointer is now unused, so mop this up. ok joshua@ tb@
* Remove block128_f function casts.jsing2025-05-191-8/+20
| | | | | | | Provide aes_{en,de}crypt_block128() which have correct function signatures and use these when calling the various mode functions. ok joshua@ tb@
* Simplify EVP AES code for OFB.jsing2025-05-191-7/+19
| | | | | | | Provide AES-NI with its own aesni_ofb_cipher() and switch aes_ofb_cipher() to call AES_ofb128_encrypt() directly. ok joshua@ tb@
* Simplify EVP AES code for CFB.jsing2025-05-191-25/+79
| | | | | | | | Provide AES-NI with its own aesni_cfb*_cipher() functions, which then allows us to change the existing aes_cfb*_cipher() functions to () to call AES_cfb*_encrypt() directly. ok beck@ tb@
* EC_POINT_new: wording tweaks in the BUGS sectiontb2025-05-181-6/+6
|
* Simplify EVP AES code for CTR.jsing2025-05-181-22/+23
| | | | | | | | Provide AES-NI with its own aesni_ctr_cipher(), which then allows us to change aes_ctr_cipher() to call AES_ctr128_encrypt() directly. The stream.ctr function pointer is now unused and can be mopped up. ok beck@ tb@
* Unifdef AES_CTR_ASM.jsing2025-05-181-14/+1
| | | | This is a remnant from s390x assembly.
* Simplify EVP code for AES CBC.jsing2025-05-181-26/+33
| | | | | | | | | Change aes_cbc_cipher() to call AES_cbc_encrypt() directly, rather than via the stream.cbc function pointer. Remove stream.cbc since it is no longer used. Also provide a separate aes_cbc_init_key() function which makes this standalone and does not require checking mode flags. ok joshua@ tb@
* add missing u64/uint64_t conversionbcook2025-05-181-3/+3
| | | | ok jsing@
* Use stdint types instead of u64/u32/u8.jsing2025-05-185-134/+127
| | | | No change in generated assembly.
* Remove contortions with the rem_4bit table.jsing2025-05-181-28/+9
| | | | | | | | | Instead of using size_t and a PACK macro, store the entries as uint16_t and then uncondtionally left shift 48 bits. This gives a small performance gain on some architectures and has the advantage of reducing the size of the table from 1024 bits to 256 bits. ok beck@ joshua@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-21 19:52:03 +0000